ABC-Deploy 
Internet Distribution Point

Manage remote computers


Features

Remote computers with Internet access can use ABC-DP, a web application distribution point that gives them a remote and secure connection to ABC-Deploy.
In the current version ABC-DP lets remote clients deliver inventory data to the SQL database; future versions will add software distribution to remote computers.

• ABC-DP is used as a fallback when a computer cannot reach the SQL or FileServer resources on the LAN.

• ABC-DP is designed for Internet use and for high-security networks where internal firewalls may prevent direct SQL and file operations from the clients to the ABC-Deploy resources.


VPN not needed

Remote clients get/put data over the Internet.
No VPN is needed and no configuration changes are required on the clients.
All traffic is SSL encrypted, and Internet clients are mutually authenticated with certificates.

• Get patching status reports from all clients.

• Continue to receive the complete hardware and software inventory, no matter where the clients are located.


How it works 


Topology design

The ABC-DP Web Distribution Point works as a proxy that can get/put ABC-Deploy data on behalf of a client, and it is available both to clients on the LAN and to clients on the Internet.
On the LAN side are the resource servers that ABC-Deploy uses to store its data. These servers are the first choice for the client computers when they request data or deliver data back. If the resource servers are not directly reachable, the clients contact the ABC-DP Web Distribution Point and ask it to get/put the data on their behalf.



About security

All communication with the ABC-DP is SSL encrypted.
Security of the system is based on digital certificates for authentication.
Client certificates are distributed automatically to the clients the first time they access the ABC-DP from the private (LAN) interface, and the clients later use these certificates to identify themselves when they access the public interface from the Internet.



How certificates are distributed

When an ABC-Deploy agent starts on a client, it checks whether it has the ROOT certificate of the ABC-DP and whether it has a valid client certificate issued by the ABC-DP.
If either is missing, the agent requests it and it is delivered to the client.

Obtaining a ROOT certificate to trust the ABC-DP

1)   Client starts on the LAN.
2)   Client checks whether it has a valid ROOT certificate from the ABC-DP.
3)   If a valid ROOT certificate is not present, it is requested from the private interface.
4)   Client authenticates against Windows AD using its machine account when it connects.
5)   If authentication succeeds, the request is evaluated by the ABC-DP and the ROOT certificate is delivered.
6)   Client installs the received certificate into the Computer/Trusted Roots certificate store.

Obtaining a client certificate to authenticate to the ABC-DP

1)   Client starts on the LAN.
2)   Client checks whether it has a valid client certificate issued by the ABC-DP.
3)   If a valid client certificate is not present:
      a. Client generates a long password.
      b. Client requests the certificate and supplies the password in an SSL-encrypted request to the private interface.
4)   Client authenticates against Windows AD using its machine account when it connects.
5)   If authentication succeeds, the request is evaluated by the server; only if the certificate subject the client asks for matches the name it used for authentication does the ABC-DP create a client certificate with a private key and a subject equal to the requesting machine's X.500 name.
6)   The client certificate is password-protected with the password received from the client and sent back to the requesting machine.
7)   The requesting client unpacks the certificate and installs it into the Computer/MY certificate store.

The password-protected certificate package is held encrypted in memory only and is never written to the file system. The private key is marked non-exportable, so the client certificate is bound to that machine and cannot be copied out through the normal certificate export functions. Note that the non-exportable flag is enforced by the Windows key store as a software control: it protects against ordinary copying, not against someone who already holds administrative rights on the machine itself.

How is access from the Internet controlled

Public interface, port 443
SSL encryption and mutual authentication.
A valid client certificate issued and trusted by the ABC-DP is required before a connection is allowed.
All other connection attempts are discarded.
Used by Internet-based clients to get/put data.

How is access from the LAN controlled

Private interface, port 443
SSL encryption and mutual authentication.
A valid client certificate issued and trusted by the ABC-DP itself is required before a connection is allowed.
All other connection attempts are discarded.
Used by LAN-based clients to get/put data.

Private interface, port 4444
SSL encryption and mutual authentication.
Windows authentication is required, meaning only trusted users and computers from the AD forest can connect.
Used by LAN-based clients for
- certificate distribution to clients
- the management interface and activity monitoring
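The issuance rule from step 5 of "Obtaining a client certificate" and the mutually authenticated port 443 interfaces, as an added example in Go that is not part of ABC-Deploy and does not use any of its code: a stand-in root certificate signs both the server certificate of the 443 listener and the client certificates; the listener requires a client certificate chained to that root and drops everything else; and a client that trusts only that root (what step 6 of the root distribution installs) connects with or without a certificate. The host name abc-dp.example and the machine name PC01.corp.example are invented, and the AD machine-account authentication that precedes issuance is taken as already done by the caller; the password-protected package and the non-exportable key of the real product are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// DPRoot stands in for the ABC-DP root: it signs the 443 server certificate and every client certificate.
type DPRoot struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// mint generates a P-256 key and certifies it; a nil parent gives a self-signed root.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // unique enough for an example
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

func NewDPRoot() (*DPRoot, error) {
	tc, err := mint(&x509.Certificate{Subject: pkix.Name{CommonName: "ABC-DP Root (example)"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(tc.Certificate[0]) // parsed form is what the cert pools need
	return &DPRoot{Cert: cert, Key: tc.PrivateKey.(*ecdsa.PrivateKey)}, err
}

// IssueClientCert is step 5 of "Obtaining a client certificate": the DP signs only if the
// requested subject equals the name the caller already authenticated (the AD machine
// account, which this example takes as given).
func (r *DPRoot) IssueClientCert(authenticatedName, requestedSubject string) (tls.Certificate, error) {
	if requestedSubject != authenticatedName {
		return tls.Certificate{}, fmt.Errorf("subject %q does not match authenticated name %q", requestedSubject, authenticatedName)
	}
	return mint(&x509.Certificate{Subject: pkix.Name{CommonName: requestedSubject},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, r.Cert, r.Key)
}

// NewPublicInterface models the 443 listener: RequireAndVerifyClientCert with the DP root as the only trusted issuer.
func NewPublicInterface(root *DPRoot) (*httptest.Server, error) {
	serverCert, err := mint(&x509.Certificate{Subject: pkix.Name{CommonName: "abc-dp.example"},
		DNSNames: []string{"abc-dp.example"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, root.Cert, root.Key)
	if err != nil {
		return nil, err
	}
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(root.Cert)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "inventory accepted from %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{serverCert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs}
	srv.StartTLS()
	return srv, nil
}

// Connect is a remote client: it trusts only the DP root and presents whatever client certificates it is given.
func Connect(srv *httptest.Server, root *DPRoot, certs ...tls.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root.Cert)
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: roots, ServerName: "abc-dp.example", Certificates: certs}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	root, _ := NewDPRoot()
	srv, _ := NewPublicInterface(root)
	defer srv.Close()
	cert, _ := root.IssueClientCert("PC01.corp.example", "PC01.corp.example")
	fmt.Println(Connect(srv, root, cert)) // accepted
	fmt.Println(Connect(srv, root))       // rejected: no client certificate
}
```

Run it with go run. The first Connect is answered; the second has no certificate, so the handshake is refused and the client only sees a TLS alert, which is the "discarded" attempt of the text (the server also logs a TLS handshake error). A certificate issued by some other root fails the same way, because ClientCAs holds only the DP root.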


Installation Guide & Download

Download Software
Installation Guide