Install the ExtraHop session key forwarder on a Windows server

Similar documents
Install the ExtraHop session key forwarder on a Windows server

Install the ExtraHop session key forwarder on a Windows server

Install the ExtraHop session key forwarder on a Windows server

VMware Horizon Client for Chrome Installation and Setup Guide. 15 JUNE 2018 VMware Horizon Client for Chrome 4.8

AirWatch Mobile Device Management

Managing SSL/TLS Traffic Flows

How to Configure SSL Interception in the Firewall

Contents. Introduction. Prerequisites. Requirements. Components Used

Using SSL to Secure Client/Server Connections

Exinda How To Guide: SSL Acceleration. Exinda ExOS Version Exinda Networks, Inc.

PCoIP Connection Manager for Amazon WorkSpaces

But where'd that extra "s" come from, and what does it mean?

Configure the IM and Presence Service to Integrate with the Microsoft Exchange Server

ExtraHop 7.0 ExtraHop Trace Admin UI Guide

Cisco CTL Client setup

Managing the SSL Certificate for the ESRS HTTPS Listener Service Technical Notes P/N Rev 01 July, 2012

VMware AirWatch Integration with RSA PKI Guide

Aspera Connect Windows XP, 2003, Vista, 2008, 7. Document Version: 1

Android Mobile Single Sign-On to VMware Workspace ONE. SEP 2018 VMware Workspace ONE VMware Identity Manager VMware Identity Manager 3.

Configuring Cisco Unified MeetingPlace Web Conferencing Security Features

Content and Purpose of This Guide... 1 User Management... 2

Creating and Installing SSL Certificates (for Stealthwatch System v6.10)

This document describes the configuration of Secure Sockets Layer (SSL) decryption on the FirePOWER Module using ASDM (On-Box Management).

Create Decryption Policies to Control HTTPS Traffic

Zmanda Cloud Backup FAQ

AXIS Device Manager HTTPS certificate management

ExtraHop 7.0 ExtraHop Explore Admin UI Guide

HOW TO GUIDE. XPR Enterprise Konica Minolta Embedded Quick Installation Guide. For Support Click here INTRODUCTION. Pre-requisites

LDAP Directory Integration

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

SSL Visibility and Troubleshooting

Barracuda Networks NG Firewall 7.0.0

BROWSER-BASED SUPPORT CONSOLE USER S GUIDE. 31 January 2017

Mitel MiVoice Connect Security Certificates

Cisco CTL Client Setup

DPI-SSL. DPI-SSL Overview

Configuring SSL Security

VMware Horizon Client for Windows 10 UWP User Guide. Modified on 21 SEP 2017 VMware Horizon Client for Windows 10 UWP 4.6

Install Certificate on the Cisco Secure ACS Appliance for PEAP Clients

Configuring Secure Socket Layer HTTP

VMware Horizon View Deployment

Configuring Secure Socket Layer HTTP

Displaying SSL Configuration Information and Statistics

Workspace ONE UEM Integration with RSA PKI. VMware Workspace ONE UEM 1810

ExtraHop 7.3 ExtraHop Trace REST API Guide

How to Set Up External CA VPN Certificates

Deploy the ExtraHop Discover Appliance in Azure

FieldView. Management Suite

Microsoft ISA 2006 Integration. Microsoft Internet Security and Acceleration Server (ISA) Integration Notes Introduction

SAML-Based SSO Configuration

Load Balancing Microsoft IIS. Deployment Guide v Copyright Loadbalancer.org

Start Creating SSL Policies

Configuring the Cisco APIC-EM Settings

The information in this document is based on these software and hardware versions:

