Redirecting the Collector TCP channel

Overview

Because Engines are usually not accessible through the Internet, only the Collectors running on devices inside the corporate network or with VPN access can reach their assigned Engine. Thus, the Collectors of roaming devices without VPN access cannot directly communicate with their Engine.

To forward Collector traffic from roaming devices to Engines, run the redirection service on an Appliance with one interface facing the Internet and another facing your corporate network. The redirection service, however, forwards only the UDP traffic of the Collector, that is, device information and end-user activity. Features such as automatic updates and the Engage and Act modules also require the TCP channel of the Collector to be fully functional.

Thus, to enable Engage, Act and automatic updates on roaming devices, set up a reverse proxy on the same Appliance that runs the redirection service. The Engine Appliance already includes a version of the popular web server nginx that you can configure as a reverse proxy for the TCP channel of the Collector.

As a prerequisite, remember that roaming devices can only reach their assigned Engine both inside and outside the corporate network if the Engine name configured in the Collector also resolves to the redirection Appliance when the device is on the Internet (split-horizon DNS). Please contact Customer Success Services for guidance on configuring the DNS service for that purpose.

Running nginx on the Engine Appliance

To redirect the TCP channel of the Collector, we assume that you already have an Engine Appliance up and running on which the Engine service has been stopped, so that the Appliance is used exclusively for redirecting Collector traffic.

Ensure that nginx is running on your redirection Appliance by logging in to the CLI of the Appliance and running the following command:

sudo systemctl status nginx

If the service is not running, first enable it with the following command to make nginx start on every boot of the Appliance:

sudo systemctl enable nginx

Start the service after configuring it appropriately, as shown in the instructions below.

Transfer TLS certificates and private key to the redirection Appliance

To secure the connection between the Collectors and nginx, copy the certificates and private key that protect the TCP channel of the Engines to the redirection Appliance (the certificate and key files are named in the same way as in the article on replacing certificates):

  1. Copy the certificate and key files to the redirection Appliance:
    • If you are using a custom certificate to protect the TCP connection between Collectors and Engines:
      1. Copy the server certificate (slave.crt), the intermediate certificate or chain of certificates (intermediate.crt), if any, and the private key (slave.key), all in PEM format, to the nexthink account of the redirection Appliance using your favorite SCP tool.
      2. Log in to the CLI of the redirection Appliance.
      3. Concatenate the server and intermediate certificates, server certificate first (nginx expects the chain in that order). If you do not have an intermediate certificate, cat reports that the file does not exist; you can safely ignore that message, and bundle.crt then contains the server certificate alone:
        cat slave.crt intermediate.crt > bundle.crt
    • If you are using the default certificates generated by the Appliance:
      1. Log in to the CLI of the Engine.
      2. Export the keystore of the Engine that holds the certificates and key protecting the TCP channel to a PKCS#12 file:
        keytool -importkeystore \
        -srckeystore /var/nexthink/nxproxy/keystore/keystore.jks \
        -destkeystore certs_key.p12 -deststoretype PKCS12
        When prompted for the destination keystore password and for the source keystore password, always type in nexthink.
      3. Extract the bundle of certificates and the unencrypted private key from the PKCS#12 file. Provide nexthink as the password to each command:
        openssl pkcs12 -in certs_key.p12 -nokeys -out bundle.crt
        openssl pkcs12 -in certs_key.p12 -nocerts -nodes -out slave.key
      4. Strip the Bag Attributes, subject= and issuer= lines that openssl adds, keeping only the PEM blocks:
        sed -ni -e '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' bundle.crt
        sed -ni -e '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' slave.key
      5. Copy the certificate and key files to the redirection Appliance using your favorite SCP tool.
      6. Log in to the CLI of the redirection Appliance.
  2. Restrict the permissions of the certificate and key files (nginx reads the private key as root at startup, so nobody else needs read access to it):
    sudo chmod 444 bundle.crt
    sudo chmod 400 slave.key
  3. Move the certificate and key files to a standard location:
    sudo mv bundle.crt /etc/pki/tls/certs
    sudo mv slave.key /etc/pki/tls/private
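Before pointing nginx at the files, it is worth checking offline that bundle.crt and slave.key are in the shape nginx expects: no leftover Bag Attributes lines, the server certificate first followed by its issuer in order, and exactly one unencrypted private key. The following Python script is an added example, not Nexthink's own tooling. The certificates it checks itself against are constructed, unsigned X.509 shells built inline (placeholder names engine.example.com, Example Issuing CA, Example Root CA) so the script runs without real key material; pass it two file paths to check a real pair.

```python
"""Sanity-check bundle.crt / slave.key before handing them to nginx (added example).

Checks: no text outside PEM blocks (pkcs12 attributes), chain ordered server
certificate first, exactly one unencrypted private key. Test certs are constructed.
"""
import base64
import re
import sys
import textwrap

_PEM = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)-----END \1-----", re.S)


def _tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, content, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed test certificates."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def pem_blocks(text, label):
    """DER bytes of every PEM block carrying the given label, in file order."""
    return [base64.b64decode("".join(m.group(2).split()))
            for m in _PEM.finditer(text) if m.group(1) == label]


def clean_pem(text, label):
    """Equivalent of the sed step above: keep only the BEGIN/END blocks of one label."""
    return "".join(m.group(0) + "\n" for m in _PEM.finditer(text) if m.group(1) == label)


def cert_names(der):
    """(issuer, subject) of an X.509 certificate as raw DER, read from tbsCertificate."""
    _, cert, _ = _tlv(der)                 # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert)                 # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs)
    if tag != 0xA0:                        # v1 certificates omit the [0] version field
        pos = 0
    _, _, pos = _tlv(tbs, pos)             # serialNumber
    _, _, pos = _tlv(tbs, pos)             # signature AlgorithmIdentifier
    start = pos
    _, _, pos = _tlv(tbs, pos)             # issuer Name
    issuer = tbs[start:pos]
    _, _, pos = _tlv(tbs, pos)             # validity
    start = pos
    _, _, pos = _tlv(tbs, pos)             # subject Name
    return issuer, tbs[start:pos]


def check_pair(bundle_text, key_text):
    """Return a list of problems; an empty list means nginx should accept the pair."""
    problems = []
    if _PEM.sub("", bundle_text).strip():
        problems.append("bundle.crt has text outside PEM blocks (pkcs12 Bag Attributes?)")
    certs = pem_blocks(bundle_text, "CERTIFICATE")
    if not certs:
        problems.append("bundle.crt holds no CERTIFICATE block")
    names = [cert_names(c) for c in certs]
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:   # issuer of cert i must be subject of cert i+1
            problems.append(f"certificate {i + 1} does not issue certificate {i}: "
                            "order must be server certificate first, then intermediates")
    if _PEM.sub("", key_text).strip():
        problems.append("slave.key has text outside PEM blocks (pkcs12 attributes?)")
    keys = [m.group(1) for m in _PEM.finditer(key_text) if m.group(1).endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(f"slave.key must hold exactly one private key, found {len(keys)}")
    elif keys[0].startswith("ENCRYPTED"):
        problems.append("slave.key is passphrase-protected; nginx cannot prompt at boot (use -nodes)")
    return problems


def _name(cn):
    """X.501 Name with a single commonName (OID 2.5.4.3) UTF8String attribute."""
    attr = _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, attr))


def fake_cert(subject_cn, issuer_cn):
    """Constructed, unsigned X.509 v3 shell (test data only) with enough structure for cert_names()."""
    alg = _der(0x30, bytes.fromhex("06092a864886f70d01010b"))        # sha256WithRSAEncryption OID
    validity = _der(0x30, _der(0x17, b"250101000000Z") + _der(0x17, b"260101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + _der(0x30, b""))
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00"))
    body = "\n".join(textwrap.wrap(base64.b64encode(cert).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


LEAF = fake_cert("engine.example.com", "Example Issuing CA")         # placeholder names
INTERMEDIATE = fake_cert("Example Issuing CA", "Example Root CA")
# What `openssl pkcs12 -nokeys` / `-nocerts -nodes` print before the sed clean-up (constructed):
RAW_BUNDLE = ("Bag Attributes\n    friendlyName: slave\nsubject=CN = engine.example.com\n"
              "issuer=CN = Example Issuing CA\n" + LEAF +
              "Bag Attributes: <No Attributes>\nsubject=CN = Example Issuing CA\n"
              "issuer=CN = Example Root CA\n" + INTERMEDIATE)
RAW_KEY = ("Bag Attributes\n    friendlyName: slave\nKey Attributes: <No Attributes>\n"
           "-----BEGIN PRIVATE KEY-----\n" + base64.b64encode(b"placeholder, not a key").decode()
           + "\n-----END PRIVATE KEY-----\n")

if __name__ == "__main__":
    if len(sys.argv) == 3:                                   # usage: script.py bundle.crt slave.key
        bundle, key = (open(p).read() for p in sys.argv[1:3])
    else:                                                    # fall back to the constructed sample
        bundle, key = clean_pem(RAW_BUNDLE, "CERTIFICATE"), clean_pem(RAW_KEY, "PRIVATE KEY")
    for line in check_pair(bundle, key) or ["OK: bundle and key look usable by nginx"]:
        print(line)
```

The chain-order check compares the raw DER of each certificate's issuer with the next certificate's subject, which is what nginx's TLS library does when it builds the chain it sends to clients; a bundle with the intermediate first is a frequent cause of Collectors rejecting the redirection Appliance even though the files look fine.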

Depending on how you configured your DNS for Collectors to reach both their assigned Engine and the redirection Appliance, your certificates may need to be issued for multiple subject names (the Engine name as seen from the corporate network and the name of the redirection Appliance on the Internet). For default certificates, multiple subjects can be specified when setting the external names of the Engine. Please contact Customer Success Services if you need guidance on DNS configuration.

Configuring nginx as WebSocket reverse proxy

The TCP channel of the Collector actually uses WebSocket as its application-level protocol, so nginx must forward the HTTP Upgrade handshake rather than treat the connection as an ordinary request. To configure nginx as a reverse proxy for WebSocket and thus redirect TCP Collector traffic, the Appliance includes an additional folder for Nexthink-related configuration:

  1. Log in to the CLI of the Appliance.
  2. Create an additional configuration file for nginx in the folder reserved by the Appliance. The name is not important as long as the extension is .conf:
    sudo vi /var/nexthink/nxnginx/conf.d/nxcollector-ws.conf
  3. Press i and insert the content detailed below.
  4. Press Esc to stop inserting text.
  5. Type in the sequence :wq and press Enter to save the changes and exit the editor.
  6. Stop and disable the Engine's proxy service (nxproxy) on the redirection Appliance; it listens on the same port as the nginx server block and would otherwise interfere with the redirection of the TCP channel:
    sudo systemctl stop nxproxy
    sudo systemctl disable nxproxy
  7. Restart nginx:
    sudo systemctl restart nginx

The content of the configuration file should look like this:

# Derive the Connection header sent upstream from the client's Upgrade header:
# WebSocket handshakes get "Connection: upgrade", plain requests get "close".
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# The Engine's Collector TCP channel, reachable only from the corporate network.
upstream wsengine {
    server {Engine_Private_IP}:8443;
}

server {
    # Internet-facing listener, bound to the external address only.
    listen {Redirection_Appliance_IP}:8443 ssl;
    server_name {DNS_FQDN};

    # Certificate chain and private key copied from the Engine (see above).
    ssl_certificate /etc/pki/tls/certs/bundle.crt;
    ssl_certificate_key /etc/pki/tls/private/slave.key;

    location / {
        proxy_pass https://wsengine;
        # WebSocket needs HTTP/1.1 and the hop-by-hop Upgrade and Connection
        # headers, which nginx does not forward unless told to.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # Keep idle Collector sessions open for up to a week instead of the
        # default 60 seconds.
        proxy_read_timeout 1w;
    }
}

Replace the following placeholders with actual values:

{Engine_Private_IP}
The IP address of the Engine as seen from inside the corporate network.
{Redirection_Appliance_IP}
The IP address of the redirection Appliance as seen from the Internet.
{DNS_FQDN}
The Fully Qualified Domain Name of the redirection Appliance on the Internet, as registered in the DNS.

If you changed the default port for the TCP channel, also replace the port number 8443 with your own. Note that nginx does not verify the certificate of the Engine on the upstream connection unless you set proxy_ssl_verify on and point proxy_ssl_trusted_certificate at the CA that issued it; with the configuration above, only the Collector-to-nginx leg is authenticated.
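A quick way to confirm that the redirection Appliance really forwards the WebSocket handshake (and not just TLS) is to open a TLS connection to it, send an RFC 6455 upgrade request and check for a 101 reply with the correct Sec-WebSocket-Accept value. The following Python probe is an added example, not a Nexthink tool: the request path "/" and the host name redirect.example.com are assumptions, and the CA file argument is needed only when the Engine uses the default self-signed certificates. A 101 proves the whole path through nginx to nxproxy; a 502 or a TLS failure points at the proxy or the upstream block.

```python
"""Probe a redirection Appliance: does nginx forward the Collector's WebSocket upgrade?

Added example. Host, port and path are assumptions; the 101 check follows RFC 6455.
"""
import base64
import hashlib
import os
import socket
import ssl
import sys

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # RFC 6455 handshake constant


def build_upgrade_request(host, port, path="/", key=None):
    """Return the client half of an RFC 6455 handshake and the nonce it used."""
    key = key or base64.b64encode(os.urandom(16)).decode()
    req = (f"GET {path} HTTP/1.1\r\n"
           f"Host: {host}:{port}\r\n"
           "Upgrade: websocket\r\n"
           "Connection: Upgrade\r\n"
           f"Sec-WebSocket-Key: {key}\r\n"
           "Sec-WebSocket-Version: 13\r\n\r\n")
    return req.encode(), key


def expected_accept(key):
    """Sec-WebSocket-Accept value the server must return for a given client key."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()


def parse_upgrade_response(raw, key):
    """Return (status_code, upgraded); upgraded is True only for a valid 101 answer."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return 0, False                       # not an HTTP status line at all
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    upgraded = (status == 101
                and headers.get("upgrade", "").lower() == "websocket"
                and "upgrade" in headers.get("connection", "").lower()
                and headers.get("sec-websocket-accept") == expected_accept(key))
    return status, upgraded


def probe(host, port=8443, path="/", cafile=None, timeout=5.0):
    """Open TLS to the redirection Appliance, send the handshake and classify the reply."""
    ctx = ssl.create_default_context(cafile=cafile)   # cafile: CA of the default Engine certs
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            req, key = build_upgrade_request(host, port, path)
            tls.sendall(req)
            raw = tls.recv(4096)
    return parse_upgrade_response(raw, key)


if __name__ == "__main__":
    # usage: probe.py [host] [port] [cafile]; defaults are placeholders
    host = sys.argv[1] if len(sys.argv) > 1 else "redirect.example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    status, ok = probe(host, port, cafile=cafile)
    print(f"{host}:{port} -> HTTP {status}, websocket upgrade {'OK' if ok else 'FAILED'}")
```

Run the probe once per redirected Engine, using the port of each server block; if the TLS handshake fails with a name mismatch, the certificate bundle does not cover the name the Collectors will use (see the DNS note above).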

Redirecting traffic to more than one Engine

The procedure described above configures the redirection of one Engine only. To redirect TCP traffic to more than one Engine, repeat the following steps with the indicated variations:

  1. Transfer the TLS certificates and private key of that Engine to the redirection Appliance.
    • Use different names for the certificate and private key files of each Engine to avoid overwriting the files of other Engines.
  2. For each redirected Engine, add a new upstream block and a new server block to the configuration file with the following changes.
    • Because the redirection Appliance multiplexes Engines by port, assign a different port number to each additional Engine. This requires you to change the default port number of the TCP channel (8443) on each additional Engine that needs traffic redirection, so that its Collectors connect to that port both inside and outside the corporate network.
    • For instance, to redirect another Engine through port 9443, add a new upstream block indicating the new port in the server directive.
    • And a new server block that uses port 9443 in the listen directive, points to the certificate and key of the added Engine with the ssl_certificate and ssl_certificate_key directives, and references the new upstream in the location block.
  3. If you have not done so already, stop and disable the Engine's proxy service (nxproxy) on the redirection Appliance to avoid interference with the redirection of the TCP channel:
    sudo systemctl stop nxproxy
    sudo systemctl disable nxproxy
  4. Restart nginx:
    sudo systemctl restart nginx

That is, add the following or similar lines to the configuration file for nginx. The map block defined for the first Engine is shared by all server blocks and must appear only once in the file:

# Second Engine: its TCP channel has been moved to port 9443.
upstream wsengine2 {
    server {Engine_Private_IP}:9443;
}

server {
    # Same external address, distinct port per redirected Engine.
    listen {Redirection_Appliance_IP}:9443 ssl;
    server_name {DNS_FQDN};

    # Certificate chain and key of the second Engine (distinct file names).
    ssl_certificate /etc/pki/tls/certs/bundle2.crt;
    ssl_certificate_key /etc/pki/tls/private/slave2.key;

    location / {
        proxy_pass https://wsengine2;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 1w;
    }
}