Author Topic: ADNM managing clients across WAN/Internet

olt

  • Guest
ADNM managing clients across WAN/Internet
« on: October 14, 2006, 02:26:53 PM »
Hi,

Is it possible to use ADNM to monitor client PCs across the internet?  What ports would need to be open?  What security is in place between the client and ADNM server?

Thanks,
Edmund

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: ADNM managing clients across WAN/Internet
« Reply #1 on: October 14, 2006, 07:32:03 PM »
Do you mean VPN or bare Internet?

Could you please outline the scenario in a bit more detail? Is this a LAN with an AMS located off-site? Or laptops? Or something else?

The basic ports are listed in the ADNM Administrator's Guide (basically, only tcp/16111 is needed for the basic functionality). The updating mirror uses tcp/5033. Some extra features (remote virus chest, "apply to computer" etc.) need some additional ports (however, these are in the other direction, i.e. AMS --> client).

Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.

olt

  • Guest
Re: ADNM managing clients across WAN/Internet
« Reply #2 on: October 15, 2006, 06:02:04 PM »
Thanks for coming back to me Vlk,

It's basically an AMS trying to look after a bunch of remote computers which are dotted about on different networks - home workers for example - but site-to-site VPNs aren't really an option. They could simply use normal professional, but I would like to have the benefits of managing/monitoring them centrally if possible.

Edmund

Berg82

  • Guest
Re: ADNM managing clients across WAN/Internet
« Reply #3 on: September 07, 2009, 11:35:53 AM »
Hi,

I'm also thinking of buying Avast for our company and have almost the same questions as Edmund.
Most of our laptops connect to our network through VPN to get access to the fileserver and other services.
Have I understood it correctly that there are no problems monitoring the clients (ADNM) through a VPN connection? What happens if a client isn't connected through the VPN for some days? Does it get updates (antivirus definition files) from the Web?

What happens when the client connects thru the VPN next time? Does it automatically update the status in ADNM?

Best Regards
Andreas

Offline Yanto.Chiang

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1371
  • Soli Deo Gloria
    • PT Garuda Sinatriya Globalindo
Re: ADNM managing clients across WAN/Internet
« Reply #4 on: September 07, 2009, 12:03:39 PM »
Dear Edmund and Andreas,

As far as I know, if a user uses a VPN connection, either SSL VPN or IPSec VPN, it should use 2 IP addresses, for example:
If your public IP is 202.x.x.x and your private IP from the office through the VPN connection is 192.x.x.x, the client should be connected to the VPN server at their office and the client feels like they are working at the office.

Logically, ADNM should be able to monitor client events through the VPN connection.

And then if the client is not in the office environment, avast managed could trace other servers to update, as long as the client can connect to the internet.

Correct me if I am wrong.


Regards,
Yanto Chiang
Yanto Chiang | IT Security Consultants | AVAST Premium Security | GarudaSinatriya

wpn

  • Guest
Re: ADNM managing clients across WAN/Internet
« Reply #5 on: September 09, 2009, 03:03:33 PM »
From the way ADNM is set up, it should technically be possible to monitor the clients without a VPN connection: the clients need to have the AMS IP address set to the public IP address of your company with the ports needed (see manual), and the firewall has to pass them through to the AMS server.
BUT this would leave you with a HUGE security hole! (open ports that should not be opened on an internet connection, AMS acting as AMS for the WHOLE world, not just your clients.... catch the drift?)

When the users use a VPN connection to connect to the corporate network, it is certainly possible without (huge) security risks since you're using VPN. I have several users that work this way, and they connect happily and update properly. But since it is not a permanent connection, the updates may be later if the client doesn't log in every day or every week....

If you want your users to connect to your corporate network without VPN or any kind of protection (local firewalls don't count here), then I would suggest you start writing your resume already, because that is the worst possible solution and shouldn't even be thought of.....

With VPN or with the new DirectAccess from Win2k8 R2 (requires a PKI infrastructure, therefore multiple extra servers unless you have a PKI already), ADNM will work just fine....

olt

  • Guest
Re: ADNM managing clients across WAN/Internet
« Reply #6 on: September 09, 2009, 06:27:37 PM »
In this (public) case, if you have a limited number of clients with fixed WAN IP addresses, then it should be possible to restrict access to the public ADNM to just the customers' fixed IP addresses. Of course it takes some management, but it's better than wide-open access.

Related to this - is avast working on updating ADNM so that it can better support situations like this? Other vendors offer a centralised console to manage multiple customers (MSP type model), and since ADNM already uses certificates locally, it should be possible to design a system which uses those certificates to secure the communications between ADNM and a central management system.

I don't think we need a full ADNM setup for the MSP (configuration could be left locally on the ADNM) but we do need to be able to monitor the ADNM installs at each site, check licenses, check updates etc...

Edmund

Offline Yanto.Chiang

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1371
  • Soli Deo Gloria
    • PT Garuda Sinatriya Globalindo
Re: ADNM managing clients across WAN/Internet
« Reply #7 on: October 09, 2009, 06:21:10 AM »
Hi Olt,

As long as you are using a VPN connection, wherever you are, and as long as your office has a VPN server, it won't be a problem to connect to ADNM.
And avast also has a feature to let you download from another server if your PC/notebook can't connect to your office.

Regards,
Yanto Chiang
Yanto Chiang | IT Security Consultants | AVAST Premium Security | GarudaSinatriya

wpn

  • Guest
Re: ADNM managing clients across WAN/Internet
« Reply #8 on: October 09, 2009, 11:12:39 AM »
I lost track of this thread....

ADNM is basically not more than a central place to get updates and policies for avast managed clients.
You could allow the users with a fixed WAN address access to the site, but the problem is that you need NetBIOS/DNS references for the servers.

Without a VPN connection (either based on a VPN tool on the client or a router using VPN to log on to the corporate network) the local IP address will never be routed over the internet...
Since the avast client uses the local IP address or NetBIOS/DNS name of the AMS server from the corporate network, the connection will never be able to be made....
However, you could have the clients set to check on the WAN IP address of the corporate network, but then you have to open several ports on your firewall, publishing the AMS to the world wide internet for everybody to access...
It's not a pretty idea, and hopefully you will see that yourself too :)
AMS has local security certificates for connecting the management console to the AMS server. No other certificates are generated, and even with certificate generation you don't want to have your firewall opened for the AMS on the outside like that.... Why open up 2 or more potential entry points for hackers... it's like giving them 3 digits of your 4-digit PIN code for your bank account; they just have to guess the last digit... catch my drift?

HOWEVER

Depending on what you can invest in the company and what you already have running, there is something now from Microsoft in Windows 2008 R2 domains.... it's called DIRECT ACCESS.
It will not need a VPN connection, but it does require a PKI infrastructure and a client certificate on the computer outside the network....
You can then use the NetBIOS/DNS name of the server to connect to the AMS.
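Olt's suggestion (Reply #6) of restricting the published AMS ports to a small set of fixed client WAN addresses, and wpn's warning that anything broader publishes the AMS to the whole internet, can be checked mechanically. The script below is an added example, not from the thread or from avast: it applies a default-deny allow-list for the two ports Vlk named (tcp/16111 and tcp/5033) to constructed firewall log lines, flags attempts from non-allow-listed sources, and renders the same allow-list as iptables rules for a Linux perimeter firewall. The log format, the addresses (RFC 5737 documentation ranges) and the AMS address 192.0.2.5 are all assumptions.

```python
import ipaddress
import re

# Ports named in the thread: tcp/16111 (client -> AMS) and tcp/5033 (update mirror).
AMS_PORTS = {16111, 5033}
# Constructed allow-list of remote workers' fixed WAN addresses (documentation ranges, not real).
ALLOWED_SOURCES = [ipaddress.ip_network(c) for c in ("203.0.113.10/32", "198.51.100.0/29")]
# Constructed firewall log (hypothetical key=value format) of attempts against the AMS at 192.0.2.5.
SAMPLE_LOG = """\
src=203.0.113.10 dst=192.0.2.5 dport=16111 proto=tcp
src=198.51.100.3 dst=192.0.2.5 dport=5033 proto=tcp
src=192.0.2.77 dst=192.0.2.5 dport=16111 proto=tcp
src=203.0.113.10 dst=192.0.2.5 dport=445 proto=tcp
src=198.51.100.9 dst=192.0.2.5 dport=16111 proto=tcp
"""
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"src": ipaddress.ip_address(m.group(1)), "dst": m.group(2),
            "dport": int(m.group(3)), "proto": m.group(4)}


def is_allowed(src, dport):
    """Default deny: an AMS port is reachable only from an allow-listed source address."""
    return dport in AMS_PORTS and any(src in net for net in ALLOWED_SOURCES)


def audit(log_text):
    """Split attempts against AMS ports into (accepted, rejected) lists of (src, dport)."""
    accepted, rejected = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in AMS_PORTS:
            continue  # not an AMS port: outside the scope of this check
        bucket = accepted if is_allowed(rec["src"], rec["dport"]) else rejected
        bucket.append((str(rec["src"]), rec["dport"]))
    return accepted, rejected


def render_iptables():
    """Render the allow-list as iptables INPUT rules: explicit ACCEPTs, then a DROP per port."""
    rules = [f"iptables -A INPUT -p tcp -s {net} --dport {port} -j ACCEPT"
             for port in sorted(AMS_PORTS) for net in ALLOWED_SOURCES]
    rules += [f"iptables -A INPUT -p tcp --dport {port} -j DROP" for port in sorted(AMS_PORTS)]
    return rules
```

The rejected list is what a defender would alert on: a client outside the allow-list (here 198.51.100.9, just past the /29) reaching for tcp/16111 is either a misconfigured home worker or an unwanted visitor, and in either case the default DROP keeps the AMS unpublished.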