You can use a DMZ for a variety of reasons: to add a layer of protection and safety internally or, more commonly, because you have public-facing servers. Remote users have increasingly direct internet access, and using a DMZ for public-facing servers can offer advantages over a VPN.
The Symantec Management Platform and Task Server have very limited support for a DMZ environment. Only the Notification Server (NS) has the ability to use an Alias by using a setting called "PreferredNSHost" (for more information, see HOWTO10091). Setting the PreferredNSHost registry key will over ride the default computer name returned to Task Clients, but only if they are connecting to the NS for task.
Unfortunately, since Symantec recommends less than 500 systems connecting to the NS, changing the registry key is not a viable solution for most Task Server users. You will need Site Servers. Task Server currently has no support for using an Alias name on Site Servers. Task Server uses inventory data to return the computer name to the clients from the Site Server itself, and that is all they end up getting. There are existing requests to modify this behavior, but at this time there is no target date for when an alias feature might be added to Task Server.
Frequently Asked Questions
Can we change the supported process?
Some Task Server users have requested a means of modifying how the NS works so they can use an Alias. However, Symantec does not recommend or support this scenario. Symantec recommends that you do not use Task Servers (other than the NS) in a DMZ. It should be noted that the process of pulling the site server name is embedded in C# code, so there is no good way to modify this process. Package Servers might be able to be modified by changing Stored Procedures, but that will not be documented in this article.
What if we have to use a DMZ?
Some Task Server users have indicated that their Site Servers must be in a DMZ. However, Symantec does not recommend or support this scenario. This will also cause problems for clients. First, all of the clients will fail to reach their site servers. This causes them to fail over to the NS for their task server, thus overloading the NS. Second, if task communication is blocked on the NS, the clients may actually bring the NS down with a denial-of-service type behavior. Task agents, failing to connect to any server at all, can become verbose in attempts. In the event that using Site Server in a DMZ is an absolute necessity, you will be in an unsupported state and should contact your sales representative to clarify product functionality.