16 Replies. Latest reply on Oct 19, 2020 12:51 AM by Fabrice POLTORATZKY

    how to configure a reverse proxy for bcm relay?

    Fabrice POLTORATZKY

      We are using a Fortinet ADM as a reverse proxy on our customer infra. Does anyone know about how to configure the reverse proxy rule in order to route any BCM agent communication to the BCM relay on the private DMZ?

       

      When we use a rule that filters on the HTTP header, the connection to https://[publicdnsalias]:1610/ works but the client agent fails with the following error:

       

      Failed to verify the supplied relay ([public DNS Alias])

       

      My question is how to recognise the BCM agent HTTPS traffic among all the other traffic?

      I have checked the reverse proxy capabilities and we can use a regular expression if we know which keyword is part of the HTTPS header...

        • 1. Re: how to configure  a reverse proxy for bcm relay?
          Steve Gibbs

          Fabrice POLTORATZKY,

           

          If you are using the default ports (1610 and 1611) just allow those uncommon ports through...  You can review this article:

          How to Manage Devices over the Internet (DMZ Relay)

           

          Hopefully I did not misunderstand your question.

           

          Steve

          • 2. Re: how to configure  a reverse proxy for bcm relay?
            Fabrice POLTORATZKY

            Thanks Steve!

             

            The way to implement a DMZ relay through a firewall is well known to me... Here we have a private DMZ where we would like to use the same relay for LAN clients and for the Internet clients. So, in addition to the firewall, we are using a reverse proxy that handles all the traffic between internal and external networks.

             

            So the reverse proxy is able to manage client requests and redirect them to our relay according to different rules.

            If someone has already implemented such a configuration, please let me know.

            • 3. Re: how to configure  a reverse proxy for bcm relay?
              Steve Gibbs

              I am researching now "Fortinet ADM" but hopefully there are "experienced" folks that have already faced this challenge to answer your question.

               

              Dominik Kress or Julien Devienne, are either of you versed in this reverse proxy or another reverse proxy configuration requirement?

               

              I wonder if the "mechanism" property if using Relay List is using the proxy IP or if SSL handshake is the problem.

               

              Fabrice POLTORATZKY...  Are you testing a device where the Relay is either STATIC or BACKUP as the first option, so it is not dynamic?

              • 4. Re: how to configure  a reverse proxy for bcm relay?
                Fabrice POLTORATZKY

                I have tested both static as the first option and then backup. In my case:

                 

                static defines the relay FQDN for the LAN clients

                backup defines the public dns alias (bmcr.mydomain.fr) for the internet clients

                • 5. Re: how to configure  a reverse proxy for bcm relay?
                  Steve Gibbs

                  Thanks...  I am using Wireshark now to see if I can locate ANYTHING you can test to isolate BCM packet traffic...  Hopefully we can get others to get the answer you need sooner than later! I was concerned that using Proxy mode the product holds the entire message to fully inspect...  not sure if you may also be running into timeout issues:

                   

                  Administration Guide | FortiGate / FortiOS 6.4.0 | Fortinet Documentation Library

                  • 6. Re: how to configure  a reverse proxy for bcm relay?
                    Dominik Kress

                    Hi Fabrice,

                     

                    Since the provided address https://publicdnsalias:1611/login is available and BCM 20.08 answers, your reverse proxy configuration looks good. Also, port 1610 does answer correctly.

                     

                    The provided error message (failed to verify) means that the client can't reach its parent device. On the relay you are using a wildcard certificate. Did you also add this certificate to your agent configuration?

                     

                    It should be enough to redirect the full HTTPS traffic from ports 1610 and 1611 to your relay. The client agent then discovers that it isn't reachable from the parent device and will change the communication to a tunnel connection (60 seconds heartbeat to keep the tunnel alive).

                     

                    You should remove your public DNS alias from your last post.

                    • 7. Re: how to configure  a reverse proxy for bcm relay?
                      Steve Gibbs

                      Thanks Dominik for jumping in...  I did see the common "Failed to Verify Relay", which I see a lot when a firewall rule on the relay does not have the required ports open or the firewall between two networks is not configured to allow bi-directional traffic.

                       

                      Fabrice, can you restart the agent on your test device and then look at the agent log file and filter the logs for RELAY?  This will show the IP address or name of the device that the agent tried to use as the relay.

                       

                      Also, please confirm that the advanced firewall rules are in place on the relay? Is this relay currently in use and has devices connected to it or is this a new setup and no devices are using this relay? Just needing to confirm the relay is properly configured as you go down this road of troubleshooting this issue.

                       

                      EDIT (ADDED LOG DATA FILTERED Module=Relay)

                      Agent Restart

                      2020/10/16 09:33:43 Relay                           I   [6836]  Scheduling <job.parent.check> now
                      2020/10/16 09:33:43 Relay                           I   [4552]  Processing <job.parent.check>
                      2020/10/16 09:33:43 Relay                           I   [4552]  Synchronized with relay 10.9.1.201 (self_ip=10.9.1.204, local_ip=10.9.1.204, relay_guid=AGENT_C9235395F499B60EFD55857CD2FC43D6, relay_port=1611)
                      2020/10/16 09:33:43 Relay                           I   [4552]  Cient Ip address is changed from  to 10.9.1.204
                      2020/10/16 09:33:43 Relay                           I   [4552]  Processing <event.agent.runtime.parent.updated>
                      2020/10/16 09:33:43 Relay                           I   [4552]  We cannot be reached by our parent.Opening tunnel...
                      2020/10/16 09:33:43 Relay                           I   [4552]  Opening tunnel (relay_guid=AGENT_C9235395F499B60EFD55857CD2FC43D6)
                      2020/10/16 09:33:43 Relay                           I   [4552]  Scheduling <job.parent.tunnel> with 60 second(s) timeout
                      2020/10/16 09:33:43 Relay                           I   [4552]  Scheduling <job.parent.check> with 3600 second(s) timeout
                      2020/10/16 09:33:43 Relay                           I   [4552]  Firing <callback.TransferWindowCallbackWindowChange> with [ShareType: true]
                      2020/10/16 09:33:43 Relay                           I   [4552]  Firing <callback.RelayCallbackChangeRelay> with [ParentName: 10.9.1.201][ParentAddr: 10.9.1.201][ParentPort: 1610][ParentGuid: AGENT_C9235395F499B60EFD55857CD2FC43D6][ParentConsolePort: 1611]
                      2020/10/16 09:34:43 Relay                           I   [8036]  Processing <job.parent.tunnel>

                       

                      I have a Wireshark capture from when I restarted my agent that I am willing to share.  You will need to install Wireshark in order to load/view the results. Because all the traffic is encrypted using my CERT, I am not sure if this will help...

                       

                      Here is a screen shot of the first packet going to the relay after I restarted my client agent:

                      [screenshot not reproduced in this extract]

                      Let me know if you want the wireshark capture file but not sure that will help you out....

                      • 8. Re: how to configure  a reverse proxy for bcm relay?
                        Fabrice POLTORATZKY

                        Thanks Dominik!

                        What do you mean by "add the wildcard certificate to your agent configuration"?

                        You mean relay agent, client or both? or only install this certificate on the relay server?

                        • 9. Re: how to configure  a reverse proxy for bcm relay?
                          Fabrice POLTORATZKY

                          No thanks I do not need your wireshark capture.

                          • 10. Re: how to configure  a reverse proxy for bcm relay?
                            Fabrice POLTORATZKY

                            Yes, my relay already has devices connected from LAN client devices.

                            If I use a Layer 7 proxy rule, I get the following error on the client:

                             

                            020/10/16 16:40:36 SecurityProductsManagement      I   [15120] Not sending unchanged security products management inventory
                            2020/10/16 16:40:43 AgentActionDB                   I   [10180] Invoke local action AgentGetTcpIp
                            2020/10/16 16:40:43 AgentActionDB                   I   [10180] Action AgentGetTcpIp returned 0
                            2020/10/16 16:40:43 AgentActionDB                   I   [10180] Invoke local action AgentGetTcpIp
                            2020/10/16 16:40:43 AgentActionDB                   I   [10180] Action AgentGetTcpIp returned 0
                            2020/10/16 16:40:43 AgentActionDB                   I   [10180] Invoke action RelayCheckClient on remote host '[64:FF9B::5376:DB10]:1610', user 'BMC Client Management Agent'
                            2020/10/16 16:40:43 Socket                          D   [4696]  SslHandshake - Fatal error (SSL_ERROR_SSL)
                            2020/10/16 16:40:43 Socket                          D   [4696]  SslHandshake - Error details (error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed)
                            2020/10/16 16:40:43 SecureLib                       W   [10180] PAC: Application Error (routine: recv_srv_hello, object: packet, reason: recv_failed)
                            2020/10/16 16:40:43 AgentActionDB                   D   [10180] Remote action invocation failed, XML error: 4 (TCP CONNECTION FAILED)
                            2020/10/16 16:40:43 Relay                           W   [10180] Failed to verify the supplied relay (bmcr.universcience.fr)
                            2020/10/16 16:40:43 Relay                           I   [10180] Scheduling <job.parent.select> with 3600 second(s) timeout
                            2020/10/16 16:40:43 Socket                          D   [11532] BufferedSocket: receive failed
                            2020/10/16 16:40:49 FileStore                       I   [1792]  MulticastThread: No Multicast window defined

                             

                            It is clearly an SSL handshake failure. Strange that RelayCheckClient is using an IPv6 address...

                            • 11. Re: how to configure  a reverse proxy for bcm relay?
                              Dominik Kress

                              The agent does use the certificate for authentication (and a bit more). Because of this, all agents which communicate with each other need to have the same certificate (master, relay, client).

                               

                              I guess that you did not change the default SSL certificates for BCM, but your reverse proxy uses your company wildcard (*.company) to secure the webpage. This will result in an SSL handshake failure.
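The log-reading steps above (Steve's "filter the logs for RELAY" and the two outcomes the thread distinguishes: a tunnel being opened versus the agent rejecting the certificate the proxy presents) as a small added example; this is not code from the thread or from BMC. It parses the agent log layout quoted in the posts and classifies the parent check; the sample lines are constructed from the quoted extracts with the hostname and relay GUID replaced by placeholders.

```python
import re
from typing import Iterable, Optional

# Layout of a BCM agent log line, as seen in the extracts quoted in this thread:
#   "YYYY/MM/DD HH:MM:SS <Module> <Level> [<thread>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(?P<module>\S+)\s+"
    r"(?P<level>[IWDE])\s+\[(?P<thread>\d+)\]\s+(?P<msg>.*)$"
)

# Constructed sample logs modelled on the quoted lines; hostname and GUID are placeholders.
LOG_VIA_PROXY = """\
2020/10/16 16:40:43 AgentActionDB                   I   [10180] Invoke action RelayCheckClient on remote host 'bmcr.example.invalid:1610', user 'BMC Client Management Agent'
2020/10/16 16:40:43 Socket                          D   [4696]  SslHandshake - Fatal error (SSL_ERROR_SSL)
2020/10/16 16:40:43 Socket                          D   [4696]  SslHandshake - Error details (error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed)
2020/10/16 16:40:43 Relay                           W   [10180] Failed to verify the supplied relay (bmcr.example.invalid)
2020/10/16 16:40:43 Relay                           I   [10180] Scheduling <job.parent.select> with 3600 second(s) timeout
"""
LOG_DIRECT = """\
2020/10/16 09:33:43 Relay                           I   [4552]  Synchronized with relay 10.9.1.201 (self_ip=10.9.1.204, local_ip=10.9.1.204, relay_guid=AGENT_PLACEHOLDER, relay_port=1611)
2020/10/16 09:33:43 Relay                           I   [4552]  We cannot be reached by our parent.Opening tunnel...
2020/10/16 09:33:43 Relay                           I   [4552]  Scheduling <job.parent.tunnel> with 60 second(s) timeout
"""

def parse_line(line: str) -> Optional[dict]:
    """Split one agent log line into its fields; None for blank or unrecognised lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def filter_module(lines: Iterable[str], module: str) -> list:
    """The 'filter the logs for RELAY' step: keep only entries written by one module."""
    return [e for e in map(parse_line, lines) if e and e["module"].lower() == module.lower()]

def diagnose(lines: Iterable[str]) -> str:
    """Classify the parent check from the message signatures discussed in the thread."""
    msgs = [e["msg"] for e in map(parse_line, lines) if e]
    verify = next((m for m in msgs if "Failed to verify the supplied relay" in m), None)
    if verify and any("certificate verify failed" in m for m in msgs):
        # The agent refused the certificate it was shown: a TLS-terminating proxy presenting
        # its own (e.g. wildcard) certificate instead of the certificate the agents share.
        host = re.search(r"\((.+?)\)\s*$", verify).group(1)
        return f"peer-cert-rejected:{host}"
    if any("Opening tunnel" in m for m in msgs):
        return "synchronized-via-tunnel"   # relay reached; agent not reachable inbound
    if any("Synchronized with relay" in m for m in msgs):
        return "synchronized-direct"
    return "no-relay-outcome"
```

Run `diagnose()` over a real agent log after a restart: "peer-cert-rejected" with the public alias as host is the signature of the proxy terminating TLS with its own certificate, while "synchronized-via-tunnel" is the healthy outcome Dominik describes.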

                              • 12. Re: how to configure  a reverse proxy for bcm relay?
                                Dominik Kress

                                In addition to my last answer here is a link which describes the SSL mechanism of BCM:

                                SSL certificates - Documentation for BMC Client Management 20.08 - BMC Documentation

                                • 13. Re: how to configure  a reverse proxy for bcm relay?
                                  Steve Gibbs

                                  I am going out on a limb and will say that the reverse proxy is acting like a relay as it intercepts and inspects and then forwards. It acts like a "man in the middle". BMC Client Management is doing everything it should by not trusting a device without the proper handshake (PAC 2). Security is very important and connections are dropped if not able to use the trusted CERT to perform the required handshake.

                                   

                                  I recommend you work with the vendor of the reverse proxy and pose the same question to them to see how to configure with required certs.  Maybe they have come across this scenario with other customers. You can also open a ticket with your L1 support provider for BCM and see if there is a known fix in their KA DB.

                                   

                                  All certs are located in the bin directory of the master server.

                                   

                                  I am sorry there was no easy answer to your question.

                                   

                                  Steve

                                  • 14. Re: how to configure  a reverse proxy for bcm relay?
                                    Fabrice POLTORATZKY

                                    Here is what I have found in the vendor documentation:

                                    Chapter 16: SSL Transactions

                                    As BCM needs its own handshake, I would test the Layer 7 SSL decryption by forward proxy approach...
