
Cloud Edge Security Appliance
Installation Guide



Summary of Contents for Celestix cloud edge

  • Page 1 Cloud Edge Security Appliance Installation Guide...
  • Page 2 The information contained in this document represents the current view of Celestix Networks on the issues discussed as of the date of publication. Because Celestix Networks must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Celestix Networks, and Celestix Networks cannot guarantee the accuracy of any information presented after the date of publication.
  • Page 3: Table Of Contents

    The Next Step; Install the Appliance; Installation Notes; Rack the Appliance; Connect the Appliance to the Network; Front Panel Controls Overview; Power the Celestix Appliance; The Next Step; Configure the Appliance; General Information; Initial Access; Configure IP Address without DHCP...
  • Page 4 Setup Wizard; The Next Step; Configure Features: Web Application Proxy Setup Wizard; General Information; Setup Wizard; The Next Step; Configure Features: Work Folders Setup Wizard; General Information; Initial Configuration; Setup Wizard; The Next Step; Create a System Image; Create a Backup; Update Software; Appendix; Glossary...
  • Page 5: Introduction

    (web UI). For the E Series, it also provides simplified installation and configuration for Remote Access and supporting technologies. The Celestix E Series is a hardened and secure appliance platform that is optimized for secure Windows deployment out of the box.
  • Page 6: Guide Usage Notes

    Documentation generally refers to the appliance when discussing the E Series Appliance. Web User Interface The web UI is a management tool to access the most common Celestix product features. Initially, use it to quickly set up the server. Subsequently, use the web UI to access administrative features for both Comet and Remote Access roles.
  • Page 7: Verify Package Contents

    See the Appendix topic Web User Interface Content Overview for features included in the web UI. See the online help topic Web User Interface Overview for more information about using the web UI (Help|Web UI Overview). Verify Package Contents: use the following information to confirm the package contains the necessary appliance accessories. Table: Accessory List (by Appliance Series)...
  • Page 8: Appliance Hardware Features

    Illustration 1: Appliance Package Contents. If an item is missing from the package, contact Celestix Networks via email: support@celestix.com. Appliance Hardware Features: each of the feature lists below includes a legend to help identify components on the appliance. Page | 4...
  • Page 9: System Overview

    Illustration 2: Appliance Illustrations with Delineated Features. System Overview: the E Series Appliance simplifies the process to set up and manage access to IT resources. The diagram below provides a reference for features that are available on the appliance.
  • Page 10 Illustration 3: E Series Connectivity Features Example Deployment Topologies The diagrams that follow are intended to provide reference for IT administrators or architects. The examples provide a few scenarios for common aspects of E Series Appliance deployment, while the potential options are certainly numerous. DirectAccess Deployment with Manage-Out Access for external users with strong authentication that allows system administrators to support and manage remote clients.
  • Page 11 Illustration 4: DirectAccess Role Access for external users that includes a wide range of systems, like PCs, Macs, tablets, and smart phones. Requirements: Secure remote access for nonmanaged clients that include commonly used operating systems (Windows, Linux, OS X, Android, and iOS). Remote access to applications and data on the organization network.
  • Page 12 Illustration 5: VPN Role With Web Application Proxy Gateway. Cross-premises network connectivity for internally hosted and cloud resources. Requirement: seamless connectivity between the on-premises data center and virtual machines hosted in the public cloud.
  • Page 13 Illustration 6: VDI Role. General Setup Information: the following lists the network components most commonly required to support feature deployments. Note: details for feature configuration are discussed in the topic Resource Worksheet. Network Policy Server: the E Series Appliance serves as the RADIUS server; it must be domain joined. Network Access Server (RADIUS client): IP address; shared secret...
  • Page 14 Remote Access / DirectAccess: an Active Directory® Domain Services (AD DS) domain; at least one domain-joined DirectAccess server (E Series); a public key infrastructure (PKI) [recommended]; network location server (optional); DirectAccess clients running Windows 7 Enterprise or Ultimate, or Windows 8.x Enterprise; SSL certificate (if using SSTP); external firewall exceptions for configured ports...
  • Page 15: The Next Step

    Sync share DNS entry (recommended); SSL certificate; user group (recommended); end users: Windows 8.1/RT 8.1. Version Information: version information for appliance components is noted on the main web UI page. Click the E Series logo link from any page to access it. The Next Step: the following sections cover general setup, which includes appliance installation and configuration, then feature installation.
  • Page 16: Install The Appliance

    Install the Appliance The guide provides a system administrator with concise instructions for a base deployment. The document covers common installation requirements and is not intended to be comprehensive. Every network environment is different, and some installations may require additional configuration. Installation instructions first cover assumptions the guide takes into account for a common deployment to help administrators plan for the skills and resources they may need.
  • Page 17 information presented herein. Active Directory is used for the domain controller. The LAN is configured for DHCP. Use DHCP initially to assign an IP address to the LAN0 network adapter. Find the assigned IP address through the front panel controls. Note: If DHCP is not deployed, use the front panel controls to assign an IP address to LAN0.
  • Page 18 Primary/secondary DNS server(s). Static routes: network address; gateway address. (LAN0 is the private or internal network interface.) Configure the Appliance. WAN information (LAN1): IP address; subnet mask; default gateway. May be needed in the Quick Setup Wizard > Network Interfaces. The WAN (public network interface) adapter of the appliance is the interface assigned to external network traffic.
  • Page 19 RADIUS server information (if not using Windows authentication). PKI (if applicable): IP address; may be needed in post-configuration for DirectAccess. PKI is recommended but no longer required for DirectAccess deployment, with a few exceptions, like OTP authentication. Note: root certificate required. Web Application Proxy: ADFS FQDN. Configure Features...
  • Page 20: Rack The Appliance

    Bold items are required Rack the Appliance Celestix appliances are either 1U or 2U and should be attached to a standard 19-inch equipment rack as follows. Note: If the appliance came with slides instead of brackets, see the instructions included in the slide packaging for the rack mounting procedure.
  • Page 21: Connect The Appliance To The Network

    To connect the appliance: 1. Connect an Ethernet cable from the LAN0 network adapter on the Celestix appliance to the internal network hub or switch. 2. [Optional] For additional network connections, use the LAN1 adapter (or above) on the appliance.
  • Page 22 Illustration 8: Ethernet Connections Note: Hardware models vary and may look somewhat different from the example, but network connections will be similar. Network Interface LED indicators Each of the network adapters contains a pair of lights to help identify connection speed and usage. See below for details (listed by model number): 3400 Right light –...
  • Page 23: Front Panel Controls Overview

    The following example shows the Delete option selected by the cursor: > Delete <. Press to select options. Power the Celestix Appliance: connect power and turn on the appliance.
  • Page 24: The Next Step

    Connect Power 1. Connect the power cable from a power source (typically a UPS) to the power inlet on the rear panel. The power cable is included in the appliance packaging. 2. The display will show the System Off message: Power On/Off the Appliance Power on and boot the appliance by pressing the Jog Dial.
  • Page 25: Configure The Appliance

    Configure the Appliance After the appliance has been installed on the network, settings need to be configured. The configuration instructions describe general server and network settings, like IP address, server name, and alert email. The section General Information provides necessary information about setup. General Information The following deployment notes provide information to understand feature configuration.
  • Page 26: Initial Access

    Unified Remote Access refers to the collection of technologies that Microsoft offers to allow external clients to access internal network resources. Documentation uses the short name Remote Access. The E Series includes the Remote Access features DirectAccess, VPN, and Web Application Proxy.
  • Page 27: Access The Web User Interface

    To configure the internal network IP address Notes: Follow these instructions for deployments when DHCP is not used. Keep track of the IP address; it will be required to access the web UI. 1. Press the Jog Dial and scroll to > Configure Network <. 2.
  • Page 28: Quick Setup Wizard

    The factory default local administrator credentials are: user name: administrator; password: [Celest1x]. The password is case-sensitive and the brackets are included. The “domain\administrator” user name format may be required. This default is published (it also appears in the Resource Worksheet) and must be changed during setup. Important: a certificate warning may display because the site uses a self-signed certificate, which the browser cannot verify; perform initial setup from the internal network only, then accept the certificate to access the web UI.
  • Page 29: The Next Step

    Username – enter an account with domain administrator access to AD (domain\username). For example: example\adminuser Password – provide the account password. 5. Reboot Click Next to apply changes and reboot the appliance. Important: Domain administrator credentials (example: example\adminuser) will be required to access the web UI after the reboot.
  • Page 30: Configure Features

    Now that the appliance is up and running, use the Features configuration tool to install roles and services necessary for the deployment. Instructions cover the functionality common to most deployments for an E Series Cloud Edge Security Appliance; however, an individual organization may need different or additional configuration.
  • Page 31: Feature Details

    Feature Details The information below includes the following conventions in the Need to Knows section for each of the available features. Installs – lists roles and features that will be installed. Affected Appliance Features – notes any conditions that may affect other features available on the appliance.
  • Page 32 resources in addition to manage-out functionality for remote domain-joined computers. Remote Access includes the option to enable a VPN that can be used for nonmanaged devices. Need to Knows for important details about configuration. Need to Knows The following summary information is provided for reference. Installs Role Service: DirectAccess and VPN (RAS) Feature: RSAT –...
  • Page 33 Need to Knows The following summary information is provided for reference. Installs Role Service: Web Application Proxy Feature: RSAT – Remote Access Management Tools (GUI and Command-Line Tools, module for Windows PowerShell) Affected Appliance Features Web Application Proxy requires the Remote Access role to be installed. Web Application Proxy is deployed when ADFS is intended to reside on a separate server from the E Series;...
  • Page 34 Affected Appliance Features: RD Gateway requires NPS, which will be installed at the same time unless NPS is already installed, in which case the installation process proceeds just for RD Gateway. Required Configuration After Installation: configuration must be customized for an environment. Use the Remote Desktop Gateway link to open a session to the Remote Desktop Gateway Manager Console in the browser.
  • Page 35: Rdp Application Usage

    Important: Work Folders is supported for use with Windows 8.1/8.1 RT devices. Work Folders provides options to: Use a folder that already contains user data so Work Folders can be employed without migrating servers and data, or affecting existing share options (for example, Folder Redirection, Offline Files, and home folders).
  • Page 36: The Next Step

    To access feature configuration 1. Click a feature name link in the list. 2. If necessary, confirm the RDP application download. 3. Open the application. 4. Enter administrator credentials for the appliance when prompted. Important: When the E Series is joined to an AD domain, a valid domain administrator account is required for logon.
  • Page 37: Configure Features: Remote Access Setup Wizard

    Configure Features: Remote Access Setup Wizard The wizard provides the steps to configure DirectAccess and VPN settings for the E Series Cloud Edge Security Appliance. It covers the minimum functionality common to most deployments; however, an individual organization may need different or additional configuration.
  • Page 38 Firewall rules have been configured to allow traffic if the DirectAccess server is on an IPv4 network: Teredo (UDP 3544), 6to4 (IP protocol 41), IP-HTTPS (TCP 443). If the appliance only has one configured network adapter, TCP port 62000 must be opened on the appliance. If using a security group to manage access for clients, the group has been created in AD prior to running the setup wizard.
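Pre-flight check for the firewall items in the checklist above, as an added example (not code from the Celestix guide). It reads the appliance's Windows Firewall inbound rules and reports whether the three DirectAccess transition technologies are allowed, using their standard ports (IP-HTTPS on TCP 443, Teredo on UDP 3544, 6to4 as IP protocol 41), and adds the TCP 62000 check only when a single adapter is up. The perimeter firewall in front of the appliance needs the same exceptions; this script only sees the host firewall. The function names are this example's own.

```powershell
# Added example, not from the Celestix guide. Pre-flight check of Windows
# Firewall inbound rules on the appliance for the DirectAccess transition
# technologies. Port numbers are the standard ones: IP-HTTPS = TCP 443,
# Teredo = UDP 3544, 6to4 = IP protocol 41, plus TCP 62000 for a single-NIC
# deployment. Run in an elevated PowerShell session on the appliance; it only
# reads state and changes nothing.

function Get-DaFirewallExpectations {
    param([int]$AdapterCount)
    $expected = @(
        [pscustomobject]@{ Name = 'IP-HTTPS'; Protocol = 'TCP'; LocalPort = '443' }
        [pscustomobject]@{ Name = 'Teredo';   Protocol = 'UDP'; LocalPort = '3544' }
        [pscustomobject]@{ Name = '6to4';     Protocol = '41';  LocalPort = 'Any' }
    )
    if ($AdapterCount -eq 1) {
        # Single-NIC deployment: the guide requires TCP 62000 open on the appliance
        $expected += [pscustomobject]@{ Name = 'Single-NIC (TCP 62000)'; Protocol = 'TCP'; LocalPort = '62000' }
    }
    return $expected
}

function Test-DaFirewallRules {
    $adapters = @(Get-NetAdapter | Where-Object Status -eq 'Up')
    $expected = Get-DaFirewallExpectations -AdapterCount $adapters.Count

    # Every enabled inbound Allow rule, joined with its protocol/port filter
    $allowRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
    $filters = foreach ($rule in $allowRules) {
        $rule | Get-NetFirewallPortFilter |
            Select-Object @{ n = 'Rule'; e = { $rule.DisplayName } }, Protocol, LocalPort
    }

    foreach ($e in $expected) {
        # LocalPort is a string or string[]; a rule that allows 'Any' port also counts.
        # Port ranges such as '443-445' are not expanded here (assumption: none in use).
        $match = $filters | Where-Object {
            $_.Protocol -eq $e.Protocol -and
            ($e.LocalPort -eq 'Any' -or $_.LocalPort -eq 'Any' -or $_.LocalPort -contains $e.LocalPort)
        } | Select-Object -First 1
        [pscustomobject]@{
            Check    = $e.Name
            Expected = "$($e.Protocol)/$($e.LocalPort)"
            Status   = if ($match) { 'OK' } else { 'MISSING' }
            Rule     = if ($match) { $match.Rule } else { '' }
        }
    }
}

Test-DaFirewallRules | Format-Table -AutoSize
```

A MISSING row means the Remote Access role has not yet created its own rule for that technology (it does so during configuration) and nothing else allows it; run the check again after the setup wizard completes, and mirror the same exceptions on the external firewall.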
  • Page 39: Setup Wizard

    RADIUS – configuration for an external RADIUS server can be included to add strong authentication methods like one-time passwords (OTPs). VPN deployments using static IP addresses for clients need a defined range; otherwise, DHCP should be used. VPN deployments not using Windows authentication need settings for a RADIUS server. Example Information To help make the instructions clear, the following examples are used to identify components.
  • Page 40 i. Select the type of network environment: Edge – requires two network adapters; one to the public Internet and one to the internal network. Behind an edge device (with two network adapters) – one adapter connects to the perimeter network, and the other connects to the internal network.
  • Page 41 RRAS will assign to clients when they connect to the network. Enter the start and end IP addresses to define the range. b. Authentication i. Use Windows Authentication – use AD to authenticate users. ii. Use RADIUS Authentication – configure VPN connections to use RADIUS authentication.
  • Page 42 b. Advanced – define client parameters and assign the appliance network adapter that the DirectAccess service will use. i. Installation type – select the DirectAccess functionality to deploy: Full DirectAccess installation – bidirectional tunnels for remote client access and management. Client management only –...
  • Page 43: The Next Step

    4. Timeout – the default is usually sufficient, but the duration the appliance will wait for a response from the RADIUS server can be customized as necessary. 5. Score – the default is usually sufficient, but customize the initial responsiveness score as necessary. 6.
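The RADIUS settings the wizard exposes here (server, shared secret, port, timeout, score) and the NPS-side RADIUS client entry from the General Setup Information section map onto two cmdlet calls. The following is an added example, not code from the Celestix guide: it generates one random shared secret, registers the external RADIUS server on the appliance with the RemoteAccess module's Add-RemoteAccessRadius, and registers the appliance as a RADIUS client on the NPS host with the NPS module's New-NpsRadiusClient over PowerShell remoting. The hostname, address and client name are placeholders; confirm parameter names against Get-Help on the installed module version.

```powershell
# Added example, not from the Celestix guide. Configures RADIUS authentication
# for VPN on the appliance and the matching RADIUS client entry on the NPS
# server, sharing one randomly generated secret. Run elevated on the appliance;
# the NPS part executes on the NPS host through Invoke-Command.

$RadiusServer = 'nps01.example.local'   # assumed NPS host name
$ApplianceIp  = '10.0.0.10'             # assumed LAN0 address of the appliance
$ClientName   = 'celestix-e-series'     # assumed RADIUS client display name on NPS
$RadiusPort   = 1812                    # standard RADIUS authentication port

function New-RadiusSharedSecret {
    # 32 bytes from the OS CSPRNG, rendered as 64 hex characters. A secret this
    # long resists offline guessing of the RADIUS response authenticator.
    param([int]$Bytes = 32)
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buf) } finally { $rng.Dispose() }
    return ($buf | ForEach-Object { $_.ToString('x2') }) -join ''
}

$secret = New-RadiusSharedSecret

# Appliance side: add the server for authentication. Timeout is in seconds and
# Score is the initial responsiveness score, the same two values the wizard shows.
# MsgAuthenticator Enabled makes RRAS include the Message-Authenticator attribute,
# which integrity-protects each Access-Request with the shared secret.
Add-RemoteAccessRadius -ServerName $RadiusServer -SharedSecret $secret `
    -Purpose Authentication -Port $RadiusPort -Timeout 5 -Score 30 -MsgAuthenticator Enabled

# NPS side: register the appliance as a RADIUS client with the same secret and
# require the Message-Authenticator attribute on requests from it.
Invoke-Command -ComputerName $RadiusServer -ScriptBlock {
    param($Name, $Address, $Secret)
    New-NpsRadiusClient -Name $Name -Address $Address -SharedSecret $Secret -AuthAttributeRequired $true
} -ArgumentList $ClientName, $ApplianceIp, $secret

# Show what the appliance now has configured (the secret is not displayed)
Get-RemoteAccessRadius -Purpose Authentication |
    Format-Table ServerName, Port, Timeout, Score, MsgAuthenticator -AutoSize
```

The secret exists only in memory for the duration of the script; if it must be recorded (for example in the Resource Worksheet), store it in a password manager rather than in the worksheet itself. Selecting "Use RADIUS Authentication" in the wizard is still what switches VPN authentication from Windows to RADIUS.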
  • Page 44: Configure Features: Web Application Proxy Setup Wizard

    Proxy Setup Wizard The wizard provides the steps to configure Web Application Proxy (WAP) settings for the E Series Cloud Edge Security Appliance. It covers the minimum functionality common to most deployments; however, an individual organization may need different or additional configuration.
  • Page 45: Setup Wizard

    Internal DNS entries have been configured for Web Application Proxy to resolve hostnames for backend servers. Public DNS entries have been configured to resolve external URLs for each published application. Firewall rules have been configured to allow traffic for the following connectivity: To ADFS through port 443 To AD To published applications as required...
  • Page 46: The Next Step

    b. Username – enter the ADFS administrator account. For example: intexample\adminuser. c. Password – enter the password for the ADFS account. 2. Certificate: a. Certificate – navigate to and select the certificate that will be used for authentication. b. Passphrase – enter the certificate passphrase. The wizard is complete when the congratulations screen displays.
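Before running the Web Application Proxy wizard, the requirement checklist above (port 443 to ADFS, and reachability of each published application) can be verified from the appliance. The following is an added example, not code from the Celestix guide: for each target it opens TCP 443, completes a TLS handshake, and then checks that the certificate presented chains to a root this machine trusts and carries the expected DNS name, since WAP will refuse to proxy to an ADFS or backend whose certificate it cannot validate. The hostnames in $Targets are placeholders.

```powershell
# Added example, not from the Celestix guide. Pre-flight check for the WAP
# requirement checklist: TCP 443 reachability plus TLS certificate validation
# for ADFS and each published backend. Hostnames are placeholders (assumptions).

$Targets = @(
    @{ Name = 'ADFS';       Host = 'adfs.example.com';     Port = 443 }
    @{ Name = 'App: OWA';   Host = 'mail.internal.local';  Port = 443 }
)

function Test-TlsEndpoint {
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 5000)
    $r = [ordered]@{ Host = $HostName; Port = $Port; TcpOk = $false; TlsOk = $false
                     ChainOk = $false; NameOk = $false; Subject = ''; Issuer = ''
                     NotAfter = $null; Error = '' }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect timed out" }
        $client.EndConnect($async)
        $r.TcpOk = $true

        # Accept any certificate during the handshake so we can inspect it ourselves;
        # trust is decided below with X509Chain, not by this callback.
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($HostName)   # sends SNI = $HostName
        $r.TlsOk = $true

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Subject  = $cert.Subject
        $r.Issuer   = $cert.Issuer
        $r.NotAfter = $cert.NotAfter
        # Name check against the SAN list; wildcard names are not expanded here.
        $r.NameOk   = [bool]($cert.DnsNameList.Unicode -contains $HostName)

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $r.ChainOk = $chain.Build($cert)
        if (-not $r.ChainOk) {
            $r.Error = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
        }
        $ssl.Dispose()
    }
    catch { $r.Error = $_.Exception.Message }
    finally { $client.Dispose() }
    [pscustomobject]$r
}

foreach ($t in $Targets) {
    Test-TlsEndpoint -HostName $t.Host -Port $t.Port |
        Select-Object @{ n = 'Target'; e = { $t.Name } }, Host, TcpOk, TlsOk, ChainOk, NameOk, NotAfter, Error
} | Format-Table -AutoSize
```

A row with TcpOk false points at DNS or the firewall rules in the checklist; TlsOk true with ChainOk false means the issuing CA (for ADFS, typically an internal enterprise CA) must be added to the appliance's trusted roots before the wizard will succeed.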
  • Page 47: Configure Features: Work Folders Setup Wizard

    Configure Features: Work Folders Setup Wizard The wizard provides the steps to configure Work Folders settings for the E Series Cloud Edge Security Appliance. It covers the minimum functionality common to most deployments; however, an individual organization may need different or additional configuration.
  • Page 48: Initial Configuration

    Requirement Checklist: the following items will be required to set up the Work Folders service. Plan ahead so that items are available when needed to complete configuration. Domain controller – Windows Server 2012 or higher. Publicly signed certificate – an SSL certificate is required for Work Folders; it must be a third-party certificate from a trusted vendor.
  • Page 49: Setup Wizard

    AD Security Group Configuration Set up security groups in AD to manage Work Folder access. Configuration is described briefly and requires familiarity with AD domain administration. User Group 1. Create a dedicated Work Folders user group with these settings: Scope: Global Type: Security 2.
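The Work Folders requirement checklist and the AD security group configuration above can be carried out and verified with the AD, PKI and SyncShare cmdlets. The following is an added example, not code from the Celestix guide: it creates the Global/Security user group, checks that the SSL certificate in the machine store is publicly signed (has a private key, is not self-signed, and its chain builds to a trusted root), and creates a sync share restricted to that group with the device encryption and lock-screen policies enforced. Group name, share path, share name and DNS name are placeholders; the Boolean form of the two policy parameters is per the SyncShare module help.

```powershell
# Added example, not from the Celestix guide. Implements the Work Folders
# checklist: AD user group (Global/Security), publicly signed certificate check,
# and a sync share restricted to the group. Names below are assumptions.
# Run elevated on the appliance after the Work Folders feature is installed.

$GroupName   = 'WorkFolders-Users'         # assumed AD group name
$SharePath   = 'D:\WorkFolders'            # assumed local path for the sync share
$ShareName   = 'CorpWorkFolders'           # assumed sync share name
$SyncDnsName = 'workfolders.example.com'   # assumed public DNS name on the certificate

# 1. Dedicated user group with the scope and type the guide specifies
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Users allowed to sync Work Folders'
}

# 2. Locate the certificate for the sync DNS name and confirm it is publicly signed
function Test-PublicCertificate {
    param([string]$DnsName)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $DnsName) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for $DnsName in LocalMachine\My" }
    if ($cert.Subject -eq $cert.Issuer) {
        throw "Certificate $($cert.Thumbprint) is self-signed; Work Folders needs a third-party certificate"
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
        throw "Chain for $($cert.Thumbprint) does not build to a trusted root: $status"
    }
    return $cert
}
$cert = Test-PublicCertificate -DnsName $SyncDnsName

# 3. Sync share for the group only; require encrypted data on devices and a
#    password/auto-lock policy so synced data is not readable from a lost device.
if (-not (Test-Path $SharePath)) { New-Item -ItemType Directory -Path $SharePath | Out-Null }
if (-not (Get-SyncShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SyncShare -Name $ShareName -Path $SharePath -User "$env:USERDOMAIN\$GroupName" `
        -RequireEncryption $true -RequirePasswordAutoLock $true
}

# Summary of what is in place
[pscustomobject]@{
    Group       = $GroupName
    Certificate = "$($cert.Subject) (expires $($cert.NotAfter.ToShortDateString()))"
    SyncShare   = (Get-SyncShare -Name $ShareName).Path
}
```

Binding the certificate to the Work Folders HTTPS listener and publishing the sync share DNS entry are separate steps that the wizard and your DNS administrator handle; the certificate check above fails early if the wrong (for example self-signed) certificate was imported.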
  • Page 50: The Next Step

    The Next Step: the next step depends on the deployment. Once all features for the deployment are configured, saving a copy of the system image to preserve the initial configuration is recommended.
  • Page 51: Create A System Image

    (after a restart, before the appliance boots into the operating system). Online, or real-time, images use more disk space than offline imaging, but they don’t interrupt the services the appliance provides. The LGV instructions below require direct access to the Celestix appliance. To create an LGV. Notes: the appliance must be shut down and then started again to access the system recovery process.
  • Page 52: Create A Backup

    Note: timing when to turn the Jog Dial is more important than how long it is turned. Two full rotations should be adequate to start the recovery system process. 5. The front panel display will show Celestix Appliance Installer when the recovery process launches. Menu options will display when the recovery system has loaded.
  • Page 53: Update Software

    Once applicable updates are installed, Celestix recommends checking for Windows updates (System|Windows Updates). Thank you for choosing the Celestix E Series Cloud Edge Security Appliance for your remote connectivity solution. This completes the setup and configuration steps for base-level deployment.
  • Page 54: Appendix

    Appendix. Use the links to jump to a topic: Web User Interface Content Overview; Safety Precautions; Product Reclamation and Recycling; Glossary; Index; Resource Worksheet.
  • Page 55: Glossary

    Glossary. Active Directory: Microsoft's directory service for Windows domains. Active Directory Federation Services: the Microsoft implementation of single sign-on (SSO). AD: acronym for Active Directory. ADFS: acronym for Active Directory Federation Services. CA: acronym for certificate authority. Certificate: the credential TLS/SSL uses to authenticate a server (and optionally a client) by binding its identity to a public key, so that an encrypted session can be set up with the right party. Certificate authority: an entity that issues certificates after verifying the identity of the subject.
  • Page 56 Device Registration Service: a feature of ADFS that facilitates Workplace Join, which allows users to register unmanaged devices to be known entities to the domain. DirectAccess: a secure Remote Access connection that provides remote access to the internal network and manage-out capabilities. Directory synchronization: a Microsoft tool that synchronizes users, groups, and attributes (like distribution groups or user phone numbers) to an Office 365 instance.
  • Page 57: High Availability

    HA: acronym for high availability. High availability: a system implementation that minimizes downtime, meaning unavailability to users. Identity provider: an entity that authenticates a user to a service provider. Multifactor authentication: authentication that requires more than one independent factor (for example, a password plus a device the user possesses). Two-factor authentication using one-time passwords is a common example.
  • Page 58 Password Sync: a component of the Microsoft Directory Synchronization tool that coordinates password hashes between internal Active Directory and Office 365. RADIUS: Remote Authentication Dial-In User Service (RFC 2865) is an authentication protocol. The HOTPin system uses the Microsoft application Network Policy Server (NPS) to implement RADIUS.
  • Page 59 SSO: acronym for single sign-on. UAG trunk: a repository of published applications for user access; this term only applies to Celestix WSA environments or other UAG deployments. Virtual Private Network: a secure Remote Access connection that provides remote access to the internal network.
  • Page 60 Workplace Join: the function that allows users to register devices with the domain through DRS; devices can then access application resources based on trust.
  • Page 61: Web User Interface Content Overview

    Web User Interface Content Overview: the menu structure for the web UI is outlined below. Use it to quickly find features.
  • Page 62: Safety Precautions

    60° C. Do not disassemble, crush, puncture, short external contacts, or dispose of the battery in fire or water. Danger of explosion if the battery is incorrectly replaced. Replace only with the same or equivalent type recommended by Celestix. Dispose of used batteries according to local regulations for hazardous waste. WARNING: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE.
  • Page 63: Product Reclamation And Recycling

    August 2005 are marked with the following symbol or include it in their documentation: a crossed-out wheeled waste bin with a bar beneath. Celestix Networks provides recycling support for our equipment to comply with the WEEE Directive. For recycling information, send email to recycling@celestix.com indicating the type of Celestix Networks equipment needing to be disposed of and the country where it is currently located, or contact a Celestix Networks account representative.
  • Page 64: Index

    Index ADFS Requirement Checklist 21 Appendix reclamation/recycling 59 Resource Worksheet 64 Safety Precautions 58 web UI navigation 57 appliance hardware features 4 appliance installation 12 connect to network 17 front panel 19 network information worksheet examples 13 power on appliance 19 appliance setup 21 manual IP address 22 Backup and Restore...
  • Page 65 conventions document usage 2 Deployment Assumptions 21 Deployment Assumptions for Remote Access 33 Deployment Assumptions for WAP 40 Deployment Assumptions for Work Folders 43 DirectAccess setup 35 E Series version information 11 front panel controls 19 Jog Dial 19 Glossary 51 IP address configure manually 22 Jog Dial 19...
  • Page 66 network settings overview 12 overview 5 Power the Appliance 19 Remote Access Deployment Assumptions 33 Requirement Checklist 34 Requirement Checklist 21 Requirement Checklist for Remote Access 34 Requirement Checklist for WAP 41 Requirement Checklist for Work Folders 44 setup Remote Access with VPN 35 WAP 41 Work Folders 45 Setup Wizard for Remote Access with VPN 35...
  • Page 67 version information 11 VPN setup 35 Deployment Assumptions 40 Requirement Checklist 41 setup 41 web UI 2 access 23 navigation 57 web UI login 23 Work Folders Deployment Assumptions 43 Requirement Checklist 44 Work Folders setup 45
  • Page 68: Resource Worksheet

    Resource Worksheet. Table: Worksheet Form (columns: Property, Detail, Your Information). Computer name. Administrator password: [Celest1x] (default; to be changed during setup). Workgroup or domain name. LAN information (LAN0), the private or internal network interface: IP address; subnet mask; default gateway; primary/secondary DNS server(s); static routes: network address, gateway address...
  • Page 69 DirectAccess/VPN. DA server: static IP address(es); public address for client connections; GPOs (if using customized policies); NLS certificate (if using external server); infrastructure server(s). DA client: public address; subnet mask; default gateway. VPN server: client IP address pool (if not using DHCP); RADIUS server information (if not using Windows authentication); PKI (if applicable).
  • Page 70 AD DS: IP address; subnet mask; default gateway. RD Session Host (domain joined): IP address; hostname. RD Connection Broker (domain joined): IP address; hostname. Remote Desktop Virtualization Host server (optional): IP address; hostname. Firewall rules. Work Folders: sync share name; SSL certificate; AD security group for user accounts; sync share DNS entry (recommended).
