Prerequisites and Environment Check
Overview
Before you download and run the IDAC installation:
- Confirm all prerequisites.
- Make sure you have the necessary Cyolo license.
- Review sizing considerations.
- Check and configure firewall settings.
- Create a DNS entry.
- Run a script to check for access to network resources.
Prerequisites
Make sure that you have all of the following:
- IDAC License - a JWT file from Cyolo.
- A clean, dedicated Linux server for the Cyolo IDAC installation, with root permissions for the machine.
- A good internet connection.
- The hardware and software (operating systems) specifications, as detailed in the table below.
Component | Guideline | Comments |
---|---|---|
Operating System | Ubuntu Server: 22.04 Focal, 24.04 Jammy; RHEL 8/9 | |
CPU Cores | Minimum = 4, Recommended = 6 | If you need to scale, it is best to add an IDAC rather than additional CPU cores. |
RAM | 8 GB | |
Disk | 150 GB (minimum) | Disk space varies with the type of applications you use, as well as with recording and retention settings. A general guideline is approximately 1 GB per day of logs and 1 GB per hour of recorded web RDP/SSH sessions, plus a 10% buffer. Maximum usage is approximately 1 GB per user per day of retention. IDACs that have Storage recording roles should have at least 150 GB of disk space; other roles can have 60 GB. For example, in a cluster of 10 IDACs, 3 IDACs can be assigned to storage roles with 150 GB, and the other 7 IDACs, not assigned to a storage role, can have 80 GB. In this scenario, logs are still replicated across all clusters, the retention policy and activity affect the minimum size for all IDACs, and recordings affect only the IDACs that run with Storage roles. The installation always flags IDACs that run with less than 150 GB, but this is only a notification and does not block the installation. |
License and Certificates
- Cyolo provides the license based on the customer’s requirements and details (e.g., Tenant URL, Company name, etc.).
- Customers may either use Cyolo’s certificates, or their own. We recommend using your own certificate for more flexibility and control of your environment.
- The certificate and key, if provided by the customer, should be available at the time of deployment.
Notes on Sizing
- We recommend one IDAC per 1000 concurrent users. For example, if a site publishes applications that are relevant to 3,000 users, it is recommended that the site have three IDACs.
- Tenant/Cluster High Availability - minimum of 3 IDACs; Site High Availability - minimum of 2 IDACs.
- Busy sites should have more IDACs to support more traffic. The addition of CPU and RAM will not alleviate bottlenecks. However, additional IDACs will support higher throughput because of the availability of more TCP connections.
Firewall Settings
The table below specifies which URLs/ports to allow for each type of IDAC installation.
A full list of IPs is also available here.
The list is updated once an hour.
URL | Ports | Installation | Installation via proxy | Upgrade | Operation |
---|---|---|---|---|---|
get.cyolo.io | 443 | REQUIRED | |||
tcp.cyolo.io (included in all) | 443 | REQUIRED | REQUIRED | ||
all.cyolo.io | 443 | REQUIRED | |||
ssh.cyolo.io | 443 | REQUIRED | REQUIRED | ||
services.cyolo.io | 443 | REQUIRED | REQUIRED | REQUIRED | |
s3-eu-west-1.amazonaws.com | 443 | REQUIRED | REQUIRED | ||
registry.cyolo.io (included in all) | 443 | REQUIRED | REQUIRED | ||
index.docker.io | 80 | REQUIRED | |||
download.docker.com | 443 | REQUIRED | |||
github.com | 80 | REQUIRED | |||
registry.hub.docker.com | 80 | REQUIRED | |||
get.docker.com | 443 | REQUIRED | |||
objects.githubusercontent.com | 443 | REQUIRED | |||
dseasb33srnrn.cloudfront.net | 443 | REQUIRED | |||
production.cloudflare.docker.com | 443 | REQUIRED | |||
registry-1.docker.io | 443 | REQUIRED | |||
auth.docker.io | 443 | REQUIRED | |||
metrics.services.cyolo.io | 443 | REQUIRED | REQUIRED | ||
deploy.cyolo.io | 443 | REQUIRED | REQUIRED | ||
security.ubuntu.com | 80 | REQUIRED | |||
motd.ubuntu.com | 80 | REQUIRED | |||
esm.ubuntu.com | 80 | REQUIRED | |||
ec2.archive.ubuntu.com | 80 | REQUIRED |
DNS Records
- IDACs are connected to cloud routers as follows: *.cyolo.io → tcp.cyolo.io
- IDACs are connected to the Private Gateway as follows: *.cyolo.io → Private Gateway IP
Note: When using the Private Gateway as a proxy, ensure that pg-proxy.<domain> resolves to the Private Gateway IP.
Check for Access to Network Resources
Dependencies
Ubuntu:
apt-get install netcat-traditional dnsutils openssl -y
Red Hat:
dnf install curl bind-utils nc openssl -y
curl:
curl https://deploy.cyolo.io/cyolo_check.sh -o cyolo_check.sh
chmod 755 cyolo_check.sh
./cyolo_check.sh
Run the bash script provided below to check for required access to network resources.
Correct any issues before you run the IDAC installation wizard.
Cyolo Check Version 2.0
======= Checking for Dependencies
/bin/nc
/bin/dig
/bin/openssl
======= Upstream config
Extracting values from docker-compose.yml
UPSTREAM is tcp.cyolo.io:443
UPSTREAM_SNI is tcp.cyolo.io
NATIVE_SSH_UPSTREAM_ADDR is ssh.cyolo.io:22
AFFINITY_URL is affinity.cyolo.io
UPSTREAM_CLOCK is clock.cyolo.io:443
UPSTREAM_CLOCK_SNI is clock.cyolo.io
======= Cyolo Cloud
Checking the tcp.cyolo.io DNS Resolving
13.248.169.106
76.223.40.26
Validating connection to tcp.cyolo.io:443 - timeout is set for 10 seconds
openssl 13.248.169.106 on port 443 - success
openssl 76.223.40.26 on port 443 - success
Checking Access to Cloud Deployment (system.cyolo.io) - direct
HTTP Status Code: 200
DNS Resolving: 0.001512s
Total Time: 0.042202s
Checking the ssh.cyolo.io DNS Resolving
3.77.90.52
3.77.240.47
35.158.46.208
Validating connection to ssh.cyolo.io:443 - timeout is set for 10 seconds
openssl 3.77.90.52 on port 443 - success
openssl 3.77.240.47 on port 443 - success
openssl 35.158.46.208 on port 443 - success
Checking Access to Cloud Deployment (system.cyolo.io) - direct
HTTP Status Code: 200
DNS Resolving: 0.001827s
Total Time: 0.030331s
Affinity affinity.cyolo.io results:
eu-routers-i-0d11691b4e1e8d890.cyolo.io 443
Validating connection to the Affinity - timeout is set for 10 seconds
accessing eu-routers-i-0d11691b4e1e8d890.cyolo.io 443 - success
Latency check for Affinity
HTTP Status Code: 200
DNS Resolving: 0.002593s
Total Time: 0.020839s
======= Cyolo Services
Checking the metrics.services.cyolo.io DNS Resolving
52.17.209.253
54.77.35.69
Validating connection to metrics.services.cyolo.io:443 - timeout is set for 10 seconds
openssl 52.17.209.253 on port 443 - success
openssl 54.77.35.69 on port 443 - success
Checking Access to Cloud Deployment (system.cyolo.io) - direct
HTTP Status Code: 200
DNS Resolving: 0.001185s
Total Time: 0.045536s
Accessing services.cyolo.io results - success
Accessing registry.cyolo.io/v2/cyolosec/idac/tags/list results - success
======= Speed Check
Check download speed
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 10.4M 100 10.4M 0 0 36.3M 0 --:--:-- --:--:-- --:--:-- 36.3M
======= Docker & Docker Compose
Get Docker Version
Docker version 28.0.4, build b8034c0
Get Docker Compose Version
docker-compose version 1.25.4, build 8d51620a
======= TLS inspection test
openssl test results - success
======= Check Cyolo Clock
Checking Access to Cyolo Clock - direct
IDAC Clock: 2025-04-04T08:34:08
Cyolo Clock: 2025-04-04T08:34:08
See here for the link to the script.
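One way to gate the installation on these results, as an added example that is not part of Cyolo's script or documentation: it scans saved output of cyolo_check.sh for result lines that do not end in success, for HTTP status codes other than 200, and for drift between the IDAC clock and the Cyolo clock. The review function, the 60-second tolerance and the failure wording in the sample are assumptions; the page shows only successful output.

```python
import re
from datetime import datetime

# Constructed sample in the format of the output shown above, with one failed
# connection, one non-200 status and a drifted clock added for illustration.
# The " - failed" wording is an assumption; the page shows only " - success".
SAMPLE = """\
======= Cyolo Cloud
Validating connection to tcp.cyolo.io:443 - timeout is set for 10 seconds
openssl 192.0.2.10 on port 443 - success
openssl 192.0.2.11 on port 443 - failed
HTTP Status Code: 200
======= Cyolo Services
Accessing services.cyolo.io results - success
HTTP Status Code: 403
======= Check Cyolo Clock
IDAC Clock: 2025-04-04T08:34:08
Cyolo Clock: 2025-04-04T08:39:10
"""

def review(output, max_skew_seconds=60):
    """Return (section, problem) tuples for every check that did not pass."""
    problems, section, clocks = [], "(start)", {}
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("======="):
            section = line.lstrip("= ").strip()
        elif m := re.fullmatch(r"HTTP Status Code: (\d{3})", line):
            if m.group(1) != "200":
                problems.append((section, f"HTTP status {m.group(1)}"))
        elif m := re.fullmatch(r"(IDAC|Cyolo) Clock: (\S+)", line):
            clocks[m.group(1)] = datetime.fromisoformat(m.group(2))
        elif re.match(r"(openssl|accessing) ", line, re.I):
            # Result lines: flag anything that does not end in "- success".
            if not line.endswith("- success"):
                problems.append((section, line))
    if len(clocks) == 2:
        skew = abs((clocks["IDAC"] - clocks["Cyolo"]).total_seconds())
        if skew > max_skew_seconds:  # tolerance is an assumed value
            problems.append(("Check Cyolo Clock", f"clock skew {skew:.0f}s"))
    else:
        problems.append(("Check Cyolo Clock", "clock lines missing"))
    return problems

if __name__ == "__main__":
    for section, problem in review(SAMPLE):
        print(f"[{section}] {problem}")
```

An empty list from review means every parsed check passed; anything else should be corrected before running the IDAC installation wizard.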
Installing IDAC on AWS
Note: You can also install IDAC on AWS, from the AWS Marketplace with Bring Your Own License (BYOL). See this link for additional information.