.. Reminder for header structure:
   Parts (H1)          : #################### with overline
   Chapters (H2)       : ******************** with overline
   Sections (H3)       : ====================
   Subsections (H4)    : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6)     : """""""""""""""""""""

.. _install_requirements:

#######################################
Checking WAPT Installation requirements
#######################################

*************************
Installation requirements
*************************

Naming conventions
==================

You have to take a few security points into consideration in order to extract all possible benefits from WAPT:

* If you are familiar with Linux, we advise you to install WAPT Server directly on Debian or a RedHat based distribution
  following the security recommendations of French :term:`ANSSI` or the `recommendations of your state cyberdefense agency `_.

* Although the WAPT Server is not designed to be a sensitive asset, we recommend installing it on a **dedicated host** (physical or virtual).

.. attention::

  In all steps of the documentation, **you will not use any accent or special characters** for:

  * user logins;

  * path to the private key and the certificate bundle;

  * the :abbr:`CN (Common Name)`;

  * the installation path for WAPT;

  * group names;

  * the name of hosts or the name of the server;

  * the path to the folder :file:`C:\\waptdev`.

Network recommendations
=======================

The WAPT Server uses client SSL authentication to authenticate the client WAPT Agents.
It is therefore required that the WAPT Server does the TLS termination itself.
The use of a WAF or reverse proxy that does TLS interception and termination is thus not supported.
It is possible to use a reverse proxy in "stream" mode if supported, like in `Nginx stream module `_ or `HAProxy TLS Passthrough module `_.
Please refer to the corresponding documentation for details.

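
The two proxy modes contrasted above, shown as an added Nginx configuration example that is not part of the WAPT documentation. The upstream name ``wapt_tls``, the certificate paths and the timeout values are assumptions, and *srvwapt.mydomain.lan* is the placeholder server name used on this page.

```nginx
# Added example, not taken from the WAPT documentation.
# Assumptions: Nginx is built with the stream module and the WAPT Server is
# reachable as srvwapt.mydomain.lan (placeholder name).

# --- Unsupported: HTTP-level proxy that terminates TLS ----------------------
# The proxy completes the TLS handshake itself, so the WAPT Agent's client
# certificate is presented to the proxy and never reaches the WAPT Server.
# Shown commented out for comparison only.
#
# http {
#     server {
#         listen 443 ssl;
#         ssl_certificate     /etc/nginx/tls/proxy.crt;   # hypothetical path
#         ssl_certificate_key /etc/nginx/tls/proxy.key;   # hypothetical path
#         location / {
#             proxy_pass https://srvwapt.mydomain.lan;
#         }
#     }
# }

# --- Supported: TCP passthrough in "stream" mode -----------------------------
# "stream" is a top-level context in nginx.conf, next to "http".
# There is no "ssl" parameter and no certificate on the proxy: the encrypted
# bytes are relayed unchanged, and the TLS handshake, including verification
# of the client certificate, happens on the WAPT Server.
stream {
    upstream wapt_tls {
        server srvwapt.mydomain.lan:443;
    }

    server {
        listen 443;
        proxy_pass wapt_tls;
        proxy_connect_timeout 5s;   # assumed value
        # WAPT Agents hold long-lived websocket connections; the idle timeout
        # (default 10m) is raised here as an assumption, tune it as needed.
        proxy_timeout 1h;
    }
}
```
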
Hardware recommendations
========================

The WAPT Server can be installed either on a virtual server or a physical server.

.. list-table:: Optimal RAM and CPU recommendations for the WAPT Server
  :header-rows: 1
  :widths: auto
  :align: center

  * - Size of the network
    - CPU
    - RAM
    - Server optimization to apply

  * - From 0 to 300 WAPT Agents
    - 2 CPU
    - 2048 Mio
    - No

  * - From 300 to 1000 WAPT Agents
    - 4 CPU
    - 4096 Mio
    - Yes

  * - From 1000 to 3000 WAPT Agents
    - 4 CPU
    - 8192 Mio
    - Yes

  * - From 3000 WAPT Agents onward
    - 8 CPU
    - 16384 Mio
    - Yes

.. CLARIFY, what is Server optimization to apply

* A minimum of 10GB of free space is necessary for the system, the database and log files.

* **For better performance, Tranquil IT recommends the database to be stored on fast storage, such as SSD drives or PCIe-based solid-state drives**.

* The overall disk requirement will depend on the number and size of your WAPT packages (software) that you will store on your main repository; 30GB is a good start.
  It is not strictly required to store WAPT packages on fast drives.

* Finally, we have knowledge of users with WAPT Servers equipped with multiple 10Gbps networking interfaces deploying at full speed massive Catia,
  National Instruments and Solidworks update packages on their :abbr:`LAN (Local Area Network)`.

Software recommendations
========================

Operating system
----------------

The WAPT Server is available on Linux and Windows:

* For Linux, **Debian 10, 11 and 12**, **Red Hat 7, 8, 9 and derivatives**, **Ubuntu server LTS 20.04 and 22.04** 64 bit versions are supported.
  It is not mandatory to use a Linux server distribution, but use a **non-graphical** distribution.

  .. note::

    SELinux is supported but not mandatory.

  .. attention::

    * The WAPT Server will only run on **64bit** based systems.

    * Install the Server **without** the graphical user interface in GNU/Linux.

    * :program:`Systemd` must be enabled.

* For Windows, WAPT Server can be installed on **Windows Server** 64 bit versions supported by Microsoft (Win2012r2, Win2k16, Win2k19 or Win2k22).
  Depending on your need, it can also be installed on recent Win10 or Win11 Pro/Ent.

  .. attention::

    * The WAPT Server will only run on **64bit** based systems.

.. _open_ports:

Open Ports
----------

.. figure:: wapt-resources/wapt_concept_data-and-ports_flow-diagram.png
  :align: center
  :alt: Data-flow diagram for WAPT

  Data-flow diagram for WAPT

Only ports **80** and **443** **MUST** be opened to incoming connections as the WAPT framework works with websockets initiated by the WAPT Agents.

Inbound
^^^^^^^

.. list-table:: Inbound ports to open for WAPT to work
  :header-rows: 1
  :widths: auto
  :align: center

  * - Protocol
    - Port number
    - Source
    - Destination
    - Description

  * - `TCP`
    - **80**
    - All WAPT Agents
    - WAPT Server
    - Websocket connection (unsecured) for downloading packages and KB.

  * - `TCP`
    - **443**
    - All WAPT Agents
    - WAPT Server
    - Websocket connection for downloading packages and KB.

  * - `UDP`
    - **69**

      Note: tftp uses ephemeral / dynamic ports for data transport.
      If you have a firewall between the WAPT Server and the fleet of computers, be sure to enable support for tftp conntrack.
    - **All computers** using :ref:`WADS deployment ` TFTP method.
    - WAPT Server
    - To download the first stage of OS boot files before HTTP becomes available.

Outbound
^^^^^^^^

.. list-table:: Outbound ports to open for WAPT to work
  :header-rows: 1
  :widths: auto
  :align: center

  * - Protocol
    - Port number
    - Source
    - Destination
    - Description

  * - `TCP`
    - **80**
    - WAPT Server
    - Internet
    - For downloading :file:`wsusscn2.cab` and KB.

  * - `TCP`
    - **80**
    - WAPT Server
    - Linux repository (for Linux server) and Tranquil IT repositories ([#f1]_)
    - Uploading of WAPT packages using (unsecured) HTTP.

  * - `TCP`
    - **443**
    - WAPT Server
    - Linux repository (for Linux server) and Tranquil IT repositories ([#f1]_)
    - Uploading of WAPT packages using (secured) HTTPS.

  * - `TCP`
    - **53**
    - WAPT Server
    - Domain controller or :abbr:`DNS (Domain Name Service)` server
    - Domain name resolution.

  * - `TCP`
    - **389**
    - WAPT Server
    - Domain controller or :abbr:`LDAP (Lightweight Directory Access Protocol)` server
    - LDAP authentication to authenticate users with the WAPT Console or the WAPT Self-service.

  * - `TCP`
    - **636**
    - WAPT Server
    - Domain controller or :abbr:`LDAP (Lightweight Directory Access Protocol)` server
    - LDAP authentication.

  * - `UDP`
    - **123**
    - WAPT Server
    - Domain Controller or :abbr:`NTP (Network Time Protocol)` server
    - NTP to keep time synchronized and Kerberos working properly.

.. rubric:: Footnotes

.. [#f1] The following DNS names are the Tranquil IT repositories to authorize:

   * `https://wapt.tranquil.it `_

**********************
Tips before installing
**********************

.. _srv_dns:

Configuring the Organization's DNS for WAPT
===========================================

.. note::

  **DNS configuration is not strictly required, but it is very strongly recommended**.

In order to make your WAPT setup easier to manage, it is strongly recommended to configure the :term:`DNS` server to include an ``A`` field or a ``CNAME`` field as below:

* *srvwapt.mydomain.lan*.

* *wapt.mydomain.lan*.

Replace *mydomain.lan* with your network's :term:`DNS` suffix.

Configuring DNS entries in Microsoft RSAT.
==========================================

* The ``A`` field **MUST** point to the WAPT Server IP address.

.. image:: wapt-resources/windows_rsat_dns-configure-alias_browser-window.png
  :align: center
  :alt: Configuring the A field in Windows RSAT

You can now install the WAPT Server on your favorite operating system:

* :ref:`Install the WAPT Server on GNU / Linux Debian `.

* :ref:`Install the WAPT Server on a RedHat based distribution `.

* :ref:`Install the WAPT Server on Windows ` (not recommended for large production networks).