Restrict data access to Edge Services
The platform provides fine-grained control over what an Endpoint can communicate with and what can communicate with the Endpoint. Two objects are central to controlling communication to and from an Endpoint: Routing Targets and Routing Policies.
Routing Target
A Routing Target is an external network which your Endpoints can communicate with, or vice versa. The target can be:
The internet
A VPN
Private cross-connects, private cloud connections or MPLS
Routing Policy
Routing Policies are used to control the flow of data between Endpoints and Routing Targets. Rules define what data is and is not allowed to flow.
Limit data to only Edge Services
At its strictest, a Routing Policy can be configured to deny all data flowing to and from an Endpoint. You might ask what the point is, since the Endpoint then cannot communicate with anything and nothing can communicate with it. Edge Services are the special case when a Policy is locked down in this manner: when an Edge Service such as SSH is enabled on a Routing Policy, data for that service can still travel between the portal and the Endpoint. Under the covers, enabling an Edge Service configures special internal Rules that permit communication with that Edge Service.
To lock down communications to only Edge Services, configure a Routing Policy with just the default Rule. The default Rule denies all traffic.
Edge Services are enabled on the Edge Services tab.
Once enabled, the portal can communicate with the enabled Edge Service.
Here you can specify the port on which the Endpoint device exposes the web service, for instance the standard port 80 for HTTP or port 443 for HTTPS, or a custom port such as 8080 or 9000.
Specify the protocol on which the web service is exposed on the Endpoint, HTTP or HTTPS. For HTTPS there is an additional option to trust an insecure SSL certificate that the Endpoint might be using, which is common with self-signed certificates in private networks.
There is an option to enable "Basic Authentication". The authentication is performed by the s-imsy core before traffic from the Internet is allowed to reach your Endpoint.
You can also use Access Control Lists (ACLs), which allow or restrict access based on the source IP address of the Internet request attempting to contact your Endpoint. The ACL works in two modes:
Allow: only allows the IP addresses or subnets you specify, and blocks all other requests.
Deny: blocks the IP addresses or subnets you specify, and allows all other requests.
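The following is an added example, not s-imsy's own code, that models the behaviour described above: a Routing Policy whose only explicit Rule is the default deny-all Rule, the internal Rules that enabling an Edge Service adds (traffic permitted only between the portal and the Endpoint), and the HTTP Publisher ACL evaluated in Allow and Deny mode against the request's source IP. The class and method names, the verdict strings, and the sample subnet 203.0.113.0/24 (a reserved documentation range) are assumptions made for the illustration.

```python
"""Constructed model of a locked-down Routing Policy with Edge Service
exceptions and an HTTP Publisher source-IP ACL.
Illustrative code only, not the platform's implementation."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class SourceAcl:
    """HTTP Publisher ACL.
    mode 'allow': only listed sources pass, everything else is blocked.
    mode 'deny':  listed sources are blocked, everything else passes."""
    mode: str
    entries: List[str] = field(default_factory=list)  # single IPs or CIDR subnets

    def permits(self, source_ip: str) -> bool:
        src = ip_address(source_ip)
        # A bare IP is treated as a /32 (or /128) network by ip_network().
        listed = any(src in ip_network(e, strict=False) for e in self.entries)
        if self.mode == "allow":
            return listed
        if self.mode == "deny":
            return not listed
        raise ValueError(f"unknown ACL mode: {self.mode!r}")


@dataclass
class EdgeService:
    name: str                        # e.g. "ssh" or "http-publisher" (assumed names)
    port: int                        # port the Endpoint exposes the service on
    acl: Optional[SourceAcl] = None  # only the HTTP Publisher carries an ACL


@dataclass
class RoutingPolicy:
    """Policy whose only explicit Rule is the default deny-all Rule;
    enabled Edge Services are the only exceptions."""
    edge_services: List[EdgeService] = field(default_factory=list)

    def decide(self, port: int, via_portal: bool,
               source_ip: Optional[str] = None) -> str:
        """Verdict for a flow towards the Endpoint on `port`.
        Edge Service traffic is permitted only between the portal and the
        Endpoint; any direct flow falls through to the default Rule."""
        if via_portal:
            for svc in self.edge_services:
                if svc.port != port:
                    continue
                if svc.acl is not None and source_ip is not None \
                        and not svc.acl.permits(source_ip):
                    return "deny (acl)"
                return f"allow ({svc.name})"
        return "deny (default rule)"


def build_example_policy() -> RoutingPolicy:
    """Constructed sample: SSH plus an HTTP Publisher on port 8080 whose ACL
    admits a single documentation subnet in Allow mode."""
    return RoutingPolicy([
        EdgeService("ssh", 22),
        EdgeService("http-publisher", 8080,
                    SourceAcl("allow", ["203.0.113.0/24"])),
    ])


if __name__ == "__main__":
    policy = build_example_policy()
    samples = [(22, True, None), (22, False, None),
               (8080, True, "203.0.113.7"), (8080, True, "198.51.100.9"),
               (443, True, None)]
    for port, via_portal, src in samples:
        print(f"port={port} via_portal={via_portal} src={src} -> "
              f"{policy.decide(port, via_portal, src)}")
```

Running the script shows the two points the text makes: the same port is allowed when the flow comes through the portal for an enabled Edge Service and denied by the default Rule otherwise, and a port with no Edge Service enabled is denied even via the portal. Swapping the ACL mode to "deny" with the same entries inverts which sources pass.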
Configure Routing Policy
Once your HTTP Publisher configuration has been created under 'Edge Services', you need to apply it in a Routing Policy that your Endpoint is configured to use (via its Endpoint Group). Navigate to the Routing Policy, open the 'Edge Services' tab, enable the HTTP Publisher and select the HTTP Publisher configuration created in Step 1 above.
To allow traffic for the HTTP service and deny all other traffic, the Policy Rules should consist of just the default deny-all Rule.
Select 'Save and Apply Rules'. All Endpoints using this Routing Policy will now have the HTTP Publisher Edge Service available.
Accessing the HTTP service
The address of the web service running on the Endpoint device can be found by navigating to the Endpoint view, selecting an Endpoint, and opening the 'Remote Access' tab. The Public URL is displayed at the top.
http://192.168.50.132:8123/config/network