ShoreTel 4500 Installation Manual


ShoreTel VPN Concentrator
Models 4500/4550/5300LF/5300LF2
Installation Guide



Summary of Contents for ShoreTel 4500

  • Page 1 ShoreTel VPN Concentrator Models 4500/4550/5300LF/5300LF2 Installation Guide...
  • Page 3 Trademarks ShoreTel, ShoreCare, ShoreTel, ShoreWare and ControlPoint are registered trademarks of ShoreTel, Inc. in the United States and/or other countries. The ShoreTel logo and ShoreTel IP Phone are trademarks of ShoreTel, Inc. in the United States and/or other countries. All other copyrights and trademarks herein are the property of their respective owners.
  • Page 5: Table Of Contents

    Licensing..........................23 3.1.1 Viewing Preconfigured Licenses ..................23 3.1.2 Ordering Additional Licenses ................... 24 3.1.3 Installing a License on a ShoreTel VPN Concentrator ............25 Chapter 4 Configuring the VPN Concentrator ..................27 4.1.1 Configuring the Out of Band Management Port (VPN Concentrator 5300LF/5300LF2 Only) ............................
  • Page 6 Contents 4.1.10 Viewing and Terminating Active Stunnel Session(s) ............49 4.1.11 Enabling Remote System Logging ................... 50 Configuring VPN Parameters on IP Phones ................ 51 4.2.1 Configuring VPN Settings on IP Phones via config files ........... 52 4.2.2 Configuring VPN Settings Manually on the IP Phone ............52 4.2.3 Summary of the Recommended Phone Configuration and Deployment Procedure ..
  • Page 7: Overview

    IT staff to implement a very secure and flexible remote work policy. Remote users simply connect a ShoreTel IP phone to a broadband router and with minimal configuration, establish a secure tunnel to the ShoreTel VPN Concentrator. Once connected, their phone acts as though it was located in the office.
  • Page 8: Vpn Concentrator 5300Lf

    AC power cord • MAC Address and Serial Number (affixed to the “belly” of the device) • AC power adapter, with attached power cord (4500 and 4550 models only) Note: If you have ordered additional licenses for the VPN, contact your reseller.
  • Page 9: Hardware Features

    Hardware Features 1.4.1 VPN Concentrator 4500 and 4550 The front and back panel of the VPN Concentrator models 4500 and 4550 are the same. For the purposes of this guide, the VPN Concentrator 4550 is used as an example. 1.4.1.1...
  • Page 10 1 through 3 can be used as a tag-based or port-based VLAN. USB Ports – Not used. Ethernet WAN Port – This port is used to connect the 4500/4550 to an upstream router. Note: This port requires an IP Address. If you do not know the IP Address assigned to the WAN Interface, contact your system administrator.
  • Page 11: Vpn Concentrator 5300Lf And 5300Lf2

    Chapter 1 Hardware Features 1.4.2 VPN Concentrator 5300LF and 5300LF2 The front panel and back panel components differ for the VPN Concentrator 5300LF and 5300LF2 models as defined here. 1.4.2.1 VPN Concentrator 5300LF Figure 1-3 Front Panel (5300LF) Component Description Erase •...
  • Page 12 Hardware Features Chapter 1 Component Description Reset – Used to do a hard reset of the system. Console – DB9 serial (RS232) port (male connector) for CLI-based configuration. The serial port uses a baud rate of 9600, 8 data bits, 1 stop bit and no parity.
  • Page 13 Chapter 1 Hardware Features 1.4.2.2 VPN Concentrator 5300LF2 Figure 1-5 Front Panel (5300LF2) Component Description Erase • If pressed twice in quick succession, the CLI password will be changed to its default password. • If pressed three times in quick succession, the 5300 will revert to factory default settings.
  • Page 14: Physical Installation

    WAN port to a firewall or an upstream router. • If the unit will be mounted on the wall (4500 and 4550): — 1 flat or Phillips screwdriver — 2 round or flat head wood screws, Phillips or slotted, 1 ½ inch long. Refer to Figure 1-7.
  • Page 15: Desktop Installation

    2. Place the unit on a flat, dry surface such as a desktop, shelf or tray. 1.5.3 Wall-Mount Installation (4500 and 4550) You can mount the unit on a wall using the two built-in hang holes on the bottom of the appliance.
  • Page 16: Rack-Mount Installation

    Physical Installation Chapter 1 Figure 1-8 Distance between hang holes on the 4500/4550 2. Remove the unit and accessories from the shipping container. 3. Mount the unit on the wall as shown below. Figure 1-9 Mounting position WARNING Do not mount the unit on the wall as shown below: Figure 1-10 Improper Mounting Position 1.5.4...
  • Page 17: Connecting The Vpn Concentrator To An Ac Outlet

