Configuration of Telematik Infrastruktur as a Service

New article with version: 14.0.0 (11.2024)

This article refers to a beta version.
Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
Menu: Applications / TI Proxy

RISE as TIaaS provider

WireGuard Configuration

Step 1 - Import Configuration
First, a new WireGuard connection is added under VPN / WireGuard with the button Add WireGuard connection.

In the first step, the configuration provided by RISE is selected to simplify further setup.
Step 2 - Interface
Caption                            Value               Description
Name:                              RISE TIaaS          Name of the WireGuard connection
Release server networks globally:  192.168.175.0/24    Enable the server network in which the card terminal is located
All other values should be set correctly by loading the configuration.
Step 3 - Peer
Caption   Value             Description
Name:     RISE TIaaS-Peer   Name of the peer of the connection
All other values should be set correctly by loading the configuration.
Step 4 - Advanced settings
All buttons in this step are activated.

Configure TI-Proxy

RISE provides a Connection.conf file, which contains the IP address of the connector.
Example Connection.conf:

tiaas:
  wireguard:
    ip: 172.31.34.1
  client:
    konnektor:
      url: 10.180.96.90
# This is a template to be filled by the customer. Please consult the manual how to perform the configuration
#card-terminal:

The IP address of the connector is the value under tiaas / client / konnektor / url, i.e. here 10.180.96.90.

This IP address is then used to configure the TI proxy.
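As an added example (not part of this article, nor of the UTM or RISE software), the following Python script parses a Connection.conf in the form shown above and derives the values that are entered under Applications / TI Proxy and on the connector; the internal interface address 192.168.200.1 and the connector port 8443 are the ones used in the Best Practice section below, and the check that every address is a private IPv4 address is an assumption.

```python
import ipaddress

# Constructed sample mirroring the Connection.conf shown above (not a real file).
SAMPLE_CONF = """\
tiaas:
  wireguard:
    ip: 172.31.34.1
  client:
    konnektor:
      url: 10.180.96.90
# This is a template to be filled by the customer.
#card-terminal:
"""

def parse_connection_conf(text):
    """Parse indented 'key: value' mappings into nested dicts (comments skipped; no lists)."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each block that is still open
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments such as '#card-terminal:'
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # a shallower line closes deeper blocks
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def ti_proxy_values(conf_text, internal_if_ip="192.168.200.1"):
    """Return the addresses entered under Applications / TI Proxy and on the connector.
    Assumption: all of them are private IPv4 addresses, as in the article's example."""
    conf = parse_connection_conf(conf_text)
    konnektor = ipaddress.IPv4Address(conf["tiaas"]["client"]["konnektor"]["url"])
    wg_ip = ipaddress.IPv4Address(conf["tiaas"]["wireguard"]["ip"])
    internal = ipaddress.IPv4Address(internal_if_ip)
    for addr in (konnektor, wg_ip, internal):
        if not addr.is_private:
            raise ValueError(f"{addr} is not a private IPv4 address")
    return {
        "connector_ip": str(konnektor),          # TI-Proxy: virtual connector IP
        "wireguard_ip": str(wg_ip),              # TI-Proxy: local WireGuard interface
        "internal_interface_ip": str(internal),  # TI-Proxy: card terminal interface
        "connector_admin_url": f"https://{konnektor}:8443",  # connector access
    }
```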


Best Practice

  • Note
    This section shows an implementation that has proven itself in practice. The configuration makes no claim to completeness or correctness.
    We assume no liability for any problems or damage arising directly or indirectly from this configuration.

    1. Connect the card terminal and assign it a fixed lease via the network topology.
    2. Start the WireGuard wizard and store the configuration from the provider on the UTM. Select all options in the last step of the wizard.
    3. Create or edit the required network objects (Packet filter / Create or edit network objects).
    4. Create three services:
      1. Name: TI-Proxy-60000, protocol: udp, destination port: 60000
      2. Name: TI-Proxy-4742, protocol: udp, destination port: 4742
      3. Name: TI-Proxy-60000-TCP, protocol: tcp, destination port: 60000
    5. In the packet filter, open the automatically created rule with the source internal-networks and the destination wg0-networks and add a HIDENAT to the wg0-interface.
    6. In the packet filter, delete the rule that was also created automatically for the internal network.
      Instead, create the following three rules:
      1. Source: internal-interface, destination: wg0-networks, service: TI-Proxy-4742, type: HIDENAT, network object: wg0-interface
      2. Source: wg0-networks, destination: wg1-interface, service: TI-Proxy-60000
      3. Source: wg0-networks, destination: wg1-interface, service: TI-Proxy-60000-TCP
    Resulting packet filter rules:
    Source              Destination    Service                               NAT                    Logging  Action  Active
    internal-interface  wg0-networks   TI-Proxy-4742 (udp, port 4742)        HN with wg0-interface  3/Min    Accept  On
    wg0-networks        wg0-interface  TI-Proxy-60000 (udp, port 60000)      -                      3/Min    Accept  On
    wg0-networks        wg0-interface  TI-Proxy-60000-TCP (tcp, port 60000)  -                      3/Min    Accept  On
    internal-networks   wg0-networks   any                                   HN with wg0-interface  3/Min    Accept  On
    7. Enter the data in the TI proxy (Applications / TI Proxy):
      1. Enter the virtual connector IP (in the example 10.180.96.90)
      2. Enter the IP of the local WireGuard interface (in the example 172.31.34.1)
      3. Enter the IP of the internal interface to which the card terminals are connected (in the example 192.168.200.1)
    8. Create the terminal on the connector (connector access in the example: https://10.180.96.90:8443)
      1. The IP address is the WireGuard address of the UTM: in the example 172.31.34.1
      2. The default port is 60000
      3. The MAC address is not required
    9. On the terminal, the trust space may have to be set to RU in the admin menu under TSL list
    10. On the terminal, all trust blocks may have to be deleted in the admin menu under Pairing
    11. Click on Pair in the connector
    12. Confirm the pairing on the terminal