Appendix B: Ivanti Policy Secure CloudFormation Template
Ivanti, Inc. provides sample CloudFormation template files to deploy the Ivanti Policy Secure Virtual Appliance on AWS. Users can modify these to suit their needs. Visit https://www.ivanti.com and download the pulsesecure-IPS-3-nics.zip file, then unzip it to get pulsesecure-IPS-3-nics-new-network.json.
This template creates a new Ivanti Policy Secure with 3 NICs, a VPC, four subnets, security group policies attached to the Ivanti Policy Secure internal, external and management subnets, and user-defined routes on the Ivanti Policy Secure internal subnet to ensure Ivanti Policy Secure is used as the default gateway for the L3 tunnel. All 3 NICs of Ivanti Policy Secure are configured with dynamic IP configuration and have IP forwarding enabled. Public IPs are attached to the Ivanti Policy Secure external and management NICs.
The template has the following sections:
- Parameters: This section defines the parameters used for deploying Ivanti Policy Secure on AWS. It contains the parameter name, its default value, and the help text displayed when the mouse is placed over the parameter in the AWS web portal. The parameters defined here are displayed on the Custom Deployment page of the AWS portal.
- Resources: This section defines the resource types that are deployed or updated in a resource group.
- Outputs: This section defines the public IP address, private IP address, and primary private IP address returned after successful deployment of Ivanti Policy Secure on AWS.
Parameters
Key Name: This is the name of the Ivanti Policy Secure Storage Account where the Ivanti Policy Secure VA image (.ami file) is stored.
"Parameters" : {
    "KeyName": {
        "Type": "AWS::EC2::KeyPair::KeyName",
        "Default": "",
        "AllowedPattern" : "[-_ a-zA-Z0-9]*",
        "Description": "Name of an existing EC2 KeyPair. Your IPS will launch with this KeyPair.",
        "ConstraintDescription": "Must be the name of an existing EC2 KeyPair."
    },
Ivanti Policy Secure Image AMI ID: This is the ID of the uploaded AMI file.
    "IPSImageAMIId" : {
        "Type" : "String",
        "Description" : "AMI ID of your existing IPS image"
    },
Instance Type: This specifies the size of the instance – t2.medium or t2.large
    "InstanceType": {
        "Description": "Select IPS instance type",
        "Type": "String",
        "Default": "t2.medium",
        "AllowedValues": [
            "t2.medium",
            "t2.xlarge",
            "t2.2xlarge"
        ],
        "ConstraintDescription": "Must be an allowed EC2 instance type."
    },
Ivanti Policy Secure Config Data: This section contains the provisioning parameters that are required during deployment of a Virtual Appliance. An XML-based configuration file can be hosted on another Virtual Machine in the AWS cloud, or in the corporate network, which Ivanti Policy Secure can reach through a site-to-site VPN between AWS and the corporate data center.
Ivanti Policy Secure accepts the following parameters as provisioning parameters:
- primary-dns
- secondary-dns
- wins-server
- dns-domain
- admin-username
- admin-password
- cert-common-name
- cert-random-text
- cert-organization
- config-download-url
- config-data
- auth-code-license
- enable-license-server
- accept-license-agreement
- enable-rest
For details about these parameters, see Ivanti Policy Secure Provisioning Parameters.
    "IPSConfigData" : {
        "Type" : "String",
        "Description" : "IPS config data",
        "Default" : "<pulse-config><wins-server>1.1.1.1</wins-server><dns-domain>psecure.net</dns-domain><admin-username>admin</admin-username><admin-password>password1234</admin-password><cert-common-name>va1.psecure.net</cert-common-name><cert-random-text>fdsfpisonvsfnms</cert-random-text><cert-organisation>Psecure Org</cert-organisation><config-download-url></config-download-url><config-data></config-data><auth-code-license></auth-code-license><enable-license-server>n</enable-license-server><accept-license-agreement>y</accept-license-agreement></pulse-config>"
    },
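The IPSConfigData default above is hand-written XML embedded in a JSON string, so a password containing XML metacharacters would corrupt the document, and the sample values in it (`password1234`, the fixed `cert-random-text`) are placeholders that must be replaced before deployment. The following Python helper is an added example, not code from Ivanti or from the template: it builds the `<pulse-config>` string from a dict with proper escaping, rejects parameter names outside the list above, and refuses the sample placeholder values. The element names and sample values come from this appendix; the function and constant names are the example's own.

```python
import xml.etree.ElementTree as ET

# Provisioning parameter names accepted by Ivanti Policy Secure, as listed in
# this appendix. Anything else is rejected before it reaches the template.
ALLOWED_PARAMS = {
    "primary-dns", "secondary-dns", "wins-server", "dns-domain",
    "admin-username", "admin-password", "cert-common-name", "cert-random-text",
    "cert-organization", "config-download-url", "config-data",
    "auth-code-license", "enable-license-server", "accept-license-agreement",
    "enable-rest",
}

# Values that appear as defaults in the sample template; a real deployment
# must not ship with them, so build_config_data refuses them.
PLACEHOLDER_VALUES = {"password1234", "fdsfpisonvsfnms"}


def build_config_data(params):
    """Serialise a dict of provisioning parameters as the <pulse-config> string
    expected by the IPSConfigData parameter.

    An XML builder is used instead of string concatenation so that a value
    containing '<', '&' or '>' is escaped rather than breaking the document.
    Raises ValueError on unknown parameter names or leftover sample defaults.
    """
    unknown = set(params) - ALLOWED_PARAMS
    if unknown:
        raise ValueError(f"unknown provisioning parameter(s): {sorted(unknown)}")
    leftover = {name for name, value in params.items() if value in PLACEHOLDER_VALUES}
    if leftover:
        raise ValueError(f"sample-template placeholder value still set for: {sorted(leftover)}")

    root = ET.Element("pulse-config")
    for name, value in params.items():
        ET.SubElement(root, name).text = value
    # encoding="unicode" returns a str without an XML declaration, which is
    # what the template's "Default" string looks like.
    return ET.tostring(root, encoding="unicode")


def parse_config_data(xml_text):
    """Inverse of build_config_data: returns {name: value} from a <pulse-config> string."""
    root = ET.fromstring(xml_text)
    if root.tag != "pulse-config":
        raise ValueError("not a <pulse-config> document")
    return {child.tag: (child.text or "") for child in root}


if __name__ == "__main__":
    # Constructed sample input; the password deliberately contains XML metacharacters.
    sample = {
        "dns-domain": "psecure.net",
        "admin-username": "admin",
        "admin-password": "S3cret<&>pw",
        "cert-common-name": "va1.psecure.net",
        "cert-organization": "Psecure Org",
        "accept-license-agreement": "y",
        "enable-license-server": "n",
    }
    print(build_config_data(sample))
```

Note that the parameter list above spells the organisation element `cert-organization` while the template default uses `cert-organisation`; `ALLOWED_PARAMS` follows the list, so confirm the spelling the appliance expects in the Provisioning Parameters reference before relying on this check.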
VPC CIDR: A valid CIDR range of the form x.x.x.x/x for the entire VPC.
    "VPCCIDR": {
        "Description": "CIDR block for entire VPC.",
        "Type": "String",
        "Default": "10.200.0.0/16",
        "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
        "ConstraintDescription": "Must be a valid CIDR range of the form x.x.x.x/x."
    },
Internal Subnet CIDR: The subnet from which the Ivanti Policy Secure internal interface leases its IP address.
    "InternalSubnetCIDR": {
        "Description": "IPS internal interface connects to this subnet",
        "Type": "String",
        "Default": "10.200.11.0/24",
        "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
        "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/x"
    },
External Subnet CIDR: The subnet from which the Ivanti Policy Secure external interface leases its IP address.
    "ExternalSubnetCIDR": {
        "Description": "IPS external interface connects to this subnet",
        "Type": "String",
        "Default": "10.200.12.0/24",
        "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
        "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/x"
    },
Management Subnet CIDR: The subnet from which the Ivanti Policy Secure management interface leases its IP address.
    "ManagementSubnetCIDR": {
        "Description": "IPS management interface connects to this subnet",
        "Type": "String",
        "Default": "10.200.13.0/24",
        "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
        "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/x"
    }
},
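CloudFormation checks the four CIDR parameters only against the AllowedPattern regex above, which accepts any dotted quad with a prefix length. A subnet outside the VPC range, two subnets that overlap, or a value with host bits set all pass the pattern and fail only later, when the AWS::EC2::Subnet resources are created. The following Python check is an added example and not part of the template: it applies the template's own regex and then the containment and overlap checks the regex cannot express. The parameter names and default values are the ones above; the function name is the example's own.

```python
import ipaddress
import re

# AllowedPattern from the template (the same string is used on all four CIDR
# parameters). CloudFormation applies it to the parameter's syntax only.
CIDR_PATTERN = re.compile(
    r"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}"
    r"([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$"
)


def check_network_parameters(vpc_cidr, subnets):
    """Validate the VPCCIDR and *SubnetCIDR parameters before create-stack.

    `subnets` maps parameter name -> CIDR string. Returns a list of problem
    strings; an empty list means the values are deployable. Checks, in order:
      1. each value matches the template's AllowedPattern;
      2. each value is a proper network address (host bits zero);
      3. each subnet lies inside the VPC;
      4. no two subnets overlap.
    Checks 2-4 are what the regex cannot express.
    """
    problems = []
    parsed = {}
    for name, value in {"VPCCIDR": vpc_cidr, **subnets}.items():
        if not CIDR_PATTERN.match(value):
            problems.append(f"{name}: {value!r} does not match AllowedPattern")
            continue
        try:
            # strict=True rejects e.g. 10.200.11.1/24, which the regex accepts
            parsed[name] = ipaddress.ip_network(value, strict=True)
        except ValueError:
            problems.append(f"{name}: {value!r} has host bits set")
    vpc = parsed.get("VPCCIDR")
    if vpc is None:
        return problems
    names = [n for n in subnets if n in parsed]
    for n in names:
        if not parsed[n].subnet_of(vpc):
            problems.append(f"{n}: {parsed[n]} is not inside VPCCIDR {vpc}")
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                problems.append(f"{a} and {b} overlap ({parsed[a]} / {parsed[b]})")
    return problems


if __name__ == "__main__":
    # Template defaults from this appendix: expected to pass cleanly.
    defaults = {
        "InternalSubnetCIDR": "10.200.11.0/24",
        "ExternalSubnetCIDR": "10.200.12.0/24",
        "ManagementSubnetCIDR": "10.200.13.0/24",
    }
    print(check_network_parameters("10.200.0.0/16", defaults))
    # Constructed bad input: passes the regex, would fail at subnet creation.
    bad = dict(defaults, ManagementSubnetCIDR="10.201.13.0/24")
    for problem in check_network_parameters("10.200.0.0/16", bad):
        print("problem:", problem)
```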
Resources
VPC:
    "VPC" : {
        "Type" : "AWS::EC2::VPC",
IntSubnet: This block creates the subnet that is attached to the Ivanti Policy Secure internal interface.
    "IntSubnet" : {
        "Type" : "AWS::EC2::Subnet",
ExtSubnet: This block creates the subnet that is attached to the Ivanti Policy Secure external interface.
    "ExtSubnet" : {
        "Type" : "AWS::EC2::Subnet",
MgmtSubnet: This block creates the subnet that is attached to the Ivanti Policy Secure management interface.
    "MgmtSubnet" : {
        "Type" : "AWS::EC2::Subnet",
InternetGateway:
    "InternetGateway" : {
        "Type" : "AWS::EC2::InternetGateway",
AttachGateway:
    "AttachGateway" : {
        "Type" : "AWS::EC2::VPCGatewayAttachment",
PublicSubnetRouteTable:
    "PublicSubnetRouteTable" : {
        "Type" : "AWS::EC2::RouteTable",
PublicSubnetRoute:
    "PublicSubnetRoute" : {
        "Type" : "AWS::EC2::Route",
ExtSubnetRouteTableAssociation:
    "ExtSubnetRouteTableAssociation" : {
        "Type" : "AWS::EC2::SubnetRouteTableAssociation",
MgmtSubnetRouteTableAssociation:
    "MgmtSubnetRouteTableAssociation" : {
        "Type" : "AWS::EC2::SubnetRouteTableAssociation",
EIP1:
    "EIP1" : {
        "Type" : "AWS::EC2::EIP",
EIPAssoc1:
    "EIPAssoc1" : {
        "Type" : "AWS::EC2::EIPAssociation",
EIP2:
    "EIP2" : {
        "Type" : "AWS::EC2::EIP",
EIPAssoc2:
    "EIPAssoc2" : {
        "Type" : "AWS::EC2::EIPAssociation",
IPSvExternalSecurityGroup:
    "IPSvExternalSecurityGroup": {
        "Type": "AWS::EC2::SecurityGroup",
IPSvInternalSecurityGroup:
    "IPSvInternalSecurityGroup": {
        "Type": "AWS::EC2::SecurityGroup",
IPSvManagementSecurityGroup:
    "IPSvManagementSecurityGroup": {
        "Type": "AWS::EC2::SecurityGroup",
EC2Instance:
    "EC2Instance" : {
        "Type" : "AWS::EC2::Instance",
Eth0:
    "Eth0" : {
        "Type" : "AWS::EC2::NetworkInterface",
Eth1:
    "Eth1" : {
        "Type" : "AWS::EC2::NetworkInterface",
Eth2:
    "Eth2" : {
        "Type" : "AWS::EC2::NetworkInterface",
Outputs
The Outputs section defines the public IP address, private IP address and primary private IP address that are displayed on successful deployment of Ivanti Policy Secure on AWS. Only the external and management interfaces have an Elastic IP (EIP1 and EIP2), so the internal interface output reports its private address only.
"Outputs" : {
    "InstanceId" : {
        "Value" : { "Ref" : "EC2Instance" },
        "Description" : "Instance Id of newly created instance"
    },
    "ManagementAddress" : {
        "Value" : { "Fn::Join" : [" ", [ "Public IP address:", { "Ref" : "EIP2" }, "Private IP address:", { "Fn::GetAtt" : ["Eth2", "PrimaryPrivateIpAddress"] }]]},
        "Description" : "IPS Management Interface details"
    },
    "ExternalAddress" : {
        "Value" : { "Fn::Join" : [" ", [ "Public IP address:", { "Ref" : "EIP1" }, "Private IP address:", { "Fn::GetAtt" : ["Eth1", "PrimaryPrivateIpAddress"] }]]},
        "Description" : "IPS External Interface details"
    },
    "InternalAddress" : {
        "Value" : { "Fn::Join" : [" ", [ "Private IP address:", { "Fn::GetAtt" : ["Eth0", "PrimaryPrivateIpAddress"] }]]},
        "Description" : "IPS Internal Interface details"
    }
}
}
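Every `Ref` and `Fn::GetAtt` in the Outputs section must name a Parameter or Resource declared in the template (or a CloudFormation pseudo parameter). An output that refers to an undeclared logical ID, for example an Elastic IP the template never creates, is rejected by CloudFormation only at validation time, after the template has been edited and uploaded. The following Python checker is an added example, not part of the Ivanti template: it walks a loaded template and lists dangling references. `SAMPLE_TEMPLATE` is a constructed, cut-down template that declares only `EIP1` and `EIP2` but references `EIP0` from `InternalAddress`; the function names are the example's own.

```python
import json

# Pseudo parameters are valid Ref targets without being declared in the template.
PSEUDO_PARAMETERS = {
    "AWS::AccountId", "AWS::NotificationARNs", "AWS::NoValue", "AWS::Partition",
    "AWS::Region", "AWS::StackId", "AWS::StackName", "AWS::URLSuffix",
}

# Constructed sample modelled on the Resources and Outputs sections above:
# resources EIP1/EIP2 exist, but InternalAddress refers to a non-existent EIP0.
SAMPLE_TEMPLATE = json.loads("""
{
  "Parameters": { "KeyName": { "Type": "AWS::EC2::KeyPair::KeyName" } },
  "Resources": {
    "EIP1": { "Type": "AWS::EC2::EIP" },
    "EIP2": { "Type": "AWS::EC2::EIP" },
    "Eth0": { "Type": "AWS::EC2::NetworkInterface" },
    "EC2Instance": { "Type": "AWS::EC2::Instance",
                     "Properties": { "KeyName": { "Ref": "KeyName" } } }
  },
  "Outputs": {
    "InstanceId": { "Value": { "Ref": "EC2Instance" } },
    "ExternalAddress": { "Value": { "Ref": "EIP1" } },
    "InternalAddress": { "Value": { "Fn::Join": [" ", [ "Public IP address:", { "Ref": "EIP0" },
                         "Private IP address:", { "Fn::GetAtt": ["Eth0", "PrimaryPrivateIpAddress"] } ] ] } }
  }
}
""")


def _walk(node, path, found):
    """Collect (json_path, logical_id) for every Ref and Fn::GetAtt under node."""
    if isinstance(node, dict):
        if set(node) == {"Ref"} and isinstance(node["Ref"], str):
            found.append((path, node["Ref"]))
        elif set(node) == {"Fn::GetAtt"}:
            target = node["Fn::GetAtt"]
            # Both ["Logical", "Attr"] and "Logical.Attr" forms are handled.
            logical = target[0] if isinstance(target, list) else str(target).split(".", 1)[0]
            found.append((path, logical))
        else:
            for key, value in node.items():
                _walk(value, f"{path}/{key}", found)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            _walk(value, f"{path}[{index}]", found)


def dangling_references(template):
    """Return [(json_path, logical_id)] for Ref/GetAtt targets that are neither a
    declared Parameter or Resource nor a pseudo parameter."""
    declared = (set(template.get("Parameters", {}))
                | set(template.get("Resources", {}))
                | PSEUDO_PARAMETERS)
    found = []
    _walk(template, "", found)
    return [(path, logical_id) for path, logical_id in found if logical_id not in declared]


if __name__ == "__main__":
    for path, logical_id in dangling_references(SAMPLE_TEMPLATE):
        print(f"dangling reference to {logical_id!r} at {path}")
```

Run it against the downloaded pulsesecure-IPS-3-nics-new-network.json (after `json.load`) before `aws cloudformation create-stack`; an empty result means every reference resolves to something the template declares.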