5 Replies Latest reply on Apr 22, 2014 7:09 AM by Bill Robinson

    DMZ - Separate Bladelogic Environment?

    Robert Stinnett

      Wanted to get a few people's opinion on this.  We have a DMZ environment that we are thinking of setting up an entire new BL infrastructure for.  This would help us ensure that nothing from our regular environment could be sent over to the DMZ, and vice versa.


      Is this best practice or would you recommend another way (tighter RBAC).  Just want to make sure what I am proposing isn't just going down the wrong path.



        • 2. Re: DMZ - Separate Bladelogic Environment?

          Hi Robert


          DMZ --> Demilitarized Zone (out of the secure network)


          I believe the Blade infrastructure should work just as well as in the network; setting up the infrastructure with stricter RBAC and proper authentication (encryption) should work fine.



          • 3. Re: DMZ - Separate Bladelogic Environment?

            Hi Robert,


            I think that you wanted to place your Appserver in the DMZ. Are you planning to have only the Appserver in the DMZ, or the targets as well? Will your regular environment have the target servers?  I feel that having a secured RBAC will be sufficient for you. Anyway, we might use only the 4750, 9840, 9841, and 9842 ports between the Appserver and the target. So, even if it

            • 4. Re: DMZ - Separate Bladelogic Environment?



              Since I've heard the term used differently by different customers, please clarify exactly how you're thinking about your DMZ.  If you're talking about a traditional, Internet facing DMZ, then for the LOVE OF GOD don't put your BL infrastructure in there!



              • 5. Re: DMZ - Separate Bladelogic Environment?
                Bill Robinson

                right - it really depends on what you are trying to prevent and what 'nothing' in "ensure that nothing from our regular environment could be sent over to the DMZ, and vice versa." means.


                for example:

                you put bsa in the central/normal env.

                you create an rbac role that can see/manage/deploy to the DMZ servers.  no other role can see those servers, or any of the bsa content that this role creates.  so only content that this role created can get pushed to the dmz servers.  is that ok and not part of the 'nothing' above?


                the agents never initiate a connection to the appserver; it's always a response back from a communication initiated from the appserver, so there is no communication from the dmz to anywhere in this scenario.


                what is the concern w/ shared content here?  many customers have a DMZ and they will use the same patching and other jobs to target the dmz systems as well as their internal systems because for the purposes of patching and other deploys they are the same.
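The two technical claims in this thread, that only a small set of ports (reply 3 lists 4750, 9840, 9841 and 9842) should be crossing between the appserver and the DMZ targets, and that agents never initiate connections back toward the appserver (reply 5), are exactly the kind of thing a firewall log audit can confirm. The following is an added example, not code from the thread or from BMC; it assumes a constructed log format (one line per accepted or dropped connection attempt, with `src=`, `dst=`, `dport=` fields), an internal range of 10.0.0.0/8, a DMZ range of 192.0.2.0/24 and an appserver at 10.0.5.10, all of which are placeholders you would replace with your own values.

```python
# Added example (not from the thread or from BMC): audit firewall connection
# logs for traffic that crosses the internal/DMZ boundary in a direction or on
# a port that the BladeLogic appserver->agent model does not require.
import ipaddress
import re

# Assumptions (placeholders): replace with the real ranges and appserver address.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")       # TEST-NET-1, used as a stand-in
APPSERVER = ipaddress.ip_address("10.0.5.10")
# Ports named in reply 3 as the only ones needed between appserver and target.
AGENT_PORTS = frozenset({4750, 9840, 9841, 9842})

# Constructed log format; adapt the regex to whatever your firewall emits.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+proto=(?P<proto>\w+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a record, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "action": d["action"],
        "src": ipaddress.ip_address(d["src"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "proto": d["proto"],
        "dport": int(d["dport"]),
    }


def classify(rec):
    """Return a verdict string; anything starting with 'ALERT' violates the model."""
    src, dst = rec["src"], rec["dst"]
    if src in DMZ_NET and dst in INTERNAL_NET:
        # Reply 5: agents only answer the appserver, they never call in.
        return "ALERT: DMZ host initiated a connection into the internal network"
    if src in INTERNAL_NET and dst in DMZ_NET:
        if src != APPSERVER:
            return "ALERT: internal host other than the appserver reached into the DMZ"
        if rec["dport"] not in AGENT_PORTS:
            return f"ALERT: appserver -> DMZ on unexpected port {rec['dport']}"
        return "ok: appserver -> DMZ agent traffic on an expected port"
    return "ok: does not cross the internal/DMZ boundary"


def audit(lines):
    """Return (ts, src, dst, dport, verdict) for every accepted boundary violation."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue  # unparseable, or already blocked by the firewall
        verdict = classify(rec)
        if verdict.startswith("ALERT"):
            alerts.append((rec["ts"], str(rec["src"]), str(rec["dst"]), rec["dport"], verdict))
    return alerts


# Constructed sample log: two expected flows, three violations, one already-dropped attempt.
SAMPLE_LOG = [
    "2014-04-22T07:00:01Z ACCEPT src=10.0.5.10 dst=192.0.2.20 proto=tcp sport=51234 dport=4750",
    "2014-04-22T07:00:02Z ACCEPT src=10.0.5.10 dst=192.0.2.20 proto=tcp sport=51235 dport=9841",
    "2014-04-22T07:00:03Z ACCEPT src=192.0.2.20 dst=10.0.5.10 proto=tcp sport=40001 dport=4750",
    "2014-04-22T07:00:04Z ACCEPT src=10.0.7.33 dst=192.0.2.21 proto=tcp sport=40002 dport=22",
    "2014-04-22T07:00:05Z ACCEPT src=10.0.5.10 dst=192.0.2.21 proto=tcp sport=40003 dport=3389",
    "2014-04-22T07:00:06Z DROP src=192.0.2.21 dst=10.0.9.9 proto=tcp sport=40004 dport=445",
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(*alert)
```

The audit assumes the firewall logs connection initiations (the first packet of a flow), so a line from the DMZ toward the appserver means an agent or something else in the DMZ opened the connection, which is the case reply 5 says should never happen. Narrow `AGENT_PORTS` to whatever your own appserver-to-agent traffic actually needs rather than taking the four ports from the thread as given.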