Bridged Proxy Cluster
Overview
You can deploy a StrongDM proxy cluster in "bridged" mode to enable access to a high-security internal network that only allows outbound network connections. The bridged proxy cluster has bridge workers outside the internal network and proxy workers inside the network. The proxy workers inside the network make outbound connections to one or more bridge workers running outside the network, which can then forward client traffic back to them.
How it works:
In this configuration, proxy workers are egress only, meaning they do not accept connections from outside, but they can initiate connections themselves. The proxy worker(s) inside the secure subnet reach out (through the load balancer) and make connections with the bridge worker(s) to prepare to receive traffic.
When a user attempts to use their client (StrongDM Desktop app or CLI) to connect to a resource that is attached to the bridged proxy cluster, the client reaches out to the proxy cluster's load balancer. The load balancer directs the traffic to a bridge worker, which already has a connection open from a proxy worker and routes the traffic over it.
The proxy worker proxies the connection to the resource, authenticating to it without revealing the credentials to the user.

Just like in a normal proxy cluster, every proxy worker must have access to the same set of resources. Bridge workers do not intelligently route traffic between proxy workers running in different environments. Proxy workers running in separate environments containing separate resources must belong to separate clusters.
To deploy bridge workers, follow the steps to deploy a normal proxy cluster and add the following variable to the bridge workers' environment:
SDM_BRIDGE=local
If you are using the sdm install command, you can use the --bridge flag to set this variable:
./sdm install --worker --bridge local --worker-bind-addr :443 --app-domain {APP_DOMAIN}
This instructs the workers to run in bridge mode. StrongDM recommends running multiple bridge workers behind a load balancer for high availability.
Once the bridge workers are deployed, you can deploy proxy workers inside your sensitive network and configure them to connect to the bridge workers by adding the following environment variable:
SDM_BRIDGE=<PROXY_CLUSTER_ADDRESS>:<PORT>
Here <PROXY_CLUSTER_ADDRESS>:<PORT> is the address of the load balancer in front of the bridge workers. Instead of binding to a local port and listening for incoming traffic, the proxy workers connect out to the load-balanced bridge workers and start accepting client traffic from them.
You do not need to allow inbound traffic into your sensitive network.
You do not need to deploy a second load balancer inside the network.
Proxy workers can only connect to bridge workers within the same proxy cluster. You cannot mix and match workers between proxy clusters.
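The following preflight script is an added example and is not part of the StrongDM documentation or tooling. It checks, on a worker host, that SDM_BRIDGE is well-formed for the role the host is meant to play (local for a bridge worker, host:port for a proxy worker) and, on a proxy-worker host, probes TCP egress to the bridge load balancer, which is the one new egress requirement a bridged cluster introduces. The hostname bridge-lb.example.com, the port 443 and the use of nc(1) for the probe are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not StrongDM's own code: preflight for a host in a bridged
# proxy cluster. bridge-lb.example.com and port 443 below are placeholders.

# Print the worker role implied by an SDM_BRIDGE value:
#   "bridge"  for the literal value local (the worker listens for clients
#             and for proxy workers; it dials nothing),
#   "proxy"   for host:port (the worker dials out to the bridge load balancer),
#   "invalid" for anything else (missing host, missing or non-numeric port,
#             port outside 1-65535).
# Always exits 0; callers compare the printed word.
sdm_bridge_role() {
  value="$1"
  case "$value" in
    local) echo bridge ;;
    *:*)
      host="${value%:*}"
      port="${value##*:}"
      case "$port" in
        ''|*[!0-9]*) echo invalid; return 0 ;;
      esac
      if [ -n "$host" ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; then
        echo proxy
      else
        echo invalid
      fi ;;
    *) echo invalid ;;
  esac
}

# Preflight for one host. Returns 0 when SDM_BRIDGE is usable for its role
# and, for a proxy worker, the bridge load balancer accepts a TCP connection.
# The probe uses nc(1) (assumed installed); it is skipped with a warning
# when nc is missing, so a missing tool is not mistaken for a blocked path.
bridged_preflight() {
  value="$1"
  role="$(sdm_bridge_role "$value")"
  case "$role" in
    invalid)
      echo "SDM_BRIDGE='$value' is neither 'local' nor host:port" >&2
      return 1 ;;
    bridge)
      echo "bridge worker: accepts client and proxy-worker connections; no outbound bridge address needed"
      return 0 ;;
    proxy)
      host="${value%:*}"
      port="${value##*:}"
      if ! command -v nc >/dev/null 2>&1; then
        echo "proxy worker: nc not found, skipping egress probe to $host:$port" >&2
        return 0
      fi
      # -z: connect only, send no data; -w 5: give up after five seconds.
      if nc -z -w 5 "$host" "$port"; then
        echo "proxy worker: TCP egress to bridge load balancer $host:$port OK"
        return 0
      fi
      echo "proxy worker: cannot reach $host:$port; check egress rules toward the bridge workers" >&2
      return 1 ;;
  esac
}

# Run the preflight only when invoked as "sh preflight.sh run", so the
# functions can also be sourced by another script without side effects.
# Example on a proxy-worker host:
#   SDM_BRIDGE=bridge-lb.example.com:443 sh preflight.sh run
if [ "${1:-}" = run ]; then
  bridged_preflight "${SDM_BRIDGE:-}"
fi
```

Run it with the same SDM_BRIDGE value the worker will be started with; a non-zero exit on a proxy-worker host means the worker would sit idle with no path to the bridge workers, which is the failure to rule out before starting it. Unbracketed IPv6 literals are not handled by the host:port split and should be written with brackets.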
We recommend the following best practices when deploying a proxy cluster:
Deploy one proxy cluster in each environment where you host resources.
A proxy cluster should consist of at least two proxy workers behind a load balancer for high availability.
A bridged proxy cluster should consist of at least two proxy workers inside the network and at least two bridge workers behind a load balancer for high availability.
Configure the load balancer to accept connections on port 443 and forward them to the individual workers on port 8443 (the proxy workers in a normal cluster, the bridge workers in a bridged cluster).
Use a network load balancer to forward TCP traffic directly to the proxy workers without any processing.
If the load balancer supports client IP address preservation, enable it.
Use a DNS domain name to route traffic to the load balancer rather than an IP address.
Proxy Egress Requirements
Workers in a bridged proxy cluster have the same egress requirements as in a normal proxy cluster. In addition, the proxy workers must be allowed to egress to the bridge workers.
Third-party Certificates
Third-party certificates are supported the same as in a normal proxy cluster. You must ensure the relevant environment variables are set on both the bridge workers and proxy workers.