4 Replies Latest reply on Jul 7, 2017 2:10 AM by phoffmann

    Patching Servers in DMZ

    RobLent Specialist

      I have found a couple of articles from 2009 asking this question so as we are looking at it how are people patching their DMZ servers?


      Our LDMS server is on our LAN and we would not want to be opening ports to our DMZ for LDMS if we can help it.


      What are others doing?

        • 1. Re: Patching Servers in DMZ
          phoffmann SupportEmployee

          ... have you looked at a CSA (Cloud Service Appliance) (if you've been with us a while, you may know it as a Management Gateway as well)?


          That way, you can patch via policies with autorepair (it operates on a client-side pull model -- the Core only makes things available to clients, but clients need to send a request via the CSA to check for policies / jobs).


          More information can be found here:

          - Cloud Services Appliance


          Hope this helps?

          • 2. Re: Patching Servers in DMZ
            RobLent Specialist

            Cheers Phil.


            I was looking for Management Gateway so here it is.


            I will take a look.

            • 3. Re: Patching Servers in DMZ
              RobLent Specialist

              So I have a CSA and an agent that has this listed.


              Installed the agent on a server in my DMZ and using BrokerConfig have obtained a certificate and tested the connection as OK.


              So how do I now see this server in LDMS so that I can patch it?

              • 4. Re: Patching Servers in DMZ
                phoffmann SupportEmployee

                The client needs to send an inventory to the Core (you should be able to do that by sending a regular inventory scan -- the client should detect that it needs to go through the CSA) ... depending on your version involved, you need to make sure that you APPROVE the client certificate (either on the CSA itself or the Core, depending on your version).


                That essentially marks the client as "this guy is OK to talk to me" -- and then you can send inventory scans / vulnerability scans through the CSA as normal.


                Once the vulnerability scan has come in, you'd perform any patching as a policy (in short - the client in question needs to check for policies, notice the "hey, I'm supposed to patch X and Y" - and then work that down / download stuff from the Core).


                Important points:

                * Patching / softdist through the CSA is entirely policy check dependent (the client needs to check for those)

                * Patches / Software distribution packages *MUST* be on the Core and MUST be on an HTTP share. Preferred servers & such will NOT work through the CSA.


                Hope that helps?


                (Again, a good bunch of information should be available in the CSA section of the community.)
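A small pre-flight check for the constraint in the reply above (packages must be HTTP(S) on the Core, not a UNC share or a preferred server), written here as an added example rather than anything from the thread or the product; the Core hostname and the sample package list are constructed assumptions.

```python
from urllib.parse import urlparse

# Assumed hostname standing in for the Core server (not from the thread).
CORE_HOST = "core.example.internal"

# Constructed sample package definitions: name plus the source the Core hands out.
SAMPLE_PACKAGES = [
    {"name": "pkg-http-core", "source": "http://core.example.internal/packages/fix1.exe"},
    {"name": "pkg-https-core", "source": "https://core.example.internal/packages/fix2.msi"},
    {"name": "pkg-unc-share", "source": "\\\\fileserver01\\share\\fix3.exe"},
    {"name": "pkg-preferred-srv", "source": "http://preferred-srv01.example.internal/fix4.exe"},
    {"name": "pkg-ftp-core", "source": "ftp://core.example.internal/fix5.exe"},
]


def check_package(pkg, core_host=CORE_HOST):
    """Return (ok, reason) for one package under the CSA rules stated in the
    thread: the source must be HTTP(S) and must be served by the Core itself."""
    src = pkg["source"]
    # UNC paths never reach a DMZ client that only talks to the Core via the CSA.
    if src.startswith("\\\\"):
        return False, "UNC path; CSA clients cannot reach file shares"
    parsed = urlparse(src)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme '{parsed.scheme or 'none'}' is not HTTP(S)"
    # Preferred servers / other hosts are not reachable through the CSA.
    if parsed.hostname is None or parsed.hostname.lower() != core_host.lower():
        return False, f"host '{parsed.hostname}' is not the Core; preferred servers do not work via CSA"
    return True, "ok"


def audit(packages, core_host=CORE_HOST):
    """Map package name -> (ok, reason) so failing packages can be fixed before
    they are assigned to a policy targeting DMZ clients."""
    return {p["name"]: check_package(p, core_host) for p in packages}


if __name__ == "__main__":
    for name, (ok, reason) in audit(SAMPLE_PACKAGES).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {reason}")
```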