
Page 1: WISE-PaaS/Secure Tunnel · 2021. 1. 19. · WISE-PaaS/Secure Tunnel – Easy Intranet Penetration • Remote operation and maintenance at anytime, anywhere • Unified cluster management

WISE-PaaS/Secure Tunnel Reverse Proxy Service for Enterprise Security

Advantech

WISE-PaaS Core Service

Xi Ren, PM,

12/07/2020 v0.1 (English)

Page 2

Why WISE-PaaS/Secure Tunnel Is Essential?

[Diagram: all-in-one edge intelligent servers in Domain A, Domain B and Domain C, reached over the Internet by Internet users and Internet operation and maintenance]

Difficulties

• Unable to achieve unified operation and maintenance management
• Insecure and vulnerable
• Cluster management is inconvenient due to a shortage of tools capable of mapping clusters
• Intranet alarms cannot be delivered in time and hence message processing is delayed
• Unable to deploy upgrades across domains
• …

Page 3

WISE-PaaS/Secure Tunnel – Easy Intranet Penetration

• Remote operation and maintenance at anytime, anywhere
• Unified cluster management
• Access intranet services freely via the internet
• Remote alarm monitoring
• Remote application deployment updates

[Diagram: WISE-PaaS/Secure Tunnel connecting the all-in-one edge intelligent servers in Domain A, Domain B and Domain C]

Page 4

Why Choose WISE-PaaS/Secure Tunnel

Enterprise Secure Reverse Proxy Service

Multi-tenant isolation

Secure and reliable
• Support HTTPS protocols and SSL certificates
• TCP mapping adopts safe mTLS for encryption and authentication
• SSH mapping adopts 2048-bit private key for authentication
• Only specific IP set by users has access to the mapping

Cross-platform and multi-protocol support
• Support TCP, HTTP, HTTPS, SSH protocols
• Support Windows, Linux, Docker
• Clients can be deployed on Kubernetes, virtual machines or physical machines

Seamless integration
• Seamlessly integrate with EnSaaS K8s Service and EnSaaS DB Service
• Integrate with WISE-PaaS/SSO to support access and single sign-on by subscription users

Cost decreasing and benefit increasing
• Support domain name forwarding: the same external port can be used for mapping via domain name, saving the cost of external network IP and port

One-key mapping
• K8s services support one-key batch mapping, and services within the cluster can be mapped automatically without manual configuration

Application services deployed for WISE-PaaS/IoTSuite all-in-one edge intelligent server and Kubernetes clusters, databases, message-oriented middleware and other clusters in the WISE-STACK private cloud scenario can be easily managed and maintained remotely through tunnel mapping from the public network.

Page 5

Reverse Proxy Service for Enterprise Security

[Diagram comparing the traditional pattern with Secure Tunnel mapping]

Traditional Pattern
• Services are directly exposed to the internet; the access is insecure
• Private network services don't support Internet access or remote operation & maintenance
• Without tunnel mapping, only intranet access is supported

With Secure Tunnel
• The Secure Tunnel Client sits on the intranet beside the services; traffic between the client and the reverse proxy service uses TLS encrypted transmission
• Secure & controllable mapping configuration
• White-list function: a user IP included in the white-list is forwarded securely; a user IP not included in the white-list can't access the service by tunnel mapping
• User permission management: a user can only access and operate the client and mapping he/she is authorized to
• TCP protocol: supports mTLS encryption and certificate
• HTTPS protocol: TLS encrypted transmission
• SSH: certified by 2048-bit private key
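The two access controls named on pages 4 and 5, a user-configured IP white-list in front of every mapping and domain-name forwarding so that several mappings share one external port, are easy to get wrong (allowing by default, or matching the Host header loosely). The following is an added example, not Advantech's Secure Tunnel code: a small admission layer that applies both checks before a request is forwarded, plus the TLS context a TCP mapping would use to require a client certificate (mTLS). All host names, IP ranges and backend targets are constructed for the example; the demo handler reports the decision instead of actually forwarding the request.

```python
"""Reverse-proxy admission policy: default-deny IP white-list per mapping,
Host-based dispatch on a shared external port, and an mTLS server context.
Illustrative example only; not the WISE-PaaS/Secure Tunnel implementation."""
import ipaddress
import ssl
from dataclasses import dataclass, field
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


@dataclass
class Mapping:
    external_host: str      # name clients use on the shared external port
    internal_target: str    # intranet service the tunnel forwards to
    allow: list = field(default_factory=list)  # CIDR strings; empty list = deny all


def parse_networks(cidrs):
    """Parse allow-list entries; a bare address such as '198.51.100.7' becomes a /32."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def client_allowed(client_ip, cidrs):
    """Default-deny: True only when the caller's IP lies inside one allow-listed network."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:           # malformed or spoofed-looking address: refuse
        return False
    return any(ip in net for net in parse_networks(cidrs))


def select_mapping(host_header, mappings):
    """Domain-name forwarding: pick the mapping bound to the Host name (port stripped, case-insensitive)."""
    name = (host_header or "").split(":", 1)[0].strip().lower()
    for m in mappings:
        if m.external_host.lower() == name:
            return m
    return None


def decide(client_ip, host_header, mappings):
    """Return (status_code, internal_target_or_None):
    404 when no mapping owns that name, 403 when the caller is not on that
    mapping's white-list, 200 with the target when forwarding is permitted."""
    mapping = select_mapping(host_header, mappings)
    if mapping is None:
        return 404, None
    if not client_allowed(client_ip, mapping.allow):
        return 403, None
    return 200, mapping.internal_target


def mtls_server_context(ca_file, cert_file, key_file):
    """TLS context for a TCP mapping that requires and verifies a client certificate.
    (Assumed file paths; the caller supplies its own CA, server cert and key.)"""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_file, key_file)
    return ctx


# Constructed sample configuration: two mappings share one external port
# and are told apart by host name; each carries its own white-list.
MAPPINGS = [
    Mapping("portal.example.test", "http://10.10.0.5:8080", ["203.0.113.0/24", "127.0.0.1"]),
    Mapping("grafana.example.test", "http://10.10.0.6:3000", ["198.51.100.7"]),
]


class AdmissionHandler(BaseHTTPRequestHandler):
    """Demo front door: applies the policy and reports the decision.
    A real proxy would open the tunnel to the target after a 200."""

    def do_GET(self):
        status, target = decide(self.client_address[0], self.headers.get("Host"), MAPPINGS)
        body = (f"forward to {target}\n" if target else "denied\n").encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # curl -H 'Host: portal.example.test' http://127.0.0.1:8080/  -> forward (loopback is allow-listed)
    # curl -H 'Host: grafana.example.test' http://127.0.0.1:8080/ -> 403 (loopback is not)
    ThreadingHTTPServer(("127.0.0.1", 8080), AdmissionHandler).serve_forever()
```

The order of the checks matters: the mapping is resolved from the Host name first, so an unknown name gets 404 regardless of caller, and the white-list is then evaluated against that specific mapping rather than one global list, which is what lets two mappings on the same port carry different allowed ranges.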

Page 6

WISE-PaaS/Secure Tunnel Architecture Diagram

Enterprise Secure Reverse Proxy Service

[Diagram: Web Service and TCP Service reached over TCP and HTTP/HTTPS; Blobstore; Kubernetes Cluster; Docker]

• Cross-Platform Deployment
• Web Kubectl for easy cluster operation
• One-click batch mapping for cluster services
• Support multi-tenant
• Remote management can be conducted anytime, anywhere through tunnel mapping
• Domain name forwarding support & cost saving
• Seamlessly integrated for remote management of all-in-one edge intelligence server and private cloud

Page 7

WISE-PaaS/Secure Tunnel Application Scenario

Enterprise Secure Reverse Proxy Service

[Diagram: users with an enterprise account reaching EnSaaS DB Service, BlobStore and the catalog through the tunnel]

Remote Service Access
• Intranet services can be accessed from the Internet; services on private cloud and edge nodes can be accessed through the tunnel anytime, anywhere

Remote Cluster Operation & Maintenance
• Clusters in the intranet can be operated, maintained and managed through the Internet by tunnel
• Web kubectl is provided for easy operation of private network Kubernetes clusters

Remote Alarm Monitoring
• By tunnel mapping, notifications and alarms from the intranet can be sent to the user via mailbox, WeChat, and so on

Remote Database Operation & Maintenance
• The database can be accessed from the Internet using the tunnel-mapped domain name; there is no need to configure the IP

Remote Application Deployment & Update
• Applications can be deployed on WISE-STACK Private Cloud and WISE-PaaS/IoTSuite all-in-one edge intelligence server

Page 8

WISE-PaaS/Secure Tunnel Contact window

PM Xi.Ren [email protected] VOIP:523 EXT:6949

SE Wei.Cui [email protected] VOIP:523 EXT:6900

Team

Page 9

WISE-PaaS/Secure Tunnel Portal

V-1.0.2

Page 10

Client Management

① Add client
② Check client details
③ Download the deployment file and install the client (with one command) according to the instructions (Deploy Guide / Deploy File)

Click the mapping created at the client side to go to the mapping page

Page 11

Mapping Management

• Add Client
• Filter by Client and Tunnel type
• Tunnel list, access via external address directly
• Enable or disable Tunnels

Page 12

Cluster Tunnel

After mapping, the config and a Web Kubectl accessible from the internet are provided to facilitate cluster operation and maintenance.

Basic information of the cluster mapping

The config can be checked, copied and downloaded

Page 13

Cluster Tunnel

Use the mapped config to import clusters into ManagementPortal to manage them in a unified manner

Clusters within domain A

Clusters within domain B

Clusters within domain C

Clusters of different domains can be easily managed through Secure Tunnel

Page 14

TCP Tunnel

Internet access address

Credential and private key can be viewed and downloaded

Database connection – remote access to intranet PostgreSQL databases
• Enter the internet access address and port
• SSL: enter the private key and credential downloaded

Through Secure Tunnel, databases created on the intranet can be accessed and managed from the internet

Page 15

HTTPS Tunnel

Access the ManagementPortal set up on an all-in-one edge intelligent server from the internet. Here is an example of a ManagementPortal set up on an all-in-one server.

Intranet address: access from the internet times out when the ManagementPortal intranet address is used

Mapped internet address: access from the internet is granted when the address mapped by Secure Tunnel is used

Manage clusters set up on the intranet and cluster resources by mapping ManagementPortal

Page 16

HTTPS Tunnel

View dashboard monitoring using a notebook via the internet

View dashboard monitoring using a cellphone via the internet

Monitor the mapped dashboard services set up on the intranet anytime, anywhere

Page 17

HTTPS Tunnel

Take the ESM set up on an all-in-one server as an example

Intranet address

Mapped internet address

Services set up on the all-in-one server can be accessed easily from the internet.

The mapped service can access WISE-PaaS/SSO and still supports single sign-on (after logging into the Management Portal, you can directly enter WISE-PaaS/ESM by entering its URL)

Page 18

Co-Creating the Future of the IoT World