WAN Remote Access Issue
-
Is there a reason the remote access url is not filled in?
-
It does not change the result
What allows to enable the remote access server is to change the com url to a local fqdn
I can add it if you wish
You see the error message Could Not Enable Remote Access for the Com Server ...?
Remotely is installed and i'm able to activate it but not with the pubilc domain -
-
Is that your reverse proxy address or the address for that com server?
-
@theopenem_admin
reverse proxy -
@theopenem_admin yes
-
And your reverse proxy is forwarding to that server on port 444?
-
@theopenem_admin
no
the reverse proxy sends to http://local.fqdn:8000
remotely and com web services receive remote transactions as if they were localthe reverse proxy interacts with the web server and then sends back the info to the client
-
It seems the proxy is the issue then. I would try this:
For the remotely url, put in http://local.fqdn:8000, then initialize remote access. After it's done change the url to the proxy but don't initialize it again.
It's all I can come up with at the moment, not sure if it would work. I would need to run some tests with a reverse proxy, which I haven't done yet.
-
I have done this
change com to local fqdn
enable remote acess
change com to public fqdn
change remote access url to public fqdn
intiliaize remote acess
enable remote access server from com clusterthe entry was added, after configuration.
toec tells me it cannot reach com, but app is able to reach com on public name.
with internal com and public remotely, toec tells me remotely cannot be validatedThe reverse proxy I use is haproxy.
can you explain to me what is happening ? what the theopenem is trying to do to interact with each other.
I have tried inspecting with fiddler and on IIS observation I don't have any interactions and in the logs I have nothing. The documentation is not helping me
I use the reverse proxy so that all my hosted web servers goes out through 443 redirections are based on urls also the reverse proxy takes care of creating, assigning, renewing and distributing ssl certificates, I can also modify each transaction add monitoring authentication etc
-
@theopenem_admin
With the reverse proxy I cannot host directly the web server externally because i cannot validate let's encrypt certificates with the infrastructure, so I have to use self signed certificates and expose directly the servers with no middleware, I don't feel safe doing this because on the self signed certificates the certificate authority is private not public, so you can mitm the public toec clients .Also watchguard, sonicwall etc all use reverse proxies now
-
@theopenem_admin I was going through logs and on toec before having com communications error I have ApiRequest - The Request Was Unauthorized Provision/ComConnectionTest/ the request does not appear on approval requests even with all approvals disabled I have the same issue
-
@theopenem_admin Ok for toec the com api seems to refuse to allow toec, because of an authentification issue caused by the reverse proxy.
what kind of security is used on the rest api of the com server for it to need to have a specific origin ? -
Can you put your toec-api log into debug mode?
In your toec api web.config, about 2/3 down find level value="INFO", change it to DEBUG.
Have your external client try to checkin and post the log
-
@theopenem_admin
This is way more information thank you, it's really appreciatedAlso I had an issue with a .net core rest api where it would not support reverse proxies
I had used this information to add the support and it worked, maybe you could see some useful informationhttps://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-5.0
-
Your log indicates a certificate error. Did you install the Toems certs on the com server?
-
@theopenem_admin yes I can upload the certs if you want
I have generated the certificates with the public name set for the com server I don't know if this changes something -
Can you provide a screenshot showing the toems ca is installed in the root certificate authority?
-
-
@theopenem_admin
Ok I installed the bad intermediate certificate, sorry I'll update soon about remotely
