Secure Gateway Server

How do I secure agent-server communication using Secure Gateway Server?

Description

This document explains the steps involved in securing the communication of agents/distribution servers (DS) with the server using the Secure Gateway component. Secure Gateway can be used when the DS/agent contacts the server over the internet. It prevents the Desktop Central MSP server from being exposed directly to the internet by serving as an intermediate server between the Desktop Central MSP server and customer agents. This keeps the Desktop Central MSP server protected from the risks and threats of attack.

How does Secure Gateway work?

Desktop Central MSP Secure Gateway is a component that is exposed to the internet. It acts as an intermediate server between the managed customer agents and the Desktop Central MSP server. All communication to the server is routed through the Secure Gateway. When an agent tries to contact the Desktop Central MSP server, the Secure Gateway receives all the communications and redirects them to the Desktop Central MSP server.

Note: Map your Secure Gateway's public IP address and the Desktop Central MSP server's private IP address to a common FQDN in your respective DNS. For example, if your FQDN is "product.server.com", map this to both your Secure Gateway and Desktop Central MSP server IP addresses. With this mapping, the WAN agents/DS will access the Desktop Central MSP server via the Secure Gateway (over the internet).

Hardware requirements for secure gateway server

The hardware requirements for the secure gateway server are as follows:

Processor: Intel Core i5 (4 core/8 thread), 2.3 GHz, 6 MB cache
RAM size: 4 GB

Steps

To introduce Secure Gateway based communication to Desktop Central MSP, follow the steps given below:

  • Modify Desktop Central MSP Settings
  • Install and configure Secure Gateway
  • Copy the certificates
  • Infrastructure recommendations

Modify Desktop Central MSP Settings

  1. Enter the Secure Gateway IP address instead of the Desktop Central MSP server IP address under Desktop Central server details while adding a remote office. This ensures that the WAN agents and DS communicate with the Secure Gateway.
  2. Enable secured communication (HTTPS) under DS/WAN agent to Desktop Central server communication.
  3. Configure NAT settings using the Secure Gateway's public FQDN/IP address.

Install and configure Secure Gateway

  1. Download and install Secure Gateway on a machine in the demilitarized zone (DMZ).
  2. Enter the following details in the Setting up the Secure Gateway window, which opens after the installation process.
    • DC-MSP Server Name: Specify the FQDN/DNS/IP address of the DC server.
    • DC-MSP Https Port: Specify the port number that the mobile devices use to contact the DC server (e.g., 8041; it is recommended to use the same port, 8041 (HTTPS), for the Desktop Central server in secured mode).
    • DC-MSP Notification Server port: 8057 (to perform on-demand operations); this will be pre-filled automatically.
    • Web Socket Port: 8047 (HTTPS); this will be pre-filled automatically.

Infrastructure recommendations

Ensure that you follow the steps given below:

  1. Ensure that you've configured the correct NAT settings under Admin >> Server Settings >> NAT Settings.
  2. Ensure that the following ports are open on the firewall so that the WAN agents can communicate with the Desktop Central MSP Secure Gateway.
| Port | Type  | Purpose | Connection |
|------|-------|---------|------------|
| 8041 | HTTPS | For communication between the WAN agent/Distribution Server and the Desktop Central MSP server using Desktop Central MSP Secure Gateway | Inbound to Server |
| 8057 | TCP   | To perform on-demand operations and to check the live status of agent | Inbound to Server |
| 8047 | HTTPS | Web socket port used for remote control, chat, system manager etc. | Inbound to Server |
| 8053 | FTP   | Used during file transfer in remote control | Inbound to Server |
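
To confirm from the WAN side that the gateway exposes exactly the ports listed above and that the HTTPS ports present a certificate valid for the common FQDN, a check like the following can be run from an outside network. This is an added example, not part of the product or its documentation; the function names and the extra probed ports (3389, 445) are assumptions, and the certificate check assumes the gateway's certificate chains to a CA in the system trust store.

```python
import socket
import ssl

# Inbound ports from the firewall table above: port -> speaks TLS (HTTPS)?
GATEWAY_PORTS = {8041: True, 8057: False, 8047: True, 8053: False}


def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_valid(fqdn, port, timeout=3.0):
    """True if the port completes a TLS handshake with a certificate that
    chains to a trusted CA and matches fqdn (default verification)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn):
                return True
    except OSError:  # covers refused, timeout and ssl.SSLError
        return False


def audit_gateway(fqdn, ports=GATEWAY_PORTS, also_probe=(), tcp=tcp_open, tls=tls_valid):
    """Return (port, issue) findings for the gateway as seen from the WAN."""
    findings = []
    for port, wants_tls in sorted(ports.items()):
        if not tcp(fqdn, port):
            findings.append((port, "required port not reachable"))
        elif wants_tls and not tls(fqdn, port):
            findings.append((port, "TLS handshake or certificate check failed"))
    for port in sorted(set(also_probe) - set(ports)):
        if tcp(fqdn, port):
            findings.append((port, "reachable but not in the documented set"))
    return findings


if __name__ == "__main__":
    # "product.server.com" is the page's example FQDN; 3389 and 445 are
    # constructed examples of ports that should not answer on the gateway.
    for port, issue in audit_gateway("product.server.com", also_probe=(3389, 445)):
        print(f"{port}: {issue}")
```

An empty result means every documented port answered, both HTTPS ports passed certificate verification, and none of the extra probed ports was reachable.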

You have now secured agent server communication using Desktop Central MSP Secure Gateway Server.
