On-Premises Data Center

Print Friendly, PDF & Email

Pre-requisites

Before initiating the deployment of HawkkScan in an On-Premise environment, it is crucial to ensure that the following prerequisites are met and configured:

  1. Terraform V1.4.2 needs to be installed on the machine from where scripts will be executed (the OS of this machine should be Ubuntu). This machine will act as a host.
  2. From the host machine, vSphere should be accessible.
  3. Admin access to VMWare vSphere is needed.
  4. Need the following information from VMWare/ vSphere:
    • vSphere user name (with Administrator access)
    • vSphere password
    • vSphere host/IP
    • Name of datastore
    • Datacenter name
    • Cluster name
    • Network name
  5. Additional information
    • IPv4 address (which will be assigned to the newly created machine)
    • Domain (this will be assigned to machine)
    • IP netmask
  6. Ubuntu 22.04 OS VM templates
  7. Domain as well as SSL (For exposing the Discovery realm for secure communication with the Presentation realm)

Whitelisting of URLs and Ports

Whitelisting During Deployment

The Discovery Realm is created using a script. This script, during installation, downloads certain components from Internet. To facilitate this process, it is essential to whitelist the following URLs:

Sr. No. URLs/Domains Ports Comments
1 mehrwertmacher.github.io 80, 443
2 *.github.com 80, 443
3 googlecloudplatform.github.io 80, 443
4 charts.bitnami.com 80, 443
5 gcr.io/spark-operator/spark-operator 80, 443
6 auth.docker.io 80, 443
7 index.docker.io 80, 443
8 hub.docker.com 80, 443
9 production.cloudflare.docker.com 80, 443
10 registry-1.docker.io 80, 443
11 gcr.io 80, 443
12 k8s.gcr.io 80, 443
13 *. gcr.io 80, 443 Allow all subdomains of this domain, as data is sourced from various subdomains during downloads.
14 *.cloudfront.net 80, 443 Allow all subdomains of CloudFront, as the Elasticsearch Docker image is downloaded from dynamic URLs.
15 docker.elastic.co 80, 443
16 quay.io 80, 443
17 *.quay.io 80, 443 All subdomains of quay.io need to be whitelisted.
18 access.redhat.com 80, 443
19 cdn.quay.io 80, 443
20 cdn01.quay.io 80, 443
21 cdn02.quay.io 80, 443
22 cdn03.quay.io 80, 443
23 *.amazonaws.com 80, 443 All services URLS of aws need to be white listed.
24 api.segment.io 80, 443
25 api.snapcraft.io 80, 443
26 *. snapcraft.io 80, 443
27 asia-south1-docker.pkg.dev 80, 443
28 *.pkg.dev 80, 443
29 *.snapcraftcontent.com 80, 443
30 *.cdn.snapcraftcontent.com 80, 443
31 *.cloudflare.net 80, 443
32 *.cdn.cloudflare.net 80, 443
33 compass.mongodb.com 80, 443
34 *.cloudfront.net 80, 443
35 *.ubuntu.com 80, 443
36 dl.bintray.com 80, 443
37 *.bintray.com 80, 443
38 docker.elastic.co 80, 443
39 docker-auth.ea-registry-production.elastic.co 80, 443
40 docker-auth.elastic.co 80, 443
41 *. elastic.co 80, 443
42 get.helm.sh 80, 443
43 gethelm.azureedge.net 80, 443
44 ghcr.io 80, 443
45 googlecode.l.googleusercontent.com 80, 443
46 *.googleusercontent.com 80, 443
47 grafana.com 80, 443
48 in.archive.ubuntu.com 80, 443
49 ipv4only.arpa 80, 443
50 pkg-containers.githubusercontent.com 80, 443
51 *. githubusercontent.com 80, 443
52 *. docker.com 80, 443
53 production.cloudflare.docker.com 80, 443
54 raw.githubusercontent.com 80, 443
55 registry.ea-registry-production.elastic.co 80, 443
56 registry.k8s.io 80, 443
57 repo1.maven.org 80, 443
58 storage.googleapis.com 80, 443
59 *. projectcalico.org 80, 443
60 *. googleapis.com 80, 443
61 registry.terraform.io 80, 443
62 *.terraform.io 80, 443
63 releases.hashicorp.com 80, 443
64 *.hashicorp.com 80, 443

Note

  • The URLs listed above are necessary solely for the installation of the Discovery Realm. After the installation process is complete, they may be removed from the whitelist.
  • It is advised to allow all URLs that begin with the mentioned domain and its subdomains.

Whitelisting During Application Lifecycle

The following URLs are essential for retrieving HawkkScan builds from the Elastic Container Registry (ECR). This is a crucial requirement for the automatic recovery of any HawkkScan component deployed within a container in the Kubernetes cluster.

