With emerging security threats and the general trend of MSPs being targeted by cyber attackers, many people are seeking to harden and obfuscate their infrastructure so their server isn’t exposed to the world. This does improve security posture, but implementing technologies like a reverse proxy for ConnectWise Automate is rather complex compared to a normal web application.


Between Automate and Control, there are multiple web services, a mix of TCP and UDP traffic, and certain other details that make the implementation of security technologies (like reverse proxies) difficult. Normally such technologies necessitate sending TCP and UDP traffic to different locations, and as a result, complexity tends to dominate such solutions. This complexity also impacts the application itself; certain changes need to be made to Automate for it to work correctly behind a proxy.


Here at Automation Theory, we wanted to create an easy way to harden and obfuscate an Automate stack at the network layer. We’ve constructed a service that simplifies the protection of Automate stacks and offers additional value-add features. With our model, we create a security appliance that is hosted “out in space” at one of 10 data centers in 8 locations across the globe. This appliance performs reverse proxying for TCP traffic (with SSL offloading and cipher hardening for HTTPS) and IPS scanning of inbound traffic, implements reputation-based blocking (GeoIP, Tor nodes, etc.) and HTTP header best practice, and tunnels UDP traffic to the servers.


The SSL offloading requires a certificate, so with this service clients would also receive a randomly generated FQDN for accessing their servers (such as 601e8e9f8949e9b022.examplehosting.com), which would be used for the certificate. This FQDN would be used for all access to Automate (agent and technician). While there’s no such thing as security through obscurity, forcing all traffic through the proxy (an unrelated domain in unrelated IP space) would hinder traditional reconnaissance.


The IPS scanning is tailored to Automate servers — only relevant rules are loaded to ensure the appliance does not hamper performance. Similarly, the reputation-based blocking uses both whitelists and blacklists to ensure efficient processing of traffic.


Since all communications would go through the proxy, all functions of the Automate application would work without modification. This, along with the as-a-service model, reduces complexity for Automate administrators: the proxy can be dropped in and operational within a few hours.


Please send an email to support@automationtheory.org if you’d like to set up a trial.