Best Known Method for Configuring LANDESK Cloud Service Appliance (former Management Gateway) version 4.2 and newer

This article is intended to provide a set of recommended configurations for LANDESK Cloud Service Appliance. The CSA configuration will allow an external (off the network) client to be managed.

Here is a video of the process that includes core and agent side information: LANDESK - CSA - Installation and Configuration - YouTube

LANDESK Cloud Service Appliance is an Internet software appliance that uses patented technology to help provide secure communication and management functionality to external devices. It acts as a meeting place where the Core Server and managed nodes are linked through their Internet connections. All management traffic must be initiated by the client agent.

The LANDESK Cloud Service Appliance requires that all traffic be client initiated. When managed through the CSA Inventory, Software Distribution, Remote Control and Security Suite functionality are supported. Software Distribution requires that the packages be hosted on an http share on the Core Server or on a share accessible from the external network.

Configuration of the Gateway

The LANDESK Cloud Service Appliance configuration requires multiple steps. The following steps of the configuration will be explained in this article:

Cloud Service Appliance network placement
CSA configuration
Agent configuration for Gateway communication

Installation of the Cloud Service Appliance

The following are LDCSA installation parameters:

On CSA 4.2 No Media required for installation
The Media is pre-installed and stored for recovery purposes on a hidden partition (CSA 4.2)
On CSA 4.3 Installation USB is required
On the first system boot a username and password are required

Username: admin Password: admin

Note: On Cloud Service Appliance 4.3, it will prompt you to change the password on the first login. The service account password will be automatically set to whatever you change your admin account's password on the first login. It is recommended that you set a different password for a service account later.

After logging in the Cloud Service Appliance web page launches. The following steps should be done from the web page in the following order after logging in:

Accept the End User License Agreement.
Configure The Network for the Appliance. This includes assigning IP address, assigning DNS, and assigning a host name and Domain information.
Activate the Appliance (use the same credentials you used for your LDMS core)
Change the Admin Password

The Cloud Service Appliance has the ability to allow encryption levels that are less than 128 bit (Country Restriction). For countries that do not have restrictions all traffic less than 128 bit can also be blocked. This setting is on the Gateway Services tab on the Cloud Service Appliance web console. See the screenshot below:

Block Services

From the Security Tab on the Cloud Service Appliance web page services for the CSA can be enabled / disabled as needed for security purposes.

Network Settings

The network is configured from the Cloud Service Appliance web page. The IP address is bound to the NIC on this page, DNS server (s) are set, as well as Domain and Hostname.

Configure Date and Time first.

Steps:

1. Click on System > Network Settings

2. Remove any references to the 192.168.0.1 and 192.168.0.2

3. Set IP, subnet, and gateway for your network on eth0.

4. Click add

5. Set the hostname and dns suffix for your device

6. Click save

7. Click on the hostnames tab.

8. Remove any references to the 192.168.0.1 and 192.168.0.2

9. We will want to add the core here.

10. Core IP, Core FQDN, Core Hostname click add

11. Ping license.landesk.com, patchec.landesk.com and patch.landesk.com to obtain the IP addresses.

12. Enter the IP, license.landesk.com, license.landesk.com click add

13. Enter patch IP, patch.landesk.com, patch.landesk.com click add.

14. Click save

15. Click on the security section.

16. Remove any subnets you use from the blocked list.

17. Add the core IP to trusted

18. Add the patch.landesk.com, patchec.landesk.com and license.landesk.com IP's in the trusted

19. Click save at the bottom

20. Click on the users section. Make sure you know the service account password; we will need this to configure the core. It will only be used on the core in one location(Manage Gateway/Manage Cloud Service Appliances), so if you don't know it go ahead and reset it so you can have the correct password

21. Click on the Gateway Service Section. In the additional Hostnames section you will want anything the gateway can resolve to or from, FQDN, internal and external IP, Etc

22. Click Save

(Reference: Quick Gateway (Cloud Service Appliance) Configuration)

CSA Activation

System Updates:

The CSA allows updates to be downloaded to the appliance and applied when necessary.

Note:

4.2 CSA

Recommended patch order:

GSBWEB_61
GSBWEB_62
GSBWEB_63
GSBWEB_64
GSBWEB_68
GSBWEB_72
EECERT_1
BROKER_22
BROKER_27
BROKER_28
openssh-5.6p1-1.19
OPENSSH_5.8
BOOTSCRIPTS_2.3
DBUPDATE_1
SUMO-6.0
SECURITY_1

4.3 CSA

Patches are cumulative unless specified. Install the most recent patch available

Back Up and Restore

The CSA appliance has the ability to backup and restore the system settings. The appliance can be backed up at any time or can be configured to do a backup Weekly or Monthly. The configurations can be exported off the device and save to a desired location. If needed an import of any configuration can be done at any time. The backup export can be performed only on the web console of the CSA.

