Oracle-Based Deployment Guide for Cisco IoT FND, Release 5.x.x and Later

Cisco IoT FND TPS Proxy

Updated: March 2, 2026

Want to summarize with AI?

On this page

Overview

Set up the TPS Proxy
Configure the TPS Proxy Firewall
Enroll the TPS Proxy for Cisco IoT FND
Configure Cisco IoT FND to use the TPS Proxy
Start the Cisco IoT FND TPS Proxy
Validate the TPS Proxy log entries

Overview

This topic explains how to install and configure the Cisco IoT FND TPS proxy, which enables field area routers to securely communicate with the Cisco IoT FND application server for tunnel provisioning, especially when Cisco IoT FND is behind a firewall.

The Cisco IoT FND TPS proxy is an optional server component that allows field area routers to initiate secure tunnel provisioning requests to the Cisco IoT FND application server, particularly when Cisco IoT FND is not directly accessible due to firewall restrictions.

Enables routers such as CGRs to contact Cisco IoT FND for Zero Touch Deployment (ZTD) initialization.
Operates when Cisco IoT FND does not have a publicly reachable IP address.
Authenticates HTTPS inbound requests from the TPS proxy using certificate subjects.

The Cisco IoT FND TPS proxy is used when field area routers need to communicate with Cisco IoT FND for tunnel provisioning, especially during Zero Touch Deployment (ZTD).

The TPS proxy does not have its own GUI.
Configuration requires editing the cgnms.properties and tpsproxy.properties-template files.
After tunnel provisioning, routers can contact Cisco IoT FND directly without the proxy.

Example: Using the TPS Proxy for Tunnel Provisioning

For example, when a field area router first contacts Cisco IoT FND, it uses the TPS proxy to request tunnel provisioning. After the tunnel is provisioned, the router can communicate directly with Cisco IoT FND without the proxy.

Set up the TPS Proxy

Before you begin

Install the cgms-tpsproxy RPM package Java application on a separate (TPS proxy) server to act as a stateless extension of IoT FND outside the firewall. The TPS proxy can be a Red Hat Enterprise Linux (RHEL) server. The cgnms-tpsproxy application runs as a daemon on the server and requires the following configuration parameters:

URL of the IoT FND server (to forward inbound requests).
IP address of the IoT FND server, as part of a whitelist (approved list) for forwarding outbound requests.

Before you install the TPS proxy, obtain the TPS proxy installation package:

cgms-tpsproxy-version_number.x86_64.rpm

To configure the proxy-server settings:

Procedure

	1.	Configure a RHEL server to use as the TPS proxy.
	2.	Connect this RHEL server so that it can be reached while outside the firewall.
	3.	Configure the TPS proxy using the template file: `ssh root@ tps_proxy_server cd /opt/cgms-tpsproxy/conf cp tpsproxy.properties-template tpsproxy.properties`
	4.	Edit the tpsproxy.properties file to add the following lines defining the inbound and outbound addresses for the IoT FND application server: `[root@cgr-centos57 conf]# cat tpsproxy.properties-template inbound-proxy-destination=https:// nms_domain_name :9120 outbound-proxy-allowed-addresses= nms_ip_address cgms-keystore-password-hidden=< obfuscated password >` Note You must edit the properties in the cgnms.properties and tpsproxy.properties-template files for HTTPS outbound tunnel provisioning requests so that IoT FND recognizes them as requests from the TPS proxy.

Configure the TPS Proxy Firewall

Procedure

	1.	Set up a firewall rule to allow HTTPS connections from the TPS proxy to the Cisco IoT FND server on port 9120 (for HTTPS inbound requests).
	2.	Set up a firewall rule to allow HTTPS connections from the Cisco IoT FND server to the TPS proxy on port 9122 (for HTTPS outbound requests).

Enroll the TPS Proxy for Cisco IoT FND

The enrollment process for the TPS proxy is the same as the Cisco IoT FND enrollment process. The certification authority (CA) that signs the certificate of the Cisco IoT FND application server must also sign the certificate of the TPS proxy. The certificate of the TPS proxy is stored in a Java keystore and is similar to the Cisco IoT FND certificate.

For the enrollment process, consider these scenarios:

Fresh installation
- If the keystore password is the same as the default password, change the default password.
  
  Note
  
  We strongly recommend that you change all default passwords. Do not use special characters such as, @, #, !, or + as the encryption_util.sh script cannot encrypt special characters.
- If the keystore password is different from default password, run the encryption_util.sh script and copy the encrypted password to the properties file.
  
  Note
  
  Edit the cgnms.properties and tpsproxy.properties files after running the encryption_util.sh script.

Upgrade

Regardless of whether you are using the default password or a custom one, the upgrade process encrypts the password in the /opt/cgms-tpsproxy/conf/tpsproxy.properties file.

