Xpress Runbook

The goal of Illumio Xpress is to allow quick onboarding of servers and endpoints through fully guided wizards that analyze your network traffic and give you rule recommendations that minimize risk.

Please contact xpress-feedback@illumio.com if you need onboarding guidance, need clarification, or want to provide feedback. We are excited to assist you as you explore the guided workflows.

Protecting Servers

The use case for protecting servers with Xpress is to apply targeted segmentation and ringfencing to critical Windows servers, limiting which sources may reach them and so reducing their exposure to compromise. At the time of writing, the supported server roles are: Active Directory, Active Directory Federation Services, File Server, Windows Server Update Services, and Print Services.

Please review the ‘What’s New’ in-app guide for new schemas, which protect different types of servers, as they are made available. If you have a recommendation, please email us with your suggestions at xpress-feedback@illumio.com.

In addition to improving the user experience, Illumio Xpress has added server role detection and a protection template (schema) for each supported server role. The system automatically labels detected servers and recommends rules appropriate to the role.

The following flow lists the key events in the server protection process:

Illumio recommends that you on-board Active Directory and domain controller servers first.

If you haven't already, open a command prompt on the machine you want to protect; the pairing script you run there installs an agent (VEN) and pairs it to the workload.

  1. From the dashboard, select Add Servers.

    The Let's start by installing agents on your servers page of the wizard appears.

  2. Select Copy Script for your operating system, paste the copied script into the command prompt of the machine, and press Enter. This installs an agent on the server, which then starts communicating with Illumio Xpress. To review what the script does before running it, select Preview Script.

  3. After you select Next, the wizard recommends protection schemas based on the Windows server roles it detected.

  4. On the Choose protection schemas to apply page, select the Summary of Rules link in the Policies column to review the recommended rules for any server with a recommended or selected protection schema.

    If a recommended protection schema does not match what a given server actually does, select Change in the Protection Schema column and choose a different schema; each schema applies its own set of rules and labels.

  5. When you are satisfied with the selections, choose Save. The wizard then shows you the traffic that would be blocked by the saved rules. Saving does not protect anything yet: saved schemas still need to be enforced before they take effect on the servers.

  6. From the Xpress Dashboard, select the Protection Ready link to continue to enforcement.
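The wizard's schema recommendation is derived from role detection, and step 4 asks you to confirm it. The following PowerShell snippet is an added example, not part of Illumio Xpress or its pairing script: run it on the server itself to list which of the supported roles are actually installed, and whether the machine is a domain controller, so the recommended schema can be cross-checked against ground truth before you Save. The mapping from role names to Windows feature names is this example's own assumption; it requires Windows Server (the ServerManager module is not available on client editions).

```powershell
# Added example (not part of Illumio Xpress): cross-check the wizard's
# recommended protection schema against the roles actually installed.
# Requires Windows Server with the ServerManager module (Get-WindowsFeature).
Import-Module ServerManager

# Windows feature names for the server roles Xpress currently ships schemas for.
# This mapping is the example's assumption, not an Illumio-defined table.
$roleFeatures = [ordered]@{
    'Active Directory'                     = 'AD-Domain-Services'
    'Active Directory Federation Services' = 'ADFS-Federation'
    'File Server'                          = 'FS-FileServer'
    'Windows Server Update Services'       = 'UpdateServices'
    'Print Services'                       = 'Print-Services'
}

$installed = Get-WindowsFeature | Where-Object { $_.Installed }

foreach ($role in $roleFeatures.Keys) {
    $feature = $roleFeatures[$role]
    $present = $installed | Where-Object { $_.Name -eq $feature }
    $state   = if ($present) { 'INSTALLED' } else { 'absent' }
    '{0,-40} {1,-22} {2}' -f $role, $feature, $state
}

# Flag a domain controller explicitly: AD DS can be installed on a server that
# was never promoted, and Xpress asks that domain controllers be onboarded first.
# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$isDc = $cs.DomainRole -in 4, 5
"Domain controller: $isDc"
```

If the wizard recommends a schema for a role that shows as absent here (or misses one that is installed), use Change in the Protection Schema column rather than accepting the recommendation; a schema for the wrong role will allow or block the wrong ports.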

For background information on protecting servers, see Protecting Servers Overview. If you had difficulty, see VEN Installation Troubleshooting or contact xpress-feedback@illumio.com.


Protecting Endpoints

The use case for protecting endpoints with Illumio Xpress is to block all inbound traffic to endpoints by default, so that nothing reaches an endpoint unless it is explicitly allowed: administrator access to user endpoints, and access from services based on the inbound traffic observed by the agent.

Illumio Xpress supports endpoint groups, so that traffic can be allowed or denied differently for different sets of paired endpoints. The wizard suggests security recommendations to apply to endpoints such as tablets or laptops.

The following flow lists the key events in the endpoint protection process:

If you haven't already, open a command prompt on the machine you want to protect; the pairing script you run there installs an agent (VEN) and pairs it to the workload.

  1. From the dashboard, select Add Endpoints.

    The Let's start by installing agents on your endpoints page of the wizard appears.

  2. Select Copy Script for your operating system and the endpoint's role (user or administrator), paste the copied script into the command prompt of the machine, and press Enter.

    This installs an agent on the endpoint, which then starts communicating with Illumio Xpress. To review what the script does before running it, select Preview Script.

    To pair another endpoint later with the same script (for example, when a new person joins the department and receives a comparable endpoint), re-enter the endpoint onboarding wizard or pair it manually. See Pairing Profiles and Scripts for instructions on how to pair an endpoint with a VEN.

  3. Before selecting Next, let the agent observe the endpoint's traffic for a while (up to 24 hours is sufficient). The recommendations are derived from observed inbound traffic, so if you proceed too early, legitimate services that have not yet sent traffic will be missing from the recommendations and will be blocked. When you select Next, the wizard presents recommendations based on what it observed in your environment.

    The Endpoint Traffic page of the wizard appears.

  4. This page shows details about administrator access, observed services and traffic, and which inbound traffic will be blocked. For each observed service and traffic flow, Illumio indicates whether it recommends allowing or blocking it.

  5. When you have reviewed or modified the recommended settings, select Save Rules.

    This provisions the endpoint group and its associated components, and a Success dialog appears. From there you can return to the Xpress Dashboard. As with servers, the provisioned endpoint group and its components still need to be enforced before the endpoint is protected.

  6. From the Xpress Dashboard, select the Protection Ready link to continue to enforcement.
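The Endpoint Traffic page in step 4 lists observed services; only what actually received traffic during the observation period shows up there. The following PowerShell snippet is an added example, not part of Illumio Xpress: run it on the endpoint to list every non-loopback TCP and UDP listener with its owning process, so the wizard's observed services and its allow/block recommendations can be compared with what the machine is really exposing before you Save Rules. The $expectedInbound baseline (RDP and WinRM) is a hypothetical starting point for an administrator-managed user endpoint, not a value taken from Xpress; it requires the NetTCPIP module (Windows 8 / Server 2012 and later).

```powershell
# Added example (not part of Illumio Xpress): enumerate what this endpoint is
# listening on, with owning process, to sanity-check the wizard's "observed
# services" and its recommended allow/block entries before you Save Rules.
# Requires the NetTCPIP module (Get-NetTCPConnection / Get-NetUDPEndpoint).

# Map PIDs to process names once, so each listener can be attributed.
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_.ProcessName }

# Hypothetical baseline of inbound TCP ports an administrator expects to reach
# on a user endpoint (RDP, WinRM). Adjust to your environment.
$expectedInbound = @(3389, 5985)

$tcp = Get-NetTCPConnection -State Listen |
    Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
$udp = Get-NetUDPEndpoint |
    Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess

$listeners = @($tcp) + @($udp) |
    # Loopback-only sockets are not reachable inbound, so they are out of scope.
    Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
    # One row per protocol/port; the same port bound on 0.0.0.0 and :: is collapsed.
    Sort-Object Proto, LocalPort -Unique |
    ForEach-Object {
        [pscustomobject]@{
            Proto    = $_.Proto
            Port     = $_.LocalPort
            Address  = $_.LocalAddress
            Process  = $procs[[int]$_.OwningProcess]
            Expected = ($_.Proto -eq 'TCP' -and $_.LocalPort -in $expectedInbound)
        }
    }

$listeners | Format-Table -AutoSize

# Listeners you did not expect are candidates for the wizard's default inbound
# block; expected listeners missing from "observed services" have simply not
# received traffic yet, which is why the observation period before Next matters.
$listeners | Where-Object { -not $_.Expected } |
    ForEach-Object { "Unexpected listener: $($_.Proto)/$($_.Port) ($($_.Process))" }
```

Read the output against the Endpoint Traffic page: an unexpected listener that the wizard recommends allowing deserves a second look, and an expected one that never appeared as observed traffic means the observation window was too short for that service.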

For background information on protecting endpoints, see Protecting Endpoints Overview. If you had difficulty, see VEN Installation Troubleshooting or contact xpress-feedback@illumio.com.

Network Flow Visibility

The Illumio Xpress map is a real-time view of how your systems are connecting and communicating with each other and with the outside world. It is accessed from the Explore > Map link on the side navigation bar and gives you a visually intuitive way to review traffic as affected by the policies (rules and schemas) you applied with the Xpress wizards. Draft view predicts how the saved but not yet enforced policies would affect connections between your servers and/or endpoints, including the traffic that would be blocked. Reported view shows how the enforced policies actually affect those connections, including the traffic that is actually being blocked. See Xpress Visualization.

Xpress Support & Troubleshooting Assistance

For onboarding guidance, clarification, or feedback, contact xpress-feedback@illumio.com. For problems installing or pairing an agent, see VEN Installation Troubleshooting first.