Installation of onprem Incontrol in a hardened environment / configuration of fusion hubs

Hi,

I am hoping that my question is not too “noob” or I have overseen something in the manuals.

A customer of mine wants to use peplink routers in a lager scale.
We are talking here roughly about 250-300 routers in the field.

Unfortunately, due to security concerns, it’s not allowed to use the cloud hosted Incontrol.

I have already deployed the Incontrol on premise version with in our network, which at least boots and configures the database.

Afterwards the struggle starts.

  1. Due the hardened enviroment I have to pin all needed external ip addresses for incontrol.
    I have found the following : https://download.peplink.com/resources/ip_addresses.json
    Does this list is also applicable for the selfhosted incontrol or are there any additonal ressoruces needed?

  2. There is no “free” internet access within the enviroment.
    I have to configure a proxy server if somekind off http traffic needs to reach some sites / apis
    Is there a way to configure outbound proxy servers within incontrol?

  3. Privat incontrol instance on devices (fusionhubs and routers)
    If I enable the option that there is a private incontrol instance, what i need to configure here as “target” ? Is it also possible to use the IP addresses?
    Which of the following two would be the right apporach for the routers:

  • External IP of Incontrol
  • External DNS name
    What about the internaly hosted fusionhubs?
  • Internal IP of incontrol (same subnet)
  • External IP of Incontrol
  • External DNS name

Is there maybe somkind of howto / walkthrough available from peplink where there is described what exactly needs to be opened on the firewall to operate incontrol in a hardened environment?

Hello Matthias (@matthias.brogies),
You have a lot to solve here, though it is possible. In this instance, you may need to engage with your locally certified Peplink Partner to assist with the deployment. Have you reached out to them yet?
Please note that you have a very specialised deployment and one that a Certified Peplink Partner is best suited to assist you with.
Happy to Help,
Marcus :slight_smile:

Hi Marcus,

thanks for the reply.

Yes, I have already reached out to him.
But he was not able to answer all my questions.
That’s why I have registred here :slight_smile:

Currently the biggest issue for me is the communication to the onprem incontrol instance and the question of proper SSL Certificates

If you just could answer me, if the external IP is sufficent as incontrol target or i have to populate a proper DNS name for it and if it is possible to use selfsinged certs, that would be nice :slight_smile:

Br,

Matthias

Hello @matthias.brogies,
Did you get some help on this?
Have you been able to get your ICVA working?
Have you gone through in detail the ICVA installation guide (we find people often miss information found within, it is worth going through the guide a least a couple of times)?

Question: are the networking edge devices normally operating on the public internet services or wholly within a private intranet (the WANs are on private connection or the SIMs have private APNs)?

If all of your Peplink|Pepwave devices are operating on an internal ICVA, then you just need to have them pointing their InControl setting to that ICVA’s internal network IP. Your ICVA only needs outbound access to the domain and sub-domains of peplink.com for all of the licencing management.

If all of your devices are operating on the public internet, then use a domain name for the private ICVA rather than an IP; this allows for a much easier future ICVA systems relocation if the need ever arises. Your ICVA needs outbound access to the domain and sub-domains of peplink.com for all of the licencing management and inbound on the ports listed for InControl2 (details found here “Overview of ports used by Peplink SD-WAN routers and other Peplink services”) for the network devices to be monitored and managed.

Deploy the solution with the built-in SSL Certificates for all the system. If after correctly following the guides for securely setting up your system (start here “InControl 2 Initial Setup Guide”) and running a full penetration test you find you need to change the SSL Certificates, then do it after all of that, we have yet to find a genuine need to change the SSL Certificates (even in the most secure & sensitive environments) when the various guides on the forum are followed.

You are welcome to reach out to us (you can send a PM) or contact another experience Peplink Partner if you’re still struggling; Please expect that another experienced Peplink Partners that did not supply you the solution or services will charge you a support fee, alternatively you can also create a support request at https://ticket.peplink.com/ticket/new/public if your warranties are still valid and licences are all paid up.

Happy to Help,
Marcus :slight_smile:

1 Like