Reverse Proxy Deployment
You can enhance the security of your deployment by leveraging a reverse proxy that authenticates SOTI MobiControl requests destined for the SOTI Cloud Link Agent.
In this topology, SOTI MobiControl is configured to communicate with the reverse proxy as if it were the SOTI Cloud Link Agent. The reverse proxy validates the client certificate presented by SOTI MobiControl in the request and then forwards the request, along with an authentication token, to the SOTI Cloud Link Agent. The SOTI Cloud Link Agent verifies the authentication token and then returns the requested information to SOTI MobiControl.
The following diagram illustrates SOTI Cloud Link Agent communication through a Reverse Proxy and outlines the authentication flow of this topology.
Network Requirements
The "SOTI Cloud Link Agent Communication through Reverse Proxy Communication Matrix" table represents the communication requirements between SOTI MobiControl and the reverse proxy, between the reverse proxy and the SOTI Cloud Link Agent, and between the SOTI Cloud Link Agent and enterprise services available to SOTI MobiControl.
Bold text indicates required communication. CLA = SOTI Cloud Link Agent
Protocol | Source | Source Port | Destination | Destination Port |
---|---|---|---|---|
HTTPS | SOTI MobiControl | 443 | Reverse Proxy | 443 |
HTTPS | Reverse Proxy | 443 | CLA Host | 443 |
LDAPS | CLA Host | 636 | AD | 636 |
HTTPS | CLA Host | 443 | ADCS | 443 |
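
One way to check a firewall against the matrix above is to audit its connection log for allowed flows that fall outside the matrix (for example, SOTI MobiControl reaching the CLA host directly instead of through the reverse proxy) and for matrix flows that were never allowed. This is an added example, not SOTI code: the host addresses, the `ACTION SRC DST DPORT` log format and the `audit` function are constructed assumptions, and matching is on destination port only.

```python
# Allowed flows from the communication matrix: (source, destination, destination port).
MATRIX = {
    ("MobiControl", "ReverseProxy", 443),
    ("ReverseProxy", "CLA", 443),
    ("CLA", "AD", 636),
    ("CLA", "ADCS", 443),
}

# Constructed address-to-role map (assumption: replace with your own hosts).
ROLES = {
    "10.0.1.10": "MobiControl",
    "10.0.2.20": "ReverseProxy",
    "10.0.3.30": "CLA",
    "10.0.4.40": "AD",
    "10.0.4.41": "ADCS",
}

# Constructed firewall log lines in a hypothetical "ACTION SRC DST DPORT" format.
SAMPLE_LOG = """\
ALLOW 10.0.1.10 10.0.2.20 443
ALLOW 10.0.2.20 10.0.3.30 443
ALLOW 10.0.1.10 10.0.3.30 443
ALLOW 10.0.3.30 10.0.4.40 636
ALLOW 10.0.3.30 10.0.4.40 389
DENY 10.0.3.30 10.0.4.41 443
ALLOW 203.0.113.7 10.0.3.30 443
"""

def audit(log_text, roles=ROLES, matrix=MATRIX):
    """Return (violations, missing).

    violations: allowed flows touching a known host that the matrix does not list.
    missing:    matrix flows never seen as ALLOW (blocked or absent from the log).
    """
    violations, seen = [], set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines
        action, src, dst, dport = parts
        # Unknown addresses keep their IP so the report shows who connected.
        flow = (roles.get(src, src), roles.get(dst, dst), int(dport))
        if action != "ALLOW":
            continue
        if flow in matrix:
            seen.add(flow)
        elif src in roles or dst in roles:
            violations.append(flow)
    return violations, sorted(matrix - seen)
```

On the sample log this reports the direct MobiControl-to-CLA connection, the CLA-to-AD connection on port 389 and the unknown client reaching the CLA host as violations, and the CLA-to-ADCS flow as missing.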