WISE-PaaS/Secure Tunnel · 2021. 1. 19. · WISE-PaaS/Secure Tunnel – Easy Intranet Penetration • Remote operation and maintenance at anytime, anywhere • Unified cluster management
Post on 09-Mar-2021
WISE-PaaS/Secure Tunnel Reverse Proxy Service for Enterprise Security
Advantech
WISE-PaaS Core Service
Xi Ren, PM
12/07/2020 v0.1 (English)
Why WISE-PaaS/Secure Tunnel Is Essential?
[Diagram: Domains A, B and C, each with an all-in-one edge intelligent server, reached by Internet users for operation and maintenance over the Internet]
Difficulties:
• Unable to achieve unified operation and maintenance management
• Insecure and vulnerable
• Cluster management is inconvenient due to a shortage of tools capable of mapping clusters
• Intranet alarms cannot be delivered in time, and hence message processing is delayed
• Unable to deploy upgrades across domains
• …
WISE-PaaS/Secure Tunnel – Easy Intranet Penetration
• Remote operation and maintenance anytime, anywhere
• Unified cluster management
• Access intranet services freely via the internet
• Remote alarm monitoring
• Remote application deployment updates
…
[Diagram: WISE-PaaS/Secure Tunnel connecting the all-in-one edge intelligent servers in Domains A, B and C]
Why Choose WISE-PaaS/Secure Tunnel
Enterprise Secure Reverse Proxy Service
Multi-tenant isolation
Secure and reliable
Supports HTTPS protocols and SSL certificates. TCP mapping adopts mTLS for encryption and authentication. SSH mapping adopts a 2048-bit private key for authentication. Only the specific IPs set by users have access to the mapping.
Cross-platform and multi-protocol support
Supports TCP, HTTP, HTTPS and SSH protocols. Supports Windows, Linux and Docker. Clients can be deployed on Kubernetes, virtual machines or physical machines.
Seamless integration
Seamlessly integrates with EnSaaS K8s Service and EnSaaS DB Service. Application services deployed for the WISE-PaaS/IoTSuite all-in-one edge intelligent server, as well as Kubernetes clusters, databases, message-oriented middleware and other clusters in the WISE-STACK private cloud scenario, can be easily managed and maintained remotely through tunnel mapping from the public network. Integrates with WISE-PaaS/SSO to support access and single sign-on by subscription users.
Cost decreasing and benefit increasing
Supports domain name forwarding. The same external port can be used for mapping via domain name, saving the cost of external network IPs and ports.
One-key mapping
K8s services support one-key batch mapping, and services within the cluster can be mapped automatically without manual configuration.
Secure & Controllable Mapping Configuration
Traditional pattern: services are directly exposed to the internet, and the access is insecure. Private network services don't support Internet access or remote operation & maintenance; without tunnel mapping, only intranet access is supported.
Reverse proxy service for enterprise security: intranet services (Web Service, TCP Service, Blobstore) stay behind the Secure Tunnel Client and are reached through TLS encrypted transmission.
• TCP protocol: supports mTLS encryption and certificates
• HTTPS protocol: TLS encrypted transmission
• SSH: certified by a 2048-bit private key
• TCP, HTTP/HTTPS and Web Kubectl for easy cluster operation; one-click batch mapping for cluster services
White-list function: a user IP included in the white-list gets secure traffic forwarding; a user IP not included in the white-list can't access the service by tunnel mapping.
User permission management: a user can only access and operate the client and mapping he/she is authorized to.
[Diagram: Internet users on one side, the Secure Tunnel reverse proxy in the middle, and the intranet services behind the Secure Tunnel Client on the other side]
WISE-PaaS/Secure Tunnel Architecture Diagram
[Diagram: users with an enterprise account reach, through the Secure Tunnel, clients deployed on Kubernetes clusters and Docker, with EnSaaS DB Service, BlobStore and the catalog behind them]
Cross-Platform Deployment: supports multi-tenancy; remote management can be conducted anytime, anywhere through tunnel mapping; domain name forwarding support & cost saving; seamlessly integrated for remote management of the all-in-one edge intelligence server and private cloud.
Remote Service Access: intranet services can be accessed from the Internet; services on the private cloud and edge nodes can be accessed through the tunnel anytime, anywhere.
Remote Cluster Operation & Maintenance
Remote Alarm Monitoring
WISE-PaaS/Secure Tunnel Application Scenario
Remote Cluster Operation & Maintenance: clusters in the intranet can be operated, maintained and managed through the Internet by tunnel. Web kubectl is provided for easy operation of private network Kubernetes clusters.
Remote Database Operation & Maintenance: the database can be accessed from the Internet using the tunnel-mapped domain name; there is no need to configure the IP.
Remote Alarm Monitoring: by tunnel mapping, notifications and alarms from the intranet can be sent to the user via mailbox, WeChat, and so on.
Remote Application Deployment & Update: applications can be deployed on the WISE-STACK Private Cloud and the WISE-PaaS/IoTSuite all-in-one edge intelligence server.
WISE-PaaS/Secure Tunnel Team Contact Window
PM Xi.Ren ren.xi@advantech.com.cn VOIP:523 EXT:6949
SE Wei.Cui cui.wei@advantech.com.cn VOIP:523 EXT:6900
WISE-PaaS/Secure Tunnel Portal
V-1.0.2
Client Management
① Add a client
② Check the client details
③ Download the deployment file (Deploy File) and install the client with one command according to the instructions in the Deploy Guide
Click the mapping created on the client side to go to the mapping page.
Mapping Management
• Add Client
• Filter by client and tunnel type
• Tunnel list: access via the external address directly
• Enable or disable tunnels
Cluster Tunnel
After mapping, a config and a Web Kubectl accessible from the internet are provided to facilitate cluster operation and maintenance.
Basic information of the cluster mapping: the config can be checked, copied and downloaded.
Use the mapped config to import clusters into ManagementPortal to manage them in a unified manner.
[Diagram: clusters within domains A, B and C imported into ManagementPortal through Secure Tunnel]
Clusters of different domains can be easily managed through Secure Tunnel.
TCP Tunnel
The Internet access address is shown, and the credential and private key can be viewed and downloaded.
Database connection (remote access to intranet PostgreSQL databases): enter the Internet access address and port, and under SSL enter the downloaded private key and credential.
Through Secure Tunnel, databases created on the intranet can be accessed and managed from the internet.
HTTPS Tunnel
Access the ManagementPortal set up on an all-in-one edge intelligent server from the internet. Here is an example of a ManagementPortal set up on an all-in-one server.
• Intranet address: access from the internet times out when using the ManagementPortal intranet address.
• Mapped internet address: access from the internet is granted when using the mapped address provided by Secure Tunnel.
Manage clusters set up on the intranet and cluster resources by mapping ManagementPortal.
HTTPS Tunnel
View the dashboard monitoring via the internet using a notebook or a cellphone. Monitor the mapped dashboard services set up on the intranet anytime, anywhere.
HTTPS Tunnel
Take the ESM set up on an all-in-one server as an example: the intranet address is mapped to an internet address. Services set up on the all-in-one server can be accessed easily from the internet.
The mapped service can access WISE-PaaS/SSO and still supports single sign-on (after logging into the Management Portal, you can directly enter WISE-PaaS/ESM by entering its URL).
Co-Creating the Future of the IoT World