
Data Security Gateway (DSG)

The DSG is a flexible platform that applies security operations on the network to protect sensitive data in various environments, including on-premises, virtualized, and cloud. It safeguards data across SaaS applications, web interfaces, APIs, and file transfers using Configuration over Programming (CoP) profiles.

Architecture diagram for DSG v3.3.0.0

Architecture diagram for ESA v10.0.1 with v3.3.0.0

Architecture diagram for DSG v3.3.0.0 in TAC


Legend for the diagrams above (line style used for each component):

  Component                          Active Flow            Failover Flow
  Deployment of Rulesets from ESA    _____ (solid line)     - - - - - - (dashed line)
  Policy Download                    _____ (solid line)     - - - - - - (dashed line)
  Forwarding of Audit Events to ESA  _____ (solid line)     - - - - - - (dashed line)

Communication Flow

DSG-1: DSG node configured during DSG patch installation in ESA.

DSG-2 to DSG-n: The other DSGs in the TAC.

The table below describes the communication flows depicted in the diagrams above.

Communication Flow

Deployment of Rulesets from ESA

  Step-1
    Request Initiator: ESA P1
    Destination: DSG-1
    Port: 443
    Protocol: TLS
    Flow Description: ESA P1 initiates an HTTPS request to DSG-1 directly, without GTM/LTM, to send the command for the DSGs to pull rulesets from ESA P1. If DSG-1 is down, then ESA P1 connects to any of the other DSGs, that is, DSG-2 to DSG-n.
    Configuration:
      Primary Active Flow: Sticky to ESA P1 with other ESAs as standby. ESA P1 -> DSG-1
      DR Flow: Sticky to ESA S3 with other ESAs as standby. ESA S3 -> DSG-1

  Step-2
    Request Initiator: DSG node configured during DSG patch installation in ESA (DSG-1)
    Destination: All other DSGs in TAC
    Port: 8300
    Protocol: TLS
    Flow Description: The DSG forwards the command to pull rulesets to all other DSGs in the TAC.
    Configuration: Not Applicable

  Step-3
    Request Initiator: All DSGs in TAC
    Destination: ESA P1
    Port: 443
    Protocol: TLS
    Flow Description: All DSGs in the TAC pull rulesets from ESA P1 in parallel.
    Configuration:
      Primary Active Flow: Sticky to ESA P1 with other ESAs as standby. All DSGs in TAC -> ESA P1
      DR Flow: Sticky to ESA S3 with other ESAs as standby. All DSGs in TAC -> ESA S3

Policy Download

  Request Initiator: Pepserver in the Protector node
  Destination: Service Dispatcher in ESA
  Port: 8443
  Protocol: TLS
  Flow Description:
    1. Through GTM.
    2. Through LTM-1 for the active flow and LTM-2 for the failover flow to the Service Dispatcher in ESA.
  Configuration:
    Primary Active Flow: Sticky to ESA P1 with other ESAs as standby. Protector 9.1 -> GTM -> LTM-1 -> ESA P1
    DR Flow: Sticky to ESA S3 with other ESAs as standby. Protector 9.1 -> GTM -> LTM-2 -> ESA S3

Forwarding of Audit Events to ESA

  Request Initiator: Log Forwarder in the protector node
  Destination: Insight in ESA
  Port: 9200
  Protocol: TLS
  Flow Description:
    1. Through GTM.
    2. Through LTM-1 for the active flow and LTM-2 for the failover flow to Insight in ESA.
  Configuration:
    Primary Active Flow: Routed to all ESAs in the Primary Site. Protector 9.1/10.0 -> GTM -> LTM-1 -> ESA P1, S1, S2
    DR Flow: Routed to all ESAs in the DR Site. Protector 9.1/10.0 -> GTM -> LTM-2 -> ESA S3, S4, S5

Forwarding of Audit Events to External SIEM using the ESA

  Request Initiator: Log Forwarder in the protector node
  Destination: TD-Agent in ESA
  Port: 24224 / 24284
  Protocol: Non-TLS / TLS
  Flow Description:
    1. Through GTM.
    2. Through LTM-1 for the active flow and LTM-2 for the failover flow to Insight in ESA.
  Configuration:
    Primary Active Flow: Routed to all ESAs in the Primary Site. Protector 9.1/10.0 -> GTM -> LTM-1 -> ESA P1, S1, S2 -> External SIEM
    DR Flow: Routed to all ESAs in the DR Site. Protector 9.1/10.0 -> GTM -> LTM-2 -> ESA S3, S4, S5 -> External SIEM
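The ports and protocols in the Communication Flow table are also the list a practitioner needs for the "good network connectivity" pre-requisite in the installation and upgrade sections below. The following bash script turns that table into a repeatable pre-flight check run from a DSG node. It is an added example and not part of the DSG product or of the original page: the hostnames (esa-p1.example.internal, dsg-2.example.internal, gtm.example.internal) are placeholders, the function names tcp_open, tls_handshake, port_for and run_checks are chosen for this example, and it assumes bash (for /dev/tcp), coreutils timeout and, for the optional handshake check, the openssl CLI.

```bash
#!/usr/bin/env bash
# Pre-flight connectivity check for the DSG <-> ESA flows listed in the
# Communication Flow table. Added example, not part of the DSG product.
# Ports and protocols are taken from that table; the hostnames are assumed
# placeholders and must be replaced with the real GTM, ESA and DSG names.
# Requires bash (/dev/tcp), coreutils `timeout` and optionally `openssl`.

# Flow matrix, one row per table entry: "<flow>|<destination host>|<port>|<protocol>".
# Flows the table routes via GTM/LTM point at the GTM name; the direct flows
# point at ESA P1 and at another DSG in the TAC. The table lists ports
# 24224/24284 against Non-TLS/TLS; the pairing below follows that order.
FLOWS=(
  "Step-3 ruleset pull (all DSGs -> ESA P1)|esa-p1.example.internal|443|TLS"
  "Step-2 pull command fan-out (DSG-1 -> other DSGs)|dsg-2.example.internal|8300|TLS"
  "Policy Download (Pepserver -> Service Dispatcher)|gtm.example.internal|8443|TLS"
  "Audit Events to ESA (Log Forwarder -> Insight)|gtm.example.internal|9200|TLS"
  "Audit Events to External SIEM (Log Forwarder -> TD-Agent, Non-TLS)|gtm.example.internal|24224|Non-TLS"
  "Audit Events to External SIEM (Log Forwarder -> TD-Agent, TLS)|gtm.example.internal|24284|TLS"
)

# tcp_open HOST PORT [TIMEOUT] -> 0 if a TCP connection can be established.
# Uses bash's /dev/tcp so no nc/nmap is needed on the appliance.
tcp_open() {
  local host=$1 port=$2 t=${3:-3}
  timeout "$t" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# tls_handshake HOST PORT -> 0 if openssl completes a TLS handshake with the
# peer (certificate validity is reported by s_client but not enforced here).
tls_handshake() {
  local host=$1 port=$2
  echo | timeout 5 openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
    | grep -q 'Verify return code'
}

# port_for FLOW-SUBSTRING -> prints the port of the first matching flow,
# returns 1 if no flow matches.
port_for() {
  local needle=$1 row flow host port proto
  for row in "${FLOWS[@]}"; do
    case $row in
      *"$needle"*)
        IFS='|' read -r flow host port proto <<<"$row"
        echo "$port"
        return 0
        ;;
    esac
  done
  return 1
}

# run_checks -> prints one line per flow; returns the number of failed flows.
# A TLS flow that accepts TCP but fails the handshake is reported as WARN,
# which usually means a load balancer or firewall is answering, not the service.
run_checks() {
  local failures=0 row flow host port proto
  for row in "${FLOWS[@]}"; do
    IFS='|' read -r flow host port proto <<<"$row"
    if tcp_open "$host" "$port"; then
      if [ "$proto" = TLS ] && command -v openssl >/dev/null 2>&1 && ! tls_handshake "$host" "$port"; then
        printf 'WARN  %-65s %s:%s TCP ok, TLS handshake failed\n' "$flow" "$host" "$port"
        failures=$((failures + 1))
      else
        printf 'OK    %-65s %s:%s\n' "$flow" "$host" "$port"
      fi
    else
      printf 'FAIL  %-65s %s:%s unreachable\n' "$flow" "$host" "$port"
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}

# Run the full check only when explicitly requested, e.g.
#   DSG_RUN_CHECKS=1 bash dsg-preflight.sh
if [ -n "${DSG_RUN_CHECKS:-}" ]; then
  run_checks
fi
```

The Step-1 flow (ESA P1 -> DSG-1 on 443) is initiated by the ESA, so it is checked from the ESA side by pointing a row of the matrix at the DSG-1 name instead. A non-zero exit from run_checks is the number of flows that failed, which makes the script usable as a gate in a change window before any ruleset deployment is attempted.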

1 - Installing and Configuring DSG

Assumptions

  • This section assumes that there is no prior installation of the DSG product and that the installation is happening from scratch.

  • GTM and LTM are provisioned and installed. For information about the prescribed configurations for GTM or LTM, refer to Recommended Traffic Manager.

Pre-requisites

  • Ensure there is good network connectivity between the machine where the DSG is going to be installed and all the ESAs, and that they can communicate with each other.

  • Ensure the ESAs in both the Primary site (ESA P1, S1, S2) and the DR site (ESA S3, S4, S5) are up and running.

  • Ensure that ESAs in both sites are in TAC.

  • Ensure that PIM is initialized on all the ESAs.

  • Ensure that ESAs in Primary site are in Audit Store Cluster and ESAs in DR site are in a separate Audit Store Cluster.

  • Ensure that all the ESAs and DSGs in the cluster are reachable from each other using hostname or FQDN.

1. Installing and Configuring the DSGs

  1. Install DSGs of version 3.3.0.0.

    For more information about installing DSG 3.3.0.0, refer to Installing the DSG.

  2. Create TAC. Create a TAC in one of the DSGs installed in the previous step.

  3. Join DSGs to TAC. Join the rest of the DSGs to the TAC created in the previous step.

  4. Upload and Install DSG Management Server Certificates. Upload and install the DSG Management Server certificates in each of the DSGs individually. Ensure the SAN field of each certificate contains the hostname and FQDN of the DSG node it is going to be installed on.

2. Perform ESA Communication

Perform ESA communication from all the DSGs. For all the options in ESA communication except for Update host settings for DSG, provide GTM IP, hostname, or FQDN as applicable.

For more information about setting up ESA communication, refer to Setting up ESA communication.

2.1 Update Host Settings for DSG

For Update host settings for DSG in ESA communication, provide Primary ESA P1’s FQDN/hostname as applicable.

For more information about setting up ESA communication, refer to Setting up ESA communication.

3. Install DSG Patch on all the ESAs in the Primary and DR site

Install DSG 3.3.0.0 patch on all ESAs in both sites, that is, ESA P1, S1, S2 in the primary site and ESA S3, S4, S5 in the DR site.

3.1 Provide DSG Details During Patch Installation

During the prompt for DSG details during patch installation, provide any of the DSG’s FQDN/hostname in TAC. Ensure the same DSG FQDN or hostname is provided during patch installation in all other ESAs.

4. Perform Post Installation Steps in all ESAs

For information about performing the post installation steps, refer to Post installation/upgrade steps.

5. Upload and Apply DSG Admin Tunnel Certificates

Upload and apply DSG Admin tunnel certificates from Web UI in ESA P1.

For more information about uploading and applying DSG Admin tunnel certificates, refer to Upload Certificate/Keys.

6. Create and Deploy DSG Tunnels and Ruleset

6.1 Create Tunnels and Ruleset

Create tunnels and rulesets from the Web UI in ESA P1.

For more information about creating tunnels, refer to Tunnels.

For more information about creating rulesets, refer to Ruleset Reference.

6.2 Deploy Rulesets

Click on the Deploy button from the DSG’s Cluster page in ESA P1 to deploy rulesets in all the DSGs present in the TAC.

For more information about deploying rulesets, refer to Deploying configurations to the cluster.

7. Check Health Status of DSGs under Cluster Page

After the deployment of rulesets is successful, check the health status of DSGs in TAC from the DSG’s Cluster page in ESA P1. All the DSGs should show health status as green.

8. Ensure TAC Replication Job Includes DSG Configuration

Ensure TAC replication job also includes DSG’s configuration to be replicated to all the ESAs in TAC, that is, from Primary ESA P1 to all the Secondary ESAs S1, S2, S3, S4, S5.

Make sure to follow these steps meticulously to ensure a seamless installation and configuration process.

2 - Upgrading ESA with DSG

Pre-requisites

  • All the ESAs must be on v9.2.0.0.

  • All the DSGs must be on v3.2.0.0 HF-1.

  • ESAs and DSGs must be in a single TAC.

  • Ensure there is good network connectivity between the machine where the DSG is going to be installed and all the ESAs, and that they can communicate with each other.

  • Ensure the ESAs in both the Primary site (ESA P1, S1, S2) and the DR site (ESA S3, S4, S5) are up and running.

  • Ensure that all the ESAs and DSGs in the cluster are reachable from each other using hostname or FQDN.

Important: ESA v10 only supports protectors with PEP server version 1.2.2+42 or later. Hence, before proceeding with the ESA upgrade, check the installed protector version; a protector version below 1.2.2+42 causes the ESA upgrade to fail. If the protector version is below 1.2.2+42, remove the registered protectors from the Policy Dashboard. For instructions on identifying the installed protector version, refer to the documentation section Identifying the protector version.

Canary Upgrade

The Canary upgrade involves re-imaging the existing DSG instances to the newer version one by one using ISO or cloud image as applicable. This could be performed by re-using the same instance or spawning a new instance for DSG and terminating the older version DSGs.

Important: There will be downtime of the DSGs during the upgrade. However, the downtime can be minimized by spawning the fresh DSGs of version 3.3.0.0 in parallel with upgrading the ESAs.

This section explains the upgrade flow of ESAs and DSGs only. It does not consider the presence of 9.1.0.0 protectors apart from DSG.

If DSGs are installed along with other 9.1 protectors, then refer to Upgrading ESA with DSGs and 9.1 Protectors.

Canary upgrade is the prescribed way of upgrading DSGs. For alternative ways of upgrading DSGs, refer to Upgrade process.

Perform the following steps to upgrade DSGs with ESAs.

1. Pre-Upgrade Steps

  1. Backup all ESAs.

    • On-Premise: Perform a full OS backup of all ESAs at both sites.
    • Cloud: Take snapshots of each instance to ensure a restore point is available should any issues arise during the upgrade process. For more information about backup, refer to Backup the appliance OS for on-premise ESAs and section 9.1.3 Backing Up on Cloud Platforms.
  2. Delete TAC replication job from Primary ESA P1.

    Follow the below steps to disable TAC replication scheduled task.

    1. On the Primary ESA P1’s Web UI, navigate to System > Task Scheduler.

    2. Click on the TAC replication scheduled task.

    3. Click on Remove.

    4. Click on “Apply” button to apply the changes.

2. Upgrading the ESAs in DR Site

  1. Remove all the ESAs at the DR site from the TAC.

    It is required to remove all the ESAs at the DR site from the TAC before proceeding with upgrading them.

  2. Upgrade ESAs at the DR Site sequentially. Commence the upgrade by focusing on the ESAs located at the DR site. Follow the below sequence:

    1. Upgrade ESA S3

    2. Upgrade ESA S4

    3. Upgrade ESA S5

    Refer to the following for the ESA upgrade:

    • Prerequisites, to understand the pre-requisites.
    • Upgrade Paths to ESA v10.0.1, to understand the upgrade paths to ESA v10.0.1.
    • Upgrading from v9.2.0.1, for the steps to upgrade from ESA v9.2.0.1 to ESA v10.0.1.
    • Post Upgrade steps, to perform the post upgrade steps of ESA.

  3. Ensure each ESA is fully upgraded before proceeding to the next ESA.

3. Post Upgrade Validation of ESAs in DR Site

  1. Conduct thorough validation of the upgraded ESAs at the DR site to confirm operational integrity and successful upgrade. Perform following validations in all the ESAs.

    1. Login to ESA Web UI.

    2. Check for correctness of the version under About.

    3. Navigate to Key Management > Key Stores in ESA Web UI and ensure that External Keystore configurations are intact.

    4. Navigate to Settings > Users and check that External Groups settings are intact.

    5. Navigate to Audit Store > Cluster Management and check if ESA S3, ESA S4 and ESA S5 are visible under Nodes tab and Cluster Status is shown as GREEN.

4. Pre-Upgrade Steps for DSG

  1. Remove existing DSGs from TAC. It is required to remove all the DSGs from the TAC before proceeding with further upgrade steps.

  2. As mentioned at the start of this section, it is expected to have downtime of DSGs. Hence, at this step, stop all the existing DSGs.

5. Upgrading the ESAs in Primary Site

  1. Remove all the ESAs at the Primary site from the TAC before upgrading them.

  2. Upgrade ESAs at the Primary Site sequentially.

  3. Follow the below sequence for upgrading all the ESAs in the primary site:

    1. Upgrade ESA P1

    2. Upgrade ESA S1

    3. Upgrade ESA S2

    Refer to the following for the ESA upgrade:

    • Prerequisites, to understand the pre-requisites.
    • Upgrade Paths to ESA v10.0.1, to understand the upgrade paths to ESA v10.0.1.
    • Upgrading from v9.2.0.1, for the steps to upgrade from ESA v9.2.0.1 to ESA v10.0.1.
    • Post Upgrade steps, to perform the post upgrade steps of ESA.

  4. Ensure each ESA is fully upgraded before proceeding to the next ESA.

6. Post Upgrade Validation of ESAs in Primary Site

  1. Validate Primary Site ESAs Post Upgrade. Conduct thorough validation of the upgraded ESAs at the Primary site to confirm operational integrity and successful upgrade. Perform the following validations in all the ESAs.

    1. Login to ESA Web UI.

    2. Check for correctness of the version under About.

    3. Navigate to Key Management > Key Stores in ESA Web UI and ensure that External Keystore configurations are intact.

    4. Navigate to Settings > Users and check that External Groups settings are intact.

    5. Navigate to Audit Store > Cluster Management and check if ESA P1, ESA S1 and ESA S2 are visible under Nodes tab and Cluster Status is shown as GREEN.

7. Installing and Configuring the DSGs

  1. Create fresh DSGs of version 3.3.0.0. Perform this step in parallel with Upgrading the ESAs in Primary Site to minimize the DSG downtime. Create DSGs v3.3.0.0 using the ISO or cloud image as applicable.

    For more information about installing DSG 3.3.0.0, refer to Installing the DSG.

  2. Create a new TAC with re-imaged DSGs. Starting with DSG v3.3.0.0, ESAs and DSGs should be in separate TACs. Hence, create a new TAC with the DSGs re-imaged in the step above.

  3. Upload and install DSG Management Server certificates in each of the DSGs individually. Ensure the SAN field in each of the certificates has the hostname and FQDN of the DSG node it is going to be installed in.
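Step 4 of Installing and Configuring the DSGs in the installation section and step 3 here both require the Management Server certificate's SAN field to list the DSG node's short hostname and its FQDN; a certificate that carries only the CN, or only one of the two names, will fail that requirement. The bash functions below check this with the openssl CLI before the certificate is uploaded. They are an added example and not part of the DSG product or of the original page: san_names, san_has_all, make_test_cert and check_dsg_cert are names chosen for this example, make_test_cert only produces a throwaway self-signed certificate for trying the check, and the node names in it (dsg-1, dsg-1.example.internal) are constructed.

```bash
#!/usr/bin/env bash
# Verifies that a DSG Management Server certificate carries the node's short
# hostname and FQDN as DNS subjectAltName entries, as the installation steps
# require. Added example, not part of the DSG product. Needs the openssl CLI
# (1.1.1 or later for the -addext used by make_test_cert).

# san_names CERT.pem -> prints the DNS SANs of the certificate, one per line
# (prints nothing if the certificate has no SAN extension).
san_names() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tail -n1 \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# san_has_all CERT.pem NAME... -> 0 if every NAME is a DNS SAN, else 1;
# each missing name is reported on stderr. Matching is exact, so a wildcard
# SAN does not count as covering the node name.
san_has_all() {
  local cert=$1 missing=0 name sans
  shift
  sans=$(san_names "$cert")
  for name in "$@"; do
    if ! printf '%s\n' "$sans" | grep -qxF -- "$name"; then
      echo "missing SAN: $name" >&2
      missing=1
    fi
  done
  return "$missing"
}

# make_test_cert OUT.pem SAN-LIST -> writes a throwaway self-signed
# certificate and key (constructed test data, not a real DSG certificate).
# SAN-LIST uses openssl syntax, e.g. "DNS:dsg-1,DNS:dsg-1.example.internal".
make_test_cert() {
  local out=$1 sans=$2
  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "${out%.pem}.key" -out "$out" -days 1 \
    -subj "/CN=dsg-1" -addext "subjectAltName=$sans" >/dev/null 2>&1
}

# check_dsg_cert CERT.pem -> checks the certificate against the hostname and
# FQDN of the node this script runs on (the DSG it will be installed on).
check_dsg_cert() {
  san_has_all "$1" "$(hostname -s)" "$(hostname -f)"
}
```

On the DSG node itself, check_dsg_cert /path/to/mgmt-server.pem is enough; from an admin workstation, call san_has_all with the node's hostname and FQDN spelled out so that the check matches what the browser and the ESA will compare against. Any name reported as "missing SAN" means the certificate must be reissued before it is uploaded.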

8. Creating TAC of all ESAs in Primary and DR sites

  1. Create TAC in Primary ESA P1. It is required to create TAC in Primary ESA P1 first before joining other ESAs in TAC.

  2. Join all the Secondary ESAs to the TAC from both sites. Join all the secondary ESAs, that is, ESA S1 and ESA S2 in the Primary site and ESA S3, ESA S4 and ESA S5 in the DR site, to the TAC created with Primary ESA P1 in step 1 above.

9. Perform ESA Communication

Perform ESA communication from all the DSGs. For all the options in ESA communication except for Update host settings for DSG, provide the GTM IP, hostname or FQDN as applicable. For more information about setting up ESA communication, refer to Setting up ESA communication.

9.1 Update Host Settings for DSG

For Update host settings for DSG in ESA communication, provide Primary ESA P1’s FQDN or hostname as applicable. For more information about setting up ESA communication, refer to Setting up ESA communication.

10. Install DSG Patch on all the ESAs in the Primary and DR site

Install DSG 3.3.0.0 patch on all ESAs in the Primary and DR site, that is, ESA P1, S1, S2, S3, S4, S5.

10.1 Provide DSG Details During Patch Installation

During the prompt for DSG details during patch installation, provide any of the running DSG’s FQDN or hostname in TAC. Ensure the same DSG FQDN/hostname is provided during DSG patch installation in all other ESAs.

11. Perform Post Installation Steps in All ESAs in the Primary and DR site

For information about performing post installation steps in all the ESAs, refer Post installation/upgrade steps.

12. Check DSG’s Cluster Page in ESA

Check that all the installed DSGs are listed under the Cloud Gateway > Cluster page in ESA.

13. Deploy Rulesets

Click on the Deploy button from the DSG’s Cluster page in ESA P1 to deploy rulesets in all the DSGs present in the TAC. For more information about deploying rulesets, refer to Deploying configurations to the cluster.

14. Check Health Status of DSGs from Cluster Page

After the deployment of rulesets is successful, check the health status of DSGs in TAC from the DSG’s Cluster page in ESA P1. All the DSGs should show health status as green.

15. Check for DSG nodes status in Policy Management Dashboard

  1. Login to ESA P1 Web UI.

  2. Navigate to Policy Management in ESA P1 Web UI and check if Datastores shows all the DSG nodes registrations as GREEN or Ok and Policy Deploy Status as GREEN or Ok.

16. Validate Protector Operations

  1. Confirm that DSGs can perform data security operations post-upgrade of the ESAs.

  2. Verify that audit events are being forwarded successfully to the ESAs.

  3. Create or Enable Scheduler tasks in Primary site ESAs. Create or enable all the scheduler tasks in Primary site ESAs as mentioned in section Scheduler Tasks.

17. Terminate the older version DSGs

After the DSGs are successfully upgraded and their operation is confirmed through Validate Protector Operations, terminate all the older version DSGs that were stopped at step 2 of Pre-Upgrade Steps for DSG, to free up resources.

Additional Considerations

  • Documentation: Maintain detailed records of the upgrade procedure for future reference.

  • Troubleshooting: Have contingency plans in place to address potential issues arising during the upgrade.

  • Support: Utilize Protegrity support services for guidance or troubleshooting assistance as needed.

Make sure to follow these steps meticulously to ensure a seamless upgrade and configuration process.