    Chapter 1 Physical Installation Figure 1-11 Attaching the Ear Mounts 1.5.5 Connecting the VPN Concentrator to an AC outlet 1. Plug the power cord attached to the Power Adaptor into the AC Power Connector on the back of the device. 2.
  • Page 18: Accessing The Web Configuration Gui

    1. If you are connecting to the 4500/4550 for the first time: a. Connect one end of an Ethernet cable to local LAN port 4 of the 4500/4550. Connect the other end of the cable to your computer’s Ethernet port.
  • Page 19: Connecting To The Web Configuration Gui (5300Lf/5300Lf2)

    Chapter 1 Accessing the Web Configuration GUI Note: The default user name and password for the device are “root” and “default”. If this user name and password do not allow you to access the device, they may have been changed. Obtain the user name and password from your system administrator.
  • Page 20 Accessing the Web Configuration GUI Chapter 1 3. Launch a web browser on the PC and enter the following URL: http://192.168.1.1. If you are connecting to the 5300LF/LF2 after initial configuration, complete the following steps: 1. Confirm with the system administrator if the Management Interface has been enabled. If the Management Interface is enabled, you must connect to LAN port 3.
  • Page 21: Setting The Ip Address For The Vpn Concentrator

    Chapter 1 Setting the IP Address for the VPN Concentrator Figure 1-15 System Page for the 5300LF2 Setting the IP Address for the VPN Concentrator The device is pre-configured with the LAN IP address 192.168.1.1 (reachable at http://192.168.1.1). To set the LAN IP address, obtain a static LAN IP address from your system administrator. The VPN concentrator must be on the same LAN subnet as the other devices on the network with which it will connect.
  • Page 22 Setting the IP Address for the VPN Concentrator Chapter 1 Figure 1-16 Network Page 2. Under WAN Interface Settings: a. Select Static IP. b. Set the IP Address to an IP address that is within the subnet of the DMZ for your firewall.
  • Page 23: Deploying The Vpn Concentrator Behind A Firewall

    9. Connect the device to the WAN by completing one of the following steps: — If you are connecting the 4500/4550 to the WAN, connect one end of an Ethernet cable to the 4500/4550 WAN port, and connect the other end to Ethernet port of an appropriate device based on your deployment scenario.
  • Page 24 Deploying the VPN Concentrator Behind a Firewall Chapter 1 Figure 1-17 Deploying the VPN Concentrator behind an Enterprise Firewall...
  • Page 25: System Overview

    Figure 2-1 Remote phones connectivity to Headquarters through secure SSL VPN tunnels A maximum of 10 simultaneous SSL VPN tunnels can be licensed on the 4500/4550. A maximum of 100 simultaneous SSL VPN tunnels can be licensed on the 5300LF/5300LF2.
  • Page 26: Redundant Vpn Concentrators

    Redundant VPN Concentrators Chapter 2 Redundant VPN Concentrators You can deploy VPN concentrators for the purposes of redundancy and load balancing. Note: Separately apply each license to enable VPN tunnels. Licenses cannot be reused. You can configure a remote IP phone to be aware of up to three VPN concentrators by setting the #VPNGateway parameter to the IP address of each VPN concentrator in the IP Phone’...
  • Page 27 Chapter 2 Other Features • Session Timeout – An optional global timeout value for SSL VPN sessions can be configured by the administrator. Any SSL VPN session will be terminated if it has been active for the duration of the timeout value. •...
  • Page 28 Other Features Chapter 2...
  • Page 29: Licensing

    3.1.1 Viewing Preconfigured Licenses The VPN is shipped with preconfigured licenses. The 4500/4550 is shipped with up to five licenses, and the 5300LF/5300LF2 is shipped with up to 10, depending on the original order. If additional licenses are ordered with the original purchase, a license key document is shipped with the product or sent to the partner or reseller.
  • Page 30: Ordering Additional Licenses

    You can install licenses for up to 10 tunnels on ShoreTel VPN 4500/4550 Concentrators and 100 tunnels on ShoreTel VPN 5300LF/5300LF2 Concentrators. Order additional licenses from your ShoreTel reseller or partner. To order a license key for a unit, you must...
  • Page 31: Installing A License On A Shoretel Vpn Concentrator

    24 hours of a valid request. 3.1.3 Installing a License on a ShoreTel VPN Concentrator This section describes how to install a license on a ShoreTel VPN Concentrator. Requirement • Valid license for the target VPN Concentrator, contained in a license key document.
  • Page 32 Licensing Chapter 3...
  • Page 33: Configuring The Vpn Concentrator

