UNIT 5 - Lab-9 Worksites

Uploaded by Arthur Costa
Lab 9: Worksites

Lab address, credentials, and architecture will be shared separately.

Objective
In this lab you will learn how to enable and configure Worksite features in Akamai
Guardicore Solution.

Field application
Develop skills necessary to allow users to selectively apply policies and rules to a set of
assets at a specific location inside the company environment.

Steps:
1.1. In the UI, navigate to the System menu category and verify that Worksites
has been added under SETUP, as shown below.

1.2. You can also navigate to System→Configuration→Worksites and verify
that Enable Worksites feature is checked.

1.3. Unchecking the feature at this level will turn off the feature on the UI.

2. Creating worksites
Use this table to identify the Worksite assigned to your application.

Application   Worksite
Accounting    New-York
Ecomm         Madrid
Billing       Los Angeles
CRM           Hamburg
DMS           Paris
OrgPortal     Tel-Aviv

© 2024 Akamai | Confidential 1 GCSA v50 Unit4 - Worksite

2.1. Navigate to the System menu and select Worksites. On the ensuing
menu, click on Create Worksite.
2.2. Enter the Worksite Name (no more than 100 characters). Make sure to use a
name linked to your assigned application (hint: Billing-Worksite, for
instance) and click Apply.

2.3. You can also add a comment by clicking the comment icon under
the comment column. Then click Apply.

2.4. Click Save to create the Worksite.

3. Assigning your application tier workloads


3.1. Navigate to the Agents screen. In the search box, enter your application
name and bulk select by clicking on the Name column.
3.2. Once your application tier workloads are selected, click the More button.

3.3. Click Apply.
3.4. Verify that the worksite is listed on the Worksites screen and that the
AGENTS and ASSETS columns display the correct number of workloads.
3.5. Alternatively, you may access the Agents screen and filter by your
worksite to list the workloads of your application tier (if needed, click the
More Filters button to display the Worksite tab).

4. Configuring Worksite policies


You will configure a policy in which your application tier workloads are only
accessible via ssh within the worksite through the Load balancer. Any other
attempt to access the workload within the worksite will be blocked. The only
exception is the jumpboxes for the administration of the lab.
4.1. Navigate to the Enforce menu category and select Rules.
4.2. Open the Create rule drop-down and select Override Allow.

4.3. Click under Source (empty box). Under the Assets icon, choose your
application load balancer (e.g. Accounting-lb-1) and, for granularity, the
process ssh, then click Apply.
4.4. Navigate to the destination. Under the Labels icon, choose App: <your
application label> (e.g., App: Accounting) and click Apply.
4.5. Under Ports/Protocols, uncheck UDP to leave only TCP, type in 22
for the port number, and Save.
4.6. To differentiate your rules from other students' rules, make sure to enter a
ruleset (hint: e.g., Accounting-worksites-rules-user#) and Save.
4.7. Click on All Worksites under the Worksite column and select your
created worksite. Click Apply.
4.8. Click Save to create the rule.
4.9. From the same Policy Rules screen, create an Override Block rule to
block any ssh connection attempts to your application tier workloads within
the worksite. Use the below illustration for guidance.

4.10. You should now have two rules under the ruleset you created.
At the top of the screen, click on Publish to activate the rules under your
created ruleset, as shown below.

5. Validation of Worksite policy enforcement
You will now validate the enforcement of your defined policy. You should first
be able to ssh from any of your jumpboxes (Linux/Windows) to your application
load balancer (e.g. Accounting-lb-1) and from there access any of your
application tiers, but you will not be able to ssh between tiers.
5.1. Ssh to your Load Balancer. (Hint: access is through your Linux jumpbox
using the credentials provided by your instructor, and the IP of the load
balancer is available from the Agents screen.)

5.2. From there, ssh to your application tier Load balancer VM (lb-1). (Hint: for
the IP address, access the Agents screen and filter by your application name;
the IPs are under the IP addresses column.)
5.3. Is the connection successful? If not, troubleshoot.

5.4. From your LB machine, try to ssh to the remaining tiers of your application
(Web1, Web2, db1, and db2), one at a time.

5.5. Would the connections be successful? If not, troubleshoot.

5.6. From your application's database server (e.g. Accounting-db-2), attempt to
ssh to the application's webserver (e.g. Accounting-web-2).
5.7. Would the connection be successful? If not, why?

Access the Network Log and locate the traffic blocked per Worksite policy.

5.8. Optional Task: ask one of your colleagues using a different application on
the same lab to share the IP address of their database VM (db-1). Attempt
to ssh from your application to the other application's database server. Are
you successful? If so, why?
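
The outcomes to expect in steps 5.4 to 5.8, worked through as an added example (not part of the original lab or of the Akamai Guardicore product): a small Python model of the two rules from section 4. It assumes that Override Allow is evaluated before Override Block and that a worksite-scoped rule applies only when both endpoints are in that worksite; the worksite name and the Billing asset are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Asset:
    name: str
    app: str        # value of the App label
    worksite: str

@dataclass(frozen=True)
class Rule:
    action: str     # "override_allow" or "override_block"
    worksite: str
    dst_app: str
    port: int       # TCP only, as in step 4.5
    src_asset: Optional[str] = None    # None matches any source
    src_process: Optional[str] = None  # None matches any process

# Assumption: override-allow rules are evaluated before override-block rules.
PRECEDENCE = ("override_allow", "override_block")

def verdict(rules, src, dst, port, process):
    """Action of the first matching rule, or None when neither rule applies."""
    for action in PRECEDENCE:
        for r in rules:
            # Assumption: a worksite rule needs both endpoints in that worksite.
            in_scope = src.worksite == r.worksite == dst.worksite
            if (r.action == action and in_scope and r.port == port
                    and r.dst_app == dst.app
                    and r.src_asset in (None, src.name)
                    and r.src_process in (None, process)):
                return action
    return None

WS = "Accounting-Worksite"  # constructed name, following the hint in step 2.2
RULES = [  # listed block-first on purpose: list order must not change the result
    Rule("override_block", WS, "Accounting", 22),
    Rule("override_allow", WS, "Accounting", 22, "Accounting-lb-1", "ssh"),
]
lb = Asset("Accounting-lb-1", "Accounting", WS)
web2 = Asset("Accounting-web-2", "Accounting", WS)
db2 = Asset("Accounting-db-2", "Accounting", WS)
other_db = Asset("Billing-db-1", "Billing", "Billing-Worksite")  # constructed

def expected_results():
    return {
        "5.4 lb -> web-2": verdict(RULES, lb, web2, 22, "ssh"),
        "5.6 db-2 -> web-2": verdict(RULES, db2, web2, 22, "ssh"),
        "5.8 db-2 -> other db-1": verdict(RULES, db2, other_db, 22, "ssh"),
    }
```

A None result means neither of the two rules decides the flow, so the outcome depends on whatever other policy is published.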

6. Handling worksites conflict


6.1. Navigate to the Assets screen, filter the assets by your application name,
and bulk select the application tier workloads.
6.2. Click on Assign Worksite, choose the default Worksite, and Apply.
6.3. Are you able to reassign the workloads to the default worksite? If not,
why? (Hint: Worksite hierarchy)
7. Optional (Disabling worksites)
7.1. Navigate to System→Configuration and then click on Worksites.
Attempt to turn off the feature by unchecking Enable Worksites feature
and Save the changes. Are you successful? If not, why?
7.2. Access the Enforce menu category, locate the rules of your
worksite, delete them, and Publish the change.
7.3. Go to the Agents screen, filter and bulk select your application tier
workloads, then reassign them to the default worksite.

7.4. Navigate to the System menu category and click on Worksites.
There should be no assets or agents assigned to the worksite.
7.5. Select your created worksite and remove it.

7.6. On the same system menu, click on configuration. Select Worksites and
uncheck Enable Worksites feature and Save changes.

Good luck!!
