CelestixEdge E Series Appliance
Installation Guide

Summary of Contents for Celestix CelestixEdge E Series

  • Page 1 CelestixEdge E Series Appliance Installation Guide...
  • Page 2 The information contained in this document represents the current view of Celestix Networks on the issues discussed as of the date of publication. Because Celestix Networks must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Celestix Networks, and Celestix Networks cannot guarantee the accuracy of any information presented after the date of publication.
  • Page 3: Table Of Contents

    The Next Step Install the Appliance Installation Notes Rack the Appliance Connect the Appliance to the Network Front Panel Controls Overview Power the Celestix Appliance Initial Access The Next Step Appliance Setup General Information Access the Web User Interface Quick Setup Wizard...
  • Page 4 Configure Features: Web Application Proxy Setup Wizard General Information Setup Wizard The Next Step Configure Features: Work Folders Setup Wizard General Information Initial Configuration Setup Wizard The Next Step Create a System Image Create a Backup Update Software Appendix Glossary Web User Interface Content Overview Safety Precautions Product Reclamation and Recycling...
  • Page 5: Introduction

    For the E Series, it also provides simplified installation and configuration for Remote Access and supporting technologies. The Celestix E Series is a hardened and secure appliance platform that is optimized for secure Windows deployment out of the box.
  • Page 6: Guide Usage Notes

    Documentation generally refers to the appliance when discussing the E Series Appliance. Web User Interface The web UI is a management tool to access the most common Celestix product features. Initially, use it to quickly set up the server. Subsequently, use the web UI to access administrative features for both Comet and Remote Access roles.
  • Page 7: Verify Package Contents

    See the Appendix topic Web User Interface Content Overview  for features included in the web UI. See the online help topic Web User Interface Overview for more information about using the web UI (Help|Web UI Overview). Verify Package Contents Use the following information to confirm the package contains the necessary appliance accessories. Appliance Series Accessory List Table: Accessory List Appliance Series...
  • Page 8: Appliance Hardware Features

    Note: Fasteners to attach brackets or slides to the appliance are provided. Fasteners to bolt the appliance to the rack are not supplied. If an item is missing from the package, contact Celestix Networks via email: support@celestix.com Appliance Hardware Features Each of the feature lists below includes a legend to help identify components on the appliance.
  • Page 9 E Series Installation Guide...
  • Page 10: System Overview

    Illustration 2: Appliance Illustrations with Delineated Features System Overview The CelestixEdge appliance simplifies the process to set up and manage access to IT resources. The diagram below provides a reference for features that are available on the appliance. Illustration 3: E Series Connectivity Features
  • Page 11 Example Deployment Topologies The diagrams that follow are intended to provide reference for IT administrators or architects. The examples provide a few scenarios for common aspects of CelestixEdge appliance deployment, while the potential options are certainly numerous. DirectAccess Deployment with Manage-Out Access for external users with strong authentication that allows system administrators to support and manage remote clients.
  • Page 12 Secure remote access for nonmanaged clients that include commonly used operating systems (Windows, Linux, OS X, Android, and iOS). Remote access to applications and data on the organization network. Web-based applications need users to be pre-authenticated at the edge. Applications individually provisioned based on user roles. Illustration 5: VPN Role With Web Application Proxy Gateway Cross-premises network connectivity for internally hosted and cloud resources.
  • Page 13 Illustration 6: VDI Role General Setup Information The following lists network components that most commonly require configuration to support feature deployments. Note: Some items are optional. Details for feature configuration are discussed in the topic Resource Worksheet. Network Policy Server CelestixEdge appliance serves as the RADIUS server;...
  • Page 14 Remote Access DirectAccess An Active Directory® Domain Services (AD DS) domain At least one domain-joined DirectAccess server (E Series) A public key infrastructure (PKI) [recommended] Network location server (optional) DirectAccess clients running Windows 7 Enterprise or Ultimate, or Windows 8.x Enterprise SSL certificate (if using SSTP) External firewall exceptions for configured ports...
  • Page 15: The Next Step

    SSL certificate User group (recommended) End users: Windows 8.1/RT 8.1 Version Information Version information for appliance components is noted on the main web UI page. Click the E Series logo link from any page to access: The Next Step The following sections cover general setup, which includes appliance installation and configuration, then feature installation.
  • Page 16: Install The Appliance

