Symantec App Center™ 4.0 Admin Documentation
Installation Planning Guide
Table of Contents
Purpose of Document
Deployment Options Overview
Public Cloud
Private Cloud
Software Application Deployment
On-Premise Network Deployment Options
Intranet-Only Deployment
DMZ Deployment
Proxy-based Deployment
Installation Questionnaire
Resource and Access Planning
SaaS or On-Premise Deployment?
SaaS Deployment
On-Premise Software Application Questions
Connections and Certificates
Purpose of Document
This document is intended to assist administrators with preparing for an installation of Symantec App Center. There are two sections:
Discussion of the SaaS and On-Premise deployment options
Questionnaire to gather relevant data required for the installation
Deployment Options Overview
There are three primary deployment options for Symantec App Center:
Public Cloud - SaaS deployment using Symantec’s public cloud
Private Cloud – SaaS deployment using an enterprise’s internal or hosted cloud service
Software Application – on-premise deployment in a Red Hat Enterprise Linux (RHEL) environment
Each option is detailed below, along with the pros and cons of the approach. Additionally, for the on-premise options, an outline of the network deployment options is included.
Public Cloud
Private Cloud
An enterprise may utilize its own cloud SaaS offering, hosted using Amazon EC2 or other providers.
Pros:
Quick and easy to get started
Minimal capacity planning is required
Minimal operations or administrative overheads
Single tenant isolation
Cons:
May not meet infosec / policy requirements
May have minimum spend requirements
Software Application Deployment
Many IT departments have standardized the deployment of Red Hat Enterprise Linux on top of VMware. Management and monitoring capability is often pre-loaded onto specific Red Hat VM template images. Because of this, all App Center servers can be deployed as a software install on top of Red Hat Enterprise Linux 5.6 and 5.8 (only 64-bit guest OS formats are supported).
For a high-scale deployment, most IT departments will choose to deploy multiple App Center front-end application servers behind a load-balancer. With such a deployment, the front-end servers all connect to a customer-supplied database server or cluster.
As noted in the Network Deployment Options, the App Center servers may optionally be located in the DMZ, in which case the proxy becomes optional.
Pros:
If VMware infrastructure is in place, quick and easy to provision
May be preferred by infosec / policy
Scales to large number of users
Cons:
Requires VMware operations involvement
Requires Database administrator involvement
Use of VMware tools for backup and HA
IT is responsible for server hardening
On-Premise Network Deployment Options
With an on-premise deployment, administrators need to determine where the App Center servers sit within the organization’s network topology. There are three main options:
Intranet-only deployment
DMZ deployment
Proxy-based deployment
Intranet-Only Deployment
App Center can be deployed entirely within the corporate network if desired. This is more secure at the expense of usability, as mobile devices are often most valuable in the field. Additionally, device management may not be possible with this deployment scenario.
DMZ Deployment
App Center can be deployed inside the DMZ. Care must be taken to ensure a secure DMZ environment. Deployment in the DMZ allows users on-the-go to access App Center capability without requiring them to log in to the corporate VPN.
Proxy-based Deployment
A more secure deployment scenario that gives the same capabilities as the DMZ deployment is to have a reverse-proxy deployed in the DMZ that can initiate connections to App Center within an isolated sub-network of the intranet. In such a deployment, there can be no direct connections between attackers and App Center, greatly increasing security.
App Center’s browser and client interactions are 100% REST (HTTPS) based.
Installation Questionnaire
This section will gather relevant information that will assist with the installation. Please fill in the relevant sections with as much detail as possible.
Resource and Access Planning
Question Answer
How many users do you expect to have?
What is the average number of devices per user? (e.g. if one in every three users would have both a phone and tablet then the answer is 1.33)
What percentage of devices do you expect to be iOS vs. Android vs. Blackberry?
Over what period of time? (e.g. 250 in first month, growing to 2,000 over 6 months)
What is the geographic distribution of your users?
How many apps do you expect to have?
iOS apps:
Android apps:
Blackberry apps:
If iOS will be used, have you obtained an Apple Enterprise Developer license?
Is this license managed by a single individual and will the App Center administrator have access to it?
Will end-users all be employees, or also vendors/contractors?
What language support will be required across your deployment? Please provide percentage distribution (e.g. English 65%, German 25%, Spanish 10%)
SaaS or On-Premise Deployment?
Question Answer
Do you prefer to deploy using SaaS or On-Premise?
Do you foresee starting with one deployment mode, and over time migrating to a different one?
SaaS Deployment
Question Answer
Is multi-tenancy (public cloud) acceptable, or do you prefer a privately hosted cluster (private cloud)?
Will you use Active Directory (AD) as your identity provider?
If AD, will INFOSEC permit an inbound LDAP over SSL connection to a domain controller (read-only DC is fine)?
Will you use a federated identity (SAML) service?
If federated, which software/service vendor? (e.g. Ping, Okta, …)
If federated, will the provider also source user-group associations?
If neither AD nor federated, will you be using another Identity and Access Management (IAM) approach?
On-Premise Deployment
Question Answer
Will you require Internet-based access for your users, or will intranet-only access be acceptable?
If Internet-based access, will you protect App Center with a firewall? (See “On-Premise Connections & Certificates” #1 below.)
Will you protect App Center with a L7 proxy? If so, what URL documentation will you need (if any)?
What will you use to load balance traffic across multiple App Center front-ends (FE’s)?
Will you have a load balancer or proxy terminating the SSL connections?
Will you require the App Center FE to accept HTTP or HTTPS traffic?
Will you use Active Directory (AD) as your identity provider?
If not, does your identity provider support LDAP?
On-Premise Software Application Questions
Question Answer
Symantec currently supports Red Hat 5.x, with 5.4 being the minimum supported version. Is this available?
Does IT have any monitoring system requirements?
Does IT have any requirements around the location of the application on the server (a specific directory)?
Does IT have any requirements around the application running as a specific user?
Does IT have an IT-managed database facility?
If so, App Center supports MySQL 5.1 and Oracle 11g Release 2 (11.2). If not, App Center will require a database server running either of these.
Connections and Certificates
For on-premise deployments:
1. If Internet-based access is protected with a firewall, App Center will need to accept the following inbound connections:
22: SSH (should only be enabled as required for maintenance).
80: HTTP (only used for redirects - could be handled by a tier to the left).
443: HTTPS (SSL)
2. App Center will need to be able to make the following outbound connections in order for the following services to function:
22: SSH (should only be enabled as required for maintenance).
80: HTTP (only used for redirects - could be handled by a tier to the left).
443: HTTPS (SSL)
68/UDP: DHCP (if DHCP is used for IP address assignment. If DHCP is not used, do not open).
3. App Center will need the following X.509 certificates:
A PEM-format SSL certificate. The certificate common name (CN) must match the DNS name of the App Center. The SSL certificate must be issued by a CA which is known by the trust stores of your test devices. Using a self-signed certificate results in constant warnings from browsers and devices, detracting from the user experience.
A PEM-format private key associated with the SSL certificate. Note that the private key must not be passphrase-protected.
A PEM-format bundle of intermediate certificates.
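The certificate requirements in item 3 can be checked before the installation starts. The script below is an added example, not part of the Symantec guide; the DNS name and the three file names are supplied by the caller, and it assumes the OpenSSL 1.0 or later command-line tool.

```shell
#!/bin/sh
# Added example: pre-install check of the PEM files listed above.
# Assumes OpenSSL 1.0 or later on the machine running the check.
# Usage: sh check_pems.sh <dns-name> <cert.pem> <key.pem> <intermediates.pem>

# True if the key file carries no passphrase (neither PKCS#8 nor legacy
# OpenSSL encryption headers are present).
key_is_unencrypted() {
    ! grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Print the subject common name (CN) of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# True if the private key ($2) belongs to the certificate ($1): both must
# yield the same public key. "-passin pass:" stops OpenSSL from prompting.
key_matches_cert() {
    pk_cert=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    pk_key=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ "$pk_cert" = "$pk_key" ]
}

check_appcenter_pems() {
    host=$1 cert=$2 key=$3 chain=$4
    key_is_unencrypted "$key" ||
        { echo "FAIL: private key is passphrase-protected"; return 1; }
    key_matches_cert "$cert" "$key" ||
        { echo "FAIL: private key does not match the certificate"; return 1; }
    cn=$(cert_cn "$cert" | tr 'A-Z' 'a-z')
    [ "$cn" = "$(printf '%s' "$host" | tr 'A-Z' 'a-z')" ] ||
        { echo "FAIL: certificate CN '$cn' is not '$host'"; return 1; }
    # Leaf must chain through the intermediates to a root trusted on THIS
    # machine; device trust stores still have to be checked separately.
    openssl verify -untrusted "$chain" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: chain does not verify with the supplied intermediates"; return 1; }
    echo "OK: certificate, key and intermediates are usable for $host"
}

if [ "$#" -eq 4 ]; then check_appcenter_pems "$@"; fi
```

The CN comparison is an exact, case-insensitive match, so a wildcard certificate is reported as a mismatch and needs a manual check.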
Support
Symantec offers free community and paid premium support for Symantec App Center. Contact your local Symantec Sales Representative or use our support site.