Optional External Component Integration with SecureCircle SaaS

When using the SecureCircle SaaS, some SecureCircle Server components hosted in the SaaS may need connectivity to optional external components. The following describes the recommendations for providing connectivity for each optional integration when using the SecureCircle SaaS.

Adding Active Directory Groups using Powershell (Highly recommended)

PowerShell may be used to import Active Directory Groups to the SecureCircle Server. The required script can be found under the Add Active Directory Groups using PowerShell section of our Command Line Reference guide

TLS/SSL-based Access

The SecureCircle Server reaches out to the external service over a public interface using a channel protected by the TLS/SSL protocol. This requires the forwarding of a port (generally on an on-premise firewall) to the given service from the public IPs of the SaaS instances. Two dedicated public IP addresses are provided to SaaS customers when a SaaS environment is provisioned.

• Active Directory - LDAPS (TCP 636)
• SIEM (Syslog server) - Syslog-TLS (TCP 6514)
• KMS - KMS vendor-specific (possibly TCP 5696)
• SMTP - SMTP/TLS (TCP 587)

IPSec VPN

An IPSec VPN tunnel is established between the otherwise-isolated SecureCircle SaaS network and an on-premise appliance/set of appliances (usually built into firewalls/routers), allowing the secure intercommunication of private IP subnets on both sides. If an IPSec VPN is requested by the customer and TLS/SSL-based Access is not an option, an IPSec VPN configuration is provided once the VPN endpoints are provisioned in the SaaS environment. The SaaS private subnet must not match a subnet already routed by the on-premise router/VPN appliance.

Establishing this secure tunnel enables otherwise non-encrypted traffic to be secure, enabling the use of LDAP (vs LDAPS), Syslog over UDP/TCP, and non-TLS/SSL SMTP over TCP 25.

Because of the overhead in establishing and maintaining the IPSec VPN, this method should only be chosen if TLS/SSL-based access to individual components is not an option.

Configuration

The VPN gateway will be configured on request. SecureCircle requires the following information:

• The make/model of the IPsec VPN endpoint. If available, configuration will be tailored to your appliance. A generic configuration can be provided as well.
• The IP address of the VPN endpoint. This must be accessible from the internet.
• The local subnet(s) to be routed over the VPN.

SecureCircle will provision the VPN gateway and provide the following:

• The SaaS local subnet. This defaults to 192.168.180.0/24. If there will be routing conflicts this can be modified on request.
• A default VPN configuration will be provided. See here for notes on stronger security options, and here for available options.