Network Planning
HySecure can be deployed as a cluster with either one node or multiple nodes. In both cases, the network configuration of each node should be planned beforehand.
As part of the network configuration planning, the following needs to be decided for all NICs:
- Interface IP address - static or DHCP
- Hostname through which the node can be accessed
- DNS configuration that the node will use to resolve domain names
- IP addresses for the cluster nodes. Ensure that all the IP addresses belong to the same subnet. One IP address needs to be reserved to be configured as the virtual IP used to access the cluster.
- If access to HySecure is to be allowed over the Internet, port 443 should be NAT'ed to the HySecure virtual IP address.
- Firewall configuration changes:
# | Traffic Direction To Be Allowed | Port Number | HySecure Deployed in |
---|---|---|---|
1 | Inbound traffic from WAN or LAN to DMZ | 443 | DMZ |
2 | Outbound traffic from HySecure node(s) to application servers (LAN or WAN) | Application ports | DMZ |
3 | Outbound traffic from HySecure node(s) to authentication servers | 389 (user authentication); 636 (user password change or secure authentication); UDP 1812 (RADIUS server integration) | DMZ |
- The following ports should be kept open between cluster nodes if the HySecure nodes are segregated, i.e. they are in the same subnet but a firewall sits between them.
# | Functionality | TCP or UDP | Port Number |
---|---|---|---|
1 | User Traffic | TCP | 443 |
2 | Monitoring | TCP | 80 |
3 | Log Sync | UDP | 4002 |
4 | Monitoring | UDP | 539 |
5 | Database Access | TCP | 3306 |
6 | Configuration Sync | TCP | 5536 |
7 | Real Time Status | TCP | 939 |
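As an added planning aid (not part of the HySecure documentation), the script below checks a proposed cluster layout against the addressing rules above and expands the inter-node port table into the pairwise allow-list a firewall between segregated nodes would need. The subnet, node addresses and virtual IP used in the example are constructed sample values.

```python
"""Pre-deployment sanity check for a planned HySecure cluster network layout (added example)."""
import ipaddress

# Inter-node ports taken from the cluster table above: (protocol, port, functionality).
INTER_NODE_PORTS = [
    ("tcp", 443, "User Traffic"),
    ("tcp", 80, "Monitoring"),
    ("udp", 4002, "Log Sync"),
    ("udp", 539, "Monitoring"),
    ("tcp", 3306, "Database Access"),
    ("tcp", 5536, "Configuration Sync"),
    ("tcp", 939, "Real Time Status"),
]


def check_cluster_addressing(subnet, node_ips, virtual_ip):
    """Return a list of planning problems; an empty list means the plan is consistent."""
    net = ipaddress.ip_network(subnet, strict=True)
    addrs = [ipaddress.ip_address(ip) for ip in node_ips]
    vip = ipaddress.ip_address(virtual_ip)
    problems = []
    # Rule from the page: every node address and the virtual IP must sit in one subnet.
    for ip in addrs + [vip]:
        if ip not in net:
            problems.append(f"{ip} is outside {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{ip} is the network or broadcast address of {net}")
    # Rule from the page: the virtual IP is reserved, so it must not reuse a node address.
    if vip in addrs:
        problems.append(f"virtual IP {vip} collides with a node address")
    if len(set(addrs)) != len(addrs):
        problems.append("duplicate node addresses in the plan")
    return problems


def inter_node_rules(node_ips):
    """Expand the inter-node port table into (src, dst, proto, port, purpose) allow rules."""
    rules = []
    for src in node_ips:
        for dst in node_ips:
            if src == dst:
                continue
            for proto, port, purpose in INTER_NODE_PORTS:
                rules.append((src, dst, proto, port, purpose))
    return rules


if __name__ == "__main__":
    # Constructed sample plan: two nodes plus a reserved virtual IP in 192.0.2.0/24.
    plan = {"subnet": "192.0.2.0/24", "node_ips": ["192.0.2.11", "192.0.2.12"], "virtual_ip": "192.0.2.10"}
    print(check_cluster_addressing(**plan) or "addressing plan is consistent")
    for rule in inter_node_rules(plan["node_ips"]):
        print("allow %s -> %s %s/%d (%s)" % rule)
```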