Every Reveal Agent needs to be able to connect directly to its associated edge node as specified in the bundle configuration file. For on-premises customers, this is likely to be the IP address or DNS entry of your DMZ-deployed edge node(s). For cloud customers, it will be either the US or EU edge node DNS entry:
Europe cluster - edge.4bfc9a65.reveal.ava.uk:443
US cluster - edge.27d0b831.reveal.ava.uk:443
The Reveal Agent uses mutually authenticated certificates to secure the connection between the Agent and any corresponding edge node. The initial trusted certificate is included as part of the enrollment bundle, along with a limited-use token for obtaining the agent's own certificate from the Reveal platform. The agent will reject any connection attempt to a device that does not present the correct certificates, such as a "Man in the Middle" (MITM) proxy. It is not possible to bypass this mechanism.
It is therefore important that all proxies and other terminating/redirection services (e.g. Cisco Umbrella) have explicit exemptions in place for all communications to the Reveal edge nodes.
For some organizations this will only require adding all edge node IP addresses; for others, it may also be necessary to exempt certain certificate subject names to allow transparent passthrough.
Whilst the agent uses the edge node FQDN to resolve the IP address of the edge node, this is not the subject name of the certificates used to either establish an enrollment connection or maintain an ongoing TLS connection to the platform. In these cases, the SNI is set to enroll.edge.jazz and circuit.edge.jazz respectively.
As such, you should whitelist all of the following:
local edge node IP address(es)
enroll.edge.jazz - SNI
circuit.edge.jazz - SNI
subject name of edge nodes
Please note that whilst Ava will make every effort to ensure the IP addresses of cloud edge nodes do not change, we cannot guarantee this in the long term, so regular checks of the edge node IP addresses are recommended.
For those with OpenSSL installed, it is possible to test whether there is a proxy in the path by running the following command against the edge node for your region (4bfc9a65 for Europe, 27d0b831 for US):
openssl s_client -connect edge.[4bfc9a65|27d0b831].reveal.ava.uk:443 -servername enroll.edge.jazz -verify 1
The output of the command should show a certificate signed by Jazz Networks Ltd. If this is not the case, please raise a support case via the Support Portal.
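The following script wraps the OpenSSL check above so it can be run on a schedule against both SNIs. It is an added example, not Ava's or Reveal's own tooling: it runs openssl s_client with the given -servername, extracts the issuer line from the output and reports whether the certificate was issued by Jazz Networks Ltd (the issuer the article says to expect), by some other CA (an intercepting proxy in the path) or not presented at all (blocked or reset). The sample s_client outputs embedded in the script are constructed for the self-test and are not captured from a real edge node; the CA name "Reveal Edge CA" in them is an assumption.

```shell
#!/bin/sh
# Added example (not Ava/Reveal code): classify the result of
#   openssl s_client -connect HOST:443 -servername SNI -verify 1
# to detect a proxy or redirection service sitting between the agent and
# a Reveal edge node.

EXPECTED_ISSUER="Jazz Networks Ltd"   # issuer named in the article

# issuer_of: print the issuer DN from s_client output read on stdin.
# s_client prints an "issuer=..." line for the presented leaf certificate
# (both the "issuer=O = ..." and the older "issuer=/O=..." formats start
# the same way); take the first one.
issuer_of() {
    sed -n 's/^issuer=//p' | head -n 1
}

# classify_output: read s_client output on stdin and print one word:
#   ok          - certificate issued by the expected CA
#   intercepted - a certificate was presented, but by a different issuer
#   no-cert     - no certificate at all (connection refused/reset/blocked)
classify_output() {
    issuer=$(issuer_of)
    if [ -z "$issuer" ]; then
        echo no-cert
    elif printf '%s\n' "$issuer" | grep -q "$EXPECTED_ISSUER"; then
        echo ok
    else
        echo intercepted
    fi
}

# probe_edge HOST:PORT SNI - run the article's command and classify it.
# stdin is closed so s_client exits right after the handshake; stderr is
# merged because connection errors are reported there.
probe_edge() {
    openssl s_client -connect "$1" -servername "$2" -verify 1 \
        </dev/null 2>&1 | classify_output
}

# Constructed samples of s_client output (not real captures) used to
# exercise the classifier offline.
SAMPLE_DIRECT='subject=CN = circuit.edge.jazz
issuer=O = Jazz Networks Ltd, CN = Reveal Edge CA'
SAMPLE_PROXIED='subject=CN = circuit.edge.jazz
issuer=CN = Corporate SSL Inspection CA'
SAMPLE_BLOCKED='connect: Connection refused
connect:errno=111'

# Live check only when invoked with HOST:PORT and SNI, e.g.
#   ./edge_check.sh edge.27d0b831.reveal.ava.uk:443 enroll.edge.jazz
# Without arguments the functions are defined but no network call is made.
if [ "$#" -eq 2 ]; then
    result=$(probe_edge "$1" "$2")
    echo "$1 (SNI $2): $result"
    [ "$result" = ok ] || exit 1
fi
```

Run it once with enroll.edge.jazz and once with circuit.edge.jazz, since a proxy exemption that only matches one SNI would let enrollment succeed and then break the ongoing connection. A non-zero exit makes the script usable from cron or a monitoring agent for the regular checks the article recommends.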