How to configure HTTP tunneling and reverse proxy for Cloud Agents?

Document ID : KB000011859
Last Modified Date : 14/02/2018
Question:

I want the agent in the cloud to always use the Reverse Proxy to connect to a collector in the intranet.
The Reverse Proxy forwards the agent traffic to the special collector.
What are the steps to achieve this?

Here is the overview: MOM - SpecialCollector - Firewall - ReverseProxy - Cloud Agent

- MoM:
mom_host - mom_IP@5001

- Special Collector for Cloud Agents:
specialcollector_host - specialcollector_IP@5001

- Cloud Agent:
agent_host - agentIP

- Apache Reverse Proxy:
reverseproxy_host - reverseproxy_port@451

<VirtualHost *:451>
.      
</VirtualHost>

Answer:

1. Verify that the collector connections are correct in MOM_HOME/config/IntroscopeEnterpriseManager.properties
Remember, the MOM identifies each collector by the host and port combination defined in this file.

2. Configure the web server HTTP tunneling
Open MOM_HOME/config/em-jetty-config.xml
Add the new http section below:

<Call name="addConnector">
  <Arg>
    <New class="com.wily.webserver.NoNPESocketConnector">
      <Set name="port">8444</Set>
      <Set name="HeaderBufferSize">8192</Set>
      <Set name="RequestBufferSize">16384</Set>
      <Set name="ThreadPool">
        <New class="org.mortbay.thread.BoundedThreadPool">
          <Set name="minThreads">10</Set>
          <Set name="maxThreads">100</Set>
          <Set name="maxIdleTimeMs">60000</Set>
        </New>
      </Set>
    </New>
  </Arg>
</Call>

3. Configure your firewall to allow only the special_collector@8444

4. Configure the applications running in the agent cloud to connect to the special collector

- Open MOM_HOME/config/loadbalancing.xml and add the new agent-collector section below:

<agent-collector name="agents_in_the_cloud">
  <agent-specifier>agent_host.*\|.*\|.*</agent-specifier>
  <include>
    <collector host="<specialcollector>" port="<specialcollector_port>"/>
  </include>
</agent-collector>

If required, add additional agent-collector sections for your non-cloud agents.

5. Configure your Apache reverse proxy to forward the agent information to the special collector. Here is an example for this demonstration:

<VirtualHost *:451>
..
ProxyRequests Off
..
ProxyPass / http://<special_collector>:8444/
ProxyPassReverse / http://<special_collector>:8444/
..
</VirtualHost>

The above URLs are for demonstration purposes only.

NOTE: Make sure your Apache reverse proxy is configured correctly.
For example, if the reqtimeout module has been enabled, make sure the request header timeout has been set up correctly; otherwise continuous agent-EM disconnections might occur.

<IfModule reqtimeout_module>
      RequestReadTimeout header=60,minrate=500
</IfModule>

Consult your webserver documentation.

6. Configure the Cloud agent to connect to the reverse proxy at port 451:

Open AGENT_HOME/core/config/IntroscopeAgent.profile
set agentManager.url.1=http://<proxyserver>:451

NOTE: The above URL is for demonstration purposes only.
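
A consistency check for steps 2, 5 and 6, added here as an example (it is not CA tooling and not part of the original article): it verifies that the agent URL points at the reverse proxy's listening port, that ProxyPass and ProxyPassReverse both target the collector's tunneling port 8444, and that ProxyRequests is not enabled. The function name `check_chain` and the sample configuration text are constructed for illustration, using the article's placeholder host names.

```python
import re
from urllib.parse import urlsplit

# Constructed sample inputs built from the article's placeholder names and ports.
VHOST = """\
<VirtualHost *:451>
ProxyRequests Off
ProxyPass / http://specialcollector_host:8444/
ProxyPassReverse / http://specialcollector_host:8444/
</VirtualHost>
"""
AGENT_PROFILE = "agentManager.url.1=http://reverseproxy_host:451\n"


def check_chain(vhost, profile, proxy_host, collector_host, tunnel_port=8444):
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []
    m = re.search(r"<VirtualHost\s+[^:>\s]+:(\d+)\s*>", vhost, re.I)
    listen_port = int(m.group(1)) if m else None
    if listen_port is None:
        findings.append("no <VirtualHost host:port> block found")
    # ProxyRequests On would turn the internet-facing host into a forward proxy.
    pr = re.search(r"^\s*ProxyRequests\s+(\S+)", vhost, re.I | re.M)
    if pr and pr.group(1).lower() != "off":
        findings.append("ProxyRequests must be Off on a reverse proxy")
    # Both directives must point at the collector's HTTP tunneling connector.
    for directive in ("ProxyPass", "ProxyPassReverse"):
        d = re.search(rf"^\s*{directive}\s+/\s+(\S+)", vhost, re.I | re.M)
        if not d:
            findings.append(f"{directive} / <url> is missing")
            continue
        target = urlsplit(d.group(1))
        if (target.hostname, target.port) != (collector_host, tunnel_port):
            findings.append(f"{directive} targets {target.netloc}, expected {collector_host}:{tunnel_port}")
    # The agent must address the proxy, never the collector directly.
    a = re.search(r"^\s*agentManager\.url\.1\s*=\s*(\S+)", profile, re.M)
    if not a:
        findings.append("agentManager.url.1 is not set")
    else:
        agent = urlsplit(a.group(1))
        if (agent.hostname, agent.port) != (proxy_host, listen_port):
            findings.append(f"agent connects to {agent.netloc}, expected {proxy_host}:{listen_port}")
    return findings
```

Pass the real file contents in place of the constructed samples; host names are compared in lower case, as `urlsplit` normalizes them.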

Additional Information:

https://docops.ca.com/ca-apm/10-3/en/administrating/configure-enterprise-manager/configure-agent-enterprise-manager-network-topology/configure-loadbalancing-xml-for-allowed-and-disallowed-agents-by-enterprise-manager

https://docops.ca.com/ca-apm/10-3/en/administrating/configure-enterprise-manager/configure-enterprise-manager-communications