1. Checking WAPT Installation requirements

1.1. Installation requirements

1.1.1. Naming conventions

You have to take into consideration a few security points in order to extract all possible benefits from WAPT:

  • If you are familiar with Linux, we advise you to install the WAPT Server directly on Debian or a Red Hat-based distribution, following the security recommendations of the French ANSSI or of your state cyberdefense agency.

  • Although the WAPT Server is not designed to be a sensitive asset, we recommend it to be installed on a dedicated host (physical or virtual).

Attention

Throughout the documentation, do not use accented or special characters in:

  • user logins;

  • path to the private key and the certificate bundle;

  • the CN;

  • the installation path for WAPT;

  • group names;

  • the name of hosts or the name of the server;

  • the path to the folder C:\waptdev.

1.1.2. Network recommendations

The WAPT Server uses client SSL authentication to authenticate the WAPT Agents, so the WAPT Server must perform the TLS termination itself. A WAF or reverse proxy that intercepts and terminates TLS is therefore not supported.

A reverse proxy can be used in “stream” mode where supported, such as with the Nginx stream module or the HAProxy TLS Passthrough module. Please refer to the corresponding documentation for details.
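The “stream” mode layout described above, as an added Nginx configuration fragment (not taken from the WAPT documentation): the proxy forwards raw TCP, so the TLS handshake and the agent's client certificate reach the WAPT Server unchanged. The address 192.0.2.10, the upstream names and the certificate paths in the commented contrast block are placeholders.

```nginx
# Added example. Merge into nginx.conf at the top level: the stream {} block
# sits beside http {}, not inside it, and needs nginx built with the stream module.

stream {
    # Placeholder backend: replace 192.0.2.10 with the WAPT Server address.
    upstream wapt_https {
        server 192.0.2.10:443;
    }
    upstream wapt_http {
        server 192.0.2.10:80;
    }

    # TCP passthrough for HTTPS. There is no "ssl" on the listen directive and
    # no ssl_certificate here, so the proxy never decrypts the session: the
    # WAPT Server terminates TLS and sees the agent's client certificate.
    server {
        listen 443;
        proxy_pass wapt_https;
    }

    # Plain TCP relay for port 80.
    server {
        listen 80;
        proxy_pass wapt_http;
    }
}

# Unsupported layout, shown only for contrast. An http-mode virtual host
# terminates TLS on the proxy, so the agent's client certificate is presented
# to the proxy and never reaches the WAPT Server.
#
# http {
#     server {
#         listen 443 ssl;
#         ssl_certificate     /path/to/proxy.crt;   # placeholder path
#         ssl_certificate_key /path/to/proxy.key;   # placeholder path
#         location / {
#             proxy_pass https://192.0.2.10;
#         }
#     }
# }
```

After reloading, `nginx -t` validates the syntax; the certificate returned on port 443 through the proxy should be the WAPT Server's own certificate, not one held by the proxy.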

1.1.3. Hardware recommendations

The WAPT Server can be installed either on a virtual server or a physical server.

Optimal RAM and CPU recommendations for the WAPT Server

| Size of the network | CPU | RAM | Server optimization to apply |
|---|---|---|---|
| From 0 to 300 WAPT Agents | 2 CPU | 2048 Mio | No |
| From 300 to 1000 WAPT Agents | 4 CPU | 4096 Mio | Yes |
| From 1000 to 3000 WAPT Agents | 4 CPU | 8192 Mio | Yes |
| From 3000 WAPT Agents onward | 8 CPU | 16384 Mio | Yes |

  • A minimum of 10GB of free space is necessary for the system, the database and log files.

  • For better performance, Tranquil IT recommends the database to be stored on fast storage, such as SSD drives or PCIe-based solid-state drives.

  • The overall disk requirement depends on the number and size of the WAPT packages (software) that you store on your main repository; 30GB is a good start. It is not strictly required to store WAPT packages on fast drives.

  • Finally, we have knowledge of users with WAPT Servers equipped with multiple 10Gbps networking interfaces deploying at full speed massive Catia, National Instruments and Solidworks update packages on their LAN.

1.1.4. Software recommendations

1.1.4.1. Operating system

The WAPT Server is available on Linux and Windows:

  • For Linux, the 64-bit versions of Debian 10, 11 and 12, Red Hat 7, 8 and 9 and derivatives, and Ubuntu Server LTS 20.04 and 22.04 are supported. It is not mandatory to use a Linux server distribution, but use a non-graphical distribution.

Note

SELinux is supported but not mandatory.

Attention

  • The WAPT Server will only run on 64-bit systems.

  • On GNU/Linux, install the Server without a graphical user interface.

  • Systemd must be enabled.

  • For Windows, the WAPT Server can be installed on the 64-bit versions of Windows Server supported by Microsoft (Win2012r2, Win2k16, Win2k19 or Win2k22). Depending on your needs, it can also be installed on recent Win10 or Win11 Pro/Ent.

Attention

  • The WAPT Server will only run on 64-bit systems.

1.1.4.2. Open Ports

Data-flow diagram for WAPT


Only ports 80 and 443 MUST be opened to incoming connections as the WAPT framework works with websockets initiated by the WAPT Agents.

1.1.4.2.1. Inbound
Inbound ports to open for WAPT to work

| Protocol | Port number | Source | Destination | Description |
|---|---|---|---|---|
| TCP | 80 | All WAPT Agents | WAPT Server | Websocket connection (unsecured) for downloading packages and KB. |
| TCP | 443 | All WAPT Agents | WAPT Server | Websocket connection for downloading packages and KB. |
| UDP | 69 | All computers using WADS deployment TFTP method. | WAPT Server | To download the first stage of OS boot files before HTTP becomes available. |

Note on UDP port 69: tftp uses ephemeral / dynamic ports for data transport. If you have a firewall between the WAPT Server and the fleet of computers, be sure to enable support for tftp conntrack.

1.1.4.2.2. Outbound
Outbound ports to open for WAPT to work

| Protocol | Port number | Source | Destination | Description |
|---|---|---|---|---|
| TCP | 80 | WAPT Server | Internet | For downloading wsusscn2.cab and KB. |
| TCP | 80 | WAPT Server | Linux repository (for Linux server) and Tranquil IT repositories ([1]) | Uploading of WAPT packages using (unsecured) HTTP. |
| TCP | 443 | WAPT Server | Linux repository (for Linux server) and Tranquil IT repositories ([1]) | Uploading of WAPT packages using (secured) HTTPS. |
| TCP | 53 | WAPT Server | Domain controller or DNS server | Domain name resolution. |
| TCP | 389 | WAPT Server | Domain controller or LDAP server | LDAP authentication to authenticate users with the WAPT Console or the WAPT Self-service. |
| TCP | 636 | WAPT Server | Domain controller or LDAP server | LDAP authentication. |
| UDP | 123 | WAPT Server | Domain Controller or NTP server | NTP to keep time synchronized and Kerberos working properly. |

Footnotes

1.2. Tips before installing

1.2.1. Configuring the Organization’s DNS for WAPT

Note

DNS configuration is not strictly required, but it is very strongly recommended.

To make your WAPT setup easier to manage, it is strongly recommended to configure the DNS server to include an A field or a CNAME field as below:

  • srvwapt.mydomain.lan.

  • wapt.mydomain.lan.

Replace mydomain.lan with your network’s DNS suffix.

1.2.2. Configuring DNS entries in Microsoft RSAT

  • The A field MUST point to the WAPT Server IP address.

Configuring the A field in Windows RSAT

You can now install the WAPT Server on your favorite operating system: