Deploy Ziti Edge Routers Behind a Proxy


Introduction: 

Enterprise network/security ops are becoming increasingly resistant to making changes in network or security gateways such as firewalls due to various reasons such as being aversive to risk, impact on regulatory compliance, lack of resources, complexity, etc. This introduces delays in the deployment of a CloudZiti edge such as a customer edge router in the LAN network behind the firewall. At times, the deployment itself is not feasible due to strict policies that do not allow changing outbound policies ( though CloudZiti does not require the opening of any inbound ports / IPs). However, the alternate approach taken by enterprises is to deploy network edge or WAN gateways behind the proxy. Proxies are typically configured with an allow-all outbound policy or it is relatively easier for policy changes on the proxy to allow the DNS / IP of the CloudZiti controller and public fabric routers. NetFoundry has introduced support for customer edge routers to work behind proxies. Only HTTP proxies without auth are currently supported. Coming soon, we are adding support for basic auth. Should you have any questions or feedback on this article, reach us at customer.success@netfoundry.io.

Architecture diagram of a customer edge router deployed behind a proxy:

ER-Proxy.jpg

The diagram above represents a customer edge router deployed behind a network proxy. The router can communicate with another router or endpoint in the network to initiate or receive traffic. 

 

Registering a customer edge router deployed behind a proxy:

New routers being deployed behind a proxy can be registered to the CloudZiti controller via the proxy. To register a customer edge router deployed behind a proxy, follow these simple instructions of setting the http / https proxy variables.

  1. Export the HTTPS proxy using the command:

    export HTTPS_PROXY=http://192.168.10.92:3128
  2. Register the router with the provided registration key using the router-registration command. Add the --proxyAddress option to specify the proxy address. Replace <REGKEY> with the actual registration key.

    router-registration --proxyAddress 192.168.10.92 <REGKEY> 

These commands will configure the necessary proxy settings and initiate the registration process for the customer edge router via the proxy Make sure to replace <REGKEY> with the actual registration key. 192.168.10.92 is the IP address of the proxy server in the above example. 3128 is the default proxy port.

 

You can verify that the registration process with the proxy address defined is updated in the router's config file:

root@:/opt/netfoundry/ziti/ziti-router# cat config.yml
v: 3
identity:
  cert: /opt/netfoundry/ziti/ziti-router/certs/cert.pem
server_cert: /opt/netfoundry/ziti/ziti-router/certs/server_cert.pem
key: /opt/netfoundry/ziti/ziti-router/certs/key.pem
ca: /opt/netfoundry/ziti/ziti-router/certs/ca.pem
ctrl:
endpoint: tls:xxxxx.production.netfoundry.io:443

proxy:
type: http
address: 192.168.10.92:3128

The data and control links established from the router are now routed via the proxy.

Configuring proxy server for a customer edge router that is already registered:

While we have discussed how to a router can be registered behind a proxy in the section above, we can also configure the network proxy for routers which are already registered. To achieve this, the router's config file has to be updated with the proxy information. When configured to use a proxy, the control & data plane traffic from the customer edge router is routed via the proxy.

1. Navigate to the Ziti-Router Configuration Directory:

ziggy@ip-192-168-0-232:~$ cd /opt/netfoundry/ziti/ziti-router/

2. Edit the Configuration File using vi (or any other text editor you prefer):

ziggy@ip-192-168-0-232:/opt/netfoundry/ziti/ziti-router$ sudo vi config.yml

3. Add the proxy information in the config file:

proxy:
type: http
address: 192.168.0.142:3128

192.168.0.142 is the IP address of the proxy server in the above example. 3128 is the default proxy port.

Configuring an explicit proxy for services hosted on a customer edge router:

We have so far discussed the steps to configure proxy server for data egressing from the router to the CloudZiti network. However, for services terminated on the router, which is ingress traffic from the CloudZiti network to the customer edge router, the proxy server details have to be configured while provisioning services. You can choose to have some services or all services routed via the proxy server to the router. 

Explicit proxy can be configured via host.v1 and host.v2 configurations .


Example using host.v1

{
"address": "192.168.2.50",
"port": 1234,
"protocol": "tcp",
"proxy": {
"address": "192.168.0.142:3128",
"type": "http"
}
}

Example using host.v2:

{
"terminators": [
{
"proxy": {
"type": "http",
"address": "192.168.0.142:3128"
},
"forwardPort": true,
"forwardAddress": true,
"forwardProtocol": true,
"allowedAddresses": [
"netfoundry.io"
],
"allowedProtocols": [
"tcp"
],
"allowedPortRanges": [
{
"low": 443,
"high": 443
}
]
}
]
}

192.168.0.142 is the IP address of the proxy server in the above example. 3128 is the default proxy port.

Exporting customer edge router VM Support Bundle via proxy:

To export the VM support bundle from an edge router that is running behind a proxy, follow these simple instructions:

  1. Export the HTTPS proxy using the command:

    export HTTPS_PROXY=http://192.168.10.92:3128
  2. Run the command to export the VM support bundle. Include the --proxyAddress option to specify the proxy address.

    sudo /opt/netfoundry/vm-support-bundle --proxyAddress 192.168.10.92

These commands will configure the necessary proxy settings and generate the VM support bundle from the edge router. 192.168.10.92 is the IP address of the proxy server in the above example. 3128 is the default proxy port.

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Article is closed for comments.