Some managed devices are always located outside of the main network (for example, computers in a company's regional branches; kiosks, ATMs, and terminals installed at various points of sale; computers in the home offices of employees). Some devices travel outside the perimeter from time to time (for example, laptops of users who visit regional branches or a customer's office).
You still need to monitor and manage the protection of out-of-office devices: receive current information about their protection status and keep the security applications on them up to date. This is necessary because, for example, if such a device is compromised while away from the main network, it could become a platform for propagating threats as soon as it reconnects to the main network. To connect out-of-office devices to Administration Server, you can use two methods:
See the data traffic scheme: Administration Server on LAN, managed devices on the Internet, connection gateway in use
See the data traffic scheme: Administration Server in DMZ, managed devices on the Internet
A connection gateway in the DMZ
A recommended method for connecting out-of-office devices to Administration Server is organizing a DMZ in the organization's network and installing a connection gateway in the DMZ. External devices will connect to the connection gateway, and Administration Server inside the network will initiate a connection to the devices via the connection gateway.
As compared to the other method, this one is more secure:
Also, a connection gateway does not require many hardware resources.
However, this method has a more complicated configuration process:
The scenario in this section describes this method.
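The traffic scheme described above, expressed as a policy for the perimeter firewall that separates the Internet, the DMZ and the internal network. This is an added example and not part of the original documentation; the interface names, addresses and the gateway port are placeholders, not values from the page.

```nftables
# Added example (not from the original documentation): nftables policy for
# the firewall between the Internet (wan0), the DMZ (dmz0) and the LAN (lan0)
# in the "connection gateway in the DMZ" scheme.
# Placeholders (assumptions, not values from the page):
#   10.10.1.10  connection gateway in the DMZ
#   10.0.0.10   Administration Server on the internal network
#   13000       TCP port on which the gateway accepts connections
define gateway   = 10.10.1.10
define admserver = 10.0.0.10
define gw_port   = 13000

table inet perimeter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies on already established flows may pass in either direction.
        ct state established,related accept

        # Out-of-office devices on the Internet may reach only the
        # connection gateway, and only on the gateway port.
        iifname "wan0" oifname "dmz0" ip daddr $gateway \
            tcp dport $gw_port ct state new accept

        # Administration Server initiates the connection to the gateway.
        # Nothing in the DMZ is allowed to open a connection into the LAN.
        iifname "lan0" oifname "dmz0" ip saddr $admserver ip daddr $gateway \
            tcp dport $gw_port ct state new accept

        # The drop policy already denies DMZ -> LAN and Internet -> LAN;
        # log these so that attempts from a compromised gateway are visible.
        iifname "dmz0" oifname "lan0" log prefix "dmz-to-lan-denied: " drop
        iifname "wan0" oifname "lan0" log prefix "wan-to-lan-denied: " drop

        # Contrast: with Administration Server itself in the DMZ, this chain
        # would have to admit new connections from any Internet address to
        # the Server and from the Server into the LAN, which is the exposure
        # the text warns about.
    }
}
```

Any hit on the two logging rules is worth alerting on, since in this scheme the gateway should never originate traffic towards the internal network.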
To add a connection gateway to a previously configured network:
Administration Server in the DMZ
Another method is installing a single Administration Server in the DMZ.
This configuration is less secure than the other method. To manage external laptops in this case, Administration Server must accept connections from any address on the internet. It will still manage all devices in the internal network, but from the DMZ. Therefore, a compromised Server could cause an enormous amount of damage, despite the low likelihood of such an event.
The risk gets significantly lower if Administration Server in the DMZ does not manage devices in the internal network. Such a configuration can be used, for example, by a service provider to manage the devices of customers.
You might want to use this method in the following cases:
This solution also has possible difficulties: