¶ Create a Virtual Machine
The recommended machine type and specification for the VM are provided below:
|
Instance Type |
CPU |
Memory |
Disk |
|---|---|---|---|
|
t2.medium |
2 vCPU |
4 GB |
30 GB |
- Go to AWS EC2 Dashboard and select region to deploy Cyber Gateway VM
- In the AWS EC2 dashboard, click on Launch Instance
- Enter Name of the instance
- Select Ubuntu on Application and OS Images [Quick Start]
- Select latest Ubuntu Server image [ for eg. 22.04 LTS (HVM), SSD Volume Type] on Amazon Machine Image (AMI)
- Select Architecture as per requirement, else skip it with default 64-bit (x86)
- Specify the Instance Type, recommended: t2.medium
- Create new key pair for ssh access or select any existing key pair from drop down list
- Store the key file in a location which can be used during SSH login to virtual machine
- Configure Network settings
- Select VPC from drop down list
- Select Subnet from drop down list which will be allowed for Internet Access [WAN Interface]
- Select Enable for Auto-assign public IP and Disable for Auto-assign IPv6 IP
- Create security group or select if any existing security group can be used
- Make sure new security group or existing selected security group allows SSH inbound rule
- Specify Storage, recommended 30GB
- Click on Launch instance to create Cyber Gateway VM
- Once instance is created, you can click on the instance ID to view the details of the VM
- Instance state and status check will show when VM is up and running
- Create LAN interface for CGW VM
- Select Network Interface from left panel
- Click on Create network interface
- Specify Description of the network interface, as shown in picture
- Select LAN subnet from drop down.
Make sure LAN subnet is different than the subnet configured for primary/WAN interface for Internet access. In current example, WAN subnet is 10.10.0.0/24 and LAN subnet is 10.10.1.0/24
- Select Custom option and configure .251 IP of the subnet as Static IP for LAN interface , as shown in picture
- Click on Create network interface
- Attach LAN interface to CGW instance
- Right click on CGW instance
- Select Networking → Attach network interface
- Select the LAN interface from drop down list and click on Attach
- Stop source/destination check for CGW instance
- Right click on CGW instance
- Select Networking → Change source/destination check
- Select Stop and Save
- Verify CGW LAN interface source/destination check setting is also not enabled
- Click on CGW instance ID
- Click on Networking
- Select and click on the CGW LAN interface which was created in previous steps with subnet IP .251
- Check setting, if Enabled, then disable it. If Enable option not selected then skip this step and cancel the operation as shown in below pic.
- Click on instance ID to check the public and private IPs allocated to VM
- Click on the Connect button to view the command for SSH access
- Use SSH command on a SSH client to login to CGW VM
¶ Create a Cyber Gateway
To create a Multi Interface Cyber Gateway (CGW-MIF), follow the steps below.
- Navigate to the MSP admin console -> Client Workspace
- Click on Gateways in the left menu bar → Add Gateway
- Name - You may change the name of the CGW
- Select Gateway Type as Multi Interface. Fill in the details and add Gateway.
- High Availability (HA) - Please select ‘Yes’ if CGW to be deployed in High Availability mode. 2 Ubuntu VMs or any other 2 quantity of recommended hardware needed for HA setup, Please refer HA user manual for more detailed instructions.
- Admin Notifications Email - Provide email ID which will receive alerts/notifications related to CGW
- LAN Configuration
- If NAT is not required on LAN network then select No for option NAT on LAN, else skip it
- In case of Multiple LAN subnets, click on + symbol and add additional subnets, else skip it
- LAN Subnet - Enter LAN subnet (for eg. 10.10.10.0/24). This will be added as Trustpath automatically to Gateway, so no need to add this as Trustpath again. VERY IMPORTANT: This is the subnet that will be behind the gateway (i.e. plugged into the LAN port of the gateway) that you want remote users to be able to access. This is NOT the subnet that the WAN port of the gateway is on.
