The agent may initiate communication to Server & Workload Protection, or it may be contacted by Server & Workload Protection if the computer object is set to operate in bi-directional mode. Server & Workload Protection treats all connections to agents in the same way. If the agent has not been activated, only a limited set of interactions is possible. If the agent has been activated (either by an administrator or via the agent-initiated activation feature), the full set of interactions is enabled. Server & Workload Protection acts as the HTTP client in all cases, regardless of whether it was the client when forming the TCP connection. Agents cannot request data or initiate operations themselves; Server & Workload Protection requests information such as events and status, invokes operations, or pushes configuration to the agent. This security domain is tightly controlled to ensure that agents have no access to Server & Workload Protection or to the computer it is running on.
Both the agent and Server & Workload Protection use two different security contexts to establish the secure channel for HTTP requests:

Procedure

  1. Before activation, the agent accepts the bootstrap certificate to form the SSL or TLS channel.
  2. After activation, mutual authentication is required to initiate the connection. For mutual authentication, the Server & Workload Protection certificate is sent to the agent and the agent's certificate is sent to Server & Workload Protection. The agent validates that the certificates come from the same certificate authority (which is Server & Workload Protection) before privileged access is granted.

What to do next

Once the secure channel is established, the agent acts as the server for the HTTP communication. It has limited access to Server & Workload Protection and can only respond to requests. The secure channel provides authentication, confidentiality through encryption, and integrity. The use of mutual authentication protects against man-in-the-middle (MiTM) attacks where the SSL communication channel is proxied through a malicious third party. Within the stream, the inner content uses GZIP and the configuration is further encrypted using PKCS #7.
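The following Go program is an added example, not code from Trend Micro or from the product; it models the post-activation step of the procedure above (both sides present a certificate and accept the peer only if its certificate chains to the same certificate authority) and shows why that check defeats the proxied-channel attack described in the previous paragraph. An in-process self-signed CA named `manager-ca` stands in for the role Server & Workload Protection plays as the certificate authority; the names `manager`, `agent` and `rogue-ca` are constructed for the example, and the pre-activation bootstrap certificate is not modeled. Three loopback handshakes are run: both certificates from the manager's CA, an agent certificate issued by an unrelated CA, and a server presenting a "manager" certificate issued by an unrelated CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is a certificate plus the private key that proves possession of it.
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err) // a setup failure aborts the demonstration
	}
}

// mint returns a self-signed CA when parent is nil (the manager's role), otherwise a leaf signed by parent.
func mint(parent *Identity, name string, serial int64) *Identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // SAN; verifiers no longer accept a bare CN
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &Identity{Cert: cert, Key: key}
}

// MutualHandshake runs a loopback TLS handshake; each side accepts the peer only if its chain ends at trusted.
func MutualHandshake(trusted, server, client *Identity) error {
	pool := x509.NewCertPool() // the single CA both sides trust
	pool.AddCert(trusted.Cert)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{server.Cert.Raw}, PrivateKey: server.Key}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // refuse clients without a certificate from the CA
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	})
	check(err)
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake()
			c.Close()
		}
		serverErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{client.Cert.Raw}, PrivateKey: client.Key}},
		RootCAs:      pool, // the server must chain to the same CA, or the client aborts
		ServerName:   "manager",
	})
	if err != nil {
		<-serverErr // the server side fails as well; let the goroutine finish
		return err
	}
	defer conn.Close()
	return <-serverErr // nil only if the server also accepted the client's certificate
}

// Scenarios: both certificates from the manager's CA, then an agent and a "manager" certificate from an unrelated CA.
func Scenarios() (sameCA, rogueAgent, rogueManager error) {
	ca, rogue := mint(nil, "manager-ca", 1), mint(nil, "rogue-ca", 1) // rogue is constructed and never trusted
	manager, agent := mint(ca, "manager", 2), mint(ca, "agent", 3)
	fakeAgent, fakeManager := mint(rogue, "agent", 2), mint(rogue, "manager", 3)
	return MutualHandshake(ca, manager, agent),
		MutualHandshake(ca, manager, fakeAgent),
		MutualHandshake(ca, fakeManager, agent)
}

func main() {
	fmt.Println(Scenarios()) // expect <nil> followed by two certificate errors
}
```

The two rejections come from different sides: the agent certificate from `rogue-ca` is refused by the server because of `ClientAuth: tls.RequireAndVerifyClientCert` with a `ClientCAs` pool that holds only the manager's CA, while the forged "manager" certificate is refused by the client because `RootCAs` holds the same single CA. A proxy that terminates the channel can present a certificate for the right name, but not one that chains to the manager's CA, which is the property the mutual check relies on.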