6 Replies Latest reply on Feb 21, 2013 6:45 PM by Bill Robinson

    Segregated environments

    Jim Campbell

      Is there any BSA architecture in which we could use a single BSA appservers/fileserver/database environment but separate out a subset of servers (based on network) so that these only received directives from an application server located and managed within the segregated network?


      We would like to be able to use the same content (packages, nsh scripts, jobs, patching, etc) that we use for our corporate environment for this separate environment as well but with the requirement that no 'interactive' access can emanate from the corporate environment.  The idea is to restrict any management tool to users who run their applications from within the segregated environment - no direct communication from the corporate environment is permissible.


      Do we just have to create a separate BladeLogic instance and copy content over?  It appears that for SCCM we are able to set up a server in this segregated environment which is managed by centralized corporate servers, but all of the communication with the managed targets only occurs between this server and the target; the corporate SCCM servers never directly touch the managed servers in the segregated environment.  These requirements are externally mandated, so we can't really argue that it's really not any more secure to have content on the segregated SCCM server that can be altered by anyone in corporate anyway.

        • 1. Re: Segregated environments
          Bill Robinson

          Job routing rules. This would only work, though, if the segregated job server is in the same physical location as the db server; a db server across the WAN from the appserver is a bad idea.


          You need to have the appservers talk to each other here, though. That's the other possible issue.


          The question here, though, is why can't you manage this w/ RBAC?

          • 2. Re: Segregated environments
            Jim Campbell

            We can't manage it with RBAC because it would (presumably) allow a user in the corporate environment to "interact" with managed servers in the segregated environment.


            Even if we could run the jobs with an application server, wouldn't the packages still come from the fileserver in the corporate environment?

            • 3. Re: Segregated environments
              Jim Campbell

              If we were to set this up, would the fileserver cause any issue?  Is there direct communication between it and managed servers in the case where jobs are run only from a certain server on a subset of servers?

              • 4. Re: Segregated environments
                Bill Robinson

                I don't think your presumption is correct. How do you see that a user in the corporate side would be able to interact w/ the servers in the segregated side if they lack the RBAC permissions to see or access those servers?


                The packages would still come from the file server, but they would come through the appserver, so no direct connection.

                • 5. Re: Segregated environments
                  Jim Campbell

                  The idea is that they don't want anyone to be able to issue commands from the corporate environment to interactively affect servers in the segregated environment.  All access to any of the management tools we use is to be allowed only by logging onto consoles within the segregated environment and authenticating against its domain.


                  Would the idea be to have the job/console server in the segregated environment be the only one capable of authenticating against the domain in that environment, and then craft RBAC such that a role accessible only to users authenticated against that domain was the only one that had access to the segregated servers?  In that case, however, we would run into the problem of the RBACAdmins users being able to manipulate that role; we would then have to restrict usage of RBACAdmins to only that segregated appserver.  Otherwise, RBACAdmins:corporatedomainuser could always tamper with the role to add new users to it.


                  How crippling is the problem of having the db server and a separate appserver across the WAN?  There is really not anything I can think of in this situation to avoid it.

                  • 6. Re: Segregated environments
                    Bill Robinson

                    This is kind of the point of RBAC.  True, RBACAdmins does have Read and ModifyACL on all objects, but as you have found, that can be audited.


                    Putting an appserver across a WAN or otherwise segregated isn't necessarily going to solve this problem. Appservers still need to talk to each other or you have problems running jobs, even if job routing rules are set up (a master appserver gets elected, and it controls job distribution).


                    Is there a problem having one of the central appservers dedicated to talking to the remote env?

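As an added illustration of the auditing Bill mentions (this is example code, not from the thread, from BMC, or from BladeLogic itself), here is a small Python check over a constructed audit export: it flags any change to the role that guards the segregated servers when the actor, or the member being added, is not from the segregated domain. The role name, domain name, CSV columns and action names are all assumptions made for the example; BSA's real audit output has its own format and would need its own parser.

```python
"""
Flag changes to a domain-restricted RBAC role made by, or granting access to,
principals outside that domain.  Added example; the CSV audit format below is
constructed for illustration and is NOT BladeLogic's real audit export.
"""
import csv
from dataclasses import dataclass
from typing import Iterable, List

# Assumed names for the example: the only role allowed to see the segregated
# servers, and the domain its members must authenticate against.
PROTECTED_ROLE = "SegregatedAdmins"
SEGREGATED_DOMAIN = "SEGDOM"

# Assumed action names that change who holds the role or what it may do.
SENSITIVE_ACTIONS = {"ModifyACL", "ModifyRole", "AddUserToRole", "RemoveUserFromRole"}
MEMBERSHIP_ACTIONS = {"AddUserToRole"}

# Constructed sample audit export (hypothetical columns: when,actor,action,target,detail).
SAMPLE_AUDIT = r"""when,actor,action,target,detail
2013-02-20T09:00:00Z,RBACAdmins:SEGDOM\ops1,AddUserToRole,SegregatedAdmins,SEGDOM\ops2
2013-02-20T09:05:00Z,RBACAdmins:CORP\jsmith,AddUserToRole,SegregatedAdmins,CORP\jsmith
2013-02-20T09:07:00Z,RBACAdmins:CORP\jsmith,ModifyACL,SegregatedAdmins,grant Server.Read
2013-02-20T09:10:00Z,BLAdmins:CORP\admin1,ModifyACL,CorpWebServers,grant Server.Write
2013-02-20T09:12:00Z,RBACAdmins:SEGDOM\ops1,AddUserToRole,SegregatedAdmins,CORP\bob
"""


@dataclass(frozen=True)
class Finding:
    when: str
    actor: str
    action: str
    reason: str


def domain_of(principal: str) -> str:
    """'RBACAdmins:CORP\\jsmith' or 'CORP\\jsmith' -> 'CORP'; no domain -> ''."""
    user = principal.split(":", 1)[1] if ":" in principal else principal
    return user.split("\\", 1)[0].upper() if "\\" in user else ""


def audit_role_changes(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per audit row that touches the protected role improperly."""
    findings: List[Finding] = []
    for row in csv.DictReader(lines):
        if row["target"] != PROTECTED_ROLE or row["action"] not in SENSITIVE_ACTIONS:
            continue
        reasons = []
        # Rule 1: only principals from the segregated domain may alter the role.
        if domain_of(row["actor"]) != SEGREGATED_DOMAIN:
            reasons.append("actor is outside the segregated domain")
        # Rule 2: even a legitimate actor must not add a corporate-domain member.
        if row["action"] in MEMBERSHIP_ACTIONS and domain_of(row["detail"]) != SEGREGATED_DOMAIN:
            reasons.append("new member is outside the segregated domain")
        if reasons:
            findings.append(Finding(row["when"], row["actor"], row["action"], "; ".join(reasons)))
    return findings


def run_sample() -> List[Finding]:
    """Run the check over the constructed sample above."""
    return audit_role_changes(SAMPLE_AUDIT.splitlines())


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.when} {f.actor} {f.action}: {f.reason}")
```

On the sample, three of the five rows are flagged: the two changes made by RBACAdmins:CORP\jsmith, and the add of CORP\bob even though a SEGDOM user performed it. The second rule matters because, as the thread notes, RBACAdmins holds ModifyACL everywhere; auditing who was added to the role is what turns that standing permission into something reviewable rather than something silently abused.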