
Managing remote/External Clients



Hi,

 

I am currently evaluating Malwarebytes Business and have a question regarding the ability to manage remote clients.

 

Our setup consists of a mix of local and remote clients. I have installed the Management Console and for all local clients I have been able to remote install the client, define policies, run scans, etc., all perfectly fine.

 

But as for remote clients I’m not seeing any easy way to initially configure these. We have remote laptops that will not return to ‘base’ for several months at a time. The problem with this is that it appears the Management Console/Client is only ever configured to look at the management server’s local/internal hostname. This is fine when the client is inside the network and can resolve the local hostname but when the client is external it can’t find the management server and we therefore have no control over it. I can’t see anywhere within the Malwarebytes Management Console to change the Management Server address to that of an external hostname/IP.

 

I created an installation package and installed the product on the remote client. I then hunted around and found a ‘SCComm.exe.config’ file and in there found the ‘RemoteHost’ entry. If I manually change this to an external hostname of our server and open up the client port of 18457 and forward this to the server then the remote client appears to work OK. It automatically adds itself to the Management Console and I can run scans remotely, define policies which get updated to the remote clients, etc., and information is sent back to the Console.

 

I was just wondering if there is a better way to achieve the same thing rather than having to manually modify an XML config file?

 

Thanks, David


I just found the 'Server Configuration' option within the start menu. If I use this to change the admin server address to, say, 'remote.domain.co.uk', it says it has changed successfully, but when I try to log on to the console again with the new or old address I get the error: "Registered server address cannot be found. Please go to the Admin page to modify the server address"

 

Any ideas how to change the server address?

 

Thanks


You should NEVER locate the Management Server outside of your local network.  By doing so, you are making it vulnerable to attack.  As a result, the rest of your network will also become exposed.  This topic is covered in the Best Practices Guide.  The most appropriate answer is to have your remote clients connect to the server using a VPN.

 

The Best Practices Guide and the Management Console Admin Guide also provide warnings regarding changing of the server IP/name after clients have been installed on endpoints.  Server identity is defined on the endpoint when the client is installed, and several settings (which are not updated after that time) will get out of sync with the actual server IP/name.

 

If you can't regain connectivity between server and endpoints, you will need to open a support ticket with Malwarebytes Technical Support at https://www.malwarebytes.org/support/business/


  • 1 month later...

I am having the same issue, but would like to use a CNAME or "A" DNS record as the server address INTERNALLY for disaster recovery, failover, replacement, etc. rather than the local IP or hostname. I would like to avoid using the local NetBIOS name or IP address for ease of management server replacement or upgrading later. I would rather use a CNAME record that points to my server's name. The clients will then use this CNAME record for communication and if the server's name or IP ever changes, I'll simply update the CNAME record to point to the new server name after MEE is installed on the new server.

 

The error I receive after attempting to log into the console is: "The registered server address cannot be found. Please go to the Admin pane to modify the server address."

 

Any suggestions? Is there a config file for MEE that I can edit and "approve" my CNAME record?


  • 5 months later...

Not at the present time.

 

Have you given those clients an alternate method of getting database updates?  Typically, clients get their database updates from the server, but if they don't see the server, they will not get updates unless the policy you put on that box "way back when" gave them an alternate path.  When they do get back on the local network, they will be transferring their threat logs to the server, so prepare for some heavy network traffic from those guys.


  • 3 weeks later...

An additional problem to note: Malwarebytes Console tracks computers by IP address, not name, and not MAC address. Therefore, you won't have accurate records unless computers never use the same IP address. We have the problem that our VPN server only assigns a small group of addresses, so those computers keep showing up as duplicates because they have a different IP each time they connect - plus records of threats are commingled with other computers that have used the same IP address (which can be 10 or more computers per day!). I have contacted support about this. They believe that IP address is the best way to identify and track a computer - I have asked them to use something that is more stable - such as MAC address, however it does not seem like this is something that is on the horizon anytime soon.
