Because users are mobile, the Desktop Central Server should be reachable via a public IP address so that devices in the LAN and WAN can be managed at all times. There are two approaches to configuring the NAT settings, explained below:
For the Desktop Central Server to be reachable via a public IP address, you can configure the NAT settings so that all requests sent to the public IP address are redirected to the Desktop Central Server.
If you use the same DNS name for both public and private IP, then all internal requests within the LAN will be directed through the internal DNS to reach the private IP without getting routed through the public IP.
Devices on the WAN use the DNS name to reach the public IP address, from where they are directed to the private IP address.
It is recommended to use the FQDN instead of the IP address. You can also use self-signed or third-party certificates to ensure data security. Because certificates encrypt the communication sent to and from the server, this ensures that corporate data is secure on the internet. When you use a third-party certificate, the server is recognized by its FQDN. To know more about using third party certificates, refer to this.
This section explains how to manage desktops and devices without exposing the Desktop Central Server directly to the internet. This is achieved by using a forwarding server, which keeps the Desktop Central Server secure from risks, threats and attacks. The Desktop Central Forwarding Server is the component that is exposed to the internet. It acts as an intermediary between the managed desktops and devices and the Desktop Central Server.
The Desktop Central Server communicates with APNs/GCM to wake the mobile device. All communication from the mobile device is routed through the forwarding server. When the device tries to contact the Desktop Central Server, the forwarding server receives all the connections and redirects them to the Desktop Central Server. When an on-demand task is performed, computers within the LAN contact the Desktop Central Server directly using the FQDN. Computers outside the corporate network reach the forwarding server, which in turn routes all requests to the Desktop Central Server.
To configure NAT Settings, follow the steps below:
You have now successfully set up Desktop Central to manage desktops and devices. To configure the forwarding server, follow the document mentioned below: Setting up the Desktop Central Forwarding Server.
Setting up the forwarding server involves the following steps:
Download the Forwarding Server from https://www.manageengine.com/products/desktop-central/DCForwardingServer.exe
Double-click the exe to start the installation process.
Enter the Desktop Central Server Name, HTTP and HTTPS Port numbers and click Next.
DC Server Name : Specify the FQDN/DNS/IP address of the DC server
DC HTTP Port : The port number that the forwarding server uses to contact the DC server (ex:8020)
DC HTTPS Port : The port number that the mobile devices use to contact the DC server (ex:8383 - it is recommended to use the same port 8383(HTTPS) for Desktop Central Server in secured mode).
Desktop Central will automatically detect the ports used for on-demand operations and list them. Ensure that these ports are not blocked by the firewall or anti-virus. The default ports used for on-demand operations are 8027 and 8443.
Third Party Server Certificate has to be renamed as server.crt
Private key has to be renamed as server.key
If you are using an intermediate certificate, modify the file name as intermediate.crt
Copy server.crt, server.key and the intermediate certificate and paste them in the location where the forwarding server has been installed - ManageEngine\MEForwardingServer\nginx\conf\
Navigate to ManageEngine\MEForwardingServer\conf\websetting.conf and add the line: intermediate.certificate=intermediate.crt
You have successfully copied the certificates. Click Install to complete the installation process.
The Forwarding Server will start automatically. You can verify this by running services.msc on the same computer. Verify that ManageEngine Forwarding Server - has started. You have successfully configured the forwarding server.
Verify that the certificates have been copied to the specified location correctly.
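
A verification pass for the certificate and service checks above, as an added example that is not ManageEngine's own tooling: a PowerShell script that checks the certificate files, the websetting.conf entry, the certificate's validity dates and names, and the service state. The parameter names and the service display-name wildcard are assumptions, and the subjectAltName parsing assumes the English-language Windows formatting of that extension.

```powershell
# Added example (not ManageEngine code). Parameter names are assumptions;
# pass the folder that contains nginx\conf and conf\websetting.conf.
param(
    [Parameter(Mandatory = $true)] [string] $ForwardingServerDir,  # ...\ManageEngine\MEForwardingServer
    [Parameter(Mandatory = $true)] [string] $Fqdn                  # name devices use to reach the server
)
$confDir    = Join-Path $ForwardingServerDir 'nginx\conf'
$webSetting = Join-Path $ForwardingServerDir 'conf\websetting.conf'
$certPath   = Join-Path $confDir 'server.crt'
$intPath    = Join-Path $confDir 'intermediate.crt'
$problems   = @()

# 1. The renamed certificate and private key must both be in nginx\conf.
foreach ($p in $certPath, (Join-Path $confDir 'server.key')) {
    if (-not (Test-Path $p -PathType Leaf)) { $problems += "Missing file: $p" }
}

# 2. intermediate.crt and the websetting.conf entry must appear together.
$hasEntry = (Test-Path $webSetting) -and
    (Select-String -Path $webSetting -Quiet -Pattern '^\s*intermediate\.certificate\s*=\s*intermediate\.crt\s*$')
$hasFile = Test-Path $intPath -PathType Leaf
if ($hasFile -and -not $hasEntry) { $problems += "intermediate.crt present but not referenced in $webSetting" }
if ($hasEntry -and -not $hasFile) { $problems += "websetting.conf references intermediate.crt but the file is missing" }

# 3. The server certificate must be in date and issued for the FQDN.
if (Test-Path $certPath -PathType Leaf) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "server.crt is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }
    # Collect subjectAltName values (OID 2.5.29.17); fall back to the subject name.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = @(if ($san) { [regex]::Matches($san.Format($false), '=\s*([^,\s]+)') | ForEach-Object { $_.Groups[1].Value } })
    if (-not $names) { $names = @($cert.GetNameInfo('SimpleName', $false)) }
    # A wildcard entry covers exactly one left-most label.
    $parent = if ($Fqdn.Contains('.')) { '*' + $Fqdn.Substring($Fqdn.IndexOf('.')) } else { $null }
    if (-not ($names | Where-Object { $_ -eq $Fqdn -or $_ -eq $parent })) {
        $problems += "server.crt does not name $Fqdn (found: $($names -join ', '))"
    }
}

# 4. The service should be running (the display-name wildcard is an assumption).
$svc = Get-Service -DisplayName '*Forwarding Server*' -ErrorAction SilentlyContinue
if (-not ($svc | Where-Object { $_.Status -eq 'Running' })) { $problems += 'Forwarding Server service is not running' }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'Forwarding server certificate files and service look correct.'
```

The script does not confirm that server.key is the private key belonging to server.crt, so a mismatched pair still has to be caught when the service starts.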