
How to secure communication of mobile/roaming users using Secure Gateway Server?

Description

This document explains the steps involved in securing the communication of roaming users with the Secure Gateway Server component. Secure Gateway Server is used when roaming agents (on mobile devices and desktops) access the server over the internet. It avoids exposing the Endpoint Central server directly to the internet by acting as an intermediate server between the Endpoint Central server and the roaming agents, so that the Endpoint Central server is shielded from internet-facing attacks.

How does Secure Gateway Server work?

Endpoint Central Secure Gateway Server is the component that is exposed to the internet. It acts as an intermediate server between the managed roaming agents and the Endpoint Central server. All communication from roaming agents is routed through the Secure Gateway Server: when an agent contacts the Endpoint Central server, the Secure Gateway Server receives the request and forwards it to the Endpoint Central server.

Figure: Endpoint Central Secure Gateway Server architecture

Note: Map your Secure Gateway Server's public IP address and the Endpoint Central server's private IP address to a common FQDN in your respective DNS. For example, if your FQDN is "product.server.com", map it to both your Secure Gateway Server IP address and your Endpoint Central server IP address. With this mapping, the WAN agents of roaming users reach the Endpoint Central server via the Secure Gateway Server (over the internet), while agents within the LAN reach the Endpoint Central server directly, which gives quicker resolution.

Hardware requirements for Secure Gateway Server

The hardware requirements for Secure Gateway Server are as follows:

Processor: Intel Core i5 (4 cores/8 threads), 2.3 GHz, 6 MB cache
RAM: 4 GB

Steps

To introduce Secure Gateway Server based communication to Endpoint Central, follow the steps given below:

  • Modify Endpoint Central Settings
  • Install and configure Secure Gateway
  • Copy the certificates
  • Infrastructure recommendations

Modify Endpoint Central Settings

  1. While adding a remote office, enter the Secure Gateway Server IP address instead of the Endpoint Central server IP address under Endpoint Central server details. This ensures that the WAN agents and the Distribution Server (DS) communicate with the Secure Gateway Server.
  2. Enable secured communication (HTTPS) under DS/WAN agent to Endpoint Central server communication.
  3. Configure NAT settings using the Secure Gateway Server's public FQDN/IP address.

Install and configure Secure Gateway Server

  1. Download and install Secure Gateway Server on a machine in a demilitarized zone (DMZ).
  2. Enter the following details in the Setting up the Secure Gateway Server window, which opens after the installation process:
    • DC Server Name: Specify the FQDN/DNS name/IP address of the DC (Endpoint Central) server.
    • DC Http Port: Specify the port number that the Secure Gateway Server uses to contact the DC server (e.g. 8020).
    • DC Https Port: Specify the port number that the mobile devices use to contact the DC server (e.g. 8383; it is recommended to use the same port, 8383 (HTTPS), for the Endpoint Central server in secured mode).
    • DC Notification Server Port: 8027 (used to perform on-demand operations); this is pre-filled automatically.
    • Web Socket Port: 8443 (HTTPS); this is pre-filled automatically.

Copy the certificates

If the build number is below 90056 and you are using a self-signed certificate, follow the step given below. For build 90056 and above, this is done automatically.

  1. Copy the server.crt and server.key files, located on the Endpoint Central server under the ManageEngine\DesktopCentral_Server\apache\conf directory, to the location where Secure Gateway Server is installed: ManageEngine\MEForwardingServer\nginx\conf

If you are using a third-party certificate, follow the steps given below:

  1. Rename the third-party certificate to server.crt
  2. Rename the private key to server.key
  3. If you are using an intermediate certificate, rename it to intermediate.crt
  4. Copy the server.crt, server.key and intermediate.crt files to the location where Secure Gateway Server is installed: ManageEngine\MEForwardingServer\nginx\conf\
  5. Open the ManageEngine\MEForwardingServer\conf\websetting.conf file and add the line: intermediate.certificate=intermediate.crt

After copying the certificates, click Install to complete the installation process.
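A mismatched certificate and private key, or a websetting.conf edit that gets duplicated on a re-run, are the two mistakes most likely to stop the gateway's nginx from coming up after the copy step. The following script is an added example, not ManageEngine's code: it checks that server.key really belongs to server.crt (using the standard library's ssl module, which refuses a non-matching pair) and adds or updates the intermediate.certificate line idempotently. The helper that generates a throwaway self-signed pair for testing shells out to the openssl command line and is an assumption about the local environment; the file paths in the usage block are placeholders.

```python
"""Pre-flight checks for the certificate copy step (added example, not
ManageEngine code).  Paths below are placeholders."""
import os
import shutil
import ssl
import subprocess


def cert_matches_key(cert_path, key_path):
    """Return True if the private key in key_path belongs to the certificate
    in cert_path.  ssl.SSLContext.load_cert_chain() raises ssl.SSLError for a
    key/certificate mismatch, which is the same failure nginx would report."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    except ssl.SSLError:
        return False
    return True


def set_conf_key(conf_path, key, value):
    """Add or update a key=value line in a properties-style file such as
    websetting.conf.  Idempotent: running it twice leaves one line, not two.
    Returns the resulting list of lines."""
    lines = []
    if os.path.exists(conf_path):
        with open(conf_path, encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    new_line = f"{key}={value}"
    replaced = False
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # leave comments alone
        if stripped.split("=", 1)[0].strip() == key:
            lines[i] = new_line
            replaced = True
    if not replaced:
        lines.append(new_line)
    with open(conf_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return lines


def make_self_signed_pair(directory, cn="gateway.example.test"):
    """Generate a throwaway RSA key and self-signed certificate with the
    openssl CLI, for local testing of cert_matches_key() only.
    Returns (cert_path, key_path), or None when openssl is not installed."""
    if shutil.which("openssl") is None:
        return None
    cert = os.path.join(directory, "server.crt")
    key = os.path.join(directory, "server.key")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1", "-subj", f"/CN={cn}"],
        check=True, capture_output=True,
    )
    return cert, key


if __name__ == "__main__":
    # Placeholder paths: point these at the files you are about to copy.
    nginx_conf = r"C:\ManageEngine\MEForwardingServer\nginx\conf"
    websetting = r"C:\ManageEngine\MEForwardingServer\conf\websetting.conf"
    ok = cert_matches_key(os.path.join(nginx_conf, "server.crt"),
                          os.path.join(nginx_conf, "server.key"))
    print("server.key matches server.crt:", ok)
    if ok and os.path.exists(os.path.join(nginx_conf, "intermediate.crt")):
        set_conf_key(websetting, "intermediate.certificate", "intermediate.crt")
```

Run it on the gateway host before clicking Install; a False from cert_matches_key means the wrong key was renamed to server.key.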

Infrastructure recommendations

Ensure that you follow the steps given below:

  1. Configure the Secure Gateway Server so that it is reachable via the public IP/FQDN address configured in NAT settings. Alternatively, configure the edge device/router so that all requests sent to the public IP/FQDN address are redirected to the Endpoint Central Secure Gateway Server.
  2. It is mandatory to use HTTPS communication.
  3. Ensure that the following ports are open on the firewall for the WAN agents to communicate with the Endpoint Central Secure Gateway Server.

  Port   Type    Purpose                                                                                      Connection
  8383   HTTPS   Communication between the WAN agent/Distribution Server and the Endpoint Central server      Inbound to Server
                 via the Endpoint Central Secure Gateway Server
  8027   TCP     On-demand operations                                                                         Inbound to Server
  8443   HTTPS   Web socket port used for remote control, chat, system manager, etc.                          Inbound to Server
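Two things on this page are easy to get wrong silently: the split DNS mapping described in the note above (the same FQDN must resolve to the gateway from the internet and to the Endpoint Central server from the LAN) and the firewall openings in the table. The script below is an added example, not ManageEngine's code, that checks both from whatever vantage point it is run: it confirms the FQDN resolves to the address you expect there, and that the three documented inbound ports answer while ports you did not intend to publish do not. The FQDN, the IP addresses and the choice of 8020 (the gateway's internal HTTP port to the DC server) as a port that should not answer from the internet are assumptions for illustration.

```python
"""Split-DNS and firewall exposure check for a Secure Gateway Server deployment
(added example, not ManageEngine code).  Hosts, addresses and the 'forbidden'
port list are assumptions, not page content."""
import socket
import threading

# Inbound ports from the documentation's firewall table.
GATEWAY_PORTS = {
    8383: "HTTPS: WAN agent / Distribution Server traffic",
    8027: "TCP: notification server, on-demand operations",
    8443: "HTTPS: web socket (remote control, chat, system manager)",
}


def resolves_to(fqdn, expected_ip):
    """True if fqdn resolves to expected_ip from wherever this runs.
    Run once on the LAN (expect the Endpoint Central private IP) and once
    from outside (expect the gateway's public IP) to confirm the mapping."""
    try:
        answers = {ai[4][0] for ai in socket.getaddrinfo(fqdn, None, socket.AF_INET)}
    except socket.gaierror:
        return False
    return expected_ip in answers


def port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(host, required_ports, forbidden_ports, timeout=2.0):
    """Return (missing, exposed): required ports that do not answer, and
    forbidden ports that do.  Two empty lists mean the firewall matches
    the documented port list."""
    missing = [p for p in required_ports if not port_open(host, p, timeout)]
    exposed = [p for p in forbidden_ports if port_open(host, p, timeout)]
    return missing, exposed


def start_listener(host="127.0.0.1"):
    """Open a throwaway TCP listener on an ephemeral port (used only to test
    the checks above locally) and return its port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def unused_port(host="127.0.0.1"):
    """Find a port nobody is listening on (bind to 0, read it back, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed values: substitute your FQDN and the address expected here.
    fqdn = "product.server.com"
    expected_ip = "203.0.113.10"  # assumed gateway public IP (TEST-NET range)
    print(f"{fqdn} -> {expected_ip}:", resolves_to(fqdn, expected_ip))
    # Treating 8020 (gateway-to-DC HTTP) as not-for-the-internet is an assumption.
    missing, exposed = check_exposure(fqdn, list(GATEWAY_PORTS), [8020])
    for p in missing:
        print(f"NOT reachable: {p} ({GATEWAY_PORTS[p]})")
    for p in exposed:
        print(f"UNEXPECTEDLY reachable: {p}")
```

Run it from a roaming user's network position and again from inside the LAN; the resolves_to result should differ between the two (public gateway IP versus private Endpoint Central IP), while check_exposure should report nothing missing from outside.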

You have now secured the communication between the Endpoint Central server, WAN agents and roaming users.