11.7 ZENworks Support for Reverse Proxy

A reverse proxy is a server that sits in front of one or more web servers and forwards client requests to them. It adds a level of abstraction and control over the traffic between clients and servers, and it can also provide load balancing, web acceleration and a single point for TLS termination. ZENworks Primary Servers can be placed behind a reverse proxy so that they are not exposed directly to the Internet, which reduces the attack surface of the server infrastructure.

ZENworks 23.3 natively supports a reverse proxy that presents a well-known certificate (a certificate issued by a publicly trusted CA). Make sure the reverse proxy is configured with such a certificate before you begin; agents and Satellite Servers must be able to validate the chain the proxy presents.

To configure the ZENworks zone to be front-ended by a reverse proxy, perform the following steps:

  1. Navigate to ZCC > Devices > Servers and add the reverse proxy hostname as an additional hostname for each Primary Server. Set this hostname as the default hostname for the Server devices.

  2. (Conditional) If MDM servers are configured, set the MDM servers to use the newly added hostname for all communications.

  3. Navigate to Configuration > Certificates and perform the following:

    1. (Conditional) If the ZENworks zone uses an External CA, change the CA so that ZENworks uses the same CA that issued the certificate for the reverse proxy.

    2. Remint the certificates of all Primary Servers in the zone.

  4. Create an L4 definition in the Closest Server Rules (CSR) and add the Primary Servers to it. The hostname configured for the L4 definition must be the reverse proxy hostname or IP address.

    If the L4 definition is configured with a hostname, by default only that hostname is included in the certificate signing request for the Primary Server certificates. To include the IP addresses as well, set the INCLUDE_IPS_FOR_L4 system variable to true at the zone level.

  5. Modify the osp-configuration properties file so that the reverse proxy address is reflected as the additional DNS name and as the L4 address. For more information, see Configuring OSP for Additional DNS or L4 Switch.

  6. (Conditional) Create a separate location for the Primary Servers so that they communicate directly with each other rather than through the reverse proxy.

  7. (Conditional) Create a separate location for agents that uses the L4 definition created in step 4, so that agents communicate with the Primary Servers only via the reverse proxy.

  8. Create custom deployment packages that contain only the reverse proxy hostname (remove all other hostnames). Repeat this for every Primary Server in the zone.

  9. Enroll the managed devices in the zone by using the custom deployment packages created in the previous step (step 8).

    NOTE: When you promote a managed device to a Satellite Server and the Primary Server is located behind the reverse proxy, you must manually import the reverse proxy certificate into the jetty-keystore.jks file of the Satellite Server, so that the Satellite trusts the certificate the proxy presents.

    To import the reverse proxy certificate, use the following command:

    keytool -import -alias <any_alias> -keystore jetty-keystore.jks -file <certificateFile>

    You can get the password for the jetty-keystore.jks file from the jetty.properties file. Confirm the import afterwards with keytool -list -keystore jetty-keystore.jks.

    For more information, see Patch Management Troubleshooting.
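Once the steps above are complete, the two things that most often go wrong are an agent or Satellite not trusting the chain the reverse proxy presents, and the proxy certificate not naming the hostname or L4 IP address the agents actually use. The following script is an added example, not part of ZENworks or its documentation; it performs both checks from the client side with only the Python standard library, using the same chain and name validation an agent's TLS client applies. The proxy hostname zenserver.myextdomain.com is taken from the sample NGINX configuration; the IP address, the request path and the certificate dictionaries at the bottom are constructed assumptions.

```python
"""Check a ZENworks reverse-proxy front end the way an agent's TLS client does.

Added example for this section; not ZENworks code.  Two things must hold once
the zone is configured: the chain presented by the reverse proxy must be trusted
(a Satellite behind the proxy fails here until the proxy certificate is in its
jetty-keystore.jks), and every name agents use (the reverse proxy hostname and,
if INCLUDE_IPS_FOR_L4 is set, its IP) must appear in the certificate's SANs.
"""
import ipaddress
import ssl
from http.client import HTTPSConnection


def names_in_cert(cert):
    """Split the subjectAltName of an ssl.getpeercert() dict into DNS names and IPs."""
    san = cert.get("subjectAltName", ())
    dns = {value.lower() for kind, value in san if kind == "DNS"}
    ips = {ipaddress.ip_address(value) for kind, value in san if kind == "IP Address"}
    return dns, ips


def dns_label_match(pattern, host):
    """RFC 6125 style comparison: a wildcard covers exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        rest = pattern[2:]
        labels = host.split(".", 1)
        return "." in rest and len(labels) == 2 and labels[1] == rest
    return False


def cert_covers(cert, target):
    """True when target (hostname or IP literal) is named by a SAN entry.

    A Primary Server certificate reminted without the L4 / reverse proxy name
    fails this check even though its chain may be perfectly valid.
    """
    dns, ips = names_in_cert(cert)
    try:
        return ipaddress.ip_address(target) in ips
    except ValueError:                       # not an IP literal: match DNS SANs
        return any(dns_label_match(p, target) for p in dns)


def check_via_proxy(proxy_host, extra_names=(), port=443, path="/zenworks-ping",
                    cafile=None, timeout=10):
    """Connect through the reverse proxy as an agent would.

    Raises ssl.SSLCertVerificationError when the chain is not trusted by the
    system store (or by cafile, if given) or the certificate does not match
    proxy_host.  Returns (http_status, {name: covered_by_SAN}) so that other
    names agents may use, such as the L4 IP, can be checked in the same run.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and hostname
    conn = HTTPSConnection(proxy_host, port, context=ctx, timeout=timeout)
    conn.connect()                                    # TLS handshake happens here
    cert = conn.sock.getpeercert()
    conn.request("GET", path)
    status = conn.getresponse().status
    conn.close()
    return status, {n: cert_covers(cert, n) for n in (proxy_host, *extra_names)}


# Constructed getpeercert()-shaped dicts (assumed values, not real certificates).
PROXY_CERT = {
    "subject": ((("commonName", "zenserver.myextdomain.com"),),),
    "subjectAltName": (("DNS", "zenserver.myextdomain.com"),
                       ("IP Address", "203.0.113.10")),
}
PRIMARY_ONLY_CERT = {            # reminted without the reverse proxy name
    "subject": ((("commonName", "zenserver1.mydomain.com"),),),
    "subjectAltName": (("DNS", "zenserver1.mydomain.com"),),
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "zenserver.myextdomain.com"
    try:
        print(check_via_proxy(host, extra_names=("203.0.113.10",)))
    except ssl.SSLCertVerificationError as exc:
        print("chain not trusted or name mismatch:", exc)
```

Run it from a managed device with the reverse proxy hostname as the argument. A chain error at this point reproduces the Satellite promotion failure described in the note above; a False entry in the returned dictionary means the certificate needs to be reissued with that name (or, for an IP, that INCLUDE_IPS_FOR_L4 was not set before the remint).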

Sample NGINX reverse proxy configuration:

# Place these blocks inside the http { } context of nginx.conf.
# The reverse proxy hostname is zenserver.myextdomain.com; the well-known
# certificate (mydomain.crt) and key (mydomain.key) it presents are stored locally.

# MDM traffic: ip_hash keeps a device on the same Primary Server.
upstream mdmservers {
    ip_hash;
    server zenserver1.mydomain.com:443;
    server zenserver2.mydomain.com:443;
    keepalive 16;
}

upstream client-mgmt {
    server zenserver1.mydomain.com:443;
    server zenserver2.mydomain.com:443;
    keepalive 16;
}

upstream admin-mgmt {
    ip_hash;
    server zenserver1.mydomain.com:7443;
    server zenserver2.mydomain.com:7443;
    keepalive 16;
}

# HTTPS port and the certificate that NGINX presents for incoming requests
server {
    listen               443 ssl;
    ssl_certificate      mydomain.crt;
    ssl_certificate_key  mydomain.key;
    ssl_protocols        TLSv1.2 TLSv1.3;
    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_ciphers          HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    client_max_body_size 200M;

    # The upstream keepalive pools are only used when the proxied request is
    # HTTP/1.1 with the Connection header cleared; these settings are inherited
    # by the locations below.
    proxy_http_version 1.1;
    proxy_set_header   Connection "";
    # Pass the hostname the client connected to (the reverse proxy hostname set
    # as default hostname in ZCC) to the Primary Server. $remote_addr is the
    # address NGINX saw; a client-supplied X-Forwarded-For is not trusted.
    proxy_set_header   Host            $http_host;
    proxy_set_header   X-Forwarded-For $remote_addr;

    # HTTPS endpoints served via NGINX
    location /zenworks-ping {
        keepalive_timeout     70m;
        proxy_connect_timeout 70m;
        proxy_send_timeout    70m;
        proxy_read_timeout    70m;
        proxy_pass https://client-mgmt/zenworks-ping;
    }

    location /endpoint {
        proxy_connect_timeout 300s;
        proxy_send_timeout    300s;
        proxy_read_timeout    300s;
        proxy_pass https://mdmservers/endpoint;
    }

    location / {
        proxy_connect_timeout 300s;
        proxy_send_timeout    300s;
        proxy_read_timeout    300s;
        proxy_pass https://client-mgmt;
    }
}

# ZENworks Control Center (administration) port
server {
    listen               7443 ssl;
    ssl_certificate      mydomain.crt;
    ssl_certificate_key  mydomain.key;
    ssl_protocols        TLSv1.2 TLSv1.3;
    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_ciphers          HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    client_max_body_size 200M;

    location / {
        proxy_pass         https://admin-mgmt;
        proxy_http_version 1.1;
        proxy_set_header   Connection "";
        proxy_set_header   Host $http_host;
    }
}
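The mistakes that are easy to make in a configuration like the one above are quiet ones: an upstream that lists the same Primary Server twice (the other server simply never receives traffic), a keepalive pool that is never used because the location does not speak HTTP/1.1 with a cleared Connection header, a location that does not forward the Host header (so the Primary Server sees the upstream name instead of the reverse proxy hostname configured in ZCC), and a TLS server that relies on whatever protocol versions the installed NGINX defaults to. The following linter is an added example, not part of ZENworks or NGINX; it parses an nginx.conf fragment and reports those four conditions. The two excerpts at the bottom are constructed from the sample above, the first reproducing the weak settings and the second the corrected ones. Its parser is deliberately small (it drops comments and does not understand include or map) and the checks assume a proxy_pass target that names an upstream block.

```python
"""Lint an NGINX fragment for mistakes that break a ZENworks reverse proxy.

Added example; not part of the ZENworks documentation or of NGINX.  A minimal
nginx.conf parser (directives, nested blocks, comments dropped) feeds four
checks.  proxy_set_header and proxy_http_version set at server level are
honoured the way NGINX inherits them: only when the location sets none itself.
"""
import re

TOKEN = re.compile(r'''"[^"]*"|'[^']*'|[{};]|[^\s{};]+''')


def tokenize(text):
    text = re.sub(r"#[^\n]*", "", text)                  # drop comments
    return [t.strip("\"'") for t in TOKEN.findall(text)]


def parse(tokens, i=0):
    """Return ([(name, args, block_or_None), ...], next_index)."""
    out, cur = [], []
    while i < len(tokens):
        t, i = tokens[i], i + 1
        if t == ";":
            if cur:
                out.append((cur[0], cur[1:], None))
            cur = []
        elif t == "{":
            block, i = parse(tokens, i)
            out.append((cur[0], cur[1:], block))
            cur = []
        elif t == "}":
            return out, i
        else:
            cur.append(t)
    return out, i


def _args(block, name):
    """Arguments of the first directive called name in block, or None."""
    return next((a for n, a, _ in block if n == name), None)


def _headers(block):
    return {tuple(a) for n, a, _ in block if n == "proxy_set_header"}


def lint(config):
    tree, _ = parse(tokenize(config))
    findings, keepalive_pools = [], set()
    for name, args, block in tree:
        if name == "upstream":
            members = [a[0] for n, a, _ in block if n == "server"]
            for m in sorted({m for m in members if members.count(m) > 1}):
                findings.append(f"upstream {args[0]}: member {m} listed twice")
            if _args(block, "keepalive") is not None:
                keepalive_pools.add(args[0])
    for name, args, block in tree:
        if name != "server":
            continue
        listen = (_args(block, "listen") or ["?"])[0]
        if _args(block, "ssl_protocols") is None:
            findings.append(f"server {listen}: no ssl_protocols, relying on the NGINX default")
        srv_headers, srv_http = _headers(block), _args(block, "proxy_http_version")
        for n, a, loc in block:
            target = _args(loc, "proxy_pass") if n == "location" and loc else None
            if target is None:
                continue
            pool = re.match(r"https?://([^/]+)", target[0]).group(1)
            where = f"server {listen} location {a[-1]}"
            headers = _headers(loc) or srv_headers           # NGINX inheritance rule
            http = _args(loc, "proxy_http_version") or srv_http
            if pool in keepalive_pools and not (http == ["1.1"] and ("Connection", "") in headers):
                findings.append(f"{where}: keepalive pool {pool} used without "
                                'proxy_http_version 1.1 and Connection ""')
            if not any(h[0] == "Host" for h in headers if h):
                findings.append(f"{where}: Host header not forwarded")
    return findings


# Constructed excerpts modelled on the sample above; not complete configurations.
BAD_EXCERPT = """upstream admin-mgmt {
    server zenserver1.mydomain.com:7443;
    server zenserver1.mydomain.com:7443;   # second Primary Server never used
    keepalive 16;
}
server {
    listen 7443 ssl;
    location / { proxy_pass https://admin-mgmt; }
}
"""

GOOD_EXCERPT = """upstream admin-mgmt {
    server zenserver1.mydomain.com:7443;
    server zenserver2.mydomain.com:7443;
    keepalive 16;
}
server {
    listen 7443 ssl;
    ssl_protocols      TLSv1.2 TLSv1.3;
    proxy_http_version 1.1;
    proxy_set_header   Connection "";
    proxy_set_header   Host $http_host;
    location / { proxy_pass https://admin-mgmt; }
}
"""
```

Running lint on BAD_EXCERPT returns four findings (the duplicate member, the missing ssl_protocols, the unused keepalive pool and the missing Host header); on GOOD_EXCERPT it returns an empty list. To check a real configuration, read the file into a string and pass it to lint; the parser ignores directives it does not know, so unrelated settings do not produce noise.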