How to secure communication of mobile/roaming users using Secure Gateway Server?
Description
Secure Gateway Server can be used when roaming agents (on the mobile devices and desktops) access the server through internet. It prevents the exposure of the Server directly to the internet by serving as an intermediate server between the product server and roaming agents. This ensures that the product Server is secure from risks and threats of vulnerable attacks.
How Secure Gateway works?
Secure Gateway Server is a component that will be exposed to the internet. This Secure Gateway Server acts as an intermediate server between the managed roaming agents and the ManageEngine server. All communications from the roaming agents will be navigated through the Secure Gateway. When the agent tries to contact the ManageEngine server, Secure Gateway server receives all the communications and redirects to the ManageEngine server.
Note: Map your Secure Gateway's public IP address and UEMS Central server's private IP address to a common FQDN in your respective DNS. For example, if your FQDN is "product.server.com", map this to both your Secure Gateway and UEMS Central server IP address. By this mapping, the agents of roaming users will access UEMS Central server via Secure Gateway (using internet) and the agents within the LAN network will directly reach UEMS Central server, hence leading to quicker resolution.
Software requirements of Secure Gateway Server
You can install Secure Gateway Server on any of these Windows operating system versions:
- Windows 7
- Windows 8
- Windows 8.1
- Windows 10
- Windows 11
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Hardware requirements
The hardware requirements for Secure Gateway Server include the following :
1 to 250 computers
| Server |
Parameter |
Requirement |
| Secure Gateway Server |
Processor information |
Intel Core i3 (2 core/4 thread) 2.0 Ghz 3 MB cache |
| RAM size |
4 GB |
| Hard disk space |
50 GB* |
| Network requirement |
Network card speed |
Minimum 1 GBPS Network Interface Card (NIC) |
| Bandwidth |
Minimum 1 MBPS (T1 connection) |
* May increase dynamically according to the frequency of scanning
251 to 500 computers
| Server |
Parameter |
Requirement |
| Secure Gateway Server |
Processor information |
Intel Core i3 (2 core/4 thread) 2.4 Ghz 3 MB cache |
| RAM size |
4 GB |
| Hard disk space |
50 GB* |
| Network requirement |
Network card speed |
Minimum 1 GBPS Network Interface Card (NIC) |
| Bandwidth |
Minimum 1 MBPS (T1 connection) |
* May increase dynamically according to the frequency of scanning
501 to 1000 computers
| Server |
Parameter |
Requirement |
| Secure Gateway Server |
Processor information |
Intel Core i3 (2 core/4 thread) 2.9 Ghz 3 MB cache |
| RAM size |
4 GB |
| Hard disk space |
50 GB* |
| Network requirement |
Network card speed |
Minimum 1 GBPS Network Interface Card (NIC) |
| Bandwidth |
Minimum 1 MBPS (T1 connection) |
* May increase dynamically according to the frequency of scanning
1001 to 3000 computers
| Server |
Parameter |
Requirement |
| Secure Gateway Server |
Processor information |
Intel Core i5 (4 core/8 thread) 2.3 GHz |
| RAM size |
8 GB |
| Hard disk space |
50 GB* |
| Network requirement |
Network card speed |
Minimum 1 GBPS Network Interface Card (NIC) |
| Bandwidth |
Minimum 1 MBPS (T1 connection) |
* May increase dynamically according to the frequency of scanning
3001 to 5000 computers
| Server |
Parameter |
Requirement |
| Secure Gateway Server |
Processor information |
Intel Core i7 (6 core/12 thread) 3.2 GHz |
| RAM size |
8 GB |
| Hard disk space |
50 GB* |
| Network requirement |
Network card speed |
Minimum 1 GBPS Network Interface Card (NIC) |
| Bandwidth |
Minimum 1 MBPS (T1 connection) |
* May increase dynamically according to the frequency of scanning
5001 to 10000 computers
| Server |
Parameter |
Requirement |
| Secure Gateway Server |
Processor information |
Intel Xeon E5 (8 core/16 thread) 2.6 GHz |
| RAM size |
