Trademarks: ShoreTel, ShoreCare, ShoreWare and ControlPoint are registered trademarks of ShoreTel, Inc. in the United States and/or other countries. The ShoreTel logo and ShoreTel IP Phone are trademarks of ShoreTel, Inc. in the United States and/or other countries. All other copyrights and trademarks herein are the property of their respective owners.
Licensing .... 23
3.1.1 Viewing Preconfigured Licenses .... 23
3.1.2 Ordering Additional Licenses .... 24
3.1.3 Installing a License on a ShoreTel VPN Concentrator .... 25
Chapter 4 Configuring the VPN Concentrator .... 27
4.1.1 Configuring the Out of Band Management Port (VPN Concentrator 5300LF/5300LF2 Only) ....
Contents
4.1.10 Viewing and Terminating Active Stunnel Session(s) .... 49
4.1.11 Enabling Remote System Logging .... 50
Configuring VPN Parameters on IP Phones .... 51
4.2.1 Configuring VPN Settings on IP Phones via config files .... 52
4.2.2 Configuring VPN Settings Manually on the IP Phone .... 52
4.2.3 Summary of the Recommended Phone Configuration and Deployment Procedure ....
IT staff to implement a very secure and flexible remote work policy. Remote users simply connect a ShoreTel IP phone to a broadband router and with minimal configuration, establish a secure tunnel to the ShoreTel VPN Concentrator. Once connected, their phone acts as though it was located in the office.
• AC power cord
• MAC Address and Serial Number (affixed to the “belly” of the device)
• AC power adapter, with attached power cord (4500 and 4550 models only)
Note: If you have ordered additional licenses for the VPN, contact your reseller.
Hardware Features
1.4.1 VPN Concentrator 4500 and 4550
The front and back panels of the VPN Concentrator models 4500 and 4550 are the same. For the purposes of this guide, the VPN Concentrator 4550 is used as an example.
1.4.1.1...
1 through 3 can be used as a tag-based or port-based VLAN.
USB Ports – Not used.
Ethernet WAN Port – This port is used to connect the 4500/4550 to an upstream router. Note: This port requires an IP Address. If you do not know the IP Address assigned to the WAN Interface, contact your system administrator.
Chapter 1 Hardware Features
1.4.2 VPN Concentrator 5300LF and 5300LF2
The front panel and back panel components differ for the VPN Concentrator 5300LF and 5300LF2 models as defined here.
1.4.2.1 VPN Concentrator 5300LF
Figure 1-3 Front Panel (5300LF)
Component Description
Erase •...
Component Description
Reset – Used to do a hard reset of the system.
Console – DB9 serial (RS232) port (male connector) for CLI-based configuration. The serial port uses a baud rate of 9600, 8 data bits, 1 stop bit and no parity.
1.4.2.2 VPN Concentrator 5300LF2
Figure 1-5 Front Panel (5300LF2)
Component Description
Erase
• If pressed twice in quick succession, the CLI password will be changed to its default password.
• If pressed three times in quick succession, the 5300 will revert to factory default settings.
WAN port to a firewall or an upstream router.
• If the unit will be mounted on the wall (4500 and 4550):
— 1 flat or Phillips screwdriver
— 2 round or flat head wood screws, Phillips or slotted, 1 ½ inch long. Refer to Figure 1-7.
2. Place the unit on a flat, dry surface such as a desktop, shelf or tray.
1.5.3 Wall-Mount Installation (4500 and 4550)
You can mount the unit on a wall using the two built-in hang holes on the bottom of the appliance.
Physical Installation
Figure 1-8 Distance between hang holes on the 4500/4550
2. Remove the unit and accessories from the shipping container.
3. Mount the unit on the wall as shown below.
Figure 1-9 Mounting position
WARNING: Do not mount the unit on the wall as shown below:
Figure 1-10 Improper Mounting Position
1.5.4...
Figure 1-11 Attaching the Ear Mounts
1.5.5 Connecting the VPN Concentrator to an AC outlet
1. Plug the power cord attached to the Power Adaptor into the AC Power Connector on the back of the device.
2.
1. If you are connecting to the 4500/4550 for the first time:
a. Connect one end of an Ethernet cable to local LAN port 4 of the 4500/4550. Connect the other end of the cable to your computer’s Ethernet port.
Accessing the Web Configuration GUI
Note: The default user name and password for the device are “root” and “default”. If this user name and password do not allow you to access the device, they may have been changed. Obtain the user name and password from your system administrator.
3. Launch a web browser on the PC and enter the following URL: http://192.168.1.1.
If you are connecting to the 5300LF/LF2 after initial configuration, complete the following steps:
1. Confirm with the system administrator whether the Management Interface has been enabled. If the Management Interface is enabled, you must connect to LAN port 3.
Figure 1-15 System Page for the 5300LF2
Setting the IP Address for the VPN Concentrator
The device is pre-configured with an assigned LAN IP address of 192.168.1.1 (http://192.168.1.1). To set the LAN IP address, obtain a static LAN IP address from your system administrator. The VPN Concentrator must be on the same LAN subnet as the other devices on the network with which it will connect.
Figure 1-16 Network Page
2. Under WAN Interface Settings:
a. Select Static IP.
b. Set the IP Address to an IP address that is within the subnet of the DMZ for your firewall.
9. Connect the device to the WAN by completing one of the following steps:
— If you are connecting the 4500/4550 to the WAN, connect one end of an Ethernet cable to the 4500/4550 WAN port, and connect the other end to the Ethernet port of an appropriate device based on your deployment scenario.
Deploying the VPN Concentrator Behind a Firewall
Figure 1-17 Deploying the VPN Concentrator behind an Enterprise Firewall...
Figure 2-1 Remote phones connectivity to Headquarters through secure SSL VPN tunnels A maximum of 10 simultaneous SSL VPN tunnels can be licensed on the 4500/4550. A maximum of 100 simultaneous SSL VPN tunnels can be licensed on the 5300LF/5300LF2.
Redundant VPN Concentrators
You can deploy VPN Concentrators for the purposes of redundancy and load balancing.
Note: Separately apply each license to enable VPN tunnels. Licenses cannot be reused.
You can configure a remote IP phone to be aware of up to three VPN Concentrators by setting the #VPNGateway parameter to the IP address of each VPN Concentrator in the IP Phone’...
Other Features
• Session Timeout – An optional global timeout value for SSL VPN sessions can be configured by the administrator. Any SSL VPN session will be terminated if it has been active for the duration of the timeout value.
•...
3.1.1 Viewing Preconfigured Licenses The VPN is shipped with preconfigured licenses. The 4500/4550 is shipped with up to five licenses, and the 5300LF/5300LF2 is shipped with up to 10, depending on the original order. If additional licenses are ordered with the original purchase, a license key document is shipped with the product or sent to the partner or reseller.
You can install licenses for up to 10 tunnels on ShoreTel VPN 4500/4550 Concentrators and 100 tunnels on ShoreTel VPN 5300LF/5300LF2 Concentrators. Order additional licenses from your ShoreTel reseller or partner. To order a license key for a unit, you must...
24 hours of a valid request.
3.1.3 Installing a License on a ShoreTel VPN Concentrator
This section describes how to install a license on a ShoreTel VPN Concentrator.
Requirement
• Valid license for the target VPN Concentrator, contained in a license key document.
Chapter 4 Configuring the VPN Concentrator
To configure the VPN Concentrator 4500/4550 and 5300LF/5300LF2, complete the following steps:
Step 1 Install a License on the ShoreTel VPN Concentrator. See Chapter 3 on page
Step 2 Set the IP Address. See...
Figure 4-1 Management Interface Page
Figure 4-2 Management Interface Page
Parameter Description
Enable Management Interface – Enable the management interface checkbox to allow access through the management port. When enabled, connections to ONLY management protocols such as HTTP, SSH, SNMP, TELNET will be allowed on the management port.
Since the 4500/4550 has four LAN ports and the 5300LF/5300LF2 has one LAN port, the VPN Configuration pages vary slightly. The VPN Configuration page for the 4500/4550 provides additional options for associating VLANs with LAN ports and for tagging data that moves between the ports.
Assigning LAN Ports to VLANs (4500/4550 only) On the VPN Concentrator model 4500/4550, you can assign LAN ports as members of a VLAN using the VLAN Membership page. If a port is a member of a VLAN, it will accept both tagged and untagged traffic of that VLAN.
You can configure per-port VLAN settings on the VLAN Port Configuration page for the VPN Concentrator 4500/4550. These settings include the packet type accepted on the port and the port's PVID (Port VLAN ID). To access the VLAN Port Configuration page, choose Network VLAN Configuration from the Configuration Menu.
Parameter Description
Packet Type – Specify the packet type as Tagged Only or Untagged Only from the drop-down menu. If Tagged Only is selected, only tagged traffic will be accepted on the associated LAN port. By default, only untagged packet types are accepted on a port.
4.1.3.1 Adding a Static Route
To add a static route, enter the following information:
Parameter Description
IP Network – Enter the remote network address or host.
Network mask – Enter the subnet mask for the subnet. When defining a host route, the netmask should be 255.255.255.255.
Figure 4-9 Set Link Page...
Speed or Duplex Mismatch. If Ethernet interface speed or duplex mismatches result when the Link Rate is configured for Autonegotiate, ShoreTel recommends manual configuration of the Ethernet speed and duplex on both the VPN concentrator and the Ethernet switch.
If the WAN Upstream Bandwidth is less than 256 Kbit/s, the MTU size is automatically reduced to 800 bytes. This only applies if the WAN interface has an IPv4 address assigned. This option is not available on the 4500/4550 platforms.
4.1.5 Configuring Stunnel
You can configure Stunnel VPN to provide secure VoIP services.
The Stunnel Configuration page is divided into three sections:
• Stunnel Configuration
• Configuring LDAP Settings for Stunnel
• Configuring a Stunnel IP Address Pool
4.1.5.1 Setting Stunnel Configuration Parameters
Figure 4-11 Stunnel Configuration Section on the Stunnel Page
Parameter Description
Stunnel Enable...
Parameter Description
Enable Stunnel Server Timeout – This option enables/disables the Stunnel server timeout feature on the system. By default this feature is disabled. If enabled, the “Stunnel Server Tunnel Timeout” will be set to a default value of 86400 seconds.
Stunnel Server Tunnel Timeout – Specify the timeout value (in seconds) for all SSL VPN...
Parameter Description
Max Clients – Specify the maximum number of simultaneous client sessions supported by Stunnel. The permissible range of this parameter is 1-100. By default, the value is set to 100. Note that every Stunnel tunnel requires a unique PPP peer IP address, assigned from the Stunnel IP Pool, configurable using the bottom half of this page.
4.1.5.2 Configuring LDAP Settings for Stunnel
An LDAP server is optionally used to store usernames/passwords. This section allows you to configure various LDAP settings for Stunnel.
Figure 4-12 LDAP Configuration Section of the Stunnel Configuration Page
Parameter Description
LDAP Authentication...
simultaneous Stunnel connections, irrespective of the configured 'Max Clients' parameter value. By default, this list is empty. If you have added a new IP pool range, it will only become effective after the next restart of Stunnel.
Note: Remove addresses from the DHCP server or servers on the LAN that will be used by the VPN Concentrator’...
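The Max Clients, licence count and Stunnel IP Pool size described above each cap concurrent tunnels independently, and the note asks that pool addresses be excluded from LAN DHCP. The following is an added capacity and overlap check written for this guide, not ShoreTel code; the model names, pool ranges and DHCP scopes used as sample input are constructed.

```python
import ipaddress

# Per-model licence ceilings stated in the guide (10 tunnels on 4500/4550,
# 100 on 5300LF/5300LF2). All sample values further down are constructed.
LICENSE_LIMIT = {"4500": 10, "4550": 10, "5300LF": 100, "5300LF2": 100}


def pool_addresses(ranges):
    """Expand (start, end) IPv4 ranges into the set of integer addresses they contain."""
    addrs = set()
    for start, end in ranges:
        lo = int(ipaddress.IPv4Address(start))
        hi = int(ipaddress.IPv4Address(end))
        if hi < lo:
            raise ValueError(f"pool range {start}-{end} is reversed")
        addrs.update(range(lo, hi + 1))
    return addrs


def effective_capacity(model, installed_licenses, max_clients, pool_ranges):
    """Simultaneous Stunnel sessions the unit can actually serve.

    Each session needs its own PPP peer address from the Stunnel IP Pool, so
    the pool size caps concurrency regardless of Max Clients (1-100); the
    installed licences cap it too. The smallest of the three is the real limit.
    """
    if not 1 <= max_clients <= 100:
        raise ValueError("Max Clients must be within 1-100")
    licensed = min(installed_licenses, LICENSE_LIMIT[model])
    return min(licensed, max_clients, len(pool_addresses(pool_ranges)))


def pool_dhcp_overlap(pool_ranges, dhcp_scopes):
    """Addresses that both the Stunnel pool and a LAN DHCP scope could hand out.

    The guide says to remove pool addresses from the LAN DHCP server; a
    non-empty result means a phone tunnel and a LAN host could collide.
    """
    shared = pool_addresses(pool_ranges) & pool_addresses(dhcp_scopes)
    return [str(ipaddress.IPv4Address(a)) for a in sorted(shared)]


if __name__ == "__main__":
    # Constructed sample configuration: a 4500 with a five-address pool.
    pool = [("10.0.0.10", "10.0.0.14")]
    print("effective capacity:", effective_capacity("4500", 10, 100, pool))
    print("pool/DHCP overlap:", pool_dhcp_overlap(pool, [("10.0.0.12", "10.0.0.200")]))
```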
Figure 4-14 SSL/TLS Certificate Store Page
The SSL/TLS Certificate Store page has three main sections:
• Certificate
• Create a Certificate
• Add a Certificate
4.1.6.1 Downloading a Certificate
The certificate list at the top of the page shows all certificates available on the system including their name and type.
A certificate entry can be a normal certificate or a Certificate Signing Request (CSR). CSRs cannot be used for normal operation and can only be downloaded in order to be signed by a CA. Once the CA has signed the CSR, the resulting certificate can be added to the system and used.
Figure 4-16 SSL/TLS Certificate Store page
Parameter Description
Certificate Name – Enter a name for the certificate. This name is only used to manage the certificate and is shown in the certificate list.
Certificate Type – Select the type of certificate, HTTPS or CA Certificate.
Parameter Description
Locality – Enter the location. For example, the name of a city.
Organization Name – Enter a name for the organization (for example, the company name).
Organization Unit – Enter a name to identify the specific organization (for example, the name of a department).
To add or delete a user from the username-password database: Note: The VPN user name and password are independent of any user names and passwords set in ShoreWare Director for ShoreTel phone users. 1. From the Configuration Menu, choose Stunnel Usernames Database.
Figure 4-18 Usernames’ List Page
1. Enter a user name and password to add to the list.
2. Confirm the password.
3. Click Add. The new entry will be added to the Allowed users list.
4.
Figure 4-19 MAC Addresses’ Whitelist Page
1. Enter the MAC addresses you want to add to the whitelist. The MAC address can be entered in the following format: HH:HH:HH:HH:HH:HH[/X], where “H” is a hexadecimal digit from 0 to F. The optional part /X specifies the number of hex digits from right to left.
To add or delete MAC addresses from the Blacklist database, choose Stunnel Usernames Database MAC Blacklist.
Figure 4-20 MAC Addresses Blacklist Page
1. Enter the MAC address(es) you want to add to the Blacklist in the following format: HH:HH:HH:HH:HH:HH[/X], where “H”...
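Both the whitelist and the blacklist above take entries in the HH:HH:HH:HH:HH:HH[/X] form. The following is an added parser and matcher for that syntax, written for this guide rather than taken from ShoreTel firmware; it assumes (the guide does not say) that X counts trailing hex digits that are ignored when matching, and that a blacklist hit takes precedence over the whitelist. The phone MACs and list contents are constructed sample data.

```python
import re

# Entry syntax from the guide: HH:HH:HH:HH:HH:HH[/X]. The meaning of X is an
# assumption here: X trailing hex digits are ignored when matching, so /6
# covers every device in one OUI. A bare MAC is an entry with no /X.
ENTRY_RE = re.compile(r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})(?:/(\d{1,2}))?$")


def parse_entry(entry):
    """Return (12 lowercase hex digits, number of leading digits that must match)."""
    m = ENTRY_RE.match(entry.strip())
    if not m:
        raise ValueError(f"malformed MAC entry: {entry!r}")
    digits = m.group(1).replace(":", "").lower()
    ignored = int(m.group(2)) if m.group(2) is not None else 0
    if ignored > 12:
        raise ValueError(f"/X must be 0-12 in {entry!r}")
    return digits, 12 - ignored


def mac_matches(entry, mac):
    """True when the phone MAC falls under the list entry (prefix comparison)."""
    pattern, fixed = parse_entry(entry)
    candidate, _ = parse_entry(mac)
    return pattern[:fixed] == candidate[:fixed]


def admission_decision(mac, whitelist, blacklist):
    """Evaluate a connecting phone against both lists.

    Assumed precedence (not stated on the page): a blacklist hit always blocks;
    otherwise the phone is admitted only if some whitelist entry covers it.
    """
    if any(mac_matches(e, mac) for e in blacklist):
        return "blocked"
    if any(mac_matches(e, mac) for e in whitelist):
        return "allowed"
    return "denied"


def load_list(text):
    """Parse one list as typed into the GUI, one entry per line; blank lines are
    skipped and malformed entries are rejected up front rather than at match time."""
    entries = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for e in entries:
        parse_entry(e)
    return entries


if __name__ == "__main__":
    # Constructed sample lists: admit one vendor OUI, block a single lost phone.
    allow = load_list("00:1A:2B:00:00:00/6\n")
    block = load_list("00:1A:2B:33:44:55\n")
    for mac in ("00:1a:2b:33:44:55", "00:1A:2B:99:88:77", "AA:BB:CC:DD:EE:FF"):
        print(mac, admission_decision(mac, allow, block))
```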
established and the amount of time the session has been active. This information is useful in diagnosing Stunnel issues. An active Stunnel session can be terminated by selecting the check box next to the session and clicking the Delete button.
86400 seconds. The default is '0'.
Configuring VPN Parameters on IP Phones
All ShoreTel IP Phones that support the VPN feature need to be configured to be aware of the VPN Concentrator as well as how to authenticate with this device.
2. Manual configuration using the Phone User Interface.
The latter method is only suggested for small deployments or demonstration purposes.
4.2.1 Configuring VPN Settings on IP Phones via config files
The following table shows the relevant parameters:
#KeepAlive – Keepalive parameter; overrides the 0 set in the shore_s6g.txt file.
#DnsAddress – List of up to 2 DNS Server Addresses in dotted decimal format.
a. VPN Gateway. This should be the IP address of the VPN Concentrator with which the phone will connect. Use the digit keys to enter digits and the * key to enter a period (.) in the IP address. Press the # key to complete this entry.
b.
2. Use a terminal emulator such as HyperTerminal set to a baud rate of 9600, 8 data bits, 1 stop bit, NONE for flow control. Alternatively, you can connect to the VPN Concentrator remotely using SSH.
3. Log on as root and enter the password provided by ShoreTel support.
Figure 5-1 Command Line Interface (CLI)
5.1.2 Viewing Network Information
Network information is available through both the GUI and the CLI.
Tools and Troubleshooting
Figure 5-2 Network Information Page
Ensure that all links and interfaces are up and running and all interfaces have valid IP addresses. Also make sure that the default route is pointing to the right gateway. Interface information can also be obtained through the CLI by issuing the “ifconfig”...
Figure 5-3 ifconfig Command Results
5.1.3 Checking Network Connectivity
Once all the physical and logical interfaces are up and running, you can check network connectivity by using the ping command. The "traceroute" command can also be used to understand the path that a packet will take to reach a destination on the internet and the delay associated with it.
Figure 5-4 Network Test Tools Page
The “ping” command is also available in the CLI:
Figure 5-5 ping Command Results...
When debugging problems, it is helpful to view the system message logs. These files can be provided to the ShoreTel support team for debugging purposes. In addition, ShoreTel’s remote system log server information can help the ShoreTel support team further analyze a problem. If more information is required for debugging purposes, read the “Packet...
FTP server so that it can be viewed by a program like Wireshark or sent to the ShoreTel support team for analysis. You can also copy the files from the system to your computer using WinSCP if an external FTP server is...
In the By Products list, select VPN Concentrator. The Customers and Partners login page appears. d. Enter your ShoreTel login name and password and click on the Sign In button. The VPN Concentrator page appears. e. In the Download section, click the VPN Concentrator build to which you want to upgrade.
5300LF – pub/e_5300lf
5300LF2 – pub/e_5300lf2
6. Upload the firmware file from ShoreTel Support to the corresponding directory on the FTP server.
Important! The FTP server should be pointing to c:\ftp as the default base folder or location. The FTP server can be sitting on either the WAN or LAN network.
Appendix A Firmware Upgrade
10. Click Submit.
11. Refer to the following Figures.
Figure A-2 Upgrading Firmware for the VPN Concentrator 4500
Figure A-3 Upgrading Firmware for the VPN Concentrator 4550
VPN Concentrator Installation and Configuration Guide...
Figure A-4 Upgrading Firmware for the VPN Concentrator 5300LF
Figure A-5 Upgrading Firmware for the VPN Concentrator 5300LF2
12. Follow the progress of the upgrade using the refresh the upgrade status link.
13. When the Write process begins, heed the warning: WARNING!!! Do not change the configuration or power off the device until the write is 100 percent complete.
NONE for flow control. Alternatively, you can connect to the VPN Concentrator remotely using SSH.
3. Log on as root and enter the password provided by ShoreTel support.
Note: Only two backup files can be stored in the VPN Concentrator’s flash memory because of size constraints.
Backup and Restore
USAGE:
    ewn help|list
    ewn save|load|delete [file name]
    ewn upload|download [file name] [ip address]
where file name must use extension .conf1 or .conf2.
At the command prompt (bash#), you can create the backup file, store it to local flash, copy it to a remote TFTP server, copy it from a remote TFTP server, delete it, load it, or list all available backup files.
Table 3: Configuration Backup CLI Commands
If you want to: Load a backup file to become the running configuration
Use this command: bash# ewn load <filename>
This command loads the specified backup file into RAM and makes it the active running configuration.
Appendix B Console Port Pinout (5300LF2 only)
To connect with the serial port of the 5300LF2, use an RJ45-to-DB9 cable. The RJ45-to-DB9 cable is included with the 5300LF2. Refer to Figure B-1.
Figure B-1 RJ45 to DB9 Cable (5300LF2)
The RJ45-to-DB9 cable must feature the following pinout:
Table 1: Console Port Pinout for the 5300LF2
DB9 Signal...