Azure Application Gateway: Example Configuration as Reverse Proxy in IGEL UMS with SSL Offloading

This article describes the IGEL Unified Management Suite (UMS) configurations and the Azure Application Gateway configurations you need for SSL Offloading.

General compatibility is tested with the configurations described in this article. There could be different ways to do the configuration.
As the reverse proxy is an external software we cannot provide full support for each version.

Requirements

Requirements for UMS and certificate configuration for reverse proxy are summarized in Configure the UMS to Integrate Reverse Proxy with SSL Offloading.

Process Overview

The configuration tasks of the reverse proxy are:

UMS / ICG configuration and certificate export as described in Configure the UMS to Integrate Reverse Proxy with SSL Offloading
Azure application gateway creation
Routing rule creation for onboarding connection
Routing rule creation for the Websocket connection
Network security group check
Mutual authentication creation for WebSocket connection
Rewrite configuration for client certificate forwarding
Troubleshoot certificate error (if needed)

Create Azure Application Gateway

Assign correct Virtual network and Subnet.
Provide Frontend IP address.
Add backend pool with UMS address. Add the UMS / ICG FQDN or IP.

Add a Routing Rule for Onboarding Connection

Configure a listener:
- Set the Protocol to HTTPS.
- Set the Public IP address.
- The recommended Port value is 443.
Select the PFX file created in Configure the UMS to Integrate Reverse Proxy with SSL Offloading and enter the appropriate password.
Configure Backend targets. The already inserted Backend pool can now be selected and the Backend settings must be added.
Under Add Backend settings, set the Backend protocol to HTTPS and add the UMS Web Port as Backend port.
Select the UMS Web/Cloud Gateway Root Certificate exported in Configure the UMS to Integrate Reverse Proxy with SSL Offloading.
Set the value for Request time-out (seconds) to a value at least 130 seconds.
Verify that the Override with new host name is activated and set Host name override.
Set a Custom probe.

Custom Probe Settings:

Add a Routing Rule for the Websocket Connection

Configure a listener:
- Set the Protocol to HTTPS.
- Set the Public IP address.
- The recommended Port value is 8443.
Select the PFX file created in Configure the UMS to Integrate Reverse Proxy with SSL Offloading, and enter the appropriate password.
Add the same Backend Settings as for the Onboarding connection.

Check Network Security Group

Open the Network Security Group used for the Gateway Network and verify if the used Ports are listed
If they are not listed, add them.

Set Mutual Authentication for WebSocket Connection

The mutual authentication can be set in Azure Application Gateway with SSL Profiles:

Add an SSL Profile under SSL settings.
In the Client Authentication part of the Dialog the EST CA Certificate is required, that was exported from the UMS.
Add the SSL profile to the WebSocket listener. Not to the Onboarding listener!

Add a Rewrite for Client Certificate Forwarding

The client certificate must be forwarded to the UMS. The Application Gateway can be configured to forward it by a rewrite definition.

Create a rewrite set and assign it to the appropriate rule.
Add the following rewrite rule:

Troubleshooting Certificate Error: Common Name Does Not Match

The UMS or ICG certificate must contain the FQDN of the Backend Server as the Common Name. This value is mandatory for the Azure Application Gateway connection to the Backend. The following error occurs if the certificate is wrong.

In case the Common name cannot be adjusted, it is possible to adopt the Hostname of the UMS / ICG in the Backend Settings. In this case a custom probe must be defined with the given Host name value.