Applies to platform: Switchboard 5.0
Last updated: 22nd May 2018
This howto will guide you in the installation of the Switchboard on Premises. While the procedure is long and there are many steps to complete, they are easy and should require little efforts to be completed.
The scenario described here will allow users to access the Switchboard and the Connect Web Portal.
Before starting the configuration of the Switchboard on Premises, make sure to satisfy all the requirements:
- The Appliance needs to be registered to Endian Network and have valid switchboard channels.You can verify this requirement from the CLI of your switchboard, by checking if in the output of the following command:
root@endian:~ # en-client -i
appears the [switchboard] block, like the following:
[switchboard] code = switchboard name = VPN Switchboard description = VPN Switchboard product = Endian UTM Virtual Appliance 5.0 subscribed = 2017-05-03 09:25:19 expiration = 2020-05-02 09:25:19Make sure that the expiration date is in the future.
- The appliance must have two public IP addresses configured on the uplink. If the appliance has a private IP as uplink, then configure two public IPs with DNAT on the router.
NoteIf you have only one public IP you cannot add an OpenVPN instance on port 443 TCP, but you will still be able to use the Switchboard over the VPN Connection. Also the requirements 3. , 4. and 5. below are not needed anymore.If the Switchboard has only private IPs, add suitable DNAT rules on the router in front of it to allow traffic to the Switchboard's port 1194 UDP and 443 TCP.
- You have configured public DNS records for both IP addresses. One of them (say, vpn.example.com pointing to IP-1) will be used for the OpenVPN connections, while the other one (say, connect.example.com pointing to IP-2) will be used for the Connect Web portal.
- If you plan to use the Connect Web Portal, add a record in the DNS configuration, that points *.connect.example.com (every subdomain of connect.example.com) to IP-2.
- You have a public signed SSL certificate for *.connect.example.com, (wildcard certificate for the domain), which is needed to use the Connect Web Portal.
- If you use only devices equipped with OpenVPN version 2.3 or higher, always use TUN devices for the OpenVPN server setup. Indeed, older versions of OpenVPN do not support IP mapping and therefore you can not use Virtual IPs (see section Provisioning for details).
Enable the VPN Firewal
Under the Firewall menu, go to the VPN firewall (Firewall > VPN traffic) and make sure that the switch on the left of the Enable VPN firewall label is green: This shows that the firewall is activated. If the switch is gray, click on it to activate it. After a few seconds, the switch’s color will turn green and the list of the VPN firewall rules will appear, if some rule has already been defined.
Add Two OpenVPN Server Instances
The OpenVPN protocol is used for the communication between the Switchboard and the clients, hence the OpenVPN server must be appropriately configured. The scenario encompasses two instances, both of which have a routed subnet and use a TUN device, which is also the suggested device. TAP devices should be used only in the case it is mandatory to use the real IP addresses of gateways and endpoints.
To configure the OpenVPN instances, called ONE and TWO for simplicity, go to VPN > OpenVPN Server and click on Add new OpenVPN server instance.
- The ONE instance will be used to directly access the Switchboard and must be configured as follow:
- Port: 1194.
- Device Type: TUN.
- Protocol: UDP.
- VPN Subnet: an internal subnet, not used elsewhere in the configuration (here 172.30.0.0/24)
- Client to client connection: Filter connections in the VPN Firewall.
- Push these networks: tick the checkbox and write in the textbox below another subnet not used elsewhere (here 172.20.0.0/24). This subnet will be used in instance TWO as VPN Subnet.
- The TWO instance will be used to access the Connect Web Portal and must be configured as follows:
- Protocol: TCP.
- Port: 443.
- VPN Subnet: The internal subnet used in instance ONE for the Push these networks option, hence: 172.20.0.0/24).
- Client to client connection: Filter connections in the VPN Firewall.
- Push these networks: Tick the checkbox and write in the textbox below the VPN subnet used in instance ONE, hence: 172.30.0.0/24).
Save both instances, then restart the OpenVPN service.
Configure the Switchboard Module
The first important decision to take is to define the Exclusive Access, which is a security policy implemented to avoid concurrent access to a component of the infrastructure (gateways or endpoints) managed by the switchboard. You can find more precise details on the exclusive access and on the Switchboard architecture here.
To configure the Switchboard module, go to Switchboard > Settings > Network, then provide the following information:
- Switchboard bind IP address: Write the public IP IP-1 here (we use 220.127.116.11) ( Or if RED has private IP set it here )
- OpenVPN instance: select ONE here.
- OpenVPN server public IP/FQDN and port: write the FQDN and port of the VPN instance: vpn.example.com:1194. Note that this is the DNS entry corresponding to IP-1.
- Enable fallback OpenVPN instance: tick the option and select TWO as the Fallback OpenVPN instance.
- Fallback OpenVPN server public IP/FQDN and port: vpn.example.com:443 (this is the public FQDN for vpn)
- Enable automated virtual subnet assignment: Enabled
- Global virtual IP pool: Choose an IP pool that will be used to assign a virtual IP address to the devices used within the Switchboard; by default the special netblock 100.64.0.0/10 is used. Virtual IPs are used to simplify remote access to the devices, which will appear on the same subnet, thus making special routing rules unnecessary.
You can also write a Message of the day, that will be shown in the Switchboard's Dashboard and to the connected client, for example to inform users about scheduled activities. Once done, click on Save.
