About connecting out-of-office devices

Some managed devices are always located outside of the main network (for example, computers in a company's regional branches; kiosks, ATMs, and terminals installed at various points of sale; computers in the home offices of employees). Some devices travel outside the perimeter from time to time (for example, laptops of users who visit regional branches or a customer's office).

You still need to monitor and manage the protection of out-of-office devices—receive actual information about their protection status and keep the security applications on them in the up-to-date state. This is necessary because, for example, if such a device is compromised while being away from the main network, it could become a platform for propagating threats as soon as it connects to the main network. To connect out-of-office devices to Administration Server, you can use two methods:

Connection gateway in the demilitarized zone (DMZ)
See the data traffic scheme: Administration Server on LAN, managed devices on the Internet, connection gateway in use
Administration Server in DMZ
See the data traffic scheme: Administration Server in DMZ, managed devices on Internet

A connection gateway in the DMZ

A recommended method for connecting out-of-office devices to Administration Server is organizing a DMZ in the organization's network and installing a connection gateway in the DMZ. External devices will connect to the connection gateway, and Administration Server inside the network will initiate a connection to the devices via the connection gateway.

As compared to the other method, this one is more secure:

You do not need to open access to Administration Server from outside the network.
A compromised connection gateway does not pose a high risk to the safety of the network devices. A connection gateway does not actually manage anything itself and does not establish any connections.

Also, a connection gateway does not require many hardware resources.

However, this method has a more complicated configuration process:

To act a device as a connection gateway in the DMZ, you need to install Network Agent and connect it to Administration Server in a specific way.
You will not be able to use the same address for connecting to Administration Server for all situations. From outside the perimeter, you will need to use not just a different address (connection gateway address), but also a different connection mode: through a connection gateway.
You also need to define different connection settings for laptops in different locations.

The scenario in this section describes this method.

To add a connection gateway to a previously configured network:

Install the Network Agent in connection gateway mode.
Reinstall the Network Agent on devices that you want to connect to the newly added connection gateway.

Administration Server in the DMZ

Another method is installing a single Administration Server in the DMZ.

This configuration is less secure than the other method. To manage external laptops in this case, Administration Server must accept connections from any address on the internet. It will still manage all devices in the internal network, but from the DMZ. Therefore, a compromised Server could cause an enormous amount of damage, despite the low likelihood of such an event.

The risk gets significantly lower if Administration Server in the DMZ does not manage devices in the internal network. Such a configuration can be used, for example, by a service provider to manage the devices of customers.

You might want to use this method in the following cases:

If you are familiar with installing and configuring Administration Server, and do not want to perform another procedure to install and configure a connection gateway.
If you need to manage more devices. The maximum capacity of Administration Server is 100,000 devices, while a connection gateway can support up to 10,000 devices.

This solution also has possible difficulties:

Administration Server requires more hardware resources and one more database.
Information about devices will be stored in two unrelated databases (for Administration Server inside the network and another one in the DMZ), which complicates monitoring.
To manage all devices, Administration Server needs to be joined into a hierarchy, which complicates not only monitoring but also management. A secondary Administration Server instance imposes limitations on the possible structures of administration groups. You have to decide how and which tasks and policies to distribute to a secondary Administration Server instance.
Configuring external devices to use Administration Server in the DMZ from the outside and to use the primary Administration Server from the inside is not simpler than to just configure them to use a conditional connection through a gateway.
High security risks. A compromised Administration Server instance makes it easier to compromise its managed laptops. If this happens, the hackers just need to wait for one of the laptops to return to the corporate network so that they can continue their attack on the local area network.