Skip to main content

BlastShield Documentation

On-premise installation of an air-gapped Orchestrator on VMware ESXi and user authentication with the Mobile Authenticator app.

Introduction

The BlastShield™ Orchestrator is used to provision and manage all systems in a BlastShield™ network. This includes management of gateways, endpoints, remote users, groups, and policies. This article describes how to install a new Orchestrator into a fully air-gapped network. Once installed, you will use the Orchestrator to manage and provision all systems within the BlastShield™ Network.

Air-gapped deployment with mobile authentication

In this scenario, the BlastShield™ Orchestrator, Gateways and Host Agents are air-gapped. Users will authenticate via the mobile authenticator app, which requires that the users have external access.

on-prem-orchestrator-with-mobile-authenticator.png

Deployment notes for an air-gapped deployment using the Mobile Authenticator

  1. The Authentication Server is cloud hosted.

  2. The Orchestrator is deployed on premises and is air-gapped.

  3. Gateways and Host Agents are on premises and are air-gapped.

  4. The users’ Mobile Authenticator apps and the user workstations are on-premises and have an external connection to the Authentication Server.

  5. The workstations must be on the same network as the Orchestrator.

  6. Devices that run the BlastShield Client must have their DNS set to the IP address of the Orchestrator (or forward the blastshield.app zone in any existing DNS server you might have).

  7. As the Orchestrator will be self-hosted, you should provide your own certificate for the Orchestrator HTTPS web UI.

Before Starting

  1. Request the Orchestrator BSI invitation file and the administrator BSI invitation file from BlastWave. This are used for registering the BlastShield network and for registering the administrator user.

  2. The Orchestrator will use UDP port 12345 for communications. Please forward UDP Port 12345 inbound on the firewall to the Orchestrator.

  3. Install a BlastShield Client on the administrator workstation. You can download the Client from here.

  4. Download the Orchestrator firmware. This download link is provided below in Step 1.

Step 1 Download the Orchestrator OVA file.
Step 2 Install the BlastShield™ Orchestrator OVA file on the ESXi client

Using the VMWare ESXi new virtual machine installer, the Invitation (.bsi) file you received from BlastWave, and the OVA file you downloaded in step 1 you will install the software on your ESXi hypervisor and register it to the BlastShield™ Network. The process is explained below.

  • Install the BlastShield™ Orchestrator OVA file on the ESXi client.

    1. From the ESXi host, go to Virtual Machines > Create/Register VM > Create a virtual machine from an OVF/OVA file

      vmware-gw-install-step3-1.png

    2. Enter a name and select the BlastShield™ OVA file.

      Screenshot_2023-05-04_143321.png

    3. Leave the default datastore option.

      vmware-passive-new-step3-2.png

    4. Deployment options

      1. 'Network mappings' should use the default "VM Network" port group for the Public Network. Note that the Protected Network setting will not be used and the setting will be ignored.

        vmware-passive-new-step4.png

      2. Deployment type should be set to Orchestrator or passive gateway (NAT).

      3. Disk provisioning' and 'Power on automatically' should use the default settings.

    5. In Additional Settings, add the contents of the bsi file.

      1. Paste the contents of the Orchestrator BSI file into the Invitation contents box.

      2. Set the IP address and prefix length, Default Gateway and DNS server IP address, being sure to note that you must configure the DNS IP address the same as the Orchestrator IP address for an airgapped Orchestrator deployment (for a non-airgapped Orchestrator deployment you should provision the DNS to your network's preferred DNS server, please refer to the non-airgapped VMware installation for more details). Leaving the boxes blank would use DHCP.

      3. Add your SSH public key (in one-line OpenSSH format) in the SSH Keys > SSH Key for "admin" user field.

      4. The screen shot below shows example settings. Please use settings appropriate to your network.

        Screenshot_2023-05-04_144236.png

    6. Click next, then click 'Finish' to complete the configuration and launch the VM.

      Screenshot_2023-05-04_144308.png

    7. Once the Orchestrator has started, you will see the local maintenance interface displayed on the console. The local IP address of the Orchestrator is displayed. You will use this address to SSH to the Orchestrator in the next step.

      Screenshot_2023-05-05_105438.png

    8. Forward UDP Port 12345 inbound on the firewall to the Orchestrator.

Step 3 Fetch the license and apply it to the new Orchestrator.

  1. SSH as admin into the new Orchestrator. Authentication is done by your SSH public key which was added during the VM setup.

  2. Copy the content of license_req.json which is generated in the home directory of the admin user. 

    $ cat license_req.json

  3. Return this content to BlastWave. BlastWave will reply with a license key.

  4. Whilst still connected to the Orchestrator by SSH, run the apply-license command and hit enter.

    $ apply-license

  5. You will see the following prompt:

    License:

  6. At this prompt, paste the license key information to the command line and hit enter to start the Orchestrator.

    License:{"license": "..."}

Step 4 Set the DNS on the BlastShield users' workstations

Any device running the BlastShield™ Client must have it's DNS set to the IP address of the Orchestrator.

  1. In a Windows desktop OS, you can change the DNS settings in the network interface properties > TCP/IPV4 settings.

    windows-dns-settings.png

    On macOS the DNS can be changed in the network System Settings

    macOS_DNS.png

  2. For networks which use an on-premise Microsoft DNS or an AD server for DNS, then a conditional forwarder can be added with the Orchestrator IP address as shown for the domain blastshield.app. In the example images below, 192.168.247.1 is the IP of the Orchestrator.

    add-new-conditional-fowarder.png
    conditonal-forwarder.png
Step 5 Register the new administrator user

Here you will use the administrator BSI invitation file or invitation link which you received from BlastWave to register and connect to the Orchestrator as the administrator user.

  1. If you are using the Mobile Authenticator app and you have received an administrator invitation (BSI) file then follow this process to register: Register the administrator user using an administrator (BSI) invitation file

  2. If you are using the Mobile Authenticator app and you have received an administrator invitation URL then follow this process to register: Register the administrator user using a registraton URL.

  3. You can download the Mobile Authenticator app here: Mobile Authenticator download links

  4. You can download the Desktop Client here: Desktop Client download links

Step 6 Connect to the Orchestrator

  1. Go to the BlastShield™ Desktop Client on your computer and ensure the Connection Status shows that it is connected.

  2. On the BlastShield™ Client, click on the Launch Orchestrator button.

    Blastshield-client-connection-status-view.png

  3. Scan the displayed QR code with the BlastShield™ Mobile Authenticator App on your mobile device.

    Desktop-client-QR.png

  4. Verify your facial or biometric identity on your mobile device.

  5. The Orchestrator administration user interface will open in your default web browser. At this stage the UI web server will be using a self-signed certificate for HTTPS, so you should acknowledge the browser security warning.

Further reading

Now that you have installed and connected to the Orchestrator, you can add Host Agents, Gateways and new users. Please refer to the following sections to learn how to do this.

In this section: