Armor Knowledge Base

In some environments, architectural configurations may prevent Armor services from communicating security updates and providing monitoring.

If the servers in your network environment sit behind firewall controls that block regular outbound communication, you can perform a port-forwarding / proxy server deployment, which forwards traffic between your servers and the Armor API and service endpoints.

This port-forwarding / proxy server sits within your environment so that servers without outbound network access can still communicate with Armor Anywhere services.

This solution uses iptables to forward service data out of the customer environment and into Armor.

Deploying a port-forward / proxy server prevents the remote support service from functioning.


Review Requirements


To perform a port-forward / proxy server deployment, you will need the following resources or information:

Port-Forwarding / Proxy Server

  • Linux server with the OS of your choice (CentOS 7 recommended)
  • Must be a standalone server
  • 1 vCPU / 1 GB RAM minimum
  • iptables package installed
  • The Anywhere Agent installed on the server
  • External IP address

Client Armor Anywhere Agent Servers (prior to installing the Armor Anywhere Agent)

  • Internal access from the port-forwarding server to download the configuration script
  • Hosts file modifications made on each subsequent Anywhere Agent install


Review Firewall Rules


* The agent will perform a lookup to the applicable DNS entry, which may resolve to one of multiple Amazon Web Services based subnets. As a result, if your firewall does not support outbound filtering by domain name, then you may need to open all outbound traffic to 443/tcp to accommodate this service.

Port-Forwarding / Proxy Server

The port-forwarding / proxy server will need outbound access for the following:

The following ports will need to be opened for each server registered with Armor Anywhere.

Service / Purpose | Inbound / Outbound | Source | Destination | Inbound / Outbound | Port | Destination
Armor Agent | Inbound | Client VM Private IP | Port Forwarding Server Private IP | Outbound | 443/tcp |
Malware Protection, FIM, IDS | Inbound | Client VM Private IP | Port Forwarding Server Private IP | Outbound | 4119/tcp |
DSM | Inbound | Client VM Private IP | Port Forwarding Server Private IP | Outbound | 4120/tcp |
Relay | Inbound | Client VM Private IP | Port Forwarding Server Private IP | Outbound | 4122/tcp |
Monitoring | Inbound | Client VM Private IP | Port Forwarding Server Private IP | Outbound | 8443/tcp |
Remote Access | Inbound | Client VM Private IP | Port Forwarding Server Private IP | Outbound | 443/tcp |
Vulnerability Scanning | Inbound | Client VM Private IP | Port Forwarding Server Private IP | Outbound | *443/tcp |
Log Relay (Logstash) | Outbound | Client VM Private IP | Port Forwarding Server Private IP | Inbound | 5140/udp, 5141/tcp | The IP address for your virtual machine
Log Relay (Armor's logging service (ELK)) | Inbound | Client VM Private IP | Port Forwarding Server Private IP | Outbound | 5443/tcp, 5400-5600/tcp (reserved) | 1c.log.armor.com

  • Armor reserves the right to utilize the 5400-5600/tcp range for future expansion or service changes.
  • The 1c.log.armor.com endpoints are served by Amazon Elastic Load Balancers. As a result, the actual endpoints will vary dynamically across Amazon's IP ranges.


Verify that your port-forwarding / proxy server can communicate externally.


Proxy Software Configuration


  1. Install iptables services and Squid on the port forwarding / proxy server.

    yum install iptables-services squid
  2. Generate the CA certificate and key; the ssl-bump port in the Squid configuration requires it.

    mkdir /etc/squid/ssl_cert
    
    cd /etc/squid/ssl_cert
    
    # Key and certificate are written to one PEM file, which the Squid cert= option accepts
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
  3. Edit /etc/squid/squid.conf and paste the following configuration, replacing x.x.x.x with your private subnet in CIDR notation (for example 192.168.0.0/24). This allows ingress from the client servers on that private subnet.

    acl localnet src x.x.x.x        # your network/hosts, e.g. 192.168.0.0/24
    acl SSL_ports port 443
    acl Safe_ports port 443
    acl CONNECT method CONNECT
    dns_v4_first on
    # Only CONNECT to port 443 from the private subnet (or localhost) is accepted
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost manager
    http_access deny manager
    http_access allow localnet
    http_access allow localhost
    http_access deny all
    http_port 0.0.0.0:3128
    cache_dir ufs /var/spool/squid 100 16 256
    coredump_dir /var/spool/squid
    access_log /var/log/squid/access.log squid
    # Port 3129 is the one the Rapid7 agent proxy settings point at in the client steps
    http_port 3129 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem
    always_direct allow all
    sslproxy_cert_error allow all
    acl step1 at_step SslBump1
    # splice passes the TLS session through untouched, so the agent still validates
    # Armor's certificate itself; "splice all" matches every connection, so the
    # terminate rule is a fallback that is not reached
    ssl_bump splice all
    ssl_bump terminate all
    sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
  4. Restart Squid.

    systemctl restart squid
  5. Flush the existing iptables NAT rules and chains.

    /sbin/iptables -t nat -F
    /sbin/iptables -t nat -X
  6. Add the NAT and filter rules. Replace eth0 with the name of the interface that faces the client servers if it differs.

    cat <<-EOF | iptables-restore
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    # Client traffic arriving on eth0 is redirected to the Armor service endpoints
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 146.88.106.210
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 4119 -j DNAT --to-destination 52.13.172.208
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 4120 -j DNAT --to-destination 52.13.172.208
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 4122 -j DNAT --to-destination 52.13.172.208
    # Forwarded packets leave with this server's address so replies return through it
    -A POSTROUTING -j MASQUERADE
    COMMIT
    # Loading the filter table here replaces any existing filter rules with accept-all defaults
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    COMMIT
    EOF
    
  7. Persist the rules.

    service iptables save
    
  8. Enable IP forwarding in the kernel.

    # On CentOS 7 /etc/sysctl.conf may not contain the key at all: update it if present, otherwise append it
    grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf && sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    sysctl -w net.ipv4.ip_forward=1 > /dev/null 2>&1
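As an added check (not part of the Armor page or product), the script below audits a NAT ruleset in the format used in step 6 (or the output of `iptables-save -t nat`) against the TCP ports that the client table later on this page expects the port-forwarding server to accept, and verifies the kernel forwarding switch from step 8. The sample ruleset is a constructed copy of the step 6 rules; the port list and endpoint addresses are the page's own.

```shell
#!/bin/sh
# Added example, not part of the Armor page or product: audit a NAT ruleset (the
# iptables-restore text from step 6, or `iptables-save -t nat` output) against the
# TCP ports the client servers send to the port-forwarding server.

# Ports from the client table that the proxy must accept and forward.
REQUIRED_TCP_PORTS="443 4119 4120 4122 8443"

# Constructed sample: a copy of the page's step 6 NAT rules, so the audit runs offline.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 146.88.106.210
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4119 -j DNAT --to-destination 52.13.172.208
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4120 -j DNAT --to-destination 52.13.172.208
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4122 -j DNAT --to-destination 52.13.172.208
-A POSTROUTING -j MASQUERADE
COMMIT'

# Read a ruleset on stdin; print "port destination" for each PREROUTING DNAT rule.
dnat_map() {
  awk '/^-A PREROUTING/ && /-j DNAT/ {
         p = ""; d = ""
         for (i = 1; i <= NF; i++) {
           if ($i == "--dport") p = $(i + 1)
           if ($i == "--to-destination") d = $(i + 1)
         }
         if (p != "" && d != "") print p, d
       }'
}

# Read a ruleset on stdin; print each listed port that has no DNAT rule.
# Returns 1 when at least one port is uncovered, so it can gate a deployment script.
missing_dnat() {  # missing_dnat "<space-separated ports>" < ruleset
  have=$(dnat_map | awk '{ print $1 }')
  rc=0
  for p in $1; do
    if ! printf '%s\n' "$have" | grep -qx "$p"; then
      echo "$p"; rc=1
    fi
  done
  return $rc
}

# Confirm the forwarding switch from step 8 reads 1; the path is a parameter so the
# check can be pointed at a copied file, the default being the live kernel setting.
ip_forward_enabled() {  # ip_forward_enabled [path]
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}
```

Source the file on the proxy and run `iptables-save -t nat | missing_dnat "$REQUIRED_TCP_PORTS"`; with the four step 6 rules it prints 8443, the Monitoring port from the client table that no DNAT rule covers, so you can reconcile the ruleset with the table before installing agents.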
    


Client Configuration


Servers with the Anywhere agent

All servers that run the Anywhere agent will need outbound access to the port-forwarding server's private IP, with the following ports allowed:

Purpose / Service | Port | Destination
Armor Agent Heartbeat | 443/tcp | Your port-forwarding server private IP
Malware Protection, FIM, IDS | 4119/tcp | Your port-forwarding server private IP
DSM | 4120/tcp | Your port-forwarding server private IP
Relay | 4122/tcp | Your port-forwarding server private IP
Monitoring | 8443/tcp | Your port-forwarding server private IP
Remote Access | 443/tcp | Your port-forwarding server private IP
Vulnerability Scanning | *443/tcp | Your port-forwarding server private IP


Linux

  1. Update the hosts file, replacing x.x.x.x with your proxy server's private IP address.

    echo "x.x.x.x api.armor.com 3a.epsec.armor.com 1a.log.armor.com get.core.armor.com" >> /etc/hosts
  2. Install the agent, following the instructions outlined in ANYWHERE Installation.
  3. Update the Rapid7 proxy settings to go through Squid.

    1. Change x.x.x.x to your proxy IP.

      echo '{ "https": "x.x.x.x:3129" }' > /opt/rapid7/ir_agent/components/bootstrap/common/proxy.config
      
      echo '{ "https": "x.x.x.x:3129" }' > /opt/rapid7/ir_agent/components/insight_agent/common/proxy.config
      
      service ir_agent restart
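As an added check for Linux clients (not Armor's own tooling), the script below confirms that the hosts-file override from step 1 maps every Armor name to the proxy and that the proxy accepts TCP connections on each port from the client table. The hostnames and ports are the page's; the proxy IP and hosts-file path are parameters, and the connect test assumes bash and the coreutils timeout command are present on the client.

```shell
#!/bin/sh
# Added example, not Armor's own tooling: on a Linux client, verify the hosts-file
# override from step 1 and the proxy's reachability on the client-table ports.
# Names and ports are the page's; proxy IP and hosts-file path are parameters.

ARMOR_NAMES="api.armor.com 3a.epsec.armor.com 1a.log.armor.com get.core.armor.com"
CLIENT_TCP_PORTS="443 4119 4120 4122 8443"

# Print the first address a hosts file maps NAME to, skipping comment lines.
hosts_lookup() {  # hosts_lookup <hosts-file> <name>
  awk -v n="$2" '!/^[[:space:]]*#/ {
         for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit }
       }' "$1"
}

# Print "name -> address" for each Armor name that is not mapped to PROXY_IP.
# Returns 1 if any name is wrong or missing, 0 when the override is complete.
hosts_mismatches() {  # hosts_mismatches <proxy-ip> [hosts-file]
  f="${2:-/etc/hosts}"; rc=0
  for n in $ARMOR_NAMES; do
    a=$(hosts_lookup "$f" "$n")
    if [ "$a" != "$1" ]; then
      echo "$n -> ${a:-unmapped}"; rc=1
    fi
  done
  return $rc
}

# TCP connect test using bash's /dev/tcp so no extra package is needed on the client;
# returns 0 when the proxy accepts the connection within the timeout (assumes
# bash and coreutils timeout are installed).
port_open() {  # port_open <ip> <port> [timeout-seconds]
  timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Print each client-table port the proxy does not accept; returns 1 if any.
unreachable_ports() {  # unreachable_ports <proxy-ip>
  rc=0
  for p in $CLIENT_TCP_PORTS; do
    port_open "$1" "$p" || { echo "$p"; rc=1; }
  done
  return $rc
}
```

Run `hosts_mismatches <proxy-ip>` and `unreachable_ports <proxy-ip>` on the client before installing the agent; both print only the problems and exit non-zero when something is wrong.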

Windows

  1. Update the host file, replacing x.x.x.x with your proxy server private IP address.

    # PowerShell: Add-Content with ASCII encoding keeps the hosts file usable; a plain >> redirection in Windows PowerShell writes UTF-16, which is not honoured as a hosts file
    Add-Content -Path C:\Windows\System32\drivers\etc\hosts -Encoding Ascii -Value "x.x.x.x api.armor.com 3a.epsec.armor.com 1a.log.armor.com get.core.armor.com"
  2. Install the agent, following the instructions outlined in ANYWHERE Installation.
  3. Update the Rapid7 proxy settings to go through Squid.

    1. Change x.x.x.x to your proxy IP.

      # PowerShell: Set-Content with ASCII encoding writes plain JSON (a > redirection in Windows PowerShell would write UTF-16)
      Set-Content -Path "C:\Program Files\Rapid7\Insight Agent\components\bootstrap\common\proxy.config" -Encoding Ascii -Value '{ "https": "x.x.x.x:3129" }'
      Set-Content -Path "C:\Program Files\Rapid7\Insight Agent\components\insight_agent\common\proxy.config" -Encoding Ascii -Value '{ "https": "x.x.x.x:3129" }'
  4. Restart the Rapid7 service:

    Restart-Service -Name ir_agent

Troubleshooting

Network

  1. Install traceroute:

    yum install traceroute -y
  2. Trace the TCP path to the service ports:

    traceroute -T 3a.epsec.armor.com -p 4119
    traceroute -T 3a.epsec.armor.com -p 4122

Proxy 

  1. Watch the NAT rule counters on the proxy server:

    watch -d iptables -t nat -L PREROUTING -n -v -x



Related Documentation

To learn more about how to install the Anywhere agent, see Step 4 in the following documents: 



