Skyhigh Security

Secure App Connector Docker Prerequisites and Firewall settings For Private Applications

  • Make sure to allow the domains and HTTP(S) ports listed below when a firewall is in the path.
  • By default, the first network interface (eth0) is used for IP address allocation and, subsequently, for PA traffic.
  • Capture periodic snapshots of the VMs while they are in a known-good state, so that a connector can be recovered if it enters a bad state.
  • All connectors are set up with the default hostname out of the box; changing it affects connector functionality. If DNS auto-registration is enabled on the VMware host, we recommend adding another DNS entry for this host with the desired name instead.
  • The connector does not support forwarding internal private application traffic through an explicit proxy. If an explicit proxy is used, internal destinations such as the Private App subnets/hosts and internal DNS servers must be added to the Docker Connector Bypass list so that they bypass the proxy.
  • Ensure that all apps attached to a connector group are reachable from all connectors in that group.

IMPORTANT

  • The connector will fail if its system time is not current. Ensure that the VM's clock is synchronized with NTP/PTP servers periodically.
  • Ensure that the CPU used for TCP deployments supports the Intel ADX instruction set. 

NOTE 

  • Private Applications that use TCP on port 53 are not supported.
  • If there are any systems or firewalls in the path between the connector and the Skyhigh cloud, ensure that their connection inactivity timeout is disabled or set as high as possible, and that connections are not terminated under high traffic. This ensures that the tunnels between the connector and the Skyhigh cloud are not torn down for inactivity during low-traffic hours.

Secure App Connector Docker Firewall settings for Private Applications

WARNING: To enable inspection of connector traffic, ensure that the customer CA certificate used by the proxy/gateway is publicly trusted. If an untrusted customer CA certificate is used, connector functionality will be impaired.

NOTE: All hosts/domains listed in the table below must be allowed (whitelisted) in the outbound proxy.

Domains                                                                Port          Purpose
dashboard-us.ui.skyhigh.cloud                                          443           Updates the Connector status in SSE UI
dashboard-eu.ui.skyhigh.cloud                                          443           Updates the Connector status in SSE UI
iam.mcafee-cloud.com                                                   443           Register a token or get access to the user accounts from the IAM service
*pa-wgcs.skyhigh.cloud                                                 443           Create an OpenVPN tunnel with the Private Access Gateway
pa-wgcs.skyhigh.cloud                                                  443           Create an OpenVPN tunnel with the Private Access Gateway
*wgcs.skyhigh.cloud                                                    443, 8080     Endpoint for registering the connector
wgcs.skyhigh.cloud                                                     443, 8080     Endpoint for registering the connector
skyhighlinux.org                                                       443           Skyhigh CentOS
iam.skyhigh.cloud                                                      443
public.ecr.aws                                                         443           Pull Docker images during the Docker connector update.
gallery.ecr.aws                                                        443           Pull Docker images during the Docker connector update.
*cloudfront.net                                                        443
cloudfront.net                                                         443
eu-central-1-euprod-cwpp-binary-storage.s3.eu-central-1.amazonaws.com  443           Auto-update of runtime artifacts
us-west-2-usprod-cwpp-binary-storage.s3.us-west-2.amazonaws.com        443           Auto-update of runtime artifacts
*saasprotection.com                                                    8080/443      For connector registration and pop reachability.
saasprotection.com                                                     8080/443      For connector registration and pop reachability.
161.69.0.0/17, 131.229.128.0/17                                        8080/443 TCP  For IP-based firewall rules required to reach the Skyhigh Security Gateway, to allow connector registration, and to access the Web Gateway/Skyhigh Security Proxy.
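As an added example (not Skyhigh's own tooling), a pre-flight script to run on the connector VM before registration: it probes each host/port from the table above for outbound TCP reachability and checks the Intel ADX and time-sync prerequisites, assuming nc (netcat) and timedatectl are available on the VM.

```shell
#!/usr/bin/env bash
# Added pre-flight check for a Secure App Connector VM (not Skyhigh's code):
# probes outbound TCP reachability to the documented hosts/ports and checks
# the Intel ADX and time-sync prerequisites. Assumes nc and timedatectl exist.
# Wildcard rows are probed via their apex host; the CIDR row is a rule, not a target.

# Normalise a port cell as written in the table ("443", "443, 8080",
# "8080/443 TCP") into a space-separated list of port numbers.
expand_ports() {
    printf '%s\n' "$1" | tr ',/' '  ' | tr -s ' ' '\n' | grep -E '^[0-9]+$' \
        | tr '\n' ' ' | sed 's/ $//'
}

# Succeed if a /proc/cpuinfo "flags" line lists the adx instruction set.
has_adx() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx 'adx'
}

# Succeed if a TCP connect to host:port completes within 5 seconds.
tcp_open() {
    nc -z -w 5 "$1" "$2" >/dev/null 2>&1
}

# host:ports entries copied from the allowlist table on this page
ALLOWLIST='dashboard-us.ui.skyhigh.cloud:443 dashboard-eu.ui.skyhigh.cloud:443
iam.mcafee-cloud.com:443 iam.skyhigh.cloud:443 pa-wgcs.skyhigh.cloud:443
wgcs.skyhigh.cloud:443,8080 skyhighlinux.org:443 public.ecr.aws:443
gallery.ecr.aws:443 saasprotection.com:8080/443
eu-central-1-euprod-cwpp-binary-storage.s3.eu-central-1.amazonaws.com:443
us-west-2-usprod-cwpp-binary-storage.s3.us-west-2.amazonaws.com:443'

run_checks() {
    fail=0
    has_adx "$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null)" \
        && echo "OK   CPU reports Intel ADX" \
        || { echo "FAIL CPU lacks adx (required for TCP deployments)"; fail=1; }
    [ "$(timedatectl show -p NTPSynchronized --value 2>/dev/null)" = "yes" ] \
        && echo "OK   clock is NTP-synchronised" \
        || { echo "FAIL clock is not NTP-synchronised; the connector will fail"; fail=1; }
    for entry in $ALLOWLIST; do
        host=${entry%%:*}
        for p in $(expand_ports "${entry#*:}"); do
            tcp_open "$host" "$p" && echo "OK   $host:$p" \
                || { echo "FAIL $host:$p unreachable"; fail=1; }
        done
    done
    return "$fail"
}
# Run only when invoked as: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

With an explicit outbound proxy in the path, a direct connect test only proves that the path to the proxy is open; the proxy's allowlist must be verified separately.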