In a standard overlay network, vEdge routers initiate direct connections to the Viptela controllers—the vManage NMSs and vSmart controllers—over which they exchange control plane information. Because vEdge routers are typically located in branch sites and hence access the Viptela controllers over the internet, the result is that vManage NMSs and vSmart controllers have connections directly to the internet. If, for security or other reasons, you do not want these devices to have direct internet connections, you can insert a reverse proxy between the Viptela controllers and the vEdge routers. The reverse proxy acts as an intermediary to pass control traffic between the Viptela controllers and the vEdge routers. So instead of communicating directly with the vManage NMSs and the vSmart controllers, the vEdge routers communicate directly with the intermediate proxy device, and the proxy device relays the traffic to and from the vManage and vSmart controller devices.
The following figure illustrates a reverse proxy inserted between a vEdge router and the vSmart and vManage controllers.
The figure shows a network architecture that comprises two areas, one with no internet access and a second with internet access. The vSmart controllers and vManage NMSs are located in the area with no access to the internet, and the reverse proxy device, along with the vBond orchestrator, is located in the area with internet access. All communication between the branch routers and the vSmart and vManage devices goes through the reverse proxy intermediary, and all communication between the routers and the vBond orchestrator occurs directly over a public internet connection, which is the standard overlay network behavior. The solid green lines in the figure illustrate these connections. Control plane traffic, indicated by the dashed blue lines, flows directly between the vSmart, vManage, and vBond devices.
For reverse proxy to work, you map the private IP address and port number of the vSmart controller and vManage NMS to a proxy IP address and port number. The private IP address is the IP address of the device's transport interface in VPN 0. The default TLS private port number is 23456. The proxy IP address and port number are values that you select and configure on the reverse proxy device.
The vManage pushes the private IP addresses and port numbers and their proxy mappings to the vBond orchestrator. When a vEdge router joins the overlay network and requests the IP addresses of the overlay network controller devices, the vBond orchestrator sends the mapped proxy addresses and port numbers of all registered controllers. Thus, the vEdge router connects to the reverse proxy instead of to the controllers directly.
To enable reverse proxy in the overlay network:
- Enable the reverse proxy functionality on the vManage NMS.
- Provision certificates on the proxy.
- Configure reverse proxy on vManage and vSmart controllers, defining the mapping between private IP addresses and port numbers and proxy IP addresses and port numbers.
- On vManage and vSmart controllers, configure the control transport protocol to be TLS.
Enable Reverse Proxy Functionality
To enable reverse proxy functionality in the overlay network:
1. In vManage NMS, select the Administration ► Settings screen.
2. In the Reverse Proxy bar, click Edit.
3. Click Enabled.
4. Click Save.
Provision Certificates on the Proxy
For reverse proxy to work, the reverse proxy device and the vEdge routers must authenticate each other.
On the reverse proxy device you must provision a certificate that is signed by the same CA with which the Viptela controller's certificate is signed.
On the reverse proxy, you also need to provision the vManage certificate bundle exported from the vManage NMS. This certificate is used by the reverse proxy to verify the vEdge routers. To do this:
1. In vManage NMS, select the Configuration ► Certificates screen.
2. Click Controllers in the top bar.
3. Click Export Root Certificate in the top bar.
Configure Reverse Proxy on Controllers
To configure reverse proxy on individual vManage NMS and vSmart controller devices:
1. In vManage NMS, select the Configuration ► Devices screen.
2. Click the Controllers tab.
3. For the desired device, click the More Actions icon to the right of the row, and click Add Reverse Proxy. The Add Reverse Proxy popup is displayed.
4. Click Add Reverse Proxy.
5. Configure the private IP address and port number for the device. The private IP address is the IP address of the transport interface in VPN 0. The default port number is 12346. This is the port used to establish the connections that handle control and traffic in the overlay network.
6. Configure the proxy IP address and port number for the device, to create the mapping between the private and public IP addresses and port numbers.
7. If the vManage NMS or vSmart controller has multiple cores, repeat Steps 5 and 6 for each core.
8. Click Add.
9. In the Security feature configuration template for the vManage NMS and the vSmart controller, set the transport protocol to be TLS.
To display a device's private and proxy (public) IP addresses and port numbers, in the vManage Monitor ► Network screen, select the device, click Real Time, and select the Control Connections command. To display these IP addresses and port numbers in the CLI, issue the show control local-properties command.
To verify the mapping between the private and proxy IP addresses and port numbers, issue the show orchestrator reverse-proxy-mapping command on the vBond orchestrator.
In the output of the show control connections command on a vEdge router, if the Proxy column value is Yes, the Peer Public IP and Peer Public Port fields show the proxy IP address and port number, respectively, and the output indicates that the connection to the controller device is through the proxy.
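The mapping mechanism described above (one private VPN 0 endpoint per controller core mapped to a proxy endpoint, with vBond advertising only the proxy side to vEdge routers) and the two verification steps (the reverse-proxy mapping on vBond, and the Proxy / Peer Public IP / Peer Public Port fields on a vEdge router) can be modelled to check a planned configuration before it is pushed. The following is an added example and not Viptela code: the controller names, addresses, port numbers and core layout are constructed, and the check_peer method assumes you have already read the Proxy, Peer Public IP and Peer Public Port values from the router's show control connections output yourself.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default TLS control port stated on the page.
DEFAULT_TLS_PORT = 23456


@dataclass(frozen=True)
class Endpoint:
    """An IP address / port pair."""
    ip: str
    port: int

    def __str__(self) -> str:
        return f"{self.ip}:{self.port}"


class ReverseProxyMapping:
    """Table of private (VPN 0 transport) endpoint -> proxy endpoint.

    One entry per controller core. vManage pushes this table to vBond, and
    vBond answers a joining vEdge router with the proxy side only.
    """

    def __init__(self) -> None:
        self._forward: Dict[Endpoint, Endpoint] = {}  # private -> proxy
        self._owner: Dict[Endpoint, str] = {}         # private -> controller

    def add(self, controller: str, private: Endpoint, proxy: Endpoint) -> None:
        # Each private endpoint (one controller core) maps to exactly one proxy endpoint.
        if private in self._forward:
            raise ValueError(f"private endpoint {private} already mapped")
        # Two cores sharing one proxy endpoint would leave the proxy unable to
        # tell which controller core a vEdge session should be relayed to.
        if proxy in self._forward.values():
            raise ValueError(f"proxy endpoint {proxy} already in use")
        self._forward[private] = proxy
        self._owner[private] = controller

    def resolve(self, private: Endpoint) -> Optional[Endpoint]:
        """Proxy endpoint for a controller core, or None if it is unmapped."""
        return self._forward.get(private)

    def advertised_to_vedge(self) -> Dict[str, List[Endpoint]]:
        """What vBond hands out: per controller, the proxy endpoints only."""
        out: Dict[str, List[Endpoint]] = {}
        for private, proxy in self._forward.items():
            out.setdefault(self._owner[private], []).append(proxy)
        return out

    def missing_cores(self, expected_cores: Dict[str, int]) -> Dict[str, int]:
        """Controllers with fewer mapped entries than cores (one entry per core is required).

        Returns {controller: number of cores still unmapped}.
        """
        counts: Dict[str, int] = {}
        for private in self._forward:
            name = self._owner[private]
            counts[name] = counts.get(name, 0) + 1
        return {
            name: n - counts.get(name, 0)
            for name, n in expected_cores.items()
            if counts.get(name, 0) < n
        }

    def check_peer(self, peer_public: Endpoint, via_proxy: bool) -> bool:
        """Cross-check one row of a vEdge router's control connections.

        With Proxy = Yes the peer public endpoint must be one of the configured
        proxy endpoints; with Proxy = No it must be a controller's private
        endpoint, i.e. a direct connection that is not going through the proxy.
        """
        if via_proxy:
            return peer_public in self._forward.values()
        return peer_public in self._forward


def build_sample_mapping() -> ReverseProxyMapping:
    """Constructed sample: a two-core vSmart and a one-core vManage behind one proxy host."""
    m = ReverseProxyMapping()
    # Constructed addresses; the second vSmart core is given its own private and proxy port.
    m.add("vsmart-1", Endpoint("10.0.0.11", DEFAULT_TLS_PORT), Endpoint("203.0.113.10", 23456))
    m.add("vsmart-1", Endpoint("10.0.0.11", 23556), Endpoint("203.0.113.10", 23556))
    m.add("vmanage-1", Endpoint("10.0.0.20", DEFAULT_TLS_PORT), Endpoint("203.0.113.10", 23656))
    return m


if __name__ == "__main__":
    mapping = build_sample_mapping()
    for controller, proxies in mapping.advertised_to_vedge().items():
        print(controller, "->", ", ".join(str(p) for p in proxies))
    # Flag a vManage that was built with two cores but only one mapping entry.
    print("unmapped cores:", mapping.missing_cores({"vsmart-1": 2, "vmanage-1": 2}))
```

The missing_cores check is the programmatic form of the "repeat for each core" step: a core without a mapping entry is one that vBond never advertises, so routers can only reach it directly, which is exactly the exposure the reverse proxy is meant to remove. check_peer is the same cross-check the show control connections output gives you, applied to all of a router's rows at once.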
Have vEdge Router Generate Certificate
After you configure reverse proxy on the overlay network controllers, any vEdge router that joins the overlay network or that is already operating in the overlay network requires a signed certificate to establish a secure connection to the proxy device. The process for generating the signed certificate is initiated automatically by the vEdge router as soon as it learns that reverse proxy is enabled in the network, and the vEdge router receives a signed certificate that it uses to establish a secure connection to the reverse proxy device.
To view the signed certificate, issue the show certificate reverse-proxy command on the vEdge router.
Introduced in vManage NMS in Release 18.2.