General - How To's

How to set up Desktop Central in a Demilitarized Zone?


This Document describes the steps involved in Setting up Desktop Central in a Demilitarized Zone. It also explains how Desktop Central can be used effectively in various network scenarios.

What is DMZ?

DMZ works by creating a network security zone in which services can be accessed from trusted and untrusted networks alike. One or more firewall can be used to create the DMZ ensuring that sensitive and critical data resides safely on the DMZ. Generally computers which are located within DMZ are designed to receive most of the incoming traffic (requests that are received into DMZ from outside network) but strictly restricts the outgoing traffic(requests that are sent out from DMZ to Outside network).

Using Desktop Central in DMZ network

Using Desktop Central to manage computers in a DMZ makes desktop management simpler and easier without compromising the security aspects of the network. Since there are different ways to to design a network with a DMZ, installing Desktop Central requires few prerequisites, which are based on the customers network design. We would require to open few ports in the firewall which are customer specific and harmless to network.


Desktop Central can be used to manage computers in the following types of network.

  • All computers in DMZ
  • All computers in LAN
  • All computers in remote locations
  • All roaming Users through direct connection
  • All roaming users through VPN.

Ports to be Opened in DMZ:

When Desktop Central Server is installed in the DMZ, the following ports should be opened in the firewall to allow the Desktop Central Agents to communicate with the Desktop Central Server.

Note: All the ports are inbound to the Desktop Central Server. The data flow would be both the ways - inbound and outbound.

8020: Used for agent-server communication and to access the Web console
8383: Used for secured communication between the agent and the Desktop Central server
8443: Used to control computers remotely (secure mode)
8444: Used to control computers remotely
8031: Used to transfer files (secure mode)
8032: Used to transfer files
8027: Used to perform on demand operations.
5223: port should be open, if the mobile device connects to the internet through the WiFi, it is recommended to configure the IP range
5228, 5229 & 5230 Inbound port - Used by the GCM to reach the managed mobile devices

Installing Desktop Central Server in DMZ

In this scenario Desktop Central server is installed inside the DMZ zone. Desktop Central Agents are installed in the computers which are located in the LAN, and the remote locations. Once the Desktop Central agents are installed, managing computers using Desktop Central from DMZ becomes very easy. As per the default DMZ rules, all incoming traffic will be permitted to reach the Desktop Central Server. Desktop Central agents from LAN, remote offices, and mobile users will communicate with the Desktop Central Server periodically. So there would be no hinderance for the agents to reach the Desktop Central Server, and communication remains the same in though the Desktop Central Server is located in DMZ.



Desktop Central Server which is located in the DMZ will be restricted to allow outgoing traffic. So Desktop Server will be restricted to reach the internet, this would result in hindering few services of the Desktop Central Server, which needs to be addressed. Since Desktop Central Server cannot permit the outgoing traffic, the following tasks of Desktop Central would be affected.

  • Automatic Patch updates, patch binaries, and software binary updates will not be updated automatically.
  • Automatic retrieval of warranty information from the vendors website will be affected
  • Deploying tasks on demand would be affected.
  • Connecting computers that are located in remote locations for remote sessions will be affected.


  • Authenticate Desktop Central Server to reach only the specified vendors website for automatic patch download and automatic retrieval of warranty
  • Desktop Central Server should have ports 8027 opened , which are live TCP connections used for On Demand actions and taking remote control of computers which are located in LAN or a remote location.

Desktop Central Distribution Server in DMZ

In some network scenarios, administrators prefer not to disclose the location of the Desktop Central Server due to security reasons. In such cases, the location of the Desktop Central Server is not disclosed to any of the computers that need to be managed in the LAN and remote location. Installing a Distribution Server in DMZ to manage all the computers in DMZ and a remote location can be done. So the Distribution Server is addressed as the central server for all the Desktop Central Agents.



  • Distribution Server should be identified as the central server for all the agents.
  • Distribution Server should handle its tasks and re-route the tasks that need to be done by Desktop Central Server.
  • Distribution Server should be able to communicate with the Desktop Central Server which is might be in the LAN or in a remote location


  • Desktop Central Agents should be directed to the Distribution Server as the point of contact.
  • A back end entry for Distribution Server to interact with the Desktop Central Server.

So, all the computers in LAN, remote location and mobile users can be managed using Desktop Central installed in the DMZ. If you find any difficulties in setting up the network, kindly contact support for further assistance.