DNS Views and Medulla Relay in the DMZ

In a Medulla architecture, arelay can be placed in the DMZ to allow external workstations to access the platform without directly exposing the internal Medulla server if you do not have a VPN.

Since the Medulla agent configuration is unique across the entire network, it supports only a single domain name. To allow machines to reach the server from both the private network and the outside via this single address, you must use a single domain name combined with Split-Horizon DNS or a Round-Robin configuration.

DNS Views

Principle

A DNS view allows different responses to be returned for the same name depending on the origin of the request.

Internal workstations → internal Medulla server
External workstations → Medulla relay in the DMZ

Benefits

Only one DNS name to configure
No difference in configuration on the workstations side
The internal Medulla server is not exposed
Clear and secure architecture

Key takeaways

DNS views automatically route workstations to the correct Medulla access point, while maintaining a unique name and simple configuration.

Reference article on Bind9: https://kb.isc.org/docs/aa-00851

Round-Robin

Additionally, if you do not wish to configure DNS Views, you can opt for an alternative solution by setting up a Round-Robin mechanism. This mechanism distributes requests among multiple IP addresses associated with the same domain name, thereby ensuring a balanced distribution of connections.

To do this, you need to follow two steps:

Define the internal IP address of the primary Medulla server.
Define the public IP address of the DMZ relay server.

Network Prerequisites for Medulla SaaS

FLUX Test

Firewall

Active Directory

I already have a PXE server on my network—is that a problem?

Simplified Medulla Flowchart

OIDC

DNS Views and Medulla Relay in the DMZ

Filter machine types by GLPI ID

GLPI Access for Medulla

Disable convergence for the Extract drivers package

Configuration Guide: OIDC Authentication and User Synchronization

Activation Support / WSUS / CVE / Shop

Rename the FQDN and Switch to HTTPS on Medulla

Changing the SSH Port Between Server and Workstation

GLPI - Connecting an External GLPI

SUPPORT - Access

Installing Medulla on an OVH Virtual Private Server (VPS)

Client Workstations (Status & Visibility)

Packages

Remote Maintenance & Getting Started

Set the agent to Debug mode

Windows Agent Issue

Introduction

The ACLs

The ACLs (continued)

Console & Administration

Increase the Web session timeout (MMC / XMLRPC)

Retrieve the root password for the Medulla interface

Deployment (broadcasting)

Packages

Updates (Windows Updates)

Imaging menus

Client Workstations (Status & Visibility)

GPO

Reconfigure My Agent

Generate Windows and Linux agents

Linux MINT Distribution Agents

Uninstalling a Medulla Agent (Versions earlier than 5.5.2)

Uninstalling a Medulla Agent (Version 5.5.2 and later)

How do I force a reconfiguration of Medulla agents?

Duplicate MAC Addresses

Check the connection from the agent to the server

WithSecure alerts regarding PAExec used by Medulla

Architecture and Deployment of Medulla Relay Servers

Procedure for Adding Relays to Dedicated Medulla SaaS

Medulla Update - 5.4.x to 5.5.x

Services

Imaging Prerequisites

Imaging - Davos Debug

Imaging - Debug

Where are Medulla imaging masters stored?

About the Masters

An unknown machine does not appear in Medulla or GLPI after Register PXE

Copying Imaging Profiles

How the WSUS Tool Works

Module Update (WSUS) is unavailable after enabling AES protection for update catalogs

DNS Views and Medulla Relay in the DMZ

DNS Views

Principle

Benefits

Key takeaways

Round-Robin