The Expel Assembler serves as a network proxy to allow our analysts to access the security devices that live on internal networks. These may be traditional on-premises networks, or cloud-based networks that function as internal networks. 

An assembler is only needed if your security device lives on an internal, private network where a direct external connection cannot be established. If your external users are able to directly log in to the security device through the Internet, you do not need an assembler to set up your integration with Expel.

Note

This guide is meant to be informative. To get started with configuring the Assembler for your environment, go to Add a New Assembler.

How It’s Built

Supported Environments

Expel currently supports the following vendors as deployment targets for an assembler:

  • VMware (on-prem)
  • Hyper-V (on-prem)
  • AWS (cloud-based)
  • Azure (cloud-based)
  • Google Cloud Platform (cloud-based)

Development and Testing

Expel follows a modern software development process for everything that goes on the Assembler. We sign all commits for packages being installed, and also perform thorough security testing and monitoring. These activities include: 

  • Regular security and vulnerability scans
  • Internal and external risk assessments
  • Internal and external penetration tests

We use Lynis to evaluate the Assembler’s security, which produces a hardening score.

System Components

The Assembler uses the following components when running:

  • Operating System: Fedora CoreOS stable
  • Virtual Private Networking: OpenVPN
  • Proxy Configuration Manager: Envoy Configurator
  • Proxying Software: Envoy, Squid
  • SSH Access Management: Teleport
  • Logging: Fluent Bit, Rsyslog
  • Monitoring and Metrics: Datadog agent
  • Linux Containers: Podman
  • Programming Language: Python, Go
  • Repository Authentication: gCloud CLI
  • Audit Logging: Snoopy, auditd

How It Works

The Assembler is packaged as a virtual machine. You can configure more than one assembler if your networks are segmented. For a detailed look at how the Assembler interacts with your network, see the operational diagrams.

Network Connections

Each assembler requires two outbound connections to a port on our VPN server (no inbound connection is required, and all inbound SSH from your network is blocked by default). The first connection is used for the installation assets server, which enables installation of the VPN client via RPM packages. The second connection is used to install the rest of the assembler's software and to run the Assembler service itself. 

  • First outbound connection: vpnassets.prod.assemblers.expel.io (34.149.216.90) on port 443
  • Second outbound connection: servicevpn.opsv2.expel.io (34.107.163.233) on port 443 or 8099 (either is sufficient)
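Before deploying, it is worth checking that your egress policy actually permits these two connections, including the "either port is sufficient" rule for the service VPN. The script below is an added illustration, not Expel's code: it evaluates a first-match firewall rule set against the two documented requirements (hostnames, addresses and ports taken from the list above). The rule sets are constructed sample data, and the `EgressRule`/`Requirement` shapes are assumptions, not any vendor's export format.

```python
"""Check that an egress allowlist covers the assembler's two outbound connections.
Added example; not Expel's code. Rule sets below are constructed, not real policy."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Requirement:
    name: str
    host: str
    ip: str
    ports: frozenset  # reaching ANY one of these ports satisfies the requirement


# Documented outbound connections (values from the page).
REQUIREMENTS = (
    Requirement("installation assets", "vpnassets.prod.assemblers.expel.io",
                "34.149.216.90", frozenset({443})),
    Requirement("service VPN", "servicevpn.opsv2.expel.io",
                "34.107.163.233", frozenset({443, 8099})),
)


@dataclass(frozen=True)
class EgressRule:
    dst: str          # CIDR or single address (hypothetical rule shape)
    ports: frozenset  # empty set means "any port"
    action: str       # "allow" or "deny"


def first_matching_rule(rules, ip, port):
    """Firewall-style first-match: return the first rule covering (ip, port), else None."""
    addr = ip_address(ip)
    for rule in rules:
        if addr in ip_network(rule.dst, strict=False) and (not rule.ports or port in rule.ports):
            return rule
    return None


def check_egress(rules, requirements=REQUIREMENTS, default_action="deny"):
    """Map each requirement name to (satisfied, [ports the policy allows]).

    A requirement is satisfied when at least one of its ports is allowed,
    which mirrors the 'port 443 or 8099 (either is sufficient)' rule above.
    """
    results = {}
    for req in requirements:
        allowed = []
        for port in sorted(req.ports):
            rule = first_matching_rule(rules, req.ip, port)
            action = rule.action if rule else default_action
            if action == "allow":
                allowed.append(port)
        results[req.name] = (bool(allowed), allowed)
    return results


# Constructed sample policy: an earlier rule blocks 443 to the VPN host,
# a later rule allows the /24 on both ports, and the assets host is allowed on 443.
SAMPLE_RULES = (
    EgressRule("34.107.163.233/32", frozenset({443}), "deny"),
    EgressRule("34.107.163.0/24", frozenset({443, 8099}), "allow"),
    EgressRule("34.149.216.90/32", frozenset({443}), "allow"),
)

# Constructed sample policy that forgets the installation assets server entirely.
MISSING_ASSETS_RULES = (
    EgressRule("34.107.163.0/24", frozenset({8099}), "allow"),
    EgressRule("0.0.0.0/0", frozenset(), "deny"),
)

if __name__ == "__main__":
    for label, rules in (("sample", SAMPLE_RULES), ("missing-assets", MISSING_ASSETS_RULES)):
        for name, (ok, ports) in check_egress(rules).items():
            print(f"[{label}] {name}: {'OK' if ok else 'BLOCKED'} (allowed ports: {ports})")
```

The check keys on the published IP addresses because those are what a layer-3/4 policy sees; if your firewall filters on FQDN objects instead, confirm that the hostname resolves to the listed address from the assembler's network segment.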

Expel’s backend infrastructure initiates all communications with an assembler through our VPN. The only software on an assembler that can initiate a network connection to Expel is Teleport, a third-party software package that creates a secure connection via SSH and also logs all connections that are made to an assembler. Teleport connects to a central Teleport server and to our vpnpost heartbeat software, which allows us to track an assembler's connectivity. We minimize the number of connections initiated from an assembler to help prevent malware from making network connections to Expel's infrastructure.

The types of communications that take place within the VPN are dependent on your security technology, but some examples include:

  • Configuring the proxying software (Envoy) - via gRPC on port 8500
  • Proxying to security devices - via HTTPS on ports 3128, 8443, 9500, and 9501
  • Managing the configuration of the assembler - via regular SSH on port 22
  • Allowing human logins via SSH for ad-hoc needs - via Teleport on port 3022

Each assembler uses Dynamic Host Configuration Protocol (DHCP) by default, but this can be changed to a static IP address if you prefer. You may also wish to gain access to the assembler via the console of your virtualization platform, or by enabling SSH when you add the assembler. More details about these optional configurations can be found in the onboarding guide for your specific technology.

Encryption

The VPN tunnel uses Transport Layer Security (TLS) 1.2 with Advanced Encryption Standard (AES) 256 encryption. 

Credential Management

Credentials for customer devices are never stored on an assembler, which keeps them safe from theft. Instead, the Expel backend provides the virtual machine with credentials every time an assembler runs a job.

Access

Only Expel’s engineers can log into an assembler via the command line, and only for troubleshooting and onboarding support; accessing an assembler via the command line is not done as a routine part of service delivery. 

Some additional notes about access to the Assembler:

  • The account structure includes one customer account, which can be accessed from the virtualization console or (optionally) via SSH. 
  • Expel uses two-factor authentication and named accounts to allow its analysts to access an assembler.
  • All commands issued by Expel analysts on an assembler are centrally logged and then exported to a log system, and are audited through Teleport.
  • All security device access through the proxy is logged locally by the proxy software, and can be passed to your event logging infrastructure as a remote syslog upon request.
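If you take up the syslog forwarding offered above, you will want to review those proxy access records against your own inventory of security devices. The script below is an added example, not Expel's or Squid's code; it assumes the local log is in Squid's native access.log layout (time, elapsed, client, code/status, bytes, method, URL, user, hierarchy, type) and that any syslog header has already been stripped. The log lines and the device inventory are constructed sample data.

```python
"""Review proxy access records from an assembler against a device inventory.
Added example; not Expel's code. Log lines and inventory below are constructed."""
import re
from collections import Counter

# Squid native access.log layout (assumed for the assembler's local proxy log):
# time elapsed client code/status bytes method URL user hierarchy/peer type
SQUID_NATIVE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)


def destination_host(method, url):
    """CONNECT requests log host:port; other methods log a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    return m.group(1) if m else url


def parse_line(line):
    """Return the parsed fields as a dict, or None if the line is not in the expected layout."""
    m = SQUID_NATIVE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["host"] = destination_host(rec["method"], rec["url"])
    return rec


def review(lines, inventory):
    """Summarise access by destination, flag destinations outside the inventory,
    and count 4xx/5xx responses per destination (auth failures, denied tunnels)."""
    by_host, errors, unexpected, unparsed = Counter(), Counter(), [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        by_host[rec["host"]] += 1
        if rec["status"] >= 400:
            errors[rec["host"]] += 1
        if rec["host"] not in inventory:
            pair = (rec["client"], rec["host"])
            if pair not in unexpected:
                unexpected.append(pair)
    return {"by_host": by_host, "errors": errors, "unexpected": unexpected, "unparsed": unparsed}


# Constructed sample: two inventoried devices, one auth failure, one denied tunnel
# to a host that is not a security device.
SAMPLE_LOG = """\
1700000000.101    45 10.40.0.12 TCP_TUNNEL/200 51200 CONNECT siem.corp.example:8443 - HIER_DIRECT/10.40.1.20 -
1700000000.402    12 10.40.0.12 TCP_MISS/200 2048 GET https://edr-console.corp.example/api/v1/alerts - HIER_DIRECT/10.40.1.21 application/json
1700000001.007     9 10.40.0.12 TCP_MISS/401 512 GET https://edr-console.corp.example/api/v1/alerts - HIER_DIRECT/10.40.1.21 application/json
1700000002.550     3 10.40.0.12 TCP_DENIED/403 0 CONNECT updates.example.net:443 - HIER_NONE/- -
"""
INVENTORY = {"siem.corp.example", "edr-console.corp.example"}

if __name__ == "__main__":
    result = review(SAMPLE_LOG.splitlines(), INVENTORY)
    for host, n in result["by_host"].most_common():
        print(f"{host}: {n} requests, {result['errors'][host]} errors")
    for client, host in result["unexpected"]:
        print(f"not in inventory: {client} -> {host}")
```

Two patterns are worth alerting on from this summary: a destination that is not one of the devices you onboarded, and a run of 401/403 responses to a known device, which usually means a rotated credential or a changed device ACL rather than an attack, but deserves a look either way.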

Maintenance

Expel software updates are installed continuously as improvements are made, and this process generally does not require any interaction from you. A few additional notes about maintenance activities:

  • Assemblers are updated as operating system updates are released, which will then initiate a reboot during the window of time you specify during assembler creation.
  • Critical patches are performed on an as needed basis.
  • An assembler should never need to be reinstalled, unless we have a major operating system change (rare).

Operational Diagrams

These diagrams are meant to show you how the Assembler interacts with your network.

Initial Configuration

[Figure: Assembler_initial_config.png]

Normal Operations

[Figure: Assembler_normal_operations.png]