Applies to Platform: UTM 6.7.6 (and newer)
Last Updated: 11th Dec 2024
This article describes how an EndianOS appliance can communicate with Endian Network when it is required to use an upstream proxy for Internet access. This can be the case in certain sensitive or high-security enterprise networks. Before we dive into the details, let's start with an explanation of the two primary components of Endian Network communications from the viewpoint of an Endian appliance:
en-client
This is responsible for interfacing with Endian Network using the standard HTTP protocol over TCP 443. Its main functions include:
- Registering the appliance in Endian Network
- Synchronizing system information to make it visible on Endian Network
- Installing an SSH key
- Deregistering the system
en-liveclient
This is responsible for handling authentication and real-time communications, and uses a non-standard protocol over TCP 8991. Its main functions include:
- Authenticating to Endian Network
- Communicating the appliance status (presence)
- Managing the remote access requests via Web or SSH
How to Use Behind an Upstream Proxy
Since the en-client process uses the standard HTTP protocol, it works through an upstream proxy without issues (including support for authentication).
However, the en-liveclient does not typically function correctly through an upstream proxy unless certain features are enabled on that proxy. In order to utilize the en-liveclient, you should configure the following on the upstream proxy:
- Allow the opening of HTTP tunnels (using the CONNECT method)
- Forward the traffic plainly, without performing SSL interception (or "bump"), which could interfere with the proper functioning of the tunnel
In addition, if you wish to utilize the remote access requests for SSH, the network firewall in front of the Endian appliance must allow SSH (TCP 22) for outgoing traffic.
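One way to check the first proxy requirement from a host behind the proxy, as an added example that is not Endian's own tooling: it sends a CONNECT request for TCP 8991 to the upstream proxy and classifies the reply. The proxy address and the target name `endian-network.example` are placeholders (the article does not give the real endpoint), and the probe does not detect SSL interception.

```python
import socket

def parse_connect_reply(raw: bytes) -> tuple[int, str]:
    """Return (status_code, reason) from the proxy's reply to CONNECT."""
    status_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), parts[2] if len(parts) > 2 else ""

def classify(status: int) -> str:
    """Map the proxy's status code to what it means for en-liveclient."""
    if 200 <= status < 300:
        return "tunnel-allowed"        # CONNECT to this port is permitted
    if status == 407:
        return "proxy-auth-required"   # proxy wants credentials first
    if status in (403, 405):
        return "connect-blocked"       # CONNECT method or port is refused
    return "unexpected"

def probe_connect(proxy_host, proxy_port, target_host,
                  target_port=8991, timeout=5.0) -> str:
    """Ask the proxy to open a tunnel to target_host:target_port."""
    request = (
        f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
        f"Host: {target_host}:{target_port}\r\n\r\n"
    ).encode("ascii")
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(request)
        raw = b""
        # Read only the response headers; the tunnel itself is not used.
        while b"\r\n\r\n" not in raw and len(raw) < 8192:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    status, _reason = parse_connect_reply(raw)
    return classify(status)

# Example call (placeholder proxy address and target name):
#   probe_connect("proxy.corp.example", 3128, "endian-network.example")
```

A result of `connect-blocked` usually means the proxy restricts CONNECT to port 443 and needs TCP 8991 added to its allowed tunnel ports.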