What I would like to know is if my (Fleet) server should be on the same network, or exactly how I can centrally manage the fleet 🤔
06/13/2022, 3:50 AM
Lots of Qs probably better asked in #fleet, but your clients need to talk to the Fleet server. If you are talking about stateful firewalls, etc., the client initiates all connections, so you don't need an allowed path from the Fleet server to the orbit/osquery endpoint.
It really depends on what you want to manage and monitor, and whether you want it public on the internet or private and routable by clients. Everything is TLS btw.
J Armando G
06/15/2022, 12:33 AM
Thanks Jason, that makes sense! I'll look closer at the docs, maybe I'm missing out on something (like, the client establishes the connection w/ the server, but what port and protocol should I keep in mind to allow connections and all that).
06/15/2022, 2:10 AM
Ah. That's easy: everything is over HTTPS / 443. I can tell you that what we do is expose Fleet to the internet behind a WAF and then restrict the admin URL paths to trusted origins. This means that clients can always check in and don't need to be on-prem, on VPN, etc.