Celestix E6600, Installation Manual

Page 1: ...Security Simplified Celestix E Series Installation Guide E6600 Security Appliance ...

Page 2: ...cument Except as expressly provided in any written license agreement from Celestix Networks the furnishing of this document does not give you any license to these patents trademarks copyrights or other intellectual property Celestix Edge E Series Appliance Installation Guide Document Number EDG2200 120 001 Updated January 18 2017 Part Number CCD 2122 30000001 Product version E Series 2 2 0 0 2017 ...

Page 3: ...ck the Appliance 16 Connect the Appliance 17 3 Setup 20 Power the Appliance 20 Log in to the Web UI 20 4 Configuration 22 General Information 22 Use the Setup Wizard 23 Install Features 24 Configure Remote Access 29 Configure Web Application Proxy 36 Configure Work Folders 38 5 Create a System Image 41 LGV 41 6 Backup 42 7 Update Software 43 Appendix 44 Web User Interface Content Overview 45 Addit...

Page 4: ...Safety Precautions 49 Product Reclamation and Recycling 50 Glossary 51 Index 56 Resource Worksheet 64 ...

Page 5: ... network configuration and server task management For the E Series it also provides simplified installation and configuration for secure connectivity and supporting technologies The Celestix E Series is a hardened and secure appliance platform that is optimized for secure Windows deployment out of the box The 2 2 0 0 E Series offers the following functionality SecureAccess client Read only access ...

Page 6: ...he appliance shipping carton Unpack the server shipping carton and locate the materials and documentation necessary for installing the server All the rack mounting hardware necessary for installing the server into the rack is included with the rack or the server The contents of the server shipping carton include Celestix Appliance HPE server Power cord x 2 except 3600 model Rack rail hook and loop...

Page 7: ...6 E Series Installation Guide ...

Page 8: ...7 E Series Installation Guide ...

Page 9: ...8 E Series Installation Guide ...

Page 10: ...9 E Series Installation Guide Illustration 2 Appliance Illustrations with Delineated Features ...

Page 11: ...rios for common aspects of Celestix Edge appliance deployment while the potential options are certainly numerous DirectAccess Deployment with Manage Out Access for external users with strong authentication that allows system administrators to support and manage remote clients Requirements Secure remote access for managed Windows 7 and Windows 8 clients Anytime anywhere access to applications and d...

Page 12: ...ets and smart phones Requirements Secure remote access for nonmanaged clients that include commonly used operating systems Windows Linux OS X Android and iOS Remote access to applications and data on the organization network Web based applications need users to be pre authenticated at the edge Applications individually provisioned based on user roles ...

Page 13: ...ion 5 VPN Role With Web Application Proxy Gateway Cross premises network connectivity for internally hosted and cloud resources Requirement Seamless connectivity between on premises data center and virtual machines hosted in the public cloud ...

Page 14: ...loyments Note Some items are optional Details for feature configuration are discussed in the topic Resource Worksheet Network Policy Server Celestix Edge appliance serves as the RADIUS server it must be domain joined Network Access Server RADIUS Client IP Address Shared secret Network policies Authentication protocol options Remote Access DirectAccess An Active Directory Domain Services AD DS doma...

Page 15: ...Gateway like Windows Remote Desktop Client Remote Desktop Web Access Celestix Edge appliance must be domain joined Remote Desktop Connection Broker RD Session Host server with RemoteApp programs configured SSL certificate Firewall exceptions will be required for the WMI Service Option virtual desktop Remote Desktop Virtualization Host server Work Folders Celestix Edge appliance serves as the sync ...

Page 16: ...15 E Series Installation Guide Version Information Version information for appliance components are noted on the main web UI page Click the E Series logo link from any page to access ...

Page 17: ...of personal injury or equipment damage be sure that the rack is adequately stabilized before extending a component from the rack Rack the Appliance Celestix appliances are 1U and should be attached to a standard 19 inch equipment rack as follows 1 Power down the appliance 2 Disconnect all peripheral cables from the appliance 3 Disconnect each power cord from the appliance 4 In a server that uses t...

