Enable Communication with Cybereason Servers

As part of the deployment process, you need to enable communication between your network and your Cybereason environment in the cloud, both at the network level and individual machine level.

This topic details the required communication settings. For details on how the different parts of the Cybereason platform communicate, see Communication Between Components.

Select your TLS communication preferences

Communication between Cybereason servers and sensors takes place over TLS. The Cybereason platform’s TLS communication requires TLS 1.2 or TLS 1.3.

You can use either one-way or two-way TLS communication, based on the requirements in the following table:

Method

Details

One-way TLS

By default, new Cybereason deployments are configured with one-way TLS with a Cybereason server certificate that verifies the secure connection from your Cybereason server. As part of the TLS communication, the Cybereason sensor obtains the GeoTrust RSA CA 2018 Intermediate CA directly from the Detection server.

For details on the One-way TLS certificate requirements, see Required Certificates for Cybereason Sensor Installation.

Two-way TLS

You can request Two-Way TLS communication between Cybereason sensors and servers. In this case, Cybereason provides a sensor installer packaged with a client certificate (in addition to the server certificate), enabling bi-directional secure communication between the server and sensor.

Two-way TLS communication can use any of the following settings:

  • NEED: If the sensor sends a certificate, the server checks it. If there’s a match, the server accepts the connection, otherwise it refuses the connection. If the sensor doesn’t send a certificate, the server refuses the connection.

  • WANT: (default) If the sensor sends a certificate, the server checks it. If there’s a match, the server accepts the connection, otherwise it refuses the connection. If the sensor doesn’t send a certificate, the server accepts the connection.

  • DISABLED: The server doesn’t check for a certificate. Even if the sensor sends a certificate, the server doesn’t check it and accepts the connection.

To change the default setting, open a Technical Support case.

In most cases, Cybereason installs certificates with the Cybereason CA. If Cybereason installs the Cybereason CA, there are no additional requirements for you to use Two-Way TLS.

If your organization uses intermediate hardware, such as a proxy or a web application firewall (WAF), make sure that the hardware does not alter the installed certificates. If the proxy/WAF communication alters the installed certificates, you must ensure that the proxy contains the required, original (unaltered) certificate. In addition, for networks with intermediate hardware, you also need to retrieve a dedicated sensor for two-way TLS. For more information, contact Customer Success.

For a list of required certificates for Two-Way TLS, see Required Certificates for Cybereason Sensor Installation.

Note

Ensure that Cybereason traffic is allowed if TLS/SSL certificate breaking technology is used. Any TLS/SSL certificate breaking technology, for example, HTTPS inspection or non-transparent proxies, will interrupt the service.

Configure your network settings for platform communication

To enable machines on your network to communicate with the Cybereason platform, you must add a number of configurations.

To configure your network settings, follow these steps:

  1. On your firewall, allow communication with *.cybereason.net using the Web Interface and Sensor communication ports you requested in the Deployment questionnaire (443 or 8443).

  2. If your environment has enabled Endpoint Management Channel (which enables automated sensor updates and communication), on your firewall, allow inbound and outbound communication with the relevant URL listed in the following table to enable sensor package delivery:

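    | Region | URL                                                | Notes                                                       |
    |--------|----------------------------------------------------|-------------------------------------------------------------|
    | USA    | https://data-epgw.cybereason.net/                  |                                                             |
    | EMEA   | https://data-epgw-eu-west-1.cybereason.net/        |                                                             |
    | APAC   | https://data-epgw-asia-northeast-1.cybereason.net/ |                                                             |
    | Global | http://probe-dist-dns.cybereason.net/              | Required if you have the Authenticated URL feature enabled. |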

    The Global URL above is required in versions 23.2.87 and later, to support the Authenticated URL feature (which enables faster sensor updates at scale) and is available for Windows sensors.

    For more information, see Why do Sensors Communicate with a probe-dist.cybereason.net or data-epgw.cybereason.net address.

  3. In your network, disable technologies that might break SSL communication, such as SSL inspection (including ICAP or content inspection). Because the Cybereason platform uses SSL certificates for communication between its servers, any technology that breaks SSL communication interrupts the Cybereason communication.

  4. If you are using a Next-Generation Firewall (NGFW), allow the RPC protocol through the port that is used for sensor communication with Cybereason cloud servers. This is necessary because Cybereason servers send commands to sensors using RPC.

Note

Performing these steps as needed should resolve the issue of seeing error code 14 on the endpoint upon upgrading sensors.
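
The following check is an added example, not Cybereason tooling. Run from an endpoint after the steps above, it confirms that the sensor port negotiates TLS 1.2 or TLS 1.3 and that the server certificate was not re-issued by an inspecting proxy. It assumes the server leaf certificate is issued by the GeoTrust RSA CA 2018 intermediate named earlier on this page; the hostname is supplied by you, and the sample certificates in the code are constructed.

```python
import socket
import ssl
import sys

# Assumption: the server leaf is issued by the intermediate CA named on this page.
EXPECTED_ISSUER_CN = "GeoTrust RSA CA 2018"
ALLOWED_VERSIONS = {"TLSv1.2", "TLSv1.3"}

# Constructed samples in the shape returned by SSLSocket.getpeercert().
SAMPLE_DIRECT = {"issuer": ((("countryName", "US"),),
                            (("commonName", "GeoTrust RSA CA 2018"),))}
SAMPLE_INSPECTED = {"issuer": ((("commonName", "Example Corp Proxy CA"),),)}


def issuer_cn(cert):
    """Return the issuer commonName from a getpeercert() dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def assess(version, cert, expected_cn=EXPECTED_ISSUER_CN):
    """Return findings; an empty list means version and issuer are as expected."""
    findings = []
    if version not in ALLOWED_VERSIONS:
        findings.append(f"negotiated {version}; TLS 1.2 or TLS 1.3 is required")
    cn = issuer_cn(cert)
    if cn != expected_cn:
        findings.append(f"issuer is {cn!r}, expected {expected_cn!r}: "
                        "certificate was replaced on the path (TLS inspection?)")
    return findings


def probe(host, port=443, timeout=10):
    """Handshake directly with host:port; return (TLS version, leaf cert dict)."""
    ctx = ssl.create_default_context()  # verifies against the system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()


if __name__ == "__main__":
    # Usage: python check_tls.py <your-tenant-hostname under cybereason.net> [443|8443]
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443
    try:
        findings = assess(*probe(host, port))
    except ssl.SSLCertVerificationError as exc:
        findings = [f"chain not trusted by this machine: {exc.verify_message}"]
    print("\n".join(findings) or "OK: TLS version and issuer match")
    sys.exit(1 if findings else 0)
```

The probe connects directly, so it covers firewalls and transparent inspection; it does not tunnel through an explicitly configured proxy.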