1 Reply Latest reply on Jul 1, 2013 1:43 AM by Frank Wils

    External Devices access via Gateway

    georged Apprentice

      I am still on a trial for the cloud gateway and have a few questions.

       

      I manually installed an exported agent to a laptop. I added my laptop's public IP to the firewall allow list. I was able to run brokerconfig.exe and request the client certificate.

       

      How can this be automated?

       

      I don't mind manually installing the agent, but I want it to connect and fetch the client certificate on its own.

      Also, do I need to add 0.0.0.0 to the firewall for all my public laptops? Is this only necessary for the certificate request? Can I block the administrative page to the public?

       

      In terms of policy and groups, I'm assuming I can create some smart group based on public IPs or hostnames? I haven't looked at that yet.

       

      I know it says not to, but has anyone tried to put this behind a NetScaler load balancer? This would be my backup if I can't block the admin page natively.

        • 1. Re: External Devices access via Gateway
          Frank Wils ITSMMVPGroup

          Lots of questions :)

           

          How can this be automated? ---> In SP1 the brokercert can be included in the agent installation

           

          Also, do I need to add 0.0.0.0 to the firewall for all my public laptops? ---> Better empty the list of Allowed, as you never know from where a device will connect. The blocked list is tricky and you should evaluate the predefined entries very carefully as they block quite a large range...

           

          Is this only necessary for the certificate request? ---> No, the firewall is for all communication

           

          Can I block the administrative page to the public? ---> Currently not. But if you store the direct link somewhere yourself, you can go in the filesystem and change the opening page to not display the link.

           

          In terms of policy and groups, I'm assuming I can create some smart group based on public IPs or hostnames? ---> If devices are 'out' most of the time then IP should be the key.

           

          I know it says not to, but has anyone tried to put this behind a NetScaler load balancer? ---> Never tried, but I think quite tricky to configure, especially with the HTTPS certificate communication.

           

          Frank