Reverse Proxy Deployment

Note: Reverse proxy deployment is only supported on Inbound SOTI Cloud Link Agent connections.

Enhance the security of your deployment by leveraging a reverse proxy that authenticates SOTI ONE application requests destined for the SOTI Cloud Link Agent.

In this topology, the SOTI ONE application is configured to communicate with the reverse proxy as if it were the SOTI Cloud Link Agent. The reverse proxy provides validation of the client certificate presented by the SOTI ONE application in the request and then publishes the request along with an authentication token to the SOTI Cloud Link Agent. The SOTI Cloud Link Agent verifies the authentication token and then returns the requested information to the SOTI ONE application.

Note: The reverse proxy must support passing a Windows Identity to the SOTI Cloud Link Agent. Generally, this is achieved through the Kerberos Constrained Delegation (KCD), which requires that the reverse proxy and the SOTI Cloud Link Agent host are bound to the same Active Directory domain with the appropriate Service Principal Name (SPN) present.

The following diagram illustrates SOTI Cloud Link Agent communication through a Reverse Proxy and outlines the authentication flow of this topology.

SOTI Cloud Link Agent Communication through a Reverse Proxy

Network Requirements

Review the communication requirements between:

  1. The SOTI ONE application and the reverse proxy
  2. The reverse proxy and the SOTI Cloud Link Agent
  3. The SOTI Cloud Link Agent and enterprise services available to the SOTI ONE application

Bold text indicates required communication.

Protocol Source Port Destination Port
HTTPs SOTI ONE application 443 Reverse Proxy 443
HTTPs Reverse Proxy 443 SOTI Cloud Link Agent Host 443
LDAPs SOTI Cloud Link Agent Host 636 AD 636
HTTPs SOTI Cloud Link Agent Host 443 ADCS 443