Versions Compared

Old Version 12

changes.mady.by.user Agat Support

Saved on

compared with

New Version Current

changes.mady.by.user Avi J. Levin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

In this KB we are going to learn how to install and configure Bastion Reverse Proxy and its filters (EWS and LAC).
If you have done that already please make sure to configure all the initial setting settings in the installer by following this KB.

You can advise Bastion folder structure for reference to Refer to Bastion Folder Structure regarding the folder structure

Table of Contents

Installing the Bastion Reverse Proxy

1. Right-click the installer and choose to run as administrator.
When this window pops up chose select SphereShield for Skype for Business

Info

If no user properties file was detected you will be required to choose one.

It's Its default location is: C:\Agat\SphereShield.Setup\setup.properties.user

...

4. Validate the installation - For any issues please refer to the installation log file by clicking the  button.
After completing the installation make sure that the Bastion service has been created:


Bastion initial configuration 

Configure the Listeners

  1. Go to the bastion.xml (located by default at “c:\Agat\Bastion\Bastion.xml”) and set the IP and port on which the Bastion will listen on.

Configure the Certificate

under ssl::serverCert configure the certificate the bastion will be using.

There are 3 modes of loading the certificate:

  1. Certificate store - change the path to the following format(change the thumbprint after the '#' to your particular settings):

    <path>store:/LocalMachine/My/#667B3CC8ADF2B13BB9F4BF258F3232C337EE3389</path>


    Note:
    Sometimes you will copy unintended hidden characters when copying from the Windows Certificate store due to bad ANSI conversion.
    We recommend deleting the '#' sign and two additional characters and retype them manually in order to avoid unneeded complications.

  2. Local unencrypted .crt and .key file - add the following tags

    <path>cert\DemoServer.crt</path> <!-- Relative path  to certificate -->
<privateKey>cert\DemoServer.key</privateKey> <!-- Relative path  to key-->


  3. PFX file - add the following tags

    <path>cert\DemoServer.pfx</path> <!-- Relative file to pfx --> <password encrypted="false">123456</password> <!-- PFX password →

Info

You can configure in addition whether the Bastion will require a client certificate, this is relevant when applying CAF(used for enforcing additional certificate factor) 

For more information see the documentation for Cloud Conditional Access

This can be configured under the <clientCert> tag with the following options

ignore Bastion shouldn't ask for a client certificate. 
askBastion should ask for a client certificate, but not require it. 
requireBastion should require a client certificate (connection will fail if no client certificate is provided) 


Channels

A Channel is a configuration that specifies the particular route headers to a single internal host and the associated filters that will process the traffic.

you You can have a channel without any filter, in .  In this case, the bastion will just reroute the traffic without attaching any additional filtering.

The filter is loaded automatically from a subfolder  based on the DLL name without the extension

Channel Structure

The following XML describes the general structure of a channel

Code Block
<channel name="[Unique name for the channel]" listener="[listener]">
	<!--for which hosts this channel will apply-->
    <externalHosts>
    	<host>PublicDNS1.domain.com</host>
		<host>PublicDNS2.domain.com</host>           
    </externalHosts>
    <!--Where to publish connections on this channel -->
    <publish>
    	<host>[InternalHost.corp.domain.com/IP]</host>
        <sslPort>443</sslPort>
        <convertTo>keep</convertTo>
    </publish>
    <filters>
    	<filter>[Folder]\[DLL name without ext]</filter>
	</filters>
</channel>


External host - externalHost

The external hostnames the Bastion will redirect the traffic from

Example
Code Block
<externalHosts>
	<host>PublicDNS1.domain.com</host>
	<host>PublicDNS2.domain.com</host>           
</externalHosts>


Info

You can have multiple hosts per channels

Target hosts - publish 

The FQDN or IP of the host to which the Bastion will publish the traffic from the external hosts

It is built from:

  1. host - the host to which the traffic will be published to
  2. sslPort - the listening port on the published server host
  3. convertTo - Convert HTTP traffic to HTTPS
Example
Code Block
<publish>
    <host>[InternalHost.corp.domain.com/IP]</host>
    <sslPort>443</sslPort>
	<convertTo>keep</convertTo>
</publish>


Filter - filter

The relative path of the filter.

The base path is taken from the previous XML element filters:: path 


Code Block
 <filters>
      <!--The directory where the dll of the filters are -->
      <path>filters\</path>
   </filters>


Example

Code Block
<filters>
	<filter>[Folder]\[DLL name without ext]</filter>
</filters>


Skype Channel

A redirection to a Front-End Skype pool, one pool must have the lyncdiscover and the general front-end services(meet, dialin) and a separate channel for every separate pool with just the pool external address.

