Configure the Socket Proxy server to off-load the main server and to act as a proxy within the DMZ

Document ID:  TEC1843915
Last Modified Date:  08/20/2017

Products

  • CA Service Desk Manager

Releases

  • CA Service Desk Manager:Release:14.1

Components

  • UNICENTER SERVICE DESK RXX:USRD
Introduction:

Allowing direct socket access to the application servers that run Support Automation can be considered a security risk.

A Socket Proxy server can also improve performance by offloading encryption and decryption of the incoming and outgoing data for all analysts or clients.

Question:

Manage Support Automation Connectivity with "Socket proxy server"

Implement the SA connectivity as described in the documentation at this link:
https://docops.ca.com/ca-service-management/14-1/en/using/support-automation/administering-support-automation/manage-connnectivity
Manage Connectivity
.
.
.
1/ How to Overcome Server Load
In large deployments, high server load can degrade the application performance. For this reason, you can off-load some of the processing to one or more Socket Proxy servers as follows:
  • Offload encryption and decryption of the incoming and outgoing data for all analysts or clients. The clients must connect either through Direct Socket or through HTTP.
  • Offload the processing of HTTP traffic from and to those clients connecting through HTTP to the Socket Proxy.

2/ Use Socket Proxy Within DMZ
In some network environments, allowing direct socket access to the application servers that run Support Automation can be considered a security risk. In such environments, you can use Socket Proxy within the DMZ. Using Socket Proxy in this scenario offloads some of the processing from the main server. The Socket Proxy works as follows:
1. On the configured external port, the Socket Proxy listens for incoming connections from analysts or end users.
2. The Socket Proxy establishes a peer connection to the main server on the configured internal port for every connection. These two connections are named the end-user connection and the server connection, respectively.
3. The end-user connections are encrypted and the Socket Proxy encrypts or decrypts data coming in or going out. The server connection is not encrypted.
4. For each incoming data-packet, the protocol structure is verified and a checksum value is validated. This happens before the data is passed on to the main server through the server connection.
5. The main server off-loads the encryption and decryption processing.
6. The Socket Proxy closes the matching peer connection once the end user or server connection closes.

Environment:

  • Windows 2008
  • Windows 2012
  • Service Desk 12.9
  • Service Desk 14.1

Environment of this tecdoc:

  • SA Main server SRVA: 192.168.182.161
  • SA socket proxy server SRVD: 192.168.182.164
  • Analyst on 192.168.182.181
  • Employee 192.168.182.180

Answer:

With SRVA as the primary server and SRVD as the secondary server, the server list looks like this:

sa_proxy_process02.png

Create the configuration for pdm_configure. In this example it is named conf1.

sa_proxy_process01.png

 

1/ Configure SRVD to start the process for "Socket proxy server"

Edit the configuration conf1 and select the "additional process" tab.

sa_proxy_process1.png

Choose add process

sa_proxy_process2.png

Define SRVD to run "SA socket proxy server".

sa_proxy_process3.png

Save and verify that the process list looks like this:

sa_proxy_process4.png

 

2/ Execute pdm_configure on SRVA and SRVD

pdm_configure on SRVA

primary.jpg

 
pdm_configure on SRVD

socket_server.jpg

 

3/ Restart Service Desk

- on SRVA, stop "CA Service Desk Manager Server" service

- on SRVD, stop "CA Service Desk Manager Remote Proctor" service

- on SRVD, start "CA Service Desk Manager Remote Proctor" service

- on SRVA, start "CA Service Desk Manager Server" service

 

4/ Verification

We used Wireshark to examine the communication and the ports used while the Analyst takes remote control of the Employee workstation.

 

Employee

192.168.182.180 -->  192.168.182.161:8070
192.168.182.180 -->  192.168.182.164:10443

Analyst
192.168.182.181 -->  192.168.182.161:8070
192.168.182.181 -->  192.168.182.164:10443

SA_employee_to_sa_main port 8070.jpg

SA_employee_to_sa_proxy port 10443.jpg

 

SA_employee_to_sa_main port 10443 not used.jpg


Remark
With this configuration, there is no communication to socket port 10443 on SRVA, which runs the "SA main server". Socket port 10443 on the server running the Service Desk application server therefore does not need to be opened to external users.
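
The Wireshark check above can be repeated as a script. The following is an added example, not part of the original document or of CA's tooling: it audits a list of TCP connection attempts and reports any client that reaches socket port 10443 on SRVA directly. The input format, the capture file name in the comment, and the 192.168.182.190 host are assumptions made for illustration.

```python
from collections import Counter

# Addresses and ports as listed on the page.
SRVA, SRVD = "192.168.182.161", "192.168.182.164"  # SA main server, SA socket proxy
MAIN_PORT, SOCKET_PORT = 8070, 10443

# Constructed sample (not a real capture): one TCP SYN per line, tab-separated
# src, dst, dstport. A real list can be exported from a capture with, e.g.:
#   tshark -r capture.pcapng -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
#          -T fields -e ip.src -e ip.dst -e tcp.dstport
# capture.pcapng is a placeholder name. The .190 host is hypothetical and
# models a client that bypasses the proxy.
SAMPLE = (
    "192.168.182.180\t192.168.182.161\t8070\n"
    "192.168.182.180\t192.168.182.164\t10443\n"
    "192.168.182.181\t192.168.182.161\t8070\n"
    "192.168.182.181\t192.168.182.164\t10443\n"
    "192.168.182.190\t192.168.182.161\t10443\n"
    "\n"
    "not-a-flow-line\n"
)


def audit_flows(text):
    """Classify client flows; return (expected, violations, skipped)."""
    expected, violations, skipped = Counter(), [], 0
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not parts[2].isdigit():
            skipped += bool(line.strip())  # count malformed lines, ignore blank ones
            continue
        src, dst, port = parts[0], parts[1], int(parts[2])
        if src in (SRVA, SRVD):
            continue  # server-side peer traffic; the internal port is not given on the page
        if (dst, port) in ((SRVA, MAIN_PORT), (SRVD, SOCKET_PORT)):
            expected[(dst, port)] += 1
        elif dst == SRVA and port == SOCKET_PORT:
            violations.append((src, dst, port))  # direct socket access to the main server
    return expected, violations, skipped


if __name__ == "__main__":
    ok, bad, skipped = audit_flows(SAMPLE)
    for (dst, port), n in sorted(ok.items()):
        print(f"expected  {dst}:{port}  x{n}")
    for src, dst, port in bad:
        print(f"VIOLATION {src} -> {dst}:{port} (socket port reached on main server)")
    print(f"skipped {skipped} malformed line(s)")
```

An empty violations list corresponds to the result shown in the captures above: no client traffic to port 10443 on SRVA.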

 
