Do you all mind sharing recommendations on how to securely expose port 5721 from an on-premise deployment to allow agents to check in?
Our VSA has always been an on-premise deployment meaning the only way for our agents to connect is being in the office or over VPN. This was a viable approach with only 10% of our users connecting over VPN. However, now with 50% of our associates working from home, having everyone connect to VPN is impractical when trying to deploy patches.
We’re looking at our options to have users connect to the VSA when connected to their home wifi and without VPN. One option is to expose port 5721 to the public internet. Which raises security concerns because if the VSA server is compromised somehow using the expose port, the risk to other agents can be significant.
Open port 5721 to the internet, and make sure you keep the vsa server up to date, and require 2FA for all admins.. It's the best you can do. At some level anything with internet access is a risk and you have to weigh the results. Honestly I would argue that having port 5721 open to the internet is more secure than having users connected to their home networks connecting into a VPN back to your office... Much more likely for their machine to have some type of infection by nature of being on their home network, then spreading that to your internal network across the VPN,than something successfully breaching the VSA server.
Jonathan is spot on. 5721 traffic will be evaluated by the VSA's software firewall before getting to the app server.
No need to join it to the Domain, but you can. Bit of a false sense of security, either way you argue... since a fully breached VSA has more power then a Domain Admin, since it can create domain admins at will.
Some customers put it in a DMZ with 443 access from the internet side... some only open 5721 and you need to VPN in to get to the UI. Again, if you use MFA or SSO, and practice good PW complexity and rotation... the convenience of being able to touch every endpoint from any browser gives you a tactical advantage when battling any threat.
Like loading rubber bullets because your afraid the enemy might steal your gun... more likely then not, when the battle arrives... you going to be running towards the fight, wishing you loaded the full metal jacket .62 grain ballistic tip.
Point is, your slightly more exposed, but considerably more powerful when your Agents can call home, providing you full control and visibility from anywhere in the world. Staying blind because your afraid your visibility can be compromised, I would argue makes you disproportionally weaker...
That said, you are wise to be paranoid... and "just because your paranoid, doesn't mean they're not really out to get you..."