Date post: 20-Jul-2020
Web Security Service Connectivity: SD-WAN/SD Cloud Connector Revision: APR.30.2020

SD Cloud Connector Integration

The Symantec SD Cloud Connector is an SD-WAN Access Method to the WSS.

- "Connectivity: About SD-WAN"

- "Integrate the SD Cloud Connector"

Connectivity: About SD-WAN

The Software-Defined WAN (SD-WAN) connectivity method is an option for fixed-location connections to the Web Security Service. This method reduces the need to continuously reconfigure existing network switches or firewalls. For micro-branch (small office size) locations, the SD-WAN solution can simplify your internet gateway infrastructure.

Why Implement an SD-WAN Solution?

- SD-WAN devices are application-aware and provide improved application performance.

- Supports multiple routing protocols, such as OSPF and RIP, over Multi-protocol Label Switching (MPLS) and provides connectivity through WiFi and LTE wireless.

- Lowers the use of MPLS links and helps reduce the cost associated with expensive bandwidth.

Topography—Generic SD-WAN Deployment

One reason companies implement an SD-WAN network architecture is that it provides integrated security and policy orchestration through end-to-end encrypted connections.

About the SD Cloud Connector

As an Access Method option for fixed locations connecting to the WSS, the SD Cloud Connector is based on SD-WAN technology. For micro-branch (small office size) locations, the SD Cloud Connector solution eliminates the need for additional router or firewall infrastructure. This method provides an alternative to the reconfiguration of existing routers and firewalls, plus provides centralized management of all locations through the cloud.

The Symantec SD-WAN Access Method comprises two components.

- SD Cloud Connector Edge—An appliance that provides enhanced connectivity to the WSS.

- Orchestrator Portal—A multi-tenant cloud-hosted portal that enables you to centrally manage one or more Edges. You can configure and manage the service and view data and statistics when available as part of the service.

Topography

1—Deploy SD Cloud Connectors at each location. Every device ships with a Quick Start Guide for on-site personnel to follow to get connected.

2—Establish communication between the SD Cloud Connector and the WSS. The Edge uses its own serial number and a date and time to generate a Pre-Shared Key (PSK) that is shared between the Edge and the WSS.

3—As employees perform internet content requests, the Edge passes the traffic to the Client Traffic Controller (CTC) in the nearest three geographical Symantec WSS data centers (this provides failover without any additional configuration). The WSS performs authentication, security, DLP, and use policy validation (as configured) and the return delivery of acceptable content.

4—Through the Symantec Orchestrator, you can administer and manage all Edge devices, such as defining policies and traffic routes to the WSS.

Tip: The diagram above is the basic topography. You can also configure an Edge device to serve as a central hub. Other Edge devices send traffic to this hub, which then sends the requests to the WSS. For example, the company has a regional office surrounded geographically by several smaller satellite offices. This deployment method is not described in this document. The Orchestrator Online Help System provides more information.

Capabilities

In addition to basic gateway firewall functionality, the SD Cloud Connector provides the following.

- Geo location and automatic fail-over

- Multi-Link support

- Load-Balancing Across Links

- Link Health Monitoring

- App-Based Traffic Direction

- Basic QoS and Firewall

- Granular Profiles Configuration

- Cloud-Based Central Management Portal

Benefits

The Symantec SD Cloud Connector integration provides the following benefits.

- A viable option for environments where installing an agent on clients is prohibited or not desired. Also for environments that have a wide variety of device Operating Systems, especially when mobile devices are involved.

- The turn-key solution is comparable to a home WiFi router setup.

- Provides a low touch plug and play solution that replaces the need for additional WAN routers/firewall devices deployed at every location.

- Provides highly reliable connectivity to the WSS, reducing manual steps.

- Provides application awareness and geo-location capabilities.

- Includes QoS and Firewall capabilities for improved Performance.

Is this the method you require?

- "Integrate the SD Cloud Connector"

Integrate the SD Cloud Connector

The SD Cloud Connector is Symantec's SD-WAN Access Method to the Web Security Service. This topic describes the integration process. Three components comprise the method.

- Deployment of Symantec Edge devices at various locations.

- Access to the Symantec Orchestrator, a cloud-based management portal.

- Integration with the Web Security Service portal/account.

About Edge Device Deployment(s)

This solution document begins at the Orchestrator service registration and integration process. However, each deployed Edge device requires activation using a code generated by the Orchestrator. The process flow depends on how your organization plans the deployment.

- Receive the order of Edge devices at a centralized location > pre-configure, including adding Edges to the Orchestrator > ship to your branch locations > where local personnel connect device to the internet.

- Drop-ship the Edge devices to branch locations > add Edges to the Orchestrator > local personnel connect device to the internet > send activation code to local personnel, who activate the devices.

Technical Requirements

The following information is required for you to add Edge devices to the Orchestrator portal.

- Edge model number(s).

- The Edge LAN IP address(es) associated with each model (location-specific).

- Ports—The Edge and Orchestrator connections require the following ports to be open on any firewalls that are inline to the internet after the Edge.

  - 80, 443 (HTTP/HTTPS)

- Supports IKEv1 and IKEv2; Symantec recommends IKEv2.

Procedure—SD Cloud Connector

Prerequisite—Obtain API Key

In your Web Security Service portal, obtain an API key that will tenant the service and the Orchestrator.

1. In the portal, navigate to Service mode > Account Maintenance > MDM, API Keys.

2. Click Add API Key.

3. In the Create API dialog, define the API as a Username and Password.

For example: Username is orchestrator.

Tip: If the portal displays a duplicate API key error, define a different username.

4. Click Add.

5. Select the API Key and click Enable.

6. Record these credentials for Orchestrator configuration.

Step 1—Access the Orchestrator.

When your account purchases the SD Cloud Connector, the admin of record receives a registration email that contains your initial access credentials to the Orchestrator.

1. In a browser, enter the URL provided in the email.

https://orchestrator.wss.symantec.com/

2. Enter the initial access credentials and Sign In.

Security Tip: Change the default access credentials.

Step 2—Tenant the Orchestrator and the Web Security Service

1. In the Orchestrator, select Configure > Network Services.

2. Scroll to Cloud Security Service and click New.

a. Name the service.

b. The Service Type is Symantec Web Security Service.

c. Select Automate Cloud Service Deployment.

d. Enter the Username and Password, which is the API Key you created in the WSS portal.

e. Click Validate Credentials.

f. Click Save Changes (the button is not active until your credentials are validated).

Step 3—Configure the Device Profile

1. In the Orchestrator, select Configure > Profiles.

a. Click New Profile.

b. In the New Profile dialog, Name the profile and click Create.

The portal displays the new Configure Profile.

2. Click the Device tab.

3. Add the cloud security service.

a. In the Configure Segments area, set the Cloud Security Service toggle to On.

b. From the resulting Cloud Security Service drop-down list, select the network service that you created in Step 2.

c. Select the web traffic redirection option.

- Redirect only web traffic...—Establishes a tunnel to the WSS and sends only traffic from ports 80 (HTTP) and 443 (HTTPS).

- Redirect all internet-bound traffic...—Establishes a tunnel to the WSS and sends all internet-bound traffic. By default, the Edge drops any internal network traffic (RFC1918). Select this option if you are using the Trans-Proxy Access Method or SAML authentication.

Note: For internal IP addresses that are not internet bound, use a hop before the Edge device to appropriately re-direct the traffic.

d. Select the Hash/Encryption algorithm for the IPsec tunnel that connects to all Symantec Edge devices.

e. Click Save Changes (upper-right of screen).

Caution: If you return and set the Cloud Security Toggle to Off, the Web Security Service portal drops all tunnels and locations. Use with extreme prejudice.
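
Before choosing between the two redirection options in sub-step c, it helps to see how each would treat a sample of your traffic. The following is an added example, not Symantec code: the mode labels `web` and `all`, the function names, and the sample flows are constructed for illustration, and it assumes that the RFC1918 default drop applies under either option and that the port test is on the destination port.

```python
import ipaddress
from collections import Counter

# RFC 1918 private ranges, which the page says the Edge drops by default.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_PORTS = {80, 443}  # HTTP/HTTPS, the ports named by "Redirect only web traffic"


def is_rfc1918(dst):
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in RFC1918)


def classify(dst, port, mode):
    """Return 'tunnel', 'not-tunneled' or 'internal-drop' for one flow.

    mode is 'web' or 'all' (hypothetical labels for the two options).
    """
    if mode not in ("web", "all"):
        raise ValueError(f"unknown mode: {mode!r}")
    if is_rfc1918(dst):
        # Assumption: the default drop applies under either option.
        return "internal-drop"
    if mode == "all" or port in WEB_PORTS:  # assumption: destination port
        return "tunnel"
    return "not-tunneled"


def summarize(flows, mode):
    """Count how many flows fall into each outcome for the given mode."""
    return Counter(classify(dst, port, mode) for dst, port in flows)


def needs_upstream_hop(flows):
    """Internal destinations that need a hop before the Edge (the page's Note)."""
    return sorted({dst for dst, _ in flows if is_rfc1918(dst)})


# Constructed sample flows: (destination IP, destination port).
SAMPLE_FLOWS = [
    ("203.0.113.10", 443),
    ("203.0.113.10", 80),
    ("198.51.100.7", 25),
    ("198.51.100.9", 8443),
    ("10.20.30.40", 443),
    ("172.16.5.5", 445),
    ("172.32.0.1", 443),  # just outside 172.16.0.0/12, so internet-bound
]

if __name__ == "__main__":
    for mode in ("web", "all"):
        print(mode, dict(summarize(SAMPLE_FLOWS, mode)))
    print("needs hop before Edge:", needs_upstream_hop(SAMPLE_FLOWS))
```

Feeding it destination/port pairs exported from an existing firewall or flow collector shows how much non-web traffic the web-only option would leave outside WSS inspection, and which internal destinations need routing ahead of the Edge.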

Step 4—Configure the Edge Device(s)

1. In the Orchestrator, select Configure > Edges.

2. Click New Edge.

a. Name the Edge. For example, associate with an office name or geographical location.

b. Select the Model.

c. Select the device Profile you previously created.

d. Enter Contact Name and Email information.

- If you are the admin who is provisioning the physical Edge devices and then shipping them, enter your email address.

- If another admin or person at the branch location is receiving this Edge device and will be connecting and activating it on location, enter their email address.

e. (Optional, Recommended) Click the Set Location link and enter geographic information. This allows you to view this Edge device on the global maps available in the Orchestrator portal.

f. Click Create.

The Orchestrator displays the Activation Key in the highlight at the top of the page.

The Orchestrator also sends an email to the recipient specified in sub-step d. The email contains the activation link and instructions. But you can also copy this Activation Key and send or enter it in the Edge local user interface.

(Activation is described in the final step).

3. (Optional) Perform the following steps if the local network requires a VLAN tag.

a. Click the Device tab.

b. Scroll down to the Configure VLAN area.

c. A corporate segment likely exists. If so, click Edit. Otherwise, click Add VLAN.

a. Enter Edge LAN IP Address for this device.

b. Enter the Cidr Prefix.

c. Click Update VLAN.

The Orchestrator adds the Edge to the list (Configure > Edges).

Step 5—Activate the Edge(s)

The final integration step requires the Edge device to be already deployed and connected to the internet before it can be activated.

Each Edge device ships with a Quick Start Guide, which describes how to connect to the internet and assign the gateway IP address.

As previously mentioned, when you add an Edge to the Orchestrator, the service sends an email to the defined email address. The email contains an activation link.

Tip: The Edge 5xx series devices generate a WiFi signal. You can locate the SSID from the wireless list on your client (laptop, for example) and connect to the device. The SSID format is symantec-xxx (three-letter/number combination).

1. Connect a client to the Edge device or shared network segment, open the email, and click the activation link.

2. The fields are populated, including your Activation Key as bound from the email. Click Activate.

Upon confirmation, proceed to the Orchestrator verification (Step 6).

Manual Activation Option

If for some reason the link in the email fails to initiate the registration, you can attempt a manual activation.

1. Access the activation email.

2. Access the Edge interface: 192.168.2.1.

3. Enter the Activation Key.

4. Enter the Activation Orchestrator, which is the following URL: orchestrator.wss.symantec.com.

5. Click Activate.

Step 6—Verify Connection Status

Orchestrator

As Edges become activated, the Orchestrator detects them. It might not be instant; allow some time.

1. In the Orchestrator, select Monitor > Edges.

The Status column indicates connectivity (green = connected).

Hovering over the elements displays information, such as tunnel status.

2. Click any Edge link to display multiple monitoring tabs, each providing insight to the traffic that flows through the device.

Web Security Service

In the Web Security Service portal, navigate to Service mode > Network > Locations.

The locations sourced by SD Cloud Connectors are labeled as FQDN IKEv2 Firewall in the Access Method column.

Location Policy

With the SD Cloud Connector now integrated, you can define policy that applies to the location(s).
