Before You Begin

Make sure you have met the requirements listed in Prerequisites.

Your Traffic Manager software is primarily controlled through a web-based administration interface served by the Traffic Manager Admin Server. This interface provides the Admin UI, and handles communications with the core Traffic Manager software.

To access the Admin UI, connect to TCP port 9090 on the virtual machine instance, and optionally, connect to port 22 if you require SSH command line access. However, traffic to these ports is blocked by EC2's default firewall rules.

To access the Admin UI or command line, you must create a new EC2 Security Group that allows traffic for these ports to pass through the firewall. You only need to create the security group once, but you must remember to apply it every time you launch a new virtual machine instance. With EC2-Classic, a security group cannot be added to a virtual machine instance after it is launched.

The following example shows how you can use Amazon's command line tools to create a security group called vtm-admin-server, which permits connections to the specified ports from any address in the 131.111.0.0/16 subnet:

ec2-create-group vtm-admin-server -d "Virtual Traffic Manager Admin Server"

ec2-authorize vtm-admin-server -P tcp -p 9090 -s 131.111.0.0/16

and, optionally, for SSH access:

ec2-authorize vtm-admin-server -P tcp -p 22 -s 131.111.0.0/16

The above arguments are used for example purposes only. You should specify your own security group and subnet when running these commands. However, ports 9090 and 22 should be used in all cases.

Intercluster communications must also be enabled, using the same method. To allow a Traffic Manager cluster to operate within a single EC2 region, use the following commands:

ec2-authorize vtm-admin-server -o vtm-admin-server -u <AWS Account Number> -P tcp -p 9090

ec2-authorize vtm-admin-server -o vtm-admin-server -u <AWS Account Number> -P udp -p 9090

ec2-authorize vtm-admin-server -o vtm-admin-server -u <AWS Account Number> -P tcp -p 9080

ec2-authorize vtm-admin-server -o vtm-admin-server -u <AWS Account Number> -P udp -p 9080

These commands ensure that the vtm-admin-server security group opens TCP and UDP ports 9090 and 9080 only to connections from other instances that are also in the vtm-admin-server group and were launched under the specified <AWS Account Number>.

In addition, Pulse Secure Virtual Web Application Firewall (vWAF) users must run the following commands to authorize communication with the vWAF user interface and system processes:

ec2-authorize vtm-admin-server -o vtm-admin-server -u <AWS Account Number> -P tcp -p 8083

ec2-authorize vtm-admin-server -o vtm-admin-server -u <AWS Account Number> -P tcp -p 8086

ec2-authorize vtm-admin-server -o vtm-admin-server -u <AWS Account Number> -P tcp -p <AdminMasterPort>

ec2-authorize vtm-admin-server -o vtm-admin-server -u <AWS Account Number> -P tcp -p <AdminSlavePort>

ec2-authorize vtm-admin-server -o vtm-admin-server -u <AWS Account Number> -P tcp -p <UpdaterSlavePort>

For these commands, <AdminMasterPort> (default value 11000), <AdminSlavePort> (default value 11002), and <UpdaterSlavePort> (default value 11007) refer to configurable ports listed on the System > Application Firewall page in the Admin UI. If you make changes to any of these settings in the Admin UI or through one of the Traffic Manager external APIs, you must also update your security group settings accordingly.

If you want to use the REST API, you must allow connections to the TCP port used by the Traffic Manager REST service (the default port is 9070):

ec2-authorize vtm-admin-server -o vtm-admin-server -u <AWS Account Number> -P tcp -p 9070

If you have multiple Traffic Manager clusters spanning multiple EC2-Classic regions or VPCs, you must open the cluster ports to hosts connecting from the Internet by using the following commands:

ec2-authorize vtm-admin-server -P tcp -p 9090 -s 0.0.0.0/0

ec2-authorize vtm-admin-server -P udp -p 9090 -s 0.0.0.0/0

ec2-authorize vtm-admin-server -P tcp -p 9080 -s 0.0.0.0/0

ec2-authorize vtm-admin-server -P udp -p 9080 -s 0.0.0.0/0

Multiple Traffic Manager clusters are typically managed by the Traffic Manager’s multi-site cluster management feature. For more information about this feature, see the Pulse Secure Virtual Traffic Manager: User’s Guide.

If your security policy requires it, you can limit these authorizations to the subnets corresponding to the different EC2 regions used, rather than 0.0.0.0/0 as used in the examples above. However, there is a risk that new instances may start up in alternative subnets and thus be unable to communicate with the cluster.
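The admin security group procedure above, collected into one shell function so the complete rule set can be reviewed before any of it is applied. This is an added example, not from the Pulse Secure guide or the ec2-api-tools; the account number 123456789012 is a constructed placeholder, and VTM_WAF_PORTS and VTM_MULTI_REGION are environment variable names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the Pulse Secure guide: prints the ec2-api-tools commands
# for the vtm-admin-server group described above as one reviewable rule set.
# Assumes ec2-api-tools are on PATH with EC2 credentials in the environment when
# the printed commands are later applied; this script itself only prints them.
# vtm_admin_sg_rules GROUP ADMIN_SUBNET AWS_ACCOUNT
# Optional environment (names chosen for this example):
#   VTM_WAF_PORTS="<AdminMasterPort> <AdminSlavePort> <UpdaterSlavePort>" adds the vWAF rules
#   VTM_MULTI_REGION=1 adds the Internet-wide cluster rules for multi-region clusters
vtm_admin_sg_rules() {
    grp=$1; subnet=$2; acct=$3
    echo "ec2-create-group $grp -d \"Virtual Traffic Manager Admin Server\""
    # Admin UI and SSH: reachable only from the administrative subnet.
    echo "ec2-authorize $grp -P tcp -p 9090 -s $subnet"
    echo "ec2-authorize $grp -P tcp -p 22 -s $subnet"
    # Intra-cluster traffic: source is the group itself (-o) within this account (-u),
    # so instances outside the group or the account cannot reach the cluster ports.
    for proto in tcp udp; do
        for port in 9090 9080; do
            echo "ec2-authorize $grp -o $grp -u $acct -P $proto -p $port"
        done
    done
    # REST API on its default port, cluster-internal only.
    echo "ec2-authorize $grp -o $grp -u $acct -P tcp -p 9070"
    # vWAF UI and system processes, only when the three configurable ports are given.
    if [ -n "${VTM_WAF_PORTS:-}" ]; then
        for port in 8083 8086 $VTM_WAF_PORTS; do
            echo "ec2-authorize $grp -o $grp -u $acct -P tcp -p $port"
        done
    fi
    # Clusters spanning regions or VPCs must accept cluster traffic from any address.
    if [ "${VTM_MULTI_REGION:-0}" = 1 ]; then
        for proto in tcp udp; do
            for port in 9090 9080; do
                echo "ec2-authorize $grp -P $proto -p $port -s 0.0.0.0/0"
            done
        done
    fi
}

# vtm_world_exposed RULES: lists every rule that opens a port to 0.0.0.0/0 so each
# one can be confirmed as intentional before applying; exits 1 when there are none.
vtm_world_exposed() {
    printf '%s\n' "$1" | grep -- '-s 0\.0\.0\.0/0'
}

# Print the rule set for review (123456789012 is a constructed placeholder account);
# pipe the output into sh to apply it once it has been checked.
vtm_admin_sg_rules vtm-admin-server 131.111.0.0/16 123456789012
```

Setting VTM_WAF_PORTS to the three values shown on the System > Application Firewall page keeps the security group in step with the Admin UI settings the text says must match.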

You also need to open ports for each virtual server you create on your Traffic Manager. For instance, the following command creates a group that allows traffic to HTTP (port 80) and HTTPS (port 443) servers from any Internet address:

ec2-create-group http-https -d "HTTP and HTTPS servers"

ec2-authorize http-https -p 80

ec2-authorize http-https -p 443

You can also create security groups using graphical management tools. In ElasticFox, security groups are managed in the Security Groups tab. In Amazon's AWS management console, click the Security Groups link in the Networking & Security section of the Navigation panel.