Illumio Install, Configure, and Upgrade Guide 24.2.20

Install and Activate the NEN

Important

Before installing NEN release 2.6.30

Installing this release upgrades the existing database on the NEN to a newer version of the database software. Illumio recommends that you back up the existing NEN database before you install NEN 2.6.30 so that you can revert the installation if necessary.

To back up the existing NEN database, issue the following commands on the NEN primary node:

illumio-nen-ctl set-runlevel 1 -svw

illumio-nen-db-management dump --file <outputfile-name>

illumio-nen-ctl stop

This section describes how to:

  • Install and activate a new standalone NEN deployment

  • Upgrade a PCE-based NEN installation to the standalone NEN installation required for NEN 2.3.x and later.

Illumio recommends that you have the following knowledge before installing and administering the NEN:

  • A thorough understanding of your organization's security goals.

  • A thorough understanding of Illumio Core.

  • When integrating the NEN with your organization's load balancers and switches, know how to configure and manage these network devices.

NEN Software

For the complete list of OS support for the NEN, see NEN OS Support and Package Dependencies on the Illumio Support portal.

To download the NEN software:

  1. Log into the Illumio Support portal and go to Software > NEN.

  2. From the Download NEN Software page, select the latest version.

  3. Click the filename in the table to download the software locally.

Optional Configurations

Consider configuring the following optional functionality when you install NEN software.

Verify the NEN RPM digital signature

You can verify the signature of the NEN RPM package before installation to ensure that the package hasn't been modified since it was signed.

  1. Download the NEN RPM.

    1. Go to the Illumio Support software download page.

    2. Select the NEN version you want to verify.

    3. Click the RPM package you plan to install.

  2. Import the Illumio NEN Public Key.

    % gpg --import illumio_nen_pub.key

    The imported file is placed in your /home directory.

  3. List the keys in the imported file.

    % gpg --list-keys illumio

    In the output, locate the last 16 digits in the signature line.

    pub rsaXXXX 2022-06-31 [SC]

    8C34J70E2D13F9332AD1F49Dxxxxxxxxxxxxyyyy    (last 16 digits of the public key)

  4. List signatures in the RPM.

    % rpm -qpi illumio-nen-xxx-x.xx.x86_64.rpm | grep ^Signature

    where xxx-x.xx is the version number of the package.

  5. Visually compare the last 16 digits in the RPM with the last 16 digits in the imported Public Key.

    Signature : RSA/SHA256, Key ID xxxxxxxxxxxxyyyy    (last 16 digits of the RPM)

    If the signatures don't match, don't install the package. Contact Illumio Support.
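
The comparison in steps 3 to 5 can also be scripted. The following is an added example, not part of the Illumio guide or Illumio tooling; the function names and the SAMPLE_* data are constructed for illustration, and real use assumes the key was imported as in step 2.

```sh
#!/bin/sh
# Added example: scripted form of the visual comparison in steps 3-5.
# Function names and SAMPLE_* data are constructed for illustration.

# Read `gpg --list-keys --with-colons illumio` on stdin and print the last
# 16 hex digits of the first fingerprint ("fpr" record, field 10).
key_id_from_gpg() {
  awk -F: '$1 == "fpr" {
    id = toupper(substr($10, length($10) - 15))
    if (length(id) == 16 && id ~ /^[0-9A-F]+$/) print id
    exit
  }'
}

# Read `rpm -qpi <package>` on stdin and print the Key ID from the
# Signature line. Prints nothing for an unsigned package ("(none)").
key_id_from_rpm() {
  awk '/^Signature/ {
    for (i = 1; i < NF; i++) if ($i == "ID") {
      id = toupper($(i + 1))
      if (length(id) == 16 && id ~ /^[0-9A-F]+$/) print id
    }
    exit
  }'
}

# $1 = gpg colon listing, $2 = rpm -qpi output. Succeeds only when both
# yield a well-formed Key ID and the two are identical.
same_signing_key() {
  gpg_id=$(printf '%s\n' "$1" | key_id_from_gpg)
  rpm_id=$(printf '%s\n' "$2" | key_id_from_rpm)
  [ -n "$gpg_id" ] && [ "$gpg_id" = "$rpm_id" ]
}

# Constructed sample outputs (not real Illumio key material).
SAMPLE_GPG='pub:-:4096:1:1111BBBB2222CCCC:1655000000:::-:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111BBBB2222CCCC:'
SAMPLE_RPM='Name        : illumio-nen
Signature   : RSA/SHA256, Key ID 1111bbbb2222cccc'

if [ $# -eq 1 ]; then   # real use: pass the path of the downloaded RPM
  if same_signing_key "$(gpg --list-keys --with-colons illumio)" "$(rpm -qpi "$1")"
  then echo "Key IDs match"
  else echo "Key IDs differ or are missing: do not install"; exit 1
  fi
else                    # no argument: run on the constructed samples
  same_signing_key "$SAMPLE_GPG" "$SAMPLE_RPM" && echo "sample Key IDs match"
fi
```

A matching Key ID shows which key signed the package. To have rpm validate the signature itself, import the key into the RPM keyring with rpm --import and run rpm -K on the package.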

Configure Proxy Support for NENs

Beginning with NEN release 2.6.10, you can configure proxy support for NENs by adding environment variables to the runtime_env file. This support defines an HTTP/HTTPS proxy for communication between the NEN and the PCE or between the NEN and managed devices (such as Server Load Balancers (SLBs)). There's also support for specifying a list of IP addresses that are not allowed to communicate via a proxy server. You can configure these options by adding a field to the runtime_env.yml file.

Modify the template runtime_env file

Note

The NEN will honor the environment variables http_proxy, https_proxy, and no_proxy if they are present. However, you can override these variable values by setting appropriate values in the proxy_config variables in the NEN runtime_env.yml file.

You can modify the runtime_env.yml file either during an interactive installation or later by copying and modifying the template runtime file.

Configuration scenarios

Under the proxy_config option, configure proxy support for any of the following scenarios in the runtime_env.yml file.

| PCE | Managed Devices (SLBs) | Scenario | Proxy Environment Variable |
| --- | --- | --- | --- |
| The PCE is proxied. | No SLBs are installed. | Configure the NEN to communicate with the proxied PCE. | pce_https_proxy: |
| The PCE is proxied. | SLBs are installed but not proxied. | Configure the NEN to communicate with the proxied PCE. | pce_https_proxy: |
| The PCE is proxied. | SLBs are installed and proxied. | Configure the NEN to communicate with the proxied PCE and proxied SLBs. | pce_https_proxy: and device_http_proxy: or device_https_proxy: |
| The PCE is not proxied. | SLBs are installed and proxied. | Configure the NEN to communicate with proxied SLBs. | device_http_proxy: |
| N/A | N/A | Specify a list of IP addresses that are not allowed to communicate via a proxy server. | no_proxy: |

Configure a PCE policy request timeout
Configure a PCE connect timeout