How to Install i-SRA/OT App Gateway
Quick guide to install i-SRA/OT App Gateway and Private OT POP. Includes DNS setup, token retrieval from Admin Portal, and installation steps for both components.
Prerequisites
Before installing Safous i-SRA/OT in your environment, please ensure the following requirements are met. Following these guidelines will help you maximize Safous OT's functionality and provide a smooth user experience.
A. Hardware Requirements
To guarantee optimal performance and user experience, we recommend the following minimum hardware specifications for your PoP and App Gateway server:
- Dedicated Server: Use a clean, dedicated Linux server exclusively for App Gateway installation. Please ensure that you have root permissions for the machine.
- Scaling Guidelines: We recommend deploying one App Gateway for every 1,000 concurrent users in your environment. For example, a site serving applications to 3,000 users would ideally utilize three App Gateways.
- High Availability: For enhanced availability and uninterrupted service, you should have a minimum of two App Gateway instances per site. This redundancy ensures that even if one instance experiences an outage, the other can continue to provide access to your applications.
- Scaling for High-Traffic Sites: If you anticipate high traffic volumes for your installed site, we recommend deploying additional App Gateways to accommodate the increased traffic volumes and ensure a consistent and smooth user experience.
B. Server Specification
Resource | Guidelines | Example of 1000 users | Remark
Operating System | Ubuntu Server 24.04 | |
CPU Cores | | 6 | Adding App Gateways is preferred over scaling up CPU cores for larger deployments.
RAM | | 8 GB |
Disk | 60 GB minimum | 150 GB | Allocate additional disk space if you intend to store recordings. For high recording volumes, consider utilizing an external mounted volume. Additionally, please ensure you have sufficient Disk IOPS for optimal performance; 3000 IOPS is the baseline.
C. Network Configuration Requirement
To ensure the proper functioning of your Safous OT environment, the following items must be configured:
1. DNS Configuration
Safous OT uses DNS for proper operation. Before installing the Safous OT PoP and App Gateway, an additional DNS record must be added to resolve the Safous OT domain. In this article, we assume that we have the safous.com domain and want to set *.ot.safous.com as our Safous OT environment domain.
The following DNS record set must be added to your internal DNS server configuration:
DNS Zone (ot.safous.com)
Name | Class | Type | Value
tcp | IN | A | <PoP Internal IP>
* | IN | CNAME | tcp.ot.safous.com
2. Ensuring Connectivity
To ensure uninterrupted connectivity, please take the following steps:
- DNS resolver: Check your PoP and App Gateway machines. Ensure the FQDN of the PoP can be resolved from every machine.
- Firewall and Other Security Services: Check your firewall, WAF, or any other security services for rules or policies that might block traffic to or from these domains.
- Wildcard Subdomain Access: The domains with an asterisk (*) represent a wildcard, indicating that all subdomains under that domain need to be accessible. Please ensure that you have appropriate connectivity to all subdomains.
- Proxy Configuration: Do not use proxy servers for traffic between the App Gateway and these domains as this may disrupt the TLS connection and potentially lead to a termination of the TLS connection between the App Gateway and the destination.
- Traffic Manipulation: Ensure no system in your network is configured to manipulate or intercept traffic between the App Gateway and the Safous ZTA PoP.
3. SSL Certificate Requirement
Before beginning the installation, plan how you want to deploy your Safous OT environment. Safous OT can also provide a self-signed certificate if the customer prefers not to deal with the certificate creation process.
If you generate your own trusted SSL certificate, ensure it includes the following:
Field | Value
Common Name (CN) | *.ot.iij-icarus.com
Subject Alternative Name → DNS | *.ot.iij-icarus.com
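An added check, not part of this guide or the Safous tooling, that contrasts the two wildcard rules in play in sections C.1 and C.3: the DNS * record under ot.safous.com answers for any name below the zone, including names with several labels, while a certificate issued for *.ot.safous.com covers exactly one label (RFC 6125 host-name matching). It assumes the ot.safous.com zone from the DNS example above and a wildcard certificate for that same zone; the host names it checks are constructed. Any name printed by report_gap would resolve through the wildcard CNAME but fail TLS validation, which is the mismatch to rule out before installing.

```shell
#!/bin/sh
# Added example (not from the Safous documentation): compare DNS wildcard
# matching with TLS certificate wildcard matching for the guide's zone.

ZONE="ot.safous.com"        # assumption: the zone from the DNS example above
CERT_NAME="*.${ZONE}"       # assumption: the wildcard CN/SAN on the certificate

# Does the example zone answer for this name? Either the explicit "tcp" A
# record or the "*" CNAME applies to every name below the apex (RFC 4592
# wildcards match any number of labels when no closer record exists).
dns_zone_answers() {
    host=$1
    case "$host" in
        "$ZONE") return 1 ;;        # the apex itself has no record here
        *."$ZONE") return 0 ;;
        *) return 1 ;;
    esac
}

# Resolve a name the way the example zone does: "tcp" is the A record,
# anything else below the zone follows the wildcard CNAME to tcp.$ZONE.
dns_resolve_target() {
    host=$1
    if [ "$host" = "tcp.$ZONE" ]; then
        echo "A <PoP Internal IP>"   # placeholder value from the guide's table
    elif dns_zone_answers "$host"; then
        echo "CNAME tcp.$ZONE"
    else
        echo "NXDOMAIN"
    fi
}

# TLS wildcard rule: "*" matches exactly one label, so *.ot.safous.com covers
# tcp.ot.safous.com but not site2.appgw.ot.safous.com or ot.safous.com.
cert_wildcard_covers() {
    host=$1
    suffix=${CERT_NAME#\*.}
    case "$host" in
        *."$suffix") leftmost=${host%."$suffix"} ;;
        *) return 1 ;;
    esac
    case "$leftmost" in
        ""|*.*) return 1 ;;         # empty, or more than one label
    esac
    return 0
}

# Print the names that DNS will answer but the certificate will not cover.
report_gap() {
    for host in "$@"; do
        if dns_zone_answers "$host" && ! cert_wildcard_covers "$host"; then
            echo "$host"
        fi
    done
}

# Constructed sample host names for a stand-alone run.
SAMPLE_HOSTS="tcp.$ZONE appgw1.$ZONE site2.appgw.$ZONE $ZONE"
for h in $SAMPLE_HOSTS; do
    printf '%-28s dns=%s cert=%s\n' "$h" "$(dns_resolve_target "$h")" \
        "$(cert_wildcard_covers "$h" && echo yes || echo no)"
done
```

On a real host the same two questions are answered by the resolver (for example getent hosts appgw1.ot.safous.com) and by inspecting the certificate's SAN list; the functions above only encode the matching rules so the comparison can be run without network access.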
D. POP Installation
Similar to Safous ZTA, the Safous OT POP also acts as a server that routes traffic to and from the IDAC. In the Safous OT deployment, the POP will serve only your App Gateway. The Safous OT POP will not be accessible from the public internet or outside the internal network.
Please refer to the instructions below for installing the POP in the Safous OT environment:
- Download the Installer, Token, and KEY from the Admin Portal.
- Put the Installer (ot-installer.sh) and Token (ot-token.txt) on the PoP server in your preferred user home directory.
- Extract the Installer.
:~$ tar xzf safous-ot.tar.gz
- Set the environment variable 'KEY' from the Admin Portal.
:~$ KEY=<Paste KEY from Admin Portal>
- Copy or create the ot-token.txt file inside the extracted directory.
- Run the Installer.
:~$ cd safous-ot
:~$ sudo bash ot-installer.sh -k $KEY -f ../ot-token.txt
- Choose the installation option [2] Install Private OT POP.
- Wait for the installation to finish.
- After the POP installation is complete, verify the running containers. There should be three containers running: router, service-gateway, and repo.
:~$ sudo docker ps
E. App Gateway Installation
Similar to Safous ZTA, the Safous OT App Gateway acts as a connector for accessing your internal servers and is located near them. App Gateways do not communicate directly with each other; they route traffic through the Safous OT POP. The Safous OT App Gateway will not be accessible from the public internet or outside the internal network.
Please refer to the instructions below for installing the App Gateway in the Safous OT environment:
- Download the Installer and Token, and copy the KEY from the Admin Portal.
- Put the Installer (ot-installer.sh) and Token (ot-token.txt) on the App Gateway server in your preferred user home directory.
- Extract the Installer.
:~$ tar xzf safous-ot.tar.gz
- Set the environment variable 'KEY' from the Admin Portal.
:~$ KEY=<Paste KEY from Admin Portal>
- Run the Installer.
:~$ cd safous-ot
:~$ sudo bash ot-installer.sh -k $KEY -f ../ot-token.txt
- Choose the installation option [1] Install Private OT App Gateway.
- Wait for the installation to finish.
- After the AppGW installation is complete, verify the running containers. There should be three containers running: idac, guacd, and rdp-proxy.
:~$ sudo docker ps
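An added post-install check, not part of the Safous installer, that turns the final verification step of sections D and E into a pass/fail test: it takes the container names from docker ps and confirms that every component the guide lists for the role (router, service-gateway, repo for the POP; idac, guacd, rdp-proxy for the App Gateway) is present. It assumes that the real container names contain those component names as a substring (the exact naming is not documented here), and the docker ps output it runs against is constructed.

```shell
#!/bin/sh
# Added example (not from the Safous installer): verify that the containers
# this guide expects are present in `docker ps` output for a given role.

# Required components per role, as listed in sections D and E of the guide.
POP_CONTAINERS="router service-gateway repo"
APPGW_CONTAINERS="idac guacd rdp-proxy"

# check_containers ROLE NAMES
#   ROLE  : pop or appgw
#   NAMES : newline-separated container names, normally the output of
#           `sudo docker ps --format '{{.Names}}'`
# Assumption: container names contain the component name as a substring
# (for example "safous-router-1"); exact names are not given in the guide.
# Returns 0 when every required component is running, 1 otherwise, and
# prints the missing components on stdout for the caller to act on.
check_containers() {
    role=$1
    names=$2
    case "$role" in
        pop) required=$POP_CONTAINERS ;;
        appgw) required=$APPGW_CONTAINERS ;;
        *) echo "unknown role: $role" >&2; return 2 ;;
    esac
    missing=""
    for component in $required; do
        if ! printf '%s\n' "$names" | grep -q -- "$component"; then
            missing="$missing $component"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing for $role:$missing"
        return 1
    fi
    return 0
}

# Constructed sample `docker ps --format '{{.Names}}'` output for a
# stand-alone run. On a real host use:
#   NAMES=$(sudo docker ps --format '{{.Names}}'); check_containers appgw "$NAMES"
SAMPLE_COMPLETE="safous-idac-1
safous-guacd-1
safous-rdp-proxy-1"
SAMPLE_MISSING="safous-idac-1
safous-guacd-1"

check_containers appgw "$SAMPLE_COMPLETE" && echo "sample 1: App Gateway containers OK"
check_containers appgw "$SAMPLE_MISSING" || echo "sample 2: incomplete, as expected"
```

Running this after each installation gives a single exit code that can feed a deployment pipeline or a monitoring check, rather than relying on a visual scan of the docker ps listing; a missing container on one of the two App Gateways per site is exactly the condition the high-availability guidance in section A is meant to absorb.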