
When the Deep Security Agent (DSA) communicates with the Deep Security Manager (DSM) over TLS, the DSA acts as the TLS client and checks the Server Name Indication (SNI) hostname during the TLS handshake.

From the DSM web console, under Administration > Manager Nodes, the configured hostname of the manager is reflected as the Server Name in the SNI extension, which could be in hostname/FQDN format or an IP address. According to RFC 3546, a literal IPv4 or IPv6 address is not permitted in the "Hostname". Deep Security Agent version 20.0 has been enhanced to comply with this RFC.

In summary:

| Manager Node Hostname | SNI extension |
| --- | --- |
| IP address | The DSA will omit the SNI hostname in the TLS client hello packet |
| Valid hostname/FQDN | The DSA will add the SNI hostname in the TLS client hello packet |
 
If the SNI extension is required, you must configure a valid hostname on the DSM console.
 

Here are the steps to configure the hostname of the Manager Node. 

  1. Log in to the DSM web console.
  2. Go to the Administration tab.
  3. From the left-hand side of the console, click Manager Nodes.

    The list of available Manager Nodes appears. If you have only one, the list shows a single item.

  4. Select the Manager Node and go to its properties. A new window will appear.
  5. On the top of the window, update the hostname field and provide the hostname or FQDN.

  6. Click OK to save the changes.

Note: Changing the hostname will automatically set all computers to update. This means that the hostname or FQDN that you configure here must be DNS-resolvable by the agents; otherwise, the agents will not be able to communicate with the manager.