[plug] clients "phone home" to server. VPN maybe?

Adrian Chadd adrian at creative.net.au
Sat May 2 16:11:56 WST 2009


You can also run a very minimal UI on the appliance image - enough
for a client to plug it into a LAN, log in via a web browser and
put their credentials in.

You can then use this to generate the credentials required to
auth off of your server and suck down the customisations applicable
for that client.

That is sort of what I'm doing with my "appliance" that I've been
tinkering with for various projects. But then, I'm building it on
top of FreeBSD and not Linux - you thus may not be at all
interested. ;)

Don't try TCP over TCP and expect it to perform well. All I have
to say is "eww". Outbound-only encrypted connections (say, via SSH)
with client-supplied credentials are going to work alright.

Otherwise you will have to run your own PKI, sign individual keys
for clients, ship them a USB flash device with their specific PKI
keys and ask them to plug that in when they install their appliance.

That might even be a good idea in your environment. :)

If you want to scale past a few dozen appliances, don't have them
poll every 30 minutes for updates. And if they do, make sure you
make them sleep a random point before they poll. You don't want
to have to handle a few hundred boxes all polling the same server
every 30 minutes on the dot - you've got 29.95 other minutes
to poll during; so spread the load across them a bit. :)

2c,


Adrian

(Hm, I should do a PLUG talk about this stuff... but again, it's all
FreeBSD based..)

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
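
The poll-spreading advice above as an added example, not code from the original post: each appliance derives a stable offset inside the 30-minute window from a hash of its ID, adds a little random fuzz, and a small simulation compares the per-second peak against polling on the dot. The ID format, the 30-second fuzz and all function names are assumptions made for illustration.

```python
import hashlib
import random
from collections import Counter

POLL_INTERVAL = 30 * 60  # seconds; the 30-minute poll period from the post


def stable_offset(device_id, interval=POLL_INTERVAL):
    """Per-appliance offset in [0, interval), derived from a hash of its ID.
    Stable across reboots, so each box keeps its own slot in the window."""
    digest = hashlib.sha256(device_id.encode()).digest()
    return int.from_bytes(digest[:8], "big") % interval


def next_poll(now, device_id, interval=POLL_INTERVAL, fuzz=30, rng=None):
    """Next poll time after `now`: the appliance's slot in the current window
    plus random fuzz, so boxes that share a slot still do not align."""
    rng = rng or random.Random()
    window_start = (int(now) // interval) * interval
    t = window_start + stable_offset(device_id, interval) + rng.uniform(0, fuzz)
    while t <= now:  # slot already passed in this window: use the next one
        t += interval
    return t


def peak_per_second(times):
    """Largest number of polls landing in any one-second bucket."""
    return max(Counter(int(t) for t in times).values())


def simulate(n_devices=300, seed=1):
    """Return (peak with on-the-dot polling, peak with spread polling)."""
    rng = random.Random(seed)
    ids = [f"appliance-{i:04d}" for i in range(n_devices)]  # constructed IDs
    on_the_dot = [float(POLL_INTERVAL)] * n_devices  # everyone at the boundary
    spread = [next_poll(0, d, rng=rng) for d in ids]
    return peak_per_second(on_the_dot), peak_per_second(spread)


if __name__ == "__main__":
    naive, jittered = simulate()
    print(f"peak polls/second: on the dot={naive}, spread={jittered}")
```

The hash-derived slot keeps the load even across poll cycles, while the random fuzz covers the case where two IDs hash to the same second.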


