My network administrator doesn't want to open up for https traffic directly to the PRTG server in our core network. He would like to see some kind of DMZ-service in-between. (I believe this is called a reverse proxy?)
Could one possible design be to move the PRTG Core server to the DMZ and place an additional probe inside, in place of the moved Core? The major drawback of this design is that it would place a lot of network information in the DMZ, but on the access side of things my network admin would be happier.
What is the best practice design from Paessler? Any general advice?
Article Comments
I've been trying to figure out how to allow this for remote probes. I thought of a reverse proxy, but unless you can do it with authentication which Prtg doesn't support, there is not much point.
However what I came up with should allow this to work and keep the network administrator happy. Setup the remote probe with some sort of DDNS system. It doesn't really matter which one or even if it supports your own domain name. Then setup the firewall rule to only allow that name/IP address to have access. You would need to make sure your firewall supports fqdn in an acl. Q
Feb, 2014 - Permalink
Hi,
in your case I would recommend using an reverse proxy which can be placed in your DMZ. We have tested this with Apache and IIS and with both even the mobile applications as well as the Enterprise Console is working.
Best regards
Feb, 2014 - Permalink