How can TEM be configured to manage computers in a DMZ?
Steps to configure TEM to manage computers in a DMZ.
Resolving the problem
It is certainly possible to administer these computers using TEM. The problem is that these computers are not directly reachable from the TEM Server or other TEM Relays by IP because of the firewall or NAT.
In this scenario, the TEM Server/TEM Relay cannot send the TEM Clients the UDP message on port 52311 to notify them that there is a new action or new Fixlet messages. By default, the TEM Clients will check once a day to see if there is new information. So you will still be able to send actions to TEM Clients this way, but it will take them up to 24 hours to "notice" that there is a new action or new Fixlets for them. For more information on how the TEM components communicate with each other, please see TEM Network Requirements. Following are three suggestions for how to allow the TEM Clients in the DMZ to get the same performance as the other TEM Clients. Assume that TEM Clients can communicate to the TEM Server but the TEM Server cannot send messages to the TEM Clients because of the NAT or firewall.
Here are three possible ways to resolve the conflict:
- (Best Practice) Set up a TEM Relay on a computer that can reach the TEM Clients inside the DMZ. The unreachable computers are going to connect with the TEM Server through this TEM Relay. In this scenario, you must configure the TEM Relay to be reachable by the TEM Server on TCP port 52311. After this setup is complete, the TEM Server (or another TEM Relay) can notify the TEM Relay that there is a new action/Fixlet and the TEM Relay can notify the TEM Clients with a UDP message on port 52311.
- Permit communication on port 52311 to all computers through the DMZ. Again, communication among the TEM components is done on port 52311 and if you open this port up into the DMZ there will be no problems reaching the TEM components. This option will not work with a NAT as the TEM Server will think all the TEM Clients inside the DMZ to have the same IP address as the NAT.
- Increase the TEM Clients polling interval to something more frequent than once every 24 hours. In this scenario, the TEM Clients remain unreachable from the TEM Server or TEM Relays, but since they are checking in more frequently (for instance, you can set the interval to check every 30 minutes), the TEM Clients will see new actions and Fixlets sooner and you will have better TEM Client response times (although not quite as good as the TEM Clients that can receive notifications).
For more information about changing the polling interval for TEM Clients, see
Note: When the TEM Server attempts to send messages to TEM Clients the TEM Server uses the source address for the TEM Client. This source address is the one the TEM Client used on its poll cycle to reach the TEM Server. This means that if the TEM Client goes through a NAT the source address will change and be reassigned by the NAT. The IP Address the TEM Server uses to reach TEM Clients is often confused by the "IP Address" retrieved property. This retrieved property is calculated on the machine running each TEM Client but this IP Address may not be the same as the IP Address the TEM Server uses to reach that TEM Client.
For more information about managing computers that are outside the internal network, please see Internet Relays.