How to secure communication of mobile/roaming users using Forwarding Server?
This document will explain you the steps involved in securing the communication of roaming users using Forwarding server component. Forwarding server can be used when roaming agents (on the mobile devices and desktops) access the server through internet. It prevents the exposure of Desktop Central Server directly to the internet by serving as an intermediate server between the Desktop Central server and roaming agents. This ensures that the Desktop Central Server is secure from risks and threats of vulnerable attacks.
How Forwarding Server works?
Desktop Central forwarding server is a component that will be exposed to the internet. This forwarding server acts as an intermediate server between the managed roaming agents and the Desktop Central server. All communications from the roaming agents will be navigated through the forwarding server. When the agent tries to contact the Desktop Central server, forwarding server receives all the communications and redirects to the Desktop Central Server.
Note: Map your Forwarding server's public IP adress and Desktop Central server's private IP address to a common FQDN in your respective DNS. For example, if your FQDN is "product.server.com", map this to both your Forwarding server and Desktop Central server IP address. By this mapping, the WAN agents of roaming users will access Desktop Central server via Forwarding server (using internet) and the agents within the LAN network will directly reach Desktop Central server, hence leading to quicker resolution.
To introduce forwarding server based communication to Desktop Central, follow the steps given below:
- Modify Desktop Central Settings
- Install and configure Forwarding server
- Copy the certificates
- Infrastructure recommendations
Modify Desktop Central Settings
- Enter forwarding server IP address instead of Desktop Central server IP address under Desktop Central server details while adding remote office. This is to ensure the WAN agents and DS communication to forwarding server.
- Enable secured communication(HTTPS) under DS/WAN agent to Desktop central server communication.
- Configure NAT settings using the Forwarding server's public FQDN/IP address.
Install and configure Forwarding server
- Download and install forwarding server on a machine in Demilitarized zone.
- Enter the following details under Setting up the forwarding server window, which will open after the installation process.
- DC Server Name: Specify the FQDN/DNS/IP address of the DC server
- DC Http Port: Specify the port number that the forwarding server uses to contact the DC server (eg: 8020)
- DC Https Port: Specify the port number that the mobile devices use to contact the DC server (eg: 8383 - it is recommended to use the same port 8383(HTTPS) for Desktop Central Server in secured mode)
- DC Notification Server port: 8027 (to perform on-demand operations), this will be pre-filled automatically
- Web Socket Port : 8443(HTTPS), this will be pre-filled automatically.
Copy the certificates
If you are using self signed certificate, follow the steps given below:
- Copy the server.crt and server.key files located in Desktop Central Server under ManageEngine\DesktopCentral_Server\apache\conf directory, to the location where forwarding server is installed - ManageEngine\MEForwardingServer\nginx\conf
If you are using third party certificate, follow the steps given below:
- Rename the third party certificate as server.crt
- Rename the private key as server.key
- If you are using an intermediate certificate, modify the file name as intermediate.crt
- Copy the server.crt, server.key and intermediate.crt files to the location where forwarding server is installed - ManageEngine\MEForwardingServer\nginx\conf\
- Navigate to ManageEngine\MEForwardingServer\conf\websetting.conf file and add the line: intermediate.certificate=intermediate.crt
After copying the certificates, click install to complete the installation process.
Ensure that you follow the steps given below
- Configure Forwarding server in such a way, that it should be reachable via public IP/FQDN address configured in NAT settings. You can also configure the Edge Device/Router in such a way that all the request that are sent to the Public IP/FQDN address gets redirected to the Desktop Central Forwarding Server.
- It is mandatory to use HTTPS communication
- You will have to ensure that the following port is open on the firewall for the WAN agents to communicate the Desktop Central Forwarding Server.
||For communication between the WAN agent/Distribution Server and the Desktop Central server using Desktop Central Forwarding Server.
||Inbound to Server
||To perform on-demand operations
||Inbound to Server
||Web socket port used for remote control, chat, system manager etc.
||Inbound to Server
You have now secured communication between Desktop central server, WAN agents and roaming users.