Best Practices Whitepaper

Internal HPDM Repository for

External Clients

Table of contents
Introduction ..............................................................................................................................................................................2
Overview....................................................................................................................................................................................3
Prework .....................................................................................................................................................................................4
Configuring HPDM Repository Server ....................................................................................................................................6
Infrastructure Firewall Rules ..................................................................................................................................................9

This guide was developed around HP Device Manager V5.0.3 but the concepts and configuration can be applied to previous
versions back to HP Device Manager back to V4.7 SP10.
Introduction
To configure a HP Device Manager Repository to service Thin Clients that are separated by a NAT firewall takes some behind
the scenes magic.

The HPDM Server and the HPDM Repository are separate pieces of HPDM infrastructure. In the scenario where all components
are installed together, the MRC and Console refers to the same hosts file. The MRC and Console need to “see” the HPDM
Repository using the same name as external clients use to access the HPDM Repository. While the HPDM Server will resolve
the name to a different IP address than the external thin clients, as there is a common name, everything works.

Note: HPDM Agent to HPDM Gateway traffic is handled differently than HPDM Agent to HPDM Repository traffic. While HPDM
Agent locks onto the IP address of the HPDM Gateway, the HPDM Repository address is supplied at the start of every task.

External (outside NAT firewall) clients can connect to the HPDM Gateway component via an external IP address without extra
HPDM configuration required. The only environment configuration required is an external to internal address mapping on the
NAT firewall.

For more information on HPDM go to www.hp.com/go/hpdm

To access the HP Device Manager Admin Guide for V5.0, please go to:
https://ftp.hp.com/pub/hpdm/Documentation/AdminGuide/5.0/HP_Device_Manager_5.0.3_Administrator_Guide_en_US.pdf

2
 Overview
For this document, the HPDM Server Service, HPDM Gateway Service and HPDM Master Repository Service are all installed on
a single Windows® Server. While the concepts are transferable, multi-server configurations are beyond the scope of this
document.
Figure 1 below represents the end state of a HPDM environment configured to support external or Internet Connected thin
clients.

Figure 1. HPDM Traffic Diagram

40001 IP Address

HPDM
G/way 40003 IP Address

Home or SMB Firewall

Corporate Router /

Thin Client
NAT Firewall

HPDM with
Server HPDM Agent

HPDM
Repos
HTTPS via Name (Default Port 443)

Sign up for updates

hp.com/go/getupdated

3
 Prework
One commonly used option is to change the HPDM Repository HTTPS access port from the default of 443 to 8443. This frees
up port 443 to be used by the HPDM Console Web Bridge which makes access to the HPDM Web Console via a web browser
simpler.
Note: The port 8443 has been chosen for this example but a different port could be chosen to suit the customer
requirements.
Figure 2. HPDM HTTPS Repository

Following on from the HPDM Repository HTPPS port configuration, change the HPDM Console Web Bridge to port 443 as per
Figure 3 below.

Figure 3. HPDM Console Web Bridge Configuration

Sign up for updates

hp.com/go/getupdated

4
 Once HPDM Web Console has been changed to use port 443, it is possible to logon to HPDM Web Console using as browser
without specifying a port as per Figure 4 below.

Figure 4. HPDM Web Console Logon Page

Sign up for updates

hp.com/go/getupdated

5
 Configuring HPDM Repository Server
1. Test the Internet resolvable FQDN name of your HPDM Repository Server. If the FQDN cannot be resolved, you cannot use
it. Figure 5 below shows “hpdm2.australiasoutheast.cloudapp.azure.com” as an internet resolvable FQDN of the HPDM
Repository Server. In this example, it is also the HPDM Server.
Figure 5. Checking External HPDM Repository Name to IP Address

2. Update the Hosts file (c:\Windows\Sysem32\Drivers\etc\hosts) on the MRC and console. Map the Internal IP address of
the HPDM Repository Server to the External Name used by the thin clients.

Figure 6. Update Hosts File Sample

Sign up for updates

hp.com/go/getupdated

6
 3. Using the HPDM Console, update the HPDM Master Repository configuration to replace the IP address of the internal
HPDM Repository Server with the Internet resolvable name of the HPDM Repository Server. The name must be the Fully
Qualified Domain Name, not just the hostname.

Figure 7. Repository Configuration Server Address

4. The only HPDM Repository Server file transport protocol required to service external thin clients is HTTPS. HTTPS will not
currently support image capture or deploy to Windows based thin clients, but this is not really something you want to do
over the internet anyway. SMB also has problems with mismatching names.
Refer to this article for assistance: https://support.microsoft.com/en-us/help/3181029/smb-file-server-share-access-is-
unsuccessful-through-dns-cname-alias
Figure 8. Repository for External Clients

Sign up for updates

hp.com/go/getupdated

7
 5. Ensure the HTTPS Protocol Settings are configured for the previously chosen port number (Figure 2). Also check the
HPDM Repository Server URL is the Internet resolvable FQDN of HPDM Repository Server (Figure 5).

Figure 9. Repository Configuration HTTPS Port

6. Ensure the test of the HPDM Repository is successful. If the test is unsuccessful, go back and check all steps above. Also
check server firewall is configured to allow the HTTPS port.
Note: At this point all HTTPS communication is local to server hosting HPDM Server and HPDM Repository Server

Figure 10. Repository Configuration Test

Sign up for updates

hp.com/go/getupdated

8
 Infrastructure Firewall Rules
To support the HPDM configuration described in this document, there are a few firewall and NAT rules required to allow traffic
to pass between internal server infrastructure and external placed thin clients.

1. Port 40001 - Outbound - HPDM Gateway Server to the internet

2. Port 40003 – Inbound Firewall and NAT – Internet based thin clients to the HPDM Gateway Server
3. Port 8443 – Inbound Firewall and NAT – Internet based thin clients to the HPDM Repository Server. (NOTE: The port 8443
has been chosen for this example but a different port could be chosen to suit the customer requirements).

For a more detailed discussion of HPDM port requirements see the HP Device Manager Admin Guide.
https://ftp.hp.com/pub/hpdm/Documentation/AdminGuide/5.0/HP_Device_Manager_5.0.3_Administrator_Guide_en_US.pdf

Sign up for updates

hp.com/go/getupdated

© Copyright 2020 Hewlett-Packard Development Company, L.P.

Microsoft and Windows are trademarks of the Microsoft group of companies.

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial
Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's
standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty
statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for
technical or editorial errors or omissions contained herein.

First Edition: September 2020