Confirm your Underlay Settings
Tempered Networks components require that certain conditions exist on your network before proceeding with installation and configuration.
Your underlay network is made up of your existing private network(s) and the Internet: essentially, any network where you connect a HIPservice that needs access to your overlays, plus any networks in between. For Tempered Networks components to work correctly, they must be able to communicate with each other from where they are installed.
The Conductor
The Conductor is the central management appliance for all HIPservices. It tells the HIPservices how to contact one another and enforces policies on the protected network, allowing or forbidding devices from communicating with each other. It also manages licensing and provides diagnostic tools.
A Conductor can be either virtual or physical and can be configured in a high-availability (HA) pair. It passes no protected network traffic and does not communicate with the HIP protocol.
- Port 1
  - Internet connected, either directly or with port forwarding.
- Port 2
  - Local Area Network (underlay)
- TCP 8096 (MAP)
  - The port on which HIPservices communicate with the Conductor.
- TCP 443 (HTTPS)
  - The port on which the Conductor management interface is accessed.
HIPservices
A HIPservice carries out or facilitates the connectivity between two connecting devices.
A HIPswitch is a network appliance that allows Ethernet devices to be added to an Overlay. It connects to a Conductor via a Metadata Access Point (MAP) for policy and peer addresses, and it connects to peer HIPservices to establish secure tunnels between locations.
A HIPswitch can be either virtual or physical and can be configured in an HA pair. It passes traffic between devices over a HIP tunnel.
- Port 1
  - Local Area Network (underlay). Must be able to reach a Conductor and other HIPservices.
- Port 2
  - Protected Device Network (overlay). Must be able to reach the devices to add to the overlay.
It is possible to connect Ports 1 and 2 to the same network and give existing devices access to the overlay without isolating the protected devices in a separate network segment.
- TCP 8096 (MAP)
  - Must have outbound connectivity to the Conductor for MAP.
- UDP 10500 (HIP)
  - Must have outbound HIP connectivity to any other HIPservice it must communicate with.
- UDP 10500 (HIP)
  - Should also be able to accept inbound HIP from those peer HIPservices so the tunnel can be established directly.
Alternatively, if HIPservices cannot be configured to listen for incoming connections, you can use a HIPrelay to traverse network address translation (NAT).
HIPrelays
A HIPrelay is typically a virtual, cloud-hosted appliance running the HIPswitch 300v VM. It listens for HIP traffic, allowing HIPswitches behind firewalls and routers to establish a tunnel with each other even when NATed.
- TCP 8096 (MAP)
  - Must have outbound connectivity to the Conductor for MAP.
- UDP 10500 (HIP)
  - Must have outbound HIP connectivity to any other HIPservice it must communicate with.
- UDP 10500 (HIP)
  - Must accept inbound HIP on this port from the HIPservices it relays; this listening role is what lets NATed HIPswitches reach each other.
HIPrelays are still a type of HIPservice, but they serve a special role. Any HIPswitch, physical or virtual, can be turned into a HIPrelay. Once configured as a HIPrelay, it is not advisable to add devices to it; instead, use it exclusively to bridge HIPservices that cannot listen for incoming connections.
Changing network ports
You can change the MAP and HIP ports from their defaults of 8096 and 10500 in the Conductor. This will change the settings for all HIPswitches connected to that Conductor.
These settings rarely need to be adjusted. When they are, it is either to work around firewall settings you cannot change or to add extra security by using non-default ports (which complements, but does not replace, the firewall rules below).
If you change the HIPservice ports, the change takes effect on all HIPservices connected to the Conductor, so make certain that they all have the proper outbound connectivity and port forwarding configured for the new ports before adjusting this setting.
To change the default ports:
- In the Conductor, go to Settings.
- Find the Advanced section near the bottom of the Settings page. Next to Global HIPservice settings, click Edit Settings.
- Under Port settings, change the default ports, and click Save.
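To confirm which underlay rules a deployment needs for the ports described above (defaults or changed ones), here is an added Python example; it is not Tempered Networks code. It covers the Conductor, HIPservice and HIPrelay requirements from the sections above and flags peer pairs that need a HIPrelay. The node names, the `can_listen` flag and the `admin-workstation` source are assumptions for illustration.

```python
# Added example, not Tempered Networks code: derive the outbound underlay
# rules this page's port requirements imply for a set of components, and
# flag peers that need a HIPrelay because neither side can listen for HIP.
from dataclasses import dataclass
from itertools import combinations


@dataclass
class Node:
    name: str
    role: str                # "conductor", "hipservice" or "hiprelay"
    can_listen: bool = True  # False when NAT/firewall blocks inbound HIP (assumed flag)


def required_rules(nodes, map_port=8096, hip_port=10500):
    """Return (rules, warnings). A rule is (src, dst, proto, port), meaning
    src needs outbound connectivity to dst on that port. map_port and
    hip_port default to the page's defaults; pass the values from the
    Conductor's Global HIPservice settings if you changed them."""
    conductors = [n for n in nodes if n.role == "conductor"]
    hips = [n for n in nodes if n.role in ("hipservice", "hiprelay")]
    relays = [n for n in hips if n.role == "hiprelay" and n.can_listen]
    rules, warnings = set(), []
    for c in conductors:
        # Conductor UI over HTTPS, and MAP from every HIPservice and HIPrelay.
        rules.add(("admin-workstation", c.name, "tcp", 443))
        for h in hips:
            rules.add((h.name, c.name, "tcp", map_port))
    for n in hips:
        if n.role == "hiprelay" and not n.can_listen:
            warnings.append(f"{n.name}: a HIPrelay must accept inbound HIP on udp/{hip_port}")
    for a, b in combinations(hips, 2):
        if a.can_listen or b.can_listen:
            # Direct tunnel: the side that can listen is the destination.
            src, dst = (a, b) if b.can_listen else (b, a)
            rules.add((src.name, dst.name, "udp", hip_port))
        elif not relays:
            warnings.append(f"{a.name}<->{b.name}: neither side can listen; add a HIPrelay")
        # Otherwise both sides already get a udp rule to each listening relay,
        # because a relay is paired with every HIPservice in this loop.
    return sorted(rules), warnings


if __name__ == "__main__":
    # Constructed sample topology: two NATed sites bridged by a cloud HIPrelay.
    sample = [Node("conductor-1", "conductor"), Node("site-a", "hipservice", False),
              Node("site-b", "hipservice", False), Node("relay-1", "hiprelay")]
    for rule in required_rules(sample)[0]:
        print("%s -> %s %s/%d" % rule)
```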
HIP and MAP Diagrams
Below are some diagrams illustrating successful and unsuccessful MAP and HIP configurations:
Check Your Underlay Settings
Check the following settings to confirm they're set for the new ports:
- Firewalls
  - If a firewall is enabled between the Conductor and HIPservices in the solution, you must open the required firewall ports.
- DHCP and DNS
  - If you prefer to configure your Conductor with a hostname or assign HIPservices IP addresses using DHCP, confirm that the underlay's DHCP and DNS settings are configured to support it.
- Private Network Conductor
  - If the Conductor is located in a private network, either a firewall or a router must provide a static public IP address so the Conductor can be reached by HIPservices outside the private network.
- Private Network HIPswitch
  - If HIPservices located in a private network need to be accessed by HIPswitches outside the private network, a firewall or router must provide a static public IP address so the HIPservices can communicate.