Setup and virtual machine requirements

Virtual machine requirements

To deploy Enterprise Security Connector:

  • Deploy the security connector on these hypervisors or cloud platforms:

    • Microsoft Hyper-V hypervisor
    • VMware ESXi version 5.5 or later
    • Microsoft Azure
    • Amazon Web Services (AWS)
  • Make sure the VM meets these resource requirements:

| Security Connector Type | RAM                          | Disk Space | CPU                                | Network Interfaces |
|-------------------------|------------------------------|------------|------------------------------------|--------------------|
| Sinkhole                | Minimum: 2 GB, Maximum: 8 GB | 40 GB      | Minimum: 2 cores, Maximum: 4 cores | 2                  |
| DNS Forwarder           | Minimum: 4 GB, Maximum: 8 GB | 40 GB      | Minimum: 2 cores, Maximum: 4 cores | 2                  |
| HTTP Forwarder          | Minimum: 4 GB, Maximum: 8 GB | 40 GB      | Minimum: 2 cores, Maximum: 4 cores | 2                  |
  • Make sure you enable encryption on the hypervisor or in the software that you use to create virtual machines.

Network requirements

You need to:

  • Configure your organization's firewall to:

    • Allow outbound connections to TCP port 443 and UDP traffic on port 123 for the interface that’s used for outbound traffic. For example, if you select one interface for outbound traffic, this is the en1 interface. If you select two interfaces, outbound traffic is on the en2 interface.

    • For DNS Forwarder, allow outbound TCP port 443 for hostname *.akaetp.net with "dot" as the ALPN. This configuration is required for DNS over TLS (DoT) connections.

      If you configured TCP port 853 as the port for DoT instead of 443, make sure you allow outbound connections on port 853.

    • Allow outbound TCP port 80, port 443, and all transparent proxy ports for HTTP Forwarder to direct requests to the origin in case of failover.

    • For SSH connections, allow inbound access to TCP port 22.

    • For the en1 interface:

      • Allow inbound access to TCP and UDP port 53 for DNS.

      • Allow inbound access to the HTTP ports that are necessary for your organization’s network.

  • Deploy the security connector on the same LAN as user computers. This allows Security Connector to identify the internal IP address of user traffic. If you’re configuring the transparent proxy for HTTP Forwarder, you can deploy Security Connector in different LANs. Make sure the policy-based routing rules on the router preserve the original IP address of traffic.

Additionally, you should complete these steps:

  1. When using Security Connector as a sinkhole, assign the en1 interface (formerly the data interface) an IP address that is outside the private network ranges defined by Request for Comments 1918 (RFC 1918):

    1. 10.0.0.0 - 10.255.255.255 (10/8 prefix)

    2. 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)

    3. 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

    Many forms of malware do not connect to IP addresses in these ranges. If you do not have an unused subnet in your network for this configuration, create one to receive Security Connector traffic.

  2. Configure the interface that includes the Web Console in a secure or isolated location in your internal network. By default, the Web Console is not encrypted and operates over TCP port 3000.
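The following pre-deployment check script is an added example, not vendor-supplied code. It encodes two of the requirements above: the VM sizing table under "Virtual machine requirements" and the rule that a sinkhole's en1 address must fall outside the three RFC 1918 ranges. The connector type keys, the argument layout and all sample values are constructed for illustration; treating the table's "40 GB" disk figure as a minimum is an assumption. The RFC 1918 check goes slightly beyond the text by accepting a whole CIDR subnet (the case where you create a new subnet for sinkhole traffic) and rejecting any overlap with a private range, not just a single address inside one.

```python
"""Pre-deployment checks for an Enterprise Security Connector VM.

Added example (not vendor code). Connector type names, argument layout and
sample values are constructed; the numbers come from the page's resource
table and its RFC 1918 list.
"""
import ipaddress

# Resource table from the page. Disk is treated as a minimum (assumption);
# RAM and CPU have explicit minimum/maximum values.
RESOURCE_TABLE = {
    "sinkhole":       {"ram_gb": (2, 8), "disk_gb": 40, "cpu": (2, 4), "nics": 2},
    "dns_forwarder":  {"ram_gb": (4, 8), "disk_gb": 40, "cpu": (2, 4), "nics": 2},
    "http_forwarder": {"ram_gb": (4, 8), "disk_gb": 40, "cpu": (2, 4), "nics": 2},
}

# Private ranges from RFC 1918; a sinkhole's en1 address must lie outside all of them.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def check_resources(connector_type, ram_gb, disk_gb, cpus, nics):
    """Return a list of sizing problems; an empty list means the VM matches the table."""
    if connector_type not in RESOURCE_TABLE:
        return [f"unknown connector type: {connector_type}"]
    req = RESOURCE_TABLE[connector_type]
    problems = []
    lo, hi = req["ram_gb"]
    if not lo <= ram_gb <= hi:
        problems.append(f"RAM {ram_gb} GB outside {lo}-{hi} GB")
    if disk_gb < req["disk_gb"]:
        problems.append(f"disk {disk_gb} GB below {req['disk_gb']} GB")
    lo, hi = req["cpu"]
    if not lo <= cpus <= hi:
        problems.append(f"{cpus} CPU cores outside {lo}-{hi}")
    if nics != req["nics"]:
        problems.append(f"{nics} network interfaces, expected {req['nics']}")
    return problems


def rfc1918_overlap(address_or_subnet):
    """Return the RFC 1918 block that the given IP or CIDR overlaps, or None.

    Accepts a single address ("203.0.113.10") or a whole subnet
    ("203.0.113.0/24"). For a subnet any overlap counts, so a proposed
    sinkhole subnet that straddles a private range is rejected too.
    """
    net = ipaddress.ip_network(address_or_subnet, strict=False)
    if net.version != 4:
        return None  # RFC 1918 only defines IPv4 ranges
    for private in RFC1918:
        if net.overlaps(private):
            return private
    return None


def preflight(connector_type, vm_spec, en1):
    """Run both checks; returns (ok, list_of_problems)."""
    problems = check_resources(connector_type, **vm_spec)
    if connector_type == "sinkhole":
        hit = rfc1918_overlap(en1)
        if hit is not None:
            problems.append(f"en1 {en1} falls inside RFC 1918 range {hit}")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed sample: a sinkhole sized within the table but given a private en1 address.
    ok, why = preflight("sinkhole",
                        {"ram_gb": 4, "disk_gb": 40, "cpus": 2, "nics": 2},
                        "192.168.50.10")
    print("OK" if ok else "FAIL: " + "; ".join(why))
```

Run it before provisioning; a non-empty problem list means the VM, or the address plan for en1, does not meet the requirements on this page. Note that `rfc1918_overlap` only checks the RFC 1918 ranges named here, so an address that passes may still be unusable for other reasons (for example, it is already assigned elsewhere on your network).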