The Cloud Connect Module provides secure and seamless access to administer remote Mango installations behind customer firewalls or cellular connections without opening ports or using additional VPN or remote access software.
Once configured, with a single click of a button on your central Mango Server you can open the remote Mango systems and be fully logged in, with your admin user account synchronized to the remote installation.
The Cloud Connect Module uses the popular and trusted SSH protocol to secure and encrypt all communications.
General security features are:
All data transmitted using Secure Shell protocol (SSH)
SSH password authentication is disabled
By default uses ECDSA authentication keys using NIST secp256r1 parameters (NSA suite B approved)
Users can generate their own keys using the OpenSSH ssh-keygen tool; the software supports RSA keys and other ECDSA parameters. ED25519 is not supported.
Default symmetric cipher is AES 128 CTR
Default key exchange algorithm is ECDH SHA2 NIST p521
Default MAC algorithm is HMAC MD5
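An added example, not part of the Mango documentation or the module's code: a check that a public key line is of a type the list above says is supported before it is pasted into "Authorized keys". It assumes the standard OpenSSH public key format and that "other ECDSA parameters" means the nistp384 and nistp521 curves; the function names and sample lines are constructed for illustration.

```python
import base64
import struct

# Page: RSA and ECDSA keys are supported, ED25519 is not. Which ECDSA curves
# beyond secp256r1 are accepted is not stated; the OpenSSH curves are assumed.
EC_POINT_LEN = {"nistp256": 65, "nistp384": 97, "nistp521": 133}
ALLOWED = {"ssh-rsa"} | {"ecdsa-sha2-" + c for c in EC_POINT_LEN}

def read_fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        if pos + 4 + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return fields

def check_public_key(line):
    """Return the key type of an OpenSSH public key line, or raise ValueError."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared = parts[0]
    if declared not in ALLOWED:
        raise ValueError("unsupported key type: " + declared)
    fields = read_fields(base64.b64decode(parts[1], validate=True))
    if len(fields) != 3 or fields[0] != declared.encode():
        raise ValueError("key blob does not match declared type")
    if declared.startswith("ecdsa-"):
        curve, point = fields[1].decode("ascii", "replace"), fields[2]
        if declared != "ecdsa-sha2-" + curve:
            raise ValueError("curve does not match key type")
        if len(point) != EC_POINT_LEN[curve] or point[0] != 4:
            raise ValueError("malformed uncompressed EC point")
    return declared

def wire(*fields):
    """Build a constructed sample blob (placeholder bytes, not a real key)."""
    body = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return base64.b64encode(body).decode()

# Constructed sample lines: the point and key bytes are filler, not real keys.
SAMPLE_ECDSA = "ecdsa-sha2-nistp256 " + wire(
    b"ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(64)) + " mango-client"
SAMPLE_ED25519 = "ssh-ed25519 " + wire(b"ssh-ed25519", bytes(32)) + " laptop"
```

The check is structural only: it confirms the declared type, the type inside the key blob and the curve agree, but it does not verify that the point lies on the curve.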
Configure Cloud Connect Client
To connect a remote Mango installation to the Mango Server, follow these steps. This requires server configuration; see below.
On your MangoES or Mango Installation
Go to Administration > Cloud connect and select the “Client tab”
On the Client tab, scroll down to the Client public key and click Copy to Clipboard.
On your cloud / Central server
Go to Administration > Cloud connect and select the “Server tab”
Paste the public key into the Cloud Mango Server tab under “Authorized keys”
On the Client tab fill in the following settings
Start client with Mango: True
Host: URL of your cloud Mango
Port: port being used on the cloud Mango (9999)
Accept unknown hosts: true (this will turn to false after the first connection)
Forward Mango web port: True. The port number must match the port Mango is running on on the remote device, e.g. port 80 or 8080 or another.
Forward SSH port: True. The port number must match the SSH port being used on the remote device, e.g. for a MangoES it is 2222.
Click Start on the Client tab and wait for validation that the connection is successful.
On the Cloud Mango
Verify connection and access: go to Administration > Connected clients
Here you will see a list of all devices connected to the server. You can click the “Open web interface” button to access the web UI of the device via the cloud connect tunnel.
You can use the ssh port to access the MangoES from the cloud server with a command like:
ssh mango@localhost -p 37001
Configuring the Cloud Connect Server (Central Mango Installation)
The central Mango installation needs to be configured to accept the incoming cloud connect connections from remote Mango installations. These steps only need to be followed once, for the initial setup.
Go to Administration > Cloud connect > SERVER tab
Select Start server with Mango option.
Select the desired port to use for incoming connections and click the START button.
Configure the Proxy
The proxy allows admin users to access the remote Mango installation via a special URL on your cloud Mango. The GUID is used in a URL such as http://1-d597d2d9-5795-342b-8f3c-072c54f89493.demo.mangoautomation.net. This special URL will open the web GUI of the remote Mango installation with the admin user being automatically authenticated so no user name or password is needed.
You need a wildcard DNS A record for the domain name to be used, such as *.cloud.mangoautomation.net -> your server IP
If using SSL, you need a wildcard certificate for the domain Mango is running on. For the example above, a wildcard certificate for *.mangoautomation.net will not work; it will need to be for *.cloud.mangoautomation.net
When using the proxy you will only be able to access Mango at the domain you specify in the env.properties file.
Configure the proxy
In your overrides/properties/env.properties file, set:
sessionCookie.domain=.cloud.mangoautomation.net (note the dot after the equals sign)
On the Administration > Cloud Connect > PROXY tab
Enable the proxy (checkbox)
Enter your domain name in the text box
Configure the authentication as you want (recommended settings shown)