Proxy servers
In some cases, the connection to a target system may be slow, insecure or blocked by a firewall. This is often true when the connection is made over a wide area network.
To address such connectivity problems, Bravura Security Fabric includes an optional application proxy server. When a proxy server is deployed, the main Bravura Security Fabric server can forward communication to specified (usually distant) target systems through the proxy server, rather than communicating directly with them.
Communication from the main Bravura Security Fabric server to the proxy servers is encrypted, efficient, and tolerant of high latency. Communication between the proxy server and target systems continues to use native protocols, but it is physically controlled in a high-bandwidth, low-latency, high-security LAN.
Using an application proxy reduces the attack surface in a distributed Bravura Security Fabric architecture, by allowing target communication through only a single port in the corporate firewall.
Bravura Security Fabric Proxy Service
The Proxy Service (psproxy) enables the Bravura Security Fabric proxy server on which it is installed to execute agents and exit trap programs on behalf of other Bravura Security Fabric servers.
The service also periodically receives updates (agents, exit programs, configuration data) from the Bravura Security Fabric server.
The service is automatically installed and started on Bravura Security Fabric proxy servers during setup. The psproxy program is also located in the service directory on the main Bravura Security Fabric server; however, it is not installed as a Windows service.
Note
The Proxy Service does not handle communications with the backend Bravura Security Fabric database. The Proxy Service is only used in conjunction with remote target systems.
See Proxy Service (psproxy) for command-line options.
Websocket Connector Proxy
The Proxy Service (psproxy) by itself requires incoming connectivity on a chosen port. This may be acceptable on a LAN network, but may not be feasible in a SaaS environment or under a restrictive security policy. In these scenarios, the optional Proxy Tunnel feature installs the TunnelClient service alongside psproxy at the remote site. TunnelClient initiates an outbound HTTPS/WebSocket connection to the central TunnelHost in the Bravura Security Fabric environment and securely tunnels traffic between the local psproxy and the central services.
In more detail, when firewalls intervene, the TCP port number used by psproxy is programmable, and a port redirector can be used so that only a single firewall opening is required for multiple target systems. When Proxy Tunnel is used instead of direct inbound access, the WebSocket Connector Proxy (TunnelClient) establishes outbound WebSocket connections over SSL/TLS to TunnelHost, enabling secure, bidirectional communication between the remote psproxy instance and the central Bravura Security Fabric services.
There is an option to install this feature during proxy server installation. The option requires preconfiguring a port and password to use during installation.
The WebSocket connector proxy in Bravura Security Fabric is designed so that connections are always initiated from the remote (managed) site outbound to the central psproxy service over HTTPS (WSS). This differs from traditional proxy deployments, which often require inbound connectivity from the Internet or a central data center into the corporate network.
With a traditional proxy, multiple inbound ports may need to be opened for target system native protocols. The WebSocket Proxy requires only that outbound HTTPS traffic (port 443) be allowed from the proxy server.
How the WebSocket connector proxy connects
At a high level:
The WebSocket TunnelClient service runs alongside psproxy on the remote/managed site.
It initiates an outbound HTTPS request to the configured TunnelHost endpoint in the central Bravura Security Fabric environment.
That HTTPS request is upgraded to a WebSocket (WSS) connection.
Once established, this WebSocket tunnel is bidirectional and carries all proxied traffic between the remote site and the central psproxy services. One or more target systems can be configured to communicate using the WebSocket tunnel.
From a firewall perspective at the remote site, this appears as a standard outbound HTTPS connection (typically TCP 443) to the Fabric service.
Important
The Proxy service does not open a new inbound connection into the remote network. It only accepts the outbound WebSocket connections initiated by the WebSocket connector proxy.
Best practices
For systems administrators planning or reviewing proxy deployments with Bravura Security Fabric:
Prefer the WebSocket Connector Proxy when connecting remote psproxy instances to central Bravura Security Fabric services across firewalls or the Internet.
Avoid direct inbound exposure of psproxy from external or untrusted networks where possible.
Configure outbound HTTPS/WSS from TunnelClient to TunnelHost in line with your organization’s existing egress and proxy policies.
Use strong credentials and follow Bravura Security Fabric hardening guidance for authentication and access control.
Monitor and log tunnel establishment and failures as part of normal security operations.
This model follows best practices by using outbound-initiated, TLS-protected tunnels from TunnelClient to TunnelHost, minimizing the remote attack surface while still enabling secure, reliable communication for psproxy and other supported Bravura Security Fabric services.
Persistent Connector Service
The Persistent Connector Service (agtsvc) runs connector programs that are enabled for persistent listing. Persistent listing allows Bravura Security Fabric to list changes as soon as they happen on the Active Directory or LDAP domain controller to which the Persistent Connector Service (agtsvc) connects.
Installing Persistent Connector Service (agtsvc) on a proxy server allows you to run persistent listing on the proxy server.
There is an option to install this feature during proxy server installation. The option requires preconfiguring a port and password to use during installation.
Implementing a proxy solution
The following sections show you how to:
Update the proxy server with updated configuration from the Bravura Security Fabric server, if required.