Operating Temperature: 5° to 40°C Humidity: 5% to 90%, non-condensing Hardware Installation 1.2.1 VPN Concentrator 4500 1.2.1.1 Requirements for Installation • A computer with a web browser as supported by ShoreTel (Microsoft Internet Explorer). • Two Ethernet cables VPN Concentrator Installation and Configuration Guide...
Hardware Installation Chapter 1: 1.2.1.2 Front Panel LEDs Figure 1-1 Front view of the 4500 Item Description • Off – Power switch is off (or no power from the AC outlet) • Solid Green – Power is supplied to the unit •...
1.2.1.3 Back Panel Figure 1-2 Back view of the 4500 Call out Description Power Connector – Accepts the plug from the supplied power adapter which can be connected to an AC outlet on the wall using the supplied power cord. 4 Ports 10/100 Mbps LAN Switch –...
Call out Description Erase – • If pressed twice in quick succession, the CLI password will be changed to its original password. • If pressed three times in quick succession, the 5300 will revert to factory default settings. All passwords will be reset and all prior configurations will be erased.
— 2 hollow wall anchors • If the unit will be mounted in a shelf — 1 flat or Phillips screwdriver • Ethernet cables to connect the LAN ports to LAN switches or other Ethernet devices and the WAN port to a firewall or an upstream router.
4. Do not mount the 4500 on the wall as shown below. Rack-Mount Installation You can mount the 4500 in a 19” rack by using the rack-mount kit supplied with the product. 1. Attach the ear mounts to both sides of the 4500 with the screws. 2.
12. Start configuring the system following the information in Chapter 1.2.2 VPN Concentrator 5300 1.2.2.1 Requirements for Installation • A computer with a web browser as supported by ShoreTel (Microsoft Internet Explorer). • At least one Ethernet cable
1.2.2.2 Front Panel Overview Figure 1-3 Front view of the 5300 Call out Description Erase – • If pressed twice in quick succession, the CLI password will be changed to its original password. • If pressed three times in quick succession, the 5300 will revert to factory default settings.
Call out Description Reset – Hard reset of the system. Console – DB9 serial (RS232) port (male connector) for CLI based configuration. The serial port uses a baud rate of 9600, 8 data bits, 1 stop bit and no parity. 1.2.2.3 Back Panel Overview Figure 1-4...
1.2.2.4 Physical Installation Rack-Mount Installation Figure 1-5 Ear mounts on the 5300 The 5300 is designed for 19” rack mount installation. Simply secure the ear mounts (as shown in Figure 1-5) on both sides of the chassis to the rack post with screws. Please observe the following guidelines when installing the system: •...
1.2.2.5 Initial Configuration You can configure the 5300 using a web browser such as Internet Explorer or Netscape Navigator. The VPN Concentrator 5300 is shipped with the pre-configured IP address 192.168.1.1 for the LAN ports. To connect to the 5300, follow these steps: 1.
1.2.3 Deployment Scenarios Figure 1-6 Connected to WAN through firewall and gateway router To secure, restrict or inhibit pass-through traffic to the VPN Concentrator, it must be deployed behind an enterprise firewall. Connect the WAN port of the VPN Concentrator to the DMZ network (or port) of the firewall as shown in Figure 1-6.
100 simultaneous SSL VPN tunnels can be licensed on the 5300. WARNING: If ShoreTel VPN phones will be deployed in remote locations, 911 calls placed from these phones will be routed to the Public Safety Answering Point (PSAP) nearest the site that hosts the switch and VPN concentrator.
Chapter 2: Redundant VPN Concentrators You can deploy multiple VPN concentrators for the purposes of redundancy and/or load balancing. Note: Separately apply each license to enable VPN tunnels. Licenses cannot be reused. Please refer to section 3.3.2.1 for details on making the remote IP phones aware of multiple VPN concentrators.
Chapter 2: Other Features • History Log – A history log of all connection requests is maintained, which includes information such as success and failure of session establishment, etc.
2. Make sure that the “pub/e_4500” and “pub/e_5300lf” directories exist under the root directory of the FTP server. 3. To upgrade VPN Concentrator 4500, obtain the image files from ShoreTel support and place them in the “pub/e_4500” directory. Place the image files in “pub/e_5300lf”...
1. Choose “System” submenu from “Configuration Menu” and provide the value of “LAN Interface MAC Address:” field to ShoreTel support. 2. Specify the part number to ShoreTel support based on the number of licenses required. A license key will be provided by ShoreTel support after the receipt of the above information.
Menu. Add the information for each sub network one by one. 2. Set the system name by going to the “Services Configuration” page under “System”. In addition, set the remote logging server information if help is needed from the ShoreTel support team.
By checking this option, syslog data can be sent to a remote system running a system log server. This option will help ShoreTel debug and solve problems on the locally deployed VPN Concentrator.
Remote Syslog Hosts – The IP address of the remote system running a system log server.
Chapter 3: Configuration 3.3.1.2 Set Link In addition to allowing a user to set the link rate for Ethernet interfaces on the system, Set Link also displays the link settings for all the Ethernet interfaces on the system. Please use caution when adjusting the Ethernet link rate, as an incompatible rate setting may render the device unreachable.
Parameter – Description
WAN Ethernet – Same as for LAN Ethernet
Set WAN MTU Size – This value can be adjusted to reduce the latency introduced by large data packets on a slower link. If the WAN upstream bandwidth is less than 256 Kbps, the MTU size is automatically reduced to 800 bytes.
3.3.1.4 Route
Parameter – Description
IP Network – Network address of the subnet
Netmask – Subnet mask for the subnet
Gateway – IP address of the gateway router connecting to the subnet
Delete Route – If an entry is found in the route table for the information given in “IP Network”, “Netmask”, and “Gateway”, then it will be deleted.
VPN Concentrator 4500 LAN port 4 can only do port-based VLAN. LAN ports 1 through 3 can do either tag-based or port-based VLAN. Parameter Description VLAN ID to be used for the new VLAN...
VPN Concentrator 5300
Parameter – Description
VLAN ID – VLAN ID to be used for the new VLAN
IP Address – IP address of the VPN Concentrator in the broadcast domain associated with the VLAN ID being created.
Network Mask – Network mask of the broadcast domain for the new VLAN.
Global Configuration
Parameter – Description
Stunnel Enable – Enable or disable SSL VPN service on the VPN Concentrator. A valid Server IP Address is required for Stunnel to be enabled.
Stunnel Server IP Address – IP address of the Stunnel server listening to clients’ requests. Note: This field is empty by default.
Parameter – Description
MAC Blacklist Validation – If this feature is enabled, and if a MAC address received in the SSL VPN client request matches any of the MAC addresses on the MAC blacklist, then the request is rejected. Please see section MAC Address Blacklist to configure the MAC blacklist database.
Proxy ARP Configuration
Parameter – Description
Enable Stunnel Proxy ARP – Proxy ARP is used to create a bridge between phones on the LAN side and the phone connected through SSL VPN. The VPN Concentrator uses its own MAC address to receive the IP packets on behalf of all the remote phones and then routes the IP packets to the remote phones.
To add or delete a user from the database, choose “Stunnel” submenu from “Configuration Menu” and then choose “Username Database” submenu of “Stunnel.” Note: the VPN user name & password are independent of any user names and passwords set in ShoreWare Director for ShoreTel phone users.
MAC Address Whitelist If MAC Whitelist validation is enabled for STUNNEL, the MAC Address sent by the client is validated against the configured MAC Address Whitelist. If the MAC Address is not present in the Whitelist then the session request is rejected. The maximum number of MAC Addresses that can be configured at a time in the Whitelist database is 1000.
MAC Address Blacklist If MAC Blacklist validation is enabled for STUNNEL, the MAC Address sent by the client is validated against the configured MAC Address Blacklist. If the MAC Address is present in the Blacklist then the session request is rejected. The maximum number of MAC Addresses that can be configured at a time in the Blacklist database is 1000.
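The whitelist and blacklist checks described above can be audited offline before the lists are entered on the device. The following is an added example, not ShoreTel code: the function names are hypothetical, the accepted MAC notations and the rejection of unparseable addresses are assumptions, and the sample addresses are constructed.

```python
import re

MAX_ENTRIES = 1000  # per-list limit stated in the guide

def normalize_mac(text):
    """Return the MAC as 12 lowercase hex digits, or None if malformed."""
    compact = re.sub(r"[:.\-\s]", "", text.lower())
    return compact if re.fullmatch(r"[0-9a-f]{12}", compact) else None

def load_list(entries):
    """Split raw entries into (valid set, malformed list, duplicate list)."""
    valid, malformed, duplicates = set(), [], []
    for raw in entries:
        mac = normalize_mac(raw)
        if mac is None:
            malformed.append(raw)
        elif mac in valid:
            duplicates.append(raw)
        else:
            valid.add(mac)
    return valid, malformed, duplicates

def audit(whitelist, blacklist):
    """Report entries that make the two lists misleading or ineffective."""
    wl, wl_bad, wl_dup = load_list(whitelist)
    bl, bl_bad, bl_dup = load_list(blacklist)
    return {
        "whitelist": wl, "blacklist": bl,
        "malformed": wl_bad + bl_bad,
        "duplicates": wl_dup + bl_dup,
        "in_both": sorted(wl & bl),  # whitelisted but still rejected
        "over_limit": [name for name, macs in (("whitelist", wl), ("blacklist", bl))
                       if len(macs) > MAX_ENTRIES],
    }

def session_allowed(mac, wl, bl, wl_enabled, bl_enabled):
    """Apply both checks as the guide describes; either one can reject."""
    m = normalize_mac(mac)
    if m is None:
        return False  # assumption: an unparseable MAC is rejected
    return not (bl_enabled and m in bl) and not (wl_enabled and m not in wl)

# Constructed sample data (RFC 7042 documentation MAC range).
WHITELIST = ["00:00:5E:00:53:01", "00-00-5e-00-53-02", "0000.5e00.5303",
             "00:00:5E:00:53:01", "00:00:5E:00:53:ZZ"]
BLACKLIST = ["00:00:5e:00:53:02", "00:00:5e:00:53:10"]
REPORT = audit(WHITELIST, BLACKLIST)
```

An address that appears in `in_both` is rejected whenever blacklist validation is enabled, regardless of its whitelist entry, so such overlaps are worth resolving before deployment.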
3.3.2 Configuring VPN Parameters on IP Phones All ShoreTel IP Phones that support the VPN feature need to be configured to be aware of the VPN Concentrator as well as how to authenticate with this device. Two methods are provided: 1.
#VpnPort- Port to use when contacting the VPN Gateway. Sources are MAN, CFG. Default is 443.
VpnPort 443
#VpnEnable- Enable VPN Client if set to 1. Sources are MAN, CFG. Default is 0
#VpnUserPrompt- Don’t cache the authentication user in NVRAM for survival across reboots if set to 1.
Step 5: Enter the following VPN related parameters in order: 1. VPN Gateway. [Default value = 0.0.0.0]. This is the IP Address of the VPN Concentrator the phone will connect with. Use the digit keys to enter digits and the * key to enter a period (.) in the IP address. Press the # key to complete this entry. 2.
This procedure allows for a turn-key installation of remote phones with minimal user intervention.
Chapter 4: Tools and Troubleshooting Tools offered through the GUI and Command Line Interface (CLI) can be used to troubleshoot the system. Sometimes both the GUI and the CLI need to be used to debug a problem. Logging into the GUI system has been explained earlier in Section 1.2.1.5 and Section 1.2.2.5.
4.1.1 Network Information Network information is available through both the GUI and the CLI. The following screenshot displays network information such as routing tables, link status, and interface status: Please make sure that all links and interfaces are up and running and all interfaces have valid IP addresses.
Interface information can also be obtained through the CLI by issuing the “ifconfig” command. 4.1.2 Network Connectivity Once all the physical and logical interfaces are up and running, network connectivity can be checked by using the ping command. The "traceroute" command can also be used to understand the path that a packet will take to reach a destination on the internet and the delay associated with it.
To view the Stunnel-related messages, issue the command “tail -f /var/log/stunnel_history.log”. These files can also be provided to the ShoreTel support team for debugging purposes. In addition, ShoreTel’s remote system log server information can be entered in “Services Configuration” so that the ShoreTel support team can analyze it for debugging purposes.
killall tcpdump” 5. FTP the captured file “/etc/images/ETH1.pcap” to a remote server so that it can be viewed by a program like “wireshark” or sent to the ShoreTel support team for analysis.