Secure App Connector V2 Prerequisites and Firewall settings For Private Applications
- If a firewall or outbound proxy sits between the connector and the internet, allow the domains and HTTP(S) ports listed in the firewall settings table below.
- The connector will fail if its system time is not current. Ensure the system clock is synchronized with an NTP/PTP server at installation time and stays synchronized afterwards.
- By default, the first network interface (eth0) is used for IP address allocation and, subsequently, for Private Application (PA) traffic.
- Capture periodic snapshots of the connector VMs while they are in a known-good state. A snapshot is the quickest way to recover if a connector ends up in a bad state.
- All connectors are set up with the default hostname out of the box. Changing it would affect connector functionality. If DNS auto-registration is enabled on the VMware host, we recommend adding a second DNS entry for this host with the desired name instead of renaming it.
- The connector does not support forwarding internal private application traffic through an explicit proxy. If an explicit proxy is used, add the internal destinations (Private App subnets/hosts and internal DNS servers) to the Connector V2 Bypass list so that this traffic bypasses the proxy.
- Ensure that all apps attached to a connector group are reachable from all connectors in that group.
NOTE: Private Applications defined with TCP as the protocol on port 53 are not supported.
Note: UDP support has been tested with the DNS, ECHO, NTP, HTTP/3, and RDP over UDP protocols. Private Applications in which the session is initiated by the server rather than the client are not supported.
NOTE: Ensure that inactivity timeouts are disabled for the connector's connections on every system in the path between the connector and Skyhigh Cloud; otherwise the tunnels will be torn down for inactivity during low-traffic hours. Scope this exception to the connector's outbound flows to the hosts listed below rather than disabling idle timeouts globally.
Secure App Connector V2 Firewall settings for Private Applications
Warning: To enable inspection of connector traffic, the CA certificate used by the inspecting proxy/gateway must be publicly trusted. If an untrusted customer (private) CA certificate is used, the connector cannot validate the re-signed certificates and its functionality will be impaired. In practice, either exempt the hosts in the table below from TLS inspection or make sure the inspecting CA is publicly trusted.
Note: All hosts/domains listed in the table below must be allowlisted (whitelisted) in the outbound proxy.
Domain                                                               Port       Purpose
www.myshn.net                                                        443        Updates the Connector status in the SSE UI
www.myshn.eu                                                         443        Updates the Connector status in the SSE UI
iam.mcafee-cloud.com                                                 443        Register a token or get access to the user accounts from the IAM service
*.pa-wgcs.skyhigh.cloud                                              443        Create an OpenVPN tunnel with the Private Access Gateway
wgcs.skyhigh.cloud                                                   443, 8080  Endpoint for registering the connector
skyhighlinux.org                                                     443        Skyhigh CentOS
iam.skyhigh.cloud                                                    443
public.ecr.aws                                                       443        Pull docker images during the Connector V2 update
gallery.ecr.aws                                                      443        Pull docker images during the Connector V2 update
cloudfront.net                                                       443
eu-central-1-euprod-cwpp-binary-storage.s3.eu-central-1.amazonaws.com 443        Auto-update of runtime artifacts
us-west-2-usprod-cwpp-binary-storage.s3.us-west-2.amazonaws.com      443        Auto-update of runtime artifacts

Additional hosts/ports to be allowed for UDP
connect.gateway.skyhigh.cloud                                        443        UDP Client gateway
connect.pa-gateway.skyhigh.cloud                                     443        UDP Tunnel gateway
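The following script is an added example for this page; it is not Skyhigh's documentation or tooling. Run from the connector VM (or another host on the same network segment), it probes each host/port in the table above in three stages: DNS resolution, TCP connect, then a TLS handshake verified against the system CA store. A "tls" result on a host that is otherwise reachable is exactly what an inspecting proxy with a private CA produces, the case the warning above describes; passing the proxy's CA bundle as the first argument makes the script re-check such entries with that CA added and label them "inspected-by-private-ca". Assumptions: the host's CA bundle (what ssl.create_default_context() loads) approximates the connector's trust store; the wildcard and cloudfront.net rows are left out because they cannot be probed as written; whether port 8080 on wgcs.skyhigh.cloud speaks TLS is not stated on this page, so a "tls" result there confirms TCP reachability only; the UDP gateways are probed over TCP/443 only.

```python
"""Outbound reachability and TLS-trust check for the Connector V2 allowlist.

Added example, not Skyhigh's code. Assumes the host's system CA bundle
approximates the connector's trust store and that a TCP+TLS probe is an
adequate stand-in for the connector's own connections.
"""
import socket
import ssl
import sys

# Endpoints taken from the allowlist table on this page. The wildcard row
# (*.pa-wgcs.skyhigh.cloud) and the bare parent domain (cloudfront.net)
# cannot be probed as-is; check them with a hostname seen in connector logs.
ALLOWLIST = [
    ("www.myshn.net", 443), ("www.myshn.eu", 443),
    ("iam.mcafee-cloud.com", 443), ("wgcs.skyhigh.cloud", 443),
    ("wgcs.skyhigh.cloud", 8080),  # page does not say 8080 is TLS: "tls" = TCP ok only
    ("skyhighlinux.org", 443), ("iam.skyhigh.cloud", 443),
    ("public.ecr.aws", 443), ("gallery.ecr.aws", 443),
    ("eu-central-1-euprod-cwpp-binary-storage.s3.eu-central-1.amazonaws.com", 443),
    ("us-west-2-usprod-cwpp-binary-storage.s3.us-west-2.amazonaws.com", 443),
    ("connect.gateway.skyhigh.cloud", 443),     # UDP gateways: TCP/443 probe only
    ("connect.pa-gateway.skyhigh.cloud", 443),
]


def check_endpoint(host, port, timeout=5.0, cafile=None):
    """Resolve host, open a TCP connection, then complete a verified TLS
    handshake. Returns a dict whose 'stage' is the first failing stage
    ('dns', 'connect', 'tls') or 'ok'. If cafile is given, that bundle is
    trusted in addition to the system store."""
    result = {"host": host, "port": port, "stage": "ok", "detail": ""}
    ctx = ssl.create_default_context()   # CERT_REQUIRED plus hostname check
    if cafile:
        ctx.load_verify_locations(cafile)
    try:
        family, _, _, _, addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0]
    except OSError as exc:               # socket.gaierror is an OSError subclass
        return dict(result, stage="dns", detail=str(exc))
    raw = socket.socket(family, socket.SOCK_STREAM)
    raw.settimeout(timeout)
    try:
        raw.connect(addr)
    except OSError as exc:
        raw.close()
        return dict(result, stage="connect", detail=f"{addr[0]}:{addr[1]} {exc}")
    try:
        # wrap_socket takes ownership of raw and closes it if the handshake fails
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            issuer = dict(pair[0] for pair in tls.getpeercert()["issuer"])
            return dict(result, detail="issuer=" + issuer.get("organizationName", "?"))
    except OSError as exc:               # ssl.SSLError and timeouts are OSErrors too
        return dict(result, stage="tls", detail=str(exc))


def classify(host, port, proxy_cafile=None, timeout=5.0):
    """Check with the system store; if that fails at the TLS stage and a proxy
    CA bundle was supplied, check again with that CA trusted. Passing only in
    the second run means the proxy re-signs with a CA that is not publicly
    trusted, which the warning on this page says will impair the connector."""
    public = check_endpoint(host, port, timeout)
    if public["stage"] != "tls" or not proxy_cafile:
        return public
    with_proxy = check_endpoint(host, port, timeout, cafile=proxy_cafile)
    if with_proxy["stage"] == "ok":
        return dict(public, stage="inspected-by-private-ca", detail=with_proxy["detail"])
    return public


def failures(results):
    """Entries the connector would not be able to use as-is."""
    return [(r["host"], r["port"], r["stage"]) for r in results if r["stage"] != "ok"]


def main(argv):
    proxy_cafile = argv[1] if len(argv) > 1 else None   # optional proxy CA bundle path
    results = [classify(h, p, proxy_cafile) for h, p in ALLOWLIST]
    for r in results:
        print(f"{r['stage']:<24} {r['host']}:{r['port']}  {r['detail']}")
    return 1 if failures(results) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit with any "dns" or "connect" entry points at the firewall or proxy allowlist; "tls" on a reachable host points at TLS inspection, and "inspected-by-private-ca" confirms it. Re-run after each firewall or proxy change until every row reports "ok".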
Additional SCP Configuration for UDP Applications
- PA SKU only: enable the Support UDP traffic for Private Applications checkbox to allow UDP PA traffic.
- This setting is under Settings > Infrastructure > Client Proxy Management > Configuration Policies.
- PA + Firewall SKU: enable the firewall checkbox under Firewall Settings.
- This setting is under Settings > Infrastructure > Client Proxy Management > Configuration Policies > Firewall Settings.
SCP Configuration to Support RDP Over UDP
If a UDP Private Application uses both TCP and UDP, add the UDP PA app's port under Settings > Infrastructure > Client Proxy Management > Configuration Policies > select the configured policy > Admin > List of configured ports to redirect as HTTP/HTTPS Traffic, and click Add Port.
For example, RDP uses both TCP and UDP, so add the RDP port 3389 under the Port-based Redirection settings.
Limitation of UDP Applications
- Reporting/Analytics for PA UDP apps is not yet supported.
- Network Level Access is not supported for UDP-based applications.