Using PDQ Deploy/Inventory with a client that is locked down
While I understand and am very thankful that PDQ is a clientless setup, I want to know if there is a way to have a client or firewall rule in place.
Here is my scenario.
Our backup server has all the firewall rules disabled except for those that need to be enabled (AV client and backup software client rules, to name a few). This means ping and File and Print Sharing are disabled.
The reason for this is a recommendation to help prevent ransomware by making sure your backup server is not easily able to be contacted.
https://krebsonsecurity.com/2016/11/san-francisco-rail-system-hacker-hacked/
https://www.ic3.gov/media/2016/160915.aspx
Can PDQ be set up in such a way as to allow a certain port or client through the firewall to communicate back to the server that hosts the main apps?
thanks,
Ian
Comments
You may find these links helpful:
https://support.adminarsenal.com/hc/en-us/articles/220533627-Windows-Firewall-Ports-and-Exceptions
http://www.adminarsenal.com/admin-arsenal-blog/initiating-deployments-using-powershell-2/
I attempted to use the PowerShell method in the second link. It let me initiate the call from my backup server to my deploy server, but after that it said the target computer is offline. I believe this to be a result of File and Print Sharing and ping being off in the backup server's firewall. So what I want to ask is whether there is a different way to make this happen. I would have no issue using remote PowerShell, but I need to know if there is a different way to make a deployable package deploy.
Disable "Preferences --> Deployments --> Ping before deployment" in Deploy
and make sure "Preferences --> Scanning --> Offline Settings" is set to "Attempt scan" in Inventory.
Thank you for the response.
Both these values were already set to your recommendation.
I think you'll have to configure Windows Firewall to allow your PDQ machine to reach \\BackupServer\IPC$ and \\BackupServer\ADMIN$. I think you'll also have to allow ping. The good thing is you should be able to create rules that allow only the PDQ machine access.
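The rule set described in the reply above, written out as an added example (this is not code from the thread, from PDQ, or from its support article). It assumes the PDQ Deploy/Inventory console has the fixed address 10.0.0.5, that the backup server is named BackupServer and sits on the Domain firewall profile, and that reaching \\BackupServer\IPC$ and \\BackupServer\ADMIN$ means SMB over TCP 445 while "ping" means ICMPv4 echo request. Every rule is scoped with -RemoteAddress so that only the console, and no other host on the LAN, gets through; any further ports listed in the PDQ firewall article linked earlier are added the same way with the same scope.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the
# backup server (Windows 8 / Server 2012 or later, NetSecurity module).
# Assumed values: PDQ console at 10.0.0.5, this host named BackupServer.
$PdqConsole = '10.0.0.5'   # assumption: give the console a static IP or DHCP reservation

# IPC$ and ADMIN$ are SMB shares, so the console needs inbound TCP 445.
# Scoping -RemoteAddress to the console keeps the share closed to everyone
# else, which is the whole point of the lockdown. -Profile Domain is an
# assumption; use -Profile Any if the NIC is categorized Private/Public.
New-NetFirewallRule -DisplayName 'PDQ Console - SMB (IPC$/ADMIN$)' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $PdqConsole -Action Allow -Profile Domain -Enabled True

# "Ping before deployment" sends ICMPv4 echo request (type 8).
# Same scope: only the console may ping this server.
New-NetFirewallRule -DisplayName 'PDQ Console - ICMPv4 Echo' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $PdqConsole -Action Allow -Profile Domain -Enabled True

# Check: every PDQ rule must carry the console's address as its remote scope.
# A rule that shows RemoteAddress 'Any' here would re-open the port to the LAN.
Get-NetFirewallRule -DisplayName 'PDQ Console*' |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            RemoteAddress = $addr.RemoteAddress
        }
    }

# From the PDQ console (not from the backup server), confirm the path is open:
#   Test-NetConnection -ComputerName BackupServer -Port 445
#   Test-Path '\\BackupServer\ADMIN$'
# Run the same Test-NetConnection from any other workstation: it should
# report TcpTestSucceeded : False, proving the scope holds.
```

If the console's address ever changes, the rules silently stop matching and PDQ will report the backup server as offline again, so treat $PdqConsole as part of the backup server's hardening baseline rather than a one-off setting.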