Reverse Proxy Deployment

You can enhance the security of your deployment by leveraging a reverse proxy that authenticates SOTI MobiControl Cloud requests destined for the Cloud Link Agent.

In this topology, SOTI MobiControl Cloud is configured to communicate with the reverse proxy as if it were the Cloud Link Agent. The reverse proxy validates the client certificate presented by SOTI MobiControl Cloud in the request and then forwards the request, along with an authentication token, to the Cloud Link Agent. The Cloud Link Agent verifies the authentication token and then returns the requested information to SOTI MobiControl Cloud.

Note: The reverse proxy must support passing a Windows Identity to the Cloud Link Agent. Generally, this is achieved through Kerberos Constrained Delegation (KCD), which requires that the reverse proxy and the Cloud Link Agent host be joined to the same Active Directory domain with the appropriate Service Principal Name (SPN) present.

The following diagram illustrates Cloud Link communication through a Reverse Proxy and outlines the authentication flow of this topology.

Figure: Cloud Link Communication through a Reverse Proxy

Network Requirements

The "Cloud Link Communication through Reverse Proxy Communication Matrix" table represents the communication requirements between SOTI MobiControl Cloud and the reverse proxy, between the reverse proxy and the Cloud Link Agent, and between the Cloud Link Agent and enterprise services available to SOTI MobiControl Cloud.

Bold text indicates required communication. CLA = Cloud Link Agent

Protocol  Source                  Port  Destination    Port
HTTPS     SOTI MobiControl Cloud  443   Reverse Proxy  443
HTTPS     Reverse Proxy           443   CLA Host       443
LDAPS     CLA Host                636   AD             636
HTTPS     CLA Host                443   ADCS           443
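The following PowerShell script is an added example, not SOTI tooling, that checks the prerequisites from the Note above (same AD domain, SPN present, constrained delegation configured on the proxy account) and then tests the rows of the communication matrix whose source is the host it runs on. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module; the computer account names (RPROXY01, CLAHOST01, ADCS01) and the HTTP/<FQDN> SPN form are assumptions to adjust for your environment.

```powershell
# Added example (not SOTI's own code): verify KCD prerequisites and port reachability.
Import-Module ActiveDirectory

$ProxyHost = 'RPROXY01'    # assumed computer account name of the reverse proxy
$ClaHost   = 'CLAHOST01'   # assumed computer account name of the Cloud Link Agent host
$AdcsHost  = 'ADCS01'      # assumed ADCS host name
$Domain    = Get-ADDomain
# Assumed SPN: an HTTP service SPN on the CLA host FQDN, the usual KCD target for a web service.
$ClaSpn    = "HTTP/$($ClaHost).$($Domain.DNSRoot)"

$proxy = Get-ADComputer -Identity $ProxyHost -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation
$cla   = Get-ADComputer -Identity $ClaHost   -Properties ServicePrincipalNames

$checks = [ordered]@{
    # Both computer accounts must live in the same AD domain (their DNs end with the domain DN).
    'Proxy and CLA host in same domain' = $proxy.DistinguishedName.EndsWith($Domain.DistinguishedName) -and
                                          $cla.DistinguishedName.EndsWith($Domain.DistinguishedName)
    # The SPN that KCD targets must be registered on the CLA host's computer account.
    "SPN $ClaSpn registered on CLA host" = $cla.ServicePrincipalNames -contains $ClaSpn
    # Classic KCD: the proxy account lists the CLA SPN in msDS-AllowedToDelegateTo.
    'Proxy constrained to delegate to CLA SPN' = @($proxy.'msDS-AllowedToDelegateTo') -contains $ClaSpn
    # Unconstrained delegation is far broader than KCD and should stay off on the proxy account.
    'Proxy NOT trusted for unconstrained delegation' = -not $proxy.TrustedForDelegation
}

foreach ($check in $checks.GetEnumerator()) {
    $status = if ($check.Value) { 'PASS' } else { 'FAIL' }
    '{0,-4} {1}' -f $status, $check.Key
}

# Matrix rows from the table above; each row is only meaningful when run from its Source host
# (LDAPS/ADCS rows from the CLA host, the proxy-to-CLA row from the reverse proxy).
$matrix = @(
    @{ Source = $ClaHost;   Target = $Domain.PDCEmulator; Port = 636; Label = 'LDAPS CLA Host -> AD'      }
    @{ Source = $ClaHost;   Target = $AdcsHost;           Port = 443; Label = 'HTTPS CLA Host -> ADCS'    }
    @{ Source = $ProxyHost; Target = $ClaHost;            Port = 443; Label = 'HTTPS Reverse Proxy -> CLA' }
)
foreach ($row in $matrix | Where-Object { $_.Source -eq $env:COMPUTERNAME }) {
    # Test-NetConnection reports TCP reachability only; TLS and certificate trust are not checked here.
    $tcp    = Test-NetConnection -ComputerName $row.Target -Port $row.Port -WarningAction SilentlyContinue
    $status = if ($tcp.TcpTestSucceeded) { 'PASS' } else { 'FAIL' }
    '{0,-4} {1} ({2}:{3})' -f $status, $row.Label, $row.Target, $row.Port
}
```

The first row of the matrix (SOTI MobiControl Cloud to the reverse proxy) originates outside the enterprise and is not testable from these hosts; confirm it with the published proxy address and its inbound firewall rule instead.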