Configuration of the proxy for a gateway connection to the telematics infrastructure

Last adaptation to the version: 14.0.9

New: This article refers to a Beta version.
Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115, e.g. https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
Menu path: Applications / TI Proxy


Introduction

Network structure of the TI proxy

The TI proxy enables secure communication between card terminals and the TI connectors of the telematics infrastructure: it forwards the card terminals' traffic through a WireGuard tunnel to a cloud gateway that manages access to the telematics infrastructure.



TI Proxy Wizard

Step 1 - Import configuration

Files: Browse... (no files selected)
  If available, configuration files can be uploaded here.
WireGuard configuration:
  [Interface]
  Address = 203.113.0.113/32
  ListenPort = 51820
  ...
  Inserts/uploads the configuration information for WireGuard from the config file.
TI-Proxy configuration:
  tiaas:
   wireguard:
    ip: 203.113.0.113
  ...
  Inserts/uploads the configuration information for the TI proxy from the config file.

Step 2 - Interface

Interface: wg0
  The WireGuard interface that is used.
Name: wireguard-interface-wg0-ti-proxy
  Name of the WireGuard connection.
IPv4 address: 203.113.0.113/32
  IPv4 address in the transfer network for the local network interface.
IPv6 address: (empty) /64
  IPv6 address in the transfer network for the local network interface.
Listening port: 51820
  Port of the WireGuard connection.
Private key: Generate automatically / Enter key value directly / Select from keys
  Private key of the WireGuard connection.
Release server networks globally: (empty)
  Networks that are to be enabled for the WireGuard connection. Not required here.

Step 3 - Peer

Peer type: Peer / AD user / Local user
Name: wg0-peer-1
  Name of the peer.
Release peer networks: 192.168.12.0/24, 192.168.13.12/30, 192.168.13.16/30, 192.168.13.24/30, ...
  Networks of the peer that are to be released.
Endpoint: 203.113.0.113
  Public IP address under which the WG tunnel for the connector is received.
Endpoint port: 60010
  The corresponding port.
Public key: Enter key value directly / Calculate from private key value / Select from keys
  Public key of the peer.
Pre-shared key: (empty)
  Pre-shared key to further secure the connection.
Keepalive: On, 25 seconds
  Sends a signal regularly. This keeps connections open across NAT routers.

Step 4 - TI Proxy

Connector IP: 10.180.96.90/---
  IP address of the connector that enables the connection to the telematics infrastructure; usually a private IP address from a VPN.
Incoming IP: 10.0.2.1/---
  IP address of the WG interface.

Step 5 - Advanced Settings

Create routes to the peer's networks: Yes
  Routes are created to the networks/hosts that were entered in step 3 under 'Release peer networks', with the interface shown in step 2 as the gateway.
Create zones: Yes
  Creates new zones for the WireGuard interface.
Zones: wireguard-wg0, firewall-wireguard-wg0
  Names of the new zones.
Create network objects for the peer: Yes
  Creates network objects for the remote station.
Network objects for the peer: wg-net-wg0-peer-1-1, wg-net-wg0-peer-1-2, wg-net-wg0-peer-1-3, ...
  Network objects that are created for the remote station. The automatic proposal can also be changed.
Network group: wg0-networks
  Name of the network group of the connection.
Create rules between the peer and internal networks: Yes
  Generates rules automatically, which facilitates commissioning.
Control group: wg0-network
  Name of the control group.

General Configuration

General configuration of the TI proxy (Applications / TI-Proxy):

Connector IP: 10.180.96.90/---
  IP address of the connector that enables the connection to the telematics infrastructure; usually a private IP address from a VPN.
Incoming IP: 203.113.0.113 (A0)
  IP address of the UTM interface that establishes the connection to the connector.

Connection to a connector via WireGuard (incoming IP)
This variant is the standard configuration in practice.

Connector IP: 10.180.96.90/---
  IP address of the connector that enables the connection to the telematics infrastructure; usually a private IP address from a VPN.
Incoming IP: 10.0.2.1 (wgx)
  Tunnel IP address of the WG interface that establishes the connection to the connector (WireGuard tunnel as 'Incoming IP').

As a rule, the following values should not be changed:
  • Rekey After Time: 120 seconds
    Defines the period after which a new key agreement (rekeying) is carried out. (Minimum: 120 seconds)
  • Reject After Time: 180 seconds
    Defines the period after the last received packet after which a peer is considered inactive and its packets are discarded. (Minimum: 180 seconds)

Configure card terminal proxy

In the Card terminal proxies area (Applications / TI-Proxy), add a proxy for a card terminal as follows:

Card terminal IP: 192.168.175.71/---
  IP address of the card terminal in the internal network.
Card terminal port: 4742
  Port of the card terminal via which communication takes place.
Incoming and outgoing port: 60000
  Port on which the UTM receives the data packets.

Save the configuration with the button Save and close.
  • If a connection to the card terminal could be established, its name is displayed.
  • If the error message Error: failed to restart ctproxy appears, the proxy cannot reach the connector.
  • Several card terminals can be added; they can also be located in different local networks (new as of v14.0.9).
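The following pre-flight check is an added example, not part of this wiki page or of the UTM software. It takes the values shown in wizard steps 3 and 4, the Rekey/Reject timers from the general configuration and the card terminal proxy entries, and reports the inconsistencies that lead to the "failed to restart ctproxy" situation above. The peer network 10.180.96.0/24 and the second card terminal are constructed for the example; everything else is taken from the page.

```python
# Added pre-flight check for the TI proxy wizard values (example code, not part
# of the Securepoint wiki page or the UTM). Uses only the standard library.
import ipaddress

# Peer networks released in step 3. The page's list is truncated; the last
# entry (10.180.96.0/24) is constructed so that the connector is reachable.
PEER_NETWORKS = ["192.168.12.0/24", "192.168.13.12/30", "192.168.13.16/30",
                 "192.168.13.24/30", "10.180.96.0/24"]
CONNECTOR_IP = "10.180.96.90"                # step 4
REKEY_AFTER_S, REJECT_AFTER_S = 120, 180     # general configuration defaults
# Card terminal proxies: (card terminal IP, card terminal port, incoming port).
# The first entry is from the page, the second is constructed.
CARD_TERMINALS = [("192.168.175.71", 4742, 60000),
                  ("192.168.176.20", 4742, 60001)]


def connector_reachable(connector_ip, peer_networks):
    """True if the connector IP lies inside a released peer network.
    WireGuard only sends a packet through the tunnel when its destination is
    covered by a peer's AllowedIPs, so a connector outside these networks is
    unreachable for the proxy (the 'failed to restart ctproxy' case)."""
    addr = ipaddress.ip_address(connector_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in peer_networks)


def timers_valid(rekey_s, reject_s):
    """Documented minimums: rekey >= 120 s, reject >= 180 s. The added
    condition reject > rekey (an assumption) ensures a peer can rekey before
    its packets are rejected."""
    return rekey_s >= 120 and reject_s >= 180 and reject_s > rekey_s


def proxy_ports_unique(card_terminals):
    """Each card terminal proxy needs its own incoming port on the UTM."""
    ports = [incoming for _, _, incoming in card_terminals]
    return len(ports) == len(set(ports))


def preflight(connector_ip=CONNECTOR_IP, peer_networks=PEER_NETWORKS,
              rekey_s=REKEY_AFTER_S, reject_s=REJECT_AFTER_S,
              card_terminals=CARD_TERMINALS):
    """Return a list of problems found; an empty list means the values agree."""
    problems = []
    if not connector_reachable(connector_ip, peer_networks):
        problems.append(f"connector {connector_ip} is not inside any released peer network")
    if not timers_valid(rekey_s, reject_s):
        problems.append("rekey/reject timers below the documented minimums")
    if not proxy_ports_unique(card_terminals):
        problems.append("two card terminal proxies share an incoming port")
    return problems


if __name__ == "__main__":
    for line in preflight() or ["OK: wizard values are consistent"]:
        print(line)
```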

Status of the implicit rule (new as of v14.0.8.2)
  • An implicit redirect rule is enabled. With the implicit rules enabled, TCP connections from the connector to the card terminals are forwarded via DESTNAT. This makes it possible to update the card terminals from the connector.
  • The implicit rule is disabled. Updating the card terminals from the connector is not possible.
  • Enables the implicit rule
  • Disables the implicit rule