ZEUS on-premise: reverse-SSH tunnel + scanning AD/ADFS and LDAP, vCenter, WinRM
This is the key lesson for anyone deploying ZEUS in an on-premise environment. It ties together everything from the previous lessons: AD/LDAP, vCenter, WinRM and tunneling — showing how the connector safely reaches into the customer's network without opening its firewall.
Access model: reverse-SSH tunnel
Inside the customer's network we deploy a lightweight collector (a container or a machine). It accepts no inbound connections. Instead it initiates an outbound reverse-SSH connection itself to the ZEUS control point:
# The collector exposes a control channel over outbound SSH (port 443 or 22); nothing listens inbound
# COLLECTOR_PORT is the collector's local listener that the relay reaches back to (placeholder, set per deployment)
ssh -N -R 0:localhost:${COLLECTOR_PORT} \
-o ServerAliveInterval=30 -o ExitOnForwardFailure=yes \
zeus-tunnel@relay.zeus.professnet.pl
Tip: the only connection is outbound traffic on 443/22 — identical to ordinary internet traffic. The customer's network team does not have to open any port "inward," which radically simplifies the security sign-off.
All further scanning traffic goes through this encrypted tunnel, within the customer's network, to the local systems.
Scan 1: AD/ADFS and LDAP — full domain, paging
Through the tunnel, ZEUS queries the domain controllers over LDAPS from a dedicated read-only service account. The key point: a paged search (pages of ~1000 objects with a continuation cookie), to read the full domain and not just the first batch:
- users, groups, computers, service accounts,
- membership in privileged groups (Domain Admins, etc.),
- password hygiene (accounts with no expiration, PASSWD_NOTREQD),
- Kerberoasting risk (service accounts with an SPN).
In addition, ZEUS checks the ADFS configuration (identity federation) where it is deployed — relying parties, claim rules, certificates.
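The paged read and the posture checks above, as an added example that is not ZEUS's own code: the directory part uses the ldap3 library's paged-results support over LDAPS (assumed dependency, not executed here), and the classification runs on constructed entries shaped like what ldap3 returns. The privileged-group list, the flag constants and every name below are assumptions for illustration.

```python
# Added example (not ZEUS's own code): paged LDAPS inventory plus the read-only
# posture checks the lesson lists. ldap3 is an assumed dependency; the domain
# names and sample entries are constructed.

# userAccountControl flag bits (MS-ADTS / MS-SAMR).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
DONT_EXPIRE_PASSWORD = 0x10000

# Well-known privileged groups (assumed starting list; extend per tenant).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

ATTRIBUTES = ["sAMAccountName", "userAccountControl", "memberOf", "servicePrincipalName"]


def paged_user_search(server_host, user_dn, password, base_dn, page_size=1000):
    """Yield every user object in the domain using the LDAP paged-results control
    (RFC 2696) over LDAPS, so the inventory is not capped at one batch."""
    import ssl
    from ldap3 import Server, Connection, SUBTREE, Tls  # assumed dependency
    tls = Tls(validate=ssl.CERT_REQUIRED)               # verify the DC's certificate
    server = Server(server_host, port=636, use_ssl=True, tls=tls)
    conn = Connection(server, user=user_dn, password=password, auto_bind=True)
    # generator=True makes ldap3 follow the continuation cookie page by page.
    for entry in conn.extend.standard.paged_search(
        search_base=base_dn,
        search_filter="(&(objectClass=user)(objectCategory=person))",
        search_scope=SUBTREE,
        attributes=ATTRIBUTES,
        paged_size=page_size,
        generator=True,
    ):
        if entry.get("type") == "searchResEntry":
            yield entry["attributes"]
    conn.unbind()


def group_cn(dn):
    """CN of a group DN such as 'CN=Domain Admins,CN=Users,DC=corp,DC=example'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def assess_user(attrs):
    """Derive the per-account findings from one user entry (read-only evidence)."""
    uac = int(attrs.get("userAccountControl") or 0)
    groups = {group_cn(g) for g in attrs.get("memberOf") or []}
    spns = attrs.get("servicePrincipalName") or []
    disabled = bool(uac & ACCOUNTDISABLE)
    return {
        "account": attrs.get("sAMAccountName"),
        "disabled": disabled,
        "privileged_groups": sorted(groups & PRIVILEGED_GROUPS),
        "password_never_expires": bool(uac & DONT_EXPIRE_PASSWORD),
        "password_not_required": bool(uac & PASSWD_NOTREQD),
        # An SPN on an enabled user account is the Kerberoasting exposure the
        # lesson names: its service tickets are protected by that account's password.
        "kerberoast_exposed": bool(spns) and not disabled,
    }


def summarize(entries):
    """Roll per-account findings into the counts shown in the findings queue."""
    findings = [assess_user(e) for e in entries]
    return {
        "users": len(findings),
        "privileged": sum(1 for f in findings if f["privileged_groups"]),
        "password_never_expires": sum(1 for f in findings if f["password_never_expires"]),
        "password_not_required": sum(1 for f in findings if f["password_not_required"]),
        "kerberoast_exposed": sum(1 for f in findings if f["kerberoast_exposed"]),
    }


# Constructed sample entries in the shape ldap3 returns (no directory needed).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": 512,
     "memberOf": [], "servicePrincipalName": []},
    {"sAMAccountName": "svc-sql", "userAccountControl": 512 | DONT_EXPIRE_PASSWORD,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"],
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"]},
    {"sAMAccountName": "legacy", "userAccountControl": 512 | PASSWD_NOTREQD | ACCOUNTDISABLE,
     "memberOf": [], "servicePrincipalName": ["HOST/legacy"]},
]

if __name__ == "__main__":
    # Against a real domain: summarize(paged_user_search(host, dn, pw, base_dn))
    print(summarize(SAMPLE_ENTRIES))
```

The disabled `legacy` account carries an SPN but is not counted as Kerberoast-exposed; only enabled accounts with an SPN can be issued service tickets, which is why the check combines both attributes rather than flagging every SPN.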
Scan 2: vCenter / vSphere
Through the vSphere API (pyVmomi) and a Read-only account, ZEUS inventories the full VM fleet and the ESXi hosts: power state, guest OS, resources, VMware Tools, networks and host hardening (see lesson 02).
Scan 3: WinRM (the Windows fleet)
Through WinRM (HTTPS) and a read-only domain account, ZEUS collects the endpoint posture of Windows hosts — exclusively Get-*: patch level, local administrators, services and their accounts, the firewall state (see lesson 03).
Everything read-only
| Scan target | Protocol | Permissions |
|---|---|---|
| AD/ADFS/LDAP | LDAPS (paged) | read-only service account |
| vCenter/ESXi | vSphere API | Read-only role |
| Windows | WinRM HTTPS | domain account, only Get-* |
| Transport | reverse-SSH (outbound) | dedicated key |
The connector has no permissions to modify anything — it physically cannot change anything in the customer's environment.
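The "only Get-*" rule for the WinRM channel and the read-only guarantee above are easier to trust when the collector enforces them itself before a command reaches the transport. The following is an added example, not ZEUS's own code: an allow-list check that rejects any pipeline whose first cmdlet is not on a read-only list, whose later stages are not read-only, or that contains tokens that could turn a read into a write. The allow-list, the helper cmdlet set and the sample commands are assumptions constructed for illustration.

```python
# Added example (not ZEUS's own code): gate every command before it is handed
# to the WinRM transport, so the collector stays read-only by construction.
import re

# Read-only cmdlets the collector is permitted to run (assumed allow-list).
ALLOWED = {
    "Get-HotFix",             # patch level
    "Get-LocalGroupMember",   # local administrators
    "Get-CimInstance",        # services and their accounts (Win32_Service)
    "Get-Service",
    "Get-NetFirewallProfile", # firewall state
}

# Pipeline stages that only shape output and never touch the host.
READ_ONLY_HELPERS = {"Select-Object", "Where-Object", "Sort-Object", "ConvertTo-Json"}

# One pipeline stage starts with a Verb-Noun cmdlet name.
_CMDLET = re.compile(r"^\s*([A-Za-z]+-[A-Za-z0-9]+)")

# Tokens that would escape the read-only intent even behind a Get-* cmdlet:
# writing verbs, expression evaluation, statement separators, call operator,
# subexpressions and redirection.
_FORBIDDEN = re.compile(
    r"(?i)\b(Invoke-Expression|iex|Start-Process|Set-|Remove-|New-|Stop-|Restart-|"
    r"Add-|Clear-|Enable-|Disable-|Install-|Uninstall-|Out-File|Export-)"
    r"|[;&`]|\$\(|>"
)


def check_command(command):
    """Return (allowed, reason). Only explicitly allow-listed read cmdlets may
    start a pipeline, and later stages may only be Get-* or output helpers."""
    if _FORBIDDEN.search(command):
        return False, "forbidden token"
    stages = command.split("|")
    first = _CMDLET.match(stages[0])
    if not first or first.group(1) not in ALLOWED:
        return False, "first cmdlet not on allow-list"
    for stage in stages[1:]:
        m = _CMDLET.match(stage)
        name = m.group(1) if m else ""
        if not (name.startswith("Get-") or name in READ_ONLY_HELPERS):
            return False, "pipeline stage not read-only: " + stage.strip()
    return True, "ok"


# Constructed sample commands: the posture reads the lesson lists, plus
# the kinds of input the gate must refuse.
SAMPLE_COMMANDS = [
    "Get-HotFix | Select-Object HotFixID,InstalledOn",
    "Get-LocalGroupMember -Group Administrators",
    "Get-CimInstance Win32_Service | Select-Object Name,StartName",
    "Get-NetFirewallProfile | Select-Object Name,Enabled",
    "Get-Service | Stop-Service",            # write verb in a later stage
    "Get-Process | Select-Object Name",      # Get-* but not on the allow-list
    "Invoke-Command -ScriptBlock { whoami }",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(check_command(cmd), cmd)
```

The allow-list is deliberately stricter than the Get-* prefix alone: the prefix is a naming convention, not a permission boundary, so the first cmdlet must be one the collector is known to need, and the separator and redirection tokens are refused outright rather than parsed.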
One view, regardless of location
The data from AD, vCenter and Windows flows into the same model as Azure, AWS and GCP. A machine in the customer's server room and a VM in the cloud land in one inventory, with one findings queue and one set of compliance evidence (NIS2, DORA, ISO 27001).
Track summary
From AD/LDAP, through vCenter, WinRM, networking and tunneling, to hybrid with Arc and the full on-prem connector — you now have the complete picture for understanding how ZEUS safely "sees" a customer's on-premise environment without opening its firewall.