Network Proxy Implementation for TLS 1.0/1.1 Conversion to 1.2+

At A Glance:
  • Document purpose: This guide provides details for implementing a reverse proxy to secure device communications to the Appspace platform with TLS 1.2+.
  • Business problem: Many customers are still using devices that support the 20+-year-old TLS 1.0/1.1 security protocols that have become vulnerable and insecure.
  • Solution: Customers who would like to continue using impacted devices with the TLS 1.0/1.1 protocols have the option of using a reverse proxy server to secure the device communication to the Appspace platform.
  • Conclusion: Appspace recommends that customers host their own proxy server for the highest level of security. Alternatively, Appspace can host the proxy in a cloud environment for a fee; however, this is less secure because the TLS 1.0/1.1 traffic still crosses the internet before reaching the proxy.

Introduction

Appspace has historically allowed and supported legacy devices connected to our platform that communicate over the older Transport Layer Security (TLS) 1.0 protocol. However, the TLS 1.0/1.1 protocols have become increasingly vulnerable as computing power has grown and attack techniques have improved.

During Q2 2022, Appspace will begin phasing out support for the TLS 1.0/1.1 security protocols. After Q3 2022, Appspace will no longer support any connections to the platform, including devices using the TLS 1.0/1.1 security protocol.

Note
For additional information regarding impacted devices and remediation steps please refer to this article: Deprecating Support for Legacy Devices (TLS 1.0/1.1).

If your organization requires continued usage of impacted devices, you do have the option to use a reverse proxy server to secure the device communication to the Appspace platform. The reverse proxy server can be hosted by Appspace or by your organization within your infrastructure. A reverse proxy server is a type of HTTP server that typically sits behind the firewall in a private network, and directs client requests to the appropriate backend HTTP server.

A reverse proxy server acts as a TLS gateway: it terminates the device's TLS 1.0/1.1 connection and re-encrypts the traffic over the newer TLS 1.2 protocol before it is transmitted to the Appspace platform.

Using a reverse proxy for TLS is very similar to Appspace’s recommended approach to on-prem content caching. For additional information regarding the reference implementation of a content caching proxy node, please refer to this article: Implementing a Content Caching Strategy.

Implementation Options

Appspace is providing customers with the following two options for implementing a proxy:

  1. Customers host the proxy in their data center. This is a common solution used by many companies and is available at a reasonable cost. Appspace will provide guidance for the configuration of the proxy. The customer needs to provide the server and configure and manage it accordingly.
  2. Appspace hosts the proxy in a cloud environment. For a fee, Appspace will be responsible for providing the server and configuring it accordingly.

Proxy Option: Hosted by customer
Benefits:
  • No non-secure traffic will transit the internet.
  • Minimal cost.
  • Easy to set up.
  • Appspace will provide guidance.

Proxy Option: Hosted by Appspace
Benefits:
  • Appspace will set up and operate the proxy.
  • Minimal cost.
  • Easy to set up.
  • Appspace will provide server management.
Important
Our strong recommendation is that our customers host the proxy as this solution will provide the highest level of security. If Appspace hosts the proxy server, the TLS 1.0/1.1 traffic will still transit the internet, thus there is still some risk to the customer’s data. While the non-secure traffic will not enter the Appspace cloud, it will still be sent over the internet to the proxy server.

Proxy Server Hosted On-Prem – Customer

Customers can provide a proxy server on their network that accepts WAN TLS 1.0/1.1 traffic and converts it to TLS 1.2 traffic that can be sent to Appspace Cloud.

Proxy Server Hosted – Appspace

Appspace can provide a proxy outside of the Appspace Cloud that will accept WAN TLS 1.0/1.1 traffic and convert it to TLS 1.2 traffic that can be sent to Appspace Cloud.

Important
In this option the non-secure traffic is still transmitted outside of your network to the proxy server.

Requirements & Specifications – Reverse Proxy for TLS Translation

Software Requirements

For simplicity and reliability, Appspace recommends our customers implement and manage a proxy server on their network, based on Apache on Linux.

Apache is a powerful and popular open-source web server software that can be deployed on Linux or Windows. The solution discussed here assumes Linux-based deployments, however, it should work equally well on Windows, if that is preferred.

System Requirements

The reverse proxy should meet the following requirements:
  • Be accessible over the local network by hostname.
  • [recommended] Support the HTTPS protocol.
  • [required for legacy devices] Support TLS 1.0 connections.
  • [required for HTTPS] Provide an SSL certificate trusted by endpoint devices.
  • Support URL-encoded whitespace (%20) characters in request URLs.
  • Relay content requests to the external Appspace server hostname.
  • Provide access to hostnames in the following domains and their subdomains:
    • *.appspace.com
    • *.appspaceusercontent.com
    • *.appspacestatic.com
  • [Optional] Cache responses in local storage.
  • Perform cache cleanup to maintain free storage space.

Host Server Specifications

Listed below are the minimal and recommended specifications for a reverse proxy server.

Note
The system requirements for a reverse proxy server may vary depending on the size of the deployment.

Minimal specifications (approximately 50 devices):

  • 2 virtual CPU cores
  • 513 GB RAM
  • 32 GB storage

Recommended specifications (approximately 250 devices):

  • 4 virtual CPU cores
  • 4 GB RAM
  • 250 GB storage

SSL Considerations

Reverse caching proxies integrate into existing networks and make full use of SSL/TLS: they terminate the SSL/TLS connection from the device and interpret the request data before relaying it upstream. Because the proxy operates under its own hostname, it needs a separate certificate issued for that hostname, and the endpoint devices must trust it.
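The System Requirements list above and the certificate point in SSL Considerations, as one added Apache httpd example (not Appspace's own configuration): the device-facing VirtualHost accepts TLS 1.0/1.1 with the proxy's own certificate, while the Appspace-facing side negotiates TLS 1.2+ only and verifies the upstream certificate. The proxy hostname, file paths and the upstream Appspace hostname are placeholders.

```apache
# Added example (not Appspace's own configuration): Apache httpd 2.4.36+ VirtualHost
# acting as the TLS translation proxy. Needs mod_ssl, mod_proxy, mod_proxy_http
# and, for the optional cache, mod_cache and mod_cache_disk.
<VirtualHost *:443>
    # Placeholder: the proxy's own LAN hostname that devices are rebased to.
    ServerName proxy.example.internal

    # --- Device-facing side: TLS 1.0/1.1 accepted only because legacy devices need it ---
    SSLEngine on
    # Certificate issued for the proxy hostname and trusted by the endpoint devices.
    SSLCertificateFile    /etc/ssl/certs/proxy.example.internal.crt
    SSLCertificateKeyFile /etc/ssl/private/proxy.example.internal.key
    SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2 +TLSv1.3
    # Distributions that ship OpenSSL at security level 2 reject TLS 1.0/1.1
    # regardless of SSLProtocol; @SECLEVEL=1 in the cipher string re-enables them.
    SSLCipherSuite HIGH:!aNULL:!MD5:@SECLEVEL=1

    # --- Appspace-facing side: TLS 1.2+ only, upstream certificate verified ---
    SSLProxyEngine on
    SSLProxyProtocol -all +TLSv1.2 +TLSv1.3
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    # System CA bundle; the path differs between distributions.
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt

    # Reverse proxy only: never act as an open forward proxy.
    ProxyRequests Off
    # Send the upstream Appspace hostname as Host:, not the proxy's own name.
    ProxyPreserveHost Off
    # "nocanon" hands the request path through unchanged, so %20 escapes survive.
    # The upstream hostname is a placeholder for the account's real appspace.com host.
    ProxyPass        "/" "https://example-tenant.appspace.com/" nocanon
    ProxyPassReverse "/" "https://example-tenant.appspace.com/"
    # Hosts under appspaceusercontent.com and appspacestatic.com get their own
    # VirtualHost (or path prefix) following the same pattern.

    # --- Optional on-disk cache; htcacheclean (cron or -d daemon) keeps it bounded ---
    CacheEnable disk "/"
    CacheRoot /var/cache/apache2/proxy
    CacheDirLevels 2
    CacheDirLength 1

    ErrorLog  /var/log/apache2/tls-proxy-error.log
    CustomLog /var/log/apache2/tls-proxy-access.log combined
</VirtualHost>
```

Run `apachectl configtest` after editing, and confirm from the proxy host that `openssl s_client -tls1 -connect proxy.example.internal:443` succeeds while the upstream leg in the access log never drops below TLS 1.2.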

Appspace Device Configuration

Appspace cloud devices are originally registered to appspace.com domain hostnames, which only accept TLS 1.2 connections.

Please consult Appspace Support after the proxy implementation is complete for assistance in rebasing the devices so that their traffic is rerouted to the TLS reverse proxy server.