Mango Cloud Connect Module

The Cloud Connect Module provides secure and seamless access to administer remote Mango installations behind customer firewalls or cellular connections without opening ports or using additional VPN or remote access software.

Once configured, a single click of a button on your central Mango Server opens the remote Mango system and logs you in fully, with your admin user account synchronized to the remote installation.

The Cloud Connect Module uses the popular and trusted SSH protocol to secure and encrypt all communications.

General security features are:

  • All data transmitted using Secure Shell protocol (SSH)

  • SSH password authentication is disabled

  • By default uses ECDSA authentication keys with NIST secp256r1 parameters (NSA Suite B approved)

  • Users can generate their own keys with the OpenSSH ssh-keygen tool; the software supports RSA keys and other ECDSA parameters. ED25519 is not supported.

  • Default symmetric cipher is AES 128 CTR

  • Default key exchange algorithm is ECDH SHA2 NIST p521

  • Default MAC algorithm is HMAC MD5
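An added example (not part of the Mango documentation or software): a check to run on a client public key before it is pasted into Authorized keys, which rejects unsupported or damaged keys and prints the SHA256 fingerprint for comparison with the client. The OpenSSH type names in SUPPORTED are an assumed mapping of the key families listed above, and the sample key lines are constructed from placeholder bytes.

```python
import base64
import hashlib
import struct

# OpenSSH names assumed for the key families the page lists as supported.
SUPPORTED = {"ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def read_fields(blob: bytes) -> list:
    """Split an SSH key blob into its length-prefixed fields (RFC 4251 strings)."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated key blob")
        (n,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields

def inspect_public_key(line: str) -> dict:
    """Validate one '<type> <base64> [comment]' line; return type and fingerprint."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared = parts[0]
    blob = base64.b64decode(parts[1], validate=True)  # raises ValueError if malformed
    fields = read_fields(blob)
    if not fields or fields[0] != declared.encode():
        raise ValueError("declared key type does not match the key blob")
    if declared not in SUPPORTED:
        raise ValueError(f"{declared} is not supported by Cloud Connect")
    if len(fields) != 3:  # RSA and ECDSA public keys both carry three fields
        raise ValueError("unexpected number of fields in key blob")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": declared, "fingerprint": "SHA256:" + digest}

def sample_line(key_type: str, *rest: bytes) -> str:
    """Build a CONSTRUCTED key line from placeholder bytes (not a usable key)."""
    blob = b"".join(struct.pack(">I", len(f)) + f for f in (key_type.encode(), *rest))
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"

if __name__ == "__main__":
    good = sample_line("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(64))
    print(inspect_public_key(good))
    for bad in (sample_line("ssh-ed25519", bytes(32)), " ".join(good.split()[:2])[:-8]):
        try:
            inspect_public_key(bad)
        except ValueError as err:
            print("rejected:", err)
```

The fingerprint has the same form that `ssh-keygen -lf` prints, so it can be compared against the value computed from the key file on the client.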


Configure Cloud Connect Client

To connect a remote Mango installation to the Mango Server, follow these steps. The server must be configured first; see below.

On your MangoES or Mango Installation

Go to Administration > Cloud connect and select the “Client” tab

On the Client tab, scroll down to the Client public key and click Copy to Clipboard.


On your cloud / Central server

Go to Administration > Cloud connect and select the “Server” tab

Paste the public key into the Cloud Mango Server tab under “Authorized keys”


On the Client tab fill in the following settings

Start client with Mango: True

Host: URL of your cloud Mango

Port: port being used on the cloud Mango (9999)

Accept unknown hosts: true (this will turn to false after the first connection)

Forward Mango web port: True
The port number must match the port Mango is running on on the remote device, e.g. port 80, 8080 or another.

Forward SSH port: True
The port number must match the SSH port being used on the remote device, e.g. for a MangoES it is 2222.

Click Start on the Client tab and wait for validation that the connection is successful.


On the Cloud Mango

To verify connection and access, go to Administration > Connected clients

Here you will see a list of all devices connected to the server. You can click the “Open web interface” button to access the web UI of the device via the cloud connect tunnel.


You can use the forwarded SSH port to access the MangoES from the cloud server with a command like:

ssh mango@localhost -p 37001


Configuring the Cloud Connect Server (Central Mango Installation)

The central Mango installation needs to be configured to accept the incoming cloud connect connections from remote Mango installations. These steps only need to be followed once, for the initial setup.

Go to Administration > Cloud connect > SERVER tab

  • Select Start server with Mango option.

  • Select the desired port to use for incoming connections and click the START button.


Configure the Proxy

The proxy allows admin users to access the remote Mango installation via a special URL on your cloud Mango. The GUID is used in a URL such as http://1-d597d2d9-5795-342b-8f3c-072c54f89493.demo.mangoautomation.net. This special URL will open the web GUI of the remote Mango installation with the admin user being automatically authenticated so no user name or password is needed.

Considerations:

  • You need a wildcard DNS A record for the domain name to be used, such as *.cloud.mangoautomation.net -> your server IP

  • If using SSL you need a wildcard certificate for the domain Mango is running on. In the example above, a wildcard certificate for *.mangoautomation.net will not work, because a wildcard covers only a single label; it needs to be for *.cloud.mangoautomation.net

  • When using the proxy you will only be able to access Mango at the domain you specify in the env.properties file.

Configure the proxy

In your overrides/properties/env.properties file, set:

  • sessionCookie.useGuid=true

  • sessionCookie.domain=.cloud.mangoautomation.net (note the dot after the equals sign)

On the Administration > Cloud Connect > PROXY tab

  • Enable the proxy (checkbox)

  • Enter your domain name in the text box

  • Configure the authentication as you want (recommended settings shown)

  • Restart Mango

Screenshot 2018-10-07 13.10.07.png