Redirecting the Collector TCP channel

Overview

Because Engines are usually not accessible through the Internet, only the Collectors running on devices inside the corporate network or with VPN access can reach their assigned Engine. Thus, the Collectors of roaming devices without VPN access cannot directly communicate with their Engine.

To forward Collector traffic from the roaming devices to Engines, run the redirection service on an Appliance that has interfaces facing both the Internet and your corporate network. The redirection service, however, only forwards the UDP traffic of the Collector, that is, device information and end-user activity. Features such as automatic updates and the Engage and Act modules also require the TCP channel of the Collector to be fully functional.

Thus, to enable Engage, Act and automatic updates on roaming devices, additionally install a reverse proxy on the same Appliance that runs the redirection service. Follow the procedure below to install the popular web server nginx on an Engine Appliance and configure it as a reverse proxy for the TCP channel of the Collector.

As a prerequisite, remember that roaming devices can only reach their assigned Engine both inside and outside the corporate network if the Engine name configured in the Collector is also valid for the redirection Appliance when the device is on the Internet. Please contact Customer Success Services for guidance on configuring the DNS service for that purpose.

Installing nginx in the Engine Appliance

In this section, we assume that you have an Engine Appliance up and running that is used exclusively for redirection, with the Engine service stopped.

To install nginx in this redirection Appliance:

  1. Log in to the CLI of the Appliance.
  2. Install the nginx package:
    • If the Appliance is connected to the Internet, type in:
    sudo yum install nginx
    • Alternatively, if the Appliance was installed without connection to the Internet and it still holds the offline install package:
      1. Extract the rpm of nginx from the offline install package (replace the x by the exact version of the package):
        tar xvzf Nexthink-offline-install-6.x.tgz --wildcards Packages/nginx*
      2. Install the rpm:
        sudo yum install Packages/nginx*

Transfer TLS certificates and private key to the redirection Appliance

To secure the connection between the Collectors and nginx, copy the certificates and private key that protect the TCP channel of the Engines to the redirection Appliance (the certificate and key files are named in the same way as in the article on replacing certificates):

  1. Copy the certificate and key files to the redirection Appliance:
    • If you are using a custom certificate to protect the TCP connection between Collectors and Engines:
      1. Copy the server certificate (slave.crt), the intermediate certificate or chain of certificates (intermediate.crt), if any, and the private key (slave.key), all in PEM format, to the nexthink account of the redirection Appliance using your favorite SCP tool.
      2. Log in to the CLI of the redirection Appliance.
      3. Concatenate the server and intermediate certificates. If you do not have an intermediate certificate, the command prints a warning about the missing file that you can safely ignore:
        cat slave.crt intermediate.crt > bundle.crt
    • If you are using the default certificates generated by the Appliance:
      1. Log in to the CLI of the Engine.
      2. Export the keystore of the Engine that holds the certificates and key protecting the TCP channel to PKCS12 format:
        keytool -importkeystore \
        -srckeystore /var/nexthink/keystore.jks \
        -destkeystore certs_key.p12 -deststoretype PKCS12
        When prompted for the destination keystore password and for the source keystore password, always type in nexthink.
      3. Get the bundle of certificate files and the private key from the keystore. Provide nexthink as password to each command:
        openssl pkcs12 -in certs_key.p12 -nokeys -out bundle.crt
        openssl pkcs12 -in certs_key.p12 -nocerts -nodes -out slave.key
      4. Strip the additional attributes that openssl writes into the files (the Bag Attributes headers), keeping only the PEM blocks of the certificates and the key:
        sed -ni -e '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' bundle.crt
        sed -ni -e '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' slave.key
      5. Copy the certificate and key files to the redirection Appliance using your favorite SCP tool.
      6. Log in to the CLI of the redirection Appliance.
  2. Change the permissions of the certificate and key files:
    sudo chmod 444 bundle.crt
    sudo chmod 400 slave.key
  3. Move the certificate and key files to a standard location:
    sudo mv bundle.crt /etc/pki/tls/certs
    sudo mv slave.key /etc/pki/tls/private

Depending on how you configured your DNS for Collectors to reach both their assigned Engine and the redirection Appliance, your certificates may need to be issued to multiple subjects. For default certificates, you can specify multiple subjects when setting the external names of the Engine. Please contact Customer Success Services if you need guidance on DNS configuration.

Configuring nginx as WebSocket reverse proxy

The TCP channel of the Collector actually uses WebSocket as its application-level protocol. To configure nginx as a reverse proxy for the WebSocket protocol and thus redirect the TCP traffic of the Collector:

  1. Log in to the CLI of the Appliance.
  2. Create an additional configuration file for nginx. The name is not important as long as the extension is .conf:
    sudo vi /etc/nginx/conf.d/nxcollector-ws.conf
  3. Press i and insert the content detailed below.
  4. Press Esc to stop inserting text.
  5. Type in the sequence :wq and press Enter to save the changes and exit the editor.

The content of the configuration file should look like this:

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream wsengine {
    server {Engine_Private_IP}:8443;
}

server {
    listen {Redirection_Appliance_IP}:8443 ssl;
    server_name {DNS_FQDN};

    ssl_certificate /etc/pki/tls/certs/bundle.crt;
    ssl_certificate_key /etc/pki/tls/private/slave.key;

    location / {
        proxy_pass https://wsengine;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 1w;
    }
}


Substitute the following placeholders with actual values:

{Engine_Private_IP}
The IP address of the Engine as seen from inside the corporate network.
{Redirection_Appliance_IP}
The IP address of the redirection Appliance as seen from the Internet.
{DNS_FQDN}
The Fully Qualified Domain Name of the redirection Appliance on the Internet, as registered in the DNS.

Redirecting traffic to more than one Engine

The procedure described above configures the redirection of one Engine only. To redirect TCP traffic to more than one Engine, repeat the following steps with the indicated variations:

  1. Transfer the TLS certificates and private key of that Engine to the redirection Appliance.
    • Use different names for the certificate and private key files of each Engine to avoid overwriting the files of other Engines.
  2. For each redirected Engine, add new upstream and server blocks to the configuration file with the following changes.
    • To multiplex the traffic, assign a different port number to each additional Engine. This requires you to change the default port number for the TCP channel (8443) on each additional Engine that needs traffic redirection.
    • For instance, to redirect another Engine through port 9443, add a new upstream block indicating the new port in the server directive,
    • and a new server block that uses port 9443 in the listen directive, points to the certificate and key of the added Engine with the ssl_certificate and ssl_certificate_key directives, and references the new upstream in the location block.

That is, add the following or similar lines to the configuration file for nginx:

upstream wsengine2 {
    server {Engine_Private_IP}:9443;
}

server {
    listen {Redirection_Appliance_IP}:9443 ssl;
    server_name {DNS_FQDN};

    ssl_certificate /etc/pki/tls/certs/bundle2.crt;
    ssl_certificate_key /etc/pki/tls/private/slave2.key;

    location / {
        proxy_pass https://wsengine2;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 1w;
    }
}
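As an added example that is not part of this article or of the Nexthink product, the following Python script checks an nginx configuration written for the WebSocket redirection above, covering both the single-Engine file and the per-Engine server blocks of this section: it reports directives that swallow the following lines because a ';' was dropped, a listen port reused by two server blocks, and a location block that lacks the proxy_http_version or Upgrade/Connection settings the WebSocket handshake needs. The IP addresses and host name in the embedded sample are constructed.

```python
import re

def parse(text):
    """Parse nginx syntax into (name, args, children) tuples; children is None for a plain directive."""
    toks = re.findall(r"'[^']*'|\"[^\"]*\"|[{};]|[^\s{};]+", re.sub(r"#.*", "", text))
    def block(i):
        items, cur = [], []
        while i < len(toks) and toks[i] != "}":
            t, i = toks[i], i + 1
            if t in ";{":  # ';' closes a directive, '{' opens a nested block
                kids, i = block(i) if t == "{" else (None, i)
                items.append((cur[0], cur[1:], kids)); cur = []
            else:
                cur.append(t)
        return items, i + 1  # step over the closing '}'
    return block(0)[0]

def check(text):
    """List the mistakes that would break Collector WebSocket redirection through this config."""
    top, ports, problems = parse(text), set(), []
    for _, _, kids in (x for x in top if x[0] == "server"):
        flat = kids + [x for _, _, c in kids if c for x in c]  # also look inside location {}
        d = {name: (args, c) for name, args, c in flat}
        port = d.get("listen", ([""], None))[0][0].rsplit(":", 1)[-1]
        note = lambda msg: problems.append(f"port {port}: {msg}")
        if port in ports:  # each redirected Engine needs its own listen port
            note("listen port already used by another server block")
        ports.add(port)
        for name in ("ssl_certificate", "ssl_certificate_key", "proxy_pass"):
            args, c = d.get(name, (None, None))
            if args is None:
                note(f"{name} directive missing")
            elif len(args) != 1 or c is not None:  # a dropped ';' makes nginx read the next lines as arguments
                note(f"{name} has {len(args)} arguments, expected 1 (dropped ';'?)")
        if d.get("proxy_http_version", ([],))[0] != ["1.1"]:
            note("proxy_http_version 1.1 is required for the WebSocket Upgrade handshake")
        if not {"Upgrade", "Connection"} <= {a[0] for n, a, _ in flat if n == "proxy_set_header" and a}:
            note("Upgrade and Connection headers are not forwarded")
    return problems

# Constructed sample: the article's configuration with its placeholders filled in (values invented here).
GOOD = """map $http_upgrade $connection_upgrade { default upgrade; '' close; }
upstream wsengine { server 10.0.0.5:8443; }
server { listen 203.0.113.10:8443 ssl; server_name collector.example.com;
    ssl_certificate /etc/pki/tls/certs/bundle.crt; ssl_certificate_key /etc/pki/tls/private/slave.key;
    location / { proxy_pass https://wsengine; proxy_http_version 1.1; proxy_read_timeout 1w;
        proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; } }"""
BAD = GOOD.replace("bundle.crt;", "bundle.crt").replace("slave.key;", "slave.key")  # the two dropped ';'
```

Running check on GOOD returns an empty list, while BAD reports that ssl_certificate took five arguments and that ssl_certificate_key is missing, which is how nginx -t would also see the file; appending a second server block for another Engine is accepted only when it listens on its own port.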