MID Server in DMZ

Ragav4
Tera Contributor

We are planning to deploy the DMZ MID Server; right now the DMZ build process is completed. Can someone help me to know what the prerequisites and pre-requirements are that I have to know before setting up this MID Server?

I was referring to a couple of documents which recommended putting the DMZ MID Server inside the DMZ zone and blocking all the firewall ports. Could someone help me to know these requirements and also the software to be installed on the MID Server?


Hitoshi Ozawa
Giga Sage

As mentioned in the ServiceNow documentation, unless it's necessary to discover machines in the DMZ, the MID Server shouldn't be in the DMZ. In that case, only let the MID Server in the DMZ discover devices in the DMZ, and have a different MID Server internally to discover internal devices.

Firewall access: Configure any firewalls between the MID Server and the target devices to allow a connection. If your network uses a DMZ, and if your network security protocols limit port access from within the network to the DMZ, you might have to deploy a MID Server to a machine within the DMZ to probe the devices there.

https://docs.servicenow.com/bundle/rome-servicenow-platform/page/product/mid-server/task/t_ConfigMIDSvrConnecPrereq.html

The following ServiceNow page lists the requirements. The MID Server runs on Java, so the server does need to be able to run Java applications. The MID Server comes with a JRE, so there is no need to install it separately.

https://docs.servicenow.com/bundle/rome-servicenow-platform/page/product/mid-server/reference/r_MIDServerSystemRequirements.html

Another requirement is an SSL certificate. This implies opening the port for HTTPS (port 443).

My internal MID Server connects to ServiceNow through the firewall. The firewall just needs to pass traffic between the internal MID Server and ServiceNow. You can restrict the IP addresses to ServiceNow and to OS update sites. Check the following page.

https://docs.servicenow.com/bundle/rome-servicenow-platform/page/product/mid-server/task/t_ConfigMIDSvrConnecPrereq.html?cshalt=yes
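An added example, not from this thread or from ServiceNow's documentation: an nftables ruleset for a Linux host running a DMZ MID Server that encodes the posture described above, outbound HTTPS to the instance only, discovery traffic to the DMZ segment only, and everything inbound dropped. The instance address, DMZ subnet, resolver, update host and discovery target ports are placeholders to replace with your own values.

```shell
#!/bin/sh
# Placeholder values (constructed for this example): replace with your own.
INSTANCE_IP="${INSTANCE_IP:-203.0.113.10}"     # resolved address of your ServiceNow instance
DMZ_SUBNET="${DMZ_SUBNET:-192.0.2.0/24}"       # the DMZ segment this MID Server may discover
RESOLVER_IP="${RESOLVER_IP:-192.0.2.53}"       # DNS resolver reachable from the DMZ
UPDATE_HOST_IP="${UPDATE_HOST_IP:-192.0.2.80}" # OS update mirror or proxy for the host itself

# Print an nftables ruleset. The MID Server only ever polls the instance over
# HTTPS, so nothing needs to reach it from outside: input is drop-by-default.
mid_dmz_ruleset() {
  cat <<EOF
flush ruleset
table inet mid_dmz {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    # No inbound service on the MID host; add an admin SSH rule here only if needed.
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    # MID Server -> instance, HTTPS only
    ip daddr $INSTANCE_IP tcp dport 443 accept
    # Name resolution and OS updates for the host
    ip daddr $RESOLVER_IP udp dport 53 accept
    ip daddr $UPDATE_HOST_IP tcp dport { 80, 443 } accept
    # Discovery targets restricted to the DMZ segment (ports depend on the probes you use)
    ip daddr $DMZ_SUBNET icmp type echo-request accept
    ip daddr $DMZ_SUBNET tcp dport { 22, 5985, 5986 } accept
    ip daddr $DMZ_SUBNET udp dport 161 accept
    # Everything else, including any path back into the internal network, is logged and dropped
    log prefix "mid_dmz egress drop: " drop
  }
}
EOF
}

# Write the ruleset to a file that can be reviewed and loaded with: nft -f <file>
write_ruleset() {
  mid_dmz_ruleset > "$1"
}
```

The `flush ruleset` line replaces whatever ruleset is currently loaded, so merge these rules into an existing policy instead if the host already has one.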

It is likely that we will need to set up a MID Server to discover servers in the DMZ for Service Mapping. Each server in the DMZ would have different login credentials. My question is, if separate logins must be used for each individual device within the DMZ, how can I prevent Discovery from attempting to use all available credentials until it finds the one that works? The failed login attempts could trigger alerts, etc.

Rahul Priyadars
Giga Sage

If the components you want to discover are inside your network, then put the MID Server close to your infrastructure.

At a high level, this is the layering:

[image 1: MID Server layering diagram]

[image 2: MID Server layering diagram]

You need to place your MID Server close to your discoverable infrastructure.

Putting it in the DMZ for normal private network host discovery will need a lot of Q&A with the security team.

Regards

RP

It is likely that we will need to set up a MID Server to discover servers in the DMZ in addition to the MID servers inside our network (like image #2 in your post) for Service Mapping. Each server in the DMZ would have different login credentials. My question is, if separate logins must be used for each individual device within the DMZ, how can I prevent Discovery from attempting to use all available credentials until it finds the one that works? The failed login attempts could trigger alerts, etc.

You can use a Discovery credential alias and behavior to control the attempts. Credential aliases for Discovery allow an administrator to use specific credentials on Discovery schedules. You can configure behaviors for your aliases that determine how strictly the system enforces their use.

https://docs.servicenow.com/bundle/rome-servicenow-platform/page/product/credentials/concept/discovery-credential-alias.html

Regards

RP