Armor Knowledge Base  /  Armor Anywhere  /  Pre-Installation

Port-Forwarding and Proxy Server and Client Deployment

Topics Discussed

In some environments, architectural configurations may prevent Armor services from properly communicating security updates and offering monitoring services. 

If your network environment's servers are behind specific firewall controls that block regular outbound communication, then you may want to perform a port-forwarding / proxy server deployment, which will forward traffic between your servers and the Armor API and service endpoints. 

This port-forwarding / proxy server sits within your environment to provide servers that do not have outbound network access to communicate with Armor Anywhere services.  

This solution uses IPTABLES to forward service data out from the customer environment and into Armor.

Review Requirements

To be able to perform a port-forward / proxy server deployment, you will need the following resources or information: 

Port-Forwarding / Proxy Server

• Linux server with OS of choice (CentOS7 recommended)
• Must be a standalone server
• 1vCPU/1GB RAM minimum
• IPTABLES package installed
• The installed Anywhere Agent on the server
• External IP Address

Client Armor Anywhere Agent Servers (prior to installing the Armor Anywhere Agent)

• Internal access from the port-forwarding server to download the configuration script
• Host file modifications made on each subsequent Anywhere Agent install

Review Firewall Rules

Port-Forwarding / Proxy Server

The port-forwarding / proxy server will need outbound access for the following:

The following ports will need to be opened for each server registered with Armor Anywhere.

Proxy Software Configuration

1. Install iptables services and Squid on the port forwarding / proxy server.

   yum install iptables-services squid

2. Generate the ca certificate. This is needed for ssl-bumping.

   mkdir /etc/squid/ssl_cert
   
   cd /etc/squid/ssl_cert
   
   openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout myCA.pem  -out myCA.pem

3. Edit the /etc/squid/squid.conf. Paste the following configuration, replacing xxxx with your private subnet cidr address. This is to allow ingress from the Client Servers on this private subnet.

   • Example: 192.168.0.0/24

     acl localnet src x.x.x.x #your network/hosts!
     acl SSL_ports port 443
     acl Safe_ports port 443
     acl CONNECT method CONNECT
     dns_v4_first on
     sslproxy_cert_error allow all
     http_access deny !Safe_ports
     http_access deny CONNECT !SSL_ports
     http_access allow localhost manager
     http_access deny manager
     http_access allow localnet
     http_access allow localhost
     http_access deny all
     http_port 0.0.0.0:3128
     cache_dir ufs /var/spool/squid 100 16 256
     coredump_dir /var/spool/squid
     access_log /var/log/squid/access.log squid
     http_port 3129 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem
     always_direct allow all
     sslproxy_cert_error allow all
     acl step1 at_step SslBump1
     ssl_bump splice all
     ssl_bump terminate all
     sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

4. Restart Squid.

   systemctl restart squid

5. Set up IPTables nat rules.

   /sbin/iptables -t nat -F
   /sbin/iptables -t nat -X

6. Add rules.

   cat <<-EOF | iptables-restore
   *nat
   :PREROUTING ACCEPT [0:0]
   :POSTROUTING ACCEPT [0:0]
   -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 146.88.106.210
   -A PREROUTING -i eth0 -p tcp -m tcp --dport 4119 -j DNAT --to-destination 52.13.172.208
   -A PREROUTING -i eth0 -p tcp -m tcp --dport 4120 -j DNAT --to-destination 52.13.172.208
   -A PREROUTING -i eth0 -p tcp -m tcp --dport 4122 -j DNAT --to-destination 52.13.172.208
   -A POSTROUTING -j MASQUERADE
   :OUTPUT ACCEPT [0:0]
   COMMIT
   *filter
   :INPUT ACCEPT [0:0]
   :FORWARD ACCEPT [0:0]
   :OUTPUT ACCEPT [0:0]
   COMMIT
   EOF
   

7. Persist the rules.

   service iptables save
   

8. Enable IP forwarding in the Kernel.

   sed -i '/^net.ipv4.ip_forward\ =\ 0/s/0/1/g' /etc/sysctl.conf
   sysctl -w net.ipv4.ip_forward=1 > /dev/null 2>&1
   

Client Configuration

Servers with the Anywhere agent

All servers that run the Anywhere agent will need outbound access to the port-forwarding server's private IP, with the following ports allowed:

Linux

1. Update the host file, replacing x.x.x.x with your private IP address.

   echo "x.x.x.x api.armor.com 3a.epsec.armor.com 1a.log.armor.com get.core.armor.com" >> /etc/hosts

2. Install the agent, following the instructions outlined in ANYWHERE Installation.

3. Update the Rapid7 proxy settings to go through Squid.

   1. Change x.x.x.x to your proxy IP.

      echo '{ "https": "x.x.x.x:3129" }' > /opt/rapid7/ir_agent/components/bootstrap/common/proxy.config
      
      echo '{ "https": "x.x.x.x:3129" }' > /opt/rapid7/ir_agent/components/insight_agent/common/proxy.config
      
      service ir_agent restart

Windows

1. Update the host file, replacing x.x.x.x with your proxy server private IP address.

   echo "x.x.x.x api.armor.com 3a.epsec.armor.com 1a.log.armor.com get.core.armor.com" >> c:\windows\system32\drivers\etc\hosts

2. Install the agent, following the instructions outlined in ANYWHERE Installation.

3. Update the Rapid7 proxy settings to go through Squid.

   1. Change x.x.x.x to your proxy IP.

      echo '{ "https": "x.x.x.x:3129" }' > "C:\Program Files\Rapid7\Insight Agent\components\bootstrap\common\proxy.config"
      echo '{ "https": "x.x.x.x:3129" }' > "C:\Program Files\Rapid7\Insight Agent\components\insight_agent\common\proxy.config"

4. Restart the Rapid7 service:

   Restart-Service -Name ir_agent

Related Documentation

To learn more about how to install the Anywhere agent, see Step 4 in the following documents: 

• Windows 2012 and 2016
• Linux

Was this helpful?

Your Rating:

Thanks for voting!

Please Wait

Results:

22 rates