How to secure communication of mobile/roaming users using Secure Gateway Server?
Description
This document explains the steps involved in securing the communication of roaming users using Secure Gateway Server. Secure Gateway Server is used when roaming agents (on mobile devices and desktops) reach the server over the internet. It avoids exposing the Endpoint Central MSP Server directly to the internet by serving as an intermediate server between the Endpoint Central MSP server and the roaming agents, so that the only internet-facing component is the Secure Gateway and the Endpoint Central MSP Server itself is not reachable by untrusted clients.
How Secure Gateway works
The Endpoint Central MSP Secure Gateway Server is the component that is exposed to the internet. It acts as an intermediate server between the managed roaming agents and the Endpoint Central MSP server: all communication from roaming agents is routed through the Secure Gateway. When an agent contacts the Endpoint Central MSP server, the Secure Gateway receives the request and forwards it to the Endpoint Central MSP Server.
Note: Map your Secure Gateway's public IP address and the Endpoint Central MSP server's private IP address to a common FQDN in the respective DNS zones (public DNS for the Secure Gateway, internal DNS for the Endpoint Central MSP server). For example, if your FQDN is "product.server.com", map it to the Secure Gateway's public IP address in public DNS and to the Endpoint Central MSP server's private IP address in internal DNS. With this split mapping, the WAN agents of roaming users reach the Endpoint Central MSP server via the Secure Gateway (over the internet), while agents within the LAN reach the Endpoint Central MSP server directly, which gives faster resolution.
Software requirements for Secure Gateway Server
You can install Secure Gateway Server on any of these Windows operating system versions:
Windows 7
Windows 8
Windows 8.1
Windows 10
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server 2022
Note: Several of the older versions in this list (Windows 7, Windows 8, Windows 8.1, Windows Server 2008 and Windows Server 2008 R2) no longer receive security updates from Microsoft. Because the Secure Gateway is the component exposed to the internet, install it on a currently supported, fully patched version from this list.
Hardware requirements for Secure Gateway Server
The hardware requirements for Secure Gateway Server, by number of managed computers, are as follows:

Managed computers   Processor                                  RAM     Hard disk space   Network card speed
1001 to 3000        Intel Core i5 (4 core/8 thread) 2.3 GHz    8 GB    50 GB*            Minimum 1 Gbps Network Interface Card (NIC)
3001 to 5000        Intel Core i7 (6 core/12 thread) 3.2 GHz   8 GB    50 GB*            Minimum 1 Gbps NIC
5001 to 10000       Intel Xeon E5 (8 core/16 thread) 2.6 GHz   16 GB   50 GB*            Minimum 1 Gbps NIC
10001 to 15000      Intel Xeon E5 (12 core/24 thread) 2.7 GHz  32 GB   50 GB*            Minimum 1 Gbps NIC
15001 to 20000      Intel Xeon E5 (14 core/28 thread) 2.7 GHz  32 GB   50 GB*            Minimum 1 Gbps NIC
20001 to 25000      Intel Xeon E5 (16 core/32 thread) 3.0 GHz  32 GB   50 GB*            Minimum 1 Gbps NIC
25001 to 30000      Intel Xeon E5 (16 core/32 thread) 3.0 GHz  32 GB   50 GB*            Minimum 1 Gbps NIC

* Hard disk space may increase dynamically according to the frequency of scanning.
Above 30000 computers
For managing more than 30000 computers, contact Endpoint Central MSP support at msp-desktopcentral-support@manageengine.com. The Secure Gateway server setup will be customized based on your network.
Steps
To introduce Secure Gateway based communication to Endpoint Central MSP, follow the steps given below:
Modify Endpoint Central MSP Settings
Install and configure Secure Gateway
Infrastructure recommendations
Modify Endpoint Central MSP Settings
Enter the Secure Gateway's public FQDN/IP address instead of the Endpoint Central MSP server's IP address under Endpoint Central MSP server details while adding a remote office. This ensures that the WAN agents and the Distribution Server (DS) communicate with the Secure Gateway rather than directly with the Endpoint Central MSP server.
Enable secured communication (HTTPS) under DS/WAN agent to Endpoint Central MSP server communication.
Configure NAT settings using the Secure Gateway's public FQDN/IP address:
On the Endpoint Central MSP Server console, click Admin tab -> Server Settings -> NAT Settings.
Add the FQDN of the Secure Gateway server against Public FQDN under NAT device.
Install and configure Secure Gateway
Download and install Secure Gateway on a machine in the demilitarized zone (DMZ).
Enter the following details in the Setting up the Secure Gateway window, which opens after the installation completes:
Central Server Name: Specify the FQDN/DNS name/IP address of the Central server, or the virtual IP address if a Failover server is used.
Https Port: Specify the port number that mobile devices use to contact the Central server (for example 8041; it is recommended to use the same port, 8041 (HTTPS), for the Endpoint Central MSP Server in secured mode). The port can be modified as required.
Notification Server port: 8057 (used to perform on-demand operations); it can be modified as required.
Web Socket Port: 8047 (HTTPS); it can be modified as required.
Username & Password: Enter the credentials of an Endpoint Central MSP user with administrative privilege.
Infrastructure recommendations
Ensure that you follow the steps given below:
The Secure Gateway's public IP address with port 8383 (HTTPS) must be provided to the Endpoint Central MSP server so that it can verify that the Secure Gateway is reachable.
Configure the Secure Gateway so that it is reachable via the public IP address/FQDN configured in NAT settings. Alternatively, configure the edge device/router so that all requests sent to that public IP address/FQDN are forwarded to the Endpoint Central MSP Secure Gateway.
It is mandatory to use HTTPS communication.
Ensure that the following ports are open on the firewall for the WAN agents to communicate with the Endpoint Central MSP Secure Gateway:

Port   Type      Purpose                                                                                                                                  Connection
8041   HTTPS     Communication between the WAN agent/Distribution Server and the Endpoint Central MSP server via the Endpoint Central MSP Secure Gateway  Inbound to Secure Gateway
8057   TCP       On-demand operations such as inventory scanning, patch scanning, remote control, remote shutdown, and moving agents between remote offices  Inbound to Secure Gateway
8047   TCP SSL   Remote desktop sharing and associated tools                                                                                              Inbound to Secure Gateway
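The two things that most often go wrong in this setup are the split DNS mapping described in the note under "How Secure Gateway works" and the firewall ports listed above. The following script is an added example written for this page, not code shipped with Endpoint Central MSP: it validates the DNS answers seen from the internet and from the LAN against the intended mapping, and compares the ports observed open on the gateway's public address with the three the page requires, flagging both missing ports (agents cannot connect) and unexpected ones (needless exposure of the only internet-facing component). The FQDN "product.server.com", the gateway address 203.0.113.10 and the server address 10.20.0.5 are constructed sample values; the DNS answers in the main block are constructed too, standing in for what nslookup would return from each side.

```python
"""Pre-flight checks for a Secure Gateway deployment: split-horizon DNS and
port exposure. Added example for this page; not part of Endpoint Central
MSP. All hostnames and addresses are constructed sample values."""
import socket
from dataclasses import dataclass

# Ports the page requires inbound to the Secure Gateway for WAN agents.
GATEWAY_PORTS = {
    8041: "HTTPS: WAN agent/Distribution Server to server via the gateway",
    8057: "TCP: notification server for on-demand operations",
    8047: "TCP/SSL: web socket for remote desktop sharing",
}


@dataclass(frozen=True)
class Topology:
    fqdn: str               # common FQDN mapped in both DNS views
    gateway_public_ip: str  # what internet (WAN) agents must resolve
    server_private_ip: str  # what LAN agents must resolve


def check_split_dns(topo: Topology, answers: dict) -> list:
    """Validate the split DNS mapping.

    `answers` maps a vantage point ("internet" or "lan") to the set of A
    records returned for topo.fqdn from that vantage. Returns a list of
    findings; an empty list means the mapping is as intended.
    """
    findings = []
    internet = set(answers.get("internet", ()))
    lan = set(answers.get("lan", ()))
    if internet != {topo.gateway_public_ip}:
        findings.append(
            f"internet view of {topo.fqdn} must be exactly "
            f"{topo.gateway_public_ip}; got {sorted(internet) or 'nothing'}")
    if topo.server_private_ip in internet:
        findings.append(
            f"private address {topo.server_private_ip} is published in the "
            "internet view: roaming agents would try to bypass the gateway "
            "and the internal address leaks")
    if topo.server_private_ip not in lan:
        findings.append(
            f"LAN view of {topo.fqdn} does not include "
            f"{topo.server_private_ip}; LAN agents would go via the gateway")
    return findings


def check_gateway_exposure(open_ports: set, tolerated=frozenset()) -> list:
    """Compare ports observed open on the gateway's public IP (from an
    internet vantage) with the set the page requires. Missing required
    ports break agent communication; extra ports not in `tolerated`
    (e.g. a port deliberately opened only to the server's address) widen
    the attack surface of the internet-facing component."""
    findings = []
    for port, purpose in GATEWAY_PORTS.items():
        if port not in open_ports:
            findings.append(f"required port {port} closed ({purpose})")
    for port in sorted(open_ports - set(GATEWAY_PORTS) - set(tolerated)):
        findings.append(f"unexpected port {port} open on the gateway")
    return findings


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Live TCP probe, used when this script runs from an internet vantage."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    topo = Topology("product.server.com", "203.0.113.10", "10.20.0.5")
    # Constructed DNS answers standing in for lookups done from each side.
    dns_answers = {"internet": {"203.0.113.10"}, "lan": {"10.20.0.5"}}
    for line in check_split_dns(topo, dns_answers):
        print("DNS:", line)
    # Probe the gateway; assumes the script is run from outside the LAN.
    observed = {p for p in list(GATEWAY_PORTS) + [8383, 3389]
                if tcp_port_open(topo.gateway_public_ip, p)}
    for line in check_gateway_exposure(observed, tolerated={8383}):
        print("PORTS:", line)
```

Run the DNS check once with answers gathered from a roaming client and once from a LAN client; run the port check from a host outside your network, since the point is what the internet can reach. Port 8383, which the server uses to verify the gateway, is passed as tolerated here so that only genuinely unexpected listeners (such as 3389 in the probe list) are reported.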
You have now secured communication between Endpoint Central MSP server, WAN agents and roaming users.