On-prem Support - Dropzone Connector
Last updated
Was this helpful?
Last updated
Was this helpful?
Dropzone AI connects to APIs via its Data Source and Alert integrations. Many of these are reachable across the internet, such as third-party Threat Intelligence sources, corporate SaaS tools, and public cloud APIs. However many corporate systems may be behind firewalls and VPNs for security reasons.
Customers are able to enable Dropzone to reach restricted systems by running a lightweight Dropzone Private Network Connector Client docker container within their secure environment. This process connects out to the Dropzone tenant network and establishes a reverse tunnel.
The Dropzone integrations that require access to the protected resources tunnel their connections through this Private Network Connector Client container, so their source IP is from within your datacenter.
The Private Network Connector Client can be run on any host capable of running Docker containers, such as a physical server, VM, or inside your public/private cloud environment.
For additional security you may restrict what outbound connections can be made from the connector machine to your internal resources. Examples include
Putting the connector machine on a firewall DMZ
Enabling cloud-native restrictions on the connector machine (e.g. AWS Security Groups)
Running local firewall rules on the connector machine (e.g. iptables, shorewall)
Just make sure that the connector machine can reach the machines you want integrated, on the ports/protocols needed, DNS, and your tenant machine on port 8080.
Running the Private Network Connector Client requires a machine that meets the following requirements:
System
has Docker Engine (Docker CE) installed
capable of running x86_64 Linux docker containers
has at least 1 GB of available memory
has at least 1 GB of available disk space
Network
can reach the resources (e.g. splunk) you want available for Dropzone integrations
can connect to your tenant (e.g. https://mycompany.dropzone.app ) on port 8080 via TCP
has access to DNS that can look up your tenant DNS name and internal resources
Availability
is up 24x7
This may be a machine dedicated to this container, or a multi-use resource that meets your security policy.
Henceforth we will call this machine the connector-client-host.
To install the Private Network Connector Client, do the following:
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app
Click System > Connectors
On the "Main" connector tile, click "Configure"
The configuration drawer will slide out from the right hand side
Download the Private Network Connector Client docker image by clicking on the link
Upload the Private Network connector Docker image to the connector-client-host, e.g. via scp
Load the docker image on the connector-client-host
Copy the command in the Dropzone UI and run it on the connector-client-host:
Verify the connector is running by using docker ps
Click Close
Refresh the page and you should see that Main is now in "Connected" state:
When enabling Data and Alert sources that need on-prem access, be sure to specify this Private Network Connector Client.
The following troubleshooting steps may be useful in conjunction with your Dropzone support team.
It is always safe to delete and relaunch the connector, for example if it does not come back properly after a reboot or system failure
If the connector fails to connect there could be a network issue or an IPS device that is preventing it from establishing the websocket connection. Running the following from the host where the connector runs can help identify this situation:
When successful, you should see an HTTP handshake and websocket upgrade like this:
Any device along the path that is interfering will likely provide feedback when this command is run.
If you have any errors engage your Dropzone AI support representative.
The Dropzone Private Network Connector Client establishes an outbound HTTP session, inside which re used to establish a two-way TCP session. On this TCP session a secure session is established. This SSH session is authenticated by both the client and the server, and fully end-to-end encrypted.
