F-Secure and VLANs
I recently implemented separate VLANs for each floor and the server network. Let's just say we have three different subnets: 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0. Before this change everything, including the Client Security Policy Manager server, was on one network, 192.168.1.0/24, and worked just fine. Now the Policy Manager cannot connect to the clients not on its own network and vice versa.
I spoke with business support and he told me Policy Manager can see whatever the DOS command "net view" can see. Net view can only see what is on its own network from my tests. I have created a very basic network design and would expect an application not to rely on a single broadcast domain to work correctly. Am I missing something, or do I need to install a policy server on each subnet and manage rules on each one? Any help would be greatly appreciated.
First of all, it's Clients that connect to Policy Manager and not vice versa. And the protocol is HTTP (for the Client Security) and HTTPS (for Policy Manager Console).
Communication is based on the underlying network communication, so it should work.
I would suggest:
1. If your central management address for Client Security is configured on FQDN (e.g. http://pms.mynet.local) then make sure that DNS resolving works correctly from workstations.
2. Check that clients on the same VLAN can connect to PMS. If they can, and they can't connect from other VLANs, then it's a networking problem. If not, then it's a PMS port problem.
3. If it's a networking problem, then you should not be able to get a page response if you connect with a browser from your VLAN to your PMS (http://pms-ip-or-fqdn:host-port).
So if same-VLAN connections are OK but different-VLAN connections are not, then work on it until your browsers from different VLANs get a response from the PMS ports. Until you get a page response, your problem is networking or firewalling.
Hope I helped.
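The three checks in the answer above (DNS, same-VLAN vs. cross-VLAN reachability, a browser-style page request on the PMS host port) can be run from a workstation in each VLAN with this added diagnostic. It is example code, not F-Secure's; `pms.mynet.local` and port 80 are placeholders for your own Policy Manager Server FQDN and host port.

```python
"""Probe the Policy Manager Server the way the steps above describe.
Added example (not F-Secure code). PMS_HOST and PMS_PORT are placeholders:
set them to your own PMS FQDN and host port, then run from each VLAN."""
import http.client
import socket

PMS_HOST = "pms.mynet.local"  # placeholder FQDN, as used in step 1
PMS_PORT = 80                 # placeholder host port; must match what the clients have configured


def resolve(host):
    """Step 1: the IP this workstation resolves the name to, or None if DNS fails."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def tcp_connect(ip, port, timeout=3.0):
    """Steps 2-3: 'open' (something listens), 'refused' (host answers, port closed)
    or 'unreachable' (no answer at all, typical of routing or firewall problems)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # includes socket.timeout and 'no route to host'
        return "unreachable"


def http_status(ip, port, timeout=3.0):
    """Step 3: fetch '/' like a browser would and return the HTTP status, or None."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def classify(ip, tcp_state, status):
    """Map the probe results to the diagnosis given in the answer above."""
    if ip is None:
        return "dns"          # step 1: fix name resolution before anything else
    if tcp_state == "unreachable":
        return "network"      # step 3: routing or firewalling between the VLANs
    if tcp_state == "refused":
        return "port"         # step 2: host reachable, host port wrong on PMS or clients
    if status is None:
        return "not-http"     # port open but no page response (assumed: another service)
    return "ok"               # a page response: the path to the PMS port is fine


def diagnose(host=PMS_HOST, port=PMS_PORT):
    ip = resolve(host)
    state = tcp_connect(ip, port) if ip else None
    status = http_status(ip, port) if state == "open" else None
    return classify(ip, state, status)


if __name__ == "__main__":
    print(f"{PMS_HOST}:{PMS_PORT} -> {diagnose()}")
```

Run it once from the PMS's own VLAN and once from another: "ok" in the first and "network" in the second points at routing or firewall rules, while "port" everywhere points at the host port configuration.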
We have figured out the issue of the clients not connecting to Policy Manager: they had the incorrect host port number after a recent upgrade.
I think now the Windows autodiscover service will only discover computers on its own network and we'll have to manually enter the IP address of the computers we need to import, which is not that big of a deal.
Thanks for the response, it helped me to stop focusing on the recent VLAN changes and look at the host configurations.
Autodiscover will be needed only if you use the console to 'push' installations. Probably in this case you will be able to push install only to the local VLAN.
Export an MSI, make installations from the MSI and then import the hosts from within the console.
If there is a hardened FSPM 10.10 on Linux server, which is visible to the LAN, as well as to the global public net, is it possible to define TWO management host addresses in FSCS 10.00 clients to connect it?
For example "FSPM = http://192.168.10.10:85" for use when clients are staying within the company LAN and "FSPM = http://22.214.171.124:85" when the laptops are travelling abroad, without VPN access to the HQ LAN.
Thanks in advance, Yours Sincerely: Tamas Feher, Hungary.
It's not possible to configure two management server addresses. The clients will fall back to our root update server anyway if they can't connect to the Policy Manager Server, so they'll at least get the latest definition files as normal. However, newer policies cannot be fetched.
The only workaround would be to use a DNS name in the management server address which is resolvable both outside and inside the company network (pointing to the applicable IP addresses depending on where the laptop is trying to establish the connection from).