Just wanted to see if anyone would have any experience to offer or opinions on this. We are working to set up a new on-prem server to be our new Automate server. We currently have an on-prem Automate server but are working to move it to a more robust and better server than where it currently sits. We were thinking of a split server setup where we would put the application server in the DMZ and then have the database server in our main production network, in hopes of increasing security by placing the publicly accessible items in a DMZ and keeping the database more protected. When we had a call with Automate support, they suggested that this setup would most likely cause some performance issues and may not really increase security much, since we would need to open up certain ports from our main production network to the DMZ for our agents to check in and for the Control Center to operate properly. They also said that having a split server for our agent count was overkill for right now and that having a single server would be better. With that said, has anyone had our proposed setup before, and if so, have you had any performance issues with it?

Also, due to our agent count, we are open to having a single server, but we also thought to VLAN off the server so that it's on its own network and we can keep our production environment more protected. Again, if we went this way, has anyone had any issues with having an Automate server in its own VLAN, separate from the rest of the network? I am assuming not, since it should work just fine, but I just wanted to get some feedback on this.

Thanks!

@jheninger I specialize in Automate infrastructure architecture. I'd be curious to know your agent count, but in general:

  • Isolation of the Automate stack is fine; you're accessing it over the web. My primary instance lives in its own domain/VLAN, isolated from the rest of everything.
  • Security ought to happen in front of the server. There's a recent thread about using CloudFlare as a WAF. Any properly spec'ed UTM ought to do the trick; an appliance that will do basic IPS and GeoIP work would be your friend.
  • Communication between the app and DB is PLAIN TEXT. In a single server this isn't an issue per se, since it's all local. However, since Automate stores credentials with reversible encryption, there's a big potential for MITM attacks that would sniff credentials if you're traversing multiple networks with your DB traffic.
  • The performance concern is about latency -- if you have the network throughput, don't let support dictate your architecture.

It's also worth noting that there are some exotic configurations you can do -- for example, my primary instance is doing SSL offloading on a reverse proxy device before hitting my app server. Support will tell you it's not a supported config (and I get it), but if implemented correctly it works great. The only gotcha is that it will be difficult to get support to help you if there ever was an issue.

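The reply above makes two points that fit together: the app-to-DB traffic is unencrypted, so if the DB sits in a different network than the app server, the only real protection is making sure nothing except the app server can reach the database port. A simple way to keep that honest is to review the firewall or flow logs for the DB VLAN and flag any connection to the MySQL port that does not come from the app server. The script below is an added example written for this thread, not something from ConnectWise or from the poster; the addresses, the log line format and the sample log are all constructed, so adapt the regex to whatever your firewall actually emits.

```python
"""Flag DB-port connections that bypass the intended app -> DB path.

Added example (not from the thread or the vendor): given firewall/flow log
lines, report any TCP connection to the database host on MySQL's port 3306
whose source is not the single Automate app server allowed to talk to it.
All addresses, the log format and the sample lines are constructed.
"""
import ipaddress
import re

# Assumed layout (constructed): app server in the DMZ, DB server in the prod VLAN.
APP_SERVER = ipaddress.ip_address("10.10.1.10")   # DMZ, the only allowed DB client
DB_SERVER = ipaddress.ip_address("10.20.1.20")    # production VLAN
DB_PORT = 3306                                    # MySQL

# Constructed flow-log format:
#   "<timestamp> <proto> <src>:<sport> -> <dst>:<dport> <ALLOW|DENY>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>ALLOW|DENY)$"
)

# Constructed sample: one legitimate session, one internal host reaching the
# DB (a hole in the policy), one blocked attempt from the DMZ, one unrelated
# HTTPS session, and one line that is not a flow record at all.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z TCP 10.10.1.10:51000 -> 10.20.1.20:3306 ALLOW
2024-01-01T10:00:05Z TCP 10.20.1.55:51001 -> 10.20.1.20:3306 ALLOW
2024-01-01T10:00:09Z TCP 10.10.1.99:51002 -> 10.20.1.20:3306 DENY
2024-01-01T10:00:12Z TCP 10.10.1.10:51003 -> 10.20.1.20:443 ALLOW
garbage line that should be skipped
"""


def parse_flow(line):
    """Parse one flow record; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "proto": m["proto"],
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def find_unexpected_db_clients(log_text):
    """Return a list of findings for DB-port sessions not sourced from APP_SERVER.

    An ALLOWed session from an unexpected host means the firewall policy has a
    gap (traffic that should never have been permitted); a DENYed one is a
    blocked attempt that is still worth knowing about.
    """
    findings = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["proto"] != "TCP":
            continue
        if flow["dst"] != DB_SERVER or flow["dport"] != DB_PORT:
            continue
        if flow["src"] == APP_SERVER:
            continue  # the one client that is supposed to be there
        severity = "policy-gap" if flow["action"] == "ALLOW" else "blocked-attempt"
        findings.append({
            "ts": flow["ts"],
            "src": str(flow["src"]),
            "action": flow["action"],
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_unexpected_db_clients(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> db:{DB_PORT} {f['action']} [{f['severity']}]")
```

Run it against the constructed sample and it reports two lines: the internal host 10.20.1.55 that was allowed through (the rule set is wider than "app server only") and the denied attempt from 10.10.1.99. In a real deployment the interesting result is the first kind; the point of the VLAN split the reply describes is that the allow list for the DB port should contain exactly one source.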
