Setting up a reverse proxy with Cb Protection

Version

7.X

Q/A

Question 1

How do I set up Bit9 with a reverse proxy?

Answer

This solution should be considered best effort.

Support does not get involved in setting up a reverse proxy for customers, as it is not a supported configuration and we do not test/QA in-house with a reverse proxy. If you need assistance with reverse proxy setup, configuration or troubleshooting, Support would refer you to Professional Services or here on User eXchange.

Given that, here is information that has been shared with customers previously that might assist you in configuring or troubleshooting your reverse proxy.

  1. Make sure you forward the port rather than terminating it. The default port is 41002. You can verify your port configuration under the System Configuration – General tab.
  2. NAT the internal IP of the Bit9 server to the DMZ and create a 1:1 firewall rule that allows only the external reverse proxy to connect on that port.
  3. Set up the reverse proxy to forward from the Internet IP and port to the NAT address in the DMZ.
  4. Make sure all traffic is passed through and that the proxy does not tamper with or intercept SSL.
  5. Ensure that no TCP/IP connection sharing of any kind occurs for the agent-server communications.
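
The behaviour steps 1, 4 and 5 ask of the proxy, modelled as a minimal layer-4 relay. This is an added example, not code from Carbon Black or from any proxy product: bytes are copied verbatim with no TLS context, and each agent connection gets its own upstream connection. The function names and the 192.0.2.10 upstream address are assumptions made for illustration.

```python
import socket
import threading

def pump(src, dst):
    """Copy bytes verbatim from src to dst; no parsing, no TLS context."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # propagate the half-close
        except OSError:
            pass

def handle(client, upstream_addr):
    """Serve one agent connection over its own upstream connection."""
    try:
        # A fresh upstream socket per client: nothing is pooled or shared.
        upstream = socket.create_connection(upstream_addr, timeout=10)
    except OSError:
        client.close()
        return
    upstream.settimeout(None)
    back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    back.start()
    pump(client, upstream)
    back.join()
    client.close()
    upstream.close()

def start_passthrough(listen_addr, upstream_addr):
    """Start the relay in background threads and return the listening socket."""
    srv = socket.create_server(listen_addr)
    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=handle, args=(client, upstream_addr),
                             daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv

if __name__ == "__main__":
    # Assumed addresses: 41002 is the default port named above; 192.0.2.10 is
    # a documentation placeholder standing in for the NAT address in the DMZ.
    start_passthrough(("0.0.0.0", 41002), ("192.0.2.10", 41002))
    threading.Event().wait()
```

A proxy configured in an HTTP or SSL-offload mode differs from this model in exactly the two places the comments mark: it holds a TLS context of its own, and it may reuse upstream connections across clients.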

To summarize, it's HTTP over SSL over TCP, on ports 443 and 41002.

We do not officially support SSL termination. (However, there are no client certificate authorizations, and there is no need to pass in the client's SSL session ID. There is no SOAP or XML in there anyway and no WSDLs to share; it is very bare even at the HTTP layer, mostly just encrypted transfers.)

All clients use a single DNS name to address the server, so a name that can resolve both internally and externally to the right VIP is required.

We cannot provide vendor-specific guidance or instructions for other folks' products.

Creation Date: 06-17-2016