Page 18: ...IP address to the network adapter To connect the appliance 1 Connect an Ethernet cable from the Primary Port LAN1 network adapter on the Celestix appliance to the internal network hub or switch 2 For additional network connections use the Secondary Port LAN2 or 4 Network ports adapter LAN3 6 on the appliance The diagram below provides a reference Illustration 8 Ethernet Connections Note Hardware m...

Page 19: ...18 E Series Installation Guide 1 NIC link LED Green Network link Off No network link 2 NIC activity LED Solid green Link to network Flashing green Network active Off No network activity ...

Page 20: ...eries Installation Guide Connect the Power Connect the power cable to the appliance To connect power 1 Connect the included power cable from a power source typically a UPS to the power inlet on the rear panel ...

Page 21: ...nternal network adapter Primary Port is used to access the web UI Note If the LAN IP address was assigned through DHCP login to the appliance using a KVM or Monitor and Keyboard Login to the windows using the default username and password Check the IP assigned to the appliance To log in 1 Open the web UI in a browser From a client computer on the network default access to the appliance web UI is t...

Page 22: ...21 E Series Installation Guide Important A certificate warning may display because the site uses a self signed certificate Accept the certificate to access the web UI ...

Page 23: ...nologies that Microsoft offers to allow external clients to access internal network resources Documentation uses the short name Remote Access The E Series includes the Remote Access features Direct Access VPN and Web Application Proxy The terms roles services and features are used to refer to Server 2012 R2 functionality for remote connectivity Remote Desktop Services desktop virtualization refers...

Page 24: ...Celestix Edge01 Domain Name example com Use the Setup Wizard While working through the wizard the appliance may need to reboot Wizard Instructions 1 Administrator Password the default local administrator password should be changed as a security precaution because it is public knowledge However once the appliance has been joined to the internal domain domain administrator credentials must be used t...

Page 25: ...rror o Send warning alert email includes alert types where the level is set to Warning o Send informational alert email includes types where the level is set to Information SMTP server settings Name indicate the network SMTP server name or IP address Port enter the number used for SMTP communication Use SSL TLS select to require encryption SMTP settings select and provide credentials with permissi...

Page 26: ...to confirm 4 The feature s status indicator will rotate while the system processes the request 5 A confirmation will display when the process is complete 6 Click the restart system link if prompted See the topic Feature Details for more information about feature options Manage Features Once installed some of the features include links that launch RDP applications to management consoles MMCs These ...

Page 27: ...US authentication authorization and accounting or RADIUS proxy connection request referral Need to Knows The following summary information is provided for reference Installs Role Service Network Policy Server Feature RSAT Network Policy and Access Service Tools Affected Appliance Features NPS is required for Remote Desktop Gateway RD Gateway If RD Gateway is deployed the NPS role is installed auto...

Page 28: ... portal to make accessing applications more convenient It also leverages authentication authorization and SSO functionality It is configured for deployments where ADFS runs on a separate server Notes Web Application Proxy cannot be colocated with the following roles ADFS Web Application Proxy requires ADFS but cannot be installed on the same server DirectAccess The E Series only supports forms bas...

Page 29: ...nstalled in which case the installation process proceeds just for RD Gateway Required Configuration After Installation Configuration must be customized for an environment Use the Remote Desktop Gateway link to open an RDP session to the Remote Desktop Gateway Manager Console in the browser Note Firewall rules may need to be adjusted to allow traffic Remote Desktop Web Access RD Web Access RD Web A...

Page 30: ...source Manager Tools Affected Appliance Features None Required Configuration After Installation Configuration must be customized for an environment 1 Click the Wizard button to run the Work Folders configuration tool 2 Next use the Remote Desktop management console System Remote Desktop to open an RDP session from the local computer to the E Series appliance In Windows Server open the Server Manag...

