Setting up Policy Sharing in Messaging Gateway
Article ID: 381413
Updated On: 11-06-2024
Products
Issue/Introduction
In some network environments it is neccessary to have multiple Messaging Gateway (SMG) Control Centers to manage scanners in different data centers. Depending on the administration or mail policy needs, it may be helpful to have a primary / central Control Center which can provide shared policies with the Control Centers which are used to manage SMG scanners in disparate data centers.
Resolution
Setting up a Messaging Gateway Control Center cluster takes multiple steps:
- Ensure that TCP port 41616 is open on any firewalls between the the SMG Control Center systems to be grouped
- Set up the Primary / Central Control Center for policy sharing
- Set up a Secondary / Remote Control Center for policy sharing
- Add the Secondary / Remote Control Center to the Central Control Center list of "remote" servers
Setting up the Primary / Central Control Center
-
- Add a certificate to the Control Center which is going to act as the primary / central Control Center in the Messaging Gateway "cluster" from Administration > Certificates. This certificate will need to have the IP address of the primary / central control center as either the common name as shown below or as a subject alternative name (SAN) if using a third party signed certificate.
- Set the new certificate as the TLS certificate for the Control Center web interface on the Administration > Control Center > Certificates page. This will restart the Control Center web interface when the new certificate is saved.
- From Administration > Certificates add a self-signed certificate for the activemq service with the central Control Center IP address as the Common Name
- From the Administration > Control Center > Policy Sharing page set the central / primary Control Center as the central Control Center of a cluster. Authentication credentials will need to be set and the TLS certificate for activemq will need to be selected at this step. The authentication credentials do not need to match an existing user account. This step cannot be reversed and will cause the Control Center web application to restart.
- Following the Control Center service restart, two certificates will have been created in the Administration > Certificates > Applications list named BCC_HTTPS_CERT and BCC_REMOTE_MANAGEMENT_CERT.
Export the BCC_REMOTE_MANAGEMENT certificate for later use by selecting it and clicking the Export button
- Add a certificate to the Control Center which is going to act as the primary / central Control Center in the Messaging Gateway "cluster" from Administration > Certificates. This certificate will need to have the IP address of the primary / central control center as either the common name as shown below or as a subject alternative name (SAN) if using a third party signed certificate.
At this point the Control Center is set up to act as the primary / central Control Center in a cluster and a Global tab will have been added to the Content > Policies page for use in creating global content policies.
Setting up a Secondary / Remote Control Center for policy sharing
To add a secondary / remote control center to SMG Control Center policy sharing a trust relationship will need to be set up between the Control Centers and some certificate information shared between them.
-
-
- Add a certificate to the Control Center which is going to act as the secondary / remote Control Center in the Messaging Gateway "cluster" from Administration > Certificates. This certificate will need to have the IP address of the secondary / remote control center as either the common name as shown below or as a subject alternative name (SAN) if using a third party signed certificate.
- Export the certificate by selecting it and clicking Export
- In Administration > Control Center > Certificates, select the new certificate as the User interface HTTPS cerficate and click Save. This will restart the Control Center web application service as the new cert is installed.
- In Adminstration > Certificates > Applications, import the the BCC_REMOTE_MANAGEMENT_CERT certificate exported in step 5 of setting up the central / primary Control Center.
- Add a certificate to the Control Center which is going to act as the secondary / remote Control Center in the Messaging Gateway "cluster" from Administration > Certificates. This certificate will need to have the IP address of the secondary / remote control center as either the common name as shown below or as a subject alternative name (SAN) if using a third party signed certificate.
-
Add the Secondary / Remote Control Center to the Central Control Center
-
- On the Primary / Central Control Center, Import the HTTPS certificate of the secondary / remote Control Center to the list of certificates in Addministration > Certificates > Applications list
- On the Secondary / Remote Control Center go to Administration > Control Center > Policy Sharing and select the Join the Control Center cluster as a remote Control Center checkbox
- Enter the IP address of the Primary / Central Control Center and the authentication credentials set up previously. There is a Test button to confirm that the connection to the primary Control Center can be established.
- Click Save to add the secondary control center to the cluster. This will restart the secondary Control Center web interface and an entry for the secondary Control Center will be added to the primary Control Center remote server list.
- On the Primary / Central Control Center, Import the HTTPS certificate of the secondary / remote Control Center to the list of certificates in Addministration > Certificates > Applications list
At this point the two Control Centers are connected and Global policies can be created and shared from the Primary / Central Control Center Content > Policies > Global page.
Feedback
