
BlastShield Documentation

On-premises installation of the Orchestrator on a VMware virtual machine in a non-air-gapped network.

Introduction

The BlastShield™ Orchestrator is used to provision and manage all systems in a BlastShield™ network. This includes management of Gateways, endpoints, remote users, groups, and policies. This article describes how to install a new Orchestrator into a non-air-gapped network. Once it is installed, you will use the Orchestrator to manage and provision all systems within the BlastShield™ network.

On-premises Orchestrator deployment

In this deployment scenario, the Orchestrator is hosted and managed by the customer. This is typically required in situations where local rules or regulations do not permit the management function to be located externally to the enterprise. The Authentication Server is hosted in BlastWave's secure cloud infrastructure.

[Figure: on-prem-orchestrator.png]
  1. All BlastShield nodes (users, Host Agents and Gateways) must be able to reach the Orchestrator.

  2. Users should be able to reach the cloud-hosted Authentication Server from their mobile devices if they wish to use the BlastShield Mobile Authenticator app. If this is not possible, users can authenticate with a FIDO2 key instead.

  3. Inbound port forwarding (UDP port 12345) must be configured on the firewall in front of the Orchestrator.

Before Starting
  1. Request the Orchestrator BSI invitation file and the administrator BSI invitation file from BlastWave. These are used to register the BlastShield network and to register the administrator user, respectively.

  2. The Orchestrator uses UDP port 12345 for communications. Forward inbound UDP port 12345 on the firewall to the Orchestrator.

  3. Install a BlastShield Client on the administrator workstation. You can download the Client from the Client download links.

  4. Download the Orchestrator firmware. This download link is provided below in Step 1.

Step 1 Download the Orchestrator OVA file.
Step 2 Install the BlastShield™ Orchestrator OVA file on the ESXi host

Using the VMware ESXi new virtual machine wizard, the Orchestrator invitation (.bsi) file you received from BlastWave, and the OVA file you downloaded in Step 1, you will install the software on your ESXi hypervisor and register it to the BlastShield™ network. The process is explained below.

  • Install the BlastShield™ Orchestrator OVA file on the ESXi host.

    1. From the ESXi host, go to Virtual Machines > Create/Register VM > Create a virtual machine from an OVF/OVA file

      [Screenshot: vmware-gw-install-step3-1.png]
    2. Enter a name and select the BlastShield™ OVA file.

      [Screenshot: Screenshot_2023-05-04_143321.png]
    3. Leave the default datastore option.

      [Screenshot: vmware-passive-new-step3-2.png]
    4. Next, configure the Deployment options.

      1. 'Network mappings' should use the default "VM Network" port group for the Public Network. The Protected Network mapping is not used by the Orchestrator and is ignored, whatever you set it to.

        [Screenshot: vmware-passive-new-step4.png]
      2. 'Deployment type' should be set to "Orchestrator or passive gateway (NAT)".

      3. 'Disk provisioning' and 'Power on automatically' should use the default settings.

    5. Next, complete the Additional Settings.

      1. In the BlastShield Invitation section, paste the contents of the Orchestrator BSI file into the Invitation contents box.

      2. In the Network Configuration section, set the IP address and public DNS server if you are configuring them manually. To use DHCP, leave all the boxes blank.

      3. Add your SSH public key (in one-line OpenSSH format) in the SSH Keys > SSH Key for "admin" user field.

      4. Click Next to review the summary of the new virtual machine.

        [Screenshot: Screenshot_2023-05-04_144236.png]
    6. Then click 'Finish' to complete the configuration and launch the VM.

      [Screenshot: Screenshot_2023-05-04_144308.png]
    7. Once the Orchestrator has started, you will see the local maintenance interface displayed on the console. The local IP address of the Orchestrator is displayed. It is not required to log in to this interface.

      [Screenshot: Screenshot_2023-05-05_105438.png]
    8. Forward inbound UDP port 12345 on the firewall to the Orchestrator's local IP address shown on the console.

    9. To connect to the Orchestrator UI, follow the steps below.
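The SSH key entered in step 5.3 above has to be a single-line OpenSSH public key ("<type> <base64 blob> [comment]"). A key that an editor has wrapped onto two lines, a PEM or RFC 4716 export of the same key, or a line whose "ssh-rsa" prefix does not match the key type encoded in the blob will not give you SSH access to the admin user, so it is worth checking the text before pasting it. The following is an added example and not BlastWave's code or part of this guide: a small Python validator that decodes the base64 blob and parses the SSH wire format behind it. The sample keys it builds are constructed test data, not real keys, and the 2048-bit RSA minimum is this example's own policy, not a BlastShield requirement.

```python
# Added example, not BlastWave's code: sanity-check a public key before pasting
# it into the OVA's "SSH Key for admin user" field, which expects one-line
# OpenSSH format: "<type> <base64 blob> [comment]".  All keys below are
# constructed test data, not real keys.
import base64
import struct

KNOWN_TYPES = {"ssh-ed25519", "ssh-rsa"}   # ecdsa-sha2-* would need extra parsing
MIN_RSA_BITS = 2048  # this example's own policy, not a BlastShield requirement


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251: sign bit must be clear)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_pubkey_line(ktype: str, fields, comment: str = "") -> str:
    """Build a one-line OpenSSH public key from already wire-encoded fields."""
    blob = _ssh_string(ktype.encode()) + b"".join(fields)
    line = f"{ktype} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def _read_string(blob: bytes, off: int):
    """Read one wire-format string from blob at offset off; return (bytes, new offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + n], off + n


def check_openssh_pubkey(text: str) -> dict:
    """Validate a pasted key; return its type, size and comment, or raise ValueError."""
    line = text.strip()
    if line.startswith("-----BEGIN"):
        raise ValueError("PEM format; use the .pub file or 'ssh-keygen -y -f <private key>'")
    if line.startswith("---- BEGIN SSH2"):
        raise ValueError("RFC 4716 format; convert with 'ssh-keygen -i -f <file>'")
    if "\n" in line or "\r" in line:
        raise ValueError("key is wrapped over several lines; it must be a single line")
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if ktype not in KNOWN_TYPES:
        raise ValueError(f"unsupported key type {ktype!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        raise ValueError("key material is not valid base64") from None
    wire_type, off = _read_string(blob, 0)
    if wire_type != ktype.encode():  # the prefix and the blob must agree
        raise ValueError(f"prefix says {ktype} but blob encodes {wire_type.decode(errors='replace')}")
    if ktype == "ssh-ed25519":
        pub, off = _read_string(blob, off)
        if len(pub) != 32:
            raise ValueError("ed25519 public key must be exactly 32 bytes")
        bits = 256
    else:  # ssh-rsa blob is: string "ssh-rsa", mpint e, mpint n
        _e, off = _read_string(blob, off)
        n, off = _read_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()
        if bits < MIN_RSA_BITS:
            raise ValueError(f"RSA modulus is only {bits} bits; use at least {MIN_RSA_BITS}")
    if off != len(blob):
        raise ValueError("trailing bytes after the key material")
    return {"type": ktype, "bits": bits, "comment": comment}


def classify(text: str) -> str:
    """Return 'ok' or the validation error message."""
    try:
        check_openssh_pubkey(text)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed samples: a well-formed ed25519 line, the same line wrapped by an
# editor, an ed25519 blob pasted behind an "ssh-rsa" prefix, and a 1024-bit RSA key.
GOOD_ED25519 = make_pubkey_line("ssh-ed25519", [_ssh_string(bytes(range(32)))], "admin@workstation")
WRAPPED = GOOD_ED25519[:40] + "\n" + GOOD_ED25519[40:]
MISMATCHED = "ssh-rsa " + GOOD_ED25519.split()[1]
WEAK_RSA = make_pubkey_line("ssh-rsa", [_ssh_mpint(65537), _ssh_mpint((1 << 1023) | 1)])
STRONG_RSA = make_pubkey_line("ssh-rsa", [_ssh_mpint(65537), _ssh_mpint((1 << 2047) | 1)], "admin")

if __name__ == "__main__":
    for name, sample in [("good", GOOD_ED25519), ("wrapped", WRAPPED),
                         ("mismatch", MISMATCHED), ("weak-rsa", WEAK_RSA)]:
        print(f"{name:9s} {classify(sample)}")
```

To check your own key, read the contents of your `.pub` file into `check_openssh_pubkey` and paste the line into the wizard only when it returns without an error. The prefix-versus-blob comparison is the check that catches the most common copy-and-paste mistake, a type name from one key combined with the blob of another.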

Step 3 Register the new administrator user and connect to the Orchestrator

Here you will use the administrator BSI invitation file or invitation link which you received from BlastWave to register and connect to the Orchestrator as the administrator user.

  1. If you are using the Mobile Authenticator app and you have received an administrator invitation (BSI) file, follow this process to register: Register the administrator user using an administrator (BSI) invitation file

  2. If you are using the Mobile Authenticator app and you have received an administrator invitation URL, follow this process to register: Register the administrator user using a registration URL.

  3. You can download the Mobile Authenticator app here: Mobile Authenticator download links

  4. You can download the Desktop Client here: Client download links

Step 4 Connect to the Orchestrator
  1. Go to the BlastShield™ Desktop Client on your computer and ensure the Connection Status shows that it is connected.

  2. On the BlastShield™ Client, click on the Launch Orchestrator button.

    [Screenshot: Blastshield-client-connection-status-view.png]
  3. Scan the displayed QR code with the BlastShield™ Mobile Authenticator app on your mobile device. Alternatively, if you are using a FIDO2 key instead of the Mobile Authenticator app, interact with your FIDO2 key when prompted.

    [Screenshot: Desktop-client-QR.png]
  4. Verify your facial or biometric identity on your mobile device if you are using the Mobile Authenticator app.

  5. The Orchestrator administration user interface will open in your default web browser. At this stage the UI web server uses a self-signed certificate for HTTPS, so the browser will show a certificate warning that you need to acknowledge to proceed.

Further configuration

Now that you have installed and connected to the Orchestrator, you can add Host Agents, Gateways and new users. Please refer to the following sections to learn how to do this.