    Chapter Configuring the VPN Concentrator To configure the VPN Concentrator 4500/4550 and 5300LF/5300LF2, complete the following steps: Step 1 Install a License on the ShoreTel VPN Concentrator. See Chapter 3 on page Step 2 Set the IP Address. See...
  • Page 34: Creating And Deleting Vlans

    Configuring the VPN Concentrator Chapter 4 Figure 4-1 Management Interface Page Figure 4-2 Management Interface Page Parameter Description Enable Management Interface Enable the management interface checkbox to allow access through the management port. When enabled, connections to ONLY management protocols such as HTTP, SSH, SNMP and TELNET will be allowed on the management port.
  • Page 35 Chapter 4 Configuring the VPN Concentrator Since the 4500/4550 has four LAN ports and the 5300LF/5300LF2 has one LAN port, the VPN Configuration pages vary slightly. The VPN Configuration page for the 4500/4550 provides additional options for associating VLANs with LAN ports and for tagging data that moves between the ports.
  • Page 36 Assigning LAN Ports to VLANs (4500/4550 only) On the VPN Concentrator model 4500/4550, you can assign LAN ports as members of a VLAN using the VLAN Membership page. If a port is a member of a VLAN, it will accept both tagged and untagged traffic of that VLAN.
  • Page 37 You can configure per-port VLAN settings on the VLAN Port Configuration page for the VPN Concentrator 4500/4550. These settings include the packet type accepted on the port and the port's PVID (Port VLAN ID). To access the VLAN Port Configuration page, choose Network VLAN Configuration from the Configuration Menu.
  • Page 38: Connecting Remote Vpn Clients To Lan Subnets

    Configuring the VPN Concentrator Chapter 4 Parameter Description Packet Type Specify the Packet type as Tagged Only or Untagged Only from the drop-down menu. If Tagged Only is selected, only tagged traffic will be accepted on the associated LAN port. By default, only untagged packet types are accepted on a port.
  • Page 39: Viewing And Changing Link Settings For Ethernet Interfaces

    Chapter 4 Configuring the VPN Concentrator 4.1.3.1 Adding a Static Route To add a static route, enter the following information: Parameter Description IP Network Enter the remote network address or host. Network mask Enter the subnet mask for the subnet. When defining a host route, the netmask should be 255.255.255.255.
  • Page 40 Configuring the VPN Concentrator Chapter 4 Figure 4-9 Set Link Page...
  • Page 41 Speed or Duplex Mismatch. If Ethernet interface speed or duplex mismatches result when the Link Rate is configured for Autonegotiate, ShoreTel recommends manual configuration of the Ethernet speed and duplex on both the VPN concentrator and the Ethernet switch.
  • Page 42: Configuring Stunnel

    If the WAN Upstream Bandwidth is less than 256 Kbit/s, the MTU size is automatically reduced to 800 bytes. This only applies if the WAN interface has an IPv4 address assigned. This option is not available on the 4500/4550 platforms. 4.1.5 Configuring Stunnel You can configure Stunnel VPN to provide secure VoIP services.
  • Page 43 Chapter 4 Configuring the VPN Concentrator The Stunnel Configuration page is divided into three sections: • Stunnel Configuration • Configuring LDAP Settings for Stunnel • Configuring a Stunnel IP Address Pool 4.1.5.1 Setting Stunnel Configuration Parameters Figure 4-11 Stunnel Configuration Section on the Stunnel Page Parameter Description Stunnel Enable...
  • Page 44 Configuring the VPN Concentrator Chapter 4 Parameter Description Enable Stunnel Server This option enables/disables the Stunnel server timeout Timeout feature on the system. By default this feature is disabled. If enabled, the “Stunnel Server Tunnel Timeout” will be set to a default value of 86400 seconds. Stunnel Server Tunnel Specify the timeout value (in seconds) for all SSL VPN Timeout...
  • Page 45 Chapter 4 Configuring the VPN Concentrator Parameter Description Max Clients Specify the maximum number of simultaneous client sessions supported by Stunnel. The permissible range of this parameter is 1-100. By default, the value is set as 100. Note that every stunnel requires a unique PPP peer IP Address, assigned from the Stunnel IP Pool, configurable using the bottom half of this page.
  • Page 46 Configuring the VPN Concentrator Chapter 4 4.1.5.2 Configuring LDAP Settings for Stunnel An LDAP server is optionally used to store Username/Passwords. This section allows you to configure various LDAP settings for Stunnel. Figure 4-12 LDAP Configuration Section of the Stunnel Configuration Page Parameter Description LDAP Authentication...
  • Page 47: Downloading, Creating, And Adding A Certificate

