Skyhigh Security

Deploy Connectors

Download and deploy connectors alongside the private applications. You can deploy multiple connectors for redundancy and scaling. When you add an application, you can associate it with several connector groups for high availability. For example, if the VM running one connector fails, your application remains secured and accessible through the other running connector.

Note: You do not need to install the CWPP Agent or the CI/CD service on the connector host.

Before you begin

Skyhigh Security strongly recommends using a Virtual Machine (VM) for deploying connectors with the following prerequisites:

  • Ubuntu on both IPv4 and IPv6 (versions 18, 20, and 22 only)
  • 4 CPU
  • 8 GB RAM
  • 50 GB HDD (reserve around 25 GB for root partition ('/'))

You can also deploy connectors on Red Hat Enterprise Linux version 8.5, 8.6, 8.7, and 9.1 on both IPv4 and IPv6. 

The hostname of the VM is used to update the PoP name in the Skyhigh CASB UI, so keep the hostname shorter than 64 characters.

NOTE: Each connector is associated with a connector group. When you create a connector group, remember to copy the provisioning key it generates. A connector is identified with a connector group through this provisioning key. To achieve optimal performance, Skyhigh recommends that you deploy the connectors to the closest PoP. 
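The following script is an added example, not part of the Skyhigh deployment package: it checks a candidate VM against the prerequisites listed above (supported OS release, 4 CPUs, 8 GB RAM, about 25 GB free on the root partition, hostname shorter than 64 characters) before you download the package. The thresholds and supported versions are taken from this page; the function names, the `--run` switch and the rounding of the RAM figure are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check of the connector VM prerequisites.
# Not part of the Skyhigh deployment package. Thresholds and supported OS
# versions come from the documentation page; everything else is assumed.

MIN_CPU=4            # 4 CPU
MIN_RAM_GB=8         # 8 GB RAM
MIN_ROOT_FREE_GB=25  # about 25 GB reserved for the root partition ('/')
MAX_HOSTNAME_LEN=63  # hostname length must be less than 64 characters

# os_supported ID VERSION_ID: Ubuntu 18/20/22 or RHEL 8.5, 8.6, 8.7, 9.1
os_supported() {
    case "$1:$2" in
        ubuntu:18|ubuntu:18.*|ubuntu:20|ubuntu:20.*|ubuntu:22|ubuntu:22.*) return 0 ;;
        rhel:8.5|rhel:8.6|rhel:8.7|rhel:9.1) return 0 ;;
        *) return 1 ;;
    esac
}

# hostname_ok NAME: true when NAME fits the PoP name limit
hostname_ok() { [ "${#1}" -le "$MAX_HOSTNAME_LEN" ]; }

# meets_minimum VALUE MIN: true when VALUE >= MIN (whole numbers)
meets_minimum() { [ "$1" -ge "$2" ]; }

# Readers for the live host, kept separate so the rules above can be
# exercised without a real VM.
read_os_id()      { ( . /etc/os-release 2>/dev/null; printf '%s' "${ID:-unknown}" ); }
read_os_version() { ( . /etc/os-release 2>/dev/null; printf '%s' "${VERSION_ID:-0}" ); }
read_cpu_count()  { nproc 2>/dev/null || getconf _NPROCESSORS_ONLN; }
# MemTotal is reported a little below the nominal size (an 8 GB VM shows
# about 7.8 GB), so round to the nearest GB instead of truncating.
read_ram_gb()     { awk '/^MemTotal/ { printf "%d", $2 / 1024 / 1024 + 0.5 }' /proc/meminfo; }
read_root_free_gb() { df -BG --output=avail / | awk 'NR == 2 { sub("G", "", $1); print $1 }'; }

# report LABEL CMD ARGS...: runs CMD, prints OK/FAIL, returns CMD's status
report() {
    label=$1; shift
    if "$@"; then echo "OK   $label"; else echo "FAIL $label"; return 1; fi
}

# preflight: runs every check, returns non-zero when any of them fails
preflight() {
    rc=0
    os_id=$(read_os_id); os_ver=$(read_os_version)
    report "OS $os_id $os_ver is a supported release" os_supported "$os_id" "$os_ver" || rc=1
    report "CPUs >= $MIN_CPU (found $(read_cpu_count))" meets_minimum "$(read_cpu_count)" "$MIN_CPU" || rc=1
    report "RAM >= ${MIN_RAM_GB} GB (found $(read_ram_gb) GB)" meets_minimum "$(read_ram_gb)" "$MIN_RAM_GB" || rc=1
    report "free space on / >= ${MIN_ROOT_FREE_GB} GB (found $(read_root_free_gb) GB)" \
        meets_minimum "$(read_root_free_gb)" "$MIN_ROOT_FREE_GB" || rc=1
    report "hostname '$(hostname)' is shorter than 64 characters" hostname_ok "$(hostname)" || rc=1
    return "$rc"
}

# The live checks run only when invoked as:  bash preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it on the VM with `bash preflight.sh --run`; a non-zero exit means at least one prerequisite is not met, and each FAIL line names the value that was found. The free-space check looks at the root partition only, because that is the partition the page asks you to reserve space for.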

When you are using a firewall, you must set up your firewall to allow the following domains and HTTP(S) ports:

| Domains | Port | Purpose |
|---|---|---|
| myshn.net | 443 | Updates the PoP status in the Skyhigh CASB UI |
| index.docker.io, registry-1.docker.io, auth.docker.io, production.cloudflare.docker.com | 443 | Docker Hub container image library, used to pull images and for token authentication |
| storage.googleapis.com | 443 | Storage that keeps information on the latest Kubernetes release |
| k8s.gcr.io | 443 | Main Kubernetes image-serving system that stores images |
| cdn.fwupd.org | | Open-source daemon to manage the installation of firmware updates on Linux systems |
| api.snapcraft.io, canonical-lgw01.cdn.snapcraftcontent.com, canonical-bos01.cdn.snapcraftcontent.com | 443 | Snap daemon installation |
| security.ubuntu.com, azure.archive.ubuntu.com, packages.microsoft.com, changelogs.ubuntu.com, motd.ubuntu.com | 443 | Download and install packages on the host (Ubuntu) as part of connector deployment |
| iam.mcafee-cloud.com | 443 | Register token or get access for the user accounts from the IAM service |
| us-east.pa-wgcs.skyhigh.cloud, us-west.pa-wgcs.skyhigh.cloud, de.pa-wgcs.skyhigh.cloud, sg.pa-wgcs.skyhigh.cloud, gb.pa-wgcs.skyhigh.cloud, br.pa-wgcs.skyhigh.cloud, jp.pa-wgcs.skyhigh.cloud, hk.pa-wgcs.skyhigh.cloud, fr.pa-wgcs.skyhigh.cloud, se.pa-wgcs.skyhigh.cloud | 443 | Create an OpenVPN tunnel with the Private Access Gateway |
| wgcs.skyhigh.cloud | 8080 | Endpoint for registering the connector |
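To confirm that the firewall rules above are actually in place before running the deployment, the following added example (not part of infra.sh or the Skyhigh package) tries a TCP connection to every endpoint in the table and reports the ones that are blocked. The endpoint list is copied from the table; cdn.fwupd.org has no port listed on this page, so the script assumes 443 for it, and the `--run` switch and function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example: egress check for the endpoints the firewall must allow.
# Not part of the Skyhigh deployment package; the list below is copied from
# the documentation table. cdn.fwupd.org is assumed to use 443 (no port listed).

# One endpoint per line; "host" alone means port 443, "host:port" otherwise.
REQUIRED_ENDPOINTS='
myshn.net
index.docker.io
registry-1.docker.io
auth.docker.io
production.cloudflare.docker.com
storage.googleapis.com
k8s.gcr.io
cdn.fwupd.org
api.snapcraft.io
canonical-lgw01.cdn.snapcraftcontent.com
canonical-bos01.cdn.snapcraftcontent.com
security.ubuntu.com
azure.archive.ubuntu.com
packages.microsoft.com
changelogs.ubuntu.com
motd.ubuntu.com
iam.mcafee-cloud.com
us-east.pa-wgcs.skyhigh.cloud
us-west.pa-wgcs.skyhigh.cloud
de.pa-wgcs.skyhigh.cloud
sg.pa-wgcs.skyhigh.cloud
gb.pa-wgcs.skyhigh.cloud
br.pa-wgcs.skyhigh.cloud
jp.pa-wgcs.skyhigh.cloud
hk.pa-wgcs.skyhigh.cloud
fr.pa-wgcs.skyhigh.cloud
se.pa-wgcs.skyhigh.cloud
wgcs.skyhigh.cloud:8080
'

# normalize_endpoint HOST[:PORT]: prints "HOST PORT", defaulting PORT to 443
normalize_endpoint() {
    case "$1" in
        *:*) printf '%s %s\n' "${1%%:*}" "${1##*:}" ;;
        *)   printf '%s %s\n' "$1" 443 ;;
    esac
}

# count_endpoints: number of entries in REQUIRED_ENDPOINTS
count_endpoints() {
    n=0
    for ep in $REQUIRED_ENDPOINTS; do n=$((n + 1)); done
    echo "$n"
}

# tcp_reachable HOST PORT [TIMEOUT]: true when a TCP connection succeeds.
# bash's /dev/tcp pseudo-device performs the connect; timeout bounds it.
tcp_reachable() {
    timeout "${3:-5}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# check_all: one OK/BLOCKED line per endpoint; true only when all are reachable
check_all() {
    blocked=0
    for ep in $REQUIRED_ENDPOINTS; do      # unquoted on purpose: split on newlines
        set -- $(normalize_endpoint "$ep")
        if tcp_reachable "$1" "$2"; then printf 'OK      %s:%s\n' "$1" "$2"
        else printf 'BLOCKED %s:%s\n' "$1" "$2"; blocked=$((blocked + 1)); fi
    done
    echo "$blocked endpoint(s) unreachable"
    [ "$blocked" -eq 0 ]
}

# The network checks run only when invoked as:  bash egress-check.sh --run
if [ "${1:-}" = "--run" ]; then check_all; fi
```

Run `bash egress-check.sh --run` on the connector host itself, because the check is only meaningful from the VM's own network position. If the host reaches the Internet only through the proxy you later pass as `--proxy`, the direct connections made here will show BLOCKED by design; in that case verify that the proxy permits these destinations instead.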

 

Deploy connectors

Complete the following steps to deploy connectors:

  1. On the Skyhigh SSE navigation bar, click Settings.
  2. From the drop-down list, click Service Management.
  3. Click Add Service Instance.
  4. Select VMware vCenter.
  5. In the Instance Name field, enter the service instance name.
  6. Click Done.
    Adds the selected service instance.
  7. Under Services on the Service Management page, select the name of the service instance.
  8. Click Setup.
  9. Click Download Deployment Package.
    Downloads the PoPPackage.tar file.
  10. Extract the PoPPackage.tar file.
  11. Extract the Infrastructure.tar file, and take the infra.sh file from the vCenter folder.
  12. Copy both PoPDeployment.tar and infra.sh to the Ubuntu VM, for example by executing cp vCenter/infra.sh .
    NOTE: Make sure that the VM is set to the UTC timezone.
  13. Configure Domain Name System (DNS) in the host for name resolution. On AWS, Azure, and Google Cloud Platform, DNS is configured dynamically.
    NOTE: You can configure a maximum of three DNS name servers in a host.
  14. Execute infra.sh on the VM and provide the following parameters:

  sudo bash infra.sh --provision_key="<PROV_KEY>" --gateway="<GATEWAY_IP>" --proxy="<PROXY>" --no_proxy="<NO_PROXY>"

NOTE: The provisioning key is generated when you create a connector group. The provisioning key is a text string that identifies a connector with a connector group. The maximum number of connectors you specify while creating a connector group is the number of times you can use a provisioning key.

  • infra.sh invokes the deployment of a connector
  • GATEWAY_IP is the nearest Private Access Gateway deployed in the following PoPs:
    • US PoP - us-west.pa-wgcs.skyhigh.cloud
    • Ohio PoP - us-east.pa-wgcs.skyhigh.cloud
    • Germany PoP - de.pa-wgcs.skyhigh.cloud
    • Singapore PoP - sg.pa-wgcs.skyhigh.cloud
    • London PoP - gb.pa-wgcs.skyhigh.cloud
    • Brazil PoP - br.pa-wgcs.skyhigh.cloud
    • Osaka PoP - jp.pa-wgcs.skyhigh.cloud
    • Hong Kong PoP - hk.pa-wgcs.skyhigh.cloud
    • Paris PoP - fr.pa-wgcs.skyhigh.cloud
    • Stockholm PoP - se.pa-wgcs.skyhigh.cloud

NOTE: We recommend that you select a PoP location that is nearest to the location where you deploy the connectors to achieve optimal performance.

  • <PROXY> is the address of the proxy server
  • <NO_PROXY> is the comma-separated list of domains that bypass the proxy

     NOTE: Set the <PROXY> and <NO_PROXY> parameters only when your connector uses a proxy server. When you use a proxy, make sure to add corp.nai.org, .internalzone.com, .scur.com, and .corp.mcafee.com to the <NO_PROXY> parameter.

The following is an example of the command without a proxy:

sudo bash infra.sh --provision_key="ey.....LTUwRTVCOUE2NTFFNCJ9" --gateway="us-west.pa-wgcs.skyhigh.cloud"

Example with a proxy between the connector and the Internet:

sudo bash infra.sh --provision_key="ey.....LTUwRTVCOUE2NTFFNCJ9" --gateway="us-west.pa-wgcs.skyhigh.cloud" \
     --proxy="http://10.212.24.192:9090" --no_proxy="localhost,.corp.trellix.com,172.17.0.1,ubuntu,127.0.0.1"


sudo bash ./infra.sh --provision_key="<PROV_KEY>" --gateway="<GATEWAY>"
Where:
<PROV_KEY> = eyJjb25uZWN0b3JOYW1lIjoiWlROQWFscGhhIiwiY3VzdG9tZXJJZCI6IjEjcyLTUwRTVCOUE2NTFFNCJ9
<GATEWAY> = us-west.pa-wgcs.skyhigh.cloud
<PROXY> = http://10.212.24.192:9090
<NO_PROXY> = localhost,corp.nai.org,.internalzone.com,.scur.com,.corp.mcafee.com,172.17.0.1,ubuntu,127.0.0.1
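The wrapper below is an added example, not part of the Skyhigh deployment package: it takes the same parameters as infra.sh and validates them against the rules stated on this page (the provisioning key is present, the gateway is one of the listed PoP gateways, the required no_proxy domains are present whenever a proxy is set, the VM timezone is UTC, and at most three name servers are configured) before it calls infra.sh. The gateway list and the required no_proxy domains are copied from this page; the wrapper itself, the masking of the provisioning key in the printed command, and the DEPLOY=1 gate are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example: validates the infra.sh parameters before running the
# deployment. Not part of the Skyhigh package. KNOWN_GATEWAYS and
# REQUIRED_NO_PROXY are copied from the documentation page; the wrapper,
# the key masking and the DEPLOY=1 gate are assumptions of this example.

KNOWN_GATEWAYS="us-west.pa-wgcs.skyhigh.cloud us-east.pa-wgcs.skyhigh.cloud
de.pa-wgcs.skyhigh.cloud sg.pa-wgcs.skyhigh.cloud gb.pa-wgcs.skyhigh.cloud
br.pa-wgcs.skyhigh.cloud jp.pa-wgcs.skyhigh.cloud hk.pa-wgcs.skyhigh.cloud
fr.pa-wgcs.skyhigh.cloud se.pa-wgcs.skyhigh.cloud"
REQUIRED_NO_PROXY="corp.nai.org .internalzone.com .scur.com .corp.mcafee.com"
MAX_NAMESERVERS=3

# gateway_known HOST: true when HOST is one of the listed PoP gateways
gateway_known() {
    for g in $KNOWN_GATEWAYS; do [ "$g" = "$1" ] && return 0; done
    return 1
}

# no_proxy_missing LIST: prints each required domain that is absent from the
# comma-separated LIST; prints nothing when the list is complete
no_proxy_missing() {
    wrapped=",$1,"
    for d in $REQUIRED_NO_PROXY; do
        case "$wrapped" in *",$d,"*) ;; *) printf '%s\n' "$d" ;; esac
    done
}

# nameserver_count RESOLV_CONF_TEXT: number of "nameserver" lines
nameserver_count() {
    printf '%s\n' "$1" | grep -c '^[[:space:]]*nameserver[[:space:]]' || true
}

# tz_is_utc NAME: true for the UTC zone names
tz_is_utc() { case "$1" in UTC|Etc/UTC) return 0 ;; *) return 1 ;; esac; }

# mask_secret VALUE: first four characters only, so the key is not echoed in full
mask_secret() { printf '%.4s****' "$1"; }

# build_command KEY GATEWAY [PROXY NO_PROXY]: the infra.sh command line with
# the provisioning key masked, for display only
build_command() {
    cmd="sudo bash infra.sh --provision_key=\"$(mask_secret "$1")\" --gateway=\"$2\""
    [ -n "${3:-}" ] && cmd="$cmd --proxy=\"$3\" --no_proxy=\"${4:-}\""
    printf '%s\n' "$cmd"
}

# read_timezone: /etc/timezone on Ubuntu, the localtime symlink elsewhere
read_timezone() {
    if [ -r /etc/timezone ]; then cat /etc/timezone
    else readlink -f /etc/localtime 2>/dev/null | sed 's#.*/zoneinfo/##'; fi
}

main() {
    key=; gw=; proxy=; noproxy=
    for a in "$@"; do
        case "$a" in
            --provision_key=*) key=${a#*=} ;;
            --gateway=*)       gw=${a#*=} ;;
            --proxy=*)         proxy=${a#*=} ;;
            --no_proxy=*)      noproxy=${a#*=} ;;
        esac
    done
    errors=0
    [ -n "$key" ] || { echo "missing --provision_key (copy it from the connector group)"; errors=$((errors + 1)); }
    gateway_known "$gw" || { echo "unknown --gateway '$gw'; expected one of: $KNOWN_GATEWAYS"; errors=$((errors + 1)); }
    if [ -n "$proxy" ]; then
        missing=$(no_proxy_missing "$noproxy")
        [ -z "$missing" ] || { echo "--no_proxy is missing: $(printf '%s ' $missing)"; errors=$((errors + 1)); }
    fi
    tz=$(read_timezone)
    tz_is_utc "$tz" || { echo "VM timezone is '$tz'; it must be UTC"; errors=$((errors + 1)); }
    # With systemd-resolved, /etc/resolv.conf lists only the 127.0.0.53 stub.
    ns=$(nameserver_count "$(cat /etc/resolv.conf 2>/dev/null)")
    [ "$ns" -le "$MAX_NAMESERVERS" ] || { echo "$ns name servers configured; at most $MAX_NAMESERVERS allowed"; errors=$((errors + 1)); }

    echo "Command: $(build_command "$key" "$gw" "$proxy" "$noproxy")"
    [ "$errors" -eq 0 ] || { echo "$errors problem(s) found; not running infra.sh"; return 1; }
    [ "${DEPLOY:-0}" = 1 ] || { echo "dry run; set DEPLOY=1 to execute"; return 0; }
    set -- --provision_key="$key" --gateway="$gw"
    [ -n "$proxy" ] && set -- "$@" --proxy="$proxy" --no_proxy="$noproxy"
    sudo bash infra.sh "$@"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Usage: `DEPLOY=1 bash deploy-connector.sh --provision_key="<PROV_KEY>" --gateway="<GATEWAY>"` from the directory that holds infra.sh; without `DEPLOY=1` it only validates and prints the command it would run, with the key masked so the provisioning key does not land in shell history or a terminal log.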
  15. Execute the pa_connector.sh script and enter 1 to check the status of the services running on the POP.
    The following is a sample output you get when you enter 1:

[Image: Service_status.PNG, sample output of the service status check]

 

The following table lists the purpose of the services running on the POP:

| Service Name on POPs | Purpose |
|---|---|
| CWPP logging | Centralized logging for all services running on the POP |
| CWPP connector | Internal load balancer; communicates with Skyhigh SSE |
| CWPP update | Automatically updates the services running on the POP |
| CWPP pop manager | Periodically sends the POP health status to Skyhigh SSE via the CWPP connector |

After the deployment completes successfully, the connector and POP Manager images are created on the VM and run as Docker containers. You can check the POP status on the POP Management page. For more information about POP Management, see About POP Management.

Once deployed, the connector automatically registers with Skyhigh SSE, generates a certificate, and gets it signed by Skyhigh SSE. The connector establishes a tunnel with the Private Access Gateway using this signed certificate, and provides secure access to the requested private application through the tunnel.

Post Connector Deployment

The following steps are automatically executed once a connector is deployed with the right parameters: 

  • Registers itself with Skyhigh Security.
  • Receives a signed certificate for authentication while establishing the OpenVPN tunnel with the Private Access Gateway.
  • Periodically refreshes the access tokens.
  • Periodically checks that the OpenVPN tunnel with the Private Access Gateway is up, and brings the tunnel up if it is down.
  • Establishes two tunnels with the Private Access Gateway: the two OpenVPN connection requests from the connector are load-balanced and sent to two different Gateways, which results in two tunnels.
  • Periodically downloads the list of Private Applications from Skyhigh Security, checks connectivity with those applications, creates a health update, and sends it to the Private Access Gateway over both OpenVPN tunnels.
  • When a request for a private application is received (from an end-user device), the Cloud chooses one of the OpenVPN tunnels in a round-robin fashion.
  • Acts as a proxy for the private applications and forwards traffic received through the OpenVPN tunnel to the corresponding servers of the private applications.

Connectors Upgrade

The connectors are automatically upgraded to the latest available version. This feature is supported only on functional connectors with version v1.0.0.3 and later.

To check the connector version, execute the pa_connector.sh script and enter 2: 

[Image: Connector_version.PNG, sample output of the connector version check]
