Remote Access Portal (RAP) Configuration
The following steps should be read carefully to install the Remote Access Portal (RAP) on the target machine.

Prerequisites

Secure Boot. Check whether Secure Boot is enabled before starting the installation:

Linux CLI
    [root@rap ~]# mokutil --sb-state

If Secure Boot is enabled it can cause an error during the WireGuard installation (typically because a locally built, unsigned WireGuard kernel module cannot be loaded while Secure Boot is enforced). Disable Secure Boot in the machine's firmware to continue the installation. Keep in mind that Secure Boot is itself a security control (it restricts the host to signed boot components and kernel modules), so record this deviation for the RAP host and apply the other host-hardening measures your baseline requires.

Network firewall rules. The following rules must be configured on the network-level firewall protecting the network segment where the RAP is deployed (for example a perimeter firewall, DMZ firewall or cloud network firewall). They apply to the network firewall in front of the RAP, not to any host-based firewall running on the RAP server itself.

Required rules on the network firewall protecting the RAP:
1) HTTPS access from external users (TCP): allow external users to reach the RAP web interface.
2) WireGuard tunnel traffic (UDP): allow the RAP (server) to establish the WireGuard tunnel with the Kron PAM server (client).

Stateful network firewall (recommended and most common). Stateful firewalls include enterprise and cloud firewalls such as Palo Alto Networks, FortiGate, Check Point, Cisco ASA/FTD, Juniper SRX and AWS security groups. Only the initiating direction of each of the two flows above needs a rule; the firewall matches the return traffic from its connection table.

Stateless network firewall. In stateless firewall environments traffic is evaluated per packet and connection state is not tracked, so in addition to the two rules above the return direction of both flows (HTTPS responses leaving the RAP, and WireGuard packets from the RAP's UDP port back to the Kron PAM server) must be allowed explicitly.

Note: port 7777 is strictly internal to the RAP server and must never be exposed on the network firewall.

Installation

1. Download the RAP installation script on the machine that will host the RAP; the support team can provide the installation script. If the support team also supplies a checksum for the archive, verify it before extracting. After downloading, unzip the installation script on the machine:

Linux CLI
    [root@rap ~]# unzip rap-mtc-cloud-1.4.0.zip

   If the error "bash: unzip: command not found" is shown, install the unzip package first:

Linux CLI
    [root@rap ~]# sudo dnf install -y unzip

   If it becomes necessary to restart the script (because of a wrong input, a missing file, etc.), remove all installation files except the compressed installation script archive, unzip the archive again, and only then execute the script. We strongly recommend this method: the extracted files may be modified by the first execution of the script, and executing the script with modified files can produce a broken installation.

2. Navigate to the cloud directory:

Linux CLI
    [root@rap ~]# cd cloud/

3. Run the configuration script:

Linux CLI
    [root@rap cloud]# sh configure.sh

   If you cannot run the script because of insufficient file permissions, run chmod +x configure.sh. Root privileges are required to run this script.

4. The RAP installation script must be restarted after the forced reboot. The script asks whether to install the MT Outbound Connector, the MT Inbound Connector, or the RAP module on the cloud. (The PAM side is installed on-prem by means of the Kron PAM server's installation script, e.g. rap-onpam-1.4.0.zip.) The warning messages the script prints during the installation can be safely ignored; they do not block the installation.

5. To continue with the RAP installation, select the third option by entering 3 and pressing Enter. If you accidentally press Enter without making a selection, the script exits with an error. This is harmless: restart the installation by executing sh configure.sh again.

6. The RAP installation script then asks whether this is a first-time installation (option 1) or an update of the public key (option 2):

   a. First-time installation. For the first installation on the cloud the whole RAP system must be configured from scratch, so select the first option by entering 1 and pressing Enter. During the installation you are asked to choose between the normal scenario and the failover scenario for the RAP:
      (1) Normal scenario: the RAP establishes the WireGuard tunnel to a single Kron PAM server. If the tunnel becomes unavailable, access is interrupted until the connection is restored.
      (2) Failover scenario: the RAP is configured with a primary and a backup Kron PAM server. If the WireGuard tunnel to the primary Kron PAM server goes down, traffic is automatically redirected to the backup Kron PAM server.

      The installation script then asks for several configuration details:
      - the RAP hostname,
      - the WireGuard port number,
      - the WireGuard IP segment,
      - the WireGuard IP address to be assigned to the RAP environment,
      - the WireGuard IP address to be assigned to the Kron PAM server environment (in the failover scenario there are two inputs, one per Kron PAM server),
      - the public key generated by the Kron PAM server's installation script.

      Portal configuration                                              Example value
      RAP hostname                                                      https://rap.company.com
      WireGuard port number                                             51820
      WireGuard IP segment                                              10.0.0.0/29
      WireGuard IP address assigned to the RAP side                     10.0.0.1
      WireGuard IP address assigned to the Kron PAM server side         10.0.0.2
      (failover scenario) WireGuard IP address of the backup PAM server 10.0.0.3
      Public key generated by the Kron PAM server's installation script hye1ob+egwbkribgwzpq8neiake7egv8iwt811t69eg=

      After all the information has been entered, press y to continue. If any entry is missing or wrong, press n to re-enter the information.

      If the public key generated by the Kron PAM server's installation script is not known yet when the script asks for it, a temporary public key can be entered for now (e.g. ha3ebu4klphptxk86b+legmq6mgqyicpk+umg1ezyd8=). Do not forget to set the real public key with the RAP installation script (see 6 b below) once the Kron PAM server's installation script has generated it; until then no peer can complete the tunnel handshake. Do not reuse a sample key from this page as the placeholder; any throwaway value produced with wg genkey | wg pubkey is preferable.

      During the installation, choose the target PAM version so that the proper RAP jar file is downloaded.

      At the end of the RAP installation script, the public key generated by this script (e.g. ftwteku3ge6yrhj8sswm279kdrkm/5l8isjajwyyeg0=) is ready to be used in the Kron PAM server (on-prem) environment. Do not forget to add it there with the Kron PAM server's installation script (see Kron PAM Server Configuration).

      In the last step, replace the self-signed certificate and the generic RSA private key with your own certificate and RSA private key: remove the self-signed certificate and the generic RSA private key from the /etc/nginx/certs directory, add your own (for example AWS-issued) certificate and RSA private key under the same file names, and restart nginx:

Linux CLI
    [root@rap ~]# sudo systemctl restart nginx.service

      The generic private key ships with the installer and is therefore not unique to your deployment, so do not expose the portal to users before it has been replaced. Keep the new private key readable by root only (mode 0600) and run nginx -t before the restart so that a mistake in the certificate files does not leave the portal down.

   b. Public key update. Once the RAP has been fully installed, only one configuration item may still be missing: the public key generated by the Kron PAM server's installation script. When that script is executed on-premise (see Kron PAM Server Configuration) it generates a public key that is used on the RAP. This option writes that key into the secure tunnel configuration file. Select the second option by entering 2 and pressing Enter. You are again asked to choose between the normal scenario (1), in which the RAP establishes the WireGuard tunnel to a single Kron PAM server and access is interrupted until the connection is restored if the tunnel becomes unavailable, and the failover scenario (2), in which the RAP is configured with a primary and a backup Kron PAM server and traffic is automatically redirected to the backup if the tunnel to the primary goes down. Then set the public key in the secure tunnel configuration file to the public key generated by the Kron PAM server's installation script (e.g. g1zi8fxmn0tgprf518mz7f/bk1npasnebspmbokd2ta=).
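The network firewall rules described in the prerequisites, as an added example that is not part of the Kron documentation or product: it renders the rule set as a vendor-neutral 5-tuple list that can be transcribed into Palo Alto, FortiGate, ASA, SRX or security-group syntax, and checks the two properties that matter, namely that a stateless deployment carries the return-direction rules a stateful firewall would infer, and that internal port 7777 never appears. The public addresses are constructed placeholders; the WireGuard port is the page's example value and HTTPS is 443. The direction of the WireGuard rule (PAM server initiating towards the RAP's listening port) follows standard WireGuard semantics for the server/client roles the page names and is an assumption about the deployment.

```shell
#!/bin/sh
# Added example (not Kron's code): network-firewall rules for the RAP as
# 5-tuples. Addresses below are constructed placeholders from TEST-NET ranges.
RAP_PUBLIC_IP="203.0.113.10"     # constructed: public address of the RAP host
PAM_PUBLIC_IP="198.51.100.20"    # constructed: on-prem egress address of the Kron PAM server
WG_PORT=51820                    # page's example WireGuard port
HTTPS_PORT=443
RAP_INTERNAL_PORT=7777           # must stay internal to the RAP host

# rule DIR PROTO SRC SPORT DST DPORT -> one line, fixed column order
rule() { printf '%s %s %s:%s -> %s:%s allow\n' "$1" "$2" "$3" "$4" "$5" "$6"; }

# Stateful firewall: only the initiating direction of each flow needs a rule.
# Assumption: the RAP listens on UDP 51820 and the PAM server (the WireGuard
# "client" in the text) initiates the handshake from on-prem.
stateful_rules() {
  rule in tcp any any "$RAP_PUBLIC_IP" "$HTTPS_PORT"
  rule in udp "$PAM_PUBLIC_IP" any "$RAP_PUBLIC_IP" "$WG_PORT"
}

# Stateless firewall: same initiating rules plus the explicit return path,
# because nothing remembers the connection between packets.
stateless_rules() {
  stateful_rules
  rule out tcp "$RAP_PUBLIC_IP" "$HTTPS_PORT" any any           # HTTPS responses (TCP ACK set)
  rule out udp "$RAP_PUBLIC_IP" "$WG_PORT" "$PAM_PUBLIC_IP" any  # WireGuard replies leave from the listening port
}

# render_firewall_rules stateful|stateless
render_firewall_rules() {
  case "$1" in
    stateful)  stateful_rules ;;
    stateless) stateless_rules ;;
    *) echo "usage: render_firewall_rules stateful|stateless" >&2; return 2 ;;
  esac
}

# exposes_internal_port MODE -> status 0 if any rule would open 7777 on the perimeter
exposes_internal_port() { render_firewall_rules "$1" | grep -q ":$RAP_INTERNAL_PORT "; }

# rule_count MODE -> number of rules (stateful: 2, stateless: 4)
rule_count() { render_firewall_rules "$1" | wc -l | tr -d ' '; }

# Stand-alone usage: sh rules.sh stateless
if [ -n "${1:-}" ]; then
  render_firewall_rules "$1"
  if exposes_internal_port "$1"; then
    echo "ERROR: port $RAP_INTERNAL_PORT would be exposed" >&2
    exit 1
  fi
fi
```

On a stateless filter the outbound TCP rule should additionally match packets with the ACK flag set, which most stateless ACL syntaxes express as "established"; that keeps the RAP from being able to open new connections outwards from source port 443.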
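The configuration values the installer asks for in step 6 a, as an added example that is not the installer's own code: the sanity checks an operator should run on the table's values before answering y, and the WireGuard configuration those values imply for the normal (1) and failover (2) scenarios. The secure tunnel configuration file the installer writes is not shown on this page; the [Interface]/[Peer] layout below is the standard wg-quick format and is an assumption about it. Values are the page's example values (key case was lost in extraction). The backup PAM server is given its own public key, taken from the step 6 b example, because WireGuard needs a distinct key per peer; the page lists only one key input. Automatic redirection between the two peers in the failover scenario is product behaviour and is not expressed by this file.

```shell
#!/bin/sh
# Added example (not Kron's code): checks the WireGuard parameters from the
# configuration table and renders the RAP-side wg-quick file they imply.
RAP_HOST="rap.company.com"
WG_PORT=51820
WG_SEGMENT="10.0.0.0/29"
RAP_WG_IP="10.0.0.1"
PAM_WG_IP="10.0.0.2"
PAM_BACKUP_WG_IP="10.0.0.3"
PAM_PUBKEY="hye1ob+egwbkribgwzpq8neiake7egv8iwt811t69eg="          # page example
PAM_BACKUP_PUBKEY="g1zi8fxmn0tgprf518mz7f/bk1npasnebspmbokd2ta="   # page example, reused for the backup peer (assumption)

ip_to_int() {   # ip_to_int 10.0.0.1 -> 167772161
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_segment() {  # in_segment IP CIDR -> status 0 when IP lies inside CIDR
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

is_wg_key() {   # a WireGuard key is 32 bytes: exactly 44 base64 characters ending in "="
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# check_tunnel_inputs normal|failover -> status 0 when the table is consistent
check_tunnel_inputs() {
  case "$WG_PORT" in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;; esac
  [ "$WG_PORT" -ge 1 ] && [ "$WG_PORT" -le 65535 ] || { echo "port out of range" >&2; return 1; }
  peers="$PAM_WG_IP"
  if [ "$1" = failover ]; then peers="$peers $PAM_BACKUP_WG_IP"; fi
  for ip in $RAP_WG_IP $peers; do
    in_segment "$ip" "$WG_SEGMENT" || { echo "$ip is outside $WG_SEGMENT" >&2; return 1; }
  done
  [ "$RAP_WG_IP" != "$PAM_WG_IP" ] && [ "$PAM_WG_IP" != "$PAM_BACKUP_WG_IP" ] \
    || { echo "tunnel addresses must be distinct" >&2; return 1; }
  is_wg_key "$PAM_PUBKEY" || { echo "PAM public key is not a 44-character base64 key" >&2; return 1; }
  if [ "$1" = failover ]; then
    is_wg_key "$PAM_BACKUP_PUBKEY" || { echo "backup PAM public key is invalid" >&2; return 1; }
  fi
  return 0
}

# render_wg_config normal|failover -> RAP-side wg-quick file (assumed layout).
# The RAP is the listening side, so peers carry no Endpoint: the PAM server
# initiates from on-prem. The private key placeholder must be replaced with
# the RAP's own key before the file is loaded.
render_wg_config() {
  check_tunnel_inputs "$1" || return 1
  cat <<EOF
# $RAP_HOST - WireGuard tunnel to the Kron PAM server (example)
[Interface]
Address = $RAP_WG_IP/${WG_SEGMENT#*/}
ListenPort = $WG_PORT
PrivateKey = REPLACE_WITH_RAP_PRIVATE_KEY

[Peer]
# Kron PAM server (primary)
PublicKey = $PAM_PUBKEY
AllowedIPs = $PAM_WG_IP/32
EOF
  if [ "$1" = failover ]; then
    cat <<EOF

[Peer]
# Kron PAM server (backup)
PublicKey = $PAM_BACKUP_PUBKEY
AllowedIPs = $PAM_BACKUP_WG_IP/32
EOF
  fi
}

# Stand-alone usage: sh tunnel.sh failover
if [ -n "${1:-}" ]; then render_wg_config "$1"; fi
```

AllowedIPs is deliberately the single /32 of each PAM server rather than the whole /29: it is both the routing table and the cryptographic source check for the tunnel, so a peer can only send traffic from the address it was assigned.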