    Install the Appliance The guide provides a system administrator with concise instructions for a base deployment. The document covers common installation requirements and is not intended to be comprehensive. Every network environment is different, and some installations may require additional configuration. Installation instructions first cover assumptions the guide takes into account for a common deployment to help administrators plan for the skills and resources they may need.
  • Page 17: Front Panel Controls

    information presented herein. Active Directory is used for the domain controller. The LAN is configured for DHCP. Use DHCP initially to assign an IP address to the LAN0 network adapter. Find the assigned IP address through the front panel controls. Note: If DHCP is not deployed, use the front panel controls to assign an IP address to LAN0.
  • Page 18 Setup Wizard Network Interfaces Public or external network Subnet mask > interface Default gateway The WAN (public network interface) adapter of the appliance is the interface assigned to external network Primary/secondary DNS server(s) traffic. This configures how the WAN, or public interface, connects to the Internet.
  • Page 19 Network Policy Server Network Access Server (RADIUS Client) May be needed in post-configuration for NPS or Remote Desktop Gateway. IP Address Setting up RADIUS authentication requires designating Shared secret the NPS clients that will forward access requests, the criteria that will serve as the policy to grant access, and Network policy criteria the protocols that will be used for authentication.
  • Page 20: Rack The Appliance

    IP address This information would be used to extend functionality. Hostname Bold items are required Rack the Appliance Celestix appliances are either 1U or 2U and should be attached to a standard 19-inch equipment rack as follows.
  • Page 21: Connect The Appliance To The Network

    To connect the appliance 1. Connect an Ethernet cable from the LAN0 network adapter on the Celestix appliance to the internal network hub or switch. 2. [Optional] For additional network connections, use the LAN1 adapter (or above) on the appliance.
  • Page 22 The diagram below provides a reference. Illustration 8: Ethernet Connections Note: Hardware models vary and may look somewhat different from the example, but network connections will be similar. Network Interface LED indicators When the appliance is powered on, each of the network adapters displays a pair of lights to help identify connection speed and usage.
  • Page 23: Front Panel Controls Overview

    The angle brackets cursor > < allows editing after a selection when the front panel display is in configuration mode. The following example shows the Delete option selected by the cursor: > Delete < Press to select options. Power the Celestix Appliance Connect power and turn on the appliance.
  • Page 24: Initial Access

    Connect Power 1. Connect the included power cable from a power source, typically a UPS, to the power inlet on the rear panel. 2. The display will show the System Off message: Power On/Off the Appliance Power on and boot the appliance by pressing the Jog Dial. While it is possible to power off the appliance by pressing the Jog Dial for 5 seconds, it is far better to use the Shutdown option from the front panel display menu to power off the appliance gracefully.
  • Page 25: The Next Step

    1. Press the Jog Dial and scroll to > Configure Network <. 2. Press the Jog Dial again to select. 3. If necessary, press the Jog Dial and scroll to and select LAN. The display should show [ LAN0 ]. 4.
  • Page 26: Appliance Setup

    Appliance Setup After the appliance has been installed on the network, settings need to be configured. General setup uses a wizard to step through configuration in the web UI. Instructions cover the minimum functionality common to most deployments; however, an individual organization may need different or additional configuration.
  • Page 27: Access The Web User Interface

    The LAN is configured for DHCP. Use DHCP initially to assign an IP address to the LAN0 network adapter. Find the assigned IP address through the front panel controls. Note: If DHCP is not deployed, use the front panel controls to assign an IP address to LAN0.
  • Page 28: Quick Setup Wizard

    The factory default local administrator credentials are: User name: administrator Password: [Celest1x] The password is case-sensitive and the brackets are included. The “domain\administrator” user name format may be required. Important: A certificate warning may display because the site uses a self-signed certificate. Accept the certificate to access the web UI.
  • Page 29 For example: example\adminuser Password – provide the account password. 5. Reboot Click Next to apply changes and reboot the appliance. Note: Domain administrator credentials (example: example\adminuser) will be required to access the web UI after the reboot. 6. Alerts Email – optional; general appliance notifications can be sent to designated recipients through a connection to a network SMTP server.
  • Page 30: The Next Step

    The Next Step This completes the initial setup. Now it's time to install features.
  • Page 31: Configure Features: Installation

    Now that the appliance is up and running, use the Features configuration tool to install roles and services necessary for the deployment. Instructions cover the functionality common to most deployments for a CelestixEdge E Series Appliance; however, an individual organization may need different or additional configuration.
  • Page 32: Feature Details

