...

EdgeView is a tool that allows users to interact with remote edge devices and applications. EdgeView is implemented as a Docker container. The EdgeView container on the remote device serves the 'server' function, and the same container on the user's laptop serves the 'client' function. The EdgeView client and server hop through the Dispatcher to communicate with each other. For a more detailed description of EdgeView, see the EdgeView Architecture document. EVE has supported EdgeView since release 8.5.0.

...

SSH works fine if the user's laptop and the edge device are in the same network, either both on the Internet or both in a private VPN. If the edge device is behind NAT, a firewall, LTE or a proxy server, and the user's laptop is not, then SSH will not work. Also, even when the user's laptop and the device belong to the same network, if multiple users want to access the device they all need to share the private SSH key (or add multiple public keys onto the device), which is sometimes not desirable.

...

There are many different SD-WAN solutions; different enterprises use different solutions and have different IT policies and rules for the SD-WAN network. Using SD-WAN software to access the edge device and its applications for troubleshooting has to be worked out case by case. The user can create a virtualized instance of the SD-WAN client as an App on the EVE device; the user's laptop also has to be part of the VPN. Once the correct routing is set up in the SD-WAN App, the user can access the other applications on the EVE device or the network connected to the EVE device.

Another solution would be an SD-WAN for EVE devices provided by the EVE controller provider, independent of the enterprises. The EVE controller provider manages the SD-WAN controllers and systems, and the SD-WAN client runs as part of the EVE software. First of all, this requires the enterprise IT's permission to bring a non-native SD-WAN into their remote locations; then managing the SD-WAN controller itself, and making it scalable and highly available, is not a trivial task. There is also the challenge of the security measures needed for managing multiple enterprises and synchronizing each device's SD-WAN status to the EVE controllers.

The EdgeView solution, by contrast, is lightweight and does not need a controller for its operation. The user on the EVE device controller needs to authorize and start the session; the rest of the operation is between the user and the EVE device, sharing a private token which has only a limited time to live. EdgeView does not have all the capabilities of a normal SD-WAN: it has a set of commands to be used for EVE device troubleshooting, and it allows TCP access to applications and other servers on the remote network. Users do not need to configure and run routing protocols for EdgeView, which SD-WAN clients normally require.

...

WireGuard and OpenVPN allow clients to communicate through their servers, which reside on the cloud side. Normally all the endpoints share the same IP subnet in the VPN, and all the endpoints of this VPN can talk to each other (if the server does not set limitations). The procedure to set up something for a user laptop to access the edge node and its applications is like this:

...

OpenVPN is similar to WireGuard in terms of the client/server scheme, although different cryptographic mechanisms are used. Similar steps to the above are needed.

With EdgeView, on the device controller, the user just needs to click one button to start EdgeView on the device; this also creates an EdgeView client script ready to run on the user's laptop. There is no need to program another server configuration with IP addresses and public keys. No routing needs to be set up, and there are no VPN IP address allocation issues. EdgeView does not have the N-to-N communication capability of a normal SD-WAN or VPN, but it allows multiple users to access a device behind a firewall or a proxy server, to troubleshoot the device and manage the applications associated with it, in a secure way.

...

No. Unlike a normal VPN going through multiple domains (with the Internet in the middle) using routing schemes, EdgeView has multiple intermediate nodes stitching the traffic bidirectionally. It does not need an IP-over-IP scheme; the EdgeView message is carried in normal TCP packets without an IP overlay.

9) If the controller has a 'Remote Console' for an EVE App, is that equivalent to EdgeView?

Yes or no. The EdgeView TCP channel does offer the capability of allowing users to use a VNC client to connect to the EVE application's console port, but it also offers other access methods such as SSH, and it allows users to reach other TCP services provided by the applications. EdgeView allows users to do debugging and troubleshooting on the targeted EVE device.

In the EdgeView scheme, the controller's role is to set up and start the EdgeView session; the controller does not get involved in the packet/data message switching part.

Decoupling the controller from the operation of EdgeView offers several benefits. First, it simplifies the controller's workflow; when debugging EdgeView operation itself, the only item that needs to be checked is the EdgeView container that runs on the device side and on the user's laptop; and when adding a new feature to EdgeView, normally only the EdgeView code needs to be touched, so it is easy and fast to add features to EdgeView.

...

Making an analogy between EdgeView and SD-WAN, EdgeView is a hub-and-spoke topology with the Dispatcher as the 'hub' and the user's laptop and the EVE device as two 'spokes'. This is true for any VPN whose different remote sites have to cross domains or the Internet. The Dispatcher connects to the two different sites of the same EdgeView session to allow the user to access the EVE device and applications. The Dispatcher stitches the messages from one side to the other based on a predetermined hash value generated by the EVE device controller.

The Dispatcher can be placed anywhere, in the public cloud or in a private data center, as long as it can be reached from both ends of the EdgeView containers (the EVE device and the user's laptop). It can be controlled by the same cloud management as the EVE device's controller or by the enterprises themselves. Since all EdgeView messages through the Dispatcher are either authenticated or encrypted, it cannot insert messages into the session or read from the session.
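As an added illustration (not EdgeView's own code, and a deliberate simplification of the architecture above), the following Python models the hub-and-spoke trust split the FAQ describes: the Dispatcher pairs the two ends that present the same session hash and relays frames it cannot read into, while each end authenticates every frame with the private session token the Dispatcher never holds. The token, hash value and message bytes are constructed placeholders; only authentication is modelled, not the encryption the FAQ also mentions.

```python
import hashlib
import hmac

class Endpoint:
    """One end of a session (laptop or EVE device); holds the private session token."""
    def __init__(self, name: str, token: bytes):
        self.name, self.token, self.inbox = name, token, []

    def seal(self, payload: bytes) -> bytes:
        # Authenticate each frame with the shared token; the Dispatcher never holds the token.
        return hmac.new(self.token, payload, hashlib.sha256).digest() + payload

    def open(self, frame: bytes):
        # Return the payload only if its tag verifies; anything else is dropped as None.
        tag, payload = frame[:32], frame[32:]
        good = hmac.new(self.token, payload, hashlib.sha256).digest()
        return payload if hmac.compare_digest(tag, good) else None

class Dispatcher:
    """Hub: pairs the two spokes presenting the same session hash and relays opaque frames."""
    def __init__(self):
        self.sessions = {}

    def attach(self, session_hash: str, endpoint: Endpoint) -> None:
        peers = self.sessions.setdefault(session_hash, [])
        if len(peers) == 2:
            raise ValueError("session already has two ends")
        peers.append(endpoint)

    def relay(self, session_hash: str, sender: Endpoint, frame: bytes) -> None:
        # The hub only matches on the hash value; it never inspects or verifies the frame.
        for peer in self.sessions[session_hash]:
            if peer is not sender:
                peer.inbox.append(frame)

def run_session() -> dict:
    # Constructed values standing in for what the controller would hand out (assumption).
    token = b"constructed-private-session-token"
    session_hash = "constructed-session-hash-from-controller"
    laptop, device = Endpoint("laptop", token), Endpoint("device", token)
    hub = Dispatcher()
    hub.attach(session_hash, laptop)
    hub.attach(session_hash, device)
    hub.relay(session_hash, laptop, laptop.seal(b"cmd: log query"))
    genuine = device.open(device.inbox.pop())
    # A misbehaving hub injects its own frame: without the token its tag cannot verify.
    forged = hmac.new(b"guess", b"cmd: reboot", hashlib.sha256).digest() + b"cmd: reboot"
    hub.relay(session_hash, laptop, forged)
    injected = device.open(device.inbox.pop())
    return {"genuine": genuine, "injected": injected}
```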

...

12) Does EdgeView work for devices behind NAT or a Firewall?

Yes. For firewalls, make sure the Dispatcher IP address and port number are not blocked by the firewall rules.

...

Yes and no. EdgeView uses WebSocket (the WebSocket Protocol) for bidirectional communication between the client and server. The HTTP connection needs to be upgraded between the WebSocket client and server. If the proxy server is a 'pass-through' type for the HTTPS traffic from the device, in other words if the proxy server does not intercept the TLS, then EdgeView will work through the proxy server. But if the proxy server is a 'MiTM' or 'SSL-Bump' type, the proxy server needs to make a separate HTTPS connection to the Dispatcher, and it may not request the 'Upgrade' service towards the Dispatcher; then EdgeView will break since it cannot establish the connection to the Dispatcher. This is mainly a proxy server software implementation issue. From an operational point of view, the proxy server can be configured to make exceptions for the WebSocket packets while keeping the 'MiTM' operation for the other HTTPS packets.
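As an added example (not part of the FAQ or of EdgeView's code), the following Python shows the WebSocket handshake the text describes and a check that tells a completed upgrade apart from an intercepting proxy that answered the HTTP request itself after dropping the Upgrade header. It computes the Sec-WebSocket-Accept value the Dispatcher must echo; the host, path and both sample responses are constructed placeholders, and the key/accept pair is the RFC 6455 test vector.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed handshake GUID from RFC 6455
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="           # Sec-WebSocket-Key example from RFC 6455

def expected_accept(client_key: str) -> str:
    """Sec-WebSocket-Accept the Dispatcher must return for the client's Sec-WebSocket-Key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def build_upgrade_request(host: str, path: str, client_key: str) -> bytes:
    """The HTTP request the client sends; a MiTM proxy has to forward these headers intact."""
    return (
        f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUpgrade: websocket\r\n"
        f"Connection: Upgrade\r\nSec-WebSocket-Key: {client_key}\r\n"
        "Sec-WebSocket-Version: 13\r\n\r\n"
    ).encode("ascii")

def classify_upgrade_response(raw: bytes, client_key: str) -> str:
    """Classify the reply: completed upgrade, or a proxy that never relayed the Upgrade."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    code = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if code != "101":
        return "no-upgrade"        # e.g. 200/403 from a MiTM proxy that dropped Upgrade
    if headers.get("upgrade", "").lower() != "websocket" or \
            "upgrade" not in headers.get("connection", "").lower():
        return "bad-upgrade-headers"
    if headers.get("sec-websocket-accept") != expected_accept(client_key):
        return "bad-accept"        # something other than the WebSocket server answered
    return "upgraded"

# Constructed sample replies: one from the Dispatcher, one from an intercepting proxy.
DISPATCHER_REPLY = (
    b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
    b"Connection: Upgrade\r\nSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n"
)
MITM_PROXY_REPLY = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"
```

A "no-upgrade" result against a known-good Dispatcher is the signature of the MiTM case in the answer above, and is the condition a WebSocket exception on the proxy should remove.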

...

The normal EdgeView TCP relay has problems supporting HTTPS or TLS protocols, since the source and destination IP addresses are changed and the certificate content will not find a match. EdgeView supports a special TCP channel method using the proxy mechanism which can be used to support HTTPS or TLS. EdgeView treats the user's laptop and the remote EVE device as a combined 'virtual proxy server'. The client application points to the proxy IP and port on the laptop (e.g. localhost:9001), and the proxy conversion is performed at the remote EVE device, since the device has access to the remote application's routing domain. To start the EdgeView proxy, run the 'tcp/proxy' command on the laptop; then another client application (for instance a web browser) points to the laptop as its proxy server, just as in a normal proxy service setting. For the details of proxy operation, see Proxy Command.

...

Some logs are only present on the device and are not uploaded to the controller side, for example if the application on the device has the setting of 'not send logs'. Even if the logs are sent to the controller, the users of the enterprise may not have direct access to them. EdgeView offers users some simple queries for the log entries on the device.

...

22) Does the EdgeView Client script run on MacOS and Windows?

Yes. The generated EdgeView client script will run on MacOS, assuming the Docker client has been installed on the MacOS. It will also run on Windows if Docker Desktop for Windows and WSL 2 are installed (e.g. with an Ubuntu distro).

...