...
The diagram shows a network configuration with possible network boundaries where network components such as reverse proxies, proxies, firewalls and load balancers can be placed.
[Diagram: UMS Network Configuration]
There are typically three different positions for these components:
...
The communication from the devices to UMS or ICG consists of two different types: regular HTTPS calls for device registration, and a WebSocket connection with Mutual TLS for device management. Both must be considered in the proxy, reverse proxy and firewall configuration.
[Diagram: Device to ICG]
ICG UMS Communication
The communication from the UMS to the ICG is also based on WebSocket and regular HTTPS calls. Every request is initiated by the UMS and uses Mutual TLS. An HTTPS proxy can be configured for these connections in the UMS.
[Diagram: Unbenanntes Diagramm (untitled diagram)]
If a network component is placed between these servers, be aware of these connections. Connection problems can occur when Deep Packet Inspection (DPI) is activated on a firewall. The chapter SSL Offloading applies only to device to UMS / ICG connections; it is not supported for the communication between ICG and UMS.
...
The network component can also inspect the decrypted traffic and encrypt it again before sending it to the server. So far, the UMS supports only this type of communication, in which the data is encrypted again before it reaches the server. The diagram shows the required tasks for SSL Offloading on the network component for the device to UMS direction.
[Diagram: SSL Offloading]
The steps to configure SSL Offloading on a network component:
...
```nginx
# nginx upstream for an HA installation: one entry per UMS server
upstream umsserver {
server 192.168.27.96:8843 max_fails=3 fail_timeout=10s;
server 192.168.27.96:8843 max_fails=3 fail_timeout=10s;
server 192.168.27.96:8843 max_fails=3 fail_timeout=10s;
}
```
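The configuration below is an added example and is not taken from this page or from IGEL. It combines the two device traffic types described earlier (HTTPS registration calls and the WebSocket management connection with Mutual TLS), the SSL Offloading requirement that traffic is encrypted again before it reaches the UMS, and the HA upstream from the code block above, using nginx as the network component. All addresses, host names, port numbers and certificate paths are placeholders. How the UMS consumes the device identity once the device TLS session is terminated on the proxy is defined by the offloading steps of this document and is not reproduced here; the example only makes the result of the client-certificate check available to the backend.

```nginx
# Added example (not IGEL's configuration): nginx as reverse proxy in front of
# an HA pair of UMS servers. It terminates the device TLS session (SSL
# Offloading), forwards the WebSocket upgrade used for device management and
# re-encrypts the traffic towards the UMS. Addresses, names and paths are
# placeholders.

upstream umsserver {
    # One line per UMS server of the HA installation (placeholder addresses)
    server 192.168.27.96:8843 max_fails=3 fail_timeout=10s;
    server 192.168.27.97:8843 max_fails=3 fail_timeout=10s;
}

# Sets Connection: upgrade only for WebSocket requests; plain HTTPS
# registration calls (no Upgrade header) get Connection: close.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name ums.example.internal;   # placeholder

    # TLS towards the devices is terminated here (SSL Offloading)
    ssl_certificate     /etc/nginx/tls/ums-proxy.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/ums-proxy.key;   # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Device management uses Mutual TLS: once the proxy terminates TLS, the
    # proxy itself must validate the device certificate against the issuing
    # CA (placeholder path). "optional" lets registration calls, which carry
    # no client certificate, through as well.
    ssl_client_certificate /etc/nginx/tls/ums-device-ca.crt;
    ssl_verify_client      optional;

    location / {
        # Re-encrypt towards the UMS: the UMS only accepts encrypted traffic
        proxy_pass https://umsserver;
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/ums-server-ca.crt;  # placeholder
        # Name the UMS server certificate is checked against (placeholder)
        proxy_ssl_name                ums-backend.example.internal;
        proxy_ssl_server_name         on;

        # WebSocket support for the management connection
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # Long-lived management sessions must not be cut by the idle timeout
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Result of the device certificate check (SUCCESS, NONE or FAILED:...),
        # exposed to the backend; whether the UMS uses it follows the
        # offloading steps of this document.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
    }
}
```

The `map` block and the `upstream` block belong in the `http` context, the `server` block beside them. Without `proxy_http_version 1.1` and the `Upgrade`/`Connection` headers the registration calls succeed while the management WebSocket never establishes, which is the typical symptom when a reverse proxy or DPI firewall is placed in this path.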
[Diagram: HA]
IGEL Cloud Service Configuration
The communication to the IGEL Cloud might also be influenced by network components. If devices are onboarded via the Onboarding Service (OBS), the OBS must be reachable for the device. The UMS server also connects to the IGEL Cloud Services; here the services that must be reachable are the Onboarding Service (OBS), the License Portal, the App Portal and the Insight Service. These connections can go through a proxy, but the proxy must be configured in the UMS. A network component such as a firewall with Deep Packet Inspection could cause connection problems.
[Diagram: IGEL Cloud Configuration]