Requirements for Installation
Hardware
The integrator and/or end-user will provide physical servers that meet the requirements described in the Server Requirements section. Also, the integrator and/or end-user will need to provide the underlying infrastructure, including, but not limited to, network, switches, firewalls, and operating systems (installed), SQL Server, etc.
SSH
All Ubuntu servers require SSH to be enabled, with the same username and password¹ on each server and administrative permissions (sudo) granted so that the account can run any command. In addition, the OS’s default umask settings should apply to this account. The account can be disabled after the installation process and re-enabled when upgrades are needed.
¹ The username and password must be the same on every server because the installer uses Ansible. Ansible connects to the individual servers from the primary Docker server to install and configure the various parts of the application.
SSL Certificate
The CONNECT/GUEST application is a web-based product that requires an SSL/HTTPS certificate for the web interface to ensure that the website is secure. This will also provide the end-user with a URL that can be used to access the website from any mobile/internet device. The certificate will be linked to a registered domain and will allow the end-user to use a fully qualified domain name. It may be possible to use an existing certificate if the certificate is a wildcard² certificate. Also, the certificate used must be in PEM format. Please also note that the certificate's private key will be required for the installation of the system when the certificate is terminated at the application level (this does not apply if a load balancer is used for SSL Termination).
A domain certificate can be used to replace a public certificate. However, when this is done, all users, systems, and web browsers used to access the application must be configured to trust the certificate. This includes accounts used to run any utility, such as the Integration client or IDM Importer.
Note
If the Integration client is installed on MS Server 2012 R2, the domain certificate must be generated from a private key on the P384 elliptic curve.
² This certificate must be trusted by any computer attempting to access the application, including but not limited to any server running a utility.
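As an added example (not part of this document or of AMAG's installer), the following POSIX shell script checks certificate material against the requirements above before it is handed to the installer: PEM encoding, a private key that actually belongs to the certificate (required when SSL is terminated at the application), and the key's curve for the P384 case. It assumes the openssl command-line tool is installed; the self-check uses constructed, throwaway self-signed material and the placeholder hostname guest.example.invalid.

```shell
#!/bin/sh
# Added example (not AMAG's installer): pre-flight checks on the certificate
# material the CONNECT/GUEST installer expects: PEM encoding, a private key
# that matches the certificate, and (for the MS Server 2012 R2 case) a P-384 key.
set -eu

# is_pem FILE: succeeds if FILE is PEM-encoded (a DER/PFX file has no BEGIN line).
is_pem() { grep -q -- '-----BEGIN ' "$1"; }

# key_matches_cert KEY CERT: succeeds if the public key embedded in CERT is the
# one derived from KEY, i.e. the pair belongs together.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# key_curve KEY: prints the NIST name of an EC key's curve (P-384 is what the
# 2012 R2 note calls for), or "not-ec" for RSA and other key types.
key_curve() {
  openssl pkey -in "$1" -text -noout 2>/dev/null \
    | sed -n 's/^ *NIST CURVE: *//p' | grep . || echo not-ec
}

# preflight KEY CERT: prints "ok <curve>" and succeeds, or prints the first
# failed check and fails, so a scripted installation can be gated on it.
preflight() {
  is_pem "$1" && is_pem "$2" || { echo "fail: not PEM"; return 1; }
  key_matches_cert "$1" "$2"  || { echo "fail: key does not match cert"; return 1; }
  echo "ok $(key_curve "$1")"
}

# make_demo_material DIR: constructed, throwaway material for the self-check:
# a self-signed P-384 certificate with its key, plus an unrelated RSA key.
make_demo_material() {
  openssl ecparam -name secp384r1 -genkey -noout -out "$1/p384.key" 2>/dev/null
  openssl req -x509 -new -key "$1/p384.key" -out "$1/p384.crt" -days 1 \
    -subj "/CN=guest.example.invalid" >/dev/null 2>&1
  openssl genrsa -out "$1/rsa.key" 2048 >/dev/null 2>&1
}

# Usage: sh cert_preflight.sh KEY CERT   (no arguments: run the self-check)
if [ "$#" -eq 2 ]; then
  preflight "$1" "$2"
else
  d=$(mktemp -d); make_demo_material "$d"
  preflight "$d/p384.key" "$d/p384.crt"            # ok P-384
  preflight "$d/rsa.key"  "$d/p384.crt" || true    # fail: key does not match cert
  rm -rf "$d"
fi
```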
Load Balancer (optional)
For a large system with multiple servers, Docker Swarm will provide a minimal level of load balancing via the ingress mesh network it uses. However, supplementing this with an external load balancer provides some additional benefits. One benefit is that the certificate can be offloaded to a load balancer to ease the management of the certificate. Otherwise, the certificate can be loaded directly onto the Docker web server. This would mean that each Docker server would need to be updated when the certificate expires (yearly, depending on the length of the certificate purchased by the installer/end customer).
Email Server
The application will require access to an email or SMTP server to allow the invitations and notifications for guests to be sent, and to allow updates to guest arrivals to be sent to the host. The SMTP server will also support emails from CONNECT with regard to audit and access privilege request/approval notifications.
Internet Connectivity
For the system to be accessible from external sources, the environment requires internet access. Internet access is also used to download and update the application; however, alternative methods are available if needed, and it is possible to run all aspects of CONNECT and GUEST without access to the internet.
Apple/Google Event Pass
Symmetry GUEST offers a feature that allows for credentials to be pre-assigned and sent out in the form of either a Google or Apple Event Pass. When configured, this feature will be able to include a link in the visitor welcome email to add the pass to either the user's Google or Apple wallet application on their smartphone, allowing it to be used as their visitor pass.
To enable this functionality, the Integrator/end-user will need to set up and configure a Google Merchant Account and/or Apple Developer Account. Instructions to do so can be found below:
Web Routing of URL to Docker
The integrator or end-user will need to provide an SSL certificate and domain. The certificate provider may need to add a DNS entry to direct the URL to the end customer’s internet gateway. From its gateway entry point, the end user’s IT team would then need to NAT the gateway address from the entry point through to the load balancer or the Ubuntu Docker server that holds the SSL certificate.
To increase the security of the environment, it is advised to separate the machines into different DMZs: an internet-facing DMZ for the Docker servers; an application DMZ for RabbitMQ, REDIS, and Elastic; and a backend DMZ for the SQL server. This requires the installer to set the firewall rules between each of the DMZs. The firewall rules are listed in the appendix below.
Application Deployment
The application is typically deployed onto the virtual machines provided by the integrator and/or end user by AMAG Technology Professional Services via remote access³. The typical installation occurs via the use of the CONNECT/GUEST online installer, which is downloaded directly from AMAG Technology’s private Bitbucket repository to the primary Docker server. When executed, it will utilize Ansible to connect to the servers and install the separate components, including Docker, Elasticsearch, Redis and RabbitMQ. During this process, the images used to create the Docker containers will be downloaded from the AMAG Technology private Docker registry.
In addition to the online installer, an offline installer is also available for systems that are not able to access an outside internet connection. This installer essentially allows the user to download the required files to a separate machine, build the installer, and upload it to the primary Docker server. This is available for both the initial installation as well as upgrades.
Note
The installation process will require a user account with SUDO access. This same account should be created on all servers used for the application.
For servers running Red Hat Enterprise Linux, the same online and offline installer options are available. However, in this case, it is the responsibility of the integrator and/or end-user to install and configure Docker Enterprise Edition on all Docker servers.
³ On-site deployment is also available if required.