BlastShield Documentation

On-premise installation of the Orchestrator on VMware ESXi in a fully air-gapped network.

Introduction

The BlastShield™ Orchestrator is used to provision and manage all systems in a BlastShield™ network. This includes management of gateways, endpoints, remote users, groups, and policies. This article describes how to install a new Orchestrator into a fully air-gapped network. Once installed, you will use the Orchestrator to manage and provision all systems within the BlastShield™ Network.

Fully air-gapped deployment

Local regulations may sometimes require a fully air-gapped deployment, where no external access from the network is permitted. In a fully air-gapped network the Orchestrator is deployed on premises with no access to the internet, and similarly, users are also not allowed external internet access.

[Diagram: fully air-gapped deployment]

Deployment notes for a fully air-gapped deployment

  1. Because the BlastShield™ Mobile Authenticator app requires external access, it may not be used in a fully air-gapped network; FIDO 2 keys must be used for user authentication instead.

  2. You must manually process the Orchestrator license request during the installation. This is a one-time process.

  3. Any Gateways or Clients (e.g. a user workstation running the BlastShield™ Client) must have their DNS set to the IP address of the Orchestrator.

  4. As the Orchestrator will be self-hosted, you should provide your own certificate for the Orchestrator HTTPS web UI.

Before Starting
  1. Request the Orchestrator BSI invitation file and the administrator BSI invitation file from BlastWave. These are used for registering the BlastShield network and for registering the administrator user.

  2. The Orchestrator will use UDP port 12345 for communications. Please forward UDP Port 12345 inbound on the firewall to the Orchestrator.

  3. Install a BlastShield Client on the administrator workstation. You can download the Client from here.

  4. Download the Orchestrator firmware. This download link is provided below in Step 1.

Step 1 Download the Orchestrator OVA file.
Step 2 Install the BlastShield™ Orchestrator OVA file on the ESXi client

Using the VMware ESXi new virtual machine installer, the invitation (.bsi) file you received from BlastWave, and the OVA file you downloaded in Step 1, you will install the software on your ESXi hypervisor and register it to the BlastShield™ Network. The process is explained below.

  • Install the BlastShield™ Orchestrator OVA file on the ESXi client.

    1. From the ESXi host, go to Virtual Machines > Create/Register VM > Create a virtual machine from an OVF/OVA file

    2. Enter a name and select the BlastShield™ OVA file.

    3. Leave the default datastore option.

    4. Deployment options

      1. 'Network mappings' should use the default "VM Network" port group for the Public Network. The Protected Network setting is not used by the Orchestrator and will be ignored.

      2. Deployment type should be set to Orchestrator or passive gateway (NAT).

      3. 'Disk provisioning' and 'Power on automatically' should use the default settings.

    5. In Additional Settings, add the contents of the bsi file.

      1. Paste the contents of the Orchestrator BSI file into the Invitation contents box.

      2. Set the IP address and prefix length, Default Gateway and DNS server IP address. For an air-gapped Orchestrator deployment you must set the DNS IP address to the same value as the Orchestrator IP address (for a non-air-gapped deployment, set the DNS to your network's preferred DNS server; refer to the non-air-gapped VMware installation article for details). Leaving the boxes blank will use DHCP.

      3. Add your SSH public key (in one-line OpenSSH format) in the SSH Keys > SSH Key for "admin" user field.

      4. The screen shot below shows example settings. Please use settings appropriate to your network.

    6. Click next, then click 'Finish' to complete the configuration and launch the VM.

    7. Once the Orchestrator has started, you will see the local maintenance interface displayed on the console. The local IP address of the Orchestrator is displayed. You will use this address to SSH to the Orchestrator in the next step.

    8. Forward UDP Port 12345 inbound on the firewall to the Orchestrator.

Step 3 Fetch the license and apply it to the new Orchestrator.
  1. SSH as admin into the new Orchestrator. Authentication is done by your SSH public key which was added during the VM setup.

  2. Copy the content of license_req.json, which is generated in the home directory of the admin user.

    $ cat license_req.json

  3. Return this content to BlastWave. BlastWave will reply with a license key.

  4. Whilst still connected to the Orchestrator by SSH, run the apply-license command and hit enter.

    $ apply-license

  5. You will see the following prompt:

    License:

  6. At this prompt, paste the license key information to the command line and hit enter to start the Orchestrator.

    License:{"license": "..."}

Step 4 Set the DNS on the BlastShield users' workstations

Any device running the BlastShield™ Client must have its DNS set to the IP address of the Orchestrator.

  1. In a Windows desktop OS, you can change the DNS settings in the network interface properties > TCP/IPv4 settings.

    [Screenshot: Windows DNS settings]

    On macOS, the DNS server can be changed in the network System Settings.

    [Screenshot: macOS DNS settings]
  2. For networks which use an on-premise Microsoft DNS server or an AD server for DNS, add a conditional forwarder for the domain blastshield.app that points to the Orchestrator IP address. In the example images below, 192.168.247.1 is the IP of the Orchestrator.

    [Screenshots: adding a new conditional forwarder; the configured conditional forwarder for blastshield.app]
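
The same Step 4 DNS settings can be applied from PowerShell instead of the GUI. This is an added example and not part of the BlastShield documentation; it assumes the Orchestrator IP 192.168.247.1 used in the screenshots above, a workstation adapter named "Ethernet", and the DnsServer module (RSAT) on the AD DNS server.

```powershell
# Added example (not from the BlastShield documentation): configure the
# Step 4 DNS settings with PowerShell. Run in an elevated session.
# Assumptions: Orchestrator IP 192.168.247.1 (from the article's screenshots),
# workstation adapter alias "Ethernet", DnsServer module on the AD DNS server.

$OrchestratorIp    = '192.168.247.1'
$BlastShieldDomain = 'blastshield.app'

# Option 1: a single workstation running the BlastShield Client.
# Point the adapter's DNS server at the Orchestrator, as the article requires.
function Set-WorkstationDns {
    param([string]$InterfaceAlias = 'Ethernet')
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias `
        -ServerAddresses $OrchestratorIp
    # Show the resulting configuration so the change can be checked.
    Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4
}

# Option 2: an on-premise Microsoft DNS / AD DNS server.
# Only queries for blastshield.app are forwarded to the Orchestrator;
# all other name resolution stays with the existing DNS server.
function Add-BlastShieldForwarder {
    if (Get-DnsServerZone -Name $BlastShieldDomain -ErrorAction SilentlyContinue) {
        Write-Host "Conditional forwarder for $BlastShieldDomain already exists."
        return
    }
    # ReplicationScope 'Forest' stores the forwarder in AD so every DC gets it
    # (assumption; use 'Domain' or omit it for a standalone DNS server).
    Add-DnsServerConditionalForwarderZone -Name $BlastShieldDomain `
        -MasterServers $OrchestratorIp -ReplicationScope 'Forest'
    Get-DnsServerZone -Name $BlastShieldDomain
}

# Verification for either option: a query under blastshield.app should be
# answered via the Orchestrator. <hostname> is a placeholder for a name that
# exists in your BlastShield network; the article does not give one.
# Resolve-DnsName -Name "<hostname>.$BlastShieldDomain" -Server $OrchestratorIp
```
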
Step 5 Register the new administrator user and connect to the new Orchestrator

Here you will use the administrator BSI invitation file which you received from BlastWave to register your FIDO 2 key and connect to the Orchestrator as the administrator user.

  1. Ensure your registered FIDO 2 Key is plugged into your computer.

  2. Launch the BlastShield™ Client App and click on FIDO2 Key.

  3. Enter the security PIN for your FIDO 2 Key.

  4. Select Add new - this is when you will register this key to the network.

  5. Locate and select the Administrator invitation file (.bsi) for this key.

  6. Enter a name for this network (Note: this can be any name of your choosing).

  7. You will be prompted to touch both metal sides of your FIDO 2 key to create new credentials.

  8. Next, you will be prompted to touch the key again to sign in to the network.

  9. At this point you have registered your FIDO 2 key to the network, and are signed in to the BlastShield™ network.

    [Screenshot: Client connected]
Step 6 Connect to the Orchestrator
  1. Go to the BlastShield™ Desktop Client on your computer and ensure the Connection Status shows that it is connected.

  2. On the BlastShield™ Client, click on the Launch Orchestrator button.

    [Screenshot: Client connected, with the Launch Orchestrator button]
  3. Interact with your FIDO2 key when prompted.

  4. The Orchestrator administration user interface will open in your default web browser. At this stage the UI web server is still using a self-signed certificate for HTTPS, so you will need to acknowledge the browser security warning until you install your own certificate (see the deployment notes above).

Further reading

Now that you have installed and connected to the Orchestrator, you can add Host Agents, Gateways and new users. Please refer to the following sections to learn how to do this.