WAN Remote Access Issue
-
I have done this
change com to local fqdn
enable remote acess
change com to public fqdn
change remote access url to public fqdn
intiliaize remote acess
enable remote access server from com clusterthe entry was added, after configuration.
toec tells me it cannot reach com, but app is able to reach com on public name.
with internal com and public remotely, toec tells me remotely cannot be validatedThe reverse proxy I use is haproxy.
can you explain to me what is happening ? what the theopenem is trying to do to interact with each other.
I have tried inspecting with fiddler and on IIS observation I don't have any interactions and in the logs I have nothing. The documentation is not helping me
I use the reverse proxy so that all my hosted web servers goes out through 443 redirections are based on urls also the reverse proxy takes care of creating, assigning, renewing and distributing ssl certificates, I can also modify each transaction add monitoring authentication etc
-
@theopenem_admin
With the reverse proxy I cannot host directly the web server externally because i cannot validate let's encrypt certificates with the infrastructure, so I have to use self signed certificates and expose directly the servers with no middleware, I don't feel safe doing this because on the self signed certificates the certificate authority is private not public, so you can mitm the public toec clients .Also watchguard, sonicwall etc all use reverse proxies now
-
@theopenem_admin I was going through logs and on toec before having com communications error I have ApiRequest - The Request Was Unauthorized Provision/ComConnectionTest/ the request does not appear on approval requests even with all approvals disabled I have the same issue
-
@theopenem_admin Ok for toec the com api seems to refuse to allow toec, because of an authentification issue caused by the reverse proxy.
what kind of security is used on the rest api of the com server for it to need to have a specific origin ? -
Can you put your toec-api log into debug mode?
In your toec api web.config, about 2/3 down find level value="INFO", change it to DEBUG.
Have your external client try to checkin and post the log
-
@theopenem_admin
This is way more information thank you, it's really appreciatedAlso I had an issue with a .net core rest api where it would not support reverse proxies
I had used this information to add the support and it worked, maybe you could see some useful informationhttps://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-5.0
-
Your log indicates a certificate error. Did you install the Toems certs on the com server?
-
@theopenem_admin yes I can upload the certs if you want
I have generated the certificates with the public name set for the com server I don't know if this changes something -
Can you provide a screenshot showing the toems ca is installed in the root certificate authority?
-
-
@theopenem_admin
Ok I installed the bad intermediate certificate, sorry I'll update soon about remotely -
@theopenem_admin
Remotely has had a strange issue the installation failed on the client
When I try to run the deployment command manually I get this application cannot be executed on your pc and the installer weighs 0 bytes.I'm going to check on the remotely side I saw that there was a cors setting, How would i redeploy the remotely ?
-
Ok the app server contains the remotely files and the folder does not sync with the com server
-
@theopenem_admin
It's strange it tells me back that the certificates are invalid and it is giving me again the authorization issue, i'm reinstalling the certificates on both app and com server -
-
I've added a rule to rewrite the hostname in the reverse proxy i'm still getting the same issue
what certificate does the toec client need intermediate ?
-
-
@theopenem_admin
It seems like ProvisionAuth.cs In toec api validates the uri it also looks like it for intercom.
I'm pretty sure that why i'm not getting pushed remotely correctly, i asked the reverse proxy to change the uri for what the toec api is waiting for but the toec api is not accepting the change, like if it was not reading my new http header, i'm pretty sure those 2 controllers needs to have reverse proxy support added
