
Notes for deploying Acronis Virtual Firewall

November 30, 2020

Components:

You can use either the setup application, which installs all components, or the individual MSI installer packages for unattended installations:

  • Management Service: installed on the host(s) or designated VM(s) that will act as the Management Server for the entire Windows Server/Hyper-V environment. (Note: multiple management servers can be deployed to provide disaster recovery.)
  • Virtual Router Management Service: installed on the Virtual Router.
  • Management Console: installed on each host/VM from which administrators will operate the system and manage the security/compliance rules.

Firewall Rules

(if deploying in Azure, also configure the NSG rules to match):

Management Server – firewall rules
  From Virtual Router:
  • TCP 8939 – 5nine.Antivirus.UpdateService endpoint
  • TCP 8534 – Antivirus (AV) management endpoint
  • TCP 8790 – vFirewall management endpoint
  • TCP 8939 – IDS update service endpoint
  • TCP 8183 – For signature updates of Snort Intrusion Detection System (IDS)
  From Management Console:
  • TCP 8789 – Client
  To SQL Server database:
  • TCP 1433 (default) or other port defined in the SQL configuration
  To internet:
  • TCP 80 – Snort IDS / AV update over HTTP
  To DHCP server (if applicable):
  • UDP 68
  Outbound to DNS server:
  • UDP 53
  To Syslog server (if applicable):
  • UDP 514
  To additional Cloud Security Management Services (if applicable):
  • TCP 8790
  To Virtual Router:
  • TCP 8533
  • TCP 8788

Virtual Router – firewall rules
  From management server:
  • TCP 8533 – AV management
  • TCP 8788 – vFirewall management
  From Azure VMs:
  • TCP 8489 – AP agent communication
  • TCP 3187, TCP 8943 – AP agent update service communication
  To management server:
  • TCP 8534 – Antivirus (AV) management endpoint
  • TCP 8183 – For Cisco Snort Intrusion Detection System (IDS)
  • TCP 8790 – vFirewall management endpoint
  To internet:
  • TCP 80 – AV update over HTTP
  To Azure VMs:
  • TCP 8287 – AP management endpoint

Azure Virtual Machines – firewall rules
  To virtual router:
  • TCP 8489 – AP agent communication endpoint
  • TCP 3187, TCP 8943 – AP agent update service
  From virtual router:
  • TCP 8287 – AP management endpoint

Management Console – firewall rules
  To management server:
  • TCP 8789 – Client
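The port table above is the part of a deployment that most often goes wrong silently: a listener that is blocked by a host firewall or an NSG simply never registers, and the console shows nothing. The following PowerShell script is an added example, not code from the original post or from Acronis. It takes the per-role ports from the table, creates the matching inbound Windows Defender Firewall rules for the role the script runs on, and then checks that the role's outbound dependencies answer on their ports. The host names (mgmt.example.local, vrouter.example.local, sql.example.local) and the SQL port are placeholders to replace with your own.

```powershell
<#
  Added example (not part of the original post, not Acronis' own tooling).
  Creates the inbound Windows Defender Firewall rules that the port table
  lists for one role, then verifies that the role's outbound dependencies
  answer on their ports. Host names below are placeholders.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateSet('ManagementServer', 'VirtualRouter', 'AzureVM', 'ManagementConsole')]
    [string]$Role,

    # Placeholder peer addresses; replace with the real FQDNs/IPs of your deployment.
    [string]$ManagementServer = 'mgmt.example.local',
    [string]$VirtualRouter    = 'vrouter.example.local',
    [string]$SqlServer        = 'sql.example.local',
    [int]   $SqlPort          = 1433
)

# Inbound TCP ports per role, as listed in the firewall-rule table.
$Inbound = @{
    ManagementServer  = @(
        @{ Port = 8939; Desc = 'AV / IDS update service (from virtual router)' },
        @{ Port = 8534; Desc = 'AV management endpoint (from virtual router)' },
        @{ Port = 8790; Desc = 'vFirewall management endpoint (from virtual router)' },
        @{ Port = 8183; Desc = 'Snort IDS signature updates (from virtual router)' },
        @{ Port = 8789; Desc = 'Client (from management console)' }
    )
    VirtualRouter     = @(
        @{ Port = 8533; Desc = 'AV management (from management server)' },
        @{ Port = 8788; Desc = 'vFirewall management (from management server)' },
        @{ Port = 8489; Desc = 'AP agent communication (from Azure VMs)' },
        @{ Port = 3187; Desc = 'AP agent update service (from Azure VMs)' },
        @{ Port = 8943; Desc = 'AP agent update service (from Azure VMs)' }
    )
    AzureVM           = @(
        @{ Port = 8287; Desc = 'AP management endpoint (from virtual router)' }
    )
    ManagementConsole = @()   # the console only makes outbound connections
}

# Outbound dependencies per role: what this host must be able to reach.
$Outbound = @{
    ManagementServer  = @(
        @{ Host = $SqlServer;     Port = $SqlPort; Desc = 'SQL Server database' },
        @{ Host = $VirtualRouter; Port = 8533;     Desc = 'AV management on virtual router' },
        @{ Host = $VirtualRouter; Port = 8788;     Desc = 'vFirewall management on virtual router' }
    )
    VirtualRouter     = @(
        @{ Host = $ManagementServer; Port = 8534; Desc = 'AV management endpoint' },
        @{ Host = $ManagementServer; Port = 8183; Desc = 'Snort IDS endpoint' },
        @{ Host = $ManagementServer; Port = 8790; Desc = 'vFirewall management endpoint' }
    )
    AzureVM           = @(
        @{ Host = $VirtualRouter; Port = 8489; Desc = 'AP agent communication' },
        @{ Host = $VirtualRouter; Port = 3187; Desc = 'AP agent update service' },
        @{ Host = $VirtualRouter; Port = 8943; Desc = 'AP agent update service' }
    )
    ManagementConsole = @(
        @{ Host = $ManagementServer; Port = 8789; Desc = 'Client endpoint' }
    )
}

# 1. Inbound rules: one named rule per port, restricted to the Domain profile
#    so the listener is never exposed on a public-profile interface.
foreach ($rule in $Inbound[$Role]) {
    $name = "Cloud Security $Role TCP $($rule.Port)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Description $rule.Desc `
            -Direction Inbound -Protocol TCP -LocalPort $rule.Port `
            -Action Allow -Profile Domain | Out-Null
        Write-Host "Created inbound rule: $name"
    }
}

# 2. Outbound reachability: a closed port here means an NSG, a host firewall
#    on the peer, or a wrong address, and the services will not register.
$failed = @()
foreach ($dep in $Outbound[$Role]) {
    $ok = Test-NetConnection -ComputerName $dep.Host -Port $dep.Port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    $state = if ($ok) { 'OK' } else { 'BLOCKED' }
    Write-Host ("{0,-45} {1}:{2,-6} {3}" -f $dep.Desc, $dep.Host, $dep.Port, $state)
    if (-not $ok) { $failed += $dep }
}
if ($failed.Count) { Write-Warning "$($failed.Count) dependency port(s) unreachable from this $Role." }
```

Run it once per role from an elevated prompt, for example `.\Set-CloudSecurityPorts.ps1 -Role VirtualRouter -ManagementServer mgmt.corp.local`. The UDP-only entries (DHCP, DNS, Syslog) are outbound and are left to the default outbound-allow policy; the script only opens the TCP listeners the table attributes to the role.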

Configuration for High Availability
For HA scenarios, install a separate instance of the Management Service on each server in the Windows failover cluster pair, with both instances pointing to the same data source (SQL Server). SQL Server may also be set up for high availability. From this point on, use the cluster failover role IP address/FQDN, instead of a standalone server's IP address/FQDN, as the management service address whenever you connect to the management service.
When configuring high availability in Failover Clustering, select the Generic Service option for the Cloud Security Management Service and proceed with the setup in the standard way.
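The same Generic Service setup can be scripted, which also makes it easy to verify the two things that commonly break a clustered management service: the service missing on one node, and clients still pointed at a node address instead of the role address. The script below is an added example, not code from the original post or from Acronis. The node names, the service name and the role IP are placeholders; the service name is whatever `Get-Service` reports for the Management Service on one of the nodes.

```powershell
<#
  Added example (not part of the original post, not Acronis' own tooling).
  Registers the Cloud Security Management Service as a Generic Service role
  in an existing two-node Windows failover cluster and then checks that the
  role answers on the client port (8789) at the role's own address, which is
  the address the management console must use from now on.
  Node names, service name and the role IP are placeholders.
#>
param(
    [string[]]$Nodes       = @('cs-node1', 'cs-node2'),   # placeholder cluster nodes
    [string]  $ServiceName = '<ManagementServiceName>',    # placeholder: take it from Get-Service on a node
    [string]  $RoleName    = 'CloudSecurityMgmt',          # role name = network name clients will use
    [string]  $RoleIP      = '10.0.0.50'                   # placeholder static IP for the role
)
Import-Module FailoverClusters

# 1. Every node must have the same service installed locally before it can be
#    clustered; a role whose service is missing on one node fails over to nothing.
foreach ($node in $Nodes) {
    $svc = Invoke-Command -ComputerName $node -ScriptBlock {
        param($n) Get-Service -Name $n -ErrorAction SilentlyContinue
    } -ArgumentList $ServiceName
    if (-not $svc) { throw "Service '$ServiceName' is not installed on $node" }
    Write-Host "$node : $ServiceName is $($svc.Status)"
}

# 2. Create the Generic Service role (the 'Generic Service' option in the
#    Failover Cluster Manager wizard) if it does not exist yet, and bring it online.
if (-not (Get-ClusterGroup -Name $RoleName -ErrorAction SilentlyContinue)) {
    Add-ClusterGenericServiceRole -ServiceName $ServiceName -Name $RoleName `
        -StaticAddress $RoleIP | Out-Null
}
Start-ClusterGroup -Name $RoleName | Out-Null

# 3. Report where the role currently lives and confirm the client port answers
#    at the role address, not at a node address.
$group = Get-ClusterGroup -Name $RoleName
Write-Host "Role $RoleName is $($group.State) on $($group.OwnerNode)"
$reachable = Test-NetConnection -ComputerName $RoleName -Port 8789 `
                -InformationLevel Quiet -WarningAction SilentlyContinue
if ($reachable) {
    Write-Host "Point the management console at $RoleName (TCP 8789), not at a node name."
} else {
    Write-Warning "TCP 8789 is not answering at $RoleName; check the role state and the firewall rules on both nodes."
}
```

A useful follow-up check after the first failover test is to move the role with `Move-ClusterGroup -Name $RoleName` and re-run step 3: if the port only answers on one owner node, that node's firewall rules or service configuration differ from the other's.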

Silent Install from MSI Packages
To install Cloud Security components silently from the command line, run the Setup Launcher Application and copy the MSI package files to c:\Setup or another location before the launcher application is closed, since its directory and contents are deleted at that point.

Example – Setup Router Service (one command; ^ is the cmd.exe line continuation):
msiexec /i RouterServiceSetup.msi /qn /norestart /l* info.log ^
  MANAGEMENT_SERVER=[Cloud Security FQDN name] ^
  WINLOGIN=[DOMAIN\Administrator] WINPASS=[Password]
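A bare msiexec line gives no feedback in /qn mode, so an unattended rollout should keep the packages it needs, check the exit code, and show the log on failure. The following PowerShell wrapper is an added example, not code from the original post or from Acronis. It copies the MSI files out of the staging directory before the launcher can remove them, runs the same RouterServiceSetup.msi command with the same properties, and interprets the msiexec exit code. The management server name, account and directory names are placeholders.

```powershell
<#
  Added example (not part of the original post, not Acronis' own tooling).
  Wraps the msiexec command shown above: keeps a copy of the MSI packages
  before the Setup Launcher removes its directory, runs the Router Service
  install unattended, and uses the msiexec exit code as the success signal.
  Management-server name, account and paths are placeholders.
#>
param(
    [string]$StagingDir = 'C:\Setup',               # where the Setup Launcher unpacks the MSIs
    [string]$KeepDir    = 'C:\CloudSecurityMSI',    # persistent copy, survives closing the launcher
    [string]$MgmtServer = 'cs-mgmt.example.local',  # placeholder: Cloud Security FQDN
    [string]$WinLogin   = 'EXAMPLE\Administrator'   # placeholder account
)

# 1. Keep a copy of the packages: the staging directory is deleted as soon as
#    the launcher application is closed.
New-Item -ItemType Directory -Path $KeepDir -Force | Out-Null
Copy-Item -Path (Join-Path $StagingDir '*.msi') -Destination $KeepDir -Force

# 2. Collect the account password without echoing it or leaving it in the
#    shell history; msiexec itself still needs the plain value as a property.
$secure = Read-Host -Prompt "Password for $WinLogin" -AsSecureString
$plain  = [pscredential]::new($WinLogin, $secure).GetNetworkCredential().Password

# 3. Run the same command line as the example above, with a per-run log file.
$log     = Join-Path $KeepDir ("RouterServiceSetup_{0:yyyyMMdd_HHmmss}.log" -f (Get-Date))
$msiArgs = @(
    '/i', (Join-Path $KeepDir 'RouterServiceSetup.msi'),
    '/qn', '/norestart', '/l*', $log,
    "MANAGEMENT_SERVER=$MgmtServer",
    "WINLOGIN=$WinLogin",
    "WINPASS=$plain"
)
$proc  = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow
$plain = $null   # drop the clear-text copy as soon as msiexec has it

# 4. Interpret the exit code: 0 = installed, 3010 = installed but a reboot is
#    pending (because of /norestart), anything else = failed, see the log.
switch ($proc.ExitCode) {
    0    { Write-Host "Router Service installed (log: $log)" }
    3010 { Write-Warning "Router Service installed; reboot required before the service starts." }
    default {
        Write-Error "msiexec exited with $($proc.ExitCode); last log lines:"
        Get-Content -Path $log -Tail 20
        exit $proc.ExitCode
    }
}
```

The WINPASS property is still passed on the msiexec command line, as in the original example, so it is visible in the process list for the duration of the install; the wrapper only avoids writing it to the shell history and to the log file name.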

Note: To install the management console on a server where multiple users with different privileges work, the best practice is to select the option Use default credentials, so that each time the management console is started the necessary privileges are granted to it. The same applies to tenant setup: the user currently running the management console instance must match the user set to connect to the management service in order to get the right privileges. Refer to the Global Administrator and Tenants section.

Adding Microsoft Azure Tenant Account
The first thing to do before starting anything with 5nine Cloud Security is to add the Microsoft Azure Tenant Account. Open the Azure Connection Settings dialog by selecting the Settings – Add Azure Tenant main menu option.

Global Administrator and Tenants
The User Management feature is designed to set permissions on 5nine Cloud Security objects (virtual machines) and operations performed through the management console.

It is crucial to set them appropriately. These permissions are unrelated to the users’ permissions set in Windows or Active Directory (AD); they govern users’ rights solely for Cloud Security objects and operations.

The most important users that have to be created (added) in User Management are the Global Users, particularly the Global Administrator. This user is able to see all the virtual machines managed by Cloud Security and to perform all operations through the management console: set global rules, create/delete tenants, operate the antivirus feature and set permissions for other users.

Note: Before the Global Administrator is created, no permissions are set and any user operating the management console is treated as the Global Administrator.