Sr. No. URLs/Domains Ports Comments
1 102539048997.dkr.ecr.ap-south-1.amazonaws.com 80, 443
2 *.amazonaws.com 80, 443 All subdomains of AWS must be permitted.
3 hs-agent-comm.seqrite.com 443 This is a requisite for the agent workflow.
4 cbs.seqrite.com 443 This is a requisite for the agent workflow.
5 cbshef.seqrite.com 443 This is a requisite for the agent workflow.
6 download.quickheal.com 443, 80
7 cbsdevice.seqrite.com 443
8 cbssecured.seqrite.com 443
9 35bhfv3atb.execute-api.ap-south-1.amazonaws.com 443
10 dlupdate.quickheal.com 443
11 *.seqrite.com 443
12 3.111.89.140 80, 443 This will be an inbound call. The HawkkScan presentation will invoke the Discovery Realm API, which is hosted on-premises.

Note
All URLs beginning with the domains and subdomains mentioned above are allowed.

Whitelisting After Deployment

The browser-based Data Management Application, residing within the Presentation Realm and hosted on the Seqrite cloud, interacts with the Discovery Realm by making API calls to retrieve data for the purpose of presentation. To enable this communication, the Discovery Realm will have to be exposed outside by creating appropriate rules in the firewall. The firewall configuration will require source IP. In this context, the source IP address for API calls from the Discovery Realm is 3.111.89.140.

For accessing the Data Management Application, whitelist the following URLs:

Deployment of HawkkScan

Prerequisites

Before proceeding, ensure you have the following prerequisites in place:

  • A host machine with Terraform installed.
  • Access to the HawkkScan deployment wizard with the necessary URL.
  • A login user account on the host machine.

Procedure

Follow these steps to deploy the HawkkScan on your host machine.

Step 1. Download the HawkkScan Terraform Script

  1. Navigate to the URL specified in the Hawkkscan deployment wizard.
  2. Download the zip file containing the Terraform script.
  3. Save the downloaded zip file on the host machine to the /home/{USER} directory, where {USER} represents your login username.

Step 2. Extract the Downloaded Zip File

  1. On the host machine, extract the downloaded zip file.
  2. Ensure that the extracted folder is named "qh_hawkkscan."
  3. The folder should be located at /home/${USER}/qh_hawkkscan.

Step 3. Generate SSH Key Pair

  1. Run the following command to create an SSH key pair:
    ssh-keygen -t rsa
    This will generate a private key and a public key.

Step 4. Edit the Hostname Configuration

  1. Locate the "hostname_vm.txt" file within the "qh_hawkkscan" folder.
  2. Edit this file to update the IP addresses and hostnames of the target machines as needed.

Step 5. Modify Terraform Variable Values

  1. Navigate to the "master" folder within the "qh_hawkkscan" directory: /home/${USER}/qh_hawkkscan/master.
  2. Edit the "terraform.tfvar" file to update the following variable values according to your requirements:
    . vsphere_user: The user account for vSphere with administrator privileges.
    . vsphere_passwd: The password for the vSphere user.
    . vsphere_host: The IP address or DNS name of the vSphere server.
    . vsphere_dc: The name of the vSphere datacenter.
    . vsphere_ds: The name of the vSphere datastore.
    . vsphere_cluster: The name of the vSphere cluster.
    . vsphere_network: The name of the vSphere network.
    . vsphere_temp: The name of the template to be used.
    . name_vm: The desired name for the newly created virtual machine. It should match the name specified in the "hostname_vm.txt" file.
    . cpu: The number of CPUs required for the virtual machine.
    . memory: The amount of memory (RAM) required for the virtual machine.
    . local_user: The user account on the local machine where Terraform and the script are saved.
    . machine_ip: The IP address to be assigned to the newly created virtual machine. Ensure it corresponds to the name specified in the "hostname_vm.txt" file.
    . domain: The domain name to be assigned to the newly created virtual machine.
    . ipv4_netmask: The IPv4 netmask for IP addressing.
  3. In the "worker1," "worker2," and "worker3" folders, edit the "terraform.tfvar" file in each folder to update the same variables mentioned above along with the following variables:
    . master_ip: This refers to the IP address of the master machine, which should match the address specified in the master variable file.
    . master_user: This is the username associated with the master machine.
    . master_passwd: This password corresponds to the master machine’s login credentials.

Step 6. Initialize and Execute Terraform Commands

  1. From the master folder ("/home/${USER}/qh_hawkkscan/master") execute the following commands:
    • terraform init
    • terraform plan
    • terraform apply
  2. From the worker1, worker2, worker3 folder execute the following commands:
    • terraform init
    • terraform plan
    • terraform apply

Step 7: Post-Deployment Actions

  1. After completing the deployments, the Discovery Realm will be deployed on-premises.
  2. To make the Discovery Realm accessible externally, configure the necessary firewall rules.
  3. Configure domain and SSL settings for the firewall NAT rule to ensure proper functionality.
Was this page helpful?