Shutdown and Reboot

The Cloud Service Appliance can be shutdown and / or rebooted remotely. The only requirement is access to the CSA web page internally or externally.

Cloud Service Appliance Configuration

The CSA can be configured in a single NIC or a dual NIC configuration. Additional configuration is required if Port Forwarding is being used to pass traffic to the CSA.

Single NIC configuration

The CSA can be configured using a single NIC. In a single NIC configuration, the Core Server and the clients will need to be able to create an SSL connection to the CSA. By default the Core Server and clients will use the IP address of the CSA.

Basic Configuration Steps:

Add an IP Address to the NIC in the Network Configutaion
Configure the CSA firewall; add any non-routable IP addresses and IP ranges that should be blocked. Make sure that applicable subnets are allowed.
Route the incoming traffic from the Internet address to the CSA
Ensure that the firewall is set to ENABLED in the CSA

This configuration allows the clients to connect to the IP of the CSA and pass traffic through the CSA to the Core Server.

Dual NIC Configuration of the Cloud Service Appliance

The two NIC design allows for configuration that the IP address associated with the 'external' network can be associated with a NIC and the Core Server can communicate to the CSA on an internal IP address assigned to a second NIC. This allows for both internal and external communication without requiring IP routing between the networks.

Basic Configuration Steps:

Add an IP address to each NIC in the network configuration
Assign an FQDN to the external IP address and update the DNS servers. i.e. LDGATEWAY.COMPANY.COM
Configure the CSA firewall; add any non-routable IP addresses and ranges that should be blocked. Make sure that applicable subnets are allowed
Route the incoming traffic from the Internet address to the CSA
Ensure that the internal NIC of the CSA is set to ENABLED in the CSA
Ensure that the internal NIC of the CSA is connected to the internal side of the network

Note: It is recommended that the internal IP address be on the same subnet as the Core Server. If the appliance is not on the same subnet a route will likely need to be added for CSA version 4.2. This can be done from the appliance by selecting ALT+<F2>, and then right clicking and choosing Xterm. This allows a terminal session to the appliance. See Cloud Services Appliance 4.2 - How To Add a Persistent Static Route for adding a persistent route.

This configuration allows the clients to connect to the external IP address of the Cloud Service Appliance and pass traffic through it. This will allow for the physical separation of client and core server traffic. These steps provide an overview of the settings necessary to implement the two NIC configurations. Actual commands for routers, firewalls, etc., are not known as the network configuration and hardware vary.

Port Forwarding

Port Forwarding is a network configuration that allows for traffic to be sent to an address and then be forwarded to the actual device. Port Forwarding is utilized in many environments to isolate or protect a device. Port Forwarding can be used in Dual NIC or Single NIC configurations. All client traffic is on port 443. The clients must have an IP address that is accessible from external network . The following diagram is an illustration of this configuration. The external IP address is assigned to the Firewall and then the traffic on port 443 is forwarded to the Cloud Service Appliance.

Operating System

The Cloud Service Appliance is a custom build of Linux. CentOS 6.3 64 bit.
Only the necessary software for performing the actions and functions of the CSA are installed. This is done to limit the exposure and tolls available for attack.
No common external access utilities exist on the system (ie: wget, httpclient, ftp client, ncftp, lynx ...).
Connections to the CSA from remote clients and the Core Server are passed over SSL encrypted connections on port 443. The SSL sessions are signed by a LANDESK certificate. If this certificate is modified in any way, the CSA service will shut down.
Using a secure SSL tunnel, the CSA routes data between the client and the Core Server as long as they have an open connection on the CSA. The SSL data is not decrypted at the CSA. This provides security and allows a larger number of connections by minimizing CPU utilization. By leaving the data encrypted this eliminates the need for complex synchronization between the connections, when data is received, it is sent on to its destination without delay.
The Cloud Service client connections providing improper authentication, inappropriate syntax, or public key data are dropped.
Five (configurable) invalid authentication attempts from clients will lockout the client for a pre-determined amount of time (also configurable).
Once the connection between a Core Server and a client is established, the handshake and data encryption keys are left to the core. No un-encryption is performed by the CSA. This eliminates the possibility of a 'man in the middle' attack at the CSA.
All incoming connections (except SSH) are handled by the Gateway service.

