Grouping of RAG services

Hello Everyone,

I’m facing an organizational issue with a deployment. The infrastructure where we’re deploying **Netwrix Privilege Secure** includes a WAF.
Based on our testing, we’ve found that deploying the RAG is necessary to properly access the web portal and connect via RDP or SSH.

However, this raises a concern about the number of machines involved, as we end up with a RAG Portal that is essentially unused — the WAF is already acting as the interface and securing traffic between the public and private networks.

I would simply like to combine both services on a single machine. Is this possible?
Both services could communicate via the local interface (127.0.0.1).

Am I going about this the right way?
Or is there a recommended method to minimize the number of machines while still providing access behind the WAF?

1 Like

Yes, you can do that. The separation of the Portal / Gateway is to limit the surface layer of the machine in the DMZ. Since the WAF is providing that functionality, you can place the Portal on the same machine as the Gateway. There will just be multiple layers of redirects; this hasn’t been tested internally. I am not sure what the originating IP will be in connections using this configuration. My concern is that all connections will appear to be from the WAF instead of the client address.

1 Like

Another issue to be aware of is that the RAG Gateway installs IIS for you, and you will need to remove the default website that IIS creates because it will bind to the default HTTPS port and block NGINX from starting.
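
The IIS cleanup described in the last reply, as an added example (not part of the original thread and not Netwrix tooling): it shows what is listening on the HTTPS port, lists every IIS site bound to it, and removes the default site. It assumes the site still has the stock name `Default Web Site`, that NGINX uses port 443, and that it runs in an elevated session on the combined Portal/Gateway host.

```powershell
# Added example: free the default HTTPS port that the IIS default site holds.
Import-Module WebAdministration

$port        = 443                  # assumption: NGINX listens on the default HTTPS port
$defaultSite = 'Default Web Site'   # assumption: stock IIS site name, not renamed

# 1. Show the current listener on the port. IIS bindings are served by
#    http.sys, so they appear as PID 4 (System), not as w3wp.exe.
Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ Name = 'Process'
           Expression = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
    Format-Table -AutoSize

# 2. List every IIS site with a binding on that port.
#    bindingInformation has the form "<ip>:<port>:<hostname>", e.g. "*:443:".
$conflicts = Get-Website | Where-Object {
    $_.Bindings.Collection |
        Where-Object { $_.bindingInformation -match ":${port}:" }
}

$conflicts |
    Select-Object Name, State,
        @{ Name = 'Bindings'
           Expression = { $_.Bindings.Collection.bindingInformation -join ', ' } } |
    Format-Table -AutoSize

# 3. Remove only the default site; report anything else for manual review
#    rather than deleting it.
foreach ($site in $conflicts) {
    if ($site.Name -eq $defaultSite) {
        Remove-Website -Name $defaultSite
        Write-Host "Removed '$defaultSite'; port $port is no longer bound by it."
    }
    else {
        Write-Warning "Site '$($site.Name)' is also bound to port $port; review before starting NGINX."
    }
}

# 4. Confirm no IIS site still claims the port.
$remaining = Get-WebBinding | Where-Object { $_.bindingInformation -match ":${port}:" }
if (-not $remaining) { Write-Host "No IIS bindings remain on port $port." }
```

Run it once after the Gateway installer has added IIS and before starting NGINX.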