.. Reminder for header structure:
  Parts (H1) : #################### with overline
  Chapters (H2) : ******************** with overline
  Sections (H3) : ====================
  Subsections (H4) : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6) : """""""""""""""""""""

.. _install_requirements:

#######################################
Checking WAPT Installation requirements
#######################################

*************************
Installation requirements
*************************

Naming conventions
==================

Take the following security points into consideration to get the full benefit of WAPT:

* If you are familiar with Linux, we advise you to install the WAPT Server directly on Debian or a RedHat based distribution, following the security recommendations of the French :term:`ANSSI` or the recommendations of your state cyberdefense agency.

* Although the WAPT Server is not designed to be a sensitive asset, we recommend installing it on a **dedicated host** (physical or virtual).

.. attention::

  In all steps of the documentation, **do not use any accents or special characters** for:

  * user logins;

  * the path to the private key and the certificate bundle;

  * the :abbr:`CN (Common Name)`;

  * the installation path for WAPT;

  * group names;

  * the name of hosts or the name of the server;

  * the path to the folder :file:`C:\\waptdev`.

Hardware recommendations
========================

The WAPT Server can be installed either on a virtual server or a physical server.

.. list-table:: Optimal RAM and CPU recommendations for the WAPT Server
  :header-rows: 1
  :widths: auto
  :align: center

  * - Size of the network
    - CPU
    - RAM
    - Server optimization to apply
  * - From 0 to 300 WAPT Agents
    - 2 CPU
    - 2024 Mio
    - No
  * - From 300 to 1000 WAPT Agents
    - 4 CPU
    - 4096 Mio
    - Yes
  * - From 1000 to 3000 WAPT Agents
    - 8 CPU
    - 8192 Mio
    - Yes
  * - From 3000 desktops onward
    - 16 CPU
    - 16384 Mio
    - Yes

.. CLARIFY, what is Server optimization to apply

* A minimum of 10GB of free space is necessary for the system, the database and log files.

* **For better performance, Tranquil IT recommends storing the database on fast storage, such as SSD drives or PCIe-based solid-state drives**.

* The overall disk requirement depends on the number and size of the WAPT packages (software) that you will store on your main repository. 30GB is a good start. It is not strictly required to store WAPT packages on fast drives.

* Finally, we know of users whose WAPT Servers are equipped with multiple 10Gbps network interfaces and deploy massive Catia, National Instruments and Solidworks update packages at full speed on their :abbr:`LAN (Local Area Network)`.

Software recommendations
========================

Operating system
----------------

The WAPT Server is available on Linux and Windows:

* On Linux, the 64-bit versions of **Debian 11**, **Red Hat 7 / 8 and derivatives** and **Ubuntu server LTS 20.04** are supported.

  .. note::

    SELinux is supported but not mandatory.

* On Windows, the WAPT Server can be installed on a 64-bit **Windows Server** version supported by Microsoft (Win2012r2, Win2k16 or Win2k19). Depending on your needs, it can also be installed on a recent Win10 Pro/Ent version (20H2 or later).

.. attention::

  The WAPT Server only runs on **64-bit** systems.

.. _open_ports:

Open Ports
----------

.. figure:: wapt-resources/wapt_concept_data-and-ports_flow-diagram.png
  :align: center
  :alt: Data-flow diagram for WAPT

  Data-flow diagram for WAPT

As you can see, only ports **80** and **443** **MUST** be opened for incoming connections, because the WAPT framework works with websockets initiated by the WAPT Agents.

Inbound
^^^^^^^

.. list-table:: Inbound ports to open for WAPT to work
  :header-rows: 1
  :widths: auto
  :align: center

  * - Protocol
    - Port number
    - Source
    - Destination
    - Description
  * - `TCP`
    - **80**
    - All WAPT Agents
    - WAPT Server
    - Websocket connection (unsecured) for downloading packages and KB.
  * - `TCP`
    - **443**
    - All WAPT Agents
    - WAPT Server
    - Websocket connection for downloading packages and KB.
  * - `UDP`
    - **69**. Note: TFTP uses ephemeral/dynamic ports for data transport. If you have a firewall between the server and the computers, be sure to enable TFTP conntrack support.
    - **All computers** using the WADS deployment TFTP method.
    - WAPT Server
    - To download the first stage of OS boot files before HTTP becomes available.

Outbound
^^^^^^^^

.. list-table:: Outbound ports to open for WAPT to work
  :header-rows: 1
  :widths: auto
  :align: center

  * - Protocol
    - Port number
    - Source
    - Destination
    - Description
  * - `TCP`
    - **80**
    - WAPT Server
    - Internet
    - Websocket connection (unsecured) for downloading WAPT packages, :file:`wsusscn2.cab` and KB.
  * - `TCP`
    - **80**
    - WAPT Server
    - Linux repository (for Linux server) and Tranquil IT repositories ([#f1]_)
    - Uploading of WAPT packages using (unsecured) HTTP.
  * - `TCP`
    - **443**
    - WAPT Server
    - Linux repository (for Linux server) and Tranquil IT repositories ([#f1]_)
    - Uploading of WAPT packages using (secured) HTTPS.
  * - `TCP`
    - **53**
    - WAPT Server
    - Domain controller or :abbr:`DNS (Domain Name Service)` server
    - Domain name resolution.
  * - `TCP`
    - **389**
    - WAPT Server
    - Domain controller or :abbr:`LDAP (Lightweight Directory Access Protocol)` server
    - LDAP authentication to authenticate users with the WAPT Console or the WAPT Self-service.
  * - `TCP`
    - **636**
    - WAPT Server
    - Domain controller or :abbr:`LDAP (Lightweight Directory Access Protocol)` server
    - LDAP authentication.
  * - `UDP`
    - **123**
    - WAPT Server
    - Domain Controller or :abbr:`NTP (Network Time Protocol)` server
    - NTP to keep time synchronized and Kerberos working properly.

.. rubric:: Footnotes

.. [#f1] The following DNS names are the Tranquil IT repositories to allow:

  * https://store.wapt.fr

  * https://wapt.tranquil.it

**********************
Tips before installing
**********************

.. _srv_dns:

Configuring the Organization's DNS for WAPT
===========================================

.. note::

  **DNS configuration is not strictly required, but it is very strongly recommended**.

To make your WAPT setup easier to manage, it is strongly recommended to configure the :term:`DNS` server to include an ``A`` field or a ``CNAME`` field as below:

* *srvwapt.mydomain.lan*.

* *wapt.mydomain.lan*.

Replace *mydomain.lan* with your network's :term:`DNS` suffix.

These :abbr:`DNS (Domain Name Service)` fields will be used by WAPT Agents to locate the WAPT Server and the WAPT repositories closest to them.

Configuring DNS entries in Microsoft RSAT.
==========================================

* The ``A`` field **MUST** point to the WAPT Server IP address.

.. image:: wapt-resources/windows_rsat_dns-configure-alias_browser-window.png
  :align: center
  :alt: Configuring the A field in Windows RSAT

You can now install the WAPT Server on your favorite operating system:

* Install the WAPT Server on GNU / Linux Debian.

* Install the WAPT Server on a RedHat based distribution.

* Install the WAPT Server on Windows (not recommended for large production networks).
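
To check a host against the inbound table in the Open Ports section, the following added example (not part of the WAPT documentation or code base) parses ``ss -tulnH`` output and reports every network-reachable listener that the table does not document. The sample output, including ports 22, 5432, 5353 and 53, is constructed for illustration and was not captured from a real WAPT Server.

```python
"""Audit listening sockets against the inbound ports documented for the WAPT Server."""
import ipaddress

# From the "Inbound" table: TCP 80, TCP 443, and UDP 69 (WADS TFTP deployment only).
DOCUMENTED_INBOUND = {("tcp", 80), ("tcp", 443), ("udp", 69)}

# Constructed sample of `ss -tulnH` output (illustrative, not from a real server).
SAMPLE_SS = """\
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      244        127.0.0.1:5432       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
udp   UNCONN 0      0            0.0.0.0:69         0.0.0.0:*
udp   UNCONN 0      0                  *:5353             *:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
"""


def parse_listener(line):
    """Return (proto, address, port) from one `ss -tulnH` line."""
    fields = line.split()
    proto, local = fields[0], fields[4]
    address, _, port = local.rpartition(":")
    address = address.split("%")[0].strip("[]")  # drop zone/interface id and brackets
    return proto, address, int(port)


def is_loopback(address):
    """True for 127.0.0.0/8 and ::1; wildcard binds ('*', 0.0.0.0, ::) are not."""
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # '*' or an unparsable bind is treated as network-reachable


def audit(ss_output):
    """Sort network-reachable listeners into documented and undocumented ones."""
    report = {"documented": [], "undocumented": [], "cleartext": []}
    for line in ss_output.splitlines():
        if not line.strip():
            continue
        proto, address, port = parse_listener(line)
        if is_loopback(address):
            continue  # not reachable from WAPT Agents, outside the table's scope
        key = "documented" if (proto, port) in DOCUMENTED_INBOUND else "undocumented"
        report[key].append((proto, address, port))
        if (proto, port) == ("tcp", 80):
            report["cleartext"].append((proto, address, port))  # "unsecured" per table
    return report
```

Each entry under ``undocumented`` needs its own firewall decision, since the WAPT port matrix does not cover it. Entries under ``cleartext`` are the port the table marks as unsecured.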