Jump to content

Recommended Posts

Antipova Anna
Posted

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

1.1. Scenario:

KATA/EDR CN is deployed on site, and there are some remote users that cannot connect to the internal network, and you want to receive the EDR telemetry from those endpoints and laptops when they are outside the network (considering that you don't have any VPN functionality).

You don't want to expose the CN on the internet, so you'd like to use the sensor to relay the telemetry to the CN and have visibility on the endpoints.

1.2. Pre-requisites and configuration steps:

To achieve the above scenario, we can deploy the KATA Network Sensor in the DMZ and publish it on the internet for remote and roaming users. The Network Sensor will be integrated with the CN and public IP/FQDN will be used to send the traffic from the internet to the sensor using port 443.

Two KES policies (Active/Out of Office) will be configured, The Active policy will have the KATA CN internal IP and the Out-of-Office policy will have the public IP/FQDN for KATA Sensor.

Connection profiling can be used to switch between the policies (similar to the connection gateway for KSC).

The below steps need to be performed for the successful deployment and integration.

  • Deploy the KATA Network Sensor in the DMZ
  • Configure to integrate with CN, and accept the request on the CN side.
    1. When using the KEDR license, the Accept button might not be available, integration of the KATA sensor requires a KATA license, or the latest KATA patch should be applied on the CN to fix this issue.
  • Export the certificate from the KATA Sensor using WinScp and copy it to the local computer or KSC server.

Note: you might need to allow the connection using WinSCP:

Location of the certificate = /etc/pki/tls/certs/

File name = kata.crt

Copy the kata.crt to /tmp/ and change the permissions to download the file.

  • Configure the destination NAT from Firewall towards KATA sensor internal IP for port 443.
  • Configure the KES (Out-of-office) policy and add the Public FQDN/IP in the connection settings along with the sensor certificate.

image.thumb.png.d102cfd8b8c77c0b66df3d5a70862929.png

  • Apply the KES (Out-of-office) policy to a test laptop.
  • Disconnect the Laptop from the network and wait for the connection to be established from the internet with KATA Sensor.
  • Verify the Endpoint status on the Central Node and check for the recent events.

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now


×
×
  • Create New...