    Feature Management Tools Once installed, some of the features include links that launch RDP applications to management consoles (MMCs). These links serve two purposes: Some features require additional configuration that can only be accomplished through the MMC. The links provide convenient access to advanced management functions. Some features do not contain an RDP link, usually because no additional configuration is required.
  • Page 33 Required Configuration After Installation – notes any configuration that will be necessary once the feature is installed. Network Policy Server (NPS) NPS provides basic RADIUS authentication, authorization, and accounting, or RADIUS proxy (connection request referral). Need to Knows The following summary information is provided for reference. Installs Role Service: Network Policy Server Feature: RSAT - Network Policy and Access Service Tools...
  • Page 34 Windows PowerShell) Feature: Group Policy Management Feature: RAS Connection Manager Administration Kit (CMAK) Affected Appliance Features Deployments with nonmanaged remote devices will require the VPN option to be enabled. Cannot be colocated with Web Application Proxy Required Configuration After Installation Configuration must be customized for an environment;...
  • Page 35 Affected Appliance Features Web Application Proxy requires the Remote Access role to be installed. Web Application Proxy is deployed when AD FS is intended to reside on a separate server from the E Series; information for that server will be used in Web Application Proxy configuration. DirectAccess cannot be colocated.
  • Page 36 Remote Desktop Web Access RD Web Access (RD Web Access) provides streaming access to hosted applications. Windows 7 uses RemoteApp to start an RD Services session. Other devices can use a web browser to access them through Desktop Connection. RD Web Access also lets users access computers with Remote Desktop enabled through RD Web Connection.
  • Page 37: The Next Step

    Installs Role Services: File Server, File Server Resource Manager, Work Folders Feature: RSAT – File Server Resource Manager Tools Affected Appliance Features None Required Configuration After Installation Configuration must be customized for an environment: 1. Click the Wizard button to run the Work Folders configuration tool. 2.
  • Page 38: Configure Features: Remote Access Setup Wizard

    Configure Features: Remote Access Setup Wizard The wizard provides the steps to configure DirectAccess and VPN settings for the CelestixEdge E Series Appliance. It covers the minimum functionality common to most deployments; however, an individual organization may need different or additional configuration. Remote Access setup requires configuration in the E Series Appliance web UI.
  • Page 39 If the appliance only has one configured network adapter, TCP port 62000 must be opened on the appliance. If using a security group to manage access for clients, the group has been created in AD prior to running the setup wizard. If customized GPOs will manage settings for clients and servers, they have been created prior to running the setup wizard.
  • Page 40: Setup Wizard

    VPN deployments using static IP addresses for clients need a defined range; otherwise, DHCP should be used. VPN deployments not using Windows authentication need settings for a RADIUS server. Example Information To help make the instructions clear, the following examples are used to identify components. Internal Domain CelestixEdge Appliance Public Domain...
  • Page 41 Behind an edge device (with two network adapters) – one adapter connects to the perimeter network, and the other connects to the internal network. Behind an edge device (with one network adapter) – the adapter connects to the internal network. ii.
  • Page 42 i. Connection Name – create a name for the network connection that end users will recognize. ii. Support Email – enter the email account that will receive diagnostic reports created by the DirectAccess Diagnostics tool. Note: This option allows local name resolution when the server name does not exist in intranet DNS or if the DNS servers are unreachable.
  • Page 43 RRAS will assign to clients when they connect to the network. Enter the start and end IP addresses to define the range. b. Authentication i. Use Windows Authentication – use AD to authenticate users. ii. Use RADIUS Authentication – configure VPN connections to use RADIUS authentication.
  • Page 44 b. Advanced – define client parameters and assign the appliance network adapter that DirectAccess service will use. i. Installation type – select the DirectAccess functionality to deploy: Full DirectAccess installation – bidirectional tunnels for remote client access and management. Client management only –...
  • Page 45 security groups to connect through DirectAccess. Important: Remote Access will create a WMI filter that will only allow mobile computers to join DirectAccess security groups. This setting requires that the administrator account configured for Remote Access have create/modify privileges. v. Enable Windows 7 Client Support – select for environments that require support for Windows 7 clients.
  • Page 46: The Next Step

