Hello, I'm Dean Pompilio. Welcome to Cybrary and the virtualization installation, configuration and management class. We're on Module 9 now, and we're going to talk about access and authentication control for your ESXi host.
So first we'll look a little bit at some of the considerations for enabling the firewall that's built into ESXi.
And then we'll also talk about what lockdown mode means.
Lastly, we'll talk a little bit about Active Directory integration. Active Directory integration was actually performed in an earlier lab, but now we've got a couple of extra things to discuss as that relates to how you access your host.
First we have to think about the security profile.
So if you select your host in the inventory, go to your Configuration tab and select Security Profile from the Software section. Remember, we have Hardware up top and Software on the lower portion of the screen.
Each of the services that will start and stop with the host can be individually controlled from this dialog box.
So what we need to do is, for each individual service, select it and set its startup policy. For the most part, the startup policy can be left at the default setting. These are already configured for typical operation of the ESXi host, and you probably don't need to monitor or modify any of these settings. But if you do want to change them, this is where you would do it.
So for each of the services, once selected, you get a drop-down within the dialog with three choices. You can either start automatically, which means that if the firewall opens the ports, the service can start and everything will work as expected. That's probably the default setting for most of the services that you'll see there.
However, we can also instruct ESXi to start and stop the service with the host. That way you guarantee that when you bring the host up, the service starts, and when you shut the host down, it disables that service.
And your last option is to start the service manually. This might make sense if you're doing some testing, or possibly you've got services that you only need some of the time. You can then control those manually so you don't have to deal with them starting and stopping automatically, and therefore you reduce the amount of resources being used on your host.
ESXi does come with a firewall. It's included; there's no extra license required for this.
It is a service-oriented firewall, which means that it opens the connections as they're needed, in kind of an on-demand fashion, compared to always being open or always being closed.
However, the firewall is stateless, which means that it's just doing a basic packet-filtering type of function that uses source IP address, destination IP address, protocol and port numbers. That's all it looks at. So it's not a very sophisticated firewall, but it is better than nothing.
And because it's service-oriented and works when the connections are required, you do get a little extra security because of the way this particular firewall is designed.
So to look at the firewall rules, you have to actually select Firewall Properties from the same dialog we're in here: your Configuration tab, Security Profile.
When you select Firewall Properties, you'll get your list of rules, and for each individual rule you can then click the rule and select the Firewall button. You get a pop-up asking whether you want to allow connections from any IP address.
For some types of connections that your ESXi host uses, this might be appropriate, but the other option is to only allow connections from the following IPs, and you've got a little window there where you can type IP addresses in. You can type individual IP addresses, or you can type networks, even using CIDR notation if you wish.
That gives you some further control over your inbound rules and your outbound rules, what can connect to what.
And as you get further into the security settings for hardening the ESXi host for a typical environment, you want to get away from allowing any IP address to connect, and try to create rules that are more specifically tailored for your particular environment.
We also have lockdown mode for your ESXi host. This is something that's a great feature.
Once you've got your host configured the way you want, and you have your authentication services set up and everything is working correctly, then you can think about using lockdown mode.
The idea is that only the vpxuser has authentication permissions right off the top. Basically, no one else can log into the host. In fact, only root can log into the host directly, and that's only through the DCUI, which we saw in earlier labs as the configuration and management screen for the host. You get to that from the console, or, if you're using a virtualized host, you can get to it through the console of the VM that you're actually running the host on, which is the case for some of the hosts that you'll see in the lab.
Because the host is in lockdown mode, that means that we cannot do anything on the host directly. Everything that you do with the host must be done through vCenter.
And you know from looking at other labs that were performed, if you try to connect to the host with the vSphere Client, you do get a message saying this host is managed by vCenter at this IP address. That's just a warning. When you enable lockdown mode, that warning becomes enforced, and you literally cannot do anything unless it goes through vCenter, with the exception of root logging in through the DCUI.
So in order to do this, you can select the host, go to the Configuration tab, select Security Profile under the Software section, and select Lockdown Mode. It's a simple on or off setting.
You can also enable lockdown mode from the DCUI. So if you want to do it from the console, where root is allowed to log in, you also have the option to enable the mode from that area as well.
One of the earlier labs we did showed how integration with Active Directory was possible. This is done through the Configuration tab once again, in the Software section. You've got an Authentication Services link, which you can click in order to add your host to a domain.
So one of the things to think about is, once you've done that, any local users such as root or vpxuser, or any other local users that were created for that host, can still access the host directly, meaning that Active Directory authentication is not required.
However, once the host is added to the domain, you can then use Active Directory user accounts to access the host, and then do things like create roles in order to provide certain permissions and certain capabilities for individual users or groups of users.
So we looked a little bit at what the security profile means and how you can control that from within the Configuration tab of your host: looking at the firewall, seeing what kinds of rules it supports, and whether services start and stop with the host or are started and stopped manually. You get those kinds of options.
We learned a little bit about what lockdown mode means and why that's good for security reasons.
And lastly, a little bit of a reminder on how the Active Directory configuration works.
Okay, that concludes lesson one. Stay tuned for lesson two. Thank you.
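The firewall-properties steps described in the lecture (turn off "allow connections from any IP address" for a service and list specific addresses or CIDR networks instead) have a command-line equivalent in the ESXi Shell. The script below is an added example written for this page; it is not code from the lecture or from VMware. It assumes it runs as root in the ESXi Shell or over SSH, that esxcli is on the PATH, and that sshServer and vSphereClient are the ruleset names you want to restrict. The addresses 10.10.20.5 and 10.10.30.0/24 are made-up sample values. Setting ESXCLI=echo dry-runs it and prints the esxcli commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the lecture): restrict ESXi firewall rulesets to
# specific source addresses with esxcli, the CLI equivalent of choosing
# "Only allow connections from the following networks" in the Security
# Profile > Firewall Properties dialog.
#
# Assumptions: run as root in the ESXi Shell (or over SSH); the ruleset ids
# used below (sshServer, vSphereClient) are the standard ESXi names.
# Set ESXCLI=echo to dry-run and print the commands instead of running them.

ESXCLI="${ESXCLI:-esxcli}"

# Accept an IPv4 address or IPv4/prefix (CIDR) string and nothing else, so a
# typo or stray shell metacharacter never reaches esxcli. 0 = valid, 1 = not.
valid_cidr() {
  case "$1" in
    "" | *[!0-9./]*) return 1 ;;      # empty, or a character outside 0-9 . /
  esac
  ip="${1%%/*}"
  prefix="${1#"$ip"}"
  prefix="${prefix#/}"                # "" when no /nn was given
  if [ -n "$prefix" ]; then
    [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
  fi
  case "$ip" in
    .* | *. | *..*) return 1 ;;       # leading, trailing or doubled dot
  esac
  rest="$ip"
  octets=0
  while [ -n "$rest" ]; do
    octet="${rest%%.*}"
    [ "$octet" -le 255 ] 2>/dev/null || return 1
    octets=$((octets + 1))
    case "$rest" in
      *.*) rest="${rest#*.}" ;;
      *)   rest="" ;;
    esac
  done
  [ "$octets" -eq 4 ]
}

# restrict_ruleset RULESET ADDR [ADDR...]
# Whitelist the given addresses first and only then turn off "allowed all",
# so an admin connected over SSH from a listed network is never cut off
# between the two steps. Refuses to run with no or invalid addresses.
restrict_ruleset() {
  ruleset="$1"
  shift
  if [ $# -eq 0 ]; then
    echo "restrict_ruleset: refusing to restrict $ruleset to an empty list" >&2
    return 2
  fi
  for cidr in "$@"; do
    valid_cidr "$cidr" || { echo "restrict_ruleset: bad address '$cidr'" >&2; return 2; }
  done
  for cidr in "$@"; do
    "$ESXCLI" network firewall ruleset allowedip add \
      --ruleset-id "$ruleset" --ip-address "$cidr" || return 1
  done
  "$ESXCLI" network firewall ruleset set \
    --ruleset-id "$ruleset" --allowed-all false || return 1
  "$ESXCLI" network firewall ruleset set \
    --ruleset-id "$ruleset" --enabled true || return 1
  # Show what is now allowed for this ruleset.
  "$ESXCLI" network firewall ruleset allowedip list --ruleset-id "$ruleset"
}

# Sample policy (constructed values): a management station at 10.10.20.5 and
# the admin VLAN 10.10.30.0/24 are the only sources allowed to reach the SSH
# server and the vSphere Client port.
run_example() {
  restrict_ruleset sshServer 10.10.20.5 10.10.30.0/24 &&
  restrict_ruleset vSphereClient 10.10.20.5 10.10.30.0/24
}

# Uncomment to apply (or run with ESXCLI=echo first to review the commands):
# run_example
```

Run it once with ESXCLI=echo from your management station to review the exact commands, then for real from a session that originates inside one of the listed networks; the addresses are added before "allowed all" is switched off for that reason. The same two esxcli verbs (allowedip add, ruleset set --allowed-all false) are what the GUI dialog in the lecture drives underneath.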