On-prem Support - Dropzone Connector

Dropzone AI connects to APIs via its Data Source and Alert integrations. Many of these are reachable across the internet, such as third-party Threat Intelligence sources, corporate SaaS tools, and public cloud APIs. However, many corporate systems sit behind firewalls and VPNs for security reasons.

Customers are able to enable Dropzone to reach restricted systems by running a lightweight Dropzone Connector Client docker container within their secure environment. This process connects out to the Dropzone tenant network and establishes a reverse tunnel.

Dropzone Connector Architecture

Connector Security

The Dropzone Connector Client establishes an outbound HTTP session, inside which websockets are used to establish a two-way TCP session. On this TCP session a secure SSH session is established. This SSH session is authenticated by both the client and the server, and fully end-to-end encrypted.

The Dropzone integrations that require access to the protected resources tunnel their connections through this Connector Client container, so their source IP is from within your datacenter.

The Connector Client can be run on any host capable of running Docker containers, such as a physical server, VM, or inside your public/private cloud environment. For additional security you may wish to run the Connector Client on a machine in a DMZ and create restrictive firewall rules that allow it to only reach the machines you specify.
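
One way to express the restrictive firewall rules suggested above on the Docker host itself, as an added example rather than Dropzone's own tooling. The chain name `DZ-CONNECTOR`, the container address, the tenant endpoint and its port 443, and the internal hosts are all assumptions or constructed placeholders. The script prints the `iptables` commands for review instead of applying them.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables rules that limit which hosts the
# Connector Client container can reach. All addresses are constructed placeholders.
CHAIN=DZ-CONNECTOR   # hypothetical chain name

# Split "proto:ipv4:port" into $proto/$ip/$port; non-zero status if malformed.
parse_dest() {
  proto=${1%%:*}; rest=${1#*:}; ip=${rest%%:*}; port=${rest#*:}
  case $proto in tcp|udp) ;; *) return 1 ;; esac
  case $port in ''|*[!0-9]*) return 1 ;; esac
  [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  case $ip in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1; done
}

# Usage: connector_egress_rules CONTAINER_SRC DEST [DEST...]
connector_egress_rules() {
  [ $# -ge 2 ] && [ -n "$1" ] || { echo "usage: SRC DEST..." >&2; return 2; }
  src=$1; shift
  # Validate every destination first so a typo never yields a partial rule set.
  for d in "$@"; do
    parse_dest "$d" || { echo "bad destination: $d" >&2; return 2; }
  done
  echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
  for d in "$@"; do
    parse_dest "$d"
    echo "iptables -A $CHAIN -d $ip -p $proto --dport $port -j RETURN"
  done
  # Everything else from the container is logged, then dropped.
  echo "iptables -A $CHAIN -j LOG --log-prefix 'dz-connector-drop: '"
  echo "iptables -A $CHAIN -j DROP"
  # DOCKER-USER is the chain Docker evaluates before its own forwarding rules.
  echo "iptables -C DOCKER-USER -s $src -j $CHAIN 2>/dev/null || iptables -I DOCKER-USER -s $src -j $CHAIN"
}

# Constructed sample: container at 172.18.0.2; tenant endpoint (port 443 is an
# assumption), an internal DNS resolver, and one on-prem API an integration needs.
connector_egress_rules 172.18.0.2 \
  tcp:203.0.113.10:443 udp:10.0.0.2:53 tcp:10.0.5.20:8089
```

The tenant endpoint must be on the allowlist, otherwise the reverse tunnel itself is dropped. The `LOG` rule gives you a record of any attempt by the container to reach a host you did not specify.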

Enabling the Connector Client

Running the Connector Client requires a machine that

  • has Docker Engine (Docker CE) installed

  • is capable of running x86_64 Linux docker containers

  • has network connectivity to the systems you want to reach

This may be a machine dedicated to this container, or a multi-use resource that meets your security policy.

Henceforth we will call this machine the connector-client-host.

To install the Connector Client, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai

  • Click System > Connectors

System > Connectors Dropdown
  • On the "Main" connector tile, click "Configure"

"Main" Connector Tile
  • The configuration drawer will slide out from the right hand side

"Main" Connector Configuration
  • Download the Connector Client docker image by clicking on the link

  • Upload the connector Docker image to the connector-client-host, e.g. via scp.

  • Load the docker image on the connector-client-host

  • Copy the command in the Dropzone UI and run it on the connector-client-host:

  • Verify the connector is running by using docker ps

  • Click Close

  • Refresh the page and you should see that Main is now in "Connected" state:

Main Now Connected

When enabling Data and Alert sources that need on-prem access, be sure to specify this Connector Client.

If you have any errors, engage your Dropzone AI support representative.
