How to consume Managed Reverse Proxy
The services are consumed exclusively via the portal or API of the Enterprise Service Cloud.
Pre-Conditions
To use the Cloud Network Services, the following conditions must be met.
Network Range Reservation
For "Cloud Network Service" to be consumed, a customer IP range must be reserved once, which is then automatically managed by Swisscom. This task is done by Swisscom at onboarding.
DNS-Zone Managed by Swisscom
If desired, Swisscom will manage the DNS records associated with the Managed Reverse Proxy. This is only possible if the DNS zone is also managed by Swisscom (not part of Managed Reverse Proxy).
Domain Registration at SwissSign
If desired, Swisscom manages the public certificate, which is used in the managed reverse proxy. This is only possible if the domain on which the certificate is to be issued is registered at SwissSign.
Create Managed Reverse Proxy
The Managed Reverse Proxy can be ordered in the portal or on the API of the Enterprise Service Cloud.
Create Tufin Function (for Tufin managed tenants only)
Create a Tufin function that can be selected when the service is created. This is necessary to manage the firewall rules in Tufin after a Managed Reverse Proxy has been created.
Input Parameter
Field | Description | Valid values |
---|---|---|
Uplink Topology | Selection of the configured connection of the Enterprise Service Cloud to peripheral systems (outside) | Dropdown Menu (configured Uplink Topology) |
Plan Name | Selection of performance classes | Dropdown Menu: Managed Reverse Proxy S non Prod; Managed Reverse Proxy S; Managed Reverse Proxy M; Managed Reverse Proxy L; Managed Reverse Proxy XL |
FQDN | DNS name which is used if DNS integration is selected. Also the DNS name used when creating the Certificate Signing Request. | Valid fully qualified domain name, consisting of root domain, domain(s) and hostname separated by dots |
FQDN Alias | An alternative fully qualified domain name to connect to the service. The FQDN-Alias(es) will be included in the CSR. | Valid fully qualified domain name, consisting of root domain, domain(s) and hostname separated by dots. One FQDN per line |
DNS-Integration | Checked: The DNS record(s) (A record and/or AAAA record) are created if the DNS zone is managed by Swisscom. Unchecked: No DNS record is created. | Checkbox |
Description (Optional) | Additional instance description text | Text Input |
Desired Certificate Provider | Selection of whether the certificate is to be created automatically by Swisscom or whether the certificate is to be provided by the customer | Dropdown Menu: Public Cert provided by Swisscom; Public Cert provided by Customer |
Internet Access | Checked: The IP address (IPv4 and/or IPv6) of the Managed Reverse Proxy is reachable from the Internet. This is a chargeable option. Unchecked: The IP address (IPv4 and/or IPv6) of the Managed Reverse Proxy is not accessible from the Internet. An exception to this is a connection to the Internet made by the customer outside of this service. | Checkbox |
Service Protocol | This value is fixed to https | none |
Service Port | TCP port configured on the reverse proxy. | Free choice of TCP port |
Redirect http to https | Checked: Requests on http are redirected to https. Unchecked: http requests are allowed. | Checkbox |
IP-Address Family | Choice of which IP stack should be used for the reverse proxy | Dropdown Menu: IPv4; IPv6; DualStack |
Backend Server IP | IP address of the backend server. It must correspond to the IP address family scope. With dual stack, either an IPv4 or IPv6 address can be used if the backend server supports this (cannot be changed later for the backend server). | IPv4 or IPv6 Address |
Backend Service Port | TCP port configured on the backend server. | Free choice of TCP port |
Backend Server re-encrypt | Checked: Traffic to the backend server is encrypted again, based on the certificate on the backend server (public and private certificates are allowed on the backend server). Unchecked: No encryption is required for the backend server. | Checkbox |
Tufin Function | Enter the pre-configured Tufin Function name (this input is only visible to Tufin-enabled tenants) | Text Input |
List allow Source IP | List of source IPs the Managed Reverse Proxy accepts. For the exact syntax see "Technical-Details". Only the entities listed here will be activated. | Multi-Line-Textbox |
List deny Source IP | List of source IPs the Managed Reverse Proxy blocks. For the exact syntax see "Technical-Details". Only the entities listed here will be activated. | Multi-Line-Textbox |
Post Tasks
When the Managed Reverse Proxy is created, the firewall-rules between the backend server and the Managed Reverse Proxy must be set accordingly.
Edit Reverse Proxy
Some configuration parameters of the Managed Reverse Proxy can be changed. The service is not interrupted by doing this. Use this action to change your instance settings.
Input Parameter
Field | Description | Valid values |
---|---|---|
Plan Name | Selection of performance classes | Dropdown Menu: Managed Reverse Proxy S non Prod; Managed Reverse Proxy S; Managed Reverse Proxy M; Managed Reverse Proxy L; Managed Reverse Proxy XL |
FQDN Alias | An alternative fully qualified domain name to connect to the service. The FQDN-Alias(es) will be included in the CSR. | Valid fully qualified domain name, consisting of root domain, domain(s) and hostname separated by dots. One FQDN per line |
DNS-Integration | Checked: The DNS record(s) (A record and/or AAAA record) are created if the DNS zone is managed by Swisscom. Unchecked: No DNS record is created. | Checkbox |
Description (Optional) | Additional instance description text | Text Input |
Desired Certificate Provider | Selection of whether the certificate is to be created automatically by Swisscom or whether the certificate is to be provided by the customer | Dropdown Menu: Public Cert provided by Swisscom; Public Cert provided by Customer |
Internet Access | Checked: The IP address (IPv4 and/or IPv6) of the Managed Reverse Proxy is reachable from the Internet. This is a chargeable option. Unchecked: The IP address (IPv4 and/or IPv6) of the Managed Reverse Proxy is not accessible from the Internet. An exception to this is a connection to the Internet made by the customer outside of this service. | Checkbox |
Redirect http to https | Checked: Requests on http are redirected to https. Unchecked: http requests are allowed. | Checkbox |
IP-Address Family | Choice of which IP stack should be used for the reverse proxy | Dropdown Menu: DualStack |
Backend Server IP | IP address of the backend server. It must correspond to the IP address family selected at create time. Change from IPv4 to IPv6 or IPv6 to IPv4 is not supported. | IP address |
Backend Service Port | TCP port configured on the backend server. | Free choice of TCP port |
Backend Server re-encrypt | Checked: Traffic to the backend server is encrypted again, based on the certificate on the backend server (public and private certificates are allowed on the backend server). Unchecked: No encryption is required for the backend server. Check the Backend Service Port if you change this setting. | Checkbox |
List allow Source IP | List of source IPs the Managed Reverse Proxy accepts. For the exact syntax see "Technical-Details". Only the entities listed here will be activated. | Multi-Line-Textbox |
List deny Source IP | List of source IPs the Managed Reverse Proxy blocks. For the exact syntax see "Technical-Details". Only the entities listed here will be activated. | Multi-Line-Textbox |
Generate new CSR
If customers decide to use their own certificate, they must first generate a certificate signing request in order to order a certificate from their certificate provider. The CSR is generated based on the values entered in this form, including the specified FQDN and the FQDN-Alias(es). Use this action to generate and fetch a new certificate signing request from your instance.
Input Parameter
Field | Description | Valid values |
---|---|---|
Organization | Specifies the Organization attribute for the certificate. Organization is embedded in the certificate for name-based authentication purposes. | Text |
City | Specifies the City attribute for the certificate. City is embedded in the certificate for name-based authentication purposes. | Text |
State | Specifies the State or Province attribute for the certificate. State or Province is embedded in the certificate for name-based authentication purposes. | Text |
Country | Specifies the Country name attribute for the certificate. Country is embedded in the certificate. You need to type the two-letter country code. | Text |
Upload Certificate
The X.509 certificate provided by the customer must be in PEM format and inserted unchanged into the multi-line text field, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Use this action to upload and activate a certificate on your instance.
Input Parameter
Field | Description | Valid values |
---|---|---|
Certificate | Certificate in PEM format including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- | X.509 Certificate |
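
A pre-upload check for the customer-provided certificate path described under "Generate new CSR" and "Upload Certificate", as an added example that is not part of the Swisscom documentation. It verifies the PEM markers, that the certificate carries the public key of the CSR fetched from the instance, and that it covers the FQDN and each FQDN alias. Assumptions: the uploaded certificate has to match the key pair behind that CSR, the openssl CLI is installed, and all file names, example.test host names and the self-signed sample are constructed.

```shell
#!/bin/sh
# Added example: checks to run on a customer-provided certificate before upload.
# Host names under example.test and all file names are constructed placeholders.

# The text must start and end with the exact PEM markers and must parse.
pem_framing_ok() {
    [ "$(head -n 1 "$1" | tr -d '\r')" = "-----BEGIN CERTIFICATE-----" ] || return 1
    [ "$(tail -n 1 "$1" | tr -d '\r')" = "-----END CERTIFICATE-----" ] || return 1
    openssl x509 -in "$1" -noout 2>/dev/null
}

# The certificate must carry the same public key as the CSR fetched from the instance.
same_public_key() {
    csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    crt_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ]
}

# The certificate must be valid for the FQDN and for every FQDN alias.
covers_names() {
    cert=$1; shift
    for name in "$@"; do
        openssl x509 -in "$cert" -noout -checkhost "$name" 2>/dev/null |
            grep -q "does match certificate" || return 1
    done
}

# Usage: check_upload CSR CERT FQDN [ALIAS...]
check_upload() {
    csr=$1; crt=$2; shift 2
    pem_framing_ok "$crt" || { echo "bad PEM framing"; return 1; }
    same_public_key "$csr" "$crt" || { echo "public key differs from CSR"; return 1; }
    covers_names "$crt" "$@" || { echo "FQDN or alias not covered"; return 1; }
    echo "ok to upload"
}

# Constructed sample standing in for the instance's CSR and the CA's reply:
# a throwaway key, a CSR and a self-signed certificate for two test names.
make_sample() {
    printf 'subjectAltName=DNS:proxy.example.test,DNS:alias.example.test\n' >"$1/ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
        -out "$1/csr.pem" -subj "/C=CH/O=Example/CN=proxy.example.test" 2>/dev/null
    openssl x509 -req -in "$1/csr.pem" -signkey "$1/key.pem" -days 1 \
        -extfile "$1/ext" -out "$1/cert.pem" 2>/dev/null
}

if [ "$#" -ge 3 ]; then check_upload "$@"; fi
```

A certificate that fails the public-key check was issued for a different CSR, for example one generated before a later "Generate new CSR" action.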
Delete Managed Reverse Proxy
Delete must be confirmed. No recovery will be possible.
Post Tasks
The firewall rules set up between the Managed Reverse Proxy and the backend server must be removed manually.