Dropzone Connector Installation

Before proceeding, see the Dropzone Connector Overview for more information about when you would require the Dropzone Connector in your environment.

Enabling the Private Network Connector Client

Running the Private Network Connector Client requires a machine that meets the following requirements:

System
- has Docker Engine (Docker CE) installed
- capable of running x86_64 Linux docker containers
- has at least 1 GB of available memory
- has at least 1 GB of available disk space
- has access to at least one CPU core
  - assure it is not running on a system that will 'steal' CPU; doing so will introduce instability
Network
- can reach the resources (e.g. splunk) you want available for Dropzone integrations
- can connect outbound port 443 to the connector server
  - the connector server is the same as your tenant name with -connector after the first component. For example if your tenant is https://mycompany.dropzone.app then your connector server is mycompany-connector.dropzone.app port 443
- has access to DNS that can look up your tenant DNS name and internal resources
Availability
- is up 24x7

This may be a machine dedicated to this container, or a multi-use resource that meets your security policy.

Henceforth we will call this machine the connector-client-host.

To install the Private Network Connector Client, do the following:

Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app
Click System > Connectors

On the "Main" connector tile, click "Configure"

The configuration drawer will slide out from the right hand side

Download the Private Network Connector Client docker image by clicking on the link
Upload the Private Network connector Docker image to the connector-client-host, e.g. via scp

Load the docker image on the connector-client-host

connector-client-host$ sudo docker load -i connector.tar.gz

# Or, if sudo is not needed
connector-client-host$ docker load -i connector.tar.gz

Copy the command in the Dropzone UI and run it on the connector-client-host:

connector-client-host$ sudo docker run --detach --name connector --env OPTIONS='--auth ...

# Or if sudo is not needed
connector-client-host$ docker run --detach --name connector --env OPTIONS='--auth ...

Verify the connector is running by using docker ps

connector-client-host$ docker ps
CONTAINER ID IMAGE     COMMAND      CREATED         STATUS       NAMES
1c92972436d9 connector "/app/init"  3 seconds ago   Up 2 seconds dropzone-connector-client

Click Close
Refresh the page and you should see that Main is now in "Connected" state:

When enabling Data and Alert sources that need on-prem access, be sure to specify this Private Network Connector Client.

Alternate Launch Options

The Dropzone UI System > Connector page provides a default docker run command that will work for most scenarios. This section describes alternate options for your docker run that may be appropriate for your environment.

Outbound HTTP Proxy

The Dropzone connector supports using an outbound HTTP proxy, such as Squid, a setup for locked down DMZs for example.

To use an explicit HTTP proxy, update the docker run provided by the Dropzone UI by passing the HTTPS_PROXY flag into the environment:


## Send the outbound tunnel request via http://proxy.example.com:3128 
## Replace with your actual proxy url/port
##
$ docker run ... --env HTTPS_PROXY=http://proxy.example.com:3128 ...

You will need to configure your proxy to allow outbound CONNECT to the host tenant-connector.dropzone.app port 443.

Troubleshooting

The following troubleshooting steps may be useful in conjunction with your Dropzone support team.

Restarting the Private Network Connector Container

It is always safe to delete and relaunch the connector, for example if it does not come back properly after a reboot or system failure.

$ docker stop connector
$ docker rm connector
$ docker run ...    <-- command you got from the Dropzone interface

Testing Internal Connectivity

The connector service runs in a docker container on a host in your network. If it is unable to reach to your internal systems then you will get an error when configuring your integration in the Dropzone UI such as Error 111 - Connection Refused.

Test from the Host

Testing from the host where you're running the connector is sufficient in almost all cases. Using tools such as curl, telnet, netcat (nc, ncat, etc), or openssl are good ways to test any network ACLs that may be preventing your traffic.

Examples:

# See if splunk is available
$ curl -k -v https://our-splunk.example.com

# Same, showing certificate
$ openssl sclient -connect our-splunk.example.com:443

# just test the port is open or not
$ telnet our-splunk.example.com:443
$ nc our-splunk.example.com:443

Test From Inside the Connector

It's possible your docker host can reach your targets, but the connector container cannot. this could be caused by DNS inconsistencies, or having an IP address range for your connector network (traditionally 172.17.0.0/16) that overlaps your target's networks. In these cases, it may be helpful to test from within the connector container directly.

