
Skyhigh Security

Secure App Connector V2 Prerequisites and Firewall settings For Private Applications

  • If a firewall sits in the path, allow the domains and HTTP(S) ports listed below.
  • By default, the first network interface (eth0) is used for IP address allocation and, subsequently, for Private Application (PA) traffic.
  • Capture periodic snapshots of the VMs while they are in a known-good state, so that the connector can be recovered if it enters a bad state.
  • All connectors ship with a default hostname. Changing it affects connector functionality. If DNS auto-registration is enabled on the VMware host, we recommend adding a second DNS entry for this host with the desired name instead.
  • The connector does not support forwarding internal private application traffic through an explicit proxy. If an explicit proxy is used, add the internal destinations (Private App subnets/hosts and internal DNS servers) to the Connector V2 Bypass list so that this traffic bypasses the proxy.
  • Ensure that all apps attached to a connector group are reachable from every connector in that group.

IMPORTANT

  • The connector fails if its system time is not current. Ensure the VM's clock is synchronized periodically with NTP/PTP servers.
  • Ensure that the CPU used for TCP and UDP deployments supports the Intel ADX instruction set. 

NOTES 

  • Private Applications with TCP as protocol and port 53 are not supported.
  • UDP support has been tested with DNS, ECHO, NTP, HTTP/3, and RDP over UDP. A PA app whose session is initiated on the server side rather than the client side is not supported.
  • If any systems or firewalls sit in the path between the connector and Skyhigh Cloud, disable their connection inactivity timeout (or set it as high as possible) and make sure connections are not terminated under high traffic. This keeps the tunnels between the connector and Skyhigh Cloud from being torn down for inactivity during low-traffic hours.

Secure App Connector V2 Firewall settings for Private Applications

WARNING: To enable inspection of connector traffic, ensure the customer CA certificate used in the proxy/gateway is publicly trusted. If an untrusted customer CA certificate is used, then connector functionality will be impaired. 

NOTE: All hosts/domains in the table below must be whitelisted/allowed in the outbound proxy.

| Domain | Port | Purpose |
|---|---|---|
| dashboard-us.ui.skyhigh.cloud | 443 | Updates the Connector status in SSE UI |
| dashboard-eu.ui.skyhigh.cloud | 443 | Updates the Connector status in SSE UI |
| iam.mcafee-cloud.com | 443 | Register a token or get access to the user accounts from the IAM service |
| *.pa-wgcs.skyhigh.cloud | 443 | Create an OpenVPN tunnel with the Private Access Gateway |
| wgcs.skyhigh.cloud | 443 | |
| | 443, 8080 | Endpoint for registering connector |
| skyhighlinux.org | 443 | Skyhigh Centos |
| iam.skyhigh.cloud | 443 | |
| public.ecr.aws | 443 | Pull docker images during the Connector V2 update |
| gallery.ecr.aws | 443 | Pull docker images during the Connector V2 update |
| cloudfront.net | 443 | |
| eu-central-1-euprod-cwpp-binary-storage.s3.eu-central-1.amazonaws.com | 443 | Auto-update of runtime artifacts |
| us-west-2-usprod-cwpp-binary-storage.s3.us-west-2.amazonaws.com | 443 | Auto-update of runtime artifacts |

Additional hosts/ports to be allowed for UDP

| Domain | Port | Purpose |
|---|---|---|
| connect.gateway.skyhigh.cloud | 443 | UDP Client gateway |
| connect.pa-gateway.skyhigh.cloud | 443 | UDP Tunnel gateway |
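A pre-flight check for a connector VM, added here as example code (not Skyhigh's own tooling): it parses an allow-list written in the table's "domain port[, port] purpose" layout, attempts a plain TCP handshake to each non-wildcard domain/port, and looks for the adx flag in /proc/cpuinfo-style text. The allow-list excerpt is a constructed subset of the table above; a completed handshake only shows the firewall permits the connection, not that TLS or the outbound proxy path works.

```python
import re
import socket

# Constructed excerpt of the page's allow-list in its "domain port[, port] purpose" layout.
ALLOWLIST = """\
dashboard-us.ui.skyhigh.cloud 443 Updates the Connector status in SSE UI
iam.mcafee-cloud.com 443 Register a token or access user accounts from IAM
*.pa-wgcs.skyhigh.cloud 443 Create an OpenVPN tunnel with the Private Access Gateway
wgcs.skyhigh.cloud 443
public.ecr.aws 443 Pull docker images during the Connector V2 update
connect.pa-gateway.skyhigh.cloud 443 UDP Tunnel gateway
"""
ROW = re.compile(r"^(\S+)\s+(\d+(?:,\s*\d+)*)(?:\s+(.*))?$")

def parse_allowlist(text):
    """Return one (domain, port, purpose) tuple per domain/port pair; skip non-rows."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            purpose = m.group(3) or ""
            rows += [(m.group(1), int(p), purpose) for p in re.split(r",\s*", m.group(2))]
    return rows

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes in time (no TLS, no HTTP)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def has_adx(cpuinfo_text):
    """True if 'adx' is among the CPU flags in /proc/cpuinfo-style text (Intel ADX)."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return "adx" in line.split(":", 1)[1].split()
    return False

def run_checks(allowlist=ALLOWLIST, cpuinfo_text=""):
    """Return {(domain, port): 'ok' | 'FAIL' | 'manual'} plus a ('cpu', 'adx') entry."""
    results = {}
    for domain, port, _ in parse_allowlist(allowlist):
        if domain.startswith("*."):
            results[(domain, port)] = "manual"  # wildcard: probe the real gateway FQDN
        else:
            results[(domain, port)] = "ok" if tcp_reachable(domain, port) else "FAIL"
    results[("cpu", "adx")] = "ok" if has_adx(cpuinfo_text) else "FAIL"
    return results
```

On the connector VM, call `run_checks(cpuinfo_text=open("/proc/cpuinfo").read())` and treat any FAIL as a firewall or hardware prerequisite that is not met.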
