Protector Air Setup

By default, Trusted Knight operations will set up access for the users listed on the signup form.  If you require a different set of users, or additional users with access, please contact Trusted Knight support. 
If your organization uses a third-party CDN service, you have two options: 
  1. Trusted Knight can include the Amazon CloudFront CDN service as part of Protector Air and manage the combined service for you. 
  2. You can continue to use your existing CDN in conjunction with Protector Air. 
  If you want to continue to use a third-party CDN, Protector Air should be between the CDN and your origin website.  This way all web requests from users will still hit the CDN first, providing you the full performance benefits from caching and geographic proximity.  Any requests that are not served by the CDN will pass through to Protector Air and then to your origin website.    To do this, the DNS changes will be slightly different from simply setting up a CNAME, since the main DNS entry for the domain name should still point to the CDN provider.  Depending on which CDN service you are using, Trusted Knight support can work with you to define what changes are most appropriate. 
Trusted Knight will provide a CNAME value, which you use as a new canonical name for your website domain name.  This will be a domain name managed by Trusted Knight, which is necessary because IP addresses used by Protector Air may change due to scaling, load balancing, and high availability.  By using a CNAME instead of an IP address, the organization does not need to make any further changes, and any IP address changes will be managed by Trusted Knight.    Below is a simple example of how this works for a website owned by Ted’s Turtle Shoppe, where Trusted Knight provided the CNAME   

Before: The website domain name goes directly to an IP address for the website.   
After: The organization changes this entry to use the CNAME provided by Trusted Knight (the first entry below), while Trusted Knight manages the second entry. 
Yes.  Some organizations desire to test the functionality themselves before switching on live traffic, particularly in areas of the website that are not generally accessible, such as behind a login screen.  To do this, you can use the IP address of the CNAME and modify the “hosts” file on one or more computers and run some tests.  This overrides DNS for those computers, and directs the web traffic through Protector Air before it goes to the website.  Once testing is complete, you make the DNS changes to put Protector Air in place for all web traffic.  (And don’t forget to undo the changes on the test computers.) 
Organizations may sometimes request to run a trial without running live traffic through Protector Air.  This avoids the need for the DNS change and the SSL certificate.  Instead, a local hosts file change can be made on a few test machines, which overrides DNS and forces traffic from those test machines to route through Protector Air instead of going directly to the website.   However, in Trusted Knight’s experience this usually makes the trial much less effective, for three reasons.  First, it requires much more active involvement by the organization doing the evaluation, since without their involvement in generating web requests from test machines, no traffic will hit Protector Air.  Second, the test results will only be as thorough as the organization’s ability to test.  Are the testers able to generate web attacks like SQL injection?  Do the testers have experience with client-side malware such as keyloggers that they can use to test the anti-malware capabilities?  If not, then the test will simply show passing web traffic, with no alerts.  Finally, allowing live traffic to flow through Protector Air will not only provide a richer set of data for the trial, but will also provide some useful insight into what is actually happening with typical web sessions from real users and the Internet activity attempting to access the site. 
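The hosts-file override used for pre-cutover testing and for trials, as an added example that is not Trusted Knight's own tooling: it tags the test entry so it can be undone cleanly and reports existing entries for the same name that could compete with it. The marker text, the hostname and both IP addresses are constructed placeholders.

```python
MARKER = "# protector-air-test"  # hypothetical tag; makes the override easy to find and undo

def mapped_names(line):
    """Hostnames mapped by one hosts-file line, ignoring any trailing comment."""
    fields = line.split("#", 1)[0].split()
    return [name.lower() for name in fields[1:]]

def remove_override(hosts_text):
    """Drop every line that carries MARKER, leaving all other entries untouched."""
    kept = [l for l in hosts_text.splitlines() if not l.rstrip().endswith(MARKER)]
    return "\n".join(kept) + "\n" if kept else ""

def add_override(hosts_text, ip, hostname):
    """Return (new_text, conflicts).

    Idempotent: an earlier tagged override is replaced, not duplicated.
    conflicts lists untagged lines that already map the hostname; such an
    entry can compete with the override, so test traffic may bypass the proxy.
    """
    lines = remove_override(hosts_text).splitlines()
    conflicts = [l for l in lines if hostname.lower() in mapped_names(l)]
    lines.append(f"{ip}\t{hostname}\t{MARKER}")
    return "\n".join(lines) + "\n", conflicts

# Constructed sample: a hosts file that already pins the site to another address.
SAMPLE_HOSTS = "127.0.0.1\tlocalhost\n192.0.2.7 www.example.com\n"

if __name__ == "__main__":
    # 203.0.113.10 stands in for the address the provided CNAME resolves to.
    updated, conflicts = add_override(SAMPLE_HOSTS, "203.0.113.10", "www.example.com")
    print(updated, end="")
    print("conflicting entries:", conflicts)
    print("restored:", remove_override(updated) == SAMPLE_HOSTS)
```

Because the CNAME's IP address may change, resolve it again immediately before each test run rather than reusing an old value.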
Usually, yes.  However, there are two situations where an SSL certificate is not required: 
  1. The website ONLY supports HTTP (i.e. unencrypted) traffic.  This is becoming less common due to increased privacy concerns among website visitors. 
  2. This is a trial and you will not be running real web traffic through Protector Air. 
  Organizations may sometimes request to run a trial without running live traffic through Protector Air.  However, this is not recommended – see below. 
Trusted Knight uses the Amazon CA, run by Amazon Web Services (AWS), to issue domain-validated SSL certificates.  Trusted Knight will request a new certificate through AWS, and AWS will send a verification email to the contacts listed in the WHOIS domain record for the website.  As long as your organization controls the domain, and is listed as the domain registrant, administrative contact, or technical contact (or forwarded by a domain proxy email address), you will be able to approve the new certificate request. 
If you are providing certificate files to Trusted Knight, then the certificate and private key can be provided in either a single file or multiple files: 
  • If using a single file, this will usually have a “.pfx” or “.p12” extension (which is a PKCS#12 format) 
  • If using separate files, these are usually base64 encoded files, with extensions like “.cer”, “.crt”, “.pem”, or “.key”.  Regardless of the extension, these will be text files containing a string of characters with a prefix similar to “-----BEGIN RSA PRIVATE KEY-----” or “-----BEGIN CERTIFICATE-----” 
  Please also include the certificate chain – usually this is included by default.    It is strongly recommended that the private keys be encrypted with a strong password, or else delivered over a secure channel. 
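A pre-delivery check for the files described above, as an added example that is not part of Trusted Knight's documentation or tooling: it reads the PEM labels to report whether a private key is unencrypted and whether more than one certificate (a chain) is present. The function name and the sample blocks are constructed; the bodies are placeholder text, not real key material.

```python
import re

# PEM armor: -----BEGIN <label>----- ... -----END <label>-----
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def inspect_delivery(data: bytes) -> dict:
    """Summarise what a certificate/key file contains before it is sent."""
    report = {"format": "unknown", "certificates": 0, "private_keys": 0,
              "unencrypted_keys": 0, "chain_included": False}
    blocks = PEM_BLOCK.findall(data.decode("ascii", errors="ignore"))
    if not blocks:
        # .pfx/.p12 (PKCS#12) is binary DER and starts with an ASN.1
        # SEQUENCE tag (0x30); so does a DER-encoded certificate.
        if data[:1] == b"\x30":
            report["format"] = "binary DER"
        return report
    report["format"] = "PEM"
    for label, body in blocks:
        if label == "CERTIFICATE":
            report["certificates"] += 1
        elif label.endswith("PRIVATE KEY"):
            report["private_keys"] += 1
            # Encrypted keys are either PKCS#8 "ENCRYPTED PRIVATE KEY" blocks
            # or legacy blocks carrying a "Proc-Type: 4,ENCRYPTED" header.
            if label != "ENCRYPTED PRIVATE KEY" and "Proc-Type: 4,ENCRYPTED" not in body:
                report["unencrypted_keys"] += 1
    # Heuristic: more than one certificate means intermediates travel with the leaf.
    report["chain_included"] = report["certificates"] > 1
    return report

def pem(label, body="Q09OU1RSVUNURUQ="):
    """Build a constructed PEM block; the body is placeholder text, not key material."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed samples (no real certificates or keys).
LEAF_WITH_PLAIN_KEY = (pem("CERTIFICATE") + pem("RSA PRIVATE KEY")).encode()
CHAIN_WITH_ENCRYPTED_KEY = (pem("CERTIFICATE") * 2 + pem("ENCRYPTED PRIVATE KEY")).encode()
LEGACY_ENCRYPTED_KEY = pem("RSA PRIVATE KEY",
                           "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nQ09O").encode()

if __name__ == "__main__":
    for name in ("LEAF_WITH_PLAIN_KEY", "CHAIN_WITH_ENCRYPTED_KEY", "LEGACY_ENCRYPTED_KEY"):
        print(name, inspect_delivery(globals()[name]))
```

A non-zero `unencrypted_keys` count means the file should only travel over a secure channel, or the key should be re-exported with a strong password first.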
If you have multiple domain names, Trusted Knight needs the complete list in order to configure Protector Air for all of them.  These could be separate websites or part of the same website – for example, if your main site is but then when a customer wants to check out they are directed to, Trusted Knight will need both domain names if you want both protected behind Protector Air.  Similarly, Trusted Knight will need SSL certificates for all domains.  These could be in one certificate or separate ones.