Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
357
Views
3
Helpful
5
Replies

CSA Updates for remote users

ftikphillips
Level 1
Level 1

‎10-02-2006 07:54 PM - edited ‎03-09-2019 04:23 PM

I was curious if there was any way to get policy updates easily to clients who may not come into an office frequently if at all and may not VPN in.

We are looking at deploying CSA, but have users that don't VPN in because of RPC over HTTPS for email and may not come into the office for several months, but they do connect to the Interenet.

We want them to be able to get policy updates if something new comes up and we want to protect those endpoints.

Thanks for your input.

Labels:
0 Helpful
5 Replies 5

netjim_66
Level 1
Level 1

‎10-03-2006 04:49 AM

One possibility is to have an internet facing

server from your DMZ that clients at home can connect to.

They would go to a https site and log in.

0 Helpful

jwalker
Level 3
Level 3
In response to netjim_66

‎10-03-2006 08:21 AM

If you have the remote clients pointing to a publicly available CSAMC, then they can get configuration changes. Basically you just have to set the agent to poll every minute or so in the agent kit. When the agent polls, it contacts the management center and asks if its config has changed. If the config is different, it downloads the changes and updates itself.

RichardSW
Level 1
Level 1
In response to jwalker

‎10-05-2006 07:52 AM

Right. The CSAMC can still be a local server, you just need a public IP address NATed to the private IP address.

One problem you will face is resolving the MC server. The agents try to connect to the server's Hostname. So what you will want to do to make this work is add a static record on your internal DNS server so the full hostname resolves to the local IP. Then register a public record with your ISP so the public IP also resolves to your Hostname (and the NAT will take care of the rest).

There is 1 caveat though - if you're using an internal domain suffix that is non-conformative to public dns suffixes, then you'll have to rename your server. For example, my MC might be "csa1.domain.local", so I can't register that with my ISP. So I will have to rename it to something like "csa1.mysitename.com". Then I can register that with my ISP, and I can still add a static record on my local dns server that points that hostname to the private IP address.

Now... if your mobile uses almost NEVER come back to the local network, then you could just add an entry in their HOSTS file after you set up the NAT. Then you wouldn't have to deal with dns and renaming the mc.

0 Helpful

tsteger1
Level 8
Level 8
In response to jwalker

‎10-05-2006 08:28 AM

I would stick with DNS to resolve the CSAMC. Our MC is in our DMZ on a public IP address. Agents can connect to it from internal or the Internet because it's in internal and external DNS.

It's been working this way trouble free for over three years.

I'd be very hesitant to rename any CSAMCs. A lot of things are dependant on the name as it exists during installation and changing it can cause problems.

0 Helpful

RichardSW
Level 1
Level 1
In response to tsteger1

‎10-05-2006 10:27 AM

If he can't register a public record for his internal hostname, then his only option is to rename the MC. But I suppose I left the most important part out - you're not just changing the name. You'd have to reinstall the MC and redeploy all the agents too.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents