Skip to main content

BlastShield Documentation

On-premise installation of an air-gapped Orchestrator on a bare metal x86 device and user authentication with the Mobile Authenticator app.

Introduction

The BlastShield™ Orchestrator is used to provision and manage all systems in a BlastShield™ network. This includes management of gateways, endpoints, remote users, groups, and policies. This article describes how to install a new Orchestrator into a fully air-gapped network. Once installed, you will use the Orchestrator to manage and provision all systems within the BlastShield™ Network.

Air-gapped deployment with mobile authentication

In this scenario, the BlastShield™ Orchestrator, Gateways and Host Agents are air-gapped. Users will authenticate via the mobile authenticator app, which requires that the users have external access.

on-prem-orchestrator-with-mobile-authenticator.png

Deployment notes for an air-gapped deployment using the Mobile Authenticator

  1. The Authentication Server is cloud hosted.

  2. The Orchestrator is deployed on premises and is air-gapped.

  3. Gateways and Host Agents are on premises and are air-gapped.

  4. The users’ Mobile Authenticator apps and the user workstations are on-premises and have an external connection to the Authentication Server.

  5. The workstations must be on the same network as the Orchestrator.

  6. Devices that run the BlastShield Client must have their DNS set to the IP address of the Orchestrator (or forward the blastshield.app zone in any existing DNS server you might have).

  7. As the Orchestrator will be self-hosted, you should provide your own certificate for the Orchestrator HTTPS web UI.

Before Starting

  1. Request the Orchestrator BSI invitation file and the administrator BSI invitation file from BlastWave. This are used for registering the BlastShield network and for registering the administrator user.

  2. The Orchestrator will use UDP port 12345 for communications. Please forward UDP Port 12345 inbound on the firewall to the Orchestrator.

  3. Install a BlastShield Client on the administrator workstation. You can download the Client from here.

  4. Download the Orchestrator firmware. You can download the Orchestrator firmware here.

  5. Make sure you have a suitable hardware platform on which to install the Orchestrator.

x86 Orchestrator hardware requirements

Parameter

Value

CPU

Minimum Intel Atom with AES-NI support or Intel Celeron with AES-NI support. Note that more powerful CPUs with AES-NI support such as Core i3 or Xeon are also supported.

RAM

Minimum 8GB

HDD/SSD

Minimum 64GB

NICs

One NIC is required.  Most NICs made by Intel, Broadcom and Mellanox are supported.

Note: a USB interface is required to connect the boot media.

Step 1 Prepare the installation media

In this step you will be downloading the BlastShield™ Orchestrator Software Installer. Using the Invitation (.bsi) file you received from BlastWave, you will prepare a USB installer to install the software on your x86 platform and bind it to the BlastShield™ Network. Below are the steps to prepare the installation media.

  1. Download the firmware if you have not already done. You can download the Orchestrator firmware here

  2. Unzip the Installer Package (Do NOT run the Installer file).

  3. Write the Installer image to a USB drive using any available image writer

    Note: there are several free utilities available for writing images to USB drives. We recommend the balenaEtcher software, but you can use any utility.

  4. Once you have written the image to the USB, copy the Orchestrator BSI invitation file into the root folder of this image on the USB.

  5. Create a file and name it authorized_keys

    1. This file should contain a SSH public key in one-line OpenSSH format which will be used by the administrator to apply the license to the Orchestrator immediately after installation.

    2. Add the SSH public key to the authorized_keys file and copy this file to the root folder of the USB.

Note

The USB should contain the following:

  1. The installer image.

  2. The BSI file.

  3. The authorized_keys file.

Step 2 Install the Orchestrator firmware on the x86 Platform

In this step you will be booting the x86 platform from the USB image created in the previous step.

Connect your x86 platform as shown here and then follow the steps below.

x86-installer-on-prem-orchestrator.png

  1. Making sure the x86 server is connected as shown above, power it on and exit the boot sequence using the break key that applies to your hardware, then select the boot setup menu. Ensure the USB boot media is connected.

