Connecting the gateway to a network involves allocating addresses and routing network communication for the service consumers. Network planning also covers sizing the gateway cluster and placing Load Balancers (LB) in front of it.
To protect data in a SaaS application, gather the list of public domain and host names through which the SaaS is accessed over the Internet.
For internal enterprise applications, this means identifying the network addresses (IP addresses or host names) of the relevant applications.
Gateway network interfaces fall into two categories: administrative and service. Administrative interfaces, such as the Web UI and the command line (SSH), are used to control and manage the gateway's configuration and to monitor its state, while service interfaces deliver the service the gateway is set up to provide. It is important that two NICs are created before you install the DSG.
For network security reasons, the DSG isolates the administrative interfaces from the service interfaces by allocating each a separate network address. This gives physical separation when more than one physical NIC is available; otherwise, logical separation is achieved by designating two different IP addresses for admin and service use. A production implementation may strive for further isolation of the service interface by separating the inbound and outbound channels, in which case three IP addresses are required.
Network firewalls between the service consumers and the gateway interfaces (admin or service), and between the gateway and the systems it is expected to communicate with, must be adjusted to allow this traffic.
Note: The supported SSL/TLS protocol versions are SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3.
If you are utilizing the DSG appliance, the following ports must be configured in your environment.
| Port Number/Type | Protocol | Source | Destination | NIC | Description |
|---|---|---|---|---|---|
| 22 | TCP | System User | DSG | Management NIC (ethMNG) | Access to CLI Manager |
| 443 | TCP | System User | DSG | Management NIC (ethMNG) | Access to Web UI |
The following ports must be configured for communication between DSG and ESA.
| Port Number/Type | Protocol | Source | Destination | NIC | Description | Notes (if any) |
|---|---|---|---|---|---|---|
| 22 | TCP | ESA | DSG | Management NIC (ethMNG) | | |
| 443 | TCP | ESA | DSG | Management NIC (ethMNG) | Communication in TAC | |
| 443 | TCP | DSG | ESA and Virtual IP address of ESA | Management NIC (ethMNG) | Downloading certificates from ESA | |
| 8443 | TCP | DSG | ESA and Virtual IP address of ESA | Management NIC (ethMNG) | | |
| 15600 | TCP | DSG | Virtual IP address of ESA | Management NIC (ethMNG) | Sending audit events from DSG to ESA | |
| 389 | TCP | DSG | Virtual IP address of ESA | Management NIC (ethMNG) | Authentication and authorization by ESA | |
| 10100 | UDP | DSG | ESA | Management NIC (ethMNG) | | This port is optional. If the Appliance Heartbeat services are stopped, this port can be disabled. |
| 5671 | TCP | DSG | Virtual IP address of ESA | | Messaging between Protegrity appliances | While establishing communication with ESA, if the user notification is not set, you can disable this port. |
The following ports must also be configured when the DSG is configured in a TAC.
| Port Number/Type | Protocol | Source | Destination | NIC | Description | Notes (if any) |
|---|---|---|---|---|---|---|
| 22 | TCP | DSG | ESA | Management NIC (ethMNG) | Communication in TAC | |
| 8585 | TCP | ESA | DSG | Management NIC (ethMNG) | Cloud Gateway cluster | |
| 443 | TCP | ESA | DSG | Management NIC (ethMNG) | Communication in TAC | |
| 10100 | UDP | ESA | DSG | Management NIC (ethMNG) | Communication in TAC | This port is optional. If the Appliance Heartbeat services are stopped, this port can be disabled. |
| 10100 | UDP | DSG | ESA | Management NIC (ethMNG) | | This port is optional. If the Appliance Heartbeat services are stopped, this port can be disabled. |
| 10100 | UDP | DSG | DSG | Management NIC (ethMNG) | Communication in TAC | This port is optional. |
Based on the firewall rules and network infrastructure of your organization, you must open ports for the services listed in the following table.
| Port Number/Type | Protocol | Source | Destination | NIC | Description | Notes (if any) |
|---|---|---|---|---|---|---|
| 123 | UDP | DSG | Time servers | Management NIC (ethMNG) of ESA | NTP time sync port | You can change the port as per your organizational requirements. |
| 514 | TCP | DSG | Syslog servers | Management NIC (ethMNG) of ESA | Storing logs | You can change the port as per your organizational requirements. |
| N/A* | N/A* | DSG | Applications/Systems | Service NIC (ethSRV) of DSG | Enabling communication between DSG and different applications in the organization | You can change the port as per your organizational requirements. |
| N/A* | N/A* | Applications/Systems | DSG | Service NIC (ethSRV) of DSG | Enabling communication between DSG and different applications in the organization | You can change the port as per your organizational requirements. |
Note: N/A* - In DSG, service NICs are not assigned a specific port number. You can configure a port number as per your requirements.
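The DSG/ESA port matrix above is easiest to get right (and to audit later) when it is kept as data rather than typed into a firewall by hand. The following added example, which is not Protegrity tooling, encodes the management-NIC flows from these tables, renders them as default-drop nftables rules for an upstream or host firewall, and audits an existing rule dump for required flows that are still missing. The ESA addresses, the admin network and the nftables syntax are assumptions for illustration.

```python
from dataclasses import dataclass
ESA_VIP = "10.0.0.10"      # assumed: virtual IP address of the ESA
ESA_NODES = "10.0.0.0/28"  # assumed: subnet holding the ESA nodes
ADMIN_NET = "10.1.0.0/24"  # assumed: network the system users administer from
MNG_NIC = "ethMNG"         # management NIC name used on this page

@dataclass(frozen=True)
class Flow:
    port: int
    proto: str      # "tcp" or "udp"
    inbound: bool   # True: peer -> DSG, False: DSG -> peer
    peer: str       # address or CIDR of the far end
    note: str = ""

# Management-NIC flows between DSG, system users and ESA, taken from the tables above.
REQUIRED = (
    Flow(22, "tcp", True, ADMIN_NET, "CLI Manager"),
    Flow(443, "tcp", True, ADMIN_NET, "Web UI"),
    Flow(22, "tcp", True, ESA_NODES),
    Flow(443, "tcp", True, ESA_NODES, "communication in TAC"),
    Flow(443, "tcp", False, ESA_VIP, "certificate download"),
    Flow(8443, "tcp", False, ESA_VIP),
    Flow(15600, "tcp", False, ESA_VIP, "audit events"),
    Flow(389, "tcp", False, ESA_VIP, "authentication and authorization"),
    Flow(5671, "tcp", False, ESA_VIP, "appliance messaging (optional)"),
    Flow(10100, "udp", False, ESA_NODES, "appliance heartbeat (optional)"),
)

def nft_rule(f: Flow, nic: str = MNG_NIC) -> str:
    """Render one accept rule; anything not listed falls through to the chain's drop policy."""
    if f.inbound:
        return f'iifname "{nic}" ip saddr {f.peer} {f.proto} dport {f.port} accept'
    return f'oifname "{nic}" ip daddr {f.peer} {f.proto} dport {f.port} accept'

def render_ruleset(flows=REQUIRED) -> str:
    """Default-drop input and output chains scoped to the management NIC only."""
    out = ["table inet dsg_mng {"]
    for chain, inbound in (("input", True), ("output", False)):
        out.append(f"  chain {chain} {{ type filter hook {chain} priority 0; policy drop;")
        out.append(f'    {"iifname" if inbound else "oifname"} != "{MNG_NIC}" accept')
        out.append("    ct state established,related accept")
        out += ["    " + nft_rule(f) for f in flows if f.inbound == inbound]
        out.append("  }")
    out.append("}")
    return "\n".join(out)

def missing_flows(existing_rules: str, flows=REQUIRED) -> list:
    """Audit an nft dump: return the required flows that have no accept rule yet."""
    have = {line.strip() for line in existing_rules.splitlines()}
    return [f for f in flows if nft_rule(f) not in have]
```

Flows marked optional in the tables can be removed from `REQUIRED` when the corresponding service is stopped, so the generated policy stays as tight as the deployment allows.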
The NIC is the device through which appliances on a network, such as ESA or DSG, connect to each other. If the NIC stops functioning or is under maintenance, the connection is interrupted and the appliance becomes unreachable. To mitigate the issues caused by the failure of a single network card, Protegrity uses the NIC bonding feature for network redundancy and fault tolerance.
In NIC bonding, multiple NICs are configured on a single appliance and then bound together to increase network redundancy. NIC bonding ensures that if one NIC fails, requests are routed to the other bonded NICs, so the failure of a NIC does not affect the operation of the appliance.
You can bond the configured NICs using different bonding modes.
CAUTION: The NIC bonding feature is applicable only to DSG nodes configured on the on-premises platform. DSG nodes configured on cloud platforms, such as AWS, GCP, or Azure, do not support this feature.
The bonding modes determine how traffic is routed across the NICs. MII monitoring (MIIMON) is a link monitoring feature used to detect the failure of NICs added to the appliance. The monitoring frequency is 100 milliseconds. The following two bonding modes are supported for appliances:
Ensure that you complete the following prerequisites before binding interfaces:
This section describes the procedure to create a bond between NICs.
Note: Ensure that the IP addresses of the slave nodes are static.
Note: Ensure that you have added a default gateway for the Management NIC (ethMNG) and Service NIC (ethSRV0). For more information about adding a default gateway to the Management NIC and Service NIC, refer to the section Configuring Default Gateway for Network Interfaces.
Note: When a bond is created with any service NIC (ethSRVX) in the Web UI, its status indicator appears red, which suggests that it is not functioning properly, even though the service NIC (ethSRVX) is active. To change the service NIC (ethSRVX) status indicator to green, click Refresh.
To create a bond:
1. On the DSG Web UI, navigate to Settings > Network > Network Settings.
   The Network Settings screen appears.
2. Under the Network Interfaces area, click Create Bond corresponding to the interface on which you want to initiate the bond.
   The following screen appears.
   Note: Ensure that an IP address is assigned to the interface on which you want to initiate the bond.
3. Select one of the following modes from the drop-down list:
4. Select the interfaces with which you want to create a bond.
5. Select Establish Network Bonding.
   A confirmation message appears.
6. Click OK.
   The bond is created and the list appears on the Web UI.
The following procedure describes the steps to remove a bond between NICs.
To remove a bond:
1. On the DSG Web UI, navigate to Settings > Network > Network Settings.
   The Network Settings screen appears with all the created bonds, as shown in the following figure.
2. Under the Network Interfaces area, click Remove Bond corresponding to the interface on which the bond is created.
   A confirmation screen appears.
3. Select OK.
   The bond is removed and the interfaces are visible in the IP/Network list.
Using the DSG CLI Manager, you can view the bonds that are created between all the interfaces.
To view a bond:
1. On the DSG CLI Manager, navigate to Networking > Network Settings.
   The Network Configuration Information Settings screen appears.
2. Navigate to Interface Bonding and select Edit.
   The Network Teaming screen, displaying all the bonded interfaces, appears as shown in the following figure.
You can reset all the bonds that are created for an appliance. When you reset the bonds, all the created bonds are disabled. The slave NICs are reset to their initial state, where you can configure their network settings separately.
To reset all the bonds:
1. On the DSG CLI Manager, navigate to Networking > Network Settings.
   The Network Configuration Information Settings screen appears.
2. Navigate to Interface Bonding and select Edit.
   The Network Teaming screen, displaying all the bonded interfaces, appears.
3. Select Reset.
   The following screen appears.
4. Select OK.
   The bonding for all the interfaces is removed.