How To securely set up a dispatcher in a Demilitarized Zone (DMZ)
RES Support and RES Pre-Sales consultants often receive questions on how to manage and maintain devices in a Demilitarized Zone (DMZ) and mobile devices with RES Wisdom.
When you want to manage and maintain devices in a DMZ and mobile devices, a few considerations need to be taken into account, because you want the communication to be stable and secure:
- Communication from DMZ to LAN should be secure (use SSL)
- Communication within the DMZ should be secure (use SSL)
- Communication from internet (WAN) to DMZ should be secure (use SSL)
- Only needed resources should be stored temporarily in the DMZ
When you already have RES Wisdom running in your environment, the communication between the Dispatcher(s) and the RES Wisdom Datastore will probably take place without encryption. RES Wisdom has the option to communicate with Microsoft SQL Server over SSL. When this option is enabled in the RES Wisdom management console, all traffic between the Dispatchers and the Datastore will use SSL.
Before you can enable the SSL option in RES Wisdom, the Microsoft SQL Server (Datastore) needs to be enabled for SSL. How to enable SSL on Microsoft SQL Server is described on Microsoft TechNet and in the Microsoft knowledge base.
NOTE: When you enable SSL in RES Wisdom, all Dispatchers and consoles need to be repaired.
After the configuration of the Microsoft SQL Server, the next step is to build a Windows Server in the DMZ that can act as RES Wisdom Dispatcher. When you already have a Windows Server in your DMZ, this server can also be used as the RES Wisdom Dispatcher.
When you have built or selected a server, you need to make sure that the correct ports for database communication are opened on the firewall (DMZ to LAN). The ports that have to be opened depend on the type of database you use (e.g. Microsoft SQL Server by default communicates over port 1433).
RES Wisdom Agents communicate with the RES Wisdom Dispatchers on port 3163. To enable mobile devices to communicate with the Dispatcher in the DMZ, two actions need to be completed:
- Create a WAN to DMZ rule for port 3163
- Create an FQDN for the Dispatcher that is available on the internet
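The following PowerShell script is an added example (not part of this article and not RES Wisdom code) that a practitioner can run on the DMZ dispatcher server to verify the prerequisites described above: the DMZ-to-LAN firewall path to the Datastore is open on the database port, something is listening on port 3163 for the agents, and the internet-facing FQDN resolves to the public address the mobile agents will use. The host names, the FQDN, the public IP address and the SQL Server registry path are placeholders you must replace with your own values; the `ForceEncryption` and `Certificate` registry values are the standard SQL Server network-library settings behind the "Force Encryption" flag in SQL Server Configuration Manager and can only be read on the SQL Server itself, so that function is meant to be run there, not on the dispatcher.

```powershell
# Added verification script (not part of RES Wisdom). Run on the DMZ dispatcher
# server as an administrator. All values below are placeholders for your environment.
param(
    [string]$DatastoreHost    = 'sqlserver.lan.example',  # placeholder: LAN SQL Server (Datastore)
    [int]   $DatastorePort    = 1433,                     # default Microsoft SQL Server port (see article)
    [int]   $DispatcherPort   = 3163,                     # RES Wisdom agent-to-dispatcher port (see article)
    [string]$PublicFqdn       = 'dispatcher.example.com', # placeholder: internet-facing FQDN of the dispatcher
    [string]$ExpectedPublicIp = '203.0.113.10'            # placeholder: public address NAT'd to this dispatcher
)

$results = @()

# 1. DMZ -> LAN: can this dispatcher reach the Datastore on the database port?
#    A failure here usually means the DMZ-to-LAN firewall rule is missing.
$db = Test-NetConnection -ComputerName $DatastoreHost -Port $DatastorePort -WarningAction SilentlyContinue
$results += [pscustomobject]@{
    Check = "DMZ->LAN TCP $DatastorePort to $DatastoreHost"
    Pass  = $db.TcpTestSucceeded
}

# 2. Dispatcher service: is a listener bound to the agent port?
$listen = Get-NetTCPConnection -LocalPort $DispatcherPort -State Listen -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Check = "Dispatcher listening on TCP $DispatcherPort"
    Pass  = [bool]$listen
}

# 3. WAN -> DMZ: does the public FQDN resolve to the address that the
#    WAN-to-DMZ firewall rule for port 3163 forwards to this server?
$dns      = Resolve-DnsName -Name $PublicFqdn -Type A -ErrorAction SilentlyContinue
$resolved = @($dns | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
$results += [pscustomobject]@{
    Check = "FQDN $PublicFqdn resolves to $ExpectedPublicIp"
    Pass  = ($resolved -contains $ExpectedPublicIp)
}

# 4. Only the dispatcher port should be reachable from the WAN: list every other
#    listening TCP port so it can be compared against the perimeter firewall rules.
$other = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -ne $DispatcherPort } |
    Select-Object -ExpandProperty LocalPort -Unique |
    Sort-Object
$results += [pscustomobject]@{
    Check = "Other listening TCP ports (review against firewall rules)"
    Pass  = ($other -join ',')
}

$results | Format-Table -AutoSize

# Run this function on the SQL Server itself, not on the dispatcher. The instance
# folder in the registry path (MSSQL15.MSSQLSERVER here) is a placeholder; use the
# folder that matches your SQL Server version and instance name.
function Test-SqlForceEncryption {
    param(
        [string]$InstanceRegPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQLServer\SuperSocketNetLib'
    )
    $props = Get-ItemProperty -Path $InstanceRegPath -ErrorAction Stop
    [pscustomobject]@{
        # ForceEncryption = 1 corresponds to "Force Encryption: Yes" in SQL Server Configuration Manager
        ForceEncryption = ($props.ForceEncryption -eq 1)
        # Certificate holds the thumbprint of the server certificate; empty means SQL Server
        # will fall back to a self-generated certificate that clients cannot validate
        CertificateSet  = -not [string]::IsNullOrEmpty($props.Certificate)
    }
}
```

Run the script before and after changing the firewall rules so the first three checks flip from `False` to `True`; the fourth check is informational and lists any additional listening ports that should not be exposed by the WAN-to-DMZ rule. `Test-SqlForceEncryption` should report both values as `True` before you enable "Force protocol encryption" in the RES Wisdom console, otherwise the Dispatcher repair described below cannot establish an SSL connection.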
RES Wisdom only has direct protocol encryption between the Dispatcher and the database available for Microsoft SQL Server. When using Oracle, IBM DB2 or MySQL, refer to the documentation of these products on how to set up secure communication between the database client (the Dispatcher) and the database.
Enable protocol encryption in RES Wisdom by changing the setting “Force protocol encryption” to “Enabled”.

When protocol encryption is enabled for Microsoft SQL Server: select all Dispatchers and click “Repair”. This will force all Dispatchers to set up a secure SSL connection to the database server.

Secure the DMZ Dispatchers
- Change the setting “Exclude from Dispatcher list” to “Yes”. This will prevent non-DMZ agents from trying to connect to the DMZ dispatcher(s).
- Change the setting “Protocol Encryption Dispatcher” to “Enabled”. This will enforce SSL encryption between the DMZ and mobile agents and the DMZ dispatcher(s).
- Change the setting “Dispatcher cache duration” to a value that is suitable to your security requirements. This setting prevents resources from being available in the DMZ longer than needed.

Secure the DMZ Agents
- Create a team “DMZ” (or use any other suitable name) and add the DMZ agents to the team.
- Select all agents in the team and click “Change settings of selected Agents”.
- Change the setting “Dispatcher discovery” to the IP address of the DMZ dispatcher. This will prevent agents from trying to connect to anything other than the DMZ dispatcher(s).
- Unmark “First try autodetect”. This will prevent the agents from first trying to detect a dispatcher by using multicast.
- Change the setting “Dispatcher locations” to “Only use discovered Dispatchers”. This will prevent agents from downloading the complete dispatcher list from the database and randomly connecting to a dispatcher.
- Change the setting “Protocol Encryption Dispatcher” to “Force”. This will force the agents to use SSL encryption when communicating with a dispatcher.

NOTES:
- When adding new DMZ agents to the team, make sure you apply these settings to the new individual agents, since there is no such thing as team settings!
- The dispatcher itself should also be managed and thus also be configured as an agent in the DMZ!