With the launch of IGEL Universal Management Suite (UMS) 12, the Unified Protocol used for all communication between the UMS and IGEL OS 12 devices was introduced, see (12.04.120) Overview of the IGEL UMS. The Unified Protocol is a secure protocol that uses TCP 8443, see (12.04.120) IGEL UMS Communication Ports. However, depending on the structure of your UMS environment, your company's security policies, etc., it may be insufficient, and the use of the IGEL Cloud Gateway (ICG) or a reverse proxy may be required. In the following article, you will find the pros and cons of each solution.
...
In the case of the ICG, both the endpoint devices and the UMS connect to the ICG, see (12.04.120) Devices and UMS Server Contacting Each Other via ICG. The WebSocket communication between the ICG and the UMS, as well as between the ICG and the device, is only established after mutual authentication, and the communication is encrypted with TLS. All data is routed through this WebSocket.
...
The UMS as an Update Proxy feature cannot currently be used, i.e. IGEL OS devices can download the apps from the App Portal only, not from the UMS Server. See (12.04.120) Configuring Global Settings for the Update of IGEL OS Apps.
Higher latency and longer command execution in comparison to the reverse proxy. For large enterprise environments, the use of a reverse proxy may be considered.
...
A reverse proxy with SSL offloading is possible as of UMS 12.02. See NGINX: Example Configuration as a Reverse Proxy in IGEL OS with SSL Offloading and (12.04.120) IGEL Cloud Gateway vs. Reverse Proxy for the Communication between UMS 12 and IGEL OS Devices.
The FQDN and port of the reverse proxy must be specified as the Cluster Address, see (12.04.120) Server Network Settings in the IGEL UMS.
Info |
---|
A reverse proxy / load balancer can also be used to distribute traffic from devices within the company network. For more information on network component integration, see (12.04.120) IGEL Universal Management Suite Network Configuration. |
It is advisable to use TLS 1.3 for the reverse proxy configuration.
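The following NGINX fragment is an added example, not IGEL's own reverse proxy configuration from the article linked above: it terminates device TLS with TLS 1.3 only, passes the WebSocket upgrade through to the UMS on the Unified Protocol port 8443, and re-encrypts toward the UMS. All hostnames, certificate paths and the assumption that the UMS certificate can be verified against a CA file are placeholders.

```nginx
# Added example (not IGEL's configuration): NGINX as reverse proxy in front of the UMS.
# Hostnames, certificate paths and the upstream address are placeholders.

upstream ums_backend {
    # UMS server listening on the Unified Protocol port (default TCP 8443)
    server ums1.example.internal:8443;
}

server {
    listen 443 ssl;
    # This FQDN and port are what devices use and what is entered as the UMS Cluster Address
    server_name ums-proxy.example.com;

    ssl_certificate     /etc/nginx/tls/ums-proxy.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/ums-proxy.key;   # placeholder path

    # Weaker setting: also accepts TLS 1.2 handshakes from devices
    # ssl_protocols TLSv1.2 TLSv1.3;
    # Recommended setting, as advised above: TLS 1.3 only
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;

    location / {
        proxy_pass https://ums_backend;
        proxy_http_version 1.1;

        # Without these two headers the WebSocket upgrade never reaches the UMS
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # The UMS WebSocket is long-lived; NGINX's 60 s default read timeout would cut it
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;

        # Re-encrypt toward the UMS and verify its certificate
        # (assumption: the issuing CA is available as a PEM file on the proxy)
        proxy_ssl_protocols TLSv1.3;
        proxy_ssl_server_name on;
        proxy_ssl_name ums1.example.internal;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/ums-ca.crt;   # placeholder path
    }
}
```

After `nginx -t` and a reload, a handshake forced to TLS 1.2 (for example `openssl s_client -tls1_2 -connect ums-proxy.example.com:443`) should be refused while a TLS 1.3 handshake succeeds, which confirms the protocol restriction is in effect.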
...
Load balancing
The UMS as an Update Proxy feature can be used, i.e. IGEL OS devices can download the apps from the UMS Server. See (12.04.120) Configuring Global Settings for the Update of IGEL OS Apps.
Adds an extra layer of security (depending on the configuration)
...
In this case, IGEL OS 12 devices communicate directly with the UMS, see (12.04.120) Devices Contacting UMS.
...
Legend to the image:
: Shows that the traffic in the WebSocket runs in both directions.
(multicolored): Shows from which side firewalls etc. must be opened.
...
Port 8443 (can be changed under UMS Administrator > Settings > Web server port) must be opened in the firewall, but no other configuration is required.
Suitable for communication with devices within the company network.
...
Info |
---|
IGEL Onboarding Service (OBS) is NOT a substitute for an ICG or a reverse proxy and is only meant to authenticate and register the endpoint device with the correct UMS during the onboarding. For more information on the OBS, see How to Start with IGEL > Initial Configuration of the IGEL Onboarding Service OBS and Onboarding IGEL OS 12 Devices. |