AppGate AX-V Virtual Appliance Getting Started Guide
Author: Malcolm Hamilton and Adam Rose
Version: 2.3
Date: 12.8.2015
Table of Contents

Introduction ... 3
Prerequisites ... 3
Requirements ... 3
Technical Specifications ... 3
Brief Overview of the AppGate ... 3
Setting up the AppGate AX-V VMware Image ... 5
Initial Configuration ... 6
    Configure an IP Address ... 6
    Change the Default Encryption Keys ... 6
    Change the Default Passwords ... 6
How to Start the AppGate Administration Console ... 7
Using the AppGate Console ... 8
Add Your License ... 8
Setup DNS or Hostname Mappings ... 9
All Done ... 10
Further Information ... 10
Introduction

The AppGate appliance can be delivered as hardware or as a virtual machine. There are many different options when a hardware appliance is chosen, and only one option, model AX-V, when the virtual appliance is the chosen method of delivery. This guide walks you through all of the steps needed to get your new AX-V virtual appliance installed into your virtualization environment and talking to the network, so that it can be configured to protect your environment.

Prerequisites

A basic understanding of administration of VMware ESXi
An understanding of basic networking concepts including VLANs, routing, DNS, and NAT

Pre-installation checklist and software requirements:
https://cryptzone.force.com/support/articles/customer/pre-installation-checklist-appgate-Security-Server/?q=preinstallation&l=en_US&fs=Search&pn=1
https://cryptzone.force.com/support/articles/customer/appgate-software-requirements

Requirements

VMware ESXi 5.0 and 5.5

Technical Specifications

Concurrent Users*: Up to 500 per unit
Throughput: Up to 250 Mbps with AES-128 encryption

*The number of users and the performance achieved depend on the physical resources available, the application protocols, and usage patterns, and may differ from the numbers in this document.

Brief Overview of the AppGate

The AppGate allows secure and controlled privileged user access to resources on protected servers regardless of client location. This is achieved by placing an AppGate between all users and sensitive network-attached resources. All user traffic and access to the protected resources flows through the AppGate, which acts as a proxy or gateway overlaying its 5-layer security method for enforcing a Zero-Trust framework. The 5-layer security method consists of strong encryption, user authentication, session authorization, policy enforcement, and global audit logging. AppGate appliances can be clustered together for redundancy, scalability, and geographic distribution.

In environments where sensitive resources and protected networks are geographically distributed, AppGate Satellites (AS) can be used to extend the reach of an AppGate or AppGate cluster.
[Figure: AppGate 5-Layer Enforced Security Model provides a Zero-Trust Framework for securing privileged user access. Building blocks: 1. Encrypted Communication, 2. User Authentication, 3. Session Authorization, 4. Policy Enforcement, 5. Global Audit Logging. The diagram shows a privileged user's encrypted, user-specific session passing through the AppGate (device firewall, public and private networks) into a user/session-specific walled garden in which only authorized resources are presented to the user. The AppGate RBAC/ABAC policy engine derives a dynamic, user-specific ACL from user account, group and attribute data, device attributes, posture and context before granting access to the protected resource.]

All AppGate client and end-user software is hosted on the AppGate for easy download via the built-in web server. The recommended client type is the Java Web Start client. This client requires no installation and can be launched simply by clicking a launch button on the AppGate-hosted web page. Some services may require additional operating-environment-specific software; these packages are also available from the AppGate. Clients are available for a very wide range of computing platforms:

Windows
Mac OS X
Linux
Mobile devices (iPhone, iPad, Android)
Setting up the AppGate AX-V VMware Image

The AppGate can be deployed as either a hardware appliance or a virtual appliance. The virtual appliance model number is AX-V. The AX-V image is delivered as an .ovf file that can be loaded onto VMware ESXi version 5.0 and 5.5.

Download the image from here:
http://download.cryptzone.com/files/download/axv-demo/axvdemo.7z

Uncompress the image using 7-Zip or a compatible tool; 7-Zip can be downloaded here:
http://www.7-zip.org/

1. Open the VMware vSphere client and, under the File menu, click Deploy OVF Template.
2. Browse to the location of the AX-V image and select the .ovf file. Click Next.
3. Give the image a name, for example AppGate-01. Add it to an inventory location if required. Click Next.
4. Select a resource pool for the image (a new pool may need to be created). Click Next.
5. Select a storage location for the image. Click Next.
6. Select the disk format Thin (uses 2-3 GB). Click Next.
7. Network Mappings: just click Next.
8. Do not tick the option to power on the image when done. Click Finish.

The image will now be created within the ESXi environment.

Optional: edit the hardware properties of the new AppGate VMware image and increase the memory from 4 GB (the minimum) to 8 GB.

Start the image.
Initial configuration

Configure an IP Address

The appliance ships with a default IP address. It is necessary to change this to a free IP address on the internal LAN, in the same subnet as the internal address of the gateway. This is described below. We will also set a password for the default AppGate administrative user agadmin.

Using the virtual machine console, log in with the account name root and the password changeme. Run the following command:

ag_ipconfig a.b.c.d/m

where a.b.c.d is the new IP address and m is the new netmask (prefix length), e.g. ag_ipconfig 10.0.0.42/24. A default gateway can also be provided, e.g. ag_ipconfig 10.0.0.42/8 10.0.0.1.

Change the Default Encryption Keys

Changing the default encryption keys on the newly installed AppGate is a necessary step to ensure security: the keys contained in the downloaded image are the same for everyone who downloads it, so they must be replaced before the appliance is trusted. Using the virtual machine console, log in with the account name root and the password pass. Run the command

rm -f /var/opt/appgate/conf/ssh_host*

and then reboot the system using the command reboot. New host keys are generated when the system comes back up.

Change the Default Passwords

It is important that the default passwords for the root and agadmin accounts be changed. Run the command ag_passwd_util agadmin to set a secure password for the administrative user agadmin. Run the command passwd.rootonly to change/set a secure password for the root user.

All subsequent access will be done through the standard AppGate Console.
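After deleting the ssh_host* files and rebooting, a practitioner will want proof that the appliance really presents new keys rather than the ones shipped in the image. The following script is an added example, not part of the guide and not AppGate's own tooling: it computes the fingerprint of an OpenSSH public key line the way `ssh-keygen -lf` prints it (SHA256 over the raw key blob, base64 without padding) and compares the key recorded before the reboot with the one collected afterwards. The public key lines themselves come from outside the script (for example one of the ssh_host*.pub files in /var/opt/appgate/conf, or the output of `ssh-keyscan` against the new IP address); the ssh-ed25519 sample keys embedded here are constructed placeholders, not real key pairs, and the exact key types present on an AX-V are an assumption.

```python
"""
Added example (not from the AppGate guide): verify that the SSH host key
changed after deleting /var/opt/appgate/conf/ssh_host* and rebooting.

Record a public host key line before the reboot, collect it again after the
reboot, and compare fingerprints. Fingerprints are computed as
`ssh-keygen -lf` prints them, so they can also be compared with what the
appliance shows on its console.
"""
import base64
import hashlib
import struct


def ssh_fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH-style fingerprint ("SHA256:...") of a public key
    line of the form '<type> <base64 blob> [comment]'."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob_b64 = parts[0], parts[1]
    blob = base64.b64decode(blob_b64, validate=True)
    # The blob starts with the key type as an SSH string; check that it
    # matches the declared type so a mangled line is rejected early.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len].decode() != key_type:
        raise ValueError("key type in blob does not match declared type")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_changed(before_line: str, after_line: str) -> bool:
    """True if the appliance presents a different host key after the reboot."""
    return ssh_fingerprint(before_line) != ssh_fingerprint(after_line)


def check(before_line: str, after_line: str) -> str:
    """Verdict string. The FAIL case means the default keys are still in use
    and the appliance must not be exposed until they are regenerated."""
    if host_key_changed(before_line, after_line):
        return "OK: host key regenerated, new fingerprint " + ssh_fingerprint(after_line)
    return ("FAIL: host key unchanged (" + ssh_fingerprint(after_line)
            + "); default keys still in use")


def _constructed_ed25519_pubkey(seed: int) -> str:
    """Build a syntactically valid ssh-ed25519 public key line from a fixed
    32-byte value. Constructed for this example only; not a real key pair."""
    raw = hashlib.sha256(seed.to_bytes(4, "big")).digest()  # 32 filler bytes
    blob = (struct.pack(">I", len(b"ssh-ed25519")) + b"ssh-ed25519"
            + struct.pack(">I", len(raw)) + raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " appgate-ax-v"


# Constructed sample data standing in for the keys captured before and after.
DEFAULT_IMAGE_KEY = _constructed_ed25519_pubkey(1)   # key shipped in the image
REGENERATED_KEY = _constructed_ed25519_pubkey(2)     # key after rm + reboot


if __name__ == "__main__":
    print(check(DEFAULT_IMAGE_KEY, REGENERATED_KEY))   # expected: OK ...
    print(check(DEFAULT_IMAGE_KEY, DEFAULT_IMAGE_KEY))  # expected: FAIL ...
```

Once the check passes, pin the new fingerprint in the known_hosts of every administrative workstation that will reach the appliance over SSH, and treat a later change of fingerprint as an incident rather than a prompt to click through.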
How to start the AppGate administration console

Most of the administrative tasks on AppGate are done using the AppGate Console.

**Note: If you have previously installed a different version of the AppGate Console application, you will need to download and install the correct version from the AX-V appliance.

***Note: Java needs to be installed to run Java Web Start.

To start the AppGate Console:

1. Start a web browser and enter the IP address of your AppGate (e.g. http://a.b.c.d/).
2. Select List Clients for Desktops and Laptops at the bottom of the page.
3. We recommend the AppGate Console in the Java Web Start section; it ensures you are using the Console version that matches your AppGate.
4. You can also install the local version of the AppGate Console. To do this, use the OS-specific section of the web site to install a stand-alone version.

The Console will launch. Click OK if any prompts appear about accepting the program. You may now log in with the user account agadmin using the password that was created earlier.
Using the AppGate Console

The AppGate Console is used for almost all administration. The principal way of navigating within the console is the tree view on the left side of the console window. Throughout this guide we use the following notation to help you find any required settings: Administration -> User Accounts. This indicates that the sub-tree under Administration must be opened, where an entry User Accounts is located.

Add your license

Your license for your AX-V AppGate is supplied to you by e-mail. Copy the entire license blob from the e-mail to the clipboard. Go to System Settings -> License Management -> Add... and click Paste from clipboard.
Setup DNS or hostname mappings

The AppGate must be able to resolve the host names of the IP hosts it is protecting. If a DNS service is available on the internal network it should be used; otherwise static mappings between host names and IP addresses may be used.

DNS is set under System Settings -> Network/Cluster Management -> Network: your-network -> DNS.

If DNS is not available, click on the Hosts tab and add each server's IP address and host name. Use the fully qualified name, i.e. mail.local.net instead of mail.

**Note: Press Commit to apply any changes in Network/Cluster Management to the AppGate.
All Done

AX-V AppGate administrators may now connect to the virtual appliance using the console application and begin configuring the system for privileged user access.

Further information

The Support web site contains a lot of public information, notably a number of guides that describe how to set up some of the more advanced features of the AppGate.

Useful links:

Technical Articles
https://cryptzone.force.com/support/pkb_home

AppGate Server Manuals
http:///downloadcenter/appgate

AppGate User Manual
http://download.cryptzone.com/files/download/appgate-11.1/doc/user_guide.pdf