Celestix cloud edge, Installation Manual

Page 1: ...Installation Guide Cloud Edge Security Appliance ...

Page 2: ...cept as expressly provided in any written license agreement from Celestix Networks the furnishing of this document does not give you any license to these patents trademarks copyrights or other intellectualproperty E Series Cloud Edge Security Appliance Installation Guide Document Number CES1002 120 001 Updated April1 2015 Part Number CCD 2001 30000001 Product version E Series 2 0 Comet version 2 0...

Page 3: ...etwork 17 Front Panel Controls Overview 19 Power the Celestix Appliance 19 The Next Step 20 Configure the Appliance 21 General Information 21 Initial Access 22 Configure IP Address without DHCP 22 Access the Web User Interface 23 Quick Setup Wizard 24 The Next Step 25 Configure Features 26 Features Installation 26 Feature Details 27 RDP Application Usage 31 The Next Step 32 Configure Features Remo...

Page 4: ...Configure Features Work Folders Setup Wizard 43 General Information 43 Initial Configuration 44 Setup Wizard 45 The Next Step 46 Create a System Image 47 LGV 47 Create a Backup 48 Update Software 49 Appendix 50 Glossary 51 Web User Interface Content Overview 57 Safety Precautions 58 Product Reclamation and Recycling 59 Index 60 Resource Worksheet 64 ...

Page 5: ... suited to the environment Always on remote connection for both end user access and client management RADIUS and multifactor authentication Encrypted access to internal resources without a VPN Streaming access to hosted applications from any device Synced work files can be accessed on supported devices and computers from wherever even without network connectivity A well planned BYOD blueprint can ...

Page 6: ... items are noted in bolded type for easy identification n Features on the appliance front and rear panels are also noted in bolded type n File names are delineated as filename xxx n Titles are delineated as documentname n Code is delineated as codeexamples l When referring to subsections in this document the hierarchy is delineated by the symbol For example the location of the section To find upda...

Page 7: ...e following information to confirm the package contains the necessary appliance accessories Appliance Series Accessory List Appliance Series 3400 6400 8400 Contents CAT6 Ethernet Cable Power Cable 2 2 RJ45 Connector Cable Mounting Brackets Hardware Rack Mounting Slides Hard ware included not included Table Accessory List Accessories Illustrations The illustrations below will help to identify the i...

Page 8: ...n 1 Appliance Package Contents If an item is missing from the package contact Celestix Networks via email support celestix com Appliance Hardware Features Each of the feature lists below include a legend to help identify components on the appliance ...

Page 9: ...on 2 Appliance Illustrations with Delineated Features System Overview The E Series Appliance simplifies the process to set up and manage access to IT resources The diagram below provides a reference for features that are available on the appliance ...

Page 10: ...rous DirectAccess Deployment with Manage Out Access for external users with strong authentication that allows system administrators to support and manage remote clients Requirements l Secure remote access for managed Windows 7 and Windows 8 clients l Anytime anywhere access to applications and data on the organization network l Compliance mandate for One Time Password OTP authentication l System a...

Page 11: ...s and smart phones Requirements l Secure remote access for nonmanaged clients that include commonly used operating systems Windows Linux OS X Android and iOS l Remote access to applications and data on the organization network l Web based applications need users to be pre authenticated at the edge l Applications individually provisioned based on user roles ...

Page 12: ...ation 5 VPN Role With Web Application Proxy Gateway Cross premises network connectivity for internally hosted and cloud resources Requirement Seamless connectivity between on premises data center and virtual machines hosted in the public cloud ...

Page 13: ...required to support feature deployments Note Details for feature configuration are discussed in the topic Resource Worksheet Network Policy Server l E Series Appliance serves as the RADIUS server it must be domain joined l Network Access Server RADIUS Client l IP Address l Shared secret l Network policies l Authentication protocol options ...

Page 14: ...er E Series and ADFS server Remote Desktop Gateway l E Series Appliance must be domain joined l RD Connection Broker and RD Web Access Server l RD Session Host server l RD Gateway server l SSL certificate l AD DS Group Managed Service Account l Firewall exceptions maybe required l End Users RDP client that supports RD Gateway like Windows Remote Desktop Client Remote Desktop Web Access l E Series ...

Page 15: ...nd users Windows 8 1 RT 8 1 Version Information Version information for appliance components are noted on the main web UI page Click the E Series logo link from any page to access The Next Step The following sections cover general setup which includes appliance installation and configuration then feature installation ...

