Network Requirements
For an EPAS Enforcer deployment, it is assumed that the following components are present:
Example
- EPAS MASTER, used for management of the Enforcer installation, as well as for failover/fallback in case other components are down
- Two EPAS AGENTs, used for high availability and load balancing in the Enforcer installation
- For Active Directory integration: an existing domain infrastructure with three domain controllers, DC1, DC2, DC3
- For Windows Local Accounts integration: at least one Windows workstation, desktop or server (Vista/2003 or newer), SERVER1
- For SSPR integration: at least one instance of NetIQ Self-Service Password Reset (version 4.0 or newer), SSPR1
- For Linux integration: SERVER1, running any of Red Hat Enterprise Linux 5, 6, 7 or 8, or SUSE Linux Enterprise 12. Other systems are supported.
This section covers all prerequisites related to the networking functionality of the EPAS Enforcer.
IP addressing and default port allocations
Each EPAS MASTER or EPAS AGENT system requires a valid IP address within the customer environment. No other network interfaces are usable on the aforementioned components. For a deployment with one MASTER and two AGENTs, the following example allocations can be made:
| Component | IP address | Description |
|---|---|---|
| EPAS MASTER | 10.222.100.101 | Main EPAS interface, used for configuration and administration. This IP address should have access to all IP addresses allocated to other components (such as EPAS AGENTs and/or systems enrolled in the Enforcer) |
| EPAS AGENT 1 | 10.222.100.105 | EPAS AGENT IP address. The MASTER connects to this IP for policy and configuration pushes. Domain controllers, standalone workstations or other integrations connect to this IP address for policy checking |
| EPAS AGENT 2 | 10.222.100.106 | EPAS AGENT IP address. The MASTER connects to this IP for policy and configuration pushes. Domain controllers, standalone workstations or other integrations connect to this IP address for policy checking |
Info
EPAS Enforcer uses the following port numbers in the default configuration:
- 443: default port for the EPAS management console. Present only on EPAS MASTER.
- 8443: default port for the EPAS public password quality analysis page. Present only on EPAS MASTER.
- 22: default port for EPAS communication from MASTER to AGENT systems. The security protocol is based on the SSH software suite, using RSA private key authentication. Present only on EPAS AGENT.
- 10443: default port for password change handling. Enterprise systems enrolled in the Enforcer use this port to check for password policy compliance. The security protocol is based on mutually validated TLS between the participating systems. Present on EPAS MASTER and EPAS AGENT.
Firewall rules (Generic)
The following table contains the firewall rules (including direction) required for every Enforcer deployment.
| Source | Destination | Destination Port(s) | Component | Description |
|---|---|---|---|---|
| MASTER | AGENT1, AGENT2 | TCP: 22 | EPAS Enforcer | Communication port for synchronization of password change requests and password policy pushing |
| Operator (training room) | MASTER | TCP: 443, 8443 | EPAS Enforcer | The web service for managing EPAS needs to be accessible from the meeting room when we deploy the system (for training / configuration purposes) |
Firewall rules (Microsoft Active Directory)
In addition to the generic firewall rules presented in the previous section, each deployment of EPAS Enforcer with Microsoft Active Directory requires the following ports to be allowed (including direction):
| Source | Destination | Destination Port(s) | Component | Description |
|---|---|---|---|---|
| MASTER | DC1, DC2, DC3 | TCP: 135, 139, 445; TCP: 49152-65535; UDP: 137, 138. Additionally, for Windows 2003 (if used): TCP: 1025-5000 | EPAS Enforcer | For provisioning the domain controllers, WMI/SMB ports are used |
| DC1, DC2, DC3 | MASTER | TCP: 10443 | EPAS Enforcer | For handling password change requests (as a failover) |
| DC1, DC2, DC3 | AGENT1, AGENT2 | TCP: 10443 | EPAS Enforcer | For handling password change requests (primary/high availability) |
Firewall rules (Microsoft Windows Workstations/Servers)
In addition to the generic firewall rules presented in the previous section, each deployment of EPAS Enforcer on Microsoft local systems requires the following ports to be allowed (including direction):
| Source | Destination | Destination Port(s) | Component | Description |
|---|---|---|---|---|
| MASTER | SERVER1 | TCP: 135, 139, 445; TCP: 49152-65535; UDP: 137, 138. Additionally, for Windows 2003 (if used): TCP: 1025-5000 | EPAS Enforcer | For provisioning the Microsoft systems, WMI/SMB ports are used |
| SERVER1 | MASTER | TCP: 10443 | EPAS Enforcer | For handling password change requests (as a failover) |
| SERVER1 | AGENT1, AGENT2 | TCP: 10443 | EPAS Enforcer | For handling password change requests (primary/high availability) |
Firewall rules (NetIQ SSPR)
In addition to the generic firewall rules presented in the previous section, each deployment of EPAS Enforcer with SSPR integration requires the following ports to be allowed (including direction):
| Source | Destination | Destination Port(s) | Component | Description |
|---|---|---|---|---|
| SSPR1 | MASTER | TCP: 10443 | EPAS Enforcer | For handling password change requests (primary) |
| SSPR1 | AGENT1, AGENT2 | TCP: 10443 | EPAS Enforcer | For handling password change requests (primary) |
For the NetIQ SSPR integration, high availability or load balancing is achieved manually, using third-party load balancers or DNS round-robin.
Firewall rules (Linux Servers/PAM)
In addition to the generic firewall rules presented in the previous section, each deployment of EPAS Enforcer on Linux systems requires the following ports to be allowed (including direction):
| Source | Destination | Destination Port(s) | Component | Description |
|---|---|---|---|---|
| MASTER | SERVER1 | TCP: 22 | EPAS Enforcer | For provisioning the Linux systems, the ssh service is used |
| SERVER1 | MASTER | TCP: 10443 | EPAS Enforcer | For handling password change requests (as a failover) |
| SERVER1 | AGENT1, AGENT2 | TCP: 10443 | EPAS Enforcer | For handling password change requests (primary/high availability) |
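As an added example (not part of the EPAS documentation or product), the following Python script transcribes the generic and Active Directory rule rows from the tables above into a small matrix and lets an operator verify, from a given host, that every single TCP destination port the matrix requires is actually reachable before enrolment. The IP addresses are the example allocations from this page; DC1-DC3, SERVER1 and the OPERATOR source are placeholders, and the loopback listener in `self_test` is only there to validate the probe offline.

```python
import socket
# Example IP allocations from this page; DC1-3 and SERVER1 are placeholders to fill in per site.
HOSTS = {"MASTER": "10.222.100.101", "AGENT1": "10.222.100.105", "AGENT2": "10.222.100.106"}
# (sources, destinations, port spec) rows transcribed from the generic and Active Directory tables.
RULES = [
    (["MASTER"], ["AGENT1", "AGENT2"], "TCP: 22"),
    (["OPERATOR"], ["MASTER"], "TCP: 443,8443"),
    (["MASTER"], ["DC1", "DC2", "DC3"], "TCP: 135,139,445 TCP: 49152-65535 UDP: 137,138"),
    (["DC1", "DC2", "DC3"], ["MASTER"], "TCP: 10443"),
    (["DC1", "DC2", "DC3"], ["AGENT1", "AGENT2"], "TCP: 10443"),
]

def parse_ports(spec):
    """Turn 'TCP: 135,139,445 TCP: 49152-65535 UDP: 137,138' into (proto, low, high) tuples."""
    out, proto = [], None
    for tok in spec.replace(",", " ").split():
        if tok.endswith(":"):          # a protocol label applies to the tokens that follow it
            proto = tok[:-1].upper()
            continue
        low, _, high = tok.partition("-")
        out.append((proto, int(low), int(high or low)))
    return out

def expected_checks(me, rules=RULES):
    """Single TCP ports host `me` must reach; UDP entries and port ranges are not probed."""
    return [(dst, low)
            for sources, dests, spec in rules if me in sources
            for dst in dests
            for proto, low, high in parse_ports(spec)
            if proto == "TCP" and low == high]

def tcp_open(host, port, timeout=2.0):
    """True only if the TCP handshake completes; a firewall drop shows up as a timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def self_test():
    """Validate tcp_open offline against a throw-away loopback listener."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    ok = tcp_open("127.0.0.1", srv.getsockname()[1], 1.0)
    srv.close()
    return ok

if __name__ == "__main__":
    for dst, port in expected_checks("MASTER"):
        print(dst, port, "open" if tcp_open(HOSTS.get(dst, dst), port) else "BLOCKED")
```

Run it on the MASTER (or change the argument to DC2 to check a domain controller's outbound rules); a BLOCKED line points at a missing rule from the matching table row.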