Page 31: ...GPOs will manage settings for clients and servers they have been created prior to running the setup wizard AD will be used for DirectAccess authentication and authorization DNS needs to resolve to either the public host name of the DirectAccess entry point or the NAT device for the DirectAccess server Requirement Checklist The following items will be required to set up Remote Access Plan ahead so ...

Page 32: ...stix Edge01 Domain Name intexample com intexample com Use the Setup Wizard The setup wizard is a walk through to configure components for Remote Access While working through the wizard the appliance may need to reboot Access the screen through the web UI at Celestix Edge Features Remote Access with VPN Wizard Wizard Instructions Component Selection select a Remote Access configuration option Confi...

Page 33: ...n e The imported certificate should display in the Certificate field If not use the drop menu to select it c GPO and NLS i Group Policy Object GPO leave fields blank to configure the default options otherwise designate predefined AD policy groups that will manage settings for devices and servers 1 Client GPO specify the name for the AD policy that will manage client access 2 Server GPO specify the...

Page 34: ...ertificate was not imported from the domain root CA viii Click Next 2 VPN a Address Assignment i Assign addresses automatically use DHCP to assign client addresses ii Assign addresses from a static address pool enter a range of IP addresses that RRAS will assign to clients when they connect to the network Enter the start and end IP addresses to define the range b Authentication i Use Windows Authe...

Page 35: ...rk adapter navigate to and select it If it needs to be imported first complete the following a Click the Import button b Certificate Import navigate to and select the certificate that will be used for authentication c Password enter the certificate passphrase d Click the Import button e The imported certificate should display in the Certificate field If not use the drop menu to select it c GPO and...

Page 36: ...ate to and select the certificate that will be used for authentication b Password enter the certificate passphrase c Click the Import button 2 The imported certificate should display in the Certificate field If not use the drop menu to select it vii Intermediate CA select if the certificate was not imported from the domain root CA viii Click Next 2 Finish review the settings click Next to configur...

Page 37: ...tion Deployment Assumptions Information presented in the E Series setup instructions is based on the following The Web Application Proxy feature has been installed through the web UI Deployment is a single proxy server AD will be used for authentication and authorization through ADFS Internal DNS entries have been configured for Web Application Proxy to resolve hostnames for backend servers Public...

Page 38: ...le adminuser c Password enter the password for the ADFS account d SSO Portal if WAP will be used to publish applications for remote users enter the address end users will need to access those applications Note Entering the address creates the portal 2 Certificate a Click the Import button b Complete the following i Certificate navigate to and select the certificate that will be used for authentica...

Page 39: ...the setup wizard Requirement Checklist The following items will be required to set up the Work Folders service Plan ahead so that items are available when needed to complete configuration Domain controller Windows Server 2012 or higher Publicly signed certificate an SSL certificate is required for Work Folders it must be a third party certificate from a trusted vendor Additional requirements The c...

Page 40: ...ix Edge Features Work Folders Wizard Wizard Instructions Use the following instructions to import the SSL certificate for Work Folders 1 Certificate import a certificate to encrypt authentication a Click the Import button b Complete the following i Certificate Import navigate to and select the Work Folders certificate that will be used for authentication ii Password enter the certificate passphras...

Page 41: ...40 E Series Installation Guide The base level setup that allows external access to work files is now complete Supported clients can now be configured to access sync services ...

Page 42: ...T screen you will see Celestix Boot Loader 4 Select the Celestix Rescue Mode This menu provides you an option to restore the factory image or restore any existing LGV 5 If you have done this correctly you will enter the Celestix Rescue Mode and the System Restore menu should appear on screen to the connected VGA output A FOR SYSTEM RESTORE Factory reset Once in the System Restore menu use the Keyb...

Page 43: ...llation Guide 6 Backup Celestix recommends running the Windows backup utility System Backup once configuration is complete to provide a remediation option for issues that may result from future system updates or changes ...

Page 44: ...d install updates 1 Navigate to System Software Updates Appliance Updates 2 Complete the following a click the Check for Updates button b Select an item c Install install selected update 3 Confirm if prompted Once applicable updates are installed Celestix recommends checking for Windows updates System Windows Updates Thank you for choosing the Celestix Edge E Series Appliance for your remote conne...

