Confirm your Underlay Settings

Tempered Networks components require that certain conditions exist on your network before proceeding with installation and configuration.

Your underlay network is made up of your existing private network(s) and the Internet—basically, it's any network where you connect a HIPservice that needs access to your overlays and any networks in between. For Tempered Networks components to work correctly, they must be able to communicate with each other from where they are installed.

The Conductor

The Conductor is the central management appliance for all HIPservices. It tells the HIPservices how to contact one another and enforces policies on the protected network, allowing or forbidding devices from communicating with each other. It also manages licensing and provides diagnostic tools.

A Conductor can be either virtual or physical and can be configured in a high-availability (HA) pair. It passes no protected network traffic and does not communicate with the HIP protocol.

The Conductor must have at least two network interfaces. The recommended configuration is as follows:
Port 1
Internet Connected, either directly or with port forwarding.
Port 2
Local Area Network (underlay)
For the Conductor to work, it must be able to listen on the following ports:
TCP 8096 (MAP)
This is the port on which HIPservices communicate with the Conductor.
TCP 443 (HTTPS)
This is the port on which the Conductor management interface is accessed.

HIPservices

A HIPservice carries out or facilitates the connectivity between two connecting devices.

A HIPswitch is a network appliance that allows Ethernet devices to be added to an Overlay. It connects to a Conductor via a Metadata Access Point (MAP) for policy and peer addresses, and it connects to peer HIPservices to establish secure tunnels between locations.

A HIPswitch can be either virtual or physical and can be configured in an HA pair. It passes traffic between devices over a HIP tunnel.

A HIPswitch must have at least two network interfaces. The recommended configuration is as follows:
Port 1
Local Area Network (Underlay). Must be able to reach a Conductor and other HIPservices.
Port 2
Protected Device Network (Overlay). Must be able to reach the devices to add to the overlay.

It is possible to connect Ports 1 & 2 to the same network and provide existing device access to the Overlay, without isolating the protected devices inside of a separate network segment.

For a HIPswitch to work, it must have *outbound* connectivity on the following ports:
TCP 8096 (MAP)
Outbound to the Conductor, for policy and peer addresses.
UDP 10500 (HIP)
Outbound to every other HIPservice it must communicate with.
At least one HIPswitch on one end of a tunnel must also be able to _listen_ on the following port:
UDP 10500 (HIP)
Inbound from peer HIPservices. If the listening HIPswitch is behind a router or firewall, that device must forward this port to it.

Alternatively, if neither HIPservice can be configured to listen for incoming connections, you can use a HIPrelay to traverse network address translation (NAT).

HIPrelays

A HIPrelay is typically a virtual, cloud-hosted appliance running the HIPswitch 300v VM. It is able to listen for HIP traffic, allowing HIPswitches behind firewalls and routers to establish a tunnel with each other even when both are behind NAT.

For a HIPrelay to work, it must have _outbound_ connectivity on the following ports:
TCP 8096 (MAP)
Outbound to the Conductor.
UDP 10500 (HIP)
Outbound to every HIPservice it relays for.
It must also be able to _listen_ on the following port:
UDP 10500 (HIP)
Inbound from the HIPservices it relays for. This is what lets NATed HIPswitches reach each other through the relay.

HIPrelays are still considered a type of HIPservice, but they serve a special role. Any HIPswitch, physical or virtual, can be turned into a HIPrelay. Once configured as a HIPrelay, it is not advisable to add any devices to it; instead, use it exclusively to bridge HIPservices that are not able to listen for incoming connections.

Changing network ports

You can change the MAP and HIP ports from their defaults of 8096 and 10500 in the Conductor. This will change the settings for all HIPswitches connected to that Conductor.

These settings rarely need to be adjusted. When they are, it is either to work around firewall rules you cannot change or to move the services off their well-known ports. Note that a non-default port only reduces exposure to untargeted scanning; it is not a substitute for the firewall rules described below.

Note: If you change the MAP port, you will need to manually reconfigure all HIPservices to point to the Conductor with the new port. This might involve traveling to remote sites and putting devices into diagnostic mode, so adjust this setting carefully.

If you change the HIP port, the change takes effect on all HIPservices connected to the Conductor, so make certain that they have the proper outbound connectivity and port forwarding configured for the new port before adjusting this setting.

To change the default ports:

  1. In the Conductor, go to Settings.
  2. Find the Advanced section near the bottom of the Settings page. Next to Global HIPservice settings, click Edit Settings.
  3. Under Port settings, change the default ports, and click Save.

HIP and MAP Diagrams

Below are some diagrams illustrating successful and unsuccessful MAP and HIP configurations:

Figure 1: HIP configurations


Figure 2: MAP configurations


Check Your Underlay Settings

Check the following settings to confirm they support the MAP and HIP ports in use, whether the defaults or the ports you changed them to:

Firewalls
If a firewall sits between the Conductor and the HIPservices, or between HIPservices that must tunnel to each other, you must open the MAP and HIP ports described above.
DHCP and DNS
If you prefer to configure your Conductor with a hostname or assign HIPservices IP addresses using DHCP, confirm that the underlay's DHCP and DNS settings are configured to support it.
Private Network Conductor
If the Conductor is located in a private network, either a firewall or router must provide a static public IP address so the Conductor can be reached by HIPservices outside the private network.
Private Network HIPswitch
If HIPservices located in a private network need to be reached by HIPswitches outside the private network, a firewall or router must provide a static public IP address and forward the HIP port so the HIPservices can communicate. Alternatively, deploy a HIPrelay so that neither end needs to listen.
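The connectivity rules above (MAP outbound to the Conductor, HIP between peers, at least one listening end per tunnel or a HIPrelay, and a reachable Conductor for remote HIPservices) can be pre-checked before anyone travels to a site. The following is example code added to this page, not Tempered Networks software or its configuration format: the HIPservice and Underlay types, their field names (can_listen, remote, is_relay, conductor_public) and the sample topology are assumptions used to express the page's rules. It reports which tunnels can form and how, and lists the firewall openings each component needs for whatever MAP and HIP ports are configured.

```python
"""Underlay pre-flight check modelled on the rules stated in this page.

Example code added to this page, not Tempered Networks software. The
HIPservice/Underlay types and their field names are assumptions used to
express the page's connectivity rules; the sample topology is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DEFAULT_MAP_PORT = 8096   # TCP, HIPservice -> Conductor
DEFAULT_HIP_PORT = 10500  # UDP, HIPservice <-> HIPservice


@dataclass
class HIPservice:
    name: str
    can_listen: bool        # public IP, or a forwarded inbound UDP HIP port
    remote: bool = True     # outside the Conductor's private network
    is_relay: bool = False  # HIPrelay role: bridges NATed peers, carries no devices


@dataclass
class Underlay:
    hipservices: List[HIPservice]
    conductor_public: bool = True   # static public IP or forwarded MAP port
    map_port: int = DEFAULT_MAP_PORT
    hip_port: int = DEFAULT_HIP_PORT


def tunnel_path(a: HIPservice, b: HIPservice, relays: List[HIPservice]) -> Tuple[bool, str]:
    """A tunnel forms directly if at least one end accepts inbound HIP.
    Otherwise both ends must reach a HIPrelay that can listen."""
    if a.can_listen or b.can_listen:
        return True, "direct"
    for r in relays:
        if r.can_listen:
            return True, f"via {r.name}"
    return False, "both ends NATed and no listening HIPrelay"


def check_underlay(u: Underlay) -> Tuple[Dict[Tuple[str, str], str], List[str]]:
    """Return (tunnel path for every non-relay pair, list of problems)."""
    problems: List[str] = []
    relays = [h for h in u.hipservices if h.is_relay]
    for r in relays:
        if not r.can_listen:
            problems.append(f"{r.name}: HIPrelay must be able to listen on UDP {u.hip_port}")
    for h in u.hipservices:
        if h.remote and not u.conductor_public:
            problems.append(f"{h.name}: cannot reach Conductor MAP TCP {u.map_port} "
                            "(Conductor has no public address)")
    edges = [h for h in u.hipservices if not h.is_relay]
    paths: Dict[Tuple[str, str], str] = {}
    for i, a in enumerate(edges):
        for b in edges[i + 1:]:
            ok, how = tunnel_path(a, b, relays)
            paths[(a.name, b.name)] = how
            if not ok:
                problems.append(f"{a.name} <-> {b.name}: {how}")
    return paths, problems


def required_rules(u: Underlay) -> Dict[str, List[str]]:
    """Firewall openings per component, parameterised by the configured ports
    so a non-default MAP or HIP port is reflected everywhere."""
    rules = {"Conductor": [
        f"inbound TCP {u.map_port} (MAP) from all HIPservices",
        "inbound TCP 443 (HTTPS) from management hosts",
    ]}
    for h in u.hipservices:
        r = [f"outbound TCP {u.map_port} (MAP) to Conductor",
             f"outbound UDP {u.hip_port} (HIP) to peer HIPservices"]
        if h.can_listen:
            r.append(f"inbound UDP {u.hip_port} (HIP), forwarded if behind NAT")
        rules[h.name] = r
    return rules


# Constructed sample topology: a listening HQ HIPswitch on the Conductor's
# network, two NATed branch HIPswitches, and a cloud HIPrelay, default ports.
SAMPLE = Underlay(hipservices=[
    HIPservice("hq-hipswitch", can_listen=True, remote=False),
    HIPservice("branch-a", can_listen=False),
    HIPservice("branch-b", can_listen=False),
    HIPservice("cloud-relay", can_listen=True, is_relay=True),
])

if __name__ == "__main__":
    paths, problems = check_underlay(SAMPLE)
    for (a, b), how in paths.items():
        print(f"{a:>14} <-> {b:<14} {how}")
    print("problems:", problems or "none")
    for comp, rs in required_rules(SAMPLE).items():
        print(comp, "->", "; ".join(rs))
```

Removing cloud-relay from the sample, or changing the HQ HIPswitch to can_listen=False, turns the branch-a/branch-b pair into a reported problem, which is the unsuccessful HIP configuration the figures above illustrate. Running required_rules with map_port or hip_port set to non-default values shows every rule that has to change before the Conductor setting is saved.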