It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Access

How to Deploy a Proxy For Bare Metal / Virtual Machine

  • Last updated on

This article offers the option to choose either the install script, or to use the manual steps listed below.  Before you begin, check the prerequisites.

Minimum OS supported versions:

  • CentOS 7
  • RHEL 8
  • Any modern Debian-based OS (Ubuntu)

 

Requires a valid CloudGen access proxy enrollment link. See step #4 of Add Proxy to get the link.

Choose  Install Script  or  Manual Steps  to proceed.

Install Script

  • The steps below will download and execute a script obtained externally. Barracuda Networks recommends that you inspect the contents before execution.
  • The script will install and enable a chrony service for time synchronization. This is required to ensure that tokens are validated properly.
  • Download and execute the installation script:

    sudo bash -c "$(curl -fsSL https://url.access.barracuda.com/proxy-linux)"
  • This script can also be used for unattended installations:

    curl -fsSLo install-proxy-linux.sh https://url.access.barracuda.com/proxy-linux 
    chmod +x install-proxy-linux.sh 
    ./install-proxy-linux.sh -h 

Install  CloudGen Access Proxy script

Available parameters:

ParameterAction
-hShow this help
-l stringLoglevel (debug, info, warning, error, critical), defaults to info.
-nDo not start services after install
-p int

Specify public port (1-65535), required for unattended installation

-r stringSpecify Redis host to use for token cache <only required for HA architecture>
-s intSpecify Redis port <optional>
-t tokenSpecify Barracuda CloudGen Access Proxy token
-uUnattended install, skip requesting input <optional>

 

Example for unattended installation with CloudGen Access Proxy token:  

Specify the  CloudGen Access Proxy token inside quotes:

 

./install-proxy-linux.sh -p 443 -t "https://xxxxxxxxxxxx" -u

Example for unattended installation with CloudGen Access Proxy token with Redis endpoint:

Specify the  CloudGen Access Proxy token inside quotes:

./install-proxy-linux.sh -p 443 -t "https://xxxxxxxxxxxx" -u -r localhost -s 6379

Example for unattended installation, skipping services start, without CloudGen Access Proxy token:

  • The token can also be obtained automatically via AWS SSM/Secrets Manager.
  • For more information, see Access Proxy Parameters.
./install-proxy-linux.sh -n -p 443 -u

CentOS/RHEL - Manual Steps

  1. Install prerequisites.

    sudo yum -y install yum-utils chrony
  2. Ensure chrony daemon is enabled on system boot and started.

    sudo systemctl enable chronyd
    sudo systemctl start chronyd
  3. Ensure time synchronization is enabled.

    sudo timedatectl set-ntp on
  4. Add CloudGen Access repository.

    sudo yum-config-manager -y --add-repo https://downloads.fyde.com/fyde.repo

        

  5. Install Envoy Proxy.

    sudo yum -y install envoy
    sudo systemctl enable envoy
  6.  Add CAP_NET_BIND_SERVICE to Envoy using a service unit override.? If you choose to configure your proxy to run in a port below 1024, you will need to add the CAP_NET_BIND_SERVICE capability to Envoy.

    sudo mkdir -p /etc/systemd/system/envoy.service.d
    sudo bash -c "cat > /etc/systemd/system/envoy.service.d/10-add-cap-net-bind.conf <<EOF
    [Service]
    Capabilities=CAP_NET_BIND_SERVICE+ep
    CapabilityBoundingSet=CAP_NET_BIND_SERVICE
    AmbientCapabilities=CAP_NET_BIND_SERVICE
    SecureBits=keep-caps
    EOF"
    sudo chmod 600 /etc/systemd/system/envoy.service.d/10-add-cap-net-bind.conf
  7. Reload and start Envoy Proxy.

    sudo systemctl --system daemon-reload  
    sudo systemctl start envoy 
  8. Install CloudGen Access Proxy Orchestrator and authz system.

    sudo yum -y install fydeproxy
    sudo systemctl enable fydeproxy
  9. Configure environment using a service unit override

    sudo mkdir -p /etc/systemd/system/fydeproxy.service.d
    sudo bash -c "cat > /etc/systemd/system/fydeproxy.service.d/10-environment.conf <<EOF
    [Service]
    Environment='FYDE_ENROLLMENT_TOKEN=<paste here your CloudGen Access Proxy enrollment link>'
    Environment='FYDE_ENVOY_LISTENER_PORT=<replace with the corresponding CloudGen Access Proxy port, as configured in CloudGen Access Enterprise Console>'
    Environment='FYDE_LOGLEVEL=info'
    EOF"
    sudo chmod 600 /etc/systemd/system/fydeproxy.service.d/10-environment.conf
  10. For highly available installations, access to a redis server is required for communication between CloudGen Access Orchestrators.

