Test Connectivity from the Device to the CloudGen Access Proxy
- Get the CloudGen Access Proxy details from the CloudGen Access Enterprise Console.
Try to open an SSL connection to the proxy and confirm that the first lines reference the CloudGen Access Root Certificate Authority.

    $ openssl s_client -showcerts -servername <proxy_host> -connect <proxy_host>:<proxy_port>
    CONNECTED(00000006)
    depth=3 CN = CloudGen Access Root Certificate Authority
    verify error:num=19:self signed certificate in certificate chain
    verify return:1
    depth=3 CN = CloudGen Access Root Certificate Authority
    verify return:1
    depth=2 CN = CloudGen Access Intermediary Certificate Authority
    verify return:1
    depth=1 CN = CloudGen Access://xxxx-xxxxxx-xxxx/
    verify return:1
    depth=0
    verify return:1
    ...

If the request fails or the operation times out, the device is not reaching the CloudGen Access Proxy.
Check the following:
- The Proxy Host DNS record is being resolved to the correct IP address.
- The Proxy Host IP address, if using IP instead of DNS, is correct.
- The NAT configuration on the device/service that is exposing the CloudGen Access Proxy is correct.
- Firewall rules allow inbound communication to the configured CloudGen Access Proxy.
Check if the Device Is Trying to Access the Resource with the CloudGen Access App
Check the IP address that the failing resource resolves to. The lookup should return an IP address in one of the following ranges:
- 255.0.0.0/8 for Unix/Linux-based systems
- 198.18.0.0/15 for Microsoft-based systems

    $ nslookup myresource.private
    Server: 192.0.2.5
    Address: 192.0.2.5#53
    Name: myresource.private
    Address: 255.0.0.12

- Confirm that the CloudGen Access App is running and the tunnel is started.
- Check that the CloudGen Access App is enrolled in a tenant.
- Confirm the resource is created in the CloudGen Access Enterprise Console.
- Resource list updates in the CloudGen Access App can take up to 15 minutes. Force a refresh if your CloudGen Access App version allows it.
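
The range check from this section, as an added example that is not part of the original page: the script takes the answer address out of nslookup output and reports whether it falls in 255.0.0.0/8 or 198.18.0.0/15. The function names are hypothetical and the sample input is the lookup shown above.

```sh
#!/bin/sh
# Added example (not Barracuda code); function names are hypothetical.
# Checks a resolved address against the two ranges listed on this page.

# ip_to_int A.B.C.D: print the address as an integer; fail on malformed input.
ip_to_int() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac  # no leading zeros, max 3 digits
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/LEN: succeed when IP lies inside the network.
in_cidr() {
    ic_ip=$(ip_to_int "$1") || return 2
    ic_net=$(ip_to_int "${2%/*}") || return 2
    ic_mask=$(( (0xFFFFFFFF << (32 - ${2#*/})) & 0xFFFFFFFF ))
    [ $(( ic_ip & ic_mask )) -eq $(( ic_net & ic_mask )) ]
}

# classify_resolved IP: print which range matched; non-zero when none did.
classify_resolved() {
    ip_to_int "$1" >/dev/null || { echo invalid; return 2; }
    if in_cidr "$1" 255.0.0.0/8; then echo app-range-unix
    elif in_cidr "$1" 198.18.0.0/15; then echo app-range-windows
    else echo not-intercepted; return 1
    fi
}

# answer_from_nslookup: read nslookup output on stdin, print the last answer
# address. Address lines before "Name:" belong to the resolver and are skipped.
answer_from_nslookup() {
    awk '/^Name:/ {seen = 1} seen && /^Address/ {ip = $2} END {if (ip != "") print ip}'
}

# Constructed sample, copied from the nslookup output shown above.
sample='Server: 192.0.2.5
Address: 192.0.2.5#53
Name: myresource.private
Address: 255.0.0.12'

ip=$(printf '%s\n' "$sample" | answer_from_nslookup)
echo "$ip -> $(classify_resolved "$ip")"
```

A not-intercepted result means the address is outside both ranges, so continue with the checks in the list above.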
Test Connectivity from Envoy Proxy to the Resource
The Envoy Proxy needs to be able to reach the resource with the configured properties.
Take note of the following resource:
- Resource Name – My Resource
- Public Host – myresource.private
- Resource Host – myresource.internal
- External Port – 80
- Internal Port – 3000
- Access Proxy – US-EAST-1-PROXY
Envoy Proxy must be able to resolve the Resource Host record.

    $ nslookup myresource.internal
    Server: 10.0.0.1
    Address: 10.0.0.1#53
    Name: myresource.internal
    Address: 10.0.0.20

For an HTTP resource, an HTTP request can be sent using curl.

    $ curl myresource.internal:3000
    HTTP/1.1 200 OK
    [...]

For a Redis resource, netcat can be used to connect.

    $ nc myresource.internal 3000
    PING
    +PONG

- Check that the DNS server is correctly configured.
- Confirm that intermediate firewall rules are not blocking access to the resource.
- For an HTTPS connection, the Public Host needs to match the configured hostname in the resource certificate. However, the Resource Host just needs to be something the CloudGen Access Proxy can resolve and access.