    Chapter 4 Configuring the VPN Concentrator simultaneous Stunnel connections, irrespective of the configured 'Max Clients' parameter value. By default, this list is empty. If you have added a new IP pool range, it will only become effective after the next restart of Stunnel. Note: Remove addresses from the DHCP server or servers on the LAN that will be used by the VPN Concentrator’...
  • Page 48 Configuring the VPN Concentrator Chapter 4 Figure 4-14 SSL/TLS Certificate Store Page The SSL/TLS Certificate Store page has three main sections: • Certificate • Create a Certificate • Add a Certificate 4.1.6.1 Downloading a Certificate The certificate list at the top of the page shows all certificates available on the system including their name and type.
  • Page 49 Chapter 4 Configuring the VPN Concentrator A certificate entry can be a normal certificate or a Certificate Signing Request (CSR). CSRs cannot be used for normal operation and can only be downloaded in order to be signed by a CA. Once the CA has signed the CSR, the resulting certificate can be added to the system and used.
  • Page 50 Configuring the VPN Concentrator Chapter 4 Figure 4-16 SSL/TLS Certificate Store page Parameter Description Certificate Name Enter a name for the certificate. This name is only used to manage the certificate and is shown in the certificate list. Certificate Type Select the type of certificate, HTTPS or CA Certificate.
  • Page 51 Chapter 4 Configuring the VPN Concentrator Parameter Description Locality Enter the location. For example, the name of a city. Organization Name Enter a name for the organization (for example, the com- pany name). Organization Unit Enter a name to identify the specific organization (for example, the name of a department).
  • Page 52: Configuring The Stunnel Username-Password Database

    To add or delete a user from the username-password database: Note: The VPN user name and password are independent of any user names and passwords set in ShoreWare Director for ShoreTel phone users. 1. From the Configuration Menu, choose Stunnel Usernames Database.
  • Page 53: Configuring The Stunnel Mac Whitelist Database

    Chapter 4 Configuring the VPN Concentrator Figure 4-18 Usernames’ List Page 1. Enter a user name and password to add to the list. 2. Confirm the password. 3. Click Add. The new entry will be added to the Allowed users list. 4.
  • Page 54: Configuring The Stunnel Mac Address Blacklist Database

    Configuring the VPN Concentrator Chapter 4 Figure 4-19 MAC Addresses’ Whitelist Page 1. Enter the MAC addresses you want to add to the whitelist. The MAC address can be entered in the following format: HH:HH:HH:HH:HH:HH[/X], where “H” is a hexadecimal digit from 0 to F. The optional part /X specifies the number of hex digits from right to left.
  • Page 55: Viewing And Terminating Active Stunnel Session(S)

    Chapter 4 Configuring the VPN Concentrator  To add or delete MAC addresses from the Blacklist database, choose Stunnel  Usernames Database MAC Blacklist. Figure 4-20 MAC Addresses Blacklist Page 1. Enter the MAC address(es) you want to add to the Blacklist in the following format: HH:HH:HH:HH:HH:HH[/X], where “H”...
  • Page 56: Enabling Remote System Logging

    Configuring the VPN Concentrator Chapter 4 established and the amount of time the session has been active. This information is useful in diagnosing Stunnel issues. An active Stunnel session can be terminated by selecting the check box next to the session and clicking the Delete button. ...
  • Page 57: Configuring Vpn Parameters On Ip Phones

    86400 seconds. The default is '0'. Configuring VPN Parameters on IP Phones All ShoreTel IP Phones that support the VPN feature need to be configured to be aware of the VPN Concentrator as well as how to authenticate with this device.
  • Page 58: Configuring Vpn Settings On Ip Phones Via Config Files

    Configuring VPN Parameters on IP Phones Chapter 4 2. Manual configuration using the Phone User Interface. The latter method is only suggested for small deployments or demonstration purposes. 4.2.1 Configuring VPN Settings on IP Phones via config files The following table shows the relevant parameters: KeepAlive – the #Keepalive parameter overrides the value 0 set in the shore_s6g.txt file. #DnsAddress – list of up to 2 DNS Server Addresses in dotted decimal format.
  • Page 59: Summary Of The Recommended Phone Configuration And Deployment Procedure

    Chapter 4 Configuring VPN Parameters on IP Phones a. VPN Gateway. This should be the IP Address of the VPN Concentrator with which the phone will connect. Use the digit keys to enter digits and the * key to enter a period in the IP address (.) Press the # key to complete this entry. b.
  • Page 60 Configuring VPN Parameters on IP Phones Chapter 4...
  • Page 61: Tools And Troubleshooting

