Peer Tunnel

A peer tunnel lets a peer node expose its service ports to the main node in situations where the main node cannot connect to those ports directly.

What is Peer Tunnel?

The peer node architecture requires the main node to connect to the peer node service ports, such as the WEB and Native Gateway ports, as well as to the Job Pool and local Active Directory ports, in order to forward traffic into the isolated network where the peer node is deployed. When the service ports on the peer node are not open to outside connections, the system owners have the option to configure a peer tunnel that opens these ports for the main node to connect to.

The tunnel assumes that the host server of the main node exposes an SSH server port that the peer node can reach from inside the isolated network as an outbound connection. The peer node then builds and maintains reverse SSH tunnels to the main node host, opening the service ports for the main node to connect to. Once the reverse tunnels are established, the peer node configuration on the main node can reference the Job Pool, WEB and Native Peer Gateways as if they were available on the main node host itself, on the ports configured in the peer tunnel. In the same way, the owners of the main node can configure an LDAP connection to the isolated LDAP server by referencing the main node host and the port from the tunnel configuration.

Peer Tunnel Architecture

Different tenants on the main node, and even different sites or containers inside the same tenant, might use different peer nodes, some of them connected through the peer tunnel architecture.

A peer node might maintain multiple tunnels to serve several tenants or several main node deployments.

The tunnel is built on a regular Unix Host asset describing the connection to the SSH server on the main node host. System owners can add alternative member assets to the tunnel asset so that tunnels are also maintained to the alternative hosts, which supports high availability deployments of the main node. The peer node opens tunnels for all configured services.

Why use a Peer Tunnel?

Peer tunnels serve the same purpose as peer nodes. The only difference is that peer tunnels enable peer nodes to work in isolated networks where inbound traffic is blocked. As a result, peer tunnels are useful in the following scenarios:

  • An MSP managing a client that is not comfortable opening inbound access to its network, even for a one-to-one connection to a single peer node.

  • An organization department that needs to give outside contractors access to manage devices on the internal network.

  • A product manufacturer that needs to support devices located inside its clients' networks.

How to configure a peer tunnel?

  • Peer tunnels require the following conditions to work:

    • The peer node is deployed in the isolated network.
    • The isolated network allows an outbound SSH connection (port 22) from the peer node to the main node host located outside the isolated network.
  • Deploy the peer node into the isolated network.

  • Create a Unix Host asset describing the main node host. The asset can use user / password, user / private key, or user / protected private key authentication. It is recommended to enable the Server Key option in the SSH asset configuration so that the main node host key is validated on every connection; without it the peer node cannot distinguish the real main node host from a host that intercepts its outbound SSH connection.

  • Create a peer tunnel. A peer tunnel has the following characteristics:

    • Name is the name of the peer tunnel as it appears in reports and other references.
    • Asset is the asset describing the main node host. Note that the asset might contain alternative member assets, all of which will be used to build tunnels to support a main node HA deployment.
    • WEB Gateway is the WEB Gateway service provided by the peer node. It is hosted by the peer node itself on localhost (127.0.0.1) and shared between multiple tenants, listening on a node-level port (usually 4822).
    • Native Gateway is the gateway service for establishing sessions with native SSH, RDP or WEB Browser clients, provided by the peer node. It is hosted by the peer node on localhost (127.0.0.1), with a separate instance and local port for each tenant (usually 8800, 8801, 8802, etc.).
    • Job Pool is the remote job execution service provided by the peer node. It is hosted by the peer node on localhost (127.0.0.1) and shared between multiple tenants, listening on a node-level port (usually 6443).
    • LDAP is the LDAP or Active Directory service reachable from the peer node that the main node might use for authentication and authorization. The LDAP host is located outside the peer node, on a host that should be specified in the LDAP Local Host field. An Active Directory server usually listens on port 636 (LDAPS) or 3269 (Global Catalog over TLS).
    • Remote Port for each service is the port the tunnel opens on the main node host; use it when configuring the related services on the main node. Each remote port must be unique on the main node across all peer tunnels established by different peer nodes.

Peer Tunnel Parameters

  • Launch the peer tunnel by enabling and saving the peer tunnel configuration. The application rebuilds the tunnels after the tunnel configuration is updated; no server restart on the peer or the main node is required. Tunnel create, failure and recreate events are recorded in the peer node event log, including the IP addresses and ports involved in establishing the tunnels. When the tunnel is built, the main node host receives one listening port per configured service. Use this port to attach the peer or LDAP configuration on the main node.

  • Create the peer configuration on the main node to reference the ports created by the peer node on the main node host. Use the main node name instead of localhost to reference the reverse forwarded ports, to avoid special handling of localhost networking.

Main Node Peer Configuration

  • Create the LDAP / AD configuration on the main node to reference the LDAP port created by the peer node on the main node host. Use the main node name instead of localhost to reference the reverse forwarded port, to avoid special handling of localhost networking.

Main Node LDAP Configuration

  • After the configuration is completed, use the LDAP and peer node configuration in the regular way to gain access to resources in the isolated network through the reverse tunnel built by the peer node, without opening any ports in the isolated network firewall.
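The reverse tunnel described in the architecture section and configured in the steps above, reproduced here with plain OpenSSH so that the port mapping is visible. This is an added example and not the peer node's own implementation. The main node host main.example.com, the account peertunnel, the key and known_hosts paths, the LDAP host dc01.corp.local and the remote ports 14822, 18800, 16443 and 10636 are all placeholders chosen for illustration; the local ports 4822, 8800, 6443 and 636 are the usual ones named on this page.

```shell
#!/bin/sh
# Added example, not the product's own code: the reverse SSH tunnels a peer node
# maintains to the main node host, built with plain OpenSSH. Every host name,
# user, path and remote port here is a hypothetical placeholder.
set -eu

MAIN_HOST="${MAIN_HOST:-main.example.com}"                     # main node host (placeholder)
SSH_USER="${SSH_USER:-peertunnel}"                              # unprivileged account on that host
SSH_KEY="${SSH_KEY:-/etc/peer-node/tunnel_key}"                 # user / private key authentication
KNOWN_HOSTS="${KNOWN_HOSTS:-/etc/peer-node/main_known_hosts}"   # pinned main node host key

# service  local_host        local_port  remote_port
# Gateways and Job Pool listen on 127.0.0.1 of the peer node; LDAP is a separate
# host in the isolated network (the "LDAP Local Host" field; dc01.corp.local is a
# placeholder). Remote ports are what the main node configuration references and
# must be unique across all peer tunnels reaching this main node host.
SERVICES='web      127.0.0.1        4822  14822
native   127.0.0.1        8800  18800
jobpool  127.0.0.1        6443  16443
ldap     dc01.corp.local   636  10636'

# One "-R remote_port:local_host:local_port" per line. Without a bind address,
# sshd binds the remote port to the main node host's loopback interface
# (OpenSSH default: GatewayPorts no).
forward_args() {
  printf '%s\n' "$1" | while read -r svc lhost lport rport; do
    [ -n "$svc" ] || continue
    printf '%s %s:%s:%s\n' '-R' "$rport" "$lhost" "$lport"
  done
}

# Two services on the same remote port would make the second forward fail.
check_unique_remote_ports() {
  dupes=$(printf '%s\n' "$1" | awk 'NF { print $4 }' | sort | uniq -d)
  [ -z "$dupes" ] || { echo "duplicate remote port(s): $dupes" >&2; return 1; }
}

# The complete ssh command line as one string (logged before each connect).
#  -N -T                      no remote command, no pty: forwarding only
#  ExitOnForwardFailure=yes   exit instead of silently running with a missing forward
#  StrictHostKeyChecking=yes  refuse unknown or changed host keys (the Server Key option)
#  ServerAlive*               notice a dead connection so the loop can rebuild it
ssh_command() {
  check_unique_remote_ports "$1" || return 1
  printf 'ssh -N -T %s-o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -i %s %s@%s' \
    "$(forward_args "$1" | tr '\n' ' ')" "$KNOWN_HOSTS" "$SSH_KEY" "$SSH_USER" "$MAIN_HOST"
}

# Maintain the tunnel: ssh exits on a failed forward or a lost connection,
# and the loop rebuilds it after a short pause.
run_tunnel() {
  cmd=$(ssh_command "$SERVICES")
  while :; do
    echo "$(date -u '+%Y-%m-%dT%H:%M:%SZ') tunnel connect: $cmd" >&2
    $cmd || echo "$(date -u '+%Y-%m-%dT%H:%M:%SZ') tunnel exited rc=$?" >&2
    sleep 5
  done
}

if [ "${1:-}" = "--connect" ]; then
  run_tunnel
fi
```

Run it with --connect on a host that can reach the main node over SSH; without the flag it only defines the functions. ExitOnForwardFailure makes ssh exit, and the loop reconnect, when a remote port is already taken, which is exactly what happens if two peer tunnels are configured with the same Remote Port. StrictHostKeyChecking=yes with a pre-populated known_hosts file is the command-line equivalent of the Server Key option on the Unix Host asset. One check worth doing after the first connect: on the main node host run ss -ltn and confirm each remote port is listening on the address the main node name resolves to. With OpenSSH defaults (GatewayPorts no) a -R port binds only to 127.0.0.1; if the main node name resolves to a non-loopback address, sshd on that host needs GatewayPorts clientspecified and each -R option needs the main node's own address as an explicit bind address.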