RESOLUTION:
The recommended, and most secure, configuration is to stand up a Primary Policy server exclusively for the DMZ in question. That ensures all traffic for joins and policy evaluations resides inside the DMZ, removing any need for firewall ports to be opened.
This would have a secondary benefit of allowing for a unique Sudoers policy in the DMZ as well.
This would be true for Privilege Manager for Unix as well. The policy configuration would require more effort, however, as it can be more complex.