HTTPS mode of agent installation is suitable to manage
This mode is helpful where maintaining a dedicated network tunnel is not feasible, because it allows the agents and the server to communicate over the internet.
Note: The most important prerequisite is that the Security Manager Plus (SMP) agents should be able to contact the Security Manager Plus server over HTTP.
The Security Manager Plus Server needs to be running on a system exposed to the internet (with an IP that is accessible by the external world). The web server port of Security Manager Plus (default: 6767) needs to be opened up to allow HTTP traffic to the server from the Security Manager Plus Agent. A management task (scan, patch deployment, agent configuration) is initiated in the server via the web interface. The agent checks in (polls) periodically with the Security Manager Plus Server (over the internet, using HTTP secured with SSL), authenticates itself and fetches the tasks. The tasks are executed and the response is submitted to the server at the next check-in interval (default: 5 minutes).
This means that it is always the SMP Agent that contacts the SMP Server (one-way), using the HTTP protocol over the web. It either submits responses to previous tasks or fetches new tasks to execute. The SMP Server is just a provider in this case. This implies that the agent machine should be allowed web access. If the agent machine requires a proxy server to access the internet, the proxy can be configured during agent installation or from the agent system tray icon.
Note: The HTTPS Agent can also be used in the LAN! But the TCP agent cannot be used over the internet.
Consider a scenario where a service provider, say SerPro in Washington, has a requirement to manage systems for 3 of its enterprise clients: AXZ Car wash in California, BNF Bank in Texas and Colt Freightliners in New York, which are situated in different locations in the USA. These 3 networks are in no way interconnected, and neither are they accessible by the SerPro network.
The Security Manager Plus Server will reside in the SerPro network in Washington. The Security Manager Plus Agents (in HTTPS mode) will be deployed in the systems in these 3 client networks spread across the US. The agents will contact the Security Manager Plus Server over the internet and fetch management tasks that need to be performed. On task completion they will report back periodically to the Security Manager Plus Server with the status update. Thus the systems in these independent enterprise networks will be managed by a single console with just internet accessibility.
Setting Up Security Manager Plus Server in the Service Provider Network
1. On a system which is in the Internet Data Center (IDC), with a public IP address
Security Manager Plus Server can be installed on a server in the IDC of the service provider. This server must have a unique public IP address and must be accessible over the web. Port 8843 (default web server port of Security Manager Plus server) must be open to allow Security Manager Plus agents to communicate with this server.
Administrators can log in to the web interface of Security Manager Plus from the SerPro data center, from the SerPro internal network, or from anywhere else if web access is allowed.
2. On a system in the internal network of the service provider, with internet access with a NAT/PAT router
Security Manager Plus can be installed on a system with an internal IP address, within the SerPro network. The NAT router in the service provider IDC will have the public IP address for external internet traffic, and this will redirect all traffic to and from the internal IP addresses. The NAT router must be configured (mapping in the routing table) in such a way that it routes all HTTP (web) traffic coming through port 6767 (default web server port of Security Manager Plus server) to the internal IP address of the system which has Security Manager Plus Server installed.
The SMP agents will have the external IP of the SerPro NAT router configured as the SMP Server name and will establish contact over the web on port 6767 (default). The NAT router at SerPro will take care of redirecting the requests/responses to the internal IP address of the SMP Server machine.
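A pre-flight check for the reachability prerequisite, as an added example that is not part of the product or its documentation: run from a customer-site machine, it attempts a direct outbound connection to the server name and port the agent will be configured with, and reports whether TCP, the TLS handshake or certificate validation is the step that fails. The function name `preflight` and the placeholder host `smp.example.net` are assumptions; the check does not go through a proxy, so a site that needs one will report `tcp_failed`.

```python
import socket
import ssl
import sys

# What each outcome usually means for the setup described on this page.
HINTS = {
    "tcp_failed": "port unreachable: firewall, missing NAT port mapping, or a proxy is required",
    "tls_failed": "port answers but does not complete a TLS handshake: wrong port or listener",
    "cert_untrusted": "TLS works, but the certificate does not validate for this server name",
    "ok": "reachable over verified TLS",
}


def preflight(server, port=6767, timeout=5.0):
    """Return (stage, detail) for a direct outbound TLS connection to server:port."""
    try:
        raw = socket.create_connection((server, port), timeout=timeout)
    except OSError as exc:  # covers DNS failure, connection refusal and timeout
        return ("tcp_failed", str(exc))
    # Default context verifies the chain and the server name (or IP address SAN),
    # which matters when agents are configured with a NAT router's external IP.
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            cert = tls.getpeercert()
            return ("ok", f"{tls.version()}, certificate expires {cert['notAfter']}")
    except ssl.SSLCertVerificationError as exc:
        return ("cert_untrusted", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        return ("tls_failed", str(exc))
    finally:
        raw.close()


if __name__ == "__main__":
    # smp.example.net is a placeholder; pass the configured server name or IP.
    host = sys.argv[1] if len(sys.argv) > 1 else "smp.example.net"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 6767
    stage, detail = preflight(host, port)
    print(f"{host}:{port} -> {stage}: {HINTS[stage]} ({detail})")
```

A `cert_untrusted` result is worth resolving before rollout rather than bypassing, since the agent authenticates and fetches tasks over this channel.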
Setting Up Security Manager Plus Agents at the customer sites
This process is very simple and does not involve any major configuration at the customer sites.
Note: If the customer site cannot access the SMP server web interface, you can copy the SMP Agent installable onto the customer network by some other means, and proceed with the installation.
Alternatively, you can connect to the Security Manager Plus Server from a browser in the target machine, using the URL: https://server_name:portnumber. (e.g.
Login and visit the 'Admin' tab.
Use the 'Download Windows Agent' link on the Admin tab to download and install the Security Manager Plus agent (.exe file) on that particular system. Carry out the same step for the desired number of target machines. Choose HTTPS mode when prompted during the installation.
There are some parameters that need to be configured for this mode. They can be set in either of the following ways:
By editing two config files - agent.ini & server.ini in the agent installation
From the web interface of Security Manager Plus --> Admin tab --> Agent Administration link for the agent system listed
Here are the parameters:
Do not alter the Server Port value unless it was changed accordingly during Security Manager Plus Server installation.