
Druva Documentation

Edge Server FAQs

inSync Private Cloud Editions: Elite, Enterprise

With the Edge Server being accessible from public networks, how does inSync secure or limit the Edge Server so that it listens only to the organization's official devices (laptops and mobiles) that have the inSync Client installed?

The following methods ensure that the Edge Server serves only authorized inSync Clients:

  • Authentication on each connection: When a client connects, it is first authenticated using its credentials and its unique Device Token. If authentication fails, the Edge Server drops the connection to the inSync Client.
  • inSync Client registration (first connection): The first time a client connects to the Edge Server, it is authenticated against the inSync Server using its credentials and a unique Mass Deployment Token (MDT). If authentication succeeds, the client is registered and issued a unique Device Token. To control which devices are allowed to register, the MDT is securely pushed to the client using the following tools:
    • Mobile devices: MobileIron is currently supported.
    • Laptops/desktops: Mass deployment tools such as Microsoft System Center Configuration Manager (SCCM).


How does the Edge Server identify and reject requests from non-Druva clients, across all device types?

The inSync Edge Server sits in a demilitarized zone (DMZ), outside your organization's firewall, and relays communication between the inSync Client and the inSync Server, or between the inSync Client and the inSync Storage Node. The inSync Server and Storage Nodes maintain an outbound connection to the Edge Server.

The inSync Client verifies the SSL/TLS certificate of the Edge Server before sending any data to it, and only then establishes the connection. The Edge Server listens for TLS requests on the configured port (default: 443). When the Edge Server receives a request from a device, it validates the request parameters: only requests whose parameters are present and in the correct format are passed on to the inSync Server and Storage Node for authentication; everything else is dropped at the Edge Server. This applies to all endpoints on the Windows, Mac, Linux, iOS, Android, and Windows Phone 8/8.1 platforms.

Once the inSync Client or mobile app is authenticated, the Edge Server creates a secure tunnel from the client or mobile app to the inSync Server or Storage Node. A client or mobile app without valid credentials cannot reach the inSync Server or Storage Node at all, because the Edge Server terminates the connection itself. The Edge Server never initiates a connection to the inSync Server or Storage Node; the inSync Server and Storage Node initiate the connection to the Edge Server, using a unique shared key for that channel. This prevents any other device from masquerading as the Edge Server.
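The Edge Server's pre-filtering step described above, as an added example in Python (illustrative code, not Druva's implementation): it checks the shape of an authentication call and drops anything that does not match before the backend is contacted. The request encoding, the field names and their formats, and the sample requests are assumptions constructed for the example, not Druva's wire format.

```python
"""Added example: an Edge-style pre-filter for authentication requests.

Constructed to illustrate the behaviour described above. Nothing reaches
the inSync Server unless the request is well-formed JSON, carries exactly
the expected fields, and every field matches its expected format.
The schema below is an assumption for the example, not Druva's protocol.
"""
import json
import re

# Assumed request schema: field name -> pattern the value must match.
AUTH_SCHEMA = {
    "client": re.compile(r"insync/\d+\.\d+\.\d+"),          # e.g. "insync/7.0.1"
    "user": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+"),  # user principal
    "device_token": re.compile(r"[0-9a-f]{64}"),              # 32-byte token as hex
}
MAX_REQUEST_BYTES = 1024  # an authentication call is small; cap it


class DropConnection(Exception):
    """Raised when the request must be discarded without contacting the backend."""


def prefilter_auth_request(raw: bytes) -> dict:
    """Return the validated parameters, or raise DropConnection.

    Fails closed: size, encoding, field set and field format are all checked
    before anything is forwarded to the inSync Server.
    """
    if len(raw) > MAX_REQUEST_BYTES:
        raise DropConnection("oversized request")
    try:
        params = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        raise DropConnection("request is not well-formed JSON") from None
    if not isinstance(params, dict):
        raise DropConnection("request body is not an object")
    if set(params) != set(AUTH_SCHEMA):
        raise DropConnection(f"unexpected field set: {sorted(params)}")
    for name, pattern in AUTH_SCHEMA.items():
        value = params[name]
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise DropConnection(f"field {name!r} has the wrong format")
    return params


def edge_decision(raw: bytes) -> str:
    """Summarise what the Edge Server would do with one request."""
    try:
        prefilter_auth_request(raw)
        return "forward"
    except DropConnection as exc:
        return f"drop: {exc}"


# Constructed sample traffic (not captured from a real deployment).
GOOD = json.dumps({"client": "insync/7.0.1", "user": "alice@example.com",
                   "device_token": "ab" * 32}).encode()
EXTRA_FIELD = json.dumps({"client": "insync/7.0.1", "user": "alice@example.com",
                          "device_token": "ab" * 32, "debug": True}).encode()
SCANNER = b"GET / HTTP/1.1\r\nHost: edge\r\n\r\n"   # generic probe, not a Druva client
BAD_TOKEN = json.dumps({"client": "insync/7.0.1", "user": "alice@example.com",
                        "device_token": "not-a-token"}).encode()

if __name__ == "__main__":
    for label, raw in [("good", GOOD), ("extra_field", EXTRA_FIELD),
                       ("scanner", SCANNER), ("bad_token", BAD_TOKEN)]:
        print(f"{label:12s} {edge_decision(raw)}")
```

The point of the filter is that it needs no secrets and no backend round trip: a port scanner, a fuzzer or a client with an extra field is rejected by the Edge Server alone, so the inSync Server only ever sees calls that already look like a Druva client.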


In an inSync On-Premise setup with Edge Server and MobileIron, is it possible for a device to connect directly to the Edge Server, then onward to the Storage Node, and access the backup data?

Only if the inSync Client on that device has been authenticated as an authorized client.

Each time a client needs to connect to storage, it must first be authenticated against the inSync Server, via the Edge Server, using the user credentials and the unique Device Token. Only after this can backup or data access proceed.


In an inSync On-Premise setup with Edge Server and MobileIron, can any device use the Edge Server as an entry point to the corporate network and access or manipulate resources on the intranet? What are the preventive measures for such scenarios?

No. The inSync Server and Storage Nodes initiate and maintain a secure outbound connection to the Edge Server. The Edge Server has no connectivity to anything else in the network; its only function is to proxy requests from inSync Clients to the inSync Server and Storage Nodes.

Additional security measures include:

  • A unique shared key is used between the Edge Server and the inSync Server and Storage Node. This prevents any other device from impersonating the Edge Server.
  • SSL/TLS certificate: the inSync Client verifies the Edge Server's certificate before sending data to it.
  • TLS v1.2: all communication uses TLS v1.2 with AES 256-bit encryption.
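The client-side checks in the last two bullets, written out as an added Python example (not the inSync Client's own code): a TLS context that only completes the handshake when the Edge Server's certificate chains to a trusted CA, names the host that was dialed, and the negotiated version is TLS 1.2 or newer, shown beside the weak configuration a reviewer should reject. The CA bundle path and the Edge host name are assumptions for the example.

```python
"""Added example (not the inSync Client's code): a client-side TLS
configuration with the properties listed above.

It shows the checks a client must make before it sends anything to an
Edge Server: TLS 1.2 or newer only, the server certificate chained to a
trusted CA, and the certificate name matched against the host it dialed.
The CA bundle path and the Edge host name are assumptions for the example.
"""
import socket
import ssl
from typing import Optional


def make_edge_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Hardened context. ca_bundle is the (assumed) path of the CA that signed
    the Edge Server certificate; None falls back to the platform trust store."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and TLS 1.1
    ctx.check_hostname = True                     # certificate must name the Edge host
    ctx.verify_mode = ssl.CERT_REQUIRED           # unverifiable chain => handshake fails
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """What not to ship: any certificate is accepted, so an on-path attacker
    can present their own certificate and read or alter the backup stream."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_acceptable(ctx: ssl.SSLContext) -> bool:
    """The three properties to look for when reviewing any inSync-style client."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def connect_to_edge(host: str, port: int = 443,
                    ca_bundle: Optional[str] = None) -> ssl.SSLSocket:
    """Dial the Edge Server. A certificate that fails validation raises
    ssl.SSLCertVerificationError during the handshake, before any
    application data (credentials or device token) is sent."""
    ctx = make_edge_client_context(ca_bundle)
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("hardened:", context_is_acceptable(make_edge_client_context()))  # True
    print("weak:    ", context_is_acceptable(weak_client_context()))       # False
```

Cipher selection (the AES-256 requirement) is set on the same context with `set_ciphers`; it is left at the library default here because the property that stops a man-in-the-middle is the certificate validation, not the cipher suite.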


To what extent can the inSync mobile app be integrated with MobileIron?

Druva is a MobileIron AppConnect partner and, through this integration, provides the following capabilities for iOS devices:

  1. Ensures that the inSync client can be used only on mobile devices authorized by MobileIron.

    The inSync app can be used on a mobile device only if the MobileIron app is installed and the device has been authorized. If a user installs the inSync app on a personal device that MobileIron has not authorized, it will not be able to connect to the inSync Servers.

    If the device is de-authorized by MobileIron, the inSync app can no longer be used on that device.

  2. Controls the functionality permitted in the inSync mobile app.

    MobileIron can be used to configure the following on the inSync app:

    • Enable or disable copy, paste, and print
    • Whitelist which apps can access inSync files

How does the inSync Client connect and authenticate to the inSync Server and Storage Nodes from the public network through the Edge Server?

The following sections describe how data flows through the Edge Server and how inSync blocks connections from unauthorized inSync Clients.

  • How the Edge Server in the DMZ connects to the inSync Server and Storage Nodes
    1. The inSync Server and Storage Nodes initiate and maintain a secure TLS 1.2/AES-256 outbound connection to the Edge Server:
      • A unique shared key is used for communication between the Edge Server, inSync Server, and Storage Nodes. This key prevents any other host from impersonating the Edge Server.
      • The Edge Server cannot initiate a connection to the inSync Server or Storage Nodes.
    2. When the inSync Client connects to inSync, it creates a TLS 1.2/AES-256 connection to the Edge Server only.
      • The Edge Server's certificate is validated against the certification authority (CA), which prevents a man-in-the-middle attack.
    3. The inSync Client is authenticated by verifying its device token and credentials against the inSync Server. This includes the following checks:
      • The Edge Server checks the format of the authentication call parameters before forwarding them to the inSync Server. If the format is incorrect and the request does not appear to come from an authentic Druva client, the connection to the inSync Client is dropped.
      • If authentication fails, the connection between the inSync Client and the Edge Server is immediately dropped.
    4. After authentication, all communication between the inSync Client, inSync Server, and Storage Node is relayed through the Edge Server.
  • Mass deployment of the inSync Client
    1. The inSync administrator generates a Mass Deployment Token (MDT) from the inSync Server.
    2. The inSync administrator uses automated installation tools to install the inSync Client together with its configuration (for example, the MDT and server addresses). The supported tools by device type are:
      • Mobile devices (phones/tablets): MobileIron is currently supported by Druva.
      • Laptops: Any standard computer management and software deployment tool, for example Microsoft System Center Configuration Manager (SCCM) or Casper.
  • inSync Client registration when the client connects for the first time
    1. The inSync Client creates a TLS connection to the Edge Server.
      • The inSync Client also verifies the certificate of the Edge Server.
    2. The Edge Server authenticates the inSync Client against the inSync Server using the client credentials and the Mass Deployment Token (MDT).
      • If authentication fails, the connection from the Edge Server to the inSync Client is immediately dropped.
    3. The inSync Client is registered. Additional information about the client, including a unique hardware identifier, is saved by the inSync Server.
    4. The inSync Server generates a unique device token and sends it to the inSync Client.
    5. The device token is securely saved by the inSync Client in the keychain for future authentication.
    6. The session is completed.
  • inSync Client connection after the client is already registered
    1. The inSync Client initiates a TLS connection to the Edge Server.
      • The inSync Client also verifies the certificate of the Edge Server.
    2. The Edge Server authenticates the inSync Client against the inSync Server using the client credentials and the device token.
      • If authentication fails, the connection from the Edge Server to the inSync Client is immediately dropped.
    3. The inSync Server returns an encrypted token and a pointer to the storage node assigned to the inSync Client.
      • The token is encrypted using a shared key that only the inSync Server and Storage Nodes behind the firewall hold.
      • The token is valid only for a short period, less than 2 minutes. Each time a session is started, a new token must be fetched from the inSync Server.
    4. The inSync Client initiates a new TLS connection to the Edge Server at the location of its assigned storage node. This may be the same Edge Server if both are at the same location.
    5. The Edge Server authenticates the inSync Client against the storage node using the encrypted token.
      • If authentication fails, the connection from the Edge Server to the inSync Client is immediately dropped.
    6. Data is securely exchanged between the inSync Client and the Edge Server.
    7. The session is completed.
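The registration and session flows above, modelled end to end as an added Python example (a constructed illustration, not Druva's implementation). It serves both the first-connection procedure (credentials plus MDT yield a device token) and the later-session procedure (credentials plus device token yield a short-lived storage token that only a storage node holding the shared key can validate). Assumptions made for the example: the MDT and device token are random hex strings; the storage token is an HMAC-SHA256-signed blob rather than an encrypted one, which gives the same "only holders of the shared key can mint or verify it" property using only the standard library; the user names, passwords and storage node name are constructed sample data; and the storage node's replay cache is an added safeguard that the page does not describe.

```python
"""Added example (constructed illustration, not Druva's implementation):
the registration and session flows above, modelled as three parties.

Assumptions for the example: MDT and device tokens are random hex; the
storage token is HMAC-SHA256-signed with the server/storage shared key
(the page says it is encrypted with that key; a MAC gives the same
"only key holders can mint or verify it" property with the standard
library alone); the 2-minute validity is taken from the page; the
storage node's replay cache is an added safeguard, not from the page.
"""
import hashlib
import hmac
import json
import secrets
import time

MASS_DEPLOYMENT_TOKEN = secrets.token_hex(16)   # generated by the inSync admin (step 1)
STORAGE_SHARED_KEY = secrets.token_bytes(32)    # held by inSync Server and Storage Nodes only
TOKEN_TTL_SECONDS = 120                          # "less than 2 minutes"


class AuthFailure(Exception):
    """Any of these makes the Edge Server drop the client connection."""


class InSyncServer:
    def __init__(self, users):
        self.users = users      # user -> password; constructed sample data
        self.devices = {}       # device_token -> (user, hardware_id)

    def _check_password(self, user, password):
        if not hmac.compare_digest(self.users.get(user, ""), password):
            raise AuthFailure("bad credentials")

    def register(self, user, password, mdt, hardware_id):
        """First connection: credentials + MDT -> unique device token."""
        self._check_password(user, password)
        if not hmac.compare_digest(mdt, MASS_DEPLOYMENT_TOKEN):
            raise AuthFailure("mass deployment token rejected")
        device_token = secrets.token_hex(32)
        self.devices[device_token] = (user, hardware_id)   # hardware id saved (step 3)
        return device_token

    def open_session(self, user, password, device_token, now=None):
        """Later connections: credentials + device token -> short-lived storage
        token plus a pointer to the storage node assigned to the client."""
        self._check_password(user, password)
        if self.devices.get(device_token, (None,))[0] != user:
            raise AuthFailure("unknown device token")
        now = time.time() if now is None else now
        claims = {"user": user, "exp": int(now) + TOKEN_TTL_SECONDS,
                  "nonce": secrets.token_hex(8)}
        body = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(STORAGE_SHARED_KEY, body, hashlib.sha256).hexdigest()
        return {"storage_node": "storage-1.corp.example", "token": body.hex() + "." + tag}


class StorageNode:
    def __init__(self):
        self.seen_nonces = set()   # added replay guard (assumption, not from the page)

    def verify(self, token, now=None):
        """Accept only tokens minted with the shared key, unexpired, and not reused."""
        try:
            body_hex, tag = token.split(".", 1)
            body = bytes.fromhex(body_hex)
        except ValueError:
            raise AuthFailure("malformed storage token") from None
        expected = hmac.new(STORAGE_SHARED_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            raise AuthFailure("token was not minted with the shared key")
        claims = json.loads(body)
        now = time.time() if now is None else now
        if now >= claims["exp"]:
            raise AuthFailure("token expired; client must fetch a new one")
        if claims["nonce"] in self.seen_nonces:
            raise AuthFailure("token replayed")
        self.seen_nonces.add(claims["nonce"])
        return claims


def rejects(fn, *args, **kwargs):
    """True if the call is refused with AuthFailure (i.e. the Edge would drop it)."""
    try:
        fn(*args, **kwargs)
    except AuthFailure:
        return True
    return False


def run_flow():
    """Happy path: registration, then one session that reaches the storage node."""
    server, node = InSyncServer({"alice@corp.example": "correct horse"}), StorageNode()
    device_token = server.register("alice@corp.example", "correct horse",
                                   MASS_DEPLOYMENT_TOKEN, hardware_id="SN-0001")
    grant = server.open_session("alice@corp.example", "correct horse", device_token)
    return node.verify(grant["token"])


if __name__ == "__main__":
    print(run_flow())
```

Two properties worth noting: the Edge Server never holds the shared key, so even a compromised Edge cannot mint a storage token, and the storage node can validate a token without calling back to the inSync Server, which is what lets the same client be routed to an Edge Server at another location.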