Teradici PCoIP Connection Manager 1.8 and Security Gateway 1.14

Using the Web-Browser and CLI Interfaces

Secure ACS for Windows v3.2 With EAP TLS Machine Authentication

Monitor load balancer performance in a dashboard

INUVIKA TECHNICAL GUIDE

Secure Web Appliance. SSL Intercept

UCS Manager Communication Services

Cisco Secure ACS for Windows v3.2 With PEAP MS CHAPv2 Machine Authentication

Troubleshooting Exchange Calendaring Integrations

Managing vrealize Automation. vrealize Automation 7.0.1

Deploy the ExtraHop Discover Appliance 1100

VMware Identity Manager vidm 2.7

BIG-IP System: SSL Administration. Version

SafeConsole On-Prem Install Guide

BIG-IP System: SSL Administration. Version

PCoIP Connection Manager for Amazon WorkSpaces

Deploy the ExtraHop Discover 3100, 6100, 8100, or 9100 Appliances

SECURE Gateway v4.7. TLS configuration guide

If you prefer to use your own SSH client, configure NG Admin with the path to the executable:

Wired Dot1x Version 1.05 Configuration Guide

SafeConsole On-Prem Install Guide

Using VMware View Client for Mac

Configuration Example for Secure SIP Integration Between CUCM and CUC based on Next Generation Encryption (NGE)

Stonesoft VPN Client. for Windows Release Notes Revision A

YubiKey Smart Card Minidriver User Guide. Installation and Usage YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, YubiKey NEO, YubiKey NEO-n

Digi Application Guide Configure VPN Tunnel with Certificates on Digi Connect WAN 3G

ExtraHop 6.1 ExtraHop Explore Admin UI Guide

How to Configure SSL Interception in the Firewall

CSM - How to install Third-Party SSL Certificates for GUI access

Appliance Upgrade Guide

NetExtender for SSL-VPN

Configuring F5 for SSL Intercept

Horizon DaaS Platform 6.1 Service Provider Installation - vcloud

vapp Deployment and Configuration Guide

HP JETADVANTAGE SECURITY MANAGER. Certificate Management

VMware Horizon JMP Server Installation and Setup Guide. Modified on 19 JUN 2018 VMware Horizon 7 7.5

Bomgar Appliance Upgrade Guide

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at

Blue Coat ProxySG First Steps Solution for Controlling HTTPS SGOS 6.7

About DPI-SSL. About DPI-SSL. Functionality. Deployment Scenarios

Configuration of Microsoft Live Communications Server for Partitioned Intradomain Federation

Setting Up the Server

Configure System Settings

McAfee Network Security Platform 9.2

Comprehensive Setup Guide for TLS on ESA

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security

Transcription:

Install the ExtraHop session key forwarder on a Windows server Published: 2018-07-19 The ExtraHop session key forwarder runs as a process on a monitored Windows server running SSL services. The forwarder establishes an SSL-secured connection to an ExtraHop Discover appliance to send all SSL session keys. The session keys enable the Discover appliance to decrypt SSL/TLS sessions that otherwise could not be decrypted, either because the session is encrypted with Perfect Forward Secrecy (PFS) ciphers or the Discover appliance does not have the private key for RSA handshakes. After the session keys are forwarded, they are immediately deleted from memory on the Windows server. Before you begin Read our blog post: What is Perfect Forward Secrecy? See the list of supported cipher suites that can be decrypted by the Discover appliance when session key forwarding is configured. Make sure that the Discover appliance is running firmware version 7.0 or later. Make sure that the Discover appliance is licensed for SSL Decryption. Install the session key forwarder on one or more Windows 2008 R2 or Windows 2012 R2 servers running SSL-based services with the native Windows SSL framework. OpenSSL on Windows is not currently supported. Session key processing on the Discover appliance requires that you upload the server certificate and private key file for any monitored SSL-encrypted service to the Discover appliance. Go to the Capture > SSL Decryption Keys page in the Admin UI to upload a.pem file that includes both a private key and certificate. The session key forwarder on the Windows server must be able to access a trusted CA certificate from the Windows certificate store to validate the certificate (or chain of certificates) that the Discover appliance presents. Make sure that the server certificates have an RSA public key. DSA and ECDSA public keys are not currently supported. The traffic for each monitored SSL server must be part of the data feed to the Discover appliance. Important: The session key forwarder software is provided as an.msi file. While it is possible to double-click the.msi file to start the installation process, we strongly recommend that you install the software from a command prompt. When the installation parameters are provided through the command line, the installation process incorporates the specified parameters into the registry and certificate store. If the installation is completed through the installer UI, there are no prompts for any parameters and you must configure them manually in the registry after the installation is complete. 2018 ExtraHop Networks, Inc. All rights reserved.

