
TL;DR: is it possible to install some kind of local KMS activation proxy, so the clients could only talk to the proxy, and the proxy would forward the activation request to a KMS server which can not be reached by the clients themselves?

At our university, we provide two client pools for our students: a hardware pool with 50 Win7 clients, and a virtual VMware View pool with Win8.1 clients. VMware View does not support MAK activation, so we have to use KMS - we want to use KMS activation in the hardware pool as well. These pools are using an IP address pool that can not access the outside, only ports 80 and 443 through a web proxy.

Due to a cooperation between the universities in our state there is one university which is registered with Microsoft, and all other universities are using their licences. This university has a KMS server which we could use, and they do not want us to set up our own KMS server - they say Microsoft does not like to have too many KMS servers in the same licensed organisation.

So what we want to do: our clients in a private subnet, blocked from the outside world with the exceptions http/https, want to communicate with the KMS server of another institution - since they provide the KMS server for different institutions, I don't think they would accept changing their KMS ports...

What I can do is put a kind of gateway server in the middle - one foot in the internet, one foot in the private client net - and this "proxy" could then take the activation requests from the clients and pass them to the external KMS server.

Is this somehow possible? The only thing I read about proxies in combination with Windows licensing is a proxy activation for MAK keys... But this does not help.

womble
Tobias
  • 1
    Add allow rule for port 1688 to talk to that KMS server ?, else http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1026556 – yagmoth555 Aug 11 '15 at 14:07
  • That was what i asked our network admin - he does not want to do that. he won't allow anything else then 80 and 443 for this subnet. – Tobias Aug 11 '15 at 14:10
  • 7
    Well, tell the network admin it's required, and if necessary, involve the higher ups to make it possible. Your university pays a lot of money for this contract and to use it, you need to access this service. – Sven Aug 11 '15 at 14:18
  • 1
    It seems not only to be an adminsitrative but also a techinal problem: according to the net admin, non of our networking devices is capable of NAT. NOw i read that i could use a Win Server as router and let him NAT the addresses... Can it be that this is the only solution? – Tobias Aug 12 '15 at 08:26
  • @Tobias You mean the network the PC stand-in is isolated and not routed ? Just there it's a design error. – yagmoth555 Aug 12 '15 at 12:26
  • @yagmoth555 You are rigth, this is a crazy design. But we can not change this for the moment - we are trying to get a budget for a new network infrastructure, but as you can see, the current structure is completely out of date, and getting one that is up to date will get extremely expensiv. We have already applied for the funds. Untill we get the new infrastructure, i am now trying to set up a software router, so that at least the VMs can live on... – Tobias Sep 04 '15 at 07:07
  • The problem is the network admin. Fire him is the answer there. No need to nat internally.. he dont want to help – yagmoth555 Sep 04 '15 at 08:09

1 Answer


I finally created my own virtual KMS proxy appliance: a simple Debian box, one NIC in the internal net, one to the outside world. Configured iptables to forward to the external KMS server, enabled NAT.

Now I only have to publish a new route to the external KMS server through this proxy, and activation is working fine.

I am still looking forward to our new network infrastructure...

Tobias