Is it possible to monitor the service and get an alert by email when it fails?
For example, I had the following problems:
The Secure Gateway tunnel is disabled and disconnected, it must be reconnected before re-enabled
Waiting for the Secure Gateway tunnel to be re-enabled...
The Secure Gateway tunnel was disconnected
Secure Gateway tunnel retry activation in five seconds
The Secure Gateway tunnel connection was refused
The following errors occurred on the Secure Gateway tunnel, ETIMEDOUT...
Unfortunately, we do not have a feature for sending alerts, though that could be a nice addition in the future.
As for the errors that you encountered with the client, updating to 1.4.0 should solve that issue for them. Thank you!
Related
I am considering using Bluemix to run my application. Because of a firewall problem, I want to use IBM's Secure Gateway, which is one of the services in Bluemix. It uses a web socket. I customized a Jetty web socket in the past, so I am wondering whether a web socket client makes a permanent connection with a web socket server. Does the server give data back to the client? If the connection is disconnected for some reason, how can the web socket handle this exception?
If you're wondering about how Bluemix Secure Gateway handles these situations, then yes, the Secure Gateway Client creates a persistent secure websocket connection to the Secure Gateway Servers which allows for the necessary communication between your application and your resource(s) behind the firewall. If the websocket connection goes down, the Secure Gateway Client will attempt to establish a new websocket connection with the Secure Gateway Servers.
I am using a Secure Gateway app on Bluemix to create a secure gateway tunnel between a virtual machine and Bluemix. I have installed the secure gateway client on the virtual machine, and opened ports for applications. I have created a secure gateway and configured the destination details on Bluemix.
However, the Secure Gateway app is not connecting to the individual applications. On Bluemix, it is showing the following status for each destination: Active Destinations: 0
When I log onto the VM and connect to the secure gateway client I receive the following error messages:
[2016-04-05 20:37:04.577] [INFO] (Client PID 1) The Secure Gateway tunnel is connected
[2016-04-05 20:37:04.895] [ERROR] (Client PID 1) The server failed to bring up the destinations associated with this gateway
[2016-04-05 20:37:04.906] [INFO] (Client PID 1) The Secure Gateway tunnel was disconnected
[2016-04-05 20:37:04.906] [INFO] (Client PID 1) Secure Gateway tunnel connection retry in 5 seconds
[2016-04-05 20:37:09.909] [INFO] (Client PID 1) Secure Gateway tunnel connection retry in 5 seconds
How can I resolve this and complete setting up a secure gateway tunnel between the VM and the secure gateway app on Bluemix so that the application is externally accessible? Thanks.
This issue is caused by the Secure Gateway Server encountering some error while attempting to set up the listeners for your destinations, causing it to send a message to the client triggering the tunnel to disconnect. While not ideal, this can typically be resolved by simply restarting the client.
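A log check for the disconnect and retry loop discussed above, whose results could feed an e-mail notifier since the client has no alerting feature. This is an added example, not part of the original posts and not IBM's code. The line format comes from the quoted excerpt; `find_alerts`, `max_retries` and the final recovery line in the sample are assumptions made for illustration.

```python
import re
from datetime import datetime

# Line layout taken from the client log excerpt quoted in the question above.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\] "
    r"\[(?P<level>[A-Z]+)\] \(Client PID (?P<pid>\d+)\) (?P<msg>.*)$"
)

# Sample: the five quoted lines plus one constructed recovery line at the end.
SAMPLE_LOG = """\
[2016-04-05 20:37:04.577] [INFO] (Client PID 1) The Secure Gateway tunnel is connected
[2016-04-05 20:37:04.895] [ERROR] (Client PID 1) The server failed to bring up the destinations associated with this gateway
[2016-04-05 20:37:04.906] [INFO] (Client PID 1) The Secure Gateway tunnel was disconnected
[2016-04-05 20:37:04.906] [INFO] (Client PID 1) Secure Gateway tunnel connection retry in 5 seconds
[2016-04-05 20:37:09.909] [INFO] (Client PID 1) Secure Gateway tunnel connection retry in 5 seconds
[2016-04-05 20:37:15.120] [INFO] (Client PID 1) The Secure Gateway tunnel is connected
"""

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return ts, m["level"], m["msg"]

def find_alerts(lines, max_retries=2):
    """Return (timestamp, reason) tuples worth notifying an operator about."""
    alerts, retries = [], 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # tolerate blank lines and output in another format
        ts, level, msg = parsed
        if level == "ERROR":
            alerts.append((ts, "error: " + msg))
        if "tunnel is connected" in msg:
            retries = 0  # tunnel recovered, start counting afresh
        elif "tunnel was disconnected" in msg:
            alerts.append((ts, "tunnel disconnected"))
        elif "retry" in msg:
            retries += 1
            if retries == max_retries:  # alert once per outage, not per retry
                alerts.append((ts, f"{retries} retries without reconnect"))
    return alerts

if __name__ == "__main__":
    for ts, reason in find_alerts(SAMPLE_LOG.splitlines()):
        print(ts.isoformat(), reason)
```

The returned tuples can be handed to any notifier, for instance a scheduled job that mails them with Python's `smtplib`.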
I am going to use Secure Gateway service in Bluemix and I have some questions about how I should make it work.
Systems in my data center's intranet access the Internet through a proxy (with no authentication). Can Secure Gateway connect to Bluemix via a proxy?
Does it connect to Bluemix via HTTPS protocol?
The network admins asked me: What are the IPs (or the IP range) of Bluemix, any idea?
Thank you very much.
A Secure Gateway instance runs in two parts, as shown in "Reaching enterprise backend with Bluemix Secure Gateway via console": the gateway and the gateway client. The gateway runs in Bluemix, the gateway client runs in the data center containing one or more systems of record to connect to. The gateway client needs network access to the Bluemix data center (typically via the Internet) and to the systems of record (via the data center's internal network). The gateway client initiates the connection, so it needs to know Bluemix's address, but Bluemix doesn't need to know the gateway client's address.
To answer your questions specifically:
A proxy isn't supported. The gateway and its client need direct access to each other.
The connection uses HTTPS for SSL encryption. The transport level security (TLS) options can be used to add authentication.
Bluemix's IP addresses aren't published.
For point 3:
The client connects outbound to the cloud services. Once the SecGW is connected, all additional Destination connects flow through that connection, no additional firewall or iptables rules are needed. If they have a rule in-place so that the on-premises machine where the SecureGateway client is installed can use the outbound port 443 (HTTPS) to make connections, that is all they need.
Does the DataPower Secure Connection in Bluemix require the DataPower to be internet facing?
If Bluemix starts the connection, the answer is maybe yes.
But as the Basic Secure Connection (Software), if that one initiates the connection, the server running the Basic Secure Connection only needs to have internet access (behind a firewall/gateway/etc...), but doesn't need to be internet facing : IP# on internet.
I have set up a Bluemix DataPower Secure Connection (in the Bluemix Cloud Integration Service) towards my on-premise DataPower appliance. The DataPower Secure Connection is pointing to an Internet IP, and my on-premise firewall maps this to the DataPower appliance's "DMZ" ethernet interface.
On the DataPower appliance, the Cloud Gateway Service is configured to receive connections from the Bluemix DataPower Secure Connections. This seems to work well for endpoints I have added to the Cloud Gateway Service. Right now I am working on adding (1-way and 2-way) TLS in the Bluemix DataPower Secure Connection.
To my knowledge the DataPower connector and the Basic Secure connector must be able to connect to your DataPower. This is usually initiated by the on-premises side, either your DataPower or the Basic Connector client running on-premises.
Also, DataPower v7.2 now supports Secure Gateway connectivity which is the preferred way to securely connect your cloud applications to your on-premises DataPower resources. The UI for DataPower has been updated to provide the ability to configure for these connections.
I use Fiddler2 to analyse some pages that use HTTPS connections. I enabled HTTPS decryption, but I still see some Tunnel to host:443 entries in my log. I can see decrypted HTTPS traffic in the log, so I assume the decryption works.
I think that a Tunnel to host:443 entry is created in addition to the decrypted log entry when the connection is opened.
Is my assumption correct or did I miss something?
Yes, this is expected.
If you click on Tunnel to Host:443 you'll see the following on the Statistics tab:
The selected session is a HTTP CONNECT Tunnel. This tunnel enables a client to
send raw traffic (e.g. HTTPS-encrypted streams or WebSocket messages) through
a HTTP Proxy Server (like Fiddler).
You can automatically hide these tunnels if you like by clicking Rules > Hide Connects.
My HTTPS interception and decryption stopped working and this message was also in my logs.
Perhaps it is unrelated, but I was able to resolve it by exporting the Fiddler certificate to the Desktop (Tools > Fiddler Options > Export Root Certificate to Desktop), double-clicking it to install it, and restarting Fiddler and my browser.