R&S® TrustedGate System Management Tool

General

What is the R&S®Trusted Gate System Management Tool?

The R&S®Trusted Gate System Management Tool is designed to make the deployment and initial configuration of any R&S®Trusted Gate setup as easy as possible. This also includes the deployment of the cloud resources needed for the setup.

Currently supported solutions:

  • R&S®Trusted Gate Solution for Teams (Standard and Enterprise Edition, click here to see differences)
  • R&S®Trusted Gate Solution for Microsoft 365
  • R&S®Trusted Gate Solution for SharePoint
  • R&S®Trusted Gate Solution for OneDrive
  • R&S®Trusted Gate Secure Data Room Solution
  • R&S®Trusted Gate Mobile Access Solution

How does the tool work?

The R&S®Trusted Gate System Management Tool is based on Ansible. The machine running the tool must therefore be able to reach, over the internet, the VMs on which the installation is to be performed. To secure this connection, you need to enable SSH access on your machines with key-based authentication.

How can I use this tool?

The R&S®Trusted Gate System Management Tool is completely integrated into the Azure Marketplace. After deploying one of our Solutions to your subscription, you get a single VM with the preinstalled tool and preconfigured RDP access. The credentials for the RDP connection are set by you during the deployment.

When you connect to the VM via RDP, a browser window should already be opened showing the System Management Tool UI. Else, you can open it on http://localhost/#/templates.

How can I exchange data with the System Management Tool?

You will need to exchange files with the virtual machine running the System Management Tool.

To do so, open the “Remote Desktop Connection” client on your Windows machine. In the following dialog, select “Show Options” and switch to the “Local Resources” tab. Uncheck the “Printer” field and click on “More…”.

In the dialog which is opening now you can select the drive that you want to share via the RDP connection (e.g. your main C: drive).

After you have connected to the VM, you can see your shared drives when you open the file explorer and go to “thinclient_drives”.

Installation steps

Upload Software Package

To start with the installation process, you need to obtain a software package. This software package includes all necessary material for the application as well as your personal license file. The software that will be installed is automatically derived from the license file in your software package.

You can get in contact with our sales team to obtain such a package via https://hub.trustedgate.de.

Upload SSH keys

In this step, you need to upload the SSH key pair used to connect to your VMs. If you’ve chosen to use existing VMs, this key pair needs to be configured by you on all VMs you want to include in this setup. Please note that the user needs to be able to gain root permissions on the VMs.

If you’ve chosen to create your VMs automatically in Azure, the uploaded key pair will be copied to your deployed VMs automatically.

The input fields in this form are completely optional – if you leave every field blank, the System Management Tool will automatically generate a key pair for you. This key pair can be downloaded in the next installation step. Please keep these files extremely secure, as they are needed to access your VMs.

Download generated SSH keys

This step is only visible if you’ve chosen to generate your SSH keys automatically in the previous step.

You are prompted to download a zip file containing your SSH keys. Please keep this file extremely secure, as it is critical for your complete setup.

Afterwards, continue with “Finish”.

Configure VM setup

In this step you need to enter general information about your setup.

Please enter the number of VMs across which your setup shall be distributed. This can be one single VM or multiple VMs. We recommend using at least 2 VMs, as the Administration server should run separately from the other services.

Additionally, you need to enter a user name of your choice. If you want to use your own VMs, please make sure that this user exists on all VMs and can be accessed via the previously configured SSH key.

Configure target VMs

In this step you enter the necessary information for all of your VMs.

Please select for every VM whether you want to use an already existing one or to create one automatically in Azure.

If you want to use an already existing VM, please enter its hostname. The tool will afterwards check whether it is able to connect to it.

If you want to create a VM automatically in Azure, please also choose the region and the size for this VM. Please note that the VM will be deployed to your subscription, therefore also the costs for this VM will be billed to your account.

Additionally, you will need to enter a DNS prefix that will be used for the VM. The tool will check afterwards whether the prefix is available.

(Azure) Enter Azure account data

This step is only visible if you’ve chosen to create at least one of your VMs in Azure.

To create the VMs on your behalf, please enter username and password for your Azure account. This account needs to have sufficient permissions to create VMs and storage accounts in Azure.

We won’t receive your account data, it is only used to create the necessary VMs.

(Azure) Create Azure VMs

This step is only visible if you’ve chosen to create at least one of your VMs in Azure.

In this step, you enter additional data needed to deploy your VMs on Azure.

Please select the subscription you want to deploy to. Additionally, enter the name of the resource group you want to place your Azure resources in. Please note that this name is only used as a prefix, as each region you selected for deployment gets its own resource group (e.g. “TrustedGate-Solution-westeurope”).

You also have to select the location your storage account will be deployed to. This storage account can be used to store encrypted data of your installed Solution.

Assign components to VM

For each component that is part of your license, you can now select via a drop-down menu on which VM it should be installed. You can install multiple components on a single VM.

We recommend keeping the Administration service on its own VM, as it should always be separated from the other services.

Install Solution for Teams on VMs

This step performs the installation of the application on the selected servers. For this, you need to enter the hostnames of your SharePoint Online (e.g. your-org.sharepoint.com) and OneDrive (e.g. your-org-my.sharepoint.com) instances.

Additionally, you need to enter an e-mail address at which you will receive renewal information for the free Let’s Encrypt certificate that is obtained during the installation process.

This step enables you also to deploy a DNS server together with your solution. This DNS server automatically overwrites the DNS entries needed for the Reverse Proxy and can be used on your Client machines.

The DNS server will be deployed on the same server as your Reverse Proxy instance.

Install Solution for Microsoft 365 on VMs

This step performs the installation of the application on the selected servers. For this, you need to enter the hostname of your SharePoint Online (e.g. your-org.sharepoint.com) instance.

Additionally, you need to enter an e-mail address at which you will receive renewal information for the free Let’s Encrypt certificate that is obtained during the installation process.

This step enables you also to deploy a DNS server together with your solution. This DNS server automatically overwrites the DNS entries needed for the Reverse Proxy and can be used on your Client machines.

The DNS server will be deployed on the same server as your Reverse Proxy instance.

Install Solution for SharePoint on VMs

This step performs the installation of the application on the selected servers. For this, you need to enter the hostname of your SharePoint instance.

Additionally, you need to enter an e-mail address at which you will receive renewal information for the free Let’s Encrypt certificate that is obtained during the installation process.

This step enables you also to deploy a DNS server together with your solution. This DNS server automatically overwrites the DNS entries needed for the Reverse Proxy and can be used on your Client machines.

The DNS server will be deployed on the same server as your Reverse Proxy instance.

Install Solution for OneDrive on VMs

This step performs the installation of the application on the selected servers. For this, you need to enter the hostnames of your SharePoint and OneDrive instances.

Additionally, you need to enter an e-mail address at which you will receive renewal information for the free Let’s Encrypt certificate that is obtained during the installation process.

This step enables you also to deploy a DNS server together with your solution. This DNS server automatically overwrites the DNS entries needed for the Reverse Proxy and can be used on your Client machines.

The DNS server will be deployed on the same server as your Reverse Proxy instance.

Install Secure Data Room Solution on VMs

This step performs the installation of the application on the selected servers. For this, you need to enter an e-mail address at which you will receive renewal information for the free Let’s Encrypt certificate that is obtained during the installation process.

Install Mobile Access Solution on VMs

This step performs the installation of the application on the selected servers. For this, you need to enter an e-mail address at which you will receive renewal information for the free Let’s Encrypt certificate that is obtained during the installation process.

Download target configuration

In this step you download a zipped text file. This text file contains a short manual on how to adapt the encryption targets for your Solution.

Please follow this manual and click “Finish” to move on with the next step.

Download certificate signing request

As the R&S®Trusted Gate Solutions for Teams, Microsoft 365 and SharePoint are reverse proxy solutions, they need to pretend to the clients that they are the original servers. For this, we need a special certificate, which contains SAN entries for the services we intercept with our solution.

To make this certificate creation process as easy as possible for you, you can download in this step a certificate signing request with the necessary entries, as well as the associated private key. This certificate signing request must be signed by your internal company certificate authority, as all clients need to trust the issued certificate.
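Before handing the certificate signing request to your CA, it is worth confirming that it really carries the SAN entries for every hostname you intend to intercept; a missing name shows up later as a certificate warning on the clients. The following shell script is an added example and not part of this documentation: it extracts the DNS names from a CSR with the openssl CLI and checks them against a list of expected hostnames. The CSR file name, the tenant name contoso and the helper make_demo_csr (which builds a throwaway CSR so the check can be tried offline) are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example, not part of the R&S Trusted Gate documentation.
# Requires the openssl command-line tool.
set -eu

# csr_sans FILE: print one SAN DNS name per line from a PEM-encoded CSR.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# check_sans FILE HOST...: report every expected host that is absent from
# the CSR; returns 1 if anything is missing, 0 otherwise.
check_sans() {
  local file=$1 rc=0 h
  shift
  for h in "$@"; do
    csr_sans "$file" | grep -qx "$h" || { echo "missing SAN: $h"; rc=1; }
  done
  return $rc
}

# make_demo_csr DIR: constructed test data only. Generates a key and a CSR
# with two SAN entries so the check above can be exercised without the
# CSR produced by the System Management Tool.
make_demo_csr() {
  local dir=$1
  cat > "$dir/demo.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = san
prompt = no
[dn]
CN = demo.example
[san]
subjectAltName = DNS:demo.example, DNS:contoso.sharepoint.com
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/demo.cnf" \
    -keyout "$dir/demo.key" -out "$dir/demo.csr" >/dev/null 2>&1
}

# Typical use with the downloaded request (assumed file name):
#   check_sans trustedgate.csr contoso.sharepoint.com contoso-my.sharepoint.com teams.microsoft.com
```

Run check_sans with the exact hostnames from your hosts-file or DNS list; it prints each missing name, so a non-zero exit tells you to regenerate the request before involving the CA.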

Upload signed certificate

Upload the signed certificate for your reverse proxy service. This includes the certificate and the corresponding private key.

You can get these files by simply signing the certificate signing request you downloaded in the previous step.

Create backup package

To run this step successfully, all of your components need to be running and initialized manually with your administration server – else, this step will fail. For a short manual on how to initialize your components, look here.

This step will collect all relevant data needed for a complete backup of your keys.

Download backup package

In this step, you download a zipped file containing all relevant backup information. This includes the application keys as well as SSH keys, certificates and a file containing all parameters you’ve entered during the deployment with the System Management Tool. Please be careful with this package, as it is highly security critical for all of your encrypted files.

Manual installation steps

Initialization of reverse proxy service

After you’ve run the “Installation” step, you need to manually initialize your reverse proxy service with your Administration server.

For this, you need the address of the VM on which you have installed the Administration server – it will be referenced as <ADMIN_URL> (e.g. trustedgate-admin.westeurope.cloudapp.azure.com) – and the address of the VM on which you have installed the reverse proxy service – it will be referenced as <RP_URL> (e.g. trustedgate-rp.westeurope.cloudapp.azure.com).

You can log in to the Administration server via navigating to https://<ADMIN_URL>:8443/TrustedGate-admin.

Log in with the default username and password (Admin1, 123456) and change the password of this administrator directly afterwards.

  • Navigate to Microservices –> TrustedGate
  • Edit the existing default entry or create a new one
  • Fill the form with the information of your reverse proxy service and click “Save”
    • Name: A unique name for the reverse proxy service.
    • Url: URL of the newly installed reverse proxy service – enter https://<RP_URL>:8443/
    • Active: Select this checkbox.
    • Assigned Cores: Assign cores to the instance according to your setup. If you do not assign sufficient cores, you will see a warning in the instance’s log files and it will be slowed down.
    • Configured Targets: Select targets to be available in the new R&S®Trusted Gate encryption service. This needs to remain as “DefaultDocEncTarget”, as this target name is preconfigured for the reverse proxy.
    • File Metadata key: Select the only available entry

To initialize, select the newly created reverse proxy service and click Initialize. Click download from the pop-up dialogue. This should place a file ‘init.properties’ in your downloads directory. Please make sure the file name is exactly ‘init.properties’.

You need to copy this file into the customer configuration directory of the reverse proxy service. To do so, connect via SSH to the VM running your reverse proxy service (ssh -i <path-to-your-ssh-key> <your-user>@<RP_URL>) and copy the file to /opt/tomee1/apache-tomee-plus-7.1.3/ROOT/conf/. You can either copy the contents of the file via clipboard or use the pscp command that comes with PuTTY.

The SSH private key to use for connecting is the key you have configured in Step 2 or downloaded in Step 3.

After making the changes mentioned above, restart your TomEE™ server on this VM via sudo service tomee-1 restart.

After startup, the reverse proxy service should connect with the R&S®Trusted Gate security administration server. Reload the Trusted Gates page in the security administration and ensure that the reverse proxy service is displayed with a green icon, indicating that it has been successfully initialized.

Initialization of Secure Search service

After you’ve run the “Installation” step, you need to manually initialize your Secure Search service with your Administration server.

For this, you need the address of the VM on which you have installed the Administration server – it will be referenced as <ADMIN_URL> (e.g. trustedgate-admin.westeurope.cloudapp.azure.com) – and the address of the VM on which you have installed the Secure Search service – it will be referenced as <SEARCH_URL> (e.g. trustedgate-search.westeurope.cloudapp.azure.com).

You can log in to the Administration server via navigating to https://<ADMIN_URL>:8443/TrustedGate-admin.

Log in with the default username and password (Admin1, 123456) and change the password of this administrator directly afterwards.

  • Navigate to Microservices –> Secure Search
  • Edit the existing default entry or create a new one
  • Fill the form with the information of your Secure Search service and click “Save”
    • In “Main Configuration” tab:
      • Name: A unique name for the Secure Search service.
      • Url: URL of the newly installed Secure Search service – enter https://<SEARCH_URL>:8443/TrustedGate-search-ms
      • Active: Select this checkbox.
      • Assigned Cores: Assign cores to the instance according to your setup. If you do not assign sufficient cores, you will see a warning in the instance’s log files and it will be slowed down.
      • Trusted Gates: Select all Trusted Gates for which the Secure Search service should index files – usually, this is the reverse proxy service and the Data Exchange UI.
    • In “Advanced” tab
      • Search Engine URL: http://localhost:8983/solr
      • Number of Shards: 1
      • Number of Replicas: 1

To initialize, select the newly created Secure Search service and click Initialize. Click download from the pop-up dialogue. This should place a file ‘init.properties’ in your downloads directory. Please make sure the file name is exactly ‘init.properties’.

You need to copy this file into the customer configuration directory of the Secure Search service. To do so, connect via SSH to the VM running your Secure Search service (ssh -i <path-to-your-ssh-key> <your-user>@<SEARCH_URL>) and copy the file to /opt/tomee1/apache-tomee-plus-7.1.3/TrustedGate-search-ms/conf/. You can either copy the contents of the file via clipboard or use the pscp command that comes with PuTTY.

The SSH private key to use for connecting is the key you have configured in Step 2 or downloaded in Step 3.

After making the changes mentioned above, restart your TomEE™ server on this VM via sudo service tomee-1 restart.

After startup, the Secure Search service should connect with the R&S®Trusted Gate security administration server. Reload the Trusted Gates page in the security administration and ensure that the Secure Search service is displayed with a green icon, indicating that it has been successfully initialized.

Initialization of Data Exchange UI

After you’ve run the “Installation” step, you need to manually initialize your Data Exchange UI with your Administration server.

For this, you need the address of the VM on which you have installed the Administration server – it will be referenced as <ADMIN_URL> (e.g. trustedgate-admin.westeurope.cloudapp.azure.com) – and the address of the VM on which you have installed the Data Exchange UI – it will be referenced as <DATAEXCHANGE_URL> (e.g. trustedgate-dataexchange.westeurope.cloudapp.azure.com).

You can log in to the Administration server via navigating to https://<ADMIN_URL>:8443/TrustedGate-admin.

Log in with the default username and password (Admin1, 123456) and change the password of this administrator directly afterwards.

  • Navigate to Microservices –> TrustedGate
  • Edit the existing default entry or create a new one
  • Fill the form with the information of your Data Exchange UI and click “Save”
    • Name: A unique name for the Data Exchange UI.
    • Url: URL of the newly installed Data Exchange UI – enter https://<DATAEXCHANGE_URL>:9443/TrustedGate
    • Active: Select this checkbox.
    • Assigned Cores: Assign cores to the instance according to your setup. If you do not assign sufficient cores, you will see a warning in the instance’s log files and it will be slowed down.
    • Configured Targets: Select targets to be available in the Data Exchange UI. This needs to remain as “DefaultDocEncTarget”, as this target name is preconfigured.
    • File Metadata key: Select the only available entry

To initialize, select the newly created Data Exchange UI and click Initialize. Click download from the pop-up dialogue. This should place a file ‘init.properties’ in your downloads directory. Please make sure the file name is exactly ‘init.properties’.

You need to copy this file into the customer configuration directory of the Data Exchange UI. To do so, connect via SSH to the VM running your Data Exchange UI (ssh -i <path-to-your-ssh-key> <your-user>@<DATAEXCHANGE_URL>) and copy the file to /opt/tomee2/apache-tomee-plus-7.1.3/TrustedGate/conf/. You can either copy the contents of the file via clipboard or use the pscp command that comes with PuTTY.

The SSH private key to use for connecting is the key you have configured in Step 2 or downloaded in Step 3.

After making the changes mentioned above, restart your TomEE™ server on this VM via sudo service tomee-2 restart.

After startup, the Data Exchange UI should connect with the R&S®Trusted Gate security administration server. Reload the Trusted Gates page in the security administration and ensure that the Data Exchange UI is displayed with a green icon, indicating that it has been successfully initialized.
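The three initialization procedures above (reverse proxy service, Secure Search service, Data Exchange UI) end with the same manual steps: place init.properties in the component’s configuration directory and restart its TomEE instance. The following shell function is an added example and not part of this documentation; it performs those steps from a Linux or macOS workstation with the OpenSSH client and refuses any file that is not named exactly init.properties, which the administration server requires. The directories and service names are those given in the sections above; the key path, user and hostnames are placeholders, and the file is staged in /tmp on the VM because the SSH user normally cannot write to /opt directly.

```shell
#!/usr/bin/env bash
# Added example, not part of the R&S Trusted Gate documentation.
# Requires ssh/scp (OpenSSH) locally and sudo for the SSH user on the VM.
set -eu

# Configuration directory per component, as given in the manual
# initialization sections.
conf_dir_for() {
  case "$1" in
    reverse-proxy) echo /opt/tomee1/apache-tomee-plus-7.1.3/ROOT/conf ;;
    secure-search) echo /opt/tomee1/apache-tomee-plus-7.1.3/TrustedGate-search-ms/conf ;;
    data-exchange) echo /opt/tomee2/apache-tomee-plus-7.1.3/TrustedGate/conf ;;
    *) echo "unknown component: $1" >&2; return 1 ;;
  esac
}

# TomEE service to restart per component (tomee-1 or tomee-2).
service_for() {
  case "$1" in
    reverse-proxy|secure-search) echo tomee-1 ;;
    data-exchange)               echo tomee-2 ;;
    *) echo "unknown component: $1" >&2; return 1 ;;
  esac
}

# push_init COMPONENT KEY USER HOST FILE
# Copies FILE (which must be named init.properties) to the component's
# configuration directory on HOST and restarts the matching TomEE service.
push_init() {
  local component=$1 key=$2 user=$3 host=$4 file=$5 dir svc
  if [ "$(basename "$file")" != "init.properties" ]; then
    echo "refusing: file must be named init.properties (got $(basename "$file"))" >&2
    return 1
  fi
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  dir=$(conf_dir_for "$component") || return 1
  svc=$(service_for "$component") || return 1
  # Stage in /tmp, then move into place and restart with sudo on the VM.
  scp -i "$key" "$file" "$user@$host:/tmp/init.properties"
  ssh -i "$key" "$user@$host" \
    "sudo cp /tmp/init.properties '$dir/' && rm -f /tmp/init.properties && sudo service $svc restart"
}

# Example invocation (placeholder key, user and hostname):
#   push_init reverse-proxy ~/.ssh/trustedgate_key azureuser trustedgate-rp.westeurope.cloudapp.azure.com ~/Downloads/init.properties
```

After the restart, still verify in the security administration that the component shows a green icon; the script only confirms that the file was delivered and the service was told to restart.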

Connect to a VM via SSH from Linux client

To connect to a VM via SSH from a Linux client with a private key, simply use the command “ssh -i <path-to-private-key> <your-user>@<your-vm>”. Please note that the private key file needs to have permissions 600 (to apply these permissions, use chmod 600 <path-to-private-key>).
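OpenSSH refuses a private key that other users can read, so a key copied out of the downloaded zip file typically needs its permissions tightened first. The following shell functions are an added example and not part of this documentation: they check that the key has mode 600 (or the stricter 400), fix it if it is too open, and only then open the connection. The key_mode helper with its BSD/macOS stat fallback and the placeholder user and hostname are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example, not part of the R&S Trusted Gate documentation.
set -eu

# key_mode FILE: print the octal permission bits (GNU stat, BSD fallback).
key_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_key_perms FILE: succeed only if the key is owner-readable and not
# accessible by group or others (600 or 400).
check_key_perms() {
  local mode
  mode=$(key_mode "$1")
  [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# ensure_key_perms FILE: tighten to 600 when the current mode is too open.
ensure_key_perms() {
  check_key_perms "$1" && return 0
  echo "tightening permissions on $1 to 600" >&2
  chmod 600 "$1"
  check_key_perms "$1"
}

# ssh_vm KEY USER HOST: connect after the permission check has passed.
ssh_vm() {
  local key=$1 user=$2 host=$3
  [ -r "$key" ] || { echo "private key $key not readable" >&2; return 1; }
  ensure_key_perms "$key" || { echo "cannot fix permissions on $key" >&2; return 1; }
  ssh -i "$key" "$user@$host"
}

# Example invocation (placeholder key, user and hostname):
#   ssh_vm ~/Downloads/ssh-keys/id_rsa azureuser trustedgate-rp.westeurope.cloudapp.azure.com
```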


Connect to a VM via SSH from Windows client

To connect to a VM via SSH from a Windows client you need additional software like PuTTY.

After you have installed PuTTY, open it and enter the following data:

  • In tab Session:
    • Host Name of your VM
  • In tab Connection -> Data:
    • auto-login username: the name of the user as which you want to log in to the VM
  • In tab Connection -> SSH -> Auth:
    • Private key file for authentication: Enter the path of your .ppk private key file

After you have entered this data, you should be able to connect to the VM via the button “Open”.


Convert an SSH private key to PuTTY's .ppk format

To connect to a VM via PuTTY, you need the private key as .ppk file.

After you’ve installed PuTTY, you should be able to launch PuTTYgen via the Windows programs list.

  • Click “Conversions” from the PuTTY Key Generator menu and select Import key.
  • Navigate to the OpenSSH private key and click “Open”.
  • Under “Actions / Save the generated key” select “Save private key”
  • Save the private key as “id_rsa.ppk” to a path of your choice.

You can now connect to the VM via PuTTY using the converted key.


Getting started

Change user credentials

You can change a user’s login credentials via the R&S®Trusted Gate security administration server.

Log in to the administration server on https://<ADMIN_URL>:8443/TrustedGate-admin with your admin user (Default: Admin1, 123456). Navigate to Entities –> Users, select the user for which you want to change the password and click “Edit”.

In the following dialog, set the password and the password confirmation to a new password of your choice and click “Save”.

Add new user

You can create a new user via the R&S®Trusted Gate security administration server.

Log in to the administration server on https://<ADMIN_URL>:8443/TrustedGate-admin with your admin user (Default: Admin1, 123456). Navigate to Entities –> Users and click “Create”.

Set the following values in the opened form and click “Save”:

  • Name: Unique name for the user to be created
  • Password: Strong password for the user to be created
  • Role: User or Advanced User
    • Advanced Users are able to create project rooms and share data with externals
  • Groups: Select the groups the user should belong to – usually, this should be the DefaultDocEncGroup (if you haven’t already created new groups)

Create external user

To use the R&S®Trusted Gate Solutions for Teams, SharePoint and Microsoft 365, you need to map the external users to internal users. This can be done via the R&S®Trusted Gate security administration server.

Log in to the administration server on https://<ADMIN_URL>:8443/TrustedGate-admin with your admin user (Default: Admin1, 123456). Navigate to Entities –> External User Mappings and click “Create”.

In the form, enter the name of your external user (e.g. your-user@your-org.onmicrosoft.com) and select the internal user to which it shall be mapped. Afterwards, click “Save”.

Manipulating DNS resolving on Clients via hosts file

The client machines on which Microsoft Teams, Microsoft 365 or SharePoint are accessed need to be routed to the server running the reverse proxy instead of the official servers. Else, your files won’t be encrypted.

One way to achieve this is to manually edit the hosts file located in C:\Windows\System32\drivers\etc\hosts. Add the following lines to the file (substitute <Reverse_Proxy_IP> with the IP of the server running your Reverse Proxy service):

For R&S®Trusted Gate Solution for Teams:

  • <Reverse_Proxy_IP> <your-server>.sharepoint.com
  • <Reverse_Proxy_IP> <your-server>-my.sharepoint.com
  • <Reverse_Proxy_IP> northeurope1-mediap.svc.ms
  • <Reverse_Proxy_IP> teams.microsoft.com
  • <Reverse_Proxy_IP> emea.ng.msg.teams.microsoft.com
  • <Reverse_Proxy_IP> ukwest-prod.notifications.teams.microsoft.com
  • <Reverse_Proxy_IP> westeurope.notifications.teams.microsoft.com
  • <Reverse_Proxy_IP> uksouth-prod.notifications.teams.microsoft.com
  • <Reverse_Proxy_IP> northeurope-prod-2.notifications.teams.microsoft.com
  • <Reverse_Proxy_IP> westeurope-prod-3.notifications.teams.microsoft.com
  • <Reverse_Proxy_IP> westeurope-prod-4.notifications.teams.microsoft.com
  • <Reverse_Proxy_IP> francecentral-prod.notifications.teams.microsoft.com
  • <Reverse_Proxy_IP> eu-prod.asyncgw.teams.microsoft.com

For R&S®Trusted Gate Solution for Microsoft 365:

  • <Reverse_Proxy_IP> <your-server>.sharepoint.com

For R&S®Trusted Gate Solution for SharePoint:

  • <Reverse_Proxy_IP> <your-sharepoint-hostname>
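A client whose hosts file is incomplete keeps talking to Microsoft’s servers for the missing names without any visible error, so it is worth checking the file rather than assuming every entry was added. The following shell script is an added example and not part of this documentation: it renders the Teams entries above for a given proxy IP and tenant name, and audits an existing hosts file against that list, reporting names that are missing or mapped to a different address. The proxy IP 10.0.0.5, the tenant name contoso and the hosts file contents are constructed values; on Windows, copy the file out of C:\Windows\System32\drivers\etc\hosts to check it.

```shell
#!/usr/bin/env bash
# Added example, not part of the R&S Trusted Gate documentation.
set -eu

# teams_hosts TENANT: the hostnames required for the Solution for Teams,
# with TENANT standing for the <your-server> part of <your-server>.sharepoint.com.
teams_hosts() {
  cat <<EOF
$1.sharepoint.com
$1-my.sharepoint.com
northeurope1-mediap.svc.ms
teams.microsoft.com
emea.ng.msg.teams.microsoft.com
ukwest-prod.notifications.teams.microsoft.com
westeurope.notifications.teams.microsoft.com
uksouth-prod.notifications.teams.microsoft.com
northeurope-prod-2.notifications.teams.microsoft.com
westeurope-prod-3.notifications.teams.microsoft.com
westeurope-prod-4.notifications.teams.microsoft.com
francecentral-prod.notifications.teams.microsoft.com
eu-prod.asyncgw.teams.microsoft.com
EOF
}

# render_hosts_block PROXY_IP TENANT: the lines to append to the hosts file.
render_hosts_block() {
  teams_hosts "$2" | awk -v ip="$1" '{ print ip, $0 }'
}

# audit_hosts HOSTS_FILE PROXY_IP TENANT
# Prints each required hostname that is missing or mapped to another IP and
# returns 0 only when every entry resolves to PROXY_IP. Comments and Windows
# line endings in the hosts file are ignored.
audit_hosts() {
  local file=$1 ip=$2 tenant=$3 host mapped rc=0
  for host in $(teams_hosts "$tenant"); do
    mapped=$(sed -e 's/#.*//' -e 's/\r$//' "$file" \
      | awk -v h="$host" '$2 == h { print $1; exit }')
    if [ -z "$mapped" ]; then
      echo "MISSING  $host"; rc=1
    elif [ "$mapped" != "$ip" ]; then
      echo "WRONG-IP $host -> $mapped (expected $ip)"; rc=1
    fi
  done
  return $rc
}

# Example invocations (constructed values):
#   render_hosts_block 10.0.0.5 contoso >> hosts
#   audit_hosts hosts 10.0.0.5 contoso
```

The audit only looks at the first matching line for each name, which is also what the resolver uses; a stale duplicate further down the file is therefore harmless, but a stale entry above the correct one is reported as WRONG-IP.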


Manipulating DNS resolving on Clients via DNS server

The client machines on which Microsoft Teams, Microsoft 365 or SharePoint are accessed need to be routed to the server running the reverse proxy instead of the official servers. Else, your files won’t be encrypted.

One way to achieve this is to set up your own DNS server for your clients. This DNS server needs to override the following DNS entries and resolve them to the IP of the server running your reverse proxy:

For R&S®Trusted Gate Solution for Teams:

  • teams.microsoft.com
  • *.ng.msg.teams.microsoft.com
  • *.notifications.teams.microsoft.com
  • sharepoint.com
  • *.sharepoint.com
  • *.svc.ms
  • *.asyncgw.teams.microsoft.com

For R&S®Trusted Gate Solution for Microsoft 365:

  • *.sharepoint.com

For R&S®Trusted Gate Solution for SharePoint:

  • <your-sharepoint-hostname>

For your convenience, you can also choose to deploy a DNS server with the correct configuration automatically during the installation process.
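Translating the wildcard list for Teams into a resolver configuration is mostly mechanical, but one detail matters: a domain-wide override already covers the bare name, so sharepoint.com and *.sharepoint.com collapse into a single rule. The shell script below is an added example and not part of this documentation; it renders such a configuration for dnsmasq, whose address=/DOMAIN/IP directive answers for DOMAIN and every name below it. dnsmasq itself, the proxy IP 10.0.0.5 and the upstream resolver 192.0.2.53 are assumptions of the example; any resolver with equivalent domain overrides can be configured the same way.

```shell
#!/usr/bin/env bash
# Added example, not part of the R&S Trusted Gate documentation.
set -eu

# Wildcard patterns for the Solution for Teams, as listed above.
teams_patterns() {
  cat <<EOF
teams.microsoft.com
*.ng.msg.teams.microsoft.com
*.notifications.teams.microsoft.com
sharepoint.com
*.sharepoint.com
*.svc.ms
*.asyncgw.teams.microsoft.com
EOF
}

# pattern_to_domain PATTERN: "*.name" and "name" both become "name", since a
# dnsmasq address= rule for "name" matches the name and all subdomains.
pattern_to_domain() {
  printf '%s\n' "${1#\*.}"
}

# render_dnsmasq PROXY_IP UPSTREAM_DNS: print a dnsmasq configuration that
# answers the intercepted domains with PROXY_IP and forwards everything else
# to UPSTREAM_DNS. Duplicate domains are removed.
render_dnsmasq() {
  local ip=$1 upstream=$2
  echo "# constructed by render_dnsmasq (example); clients use this resolver only"
  echo "no-resolv"
  echo "server=$upstream"
  # read is used instead of a for loop so that the '*' in the patterns is
  # never subject to filename expansion.
  teams_patterns | while read -r p; do
    pattern_to_domain "$p"
  done | sort -u | while read -r d; do
    echo "address=/$d/$ip"
  done
}

# Example invocation (constructed addresses):
#   render_dnsmasq 10.0.0.5 192.0.2.53 > /etc/dnsmasq.d/trustedgate.conf
```

Because the overrides are domain-wide, every name under the listed domains is sent to the reverse proxy, exactly as the wildcard list intends; keep that in mind when adding further entries, since a too-broad domain silently redirects unrelated services as well.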