...
For the UI implementation of ZedControl, the user on the device page, clicks the button 'Start EdgeView' to enable the EdgeView on the device. After it is started, the 'Download Script' button can be used to download the EdgeView Client Script (the user may need to change the file to be executable. e.g. run 'chmod u+x <script file>').
For the ZCli implementation, by issuing 'zcli edge-node start-edgeview <device-name>' to enable the EdgeView on the device. An Edgeview Client Script will be downloaded onto the user's laptop.
...
OpenVPN is similar to WireGuard in terms of the scheme of client/server, different cryptographic mechanisms are used. Similar steps as above are needed.
Some firewalls drop outbound UDP packets unless they are DNS type (Wireguard is UDP), to utilize the edge node controller HTTPs endpoint is important.
While for EdgeView, on the device controller, the user just needs to click one button to start the EdgeView on the device, it also creates a EdgeView client script to be ready to run on the user's laptop. There is no need to program another server configuration for the IP addresses and public keys. There is no routing that needs to be set up, and also there are no VPN IP address allocation issues. Yes, EdgeView does not have the N-to-N communication capability as in a normal SD-WAN or a VPN, but it allows multiple users to access the device which is behind a firewall or a proxy server to do the troubleshooting of the device and the management of applications associated with the device in a secure way.
...
No. Unlike a normal VPN going through multiple domains (with Internet in the middle) using routing schemes, EdgeView has multiple intermediate nodes stitching the traffic bidirectionally. It does not need to use IP over IP scheme. The EdgeView message is carried in normal TCP packets without IP overlay.
9)
...
Can the EdgeView Client and Device Communication bypass Dispatcher
No. The EdgeView channel between the client on the user's laptop and the remote device has to go through the Dispatcher. It currently does not support a dynamic shortcut for direct connection. The use cases of EdgeView is not a general full-mesh VPN solution which may try to optimize the latency.
10) If controller has 'Remote Console' for EVE App, is that equivalent to EdgeView
Yes or no. EdgeView TCP channel does offer the capability of allowing the users to use VNC client to connect to the EVE application's console port, but it also offers other access methods such as SSH, and it allows users to get to other TCP services provided by the applications. EdgeView allows the users to do debugging and troubleshooting on the targeted EVE device.
In the EdgeView scheme, the controller's role is to set up and start the EdgeView session; the controller does not get involved in the packet/data message switching part.
The decoupling of controllers from operation of EdgeView offers several benefits. First it allows simplification of controller's workflow; when debugging EdgeView operation itself, the only item needs to be checked is the EdgeView container which runs on the device side and on the user's laptop; when adding a new feature into EdgeView, normally only the EdgeView code needs to be touched, thus it is easy and fast to add features into EdgeView.
11) Why Dispatcher is needed, who controls it
If making an analogy between EdgeView and SD-WAN, EdgeView is a Hub and Spoke topology with the Dispatcher as the 'Hub' and the user's laptop and the EVE device are two 'Spokes'. This is true for any VPN with different remote sites having to cross the domains or Internet. The Dispatcher will connect to two different sites for the same EdgeView session to allow the user to access the EVE device and applications. The Dispatcher will stitch the messages from one side to the other based on a predetermined hash value generated by the EVE device controller.
Dispatcher can be placed anywhere, in the public cloud or private data center, as long as it can be reached from both ends of the EdgeView containers (the EVE device and the user laptop). It can be controlled by the same cloud management of the EVE device's controller or by the enterprises themselves. Since all the EdgeView messages through the Dispatcher are either authenticated or encrypted, it can not insert messages into the session or read from the session.
12) What is EdgeView TCP channel
From the user enabling EdgeView TCP channel point of view, it is by issuing the command 'tcp/<ip-address:port>/...', it will launch the TCP channel. See detail on TCP command.
The EdgeView TCP channel bridges the user's laptop TCP service to the remote device TCP service across different routing domains. The EdgeView on the user's laptop will set up TCP servers (listening on the pre-allocated TCP ports, 9001 and above). When the user launches some TCP client program, for example, 'ssh' client or web browser to point to the EdgeView local TCP service endpoint, this will be just like the user launching those client services on the remote device.
13) Does EdgeView work for devices behind NAT or Firewall
Yes. For firewalls, make sure the dispatcher IP address and port number is not blocked by the firewall rules.
14) Can Edgeview work if the device is behind a proxy server
Yes and no. EdgeView uses WebSocket (The Websocket Protocol) for bidirectional communication between the client and server. The HTTP protocol needs to be upgraded between the websocket client and server. If the proxy server is a 'pass-through' type for the HTTPs traffic from the device, in other words if the proxy server does not intercept the TLS, then the EdgeView will work through the proxy server. But if the proxy server is a 'MiTM' type or 'SSL-Bump' type, the proxy server needs to make a separate HTTPs connection to the DIspatcher and it may not request the 'Upgrade' service towards the Dispatcher, then the EdgeView will break since it can not establish the connection to the Dispatcher. This is mainly a proxy server software implementation issue. From an operational point of view, the proxy server can be configured by making exceptions for the WebSocket packets while keeping the 'MiTM' operation for the other HTTPs packets.
