The Expel Assembler creates a secure VPN connection so that Expel can access the security devices that live on your internal network. It is packaged as a virtual machine. The first steps in leveraging an assembler as part of an Expel integration are to add a new assembler in Workbench and configure your firewall. Then you can deploy the virtual machine in a supported vendor environment, and continue on with the integration.


If your external users are able to directly log in to the security device because it is on an external network, you do not need an assembler to set up your integration with Expel.

Some virtual machine vendors may also require that you download and verify a CoreOS image file. You will find those instructions in this guide as well.


  • Your security device should live on an internal, private network where a direct external connection cannot be established.
  • You must have sufficient resources to run a virtual machine. You will need:
    • 2 virtual CPUs
    • 8 GB RAM
    • 20 GB disk space
  • You must be able to run an assembler with one of our supported environments. They include:
    • Hyper-V or VMware for on-premises environments
    • AWS, Azure, or Google Cloud Platform (GCP) for cloud environments
  • You may also need space to install multiple virtual machines if your network is segmented and you require multiple assemblers.

Quick Start

Setup includes the following steps (click any step for detailed instructions):

  1. Add an Assembler in Workbench
  2. Update your Firewall Configuration
  3. Download the Base CoreOS Image/Artifact
    • Hyper-V, VMware, or Azure only
  4. Deploy Your Virtual Machine
    • Each linked guide includes instructions on verifying the connection and also the next steps to adding a device in Workbench

You will then need to add your technology as a security device in Workbench as a final step. 


If you have any questions about how many assemblers to install, contact your Engagement Manager.

Step 1: Add an Assembler in Workbench

The first step is to alert us that you want to use an assembler, and to also tell us how the virtual machine should communicate with your internal network(s) and with us. You do this by adding a new assembler and configuring its properties.

  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > Assemblers.
  3. Click Add Assembler.
  4. Complete the fields as follows:
    • Name - enter a name that might help you more easily identify this integration, such as “VMware Assembler” or “Network1 Assembler”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
    • Location - enter the location of your integration, for example “cloud” or “on prem;” this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
    • DNS servers (optional) - most of the time there will not be any custom network settings and this field can be left blank; if you have a unique DNS server for your setup, enter the IP address here so that Expel can connect the assembler to the Internet.
    • Allow SSH access to the assembler - it is recommended that you leave this box unchecked, as we will be managing the assembler on your behalf; you can check it if you wish to have direct access to the assembler for some reason (i.e. to see the packages or install something yourself).
    • Type - the assembler will use DHCP by default, however you can choose to use a static IP address if you prefer. It is important to note that if you choose to use a static IP address and set it up incorrectly, we will not be able to access your network or provision the assembler. 
    • Reboot window - specify an acceptable day and window of time for Expel to apply security updates/patches to the underlying packages on your virtual machine and to reboot, as this will cause your virtual machine and assembler to temporarily go offline. Note that the reboot could happen at any time during the window specified, and that the window cannot be less than 30 minutes; most updates take 3 minutes or less but in rare cases may take much longer.
  5. Click Save.
  6. Repeat this process if you need to add additional assemblers.

Step 2: Update your Firewall Configuration

Each assembler requires two outbound connections to a port on our VPN server. These two connections are used to encrypt your information and access all necessary assets and software packages that are required by each assembler. 

Before you deploy a virtual machine, you must edit your firewall to allow these two outbound connections:

First Outbound Connection

Source: Your Assembler Virtual Machine

Destination: (

Port: 443

Second Outbound Connection

Source: Your Assembler Virtual Machine

Destination: (

Ports: 443 or 8099 (either is sufficient)


AWS Virtual Machines Only

In addition to the two required outbound connections described above, you must also create one or more temporary outbound connections for the ignition file. Because of its size, the ignition file must be stored in an S3 bucket and referenced remotely during deployment. Any temporary connections are used once, and solely for that purpose.

Source: Your Assembler Virtual Machine

Destination: Follow these instructions to find a range of S3 IP addresses for your region

Port: 443

You will be instructed to delete any temporary connection(s) at the appropriate time in the AWS deployment guide (linked in Step 4, below).

Step 3: Download the Base CoreOS Image/Artifact

If you are deploying an assembler in AWS or GCP, the CoreOS image is hosted within the infrastructure and does not need to be downloaded. Skip this section and go to Step 4.

For deploy targets such as Hyper-V, VMware, or Azure, you must supply the standard CoreOS image or artifact to boot your virtual machine. The ignition file will provide the all necessary instructions to the CoreOS image or artifact, and will be obtained during Step 4. To download the appropriate file from Fedora CoreOS:

  1. Go to the Fedora CoreOS downloads page and scroll to the Bare Metal & Virtualized section for Hyper-V and VMware, or to the Cloud Images section for Azure.
  2. Locate the correct file for your environment.
    • First, click the Download button to download the image.
    • Next, click the Verify button and follow the on-screen steps to verify your download. You will be asked to download additional files and import a Fedora GPG key as part of this process.
  3. After you have successfully verified your download through Fedora, you can deploy your virtual machine.


If you are having trouble verifying your download or need help with the checksum file, see this topic in the Fedora CoreOS Documentation. If you still need help or are unable to successfully match the `checksum` values, contact your Engagement Manager.

Step 4: Deploy Your Virtual Machine

You can now configure and deploy your chosen virtual machine and verify the connection in Workbench, which will complete the Assembler portion of your integration. Go to one of the following links for instructions:

After you have a working assembler, you will need to add your technology as a security device in Workbench to complete the integration. Additional help and direct links to these instructions can be found in each guide above.