Ports

Port 443 (HTTPS) (in/out) -- Port 443 is used for all management and client CSA traffic
Port 80 (HTTP) (in) -- Port 80 is only used for a default web page (optional)
Port 80 (HTTP) (out) -- Port 80 is used for licensing and patching of the CSA
Port 25 (SMPT) (outgoing only) -- Port 25 is used to email logs and alerts from the CSA to the configured email addresses
Port 22 (SSH) is allowed -- SSH connection can be used for terminal administration

Firewall

All ports / services / addresses are denied by default at the firewall

IP spoof detection in use.
SYN packet filtering is turned on.
UDP / ICMP filtering.
Explicit denial after exception list.
List of IP address ranges. The list is from various security sites, edits to the list are recommended. If internal (non routable) IP address ranges.

User accounts

The 'root' user login is disabled by default.
The 'admin' user is the only user that can connect via SSH and will require elevated privileges.
System accounts lockout for period of time after 5 consecutive bad login attempts.

Software - Applications

Outgoing SMTP mail is handled by customer build mail application. (Sendmail is NOT installed)
Tripwire file scanning is performed at regular intervals on the system to detect possible compromised files.
Web interface and Gateway service processes run unprivileged.
Internal database server runs with network support disabled.
CSA web console operates over authenticated SSL only (HTTPS port 443).

Core Configuration

After installing the Cloud Service Appliance, Core Server needs to be configured to connect to the CSA. This step must be completed before configuring managed devices to use the CSA.

The 'Manage Cloud Services Appliances' option is available only from the core console, not from remote consoles. A LANDESK Administrator right is required to run 'Manage Cloud Service Appliances'.

From the console on the Core Server, Click Configure | Manage Cloud Service Appliances.

On the Cloud Service Appliance information tab, specify CSA information.

Agent Configuration

After the agent is configured on the client, the agent will need to be configured to communicate through the Cloud Service Appliance if desired. By default the agents will only communicate to the Core Server. Configuration of the agent will require that information be posted to the Core Server database. Configuration of the agent will require that information be posted to the Core Server database. Configuration of the client will require credentials to ensure the integrity of the database.

To provide secure communication between the client and Core Server, a certificate will be created for each client. Certificate information is stored in the database for the Core Server and in the Broker folder on the client. Each certificate can be repudiated if needed. When a certificate is repudiated certificate will be blocked at both the CSA and the Core Server. Only repudiated certificates are stored on the CSA.

Prior to configuring the clients make sure Cloud Service Appliance communication is enabled in Client Connectivity Settings:

Failover functionality information can be found here: Cloud Service Appliance Failover Mode LDMS 9.6

Push out the agent or schedule update to agent settings (depends on whether you have pushed the agent to the clients previously).

How to update Agent settings:

Unattended configuration of the client for the Cloud Service Appliance

Refer to this community document: Unattended configuration of client for the Cloud Services Appliance

Manual Configuration of the Agent

After the agent is successfully installed on the client; run BrokerConfig.exe located in C:\Program Files (x86)\LANDesk\LDClient

When BrokerConfig.exe is run the above dialog is displayed. The IP address of the Cloud Service Appliance will be displayed if the Core Server was configured for the CSA prior to the agent deployment. By default the agent will use the proxy settings from Internet Explorer. Manual configuration of the proxy settings will override all other proxy configurations. Manual configuration of the proxy settings will override all other proxy configurations. "Dynamically determine connection route" is the recommended setting for clients. The other settings are mainly for testing purposes or unique environments.

The LANDESK user needs to be a member of the LANDESK Management Suite group but does not need to have a scope or any rights.

Scripting Broker Request Process

The Agent can be configured for the Cloud Service Appliance through a Software distribution task. If configured using a software distribution task no user intervention is required. A custom script 'Create Management Gateway Client Certificate' is available by default. This custom script will run Brokerconfig.exe -r. The switch -r will allow the Core Server and client to create and post certificates with no user intervention. BrokerConfig.exe -r can be created as a software distribution task and any delivery method used. Unattended client configuration for the CSA requires that the client be in-band or have direct communication with the Core Server.

Testing Communication

The test button will test the communication and the credentials entered. Credentials should only be applied when testing externally (off the network client). If credentials are used internally, the test will always fail.

Agent Configuration that leverages the Cloud Service Appliance

If the Node will be managed through the CSA, the agent needs to be configured to initiate all types of management traffic. All Software Distribution tasks will need to be delivered by Policies.

Remote Control of Unmanaged Clients

This section will cover setting up unmanaged client remote control through the LANDESK Cloud Service Appliance for the viewer and client side. The viewer will need to be customized to connect through the CSA and the client needs to have an on-demand remote control agent running. This agent uninstalls after the remote control session ends.