Installing Altiris Agent to a workstation outside a DMZ

book

Article ID: 179610

calendar_today

Updated On:

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

Problem
I would like to install the Altiris Agent to a workstation outside of the DMZ that the server is behind. I added the workstation to the "hosts" file on the Notification Server to help it resolve the name for the workstation.

Cause

The Notification Server is able to ping the workstation, but the workstation is not able to ping the Notification server. The server doesn't have a public IP address that can be seen from the public Internet.

Resolution

It is not possible to get behind a DMZ firewall without opening a port or using VPN for the workstation to use to that server.

Currently implementations on DMZ is not supported IF Cloud-Enabled Management is not used. We do not test hosting computers with the Symantec Management Agent on them in the DMZ and hence we do not support it - it is very risky from the security point of view. ITMS is a fully on-prem solution, not SaaS. If a customer decides to host SMP or computers in the DMZ - all possible security breaches due to improper implementation are on their own risk. 

Implementing Cloud-Enabled Management (CEM) is the recommended approach. 

Additional Information

181463 "What should be considered when installing the Altiris Agent on a server in the DMZ?"