ERM Proxy virtual machine

The ERM Proxy is a virtual machine that is installed separately from the rest of the Enhanced Room Management product suite. It allows an ERM server to provision multiple Cisco endpoints located on a private network, such as behind a firewall/NAT router, that ERM could otherwise not contact directly.

Additionally, when compared to passive provisioning alone, it provides more immediate contact with a Cisco endpoint and, thus, a more immersive experience. For example, with passive provisioning alone, the Cisco endpoint only acts on configuration changes after it calls home to the ERM service (which occurs at some point between 45 and 400 seconds later). By contrast, the ERM Proxy allows the ERM service to push both configuration and commands to the Cisco endpoint immediately, so endpoints can be controlled and updated in real time.

The ERM Proxy does not currently support Poly devices — these endpoints must be configured in Passive Mode.

ERM Proxy architecture

The ERM Proxy virtual machine can be installed in VMware ESXi or Microsoft Hyper-V, and should be deployed in line with your security policy. In a geographically dispersed organization you would normally install multiple ERM Proxies, one in each region or office, to manage the local endpoints in that location.

A typical ERM architectural overview that includes the ERM Proxy is shown below:

How it works

When the initial configuration of the ERM Proxy is complete, the following process occurs:

  1. The proxy sends an HTTP request to the ERM service using a TLS-secured connection (toward port 443), authenticated with the proxy client password, to request admission as a proxy client. In addition, the request includes a public SSH key from the proxy to enable a key-based SSH connection to be established in a later step.

    Assuming the ERM Proxy successfully authenticates, the ERM service will initially deny the setup of the SSH connection. After that, the proxy continues to periodically send requests toward the ERM service to see if access has been granted.

  2. A successfully authenticated ERM Proxy appears on the Proxy clients page within the ERM GUI. An ERM administrator must now manually confirm the proxy connection to the ERM service. See ERM proxy clients for more information.

  3. When the proxy connection is confirmed, the ERM service stores this confirmation. Then, during the next request cycle from the ERM Proxy, the ERM service responds with details required to establish an SSH connection, including the relevant port for this connection and additional security parameters.

    Note that the default listening port used by the ERM service to enable this SSH connection from the ERM Proxy is TCP 2222. This is configurable within the ERM Installer (via Installation > (ERM module) Details > Configure > Other settings > Incoming Pexip Proxy client port). Any updates to this configuration via the Installer must be deployed to the ERM module to take effect.

  4. The ERM Proxy establishes an SSH connection towards the ERM service using the configured port and negotiated security parameters.

  5. The SSH connection enables the ERM service to send provisioning details and API commands via the ERM Proxy to the remote systems. The ERM Proxy forwards the API requests received via the SSH connection as HTTP(S) requests to the Cisco endpoints (TCP port 80/443).

  6. Endpoints are also configured for passive provisioning and live event updates. These HTTP requests are sent directly from the endpoints to the ERM service, so passive provisioning provides a fallback connection to the ERM service.

  7. An administrator can check the SSH connection status on the ERM service via the Admin > Proxy clients menu (see ERM proxy clients for more information).
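The admission sequence in steps 1 to 4 above, as a constructed Python simulation added here (not Pexip's code): the message fields, state names and class names are assumptions made for the example, not the product's real wire format, but the order of checks follows the text: password first, then a pending state until an administrator confirms, and only then the SSH port.

```python
# Constructed simulation of the ERM Proxy admission flow (steps 1-4 above).
# Message fields, state names and class names are assumptions for this
# example; they are not the product's real wire format.
import hashlib
import hmac

DEFAULT_SSH_PORT = 2222  # default "Incoming Pexip Proxy client port"


def key_fingerprint(ssh_pubkey: str) -> str:
    """Short SHA-256 fingerprint so an admin can compare keys out of band."""
    return hashlib.sha256(ssh_pubkey.encode()).hexdigest()[:16]


class ErmService:
    """Server side: authenticates proxies and gates SSH access on admin approval."""

    def __init__(self, proxy_client_password: str, ssh_port: int = DEFAULT_SSH_PORT):
        self._password = proxy_client_password
        self.ssh_port = ssh_port
        self.proxy_clients = {}  # what the "Proxy clients" page would list

    def admission_request(self, name: str, password: str, ssh_pubkey: str) -> dict:
        # Step 1: password check first; an unauthenticated proxy is never listed.
        # compare_digest avoids leaking the password length/prefix via timing.
        if not hmac.compare_digest(password.encode(), self._password.encode()):
            return {"status": "denied"}
        fp = key_fingerprint(ssh_pubkey)
        client = self.proxy_clients.setdefault(name, {"fingerprint": fp, "confirmed": False})
        if client["fingerprint"] != fp:
            # Assumption: a changed SSH key must be re-confirmed by an administrator.
            client.update(fingerprint=fp, confirmed=False)
        if not client["confirmed"]:
            return {"status": "pending"}  # step 2: waiting for manual confirmation
        # Step 3: confirmed, so hand out the SSH connection details.
        return {"status": "granted", "ssh_port": self.ssh_port}

    def admin_confirm(self, name: str) -> None:
        self.proxy_clients[name]["confirmed"] = True


def demo() -> list:
    """Walks one proxy through the flow; returns the status seen on each cycle."""
    svc = ErmService("constructed-secret")
    key = "ssh-ed25519 AAAA...constructed"
    seen = [svc.admission_request("proxy-oslo", "wrong", key)["status"]]  # never listed
    seen.append(svc.admission_request("proxy-oslo", "constructed-secret", key)["status"])
    svc.admin_confirm("proxy-oslo")  # administrator confirms on the Proxy clients page
    seen.append(svc.admission_request("proxy-oslo", "constructed-secret", key)["status"])
    return seen  # ['denied', 'pending', 'granted']
```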

Server specifications and network options

The default virtual appliance requires:

  • 4 cores (most modern processors will suffice)
  • 1.5 GB RAM
  • 15 GB SSD storage

This specification should be suitable for most installations as the required data traffic and compute levels are low. It also means that the virtual appliance would be appropriate to run on a shared compute host (with the caveat that there should be minimal oversubscription of the underlying host resources).

Depending on the network topology, the ERM Proxy can be deployed with one or two network interfaces in various configurations:

  • Single NIC: the first NIC is used to route all traffic.
  • Dual NIC:

    • The first NIC routes external traffic via the DMZ or public network.
    • The second NIC is used to route internal traffic via the LAN network.

Use of Load Balancers or Reverse Proxies

A load balancer or reverse proxy may be used in front of the ERM Proxy and/or the main ERM service.

When a load balancer is used in front of the ERM service, the ERM Proxy connects to the upstream ERM service through this device using both HTTP and SSH connections. The ERM module may be configured using either one or two FQDNs (see Installing the ERM module for device management):

  • If the ERM service uses a single FQDN (defined in the Hostname field of the main ERM module configuration), then this FQDN should be exposed on the load balancer.
  • If the ERM service uses the optional Separate domain name for video conference system requests, then this FQDN should be exposed on the load balancer.

The use of such infrastructure can introduce additional complexities and issues. For example, a man-in-the-middle (MITM) device may terminate the HTTPS connection as a transparent proxy, so that the certificate chain presented toward the ERM Proxy is issued by a Certificate Authority it does not trust. As a result, the attempted connection will fail if the ERM Proxy has been configured to check certificate validity (which is the default configuration setting). See Certificate chain troubleshooting for a MITM proxy for more information.

Installing the ERM Proxy

Pexip provides the ERM Proxy appliance via an OVA or VHDx template suitable for deployment on VMware ESXi or Microsoft Hyper-V. The templates are provided "as-is", offering a reference installation suitable for integrating with an existing Pexip ERM deployment.

No changes should be made to any ERM Proxy via the terminal interface (other than as described when running the initial installation wizard) unless directed to do so by Pexip support. This includes (but is not limited to) changes to the time zone, changes to IP tables, the configuration of Ethernet interfaces, or the installation of any third-party code/applications.

The information you need to specify during the initial configuration of an ERM Proxy includes:

  • The FQDN of the ERM service that the ERM Proxy will connect to.
  • The name of the ERM Proxy.
  • A proxy client password (which enables the ERM Proxy to authenticate with the ERM service and establish a trust relationship to set up an SSH tunnel).

The installation process for the ERM Proxy is similar to that seen with the standard ERM Installer.

Obtaining the installation image

The latest version of the installation image is available at the Pexip download page.

Initial VM deployment and network settings

When you first start up the virtual machine, you are presented with a CLI installation wizard that offers a list of choices that you can navigate using the arrow keys.

The first section is for your network settings:

By default, the VM appliance uses a single NIC which obtains its IP details via DHCP.

The options are:

  • Refresh status: Run this to see the current status of the machine, such as which IP address has been assigned via DHCP, as well as disk space and usage, both of which can be helpful during installation.
  • Change hostname for server: Here you can set the hostname for the server (this is primarily for internal use). This is helpful when monitoring entries in different types of event logs.
  • Change IP-settings on first/second NIC: Choose this option to switch between using DHCP and manually entering IP addresses and other network settings such as gateway and DNS servers.
  • Set DNS-servers: This option allows you to specify a standalone DNS server to apply to the server. Even if DHCP is used, an override DNS or similar setup might be used, which you can then specify here.
  • Set NTP-servers: You can manually specify which NTP servers to use. This can, for example, be useful in a more secure network with a dedicated internal server, for which you can then enter an IP address or hostname. If a hostname is specified, a working DNS server must be available.
  • Set HTTP-proxy: Use this option if you restrict outgoing HTTP(S) requests in your network. It allows all requests to exit via a third-party HTTP proxy where you can inspect the traffic and block addresses that are not allowed. The format for defining the HTTP(S) proxy is:

    http://user:password@address:port

  • Set static routes: This option is available if you have several different subnets in your network. For example, traffic can go by default through the default gateway, but traffic to 10.0.0.0/24 should instead go through a router that has the IP address 192.168.1.100.

Some choices may require a restart to take effect. You can choose to either restart after each step or, if you prefer, you can complete all settings and then restart at the end of your setup.

When you are satisfied with your network settings, select Continue at the bottom of the list. This takes you to the next section on security settings.

Server security settings

After configuring the network settings you can define the security settings for your server.

The options are:

  • Set password for admin system account: Here you create a password for the default system user (username: admin), which can then be used to log in to the Linux console, for example to troubleshoot or change a specific setting (with guidance from Pexip support).

    After the password has been set, this option changes to allow the disabling or re-enabling of the admin account.

  • Disable SSH-login using password: Choose this option to disable login via SSH with a password. By default, SSH login uses SSH keys rather than a password.

    First, add your SSH key to the VM. To do this, temporarily activate SSH login using a password, add your SSH public key to the ~/.ssh/authorized_keys file, and then deactivate password login again for increased security.

  • Disable unattended upgrade for Host: Information for this option will be added soon.
  • Disable further changes using boot console-wizard: If you select this option, you will no longer be able to access the terminal menu without first logging in.

    If you have not enabled the admin system account, you will be locked out of the VM entirely and unable to log in, so you will need to redeploy the appliance.

When you have chosen your options in this section, select Continue at the bottom of the list to proceed. As long as you have not selected Disable further changes using boot console-wizard, you can always return to these security choices later on to make additional changes.

CLI main ERM Proxy configuration menu

After the network and security steps of the installation wizard are complete, the main ERM Proxy configuration menu is displayed. Here, you can configure the main operation of the ERM Proxy to connect to an upstream ERM service:

The options are:

  • Configure proxy / Update server status: Initially, this option shows as Configure proxy, which allows you to configure the upstream ERM service connection for the ERM Proxy. After the proxy has been configured, this menu item changes to Update server status.

    Within the Configure proxy menu, there are several sub-options:

    • Enter FQDN of the Pexip ERM server: The details you enter in this field depend on whether you have configured your ERM service with one or two FQDNs, and how you have exposed those FQDNs:

      • If your ERM service is configured with a single hostname / FQDN, then this should be used here.
      • If your ERM server is configured to use the optional Separate domain name for video conference system requests, then typically you will expose this FQDN for remote inbound requests. Note that the main FQDN would technically work; however, when using separate domain names in this way, you would typically reserve the main FQDN for access to the ERM web admin GUI.

    • Enter the name of this proxy: A human-readable name that identifies the proxy when it attempts a connection to the ERM server.
    • Validate SSL connection (Y/n): The default is Yes, which ensures the ERM Proxy validates the TLS certificate and chain presented by the ERM server or upstream infrastructure. Any certificate chain issued by a public CA should validate successfully against the built-in trusted root CA store.

      If you use certificates from a private CA, then you should upload those root CA certificates in PEM format into the /home/admin/trusted_ca.pem file (for example, using an SSH terminal, WinSCP or FileZilla).

    • Enter overridden IP for (proxy FQDN): Here you can define an IP address to use instead of the resolved FQDN of the ERM service (configured previously). Use this, for example, if the ERM service FQDN does not resolve, or if you want the request routed via other infrastructure or an alternative route.
    • Enter proxy password: If you have configured a Proxy client password within the ERM module (Admin > Settings > Security and privacy > Proxy client passwords), you should enter the matching password here.

  • Display live proxy logs: Shows a real-time view of the ERM Proxy logged events. Press Ctrl+C to cancel this view; after a couple of seconds, you are returned to the menu.

    This option only works after the proxy has been configured and has started.

  • Login shell: Allows you to log in to the VM terminal shell.
  • Proxy settings: Allows you to configure additional settings for the proxy. There are several sub-options:

    • Configure proxy: As per the Configure proxy menu above. When the initial configuration of the ERM Proxy is complete, you can reconfigure it via this option.
    • Upgrade proxy: Lets you upgrade to the latest ERM Proxy image from the ERM registry portal. For this to occur, the ERM Proxy requires internet access to the erm-registry.pexip.io service.
    • Collect logs: Gathers the log files, compresses them, and saves them to a file in the /tmp folder. The file can then be copied off the box with SCP, using an application such as WinSCP or FileZilla, or scp at the command line (OS dependent).
    • Clear settings: Removes the currently configured ERM Proxy settings.
    • Network settings: Opens the network settings as described above.
    • Security settings: Opens the security settings as described above.
    • Hard drive cleanup: This option lets you clean up data from your VM, including debug logs/raw call data, old versions and unused images.
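The Validate SSL connection and Enter overridden IP options above, together with the untrusted-chain failure described under Use of Load Balancers or Reverse Proxies, as a constructed Python check added here (not Pexip's code): the FQDN, override IP and port are placeholders, the CA path is the one named in the documentation, and the point it shows is that an IP override changes where the socket connects but never which name the certificate is validated against.

```python
# Added example (not Pexip's code): checking the ERM service certificate the way
# the "Validate SSL connection" option does, including the "Enter overridden IP"
# case. The FQDN, override IP and port below are constructed placeholders.
import socket
import ssl

TRUSTED_CA_PEM = "/home/admin/trusted_ca.pem"  # private root CAs, PEM format


def build_context(private_ca_pem: str = "") -> ssl.SSLContext:
    """Default context: system root store, certificate required, hostname checked."""
    ctx = ssl.create_default_context()
    if private_ca_pem:
        # Private CA roots are added to, not substituted for, the built-in store.
        ctx.load_verify_locations(cafile=private_ca_pem)
    return ctx


def connection_target(fqdn: str, override_ip: str = "") -> tuple:
    """(host to connect to, name to validate the certificate against).

    With an IP override the socket goes to the IP, but SNI and the hostname
    check still use the FQDN: the certificate is never matched against the IP.
    """
    return (override_ip or fqdn, fqdn)


def probe_erm_service(fqdn: str, override_ip: str = "", port: int = 443,
                      private_ca_pem: str = "") -> dict:
    """Returns a verdict dict; does not raise, so it can feed a health check."""
    connect_host, tls_name = connection_target(fqdn, override_ip)
    ctx = build_context(private_ca_pem)
    try:
        with socket.create_connection((connect_host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
                cert = tls.getpeercert()
                return {"ok": True,
                        "issuer": dict(rdn[0] for rdn in cert["issuer"]),
                        "not_after": cert["notAfter"]}
    except ssl.SSLCertVerificationError as exc:
        # Untrusted chain, e.g. a MITM/transparent proxy re-signing with its own CA
        return {"ok": False, "reason": "verify: " + exc.verify_message}
    except OSError as exc:  # ssl.SSLError is also an OSError
        return {"ok": False, "reason": "connect: " + str(exc)}


if __name__ == "__main__":
    print(probe_erm_service("erm.example.com", override_ip="192.0.2.10",
                            private_ca_pem=TRUSTED_CA_PEM))
```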