Secure App Connector V2 Prerequisites and Firewall settings For TCP Applications
V2 Prerequisite
- Make sure to allow the following domains and HTTP(S) ports when you are using a firewall. For more details, see the below section.
- The connector will fail if its system time is not current. Ensure you have sync time between NTP/PTP servers at the time of installation.
- By default, the first network interface (eth0) will be used for IP address allocation, and PA traffic subsequently.
- Make sure to capture periodic snapshots of the VMs when they're in a good state. This will help to recover if the connector goes to a bad state.
- All the connectors are setup with the default hostname out of the box. Changing it would affect connector functionality. If DNS auto-registration is enabled in the VMWare host, we recommend you to add another entry for this host with the desired DNS name.
- Connector does not support forwarding internal private application traffic through an explicit proxy. If an explicit proxy is used, the internal traffic such as Private App Subnet/Hosts and internal DNS servers should be added to the Connector V2 Bypass list to bypass the proxy.
- Ensure that all apps attached to a connector group are reachable from all connectors in that group
V2 Firewall settings
Warning: To enable traffic inspection, ensure that the CA cert is a publicly trusted one.
Warning: To enable inspection of connector traffic, ensure the customer CA certificate used in the proxy/gateway is publicly trusted. If an untrusted customer CA certificate is used, then connector functionality will be impaired.
Note: All the hosts/domains mentioned in the table below should be whitelisted/allowed in the outbound proxy
| Domains | Port | Purpose |
|---|---|---|
| www.myshn.net | 443 | Updates the Connector status in SSE UI |
| www.myshn.eu | 443 | Updates the Connector status in SSE UI |
| iam.mcafee-cloud.com | 443 | Register a token or get access to the user accounts from the IAM service |
| us-east.pa-wgcs.skyhigh.cloud | 443 | Create an OpenVPN tunnel with the Private Access Gateway |
| us-west.pa-wgcs.skyhigh.cloud | ||
| de.pa-wgcs.skyhigh.cloud | ||
| sg.pa-wgcs.skyhigh.cloud | ||
| gb.pa-wgcs.skyhigh.cloud | ||
| br.pa-wgcs.skyhigh.cloud | ||
| jp.pa-wgcs.skyhigh.cloud | ||
| hk.pa-wgcs.skyhigh.cloud | ||
| fr.pa-wgcs.skyhigh.cloud | ||
| se.pa-wgcs.skyhigh.cloud | ||
| de.pa-wgcs.skyhigh.cloud | ||
| au.pa-wgcs.skyhigh.cloud | ||
| in.pa-wgcs.skyhigh.cloud | ||
| sa.pa-wgcs.skyhigh.cloud | ||
| wgcs.skyhigh.cloud | ||
| 443, 8080 | Endpoint for registering connector | |
| skyhighlinux.org | 443 | Skyhigh Centos |
| iam.skyhigh.cloud | 443 | |
| public.ecr.aws | 443 | Pull docker images during the Connector V2 update. |
| gallery.ecr.aws | 443 | Pull docker images during the Connector V2 update. |
| eu-central-1-euprod-cwpp-binary-storage.s3.eu-central-1.amazonaws.com | 443 | Auto-update of runtime artifacts |
| us-west-2-usprod-cwpp-binary-storage.s3.us-west-2.amazonaws.com | 443 | Auto-update of runtime artifacts |