Page 16: ...n steps are followed by instructions to rack connect to the network and power the appliance Installation Notes The following topics cover resources to prepare for installing the appliance on the network Assumptions Please note the necessary skills knowledge administrators should have and the assumptions that cover appliance installation for a majority of network environments Skills and Knowledge S...

Page 17: ...pliance Quick Setup Wizard The appliance must be assigned a computer name The computer name must be 15 alphanumeric characters or less Administrator password Celest1x default to be changed during setup Used in IG Configure the Appliance Quick Setup Wizard The administrator account is a member of the local administrator group The default password is case sensitive with brackets included It should b...

Page 18: ...ive Directory server IP address Hostname Used in IG Configure the Appliance Quick Setup Wizard ADFS AD DS FQDN Administrator account Used in IG Configure Features Web Application Proxy ADFS is required for Web Application Proxy Network Policy Server Network Access Server RADIUS Client IP Address Shared secret Network policy criteria Authentication protocol options May be needed in post configurati...

Page 19: ...D Gateway join domain IP address Hostname External FQDN AD DS IP address Subnet mask Default gateway DNS RD Session Host domain joined IP address Hostname RD Connection Broker domain joined IP address Hostname RD Web Access domain joined IP Address Hostname Firewall rules Used in IG Configure Features Feature Details Remote Desktop Gateway RD Gateway Required Configuration After Installation Remot...

Page 20: ...r NPS RADIUS clients IP address Hostname May be needed to set up Remote Access with VPN or NPS Bold items are required Rack the Appliance Celestix appliances are either 1U or 2U and should be attached to a standard 19 inch equipment rack as follows Note If the appliance came with slides instead of brackets see the instructions included in the slide packaging for the rack mounting procedure Caution...

Page 21: ...t common that an IP address will be assigned through DHCP and then configuration for a static address is covered in the Quick Setup Wizard interfaces instructions If DHCP is not deployed the section Configure IP Address without DHCP explains how to add the IP address to the network adapter To connect the appliance 1 Connect an Ethernet cable from the LAN0 network adapter on the Celestix appliance ...

Page 22: ...LED indicators Each of the network adapters contains a pair of lights to help identify connection speed and usage See below for details listed by model number 3400 n Right light displays connection speed green 100 Mbit amber 1 Gbit n Left light amber indicates link blink indicates activity 6400 8400 n Right light displays connection speed green 100 Mbit amber 1 Gbit n Left light amber blinks on ac...

Page 23: ...nfiguration mode the Jog Dial Oper ation section explains functionality Jog Dial Operation The Jog Dial on the appliance front panel is used to navigate the LED display to perform on screen commands l Turn to scroll through options n The square brackets cursor scrolls through items on the screen when the front panel display is in configuration mode The following example shows the Add option select...

Page 24: ...show the System Off message Power On Off the Appliance Power on and boot the appliance by pressing the Jog Dial While it is possible to power off the appliance by pressing the Jog Dial for 5 seconds it is far better to use the Shutdown option from the front panel display menu to power off the appliance gracefully The Next Step Once the appliance is installed on the network next configure network a...

Page 25: ...umptions Information presented in the A Series setup instructions is based on the following l The LAN is configured for DHCP Use DHCP initially to assign an IP address to the LAN0 network adapter Find the assigned IP address through the front panel controls Note If DHCP is not deployed use the front panel controls to assign an IP address to LAN0 l Active Directory AD is used as the domain controll...

Page 26: ...mple Information To help make the instructions clear the following examples are used to identify components CESA Appliance FQDN cesa01 example com Host Name cesa01 Domain Name example com Initial Access The internal network adapter LAN0 IP address is used to access the web UI The adapter needs to be configured with a static IP address The following describes two options l With DHCP initially assig...

Page 27: ...inue 8 Enter a Netmask if needed 9 Scroll to and select Proceed to Configure to save the entry The display returns to the Con figure Network screen when the process has completed 10 Scroll to Back and select to return the front panel display to idle mode To configure other adapters repeat the instructions above as necessary Access the Web User Interface Accessing the web UI is necessary to continu...

Page 28: ...s n User name the Administrator Password feature only changes the local administrator password which must be the logged in account n Password enter and confirm a new password Complexity requirements are noted on the screen 2 Date and Time use onscreen controls to enter the date time and time zone then configure for daylight savings if necessary 3 Network Interfaces if DHCP was used initially to as...

