The storage endpoint should already be configured with at least two Syncplicity Storage Connectors. If you have not configured your storage for this, see Hybrid Cloud Storage and Deploying Syncplicity On-Premises Storage Connector to set up your storage endpoint for Syncplicity.
The following topics describe the prerequisites for installing the on-premises DLP/AV Connector.
Hardware requirements
The DLP/AV Connector requires:
- A minimum of two virtual machines hosted on VMware vSphere Hypervisor (ESXi) 6.0, 6.5, 6.7 or later.
- Each virtual machine must have 8 gigabytes of random access memory, 8 virtual cores and a hard disk drive (HDD) of at least 50 GB.
See the next topic about network configuration for the network hardware requirements, which include two or more Storage Connectors and a storage backend that supports standard NFS v3 or v4, or S3 interfaces.
Network configuration
The DLP/AV Connector is supplied as an OVA file and installed on a virtual machine. The DLP/AV Connector requires the following:
- Each DLP/AV Connector requires a dedicated virtual machine hosted on VMware vSphere Hypervisor.
- At least two DLP/AV Connectors, but you can deploy more for scalability and high availability.
- At least two Storage Connectors
- Ensure TLS 1.2 is used by disabling TLS 1.0 and TLS 1.1, and ensure SSLv3 is disabled. SSLv3 is disabled by default in the JDK.
As shown in the diagram, in a typical deployment the storage layer is in the private area of the corporate network. The Storage Connector and DLP/AV Connector virtual machines are in the semi-private area. Note that the SSL offloading load balancer in the DMZ is for Storage Connectors only.
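A check for the TLS requirement above, as an added example that is not part of the Syncplicity documentation: it reads java.security-style text and reports which of SSLv3, TLS 1.0 and TLS 1.1 are missing from the JDK's `jdk.tls.disabledAlgorithms` property. That the connector's JVM takes its protocol restrictions from this property is an assumption, and both sample inputs are constructed.

```python
# Added example: audit a java.security-style file for the legacy protocols
# that must be disabled so that only TLS 1.2 is negotiated.
REQUIRED_DISABLED = ("SSLv3", "TLSv1", "TLSv1.1")
PROPERTY = "jdk.tls.disabledAlgorithms"

# Constructed sample: TLSv1.1 is listed but TLSv1 is not. A naive substring
# search for "TLSv1" would wrongly report this file as compliant.
WEAK = r"""
# constructed sample, not taken from a real appliance
jdk.tls.disabledAlgorithms=SSLv3, TLSv1.1, RC4, DES, \
    MD5withRSA, DH keySize < 1024
"""

# Constructed sample with all three legacy protocols disabled.
HARDENED = r"""
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, \
    MD5withRSA, DH keySize < 1024
"""


def read_property(text, name):
    """Return the value of `name`, or None if it is not defined.

    Handles '#'/'!' comment lines, backslash line continuations and the
    properties-file rule that the last definition wins. Only the 'key=value'
    form is parsed.
    """
    value, logical, continuing = None, "", False
    for raw in text.splitlines() + [""]:  # sentinel flushes a dangling line
        line = raw.strip()
        if not continuing and (not line or line[0] in "#!"):
            continue
        continuing = line.endswith("\\")
        logical += line[:-1] if continuing else line
        if continuing:
            continue
        key, sep, val = logical.partition("=")
        if sep and key.strip() == name:
            value = val.strip()
        logical = ""
    return value


def audit_tls(text):
    """Return (disabled_entries, missing_required_protocols)."""
    value = read_property(text, PROPERTY) or ""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    # Exact entry match, so "TLSv1.1" does not satisfy the "TLSv1" requirement.
    return entries, [p for p in REQUIRED_DISABLED if p not in entries]
```

An empty second element from `audit_tls` means all three legacy protocols are listed as disabled; any name returned there still needs to be added to the property.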
Inbound port requirements
Atmos storage requirements
To enable the DLP/AV Connector to connect to an EMC Atmos storage backend, the following inbound ports must be open.
| Connection | Port | Protocol |
| --- | --- | --- |
| From the DLP/AV Connector to the Atmos load balancer | 443 if SSL is used | HTTP or HTTPS |
| From the DLP/AV Connector in the DMZ to the Network Time Protocol (NTP) server | 123 | UDP |
Elastic Cloud Storage (ECS) requirements
To enable the DLP/AV Connector to connect to an ECS storage backend, the following inbound ports must be open.
| Connection | Port | Protocol |
| --- | --- | --- |
| From the DLP/AV Connector to the ECS load balancer | 9021 if SSL is used | HTTP or HTTPS |
| From the DLP/AV Connector in the DMZ to the NTP server | 123 | UDP |
NFS v3 or v4-based storage
To enable connections from the DLP/AV Connector virtual machines to the NFS storage backend, the following inbound ports must be open. This includes EMC Isilon storage.
| Port | Protocol | Type of Traffic |
| --- | --- | --- |
| 53 | TCP | DNS for SmartConnect (Isilon only) |
| 111 | TCP | SUN Remote Procedure Call |
| 111 | UDP | SUN Remote Procedure Call |
| 300 | TCP | NFS mount daemon |
| 300 | UDP | NFS mount daemon |
| 302 | TCP | NFS stat daemon |
| 302 | UDP | NFS stat daemon |
| 304 | TCP | NFS lock daemon |
| 304 | UDP | NFS lock daemon |
| 2049 | TCP | NFS server daemon |
| 2049 | UDP | NFS server daemon |
Service accessibility check
To enable checking for DLP/AV Connector service accessibility from external hosts, the following should be allowed.
| Connection | Port | Protocol |
| --- | --- | --- |
| From external hosts to the DLP/AV Connector virtual machines |  | HTTP |
Outbound port requirements
In general, outbound traffic to external hosts on port 443 should be allowed. If that is not possible, at least the following should be allowed.

| Connection | Port | Protocol |
| --- | --- | --- |
| From the DLP/AV Connector virtual machines to: | 443 | HTTPS |
| From the DLP/AV Connector virtual machines to the NTP servers | 123 | UDP |
| From the DLP/AV Connector virtual machines to centos.org, fedoraproject.org. Note: Only required during the upgrade procedure or installation of separate packages, to allow for RPM dependency checking. | 80 | HTTP |
Configure Isilon storage
If you are not using Isilon storage, skip this section.
Isilon storage requires the following additional configuration steps.
- Create an NFS export via the WebUI. Use the basic export settings to lock the export to only the connected Storage and DLP/AV Connectors. Add the IP addresses of the DLP/AV Connectors in the following fields: Clients, Always Read-Write Clients and Root Clients. The values 10.111.158.3 and 10.111.158.4 are example IP addresses of the Storage Connectors; your IP addresses will differ. Leave all other export settings at their defaults.
- If the DLP/AV Connector is in the DMZ (Internet side of the firewall) and the Isilon storage is inside the firewall, you must verify that specific ports are opened on the firewall to allow NFS access from the DLP/AV Connectors to the Isilon storage. This does not apply if the Isilon storage is not behind a firewall.
- Refer to Task 5: Prepare for NFS mounted storage to mount a dedicated Syncplicity share for the Isilon storage.
This completes the basic configuration of the EMC Isilon storage for the on-premises DLP/AV Connector.