The CGW requires a single virtual machine (VM) or bare metal (BM) machine to deploy. For High-Availability (HA) deployment, you will need two VMs or two separate hardware boxes. For deployment on a hardware box, check out the hardware deployment options here.
For the Zero-Trust Secure Private Access (SPA) only deployment use case, create a VM with a single network interface. If the VM has more than one network interface, the cyber gateway will use only a single interface.
For the Modern Workplace security use case, create a VM with at least two network interfaces (a LAN interface and a WAN interface). If you plan to use the SD-WAN capability, you will need two WAN interfaces. Similarly, if you have multiple LANs, you can create as many LAN interfaces on the VM as you wish.
See the example below, where the VM supports two LAN interfaces and two WAN interfaces (WAN1 for ISP1 and WAN2 for ISP2), addressing the use case of SD-WAN with two LAN networks (LAN A and LAN B).
As pointed out earlier, for multi-interface CGW deployment you need to create at least two network interfaces on the VM: a LAN interface and a WAN interface. For single-interface CGW deployment you need just one network interface.
When the cyber gateway is deployed on the inside of the firewall, make sure the following outgoing ports are allowed in the firewall.
| Protocol | Allow Outgoing Ports | Allow Incoming Ports |
|----------|----------------------|----------------------|
| UDP      | 3479, 51821-51830    | None                 |
| TCP      | 8089                 | None                 |
If you are deploying the cyber gateway with an existing firewall present, make sure the outgoing ports mentioned above are open. Note: firewalls generally block incoming ports and not outgoing ports, which are open in most cases. If this is the case, you do not need to do anything.
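One way to audit an existing firewall's egress policy against the outgoing ports listed above, as an added example that is not part of the original page or the vendor's tooling. The one-rule-per-line export format (direction, protocol, port or range, action), the first-match-wins evaluation and the sample rule sets are assumptions made for illustration.

```shell
#!/bin/sh
# Required outgoing ports from the table above, as proto:first:last.
REQUIRED='udp:3479:3479 udp:51821:51830 tcp:8089:8089'

# missing_egress RULES
# RULES holds one rule per line: "direction proto ports action" (a
# hypothetical export format). ports is N or N-M. The first matching
# rule wins; a port no rule matches counts as denied.
# Prints every required proto/port that is not allowed out.
missing_egress() {
    printf '%s\n' "$1" | awk -v required="$REQUIRED" '
        $1 == "out" {
            n++; proto[n] = $2; act[n] = $4
            split($3, r, "-")
            lo[n] = r[1] + 0
            hi[n] = (r[2] == "" ? r[1] : r[2]) + 0
        }
        END {
            m = split(required, req, " ")
            for (i = 1; i <= m; i++) {
                split(req[i], f, ":")
                for (p = f[2] + 0; p <= f[3] + 0; p++) {
                    verdict = "deny"
                    for (j = 1; j <= n; j++)
                        if (proto[j] == f[1] && p >= lo[j] && p <= hi[j]) {
                            verdict = act[j]
                            break
                        }
                    if (verdict != "allow") print f[1] "/" p
                }
            }
        }'
}

# Constructed sample rule sets (not taken from any real firewall).
SAMPLE_OK='out udp 3479 allow
out udp 51821-51830 allow
out tcp 8089 allow'
SAMPLE_RESTRICTIVE='out udp 3479 allow
out udp 51821-51825 allow
out tcp 8089 deny
out tcp 1-65535 allow'

missing_egress "$SAMPLE_RESTRICTIVE"
```

An empty result means every required port is allowed out; each printed line is a port the gateway needs that the policy blocks, including ports shadowed by an earlier deny rule.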
Internet must be accessible from the VM:
- Check basic internet connectivity: ping 8.8.8.8
- Check DNS resolution works: ping google.com
Check internal/private application servers on the LAN are accessible from the VM:
- Ping internal/private application server IP to verify connectivity
Install SSH server using below command (skip if already installed):
For the Zero-Trust Secure Private Access (SPA) only deployment use case, follow the instructions for single-interface CGW deployment.
For the firewall replacement (or overlay) use case, including Zero-Trust Secure Private Access (SPA), follow the instructions for multi-interface CGW deployment.