On-Prem Scanning — tunnel, AD/LDAP, vCenter
When ZEUS runs in the cloud and the customer has an on-premise environment (e.g. an AD domain, a Windows fleet, vCenter) behind a firewall with no inbound ports — we connect them with a reverse-SSH tunnel. The On-Prem Scanning studio exposes this data to the operator.
Topology
```
ZEUS (cloud) → 127.0.0.1:9100 → (reverse SSH) → lsn-vm:9100
                                                    │
                                                    └─→ lsn_probe_agent.py
                                                          · Get-LsnForest.ps1 (AD/LDAP)
                                                          · Get-LsnInventory.ps1 (network)
                                                          · Get-LsnPerf.ps1 (WinRM)
                                                          · pyVmomi (vCenter), SMB, SQL
```
- Direction: pull. The frontend calls `/api/v1/lsn-onprem/<probe>`, the backend hits `localhost:9100`, and the tunnel forwards the request to the agent on the customer's machine.
- No inbound at the customer — the only requirement is outbound SSH from lsn-vm to ZEUS.
- The agent listens only on `127.0.0.1` — the tunnel is the only way in.
Probes
| Probe | Source | What it returns |
|---|---|---|
| `/forest` | Get-LsnForest.ps1 | AD forest: domains, DCs, sites, trusts, privileged groups |
| `/forest?full` | paged LDAP | the whole domain: all users/groups/computers/OUs/SPNs/GPOs/trusts |
| `/ad-users`, `/gpos` | LDAP | users and GPO objects |
| `/inventory` | network sweep | ARP + ICMP + banner-grab |
| `/winrm-perf`, `/winrm-events` | WinRM | perf + Windows Event Log |
| `/vcenter` | pyVmomi | VMs, hosts, datastores |
| `/file-shares`, `/sql-instances` | SMB / SQL Browser | shares and SQL instances |
Full domain scrape (paged LDAP)
AD caps a single response at MaxPageSize (1000 by default), so an ordinary query silently truncates a large domain. `Get-LsnForest.ps1 -Full` uses `PageResultRequestControl` to walk the entire domain page by page:

```powershell
$page = [System.DirectoryServices.Protocols.PageResultRequestControl]::new(1000)
# ...loop over pages until Cookie.Length == 0 → the complete set of objects
```
This fulfills the "scrape the entire AD and LDAP" requirement. ADFS is covered by a separate probe (federation metadata XML + the ADFS WinRM module).
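The page-walk loop that the snippet above elides, written out as an added example (this is not Get-LsnForest.ps1 or any other project code): it binds with LDAP signing and sealing, attaches the paged control to every search, and follows the server's cookie until it comes back empty. `Get-LdapObjectsPaged`, `$Server` and `$BaseDn` are assumed names and placeholder values.

```powershell
# Added example, not the project's Get-LsnForest.ps1: walk one naming context with
# PageResultRequestControl so objects past MaxPageSize (1000) are not silently dropped.
# $Server and $BaseDn are placeholders; the bind uses the caller's current credentials.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-LdapObjectsPaged {
    param(
        [Parameter(Mandatory)] [string] $Server,      # e.g. dc01.corp.example (placeholder)
        [Parameter(Mandatory)] [string] $BaseDn,      # e.g. DC=corp,DC=example (placeholder)
        [string]   $Filter     = '(objectClass=*)',
        [string[]] $Attributes = @('distinguishedName', 'objectClass'),
        [int]      $PageSize   = 1000
    )
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
    try {
        $conn.SessionOptions.ProtocolVersion = 3
        $conn.SessionOptions.Signing = $true   # require LDAP signing...
        $conn.SessionOptions.Sealing = $true   # ...and sealing (SASL encryption) for the session
        $conn.Bind()                           # Negotiate/Kerberos with the current identity

        $scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
        $page  = [System.DirectoryServices.Protocols.PageResultRequestControl]::new($PageSize)
        $total = 0
        do {
            $req = [System.DirectoryServices.Protocols.SearchRequest]::new($BaseDn, $Filter, $scope, $Attributes)
            [void] $req.Controls.Add($page)
            $resp = [System.DirectoryServices.Protocols.SearchResponse] $conn.SendRequest($req)
            foreach ($entry in $resp.Entries) {
                $total++
                $entry                         # stream each object to the pipeline as it arrives
            }
            # The DC answers with a cookie for the next page; an empty cookie marks the last page.
            $prc = $resp.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
            if ($null -eq $prc) {
                throw "DC $Server ignored the paged-results control; the result would be truncated at MaxPageSize"
            }
            $page.Cookie = $prc.Cookie
        } while ($page.Cookie.Length -gt 0)

        Write-Verbose "Walked $total objects under $BaseDn"
    }
    finally {
        $conn.Dispose()
    }
}

# Usage (placeholder values): every user object in the domain, however large
# Get-LdapObjectsPaged -Server 'dc01.corp.example' -BaseDn 'DC=corp,DC=example' -Filter '(objectClass=user)' -Verbose
```

The throw on a missing response control matters: a DC that does not return `PageResultResponseControl` has handed back only the first page, which is exactly the silent truncation the `-Full` mode exists to avoid.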
Cache layer + scheduler
The lsn_onprem_warmup_tick worker (ARQ) pre-warms the probe cache every ~4 min, so the
studio renders in < 100 ms. It runs fail-open — a tunnel error does not break auth.
Configuration (brief)
```
LSN_ONPREM_ENABLED=1
LSN_ONPREM_HOST=127.0.0.1
LSN_ONPREM_PORT=9100
LSN_ONPREM_TOKEN=<token>
```
Operator runbook: scripts/lsn-probe/REVERSE_TUNNEL.md.
Security: the `lsn-tunnel` user on the ZEUS side has `ForceCommand /bin/false` and `permitlisten="9100"` — even a key leak does not grant a shell, only a single pre-authorized reverse-forward. All probes are read-only.
This is an advanced topic, but key for hybrid deployments — it lets you show the customer the entire AD forest and Windows fleet without opening a single inbound port.