Deploy or upgrade to cnMaestro On-Premises 3.2.0 while connecting to an Anchor account

This video highlights the steps necessary to either deploy a new instance of cnMaestro On-Premises 3.2.0 or upgrade an existing 3.1.1 or earlier instance of cnMaestro On-Premises to 3.2.0, along with creating and connecting to an Anchor account.

Here is a PDF with the details:

cnMX VM deployment with Anchor Account -final v1.1.pdf (3.0 MB)

Does this mean on-prem cnMaestro is required to connect to the internet in order to use it?

Edit: This is even worse than I thought - it requires internet connectivity to on-board an SM.

For security reasons we do not allow internet access to our cnMaestro server. To require internet access to onboard a device makes 3.2 a non-starter. The even worse part is the Cambium 3.1.x OS version is about to go off support, leaving those that want a secure environment high and dry. Cambium did a similar thing on release of 3.x. This is a very bad look for Cambium IMO and a total disregard for existing customers' security. Is Cambium going to require the FBI cnMaestro to always be connected to the internet too?

@rnelson, cnMaestro 3.2.0 uses outbound connections only. As long as you allow outbound connections, without exposing the cnMaestro server to the Internet, this requirement can be satisfied. We also support a proxy for outbound connections for added security. Are you operating a completely air-gapped network?

Watch the updated video here:

Exposing the network to the internet was one of the concerns we had originally with cnMaestro, and about which we had multiple conversations with Emilio and Matt around 2017, each assuring us cnMaestro would not require an internet connection. The networks that talk to cnMaestro are not exposed to the internet and never will be for client security reasons. Even if we firewall the outbound WAN on cnMaestro, if a vulnerability were to occur within cnMaestro on the LAN side that causes these internal networks to reach outbound on the internet, it would be a huge issue. IMO Cambium currently does not ship OVA images with library and OS security updates fast enough. I would strongly encourage the Cambium developers to scan the 3.1.x release with OpenSCAP. Instructions on how to do so:

As we have seen with the recent vulnerabilities in Ubiquiti products, Cambium must pay attention to these issues, especially if they are playing in the federal and utility space. Nation-state actors are increasingly targeting these sectors for compromise. Please know I am not trying to criticize Cambium, but to point out security reasons for customer hesitancy to utilize a persistent internet connection to cnMaestro for what seems like no gain for the customer.