Appgate Connector FAQ

The Connector is an easy way to protect remote networks and/or groups of under-protected devices. The Advanced Connector has multiple configuration options; with the Express Connector, however, only minimal configuration is required to allow users to connect to the local resources associated with a Connector via Appgate SDP Gateways.

In a typical environment, a Connector would be deployed as a standalone Appliance in a remote location such as in the Cloud or at a site office.

The Connector can be configured for HA operation if required.

For more detailed information there are separate sections for the Express Connector and the Advanced Connector.

About the Connector

1.   What are Connector resource groups?

•    A resource group in Appgate SDP is a configuration object that defines a set of local resources (such as IP addresses or subnets) that will be accessible through a specific Connector instance.
•    Each resource group is mapped to a dedicated Client instance running inside the Connector appliance.
•    Each resource group runs in its own isolated Linux namespace (virtual network) within the Connector. This ensures that traffic and policies are kept separate between different resource groups.
•    Up to 60 Resource Groups can be configured on a single Connector.
•    A resource group covers whichever appliances on the network you want to protect behind the Connector. It can be one IP or a full subnet, for example 192.168.1.1 or 192.168.1.0/24.

2.   How do Connector resource groups work?

•    A resource group in Appgate SDP is a logical grouping of local resources (such as IP addresses or subnets) that share the same access rights and are managed by a single Client instance within a Connector.
•    Each Connector can run multiple Client instances, with each instance dedicated to handling the traffic for its assigned resource group.

3.   Can a single device handle multiple Connector resource groups?

•    The simple answer is yes, it can.
•    A single Connector can handle multiple resource groups, up to 60 resource groups with 16000 TCP connections.
•    This totals a maximum of 60 Client instances per Connector.
•    A resource group is granted a license at the time it is created.

4.   What are the limitations of a single Connector?

•    The Connector will use more RAM as the number of Clients configured increases.
•    You have the option to configure a virtual appliance; however, memory would need to be increased by 25 MB for each additional configured client/resource group.
•    1 GB of memory would equate to roughly 40 connected clients.
•    A maximum of 60 clients can be used on one Connector, irrespective of whether it is a hardware or virtual appliance.
•    It is recommended to configure redundancy and have a pair of Connectors in HA.
•    You are able to configure a hybrid setup with one virtual and one physical appliance if they have network connectivity.

5.   How does the licensing model work?

•    The system consumes 1 software license per resource group. Resource groups are sold in bundles of 5, 50, or 500.
•    A resource group can contain any number of resources as long as they’re on the same network/share conditions, and as long as the resources do not exceed the maximum of 16,000 TCP connections.
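
The limits above (resource entries given as one IP or a subnet, 60 groups per Connector, 25 MB per client, 16,000 TCP connections per group, licenses in bundles of 5, 50, or 500) can be checked against a planned deployment before it is built. The following is an added example, not Appgate code; the plan format, function names and the "buy the fewest licenses" rule are assumptions made for illustration.

```python
import ipaddress

# Limits quoted from this FAQ.
MAX_GROUPS = 60         # resource groups (Client instances) per Connector
MB_PER_CLIENT = 25      # RAM per configured client/resource group (1 GB ~ 40)
MAX_TCP = 16000         # TCP connections per resource group
BUNDLES = (500, 50, 5)  # resource group licenses are sold in these bundles


def license_bundles(groups):
    """Smallest purchase covering `groups` licenses, as {bundle_size: count}.
    Assumption: buy the fewest licenses, then the fewest bundles."""
    remaining = -(-groups // 5) * 5          # round up to a multiple of 5
    order = {}
    for size in BUNDLES:
        count, remaining = divmod(remaining, size)
        if count:
            order[size] = count
    return order


def check_plan(plan, tcp_estimates=None):
    """plan: {group_name: [ip_or_subnet, ...]} (hypothetical format).
    Returns (errors, summary)."""
    errors = []
    tcp_estimates = tcp_estimates or {}
    if len(plan) > MAX_GROUPS:
        errors.append(f"{len(plan)} resource groups exceed the maximum of {MAX_GROUPS}")
    for name, entries in plan.items():
        for entry in entries:
            try:
                # strict=True rejects subnets written with host bits set,
                # e.g. 192.168.1.1/24 instead of 192.168.1.0/24.
                ipaddress.ip_network(entry, strict=True)
            except ValueError as exc:
                errors.append(f"{name}: {entry!r} is not a valid IP or subnet ({exc})")
        if tcp_estimates.get(name, 0) > MAX_TCP:
            errors.append(f"{name}: estimated TCP connections exceed {MAX_TCP}")
    summary = {
        "groups": len(plan),
        "client_ram_mb": len(plan) * MB_PER_CLIENT,
        "licenses": license_bundles(len(plan)),
    }
    return errors, summary


if __name__ == "__main__":
    # Constructed sample plan; the third group contains a mistyped subnet.
    sample = {"cameras": ["192.168.1.0/24"], "plc": ["192.168.1.1"],
              "sensors": ["192.168.1.1/24"]}
    print(check_plan(sample, tcp_estimates={"cameras": 20000}))
```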

6.   How does redundancy work?

•    Redundancy, or High Availability (HA), can be set up so that two Connectors share a single VIP (Virtual IP Address) and exactly replicate all Resource Groups.
•    The Appgate SDP system uses a match on the virtual IPs to associate the HA pair.
•    The two appliances will negotiate which one is to become active.
     o    If the active one goes off-line, then the other will become active.
     o    You can see which one is active in the dashboard.
     o    Look in the Connector's status for the Network IP addresses.
     o    The Connector with both the actual IP and the virtual IP shown is currently the active Connector.
•    When operating in HA mode, VRRP is used to start / stop Clients on the Connectors according to the VRRP state.
•    HA operation relies on the use of the VRRP protocol. This means that HA Connector deployments can only work in environments which support VRRP traffic. This effectively rules out Cloud environments.

7.   How many IoT devices can connect to a single Connector before you need to add an additional one for redundancy?

•    60 Resource groups that can handle 16000 TCP connections each.
•    Scaling between connectors is not possible since the second connector, added for HA, will be in sleep mode until needed.

8.   Types of Connectors

•    There are two types of Connectors, Express and Advanced.
•    Express allows you to do a basic configuration, but you are limited to only one Policy and it will consume one Resource Group license. Communication flow will be DOWN traffic from users to local resources.
•    Advanced allows you more flexibility by configuring multiple resource groups; each resource group will consume one Resource Group license. Communication flow will be UP from local resources (such as a webcam) and DOWN traffic from protected resources behind Appgate Gateways.

9.   Deployment Options

•    You have the capability to deploy a virtual or physical appliance depending on where your IoT devices are located and system resource availability.
•    As long as the Connector can access your Collective, there is no need for public IPs or public DNS entries.
•    It is advisable to have an HA or redundant deployment. The devices will work together; however, one device will always be active.