Set up an identity connector

Complete these tasks to set up an identity connector:

Set up an identity connector in a VMware environment

Before you begin

Create and download an identity connector

To deploy the identity connector template file in a VMware environment:

Note: The VM for the connector needs to meet these requirements:

  • Processors: Intel-VT or AMD-V processor with hardware virtualization enabled; four cores recommended.
  • Memory (RAM): 8 GB recommended.
  • Storage: 16 GB recommended.
  • Network: 1 vNIC; 1 GB/s recommended; static IP address or dynamic IP assigned from DHCP server; DNS.

  1. To deploy the connector on a VMware vSphere Client using ESX or ESXi versions earlier than 6.5, see Deploy a VMware vSphere Client using ESX or ESXi versions earlier than 6.5.

  2. To deploy the connector on a VMware vSphere Client using ESX or ESXi version 6.5 or later, see Deploy a VMware vSphere Client using ESX or ESXi version 6.5 or later.

  3. In ETP, approve the identity connector:

    1. In the Threat Protection menu of Enterprise Center, select Clients & Connectors > Access and Identity Connectors.
    2. Locate the connector that you are installing.
    3. Verify that the connector shows the private and public IP addresses assigned to it. This may take a few minutes.
    4. Click Need your approval to approve the connector. Wait for verification. You'll know this process is complete when a message appears indicating that the connector is running.
    5. Click Save.

Deploy a VMware vSphere Client using ESX or ESXi versions earlier than 6.5

Before you begin

Download the VMware connector from ETP. See Create and download an identity connector.

To deploy a connector with ESX or ESXi versions that are earlier than 6.5:

Note: You need to use the VMware vSphere Client (vSphere Client) for this process. The steps for deploying a vSphere Client differ depending on the version of your VMware ESXi hypervisor. For a list of supported ESXi versions, see Connector-to-VM and cloud platform compatibility.

  1. The connector should download as a tar.gz file, but the file extension may be incorrect in Microsoft Windows. Rename the tar file to a tar.gz file. For example, rename <filename>.tar to <filename>.tar.gz.

  2. Decompress and untar the archive to extract the /agent directory.

  3. In the vSphere Client:

    1. Click File > Deploy OVF Template.

    2. Deploy the agent.ovf file from the agent directory.

    3. Make sure that the OVF deployment completes successfully. Wait for the success message to appear.

Next steps

Return to the Identity Connector page to verify the connector IP address information and to approve the connector. For more information, see Set up an identity connector in a VMware environment.

Deploy a VMware vSphere Client using ESX or ESXi version 6.5 or later

Before you begin

Download the VMware connector from ETP. See Create and download an identity connector.

To deploy a connector with ESX or ESXi version 6.5 or later, use the VMware vSphere Web Access portal or the Open Virtual Machine Format (OVF) tool from a command line interface. For more information on how to deploy it, see the VMware product documentation.

The process to deploy a vSphere Client differs depending on the version of your VMware ESXi hypervisor. For a list of supported ESXi versions, see Connector-to-VM and cloud platform compatibility.

After you deploy a connector, return to the Identity Connector page to verify the connector IP address information and to approve the connector. For more information, see Set up an identity connector in a VMware environment.

Set up an identity connector in Amazon Web Services

Before you begin

Create and download a connector for Amazon Web Services. For instructions, see Create and download an identity connector.

You can create an identity connector Amazon Machine Image (AMI) in your Amazon Web Services (AWS) environment.

The connector does not receive traffic from outside but it may need to connect to ETP cloud instances for configuration and other data. Make sure the security group associated with the connector is set up with this policy:

  • Outgoing traffic: Allow all.
  • Incoming traffic: Deny all.
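
One way to check a security group against the policy above, as an added example that is not Akamai's or AWS's own code. AWS security groups have no explicit deny rules, so "Incoming traffic: Deny all" means the group carries no inbound rules at all. The code audits JSON in the shape returned by `aws ec2 describe-security-groups`; the sample document, its group IDs and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs and rules are made up for illustration.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-example-good",
   "IpPermissions": [],
   "IpPermissionsEgress": [
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-example-bad",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
   "IpPermissionsEgress": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}
""")


def describe_rule(rule):
    """Render one rule as 'protocol/ports peers' for the report."""
    proto = "all" if rule["IpProtocol"] == "-1" else rule["IpProtocol"]
    ports = f"{rule.get('FromPort', 'any')}-{rule.get('ToPort', 'any')}"
    peers = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    peers += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    peers += [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
    peers += [p["PrefixListId"] for p in rule.get("PrefixListIds", [])]
    return f"{proto}/{ports} {', '.join(peers) or 'no peers'}"


def audit_group(group):
    """Return findings for one group; an empty list means the policy is met."""
    # Security groups have no deny rules: "deny all" inbound means no inbound rules.
    findings = ["inbound rule present: " + describe_rule(r)
                for r in group.get("IpPermissions", [])]
    # "Allow all" outbound is protocol -1 (every protocol and port) to 0.0.0.0/0.
    allow_all = any(
        rule["IpProtocol"] == "-1"
        and any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
        for rule in group.get("IpPermissionsEgress", []))
    if not allow_all:
        findings.append("outbound allow-all rule missing")
    return findings


def audit(document):
    """Map each GroupId in the document to its list of findings."""
    return {g["GroupId"]: audit_group(g) for g in document["SecurityGroups"]}
```

To audit a real group, pass `audit()` the parsed JSON output of `aws ec2 describe-security-groups` for the group attached to the connector.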

To set up an identity connector in AWS:

  1. Log in to your AWS console and click AWS services menu > AWS CloudFormation > CREATE STACK.

  2. Under Create Template, select Upload a template to Amazon S3.

  3. Click Choose File.

  4. Select the downloaded CloudFormation template.

  5. Provide a stack name, NAT instance type, VPC ID and subnet information and click Next.

    Note: For the NAT instance type, make sure you use a minimum of m4.large.

  6. Complete the configuration of tags, storage, and other features as needed. Since AWS does not use swap space for storage, use a minimum of 12 GB RAM for memory.

  7. Click CREATE. Once the stack creation is complete, the connector instance starts and automatically connects to ETP cloud.

  8. In ETP, approve the identity connector:

    1. In the Threat Protection menu of Enterprise Center, select Clients & Connectors > Access and Identity Connectors.

    2. Locate the AWS connector and click Need your approval.

    3. Click Save.

Set up an identity connector in a Google Cloud Platform environment

Before you begin

Create and download the connector template file for Google Compute Engine (GCE). This file is a tarball (connector-id.tar.gz) file. Save the connector tarball in a safe location. For instructions, see Create and download an identity connector.

To set up an identity connector in a Google Cloud Platform environment:

  1. Log in to the GCP console. Use the storage browser to upload the connector-id.tar.gz file to your Google Cloud storage.

  2. Create an image using the connector-id.tar.gz file. Click Compute Engine > Images > New image.

  3. Enter a name for the identity connector.

  4. From the Source Type menu select Cloud Storage Object.

  5. Enter the location of the tarball file stored in Cloud storage. For example, gs://bucketname/connector-id.tar.gz.

  6. Spawn an instance using the new image. Select the image name and click Create Instance.

  7. Enter a name for the instance, select HTTPS to allow only HTTPS traffic, select the zone, and make sure the Machine Type is n1-standard. A minimum of 2 vCPUs with 8 GB memory for connectors is recommended. Make sure the instance uses the correct connector image.

  8. Select the appropriate Boot Disk Type.

  9. Make sure the identity connector has Internet connectivity. Assign an Ephemeral or New static IP address.

  10. Click Create. GCP creates and boots up the connector instance in Google Cloud.

  11. In ETP, approve the identity connector:

    1. In the Threat Protection menu of Enterprise Center, select Clients & Connectors > Access and Identity Connectors.

    2. Locate the GCE connector and click Need your approval.

    3. Click Save.

Set up a Docker-based identity connector

Before you begin

  1. Verify Docker is properly installed. Identity connectors installed as Docker containers require a Docker-ready OS environment. If you do not have Docker installed, see the Docker documentation. Refer to the instructions that apply to your environment.

  2. Create and download the identity connector file for Docker. For instructions, see Create and download an identity connector.

To set up an identity connector as a Docker image on a Docker-ready environment:

Note: You cannot attach Client-Access applications to a Docker-based identity connector.

  1. In your Docker environment, open a terminal window.

  2. Navigate to the downloaded Docker container.

  3. Unzip the Docker image:

    $ gunzip <Connector_docker_image_filename.tar.gz>

  4. Load the image into Docker:

    $ sudo docker load -i <Connector_docker_image_filename.tar>

  5. Check that the image is loaded properly and find the <docker_image_name>:

    $ sudo docker images

  6. Run the Docker image:

    $ sudo docker run --name <Connector_Name> --restart=always -d <docker_image_name>

  7. Confirm that the Docker-based container is running:

    $ sudo docker ps

  8. In ETP, return to the identity connector configuration and complete these steps:

    1. In the Enterprise Center navigation menu, select Clients & Connectors > Access and Identity Connectors.

    2. Locate the Docker connector and click Need your approval.

    3. Wait while the ETP service verifies the connector. A success message appears when the Docker-based identity connector is running as a container.

  9. To prevent abnormal behavior in the event of the agent being restarted, commit the identity connector to a new image:

    $ sudo docker commit <Connector_Container_ID> <new_image_name>

    Replace <new_image_name> with any name you choose for this connector.

    Your Docker-based identity connector now runs as a container on your server.

Set up an identity connector in a Microsoft Azure environment

Before you begin

  1. Make sure your Microsoft Azure account and billing are set up before installing an identity connector.

  2. Create and download the connector file for Microsoft Azure. For instructions, see Create and download an identity connector.

This procedure assumes that an Azure administrator created a resource group necessary for template deployments. To create a resource group, refer to the Microsoft Azure product documentation.

If the connector secures web applications, use at minimum a Standard_A2. If the connector is being used to secure RDP/VDI type applications, use at minimum a Standard_A8.

To set up an identity connector in a Microsoft Azure virtual environment:

  1. Log in to your Microsoft Azure portal.

  2. From the left-hand menu, click New.

  3. In the search field, type template deployment, and select Template deployment.

  4. In the Template Deployment page, click Create.

  5. In the Custom deployment page, click Build your own template in the editor.

    The Edit template page appears.

  6. Replace all properties and elements in the template file with the contents of the connector file:

    1. Manually delete everything in the template file.

    2. Paste the contents of the connector file.

    3. Click Save.

  7. Configure the Basics or the basic settings:

    1. In the Subscription menu, select a type of subscription.

    2. For the Resource group, select Use existing, and in the menu, select your resource group.

    3. In the Location menu, select the location where resources are located.

  8. In the Settings area of the page:

    1. In the Vnet Resource Group field, enter the resource group of the virtual network.

    2. In the Admin Password field, enter the administrator password of the VM.

    3. In the Subnet Name field, enter the name of the subnet in the virtual network.

    4. In the Admin Username field, enter the administrator username of the VM.

    5. In the Existing Virtual Network Name field, enter the name of the virtual network.

  9. Review the Terms and Conditions, then select I agree to the terms and conditions stated above.

  10. Click Purchase.

Next steps

Verify that the connector was successfully created or, if you prefer, deploy a second Azure template. For more information, see Verify that the connector was successfully created in Microsoft Azure.

Verify that the connector was successfully created in Microsoft Azure

Before you begin

Set up an identity connector in a Microsoft Azure environment.

To verify that the identity connector is successfully created in Microsoft Azure and is running in ETP:

  1. Verify the VM was created in Microsoft Azure:

    1. In the Microsoft Azure left menu, click the Virtual Machines icon.

    2. Verify that the VM appears and is running.

  2. In ETP, approve the identity connector:

    1. In the Threat Protection menu of Enterprise Center, select Clients & Connectors > Access and Identity Connectors.

    2. Locate the Azure connector and click Need your approval. Wait while the ETP service verifies the identity connector. A success message appears when the identity connector is running.

    3. Click Save.

Deploy a second Azure template

To deploy a second Azure connector:

Note that you'll need to modify the template for the second connector a bit to reference a different public IP address and storage for the identity connector.

  1. Change the item publicIPAddressName to publicIp2.

  2. Change the vhd and name items in osDisk:

    "osDisk": {
      "caching": "ReadWrite",
      "vhd": {
        "uri": "[concat('http://',variables('storageAccountName'),'.blob.core.windows.net/vhds/','osdisk2.vhd')]"
      },
      "createOption": "FromImage",
      "name": "osdisk2"
    }

Set up an identity connector in a Microsoft Hyper-V environment

Before you begin

  • Make sure your Microsoft Hyper-V environment is set up with sufficient compute and storage resources.

  • Create and download a connector template file for Microsoft Hyper-V. For instructions, see Create and download an identity connector.

    This is the connector footprint:

    • Processors: Intel-VT or AMD-V processor with hardware virtualization enabled; four cores recommended.
    • Memory (RAM): 8 GB recommended.
    • Storage: 16 GB recommended.
    • Network: 1 vNIC; 1 GB/s recommended; static IP address or dynamic IP assigned from DHCP server; DNS.

To set up an identity connector in a Microsoft Hyper-V environment:

  1. Open your Microsoft Hyper-V management console and import the downloaded .vhd file into your Hyper-V environment.

  2. In Microsoft Hyper-V Manager, create a new VM. A wizard opens to guide you through the process.

  3. Specify a name for the connector VM.

  4. Select the appropriate settings for Generation (Generation 1 for connector).

  5. Configure the memory for the connector (8 GB).

  6. Select the NIC for the connector to communicate with the internal network, which should have a route to the Internet and be able to communicate with the ETP service.

  7. Specify the location where you downloaded and saved the .vhd file.

  8. Verify the configuration in the summary tab and click Finish.

  9. Start your connector VM.

  10. Approve the connector in ETP:

    1. In the Threat Protection menu of Enterprise Center, select Clients & Connectors > Access and Identity Connectors.

    2. Locate the Microsoft Hyper-V connector and click Need your approval. Wait while the ETP service verifies the connector.

    3. Click Save.

Set up an identity connector in an OpenStack/KVM environment

Before you begin

  • Make sure you have admin privileges to access OpenStack services, such as Glance, Horizon, and others.

  • Create and download the identity connector file for OpenStack/KVM. This image file is in tar format. For instructions, see Create and download an identity connector.

To set up an identity connector in an OpenStack environment:

  1. Untar the image file to a known location.

  2. Transfer the downloaded connector image file to the OpenStack Glance server.

  3. Log in to an SSH session on the Glance server.

  4. Enter this command to convert the downloaded image file format to the Qcow2 image format:

    qemu-img convert -f raw -O qcow2 image.img image.qcow2

  5. Approve the identity connector in ETP:

    1. In the Threat Protection menu of Enterprise Center, select Clients & Connectors > Access and Identity Connectors.

    2. Locate the OpenStack/KVM connector and click Need your approval.

    3. Click Save.