- LAN Gateway - Specify IP address of the Gateway which will be used by the devices behind CGW in LAN subnet specified in above parameter. Configured LAN Gateway IP will be installed on the CGW machine, so make sure it is not conflicting in network or not installed on any other device statically. If HA (High Availability) is enabled, then do not use .251 and .252 IP addresses as LAN Gateway IP. These IP addresses will be installed on Primary and Secondary nodes respectively.
- Next HOP GW for LAN - Provide gateway for LAN traffic. It is required when LAN traffic has to send all traffic to an IP which handles communication with actual core LAN network.
- VLAN Configuration
- Select Yes if CGW needs to support VLAN network segments. Please refer VLAN user manual for more detailed instructions.
- If Yes is selected, please specify VLAN IDs and VLAN subnets.
- Specify VLAN Gateway IP
- Inter VLAN Communication - Select Yes, if inter VLAN communication should be allowed
- Enable/Disable DHCP IP allocation for all VLANs by selecting Yes/No for DHCP for All VLANs option
- You may also enable/disable DHCP IP allocation for individual VLAN by selecting Yes/No for DHCP option
- By default, VLAN DHCP function will use start range .2 to end range .250
- Select Yes if CGW needs to support VLAN network segments. Please refer VLAN user manual for more detailed instructions.
- DHCP Configuration
- DHCP server - Select Yes, if DHCP IP assignment should happen from CGW on LAN network. Please refer DHCP user manual for more detailed instructions.
- If selected Yes, DHCP server will be started for LAN
- Specify Start Range and End Range
- DHCP server - Select Yes, if DHCP IP assignment should happen from CGW on LAN network. Please refer DHCP user manual for more detailed instructions.
- SD-WAN Configuration
Mostly for CGW deployment on public clouds, you may not need static IPs on WAN interfaces but for specific requirements, it can be added.
- Static IP address along with their default gateway can be configured.
- Mostly it is required when existing Firewalls are replaced with CGW and ISP provided public IP and gateway need to configured on CGW node directly on WAN interface. Please refer SD-WAN user manual for more detailed instructions.
- Configure below parameters, if WAN Static IP is set to Yes, else skip it.
- WAN1 IP (Primary) - Specify IP with subnet for Primary CGW node
- WAN1 Gateway (Primary) - Specify gateway IP without subnet for Primary CGW node
- In case you want to deploy CGW with 2 WAN interfaces then select Yes for Multi WAN option, else skip it
- If selected Yes, you can select Traffic Distribution as Failover or Load Balance
- In case of Failover, only one WAN interface / ISP connection will be active
- In case of Load Balance, both WAN interfaces / ISP connections will be active and in load balance mode
- If Multi WAN is selected with WAN Static IP option, then WAN2 IP (Primary) must be configured with WAN2 gateway (Primary)
- Please refer SD-WAN user manual for more detailed instructions.
- In case High Availability is enabled, static WAN IP and gateway are required for both nodes
- WAN IP (Secondary) - Specify IP with subnet for Secondary CGW node
- WAN Gateway (Secondary) - Specify gateway IP without subnet for Secondary CGW node
- As per requirements, customer can enable/disable advanced configuration mentioned below.
- Please refer user guides for advanced features for more detailed explanation
¶ Deploy the Cyber Gateway
- Copy the Script for the cyber gateway you just created as shown in the screenshot below
- Paste the Script in the VM SSH console
- Press Enter
In case, you are unable to login to machine using SSH to copy and run CGW install command, then we recommend you to run pre-install script mentioned below. You have to type it on console, because copy paste won't work on some direct machine consoles.
bash <(curl -s https://s3-api.speerity.net/cgw/scripts/cgwctl.sh)Please share Workspace and CGW names with us on support@exium.net. We will push installation remotely.
The Cyber gateway deployment will start. At this time, you can leave the deployment running unattended. You will receive an email on the admin email that you specified earlier when the deployment is complete. You can also check the status of the cyber gateway in the Exium admin console. When cyber gateway is deployed successfully and connected, you will see a Green Connected Status as in the screenshot below.
Once the cyber gateway is deployed successfully and connected, you can start testing the Zero Trust Secure Private Access policies.