Hardening SOLIDserver

Version 8.2
Revision: #128019

Publication date March 02, 2023


Copyright © 2000-2023 EfficientIP
All product specifications and information provided in this document are subject to change or update without notice and should not be
construed as a commitment by EfficientIP. EfficientIP assumes no responsibility or liability for any mistakes, inaccuracies or omissions
that may appear in this document. All statements and recommendations in this document are believed to be accurate at the time they
are drafted but are presented without any representation or warranty of any kind, either express or implied, regarding their accuracy,
completeness, performance, up-to-dateness or suitability for any particular use or purpose, or with respect to the infringement of any
right. In particular, EfficientIP makes no representation or warranty that the results that may be obtained from your use of our products
will be effective, accurate or reliable or that the quality of the products will meet your expectations. Users must take full responsibility
for their application of any product.

This document aims at detailing EfficientIP proprietary solutions. As our solutions rely on several third-party products, created by other
companies or organizations, it may redirect readers to third-party websites and documentation for further information. EfficientIP cannot
be liable for or expected to provide said information regarding products maintained or created by third parties.

In no event shall EfficientIP be liable for any special, punitive, indirect, incidental or consequential damages of any kind including, but
not limited to, loss of present or prospective profits or business, loss of data, business interruption, damages to reputation or image,
whether in an action of contract, negligence, or other action, arising out of or in connection with the use, reliance upon or performance
of the products provided by EfficientIP or any information contained herein.

All EfficientIP products and documentation are subject to separate licensing terms which users must agree to and comply with in order
to use such products and documentation.
Table of Contents
1. Prerequisites ................................................................................................................. 1
2. Hardening the Access Controls ...................................................................................... 2
Securing the BIOS Password ..................................................................................... 2
Securing the iDRAC Superuser Password .................................................................. 3
Securing the System Admin Access ........................................................................... 3
Securing the Superuser Password ............................................................................. 4
Securing CLI and GUI Connection Parameters ........................................................... 4
Securing the HTTPS Connection ............................................................................... 5
Securing the Firewall ............................................................................................... 15
Securing the Services ............................................................................................. 17
Securing NetChange ............................................................................................... 18
3. Hardening the Management Infrastructure .................................................................... 19
Setting User Access ................................................................................................ 19
Setting Authentication Rules .................................................................................... 22
Managing Backups .................................................................................................. 28
Setting High Availability ........................................................................................... 30
Encrypting the Database ......................................................................................... 33
4. Hardening the Monitoring Infrastructure ........................................................................ 38
Securing the SNMP Connections ............................................................................. 38
Defining Alerts ........................................................................................................ 46
Managing the Logs ................................................................................................. 48
Tracking Sessions and Users ................................................................................... 51
5. Hardening the DNS Management ................................................................................. 54
Configuring Recursive and Authoritative Resolution ................................................... 54
Configuring a Smart Architecture ............................................................................. 56
Configuring Hybrid DNS .......................................................................................... 58
Configuring DNSSEC .............................................................................................. 60
Configuring TSIG Keys ............................................................................................ 61
Configuring DNS ACLs ............................................................................................ 63
Configuring Rate Limits ........................................................................................... 66
Configuring Anycast DNS ........................................................................................ 67
Configuring DNS Guardian ...................................................................................... 67
A. Hardening Checklist .................................................................................................... 68
B. Matrices of Network Flows ........................................................................................... 69
SOLIDserver ........................................................................................................... 70
IPAM ...................................................................................................................... 71
DHCP .................................................................................................................... 72
DNS ....................................................................................................................... 73
NetChange ............................................................................................................. 76
Identity Manager ..................................................................................................... 77
Remote Management .............................................................................................. 78

Chapter 1. Prerequisites
This document describes EfficientIP operational guidelines to harden SOLIDserver in a production
environment.

Before going further, you should have installed SOLIDserver following one of the guides below:
• Configuring SOLIDserver on Hardware Appliances.
• SOLIDserver Installation on Virtual Appliances.
• SOLIDserver Deployment on Amazon Web Services Cloud Environment.
• SOLIDserver Deployment on Microsoft Azure Cloud Environment.
• Reimaging SOLIDserver on Hardware Appliances.
• SOLIDserver Installation on SDS-50 Hardware Appliances.
All guides are available on our download portal [1].

Hardening is the process of securing a system and its applications against known and unknown
threats by reducing its attack surface. We therefore strongly recommend that you:
1. Do not connect your appliance to the Internet before completing the securing and configuration
process.
2. Secure physical access to your appliances and management terminals. Physical tampering re-
mains one of the most dangerous threats to the security of your environment.
3. Make sure your organization has an IT security policy and that it is consistent with the use
and configuration of SOLIDserver components.
4. Check the EfficientIP Knowledge Base to keep up with the latest product evolutions, at
https://kb.efficientip.com/index.php/Main_Page. Log in using your credentials.
5. Keep SOLIDserver up to date within your supported running version. EfficientIP strongly re-
commends applying a security patch less than 24 hours after its official release. For more
details, refer to the chapter Upgrading in the Administrator Guide.

[1] At https://downloads.efficientip.com/support/downloads/docs/, in the relevant version folder. Log in using your credentials. If you do
not have credentials yet, request them at www.efficientip.com/support-access.
Chapter 2. Hardening the Access Controls
SOLIDserver comes with default administrator credentials for the following accesses:

• BIOS: (unset)
• iDRAC: root / calvin
• System: admin / admin
• GUI/API access: ipmadmin / admin
• SSH: admin / admin

To prevent any unauthorized access, these default passwords should be changed. In addition,
you must keep track of your credentials and change them regularly. EfficientIP cannot,
under any circumstances, guarantee the recovery of lost credentials.

Note that, upon installation:


• The protocols HTTPS, for the GUI and API, and SSH, for the CLI, are enabled. There is no
other way to set up or manage SOLIDserver appliances and services.
• An SSH host key identifies the appliance upon SSH connection. When you first connect to
SOLIDserver, your SSH client has no record of the appliance and asks you to confirm that the
fingerprint is correct. To mitigate man-in-the-middle (MITM) attacks on SSH connections, you
can add a specific resource record to the zone associated with the appliance domain, the Secure
SHell Finger Print (SSHFP) record, to publish the fingerprint of the server SSH key so the client
can verify its authenticity. This does not protect the very first SSH connection(s) to the appliance,
but it protects the ones made after you added the record. For more details, refer to the section
Adding an SSHFP Record in the Administrator Guide.
• SOLIDserver backups are stored locally but can be sent to a remote server. We strongly re-
commend using SFTP, which is more secure than FTP, as its traffic is encrypted to avoid any
interception of the backup file. For more details, refer to the chapter Managing Backups.
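The SSHFP record mentioned above is nothing more than a hash of the raw host public key, tagged with an algorithm and a hash-type number. The following Python is an added illustration written for this guide, not EfficientIP code and not the procedure of the Administrator Guide: it derives SSHFP RDATA from OpenSSH public-key lines the way ssh-keygen -r does, and performs the client-side comparison of a presented key against a published record. The two host keys are constructed filler (plausible wire layout, no real key material) so the example runs offline; the zone owner name solidserver.example. is an assumption.

```python
import base64
import hashlib

# SSHFP RDATA = <algorithm> <fingerprint type> <hex fingerprint of the raw key blob>.
# Algorithm numbers from RFC 4255, RFC 6594 and RFC 7479; fingerprint types from RFC 4255/6594.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def sshfp_rdata(pubkey_line, fptype="sha256"):
    """Build the SSHFP RDATA for one OpenSSH public-key line.

    The line has the format of /etc/ssh/ssh_host_*_key.pub, or of a known_hosts
    entry without its host field: "<keytype> <base64 blob> [comment]".
    The fingerprint covers the decoded blob, exactly as ssh-keygen -r computes it.
    """
    keytype, blob_b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(blob_b64)
    digest = hashlib.new(fptype, blob).hexdigest().upper()
    return f"{SSHFP_ALGORITHM[keytype]} {SSHFP_FPTYPE[fptype]} {digest}"


def sshfp_records(owner, pubkey_lines, ttl=3600):
    """Zone-file lines publishing one SHA-256 SSHFP record per host key."""
    return [
        f"{owner} {ttl} IN SSHFP {sshfp_rdata(line)}"
        for line in pubkey_lines
        if line.strip() and not line.lstrip().startswith("#")
    ]


def key_matches_record(pubkey_line, rdata):
    """Client-side check: does the key a server presented match a published record?

    Returns False (rather than raising) for a record of another algorithm or hash
    type, so a host that publishes several records can be checked in a loop.
    """
    algo, fptype, fp_hex = rdata.split()
    keytype = pubkey_line.split()[0]
    if SSHFP_ALGORITHM.get(keytype) != int(algo):
        return False
    hash_name = {v: k for k, v in SSHFP_FPTYPE.items()}.get(int(fptype))
    if hash_name is None:
        return False
    return sshfp_rdata(pubkey_line, hash_name).split()[2] == fp_hex.upper()


# Constructed sample host keys: a length-prefixed key type followed by filler bytes,
# not real key material. Only the fingerprint arithmetic is exercised here.
def _constructed_key_line(keytype, material):
    blob = (len(keytype).to_bytes(4, "big") + keytype.encode()
            + len(material).to_bytes(4, "big") + material)
    return f"{keytype} {base64.b64encode(blob).decode()} root@solidserver.example"


SAMPLE_ED25519 = _constructed_key_line("ssh-ed25519", bytes(range(32)))
SAMPLE_RSA = _constructed_key_line("ssh-rsa", bytes(256))

if __name__ == "__main__":
    for rr in sshfp_records("solidserver.example.", [SAMPLE_ED25519, SAMPLE_RSA]):
        print(rr)
```

On a real appliance the same records come out of ssh-keygen -r <hostname> run against the files in /etc/ssh. Two caveats a practitioner should keep in mind: the record is only as trustworthy as the DNS answer that carries it, so the zone must be DNSSEC-signed (OpenSSH with VerifyHostKeyDNS=yes accepts the record silently only when the answer is DNSSEC-validated, and still prompts otherwise); and every record must be re-published whenever a host key is regenerated, for instance after reimaging the appliance.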

Securing the BIOS Password


By default on physical SOLIDserver appliances, there is no password set at BIOS level. You can
set one by accessing the appliance BIOS, either via a terminal and keyboard directly connected
to the appliance or from the iDRAC.

Note that EfficientIP cannot, under any circumstances, provide a procedure to recover a
lost BIOS password. Make sure to take all the necessary precautions when changing any BIOS
setting.

To set the BIOS password


1. If you want to display the BIOS menu of your physical appliance using a keyboard and a
terminal:
a. During boot-up, press F2 immediately when the message F2 = System Setup appears.
b. Otherwise, press F11. The page Boot Manager opens. Click on Boot Manager > Launch
System Setup. The page System Setup opens.
2. If you want to display the BIOS menu of your physical appliance via the iDRAC:

a. Open any supported browser and, in the URL field, type in https://<iDRAC-configured-
IP-address>. If you are configuring from an iDRAC in version 8, the browser must have
Java installed.
b. Connect using the default credentials or the ones you set. For more details, refer to the
section Securing the iDRAC Superuser Password.
c. Click on Reset iDRAC , either from the bottom-left panel Quick Launch Tasks in iDRAC8
or via the menu Maintenance > Diagnostics in iDRAC.
d. During boot-up, in the drop-down menu Boot controls of the virtual console, select
BIOS Setup and press Enter .
3. Select System Security. The page opens and displays system security settings such as
the system password, setup password, TPM security, and Secure Boot. It also enables or
disables support for the power and NMI buttons on the server.
4. Edit the option Setup Password and set a password to restrict any change in the BIOS
settings, with the exception of the System password, which can be changed without entering
the correct Setup password.
5. Edit the option Password Status and set it to Locked to prevent the System password from
being modified.

Securing the iDRAC Superuser Password


For physical appliances, as opposed to virtual appliances, it is important to edit the default
password of the iDRAC platform that allows managing the hardware.

To change the iDRAC superuser password


1. Open any supported browser and, in the URL field, type in https://<iDRAC-configured-IP-
address>. If you are configuring from an iDRAC in version 8, the browser must have Java
installed.
2. Accept the certificate. The iDRAC login page opens.
3. In the field Username, type in root.
4. In the field Password, type in calvin.
5. Hit Enter. The iDRAC homepage opens.
6. In the navigation menu, click on iDRAC Settings. The menu expands.
7. Click on User Authentication (iDRAC8) or Users (iDRAC9).
8. In the column User ID, click on the number of the root account.
9. Make sure the box Configure User is ticked.
10. Click on NEXT .
11. Tick the box Change Password.
12. In the fields New Password and Confirm New Password, specify the new password of the
root account.

Securing the System Admin Access


SOLIDserver can be accessed remotely via SSH. By default, the account admin has the password
admin. To secure administrative access to the system, you must change that password.

You can also enforce a minimum complexity for this password, as detailed in the section Securing
CLI and GUI Connection Parameters.

Keep in mind that:


• It is important to change the admin password of the management appliance but also of any
remote SOLIDserver appliance running an EfficientIP DNS or DHCP server. When you add
them to your management appliance from the page All servers, make sure to configure the
enrollment parameters. For more details, refer to the sections Managing EfficientIP DNS
Servers and Managing EfficientIP DHCP Servers in the Administrator Guide.
• On the appliance, the SSH shell session gives direct access to the SOLIDserver system. Editing
configuration files directly can disturb SOLIDserver or prevent it from running. Only adminis-
trators should use this mode; by default, admin is the only account that can access SOLIDserver
via SSH.

To change the SSH password


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Services configuration. The page Services configuration
opens.
3. In the column Name, click on Account: admin. The wizard opens.
4. In the field New password, specify the password of your choice, in accordance with the
level of security you chose.
5. In the field Confirm password, specify the password again.
6. Click on OK to complete the operation.

Keep in mind that you can configure SOLIDserver to allow LDAP/RADIUS authentication for SSH
connections. For more details, refer to the appendix Using Remote Authentication for SSH Con-
nections to SOLIDserver in the Administrator Guide.

Securing the Superuser Password


Upon installation, the only user available is the superuser ipmadmin, a member of the group admin,
the most privileged group of users. This superuser can add other groups and users as described
in the chapter Hardening the Management Infrastructure.

It is strongly recommended to modify the password of this default account.

To change the superuser password


1. Connect to the appliance using the superuser default credentials: ipmadmin / admin.
2. From any page, in the top bar, select My account > Change Password. The wizard
Modify User Password opens.
3. In the field Previous password, specify the current password.
4. In the fields New password and Confirmation, specify the new password.
5. Click on OK to complete the operation. The report opens and closes.

Securing CLI and GUI Connection Parameters


You can set some registry database entries to increase the security of CLI and GUI connections.

To configure CLI and GUI connection parameters


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.

2. In the section Expert, click on Registry database. The page Registry database opens.
3. In the search engine of the column Name, filter the list using one of the entries below:

Table 2.1. Connection dedicated registry database entries

Entry / Values / Description

module.system.ssh_password
  1    Low protection, no restriction on the SSH password. This is the default value.
  2    Medium protection, requiring at least 8 characters for the SSH password.
  3    High protection, requiring at least 8 characters, including 2 digits and 2 special
       characters, for the SSH password.

www.login.session_timeout
  0    Unlimited session duration: if a user does not log out, their session never ends. This
       is the default value, which leaves abandoned GUI sessions valid indefinitely.
  >60  Number of seconds after which the user is logged out. You cannot set the session
       timeout to less than 60 seconds.

ipmserver.login.regex_password_complexity
  Regular expression  Regular expression that GUI passwords must match, e.g.
       .*(?=.{8,})(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[^0-9a-zA-Z]).* (at least 8 characters
       including a lowercase letter, an uppercase letter, a digit and a non-alphanumeric
       character). By default, this value is unset.

ipmserver.login.bad_login_retry_before_freeze
  >1   Number of failed connection attempts allowed from the GUI before temporarily restricting
       access. By default, this value is 3 attempts.

ipmserver.login.bad_login_test_window
  >5   Number of seconds over which failed connection attempts from the GUI are counted. By
       default, this value is 10 seconds, i.e. 3 failed connections in 10 seconds trigger the
       access restriction.

ipmserver.login.bad_login_freeze_time
  >5   Number of seconds during which access to the GUI is restricted after excessive failed
       connection attempts. By default, this value is 30 seconds.

logout.session.redirect.ur
  URL  URL toward which the user is redirected after logging out.

4. In the column Value, click on the value of your choice. The wizard Registry database Edit
a value opens.
5. In the field Value, specify the value that suits your needs following the table above.
6. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the new value is displayed.
7. Repeat the steps 3 to 6 for all the connection parameters that suit your needs.
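To make the semantics of Table 2.1 concrete, here is an added Python model of the three policies it configures: the example GUI password regular expression, the three module.system.ssh_password levels, and the sliding-window lockout driven by the three bad_login_* entries with their default values. It is illustration written for this guide, not SOLIDserver code; the definition of a "special character" as any non-alphanumeric character, and keying the lockout by a caller-chosen source (user name or client address), are assumptions the document does not settle.

```python
import re
from collections import deque

# Default values from Table 2.1.
DEFAULT_RETRY_BEFORE_FREEZE = 3   # ipmserver.login.bad_login_retry_before_freeze
DEFAULT_TEST_WINDOW = 10          # ipmserver.login.bad_login_test_window, seconds
DEFAULT_FREEZE_TIME = 30          # ipmserver.login.bad_login_freeze_time, seconds

# The example expression from Table 2.1 for ipmserver.login.regex_password_complexity.
GUI_PASSWORD_REGEX = re.compile(
    r".*(?=.{8,})(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[^0-9a-zA-Z]).*"
)


def gui_password_ok(password):
    """GUI policy: the whole password must match the configured regular expression."""
    return GUI_PASSWORD_REGEX.fullmatch(password) is not None


def ssh_password_ok(password, level):
    """SSH policy for module.system.ssh_password levels 1, 2 and 3.

    Assumption (not defined by the document): a special character is any
    character that is neither a letter nor a digit.
    """
    if level not in (1, 2, 3):
        raise ValueError("module.system.ssh_password accepts 1, 2 or 3")
    if level == 1:
        return True
    if len(password) < 8:
        return False
    if level == 2:
        return True
    digits = sum(c.isdigit() for c in password)
    specials = sum(not c.isalnum() for c in password)
    return digits >= 2 and specials >= 2


class LoginThrottle:
    """Sliding-window lockout matching the three bad_login_* registry entries.

    attempt() returns "ok", "denied" (bad credentials, access still allowed) or
    "frozen" (access restricted until freeze_time has elapsed). Timestamps are
    passed in explicitly so the behaviour is deterministic and testable.
    """

    def __init__(self, retry_before_freeze=DEFAULT_RETRY_BEFORE_FREEZE,
                 test_window=DEFAULT_TEST_WINDOW, freeze_time=DEFAULT_FREEZE_TIME):
        self.retry_before_freeze = retry_before_freeze
        self.test_window = test_window
        self.freeze_time = freeze_time
        self._failures = {}       # source -> deque of failure timestamps
        self._frozen_until = {}   # source -> time at which access is restored

    def attempt(self, source, now, success):
        if self._frozen_until.get(source, 0) > now:
            return "frozen"       # still restricted: even a correct password is refused
        failures = self._failures.setdefault(source, deque())
        if success:
            failures.clear()
            return "ok"
        failures.append(now)
        while failures and failures[0] <= now - self.test_window:
            failures.popleft()    # only failures inside the test window count
        if len(failures) >= self.retry_before_freeze:
            self._frozen_until[source] = now + self.freeze_time
            failures.clear()
            return "frozen"
        return "denied"


if __name__ == "__main__":
    throttle = LoginThrottle()
    for t in (0, 3, 6, 10, 36):   # three quick failures, then two correct logins
        print(t, throttle.attempt("ipmadmin", t, success=t >= 10))
```

Note what the defaults buy you: a 30 second freeze after 3 failures in 10 seconds slows an online guessing attack to roughly 6 attempts per minute per source, which is a useful brake but no substitute for a strong password policy and remote authentication.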

Securing the HTTPS Connection


SSL/TLS certificates authenticate the HTTPS connections to SOLIDserver.

By default, each appliance uses a self-signed certificate to secure connections. As this certificate
is not trusted by your web browser, warning messages appear to inform you that the certificate
is not from a trusted certificate authority, that its hostname is invalid, etc. Until you replace it,
the connection is exposed to man-in-the-middle (MITM) attacks: the browser has no way to tell
the appliance's certificate from one presented by an attacker.

When you receive such warnings, you can accept the certificate for the current session and save
it in the certificate store of your browser. Do so only after comparing the certificate fingerprint
with one obtained from the appliance through a channel other than the browser connection you
are about to trust; otherwise you may be pinning an attacker's certificate.

To eliminate the warning messages altogether, you can import or create a valid SSL certificate
and use this one instead of the default one to secure connections.

From the page All Certificates, you can:


• Import X.509 CA signed and self-signed certificates, CSRs (Certificate Signing Requests) and
private keys, as detailed in the section Importing SSL Objects.
• Create X.509 self-signed certificates, CSRs and private keys, as detailed in the section Creating
SSL Objects.
• Download the certificate and CSR details and public keys, as detailed in the section Down-
loading SSL objects.
• Delete certificates, CSRs and private keys, as detailed in the section Deleting SSL Objects.

Note that the SSL certificate is unique to each SOLIDserver appliance.

For more details on how to change the SSL certificate that authenticates the connections to the
appliance, refer to the section Changing the HTTPS Certificate in the chapter Configuring the
Services.

Importing SSL Objects


On the page All Certificates you can import:
• CA certificates and self-signed certificates, as detailed in the section Importing Certificates.
• CSRs (Certificate Signing Request), as detailed in the section Importing CSRs.
• Private keys, as detailed in the section Importing Private Keys.

Note that you cannot edit SSL objects. If you import the wrong object, you can only delete it and
perform the import again for the right one. For more details, refer to the section Deleting SSL
Objects.

Importing Certificates
You can import as many self-signed certificates and CA signed certificates as you need. The
import wizard allows you to paste in the certificate details, including any Subject Alternative
Names, and its private key.

Keep in mind that:


• Any valid certificate can be used as HTTPS certificate on the page Services configuration.
• If you import CA certificates, they are used to validate the certificates of external services if
you enable the relevant registry database keys.
• You can only import private keys that are not passphrase-protected. If the key is encrypted,
the HTTP service cannot start and you may lose GUI access to your appliance.

To create a self-signed certificate, refer to the section Creating Self-signed Certificates.

To import a certificate
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.

2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the menu, select Import > Certificate. The wizard Import an SSL object opens.
4. In the field Name, name the certificate.
5. In the drop-down list Type, select Certificate.
6. In the field Certificate, paste in the certificate, in PEM format.
7. In the field Private key, paste in its private key.
8. Click on OK to complete the operation. The report opens and closes. The certificate is listed,
its private key is available on the certificate properties page.

Once you imported a valid certificate, if it is not a CA certificate, you can use it as HTTPS certi-
ficate for your local appliance. For more details, refer to the section Changing the HTTPS Certi-
ficate.

If you imported a CA certificate to secure the SSL communications between SOLIDserver appli-
ances, you can enable two registry database keys to enforce certificate validation.

To enable the validation of CA certificates


Only users of the group admin can perform this operation.
1. If you manage remote appliances or a High Availability configuration, connect to the Master
or Management appliance GUI.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section Expert, click on Registry database. The page Registry database opens.
4. Filter the column Name with module.system.remote.
5. Hit Enter. Two keys are listed.
6. Enable the key module.system.remote_command.ssl_verify_peer.
a. In the column Value, click on the value listed. The wizard Registry database Edit a
value opens.
b. In the field Value, type in 1 to enable it. By default, it is set to 0.
c. Click on OK to complete the operation. The new Value is visible on the page.
7. Enable the key module.system.remote_command.ssl_verify_host.
a. In the column Value, click on the value listed. The wizard Registry database Edit a
value opens.
b. In the field Value, type in 1 to enable it. By default, it is set to 0.
c. Click on OK to complete the operation. The new Value is visible on the page.

Once you imported a valid CA certificate and enabled the registry database entries, you can use
it as HTTPS certificate for your local appliance. For more details, refer to the section Changing
the HTTPS Certificate.
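The two registry keys just enabled correspond to the two halves of TLS server authentication: ssl_verify_peer validates the certificate chain up to the imported CA, ssl_verify_host checks that the validated certificate was issued for the name being connected to. The following Python is an added illustration for this guide, not SOLIDserver's implementation: it builds a client TLS context with the same two switches using the standard ssl module, refuses the one combination that gives a false sense of security, and spells out what an attacker between two appliances can still do for each setting. The parameter ca_pem (PEM text of the CA certificate imported on the page All certificates) is an assumption of the example.

```python
import ssl


def make_remote_command_context(verify_peer, verify_host, ca_pem=None):
    """Client TLS context whose checks mirror the two registry keys.

    verify_peer -> module.system.remote_command.ssl_verify_peer: validate the
                   certificate chain against a trusted CA.
    verify_host -> module.system.remote_command.ssl_verify_host: check that the
                   certificate is issued for the name being connected to.
    ca_pem: PEM text of the imported CA certificate (assumption of this example);
            None falls back to the system trust store.
    """
    if verify_host and not verify_peer:
        # A name check on an unvalidated certificate is worthless: anyone can mint a
        # self-signed certificate bearing the right hostname.
        raise ValueError("ssl_verify_host=1 is meaningless without ssl_verify_peer=1")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED with hostname checking; relaxing
    # it requires turning off check_hostname before lowering verify_mode.
    ctx.check_hostname = verify_host
    ctx.verify_mode = ssl.CERT_REQUIRED if verify_peer else ssl.CERT_NONE
    if verify_peer:
        if ca_pem is not None:
            ctx.load_verify_locations(cadata=ca_pem)
        else:
            ctx.load_default_certs()
    return ctx


def effective_checks(ctx):
    """(chain verified?, hostname verified?) as configured on a context."""
    return ctx.verify_mode == ssl.CERT_REQUIRED, bool(ctx.check_hostname)


def residual_exposure(verify_peer, verify_host):
    """What an attacker on the path between two appliances can still do."""
    if not verify_peer:
        return ["any certificate is accepted, including one the attacker minted: full MITM"]
    if not verify_host:
        return ["a certificate from the trusted CA issued for another host is accepted: "
                "whoever holds such a certificate (for instance a compromised appliance) "
                "can impersonate the peer"]
    return []


if __name__ == "__main__":
    for peer, host in ((0, 0), (1, 0), (1, 1)):
        ctx = make_remote_command_context(bool(peer), bool(host))
        print(f"ssl_verify_peer={peer} ssl_verify_host={host}",
              effective_checks(ctx), residual_exposure(bool(peer), bool(host)) or "no known gap")
```

The practical takeaway matches the procedure above: enable both keys, not just one, and only after the CA certificate that issued the appliances' HTTPS certificates has been imported, since verification against a trust store that lacks that CA will simply make the appliances stop talking to each other.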

Importing CSRs
You can import as many Certificate Signing Requests (CSR) as you need. The import wizard
allows you to paste in the CSR details, including any Subject Alternative Names, and its private
key.

To create a CSR, refer to the section Creating CSRs.

To import a CSR
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the menu, select Import > Certificate. The wizard Import an SSL object opens.
4. In the field Name, name the CSR.
5. In the drop-down list Type, select Certificate Signing Request. The page refreshes.
6. In the field Certificate, paste in the CSR, in PEM format.
7. In the field Private key, paste in its private key.
8. Click on OK to complete the operation. The report opens and closes. The CSR is listed, its
private key is available on the CSR properties page.

Importing Private Keys


You can import as many private keys as you need. Any private key can be used to create certi-
ficates and CSRs.

To create a private key, refer to the section Creating Private Keys.

To import a private key


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the menu, select Import > Certificate. The wizard Import an SSL object opens.
4. In the field Name, name the private key.
5. In the drop-down list Type, select Private Key. The page refreshes.
6. In the field Private key, paste in the private key, in PEM format.
7. Click on OK to complete the operation. The report opens and closes. The key is listed.

If you imported a private key, you can use it to create a certificate or a CSR. For more details,
refer to the section Creating Self-signed Certificates or Creating CSRs.
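Because imported SSL objects cannot be edited, and because a passphrase-protected key silently breaks the HTTP service (see the caveat in Importing Certificates), it pays to check a paste before submitting it through any of the three import wizards above. The following Python is an added pre-import check written for this guide, not part of SOLIDserver: it parses the PEM blocks of a paste, flags invalid base64, detects encrypted keys in both the PKCS#8 form (ENCRYPTED PRIVATE KEY label) and the legacy OpenSSL form (Proc-Type: 4,ENCRYPTED header), and confirms that a block of the type selected in the wizard is actually present. The set of PEM labels per wizard Type is an assumption based on common OpenSSL labels; the sample objects are constructed filler, not real DER.

```python
import base64
import re

# PEM labels accepted for each wizard Type. Assumption: the usual OpenSSL labels;
# the document does not list which labels the SOLIDserver wizard accepts.
ACCEPTED_LABELS = {
    "Certificate": {"CERTIFICATE", "X509 CERTIFICATE"},
    "Certificate Signing Request": {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"},
    "Private Key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}
ENCRYPTED_KEY_LABEL = "ENCRYPTED PRIVATE KEY"   # PKCS#8 encrypted form

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def parse_pem(text):
    """Return (label, headers, der_or_None) for every PEM block in text.

    Legacy OpenSSL keys carry RFC 1421 headers before the data;
    "Proc-Type: 4,ENCRYPTED" there means the key is passphrase-protected.
    """
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        headers, data_lines = {}, []
        for line in match.group("body").splitlines():
            line = line.strip()
            if not line:
                continue
            if ":" in line and not data_lines:     # header line; base64 never contains ':'
                key, _, value = line.partition(":")
                headers[key.strip()] = value.strip()
            else:
                data_lines.append(line)
        try:
            der = base64.b64decode("".join(data_lines), validate=True)
        except ValueError:                          # binascii.Error subclasses ValueError
            der = None
        blocks.append((match.group("label"), headers, der))
    return blocks


def check_import(text, wizard_type):
    """Problems that would make the paste fail or break HTTPS; [] means safe to import."""
    if wizard_type not in ACCEPTED_LABELS:
        raise ValueError(f"unknown wizard Type {wizard_type!r}")
    blocks = parse_pem(text)
    if not blocks:
        return ["no PEM block found: the paste must start with a -----BEGIN ...----- line"]
    problems = []
    for label, headers, der in blocks:
        if der is None:
            problems.append(f"{label}: body is not valid base64")
        elif not der:
            problems.append(f"{label}: empty body")
        if label == ENCRYPTED_KEY_LABEL or "ENCRYPTED" in headers.get("Proc-Type", ""):
            problems.append(f"{label}: passphrase-protected private key; decrypt it before "
                            "import or the HTTP service will not start")
    suitable = set(ACCEPTED_LABELS[wizard_type])
    if wizard_type == "Private Key":
        suitable.add(ENCRYPTED_KEY_LABEL)          # already reported above as encrypted
    labels = {label for label, _, _ in blocks}
    if not labels & suitable:
        problems.append(f"no block suitable for Type={wizard_type} (found {sorted(labels)})")
    return problems


def pem_block(label, raw, headers=None):
    """Wrap raw bytes as a PEM block; used here to build constructed sample input."""
    b64 = base64.b64encode(raw).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    head = "".join(f"{k}: {v}\n" for k, v in (headers or {}).items())
    if head:
        head += "\n"                               # RFC 1421: blank line before the data
    return f"-----BEGIN {label}-----\n{head}{body}\n-----END {label}-----\n"


# Constructed sample objects: filler payloads, not real DER structures.
SAMPLE_KEY = pem_block("RSA PRIVATE KEY", b"constructed key material")
SAMPLE_ENCRYPTED_KEY = pem_block(
    "RSA PRIVATE KEY", b"constructed ciphertext",
    {"Proc-Type": "4,ENCRYPTED", "DEK-Info": "AES-128-CBC,00112233445566778899AABBCCDDEEFF"})
SAMPLE_CERT = pem_block("CERTIFICATE", b"constructed certificate")

if __name__ == "__main__":
    for name, text in (("key", SAMPLE_KEY), ("encrypted key", SAMPLE_ENCRYPTED_KEY)):
        print(name, "->", check_import(text, "Private Key") or "OK")
```

Run it once per wizard field: the content of the field Certificate with the Type selected in the wizard, and the content of the field Private key with "Private Key". A decrypted copy of a legacy key can be produced with openssl rsa -in key.pem -out key-plain.pem before pasting; store that plaintext copy with the same care as the appliance backups.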

Creating SSL Objects


On the page All Certificates you can create:
• Self-signed certificates, in PEM format. During the creation you can generate a private key or
use an existing one. For more details, refer to the section Creating Self-signed Certificates.
• CSRs (Certificate Signing Request), in PEM format. During the creation you can generate a
private key or use an existing one. For more details, refer to the section Creating CSRs.
• Private keys, as detailed in the section Creating Private Keys.

Note that you cannot edit SSL objects. If you create a misconfigured object, you can only delete
it and create it again. For more details, refer to the section Deleting SSL Objects.

Creating Self-signed Certificates


From the page All certificates, you can create as many X.509 self-signed certificates as you need.

As each certificate is unique to a SOLIDserver appliance, configure it with Subject Alternative
Names for all the DNS names and IP addresses of the appliance. Browsers match the name typed
in the URL against the Subject Alternative Names, not the Common Name, so any name missing
from this list still produces a hostname warning.

The certificate creation wizard allows you to either configure and generate the certificate private
key or use an existing private key. For more details on private keys import or creation, refer to
the sections Importing Private Keys and Creating Private Keys.

To create a self-signed certificate


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the menu, click on Add. The wizard Create an SSL object opens.
4. In the field Object Name, name the certificate.
5. In the drop-down list SSL File Type, select X509 certificate.
6. In the drop-down list Encryption type, RSA is displayed in read-only.
7. In the field Encryption, specify the RSA key length in bits. By default, 2048 is displayed;
do not use a shorter key.
8. In the field Certificate Validity (days), edit the number of days if need be. By default, 1825
is displayed.
9. In the drop-down list Digest method, select SHA224, SHA256, SHA384 or SHA512.
10. Click on NEXT . The last page opens.
11. Configure the file details:
a. In the field Country Code, specify the two letter code of your country.
b. In the field State or Province, specify the state, province or region name in full letters.
c. In the field Locality, specify the city name.
d. In the field Organization Name, specify your company name.
e. In the field Organization Unit Name, specify the name of the department of the final
user.
f. In the field Common Name, specify the appliance hostname.
g. In the field Email address, specify your email address.
12. You can configure Subject Alternative Names for the appliance:
a. In the drop-down list Type, select DNS or IP. The page refreshes.
b. In the field Value, specify the DNS name (hostname) or the IP address of the appliance.
c. In the field Subject Alternative Name, the Type and Value are displayed.
d. Click on ADD . The Subject Alternative Name is moved to the list Subject Alternative
Names.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
e. Repeat these operations for all the DNS names and IP addresses of the appliance.

13. Click on OK to complete the operation. The report opens and closes. The certificate is listed,
its private key is available on the certificate properties page.
Once you created a valid certificate, you can use it as HTTPS certificate for your local appli-
ance. For more details, refer to the section Changing the HTTPS Certificate.

To create a self-signed certificate using an existing private key


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the menu, click on Add. The wizard Create an SSL object opens.
4. In the field Object Name, name the certificate.
5. In the drop-down list SSL File Type, select X509 certificate.
6. Tick the box Use a previously generated private key. The field Use key appears.
7. In the drop-down list Use key, select the private key of your choice. All existing keys are
listed, whether they were created, imported or generated along with a certificate.
8. In the field Certificate Validity (days), edit the number of days if need be. By default, 1825
is displayed.
9. In the drop-down list Digest method, select the signature digest. Note that MD5, SHA1 and
MD2 are deprecated for certificate signatures and current browsers reject certificates signed
with them; if the list offers only these, create the certificate with a new key using the previous
procedure, which offers the SHA-2 digests.
10. Click on NEXT . The last page opens.
11. Configure the file details:
a. In the field Country Code, specify the two letter code of your country.
b. In the field State or Province, specify the state, province or region name in full letters.
c. In the field Locality, specify the city name.
d. In the field Organization Name, specify your company name.
e. In the field Organization Unit Name, specify the name of the department of the final
user.
f. In the field Common Name, specify the appliance hostname.
g. In the field Email address, specify your email address.
12. Configure the Subject Alternative Names of the appliance. Browsers and API clients match the
name they connect to against the SAN list, not against the Common Name, so list every DNS
name and IP address used to reach the appliance:
a. In the drop-down list Type, select DNS or IP. The page refreshes.
b. In the field Value, specify the DNS name (hostname) or the IP address of the appliance.
c. In the field Subject Alternative Name, the Type and Value are displayed.
d. Click on ADD . The Subject Alternative Name is moved to the list Subject Alternative
Names.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
e. Repeat these operations for all the DNS names and IP addresses of the appliance.
13. Click on OK to complete the operation. The report opens and closes. The certificate is listed.
Once you created a valid certificate, you can use it as HTTPS certificate for your local appli-
ance. For more details, refer to the section Changing the HTTPS Certificate.

Creating CSRs
From the page All certificates, you can create as many Certificate Signing Requests (CSR) files
as you need. The CSR details can be sent to the Certificate Authority that generates your certi-
ficate. Then you must import the certificate you receive, as detailed in the section Importing
Certificates.

As a CSR is used to generate a certificate unique to a SOLIDserver appliance, you can configure
it with Subject Alternative Names for all the DNS names and IP addresses of the appliance.

The CSR creation wizard allows you to either configure and generate the certificate private key
or use an existing private key. For more details on private keys import or creation, refer to the
sections Importing Private Keys and Creating Private Keys.

To create a CSR
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the menu, click on Add. The wizard Create an SSL object opens.
4. In the field Object Name, name the CSR.
5. In the drop-down list SSL File Type, select CSR File. The page refreshes.
6. In the drop-down list Encryption type, RSA is displayed in read-only.
7. In the field Encryption, specify the RSA key size in bits. By default, 2048 is displayed; do
not go below 2048, and prefer 3072 or 4096 for a key that is meant to stay in service for years.
8. Click on NEXT . The last page opens.
9. Configure the file details:
a. In the field Country Code, specify the two letter code of your country.
b. In the field State or Province, specify the state, province or region name in full letters.
c. In the field Locality, specify the city name.
d. In the field Organization Name, specify your company name.
e. In the field Organization Unit Name, specify the name of the department of the final
user.
f. In the field Common Name, specify the appliance hostname.
g. In the field Email address, specify your email address.
10. Configure the Subject Alternative Names of the appliance. Clients match the name they
connect to against the SAN list, not against the Common Name, so list every DNS name and IP
address used to reach the appliance; the Certificate Authority normally carries the SANs of
the CSR into the certificate it issues:
a. In the drop-down list Type, select DNS or IP. The page refreshes.
b. In the field Value, specify the DNS name (hostname) or the IP address of the appliance.
c. In the field Subject Alternative Name, the Type and Value are displayed.
d. Click on ADD . The Subject Alternative Name is moved to the list Subject Alternative
Names.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
e. Repeat these operations for all the DNS names and IP addresses of the appliance.

11. Click on OK to complete the operation. The report opens and closes. The CSR is listed, its
private key is available on the CSR properties page.
Once you created a CSR, you can go to its properties page to download the content of the
panel Certificate and send it to the Certificate Authority. For more details, refer to the section
Downloading SSL objects.

To create a CSR using an existing private key


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the menu, click on Add. The wizard Create an SSL object opens.
4. In the field Object Name, name the CSR.
5. In the drop-down list SSL File Type, select CSR File. The page refreshes.
6. Tick the box Use a previously generated private key. The field Use key appears.
7. In the drop-down list Use key, select the private key of your choice. All existing keys are
listed, whether they were created, imported or generated along with a certificate.
8. Click on NEXT . The last page opens.
9. Configure the file details:
a. In the field Country Code, specify the two letter code of your country.
b. In the field State or Province, specify the state, province or region name in full letters.
c. In the field Locality, specify the city name.
d. In the field Organization Name, specify your company name.
e. In the field Organization Unit Name, specify the name of the department of the final
user.
f. In the field Common Name, specify the appliance hostname.
g. In the field Email address, specify your email address.
10. You can configure Subject Alternative Names for the appliance:
a. In the drop-down list Type, select DNS or IP. The page refreshes.
b. In the field Value, specify the DNS name (hostname) or the IP address of the appliance.
c. In the field Subject Alternative Name, the Type and Value are displayed.
d. Click on ADD . The Subject Alternative Name is moved to the list Subject Alternative
Names.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
e. Repeat these operations for all the DNS names and IP addresses of the appliance.
11. Click on OK to complete the operation. The report opens and closes. The CSR is listed.
Once you created a CSR, you can go to its properties page to download the content of the
panel Certificate and send it to the Certificate Authority. For more details, refer to the section
Downloading SSL objects.

Creating Private Keys


From the page All certificates, you can create as many private keys as you need.

Private keys can be used to create certificates or CSRs. For more details, refer to the sections
Creating Self-signed Certificates and Creating CSRs.

To create a private key


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the menu, click on Add. The wizard Create an SSL object opens.
4. In the field Object Name, name the private key.
5. In the drop-down list SSL File Type, select Private Key. The page refreshes.
6. In the drop-down list Encryption type, RSA is displayed in read-only.
7. In the field Encryption, specify the RSA key size in bits. By default, 2048 is displayed; do
not go below 2048.
8. Click on OK to complete the operation. The report opens and closes. The private key is listed.

Downloading SSL Objects


You can download SSL object details from the panels of their properties pages.
• From the properties page of a certificate you can download the Certificate, Private key and
Public key.
• From the properties page of a CSR you can download the Certificate, Private key and Public
key.
• From the properties page of a private key you can only download the Private key.

Note that the panel Certificate is displayed in PEM format and includes all the configured Subject
Alternative Names.

To download SSL objects details


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. At the end of the line of the certificate, CSR or private key of your choice, click on the
properties icon. The properties page opens.
4. In the panel Certificate, Private Key or Public Key, click on DOWNLOAD and save the file.
On the properties page of a CSR, only the content of the panel Certificate needs to be sent
to the Certificate Authority to generate the appliance certificate. Then you must import the
certificate you receive, as detailed in the section Importing Certificates.

Deleting SSL Objects


You can delete any SSL object, except the certificate currently used by the appliance.

To delete an SSL object


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. Tick the object(s) of your choice.
4. In the menu, click on the delete icon. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The object(s) are no
longer listed.

Changing the HTTPS Certificate


Once you have created or imported an SSL certificate, you can replace the current certificate
with your own to secure HTTPS connections to SOLIDserver.

Before changing the SSL certificate, keep in mind that:


• The SSL certificate is unique to each SOLIDserver appliance.
• You can only change the SSL certificate locally. If you select a remote appliance in the
drop-down list SOLIDserver, the lines HTTP webserver and SSL Certificate are no longer
available.
• Changing the certificate is immediate. After selecting the new certificate, the wizard checks
the validity and configuration of the certificate. If the certificate is valid, it is immediately used.
If the checks fail, the operation is automatically rolled back and the certificate is not changed.
• Your browser must allow pop-up windows as the validity and configuration checks may
open extra windows.

To change the HTTPS certificate


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Services configuration. The page Services configuration
opens.
3. Under the menu, in the drop-down list SOLIDserver, make sure the local appliance is selec-
ted.
4. Under the line HTTP webserver, click on SSL Certificate. The wizard Change the current
SSL certificate opens.
5. In the drop-down list SSL Certificate, select the certificate of your choice. By default, the
certificate Apache SSL Cert Base is available and selected.
6. Click on OK to run the validity and configuration checks and complete the operation. During
these checks, a pop-up window may open and detail the checks progression. If it does, you
must accept the certificate to use the new SSL certificate.
If the checks fail, the operation is automatically rolled back and the certificate is not changed.
In this case, you need to import or create a valid certificate and follow this procedure again.
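After the change, it is worth confirming from a client what the wizard's pop-up checks showed on the appliance: that every name and address used to reach the appliance is in the SAN list, that the certificate is not about to expire, and that it was not signed with one of the weak digests the self-signed wizard offers. The following Python script is an added example, not EfficientIP code. The `audit` entry point, the host and address names in the test data and the constructed DER fragment `EXAMPLE_DER` (used only to exercise the signature parser offline) are assumptions; the script relies on the standard library only.

```python
"""Verify the HTTPS certificate a SOLIDserver appliance serves after a change.

Added example, not part of the SOLIDserver product. Standard library only.
"""
import ipaddress
import socket
import ssl
import time

# RSA signature algorithm OIDs (RFC 3279 / RFC 4055).
SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
# The three digests the self-signed wizard offers; browsers reject all of them.
WEAK_SIGS = {"md2WithRSAEncryption", "md5WithRSAEncryption", "sha1WithRSAEncryption"}


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def signature_algorithm(der):
    """Name of the signatureAlgorithm OID of a DER-encoded X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue },
    so the OID is the first child of the second element of the outer SEQUENCE.
    """
    _, start, _ = _tlv(der, 0)             # outer SEQUENCE
    _, _, tbs_end = _tlv(der, start)       # skip tbsCertificate
    _, alg_start, _ = _tlv(der, tbs_end)   # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    body = der[oid_start:oid_end]
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                     # base-128 arcs, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    oid = ".".join(map(str, arcs))
    return SIG_OIDS.get(oid, oid)


def check_peer_cert(cert, expected_names, now=None, min_days_left=30):
    """Check a getpeercert() dict: SAN coverage of expected_names and validity.

    Returns a list of findings; an empty list means everything checked out.
    """
    now = time.time() if now is None else now
    findings = []
    sans = cert.get("subjectAltName", ())
    dns_names = {v.lower() for t, v in sans if t == "DNS"}
    ip_names = {ipaddress.ip_address(v) for t, v in sans if t == "IP Address"}
    for name in expected_names:
        try:                               # IP SANs and DNS SANs are matched separately
            covered = ipaddress.ip_address(name) in ip_names
        except ValueError:
            covered = name.lower() in dns_names
        if not covered:
            findings.append(f"no SAN covers {name}")
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    if expires < now:
        findings.append("certificate has expired")
    elif expires - now < min_days_left * 86400:
        findings.append(f"certificate expires in {(expires - now) // 86400:.0f} days")
    return findings


def audit(host, port=443, expected_names=(), cafile=None):
    """Connect with verification on, then run both checks (assumed entry point).

    For a self-signed appliance certificate, pass its PEM as cafile; otherwise
    pass the CA bundle that issued the certificate you imported.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            der = tls.getpeercert(binary_form=True)
    findings = check_peer_cert(cert, list(expected_names) or [host])
    sig = signature_algorithm(der)
    if sig in WEAK_SIGS:
        findings.append(f"signed with {sig}; browsers reject MD5/SHA-1 signatures")
    return findings


# Constructed DER fragment with the Certificate layout and a sha1WithRSA OID;
# not a real certificate, only here to exercise signature_algorithm() offline.
EXAMPLE_DER = bytes.fromhex("3015" "3000" "300d" "06092a864886f70d010105" "0500" "030200ff")

if __name__ == "__main__":
    import sys
    print(audit(sys.argv[1], expected_names=sys.argv[2:]) or ["all checks passed"])
```

Run it as `python3 check_https.py <appliance> <every DNS name and IP of the appliance>` from an administrator's workstation, with `cafile` pointing at the CA that issued the certificate; a self-signed certificate passes the SAN and expiry checks only if you trust its own PEM as `cafile`, which is exactly the trust decision the wizard's pop-up asks you to make.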

Securing the Firewall


SOLIDserver embeds a restrictive stateful firewall, or Stateful Packet Inspection (SPI, also
known as dynamic packet filtering), to secure flows with a simple stateful logic.

Be careful when configuring the firewall: a wrong rule can cut the connection between your
devices, including your own access to the appliance. We recommend that:
• The firewall remains enabled, i.e. in Restricted mode.
• The UDP port 161 (SNMP) be restricted to the management interface and only allow connection
from management appliances and system administrators networks.
• The TCP ports 80 and 443 (HTTP and HTTPS) be restricted to the management interface and
only allow connection from management appliances and system administrators networks.
• The TCP port 22 (SSH) be restricted to the management interface and only allow connection
from management appliances and system administrators networks.
• The TCP port 5432 (PostgreSQL) denies connection from any IP address except between
two appliances in High Availability.
• The UDP and TCP ports 123 (NTP) deny connection from any IP address if the appliance does
not need to offer time service to other hosts on the network.

In any case, we strongly recommend authorizing connections from as few sources, and to as few
ports, as possible.
For more details on all SOLIDserver network configurations, refer to the appendix Matrices of
Network Flows.

Enabling or Disabling the Firewall


By default, the SOLIDserver firewall is Restricted, i.e. enabled, and all the firewall rules are
enforced in order of position.

You can set the firewall to Open, which disables it and ignores all these rules. Only do so for
troubleshooting, and restrict it again as soon as possible.

To open or restrict the firewall


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Network configuration. The page Network configuration
opens.
3. In the column Configuration, the line Firewall reads Restricted or Open.
4. Click on the current state to change it. The wizard Firewall state configuration opens.
5. Click on OK to complete the operation. The firewall is marked Open or Restricted.
6. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.

Adding a Firewall Rule


Before adding firewall rules, keep in mind that:
• The position sets the precedence of a rule. Rules are evaluated in increasing order of position
and the first matching rule decides. Therefore, if you set two firewall rules from a DNS server
A to a DNS server B via the same port, interface and protocol, one denying access and the other
granting it, only the rule with the smallest position is applied.
• As the firewall is restrictive, the last position 65535 denies any packet, whatever its protocol,
source or destination. In addition, the positions 1 - 99 and 59999 - 65535 are reserved by
EfficientIP and cannot be used.

To add a firewall rule


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Firewall rules. The page Firewall rules opens.
3. In the menu, click on Add. The Firewall rule configuration wizard opens, fill in all the re-
quired parameters following the table below:

Table 2.2. Firewall rules parameters

Position
    The rule precedence, a number between 100 and 59998. For more details, refer to the
    introduction of the section.
Action
    The action to execute when a packet matches the selection criteria of the rule.
    allow   Matching packets are accepted. Rule processing stops at this rule.
    deny    Matching packets are discarded. Rule processing stops at this rule.
Protocol
    The protocol of the firewall rule. The available protocols handle IPv4 and/or IPv6.
From
    The source of the packets. The fields From and To work together: specify either two IPv4
    addresses or two IPv6 addresses, you cannot mix protocol versions. Accepted values:
    me                   A keyword that matches any IP address configured on an interface of
                         the appliance.
    any                  A keyword that matches any IP address.
    <address>/<prefix>   An IP address with a mask length, in the format x.x.x.x/p or xxxx::/p.
    <address>            A single IP address, in the format x.x.x.x or xxxx::.
Source port
    The source port(s) the rule applies to. Use a comma to separate several port numbers.
To
    The destination of the packets. Same accepted values and same IPv4/IPv6 constraint as
    From.
Destination port
    The destination port(s) the rule applies to. Use a comma to separate several port numbers.
Via
    The interface the packets go through. When set, the interface is always checked as part of
    the match. By default, nothing is selected and the interface is not checked.
Log
    Whether matching packets are logged. By default, No is selected. Select Yes to record every
    match on the page Syslog, under the facility SECURITY. Logging the deny rules that protect
    management ports is a cheap way to spot scans and misconfigured clients.
Keep state
    Whether a match creates a dynamic rule. By default, No is selected. Select Yes to have the
    firewall add, on match, a dynamic rule that accepts the bidirectional traffic between the
    source and destination IP/port pair using the same protocol. Use it on allow rules so that
    return traffic is accepted without a separate rule.

4. Click on OK to complete the operation.


5. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.
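The rule semantics of this section (first match in order of position, the implicit final deny, the reserved ranges, the keywords me and any, and Keep state) can be exercised offline before you touch a production appliance. The following Python script is an added example and not EfficientIP code: it models those semantics on constructed packets and encodes the recommendations given under Securing the Firewall as a rule set. The addresses, the interface name em0 and the host excluded at position 300 are assumptions, and the rules EfficientIP keeps in the reserved positions are not modelled.

```python
"""First-match evaluation of SOLIDserver-style firewall rules.

Added example, not EfficientIP code: it models the semantics described above
(smallest position wins, final deny at 65535, reserved ranges, 'me'/'any',
Keep state) on constructed packets. Interface and address values are assumed.
"""
import ipaddress
from dataclasses import dataclass, field

# Addresses configured on the appliance's interfaces: what the keyword "me" matches (assumed).
MY_ADDRESSES = {ipaddress.ip_address("10.10.0.10"), ipaddress.ip_address("192.168.50.10")}
FINAL_DENY = 65535                       # implicit last rule of the restrictive firewall
USABLE = range(100, 59999)               # 1-99 and 59999-65535 are reserved by EfficientIP


def position_is_valid(position):
    return position in USABLE


def _match_addr(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in MY_ADDRESSES
    return addr in ipaddress.ip_network(spec, strict=False)   # x.x.x.x or x.x.x.x/p


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    iface: str


@dataclass
class Rule:
    position: int
    action: str                          # "allow" or "deny"
    proto: str                           # "tcp", "udp" or "any"
    src: str                             # "me", "any", address or address/prefix
    dst: str
    dport: set = field(default_factory=set)   # empty set: any destination port
    via: str = ""                        # interface; "" means not checked
    keep_state: bool = False
    log: bool = False

    def __post_init__(self):
        if not position_is_valid(self.position):
            raise ValueError(f"position {self.position} is reserved or out of range")

    def matches(self, pkt):
        return (self.proto in ("any", pkt.proto)
                and _match_addr(self.src, ipaddress.ip_address(pkt.src))
                and _match_addr(self.dst, ipaddress.ip_address(pkt.dst))
                and (not self.dport or pkt.dport in self.dport)
                and (not self.via or self.via == pkt.iface))


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.position)   # smallest position first
        self.states = set()              # dynamic rules created by Keep state
        self.syslog = []                 # what Log=Yes would send to facility SECURITY

    def evaluate(self, pkt):
        """Return (action, position or 'state') of the rule that decided the packet."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.states or reply in self.states:     # bidirectional, same protocol
            return "allow", "state"
        for rule in self.rules:          # first match terminates the search
            if rule.matches(pkt):
                if rule.log:
                    self.syslog.append(f"SECURITY: rule {rule.position} {rule.action} {flow}")
                if rule.action == "allow" and rule.keep_state:
                    self.states.add(flow)
                return rule.action, rule.position
        return "deny", FINAL_DENY


ADMIN_NET, HA_PEER, MGMT = "10.10.0.0/24", "192.168.50.11", "em0"   # assumed values

# The recommendations of this section as a rule set. Rule 300 before 310 shows
# that, of two conflicting rules, the smallest position wins.
POLICY = [
    Rule(200, "allow", "udp", ADMIN_NET, "me", {161}, via=MGMT, keep_state=True),      # SNMP
    Rule(210, "allow", "tcp", ADMIN_NET, "me", {80, 443}, via=MGMT, keep_state=True),  # HTTP(S)
    Rule(300, "deny", "tcp", "10.10.0.5", "me", {22}, log=True),                       # one excluded host
    Rule(310, "allow", "tcp", ADMIN_NET, "me", {22}, via=MGMT, keep_state=True),       # SSH
    Rule(400, "allow", "tcp", HA_PEER, "me", {5432}, keep_state=True),                 # PostgreSQL, HA peer only
    Rule(410, "deny", "tcp", "any", "me", {5432}, log=True),                           # log other attempts
    Rule(500, "deny", "any", "any", "me", {123}),                                      # no NTP service offered
]


def demo():
    """Evaluate constructed packets against POLICY; returns {case: (action, position)}."""
    fw = Firewall(POLICY)
    cases = {
        "admin https": Packet("tcp", "10.10.0.7", "10.10.0.10", 51000, 443, "em0"),
        "https reply": Packet("tcp", "10.10.0.10", "10.10.0.7", 443, 51000, "em0"),
        "https from server vlan": Packet("tcp", "172.16.9.4", "10.10.0.10", 51001, 443, "em1"),
        "ssh from excluded host": Packet("tcp", "10.10.0.5", "10.10.0.10", 51002, 22, "em0"),
        "postgres from ha peer": Packet("tcp", "192.168.50.11", "192.168.50.10", 51003, 5432, "em1"),
        "postgres from admin net": Packet("tcp", "10.10.0.7", "10.10.0.10", 51004, 5432, "em0"),
        "ntp query": Packet("udp", "10.10.0.7", "10.10.0.10", 123, 123, "em0"),
    }
    return {name: fw.evaluate(pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:28} -> {decision}")
```

The HTTPS reply is accepted by the dynamic state entry rather than by a rule, which is why Keep state belongs on every allow rule; the SSH packet from 10.10.0.5 hits the deny at position 300 even though the broader allow at 310 would also match, and the HTTPS attempt from the server VLAN falls through to the implicit deny at 65535.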

Securing the Services


It is recommended to keep services enabled only when they are needed. For instance, if your
appliance is dedicated to management, you can disable the DHCP and DNS services.

Note that the SNMP and NTP services must never be stopped or disabled. For more details,
refer to the chapters Configuring the Services and Configuring the Time and Date in the Admin-
istrator Guide.

SOLIDserver lets you enable, disable, start and stop all the embedded services.

Enabling or Disabling a Service


Before enabling or disabling a service, keep in mind that this operation impacts the service:
• Disabling a service automatically stops it.
• Enabling a service automatically starts it.

To enable/disable a service
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Services configuration. The page Services configuration
opens.
3. In the column Name, look for the service of your choice.
4. In the column Enabled:
a. To enable the service, click on Disabled. The wizard opens.
b. To disable the service, click on Enabled. The wizard opens.
5. Click on OK to complete the operation.
6. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.

Starting or Stopping a Service


Before starting or stopping a service, keep in mind that:
• Once a service is disabled, it cannot be started.
• A disabled service is automatically stopped, so you can only stop an Enabled service.

To start/stop a service
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Services configuration. The page Services configuration
opens.
3. In the column Name, look for the service of your choice.
4. In the column Running:
a. To start the service, click on Stopped. The wizard opens.
b. To stop the service, click on Started. The wizard opens.
5. Click on OK to complete the operation.

Securing NetChange
SOLIDserver can version the configuration files of your network devices, a feature most vendors
support, so that every change to a configuration file is saved automatically. All the revisions
of the files are then included in the SOLIDserver backup file. For more details, refer to the
section Managing Configuration Versioning in the Administrator Guide.

A registry database key controls whether the passwords contained in these configuration files
are shown or hidden. By default, they are all hidden, and we strongly recommend leaving it this
way: the versioned files, and the backups that contain them, would otherwise expose every
device credential to anyone who can read them.

To configure the passwords display in the configuration files


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with module.iplocator.rancid.show_passwords.
4. Hit Enter. Only this key is listed.
5. In the column Value, click on the value listed. The wizard Registry database: Edit a value
opens.
6. In the field Name, the key name is displayed in read-only.
7. In the field Value, specify 0, 1 or 2. By default, it is set to 0.

Table 2.3. Available display options for passwords in the configuration file
Value Description
0 Hides all the passwords in the configuration files.
1 Displays only the passwords that the configuration files already store in encrypted form, as
they are stored; all the clear-text passwords are hidden. This option can be useful to track
password changes without revealing them. Note that some device platforms store passwords in
encodings that are trivially reversible; treat such values as clear text when weighing this option.
2 Displays all the passwords of the configuration files. This option is not recommended.

We strongly recommend leaving the default value 0.


8. Click on OK to complete the operation. The report opens and closes. The column Value
contains the value you set.

Chapter 3. Hardening the Management Infrastructure
The management infrastructure can be hardened by:
• Setting specific access to users.
• Adding authentication rule(s) to grant access to SOLIDserver to external Microsoft Active
Directory, RADIUS, LDAP and OpenID users.
• Defining a custom backup management.
• Configuring two appliances in High Availability to ensure uninterrupted access.

Setting User Access


Within SOLIDserver, user rights and resources depend on the group they belong to.

Upon installation, only the superuser exists.

When logged in as the superuser, ipmadmin, you belong to the most privileged group, admin. Users
of that group can perform all operations and have access to all existing resources. Some operations
can only be performed by the users of that group, in which case the procedure says so.

To configure access to other users, you need to:


1. Add or import users.
2. Add a group of users.
3. Configure that group with users. At group level, the users are considered a resource.
4. Configure that group with rights. From the page Rights of each group you can grant or deny
access to operations in all modules to the users of the group.
5. Configure that group with resources. From the page Resources of each group, you can add
existing objects as resources. The resources define the list of objects on which users can perform
operations. If a group has no resources, its users hold rights that they cannot use on any
object.

In the following sections, you add a group of users and set it with:
• Rights, all the granted and denied operations, such as adding or deleting a resource type.
• Resources, all the objects you can perform the rights on, such as servers, zones or networks.
• Users, they must belong to a group to have access to the appliance and specific rights and
resources.

In addition, these groups of users can be externally authenticated via Microsoft Active Directory,
RADIUS, LDAP or OpenID. For more details, refer to the section Setting Authentication Rules.

Setting Groups
You can add as many groups as you need. For each group you can then define rights and re-
sources, which includes its users.

To add a group
Only users of the group admin can perform this operation.

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Groups. The page opens.
3. In the menu, click on Add. The wizard Add a group opens.
4. In the list Parent group, select the parent group of your choice or None. The selected parent
group can add users to the group you are adding.
5. Click on NEXT . The next page opens.
6. If classes are enabled, in the list Group class, select a class or None.
Click on NEXT . The last page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
7. In the field Group name, name the group. If you intend to authenticate users via AD, name
the group after an existing AD group.
8. In the field Description, you can specify a description.
9. In the drop-down list Copy rights from group, you can select any group, except admin, or
None. The rights of the selected group are granted or denied to the group you are adding,
their rights configuration is exactly the same. You can edit the Rights of the new group later
on.
10. Click on OK to complete the operation. The report opens and closes. The group is listed.

Setting Rights
Rights are the operations that can be granted or denied to groups of users. They are named as
follows: <action-granted>: <object-concerned>.

The group admin is the only one with full administration rights. You must configure rights for all
other groups.

Keep in mind that:


• Rights alone are useless. Without any resource, the users of the group cannot use the rights
they are granted. For example, granting the right Add: zone to a group without adding any DNS
server as resource of the group would be useless.
• You need to grant the right to Display any module/type of resources you plan to manage.

For more details regarding group rights, refer to the chapter Managing Groups in the Administrator
Guide.

To configure the rights of a group


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Groups. The page Groups opens.
3. Click on the Name of the group of your choice. The page Resources opens.
4. In the breadcrumb, click on Rights. The page opens.
5. Tick the right(s) of your choice. The menu Edit is now selectable.
6. In the menu, select Edit > Allow or Deny. The wizard opens.
7. Click on OK to complete the operation. The page refreshes, the column Permission displays
the current configuration of the right.

Setting Resources
Adding an object, such as a DNS server or a terminal network, to a group resources means that:
• Its users can display, in read-only, the parent object(s) of the resource.
For example, adding a DNS zone as a resource to a group allows its users to display the
server it belongs to. However, they cannot display the other zones in that server if they are not
added to the resources of the group. In any case, users need the right to display the module
elements.
• Its users can perform operations, granted rights, over the object(s) set as resource.
For example, adding a DHCP scope as a resource to a group allows its users to edit it if the
group has the right to edit scopes. If the group does not have the right to edit DHCP servers,
the server containing the scope can be displayed, as described above, but it cannot be edited.
• Its users can act on the content of the object(s) set as resource.
For example, adding a space as a resource to a group allows its users to add networks in it if
the group has the right to add networks.

You can add as many resources to a group as you need.

Note that you can also add resources to a group from a listing page or from a resource properties
page. For more details, refer to the section Managing the Resources of a Group of Users in the
Administrator Guide.

To add resources to a group from the page Resources


1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Groups. The page Groups opens.
3. Click on the name of the group of your choice. The page Resources opens.
Note that you cannot select the group admin as, by default, it has authority over all the re-
sources.
4. In the menu, select Add > Resources > <module-of-your-choice> > <resource-of-
your-choice>. The wizard opens.
5. Tick the resource(s) of your choice.
6. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the selected resources are listed on the page.
On the object(s) properties page, the panel Groups access lists the group.

Setting Users
When you add users to a group, it grants them the rights configured for that group. Users can be
part of multiple groups at the same time, cumulating the rights and resources of each of them.

If you want to use an external authentication system, we strongly suggest that you configure
your groups of users before enabling the remote authentication rules. Once the authentication
rules are enabled, the corresponding users can log in to SOLIDserver. This is especially true for
AD authentication: once the rule is enabled, any AD user can log in to the appliance. If you added
a group of users named after the AD group the users belong to, SOLIDserver automatically adds
the user in the GUI and puts it in the corresponding group of users. For more details, refer to
the section Setting Authentication Rules.

To add a local user


1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.

2. In the section Authentication & Security, click on Users. The page opens.
3. In the menu, click on Add. The wizard Add a user opens.
4. If classes are enabled, in the list User class, select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the field Login, specify the user login. This login cannot be an email address.
6. In the field Password, specify the user password. If the user is of Unix type and the password
is not printable, the system password is used.
7. In the field Confirm password, specify the user password again.
8. To configure additional parameters:
a. Tick the box Expert mode.
b. In the field First name, specify the user first name.
c. In the field Last name, specify the user last name.
d. In the field Official name, the user last and first name are automatically displayed. You
can replace them with a shorter name if you want.
e. In the field Email, specify the user email address.
f. In the field Login URL, specify the URL toward which the user should be directed after
being authenticated.
g. In the drop-down list Maintainer group, select the group of users that should be able
to edit the user information (names, credentials, email...) and classes.
9. Click on OK to complete the operation. The report opens and closes. The user is listed among
the users with its Login, Official name and Origin in the corresponding columns.

Once you added a user, you must add it as a resource of at least one group. It can belong to
several groups with different resources and rights. The user credentials are the same, but the
access they give corresponds to the groups the user belongs to.

To add a user to a group


1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Groups. The page Groups opens.
3. Click on the name of the group of your choice. The page Resources of that group opens.
4. In the menu, click on Add > Users. The wizard Rights & delegation: Users opens.
5. Tick the user(s) of your choice.
6. Click on OK to complete the operation. The wizard closes and the page refreshes. The user
is listed among the resources of the group.

Setting Authentication Rules


Once you have configured your groups with rights, resources and users, you can grant access to
external users stored on remote Microsoft Active Directory (AD), LDAP or RADIUS servers and/or
OpenID-compatible identity providers.

Note that this guide does not detail how to authenticate OpenID users. For more details, refer to
the chapter Managing Authentication Rules in the Administrator Guide.

[1] If the user is of Unix type and the password is not printable, the system password is used.

From the page Authentication rules you can add rules dedicated to authenticating Active Directory,
LDAP and/or RADIUS users. Once you have added a rule, SOLIDserver can grant secure access to the
identified users, or deny them access if they are not found on any server.

Because every configured remote authentication server is checked systematically, you can add
as many rules as you want to authenticate users stored on AD, LDAP or RADIUS remote servers.
SOLIDserver checks the user credentials against each of them, which allows you to set a different
authentication configuration for each remote server.

Note that authentication rules are checked in no particular order, so it is important to keep
your authentication servers updated with the same data. If a user is in the group A on one server
and in the group B on another server, there is no way to set a preference for one authentication
rule over the other.

Adding Active Directory Authentication Rules


The rule AD authentication allows you to configure user authentication through a Microsoft Active
Directory server. You can add as many AD rules as you need.

Active Directory (AD) is a technology created by Microsoft that provides a variety of network
services, including LDAP-like directory services and other network information. SOLIDserver
supports remote authentication with any AD running on Microsoft Windows Server 2008, 2008
R2, 2012 R2, 2016 or 2019.

To successfully authenticate users and take into account existing AD groups, you must:
1. Already have at least one group that exists both on the AD server and among SOLIDserver groups
of users, with exactly the same name: the group name is case-sensitive, so the group name in
SOLIDserver must match the AD group name down to the case.
2. Configure said group with the resources and rights that define the users' profile.
3. Add and configure the AD authentication rule with the option Synchronize set to Yes. You can
even configure it to deny access to users that do not belong to an AD group.
With this configuration, AD users are automatically added as resources of the matching local
group when they connect, and are granted the relevant rights and resources.

Once the rule is added, AD users can connect to SOLIDserver. Note that:
• The changes performed on the AD server are not immediately taken into account by SOLIDserver.
To avoid waiting, you can delete the AD users you modified from the page Users: when they
connect again, SOLIDserver contacts the AD server and authenticates them with their new
parameters.
• If several email addresses are available for one user, only the first non-empty value is taken
into account.

To add the AD user authentication rule


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Authentication rules. The page Authentication
rules opens.
3. In the menu, click on Add. The wizard Add a rule opens.
The fields Module and Event are already filled with the values Rights & delegation and External
user login.
4. In the drop-down list Rule, select (000) AD authentication.

5. In the field Rule name, name the rule. This name is used as the Instance of the rule.
6. In the field Comment, you can add a comment regarding that rule.
7. Click on NEXT. The page Rule filters opens.
8. Click on NEXT. The page Rule parameters opens.
9. Configure the basic AD authentication parameters following the table below:

Table 3.1. Active Directory basic parameters

AD server: The IP address or hostname of the Active Directory server. This field is required.
AD server port: The port of the Active Directory server. Leave it empty to use the default AD port. This field is optional.
Use secure LDAP: Tick this box to use secure LDAP during the authentication. SOLIDserver uses LDAP and SSL to connect to the AD server [a].
Domain of DC: The domain of the Domain Controller, i.e. the Fully Qualified Domain Name (FQDN) of your AD, for instance mydomain.corp. This field is required.
Default user domain: The default domain of the user who connects through AD. This domain is concatenated to the user name. For instance, the user login jdoe is concatenated with mydomain.corp to produce jdoe@mydomain.corp. If you leave this field empty, users have to connect with jdoe@mydomain.corp. If you configure mydomain.corp in this field, they only have to connect with jdoe. This field is optional.

[a] Secure LDAP configuration relies on the TCP port 636. Make sure this port is open on your network.

10. You can configure the advanced AD authentication parameters:
a. Tick the box Expert mode. The configuration fields appear.
b. In the drop-down list Deny if not in a group, you can select Yes or No. By default, it is
set to Yes, so only the members of an AD group can connect to SOLIDserver.
c. By default, the box Manage imbricated groups is unticked. You can tick it to allow
SOLIDserver to also look for members in the sub-groups (nested groups) of the specified top
group on the AD server during the authentication.
11. Click on NEXT. The last page opens.
12. In the drop-down list Synchronize, set the synchronization behavior of your choice. By default,
No is selected.
Select Yes if you want to synchronize the SOLIDserver database with the AD database and
automatically add the users of the AD group to the matching local group of users. Said users
are granted the same rights and resources as the local group. The box Expert mode appears.
13. You can tick the box Expert mode to configure the synchronization further. The configuration
fields appear.

Table 3.2. Active Directory parameters for the groups synchronization

AD group granted "admin" rights: The name of any group on the AD server. All the users of the specified group are granted access to SOLIDserver with the same rights as the users of the group admin. These users are also listed as resources of the group admin. This field is optional.
Login: The login of an account that can retrieve the AD attributes of the users that you want to grant access to SOLIDserver. Note that if your AD is configured in a very strict manner and you do not specify an account with sufficient rights, standard users might not be able to browse their own attributes. This field is optional.
Password: If you specified a Login, specify its account password. This field is optional.
Base DN: The name of the top of the AD tree. The level specified is the starting point of the search for a matching user account on the server. You can customize this field in order to look in specific location(s) of the AD. This field is optional.
Use sAMAccountName field as login: You can decide whether to use the sAMAccountName field as user login. This parameter is used for pre-AD installations (basically NTDS) and accepts 8-character-long login names instead of regular longer names. This field is optional.

14. Click on OK to complete the operation. The report opens and closes. The rule is now listed;
its Instance matches the Rule name you set.

If some user connections fail, the following guidelines may help an administrator troubleshoot
the authentication.

To troubleshoot a remote AD authentication


1. Ask the user(s) whose connection fails to:
a. Try to connect to SOLIDserver with their AD credentials several times, as the authentication
rule may not be taken into account immediately. If this fails:
b. Double-check their AD credentials; they may not be specifying the proper ones.
If neither solution solves the problem, go to step 2.
2. Connect to SOLIDserver using the credentials of a local administrator:
a. In the sidebar, click on Administration. The page Admin Home opens.
b. In the section Monitoring, click on Syslog. The page Syslog opens.
c. In the column Log, look for any AD related information: Missing/invalid parameter or
ldap_connect. These messages look as follows:
Missing/invalid parameter : [usr_login]
Missing/invalid parameter : [usr_password]
Missing/invalid parameter : [ad_hostaddr]
Missing/invalid parameter : [ad_domain]
ldap_connect(): could not connect to ''

Most of the time, the source of the problem is that no connection to the AD server can be
established. The column may even indicate that the AD user credentials are not recognized as
belonging to a member of any existing SOLIDserver group.
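When a Syslog page holds many lines, picking out the AD messages quoted above and mapping them to the rule fields of Table 3.1 is quicker in a script. The following Python snippet is an added example, not SOLIDserver code: the syslog prefix on the sample lines and the mapping from parameter names to rule fields are assumptions drawn from the messages and fields this guide lists.

```python
"""Triage of the AD-related Syslog messages quoted above (added example, not SOLIDserver code)."""
import re
from typing import Dict, Iterable, List

MISSING_RE = re.compile(r"Missing/invalid parameter : \[(\w+)\]")
CONNECT_RE = re.compile(r"ldap_connect\(\): could not connect to '([^']*)'")

# Assumed mapping from the parameter names quoted in the guide to the rule field
# or user-side action they point at. The first two are rule fields marked
# "required" in Table 3.1; the last two are the credentials typed by the user.
HINTS: Dict[str, str] = {
    "ad_hostaddr": "rule field 'AD server' is empty or invalid (required)",
    "ad_domain": "rule field 'Domain of DC' is empty or invalid (required)",
    "usr_login": "the user submitted no login: have them check their AD credentials",
    "usr_password": "the user submitted no password: have them check their AD credentials",
}

# Constructed sample in the shape of the messages quoted in the guide; the
# timestamp/host/process prefix is an assumption about how the Log column reads.
SAMPLE_SYSLOG: List[str] = [
    "Mar  2 09:14:02 solid auth: Missing/invalid parameter : [ad_hostaddr]",
    "Mar  2 09:14:02 solid auth: Missing/invalid parameter : [ad_domain]",
    "Mar  2 09:14:02 solid auth: ldap_connect(): could not connect to ''",
    "Mar  2 09:14:05 solid auth: Missing/invalid parameter : [usr_password]",
    "Mar  2 09:14:07 solid sshd[77]: Accepted publickey for admin from 192.0.2.10",
]


def triage_ad_syslog(lines: Iterable[str]) -> Dict[str, object]:
    """Extract the AD authentication messages from Syslog lines and classify them."""
    missing: List[str] = []
    connect_failures: List[str] = []
    for line in lines:
        m = MISSING_RE.search(line)
        if m:
            if m.group(1) not in missing:
                missing.append(m.group(1))
            continue
        c = CONNECT_RE.search(line)
        if c:
            connect_failures.append(c.group(1))   # the address the connect attempted

    hints = [HINTS.get(p, f"unknown parameter [{p}]") for p in missing]
    if "" in connect_failures:
        hints.append("ldap_connect() was given an empty address: the AD server "
                     "field is empty or the rule was not applied")
    # The guide notes that, most of the time, the AD server simply cannot be reached.
    if connect_failures or any(p.startswith("ad_") for p in missing):
        likely = "server"       # rule misconfigured or AD server unreachable
    elif missing:
        likely = "credentials"  # only user-side parameters are missing
    else:
        likely = "none"         # no AD-related messages at all
    return {"missing": missing, "connect_failures": connect_failures,
            "hints": hints, "likely_cause": likely}


if __name__ == "__main__":
    for key, value in triage_ad_syslog(SAMPLE_SYSLOG).items():
        print(f"{key}: {value}")
```

Feed it the lines exported from the column Log; a "server" verdict means the rule parameters or network path deserve a look before the user's password does.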

Adding LDAP Authentication Rules


The rule LDAP authentication allows you to configure user authentication through LDAP version
2 or 3. You can add as many LDAP rules as you need.

Lightweight Directory Access Protocol (LDAP) is an application protocol over TCP/IP for querying
and modifying directory services that might hold passwords, addresses, groups, public encryption
keys and other exchange-facilitating data.

To set up authentication for SSH connections, refer to the appendix Using Remote Authentication
for SSH Connections to SOLIDserver in the Administrator Guide.

To successfully authenticate users and take into account an existing LDAP group, before
the first user connection you must:
1. Add a group of users within SOLIDserver matching the relevant LDAP group. This local group
must have the same name as the LDAP group, which means that, when the whole LDAP repository
tree structure is used, it may look as follows: cn=group1,ou=Groups,dc=example,dc=com.
2. Add and configure the LDAP authentication rule with the option Group attribute set to match
this LDAP group.
With this configuration, LDAP users are automatically added as resources of the matching local
group when they connect, and are granted the relevant rights and resources.

If your users are distributed among several LDAP groups, you can decide to add local groups
that only use the Common Name (CN) part of your LDAP group names. To do so, you need to tick
the relevant box during the rule configuration. Keep in mind that if you tick this box, the names
of all the LDAP groups you add within SOLIDserver must only use the CN: you cannot mix long and
short group names in the database to authenticate LDAP users.

Once the rule is added, LDAP users can connect to SOLIDserver. Note that:
• The changes performed on the LDAP server are not immediately taken into account by
SOLIDserver. To avoid waiting, you can delete the LDAP users you modified from the page
Users: when they connect again, SOLIDserver contacts the LDAP server and authenticates
them with their new parameters.
• If several email addresses are available for one user, only the first non-empty value is taken
into account.

To add the LDAP user authentication rule


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Authentication rules. The page Authentication
rules opens.
3. In the menu, click on Add. The wizard Add a rule opens.
The fields Module and Event are already filled with the values Rights & delegation and External
user login.
4. From the list Rule, select (018) LDAP authentication.
5. In the field Rule name, name the rule. This name is used as the Instance of the rule.
6. In the field Comment, you can add a comment regarding that rule.
7. Click on NEXT. The page Rule filters opens.
8. Click on NEXT. The page Rule parameters opens.
9. Configure the rule parameters as follows.

Table 3.3. LDAP parameters

LDAP server: The IP address or hostname of the LDAP server. This field is required.
LDAP server port: The port of the LDAP server. Leave it empty to use the default LDAP port. This field is optional.
Use secure LDAP: Tick this box to use secure LDAP during the authentication. SOLIDserver uses LDAP and SSL to connect to the LDAP repository. This field is optional.
Use LDAP v3: Tick this box to use LDAP in version 3. Otherwise, version 2 is used. This field is optional.
Base DN: The top level of the LDAP repository tree is the base, for instance dc=example,dc=com. This field is required.
Group attribute: The name of the attribute(s) in LDAP that matches one or several groups in SOLIDserver, for instance memberof. If you specify an attribute, you enable the synchronization and SOLIDserver can retrieve all the groups of the user. Several names must be separated by a comma. This field is optional.
Short group name (CN): Tick this box if you want to use only the Common Name (CN) as group name, instead of the whole directory tree structure. This box should be ticked for all LDAP rules or none of them, so make sure that all the groups of users locally added in SOLIDserver are named using only the CN before the first user authenticates. This field is optional.
LDAP group granted "admin" rights: The name of any group on the LDAP server. All the users of the specified group are granted access to SOLIDserver with the same rights as the users of the group admin. These users are also listed as resources of the group admin. This field is optional.
Login: The login of an account that can retrieve the LDAP attributes of the users that you want to grant access to SOLIDserver. This field is optional and based on the attribute uid. Note that if your LDAP is configured in a very strict manner and you do not specify an account with sufficient rights, standard users might not be able to browse their own attributes.
Password: If you specified a Login, specify its account password.

10. Click on OK to complete the operation. The report opens and closes. The rule is now listed;
its Instance matches the Rule name you set.

Adding RADIUS Authentication Rules


The rule RADIUS authentication allows you to configure user authentication through any RADIUS
server. You can add as many RADIUS rules as you need.

Remote Authentication Dial In User Service (RADIUS) is a networking protocol that uses access
servers to provide centralized access management to large networks.

To set up authentication for SSH connections, refer to the appendix Using Remote Authentication
for SSH Connections to SOLIDserver in the Administrator Guide.

To successfully authenticate RADIUS users, keep in mind that:
• A user with no access to RADIUS cannot access SOLIDserver either.
• The authentication rule does not allow you to specify groups, therefore you should add the group(s)
of users before enabling the rule. As the group name is sent by RADIUS, any local group of
users must be named exactly like the relevant RADIUS group, down to the case and potential
accents. The RADIUS return value can hold several values, i.e. several groups, separated by
commas.
• RADIUS users are automatically added to SOLIDserver when they connect for the first time.
• User attributes, such as group or email, are updated at each connection.

You can use FreeRADIUS or RADIUS for Cisco ACS with SOLIDserver. For more details, refer
to the appendix Configuring RADIUS in the Administrator Guide.
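The AD, LDAP and RADIUS sections above all rely on the same matching rule: a remote group name is compared exactly, case included, with the name of a local SOLIDserver group; with the LDAP option Short group name (CN) only the CN is compared and local names may not mix long and short forms; a RADIUS attribute may carry several comma-separated groups; a user matching no group is denied when the rule says so; the group granted admin rights maps to the local group admin; and only the first non-empty email value is kept. The Python model below is an added example, not SOLIDserver code: the function names and decision object are assumptions, the directory values are constructed, and it lets an administrator check a planned set of local group names against what the directory returns before the first user connects.

```python
"""Model of the documented remote-group matching (added example, not SOLIDserver code)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class AuthDecision:
    allowed: bool
    groups: Tuple[str, ...]   # local SOLIDserver groups the user is added to as a resource
    email: Optional[str]      # first non-empty email value, as the guide describes
    reason: str


def cn_of(value: str) -> Optional[str]:
    """Return the CN of a DN such as 'cn=group1,ou=Groups,dc=example,dc=com'.

    A plain name (no '=', as RADIUS returns) is returned unchanged; a DN whose
    first RDN is not a CN yields None.
    """
    first = value.split(",", 1)[0].strip()
    if "=" not in first:
        return first
    attr, cn = first.split("=", 1)
    return cn.strip() if attr.strip().lower() == "cn" else None


def split_radius_groups(attribute_value: str) -> List[str]:
    """RADIUS may return several groups in one attribute, separated by commas."""
    return [g.strip() for g in attribute_value.split(",") if g.strip()]


def invalid_local_group_names(local_groups: Iterable[str], short_cn: bool) -> List[str]:
    """With 'Short group name (CN)' ticked, every local group must be a bare CN:
    long and short names cannot be mixed. Returns the offending names."""
    return [g for g in local_groups if "=" in g] if short_cn else []


def resolve_access(remote_groups: Iterable[str], emails: Iterable[str],
                   local_groups: Iterable[str], *, short_cn: bool = False,
                   admin_group: Optional[str] = None,
                   deny_if_not_in_group: bool = True) -> AuthDecision:
    """Decide which local groups a remote user lands in. Comparison is plain string
    equality, i.e. exact and case-sensitive, as the guide states for all three rules."""
    local = list(local_groups)
    bad = invalid_local_group_names(local, short_cn)
    if bad:
        raise ValueError(f"local groups must use the CN only when short_cn is set: {bad}")

    names = []
    for g in remote_groups:
        n = cn_of(g) if short_cn else g
        if n is not None:
            names.append(n)

    matched = [n for n in names if n in local]          # exact, case-sensitive match
    if admin_group is not None and admin_group in names:
        matched.append("admin")                           # "... group granted admin rights"

    email = next((e for e in emails if e), None)        # first non-empty value only
    if not matched:
        if deny_if_not_in_group:
            return AuthDecision(False, (), email, "not a member of any matching group")
        return AuthDecision(True, (), email, "no matching group; allowed by rule setting")
    # dict.fromkeys keeps the order while removing duplicates
    return AuthDecision(True, tuple(dict.fromkeys(matched)), email, "ok")


if __name__ == "__main__":
    # Constructed directory data: what an LDAP 'memberof' lookup might return.
    member_of = ["cn=netops,ou=Groups,dc=example,dc=com",
                 "cn=NetOps,ou=Groups,dc=example,dc=com"]   # differs only by case
    print(resolve_access(member_of, ["", "jdoe@example.com"],
                         ["netops", "security"], short_cn=True))
    print(resolve_access(split_radius_groups("netops, dns-admins"), [],
                         ["dns-admins"]))
```

Running the model over the group values your directory actually returns, with the local group names you intend to create, shows in advance which users would be denied because of a case or naming mismatch.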

To add the RADIUS user authentication rule


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Authentication rules. The page Authentication
rules opens.
3. In the menu, click on Add. The wizard Add a rule opens.
The fields Module and Event are already filled with the values Rights & delegation and External
user login.
4. In the list Rule, select (017) RADIUS authentication.
5. In the field Rule name, name the rule. This name is used as the Instance of the rule.
6. In the field Comment, you can add a comment regarding that rule.
7. Click on NEXT. The page Rule filters opens.
8. Click on NEXT. The page Rule parameters opens.
9. Configure the rule parameters following the table below:

Table 3.4. RADIUS authentication rule parameters

RADIUS server IP address: The IPv4 address of the host server. This field is required.
RADIUS server port: The number of the UDP port used to contact the RADIUS server. By default, the port 1812 is used for authentication. If you specify the port 0, the library looks up the service RADIUS/UDP or the service radacct/UDP in the network services database and uses the port found. This field is required.
RADIUS secret passphrase: The RADIUS password. This password is necessary to grant SOLIDserver access to RADIUS. This field is required.
RADIUS request timeout (seconds): The timeout period of your RADIUS server, i.e. the number of seconds after which the server switches to timeout status if no reply is received. By default, it is set to 3. This field is required.
RADIUS max tries before giving up: The maximum number of requests to be sent before the server stops trying to connect and switches to failure state. By default, it is set to 3. This field is required.
RADIUS NAS IP address: The IP address that SOLIDserver needs to connect to RADIUS. This field is optional.

10. Click on OK to complete the operation. The report opens and closes. The rule is now listed;
its Instance matches the Rule name you set.

Managing Backups
Backup files allow you to restore the configuration of an appliance. You can store them locally and
even archive them on a remote server.

You should back up your appliance regularly. To help you perform this maintenance operation,
SOLIDserver includes an automatic backup and version management mechanism.

The backup process can either be scheduled or triggered on demand. Note that:
• SOLIDserver automatically generates a new backup before each upgrade to allow reverting
its data and configuration.
• The backup files are stored on the appliance itself, but you can also decide to store them on
a remote FTP or SFTP server. For ease of use and to prevent confusion, binaries, system files
and log files are not included in the backup stored on the appliance. Still, they can be restored
separately, either when you reinstall SOLIDserver or when you update the system.

Keep in mind that creating an instant backup during the enrollment of a Hot Standby appliance
in High Availability may trigger an error.

To create an instant backup


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.

2. In the section Maintenance, click on Backup & Restore. The page Backup & Restore
opens.
3. Under the menu, in the drop-down list SOLIDserver, make sure your local appliance is selected.
4. In the menu, select Tools > Create instant backup. The wizard Create instant backup
opens.
5. To only save the database, configuration files and certificates, and avoid generating a large
backup file, you can tick any of the following boxes:
• Exclude all the reports, i.e. all the performed operations of the window Notifications in
the top bar.
• Exclude all the files from the directory "tftpboot".
• Exclude all the files from the directory "users". By default, this box is ticked.
6. Click on OK to complete the operation. The report opens and works for a while. Once the
backup is generated, it is listed in the panel Local backup file and named
solid-<hostname>-<year><month><day>-<hour><minutes>.gz.

You can archive a copy of SOLIDserver backup files on a remote server. Note that:
• You can archive backups on an FTP server or an SFTP server. We strongly recommend using
SFTP, as it relies on an SSH key instead of a password, which is far more secure than FTP.
• When you configure the remote server, you decide which logs to include, how many days the
backup files should be kept, and which port to use. On SFTP servers, usually the same port
as SSH is used.
• If no remote archive is configured, the panel Remote archive contains the message Remote
archive is disabled.

To configure a remote archive on FTP or SFTP


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Backup & Restore. The page Backup & Restore
opens.
3. Under the menu, in the drop-down list SOLIDserver, select the local appliance or a remote
appliance.
4. In the panel Remote archive, click on EDIT . The wizard Archive server parameters opens.
5. Tick the box Enable remote archive; the wizard refreshes and displays the remote archive
configuration parameters. By default, the box is unticked.
6. Configure the remote archive parameters according to your needs:

Table 3.5. Backup archiving parameters

Remote server: The IP address or the hostname of the FTP or SFTP server.
Remote port: The port used to communicate with the server. If no port is specified, the port 21 is used for FTP and the port 22 for SFTP.
Remote directory: The directory where the backup files should be stored.
Mode: The protocol and mode used to archive the files: Active FTP, Passive FTP or SFTP. By default, Passive FTP is selected.
Remote login: The login of the account used to connect to the FTP or SFTP server. If you selected SFTP, the remote login is required.
Remote password: If you selected Active FTP or Passive FTP, the password of the account used to connect to the FTP server.
DNS, DNS firewall (RPZ), DHCP, System: Tick any of these boxes to save the corresponding logs on the remote server.
Retention: The number of days, from 4 days to Unlimited, beyond which a backup should be automatically deleted from the FTP server. By default, 4 days is selected.

7. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the panel Remote archive displays the configuration you just set.
8. If you selected SFTP, the panel SSH local key displays the SSH public key used. You must
copy it, using COPY, and paste it on the SFTP server to secure the communication with SOLIDserver.
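The file naming pattern from the instant backup procedure and the Retention setting of Table 3.5 together let an administrator verify, on the archive side, that backups keep arriving and that old ones are actually pruned. The Python checks below are an added example, not SOLIDserver code: the file names are constructed in the documented pattern, the "current time" is fixed for the sample, and the function names and the 48-hour staleness threshold are assumptions.

```python
"""Freshness and retention checks on an archived SOLIDserver backup directory
(added example, not SOLIDserver code)."""
import os
import re
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple

# Naming pattern given in the guide: solid-<hostname>-<year><month><day>-<hour><minutes>.gz
BACKUP_RE = re.compile(r"^solid-(?P<host>.+)-(?P<date>\d{8})-(?P<time>\d{4})\.gz$")

# Constructed file names in that pattern (hostnames and dates are made up).
SAMPLE_NAMES: List[str] = [
    "solid-ipam01-20230302-0415.gz",
    "solid-ipam01-20230306-0415.gz",
    "solid-other-host-20230305-2300.gz",
    "readme.txt",                        # not a backup, ignored
]


def parse_backup_name(name: str) -> Optional[Tuple[str, datetime]]:
    """Return (hostname, timestamp) for a backup file name, or None if it does not match."""
    m = BACKUP_RE.match(name)
    if m is None:
        return None
    try:
        stamp = datetime.strptime(m["date"] + m["time"], "%Y%m%d%H%M")
    except ValueError:          # digits in the right place but not a real date
        return None
    return m["host"], stamp


def expired_backups(names: Iterable[str], now: datetime,
                    retention_days: Optional[int]) -> List[str]:
    """Backups older than the retention period. None models the Unlimited setting."""
    if retention_days is None:
        return []
    cutoff = now - timedelta(days=retention_days)
    expired = []
    for name in names:
        parsed = parse_backup_name(name)
        if parsed is not None and parsed[1] < cutoff:
            expired.append(name)
    return expired


def latest_backup_age_hours(names: Iterable[str], now: datetime,
                            host: Optional[str] = None) -> Optional[float]:
    """Age of the most recent backup (optionally for one appliance), or None if there is none."""
    stamps = []
    for name in names:
        parsed = parse_backup_name(name)
        if parsed is not None and (host is None or parsed[0] == host):
            stamps.append(parsed[1])
    if not stamps:
        return None
    return (now - max(stamps)).total_seconds() / 3600


def check_archive(path: str, retention_days: Optional[int] = 4,
                  max_age_hours: float = 48.0) -> dict:
    """Scan a real directory (e.g. the configured Remote directory on the SFTP host) and report."""
    names = os.listdir(path)
    now = datetime.now()
    age = latest_backup_age_hours(names, now)
    return {"latest_age_hours": age,
            "stale": age is None or age > max_age_hours,
            "expired": expired_backups(names, now, retention_days)}


if __name__ == "__main__":
    now = datetime(2023, 3, 7, 12, 0)   # constructed "current time" for the sample
    print("expired:", expired_backups(SAMPLE_NAMES, now, 4))
    print("latest age (h):", latest_backup_age_hours(SAMPLE_NAMES, now))
```

Run check_archive against the remote directory from a cron job on the archive host; a "stale" result is the early warning that the archive transfer, not the backup itself, has stopped working.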

Setting High Availability


From the page Centralized Management you can add remote SOLIDserver appliances to manage
and monitor them. On this page you can also set up High Availability between the local appliance
and a remote one.

In such a configuration, the local Master appliance contains all the data you manage, and the
remote Hot Standby replicates the Master database. Each appliance can have a specific
configuration of its services and network. The remote appliance becomes a read-only backup server
replicating the content of the Master appliance database.

You can even enable the automatic switch between the appliances: if the Master crashes or
encounters any problem, the Hot Standby can replace it immediately, and vice versa. Therefore,
the Hot Standby must replicate the Master database as often as possible.

Setting up two appliances in High Availability requires:


1. Meeting the prerequisites and taking into account the limitations.
2. Configuring the Master Appliance Locally.
3. Adding the Future Hot Standby to the page Centralized Management of the Master appliance.
4. Configuring the Appliances in High Availability, i.e. enrolling the remote appliance as Hot
Standby.

For more details regarding the management of appliances configured in High Availability, refer
to the chapter Centralized Management in the Administrator Guide.

Prerequisites
• You must have two SOLIDserver appliances.
• High Availability can only be configured from and between appliances using an IPv4 address.
• On all appliances, NTP should be configured to make sure they are all set to the same time
and date. For more details, refer to the chapter Configuring the Time and Date in the
Administrator Guide.

Limitations
• The database High Availability is configurable only for two appliances.

• We strongly advise against displaying several HA configurations on the page Centralized
Management. If you add an appliance to this list, it means that you want to manage it. Therefore,
if you add to your managing appliance two appliances configured in High Availability, it means
that you intend to manage them from the managing appliance. On the page Centralized
Management of the appliances in HA, the appliance Status changes from OK to Invalid credentials
because the local admin management password overwrites the management password locally set
on the Master appliance of this other HA configuration.
• HA does not support a NAT between the two appliances. Both appliances send their local IP
address when they communicate, therefore the translated IP address cannot be used in the HA
communication. Configuring a NAT might even break the HA configuration.
• If you encrypted the database, you cannot enroll a remote appliance as Hot Standby if the
Active key of the local appliance, the future Master, is missing or corrupted.

Configuring the Master Appliance Locally


Whether you want to manage remote appliances or use a remote appliance to set up High
Availability, you must first configure the Management or Master SOLIDserver locally.

Configuring an appliance locally means assigning it an IP address. This operation defines the IP
address of the appliance as the Master address and sets the grounds for the Master/Hot Standby
configuration.

To configure locally the Management or Master appliance


Only users of the group admin can perform this operation.
1. Connect to the future Master or Management appliance GUI.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section System, click on Centralized Management. The page opens.
In the column Local, your appliance is marked Yes. It does not have an IP address, which
is why its Status is Not configured.
4. In the menu, select Tools > Configure local SOLIDserver. The wizard Configure local
SOLIDserver opens.
5. In the drop-down list SOLIDserver IP address, select the IP address of the appliance you
are currently configuring.
6. Click on OK to complete the operation. The report opens and closes. On the page Centralized
Management, the local appliance details are now complete. Its Role is Standalone and its
Status OK.

Adding the Future Hot Standby


Once you have configured your local appliance, you can add other appliances. You can add a large
number of appliances to get an overview of all the SOLIDserver appliances used on your network.

The local appliance becomes a management platform from which you remotely manage and/or
monitor other SOLIDserver appliances via the drop-down list SOLIDserver available on the pages
Network configuration, Services configuration, Syslog and System statistics of the module
Administration.

Only one of the remote appliances can be used as Hot Standby. For more details, refer to the
chapter Centralized Management in the Administrator Guide.

To add a remote appliance


1. Connect to the future Master or Management appliance GUI.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section System, click on Centralized Management. The page Centralized Manage-
ment opens.
4. In the menu, click on Add. The wizard Add/modify remote SOLIDserver opens.
5. In the field SOLIDserver IP address, specify the IP address of the appliance you want to
add to the list.
6. In the field "Admin" account password, specify the password of the SSH account admin of the
remote appliance. By default, the field is automatically filled with the default password of that
account; if the remote appliance no longer uses the default password, specify its current one instead.
7. Click on OK to complete the operation. The new appliance is listed. Its Role is Standalone
and its Status is Remote (managed).

For more details regarding how to configure the SNMP parameters used to monitor the Hot
Standby appliance, refer to the section Adding a Remote Appliance in the Administrator Guide.

Configuring the Appliances in High Availability


Once the Master appliance is configured locally and the future Hot Standby is added to the page
Centralized Management of the Master, you can configure High Availability between the
appliances, i.e. enroll the Hot Standby.

This configuration has to be done from the future Master appliance and can be done at layer 2
or layer 3 of the network. For more details, refer to the section Frequently Asked Questions of the
chapter Centralized Management in the Administrator Guide.

Keep in mind that for the configuration to be viable and effective the two appliances must:
• Meet the prerequisites.
• Be set at the same time. For more details, refer to the chapter Configuring the NTP Server in
the Administrator Guide.
• Have the same version of SOLIDserver.
• Have the same performance rate, to ensure a smooth transition: in the event of a switch, the
former Hot Standby, which has retrieved all the database information, can then provide the
same performance and efficiency as the original Master.
• Have the same architecture (32 bits or 64 bits).

To configure High Availability between two appliances


Only users of the group admin can perform this operation.
1. Connect to the future Master appliance GUI.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section System, click on Centralized Management. The page Centralized Manage-
ment opens.
4. Tick the appliance you want to set up as Hot Standby.
5. In the menu, select Edit > Enroll SOLIDserver as Hot Standby. The wizard Enroll
SOLIDserver as Hot Standby opens.
6. Click on OK to complete the operation. The report opens and works for a while until the Hot
Standby appliance database is erased and replaced by the Master appliance database. The
appliance set as Hot Standby is unavailable for a while. Each appliance Role is modified
according to the configuration; they now share the same HA UID.

Once the High Availability is configured:


1. The information on the page Centralized Management of the Master is now also available on
the Hot Standby appliance.
2. On the page Centralized Management of the Hot Standby appliance, the only operation
available is switching the appliances' roles. For more details, refer to the section Switching the
High Availability Configuration in the Administrator Guide.
3. The Hot Standby appliance is now in read-only mode. Every modification made on the Master
appliance is copied in the Hot Standby database almost in real-time.
You can no longer edit the remote appliance database locally but you can still edit the services
and network configuration of both appliances separately. For more details, refer to the sections
Managing the Services and Network Configuration of Another Appliance in the Administrator
Guide.
4. The Hot Standby appliance replicates the content of the Master appliance database to provide
a backup if it has to replace the current Master appliance.
• From the page Centralized Management of the Master appliance, you should monitor the
columns Time drift and Replication offset, to make sure that the Hot Standby appliance
properly replicates the database. If at some point the replication stops, you can enroll the
Hot Standby appliance again following the procedure To configure High Availability between
two appliances.
• You can, for instance, configure and enable the automatic switch so that, if the Hot Standby
has not replicated the Master database in the last 60 seconds, it should check the Master
status three times in a row, every 4 seconds. If there is no response (timeout, etc.), the Hot
Standby switches to Master. For more details, refer to the section If the Network is Unreliable
in the Administrator Guide.
Note that the automatic switch is disabled by default. You can manually enable it. For
more details, refer to section Configuring High Availability Advanced Options in the
Administrator Guide.

To check if the automatic switch is enabled


Only users of the group admin can perform this operation.
1. Connect to the Master appliance GUI.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section Expert, click on Registry database. The page Registry database opens.
4. Filter the column Name with module.system.max_hot_standby_time_skew.
5. Hit Enter. Only this key is listed. If the value is 0 or -1, the automatic switch is disabled.
Set it to a value higher than 0 to enable the switch. Its usual value is 3600 seconds: if the
Last write period is greater than an hour, the two appliances cannot switch automatically.
The key can be set with values between -1 and 2^31.

For more details regarding the available switch configurations, refer to the section Configuring
High Availability Advanced Options in the Administrator Guide.
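The automatic-switch rules above, turned into a Nagios-style monitoring check. This is an added example, not EfficientIP code: the HaRow values are constructed, the 5-second time drift limit is an assumed threshold, and how you fetch the columns Time drift, Replication offset and Last write period from the page Centralized Management is left to you.

```python
"""Nagios-style health check for a SOLIDserver High Availability pair.

Added example (not EfficientIP code). It models the rules given in this guide:
the registry key module.system.max_hot_standby_time_skew enables the automatic
switch only when greater than 0 (0 and -1 disable it, the accepted range is -1
to 2^31), no automatic switch is possible when the Last write period exceeds
that skew, and the example switch policy probes the Master three times every
4 seconds once replication has stalled for 60 seconds.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

OK, WARNING, CRITICAL = 0, 1, 2          # Nagios exit codes
MIN_SKEW, MAX_SKEW = -1, 2 ** 31          # accepted range of the registry key
STALL_SECONDS = 60                        # replication stall before probing
PROBE_COUNT, PROBE_INTERVAL = 3, 4        # three checks, every 4 seconds


def validate_max_skew(value: int) -> int:
    """Reject values outside the range the registry key accepts."""
    if not MIN_SKEW <= value <= MAX_SKEW:
        raise ValueError(f"max_hot_standby_time_skew out of range: {value}")
    return value


def auto_switch_enabled(max_skew: int) -> bool:
    """0 and -1 disable the automatic switch; any positive value enables it."""
    return validate_max_skew(max_skew) > 0


@dataclass
class HaRow:
    """Constructed snapshot of one Hot Standby line on Centralized Management."""
    time_drift_s: float          # column Time drift, in seconds
    replication_offset_s: float  # column Replication offset, in seconds
    last_write_period_s: float   # Last write period, in seconds


def check_ha(row: HaRow, max_skew: int, drift_limit_s: float = 5.0) -> Tuple[int, str]:
    """Return (exit code, message) for the replication state of the pair.

    drift_limit_s is an assumed threshold: the guide asks you to watch the
    column but gives no figure.
    """
    problems: List[str] = []
    status = OK
    if not auto_switch_enabled(max_skew):
        status = max(status, WARNING)
        problems.append("automatic switch disabled (max_hot_standby_time_skew <= 0)")
    elif row.last_write_period_s > max_skew:
        status = max(status, CRITICAL)
        problems.append(f"last write {row.last_write_period_s:.0f}s > skew {max_skew}s: "
                        "no automatic switch possible")
    if row.replication_offset_s > STALL_SECONDS:
        status = max(status, CRITICAL)
        problems.append(f"replication offset {row.replication_offset_s:.0f}s exceeds "
                        f"{STALL_SECONDS}s; re-enroll the Hot Standby if it does not recover")
    if abs(row.time_drift_s) > drift_limit_s:
        status = max(status, WARNING)
        problems.append(f"time drift {row.time_drift_s:.1f}s exceeds {drift_limit_s}s; check NTP")
    name = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}[status]
    return status, f"HA {name}: " + ("; ".join(problems) or "Hot Standby replicating normally")


def should_switch(stalled_for_s: float, probe: Callable[[], bool],
                  sleep: Callable[[float], None]) -> bool:
    """Apply the guide's example policy: after 60 s without replication, probe the
    Master three times, 4 s apart, and switch only if every probe fails.
    probe() and sleep() are injected so the policy can be exercised offline."""
    if stalled_for_s < STALL_SECONDS:
        return False
    for attempt in range(PROBE_COUNT):
        if probe():                  # any answer from the Master cancels the switch
            return False
        if attempt < PROBE_COUNT - 1:
            sleep(PROBE_INTERVAL)
    return True


if __name__ == "__main__":
    healthy = HaRow(time_drift_s=0.4, replication_offset_s=2.0, last_write_period_s=30.0)
    code, msg = check_ha(healthy, max_skew=3600)
    print(msg)                        # HA OK: Hot Standby replicating normally
    # Simulated outage: the Master never answers, so the policy switches.
    print(should_switch(90, probe=lambda: False, sleep=lambda s: None))  # True
    raise SystemExit(code)
```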

Encrypting the Database


To secure your appliance, you can encrypt its database. Using specific database keys, you can
encrypt all sensitive data, including passwords. Note that:

• The database keys are not included in the appliance backup file. You must download and keep
them in a safe location.
• In High Availability, once the Hot Standby has replicated the Master data, both appliances have
an encrypted database.

Browsing Database Keys


From the page All database keys, you can add, activate, import, download, deactivate and delete
database keys.

To display the list of database keys


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the breadcrumb, click on All database keys. The page opens.

By default, only on fresh installations, a database key is available on the page. You can sort and
filter all the columns on the page but you cannot change their layout.

To display a database key properties page


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the breadcrumb, click on All database keys. The page opens.
4. At the end of the line of the key of your choice, click on . The properties page opens.

The panel Database key displays all the properties of the key and allows you to download it.

Understanding the Database Keys Statuses


The column Status provides information regarding the database keys you manage.

Table 3.6. Database keys statuses


Active
    The key is active; it currently encrypts the database.
! Active (missing)
    The key should be active but is missing from the key file. The database is not
    encrypted. To activate the database encryption, you must import the key. For more
    details, refer to the section Importing Database Keys.
Inactive
    The key is inactive and saved; it can be used to encrypt the database. For more
    details, refer to the section Activating the Database Encryption.
! Inactive (missing)
    The key is inactive and missing from the key file. It cannot be used to encrypt the
    database. If you want to use it to encrypt the database, you must import the key. For
    more details, refer to the section Importing Database Keys.
! Inactive (unsaved)
    The key is inactive and unsaved; it cannot be used to encrypt the database. This is
    the default status of all the keys you add. If you want to use the key to encrypt the
    database, you must download it. For more details, refer to the section Downloading
    Database Keys or Activating the Database Encryption.

Adding Database Keys


You can add as many database keys as you want. No matter the number of keys you manage,
only one can be activated at a time to encrypt the database. Note that:
• By default on fresh installations, a key is already available. If you want to activate it rather than
adding a new one, refer to the section Activating the Database Encryption.
• If you configured appliances in High Availability, the Hot Standby automatically replicates the
database keys of the Master.
• If you already have database keys, you can import them. For more details, refer to the section
Importing Database Keys.

To add a database key


1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the breadcrumb, click on All database keys. The page opens.
4. In the menu, click on Add. The wizard Generate a database key opens.
5. In the drop-down list Encryption cipher, select either AES or Camellia.
6. In the drop-down list Key size (bits), select either 256, 192, or 128.
7. In the drop-down list Encryption mode, select either CBC, CFB, OFB or CTR.
8. Click on OK to complete the operation. The report opens and closes. The key is listed, its
Status is ! Inactive (unsaved). Until you download the key, its status does not change.

Once you added a key, you can activate it.

Activating the Database Encryption


To encrypt sensitive data, you must activate one of your database keys.

Before activating the encryption, keep in mind that:


• You must download the key file before activating it.
• You cannot activate the encryption using a missing key, one with the Status Active (missing)
or Inactive (missing). For more details, refer to the section Understanding the Database Keys
Statuses.
• Only one key can be activated at a time. Activating a new key automatically deactivates and
replaces the currently Active key. For more details, refer to the procedure To replace the
currently Active key.
• On Management appliances, once you activate the encryption, you cannot enroll a remote
appliance as Hot Standby if the Active key of the local appliance is missing or corrupted.

If a banner above the top bar notifies you of any activation error, refer to the section
Troubleshooting the Database Encryption.

To activate the database encryption


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.

3. In the breadcrumb, click on All database keys. The page opens.
4. In the menu, select Tools > Activate encryption. The wizard Enable database encryption
opens.
5. Click on DOWNLOAD KEY FILE to save the file locally. Make sure to keep it in a safe location.
6. Once you saved the file, tick the box The key file has been downloaded, saved in a safe
place and compared to the MD5 checksum.
7. Click on NEXT. The last page opens.
8. In the list Encryption key, select a key.
9. Click on OK to complete the operation. The report opens and closes. The key is active.

Once the database encryption is active, you can use a different database key to encrypt sensitive
data. Note that, in the procedure below, we tick the key that replaces the current active one, but
you can also execute the option Activate encryption without ticking any key and select it on the
last page of the wizard.

To replace the currently active key


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the breadcrumb, click on All database keys. The page opens.
4. In the column ID, select the key(s) of your choice.
5. In the menu, select Tools > Activate encryption. The wizard Enable database encryption
opens. The page displays the ID of the currently Active key.
6. Click on DOWNLOAD KEY FILE to save the file locally. Make sure to keep it in a safe location.
7. Once you saved the file, tick the box The key file has been downloaded, saved in a safe
place and compared to the MD5 checksum.
8. Click on NEXT. The last page opens.
The page displays the ID of the key you selected.
9. Click on OK to complete the operation. The report opens and closes. The key is active.

Importing Database Keys


You can import as many keys as you need on the page.

Importing keys is useful if you already have database keys that can be used to encrypt sensitive
data, if the key used to encrypt the database has the Status Active (missing) or after restoring a
backup.

Note that if you configured appliances in High Availability, the Hot Standby automatically replicates
the database keys of the Master.

To import database keys


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.

3. In the breadcrumb, click on All database keys. The page opens.
4. In the menu, select Import > Key file. The wizard Import database keys opens.
5. Click on BROWSE to select the key file to import. The selected file is visible in the field File
name.
6. Click on OK to complete the operation. The report opens and closes. The keys are listed.

Downloading Database Keys


You can download as many database keys as you want in a single file. Make sure to keep the
file in a safe location.

It is recommended to download the relevant keys before you generate a backup or before
upgrading the appliance.

To download database keys


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the breadcrumb, click on All database keys. The page opens.
4. In the column ID, select the key(s) of your choice.
5. In the menu, select Tools > Download keys. The wizard Download database key file
opens.
6. Click on DOWNLOAD to save the file locally. Make sure to keep it in a safe location.
7. Click on OK to close the wizard. The report opens and closes.

Troubleshooting the Database Encryption


If you activated the database encryption and an error occurs, a banner above the top bar may
notify you that the active key is missing or unsaved.
If the active key is unsaved
    The database encryption is deactivated. The key status is Active (unsaved); to activate it
    again, you must download it. For more details, refer to the section Downloading Database
    Keys.
If the active key is missing and you downloaded your database keys
    The database encryption is deactivated. The key status is Active (missing); to activate it
    again, you must import the database key file. For more details, refer to the section Importing
    Database Keys.
If the active key is missing but you did not download your database keys
    The encryption is deactivated but all sensitive data has been encrypted and you can no longer
    decrypt it. You need to decide whether you want to encrypt the database again or deactivate
    the encryption. The procedure differs depending on whether you are troubleshooting a
    Standalone appliance or appliances in High Availability.
    For more details, refer to the section Troubleshooting the Database Encryption in the
    Administrator Guide.

Chapter 4. Hardening the Monitoring Infrastructure
Once you have secured access to your system, its management hierarchy and its backup policy,
it is important to keep a constant eye on its working state.

Securing the SNMP Connections


All SOLIDserver appliances integrate an SNMP server that can query and be queried for statistics.
You can even monitor SOLIDserver appliances from an external monitoring solution [1]. Most of
the OIDs pertinent to SOLIDserver are described in the section Monitoring Using SNMP of the
Administrator Guide.

Management appliances rely on this SNMP server to retrieve statistics from some of the resources
they manage. This includes:
• Other SOLIDserver appliances dedicated to management, whether via remote management
or High Availability.
• Other SOLIDserver appliances dedicated to DNS or DHCP services, i.e. Efficient DNS or DHCP
servers.
• Some compatible network devices managed via NetChange.

To secure the SNMP connections:

• On all the elements from which SNMP statistics can be retrieved, you need to set SNMP
credentials other than the default ones. For more details, refer to the section Configuring the SNMP
Service.
• On the management appliance, you need to save these credentials as SNMP profiles so it can
use them to retrieve statistics. For more details, refer to the section Managing SNMP Profiles.
• On the management appliance, you need to select what profile to use for each resource to
monitor. For more details, refer to the section Defining a Resource SNMP Profile.

On hardware SOLIDserver appliances with iDRAC, you can also configure SNMP monitoring for
an extra layer of security. For more details, refer to the section Monitoring the iDRAC Using SNMP.

Configuring the SNMP Service


You can retrieve SNMP statistics from SOLIDserver appliances. From the page Services
configuration of the module Administration, you can:
1. Configure the TCP/UDP ports from which the appliance SNMP server handles requests and
responses.
2. Configure the list of profiles allowed to access the SOLIDserver SNMP server. By default, a v1/v2c
profile exists with the community string public. You can delete it and create custom profiles to
secure your system. In all cases, we strongly recommend using SNMPv3 and read-only
profiles when possible.
3. Configure which IP address(es) can request the SNMP server. For instance:
• On an appliance dedicated to DNS or DHCP or on a remote appliance, whether in HA or
not, you can specify only the IP address of the relevant management appliance and, if need
be, the IP address of your external SNMP monitoring solution.
• On the main management appliance, if need be, you can specify only the IP address of your
external SNMP monitoring solution.
4. Configure the parameters of your external monitoring solution to automatically send traps from
the management appliance in case of significant events. These traps can only be sent via
SNMPv2c.

[1] Such as Nagios or HP OpenView.

Note that:

• The SNMP service must never be stopped or disabled. If you do not want it to offer statistics,
prefer using a firewall rule to block any traffic on the port 161. For more details, refer to the
chapter Securing the Firewall.
• You can monitor the server state from the columns Running and Enabled.
• SNMPv3 requires a properly configured NTP server. For more details, refer to the section
Configuring the NTP Server in the Administrator Guide.
• If you want to retrieve statistics from SNMP compatible devices managed via NetChange, you
need to set the credentials directly on the device. For more details, refer to the related
proprietary documentation.

To configure the SNMP server


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Services configuration. The page Services configuration
opens.
3. In the column Name, click on SNMP server. The wizard SNMP Server Configuration opens.
4. In the fields UDP port and TCP port, specify the number of the port of your choice to enable
the communication with the relevant protocol.
At least one of the fields must be filled in. By default, the UDP port number is 161, you can
use the same number for the TCP port.
5. Click on NEXT. The next page opens.
6. You can add profile(s) on the SNMP server.
Note that by default a profile v1/v2c already exists, it is set with the community string public
and can be deleted.
a. In the drop-down list SNMP version, select v1/v2c or v3, both values are detailed below.
By default, v1/v2c is selected.

Table 4.1. Available SNMP versions


v1/v2c
    SNMPv1 and SNMPv2c are simple request/response protocols. SNMPv2c includes a
    bulk-retrieval mechanism and more detailed error message reporting to management
    stations. If you select it, the fields Community and SNMP restriction appear.
v3
    SNMPv3 adds security features (user-based authentication and privacy) that provide secure
    access to devices. If you select it, the Authentication fields User, Level, Key, Algorithm
    and the Privacy fields Key and Protocol appear.

No matter what you select, the field Access is grayed out and displays Read-only.
b. If you left v1/v2c selected, complete the configuration via the following fields.

Table 4.2. SNMPv1 and SNMPv2c profile configuration parameters


Community
    The community string that acts as a password to access the SNMP agent.
SNMP restriction
    The allowed source of the SNMP requests: an IP address, several IP addresses separated
    by a space, or default.

c. If you selected v3, complete the configuration via the following fields.

Table 4.3. SNMP v3 profile configuration parameters


Authentication
    User
        The login used for the authentication. This field is required.
    Level
        The authentication security level, either noauth, auth or priv. By default, noauth is
        selected. This field is required.
    Key
        The authentication passphrase, i.e. password. It must contain at least 8 characters.
        This field is optional.
    Algorithm
        The authentication algorithm, either MD5 or SHA. By default, MD5 is selected. This
        field is optional.
Privacy
    Key
        A privacy passphrase. If the privacy passphrase is not specified, it is assumed to be
        the same as the authentication passphrase. This field is optional.
    Protocol
        The privacy algorithm, either DES or AES. By default, DES is selected. This field is
        optional.

d. When the configuration is complete, click on ADD. The profile is moved to the SNMP
access list.
e. Repeat these actions for as many SNMP profiles as needed.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE.
• To delete an entry from the list, select it and click on DELETE.
• To discard changes, click on CANCEL.

7. Click on NEXT. The last page opens.
8. You can set SNMP trap(s) on the server.
a. Configure an SNMP trap using the following fields.

Table 4.4. SNMP trap configuration


Send Trap v1
    Allows you to enable an agent to send a trap notifying of any significant event via
    SNMP v1. By default, Yes is selected. This field is optional.
Send Trap V2
    Allows you to enable an agent to send a trap notifying of any significant event via
    SNMP v2. By default, Yes is selected. This field is optional.
Sends a trap Inform
    Allows you to enable routers to send inform requests to SNMP managers. By default,
    Yes is selected. This field is optional.
Host
    The IP address of the device that listens to the network and catches the trap.
Port
    The number of the port on the host used to catch the trap. This field is optional.
Community
    The community string that acts as a password to access the SNMP agent.

b. When your configuration is complete, click on ADD. The profile is moved to the Trap
list.
c. Repeat these actions for as many traps as needed.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE.
• To delete an entry from the list, select it and click on DELETE.
• To discard changes, click on CANCEL.

9. Click on OK to complete the operation.
10. At this point, your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corresponding
wizard opens; click on OK to complete the operation. The page refreshes.
In the column Name, each configured SNMP profile is listed under the SNMP server.
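An added example, not EfficientIP code, that audits SNMP server profiles described by the fields of Tables 4.2 and 4.3 against the recommendations of this section: SNMPv3 with authentication and privacy rather than v1/v2c, no default community string, restricted sources, SHA and AES rather than MD5 and DES, and authentication keys of at least 8 characters. The SnmpProfile class and the two sample profiles are constructed for the example; the appliance does not export its profiles in this form, so you would fill the objects from your own records.

```python
"""Audit SOLIDserver SNMP server profiles against the hardening recommendations.

Added example (not EfficientIP code). Each SnmpProfile mirrors the fields of
Table 4.2 (v1/v2c: Community, SNMP restriction) and Table 4.3 (v3: User,
Level, Key, Algorithm, privacy Key and Protocol). The sample profiles at the
bottom are constructed: the shipped default beside a hardened replacement.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_COMMUNITY = "public"   # shipped by default, must be replaced or deleted
MIN_AUTH_KEY_LEN = 8           # minimum authentication passphrase length


@dataclass
class SnmpProfile:
    version: str                   # "v1/v2c" or "v3"
    community: Optional[str] = None
    restriction: str = "default"   # IP address(es) separated by a space, or default
    user: Optional[str] = None
    level: str = "noauth"          # noauth, auth or priv
    auth_key: Optional[str] = None
    auth_algorithm: str = "MD5"    # MD5 or SHA
    priv_key: Optional[str] = None
    priv_protocol: str = "DES"     # DES or AES


def check_restriction(restriction: str) -> List[str]:
    """Validate the SNMP restriction field: 'default' lets every source query the agent."""
    if restriction.strip() == "default":
        return ["restriction is 'default': every source may query the agent"]
    findings: List[str] = []
    for token in restriction.split():
        try:
            ipaddress.ip_address(token)
        except ValueError:
            findings.append(f"restriction contains an invalid address: {token!r}")
    return findings


def audit_profile(p: SnmpProfile) -> List[str]:
    """Return the weaknesses found in one profile (an empty list means hardened)."""
    findings: List[str] = []
    if p.version == "v1/v2c":
        findings.append("SNMPv1/v2c profile: community string travels in clear, prefer v3")
        if not p.community:
            findings.append("empty community string")
        elif p.community == DEFAULT_COMMUNITY:
            findings.append("default community string 'public' still in use")
        findings.extend(check_restriction(p.restriction))
    elif p.version == "v3":
        if not p.user:
            findings.append("v3 profile without a user name")
        if p.level == "noauth":
            findings.append("level noauth: requests are neither authenticated nor encrypted")
        else:
            if not p.auth_key or len(p.auth_key) < MIN_AUTH_KEY_LEN:
                findings.append(f"authentication key shorter than {MIN_AUTH_KEY_LEN} characters")
            if p.auth_algorithm.upper() == "MD5":
                findings.append("authentication algorithm MD5: prefer SHA")
            if p.level == "priv":
                if p.priv_protocol.upper() == "DES":
                    findings.append("privacy protocol DES: prefer AES")
                if not p.priv_key:
                    findings.append("privacy key not set: it falls back to the authentication key")
            else:
                findings.append("level auth: responses are not encrypted, prefer priv")
    else:
        findings.append(f"unknown SNMP version {p.version!r}")
    return findings


def audit_access_list(profiles: Dict[str, SnmpProfile]) -> Dict[str, List[str]]:
    """Audit every profile of the SNMP access list, keyed by a label of your choice."""
    return {label: audit_profile(p) for label, p in profiles.items()}


# Constructed sample: the shipped default profile beside a hardened replacement.
SAMPLE_PROFILES = {
    "shipped-default": SnmpProfile(version="v1/v2c", community="public"),
    "hardened-v3": SnmpProfile(version="v3", user="monitoring", level="priv",
                               auth_key="correct-horse-battery", auth_algorithm="SHA",
                               priv_key="staple-of-the-day", priv_protocol="AES"),
}

if __name__ == "__main__":
    for label, findings in audit_access_list(SAMPLE_PROFILES).items():
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```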

Managing SNMP Profiles


To retrieve statistics from other appliances or NetChange devices, the management appliance
needs to have the correct SNMP profiles saved in its database.

By default, 3 profiles are available to query an appliance SNMP server, standard v1, standard
v2c and standard v3. For more details, refer to the section Managing SNMP Profiles in the
Administrator Guide.

If you edited the profiles allowed to access the SNMP server when you configured the SNMP
service, you need to add these new profiles.

Once you added profiles, you can select which one to use for each resource to monitor. For more
details, refer to the next section Defining a Resource SNMP Profile.

To add an SNMP profile


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Network devices & SNMP profiles. The
page Network devices & SNMP profiles opens.
3. In the panel SNMP profiles configuration, click on ADD. The wizard Add an SNMP profile
opens.
4. In the field SNMP profile name, name the profile.
5. In the field Description, you can specify a description.
6. In the drop-down list SNMP version, select v1, v2c or v3.
7. Click on NEXT. The next page opens.
8. If you selected the version v1 or v2c:
a. In the field Read community, specify the read-only community string that acts as
a password for this profile's read requests.
b. In the field Write community, you can specify a write community string that acts
as a password for this profile's read and write requests.
9. If you selected the version v3, configure the Read access parameters and Write access
parameters:

Table 4.5. SNMP v3 profiles access parameters


User name
    The name of an existing user on the device(s) using the profile. For the Read access
    parameters, this field is required.
Authentication key
    A key to ensure the authentication of the source. For the Read access parameters, this
    field is required.
Authentication
    The cryptographic hash function used for authentication, either MD5, SHA1, SHA224,
    SHA256, SHA384, SHA512 or None. For the Read access parameters, this field is required.
Privacy key
    The encryption key to prevent snooping from unauthorized sources. This field is optional.
Privacy
    The encryption type, either DES, AES or None. This field is optional.

10. Click on OK to complete the operation. The profile is listed in the panel.

Defining a Resource SNMP Profile


Using SNMP, you can monitor:
• DHCP servers, EfficientIP and EfficientIP Package servers.
• DNS servers, EfficientIP and EfficientIP Package servers.
• NetChange network devices with built-in SNMP capabilities.

To edit the SNMP monitoring parameters of a resource


1. Depending on your needs:
a. In the sidebar, go to DHCP > Servers. The page All servers opens.
b. In the sidebar, go to DNS > Servers. The page All servers opens.
c. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. At the end of the line of the resource of your choice, click on . The properties page opens.
3. In the panel SNMP monitoring parameters or SNMP properties, click on EDIT. The wizard
SNMP parameters opens.
4. Edit the monitoring parameters according to your needs:

Table 4.6. SNMP parameters used to monitor the resource statistics


SNMP version
    The version of the SNMP protocol used to retrieve the statistics. It can be either v1, v2c
    or v3. By default, v2c is selected. This field is required.
SNMP port
    The port used to retrieve the resource statistics. By default, the port 161 is used. If you
    changed the UDP port of your SNMP server, you must use the same port. For more details,
    refer to the section Configuring the SNMP Service.
SNMP retries
    The number of connection attempts when the server is in timeout, a value between 0 and
    5. By default, it is set to 2. This field is required.
SNMP timeout
    The number of seconds between each connection attempt, either 1s, 2s, 3s, 4s, 5s, 10s
    or 30s. By default, it is set to 2s. This field is optional.
Use bulk
    For SNMP version v2c or v3. Allows you to send several requests at once, using a bulk
    transfer of data. This compact SNMP request method accelerates transfers. By default,
    it is set to Yes. This field is required.
Use TCP
    The network communication protocol, either TCP (Yes) or UDP (No). By default, No is
    selected. You should use TCP instead of UDP if the network link is unreliable. This field
    is required.
SNMP transfer timeout (minutes)
    The number of minutes above which the SNMP transfer is aborted when you add or refresh
    a device, a value between 0 and 999. By default, it is set to 0. This field is optional.

5. Click on NEXT. The page SNMP profile opens.
6. In the drop-down list SNMP profile, choose a profile using the same version of the SNMP
protocol as the one you selected in the field SNMP version.
If you created SNMP profiles, you can choose one of your profiles. They are listed only if
they use the same version of the SNMP protocol as the one you selected on the previous
page.
Note that the SNMP profiles you can choose from must be configured on the appliance you
are currently working with. For more details, refer to the section Managing SNMP Profiles.
7. Click on OK to complete the operation. The report opens and closes. The changes are listed
in the panel.

Monitoring the iDRAC Using SNMP


The 4th and 5th generation of SOLIDserver hardware appliances are equipped with an independent
onboard iDRAC remote console that allows you to monitor hardware components and be notified
if any malfunction occurs. By identifying hardware issues at an early stage, you can strongly
decrease the probability of a full hardware failure.

Before going further, you need to meet the following prerequisites:

• Manage a 4th or 5th generation SOLIDserver hardware appliance.
• Have a remote monitoring, syslog or SMTP server to receive the notifications.
• If need be, configure your local network firewall to allow the connection between the iDRAC
IP address and your remote server. Depending on the platform, make sure the related port is
open:
• Open the UDP port 162 for the monitoring server.
• Open the UDP port 514 for the syslog server.
• Open the TCP port 25 for the SMTP server.
For more details on how to open the ports on your network equipment, refer to its proprietary
documentation.

To monitor the iDRAC using SNMP, you need to enable the alerts from its web platform. During
the configuration, you specify how to be notified, via SNMP trap and/or mail notification, and
configure which alerts should be included in the notification.

To configure alerts on the iDRAC8


1. Connect to the iDRAC
a. Open any browser that has Java installed and, in the URL field, type in
https://<iDRAC-configured-IP-address>.
b. Accept the certificate. The iDRAC login page opens.
c. Log in using your iDRAC credentials. For more details, refer to the section Securing the
iDRAC Superuser Password.
d. Hit Enter. The iDRAC homepage opens.

2. Enable and configure the alerts
a. In the navigation menu, click on Overview > Server > Alerts. The page refreshes.
b. In the section Alerts, tick the box Enabled.
c. Click on Apply to commit your modifications.
d. In the sections Category and Severity, tick the boxes that suit your needs.
e. Click on Apply to commit your modifications.
f. Click on the tab Alerts and Remote System Log Configuration. The page refreshes.
g. In the columns Email and SNMP Trap, tick the boxes that suit your needs.
h. Click on Apply to commit your modifications.
3. Configure the SNMP trap destinations
a. In the navigation menu, click on Overview > Server > Alerts. The page refreshes.
b. Click on the tab SNMP and Email Settings. The page refreshes.
c. In the section IP Destination List, for each SNMP server to notify, fill in the field
Destination Address and tick the related box State.
d. Click on Apply to commit your modifications.
e. In the section SNMP Trap Format, indicate the version that suits your needs.
f. Click on Apply to commit your modifications.
g. In the section SNMP Settings, indicate your remote SNMP server parameters.
h. Click on Apply to commit your modifications.
4. Configure the email destinations
a. In the navigation menu, click on Overview > Server > Alerts. The page refreshes.
b. Click on the tab SNMP and Email Settings. The page refreshes.
c. In the section Destination Email Addresses, for each email address to notify, fill in the
field Destination Email Address and tick the related box State.
d. Click on Apply to commit your modifications.
e. In the section SMTP (E-mail) Server Settings, indicate your remote SMTP server
parameters.
f. Click on Apply to commit your modifications.
5. Configure the remote syslog destinations
a. In the navigation menu, click on Overview > Server > Logs. The page refreshes.
b. Click on the tab Settings. The page refreshes.
c. In the section Remote Syslog Configuration, tick the box Remote Syslog Enabled.
d. In the fields Syslog Server #, specify the IP address of the remote syslog server to
notify. You can indicate up to 3 remote syslog servers.
e. In the field Port number, specify the port of the remote syslog server to notify. It is the
same on all the specified servers. By default, the value is 514.
f. Click on Apply to commit your modifications.

To configure alerts on the iDRAC9


1. Connect to the iDRAC
a. Open any browser that has Java installed and, in the URL field, type in
https://<iDRAC-configured-IP-address>.
b. Accept the certificate. The iDRAC login page opens.
c. Log in using your iDRAC credentials. For more details, refer to the section Securing the
iDRAC Superuser Password.
d. Hit Enter. The iDRAC homepage opens.
2. Enable and configure the alerts
a. In the navigation menu, click on Configuration > System Settings. The page refreshes.
b. Click on Alert Configuration. The section expands.
c. In the drop-down list Alerts, select Enabled.
d. Click on Apply to commit your modifications.
e. In the sections Category and Severity, tick the boxes that suit your needs.
f. Click on Apply to commit your modifications.
g. Click on Alerts and Remote System Log Configuration. The section expands.
h. In the columns Email and SNMP Trap, tick the boxes that suit your needs.
i. Click on Apply to commit your modifications.
3. Configure the SNMP trap destinations
a. In the navigation menu, click on Configuration > System Settings. The page refreshes.
b. Click on SNMP Traps Configuration. The section expands.
c. For each SNMP server to notify, fill in the field Destination Address, tick the related
box State.
d. Click on Apply to commit your modifications.
e. In the section SNMP Trap Format, indicate the version that suits your needs.
f. Click on Apply to commit your modifications.
g. In the section SNMP Settings, indicate your remote SNMP server parameters.
h. Click on Apply to commit your modifications.
4. Configure the email destinations
a. In the navigation menu, click on Configuration > System Settings. The page refreshes.
b. Click on SMTP (E-mail) Configuration. The section expands.
c. For each email address to notify, fill in the field Destination Email Address and tick
the related box State.
d. Click on Apply to commit your modifications.
e. In the section SMTP (E-mail) Server Settings, indicate your remote SMTP server
parameters.
f. Click on Apply to commit your modifications.
5. Configure the remote syslog destinations
a. In the navigation menu, click on Configuration > System Settings. The page refreshes.
b. Click on Remote Syslog Configuration. The section expands.
c. In the drop down list Remote Syslog, select Enabled.
d. In the fields Syslog Server #, specify the IP address of the remote syslog server to
notify. You can indicate up to 3 remote syslog servers.
e. In the field Port number, specify the port of the remote syslog server to notify. It is the
same on all the specified servers. By default, the value is 514.
f. Click on Apply to commit your modifications.

Defining Alerts
From any page of SOLIDserver you can add alerts. You can filter the list to customize the triggers
before adding your alerts.

In the procedure below, we add an alert on the page All zones, already filtered with != OK in the
column Status. That way, the alert is triggered when the status of any zone changes to a value
different from OK; it can send an email and/or an SNMP trap depending on what you configure.

When defining an alert, you can decide to send it:

• Via email, by selecting one or several groups of users or by indicating specific mail addresses.
You can configure the email address of a user when you add it. For more details, refer to the
chapter Hardening the Management Infrastructure.
• Via an SNMP trap to an external management platform by indicating its IP address and com-
munity string, if the SNMP server of the appliance is properly configured. For more details re-
garding how to configure the appliance SNMP server, refer to the chapter Securing the SNMP
Connections.

For more details regarding how to define and manage alerts, refer to the section Managing Alerts
in the Administrator Guide.

To add an alert
This procedure is an example: it sends an alert if any zone status changes to anything but OK.
1. Go to the page of your choice and filter the list according to your needs.
a. In the sidebar, go to DNS > Zones. The page All zones opens.
b. In the column Server, click on the name of the server of your choice to display the zones
it contains.
c. In the search engine of the column Status, click on . The filter constructor opens.
d. In the drop-down list on the left, select != (different from).
e. In the field on the right, click on . The statuses drop-down list opens.
f. Select OK and click on APPLY . The page refreshes. The column search engine now
contains != OK and only the zones with a status different from OK are displayed.
2. In the menu, select Alerts, gadgets & Smart Folders > Add an Alert. The wizard Add
an alert definition opens.
3. In the field Name, name the alert. By default, the alert is named after the module and page
from where you configure it, in our example DNS: Zones.
4. In the field Description, you can specify a description if needed.
5. For alerts added from the DNS page Analytics displaying Guardian data, in the drop-down
list Period, select the overall period of data to retrieve, either the last 1h, 3h or 6h.
6. In the section Expert mode, tick the box to display the expert configuration fields.
7. Through the fields Filter results and Value, you can configure the alert execution parameters.

Table 4.7. Alert execution configuration fields

Field           Description
Filter results  The filter of your choice, either != (different from), > (Greater than), < (Less than) or == (Equal to). Any of these conditions applies to the number specified in the field Value. By default, != (different from) is selected.
Value           A number that corresponds to the threshold of the filter you set before adding the alert. By default, 0 is displayed.

For instance, if you do not want the alert to be triggered for less than 2 zones with a status
different from OK, you can select Greater than in the drop-down list Filter results and 2 in
the field Value.
8. In the section Triggered by change, tick the box if you want your alert to match your filter
only by change. In the case of our example, if you do not tick the box and three zones already
correspond to the filter (they could be in delayed create, timeout...), the alert is triggered if,
at the next check, the zones are still not set to OK.
9. In the drop-down list Alert Priority, define the alert priority. It can be Low, Normal, High,
Urgent or Immediate.
10. In the drop-down list Alert Severity, define the alert severity. You can choose among Minor,
Major, Crash and Block.
11. In the drop-down list Alert Group Owner, select a group of users among the ones you added.
12. You can tick the box Edit scheduling to configure a specific check frequency for the alert.
By default, the check is performed every 5 minutes of every hour, every day and every month.

Table 4.8. Alert check scheduling parameters


Field Description
Day(s) of the week A day, a frequency or a period of days. This field is optional.
Date of the month A specific day of the month or every day. This field is optional.
Month A specific month or every month. This field is optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period. The
hour respects the UTC standard. This field is optional.
Minute A moment of the hour (00, 15, 30 or 45) or a frequency. The minute respects the UTC
standard. This field is optional.

13. You can tick the box Send mail to notify the users of your choice via email when the alert
definition is met. The following fields appear.
a. In the drop-down list Mailing lists, select an existing group of users. The email address
of the users of the group must be configured, otherwise they can never receive the alert
notification.
b. In the field Additional Mail, specify the target email address of the alert notification.
c. Click on ADD to move the information to the Additional Mail List. The list contains all
the recipients of the alert email.
d. Repeat these actions for as many recipients as needed.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .

14. You can tick the box SNMP Trap to send a trap to the device of your choice when the alert
definition is met. The following fields appear.

Table 4.9. SNMP trap configuration parameters

Field                    Description
SNMP version             The version of SNMP used, v2c.
SNMP Destination         The IP address of the network management platform.
SNMP Community           The community string that acts as a password to access the SNMP agent.
Raised alert SNMP OID    A custom OID to be sent when the alert is raised. You can use and extend the default OID 1.3.6.1.4.1.2440.1.6.1.2.0.1.
Released alert SNMP OID  A custom OID to be sent when the alert is released. If this field is empty, no trap is sent when the alert is released.

15. Click on OK to complete the operation. It is now listed in the page Alerts Definition and
marked as Released.

Managing the Logs


In the module Administration, two pages allow you to manage the logs. You can monitor them
from Syslog and redirect them from Configuration of Network Logs.

Using syslog-ng include files, it is even possible to activate syslog over the TCP protocol to avoid
syslog message loss. For more details, refer to the appendix Configuring Non-Supported Options
in the Administrator Guide.

Syslog
The page Syslog lists the logs of all the services executed. You can filter the list using the menu
or the columns to display a specific operation on the local or a remote appliance.

To display the logs of your choice on the page Syslog


1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on Syslog. The page Syslog opens.
3. In the drop-down list SOLIDserver, select the appliance of your choice. The page refreshes.
If you are not managing any remote appliance, the list only displays local.
If you are managing remote appliances, the local appliance is listed using only its hostname.
All remote appliances are listed as follows: <hostname> (<IP address>). Unreachable appli-
ances are listed as follows: <hostname> (<IP address>) - Timeout.
4. In the drop-down list Service, select the service of your choice:

Service Description
named The DNS log messages.
dns-firewall The log messages related to RPZ processing.
dhcpd The DHCP log messages.
ipmserver The internal transactional engine log messages.
messages All the system log messages.
auth The authentication log messages. By default, it logs failed authentications. To also
log successful authentications refer to the section Monitoring Successful Authentica-
tions.
ipmserver-rules The operations executed by rules.
gslb-check The Application log messages regarding initial health check failures and node status
changes.

5. You can tick the box Automatic refresh to automate the refresh of all the logs.

By default, the refresh is scheduled to be executed every 10 seconds. To change the refresh
frequency, refer to the section Editing Syslog Refresh Frequency.
6. You can look for specific logs by filtering the following columns:
a. From the column Time, you can sort and filter the logs based on the date and time of
the service execution. Note that you can edit the time and date format from the top bar
menu My Account > My Settings.
b. From the column Log, you can filter the logs based on the details of the operation per-
formed.

Editing Syslog Refresh Frequency


Administrators can change the frequency of the Automatic refresh via a registry database.

To edit Syslog Automatic refresh frequency


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with syslog.refresh.
4. Hit Enter. Only the key www.system.syslog.refresh is listed.
5. In the column Value, click on the value listed. The wizard Registry database Edit a value
opens.
6. In the field Value, specify the number of seconds of your choice. By default, it is set to 10.
7. Click on OK to complete the operation. The report opens and closes. The Value is updated.

Monitoring Successful Authentications


By default, the service auth only returns failed connections. However, administrators can enable
a registry database key to also take successful authentications into account in the logs.

Note that monitoring successful authentication events can drastically increase the number of
logs.

To monitor successful authentication events


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with success.
4. Hit Enter. Only the key ipmserver.login.log_success is listed.
5. In the column Value, click on the value listed. The wizard Registry database Edit a value
opens.
6. In the field Value, type in 1 to enable the retrieval of successful authentication events. By
default, it is set to 0.
7. Click on OK to complete the operation. The report opens and closes. The Value is updated.

Configuration of Network Logs


The page Configuration of Network Logs allows users of the group admin to redirect the logs of
several appliances toward a remote syslog server to monitor them.

You can redirect the logs of a particular service and severity level. The available severity levels
are listed below.

Table 4.10. Syslog severity levels

Code                        Severity level  Description
0 (maximum severity level)  Emergency       The system has completely crashed and is no longer functioning.
1                           Alert           The system is unstable and a crash is imminent. Action must be taken immediately.
2                           Critical        Critical conditions. Should be corrected immediately.
3                           Error           Error conditions. Non-urgent failures that should be relayed to administrators.
4                           Warning         Warning conditions. Indicates that an error is returned if no action is taken.
5                           Notice          Unusual situation or significant event that is typically part of normal day-to-day operations.
6                           Information     Normal operational messages - may be harvested for reporting, measuring throughput, etc. - no action required.
7 (minimum severity level)  * (Debug)       Useful messages to developers for debugging, not useful during operations.

Note that selecting a log level automatically includes the logs with a higher severity, the ones
with a smaller code number. Therefore, if you select Warning (4) logs, you also redirect the Error
(3), Critical (2), Alert (1) and Emergency (0) logs.
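As an added example (not code from the EfficientIP guide), the following Python models that rule: it decodes the <PRI> prefix of standard syslog lines into facility and severity, then keeps only the messages a redirection configured at a given Level would forward. The log lines are constructed for illustration.

```python
import re

# Severity codes as listed in Table 4.10 (they match the standard syslog numbering).
SEVERITY = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Information", 7: "Debug",
}
NAME_TO_CODE = {name: code for code, name in SEVERITY.items()}

# Standard syslog lines start with <PRI>, where PRI = facility * 8 + severity.
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(line):
    """Return (facility, severity, message) for a '<PRI>...' syslog line."""
    m = _PRI_RE.match(line)
    if m is None:
        raise ValueError("missing <PRI> prefix: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range: %d" % pri)
    return pri >> 3, pri & 7, m.group(2)


def is_forwarded(severity_code, selected_level):
    """A redirection set to selected_level forwards every message whose
    severity code is lower than or equal to it (lower code = more severe)."""
    return severity_code <= selected_level


def select_for_redirection(lines, selected_level):
    """Return the lines a redirection configured at selected_level forwards.
    selected_level is a code (0-7) or a severity name from Table 4.10."""
    if isinstance(selected_level, str):
        selected_level = NAME_TO_CODE[selected_level]
    if not 0 <= selected_level <= 7:
        raise ValueError("severity level must be 0..7")
    kept = []
    for line in lines:
        _facility, severity, _msg = decode_pri(line)
        if is_forwarded(severity, selected_level):
            kept.append(line)
    return kept


# Constructed sample messages: facility 3 (daemon), so PRI = 24 + severity.
SAMPLE_LINES = [
    "<26>Mar  2 10:00:01 nshost named[1234]: critical: zone example.com/IN: refresh failed",   # Critical (2)
    "<27>Mar  2 10:00:02 nshost named[1234]: error: transfer of example.com/IN failed",        # Error (3)
    "<28>Mar  2 10:00:03 nshost dhcpd[2345]: warning: pool exhausted 192.0.2.0/24",            # Warning (4)
    "<29>Mar  2 10:00:04 nshost named[1234]: notice: zone example.com/IN: loaded serial 1",    # Notice (5)
    "<30>Mar  2 10:00:05 nshost ipmserver[4242]: info: scheduler tick",                        # Information (6)
]

if __name__ == "__main__":
    for level in ("Emergency", "Error", "Warning", "Debug"):
        kept = select_for_redirection(SAMPLE_LINES, level)
        print("Level %-11s forwards %d of %d lines" % (level, len(kept), len(SAMPLE_LINES)))
```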

To add a syslog redirection


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, next to Syslog, click on Configuration. The page Configuration
of network logs opens.
3. In the menu, click on Add. The wizard Syslog configuration opens.
4. In the drop-down list Services, select the service of your choice.

Table 4.11. The services that can be redirected

Service         Description
ipmserver       The internal transactional engine logs.
dhcp            The log messages of the service dhcpd.
dns             The log messages of the service named.
dns-firewall    The RPZ dedicated log messages of the service named.
posgresql       The SQL logs.
messages        All the system logs.
anycast         The anycast logs.
auth            The authentication logs.
security        The security logs.
ipmserver-rules The operations executed by rules.
gslb-check      The log messages of the service GSLB Server regarding initial health check failures and node status changes.

5. In the drop-down list Level, select the severity level of your choice. Note that any severity
other than Emergency (0) also redirects higher severity levels, the ones with a lower code.
For more details, refer to the table Syslog severity levels.
6. In the field Target server, specify the IP address and port number of the Syslog server re-
ceiving the logs following the format <ip-address>:<port-number>.
7. Click on OK to complete the operation. The report opens and closes. The page displays the
list of logs redirections.

Once listed in the panel, you can DELETE any redirection.

Tracking Sessions and Users


SOLIDserver allows you to monitor and track both the sessions and the users that connected to the appliance.

Tracking Sessions
The page Session tracking allows you to display the list of the users who recently connected or
are currently connected to SOLIDserver. The user connection is checked every 300 seconds.

To track the latest user sessions


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on Session tracking. The page Session tracking opens.

You can also track previous sessions on the page Session history.

To display the session history of all users


Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on Session tracking. The page Session tracking opens.
3. On the right-end side of the menu, click on Session history. The page Session history
opens.
4. To display the latest user sessions again, in the breadcrumb click on Session tracking.

Tracking Users
The page User tracking allows each user to monitor their events, all the operations they carried
out. Note that:
• The different columns and filters on the page allow you to track operations and who performed
them.
• You can display user operations on the page Syslog via a dedicated registry database entry,
as detailed in the section Sending a Copy of User Operations to Syslog.

Tracking User Operations


The columns on the page User tracking allow you to track user operations and display specific
object additions, editing, deletions... and the user who performed them.

To track user operations


1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on User tracking. The page User tracking opens.
3. Filter the list to look for specific operations via the search engine of the column of your choice:
a. In the column Date, you can specify a date and time or double-click to use the filter
constructor.
b. In the column Service, you can specify an operation and/or object. The column returns
services formatted as follows: <operation>: <object-concerned>. For instance, Add:
spaces.
The list of all existing services is available on the page Rights of each group of users.
For more details, refer to the section Managing the Rights of a Group of Users in the
Administrator Guide.
c. In the column User, you can specify a user login to only display the operations they
performed.
d. In the column Description, you can specify information on the object the service was
performed on. Depending on the object, the information can be a name, an IP or MAC
address, a parent object name... or even class parameters.
To display all the class parameter details, at the end of the description, click on the
link Class Parameters. Note that hovering over the link displays the details in a pop-up
window.
4. Click on REFRESH to display the corresponding user(s).

Sending a Copy of User Operations to Syslog


Using a dedicated registry key, administrators can save a copy of user operations in the file
ipmserver.log to display them on the pages User Tracking and Syslog.

To send a copy of user operations to Syslog


1. Add the registry key to enable the external storage of user operations
Only users of the group admin can perform this operation.
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section Expert, click on Registry database. The page Registry database opens.
c. Filter the column Name with module.system.usertracking_use_syslog.
d. Hit Enter. Only this key is listed.
e. In the column Value, click on 0. The wizard Registry database Edit a value opens.
f. In the field Name, the key name is displayed in read-only.
g. In the field Value, delete the 0 and replace it with 1. This value means the key is enabled.
h. Click on OK to complete the operation. The report opens and closes. In the column
Value, a 1 is displayed.
2. Display the user operations in Syslog
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section Monitoring, click on Syslog. The page Syslog opens.
c. In the drop-down list SOLIDserver, verify that the local appliance is selected. Only the
hostname appears with no IP address.
d. In the drop-down list Services, select ipmserver. The page refreshes.

e. In the column Log, use the filter ipmserver: . The user operations are listed as follows:
<hostname> <process_name>[<process_id>]: ipmserver: <service_name> <user_name>
<service_parameters>
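As an added example (not code from the EfficientIP guide), the following Python parses lines in that format and summarizes which operations each user performed, the kind of review a defender runs over a forwarded ipmserver.log. It assumes that <service_name> takes the '<operation>: <object>' form shown on the page User tracking (for instance Add: spaces); the hostnames, logins and log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# <hostname> <process_name>[<process_id>]: ipmserver: <service_name> <user_name> <service_parameters>
# Assumption: <service_name> is '<operation>: <object>', as displayed on the page User tracking.
USER_OP_RE = re.compile(
    r"^(?P<host>\S+)\s+"
    r"(?P<process>[^\s\[]+)\[(?P<pid>\d+)\]:\s+"
    r"ipmserver:\s+"
    r"(?P<operation>[A-Za-z_]+):\s+(?P<object>\S+)\s+"
    r"(?P<user>\S+)"
    r"(?:\s+(?P<params>.*))?$"
)


def parse_user_operation(line):
    """Return a dict for a user operation line, or None for any other log line."""
    m = USER_OP_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["service"] = "%s: %s" % (rec["operation"], rec["object"])
    rec["params"] = rec["params"] or ""
    return rec


def operations_by_user(lines):
    """Map each user login to a Counter of the services they executed."""
    summary = defaultdict(Counter)
    for line in lines:
        rec = parse_user_operation(line)
        if rec is not None:
            summary[rec["user"]][rec["service"]] += 1
    return dict(summary)


def users_performing(lines, operation, min_count=1):
    """Logins that performed `operation` (e.g. 'Delete') at least min_count
    times, sorted so the result is stable."""
    hits = Counter()
    for line in lines:
        rec = parse_user_operation(line)
        if rec is not None and rec["operation"] == operation:
            hits[rec["user"]] += 1
    return sorted(user for user, n in hits.items() if n >= min_count)


# Constructed sample of ipmserver.log content (hostname, users and objects are made up).
SAMPLE_LOG = [
    "nshost ipmserver[2190]: ipmserver: Add: spaces admin space_name=lab",
    "nshost ipmserver[2190]: ipmserver: Delete: dns_zone jdoe zone_name=test.example",
    "nshost ipmserver[2190]: ipmserver: Delete: dns_zone jdoe zone_name=old.example",
    "nshost ipmserver[2190]: ipmserver: Edit: users admin login=jdoe",
    "nshost named[1234]: zone example.com/IN: loaded serial 42",  # not a user operation
]

if __name__ == "__main__":
    for user, services in sorted(operations_by_user(SAMPLE_LOG).items()):
        print(user, dict(services))
    print("users with 2+ deletions:", users_performing(SAMPLE_LOG, "Delete", min_count=2))
```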

Chapter 5. Hardening the DNS
Management
If you manage DNS servers, no matter the vendor, we recommend securing your DNS infrastruc-
ture. To add and configure servers, refer to the chapters Managing DNS Servers and Con-
figuring DNS Servers in the Administrator Guide.

Depending on your infrastructure, some or all of the following best practices allow you to harden your
DNS management:
• Separate authoritative and recursive resolution. For more details, refer to the section Configuring
Recursive and Authoritative Resolution.
• Add a secure smart architecture to manage your servers, a Stealth smart architecture for in-
stance. For more details, refer to the section Configuring a Smart Architecture.
• Secure BIND servers via Hybrid DNS: once prepared, your server engine can switch to NSD
or Unbound and reduce corruption risks. For more details, refer to the section Configuring
Hybrid DNS.
• Configure DNSSEC protection, to ensure your DNS hierarchy is legitimate. For more details,
refer to the section Configuring DNSSEC.
• Configure TSIG protection, to authenticate DNS data exchanges. For more details, refer to the
section Configuring TSIG Keys.
• Restrict access to recursive servers via DNS ACLs. For more details, refer to the section
Configuring DNS ACLs.
• Limit the number of responses of a server through rate limits. For more details, refer to the
section Configuring Rate Limits.
• Implement Anycast forwarding. For more details, refer to the section Configuring Anycast DNS.
• Configure DNS Guardian, if your license allows it, to set advanced protection on your system.
For more details, refer to the section Configuring DNS Guardian.

In addition, it is important that you:

• Dedicate a full appliance to DNS, i.e. it should only run the DNS service. Any other service
running alongside, other than NTP and SNMP, invites hacking attempts and decreases
performance. For more details, refer to the chapter Securing Services.
• Restrict public connection(s) to the interfaces through which the appliance is updated and
answers DNS queries. Open ports and/or additional attached network cables invite hacking
attempts. For more details, refer to the chapter Securing the Firewall.

Configuring Recursive and Authoritative Resolution


To resolve domain names and IP addresses:
• Authoritative name servers only query a local database.
• Recursive name servers query a local database and a hierarchy of public name servers.

DNS best practices recommend separating authoritative and recursive services [1]. This way, au-
thoritative name servers, which do not perform caching, are not affected by harmful or corrupted
entries that can be found in recursive name servers.

[1] BIND version 10 explicitly conforms to this guideline by separating recursive and authoritative name servers.

Hardening the DNS Management

If you only need an authoritative resolution, the best practices recommend having 2 servers,
a master and a slave, located in two different data centers to ensure availability. For instance,
you could have two authoritative servers located in the data centers A and B that you manage
via one smart architecture from a SOLIDserver appliance located in the data center A [2].

If you need authoritative and recursive resolution, the best practices also recommend man-
aging servers located in different data centers to ensure availability. For instance, you can have
an authoritative server and a recursive server located in the data center A and the same config-
uration in the data center B. Both configurations can be managed via smart architectures from
one SOLIDserver appliance located in the data center A [2]: one smart architecture would manage
the two authoritative servers and another one the two recursive servers.

Note that you should configure the authoritative name servers to accept DNS database updates
only from other authoritative name servers or management appliances. For more details, refer
to the section Configuring DNS ACLs.

Once you set the resolution that suits your needs on your server(s), refer to the section Configuring
a Smart Architecture.

To configure recursion on a DNS server


1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel Recursion using .
To enable recursion, refer to step 4. To disable recursion, refer to step 5.
4. If the Recursion is set to No, you can click on EDIT to enable recursion. The wizard Recursion
configuration opens.
a. In the drop-down list Recursion, select Yes.
b. In the field Recursive-clients, specify the number of clients that you want to serve re-
cursively. If you leave the field empty, the default value, 1000, is applied. For more details,
refer to the section Configuring Rate Limits.
c. Click on NEXT . The page Allow recursion opens.
Using the drop-down lists Type and Restriction, you can grant or deny access to as
many networks, IP addresses, ACLs and keys as you need. Select a Type and complete
the configuration as follows:

Table 5.1. Restriction and permission parameters


Type Restriction configuration
Network address A way to allow or deny access to an entire network. Specify the IPv4 or IPv6 ad-
dress of a network following the format <ip-address>/<prefix>.
IP address A way to allow or deny access to specific IP address. Specify the IPv4 or IPv6
address of an appliance, user, host...
ACL The access configuration of an ACL defined at server level, allow or deny access
to admin, any, none, localhost, localnets or any server custom ACL. Note that the
ACL admin is used by SOLIDserver to configure and exchange data with DNS
servers.
TSIG key The access configuration of a DNS key defined at server level, allow or deny ac-
cess to any TSIG key available in the panel Keys. For more details, refer to the
section Configuring TSIG Keys.

[2] Note that you can also have a backup SOLIDserver appliance located elsewhere, for instance in the data center B. For more details,
refer to the section Setting High Availability.


Once a restriction or permission is configured as needed, click on ADD . The entry is
moved to the list ACL values. All denied entries are preceded by an exclamation mark
(!). Keep in mind that the order of the entries matters: each restriction or permission listed is
reviewed following the order you set. To order the entries, select them one by one and
click on the arrows to move them up or down.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
d. Click on OK to complete the operation.
5. If the Recursion is set to Yes, you can click on EDIT to disable recursion. The wizard Recur-
sion configuration opens.
a. In the drop-down list, select No.
b. Click on NEXT . The page Allow recursion opens.
c. Click on OK to terminate the recursion disabling.

Configuring a Smart Architecture


To manage similar name servers, either authoritative or recursive, you can group them in a DNS
smart architecture. Any action performed on the Master server is replicated on the Slave servers.
This avoids time loss and misconfiguration risks. For more details, refer to the chapters Deploying
DNS Smart Architectures and Managing DNS Smart Architectures in the Administrator Guide.

If your organization needs to deploy DNS servers on the Internet, we recommend using at least
3 name servers managed via a Stealth smart architecture:
• A true Master server hidden from the world,
• One or several visible slave server(s) used as decoy,
• Slave server(s) that do not transfer or accept transfers from the hidden Master server.
The Master server can be offline for maintenance without causing any interruption to DNS service
within the expiration duration (30 days) set for the validity of its zone data.

To add a DNS Stealth smart architecture


1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. In the menu, select Add > Smart architecture. The wizard Add a DNS smart architecture
opens.
3. If custom classes are enabled at server level, in the list DNS server class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. In the field DNS Name, name the smart architecture with a valid FQDN.
5. In the list DNS smart architecture, select Stealth.

Figure 5.1. DNS Stealth smart architecture (diagram showing the DNS Hidden Master, the DNS Pseudo Master Slave and the DNS Slave)

6. Click on NEXT . The page DNS servers role configuration opens.


7. You can select the physical servers that you want to manage from the smart architecture:
a. To add a master server, in the drop-down list Available DNS servers, select a server
and click on + HIDDEN-MASTER . The server is moved to the Hidden-master DNS server(s)
list. To remove a server from the list, select it and click on . Note that BIND/Unbound
hybrid, Generic, Amazon Route 53 and Azure servers cannot be hidden-master.
Repeat this action for as many servers as needed.
b. To add the slave server you want to use as pseudo master, in the drop-down list
Available DNS servers, select a server and click on + PSEUDO-MASTER . The server is
moved to the field Pseudo-master DNS server (slave server used as decoy). To re-
move the server from the field, click on . Note that BIND/Unbound hybrid and Generic
servers cannot be pseudo-master.
Repeat this action for as many servers as needed.
c. To add a slave server, in the drop-down list Available DNS servers, select a server
and click + SLAVE . The server is moved to the Slave DNS servers list. To remove a
server from the list, select it and click on . Note that Generic, Amazon Route 53 and
Azure servers cannot be slave.
Repeat this action for as many servers as needed.
8. If you want to publish one or several name servers or load balancers or even force the Hybrid
compatibility of the smart architecture, you need to complete the configuration as follows.
a. Tick the box Expert mode. The page reloads.
b. Click on NEXT . The page Advanced settings opens.
c. In the field NS record, specify the name server of your choice. It can also be the host-
name of an external load balancer.
d. Click on ADD . The name is moved to the Published name servers list. Note that the
first server in this list is used as MNAME value of the SOA for all the Master zones
managed by this smart architecture.
Repeat these actions for as many NS records as needed, every record listed is saved
in all zones and displayed on the page All RRs of each of the physical servers managed
by the smart architecture.
You can edit the content of the Published name servers list:
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .

e. You can tick the box Force Hybrid DNS compatibility if you intend to manage BIND
servers that you might switch to Hybrid in the future. For more details, refer to the section
Configuring Hybrid DNS.
9. Click on NEXT . The last page opens.
10. Tick the box Use DNS as DNSSEC resolver if you want to activate DNSSEC validation on
all the servers the smart architecture manages. For more details, refer to the chapter Config-
uring DNSSEC.
11. Tick the box Isolated if you want to isolate the server within SOLIDserver. This prevents the
server, and its content, from executing any configured replication rule or advanced property.
The server still receives data if your network configuration allows it.
This option is mainly useful during migrations. When the server configuration is ready and
you untick the box, you must manually execute the rules and/or advanced properties, at all
relevant levels of the module hierarchy, via the menu Tools > Initialize rules.
12. In the field Description, you can specify a description, it is displayed in the dedicated column
of the page All servers.
13. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able to configure them. For more details,
refer to the DNS section of the chapter Managing Advanced Properties in the Administrator
Guide.
14. Click on OK to complete the operation. The report opens and closes. The smart architecture
is listed as a DNS server and marked Smart (master/slave) in the column Type. To display
or hide the physical servers managed through the smart architecture click on on the right-
end side of the menu.
During the first addition of a DNS smart architecture, the option allow-transfer is by
default configured with the ACL admin. Within SOLIDserver admin corresponds to any,
so you might want to change the ACL and restrict the option use as it is inherited by the
server zones. For more details, refer to the section Configuring DNS ACLs.

Configuring Hybrid DNS

Network administrators should maintain, and be ready to switch between, at least two different
name server software products in case of a suspected 0-day threat on the DNS service.

When managing only EfficientIP servers via a smart architecture, you can use the DNS Hybrid
feature to switch, in seconds, between two DNS engines:
• If the smart architecture recursion is set to yes, a Hybrid compliant server can switch to
BIND/Unbound.
• If the smart architecture recursion is set to no, a Hybrid compliant server can switch to
BIND/NSD.

For more details regarding the limitation and configuration of DNS Hybrid, refer to the chapter
Hybrid DNS Service in the Administrator Guide.

Before using Hybrid DNS, you must generate the hybrid compatibility report to ensure that the
configuration of your DNS server and the elements it contains are compatible.

To generate the Hybrid DNS Engine incompatibilities report

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. Tick the smart server managing the physical server you intend to switch to Hybrid.
3. In the menu, select Report > Hybrid DNS Engine incompatibilities. The wizard Hybrid
incompatibilities report opens.
4. In the list Report format, select HTML or PDF.
5. Click on NEXT . The last page of the report opens.
6. In the drop-down list Action, select Generate new data, Schedule the report or a former report;
former reports are listed using their date and time. By default, Generate new data is selected.
a. If you leave Generate new data selected, a report of all the incompatibilities with Hybrid
is immediately generated.
b. If you select Schedule the report, you can configure the frequency at which all the reports
are generated.

Table 5.2. Scheduled report frequency parameters

Day(s) of the week: A day, a frequency or a period of days. By default, every day is selected. This field is optional.
Date of the month: A specific day of the month or every day. By default, every day is selected. This field is optional.
Month: A specific month or every month. By default, every month is selected. This field is optional.
Hour: A specific hour, a set of hours, every hour, or every hour over a specific period. The hour respects the UTC standard. By default, 20 is selected. This field is optional.
Minute: A moment of the hour, either 00, 15, 30 or 45. The minute respects the UTC standard. By default, 00 is selected. This field is optional.
Name: The name of the report on the page Scheduled reports. You can edit the default name.
Mail to: The name of the group whose users should receive the export notification email. By default, the first of your groups, in the ASCII alphabetic order, is selected. This field is optional. Note that no email can be sent if the users' email addresses are not valid or if your SMTP relay is not configured. For more details, refer to the section Configuring the SMTP Relay in the Administrator Guide.
Rights as: The name of the user whose rights and limitations are applied in the report, as follows: <user> [<group>]. Only the items this user has access to are listed in the export. By default, the first of your users, in the ASCII alphabetic order, is selected. This field is optional.

7. Click on OK to complete the operation. The report opens and closes.
Each time a report is generated, it is available in the module Administration on the page
Reports.
8. If you left Generate new data selected:
a. You can click on DOWNLOAD to save the report immediately.
Otherwise, it is available on the page Reports.
b. Click on CLOSE to go back to the page.

Once you have generated the report, you must review and correct all the parameters it lists that
are not compatible with Hybrid, until your smart architecture is marked compatible. You can
generate as many reports as you need.

To find the Hybrid DNS Engine incompatibilities report

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on Reports. The page Reports opens.
3. In the column Name, look for the report DNS Hybrid Compliancy.

Once the physical server is Hybrid compliant, on the page All servers, the column Hybrid DNS
compatibility is marked Yes and, in the smart architecture editing wizard, the field Compatible
with a Hybrid DNS Engine is also marked Yes.

Once your server is compatible with Hybrid, you can switch it. If you manage it from a smart
architecture, that architecture can contain one or several BIND servers that you can all switch.
Keep in mind that, if you only switch one server, the other servers share the same limitations as
the Hybrid servers.

The switch to Hybrid follows this order:

1. All the Hybrid incompatibilities checks are made again.
2. If the server is actually compatible, the relevant Hybrid configuration is pushed to the physical
server.
3. Once the whole configuration is successfully pushed, BIND service is disabled and stopped
and the relevant Hybrid service (NSD or Unbound) is enabled and started.

To switch a physical server from BIND to Hybrid DNS

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. Make sure the BIND physical server you want to switch to Hybrid belongs to a smart archi-
tecture compatible with Hybrid.
3. Make sure the server status is OK.
4. Tick the physical server you want to switch.
5. In the menu, select Tools > Expert > Switch DNS Engine > To NSD / Unbound. The
wizard Switching the DNS Engine opens.
6. Click on OK to complete the operation. The report opens and works until the relevant DNS
service restarts. The physical server Status is OK and its Version indicates the engine
name it switched to.

Configuring DNSSEC
Domain Name System Security Extensions (DNSSEC) is used to strengthen DNS protocol security.
It controls the integrity of all DNS answers and ensures that client queries are answered by the
proper zone.

By providing origin authentication, it protects the DNS information exchanged between name
servers configured with DNSSEC. Within SOLIDserver, it can only be configured on EfficientIP
servers and smart architectures managed via SSL, you cannot configure it on other DNS vendors.

You can configure DNSSEC on authoritative and recursive servers. In this section, we focus on
recursive servers, for more details refer to the chapter DNSSEC in the Administrator Guide.

Before configuring DNSSEC on a recursive server, keep in mind that:

• Just like the DNS, DNSSEC validation relies on resolvers. They must be part of a chain of
trust.
• DNSSEC resolvers validate the integrity of the records sent to DNS clients, they ensure the
DNSSEC chain of trust.
• You can set EfficientIP DNS servers and smart architectures as DNSSEC resolvers and
associate them with a trust anchor.
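To make the chain-of-trust bullets concrete, here is an added example (not SOLIDserver code) of the check a validating resolver performs with a configured trust anchor: it recomputes the DS digest over the zone's DNSKEY and compares it with the anchor, accepting the key only on an exact match. The zone name example. and the key bytes are constructed for the demo; the DS digest, key tag and canonical name encoding follow RFC 4034 and RFC 4509. The example also shows why the key tag alone is not a security check: two different keys can share one tag, and only the digest comparison tells them apart.

```python
"""Added example (not SOLIDserver code): how a validating resolver links a
configured trust anchor to the DNSKEY it receives for a zone (RFC 4034/4509).
The sample zone "example." and the key bytes are constructed."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustAnchor:
    """A trust anchor in DS form: key tag, algorithm, digest type and hex digest."""
    key_tag: int
    algorithm: int
    digest_type: int   # 2 = SHA-256 (RFC 4509); the only type modelled here
    digest: str


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminated by the empty root label."""
    labels = [label for label in name.lower().split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Build DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, key material."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B). It only helps pick a
    candidate key; the digest comparison below is the real check."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_anchor(owner: str, rdata: bytes) -> TrustAnchor:
    """Derive the DS form of a DNSKEY: SHA-256 over canonical owner name + RDATA."""
    digest = hashlib.sha256(owner_name_wire(owner) + rdata).hexdigest()
    return TrustAnchor(key_tag(rdata), rdata[3], 2, digest)


def dnskey_matches_anchor(anchor: TrustAnchor, owner: str, rdata: bytes) -> bool:
    """Resolver-side check: the DNSKEY must be a zone key (flag bit 7), carry the
    anchor's algorithm and key tag, and hash to exactly the anchor's digest."""
    if anchor.digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) anchors are modelled")
    flags = int.from_bytes(rdata[:2], "big")
    if not flags & 0x0100:                      # ZONE KEY flag not set: not a zone key
        return False
    if rdata[3] != anchor.algorithm or key_tag(rdata) != anchor.key_tag:
        return False
    candidate = hashlib.sha256(owner_name_wire(owner) + rdata).hexdigest()
    return hmac.compare_digest(candidate, anchor.digest)


# Constructed sample keys (not real key material): flags 257 = ZONE KEY + SEP, algorithm 8.
GOOD_KEY = dnskey_rdata(257, 3, 8, bytes([1, 2, 3, 4]))
ROGUE_KEY = dnskey_rdata(257, 3, 8, bytes([1, 2, 3, 5]))       # different key, different tag
COLLIDING_KEY = dnskey_rdata(257, 3, 8, bytes([1, 3, 3, 3]))   # same tag as GOOD_KEY, different key

if __name__ == "__main__":
    anchor = make_anchor("example.", GOOD_KEY)
    print("anchor key tag:", anchor.key_tag)
    print("legitimate key accepted:", dnskey_matches_anchor(anchor, "example.", GOOD_KEY))
    print("rogue key accepted:", dnskey_matches_anchor(anchor, "example.", ROGUE_KEY))
    print("tag-colliding key accepted:", dnskey_matches_anchor(anchor, "example.", COLLIDING_KEY))
```

A real resolver goes on to verify the zone's RRSIGs with the accepted key and walks DS/DNSKEY pairs down the hierarchy; the anchor comparison above is the first link of that chain, which is why the anchor you associate with a server must be accurate and kept current.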

To enable DNSSEC validation

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. In the panel DNSSEC, click on EDIT . The wizard Edit DNSSEC properties opens.
The box is not available for servers managed via a smart architecture; in this case, to tick
the box you must edit the smart architecture.
4. Tick the box Use DNS as DNSSEC resolver. The wizard refreshes.
5. In the list Available Trust Anchor, select a trust anchor and click on . The trust anchor is
moved to the list Configured Trust Anchors.
To remove a trust anchor from the list, select it and click on . It is moved back to the list
Available Trust Anchor.
6. Click on OK to complete the operation. The wizard closes. In the panel DNSSEC, the DNSSEC
resolution is now Enabled and the list Trust Anchors contains the chosen trust anchor(s).
On the page All servers, in the column DNSSEC the server is now marked Yes.
On the properties page of the trust anchor, in the panel DNS servers using this trust anchor,
the server is listed.

Configuring TSIG Keys

SOLIDserver supports the use of Transaction SIGnatures (TSIG) keys to authenticate every DNS
data exchange between SOLIDserver itself and your DNS servers or clients.

The data is signed via a technique called HMAC (Keyed-Hashing for Message Authentication,
see RFC 2104), which employs a shared secret and a one-way cryptographic hash function to
sign data. This shared secret is used as a password known only to the two parties involved in
the exchange.

From the properties page of EfficientIP, EfficientIP Package and Generic servers as well as smart
architectures you can add, edit and delete TSIG keys. Once a key is added, you can use it:
• To secure the server with a unique TSIG key. A key can be used in any of the server statements
or in the statements of its views and zones.
At zone level you can set up dynamic update if you use the TSIG key specified on the server
in the statement allow-update.
• In your ACLs at server, view and/or zone level. For more details, refer to the chapter Configuring
DNS ACLs.
• When adding and editing slave zones, RPZ or not, and stub zones. For more details, refer to
the chapter DNS Firewall (RPZ) in the Administrator Guide.
• To set up dynamic update for your master zones. For more details, refer to the chapter Imple-
menting Dynamic Update in the Administrator Guide.

Note that TSIG keys are not supported by Microsoft servers. However, you can configure their
zones for dynamic update via GSS-TSIG keys.

For more details on TSIG keys, refer to the section Configuring DNS Keys in the Administrator
Guide.
To add a TSIG key

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel Keys using and click on ADD . The wizard TSIG Key configuration opens.
4. Configure the key. You can edit the valid hmac-sha512 key configured by default.

Table 5.3. DNS key configuration parameters

Key name: The name of the key. It must be a string starting with a letter or underscore, followed by any number of letters, numbers, or underscores. This field is required.
Key algorithm: The key algorithm, either hmac-sha512, hmac-sha384, hmac-sha256, hmac-sha224, hmac-sha1 or hmac-md5 (obsolete). By default, hmac-sha512 is selected. This field is required.
TSIG Key value: The key value is the secret to be used by the algorithm, and is treated as a base-64 encoded string. By default, the field contains a valid value, matching the default algorithm hmac-sha512.

5. Click on OK to complete the operation. The report opens and closes.
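As an added example (not EfficientIP's or BIND's code), the following Python applies the Key name rule and the algorithm list from Table 5.3, generates a base64 secret of the size the algorithm's digest calls for, and shows the HMAC signing and constant-time verification a TSIG key provides: both parties hold the same secret, and any change to the message, the key or the algorithm makes verification fail. The key name, the message bytes and the zero-filled demo secret are constructed for the demo; a real secret comes from generate_secret or from the wizard's default value.

```python
"""Added example (not SOLIDserver or BIND code): the TSIG key rules from Table 5.3
and the HMAC signature/verification a key protects, in plain Python.
The secret below is constructed for the demo, not a key to reuse."""
import base64
import hashlib
import hmac
import os
import re

# Algorithms offered by the wizard, mapped to hashlib digest names.
TSIG_ALGORITHMS = {
    "hmac-sha512": "sha512",
    "hmac-sha384": "sha384",
    "hmac-sha256": "sha256",
    "hmac-sha224": "sha224",
    "hmac-sha1": "sha1",
    "hmac-md5": "md5",   # listed as obsolete in the wizard: do not pick it for new keys
}

# Key name rule from Table 5.3: a letter or underscore, then letters, digits or underscores.
_KEY_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_valid_key_name(name: str) -> bool:
    """True when the name satisfies the wizard's Key name rule."""
    return _KEY_NAME_RE.match(name) is not None


def generate_secret(algorithm: str) -> str:
    """Fresh random secret, base64-encoded, as long as the algorithm's digest
    (the same size BIND's tsig-keygen produces)."""
    size = hashlib.new(TSIG_ALGORITHMS[algorithm]).digest_size
    return base64.b64encode(os.urandom(size)).decode("ascii")


def sign(algorithm: str, secret_b64: str, message: bytes) -> bytes:
    """HMAC over the message with the shared secret; this is what a TSIG RR carries.
    The secret is not used to encrypt anything: the message itself stays readable."""
    key = base64.b64decode(secret_b64, validate=True)    # rejects a non-base64 value
    return hmac.new(key, message, TSIG_ALGORITHMS[algorithm]).digest()


def verify(algorithm: str, secret_b64: str, message: bytes, mac: bytes) -> bool:
    """Receiver side: recompute and compare in constant time. A wrong key, a
    modified message or a wrong algorithm all fail here."""
    return hmac.compare_digest(sign(algorithm, secret_b64, message), mac)


# Constructed demo secret: 32 zero bytes in base64 (a real key comes from generate_secret).
DEMO_SECRET = "A" * 43 + "="

if __name__ == "__main__":
    name = "solidserver_xfer"
    print(name, "valid name:", is_valid_key_name(name))
    msg = b"constructed update request for example.com"
    mac = sign("hmac-sha256", DEMO_SECRET, msg)
    print("accepted:", verify("hmac-sha256", DEMO_SECRET, msg, mac))
    print("tampered accepted:", verify("hmac-sha256", DEMO_SECRET, msg + b"x", mac))
    print("new sha512 secret length:", len(generate_secret("hmac-sha512")))
```

The same property is what makes the key usable inside allow-transfer and allow-update below: a request that carries a valid signature proves possession of the secret, which an IP-based ACL alone cannot prove.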

You can use TSIG keys to secure all the data exchanges between a DNS server and a SOLID-
server appliance. You can secure EfficientIP, EfficientIP Package and Generic servers. TSIG
keys are not supported by Microsoft servers.

By default, EfficientIP physical servers managed via a smart architecture provide TSIG keys on
the properties page. You can use either key to secure the server. Note that:
• The TSIG key used to secure the server must also be used in the statements allow-transfer
and allow-update. Setting these statements at server level allows for the server views and
zones to inherit the configuration.
By default, the statement allow-transfer is configured with the ACL any, and the statement allow-
update is configured with the ACL admin.
To include the relevant TSIG key in both statements, you can add the key to the ACL admin.
In this case, you must edit the statement allow-transfer to replace the ACL any with the ACL
admin. The statement allow-update is automatically updated.
To avoid using ACLs, you can edit the statement allow-transfer to grant access to the TSIG
key instead of the ACL any. You also need to add it to the statement allow-update.
For more details, refer to the section Limiting Zone Transfers at Server Level in the Adminis-
trator Guide.
• The TSIG key selected at server level can be used at zone level to set up dynamic update, if
you use the TSIG key in the statement allow-update.

If you manage your physical servers from a smart architecture, the TSIG keys of the smart
architecture are pushed to the properties of each of the physical servers it manages. Keep in
mind that a TSIG key must be unique to each server: you cannot use the same key for several
servers.

To select a TSIG key for EfficientIP and EfficientIP Package servers

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. Right-click over the name of the EfficientIP or EfficientIP Package server of your choice,
click on . The wizard Edit a DNS server opens.
3. Click on NEXT until you get to the last page of the wizard.
4. Tick the box Configure TSIG parameters if it is not already ticked.
5. In the drop-down list TSIG key name, select the key of your choice.
6. Click on OK to complete the operation. The report opens and closes.

To configure a TSIG key for Generic servers

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the Generic server of your choice, click on . The properties page
opens.
3. In the panel Main properties, click on EDIT . The wizard Edit a DNS server opens.
4. Click on NEXT until you get to the last page of the wizard.
5. Tick the box Configure TSIG parameters if it is not already ticked.
6. In the field TSIG key name, specify the name of the key.
7. In the drop-down list TSIG key method, select the method that suits your needs. The
standardized protocol for key codes is HMAC-MD5.
If you are not using an access key for this server, select None.
8. In the field TSIG key value, specify your key value.
9. Click on OK to complete the operation. The report opens and closes.

Configuring DNS ACLs

When configuring your DNS infrastructure, we recommend restricting access to your servers
using specific ACLs:

• You can add an ACL restricting access to the clients network(s) allowed to query the DNS.
• You can edit the ACL admin, which allows any connection by default, to restrict access to the
management appliance(s) IP address(es) only.
• You can add an ACL restricting access to the DNS servers IP addresses or network, for Master-
Slave synchronization.

You can then use these ACLs to configure the access controls on your EfficientIP smart
architectures and servers. Note that, by default:
• When you add a smart architecture, it uses the ACL any for the access controls allow-query
and allow-query-cache and propagates it to the servers/zones it manages. This also applies
when you add an EfficientIP server not managed by a smart architecture, even though the ACL
is not displayed in the related properties page panel.
We recommend that you use ACLs to restrict access to the management appliance(s), other
DNS servers and clients.
• When you add a smart architecture, it uses the ACL any for the access control allow-transfer
and propagates it to the servers/zones it manages. This also applies when you add an EfficientIP
server not managed by a smart architecture, even though the ACL is not displayed in the related
properties page panel.
We recommend that you use ACLs to restrict access to the management appliance(s) IP
address(es) and other DNS servers.
• When you add a zone to an EfficientIP server, either directly or via a smart architecture, it uses
the ACL any for the access control allow-update.
In the same way, we recommend that you use ACLs to restrict access to the management
appliance(s) IP address(es) and other DNS servers.

Keep in mind that any configuration set at view or zone level overrides the server level configur-
ation.
For more details regarding how to use ACLs to secure your DNS infrastructure, refer to the section
Managing DNS Security in the Administrator Guide.

Finally, note that you can add an extra layer of security by configuring DNS TSIG keys on your
servers and adding them to your ACLs. For more details, refer to the section Configuring TSIG Keys.

To add or edit a DNS ACL

1. In the sidebar, go to DNS > Servers, Views, or Zones. The page opens.
2. At the end of the line of the resource of your choice, click on . The properties page opens.
3. Open the panel ACL using .
4. To add an ACL:
a. Click on ADD . The wizard ACL configuration opens.
b. In the field ACL name, name your ACL.
5. To edit an ACL:
a. Click on the ACL of your choice.
b. Click on EDIT . The wizard ACL configuration opens.
6. Configure the ACL according to your needs.
Using the drop-down lists Type and Restriction, you can grant or deny access to as many
networks, IP addresses, ACLs and keys as you need. Select a Type and complete the con-
figuration as follows:

Table 5.4. Restriction and permission parameters

Network address: A way to allow or deny access to an entire network. Specify the IPv4 or IPv6 address of a network following the format <ip-address>/<prefix>.
IP address: A way to allow or deny access to a specific IP address. Specify the IPv4 or IPv6 address of an appliance, user, host...
ACL: The access configuration of an ACL defined at server level; allow or deny access to admin, any, none, localhost, localnets or any custom server ACL. Note that the ACL admin is used by SOLIDserver to configure and exchange data with DNS servers.
TSIG key: The access configuration of a DNS key defined at server level; allow or deny access to any TSIG key available in the panel Keys. For more details, refer to the section Configuring TSIG Keys.

Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
7. Click on OK to complete the operation. The report opens and closes. Your ACL is listed in
the panel ACL.
Once created, an ACL includes permissions and restrictions that you allow or deny access
to depending on the configuration you set:
• If you allow access to the ACL, every permission it contains is granted access and every
restriction it contains is denied access.
• If you deny access to the ACL, the contrary applies: every permission it contains is denied
access and every restriction it contains is granted access.
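The ordering and negation rules above are easier to see in code. The following Python, added here as an example and not SOLIDserver's or BIND's code, evaluates an ordered list of ACL values for a client address (and, for key entries, the TSIG key that signed the request) with first-match semantics: the first entry that matches decides, a "!" entry denies, a nested ACL counts as a match when it would allow the client, and a list nothing matches denies. The ACL names, addresses, the localnets value and the key name are constructed for the demo.

```python
"""Added example (not SOLIDserver or BIND code): how an ordered list of ACL values
is evaluated for a client, with the first-match and "!" (deny) semantics the text
describes. Named ACLs, addresses and the key name are constructed."""
import ipaddress
from typing import Dict, List, Optional

# Built-in names SOLIDserver exposes. "localnets" depends on the appliance's
# interfaces, so it is modelled here as a constructed list of networks.
BUILTINS: Dict[str, List[str]] = {
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
    "localhost": ["127.0.0.1/32", "::1/128"],
    "localnets": ["192.0.2.0/24"],   # constructed; the real value comes from the interfaces
}


def _positive_match(entry: str, client, acls: Dict[str, List[str]], key: Optional[str]) -> bool:
    """Does a single entry (already stripped of any '!') match this client?"""
    if entry.startswith("key "):
        # Key entries match the TSIG key that signed the request, not an address.
        return key == entry[4:].strip()
    if entry in acls:
        # A nested ACL counts as a match only when it would allow the client.
        return evaluate(acls[entry], str(client), acls, key)
    # Anything else must be an address or a network; "10.1.2.3" is read as a /32.
    network = ipaddress.ip_network(entry, strict=False)
    return client.version == network.version and client in network


def evaluate(acl_values: List[str], client: str, acls: Dict[str, List[str]],
             key: Optional[str] = None) -> bool:
    """The first matching entry decides: allow, unless it is a '!' entry.
    No matching entry means deny, as in a BIND address match list."""
    client_ip = ipaddress.ip_address(client)
    for raw in acl_values:
        denied = raw.startswith("!")
        entry = raw.lstrip("!").strip()
        if _positive_match(entry, client_ip, acls, key):
            return not denied
    return False


# Constructed ACL set: a management ACL, and a transfer ACL built from it plus a key.
ACLS: Dict[str, List[str]] = dict(BUILTINS)
ACLS["management"] = ["192.0.2.10", "192.0.2.11"]
ACLS["xfer"] = ["management", "key xfer_key", "!any"]

if __name__ == "__main__":
    # Order matters: the deny must come before the broader allow to take effect.
    print(evaluate(["!10.0.0.5", "10.0.0.0/8"], "10.0.0.5", ACLS))   # False
    print(evaluate(["10.0.0.0/8", "!10.0.0.5"], "10.0.0.5", ACLS))   # True: the /8 matched first
    print(evaluate(["xfer"], "198.51.100.7", ACLS, key="xfer_key"))  # True, via the key
    print(evaluate(["xfer"], "198.51.100.7", ACLS))                  # False
```

Reading the two 10.0.0.5 cases side by side is the quickest way to check an ACL you are about to push: a deny placed after a broader allow is never reached.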

To set a DNS ACL on a resource

1. In the sidebar, go to DNS > Servers, Views, or Zones. The page opens.
2. At the end of the line of the resource of your choice, click on . The properties page opens.
3. Open the panel Access control using . This panel displays different options: Allow-query,
Allow-query-cache, Allow-transfer and Blackhole.
4. Click on EDIT to change the configuration. The wizard opens, each page corresponds to an
option.
5. Click on NEXT until you reach the access control page that suits your needs, either Allow-
query, Allow-query-cache, Allow-transfer or Allow-update.
6. Configure the ACL according to your needs:
a. Using the drop-down lists Type and Restriction, you can configure as many restrictions
as you need: grant or deny access to networks, IP addresses, ACLs, and keys. Type
contains the following options:

Table 5.5. Restriction and permission parameters

Network address: A way to allow or deny access to an entire network. Specify the IPv4 or IPv6 address of a network following the format <ip-address>/<prefix>.
IP address: A way to allow or deny access to a specific IP address. Specify the IPv4 or IPv6 address of an appliance, user, host...
ACL: The access configuration of an ACL defined at server level; allow or deny access to admin, any, none, localhost, localnets or any custom server ACL. Note that the ACL admin is used by SOLIDserver to configure and exchange data with DNS servers.
TSIG key: The access configuration of a DNS key defined at server level; allow or deny access to any TSIG key available in the panel Keys. For more details, refer to the section Configuring TSIG Keys.

Once a restriction or permission is configured as needed, click on ADD . The entry is
moved to the list ACL values. All denied entries are preceded by an exclamation mark
(!). Keep in mind that the entries order matters, each restriction or permission listed is
reviewed following the order you set. To order the entries, select them one by one and
click on the arrows to move them up or down .
All the entries of the ACL values constitute the content of your ACL.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
b. Click on NEXT .
c. If you have not reached the last page of the wizard, repeat steps 5 and 6 until you have
configured all the access controls that suit your needs.
7. Click on OK to complete the operation. The report opens and closes.
Configuring Rate Limits

You should use Response Rate Limiting (RRL) to throttle the speed at which an authoritative
name server answers queries from a particular IP address.

Many DNS engines support RRL and allow a name server to remember how many times it has
sent the same response to the same querier. You can set a rate threshold; once it is exceeded,
the name server waits for a time before sending a response and, in the meantime, honors
queries from other computers. As a result, the name server never sends responses to a querier
faster than the threshold specifies. The RRL-compliant name server becomes immune to many
types of DDoS attack.

You can configure RRL on EfficientIP DNS servers, EfficientIP DNS Package servers, smart ar-
chitectures or Guardian servers configured with the parameter recursive set to 2.

If you set it on a smart architecture that manages different types of servers, it only applies to the
relevant servers. The settings are ignored by all the servers that do not support it. Note that you
can even configure it on BIND/NSD Hybrid servers; however, the option Log only disables RRL
on NSD servers.

For more details on RRL, refer to the section Limiting the Number of Responses of a Server in
the Administrator Guide.

To limit the number of responses of a server

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel Options using and click on EDIT . The wizard Options configuration
opens.
4. Click on NEXT . The last page opens.
5. In the field Maximum number of responses per second, specify the number of your choice.
This field defines a threshold of responses which, once met, drops all the additional queries
unless you set a Slip value.
The field default value is 0, meaning the option is disabled. You can set a value between 1
and 1000. We recommend that you set the value at 10 or higher.
6. In the field Slip, you can specify a number between 0 and 10. This option makes the server
set an extra bit, the Truncated (TC) bit, in some of its responses, which makes the requestor
resend the query over TCP once it receives the truncated response. The number specified
in the field defines how often the TC bit and TCP are forced.
If the field is empty or set to 0, all the similar queries are dropped. If set to 1, the TC is set
in the response to every query. If set to 2, it is set in the response to every other query. If
set to 3, it is set in the response to every third query, etc.
We recommend that you set the Slip value to 1 because it limits cache poisoning attacks
- it is worthless for attackers performing volumetric or PPS DDoS attacks - and is less CPU
consuming for flooded resolvers.
7. If you are configuring a BIND server, in the section Log only you can tick the box. It allows
you to prevent the rate limiting function from operating and only display in the logs what
would have happened.
On NSD servers, ticking the box disables RRL altogether.
8. Click on OK to complete the operation. The report opens and closes. The configuration is
displayed in the panel.
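As an added illustration (not SOLIDserver's or BIND's implementation), the following Python models the two settings above: identical responses to one client are counted per second, everything beyond Maximum number of responses per second is dropped, and with a Slip value every Slip-th excess response is sent truncated (TC=1) instead, so a genuine client retries over TCP while a spoofed source gets nothing usable. The client addresses and the sample question are constructed; real engines key the limit on a client prefix (BIND uses /24 for IPv4 and /56 for IPv6) rather than a single address, which the model simplifies to one address.

```python
"""Added example (not SOLIDserver or BIND code): a small model of the two RRL
settings the wizard exposes, Maximum number of responses per second and Slip.
Client addresses and the sample question are constructed."""
from collections import defaultdict


class ResponseRateLimiter:
    def __init__(self, responses_per_second: int, slip: int = 0):
        if not 0 <= responses_per_second <= 1000 or not 0 <= slip <= 10:
            raise ValueError("wizard ranges: responses 0-1000, slip 0-10")
        self.rps = responses_per_second   # 0 disables rate limiting, as in the wizard
        self.slip = slip
        self._sent = defaultdict(int)     # (client, response, second) -> responses already sent
        self._excess = defaultdict(int)   # (client, response) -> responses over the threshold

    def decide(self, client: str, response: tuple, now: float) -> str:
        """Return 'answer', 'drop' or 'truncate' for one identical response to one client.
        `response` is the identity of the answer, e.g. (qname, qtype, rcode). BIND groups
        clients by /24 or /56 prefix; this model keys on the single address for brevity."""
        if self.rps == 0:
            return "answer"
        bucket = (client, response, int(now))
        self._sent[bucket] += 1
        if self._sent[bucket] <= self.rps:
            return "answer"
        if self.slip == 0:
            return "drop"                  # empty field or 0: every excess query is dropped
        key = (client, response)
        self._excess[key] += 1
        # Every slip-th excess response is sent with TC=1 so a real client retries over
        # TCP, which a spoofed source cannot complete; the other excess responses are dropped.
        return "truncate" if self._excess[key] % self.slip == 0 else "drop"


def simulate(responses_per_second: int, slip: int, queries: int,
             client: str = "203.0.113.9") -> dict:
    """Send `queries` identical queries from one client within one second and count outcomes."""
    limiter = ResponseRateLimiter(responses_per_second, slip)
    question = ("www.example.com.", "A", "NOERROR")     # constructed response identity
    counts = {"answer": 0, "drop": 0, "truncate": 0}
    for _ in range(queries):
        counts[limiter.decide(client, question, now=0.0)] += 1
    # Another client asking the same question is not affected by the first one's flood.
    counts["other_client"] = limiter.decide("198.51.100.7", question, now=0.0)
    return counts


if __name__ == "__main__":
    for slip in (0, 1, 2):
        print(f"rps=10 slip={slip}:", simulate(10, slip, 25))
```

With the recommended Slip of 1, every excess response becomes a short truncated reply rather than silence, which is what keeps a legitimate client behind a busy NAT working while denying the amplification an attacker is after.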
Configuring Anycast DNS

Anycast DNS is useful if your deployment includes multiple geographically distributed sites. It
improves the service's high availability and reliability by improving the redundancy of the DNS
service. In addition to sharing the workload, this configuration helps mitigate a DDoS attack by
diluting its effects.

When relying on an anycast architecture, DNS clients always query the same IP address(es) but
their packets are routed to the nearest anycast DNS server according to the network topology.
If the closest DNS server is down, the related route is withdrawn and the packets are transparently
re-routed by the network to the nearest available DNS server in the topology.

Before setting up anycast, keep in mind that:

• You should configure anycast IP addresses on loopback interfaces only.
• You must set up the FRR routing protocol suite to build anycast architectures.
• You can configure anycast via the routing protocols OSPF, BGP and/or IS-IS, on recursive
and authoritative DNS servers.
• Once you set up anycast, you can use Bidirectional Forwarding Detection (BFD) to accelerate
fault detection and route withdrawal when a failure is detected on your network.
• SOLIDserver embeds FRRouting (FRR), a routing protocol suite that allows you to set up
anycast architectures. Its configuration is locally stored on the appliance and is automatically
saved in the appliance backup file.
• Once anycast is configured, network routers exchange information with the SOLIDserver
routing daemon in order to route clients' traffic to the nearest DNS server.

For more details on how to set up and use OSPF, IS-IS and BGP routing, refer to the section
Setting up Anycast DNS in the Administrator Guide.

Configuring DNS Guardian

Depending on the license and specificities of your appliance, you may be able to configure
Guardian.

Guardian offers adaptive security to DNS cache and recursive services by detecting threats and
activating adapted counter measures to ensure DNS services continuity and attack mitigation.

Once the service is configured and enabled, you can:

• Manage the parameters and configure your Guardian server.
• Monitor its statistics and manage its cache.
• Manage and deploy policies on your Guardian server. The policy triggers allow you to tailor and
execute specific actions on the querying clients, like redirecting or even blocking them.
• Manage views on your Guardian server.
• Configure lists, gathering domains or client identifiers, and use them in your trigger or view
configurations.
• Configure the Rescue Mode, which allows the server to answer as many queries as possible if
the local DNS server is unable to do so, because of high traffic or during DDoS attacks.

For more details, refer to the part Guardian in the Administrator Guide.
Appendix A. Hardening Checklist
To keep track of the SOLIDserver hardening process, you can print and fill in the checklist below:

Table A.1. SOLIDserver Hardening Checklist

Hardening the access controls
Set the BIOS password on a physical appliance.
Change the iDRAC superuser password on a physical appliance.
Change SOLIDserver SSH administrative password on any appliance.
Secure the system superuser password on any appliance.
Secure the CLI and GUI connection parameters through the registry keys.
Set a CA or self-signed SSL and change the HTTPS certificates.
Ensure firewall rules deny access from any source except those necessary to the appliance purpose.
Ensure only the services necessary to the appliance purpose are running.
Make sure the NetChange network devices passwords are not visible.
Hardening the management infrastructure
Add groups of users.
Grant rights to the groups of users.
Add resources of the groups of users.
Add users and set them as resource of one or more groups.
Configure AD, LDAP and/or RADIUS authentication rules, if relevant.
Configure remote storage for the backup files using SFTP.
Set another appliance in High-Availability as read-only backup for the appliance database.
Encrypt the database.
Hardening the monitoring infrastructure
Secure the SNMP connections so the appliance can query and be queried for statistics.
Add alerts to monitor resources and be notified via SNMP trap and/or email.
Monitor and redirect logs to an external monitoring platform.
Track the sessions and users connecting to the appliance.
Hardening the DNS management
Separate authoritative and recursive resolution.
Use a secure smart architecture to manage your servers.
Prepare Hybrid DNS for a potential switch between DNS engines if need be.
Configure DNSSEC protection to ensure your DNS hierarchy is legitimate.
Configure TSIG keys to protect the communication between SOLIDserver and DNS servers or clients.
Restrict access to recursive servers via DNS ACLs.
Configure rate limit (RRL) on your servers to limit the number of responses.
Configure anycast forwarding.
Configure DNS Guardian, if your license allows it, to set advanced DNS protection.
Appendix B. Matrices of Network Flows
This appendix maps out the network flows that you must open to manage your SOLIDserver
appliance or remotely manage servers. They are detailed in tables divided as follows:
• SOLIDserver network flows.
• IPAM network flows.
• DHCP network flows.
• DNS network flows.
• NetChange network flows.
• Identity Manager network flows.
• Remote Management network flows.

Each flow detail includes its Source IP, Port, Destination IP, Port, Protocol, Service used and
Notes, when relevant. The Source IP and Destination IP may contain the following:

administrator: The computer belonging to a user with administrative rights.
DHCP client: The device querying the DHCP server.
DHCP server: Any DHCP server; the flow must be opened for all servers.
DHCP backup: A server managed in a SOLIDserver smart architecture that has a backup role in your failover configuration.
DHCP master: A server managed in a SOLIDserver smart architecture that has a master role in your failover configuration.
DNS client: The device querying the DNS server.
DNS server: Any DNS server; the flow must be opened for all servers.
DoH client: The device querying the DNS server via DNS over HTTPS.
DoH server: Any DNS server answering queries via DNS over HTTPS; the flow must be opened for all servers.
iDRAC: The integrated Dell Remote Access Controller for SOLIDserver rack hardware appliances of the 4th generation (SOLIDserver-260+) and 5th generation (SOLIDserver-270+).
Kerberos servers: Your Kerberos authentication server.
MS DHCP: A Microsoft DHCP server managed from SOLIDserver.
MS DNS: A Microsoft DNS server managed from SOLIDserver.
Network device: All the routers, switches and/or firewalls whose information you want to retrieve. They must be managed in the module NetChange.
SOLIDserver: Any SOLIDserver appliance.
SOLIDserver Hot Standby: A SOLIDserver appliance configured in High Availability whose role is Hot Standby. As the Hot Standby can be switched to Master, the matrices flows on both HA appliances should be configured the same.
SOLIDserver Management: A SOLIDserver appliance managing another SOLIDserver or any external server or service.
SOLIDserver Master: A SOLIDserver appliance configured in High Availability whose role is Master. The matrices flows on both the Master and Hot Standby appliances should be configured the same.
Windows AD Controller: A Windows AD domain controller that allows your SOLIDserver appliance to retrieve its data in the module Identity Manager.

Matrices of Network Flows

SOLIDserver
Basic Configuration

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| administrator | any | SOLIDserver | 80 | TCP | HTTP | Graphic User Interface (GUI) |
| administrator | any | SOLIDserver | 443 | TCP | HTTPS | Graphic User Interface (GUI) |
| administrator | any | SOLIDserver | 22 | TCP | SSH | Command Line Interface (CLI) |
| SOLIDserver | any | DNS server | 53 | UDP | DNS | DNS resolution, DDNS update |
| SOLIDserver | any | DNS server | 53 | TCP | DNS | DNS resolution, DNS zone transfer |
| SOLIDserver | any | NTP server | 123 | UDP | NTP | Time synchronization |
| SOLIDserver | any | FTP server | 21 | TCP | FTP | Remote archive on an FTP server |
| SOLIDserver | any | SFTP server | 22 | TCP | SFTP | Remote archive on an SFTP server |

External Authentication

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| SOLIDserver | any | LDAP/AD | 389 | TCP | LDAP | LDAP or AD authentication |
| SOLIDserver | any | LDAPS/AD | 636 | TCP | LDAPS | LDAPS or AD authentication |
| SOLIDserver | any | RADIUS | 1812 | UDP | RADIUS | RADIUS authentication |

TFTP and NTP Services

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| TFTP client | any | SOLIDserver | 69 | UDP | TFTP | File transfer |
| NTP client | any | SOLIDserver | 123 | UDP | NTP | NTP server |

Monitoring and Logging

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| Monitoring server | any | SOLIDserver | 161 | UDP | SNMP | SNMP polling |
| SOLIDserver | any | SOLIDserver | 161 | UDP | SNMP | SNMP polling |
| SOLIDserver | any | Monitoring server | 162 | UDP | SNMP | SNMP trap |
| SOLIDserver | any | Log server | 514 | UDP | Syslog | Syslog export |

iDRAC

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| administrator | any | iDRAC | 22 | TCP | SSH | iDRAC SSH |
| administrator | any | iDRAC | 80 | TCP | HTTP | iDRAC GUI |
| administrator | any | iDRAC | 443 | TCP | HTTPS | iDRAC GUI |
| administrator | any | iDRAC | 5900 | TCP | VNC | Virtual Console |


IPAM
Cisco DNA

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| DNA center | any | SOLIDserver | 443 | TCP | HTTPS | Required to configure DNA synchronization |

SPX
RIPE

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| SOLIDserver | any | RIPE database | 43 | TCP | WHOIS | Retrieve RIPE data (Whois) |
| SOLIDserver | any | RIPE database | 80 | TCP | WHOIS | Send data to the RIPE (Whois) |
| SOLIDserver | any | RIPE database | 443 | TCP | HTTPS/POST | Send data to the RIPE directly |

APNIC

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| SOLIDserver | any | APNIC database | 43 | TCP | WHOIS | Retrieve APNIC data (Whois) |
| SOLIDserver | any | APNIC database | 80 | TCP | WHOIS | Send data to the APNIC (Whois) |
| SOLIDserver | any | APNIC database | 443 | TCP | HTTPS/POST | Send data to the APNIC directly |


DHCP
EfficientIP DHCP Servers

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| SOLIDserver Management | any | DHCP server | 443 | TCP | HTTPS | Required to manage an EfficientIP DHCP server on a SOLIDserver appliance |
| DHCP master | any | DHCP backup | 647 | TCP | Failover | Failover channel port on the backup server |
| DHCP backup | any | DHCP master | 847 | TCP | Failover | Failover channel port on the master server |
| DHCP client | 68 | DHCP server | 67 | UDP | DHCP | Required by the service DHCP |
| DHCP server | 67 | DHCP client | 68 | UDP | DHCP | Required by the service DHCP |
| DHCP client | 546 | DHCP server | 547 | UDP | DHCP | Required by the service DHCPv6 |
| DHCP server | 547 | DHCP client | 546 | UDP | DHCP | Required by the service DHCPv6 |
| DHCP client | 68 | Broadcast address | 67 | UDP | DHCP | Required by the DHCP protocol on the local segment |
| DHCP server | - | any | - | ICMP | ICMP | Only if the option ping-check is enabled |

Microsoft Windows DHCP Servers

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| SOLIDserver Management | any | MS DHCP | 135 | TCP | MS RPC | Microsoft Remote Procedure Calls (MS RPC) |
| SOLIDserver Management | any | MS DHCP | 445 | TCP | SMB | MS RPC locator |
| SOLIDserver Management | any | MS DHCP | 49152-65535 (a) | TCP | MS RPC | MS RPC dynamic ports range |
| DHCP client | 68 | MS DHCP | 67 | UDP | DHCP | Required by the service DHCP |
| MS DHCP | 67 | DHCP client | 68 | UDP | DHCP | Required by the service DHCP |
| DHCP client | 68 | Broadcast address | 67 | UDP | DHCP | Required by the DHCP protocol on the local segment |

(a) Stateful firewall configurations do not require a specific rule for dynamic ports. An ephemeral port is used for the session conversation.

Linux Packages
Prerequisite before configuring a Linux Package: configuring DHCP network flows as detailed
in the section EfficientIP DHCP Servers.

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| SOLIDserver Management | any | DHCP server | 443 | TCP | HTTPS | Required to manage the DHCP server on Linux packages |

DHCP Statistics

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| SOLIDserver Management | any | DHCP server | 161 | UDP | SNMP | SNMP v1, v2c and v3 to retrieve the server statistics |


DNS
EfficientIP DNS Servers

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| SOLIDserver Management | any | DNS server | 443 | TCP | HTTPS | Required to manage an EfficientIP DNS server on a SOLIDserver appliance |
| SOLIDserver Management | any | DNS server | 53 | UDP/TCP | DNS | DNS resolution, DDNS update, DNS zone transfer |
| DNS server | any | DNS server | 53 | UDP/TCP | DNS | DNS resolution, DDNS update, DNS zone transfer |
| DNS client | any | DNS server | 53 | UDP/TCP | DNS | DNS resolution |
| SOLIDserver Management | 10000-65535 (a) | DNS server | 2053 | UDP | DNS | DNS notify (optional) |

(a) The port 2053 allows you to speed up zone transfers between SOLIDserver Management and its managed DNS servers.
Keep in mind that not all DNS engines support this functionality; for instance, Microsoft DNS engines do not support it.

Microsoft Windows DNS Servers

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| SOLIDserver Management | any | MS DNS | 135 | TCP | MS RPC | Microsoft Remote Procedure Calls (MS RPC) |
| SOLIDserver Management | any | MS DNS | 445 | TCP | SMB | MS RPC locator |
| SOLIDserver Management | any | MS DNS | 49152-65535 (a) | TCP | MS RPC | MS RPC dynamic ports range |
| SOLIDserver Management | any | MS DNS | 53 | UDP/TCP | DNS | DNS resolution, DDNS update, DNS zone transfer |
| DNS client | any | MS DNS | 53 | UDP/TCP | DNS | DNS resolution |
| MS DNS | any | MS DNS | 53 | UDP/TCP | DNS | DNS resolution, DNS zone transfer |

(a) Stateful firewall configurations do not require a specific rule for dynamic ports. An ephemeral port is used for the session conversation.

Amazon Route 53 Servers

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| SOLIDserver Management | any | AWS Route 53 | 443 | TCP | HTTPS | Required to manage a Route 53 DNS server on Amazon Web Services (AWS) |
| SOLIDserver Management | any | AWS Route 53 | 53 | UDP/TCP | DNS | DNS resolution, DDNS update, DNS zone transfer |


Linux Packages
Prerequisite before configuring a Linux Package: configuring the DNS network flows as detailed
in the section EfficientIP DNS Servers.

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| SOLIDserver Management | any | DNS server | 443 | TCP | HTTPS | Required to manage the DNS server on Linux packages |

DNS Statistics

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| SOLIDserver Management | any | DNS server | 161 | UDP | SNMP | SNMP v1, v2c or v3 to retrieve the statistics of DNS servers on SOLIDserver appliances or Linux Packages |

GSS-TSIG

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| SOLIDserver Management | any | Kerberos servers | 88 | Protocol | Kerberos | Kerberos authentication |

Routing Protocols for Anycast

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| Router's IP(s) | any | SOLIDserver | 179 | TCP | BGP | |
| Router's IP(s) | - | 224.0.0.0/24 | - | OSPF | OSPF | |
| SOLIDserver | - | 224.0.0.0/24 | - | OSPF | OSPF | |
| - | - | - | - | - | IS-IS | |

Guardian
Cache Sharing via Unicast

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| SOLIDserver | any | SOLIDserver | <port set by user> | UDP | Cache Sharing | Guardian cache sharing, via the port of your choice |

Cache Sharing via Multicast

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| Local Network(s) | - | 224.0.0.0/24 | - | IGMP | IGMP | |
| SOLIDserver | - | 224.0.0.0/24 | - | IGMP | IGMP | |


DNS over TCP

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| any | any | SOLIDserver | 5353 | TCP | DNS | The port 5353 is used by Guardian to handle DNS TCP queries. No configuration is required on the network firewall; it is only set in the firewall rules of your local SOLIDserver appliance. |

DoT

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| DNS client | any | DNS server | 853 | TCP | DNS | DNS over TLS required configuration |
| DNS server | 853 | DNS client | any | TCP | DNS | DNS over TLS required configuration |

DoH

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| DoH client | any | DoH server | 443 | TCP | DNS | DNS over HTTPS required configuration |
| DoH server | 443 | DoH client | any | TCP | DNS | DNS over HTTPS required configuration |


NetChange

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| NetChange | any | Network device | 161 | UDP | SNMP | SNMP v1, v2c, v3 |
| NetChange | any | DNS server | 53 | UDP | DNS | DNS resolution |
| NetChange | any | Network device | 22 | TCP | SSH | Save the configuration |
| NetChange | any | Network device | 23 | TCP | SNMP | Save the configuration |


Identity Manager

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| Windows AD Controller | any | SOLIDserver | 5986 | TCP | WEF | Required to retrieve sessions. |


Remote Management
High Availability

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| SOLIDserver Hot Standby | any | SOLIDserver Master | 443 | TCP | HTTPS | Health check |
| SOLIDserver Master | any | SOLIDserver Hot Standby | 443 | TCP | HTTPS | Health check |
| SOLIDserver Hot Standby | any | SOLIDserver Master | 5432 | TCP | PostgreSQL | Replication |
| SOLIDserver Master | any | SOLIDserver Hot Standby | 5432 | TCP | PostgreSQL | Replication |

Remote Management of Other Appliances

| Source IP | Port | Destination IP | Port | Protocol | Service | Notes |
|---|---|---|---|---|---|---|
| SOLIDserver Management | any | SOLIDserver | 443 | TCP | HTTPS | Management of remote SOLIDserver appliances |
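The matrices above are also a baseline for auditing what an appliance actually exposes: anything listening that no matrix row requires is a candidate for closing. The script below is an added example, not EfficientIP code; it encodes a subset of the inbound rows from this appendix, including the rule that both HA members are configured alike, and compares them with a constructed socket listing in the style of `ss -lntu` (the listing format and the feature names are assumptions, not taken from the guide).

```python
# Added example, not EfficientIP code: audit an appliance's listening sockets
# against the inbound rows of the flow matrix. FLOWS is a subset of Appendix B;
# SAMPLE_SS is constructed `ss -lntu`-style input, not real appliance output.
from collections import namedtuple

Flow = namedtuple("Flow", "feature src dst port proto service")
FLOWS = [
    Flow("basic", "administrator", "SOLIDserver", 80, "tcp", "HTTP"),
    Flow("basic", "administrator", "SOLIDserver", 443, "tcp", "HTTPS"),
    Flow("basic", "administrator", "SOLIDserver", 22, "tcp", "SSH"),
    Flow("monitoring", "Monitoring server", "SOLIDserver", 161, "udp", "SNMP"),
    # HA: Master and Hot Standby are configured alike, so both directions appear.
    Flow("ha", "SOLIDserver Master", "SOLIDserver Hot Standby", 443, "tcp", "HTTPS"),
    Flow("ha", "SOLIDserver Master", "SOLIDserver Hot Standby", 5432, "tcp", "PostgreSQL"),
    Flow("ha", "SOLIDserver Hot Standby", "SOLIDserver Master", 443, "tcp", "HTTPS"),
    Flow("ha", "SOLIDserver Hot Standby", "SOLIDserver Master", 5432, "tcp", "PostgreSQL"),
    Flow("dns", "DNS client", "DNS server", 53, "udp", "DNS"),
    Flow("dns", "DNS client", "DNS server", 53, "tcp", "DNS"),
    Flow("identity_manager", "Windows AD Controller", "SOLIDserver", 5986, "tcp", "WEF"),
]
# Destination roles that denote the appliance being audited.
APPLIANCE = {"SOLIDserver", "SOLIDserver Master", "SOLIDserver Hot Standby", "DNS server"}

def required_listeners(features):
    """(proto, port) pairs the matrix requires inbound for the enabled features."""
    return {(f.proto, f.port) for f in FLOWS
            if f.feature in features and f.dst in APPLIANCE}

def parse_listeners(ss_output):
    """Parse `ss -lntu`-style lines (header skipped) into (proto, port) pairs."""
    found = set()
    for line in ss_output.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 5:  # Netid State Recv-Q Send-Q Local:Port Peer:Port
            found.add((cols[0], int(cols[4].rsplit(":", 1)[1])))
    return found

def audit(features, ss_output):
    """Return (unexpected, missing): open-but-unlisted and required-but-closed."""
    need, have = required_listeners(features), parse_listeners(ss_output)
    return sorted(have - need), sorted(need - have)

SAMPLE_SS = """Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    [::]:443           [::]:*
tcp   LISTEN 0      128    0.0.0.0:5432       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:5900       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
"""
```

For an HA appliance with monitoring enabled, `audit({"basic", "monitoring", "ha"}, SAMPLE_SS)` flags TCP 5900 as open without a matching row and TCP 80 as required but not listening.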
