Using NGINX as the Proxy Server

A preferred server can be used as a proxy server between the device and the WSO2 IoT server. The steps documented below is only an example of configuring the proxy server using NGINX, which is a known reverse proxy server.

Follow the steps given below to configure the proxy Server:

Install NGINX on your production environment.
Example:
Get an SSL certificate. Make sure that the common name of the certificate you are getting matches the constructed URI.

The WSO2 IoTS client sends requests to the WSO2 IoTS server through a Proxy Server. The Windows WSO2 IoTS protocol constructs a URI that uses the host name by appending the domain of the email address to the subdomain, enterpriseenrollment for the each device request. Therefore, you can either purchase a domain name or create a DNS entry in the http://enterpriseenrollment.<EMAIL_DOMAIN> format.
Navigate to the /usr/local/etc/nginx directory, create a folder named ssl, and add the CA certificate and the private key to this folder.

Configure the /usr/local/etc/nginx/nginx.conf file with the details of the SSL certificate and the Windows endpoints as explained below.

Click here to view a configured nginx.conf file.

server {
        listen 443;
        server_name enterpriseenrollment.dilan.me;
        ssl on;
        ssl_certificate /usr/local/etc/nginx/ssl/certificate.crt;
        ssl_certificate_key /usr/local/etc/nginx/ssl/private.key;
        
        location /EnrollmentServer/Discovery.svc {
               if ($request_method = GET) {
               return 200;
        }

               proxy_set_header X-Forwarded-Host $host:$server_port;
               proxy_set_header X-Forwarded-Server $host;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_pass http://<IP>:<GATEWAY_PORT>/api/device-mgt/windows/v1.0/discovery/post;              
 
               proxy_http_version 1.1;
        }
        location /ENROLLMENTSERVER/PolicyEnrollmentWebservice.svc {
           
               proxy_set_header X-Forwarded-Host $host:$server_port;
               proxy_set_header X-Forwarded-Server $host;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_pass http://<IP>:<GATEWAY_PORT>/api/device-mgt/windows/v1.0/certificatepolicy/xcep/1.0.0;
 
               proxy_http_version 1.1;
        }
        location /windows-web-agent {
               proxy_set_header X-Forwarded-Host $host:$server_port;
               proxy_set_header X-Forwarded-Server $host;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_pass http://<IP>:9763/windows-web-agent;
               
 
               proxy_http_version 1.1;
        }
        location /ENROLLMENTSERVER/DeviceEnrollmentWebservice.svc {
               proxy_set_header X-Forwarded-Host $host:$server_port;
               proxy_set_header X-Forwarded-Server $host;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_pass http://<IP>:<GATEWAY_PORT>/api/device-mgt/windows/v1.0/deviceenrolment/wstep/;
 
               proxy_http_version 1.1;
        }

        location /ENROLLMENTSERVER/Win10DeviceEnrollmentWebservice.svc {
               proxy_set_header X-Forwarded-Host $host:$server_port;
               proxy_set_header X-Forwarded-Server $host;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_pass http://<IP>:<GATEWAY_PORT>/api/device-mgt/windows/v1.0/deviceenrolment/enrollment;
 
               proxy_http_version 1.1;
        }
        location /Syncml/initialquery {
               proxy_set_header X-Forwarded-Host $host:$server_port;
               proxy_set_header X-Forwarded-Server $host;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_pass http://<IP>:<GATEWAY_PORT>/api/device-mgt/windows/v1.0/syncml/devicemanagement/1.0.0/request/;
 
               proxy_http_version 1.1;
        }
        location /devicemgt {
               proxy_set_header X-Forwarded-Host $host:$server_port;
               proxy_set_header X-Forwarded-Server $host;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_pass http://<IP>:<GATEWAY_PORT>/api/device-mgt/windows/v1.0/management/devicemgt/1.0.0/pending-operations/;
 
               proxy_http_version 1.1;
        }
    }
    include servers/*;
}

Configure the SSL certificate details.

server {
        listen 443;
        server_name enterpriseenrollment.wso2.com;
        ssl on;
        ssl_certificate /usr/local/etc/nginx/ssl/star_wso2_com.crt;
        ssl_certificate_key /usr/local/etc/nginx/ssl/enterpriseenrollment_wso2_com.key;

You need to configure the following properties:

Property	Description	Example
`server_name`	Define the common name of the certificate.	`enterpriseenrollment.wso2.com`
`ssl_certificate`	Define where you saved the SSL certificate.	`/usr/local/etc/nginx/ssl/wso2_com_SSL.crt`
ssl_certificate_key	Define where you saved the private key of the certificate.	`/usr/local/etc/nginx/ssl/enterpriseenrollment_wso2_com.key`

Configure the Windows endpoints.

Click here to know more on the required Windows endpoints.

The GATEWAY_PORT used by default in WSO2 IoTS for device management is 8280.
For more information on how the Windows endpoints are used, see how the Windows device enrollment process message flow works.

Click here to see a sample Windows endpoint configuration.

Example:

location /ENROLLMENTSERVER/PolicyEnrollmentWebservice.svc {  
    proxy_set_header X-Forwarded-Host $host:$server_port;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_pass http://10.10.10.10:8280/api/device-mgt/windows/v1.0/certificatepolicy/xcep;

    proxy_http_version 1.1;
}

Property	Description
`location`	This property specifies the "`/"` prefix that needs to be compared with the URI sent from the request. For more information, see the NGINX documentation.
`proxy_set_header`	Required to configure Windows for reverse proxy.
`proxy_pass`	Define the respective Windows endpoint.