Info

In case of an environment with multiple pools The traffic will be rerouted automatically


Example 1: A primary channel can be found in the following:
Code Block
<channel name="Skype-PoolA" listener="main">
         <!--for which hosts this channel will apply-->
         <externalHosts>
            <host>test.skypeshield.com</host>
            <host>lyncdiscover.company.com</host>
            <host>lyncpoolext.company.com</host>
            <host>meet.company.com</host>
            <host>dialin.company.com</host>
         </externalHosts>
         <!--Where to publish connections on this channel -->
         <publish>
            <host>internal-pool.fqdn</host>
            <sslPort>4443</sslPort>
            <convertTo>keep</convertTo>
         </publish>
         <filters>
            <filter>skype-pool-a\Lync_Access_Control</filter>
         </filters>
      </channel>
Exmaple 2: A topology with two Front-End pools
Code Block
<channel name="Skype-PoolA" listener="main">
         <!--for which hosts this channel will apply-->
         <externalHosts>
            <host>test.skypeshield.com</host>
            <host>lyncdiscover.company.com</host>
            <host>lyncpoolext.company.com</host>
            <host>meet.company.com</host>
            <host>dialin.company.com</host>
         </externalHosts>
         <!--Where to publish connections on this channel -->
         <publish>
            <host>internal-pool.fqdn</host>
            <sslPort>4443</sslPort>
            <convertTo>keep</convertTo>
         </publish>
         <filters>
            <filter>skype-pool-a\Lync_Access_Control</filter>
         </filters>
      </channel>
      <channel name="Skype-PoolB" listener="main">
         <!--for which hosts this channel will apply-->
         <externalHosts>
            <host>lyncpoolext.company.com</host>
         </externalHosts>
         <!--Where to publish connections on this channel -->
         <publish>
            <host>internal-pool2.fqdn</host>
            <sslPort>4443</sslPort>
            <convertTo>keep</convertTo>
         </publish>
         <filters>
            <filter>skype-pool-b\Lync_Access_Control</filter>
         </filters>
      </channel>

...

Info

For each additional pool you need to have a different folder

EWS - for EWS protection define another channel and point it to the

...

Exchange server 

A channel for the Exchange traffic in case EWS protection is applied, you can have separate channels for different Exchange servers

Example

Code Block
<channel name="EWS" listener="main">
	<!--for which hosts this channel will apply-->
	<externalHosts>
		<host>autodiscover.company.com</host>
		<host>ews-external.company.com</host>
	</externalHosts>
	<!--Where to publish connections on this channel -->
	<publish>
	    <host>internal-pool.fqdn</host>
    	<sslPort>443</sslPort>
        <convertTo>keep</convertTo>
    </publish>
    <filters>
    	<filter>ews\EWS_Protector</filter>
    </filters>
</channel>


Office Online Server

A channel for the Office Online Server with a LAC Filter

Example

Code Block
<channel name="EWS" listener="main">
	<!--for which hosts this channel will apply-->
	<externalHosts>
		<host>oos.company.com</host>
	</externalHosts>
	<!--Where to publish connections on this channel -->
	<publish>
	    <host>oos.corp.company.local</host>
    	<sslPort>443</sslPort>
        <convertTo>keep</convertTo>
    </publish>
    <filters>
    	<filter>OOS\Lync_Access_Control</filter>
    </filters>
</channel>


Logging

There are 3 types of logging enabled by the Bastion:

  1. main - Logging to a text file
  2. console - Logging to console, useful when wanting to debug a change in the configuration(logging can be seen by openning opening the Bastion in cmd with the option bastion.exe console)
  3. debug - Not relvantrelevant

A section for configuration of the logging

OptionModesExplanationScope
enabledtrue/falseWhether logging is activeAll
severityinfo/xtrace/debugLogging levelmain(text log)/console

maxFileSizeMb

Size in MBThe max size of the file for the active file in MBmain(text log)
maxArchiveSizeMbSize in MBThe max size of the archived logs in MBmain(text log)
minFreeSpaceMbSize in MBThe minimum free space to enable logging in MBmain(text log)

Severity levels

infoBasic information of loading and operation (recommended for production usage)
xtraceMore information  regarding the  routing
debugFull information of the routing with a listing of all the 


Configuring filters

After setting the Bastion XML you will be required to configure the Filters configuration using the following articles:

  1. How to configure Lync Access Control
  2. How to configure Configure EWS Protector

See also

Child pages (Children Display)
pageHow to Install Bastion and its filters

...