Management Server Connectivity Behind a Firewall

You are here:

Overview

In this article you learn how to configure a management server to work behind a firewall, in an untrusted domain or both.

When a delegated user performs actions in System Frontier like invoking a built-in WMI query, starting a service or running a PowerShell-based tool to create AD users, those tasks are executed on management servers. Processes on a management server are executed in the context of the service account that has the rights needed to perform that particular task. The connection from the web server to the management server uses Windows authentication by default. This becomes problematic to impossible when the management server needs to sit behind a firewall and exposing WMI ports or other ports needed by your tools is not option.

Additionally, if the resources being managed require authentication to a domain that is not trusted by the source domain or is a workgroup, processes created to run your custom tools will not be able to authenticate. In these instances, you can use certificate-based authentication to secure the connection between the web server and the management server so that all communication is handled over a single TCP port and the management server can be joined to the target domain or work independently outside of a domain.

Requirements

  • System Frontier v1.70 or newer.
  • A self-signed SSL certificate or preferably, one generated by your organization’s certificate authority.

Web server configuration

Both the web server and the management server must use the same certificate in order to authenticate communication between them. If you have multiple web servers, perform the following steps on each one.

  • From the System Frontier web server, use File Explorer to find the .pfx certificate file.
  • Right-click on the .pfx file and click Install PFX.
  • On the Certificate Import Wizard dialog, choose Local Machine and click Next.
  • Click Next.
  • Provide the password for the private key and click Next.
  • Select Place all certificates in the following store.
  • Click the Browse button.
  • Choose Personal.
  • On the Completing the Certificate Import Wizard dialog, click Finish.
  • If the import was successful, click the Windows start button and search for cert.
  • Select Manage computer certificates.
  • Under Certificates – Local Computer, navigate to Personal > Certificates.
  • Right-click on the new certificate you just imported and select All Tasks > Manage Private Keys…
  • On the Permissions dialog, click Add.
  • Add the same service account that is configured for the System Frontier IIS application pool. Permissions for the account are set here so that it is authorized to use the certificate for communications with the management server.
  • Click OK.
  • On the Permissions dialog, make sure the account is selected.
  • Uncheck Allow for Full control.
  • Make sure Read is checked.
  • Click OK.

Management server configuration

The same certificate must be used on the management server in order for the calling web server to properly authenticate. If you have multiple management servers, perform the following steps on each one.

  • First, from the management server, complete all the same steps from the Web Server Configuration above, except this time, add and configure the NETWORK SERVICE account permissions on the certificate instead of the IIS application pool account.
  • Navigate to the folder where the System Frontier Management Service is installed. By default it is: C:\Program Files (x86)\Noxigen\System Frontier Management Service.
  • Open the Authorization.xml file with Notepad or another text editor.
  • Add the Subject value for the certificate in the name attribute of the certificate node. If the certificate line isn’t there, add it per the example below. Replace SystemFrontierManagement with the actual Subject name of your certificate.
<?xml version="1.0" encoding="utf-8" ?>
<systemFrontier>
	<authorized caller="miller\cooper" ipAddresses="192.168.74.148"></authorized>
	<customToolsPath path="C:\ProgramData\Noxigen\CustomTools"></customToolsPath>
	<certificate name="SystemFrontierManagement"></certificate>
	<logging debug="true"></logging>
</systemFrontier>
  • Save the file and restart the System Frontier Management service.
  • If the service does not start, consult the sf_debug.log (located in C:\ProgramData\Noxigen) and any corresponding Windows event log entries.

Add or configure management server

  • From the System Frontier web interface, navigate to Settings > Management Servers. Add or edit the management server where the certificate is installed.
  • In the Certificate name textbox, provide the Subject value of the certificate for that server.
  • Click Save.
If you remove the certificate on the System Frontier > Settings > Management Servers page, be sure to go to the actual management server and remove the certificate name from the name value of the certificate attribute of the Authorization.xml file, save the file and restart the System Frontier Management service.

Changes in the web interface

Associate credentials with the management server

  • From the System Frontier web interface, navigate to Settings > Credentials.
  • Add or edit credentials that will be used to execute tasks on the management server. Example: If the management server is installed in an untrusted domain, you would add credentials here that have the necessary rights needed for that domain.
  • Under the Management Server(s) section, assign the management server that will be used any time this credential is needed.
  • Click Save.

Firewall configuration

If there is a firewall between the System Frontier web server and any management server, it must be configured to allow traffic on TCP port 48500 from the web server to the management server. No other ports are required.

Verify connectivity

Once all the configuration steps have been complete, you will need to verify connectivity between the System Frontier web server and the management servers that are using certificate-based authentication.

  • First, if the management in question is not the primary management server and it’s new, you will need to manually sync it for the first time.
  • From the System Frontier web interface, navigate to Settings > Management Servers.
  • Click Sync button.
  • If successful, you will see a notification. Otherwise, you can view error details by navigating to Reports > Audit history and look for sync error messages.
  • After a successful sync, try running a custom tool that has credentials assigned to it for the new management server to ensure remote credential authentication is operational.

Next steps

Find ways to leverage the new certificate-based authentication feature to deploy management servers to remote sites, new acquisitions, secure enclaves or wherever you need remote management. Remember, System Frontier is more than just Windows server management. You can use RBAC to delegate management of Windows, Linux, Active Directory, public/private cloud, 3rd party apps or anything else that has an API.

Tags:
Was this article helpful?
Dislike 0