    sudo bash -c "cat >> /etc/systemd/system/fydeproxy.service.d/10-environment.conf <<EOF
    Environment='FYDE_REDIS_HOST=<specify redis host ip or dns>'
    Environment='FYDE_REDIS_PORT=<specify redis port, defaults for 6379 if not included>'
    EOF"
  11. Reload and start CloudGen Access Proxy Orchestrator daemon.

    sudo systemctl --system daemon-reload
    sudo systemctl start fydeproxy
  12. Configure the firewall (if enabled).

    sudo firewall-cmd --zone=public --add-port="<replace with the corresponding CloudGen Access Proxy port, as configured in CloudGen Access Enterprise Console>/tcp" --permanent
    sudo firewall-cmd --reload

Debian / Ubuntu - Manual Steps

  1. Ensure time synchronization is enabled.

    sudo timedatectl set-ntp on
  2. Add CloudGen Access repository.

    REPO_URL="downloads.fyde.com"
    wget -q -O - "https://$REPO_URL/fyde-public-key.asc" | sudo apt-key add -
    sudo bash -c "cat > /etc/apt/sources.list.d/fyde.list <<EOF
    deb https://$REPO_URL/apt stable main
    EOF"
    sudo apt update
  3. Install Envoy Proxy.

    sudo apt -y install envoy
    sudo systemctl enable envoy
  4. Add CAP_NET_BIND_SERVICE to Envoy using a service unit override.? If you choose to configure your proxy to run in a port below 1024, you will need to add the CAP_NET_BIND_SERVICE capability to Envoy.

    sudo mkdir -p /etc/systemd/system/envoy.service.d
    sudo bash -c "cat > /etc/systemd/system/envoy.service.d/10-add-cap-net-bind.conf <<EOF
    [Service]
    Capabilities=CAP_NET_BIND_SERVICE+ep
    CapabilityBoundingSet=CAP_NET_BIND_SERVICE
    AmbientCapabilities=CAP_NET_BIND_SERVICE
    SecureBits=keep-caps
    EOF"
    sudo chmod 600 /etc/systemd/system/envoy.service.d/10-add-cap-net-bind.conf
  5. Reload and start Envoy Proxy.

    sudo systemctl --system daemon-reload
    sudo systemctl start envoy
  6. Install CloudGen Access Proxy Orchestrator and authz system.

    sudo apt -y install fydeproxy
    sudo systemctl enable fydeproxy
  7. Configure environment using a service unit override.

    sudo mkdir -p /etc/systemd/system/fydeproxy.service.d
    sudo bash -c "cat > /etc/systemd/system/fydeproxy.service.d/10-environment.conf <<EOF
    [Service]
    Environment='FYDE_ENROLLMENT_TOKEN=<paste here your CloudGen Access Proxy enrollment link>'
    Environment='FYDE_ENVOY_LISTENER_PORT=<replace with the corresponding CloudGen Access Proxy port, as configured in CloudGen Access Enterprise Console>'
    Environment='FYDE_LOGLEVEL=info'
    EOF"
    sudo chmod 600 /etc/systemd/system/fydeproxy.service.d/10-environment.conf
  8. For highly available installations, access to a redis server is required for communication between CloudGen Access Orchestrators.

    sudo bash -c "cat >> /etc/systemd/system/fydeproxy.service.d/10-environment.conf <<EOF
    Environment='FYDE_REDIS_HOST=<specify redis host ip or dns>'
    Environment='FYDE_REDIS_PORT=<specify redis port, defaults for 6379 if not included>'
    EOF"
  9. Reload and start CloudGen Access Proxy Orchestrator daemon.

    sudo systemctl --system daemon-reload
    sudo systemctl start fydeproxy
  10. Configure the firewall (if enabled).

    sudo firewall-cmd --zone=public --add-port="<replace with the corresponding CloudGen Access Proxy port, as configured in CloudGen Access Enterprise Console>/tcp" --permanent
    sudo firewall-cmd --reload

Upgrading CloudGen Access Proxy

To upgrade your CloudGen Access Proxy to the latest version, execute one of the following.

For Debian/Ubuntu:

sudo apt upgrade fydeproxy envoy

For CentOS/RHELL:

 sudo yum upgrade fydeproxy envoy

Troubleshooting

See Troubleshooting the CloudGen Access Proxy in Barracuda Campus.


 

Last updated on