DMZ Support Preconsiderations
We recommend carefully planning your configuration before you start configuring your DSM environment for use in a DMZ.
The following overview describes the steps you need to take to employ HEAT Desktop and Server Management (Ivanti DSM) successfully in a Demilitarized Zone (DMZ). It also provides examples and an analysis of this type of configuration.
Objective
Think carefully about what exactly you want to achieve with DSM support in the DMZ, because the objective determines how many servers the DMZ needs and which communication paths have to cross the firewall.
The following scenarios are typical:
- DMZ Scenario 1: Manage External Workstations with DSM
- DMZ Scenario 2: Provide a DSM Infrastructure to a Customer
Existing Network Environment
Analyze the existing network configuration and the third-party components you are using (especially Active Directory and any encryption solutions) before you start employing Ivanti DSM in a DMZ. You will only benefit from the full functionality and configuration of Ivanti DSM if the network configuration has been implemented correctly.
We recommend answering the following questions about the existing network configuration:
- Is there already a DMZ?
- How can you secure this DMZ, if applicable?
- Which rules apply for communicating to and from the DMZ?
- Which ports are available for communicating with the DMZ?
The ports required for Ivanti DSM are described later in this text.
You need to know the communication rules that apply across the firewall boundaries in order to establish communication within the DSM environment via the Transport Layer, the web server and distribution.
We recommend answering the following questions about the Active Directory configuration and communication:
- Is there an Active Directory forest?
- Are there several Active Directory domains, and which trust relationships exist between them?
- How is Active Directory set up? Are you going to use Active Directory in the DMZ, or will you be working with local users in the DMZ?
- Which DSM component is connected to which Active Directory domain?
- Is communication encrypted (HTTPS)?
- Is a certificate required for client authentication?
- Which certificates are used?
- How are the certificates provided?
- Is there a Public Key Infrastructure, possibly a CA Root integrated in the Active Directory?
Make sure that the respective DSM users have the required permissions throughout the complete DSM environment. If communication is encrypted via HTTPS, make sure that the web server and the clients accessing it have the required certificates, and that the clients trust the CA that issued the web server's certificate. DSM supports the use of certificates without requiring a separate configuration.
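Two of the questions above, which ports are actually open across the firewall and whether the clients trust the HTTPS depot's certificate, can be verified before the DSM rollout rather than discovered during it. The following PowerShell script is an added example, not part of the Ivanti documentation or the DSM product. It is meant to be run from a representative client on the far side of the firewall (for example an external workstation that will be managed, or a server in the internal network). The host name `dmz-mp.example.com` and the ports 443 and 80 for the HTTPS and HTTP depot are placeholders; the ports of the other DSM flows (Transport Layer, distribution) are not stated here and must be taken from the DSM port reference.

```powershell
# Added example, not Ivanti code: checks from one side of the firewall whether the
# DSM endpoints on the other side are reachable and whether an HTTPS endpoint
# presents a certificate that the local trust store accepts.
# Host name and ports are placeholders (assumption); take the real ports from the
# DSM port reference and add one entry per DSM flow that crosses the firewall.
$Endpoints = @(
    @{ Name = 'HTTPS depot (DMZ Management Point)'; Host = 'dmz-mp.example.com'; Port = 443; Tls = $true  }
    @{ Name = 'HTTP depot (DMZ Management Point)';  Host = 'dmz-mp.example.com'; Port = 80;  Tls = $false }
)

function Test-DsmEndpoint {
    param([hashtable]$Endpoint)

    $result = [ordered]@{
        Name     = $Endpoint.Name
        Target   = "$($Endpoint.Host):$($Endpoint.Port)"
        TcpOpen  = $false
        TlsOk    = $null
        Subject  = $null
        Issuer   = $null
        NotAfter = $null
        Problems = @()
    }

    # TCP reachability with a 5-second timeout: a timeout (rather than a refusal)
    # usually means the firewall silently drops the packets for this port.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Endpoint.Host, $Endpoint.Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(5000)) {
            $result.Problems += 'TCP connect timed out (port filtered by the firewall?)'
            $client.Close()
            return [pscustomobject]$result
        }
        $client.EndConnect($async)
        $result.TcpOpen = $true
    } catch {
        $result.Problems += "TCP connect failed: $($_.Exception.Message)"
        $client.Close()
        return [pscustomobject]$result
    }

    if (-not $Endpoint.Tls) { $client.Close(); return [pscustomobject]$result }

    # Record the policy errors .NET finds (untrusted chain, name mismatch) but let
    # the handshake complete so the presented certificate can still be inspected.
    $script:PolicyErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:PolicyErrors = $errors
        return $true
    }
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Endpoint.Host)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject  = $cert.Subject
        $result.Issuer   = $cert.Issuer
        $result.NotAfter = $cert.NotAfter
        if ($script:PolicyErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
            $result.Problems += "TLS policy errors: $($script:PolicyErrors)"
        }
        # Rebuild the chain against the local certificate store to name the missing
        # or untrusted CA, if any. Revocation is skipped because the DMZ host may not
        # be able to reach a CRL or OCSP responder; check that separately.
        $x509chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $x509chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        if (-not $x509chain.Build($cert)) {
            foreach ($s in $x509chain.ChainStatus) {
                $result.Problems += "Chain: $($s.Status) - $($s.StatusInformation.Trim())"
            }
        }
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
            $result.Problems += "Certificate expires on $($cert.NotAfter)"
        }
        $result.TlsOk = ($result.Problems.Count -eq 0)
        $ssl.Close()
    } catch {
        $result.Problems += "TLS handshake failed: $($_.Exception.Message)"
        $result.TlsOk = $false
    } finally {
        $client.Close()
    }
    return [pscustomobject]$result
}

$Endpoints | ForEach-Object { Test-DsmEndpoint $_ } |
    Format-Table Name, Target, TcpOpen, TlsOk, NotAfter,
        @{ n = 'Problems'; e = { $_.Problems -join '; ' } } -AutoSize
```

Run the script once from each network segment that has to talk to the DMZ (external workstations, the internal network, and for Scenario 2 the service provider's side), because the firewall rules and the trusted root CAs differ per segment. A `RemoteCertificateChainErrors` result on a client means the CA root from the question list above has not been distributed to that client yet; a `RemoteCertificateNameMismatch` means the name the clients use to reach the depot is not in the certificate.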
Providing and Preparing the Required Servers
The number of servers in the DMZ depends on the requirements you want to meet. The minimum is a single server that acts as both depot and Management Point.
DMZ Scenario 1: Manage External Workstations with DSM uses the minimum requirements.
DMZ Scenario 2: Provide a DSM Infrastructure to a Customer has two sides. On the service provider side is a server acting as Management Point, on which the Transport Layer, the Distribution Service and an HTTP/HTTPS depot are installed.
On the customer side is a server in the DMZ acting as Management Point, with the Transport Layer and an HTTP depot.