Introduction
Welcome to the installation and setup guide for Endian Switchboard. This document will walk you through the steps to install the software on Amazon AWS and configure it for initial use. By following these instructions, you will ensure a smooth installation process and proper configuration to meet your specific needs. Let's get started!
Prerequisites
Amazon AWS
1. You need to have an Amazon AWS account
2. You need to share with Endian where your instance is located (the AWS region)
3. You need to send Endian your AWS Account ID so that Endian can share the EndianOS image with you
4. You need to set up a public IP address (find more at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html) and choose the FQDN; usually the following convention is used: "connect.<yourdomain>.com"
   - Under the EC2 service, in the "Network & Security" tab, select "Elastic IPs"
   - Allocate a new IP address (it has a cost)
5. You need to generate an SSL certificate containing both the domain defined above as the CN ("connect.<yourdomain>.com") and the wildcard domain as the SAN ("*.connect.<yourdomain>.com")
   - The only way to configure the wildcard domain is to put the * symbol at the beginning of the name, and only once
   - The wildcard domain should not be "*.<yourdomain>.com", because that is both a security risk and not accepted by all browsers
6. You need to insert in your DNS an entry for the FQDN and one for the wildcard domain. Here is an example:
   connect.yourdomain.com IN A XX.XX.XX.XX
   *.connect.yourdomain.com IN CNAME connect.yourdomain.com
7. You will need to prove that you own the domain by responding to a DNS challenge and adding the corresponding entry in the DNS.
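Before opening a ticket with Endian it is worth checking prerequisites 4 to 7 from the command line. The following script is an added example, not part of this guide or of the Switchboard: the pure functions validate the naming rules above (one leading "*", wildcard exactly one level under the FQDN, no top-level wildcard) and check that a certificate, as returned by Python's ssl.getpeercert(), names both the FQDN and its wildcard; live_check() resolves the FQDN and a constructed child name against the Elastic IP and inspects the certificate actually served on port 443 (the probe name and the 10-second timeout are assumptions).

```python
import socket
import ssl


def wildcard_ok(wildcard: str, fqdn: str) -> bool:
    """Wildcard must be exactly '*.' + fqdn: a single '*' at the start,
    nothing else, and not directly under the registrable domain."""
    if wildcard.count("*") != 1 or not wildcard.startswith("*."):
        return False
    if wildcard[2:] != fqdn:
        return False
    # '*.yourdomain.com' is rejected: the FQDN must have at least three labels
    return fqdn.count(".") >= 2


def cert_names(cert: dict) -> set:
    """Collect the CN and the DNS SANs from an ssl.getpeercert()-style dict."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def cert_covers(cert: dict, fqdn: str) -> bool:
    """The certificate must name both the FQDN and the wildcard '*.' + fqdn."""
    names = cert_names(cert)
    return fqdn.lower() in names and "*." + fqdn.lower() in names


def resolve(name: str) -> set:
    """All IPv4/IPv6 addresses the resolver returns for name."""
    return {ai[4][0] for ai in socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)}


def live_check(fqdn: str, elastic_ip: str) -> dict:
    """Network check (assumed usage): FQDN and a wildcard child both resolve to
    the Elastic IP, and the certificate served on 443 covers both names."""
    probe = "preflight-probe." + fqdn  # constructed child name under the wildcard
    results = {"fqdn_dns": resolve(fqdn) == {elastic_ip},
               "wildcard_dns": resolve(probe) == {elastic_ip}}
    ctx = ssl.create_default_context()
    with socket.create_connection((fqdn, 443), timeout=10) as sock, \
            ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
        results["cert"] = cert_covers(tls.getpeercert(), fqdn)
    return results
```

Run live_check("connect.yourdomain.com", "<your Elastic IP>") once the DNS records and certificate are in place; a False entry points at the prerequisite that still needs work.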
Setup the AWS Environment
This tutorial is not meant to cover all the Amazon AWS possible configurations, for further details you can refer to the dedicated web page at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html.
Instance creation
- Log in with your Amazon AWS account and open the EC2 service at https://console.aws.amazon.com/ec2/
- Click on "Launch instance"
- Insert a name for the instance
- Choose the image to assign to the instance by selecting "My AMIs", "Shared with me" (see prerequisite 3)
- Select the instance type based on your needs
- Use/create a key pair (it is a required step for the instance creation, but at the moment it has no impact on the Switchboard) or select "Proceed without a key pair"
- Under the "Network settings" section, you need to set a VPC (for the VPC creation, please refer to https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html)
  Note: since the Switchboard will be accessible from the internet, please ensure that the VPC has public subnets (at least two, for the GREEN and RED zones)
- Set the public subnet under the selected VPC
- Create a security group and define the inbound security rules. Here you can find the minimal setup:
  - Rule to access via SSH (Type: SSH, Source type: )
  - Rule to access the Admin portal of the Switchboard via port 10443 (Type: Custom TCP, Port range: 10443, Source type: )
  - Rule to access the User portal of the Switchboard via HTTPS (Type: HTTPS, Source type: Anywhere)
  - Rule for the OpenVPN access (Type: Custom UDP, Port range: 1194, Source type: Anywhere)
- Click on "Launch instance"
- Under the EC2 service, in the "Network & Security" tab, select "Elastic IPs"
- Right-click on the IP address allocated in the prerequisites and click on "Associate Elastic IP address"
- Choose the instance previously created
- Click "Associate".
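The same minimal security group can be created with the AWS SDK instead of the console. This is an added example, not part of this guide or of the Switchboard: minimal_inbound_rules() builds the four rules listed above, check_no_open_admin() refuses a group that exposes SSH or the admin portal to the whole internet, and apply_security_group() creates the group with boto3 (assumed installed and configured with credentials). The admin_cidr parameter is an assumption for the source of the SSH and admin-portal rules, since the guide leaves that value to you.

```python
try:
    import boto3  # only needed by apply_security_group()
except ImportError:  # the rule builder and the check work without it
    boto3 = None


def minimal_inbound_rules(admin_cidr: str) -> list:
    """IpPermissions for the four rules above. admin_cidr (assumed, e.g. your
    office egress address as a /32) restricts SSH and the admin portal; the
    user portal and OpenVPN are reachable from anywhere, as the guide requires."""
    def rule(proto, port, cidr, desc):
        return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
                "IpRanges": [{"CidrIp": cidr, "Description": desc}]}
    return [
        rule("tcp", 22, admin_cidr, "SSH (management only)"),
        rule("tcp", 10443, admin_cidr, "Switchboard admin portal"),
        rule("tcp", 443, "0.0.0.0/0", "Switchboard user portal (HTTPS)"),
        rule("udp", 1194, "0.0.0.0/0", "OpenVPN"),
    ]


def check_no_open_admin(rules: list) -> bool:
    """False if SSH (22) or the admin portal (10443) is open to 0.0.0.0/0."""
    for r in rules:
        if r["FromPort"] in (22, 10443):
            if any(ip["CidrIp"] == "0.0.0.0/0" for ip in r["IpRanges"]):
                return False
    return True


def apply_security_group(vpc_id: str, admin_cidr: str, name: str = "switchboard-sg") -> str:
    """Create the group in vpc_id and authorize the rules; returns the GroupId."""
    rules = minimal_inbound_rules(admin_cidr)
    if not check_no_open_admin(rules):
        raise ValueError("admin_cidr must not be 0.0.0.0/0")
    ec2 = boto3.client("ec2")
    sg = ec2.create_security_group(GroupName=name,
                                   Description="Endian Switchboard minimal inbound rules",
                                   VpcId=vpc_id)
    ec2.authorize_security_group_ingress(GroupId=sg["GroupId"], IpPermissions=rules)
    return sg["GroupId"]
```

Select the resulting group when launching the instance; the outbound rules keep the AWS default.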
Setup the Endian Switchboard
After setting up the cloud environment, you can access the Admin portal of the Switchboard from the browser at: https://<the public IP you selected>:10443.
- Log in using the initial credentials
  - Username: admin
  - Password: endian
  Note: Please ensure you change these credentials after completing the setup
- Under "System", "Endian Network", "Subscriptions", you need to register the appliance by entering your Endian Network account (or creating a new one) and the activation code you received
- Under "System", "Updates", you can install the latest updates, if any, by clicking on "Install updates"
General settings
- Under "Switchboard", "Settings", "General settings" you need to insert the Fully Qualified Domain Name (FQDN) mentioned in prerequisite 4
- In order to be able to select the HTTPS certificate mentioned in the prerequisites, you need to upload the certificate from the menu "VPN", "Certificates", "Certificates": click on "Add new certificate" and then "Upload a certificate"
  - The certificate must be packaged in PKCS12 format and protected with a password
  - Select the PKCS12 file, enter the related password and then click on "Add"
- Select the imported certificate
- You can enable Exclusive access in order to avoid concurrent connections at the endpoint level or at the gateway level
- You can allow sending emails for generating and resetting passwords only if you also configure the SMTP settings under the "Proxy" menu
- You can also enable the remote API by adding the corresponding API key
- Click on "Save"
  Note: Be aware that after saving the configuration the web server will restart, and you might need to reload the page
- Now you can configure the VPN server under "Switchboard", "Settings", "Network"
  - The OpenVPN server is running out of the box, but you can select your own certificate and add it under "VPN", "OpenVPN server", "Server configuration"
  - Under "VPN", "OpenVPN server", "Server instances" you can add other instances, for example in case the default one listening on port 1194 is not compliant with your internal rules
  - If you cannot open UDP port 1194 but you can open another port, you can configure a DNAT port forwarding (from the "Firewall" menu)
  - If in some cases only TCP port 443 is allowed, you will have to add a new OpenVPN instance running on port 443, bound to a different private IP address (the one that corresponds to the external IP address seen in the AWS configuration), since that port is already used by the Switchboard Portal
  Note: In this case you will need to create a new uplink under "Network", "Uplinks" and, if needed, attach a new network interface to the AWS instance (please see: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/create-network-interface.html)
- You can select the IP address to which the Switchboard should bind
  - This is important if you have multiple public IP addresses
Network settings
- Under "Switchboard", "Settings", "Network" you can select a different IP address on which to bind the Switchboard (if you leave it blank, the active uplink will be used)
- You need to select the UDP OpenVPN instance as "OpenVPN instance"
- As "OpenVPN server public IP/FQDN and port" you need to choose the public IP/FQDN address previously set
- You can also enable a fallback OpenVPN instance by clicking on "Enable fallback OpenVPN instance" and filling in the details of the fallback instance
- You can check "Enable automated virtual subnet assignment" to assign virtual IP addresses inside the network and let two machines with the same set of IP addresses communicate with each other
  - You can also define the virtual IP pool manually
Portal
- Under "Switchboard", "Settings", "Portal" you should enable the Switchboard portal by checking the corresponding box
Outgoing mail settings
- Under "Switchboard", "Settings", "Outgoing mail settings" you can uncheck the box and configure the outgoing mail settings (using a smart host if needed), or otherwise configure the settings globally under "System", "Settings", "Outgoing mail server" or under "Proxy", "SMTP"
- For more details please also refer to the Amazon SES service at https://docs.aws.amazon.com/ses/