.. Reminder for header structure:
  Parts (H1) : #################### with overline
  Chapters (H2) : ******************** with overline
  Sections (H3) : ====================
  Subsections (H4) : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6) : """""""""""""""""""""

.. _install_requirements:
#######################################
Checking WAPT Installation requirements
#######################################
*************************
Installation requirements
*************************
Naming conventions
==================
You have to take into consideration a few security points in order to extract all possible benefits from WAPT:
* If you are familiar with Linux, we advise you to install WAPT Server directly on Debian or a RedHat based distribution following the security recommendations of French :term:`ANSSI` or the `recommendations of your state cyberdefense agency `_.
* Although the WAPT Server is not designed to be a sensitive asset, we recommend it to be installed on a **dedicated host** (physical or virtual).
.. attention::

  In all steps of the documentation, **you will not use any accent or special characters** for:

  * user logins;
  * path to the private key and the certificate bundle;
  * the :abbr:`CN (Common Name)`;
  * the installation path for WAPT;
  * group names;
  * the name of hosts or the name of the server;
  * the path to the folder :file:`C:\\waptdev`.

Hardware recommendations
========================
The WAPT Server can be installed either on a virtual server or a physical server.
.. list-table:: Optimal RAM and CPU recommendations for the WAPT Server
  :header-rows: 1
  :widths: auto
  :align: center

  * - Size of the network
    - CPU
    - RAM
    - Server optimization to apply
  * - From 0 to 300 WAPT Agents
    - 2 CPU
    - 2024 Mio
    - No
  * - From 300 to 1000 WAPT Agents
    - 4 CPU
    - 4096 Mio
    - Yes
  * - From 1000 to 3000 WAPT Agents
    - 8 CPU
    - 8192 Mio
    - Yes
  * - From 3000 WAPT Agents onward
    - 16 CPU
    - 16384 Mio
    - Yes

.. CLARIFY, what is Server optimization to apply
* A minimum of 10GB of free space is necessary for the system, the database and log files.
* **For better performance, Tranquil IT recommends the database to be stored on fast storage, such as SSD drives or PCIe-based solid-state drives**.
* The overall disk requirement will depend on the number and size of the WAPT packages (software) that you will store on your main repository; 30GB is a good start.
  It is not strictly required to store WAPT packages on fast drives.
* Finally, we know of users with WAPT Servers equipped with multiple 10Gbps networking interfaces deploying massive Catia, National Instruments and Solidworks update packages at full speed on their :abbr:`LAN (Local Area Network)`.
Software recommendations
========================
Operating system
----------------
The WAPT Server is available on Linux and Windows:
* For Linux, **Debian 11 and 12**, **Red Hat 7 / 8 and derivatives**, **Ubuntu server LTS 20.04** 64 bit versions are supported.
.. note::
SELINUX is supported but not mandatory.
* For Windows, WAPT Server can be installed on **Windows Server** 64 bit versions supported by Microsoft (Win2012r2, Win2k16, Win2k19 or Win2k22).
Depending on your needs, it can also be installed on a recent Win10 Pro/Ent version (20H2 or later).
.. attention::
* The WAPT Server will only run on **64bit** based systems.
* Install the Server **without** the graphical user interface.
* :program:`Systemd` must be enabled.
.. _open_ports:
Open Ports
----------
.. figure:: wapt-resources/wapt_concept_data-and-ports_flow-diagram.png
:align: center
:alt: Data-flow diagram for WAPT
Data-flow diagram for WAPT
Only ports **80** and **443** **MUST** be opened to incoming connections as the WAPT framework works with websockets initiated by the WAPT Agents.
Inbound
^^^^^^^
.. list-table:: Inbound ports to open for WAPT to work
  :header-rows: 1
  :widths: auto
  :align: center

  * - Protocol
    - Port number
    - Source
    - Destination
    - Description
  * - `TCP`
    - **80**
    - All WAPT Agents
    - WAPT Server
    - Websocket connection (unsecured) for downloading packages and KB.
  * - `TCP`
    - **443**
    - All WAPT Agents
    - WAPT Server
    - Websocket connection for downloading packages and KB.
  * - `UDP`
    - **69** Note: tftp uses ephemeral / dynamic ports for data transport.
      If you have a firewall between the WAPT Server and the fleet of computers, be sure to enable support for tftp conntrack.
    - **All computers** using :ref:`WADS deployment ` TFTP method.
    - WAPT Server
    - To download the first stage of OS boot files before HTTP becomes available.

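
The inbound table can be turned into a check on the server itself. The script below is an added example, not part of the WAPT documentation or of WAPT's own code: it parses the output of ``ss -H -tuln`` and reports listeners reachable from the network that are not in the table, as well as required ports that are not listening. The sample output is constructed, the names ``REQUIRED``, ``OPTIONAL`` and ``audit`` are hypothetical, and administrative services such as SSH are reported for review because the table does not list them.

```python
"""Audit listening sockets on a WAPT Server against the inbound port table."""
import ipaddress

# Inbound ports from the table above; UDP 69 is only needed for WADS TFTP.
REQUIRED = {("tcp", 80), ("tcp", 443)}
OPTIONAL = {("udp", 69)}

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
SAMPLE_SS = """\
udp   UNCONN 0      0            0.0.0.0:69          0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80          0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443         0.0.0.0:*
tcp   LISTEN 0      244        127.0.0.1:5432        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:8080        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22             [::]:*
tcp   LISTEN 0      4096               *:9100              *:*
"""


def is_loopback(addr):
    """True when the bind address is only reachable from the host itself."""
    addr = addr.split("%")[0].strip("[]")  # drop %iface scope and IPv6 brackets
    if addr == "*":
        return False  # wildcard bind: reachable on every interface
    return ipaddress.ip_address(addr).is_loopback


def audit(ss_output):
    """Return (unexpected, missing) sets of (protocol, port) tuples."""
    exposed = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # not a socket line
        addr, _, port = fields[4].rpartition(":")  # Local Address:Port column
        if not port.isdigit() or is_loopback(addr):
            continue  # loopback-only listeners are not reachable by agents
        exposed.add((fields[0], int(port)))
    return exposed - REQUIRED - OPTIONAL, REQUIRED - exposed


if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE_SS)
    for proto, port in sorted(unexpected):
        print(f"REVIEW  {proto}/{port} is reachable but not in the inbound table")
    for proto, port in sorted(missing):
        print(f"MISSING {proto}/{port} should be listening for WAPT Agents")
```

On a real server, pass the text returned by ``ss -H -tuln`` to ``audit()`` instead of the sample.
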
Outbound
^^^^^^^^
.. list-table:: Outbound ports to open for WAPT to work
  :header-rows: 1
  :widths: auto
  :align: center

  * - Protocol
    - Port number
    - Source
    - Destination
    - Description
  * - `TCP`
    - **80**
    - WAPT Server
    - Internet
    - Websocket connection (unsecured) for downloading WAPT packages, :file:`wsusscn2.cab` and KB.
  * - `TCP`
    - **80**
    - WAPT Server
    - Linux repository (for Linux server) and Tranquil IT repositories ([#f1]_)
    - Uploading of WAPT packages using (unsecured) HTTP.
  * - `TCP`
    - **443**
    - WAPT Server
    - Linux repository (for Linux server) and Tranquil IT repositories ([#f1]_)
    - Uploading of WAPT packages using (secured) HTTPS.
  * - `TCP`
    - **53**
    - WAPT Server
    - Domain controller or :abbr:`DNS (Domain Name Service)` server
    - Domain name resolution.
  * - `TCP`
    - **389**
    - WAPT Server
    - Domain controller or :abbr:`LDAP (Lightweight Directory Access Protocol)` server
    - LDAP authentication to authenticate users with the WAPT Console or the WAPT Self-service.
  * - `TCP`
    - **636**
    - WAPT Server
    - Domain controller or :abbr:`LDAP (Lightweight Directory Access Protocol)` server
    - LDAP authentication.
  * - `UDP`
    - **123**
    - WAPT Server
    - Domain Controller or :abbr:`NTP (Network Time Protocol)` server
    - NTP to keep time synchronized and Kerberos working properly.

.. rubric:: Footnotes
.. [#f1] The following DNS names are the Tranquil IT repositories to authorize:
* `https://store.wapt.fr `_
* `https://wapt.tranquil.it `_
**********************
Tips before installing
**********************
.. _srv_dns:
Configuring the Organization's DNS for WAPT
===========================================
.. note::
**DNS configuration is not strictly required, but it is very strongly recommended**.
In order to make your WAPT setup easier to manage, it is strongly recommended to configure the :term:`DNS` server to include an ``A`` field or a ``CNAME`` field as below:
* *srvwapt.mydomain.lan*.
* *wapt.mydomain.lan*.
Replace *mydomain.lan* with your network's :term:`DNS` suffix.
These :abbr:`DNS (Domain Name Service)` fields will be used by WAPT Agents to locate the WAPT Server and their WAPT repositories closest to them.
Configuring DNS entries in Microsoft RSAT.
==========================================
* The ``A`` field **MUST** point to the WAPT Server IP address.
.. image:: wapt-resources/windows_rsat_dns-configure-alias_browser-window.png
:align: center
:alt: Configuring the A field in Windows RSAT
You can now install the WAPT Server on your favorite operating system:
* :ref:`Install the WAPT Server on GNU / Linux Debian `.
* :ref:`Install the WAPT Server on a RedHat based distribution `.
* :ref:`Install the WAPT Server on Windows ` (not recommended for large production networks).