Internet access: Network Agent as connection gateway in DMZ

Administration Server can be located on the internal network of the organization, and in that network's DMZ there can be a device with Network Agent running as a connection gateway with reverse connectivity (Administration Server establishes a connection to Network Agent). In this case, the following conditions must be met to ensure internet access:

• Network Agent must be installed on the device that is in the DMZ. When you install Network Agent, in the Connection gateway window of the setup wizard, select Use Network Agent as a connection gateway in DMZ.
• The device with the installed connection gateway must be added as a distribution point. When you add the connection gateway, in the Add distribution point window, select the Select → Add connection gateway in DMZ by address option.
• To use an internet connection to connect external desktop computers to the Administration Server, the installation package for Network Agent must be corrected. In the properties of the created installation package, select the Advanced → Connect to Administration Server by using a connection gateway option, and then specify the newly created connection gateway.

For the connection gateway in the DMZ, Administration Server creates a certificate signed with the Administration Server certificate. If the administrator decides to assign a custom certificate to Administration Server, it must be done before a connection gateway is created in the DMZ.

If some employees use laptops that can connect to Administration Server either from the local network or over the internet, it may be useful to create a switching rule for Network Agent in the Network Agent's policy.