Hello!
We’re upgrading our Endpoint Protector to the latest AMI and need to expose it to the web. We’re planning on using an AWS Application Load Balancer (ALB) to provide a front end for the web traffic. We were previously keeping our EPP server accessible via a VPN only, but now, because of an expanded pool of protected devices, we need to expose it to the internet. How do we best ensure we’re using the proper SSL termination when using an ALB? The eventual goal will be to leverage Fastly’s Edge service for the front end of the web traffic, but the short-term goal is getting the ALB set up correctly. Any advice would be welcome. Thanks!
Hi Jeffrey,
Endpoint Protector does not support Application Load Balancers (ALB) for client-server communication. The reason is SSL/TLS handling: Endpoint Protector relies on a certificate used for mutual authentication between the client and the server. Any form of SSL termination or inspection (as done by an ALB) breaks this trust chain and will disrupt client-server communication.
While it’s not the same architecture, AWS Network Load Balancers (NLB) are supported because they operate at Layer 4 and do not terminate or inspect SSL traffic.
As a security best practice for internet-facing deployments, we also recommend separating the Server UI access from the client communication. You can configure the Server UI on a non-standard port (e.g., 8443) and restrict access as needed. At the same time, keep client-server communication on port 443 without SSL termination in between. Once port separation is completed, SSL termination can be applied only to the Server UI, while leaving the client communication port in passthrough mode.
For the port separation procedure, you can open a support ticket and our engineers will assist.
Hope this helps,
Zoran
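The split described in the reply above (Layer 4 passthrough for the client port, Layer 7 termination only for the admin UI), written out as a Terraform sketch. This is an added illustration, not code or documentation from Endpoint Protector or from either poster. Every VPC, subnet, instance and certificate identifier, the admin source range, the 10.0.0.0/8 VPC range and the health-check path are placeholders to be replaced with your own values. Port 8443 for the UI is the example port used in the reply; any port the support procedure assigns works the same way.

```hcl
# Added illustration, not Endpoint Protector documentation or code.
# All IDs, ARNs, CIDRs and the health-check path are placeholders (assumptions).

variable "vpc_id"          { default = "vpc-0123456789abcdef0" }                  # assumed
variable "subnet_ids"      { default = ["subnet-aaaa1111", "subnet-bbbb2222"] }   # assumed
variable "epp_instance_id" { default = "i-0abcdef1234567890" }                    # assumed EPP server
variable "ui_cert_arn"     { default = "arn:aws:acm:eu-west-1:123456789012:certificate/REPLACE" } # assumed
variable "admin_cidrs"     { default = ["203.0.113.0/24"] }                       # assumed admin range

# --- Client traffic: NLB, Layer 4, TCP passthrough on 443 -------------------
# Listener protocol is TCP, not TLS: the NLB forwards the encrypted stream
# untouched, so the client's certificate reaches the EPP server and mTLS works.
resource "aws_lb" "epp_client" {
  name               = "epp-client-nlb"
  load_balancer_type = "network"
  subnets            = var.subnet_ids
}

resource "aws_lb_target_group" "epp_client" {
  name        = "epp-client-443"
  port        = 443
  protocol    = "TCP"
  vpc_id      = var.vpc_id
  target_type = "instance"
  health_check { protocol = "TCP" }
}

resource "aws_lb_target_group_attachment" "epp_client" {
  target_group_arn = aws_lb_target_group.epp_client.arn
  target_id        = var.epp_instance_id
  port             = 443
}

resource "aws_lb_listener" "epp_client" {
  load_balancer_arn = aws_lb.epp_client.arn
  port              = 443
  protocol          = "TCP"   # "TLS" here would make the NLB terminate and break mTLS
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.epp_client.arn
  }
}

# --- Admin UI: ALB, Layer 7, TLS terminated on 8443, restricted source -----
resource "aws_security_group" "epp_ui_alb" {
  name   = "epp-ui-alb"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 8443
    to_port     = 8443
    protocol    = "tcp"
    cidr_blocks = var.admin_cidrs   # only the admin range reaches the UI
  }
  egress {
    from_port   = 8443
    to_port     = 8443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]    # assumed VPC range of the EPP server
  }
}

resource "aws_lb" "epp_ui" {
  name               = "epp-ui-alb"
  load_balancer_type = "application"
  subnets            = var.subnet_ids
  security_groups    = [aws_security_group.epp_ui_alb.id]
}

resource "aws_lb_target_group" "epp_ui" {
  name        = "epp-ui-8443"
  port        = 8443
  protocol    = "HTTPS"       # re-encrypt ALB -> server; the UI keeps its own cert
  vpc_id      = var.vpc_id
  target_type = "instance"
  health_check {
    protocol = "HTTPS"
    path     = "/"            # assumed; use a path the UI answers 200/302 on
    matcher  = "200-399"
  }
}

resource "aws_lb_target_group_attachment" "epp_ui" {
  target_group_arn = aws_lb_target_group.epp_ui.arn
  target_id        = var.epp_instance_id
  port             = 8443
}

resource "aws_lb_listener" "epp_ui" {
  load_balancer_arn = aws_lb.epp_ui.arn
  port              = 8443
  protocol          = "HTTPS"   # termination is acceptable here: browser -> UI, no client cert
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.ui_cert_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.epp_ui.arn
  }
}
```

The point to check after applying something like this is the listener protocol on 443: a TCP listener hands the EPP server the original TLS handshake, including the client certificate, whereas a TLS or HTTPS listener would present the load balancer's own certificate and open a fresh, client-certificate-less connection to the server, which is exactly the trust-chain break the reply describes. The same consideration applies to any Layer 7 edge service placed in front of port 443 later on; only the UI port can sit behind a terminating front end.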