Setup Interface Gateway


 

General information

The ticketing system has two secure connection options between the cloud application and the local bMS:

a standard hybrid connection service from MS Azure (further information on the technology used, e.g. at: https://docs.microsoft.com/de-de/azure/app-service/app-service-hybrid-connections)

bConnect baramundi Gateway

 

Both options can be configured at the same time; if the bConnect baramundi Gateway is activated, the system prefers it.

Requirement for the interface

A bMS installation with an available bConnect interface, version 2.0, reachable via https.

Using Azure Hybrid Connection: installation of the Microsoft standard tool "Azure Hybrid Connection Manager" (HCM), which manages the secure connection on the local side.
Download link HCM: <DOWNLOAD-LINK>

Using baramundi Gateway: a suitably installed and configured baramundi Gateway.

Security aspects of the interface

Using Azure Hybrid Connection

Azure Hybrid Connection Manager (HCM) provides secure access to on-premises systems and services.

The feature does not require an endpoint on the customer network that is accessible via the Internet.

No inbound connection is made from the Internet; instead, the local tool (HCM) opens an outbound connection to Azure.

Each hybrid connection corresponds to a single host:port combination.

   - Only https calls to the specified hostname are possible (port 443).

HCM performs https calls to Azure only.

   - A WebSocket connection encrypted with TLS 1.2 is established.

In addition, an individual security key is generated on the ticketing system side for each customer instance, which is used for the connection with Azure.

Optionally, the server certificate of the bConnect interface can be specified as well. The ticketing system then checks, for each call to the bConnect interface, whether the presented certificate matches the stored one.

 

Using bConnect baramundi Gateway

The gateway server must be accessible via the Internet

Access is relayed via the baramundi Gateway and is secured with certificates

Only https calls to the specified gateway hostname are possible (port 443).

Authorization is handled through security profiles that are assigned directly to client certificates.

   - The security profiles are linked to specific certificates; a Public Key Infrastructure (PKI) is not necessary.

The client certificate is exported to a PKCS #12 (.PFX) file and stored in the ticketing system settings

The ticketing system then checks, for each call to the bConnect interface, whether the client certificate matches.

Interface setup and update

Preliminary notes

It makes sense to first create/import the persons (end users who are to be assigned to assets), so that the "primary users" from bMS can be assigned directly to the asset during the endpoint import (identified by the matching e-mail address or login name of a person). Otherwise, manual assignments would have to be made afterwards. The primary user is entered in a separate field on the asset form and is also automatically added to the list of people assigned to the asset.

The imports block the server of the ticketing system. During this time no user can work; users see an "hourglass"/freeze and, depending on the import runtime, may run into a time-out.

   - The import can take a long time, especially with many endpoints (reference system with 750 endpoints: approx. 20 minutes).

   - The admin should never perform imports, especially asset imports, without notice during normal working hours. If possible, schedule imports outside of regular working hours.

Setup Guide - Azure Hybrid Connection

(1) In the administration area "bMS interface":

Enter the FQDN (Fully Qualified Domain Name) of the bMS or specifically of the bConnect interface (as accessible from the intranet) in the "Hostname" field.

Enter the interface user and password (not yet required for the actual interface setup, only later for imports/job execution).

Optionally upload a server certificate if a web server certificate is available for the bConnect interface.

If a certificate is specified, only this server is trusted; without one, all servers are trusted.

All public certificate formats (i.e. files containing the public key) that the Windows certificate manager supports are also supported here.

Close the form dialog with "OK" to save the data.
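The optional server certificate above acts as a pin: once it is uploaded, the ticketing system only trusts the bConnect server that presents exactly this certificate, and without it every server is trusted. Before uploading, it is worth confirming that the file you have really is the certificate the bConnect host presents, otherwise every call will fail after the change. The following PowerShell script is an added example and not part of the page or of baramundi's tooling; it connects to the bConnect hostname, reads the certificate the server actually presents, and compares its thumbprint with the local file. The hostname and file path in the usage line are placeholders.

```powershell
# Added example (not from the page or from baramundi): inspect the certificate the
# bConnect host presents and compare it with the file intended for upload.
function Get-RemoteServerCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # The callback accepts any certificate only so that we can read it out; this
        # helper connection is used for inspection, not for exchanging data.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        # Copy into an X509Certificate2 so the object survives closing the connection.
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        $tcp.Dispose()
    }
}

function Test-PinnedServerCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,        # FQDN entered in the "Hostname" field
        [Parameter(Mandatory)][string]$PinnedCertPath   # .cer/.crt file you plan to upload
    )
    # The constructor reads DER as well as Base64-encoded public certificate files.
    $pinned = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PinnedCertPath)
    $remote = Get-RemoteServerCertificate -HostName $HostName

    # The thumbprint (SHA-1 hash of the encoded certificate) identifies one specific
    # certificate, so an equal thumbprint means the pin will hold for this server.
    [pscustomobject]@{
        HostName         = $HostName
        RemoteSubject    = $remote.Subject
        RemoteThumbprint = $remote.Thumbprint
        PinnedThumbprint = $pinned.Thumbprint
        Match            = ($remote.Thumbprint -eq $pinned.Thumbprint)
        RemoteExpiresOn  = $remote.NotAfter
    }
}

# Usage (placeholder values): run from a machine on the intranet that can reach bConnect.
# Test-PinnedServerCertificate -HostName 'bms.intranet.example' -PinnedCertPath 'C:\certs\bconnect-server.cer'
```

A result with Match set to $false means the file is not the certificate the server presents (for example an old certificate after a renewal); upload it only once the thumbprints agree. RemoteExpiresOn tells you when the pinned certificate will have to be replaced in the interface settings.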

 

[Screenshot: bMS_Schnittstelle1_b]

 

For all changes to the FQDN or certificate, the users in the "Administrator - Full" group receive a notification in the system as soon as the interface is set up and the connection string is generated/updated (this can currently take up to one working day). The data that was saved last is always used for the connection.

The notification is displayed in the so-called "notification window", which opens as a separate table list as soon as new messages are available or there are still unread messages. The notification list is updated approx. every 15 minutes. The notification window can be opened and updated manually via the general settings menu.

 

[Screenshot: bMS_Schnittstelle7]

 

[Screenshot: bMS_Schnittstelle6]

 

 

(2) Azure Hybrid Connection Manager setup (version 02/2021)

Install Azure Hybrid Connection Manager (HCM) on a local server that has access to the bConnect interface. This server must have internet access, but does not have to be accessible from the internet.

Click on "Enter Manually" and copy the complete connection string into the corresponding field, confirm with "Add".

The connection is established. The overview list must show "Connected".

In case of problems with the connection setup, please also refer to the chapter "Troubleshooting".

 

[Screenshot: bMS_Schnittstelle2_b]

(3) In the administration area "bMS Interface":

Test connection: the "Test connection" button calls the baramundi server and, if successful, returns the bMS version number. Success means the system can be reached via the interface, regardless of whether the bConnect user/password is correct.

Provided that the bConnect user has the correct permissions from baramundi, the interface is now ready for use and jobs and endpoints defined in bMS can be imported via the prepared import jobs.

The respective job state is displayed in the list below it.

Recommendation: The import of jobs should be executed first, as it is completed in 1-2 minutes depending on the number of jobs and currently also serves as an additional test.

Note: During the import, the ticketing system is locked. The asset import in particular can take a long time depending on the number of endpoints and the internet connection (approx. 20 min. for 750 endpoints). It is therefore advisable to plan/start it outside working hours.

 

[Screenshot: bMS_Schnittstelle3_b]

 

 

Furthermore, it is possible to define automatic import intervals for the import of endpoints/assets or jobs (daily, weekly).

The number of imports is currently limited to three per import type.

 

Setup Guide - bConnect baramundi Gateway

This guide assumes that

the baramundi Gateway has been configured and is accessible from the Internet

the client certificate has been created and assigned to the corresponding security profile in bMS

 

(1) Exporting the client certificate to a file (e.g. using MMC)

 

Microsoft Management Console (MMC) > Snap-In "Certificates":

1. Right-click the certificate and select "All tasks > Export…" to open the Certificate Export Wizard.

2. After clicking through the Wizard's welcome page, make sure that the option "Yes, export the private key" is selected and click "Next".

3. Choose the format for the exported certificate (here, a PKCS #12-encoded .PFX file). Make sure to check the boxes to include all certificates in the certification path and to export all extended properties, then click "Next".

4. You will be prompted for a password to protect this certificate. Create and confirm your password, then click "Next".

   - Please keep this password in mind, as you will need it later.

5. Select the name and location of the file you are exporting. You may browse to a location you prefer; make sure to save the file with the .pfx extension. Then click "Next".

6. Review the information. If everything looks correct, click "Finish".

7. You will receive confirmation that the export was successful.
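The same export can be done without clicking through MMC, which is convenient when the certificate has to be re-exported after a renewal. The following PowerShell script is an added example and not part of the page or of baramundi's tooling; it uses the Export-PfxCertificate cmdlet that ships with Windows and mirrors the wizard options above (private key included, full chain). The subject filter and output path are placeholders, and the script assumes the certificate is in the current user's personal store (use Cert:\LocalMachine\My if it was created for the machine).

```powershell
# Added example (not from the page or from baramundi): export the client certificate
# as a PKCS #12 (.pfx) file from the command line. Subject and path are placeholders.
param(
    [string]$SubjectFilter = 'CN=ticketing-bconnect-client',   # placeholder: subject of the client certificate
    [string]$OutFile       = 'C:\certs\bconnect-client.pfx'     # placeholder: where to write the .pfx
)

# 1. Find the certificate and insist on a private key: a .pfx without the private
#    key cannot be used by the ticketing system to authenticate against the gateway.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like "*$SubjectFilter*" -and $_.HasPrivateKey } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1
if (-not $cert) {
    throw "No certificate with a private key found for subject filter '$SubjectFilter'."
}

# 2. Ask for the protection password interactively so it is never stored in a script.
$password = Read-Host -Prompt 'Password to protect the .pfx file' -AsSecureString

# 3. Export including the whole chain, matching the wizard's "export the private key"
#    and "include all certificates in the certification path" options. The export
#    fails if the key was generated as non-exportable; the certificate then has to be
#    re-issued with an exportable key.
$null = New-Item -ItemType Directory -Path (Split-Path -Parent $OutFile) -Force
Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $password -ChainOption BuildChain | Out-Null

# 4. Show what was written so subject and validity can be checked before uploading.
[pscustomobject]@{
    File       = $OutFile
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    ValidFrom  = $cert.NotBefore
    ValidTo    = $cert.NotAfter
}
```

Treat the resulting file like a credential: it contains the private key that the gateway's security profile trusts, so delete local copies once the file has been uploaded into the ticketing system settings.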

 

(2) In the administration area "bMS interface"

 

1. Select the "Use baramundi Gateway" checkbox.

   - If you deselect this checkbox, Azure Hybrid Connection will be used after saving the settings, if configured.

2. Enter the FQDN (Fully Qualified Domain Name) of the Gateway (as accessible from the internet) in the "FQDN baramundi Gateway" field.

3. Open the web form "Client Certificate".
   [Screenshot: bConnectCloud_WebHilfe_EN_Screenshot_01]

4. Upload the certificate file to the "Attachment" field.

5. Enter the password you noted earlier in the "Password" field.

6. Save the changes by clicking on the "Save" button.
   [Screenshot: bConnectCloud_WebHilfe_EN_Screenshot_02]

   a. If saved successfully, the "Subject", "Valid from" and "Valid to" fields show the current values.
   [Screenshot: bConnectCloud_WebHilfe_EN_Screenshot_03]

7. Close the form "Client Certificate" with the "OK" button; you will be redirected to the previous form.

8. Click the "Save and close" button to save the settings.
   [Screenshot: bConnectCloud_WebHilfe_EN_Screenshot_04]

 

Important:

Please note the validity of the certificate and plan to renew it in good time. An expired certificate will impair the function of the interface.
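Because an expired client certificate silently breaks the interface, the renewal date should be checked regularly rather than remembered. The following PowerShell function is an added example and not part of the page or of baramundi's tooling; it reads the exported .pfx file back, confirms that it still carries the private key, and reports the remaining validity so it can be run from a scheduled task and raise an alert before the "Valid to" date. The file path, password handling and 30-day warning threshold are placeholders.

```powershell
# Added example (not from the page or from baramundi): report the validity of the
# client certificate stored in a .pfx file. Path and threshold are placeholders.
function Get-ClientCertificateStatus {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password,
        [int]$WarnDays = 30   # placeholder: how many days before expiry to start warning
    )
    # Load the PKCS #12 file with its password; this reads the same fields the
    # "Subject", "Valid from" and "Valid to" boxes in the web form display.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $Password)

    $now      = Get-Date
    $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)

    # Classify so a scheduled task can alert on anything other than 'OK'.
    $state = if ($now -lt $cert.NotBefore)   { 'NotYetValid' }
             elseif ($daysLeft -lt 0)        { 'Expired' }
             elseif ($daysLeft -le $WarnDays) { 'RenewSoon' }
             else                             { 'OK' }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey   # must be $true, otherwise the export was done without the key
        ValidFrom     = $cert.NotBefore
        ValidTo       = $cert.NotAfter
        DaysLeft      = $daysLeft
        State         = $state
    }
}

# Usage (placeholder values): prompt for the password you set during the export.
# $pw = Read-Host -Prompt 'PFX password' -AsSecureString
# Get-ClientCertificateStatus -PfxPath 'C:\certs\bconnect-client.pfx' -Password $pw -WarnDays 30
```

When the state changes to RenewSoon, issue the new client certificate, assign it to the security profile in bMS, export it and upload the new file in the "Client Certificate" form before the old one reaches its "Valid to" date, so the interface keeps working without interruption.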