Summary

The process for installing a Tachyon DMZ Server to support Internet-facing Tachyon Agents.

Assumptions

The steps given on this page assume:

  • Tachyon is already installed on the internal corporate network
  • The Tachyon DMZ Server is domain-joined in the same domain in which the internal Tachyon Server resides, or with a two-way trust to that domain
  • The Tachyon DMZ Server hosts only the Tachyon Switch and Background Channel components, and is installed in a DMZ

In our example, the DMZ Server has only one Switch, and the internal Tachyon Server is a single-server configuration with Master and Response Stacks. If your system has different requirements please contact 1E for advice.

Tachyon Agent devices will be configured to swap between being on the internal network and being external to the network, and will therefore communicate with the internal Tachyon Server when connected internally and with the external Tachyon DMZ Server when connecting externally (e.g. from the Internet). Tachyon Agent devices must have the appropriate certificates installed. Please refer to Requirements: Tachyon Agent Certificates for more details.

Architecture

Enabling Tachyon to support devices that are external to your company network is done by slightly extending the default single-server architecture.

The Response Stack handles communications between the Master Stack and the Tachyon Agents. The Background Channel and Switch components handle the direct communication with the Tachyon Agents, and the Core processes the information flowing in both directions between the Master Stack and the Switches.

To enable external Tachyon Agent devices to interact with Tachyon you need to put the Background Channel and at least one Switch into the DMZ.

Communications ports

The Tachyon communications ports between the Tachyon Master Server and the Tachyon DMZ Server must be opened, as illustrated in the picture shown opposite. Please refer to the Communication Ports page for more details.


Preparation

You must ensure the following before installation of the Tachyon DMZ Server.

  • The Tachyon Master Server is installed and verified with internal Tachyon Agents. 
    • Please refer to Implementing Tachyon for more details
    • The documentation below assumes this has a Master Stack and Response Stack on the same server. 
  • The DMZ internal and external firewall are configured correctly. Please refer to the Communication Ports page for more details.
  • The Tachyon DMZ Server is provisioned. Although a DMZ Server does not have all Tachyon components, all prerequisites must be met in order for Tachyon Setup to run. In particular, the following must be prepared before installation. For more detail about each requirement, click on the relevant link.
    • Requirements: DNS Names (Preparation: DNS Names)
      • The DMZ Server requires two DNS Names, even if the DMZ Server is configured with one network interface.
      • An internal DNS Name so that the internal Tachyon Server can connect to the DMZ Server. Documentation below assumes this DNS Name exists, but it can alternatively be the server's hostname FQDN. 
      • An external DNS Name so that Internet devices can connect to the DMZ Server, which is the name included in the Tachyon Agent configuration for Switch and Background Channel settings. This DNS Name is not necessarily for the actual IP Address(es) of the external network interfaces if DMZ firewall, Network Address Translation (NAT) or other routing is employed.
      • Both DNS Names require an HTTP class Service Principal Name (SPN) registered on the DMZ Server's computer$ account; please refer to Preparation: Service Principal Name for more details.
      • Both DNS Names must be included in the Web server certificate.
    • Requirements: Network interfaces (Preparation: Network interfaces)
      • The DMZ Server should have an internal network interface, and an external network interface for each Switch, in order to keep Core and Switch traffic apart. This recommendation is for performance reasons when supporting over 500 devices.
      • Internal and external interfaces will typically be on different subnets. Ensure your network routing is configured to route outgoing traffic using the internal interface.
      • If using two interfaces, the internal interface will use the internal DNS Name, and the external interface(s) will use the external DNS Name.  This is the assumption made in the configuration steps below.
      • If an internal interface is not used, then the external interface(s) will use both DNS Names.
    • Requirements: Tachyon Server Certificates (Preparation: Web server certificate)
      • The DMZ Server requires its own web server certificate, which has its private key exportable (also see cacert.pem note below). 
      • The certificate needs to include both DNS Names.
      • The DMZ Server must have access to the HTTP-based CRL Distribution Point specified in the certificate, in order to check CRLs.
    • Requirements: Windows Server roles and features (Preparation: Windows Server roles and features)
      • IIS website.
      • Windows Authentication role.
  • Test devices with the Tachyon Agent installed.
    • At least one connected to the internal network; another connected to the external network.

If the Tachyon Web Server Certificates on the Tachyon DMZ Server and the internal Tachyon Server are from different issuing CAs, then:

  • Each server will require the other server's CA certificates to be added to its Trusted Root CA store, and likewise any intermediate issuing CA certificates. This is required so that each server can communicate with the other.
  • The cacert.pem file on the Tachyon DMZ Server will need to include the public keys for all the intermediate CAs, up to and including the Root CA of the internal Tachyon Server's Web Server Certificate. If you do not do this, the Switch on the Tachyon DMZ Server will not be able to start because it won't be able to trust the Core on the internal Tachyon Server (Response Stack).

Similarly, if the Tachyon Web Server Certificate on the Tachyon DMZ Server and client authentication certificates on external Tachyon Agents are from different issuing CAs, then:

  • Windows devices will need the Tachyon DMZ Server's CA certificates to be added to their Trusted Root and Intermediate CA stores
  • Non-Windows devices will need the Tachyon DMZ Server's CA certificates to be added to their cacert.pem file
  • The Tachyon DMZ Server will need the device's CA certificates to be added to the DMZ Server's Trusted Root and Intermediate CA stores, and updated in the cacert.pem file on the Tachyon DMZ Server.

The cacert.pem file can be updated using the Manage trusted authorities screen in Tachyon Setup, or using the Certificate Manager.

The installation process for a domain-joined Tachyon DMZ Server

As stated in the Assumptions above the DMZ Server is domain-joined. If your system has different requirements please contact 1E for advice.

Overview

The process requires several manual steps before and after running Tachyon Setup, because the automated process is prevented by the DMZ Server not having access to the Tachyon Master database on the internal server. These steps include defining the cfgName used in the SwitchCommandLine for each Switch, which maps to a new row created in the SwitchConfiguration table in the Tachyon Master database. For more details about cfgName please refer to the Switch Command Lines page. In addition, the steps increase the level of security by changing the system so that all Switches connect to the Core API using HTTPS instead of HTTP. The Background Channel is then initialized before finally carrying out verification steps to ensure everything is working.

An outline of the process is given below. For detailed steps, please refer to Detailed steps below.

  1. Install the internal Tachyon Server, with Master and Response Stacks, and ensure it works by running the verification steps.
  2. Ensure Preparation steps are complete for the Tachyon DMZ Server.
     
    On the internal Tachyon Server (Master Stack)
  3. Modify the TachyonMaster database to change the internal Core configuration to use HTTPS communications instead of the default HTTP.
  4. Update the TachyonMaster database to register the name of each new DMZ Switch and Background Channel.
      
    On the internal Tachyon Server (Response Stack)
  5. Modify the existing Switch host configuration file to use HTTPS and the DNS Name of the internal Tachyon Server (Response Stack) and restart the Switch.
  6. Modify the IP Address and Domain Restrictions module in the Tachyon Core web application IIS settings to enable the internal IP Address of the DMZ Server to access the internal Core.
  7. Restart the internal Switch Host service and confirm Switch(es) are running, and Agents are online.
  8. Ensure that everything is still working by running the verification steps.
     
    On the Tachyon DMZ Server
  9. Check whether the Web Server Certificate on the DMZ Server is from a different issuing CA than the internal Tachyon Server or the external Tachyon Agents.
  10. Run Tachyon Setup to install the Switch and Background Channel components onto the Tachyon DMZ Server.
  11. Add a new HTTPS binding on the Tachyon DMZ Server for external devices to use.
  12. Grant the internal Tachyon Server (Master Stack) permission to manage the Background Channel on the Tachyon DMZ Server.
  13. Increase the uploadReadAheadSize setting for the Background Channel.
  14. Do an IIS Reset.
  15. Modify the Switch host configuration file on the Tachyon DMZ Server to use the Switch cfgName and internal DNS alias for the Tachyon Server.
  16. Restart the DMZ Switch Host service and confirm Switch(es) are running.
  17. Copy existing Background Channel content from the internal Tachyon Server to the Tachyon DMZ Server.
  18. Verify that the internal Tachyon Server can upload content to the Background Channel on the Tachyon DMZ Server.
  19. Enable a Tachyon Agent to connect to the Tachyon DMZ Server Switch by changing the Tachyon Agent configuration file to point at both the internal Tachyon Server and the Tachyon DMZ Server.
  20. Run the verification steps to confirm that the Tachyon Server can upload content to the Tachyon DMZ Server Background Channel and that the enabled Tachyon Agent is able to download content from the Tachyon DMZ Background Channel.

To illustrate the following more detailed steps we use the ACME network with two servers:

  1. The internal Tachyon Server:
    • Internal Server hostname FQDN: ACME-TCNMST.acme.local
    • Internal Server DNS Name FQDN: tachyon.acme.local
       
  2. The external (domain-joined) Tachyon DMZ Server
    • DMZ Server hostname FQDN: ACME-TCNDMZ.acme.local
    • DMZ Server internal DNS Name FQDN: tachyondmz.acme.local
    • DMZ Server external (Internet) DNS Name  FQDN: tachyon.acme.com

Detailed steps

  1. Install the internal Tachyon Server, with Master and Response Stacks, and ensure it works by running the verification steps.
     
  2. Ensure Preparation steps are complete for the Tachyon DMZ Server.
     

  3. In the TachyonMaster database, modify the CoreApiConfiguration table to use HTTPS Core instead of HTTP Core Internal:
    1. Change BaseURL to point to the Core component on the Tachyon Master Server and to use HTTPS. In our example this would change the value
      • from  http://ACME-TCNMST.acme.local:80/CoreInternal/
      • to      https://tachyon.acme.local:443/Core/
     
  4. In the TachyonMaster database, register the name of  each new DMZ Switch and Background Channel:
    1. For each Switch on the Tachyon DMZ Server, create a new row in the SwitchConfiguration table by copying the * (asterisk) row.
      1. Change Name to <SwitchHostname>-SWn where SWn is the Switch suffix number 1 to 5. In our example this should be changed:

        • from  *  (asterisk)
        • to      ACME-TCNDMZ-SW1
      2. Change InstrumentationUrl to the internal Server DNS Name FQDN (Master Stack). In our example this should be changed:
        • from  http://tachyon.acme.local:3901/SwitchInstrumentation
        • to      https://tachyon.acme.local:3901/SwitchInstrumentation
      3. Do not change SummaryUrl. Leave as http://tachyon.acme.local:3902/ (not used; only required if using the 1E Summarizer testing tool)
      4. Do not change InstructionsUrl. Leave as https://tachyon.acme.local:443/Consumer/Instructions
    2. For each Switch on the Tachyon DMZ Server, create a new row in the SwitchToCoreApi table that maps the DMZ Switch to the internal Core.
      1. Change SwitchConfigurationId to the Id for the new entry in the SwitchConfiguration table
      2. Change CoreApiConfigurationID to the Id for the existing entry in the CoreApiConfiguration table
    3. For the Background Channel on the DMZ Server, create a new row in the BackgroundChannelApiConfiguration table: 
      1. Set ResourceUrl to use the internal DNS Name FQDN of the Tachyon DMZ Server. In our example this will be:  https://tachyondmz.acme.local:443/background/
       
  5. On the internal Tachyon Server (Response Stack), in the Tachyon installation directory Switch folder, modify the Tachyon.Switch.Host.exe.Config file so that internal Switches use HTTPS to connect to the internal Core (Response Stack):
    1. Locate and edit the Tachyon.Switch.Host.exe.Config file
    2. Modify the CoreUrl key to use HTTPS and the internal Tachyon DNS Name FQDN, in our example the change would be:
      • from <add key="CoreUrl" value="http://ACME-TCNMST.acme.local:80/CoreInternal"/>
      • to     <add key="CoreUrl" value="https://tachyon.acme.local:443/Core"/>
    3. For each internal Switch, modify its SwitchCommandLine to change the -config to use HTTPS and the internal Tachyon Server DNS Name FQDN, and Core instead of CoreInternal. In our example the change would be:
      • from <add key="SwitchCommandLine" value="-cfgName=ACME-TCNMST-SW1 -config=ACME-TCNMST.local:80/CoreInternal -NoStdOut -NoSumm -NoSw2Sw -Log=0" />
      • to     <add key="SwitchCommandLine" value="-cfgName=ACME-TCNMST-SW1 -config=https://tachyon.acme.local:443/Core -NoStdOut -NoSumm -NoSw2Sw -Log=0" /> 

        Do not add -cfgName if it is not present in the SwitchCommandLine; you only need to change the -config value.

  6. On the internal Tachyon Server (Response Stack), in IIS Management Console: add the internal IP Address of the Tachyon DMZ Server
    1. Expand Sites and navigate to and expand the Tachyon website
    2. Click on the Core application and double-click on IP Address and Domain Restrictions
    3. Add the internal IP address of the Tachyon DMZ Server to the IP Address and Domain Restrictions (including IPv6 address if used) 

  7. On the internal Tachyon Server (Response Stack), restart the 1E Tachyon Switch Host service.
    1. Ensure all internal Switches are running
    2. In Tachyon Explorer, confirm that at least one internal Agent is connected.
       
  8. Run the steps on the Verifying page to ensure that the reconfigured Tachyon Server is still working correctly.
     
  9. Check whether the Web Server Certificate on the DMZ Server is from a different issuing CA than the internal Tachyon Server or the external Tachyon Agents.

    If the Tachyon Web Server Certificates on the Tachyon DMZ Server and the internal Tachyon Server are from different issuing CAs, then:

    • Each server will require the other server's CA certificates to be added to its Trusted Root CA store, and likewise any intermediate issuing CA certificates. This is required so that each server can communicate with the other.
    • The cacert.pem file on the Tachyon DMZ Server will need to include the public keys for all the intermediate CAs, up to and including the Root CA of the internal Tachyon Server's Web Server Certificate. If you do not do this, the Switch on the Tachyon DMZ Server will not be able to start because it won't be able to trust the Core on the internal Tachyon Server (Response Stack).

    Similarly, if the Tachyon Web Server Certificate on the Tachyon DMZ Server and client authentication certificates on external Tachyon Agents are from different issuing CAs, then:

    • Windows devices will need the Tachyon DMZ Server's CA certificates to be added to their Trusted Root and Intermediate CA stores
    • Non-Windows devices will need the Tachyon DMZ Server's CA certificates to be added to their cacert.pem file
    • The Tachyon DMZ Server will need the device's CA certificates to be added to the DMZ Server's Trusted Root and Intermediate CA stores, and updated in the cacert.pem file on the Tachyon DMZ Server.

    The cacert.pem file can be updated using the Manage trusted authorities screen in Tachyon Setup, or using the Certificate Manager.

  10. On the Tachyon DMZ Server, run Tachyon Setup and complete the installation using the configuration option Switch and Background Channel for a DMZ 

    The workflow in Tachyon Setup has not yet been optimized for installing just the Switch and Background Channel components. Specifically:

    • The License file is required in the License file screen to cross-check the number of devices supported by the Switch.
    • Configuration settings are not required in the Database servers screen (options on this screen are greyed out).
    • In the Website configuration screen, specify the HTTPS Host Header as the DMZ Server internal DNS Name FQDN: tachyondmz.acme.local
    • Configuration settings are not required in the Active Directory and email screen (including Two-Factor authentication) - you can uncheck Enable email
  11. After installation, on the Tachyon DMZ Server, use IIS Management Console to add an additional HTTPS binding:
    1. Expand Sites and navigate to and expand the Tachyon website
    2. Under the Edit Site actions, click on Bindings...
    3. In the Add Site Binding dialog, select type https and enter the Host name of the DMZ Server external (Internet) DNS Name FQDN. In our example this would be: tachyon.acme.com
    4. Check to enable Require Server Name Indication
    5. Select the Web Server certificate and click OK to save
     
  12. On the Tachyon DMZ Server, use IIS Management Console to grant the internal Tachyon Server (Master Stack) permission to manage the Background Channel on the Tachyon DMZ Server:
    1. Expand Sites and navigate to and expand the Tachyon website
    2. Click on Background and double-click on the Application Settings icon
    3. In the Application Settings view, double-click on the AllowedUsers value, and in the Edit dialog, append the computer account of the internal Tachyon Server to the list, and click OK. In our example this would be:
      • from NT AUTHORITY\Network Service;ACME\ACME-TCNDMZ$
      • to     NT AUTHORITY\Network Service;ACME\ACME-TCNDMZ$;ACME\ACME-TCNMST$
     
  13. On the Tachyon DMZ Server, use IIS Management Console to increase the uploadReadAheadSize setting for the Background Channel:
    1. Expand Sites and navigate to and expand the Tachyon website
    2. Click on Background and double-click on the Configuration Editor icon
    3. In the Section drop-down, select system.web/httpRuntime and make a note of maxRequestLength value (the default is 262144 but it may have been changed since installation)
    4. In the Section drop-down, select system.webServer/serverRuntime and change the uploadReadAheadSize setting from the default 49152 to the value noted above
    5. In the Actions pane, click Apply
     
  14. On the Tachyon DMZ Server, perform an IIS Reset.
     

  15. On the Tachyon DMZ Server, in the Tachyon installation directory Switch folder, modify the Tachyon.Switch.Host.exe.Config file to use the new cfgName, and use HTTPS to connect to the internal Core:
    1. Locate and edit the Tachyon.Switch.Host.exe.Config file
    2. Modify the CoreUrl key to use HTTPS and the Tachyon DNS Name FQDN, in our example the change would be:
      • from <add key="CoreUrl" value="http://ACME-TCNMST.acme.local:80/CoreInternal"/>
      • to     <add key="CoreUrl" value="https://tachyon.acme.local:443/Core"/>
    3. For the first Switch, modify the SwitchCommandLine to add the -cfgName specified as the Name in step 4 above, and change the -config to use HTTPS and the internal Tachyon Server DNS Name FQDN, and Core instead of CoreInternal. In our example the change would be:
      • from <add key="SwitchCommandLine" value="-config=ACME-TCNMST.local:80/CoreInternal -NoStdOut -NoSumm -NoSw2Sw -Log=0" />
      • to     <add key="SwitchCommandLine" value="-cfgName=ACME-TCNDMZ-SW1 -config=https://tachyon.acme.local:443/Core -NoStdOut -NoSumm -NoSw2Sw -Log=0" />
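A check for the end state of the Switch host configuration edits in steps 5 and 15, as an added example (not 1E's code or tooling): it parses the appSettings of Tachyon.Switch.Host.exe.Config, confirms that CoreUrl and each -config point at HTTPS /Core rather than HTTP /CoreInternal, and on the DMZ Server confirms that -cfgName follows the <SwitchHostname>-SWn convention from step 4. Assumed, not taken from the page: the file is a standard .NET app.config; both embedded samples are constructed from the page's ACME values.

```python
"""Check Tachyon.Switch.Host.exe.Config against the end state of steps 5 and 15.
Added example, not 1E code. Assumed (not from the page): the file is a standard
.NET app.config with <appSettings><add key value/> entries; samples are constructed."""
import re
import shlex
import xml.etree.ElementTree as ET

# Constructed sample: DMZ Switch host config after step 15.
AFTER_CONFIG = """<configuration><appSettings>
  <add key="CoreUrl" value="https://tachyon.acme.local:443/Core"/>
  <add key="SwitchCommandLine" value="-cfgName=ACME-TCNDMZ-SW1 -config=https://tachyon.acme.local:443/Core -NoStdOut -NoSumm -NoSw2Sw -Log=0" />
</appSettings></configuration>"""

# Constructed sample: before step 15 (HTTP, CoreInternal, no -cfgName, stray space in CoreUrl).
BEFORE_CONFIG = """<configuration><appSettings>
  <add key="CoreUrl" value=" http://ACME-TCNMST.acme.local:80/CoreInternal"/>
  <add key="SwitchCommandLine" value="-config=ACME-TCNMST.local:80/CoreInternal -NoStdOut -NoSumm -NoSw2Sw -Log=0" />
</appSettings></configuration>"""

CFG_NAME_RE = re.compile(r"^[A-Za-z0-9-]+-SW[1-5]$")  # <SwitchHostname>-SWn, n = 1..5 (step 4)


def parse_app_settings(xml_text):
    """Return <appSettings> entries as (key, value) pairs, keeping duplicates."""
    root = ET.fromstring(xml_text)
    return [(a.get("key"), a.get("value", "")) for a in root.findall("appSettings/add")]


def parse_switch_command_line(value):
    """Split '-name=value -Flag ...' into a dict; bare flags map to True."""
    opts = {}
    for token in shlex.split(value):
        name, sep, val = token.lstrip("-").partition("=")
        opts[name] = val if sep else True
    return opts


def check_core_url(url):
    """Core endpoints must be HTTPS, target /Core (not /CoreInternal) and carry no stray whitespace."""
    problems, u = [], url.strip()
    if u != url:
        problems.append(f"{url!r}: has leading/trailing whitespace")
    if not u.lower().startswith("https://"):
        problems.append(f"{url!r}: must use https://")
    if "/coreinternal" in u.lower():
        problems.append(f"{url!r}: must target /Core, not /CoreInternal")
    return problems


def check_switch_host_config(xml_text, require_cfg_name):
    """Return the problems found (empty list = matches the page's end state). require_cfg_name=True
    for the DMZ Server (step 15); False for the internal server (step 5), where -cfgName is checked only if present."""
    settings = parse_app_settings(xml_text)
    core_urls = [v for k, v in settings if k == "CoreUrl"]
    cmd_lines = [v for k, v in settings if k == "SwitchCommandLine"]
    problems = [] if len(core_urls) == 1 else [f"expected one CoreUrl key, found {len(core_urls)}"]
    for url in core_urls:
        problems += ["CoreUrl " + p for p in check_core_url(url)]
    if not cmd_lines:
        problems.append("no SwitchCommandLine key found")
    for line in cmd_lines:
        opts = parse_switch_command_line(line)
        config = opts.get("config")
        if not isinstance(config, str) or not config:
            problems.append("SwitchCommandLine: missing -config=<url>")
        else:
            problems += ["SwitchCommandLine -config " + p for p in check_core_url(config)]
        cfg = opts.get("cfgName")
        if cfg is None and require_cfg_name:
            problems.append("SwitchCommandLine: -cfgName is required on the DMZ Server")
        elif cfg is not None and (cfg is True or not CFG_NAME_RE.match(cfg)):
            problems.append(f"SwitchCommandLine: -cfgName {cfg!r} must be <SwitchHostname>-SWn, n=1..5")
    return problems
```

Run it against the real file on each server after editing (`check_switch_host_config(open(path).read(), require_cfg_name=True)` on the DMZ Server); an empty list means the file matches the end state the page describes.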
     
  16. On the Tachyon DMZ Server, restart the 1E Tachyon Switch Host service.
    1. Ensure all DMZ Switches are running.
     
  17. Copy existing Background Channel content from the internal Tachyon Server to the Tachyon DMZ Server:
    1. Copy the content (minus the web.config file) from %PROGRAMDATA%\1E\Tachyon\Content on the internal Tachyon Server (Response Stack) to the equivalent directory on the DMZ Server. 

      Only the initial copy of content is required. From this point on, the Consumer API will maintain the content of the Background Channel on the Tachyon DMZ Server.
  18. Verify that the internal Tachyon Server can upload content to the Background Channel on the Tachyon DMZ Server:
    1. Delete the Verification instructions.
    2. Verify that %PROGRAMDATA%\1E\Tachyon\Content\1E-TachyonPlatform-VerificationStage2 is removed from the internal and DMZ servers.
    3. Upload the Verification Instructions.
    4. Verify that %PROGRAMDATA%\1E\Tachyon\Content\1E-TachyonPlatform-VerificationStage2 is re-created on the internal and DMZ servers.
     
  19. Configure the Tachyon Agent on a test device to connect to both the Tachyon Master Server and the Switch on the DMZ Server (assuming you want the Tachyon Agent device to be able to switch between internal and external access).
    1. Edit the %PROGRAMFILES%\1E\Tachyon\Agent\Tachyon.Agent.conf file:
      1. Modify the Switch configuration property. In our example this would be: Switch=tachyon.acme.local:4000;tachyon.acme.com:4000
      2. Modify the BackgroundChannelUrl configuration property. In our example this would be: BackgroundChannelUrl=https://tachyon.acme.local:443/Background/;https://tachyon.acme.com:443/Background/
    2. Ensure the test device is connected to the external network and not the internal network, then review the Tachyon.Agent.log to confirm the Agent connects.
    3. In Tachyon Explorer, confirm the external test device is connected.
     
  20. Verify the external Tachyon Agent can download content from the Background Channel on the Tachyon DMZ Server
    1. Run verification stages 1 and 2 and confirm a successful response is received from the external Agent
    2. The Stage 2 Action confirms that content can be downloaded by the Agent