More Information About Pairing Servers

The following information provides some background on what happens when pairing servers in Illumio Xpress.

Rule Creation and Protection Schemas

When you first open Illumio Xpress, it automatically creates default labels, a default pairing profile, and a default ruleset.

When pairing and protecting servers, you need to replace these defaults with new rules and labels suited to your specific environment. The easiest way to do this is to use the Server Wizard. It will provide recommendations that will label your workload and create appropriate rules via protection schemas. For background information, or methods not using the Server Wizard, see Rules, Rulesets, and Rule Writing.

Protection Schemas

As part of the latest version of the Server Wizard, after workloads are paired, the PCE will automatically detect which server roles are on the machine and match them against the available protection schemas. A protection schema represents a way to associate ('protect') a workload with a given application, and Illumio Xpress supports up to 10 protection schemas per server workload. This support for multiple protection schemas is called the Multiple Server Role feature. The PCE will recommend the protection schemas that have been detected, and you have the option to choose whether to accept or override the provided recommendations. See Recommendations.

By selecting a given protection schema, the corresponding labels are applied to your workload and the corresponding rulesets are created. After you select the protection schemas for a workload, the associated policies (if they exist) appear as hyperlinks in the Server Wizard. If a protection schema does not yet have an associated policy, selecting it still results in the appropriate labeling and in the workload's inclusion in policies that will be added in the near future.

Illumio Xpress Server Roles

This list is updated as additional server roles, protection schemas, and rulesets become available.

Server Role/Application                         | Protection Schema Available | Rulesets Available
------------------------------------------------|-----------------------------|-------------------
Active Directory                                | X                           | X
Active Directory Federation Services            | X                           | X
Active Directory Certificate Services           | X                           | X
Active Directory Lightweight Directory Services | X                           | X
File Server                                     | X                           | X
Windows Server Update Services                  | X                           | X
Print Server                                    | X                           | X
Windows Deployment Services                     | X                           | X
Active Directory Rights Management Services     | X                           |
Hyper-V                                         | X                           |
Remote Desktop Services                         | X                           |
Remote Access                                   | X                           |
DNS                                             |                             |
DHCP                                            |                             |
Web-Server                                      |                             |
VolumeActivation                                |                             |
NPAS                                            |                             |
DeviceHealthAttestationService                  |                             |
HostGuardianServiceRole                         |                             |
Fax                                             |                             |

How the Multiple Server Role Feature Works

Illumio's enterprise policy model uses many different constructs to allow users to write security policies with great flexibility.

Labels are the foundation of these constructs. With labels, you can specify a dimension (such as environment, role, etc.) and a value. These labels can be assigned to workloads, and policy rules can be written using these labels. Rules can also be written with label groups, which represent a collection of labels, each with the same dimension. See Labels and Label Groups.

The Multiple Server Role feature uses these two constructs to apply the appropriate policies to your workloads. Each protection schema is associated with multiple label group objects, and these label groups are now used in the accompanying policy rulesets.

When a protection schema, or a group of protection schemas, is selected for a workload, the PCE processes this set by producing a new label that represents this grouping of schemas.

By selecting these protection schemas, the workload will now have appropriate policies to protect it. After saving your selections, you can view the dynamically created labels on the workload by going to the workload page. Illumio Xpress automatically adds these labels to the label groups used in the rulesets associated with the selected protection schemas. The API provisions the label group update in which we dynamically create the label and move it into the label group.

Dynamically Created Labels

When one protection schema is used, the full label name is applied. If multiple protection schemas are used, Illumio Xpress represents each protection schema with a short code and groups them together to make labels.

Protection Schema                               | App Whole Name                                  | App Short Code | Role Whole Name   | Role Short Code
------------------------------------------------|-------------------------------------------------|----------------|-------------------|----------------
Active Directory                                | Active Directory                                | AD             | Domain Controller | DC-SVR
Active Directory Federation Services            | Active Directory Federation Services            | ADFS           | ADFS Server       | ADFS-SVR
Active Directory Certificate Services           | Active Directory Certificate Services           | ADCERT         | CA Server         | CA-SVR
Active Directory Lightweight Directory Services | Active Directory Lightweight Directory Services | ADLDS          | AD LDS Server     | ADLDS-SVR
File Server                                     | File Servers                                    | FILE           | File Server       | FILE-SVR
Windows Server Update Services                  | Windows Update Services                         | WSUS           | WSUS Server       | WSUS-SVR
Print Server                                    | Print Services                                  | PRINT          | Print Server      | PRINT-SVR
Windows Deployment Services                     | Windows Deployment Services                     | WDS            | WDS Server        | WDS-SVR
Active Directory Rights Management Services*    | Active Directory Rights Mgmt Services           | ADRMS          | AD RMS Server     | ADRMS-SVR
Hyper-V*                                        | Hyper-V                                         | HYPERV         | Hypervisor        | HYPERV-SVR
Remote Desktop Services*                        | Remote Desktop Services                         | RDS            | RDS Server        | RDS-SVR
Remote Access*                                  | Remote Access Services                          | RA             | RA Server         | RA-SVR

*These do not have rulesets at time of writing.

For example, if you select the following protection schemas together:

  • Active Directory

  • File Server

  • Windows Server Update Services

This will result in the following two labels being dynamically created and subsequently applied to your workload:

  • App Label: "AD | FILE | WSUS"

  • Role Label: "DC | FILE-SVR | WSUS-SVR"
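As an added illustration of the composition rule described above (example code, not Illumio's), the functions below build the expected App and Role labels for a set of selected protection schemas from the whole names and short codes in the table, and report any drift between those expected labels and the labels actually observed on a workload. It assumes combined labels list the schemas in the table's row order and uses the table's DC-SVR role code, where the example above writes DC.

```python
from typing import Dict, Iterable, List, Tuple

# Rows copied from the "Dynamically Created Labels" table:
# schema -> (App whole name, App short code, Role whole name, Role short code)
SCHEMAS: Dict[str, Tuple[str, str, str, str]] = {
    "Active Directory": ("Active Directory", "AD", "Domain Controller", "DC-SVR"),
    "Active Directory Federation Services": ("Active Directory Federation Services", "ADFS", "ADFS Server", "ADFS-SVR"),
    "Active Directory Certificate Services": ("Active Directory Certificate Services", "ADCERT", "CA Server", "CA-SVR"),
    "Active Directory Lightweight Directory Services": ("Active Directory Lightweight Directory Services", "ADLDS", "AD LDS Server", "ADLDS-SVR"),
    "File Server": ("File Servers", "FILE", "File Server", "FILE-SVR"),
    "Windows Server Update Services": ("Windows Update Services", "WSUS", "WSUS Server", "WSUS-SVR"),
    "Print Server": ("Print Services", "PRINT", "Print Server", "PRINT-SVR"),
    "Windows Deployment Services": ("Windows Deployment Services", "WDS", "WDS Server", "WDS-SVR"),
    "Active Directory Rights Management Services": ("Active Directory Rights Mgmt Services", "ADRMS", "AD RMS Server", "ADRMS-SVR"),
    "Hyper-V": ("Hyper-V", "HYPERV", "Hypervisor", "HYPERV-SVR"),
    "Remote Desktop Services": ("Remote Desktop Services", "RDS", "RDS Server", "RDS-SVR"),
    "Remote Access": ("Remote Access Services", "RA", "RA Server", "RA-SVR"),
}
# Assumption: a combined label lists the selected schemas in the table's row order.
ORDER = list(SCHEMAS)


def expected_labels(selected: Iterable[str]) -> Dict[str, str]:
    """One schema: the whole names. Several: short codes joined with ' | '."""
    wanted = set(selected)
    unknown = wanted - set(ORDER)
    if unknown:
        raise ValueError(f"unknown protection schema(s): {sorted(unknown)}")
    chosen = [s for s in ORDER if s in wanted]
    if not chosen:
        raise ValueError("at least one protection schema must be selected")
    if len(chosen) == 1:
        app, _, role, _ = SCHEMAS[chosen[0]]
        return {"App": app, "Role": role}
    return {
        "App": " | ".join(SCHEMAS[s][1] for s in chosen),
        "Role": " | ".join(SCHEMAS[s][3] for s in chosen),
    }


def label_drift(selected: Iterable[str], observed: Dict[str, str]) -> List[str]:
    """Return the App/Role labels on a workload that differ from what the selected
    schemas should have produced (for instance a role added after onboarding that was
    never re-onboarded). Labels in other dimensions, such as custom ones, are ignored."""
    want = expected_labels(selected)
    return [f"{dim}: expected {want[dim]!r}, found {observed.get(dim)!r}"
            for dim in ("App", "Role") if observed.get(dim) != want[dim]]
```

Feeding `label_drift` the schemas a server now needs and the labels read from its workload page gives a quick check of whether the re-onboarding steps below are due.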

Rule Enforcement

For rules (and protection schemas) to be enforced, they must be in the correct enforcement state. You can put them in the correct enforcement state by selecting the Protection Ready link from the Server tile on the Illumio Xpress Dashboard. See Ways to Enforce Policy.

Re-onboarding Servers to Accommodate New Traffic

If you installed new applications or added new functionality to a server after onboarding (applying protection schemas, labels, etc.), you may need to re-onboard the server. If you wish to re-onboard a server, wait for at least 24 hours after new application installation or functionality modification to give Xpress time to recognize the change before using the steps listed below.

For example, if you went through the Server Pairing Wizard and selected an Active Directory (AD) protection schema, but later configured that server to do double-duty as a print server as well, your print traffic would be blocked by default. This is because you had originally selected a protection schema that allowed only that traffic necessary for AD server functionality.

To use the Server Pairing Wizard and select additional protection schemas after you have previously applied protection schemas, do the following:

  1. From the Xpress Dashboard, browse to Workloads > Servers and select the server in question in the Name column.

  2. Select Edit, remove all the assigned labels, and select Save. Keep note of any custom labels, as you may need to manually reapply them later. The server will now appear in the Server Pairing Wizard again.

  3. From the Xpress Dashboard, start and complete the Server Pairing Wizard (select all the appropriate protection schemas for the server).

  4. After completing the Server Pairing Wizard, add any necessary custom labels, and move the server to an enforced state using the Server Enforcement Wizard as described above in Rule Enforcement.

Guidance for Preexisting Customers

Adapting Existing Rulesets to the Multiple Server Role Workflow

You may disregard this section if you are a new customer. This guidance applies only to customers who were using Illumio Xpress before the Multiple Server Role feature was introduced.

If you already went through the Server Wizard in full before the Multiple Server Role feature became available, some of the associated rulesets have already been created. In that case, you have two options if you would like to use the new feature.

Option One: Modifying the Existing Ruleset

Imagine an Active Directory default ruleset.

Each label within the ruleset can be replaced with the corresponding label group of the same name.

Note that not all labels need to be replaced, only the ones that have corresponding label groups. The following is a representative list of all label to label group conversions that may need to occur:

  • "Active Directory"
  • "Domain Controller"
  • "Active Directory Federation Services"
  • "ADFS Server"
  • "Active Directory Certificate Services"
  • "CA Server"
  • "Active Directory Lightweight Directory Services"
  • "AD LDS Server"
  • "Active Directory Rights Mgmt Services"
  • "AD RMS Server"
  • "Hyper-V"
  • "Hypervisor"
  • "File Servers"
  • "File Server"
  • "Windows Update Services"
  • "WSUS Server"
  • "Windows Deployment Services"
  • "WDS Server"
  • "Remote Desktop Services"
  • "RDS Server"
  • "Remote Access Services"
  • "RA Server"
  • "Print Services"
  • "Print Server"

Option Two: Deleting the Existing Ruleset

Re-run the Server Wizard after deleting the existing ruleset. This re-creates the ruleset with the label groups as expected. Any modifications made to the existing ruleset must be re-applied.

Caveats

  • Do not delete or modify any of the objects (e.g., labels, label groups, pairing profiles, etc.) associated with a server pairing. This will break the onboarding, pairing, etc., which may result in unexpected behavior.

  • If you encounter issues with policy being applied, make sure that you have the correct VEN version installed. See Prerequisites for VEN Installation.