
Proofpoint Meta Networks VPN

Archived (pre-2022)

Preserved for reference only -- likely outdated. Last updated: December 2021

Proofpoint Meta is the zero-trust alternative to VPN for secure remote access.

Documentation

Index

How to onboard new metaports in new regions:
Metaport Deployment And Onboarding

Points of contact

OIT:

Meta: Ziv Cohen (Slack or email: zicohen@metanetworks.com)

Terraform code for metaport deployment

Metaports are EC2 instances deployed from an AMI image provided by Meta. To deploy new metaports in a new region or account, we have to ask Meta to share the AMI image with that region or account first.

Terraform code for metaport deployments:

OFW: metavpn (Github)

FairBid: terragrunt.hcl (Bitbucket)

Design

  1. Connecting OFW PRD EU-WEST-1, OFW STG EU-WEST-1, ci.fyber.com and the Jenkins slaves running macOS in the Berlin office

metavpn_ofw.png

  1. Connections to the FairBid subnets in the inneractive account go through our metaport instances; the remaining subnets in this account are managed by the DevOps team in Israel ( )

metavpn_fairbid.png

Mapped Subnets and DNS

Mapped Subnets

After the metaport instances are deployed in AWS and connected to Meta Networks (onboard the metaports with a token), create a Mapped Subnet, specify its subnet IP ranges, and assign it to the relevant metaports.

For example, for the Offerwall Mapped Subnet:

image2021-1-22_16-51-47.png

image2021-1-22_16-52-9.png

External DNS

If we need to use our own DNS servers to resolve internal names, we have to assign private DNS zones to the Mapped Subnet with the Enterprise DNS option. This makes Meta DNS forward queries for those private zones to our own DNS servers, which are installed in AWS and reachable from the metaports.

Our metaports should be configured to use our own DNS servers instead of the default ones received from DHCP. To do that, configure systemd-resolved on each metaport:

  1. Log in to every metaport instance over SSH:

```
ssh 10.37.119.22 -l ubuntu
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-1030-aws x86_64)

* Documentation:  https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:        https://ubuntu.com/advantage

 System information as of Fri Jan 22 16:00:46 UTC 2021

 System load:  0.0                Processes:             123
 Usage of /:   16.5% of 38.71GB   Users logged in:       0
 Memory usage: 11%                IP address for ens5:   10.37.119.22
 Swap usage:   0%                 IP address for lxdbr0: 198.51.100.1

* Introducing self-healing high availability clusters in MicroK8s.
  Simple, hardened, Kubernetes for production, from RaspberryPi to DC.

    https://microk8s.io/high-availability

* Canonical Livepatch is available for installation.
  - Reduce system reboots and improve kernel security. Activate at:
    https://ubuntu.com/livepatch

155 packages can be updated. 114 updates are security updates.

New release '20.04.1 LTS' available. Run 'do-release-upgrade' to upgrade to it.

Last login: Fri Jan 22 16:00:39 2021 from 10.37.136.116
```

  2. Edit the file /etc/systemd/resolved.conf so that the DNS= entry lists our own DNS servers:

```
[Resolve]
DNS=10.37.139.209 10.37.143.233
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#Cache=yes
#DNSStubListener=yes
```
  3. Restart the systemd services:

```
sudo systemctl restart systemd-networkd
sudo systemctl restart systemd-resolved
```
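Because this edit has to be repeated on every metaport, here is an added shell helper (not from the original page) that rewrites the DNS= entry of a systemd-resolved config file idempotently and prints the active value so the result can be checked before the service is restarted. The file path and server list are parameters; the addresses in the comments are the page's own, and the sample file in the usage is constructed.

```shell
#!/usr/bin/env bash
# Added example: set the DNS= entry in the [Resolve] section of a
# systemd-resolved config file (normally /etc/systemd/resolved.conf).
# Assumes the file has a [Resolve] section, as Ubuntu's default file does.
set -eu

# set_resolved_dns FILE "server1 server2": replace an existing DNS= or
# #DNS= line in [Resolve], or insert one if none exists; other lines and
# sections are left untouched, so running it twice gives the same file.
set_resolved_dns() {
    file=$1
    servers=$2
    tmp=$(mktemp)
    awk -v servers="$servers" '
        /^\[Resolve\]/ { in_resolve = 1; print; next }
        /^\[/          { if (in_resolve && !written) { print "DNS=" servers; written = 1 }
                         in_resolve = 0 }
        in_resolve && /^#?DNS=/ {
            if (!written) { print "DNS=" servers; written = 1 }
            next
        }
        { print }
        END { if (in_resolve && !written) print "DNS=" servers }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # write through, keeping the file owner and mode
    rm -f "$tmp"
}

# configured_dns FILE: print the active (uncommented) DNS= value, if any,
# e.g. "10.37.139.209 10.37.143.233" after the edit described on this page.
configured_dns() {
    sed -n 's/^DNS=//p' "$1"
}
```

After restarting systemd-resolved, `systemd-resolve --status` on Ubuntu 18.04 shows which servers the links actually use, so a metaport that is still sending queries to the DHCP-provided resolvers can be spotted before users notice failed internal lookups.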

User Management

In Meta, users are organised into groups, and each group has Access Policies assigned to it.

User Groups managed by DevOps Berlin:

| Name | Description | Policy |
| --- | --- | --- |
| BLN-DevOps | DevOps team in Berlin | all |
| BLN-Engineers | Berlin RnD: FairBid Backend, Fairbid SDK, Offerwall | Inn prd, Fairbid, OFW stg and prd, Berlin Office Jenkins Slaves, ci.fyber.com |
| BLN-Contractors-SDK | TBD | TBD |
| BLN-Contractors-Backend | TBD | TBD |
| BLN-FairBid-Analytics-Group | TBD | TBD |
| External-FairBid-BigBlueBubble | Group for external users | turnilo: https://big-blue-bubble.fairbidsdk-analytics.fyber.com/ |
| External-FairBid-Vizor | Group for external users | turnilo: Vizor Fairbidsdk Analytics |

Users can be assigned to groups manually or automatically from Okta:

  1. In the Okta admin console, find the Meta Networks app:
    image2021-1-22_16-41-24.png
  2. In the app configuration you can find the Okta groups; choose the needed group and assign the relevant Meta group (multiple Meta groups can be specified, separated by commas):
    image2021-1-22_16-42-49.png
  3. After this, all users in that Okta group are added automatically to the relevant Meta group.
  4. If you remove a user from the Okta group, or remove the assignment of Meta groups to the Okta group, the user is not removed from the Meta group automatically.