1. Checking WAPT Installation requirements
1.1. Installation requirements
1.1.1. Naming conventions
You have to take into consideration a few security points in order to extract all possible benefits from WAPT:
If you are familiar with Linux, we advise you to install WAPT Server directly on Debian or a RedHat based distribution following the security recommendations of French ANSSI or the recommendations of your state cyberdefense agency.
Although the WAPT Server is not designed to be a sensitive asset, we recommend it to be installed on a dedicated host (physical or virtual).
Attention
In all steps of the documentation, do not use any accented or special characters for:
user logins;
path to the private key and the certificate bundle;
the CN;
the installation path for WAPT;
group names;
the names of hosts or the name of the server;
the path to the folder C:\waptdev.
1.1.2. Network recommendations
The WAPT Server uses SSL client authentication to authenticate the WAPT Agents. The WAPT Server must therefore perform the TLS termination itself. A WAF or reverse proxy that intercepts and terminates TLS is thus not supported.
It is possible to use a reverse proxy in “stream” mode if supported, for example with the Nginx stream module or HAProxy TLS passthrough. Please refer to the corresponding documentation for details.
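An Nginx configuration for the “stream” mode described above, shown beside the TLS-terminating form that breaks client authentication. This is an added example, not part of the WAPT documentation; the address 192.0.2.10, the upstream name wapt_server, the certificate paths and the timeout value are placeholders or assumptions.

```nginx
# Added example: fragment of nginx.conf for a proxy placed in front of WAPT.
# Placeholders (not from the WAPT documentation): 192.0.2.10, wapt_server,
# the certificate paths and the proxy_timeout value.

# NOT SUPPORTED: an http{} server with "listen ... ssl" terminates TLS on the
# proxy. The agent's TLS session ends here, so the WAPT Server never receives
# the agent's client credentials and cannot authenticate the agent.
#
# http {
#     server {
#         listen 443 ssl;
#         ssl_certificate     /etc/nginx/tls/proxy.crt;
#         ssl_certificate_key /etc/nginx/tls/proxy.key;
#         location / {
#             proxy_pass https://192.0.2.10;
#         }
#     }
# }

# SUPPORTED: the stream module forwards the TCP connection without decrypting
# it. The TLS handshake, including client authentication, is completed by the
# WAPT Server itself. The stream{} block sits at the top level of nginx.conf,
# beside http{}, not inside it.
stream {
    upstream wapt_server {
        server 192.0.2.10:443;
    }

    server {
        listen 443;                # plain TCP listener, no "ssl" parameter
        proxy_pass wapt_server;    # stream proxy_pass takes no URI scheme
        proxy_timeout 1h;          # assumed value; agents keep websockets open
    }
}
```

Because the proxy never holds the server's private key in this mode, the certificate the agents see is still the one installed on the WAPT Server.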
1.1.3. Hardware recommendations
The WAPT Server can be installed either on a virtual server or a physical server.

Size of the network | CPU | RAM | Server optimization to apply |
---|---|---|---|
From 0 to 300 WAPT Agents | 2 CPU | 2048 Mio | No |
From 300 to 1000 WAPT Agents | 4 CPU | 4096 Mio | Yes |
From 1000 to 3000 WAPT Agents | 4 CPU | 8192 Mio | Yes |
From 3000 WAPT Agents onward | 8 CPU | 16384 Mio | Yes |

A minimum of 10GB of free space is necessary for the system, the database and log files.
For better performance, Tranquil IT recommends the database to be stored on fast storage, such as SSD drives or PCIe-based solid-state drives.
The overall disk requirement will depend on the number and size of the WAPT packages (software) that you store on your main repository; 30GB is a good start. It is not strictly required to store WAPT packages on fast drives.
Finally, we have knowledge of users with WAPT Servers equipped with multiple 10Gbps networking interfaces deploying at full speed massive Catia, National Instruments and Solidworks update packages on their LAN.
1.1.4. Software recommendations
1.1.4.1. Operating system
The WAPT Server is available on Linux and Windows:
For Linux, Debian 10, 11 and 12, Red Hat 7, 8, 9 and derivatives, Ubuntu server LTS 20.04 and 22.04 64-bit versions are supported. It is not mandatory to use a Linux server distribution, but do use a distribution without a graphical interface.
Note
SELinux is supported but not mandatory.
Attention
The WAPT Server will only run on 64-bit systems.
Install the Server without the graphical user interface in GNU/Linux.
Systemd must be enabled.
For Windows, WAPT Server can be installed on Windows Server 64 bit versions supported by Microsoft (Win2012r2, Win2k16, Win2k19 or Win2k22). Depending on your need, it can also be installed on recent Win10 or Win11 Pro/Ent.
Attention
The WAPT Server will only run on 64-bit systems.
1.1.4.2. Open Ports
Only ports 80 and 443 MUST be opened to incoming connections as the WAPT framework works with websockets initiated by the WAPT Agents.
1.1.4.2.1. Inbound

Protocol | Port number | Source | Destination | Description |
---|---|---|---|---|
TCP | 80 | All WAPT Agents | WAPT Server | Websocket connection (unsecured) for downloading packages and KB. |
TCP | 443 | All WAPT Agents | WAPT Server | Websocket connection for downloading packages and KB. |
UDP | 69 | All computers using WADS deployment TFTP method. | WAPT Server | To download the first stage of OS boot files before HTTP becomes available. |

Note (UDP port 69): tftp uses ephemeral / dynamic ports for data transport. If you have a firewall between the WAPT Server and the fleet of computers, be sure to enable support for tftp conntrack.

1.1.4.2.2. Outbound

Protocol | Port number | Source | Destination | Description |
---|---|---|---|---|
TCP | 80 | WAPT Server | Internet | For downloading |
TCP | 80 | WAPT Server | Linux repository (for Linux server) and Tranquil IT repositories ([1]) | Uploading of WAPT packages using (unsecured) HTTP. |
TCP | 443 | WAPT Server | Linux repository (for Linux server) and Tranquil IT repositories ([1]) | Uploading of WAPT packages using (secured) HTTPS. |
TCP | 53 | WAPT Server | Domain controller or DNS server | Domain name resolution. |
TCP | 389 | WAPT Server | Domain controller or LDAP server | LDAP authentication to authenticate users with the WAPT Console or the WAPT Self-service. |
TCP | 636 | WAPT Server | Domain controller or LDAP server | LDAP authentication. |
UDP | 123 | WAPT Server | Domain Controller or NTP server | NTP to keep time synchronized and Kerberos working properly. |

Footnotes
1.2. Tips before installing
1.2.1. Configuring the Organization’s DNS for WAPT
Note
DNS configuration is not strictly required, but it is very strongly recommended.
In order to make your WAPT setup easier to manage, it is strongly recommended to configure the DNS server to include an A field or CNAME field as below:
srvwapt.mydomain.lan.
wapt.mydomain.lan.
Replace mydomain.lan with your network’s DNS suffix.
1.2.2. Configuring DNS entries in Microsoft RSAT
The A field MUST point to the WAPT Server IP address.
You can now install the WAPT Server on your favorite operating system:
Install the WAPT Server on Windows (not recommended for large production networks).