Configure the Socket proxy server for off-load Main server and proxy with DMZ

Article ID: 15433

Products

SUPPORT AUTOMATION - SERVER; CA Service Desk Manager - Unified Self Service; KNOWLEDGE TOOLS; CA Service Management - Asset Portfolio Management; CA Service Management - Service Desk Manager

Issue/Introduction

Allowing direct socket access to the application servers that run Support Automation can be considered a security risk.

Improve performance by offloading work to the proxy: "Offload encryption and decryption of the incoming and outgoing data for all analysts or clients".



Manage Support Automation Connectivity with "Socket proxy server"

Implement the SA connectivity per the documentation at this link ("Manage Connectivity"):
https://docops.ca.com/ca-service-management/14-1/en/using/support-automation/administering-support-automation/manage-connnectivity

Excerpt from that page:
1/ How to Overcome Server Load
In large deployments, high server load can degrade the application performance. For this reason, you can off-load some of the processing to one or more Socket Proxy servers as follows:
Offload encryption and decryption of the incoming and outgoing data for all analysts or clients. The clients must connect either through Direct Socket or through HTTP.
Offload the processing of HTTP traffic from and to those clients connecting through HTTP to the Socket Proxy.

2/ Use Socket Proxy Within DMZ
In some network environments, allowing direct socket access to the application servers that run Support Automation can be considered a security risk. In such environments, you can use Socket Proxy within the DMZ. Using Socket Proxy in this scenario offloads some of the processing from the main server. The Socket Proxy works as follows:
1. On the configured external port, the Socket Proxy listens for incoming connections from analysts or end users.
2. The Socket Proxy establishes a peer connection to the main server on the configured internal port for every connection. These two connections are named the end-user connection and the server connection, respectively.
3. The end-user connections are encrypted and the Socket Proxy encrypts or decrypts data coming in or going out. The server connection is not encrypted.
4. For each incoming data-packet, the protocol structure is verified and a checksum value is validated. This happens before the data is passed on to the main server through the server connection.
5. The main server off-loads the encryption and decryption processing.
6. The Socket Proxy closes the matching peer connection once the end user or server connection closes.

Environment

Windows 2008, Windows 2012
Service Desk 12.9, Service Desk 14.1

Environment of this tecdoc:
SA main server SRVA: 192.168.182.161
SA socket proxy server SRVD: 192.168.182.164
Analyst on 192.168.182.181
Employee on 192.168.182.180

Resolution

As the primary server is named SRVA and the secondary server is named SRVD, we have this list of servers.

[Image: sa_proxy_process02.png]

Create the configuration for pdm_configure. In this example it is named conf1.

[Image: sa_proxy_process01.png]

 

1/ Configure SRVD to start the "Socket proxy server" process

Edit the configuration conf1 and select the "additional process" tab.

[Image: sa_proxy_process1.png]

Choose "add process".

[Image: sa_proxy_process2.png]

Define SRVD to run "SA socket proxy server".

[Image: sa_proxy_process3.png]

Save and verify that the process list looks as follows.

[Image: sa_proxy_process4.png]

 

2/ Execute pdm_configure on SRVA and SRVD

pdm_configure on SRVA

[Image: primary.jpg]

 
pdm_configure on SRVD

[Image: socket_server.jpg]

 

3/ Restart Service Desk

- on SRVA, stop "CA Service Desk Manager Server" service

- on SRVD, stop "CA Service Desk Manager Remote Proctor" service

- on SRVD, start "CA Service Desk Manager Remote Proctor" service

- on SRVA, start "CA Service Desk Manager Server" service

 

4/ Verification

We used Wireshark to examine the communication and the ports used while the analyst performed remote control on the employee workstation.

 

Employee
192.168.182.180 -->  192.168.182.161:8070
192.168.182.180 -->  192.168.182.164:10443

Analyst
192.168.182.181 -->  192.168.182.161:8070
192.168.182.181 -->  192.168.182.164:10443

[Image: SA_employee_to_sa_main port 8070.jpg]

[Image: SA_employee_to_sa_proxy port 10443.jpg]

[Image: SA_employee_to_sa_main port 10443 not used.jpg]

 

 

Communication to listening ports

[Image: traffic.png]

 


Remark
With this configuration there is no communication to socket port 10443 on SRVA, which runs "SA main server". Socket port 10443 on the server running the Service Desk application server therefore does not need to be opened to external users; only the web port 8070 on SRVA and the socket port 10443 on the proxy SRVD are reached by analysts and employees.
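The Wireshark check above can be repeated automatically. The following script is an added example (not part of this tecdoc or of the product) that reads "src --> dst:port" flow lines like the ones listed under Verification and classifies each one: expected client traffic (SRVA:8070 or SRVD:10443), the proxy's own internal connection to SRVA, a bypass (a client reaching 10443 on SRVA, which the firewall should block), or anything else. The addresses and ports are those of this tecdoc's lab; the sample flow lines are constructed.

```python
import re

# Addresses from this tecdoc's lab environment.
SA_MAIN = "192.168.182.161"   # SRVA, runs "SA main server"
SA_PROXY = "192.168.182.164"  # SRVD, runs "SA socket proxy server"
WEB_PORT = 8070               # application web port on SRVA
SOCKET_PORT = 10443           # SA socket port, exposed only on SRVD

# Endpoints that analysts and employees may connect to with the proxy in place.
CLIENT_ALLOWED = {(SA_MAIN, WEB_PORT), (SA_PROXY, SOCKET_PORT)}

FLOW_RE = re.compile(r"^\s*(\S+)\s*-->\s*(\S+):(\d+)\s*$")


def parse_flow(line):
    """Parse one 'src --> dst:port' line; return (src, dst, port) or None."""
    match = FLOW_RE.match(line)
    if not match:
        return None
    return match.group(1), match.group(2), int(match.group(3))


def classify_flows(lines):
    """Sort captured flows into expected, internal, bypass and unexpected."""
    result = {"expected": [], "internal": [], "bypass": [], "unexpected": []}
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # skip blank lines and headings such as "Employee"
        src, dst, port = flow
        if src == SA_PROXY and dst == SA_MAIN:
            # Proxy-to-main-server connection on the configured internal port.
            result["internal"].append(flow)
        elif (dst, port) in CLIENT_ALLOWED:
            result["expected"].append(flow)
        elif dst == SA_MAIN and port == SOCKET_PORT:
            # A client reached the socket port on SRVA directly: proxy bypassed.
            result["bypass"].append(flow)
        else:
            result["unexpected"].append(flow)
    return result


# Constructed sample: the four flows from this tecdoc plus one bypass flow.
SAMPLE_FLOWS = [
    "192.168.182.180 -->  192.168.182.161:8070",
    "192.168.182.180 -->  192.168.182.164:10443",
    "192.168.182.181 -->  192.168.182.161:8070",
    "192.168.182.181 -->  192.168.182.164:10443",
    "192.168.182.181 -->  192.168.182.161:10443",  # must not occur
]

if __name__ == "__main__":
    for kind, flows in classify_flows(SAMPLE_FLOWS).items():
        print(kind, flows)
```

Any entry under "bypass" means the SRVA socket port is still reachable from the client network and the DMZ rules should be reviewed.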

 
