Advanced: Trusted Front End
Ivanti EPMM supports a TLS-inspecting proxy, built on an Apache server, that handles HTTPS requests from your devices to Ivanti EPMM when mutual authentication is in use. This proxy is known as a Trusted Front End (TFE). It terminates and decrypts the devices' HTTPS traffic and, when it determines that the final destination is Core, re-encrypts the traffic and forwards it to Core.
Devices that register to Ivanti EPMM (on port 443) must send their HTTPS requests to the TFE rather than to Core. The TFE must also be provisioned with digital certificates that establish an identity chain of trust with a legitimate server verified by a trusted third-party certificate authority.
If you are using SAML to allow local administrator users to use single-sign on for the Admin Portal and self-service user portal, after IDP authentication, the user is redirected to Core's URL, not the Trusted Front End's URL. The Trusted Front End is only for communication with devices.
If you are not using an Apache server for your Trusted Front End, work with Ivanti Professional Services or an Ivanti certified partner to determine whether this deployment can be set up.
Sentry to Ivanti EPMM mutual authentication using a TFE
Ivanti EPMM supports mutual authentication with Sentry using a Trusted Front End (TFE) from the following releases:
- Ivanti EPMM - 188.8.131.52 and newer versions
- Standalone Sentry - 9.15.0 and newer versions
Ivanti EPMM initiates mutual authentication with Sentry only if Sentry is running 9.15.0 or newer software.
Before you begin
Work with Ivanti Professional Services or an Ivanti certified partner to set up this deployment.
- Enable mutual authentication for Apple and Android devices as described in "Mutual authentication between devices and Core" in the Ivanti EPMM Device Management Guide.
- In your devices' sync policies in the Admin Portal, set Server IP/Host Name to your Trusted Front End. This configuration makes devices send requests to the Trusted Front End instead of Core.
- If you use an external host, configured in the Admin Portal under Settings > General > Enterprise, make sure the external host forwards requests to the Trusted Front End. Changing the external host requires an Ivanti EPMM restart, which you can do in the System Manager under Maintenance > Reboot.
- Set up your Trusted Front End to forward HTTPS requests from devices on port 443 to Core.
- In Security > Advanced > Trusted Front End, select Enable TFE use for communication from devices to Core.
- Click Apply.
- Click Download CA Certificates. A file called tfe-ca-certs.zip downloads. It contains the certificates that establish an identity chain of trust with a legitimate server verified by a trusted third-party certificate authority. These certificates allow the Trusted Front End and Ivanti EPMM to validate the identity certificate that the device presents.
- Provision your Trusted Front End with the downloaded certificates.
- Enter the following configuration choices when configuring the TFE for your web server:
- ProxyPreserveHost: On
- RewriteEngine: On
Your Ivanti contact has an example configuration file for Apache called ssl.conf. If you are using the [email protected] web clip for iOS devices, and you are using it on a port other than 7443, modify the value 7443 in ssl.conf.
- Install ssl.conf on your Trusted Front End.
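The following is an added example of a minimal Apache TFE configuration that implements the steps above. It is written for this page and is not Ivanti's ssl.conf; use the file your Ivanti contact supplies, which may carry further directives this example does not reproduce. The hostnames tfe.example.com and core.example.com, all certificate and log paths, the Core issuing-CA file used to verify Core's server certificate, and the choice to proxy the 7443 web clip port straight through to the same port on Core are assumptions.

```apache
# Added example of an Apache Trusted Front End (not Ivanti's ssl.conf).
# Assumptions: hostnames, file paths, and that the iOS web clip port 7443
# is proxied to the same port on Core. Requires mod_ssl, mod_proxy,
# mod_proxy_http and mod_rewrite.
Listen 443
Listen 7443

<VirtualHost *:443 *:7443>
    ServerName tfe.example.com

    # --- TLS from devices terminates here ---
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder on
    # Public-CA-issued server certificate followed by its intermediates
    # (Apache 2.4.8+ reads the chain from this file).
    SSLCertificateFile    /etc/pki/tls/certs/tfe.example.com.fullchain.pem
    SSLCertificateKeyFile /etc/pki/tls/private/tfe.example.com.key

    # --- Mutual authentication with the device ---
    # The device must present its identity certificate, validated against the
    # CAs from tfe-ca-certs.zip concatenated into one PEM bundle. Use
    # "require", not "optional", so the handshake fails without a valid cert.
    SSLVerifyClient require
    SSLVerifyDepth  3
    SSLCACertificateFile /etc/pki/tls/certs/tfe-ca-certs.pem

    # --- Re-encrypt toward Core and verify Core's server certificate ---
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile /etc/pki/tls/certs/core-issuing-ca.pem

    # Forward the Host header the device used (page requirement).
    ProxyRequests Off
    ProxyPreserveHost On

    RewriteEngine On
    # Defence in depth: refuse any request that did not pass client-certificate
    # verification, even if SSLVerifyClient is later relaxed to "optional".
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
    RewriteRule .* - [F,L]
    # Proxy to the same port on Core: 443 for device traffic, 7443 for the
    # iOS web clip (assumed; change 7443 in Listen/VirtualHost if your web
    # clip uses another port, as the page says to do in ssl.conf).
    RewriteRule ^/(.*)$ https://core.example.com:%{SERVER_PORT}/$1 [P,L]
    ProxyPassReverse / https://core.example.com/
    ProxyPassReverse / https://core.example.com:7443/

    # Record the device certificate subject with each request for forensics.
    LogFormat "%h %t \"%r\" %>s \"%{SSL_CLIENT_S_DN}x\"" tfe
    CustomLog /var/log/httpd/tfe_access.log tfe
    ErrorLog  /var/log/httpd/tfe_error.log
</VirtualHost>
```

Build the bundle by concatenating the PEM certificates extracted from tfe-ca-certs.zip into tfe-ca-certs.pem (convert any DER files with `openssl x509 -inform DER -outform PEM` first), then run `apachectl configtest` before reloading. To check the result, connect with `openssl s_client -connect tfe.example.com:443` once without a client certificate, which must fail the handshake, and once with `-cert` and `-key` pointing at a device identity certificate, which must succeed. Because admin SAML logins are redirected to Core's own URL (see above), Core's 443 still has to remain reachable for administrators independently of the TFE.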
Related topic: "Mutual authentication between devices and Core" in the Ivanti EPMM Device Management Guide.