Charles_Hurst
Contributor

Management Server Internet Facing

Hey all,

Purely theoretical unless someone has encountered this...

Is it likely that a company's IT policies would prevent, or at least not be too forthcoming with, having their SMS internet facing?

I know a lot of companies that would have a management subnet that is not internet facing and therefore would not be able to manage remote gateways using the same management server.

Is this something anyone has faced, and if so, what is the workaround?

My guess is a site-to-site VPN with an SMS on all sites for local management...

Thanks,

Charles

4 Replies
Vladimir
Champion

When CP SMS is deployed in cloud environments, it is mandatory for it to be Internet-facing for integration with the cloud providers' APIs.

Even in distributed environments of moderate complexity, i.e. a main office and branches, you have to statically NAT your management server to a public IP address to centrally manage the branch firewalls.

Depending on the geographical distribution of your offices and the number of hosts and users in each, implementation of local management may or may not be warranted.

Management over VPN is NOT recommended, and you can find multiple references for the reasons in this forum.

If it is at the planning stage, showing that management traffic is secure by nature and limiting source IPs in Gaia to those that belong to your organization should be sufficient justification for an exemption in the company's security policy.

Otherwise, if it is a really strict policy, you'll have to stick to WAN connectivity between sites not to expose management traffic to the outside at all.
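
Limiting the management server's Gaia host access to the organization's own source addresses, as suggested above, shown as an added example that is not part of the thread. The addresses are constructed TEST-NET values, and the `allowed-client` command syntax is the Gaia clish Host Access CLI as assumed here, so confirm it against the Gaia administration guide for your release.

```clish
# Gaia clish on the Security Management Server (constructed example).
# The default Host Access entry lets any-host reach the Gaia Portal and SSH.
show allowed-client all

# 1. Add the organization's own ranges FIRST, so the session you are
#    working from remains allowed (constructed TEST-NET addresses).
add allowed-client host ipv4-address 203.0.113.10
add allowed-client network ipv4-address 198.51.100.0 mask-length 24

# 2. Only then remove the catch-all entry; removing it first locks you out.
delete allowed-client host any-host

# 3. Verify the resulting list and persist it across reboots.
show allowed-client all
save config
```

Host Access only governs the Gaia Portal and SSH; SmartConsole access to the management server is restricted separately through the GUI Clients list in cpconfig.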

Charles_Hurst
Contributor

Thanks again,

Makes a lot of sense!

I have been reading about (and thinking about deploying in my lab) Multi-Domain SMS, which would, I guess, solve the problem of needing local SMS/log servers for large sites and simplify management at the same time.

Thanks Vladimir, source of all knowledge as usual!

Charles

Vladimir
Champion

Charles,

Refuse the siren call of the MDS, unless it is truly warranted :)

It often adds unneeded complexity to operations and is mostly called for in multi-tenant environments with sufficient administrative personnel.

In R80.XX you have other options for managing distributed environments.

1. A single unified policy across your entire organization:

You can have shared inline layers to impose "Global" rules on the organization's policies across all gateways in the organization, and non-shared layers with installation targets being the gateways at each location.

2. Separate policies for each location, using shared layers when necessary.

3. Delegate administration of individual policies and/or layers to admins responsible for either each location or a subset of layers across the organization.

MDS is also called for in composite organizations running multiple lines of business, with each mandating the use of an independent security domain (CSRC Glossary: Security Domain).

In this case, the person or organization managing the MDS is NOT the same entity as the one responsible for the management of the DMSs (Domain Management Servers) it is running.

Cheers,

Vladimir

Charles_Hurst
Contributor

Thanks Vladimir,

Sorry for the delay!

Charles
