On Fri, Feb 11, 2011 at 00:40, Thorsten Biel <thorsten.b...@porsche.de> wrote:
> On Feb 11, 2011, at 07:25, John Warburton wrote:
>
>> Does anyone have any experiences with puppet in the DMZ they can share? […]
>> How do people get around the "common" rule that DMZ servers should not
>> initiate network connections back to the internal network? Should we have a
>> puppet server in the DMZ?
>
> Another approach is to use SSH tunnels. Use autossh to initiate SSH
> connections from your puppetmaster to each client.
>
> The SSH tunnels open port 8140 on localhost on the client, allowing puppet on the
> client to tunnel back to the master.
>
> Not the most efficient approach, but easier to implement than a slave master.
> I have about 50 DMZ clients running this way.
I am rather surprised: wouldn't your network security folks and auditors go absolutely ape when they discovered that you had punched a hole through their firewall to allow connections from the DMZ to a secure network without going through the appropriate security analysis process?

Anyway, I guess my point is that while this would probably work I can't really see why it would bring any benefit compared to just punching the hole through the firewall directly: Puppet uses SSL secured communication, and validates the identity at both ends, so you have no more or less exposure than with this mechanism, so far as I can see?

Regards,
Daniel
--
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman <dan...@puppetlabs.com>
✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
♲ Made with 100 percent post-consumer electrons

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
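As an added example (not from Thorsten's or Daniel's messages, and not Puppet Labs code), the reverse tunnel Thorsten describes written out: the autossh invocation the puppetmaster would run for each DMZ client (a remote forward so that 127.0.0.1:8140 on the client reaches the master's 8140), together with the two pieces a defender would insist on before calling it anything other than a raw hole through the firewall: an `authorized_keys` restriction so the tunnel key can open that one listener and nothing else, and the /etc/hosts mapping the agent needs because puppet still verifies the master's certificate name over the tunnel. The hostnames, the `puppettunnel` account, the key path and the `permitlisten` option (OpenSSH 7.8 or later) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: master-initiated SSH reverse tunnel into a
# DMZ client so the client's puppet agent can reach "localhost:8140".
# Assumed values: the puppettunnel account, key path and hostnames below.

MASTER_PORT=8140                    # puppetmaster listener on the internal side
CLIENT_PORT=8140                    # port the agent will see on 127.0.0.1 in the DMZ
TUNNEL_KEY=/etc/puppet/tunnel_key   # assumed: dedicated key used only for this tunnel

# Command the master runs per DMZ client. autossh restarts ssh when it dies;
# -M 0 relies on ServerAlive probes instead of autossh's own monitor port,
# -N opens no shell, and ExitOnForwardFailure makes a failed -R fatal so
# autossh retries instead of sitting on a tunnel that never came up.
tunnel_cmd() {
    client="$1"
    printf 'autossh -M 0 -N -q -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -i %s -R 127.0.0.1:%s:127.0.0.1:%s puppettunnel@%s\n' \
        "$TUNNEL_KEY" "$CLIENT_PORT" "$MASTER_PORT" "$client"
}

# authorized_keys line for the puppettunnel account on the DMZ client.
# "restrict" disables pty, agent/X11 forwarding and user-rc; port-forwarding is
# re-enabled only for the one loopback listener named by permitlisten
# (OpenSSH 7.8+), so the key cannot be used for a shell or any other forward.
authorized_keys_line() {
    pubkey="$1"
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' "$CLIENT_PORT" "$pubkey"
}

# The agent verifies the master's SSL certificate against the name it connects
# to, so the master's certificate name (assumed: puppet.internal.example) is
# pointed at the tunnel's loopback end on the DMZ client rather than using
# "server = localhost" in puppet.conf.
agent_hosts_line() {
    master_cert_name="$1"
    printf '127.0.0.1 %s\n' "$master_cert_name"
}
```

Running `tunnel_cmd dmz1.example` on the master prints the line to put under a supervisor (or in autossh's own rc script); `authorized_keys_line "$(cat tunnel_key.pub)"` goes into the DMZ client's `~puppettunnel/.ssh/authorized_keys`; and `agent_hosts_line puppet.internal.example` is appended to the client's /etc/hosts. With the key restricted this way the only thing the DMZ host can do with the connection is accept agent traffic on its own loopback, which is the property an auditor would want documented when the tunnel is reviewed.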