Requirements
Ericom Shield can be deployed in a variety of topologies. The most common use cases are detailed here. The requirements below cover both single-machine and multi-machine deployments.
Requirements for Ericom Shield
Hardware Requirements
Minimum hardware specifications (per Shield server):
- 16GB memory
- 4 core processors
- 64GB disk space
Note
These are the minimum requirements. The recommendation is 8 core processors.
If partitioning is planned (optional for Shield, not mandatory), the recommended sizes for the different partitions are:
- /boot - 0.5 GB
- /var/log - 10GB
- /tmp - 10GB
- / (root) - (including /var/lib) - rest of the disk
Note
Other file systems on the Ubuntu server are not used by or relevant to Shield, and do not require specific disk allocation. They can all be included under the / (root) partition.
For Management nodes, the recommendation is 256GB of disk space.
Note
Ericom Shield supports both horizontal and vertical scaling. Horizontal scaling means adding more machines to the system. Vertical scaling means adding more hardware to the system. A higher spec machine will host more virtual containers and therefore more browser sessions. For further information on scaling and how to determine the exact required hardware per usage, please contact Ericom Shield Professional Services.
Software Requirements
- Linux Ubuntu Server 16.04 or 18.04 (64-bit, not workstation) or CentOS-7.6 (1810) on X86 architecture
- Has a fixed IP Address
- Has SSH server installed
- Has an internet connection (DNS and Proxy settings are configured properly)
- Locale is EN-US
Note
It is recommended to turn on the Ubuntu Security Automatic Updates on the host server. Further details can be found here.
Note
RHEL is also supported. If this is the selected OS, please contact Ericom Shield Professional Services.
Connectivity
Ports
Ericom Shield requires these ports to be open on the network:
From | To | Port | Protocol | Comment |
---|---|---|---|---|
Proxy/ICAP | Shield | 3128 | TCP | Inbound between End-Users/Proxy and Shield |
Proxy/ICAP | Shield | 1344 | TCP | Inbound between End-Users/Proxy and Shield |
Administrator Console | Shield | 8181 | TCP | Inbound between Administrator and any Shield server |
NetData | Shield | 8383 | TCP | Inbound between Administrator and any Shield server |
Speedtest Page | Shield | 8185 | TCP | Inbound between End-Users/Proxy and Shield |
Shield | Shield | 2376 | TCP | Inbound/outbound between any Shield servers, used for Cluster Management |
Shield | Shield | 2377 | TCP | Inbound/outbound between any Shield servers, used for Cluster Management |
Shield | Shield | 4789 | UDP | Inbound/outbound between any Shield servers, used for Cluster Management |
Shield | Shield | 7946 | TCP | Inbound/outbound between any Shield servers, used for Cluster Management |
Shield | Shield | 7946 | UDP | Inbound/outbound between any Shield servers, used for Cluster Management |
Shield - Authentication Proxy | LDAP Server | 389 | TCP | Between Shield and LDAP server |
Shield - Authentication Proxy | LDAPS Server | 636 | TCP | Between Shield and LDAP server |
Shield - Authentication Proxy | AD-Kerberos | 88 | TCP | Required when using Kerberos authentication |
Shield - Authentication Proxy | AD-Kerberos | 88 | UDP | Required when using Kerberos authentication |
Shield | Internet | 80 | TCP | |
Shield | Internet | 443 | TCP | |
Shield | DNS | 53 | TCP | |
Shield | DNS | 53 | UDP | |
Shield | Shield | SSH 22 | TCP | Inbound/outbound between all Shield Nodes |
Browsers Farm | Internet | 25 | TCP | Required when using SMTP for alerts and statistics |
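
A pre-install path check for the Shield-to-Shield TCP rows of the table, added here as an example and not part of Ericom's documentation or tooling. It separates a refused connection (the packet reached the peer, nothing is listening yet) from a timeout (something on the path dropped it). The function names and peer hostnames are assumptions, and the UDP rows are not covered.

```python
import socket
import sys

# Shield-to-Shield TCP rows from the port table. The UDP rows (4789, 7946)
# are left out: a UDP port cannot be confirmed with a connect().
CLUSTER_TCP_PORTS = {22: "SSH", 2376: "Cluster Management",
                     2377: "Cluster Management", 7946: "Cluster Management"}

def tcp_state(host, port, timeout=2.0):
    """Classify one TCP path as 'open', 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # a service accepted the connection
    except ConnectionRefusedError:
        return "closed"          # a reset came back: the packet got through
    except OSError:
        return "filtered"        # timeout, unreachable or unresolvable name

def blocked_paths(peers, ports=CLUSTER_TCP_PORTS, timeout=2.0):
    """(peer, port) pairs that got no answer at all."""
    return [(peer, port) for peer in peers for port in sorted(ports)
            if tcp_state(peer, port, timeout) == "filtered"]

if __name__ == "__main__":
    # Usage (hostnames are placeholders): python3 check_paths.py node2 node3
    peers = sys.argv[1:]
    if not peers:
        sys.exit("usage: check_paths.py PEER [PEER ...]")
    for peer, port in blocked_paths(peers):
        print("{}:{}/tcp blocked ({})".format(peer, port, CLUSTER_TCP_PORTS[port]))
```

A firewall that rejects with a reset also reports as closed, so repeat the check after installation, when the same ports should report open.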
DNS & Subnet
Ericom Shield uses the Linux Host DNS configuration to identify which DNS server to use. Essentially this is the dns-nameservers entry that was defined in /etc/network/interfaces when setting a fixed IP address. If this entry is configured to use an external DNS such as Google, this will result in Shield being unable to resolve any internal names (e.g. server.company.local). It is therefore important to ensure that this entry is configured to use an internal DNS server.
DNS is also important between the server nodes: each node needs to be able to resolve every other server in the cluster. This can be achieved by ensuring that each node is registered with DNS, or by updating the hosts file on each machine.
Shield uses subnet 10.20.0.0/16. If the same range is already in use on the existing network, please contact Ericom Shield Professional Services.
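
A pre-flight check for the two conditions described above, added here as an example and not part of Ericom's documentation or tooling. It lists `dns-nameservers` entries that point outside private address space and local networks that overlap 10.20.0.0/16. Treating "private address" as "internal DNS server" is an approximation, and the sample file contents, interface names and function names are constructed.

```python
import ipaddress
import re

SHIELD_SUBNET = ipaddress.ip_network("10.20.0.0/16")  # range stated on this page

# Constructed sample of /etc/network/interfaces (not from a real host).
SAMPLE_INTERFACES = """\
auto ens160
iface ens160 inet static
    address 192.168.50.21
    netmask 255.255.255.0
    gateway 192.168.50.1
    dns-nameservers 8.8.8.8 192.168.50.2
"""

# Constructed sample of `ip -o -4 addr show` output.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: ens160    inet 192.168.50.21/24 brd 192.168.50.255 scope global ens160
3: tun0    inet 10.20.30.4/24 scope global tun0
"""

def nameservers(interfaces_text):
    """Addresses on every dns-nameservers line, comments ignored."""
    found = []
    for line in interfaces_text.splitlines():
        match = re.match(r"dns-nameservers\s+(.+)", line.split("#", 1)[0].strip())
        if match:
            found += [ipaddress.ip_address(t) for t in match.group(1).split()]
    return found

def external_resolvers(interfaces_text):
    """Resolvers outside private address space, which cannot answer for
    internal names such as server.company.local."""
    return [str(ip) for ip in nameservers(interfaces_text) if not ip.is_private]

def subnet_conflicts(ip_addr_output):
    """Local networks that overlap the range Shield uses."""
    conflicts = []
    for cidr in re.findall(r"\binet (\S+)", ip_addr_output):
        net = ipaddress.ip_network(cidr, strict=False)
        if net.overlaps(SHIELD_SUBNET):
            conflicts.append(str(net))
    return conflicts

if __name__ == "__main__":
    print("external resolvers:", external_resolvers(SAMPLE_INTERFACES))
    print("subnet conflicts:", subnet_conflicts(SAMPLE_IP_ADDR))
```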
SSL & Firewalls
It is highly recommended to disable any security agents running on the Shield servers, e.g. firewalls, SSL decryption etc.
Requirements for CDR Solution
Ericom Shield comes with a cloud-based file sanitization service. It is also possible to use an on-premise factory integrated CDR solution. The following are the requirements for a local file sanitization server.
Hardware Requirements
Minimum hardware specifications (per 10,000 users):
- 16GB memory
- 4 core processors
- 100GB disk space
Note
The file sanitization server must be installed on a dedicated server (physical or virtual).
Software Requirements
One of the following:
- Windows Server 2012R2 with the latest rollups and updates installed
- Windows Server 2016 with the latest updates installed