Skip to main content

Netskope Help

Install Cloud Exchange

This document is for non-Amazon ECS deployment. For guidance on how to install a Cloud Exchange for Amazon ECSGo-to-Icon.png image purchased through the AWS Marketplace, go to Install Netskope Cloud Exchange with AWS ECS Fargate.

Only an Admin should install Cloud Exchange. The docker images are available on docker-hub. Make sure the volume can connect to docker-hub before executing the ./start command. Ensure docker connectivity prior to running the docker-compose command.

Note

Ensure that the most up-to-date version of docker is installed on the host prior to installing or upgrading cloud exchange.

For guidance on how to back-up your data and files for restoration after a clean install, or for disaster recovery, read this article: Backup Cloud Exchange.

To ensure your cloud exchange instance notifies you whenever an update is available, go to Settings > General and click Check for Updates as shown here.

For guidance on how to upgrade/migrate to the newest code, refer to one of these articles:

To install Cloud Exchange:

  1. Please review and ensure that all host and connectivity requirements have been validated before starting the install.

    Note

    To install Cloud Exchange on a Red Hat Enterprise Linux host (8.x or newer), refer to this article for additional requirements related to RHEL 8.0.

  2. Clone the netskopeoss/ta_cloud_exchange public Github repository to a volume with with at least 20 GB of storage. Always clone to any folder other than /usr/local to avoid a conflict within Docker.

    mkdir netskope
    cd netskope
    git clone https://github.com/netskopeoss/ta_cloud_exchange
    cd ta_cloud_exchange

    Note

    If you are a Beta user, run the following command during Step 2 to download the beta version of a release instead of the git clone command shown above:

    git clone -b beta https://github.com/netskopeoss/ta_cloud_exchange

    During step 2, while executing the setup script, opt IN to beta to use the beta code rather than the default action of searching for the latest GA version.

  3. Execute the setup script and follow the steps:

    python3 ./setup
    1. Special characters (including, but not limited to "#", "$", "/", etc.) are not supported when setting the maintenance password for CE. Some of the processes do not work and will cause system failures if you use special characters.

    2. Only use alphanumeric values for the maintenance password used by the JWT token.

  4. Launch Cloud Exchange 3:

    ./start

The Cloud Exchange UI is now accessible with the system’s IP (https://<ip>).

How to Generate and Install an SSL Certificate into Cloud Exchange

When first installed, Cloud Exchange does not require an SSL certificate and the web server can be reached over an unencrypted connection.

Note

There are two SSL-related folders created on the file system: ssl_certs and ca_certs.

If you want to add your own SSL certificate(s), you can add them to the ta_cloud_exchange/data/ssl_certs directory. The name of certificate file should be cte_cert.crt and cte_cert_key.key. The steps below explain how to do this.

The ca_certs directory is used, for example, when you configure a plugin for an on-premises product (like MISP, QRadar etc.) that has a self signed SSL certificate issued by your organization. In this case, you need to put your CA certs in the ca_certs directory to add them to the trust chain.

After you have the certificate(s) you'd want to use for connecting to Cloud Exchange, follow the steps to install your private certificate(s) to securely access Cloud Exchange.

  1. Log in to your Cloud Exchange host via CLI.

  2. Browse to the directory ta_cloud_exchange/$.

  3. Execute the command run ./stop.

  4. Remove certificates by going to the /ta_cloud_exchange/data/ssl_certs directory and using these commands:

    $ rm -rf cte_cert.crt

    $ rm -rf cte_cert_key.key

  5. After the existing SSL certificate is removed, you can install your private SSL certificate.

    1. Copy new certs to /ta_cloud_exchange/data/ssl_certs ‘sudo cp -r ../<Path_of_SSL_Certificate>.

  6. Restart Cloud Exchange using the command $run ./start.

This video shows how to use a Cloud Exchange setup script to create a self-signed certificate to enable and access the Cloud Exchange UI over HTTPS.