Installation of onprem Incontrol in a hardened environment / configuration of fusion hubs

Hi,

I am hoping that my question is not too “noob” or I have overseen something in the manuals.

A customer of mine wants to use peplink routers in a lager scale.
We are talking here roughly about 250-300 routers in the field.

Unfortunately, due to security concerns, it’s not allowed to use the cloud hosted Incontrol.

I have already deployed the Incontrol on premise version with in our network, which at least boots and configures the database.

Afterwards the struggle starts.

  1. Due the hardened enviroment I have to pin all needed external ip addresses for incontrol.
    I have found the following : https://download.peplink.com/resources/ip_addresses.json
    Does this list is also applicable for the selfhosted incontrol or are there any additonal ressoruces needed?

  2. There is no “free” internet access within the enviroment.
    I have to configure a proxy server if somekind off http traffic needs to reach some sites / apis
    Is there a way to configure outbound proxy servers within incontrol?

  3. Privat incontrol instance on devices (fusionhubs and routers)
    If I enable the option that there is a private incontrol instance, what i need to configure here as “target” ? Is it also possible to use the IP addresses?
    Which of the following two would be the right apporach for the routers:

  • External IP of Incontrol
  • External DNS name
    What about the internaly hosted fusionhubs?
  • Internal IP of incontrol (same subnet)
  • External IP of Incontrol
  • External DNS name

Is there maybe somkind of howto / walkthrough available from peplink where there is described what exactly needs to be opened on the firewall to operate incontrol in a hardened environment?

Hello Matthias (@matthias.brogies),
You have a lot to solve here, though it is possible. In this instance, you may need to engage with your locally certified Peplink Partner to assist with the deployment. Have you reached out to them yet?
Please note that you have a very specialised deployment and one that a Certified Peplink Partner is best suited to assist you with.
Happy to Help,
Marcus :slight_smile:

Hi Marcus,

thanks for the reply.

Yes, I have already reached out to him.
But he was not able to answer all my questions.
That’s why I have registred here :slight_smile:

Currently the biggest issue for me is the communication to the onprem incontrol instance and the question of proper SSL Certificates

If you just could answer me, if the external IP is sufficent as incontrol target or i have to populate a proper DNS name for it and if it is possible to use selfsinged certs, that would be nice :slight_smile:

Br,

Matthias