Appgate SDP appliances are deployed in front of your protected resources so it's important that you have a good understanding of your current network topology. This information can then be used to optimize the placement of Controllers, Gateways, and Connectors throughout your network.
The placement of appliances is no longer tied to the DMZ and they can be deployed in a distributed manner, because all communication between appliances uses a trust model based on X.509 certificates. This means that:
Appliance hostnames are important, as they will be used to generate the correct certificates with the correct information
DNS needs to be used so the appliance can be accessed from the Internet
Time synchronization matters for all Clients and appliances, since certificate validity is checked against the local clock
To streamline installation and configuration, this section provides a checklist of factors to consider prior to starting the process. Carefully review the requirements and questions below. You may wish to refer to the Interface schematic in the Appendix for an illustration of a typical installation.
Compatibility
Browser. Ensure that you are using a compatible browser for the admin UI and the Portal. Much of our testing has been performed on Chrome, Firefox and Safari; however, you should test and select a browser that provides full functionality before deploying.
Virtualization platforms. If using virtualization platforms to host appliances, ensure they are up to date and supported.
Client platforms. Ensure that any platforms you plan to install Clients on are supported.
For information on compatible browsers, virtualization platforms, and client platforms, see the AppGate Support page.
Networking
List the protected resources that users will access with the Appgate SDP system. These may be in separate network zones or environments.
Determine how any hostnames will be resolved in each of your network zones (if appropriate). Each of these network zones will be treated as an individual Site when configuring the Appgate SDP system.
Identify the IP addresses or hostnames you will use for the Appgate SDP appliances deployed in the Collective.
Determine which NICs, networks, and IP addresses you will use for the encrypted traffic between the appliances.
Ensure that each appliance can reach at least one DNS server and one NTP server.
Determine if you would like to use a separate network and related interface for each appliance.
Determine which networks will be used for Client connections: internal private networks, external internet, or both.
If you use external Identity Providers as an authentication source, ensure that the Controller can reach the required server(s).
To use AppGate's ZTP service, ensure that the Controllers can reach *.appgate.net.
Determine whether the default IP Pool of 254 addresses is sufficient or whether a larger pool will be required. If you choose to disable Source NAT on Gateways, ensure that your chosen IP pool range is routed back to each Gateway.
Ensure that the following ports (TCP unless specifically noted otherwise) are open to and from the appliances in your network (see the interface schematic):
UDP and TCP: 10000 - 65535. This range is used when establishing client-server connections and must be open between Gateways, Connectors, and any internal networks or hosts. You can check the local port range actually in use by issuing the following command on the appliance: sysctl net.ipv4.ip_local_port_range. If the range reported is narrower, the firewall rule only needs to cover the reported range.
Port 443. Used by Clients to connect and for communication between appliances. This must be open between appliances and from the Client networks where users reside. SPA may additionally require UDP 53 and UDP 443 to be open.
NOTE
A specially crafted SPA handshake packet must be received before a TLS/DTLS connection can be established with an appliance. SPA packets are always sent to port 53 (UDP) and to port 443 (UDP and/or TCP), regardless of the SPA mode configured in Global Settings, because the connecting device does not know the configuration of the receiving device.
For TCP SPA, the packet sent to port 443 (TCP) must be allowed through.
For UDP-TCP SPA, packets are sent to port 53 (UDP) and port 443 (UDP), and at least one of them must get through. If TLS is being used for the tunnel, the system subsequently performs TCP SPA as well, so the packet sent to port 443 (TCP) must also be allowed through.
Port 8443. For appliance administrators. Must be open from admin networks.
Port 22. Used for appliance administration over SSH. Must be protected: restrict access to admin networks only.
Port 123 UDP. Used for NTP. Must be open to the NTP servers from all appliances.
Port 161 UDP. Used for SNMP. Must be open from any machine making SNMP calls.
Port 5555. Used for health checks. Must be open from any load-balancers/proxies in front of Controllers or Gateways.
Port 5556. Used for Prometheus. Must be open from any Prometheus servers scraping data.
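A pre-deployment check for the port list and the SPA note above, as an added example for this checklist (it is not Appgate code). The source-role names, the SPA mode labels "tcp" and "udp-tcp", the tunnel labels "tls" and "dtls", and the hostname controller.example.com are assumptions for illustration; run the TCP probes from the network whose access you want to verify, and run the sysctl check on the appliance itself.

```python
"""Pre-deployment port check for an Appgate SDP appliance.

Added example for this checklist; it is not Appgate code. The source-role
names, the SPA mode labels ("tcp", "udp-tcp") and tunnel labels ("tls",
"dtls"), and the sample hostname below are assumptions for illustration.
"""
import socket
import subprocess

# Ports from the checklist, keyed by where the connection originates.
# Each entry: (protocol, port, purpose). TCP unless noted.
REQUIRED_PORTS = {
    "client": [("tcp", 443, "Client connections")],
    "appliance": [("tcp", 443, "appliance-to-appliance")],
    "admin": [("tcp", 8443, "admin UI/API"), ("tcp", 22, "SSH")],
    "loadbalancer": [("tcp", 5555, "health checks")],
    "prometheus": [("tcp", 5556, "metrics scrape")],
    "snmp": [("udp", 161, "SNMP")],
}

# Documented range for Gateway/Connector connections to protected resources.
EPHEMERAL_MIN, EPHEMERAL_MAX = 10000, 65535


def spa_ports(mode, tunnel="tls"):
    """Ports a Client's SPA handshake needs, per the NOTE above.

    Returns (must_all, any_of): every (proto, port) in must_all has to be
    allowed, plus at least one from any_of.
    """
    if mode == "tcp":
        return {("tcp", 443)}, set()
    if mode == "udp-tcp":
        # UDP 53 or UDP 443 must get through; a TLS tunnel then also does TCP SPA.
        must = {("tcp", 443)} if tunnel == "tls" else set()
        return must, {("udp", 53), ("udp", 443)}
    raise ValueError(f"unknown SPA mode: {mode}")


def parse_port_range(sysctl_output):
    """Parse the output of 'sysctl net.ipv4.ip_local_port_range' into (low, high)."""
    _, _, value = sysctl_output.partition("=")
    low, high = (int(v) for v in value.split())
    return low, high


def ephemeral_range_ok(low, high):
    """True when the appliance's local port range fits inside the documented rule."""
    return EPHEMERAL_MIN <= low <= high <= EPHEMERAL_MAX


def tcp_reachable(host, port, timeout=2.0):
    """True when a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_from_role(host, source_role):
    """Probe every port source_role needs on host.

    Returns {(proto, port): True | False | None}; None marks UDP ports, which a
    connect() probe cannot verify, so confirm those on the firewall instead.
    """
    results = {}
    for proto, port, _purpose in REQUIRED_PORTS[source_role]:
        results[(proto, port)] = tcp_reachable(host, port) if proto == "tcp" else None
    return results


if __name__ == "__main__":
    # On the appliance: compare its local port range with the rule.
    out = subprocess.run(["sysctl", "net.ipv4.ip_local_port_range"],
                         capture_output=True, text=True, check=True).stdout
    low, high = parse_port_range(out)
    print("local port range", (low, high),
          "ok" if ephemeral_range_ok(low, high) else "OUTSIDE RULE")
    # From an admin workstation: probe the admin ports on an assumed hostname.
    for key, ok in check_from_role("controller.example.com", "admin").items():
        print(key, {True: "open", False: "BLOCKED", None: "unverified (UDP)"}[ok])
    must, any_of = spa_ports("udp-tcp", "tls")
    print("SPA: allow all of", sorted(must), "and at least one of", sorted(any_of))
```

UDP ports (53, 161, 443) are reported as unverified rather than guessed at: a UDP probe gets no answer from a silently dropping firewall and none from an open port either, so the allow rule for those has to be confirmed on the firewall itself.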
Refer to the following for more information:
System Security - best practice guide for details about how to secure an appliance.
Network configuration for more details about the communications within a Collective.
Identity Providers
Determine the identity providers to be used with the system.
Before deployment, perform an audit of both user and machine group memberships. Appgate SDP rule decisions depend on which groups a machine or user belongs to.
Name Resolution
Determine the form of name resolution for each Site.
Determine whether you will use the product on only the internal network, only the external network, or both.
Choose your local DNS domain
Choose your external DNS domain
Do you have an internal DNS server set up that would do the resolving of the local domain?
Do you plan to use the default DNS resolver within an AWS VPC? Its address is the base of the VPC's CIDR block plus two, for example 10.0.0.2 for a VPC with CIDR 10.0.0.0/16 (it is also reachable at 169.254.169.253).
Do you have access to the cloud names (Tags, VPCs, or virtual networks) that can be used to resolve hosts?
Determine the hostname(s) that will be used for the admin Controller's admin/API TLS connection.
Determine the hostnames that will be used for the Controllers' System TLS connections.
Establish the profile DNS name the Clients should use to connect to the Controller and ensure that name is resolvable to external users on the internet.
Are you using hostnames or IP addresses for the Gateways? If hostnames, are they resolvable by external users on the Internet?
Determine the hostname you will give to the Portal.
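A resolution check for the planned Collective hostnames, as an added example for the Name Resolution checklist above (not Appgate code). The hostnames, the internal/external scope given to each, and the two resolver tables are constructed for illustration; the split-horizon flag is this example's own design. Against real infrastructure, pass a resolver that queries your internal server for the internal view and one run from an Internet vantage point for the external view.

```python
"""Resolution check for the planned Collective hostnames.

Added example for the Name Resolution checklist; not Appgate code. The
hostnames, scopes and the two fake resolver tables are constructed for
illustration, and the split-horizon detection is this example's design.
"""
import ipaddress
import socket


def vpc_dns_address(vpc_cidr):
    """Address of the default AWS VPC resolver: base of the VPC CIDR plus two."""
    net = ipaddress.ip_network(vpc_cidr, strict=False)
    return str(net.network_address + 2)


def system_resolver(name):
    """Resolve with this host's configured resolver; [] when the name fails."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def check_names(plan, resolve_internal, resolve_external):
    """Check each planned name in the scope(s) where it must resolve.

    plan: iterable of (hostname, scope), scope in {"internal", "external", "both"}.
    resolve_*: callables name -> list of addresses (empty on failure), so the
    external view can come from a resolver run outside the network.
    Returns {name: {"internal": [...] | None, "external": [...] | None,
                    "ok": bool, "split_horizon": bool}}.
    """
    report = {}
    for name, scope in plan:
        want_int = scope in ("internal", "both")
        want_ext = scope in ("external", "both")
        internal = resolve_internal(name) if want_int else None
        external = resolve_external(name) if want_ext else None
        ok = (not want_int or bool(internal)) and (not want_ext or bool(external))
        # Same name, different answers inside and outside: legitimate split
        # horizon, but worth confirming it is intentional for a Gateway.
        split = bool(internal) and bool(external) and set(internal) != set(external)
        report[name] = {"internal": internal, "external": external,
                        "ok": ok, "split_horizon": split}
    return report


# Constructed plan: which names must resolve where (assumed hostnames).
PLAN = [
    ("controller.corp.example", "internal"),   # Controllers' System TLS name
    ("profile.example.com", "external"),       # profile name Clients connect to
    ("gw.example.com", "both"),                # Gateway reached from inside and outside
    ("portal.example.com", "external"),        # Portal hostname
]

# Constructed resolver views standing in for an internal and an external resolver.
INTERNAL_VIEW = {"controller.corp.example": ["10.0.1.10"], "gw.example.com": ["10.0.2.20"]}
EXTERNAL_VIEW = {"profile.example.com": ["203.0.113.10"], "gw.example.com": ["203.0.113.20"]}


def check_sample_plan():
    """Run the check over the constructed views (the Portal is deliberately missing)."""
    return check_names(PLAN, lambda n: INTERNAL_VIEW.get(n, []),
                       lambda n: EXTERNAL_VIEW.get(n, []))


if __name__ == "__main__":
    print("AWS VPC 10.0.0.0/16 resolver:", vpc_dns_address("10.0.0.0/16"))
    for name, r in check_sample_plan().items():
        print(name, "ok" if r["ok"] else "UNRESOLVED",
              "(split horizon)" if r["split_horizon"] else "")
    # Against real infrastructure: check_names(PLAN, system_resolver, <external resolver>)
```

In the constructed data the Gateway name resolves to a private address internally and a public one externally, which is reported as split horizon but still passes; the Portal name resolves nowhere and fails, which is the case the checklist's "resolvable to external users" questions are meant to catch before Clients are rolled out.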