Applies to Platform: Switchboard 5.0
Last update: 04 June 2014
Applies to Platform: Switchboard 6.0
Last update: 09 Dec 2024
This article will guide you through the main configuration of the Endian Switchboard. While the procedure is long and there are many steps to complete, they are easy and should require little effort.
The scenario described here will allow access to the Switchboard both via Connect App / Web Portal (as a user) and as a Gateway (as a remote machine/network).
Requirements
Before starting the configuration of the on-premises Switchboard, make sure that all the requirements are satisfied:
- The appliance needs to be registered to Endian Network.
- Minimum 1-2 public IP addresses depending on:
- If your gateways can connect over the Internet using UDP 1194 then you will need 1 public IP address.
- If your gateways CANNOT connect over the Internet using UDP 1194 and you wish to utilize the common port TCP 443 (HTTPS), then you will need 2 public IP addresses.
WARNING
If the appliance has private IPs on the uplink, configure two public IPs with port forwarding on the router in front of it to allow traffic to the Switchboard's ports UDP 1194 and TCP 443.
Note
The reason you need two public IP addresses is that the Switchboard's Connect Web portal runs on TCP 443 (HTTPS). If you have only one public IP, you cannot add an OpenVPN instance on port TCP 443 and use the Switchboard web portal at the same time, but you will still be able to use the Switchboard over the VPN connection. In that case requirements 3 and 4 below are slightly different: point your DNS records to the only available public IP.
- Minimum 1-2 public DNS A records. Configure a public DNS record for each public IP address. If using 2 public IPs, you could set up one record (say, vpn.example.com pointing to IP-1) to be used for the OpenVPN connections, while the other one (say, connect.example.com pointing to IP-2) is used for the Connect Web portal.
- A wildcard DNS A record or CNAME (if you plan to use the Connect Web Portal). For the wildcard, create an A record in the DNS configuration that points *.connect.example.com (every subdomain of connect.example.com) to IP-2. Alternatively, you can create a CNAME record that maps *.connect.example.com to the primary domain connect.example.com.
- A publicly signed SSL certificate in PKCS12 format (only). Using our previous examples, you would need a certificate for connect.example.com that includes *.connect.example.com under the SAN (Subject Alternative Name). A publicly signed certificate is needed so that users of the Connect Web Portal do not experience browser errors or confusion.
- If you use only devices equipped with OpenVPN version 2.3 or higher and you plan to use Virtual IPs (IP mapping), always use TUN devices for the OpenVPN server setup. Older versions of OpenVPN do not support IP mapping, so Virtual IPs cannot be used with them (see section Provisioning for details).
- The Switchboard appliance must be able to communicate with the IPs/ports listed in this article (see the most updated access matrix) and with registry.endian.com on port TCP 443.
Enable the VPN Firewall
Under the Firewall menu, go to the VPN firewall (Firewall > VPN traffic) and make sure that the switch on the left of the Enable VPN firewall label is green: this shows that the firewall is activated. If the switch is gray, click on it to activate it. After a few seconds the switch's color turns green and the list of VPN firewall rules appears, if any rules have already been defined.
Add Two OpenVPN Server Instances
The OpenVPN protocol is used for the communication between the Switchboard and the clients, hence the OpenVPN server must be appropriately configured. The scenario encompasses two instances, both of which have a routed subnet and use a TUN device, which is also the suggested device type. TAP devices should be used only when it is mandatory to use the real IP addresses of gateways and endpoints.
To configure the OpenVPN instances, called ONE and TWO for simplicity, go to VPN > OpenVPN Server and click on Add new OpenVPN server instance.
- The ONE instance will be used to directly access the Switchboard and must be configured as follows:
- Port: 1194.
- Device Type: TUN.
- Protocol: UDP.
- VPN Subnet: an internal subnet, not used elsewhere in the configuration (here 172.30.0.0/24).
- Client to client connection: Filter connections in the VPN Firewall.
- Push these networks: tick the checkbox and write in the textbox below another subnet not used elsewhere (here 172.20.0.0/24). This subnet will be used in instance TWO as VPN Subnet.
- The TWO instance will be used to access the Connect Web Portal and must be configured as follows:
- Protocol: TCP.
- Port: 443.
- VPN Subnet: the internal subnet used in instance ONE for the Push these networks option, hence 172.20.0.0/24.
- Client to client connection: Filter connections in the VPN Firewall.
- Push these networks: tick the checkbox and write in the textbox below the VPN subnet used in instance ONE, hence 172.30.0.0/24.
Save both instances, then restart the OpenVPN service.
Configure the Switchboard Module
The first important decision to take is to define the Exclusive Access, which is a security policy implemented to avoid concurrent access to a component of the infrastructure (gateways or endpoints) managed by the switchboard. You can find more precise details on the exclusive access and on the Switchboard architecture here.
To configure the Switchboard module, go to Switchboard > Settings > Network, then provide the following information:
- Switchboard bind IP address: write the public IP IP-1 here (we use 52.51.252.50); if the RED interface has a private IP, enter that private IP instead.
- OpenVPN instance: select ONE here.
- OpenVPN server public IP/FQDN and port: write the FQDN and port of the VPN instance: vpn.example.com:1194. Note that this is the DNS entry corresponding to IP-1.
- Enable fallback OpenVPN instance: tick the option and select TWO as the Fallback OpenVPN instance.
- Fallback OpenVPN server public IP/FQDN and port: vpn.example.com:443 (the same public FQDN used for the vpn record, on the TCP port).
- Enable automated virtual subnet assignment: Enabled
- Global virtual IP pool: Choose an IP pool that will be used to assign a virtual IP address to the devices used within the Switchboard; by default the special netblock 100.64.0.0/10 is used. Virtual IPs are used to simplify remote access to the devices, which will appear on the same subnet, thus making special routing rules unnecessary.
You can also write a Message of the day, that will be shown in the Switchboard's Dashboard and to the connected client, for example to inform users about scheduled activities. Once done, click on Save.
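The requirements (public IPs, DNS and certificate SAN) and the two OpenVPN instances above depend on each other: the two VPN subnets must not overlap each other or the virtual IP pool, each instance must push the other's subnet, a TCP 443 instance next to the HTTPS portal needs a second public IP, and the portal certificate must cover both connect.example.com and its subdomains. The following pre-flight check is an added example, not part of the Endian documentation or product; the second public IP (198.51.100.20) and the SAN list are constructed values, and the wildcard rule implemented is the standard one-label match.

```python
import ipaddress

# Planned Switchboard layout (values from the article; the second public IP is constructed).
ONE = {"name": "ONE", "proto": "UDP", "port": 1194,
       "subnet": "172.30.0.0/24", "push": "172.20.0.0/24"}
TWO = {"name": "TWO", "proto": "TCP", "port": 443,
       "subnet": "172.20.0.0/24", "push": "172.30.0.0/24"}
PUBLIC_IPS = ["52.51.252.50", "198.51.100.20"]   # IP-1 from the article, IP-2 constructed
VIRTUAL_POOL = "100.64.0.0/10"
SAN = ["connect.example.com", "*.connect.example.com"]  # constructed certificate SAN list

def check_plan(one, two, virtual_pool, public_ips, portal_enabled):
    """Return the list of problems in the planned layout; an empty list means it is consistent."""
    problems = []
    n1, n2 = ipaddress.ip_network(one["subnet"]), ipaddress.ip_network(two["subnet"])
    pool = ipaddress.ip_network(virtual_pool)
    # The two VPN subnets must not overlap each other or the global virtual IP pool.
    if n1.overlaps(n2):
        problems.append("ONE and TWO VPN subnets overlap")
    for inst, net in ((one, n1), (two, n2)):
        if net.overlaps(pool):
            problems.append(f"{inst['name']} subnet {net} overlaps the virtual IP pool {pool}")
    # Each instance pushes the other's subnet, so a client on either can reach both.
    for inst, other_net in ((one, n2), (two, n1)):
        if ipaddress.ip_network(inst["push"]) != other_net:
            problems.append(f"{inst['name']} must push {other_net}, but pushes {inst['push']}")
    # An OpenVPN instance on TCP 443 next to the HTTPS portal needs a second public IP.
    on_443 = any(i["proto"] == "TCP" and i["port"] == 443 for i in (one, two))
    if on_443 and portal_enabled and len(set(public_ips)) < 2:
        problems.append("TCP 443 OpenVPN instance plus the Connect portal needs two public IPs")
    return problems

def san_covers(san_entries, hostname):
    """True if a SAN dNSName covers hostname; a wildcard matches exactly one leading label."""
    host = hostname.lower().rstrip(".").split(".")
    for entry in san_entries:
        labels = entry.lower().rstrip(".").split(".")
        if labels == host:
            return True
        if labels[0] == "*" and len(labels) == len(host) and labels[1:] == host[1:]:
            return True
    return False

if __name__ == "__main__":
    print("plan problems:", check_plan(ONE, TWO, VIRTUAL_POOL, PUBLIC_IPS, True))
    print("one public IP:", check_plan(ONE, TWO, VIRTUAL_POOL, PUBLIC_IPS[:1], True))
    for h in ("connect.example.com", "alice.connect.example.com", "a.b.connect.example.com"):
        print(h, "covered" if san_covers(SAN, h) else "NOT covered")
```

Run it against your own subnets, IPs and the SAN list printed by `openssl pkcs12` before entering anything in the web interface; a non-empty problem list points at the setting to revisit.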
Configure the Switchboard Portal
The Switchboard portal allows users to connect to the switchboard using HTTPS, without a client. While it can be disabled, it is nonetheless useful, hence it is suggested to configure it. The following options are required:
- Portal fully qualified domain name. Tick the Enable portal checkbox and write here the domain name to be used to access the portal, here connect.example.com.
Note
The FQDN you write here must be reachable from the Internet.
Navigate to Switchboard > Settings > Portal
- Enable Portal. Tick the Enable portal checkbox and optionally set a welcome message to be displayed.
Navigate to Switchboard > Settings > General Settings
- Fully qualified domain name. Enter here the domain name to be used to access the portal, in our case connect.example.com.
Note
The FQDN you write here must be reachable from the Internet.
- HTTPS certificate: select the SSL certificate to be used by the connection.
Note
If you use a certificate that has been generated on the Endian appliance, client browsers will show an error message upon connection (SEC_ERROR_UNKNOWN_ISSUER). To avoid these messages, import a third-party signed certificate on the Switchboard. This is explained in the section Import a third-party signed certificate.
Click on Save to save the configuration.
Configure the Provisioning (If Using Plug & Connect)
Provisioning allows you to easily register gateways to the Switchboard and make them quickly available. It is best used with Endian gateways, but can be used for other vendors' devices as well.
If you use Endian gateways, you should enable the feature by navigating to:
Switchboard > Settings > Provisioning and tick the Enable gateways provisioning option. Additionally, if you wish to specify a global Endian Network account to use when registering the gateways as part of the provisioning process, you can enter the username and password. In this way you can use the Plug & Connect (Autoregistration) procedure to register and configure an Endian gateway in three easy steps.
Switchboard > Settings > Provisioning and tick the Enable gateways provisioning and Send provisioning to the registry options. Additionally, if you wish to specify a global Endian Network account to use when registering the gateways as part of the provisioning process, you can enter the username and password. In this way you can use the Plug & Connect (Autoregistration) procedure to register and configure an Endian gateway in three easy steps.