Black Box ET0010A User Manual

EncrypTight Component Connections
EncrypTight User Guide
This section describes the planning for the following connections: 
ETPM and ETKMS on the Same Subnetwork
When the ETPM is located on the same subnetwork as the external ETKMS, the ETPM communicates 
with the ETKMS over the internal protected network using Ethernet connections as shown in Figure 7.
Figure 7. ETPM and ETKMS located in the same subnetwork
ETPM and ETKMS on Different Subnetworks
The ETPM and ETKMS interconnections on different subnetworks depend on the type of policy: Layer
3 IP policy or Layer 2 Ethernet policy.
ETPM and ETKMS in Layer 3 IP Policies
With larger IP networks, the ETPM and the external ETKMSs could be located on different subnetworks, 
as shown in 
. When managing the ETPM and ETKMS in-line, the communications path between 
the devices must pass through one or more PEPs and potentially one or more firewalls. For in-line 
management, in which management traffic can flow through the data path, be sure that the Enable passing
TLS traffic in the clear feature is selected on all PEPs. Enable this feature from the ETEMS
Appliance editor. By default, the Layer 3 PEPs are configured to pass all TLS traffic (port 443) in the 
clear. 
NOTE
The Enable passing TLS traffic in the clear feature passes all TLS traffic in the clear for all destination 
addresses. For added security, disable passing TLS traffic in the clear and create a policy for all TLS 
traffic (port 443) between EncrypTight components. For more information on creating policies, see 
.