Best Practices for Connectors

For more information on the Agilicus Connector, refer to this introduction to Connectors.

Best Practices for Connectors

Micro-Segmentation

The only thing technically required for the Connector is the ability to reach (connect, ping) the resource you’re trying to get to. These resources can be remote desktops, web applications, SSH, or another similar service. The closer your users get to the resource they want to access, the more it will be secured against local risks. This is why we encourage you to have every machine that exposes resources to have its own Connector on it. This approach is more commonly known as micro-segmentation.

There are ways through network deployment technologies that you can create that micro-segmentation without having a Connector. You can read more about that in this whitepaper.

Consider the below comparison. On the right, in blue, shows the data paths for an Agilicus AnyX deployment via the connector. On the left, in red, shows how a VPN might work. In this model, a dual-homed industrial PC handles 2 segments, 1 entirely internal.

Where to Install the Connector

We often get asked where the Connector should be installed, and we recommend putting it on a stable machine that will be up all the time. You don’t want it on a laptop in reception, for example. 

The machine you install it on should of course have access to the resources and be close enough to the resources so that you’re not worried about something that’s closer that’s able to reach them without it. The Connector doesn’t require a lot of Memory or CPU and runs on almost any platform, so you have considerable flexibility.  

So in practice, most of our customers initially use one Connector per site or one per network. Let’s use an example of a company that has three subnets: a production network, an engineering network, and a marketing network. There could be three Connectors in that environment, but if the production environment has five different production lines, that might be one per line.

In the diagram shown, installing a connector at (1) means the blast-radius is the entire building. Installing a connector at (2) means we can control access in and out of our data centre with high precision. Instaling at (3) means we can do privileged access to a single server (e.g. block all inbound traffic for remote desktop except through the Agilicus AnyX Zero Trust).

A connector at (4) might suggest a departmental breakdown.

Looking at a production facility, we might find one connector per manufacturing ‘line’ (5). This would allow e.g. ensuring upgrades stay in the appropriate area and downtime. Moving the conector internal to each IPC can give perfect micro-segmentation.

Not shown, but common, using network devices (e.g. VLAN’s with isolation) to achieve the same effect with less software deployed.

High Availability

• When should I use this?
• When should I not?

Agilicus Connectors support high availability. This means there is more than one Connector that is always active. If, for whatever reason, the machine running the Connector died, your end users won’t experience any loss of service.

High availability is not appropriate if you have a Share (in this model, you might handle the high-availability externally, for example using Windows Clustering).

Connector Nomenclature 

It’s up to you how you choose to name your Connectors, but it should mean something to you. Most of our customers just use either the machine it is installed on, or the site/region/network segment for the name, but you may want to take a different approach. 

Conclusion

These best practices will help you use Connectors effectively in Agilicus AnyX and give you the information you need to set them up the way in the best way for your organisation’s needs.

If you have any feedback, questions, or issues you’re experiencing, message our team via the chat button in your administrative portal or email us at support@agilicus.com.