First decide which hub will act as the tunnel server (receiving the connection) and which will act as the tunnel client (making the connection). Only one port needs to be opened on the tunnel server end: the default is 48003, but any available port can be used, e.g. 443. Please note that tunnel traffic is NOT HTTPS traffic, even when it uses port 443.
The following are high-level steps; please refer to the Installation Guide for tunnel concepts and detailed steps.
1- On Tunnel Server:
I-Set up CA (Certificate Authority):
a- Enable Tunneling (if it is not already enabled)
• In the hub probe GUI, in the General section, select the checkbox next to "Enable Tunneling". This enables the "Tunnels" tab.
• In the Tunnels section, select the "Active" checkbox in "Server Configuration".
• In the "Certificate Authority Setup" window, fill out the fields accordingly.
• Select "Security Settings" as desired. Note that if you choose Medium or above, the encryption will be stronger, but at the cost of processing resources.
• Click the Apply button and restart the hub probe.
Note: If the first probe port is set on the hub's controller, then you should also set the first probe port in the hub GUI Tunnels->Advanced section to offset it from, e.g., the 48000 range.
II-Create Tunnel Client Certificate:
• In the hub probe GUI, go to the "Tunnels->Server Configuration" section.
• Click the New button under the "Issued Certificates" section.
• In the "Client Certificate Setup" window, fill out the "Who" and "Where" fields accordingly. The fields under "Authentication" should be filled out as follows:
o Common Name: The tunnel client's connection IP address. If the client is NAT'ed, i.e. its external IP address is different from its internal IP address, then use the client's external IP address in this field. You can also use a wildcard, i.e. either one asterisk '*' or four asterisks '*.*.*.*' (without quotes), to set up a single certificate which can then be used for multiple tunnel clients.
o Password: Make a note of this password, as you will use it on the client side of the hub when installing the certificate.
o Expire days: The default is 365 days. Depending on the requirements and the length of the client tunnel's life, this can be increased to avoid regenerating the tunnel certificate and resetting the tunnel client.
III-Copy Tunnel Client License:
• In the hub probe GUI, in the "Tunnels->Server Configuration" section, click View under the "Issued Certificates" section.
• Click the Copy button; it copies the certificate to your clipboard.
• Open the Notepad application and press CTRL+V or right-click and choose Paste.
• Save the file, name it accordingly, and make sure that no extra characters are inserted into the file.
• Now copy the file to the tunnel client, or have it available so that you can copy and paste it on the tunnel client side.
2- On Tunnel Client:
Note 1: During hub installation, you are given an option to "initialize Security", which creates a local copy of the security.cfg file and sets the Nimsoft 'administrator' user password. This is a required step on tunnel clients, as you need to log in to the hub as the 'administrator' user to set up tunneling.
Note 2: Normally, Infrastructure Manager will not be installed or available on the tunnel client side. You can use "Nimsoft Using DMZ Tunnel Setup Wizard" ("Nimsoft Monitoring->Tools" application group).
I-Using Infrastructure Manager:
• Log in to the tunnel client hub.
• In the hub probe GUI, enable the "Tunneling" option in the General section.
• Switch to the Tunnels tab and then to "Client Configuration".
• Click the New button.
• Deselect "Check Server Common Name" if the tunnel server is NAT'ed.
• Fill out the fields accordingly. Use the password which you set up in step 3 of "Create Tunnel Client Certificate".
• In the "Certificate" field, paste the client certificate which you created in step 3 of "Create Tunnel Client Certificate" and copied in step 5 of "Copy Tunnel Client License".
• Click OK, then Apply, and restart the hub probe.
Now, if all goes well, your tunnel client will connect to the tunnel server. If you get errors accessing the new hub, refer to the Troubleshooting section.
II-Using "Nimsoft DMZ Tunnel Wizard":
• Open "Nimsoft DMZ Tunnel Wizard" from the Programs menu.
• Select "Client" in the first screen.
• You will be prompted for the administrator password.
• Fill in the fields and the tunnel certificate appropriately.
After finishing, do not log in to the new hub until the Enabled status shows up in the Security column of Infrastructure Manager.
If you get errors accessing the new hub, refer to the Troubleshooting section.
Note: The tunnel document is attached in .doc format and contains a troubleshooting section as well.