Configure the Switchboard Portal
The Switchboard portal allows users to connect to the switchboard using HTTPS, without a client. While it can be disabled, it is nonetheless useful, hence it is suggested to configure it. The following options are required:
- Portal fully qualified domain name. Tick the Enable portal checkbox and write here the domain name to be used to access the portal, here connect.example.com.
NoteThe FQDN you write here must be reachable from Internet.
- Portal HTTPS certificate: Select the SSL certificate to be used by the connection.
NoteIf you use a certificate that has been generated on the Endian Appliance, client browsers would show an error message upon connection (SEC_ERROR_UNKNOWN_ISSUER). To avoid these messages, you need to import on the Switchboard a third party, signed certificate. This is explained in section Import a third-party signed certificate.
Click on Save to save the configuration.
Configure the Provisioning
The provisioning allows to easily register gateways to the switchboard and make them quickly available. It is best used with Endian gateways, but can be used for other vendor's devices as well.
If you use Endian gateways, enable the Enable gateways provisioning option. In this way you can use the Plug & Connect/Autoregistration procedure to register and configure an Endian gateway in three steps from the Switchboard > Devices menu.
In the screenshot below you can see that there are a number of default Endian appliances that can access the Plug & Connect procedure. You can also select the default model to be registered when a new gateway is added to the switchboard.
Moreover, since you can connect also non-Endian gateways to the switchboard, it is strongly suggested to add 2 new models by clicking on the Add row button right above the list of models.
- A Generic-new model, that will be used for gateways equipped with a version of OpenVPN at least 2.3 included. Make sure that in the OpenVPN >= 2.3 column the value is yes.
- A Generic-old model, that will be used for gateways equipped with versions of OpenVPN older than 2.3 included. Click on the yes label in the OpenVPN >= 2.3 column and select no.
The reason for this choice is that OpenVPN versions up to 2.2 does not support virtual IP mapping, and therefore gateways using these older versions must be accessed using their real IP.
If you use non-endian gateways with OpenVPN greater than 2.3, that support OpenVPN mapping, you can access them using the Connect Web Portal, but you can not provision them: They must be registered manually.
Configure the Users
Users are the persons who will connect to the Switchboard, by using either the Endian ConnectAPP or the Endian Connect WEB). They are basically VPN users, that you can arrange in groups for an easier management: For example, you can grant permissions and access to devices to a whole group instead of to every single user. A simple scenario with groups is to arrange users in two groups:
- Administrators, who can manage devices, users, and permissions.
- Technicians, who can access devices for maintenance or every day use.
To create users and groups of users, go to Switchboard > Users, and follow these steps:
- In the Groups tab click on Add group to define a new group. Provide the group name (Administrators and Technicians in our scenario), which must be unique, and a description. You will be able to add users to the group once you have created them.
- In the User tab you can create new users, by filling in at least the username (which is the user's email address, that must be a valid one) and a password. You can optionally provide Additional user information and Permissions to the user.
- In the Groups tab, put the user in the appropriate group(s).
- In the Provisioning tab, supply the username and password of the Endian Network's user account.
- Edit the group on the Switchboard > Users > Groups and on "members" tab add the user to the group.
Configure the Devices
In the Switchboard > Devices page, devices can be managed, configured, and removed. With devices we intend at the moment only Gateways: devices like for example Endian Edge or Mercury appliances, or third-party devices, that will establish a VPN connection to the Switchboard using OpenVPN and act as gateways to allow remote endpoints, that are located behind them, to be accessed directly from the Endian Switchboard or using the Endian ConnectApp.
To define new gateways, go to Switchboard > Devices and do the following:
- In the Groups tab, define a new group name for gateways and add a description. In our example we set up a group called Lab01, that will encompass all gateways serving that lab. Click on Add to save the settings and create the new group.
- In the Devices tab, you can choose how to set up the new gateway in two different procedures:
- by clicking on the Plug & Connect (Autoregistration) link and applying the Plug & Connect procedure, which is explained in this article. This procedure is only valid for Endian devices and is the recommended one for them.
- Manually define a gateway, by clicking on the Add Gateway link. This procedure can be used on all devices.
Remote endpoints can be reached in different ways, for example using RDP, SSH, HTTP(S), VNC connections, depending on the particular task that it is executing. Each of this connections is called Application in Endian Switchboard. However, an endpoint can be reached with different modalities, for example, RDP and HTTPS: the first one to access the desktop and manage the database containing the actual data collected by the sensors installed on the endpoints -or managed by it; the latter to access daily, weekly, and monthly reports generated by the software running on the endpoint.
To allow an endpoint to be reached in different way, the Endian Switchboard provides the ability to group several applications in Application profiles, which represent all the possibilities for a user to access the endpoint. There are several default Applications and application profile, but many other can be defined and managed under Switchboard > Applications.
Import a third-party signed certificate (OPTIONAL)
If you need to import a thirdy-party certificate to avoid SSL browsers error messages (i.e a valid certificate signed by a CA) you have to import it from VPN > Certificates > Certificates > Add new certificate > Action > Upload a certificate. The certificate must be in pkcs12 format, which is sometimes referred to as PFX files. If you don’t have it, you may create it using the OpenSSL tool and then import it.
What you need:
- CA certificate (this usually is available on the CA website that have signed your server certificate), called here ca.pem.
- Server Certificate, here called server.crt.
- Server private key, here called server.key.
Once you have the above certs issue the following command on a Linux box. Replace the filenames with your certificate names:
root@linux:~ # openssl pkcs12 -nodes -export -out portal.p12 -inkey server.key -in server.crt -certfile ca.pem
Once done, import on the Endian Appliance the portal.p12 file.