Symantec Management Platform (Notification Server)


DMZ solutions for Notification Server/Inventory/Patch Management

  • 1.  DMZ solutions for Notification Server/Inventory/Patch Management

    Posted May 07, 2009 11:30 AM

    I am about to deploy Notification Server 6.0 SP3 with all sorts of bolt on solutions. I have a core network and two separate firewalled DMZs. I want to use my Altiris solution for inventory purposes and patch management on servers in the DMZ.

    How should my architecture look? What options do I have? I understand that communication is only HTTP over tcp 80 (by default), but it will be initiated by the client (inside the DMZs). Do I need to open my firewall (inbound from DMZ) from all hosts to my NS? :(

    Is there a document that might help?

    Many thanks
     



  • 2.  RE: DMZ solutions for Notification Server/Inventory/Patch Management

    Posted May 07, 2009 11:46 AM
    Hi,

    I went to kb.altiris.com and typed DMZ in the search. It came back with a ton of information and similar situations like yours. I would try that first.


  • 3.  RE: DMZ solutions for Notification Server/Inventory/Patch Management

    Posted May 07, 2009 11:55 AM
    Many thanks. I will try there first.


  • 4.  RE: DMZ solutions for Notification Server/Inventory/Patch Management

    Posted May 07, 2009 12:35 PM
    We are doing this in several of our world regions and here at headquarters.  You can assign additional ports for IIS to listen on, which is what we did (from the start, actually).  We made the new port the default and added 80 as a backup for non-DMZ machines, then added firewall rules to allow the inbound traffic from the DMZ hosts to the NS only, via the specified port (< 1024).  The Agent policies are configured to "specify an alternative URL" (err, something like that) for the NS, with the port appended to the URL (http://servername.company.com:port/Altiris I believe).  Actually all the agents are using the custom port (for both DMZ and regular network) so we could apply QoS de-prioritization of the traffic on that port #.  We left port 80 in play so that support staff wouldn't have to remember to add the port to the URL when accessing the console.


  • 5.  RE: DMZ solutions for Notification Server/Inventory/Patch Management

    Posted May 07, 2009 01:25 PM

    Many thanks Kyle.  This looks like the way we are going to go.  Not too happy about opening inbound ports from multiple DMZ hosts but I can't really see much of any other way.

    Regards

    Eddie



  • 6.  RE: DMZ solutions for Notification Server/Inventory/Patch Management

    Posted May 07, 2009 02:51 PM
    Well, I think the risk is fairly well mitigated by only allowing HTTP through that custom port, from the source server, and only to the NS itself.  I guess that is still some exposure...but not much.  But again, I'm not a network nor security guy, so what do I know? :)


  • 7.  RE: DMZ solutions for Notification Server/Inventory/Patch Management

    Posted May 12, 2009 10:45 AM
    I know other customers have put ISA (or whatever the equivalent is now) server(s) between the DMZ and the NS.  That way they could control the requests coming into the NS (only allow requests to certain HTTP paths and with certain HTTP verbs, etc.).  It would take a little effort to investigate using an HTTP capture tool but not too bad I don't think.


  • 8.  RE: DMZ solutions for Notification Server/Inventory/Patch Management

    Posted May 12, 2009 11:02 AM

    One of my clients does this and we have not had any trouble. To keep things a little more locked down, they keep their SQL instance on a separate box inside the firewall.



  • 9.  RE: DMZ solutions for Notification Server/Inventory/Patch Management

    Posted May 14, 2009 06:57 PM
    Do they just use the firewalling or ISA or both or something more as well?

    Thanks


  • 10.  RE: DMZ solutions for Notification Server/Inventory/Patch Management

    Posted Apr 27, 2010 09:50 AM
    We went alternate ports. Nightmare! You then need to check that every other solution that you want to install can use alternate ports. Task server doesn't!!



  • 11.  RE: DMZ solutions for Notification Server/Inventory/Patch Management

    Posted May 05, 2010 11:38 PM

    Well, lucky for us we never installed nor deployed Task in our environment! :)  Call me crazy...but when I'm managing 14,000 machines....I don't want ANYTHING happening to all of them "right now" via an "oops" Task.  I'm a big fan of policy-based management for that reason.  Does Task Server just not like a custom port for the Altiris Agent communication with the NS, or if you're trying to force it to use a different port specifically for Task Server communications with task agents?