To enroll the terminal TPS proxy:

Procedure

	1.	Create a cgms_keystore file .
	2.	Add your certifications to this file.
	3.	Copy the file to the /opt/cgms-tpsproxy/conf directory.

Configure Cisco IoT FND to use the TPS Proxy

You must edit the properties in the cgnms.properties and tpsproxy.properties-template files for HTTPS outbound tunnel provisioning requests so that Cisco IoT FND recognizes them as requests from the TPS proxy. The TPS proxy logs all inbound and outbound requests.

Note

If the properties in the cgnms.properties and tpsproxy.properties-template files are not set, Cisco IoT FND does not recognize the TPS proxy, drops the forwarded request, and considers it from an unknown device.

Note

The following examples employ variable not mandatory values, and are provided as examples only.

To configure Cisco IoT FND to use the TPS proxy:

Procedure

	1.	Open an SSH connection to the Cisco IoT FND server: `ssh root @nms_machine cd /opt/cgms/server/cgms/conf/`
	2.	Edit the cgms.properties file to add lines identifying the TPS proxy IP address, domain name, and user subjects in the cgdm-tpsproxy-subject property: Note The cgdm-tpsproxy-subject property must match the installed TPS proxy certificate. `cgdm-tpsproxy-addr= proxy_server_IP_address cgdm-tpsproxy-subject=CN= "common_name" , OU=" organizational_unit ", O=" organization ", L=" location ", ST=" state ", C=" country "` Note Use quotes around comma-separated strings.

Start the Cisco IoT FND TPS Proxy

Start the TPS proxy after it is installed, configured, and enrolled.

Procedure

Run the appropriate start script for your RHEL version:


RHEL Version	Command
8.x	`systemctl start tpsproxy`
7.x	`service tpsproxy start`

The TPS proxy log file is located at /opt/cgms-tpsproxy/log/tpsproxy.log .

Validate the TPS Proxy log entries

The TPS proxy logs all HTTPS inbound and outbound requests in the TPS proxy log file located at /opt/cgms-tpsproxy/log/tpsproxy.log . Reviewing these logs helps confirm the flow of requests and successful communication between the TPS proxy and Cisco IoT FND.

Procedure

	1.	Check the TPS proxy log file for inbound request entries for a CGR. Example: `73: cgr-centos57: May 21 2014 01:05:20.513 -0700: %CGMS-6-UNSPECIFIED: %[ch=TpsProxyServlet-49dc423f][eid=CGR1240/K9+JAF1732ARCJ][ip=192.168.201.5] [sev=INFO][tid=qtp46675819-29]: Inbound proxy request from [192.168.201.5] with client certificate subject [CN=CGRJAF1732ARCJ.example.com, SERIALNUMBER=PID:CGR1240/K9 SN:JAF1732ARCJ]` This log entry indicates an inbound HTTPS request received by the TPS proxy for a CGR device.
	2.	Verify that the TPS proxy log file contains a message indicating successful forwarding to Cisco IoT FND. Example: `74: cgr-centos57: May 21 2014 01:05:20.564 -0700: %CGMS-6-UNSPECIFIED: %[ch=TpsProxyServlet-49dc423f][sev=INFO] [tid=com.cisco.cgms.tpsproxy.TpsProxyServlet-49dc423f-22]: Completed inbound proxy request from [192.168.201.5] with client certificate subject [CN=CGRJAF1732ARCJ.example.com, SERIALNUMBER=PID:CGR1240/K9 SN:JAF1732ARCJ]` This entry confirms that the TPS proxy has successfully forwarded the inbound request to Cisco IoT FND.
	3.	Check the Cisco IoT FND server log file for entries identifying the TPS proxy and client subject. Example: `Request came from proxy Using forwarded client subject (CN=cg-cgr-1, SERIALNUMBER=PID:CGR1240/K9 SN:JSJ15220047) for authentication` This log entry in the Cisco IoT FND server log confirms that the request was received from the proxy and identifies the client subject used for authentication.
	4.	Review the TPS proxy log file for outbound request entries. Example: `%CGMS-6-UNSPECIFIED: %[ch=TpsProxyOutboundHandler][ip=192.168.205.5] [sev=INFO][tid=qtp257798932-15]: Outbound proxy request from [192.168.205.5] to [192.168.201.5:8443]` This entry shows an outbound HTTPS request initiated by the TPS proxy.
	5.	Check the Cisco IoT FND server log file for entries identifying the HTTPS connection from the proxy. Example: `Using proxy at 192.168.201.6:9122 to send to https://192.168.201.4:8443/cgdm/mgmt commands:` This entry confirms that the Cisco IoT FND server received a command via the proxy, identifying the proxy address and the target HTTPS endpoint.

Need help?

Open a support case

(Requires a Cisco Service Contract)

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.