BlastShield™ Agent Installation

This document describes how to deploy a BlastShield™ Agent onto a server and set up an access policy.

Adding a new Agent - summary

The process to install and set up the BlastShield™ Agent on a server is summarised here:

  1. Create a new Agent instance in the Orchestrator and copy the registration information.
  2. Install the Agent on the server. The Agent will start automatically and register with the Orchestrator.
  3. Configure a policy to authorise access to the Agent.

Currently Supported Operating Systems

We currently support the following operating systems.

Windows

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012
  • Windows 10

Ubuntu

  • Ubuntu 20.10
  • Ubuntu 20.04.2 LTS
  • Ubuntu 18.04 LTS

Debian

  • Debian 11 (Bullseye)
  • Debian 10 (Buster)

CentOS

  • CentOS 8
  • CentOS 7

Amazon

  • Amazon Linux 2

Raspberry Pi OS

  • Raspbian GNU/Linux 10 (buster)

macOS

  • macOS 10.13

Linux Agent Installation

Learn how to add a new BlastShield™ Agent to a Linux server by watching the following video or reading the steps below.

Step 1: Add a new Agent in the Orchestrator

  1. Click on "Agents" in the "Manage" menu in the left sidebar, and then click the red "Add New Agent" button at the top right.
  2. The New Agent dialogue opens. Add a name for the Agent and a DNS Hostname. The DNS Hostname is optional and can be used to identify the Agent in the BlastShield™ network, as BlastShield runs its own DNS.
  3. Then click on the red "Save and Download Invitation" button and choose the option for "Save and copy Linux/macOS installation command to the clipboard". Click on that option to copy the command.

Step 2: Install and register the Agent

Open a terminal session on the Linux server where you are going to install the Agent.

  1. Paste the command you just copied to the terminal and hit enter. This will start the software download.
  2. The software will automatically install and run. The Agent will then automatically register with the Orchestrator. When the process has completed you will see the following message in the terminal window:

"Installation successful, the agent IP address is <Agent IP address>."

Step 3: View the status of the Agent

Now that the installation and registration processes have completed, your Agent is up and running.

You can check the status of the Agent by typing the following:

sudo systemctl status blastshield

The logs may be viewed as follows:

sudo journalctl -u blastshield.service

The status of the new Agent on your server should appear as "Online" in the Orchestrator as shown in the image below. 

When the status of the Agent is ‘Online’ this shows that the Agent is operational and the Orchestrator can communicate with the Agent.

The BlastShield™ interface that has been created by the Agent on the server will only be accessible to authorised and authenticated BlastShield users. To access this interface you must set up groups and access policies for your users. The default behaviour is to block access until a policy has been created. You can learn how to create policies in the following section.

Linux Agent manual installation

You can alternatively use the standard package manager commands to install the Agent on Linux. See this section to learn about the manual installation process.

Next Step:

Go to the 'Create your Policies' section below to create groups and a policy to authorise access to the Agent.

Windows Agent Installation

Learn how to add a new BlastShield™ Agent to a Windows server by watching the following video or reading the steps below.

Step 1: Add a new Agent in the Orchestrator

  1. Click on "Agents" in the "Manage" menu in the left sidebar, and then click the red "Add New Agent" button at the top right.
  2. The New Agent dialogue opens. Add a name for the Agent and a DNS Hostname. The DNS Hostname is optional and can be used to identify the Agent in the BlastShield™ network, as BlastShield runs its own DNS.
  3. Then click on the red "Save and Download Invitation" button and choose the option for "Save and copy invitation contents to the clipboard". Click on that option to copy the invitation.

Step 2: Install and register the Agent

Open a session on the Windows server where you are going to install the Agent.

  1. Download the Windows Agent Installer to the Windows computer and run the installer.
  2. The installer will install and run the Agent software and ask you for the .bsi invitation information which you have already copied from the BlastShield Orchestrator.
  3. Paste the invitation contents which you just copied to the clipboard into the installer and click Start to start the registration process.
  4. When the process has completed the installer displays a "Registration successful." message.

Step 3: View the status of the Agent

Now that the installation and registration processes have completed, your Agent is up and running. The status of the Agent as shown in the Orchestrator will change to Online as shown below.

When the status of the Agent is ‘Online’ this shows that the Agent is operational and the Orchestrator can communicate with the Agent.

The BlastShield™ interface that has been created by the Agent on the server will only be accessible to authorised and authenticated BlastShield users.  To access this interface you must set up groups and access policies for your users.  The default behaviour is to block access until a policy has been created.

Next Step:

Go to the 'Create your Policies' section below to create groups and a policy to authorise access to the Agent.


macOS Agent Installation

Learn how to add a BlastShield™ Agent on macOS by watching the following video or reading the steps below.

Step 1: Add a new Agent in the Orchestrator

  1. Click on "Agents" in the "Manage" menu in the left sidebar, and then click the red "Add New Agent" button at the top right.
  2. The New Agent dialogue opens. Add a name for the Agent and a DNS Hostname. The DNS Hostname is optional and can be used to identify the Agent in the BlastShield™ network, as BlastShield runs its own DNS.
  3. Then click on the red "Save and Download Invitation" button and choose the option for "Save and copy Linux/macOS installation command to the clipboard". Click on that option to copy the command.

Step 2: Install and register the Agent

Open a terminal session to the server where you are going to install the Agent.

  1. Paste the command you just copied to the terminal and hit enter. This will start the software download.
  2. The software will automatically install and run. The Agent will then automatically register with the Orchestrator. When the process has completed you will see the following message in the terminal window:

"Installation successful."

Step 3: View the status of the Agent

Now that the installation and registration processes have completed, your Agent is up and running. The status of the Agent as shown in the Orchestrator will change to Online as shown below.

Logs for the Agent may be viewed in the Console.app.

Next Step:

Go to the 'Create your Policies' section below to create groups and a policy to authorise access to the Agent.

Remove a macOS Agent

Unload the plist file for the Host Agent:

sudo launchctl unload -w /Library/LaunchDaemons/io.blastwave.blastshield-agent.plist

Remove the plist file:

sudo rm /Library/LaunchDaemons/io.blastwave.blastshield-agent.plist

Remove the Host Agent files:

sudo rm -rf /Library/Application\ Support/BlastShield\ Agent

Create your Policies

This section explains how to create a policy to allow access to an Agent.

To allow your users to connect to the protected servers, you must set up a policy that allows them to access the servers. BlastShield™ is a zero-trust solution, so the default behaviour is to block access until you apply a Policy.

Policies are a simple way to grant users access to a protected server by linking a group of users to a group of BlastShield™ Agents. You can also use a policy to link one server to another server for machine-to-machine (m2m) applications.

Policies work using a simple ‘From’ and ‘To’ methodology which links a group of users to a group of agents.  You must install one BlastShield™ Agent on each server that you want to provide secure access to.

The process is very simple:

  • Create a group for your users
  • Create a group for your agents
  • Create a policy to link the user group to the agents group in the direction you want

The process is explained in more detail below:

First, create your groups:

With BlastShield™ you must create one or more groups for your remote users and one or more groups for your Agents and/or Endpoints (servers or other protected devices). Groups let you segment and micro-segment users and protected assets.

This is how to add a group in the Orchestrator:

  • Select "Groups" from the left menu.
  • Select "Add New Group" from the Group List.
  • Enter a name for the new Group.
  • To add members to the new group, click the "Add Members" button. The "Add Group Members" menu will open.
  • If you are creating a group of users then select the desired users which you want to be associated with the new Group from the "Users" box.
  • Or, if you are creating a group of BlastShield™ Agents then select the desired agents which you want to be associated with the new Group from the "Agents" box.
  • You can combine Users, Agents and Endpoints in the same group.
  • Alternatively, you can leave the members list empty and add/modify new members later.
  • Click "Add Members" to save the members.
  • Click "Save" to save the new group.

Please refer to the following video for details of creating one group for your users and one group for your Agents and then adding members to them.

Add a user to a group

You must also add users to a group in the Orchestrator.

From the Orchestrator:

  • Select “Users” from the left menu.
  • Select the user which you want to add to a group.
  • Click on the “Groups” tab and then click the 'Add Group' box.
  • Select the new group from the list of available groups.
  • Click on "Save" to save the changes.

The following video shows you how to add a user to a group from the "Users" menu in the orchestrator.

Alternatively, you can also add a user to a group through the “Groups” menu as shown in the video below.

From the Orchestrator:

  • Select "Groups" from the left hand menu.
  • Select the Group which you want to modify.
  • Click on the red "Add Members" button.
  • Select the Members you wish to add in any of the three option boxes (Users, Agents, Endpoints).
  • Click on "Add Members" to save.

Create an access policy

Users and Agents must be members of a group for them to be used in a policy.

To connect your user groups and protected server groups, you must link them with a policy as described here:

  • Select "Policies" from the left menu.
  • Select "Add New Policy" from the Policy List.
  • Enter a name for the new Policy.
  • Select desired "From" Groups to be associated with the new Policy.
  • Select desired "To" Groups to be associated with the new Policy.
  • Save the new Policy.

Policies are directional, so that you can control the direction in which connections may be initiated. Typically for remote access use-cases your policy would be from the "user group" to the "server group" so that users may start connections to the servers, but servers cannot start connections to users. You can create bi-directional permissions by using two policies.
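
The From/To behaviour described above, modelled as a small added example (a conceptual sketch, not BlastShield code and not part of the original document). The `PolicyModel` class and all group, user and server names are hypothetical and constructed; the model shows default-deny, directionality, the two-policy pattern for bi-directional access, and how to spot Agents that no policy yet reaches.

```python
# Conceptual model only: not BlastShield code. All names below are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    name: str
    from_groups: frozenset  # groups allowed to initiate connections
    to_groups: frozenset    # groups that may be connected to


@dataclass
class PolicyModel:
    groups: dict = field(default_factory=dict)    # group name -> set of members
    policies: list = field(default_factory=list)

    def add_group(self, name, members=()):
        self.groups[name] = set(members)

    def add_policy(self, name, from_groups, to_groups):
        unknown = (set(from_groups) | set(to_groups)) - set(self.groups)
        if unknown:
            raise ValueError(f"policy {name!r} references unknown groups: {sorted(unknown)}")
        self.policies.append(Policy(name, frozenset(from_groups), frozenset(to_groups)))

    def groups_of(self, member):
        return {g for g, members in self.groups.items() if member in members}

    def may_initiate(self, source, destination):
        """Names of policies permitting source -> destination; [] means blocked."""
        src, dst = self.groups_of(source), self.groups_of(destination)
        return [p.name for p in self.policies
                if src & p.from_groups and dst & p.to_groups]

    def unreachable(self, agents):
        """Agents that no policy points 'To', i.e. still blocked by default."""
        targeted = set().union(*(p.to_groups for p in self.policies))
        return sorted(a for a in agents if not self.groups_of(a) & targeted)


def build_example():
    m = PolicyModel()
    m.add_group("remote-workers", {"alice"})
    m.add_group("servers", {"web01", "db01"})
    m.add_group("backup", {"bak01"})
    m.add_policy("workers-to-servers", ["remote-workers"], ["servers"])
    # Bi-directional m2m access takes one policy per direction.
    m.add_policy("servers-to-backup", ["servers"], ["backup"])
    m.add_policy("backup-to-servers", ["backup"], ["servers"])
    return m
```

An Agent that appears in the `unreachable` result corresponds to the situation described earlier: it can be Online in the Orchestrator while access to it is still blocked because no policy targets a group it belongs to.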

The following video shows an example of creating an access Policy between a group of remote workers and a group of servers. The policy gives the remote workers authorisation to access the server group.

Administration Tasks

Click here to see the menu of common administration tasks, including upgrades, changing the BlastShield™ network prefix and configuring syslog.
