How to secure communication of roaming users using Forwarding Server?
Description
This document will explain you the steps involved in securing the communication of roaming users using Forwarding server component. Forwarding server can be used when roaming agents (on the roaming users' devices and desktops) access the server through internet. It prevents the exposure of Device Control Plus Server directly to the internet by serving as an intermediate between the Device Control Plus server and roaming agents. This ensures that the Device Control Plus Server is secure from risks and threats of vulnerable attacks.
How Forwarding Server works?
Device Control Plus forwarding server is a component that will be exposed to the internet. This forwarding server acts as an intermediate between the managed roaming agents and the Device Control Plus server. All communications from the roaming agents will be navigated through the forwarding server. When the agent tries to contact the Device Control Plus server, forwarding server receives all the communications and redirects to the Device Control Plus Server.
Note: Map your Forwarding server and Device Control Plus server IP address to common FQDN in your DNS to minimize bandwidth consumption. For example, if your FQDN is "product.server.com", map this to both your Forwarding server and Device Control Plus server IP address.
Steps
To introduce forwarding server based communication to Device Control Plus, follow the steps given below:
- Modify Device Control Plus Settings
- Install and configure Forwarding server
- Copy the certificates
- Infrastructure recommendations
Modify Device Control Plus Settings
- Enter forwarding server IP address instead of Device Control Plus server IP address under Device Control Plus server details while adding remote office. This is to ensure the WAN agents and DS communication to forwarding server.
- Enable secured communication(HTTPS) under DS/WAN agent to Device Control Plus server communication.
Install and configure Forwarding server
- Download and install the Forwarding server.
- Enter the following details under Setting up the forwarding server window, which will open after the installation process
- Device Control Plus (DCP) Server Name: Specify the FQDN/DNS/IP address of the Device Control Plus server
- DCP HTTP Port: Specify the port number that the forwarding server uses to contact the Device Control Plus server (eg: 6020)
- DCP HTTPS Port: Specify the port number that the roaming users use to contact the Device Control Plus server (eg: 6363 - it is recommended to use the same port 6363(HTTPS) for Device Control Plus Server in secured mode)
- DCP Notification Server port: 6027 (to perform on-demand operations), this will be pre-filled automatically
Copy the certificates
If you are using a self signed certificate, follow the steps given below:
- Copy the server.crt and server.key files located in Device Control Plus Server under Server_Installed_Directory\DeviceControlPlus_Server\nginx\conf directory, to the location where forwarding server is installed - ManageEngine\MEForwardingServer\nginx\conf
If you are using a third party certificate, follow the steps given below:
- Rename the third party certificate as server.crt
- Rename the private key as server.key
- If you are using an intermediate certificate, modify the file name as intermediate.crt
- Copy the server.crt, server.key and intermediate.crt files to the location where forwarding server is installed - ManageEngine\MEForwardingServer\nginx\conf\
- Navigate to ManageEngine\MEForwardingServer\conf\websetting.conf file and add the line: intermediate.certificate=intermediate.crt
After copying the certificates, click install to complete the installation process.
Configure the NAT settings by adding the FQDN of the forwarding server against the Public FQDN under the NAT settings as shown below.
Infrastructure recommendations
Ensure that you follow the steps given below
- Configure Forwarding server in such a way, that it should be reachable via public IP/FQDN address configured in NAT settings. You can also configure the Edge Device/Router in such a way that all the request that are sent to the Public IP/FQDN address gets redirected to the Device Control Plus Forwarding Server.
- It is mandatory to use HTTPS communication
- You will have to ensure that the following port is open on the firewall for the WAN agents to communicate the Device Control Plus Forwarding Server.
Port |
Type |
Purpose |
Connection |
6363 |
HTTPS |
For communication between the WAN agent/Distribution Server and the Device Control Plus server using Device Control Plus Forwarding Server. |
Inbound to Server |
6027 |
TCP |
To perform on-demand operations |
Inbound to Server |
You have now secured communication between Device Control Plus server, WAN agents and roaming users.
How To's