Introduction
Welcome to the installation and setup guide for Endian Switchboard. This document walks you through the steps to install the software on Microsoft Azure and configure it for initial use. The instructions in this guide use command-line commands, but the same steps can also be performed from the Azure web interface. By following these instructions, you will ensure a smooth installation process and a configuration that meets your specific needs. Let's get started!
Prerequisites
Microsoft Azure
- You need to have a Microsoft Azure account
- You need to ask Endian to share the EndianOS Azure image and the password of the default administrator (admin)
Set up the Azure Environment
This tutorial does not cover every possible Microsoft Azure configuration; for further details, refer to the dedicated web page at https://azure.microsoft.com/en-us/get-started.
- Login with your Microsoft Azure account
- Create a resource group (find more at: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal)
For example:
az group create --name endian6 --location germanywestcentral
- Create a storage account (find more at: https://learn.microsoft.com/en-us/azure/storage/common/storage-account-overview)
For example:
az storage account create \
--name endian6 \
--resource-group endian6 \
--location germanywestcentral \
--sku Standard_LRS \
--kind StorageV2 \
--allow-blob-public-access true
az storage container create \
--name yourname \
--account-name endian6 \
--public-access blob
- Download the image shared by Endian and upload it to an Azure blob
For example:
az storage blob upload --account-name endian6 --container-name yourname --type page --file imagename.vhd --name imagename.vhd
- Create a virtual network
For example:
az network vnet create --resource-group endian6 --name netEndian --address-prefix 10.5.0.0/16 --subnet-name Green --subnet-prefix 10.5.100.0/24
az network vnet subnet create --resource-group endian6 --vnet-name netEndian --name Red --address-prefix 10.5.101.0/24
- Create a network security group
For example:
az network nsg create --resource-group endian6 --name nsgEndian
az network nsg rule create --resource-group endian6 --nsg-name nsgEndian --name endian_firewall --priority 101 --destination-port-ranges 22 80 443 1194 5222 10443
- Create a network interface
For example:
az network nic create --resource-group endian6 --name nicGreen --vnet-name netEndian --subnet Green --network-security-group nsgEndian
az network nic create --resource-group endian6 --name nicRed --vnet-name netEndian --subnet Red --network-security-group nsgEndian
- Create the virtual machine
For example:
az vm create --resource-group endian6 --name yourname --use-unmanaged-disk --os-type linux --attach-os-disk "https://link.to.the.image/imagename.vhd" --priority Spot --max-price -1 --eviction-policy Deallocate --nics nicRed nicGreen
- Set up a public IP address (find more at: https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/create-public-ip-portal?tabs=option-1-create-public-ip-standard) and choose the FQDN; the following convention is usually used:
"connect.<yourdomain>.com"
Here is the command to add the public IP, for example:
az network public-ip create --resource-group endian6 --name ipEndian --allocation-method Static
az network nic ip-config update --resource-group endian6 --nic-name nicGreen --name ipconfig1 --private-ip-address 10.5.100.100
az network nic ip-config update --resource-group endian6 --nic-name nicRed --name ipconfig1 --private-ip-address 10.5.101.100
az network nic ip-config update --resource-group endian6 --nic-name nicRed --name ipconfig1 --public-ip ipEndian
- You need to generate an SSL certificate containing both the domain defined before as the CN ("connect.<yourdomain>.com") and the wildcard domain as a SAN ("*.connect.<yourdomain>.com")
- The only way to configure the wildcard domain is by putting the * symbol at the beginning of the domain, and only once
- The wildcard domain should not be "*.<yourdomain>.com", because that is both a security risk and not all browsers will accept it
- You need to insert in your DNS an entry for the FQDN and one for the wildcard domain. Here is an example:
connect.yourdomain.com IN A XX.XX.XX.XX
*.connect.yourdomain.com IN CNAME connect.yourdomain.com
- You will need to prove that you own the domain by responding to a DNS challenge and adding the corresponding entry in the DNS.
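As an added helper (not part of the Endian guide), the POSIX shell functions below apply the naming rules above to a portal FQDN and its wildcard, then emit the matching DNS records and an OpenSSL request config that carries both names as SANs; the domain names and IP address are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Endian guide: validate the FQDN/wildcard
# convention and produce the DNS and CSR inputs it needs (placeholders only).

# check_wildcard FQDN WILDCARD -> exit status 0 if WILDCARD follows the rules:
#   a single '*', placed at the very beginning, and exactly "*.<FQDN>"
#   (one level below the portal name, never "*.<yourdomain>.com").
check_wildcard() {
  fqdn=$1
  wild=$2
  case "$wild" in
    '*.'*) ;;                        # must begin with "*."
    *) return 1 ;;
  esac
  rest=${wild#\*.}
  case "$rest" in
    *'*'*) return 1 ;;               # no second '*' anywhere
  esac
  [ "$rest" = "$fqdn" ] || return 1  # wildcard must sit directly under the FQDN
  case "$fqdn" in
    *.*.*) return 0 ;;               # FQDN has a host label under the domain
    *) return 1 ;;                   # "*.<yourdomain>.com" shape: rejected
  esac
}

# dns_records FQDN IP -> the A + CNAME pair in the guide's zone-file notation
dns_records() {
  printf '%s IN A %s\n' "$1" "$2"
  printf '*.%s IN CNAME %s\n' "$1" "$1"
}

# csr_config FQDN -> openssl req config with CN = FQDN and SAN = FQDN + wildcard
# (use with: openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out req.csr -config this.cnf)
csr_config() {
  cat <<EOF
[req]
distinguished_name = dn
req_extensions = san
prompt = no
[dn]
CN = $1
[san]
subjectAltName = DNS:$1, DNS:*.$1
EOF
}

# Demo with constructed values
check_wildcard connect.example.com '*.connect.example.com' && dns_records connect.example.com 203.0.113.10
```

The resulting CSR, once signed, can be bundled with its private key into the password-protected PKCS12 file the Switchboard certificate upload expects.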
Set up the Endian Switchboard
After setting up the cloud environment, you can access the Admin portal of the Switchboard from the browser at: https://<the public IP you setup>:10443.
- Login using the initial credentials
- Username: admin
- Password: the password shared by Endian
- Note: make sure to change these credentials after completing the setup
- Under "System", "Endian Network", "Subscriptions", you need to register the appliance by entering your Endian Network account (or creating a new one) and the activation code received
- Under "System", "Updates", you can optionally install the latest updates by clicking on "Install updates"
General settings
- Under "Switchboard", "Settings", "General settings" you need to insert the Fully Qualified Domain Name (FQDN) defined above
- In order to be able to select the HTTPS certificate mentioned in the prerequisites, you need to upload the certificate from the menu "VPN", "Certificates", "Certificates": click on "Add new certificate" and then "Upload a certificate"
- The certificate must be encapsulated in PKCS12 format and protected with a password
- Select the PKCS12 file, enter the related password and then click on "Add"
- Select the imported certificate
- You can choose to use Exclusive access in order to avoid concurrent connections at endpoint level or at gateway level
- You can allow sending emails for generating and resetting passwords only if you also configure the SMTP settings under the "Proxy" menu
- You can also enable the remote API by adding the corresponding API key
- Click on "Save"
Note: after saving the configuration, the web server restarts and you may need to reload the page
- Now you can configure the VPN server under "Switchboard", "Settings", "Network"
- The OpenVPN server is running out of the box, but you can select your own certificate and add it under "VPN", "OpenVPN server", "Server configuration"
- Under "VPN", "OpenVPN server", "Server instances" you can add other instances, for example in case the default one listening on port 1194 is not compliant with your internal rules
- If you cannot open UDP port 1194 but you can open another port, you can configure a DNAT port forwarding (from the "Firewall" menu)
- If only TCP port 443 is allowed, you will have to add a new OpenVPN instance that runs on port 443 but is bound to a different private IP address (the external IP address seen in the AWS configuration), since that port is already used by the Switchboard Portal
- You can select the IP address to which the Switchboard should bind
- This is important if you have multiple public IP addresses
Network settings
- Under "Switchboard", "Settings", "Network" you can select a different IP address on which to bind the Switchboard (if you leave it blank, the active uplink will be used)
- You need to select the UDP OpenVPN instance as "OpenVPN instance"
- As "OpenVPN server public IP/FQDN and port" you need to choose the public IP/FQDN address previously set
- You can also enable a fallback OpenVPN instance by clicking on "Enable fallback OpenVPN instance" and filling in the details of the fallback instance
- You can check "Enable automated virtual subnet assignment" to assign virtual IP addresses inside the network and let two machines with the same set of IP addresses communicate with each other
- You can also define the virtual IP pool manually
Portal
- Under "Switchboard", "Settings", "Portal" you should enable the Switchboard portal by checking the corresponding box
Outgoing mail settings
- Under "Switchboard", "Settings", "Outgoing mail settings" you can uncheck the box and configure the outgoing mail settings (using a smart host if needed) or otherwise globally configure the settings under "System", "Settings", "Outgoing mail server" or under "Proxy", "SMTP"