If you inadvertently install the software from the installer UI, uninstall the software and then reinstall from the command prompt. Install the software Warning: The installation requires a restart of the server. Do not start the installation unless you are able to restart the server after the installation completes. 1. Log into the Windows 2008 R2 or 2012 R2 server. 2. Download the latest version of the session key forwarder software. 3. Run the following command: msiexec /i C:\ExtraHopPFSInstaller.msi EDA_HOSTNAME=<hostname or IP address of Discover appliance> Where C:\ExtraHopPFSInstaller.msi is the path to the installer file. If required for your configuration, you can add the two optional parameters to the command: msiexec /i C:\ExtraHop.msi EDA_HOSTNAME=<hostname or IP address of Discover appliance> EDACERTIFICATEPATH=<path to.pem file> SERVERNAMEOVERRIDE=<Common Name> See Installation parameters in the Appendix. 4. When the installation completes, click Yes to reboot the server. Enable the SSL session key receiver service You must enable the session key receiver service on the Discover appliance before the appliance can receive and decrypt sessions keys from the session key forwarder. By default, this service is disabled. 1. Log into the Admin UI on the Discover appliance. 2. In the Appliance Settings section, click Services. 3. Select the SSL Session Key Receiver checkbox. If you do not see the checkbox, and you have purchased the SSL Decryption license, contact ExtraHop Support to update your license. 4. Click Save. View connected session key forwarders You can view connected session key forwarders after you install the session key forwarder on your Windows server and enable the SSL session key receiver service on the Discover appliance. 1. Log into the Admin UI on the Discover appliance. 2. In the System Configuration section, click Capture. 3. Click SSL Shared Secrets. Validate session key forwarding Perform these steps to make sure that the installation was successful and the session key forwarder is forwarding the keys to the Discover appliance. 1. Log into the Windows 2008 R2 or 2012 R2 server. exclude_from_doc_site Install the ExtraHop session key forwarder on a Windows server 2

2. Open the Services MMC snap-in. Ensure both services, ExtraHop Secret Agent and ExtraHop Registry Service show the status as Running. 3. If either service is not running, troubleshoot the issue by completing the following steps. a) Open the Event Viewer MMC snap-in and navigate to Windows Logs > Application. b) Locate the most recent entries for the ExtraHopAgent source. Common reasons for failure and their associated error messages are listed in the Troubleshoot common error messages section below. 4. If the Services and Event Viewer snap-in do not indicate any issues, apply a workload to the monitored services and go to the Discover appliance to verify that secret-based decryption is working. When the Discover appliance receives session keys and applies them to decrypted sessions, the Shared Secret metric counter (in Applications > All Activity > SSL Sessions Decrypted) is incremented. Create a dashboard chart with this metric to see if the Discover appliance is successfully receiving session keys from the monitored servers. Troubleshoot common error messages The following table shows common error messages that you can troubleshoot. If you see a different error or the proposed solution does not resolve your issue, contact ExtraHop Support. Message Cause Solution connect: dial tcp <IP address>:4873: connectex: A connection attempt failed because the connected party did not properly respond after The monitored server cannot route any traffic to the Discover appliance. Ensure firewall rules allow SSL connections to be initiated from the monitored server to the Discover appliance. exclude_from_doc_site Install the ExtraHop session key forwarder on a Windows server 3

