2.24.2 Managing devices connected via the Internet
With JP1/IT Desktop Management 2, you can manage computers that employees have taken out of the office to work from home or from a satellite office, without setting up a VPN connection.
To do this, set up an Internet gateway server in the demilitarized zone (DMZ) of the corporate network and connect that server to the management server. Managed computers and the management server communicate with each other through the Internet gateway server, and managed computers and the Internet gateway server communicate over HTTPS.
- Tip
-
As shown in the following figure, a management relay server located outside the company is connected to the Internet, and the management relay server and the Internet gateway server communicate with each other over HTTPS. This allows the management server located inside the company to manage both the management relay server and the managed computers located outside the company.
- Important
-
Note that when you manage computers connected via the Internet, the available functions differ from those available when a VPN connection is used. For details, see 2.24 Managing devices used outside the company.
- Organization of this subsection
(1) Managing connected devices
Devices connected via the Internet are managed as described below.
Prerequisites
The following prerequisites apply to devices managed through Internet connection:
-
Only devices (computers) running Windows as the OS can be managed.
-
An agent must be installed on each computer to be managed.
-
The network monitor must be disabled on managed computers.
- Important
-
Agentless devices cannot be managed.
- Important
-
Before a managed computer is taken out of the company for use, disable Wake on LAN and the AMT BIOS setting so that the computer cannot be activated inadvertently.
To manage devices through Internet connection:
In the Agent Configurations view of the Settings module, in the agent configuration applied to the managed computer, select Basic settings, and then select the Perform HTTPS communication with the higher system via the Internet Gateway check box.
When this setting is enabled, the agent communicates with the management server and the relay system via the Internet gateway.
Network connection control
A managed computer used outside the company is not subject to network connection control.
Furthermore, while a managed computer is used outside the company, it is assigned an IP address that differs from the one managed on the internal network. If network connection control is therefore performed by using a network control list that uses IP addresses for judgment, network connection control for such computers might not work properly. For this reason, we recommend that you use MAC addresses for judgment when performing network connection control based on a network control list.
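The following is an added illustration of why IP-based judgment goes wrong for roaming computers; it is not JP1/IT Desktop Management 2 code, and the list format, the device records, the judge() function and the addresses are all assumptions constructed for the example. It models a control list built while two laptops were on the internal network, then checks what each judgment key decides after the denied laptop has gone off-site and its old internal address has been reassigned to the allowed laptop.

```python
"""Why IP-based judgment in a network control list breaks for roaming devices.

Added illustration, not JP1/IT Desktop Management 2 code: the list format,
the device records and the judge() function are assumptions, and the
addresses are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    mac: str   # hardware address; does not change when the device roams
    ip: str    # address currently recorded in inventory; changes off-site (DHCP)


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55 or 00-11-22-33-44-55 in any letter case."""
    return mac.replace(":", "-").upper()


# Constructed network control list, registered while both laptops were on the
# internal network. Each entry carries both keys so either judgment can be tried.
CONTROL_LIST = [
    {"ip": "192.0.2.10", "mac": "00-11-22-33-44-55", "action": "allow"},  # laptop-a
    {"ip": "192.0.2.11", "mac": "00-11-22-33-44-66", "action": "deny"},   # laptop-b
]


def judge(device: Device, key: str) -> str:
    """Look the device up in CONTROL_LIST by 'ip' or 'mac'.

    Returns the matching entry's action, or 'unknown' when nothing matches, so
    that the caller (not this example) decides the fail-open/fail-closed policy.
    """
    if key == "ip":
        matches = [e for e in CONTROL_LIST if e["ip"] == device.ip]
    elif key == "mac":
        wanted = normalize_mac(device.mac)
        matches = [e for e in CONTROL_LIST if normalize_mac(e["mac"]) == wanted]
    else:
        raise ValueError(f"unsupported judgment key: {key}")
    return matches[0]["action"] if matches else "unknown"


def simulate_roaming() -> dict:
    """Two things happen after the list was built:

    1. laptop-b (the denied one) is taken home. Its agent now reports the
       off-site address 198.51.100.7 instead of 192.0.2.11.
    2. laptop-a's lease expires and, back in the office, DHCP hands it the
       address 192.0.2.11 that laptop-b used to have.
    """
    laptop_b_offsite = Device("laptop-b", "00:11:22:33:44:66", "198.51.100.7")
    laptop_a_onsite = Device("laptop-a", "00:11:22:33:44:55", "192.0.2.11")
    return {
        # IP judgment no longer finds the deny entry for the denied device...
        "laptop-b by ip": judge(laptop_b_offsite, "ip"),
        "laptop-b by mac": judge(laptop_b_offsite, "mac"),
        # ...and pins laptop-b's deny on an innocent device that reused the IP.
        "laptop-a by ip": judge(laptop_a_onsite, "ip"),
        "laptop-a by mac": judge(laptop_a_onsite, "mac"),
    }


if __name__ == "__main__":
    for case, action in simulate_roaming().items():
        print(f"{case}: {action}")
```

Run as is, the IP-keyed judgment returns unknown for the laptop that should be denied and deny for the laptop that should be allowed, while the MAC-keyed judgment returns the registered action for both. That is the failure the recommendation above is guarding against: the MAC address survives the address change that happens when a computer leaves and re-enters the internal network.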
Switching the connection destination of managed computers brought back into the company
Managed computers that are brought back into the company can be made to connect directly to the management server or the relay system.
To prevent managed computers inside the company from connecting to the Internet gateway, you must edit both the firewall settings and the proxy server settings. For details, see the description of managing devices used outside the company in the manual JP1/IT Desktop Management 2 Administration Guide.
To manage devices through a management relay server connected via the Internet:
For a management relay server to connect to the higher management server through an Internet gateway, you must create an Internet connection configuration file on the management relay server and then execute the rlyigwsetconf command. For details, see the description of the procedure for connecting a management relay server to an Internet gateway in the manual JP1/IT Desktop Management 2 Configuration Guide.
(2) Precautions for managing devices via Internet connection
Observe the following precautions when managing devices via an Internet connection:
When communicating with a higher system via the Internet gateway
-
Automatic and manual security countermeasures are executed when the agent polls the higher system.
-
Computer operations performed by an administrator are executed when the agent polls the higher system.
-
Distribution of software and files by means of ITDM-compatible distribution is executed when the agent polls the higher system.
-
Software and file distribution jobs that use Remote Installation Manager are executed when the agent polls the higher system.
-
When collecting files larger than 1 GB with the remote collection function, change the agent configuration setting Communication Settings - Communication Error Settings - Timing to assume that a communication error occurred - Assume that a communication failure occurred if no response is received from communication software within the specified period to 120 minutes. Note that increasing this value also lengthens the time until the absence of a response from the server caused by a temporary problem, such as a communication failure or a server failure, is treated as an error, so the interval until the next polling becomes longer. After changing the setting, wait at least the amount of time specified in Basic Settings - Timing of Communication with the Higher System - Polling Timing - Periodically perform polling on every system startup.
-
When distributing packages of 50 MB or more by using Remote Install Manager, a communication timeout might occur. Split such a package into parts of less than 50 MB each before distributing it.
-
If ITDM-compatible distribution fails part way through because of a communication error, retry it at the next polling time.
When managed computers are connected to the internal network
-
If the management server issues a request with automatic activation by Wake on LAN or AMT enabled while a managed computer connected to the internal network is turned off, the request is received at the polling performed at system startup. In this case, the request might be executed later than it would be if the managed computer were turned on.
When managed computers are connected to a network outside the company
-
When a network connection is blocked or allowed based on a judgment made in accordance with the security policy, the network control list is updated, but network connection control is not performed for computers used outside the corporate network.
-
Computers used outside the corporate network cannot be activated by Wake on LAN or AMT.
Switching the network to which a managed computer is connected
If a computer is taken out to the Internet environment before a Distribution that Uses Remote Install Manager job to that computer in the internal network environment has completed, the job is interrupted. The job resumes when the computer reconnects to the internal network environment.
Likewise, if a computer is brought back to the internal network environment before a Distribution that Uses Remote Install Manager job to that computer in the Internet environment has completed, the job is interrupted. The job resumes when the computer reconnects to the Internet environment.