Internet facing RA server?

Lo All,

Have an RA server 2.0.110 working well, and I would like to set it so that my remote as well as internal users connect to it for updates and tasks. I have it set to port 80 for updates and port 443 for client connections so that users will be able to traverse firewalls. This is working great with no issues.

HOWEVER, the users guide for RA server states that the RA server should NOT be internet facing, and I'm trying to figure out why. I want to deploy 1 image to all my clients and not have to worry about changing RA servers for clients at different sites. I have ESET servers as second backup profile.

Does anyone know why RA servers can not be internet facing? Is it because of vulnerabilities in RA HTTP server or...

thnx

 

The issue is twofold: You are presenting an attack vector through an exposed HTTP service so you want to take precautions like having that server in a DMZ, locking down its security configuration, or possibly even running a file version manger so you know when system files are being changed and stop potential exploits. The other issue is that a lot of people seem to not bother configuring their servers or clients correctly and take the easiest route which is no authentication on the management console or update mirror. If you do this and the mirror is publicly exposed, someone could stumble upon it and use it to get updates for free without actually buying Nod32 and you serving updates like to unauthorized people, even unintentionally, violates the hell out of the EULA and you are accountable. If you are going to have laptops in the field and want them to report in without connecting to a VPN, I recommend having a secondary RAS in a DMZ and only expose port 2222 for management console reporting and make sure you set a password for clients to attach on to the RAS. Then configure their update profiles so they continue to download updates straight from ESET.

It is tempting to serve updates through the RAS mirror, especially in light of the update issues a few months ago which caused a huge amount of problems due to our Juniper VPN requiring the very latest Nod32 defs for access and our laptops were unable to do so. You are better off using your update profile for Eset's servers as the primary and only open the firewall and switch to the other profile when those servers are having issues.

e: Fixed the wrong port number

 

Run on custom ports for http updates, no problem, I have quite a few doing that for clients. Port 80 I wouldn't though..it's a common widely exploited port. I usually do something in the 8xxx area. And port 2222 for management updates of course. All other ports...blocked via NAT.