CIS_ESM on external network

Hi all,

This weekend I installed CESM on my LAN at home consisting of:

1 pc Windows XP Pro SP3 on which I installed CESM and CIS_ESM (Firewall Security conf.), and
1 pc Windows XP Pro SP3 on which I installed CIS_ESM (Firewall Security conf.)

This works fine.

Detail:
This LAN sits behind a router with internet address 84.81.xxx.yyy. The internal addresses are 192.168.0.2 and 192.168.0.3 resp.

Now for the problem:
I have another computer at an ISP, with internet address: 213.193.aaa.bbb (Win2003 server)
I wanted to also install CIS_ESM on this one, but could not do that directly from the CESM server (84.81.xxx.yyy / 192.168.0.2).
So, I built the installation files, uploaded them to the remote computer (213.193.aaa.bbb) and got them installed with a little trick:
I changed the value of key Address1 in setup.ini (in the same directory where CesmAgent_x86_0.9.0.0.msi is located) from '192.168.0.2' to '84.81.xxx.yyy'.

In brief: I got both the agent and CIS_ESM installed on the remote computer …

But when I switch to 'Remote Administrator Mode' on the remote pc, I still cannot connect to the remote PC from the CESM console.
If I look at the active connections in the Firewall Tasks > View Active Connections screen on the remote pc, I see that it is trying to connect from 213.193.aaa.bbb:1625 to 192.168.0.2:9901.
This is not correct; it should be from 213.193.aaa.bbb:1625 to 84.81.xxx.yyy:9901.

Apparently CESM is inserting the local LAN address into the installation package, which runs OK on the local LAN.

My questions:

  1. Can one attach a remote PC (outside my LAN, on the internet somewhere) to a CESM-server that is on an internal LAN behind a router with an external address?
  2. If so, how can I force CESM to insert the external address in the installation package for the agent? Or can I tweak some values somewhere?

Thanks for any suggestion.
Rui Rosado

Easiest thing to do is set up a VPN site-to-site tunnel between the two locations. It would be as if both locations were on the same network.

Without a VPN tunnel you would need to set up a firewall rule in your router to allow the agent port and NAT it to your CESM server. You would have to set the agent to talk to the external IP of your CESM server location. The NAT rule would then take the packet coming in on the port number you allowed and route it to the server.

Hello, Rui Rosado.
Do you have a static external IP address?

Thanks, etaftm, this is a good idea that I will try out if I cannot figure out a different solution …
Rui

Hi ratz,

Yes, both networks have static external IP addresses.
The one with CESM has address 84.81.226… (internal network is 192.168.0.0/255.255.255.0) and the other one with CIS_ESM (which I consider the remote one) also has a fixed address 213.193.212…

Ciao,
Rui

Hi, Rui.

CESM Agent\Packages\setup.ini

Edit:
[GENERAL]
SERVERHOST=YOUR IP
SERVERPORT=9901

Address1=YOUR IP
[PRODUCT1]

Tell us the result.

Note: At the present time only one computer from outside the NAT can be added to CESM.
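The two posts above describe a procedure in two halves: ratz's edit of the address keys in setup.ini so the agent dials the public address instead of 192.168.0.2, and etaftm's router rule that forwards the agent port to the CESM server. The script below is an added example written for this thread, not code from the posts or from Comodo: it scans an agent-package setup.ini for server-address keys that still hold a LAN address (the failure Rui saw in View Active Connections), rewrites them to a given public address while refusing another private one, and builds the matching port-forward rules. The sample setup.ini is constructed from the fragment posted above, the iptables/eth0 router syntax is an assumption (adapt it to the router in use), and the public addresses 1.2.3.4 and 5.6.7.8 are placeholders standing in for the masked 84.81.xxx.yyy and 213.193.aaa.bbb hosts.

```python
import ipaddress
import re

# setup.ini keys that carry the CESM server address (the two named in the
# thread). Compared case-insensitively because the posted keys differ in case.
ADDRESS_KEYS = {"SERVERHOST", "ADDRESS1"}

# Constructed sample of an agent-package setup.ini. The layout follows the
# fragment posted above; the LAN address is the one from the thread, everything
# else is an assumption, not a capture from a real CESM package.
SAMPLE_SETUP_INI = """[GENERAL]
SERVERHOST=192.168.0.2
SERVERPORT=9901

Address1=192.168.0.2
[PRODUCT1]
"""

_KEY_VALUE = re.compile(r"^(\s*)([A-Za-z0-9_]+)(\s*=\s*)(.*)$")


def is_unroutable(value):
    """True if value is an IP address a host on the Internet cannot reach
    (RFC 1918 private, loopback, link-local, other non-global ranges).
    Hostnames are not checked here and return False."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return False
    return not addr.is_global


def find_unroutable_server_addresses(ini_text):
    """Return (line_number, key, value) for every server-address key whose
    value a remote agent could not connect to. An empty list means the
    package can be shipped to a host outside the LAN."""
    findings = []
    for line_no, line in enumerate(ini_text.splitlines(), 1):
        m = _KEY_VALUE.match(line)
        if m and m.group(2).upper() in ADDRESS_KEYS and is_unroutable(m.group(4)):
            findings.append((line_no, m.group(2), m.group(4).strip()))
    return findings


def rewrite_server_address(ini_text, external_ip):
    """Return ini_text with SERVERHOST and Address1 pointed at external_ip.
    Refuses a non-global address so the original mistake cannot be repeated.
    Only the address keys change; SERVERPORT and section headers are kept."""
    ipaddress.ip_address(external_ip)  # raises ValueError on a malformed address
    if is_unroutable(external_ip):
        raise ValueError(f"{external_ip} is not reachable from outside the LAN")
    out = []
    for line in ini_text.splitlines():
        m = _KEY_VALUE.match(line)
        if m and m.group(2).upper() in ADDRESS_KEYS:
            line = f"{m.group(1)}{m.group(2)}{m.group(3)}{external_ip}"
        out.append(line)
    text = "\n".join(out)
    return text + "\n" if ini_text.endswith("\n") else text


def nat_rules(wan_if, remote_agent_ip, server_lan_ip, port=9901):
    """Build the two Linux iptables commands that forward the agent port
    (9901 in the thread) from the router's WAN interface to the CESM server,
    accepting only the remote office's static address rather than the whole
    Internet. Interface name and iptables syntax are assumptions."""
    ipaddress.ip_address(remote_agent_ip)
    ipaddress.ip_address(server_lan_ip)
    return [
        f"iptables -t nat -A PREROUTING -i {wan_if} -s {remote_agent_ip} "
        f"-p tcp --dport {port} -j DNAT --to-destination {server_lan_ip}:{port}",
        f"iptables -A FORWARD -i {wan_if} -s {remote_agent_ip} -d {server_lan_ip} "
        f"-p tcp --dport {port} -m conntrack --ctstate NEW -j ACCEPT",
    ]


if __name__ == "__main__":
    # Placeholder public addresses standing in for the masked hosts in the thread.
    wan_ip, remote_ip = "1.2.3.4", "5.6.7.8"
    for line_no, key, value in find_unroutable_server_addresses(SAMPLE_SETUP_INI):
        print(f"setup.ini line {line_no}: {key}={value} is a LAN address")
    print(rewrite_server_address(SAMPLE_SETUP_INI, wan_ip))
    print("\n".join(nat_rules("eth0", remote_ip, "192.168.0.2")))
```

Run the scan against the package before copying it off the LAN; if it reports nothing, the agent will dial a public address. The forward rules deliberately match on the remote office's source address, so port 9901 stays closed to everyone else; a second office means a second pair of rules with its own static address.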

Thank you very much ratz, this worked for me !!
Do you have any idea if there will be a version of CESM (in the near future) to which more than one 'out of NAT' system can be added? I am a consultant to several law firms, some of which have more than one office, and we would like to be able to control the subsidiary offices (3 to 5 PCs each) from the main office …

Again, thanks for your quick reaction.

Ciao,
Rui Rosado

We are working on improving this issue.
Thank you for your interest in our product.
Stay with us.