cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Agent Certificate Authentication (Azure App GW v2)

Hi,

Just in case if anyone out there is pondering about mutual authentication of agents and Beacon over the Internet, on Azure the best solution in my opinion is to use Application Gateway (v2) instead of IIS. Exposing a VM to Internet using IIS-configured certificate authentication is available, but likely not the most secure method. App GW v2 allows certificate authentication via SSL Policies at the front end as well as in the back end if required along with end-to-end TLS. Once  App GW v2 and certificates are set up, beaconengine.config needs to be configured to use the app GW public DNS name instead of beacon hostname. Naturally certificate revocation checks need to be disabled on agents when using self-signed certificates.

Note that self-signed certificates do not work at the back end of App GW v2 (or at least I could not make them work without the 502 error) but you can do http at the back end without problems as https is already used at the front end. With trusted certificate https should work at the back end as well.

See the attachment for simplified configration diagram.

 

1 Reply
ChrisG
Community Manager Community Manager
Community Manager

Thanks for sharing the interesting idea!

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)
0 Kudos