The Dropzone connector container has a very minimal configuration and does not include tools such curl, telnet, netcat (nc, ncat, etc), however it does include openssl which can be used to help troubleshoot.

Here is an example of making a curl-like request for https://www.example.com:


$ host="www.example.com"
$ printf "GET / HTTP/1.0\nHost: $host\n\n" | \
    docker exec -i dropzone-connector-client   \
    openssl s_client -connect $host:443 -servername $host -quiet

If you see the expected HTML output, then the connector has network connectivity to the target.

Testing Outbound Network Connectivity

If the connector fails to connect there could be a network issue or an IPS device that is preventing it from establishing the websocket connection. Running the following from the host where the connector runs can help identify this situation:

# the first part of your tenant hostname, e.g. "mycompany"
# if your tenant is https://mycompany.dropzone.app
$ tenant=mytenant

$ curl --http1.1 -i -N \
    -A "Go-http-client/1.1" \
    -H "Connection: Upgrade" \
    -H "Upgrade: websocket" \
    -H "Host: $tenant-connector.dropzone.app:443" \
    -H "Sec-WebSocket-Key: AAAAAAAAAAAAAAAAAAAAAA==" \
    -H "Sec-WebSocket-Protocol: chisel-v3" \
    -H "Sec-WebSocket-Version: 13" \
    "https://$tenant-connector.dropzone.app:443"

When successful, you should see an HTTP handshake and websocket upgrade like this:

HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: ICX+Yqv66kxgM0FcWaLWlFLwTAI=

SSH-chisel-v3-server

If your network requires an HTTP Proxy for outbound connectivity to the connector server, add an -x option to your curl command above. For example if you use squid on squid.example.com port 3128, you'd add -x squid.example.com:3128 to the command.

Any device along the path that is interfering will likely provide feedback when this command is run.

Connector Healthchecks

The default Dropzone Private Network Connector Client docker run command is set to automatically restart the container if it fails. However here are additional ways you can healthcheck the container.

External Healthcheck

From outside the container you can use curl or other web tools to hit the /ping endpoint. For example, assuming the connector has received IP address 172.17.0.3, you would use the following

$ curl -i 172.17.0.3:8000/ping
HTTP/1.1 204 No Content
Date: Sat, 19 Apr 2025 11:43:00 GMT
Server: Python/3.11 aiohttp/3.12.13

Similarly, you could use nsenter to run curl from your host within the container network:

$ sudo nsenter -t $(docker inspect --format '{{ .State.Pid }}' dropzone-connector-client ) -n  curl -v http://127.0.0.1:8000/ping`

Internal Healthcheck

From within the container (e.g. if you are using docker compose) you can use python to healthcheck the /ping endpoint.

python3 -c "import http.client, sys; c=http.client.HTTPConnection('127.0.0.1',8000,timeout=5); c.request('GET','/ping'); sys.exit(0 if c.getresponse().status==204 else 1)"`

Upgrading the Private Network Connector Client

Dropzone updates the connector client infrequently to improve reliability, performance, or security.

Follow these steps to upgrade.

Identify the machine where you are currently running the connector (henceforth called "connector-client-host")
Follow the steps in Enabling the Private Network Connector Client above to but not including running the new container
- Download the connector docker image
- Copy the image to your connector-client-host
- Load the docker image (but do not run it yet)
Log into the connector-client-host (e.g. via ssh)
Permanently stop the old Dropzone connector container
- If you followed the default docker run instructions then it will be named dropzone-connector-client, but you may have named it differently

# Verify it not running
$ docker ps | grep dropzone
CONTAINER ID  IMAGE                COMMAND          NAMES
44726f707a6f  dropzone-connector   "/app/main.py"   dropzone-connector-client

# Stop and remove it
$ docker stop dropzone-connector-client
$ docker rm dropzone-connector-client

# Verify it is not running
$ docker ps | grep dropzone
CONTAINER ID  IMAGE                COMMAND          NAMES

Start the new connector container by copy/pasting the command from your Dropzone UI
- This is described above in Enabling the Private Network Connector Client

If you have any errors engage your Dropzone AI support representative.

PreviousDirect Login Links NextDropzone Integrations

Last updated 24 days ago

Was this helpful?