Advanced: Trusted Front End

Ivanti EPMM can support a TLS-inspecting proxy, implemented on an Apache server, that handles HTTPS requests from your devices to Ivanti EPMM when mutual authentication is in use. This proxy is also known as a Trusted Front End (TFE). It intercepts and decrypts HTTPS network traffic and, when it determines that the final destination is Ivanti EPMM, re-encrypts the traffic and forwards it to Ivanti EPMM.

The devices that register to Ivanti EPMM (using port 443) must send HTTPS requests to the TFE rather than to Ivanti EPMM. Also, the TFE must be provisioned with digital certificates that establish an identity chain of trust with a legitimate server verified by a trusted third-party certificate authority.

If you are using SAML to allow local administrator users to use single sign-on for the Admin Portal and self-service user portal, after IdP authentication the user is redirected to Ivanti EPMM's URL, not the Trusted Front End's URL. The Trusted Front End is only for communication with devices.

If you are not using an Apache server for your Trusted Front End, work with Ivanti Professional Services or an Ivanti certified partner to determine if you can set up this deployment.

Ivanti Standalone Sentry to Ivanti EPMM mutual authentication using a TFE

Ivanti EPMM supports mutual authentication with Sentry using a Trusted Front End (TFE) from the following releases:

  • Ivanti EPMM - 11.5.0.0 and newer versions
  • Standalone Sentry - 9.15.0 and newer versions

Ivanti EPMM will only initiate mutual authentication if Sentry is running 9.15.0 or newer software.

Before you begin

Work with Ivanti Professional Services or an Ivanti certified partner to set up this deployment.

  1. Enable mutual authentication for Apple and Android devices as described in "Mutual authentication between devices and Ivanti EPMM" in the Ivanti EPMM Device Management Guide.
  2. In your devices' sync policies in the Admin Portal, set Server IP/Host Name to your Trusted Front End. This configuration makes devices send requests to the Trusted Front End instead of Ivanti EPMM.
  3. If you use an external host, which is configured in the Admin Portal, in Settings > General > Enterprise, make sure your external host is configured to forward requests to the Trusted Front End. Changing the external host requires an Ivanti EPMM restart, which you can do in the System Manager, in Maintenance > Reboot.
  4. Set up your Trusted Front End to forward HTTPS requests from devices on port 443 to Ivanti EPMM.

Procedure

  1. In Security > Advanced > Trusted Front End, select Enable TFE use for communication from devices to Ivanti EPMM.
  2. Click Apply.
  3. Click Download CA Certificates.

    A file called tfe-ca-certs.zip downloads. It contains the certificates that establish an identity chain of trust with a legitimate server verified by a trusted third-party certificate authority. These certificates allow the Trusted Front End and Ivanti EPMM to validate the identity certificate that the device presents.

  4. Provision your Trusted Front End with the downloaded certificates.
  5. Enter the following configuration choices when configuring TFE for your web server:

    • ProxyPreserveHost: On
    • RewriteEngine: On

    Your Ivanti contact has an example configuration file for Apache called ssl.conf. If you are using the Apps@Work web clip for iOS devices, and you are using it on a port other than 7443, modify the value 7443 in ssl.conf.

  6. Install ssl.conf on your Trusted Front End.
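The following is an added, constructed Apache virtual host illustrating how the settings above fit together; it is not Ivanti's ssl.conf, and the hostnames, file paths, the SSLVerifyClient choice and the upstream header are assumptions, not values from this page.

```apache
# Constructed example of an Apache-based Trusted Front End (not Ivanti's ssl.conf).
# Hostnames, paths and the header name below are placeholders / assumptions.
Listen 443
<VirtualHost *:443>
    ServerName tfe.example.com

    # Identity presented to devices: leaf plus intermediates chaining to a
    # public CA (Apache 2.4.8+ accepts the full chain in SSLCertificateFile).
    SSLEngine             On
    SSLCertificateFile    /etc/pki/tfe/tfe.example.com-fullchain.pem
    SSLCertificateKeyFile /etc/pki/tfe/tfe.example.com.key

    # Device identity validation: CAs extracted from tfe-ca-certs.zip
    # (concatenated into one PEM file, an assumption of this example).
    SSLCACertificateFile  /etc/pki/tfe/tfe-ca-certs.pem
    SSLVerifyClient       optional   # assumption: 'require' rejects flows without a device cert
    SSLVerifyDepth        3
    SSLOptions            +StdEnvVars

    # The two settings named in the procedure.
    ProxyPreserveHost On
    RewriteEngine     On

    # Re-encrypt toward Ivanti EPMM and verify EPMM's server certificate,
    # so the TFE cannot be pointed at an impostor upstream.
    SSLProxyEngine            On
    SSLProxyVerify            require
    SSLProxyCheckPeerName     on
    SSLProxyCACertificateFile /etc/pki/tfe/epmm-server-ca.pem

    ProxyPass        / https://epmm.example.com/
    ProxyPassReverse / https://epmm.example.com/

    # Assumption: pass the verified device subject DN upstream in a header.
    # Drop any client-supplied copy first so a device cannot spoof it, and
    # set it only when mod_ssl actually verified the client certificate.
    RequestHeader unset X-Device-Cert-DN
    RequestHeader set   X-Device-Cert-DN "%{SSL_CLIENT_S_DN}s" \
                        "expr=%{SSL_CLIENT_VERIFY} == 'SUCCESS'"
</VirtualHost>

# The Apps@Work web clip uses its own port (7443 by default); it needs an
# equivalent <VirtualHost *:7443> block forwarding to https://epmm.example.com:7443/.
```

Check the result with `apachectl configtest` before reloading, and confirm with a test device that EPMM logs show the request arriving from the TFE rather than directly from the device.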

Related topics

"Mutual authentication between devices and Ivanti EPMM" in the Ivanti EPMM Device Management Guide.