Deployment Checklist
This comprehensive checklist covers the various considerations for installing ColorTokens Xshield Gatekeeper, emphasizing network integration, appliance type, configuration, and uninstallation procedures, including specific considerations for OT devices and high availability deployments.
Deployment Planning
Network Integration
- Where will the gateway appliance be positioned within the subnet (LAN/VLAN)?
- Ensure the switch to which the Gatekeeper appliance is connected has two network ports available per Gatekeeper: one for the upstream network and one for the downstream network.
- Ensure the upstream network/VLAN has connectivity to colortokens.com, either directly or via a proxy. The following endpoints must be accessible, depending on your region:
  - ng.colortokens.com
  - logs.ng.colortokens.com
  - artifacts.ng.colortokens.com
  - telemetry.ng.colortokens.com
  - apt-ng.colortokens.com
  - registration.colortokens.com
  Typically some changes to the perimeter firewall rules may be necessary to ensure outbound connectivity is available to the Gatekeeper.
- Each Gatekeeper needs 2 VIP addresses allocated per VLAN (one for the upstream side and one for the downstream side). In addition, 2 more IP addresses per VLAN are needed for each Gatekeeper installed in an HA cluster. For example, with 2 Gatekeepers in an HA cluster you need 2 VIPs + 4 physical IPs across the upstream and downstream subnets for a single managed VLAN.
- The Gatekeeper is typically connected to a distribution switch, access switch or core switch. It is preferable to connect it at a level that allows the Gatekeeper to see the subnets or VLANs it is managing.
- Decide which VLANs the Gatekeeper must manage. The Gatekeeper downstream connection should go to a switch port configured as a trunk port allowing these VLANs.
- Traffic Flow Mode Configuration: Gatekeeper supports symmetric and asymmetric modes:
  - Symmetric mode: add static down routes on the upstream switch for each managed VLAN so that return traffic is sent back through the Gatekeeper. This ensures all traffic flows bidirectionally through the Gatekeeper.
  - Asymmetric mode: no down routes are configured on the switch. Return traffic flows directly from the switch to the devices, while the Gatekeeper can still capture all traffic.
  - For symmetric mode, configure the static route precedence order on the switches if needed, so that static routes take precedence over connected routes.
Appliance Type
- Will you use a hardware or virtual appliance?
- If hardware, is it a ColorTokens Xshield gateway appliance or compatible hardware?
- If virtual, what virtualization environment will be used (e.g., VMware)?
- Will the appliance be in standalone or high availability (HA) mode?
- For HA, plan for two or more appliances in active/standby or active/active mode.
DHCP / DNS / Static IP Considerations
- If using DHCP, will the Gatekeeper act as the DHCP server or as a DHCP relay? DHCP relay mode is preferable, because it ensures that existing IP allocations and any DNS bindings are maintained.
- Ensure the gateway appliance is the only DHCP relay/server in the subnet.
- Decide whether the Gatekeeper should manage “All devices” in the subnet or “Selected devices” in the subnet.
- If using static mode, plan to modify the static devices' network configuration.
- Will the Gatekeeper use a private DNS server or a public one? What is the server IP?
- If only static IP devices are present, DHCP is not necessary and the Gatekeeper can run in static mode. Where both DHCP and static devices are present, the Gatekeeper must run in mixed mode.
- Static IP Device Configuration: for static IP devices, you must modify the network configuration on each individual device/endpoint:
  - Set the gateway IP to the Gatekeeper downstream VIP.
  - Configure the netmask as /32 (255.255.255.255) or at least /29, depending on your network requirements.
OT Device Considerations
- Identify the different types of OT devices in the subnet and, for static devices, ensure you can set the gateway IP to the Gatekeeper downstream VIP and the netmask to /32 or at least /29.
Appliance Installation
Virtual Appliance (OVA)
- Ensure ESXi 6.5 or above is available.
- Determine and configure networking details for the WAN (upstream) interface.
- Set up disk and network interfaces for the VM in ESXi.
- Download the OVA image from the Xshield Console.
- Create the VM from the OVA image.
- Connect the WAN and LAN ports to the correct network/virtual port group in ESXi.
- Verify VM settings (RAM, CPU cores, HD size).
- Power on the VM.
- Increase disk size and configure network interfaces, if necessary.
Appliance Installation (ISO Image)
- Use amd64-based hardware capable of running Ubuntu 22.04.
- Create a bootable USB from the ISO image.
- Boot the hardware appliance from the bootable USB.
- Follow the prompts to install the ColorTokens Xshield Gateway.
- Log in and change the default password.
- Configure and register the appliance.
Appliance Configuration
Registration
- Boot up the appliance and log in.
- Enter the Gatekeeper name.
- Verify the Gatekeeper information.
- Configure network settings if needed.
- Register the Gatekeeper using the activation code or deployment key.
- Verify registration in the Xshield console.
Appliance Configuration UI
- Configure the appliance as standalone or HA.
- For HA, configure each appliance individually, then pair them in the configuration UI by adding the second Gatekeeper to the primary Gatekeeper appliance.
- Configure DHCP settings (enable/disable, lease time, start/end IP, server/relay mode).
- In HA mode, configure the VRRP ID and password. Gatekeepers in different clusters should use different VRRP IDs, while all Gatekeepers in a single cluster must use the same VRRP ID.
- Specify the IP address for the protected network interface (LAN).
- Specify the IP address and gateway IP for the WAN interface.
- Configure the virtual IP and peer IP for HA appliances.
- Apply the configuration changes.
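The address-allocation rule from Network Integration (2 VIPs per managed VLAN plus 2 physical IPs per HA member) and the VRRP ID rule above are easy to get wrong on paper, so here is an added plan checker (not ColorTokens code; the plan dictionary layout, cluster names and 10.x addresses are constructed for the example):

```python
import ipaddress
def check_plan(clusters, vlans):
    """Return the problems found; [] means the plan meets the checklist rules:
    2 VIPs per managed VLAN (one per side) + 2 physical IPs per HA member,
    all inside the side's subnet; one VRRP ID per cluster, distinct across clusters.
    clusters: {cluster: {gatekeeper: vrrp_id}}
    vlans: {vlan: {"cluster": c, "upstream"/"downstream":
                   {"subnet": cidr, "vip": ip, "physical": [ip, ...]}}}"""
    problems, by_id = [], {}                 # by_id: VRRP ID -> cluster using it
    for cname, members in clusters.items():
        ids = set(members.values())
        if len(ids) != 1:                    # every member must share one VRRP ID
            problems.append(f"{cname}: mixed VRRP IDs {sorted(ids)}")
        for vid in ids:
            if not 1 <= vid <= 255:          # VRRP virtual router IDs are 1-255
                problems.append(f"{cname}: VRRP ID {vid} outside 1-255")
            elif by_id.setdefault(vid, cname) != cname:
                problems.append(f"{cname} and {by_id[vid]} share VRRP ID {vid}")
    for vname, v in vlans.items():
        members = clusters[v["cluster"]]
        for side_name in ("upstream", "downstream"):
            s = v[side_name]
            net = ipaddress.ip_network(s["subnet"], strict=False)
            if len(s["physical"]) != len(members):
                problems.append(f"{vname}/{side_name}: need {len(members)} physical "
                                f"IPs for the HA members, got {len(s['physical'])}")
            addrs = [s["vip"]] + s["physical"]
            problems += [f"{vname}/{side_name}: {a} not in {net}"
                         for a in addrs if ipaddress.ip_address(a) not in net]
            if len(set(addrs)) != len(addrs):
                problems.append(f"{vname}/{side_name}: duplicate address")
    return problems

def side(subnet, vip, *physical):            # helper to keep the sample short
    return {"subnet": subnet, "vip": vip, "physical": list(physical)}
# Constructed sample: two HA pairs. vlan20 is complete; vlan30 is one physical
# address short on the downstream side and its downstream VIP is off-subnet.
CLUSTERS = {"gk-east": {"gk-east-1": 10, "gk-east-2": 10},
            "gk-west": {"gk-west-1": 11, "gk-west-2": 11}}
VLANS = {"vlan20": {"cluster": "gk-east",
                    "upstream": side("10.20.0.0/24", "10.20.0.1", "10.20.0.2", "10.20.0.3"),
                    "downstream": side("10.20.1.0/24", "10.20.1.1", "10.20.1.2", "10.20.1.3")},
         "vlan30": {"cluster": "gk-west",
                    "upstream": side("10.30.0.0/24", "10.30.0.1", "10.30.0.2", "10.30.0.3"),
                    "downstream": side("10.30.1.0/24", "10.30.9.1", "10.30.1.2")}}

if __name__ == "__main__":
    for p in check_plan(CLUSTERS, VLANS):
        print("PROBLEM:", p)
```

Run it against your own plan before requesting addresses from the network team; an empty result means the allocation and VRRP IDs satisfy the checklist.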
Post-Configuration
- If using static mode, modify the static devices' network configuration to specify the gateway IP / netmask.
- If using DHCP, disconnect and reconnect devices or renew the DHCP lease so that they obtain their new address.
Uninstallation
- Be aware that uninstallation might revert the interface configuration and cause loss of connectivity.
- For an HA pair, uninstall the standby appliance first.
- To uninstall a Gatekeeper, use the Xshield Gatekeeper List page to select the Gatekeeper and choose the Decommission option in the UI. This unregisters the Gatekeeper and removes any data on it. The Gatekeeper can then be unplugged from the network.