[RESOLVED] REPO HS

Geoffroy

January 2, 2023 - 2:53 PM

Hello everyone,

First of all, best wishes to the whole team.

WAPT server 2.2.3 Enterprise license, Windows Server 2019.

So, to counter a potential attack, the client asked us to set up VLANs in each classroom with multiple subnets. But since this setup, the PCs using repositories are no longer accessing the repositories but the main server. We have updated the rules ourselves, but without success.

Example: repository on 10.2.0.93, PC network 10.2.110.0/24 and 10.2.111.0/24.

Server pings workstation, workstation pings server.

Then, someone from Active Directory security told us to implement two Group Policy Objects (GPOs) on the Active Directory server: one that disables NetBIOS over TCP/IP and one that disables smart multi-homed name resolution.

Do you have a solution?

It worked before this implementation. Are there any additional ports besides those specified in the WAPT document that need to be opened for repositories?
Server: WAPT Enterprise 2.6.0.17226 on Debian 12; Consoles: Windows 11; Infrastructure: Windows
dcardon
WAPT Expert

January 2, 2023 - 4:37 PM

Could you please provide a screenshot of one of the rules for the remote site VLANs?

We need a rule that considers each VLAN and directs it to the correct server.

And of course, the secondary repository must be visible from the workstation in question. The server itself doesn't need to see the workstation, but the workstation must be able to perform HTTP/HTTPS GET/POST requests to both the server and the secondary repository.

Regards,

Denis
Denis Cardon - Tranquil IT
Geoffroy

January 2, 2023 - 4:49 PM

Hello,

Please find attached the rules.

Attachment: REPO.png (64.55 KB)
dcardon
WAPT Expert

January 3, 2023 - 10:12

Hello,

On one of the problematic machines, in the software inventory under /wapt_status/repositories/, are the rules correctly applied?

Is HTTPS properly configured on the secondary repositories?

Does short repository name resolution work correctly on the affected machines?

Regards,

Denis
Geoffroy

January 3, 2023 - 11:32

dcardon wrote: January 3, 2023 - 10:12 AM
> Hello,
>
> On one of the problematic machines, in the software inventory under /wapt_status/repositories/, are the rules correctly applied?
>
> Is HTTPS properly configured on the secondary repositories?
>
> Does short repository name resolution work correctly on the machines in question?
>
> Regards,
>
> Denis

The first two points are OK.

I think this stems from the fact that in the security audit, they made us add the blocking of NetBIOS over TCP/IP.

The problem must be with the DNS zone, which isn't taking over, because on a non-domain machine, the rule for this machine works correctly.
dcardon
WAPT Expert

January 3, 2023 - 12:10

Okay, if you can use a fully qualified domain name (FQDN) for the repositories with the corresponding DNS resolution, that should solve the problem.

Regarding your short name resolution issue, disabling NetBIOS is a security step I highly recommend. :-)

I'm marking this topic as resolved.

Regards,

Denis
Locked
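
A workstation-side check of the resolution discussed in this thread, as an added example that is not part of the original posts or of WAPT itself: it compares how a repository name resolves through DNS alone versus through LLMNR/NetBIOS, then tests HTTPS reachability. The repository names are constructed placeholders; replace them with the names used in your own repository rules.

```powershell
# Constructed placeholders (not from the thread): a short name and its FQDN.
$RepoNames = @('repo-site1', 'repo-site1.example.lan')

function Test-RepoName {
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$Port = 443
    )

    # DNS only: the resolution path left once NetBIOS over TCP/IP is disabled.
    # A short name can still succeed here if the DNS suffix search list covers it.
    $dns = Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' }

    # LLMNR/NetBIOS only: a name that answers here but not through DNS was
    # relying on the legacy resolution that the hardening GPOs remove.
    $legacy = Resolve-DnsName -Name $Name -LlmnrNetbiosOnly -ErrorAction SilentlyContinue

    # The workstation must be able to open HTTPS to the repository.
    $tcp = $false
    if ($dns) {
        $tcp = (Test-NetConnection -ComputerName $Name -Port $Port `
                -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    [pscustomobject]@{
        Name         = $Name
        IsFqdn       = $Name.Contains('.')
        DnsAddresses = ($dns.IPAddress -join ', ')
        LegacyOnly   = ([bool]$legacy -and -not $dns)
        HttpsOpen    = $tcp
    }
}

$RepoNames | ForEach-Object { Test-RepoName -Name $_ } | Format-Table -AutoSize
```

A row with `LegacyOnly` set to True identifies a repository name that needs a DNS record, or a rule rewritten to use the FQDN.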