15) Can I SSH into the remote EVE device over EdgeView
Yes if the controller policy allows it. EVE software has the 'ConfigItem' configuration for installing user's SSH public key, the 'sshd' currently listens on '0.0.0.0:22'; but later on it can be changed to listen only on '127.0.0.1:22' and dynamically sets up a non-root user to be more secure. Assume the user's laptop has the SSH private key, the user sets up the EdgeView command 'tcp/localhost:22' in one terminal, and opens another terminal to enter the SSH session by issuing "ssh -i <my-ssh-private-key> root@localhost -p 9001".
16) How to use WireShark on remote EVE device interfaces
You can run WireShark application on your laptop and capture packets through it to remote EVE devices. Need to run later versions of WireShark, version 3+.
First SSH needs to be enabled on your remote EVE device (upload through the EVE configure items with your SSH public key).
Launch the EdgeView with command 'tcp/localhost:22', which normally maps the channel into port 9001 locally.
In WireShark user interface (taking example of macOS), in the 'Capture' section, there is a pull-down menu, to select 'External Capture'. The page should have a list underneath with a 'setup' icon and 'SSH remote capture: sshdump' line. Click on this 'setup' icon at the left of the line. The 'Wireshark - Interface Options: SSH remote capture: sshdump' window is popped up. Configure three items:
- Server: Remote SSH server address: 127.0.0.1; Remote SSH server port: 9001
- Authentication: Remote SSH server username: root; Path to SSH private Key: browse and select your private key file, or do nothing if the private key is your laptop's '~/.ssh/rsa_id' file.
- Capture: Remote interface: type in the name of the remote EVE device interface name, e.g. 'eth0', 'bn1' or 'nbu3x2'.
You can hit the 'Capture' button on the WireShark to start collect packets, optionally define the filters you need.
17
Yes or no. EdgeView TCP channel does offer the capability of allowing the users to use VNC client to connect to the EVE application's console port, but it also offers other access methods such as SSH, and it allows users to get to other TCP services provided by the applications. EdgeView allows the users to do debugging and troubleshooting on the targeted EVE device.
In the EdgeView scheme, the controller's role is to set up and start the EdgeView session; the controller does not get involved in the packet/data message switching part.
The decoupling of controllers from operation of EdgeView offers several benefits. First it allows simplification of controller's workflow; when debugging EdgeView operation itself, the only item needs to be checked is the EdgeView container which runs on the device side and on the user's laptop; when adding a new feature into EdgeView, normally only the EdgeView code needs to be touched, thus it is easy and fast to add features into EdgeView.
10) Why Dispatcher is needed, who controls it
If making an analogy between EdgeView and SD-WAN, EdgeView is a Hub and Spoke topology with the Dispatcher as the 'Hub' and the user's laptop and the EVE device are two 'Spokes'. This is true for any VPN with different remote sites having to cross the domains or Internet. The Dispatcher will connect to two different sites for the same EdgeView session to allow the user to access the EVE device and applications. The Dispatcher will stitch the messages from one side to the other based on a predetermined hash value generated by the EVE device controller.
Dispatcher can be placed anywhere, in the public cloud or private data center, as long as it can be reached from both ends of the EdgeView containers (the EVE device and the user laptop). It can be controlled by the same cloud management of the EVE device's controller or by the enterprises themselves. Since all the EdgeView messages through the Dispatcher are either authenticated or encrypted, it can not insert messages into the session or read from the session.
11) What is EdgeView TCP channel
From the user enabling EdgeView TCP channel point of view, it is by issuing the command 'tcp/<ip-address:port>/...', it will launch the TCP channel. See detail on TCP command.
The EdgeView TCP channel bridges the user's laptop TCP service to the remote device TCP service across different routing domains. The EdgeView on the user's laptop will set up TCP servers (listening on the pre-allocated TCP ports, 9001 and above). When the user launches some TCP client program, for example, 'ssh' client or web browser to point to the EdgeView local TCP service endpoint, this will be just like the user launching those client services on the remote device.
12) Does EdgeView work for devices behind NAT or Firewall
Yes. For firewalls, make sure the dispatcher IP address and port number is not blocked by the firewall rules.
13) Can Edgeview work if the device is behind a proxy server
Yes and no. EdgeView uses WebSocket (The Websocket Protocol) for bidirectional communication between the client and server. The HTTP protocol needs to be upgraded between the websocket client and server. If the proxy server is a 'pass-through' type for the HTTPs traffic from the device, in other words if the proxy server does not intercept the TLS, then the EdgeView will work through the proxy server. But if the proxy server is a 'MiTM' type or 'SSL-Bump' type, the proxy server needs to make a separate HTTPs connection to the DIspatcher and it may not request the 'Upgrade' service towards the Dispatcher, then the EdgeView will break since it can not establish the connection to the Dispatcher. This is mainly a proxy server software implementation issue. From an operational point of view, the proxy server can be configured by making exceptions for the WebSocket packets while keeping the 'MiTM' operation for the other HTTPs packets.
