Security

Hi all,
I have a cppm cluster sitting behind a firewall that basically blocks internet access from the subnet the cppm servers are installed on. This hasn't been too bad as all i do normally is download the firmware release or fingerprint   update manually and install stuff that way.

However, i now want to install some extensions on this server and am a bit stuck because of course the cluster members don't have Internet access.

Only solution seems to be external access via a proxy server but I need to know the URLs that need to be allowed. Don't know what level of regex is allowed when specifying the URL to connect to.

So ... is there a list of urls used to pull all downloads required by a cppm server .. including  extensions

or is there a way of obtaining extensions manually.

Methinks the move of cppm 6.0 to use of tokens could screw things up even more :-(

RGds
Alex

------------------------------
Alex Sharaz
------------------------------

Alex, some TechNote have them listed, others don't. This was the last list I had, however I suggest checking with TAC to ensure it's not changed.

extensions.clearpassbeta.com

registry-1.docker.io

index.docker.io

auth.docker.io

production.cloudflare.docker.com

------------------------------
Danny Jump
"Passionate about CPPM"
------------------------------

Original Message:
Sent: Jul 14, 2021 06:00 AM
From: Alex Sharaz
Subject: clearpass update URLs

Hi all,
I have a cppm cluster sitting behind a firewall that basically blocks internet access from the subnet the cppm servers are installed on. This hasn't been too bad as all i do normally is download the firmware release or fingerprint   update manually and install stuff that way.

However, i now want to install some extensions on this server and am a bit stuck because of course the cluster members don't have Internet access.

Only solution seems to be external access via a proxy server but I need to know the URLs that need to be allowed. Don't know what level of regex is allowed when specifying the URL to connect to.

So ... is there a list of urls used to pull all downloads required by a cppm server .. including  extensions

or is there a way of obtaining extensions manually.

Methinks the move of cppm 6.0 to use of tokens could screw things up even more :-(

RGds
Alex

------------------------------
Alex Sharaz
------------------------------

Note that the extensions probably will require internet access as well. Here is what I got from my DNS server in lab:
clearpass.arubanetworks.com - Normal updates
registry-1.docker.io - Extension search/installation
auth.docker.io - Extension search/installation
aruba-skyhook.firebaseio.com - Skyhook used by one of my extensions

What you could consider is allowing the updates server, then the ones that Danny shared, and if you have an issue during updates or extension install temporarily allow all outbound from your ClearPass, once done close your firewall again. Enabling logging on the DNS server that ClearPass uses may also help, as the URLs may differ based on which extensions you use.

The token in 6.10 for updates download is likely to make things better as the token is retrieved by your browser and then used by ClearPass to authenticate to clearpass.arubanetworks.com. ClearPass does not reach out to the actual authentication server during the generation of the updates token.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Jul 14, 2021 06:00 AM
From: Alex Sharaz
Subject: clearpass update URLs

Hi all,
I have a cppm cluster sitting behind a firewall that basically blocks internet access from the subnet the cppm servers are installed on. This hasn't been too bad as all i do normally is download the firmware release or fingerprint   update manually and install stuff that way.

However, i now want to install some extensions on this server and am a bit stuck because of course the cluster members don't have Internet access.

Only solution seems to be external access via a proxy server but I need to know the URLs that need to be allowed. Don't know what level of regex is allowed when specifying the URL to connect to.

So ... is there a list of urls used to pull all downloads required by a cppm server .. including  extensions

or is there a way of obtaining extensions manually.

Methinks the move of cppm 6.0 to use of tokens could screw things up even more :-(

RGds
Alex

------------------------------
Alex Sharaz
------------------------------

Many thanks both of you for the FQDN list, much appreciated.

Good to know about the 6.10 token side of things.

Sadly don't have access to any of the firewally things between the cppm servers and outside world

onwards and upwards
Rgds
Alex

------------------------------
Alex Sharaz
------------------------------

Original Message:
Sent: Jul 15, 2021 04:55 AM
From: Herman Robers
Subject: clearpass update URLs

Note that the extensions probably will require internet access as well. Here is what I got from my DNS server in lab:
clearpass.arubanetworks.com - Normal updates
registry-1.docker.io - Extension search/installation
auth.docker.io - Extension search/installation
aruba-skyhook.firebaseio.com - Skyhook used by one of my extensions

What you could consider is allowing the updates server, then the ones that Danny shared, and if you have an issue during updates or extension install temporarily allow all outbound from your ClearPass, once done close your firewall again. Enabling logging on the DNS server that ClearPass uses may also help, as the URLs may differ based on which extensions you use.

The token in 6.10 for updates download is likely to make things better as the token is retrieved by your browser and then used by ClearPass to authenticate to clearpass.arubanetworks.com. ClearPass does not reach out to the actual authentication server during the generation of the updates token.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jul 14, 2021 06:00 AM
From: Alex Sharaz
Subject: clearpass update URLs

Hi all,
I have a cppm cluster sitting behind a firewall that basically blocks internet access from the subnet the cppm servers are installed on. This hasn't been too bad as all i do normally is download the firmware release or fingerprint   update manually and install stuff that way.

However, i now want to install some extensions on this server and am a bit stuck because of course the cluster members don't have Internet access.

Only solution seems to be external access via a proxy server but I need to know the URLs that need to be allowed. Don't know what level of regex is allowed when specifying the URL to connect to.

So ... is there a list of urls used to pull all downloads required by a cppm server .. including  extensions

or is there a way of obtaining extensions manually.

Methinks the move of cppm 6.0 to use of tokens could screw things up even more :-(

RGds
Alex

------------------------------
Alex Sharaz
------------------------------