How To Create An Air-Gapped Appliance

    Applies to:
  • SecureAuth Identity Platform
Deployment model:
  • Hybrid
  • Version Affected: All versions below 20.06 can currently be created as air-gapped.

    Description:  

    For the time being, this is how we manually create air-gapped appliances to ship to customers.

     

    Cause:  

    Customers need specific configurations for an air-gapped appliance. Customer-facing teams are responsible for creating these appliances and shipping them out to customers.

     

    Resolution:  

    There are 4 main steps to get an appliance air-gapped.

     

    1. Stand up an appliance in whichever farm is accessible. 

      In the support team's case, we have a VMware farm to use as well as a deploy machine. Ensure the deploy machine is reverted to its base snapshot, at which point you need to set up the administrative password. Set the password to whatever is desired and make a note of it, since it will be sent to the customer. From here, activate the IdP and ensure all IdP functions are operating as expected.

      [Screenshot: the VM used for the support team's deploy machine.]

    2. Create a TRX Disable Code. This is done by creating a sustaining Jira ticket that includes the appliance GUID. The GUID can be found in the license info section of the system info tab.

      Once the code is received, enter it in its place under TRX Log Mode Code.
      *NOTE* This is NOT to be confused with Log Disable Code.

    3. Refer to this article to change the localadmin start page to the classic experience instead of the New Experience.

      https://support.secureauth.com/hc/en-us/articles/360035048991-SecureAuth-Identity-Platform-air-gapped-installation-preventing-New-Experience-from-displaying

    4. Hotfix the appliance, because it makes a call to polaris/titan even if the New Experience is not being used. This can be done before or after you ship it, at the admin's discretion.


    Once this is all done, your new air-gapped appliance is good to go! We usually export the entire OVF (remember to shut down the VM before doing so) and then upload it to a location the customer can download it from. At the time of writing, we upload to SharePoint.

     

    Special Considerations (optional as needed):  

    Please consider Windows Updates. Depending on the client, they may want the appliance as a clean slate or patched all the way up; this is at the admin's discretion.

     

     

    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
