Allowing direct socket access to the application servers that run Support Automation can be considered a security risk.
Improve performance by offloading the "encryption and decryption of the incoming and outgoing data for all analysts or clients"
Manage Support Automation connectivity with the "Socket proxy server"
Implement the SA connectivity per the documentation in this link
1/ How to Overcome Server Load
In large deployments, high server load can degrade the application performance. For this reason, you can off-load some of the processing to one or more Socket Proxy servers as follows:
Offload encryption and decryption of the incoming and outgoing data for all analysts or clients. The clients must connect either through Direct Socket or through HTTP.
Offload the processing of HTTP traffic from and to those clients connecting through HTTP to the Socket Proxy.
2/ Use Socket Proxy Within DMZ
In some network environments, allowing direct socket access to the application servers that run Support Automation can be considered a security risk. In such environments, you can use Socket Proxy within the DMZ. Using Socket Proxy in this scenario offloads some of the processing from the main server. The Socket Proxy works as follows:
1. On the configured external port, the Socket Proxy listens for incoming connections from analysts or end users.
2. The Socket Proxy establishes a peer connection to the main server on the configured internal port for every connection. These two connections are named the end-user connection and the server connection, respectively.
3. The end-user connections are encrypted and the Socket Proxy encrypts or decrypts data coming in or going out. The server connection is not encrypted.
4. For each incoming data-packet, the protocol structure is verified and a checksum value is validated. This happens before the data is passed on to the main server through the server connection.
5. The main server is thus relieved of the encryption and decryption processing.
6. The Socket Proxy closes the matching peer connection once the end user or server connection closes.
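To make steps 1 to 6 concrete, here is an added illustration that is not CA's Socket Proxy code: a minimal asyncio relay that terminates TLS on the external port, opens a plaintext peer connection to the main server, forwards only frames whose structure and checksum pass, and closes the matching peer when either side closes. The frame format (4-byte length, payload, CRC32 trailer), the host names, the certificate file names and the port numbers are assumptions; the real Support Automation wire protocol is not described on this page.

```python
import asyncio, ssl, struct, zlib

HDR = struct.Struct(">I")      # ASSUMED framing: 4-byte big-endian payload length
TRL = struct.Struct(">I")      # ASSUMED trailer: CRC32 of the payload
MAX_PAYLOAD = 64 * 1024        # reject oversized frames before they reach the main server

def build_frame(payload: bytes) -> bytes:   # client side of the hypothetical framing
    return HDR.pack(len(payload)) + payload + TRL.pack(zlib.crc32(payload))

def check_frame(frame: bytes):
    """Step 4: verify structure and checksum; return the payload, or None to drop it."""
    if len(frame) < HDR.size + TRL.size:
        return None
    n = HDR.unpack_from(frame)[0]
    if n > MAX_PAYLOAD or len(frame) != HDR.size + n + TRL.size:
        return None
    payload = frame[HDR.size:HDR.size + n]
    return payload if TRL.unpack_from(frame, HDR.size + n)[0] == zlib.crc32(payload) else None

async def relay(src, dst, validate: bool):
    """Copy frames src -> dst; with validate set, forward only frames that pass check_frame."""
    try:
        while True:
            hdr = await src.readexactly(HDR.size)
            n = HDR.unpack(hdr)[0]
            if n > MAX_PAYLOAD:
                break                      # oversized length field: never read it in
            frame = hdr + await src.readexactly(n + TRL.size)
            if validate and check_frame(frame) is None:
                break                      # malformed: drop the connection, never forward
            dst.write(frame)
            await dst.drain()
    except (asyncio.IncompleteReadError, ConnectionError):
        pass
    finally:
        dst.close()                        # step 6: close the matching peer connection

async def handle(ext_r, ext_w, internal):
    srv_r, srv_w = await asyncio.open_connection(*internal)   # step 2: plaintext peer connection
    await asyncio.gather(relay(ext_r, srv_w, True), relay(srv_r, ext_w, False))

def make_server(external_port: int, internal, certfile=None, keyfile=None):
    """Steps 1 and 3: listen on the external port; TLS (when a cert is given) terminates here."""
    ctx = None
    if certfile:
        ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
        ctx.load_cert_chain(certfile, keyfile)
    return asyncio.start_server(lambda r, w: handle(r, w, internal),
                                "0.0.0.0", external_port, ssl=ctx)
```

For a DMZ deployment matching the example below you would await make_server(10443, ("SRVA", 10443), "proxy.crt", "proxy.key") and then await server.serve_forever() (hypothetical host, ports and file names).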
In this example the primary server is named SRVA and the secondary server SRVD, which gives this list of servers.
Create the configuration for pdm_configure. In this example it is named conf1.
1/ Configure SRVD to start the process for "Socket proxy server"
Edit the configuration conf1 and select the "additional process" tab.
Choose "add process".
Define SRVD to run "SA socket proxy server".
Save and verify that we have this list of processes.
2/ Execute pdm_configure on SRVA and SRVD
Run pdm_configure on SRVA.
Run pdm_configure on SRVD.
3/ Restart Service Desk
- on SRVA, stop "CA Service Desk Manager Server" service
- on SRVD, stop "CA Service Desk Manager Remote Proctor" service
- on SRVD, start "CA Service Desk Manager Remote Proctor" service
- on SRVA, start "CA Service Desk Manager Server" service
We used Wireshark to examine the communication and the ports used while an analyst remote-controls an employee workstation:
192.168.182.180 --> 192.168.182.161:8070
192.168.182.180 --> 192.168.182.164:10443
192.168.182.181 --> 192.168.182.161:8070
192.168.182.181 --> 192.168.182.164:10443
Communication to listening port
With this configuration there is no communication to socket port 10443 on SRVA, the server running the "SA main server". Socket port 10443 therefore does not need to be opened to external users on the server running the Service Desk application server.