2.2 Installing the Cloud Gateway in Microsoft Azure

The AD Bridge Cloud Gateway is used to bridge Linux virtual machines (VMs) in the cloud with the on-premises AD Bridge Gateway and to push universal policies created on the Cloud Gateway to cloud Linux VMs.

To set up the AD Bridge Cloud Gateway:

  1. Install the gatekeeper on a Windows Server 2016 or later VM from your chosen cloud provider.

  2. Install the gateway on an on-premises VM or a cloud VM with access to a managed Directory Services provider such as Amazon Directory Services or Microsoft Entra DS.

  3. If the cloud VM has access to Directory Services, you can install the gateway on the same cloud VM as the gatekeeper.

  4. The gatekeeper VM must have ports 443 and 30 exposed to the Internet.

  5. You can use a managed database like AWS RDS or Azure SQL, or you can install SQL Server on a cloud VM yourself. Installing SQL Server on the same VM as the gatekeeper is acceptable.

  6. Download the AD Bridge installation files from the OpenText Downloads website onto a Windows device.

  7. Extract the contents of the ADBRIDGECLOUD_3.5.zip file.

  8. Open the ServiceConfiguration.Release.cscfg configuration file available in the extracted contents and replace the placeholder values shown in the snippet below (server, user, password, storage account and key, domain, certificate thumbprint, virtual network and subnet names) with the values for your environment:

    <?xml version="1.0" encoding="utf-8"?>
    <ServiceConfiguration serviceName="HAPI.Mvc.Gatekeeper.CloudService" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration" osFamily="6" osVersion="*" schemaVersion="2015-04.2.6">
      <Role name="HAPI.Mvc.Gatekeeper.CloudHost">
        <Instances count="1" />
        <ConfigurationSettings>
          <!-- Fill in the empty Password= and AccountKey= values before deploying. -->
          <Setting name="DatabaseConnection" value="Server=tcp:myserver.database.windows.net,1433;Initial Catalog=ADBridge;Persist Security Info=True;User ID=myuser@myserver;Password=" />
          <Setting name="WildcardDomain" value="your domain name.com" />
          <Setting name="LogStorageConnectionString" value="DefaultEndpointsProtocol=https;AccountName=mystorageaccount;AccountKey=" />
          <Setting name="AzureLogShare" value="ADB" />
          <Setting name="AzureLogDirectory" value="Logs" />
          <Setting name="LoggingLevel" value="Error" />
        </ConfigurationSettings>
        <Certificates>
          <!-- Replace THUMBPRINT_HERE with the SHA-1 thumbprint of your certificate (40 hex digits). -->
          <Certificate name="Certificate1" thumbprint="THUMBPRINT_HERE" thumbprintAlgorithm="sha1" />
        </Certificates>
      </Role>
      <Role name="HAPI.Mvc.Gatekeeper.TraversalWorker">
        <Instances count="1" />
        <ConfigurationSettings>
          <Setting name="DatabaseConnection" value="Server=tcp:myserver.database.windows.net,1433;Initial Catalog=ADBridge;Persist Security Info=True;User ID=myuser@myserver;Password=" />
          <Setting name="LogStorageConnectionString" value="DefaultEndpointsProtocol=https;AccountName=somestorageaccount;AccountKey=" />
          <Setting name="AzureLogShare" value="ADB" />
          <Setting name="AzureLogDirectory" value="Logs" />
          <Setting name="LoggingLevel" value="Error" />
        </ConfigurationSettings>
        <Certificates>
          <Certificate name="Certificate1" thumbprint="THUMBPRINT_HERE" thumbprintAlgorithm="sha1" />
        </Certificates>
      </Role>
      <NetworkConfiguration>
        <VirtualNetworkSite name="Group resource group virtual network" />
        <AddressAssignments>
          <InstanceAddress roleName="HAPI.Mvc.Gatekeeper.CloudHost">
            <Subnets>
              <Subnet name="subnet name" />
            </Subnets>
          </InstanceAddress>
          <InstanceAddress roleName="HAPI.Mvc.Gatekeeper.TraversalWorker">
            <Subnets>
              <Subnet name="subnet name" />
            </Subnets>
          </InstanceAddress>
        </AddressAssignments>
      </NetworkConfiguration>
    </ServiceConfiguration>

  9. Configure your Linux VM:

    1. Install NGINX.

      # yum update

      # reboot

      # yum install epel-release

      # yum install nginx

    2. Install your SSL certificate on the NGINX server.

    3. Copy the cors.include file from the extracted contents to the /etc/nginx directory of the NGINX server.

    4. Copy the nginx.conf file from the extracted contents to the /etc/nginx directory of the NGINX server, replacing the existing version of the file.

    5. Configure the Azure firewall to allow HTTPS (port 443) traffic to the NGINX server.

  10. Open the /etc/nginx/nginx.conf file and replace the placeholder values shown in the snippet below (certificate paths and the role IP addresses) with the values for your environment:

    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;
    
    # Load dynamic modules. See /usr/share/nginx/README.dynamic.
    include /usr/share/nginx/modules/*.conf;
    
    events {
        worker_connections 1024;
    }
    
    http {
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
    
        access_log  /var/log/nginx/access.log  main;
    
        sendfile            on;
        tcp_nopush          on;
        tcp_nodelay         on;
        keepalive_timeout   65;
        types_hash_max_size 2048;
    
        include             /etc/nginx/mime.types;
        default_type        application/octet-stream;
    
        # Redirect every plain-HTTP request to HTTPS.
        server {
            listen       80 default_server;
            listen       [::]:80 default_server;
    
            server_name _;
            return 301 https://$host$request_uri;
        }
    
        server {
            listen       443 ssl http2 default_server;
            listen       [::]:443 ssl http2 default_server;
            # Matches any host name as an optional subdomain ($subdomain) followed by the domain ($domain).
            server_name  ~^(?<subdomain>[^.]+\.)?(?<domain>.+)$;
            root         /usr/share/nginx/html;
    
            # Replace the certificate and key paths in the next two lines with your own.
            ssl_certificate     "/etc/pki/nginx/cert-here.crt";
            ssl_certificate_key "/etc/pki/nginx/cert-here.pem";
            ssl_protocols       TLSv1.2;
    
            # Web console and API paths are proxied to the Cloud Host role.
            location ~* "^/(api|portal|content|scripts|images|swagger)" {
                gzip on;
                gzip_proxied any;
                gzip_types text/html application/json application/javascript text/xml;
                proxy_redirect off;
                proxy_set_header host $host;
                proxy_set_header X-forward-for $proxy_add_x_forwarded_for;
                proxy_set_header X-real-ip $remote_addr;
                include cors.include;
                rewrite ^/(.*) /$1 break;
                proxy_connect_timeout 300;
                proxy_send_timeout 300;
                proxy_read_timeout 300;
                send_timeout 300;
                proxy_pass http://10.1.0.4; # replace with the IP of your Cloud Host role
            }
    
            # WebSocket endpoint, proxied to the Traversal Worker role.
            location /ws {
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
                proxy_redirect off;
                proxy_set_header host $host;
                proxy_set_header X-forward-for $proxy_add_x_forwarded_for;
                proxy_set_header X-real-ip $remote_addr;
                include cors.include;
                proxy_pass https://10.1.0.5/ws; # replace with the IP of your TraversalWorker role
            }
    
            # Routing endpoint, proxied to the Traversal Worker role; responses are never cached.
            location /route {
                proxy_connect_timeout 300;
                proxy_send_timeout 300;
                proxy_read_timeout 300;
                send_timeout 300;
                gzip on;
                gzip_proxied any;
                gzip_types text/html application/json application/javascript text/xml;
                proxy_redirect off;
                proxy_set_header host $host;
                proxy_set_header X-forward-for $proxy_add_x_forwarded_for;
                proxy_set_header X-real-ip $remote_addr;
                proxy_set_header If-Modified-Since "";
                add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
                expires off;
                include cors.include;
                proxy_pass https://10.1.0.5/route; # replace with the IP of your TraversalWorker role
            }
        }
    } 
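Both files above ship with blank secrets and sample values that are easy to leave half-edited. The following script is an added example, not part of the AD Bridge product, that checks a .cscfg (step 8) and an nginx.conf (step 10) for the empty Password= and AccountKey= values, the unreplaced certificate thumbprint, the cert-here certificate paths, the sample role addresses 10.1.0.4 and 10.1.0.5, and any deprecated TLS versions in ssl_protocols. The embedded file contents are constructed miniatures of the two templates; the element and setting names are the ones used in the snippets above.

```python
"""Added pre-deployment check for the .cscfg (step 8) and nginx.conf (step 10) edits."""
import re
import xml.etree.ElementTree as ET

NS = {"sc": "http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration"}
# Secrets that ship blank in the .cscfg and must be filled in before deployment.
SECRET_KEYS = {"DatabaseConnection": "Password", "LogStorageConnectionString": "AccountKey"}
SAMPLE_ADDRS = ("10.1.0.4", "10.1.0.5")  # sample role addresses from the shipped nginx.conf

def lint_cscfg(xml_text):
    """Return the problems left in a ServiceConfiguration .cscfg (empty list = clean)."""
    problems = []
    for role in ET.fromstring(xml_text).findall("sc:Role", NS):
        name = role.get("name")
        settings = {s.get("name"): s.get("value", "")
                    for s in role.findall("sc:ConfigurationSettings/sc:Setting", NS)}
        for key, secret in SECRET_KEYS.items():
            m = re.search(secret + r"=([^;]*)", settings.get(key, ""))
            if not m or not m.group(1):
                problems.append(f"{name}: {key} has an empty {secret}")
        for cert in role.findall("sc:Certificates/sc:Certificate", NS):
            if not re.fullmatch(r"[0-9A-Fa-f]{40}", cert.get("thumbprint", "")):
                problems.append(f"{name}: thumbprint is not a 40-hex-digit SHA-1 value")
    return problems

def lint_nginx(conf_text):
    """Return the problems left in nginx.conf (unreplaced placeholders, weak TLS versions)."""
    problems = []
    if "cert-here" in conf_text:
        problems.append("ssl_certificate/ssl_certificate_key still point at cert-here")
    for addr in SAMPLE_ADDRS:
        if re.search(r"proxy_pass\s+https?://" + re.escape(addr) + r"\b", conf_text):
            problems.append(f"proxy_pass still targets sample address {addr}")
    m = re.search(r"ssl_protocols\s+([^;]+);", conf_text)
    weak = set(m.group(1).split()) & {"SSLv3", "TLSv1", "TLSv1.1"} if m else set()
    if weak:
        problems.append("ssl_protocols enables deprecated " + ", ".join(sorted(weak)))
    return problems

# Constructed miniatures of the two shipped files, placeholders left in place.
CSCFG_TEMPLATE = """<ServiceConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration">
 <Role name="HAPI.Mvc.Gatekeeper.CloudHost"><ConfigurationSettings>
  <Setting name="DatabaseConnection" value="Server=tcp:myserver.database.windows.net,1433;User ID=myuser@myserver;Password=" />
  <Setting name="LogStorageConnectionString" value="DefaultEndpointsProtocol=https;AccountName=mystorageaccount;AccountKey=" />
 </ConfigurationSettings><Certificates><Certificate name="Certificate1" thumbprint="THUMBPRINT_HERE" thumbprintAlgorithm="sha1" /></Certificates></Role>
</ServiceConfiguration>"""
NGINX_TEMPLATE = 'ssl_certificate "/etc/pki/nginx/cert-here.crt";\nssl_protocols TLSv1 TLSv1.2;\nproxy_pass http://10.1.0.4;'
```

Run `lint_cscfg(open(path).read())` and `lint_nginx(open(path).read())` against the edited files; an empty list from both means every placeholder has been replaced.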
    
  11. Copy the compressed web console files to the Linux VM and run the following commands:

    1. Remove the old HTML files:

      # rm -rf /usr/share/nginx/html/*

    2. Extract the web console files:

      # tar -jxvf WebConsole_22472.tar.bz2 -C /usr/share/nginx/html/

    3. Restart the nginx service:

      # systemctl restart nginx

2.2.1 Adding a GoDaddy SSL Certificate

To add a GoDaddy SSL certificate, you must download the certificate, copy it to the agent machine, and manually assign trust to the certificate:

Prerequisite

Download the gdig2.crt.pem certificate from the GoDaddy Repository.

For RHEL 7:

  1. Copy the gdig2.crt.pem and ca-certificates.crt files to /etc/pki/tls/certs.

  2. Type ln -s /etc/pki/tls/certs/gdig2.crt.pem /etc/pki/tls/certs/27eb7704.0 and press Enter.

  3. Type certutil -d sql:/etc/pki/nssdb -A -t "C,C,C" -n "Go Daddy Secure Certificate Authority - G2" -i /etc/pki/tls/certs/gdig2.crt.pem and press Enter.

For RHEL 8 and RHEL 9:

  1. Copy the Go Daddy Secure Certificate Authority - G2.crt and ca-certificates files to /usr/share/pki/ca-trust-source/anchors.

  2. Type update-ca-trust and press Enter.

For SLES 12 and SLES 15:

  1. Copy the Go Daddy Secure Certificate Authority - G2.crt and ca-certificates files to /etc/pki/trust/anchors/.

  2. Type update-ca-certificates and press Enter.

  3. Restart the agent.

For Ubuntu 22, 20 and 18:

  1. Copy the certificate.crt and ca-certificates files to /usr/local/share/ca-certificates/certificate.crt.

  2. Type dpkg-reconfigure ca-certificates and press Enter.