Network Planning

Connecting the gateway to a network involves address allocation and routing of network communication for the service consumers. Network planning also includes gateway cluster sizing and the addition of Load Balancers (LB) in front of the gateway cluster.

To protect data in a SaaS application, you gather a list of public domain and host names through which the SaaS is accessed over the Internet.

For internal enterprise applications, this means identifying the network addresses (IP addresses or host names) of the relevant applications.

Gateway network interfaces fall into two categories: administrative and service. Administrative interfaces, such as the Web UI and the command line (SSH), are used to control and manage the gateway's configuration and to monitor its state, while service interfaces deliver the service the gateway is deployed for. Create two NICs before you install the DSG.

For network security reasons, the DSG isolates the administrative interfaces from the service interfaces by allocating each a separate network address. This gives physical separation when more than one physical NIC is available; otherwise, logical separation is achieved by designating two different IP addresses for admin and service use. A production deployment may isolate the service interface further by separating its inbound and outbound channels, in which case three IP addresses are required.

Gateway Admin and Services Interfaces

Network firewalls between the consumers and the gateway interfaces (admin or service), and between the gateway and the systems it must communicate with, must be adjusted to allow this traffic.

Note: The supported TLS versions are SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3.

If you are using the DSG appliance, the following ports must be configured in your environment.

Port Number/Type (ECHO) | Protocol | Source | Destination | NIC | Description
22 | TCP | System User | DSG | Management NIC (ethMNG) | Access to CLI Manager
443 | TCP | System User | DSG | Management NIC (ethMNG) | Access to Web UI

The following table lists the ports that must be configured for communication between the DSG and the ESA.

Port Number/Type (ECHO) | Protocol | Source | Destination | NIC | Description | Notes (if any)
22 | TCP | ESA | DSG | Management NIC (ethMNG) | Replication of rulesets from DSG to ESA; DSG patching from ESA |
443 | TCP | ESA | DSG | Management NIC (ethMNG) | Communication in TAC |
443 | TCP | DSG | ESA and Virtual IP address of ESA | Management NIC (ethMNG) | Downloading certificates from ESA |
8443 | TCP | DSG | ESA and Virtual IP address of ESA | Management NIC (ethMNG) | Establishing communication with ESA; retrieving policy from ESA; sending audit logs to ESA |
15600 | TCP | DSG | Virtual IP address of ESA | Management NIC (ethMNG) | Sending audit events from DSG to ESA |
389 | TCP | DSG | Virtual IP address of ESA | Management NIC (ethMNG) | Authentication and authorization by ESA |
10100 | UDP | DSG | ESA | Management NIC (ethMNG) | Establishing communication with ESA; communication in TAC | This port is optional. If the appliance heartbeat services are stopped, this port can be disabled.
5671 | TCP | DSG | Virtual IP address of ESA | | Messaging between Protegrity appliances | While establishing communication with ESA, if the user notification is not set, you can disable this port.

The following table lists the ports that must also be configured when the DSG is configured in a TAC.

Port Number/Type (ECHO) | Protocol | Source | Destination | NIC | Description | Notes (if any)
22 | TCP | DSG | ESA | Management NIC (ethMNG) | Communication in TAC |
8585 | TCP | ESA | DSG | Management NIC (ethMNG) | Cloud Gateway cluster |
443 | TCP | ESA | DSG | Management NIC (ethMNG) | Communication in TAC |
10100 | UDP | ESA | DSG | Management NIC (ethMNG) | Communication in TAC | This port is optional. If the Appliance Heartbeat services are stopped, this port can be disabled.
10100 | UDP | DSG | ESA | Management NIC (ethMNG) | Establishing communication with ESA; communication in TAC | This port is optional. If the Appliance Heartbeat services are stopped, this port can be disabled.
10100 | UDP | DSG | DSG | Management NIC (ethMNG) | Communication in TAC | This port is optional.

Based on the firewall rules and network infrastructure of your organization, you must open ports for the services listed in the following table.

Port Number/Type (ECHO) | Protocol | Source | Destination | NIC | Description | Notes (if any)
123 | UDP | DSG | Time servers | Management NIC (ethMNG) of ESA | NTP time sync port | You can change the port as per your organizational requirements.
514 | TCP | DSG | Syslog servers | Management NIC (ethMNG) of ESA | Storing logs | You can change the port as per your organizational requirements.
N/A* | N/A* | DSG | Applications/Systems | Service NIC (ethSRV) of DSG | Enabling communication between the DSG and different applications in the organization | You can change the port as per your organizational requirements.
N/A* | N/A* | Applications/Systems | DSG | Service NIC (ethSRV) of DSG | Enabling communication between the DSG and different applications in the organization | You can change the port as per your organizational requirements.

Note: N/A* - In the DSG, service NICs are not assigned a specific port number. You can configure a port number as per your requirements.
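As an added example that is not part of the Protegrity documentation, the following Python script encodes the DSG-to-ESA port matrix from the tables above and reports which required and optional flows a proposed firewall policy fails to allow. The rule tuple format and the sample policy are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str            # "ESA" or "DSG"
    dst: str
    proto: str          # "TCP" or "UDP"
    port: int
    optional: bool = False  # True for flows the tables mark as optional

# DSG <-> ESA flows on the Management NIC, transcribed from the table above.
# 10100/UDP (heartbeat) and 5671/TCP (notifications) are marked optional there.
REQUIRED_FLOWS = [
    Flow("ESA", "DSG", "TCP", 22),
    Flow("ESA", "DSG", "TCP", 443),
    Flow("DSG", "ESA", "TCP", 443),
    Flow("DSG", "ESA", "TCP", 8443),
    Flow("DSG", "ESA", "TCP", 15600),
    Flow("DSG", "ESA", "TCP", 389),
    Flow("DSG", "ESA", "UDP", 10100, optional=True),
    Flow("DSG", "ESA", "TCP", 5671, optional=True),
]

def rule_matches(rule, flow):
    """rule is (src, dst, proto, ports); ports is an int, 'lo-hi' or 'any'."""
    src, dst, proto, ports = rule
    if src not in (flow.src, "any") or dst not in (flow.dst, "any"):
        return False
    if proto.upper() not in (flow.proto, "ANY"):
        return False
    if ports == "any":
        return True
    if isinstance(ports, int):
        return ports == flow.port
    lo, hi = (int(p) for p in ports.split("-"))
    return lo <= flow.port <= hi

def audit_ruleset(rules, flows=REQUIRED_FLOWS):
    """Return (missing required flows, missing optional flows) for a ruleset."""
    missing = [f for f in flows if not any(rule_matches(r, f) for r in rules)]
    return ([f for f in missing if not f.optional],
            [f for f in missing if f.optional])

# Constructed sample policy (not from the page): 8443/TCP and 5671/TCP are absent.
SAMPLE_RULES = [
    ("ESA", "DSG", "tcp", 22),
    ("ESA", "DSG", "tcp", 443),
    ("DSG", "ESA", "tcp", "389-443"),   # the range covers both 389 and 443
    ("DSG", "ESA", "tcp", 15600),
    ("DSG", "ESA", "udp", 10100),
]
```

Running audit_ruleset(SAMPLE_RULES) reports 8443/TCP as a missing required flow and 5671/TCP as a missing optional one.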

NIC Bonding

The NIC is a device through which appliances, such as ESA or DSG, on a network connect to each other. If the NIC stops functioning or is under maintenance, the connection is interrupted, and the appliance is unreachable. To mitigate the issues caused by the failure of a single network card, Protegrity leverages the NIC bonding feature for network redundancy and fault tolerance.

In NIC bonding, multiple NICs are configured on a single appliance. You then bind the NICs to increase network redundancy. NIC bonding ensures that if one NIC fails, the requests are routed to the other bonded NICs. Thus, failure of a NIC does not affect the operation of the appliance.

You can bond the configured NICs using different bonding modes.

CAUTION: The NIC bonding feature is applicable only to DSG nodes configured on the on-premise platform. DSG nodes configured on cloud platforms, such as AWS, GCP, or Azure, do not support this feature.

Bonding Modes

The bonding modes determine how traffic is routed across the NICs. MII monitoring (MIIMON) is a link monitoring feature that detects the failure of NICs added to the appliance; the monitoring interval is 100 milliseconds. The following modes are available for bonding NICs together:

  • Mode 0/Balance Round Robin
  • Mode 1/Active-backup
  • Mode 2/Exclusive OR
  • Mode 3/Broadcast
  • Mode 4/Dynamic Link Aggregation
  • Mode 5/Adaptive Transmit Load Balancing
  • Mode 6/Adaptive Load Balancing

The following two bonding modes are supported for appliances:

  • Mode 1/Active-backup policy: In this mode, multiple NICs (slaves) are configured on an appliance, but only one slave is active at a time. The slave that accepts requests is active and the other slaves are on standby. When the active NIC stops functioning, the next available slave becomes active.
  • Mode 6/Adaptive load balancing: In this mode, multiple NICs are configured on an appliance and all of them are active simultaneously. Traffic is distributed sequentially across all the NICs in a round-robin method. If a NIC is added to or removed from the appliance, traffic is redistributed among the available NICs. Both incoming and outgoing traffic is load balanced, and the MAC address of the actual NIC receives the request. The throughput achieved in this mode is higher than in mode 1.
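As an added check that is not part of the Protegrity documentation: assuming the appliance uses the standard Linux bonding driver (the mode numbers and MII monitoring above match it, but the page does not say so), this Python script parses a /proc/net/bonding status file and flags an unsupported mode, a polling interval other than 100 ms, or a slave whose link is down. The sample status text is constructed, not captured from a DSG.

```python
# Constructed sample of /proc/net/bonding/bond0 for a mode 1 bond; not from a DSG.
SAMPLE_BOND0 = """\
Ethernet Channel Bonding Driver: v5.15.0

Bonding Mode: fault-tolerance (active-backup)
Currently Active Slave: ethSRV0
MII Polling Interval (ms): 100

Slave Interface: ethSRV0
MII Status: up
Link Failure Count: 0

Slave Interface: ethSRV1
MII Status: down
Link Failure Count: 3
"""

# Driver mode strings for the two modes the appliance supports (mode 1 and mode 6).
SUPPORTED_MODES = {"fault-tolerance (active-backup)": 1, "adaptive load balancing": 6}

def _kv(block):
    """Turn 'Key: value' lines into a dict; blank and other lines are ignored."""
    return dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)

def parse_bond(text):
    """Parse the driver status text into mode, active slave, miimon and per-slave state."""
    head, *slave_blocks = text.split("Slave Interface: ")
    info = _kv(head)
    slaves = []
    for block in slave_blocks:
        name, _, rest = block.partition("\n")   # first line is the slave name
        s = _kv(rest)
        slaves.append({"name": name.strip(), "up": s.get("MII Status") == "up",
                       "failures": int(s.get("Link Failure Count", "0"))})
    return {"mode": info.get("Bonding Mode"), "active": info.get("Currently Active Slave"),
            "miimon_ms": int(info.get("MII Polling Interval (ms)", "0")), "slaves": slaves}

def check_bond(text):
    """Return findings that deviate from the expectations above; [] means healthy."""
    b = parse_bond(text)
    findings = []
    if b["mode"] not in SUPPORTED_MODES:
        findings.append(f"unsupported bonding mode: {b['mode']}")
    if b["miimon_ms"] != 100:
        findings.append(f"MII polling interval is {b['miimon_ms']} ms, expected 100")
    if len(b["slaves"]) < 2:
        findings.append("fewer than two slaves: no redundancy")
    for s in b["slaves"]:
        if not s["up"]:
            findings.append(f"slave {s['name']} link down (failures={s['failures']})")
    return findings
```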

Prerequisites

Ensure that you complete the following prerequisites before bonding interfaces:

  • The IP address is assigned only to the NIC on which the bond is initiated. You must not assign an IP address to the other NICs.
  • The NICs are on the same network.

Creating a Bond

This section describes the procedure to create a bond between NICs.

Note: Ensure that the IP addresses of the slave nodes are static.

Note: Ensure that you have added a default gateway for the Management NIC (ethMNG) and Service NIC (ethSRV0). For more information about adding a default gateway to the Management NIC and Service NIC, refer to the section Configuring Default Gateway for Network Interfaces.

Note: When a bond is created with any service NIC (ethSRVX) in the Web UI, its status indicator appears red, suggesting that it is not functioning properly, even though the service NIC (ethSRVX) is active. To change the service NIC (ethSRVX) status indicator to green, click Refresh.

To create a bond:

  1. On the DSG Web UI, navigate to Settings > Network > Network Settings.

    The Network Settings screen appears.

  2. Under the Network Interfaces area, click Create Bond corresponding to the interface on which you want to initiate the bond.

    The following screen appears.

    Note: Ensure that the IP address is assigned to the interface on which you want to initiate the bond.

  3. Select one of the following modes from the drop-down list:

    • Active-backup policy
    • Adaptive Load Balancing

  4. Select the interfaces with which you want to create a bond.

  5. Select Establish Network Bonding.

    A confirmation message appears.

  6. Click OK.

    The bond is created and the list appears on the Web UI.

Removing a Bond

The following procedure describes the steps to remove a bond between NICs.

To remove a bond:

  1. On the DSG Web UI, navigate to Settings > Network > Network Settings.

    The Network Settings screen appears with all the created bonds as shown in the following figure.

  2. Under the Network Interfaces area, click Remove Bond corresponding to the interface on which the bonding is created.

    A confirmation screen appears.

  3. Select OK.

    The bond is removed and the interfaces are visible on the IP/Network list.

Viewing a Bond

Using the DSG CLI Manager, you can view the bonds that are created between all the interfaces.

To view a bond:

  1. On the DSG CLI Manager, navigate to Networking > Network Settings.

    The Network Configuration Information Settings screen appears.

  2. Navigate to Interface Bonding and select Edit.

    The Network Teaming screen displaying all the bonded interfaces appears as shown in the following figure.

Resetting the Bond

You can reset all the bonds that are created for an appliance. When you reset the bonds, all the bonds created are disabled. The slave NICs are reset to their initial state, where you can configure the network settings for them separately.

To reset all the bonds:

  1. On the DSG CLI Manager, navigate to Networking > Network Settings.

    The Network Configuration Information Settings screen appears.

  2. Navigate to Interface Bonding and select Edit.

    The Network Teaming screen displaying all the bonded interfaces appears.

  3. Select Reset.

    The following screen appears.

  4. Select OK.

    The bonding for all the interfaces is removed.

Last modified January 30, 2025