Page 45: ...ation Guide Appendix Use the links to jump to a topic Web User Interface Content Overview Additional Features Firewall Ports Reference Safety Precautions Product Reclamation and Recycling Glossary Index Resource Worksheet ...

Page 46: ...45 E Series Installation Guide Web User Interface Content Overview The menu structure for the web UI is outlined below Use it to quickly find features ...

Page 47: ...wing log data or connectivity statistics without allowing access to settings or advanced tools For information about configuring the feature see the online help System Read Only Access SecureAccess SecureAccess is a remote access client application that provides automatic always on access to network resources and manage out functionality for Windows Home Professional and Mac computers For informat...

Page 48: ...e stated Required TCP port 443 inbound and outbound Conditional Protocol 41 inbound and outbound for 6to4 UDP port 3544 inbound and outbound for Teredo VPN behind firewall unless otherwise stated TCP port 1723 inbound and outbound for PPTP Protocol 47 inbound and outbound for PPTP TCP port 443 inbound and outbound for SSTP UDP port 500 inbound and outbound for L2TP IPsec IKEv2 UDP port 4500 inboun...

Page 49: ...ertificate Revocation List CRL TCP 80 inbound and outbound for HTTP Certificate Revocation List CRL TCP 21 inbound and outbound for FTP Certificate Revocation List CRL TCP 5985 inbound and outbound for WMI and PowerShell Remoting TCP UDP 3389 inbound and outbound for RDP Work Folders TCP port 443 inbound and outbound for folder synching TCP port 80 inbound and outbound for folder synching ADFS For...

Page 50: ...e cord by the plug Do not plug telecommunications telephone connectors into the NIC connectors This server contains an internal lithium battery There is a risk of fire and burns if battery is not handled properly Do not attempt to recharge the battery Do not expose the battery to temperatures higher than 60 C Do not disassemble crush puncture short external contact or dispose of battery in fire or...

Page 51: ...he use of certain substances that are commonly found in electronic products today Restricted substances include heavy metals like lead and polybrominated materials The RoHS Directive with some exemptions applies to all electrical and electronic equipment In accordance with Article 11 2 of Directive 2002 96 EC WEEE products put on the market after 13 August 2005 are marked with the following symbol...

Page 52: ...to encrypt digital communication Certificate revocation list A list of certificates that are no longer valid for encryption Comet Comet provides a web user interface web UI for convenient access to administration functions like setup network configuration and server task management CRL Acronym for certificate revocation list D DA Acronym for DirectAccess Device Registration Service A feature of AD...

Page 53: ... where switching from failed to redundant components occurs usually automatically Federation Federation refers to the mechanism that creates trust relationships for identity management These trust relationships then allow single sign on for multiple independent systems H HA Acronym for high availability High availability A system implementation that minimizes downtime meaning unavailability to use...

Page 54: ...tication protocol RFC 2865 The HOTPin system uses the Microsoft application Network Policy Server NPS to implement RADIUS RADIUS client A RADIUS client is a network access server NAS that facilitates authentication requests between access clients and the HOTPin system when RADIUS is used as the authentication protocol Read only access Read only access provides configuration to designate access wit...

Page 55: ...on in a federated system Single sign on Allows login to multiple system using one set of credentials In ADFS once users log in with their organization AD credentials they can access federated resources without being prompted further for authentication SSO Acronym for single sign on U UAG trunk A repository of published applications for user access this term only applies to Celestix WSA environment...

Page 56: ...Database A version of SQL Server Express that is automatically included with Windows Server It is the default data store option for ADFS Workplace Join The function that allows users to register devices with the domain through DRS devices can then access application resources based on trust ...

Page 57: ...estore system image 42 C CelestixEdge configuration 22 setup wizard 23 certificate WAP Requirement Checklist 38 Work Folders Requirement Checklist 40 configuration CelestixEdge 22 federation 22 connect to network network adapter 17 conventions document usage 4 D Deployment Assumptions for Remote Access 30 Deployment Assumptions for WAP 38 Deployment Assumptions for Work Folders 39 DirectAccess set...