14) Can I SSH into the remote EVE device over EdgeView
Yes if the controller policy allows it. EVE software has the 'ConfigItem' configuration for installing user's SSH public key, the 'sshd' currently listens on '0.0.0.0:22'; but later on it can be changed to listen only on '127.0.0.1:22' and dynamically sets up a non-root user to be more secure. Assume the user's laptop has the SSH private key, the user sets up the EdgeView command 'tcp/localhost:22' in one terminal, and opens another terminal to enter the SSH session by issuing "ssh -i <my-ssh-private-key> root@localhost -p 9001".
...
) How to log into a remote application
Before the user tries to log into the application, some application related information needs to be gathered, for instance the VNC port number, application IP address and service port numbers. Edgeview 'tcp' command can be entered for different cases. For VNC, it will be 'tcp/localhost:<590x>' which the 'x' is the VNC display number for the application. Then launch a VNC client application on the laptop with "localhost:9001' as the VNC server endpoint; for SSH (assume the application has the SSH daemon running), the command will be 'tcp/<application-intf-ip>:22'. Then open another terminal window, and issue e.g. "ssh username@localhost -i 9001". In both examples, we assume the local port for TCP is 9001.
...
18) Can I use VNC or RDP
Yes. For using VNC to application console, see above section 'How to log into a remote application'. For RDP, enable the RDP service on the window application and find the application's interface IP address, using the EdgeView command 'tcp/<app-intf-ip>:3389' in one terminal, then launch the window RDP client to "localhost:9001" to connect.
...
19) Can web browser be used over EdgeView
Yes, the EdgeView TCP channel can be used to bridge the browser application on the user's laptop and the remote applications on the device side. For instance, an application with an interface IP address of 10.1.0.135 has a service on port 8080, EdgeView command can specify: 'tcp/10.1.0.135:8080' to launch the channel, and use the browser to point to url 'http://localhost:9001/<path-to-service>'.
...
20) Will EdgeView work for HTTPs or TLS services with remote applications
The normal EdgeView TCP relay will have problems supporting HTTPs or TLS protocols, since the source and destination IP addresses are changed and the Certificate content will not find a match. EdgeView supports the special TCP channel method using the proxy mechanism which can be used to support the HTTPs or TLS. EdgeView treats the user laptop and remote EVE device as a combined 'virtual proxy server'. The client application points to the proxy IP and port to the laptop (e.g. localhost:9001) and the proxy conversion is performed at the remote EVE device, since the device has access to the remote application's routing domain. To start EdgeView proxy, run the 'tcp/proxy' command on the laptop, then another client application (for instance a web browser) points to the laptop as its proxy server just as in a normal proxy service setting. For the details of proxy operation, see Proxy Command.
...
21) Does remote application need to be on EVE devices for EdgeView access
TBD
...
22) Why log-search if device log is already uploaded to the controller
Some logs are only present on the device and not uploaded to the controller side. For example, if the application on the device has the setting of 'not send logs'. Even if the logs are sent to the controller, the users of the enterprise may not have direct access to them. EdgeView offers the users some simple queries for the log entries on the device.
...
23) Is application port mapping still needed
If the device applications have the need of internal connection (not on the Internet) for machine-to-machine communication, then the port mapping is still needed.
...
24) How to get 'Show TechSupport' while the device fails to onboard
Yes, it is possible to get a compressed 'techsupport' file while the device has not onboarded yet. For the detailed steps, see Show TechSupport before Device Onboarding.
...
25) Does the EdgeView Client script run on MacOS and Window
Yes. The generated EdgeView client script will run on MacOS, assuming the docker client has been installed on the MacOS. It will run also on Windows OS if the Docker Desktop for Windows and WSL 2 is installed (e.g. with Ubuntu distro).
If the user laptop only runs WSL 1, then the EdgeView Client script needs to be simply converted into Window style script.
...
26) Is EdgeView Container built into EVE image
Yes, in current EVE OS releases. In future, EVE OS may decide to decouple the EVE image and some of the containers. The EdgeView container can then be dynamically downloaded into the EVE device when the EdgeView session is provisioned from the controller. In some cases it can have the chicken and egg situation, for example in order to troubleshoot the problem on the EVE device we need to use Edgeview, and due to those issues the EdgeView container can not be downloaded dynamically.
...
27) What does Multi-Instance EdgeView do
It allows multiple users to access the same remote EVE device or for different applications simultaneously. In the multi-instance case, the users share the same client script for EdgeView but supply an unique 'instance-id' when issuing the EdgeView commands.