Before you proceed
DISCLAIMER: There are inherent risks associated with implementing the configuration changes and instructions set forth in this document. Implementing the configuration changes described below may render your system vulnerable to unauthorized access by third parties. Please consult with your IT and Security professionals for specific guidance about your operating environment before implementing any of the configuration changes or instructions suggested in this document. This document and the instructions contained in it are provided “AS-IS,” and BMC disclaims all warranties and liabilities arising from your implementation of the configuration changes and instructions in this document. BMC is not responsible for any network issues arising from devices and components not provided by BMC.
In the wake of recent stay-at-home orders by governments around the world due to the COVID-19 pandemic, BMC has received several inquiries from customers seeking to connect their remote employees to BMC’s Remedy IT Service Management (ITSM) offering. The increased traffic on customers’ VPNs has been excessive and is believed to be the cause of disruptions in employees’ abilities to reach the Remedy ITSM service.
To enable remote employees to continue accessing Remedy ITSM to enter tickets, check the status of their tickets, and resolve tickets, several customers have asked BMC to provide instructions for an internet-facing portal into Remedy that does not require the use of VPN.
This document describes a possible approach to configuring your settings in a manner that allows you to access Remedy ITSM without going through a VPN. However, we recommend that you consult your security and IT teams before carrying out these instructions.
Locate the Remedy web tier (Mid Tier) in the corporate DMZ to allow external users to get to the Remedy web components while keeping the overall Remedy solution secured.
Suggested project approach
- Form a cross-functional team – Include everyone: security, business users, IT, and so on.
- Follow change control procedures – Ensure that all changes are implemented with the knowledge and consent of everyone impacted in your organization.
- Perform changes on a development or test environment first – Work through issues before making the changes in production. We can’t stress this enough!
- Unit test with a group of testers that have different job roles and, if needed, different geographies – The external testing of the Remedy Mid Tier will be very similar to the testing you would use to certify an upgrade. Utilize the same test procedures and scripts for this use case.
- “Good” internet access is required for testers to minimize or eliminate internet timeout issues – A home internet user usually has enough bandwidth and speed to connect to Remedy. However, if you have a user with slow network connections, it might be because the user is physically far from the web server. In this case, you can do the following:
  - Create simplified views of the needed forms.
  - Increase the number of seconds for the timeout.
Cautions and recommendations
Use the latest version of Remedy
Remedy version 20.02 or later is recommended.
Apply the latest patches and fixes to your Remedy deployment on a continuous basis
Reference: Downloading the installation files (select your version of Remedy)
Make sure Remedy administrators use a VPN to access the system
Administrators should not be allowed to access Remedy from non-VPN connections.
Enforce strong password complexity, a password expiration policy, and an account lockout policy
Enforce HTTPS and enable TLS v1.2 only. Use of CA-signed certificates is recommended.
Reference: Security planning
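Because the Mid Tier runs inside a Tomcat instance, the "HTTPS only, TLS v1.2 only" rule above (and the "change all default passwords" advice for the DMZ server) can be checked directly against Tomcat's server.xml before the server is exposed. The following audit script is an added example, not BMC code or part of the original document; the server.xml fragment it inspects is a constructed sample with one plain HTTP connector, one HTTPS connector that still allows TLS 1.0/1.1, and one that is correctly limited to TLS 1.2. It understands both Tomcat connector syntaxes (the older sslEnabledProtocols attribute on the Connector and the newer nested SSLHostConfig protocols attribute) and treats Tomcat's catch-all values ("all", "TLS", "SSL") as findings, because they include the legacy versions.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not a real BMC or customer file).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               keystoreFile="conf/midtier.jks" keystorePass="changeit"/>
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig protocols="TLSv1.2">
        <Certificate certificateKeystoreFile="conf/midtier.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

# Protocol versions that must not be offered from the DMZ.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Tomcat expands these to "every version the JVM supports", which includes
# the weak ones, so they count as findings too.
CATCH_ALL_VALUES = {"all", "TLS", "SSL"}


def _protocol_list(value):
    """Split a comma- or space-separated Tomcat protocol attribute into a set."""
    return {p.strip() for p in value.replace(",", " ").split() if p.strip()}


def audit_connectors(server_xml):
    """Return (port, finding) tuples for connectors that break the
    'HTTPS only, TLS 1.2 only, no default passwords' rule; [] means it passed."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("SSLEnabled", "false").lower() != "true":
            findings.append((port, "plain HTTP connector enabled; remove it or redirect to HTTPS"))
            continue
        configured = set()
        # Newer syntax: protocols on the nested SSLHostConfig element
        # (Tomcat's default there is "all" when the attribute is absent).
        for host_cfg in conn.findall("SSLHostConfig"):
            configured |= _protocol_list(host_cfg.get("protocols", "all"))
        # Older syntax: sslEnabledProtocols attribute directly on the Connector.
        if conn.get("sslEnabledProtocols"):
            configured |= _protocol_list(conn.get("sslEnabledProtocols"))
        if not configured:
            configured = {"all"}  # nothing specified: JVM default, i.e. legacy versions included
        weak = sorted(configured & (WEAK_PROTOCOLS | CATCH_ALL_VALUES))
        if weak:
            findings.append((port, "allows pre-TLS1.2 protocols: " + ", ".join(weak)
                             + "; restrict protocols/sslEnabledProtocols to TLSv1.2"))
        # Catches the well-known JDK keystore default password left in place.
        if conn.get("keystorePass") == "changeit":
            findings.append((port, "keystore still uses the default password"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {finding}")
```

Run it against the real conf/server.xml of the DMZ Tomcat (read the file and pass its contents to audit_connectors); an empty result is the state you want before the firewall rule is opened. The script does not verify the certificate chain itself, so the CA-signed certificate check from the recommendation above still has to be done separately.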
Set up a web server in your corporate DMZ
Work with your internal security team to harden your server in the DMZ with typical security settings, such as disabling all non-essential ports, applying the latest patches, changing all default passwords, and so on.
Reference: https://www.cisecurity.org/cis-benchmarks/ for benchmarks. See the FAQ section for common questions and answers for the security team.
Create and apply an SSL certificate to the new test web server for secure web sessions
Ask your security team to help if needed.
Configure Single Sign-On
Most customers have Single Sign-On (SSO) solutions like Okta. Follow the same configuration you use for your current Mid Tier servers.
Reference: Remedy Single Sign-On
Deploy the new test Mid Tier server into the DMZ
If it’s not there already, deploy the new test Mid Tier server into your corporate DMZ.
Test the new web server in the DMZ
Test in the following order:
1. Navigate to the default web login page.
   Success: The Remedy Mid Tier server is accessible through the internet without a firewall.
2. Attempt to log in with your user name and password.
   Success: The Remedy Mid Tier server can connect to a Single Sign-On solution such as Okta and to the internal Remedy server.
3. Have users test the deployment by running through typical test scenarios such as creating tickets, checking status, working on tickets, running queries, looking at dashboards, running reports, and so on.
   Reference: Performing upgrade testing
   Success: The test system works for these scenarios.
   Success: The system successfully handles your remote workforce.
Employees might still experience issues with their connection to Remedy ITSM. Should this occur, you may want to ask such employees to upgrade to a business-class service with their internet service providers.
Change the configuration of the Mid Tier server to point to production
You are now ready to point the Mid Tier server to the production Remedy AR System server.
Reference: Remedy Mid Tier configuration
After you complete the configuration changes, do a quick sanity test of the key functionalities to make sure everything is working as expected.
Frequently Asked Questions (FAQ)
Can I test everything internally with a “standard” server first before placing the web server into the DMZ?
- One method we see customers using is to create the test server internally and get everything up and running there first. When everything works as expected, including testing, the Security team locks down the Mid Tier server (especially the port numbers) and moves it into the DMZ.
  If anything then stops working as expected, the most likely root cause is a security setting or a required port that has been closed.
  This method makes troubleshooting much easier, because everyone knows the test server worked internally before it moved into the DMZ.
Is encryption on by default with Remedy?
- Only encrypted clients can communicate with the Mid Tier server, which is the default setting.
Reference: Activating encryption
What ports need to be open to allow a Mid Tier server to communicate from the DMZ to the internal network?
In order to harden security for the DMZ, the Security team will want to shut down all non-essential ports, especially any ports that typically have unencrypted traffic.
Typically, an on-premises deployment of Remedy uses a portmapper to dynamically assign port numbers to some processes. When communicating from the DMZ to the internal Remedy server behind a firewall, you need to specify a fixed port number for each Remedy component so that the firewall can allow exactly those ports. Do not use the portmapper. The following topics list the ports each component requires:
- Network ports
- Configuring ports for a firewall in a server group
- Preparing to install Remedy Smart Reporting
- BMC Digital Workplace required ports
- Remedy with Smart IT required ports
- BMC Virtual Chat system requirements
What are the recommended Remedy configuration settings for Mid Tier users?
In Remedy version 9.1.02 or later, the following parameters default to false (F). You do not need to change the configuration settings.
- F: Do not allow guest users. Unregistered users have no access to the system.
- F: Do not allow unqualified searches.
In Remedy version 9.0 or earlier, consider changing these parameters to false (F) in Centralized configuration.
- Set Allow-Unqual-Queries to F after you have successfully deployed and completed user testing. Unqualified queries, especially against very large tables, can bring back very large results. This might be acceptable on an internal-only, high-speed local area network, but it can be slow over an internet connection.
- You might have existing user queries, reports, or dashboards that are using unqualified queries, such as Query all HelpDesk tickets, Query all Change Management Tickets, and so on. Explore what might be impacted and test the setting.
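The AR System server settings discussed in the two FAQ answers above (fixed ports instead of the portmapper, no guest users, no unqualified queries) are plain "Key: value" lines in the server's ar.cfg, so they can be audited with a few lines of Python before the Mid Tier goes into the DMZ. The script below is an added example, not BMC code or part of the original document. Only Allow-Unqual-Queries is named in the FAQ; the other keys it checks (Register-With-Portmapper, Allow-Guest-Users, TCD-Specific-Port) are assumed names that should be confirmed against the ar.cfg reference for your Remedy version, and the sample file it parses is constructed for the example.

```python
# Constructed ar.cfg-style sample (not a real customer file). Every setting
# in it is still at the internal-LAN-friendly value, so each one is flagged.
SAMPLE_AR_CFG = """\
# AR System server configuration (constructed sample)
Server-Name: arserver01
Register-With-Portmapper: T
TCD-Specific-Port: 0
Allow-Guest-Users: T
Allow-Unqual-Queries: T
Max-Entries-Per-Query: 2000
"""

# Value each setting should have once the Mid Tier is reached from the internet.
# Key names other than Allow-Unqual-Queries are assumed; verify them for your version.
EXPECTED = {
    "Register-With-Portmapper": "F",  # firewall rules need a fixed, known port
    "Allow-Guest-Users": "F",         # unregistered users get no access
    "Allow-Unqual-Queries": "F",      # no unqualified searches over the internet link
}


def parse_ar_cfg(text):
    """Parse 'Key: value' lines into a dict; blank lines and # comments are skipped.
    A later duplicate key overrides an earlier one, matching last-wins semantics."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_ar_cfg(text):
    """Return human-readable findings for the DMZ hardening rules; [] means it passes."""
    cfg = parse_ar_cfg(text)
    findings = []
    for key, expected in EXPECTED.items():
        actual = cfg.get(key)
        if actual is None:
            findings.append(f"{key} is not set; add '{key}: {expected}'")
        elif actual.upper() != expected:
            findings.append(f"{key} is {actual}; expected {expected}")
    # With the portmapper off, a non-zero fixed port must be configured so the
    # DMZ firewall can allow exactly that port (assumed key name).
    port = cfg.get("TCD-Specific-Port", "0")
    if not port.isdigit() or int(port) == 0:
        findings.append("TCD-Specific-Port is not set to a fixed non-zero port")
    return findings


if __name__ == "__main__":
    for finding in audit_ar_cfg(SAMPLE_AR_CFG):
        print(finding)
```

Pair the findings with the existing-reports check in the answer above: a report that returns nothing after Allow-Unqual-Queries is switched to F is the expected outcome for an unqualified query, not a connectivity problem, so test those reports on the development environment before the setting goes to production.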
A single Mid Tier server is having performance issues because of very high traffic volume. Can I add additional Mid Tier servers?
- Remedy Mid Tier is designed to be put into a server pool to distribute high volumes of traffic among multiple servers.
Set up additional Mid Tier servers in a very similar manner to the first Mid Tier server.
Reference: Configuring the Mid Tier connection pool
Additional BMC Documentation resources
- Creating and applying an SSL certificate for encrypted web sessions
- Configuring the Remedy SSO server
- Configuring the Mid Tier through a firewall
- Cookies used by Remedy Mid Tier
Additional BMC Communities resources
- COVID-19 Response Resources
- Application Security News
- Securing Tomcat Server for Remedy Single Sign-On
- Add pfx certificate to tomcat (Mid Tier, Smart IT, Smart Reporting)
- RSSO Configuring & Troubleshooting SAML Authentication
- RSSO Kerberos Configuration & Troubleshooting