Discovery behind internal firewalls

yaj
Kilo Explorer

We have local (internal data centre, on premises) installations of Service Now Discovery servers. The internal network is increasingly being partitioned into various zones, behind internal PAN and Cisco firewalls. Each time a new server is built in a new zone behind firewalls, Discovery is obviously problematic, since the firewalls are not allowed to contain "any to any" rules, due to internal security policies. It's a bit tedious to put in a new process where every RFC record to create a new server now has to include changing firewall rules for every new server that's built. More importantly, Service Now Discovery is not yet a CIO level directive, so not everyone wants to take on the extra work, especially when the firewalls and servers are handled by different (often more than two) groups.

Is there a "solution" other than opening a specific number of ports for each server on each firewall?

Does the MID server have anything like a proxy or port forwarding to simplify matters?

VivekSattanatha
Mega Sage

Hi Yaj,

I don't think you can use a proxy to discover internal devices. You can configure your MID Server with a proxy only to communicate with your ServiceNow instances.

If you have a problem with opening firewall ports then you can always place a MID Server in those VLANs.

Instead of opening Server-Server firewall ports, why don't you open them VLAN-VLAN? That way, you can reduce the firewall-opening requests for individual servers being built.


yaj
Kilo Explorer

There is no budget to place MID Servers in every VLAN, so this is not a solution for the scenario presented.

I am trying to find out if there is a solution beyond the very, very obvious "any to any - allow" rule in firewalls that come between Discovery MID Server(s) and the new Servers.

What about port forwarding? Does MID Server support port forwarding?

[This would reduce the number of ports to be opened.]