We have “successfully” deployed ICG on AWS. But we have hit a snag. As you may know, EC2 instances don’t have public IP addresses mapped to an interface available to the OS — AWS IP addresses are Port Address Translated. This means the native IP address for the ICG is an IP that is “inside” or behind our firewall. We want to force the ICG and the UMS to use the AWS public elastic IP address. Without the public IP, clients can connect while outside the office.
When we define the public IP address in a DNS TXT record for the domain for client registration, the client connects using the DNS name given (public IP address) and then reverts to the private IP upon UMS registration.
ICG uses the IP address from the localhost to pair the certificate to UMS.
This should be no different than any standard NAT’ing scenario. You can define a different external name than internal. External is the elastic IP (the one that clients talk to) and internal is the actual/native IP (the one that UMS talks to). I believe in order to do this, you must use a SAN on your certificate to include both the internal and external name, as you would have an invalid cert verification if the name does not match in either scenario.
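The SAN requirement from the post above, as an added example that is not part of the original thread: a cert is built with both an external DNS name and the internal name/IP, and each name a client or the UMS will use is checked with the same hostname-matching rule a TLS client applies. The hostnames and the private IP are hypothetical, and the self-signed cert stands in for a UMS-issued one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert builds a self-signed certificate whose subjectAltName carries the
// given DNS names and IP addresses (constructed test data, not a UMS-issued cert).
func makeCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames,
		IPAddresses:  ips,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// missingSANs returns each name in want that the SAN does not cover, using the
// same matching rule (VerifyHostname) a TLS client applies to the server cert.
func missingSANs(cert *x509.Certificate, want []string) []string {
	var missing []string
	for _, n := range want {
		if err := cert.VerifyHostname(n); err != nil {
			missing = append(missing, n)
		}
	}
	return missing
}

func main() {
	// Hypothetical names: external DNS name clients resolve, internal name, native private IP.
	cert, _ := makeCert([]string{"icg.example.com", "icg.internal.example"}, []net.IP{net.ParseIP("10.0.1.25")})
	fmt.Println("missing:", missingSANs(cert, []string{"icg.example.com", "icg.internal.example", "10.0.1.25", "203.0.113.10"}))
}
```

A non-empty result means some party (client via the external name, or UMS via the internal name/IP) will fail certificate verification against that cert.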
Thanks — we have been playing around with this option and the SAN on the UMS-issued certs does not seem to be aligning with the config.
I’m trying to find technical details on the steps to make this work. Since we want auto enrollment, we are relying on certs issued by the UMS.
Any help you can provide or pointers to docs about installing on AWS would be appreciated.
We are trying to get the certs, the ICG config, and the UMS entries to line up.
Hmm could you post an example of what you mean by the config isn’t lining up? Screenshot would be helpful – feel free to blur any sensitive details!
Where was the screenshot you posted from?
I just want to make sure I have apples to apples.
Click the cloud gateway folder above where you select the individual ICG in that screenshot. When you add the ICG, you are given those options I showed.
This tidbit of information helped us track down some issues:
1. The Subject Alternative Names in the keystore had incorrect information. This was fixed.
2. Issues with the DNS TXT Record
Nice – glad I was able to help!