Connecting opsi Clients over the Internet
An opsi server provides two main functionalities:
- A service for controlling the opsi environment (API / opsi-Config-Service)
- Provision of product or installation files for clients (opsi-Depot)
When the opsi server is operated in a LAN and all clients access the opsi server via the LAN, clients can typically access the Config-Service and opsi-Depot directly. CIFS (Samba) is typically used as the protocol for accessing files in the opsi-Depot. Clients can mount the depot share as a network drive and read files over the network.
When clients are connected via other network connections (WLAN / WAN / VPN), there are some things to consider. These topics are covered below.
Access to the opsi-Depot
When accessing an opsi-Depot via connections other than LAN connections, the following points should be considered:
If the connection has low bandwidth or high latency, direct access to files in the depot is not recommended. In this case, the duration of software installations often increases significantly. Additionally, these connections are less reliable than LAN connections. Packet loss and temporary or long-term disruptions are more likely to occur.
To counteract these problems, the SmartCache WAN module (formerly WAN/VPN module) can be used. The SmartCache WAN module ensures that installation files are cached locally on the client in the background. Caching product files on the client offers numerous advantages:
- Faster software installations: Installation files are transferred in the background. Installations only start after the transfer is complete. Since the installation files are then available locally, access is much faster. This is particularly advantageous for clients with low bandwidth, e.g., in home offices or branch offices.
- Controllable network load and flexibility: File transfer to the client can be performed with limited bandwidth to avoid network overload. Various protocols can be used, independent of native operating system support.
- Efficient updates: Existing files from previous versions can be reused, avoiding repeated downloads.
- Robust installations: Software installation is performed exclusively using locally stored installation files. This ensures that started installations can be completed even in case of network disruptions or failures of file services.
- Better trustworthiness: Operating systems and security software, such as virus scanners, trust local files more than files from network shares. This avoids access problems.
When accessing over a public network, additional security-related topics come into play. The protocol used for transferring depot files should offer strong encryption. Additionally, server verification is absolutely necessary. High standards should also be maintained regarding authentication.
The following measures should be implemented:
- Use of WebDAV: Using WebDAV over HTTPS ensures strong encryption and verification of server identity.
- Client certificates: Security can be significantly increased by enabling certificate-based client verification. Since the Windows WebDAV client does not support client certificates, SmartCache WAN must be used for this.
Following the principle of Zero-Trust security, these measures should also be implemented in private networks.
Access to the opsi-Service
Since communication with the opsi-Service typically involves transferring only small amounts of data, bandwidth and latency are less critical here. However, when accessing over a public network, high security standards should be implemented.
The most important aspect here is comprehensive multi-factor authentication or Single Sign On. You can find more information and recommendations in the Security Chapter.
These measures should also be implemented in private networks, following the principle of Zero-Trust security.
Two options for providing the opsi service via the Internet are presented below:
- Make opsi service publicly accessible
- Use of VPN connections
Make opsi service publicly accessible
The following presents different methods for making the opsi-Service available over the Internet. It is assumed that the standard port 4447 is used for the opsi-Service. In principle, however, any port can be used.
It makes sense to use a public DNS entry to access the opsi-Service more flexibly.
In the following, it is assumed that there is a corresponding DNS entry opsi.example.com pointing to a public IP address of your router/firewall. It may make sense to use the same name as in the internal network, which simply points to a different IP address.
If the opsi CA is used to create the server certificate, the DNS name must be registered in the Subject Alternative Names (SAN) of the certificate. If this is an additional name, enter it in the opsiconfd configuration. For example:
ssl-server-cert-sans = [opsi.example.com]
Port-Forwarding
Port-Forwarding forwards incoming traffic from an external port to a specific internal port. The advantage of Port-Forwarding is low overhead and simple configuration, but it offers limited control over requests.
- Configure your router/firewall to forward incoming traffic from port 4447 to the internal opsi server on port 4447.
Reverse-Proxy
A Reverse-Proxy accepts requests from the Internet and forwards them to the internal opsi-Service. The advantage of a Reverse-Proxy is extended control over requests and responses, but the configuration is more complex.
- Set up the Reverse-Proxy to forward incoming traffic on the domain opsi.example.com to the opsi server.
- WebSocket traffic must also be considered here, since the opsi-Service uses WebSocket connections in addition to plain HTTPS requests.
- Ensure that the Reverse-Proxy correctly sets the HTTP header X-Forwarded-For to transmit the client's IP address to the opsi server.
- Enter the IP address of the Reverse-Proxy in the opsiconfd configuration under trusted-proxies. Only then will the opsi-Service evaluate the X-Forwarded-For header; a header received from any other peer is ignored, so a client cannot spoof its own address.
- Use a valid SSL certificate on the Reverse-Proxy. Typically, the same certificate as for the opsi-Service can be used here.
- Ensure that the certificate is renewed regularly.
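The following is an added illustration, not opsiconfd's own code, of the rule behind the trusted-proxies setting above: X-Forwarded-For is only believed when the TCP peer is a configured trusted proxy, and then the chain is walked from the right so that only the hop appended by a trusted proxy counts. All addresses and the trusted list are constructed; accepting CIDR ranges is an assumption of this example, not a statement about opsiconfd's option syntax.

```python
import ipaddress


def parse_trusted(entries):
    """Turn a list of proxy addresses or CIDR ranges (constructed sample
    config) into ip_network objects. A bare address becomes a /32 or /128."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def is_trusted(addr, trusted):
    """True if addr lies in one of the trusted proxy networks.
    Raises ValueError for a malformed address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def client_ip(peer_addr, xff_header, trusted):
    """Return the address a request should be attributed to.

    peer_addr  - address of the TCP peer the service actually sees
    xff_header - value of the X-Forwarded-For header, or None
    trusted    - output of parse_trusted()

    The header is consulted only if the peer is a trusted proxy. Entries are
    then examined right to left (a proxy appends the peer it saw); trusted
    proxies in the chain are skipped and the first untrusted address wins.
    Anything placed in the header by the client itself sits further left and
    is never reached, so it cannot spoof its origin.
    """
    if not xff_header or not is_trusted(peer_addr, trusted):
        return peer_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted(hop, trusted):
                return hop
        except ValueError:
            # Malformed entry: the chain cannot be trusted, fall back to the peer.
            return peer_addr
    # Every hop was a trusted proxy; nothing beyond the peer is known.
    return peer_addr
```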
NGINX
Example configuration for NGINX (requires the http_ssl module; the removed `ssl on;` directive is replaced by the `ssl` parameter of `listen`):

```nginx
server {
    # Terminate TLS on the proxy; "ssl on;" is no longer supported by current NGINX.
    listen 4447 ssl;
    server_name opsi.example.com;
    ssl_certificate     /path/to/opsiconfd-cert.pem;
    ssl_certificate_key /path/to/opsiconfd-key.pem;

    location / {
        # Forward to the internal opsi-Service over HTTPS.
        # Note: NGINX does not verify the upstream certificate unless
        # proxy_ssl_verify is enabled.
        proxy_pass https://<internal-opsi-server-address>:4447;
        # HTTP/1.1 plus the Upgrade/Connection headers are needed for WebSocket traffic.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Pass the real client address; only honoured by opsiconfd if this
        # proxy's IP is listed under trusted-proxies.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```
Apache
Example configuration for Apache (requires mod_ssl, mod_proxy, mod_proxy_http and, for the WebSocket path, mod_proxy_wstunnel; mod_proxy adds the X-Forwarded-For header by itself):

```apache
<VirtualHost *:4447>
    ServerName opsi.example.com
    SSLEngine On
    SSLCertificateFile    /path/to/opsiconfd-cert.pem
    SSLCertificateKeyFile /path/to/opsiconfd-key.pem

    # Needed because the backend is reached over HTTPS/WSS.
    SSLProxyEngine on

    # WebSocket endpoint of the opsi-Service; must come before the catch-all.
    ProxyPass        /messagebus wss://<internal-opsi-server-address>:4447/messagebus
    ProxyPassReverse /messagebus wss://<internal-opsi-server-address>:4447/messagebus

    # All other requests.
    ProxyPass        / https://<internal-opsi-server-address>:4447/
    ProxyPassReverse / https://<internal-opsi-server-address>:4447/
</VirtualHost>
```
IPv6-based Solution
With IPv6, you can make the opsi-Service directly available over the Internet.
- Assign a public IPv6 address to the opsi server.
- Configure the firewall to allow incoming traffic on port 4447 for this address.
- Ensure that the public DNS server has an AAAA entry for the opsi-Service.
Use of VPN connections
Access to the opsi server can also be achieved via VPN connections. Software installations in opsi typically occur before user login to avoid conflicts between updates and software usage. Therefore, it is important that the VPN connection is established before user login.
This is supported by many VPN software solutions. The Open Source solutions Wireguard and OpenVPN also offer this functionality.
Wireguard
Wireguard is a modern VPN protocol that offers high security and good performance. Wireguard is Open Source software and is available for all common operating systems. Wireguard enables establishing the VPN connection before user login.
OpenVPN
OpenVPN is another VPN protocol suitable for use with opsi. OpenVPN is also Open Source software and is available for all common operating systems. OpenVPN also enables establishing the VPN connection before user login.