Versions Compared

Old Version 1

changes.mady.by.user Emese Pogany

Saved on

compared with

New Version Current

changes.mady.by.user Sarah Leitner

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The diagram shows a network configuration with possible network boundaries where network components like Reverse Proxies, Proxies, Firewalls and Loadbalancer can be placed.

Drawio
diagramName
bordertrue1
zoom1
pageId71997009
custContentId74877608
lbox1
diagramDisplayNameUMS Network ConfigurationsimpleViewerfalse
contentVer1
revision1
baseUrlhttps://igel-jira.atlassian.net/wiki
diagramNameUMS Network Configuration
width600
linksauto
tbstyletop
lboxtrue
diagramWidth1348
revision1


There are typically three different positions for these components:

...

The communication of the devices to UMS or ICG consists of two different types. Regular HTTPS calls for the device registration and a WebSocket connection with Mutual TLS for device management. These must be considered for Proxy, Reverse Proxy and Firewall configuration.

Drawio
1
bordertruediagramName1
zoom1
pageId71997009
custContentId74779509
lbox1
diagramDisplayNameDevice to UMS ICG
simpleViewercontentVerfalse1
linksrevisionauto1
tbstyletop
lboxtrue
diagramWidth851
revisionbaseUrlhttps://igel-jira.atlassian.net/wiki
diagramNameDevice to UMS ICG
width851
linksauto
tbstyletop

UMS to ICG Communication

The communication of the UMS to the ICG is also based on WebSocket and regular HTTPS calls. Every request is initialized by the UMS and uses Mutual TLS. A HTTPS Proxy can be configured for these connections in the UMS.

Drawio
bordertruediagramName1
zoom1
pageId71997009
custContentId74910673
lbox1
diagramDisplayNameUnbenanntes DiagrammsimpleViewerfalse
contentVer1
revision1
baseUrlhttps://igel-jira.atlassian.net/wiki
diagramNameUnbenanntes Diagramm
width600
linksauto
tbstyletop
lboxtrue
diagramWidth601
revision1

In case a Network Component is placed between these servers be aware of these connections. Connection problems could be observed when Deep Packet Inspection (DPI) is activated on a Firewall. The chapter SSL Offloading is only applicable for device to UMS / ICG connections. It is not supported for the communication between ICG and UMS.

...

The diagram shows the device to UMS connection via a Network Component like Azure Application Gateway. The required connections are listed for SSL Offloading. The diagram shows one HTTPS connection which is necessary for device onboarding (Client Certificate request) and the following WebSocket connection where Mutual TLS and Client Certificate forwarding is required.

Drawio
1
bordertruediagramName1
zoom1
pageId71997009
custContentId74910667
lbox1
diagramDisplayNameCommunication via Reverse Proxy
simpleViewercontentVerfalse1
linksrevisionauto1
tbstyletop
lboxtrue
diagramWidth964
revisionbaseUrlhttps://igel-jira.atlassian.net/wiki
diagramNameCommunication via Reverse Proxy
width964
linksauto
tbstyletop

Communication via Azure Application Gateway

...

The UMS supports the separation of the Onboarding and the WebSocket connections. The following diagram shows an overview of a device to UMS connection via the Application Gateway.

Drawio
1
bordertruediagramName1
zoom1
pageId71997009
custContentId74812280
lbox1
diagramDisplayNameCommunication vie Azure
simpleViewercontentVerfalse1
linksrevisionauto1
tbstyletop
lboxtrue
diagramWidth964
revisionbaseUrlhttps://igel-jira.atlassian.net/wiki
diagramNameCommunication vie Azure
width964
linksauto
tbstyletop


The HTTPS listener for device onboarding could use the standard https Port (443) and forwards direct to UMS.
In this example, the HTTPS listener for WebSocket connection listens on Port 8443 and uses mutual TLS for the Client Certificate Check and adds it to the Request Header, so that the UMS can verify it.

...

The Network component could also inspect the decrypted traffic und encrypt it again before sending it to the server. The UMS supports only this type of communication with encrypted data until now. The diagram shows the required tasks for SSL Offloading on the Network Component for the device to UMS direction.

Drawio
bordertruediagramName1
zoom1
pageId71997009
custContentId74812286
lbox1
diagramDisplayNameSSL OffloadingsimpleViewerfalse
contentVer1
revision1
baseUrlhttps://igel-jira.atlassian.net/wiki
diagramNameSSL Offloading
width600
linksauto
tbstyletop
lboxtrue
diagramWidth964
revision1


The Steps to configure SSL Offloading of a Network Component:

...

Code Block
upstream umsserver {
	server 192.168.27.96:8843 max_fails=3 fail_timeout=10s;
 	server 192.168.27.96:8843 max_fails=3 fail_timeout=10s;
 	server 192.168.27.96:8843 max_fails=3 fail_timeout=10s;
 }


Drawio
falsediagramWidth
bordertrue
diagramNameHA
simpleViewer1
zoom1
pageId71997009
custContentId74877614
lbox1
diagramDisplayNameHA
contentVer1
revision1
baseUrlhttps://igel-jira.atlassian.net/wiki
diagramNameHA
width600
linksauto
tbstyletop
lboxtrue
694
revision1

IGEL Cloud Service Configuration

The communication to the IGEL Cloud might be influenced also by network components. In case of the device onboarding via the Onboarding Service, the OBS must be reachable for the device. The UMS server also connects to the IGEL Cloud Services. Here the required reachable services are the Onboarding Service (OBS), the IGEL License Portal (ILP), the IGEL App Portal and the Insight Service. These connections can go over a Proxy but must be configured in the UMS. A network component like a firewall with Deep Packet Inspection could result in connection problems.

Drawio
bordertruediagramName1
zoom1
pageId71997009
custContentId74779515
lbox1
diagramDisplayNameIGEL Cloud ConfigurationsimpleViewerfalse
contentVer1
revision1
baseUrlhttps://igel-jira.atlassian.net/wiki
diagramNameIGEL Cloud Configuration
width600
linksauto
tbstyletop
lboxtrue
diagramWidth843
revision1