Document toolboxDocument toolbox

(12.06.110-en) IGEL Universal Management Suite Network Configuration

This article describes the Universal Management Suite (UMS) and IGEL Cloud Gateway (ICG) Integration with Network components like Firewalls and Reverse Proxies.

For Reverse Proxy configuration examples, see:


UMS Network Configurations

The diagram shows a network configuration with possible network boundaries where network components like Reverse Proxies, Proxies, Firewalls and Loadbalancer can be placed.

 

There are typically three different positions for these components:

  • Device and ICG Server

  • Device and UMS Server

  • ICG and UMS Server

Connection Types Between Device and UMS

For a successful configuration it is important to understand the different connection types.

Device to ICG / UMS Communication

The communication of the devices to UMS or ICG consists of two different types. Regular HTTPS calls for the device registration and a WebSocket connection with Mutual TLS for device management. These must be considered for Proxy, Reverse Proxy and Firewall configuration.

UMS to ICG Communication

The communication of the UMS to the ICG is also based on WebSocket and regular HTTPS calls. Every request is initialized by the UMS and uses Mutual TLS. A HTTPS Proxy can be configured for these connections in the UMS.

In case a Network Component is placed between these servers be aware of these connections. Connection problems could be observed when Deep Packet Inspection (DPI) is activated on a Firewall. The chapter SSL Offloading is only applicable for device to UMS / ICG connections. It is not supported for the communication between ICG and UMS.

Communication via Reverse Proxy

The diagram shows the device to UMS connection via a Network Component like Azure Application Gateway. The required connections are listed for SSL Offloading. The diagram shows one HTTPS connection which is necessary for device onboarding (Client Certificate request) and the following WebSocket connection where Mutual TLS and Client Certificate forwarding is required.

Communication via Azure Application Gateway

Some Reverse Proxies like NGINX support a Mutual TLS configuration with optional Client Certificate check. These Reverse Proxies can handle both required UMS connections with one configured listener. The Azure Application Gateway does not support this feature. The two types of connections used must be handled separately. According to this the Azure Application Gateway configuration must contain two separate listeners with corresponding rules.

The UMS supports the separation of the Onboarding and the WebSocket connections. The following diagram shows an overview of a device to UMS connection via the Application Gateway.

 

The HTTPS listener for device onboarding could use the standard https Port (443) and forwards direct to UMS.
In this example, the HTTPS listener for WebSocket connection listens on Port 8443 and uses mutual TLS for the Client Certificate Check and adds it to the Request Header, so that the UMS can verify it.

SSL Passthrough

SSL Passthrough passes encrypted HTTPS traffic from a client to the server and back again without any decryption or deep packet inspection. The HTTPS traffic is not manipulated so this configuration of network components shouldn’t have any impact on the ICG or UMS functionality. Please refer to the documentation of your Web Component for the appropriate settings.

 

Example

nginx – one possible configuration of passthrough:

## tcp LB and SSL passthrough for backend ## stream { upsream umsserver{ server 192.168.1.100:8443 max_fails=3 fail_timeout=10s; server 192.168.1.100:8443 max_fails=3 fail_timeout=10s; } server{ listen 443; proxy_pass umsserver; proxy_next_upstream on; } }

The configuration must be added to the nginx config file:

user nginx; worker_process auto; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.ped; events{ worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; sendfile on; #tcp_nopush on; keepalive_timeout 65; #gzip on; include/etc/nginx/conf.d/*.conf; } include/etc/nginx/passthrough.conf;

 

SSL Offloading

SSL Offloading means that the network component terminates the SSL connection and decrypts the data. This decrypted data could be sent directly to the Server which also sends decrypted data to the network component which handles the encryption.

The Network component could also inspect the decrypted traffic und encrypt it again before sending it to the server. The UMS supports only this type of communication with encrypted data until now. The diagram shows the required tasks for SSL Offloading on the Network Component for the device to UMS direction.