Page 29: ...server a Select Enable alert email b Complete the following l Send error alert email includes alert types where the level is set to Error l Send warning alert email includes alert types where the level is set to Warning l Send informational alert email includes types where the level is set to Inform ation l To indicates one or multiple recipients For multiple addresses use a comma to separate addr...

Page 30: ...Proxy external access by authenticated users to published applications l Remote Desktop Gateway firewall friendly external access to internal network remote desktop servers l Remote Desktop Web Access RD Web Access access to RemoteApp in Windows 7 or to Desktop Connection through a web browser RD Web Access can also include remote access to internal computers through a browser l Work Folders a ser...

Page 31: ...s for important details about configuration Need to Knows The following summary information is provided for reference Installs Role Service Network Policy Server Feature RSAT Network Policy and Access Service Tools Affected Appliance Features NPS is required for Remote Desktop Gateway RD Gateway If RD Gateway is deployed the NPS role is installed automatically as part of the setup Required Configu...

Page 32: ...ill require the VPN option to be enabled Cannot be colocated with Web Application Proxy Required Configuration After Installation Configuration must be customized for an environment there are two options l Click the Wizard button to open the Remote Access configuration tool l Click the Remote Access with VPN link to open the Remote Access console as an RDP applic ation Web Application Proxy Web Ap...

Page 33: ...n must be customized for an environment there are two options l Click the Wizard button to open the Web Application Proxy configuration tool l Click the Web Application Proxy link to open the Remote Access console as an RDP application Remote Desktop Gateway RD Gateway RD Gateway provides secure access to internal resources for remote users Access is through the Remote Desktop Connect RDC client a...

Page 34: ...sion Other devices can use a web browser to access them through Desktop Connection RD Web Access also lets users access computers with Remote Desktop enabled through RD Web Connection See Need to Knows for details about configuration Need to Knows The following summary information is provided for reference Installs Role Service RD Web Access Affected Appliance Features None Required Configuration ...

Page 35: ... File Server File Server Resource Manager Work Folders Feature RSAT File Server Resource Manager Tools Affected Appliance Features None Required Configuration After Installation Configuration must be customized for an environment 1 Click the Wizard button to run the Work Folders configuration tool 2 Next use Remote Access Console CESA Remote Access Console to open an RDP session from the local com...

Page 36: ...mote Desktop Connection 7 Configure settings as needed 8 When done navigate to File Exit in the remote desktop window to close and return to the Maintenance screen Closing the application logs off the RDP session to the appliance and is recommended to release management resources Note If the File menu is not visible use the quick close button The Next Step Once Remote Access features are installed...

Page 37: ...onfiguration Domain Terminology Disambiguation The terms below describe components that are used in documentation l On premises domains are sometimes referred to as AD domains but documentation uses the term internal domain l Servers configured with the role Active Directory Domain Services may be referred to as the domain controller DC or designated by the acronym AD DS The acronym AD is used as ...

Page 38: ...vailable when needed to complete configuration l Domain controller DirectAccess requires Windows Server 2003 or higher l Public address usually an FQDN that clients will use to connect to the network l DirectAccess clients must be Windows clients that are domain joined Supported options n 8 Enterprise and higher n 7 Ultimate Enterprise Additional Configuration Notes The notes below discuss options...

Page 39: ...m cesa01 int example com da example com Host Name ad01 cesa01 Domain Name int example com int example com Setup Wizard The setup wizard is a walk through to configure components for Remote Access Access the screen through the web UI at CESA Features Remote Access with VPN Wizard Wizard Instructions While working through the wizard the appliance may need to reboot Component Selection Select a Remot...

Page 40: ...ent management only configure tunnel for remote client management ii Client Group designate an AD security group that will manage devices that connect through DirectAccess leave blank to include all remote devices iii Internal specify the internal network adapter in the drop menu c GPO and NLS i Group Policy Object GPO leave blank to configure the default options otherwise designate predefined AD ...

Page 41: ... RADIUS servers may use 1646 7 Always use the same message authenticator select if the attribute Request must contain the Message Authenticator attribute has been configured on the RADIUS server 3 Finish review the settings click Next to configure Configure DirectAccess services only select to add access through DirectAccess connections 1 DirectAccess a Basic define the appliance location and the ...

Page 42: ...ccess to the DirectAccess server ii Network Location Server the NLS server will be installed on the appliance unless an external server is designated 1 NLS Certificate if an SSL certificate will be used navigate to and select it 2 NLS URL if an external NLS server is deployed enter the HTTPS URL 2 Finish review the settings click Next to configure Configure VPN services only select to add access t...

