Follow these steps:
Please refer to the KB article on Setting up Apex One as a Service Remote Connection to Control Manager (TMCM) or Apex Central.
Refer to the Deep Discovery Installation and Deployment Guide.
Deep Discovery Analyzer can be hardened by separating the Management Port from the System Port. The default Management Port can be seen under Administration > System Settings. Below is an example of the Deep Discovery Analyzer network settings:
Below are the steps to enable separate Management and System Ports:
- Enable the System Port of Deep Discovery Analyzer.
- Open the RDQA page to enable separation of Management Port and System Port by opening the following URL:
https://<DDAN IP>/pages/rdqa.php
- Go to System Settings.
- Look for the section Port Binding.
- Below is the default setting (eth0 only).
- Under Bind service to: select eth0(management) and eth1(system).
- Click Save.
- On the Port Binding popup message, click Configure Now.
- Configure the System Port IP address settings.
- Under the eth1(system) section, populate the required fields (IP address, Subnet mask, Gateway, DNS server).
- Click Save.
- After clicking Save, wait for the operation to complete; the console displays a "Saving…" status while it runs.
- When it finishes, the message "The setting has been saved." appears in the top corner of the web console.
As an example, below is how the network settings look when there are two separate ports, one for the Management Port and one for the System Port.
Please take note of the caveat below before registering Deep Discovery Analyzer to Apex Central:
- In Apex Central, there is only one text box to enter the FQDN of Deep Discovery Analyzer.
- This FQDN is synchronized to the Apex One as a Service Server (Cloud), which uses it when submitting samples to Deep Discovery Analyzer (On Premise).
- The port forward rule on the firewall should point to the System Port IP address of Deep Discovery Analyzer, not the Management Port IP address.
- At the same time, Apex Central needs to communicate with the Management Port IP address of Deep Discovery Analyzer. If it attempts to register using the System Port IP address of Deep Discovery Analyzer, registration will fail.
- The workaround is to override the hosts file on Apex Central and map the Management Port IP address of Deep Discovery Analyzer to its public FQDN.
- Edit the hosts file by adding the Management Port IP address of Deep Discovery Analyzer and mapping it to the public FQDN. This way the Apex Central Server knows how to reach the Management IP of Deep Discovery Analyzer, while the Apex One as a Service Server still uses the public FQDN and resolves the public IP through DNS, which is port forwarded to the Deep Discovery Analyzer System Port to receive sample submissions.
Below are the steps:
- Go to Apex Central Server.
- Open the Command prompt as Administrator, and enter the following command:
notepad C:\Windows\System32\drivers\etc\hosts
- Add the following line:
<X.X.X.X> <DDAN_PUBLIC_FQDN>
Below is an example where 172.20.0.36 is the Management IP of Deep Discovery Analyzer and vddan.tekchallenge.com is its public FQDN:
172.20.0.36 vddan.tekchallenge.com
For more information on editing the hosts file, refer to the page How to Edit the HOSTS File in Windows.
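The hosts file override above can be applied and verified in one step from an elevated PowerShell session on the Apex Central Server. This is an added example, not part of the original KB article; it uses the article's sample values (172.20.0.36 and vddan.tekchallenge.com), which you must replace with your own Management IP and public FQDN.

```powershell
# Added example: idempotently map the Deep Discovery Analyzer Management Port IP
# to its public FQDN in the Apex Central hosts file, then confirm which address
# Apex Central's resolver now returns. Run as Administrator.
$ManagementIp = '172.20.0.36'              # DDAN Management Port IP (eth0); sample value
$PublicFqdn   = 'vddan.tekchallenge.com'   # FQDN registered in Apex Central; sample value
$HostsPath    = "$env:SystemRoot\System32\drivers\etc\hosts"

# Back up the current hosts file before changing it.
Copy-Item -Path $HostsPath -Destination "$HostsPath.bak" -Force

# Drop any existing line that already maps this FQDN (stale or wrong IP); keep everything else.
# @() forces an array so the += below appends a line instead of concatenating strings.
$pattern = '^\s*\S+\s+' + [regex]::Escape($PublicFqdn) + '(\s|$)'
$kept = @(Get-Content -Path $HostsPath | Where-Object { $_ -notmatch $pattern })
$kept += "$ManagementIp $PublicFqdn  # DDAN Management Port, added for Apex Central registration"
Set-Content -Path $HostsPath -Value $kept -Encoding ASCII

# Flush the resolver cache so the new hosts entry takes effect immediately.
Clear-DnsClientCache

# Verify: on Apex Central the FQDN must resolve to the Management IP, not the public IP.
$resolved = [System.Net.Dns]::GetHostAddresses($PublicFqdn) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    Select-Object -First 1 -ExpandProperty IPAddressToString
if ($resolved -eq $ManagementIp) {
    Write-Host "OK: $PublicFqdn resolves locally to Management IP $resolved"
} else {
    Write-Warning "Unexpected: $PublicFqdn resolved to $resolved (expected $ManagementIp)"
}

# Verify the management console is reachable on the mapped address over TCP 443.
Test-NetConnection -ComputerName $PublicFqdn -Port 443 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
```

Run the same resolution check from any other host to confirm that it still gets the public IP from DNS, which is the path Apex One as a Service uses for sample submission.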
Below are the requirements:
- When adding Deep Discovery Analyzer (On Premise) to Apex Central (On Premise), use a publicly accessible FQDN of Deep Discovery Analyzer (DNS A Record), because this FQDN will be synchronized to Apex One (as a Service).
- Deploy Deep Discovery Analyzer (On Premise) in the DMZ segment (System Port).
- On your perimeter firewall, create the following:
- An access rule allowing INBOUND TCP port 443 from Apex One as a Service to the Deep Discovery Analyzer public IP/FQDN.
- A port forward rule sending the above incoming TCP port 443 traffic to Deep Discovery Analyzer in the DMZ (System Port).
Source                        Destination              Port  Protocol  Direction
Apex One as a Service IP/URL  Deep Discovery Analyzer  443   TCP       Inbound
- IP/Domain/DNS whitelisting. Please refer to this KB article for the list of IPs and domains to whitelist.
Below are the steps:
- Open Apex Central (on-premise) web console. Navigate to Administration > Managed Servers > Server Registration.
- Under the Server Type dropdown list, select Deep Discovery Analyzer, then click Add.
- Populate the required fields, then click Save.
Server Information
Server: <Use Deep Discovery Analyzer's public FQDN>
Display name:
Product: Deep Discovery Analyzer
Authentication
User name: <Deep Discovery Analyzer Admin account>
Password: <Deep Discovery Analyzer Admin password>
Connection
Proxy Server: <Specify proxy server if you are using proxy server>
Follow these steps:
- Open Apex Central (on-premise) web console. Navigate to Administration > Managed Servers > Server Registration.
- Under the Server Type dropdown list, select Apex One, then click the edit icon in the Actions column.
- On the Edit Server page, under the Virtual Analyzer dropdown list, select your Deep Discovery Analyzer, then click Save.
Follow these steps:
- Open Apex Central (on-premise) web console, and navigate to Policies > Policy Management.
- Under the Product dropdown list, select Apex One Security Agent, then click your policy.
- Under Edit Policy, expand Sample Submission, then tick the box beside "Enable suspicious file submission to Virtual Analyzer".
- Still on the Edit Policy page, expand Real-time Scan.
- Under Virus/Malware Scan Settings Only, tick the box beside "Enable CVE exploit scanning for files downloaded through web and email channels".
- Click Deploy.
