The Expel Assembler enables you to create a secure VPN connection so that we can access your security devices. We’ve packaged it as a virtual machine. If you install virtual machine images regularly, this should be pretty straightforward.

Do you need an Assembler?

The Expel Assembler is only needed if a security device you want to connect to Workbench is on an internal network to your company. If Workbench can connect directly to the security device, you don’t need an Assembler at all! Just go right to adding the security device in Workbench.

Before you get started, you need 2 things.

  1. A place to run the Expel Assembler virtual machine. We work with VMWare or Hyper V for on-prem environments and AWS or Microsoft Azure for cloud environments. The Assembler needs the following resources available:

    • 4 virtual CPUs

    • 8 GB RAM

    • 100 GB disk space

  2. Connect the Assembler virtual machine to the following network resources:

    • Our VPN servers:



      TCP 443 or TCP 8099

    • The security devices you want to connect to the Expel Assembler. Search this knowledge base for documentation on each security device.

    • Your DHCP server, unless you decide to assign a static IP to the Assembler.

    • Your DNS server.

If your network is segmented, you may need to deploy multiple Assemblers. If you have any questions about how many Assemblers to install, let us know and we’ll recommend the best approach for your environment.

Download the Assembler image


If you are deploying the assembler image in Amazon Web Services (AWS), then skip this section and go to Register the Assembler in the Expel Workbench.

  1. In Expel Workbench, click Settings in the top navigation bar.

  2. Click Assemblers in the left navigation panel.

  3. Click Download installer.

  4. Click the installer link for your virtualization technology.

  5. Note the hash of the file downloaded for error checking in Step 7.

  6. Now’s a good time to grab a cup of coffee because it’ll take a few minutes to download.

    • If the hash matches, continue to Register the Assembler in Expel Workbench.

    • If the hash doesn't match, download it again and re-check the hash.

    • If the hash still doesn’t match after the second time, something’s not right. In that case, contact your engagement manager or customer success engineer in Slack or by email, or you can email

  7. After the download completes, verify that a hash of the file downloaded matches the data shown in Expel Workbench. The table below shows how you can do this for the 3 main operating systems.


    This is an important step because it confirms that your download is complete and that no one tampered with the image.

Operating system

Hash to verify




Search for cmd, and select cmd.exe or “Command Prompt” from the results. Run these commands in the window that opens:

cd <your download folder>

certutil -hashfile expel-assembler-vmware- <version>.ova sha256

Mac OS


In Spotlight Search, search for the Terminal program and run it. In the terminal window, run this command:

shasum -a 256 ~/Downloads/expel-assembler-vmware- <version>.ova



In a terminal program, run:

sha256sum ~/Downloads/expel-assembler-vmware- <version>.ova

Register the Assembler in the Expel Workbench

  1. In Workbench, click Settings in the top navigation bar, then Assemblers on the left navigation panel. You see a box with the Assembler Name and Location fields. If not, click the Add Assembler button.

  2. Type the Assembler Name and Location for the Assembler. It’s best to select names that are meaningful to both you and to Expel so you can easily identify the Assembler in the user interface. For example: ACME HQ.

  3. Note the Install Code for the newly registered Assembler. You need this later to activate the Assembler.

  4. To add another Assembler, click the Add Assembler button and repeat these steps.

Deploy the Assembler virtual machine in your network

Click a link for instructions on deploying the Assembler virtual machine in your network:

Activate the Assembler through the virtual machine console

  1. Select the newly deployed Virtual Machine for the Assembler.

  2. Open the console of the Assembler.

  3. Log in with username expel and password expel.

  4. Set a unique and secure password for the expel account. First type the existing password (expel), then type the new password 2 more times. Securely store the new password per your organization's policies. You need it to log in to the Assembler again.

    Note: Your password must be at least 8 characters and not a word found in the dictionary.

    You are required to change your password immediately (root enforced)
    Changing password for expel.
    (current) UNIX password: expel
    New password: <enter new password>
    Retype new password: <enter new password again>
  5. Azure users only: delete the users you created during VM creation by running:

              sudo userdel temp
  6. Determine the network interface to use by running:

              sudo expelmanage --list-interfaces
  7. The Assembler uses DHCP by default. To use DHCP, skip to the next step. To use a static network configuration, run:

    sudo expelmanage --net --interface <interface name> --type static --ip  <IP address> --netmask <subnet mask> --gateway <gateway IP> --dns  <nameserver IP>

    <interface name> is determined in the previous step.


    Get the IP address, subnet mask, gateway IP, and nameserver IP to input the above command from your virtualization administrator.

  8. Activate the Assembler by supplying the 8-character install code created in Register the Assembler:

    sudo expelmanage --activate <eight-character install code>

    You see output like this:

    [expel@hostname ~]$ sudo expelmanage --activate abcd1234
    Activation code set
    Regenerating SSH keys
    [expel@hostname ~]$
  9. Run exit to log out of the console.

Authorize the Assembler in the Expel Portal

Within 30 seconds of activating the Assembler with a matching install code, the Assembler you registered at changes status from Not Yet Connected to Connected, and an Authorize button appears for the Assembler. Click the Authorize button.

Workbench now automatically configures the Assembler. This process takes about 10 minutes but can take longer if you have a slow network connection. After complete, the status changes to Active.

If any errors occur along the way, leave everything as it is and file a support case. We can often fix any issues without any further involvement from you after it's connected to our VPN.

You can now begin to turn on your security devices. Follow the instructions in the Getting connected to Expel Workbench.