16 GB |
| Hard disk space |
50 GB* |
| Network requirement |
Network card speed |
Minimum 1 GBPS Network Interface Card (NIC) |
| Bandwidth |
Minimum 1 MBPS (T1 connection) |
* May increase dynamically according to the frequency of scanning
10001 to 15000 computers
| Server |
Parameter |
Requirement |
| Secure Gateway Server |
Processor information |
Intel Xeon E5 (12 core/24 thread) 2.7 GHz |
| RAM size |
32 GB |
| Hard disk space |
50 GB* |
| Network requirement |
Network card speed |
Minimum 1 GBPS Network Interface Card (NIC) |
| Bandwidth |
Minimum 1 MBPS (T1 connection) |
* May increase dynamically according to the frequency of scanning
15001 to 20000 computers
| Server |
Parameter |
Requirement |
| Secure Gateway Server |
Processor information |
Intel Xeon E5 (14 core/28 thread) 2.7 GHz |
| RAM size |
32 GB |
| Hard disk space |
50 GB* |
| Network requirement |
Network card speed |
Minimum 1 GBPS Network Interface Card (NIC) |
| Bandwidth |
Minimum 1 MBPS (T1 connection) |
* May increase dynamically according to the frequency of scanning
20001 to 25000 computers
| Server |
Parameter |
Requirement |
| Secure Gateway Server |
Processor information |
Intel Xeon E5 (16 core/32 thread) 3.0 GHz |
| RAM size |
32 GB |
| Hard disk space |
50 GB* |
| Network requirement |
Network card speed |
Minimum 1 GBPS Network Interface Card (NIC) |
| Bandwidth |
Minimum 1 MBPS (T1 connection) |
* May increase dynamically according to the frequency of scanning
25001 to 30000 computers
| Server |
Parameter |
Requirement |
| Secure Gateway Server |
Processor information |
Intel Xeon E5 (16 core/32 thread) 3.0 GHz |
| RAM size |
32 GB |
| Hard disk space |
50 GB* |
| Network requirement |
Network card speed |
Minimum 1 GBPS Network Interface Card (NIC) |
| Bandwidth |
Minimum 1 MBPS (T1 connection) |
* May increase dynamically according to the frequency of scanning
To introduce Secure Gateway based communication to Endpoint DLP Plus, follow the steps given below:
- Modify Endpoint DLP Plus Settings
- Install and configure Secure Gateway
- Infrastructure recommendations
Modify Endpoint DLP Plus Settings
- Enter Secure Gateway IP address instead of UEMS Central server IP address under server details while adding remote office.
- Enable secured communication (HTTPS) under WAN agent to UEMS Central server communication.
- Configure NAT settings using the Secure Gateway's public FQDN/IP address.
- On the UEMS Central Server Console, click on Admin tab --> Server Settings --> NAT Settings.
- Add the FQDN of the Secure Gateway server against the Public FQDN under NAT device as shown below.
- Download and install Secure Gateway on a machine in Demilitarized zone.
- Enter the following details under Setting up the Secure Gateway window, which will open after the installation process.
Infrastructure recommendations
Ensure that you follow the steps given below:
- Secure Gateway's Public IP address with the port 8383 (https) should be provided to UEMS Central server for accessibility verification.
- Configure Secure Gateway in such a way, that it should be reachable via public IP/FQDN address configured in NAT settings. You can also configure the Edge Device/Router in such a way that all the request that are sent to the Public IP/FQDN address gets redirected to the Secure Gateway.
- It is mandatory to use HTTPS communication.
- You will have to ensure that the following port is open on the firewall for the the roaming user's agents to communicate via the Secure Gateway.
| Port |
Type |
Purpose |
Connection |
| 8383 |
8027 |
8443 |
8031 |
| HTTPS |
TCP |
HTTPS |
HTTPS |
| For communication between the WAN agent and the UEMS Central server using Secure Gateway |
To perform on-demand operations |
Web socket port used for remote control, chat, system manager etc |
For transferring files |
| Inbound to Server |
Inbound to Server |
Inbound to Server |
Inbound to Server |
You have now secured communication between UEMS Central server and roaming users.
