State of knowledge

April 2022


The following configuration examples and explanations are intended to help you set up and configure the UCServer and set up the ProCall Mobile Apps for external access (outside the local network).

They do not concern the estos software itself and are therefore provided without guarantee and without support by estos GmbH.

Which HTTPS reverse proxy can I use?

In principle, any standards-compliant HTTP reverse proxy can be used, provided it supports HTTP GET and POST requests and WebSocket connections (RFC 6455).

As a guide, the setup of two different proxy servers is described below. Depending on skills and preferences, either Microsoft Windows or Linux can be chosen as the operating system.

Microsoft Windows compatible

  • Microsoft Internet Information Services (IIS)

Linux compatible

  • nginx

What must I configure in the UCServer?

Set IP ports

In the UCServer administration you can view and change the network settings of the UCServer in the menu under Tools >> Network interfaces. In the standard setting, the UCServer answers queries via HTTP on port 7224 and HTTPS on port 7225. Normally, this setting does not need to be changed.

Store SSL certificate

In the case of an HTTP reverse proxy, all internet requests are first received by the proxy and then forwarded to the UC WebService, so the proxy is also responsible for the encryption of the connection. We strongly recommend the use of HTTPS with a trusted SSL certificate. If necessary, request an SSL certificate for your DNS name from a public certification authority. If you work with a self-signed certificate ("Self Signed Certificate"), the connection is encrypted but not secure, because clients cannot verify the identity of the server, and the use of browser applications is not possible.

Depending on your requirements, you can forward the requests within your LAN via unencrypted HTTP or with TLS encryption. If you also prefer an encrypted connection within your LAN, you can store a certificate in PFX format in the UCServer administration in the menu under Tools >> Network interfaces >> WebService HTTPS.

Configuration examples: HTTP reverse proxy

Microsoft Internet Information Services (IIS)

Requirements

Installation and preparation Microsoft Internet Information Services (IIS)

  1. Install Microsoft Internet Information Services (IIS) on the desired server. To do this, either download the installation package or add the role via the server administration.
  2. Add the WebSocket Protocol feature.
  3. Install the URL Rewrite Module.
  4. Install the Application Request Routing (ARR) package.

Configuration Microsoft Internet Information Services (IIS)

To establish the proxy function, the next step is to set up all components involved and configure them according to your infrastructure.

Configure SSL certificate

It is recommended to use a trusted SSL certificate. Set up a server certificate for the IIS as suggested by Microsoft: https://technet.microsoft.com/en-us/cc731977

Setting up a reverse proxy website

  1. Add a new website.
  2. Fill in the required fields.
    1. The path specification is not particularly relevant, since no web page is delivered. The IIS will still create a web.config file. estos recommends the path: C:\inetpub\wwwroot\ReverseProxy.
    2. Use https as the binding type.
    3. Enter the hostname that corresponds to your DNS entry and certificate.
    4. Select the previously-stored certificate.
  3. Double-click on the newly created website and open URL Rewrite.
  4. Click Add Rule(s)... and select Reverse Proxy.
  5. If you receive the warning "Proxy Functionality must be enabled...", confirm with OK.
  6. Configure Rewrite Module: in the next dialog, specify where the requests are to be forwarded to.
    1. Under Inbound Rules, enter the DNS name or the IP address to which the requests are to be forwarded (e.g. UCServer, firewall). Also add the desired port.
    2. If you activate SSL Offloading, the requests are forwarded to the target unencrypted (TLS terminates at the IIS). For the rest of this documentation, it is assumed that this option has been activated.
    3. Add two rules at the top: the first forwards websocket traffic, the second forwards all other traffic. Use the following rules:

Rule 1 (websocket traffic)
  Pattern:      ^(.+)s://<DNS NAME>(:443)?/ws/client/(.*)
  Action Type:  Rewrite
  Action URL:   {R:1}://<REWRITE TARGET>:<REWRITE TARGET PORT>/ws/client/{R:3}

Rule 2 (normal traffic)
  Pattern:      ^(.+)s://<DNS NAME>(:443)?/(.*)
  Action Type:  Rewrite
  Action URL:   {R:1}://<REWRITE TARGET>:<REWRITE TARGET PORT>/{R:3}

In both rules, {R:1} is the request scheme without its trailing "s" (https becomes http, wss becomes ws), {R:2} is the optional ":443", and {R:3} is the rest of the path.
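To see what the two rules actually do to a request, here is an added Python model of their regular expressions and {R:n} back-references. This is example code written for this page, not code from estos or from the IIS URL Rewrite module; it emulates the regex and back-reference semantics only. The DNS name ucserver.example.com and the target 10.0.0.5 are constructed placeholder values for <DNS NAME> and <REWRITE TARGET>.

```python
import re

# Constructed placeholder values for the page's <DNS NAME>, <REWRITE TARGET> and
# <REWRITE TARGET PORT>; 7224 is the UCServer's default HTTP port.
DNS_NAME = "ucserver.example.com"
REWRITE_TARGET = "10.0.0.5"
REWRITE_TARGET_PORT = 7224

# The two inbound rules from the IIS section, in the order IIS evaluates them:
# (pattern, action URL). {R:n} is IIS notation for capture group n of the pattern.
RULES = [
    (rf"^(.+)s://{re.escape(DNS_NAME)}(:443)?/ws/client/(.*)",
     "{R:1}://" + f"{REWRITE_TARGET}:{REWRITE_TARGET_PORT}" + "/ws/client/{R:3}"),
    (rf"^(.+)s://{re.escape(DNS_NAME)}(:443)?/(.*)",
     "{R:1}://" + f"{REWRITE_TARGET}:{REWRITE_TARGET_PORT}" + "/{R:3}"),
]

def expand(action_url, match):
    """Substitute every {R:n} in the action URL with matched group n (empty if the group did not match)."""
    return re.sub(r"\{R:(\d+)\}", lambda m: match.group(int(m.group(1))) or "", action_url)

def rewrite(url):
    """Apply the rules top-down; the first matching rule wins. Returns None when no rule matches."""
    for pattern, action_url in RULES:
        match = re.match(pattern, url)
        if match:
            return expand(action_url, match)
    return None

if __name__ == "__main__":
    for url in ("https://ucserver.example.com/ws/client/websocket",
                "wss://ucserver.example.com:443/ws/client/websocket",
                "https://ucserver.example.com/login?x=1",
                "http://ucserver.example.com/",     # no rule matches: plain HTTP is not rewritten
                "https://other.example.com/"):      # no rule matches: the host is pinned to <DNS NAME>
        print(f"{url} -> {rewrite(url)}")
```

Two properties worth noting: the host part of the pattern means requests for any other hostname fall through both rules, and the "(.+)s://" prefix is what turns the TLS-terminated https/wss request into the plain http/ws connection the target receives with SSL Offloading enabled.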

nginx

Installation in nginx

Install nginx via the package management of your Linux distribution, e.g. on Ubuntu:

$ sudo apt-get update
$ sudo apt-get install nginx

Configuration nginx

  1. In /etc/nginx/sites-available, create a new configuration file with the name reverseproxy and copy the sample configuration described below into the file.
  2. It is recommended to use a trusted SSL certificate. Complete the SSL configuration according to http://nginx.org/en/docs/http/configuring_https_servers.html.
  3. In the example, replace <DNS NAME> with your DNS entry, <REDIRECT TARGET> with the desired forwarding destination and <PORT> with the configured port.
  4. Activate the configuration by creating a symbolic link to the configuration file in /etc/nginx/sites-enabled:
     $ cd /etc/nginx/sites-enabled
     $ sudo ln -s /etc/nginx/sites-available/reverseproxy reverseproxy
  5. Restart the nginx service:
     $ sudo systemctl restart nginx.service
     or
     $ sudo service nginx restart


Sample configuration nginx

server {
    listen 80;
    server_name <DNS NAME>;
    # redirect every plain HTTP request to HTTPS
    rewrite ^ https://$server_name$request_uri? permanent;
}

server {
    listen 443 ssl;
    server_name <DNS NAME>;
    # "ssl on;" is not needed: "listen 443 ssl" above already enables TLS. The directive
    # is deprecated since nginx 1.15.0 and rejected by nginx 1.25.0 and later.
    # ssl on;
    ssl_certificate /etc/ssl/certs/fullchain.pem;
    # the private key must be readable by root only
    ssl_certificate_key /etc/ssl/certs/privkey.pem;
    index index.html index.htm;
    # long read timeout so that idle websocket connections are not closed by the proxy
    proxy_read_timeout 3600s;

    # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    add_header Strict-Transport-Security max-age=63072000;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); remove them as soon as your clients allow it
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    # DHE generated with
    # cd /etc/ssl/certs && openssl dhparam -out dhparam.pem 4096
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://<REDIRECT TARGET>:<PORT>;
        proxy_redirect off;
    }

    # websocket endpoint: HTTP/1.1 and the Upgrade/Connection headers are required for the handshake
    location /ws/client/websocket {
        proxy_pass http://<REDIRECT TARGET>:<PORT>;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
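As an added check for the configuration above (example code written for this page, not part of the estos documentation or of nginx), the following Python script parses an nginx server block with a small tokenizer and flags the points a reviewer would look at before going live: the deprecated "ssl on" directive, TLS 1.0/1.1 in ssl_protocols, a TLS server without a Strict-Transport-Security header, and a websocket location that lacks proxy_http_version 1.1 or the Connection "upgrade" header. The two embedded configurations are constructed test inputs, one weak and one hardened; the target 10.0.0.5:7224 is a placeholder.

```python
import re

# Constructed test input: a trimmed copy of the page's TLS server block with the
# points the checker looks for left in (10.0.0.5:7224 is a placeholder target).
WEAK_CONFIG = """
server {
    listen 443 ssl;
    server_name ucserver.example.com;
    ssl on;
    add_header Strict-Transport-Security max-age=63072000;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        proxy_set_header Host $http_host;
        proxy_pass http://10.0.0.5:7224;   # unencrypted hop inside the LAN
    }
    location /ws/client/websocket {
        proxy_pass http://10.0.0.5:7224;
        proxy_set_header Upgrade $http_upgrade;
    }
}
"""

# Constructed: the same block with every finding addressed.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    server_name ucserver.example.com;
    add_header Strict-Transport-Security max-age=63072000;
    ssl_protocols TLSv1.2 TLSv1.3;
    location /ws/client/websocket {
        proxy_pass http://10.0.0.5:7224;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
"""

# nginx syntax: words, quoted strings, '{', '}', ';' and '#' comments to end of line.
TOKEN_RE = re.compile(r'#[^\n]*|"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'|[{};]|[^\s{};"\']+')

def tokenize(text):
    """Yield tokens with comments dropped and the quotes stripped from quoted strings."""
    for tok in TOKEN_RE.findall(text):
        if tok.startswith("#"):
            continue
        yield tok[1:-1] if tok[0] in "'\"" else tok

def parse(tokens):
    """Turn the token stream into (name, args, children) tuples; children is None for simple directives."""
    directives, words = [], []
    for tok in tokens:
        if tok == ";":
            directives.append((words[0], words[1:], None)); words = []
        elif tok == "{":
            directives.append((words[0], words[1:], parse(tokens))); words = []  # recurse on the shared iterator
        elif tok == "}":
            break
        else:
            words.append(tok)
    return directives

def find(directives, name):
    return [d for d in directives if d[0] == name]

def check_server(server):
    """Return the findings for one server block as a list of strings."""
    _, _, body = server
    findings = []
    if find(body, "ssl"):
        findings.append("ssl on is deprecated; 'listen 443 ssl' already enables TLS")
    for _, protos, _ in find(body, "ssl_protocols"):
        old = [p for p in protos if p in ("SSLv3", "TLSv1", "TLSv1.1")]
        if old:
            findings.append("deprecated protocols enabled: " + " ".join(old))
    tls = any("ssl" in largs for _, largs, _ in find(body, "listen"))
    hsts = any(a and a[0] == "Strict-Transport-Security" for _, a, _ in find(body, "add_header"))
    if tls and not hsts:
        findings.append("no Strict-Transport-Security header on the TLS server")
    for _, largs, lbody in find(body, "location"):
        headers = {a[0]: [v.lower() for v in a[1:]] for _, a, _ in find(lbody, "proxy_set_header") if a}
        path = " ".join(largs)
        if "Upgrade" in headers or "websocket" in path:   # treat as a websocket endpoint
            if ["1.1"] not in [a for _, a, _ in find(lbody, "proxy_http_version")]:
                findings.append(f"location {path}: websocket proxy needs proxy_http_version 1.1")
            if headers.get("Connection") != ["upgrade"]:
                findings.append(f"location {path}: websocket proxy needs proxy_set_header Connection \"upgrade\"")
    return findings

def audit(config_text):
    """Parse a config and check every server block, whether top-level or inside http { }."""
    tree = parse(tokenize(config_text))
    servers = find(tree, "server") + [s for _, _, hb in find(tree, "http") for s in find(hb, "server")]
    return [f for s in servers for f in check_server(s)]

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```

Run it against your own /etc/nginx/sites-available/reverseproxy by passing the file contents to audit(); the checker only covers the handful of points above, so still let nginx validate the syntax with "sudo nginx -t" before restarting the service.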