    1. Radius Server – designate the server name or IP address. 2. Shared Secret – create a secret to authenticate communication between the appliance and RADIUS server. 3. Confirm – confirm the shared secret. 4. Timeout – the default is usually sufficient, but the duration the appliance will try to connect to the RADIUS server can be customized as necessary.
  • Page 47: Configure Features: Web Application Proxy Setup Wizard

    Configure Features: Web Application Proxy Setup Wizard The wizard provides the steps to configure Web Application Proxy (WAP) settings for the CelestixEdge E Series Appliance. It covers the minimum functionality common to most deployments; however, an individual organization may need different or additional configuration. Resources for Web Application Proxy setup are as follows: Required: E Series appliance web UI Conditional: SSO Portal deployment requires additional DNS records and firewall rules...
  • Page 48: Setup Wizard

    To published applications as required Requirement Checklist The following items will be required to set up the proxy. Plan ahead so that items are available when needed to complete configuration. AD FS – must be deployed on a separate server. AD FS administrator account –...
  • Page 49: The Next Step

    address end users will need to access those applications. Note: Entering the address creates the portal. 2. Certificate a. Click the Import button. b. Complete the following: i. Certificate – navigate to and select the certificate that will be used for authentication.
  • Page 50: Configure Features: Work Folders Setup Wizard

    Configure Features: Work Folders Setup Wizard The wizard provides the steps to configure Work Folders settings for the CelestixEdge E Series Appliance. It covers the minimum functionality common to most deployments; however, an individual organization may need different or additional configuration.
  • Page 51: Initial Configuration

    Domain controller – Windows Server 2012 or higher. Publicly signed certificate – an SSL certificate is required for Work Folders; it must be a third- party certificate from a trusted vendor. Additional requirements: The certificate subject needs to be the same as the Work Folders public URL (format: workfolders.<domain_name>) Certificate subject alternative names (SANs) must list the server name for each sync server in use.
  • Page 52: Setup Wizard

    User Group 1. Create a dedicated Work Folders user group with these settings: Scope: Global Type: Security 2. Add user accounts to the group. Setup Wizard The setup wizard is a walk-through to assign a certificate to encrypt remote access to work files. Access the screen through the web UI at CelestixEdge|Features|Work Folders|Wizard.
  • Page 53: The Next Step

    Maintenance screen. Closing the application logs off the RDP session to the appliance and is recommended to release management resources. Note: If the File menu is not visible, use the quick close button. The base level setup that allows external access to work files is now complete. Supported clients can now be configured to access sync services.
  • Page 54: Create A System Image

    (offline). Online, or real-time images use more disk space than offline imaging, but they don’t interrupt the services the appliance provides. The LGV instructions below require direct access to the Celestix appliance. To create an LGV...
  • Page 55 5. The front panel display will show Celestix Appliance Installer when the recovery process launches. Menu options will display when the recovery system has loaded. 6. Turn the Jog Dial to scroll to the option Create Last Good Version << and press to select.
  • Page 56: Create A Backup

    Create a Backup Once configuration is complete, creating a backup will provide another option to help remediate issues that may result from future system updates or changes. Celestix recommends running the Windows backup utility (System|Backup). Now that the configuration steps, system image creation and backup are complete, check for software updates.
  • Page 57: Update Software

    Once applicable updates are installed, Celestix recommends checking for Windows updates (System|Windows Updates). Thank you for choosing the CelestixEdge E Series Appliance for your remote connectivity solution. This completes the setup and configuration steps for base-level deployment. Email questions to support@celestix.com...
  • Page 58: Appendix

    Appendix Use the links to jump to a topic: Web User Interface Content Overview  Safety Precautions Product Reclamation and Recycling Glossary Index Resource Worksheet
  • Page 59: Glossary

