How to secure communication of mobile/roaming users using Secure Gateway Server?
Description
This document explains the steps involved in securing the communication of roaming users using Secure Gateway Server. Secure Gateway Server can be used when roaming agents (on mobile devices and desktops) and probes access the server through the internet. It prevents the RMM Central Server from being exposed directly to the internet by serving as an intermediate server between the RMM Central server, roaming agents and probes. This keeps the RMM Central Server protected from the risks and threats of attacks.
Click here to know in detail about re-establishing the communication between Distribution Server, Agents & Probes and Central Server.
How does Secure Gateway work?
RMM Central Secure Gateway Server is a component that will be exposed to the internet. This Secure Gateway Server acts as an intermediate server between the managed roaming agents, probes and the RMM Central server. All communications from the roaming agents and probes are routed through the Secure Gateway. When an agent or probe tries to contact the RMM Central server, the Secure Gateway server receives the communication and redirects it to the RMM Central Server.
Note: Map your Secure Gateway's public IP address and the RMM Central server's private IP address to a common FQDN in your respective DNS. For example, if your FQDN is "product.server.com", map this to both your Secure Gateway and RMM Central server IP addresses. With this mapping, the WAN agents of roaming users and probes access the RMM Central server via the Secure Gateway (using the internet), and the agents within the LAN reach the RMM Central server directly, leading to quicker resolution.
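One way to check the mapping in the note above is to resolve the FQDN against the internal DNS server and against a public resolver and compare the answers. This is an added example, not part of the product documentation; the DNS server addresses are placeholders, and it assumes the RMM Central server's private IP is in an RFC 1918 range.

```powershell
# Added example: verify the split-DNS mapping from the note above.
# Values below are placeholders (assumptions); replace them with your own.
$Fqdn        = 'product.server.com'  # example FQDN from this page
$InternalDns = '10.0.0.53'           # hypothetical LAN DNS server
$PublicDns   = '1.1.1.1'             # a public resolver, as seen by WAN agents

function Test-PrivateIPv4 {
    # True when the address is in an RFC 1918 range.
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b.Length -ne 4) { return $false }
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-ARecord {
    # IPv4 addresses that one specific DNS server returns for the name.
    param([string]$Name, [string]$Server)
    Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } |
        ForEach-Object { $_.IPAddress }
}

$lan = @(Get-ARecord -Name $Fqdn -Server $InternalDns)
$wan = @(Get-ARecord -Name $Fqdn -Server $PublicDns)

$findings = @()
if ($lan.Count -eq 0) { $findings += 'LAN view: no A record returned' }
if ($wan.Count -eq 0) { $findings += 'WAN view: no A record returned' }
foreach ($ip in $lan) {
    if (-not (Test-PrivateIPv4 $ip)) {
        $findings += "LAN view returns public address $ip (expected the server's private IP)"
    }
}
foreach ($ip in $wan) {
    if (Test-PrivateIPv4 $ip) {
        $findings += "WAN view leaks private address $ip (expected the gateway's public IP)"
    }
}

"LAN view: $($lan -join ', ')"
"WAN view: $($wan -join ', ')"
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'Split DNS matches the mapping described above.' }
```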
Software requirements for Secure Gateway Server
You can install Secure Gateway Server on any of these Windows operating system versions:
- Windows 7
- Windows 8
- Windows 8.1
- Windows 10
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
Hardware requirements for Secure Gateway Server
The hardware requirements for Secure Gateway Server include the following:
1 to 250 computers
| Server | Parameter | Requirement |
|---|---|---|
| Secure Gateway Server | Processor information | Intel Core i3 (2 core/4 thread) 2.0 GHz 3 MB cache |
| | RAM size | 4 GB |
| | Hard disk space | 50 GB* |
| Network requirement | Network card speed | Minimum 1 Gbps Network Interface Card (NIC) |
| | Bandwidth | Minimum 1 Mbps (T1 connection) |
* May increase dynamically according to the frequency of scanning
251 to 500 computers
| Server | Parameter | Requirement |
|---|---|---|
| Secure Gateway Server | Processor information | Intel Core i3 (2 core/4 thread) 2.4 GHz 3 MB cache |
| | RAM size | 4 GB |
| | Hard disk space | 50 GB* |
| Network requirement | Network card speed | Minimum 1 Gbps Network Interface Card (NIC) |
| | Bandwidth | Minimum 1 Mbps (T1 connection) |
* May increase dynamically according to the frequency of scanning
501 to 1000 computers
| Server | Parameter | Requirement |
|---|---|---|
| Secure Gateway Server | Processor information | Intel Core i3 (2 core/4 thread) 2.9 GHz 3 MB cache |
| | RAM size | 4 GB |
| | Hard disk space | 50 GB* |
| Network requirement | Network card speed | Minimum 1 Gbps Network Interface Card (NIC) |
| | Bandwidth | Minimum 1 Mbps (T1 connection) |
* May increase dynamically according to the frequency of scanning
1001 to 3000 computers
| Server | Parameter | Requirement |
|---|---|---|
| Secure Gateway Server | Processor information | Intel Core i5 (4 core/8 thread) 2.3 GHz |
| | RAM size | 8 GB |
| | Hard disk space | 50 GB* |
| Network requirement | Network card speed | Minimum 1 Gbps Network Interface Card (NIC) |
| | Bandwidth | Minimum 1 Mbps (T1 connection) |
* May increase dynamically according to the frequency of scanning
3001 to 5000 computers
| Server | Parameter | Requirement |
|---|---|---|
| Secure Gateway Server | Processor information | Intel Core i7 (6 core/12 thread) 3.2 GHz |
| | RAM size | 8 GB |
| | Hard disk space | 50 GB* |
| Network requirement | Network card speed | Minimum 1 Gbps Network Interface Card (NIC) |
| | Bandwidth | Minimum 1 Mbps (T1 connection) |
* May increase dynamically according to the frequency of scanning
5001 to 10000 computers
| Server | Parameter | Requirement |
|---|---|---|
| Secure Gateway Server | Processor information | Intel Xeon E5 (8 core/16 thread) 2.6 GHz |
| | RAM size | 16 GB |
| | Hard disk space | 50 GB* |
| Network requirement | Network card speed | Minimum 1 Gbps Network Interface Card (NIC) |
| | Bandwidth | Minimum 1 Mbps (T1 connection) |
* May increase dynamically according to the frequency of scanning
10001 to 15000 computers
| Server | Parameter | Requirement |
|---|---|---|
| Secure Gateway Server | Processor information | Intel Xeon E5 (12 core/24 thread) 2.7 GHz |
| | RAM size | 32 GB |
| | Hard disk space | 50 GB* |
| Network requirement | Network card speed | Minimum 1 Gbps Network Interface Card (NIC) |
| | Bandwidth | Minimum 1 Mbps (T1 connection) |
* May increase dynamically according to the frequency of scanning
15001 to 20000 computers
| Server | Parameter | Requirement |
|---|---|---|
| Secure Gateway Server | Processor information | Intel Xeon E5 (14 core/28 thread) 2.7 GHz |
| | RAM size | 32 GB |
| | Hard disk space | 50 GB* |
| Network requirement | Network card speed | Minimum 1 Gbps Network Interface Card (NIC) |
| | Bandwidth | Minimum 1 Mbps (T1 connection) |
* May increase dynamically according to the frequency of scanning
20001 to 25000 computers
| Server | Parameter | Requirement |
|---|---|---|
| Secure Gateway Server | Processor information | Intel Xeon E5 (16 core/32 thread) 3.0 GHz |
| | RAM size | 32 GB |
| | Hard disk space | 50 GB* |
| Network requirement | Network card speed | Minimum 1 Gbps Network Interface Card (NIC) |
| | Bandwidth | Minimum 1 Mbps (T1 connection) |
* May increase dynamically according to the frequency of scanning
25001 to 30000 computers
| Server | Parameter | Requirement |
|---|---|---|
| Secure Gateway Server | Processor information | Intel Xeon E5 (16 core/32 thread) 3.0 GHz |
| | RAM size | 32 GB |
| | Hard disk space | 50 GB* |
| Network requirement | Network card speed | Minimum 1 Gbps Network Interface Card (NIC) |
| | Bandwidth | Minimum 1 Mbps (T1 connection) |
* May increase dynamically according to the frequency of scanning
For managing more than 30000 computers, contact RMM Central Support at rmmcentral-support@manageengine.com. We will customize the Secure Gateway Server setup based on your network.
Steps
To introduce Secure Gateway based communication to RMM Central, follow the steps given below:
- Modify RMM Central Settings
- Install and configure Secure Gateway
- Infrastructure recommendations
Modify RMM Central Settings
Configure NAT settings using the Secure Gateway's public FQDN/IP address.
- On the RMM Central Server Console, click on Admin tab -> General Settings -> NAT Settings
- Tick the checkbox to configure NAT settings for Secure Gateway Server.
- Add the FQDN of the Secure Gateway server against the Public FQDN under NAT device.
- Specify the port on which the Secure Gateway server is to be installed (i.e., 8091; it is recommended to use the same HTTPS port for SGS as the RMM Central Server in secured mode).
- Click on Save.
- In the popup that is shown, click on Yes, Proceed.
Install and configure Secure Gateway
- On the Secure Gateway Server page, under Configuration Steps, click on Download.
- Download and install Secure Gateway on a machine in the demilitarized zone (DMZ).
- Enter the following details in the Setting up the Secure Gateway window, which opens after the installation process:
  - Central Server Name: Specify the FQDN/DNS/IP address of the RMM Central server.
  - Https Port: Specify the port number that the mobile devices use to contact the RMM Central server (e.g., 8091).
  - Username & Password: Enter the credentials of an RMM Central user with administrative privileges.
- A list of ports that will be used for the Secure Gateway's communication will be displayed. Ensure that these ports are not occupied. (Note: All these ports must be ticked to ensure proper communication.)
- Click on Next and complete the installation.
Infrastructure recommendations
Ensure that you follow the steps given below:
- The Secure Gateway's public IP address with port 8091 (HTTPS) should be provided to the RMM Central server for accessibility verification.
- Configure the Secure Gateway so that it is reachable via the public IP/FQDN address configured in NAT settings. You can also configure the edge device/router so that all requests sent to the public IP/FQDN address are redirected to the RMM Central Secure Gateway.
- It is mandatory to use HTTPS communication.
- Ensure that the following ports are open on the firewall for the WAN agents to communicate with the RMM Central Secure Gateway.
| Port | Type | Purpose | Connection |
|---|---|---|---|
| 8091 | HTTPS | For communication between the WAN agent/Distribution Server and the RMM Central server using RMM Central Secure Gateway. | Inbound to Server |
| 8095 | TCP | To perform on-demand operations | Inbound to Server |
| 8096 | HTTPS | Web socket port used for remote control, chat, system manager etc. | Inbound to Server |
| 8096 | HTTPS | For transferring files | |
| 8111 | HTTPS | For communication between probe and the RMM Central server using RMM Central Secure Gateway. | Inbound to Server |
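Because the Secure Gateway is the internet-facing component, it is worth confirming that the ports in the table are actually listening and identifying every other listener that the perimeter firewall must keep closed. The following is an added example, not part of the product documentation; it is meant to be run on the Secure Gateway host, and the port list is copied from the table above.

```powershell
# Added example: compare TCP listeners on the Secure Gateway host with the
# ports in the table above. Run it on the gateway itself.
$Expected = 8091, 8095, 8096, 8111   # ports listed on this page

# Listeners bound to loopback only are not reachable from the network.
$listeners = @(Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' })
$listening = @($listeners | ForEach-Object { [int]$_.LocalPort } | Sort-Object -Unique)

$report = foreach ($port in ($Expected + $listening | Sort-Object -Unique)) {
    # Name the owning process so unexpected listeners can be traced.
    $owner = $listeners | Where-Object { $_.LocalPort -eq $port } | Select-Object -First 1
    $proc  = if ($owner) {
        (Get-Process -Id $owner.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    }

    $status = if ($port -notin $listening) {
        'MISSING: gateway port is not listening'
    } elseif ($port -in $Expected) {
        'OK: gateway port'
    } else {
        'REVIEW: not a gateway port, keep it closed on the perimeter firewall'
    }

    [pscustomobject]@{ Port = $port; Process = $proc; Status = $status }
}

$report | Format-Table -AutoSize
```

From a machine outside the network, `Test-NetConnection -ComputerName <gateway FQDN> -Port 8091` confirms that the NAT or edge-device redirection actually reaches the gateway.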
You have now secured communication between RMM Central server, WAN agents, probes and roaming users.