Lumension KB Template

How to Manage Endpoints over the Internet

Endpoint Management and Security Suite (E.M.S.S.) uses the HTTPS and HTTP protocols, which allows IT administrators to manage endpoints over both the intranet and the internet (no VPN tunnel required).
This article guides IT administrators through managing endpoints over the internet without publishing or exposing the EMSS Server to the internet.
Applies To:
Endpoint Management and Security Suite 7x

Network Diagram

The diagram below provides a high-level overview of how the solution works. In this example, there are two static IP addresses:

  • 10.10.10.10 – IP Address for Caching Proxy.
  • 10.10.10.11 – IP Address for the EMSS Server.

Steps

1. Install a Caching Proxy (LCP) inside your demilitarized zone (DMZ)

The goal is to designate a caching server that acts as a “middle-man” between the EMSS Server and managed endpoints. We recommend either leveraging your existing internet-facing caching solution or installing our Caching Proxy from the self-service center.

Installing a caching proxy will also reduce the workload on the EMSS Server during large deployments or security update rollouts.

2. Create Firewall Rule

Create a firewall rule that allows the static IP address of the Caching Proxy inbound access to the EMSS Server. The rules should explicitly allow TCP traffic from the Caching Proxy inside your DMZ to the EMSS Server inside your enterprise network. See the table below for the recommended rules.

Direction / TCP Port Number / Description
Inbound / 25253 / This is the default port number for the Caching Proxy.
Inbound / 443 / This is the default port number for the EMSS Agent and is used for basic communication.
Inbound / 80 / This is the default port number for the EMSS Agent and is used for HTTP downloads.

Test these firewall rules from outside the enterprise network to make sure proper connectivity is allowed to the EMSS Server address.

3. Create Agent Policy for Mobile Computers

In this task, create a dedicated policy for your mobile computers so that the FastPath Servers feature can be activated. This feature configures the Agent to communicate with the Caching Proxy when the computer is not connected to the enterprise network.

  1. Log on to the EMSS Web Console > Manage > Agent Policy Sets > click the create button to create a new agent policy.
  2. Name the policy “Mobile Computer Policy”.
  3. Under the FastPath Servers section, click the modify button to define the values.
  4. Add the following URLs on this page:

Address / Port / Description
/ 25253 / This setting will auto configure the EMSS Agent to communicate with a Caching Server that is located inside the DMZ.
Note: Using a DNS record for the 10.10.10.10 IP address is recommended.
/ 80 / This setting will auto configure the EMSS Agent to communicate to the EMSS Server when the laptop is connected to the enterprise network.
  5. Configure the Interval to 60 minutes and click save.

4. Create a new Custom Group for Mobile Computers.

Create a new group for your mobile computers so that the Mobile Computer Policy with the FastPath Server settings can be assigned to it.

  1. Log on to the EMSS Web Console > Manage > Groups > select Custom Group > right-click > select create group.
  2. For the Group Name, type Mobile Computers Group and click save.
  3. Change the view setting to Endpoint Membership and add at least one endpoint to the group so the settings can be tested.
  4. Change the view setting to Agent Policy Sets and assign the Mobile Computer Policy to the Mobile Computers Group. This assigns the FastPath settings to all members of the Mobile Computers Group.

5. Test the settings

If you have a guest Wi-Fi router that does not have access to the enterprise network, connect the computer to the guest Wi-Fi. Make sure this computer is a member of the Mobile Computers Group.

If you use Squid Proxy Server or our Caching Proxy as your caching appliance, you can monitor the traffic by reviewing the access.log located in <installpath>\CachingProxy\var\logs.
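
The access.log review described above, as an added example (not part of the original article or the vendor's tooling): a Python script that confirms the test endpoint's requests reached the EMSS Server through the proxy and lists every request for any other destination. It assumes the proxy writes Squid's default native log format; the sample lines, URL paths and client addresses are constructed, and 10.10.10.11 is the EMSS Server address from this article's example.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumptions: addresses from this article's example network; adjust for yours.
EMSS_HOSTS = {"10.10.10.11"}   # add the EMSS Server's DNS name if agents use one
EMSS_PORTS = {80, 443}         # agent ports listed in the firewall table

# Constructed sample in Squid's native access.log format (not real traffic):
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1700000000.101 412 203.0.113.25 TCP_MISS/200 52344 GET http://10.10.10.11/sample/update.cab - DIRECT/10.10.10.11 application/octet-stream
1700000042.007 3 198.51.100.7 TCP_HIT/200 52344 GET http://10.10.10.11/sample/update.cab - NONE/- application/octet-stream
1700000050.300 95 198.51.100.7 TCP_MISS/200 3911 CONNECT 10.10.10.11:443 - DIRECT/10.10.10.11 -
1700000061.900 120 192.0.2.44 TCP_MISS/200 1270 GET http://example.org/ - DIRECT/192.0.2.80 text/html
1700000063.450 0 192.0.2.44 TCP_DENIED/403 1450 CONNECT example.net:25 - NONE/- text/html
"""

def parse_line(line):
    """Return client, cache action, destination host and port for one log line."""
    f = line.split()
    if len(f) < 10:
        return None                      # blank or truncated line
    action = f[3].split("/")[0]
    method, url = f[5], f[6]
    try:
        if method == "CONNECT":          # logged as host:port, no scheme
            host, _, port = url.rpartition(":")
            port = int(port)
        else:
            parts = urlsplit(url)
            host = parts.hostname or ""
            port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return None                      # unparseable port
    return {"client": f[2], "action": action, "host": host.lower(), "port": port}

def review(log_text):
    """Count cache hits/misses for EMSS traffic; collect every other request."""
    cache, other = Counter(), []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e["host"] in EMSS_HOSTS and e["port"] in EMSS_PORTS:
            cache["hit" if "HIT" in e["action"] else "miss"] += 1
        else:
            other.append((e["client"], e["action"], f'{e["host"]}:{e["port"]}'))
    return cache, other

if __name__ == "__main__":
    cache, other = review(SAMPLE_LOG)
    print("EMSS requests:", dict(cache))
    for client, action, dest in other:
        print("non-EMSS destination:", client, action, dest)
```

Entries in the second list that were not denied mean the internet-facing proxy is forwarding requests to destinations other than the EMSS Server, which is worth checking against the proxy's access rules.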

6. Add all mobile computers to the Mobile Computers Group

Once you are satisfied with the test results, add all of the mobile computers managed by the EMSS Server to the Mobile Computers Group. This activates the FastPath settings, and you can then manage endpoints over the internet while the EMSS Server remains inside the enterprise network.

FAQ

What do caching proxies do?
A caching proxy server accelerates service requests by retrieving content saved from a previous request. The Caching Proxy keeps a local copy of frequently requested content, which helps organizations reduce bandwidth usage and cost.

What information or files are stored on the proxy?
To help minimize the network impact, the EMSS Agent initiates downloads over TCP port 80 so that caching proxies can store the content locally. The following types of content are stored locally:

  • Software patches or updates (Patch and Remediation).
  • Antivirus Engine and Definition updates (Antivirus).
  • Module Activation (Manage > Endpoints > Manage Modules page).

Can I have more than one proxy?
Yes, you can use more than one caching proxy so that you have failover if your primary caching proxy fails. Using multiple proxies for mobile computers is also recommended. Activate the FastPath feature to automatically configure the endpoint to use the nearest caching proxy. Consult the EMSS help for more information on FastPath.

How can I configure a client to use more than one proxy?
See Step 3 above to add additional caching proxies.

What happens if they only have one proxy and it goes down? What happens to the clients?
All endpoints bound to the caching proxy will report offline.

Can I configure any bandwidth settings on the proxy? How?
Since Caching Proxy is based on Squid Proxy 2.7, please consult the Squid Configuration Guide for the delay_pools configuration directive.

For example, to configure Caching Proxy to throttle the EMSS Agent at 256 kbps, edit squid.config with the settings below and restart the service for the changes to take effect:

######## Delay Pools #########
# a simple global throttle, users sharing 256 Kbit/s
delay_pools 1
delay_class 1 1
# 256 Kbit/s fill rate, 1024 Kbit/s reserve
delay_parameters 1 32000/128000
acl All src 0/0
delay_access 1 allow All