    Glossary Active Directory Microsoft's directory service for Windows domains. Active Directory Federation Services The Microsoft implementation of single sign-on (SSO). Acronym for Active Directory ADFS Acronym for Active Directory Federation Services Acronym for certificate authority Certificate The tool that TLS/SSL uses to encrypt communication. Certificate authority An entity that issues certificates to encrypt digital communication.
  • Page 60 Device Registration Service A feature of ADFS that facilitates Workplace Join, which allows users to register unmanaged devices to be known entities to the domain. DirectAccess A secure Remote Access connection that provides remote access to the internal network and manage-out capabilities. Directory synchronization A Microsoft tool that synchronizes users, groups, and attributes (like distribution groups or user phone numbers) to an Office365 instance.
  • Page 61 Acronym for high availability High availability A system implementation that minimizes downtime, meaning unavailability to users. Identity provider An entity that authenticates a user to a service provider. Multifactor authentication Employs additional forms of user data for authentication. Two-factor authentication using one-time passwords is a common example.
  • Page 62 Password Sync A component of the Microsoft Directory Synchronization tool that coordinates password hashes between internal Active Directory and Office365. portal page The portal page consolidates external access to published applications. RADIUS Remote Access Dial In User Service (RADIUS) is an authentication protocol (RFC 2865).
  • Page 63 Acronym for single sign-on UAG trunk A repository of published applications for user access; this term only applies to Celestix WSA environments or other UAG deployments. Virtual Private Network A secure Remote Access connection that provides remote access to the internal network.
  • Page 64 Windows Internal Database A version of SQL Server Express that is automatically included with Windows Server. It is the default data store option for ADFS. Workplace Join The function that allows users to register devices with the domain through DRS; devices can then access application resources based on trust.
  • Page 65: Web User Interface Content Overview

    Web User Interface Content Overview The menu structure for the web UI is outlined below. Use it to quickly find features.
  • Page 66: Safety Precautions

    60° C. Do not disassemble, crush, puncture, short external contact, or dispose of battery in fire or water. Danger of explosion if battery is incorrectly replaced. Replace only with the same or equivalent type recommended by Celestix. Dispose of used batteries according to local regulations for hazardous waste. WARNING: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE.
  • Page 67: Product Reclamation And Recycling

    August 2005 are marked with the following symbol or include it in their documentation: a crossed-out wheeled waste bin with a bar beneath. Celestix Networks provides recycling support for our equipment to comply with the WEEE Directive. For recycling information, send email to recycling@celestix.com indicating the type of Celestix Networks equipment needing to be disposed of and the country where it is currently located, or contact a Celestix Networks account representative.
  • Page 68: Index

    Index ADFS Requirement Checklist 23 Appendix reclamation/recycling 63 Resource Worksheet 68 Safety Precautions 62 web UI navigation 61 appliance hardware features 4 appliance installation 12 connect to network 17 front panel 19 network information worksheet examples 13 power on appliance 19 appliance setup 22 Backup and Restore system image 50...
  • Page 69 Deployment Assumptions 22 Deployment Assumptions for Remote Access 34 Deployment Assumptions for WAP 43 Deployment Assumptions for Work Folders 46 DirectAccess setup 36 E Series version information 11 front panel controls 19 Jog Dial 19 Glossary 55 Jog Dial 19 Last Good Version 50 network adapter indicators 18 login...
  • Page 70 Remote Access Deployment Assumptions 34 Requirement Checklist 35 Requirement Checklist 23 Requirement Checklist for Remote Access 35 Requirement Checklist for WAP 44 Requirement Checklist for Work Folders 46 setup Remote Access with VPN 36 WAP 44 Work Folders 48 Setup Wizard for Remote Access with VPN 36 Setup Wizard for WAP 44 Setup Wizard for Work Folders 48 Software...
  • Page 71 Requirement Checklist 44 setup 44 web UI 2 access 23 navigation 61 web UI login 23 Work Folders Deployment Assumptions 46 Requirement Checklist 46 Work Folders setup 48
  • Page 72: Resource Worksheet

    Resource Worksheet Table: Worksheet Form Example Property Detail Your Information Computer name Administrator password [Celest1x] (default; to be changed during setup) Workgroup or domain name LAN information (LAN0) IP address Private or internal network Subnet mask interface Default gateway Primary/secondary DNS server(s) Static routes: Network address Gateway address...
  • Page 73 Public address Subnet mask Default gateway VPN server Client IP address pool (if not using DHCP) RADIUS server information (if not using Windows authentication) PKI (if applicable) IP address Web Application Proxy AD FS FQDN SSL certificate SSO Portal Firewall rules for HTTPS and SSH communication Application requirements: Certificate...
  • Page 74 AD DS IP address Subnet mask Default gateway RD Session Host (domain joined) IP address Hostname RD Connection Broker (domain joined) IP address Hostname Remote Desktop Virtualization Host server (optional) IP address Hostname Firewall rules Work Folders Sync share name SSL certificate AD security group for user accounts Sync share DNS entry (recommended)
