It lists the sites for all OSes for the online catalogs and where the online download is initiated from. For Windows it's the AppServer.
Please check the link Davorin shared.
That should answer your query.
Thanks Sanjay and Davorin,
In the documentation you pointed me to, for Windows the AppServer needs access to a lot of pages.
My question is: when you configure the Shavlik URL Conf tab, why do you only put https://content.ivanti.com?
When are the other pages used?
Thank you very much
The other pages are used when you are downloading patches; as you can see, they are other vendors' web pages, like Microsoft and Adobe.
Thank you very much (Davorin and Sanjay)!!
Patch metadata comes from Shavlik/Ivanti.
Patch payloads (the patches themselves) come from the respective vendor: Microsoft, Adobe, WinZip, etc. If you are only getting Microsoft patches from Microsoft (only Microsoft-related filters in the catalog), then you'd only need access to the Ivanti URLs and microsoft.com. If you include stuff like Adobe and WinZip, then you need access to their sites.
Also, the customer understands this is outbound access, right? That is, the AppServer initiating a connection out to the site, not the site being able to make a connection into the AppServer? I see confusion about that a lot.
Thank you Bill.
The customer wants to place the AppServer in a DMZ for this reason.
How does it work? Is the site able to make a connection into the AppServer?
There should be no reason to put the AppServer in a DMZ for an outbound connection.
A DMZ is for servers that take incoming connections from the outside, e.g. a web server hosting your company website: something hosted on your server that you want people from the outside to connect to. A server in a DMZ will have either limited or no connectivity to servers in your internal network. You would not put a web server in your internal network, because if someone from the outside connects to it and compromises something, they could potentially gain access to other servers on your internal network. If that server is in the DMZ, then they could not do that, because there is no or limited connectivity to internal resources.
That is a completely different direction of traffic flow than what we are talking about with patching for TSSA. Nothing from the outside is making a connection to the AppServer. It's not hosting anything the outside world needs access to. It's downloading things from the vendor sites. Normally, but not always, outbound internet access is allowed from internal networks. It may be restricted, but it's typically allowed. It's a different type of risk, the risk being that what you download is malicious. That's mitigated by using HTTPS for downloads, antivirus checks on the downloads, etc.
I would argue that putting the AppServer in a DMZ makes it less secure. The AppServer needs to connect to all your managed servers; that means lots of holes from the DMZ into your internal network if the AppServer is in the DMZ. And it's now in a zone where other servers are taking inbound connections from unknown sources.
Now, some companies have policies that say anything that touches the internet, even outbound, needs to be in a DMZ. I would debate how effective that is, but maybe that's how it is and they can't change it. I've just seen the confusion between inbound and outbound connections several times, where people think that opening access to the patch vendor sites for downloads somehow allows those sites to initiate a connection to the AppServer, when that is not what is happening.
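The following is an added example, not code from the thread or from BMC/Ivanti: a PowerShell check to run on the Windows AppServer that exercises exactly the traffic direction discussed above. It confirms that the AppServer can initiate outbound HTTPS connections to the patch sources (the only access the download flow needs) and then lists any inbound firewall allow rules for 443, which the patch flow does not require. Only content.ivanti.com comes from the thread; the other host names, the proxy URL and the function name are assumptions, and the real list should come from the documentation link Davorin shared.

```powershell
# Added example (not from the thread or from BMC/Ivanti docs).
# Verifies OUTBOUND HTTPS reachability from the AppServer to the patch sources.
# Host list: content.ivanti.com is from the thread; the rest are assumed
# examples for the vendors named there (Microsoft, Adobe, WinZip).
$PatchSources = @(
    'content.ivanti.com',      # Shavlik/Ivanti patch metadata
    'www.microsoft.com',       # assumed vendor payload hosts
    'download.microsoft.com',
    'ardownload.adobe.com',
    'www.winzip.com'
)

# Optional corporate proxy for outbound web traffic; $null means direct egress.
$Proxy = $null   # e.g. 'http://proxy.corp.example:8080' (assumption)

function Test-OutboundPatchSource {
    param([string]$HostName, [string]$ProxyUrl)
    $result = [ordered]@{ Host = $HostName; Dns = $false; Tcp443 = $false; Https = $false }

    # Step 1: can the AppServer's resolver even find the host?
    try {
        $null = [System.Net.Dns]::GetHostAddresses($HostName)
        $result.Dns = $true
    } catch {
        return [pscustomobject]$result
    }

    # Step 2 (direct egress only): outbound TCP handshake to 443.
    if (-not $ProxyUrl) {
        $tcp = Test-NetConnection -ComputerName $HostName -Port 443 -WarningAction SilentlyContinue
        $result.Tcp443 = [bool]$tcp.TcpTestSucceeded
    }

    # Step 3: a real HTTPS request, so TLS interception or proxy auth failures show up.
    # Any HTTP status code (even 4xx/5xx) proves the outbound path to the vendor works.
    $params = @{ Uri = "https://$HostName/"; Method = 'Head'; UseBasicParsing = $true; TimeoutSec = 15 }
    if ($ProxyUrl) { $params.Proxy = $ProxyUrl; $params.ProxyUseDefaultCredentials = $true }
    try {
        $null = Invoke-WebRequest @params
        $result.Https = $true
    } catch {
        if ($_.Exception.Response) { $result.Https = $true }
    }
    return [pscustomobject]$result
}

$PatchSources |
    ForEach-Object { Test-OutboundPatchSource -HostName $_ -ProxyUrl $Proxy } |
    Format-Table -AutoSize

# Direction sanity check: the patch download flow needs NO inbound rule.
# Any enabled inbound allow rule for 443 listed here exists for some other reason.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq 443 } |
    Select-Object InstanceID, Protocol, LocalPort
```

Run it from an elevated PowerShell session on the AppServer. A row with Dns and Https true means the box can pull from that source; a false Https with a true Tcp443 usually points at TLS inspection or a proxy that needs to be configured in the URL Conf tab. If the last command prints nothing, the server accepts no inbound 443 from anywhere, which is the expected state for a patch-downloading AppServer.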
Thank you very much for your great explanation.
I discussed this with the customer, but they prefer to put the AppServer in the DMZ.