Allow customer to point CE (customer edge) to their own trusted library repository for install/upgrades or a single trusted F5 repo instead of requiring egress to multiple 3rd party domains

Install for the CE portion of a RE/CE setup requires the CE location to be able to egress to 3rd party domains listed here https://docs.cloud.f5.com/docs/reference/network-cloud-ref#allowed-domains to download necessary libraries. From a security perspective this is a concern because we cannot easily trust the libraries at these sources. We'd prefer one of two options.

Option one would be to allow the customer to point the CE to their trusted repository, such as a hosted Artifactory, where they have already downloaded, scanned, and made available the necessary libraries.

Option two would be to provide a single container file like an EAR or ZIP that includes all the necessary libraries for the install or upgrade, that the customer can download to their quarantined zone, scan, and then proceed with the update or install. With the second option, if the download comes from an F5 site then the customer is more likely to trust that the libraries and all related files have already been vetted by F5 and thus do not require re-scan.

Another variation on option two would be for the install or upgrade egress to only pull files from a single F5 domain, basically a trusted F5 library repository, where F5 has already populated the repository with scanned/vetted libraries; this way the customer need only open egress to a single trusted domain. In that scenario, F5 would simply need to maintain the repository to ensure it always has the necessary libraries the latest CE versions would need access to during install/upgrade.

  • Guest
  • Mar 20 2024