Message Cause Solution a period of time, or established connection failed because connected host has failed to respond connect: dial tcp <IP address>:4873: connectex: No connection could be made because the target machine actively refused it The monitored server can route traffic to the Discover appliance, but the receiving process is not listening. Ensure that the Discover appliance is licensed for both the SSL Decryption and Secret Agent features. connect: x509: certificate signed by unknown authority connect: x509: cannot validate certificate for <IP address> because it doesn't contain any IP SANs The monitored server is not able to chain up the Discover appliance certificate to a trusted Certificate Authority (CA). An IP address was supplied as the EDA_HOSTNAME parameter when installing the forwarder, but the SSL certificate presented by the Discover appliance does not include an IP address as a Subject Alternate Name (SAN). Ensure that the Windows certificate store for the computer account has trusted root certificate authorities that establish a chain of trust for the Discover appliance. Select from the following three solutions. If there is a hostname that the server can connect to the Discover appliance with, and that hostname matches the subject name in the Discover appliance certificate, uninstall and reinstall the forwarder, specifying that hostname as the value of EDA_HOSTNAME. If the server is required to connect to the Discover appliance by IP address, uninstall and reinstall the forwarder, specifying the subject name from the Discover appliance certificate as the value of SERVERNAMEOVERRIDE. Re-issue the Discover appliance certificate to include an IP Subject Alternative Name (SAN) for the given IP address. Uninstall the software If you no longer want the ExtraHop session key forwarder software installed, or if any of the original installation parameters have changed (Discover appliance hostname or certificate) and you need to reinstall the software with new parameters, do the following: exclude_from_doc_site Install the ExtraHop session key forwarder on a Windows server 4

Important: You must restart the server for the configuration changes to take effect. 1. Log into the Windows server. 2. Run the following command to remove the software and associated registry entries: msiexec /x C:\ExtraHopPFSInstaller.msi Where C:\ExtraHopPFSInstaller.msi is the path to the installer file. 3. Click Yes to confirm. 4. After the software is removed, click Yes to restart the system Appendix Installation parameters The session key forwarder software is provided as an MSI package. A complete installation of the forwarder requires specifying up to three parameters, which are described in the tables below. MSI Installation Parameter Registry Entry Description EDA_HOSTNAME HKEY_LOCAL_MACHINE\SOFTWARE\ExtraHop \EDAHost The Discover appliance hostname or IP address where SSL session keys will be sent. This parameter is required. MSI Installation Parameter Registry Entry Description EDA_CERTIFICATEPATH N/A The monitored server must trust the issuer of the Discover appliance SSL certificate through the server s certificate store. In some environments, the Discover appliance works with the self-signed certificate that the ExtraHop firmware generates upon installation. In this case, the certificate must be added to the certificate store. The EDA_CERTIFICATEPATH parameter enables a file-based PEM-encoded certificate to be imported into the Windows certificate store at installation. If the parameter is not specified at installation and a self-signed or other CA certificate must be placed into the certificate store manually, the administrator must import the certificate to Certificates (Computer Account) > Trusted Root Certification Authorities on the monitored system. This parameter is optional if the monitored server was previously configured to trust the SSL certificate of the Discover appliance through the Windows certificate store. exclude_from_doc_site Install the ExtraHop session key forwarder on a Windows server 5

MSI Installation Parameter Registry Entry Description SERVERNAMEOVERRIDE HKEY_LOCAL_MACHINE\SOFTWARE\ExtraHop \ServerNameOverride If there is a mismatch between the Discover appliance hostname that the forwarder knows (EDA_HOSTNAME) and the common name (CN) that is presented in the SSL certificate of the Discover appliance, then the forwarder must be configured with the correct CN. This parameter is optional. We recommend that you regenerate the SSL selfsigned certificate based on the hostname from the SSL Certificate section of the Admin UI instead of specifying this parameter. exclude_from_doc_site Install the ExtraHop session key forwarder on a Windows server 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback