ERM Proxy virtual machine
The ERM Proxy is a virtual machine that is installed separately from the rest of the Enhanced Room Management product suite. It allows an ERM server to provision multiple Cisco endpoints located on a private network, such as behind a firewall/NAT router, that would otherwise be non-directly contactable by ERM.
Additionally, when compared to passive provisioning alone, it provides a more immediate contact with a Cisco endpoint and, thus, a more immersive experience. For example, with passive provisioning alone, the Cisco endpoint will only act on configuration changes after it calls home to the ERM service (which can occur at some point between 45-400 seconds). Whereas, the ERM Proxy allows the ERM service to immediately push both configuration and commands to the Cisco endpoint, allowing them to be controlled and updated in real-time.
This topic covers:
- ERM Proxy architecture
- How it works
- Server specifications and network options
- Use of Load Balancers or Reverse Proxies
- Installing the ERM Proxy
ERM Proxy architecture
The ERM Proxy virtual machine can be installed in VMware ESXi or Microsoft Hyper-V, and should be deployed as per your security policy. In a geographically-dispersed organization you would normally install multiple ERM Proxys — one in each region or office to manage the local endpoints in that location.
A typical ERM architectural overview that includes the ERM Proxy is shown below:
How it works
When the initial configuration of the ERM Proxy is complete, the following process occurs:
The proxy sends an HTTP request to the ERM service using a TLS-secured connection (toward port 443), authenticated with the proxy client password, to request admission as a proxy client. In addition, the request includes a public SSH key from the proxy to enable a key-based SSH connection to be established in a later step.
Assuming the ERM Proxy successfully authenticates, the ERM service will initially deny the setup of the SSH connection. After that, the proxy continues to periodically send requests toward the ERM service to see if access has been granted.
A successfully authenticated ERM Proxy appears on the page within the ERM GUI. An ERM administrator must now manually confirm the proxy connection to the ERM service. See ERM proxy clients for more information.
When the proxy connection is confirmed, the ERM service stores this confirmation. Then, during the next request cycle from the ERM Proxy, the ERM service responds with details required to establish an SSH connection, including the relevant port for this connection and additional security parameters.
Note that the default listening port used by the ERM service to enable this SSH connection from the ERM Proxy is TCP 2222. This is configurable within the ERM Installer (via ). Any updates to this configuration via the Installer must be deployed to the ERM module to take effect.
The ERM Proxy establishes an SSH connection towards the ERM service using the configured port and negotiated security parameters.
The SSH connection enables the ERM service to send provisioning details and API commands via the ERM Proxy to the remote systems. The ERM Proxy forwards the API requests received via the SSH connection as HTTP(s) requests to the Cisco endpoints (TCP port 80/443).
Endpoints are configured for passive provisioning and live event updates. These HTTP requests are sent directly from the endpoints to the ERM service. Configuration of passive provisioning enables a fallback connection to the ERM service.
An administrator can check the SSH connection status on the ERM service via the menu (see ERM proxy clients for more information).
Server specifications and network options
The default virtual appliance requires:
- 4 cores (most modern processors will suffice)
- 1.5 GB RAM
- 15 GB SSD storage
This specification should be suitable for most installations as the required data traffic and compute levels are low. It also means that the virtual appliance would be appropriate to run on a shared compute host (with the caveat that there should be minimal oversubscription of the underlying host resources).
Depending on the network topology, the ERM Proxy can be deployed with one or two network interfaces in various configurations:
- Single NIC, the first NIC is used to route all traffic.
- The first NIC routes external traffic via the DMZ or public network.
- The second NIC is used to route internal traffic via the LAN network.
Use of Load Balancers or Reverse Proxies
A load balancer or reverse proxy may be used in front of the ERM Proxy and/or the main ERM service.
When a load balancer is used in front of the ERM service, the ERM Proxy connects to the upstream ERM service through this device using both HTTP and SSH connections. The ERM module may be configured using either one or two FQDNs (see Installing the ERM module for device management):
- If the ERM service uses a single FQDN (defined in the Hostname field of the main ERM module configuration), then this FQDN should be exposed on the load balancer.
- If the ERM service uses the optional Separate domain name for video conference system requests, then this FQDN should be exposed on the load balancer.
The use of such infrastructure can introduce additional complexities and issues. For example, a man-in-the-middle (MITM) device may terminate the HTTP stream as a transparent proxy, and the certificate chain presented toward the ERM Proxy may be issued from an untrusted Certificate Authority. As a result, the attempted connection will fail if the ERM Proxy has been configured to check the certificate validity (which is the default configuration setting). See Certificate chain troubleshooting for a MITM proxy for more information.
