...

  • The Client Certificate check is optional, so the connection will always be forwarded but the certificate is only added when a valid certificate has been sent. Additionally, the WebSocket Upgrade must be supported. 

    F5 BIG-IP configuration example:



  • Path-dependent forwarding configuration must be supported. The NGINX Reverse Proxy supports this type. The listing shows a configuration for the WebSocket endpoint, which requires the Client Certificate, adds it to the HTTP header, and adds the WebSocket Upgrade header. See also NGINX: Example Configuration for as Reverse Proxy in IGEL OS with SSL Offloading (/wiki/spaces/ENLITEUMSE/pages/74450494).

    The other configuration is required for the onboarding endpoint.

    NGINX configuration example:

    # Configuration for WebSocket endpoints
    # $connection_upgrade is not built in; define it with a map block in the http context.
    location ~ /device-connector/device/(ws-connect|portforwarding) {
        proxy_pass https://umsserver;
        proxy_set_header X-SSL-CERT $ssl_client_escaped_cert; # client certificate of the current connection
        proxy_set_header Upgrade $http_upgrade; # set the Upgrade header
        proxy_set_header Connection $connection_upgrade;
    }
    # Configuration for all other endpoints
    location / {
        proxy_pass https://umsserver;
        proxy_ssl_trusted_certificate ssl/ssl-cert-chain.cer;
        proxy_ssl_protocols TLSv1.3;
    }



  • Configuration of two endpoints (that is, two Virtual Servers / Listeners) on the Reverse Proxy / Loadbalancer. One endpoint is configured for the device onboarding and another one for the WebSocket connection.
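The path-dependent forwarding in the NGINX listing above can be checked offline with a small model of its two location blocks, which shows which request paths would receive the X-SSL-CERT and Upgrade headers. This is an added example, not IGEL's code; the anchored pattern, the sample paths and the function names are assumptions made for illustration.

```python
import re

# Pattern from the NGINX listing. nginx evaluates "location ~" patterns as
# unanchored, case-sensitive regex searches against the normalized request
# path; anything that does not match falls through to "location /".
WS_REGEX = r"/device-connector/device/(ws-connect|portforwarding)"
# Assumption: an anchored variant, shown only for comparison.
WS_REGEX_ANCHORED = r"^/device-connector/device/(ws-connect|portforwarding)$"


def route(uri_path, ws_pattern=WS_REGEX):
    """Return the location block that handles uri_path and what it forwards."""
    if re.search(ws_pattern, uri_path):
        return {"location": "websocket", "x_ssl_cert": True, "upgrade": True}
    return {"location": "default", "x_ssl_cert": False, "upgrade": False}


# Constructed sample paths, based on the endpoint list on this page.
SAMPLES = [
    "/device-connector/device/ws-connect",
    "/device-connector/device/portforwarding",
    "/device-connector/device/.well-known/est/cacerts",  # constructed suffix
    "/ums-appproxy/example",                             # constructed suffix
    "/wums-app/index.html",                              # constructed suffix
    # Edge cases: only the unanchored pattern sends these to the WebSocket block.
    "/device-connector/device/ws-connect-extra",
    "/prefix/device-connector/device/portforwarding",
]


def report(ws_pattern=WS_REGEX):
    """Map every sample path to the location block that would serve it."""
    return {path: route(path, ws_pattern)["location"] for path in SAMPLES}


if __name__ == "__main__":
    for label, pattern in (("listing", WS_REGEX), ("anchored", WS_REGEX_ANCHORED)):
        print(f"pattern: {label}")
        for path, location in report(pattern).items():
            print(f"  {location:9} {path}")
```

The EST onboarding path and the app proxy path land in the default block, so they are forwarded without the client certificate header.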

...

[Diagram: IGEL Cloud Configuration]

UMS Endpoint Paths for Reverse Proxy Integration

The paths required for OS 12 device connections to the UMS (via a reverse proxy) are:

  • Root path: /device-connector/device/*

  • Detailed paths:

    • /device-connector/device/ws-connect

    • /device-connector/device/portforwarding

    • /device-connector/device/.well-known/est/*

  • App proxy path: /ums-appproxy/*

The device communication is always TLSv1.3.

If the UMS Web App is to be used via a reverse proxy, the following paths are required:

  • /wums-app/*

  • /webapp/*

The device communication is TLSv1.2 or TLSv1.3.