x86 Gateway deployment
This article explains how to install the BlastShield™ Gateway software onto an x86 appliance.
A Gateway deployed on an x86 platform can be configured to support any of the following addressing modes:
Source+Destination NAT
Destination NAT
MAC Address
VLAN
Gateway addressing modes are explained in more detail here: Gateway Addressing Modes
Gateway use cases are described here: Gateway types and their use cases
You will require read / write access to your BlastShield™ Orchestrator.
You will require a USB flash drive to boot your hardware from, and a monitor and keyboard to connect to your server during the installation process.
You will require a network connection for the Gateway uplink (upstream) interface with connectivity to the Orchestrator.
You must have a suitable x86 hardware platform to install the Gateway software onto. Refer to the table of x86 Gateway hardware requirements for the minimum specifications.
x86 Gateway hardware requirements
Parameter | Value |
---|---|
CPU | Minimum Intel Atom with AES-NI support or Intel Celeron with AES-NI support. Note that more powerful CPUs with AES-NI support such as Core i3 or Xeon are also supported. |
RAM | Minimum 4GB |
HDD/SSD | Minimum 8GB |
NICs | Most NICs made by Intel, Broadcom and Mellanox are supported. |
Note 1: a USB interface is required to connect the boot media.
Note 2: size the appropriate number of NICs for your Gateway application.
The network must permit outbound UDP from the Gateway to all required destinations.
The network must allow the Gateway to resolve DNS requests.
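As an added example (not BlastShield tooling), the following POSIX shell script checks a candidate host against the hardware table above: the aes CPU flag that indicates AES-NI, MemTotal from /proc/meminfo, the size of the boot disk, and whether each Ethernet controller reported by lspci is from one of the listed vendors. The input file paths are parameters so that each check can also be exercised against constructed input; the RAM margin and the decimal interpretation of "8GB" are my assumptions, and /dev/sda is a placeholder for your boot disk.

```shell
#!/bin/sh
# Preflight check of a candidate x86 host against the Gateway hardware table:
# AES-NI, 4 GB RAM, 8 GB disk, NIC vendor. Added example, not BlastShield tooling.
# Input paths are parameters (defaults are the live system files) so that each
# check can also be run against constructed input.

MIN_RAM_MIB=3800          # assumption: the kernel reserves some memory, so a 4 GB
                          # host reports a little under 4096 MiB; allow that margin
MIN_DISK_BYTES=8000000000 # assumption: drive sizes are decimal, 8 GB = 8e9 bytes

# has_aesni [cpuinfo]: succeeds if the first CPU's flags include "aes" (AES-NI).
has_aesni() {
    grep -m1 '^flags' "${1:-/proc/cpuinfo}" | grep -qw aes
}

# mem_total_mib [meminfo]: prints MemTotal in whole MiB.
mem_total_mib() {
    awk '/^MemTotal:/ { printf "%d\n", $2 / 1024 }' "${1:-/proc/meminfo}"
}

# check_ram [meminfo]: succeeds if MemTotal meets the 4 GB minimum (with margin).
check_ram() {
    [ "$(mem_total_mib "${1:-}")" -ge "$MIN_RAM_MIB" ]
}

# check_disk_bytes <bytes>: succeeds if a disk of that size meets the 8 GB minimum.
check_disk_bytes() {
    [ "$1" -ge "$MIN_DISK_BYTES" ]
}

# nic_vendor_supported <lspci line>: succeeds if the controller is Intel,
# Broadcom or Mellanox. Advisory only: the table says "most" NICs from these vendors.
nic_vendor_supported() {
    case "$1" in
        *Intel*|*Broadcom*|*Mellanox*) return 0 ;;
        *) return 1 ;;
    esac
}

# run_preflight <boot disk, e.g. /dev/sda>: runs every check on the live host.
run_preflight() {
    rc=0
    if has_aesni; then echo "PASS AES-NI"; else echo "FAIL no aes CPU flag"; rc=1; fi
    if check_ram; then echo "PASS RAM $(mem_total_mib) MiB"; else echo "FAIL RAM $(mem_total_mib) MiB < $MIN_RAM_MIB"; rc=1; fi
    size=$(lsblk -bdno SIZE "$1")
    if check_disk_bytes "$size"; then echo "PASS disk $size bytes"; else echo "FAIL disk $size bytes < $MIN_DISK_BYTES"; rc=1; fi
    lspci | grep -i 'ethernet controller' | while read -r line; do
        if nic_vendor_supported "$line"; then echo "PASS NIC: $line"; else echo "WARN NIC vendor not in the supported list: $line"; fi
    done
    return $rc
}

# Usage on the candidate host (placeholder disk): sh preflight.sh --run /dev/sda
if [ "${1:-}" = "--run" ]; then
    run_preflight "${2:-/dev/sda}"
fi
```

Run it from a live Linux USB on the candidate hardware before writing the installer image; a FAIL on AES-NI or RAM means the host is below the table's minimum, while a NIC WARN only means the vendor is not one of the three named in the table.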
There are two ways you can install and provision the Gateway:
Install without a BSI file. Use this method if you do not have a BSI file and want to provision the Gateway using its provisioning PIN code. You will need port 80 access to the Gateway from your workstation. There are two options: Direct Orchestrator Provisioning, and the Provisioning URL method, which is intended for someone who does not have Orchestrator access to register the Gateway.
Using the BSI file. Use this method if you have created a BSI file on the Orchestrator and put it on the USB media. A unique BSI file is required for each new Gateway which you provision.
Download the Gateway software here.
Unzip the Installer Package (Do NOT run the Installer file).
Write the Installer Image to a USB drive using any available image writer.
Note: there are several free utilities available for writing images to USB drives. We recommend the balenaEtcher software, but you can use any utility.
In this step you will be booting the x86 appliance from the USB image created in the previous step.
Connect your x86 platform as shown here.
Watch the following video or read the steps below to learn how to boot the x86 appliance from the USB image.
Connect the appliance as shown above, power it on, enter the boot setup menu. Set the appliance to boot from the USB and continue.
If multiple uplink interface types are installed on the appliance (Ethernet / Cellular) select the desired type
Select the uplink (network) interface for the Gateway from the displayed list.
Use the up / down arrow keys to select the uplink interface.
Press enter to confirm the selected interface(s).
(Interfaces may be reconfigured as required once the software is installed).
Select the uplink address configuration (DHCP or manual configuration of IP address, Default Gateway and DNS).
If you use the manual configuration of the uplink interface, set the IP Address/netmask, Default Gateway IP address, and DNS server IP address.
Wait for the Gateway uplink interface to come up.
At the Select Invitation File step, you will see an alert prompting "install without joining a BlastShield network". Click OK.
Select the endpoint interface(s) from the displayed list.
Use the up / down arrow keys and space-bar to select the endpoint interface.
Press enter to confirm the selected interface(s).
(Interfaces may be reconfigured as required once the software is installed).
Select the target device (hard drive).
Confirm that all data will be erased and the image will be installed on the server.
You will be prompted to remove the USB media.
Remove the USB.
Click on OK.
The Gateway will restart.
When the Gateway has restarted, the appliance provisioning menu will be displayed on the console. The Gateway is now ready to be provisioned from the Orchestrator.
From the Orchestrator, select "Gateways" from the left Menu.
Select "Add New Gateway" from the Gateway List.
Enter a Name for the new Gateway.
Set the Addressing Mode for the Gateway. Choose from the following options:
For MAC Addressing mode, click on MAC Address as the Addressing Mode.
For VLAN addressing mode, click on VLAN.
For Destination NAT addressing mode, click on IP Address (Destination NAT).
For Source and Destination NAT addressing mode, click on IP Address (Source+Destination NAT).
Endpoint Interface Settings.
The following steps apply only to Gateways using NAT addressing modes.
If you are using the Gateway in a single NIC configuration, leave the Endpoint Interface Settings as default.
If you are using the Gateway in a dual NIC configuration, then configure the Endpoint Interface Settings:
If you want the endpoint interface to get its IP address via DHCP, then leave the configure using DHCP box checked.
If you want to manually set the endpoint interface IP address, then un-check the configure using DHCP box.
Set the Interface address with prefix field to the same IP address as the router which the Gateway is replacing. Use CIDR format.
If you will be onboarding endpoints which are not within the subnet you specified with the interface address above, then enter the IP address of the gateway required to reach the endpoints in the Gateway (optional) field.
To enable NAT for connections from endpoints to the external upstream network, i.e. those connections allowed by egress policies, check the NAT external connections box.
To enable the Gateway to forward non-endpoint connections from the protected network to the public side of the Gateway, check the Forward connections for non-endpoint addresses box. This allows devices on the protected network side of the Gateway that are not provisioned as endpoints on the Gateway to forward traffic out through the Gateway.
Leave the Subnet to allocate endpoint addresses from blank if you want the system to allocate the overlay IP address (default). If you want to specify the subnet, then enter it here in CIDR format.
Click on Save and Download Invitation.
Option 1: To use the Provision running gateway appliance option, watch the following video or read the steps below. You will require port 80 connectivity to the Gateway and must be logged on to the Orchestrator:
Click on the option Provision running gateway appliance to start the Gateway provisioning process.
The Provision Gateway window will open. Use the provisioning PIN code and Local IP Address that is displayed on the Gateway console menu.
IP Address of Gateway: enter the IP address of the Gateway that is displayed in the Gateway console menu.
Provisioning PIN code: enter the provisioning PIN code that is displayed in the Gateway console menu.
Click the Provision button to continue.
When the Gateway provisioning has completed, the Registration successful message will be displayed.
The Gateway status in the Orchestrator will show Online.
Option 2: To use the External provisioning URL option, watch the following video or read the steps below. Your workstation will need port 80 access to the Gateway but it does not require Orchestrator access:
Click on the option Copy external provisioning URL.
Open the provisioning URL in a browser.
Enter the Gateway IP address and the provisioning PIN from the Gateway console menu.
Click on Register.
A new Gateway Provisioning window will open.
When the registration is complete, the Gateway provisioning window will display Registration Successful.
You can now close the browser window and verify that the Gateway is online in the Orchestrator.
From the Orchestrator, select "Gateways" from the left Menu.
Select "Add New Gateway" from the Gateway List.
Enter a Name for the new Gateway.
Set the Addressing Mode for the Gateway. Choose from the following options:
For MAC Addressing mode, click on MAC Address as the Addressing Mode.
For VLAN addressing mode, click on VLAN.
For Destination NAT addressing mode, click on IP Address (Destination NAT).
For Source and Destination NAT addressing mode, click on IP Address (Source+Destination NAT).
Endpoint Interface Settings.
The following steps apply only to Gateways using NAT addressing modes.
If you are using the Gateway in a single NIC configuration, leave the Endpoint Interface Settings as default.
If you are using the Gateway in a dual NIC configuration, then configure the Endpoint Interface Settings:
If you want the endpoint interface to get its IP address via DHCP, then leave the configure using DHCP box checked.
If you want to manually set the endpoint interface IP address, then un-check the configure using DHCP box.
Set the Interface address with prefix field to the same IP address as the router which the Gateway is replacing. Use CIDR format.
If you will be onboarding endpoints which are not within the subnet you specified with the interface address above, then enter the IP address of the gateway required to reach the endpoints in the Gateway (optional) field.
To enable NAT for connections from endpoints to the external upstream network, i.e. those connections allowed by egress policies, check the NAT external connections box.
To enable the Gateway to forward non-endpoint connections from the protected network to the public side of the Gateway, check the Forward connections for non-endpoint addresses box. This allows devices on the protected network side of the Gateway that are not provisioned as endpoints on the Gateway to forward traffic out through the Gateway.
Leave the Subnet to allocate endpoint addresses from blank if you want the system to allocate the overlay IP address (default). If you want to specify the subnet, then enter it here in CIDR format.
Click on Save and Download Invitation.
Select the option Save Invitation to disk to download the .BSI invitation file to your local workstation. You will need this file later when you flash the Gateway software to your x86 appliance.
Download the Gateway software here.
Unzip the Installer Package (Do NOT run the Installer file).
Write the Installer Image to a USB drive using any available image writer.
Note: there are several free utilities available for writing images to USB drives. We recommend the balenaEtcher software, but you can use any utility.
Once you have written the image to the USB drive, copy the invitation (.bsi) file to the root folder of the USB drive.
In this step you will be booting the x86 appliance from the USB image created in the previous step.
Connect your x86 platform as shown here.
Watch the following video or read the steps below to learn how to boot the x86 appliance from the USB image.
Connect the appliance as shown above, power it on, enter the boot setup menu. Set the appliance to boot from the USB and continue.
If multiple uplink interface types are installed on the appliance (Ethernet / Cellular) select the desired type
Select the uplink (network) interface for the Gateway from the displayed list.
Use the up / down arrow keys to select the uplink interface.
Press enter to confirm the selected interface(s).
(Interfaces may be reconfigured as required once the software is installed).
Select the uplink address configuration (DHCP or manual configuration of IP address/netmask, Default Gateway and DNS).
If you use the manual configuration of the uplink interface, set the IP Address/netmask, Default Gateway IP address, and DNS server IP address.
Wait for the Gateway uplink interface to come up.
Select the endpoint interface(s) from the displayed list.
Use the up / down arrow keys and space-bar to select the endpoint interface.
Press enter to confirm the selected interface(s).
(Interfaces may be reconfigured as required once the software is installed).
Select the invitation (.bsi) file.
Select the target device (hard drive).
Confirm that all data will be erased and the image will be installed on the server.
When the installation is complete you will be prompted to remove the USB media.
Remove the USB.
Click on OK.
The Gateway will restart.
When the Gateway has restarted, the appliance console menu will be displayed.
Go to your Orchestrator, and verify the Gateway status is now Online.
From within the Orchestrator, select "Gateways" from the left Menu.
Select the desired Gateway from the Gateway List.
Select "Add New Endpoint".
Enter a name for the new endpoint.
Check "Endpoint Enabled" to enable the endpoint.
The IP address is auto-populated.
Configure the endpoint Destination field.
If the Gateway is using either of the NAT addressing modes, enter the endpoint's private IPv4 LAN address or hostname.
If the Gateway is using MAC address addressing mode, enter the endpoint's MAC Address.
If the Gateway is using VLAN addressing mode, enter the endpoint's VLAN ID.
Click on Save Changes to confirm.
If the endpoint is reachable from the Gateway, the status of the endpoint will show as ONLINE.
If it does not show as online, then check the connectivity between the Gateway and the endpoint device.
For endpoints on Gateways which use Destination NAT addressing mode only, add a route on the endpoint to the BlastShield 172.16.0.0/16 overlay network via the Gateway's endpoint interface as the next hop.
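The route in the previous step, as an added example for a Linux endpoint (not BlastShield tooling): a POSIX shell script that validates the Gateway's endpoint-interface address, prints the ip route command, and adds the route only if it is not already present. The address 192.168.10.1 in the usage line is a placeholder for your Gateway's endpoint interface address.

```shell
#!/bin/sh
# Adds the static route a Linux endpoint behind a Destination NAT Gateway needs
# for the BlastShield overlay network, with the Gateway's endpoint interface
# address as next hop. Added example, not BlastShield tooling.

OVERLAY_PREFIX="172.16.0.0/16"

# is_ipv4 <addr>: succeeds if addr is a dotted quad with four octets in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# overlay_route_cmd <gateway_endpoint_ip>: prints the route command without running it.
overlay_route_cmd() {
    is_ipv4 "$1" || { echo "invalid Gateway endpoint address: $1" >&2; return 2; }
    echo "ip route add $OVERLAY_PREFIX via $1"
}

# ensure_overlay_route <gateway_endpoint_ip>: adds the route unless it already
# points at that Gateway. Needs root; the kernel rejects the route if the
# Gateway address is not on a directly connected subnet of the endpoint.
ensure_overlay_route() {
    cmd=$(overlay_route_cmd "$1") || return $?
    if ip route show "$OVERLAY_PREFIX" 2>/dev/null | grep -qF "via $1 "; then
        echo "overlay route via $1 already present"
        return 0
    fi
    echo "+ $cmd"
    $cmd
}

# Usage on the endpoint (placeholder address): sh overlay-route.sh --apply 192.168.10.1
if [ "${1:-}" = "--apply" ]; then
    ensure_overlay_route "${2:-}"
fi
```

Run it as root on the endpoint, then confirm with `ip route get 172.16.0.1`, which should report the Gateway's endpoint address as the next hop. A route added with `ip route add` does not survive a reboot, so also add it to the distribution's network configuration. On a Windows endpoint the equivalent persistent route is `route -p add 172.16.0.0 mask 255.255.0.0 <gateway endpoint address>`.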
About Groups
Groups allow you to micro-segment users and endpoints. A group is a logical collection of endpoints and/or users that are grouped together. Groups are connected via policies, which form the foundation for BlastShield access control and segmentation management.
Any combination of endpoints and/or users can be grouped together.
There is no limit to the number of endpoints and/or users that can be in a group.
Endpoints and users can be in one or multiple groups simultaneously.
Groups are linked together via policies to provide access between endpoints.
By default, endpoints/users cannot access or have visibility to other endpoints/users unless they are granted access via a policy
About Policies
A policy defines how groups can interact. Groups are connected via policies, which form the foundation for BlastShield access control and segmentation management.
Each policy will have two sets of groups - "From" and "To".
The "From" set is one or more source groups.
The "To" set is one or more destination groups.
There is no limit to the number of groups in a given policy.
"From" Groups will have access to "To" Groups within the policy.
"To" Groups will not have access to "From" Groups within the policy.
Groups can be in one or multiple policies simultaneously.
About Egress Policies
Egress policies allow you to control external network access for Gateway endpoints which are isolated behind a Gateway. This enables endpoints to connect to external entities, for example to download a software update or to connect to an NTP server.
The endpoint group contains the endpoints which the policy applies to.
The allowed services (optional) restrict the policy to particular services.
The network prefixes or DNS names define the allowed external network destinations for the endpoint group.
Create Groups
From the Orchestrator, select "Groups" from the left menu.
Select "Add New Group" from the Group List.
Enter a name for the new Group.
To add members to the new group, click the "Add Members" button.
If you are adding Users to the group then select the desired Users which you want to be associated with the Group from the "Users" box.
If you are adding Agents to the group then select the desired Agents which you want to be associated with the Group from the "Agents" box.
If you are adding Gateway Endpoints then select the desired Endpoints from the "Endpoints" box.
Alternatively, you can leave the members list empty and add/modify new members later.
Click "Add Members" to save the members.
Click "Save" to save the new group.
Repeat, if required, to ensure you have one group for your endpoints and one group for your users, which is the minimum you will need in order to define the access policy.
Please refer to the following video, which is an example of creating one group for your users and one group for Host Agents.
Create a Policy to link your Groups
Note
Users and Agents must be a member of a group for them to be used in a policy.
Select "Policies" from the left menu.
Select "Add New Policy" from the Policy List.
Enter a name for the new Policy.
Select desired "From" Groups to be associated with the new Policy.
Select desired "To" Groups to be associated with the new Policy.
Save the new Policy.
Policies are directional, so that you can control the direction in which connections may be initiated. Typically for remote access use-cases your policy would be from the "user group" to the "server group" so that users may start connections to the servers, but servers cannot start connections to users. You can create bi-directional permissions by using two policies.
The following video shows an example of creating an access Policy between a group of remote workers and a group of servers. The policy gives the remote workers authorisation to access the server group.
Create an Egress Policy
Egress policies are required only if a Gateway endpoint requires external network access.
Egress policies allow you to control external network access for Gateway endpoints which are isolated behind a Gateway. This enables endpoints to connect to external entities, for example to download a software update or to connect to an NTP server.
The Egress Policy menu in the Orchestrator allows policies for external network access to be configured on a per-endpoint group basis, where the groups are defined in the Orchestrator Groups menu. Allowed destinations may be defined either by network prefix or by DNS names and the policy may be further controlled by specifying an allowed service. An egress policy may be enabled or disabled from the Orchestrator if the external network access is only temporary.
From within the Orchestrator, select Egress Policies from the left Menu.
Select the red "Add New Policy" icon.
Enter a name for the new Policy.
Check the Policy Enabled box to enable the policy and continue with the configuration.
Select the desired endpoint Groups to be associated with the new Egress Policy in the Endpoint Groups dropdown box
Select any optional Services groups to be associated with the new Policy in the Services dropdown box.
If you want to allow external DNS queries in the policy, then check the Allow all DNS queries box.
Specify the allowed destinations for the Egress Policy as required using the following options:
In the Allowed Prefixes box, define an allowed external IP address and prefix.
In the Allowed DNS Names box, define an allowed external DNS name.
To allow recursive DNS queries, check the Recursive box.
Click Save Changes to save the new Egress Policy.