Management connections for Security Engines and how they work
When you connect the Security Engine to the SMC, the Security Engine makes initial contact with the Management Server and receives a certificate.
The certificate allows the Security Engine to authenticate itself to other components in all further communications. When components contact each other, they check if the other component’s certificate is signed by the same internal certificate authority as their own certificate. The certificate authority runs on the Management Server, but is separate from the Management Server itself. The initial contact procedure is secured using a one-time password.
If using Forcepoint Network Security Platform appliances, you can connect them to the SMC using the plug-and-play configuration method. In plug-and-play configuration, you upload the initial configuration to the Installation Server. When the appliance is turned on with all cables connected, it downloads the initial configuration from the Installation Server. After this, the Security Engine automatically installs the initial configuration and makes initial contact with the Management Server. You can also specify a policy to be installed on the Security Engine when it makes initial contact with the Management Server.
If you save the initial configuration details on a USB drive, the appliance is configured automatically when you turn it on with the USB drive inserted. Alternatively, you can import the configuration details from a USB drive in the Security Engine Configuration Wizard.
You can also save the initial configuration details in some other suitable location or on the clipboard. You can then copy and paste or enter them manually in the Security Engine Configuration Wizard.
Limitations
- The plug-and-play configuration method is only available for Forcepoint Network Security Platform appliances. You must have a valid proof-of-serial (POS) code for each appliance you want to configure using the plug-and-play configuration method.
- Virtual Engines do not communicate directly with the SMC. All communication between Virtual Engines and the SMC is proxied by the Master Security Engine.
What should I know before I begin?
- Security Engine certificates expire three years after they are issued. If the automatic certificate renewal option is active, the certificate is renewed automatically before it expires.
- If the certificate of the Security Engine is lost or expires, the initial contact procedure must be repeated to reconnect the Security Engine to the other components.
- The internal certificate authority that signs the Security Engine certificates is valid for ten years. The internal certificate authority is automatically renewed six months before the expiration date and new certificates signed by the new internal certificate authority are automatically created for the Security Engines. If the automatic certificate renewal fails, you must again make initial contact with the Management Server so that the Security Engine receives a new certificate.
- When a new internal certificate authority is created, its initial status is Ready to Use and it is not yet Active. A new internal certificate authority in a Ready to Use state only signs Management Server certificates. Certificates for other SMC components are signed by the internal certificate authority that is used by the Management Server. In an environment with multiple Management Servers, the new internal certificate authority reaches Active status when all the Management Servers are using the new internal certificate authority.
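The mutual check described at the start of this page (a component accepts a peer only if the peer's certificate is signed by the same internal certificate authority) and the expiry rule in the list above, as an added Go example that is not Forcepoint's or the SMC's code. It builds a constructed self-signed internal CA, issues an engine certificate under it using the three-year and ten-year lifetimes stated on the page, and verifies a peer certificate the way a component would; all subject names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Lifetimes stated on the page: engine certificates last three years, the internal CA ten.
const (
	engineCertLife = 3 * 365 * 24 * time.Hour
	caLife         = 10 * 365 * 24 * time.Hour
)

// issue creates a key pair and a certificate for subject signed by parent; a nil parent
// yields a self-signed certificate, which is how the internal CA itself is built here.
func issue(subject string, life time.Duration, isCA bool, now time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed example: errors ignored
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))   // random serial number
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: subject}, IsCA: isCA,
		NotBefore: now, NotAfter: now.Add(life), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // CertSign only matters for the CA
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // constructed example: issuance only fails on a programming error
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// sameCA is the check a component makes when contacted: is the peer's certificate signed
// by the internal CA that signed my own, and still valid at this time? A certificate from
// a different CA, or an expired engine certificate, is rejected here.
func sameCA(myCA, peer *x509.Certificate, now time.Time) bool {
	pool := x509.NewCertPool()
	pool.AddCert(myCA)
	_, err := peer.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
```

Once the engine certificate passes its three-year NotAfter, sameCA returns false even though the CA is still valid, which is the situation in which the page says initial contact must be repeated.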