Setting up a Reverse Proxy

Many organizations, as a best practice, restrict their Privilege Manager web server from inbound and outbound internet traffic. However, this creates a functional problem: agents that are not connected to the corporate network cannot reach the server to receive policy updates or submit event feedback.

To resolve this while maintaining security, Delinea supports agent connections through a reverse proxy that lives in the DMZ. The proxy filters connection requests and only forwards those that come from the agents, allowing communication while significantly reducing the potential attack surface. Proxies can be configured with many different networking tools; in this document we show how to do so with Application Request Routing (ARR) in IIS.

In this setup, only the agent endpoint needs to be reachable through the proxy over HTTPS. The certificate used for HTTPS communication on the proxy should be the same certificate that is installed on your Privilege Manager web server.

Setting up a proxy server is specific to your organization's environment and configuration; installation should be guided by your internal IT team.
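The following PowerShell script is an added example of the ARR configuration described above; it is not Delinea's own tooling. It assumes that ARR and URL Rewrite are already installed on the DMZ host, that the proxy site is "Default Web Site" with an HTTPS binding, and that the internal Privilege Manager server answers as pm-internal.corp.example (all three are assumptions; adjust them). It enables ARR's proxy engine, forwards only requests under /TMS/Agent/ to the internal server, and aborts everything else, which is what limits the exposed surface to the agent endpoint.

```powershell
# Added example (not Delinea's script): restrict an IIS ARR reverse proxy to the
# Privilege Manager agent path. Assumed names: site "Default Web Site" and backend
# pm-internal.corp.example; ARR + URL Rewrite must already be installed.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$InternalServer = 'pm-internal.corp.example'   # assumption: must match the backend's HTTPS certificate
$Site           = 'IIS:\Sites\Default Web Site' # assumption: the DMZ site with the public HTTPS binding
$RulesPath      = 'system.webServer/rewrite/rules'

# 1. Turn on ARR's proxy engine (server-wide setting in applicationHost.config).
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.webServer/proxy' -Name 'enabled' -Value $true

function Add-RewriteRule {
    param(
        [string]$Name,
        [string]$Pattern,
        [string]$ActionType,   # Rewrite | AbortRequest | Redirect | CustomResponse
        [string]$ActionUrl
    )
    # Remove any previous copy so the script can be re-run safely.
    Clear-WebConfiguration -PSPath $Site -Filter "$RulesPath/rule[@name='$Name']" -ErrorAction SilentlyContinue

    # stopProcessing=True: the first matching rule decides, later rules are not evaluated.
    Add-WebConfigurationProperty -PSPath $Site -Filter $RulesPath -Name '.' `
        -Value @{ name = $Name; stopProcessing = 'True' }

    $rule = "$RulesPath/rule[@name='$Name']"
    Set-WebConfigurationProperty -PSPath $Site -Filter "$rule/match"  -Name 'url'  -Value $Pattern
    Set-WebConfigurationProperty -PSPath $Site -Filter "$rule/action" -Name 'type' -Value $ActionType
    if ($ActionUrl) {
        Set-WebConfigurationProperty -PSPath $Site -Filter "$rule/action" -Name 'url' -Value $ActionUrl
    }
}

# 2. Allow-list: only the agent path is forwarded, and only to the internal server.
#    {R:1} carries the remainder of the path (agentregistration4.svc, etc.) through.
Add-RewriteRule -Name 'PM agent proxy' `
    -Pattern '^TMS/Agent/(.*)$' `
    -ActionType 'Rewrite' `
    -ActionUrl "https://$InternalServer/TMS/Agent/{R:1}"

# 3. Default deny: anything that did not match rule 2 (the console, other apps) is dropped.
Add-RewriteRule -Name 'PM deny everything else' `
    -Pattern '.*' `
    -ActionType 'AbortRequest'

# Show the resulting rule order; the allow rule must come first.
Get-WebConfiguration -PSPath $Site -Filter "$RulesPath/rule" |
    Select-Object name, stopProcessing, @{n='action'; e={ $_.action.type }}
```

Rule order matters: URL Rewrite evaluates rules top to bottom, and the allow rule's stopProcessing flag keeps a matched agent request from falling through to the deny rule. Because the rewrite target uses https:// and the internal host name, the DMZ server must trust the certificate the internal server presents; that check is covered under Testing Agent URLs.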

Testing Agent URLs

To test the registered agent URLs, use one of the following, depending on the Privilege Manager version:

  • /agent/agentregistration4.svc
  • /agent/agentregistration3.svc
  • /agent/agentregistration2.svc

For example, requesting https://PrivilegeManagerAppServerName.DomainName/TMS/Agent/agentregistration4.svc from the agent side (that is, through the proxy) should successfully return XML like the following:

[Image: XML returned by the agent registration service]

Note: Make sure that the server acting as the reverse proxy trusts the certificate that the Privilege Manager web server uses for its HTTPS binding, and that the proxy's own HTTPS binding uses the matching certificate. If the backend certificate is not trusted, the proxy cannot complete the TLS handshake to the web server and returns a 500.21 gateway error instead of the XML.
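The script below is an added example, not part of the original page or Delinea's tooling, that performs the two checks just described from the proxy host: it requests the agent registration URLs through the proxy and verifies that the response is XML, and it pulls the internal server's certificate off the wire to confirm that this host trusts its chain, that the name matches, and that its thumbprint equals the certificate bound on the proxy's own HTTPS binding. The host names pm-proxy.example.com and pm-internal.corp.example are assumptions.

```powershell
# Added example (not Delinea's tooling): verify the agent URL through the proxy and
# the proxy host's trust in the backend certificate. Assumed names below; adjust them.
$ProxyBase      = 'https://pm-proxy.example.com'   # assumption: public name of the DMZ proxy
$InternalServer = 'pm-internal.corp.example'       # assumption: internal Privilege Manager server

function Test-PmAgentUrl {
    param([string]$BaseUrl, [string]$Service = 'agentregistration4.svc')
    $uri = '{0}/TMS/Agent/{1}' -f $BaseUrl.TrimEnd('/'), $Service
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15
    } catch {
        # Invoke-WebRequest throws on 4xx/5xx, which includes the proxy's gateway error.
        Write-Warning "$uri failed: $($_.Exception.Message)"
        return $false
    }
    try { $null = [xml]$resp.Content } catch {
        Write-Warning "$uri answered $($resp.StatusCode) but the body is not XML (wrong site or rule?)"
        return $false
    }
    Write-Host "OK  $uri -> $($resp.StatusCode), XML body ($($resp.Content.Length) bytes)"
    return $true
}

function Test-BackendCertTrust {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake so we can inspect it ourselves.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Chain validation against this host's certificate stores: this is what ARR relies on.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # CRL/OCSP reachability from the DMZ is a separate question
        $trusted = $chain.Build($cert)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        # Name check: the SAN list (OID 2.5.29.17) or, failing that, the subject CN.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
        $nameOk = ($san -match "DNS Name=$([regex]::Escape($HostName))(,|$)") -or
                  ($cert.GetNameInfo('DnsName', $false) -ieq $HostName)

        [pscustomobject]@{
            HostName     = $HostName
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            ChainTrusted = $trusted
            ChainStatus  = if ($status) { $status } else { 'OK' }
            NameMatches  = $nameOk
        }
    } finally {
        $tcp.Close()
    }
}

# 1. Does this host trust the backend's certificate? Untrusted chain = gateway error at the proxy.
$backend = Test-BackendCertTrust -HostName $InternalServer
$backend | Format-List
if (-not $backend.ChainTrusted -or -not $backend.NameMatches) {
    Write-Warning 'Backend certificate is not trusted or does not match the host name; ARR will fail to forward.'
}

# 2. Is the proxy's own HTTPS binding using the same certificate as the backend?
Import-Module WebAdministration
$proxyThumb = (Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 } | Select-Object -First 1).Thumbprint
if ($proxyThumb -and $proxyThumb -ne $backend.Thumbprint) {
    Write-Warning "Proxy binding certificate ($proxyThumb) differs from backend certificate ($($backend.Thumbprint))."
}

# 3. Walk the registration services newest-first and report which ones answer with XML.
foreach ($svc in 'agentregistration4.svc', 'agentregistration3.svc', 'agentregistration2.svc') {
    Test-PmAgentUrl -BaseUrl $ProxyBase -Service $svc | Out-Null
}
```

Run it on the DMZ proxy host, since the certificate trust that matters is that host's, not the workstation's. A chain failure reported by Test-BackendCertTrust is the usual cause of the gateway error mentioned in the note above; fixing it means importing the issuing CA (or the server certificate itself, if self-signed) into the proxy host's Trusted Root or Intermediate store, not disabling certificate checks in ARR.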

Agent Configuration

When you set up the agent, make sure that the BaseURL is set to the DMZ server address (the reverse proxy), following the steps in Setting the Privilege Manager Server Address.

Important: The Privilege Manager server cannot push tasks to agents that are not connected to the same network. Internet-connected agents instead pull tasks from the server automatically on a scheduled interval, so a task reaches such an agent at its next check-in rather than immediately.