- 07 Sep 2023
- 4 Minutes to read
Installing Axonius Tunnel
- This functionality is currently applicable only for Axonius-hosted (SaaS) customers.
- Axonius Tunnel is only required to connect adapters whose sources are only accessible by an internal network. Configuring and installing the Axonius Tunnel is not required to connect adapters that are accessible to the internet.
Axonius Tunnel enables establishment of a link between an internal network and the Axonius-hosted (SaaS) instance.
The Axonius-hosted (SaaS) instance resides in the cloud and is not part of your organization's internal network. Axonius securely fetches data from the organization's data sources, known as adapters. To connect adapters that are only accessible by an internal network, you must configure and install an Axonius Tunnel on a server that has access to those sources.
To establish the link between the Axonius-hosted (SaaS) instance and an internal network, you need to:
- Provision a server to be used as the Tunnel server
- Install Docker Engine on the Tunnel server
- Add a new Tunnel Connection
- Install the Tunnel installation package
- Configure and connect adapters to use an Axonius Tunnel
1. Provision a server to be used as the Tunnel server:
Provision a server that meets the following network requirements either by a direct connection or by HTTPS proxy:
- Access to the internet via TCP port 443 from the Tunnel server.
- Access to the sources of the adapters that will be connected using this tunnel.
- The folder /opt/axonius must be writeable.
If you are using a Palo Alto firewall, you must use the 'OpenVPN APP-ID' for destination port 443 in order to establish the tunnel.
If you are using an IDS or DPI on your network, define the destination port protocol/profile as OpenVPN (not HTTPS) in order to establish the tunnel.
The server hardware requirements are:
- An Intel x86 based architecture processor
- At least 1 GB of free disk space
- At least 1 GB of RAM dedicated to the tunnel container
For added security, when running Axonius Tunnel on an AWS EC2 instance, we recommend disabling version 1 of the AWS Instance Metadata Service (IMDSv1), as Axonius Tunnel is fully compatible with IMDSv2.
2. Install Docker Engine on the Tunnel server
Install any Linux distribution that supports Docker on the provisioned server (the Tunnel server).
- Install the Docker Engine software on the Tunnel server.
- Enable Docker so that it starts at boot, start it, and verify that it is running:
sudo systemctl enable docker; sudo systemctl start docker
The Axonius Tunnel container and installer have been tested and certified on Ubuntu and CentOS, and may also be supported on Debian and Red Hat.
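The requirements in steps 1 and 2 are easy to miss on a server someone else provisioned, so here is an added pre-flight script (example code, not part of the Axonius installer) that checks each of them, including the IMDSv2 recommendation on EC2. It assumes the Hosted ID is passed as HOSTED_ID, that curl, awk and systemctl are available, and that ON_EC2=1 is set only on an AWS instance.

```shell
#!/bin/sh
# Added example (not part of the Axonius installer): pre-flight checks for a
# candidate Tunnel server, one per requirement in steps 1 and 2. Each check_*
# takes its input as an argument so it can be tested without touching the host;
# preflight_main collects the live values.
#   usage: RUN_PREFLIGHT=1 HOSTED_ID=<your Axonius Hosted ID> sh preflight.sh

# Intel x86 architecture (32- or 64-bit) as reported by uname -m
check_arch() { case "$1" in x86_64|i686|i386) return 0 ;; *) return 1 ;; esac; }

# $1 = kB; the free-disk and RAM requirements share the 1 GB threshold
check_gb_kb() { [ "$1" -ge 1048576 ]; }

# $1 = directory that must exist (or be creatable) and be writeable
check_writeable_dir() { { [ -d "$1" ] || mkdir -p "$1" 2>/dev/null; } && [ -w "$1" ]; }

# $1 = hostname; TCP/443 must be reachable directly or via https_proxy.
# Any HTTP status counts as success: only the TLS connection is under test.
check_tcp443() { curl -sS -I -o /dev/null --connect-timeout 10 "https://$1/" 2>/dev/null; }

# $1 = HTTP status of a token-less IMDS request; 401 means IMDSv1 is disabled
check_imdsv1_disabled() { [ "$1" = 401 ]; }

# run one check, print PASS/FAIL, count failures in FAILS
run_check() {
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; FAILS=$((FAILS + 1)); fi
}

preflight_main() {
    FAILS=0
    id=${HOSTED_ID:-YOUR_HOSTED_ID}   # placeholder when HOSTED_ID is unset
    run_check "x86 processor"             check_arch "$(uname -m)"
    run_check "1 GB free disk under /opt" check_gb_kb "$(df -Pk /opt | awk 'NR==2 {print $4}')"
    run_check "1 GB RAM"                  check_gb_kb "$(awk '/^MemTotal/ {print $2}' /proc/meminfo)"
    run_check "/opt/axonius writeable"    check_writeable_dir /opt/axonius
    run_check "TCP/443 to $id.on.axonius.com"     check_tcp443 "$id.on.axonius.com"
    run_check "TCP/443 to tun-$id.on.axonius.com" check_tcp443 "tun-$id.on.axonius.com"
    run_check "Docker service active"     systemctl is-active --quiet docker
    if [ "${ON_EC2:-0}" = 1 ]; then   # set ON_EC2=1 on an AWS EC2 instance
        run_check "IMDSv1 disabled (IMDSv2 required)" check_imdsv1_disabled \
            "$(curl -s -m 2 -o /dev/null -w '%{http_code}' http://169.254.169.254/latest/meta-data/)"
    fi
    echo "$FAILS check(s) failed"
    return "$FAILS"
}

if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then preflight_main; fi
```

The RAM check looks at MemTotal, so it confirms the host has 1 GB in total; reserving that amount for the container is still up to you.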
3. Add a new Tunnel Connection
To add a new tunnel connection:
On the Tunnels page, click Add Tunnel.
The New Tunnel Connection drawer appears.
Specify the following Tunnel settings:
- Tunnel name (optional, default: Tunnel_x) - Specify an indicative name for the Tunnel connection or use the system default. The Tunnel name can always be changed.
- Tunnel status notification (optional, default: empty) - Specify a list of email addresses to be notified when the Axonius Tunnel disconnects.
- If supplied, when an Axonius Tunnel disconnects, an email is sent to the supplied list of recipients.
- If not supplied, when an Axonius Tunnel disconnects, no email is sent.
- Proxy settings (optional, default: empty) - To configure a proxy service to be used by the Axonius Tunnel, select the Use Proxy checkbox. Once enabled, configure the Proxy address and Proxy port fields. Proxy user name and Proxy password are optional fields for proxy services.
Click the Create and Download button.
- A Tunnel record is added to the table.
- The Tunnel installation package is downloaded.
4. Install the Tunnel installation package
- Copy the Tunnel installation package to the Tunnel server.
- Execute the Tunnel installation package as the “root” user. For example, make the package executable and run it:
chmod +x axonius_tunnel_launcher_T-1.sh
sudo ./axonius_tunnel_launcher_T-1.sh
When the installation package has finished successfully, it shows the following message: “The Axonius Tunnel has been successfully installed.”
After the installation finishes, refresh the Tunnels page and track the Tunnel record status on the Connection Status field.
- To prevent the Axonius Tunnel from restarting automatically when the Docker Engine starts up, execute the command: ./axonius_tunnel_launcher.sh no_auto_start
- To uninstall the Axonius Tunnel, execute the following command: ./axonius_tunnel_launcher.sh uninstall
5. Configure and connect adapters to use an Axonius Tunnel
Axonius Tunnel is only required if the source for the adapter is only accessible by an internal network.
Tunnel should not be selected if the source for the adapter is accessible from the internet.
- Open the Adapters page. Click the icon on the left navigation panel.
- Search for and click the relevant adapter. The Adapter Connections page opens displaying the list of configured connections.
- To add a new connection, click Add Connection. The Adapter Connection Configuration dialog opens.
- Populate the required information.
- Select the requested Tunnel Connection in the Tunnel Name field. Click Save.
- To save your changes and to establish a connection to the adapter connection using the configured credentials, click Save and Fetch.
Tunnel Installation Best Practices
To apply the principle of least privilege, install the Tunnel in a secure location within your network, ideally a DMZ or protected network where traffic in and out of the subnet can be strictly controlled. The default policy for traffic originating from your Axonius Tunnel should be to block. The ports and protocols required for the operation of an Axonius Tunnel are listed in the table below, and only these connections should be permitted through your firewall. Replace * with your Axonius Hosted ID:

| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Tunnel Server IP | *.on.axonius.com | TCP/443 | HTTPS | GUI access. Required for fetching the tunnel container. |
| Tunnel Server IP | tun-*.on.axonius.com | TCP/443 | OpenVPN | Tunnel connection |
| Tunnel Server IP | Internal systems | Various | Various | Adapter data sources. Add one rule per adapter connection, using the correct destination IP/port/protocol. |
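The table above translates directly into an allowlist keyed on the Tunnel server's IP. As an added example (not Axonius tooling), the script below generates such an allowlist as an nftables forward-chain ruleset for a Linux firewall that sits in the Tunnel server's path; it assumes the Hosted ID and Tunnel server IP are passed as HOSTED_ID and TUNNEL_IP, adapter sources as ADAPTER_SOURCES, and that DNS to your resolver (which the table does not list) is added as one more source entry.

```shell
#!/bin/sh
# Added example (not Axonius tooling): build an nftables ruleset that blocks
# everything originating from the Tunnel server except the table above.
# Hostnames are resolved once here, because nft itself resolves names only
# when a ruleset is loaded; regenerate and reload if the addresses change.
#   usage: TUNNEL_IP=10.0.0.10 HOSTED_ID=<id> \
#          ADAPTER_SOURCES="10.0.0.5:tcp:389 10.0.0.53:udp:53" sh gen_egress.sh | nft -f -

# every IPv4 address a hostname resolves to, space separated
resolve_ipv4() { getent ahostsv4 "$1" | awk '{print $1}' | sort -u | tr '\n' ' '; }

# "a b c" -> "a, b, c" (nft set element syntax)
csv() { printf '%s' "$*" | sed 's/ /, /g'; }

# $1 = Tunnel server IP, $2 = IPs of <id>.on.axonius.com, $3 = IPs of
# tun-<id>.on.axonius.com, $4 = sources as "ip[/cidr]:proto:port", space separated
gen_tunnel_egress() {
    tunnel_ip=$1
    printf 'table inet axonius_tunnel {\n'
    printf '  set hosted_gui { type ipv4_addr; elements = { %s } }\n' "$(csv $2)"
    printf '  set hosted_tun { type ipv4_addr; elements = { %s } }\n' "$(csv $3)"
    printf '  chain forward {\n'
    printf '    type filter hook forward priority 0; policy accept;\n'
    printf '    ip saddr %s ct state established,related accept\n' "$tunnel_ip"
    printf '    ip saddr %s ip daddr @hosted_gui tcp dport 443 accept comment "GUI access, fetch container"\n' "$tunnel_ip"
    printf '    ip saddr %s ip daddr @hosted_tun tcp dport 443 accept comment "OpenVPN tunnel"\n' "$tunnel_ip"
    # Assumption: DNS to the resolver is not in the table; supply it as a source entry
    for src in $4; do
        ip=${src%%:*}; rest=${src#*:}; proto=${rest%%:*}; port=${rest#*:}
        printf '    ip saddr %s ip daddr %s %s dport %s accept comment "adapter source"\n' \
            "$tunnel_ip" "$ip" "$proto" "$port"
    done
    # default for anything else the Tunnel server originates: log and drop
    printf '    ip saddr %s log prefix "axonius-tunnel-drop " drop\n' "$tunnel_ip"
    printf '  }\n}\n'
}

if [ -n "${HOSTED_ID:-}" ] && [ -n "${TUNNEL_IP:-}" ]; then
    gen_tunnel_egress "$TUNNEL_IP" "$(resolve_ipv4 "$HOSTED_ID.on.axonius.com")" \
        "$(resolve_ipv4 "tun-$HOSTED_ID.on.axonius.com")" "${ADAPTER_SOURCES:-}"
fi
```

Only traffic with the Tunnel server as source is touched, so return traffic and other hosts are unaffected; the logged drops are the place to look when a newly added adapter cannot reach its source.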
For more details about configuring adapter connections, see: