We have an instance of McAfee ePO Agent Handler in DMZ and exposed to the internet, which we wish to protect with Cloudflare against DDoS attacks. The Agent Handler (AH) is basically an HTTPS service, through which we can push McAfee Endpoint Security policies to employee computers when they are outside our local network or VPN. It’s currently served on, although it’s not meant to be accessed via a browser, you can just inspect the SSL certificate from there.

The trust between Endpoint Security clients and the AH is based on a (self-signed) SSL certificate, which the AH presents to clients. And this certificate cannot be changed or exported.

Now, the question/problem is, is it possible to somehow use Cloudflare’s tools to protect the AH’s IP against DDoS attacks? We have tried setting up a DNS for the AH’s IP and simply enabling proxying, but that doesn’t work, because after that the AH service doesn’t present its own original certificate, but shows Cloudflare’s certificate instead.
The same thing happens with Spectrum - the origin server’s cert gets replaced.

I assume what would work is enabling proxy for the DNS but setting SSL security to Off? Even though this also wouldn’t be a viable solution, because we have other services hosted on that domain that need the SSL security.

Are there any other options we can use with Cloudflare?

Turns out actually Spectrum can be used for this and it will work as needed. During my initial testing, I might have been too hasty and not checked for proper results.
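An added check for the situation described above (example code, not from the original poster or from McAfee/Cloudflare): it connects to the fronted hostname, takes the leaf certificate the edge actually presents, and compares its SHA-256 fingerprint with the fingerprint pinned from the Agent Handler's own self-signed certificate. The hostname and expected fingerprint are placeholders you must fill in; the fingerprint is read from the origin directly, not through the proxy.

```python
# Added example (not part of the original post): confirm whether a TLS endpoint
# hands out the Agent Handler's own self-signed leaf certificate or a substitute
# inserted by an intermediary such as a TLS-terminating proxy.
import hashlib
import socket
import ssl

# Placeholder: SHA-256 fingerprint of the AH's self-signed certificate, obtained
# from the origin itself (assumption: you have already read it off the server).
EXPECTED_FINGERPRINT = "PLACEHOLDER_SHA256_HEX"


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..' style fingerprints; return lowercase hex."""
    return fp.replace(":", "").replace(" ", "").lower()


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def classify_presented_cert(der: bytes, expected_fp: str) -> str:
    """'origin' when the presented leaf matches the pinned fingerprint, else 'replaced'."""
    if cert_fingerprint(der) == normalize_fingerprint(expected_fp):
        return "origin"
    return "replaced"


def fetch_leaf_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Open a TLS connection and return the peer's leaf certificate as DER bytes.

    Chain verification is disabled on purpose: the AH certificate is self-signed,
    and the point here is to pin the exact leaf, not to validate a CA chain.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Placeholder hostname: the DNS name that Cloudflare fronts for the AH.
    leaf = fetch_leaf_cert_der("ah.example.com")
    print(cert_fingerprint(leaf), classify_presented_cert(leaf, EXPECTED_FINGERPRINT))
```

Run it once against the origin IP and once against the proxied name; the check only passes when both report the same fingerprint and "origin".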

