This scenario describes how to connect managed devices that are located outside of the main network to Administration Server.
Prerequisites
The scenario has the following prerequisites:
Stages
This scenario proceeds in stages:
This device will be used as a connection gateway. The device that you select must meet the requirements for connection gateways.
We recommend that you use a local installation to install Network Agent on the selected device.
By default, the installation file is located at: \\<server name>\KLSHARE\PkgInst\NetAgent_<version number>
In the Connection gateway window of the Network Agent setup wizard, select Use Network Agent as a connection gateway in DMZ. This mode simultaneously activates the connection gateway role and tells Network Agent to wait for connections from Administration Server, rather than establish connections to Administration Server.
Alternatively, you can install Network Agent on a Linux device and configure Network Agent to work as a connection gateway, but pay attention to the list of limitations of Network Agent running on Linux devices.
To make sure that Administration Server can actually connect to the connection gateway in the DMZ, allow connections to TCP port 13000 in all firewalls between Administration Server and the connection gateway.
If the connection gateway has no real IP address on the internet, but instead is located behind Network Address Translation (NAT), configure a rule to forward connections through NAT.
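One way to verify the firewall and NAT rules described above is to probe the gateway from the Administration Server host. This is an added example, not part of the original documentation or the product's tooling; the addresses are placeholders from documentation ranges, and the interpretation of each result is an assumption based on standard TCP behaviour.

```python
import socket

GATEWAY_PORT = 13000  # TCP port the scenario requires firewalls to allow

# What each result suggests checking (interpretation added for this example).
HINTS = {
    "open": "firewall and NAT rules pass traffic to the gateway",
    "refused": "path is open, but nothing is listening: check that Network "
               "Agent runs in connection gateway (DMZ) mode",
    "filtered": "no reply: a firewall is dropping TCP 13000 or the NAT "
                "forwarding rule is missing",
    "unreachable": "name resolution or routing to the gateway failed",
}


def probe_gateway(host, port=GATEWAY_PORT, timeout=3.0):
    """Attempt one TCP connection; run this on the Administration Server host."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # RST came back: host reachable, port closed
    except socket.timeout:
        return "filtered"     # SYN silently dropped somewhere on the path
    except OSError:
        return "unreachable"  # DNS failure, no route, network down


def check_targets(targets, port=GATEWAY_PORT, timeout=3.0):
    """Probe every address the gateway is known by (DMZ address, NAT address)."""
    return {host: probe_gateway(host, port, timeout) for host in targets}


if __name__ == "__main__":
    # Placeholder addresses (documentation ranges); replace with your own.
    for host, status in check_targets(["192.0.2.10", "198.51.100.10"]).items():
        print(f"{host}:{GATEWAY_PORT} {status} - {HINTS[status]}")
```

A "filtered" result points at a firewall or NAT rule on the path, while "refused" means the packets arrive but Network Agent is not waiting for connections on the gateway.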
Create a new group under the Managed devices group. This new group will contain external managed devices.
The connection gateway that you have configured is waiting for a connection from Administration Server. However, Administration Server does not list the device with the connection gateway among managed devices. This is because the connection gateway has not tried to establish a connection to Administration Server. Therefore, you need a special procedure to ensure that Administration Server initiates a connection to the connection gateway.
Do the following:
The connection gateway is connected and configured.
Usually, external desktop computers are not moved inside the perimeter. Therefore, you need to configure them to connect to Administration Server through the gateway when installing Network Agent.
If updates of security applications are configured to be downloaded from Administration Server, external computers download updates through the connection gateway. This has two disadvantages:
Do the following:
Traveling laptops are within the network sometimes and outside the network at other times. For effective management, you need them to connect to Administration Server differently depending on their location. For efficient use of traffic, they also need to receive updates from different sources, depending on their location.
You need to configure rules for out-of-office users: connection profiles and network location descriptions. Each rule defines, depending on the location of the traveling laptops, the Administration Server instance to which they must connect and the Administration Server instance from which they must receive updates.