Page 43: ...he default is UPD 1812 for authentication Legacy RADIUS servers may use 1646 7 Always use the same message authenticator select if the attribute Request must contain the Message Authenticator attribute has been con figured on the RADIUS server The wizard is complete when the congratulations screen displays The Next Step The next step depends on the deployment Once all features for the deployment a...

Page 44: ...ses the term internal domain l Off premises domains are sometimes qualified by the terms external or public but doc umentation uses the term federated domain l Servers configured with the role Active Directory Domain Services may be referred to as the domain controller DC or designated by the acronym AD DS The acronym AD is used as a gen eral referent for the internal domain directory l A federati...

Page 45: ...o access ADFS for authentication l Publicly signed certificate an SSL certificate is required it is strongly recommended to use a third party certificate from a trusted vendor The certificate subject is the same as the fed eration service namespace Example Information To help make the instructions clear the following examples are used to identify components Internal Domain Federated Domain CESA Ap...

Page 46: ...rtificate navigate to and select the certificate that will be used for authentication 2 Passphrase enter the certificate passphrase The wizard is complete when the congratulations screen displays The Next Step The next step depends on the deployment Once all features for the deployment are configured saving a copy of the system image to preserve initial configuration is recommended ...

Page 47: ...erminology Disambiguation The terms below describe components that are used in documentation l A Sync server has the Work Folders role installed It can contain multiple sync shares l A Sync share is a collection of user folders that use the same policy settings l On premises domains are sometimes referred to as AD domains but documentation uses the term internal domain l Servers configured with th...

Page 48: ...d options n Windows 8 1 8 1 R 7 Professional Ultimate Enterprise n iPad with iOS 8 1 or later Additional Configuration Notes The notes below discuss options that can extended Work Folders functionality They exceed the scope of these instructions but will be helpful to consider when planning deployment l DNS configuration is required for the following instances n To sync files over the Internet a p...

Page 49: ...tificate passphrase 2 Finish review the settings click Next to configure The wizard is complete when the congratulations screen displays Next a sync share directory must designated on the appliance Required Configuration After Setup Wizard Configuration must be customized for an environment 1 Open an RDP session from the local computer to the E Series Appliance using Remote Access Console CESA Sys...

Page 50: ...eries Installation Guide The Next Step The next step depends on the deployment Once all features for the deployment are configured saving a copy of the system image to preserve initial configuration is recommended ...

Page 51: ...tem Imaging System System Imaging Accessing it through a web browser offers options for processes that are online when the operating system is loaded or offline after a restart before the appliance boots into the operating system Online or real time images use more disk space than offline imaging but they don t interrupt the services the appliance provides LGV The LGV instructions below require di...

Page 52: ... to select 7 Confirm when prompted The Saving System Image screen will show a progress indicator and an estimated time to completion for the image copy process Caution l DO NOT ACCESS OR TURN OFF THE APPLIANCE DURING THIS PROCESS l The appliance will shut down when the LGV process is complete Create a Backup Once configuration is complete creating a backup will provide another option to help remed...

Page 53: ...s 1 Navigate to System Software Updates Appliance Updates 2 Complete the following a click the Check for Updates button b Select an item c Install install selected update 3 Confirm if prompted Once applicable updates are installed Celestix recommends checking for Windows updates System Windows Updates Thank you for choosing the Celestix E Series Cloud Edge Security Appliance for your remote connec...

Page 54: ...50 E Series Installation Guide Appendix Use the links to jump to a topic l Web User Interface Content Overview l Safety Precautions l Product Reclamation and Recycling l Glossary l Index l Resource Worksheet ...

Page 55: ...e Directory ADFS Acronym for Active Directory Federation Services C CA Acronym for certificate authority Certificate The tool that TLS SSL uses to encrypt communication Certificate authority An entity that issues certificates to encrypt digital communication Certificate revocation list A list of certificates that are no longer valid for encryption CRL Acronym for certificate revocation list D DA A...

Page 56: ...nd attributes like dis tribution groups or user phone numbers to an Office365 instance DirSync Abbreviation for Directory Synchronization DNS Acronym for Domain Name System Domain Name System A service that translates domain names into IP addresses DRS Acronym for Device Registration Service F Failover A part of high availability where switching from failed to redundant com ponents occurs usually ...

