The OSCE Edge Relay Server provides administrators visibility and increased protection for endpoints that users take outside of the company's intranet.
Administrators are concerned that the edge relay server, which resides in the DMZ, is vulnerable to being exploited by attackers trying to gain access to the network.
This article tackles the following questions:
- How is communication secured between the edge relay server and the external OSCE agents?
- Does the OfficeScan agent look for the edge relay server's IP address, or can we force the agent to look for the firewall's IP address, which will port-forward to the edge relay server?
OSCE uses several methods to secure network traffic between the Edge Relay Server and the external agents:
- The Edge server never initiates any connections. This allows customers to limit access to it.
- The Edge server uses several digital certificates to authenticate the agents and secure the data channels between the OSCE agents and the server.
- The external agents communicate with the Edge server using HTTPS.
- During the installation of the edge relay software, you specify the public IP address and FQDN that you want the OSCE agent to connect to.
- An OSCE agent will feed back data to the Edge server only if it meets all of the following conditions:
  - Its location is "out of office"
  - It has the Edge Relay certificate
  - It has the Edge Relay information in its registry
Between the special certificate needed to connect to it and the customer's ability to explicitly limit its outbound connections, it is difficult to use the edge server as an entry point for network infiltration.
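The two properties above (the Edge server accepts HTTPS from external agents and never initiates connections of its own) can be enforced and monitored on the DMZ host itself. The following nftables ruleset is an added example, not Trend Micro's own configuration: it assumes the relay listens for agent traffic on TCP 443, that the management connection from the intranet OSCE server arrives inbound on a port and from a subnet you substitute for the placeholder values, and that the host has no other role. Because the relay is not supposed to open outbound connections, any new outbound connection is logged and dropped, which gives the SOC a simple, high-signal indicator that the host is behaving unexpectedly.

```nftables
# nftables policy for an Edge Relay Server in the DMZ (added example; not Trend Micro's own).
# Placeholders to replace with your values:
define mgmt_net  = 10.0.0.0/8     # assumed intranet subnet that hosts the OSCE server
define mgmt_port = 8443           # assumed port the OSCE server uses to reach the relay

table inet edge_relay {
    chain input {
        type filter hook input priority 0; policy drop;

        # Packets belonging to sessions the relay already accepted
        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # The one service exposed to external (out-of-office) agents: HTTPS (assumed TCP 443)
        tcp dport 443 ct state new accept

        # Management from the intranet OSCE server only, never from the Internet side
        ip saddr $mgmt_net tcp dport $mgmt_port ct state new accept

        # Anything else reaching the relay is logged (rate limited) and falls to the drop policy
        limit rate 5/minute log prefix "edge-relay-inbound-drop "
    }

    chain output {
        type filter hook output priority 0; policy drop;

        # Replies inside sessions that were accepted above
        ct state established,related accept
        oif lo accept

        # The relay never initiates connections, so there is no "ct state new accept" here.
        # A new outbound connection is unexpected and worth alerting on.
        ct state new limit rate 5/minute log prefix "edge-relay-unexpected-outbound " drop
    }

    chain forward {
        # The relay is an endpoint, not a router
        type filter hook forward priority 0; policy drop;
    }
}
```

Load it with `nft -f` and watch the kernel log for the two prefixes: `edge-relay-inbound-drop` shows scanning or misdirected traffic against the DMZ host, while `edge-relay-unexpected-outbound` should stay empty on a healthy relay and is the line to forward to the SIEM. If the relay in your deployment also needs DNS, NTP or update traffic, add explicit `ct state new accept` rules for those destinations rather than relaxing the output policy.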