  2. Re-boot your server from the USB image, once the image boots you will begin the setup process.

  3. Select the uplink (network) interface for the Gateway from the displayed list (note that the Orchestrator will not use any endpoint interfaces).

  4. Set the IP address, Default Gateway and DNS server IP address. Please note that for an airgapped Orchestrator, the DNS IP address must be configured to the same address as the Orchestrator IP address (for a non-airgapped Orchestrator deployment you should provision the DNS to your network's preferred DNS server, please refer to the non-airgapped x86 installation for more details).

  5. Wait for the network interface to come up.

  6. Select the invitation (.bsi) file.

  7. Select the target device (hard drive).

  8. Confirm that all data will be erased and the image will be installed on the server.

  9. When the installation is complete you will be prompted to remove the USB media. at this point, and the server will re-boot.

    1. Remove the USB.

    2. Click on OK

    3. The VM will gracefully restart.

  10. Once the Orchestrator has started, you will see the local maintenance interface displayed on the console. The local IP address of the Orchestrator is displayed. You will use this address to SSH to the Orchestrator in the next step.

    Screenshot_2023-05-05_105438.png

  11. Forward UDP Port 12345 inbound on the firewall to the Orchestrator.

Step 3 Fetch the license and apply it to the new Orchestrator.

  1. SSH as admin into the new Orchestrator. Authentication is done by your SSH public key which was added during the VM setup.

  2. Copy the content of license_req.json which is generated in the home directory of the admin user. 

    $ cat license_req.json

  3. Return this content to BlastWave. BlastWave will reply with a license key.

  4. Whilst still connected to the Orchestrator by SSH, run the apply-license command and hit enter.

    $ apply-license

  5. You will see the following prompt:

    License:

  6. At this prompt, paste the license key information to the command line and hit enter to start the Orchestrator.

    License:{"license": "..."}

Step 4 Set the DNS on the BlastShield users' workstations

Any device running the BlastShield™ Client must have it's DNS set to the IP address of the Orchestrator.

  1. In a Windows desktop OS, you can change the DNS settings in the network interface properties > TCP/IPV4 settings.

    windows-dns-settings.png

    On macOS the DNS can be changed in the network System Settings

    macOS_DNS.png

  2. For networks which use an on-premise Microsoft DNS or an AD server for DNS, then a conditional forwarder can be added with the Orchestrator IP address as shown for the domain blastshield.app. In the example images below, 192.168.247.1 is the IP of the Orchestrator.

    add-new-conditional-fowarder.png
    conditonal-forwarder.png
Step 5 Register the new administrator user

Here you will use the administrator BSI invitation file or invitation link which you received from BlastWave to register and connect to the Orchestrator as the administrator user.

  1. If you are using the Mobile Authenticator app and you have received an administrator invitation (BSI) file then follow this process to register: Register the administrator user using an administrator (BSI) invitation file

  2. If you are using the Mobile Authenticator app and you have received an administrator invitation URL then follow this process to register: Register the administrator user using a registraton URL.

  3. You can download the Mobile Authenticator app here: Mobile Authenticator download links

  4. You can download the Desktop Client here: Desktop Client download links

Step 6 Connect to the Orchestrator

  1. Go to the BlastShield™ Desktop Client on your computer and ensure the Connection Status shows that it is connected.

  2. On the BlastShield™ Client, click on the Launch Orchestrator button.

    Blastshield-client-connection-status-view.png

  3. Scan the displayed QR code with the BlastShield™ Mobile Authenticator App on your mobile device.

    Desktop-client-QR.png

  4. Verify your facial or biometric identity on your mobile device.

  5. The Orchestrator administration user interface will open in your default web browser. At this stage the UI web server will be using a self-signed certificate for HTTPS, so you should acknowledge the browser security warning.

Further reading

Now that you have installed and connected to the Orchestrator, you can add Host Agents, Gateways and new users. Please refer to the following sections to learn how to do this.

In this section: