How do I track devices that rarely connect to our corporate network?


To track devices that rarely connect to the corporate network, you will need to implement an internet-facing Certero Endpoint Server.

The internet-facing Endpoint Server can collect inventory data from devices over the internet, rather than only when they are connected to your corporate network. This is useful if you have home or mobile workers who do not connect directly to your corporate network. Once the Certero client agent has been installed on these devices, they will be able to upload their hardware and software inventory over any internet connection.

The following steps should be taken when implementing an internet-facing Endpoint Server. Please get in touch with the Certero Service Desk if you need any assistance with this.

  1. Define the communications port that will be used between the internet-facing Endpoint Server in the DMZ and the internal Certero Application Server. This can be any HTTP or HTTPS port.

  2. Define the communications port that will be used between the end-user devices (e.g., laptops) and the internet-facing Endpoint Server. This can be any HTTP or HTTPS port; HTTPS port 443 is recommended.

  3. Define an internet-facing IP address and DNS name for the internet-facing Endpoint Server.

  4. Create a physical or virtual Windows Server in the DMZ that can be used as the Endpoint Server.

  5. Make firewall changes to allow the appropriate communication between the internet and this server, and between this server and the Certero Application Server.

Application Server Configuration

You will need to allow the Certero Application Server to listen on the appropriate port you have chosen in step 5. This means making changes to Internet Information Services (IIS) if you are using anything other than HTTP port 80. You will need to add a binding and/or certificate in IIS.

  1. Open IIS Manager on the Certero Application Server and browse to the server.

  2. If you are using HTTPS, you will need to add a certificate in IIS. You can use a self-signed certificate, domain certificate, or a certificate provided by a root authority (e.g., Verisign).

  3. Browse to the default website and click on "Edit Bindings." Add a binding for the HTTP or HTTPS port you intend to use for Endpoint Server communication. If using HTTPS, select the certificate you added in step 2. Restart IIS.

  4. Check that you can connect to the following URL internally:
    https://applicationserver:port/certerowebapp
    where applicationserver is the hostname of the Certero Application Server and port is the number of the port configured in the bindings in step 3. Note: change https to http to match the binding you configured. If this returns a login screen, then the ports and bindings have been configured correctly.

Endpoint Server Configuration

In this step, you will install the Endpoint Server and test internet-based communication.

  1. Install the Endpoint Server on the new server.

  2. If you are using anything other than HTTP port 80, you will need to add a binding and/or certificate in IIS. Open IIS Manager on the Endpoint Server and browse to the server.

  3. If you are using HTTPS, you will need to add a certificate in IIS. You will need to use a certificate provided by a root authority (e.g., Verisign). You will also need to make sure the certificate matches your internet-facing DNS name for the Endpoint Server.

  4. Browse to the default website and click on "Edit Bindings." Add a binding for the HTTP or HTTPS port you intend to use for internet-facing communication. If using HTTPS, select the certificate you added in step 3. Restart IIS.

  5. Check that you can connect to the following URL over the internet:
    https://dnsname/certeroendpointserver
    where dnsname is the fully qualified domain name of the internet-facing Endpoint Server. If this returns a login screen, then the ports and bindings have been configured correctly.
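The binding and URL checks in step 4 of the Application Server section and step 5 above can be scripted. The script below is an added example and is not part of the Certero documentation or product; it assumes the IIS WebAdministration module (installed with IIS), a site named "Default Web Site", and the constructed DNS name externaleps.example.com, and it should be run in an elevated PowerShell window on the server being checked.

```powershell
# Added example (not Certero's own code): verify the IIS binding, the bound
# certificate and the URL for the Application Server or the Endpoint Server.
# All parameter defaults below are constructed; replace them with your values.
param(
    [string]$SiteName = 'Default Web Site',
    [int]$Port        = 443,
    [string]$DnsName  = 'externaleps.example.com',   # assumed DNS name
    [string]$TestUrl  = 'https://externaleps.example.com/certeroendpointserver'
)
Import-Module WebAdministration

# 1. Is there an IIS binding on the port chosen for Endpoint Server traffic?
$binding = Get-WebBinding -Name $SiteName |
    Where-Object { $_.bindingInformation -match ":$Port:" }
if (-not $binding) { throw "No binding on port $Port for site '$SiteName'" }
"Binding found: $($binding.protocol) $($binding.bindingInformation)"

# 2. For HTTPS, is a certificate bound, and does its name match the DNS name
#    clients will use? A mismatch breaks client connections on the internet.
if ($binding.protocol -eq 'https') {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object Thumbprint -eq $binding.certificateHash
    if (-not $cert) { throw "Binding has no certificate in LocalMachine\My" }
    $names = @($cert.DnsNameList.Unicode) + $cert.Subject
    if (-not ($names | Where-Object { $_ -like "*$DnsName*" })) {
        Write-Warning "Certificate names ($($names -join ', ')) do not include $DnsName"
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate expires soon: $($cert.NotAfter)"
    }
    "Certificate bound: $($cert.Subject), valid until $($cert.NotAfter)"
}

# 3. Does the URL respond? HTTP 200 with the login page means the bindings work.
try {
    $resp = Invoke-WebRequest -Uri $TestUrl -UseBasicParsing -TimeoutSec 15
    "HTTP $($resp.StatusCode) from $TestUrl"
} catch {
    Write-Warning "Request to $TestUrl failed: $($_.Exception.Message)"
}
```

For the internal Application Server check, pass the internal URL and port; if that server uses a self-signed certificate, the machine running the check must trust it or Invoke-WebRequest will fail validation even though the binding is correct.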

  6. On the Certero Application Server, if you are using anything other than HTTP port 80, you will need to add a binding and/or certificate in IIS. Open IIS Manager and browse to the server.

Endpoint Server - Application Server Communication

In this step, you need to configure the Endpoint Server in the DMZ to communicate with the Application Server.

  1. On the Endpoint Server, there is a PowerShell script called
    ~\Endpoint Server\Configure.ps1
    To use the script, open a PowerShell window as Administrator.

  2. The script also has customized help, which you can see with the ‘Help’ parameter:
    ./Configure.ps1 -Help

  3. To change a parameter, put a hyphen followed by the parameter name, and then the new value. You can set more than one parameter in one execution of the script. This example shows multiple parameters being set at the same time:
    ./Configure.ps1 -TenantID <Your-Tenant-ID> -Hostname externaleps.example.com -Port 443 -SslMode Enabled -TenantsOnly $True

  4. To display the current configuration, execute the script without any parameters:
    ./Configure.ps1

  5. To test the current configuration, use:
    ./Configure.ps1 -TestSettings

Once these steps are completed and -TestSettings confirms the connection to the Application Server, the Certero Client agents will be able to upload an inventory over the internet.