
Endpoint Config: (Optional) Installing and Configuring Relay Server

Document created by RSA Information Design and Development Employee on Jul 9, 2019. Last modified by RSA Information Design and Development Employee on Oct 16, 2020.
Version 16

Note: The information in this topic applies to RSA NetWitness Platform Version 11.3.1 and later.

Relay Server (referred to as RAR in RSA Endpoints) extends NetWitness Platform's visibility into endpoints when they are outside the corporate network. A Relay Server deployed in a cloud or DMZ relays the endpoint data between the hosts and the Endpoint Server: hosts that are outside the corporate network send their endpoint data to the configured Relay Server, and the corresponding Endpoint Server pulls the data from it.

Note: If you have Windows hosts that are outside the corporate network, the log data is not sent to the Relay Server.

You can configure a Relay Server on the Endpoint Server Config view. Once the Relay Server is configured, the policy for the host is automatically updated and you can view the Relay Server settings on the Host Details view > Policy Details panel.

You can configure a single Relay Server with one or more Endpoint servers. In this case, the Relay Server ensures that the endpoint data reaches the Endpoint Server configured in the policy.

The following describes the architecture of the Relay Server.

The following flowchart explains how the host switches to the Relay Server.

Installing the Relay Server

The Relay Server installer contains binaries, certificates, configuration files, and the installation script required to install the Relay Server.

IMPORTANT:
- The Relay Server version must match the corresponding NetWitness Endpoint Server version. If you plan to upgrade a Relay Server to a newer version, first upgrade the Endpoint Server, then download the Relay Server installer, and run the installer script.
- Operating System updates and general system hardening on the Relay Server must be managed by the customer according to standard best practices. The Relay Server package does not contain OS updates and the operating system will not be updated as part of the standard NetWitness update process.
- Do NOT run the nwsetup-tui script to install the Relay Server. Follow only the instructions in this document, because the Relay Server is an independent server and is not part of the NetWitness Platform UI (Admin > Hosts).

Installation Media

The Relay Server can be installed only on a CentOS 7 or NetWitness Platform 11.4.0.0 base image, which is available for download from Download Central (https://download.rsasecurity.com). Also, make sure that the Relay Server host is connected to the internet so that it can download the required dependencies.
For more information on deploying Relay Server host on a:

  • DMZ - see "Step 1a. Deploy the Virtual Host to create VM" in the Virtual Host Installation Guide.
  • Cloud
    • see "Step 1. Deploy NW Server Host" in the Azure Installation Guide.
    • see "AWS Deployment" in the AWS Installation Guide.

Relay Server Host System Requirements

                        
Agents RAM CPU Cores DiskIdeal Beacon Interval
2000032 GB 4 cores 200GB 5 min

To install the Relay Server:

  1. Log in to NetWitness Platform.
  2. Click (Admin) > Services.
  3. Select the Endpoint Server service and click > View > Config > Relay Server tab.
  4. In the Download Installer section, enter the installer password and click Download to download the Relay Server installer file (RelayInstaller.zip).
  5. Copy the Relay Server installer file (RelayInstaller.zip) to the Relay Server host.
  6. Unzip the RelayInstaller.zip file on the Relay Server host:

    unzip <installer path>

    For example:

    unzip /home/RelayInstaller.zip

  7. Set up the execution permission using the following command:

    chmod +x install.sh

  8. Run the installer script using the following command:

    ./install.sh

    The message "All necessary RPMs will be installed without further prompts" is displayed.

  9. Enter Y to continue the installation.

    The password prompt is displayed.

  10. Enter the password.

    Note: Make sure you enter the same password you set while downloading the Relay Server installer.

    Note: If you are re-installing the Relay Server host, the "Do you wish to update the list" prompt is displayed.
    - Enter Y to update the Endpoint Server IPs.

    The "Enter the Endpoint Server IPs" prompt is displayed.

  11. Enter a comma-separated list of all the Endpoint Server IPs you plan to configure with the Relay Server.

If the Relay Server installation is successful, you can check the status of the services:

  • Check if the Relay Server is up and running:

    systemctl status rsa-nw-relay-server

  • Check if Nginx is running:

    systemctl status nginx

You can also update Endpoint Server IPs without installing the Relay Server.

To update Endpoint Server IPs without installing the Relay Server:

  1. Run the following command:

    bash /var/netwitness/relay-configure-allowed-hosts.sh

    The list of all the configured Endpoint Server IPs is displayed, followed by the "Do you wish to update the list" prompt.

  2. Enter Y to update the list of Endpoint Server IPs.

    The "Enter the Endpoint Server IPs" prompt is displayed.

  3. Enter a comma-separated list of all the Endpoint Server IPs to update.

    The list of updated IPs is displayed.
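A pre-flight check for the comma-separated list typed at the "Enter the Endpoint Server IPs" prompt, both during installation and when running relay-configure-allowed-hosts.sh. This is an added example, not part of the RSA installer; it assumes the entries are IPv4 dotted-quad addresses, and the function names and sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the RSA installer). Assumes IPv4 entries.

# Succeeds only for a strict dotted-quad: four decimal octets, each 0-255,
# with no leading zeros (some parsers read "010" as octal).
valid_ipv4() (
    case $1 in
        '' | *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            0) ;;
            0* | ????*) return 1 ;;   # leading zero or more than 3 digits
        esac
        [ "$octet" -le 255 ] || return 1
    done
)

# Prints the list with whitespace removed and returns 0. An invalid,
# empty or duplicate entry gives a message on stderr and status 1.
normalize_ep_list() (
    raw=$(printf '%s' "$1" | tr -d '[:space:]')
    case $raw in
        '') echo "empty list" >&2; return 1 ;;
        *[!0-9.,]*) echo "unexpected character in list" >&2; return 1 ;;
    esac
    out=
    IFS=,
    for entry in $raw; do
        valid_ipv4 "$entry" || { echo "not a valid IPv4 address: '$entry'" >&2; return 1; }
        case ",$out," in
            *",$entry,"*) echo "duplicate entry: $entry" >&2; return 1 ;;
        esac
        out=${out:+$out,}$entry
    done
    printf '%s\n' "$out"
)

# Constructed sample input (addresses are placeholders).
normalize_ep_list " 10.10.1.5, 10.10.1.6 "
```

Paste the printed list at the prompt only when the function returns 0.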

Configuring the Relay Server

Make sure you have installed the Relay Server.

Note: During Relay Server host installation, firewalld is configured to allow incoming connections only on TCP ports 443 and 22.
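To confirm the exposure stated in the note above, the following added example (not RSA's code) compares the output of firewall-cmd --list-ports and firewall-cmd --list-services against TCP ports 22 and 443. The function names and the sample input are constructed; treating the firewalld service names ssh and https as equivalent to those ports is an assumption about how the openings may be listed.

```shell
#!/bin/sh
# Added example (not RSA's code): audit firewalld openings against the
# exposure stated for the Relay Server host, TCP 22 and 443 only.
EXPECTED="22/tcp 443/tcp"

# Assumption: ssh and https are the firewalld service names that may stand
# in for the two ports. Any other service is reported by name.
service_to_port() {
    case $1 in
        ssh)   echo 22/tcp ;;
        https) echo 443/tcp ;;
        *)     echo "service:$1" ;;
    esac
}

# $1: output of `firewall-cmd --list-ports`
# $2: output of `firewall-cmd --list-services`
# Prints one UNEXPECTED/MISSING line per finding; returns 1 if any.
audit_relay_firewall() (
    set -f                      # no globbing while word-splitting input
    status=0
    open=
    for p in $1; do open="$open $p"; done
    for svc in $2; do open="$open $(service_to_port "$svc")"; done
    for p in $open; do
        case " $EXPECTED " in
            *" $p "*) ;;
            *) echo "UNEXPECTED $p"; status=1 ;;
        esac
    done
    for p in $EXPECTED; do
        case " $open " in
            *" $p "*) ;;
            *) echo "MISSING $p"; status=1 ;;
        esac
    done
    return "$status"
)

# Constructed sample input, not captured from a real host.
audit_relay_firewall "443/tcp" "ssh dhcpv6-client" || echo "review firewalld rules"
```

On the Relay Server host, call it as audit_relay_firewall "$(firewall-cmd --list-ports)" "$(firewall-cmd --list-services)". Rich rules and zones other than the default one are outside what it checks.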

To configure the Relay Server:

  1. Log in to NetWitness Platform.
  2. Click (Admin) > Services.
  3. Select the Endpoint Server service and click > View > Config > Relay Server tab.

    The Relay Server tab is displayed.

  4. Select the Enable Relay Server check box to enable the Relay Server configuration.

    Note: To disable the Relay Server, clear the Enable Relay Server check box.

    Caution: If the hosts will always be roaming, migrate them to an alternate Endpoint Server configured with a different Relay Server before you disable the Relay Server configuration. Otherwise, these hosts will not be able to connect back to the corporate network. When you disable the configuration, the Relay Server settings are removed from the EDR policy.

  5. In the Configure section:

    1. Enter the ESH.
    2. Specify the Relay Server, Port and HTTP Beacon Interval.

    IMPORTANT: RSA recommends that you provide a hostname that both the agents and the Endpoint Server can resolve, instead of an IP address.

  6. Click Test Connection to check if the Relay Server is reachable.
  7. Click Save Configuration to save the configuration.

Note: Before you modify the Relay Server configuration, perform any one of the following:
- Make sure that the hosts are inside the corporate network so that the policy with the Relay Server configuration is applied.
- If the hosts will always be roaming, migrate them to an alternate Endpoint Server configured with a different Relay Server.

IMPORTANT: You must change the root password after you deploy the Relay Server host.
