Secure Gateway Server

How to secure communication of mobile/roaming users using Secure Gateway Server?

Description

This document will explain you the steps involved in securing the communication of roaming users using Secure Gateway Server. Secure Gateway Server can be used when roaming agents (on the mobile devices and desktops) access the server through internet. It prevents the exposure of Desktop Central Server directly to the internet by serving as an intermediate server between the Desktop Central server and roaming agents. This ensures that the Desktop Central Server is secure from risks and threats of vulnerable attacks.

For a step by step demonstration video on how to configure secure gateway server, click here.

How Secure Gateway works?

Desktop Central Secure Gateway Server is a component that will be exposed to the internet. This Secure Gateway Server acts as an intermediate server between the managed roaming agents and the Desktop Central server.All communications from the roaming agents will be navigated through the Secure Gateway. When the agent tries to contact the Desktop Central server, Secure Gateway server receives all the communications and redirects to the Desktop Central Server. 

Desktop Central Secure Gateway Server Architecture

Note: Map your Secure Gateway's public IP adress and Desktop Central server's private IP address to a common FQDN in your respective DNS. For example, if your FQDN is "product.server.com", map this to both your Secure Gateway and Desktop Central server IP address. By this mapping, the WAN agents of roaming users will access Desktop Central server via Secure Gateway (using internet) and the agents within the LAN network will directly reach Desktop Central server, hence leading to quicker resolution.

Software requirements for Secure Gateway Server

You can install Secure Gateway Server on any of these Windows operating system versions:

  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Hardware requirements for Secure Gateway Server

The hardware requirements for Secure Gateway Server include the following :

 
 
1 to 250 computers
 
 
251 to 500 computers
 
 
501 to 1000 computers
 
 
1001 to 3000 computers
 
 
3001 to 5000 computers
 
 
5001 to 10000 computers
 
 
10001 to 15000 computers
 
 
15001 to 20000 computers
 
 
20001 to 25000 computers
 
 
25001 to 30000 computers
 
 
Above 30000 computers

Steps 

To introduce Secure Gateway based communication to Desktop Central, follow the steps given below:

  • Modify Desktop Central Settings
  • Install and configure Secure Gateway
  • Infrastructure recommendations

Modify Desktop Central Settings

  1. Enter Secure Gateway IP address instead of Desktop Central server IP address under Desktop Central server details while adding remote office. This is to ensure the WAN agents and DS communication to Secure Gateway.
  2. Enable secured communication(HTTPS) under DS/WAN agent to Desktop central server communication.
  3. Configure NAT settings using the Secure Gateway's public FQDN/IP address.  
    • On the Desktop Central Server Console, click on Admin tab -> Server Settings -> NAT Settings       
    • Add the FQDN of the Secure Gateway server against the Public FQDN under NAT device as shown below

Desktop Central Secure Gateway Server NAT Settings

Install and configure Secure Gateway

  1. Download and install Secure Gateway on a machine in Demilitarized zone.
  2. Enter the following details under Setting up the Secure Gateway window, which will open after the installation process.
    • DC Server Name: Specify the FQDN/DNS/IP address of the DC server. Or specify virtual IP address if Failover server is used.
    • DC Https Port: Specify the port number that the mobile devices use to contact the DC server (eg: 8383 - it is recommended to use the same port 8383(HTTPS) for Desktop Central Server in secured mode)
    • DC Notification Server port: 8027 (to perform on-demand operations), this will be pre-filled automatically
    • Web Socket Port : 8443(HTTPS), this will be pre-filled automatically.
    • File Transfer Port: 8031(HTTPS), this will be pre-filled automatically, but it can be modified as required.
    • Username & Password: Enter Desktop Central user's credentials with administrative privilege.

Infrastructure recommendations

Ensure that you follow the steps given below

  1. Secure Gateway's Public IP address with the port 8383(https) should be provided to Desktop Central server for accessibility verification.
  2. Configure Secure Gateway in such a way, that it should be reachable via public IP/FQDN address configured in NAT settings. You can also configure the Edge Device/Router in such a way that all the request that are sent to the Public IP/FQDN address gets redirected to the Desktop Central Secure Gateway.
  3. It is mandatory to use HTTPS communication
  4. You will have to ensure that the following port is open on the firewall for the WAN agents to communicate the Desktop Central Secure Gateway.
Port Type Purpose Connection
8383 HTTPS For communication between the WAN agent/Distribution Server and the Desktop Central server using Desktop Central Secure Gateway. Inbound to Server
8027 TCP To perform on-demand operations  Inbound to Server
8443 HTTPS Web socket port used for remote control, chat, system manager etc. Inbound to Server
8031 HTTPS For transferring files Inbound to Server

You have now secured communication between Desktop central server, WAN agents and roaming users.

Check this video for a step by step demonstration on how to configure the secure gateway server.

Remote Desktop & Mobile Device Management Software for MSPs trusted by