Page 58: ... rack the appliance 16 RD Gateway install feature 28 read only access 48 Remote Access Deployment Assumptions 30 Requirement Checklist 31 Remote Access VPN install feature 27 Remote Desktop Web Access install feature 29 Requirement Checklist for Remote Access 31 Requirement Checklist for WAP 38 Requirement Checklist for Work Folders 40 resources overview 13 S SecureAccess 48 setup Remote Access wi...

Page 59: ...date software 45 V version information 15 VPN setup 32 W WAP Deployment Assumptions 38 install feature 28 Requirement Checklist 38 setup 38 web UI 15 navigation 47 web UI login 20 Work Folders Deployment Assumptions 39 install feature 29 Requirement Checklist 40 Work Folders setup 41 ...

Page 60: ...t password is case sensitive with brackets included Important The default should be changed as it is public knowledge Workgroup or domain name Used in Configuration Use the Setup Wizard Wizard Instructions Hostname and Domain Required for appliance setup Record the name of the Workgroup or Domain that will be joined during setup LAN information LAN1 Private or internal network interface IP address...

Page 61: ...US Client IP Address Shared secret Network policy criteria Authentication protocol options May be needed in post configuration for NPS or Remote Desktop Gateway Setting up RADIUS authentication requires designating the NPS clients that will forward access requests the criteria that will service as the policy to grant access and the protocols that will be used for authentication DirectAcces VPN DA ...

Page 62: ...Rules need to be created in the edge firewall to allow application communication While each application type is different the list of application requirements covers common information for publishing a variety of applications Syslog SIEM FQDN IP Port Certificate The Logging feature sometimes referred to as syslog is a security information and event management solution SIEM feature Server informati...

Page 63: ...address Hostname Firewall rules Used in Configuration Install Features Feature Details Remote Desktop Web Access Required Configuration After Installation Work Folders Sync share name SSL certificate AD security group for user accounts Sync share DNS entry recommended Used in Configuration Configure Work Folders Use the Setup Wizard Wizard Instructions RADIUS server IP address Hostname May be need...

Page 64: ...name May be needed in Configuration Use the Setup Wizard Wizard Instructions Alerts Email Optional configuration SMTP is required for Alert Email Workplace Join AD DS FQDN AD DS service account ADFS IP address ADFS FQDN DRS DNS entry This information would be used to extend functionality needed to set up BYOD access Application server IP address Hostname May be needed in post configuration for Web...

Page 65: ...ay address WAN information LAN2 Public or external network interface IP address Subnet mask Default gateway Primary secondary DNS server s Static routes Network address Gateway address DMZ LAN 2 information Additional network interfaces Include the IP address subnet mask for each adapter to be used Active Directory Domain Services AD DS IP address Hostname User account password ADFS AD DS FQDN Adm...

Page 66: ...ing DHCP RADIUS server information if not using Windows authentication PKI if applicable IP address Web Application Proxy ADFS FQDN SSL certificate SSO Portal Firewall rules for HTTPS and SSH communication Application requirements URL Certificate Hostname Port File format Syslog SIEM FQDN IP Port Certificate Remote Desktop Gateway RD Gateway join domain IP address Hostname External FQDN AD DS IP a...

Page 67: ...Default gateway DNS RD Session Host domain joined IP address Hostname RD Connection Broker domain joined IP address Hostname Remote Desktop Virtualization Host server optional IP address Hostname Firewall rules Work Folders Sync share name SSL certificate AD security group for user accounts Sync share DNS entry recommended RADIUS server IP address Hostname RADIUS clients IP address Hostname DNS AD...

Page 68: ...ide Property Detail Your Information SMTP server IP address SMTP gateway name Workplace Join AD DS FQDN AD DS service account ADFS IP address ADFS FQDN DRS DNS entry Application server IP address Hostname Bold items are required ...