Kaseya Community

DMZ install or behind proxy

This question is not answered
All Replies
  • Yes.

  • Put more information in your quest please.

    Dan is right if the question is "Can i install the agent on a server in a DMZ or behind a proxy?"

    You may run into problems if you install the agent on ISA or TMG as you have to get the rule 100 percent correct for the agent to send traffic out. If you have multihomed nic's on a software proxy like ISA or TMG you might have to open up CMD and add a route to one of your network cards and so on. Play around and let us know how you go.

  • Sorry for the lack of info...

    Basically I'm not worried about client agents...I'm doing the intial install of the Kaseya system at our site, and I don't have any other systems that are active like this on the 'front line' running windows.  Everything is behind a linux based proxy server... so my question isn't regarding whether or not I can install a client on a system sitting in a DMZ...but can I put the main kaseya system in the DMZ (with a separate sql database and reporting services installed on a server on the internal LAN)?  

    If it's ok to put Kaseya's main system in a DMZ...then I'm wondering about the reverse proxy...Most basic websites are fairly no brainer to get working behind an incoming proxy....but on the other hand,exchange outlook web access is a real bear to get working right in a couple non-microsoft proxies I've worked with because it exploits some 'non-standard' communication and Microsoft basically says 'tough - use ISA' while others say 'tough - use the standard'.  Thus, my 'putting Kaseya behind a proxy in a dmz' question also reflects that anguish :)

    Pete

  • Kaseya set up is pretty simple with firewalls.  Basically port 80 (443 for ssl) and 5721 in and out are all you need, plus 1433 for SQL (all this assumes you are using standard ports).  Also allow VSA server to AD if you are running that.

    Lock down everything else.

    Remember to allow 1433 from Kserver to SQL.  Remember to allow 5721 from DMZ to and from LAN if you place agents in there.

    Best way to test it.  Install it as you mentioned (Kserv in DMZ, SQL on LAN).  Then put an agent on and internal pc and an agent on a laptop or pc at home.  Remote control and run a couple of scripts and you have proven the set up.  Any problems would then normally be site specific.  

    FYI we have out VSA on a separate server to SQL but both in the internal lan (for convenience).  We only have port 80, 443 and 5721 open on our gateway firewall and those 3 ports plus 1433 to SQL open on the VSA firewall.

  • Hi Pete,

    did you ever get this answered. I have a similar setup and I'd like to terminate the SSL connection at the proxy.

    I suspect IIS must be configured to support the (reverse) proxy setup?