Summary
In most situations where the SSFE server is available to Internet users, it is imperative to keep the SSFE servers within the intranet to protect it against unauthorized access. The administrator can then set up a reverse-proxy server in the DMZ.
You can use any kind of reverse-proxy software, but for those who do not have a readily available reverse-proxy server, Trend Micro provides a package that you can use to set up the reverse-proxy server.
Details
The machine to serve as the reverse-proxy server must meet the following system requirements:
- CPU: Dual core (in physical machine) / 2 vCore (in VM)
- RAM: 2 GB
- Disk: 20 GB minimum
To set up the reverse-proxy server:
- Install a Linux Server operating system (OS) in the hardware. Ubuntu 12.04 LTS is recommended. Make sure the OpenSSH server package is also installed.
- Log in to the Linux server and install the required reverse proxy package. To do so, execute the following command:
wget https://s3.amazonaws.com/safesync/nginx_1.1.19-tcpproxy-1_amd64.deb
- Create the configuration file for the reverse proxy using the command:
# sudo vim /etc/reproxy.conf
- Copy and paste the following content to /etc/reproxy.conf.
worker_processes 1;
pid /var/run/http-balancer.pid;
error_log /dev/null crit;
events {
worker_connections 10240;
}
tcp {
timeout 1d;
proxy_read_timeout 1d;
proxy_send_timeout 1d;
upstream http {
server 170.1.81.179:80;
check interval=10000 rise=2 fall=5 timeout=1000;
}
server {
listen 0.0.0.0:80;
proxy_pass http;
access_log /var/log/tcp_proxy.log;
}
upstream https {
server 1.2.3.4:443;
check interval=10000 rise=2 fall=5 timeout=1000;
}
server {
listen 0.0.0.0:443;
proxy_pass https;
access_log /var/log/tcp_proxy.log;
}
}
Change the IP address (1.2.3.4 in the sample) to the IP address of the SSFE Server. If there is a secondary SSFE server, add a second “server” line. - Start the reverse proxy server using the command:
# sudo /usr/sbin/nginx -c /etc/reproxy.conf
