Communications ports
The Tachyon communications ports between the Tachyon Master Server and the Tachyon DMZ Server must be opened, as illustrated in the picture shown opposite. Please refer to the Communication Ports page for more details.
Preparation
- Relevant internal servers
  - Any internal server which hosts a Tachyon Server component which communicates with any DMZ Server.
  - Typically this will include the servers which host the Coordinator, the Consumer API, and any Core bound to a DMZ Switch that is registered in the dbo.SwitchToCoreApi table in the TachyonMaster database.
  - The example diagrams and steps refer to only one internal server, but there may be separate servers for the Master Stack (with Coordinator and Consumer API) and the Response Stack (with Core).
- DMZ Server
  - Any server that has Tachyon Server components installed which is not on the internal network (that is, outside of the corporate network).
  - This includes a Tachyon DMZ Server (which has one or more Switches and a Background Channel).
You must ensure the following before installation of Tachyon on a DMZ Server.
Certificate requirements
Tachyon Server certificate requirements are defined in Requirements: Tachyon Server certificates.
Tachyon DMZ Server installations have additional requirements for their certificates.
Relevant internal servers
Type | Additional certificate requirements | Where used
---|---|---
Tachyon Server certificate | The Certificate requirements for standard servers require the Tachyon Server DNS Name FQDN and computername FQDN to be present in the certificate. However, there is an additional requirement to separate communications between internal and external Switches: | This is the usual Tachyon website certificate. A DMZ Server installation has additional needs to allow Switches on the DMZ Server to communicate with:
Tachyon Consumer API client certificate | The client certificate on the Tachyon Master Stack has the following requirements: | Used by the Tachyon Master Stack (Consumer API) to perform client authentication with the Background Channel on the DMZ Server. Required only if certificate authentication is used instead of domain authentication.
DMZ Server
Type | Additional certificate requirements | Where used
---|---|---
DMZ Server certificate | The Certificate requirements for standard servers are valid with regard to trust, usage, enhanced key usage, the private key, and revocation. However, as this is an externally reachable certificate, it is not recommended that the computername FQDN is present in the certificate. As such, the certificate must meet the following requirements: Optionally, it may also contain a Subject Common Name field (subject:commonName) that is unique within the organization and identifies the certificate (https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.5.pdf#page=54). | Used by the Switch(es) and Background Channel to secure communication to Tachyon clients.
DMZ Server client certificate | The client certificate on the Tachyon DMZ Server has the following requirements: | Used by the Switch(es) to perform client certificate authentication with their assigned Response Stack (Core).
Certificate trust
The relevant internal servers must trust the DMZ Server certificate(s), and the DMZ Server must trust the certificates presented to it. For each of the following scenarios, ensure you import the CA certificate(s) of the trust chain into the server's Local Machine Trusted Root Certification Authorities or Intermediate Certification Authorities store (as appropriate).
- Relevant internal servers must trust the DMZ Server certificate, therefore you must import the CA certificates used by the DMZ Server into the CA stores on the relevant internal servers.
- The DMZ Server must trust the relevant internal server certificate(s), therefore you must import the CA certificates used by the relevant internal server(s) into the CA stores on the DMZ Server.
- The DMZ Server must also trust the Tachyon clients' certificates, therefore you must import the CA certificates used by clients into the CA stores on the DMZ Server.
Note: The HTTP CDP referenced in any certificate, including imported CA certificates, must be reachable by the DMZ Server.
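An added example (not 1E's own tooling) of the trust import described above, run on the server that is doing the importing (for instance the DMZ Server importing the internal server's or the clients' issuing chain): it places the peer's CA certificates into the Local Machine Trusted Root and Intermediate stores, builds the chain with online revocation checking, and confirms every HTTP CDP in the chain is reachable from this server. The file paths are placeholders you must replace.

```powershell
# Added example: import a peer certificate's issuing chain and check its HTTP CDPs.
param(
    [string]$RootCaPath          = 'C:\certs\ACME-RootCA.cer',            # placeholder
    [string[]]$IntermediatePaths = @('C:\certs\ACME-IssuingCA.cer'),      # placeholder
    [string]$PeerCertPath        = 'C:\certs\tachyondmz.acme.local.cer'   # placeholder, peer's public cert
)

# Root CA goes to Trusted Root Certification Authorities, intermediates to Intermediate CAs.
Import-Certificate -FilePath $RootCaPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
foreach ($p in $IntermediatePaths) {
    Import-Certificate -FilePath $p -CertStoreLocation 'Cert:\LocalMachine\CA' | Out-Null
}

# Build the chain for the peer certificate exactly as this server will see it at TLS time,
# including an online revocation check, so a broken or unreachable CDP shows up here.
$peer  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PeerCertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if (-not $chain.Build($peer)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "Chain problem: $($_.Status) $($_.StatusInformation)" }
}

# Every certificate in the chain (peer, intermediates, root) is checked for a reachable HTTP CDP.
foreach ($el in $chain.ChainElements) {
    $cert = $el.Certificate
    $cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points
    if (-not $cdp) { Write-Host "$($cert.Subject): no CDP extension (normal for a self-signed root)"; continue }
    # Only HTTP URLs are tested; LDAP CDPs are not usable from a DMZ anyway.
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(http://\S+)') | ForEach-Object { $_.Groups[1].Value }
    foreach ($u in $urls) {
        try {
            $r = Invoke-WebRequest -Uri $u -Method Head -UseBasicParsing -TimeoutSec 10
            Write-Host "$($cert.Subject): CDP $u reachable (HTTP $($r.StatusCode))"
        } catch {
            Write-Warning "$($cert.Subject): CDP $u NOT reachable from this server: $($_.Exception.Message)"
        }
    }
}
```

Run it once per trust direction listed above; an unreachable CDP reported here is what will later surface as a revocation failure on the Switch or Background Channel connection.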
The installation process for a Tachyon DMZ Server
Overview
To illustrate the following detailed steps we use the ACME network with two servers.
DNS Names
Use the following table to help map the DNS Names used in your environment with the name used in the steps below.
Server | DNS Name references | DNS Name examples | DNS Names used in your environment
---|---|---|---
The internal Tachyon Server (the diagram shows only relevant components of the Master Stack and Response Stack) | Tachyon Server computername FQDN | ACME-TCNMST.acme.local |
 | Tachyon Server DNS Name FQDN | tachyon.acme.local |
 | Tachyon Server Alternate DNS Name FQDN | tachyonalt.acme.local |
The external Tachyon DMZ Server | DMZ Server computername FQDN | ACME-TCNDMZ |
 | DMZ Server internal DNS Name FQDN | tachyondmz.acme.local |
 | DMZ Server external DNS Name FQDN (Internet) | tachyon.acme.com |
Detailed steps
Step | Location | Detailed steps
---|---|---
1 | Internal Tachyon Server (Master and Response Stacks) and internal Tachyon client(s). | Install the internal Tachyon Server, with Master and Response Stacks, and ensure it works by running the tests described in Verifying.
2 | DMZ Server. | Ensure the Preparation steps are complete for the Tachyon DMZ Server.
3 | Internal Tachyon Server (Response Stack). | On the internal Tachyon Server (Response Stack), add an alternate HTTPS binding to the Tachyon website. In our example this is https://tachyonalt.acme.local:443. You may have already created an alternate HTTPS binding when installing the Response Stack server. The Response Stack server is the server you have already installed that hosts the Core component; it will have been installed either as a Single-Server with all components or as a dedicated Response Stack server. If you need to add the binding, use the manual steps below.
4 | Internal Tachyon Server (Response Stack). | On the internal Tachyon Server (Response Stack), that is, the server that hosts the Core component which the DMZ Server will connect to, run Tachyon Setup, go to the Maintenance screen, and click Add DMZ Server... This is the first stage of using Tachyon Setup to install a DMZ Server. It prepares the Response Stack server and its database, and stores configuration details in a <DMZ Server computername>.ini file in the Setup folder. You will need to copy this file to the DMZ Server. When you click OK, Setup validates the configuration details. Any serious errors will prevent Setup from going ahead, and any warnings cause a dialog asking you to confirm whether you want to continue. The ini file is only saved or updated after a successful validation, or after warnings have been accepted.
5 | Internal Tachyon Server (Response Stack). | On the internal Tachyon Server (Response Stack), restart all Switches and confirm they are working.
6 | Internal Tachyon Server (Master and Response Stacks) and internal Tachyon client(s). | Ensure that everything is still working by running the tests described in Verifying.
7 | DMZ Server. | On the Tachyon DMZ Server
8 | DMZ Server. | Use Services.msc to confirm the 1E Tachyon Switch Host service is running. If it is stopped, there is an issue with all the Switches. Check the number of Switch log files and review their contents: there should be one log file for each Switch, plus Switch.Host.log. Use IIS Manager to confirm the presence of the Tachyon website, which contains only the Background web application. Check the bindings to confirm that all the bindings specified in the Website configuration screen exist.
9 | Internal Tachyon Server (Response Stack) and DMZ Server. | Copy existing Background Channel content from the internal Tachyon Server to the Tachyon DMZ Server:
10 | Internal Tachyon Portal, Tachyon Server (Response Stack) and DMZ Server. | Verify that the internal Tachyon Server can upload content to the Background Channel on the Tachyon DMZ Server:
11 | DMZ Server and external Tachyon client(s). | Verify that an external Tachyon client can connect to the Tachyon DMZ Server Switch. Change the Tachyon client configuration (1E Client configuration file) to point at both the internal Tachyon Server and the Tachyon DMZ Server. This assumes you want Tachyon client devices to be able to switch between internal and external access. If you prefer, you can enter details only for the Tachyon DMZ Server.
12 | Internal Tachyon Portal and external Tachyon client(s). | Run verification steps to verify that an external Tachyon client can download content from the Tachyon DMZ Server Background Channel.
13 | Internal Tachyon Portal and external Tachyon client(s). | Verify that the external client can receive Policy updates.
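An added example (not 1E's own tooling) that scripts the step 8 checks on the DMZ Server: the Switch Host service state, the Switch log count and recent error lines, and the Tachyon website's applications and HTTPS bindings. The service display name match, the Switch log folder, the expected Switch count and the expected binding list are assumptions; adjust them to your installation and to what you entered on the Website configuration screen.

```powershell
# Added example: post-install checks for a Tachyon DMZ Server (step 8 of the detailed steps).
param(
    [string]$SwitchLogFolder    = 'C:\ProgramData\1E\Tachyon\Logs',   # placeholder, check your install
    [int]$ExpectedSwitches      = 2,                                  # placeholder
    [string[]]$ExpectedBindings = @('tachyondmz.acme.local:443', 'tachyon.acme.com:443') # placeholder
)
Import-Module WebAdministration
$ok = $true

# 1. The Switch Host service must be running; if it is stopped, every Switch is down.
$svc = Get-Service -DisplayName '1E Tachyon Switch Host*' -ErrorAction SilentlyContinue   # assumed name
if (-not $svc) { Write-Warning 'Switch Host service not found'; $ok = $false }
elseif ($svc.Status -ne 'Running') { Write-Warning "Switch Host service is $($svc.Status)"; $ok = $false }

# 2. One log per Switch plus Switch.Host.log; a missing log means a Switch never started.
$logs       = Get-ChildItem -Path $SwitchLogFolder -Filter 'Switch*.log' -ErrorAction SilentlyContinue
$switchLogs = @($logs | Where-Object { $_.Name -ne 'Switch.Host.log' })
if (-not ($logs.Name -contains 'Switch.Host.log')) { Write-Warning 'Switch.Host.log missing'; $ok = $false }
if ($switchLogs.Count -ne $ExpectedSwitches) {
    Write-Warning "Expected $ExpectedSwitches Switch logs, found $($switchLogs.Count)"; $ok = $false
}
# Surface the last few error lines of each Switch log instead of opening every file by hand.
foreach ($log in $switchLogs) {
    $errs = @(Select-String -Path $log.FullName -Pattern 'ERROR|FATAL' -CaseSensitive | Select-Object -Last 3)
    if ($errs.Count -gt 0) {
        Write-Warning "$($log.Name): recent error lines"
        $errs | ForEach-Object { Write-Host "  $($_.Line)" }
    }
}

# 3. The Tachyon website must exist, holding only the Background application, with every expected binding.
$apps = @(Get-WebApplication -Site 'Tachyon' -ErrorAction SilentlyContinue)
if ($apps.Count -eq 0) { Write-Warning "No web applications under site 'Tachyon' (is the site present?)"; $ok = $false }
elseif ($apps.Count -ne 1 -or $apps[0].path -ne '/Background') {
    Write-Warning "Unexpected applications under 'Tachyon': $($apps.path -join ', ')"; $ok = $false
}
# bindingInformation is '<ip>:<port>:<hostname>'; normalise to hostname:port for comparison.
$bindings = @(Get-WebBinding -Name 'Tachyon' -Protocol https | ForEach-Object {
    $parts = $_.bindingInformation -split ':'
    "$($parts[2]):$($parts[1])"
})
foreach ($b in $ExpectedBindings) {
    if ($bindings -notcontains $b) { Write-Warning "Missing HTTPS binding $b"; $ok = $false }
}
if ($ok) { Write-Host 'DMZ Server checks passed' } else { Write-Host 'DMZ Server checks FAILED' }
```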