Cloud Connector Guide II: On-Premise Customers
Cloud Connector Configuration
This section describes the cloud connector configuration for On-Premise Scenarios. The Cloud Connector ensures for the Silverback server to be located in a remote and network separated environment. With the Cloud Connector in place, Silverback can establish a direct communication only through the Cloud Connector to your internal servers and services like:
- Active Directory
- Certification Authority
- Exchange
Prerequisites
Accounts & Access
- Administrative Access on the Server that will host the Cloud Connector
- Administrative Access to Silverback Server
- Administrative Access to Silverback Management Console
- Administrator
- Settings Administrator
- Matrix42 Account to download the Cloud Connector installer
Server
Ensure that your Cloud Connector Server must have installed at minimum Microsoft .NET Framework 4.7.2 and has TLS 1.2 activated for communication and ensure that the following Features are installed on the hosting cloud connector server. Use Add Roles and Features inside the Server Manager to install the required features.
Windows Server 2022 | Windows Server 2019 | Windows Server 2016 | Windows Server 2012 R2 | |
---|---|---|---|---|
Features |
|
|
|
|
Firewall
Ensure that the following port are open to ensure the communication:
Source (from) | Destination (to) | Port/Protocol |
---|---|---|
General | ||
Cloud Connector | Silverback | 443/tcp |
Cloud Connector | Domain Controller | 389,636,3268,3269/tcp |
Cloud Connector | DNS Server | 53/udp, 53/tcp |
Cloud Connector | Certificate Revocation Lists | 80/tcp |
Certificate Distribution | ||
Cloud Connector | Domain Controller | 464/udp,464/tcp |
Cloud Connector | Certification Authority | 443/tcp |
Cloud Connector | Certification Authority | Random Port above 1023 /tcp |
Exchange Protection Integration | ||
Cloud Connector | Silverback | 443/tcp |
Download and Install
Download Cloud Connector
- Open Matrix42 Marketplace
- Login with your Matrix42 Account
- Navigate to Unified Endpoint Management
- Select Silverback
- Download your current Cloud Connector Version
Install Cloud Connector
Perform the installation on the Cloud Connector Endpoint Server.
- Double Click the Cloud Connector executable
- Process with Yes
- Press Next
- Select I accept the terms in the license agreement
- Proceed with Next
- Click Next
- Select the number of Cloud Connector services you want to install
- Choose 2 as our recommendation
- Press Next
- Click Install
- Click Finish
- Open Start Menu
- Under recently added you should Cloud Connector Config Generation, we will need this tool later.
- Proceed with Certificate Generation
Certificate Generation
The cloud connector requires two public/private key-pairs, one for the Silverback server and one for the Cloud Connector Client
Cloud Connector
- Connect to your Cloud Connector Server via RDP
Download Tool
- Download Matrix42 Cloud Connector Tool.zip
- Perform a right click on Matrix42 Cloud Connector Tool.zip
- Select Extract All
- Change the Destination path to C:\
For certificate generation its important that the files are located under C:\M42Certs\ due to a hard coded file location within the script
- Click Extract
- Double Click M42Certs
- Navigate to
- OpenSSL
- Archive
Generate Certificates
All certificates will generated by default with the Password 2secret4you. You can edit the batch file to change the password if needed.
- Double Click CloudConnector-v1.1.bat
- Enter the following information and proceed with Enter
- Enter your country code, e.g DE
- Enter your company state, e.g. Hessen
- Enter your company city, e.g. Frankfurt
- Enter your company name, e.g. Imagoverum
- Review your information
- Proceed with 1
- If you want to make changes press 2 and proceed
- Wait until the process is finished
You can ignore WARNING: can't open config file: /usr/local/ssl/openssl.cnf
- When the Certificate created successfully information is shown, press any key
Review Creation
In your folder you should see now a bunch of new files. The following ones will be needed:
- Client.cer
- Client.pfx
- RootRSA.cer
- RootRSA.pfx
- Server.cer
- Server.pfx
Certificate Overview
Review the following files and to whom they are issued and where to import them. Proceed with Install Certificates afterwards.
File Name | Issued to | Install Location |
---|---|---|
Client.cer |
Cloud Connector Client |
Silverback server |
Client.pfx |
Cloud Connector Client |
Cloud Connector Server |
RootRSA.cer |
Silverback Root Authority |
Cloud Connector Server |
RootRSA.pfx |
Silverback Root Authority |
Silverback Server |
Server.cer |
Silverback Tunnel Certificate |
Cloud Connector Server |
Server.pfx |
Silverback Tunnel Certificate |
Silverback Server |
Install Certificates
Import Certificates
As mentioned above we need to import the pairs or certificates into the corresponding Certificate Stores on Cloud Connector and Silverback server.
Cloud Connector Server
- On your Cloud Connector Server, import the following certificates
- Please mark the Private Key for the Client.pfx as exportable
File Name | Issued to | Issued By | Certificate Store | Exportable Key |
---|---|---|---|---|
Client.pfx | Cloud Connector Client | Silverback Root Authority | Local Computer > Personal | Yes |
Server.cer | Silverback Tunnel Certificate | Silverback Root Authority | Local Computer > Personal | No |
RootRSA.cer | Silverback Root Authority | Silverback Root Authority | Local Computer > Trusted Root Certification Authorities | No |
Silverback Server
- On your Silverback Server , import the following certificates
- Please mark the Server.pfx and RootRSA.pfx private key as exportable
File Name | Issued to | Issued By | Certificate Store | Exportable Key |
---|---|---|---|---|
Client.cer | Cloud Connector Client | Silverback Root Authority | Local Computer > Personal | No |
Server.pfx | Silverback Tunnel Certificate | Silverback Root Authority | Local Computer > Personal | Yes |
RootRSA.pfx | Silverback Root Authority | Silverback Root Authority | Local Computer > Personal | Yes |
Network Service
- Navigate to your Cloud Connector Server
- Right the click the Cloud Connector Client Certificate
- Select All Tasks
- Click Manage Private Keys
- Click Add
- Type Network Service
- Click Check Names
- Click OK
- Uncheck Full Control
- Click OK
- Right the click the Cloud Connector Client Certificate
- Navigate to your Silverback Server
- Right the click the Silverback Tunnel Certificate Certificate
- Select All Tasks
- Click Manage Private Keys
- Click Add
- Type Network Service
- Click Check Names
- Click OK
- Uncheck Full Control
- Click OK
- Right the click the Silverback Root Authority Certificate
- Select All Tasks
- Click Manage Private Keys
- Click Add
- Type Network Service
- Click Check Names
- Click OK
- Uncheck Full Control
- Click OK
- Right the click the Silverback Tunnel Certificate Certificate
Configure Silverback
- Open your Silverback Management Console
- Login as Settings Administrator
- Navigate to Cloud Connector
- Configure Cloud Connector
- Enable Send LDAP Request through Tunnel
- Enable Request Client Certificates through tunnel (optional)
- Enable Exchange Protection (optional)
- Add your Client Certificate Thumbprint public key (Silverback Server > Client.cer > Cloud Connector Client)
- Add your Silverback Server Tunnel Certificate private key (Silverback Server > Server.pfx > Silverback Tunnel Certificate)
Ensure to remove spaces for thumbprints, e.g. 259ad790e3485931b489d6bc6d2ebd7401f597bb
- Press Save
Restart Services
- Open PowerShell with Administrator Privileges
- Type: restart-service w3svc,silv*,epic*,mat*
- Click Enter
- Wait until services all services have been restarted
Create Configuration
- Navigate to your Cloud Connector Server
- Open Start Menu
- Under recently added you should Cloud Connector Config Generation
- Confirm with Yes
- Paste your Silverback Tunnel URL
You find the Tunnel URL in your Silverback Management Console under Settings Admin > Cloud Connectors
- Click the certificate button next to Client Certificate Thumbprint (private key)
- Select your Cloud Connector Client Certificate
- Click OK
- Disable Certificate Pinning
- Click the certificate button next to Silverback Server Tunnel Certificate (public key)
- Select your Silverback Tunnel Certificate
- Click OK
- Disable Encrypt Config Files
- Click Export
- Create Make New Folder
- Name it e.g. Configuration Files
- Click OK
- Confirm with OK
- Open on your File Explorer the following path
- Configuration Files\SilverbackConfigs\srv\Cloud Connector Client
- Copy the following file SilverbackMDM.SilverBack.Service.CCClient.exe.config
- Paste the file into the following path C:\Program Files (x86)\Matrix42\Cloud Connector\Service
Start Service
- Open Services MMC
- Start Silverback Cloud Connector Service 1
- Start Silverback Cloud Connector Service 2
Check Connection
Silverback
- Open your Silverback Management Console
- Login as Administrator
- Navigate to Admin
- Select Cloud Connectors
- You should see here now your running Cloud Connectors
Monitoring
If you are running Silverback 21.0 or older, use the adjusted URL: https://silverback.imagoverum.com/tunnel/TunnelInfo or press the Cloud Connectors Monitoring link to open the Cloud Connector Logs for reviewing Clients, Traffic and Errors.
- Open the Log section by clicking the Log icon next to your account name
- Now press Cloud Connector
- Select Connectors to review your connected clients
- Select Traffic to review Traffic Logs and Errors
Configure Active Directory
- Logout as Administrator
- Login as Settings Administrator
Add Active Directory
- Login as Settings Administrator
- Navigate to LDAP
- Configure your LDAP Connection
- Enter your LDAP Server IP Address or FQDN (e.g. dc01.imagoverum.com)
- Enter your LDAP Lookup Username
- Enter your LDAP Lookup Password
- Press Check LDAP Connection
- You should see the confirmation the LDAP server is available
- Click Save
- Click OK
Restart Services
- On your Silverback Server, restart services
- restart-service w3svc,silv*,epic*,mat*
- Navigate back to your Cloud Connector Server instance
- Restart Silverback Cloud Connector Services
Check Login
- Open a second browser or incognito window
- Open Self Service Portal (e.g https://silverback.imagoverum.com/ssp)
- Try to Login with your Active Directory Credentials
Next Steps
- Check our Getting Started Guide
- Check our Administrator Guide
- Check our Certification Authority Integration
- Check our Exchange Protection Integration