Best Known Method for Configuring LANDESK Cloud Service Appliance (former Management Gateway) version 4.2 and newer

Version 22

    Verified Product Versions

    Endpoint Manager 9.5, Endpoint Manager 9.6, Endpoint Manager 2016.x



    This article is intended to provide a set of recommended configurations for LANDESK Cloud Service Appliance. The CSA configuration will allow an external (off the network) client to be managed.


    Here is a video of the process that includes core and agent side information: LANDESK - CSA - Installation and Configuration - YouTube


    LANDESK Cloud Service Appliance is an Internet software appliance that uses patented technology to help provide secure communication and management functionality to external devices. It acts as a meeting place where the Core Server and managed nodes are linked through their Internet connections. All management traffic must be initiated by the client agent.


    The LANDESK Cloud Service Appliance requires that all traffic be client initiated. When devices are managed through the CSA, Inventory, Software Distribution, Remote Control and Security Suite functionality are supported. Software Distribution requires that the packages be hosted on an HTTP share on the Core Server or on a share accessible from the external network.


    Configuration of the Gateway


    The LANDESK Cloud Service Appliance configuration requires multiple steps. The following steps of the configuration will be explained in this article:

    • Cloud Service Appliance network placement
    • CSA configuration
    • Agent configuration for Gateway communication


    Installation of the Cloud Service Appliance


    The following are LDCSA installation parameters:

    • On CSA 4.2, no media is required for installation
    • The media is pre-installed and stored for recovery purposes on a hidden partition (CSA 4.2)
    • On CSA 4.3, an installation USB is required
    • On the first system boot, a username and password are required

            Username: admin    Password: admin

    Note: Cloud Service Appliance 4.3 will prompt you to change the password on the first login. The service account password is automatically set to whatever you change your admin account's password to on the first login. It is recommended that you set a different password for the service account later.


    After logging in, the Cloud Service Appliance web page launches. The following steps should be done from the web page, in the following order:


    • Accept the End User License Agreement.
    • Configure the network for the appliance. This includes assigning an IP address, assigning DNS, and assigning a host name and domain information.
    • Activate the Appliance (use the same credentials you used for your LDMS core)
    • Change the Admin Password


    The Cloud Service Appliance has the ability to allow encryption levels that are less than 128 bit (Country Restriction). For countries that do not have restrictions, all traffic less than 128 bit can also be blocked. This setting is on the Gateway Services tab on the Cloud Service Appliance web console. See the screenshot below:




    Block Services


    From the Security tab on the Cloud Service Appliance web page, services for the CSA can be enabled / disabled as needed for security purposes.



    Network Settings


    The network is configured from the Cloud Service Appliance web page. On this page the IP address is bound to the NIC, and the DNS server(s), domain and hostname are set.


    Configure Date and Time first.



    1.    Click on System > Network Settings

    2.    Remove any references to the and

    3.    Set IP, subnet, and gateway for your network on eth0.

    4.    Click add

    5.    Set the hostname and dns suffix for your device

    6.    Click save

    7.    Click on the hostnames tab.

    8.    Remove any references to the and

    9.    We will want to add the core here.

    10.  Core IP, Core FQDN, Core Hostname click add

    11.  Ping, and to obtain the IP addresses.

    12.  Enter the IP,, click add

    13. Enter patch IP,, click add.


    14. Click save

    15. Click on the security section.

    16. Remove any subnets you use from the blocked list.

    17. Add the core IP to trusted

    18. Add the, and IP's in the trusted


    19. Click save at the bottom

    20. Click on the users section. Make sure you know the service account password; we will need this to configure the core. It will only be used on the core in one location (Manage Gateway/Manage Cloud Service Appliances), so if you don't know it, go ahead and reset it so you have the correct password.

    21. Click on the Gateway Service section. In the additional Hostnames section you will want anything the gateway can resolve to or from: FQDN, internal and external IP, etc.


    22. Click Save


    (Reference: How to Configure a Gateway (Cloud Service Appliance) - Quick Guide)



    CSA Activation

    The first Activation must be done over the internet to communicate with the license server.




    System Updates:


    The CSA allows updates to be downloaded to the appliance and applied when necessary.




    4.2 CSA

    Recommended patch order:

    • GSBWEB_61
    • GSBWEB_62
    • GSBWEB_63
    • GSBWEB_64
    • GSBWEB_68
    • GSBWEB_72
    • EECERT_1
    • BROKER_22
    • BROKER_27
    • BROKER_28
    • openssh-5.6p1-1.19
    • OPENSSH_5.8
    • DBUPDATE_1
    • SUMO-6.0
    • SECURITY_1


    4.3 CSA

    Patches are cumulative unless specified. Install the most recent patch available.


    Back Up and Restore


    The CSA appliance has the ability to back up and restore the system settings. The appliance can be backed up at any time or can be configured to do a backup weekly or monthly. The configurations can be exported off the device and saved to a desired location. If needed, an import of any configuration can be done at any time. The backup export can be performed only on the web console of the CSA.




    Shutdown and Reboot


    The Cloud Service Appliance can be shut down and / or rebooted remotely. The only requirement is access to the CSA web page internally or externally.




    Cloud Service Appliance Configuration


    The CSA can be configured in a single NIC or a dual NIC configuration. Additional configuration is required if Port Forwarding is being used to pass traffic to the CSA.


    Single NIC configuration


    The CSA can be configured using a single NIC. In a single NIC configuration, the Core Server and the clients will need to be able to create an SSL connection to the CSA. By default the Core Server and clients will use the IP address of the CSA.


    Basic Configuration Steps:


    1. Add an IP address to the NIC in the network configuration
    2. Configure the CSA firewall; add any non-routable IP addresses and IP ranges that should be blocked. Make sure that applicable subnets are allowed.
    3. Route the incoming traffic from the Internet address to the CSA
    4. Ensure that the firewall is set to ENABLED in the CSA


    This configuration allows the clients to connect to the IP of the CSA and pass traffic through the CSA to the Core Server.


    Dual NIC Configuration of the Cloud Service Appliance


    The two NIC design allows the IP address associated with the 'external' network to be bound to one NIC, while the Core Server communicates with the CSA on an internal IP address assigned to a second NIC. This allows for both internal and external communication without requiring IP routing between the networks.


    Basic Configuration Steps:


    1. Add an IP address to each NIC in the network configuration
    2. Assign an FQDN to the external IP address and update the DNS servers, e.g. LDGATEWAY.COMPANY.COM
    3. Configure the CSA firewall; add any non-routable IP addresses and ranges that should be blocked. Make sure that applicable subnets are allowed
    4. Route the incoming traffic from the Internet address to the CSA
    5. Ensure that the internal NIC of the CSA is set to ENABLED in the CSA
    6. Ensure that the internal NIC of the CSA is connected to the internal side of the network


    Note: It is recommended that the internal IP address be on the same subnet as the Core Server. If the appliance is not on the same subnet a route will likely need to be added for CSA version 4.2. This can be done from the appliance by selecting ALT+<F2>, and then right clicking and choosing Xterm. This allows a terminal session to the appliance. See How To Add a Persistent Static Route to Cloud Services Appliance for adding a persistent route.


    This configuration allows the clients to connect to the external IP address of the Cloud Service Appliance and pass traffic through it. This will allow for the physical separation of client and core server traffic. These steps provide an overview of the settings necessary to implement the two NIC configurations. Actual commands for routers, firewalls, etc., are not known as the network configuration and hardware vary.
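
    A pre-flight check for the firewall and NIC steps above (Network Settings steps 16 and 17, the firewall step in the single and dual NIC procedures, and the subnet note), as an added example that is not LANDESK code or part of the original article. The function name, its parameters and all addresses are hypothetical, constructed values; the script only does offline arithmetic on lists you copy from the CSA web console.

```python
import ipaddress


def audit_csa_network(blocked, in_use, trusted, core_ip, csa_internal_if):
    """Return findings for a planned CSA firewall / NIC configuration.

    blocked, in_use, trusted: lists of CIDR strings (hypothetical names).
    core_ip: Core Server address. csa_internal_if: internal NIC as "ip/prefix".
    """
    blocked_nets = [ipaddress.ip_network(b, strict=False) for b in blocked]
    trusted_nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    core = ipaddress.ip_address(core_ip)
    internal = ipaddress.ip_interface(csa_internal_if)
    # Treat the Core Server as an in-use /32 so it is checked like a subnet.
    used_nets = [ipaddress.ip_network(u, strict=False) for u in in_use]
    used_nets.append(ipaddress.ip_network(core_ip))

    findings = []
    # A blocked range must not cover any subnet you use.
    for used in used_nets:
        for b in blocked_nets:
            if used.overlaps(b):
                findings.append(f"blocked range {b} overlaps in-use subnet {used}")
    # The core IP should be on the trusted list.
    if not any(core in t for t in trusted_nets):
        findings.append(f"core {core} is not in the trusted list")
    # Internal NIC off the core's subnet: a static route is likely needed.
    if core not in internal.network:
        findings.append(
            f"core {core} is outside internal NIC subnet {internal.network}; "
            "static route likely needed"
        )
    return findings


# Constructed sample values (not from the article).
BLOCKED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]
IN_USE = ["10.20.30.0/24"]
TRUSTED = ["10.20.40.5/32"]
CORE_IP = "10.20.30.10"
CSA_INTERNAL = "10.20.31.4/24"

if __name__ == "__main__":
    for finding in audit_csa_network(BLOCKED, IN_USE, TRUSTED, CORE_IP, CSA_INTERNAL):
        print("FINDING:", finding)
```

    An empty result means the blocked list, trusted list and internal NIC address are consistent with each other; it does not confirm what is actually configured on the appliance.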


    Port Forwarding


    Port Forwarding is a network configuration that allows traffic to be sent to one address and then forwarded to the actual device. Port Forwarding is utilized in many environments to isolate or protect a device. Port Forwarding can be used in Dual NIC or Single NIC configurations. All client traffic is on port 443. The clients must have an IP address that is accessible from the external network. The following diagram is an illustration of this configuration. The external IP address is assigned to the firewall and then the traffic on port 443 is forwarded to the Cloud Service Appliance.



    Operating System


    • The Cloud Service Appliance is a custom build of Linux: CentOS 6.3 64 bit.
    • Only the software necessary for performing the actions and functions of the CSA is installed. This is done to limit the exposure and the tools available for attack.
    • No common external access utilities exist on the system (i.e. wget, httpclient, ftp client, ncftp, lynx ...).
    • Connections to the CSA from remote clients and the Core Server are passed over SSL encrypted connections on port 443. The SSL sessions are signed by a LANDESK certificate. If this certificate is modified in any way, the CSA service will shut down.
    • Using a secure SSL tunnel, the CSA routes data between the client and the Core Server as long as they have an open connection on the CSA. The SSL data is not decrypted at the CSA. This provides security and allows a larger number of connections by minimizing CPU utilization. Leaving the data encrypted eliminates the need for complex synchronization between the connections: when data is received, it is sent on to its destination without delay.
    • Cloud Service client connections providing improper authentication, inappropriate syntax, or public key data are dropped.
    • Five (configurable) invalid authentication attempts from a client will lock out the client for a pre-determined amount of time (also configurable).
    • Once the connection between a Core Server and a client is established, the handshake and data encryption keys are left to the core. No decryption is performed by the CSA. This eliminates the possibility of a 'man in the middle' attack at the CSA.
    • All incoming connections (except SSH) are handled by the Gateway service.




    • Port 443 (HTTPS) (in/out) -- Port 443 is used for all management and client CSA traffic
    • Port 80 (HTTP) (in) -- Port 80 is only used for a default web page (optional)
    • Port 80 (HTTP) (out) -- Port 80 is used for licensing and patching of the CSA
    • Port 25 (SMTP) (outgoing only) -- Port 25 is used to email logs and alerts from the CSA to the configured email addresses
    • Port 22 (SSH) is allowed -- SSH connection can be used for terminal administration




    All ports / services / addresses are denied by default at the firewall


    • IP spoof detection in use.
    • SYN packet filtering is turned on.
    • UDP / ICMP filtering.
    • Explicit denial after exception list.
    • List of IP address ranges. The list is from various security sites; edits to the list are recommended. If internal (non routable) IP address ranges.


    User accounts


    • The 'root' user login is disabled by default.
    • The 'admin' user is the only user that can connect via SSH and will require elevated privileges.
    • System accounts lock out for a period of time after 5 consecutive bad login attempts.


    Software - Applications


    • Outgoing SMTP mail is handled by a custom-built mail application. (Sendmail is NOT installed)
    • Tripwire file scanning is performed at regular intervals on the system to detect possible compromised files.
    • Web interface and Gateway service processes run unprivileged.
    • Internal database server runs with network support disabled.
    • CSA web console operates over authenticated SSL only (HTTPS port 443).


    Core Configuration


    After installing the Cloud Service Appliance, the Core Server needs to be configured to connect to the CSA. This step must be completed before configuring managed devices to use the CSA.


    The 'Manage Cloud Services Appliances' option is available only from the core console, not from remote consoles. A LANDESK Administrator right is required to run 'Manage Cloud Service Appliances'.


    From the console on the Core Server, click Configure | Manage Cloud Service Appliances.



    On the Cloud Service Appliance information tab, specify CSA information.


















    Agent Configuration


    After the agent is configured on the client, the agent will need to be configured to communicate through the Cloud Service Appliance if desired. By default the agents will only communicate to the Core Server. Configuration of the client will require credentials to ensure the integrity of the database.


    To provide secure communication between the client and Core Server, a certificate will be created for each client. Certificate information is stored in the database for the Core Server and in the Broker folder on the client. Each certificate can be repudiated if needed. When a certificate is repudiated, it will be blocked at both the CSA and the Core Server. Only repudiated certificates are stored on the CSA.


    Prior to configuring the clients, make sure Cloud Service Appliance communication is enabled in Client Connectivity Settings:














    Failover functionality information can be found here: About the Cloud Service Appliance Failover Mode in LDMS 9.6








    Push out the agent or schedule update to agent settings (depends on whether you have pushed the agent to the clients previously).



    How to update Agent settings:





















    Unattended configuration of the client for the Cloud Service Appliance

    Refer to this community document: How to Perform an Unattended configuration of the client for the Cloud Services Appliance



    Manual Configuration of the Agent



    After the agent is successfully installed on the client, run BrokerConfig.exe located in C:\Program Files (x86)\LANDesk\LDClient



    When BrokerConfig.exe is run, the above dialog is displayed. The IP address of the Cloud Service Appliance will be displayed if the Core Server was configured for the CSA prior to the agent deployment. By default the agent will use the proxy settings from Internet Explorer. Manual configuration of the proxy settings will override all other proxy configurations. "Dynamically determine connection route" is the recommended setting for clients. The other settings are mainly for testing purposes or unique environments.


    The LANDESK user needs to be a member of the LANDESK Management Suite group but does not need to have a scope or any rights.



    Scripting Broker Request Process


    The Agent can be configured for the Cloud Service Appliance through a Software Distribution task. If configured using a Software Distribution task, no user intervention is required. A custom script 'Create Management Gateway Client Certificate' is available by default. This custom script will run BrokerConfig.exe -r. The switch -r will allow the Core Server and client to create and post certificates with no user intervention. BrokerConfig.exe -r can be created as a Software Distribution task and any delivery method used. Unattended client configuration for the CSA requires that the client be in-band or have direct communication with the Core Server.












    Testing Communication


    The test button will test the communication and the credentials entered. Credentials should only be applied when testing externally (from a client off the network). If credentials are used internally, the test will always fail.







    Agent Configuration that leverages the Cloud Service Appliance


    If the Node will be managed through the CSA, the agent needs to be configured to initiate all types of management traffic. All Software Distribution tasks will need to be delivered by Policies.


    Remote Control of Unmanaged Clients


    This section will cover setting up unmanaged client remote control through the LANDESK Cloud Service Appliance for the viewer and client side. The viewer will need to be customized to connect through the CSA and the client needs to have an on-demand remote control agent running. This agent uninstalls after the remote control session ends.


    On Demand Remote Control Agent


    Steps to create an on-demand remote control agent for download and installation:



















    Now if you go to <CSA address>/client/tools.php you will find the package that you created under "Available Packages".


    Remote Control Viewer





    Once the file downloads, open it and run it.









    This is a best practice guide based upon the objectives outlined. Configurations of the CSA can vary based on network configuration.