Agentless Network Deployment
Overview
While deploying the DefensX product, the preferred method involves installing the DefensX Agent on client devices. Agent-based installation not only supports mobility and roaming of the installed computers but also integrates the DefensX Extension into web browsers. This effectively converts them into Secure Browsers, providing continuous protection against sophisticated attacks across all open tabs, a level of security not achievable through DNS filtering alone.
However, certain scenarios may necessitate agentless deployment, particularly for non-compatible devices such as printers and POS systems. In such cases, a hybrid deployment approach can be employed. This involves installing agents on compatible devices while utilizing agentless deployment through network segmentation or DNS server configurations.
In certain situations, deploying the agent may not be feasible even if the client types are supported. This is particularly common in environments such as schools or guest Wi-Fi networks, where implementing DNS-only filtering is preferred. In such cases, our agentless network deployments come into play. They provide DNS-only filtering to clients, offering an entry level of security protection for internet access.
Configuring Public IP Addresses
The crucial step in agentless deployment is to add your Public IP addresses into the DefensX Backend. To access the configuration screen, first navigate to the Policies page. Then, click on the three-dot icon of the related deployment and select the Manage IPs menu, as shown below:
In this screen, you can add up to 5 IP addresses or CIDR blocks.
Tip: Available ranges are limited to a /24 CIDR network range. You can also use hostnames if you are using a dynamic DNS solution.
After configuring the Public IP addresses, you’ll find the DefensX Anycast DNS IP Addresses. DNS queries sent from those IP addresses will be answered by our Anycast DNS servers based on the configured policy in the deployment. Our default Anycast DNS Server IP addresses are:
- 3.33.220.70
- 3.33.218.70
Using Multiple DNS Policy For Same Public IP Address
If you need to apply different policies to certain devices while using the same Public IP Address, you can achieve this by utilizing different DNS Server Address Pairs. Follow the steps below:
- Navigate to the Policies page and click on the New Deployment button. Select the "Custom Deployment" option and provide a name for the deployment.
- After creating the deployment, return to the Policies page. Click on the three-dot icon of the newly created deployment and select the Manage IPs menu item.
- Add your Public IP Addresses.
- In the "Select DNS Server Address Pair" section, choose another pair of DNS addresses from the options and click the Change button.
- You’ll now see a new pair of IP Addresses alongside the default ones. If you have network segmentation, you can assign this new pair of IP addresses to the clients requiring different policies.
By configuring the new deployment in this manner, you can customize the Webfilter policy on the Policies page as needed. Despite the DNS request source addresses being the same, DefensX Anycast DNS servers can differentiate between policies based on the selected DNS Servers.
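Because the policy is selected by which DNS server pair a client queries, a client pointed at any other resolver is not filtered by the deployment. The following added example (not DefensX's own tooling) audits a Windows client's IPv4 resolver settings against the expected pair and probes each resolver directly; the parameter names and the probe hostname are assumptions made for this example.

```powershell
# Added example: audit which IPv4 resolvers a Windows client actually uses.
param(
    # Default pair listed on this page; pass the alternate pair for a custom deployment.
    [string[]]$ExpectedServers = @('3.33.220.70', '3.33.218.70'),
    # Constructed probe name; any resolvable hostname works.
    [string]$ProbeName = 'example.com'
)

# 1. Every interface that has DNS servers configured should list only the expected pair.
$report = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $unexpected = @($_.ServerAddresses | Where-Object { $_ -notin $ExpectedServers })
        [pscustomobject]@{
            Interface  = $_.InterfaceAlias
            Configured = $_.ServerAddresses -join ', '
            Unexpected = $unexpected -join ', '
            Compliant  = ($unexpected.Count -eq 0)
        }
    }
$report | Format-Table -AutoSize

# 2. Each expected resolver should answer a direct query sent from this network.
foreach ($server in $ExpectedServers) {
    try {
        $answer = Resolve-DnsName -Name $ProbeName -Server $server -Type A -DnsOnly -ErrorAction Stop
        $ips = ($answer | Where-Object { $_.Type -eq 'A' }).IPAddress -join ', '
        Write-Host "$server answered: $ProbeName -> $ips"
    } catch {
        Write-Warning "$server did not answer for ${ProbeName}: $($_.Exception.Message)"
    }
}

# Non-zero exit code lets a management tool flag the machine.
if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'At least one interface uses a resolver outside the expected pair.'
    exit 1
}
```

On networks where a router or internal DNS server forwards queries to the DefensX addresses, clients list the forwarder instead; pass that address in `-ExpectedServers` and run the direct probe from the forwarder's network.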
Installing the SSL Root Certificate
To view the URL Block pages for HTTPS websites, it’s essential to install the DefensX SSL Root certificate on the client device. This requirement arises from the operational mechanics of SSL/TLS; in the absence of an agent, the certificate must be installed by an external process.
Below, you’ll find instructions for installing the DefensX SSL Root certificate on various client types and operating systems. The DefensX SSL Root certificate is public and can be downloaded from https://cloud.defensx.com/certs/DefensXCA.cer
Installing on Windows
You can use certutil with admin rights to install the certificate as shown below (assuming that it is downloaded to the current user’s Downloads folder):
certutil -addstore -enterprise -f Root "C:\Users\%username%\Downloads\DefensXCA.cer"
You can also use the following PowerShell script to automatically download and install the certificate with admin rights:
# Download the public DefensX root certificate to the current user's Downloads folder
$downloadUrl = 'https://cloud.defensx.com/certs/DefensXCA.cer'
$localFile = "C:\Users\$Env:UserName\Downloads\DefensXCA.cer"
Invoke-WebRequest -Uri $downloadUrl -OutFile $localFile -UseBasicParsing
# Install into the machine-wide enterprise Root store only if the file exists
if (Test-Path $localFile) {
    certutil -addstore -enterprise -f Root $localFile
} else {
    Write-Host "Couldn't download the certificate"
}
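A certificate in the machine Root store is trusted for every TLS connection the device makes, so it is worth confirming that the downloaded file is the expected certificate before installing it. The following added example (not DefensX's script) is a variant of the script above that compares the certificate's SHA-256 fingerprint with a pinned value first; `$ExpectedSha256` is a placeholder that must be replaced with the fingerprint obtained from DefensX through a separate channel, and the temp-file location is an assumption.

```powershell
# Added example: pin the root certificate's SHA-256 fingerprint before trusting it.
param(
    [string]$DownloadUrl    = 'https://cloud.defensx.com/certs/DefensXCA.cer',
    # Placeholder: replace with the fingerprint obtained out-of-band.
    [string]$ExpectedSha256 = '<SHA256-FINGERPRINT-OBTAINED-OUT-OF-BAND>'
)

$ErrorActionPreference = 'Stop'
$localFile = Join-Path $env:TEMP 'DefensXCA.cer'

# Remove any stale copy so a failed download can never install an old file.
Remove-Item -Path $localFile -Force -ErrorAction SilentlyContinue
Invoke-WebRequest -Uri $DownloadUrl -OutFile $localFile -UseBasicParsing

# Parse the file as X.509; this throws if the download is not a certificate.
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $localFile

# Fingerprint = SHA-256 over the DER bytes, so it is the same for PEM and DER files.
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$actual   = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
$expected = ($ExpectedSha256 -replace '[:\s]', '').ToUpperInvariant()

Write-Host "Subject    : $($cert.Subject)"
Write-Host "Valid until: $($cert.NotAfter)"
Write-Host "SHA-256    : $actual"

# An unreplaced placeholder also fails here, which is the safe outcome.
if ($actual -ne $expected) {
    Remove-Item -Path $localFile -Force
    throw 'Fingerprint mismatch; certificate NOT installed.'
}

# A root CA certificate is self-issued: Subject and Issuer must be identical.
if ($cert.Subject -ne $cert.Issuer) {
    throw 'Certificate is not self-issued; refusing to install it as a root.'
}

certutil -addstore -enterprise -f Root $localFile
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }
```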
Installing by Active Directory GPO
You can distribute the certificate by creating an Active Directory GPO object with the following steps:
- Open the GPO Management on the Domain Controller
- Create a new GPO or append it to an existing one
- Open the Computer Configuration → Windows Settings → Security Settings → Public Key Policies section
- Right-click Trusted Root Certification Authorities and then click Import
- Locate the downloaded DefensXCA.cer file
Installing on macOS
After downloading the DefensXCA.cer file, you can install it with the following command:
sudo /usr/bin/security add-trusted-cert -d -r trustRoot -p ssl -p basic -k /Library/Keychains/System.keychain ~/Downloads/DefensXCA.cer