 

The Steps to configure SSL Offloading of a Network Component:

  • Configure Listener for SSL Termination. This includes:

    • Port: UMS Web Port

    • Key and Certificate: UMS Web Key and UMS Web Certificate

  • Configure Client Certificate Check and Client Certificate Forwarding. This includes:

    • SSL Client Certificate Check

    • Read SSL Client Certificate and add it to a Forwarded Header

  • If necessary, configure the WebSocket Upgrade Header

The processing of forwarded Client Certificates must be activated on UMS side. The configuration file is 
(Install Dir)/IGEL/RemoteManager/rmguiserver/conf/appconfig/application.yml.

igel: client-cert-forwarding: enabled: false client-cert-forwarded-header: X-SSL-CERT

 

Set client-cert-forwarding -> enabled to true.

The forwarding Header can be configured. The X-SSL-CERT Header value can be changed but be aware to change the corresponding value in the network component configuration.
The ICG configuration is analog except for the ICG Port, ICG KEY and ICG Certificate parameters.
The processing of forwarded Client Certificates must also be activated on ICG side.
The configuration file is (Install Dir)/IGEL/icg/usg/conf/application-prod.yml

Required Features of the Network Component

Client Certificate check and forwarding

The OS12 device uses two types of connections to the UMS. One is a direct https connection to onboard the device and get a Client Certificate. The other one is a WebSocket connection for managing the device with mutual TLS.
So, the used Reverse Proxy must at least implement one of the following configuration options: 

  • The Client Certificate check is optional, so the connection will always be forwarded but the certificate is only added when a valid certificate has been sent. Additionally, the WebSocket Upgrade must be supported. 

    F5 BIG-IP configuration example:

     

  • Path dependent forwarding configuration must be supported. The NGINX Reverse Proxy supports this type. The listing shows a configuration for the WebSocket endpoint which requires the Client Certificate, add it to the http header and add the WebSocket Upgrade header. See also, https://igel-jira.atlassian.net/wiki/spaces/ENLITEUMSE/pages/74450494 .

    The other configuration is required for the onboarding endpoint.

    NGINX configuration example:




  • Configuration of two endpoints (that is, two Virtual Servers / Listeners) on the Reverse Proxy / Loadbalancer. One endpoint is configured for the device onboarding and another one for the WebSocket connection.

Azure Application Gateway configuration example:

image-20241211-154741.png

UMS HA environment with Reverse Proxy, Loadbalancer

The device to UMS / ICG connection can be load balanced.
The UMS Web certificate and ICG certificate must correspond to the IP or Fully Qualified Domain Name of the servers and configured network component. Consider the Subject Alternative Names of the certificate. Wildcard certificates are possible. Be aware to set the UMS cluster address and the UMS public address.
The example shows a nginx upstream server configuration with multiple UMS server entries.

 

IGEL Cloud Service Configuration

The communication to the IGEL Cloud might be influenced also by network components. In case of the device onboarding via the Onboarding Service, the OBS must be reachable for the device. The UMS server also connects to the IGEL Cloud Services. Here the required reachable services are the Onboarding Service (OBS), the IGEL License Portal (ILP), the IGEL App Portal and the Insight Service. These connections can go over a Proxy but must be configured in the UMS. A network component like a firewall with Deep Packet Inspection could result in connection problems.


UMS Endpoint Paths for Reverse Proxy Integration

The paths required for OS 12 device connections to the UMS (via a reverse proxy) are:

  • Root path: /device-connector/device/*

  • Detailed paths:

    • /device-connector/device/ws-connect

    • /device-connector/device/portforwarding

    • /device-connector/device/.well-known/est/*

  • App proxy path: /ums-appproxy/*

The device communication is always TLSv1.3.

 

In case the UMS Web App should be used via a reverse proxy, the following paths are required:

  • /wums-app/*

  • /webapp/*

The device communication is TLSv1.2 or TLSv1.3.