Wondering if anyone has had any experience using MOVE SVA and Offload Scan Servers with Agent Handlers which are located in a DMZ and clients that are in an untrusted network and untrusted domain.
Currently, without MOVE, all clients in an untrusted network talk only with their Agent Handler (located in a DMZ), and the Agent Handler in turn has firewall rules opened to the domain controller, SQL server, and ePO server.
My question is, if we decide to install MOVE on these clients, will these clients also have to talk directly with their SVA Manager and OSS server, or will this communication occur via the Agent Handler? If clients need to talk directly to the SVA Manager and OSS servers, should these servers be in the DMZ? If clients need to talk directly to these servers, and the servers are not in the DMZ, wouldn't that mean we'd have to open up ports between the clients and the SVA and OSS, which would defeat the purpose of the Agent Handler?
Any advice would be appreciated.
In your mind, replace ePO with the Agent Handler in the picture:
The MOVE SVA interacts with the Offload Scan Server and the MOVE client, and also with the Agent Handler and the ePO server. (Same SQL database)
The SVA load-balances and manages the Offload Scan Server for the clients.
The Offload Scan Server just scans for the clients and keeps the scan hash in the cache of a local database.
All is managed/configured by ePO (or the Agent Handler if you want to use this part of the management server).
I only found old documentation on the Agent Handler:
Maybe you will find what you are looking for here:
So if we have systems in an untrusted network and we use an Agent Handler to limit access to the ePO server/SQL server/rest of network, should the SVA server and offload servers used by these untrusted systems reside in the DMZ as well?
I am questioning the proposal to move the SVM/SVA Manager to the DMZ. The SVM Manager requires a direct WebService communication port 8443 to ePO - that may not be advisable from within the DMZ. Can you please comment?
When you use this configuration (with an Agent Handler), is it possible to use the vSphere connector?
You need to enter the vSphere credentials from the ePO server for it to connect.