Best practice public internet access


My network administrator doesn't want to open up for HTTPS traffic directly to the PRTG server in our core network. He would like to see some kind of DMZ service in between. (I believe this is called a reverse proxy?)

Could one possible design be to move the PRTG Core server to the DMZ and place an additional probe inside, in place of the moved Core? The major drawback of this design is that it would place a lot of network information in the DMZ, but on the access side of things my network admin would be happier.

What is the best practice design from Paessler? Any general advice?

dmz network-design security

Created on Feb 18, 2014 9:03:32 AM by  Børge Slind (0) 1



2 Replies


Hi,
in your case I would recommend using a reverse proxy, which can be placed in your DMZ. We have tested this with Apache and IIS, and with both even the mobile applications as well as the Enterprise Console are working.
Best regards

Created on Feb 18, 2014 9:53:39 AM by  Konstantin Wolff [Paessler Support]




I've been trying to figure out how to allow this for remote probes. I thought of a reverse proxy, but unless you can do it with authentication, which PRTG doesn't support, there is not much point.

However, what I came up with should allow this to work and keep the network administrator happy. Set up the remote probe with some sort of DDNS system. It doesn't really matter which one or even if it supports your own domain name. Then set up the firewall rule to only allow that name/IP address to have access. You would need to make sure your firewall supports FQDN in an ACL.

Created on Feb 21, 2014 6:30:45 AM by  Jeff Cook (101) 1 1
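
Where the firewall cannot take an FQDN in an ACL, the DDNS allowlist described in the reply above can be kept in sync by a small scheduled job. The sketch below is an added example, not part of the original thread or of PRTG; the name `probe.example.net`, the function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import socket

# RFC 1918 ranges: a DDNS answer inside them cannot be the probe's public address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def usable(ip):
    """True if ip could plausibly be a remote site's public source address."""
    return not (ip.is_loopback or ip.is_unspecified or ip.is_multicast
                or ip.is_link_local or any(ip in net for net in RFC1918))

def refresh_allowlist(fqdn, current, resolver=socket.getaddrinfo):
    """Return (allowlist, added, removed) for one DDNS name.

    A failed lookup or an answer with no usable address keeps the previous
    allowlist, so a DNS outage neither opens the rule nor drops the probe.
    """
    current = set(current)
    try:
        infos = resolver(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
        resolved = {ipaddress.ip_address(info[4][0]) for info in infos}
    except (OSError, ValueError):
        return current, set(), set()
    good = {ip for ip in resolved if usable(ip)}
    if not good:
        return current, set(), set()
    return good, good - current, current - good

def is_allowed(source, allowlist):
    """Exact-match source check, as the firewall rule would apply it."""
    return ipaddress.ip_address(source) in allowlist

def constructed_resolver(answers):
    """Stand-in for DNS (constructed data) so the example runs offline."""
    def resolve(host, port, family, socktype):
        if isinstance(answers, Exception):
            raise answers
        return [(family, socktype, 6, "", (a, 0)) for a in answers]
    return resolve

if __name__ == "__main__":
    name = "probe.example.net"  # hypothetical DDNS name
    acl, _, _ = refresh_allowlist(name, set(), constructed_resolver(["203.0.113.10"]))
    acl, _, removed = refresh_allowlist(name, acl, constructed_resolver(["198.51.100.7"]))
    print("after address change:", acl, "removed:", removed)
    acl, _, _ = refresh_allowlist(name, acl, constructed_resolver(socket.gaierror("down")))
    print("after DNS failure (unchanged):", acl)
```

Applying `added` and `removed` to the firewall is left to the device's own tooling. The allowlist filters by source address only and does not authenticate the probe.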


