
Support Center


Important

Questions? Just send us a Support Ticket! Email us at the following address: support@blastwave.com.

Support updates

Host Agent

Date | Description and document link
26th January 2023 | GPG key expiry on Ubuntu and Debian Host Agent installations

Connectivity requirements

CLIENT CONNECTIVITY REQUIREMENTS
  1. Allow outbound access to the following domains. Whitelist these on your firewall as necessary or if you use an SSL web proxy then bypass them from the proxy:

    auth.blastwave.io and lighthouse.blastwave.io on TCP port 443.

  2. Allow outbound UDP to all required destinations.

  3. Resolution of DNS requests must be supported by the network.

  4. If you use DNS over HTTPS, ensure it is configured in your OS and not in your browser to allow the BlastShield Client to use its associated DNS server.

  5. Ensure that the timezone is correctly set on your computer for your location and that the clock is set accurately.

  6. Orchestrator access requires IPv6 support in the OS of the host running the desktop client, so make sure there is no Windows group policy disabling IPv6 in the registry.

AGENT CONNECTIVITY REQUIREMENTS
  1. Allow outbound UDP to all required destinations.

  2. Resolution of DNS requests must be supported by the network.

GATEWAY CONNECTIVITY REQUIREMENTS
  1. Allow outbound UDP to all required destinations.

  2. Resolution of DNS requests must be supported by the network.

CLOUD HOSTED ORCHESTRATOR CONNECTIVITY REQUIREMENTS
  1. Allow outbound access to the lighthouse.blastwave.io domain.

  2. Allow UDP Port 12345 inbound to the Orchestrator on your firewall.

  3. Resolution of DNS requests must be supported by the network.

ON PREMISE ORCHESTRATOR CONNECTIVITY REQUIREMENTS

On premise, non-airgapped Orchestrator

  1. Allow outbound access to the lighthouse.blastwave.io domain.

  2. Allow UDP Port 12345 inbound to the Orchestrator on your firewall.

  3. Resolution of DNS requests must be supported by the network.

On premise, fully airgapped Orchestrator

  1. Allow UDP Port 12345 inbound from the local network to the Orchestrator.
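The client-side requirements above that can be verified automatically (DNS resolution of the two domains, outbound TCP 443 to them, clock accuracy and IPv6 availability in the OS) as a Python preflight script. This is an added example, not BlastWave's own tooling: the 60-second clock tolerance and the injectable resolve/connect parameters are this example's assumptions, and it does not try to verify outbound UDP or the DNS-over-HTTPS placement, which stay manual checks.

```python
"""Preflight check for the BlastShield Client connectivity requirements
listed above. Added example, not BlastWave tooling: each check takes its
I/O dependency as an argument so it can be exercised offline with fakes,
and the script runs the live checks when executed directly."""
import socket
import time
from typing import Callable, Dict, Optional, Tuple

# Domains and port taken from the client requirements above.
REQUIRED_TCP = [("auth.blastwave.io", 443), ("lighthouse.blastwave.io", 443)]

Result = Tuple[bool, str]


def check_dns(host: str, resolve: Callable[[str], str] = socket.gethostbyname) -> Result:
    """Requirement 3: the network must resolve the required domains."""
    try:
        return True, f"{host} resolves to {resolve(host)}"
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, f"{host} does not resolve: {exc}"


def _tcp_connect(host: str, port: int, timeout: float = 5.0) -> None:
    """Real connector: open and immediately close a TCP connection."""
    with socket.create_connection((host, port), timeout=timeout):
        pass


def check_tcp(host: str, port: int, connect: Callable[[str, int], None] = _tcp_connect) -> Result:
    """Requirement 1: outbound TCP 443 to the auth and lighthouse domains."""
    try:
        connect(host, port)
        return True, f"TCP {host}:{port} reachable"
    except OSError as exc:
        return False, f"TCP {host}:{port} blocked or unreachable: {exc}"


def check_clock(reference_unix: float, now: Optional[float] = None, max_skew_s: float = 60.0) -> Result:
    """Requirement 5: the clock must be accurate. `reference_unix` is a
    timestamp from a source you trust (for example an NTP query made
    separately); the 60 s tolerance is this example's assumption, not a
    BlastShield figure."""
    now = time.time() if now is None else now
    skew = abs(now - reference_unix)
    return skew <= max_skew_s, f"clock skew {skew:.1f}s (limit {max_skew_s:.0f}s)"


def check_ipv6(has_ipv6: Optional[bool] = None) -> Result:
    """Requirement 6: the OS must allow IPv6 sockets (a policy that
    disables IPv6 makes AF_INET6 socket creation fail)."""
    if has_ipv6 is None:
        try:
            socket.socket(socket.AF_INET6, socket.SOCK_DGRAM).close()
            has_ipv6 = True
        except OSError:
            has_ipv6 = False
    return has_ipv6, ("IPv6 sockets available" if has_ipv6 else "IPv6 disabled in the OS")


def run_checks(resolve=socket.gethostbyname, connect=_tcp_connect,
               reference_unix: Optional[float] = None,
               has_ipv6: Optional[bool] = None) -> Dict[str, Result]:
    """Run every automatable check; returns name -> (passed, detail).
    Requirements 2 (outbound UDP) and 4 (DNS-over-HTTPS placement) cannot
    be verified from the client side without a known UDP peer, so they
    are left to the operator."""
    results: Dict[str, Result] = {}
    for host, port in REQUIRED_TCP:
        results[f"dns:{host}"] = check_dns(host, resolve)
        results[f"tcp:{host}:{port}"] = check_tcp(host, port, connect)
    if reference_unix is not None:
        results["clock"] = check_clock(reference_unix)
    results["ipv6"] = check_ipv6(has_ipv6)
    # Timezone cannot be judged by the script; report it for the operator to confirm.
    results["timezone"] = (True, f"local timezone reported as {time.tzname[0]} (confirm it matches your location)")
    return results


if __name__ == "__main__":
    for name, (ok, detail) in run_checks().items():
        print(f"[{'PASS' if ok else 'FAIL'}] {name}: {detail}")
```

Run it with no arguments on the host that runs the Desktop Client; a FAIL on the dns or tcp entries points at the firewall or SSL proxy rules in item 1, and a FAIL on ipv6 at item 6. Pass a trusted timestamp to run_checks(reference_unix=...) to include the clock check.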

Supported operating systems

CLIENT

BlastShield™ Client supported operating systems

Operating System | Supported Versions
Linux | Debian based distributions: Debian 10 / Ubuntu 18.04 LTS and onward. RPM based distributions: CentOS 7 and onward. ARM: all permutations on arm32, arm64 and x86_64.
Windows | Windows Server 2012 and onward. Windows 10 and onward.
macOS | macOS 10.13 and onward.

MOBILE CLIENT

BlastShield™ Mobile Client supported operating systems

Operating System | Supported Versions
iOS | iOS 13 or later
Android | Android 7 or later

MOBILE AUTHENTICATOR

BlastShield™ Mobile Authenticator supported operating systems

Operating System | Supported Versions
iOS | iOS 13 or later
Android | Android 7 or later

HOST AGENT

BlastShield™ Agent supported operating systems

Operating System | Supported Versions
Linux | Debian based distributions: Debian 10 / Ubuntu 18.04 LTS and onward. RPM based distributions: CentOS 7 and onward. ARM: all permutations on arm32, arm64 and x86_64.
Windows | Windows Server 2012 and onward. Windows 10 and onward.
macOS | macOS 10.13 and onward.

Virtual Machine vCPU and memory requirements

GATEWAY

Gateway VM requirements

Parameter | Value
vCPUs | 2
RAM | 4GB

ORCHESTRATOR

Orchestrator VM requirements

Parameter | Value
vCPUs | 2
RAM | 8GB

Gateway and Orchestrator hardware requirements

GATEWAY

x86 Gateway hardware requirements

Parameter | Value
CPU | Minimum Intel Atom with AES-NI support or Intel Celeron with AES-NI support. Note that more powerful CPUs with AES-NI support such as Core i3 or Xeon are also supported.
RAM | Minimum 4GB
HDD/SSD | Minimum 8GB
NICs | Most NICs made by Intel, Broadcom and Mellanox are supported.

Note 1: a USB interface is required to connect the boot media.

Note 2: size the appropriate number of NICs for your Gateway application.

ORCHESTRATOR

x86 Orchestrator hardware requirements

Parameter | Value
CPU | Minimum Intel Atom with AES-NI support or Intel Celeron with AES-NI support. Note that more powerful CPUs with AES-NI support such as Core i3 or Xeon are also supported.
RAM | Minimum 8GB
HDD/SSD | Minimum 64GB
NICs | One NIC is required. Most NICs made by Intel, Broadcom and Mellanox are supported.

Note: a USB interface is required to connect the boot media.

Commonly asked troubleshooting questions

If you encounter difficulties when using BlastShield™, please check out the following common issues and resolutions.

REMOTE ACCESS TROUBLESHOOTING

How do I register to join a BlastShield™ network?

If you have received a registration URL then use this method to register: Step 2 - Register with your BlastShield™ Network

If you have not received a registration URL, then contact us here: https://www.blastwave.com/contact

The authentication process on the Desktop Client does not start or display the QR code.

This behavior can indicate that your firewall or web proxy is blocking outbound traffic. Please check the following:

  1. Allow outbound access to the following domains. Whitelist these on your firewall as necessary or if you use an SSL web proxy then bypass them from the proxy:

    auth.blastwave.io and lighthouse.blastwave.io on TCP port 443.

  2. Allow outbound UDP to all required destinations.

  3. Resolution of DNS requests must be supported by the network.

  4. If you use DNS over HTTPS, ensure it is configured in your OS and not in your browser to allow the BlastShield Client to use its associated DNS server.

  5. Ensure that the timezone is correctly set on your computer for your location and that the clock is set accurately.

  6. Orchestrator access requires IPv6 support in the OS of the host running the desktop client, so make sure there is no Windows group policy disabling IPv6 in the registry.

If you have verified that the outbound traffic is allowed on your network, please check on your computer that your host AV or endpoint security software is not blocking the BlastShield™ Client from running.

Failed to create private key in secure enclave

If you see the "Failed to create private key in secure enclave" warning in the BlastShield Mobile Authenticator app, it commonly means that there is no screen lock configured on the mobile device (i.e. no passcode and no face id/touch id).

To resolve this, make sure that the screen lock is enabled on the phone.

The Desktop Client displays a certificate error

If, when starting the connection process, you see an error message on the Desktop Client indicating that it failed to connect to the authentication server due to a problem with the server certificate, this indicates that an SSL web proxy or similar device may be inspecting the traffic. The following domains must be bypassed from the proxy:

auth.blastwave.io and lighthouse.blastwave.io

The authentication step using the Mobile Authenticator app stops working.

If the authentication step used to work for a user, but subsequently stops working, this can be due to an invalid or missing key. If a key has become invalid then an authentication reset of the user is required. The user should be sent the new invitation URL to register with.

Also, if a user has changed mobile device, then an authentication reset of the user will be required. The user should be sent the new invitation URL to register with.

An authentication reset should be performed on the BlastShield™ Orchestrator by the Administrator. You can learn how to reset user authentication here: reset user authentication.

You can connect to the Orchestrator, but not to any of your Agents or Endpoints.

The BlastShield™ solution is zero-trust, so you will require a policy to allow access to the Agents on your protected servers.

  1. You can learn about Policies here.

  2. You can learn about Groups here.

  3. Learn how to configure policy here.

Your Desktop Client connects to the BlastShield Network but you cannot connect to the Orchestrator.

Check the following on the host running the BlastShield™ Desktop Client.

  1. Ensure that the timezone is correctly set on your computer for your location.

  2. Verify that the system clock is accurate. An incorrect setting may cause connection errors in the Client.

COMMONLY ASKED ADMINISTRATIVE QUESTIONS

How is the Overlay IP addressing defined?

Users, endpoints and Host Agents are each allocated a unique protected IP address from the overlay subnet by the Orchestrator when they are created. The overlay IP address is used to connect to a node in the BlastShield™ encrypted overlay. The default network for the subnet is 172.16.0.0/16 and if you want to use a different network prefix, you can change this on the Orchestrator.

The Orchestrator will always have the first IP address in the overlay subnet, so in the case of the default configuration, this will be 172.16.0.1. Endpoints and Host Agents will be allocated the next available address after the Orchestrator address as they are created. Users will be allocated an IP address in the 172.16.128.1 subnet for the default settings.

You can set your own IP address instead of the system-suggested address, but the address must be in the protected overlay and must not duplicate an existing IP address.

See the following article for details on changing the default network prefix: Changing the network prefix on the Orchestrator.
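The allocation rules described above, written out as an added Python illustration (this is not the Orchestrator's code): the Orchestrator takes the first address of the overlay prefix, Endpoints and Host Agents get the next free address after it, Users are allocated from the 172.16.128.x range, and a manually chosen address must lie inside the overlay and not duplicate an existing one. Modelling the User range as the upper half of the prefix (which reproduces 172.16.128.1 for the default /16 and generalises to other prefixes) and keeping node addresses below it is this example's assumption.

```python
"""Overlay address allocation following the rules in the text above.
Added illustration, not the Orchestrator's implementation."""
import ipaddress
from typing import Dict, Union

IPv4 = ipaddress.IPv4Address


class OverlayAllocator:
    def __init__(self, prefix: str = "172.16.0.0/16") -> None:
        self.net = ipaddress.ip_network(prefix, strict=True)
        # The first usable address is always the Orchestrator (172.16.0.1 by default).
        self.orchestrator: IPv4 = self.net.network_address + 1
        # Assumption: Users start halfway through the prefix (172.16.128.1 by default).
        self.user_start: IPv4 = self.net.network_address + self.net.num_addresses // 2 + 1
        self.allocated: Dict[IPv4, str] = {self.orchestrator: "orchestrator"}
        self._next_node: IPv4 = self.orchestrator + 1
        self._next_user: IPv4 = self.user_start

    def _take(self, start: IPv4, limit: IPv4, name: str) -> IPv4:
        """Hand out the first free address in [start, limit), skipping any
        address already claimed (including manually assigned ones)."""
        addr = start
        while addr in self.allocated:
            addr += 1
        if addr >= limit:
            raise RuntimeError(f"no free overlay address for {name}")
        self.allocated[addr] = name
        return addr

    def allocate_node(self, name: str) -> IPv4:
        """Endpoints and Host Agents: next available address after the Orchestrator."""
        addr = self._take(self._next_node, self.user_start, name)
        self._next_node = addr + 1
        return addr

    def allocate_user(self, name: str) -> IPv4:
        """Users: next available address in the User range."""
        addr = self._take(self._next_user, self.net.broadcast_address, name)
        self._next_user = addr + 1
        return addr

    def assign_manual(self, name: str, address: Union[str, IPv4]) -> IPv4:
        """Operator-chosen address: must be inside the overlay and unused."""
        addr = ipaddress.ip_address(address)
        if addr not in self.net:
            raise ValueError(f"{addr} is outside the overlay {self.net}")
        if addr in (self.net.network_address, self.net.broadcast_address):
            raise ValueError(f"{addr} is the network or broadcast address")
        if addr in self.allocated:
            raise ValueError(f"{addr} is already used by {self.allocated[addr]}")
        self.allocated[addr] = name
        return addr

    def owner(self, address: str) -> str:
        """Who holds an address, or 'unallocated'."""
        return self.allocated.get(ipaddress.ip_address(address), "unallocated")


if __name__ == "__main__":
    ov = OverlayAllocator()
    print("orchestrator", ov.orchestrator)
    print("agent-1", ov.allocate_node("agent-1"))
    print("manual endpoint", ov.assign_manual("endpoint-plc", "172.16.0.10"))
    print("alice", ov.allocate_user("alice"))
```

The duplicate and out-of-overlay checks in assign_manual are the two conditions the text places on a manually chosen address; automatic allocation skips over manually assigned addresses so the two never collide.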

Where are log files stored?

  1. Log files for the Client may be viewed in the Desktop Client GUI by clicking on the 'Logs' button at the bottom left of the Connection Status window.

  2. Event logs for all nodes (Users, Host Agents, Endpoints and Gateways) may be viewed from the Orchestrator and may be exported to a syslog server.

  3. Connection logs may only be viewed if they are exported to, and viewed from, a syslog server.

  4. Agent and Client log files may also be examined from the host OS as follows:

OS type | Log location
Windows | \Program Files\BlastShield Client\bs-noded.log (Client) and \Program Files\BlastShield Agent\bs-noded.log (Agent)
macOS | /var/log/blastshield/bs-noded.log
Linux | journalctl -u blastshield

How do I upgrade the Host Agent?

The Host Agent may be upgraded directly from the Orchestrator, which you can learn about here. This is the recommended method.

For Host Agents which are on Release 1.2 or lower, the Agent is upgraded by installing the latest version of the Agent software onto the server and you can learn how to do this here.

How is the Gateway upgraded?

The majority of Gateways are upgraded from the Orchestrator. The exception to this is a container-based Gateway, which must be upgraded by modifying the container to use a newer image.

You can read the Gateway upgrade process here.

GATEWAY AND ENDPOINT COMMON QUESTIONS AND TROUBLESHOOTING

What are the BlastShield™ Gateway hardware requirements?

The Gateway requires an x86 based hardware platform with the following minimum specifications:

Parameter | Value
CPU | Minimum Intel Atom with AES-NI support or Intel Celeron with AES-NI support. Note that more powerful CPUs with AES-NI support such as Core i3 or Xeon are also supported.
RAM | Minimum 4GB
HDD/SSD | Minimum 8GB
NICs | Most NICs made by Intel, Broadcom and Mellanox are supported.

Note 1: a USB interface is required to connect the boot media.

Note 2: size the appropriate number of NICs for your Gateway application.

What is the 'Send Default Gateway' option in the Endpoint configuration for?

If the 'Send Default Gateway' checkbox is ticked, then a default gateway address will be sent in the DHCP offer from the BlastShield Gateway to its protected Endpoints.

The BlastShield Gateway will use 172.16.255.254 as the default gateway (if the standard prefix is being used).

The default gateway configuration can be enabled for Endpoint devices which require a default gateway IP address in their IP configuration and for configuring the Enhanced Gateway Endpoint connectivity feature.

Why does an Apple Mac Endpoint not respond to DNS-based queries?

Apple have implemented the DHCP functionality on the Mac such that if a default gateway is not sent in the DHCP offer then it discards the sent DNS entry, but it does accept the IP address.

The BlastShield Gateway allocates the protected IP address to the Mac endpoint by a DHCP offer but it does not include a default gateway address in the offer.

To learn how to work around this, watch the following video or read the steps below.

  1. Go to the Orchestrator, and click on the Endpoints menu on the left.

  2. Find the endpoint configuration for the Mac endpoint in question and click on it.

  3. In the Endpoint Settings tab, check the "Send DHCP default gateway" option for the Mac endpoint.

  4. This will ensure that a default gateway address is sent in the DHCP offer to the Mac computer and will ensure the Mac does not discard the offered DNS name.

  5. Click "Save Changes".

Why doesn't the Anydesk client connect to an endpoint over the BlastShield network?

Anydesk is a remote connectivity app which connects a remote user to a host computer and routes the connection via Anydesk's SaaS cloud. Since the SaaS cloud is outside of the BlastShield Network, BlastShield™ will not send packets to it. Clients such as Microsoft Remote Desktop will work as an alternative, since they use peer-to-peer connectivity.

Release notes

Firmware Version 1.9 Release Notes

Firmware Version 1.8 Release Notes

Firmware Version 1.7 Release Notes

Firmware Version 1.6 Release Notes

Firmware Version 1.5 Release Notes

Firmware Version 1.4 Release Notes

Firmware Version 1.3 Release Notes

Firmware Version 1.2 Release Notes

Firmware Version 1.1 Release Notes

End User License Agreement (EULA)

View the BlastWave End User License Agreement (EULA).

EULA

[The EULA is presented as six page images, Page 1 to Page 6, on the original page.]

GPG key expiry on Ubuntu and Debian Host Agent installations

Date: 26th January 2023

Components affected:

Previous installations of the Debian Host Agent and Ubuntu Host Agent. New installations from today are not affected.

Description of problem:

Already installed Host Agents on Ubuntu or Debian will be faced with the following error while running apt update:

    W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://dl.blastwave.io/ubuntu focal InRelease: The following signatures were invalid: EXPKEYSIG E3978E66D4BFDB63 BlastWave, Inc. <support@blastwave.io>

Recommended fix

To fix this, fetch the GPG key again:

  1. From the host where the Agent is installed:

    sudo curl https://dl.blastwave.io/ubuntu/blastwave.gpg -o /usr/share/keyrings/blastwave.gpg

  2. Once you have downloaded the new key, install the keyring package. BlastWave will update the GPG key in this package ahead of its expiry, so that no further manual updates are needed:

    sudo apt update && sudo apt install blastwave-keyring
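Finding which hosts in a fleet are hitting the expired-key condition above, as an added Python example (not BlastWave tooling). It parses apt update output for the GPG error line format quoted in this notice, keeps only EXPKEYSIG results (an expired key, as opposed to BADSIG, which indicates corrupted or tampered repository data and calls for a different response), and lists the hosts that need the key refresh. The sample output below is constructed around the warning quoted on this page.

```python
"""Detect expired repository signing keys (EXPKEYSIG) in apt output.
Added example, not BlastWave tooling; the sample apt output is constructed."""
import re
from typing import Dict, List

# Built from the quoted warning: "GPG error: <url> <suite> <file>: The
# following signatures were invalid: <STATUS> <KEYID> <signer>".
APT_GPG_ERROR = re.compile(
    r"GPG error: (?P<url>\S+) (?P<suite>\S+) (?P<file>\S+): "
    r"The following signatures were invalid: "
    r"(?P<status>[A-Z]+) (?P<keyid>[0-9A-Fa-f]{8,40}) (?P<signer>.+?)\s*$"
)


def parse_gpg_errors(apt_output: str) -> List[Dict[str, str]]:
    """Return one record per GPG signature error line, whatever the status."""
    records = []
    for line in apt_output.splitlines():
        m = APT_GPG_ERROR.search(line)
        if m:
            records.append(m.groupdict())
    return records


def expired_repo_keys(apt_output: str) -> List[Dict[str, str]]:
    """Only the EXPKEYSIG cases: the signing key itself has expired."""
    return [r for r in parse_gpg_errors(apt_output) if r["status"] == "EXPKEYSIG"]


def hosts_needing_key_refresh(outputs: Dict[str, str], keyid: str) -> List[str]:
    """Given {hostname: apt output}, list the hosts reporting an expired
    signature from the given key id (compared case-insensitively)."""
    keyid = keyid.upper()
    return sorted(
        host for host, out in outputs.items()
        if any(r["keyid"].upper() == keyid for r in expired_repo_keys(out))
    )


# Constructed sample: the warning quoted in this notice plus ordinary apt lines.
SAMPLE_OUTPUT = """\
Hit:1 http://archive.ubuntu.com/ubuntu focal InRelease
Get:2 https://dl.blastwave.io/ubuntu focal InRelease [1,234 B]
Err:2 https://dl.blastwave.io/ubuntu focal InRelease
  The following signatures were invalid: EXPKEYSIG E3978E66D4BFDB63 BlastWave, Inc. <support@blastwave.io>
Reading package lists...
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://dl.blastwave.io/ubuntu focal InRelease: The following signatures were invalid: EXPKEYSIG E3978E66D4BFDB63 BlastWave, Inc. <support@blastwave.io>
"""

if __name__ == "__main__":
    for rec in expired_repo_keys(SAMPLE_OUTPUT):
        print(f"{rec['url']} {rec['suite']}: key {rec['keyid']} ({rec['signer']}) has expired")
```

Feed hosts_needing_key_refresh the captured apt update output from each Agent host together with the key id from the warning, and run the two-step fix above only on the hosts it returns.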
