Configuration of an AWS Application Load Balancer (ALB) for Deploying the IGEL Universal Management Suite (UMS)

This article provides instructions for configuring an AWS Application Load Balancer (ALB) with mTLS support to prepare for installing an IGEL Universal Management Suite (UMS) Server on an Amazon Elastic Compute Cloud (EC2) instance.

For details on the general network configurations, see IGEL Universal Management Suite Network Configuration.


Overview

We set up an Application Load Balancer (ALB) in AWS to securely expose the UMS Server application, running on port 8443, with HTTPS and mTLS enabled.

The AWS load balancer offers two types of mutual TLS (mTLS) authentication support:

  • Verify with Truststore
    The client certificate is verified by the AWS load balancer. The ALB requires a client certificate chain to verify the client certificate; this chain must be added to a trust store stored in S3.
    The request is then forwarded to the backend together with the client certificate leaf.

  • Passthrough
    The client certificate chain is forwarded to the backend without verification. (For the related configuration, see Alternative Configuration with mTLS Passthrough.)

To support client certificates forwarded from the ALB, the UMS Server must be configured for Base64 decoding of the forwarded certificate by setting the encodingType to URL_AWS.

Component        Value
---------------  --------------------------------------
ALB Type         Application Load Balancer
Scheme           Internet-facing
Listener Port    HTTPS 8443 & 443
Target           EC2 instance running UMS
mTLS             Enabled (on port 8443)
Trust Store      Client certificate chain in S3 bucket
Encoding         URL_AWS, handled at backend


AWS Configuration

Setting up an EC2 Instance

  1. Launch a new EC2 instance using the Windows Server 2022 AMI with the following settings:

    • Ensure the instance has a security group allowing HTTPS (8443) inbound traffic from the ALB's security group.

    • Assign a static public IP address.


Creating a Target Group

  1. Create a new Target Group, e.g. with “UMS-TargetGroup“ as the name, with the following settings:

    • Target type: Instance

    • Protocol : Port: HTTPS : 8443

    • Health check path:

      • UMS: /info

      • ICG: /usg/check-status

    • Success codes: 200



Exporting the CA Certificate Chain from the UMS

→ In the UMS Console, go to UMS Administration > Global Configuration > Server Network Settings > Export Client Certificate Chain, click Export, and save the certificate file in PEM format to a suitable location.




Creating a Trust Store with the UMS CA Certificate Chain via S3

→ Create an S3 bucket and upload the CA certificate chain you have just exported.



Exporting the UMS Web Certificate Chain

  1. Select the web certificate that is currently in use, open the context menu, and click Export certificate chain to keystore.

  2. Set a password for the keystore.

  3. Save the keystore file to a suitable location.

  4. Open the keystore file with a suitable tool, e.g., KeyStore Explorer.

  5. Enter the password you have defined during the export from the UMS.

  6. Select the correct key pair by comparing the entry name in the keystore tool with the serial number displayed in the UMS when you click Show certificate content.

  7. Export the private key with the following properties:

    • Type: OpenSSL

    • Unencrypted

    • PEM is activated

    • Appropriate filename, e.g., something with “private_key”

  8. Export the certificate chain with the following properties:

    • Export length: Entire chain

    • PEM is activated

    • Appropriate filename, e.g., something with “entire_chain”

  9. Export the certificate chain again, this time with the following properties:

    • Export length: Head only

    • PEM is activated

    • Appropriate filename, e.g., something with “headonly-body”


Configuring the ALB Listeners

In the following, we will create an ALB with two listeners:

  1. Create an Internet-facing ALB.

  2. Create a listener that listens for HTTPS connections with mTLS on port 8443 and forwards traffic to the UMS target group.

  3. Click Import a certificate and paste the complete contents of the files we have exported from the keystore.

Once imported, the certificate becomes available in the AWS Certificate Manager (ACM).

  4. Under mTLS settings, enable Verify with Trust Store and link to the S3 bucket with the UMS CA certificate chain you have created beforehand.

  5. Create another listener that listens for HTTPS connections with standard TLS (no mTLS) on port 443 and forwards traffic to the UMS target group.

  6. Click Import a certificate and provide the same certificate configuration as you did for the first listener (step 3).



Configuring Logging and Monitoring

  1. Enable Access Logs and Connection Logs for the ALB.

  2. Set the log destination to the S3 bucket that is used for the trust store, or to another bucket as needed.



Configuring the UMS Server

Adjusting the Server Network Settings

The FQDN of the UMS cluster must be set as the external address. This FQDN must be included in your web certificate, and the corresponding certificate must be assigned to all UMS servers.

Configuration With ICG

If only ICGs are behind the load balancer, you do not need to configure the UMS Cluster Address. The Cluster Address is only required if a UMS Server is contacted directly by the AWS load balancer.

  1. Go to UMS Administration > Global Configuration > Server Network Settings.

  2. Set the Cluster Address to the external address of your AWS ALB.

  3. Set the OS 12 device enrollment address to the external address of your AWS ALB.

Create UMS Web Certificate / Cloud Gateway Certificate

Setting the UMS Server to Accept the Certificate from the AWS ALB

The AWS ALB sends a header (X-Amzn-Mtls-Clientcert-Leaf) that contains only the client certificate, not the full certificate chain. Therefore, the UMS Server must be configured accordingly.

  1. Edit the file <UMS installation path>\rmguiserver\conf\appconfig\application.yml according to the example below:

igel:
  client-cert-forwarding:
    enabled: true
    encodingType: URL_AWS
    client-cert-forwarded-header: X-Amzn-Mtls-Clientcert-Leaf

The encodingType must be explicitly set to URL_AWS to properly decode the certificate format used by the ALB, which URL-encodes the PEM-formatted certificate.

  2. Restart the UMS Server.

ICG Configuration

To integrate the AWS load balancer, the Host (external) value selected during the ICG installation must be set to the IP address or hostname of the AWS load balancer.

If this value isn’t listed in the combobox, create a new Cloud Gateway Certificate that also contains the AWS load balancer address.

Alternative Configuration with mTLS Passthrough

Passthrough can be selected as an alternative to trust store verification to forward the device client certificate. The sections below highlight how this configuration differs from the trust store configuration.

AWS Configuration Steps

The Passthrough option requires only one configured listener on the AWS side. To configure this listener:

  1. Create a WebSocket listener.

  2. Create a listener that listens for HTTPS connections with mTLS on port 8443 and forwards traffic to the UMS target group.

  3. Click Import a certificate and paste the complete contents of the files we have exported from the keystore.

Once imported, the certificate becomes available in the AWS Certificate Manager (ACM).

  4. Under mTLS settings, enable Passthrough.

UMS Configuration

The FQDN of the UMS cluster must be set as the external address. This FQDN must be included in your web certificate, and the corresponding certificate must be assigned to all UMS servers.

Configuration With ICG

If only ICGs are behind the load balancer, you do not need to configure the UMS Cluster Address. The Cluster Address is only required if a UMS Server is contacted directly by the AWS load balancer.

In case of a one-listener configuration, the OS 12 device enrollment address is also not required.

  1. Go to UMS Administration > Global Configuration > Server Network Settings.

  2. Set the Cluster Address to the external address of your AWS ALB.

With the passthrough configuration, the OS 12 device enrollment address is not required.

Setting the UMS Server to Accept the Certificate from the AWS ALB

The UMS backend expects the client certificate chain to be forwarded via the X-Amzn-Mtls-Clientcert header. For this:

  1. Edit the file <UMS installation path>\rmguiserver\conf\appconfig\application.yml according to the example below:

igel:
  client-cert-forwarding:
    enabled: true
    encodingType: URL_AWS
    client-cert-forwarded-header: X-Amzn-Mtls-Clientcert

The encodingType must be explicitly set to URL_AWS to properly decode the certificate format used by the ALB, which URL-encodes the PEM-formatted certificate.

  2. Restart the UMS Server.
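As an added illustration (not part of this article or of the UMS code) of what encodingType URL_AWS has to undo in both the leaf-only (Verify with Truststore, X-Amzn-Mtls-Clientcert-Leaf) and full-chain (Passthrough, X-Amzn-Mtls-Clientcert) configurations described above, here is a small Python decoder for those header values. It assumes the ALB encoding is one PEM block per certificate, concatenated and then URL-encoded as a whole, and it uses constructed DER stand-ins instead of real certificates.

```python
import base64
import urllib.parse

# Header names of the two ALB mTLS modes described on the page.
LEAF_HEADER = "X-Amzn-Mtls-Clientcert-Leaf"  # Verify with Truststore: leaf only
CHAIN_HEADER = "X-Amzn-Mtls-Clientcert"      # Passthrough: whole client chain
PEM_BEGIN, PEM_END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
# Constructed stand-in blobs (valid DER SEQUENCEs, not real X.509 certificates);
# the leaf payload is chosen so that its base64 contains '+', '/' and '='.
LEAF_DER, ISSUER_DER = bytes.fromhex("30060204fbfffb00"), bytes.fromhex("3003020105")

def alb_header_value(der_blobs):
    """Mimic the ALB (assumed encoding): one PEM block per certificate, URL-encoded."""
    pem = ""
    for der in der_blobs:
        b64 = base64.b64encode(der).decode("ascii")
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        pem += f"{PEM_BEGIN}\n{body}\n{PEM_END}\n"
    return urllib.parse.quote(pem, safe="")  # '\n' -> %0A, '+' -> %2B, '=' -> %3D

def decode_alb_header_value(value):
    """Undo that encoding (what encodingType URL_AWS does in the UMS); return DER blobs."""
    rest, blobs = urllib.parse.unquote(value), []
    while PEM_BEGIN in rest:
        start = rest.index(PEM_BEGIN) + len(PEM_BEGIN)
        end = rest.index(PEM_END, start)
        blobs.append(base64.b64decode("".join(rest[start:end].split()), validate=True))
        rest = rest[end + len(PEM_END):]
    return blobs

def is_der_sequence(der):
    """Structural check only: outer SEQUENCE tag and declared length cover the blob."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:
        return 2 + der[1] == len(der)
    n = der[1] & 0x7F
    return 0 < n <= 4 and 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)

def client_certs_from_request(headers, mode):
    """Read the header for the ALB mode ("verify"/"passthrough"); enforce its contents."""
    name = LEAF_HEADER if mode == "verify" else CHAIN_HEADER
    if name not in headers:
        raise ValueError(f"{name} missing: listener mTLS mode and UMS header differ?")
    certs = decode_alb_header_value(headers[name])
    if not certs or not all(is_der_sequence(c) for c in certs):
        raise ValueError("header did not decode to DER SEQUENCE(s)")
    if mode == "verify" and len(certs) != 1:
        raise ValueError("leaf header must carry exactly one certificate")
    return certs
```

The DER check is only a structural sanity check; the UMS performs the real X.509 parsing and, in the Passthrough case, the chain verification that the ALB has skipped.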

ICG Configuration

→ To integrate the AWS load balancer in the ICG, set the Host (external) value in the ICG installation process to the AWS load balancer’s IP address or hostname.

If this value isn’t listed in the combobox, create a new Cloud Gateway Certificate that contains the AWS load balancer address.

→ Restart the UMS Server.