Deployment Architecture

Deployment Server Communication

Path Finder

Hi is it possible to turn the communication meaning rather than the forwarder is polling the deployment server, the deployment server is polling the forwarder if he needs new apps. This is a request from security.

0 Karma


No. The deployment server can not push to forwarders. The forwarders pull from the deployment server.

If you need the opposite functionality you would need to look into using some other type of automated deployment management, potentially like Ansible or Puppet.

Ultra Champion

In the context of the question i think the terms push/pull are confusing and become moot.

I think @wilhelmF is coming at this from the position: If a wouldbe miscreant could compromise the DS, he can onward compromise all the clients without further lateral movement - this is because the clients 'trust' the DS.
On the other hand, by reversing the process, a single compromised client, can extend its reach no further, as no other clients nor deployment server trust it.

Puppet and Ansible still have the same security cascade issue as the DS, except the authentication is reversed - the server has to authenticate to prove it has appropriate permissions.

My comment above was to highlight that its not the direction of the push/pull which should be of concern, but the authentication and defence around those sensitive management assets. - whilst its always a good idea to lock your front door, don't be surprised if someone climbs through an open window.
With this in mind, I know I would rather manage one house, rather than a whole street. 🙂

If my comment helps, please give it a thumbs up!


Don't think it is possible.

How does the deployment server know there is a new forwarder installed?

0 Karma

Ultra Champion

Having clients phone home to a single server which you can verify with a certificate is a far more secure means of operating than the inverse.

I think you should take the opportunity to explain to security how the DS/DC architecture works, and why their request would be counter productive from an overall security standpoint.
(ie, one remote system with which to confirm identity, versus hundreds or even thousands)

If my comment helps, please give it a thumbs up!
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...