    2. Use a terminal emulator such as HyperTerminal set to a baud rate of 9600, 8 data bits, 1 stop bit, NONE for flow control. Alternatively, you can connect to the VPN Concentrator remotely using SSH. 3. Log on as root and enter the password provided by ShoreTel support. Figure 5-1 Command Line Interface (CLI) 5.1.2 Viewing Network Information Network information is available through both the GUI and the CLI.
  • Page 62 Tools and Troubleshooting Chapter 5 Figure 5-2 Network Information Page Ensure that all links and interfaces are up and running and all interfaces have valid IP addresses. Also make sure that the default route is pointing to the right gateway. Interface information can also be obtained through the CLI by issuing the “ifconfig”...
  • Page 63: Checking Network Connectivity

    Chapter 5 Tools and Troubleshooting Figure 5-3 ifconfig Command Results 5.1.3 Checking Network Connectivity Once all the physical and logical interfaces are up and running, you can check network connectivity by using the ping command. The "traceroute" command can also be used to see the path a packet takes to reach a destination on the internet and the delay associated with each hop.
  • Page 64 Tools and Troubleshooting Chapter 5 Figure 5-4 Network Test Tools Page The “ping” command is also available in the CLI: Figure 5-5 ping Command Results...
  • Page 65: Viewing Log Files

    When debugging problems, it is helpful to view the system message logs. These files can be provided to the ShoreTel support team for debugging purposes. In addition, ShoreTel’s remote system log server information can help the ShoreTel support team further analyze a problem. If more information is required for debugging purposes, read the “Packet...
  • Page 66 FTP server so that it can be viewed by a program like Wireshark or sent to the ShoreTel support team for analysis. You can also copy the files from the system to your computer using WinSCP if an external FTP server is...
  • Page 67: Firmware Upgrade

    In the By Products list, select VPN Concentrator. The Customers and Partners login page appears. d. Enter your ShoreTel login name and password and click on the Sign In button. The VPN Concentrator page appears. e. In the Download section, click the VPN Concentrator build to which you want to upgrade.
  • Page 68 5300LF pub/e_5300lf 5300LF2 pub/e_5300lf2 6. Upload the firmware file from ShoreTel Support to the corresponding directory on the FTP server. Important! The FTP server should be pointing to c:\ftp as the default base folder or location. The FTP server can be sitting on either the WAN or LAN network.
  • Page 69 Appendix A Firmware Upgrade 10. Click Submit. 11. Refer to the following Figures. Figure A-2 Upgrading Firmware for the VPN Concentrator 4500 Figure A-3 Upgrading Firmware for the VPN Concentrator 4550 VPN Concentrator Installation and Configuration Guide...
  • Page 70 Firmware Upgrade Appendix A Figure A-4 Upgrading Firmware for the VPN Concentrator 5300LF Figure A-5 Upgrading Firmware for the VPN Concentrator 5300LF2 12. Follow the progress of the upgrade using the “refresh the upgrade status” link. 13. When the Write process begins, heed the warning: WARNING!!! Do not change the configuration or power off the device until the write is 100 percent complete.
  • Page 71: Backup And Restore

    NONE for flow control. Alternatively, you can connect to the VPN Concentrator remotely using SSH. 3. Log on as root and enter the password provided by ShoreTel support. Note: Only two backup files can be stored in the VPN Concentrator’s flash memory because of size constraints.
  • Page 72 Backup and Restore Appendix A USAGE: ewn help|list; ewn save|load|delete [file name]; ewn upload|download [file name] [ip address], where file name must use extension .conf1 or .conf2. At the command prompt (bash#), you can create the backup file, store it to local flash, copy it to a remote TFTP server, copy it from a remote TFTP server, delete it, load it, or list all available backup files.
  • Page 73 Appendix A Backup and Restore Table 3: Configuration Backup CLI Commands. If you want to load a backup file to become the running configuration, use this command: bash# ewn load <filename>. This command loads the specified backup file into RAM and makes it the active running configuration.
  • Page 74 Backup and Restore Appendix A...
  • Page 75: Console Port Pinout (5300Lf2 Only)

    Appendix Console Port Pinout (5300LF2 only) To connect with the serial port of the 5300LF2, use an RJ45-to-DB9 cable. The RJ45-to-DB9 cable is included with the 5300LF2. Refer to Figure B-1. Figure B-1 RJ45 to DB9 Cable (5300LF2) The RJ45-to-DB9 cable must feature the following pinout: Table 1: Console Port Pinout for the 5300LF2 DB9 Signal...
