IGEL Cloud Gateway on Nutanix AHV

Some time ago I wrote about the new IGEL UD Pocket, the portable Universal Desktop Thin Client coming as a USB device (IGEL UD Pocket – Micro Universal Desktop Thin Client). Finally I found some time to implement the IGEL Cloud Gateway (ICG), which enables the Universal Management Suite (UMS) to securely manage endpoint devices outside the company network.

The UD Pocket boots IGEL Universal Desktop Linux on your computer. However, it does not make any changes to the operating system already installed on the hard disk, SSD or flash storage – UD Pocket runs entirely from the USB stick. With the latest firmware now it is also possible to turn your Apple Mac into a temporary IGEL Thin Client.

As the primary use case for the UD Pocket is to provide a secure and managed Thin Client environment for BYOD and unmanaged external endpoints, these devices are usually not part of your network and have no direct access to the IGEL Universal Management Suite (UMS), IGEL’s management console. That’s exactly where the IGEL Cloud Gateway (ICG) can jump in and fill the gap.

The IGEL Cloud Gateway (ICG) implements a secure connection between endpoint devices and the UMS, both of which are located inside private networks. There are two topologies for using ICG, suggested by IGEL:

[Figure: ICG in the Demilitarized Zone (DMZ) of the Company Network]
[Figure: ICG on the Internet (e.g. at a Cloud-Hosting Provider)]

I decided to place the ICG in our DMZ. The installation is available either as a virtual appliance or installer binary to install on your own (physical or virtual) Linux server. For my setup I wanted to use the virtual appliance, running on our Nutanix AHV cluster – and guess what – it works!

The installation is quite straightforward:

  1. Download the ICG Appliance zip archive
  2. Extract the archive
  3. Grab the .vmdk disk image
  4. Upload the disk image to Nutanix image service
  5. Create a new VM (2 vCPU / 2 Cores per vCPU, 2 GB RAM, DMZ NIC)
  6. Attach a disk by cloning from image services (Bus type SCSI)
  7. Boot the appliance

Setting up the virtual appliance

When your ICG appliance is up and running, you have to open a console on the virtual machine. On Nutanix this is really simple: in Prism, go to the VM and start the console, then log in as root with the password usgIGEL1123.

[Figure: IGEL Cloud Gateway appliance console]

The VM comes preconfigured with a US keyboard layout, so you might want to change it to a different layout with the loadkeys command. Here is the command for a Swiss German keyboard layout:

loadkeys sg # Swiss German

The next step should be to change the default root password with the passwd command.

passwd

For SSH connections to the ICG appliance, there is a dedicated user account. It’s important to set a password for this account too, because we will use it later to upload the generated keystore file.

passwd sshuser

The last step for now is to configure the network for the ICG appliance. We need to specify the IP, netmask and default gateway.

nano /etc/network/interfaces

Edit the eth0 entry in the file to match your network configuration; it should look like this:

iface eth0 inet static
address [IP address]
netmask [netmask]
gateway [default gateway IP address]

Save the file and reboot the appliance.

Generating an ICG Certificate

In order to provide an encrypted network connection and for authentication, ICG needs a TLS/SSL certificate. UMS in version 5.06.100 and newer lets you create your own root certificate and sign the ICG server certificate with it.

In UMS Console go to UMS Administration > Global Configuration > Cloud Gateway Options. In the Certificates section, click to generate a root certificate.

[Figure: IGEL Cloud Gateway Configuration]

Fill in the certificate fields:

  • Displayname: Leave this as Root Certificate.
  • Your organization: Organization or company name
  • Your city or locality: Location
  • Your two-letter country code: ISO 3166 country code, e.g. US, UK or ES
  • Valid until: Local date on which the certificate expires. (Default: 10 years from now)

Click OK. A key pair and a certificate are generated.

Generating keys may take substantial time on virtual machines (VMs), as these do not have a powerful (pseudo) random number source.

The CA’s root certificate appears in the list. The CA is now ready to use and we can create a signed certificate to use for our IGEL Cloud Gateway appliance.

[Figure: Generating a signed certificate for the IGEL Cloud Gateway]

Fill in the certificate fields:

  • Displayname: Name the certificate
    The display name in the server certificate must not be the same as in the root certificate.
  • Your first and last name: Name of the certificate holder
  • Your organization: Organization or company name
  • Your city or locality: Location
  • Your two-letter country code: ISO 3166 country code, e.g. US, UK or ES
  • Hostname and/or IP address of certificate target server: Host name(s) or IP address(es) for which the certificate is valid. Multiple entries must be separated by semicolons.
    All IP addresses and host names by which the ICG will be reachable from within the company network or from outside must be provided here.
  • Valid until: Local date on which the certificate expires. (Default: one year from now)

Click OK. A key pair and a certificate are generated.

The signed certificate appears in the list. Right-click the signed certificate and select Export certificate chain to IGEL Cloud Gateway keystore format. The file keystore.icg is created. This file will be required for the gateway. Save the keystore.icg file.
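The requirement above that every host name and IP address by which the ICG is reachable must appear in the server certificate is easy to get wrong when the gateway has both an internal and an external address. The following added example (not IGEL's code, and not part of the original post) parses the semicolon-separated entry from the UMS dialog, classifies each item as a DNS name or an IP address, and reports which of them a certificate does not cover. The certificate dict is a constructed stand-in in the shape Python's ssl.getpeercert() returns; fetch_cert shows how to obtain the real one from a running gateway, assuming the UMS root certificate has been saved as a PEM file named ums-root.pem (the file name is an assumption).

```python
import ipaddress
import socket
import ssl

# Constructed stand-in for the dict that ssl.SSLSocket.getpeercert() returns
# after a verified handshake; it is not a real IGEL certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "icg.example.com"),),),
    "subjectAltName": (
        ("DNS", "icg.example.com"),
        ("IP Address", "203.0.113.10"),
    ),
}


def normalize(kind, value):
    """Canonical form for comparison: lowercase DNS names, parsed IP text."""
    if kind == "IP Address":
        return ("IP Address", str(ipaddress.ip_address(value)))
    return ("DNS", value.strip().lower())


def parse_target_field(field):
    """Split the semicolon-separated 'Hostname and/or IP address' entry from
    UMS into (kind, value) pairs, classifying each item as IP or DNS name."""
    entries = []
    for raw in field.split(";"):
        value = raw.strip()
        if not value:
            continue
        try:
            ipaddress.ip_address(value)
            entries.append(normalize("IP Address", value))
        except ValueError:
            entries.append(normalize("DNS", value))
    return entries


def san_entries(cert):
    """The subjectAltName entries of a getpeercert()-style dict, normalized.
    Only exact DNS names are considered; wildcard matching is not modelled."""
    return {
        normalize(kind, value)
        for kind, value in cert.get("subjectAltName", ())
        if kind in ("DNS", "IP Address")
    }


def missing_names(cert, field):
    """Entries from the UMS field that the certificate's SAN does not cover.
    An empty list means every address the gateway is reached by is present."""
    present = san_entries(cert)
    return [entry for entry in parse_target_field(field) if entry not in present]


def fetch_cert(host, port=8443, ca_file="ums-root.pem"):
    """Retrieve the live ICG certificate, validating it against the root
    certificate exported from UMS as PEM (the file name is an assumption)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(missing_names(SAMPLE_CERT, "icg.example.com; 203.0.113.10; 198.51.100.5"))
```

Run missing_names against fetch_cert(...) with the same string you typed into the UMS dialog after the gateway is up; anything it returns is an address on which UMS or a thin client will fail certificate validation.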

Uploading the keystore and installing the IGEL Cloud Gateway

You can use SCP (secure copy) to upload the keystore.icg exported from UMS to the ICG appliance. To do this from a Windows client you can download the free WinSCP software from https://winscp.net.

In WinSCP open a new session to your ICG appliance, use the dedicated sshuser with the corresponding password for the connection and upload the keystore.icg to the sshuser’s home directory. Be aware that you might have to open port tcp/22 on your firewall if you have already placed your ICG appliance in the DMZ. Don’t forget to close the SSH port again after the upload is done.

You are now ready to install the IGEL Cloud Gateway on the appliance. Once again connect to the console of the appliance, using the root credentials for the connection.

Copy the uploaded keystore into the current directory

cp /home/sshuser/keystore.icg .

Make the ICG installer executable

chmod u+x installer-[version].bin

Start the installer with your keystore.icg

./installer-[version].bin keystore.icg

Accept the installation path and accept or change the TCP port for the ICG service (Default: 8443). Do not reboot the system or restart the ICG Tomcat server before the first connection has been made from UMS.

Connecting the UMS to the ICG

Our IGEL Cloud Gateway is now ready to be linked to the IGEL Universal Management Suite (UMS). By default, the ICG accepts incoming connections on the TCP port 8443, both from the UMS and endpoint devices, so don’t forget to open the port in your DMZ firewall rules.

In the UMS console, go to UMS Administration > UMS Network > Igel Cloud Gateway.

[Figure: Connect ICG to UMS]

Add a new IGEL Cloud Gateway.

Enter the following data:

  • Displayname: freely chosen name
  • Host: IP or DNS name of the ICG
    This address must also be present in the ICG certificate; see Generating an ICG Certificate. Otherwise, ICG and UMS would not be able to communicate.
  • Port: Listening port of the ICG as defined during the installation; see Installing the IGEL Cloud Gateway. (Default: 8443)
  • Click Finish.

[Figure: The IGEL Cloud Gateway is now connected to the UMS]

Generating Passwords for Thin Clients

To establish a connection with the ICG, every thin client must authenticate with the ICG. For this purpose, a password must be generated. The thin client must present this password on first contact with the ICG. You have the following possibilities to generate passwords:

  • One-time passwords that can be used by any random thin client, but cannot be re-used by any other thin client. Hence, the number of passwords must match the number of thin clients.
  • One-time passwords that can only be used by specified thin clients and will be invalidated after use.
  • Multiple-time passwords that can be used by any thin client and will remain valid after use.
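The three password kinds differ only in two properties: whether a password is consumed by its first use and whether it is reserved for one specific device. The following added example (my own model, not IGEL's implementation) encodes exactly those rules so that the difference in enrollment behaviour is visible; the device identifier used for binding is an assumption, and the passwords are generated with Python's secrets module rather than by UMS.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class GatewayPassword:
    secret: str
    one_time: bool                      # invalidated after the first successful use
    bound_device: Optional[str] = None  # device id it is reserved for; None = any device
    used_by: Optional[str] = None       # device that redeemed it, once used


class PasswordStore:
    """Models the three kinds of ICG enrollment passwords listed above."""

    def __init__(self):
        self._entries = []

    def generate(self, *, one_time=True, bound_device=None, count=1):
        """Create `count` passwords of one kind and return their plain text
        for transfer to the users. For one-time passwords that any device may
        use, count must equal the number of devices to be enrolled."""
        created = []
        for _ in range(count):
            pw = secrets.token_urlsafe(12)
            self._entries.append(GatewayPassword(pw, one_time, bound_device))
            created.append(pw)
        return created

    def redeem(self, presented, device_id):
        """Validate the password a device presents on first contact.
        Returns True and updates state on success, False otherwise."""
        for entry in self._entries:
            # constant-time comparison so timing does not leak matching prefixes
            if not hmac.compare_digest(entry.secret, presented):
                continue
            if entry.bound_device is not None and entry.bound_device != device_id:
                return False  # reserved for a different device
            if entry.one_time and entry.used_by is not None:
                return False  # already consumed; one-time passwords never re-validate
            entry.used_by = device_id
            return True
        return False

    def remaining(self):
        """Passwords still usable: unused one-time ones plus all multi-use ones."""
        return sum(1 for e in self._entries if not (e.one_time and e.used_by))


if __name__ == "__main__":
    store = PasswordStore()
    batch = store.generate(one_time=True, count=3)   # three devices, three passwords
    print(store.redeem(batch[0], "tc-01"), store.redeem(batch[0], "tc-02"))
```

The multi-use kind is the convenient one for bulk rollouts, but note what the model makes explicit: once it has been mailed or printed, any device that learns it can enroll until it is deleted in UMS, so it is the kind to audit and rotate.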

To generate the passwords for the thin clients, in the UMS console go to UMS Administration > Global Configuration > Cloud Gateway Options.

[Figure: Generating passwords for the thin clients in UMS]

Transferring the Passwords to the Thin Clients

To connect a thin client to the ICG, the newly generated credentials (fingerprint, password) must be available on the user’s or thin client’s side. In many cases, the user and device are in a remote location, which leaves it to the user to establish the connection to the ICG.

There are multiple possibilities to provide the credentials:

  • USB stick that contains the credentials in an XML file
  • USB stick that contains the credentials in an HTML file
  • E-Mail containing the credentials, created and sent directly from the UMS
  • E-Mail or printed letter containing the credentials; the credentials can be inserted via copy & paste.

Connecting a Thin Client to the IGEL Cloud Gateway

When the credentials are available at the user / thin client side, the thin client is ready to connect to the UMS.

If the thin client has not been configured yet, the Setup Assistant will start automatically on system startup; see the Setup Assistant chapter in the IGEL OS manual. The ICG Agent Setup, which is described here, is embedded in the Setup Assistant. The procedure is identical both for the standalone ICG Agent Setup and the one embedded in the Setup Assistant.

From Start Menu > System, open ICG Agent Setup.

Enter the ICG server IP address or DNS name into Address. Examples: 172.30.251.71 (IP address), icg.example.com (DNS name)

You can simplify the entry of the ICG server address for your users with a simple DNS tweak.

Add a TXT record for the host igel-cloud-gateway with the contents https://[ICG IP address]:8443/usg/endpoint

When users enter their email address user@example.com as the server address in the ICG Agent Setup, the setup will look up this record on the example.com nameserver and find the gateway address to connect to.

Click Connect.

The setup utility checks connectivity and displays three of the four parts of the ICG server certificate fingerprint.

Enter the missing part of the ICG server certificate fingerprint. Any part of the fingerprint may be missing; this is determined randomly.

Enter the ICG One-Time Password. Click the eye icon to toggle visibility of the password.

Click Login.

The message ICG connection ready! is displayed.

Click Finish.

The ICG connection icon is shown in the task bar.

In the UMS console you can identify the ICG connected thin clients by the small cloud icon in front of the thin client name.
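The connection procedure above has two pieces of logic worth seeing in code: how an e-mail address in the Address field turns into a gateway URL via the igel-cloud-gateway TXT record, and why the setup shows only three quarters of the fingerprint and makes the user type the fourth (the user proves they hold the credentials delivered out of band, and a gateway with a different certificate fails the check). The following added example is my own illustration, not IGEL's client code: the TXT records are a constructed in-memory table so it runs offline, the hash algorithm behind the fingerprint is assumed to be SHA-256 (the post does not state which hash is displayed), and the certificate bytes are constructed, not a real certificate.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed TXT records standing in for a DNS resolver so the example runs
# offline. In a zone file the record would read (constructed example):
#   igel-cloud-gateway.example.com. IN TXT "https://203.0.113.10:8443/usg/endpoint"
CONSTRUCTED_TXT = {
    "igel-cloud-gateway.example.com": ["https://203.0.113.10:8443/usg/endpoint"],
}


def lookup_txt(name):
    """Return TXT strings for `name`. In practice replace this with a real
    resolver (e.g. dnspython's dns.resolver.resolve(name, "TXT"), not used here)."""
    return CONSTRUCTED_TXT.get(name.lower(), [])


def gateway_url_from_address(value, resolve=lookup_txt):
    """Map the Address field of the ICG Agent Setup to a gateway URL.
    An e-mail address selects the TXT record igel-cloud-gateway.<domain>;
    a plain host name or IP is used directly on the default port 8443."""
    value = value.strip()
    if "@" in value:
        domain = value.rsplit("@", 1)[1]
        for record in resolve(f"igel-cloud-gateway.{domain}"):
            url = urlsplit(record.strip())
            # Accept only an HTTPS endpoint; a plain-http record is rejected.
            if url.scheme == "https" and url.hostname:
                return record.strip()
        raise LookupError(f"no usable igel-cloud-gateway TXT record for {domain}")
    return f"https://{value}:8443/usg/endpoint"


def fingerprint(cert_der):
    """Hex fingerprint of a DER certificate. SHA-256 is an assumption; the
    post does not state which hash the ICG Agent Setup displays."""
    return hashlib.sha256(cert_der).hexdigest().upper()


def quarters(fp):
    """Split the fingerprint into the four parts the setup works with."""
    n = len(fp) // 4
    return [fp[i * n:(i + 1) * n] for i in range(4)]


def choose_hidden_quarter():
    """The setup hides one randomly chosen quarter of the fingerprint."""
    return secrets.randbelow(4)


def displayed(fp, hidden):
    """What the user sees: three quarters plus a blank to fill in."""
    parts = quarters(fp)
    parts[hidden] = "_" * len(parts[hidden])
    return " ".join(parts)


def confirm_fingerprint(server_fp, hidden, typed):
    """True if the quarter typed from the out-of-band credentials matches the
    hidden quarter of the fingerprint the server actually presented."""
    expected = quarters(server_fp)[hidden]
    typed = typed.replace(" ", "").replace(":", "").upper()
    return hmac.compare_digest(expected, typed)


if __name__ == "__main__":
    print(gateway_url_from_address("user@example.com"))
    fp = fingerprint(b"constructed-not-a-real-certificate")  # constructed input
    hidden = choose_hidden_quarter()
    print(displayed(fp, hidden))
    print(confirm_fingerprint(fp, hidden, quarters(fp)[hidden]))
```

Because the hidden quarter is chosen at random each time, a user cannot get through by pasting a fingerprint they found elsewhere without having all of it, and an operator who hands out the fingerprint with the password should hand out the complete value.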

[Figure: ICG connected thin clients]

Supported Features

The ICG supports the following features of the Universal Management Suite (UMS):

  • Registering endpoint devices in the UMS
  • Registering the endpoint device firmware
  • Fetching & sending settings on endpoint device boot
  • Delete
  • Suspend
  • Shutdown
  • Reboot
  • Update & snapshot commands > Update
  • Update & snapshot commands > Update on Shutdown
  • Other Thin Client Commands > Send message
  • Other Thin Client Commands > Reset to Factory Defaults
  • Other Thin Client Commands > Settings UMS -> TC
  • Other Thin Client Commands > Settings TC -> UMS
  • Other Thin Client Commands > Refresh license information
  • Other Thin Client Commands > Refresh system information
  • File transfer UMS -> endpoint device (except for Firmware Customizations > Wallpaper, Firmware Customizations > Bootsplash)
  • Deploying a UDC3 license to an endpoint device with System > License Management > Add (+) (Note: the *.lic file has to be added from a local drive of the UMS host)

Universal Firmware Updates served from the UMS WebDAV directory do not work in most cases, as UMS is located on a private network and not reachable from the outside. Therefore a warning is shown when assigning such an update to an ICG-managed endpoint device. However, in UMS the assignment is made.
