Remote Access Portal (RAP) Configuration
The following steps should be read carefully to install the Remote Access Portal (RAP) successfully on the target machine.

Prerequisites

Check whether Secure Boot is enabled before the installation by running the `mokutil --sb-state` command. If it is enabled, it may cause an error during the WireGuard installation. Please disable Secure Boot to continue the installation!

Firewall rules

The following rules must be configured on the network-level firewall protecting the network segment where the Remote Access Portal is deployed (for example a perimeter firewall, a DMZ firewall or a cloud network firewall). They apply to the network firewall in front of the Remote Access Portal, not to any host-based firewall running on the Remote Access Portal server itself.

Required firewall rules on the network firewall protecting the Remote Access Portal:

1) HTTPS access to the Remote Access Portal (TCP): allows external users to access the Remote Access Portal web interface.
2) WireGuard tunnel traffic (UDP): the WireGuard tunnel is established between the RPAM Connector (client) and the Remote Access Portal (server).

Stateful network firewall (recommended and most common): stateful firewall examples include enterprise and cloud firewalls such as Palo Alto Networks, FortiGate, Check Point, Cisco ASA/FTD, Juniper SRX and AWS Security Groups.
Required rules:

Stateless network firewall: in stateless firewall environments, traffic is evaluated per packet and connection state is not tracked.
Required rules:

Note: port 7777 is strictly internal to the Remote Access Portal server and must never be exposed on the network firewall.

Installation

1. Download the Remote Access Portal (RAP) installation script on the machine that will be used for the Remote Access Portal (RAP). The support team can provide the installation script. After downloading it, unzip the installation script on the machine; the unzip command can be used to extract the files from the installation archive.

Linux CLI:
[root@rap ]# unzip rap-mtc-cloud-1.4.0.zip

If the "bash: unzip: command not found" error is shown, install the unzip package with the `sudo dnf install -y unzip` command.

If it becomes necessary to start the script again for any reason (such as a wrong input or a missing file), remove all installation files except the compressed installation archive, unzip the compressed archive again and only then execute the script. We highly recommend this method, since the extracted files may be modified the first time the script is executed, and executing the script with modified files may cause a faulty installation!

2. Navigate to the cloud directory.

Linux CLI:
[root@rap ]# cd cloud/

3. Run the configuration script.

Linux CLI:
[root@cloud ]# sh configure.sh

In case of insufficient file permissions to execute the script, run the `chmod +x configure.sh` command. You need root privileges to run this script.

4. The Remote Access Portal (RAP) installation script should be restarted after the forced reboot. The installation script asks the user either a) to install the MT Outbound Connector or the MT Inbound Connector, or b) to install the Remote Access Portal (RAP) module on the cloud (the RPAM Connector is installed on-premises by means of the RPAM Connector's installation script, e.g. rap-onprem-1.4.0.zip). You can ignore the following warning messages during the installation, as they do not prevent the installation.

5. To continue with the Remote Access Portal (RAP) installation, select the third option by entering 3 and pressing the Enter key. If the Enter key is accidentally pressed without a selection, the installation script throws the following error; simply restart the installation script by executing the `sh configure.sh` command again.

6. The Remote Access Portal (RAP) installation script then asks the user to choose one of the following:

a) For a first-time installation on the cloud, the whole Remote Access Portal (RAP) system should be configured from scratch, so the first option should be selected by entering 1 and pressing the Enter key.

During installation, the user is asked to choose between the normal scenario and the failover scenario for RPAM:
(1) Normal scenario: the Remote Access Portal establishes the WireGuard tunnel to a single RPAM Connector. If the tunnel becomes unavailable, access is interrupted until the connection is restored.
(2) Failover scenario: the Remote Access Portal is configured with a primary and a backup RPAM Connector. If the WireGuard tunnel to the primary RPAM Connector goes down, traffic is automatically redirected to the backup RPAM Connector.

The Remote Access Portal (RAP) installation script asks for several configuration details:
o the Remote Access Portal (RAP) hostname,
o the WireGuard port number,
o the WireGuard IP segment,
o the WireGuard IP address that will be assigned to the Remote Access Portal (RAP) environment,
o the WireGuard IP address that will be assigned to the RPAM Connector environment,
o the public key generated by the RPAM Connector's installation script.

Portal configuration descriptions                                  Example values
Remote Access Portal (RAP) hostname                                https://rap.company.com
WireGuard port number                                              51820
WireGuard IP segment                                               10.0.0.0/29
WireGuard IP address assigned to the Remote Access Portal's side   10.0.0.1
WireGuard IP address assigned to the RPAM Connector's side         10.0.0.2
Public key generated by the RPAM Connector's installation script   hye1ob+egwbkribgwzpq8neiake7egv8iwt811t69eg=

After all information has been filled in, press y to continue. If any information is missing or wrong, press n to re-enter it.

When the installation script asks for the public key and the user does not yet know the public key generated by the RPAM Connector's installation script, a temporary public key can be set for now (e.g. hye1ob+egwbkribgwzpq8neiake7egv8iwt811t69eg=). Please do not forget to set the real public key afterwards using the Remote Access Portal's installation script (see 6 b below) once the RPAM Connector's installation script has generated it.

During installation, the user is asked to choose the target PAM version so that the proper RAP JAR file is downloaded.

At the end of the Remote Access Portal's installation script, the public key generated by this script is ready to be used in the RPAM Connector (on-premises) environment (e.g. ftwteku3ge6yrhj8sswm279kdrkm/5l8isjajwyyeg0=). Please do not forget to add this key in the RPAM Connector environment using the RPAM Connector's installation script (see 4 b on the next page).

In the last step, to replace the self-signed certificate and generic RSA private key with the user's own certificate and RSA private key, remove the self-signed certificate and generic RSA private key from the /etc/nginx/certs directory, then add the user's AWS certificate and RSA private key with the same names. Lastly, restart the nginx service with the `sudo systemctl restart nginx.service` command.

b) Once the Remote Access Portal (RAP) has been fully installed, only one configuration is missing: the public key generated by the RPAM Connector's installation script. When the user executes the RPAM Connector's installation script on-premises (see 4 a on the next page), it generates a public key to be used in the Remote Access Portal (RAP); this option configures the secure tunnel configuration file with the public key generated on the RPAM Connector's side. Select the second option by entering 2 and pressing the Enter key.

During installation, the user is asked to choose between the normal scenario and the failover scenario for Remote Privileged Access Management:
(1) Normal scenario: the Remote Access Portal establishes the WireGuard tunnel to a single RPAM Connector. If the tunnel becomes unavailable, access is interrupted until the connection is restored.
(2) Failover scenario: the Remote Access Portal is configured with a primary and a backup RPAM Connector. If the WireGuard tunnel to the primary RPAM Connector goes down, traffic is automatically redirected to the backup RPAM Connector.

Then set the public key field of the secure tunnel configuration file to the public key generated by the RPAM Connector's installation script (e.g. g1zi8fxmn0tgprf518mz7f/bk1npasnebspmbokd2ta=).
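The prerequisite check and the configuration inputs above (hostname, WireGuard port, IP segment, the two tunnel addresses and the connector's public key) are easy to get wrong, and the installer only rejects them once it has already modified the extracted files. The script below is an added example, not the vendor's configure.sh and not part of the original page: it interprets the `mokutil --sb-state` output, checks that both WireGuard addresses are usable hosts inside the segment, checks that the public key is a canonical 32-byte base64 value, and renders the tunnel stanza those inputs should produce. The script name rap_precheck.sh, the variable names, the wg0.conf layout it renders and the all-zero placeholder key are assumptions; the example values are the page's own.

```shell
#!/bin/sh
# Added illustrative pre-check for the RAP installation. This is not the
# vendor's configure.sh; it modifies nothing on the system. Script name,
# variable names and the rendered stanza are assumptions.

# Constructed sample input: the example values from the configuration table.
RAP_HOSTNAME="https://rap.company.com"
WG_PORT=51820
WG_SEGMENT="10.0.0.0/29"
WG_RAP_IP="10.0.0.1"
WG_CONNECTOR_IP="10.0.0.2"
# Constructed placeholder key (43 x 'A' + '='); replace with the connector's real key.
CONNECTOR_PUBKEY="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="

# Interpret `mokutil --sb-state` output: 0 when Secure Boot is enabled (the
# WireGuard install is expected to fail), 1 when disabled or unsupported.
secure_boot_enabled_from_output() {
  case $1 in *"SecureBoot enabled"*) return 0;; esac
  return 1
}

# Dotted quad -> integer; fails on malformed octets (including leading zeros).
ip_to_int() {
  _oifs=$IFS; IFS=.; set -- $1; IFS=$_oifs
  [ $# -eq 4 ] || return 1
  for _o in "$1" "$2" "$3" "$4"; do
    case $_o in ''|*[!0-9]*|0[0-9]*) return 1;; esac
    [ "$_o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when $1 is a usable host inside CIDR $2: inside the segment and neither
# the network nor the broadcast address, which a tunnel endpoint must not use.
usable_host_in_cidr() {
  _net=${2%/*}; _bits=${2#*/}
  case $_bits in ''|*[!0-9]*) return 1;; esac
  [ "$2" != "$_net" ] && [ "$_bits" -le 30 ] || return 1
  _ip=$(ip_to_int "$1") || return 1
  _n=$(ip_to_int "$_net") || return 1
  _mask=$(( (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
  _host=$(( _ip & ~_mask & 0xFFFFFFFF ))
  [ $(( _ip & _mask )) -eq $(( _n & _mask )) ] || return 1
  [ "$_host" -ne 0 ] && [ "$_host" -ne $(( ~_mask & 0xFFFFFFFF )) ]
}

# A WireGuard public key is canonical base64 of exactly 32 bytes: 44 chars,
# a single trailing "=", and a 43rd char whose two low bits are clear.
wg_key_ok() {
  [ ${#1} -eq 44 ] || return 1
  case $1 in *[!A-Za-z0-9+/=]*) return 1;; esac
  case ${1%?} in *=*) return 1;; esac
  case $1 in *[AEIMQUYcgkosw048]=) return 0;; esac
  return 1
}

port_ok() {
  case $1 in ''|*[!0-9]*|0[0-9]*) return 1;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Report every inconsistent input; return 1 if any was found.
validate_inputs() {
  _bad=0
  case $RAP_HOSTNAME in https://*) ;; *) echo "hostname must start with https://"; _bad=1;; esac
  port_ok "$WG_PORT" || { echo "bad WireGuard port: $WG_PORT"; _bad=1; }
  usable_host_in_cidr "$WG_RAP_IP" "$WG_SEGMENT" || { echo "RAP address $WG_RAP_IP is not a usable host in $WG_SEGMENT"; _bad=1; }
  usable_host_in_cidr "$WG_CONNECTOR_IP" "$WG_SEGMENT" || { echo "connector address $WG_CONNECTOR_IP is not a usable host in $WG_SEGMENT"; _bad=1; }
  [ "$WG_RAP_IP" != "$WG_CONNECTOR_IP" ] || { echo "RAP and connector addresses must differ"; _bad=1; }
  wg_key_ok "$CONNECTOR_PUBKEY" || { echo "connector public key is not a valid WireGuard key"; _bad=1; }
  return $_bad
}

# Tunnel stanza the inputs correspond to on the RAP (server) side. Assumed
# layout; the private key is generated by the installer, not shown here.
render_wg_conf() {
  printf '[Interface]\nAddress = %s/%s\nListenPort = %s\nPrivateKey = <RAP private key, generated by the installer>\n\n' \
    "$WG_RAP_IP" "${WG_SEGMENT#*/}" "$WG_PORT"
  printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$CONNECTOR_PUBKEY" "$WG_CONNECTOR_IP"
}

main() {
  if command -v mokutil >/dev/null 2>&1; then
    _sb=$(mokutil --sb-state 2>&1)
    if secure_boot_enabled_from_output "$_sb"; then
      echo "Secure Boot is enabled: disable it before running configure.sh"; return 1
    fi
  else
    echo "mokutil not found; check the Secure Boot state manually"
  fi
  command -v unzip >/dev/null 2>&1 || echo "unzip is missing: sudo dnf install -y unzip"
  [ "$(id -u)" -eq 0 ] || echo "configure.sh needs root privileges"
  validate_inputs || return 1
  echo "Inputs are consistent; expected tunnel stanza:"; render_wg_conf
}

# Run only when executed as rap_precheck.sh, so the functions can be sourced
# without side effects.
case $0 in *rap_precheck*) main "$@";; esac
```

Save it as rap_precheck.sh, edit the input block to match what will be typed into configure.sh, and run `sh rap_precheck.sh` before step 3. The key check is deliberately strict about canonical base64 so that a key copied with a stray character, or one that was case-mangled in transit, is caught before it lands in the secure tunnel configuration file.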