First decide which hub will act as the tunnel server (receiving the connection) and which as the tunnel client (making the connection). Only one port needs to be opened on the tunnel server end: the default port is 48003, but any available port can be used, e.g. 443. Please note that tunnel traffic is NOT HTTPS traffic, even when it uses port 443. The best practice is to use port 48003, as HTTPS traffic over port 443 may be filtered to some extent in some environments.
The following are high-level steps; please refer to the Installation Guide for detailed information on tunnel concepts and detailed steps.
Note: To avoid communication issues between the tunnel server and client, the tunneled server in the DMZ should not be able to send or receive on port 48002.
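A pre-flight check for the two port requirements above, as an added example that is not part of the original article or the product: run it on the tunnel client against the tunnel server's address before configuring the tunnel. The names tcp_reachable and preflight are hypothetical, the check is TCP only, and it tests only the direction from the machine it runs on.

```python
import socket
import sys

TUNNEL_PORT = 48003   # default tunnel port named in this article
BLOCKED_PORT = 48002  # port the article says must not pass to/from the DMZ hub


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, name resolution failure
        return False


def preflight(host, tunnel_port=TUNNEL_PORT, blocked_port=BLOCKED_PORT, timeout=3.0):
    """Compare what this machine can reach on `host` with what the article requires.

    Returns (ok, findings); findings is a list of human-readable problems.
    (Hypothetical helper for illustration, not a Nimsoft tool.)
    """
    findings = []
    if not tcp_reachable(host, tunnel_port, timeout):
        findings.append(f"tunnel port {tunnel_port} on {host} is not reachable; "
                        "open it on the tunnel server side")
    if tcp_reachable(host, blocked_port, timeout):
        findings.append(f"port {blocked_port} on {host} is reachable; "
                        "the firewall should block it")
    return (not findings, findings)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: preflight.py TUNNEL_SERVER_ADDRESS [TUNNEL_PORT]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else TUNNEL_PORT
    ok, problems = preflight(sys.argv[1], tunnel_port=port)
    for line in problems:
        print("FAIL:", line)
    print("OK" if ok else "NOT READY")
    sys.exit(0 if ok else 1)
```

A successful connection to the tunnel port shows only that the firewall passes it; it does not show that the listener is a hub tunnel server.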
1- On the Tunnel Server
I- Set up the CA (Certificate Authority):
->Enable Tunneling (if it is not already enabled)
• In the hub probe GUI, in the General section, select the checkbox next to "Enable Tunneling". This enables the "Tunnels" tab.
• In the Tunnels section, select the "Active" checkbox in "Server Configuration".
• In the "Certificate Authority Setup" window, fill out the fields accordingly.
• Select "Security Settings" as desired. Note that if you choose Medium or above, the encryption will be stronger but at the cost of processing resources.
• Click the Apply button and restart the hub probe
Note: If the first probe port is set on the hub's controller, then you should also set the first probe port in the hub GUI Tunnels->Advanced section to offset it from e.g. the 48000 range.
II- Create Tunnel Client Certificate
• In the hub probe GUI, go to the "Tunnels->Server Configuration" section
• Click the New button under the "Issued Certificates" section
• In the "Client Certificate Setup" window, fill out the "Who" and "Where" fields accordingly. The fields under "Authentication" should be filled out as:
- Common Name: The tunnel client's connection IP address. If the client is NAT'ed, i.e. its external IP address is different from its internal IP, then use the client's external IP address in this field. You can also use a wildcard, i.e. either one asterisk '*' or four asterisks '*.*.*.*' (without quotes), to set up only one certificate which can then be used for multiple tunnel clients.
- Password: Make note of this password, as you will use it on the client side of the hub when installing the certificate.
- Expire days: The default is 365 days. Depending on the requirements and the length of the client tunnel's life, this can be increased to avoid re-generating the tunnel certificate and resetting the tunnel client each year, e.g.,
III- Copy Tunnel Client License
• In the hub probe GUI, in the "Tunnels->Server Configuration" section, click View under the "Issued Certificates" section
• Click the Copy button; it will copy the certificate to your clipboard
• Open the Notepad application and press CTRL+V or right-click and select Paste
• Save the file, name it accordingly and make sure that no extra characters are inserted at the beginning or end of the file
• Now, copy the file to the tunnel client or have it available so that you can copy/paste it on the tunnel client side
2- On the Tunnel Client
Note 1: During hub installation, you are given an option to "Initialize Security", which creates a local copy of the hub security.cfg file and sets up the Nimsoft 'administrator' user password. This is a required step on tunnel clients, as you need to log in to the hub as 'administrator' to set up tunneling.
Note 2: Normally, Infrastructure Manager (IM) will not be installed/available on the tunnel client side so you may have to download and install it first.
I- Using Infrastructure Manager: (recommended method)
• Log in to the tunnel client hub
• In the hub probe GUI, enable the "Tunneling" option in the General section
• Switch to the Tunnels tab and then to "Client Configuration"
• Click the New button
• Deselect "Check Server Common Name" if the tunnel server is NAT'ed
• Fill out the fields accordingly. Use the password which you set up in step 3 of "Create Tunnel Client Certificate"
• In the "Certificate" field, paste the client certificate which you created in step 3 of "Create Tunnel Client Certificate" and copied in step 5 of "Copy Tunnel Client License"
• Click OK and then Apply, which will restart the hub probe
Now, if all goes well, your tunnel client will connect to the tunnel server. If you get errors accessing the new hub, please refer to the Troubleshooting section.
II- Using the Nimsoft DMZ Tunnel Wizard:
• Open the "Nimsoft DMZ Tunnel Wizard" from the Programs menu
• Select "Client" in the first screen
• You will be prompted for the administrator password
• Fill in the fields and the tunnel certificate appropriately
After finishing up, do not log in to the new hub until the Enabled status shows up in the Security column of the Infrastructure Manager.
If you get errors accessing the new hub, refer to the Troubleshooting section.