
Agent Certificate Authentication (Azure App GW v2)

Hi,

In case anyone out there is pondering mutual authentication of agents and Beacon over the Internet: on Azure, the best solution in my opinion is to use Application Gateway (v2) instead of IIS. Exposing a VM to the Internet using IIS-configured certificate authentication is possible, but likely not the most secure method. App GW v2 allows certificate authentication via SSL policies at the front end, as well as in the back end if required, along with end-to-end TLS. Once App GW v2 and the certificates are set up, beaconengine.config needs to be configured to use the App GW public DNS name instead of the beacon hostname. Naturally, certificate revocation checks need to be disabled on agents when using self-signed certificates.

Note that self-signed certificates do not work at the back end of App GW v2 (or at least I could not make them work without the 502 error), but you can use HTTP at the back end without problems, as HTTPS is already used at the front end. With a trusted certificate, HTTPS should work at the back end as well.

See the attachment for a simplified configuration diagram.
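
The following script is an added example to go with the post above; it is not the poster's own configuration or Flexera's code. It issues a self-signed "agent CA" and an agent client certificate with openssl, verifies the chain locally, and, only when invoked with `apply`, pushes the mutual-TLS pieces to an existing Application Gateway v2 with the Azure CLI: upload the CA as a trusted client certificate, create an SSL profile that requires a client certificate and pins a predefined TLS policy, attach the profile to the public HTTPS listener, and create plain-HTTP backend settings as the poster ended up doing. The resource names (`rg-beacon`, `agw-beacon`, `https-443`, `beacon-agent-ca`, `beacon-mtls`, `beacon-http80`) and the 3072-bit RSA keys are assumptions; the beaconengine.config change and the agent-side revocation setting are not scripted here.

```shell
#!/bin/sh
# Added example (not from the original post). Usage:
#   ./agw-mtls.sh gen ./pki agent01      # create ca.pem, agent01.pem, agent01.key
#   ./agw-mtls.sh apply ./pki/ca.pem     # configure App GW v2 (needs az login)
# RG, GW and LISTENER are assumed names for an existing gateway and HTTPS listener.
set -eu

RG="${RG:-rg-beacon}"
GW="${GW:-agw-beacon}"
LISTENER="${LISTENER:-https-443}"

# Issue a self-signed root CA and one agent client certificate under $1.
# The agent cert carries the clientAuth EKU that a TLS client certificate needs;
# the CA PEM is what gets uploaded to App GW as the trusted client certificate.
make_agent_certs() {
    dir="$1"; agent="$2"
    openssl req -x509 -newkey rsa:3072 -sha256 -days 825 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Beacon Agent CA" 2>/dev/null
    openssl req -newkey rsa:3072 -sha256 -nodes \
        -keyout "$dir/$agent.key" -out "$dir/$agent.csr" \
        -subj "/CN=$agent" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$dir/client.ext"
    openssl x509 -req -in "$dir/$agent.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$dir/client.ext" \
        -out "$dir/$agent.pem" 2>/dev/null
}

# Return 0 only if $2 chains to the CA in $1 and is marked for client authentication.
verify_agent_cert() {
    ca="$1"; cert="$2"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 &&
    openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Configure mutual TLS on the front end of an existing App GW v2 (assumed names).
apply_appgw_mtls() {
    ca="$1"
    # The CA that signed the agent certificates becomes the trusted client cert.
    az network application-gateway client-cert add -g "$RG" --gateway-name "$GW" \
        -n beacon-agent-ca --data "$ca"
    # SSL profile: client certificate required, verified against that CA,
    # with a modern predefined TLS policy pinned on the same listener.
    az network application-gateway ssl-profile add -g "$RG" --gateway-name "$GW" \
        -n beacon-mtls --trusted-client-certificates beacon-agent-ca \
        --client-auth-configuration true \
        --policy-type Predefined --policy-name AppGwSslPolicy20220101S
    # Attach the profile to the public HTTPS listener.
    az network application-gateway http-listener update -g "$RG" --gateway-name "$GW" \
        -n "$LISTENER" --ssl-profile beacon-mtls
    # Back end over plain HTTP, as in the post (self-signed backend cert gave a 502).
    az network application-gateway http-settings create -g "$RG" --gateway-name "$GW" \
        -n beacon-http80 --port 80 --protocol Http
}

case "${1:-}" in
    gen)   make_agent_certs "${2:-.}" "${3:-agent01}" ;;
    apply) apply_appgw_mtls "${2:-./ca.pem}" ;;
esac
```

The `gen` step runs offline; `apply` needs an authenticated `az` session and an App GW v2 that already has an HTTPS listener with a server certificate. Keep `ca.key` off the gateway and off the beacon: only `ca.pem` is uploaded, and only the agent's own `.pem`/`.key` pair goes to the agent host.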


(1) Reply
ChrisG (Community Manager)

Thanks for sharing the interesting idea!

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)