Configuring communication through a reverse proxy


The agent can communicate through a reverse proxy without losing any security. To do so, it uses two-way SSL certificates as part of the inter-agent authentication process. In the authentication process, the Permissive Base SSL Client security parameter is used by default. When the inter-agent communication detects this parameter, it creates an additional SSL layer on top of the one intercepted by the reverse proxy. Using two-way SSL certificates secures your connection when a BMC Client Management node is placed behind a reverse proxy.

The Permissive Base SSL Client security parameter is disabled for upgrades. For more information on Security parameters, see Setting the Security parameters.

To build a second SSL layer, the agent embeds it in a web socket. This enables the agent to use standard protocols, which some reverse proxies may need.

To recognize a peer agent and distinguish it from any other HTTP(S) server (which is important when using a Permissive Client parameter), use a server with a configurable ID. You must use the same ID for all agents in a deployment.

To allow the extension ID to be changed, you can set more than one ID for the transition time. To do so, enter the IDs in a comma-separated list.

ExtensionIDChange.png
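
An added example, not BMC's own code: a small audit an administrator could run over an exported agent inventory during an ID transition, to find agents whose ID lists share nothing with their peers and to see which IDs are already present everywhere. The agent names, the ID values and the rule that two agents recognize each other when their lists share at least one ID are assumptions made for illustration.

```python
from itertools import combinations


def parse_ids(value):
    """Split a comma-separated ID setting into a set, ignoring blanks and padding."""
    return {part.strip() for part in value.split(",") if part.strip()}


def audit_rollout(agents):
    """agents maps a hypothetical agent name to its configured ID string.

    Assumption (not stated on the page): two agents recognize each other
    when their ID lists share at least one value.
    Returns (pairs of agents with no shared ID, IDs present on every agent).
    """
    parsed = {name: parse_ids(value) for name, value in agents.items()}
    broken = sorted(
        (a, b)
        for a, b in combinations(sorted(parsed), 2)
        if not parsed[a] & parsed[b]
    )
    common = set.intersection(*parsed.values()) if parsed else set()
    return broken, common


# Constructed inventory: a change from "corp-2023" to "corp-2024" in progress.
MID_ROTATION = {
    "master": "corp-2023, corp-2024",
    "relay-dmz": "corp-2023,corp-2024",
    "client-01": "corp-2023",   # not yet updated
    "client-02": "corp-2024",   # old ID dropped before client-01 was updated
}

if __name__ == "__main__":
    broken, common = audit_rollout(MID_ROTATION)
    for a, b in broken:
        print(f"no shared ID: {a} <-> {b}")
    # An ID can become the only configured value once every agent lists it.
    print("IDs present on every agent:", sorted(common) or "none yet")
```

An old ID is safe to remove from the list only after the new ID appears in the second returned set, meaning every agent already carries it.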

The following diagram illustrates communication through a reverse proxy:

image2022-8-16_11-30-42.png
