Security Center protects Alibaba Cloud Elastic Compute Service (ECS) instances, external servers, and servers in on-premises data centers. This topic describes how to connect servers in an on-premises data center to Security Center.

Procedure

If you want to install the Security Center agent on servers in an on-premises data center that cannot access the Internet, and manage the servers in the Alibaba Cloud console, follow these steps:
  1. Create a proxy cluster in an on-premises data center to connect the servers to the Internet.
  2. Modify the hosts file or local DNS settings to connect the proxy cluster to the servers.
  3. Install the Security Center agent on the servers to enable Security Center to protect the servers.

Create a reverse proxy cluster

The Security Center agent communicates with Security Center through two separate domains: one for persistent connections and one for HTTP requests. Each type of traffic is handled by its own reverse proxy.

Notice Persistent connection and HTTP proxies must be deployed on two different servers. You must prepare at least two servers to set up the proxy cluster.
  • Configure a server to deploy the persistent connection proxy
    Prerequisites
    • At least one server is available to deploy persistent connection proxies. GNU Compiler Collection (GCC) and zlib-devel are installed on the server.
      Note You can specify the number of servers to deploy persistent connection proxies based on the number of servers in the on-premises data center. If the on-premises data center has a large number of servers, we recommend that you prepare multiple servers to deploy persistent connection proxies.
    • Download the NGINX version that supports reverse proxies (the stream module).

    Procedure

    1. TCP persistent connections are proxied at Layer 4. After you download NGINX, run the following commands to compile and install it. You must pass the --with-stream parameter to ./configure so that the stream module is built.
      tar -xvf nginx-1.9.0.tar.gz
      cd nginx-1.9.0
      # --with-stream builds the stream (Layer-4 TCP proxy) module
      ./configure --without-http_rewrite_module --with-stream
      make
      make install
    2. In the directory of NGINX configuration files, modify the nginx.conf file based on the following content.
      #user  nobody;
      worker_processes  auto;
      
      error_log  logs/error.log;
      #error_log  logs/error.log  notice;
      #error_log  logs/error.log  info;
      
      #pid        logs/nginx.pid;
      
      
      events {
          use     epoll;
          worker_connections  60000;
      }
      
      
      stream {
          server {
              listen 80;
              proxy_timeout 20m;
              proxy_connect_timeout 60s;
              proxy_pass app;
          }

          upstream app {
              server jsrv.aegis.aliyun.com:80;
          }
      }
    3. After the configuration file is modified, restart NGINX.
  • Configure a server to deploy the HTTP proxy
    Prerequisites
    • At least one server is available to deploy the HTTP proxies.
      Note You can specify the number of servers to deploy HTTP proxies based on the number of servers in the on-premises data center. If the on-premises data center has a large number of servers, we recommend that you prepare multiple servers to deploy HTTP proxies.
    • Download the NGINX version that supports reverse proxies (the stream module).

    Procedure

    1. The HTTP proxy is also implemented at Layer 4 as a TCP stream proxy, so the agent's HTTPS connections on port 443 are passed through without being terminated on the proxy. After you download NGINX, run the following commands to compile and install it. You must pass the --with-stream parameter to ./configure.
      tar -xvf nginx-1.9.0.tar.gz
      cd nginx-1.9.0
      sudo ./configure --without-http_rewrite_module --with-stream
      sudo make
      sudo make install
    2. In the directory of NGINX configuration files, modify the nginx.conf file based on the following content.
      #user  nobody;
      worker_processes  auto;
      
      error_log  logs/error.log;
      #error_log  logs/error.log  notice;
      #error_log  logs/error.log  info;
      
      #pid        logs/nginx.pid;
      
      
      events {
          use     epoll;
          worker_connections  60000;
      }
      
      
      stream {
          upstream updatessl {
              server update.aegis.aliyun.com:443;
          }
          server {
              listen 443;
              proxy_connect_timeout 60s;
              proxy_pass updatessl;
          }
          upstream updatehttp {
              server update.aegis.aliyun.com:80;
          }
          server {
              listen 80;
              proxy_connect_timeout 60s;
              proxy_pass updatehttp;
          }
      }
    3. After the configuration file is modified, restart NGINX.

Connect the proxy cluster to the servers in the on-premises data center

Select one of the following methods to connect the proxy cluster to the servers in the on-premises data center.

  • Modify the hosts file of the servers in the on-premises data center

    Modify the hosts file of the servers in the on-premises data center to redirect requests for the Security Center domains to the proxy cluster. In the hosts file, you must map every Security Center domain name to the IP address of the proxy server that handles it. The domain names to map are listed below; replace xx.xx.xx.xx with the IP address of the corresponding proxy server.

    Notice The domain names that contain jsrv refer to those of the servers where persistent connection proxies are deployed. The domain names that contain alicdn and update refer to those of the servers where HTTP proxies are deployed.
    xx.xx.xx.xx jsrv.aegis.aliyun.com
    xx.xx.xx.xx jsrv2.aegis.aliyun.com
    xx.xx.xx.xx jsrv3.aegis.aliyun.com
    xx.xx.xx.xx jsrv4.aegis.aliyun.com
    xx.xx.xx.xx jsrv5.aegis.aliyun.com
    xx.xx.xx.xx aegis.alicdn.com
    xx.xx.xx.xx update.aegis.aliyun.com
    xx.xx.xx.xx update2.aegis.aliyun.com
    xx.xx.xx.xx update3.aegis.aliyun.com
    xx.xx.xx.xx update4.aegis.aliyun.com
    xx.xx.xx.xx update5.aegis.aliyun.com
  • Modify the DNS settings of the on-premises data center

    Modify the DNS settings of the on-premises data center to resolve jsrv.aegis.aliyun.com and update.aegis.aliyun.com to the IP address of the proxy cluster.
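    The hosts-file method above is easy to get subtly wrong: a jsrv domain pointed at the HTTP proxy, or one update domain left out, makes the agent fail without an obvious error. The following script is an added example, not part of the Alibaba Cloud documentation; it generates the hosts entries for both proxy types and audits an existing hosts file against them. The proxy IP addresses (PERSIST_IP, HTTP_IP) are operator-supplied assumptions; the domain lists are the ones given on this page.

```sh
#!/bin/sh
# Added example, not part of the Alibaba Cloud documentation: generate the hosts
# entries for the two proxy types and audit an existing hosts file. The proxy IPs
# (PERSIST_IP for the persistent-connection proxy, HTTP_IP for the HTTP proxy)
# are operator-supplied assumptions; the domain lists are taken from the page.

PERSIST_DOMAINS="jsrv.aegis.aliyun.com jsrv2.aegis.aliyun.com jsrv3.aegis.aliyun.com \
jsrv4.aegis.aliyun.com jsrv5.aegis.aliyun.com"
HTTP_DOMAINS="aegis.alicdn.com update.aegis.aliyun.com update2.aegis.aliyun.com \
update3.aegis.aliyun.com update4.aegis.aliyun.com update5.aegis.aliyun.com"

# gen_hosts_entries PERSIST_IP HTTP_IP: print one hosts line per domain.
gen_hosts_entries() {
    for d in $PERSIST_DOMAINS; do printf '%s %s\n' "$1" "$d"; done
    for d in $HTTP_DOMAINS; do printf '%s %s\n' "$2" "$d"; done
}

# _check_one FILE DOMAIN EXPECTED_IP: the last non-comment hosts entry naming
# DOMAIN wins (as the resolver sees it); report a missing or misdirected entry.
_check_one() {
    ip=$(awk -v d="$2" '{ sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if ($i == d) ip = $1 }
        END { print ip }' "$1")
    if [ -z "$ip" ]; then echo "MISSING: $2"; return 1; fi
    if [ "$ip" != "$3" ]; then echo "WRONG: $2 -> $ip (expected $3)"; return 1; fi
    return 0
}

# check_hosts_file FILE PERSIST_IP HTTP_IP: return 0 only when every jsrv domain
# points at the persistent proxy and every alicdn/update domain at the HTTP proxy.
check_hosts_file() {
    file=$1; pip=$2; hip=$3; bad=0
    for d in $PERSIST_DOMAINS; do _check_one "$file" "$d" "$pip" || bad=1; done
    for d in $HTTP_DOMAINS; do _check_one "$file" "$d" "$hip" || bad=1; done
    return $bad
}

# Usage: PERSIST_IP=10.0.0.11 HTTP_IP=10.0.0.12 sh sc_hosts.sh gen >> /etc/hosts
#        PERSIST_IP=10.0.0.11 HTTP_IP=10.0.0.12 sh sc_hosts.sh check /etc/hosts
case "${1:-}" in
    gen)   gen_hosts_entries "$PERSIST_IP" "$HTTP_IP" ;;
    check) check_hosts_file "${2:-/etc/hosts}" "$PERSIST_IP" "$HTTP_IP" ;;
esac
```

    Run the check on every server after editing the hosts file; a non-zero exit status with a MISSING or WRONG line tells you which domain to fix before installing the agent.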

Install the Security Center agent on the servers in the on-premises data center

After the Security Center agent is installed on the servers in the on-premises data center, Security Center can protect your servers. To install the Security Center agent on servers that run the Windows operating system, you must download the Security Center agent installer. To install the agent on servers that run the Linux operating system, you must run relevant commands. For more information, see Manual installation.