Network Configuration

This guide covers network setup for SPSA deployments.


Network Architecture

flowchart LR
    subgraph Internet
        U[Users]
        LE[Let's Encrypt]
        UPD[Update Servers]
    end
    subgraph DMZ
        SPSA[SPSA Gateway]
    end
    subgraph Internal
        T1[Windows Servers]
        T2[Linux Servers]
        DNS[DNS Server]
        NTP[NTP Server]
    end
    U -->|HTTPS 443| SPSA
    LE -->|HTTP 80| SPSA
    SPSA -->|HTTP/S 80/443| UPD
    SPSA -->|RDP 3389| T1
    SPSA -->|SSH 22| T2
    SPSA -->|UDP 53| DNS
    SPSA -->|UDP 123| NTP
    style LE fill:#fef3c7,stroke:#f59e0b
    style UPD fill:#fef3c7,stroke:#f59e0b

Network Placement

Place SPSA in a network segment that can:

  • Receive HTTPS connections from users
  • Receive HTTP connections for Let's Encrypt validation (public-facing deployments)
  • Connect to target systems on required ports
  • Access DNS and NTP services
  • Access internet for updates (optional but recommended)

Recommended: DMZ or management VLAN


Firewall Rules

Inbound to SPSA

Source    Port  Protocol  Purpose
Users     443   TCP       SPSA Portal (HTTPS)
Internet  80    TCP       Let's Encrypt validation (optional)

Port 80 for Let's Encrypt

Inbound port 80 is only required for public-facing deployments using Let's Encrypt automatic certificate management. For internal deployments with manually installed certificates, port 80 is not needed.

Outbound from SPSA

Destination      Port   Protocol  Purpose
Windows targets  3389   TCP       RDP connections
Linux targets    22     TCP       SSH connections
VNC targets      5900+  TCP       VNC connections
Telnet targets   23     TCP       Telnet connections (legacy)
DNS servers      53     UDP/TCP   Name resolution
NTP servers      123    UDP       Time synchronization
Internet         80     TCP       Appliance updates (HTTP)
Internet         443    TCP       Appliance updates (HTTPS)

Outbound Internet Access

Ports 80 and 443 outbound to the internet are required for appliance updates. If SPSA is deployed in an air-gapped environment without internet access, updates must be applied manually via other methods.


Protocol Flow Details

User Access Flow

flowchart LR
    A[User Browser] -->|HTTPS 443| B[SPSA Portal]
    B -->|RDP/SSH/VNC| C[Target System]

Let's Encrypt Validation Flow

flowchart LR
    A[Let's Encrypt CA] -->|HTTP 80| B[SPSA - Caddy]
    B --> C[Validation Response]

Appliance Update Flow

flowchart LR
    A[SPSA] -->|HTTPS 443 / HTTP 80| B[Update Repositories]
    B --> C[Package Downloads]

Port Summary

Required Ports

Direction  Port  Protocol  Required  Purpose
Inbound    443   TCP       Yes       User access to SPSA Portal
Outbound   3389  TCP       Yes*      RDP to Windows targets
Outbound   22    TCP       Yes*      SSH to Linux targets
Outbound   53    UDP/TCP   Yes       DNS resolution
Outbound   123   UDP       Yes       NTP time sync

*Required if using that protocol

Optional Ports

Direction  Port   Protocol  When Needed
Inbound    80     TCP       Let's Encrypt certificate validation
Outbound   80     TCP       Appliance updates (HTTP repositories)
Outbound   443    TCP       Appliance updates (HTTPS repositories)
Outbound   5900+  TCP       VNC connections
Outbound   23     TCP       Telnet connections (legacy)

DNS Configuration

Create DNS record for SPSA:

Type  Name                 Value
A     spsa.yourdomain.com  SPSA IP address

For Let's Encrypt to work, the DNS record must be publicly resolvable and point to the SPSA appliance.


IP Configuration

Configure static IP address for SPSA:

Parameter        Description
IP Address       Static IP for SPSA
Subnet Mask      Network subnet mask
Default Gateway  Gateway for external access
DNS Servers      DNS server addresses

Configuration is done through the appliance console or web interface.


Routing

Ensure SPSA has routes to:

  • All target systems (RDP, SSH, VNC, Telnet)
  • DNS servers
  • NTP servers
  • User networks (if not default route)
  • Internet (for updates and Let's Encrypt)

Deployment Scenarios

Public-Facing Deployment

For deployments accessible from the internet:

Inbound:

  • TCP 443 from users
  • TCP 80 from internet (Let's Encrypt)

Outbound:

  • TCP 3389/22/5900 to targets
  • UDP 53 to DNS
  • UDP 123 to NTP
  • TCP 80/443 to internet (updates)

Internal-Only Deployment

For deployments not accessible from the internet:

Inbound:

  • TCP 443 from internal users

Outbound:

  • TCP 3389/22/5900 to targets
  • UDP 53 to DNS
  • UDP 123 to NTP
  • TCP 80/443 to internet (updates, optional)

Air-Gapped Deployment

For deployments without internet access:

Inbound:

  • TCP 443 from internal users

Outbound:

  • TCP 3389/22/5900 to targets
  • UDP 53 to internal DNS
  • UDP 123 to internal NTP

Air-Gapped Limitations

Without internet access:

  • Let's Encrypt certificates cannot be used
  • Appliance updates must be applied manually
  • Use internal CA or self-signed certificates
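The following is an added example, not part of the SPSA documentation or of the appliance itself. It encodes the Port Summary above as data, filters it by deployment scenario and by which remote-access protocols are actually in use (the "Yes*" rows), and renders the result as an nftables ruleset for the appliance host with default-drop input and output chains. The scenario names, the 5900-5999 range standing in for "5900+", and the nftables table name are assumptions made for this example.

```python
"""Added example (not SPSA's own code): derive a host firewall rule list for an
SPSA appliance from the documented port matrix, tailored to one deployment
scenario and to the remote-access protocols in use, then render it as nftables."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

PUBLIC, INTERNAL, AIRGAP = "public", "internal", "air-gapped"   # assumed scenario names
SCENARIOS = {PUBLIC, INTERNAL, AIRGAP}


@dataclass(frozen=True)
class Rule:
    direction: str                               # "in" (to SPSA) or "out" (from SPSA)
    proto: str                                   # "tcp" or "udp"
    port: str                                    # single port or nftables range "lo-hi"
    purpose: str
    scenarios: Optional[FrozenSet[str]] = None   # None = applies in every scenario
    service: Optional[str] = None                # "Yes*" rows: only if that protocol is used


# The port matrix from the Port Summary. "5900+" for VNC is rendered as
# 5900-5999 here; that upper bound is an assumption, size it to your displays.
PORT_MATRIX = (
    Rule("in",  "tcp", "443",       "User access to SPSA Portal"),
    Rule("in",  "tcp", "80",        "Let's Encrypt validation",    frozenset({PUBLIC})),
    Rule("out", "tcp", "3389",      "RDP to Windows targets",      service="rdp"),
    Rule("out", "tcp", "22",        "SSH to Linux targets",        service="ssh"),
    Rule("out", "tcp", "5900-5999", "VNC connections",             service="vnc"),
    Rule("out", "tcp", "23",        "Telnet connections (legacy)", service="telnet"),
    Rule("out", "udp", "53",        "DNS resolution"),
    Rule("out", "tcp", "53",        "DNS resolution (TCP fallback)"),
    Rule("out", "udp", "123",       "NTP time sync"),
    Rule("out", "tcp", "80",        "Appliance updates (HTTP)",    frozenset({PUBLIC, INTERNAL})),
    Rule("out", "tcp", "443",       "Appliance updates (HTTPS)",   frozenset({PUBLIC, INTERNAL})),
)


def rules_for(scenario: str, services: FrozenSet[str] = frozenset({"rdp", "ssh"})) -> List[Rule]:
    """Return the rows of PORT_MATRIX that apply to a scenario and a set of used protocols."""
    if scenario not in SCENARIOS:
        raise ValueError(f"unknown scenario {scenario!r}")
    return [
        r for r in PORT_MATRIX
        if (r.scenarios is None or scenario in r.scenarios)
        and (r.service is None or r.service in services)
    ]


def nft_ruleset(scenario: str, services: FrozenSet[str] = frozenset({"rdp", "ssh"})) -> str:
    """Render the selected rules as an nftables table with default-drop chains.

    Only the documented ports are admitted; anything else (ICMP, a management
    session to the appliance) must be added deliberately.
    """
    selected = rules_for(scenario, services)
    lines = ["table inet spsa {"]                          # table name is an assumption
    for chain, direction in (("input", "in"), ("output", "out")):
        lines += [
            f"  chain {chain} {{",
            f"    type filter hook {chain} priority 0; policy drop;",
            "    ct state established,related accept",
            "    iif lo accept" if direction == "in" else "    oif lo accept",
        ]
        for r in selected:
            if r.direction == direction:
                lines.append(f'    {r.proto} dport {r.port} accept comment "{r.purpose}"')
        lines.append("  }")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Air-gapped appliance that fronts RDP, SSH and VNC targets.
    print(nft_ruleset(AIRGAP, frozenset({"rdp", "ssh", "vnc"})))
```

Review the rendered text before loading it with `nft -f`: because both chains default to drop, a scenario or service set that is chosen wrongly locks the appliance out of exactly the flows the tables above say it needs, which is the same failure the Troubleshooting section lists for each port.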

Testing Connectivity

After configuration, verify:

  1. Users can access https://spsa.yourdomain.com/
  2. SPSA can reach target systems (use sshping, rdpping)
  3. DNS resolution works
  4. Time is synchronized
  5. Updates can be downloaded (if internet access configured)

Connectivity Test Commands

From the SPSA console:

# Test SSH connectivity to target
sshping 192.168.1.50

# Test RDP connectivity to target
rdpping 192.168.1.50

# Display IP configuration
getip
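sshping, rdpping and getip are appliance console tools. Where the same checks are needed from another host in SPSA's network segment, or need to be scripted, the following added example (not SPSA code) covers items 1 to 4 of the verification list: a TCP handshake to each target port, the DNS record check from the DNS Configuration section, and an SNTP query over UDP 123 to measure clock drift. The addresses in the main block are constructed placeholders; open_local_listener exists only so tcp_reachable can be exercised offline.

```python
"""Added example (not SPSA's own code): scriptable connectivity checks that
mirror the verification list, runnable from any host in the SPSA segment."""
import socket
import struct
import time
from typing import Dict, List, Tuple

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TCP handshake to host:port completes.

    A firewall that drops traffic shows up as a timeout; a host that answers
    but has no listener refuses immediately. Both return False here.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def resolves_to(name: str, expected_ip: str) -> bool:
    """True when the resolver's answers for name include expected_ip.

    This is the SPSA A-record check: the name must resolve to the appliance
    address from wherever users (and, for Let's Encrypt, the internet) ask.
    """
    try:
        answers = {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return False
    return expected_ip in answers


def build_ntp_request() -> bytes:
    """48-byte SNTP client request: LI=0, VN=3, Mode=3 packed into the first byte."""
    return b"\x1b" + b"\x00" * 47


def parse_ntp_transmit_time(packet: bytes) -> float:
    """Convert the Transmit Timestamp field (bytes 40..47) to a Unix timestamp."""
    if len(packet) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    return seconds - NTP_EPOCH_OFFSET + fraction / 2 ** 32


def ntp_offset(server: str, timeout: float = 3.0) -> float:
    """Local clock minus server clock in seconds (network delay is ignored).

    Raises OSError (including socket.timeout) when UDP 123 is blocked.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ntp_request(), (server, 123))
        data, _ = sock.recvfrom(48)
    return time.time() - parse_ntp_transmit_time(data)


def run_checks(targets: List[Tuple[str, int]], portal_name: str, portal_ip: str,
               ntp_server: str, max_drift: float = 1.0) -> Dict[str, bool]:
    """Evaluate the verification list; returns {check name: passed}."""
    results = {f"tcp {host}:{port}": tcp_reachable(host, port) for host, port in targets}
    results["dns record"] = resolves_to(portal_name, portal_ip)
    try:
        results["ntp sync"] = abs(ntp_offset(ntp_server)) <= max_drift
    except OSError:
        results["ntp sync"] = False
    return results


def open_local_listener() -> Tuple[socket.socket, int]:
    """Throwaway loopback TCP listener so tcp_reachable can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


# Constructed NTP server reply (LI=0, VN=4, Mode=4) whose Transmit Timestamp is
# 3900000000.5 seconds since 1900; used to demonstrate the parser offline.
SAMPLE_NTP_RESPONSE = bytes([0x24]) + b"\x00" * 39 + struct.pack("!II", 3900000000, 0x80000000)

if __name__ == "__main__":
    # Placeholder addresses: replace with the SPSA host, its targets and your NTP server.
    checks = run_checks(
        targets=[("spsa.yourdomain.com", 443), ("192.168.1.50", 3389), ("192.168.1.51", 22)],
        portal_name="spsa.yourdomain.com", portal_ip="192.0.2.10", ntp_server="192.168.1.10",
    )
    for name, ok in checks.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run it from a user network to confirm item 1 (TCP 443 to the portal) and from the SPSA segment to confirm items 2 to 4; a FAIL for a given port maps directly onto the corresponding row of the Troubleshooting table.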

Troubleshooting

Issue                        Check
Cannot access web interface  Firewall allowing TCP 443 inbound
Cannot connect to targets    Firewall allowing SPSA outbound to target ports
DNS errors                   DNS server configuration, UDP 53 outbound
Time drift                   NTP server configuration, UDP 123 outbound
Let's Encrypt fails          TCP 80 inbound, public DNS record
Updates fail                 TCP 80/443 outbound to internet