ShoreTel VPN Concentrator 4500 Installation And Configuration Manual

VPN Concentrator 4500/5300
Installation and Configuration Guide

Summary of Contents for ShoreTel VPN Concentrator 4500

  • Page 1 VPN Concentrator 4500/5300 Installation and Configuration Guide...
  • Page 2 800-1190-03, Revision 3 Document and Software Copyrights Copyright © 2009 by ShoreTel, Inc. Sunnyvale, California, U.S.A. All rights reserved. Printed in the United States of America. Contents of this publication may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without prior written authorization of ShoreTel, Inc.
  • Page 3: Table Of Contents

    Contents: 1.1 Specifications (1); 1.1.1 VPN Concentrator 4500 (1); 1.1.2 VPN Concentrator 5300 (1); 1.2 Hardware Installation (1); 1.2.1 VPN Concentrator 4500 (1); 1.2.1.1 Requirements for Installation (1); 1.2.1.2 Front Panel LEDs (2); 1.2.1.3 Back Panel (3); 1.2.1.4 Physical Installation (4); Required Tools and Materials...
  • Page 4 Contents (continued): 3.3.2.2 Manual configuration (32); 3.3.2.3 Summary of recommended configuration and deployment procedure (33); 4.1 Tools and Troubleshooting (35); 4.1.1 Network Information (36); 4.1.2 Network Connectivity (37); 4.1.3 Viewing Log Files (38); 4.1.4 Packet Capture (39); 4.1.4.1 Capturing Packets for an Individual SSL Connection...
  • Page 5: Specifications

    Operating Temperature: 5° to 40°C Humidity: 5% to 90%, non-condensing Hardware Installation 1.2.1 VPN Concentrator 4500 1.2.1.1 Requirements for Installation • A computer with a web browser as supported by ShoreTel (Microsoft Internet Explorer). • Two Ethernet cables VPN Concentrator Installation and Configuration Guide...
  • Page 6: Front Panel Leds

    Hardware Installation Chapter 1: 1.2.1.2 Front Panel LEDs Figure 1-1 Front view of the 4500 Item Description • Off – Power switch is off (or no power from the AC outlet) • Solid Green – Power is supplied to the unit •...
  • Page 7: Back Panel

    Chapter 1: Hardware Installation 1.2.1.3 Back Panel Figure 1-2 Back view of the 4500 Call out Description Power Connector – Accepts the plug from the supplied power adapter which can be connected to an AC outlet on the wall using the supplied power cord. 4 Ports 10/100 Mbps LAN Switch –...
  • Page 8: Physical Installation

    Hardware Installation Chapter 1: Call out Description Erase – • If pressed twice in quick succession, the CLI password will be changed to its original password. • If pressed three times in quick succession, the 5300 will revert to factory default settings. All passwords will be reset and all prior configurations will be erased.
  • Page 9: Desktop Installation

    Chapter 1: Hardware Installation — 2 hollow wall anchors • If the unit will be mounted in a shelf — 1 flat or Phillips screwdriver • Ethernet cables to connect the LAN ports to LAN switches or other Ethernet devices and the WAN port to a firewall or an upstream router.
  • Page 10: Rack-Mount Installation

    Hardware Installation Chapter 1: 4. Do not mount the 4500 on the wall as shown below. Rack-Mount Installation You can mount the 4500 in a 19” rack by using the rack-mount kit supplied with the product. 1. Attach the ear mounts to both sides of the 4500 with the screws. 2.
  • Page 11: Vpn Concentrator 5300

    12. Start configuring the system following the information in Chapter 1.2.2 VPN Concentrator 5300 1.2.2.1 Requirements for Installation • A computer with a web browser as supported by ShoreTel (Microsoft Internet Explorer). • At least one Ethernet cable...
  • Page 12: Front Panel Overview

    Hardware Installation Chapter 1: 1.2.2.2 Front Panel Overview Figure 1-3 Front view of the 5300 Call out Description Erase – • If pressed twice in quick succession, the CLI password will be changed to its original password. • If pressed three times in quick succession, the 5300 will revert to factory default settings.
  • Page 13: Back Panel Overview

    Chapter 1: Hardware Installation Call out Description Reset – Hard reset of the system. Console – DB9 serial (RS232) port (male connector) for CLI based configuration. The serial port uses a baud rate of 9600, 8 data bits, 1 stop bit and no parity. 1.2.2.3 Back Panel Overview Figure 1-4...
  • Page 14: Physical Installation

    Hardware Installation Chapter 1: 1.2.2.4 Physical Installation Rack-Mount Installation Figure 1-5 Ear mounts on the 5300 The 5300 is designed for 19” rack mount installation. Simply secure the ear mounts (as shown Figure 1-5) on both sides of the chassis to the rack post with screws. Please observe the following guidelines when installing the system: •...
  • Page 15: Initial Configuration

    Chapter 1: Hardware Installation 1.2.2.5 Initial Configuration You can configure the 5300 using a web browser such as Internet Explorer or Netscape Navigator. The VPN Concentrator 5300 is shipped with the pre-configured IP address 192.168.1.1 for the LAN ports. To connect to the 5300, follow these steps: 1.
  • Page 16: Deployment Scenarios

    Hardware Installation Chapter 1: 1.2.3 Deployment Scenarios Figure 1-6 Connected to WAN through firewall and gateway router To secure, restrict or inhibit pass-through traffic to the VPN Concentrator, it must be deployed behind an enterprise firewall. Connect the WAN port of the VPN Concentrator to the DMZ network (or port) of the firewall as shown in Figure 1-6.
  • Page 17: Introduction

    100 simultaneous SSL VPN tunnels can be licensed on the 5300. WARNING: If ShoreTel VPN phones will be deployed in remote locations, 911 calls placed from these phones will be routed to the Public Safety Answering Point (PSAP) nearest the site that hosts the switch and VPN concentrator.
  • Page 18: Redundant Vpn Concentrators

    Redundant VPN Concentrators Chapter 2: Redundant VPN Concentrators You can deploy multiple VPN concentrators for the purposes of redundancy and/or load balancing. Note: Separately apply each license to enable VPN tunnels. Licenses cannot be reused. Please refer to section 3.3.2.1 for details on making the remote IP phones aware of multiple VPN concentrators.
  • Page 19 Chapter 2: Other Features • History Log – A history log of all connection requests is maintained which includes information such as success and failure of session establishment, etc.
  • Page 20 Other Features Chapter 2:...
  • Page 21: Firmware Upgrade

    2. Make sure that the “pub/e_4500” and “pub/e_5300lf” directories exist under the root directory of the FTP server. 3. To upgrade VPN Concentrator 4500, obtain the image files from ShoreTel support and place them in the “pub/e_4500” directory. Place the image files in “pub/ e_5300lf”...
  • Page 22: Licensing

    1. Choose “System” submenu from “Configuration Menu” and provide the value of “LAN Interface MAC Address:” field to ShoreTel support. 2. Specify the part number to ShoreTel support based on the number of licenses required. A license key will be provided by ShoreTel support after the receipt of the above information.
  • Page 23: Configuration

    Menu. Add the information for each sub network one by one. 2. Set the system name by going to the “Services Configuration” page under “System”. In addition set the remote logging server information if help is needed from ShoreTel support team.
  • Page 24: Gui Interface

    Remote Syslog – By checking this option, syslog data can be sent to a remote system running a system log server. This option will help ShoreTel debug and solve the problems on the locally deployed VPN Concentrator. Remote Syslog Hosts – The IP address of the remote system running a system log server.
  • Page 25: Set Link

    Chapter 3: Configuration 3.3.1.2 Set Link In addition to allowing a user to set the link rate for Ethernet interfaces on the system, Set Link also displays the link settings for all the Ethernet interfaces on the system. Please use caution when adjusting the Ethernet link rate, as an incompatible rate setting may render the device unreachable.
  • Page 26: Management Interface (Vpn Concentrator 5300 Only)

    Configuration Chapter 3: Parameter Description WAN Ethernet – Same as for LAN Ethernet. Set WAN MTU Size – This value can be adjusted to reduce the latency introduced by large data packets on a slower link. If the WAN upstream bandwidth is less than 256 Kbps, the MTU size is automatically reduced to 800 bytes.
  • Page 27: Route

    Chapter 3: Configuration 3.3.1.4 Route Parameter Description IP Network – Network address of the subnet. Netmask – Subnet mask for the subnet. Gateway – IP address of the gateway router connecting to the subnet. Delete Route – If an entry is found in the route table matching the information given in “IP Network”, “Netmask”, and “Gateway”, then it will be deleted.
  • Page 28 Configuration Chapter 3: VPN Concentrator 4500 LAN port 4 can only do port based VLAN. LAN ports 1 through 3 can do both tag based or port based VLAN. Parameter Description VLAN ID to be used for the new VLAN...
  • Page 29: Ssl Vpn Main Page

    Chapter 3: Configuration VPN Concentrator 5300 Parameter Description VLAN ID – VLAN ID to be used for the new VLAN. IP Address – IP address of the VPN Concentrator in the broadcast domain associated with the VLAN ID being created. Network Mask – Network mask of the broadcast domain for the new VLAN.
  • Page 30: Global Configuration

    Configuration Chapter 3: Global Configuration Parameter Description Stunnel Enable – Enable or disable SSL VPN service on the VPN Concentrator. A valid Server IP Address is required for Stunnel to be enabled. Stunnel Server IP Address – IP Address of the Stunnel server listening to clients’ requests. Note: This field is empty by default.
  • Page 31: Ldap Configuration

    Chapter 3: Configuration Parameter Description MAC Blacklist Validation – If this feature is enabled, and if a MAC address received in the SSL VPN client request matches any of the MAC addresses on the MAC blacklist, then the request is rejected. Please see section MAC Address Blacklist to configure the MAC blacklist database.
  • Page 32: Proxy Arp Configuration

    Configuration Chapter 3: Proxy ARP Configuration Parameter Description Enable Stunnel Proxy ARP – Proxy ARP is used to create a bridge between phones on the LAN side and the phones connected through SSL VPN. The VPN Concentrator uses its own MAC address to receive the IP packets on behalf of all the remote phones and then routes the IP packets to the remote phones.
  • Page 33: Username And Password Database

    To add or delete a user from the database, choose “Stunnel” submenu from “Configuration Menu” and then choose “Username Database” submenu of “Stunnel.” Note: the VPN user name & password are independent of any user names and passwords set in ShoreWare Director for ShoreTel phone users.
  • Page 34: Mac Address Whitelist

    Configuration Chapter 3: MAC Address Whitelist If MAC Whitelist validation is enabled for STUNNEL, the MAC Address sent by the client is validated against the configured MAC Address Whitelist. If the MAC Address is not present in the Whitelist then the session request is rejected. The maximum number of MAC Addresses that can be configured at a time in the Whitelist database is 1000.
  • Page 35: Mac Address Blacklist

    Chapter 3: Configuration MAC Address Blacklist If MAC Blacklist validation is enabled for STUNNEL, the MAC Address sent by the client is validated against the configured MAC Address Blacklist. If the MAC Address is present in the Blacklist then the session request is rejected. The maximum number of MAC Addresses that can be configured at a time in the Blacklist database is 1000.
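    The two validation rules above (whitelist: reject unless present; blacklist: reject if present; at most 1000 entries per list) are small enough to model end to end. The following Python is an added example written for this page, not ShoreTel code and not what the VPN Concentrator runs internally; the function names, the normalization of MAC address formats, the order in which the two lists are checked and the sample phone MACs are all assumptions or constructed data.

```python
"""Added example (not ShoreTel code): Stunnel-style MAC whitelist/blacklist
session validation as the guide describes it. Names, the 1000-entry cap
enforcement and the sample data are assumptions / constructed."""
import re

MAX_ENTRIES = 1000  # per-list limit stated in the guide


def normalize_mac(mac: str) -> str:
    """Return the canonical 'aa:bb:cc:dd:ee:ff' form of a MAC address.

    Accepts colon, dash and Cisco dotted notation in any case; raises
    ValueError on malformed input so a garbled client value is never
    silently treated as 'not on the blacklist'.
    """
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacList:
    """A whitelist or blacklist database capped at MAX_ENTRIES addresses."""

    def __init__(self, entries=()):
        self._macs = set()
        for entry in entries:
            self.add(entry)

    def add(self, mac: str) -> None:
        canonical = normalize_mac(mac)
        if canonical not in self._macs and len(self._macs) >= MAX_ENTRIES:
            raise OverflowError(f"list already holds {MAX_ENTRIES} addresses")
        self._macs.add(canonical)

    def __contains__(self, mac: str) -> bool:
        return normalize_mac(mac) in self._macs

    def __len__(self) -> int:
        return len(self._macs)


def validate_session(client_mac: str, *, whitelist=None, blacklist=None):
    """Decide whether an SSL VPN session request may proceed.

    whitelist / blacklist set to None means that validation is disabled,
    mirroring the per-feature enable switches. Returns (accepted, reason).
    Assumption: the blacklist is consulted after the whitelist, so an
    address present on both is still rejected.
    """
    try:
        mac = normalize_mac(client_mac)
    except ValueError as exc:
        return False, str(exc)
    if whitelist is not None and mac not in whitelist:
        return False, "MAC not on whitelist"
    if blacklist is not None and mac in blacklist:
        return False, "MAC on blacklist"
    return True, "ok"


def run_demo():
    """Constructed scenario: two provisioned phones, one later reported lost."""
    whitelist = MacList(["00:1a:2b:3c:4d:5e", "00-1A-2B-3C-4D-5F"])
    blacklist = MacList(["001a.2b3c.4d5f"])  # lost handset, same MAC as 2nd phone
    requests = [
        "00:1a:2b:3c:4d:5e",   # provisioned, not lost -> accepted
        "00:1a:2b:3c:4d:5f",   # provisioned but blacklisted -> rejected
        "00:1a:2b:3c:4d:60",   # unknown handset -> rejected by whitelist
        "not-a-mac",           # malformed client value -> rejected
    ]
    return [validate_session(m, whitelist=whitelist, blacklist=blacklist)
            for m in requests]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

    Because the MAC address is a value sent by the client, these lists are a coarse admission filter rather than authentication; the username and password database remains the credential check, and both lists should be reviewed together when a handset is retired.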
  • Page 36: Current Sessions

    3.3.2 Configuring VPN Parameters on IP Phones All ShoreTel IP Phones that support the VPN feature need to be configured to be aware of the VPN Concentrator as well as how to authenticate with this device. Two methods are provided: 1.
  • Page 37: Manual Configuration

    Chapter 3: Configuration
    #VpnPort- Port to use when contacting the VPN Gateway. Sources are MAN, CFG. Default is 443.
    VpnPort 443
    #VpnEnable- Enable VPN Client if set to 1. Sources are MAN, CFG. Default is 0
    #VpnUserPrompt- Don’t cache the authentication user in NVRAM for survival across reboots if set to 1.
  • Page 38: Summary Of Recommended Configuration And Deployment Procedure

    Configuration Chapter 3: Step 5: Enter the following VPN related parameters in order 1. VPN Gateway. [Default value = 0.0.0.0]. This is the IP Address of the VPN Concentrator the phone will connect with. Use the digit keys to enter digits and the * key to enter a period in the IP address (.) Press the # key to complete this entry 2.
  • Page 39 Chapter 3: Configuration This procedure allows for a turn-key installation of remote phones with minimal user intervention.
  • Page 40 Configuration Chapter 3:...
  • Page 41: Tools And Troubleshooting

    Chapter 4: Tools and Troubleshooting Tools offered through the GUI and Command Line Interface (CLI) can be used to troubleshoot the system. Sometimes both GUI and CLI need to be used to debug the problem. Logging into the GUI system has been explained earlier in Section 1.2.1.5 and Section 1.2.2.5.
  • Page 42: Network Information

    Tools and Troubleshooting Chapter 4: 4.1.1 Network Information Network information is available through both GUI and CLI. The following screenshot displays the network information such as routing tables, link status, and interface status. Please make sure that all links and interfaces are up and running and all interfaces have valid IP addresses.
  • Page 43: Network Connectivity

    Chapter 4: Tools and Troubleshooting Interface information can also be obtained through the CLI by issuing the “ifconfig” command. 4.1.2 Network Connectivity Once all the physical and logical interfaces are up and running, network connectivity can be checked by using the ping command. The “traceroute” command can also be used to understand the path that a packet will take to reach a destination on the internet and the delay associated with it.
  • Page 44: Viewing Log Files

    To view the Stunnel related messages issue the command “tail -f /var/log/stunnel_history.log”. These files can also be provided to ShoreTel support team for debugging purposes. In addition ShoreTel’s remote system log server information can be entered in the “Services Configuration” so that ShoreTel support team can analyze it for debugging purposes.
  • Page 45: Packet Capture

    “killall tcpdump” 5. FTP the captured file “/etc/images/ETH1.pcap” to a remote server so that it can be viewed by a program like “wireshark” or sent to ShoreTel support team for analysis.
  • Page 46 Tools and Troubleshooting Chapter 4:...

This manual is also suitable for: VPN Concentrator 5300