Security best practices?
Hi everyone
I would like to get feedback on how to expose Desktop Central to the Internet in a secure manner. The documentation on this topic is scarce. I have not found any best practices so far. I would really appreciate comments from the community.
When we installed Desktop Central a few years ago, it was mainly used internally to patch out-of-date PCs and collect inventory data. The Desktop Central server was therefore set up in our LAN. Now we would like to make use of the following additional features:
- MDM
- Remote offices (some connect via VPN, others connect to the public IP)
- Remote management/control of roaming users (e.g. people who work from home)
This will require us to open various ports on our firewall and configure port forwarding to the Desktop Central server. The server is set up in our LAN which is not ideal. I am therefore looking for ways to improve this.
I initially thought we could set up a forwarding server and place it in the DMZ. However, Desktop Central support has explained to me that the forwarding server only supports MDM and can't be used to handle traffic to/from remote offices or WAN agents. More importantly, I was told that we won’t be able to manage remote offices and roaming users at all once the forwarding server is set up, so this is not an option.
I have seen posts from other users on this forum who set up two separate Desktop Central servers: one purely for MDM (which is exposed to the Internet and placed in the DMZ) and another one for patch management etc. (which remains in the LAN). This would improve security for MDM, however, the Desktop Central server would still have to be exposed to the Internet in order to support remote offices and roaming users.
Another option would be to move the Desktop Central server from the LAN into the DMZ. In our environment we currently don’t allow Active Directory access between DMZ and LAN which would surely limit the functionality.
I am curious how other people have set up and configured Desktop Central and I would appreciate any comments and suggestions.
Thank you.
I would like to get feedback on how to expose Desktop Central to the Internet in a secure manner. The documentation on this topic is scarce. I have not found any best practices so far. I would really appreciate comments from the community.
When we installed Desktop Central a few years ago, it was mainly used internally to patch out-of-date PCs and collect inventory data. The Desktop Central server was therefore set up in our LAN. Now we would like to make use of the following additional features:
- MDM
- Remote offices (some connect via VPN, others connect to the public IP)
- Remote management/control of roaming users (e.g. people who work from home)
This will require us to open various ports on our firewall and configure port forwarding to the Desktop Central server. The server is set up in our LAN which is not ideal. I am therefore looking for ways to improve this.
I initially thought we could set up a forwarding server and place it in the DMZ. However, Desktop Central support has explained to me that the forwarding server only supports MDM and can't be used to handle traffic to/from remote offices or WAN agents. More importantly, I was told that we won’t be able to manage remote offices and roaming users at all once the forwarding server is set up, so this is not an option.
I have seen posts from other users on this forum who set up two separate Desktop Central servers: one purely for MDM (which is exposed to the Internet and placed in the DMZ) and another one for patch management etc. (which remains in the LAN). This would improve security for MDM, however, the Desktop Central server would still have to be exposed to the Internet in order to support remote offices and roaming users.
Another option would be to move the Desktop Central server from the LAN into the DMZ. In our environment we currently don’t allow Active Directory access between DMZ and LAN which would surely limit the functionality.
I am curious how other people have set up and configured Desktop Central and I would appreciate any comments and suggestions.
Thank you.