Page 57: ... a user to a service provider M Multifactor authentication Employs additional forms of user data for authentication Two factor authen tication using one time passwords is a common example N Network access server A component of RADIUS authentication Abbreviated NAS Network Policy Server How Microsoft implements RADIUS NPS Acronym for NPS O Office 365 The cloud implementation of the Microsoft Office...

Page 58: ...system when RADIUS is used as the authentication protocol Redundancy A part of high availability design that employs additional resources like extra servers to carry out required functionality in the event one component fails Relying party trust Designates a service provider as a partner organization for ADFS The service provider is a relying party that ADFS will trust authentication requests from...

Page 59: ...te Network A secure Remote Access connection that provides access remote access to the internal network VPN Acronym for virtual private network W WAP Acronym for Web Application Proxy Web Application Proxy A reverse proxy solution that publishes internal web applications for external access WID Acronym for Windows Internal Database Windows Internal Database A version of SQL Server Express that is ...

Page 60: ...Page 56 E Series Installation Guide Workplace Join The function that allows users to register devices with the domain through DRS devices can then access application resources based on trust ...

Page 61: ...Page 57 E Series Installation Guide Web User Interface Content Overview The menu structure for the web UI is outlined below Use it to quickly find features ...

Page 62: ...e cord by the plug l Do not plug telecommunications telephone connectors into the NIC connectors l This server contains an internal lithium battery There is a risk of fire and burns if battery is not handled properly Do not attempt to recharge the battery Do not expose the battery to tem peratures higher than 60 C Do not disassemble crush puncture short external contact or dis pose of battery in f...

Page 63: ...s the use of certain substances that are commonly found in electronic products today Restricted substances include heavy metals like lead and polybrominated materials The RoHS Directive with some exemptions applies to all electrical and electronic equipment In accordance with Article 11 2 of Directive 2002 96 EC WEEE products put on the market after 13 August 2005 are marked with the following sym...

Page 64: ...igation 57 appliance hardware features 4 appliance installation 12 connect to network 17 front panel 19 network information worksheet examples 13 power on appliance 19 appliance setup 21 manual IP address 22 B Backup and Restore system image 47 C certificate WAP Requirement Checklist 41 Work Folders Requirement Checklist 44 connect to network network adapter 17 ...

Page 65: ...Deployment Assumptions for WAP 40 Deployment Assumptions for Work Folders 43 DirectAccess setup 35 E E Series version information 11 F front panel controls 19 Jog Dial 19 G Glossary 51 I IP address configure manually 22 J Jog Dial 19 L Last Good Version 47 LED network adapter indicators 18 login web UI 23 N network adapter indicators 18 ...

Page 66: ...quirement Checklist 21 Requirement Checklist for Remote Access 34 Requirement Checklist for WAP 41 Requirement Checklist for Work Folders 44 S setup Remote Access with VPN 35 WAP 41 Work Folders 45 Setup Wizard for Remote Access with VPN 35 Setup Wizard for WAP 41 Setup Wizard for Work Folders 45 Software update 49 system image 47 Last Good Version 47 U Update software 49 ...

Page 67: ...V version information 11 VPN setup 35 W WAP Deployment Assumptions 40 Requirement Checklist 41 setup 41 web UI 2 access 23 navigation 57 web UI login 23 Work Folders Deployment Assumptions 43 Requirement Checklist 44 Work Folders setup 45 ...

Page 68: ...WAN information LAN1 Private or internal network interface IP address Subnet mask Default gateway Primary secondary DNS server s Static routes Network address Gateway address DMZ LAN2 information Additional network interfaces Include the IP address subnet mask for each adapter to be used SMTP server IP address SMTP gateway name Active Directory server IP address Hostname ADFS AD DS FQDN Administra...

Page 69: ...g DHCP RADIUS server information if not using Windows authentication PKI if applicable IP address Web Application Proxy ADFS FQDN SSL certificate Remote Desktop Gateway RD Gateway join domain IP address Hostname External FQDN AD DS IP address Subnet mask Default gateway DNS RD Session Host domain joined IP address Hostname RD Connection Broker domain joined IP address Hostname RD Web Access domain...

Page 70: ...in joined IP address Hostname Remote Desktop Virtualization Host server optional IP address Hostname Firewall rules Work Folders Sync share name SSL certificate AD security group for user accounts Sync share DNS entry recommended Application server IP address Hostname RADIUS server IP address Hostname RADIUS clients IP address Hostname Bold items are required ...