Hi is it possible to turn the communication meaning rather than the forwarder is polling the deployment server, the deployment server is polling the forwarder if he needs new apps. This is a request from security.
No. The deployment server can not
push to forwarders. The forwarders
pull from the deployment server.
If you need the opposite functionality you would need to look into using some other type of automated deployment management, potentially like Ansible or Puppet.
In the context of the question i think the terms push/pull are confusing and become moot.
I think @wilhelmF is coming at this from the position: If a wouldbe miscreant could compromise the DS, he can onward compromise all the clients without further lateral movement - this is because the clients 'trust' the DS.
On the other hand, by reversing the process, a single compromised client, can extend its reach no further, as no other clients nor deployment server trust it.
Puppet and Ansible still have the same security cascade issue as the DS, except the authentication is reversed - the server has to authenticate to prove it has appropriate permissions.
My comment above was to highlight that its not the direction of the push/pull which should be of concern, but the authentication and defence around those sensitive management assets. - whilst its always a good idea to lock your front door, don't be surprised if someone climbs through an open window.
With this in mind, I know I would rather manage one house, rather than a whole street. 🙂
Don't think it is possible.
How does the deployment server know there is a new forwarder installed?
Having clients phone home to a single server which you can verify with a certificate is a far more secure means of operating than the inverse.
I think you should take the opportunity to explain to security how the DS/DC architecture works, and why their request would be counter productive from an overall security standpoint.
(ie, one remote system with which to confirm identity, versus hundreds or even thousands)