Secure App Connector V2 Prerequisites and Firewall settings For TCP Applications
V2 Prerequisite
- If a firewall sits between the connector and the internet, allow the domains and HTTP(S) ports listed in the V2 Firewall settings section below.
- The connector will fail if its system time is not current. Ensure the system time is synchronized with NTP/PTP servers at the time of installation.
- By default, the first network interface (eth0) is used for IP address allocation and, subsequently, for Private Access (PA) traffic.
- Capture periodic snapshots of the VMs while they are in a good state. This makes recovery straightforward if the connector enters a bad state.
- All connectors are set up with the default hostname out of the box. Changing it would affect connector functionality. If DNS auto-registration is enabled on the VMware host, we recommend adding another DNS entry for this host with the desired name instead.
- The connector does not support forwarding internal private application traffic through an explicit proxy. If an explicit proxy is used, internal destinations such as Private App subnets/hosts and internal DNS servers must be added to the Connector V2 Bypass list so that they bypass the proxy.
- Ensure that all apps attached to a connector group are reachable from all connectors in that group.
V2 Firewall settings
Warning: To enable inspection of connector traffic, ensure the customer CA certificate used in the proxy/gateway is publicly trusted. If an untrusted customer CA certificate is used, connector functionality will be impaired.
Note: All hosts/domains listed in the table below must be allowed in the outbound proxy.
| Domains | Port | Purpose |
|---|---|---|
| www.myshn.net | 443 | Updates the Connector status in SSE UI |
| www.myshn.eu | 443 | Updates the Connector status in SSE UI |
| iam.mcafee-cloud.com | 443 | Register a token or get access to the user accounts from the IAM service |
| us-east.pa-wgcs.skyhigh.cloud | 443 | Create an OpenVPN tunnel with the Private Access Gateway |
| us-west.pa-wgcs.skyhigh.cloud | 443 | Create an OpenVPN tunnel with the Private Access Gateway |
| de.pa-wgcs.skyhigh.cloud | 443 | Create an OpenVPN tunnel with the Private Access Gateway |
| sg.pa-wgcs.skyhigh.cloud | 443 | Create an OpenVPN tunnel with the Private Access Gateway |
| gb.pa-wgcs.skyhigh.cloud | 443 | Create an OpenVPN tunnel with the Private Access Gateway |
| br.pa-wgcs.skyhigh.cloud | 443 | Create an OpenVPN tunnel with the Private Access Gateway |
| jp.pa-wgcs.skyhigh.cloud | 443 | Create an OpenVPN tunnel with the Private Access Gateway |
| hk.pa-wgcs.skyhigh.cloud | 443 | Create an OpenVPN tunnel with the Private Access Gateway |
| fr.pa-wgcs.skyhigh.cloud | 443 | Create an OpenVPN tunnel with the Private Access Gateway |
| se.pa-wgcs.skyhigh.cloud | 443 | Create an OpenVPN tunnel with the Private Access Gateway |
| au.pa-wgcs.skyhigh.cloud | 443 | Create an OpenVPN tunnel with the Private Access Gateway |
| in.pa-wgcs.skyhigh.cloud | 443 | Create an OpenVPN tunnel with the Private Access Gateway |
| sa.pa-wgcs.skyhigh.cloud | 443 | Create an OpenVPN tunnel with the Private Access Gateway |
| wgcs.skyhigh.cloud | 443, 8080 | Endpoint for registering connector |
| skyhighlinux.org | 443 | Skyhigh CentOS |
| iam.skyhigh.cloud | 443 | |
| public.ecr.aws | 443 | Pull docker images during the Connector V2 update. |
| gallery.ecr.aws | 443 | Pull docker images during the Connector V2 update. |
| eu-central-1-euprod-cwpp-binary-storage.s3.eu-central-1.amazonaws.com | 443 | Auto-update of runtime artifacts |
| us-west-2-usprod-cwpp-binary-storage.s3.us-west-2.amazonaws.com | 443 | Auto-update of runtime artifacts |
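The prerequisites and the firewall table above are easy to verify before installing the connector. The following pre-flight script is an added example, not Skyhigh's own tooling: it parses a copy of the allowlist table (only a representative subset of rows is embedded here), checks that each host accepts a TCP connection on its port, confirms that the certificate presented on port 443 validates against the host's public CA store (an inspecting proxy with a private customer CA fails this check, which is the impairment the warning describes), and measures clock skew against an NTP server with a minimal SNTP query. The NTP server name and the 5-second skew threshold are assumptions, not values from the page, and the probe functions are injectable so the decision logic can be tested without network access.

```python
"""Pre-flight checks for a Secure App Connector V2 host (added example, not Skyhigh's tooling)."""
import socket
import ssl
import struct
import time
from dataclasses import dataclass

# Constructed from the firewall table above; a representative subset of rows only.
ALLOWLIST = """\
www.myshn.net | 443 | Updates the Connector status in SSE UI
us-east.pa-wgcs.skyhigh.cloud | 443 | Create an OpenVPN tunnel with the Private Access Gateway
wgcs.skyhigh.cloud | 443, 8080 | Endpoint for registering connector
public.ecr.aws | 443 | Pull docker images during the Connector V2 update.
"""

MAX_CLOCK_SKEW_S = 5.0          # assumed threshold; the page only requires "current" time
NTP_SERVER = "pool.ntp.org"     # assumed; use your organisation's NTP/PTP source
NTP_EPOCH_OFFSET = 2208988800   # seconds between 1900-01-01 (NTP epoch) and 1970-01-01


@dataclass
class Target:
    host: str
    port: int
    purpose: str


def parse_allowlist(text):
    """Turn 'host | port[, port] | purpose' rows into one Target per (host, port)."""
    targets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, ports, purpose = (cell.strip() for cell in line.split("|"))
        for port in ports.split(","):
            targets.append(Target(host, int(port), purpose))
    return targets


def tcp_probe(host, port, timeout=3.0):
    """True if a TCP connection to host:port can be established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_trust_probe(host, port, timeout=3.0):
    """True only if the presented chain validates against the default public CA store."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def ntp_offset(server=NTP_SERVER, timeout=3.0):
    """Return local_time - server_time in seconds using a minimal SNTP (RFC 4330) query."""
    packet = b"\x1b" + 47 * b"\0"  # LI=0, VN=3, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 123))
        data, _ = sock.recvfrom(48)
    secs, frac = struct.unpack("!II", data[40:48])  # transmit timestamp field
    server_time = secs - NTP_EPOCH_OFFSET + frac / 2**32
    return time.time() - server_time


def run_checks(targets, tcp=tcp_probe, tls=tls_trust_probe, clock=ntp_offset,
               max_skew=MAX_CLOCK_SKEW_S):
    """Return a list of human-readable failures; an empty list means all checks passed."""
    failures = []
    for t in targets:
        if not tcp(t.host, t.port):
            failures.append(f"{t.host}:{t.port} unreachable ({t.purpose})")
        elif t.port == 443 and not tls(t.host, t.port):
            failures.append(f"{t.host}:{t.port} TLS chain not publicly trusted "
                            "(inspecting proxy with a private CA?)")
    try:
        skew = clock()
        if abs(skew) > max_skew:
            failures.append(f"clock skew {skew:+.1f}s exceeds {max_skew}s")
    except OSError as exc:
        failures.append(f"NTP check failed: {exc}")
    return failures


if __name__ == "__main__":
    problems = run_checks(parse_allowlist(ALLOWLIST))
    for problem in problems:
        print("FAIL:", problem)
    print("all checks passed" if not problems else f"{len(problems)} check(s) failed")
```

Run it on the connector VM (or a host on the same subnet with the same egress path) before installation; paste the full table into ALLOWLIST to cover every region. A TLS failure with a reachable TCP port is the signature of an inspecting proxy whose CA the connector will not trust, and a skew failure means NTP/PTP sync must be fixed before the connector is registered.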