Installing the ERM Proxy
Pexip provides the ERM Proxy appliance via an OVA or VHDx template suitable for deployment on VMware ESXi or Microsoft Hyper-V. The templates are provided "as-is", offering a reference installation suitable for integrating with an existing Pexip ERM deployment.
No changes should be made to any ERM Proxy via the terminal interface (other than as described when running the initial installation wizard) unless directed to do so by Pexip support. This includes (but is not limited to) changes to the time zone, changes to IP tables, the configuration of Ethernet interfaces, or the installation of any third-party code/applications.
The information you need to specify during the initial configuration of an ERM Proxy includes:
- The FQDN of the ERM service where the ERM Proxy will connect towards.
- The name of the ERM Proxy.
- A proxy client password (which enables the ERM Proxy to authenticate with the ERM service and establish a trust relationship to set up an SSH tunnel).
The installation process for the ERM Proxy is similar to that seen with the standard ERM Installer.
Obtaining the installation image
The latest version of the installation image is available at the Pexip download page.
Initial VM deployment and network settings
When you first start up the virtual machine, you are presented with a CLI installation wizard that offers a list of choices that you can navigate using the arrow keys.
The first section is for your network settings:
By default the VM appliance uses a single NIC which obtains its IP details via DHCP.
The options are:
|Refresh status||Run this to see the current status of the machine, such as which IP number has been assigned via DHCP, as well as disk space and usage, which can both be helpful during installation.|
|Change hostname for server||Here you can set the hostname for the server (this is primarily for internal use). This is helpful when monitoring entries in different types of event logs.|
|Change IP-settings on first/second NIC||Choose this option to switch between using DHCP or manually entering IP numbers and other network settings such as gateway and DNS servers.|
|Set DNS-servers||This option allows you to specify a standalone DNS server to apply to the server. Even if DHCP is used, an override DNS or similar setup might be used, which you then can specify here.|
|Set NTP-servers||You can manually specify which NTP servers to use. This can, for example, be useful for a more secure network with a dedicated internal server which you can then enter an IP number or hostname for. If a hostname is specified, it requires an available working DNS server.|
Use this option if you lock outgoing HTTP(s) requests in your network. It allows all requests to exit via a third-party HTTP proxy where you can verify the traffic and lock down addresses that are not allowed. The format for defining the HTTP(s) proxies is:
|Set static routes||This option is available if you have several different subnets in your network. For example, traffic can go by default through the default gateway, but that 10.0.0.0/24 should instead go through a router that has an IP address 192.168.1.100.|
Some choices may require a restart to take effect. You can choose to either restart after each step or, if you prefer, you can complete all settings and then restart at the end of your setup.
When you are satisfied with your network settings, selectat the bottom of the list. This takes you to the next section on security settings.
Server security settings
After configuring the network settings you can define the security settings for your server.
The options are:
|Set password for admin system account||
Here you create a password for the default system user (username: admin), which can then be used to log in to the Linux console, for example, to troubleshoot or change a specific setting (with guidance from Pexip support).
After the password has been set, this option changes to allow the disabling or re-enabling of the admin account.
|Disable SSH-login using password||
Choose this option to disable login via SSH with a password. SSH is enabled with the use of SSH keys by default, and not by using a password.
First, add your SSH key to the VM. To do this, temporarily activate SSH login using a password, add your SSH public key (to the ~/.ssh/authorized_keys file) and then deactivate this option for increased security.
|Disable further changes using boot console-wizard||
If you select this option, you will no longer be able to access the terminal menu without first logging in.
If you have not enabled the admin system account, you will be locked out of the VM entirely and be unable to log in so will need to redeploy the appliance.
When you have chosen your options in this section, select Disable further changes using boot console-wizard, you can always return to these security choices later on to make additional changes.at the bottom of the list to proceed. As long as you have not selected
CLI main ERM Proxy configuration menu
After the network and security steps of the installation wizard are complete, the main ERM Proxy configuration menu is displayed. Here, you can configure the main operation of the ERM Proxy to connect to an upstream ERM service:
The options are:
Configure proxy /
Update server status
Initially, this option shows as ERM service connection for the ERM Proxy. After the proxy has been configured, this menu item changes to ., which allows you to configure the upstream
Within the Configure proxy menu, there are several sub-options:
|Display live proxy logs||
Shows a real-time view of the ERM Proxy logged events. Press Ctrl+C to cancel this view, and after a couple of seconds, you are returned to the menu.
This option only works after the proxy has been configured and has started.
|Login shell||Allows you to log in to the VM terminal shell.|
Allows you to configure additional settings for the proxy. There are several sub-options:
|Network settings||Opens the network settings as described above.|
|Security settings||Opens up the security settings as described above.|
|Hard drive cleanup||This option lets you clean up data from your VM, including debug logs/raw call data, old versions and unused images.|