How to secure communication of roaming users using Forwarding Server?

Description

This document explains the steps involved in securing the communication of roaming users using the Forwarding Server component. The Forwarding Server is used when roaming agents (on roaming users' devices and desktops) reach the server over the internet. It avoids exposing the Patch Manager Plus Server directly to the internet by acting as an intermediary between the Patch Manager Plus server and the roaming agents, so that the Patch Manager Plus Server is shielded from the risks and threats that an internet-facing server is exposed to.

How does the Forwarding Server work?

The Patch Manager Plus Forwarding Server is the only component that is exposed to the internet. It acts as an intermediary between the managed roaming agents and the Patch Manager Plus server: all communication from the roaming agents is routed through the Forwarding Server. When an agent tries to contact the Patch Manager Plus server, the Forwarding Server receives the request and relays it to the Patch Manager Plus Server.

Patch Manager Plus Forwarding Server Architecture

Note: Map both your Forwarding Server IP address and your Patch Manager Plus server IP address to a common FQDN in your DNS to minimize bandwidth consumption. For example, if your FQDN is "product.server.com", map it to both the Forwarding Server IP address and the Patch Manager Plus server IP address.

Steps 

To introduce Forwarding Server based communication to Patch Manager Plus, follow the steps given below:

  • Modify Patch Manager Plus Settings
  • Install and configure Forwarding server
  • Copy the certificates
  • Configure NAT settings
  • Infrastructure recommendations

Modify Patch Manager Plus Settings

  1. While adding a remote office, enter the Forwarding Server IP address instead of the Patch Manager Plus server IP address under Patch Manager Plus server details. This ensures that the WAN agents and the Distribution Server (DS) communicate with the Forwarding Server.
  2. Enable secured communication (HTTPS) under DS/WAN agent to Patch Manager Plus server communication.

Install and configure Forwarding server

  1. Download and install the Forwarding Server.
  2. Enter the following details in the "Setting up the forwarding server" window, which opens after the installation completes:
     • Patch Manager Plus (PMP) Server Name: Specify the FQDN/DNS name/IP address of the Patch Manager Plus server.
     • PMP Http Port: Specify the port number that the Forwarding Server uses to contact the Patch Manager Plus server (e.g. 6020).
     • PMP Https Port: Specify the port number that the roaming users use to contact the Patch Manager Plus server (e.g. 6363; it is recommended to use the same port 6363 (HTTPS) for the Patch Manager Plus Server in secured mode).
     • PMP Notification Server port: 6027 (used to perform on-demand operations); this is pre-filled automatically.

Copy the certificates

If you are using a self-signed certificate, follow the steps given below:

  1. Copy the server.crt and server.key files, located on the Patch Manager Plus Server under the ManageEngine\PatchManagerPlus_Server\apache\conf directory, to the location where the Forwarding Server is installed: ManageEngine\MEForwardingServer\nginx\conf

If you are using a third-party certificate, follow the steps given below:

  1. Rename the third-party certificate to server.crt
  2. Rename the private key to server.key
  3. If you are using an intermediate certificate, rename it to intermediate.crt
  4. Copy the server.crt, server.key and intermediate.crt files to the location where the Forwarding Server is installed: ManageEngine\MEForwardingServer\nginx\conf\
  5. Open the ManageEngine\MEForwardingServer\conf\websetting.conf file and add the line: intermediate.certificate=intermediate.crt

After copying the certificates, click Install to complete the installation process.
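The third-party certificate steps above amount to three renames, a copy into nginx\conf and one line in websetting.conf. The script below is an added example (it is not ManageEngine code) that carries out those steps and, before copying anything, checks with the standard library that the private key actually belongs to the certificate, since nginx refuses to start on a key/certificate mismatch and the roaming agents would then lose their only path to the server. The install root, the input file names and the helper names (key_matches_cert, add_setting_once, stage_certificate) are assumptions; the destination paths and the websetting.conf line are the ones named in the steps.

```python
"""Stage a third-party certificate for the Patch Manager Plus Forwarding Server.

Added example, not ManageEngine code. Install root and input file names are
placeholders; destination paths follow the documented steps.
"""
import shutil
import ssl
from pathlib import Path


def key_matches_cert(cert_path, key_path):
    """Return True only if key_path is the private key for cert_path.

    SSLContext.load_cert_chain raises ssl.SSLError on a key/certificate
    mismatch or unparsable PEM, and OSError if a file is missing, so the
    check needs nothing beyond the standard library.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=str(cert_path), keyfile=str(key_path))
    except (ssl.SSLError, ValueError, OSError):
        return False
    return True


def add_setting_once(conf_path, line):
    """Append `line` to conf_path unless it is already there (idempotent)."""
    conf_path = Path(conf_path)
    existing = conf_path.read_text().splitlines() if conf_path.exists() else []
    if line in (entry.strip() for entry in existing):
        return False
    with conf_path.open("a") as fh:
        fh.write(line + "\n")
    return True


def stage_certificate(install_root, cert_file, key_file,
                      intermediate_file=None, validate=True):
    """Copy the files into MEForwardingServer\\nginx\\conf under the names the
    Forwarding Server expects and register the intermediate in websetting.conf.

    Returns the sorted list of file names now present in nginx\\conf.
    """
    install_root = Path(install_root)
    if validate and not key_matches_cert(cert_file, key_file):
        raise ValueError("private key does not match the certificate; refusing to stage")

    nginx_conf = install_root / "MEForwardingServer" / "nginx" / "conf"
    nginx_conf.mkdir(parents=True, exist_ok=True)

    # Step 1-3: the renames happen as part of the copy (step 4).
    staged = {"server.crt": Path(cert_file), "server.key": Path(key_file)}
    if intermediate_file:
        staged["intermediate.crt"] = Path(intermediate_file)
    for name, src in staged.items():
        shutil.copyfile(src, nginx_conf / name)

    # Step 5: tell the Forwarding Server about the intermediate, exactly once.
    if intermediate_file:
        websetting = install_root / "MEForwardingServer" / "conf" / "websetting.conf"
        websetting.parent.mkdir(parents=True, exist_ok=True)
        add_setting_once(websetting, "intermediate.certificate=intermediate.crt")

    return sorted(p.name for p in nginx_conf.iterdir())


if __name__ == "__main__":
    # Placeholder paths; adjust to your installation.
    print(stage_certificate(r"C:\ManageEngine", r"C:\certs\vendor.crt",
                            r"C:\certs\vendor.key", r"C:\certs\chain.crt"))
```

Run it once per certificate renewal: with validate left at its default the copy is refused on a mismatched pair, and running it twice does not duplicate the intermediate.certificate line.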

Configure the NAT settings

  1. On the Patch Manager Plus Server Console, click on the Admin tab -> Server Settings -> NAT Settings.
  2. Add the FQDN of the forwarding server against the Public FQDN under NAT Device as shown below.

[Screenshot: NAT Settings page in the Patch Manager Plus Server console]

Infrastructure recommendations

Ensure that you follow the steps given below:

  1. Configure the Forwarding Server so that it is reachable via the public IP address/FQDN configured in NAT Settings. Alternatively, configure the edge device/router so that all requests sent to the public IP address/FQDN are redirected to the Patch Manager Plus Forwarding Server.
  2. It is mandatory to use HTTPS communication.
  3. Ensure that the following ports are open on the firewall so that the WAN agents can communicate with the Patch Manager Plus Forwarding Server.

     Port   Type    Purpose                                                                                                    Connection
     6363   HTTPS   Communication between the WAN agent/Distribution Server and the Patch Manager Plus server via the Forwarding Server   Inbound to server
     6027   TCP     On-demand operations                                                                                       Inbound to server
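The NAT and infrastructure steps above are easy to verify after deployment: the public FQDN must resolve to the address you expect from each side (Forwarding Server from the internet, Patch Manager Plus server from the LAN), ports 6363 and 6027 must be reachable on the Forwarding Server, and the Patch Manager Plus server itself must not be reachable on those ports from outside, which is the whole point of the design. The script below is an added example (not ManageEngine code) that runs those checks from wherever it is executed; the host names and addresses in it are placeholders, and the helper names (tcp_reachable, tls_subject, audit) are assumptions.

```python
"""Post-deployment exposure audit for a Patch Manager Plus Forwarding Server.

Added example, not ManageEngine code. Hosts and addresses are placeholders.
Run it once from the internet (external_vantage=True) and once from the LAN.
"""
import socket
import ssl
from dataclasses import dataclass

# Ports the documentation says must be open inbound on the Forwarding Server.
FORWARDING_PORTS = {6363: "HTTPS agent/DS traffic", 6027: "on-demand notifications"}


@dataclass
class PortResult:
    host: str
    port: int
    open: bool
    error: str = ""


def tcp_reachable(host, port, timeout=3.0):
    """Plain TCP connect; tells you whether the firewall/NAT path is open."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return PortResult(host, port, True)
    except OSError as exc:
        return PortResult(host, port, False, str(exc))


def tls_subject(host, port=6363, timeout=3.0, cafile=None):
    """Complete a TLS handshake and return (commonName, [DNS SANs]) presented.

    With cafile=None the system trust store is used, so a self-signed
    server.crt is rejected unless you pass that file as cafile. Use it to
    confirm the Forwarding Server presents the certificate you copied.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = next((value for rdn in cert.get("subject", ())
               for kind, value in rdn if kind == "commonName"), None)
    return cn, sans


def audit(public_fqdn, expected_ip, pmp_internal_ip, external_vantage,
          resolver=socket.gethostbyname, probe=tcp_reachable):
    """Return a list of findings; an empty list means the setup matches the docs.

    resolver and probe are injectable so the logic can be exercised offline.
    """
    findings = []
    try:
        resolved = resolver(public_fqdn)
    except OSError as exc:
        resolved = None
        findings.append(f"DNS: {public_fqdn} does not resolve ({exc})")
    if resolved and resolved != expected_ip:
        findings.append(f"DNS: {public_fqdn} resolves to {resolved}, expected {expected_ip}")

    for port, purpose in FORWARDING_PORTS.items():
        result = probe(public_fqdn, port)
        if not result.open:
            findings.append(f"Forwarding Server port {port} ({purpose}) closed: {result.error}")

    # From the internet, only the Forwarding Server should answer.
    if external_vantage:
        for port in FORWARDING_PORTS:
            result = probe(pmp_internal_ip, port)
            if result.open:
                findings.append(f"EXPOSURE: Patch Manager Plus server "
                                f"{pmp_internal_ip}:{port} is reachable from outside")
    return findings


if __name__ == "__main__":
    # Placeholder values; replace with your NAT Settings FQDN and addresses.
    for line in audit("product.server.com", "203.0.113.10", "10.0.0.5",
                      external_vantage=True) or ["no findings"]:
        print(line)
```

An empty result from the external run plus a matching tls_subject() confirms that the only thing the internet can reach is the Forwarding Server on the two documented ports.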

You have now secured the communication between the Patch Manager Plus server, the WAN agents and the roaming users.
