Data is not returning for reports run against an agent located inside a Demilitarized zone on the other side of a Network Address Translation (NAT) firewall (NETIQKB34334)

  • 7734334
  • 02-Feb-2007
  • 16-Oct-2007


VigilEnt Security Agent for Windows 4.0

VigilEnt Security Manager 4.1

Data is not returning for reports run against an agent located inside a Demilitarized zone on the other side of a Network Address Translation (NAT) firewall.

The NAT (Network Address Translation) firewall receives the returned report data from the agent inside the Demilitarized zone (DMZ). However, because VigilEnt Security Manager places a fixed IP address (its own) inside the header of the report request it sends to VigilEnt Security Agent for Windows, the agent sends the return data to the NAT firewall addressed to that VigilEnt Security Manager IP address. The NAT firewall then tries to route the data to this address, and because the NAT firewall translates every IP address that passes through the wall, the actual address cannot be found. The return report data is therefore lost, unable to reach VigilEnt Security Manager.

Apply the VigilEnt Security Agent for Windows hotfix 34334, which can be accessed using the following link:

This hotfix is limited to static Network Address Translation (NAT) where the static mapping is 1-to-1. Dynamic and many-to-many (pooling) NAT configurations do NOT work.
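The following model, added here as an illustration and not NetIQ code, shows why the report reply is lost: the NAT rewrites the IP header on the way out but not the manager address embedded in the request payload, so the agent replies to an address the NAT cannot map back. The header field name `reply_to`, the addresses, and the assumption that the fixed behaviour answers the translated source address of the request (which is why only a 1-to-1 static mapping can work) are constructed for the example.

```python
"""Constructed model of a report request crossing a 1-to-1 static NAT.
The manager embeds its own (private) IP in the request header, exactly
the behaviour the KB article describes; the agent in the DMZ replies to
whatever address it trusts.  Addresses and field names are assumptions."""
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    payload: dict

class StaticNat:
    """1-to-1 static NAT: a fixed private<->public mapping in both directions."""
    def __init__(self, mapping):
        self.priv_to_pub = dict(mapping)
        self.pub_to_priv = {pub: priv for priv, pub in mapping.items()}

    def outbound(self, pkt):
        # Only the IP header is rewritten; the application payload is untouched.
        return Packet(self.priv_to_pub.get(pkt.src, pkt.src), pkt.dst, pkt.payload)

    def inbound(self, pkt):
        # Only addresses the NAT owns can be mapped back; anything else is dropped.
        if pkt.dst not in self.pub_to_priv:
            return None
        return Packet(pkt.src, self.pub_to_priv[pkt.dst], pkt.payload)

def agent_reply(request, hotfix_applied):
    """Agent-side response.  Before the fix the agent trusts the manager address
    carried in the request header; after it (assumed behaviour) it answers the
    address the request actually arrived from, i.e. the NAT-translated one."""
    target = request.src if hotfix_applied else request.payload["reply_to"]
    return Packet(request.dst, target, {"report": "data"})

def run_report(nat, manager_private, agent_public, hotfix_applied):
    """Return the packet as delivered to the manager, or None if the NAT dropped it."""
    req = Packet(manager_private, agent_public,
                 {"reply_to": manager_private, "op": "run_report"})
    req_seen_by_agent = nat.outbound(req)      # header src translated, payload not
    reply = agent_reply(req_seen_by_agent, hotfix_applied)
    return nat.inbound(reply)

# Constructed topology: manager 10.0.0.5 is statically mapped to 198.51.100.5,
# the agent in the DMZ is reachable on its public address 203.0.113.10.
NAT = StaticNat({"10.0.0.5": "198.51.100.5"})
MANAGER, AGENT = "10.0.0.5", "203.0.113.10"

if __name__ == "__main__":
    print(run_report(NAT, MANAGER, AGENT, False), run_report(NAT, MANAGER, AGENT, True))
```

With a pooled or dynamic NAT the translated source address is not tied to the manager once the request flow ends, which is why the same reply strategy cannot be relied on there.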

Reports by proxy across a Network Address Translation (NAT) environment are not recommended, but can be supported if the appropriate ports (listed below) are opened through the firewall for Remote Procedure Call (RPC).

Ports: 1622 and 1621

Network Address Translation (NAT) with the agent behind the firewall works as long as you send all traffic to the public address of the agent (i.e. the routable IP address of the agent). If you try to send traffic to the private address (usually a non-routable address like 10.x.x.x or 192.x.x.x) it will fail. This means that when you create an end-point, you need to enter the public, routable IP address of the agent rather than the local machine's IP address. To determine your routable IP address, contact your systems administrator.

Virtual Private Network (VPN) also works both ways with this hotfix.

Remote Deployment installations do NOT work through Network Address Translation (NAT) firewalls.

Additional Information

Formerly known as NETIQKB34334