Broker setup examples
The following example illustrates a broker and gateway setup.
There are three networks present: an intranet, a DMZ network and an internet facing network. A firewall between the intranet and the Internet allows outbound connectivity but blocks all inbound connections. A security policy is also in force that does not allow connections to be initiated from the DMZ to the intranet, or from the internet facing network to the DMZ.
Hosts in the Internet Facing network do not have public IP addresses. The internet gateway uses DNAT to map internal IP addresses to public IP addresses, only for the ports needed for specific public services. In this example, the public service is the broker.
The broker requires connectivity to the server, but direct connections from the Internet Facing network to the server are not allowed. A chain of gateways is deployed to allow the broker to connect to the server.
The following tables provide details of the components and settings present in the example environment.
Network name | Server | Broker | Gateway | Controller | Target |
---|---|---|---|---|---|
Intranet | Yes | No | Yes | Yes | Yes |
DMZ | No | No | Yes | No | No |
Internet facing | No | Yes | Yes | No | No |
Internet | No | No | No | No | Yes |
Network name | Subnet Address | Subnet Mask |
---|---|---|
Intranet | 10.1.0.0 | 255.255.255.0 |
DMZ | 10.2.0.0 | 255.255.255.0 |
Internet Facing | 10.3.0.0 | 255.255.255.0 |
Host name | IP address | Roles |
---|---|---|
SERVER.example.com | 10.1.0.2 | TRC server on port 443 |
BROKER1.example.com | 10.3.0.10 | TRC broker on port 8887 |
BROKER2.example.com | 10.3.0.11 | TRC broker on port 8887 |
GATEWAY1.example.com | 10.1.0.254 | TRC gateway |
GATEWAY2.example.com | 10.2.0.254 | TRC gateway on port 8881 |
GATEWAY3.example.com | 10.3.0.254 | TRC gateway on port 8881, inbound tunnel on port 8880 |
CONTROLLER1.example.com | Dynamic IP in 10.1.0.0/24 | TRC controller |
TARGET1.example.com | Dynamic IP in different networks | TRC target on mobile system |
Source | Destination | Port | Description |
---|---|---|---|
10.1.0.254/255.255.255.255 | 10.2.0.254/255.255.255.0 | 8881 | Allow GATEWAY1 to connect to GATEWAY2 |
10.2.0.254/255.255.255.255 | 10.3.0.254/255.255.255.0 | 8881 | Allow GATEWAY2 to connect to GATEWAY3 |
Public DNS Name | Public IP | Private IP | Port |
---|---|---|---|
BROKER1.example.com | 203.0.113.23 | 10.3.0.10 | 8887 |
BROKER2.example.com | 203.0.113.24 | 10.3.0.11 | 8887 |
Broker Configuration
Each broker is configured with:
- Inbound connection for endpoints to connect
- Connection to the server via a gateway
Broker 1 is configured with an additional inbound connection for control connections from broker 2. Broker 2 is configured with a control connection to broker 1.
The following section provides examples of what would be set in the broker and gateway properties files for each of the relevant components.
BROKER1.example.com
```properties
PublicBrokerURL = BROKER1.example.com:8887
ServerURL = https://SERVER.example.com/trc/
ProxyURL = trcgw://GATEWAY3.example.com:8880
DefaultTLSCertificateFile = BROKER1.p12
DefaultTLSCertificatePassphrase = ************************
Inbound1.ConnectionType = Inbound
Inbound1.PortToListen = 8887
Broker2.ConnectionType = Broker
Broker2.DestinationAddress = BROKER2.example.com
Broker2.DestinationPort = 8881
```
BROKER2.example.com
```properties
PublicBrokerURL = BROKER2.example.com:8887
ServerURL = https://SERVER.example.com/trc/
ProxyURL = trcgw://GATEWAY3.example.com:8880
DefaultTLSCertificateFile = BROKER2.p12
DefaultTLSCertificatePassphrase = ************************
Inbound1.ConnectionType = Inbound
Inbound1.PortToListen = 8887
Inbound2.ConnectionType = Inbound
Inbound2.PortToListen = 8881
Inbound2.AllowEndpoints = no
Inbound2.AllowBrokers = BROKER1.example.com
```
Gateway Configuration
GATEWAY1
Gateway 1 is configured with a control connection to gateway 2 and an outbound tunnel connection to the server.
```properties
Gateway2.ConnectionType = Gateway
Gateway2.DestinationAddress = 10.2.0.254
Gateway2.DestinationPort = 8881
Server.ConnectionType = OutboundTunnel
Server.DestinationAddress = 10.1.0.2
Server.DestinationPort = 443
```
GATEWAY2
Gateway 2 is configured with an inbound connection and a control connection to gateway 3.
```properties
Inbound.ConnectionType = Inbound
Inbound.PortToListen = 8881
Gateway3.ConnectionType = Gateway
Gateway3.DestinationAddress = 10.3.0.254
Gateway3.DestinationPort = 8881
```
GATEWAY3
Gateway 3 is configured with an inbound connection for gateway 2 and an inbound tunnel connection on port 8880, which is the endpoint that the brokers' ProxyURL points to.
```properties
Inbound.ConnectionType = Inbound
Inbound.PortToListen = 8881
Server.ConnectionType = InboundTunnel
Server.PortToListen = 8880
```
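As an added example (not part of this documentation or of the product), the following Python script parses the property listings above and checks two things the text requires: that no Gateway, Broker or OutboundTunnel entry initiates a connection in a direction the security policy forbids, and that every such destination has a matching listener on the peer. Subnets and host addresses are taken from the tables; the `Prefix.Key = Value` layout of the properties files is assumed from the listings shown.

```python
import ipaddress
import re

# Constructed from this page's tables: subnets, hosts, and the directions the policy forbids.
NETWORKS = {"Intranet": "10.1.0.0/24", "DMZ": "10.2.0.0/24", "Internet facing": "10.3.0.0/24"}
HOSTS = {"SERVER.example.com": "10.1.0.2", "BROKER1.example.com": "10.3.0.10", "BROKER2.example.com": "10.3.0.11",
         "GATEWAY1.example.com": "10.1.0.254", "GATEWAY2.example.com": "10.2.0.254", "GATEWAY3.example.com": "10.3.0.254"}
FORBIDDEN = {("DMZ", "Intranet"), ("Internet facing", "DMZ")}
# Constructed: the connection entries (Prefix.Key = Value) of each properties file shown on this page.
CONFIGS = {
    "BROKER1.example.com": "Inbound1.ConnectionType = Inbound\nInbound1.PortToListen = 8887\n"
        "Broker2.ConnectionType = Broker\nBroker2.DestinationAddress = BROKER2.example.com\nBroker2.DestinationPort = 8881",
    "BROKER2.example.com": "Inbound1.ConnectionType = Inbound\nInbound1.PortToListen = 8887\n"
        "Inbound2.ConnectionType = Inbound\nInbound2.PortToListen = 8881\nInbound2.AllowBrokers = BROKER1.example.com",
    "GATEWAY1.example.com": "Gateway2.ConnectionType = Gateway\nGateway2.DestinationAddress = 10.2.0.254\nGateway2.DestinationPort = 8881\n"
        "Server.ConnectionType = OutboundTunnel\nServer.DestinationAddress = 10.1.0.2\nServer.DestinationPort = 443",
    "GATEWAY2.example.com": "Inbound.ConnectionType = Inbound\nInbound.PortToListen = 8881\n"
        "Gateway3.ConnectionType = Gateway\nGateway3.DestinationAddress = 10.3.0.254\nGateway3.DestinationPort = 8881",
    "GATEWAY3.example.com": "Inbound.ConnectionType = Inbound\nInbound.PortToListen = 8881\n"
        "Server.ConnectionType = InboundTunnel\nServer.PortToListen = 8880",
}

def parse_properties(text):
    """Group 'Prefix.Key = Value' lines into {prefix: {key: value}}; unprefixed keys are ignored."""
    conns = {}
    for m in re.finditer(r"^\s*(\w+)\.(\w+)\s*=\s*(.+?)\s*$", text, re.M):
        conns.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return conns

def network_of(addr):
    ip = ipaddress.ip_address(HOSTS.get(addr, addr))  # accept a hostname from HOSTS or a raw IP
    return next((n for n, c in NETWORKS.items() if ip in ipaddress.ip_network(c)), "Internet")

def audit(configs):
    """Return a finding for every outbound entry that breaks the policy or has no matching listener."""
    parsed = {h: parse_properties(t) for h, t in configs.items()}
    by_ip = {HOSTS[h]: h for h in parsed}
    findings = []
    for host, conns in parsed.items():
        for name, c in conns.items():
            if "DestinationAddress" not in c:
                continue  # Inbound / InboundTunnel entries initiate nothing
            dst_ip = HOSTS.get(c["DestinationAddress"], c["DestinationAddress"])
            src, dst = network_of(host), network_of(dst_ip)
            if (src, dst) in FORBIDDEN:
                findings.append(f"{host}/{name}: {src} -> {dst} initiation is forbidden by policy")
            peer = parsed.get(by_ip.get(dst_ip), {})  # empty for hosts with no listing here (SERVER)
            if peer and not any(p.get("PortToListen") == c["DestinationPort"] for p in peer.values()):
                findings.append(f"{host}/{name}: nothing listens on {dst_ip}:{c['DestinationPort']}")
    return findings
```

Running `audit(CONFIGS)` on the listings as given returns no findings; adding a gateway entry that points from GATEWAY2 back into the intranet produces both a policy finding and a missing-listener finding.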