Installation on Linux (Asset Mode)
XplicitTrust can run on Linux systems in two modes:
- Client Mode: for regular users to access services (like SSH, HTTPS, remote desktop, etc.).
- Asset Mode: services (like SSH, HTTPS, remote desktop, etc.) can be remotely accessed from an XplicitTrust client, or from another system running in asset mode.
This page contains the instructions for Asset Mode.
Prerequisites
- On the firewall:
  - Allow TCP port 443 (“HTTPS”) outgoing (usually already enabled).
  - If possible, allow UDP port range 51820 - 60000 outgoing for best experience.
Installation
- Run (to install XplicitTrust agent):
  sudo apt update
  sudo apt --yes install wireguard wireguard-tools wget iptables
  wget https://dl.xplicittrust.com/xtna-agent.deb
  sudo dpkg -i xtna-agent.deb
- Run (to start XplicitTrust agent):
- New users trying out the system may want to use the -allow-all-clients flag to assign the asset to the "Allow All" policy. Although it should be used cautiously in production, it is a good way to quickly experience how easy it is to connect systems in XplicitTrust without worrying about policies:
  # Asset will be added to the "Allow All" policy:
  sudo xtna-util -user <your_email_address> -allow-all-clients
- Experienced users may want to take advantage of various command line options, depending on circumstances:
  -name <name>             Asset name (defaults to hostname)
  -tags <tag1,...,tagN>    Comma-separated list of tags to be assigned to asset
  -allow-all-clients       Assign created asset to the 'Allow All' policy
  -qr                      print authentication URL as QR code
Some examples (you can of course also combine them any way you like):
# Simply create the asset ('Deny All' policy will apply) and print the authentication URL as a QR code (for scanning with a mobile phone):
sudo xtna-util -user <your_email_address> -qr
# Create asset and name it 'crm-server' ('Deny All' policy will apply):
sudo xtna-util -user <your_email_address> -name crm-server
# Create asset and assign the tags 'sales-servers,marketing-servers' ('Deny All' policy will apply):
sudo xtna-util -user <your_email_address> -tags 'sales-servers,marketing-servers'
# Register asset and assign to 'Allow All' policy
# Careful, it may be better to assign more restricted policies
sudo xtna-util -user <your_email_address> -allow-all-clients
A Note About Email Addresses
The email address needs to be the same one you use to log in to the XplicitTrust admin portal. In almost all cases this is the email address you use for single sign-on at your company.
Example:
sudo xtna-util -user my_name@my_company.de
A Note About Policies
The default policy is 'Deny All', meaning no client and / or asset has access to a new asset after it is created.
You can grant access to this asset by creating or updating an existing policy: https://console.xplicittrust.com/#/policies/.
You also have the option of assigning an asset to the 'Allow All' policy during installation by using the '-allow-all-clients' command line option specified above.
Special Case: Allowing Asset Access to Another Asset
We currently have a special case (temporarily): Granting one or more asset(s) access to an asset (rather than granting clients access, as outlined above).
This is possible, but does not happen on the regular policy page. Instead, you need to go to the Asset Policy page:
- Copy the URL that xtna-util returns, and open it from a browser where you can authenticate the admin email address used.
Prerequisites
- Click "Create new" button, fill out form, click "Apply"
- Click "Download Config" icon at top of the form box:
- On the firewall:
  - Allow TCP port 443 (“HTTPS”) outgoing (usually already enabled).
  - If possible, allow UDP port range 51820 - 60000 outgoing for best experience.
Installation
Run:
sudo apt update
sudo apt --yes install wireguard wireguard-tools wget iptables
wget https://dl.xplicittrust.com/xtna-agent.deb
sudo dpkg -i xtna-agent.deb
sudo xtna-util -import xtna-*.xtconfig
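Both installation procedures on this page fetch xtna-agent.deb with wget and install it as root with dpkg -i. The script below is an added example, not part of the XplicitTrust documentation: it installs the package only when its SHA-256 matches a digest you recorded yourself from a download you reviewed. PINNED_SHA256 and the function names are assumptions; this page publishes no checksum.

```shell
#!/bin/sh
# Added example (not XplicitTrust code): install xtna-agent.deb only when it
# matches a SHA-256 digest you recorded earlier from a reviewed download.
PKG_URL="https://dl.xplicittrust.com/xtna-agent.deb"   # URL from this page
# Placeholder: the page publishes no checksum, so supply your own record.
PINNED_SHA256="${PINNED_SHA256:-REPLACE_WITH_DIGEST_YOU_RECORDED}"

# sha256_matches FILE EXPECTED
# 0 = match, 1 = mismatch, 2 = EXPECTED is not a SHA-256 digest, 3 = unreadable
sha256_matches() {
    sm_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # An unset or unreplaced pin must fail closed, never compare as "equal".
    case $sm_expected in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#sm_expected}" -eq 64 ] || return 2
    [ -r "$1" ] || return 3
    sm_actual=$(sha256sum < "$1" | cut -d' ' -f1)
    [ "$sm_actual" = "$sm_expected" ]
}

# Download to a private temp dir, verify, show package metadata, then install.
# The body is a subshell so the EXIT trap and variables stay local to it.
install_pinned() (
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    deb="$tmp/xtna-agent.deb"
    wget -q -O "$deb" "$PKG_URL" || { echo "download failed" >&2; exit 1; }
    if ! sha256_matches "$deb" "$PINNED_SHA256"; then
        echo "digest mismatch or no valid pin set: not installing" >&2
        echo "downloaded: $(sha256sum < "$deb" | cut -d' ' -f1)" >&2
        exit 1
    fi
    dpkg-deb --info "$deb"    # control fields and shipped maintainer scripts
    sudo dpkg -i "$deb"
)

# Runs only when asked: PINNED_SHA256=<digest> sh install-pinned.sh --install
if [ "${1:-}" = "--install" ]; then
    install_pinned
fi
```

A mismatch after a vendor update is expected; review the new package and record its digest before changing the pin.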
Tested Linux Distributions:
Ubuntu 18.04, Ubuntu 20.04, Ubuntu 21.10, Ubuntu 22.04, Debian Bullseye