Before You Begin
Make sure you have met the requirements listed in Prerequisites.
Your Traffic Manager software is primarily controlled through a Web-based administration interface served by the Traffic Manager Admin Server. This interface provides the Admin UI, and handles communications with the core Traffic Manager software.
To access the Admin UI, you connect to TCP port 9090 on the external IP address of the virtual machine instance. However, traffic to most ports is blocked by default in GCE's firewall rules and must be explicitly enabled through the creation of new firewall rules.
The Traffic Manager also requires additional ports to be made accessible in certain situations. The following table lists all ports and their use:
Port | Protocol | Reason
--- | --- | ---
9090 | TCP + UDP | For Web-based Admin UI access and intercluster communication.
22 | TCP | For SSH command line access. Port 22 is allowed by default in GCE, though Ivanti recommends restricting access through suitable firewall rules to prevent unauthorized access. To further prevent unauthorized SSH intrusion to specific instances, Ivanti recommends enabling the SSH intrusion prevention feature during initial configuration. For more details, see Setting System Security.
9080 | TCP + UDP | For intercluster communications between multiple Traffic Manager instances when one or more instances are outside the GCE network. For example, where multiple Traffic Manager clusters are managed by the Traffic Manager’s multi-site cluster management feature. For more information about this feature, see the Pulse Secure Virtual Traffic Manager: User’s Guide.
9070 | TCP | Access to the Traffic Manager REST API.
8083, 8086, 11000, 11002, 11007 | TCP | Required for Pulse Secure Virtual Web Application Firewall internal communications. Typically, instances within the same GCE network do not require these ports to be enabled through firewall rules. However, where you are managing multiple Traffic Managers across different networks, such firewall rules must be created.
The ports given in this table are the default values and can be modified through the Admin UI after you have completed initial configuration of your Traffic Manager software. You should ensure you update your firewall rules if you modify any of the ports shown. For more details, see the Pulse Secure Virtual Traffic Manager: User’s Guide.
ATTENTION
Further to the above, you must also create firewall rules applicable to any services you intend to configure in the Traffic Manager, if such services use ports or protocols not already allowed within GCE.
To create a firewall rule, use either the GCE management console or the “gcloud compute” command line API.
To create firewall rules in the GCE console
1. Log in to GCE (https://cloud.google.com) and click My console.
2. In the navigation bar, click Networking > Firewall rules.
3. To add a new firewall rule, click New firewall rule.
4. Type a name for your rule, and optionally type a description.
5. Select the network you want this rule to apply to.
6. For Source filter, select “IP range” and then type the IP address range you want this rule to apply to.
If you also need to add Source tags to this rule, to determine which instances outbound traffic is allowed from, use the gcloud compute API method described later in this section instead.
7. Choose the protocol and port that you want to allow through the firewall.
8. Type a target tag name for this rule, if applicable. When a tag is applied to a virtual machine instance, the instance allows inbound connections in accordance with all firewall rules marked with that tag.
9. Click Create to create the rule.
For full details of each field and applicable values, see the Google Cloud Platform Help documentation. Click the question-mark icon in the title bar to access the help.
To create firewall rules using the gcloud compute API
•To create a new firewall rule, execute the following command:
gcloud compute firewall-rules create <name> [--network <network>] --allow <protocol>:<port> --source-ranges <ip_network> --source-tags <tag1>[,<tag2>,...] --target-tags <tag1>[,<tag2>,...]
Substitute the variables in angled brackets (<>) with your desired settings:
•<name>: The firewall rule name.
•<network>: (optional) The GCE network this rule should apply to. If you are operating within a single GCE network, no value is necessary here so you can leave this argument out.
•<protocol>: The protocol to allow. Typically “TCP” or “UDP”.
•<port>: The port to allow.
•<ip_network>: The IP address range from which traffic is allowed. “0.0.0.0/0” enables all IP addresses for the given protocol and port.
•<tag1>,<tag2>,...: The source and target tags to associate with this rule. Set a source tag to control whether outbound traffic is allowed from Traffic Manager instances using this tag, and set a target tag to control whether Traffic Manager instances using this tag can accept inbound traffic.
•To confirm that your firewall rule has been successfully added, use the following command:
gcloud compute firewall-rules list
To learn more about the gcloud compute API, see https://cloud.google.com/sdk/gcloud.
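The following script is an added example, not Ivanti/Pulse Secure code: it turns the port table above into a set of gcloud firewall-rules commands for a single-network deployment, keeping the operator-facing ports (Admin UI, SSH, REST API) limited to an administrative address range while the cluster-internal ports are opened only between tagged instances. The network name vtm-net, the range 203.0.113.0/24 and the tag vtm are placeholders you would replace.

```shell
#!/bin/sh
# Added example, not Ivanti/Pulse Secure code: emit (or run) the gcloud
# commands that open the Traffic Manager ports listed in the table above
# for a single-network deployment. Placeholders: network "vtm-net", admin
# range 203.0.113.0/24, and the tag "vtm" carried by every instance.

# Ivanti recommends restricting admin access; refuse an any-address range
# for the Admin UI, SSH and REST API rather than silently opening them.
check_admin_cidr() {
    case "$1" in
        0.0.0.0/0|::/0) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one "gcloud compute firewall-rules create" line per rule.
# $1 = GCE network, $2 = admin source range (CIDR), $3 = instance tag
vtm_firewall_cmds() {
    net=$1; admin=$2; tag=$3
    check_admin_cidr "$admin" || { echo "refusing open admin range: $admin" >&2; return 1; }
    # Operator-facing ports: reachable only from the admin range.
    for spec in "admin-ui tcp:9090,udp:9090" "ssh tcp:22" "rest-api tcp:9070"; do
        set -- $spec   # $1 = rule suffix, $2 = --allow value
        printf 'gcloud compute firewall-rules create vtm-%s --network %s --allow %s --source-ranges %s --target-tags %s\n' \
            "$1" "$net" "$2" "$admin" "$tag"
    done
    # Cluster-internal ports: only instances carrying the tag may reach
    # them, so no address range is opened. Peers outside this network
    # would need --source-ranges with their addresses instead.
    for spec in "cluster tcp:9090,udp:9090" "waf tcp:8083,tcp:8086,tcp:11000,tcp:11002,tcp:11007"; do
        set -- $spec
        printf 'gcloud compute firewall-rules create vtm-%s --network %s --allow %s --source-tags %s --target-tags %s\n' \
            "$1" "$net" "$2" "$tag" "$tag"
    done
}

# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them and
# then lists the resulting rules, as the procedure above does.
main() {
    cmds=$(vtm_firewall_cmds "${VTM_NETWORK:-vtm-net}" "${VTM_ADMIN_CIDR:-203.0.113.0/24}" "${VTM_TAG:-vtm}") || exit 1
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$cmds"
    else
        printf '%s\n' "$cmds" | sh -e
        gcloud compute firewall-rules list
    fi
}
main "$@"
```

Review the printed commands before running with DRY_RUN=0; if you later change any default port in the Admin UI, adjust the --allow values here to match.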