CloudConnector Configuration

This section describes the CloudConnector configuration for on-premise scenarios. The CloudConnector allows the Silverback server to be located in a remote, network-separated environment. With the CloudConnector in place, Silverback communicates with your internal servers and services only through the CloudConnector, for example:

  • Active Directory
  • Certification Authority
  • Exchange 

Prerequisites

Accounts & Access

  • Administrative Access on the Server that will host the CloudConnector
  • Administrative Access to Silverback Server
  • Administrative Access to Silverback Management Console
    • Administrator
    • Settings Administrator
  • Matrix42 Account to download the CloudConnector installer

Server

Ensure that your CloudConnector server has at minimum Microsoft .NET Framework 4.7.2 installed and TLS 1.2 activated for communication, and that the following features are installed on the server hosting the CloudConnector. Use Add Roles and Features in Server Manager to install the required features.

Features

  • Windows Server 2022
    • .NET Framework 4.8 Features
      • .NET Framework 4.8
      • ASP.NET 4.8
      • WCF Services
        • TCP Port Sharing
  • Windows Server 2019
    • .NET Framework 4.7 Features
      • .NET Framework 4.7
      • ASP.NET 4.7
      • WCF Services
        • TCP Port Sharing
  • Windows Server 2016
    • .NET Framework 4.6 Features
      • .NET Framework 4.6
      • ASP.NET 4.6
      • WCF Services
        • TCP Port Sharing
  • Windows Server 2012 R2
    • .NET Framework 4.5 Features
      • .NET Framework 4.5
      • ASP.NET 4.5
      • WCF Services
        • TCP Port Sharing
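
The prerequisites above can be checked from an elevated PowerShell session on the CloudConnector server. This is an added example, not part of the vendor documentation or installer; the function name Get-Tls12State is hypothetical.

```powershell
# Added example (not vendor code): prerequisite check for the CloudConnector server.
# Run in an elevated PowerShell session on the server that will host the CloudConnector.

# .NET Framework 4.7.2 or later reports a Release value of 461808 or higher.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$netOk = [bool]($ndp -and $ndp.Release -ge 461808)

# Schannel TLS 1.2 state. With no registry override the operating system default
# applies, and TLS 1.2 is enabled by default on the Windows Server versions listed above.
function Get-Tls12State {
    param([ValidateSet('Client', 'Server')][string]$Side)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\$Side"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $p) { return 'OS default (no override)' }
    if ($p.Enabled -eq 0 -or $p.DisabledByDefault -eq 1) { return 'DISABLED by registry' }
    return 'Enabled by registry'
}

# Feature names as used by Get-WindowsFeature; only the display names carry
# the .NET version that ships with the operating system (4.5 to 4.8).
$featureNames = 'NET-Framework-45-Core', 'NET-Framework-45-ASPNET',
                'NET-WCF-Services45', 'NET-WCF-TCP-PortSharing45'
$features = Get-WindowsFeature -Name $featureNames

[pscustomobject]@{
    DotNetRelease    = $ndp.Release
    DotNet472OrLater = $netOk
    Tls12Client      = Get-Tls12State -Side Client
    Tls12Server      = Get-Tls12State -Side Server
    MissingFeatures  = ($features | Where-Object { -not $_.Installed }).Name -join ', '
} | Format-List
```

An empty MissingFeatures value means all four features are installed.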

Firewall

Ensure that the following ports are open to allow the communication:

Source (from)  | Destination (to)             | Port/Protocol

General
CloudConnector | Silverback                   | 443/tcp
CloudConnector | Domain Controller            | 389,636,3268,3269/tcp
CloudConnector | DNS Server                   | 53/udp, 53/tcp
CloudConnector | Certificate Revocation Lists | 80/tcp

Certificate Distribution
CloudConnector | Domain Controller            | 464/udp, 464/tcp
CloudConnector | Certification Authority      | 443/tcp
CloudConnector | Certification Authority      | Random port above 1023/tcp

Exchange Protection Integration
CloudConnector | Silverback                   | 443/tcp
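
The fixed TCP ports in the table can be tested from the CloudConnector server before installation. This is an added example, not part of the vendor documentation; the host names are placeholders to replace with your own, and the UDP ports and the random Certification Authority port are not covered because Test-NetConnection only tests a named TCP port.

```powershell
# Added example (not vendor code): outbound TCP reachability from the
# CloudConnector server to the destinations in the firewall table.
# All host names below are assumed placeholders; replace them with your own.
$targets = @(
    @{ Name = 'Silverback';                   Server = 'silverback.imagoverum.com'; Ports = @(443) },
    @{ Name = 'Domain Controller';            Server = 'dc01.imagoverum.com';       Ports = @(389, 636, 3268, 3269, 464) },
    @{ Name = 'DNS Server';                   Server = 'dns01.imagoverum.com';      Ports = @(53) },
    @{ Name = 'Certificate Revocation Lists'; Server = 'crl.imagoverum.com';        Ports = @(80) },
    @{ Name = 'Certification Authority';      Server = 'ca01.imagoverum.com';       Ports = @(443) }
)

$results = foreach ($t in $targets) {
    foreach ($port in $t.Ports) {
        # TcpTestSucceeded is $true only when the TCP handshake completes.
        $r = Test-NetConnection -ComputerName $t.Server -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Destination = $t.Name
            Server      = $t.Server
            Port        = "$port/tcp"
            Reachable   = $r.TcpTestSucceeded
        }
    }
}

$results | Format-Table -AutoSize

# Summarise anything a firewall rule still has to allow.
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning "$($blocked.Count) required TCP port(s) are not reachable from this server."
}
```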

Download and Install

Download CloudConnector

  • Open Matrix42 Marketplace
  • Login with your Matrix42 Account 
  • Navigate to Unified Endpoint Management
  • Select Silverback
  • Download your current CloudConnector Version

Install CloudConnector

Perform the installation on the CloudConnector Endpoint Server. 

  • Double Click the CloudConnector executable
  • Proceed with Yes
  • Press Next
  • Select I accept the terms in the license agreement
  • Proceed with Next
  • Click Next
  • Select the number of CloudConnector services you want to install
    • Choose 2 as our recommendation
    • Press Next
  • Click Install
  • Click Finish
  • Open Start Menu
  • Under Recently added you should see CloudConnector Config Generation; this tool is needed later.
  • Proceed with Certificate Generation

Certificate Generation

The CloudConnector requires two public/private key pairs, one for the Silverback server and one for the CloudConnector Client.

CloudConnector

  • Connect to your CloudConnector Server via RDP

Download Tool

For certificate generation, it is important that the files are located under C:\M42Certs\ because the file location is hard-coded in the script.

 
  • Click Extract
  • Double Click M42Certs
  • Navigate to
    • OpenSSL
    • Archive

Generate Certificates

All certificates are generated by default with the password 2secret4you. You can edit the batch file to change the password if needed.

 
  • Double Click CloudConnector-v1.1.bat
  • Enter the following information and proceed with Enter
    • Enter your country code, e.g. DE
    • Enter your company state, e.g. Hessen
    • Enter your company city, e.g. Frankfurt
    • Enter your company name, e.g. Imagoverum
  • Review your information
    • Proceed with 1 
    • If you want to make changes press 2 and proceed 
  • Wait until the process is finished

You can ignore the message WARNING: can't open config file: /usr/local/ssl/openssl.cnf

 
  • When the message Certificate created successfully is shown, press any key

Review Creation

Your folder should now contain a number of new files. The following ones are needed:

  • Client.cer
  • Client.pfx
  • RootRSA.cer
  • RootRSA.pfx 
  • Server.cer
  • Server.pfx

Certificate Overview

Review the following files, to whom they are issued and where they are imported. Proceed with Install Certificates afterwards.

File Name   | Issued to                     | Install Location
Client.cer  | CloudConnector Client         | Silverback Server
Client.pfx  | CloudConnector Client         | CloudConnector Server
RootRSA.cer | Silverback Root Authority     | CloudConnector Server
RootRSA.pfx | Silverback Root Authority     | Silverback Server
Server.cer  | Silverback Tunnel Certificate | CloudConnector Server
Server.pfx  | Silverback Tunnel Certificate | Silverback Server

Install Certificates

Import Certificates

As mentioned above, the certificates and key pairs need to be imported into the corresponding certificate stores on the CloudConnector and Silverback servers.

CloudConnector Server

  • On your CloudConnector Server, import the following certificates
  • Please mark the Private Key for the Client.pfx as exportable

File Name   | Issued to                     | Issued By                 | Certificate Store                                         | Exportable Key
Client.pfx  | CloudConnector Client         | Silverback Root Authority | Local Computer > Personal                                 | Yes
Server.cer  | Silverback Tunnel Certificate | Silverback Root Authority | Local Computer > Personal                                 | No
RootRSA.cer | Silverback Root Authority     | Silverback Root Authority | Local Computer > Trusted Root Certification Authorities   | No

Silverback Server

  • On your Silverback Server, import the following certificates
  • Please mark the Server.pfx and RootRSA.pfx private keys as exportable

File Name   | Issued to                     | Issued By                 | Certificate Store         | Exportable Key
Client.cer  | CloudConnector Client         | Silverback Root Authority | Local Computer > Personal | No
Server.pfx  | Silverback Tunnel Certificate | Silverback Root Authority | Local Computer > Personal | Yes
RootRSA.pfx | Silverback Root Authority     | Silverback Root Authority | Local Computer > Personal | Yes

Network Service

  • Navigate to your CloudConnector Server
    • Right-click the CloudConnector Client Certificate
      • Select All Tasks
      • Click Manage Private Keys
      • Click Add
      • Type Network Service
      • Click Check Names
      • Click OK
    • Uncheck Full Control
    • Click OK
  • Navigate to your Silverback Server
    • Right-click the Silverback Tunnel Certificate
      • Select All Tasks
      • Click Manage Private Keys
      • Click Add
      • Type Network Service
      • Click Check Names
      • Click OK
    • Uncheck Full Control
    • Click OK
    • Right-click the Silverback Root Authority Certificate
      • Select All Tasks
      • Click Manage Private Keys
      • Click Add
      • Type Network Service
      • Click Check Names
      • Click OK
    • Uncheck Full Control
    • Click OK

Configure Silverback

  • Open your Silverback Management Console
  • Login as Settings Administrator
  • Navigate to CloudConnector
  • Configure CloudConnector
    • Enable Send LDAP Request through Tunnel
    • Enable Request Client Certificates through tunnel (optional)
    • Enable Exchange Protection (optional)
    • Add your Client Certificate Thumbprint public key (Silverback Server > Client.cer > CloudConnector Client)
    • Add your Silverback Server Tunnel Certificate private key (Silverback Server > Server.pfx > Silverback Tunnel Certificate)

Make sure to remove spaces from thumbprints, e.g. 259ad790e3485931b489d6bc6d2ebd7401f597bb

 
  • Press Save
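
The import tables and the thumbprint step above can be verified together with the following added example, which is not part of the vendor documentation. It checks that each certificate sits in the store the tables name, with a private key only where the tables call for one, and reads the thumbprints from the certificate store as contiguous hex. It assumes each certificate's subject name equals its Issued to value; the function name Test-TunnelCertificate is hypothetical.

```powershell
# Added example (not vendor code). Run elevated on the server being checked.
function Test-TunnelCertificate {
    param([Parameter(Mandatory)][ValidateSet('CloudConnector', 'Silverback')][string]$Role)

    # Expected store and private-key presence per server, from the import tables.
    # Assumption: the subject name of each certificate equals its "Issued to" value.
    $expected = if ($Role -eq 'CloudConnector') {
        @{ Name = 'CloudConnector Client';         Store = 'My';   Key = $true  },
        @{ Name = 'Silverback Tunnel Certificate'; Store = 'My';   Key = $false },
        @{ Name = 'Silverback Root Authority';     Store = 'Root'; Key = $false }
    } else {
        @{ Name = 'CloudConnector Client';         Store = 'My';   Key = $false },
        @{ Name = 'Silverback Tunnel Certificate'; Store = 'My';   Key = $true  },
        @{ Name = 'Silverback Root Authority';     Store = 'My';   Key = $true  }
    }

    foreach ($e in $expected) {
        $found = @(Get-ChildItem -Path "Cert:\LocalMachine\$($e.Store)" |
            Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $e.Name })
        if ($found.Count -eq 0) {
            [pscustomobject]@{ Certificate = $e.Name; Store = $e.Store; Status = 'MISSING'
                               Issuer = $null; NotAfter = $null; Thumbprint = $null }
            continue
        }
        foreach ($c in $found) {
            # A private key where the tables expect none (for example the root
            # key on the CloudConnector server) is reported, not just a missing one.
            $status = if ($c.HasPrivateKey -eq $e.Key) { 'OK' } elseif ($c.HasPrivateKey) {
                'UNEXPECTED private key' } else { 'Private key missing' }
            [pscustomobject]@{
                Certificate = $e.Name
                Store       = $e.Store
                Status      = $status
                Issuer      = $c.GetNameInfo('SimpleName', $true)   # expected: Silverback Root Authority
                NotAfter    = $c.NotAfter
                Thumbprint  = $c.Thumbprint                          # hex without spaces
            }
        }
    }
}

# Use -Role Silverback on the Silverback server.
Test-TunnelCertificate -Role CloudConnector | Format-Table -AutoSize
```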

Restart Services

  • Open PowerShell with Administrator Privileges
  • Type: restart-service w3svc,silv*,epic*,mat* 
  • Press Enter
  • Wait until all services have been restarted

Create Configuration

  • Navigate to your CloudConnector Server
  • Open Start Menu
  • Under Recently added you should see CloudConnector Config Generation
  • Confirm with Yes
  • Paste your Silverback Tunnel URL

You can find the Tunnel URL in your Silverback Management Console under Settings Admin > CloudConnectors.

 
  • Click the certificate button next to Client Certificate Thumbprint (private key)
    • Select your CloudConnector Client Certificate
    • Click OK
  • Disable Certificate Pinning
  • Click the certificate button next to Silverback Server Tunnel Certificate (public key)
    • Select your Silverback Tunnel Certificate
    • Click OK
  • Disable Encrypt Config Files
  • Click Export
    • Click Make New Folder
    • Name it e.g. Configuration Files
    • Click OK
    • Confirm with OK
  • In File Explorer, open the following path
    • Configuration Files\SilverbackConfigs\srv\CloudConnector Client
    • Copy the following file SilverbackMDM.SilverBack.Service.CCClient.exe.config 
    • Paste the file into the following path C:\Program Files (x86)\Matrix42\CloudConnector\Service

Start Service

  • Open Services MMC
  • Start Silverback CloudConnector Service 1
  • Start Silverback CloudConnector Service 2

Check Connection

Silverback

  • Open your Silverback Management Console 
  • Login as Administrator
  • Navigate to Admin
  • Select CloudConnectors
  • You should now see your running CloudConnectors here

Monitoring

If you are running Silverback 21.0 or older, use the adjusted URL: https://silverback.imagoverum.com/tunnel/TunnelInfo or press the CloudConnectors Monitoring link to open the CloudConnector Logs for reviewing Clients, Traffic and Errors.

 
  • Open the Log section by clicking the Log icon next to your account name
  • Now press CloudConnector
    • Select Connectors to review your connected clients
    • Select Traffic to review Traffic Logs and Errors

Configure Active Directory

  • Logout as Administrator
  • Login as Settings Administrator

Add Active Directory

  • Login as Settings Administrator
  • Navigate to LDAP
  • Configure your LDAP Connection
    • Enter your LDAP Server IP Address or FQDN (e.g. dc01.imagoverum.com)
    • Enter your LDAP Lookup Username
    • Enter your LDAP Lookup Password
  • Press Check LDAP Connection
    • You should see the confirmation that the LDAP server is available
  • Click Save
  • Click OK

Restart Services

  • On your Silverback Server, restart services
    • restart-service w3svc,silv*,epic*,mat*
  • Navigate back to your CloudConnector Server instance
  • Restart Silverback CloudConnector Services

Check Login