Basic details on the key parts of the SDM environment and what to check for each when things are not working as planned.
Gateways
- Required: outbound access to app.strongdm.com:443.
- Required, if configured: access to the configured syslog server.
- Port 5000 (or as configured): not required for a gateway to be alive, only for client access to it. A gateway shows without error even if this requirement is not satisfied.
- Same as relays, but gateways also listen on a public interface.
- Most are configured with a public IP address, but this is not necessary. As long as clients can reach one or more gateways, a private IP for the listening address is fine.
- Gateways don't connect outbound to clients.
- Gateways connect outbound to resources, either directly if there is a route from the gateway to the resource, or indirectly through relays if there is no direct route from the gateway to the resource.
Relays
- Required: outbound access to app.strongdm.com:443.
- Required: every relay must be able to connect outbound to at least one gateway.
- NOT required: inbound access to a relay from any other network element: not a client, nor another relay, nor a gateway.
- Required: relays must be able to reach outbound to the resources they are intended to connect to. This could be one or more resources.
- A particular relay does not have to be able to reach every resource.
Client
- 127.0.0.1 (localhost) must be on the allowlist.
- HTTP listener: port 65230 (not required if there are no HTTP/web resources).
- Client (outbound) MUST be able to reach app.strongdm.com on port 443.
- Client (outbound) MUST be able to reach at least one gateway on port 5000 (or another port, if configured with a non-default port).
- Can the client get to the gateway?
  - by customer: sdm doctor -v
- CLI listener: port 65220. Is there network interception (Zscaler, Netskope, etc.) or workstation endpoint protection (Sophos) causing SDM to fail?
- The GUI can show "reconnecting..." when there are no active gateways.
- Missing resources: check the granted role.
Gateways & Clients
- A client must be able to reach outbound at least one gateway on its default port.
Gateways & Resources
- A gateway may have to reach a resource through a relay if there is no direct path from the gateway to the resource.
- Every resource needs to be directly accessible by either a relay or a gateway.
- Resources don't need to be accessible by every relay/gateway.
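The checks above, turned into a small script that probes the required connections for one gateway, relay or client and reports which required items fail. This is an added example, not StrongDM's own tooling: the ports, the control-plane host and the per-role rules come from the lists above; the gateway, resource and syslog hostnames are placeholders the caller supplies.

```python
"""Connectivity checks for a StrongDM gateway, relay or client, following the lists above.
Ports, the control-plane host and the role rules are from the page; hostnames are the
caller's own (constructed placeholders in the examples)."""
import socket

CONTROL_PLANE = ("app.strongdm.com", 443)  # every role needs outbound access here
DEFAULT_GATEWAY_PORT = 5000                 # gateway listener, unless configured otherwise
CLIENT_CLI_PORT = 65220                     # client's local CLI listener
CLIENT_HTTP_PORT = 65230                    # client's local HTTP listener (web resources only)


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def checklist(role, gateways=(), resources=(), syslog=None, web_resources=False):
    """Return (name, host, port, required) tuples for a node of the given role.
    Gateway checks are 'any-of': relays and clients only need one reachable gateway."""
    checks = [("control plane", *CONTROL_PLANE, True)]
    if role == "gateway" and syslog:
        checks.append(("syslog", *syslog, True))
    if role in ("relay", "client"):
        checks += [(f"gateway {h}:{p}", h, p, True) for h, p in gateways]
    if role in ("gateway", "relay"):
        # A single node need not reach every resource; report these without failing.
        checks += [(f"resource {h}:{p}", h, p, False) for h, p in resources]
    if role == "client":  # local listeners: reachable only while the client is running
        checks.append(("CLI listener", "127.0.0.1", CLIENT_CLI_PORT, True))
        checks.append(("HTTP listener", "127.0.0.1", CLIENT_HTTP_PORT, web_resources))
    return checks


def evaluate(role, probe=tcp_reachable, **kw):
    """Run every check with probe(host, port); return (results, failures).
    probe is injectable so the logic can be exercised without network access."""
    checks = checklist(role, **kw)
    results = {name: probe(host, port) for name, host, port, _ in checks}
    gateway_names = [n for n in results if n.startswith("gateway ")]
    failures = ["no reachable gateway"] if gateway_names and not any(
        results[n] for n in gateway_names) else []
    failures += [name for name, _, _, required in checks
                 if required and not results[name] and not name.startswith("gateway ")]
    return results, failures
```

Run it from the affected node, e.g. `evaluate("client", gateways=[("gw1.example.internal", DEFAULT_GATEWAY_PORT)])`; an empty failure list means every required item on the checklist passed from that vantage point.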