On-premises and cloud deployment options
The Orchestrator may be deployed either in BlastWave's secure cloud infrastructure or on-premises, depending on your security and operational requirements.
The following sections explain the available deployment options, which range from a cloud-hosted Orchestrator to a fully air-gapped on-premises solution.
Cloud-hosted Orchestrator deployment
In this deployment scenario, the Orchestrator is hosted and managed by BlastWave in our secure cloud infrastructure. There is no need to install the Orchestrator on premises, and this option is suitable for most deployment types. The Authentication Server, which facilitates the user MFA process, is also hosted in BlastWave's secure cloud environment.

The requirement for using a cloud-hosted Orchestrator is that all BlastShield nodes (users, Host Agents and Gateways) must have outbound internet access to the Orchestrator, and (for users only) to the Authentication server.
On-premises Orchestrator deployment
In this deployment scenario, the Orchestrator is hosted and managed by the customer. This is typically required where local rules or regulations do not permit the management function to be located outside the enterprise. The Authentication Server is still hosted in BlastWave's secure cloud infrastructure.

All BlastShield nodes (users, Host Agents and Gateways) must be able to access the Orchestrator.
Users should be able to access the cloud-hosted Authentication Server from their mobile devices if they wish to use the BlastShield Mobile Authenticator app. If this is not possible, users can authenticate using a FIDO2 key instead.
Port forwarding must be configured for the Orchestrator.
Fully air-gapped deployment
Local regulations may sometimes require a fully air-gapped deployment, where no external access from the network is permitted. In a fully air-gapped network the Orchestrator is deployed on premises with no access to the internet, and similarly, users are also not allowed external internet access.

Deployment notes for a fully air-gapped deployment
Because the BlastShield™ Mobile Authenticator app requires external access, it cannot be used in a fully air-gapped network; FIDO2 keys must be used for user authentication instead.
You must manually process the Orchestrator license request during the installation. This is a one-time process.
Any Gateways or Clients (e.g. a user workstation running the BlastShield™ Client) must have their DNS set to the IP address of the Orchestrator.
As the Orchestrator will be self-hosted, you should provide your own certificate for the Orchestrator HTTPS web UI.
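The two client-side requirements above (DNS pointing at the Orchestrator, and a customer-provided rather than default certificate on the HTTPS web UI) are easy to get wrong on an isolated network where nothing can phone home to tell you. The following pre-flight script is an added example, not BlastWave's own tooling; it assumes that clients resolve names through a resolv.conf-style file, that the Orchestrator web UI serves HTTPS on TCP port 443 (the page does not state the port), and that "your own certificate" means one issued by your CA rather than a self-signed one. The Orchestrator address 10.0.0.5 used in the usage line is a constructed placeholder.

```shell
#!/bin/sh
# Pre-flight checks for a fully air-gapped BlastShield deployment.
# Added example, not BlastWave's own tooling. Assumptions not stated on the page:
#  - clients resolve names through /etc/resolv.conf (or a file in that format);
#  - the Orchestrator web UI serves HTTPS on TCP port 443;
#  - "your own certificate" means one issued by your CA, i.e. not self-signed.

# Succeed if the first "nameserver" entry in a resolv.conf-style file is the given IP.
# Usage: resolv_points_to /etc/resolv.conf 10.0.0.5
resolv_points_to() {
    file="$1"
    ip="$2"
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$file")
    [ -n "$first" ] && [ "$first" = "$ip" ]
}

# Succeed if the PEM certificate in "$1" is not self-signed, i.e. its issuer
# differs from its subject. A default self-signed UI certificate fails this check,
# as does an unreadable file.
cert_not_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 1
    iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 1
    [ "${subj#subject=}" != "${iss#issuer=}" ]
}

# Fetch the certificate the live Orchestrator presents on HTTPS (assumed port 443)
# and print its issuer, so it can be compared with the certificate you installed.
live_ui_issuer() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer
}

# Run all checks and return non-zero if any of them fails.
# Usage: run_checks ORCHESTRATOR_IP RESOLV_FILE CERT_PEM
run_checks() {
    orch_ip="$1"
    resolv="$2"
    pem="$3"
    status=0
    if resolv_points_to "$resolv" "$orch_ip"; then
        echo "ok:   first nameserver in $resolv is the Orchestrator ($orch_ip)"
    else
        echo "FAIL: first nameserver in $resolv is not $orch_ip"
        status=1
    fi
    if cert_not_self_signed "$pem"; then
        echo "ok:   $pem is CA-issued, not self-signed"
    else
        echo "FAIL: $pem is self-signed or unreadable"
        status=1
    fi
    echo "live UI issuer: $(live_ui_issuer "$orch_ip")"
    return "$status"
}

# Stand-alone usage (constructed placeholder address):
#   ./preflight.sh 10.0.0.5 /etc/resolv.conf /path/to/orchestrator.pem
if [ $# -eq 3 ]; then
    run_checks "$@"
fi
```

Run it from a Gateway host or a Client workstation after the Orchestrator is up; a FAIL on the DNS line means that node will not find the Orchestrator at all, and a FAIL on the certificate line means browsers will still see the self-signed default on the web UI.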