CT Connectors
CT Connectors are software appliances built on a Linux code base (currently Ubuntu 16.04). CT Connectors give remote users secure access to the enterprise applications hosted in the Xaccess private network. Active CT Connectors in an Xshield instance are always connected to multiple CT Brokers deployed across multiple AWS regions in the ColorTokens Secure Cloud. This ensures redundancy and low-latency routing for access requests from remote users.
Deployment
CT Connector software images are available in multiple formats: OVA, DEB, AMI, and Azure VM. The following types of deployment are supported.
On-premises
Connectors can be deployed in private data centers on VMware instances and bare-metal servers. Both VM instances and bare-metal servers must meet the following minimum sizing: 2 vCPUs, 8 GB RAM, 50 GB disk space, and 1 Gbps throughput. VM instances must use the Thick provision lazy zeroed disk format.
Cloud-only
Connector images for deployment in the AWS and Azure clouds are readily available in the image galleries. The minimum recommended EC2 instance type for the Connector AMI is General purpose m5.large. The minimum recommended VM size for the Azure VM image is General purpose Standard_D2_v4.
ColorTokens periodically updates the AWS and Azure galleries with new Connector images. Currently, the latest image in the AWS gallery is 8.0.0.72-58, and the latest in the Azure gallery is 8.0.0.72-69. We recommend that you always deploy the latest image.
Hybrid
With a hybrid deployment, you can deploy Connectors on-premises and on the AWS and/or Azure cloud. The specifications for deploying the Connectors remain the same as those for on-premises and cloud deployment. Also, no added configuration is needed on Xshield to enable hybrid deployment for Xaccess.
For all types of deployments, we recommend that you deploy at least two Connectors in the Active/Active redundancy mode. Monitor the TOP CONNECTORS BY RESOURCE UTILIZATION widget in the Xaccess Dashboard. If you see a considerable amount of resource utilization, add more Connectors to your deployment.
Onboarding and registration
For new Xshield instances or instances that are newly adopting Xaccess, the Xaccess Onboarding Wizard unlocks the other Xaccess features. The wizard lets you deploy and register the first CT Connector to the instance and integrate an Identity Provider (IdP) with the instance. From there, you can deploy Connectors based on the type of deployment you prefer (on-premises, cloud-only or hybrid) and the throughput needed to manage users' access requests to the applications protected by the Connectors.
Connectors must be explicitly registered to the instance using the Instance IDs of the Connector instances where they are deployed. All registered Connectors are listed on the Xaccess > Connectors page.
Upgrading connectors
When SNAT is disabled, HA is supported during CT Connector upgrades for versions 8.0.0.88 and above. This feature depends on the Keepalive package.
For HA-enabled Connector upgrades from any version to 8.0.0.88 or above, you must install the Connector and Keepalive packages together.
To upgrade the connectors, follow the steps below:
- Copy ctconnector_8.0.0.88_amd64.deb (version 8.0.0.88 or above) and the script ctconnector_upgrade.sh to the CT Connector before executing the installation script.
- Execute: sh ctconnector_upgrade.sh ctconnector_8.0.0.88_amd64.deb
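Before running the upgrade script, it is worth confirming that the package you copied actually meets the 8.0.0.88 floor. The following Python pre-flight check is an added example, not part of the ColorTokens documentation or tooling: it assumes the package filename follows the pattern of the single documented example, ctconnector_<version>_amd64.deb, extracts the version and compares it numerically. Comparing as integer tuples rather than strings matters because a build such as 8.0.0.100 sorts below 8.0.0.88 when compared as text.

```python
import re
from typing import Tuple

# Minimum version at which HA is supported during an upgrade (from the page).
MIN_HA_UPGRADE_VERSION = "8.0.0.88"

# Assumed filename pattern, generalised from the documented example
# ctconnector_8.0.0.88_amd64.deb; other builds are assumed to follow it.
_DEB_NAME = re.compile(r"^ctconnector_(\d+(?:\.\d+)*)_amd64\.deb$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version string into a tuple of integers.

    Tuples of ints compare component by component, which avoids the
    string-comparison pitfall where "8.0.0.100" < "8.0.0.88" is True.
    """
    return tuple(int(part) for part in version.split("."))


def version_from_deb(filename: str) -> str:
    """Extract the version embedded in a ctconnector .deb filename."""
    match = _DEB_NAME.match(filename)
    if not match:
        raise ValueError(f"not a ctconnector package name: {filename!r}")
    return match.group(1)


def supports_ha_upgrade(filename: str) -> bool:
    """True if the package is 8.0.0.88 or newer, the documented floor for HA upgrades."""
    return parse_version(version_from_deb(filename)) >= parse_version(MIN_HA_UPGRADE_VERSION)


if __name__ == "__main__":
    # Constructed sample filenames; only the first is the one the page names.
    for name in ("ctconnector_8.0.0.88_amd64.deb",
                 "ctconnector_8.0.0.100_amd64.deb",
                 "ctconnector_8.0.0.72_amd64.deb"):
        print(name, "HA upgrade supported:", supports_ha_upgrade(name))
```

Run the check on the Connector (or wherever you stage the package) before invoking sh ctconnector_upgrade.sh; a package below the floor should simply not be used for an HA upgrade.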
Application Discovery
Application Discovery for a CT Connector involves specifying the subnets and domains where the enterprise applications that users access are hosted. Currently, this must be done on a per-Connector basis from the Xaccess > Connectors page. Enabling Application Discovery lets you use the policy recommendations for user traffic to the relevant Workload groups and Domain groups to build Xaccess policies for users.
Management and troubleshooting
CT Connectors are built for low maintenance. Connectors can be managed from the Xshield UI or the CLI of the Connector.
- Xshield UI - After the Connectors are deployed and registered with the instance, they are listed on the Xaccess > Connectors page. You can enable, disable or decommission Connectors from this page. The Status column on this page displays whether the Connector is Online or Offline in the Xaccess private network. Connectors are monitored with 90-second heartbeats and deemed Offline if two heartbeats are missed.
Currently, Connectors can be upgraded only by upgrading the Xshield agents on them.
- Connector CLI - The Connector CLI supports a wide range of config, show, and agent-related commands to troubleshoot connectivity and operational issues and to manage the agents and agent processes on the Connectors. You can also download logs from Connectors using the Xshield Logcollect utility.
By default, SSH access to Connectors is disabled. You must enable SSH access explicitly for one or more IP addresses.
- CLI Password - You can view, copy or regenerate the CLI password on an on-premises Connector instance. This option is disabled for AWS and Azure Connectors.
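The heartbeat rule above (90-second heartbeats, Offline after two misses) and the earlier recommendation to run at least two Connectors in Active/Active mode can be expressed as a small monitoring check of your own. The following Python is an added example, not ColorTokens code: the heartbeat timestamps are constructed sample data, and how Xshield itself stores heartbeats is not described on this page. It shows the boundary case a practitioner cares about, namely that one missed heartbeat still counts as Online and the second miss flips the status.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

HEARTBEAT_INTERVAL = timedelta(seconds=90)   # documented heartbeat period
MISSED_HEARTBEATS_FOR_OFFLINE = 2            # documented threshold


def connector_status(last_heartbeat: datetime, now: datetime) -> str:
    """Return "Online" or "Offline" for one Connector.

    A Connector is Offline once two consecutive heartbeats have been
    missed, i.e. when nothing has been heard for at least 2 x 90 s.
    """
    silence = now - last_heartbeat
    if silence >= HEARTBEAT_INTERVAL * MISSED_HEARTBEATS_FOR_OFFLINE:
        return "Offline"
    return "Online"


def status_report(heartbeats: Dict[str, List[datetime]], now: datetime) -> Dict[str, str]:
    """Evaluate every Connector from the most recent heartbeat in its history."""
    return {name: connector_status(max(times), now) for name, times in heartbeats.items()}


def redundancy_ok(report: Dict[str, str], minimum_online: int = 2) -> bool:
    """Check the documented recommendation of at least two Connectors in Active/Active mode."""
    online = sum(1 for state in report.values() if state == "Online")
    return online >= minimum_online


# Constructed sample data: seconds before NOW at which each Connector was heard.
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_HEARTBEATS = {
    "connector-a": [NOW - timedelta(seconds=s) for s in (270, 180, 90, 30)],  # healthy
    "connector-b": [NOW - timedelta(seconds=s) for s in (360, 270, 180)],     # two misses
    "connector-c": [NOW - timedelta(seconds=s) for s in (300, 210, 120)],     # one miss
}

if __name__ == "__main__":
    report = status_report(SAMPLE_HEARTBEATS, NOW)
    for name, state in report.items():
        print(f"{name}: {state}")
    print("redundancy ok:", redundancy_ok(report))
```

Feed it the most recent heartbeat you can observe per Connector and alert when redundancy_ok returns False; that is the point at which the dashboard advice to add more Connectors applies.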
ColorTokens manages the CT Brokers. During troubleshooting, if you identify that a CT Broker is the cause of the issue, contact ColorTokens Customer Support for assistance.