[RESOLVED] WAPT server accessible from outside in an AD context

arnaud.houdelette

April 11, 2023 - 11:17

Hello,

We currently have a WAPT server (enterprise) 2.3.0.13516 (Bullseye).

Currently, it is only accessible on our internal network (private addressing) or via VPN.
In order to use the Active Directory OUs, we have enabled Kerberos authentication, with all clients being members of the domain.

With the increasing prevalence of remote work and the mobility of some employees, we unfortunately have machines that are almost never on the internal network, and therefore do not benefit from automatic updates.

We are considering making the WAPT server accessible from the internet, ideally via a reverse proxy, but we do not want to make the domain controllers public.

How can we proceed? Can we force agent registration via Kerberos and accept agents already registered without it?

Thank you for your advice.
dcardon

April 11, 2023 - 12:11

Hello Arnaud,
arnaud.houdelette wrote: Apr 11, 2023 - 11:17
Currently, the latter is only accessible on our internal network (private addressing) or via VPN.
In order to use the AD OUs, we have enabled Kerberos authentication, with all clients being members of the domain.

With the widespread adoption of remote work and the mobility of some employees, we unfortunately have machines that are almost never on the internal network, and therefore do not benefit from automatic updates.

We are considering making the WAPT server accessible from the internet, if possible via a reverse proxy, but we do not want to make the domain controllers public.

How can we proceed? Can we force agent registration via Kerberos and accept agents already registered without it?
The workstations need to see the Active Directory servers for initial registration (if Kerberos registration is enabled). During registration, the workstation will send a Certificate Signing Request (CSR) to generate a client certificate. The workstation will then use this client certificate to authenticate itself on the WAPT server.

It is therefore possible to register the workstation on the local network where Active Directory is accessible. For the subsequent steps, it is not necessary to have AD accessible by the client workstation (only the WAPT server) [1].

It is then possible to secure the WAPT server at the nginx server level by enabling client certificate authentication directly in the nginx configuration (available in the enterprise version of WAPT). The WAPT server is then correctly configured and secured for direct internet access in a DMZ.

As for the reverse proxy, it's quite complicated to configure correctly (precisely because of client certificate authentication). Therefore, it's recommended to place the WAPT server directly in the DMZ without a reverse proxy.

Sincerely,

Denis Cardon

[1] Note: Regarding self-service, care must be taken to be in waptserver-ldap authentication mode (see documentation) if the workstation is in the wild.
Denis Cardon - Tranquil IT
Share your experiences on WAPT! Send us your blog and article URLs in the "Your Opinion of the forum, and we'll feature them on the WAPT
arnaud.houdelette

April 12, 2023 - 18:01

Thank you for the clarification.

Our Active Directory is not accessible from the DMZ. Therefore, we cannot place the WAPT server there.
However, given the server's Nginx configuration, I shouldn't have too much trouble finding a solution on that end.
I simply wanted to ensure that the clients' lack of connection to the Active Directory wouldn't interfere with the WAPT client (for example, with the assignment of OUs).
arnaud.houdelette

April 13, 2023 - 01:03

dcardon wrote: Apr 11, 2023 - 12:11
[1] Note: Regarding self-service, care must be taken to be in waptserver-ldap authentication mode (see documentation) if the workstation is in the wild.
Good evening.
I managed to set up a reverse proxy quite easily. (with forced certificate authentication, except for the websocket).
The clients are successfully connecting to the server, updating, etc...

However, I had a little trouble getting the self-service to work.
The documentation gives 3 methods to enable LDAP authentication, but only specifies that an AD account is required for the 3rd one... or perhaps I misunderstood.
It's working now.
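Added example, not from this thread and not Tranquil IT's own configuration: a minimal Nginx reverse-proxy setup of the kind arnaud describes above, which requires a valid agent client certificate on every path except the websocket and verifies the backend's own (self-signed) certificate instead of trusting it blindly. The host names, file paths and the websocket path (/socket.io/) are assumptions; the client CA file is assumed to be the one that signs the agent certificates issued at registration.

```nginx
# Added example (not from the thread or from Tranquil IT). All names and paths are assumed.
# $ssl_client_verify is "SUCCESS" only when the presented certificate chains to ssl_client_certificate.
map $ssl_client_verify $wapt_client_ok {
    default 0;
    SUCCESS 1;
}

server {
    listen 443 ssl;
    server_name wapt.example.com;                          # assumed public name of the proxy

    ssl_certificate     /etc/nginx/tls/wapt-public.crt;    # publicly trusted cert for the proxy
    ssl_certificate_key /etc/nginx/tls/wapt-public.key;

    # CA that issues the WAPT agent certificates at registration (assumed path).
    ssl_client_certificate /etc/nginx/tls/wapt-clients-ca.crt;
    # "optional" lets the handshake complete without a certificate; each location
    # then decides whether a certificate is mandatory (the websocket is the exception).
    ssl_verify_client optional;
    ssl_verify_depth 2;
    # Uncomment once you revoke certificates of decommissioned agents:
    # ssl_crl /etc/nginx/tls/wapt-clients.crl;

    # Websocket endpoint: reachable without a client certificate, as in arnaud's setup.
    location /socket.io/ {
        proxy_pass https://wapt-backend.internal:443;       # assumed internal WAPT server
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 3600s;
        proxy_ssl_trusted_certificate /etc/nginx/tls/wapt-backend.crt;   # backend's self-signed cert
        proxy_ssl_verify on;
        proxy_ssl_name wapt-backend.internal;
    }

    # Everything else: reject unless the agent presented a valid client certificate.
    location / {
        if ($wapt_client_ok = 0) {
            return 403;
        }
        proxy_pass https://wapt-backend.internal:443;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # The backend only sees the proxy's TLS session; hand it the verified agent
        # certificate as a header in case it is configured to use it (assumption).
        proxy_set_header X-Ssl-Client-Cert $ssl_client_escaped_cert;
        # Verify the backend's self-signed certificate explicitly rather than disabling checks.
        proxy_ssl_trusted_certificate /etc/nginx/tls/wapt-backend.crt;
        proxy_ssl_verify on;
        proxy_ssl_name wapt-backend.internal;
    }
}
```

Two caveats a practitioner should keep in mind. First, because TLS terminates at the proxy, the WAPT server's own Nginx client-certificate check (the one Denis mentions) cannot see the agent's certificate any more; the verification has to happen at the proxy, as above, and the forwarded header is only meaningful if the backend is actually configured to trust it. Second, check both directions before going live: `curl --cert agent.crt --key agent.key https://wapt.example.com/` should reach the server, while the same request without `--cert` must return 403.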
florentR2

April 13, 2023 - 09:08

Similarly, we also use an Nginx reverse proxy, which allows us, for example, to restrict console access from outside our network.
If I remember correctly, it also lets us keep using the backend's self-signed certificate regardless of its validity. It works quite well.
aurouze.eliott

April 27, 2023 - 14:06

Hello, I'm having trouble accessing the remote self-service interface. I can only access it by specifying the DN, for example: INT\aurouze.e, whereas it works without it when accessed locally.
Thank you in advance for your help.
dcardon

April 27, 2023 - 15:03

@eliott, thank you for opening a new topic for a new question. I'm locking this topic.
Regards,
Denis