Armor Knowledge Base / Armor Anywhere / Pre-Installation
Port-Forwarding and Proxy Server and Client Deployment
In some environments, architectural configurations may prevent Armor services from properly communicating security updates and offering monitoring services.
If your network environment's servers are behind specific firewall controls that block regular outbound communication, then you may want to perform a port-forwarding / proxy server deployment, which will forward traffic between your servers and the Armor API and service endpoints.
This port-forwarding / proxy server sits within your environment to provide servers that do not have outbound network access to communicate with Armor Anywhere services.
This solution uses iptables to forward service data out of the customer environment and into Armor.
Note that a port-forwarding / proxy server deployment disables the remote support service.
Review Requirements
To be able to perform a port-forward / proxy server deployment, you will need the following resources or information:
Port-Forwarding / Proxy Server
- Linux server with OS of choice (CentOS 7 recommended)
- Must be a standalone server
- 1 vCPU / 1 GB RAM minimum
- iptables package installed
- The installed Anywhere Agent on the server
- External IP Address
Client Armor Anywhere Agent Servers (prior to installing the Armor Anywhere Agent)
- Internal access from the port-forwarding server to download the configuration script
- Hosts file modifications made on each subsequent Anywhere Agent install
Review Firewall Rules
* The agent will perform a lookup to the applicable DNS entry, which may resolve to one of multiple Amazon Web Services based subnets. As a result, if your firewall does not support outbound filtering by domain name, then you may need to open all outbound traffic to 443/tcp to accommodate this service.
Port-Forwarding / Proxy Server
The port-forwarding / proxy server will need outbound access for the following:
The following ports will need to be opened for each server registered with Armor Anywhere.
Service / Purpose | Inbound / Outbound | Source | Destination | Inbound / Outbound | Port | Destination |
---|---|---|---|---|---|---|
Armor Agent | Inbound | Client VM Private IP | Port Forwarding Server Private IP | Outbound | 443/tcp | |
Malware Protection, FIM, IDS | Inbound | Client VM Private IP | Port Forwarding Server Private IP | Outbound | 4119/tcp | |
DSM | Inbound | Client VM Private IP | Port Forwarding Server Private IP | Outbound | 4120/tcp | |
Relay | Inbound | Client VM Private IP | Port Forwarding Server Private IP | Outbound | 4122/tcp | |
Monitoring | Inbound | Client VM Private IP | Port Forwarding Server Private IP | Outbound | 8443/tcp | |
Remote Access | Inbound | Client VM Private IP | Port Forwarding Server Private IP | Outbound | 443/tcp | |
Vulnerability Scanning | Inbound | Client VM Private IP | Port Forwarding Server Private IP | Outbound | *443/tcp | |
Log Relay (Logstash) | Outbound | Client VM Private IP | Port Forwarding Server Private IP | Inbound | | The IP address for your virtual machine |
Log Relay (Armor's logging service (ELK)) | Inbound | Client VM Private IP | Port Forwarding Server Private IP | Outbound | | |
Verify that your port forwarding / proxy server can externally communicate.
Proxy Software Configuration
Install iptables services and Squid on the port forwarding / proxy server.
yum install iptables-services squid
Generate the CA certificate. Squid needs it for SSL bumping.
mkdir /etc/squid/ssl_cert
cd /etc/squid/ssl_cert
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
Edit /etc/squid/squid.conf and paste the following configuration, replacing x.x.x.x with your private subnet in CIDR notation. This allows ingress from the client servers on that private subnet.
Example: 192.168.0.0/24
acl localnet src x.x.x.x # your network/hosts
acl SSL_ports port 443
acl Safe_ports port 443
acl CONNECT method CONNECT
dns_v4_first on
sslproxy_cert_error allow all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 0.0.0.0:3128
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
access_log /var/log/squid/access.log squid
http_port 3129 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem
always_direct allow all
sslproxy_cert_error allow all
acl step1 at_step SslBump1
ssl_bump splice all
ssl_bump terminate all
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
Restart Squid.
systemctl restart squid
Flush any existing iptables nat rules and chains.
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
Add rules.
cat <<-EOF | iptables-restore
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 146.88.106.210
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4119 -j DNAT --to-destination 52.13.172.208
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4120 -j DNAT --to-destination 52.13.172.208
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4122 -j DNAT --to-destination 52.13.172.208
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
Persist the rules.
service iptables save
Enable IP forwarding in the kernel.
sed -i '/^net.ipv4.ip_forward\ =\ 0/s/0/1/g' /etc/sysctl.conf
sysctl -w net.ipv4.ip_forward=1 > /dev/null 2>&1
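As an added check (not part of Armor's documentation or tooling), the following POSIX shell script compares the client-facing ports from the port tables on this page with the DNAT rules loaded on the port-forwarding server, taken from `iptables-save -t nat`. Run against the ruleset above it reports 8443/tcp (Monitoring), which the client table lists but the nat rules do not forward; it assumes every port in that table must have a DNAT rule.

```shell
# Added audit helper (not Armor tooling): compare the ports the client table
# tells agents to send to the port-forwarding server with the loaded DNAT rules.

# Ports from the client-side port table (assumption: all must be forwarded).
REQUIRED_PORTS="443 4119 4120 4122 8443"

# Print every --dport that has a DNAT rule in the iptables-save dump file $1.
dnat_ports() {
    awk '/-j DNAT/ { for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1) }' "$1" \
        | sort -un
}

# Print required ports that have no DNAT rule in dump file $1 (nothing if all present).
missing_dnat_ports() {
    have=$(dnat_ports "$1")
    for p in $REQUIRED_PORTS; do
        echo "$have" | grep -qx "$p" || echo "$p"
    done
}

# Print the --to-destination of the DNAT rule for port $2 in dump file $1, or "none".
dnat_target() {
    t=$(awk -v port="$2" '/-j DNAT/ {
            dp = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") dp = $(i + 1)
                if ($i == "--to-destination") dst = $(i + 1)
            }
            if (dp == port) print dst
        }' "$1" | head -n 1)
    [ -n "$t" ] && echo "$t" || echo "none"
}
# Constructed sample: the nat rules from this page as iptables-save prints them.
# On a live server use: iptables-save -t nat > /tmp/nat.txt
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 146.88.106.210
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4119 -j DNAT --to-destination 52.13.172.208
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4120 -j DNAT --to-destination 52.13.172.208
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4122 -j DNAT --to-destination 52.13.172.208
-A POSTROUTING -j MASQUERADE
COMMIT
EOF
echo "Required ports without a DNAT rule: $(missing_dnat_ports "$SAMPLE" | tr '\n' ' ')"
```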
Client Configuration
Servers with the Anywhere agent
All servers that run the Anywhere agent will need outbound access to the port-forwarding server's private IP, with the following ports allowed:
Purpose / Service | Port | Destination |
---|---|---|
Armor Agent Heartbeat | 443/tcp | Your port-forwarding server private IP |
Malware Protection, FIM, IDS | 4119/tcp | Your port-forwarding server private IP |
DSM | 4120/tcp | Your port-forwarding server private IP |
Relay | 4122/tcp | Your port-forwarding server private IP |
Monitoring | 8443/tcp | Your port-forwarding server private IP |
Remote Access | 443/tcp | Your port-forwarding server private IP |
Vulnerability Scanning | *443/tcp | Your port-forwarding server private IP |
Linux
Update the hosts file, replacing x.x.x.x with your proxy server's private IP address.
echo "x.x.x.x api.armor.com 3a.epsec.armor.com 1a.log.armor.com get.core.armor.com" >> /etc/hosts
- Install the agent, following the instructions outlined in ANYWHERE Installation.
Update the Rapid7 proxy settings to go through Squid, changing x.x.x.x to your proxy IP.
echo '{ "https": "x.x.x.x:3129" }' > /opt/rapid7/ir_agent/components/bootstrap/common/proxy.config
echo '{ "https": "x.x.x.x:3129" }' > /opt/rapid7/ir_agent/components/insight_agent/common/proxy.config
service ir_agent restart
Windows
In PowerShell, update the hosts file, replacing x.x.x.x with your proxy server's private IP address.
echo "x.x.x.x api.armor.com 3a.epsec.armor.com 1a.log.armor.com get.core.armor.com" >> c:\windows\system32\drivers\etc\hosts
- Install the agent, following the instructions outlined in ANYWHERE Installation.
Update the Rapid7 proxy settings to go through Squid, changing x.x.x.x to your proxy IP.
echo '{ "https": "x.x.x.x:3129" }' > "C:\Program Files\Rapid7\Insight Agent\components\bootstrap\common\proxy.config"
echo '{ "https": "x.x.x.x:3129" }' > "C:\Program Files\Rapid7\Insight Agent\components\insight_agent\common\proxy.config"
Restart the Rapid7 service:
Restart-Service -Name ir_agent
Troubleshooting
Network
Install traceroute:
yum install traceroute -y
Use traceroute in TCP SYN mode (-T) to check the path to the Armor endpoints on the forwarded ports:
traceroute -T 3a.epsec.armor.com -p 4119
traceroute -T 3a.epsec.armor.com -p 4122
Proxy
Watch the packet and byte counters of the nat PREROUTING rules on the proxy server to confirm client traffic is matching the DNAT rules.
watch -d iptables -t nat -L PREROUTING -n -v -x
Related Documentation
To learn more about how to install the Anywhere agent, see Step 4 in the following documents: