4.7.2. Deployment Steps

To ensure that the use case we are deploying works correctly, it is necessary to carefully follow the steps indicated below. These may vary depending on the requirements and needs of your particular deployment.

The mandatory and optional steps are detailed below. Remember that which of them apply will depend on your specific case.

Architecture

  • Architecture: The first step is the deployment of the nodes needed for this use case. Here you will find the necessary information related to the architecture of the use case. You can find a detailed explanation of the deployment of each of the nodes in Deployment and basic configuration.

Configuration

  • Backend Configuration: This section details the steps necessary to configure the nodes that make up the backend of the use case. These include CMI, CMIX, ON Core, and ON Sensor.

  • VPN Gateway Configuration: The configuration of the VPN Gateway node (CMIX) includes the creation of zones, interfaces, hosts, and basic rules, as well as the configuration of the VPN itself depending on the chosen type (OpenVPN or Wireguard).

Administration

  • AD Configuration: The AD configuration is necessary if you are authenticating VPN users against an Active Directory. Here you can also define LDAP filters to segment access to the VPN.

  • Set FW as Network Device: It is important to have the VPN Gateway (CMIX) node defined as a Network Device within ON Core. This helps identify the node and allows the Toggle Port to be configured depending on the type of VPN used.

  • ON Core Policies Configuration: It is important to define access policies in ON Core. These determine the access permissions to the VPN.

  • VPN RoadWarrior policy configuration: Here we define the VPN policies on the VPN Gateway node.

  • ON Agent Configuration: For the 2SRA use case, the VPN client is the OpenNAC Enterprise agent (ON Agent). This step explains how it should be used to connect to the deployed VPN.

Optional:

  • Single Sign-On Wireguard VPN using SAML: Using Wireguard as the VPN service allows SAML to be used as the authentication backend through the OpenNAC Enterprise captive portal. For this, it is necessary to follow this section to deploy and configure the captive portal.

  • OTP Configuration: To improve the security of the use case, it is possible to use the One Time Password (OTP or 2FA) system to require a one-time password when connecting to the VPN.

Operation

  • Operation: In this step we start operating the use case and checking that all the functionalities work as expected. If we find any unexpected behavior, we can go to the Troubleshooting step to find and fix the issue.

Monitoring

  • Monitoring: At this point we see how the data is being ingested and stored in ON Analytics. To check this, we can open the different visualizations available for this use case.

Troubleshooting