Celestix cloud edge User manual

Installation Guide
Cloud Edge Security Appliance

The information contained in this document represents the current view of Celestix Networks on the issues discussed as of the date of publication.
Because Celestix Networks must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Celestix Networks,
and Celestix Networks cannot guarantee the accuracy of any information presented after the date of publication.
These instructions are for informational purposes only. CELESTIX MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be
reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Celestix Networks.
Celestix Networks may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in any written license agreement from Celestix Networks, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
E Series Cloud Edge Security Appliance Installation Guide
Document Number: CES1002-120-001
Updated: April 1, 2015
Part Number: (CCD) 2001-30000001
Product version: E Series 2.0
Comet version: 2.0
© 2015 Celestix Networks, Inc. All rights reserved.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No
association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
HOTPin, Celestix and Celestix logo are either trademarks or registered trademarks of Celestix Networks, Inc.
Microsoft, Microsoft logo, Microsoft Windows Server, Microsoft Forefront, Threat Management Gateway, Unified Access Gateway, Active Directory,
Windows, Windows NT, Office 365, Azure, ActiveX, Internet Explorer, Windows Phone, and Zune are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents
Introduction
Guide Usage Notes
Verify Package Contents
Appliance Hardware Features
System Overview
The Next Step
Install the Appliance
Installation Notes
Rack the Appliance
Connect the Appliance to the Network
Front Panel Controls Overview
Power the Celestix Appliance
The Next Step
Configure the Appliance
General Information
Initial Access
Configure IP Address without DHCP
Access the Web User Interface
Quick Setup Wizard
The Next Step
Configure Features
Features Installation
Feature Details
RDP Application Usage
The Next Step
Configure Features: Remote Access Setup Wizard
General Information
Setup Wizard
The Next Step
Configure Features: Web Application Proxy Setup Wizard
General Information
Setup Wizard
The Next Step
Configure Features: Work Folders Setup Wizard
General Information
Initial Configuration
Setup Wizard
The Next Step
Create a System Image
LGV
Create a Backup
Update Software
Appendix
Glossary
Web User Interface Content Overview
Safety Precautions
Product Reclamation and Recycling
Index
Resource Worksheet

Page | 1 E Series Installation Guide
Introduction
Celestix Networks delivers an exceptional combination of perimeter security features, scalability, and
simplicity in cost-efficient appliances. Ready-to-deploy appliances offer easier management that
reduces the risk and cost of security solutions. The Celestix® line of appliances provides key security
framework components: firewall, branch-office connectivity, web cache/proxy, wireless
policies/authentication, remote access, two-factor authentication, patch management, and
anti-spam/anti-virus gateway deployments. Celestix appliances provide the best option for the emergent
need to manage IT security for every level of infrastructure complexity.
The Celestix® E Series Cloud Edge Security Appliance provides simplified configuration for diverse
remote access needs. The E Series delivers secure connectivity to an organization’s network and cloud
resources with Microsoft® Windows Server® 2012 R2 Remote Access. Supporting technologies
include access management, bring your own device (BYOD) facilitation, and anywhere access to work
files.
Through Remote Access, organizations can choose the connectivity options best suited to the
environment:
- Always-on remote connection for both end user access and client management.
- RADIUS and multifactor authentication.
- Encrypted access to internal resources without a VPN.
- Streaming access to hosted applications from any device.
- Synced work files can be accessed on supported devices and computers from wherever, even without
  network connectivity.
A well-planned BYOD blueprint can help users to work how and when they are most productive.
The foundation of your Celestix appliance is the award-winning Comet engine. Comet provides
convenient access to administration functions like setup, network configuration, and server task
management through a web user interface (web UI). For the E Series, it also provides simplified
installation and configuration for Remote Access and supporting technologies.
The Celestix E Series is a hardened and secure appliance platform that is optimized for secure Windows
deployment out of the box.
The 2.0 E Series offers the following functionality:
- Upgraded appliance hardening.
- New HTML5 responsive design web UI to support administration from mobile devices.
- One-click installation for Remote Access and supporting roles.
- Wizard-driven configuration for DirectAccess/VPN, Web Application Proxy, and Work Folders.
- DirectAccess real-time connection management, including reset, disable, and remove options.

Guide Usage Notes
This guide will help system administrators to efficiently install and configure a new appliance with a
base level setup. The instructions cover steps for some common deployment scenarios. They usually
offer one option to accomplish a task, though there may be other ways to achieve the same thing. The
guide does not provide extensive reference information. Online help in the web UI can usually provide
additional information.

Document Conventions
- Using a PDF viewer besides Adobe® Reader® may disable some of this document’s functionality
  and may change how the content displays.
- Instructions are generally intended for administrators to manage the server installation through
  Comet’s web user interface administration tool, referred to as the web UI.
- Instructions are presented in the best order to follow for appliance setup.
- The following text formats are used for clarification:
  - Web UI on-screen items are noted in bolded type for easy identification.
  - Features on the appliance front and rear panels are also noted in bolded type.
  - File names are delineated as: filename.xxx
  - Titles are delineated as: document name
  - Code is delineated as: code examples
- When referring to subsections in this document, the hierarchy is delineated by the symbol >.
  For example, the location of the section To find updates would be delineated as:
  Update Software > To find updates.
- Instructions assume the reader will navigate from the web UI main menu bar to access features.
  For example, to access Software Updates, the navigation path from the menu bar would be
  delineated as:
  System|Software Updates.
- Though network interface connections are commonly referred to as NICs, ports, and adapters,
  documentation uses the term network adapters.
- Documentation generally refers to the appliance when discussing the E Series Appliance.

Web User Interface
The web UI is a management tool to access the most common Celestix product features. Initially, use it
to quickly set up the server. Subsequently, use the web UI to access administrative features for both
Comet and Remote Access roles.
See the Appendix topic Web User Interface Content Overview for features included in the web UI. See
the online help topic Web User Interface Overview for more information about using the web UI
(Help|Web UI Overview).
Verify Package Contents
Use the following information to confirm the package contains the necessary appliance accessories.

Appliance Series Accessory List
Appliance Series 3400 6400 8400
Contents
CAT6 Ethernet Cable
Power Cable 2 2
RJ45 Connector Cable
Mounting Brackets & Hardware
Rack Mounting Slides & Hardware
- included
- not included
Table: Accessory List

Accessories Illustrations
The illustrations below will help to identify the items in the package. Only items appropriate for the
appliance series are included.

Illustration 1: Appliance Package Contents
If an item is missing from the package, contact Celestix Networks via email:
support@celestix.com
Appliance Hardware Features
Each of the feature lists below includes a legend to help identify components on the appliance.

Illustration 2: Appliance Illustrations with Delineated Features
System Overview
The E Series Appliance simplifies the process to set up and manage access to IT resources. The
diagram below provides a reference for features that are available on the appliance.

Illustration 3: E Series Connectivity Features
Example Deployment Topologies
The diagrams that follow are intended to provide reference for IT administrators or architects. The
examples provide a few scenarios for common aspects of E Series Appliance deployment, while the
potential options are certainly numerous.

DirectAccess Deployment with Manage-Out
Access for external users with strong authentication that allows system administrators to support and
manage remote clients.
Requirements:
- Secure remote access for managed Windows 7 and Windows 8 clients.
- Anytime, anywhere access to applications and data on the organization network.
- Compliance mandate for One-Time Password (OTP) authentication.
- System administrators inside the organization network need connectivity to initiate remote
  desktop sessions and push software updates to remote clients.

Illustration 4: DirectAccess Role
VPN
Access for external users that includes a wide range of systems, like PCs, Macs, tablets, and smart
phones.
Requirements:
- Secure remote access for nonmanaged clients that include commonly used operating systems
  (Windows, Linux, OS X, Android, and iOS).
- Remote access to applications and data on the organization network.
- Web-based applications need users to be pre-authenticated at the edge.
- Applications individually provisioned based on user roles.

Illustration 5: VPN Role With Web Application Proxy
Gateway
Cross-premises network connectivity for internally hosted and cloud resources.
Requirement: Seamless connectivity between on-premises data center and virtual machines hosted in
the public cloud.

Illustration 6: VDI Role
General Setup Information
The following lists network components most commonly required to support feature deployments.
Note: Details for feature configuration are discussed in the topic Resource Worksheet.

Network Policy Server
- E Series Appliance serves as the RADIUS server; it must be domain joined
- Network Access Server (RADIUS Client)
- IP Address
- Shared secret
- Network policies
- Authentication protocol options

Remote Access
- DirectAccess
  - An Active Directory® Domain Services (AD DS) domain
  - At least one domain-joined DirectAccess server (E Series)
  - A public key infrastructure (PKI) [recommended]
  - Network location server (optional)
  - DirectAccess clients running Windows 7 Enterprise or Ultimate, or Windows 8.x Enterprise
- VPN
  - SSL certificate (if using SSTP)
  - External firewall exceptions for configured ports
- Web Application Proxy
  - E Series Appliance serves as the reverse proxy
  - ADFS installed on separate Windows 2012 R2 server
  - SSL certificate
  - Firewall rules for traffic between Web Application Proxy server (E Series) and ADFS server

Remote Desktop Gateway
- E Series Appliance must be domain joined
- RD Connection Broker and RD Web Access Server
- RD Session Host server
- RD Gateway server
- SSL certificate
- AD DS Group Managed Service Account
- Firewall exceptions may be required
- End Users: RDP client that supports RD Gateway (like Windows Remote Desktop Client)

Remote Desktop Web Access
- E Series Appliance must be domain joined
- Remote Desktop Connection Broker
- RD Session Host server with RemoteApp programs configured
- SSL certificate
- Firewall exceptions will be required for the WMI Service
- Option – virtual desktop: Remote Desktop Virtualization Host server

Work Folders
- E Series Appliance serves as the sync server; it must be domain joined
- Domain-joined Windows Server 2012 R2 as the sync share; share volume formatted as NTFS
- Sync share DNS entry (recommended)
- SSL certificate
- User group (recommended)
- End users: Windows 8.1/RT 8.1
Version Information
Version information for appliance components is noted on the main web UI page. Click the E Series
logo link from any page to access:

The Next Step
The following sections cover general setup, which includes appliance installation and configuration,
then feature installation.

Install the Appliance
The guide provides a system administrator with concise instructions for a base deployment. The
document covers common installation requirements and is not intended to be comprehensive. Every
network environment is different, and some installations may require additional configuration.
Installation instructions first cover assumptions the guide takes into account for a common
deployment to help administrators plan for the skills and resources they may need. Assumptions are
followed by the Resource Worksheet. The worksheet helps to gather necessary information that will
aid in the installation process. Preparation steps are followed by instructions to rack, connect to the
network, and power the appliance.

Installation Notes
The following topics cover resources to prepare for installing the appliance on the network.

Assumptions
Please note the necessary skills/knowledge administrators should have and the assumptions that
cover appliance installation for a majority of network environments.

Skills and Knowledge
System administrators should be familiar with:
- Networking technology
- Windows server management
- Microsoft Active Directory®
- Microsoft Unified Remote Access
- Network Policy Server*
- Work Folders*
- Remote Desktop Web Access*
*As required for deployment.

Network Settings
The following general conditions apply to the instructions contained in this guide. If alternatives apply,
they are noted. Again, every network is different and may require some adjustment to the general
information presented herein.
- Active Directory is used for the domain controller.
- The LAN is configured for DHCP. Use DHCP initially to assign an IP address to the LAN0 network
  adapter. Find the assigned IP address through the front panel controls.
  Note: If DHCP is not deployed, use the front panel controls to assign an IP address to LAN0.
- Static IP addresses are reserved for network adapters as needed.

Resource Worksheet
It will expedite the process to gather and verify resource information in the Resource Worksheet below
before starting appliance installation and setup. An example of the worksheet is provided below with
descriptions for the information it includes. A printable copy of the worksheet is included in the
Appendix.
Note: Incorrect network configuration could compromise or impede the appliance.
Table: Worksheet Form Example
Columns: Property, Detail, Notes

Property: Computer name
Notes: Used in IG: Configure the Appliance > Quick Setup Wizard.
The appliance must be assigned a computer name. The computer name must be 15 alphanumeric
characters or less.

Property: Administrator password
Detail: [Celest1x] (default; to be changed during setup)
Notes: Used in IG: Configure the Appliance > Quick Setup Wizard.
The administrator account is a member of the local administrator group. The default password is case
sensitive with brackets included. It should be changed as it is public knowledge. The password
requires at least six characters and at least three of these four categories:
- Uppercase letter
- Lowercase letter
- Number
- Non-alphanumeric character (for example, !, $, #, %)

Property: Workgroup or domain name
Notes: Used in IG: Configure the Appliance > Quick Setup Wizard.
Required for appliance setup.
Record the name of the Workgroup or Domain that will be joined during setup.

Property: LAN information (LAN0)
Private or internal network interface
Detail:
- IP address
- Subnet mask
- Default gateway
- Primary/secondary DNS server(s)
- Static routes:
  - Network address
  - Gateway address
Notes: Used in IG: Configure the Appliance > Quick Setup Wizard.
Required for appliance setup.
The LAN (private network interface) adapter of the appliance is the interface assigned to internal
network traffic.

Property: WAN information (LAN1)
Private or internal network interface
Detail:
- IP address
- Subnet mask
- Default gateway
- Primary/secondary DNS server(s)
- Static routes:
  - Network address
  - Gateway address
Notes: May be needed in IG: Configure the Appliance > Quick Setup Wizard > Network Interfaces
The WAN (public network interface) adapter of the appliance is the interface assigned to external
network traffic. This configures how the WAN, or public interface, connects to the Internet.

Property: DMZ (LAN2 +) information
Additional network interfaces
Detail: Include the IP address/subnet mask for each adapter to be used.
Notes: May be needed in IG: Configure the Appliance > Quick Setup Wizard > Network Interfaces.
The DMZ adapters are optional configuration. This information is only necessary if you will assign
static IP addresses to these adapters.

Property: SMTP server
Detail:
- IP address
- SMTP gateway name
Notes: Used in IG: Configure the Appliance > Quick Setup Wizard.
SMTP is required for Alert Email.

Property: Active Directory server
Detail:
- IP address
- Hostname
Notes: Used in IG: Configure the Appliance > Quick Setup Wizard.

Property: ADFS
Detail:
- AD DS FQDN
- Administrator account
Notes: Used in IG: Configure Features: Web Application Proxy
ADFS is required for Web Application Proxy.

Property: Network Policy Server
Detail:
- Network Access Server (RADIUS Client)
- IP Address
- Shared secret
- Network policy criteria
- Authentication protocol options
Notes: May be needed in post-configuration for NPS or Remote Desktop Gateway.
Setting up RADIUS authentication requires designating the NPS clients that will forward access
requests, the criteria that will serve as the policy to grant access, and the protocols that will be
used for authentication.

Property: DirectAccess/VPN
Detail:
- DA server
  - Static IP address(es)
  - Public address for client connections
  - GPOs (if using customized policies)
  - NLS certificate (if using external server)
  - Infrastructure server(s)
- DA client
  - Public address
  - Subnet mask
  - Default gateway
  - DNS
- VPN server
  - Client IP address pool (if not using DHCP)
  - RADIUS server information (if not using Windows authentication)
Notes: Used in IG: Configure Features: Remote Access Setup Wizard.
The Remote Access/VPN wizard will require server information. The client information will be
required to set up remote devices.
Note: Infrastructure server information refers to resources not discoverable by Active Directory.

Property: PKI (if applicable)
Detail: IP address
Notes: May be needed in post-configuration for DirectAccess.
PKI is recommended but no longer required for DirectAccess deployment, with a few exceptions, like
OTP authentication.
Note: Root certificate required.

Property: Web Application Proxy
Detail:
- ADFS FQDN
- SSL certificate
Notes: Used in IG: Configure Features: Web Application Proxy Setup Wizard.
Note: Root certificate required.

Property: Remote Desktop Gateway
Detail:
- RD Gateway (join domain)
  - IP address
  - Hostname
  - External FQDN
- AD DS
  - IP address
  - Subnet mask
  - Default gateway
  - DNS
- RD Session Host (domain joined)
  - IP address
  - Hostname
- RD Connection Broker (domain joined)
  - IP address
  - Hostname
- RD Web Access (domain joined)
  - IP Address
  - Hostname
- Firewall rules
Notes: Used in IG: Configure Features > Feature Details > Remote Desktop Gateway (RD Gateway) >
Required Configuration After Installation.

Property: Remote Desktop Web Access
Detail:
- RD Web Access Server (domain joined)
  - IP address
  - Hostname
- AD DS
  - IP address
  - Subnet mask
  - Default gateway
  - DNS
- RD Session Host (domain joined)
  - IP address
  - Hostname
- RD Connection Broker (domain joined)
  - IP address
  - Hostname
- Remote Desktop Virtualization Host server (optional)
  - IP address
  - Hostname
- Firewall rules
Notes: Used in IG: Configure Features > Feature Details > Remote Desktop Gateway (RD Gateway) >
Required Configuration After Installation.

Property: Work Folders
Detail:
- Sync share name
- SSL certificate
- AD security group for user accounts
- Sync share DNS entry (recommended)
Notes: Used in IG: Configure Features > Work Folders Setup Wizard.

Property: Application server
Detail:
- IP address
- Hostname
Notes: May be needed in post-configuration for:
- Web Application Proxy
- Remote Desktop Gateway
- RD Web Access

Property: RADIUS server
Detail:
- IP address
- Hostname
Notes: May be needed to set up Remote Access with VPN or NPS.

Property: RADIUS clients
Detail:
- IP address
- Hostname
Notes: May be needed to set up Remote Access with VPN or NPS.

Bold items are required
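
The worksheet rules for the computer name, administrator password, and adapter addressing can be checked before the Quick Setup Wizard is run. The Python below is an added example, not Celestix code: the function names and the sample worksheet are hypothetical, and the adapter checks (valid mask, usable host address, on-subnet gateway) are assumed sanity checks that the guide does not state.

```python
import ipaddress
import re

DEFAULT_ADMIN_PASSWORD = "[Celest1x]"  # published default, brackets included


def check_computer_name(name):
    # Guide rule: required, 15 alphanumeric characters or less.
    if not name:
        return ["computer name is required"]
    problems = []
    if len(name) > 15:
        problems.append("computer name is longer than 15 characters")
    if not re.fullmatch(r"[A-Za-z0-9]+", name):
        problems.append("computer name contains non-alphanumeric characters")
    return problems


def check_admin_password(password):
    # Guide rule: at least six characters and three of four categories.
    problems = []
    if password == DEFAULT_ADMIN_PASSWORD:
        # The default satisfies the complexity rule, so test for it explicitly.
        problems.append("administrator password is still the published default")
    if len(password) < 6:
        problems.append("administrator password is shorter than six characters")
    categories = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(categories) < 3:
        problems.append("administrator password uses fewer than three categories")
    return problems


def check_interface(label, ip, mask, gateway=None):
    # Assumed sanity checks (not stated in the guide): valid mask, usable host
    # address, and a default gateway that sits on the adapter's own subnet.
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
        gw = ipaddress.IPv4Address(gateway) if gateway else None
    except ValueError as exc:
        return [f"{label}: {exc}"]
    net, problems = iface.network, []
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{label}: {iface.ip} is the network or broadcast address")
    if gw is not None and (gw not in net or gw == iface.ip):
        problems.append(f"{label}: gateway {gw} is not a neighbour on {net}")
    return problems


def validate_worksheet(ws):
    problems = check_computer_name(ws.get("computer_name", ""))
    problems += check_admin_password(ws.get("admin_password", ""))
    for label in ("LAN0", "LAN1"):
        nic = ws.get(label)
        if nic:
            problems += check_interface(label, nic["ip"], nic["mask"], nic.get("gateway"))
    return problems


# Constructed sample worksheet (private and documentation address ranges).
SAMPLE_WORKSHEET = {
    "computer_name": "EDGE-GW-01",
    "admin_password": "[Celest1x]",
    "LAN0": {"ip": "10.20.0.15", "mask": "255.255.255.0", "gateway": "10.20.1.1"},
    "LAN1": {"ip": "203.0.113.10", "mask": "255.255.255.248", "gateway": "203.0.113.9"},
}

if __name__ == "__main__":
    for problem in validate_worksheet(SAMPLE_WORKSHEET):
        print("FIX:", problem)
```

The sample worksheet reports three problems: a hyphenated computer name, the unchanged default password, and a LAN0 gateway outside the adapter's subnet.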
Rack the Appliance
Celestix appliances are either 1U or 2U and should be attached to a standard 19-inch equipment rack
as follows.
Note: If the appliance came with slides instead of brackets, see the instructions included in the slide
packaging for the rack mounting procedure.
Caution:
- Do not place the appliance on the floor.
- Keep it in an upright position.
- Place it in a well-ventilated area that is out of direct sunlight.
1. Select a secure location where only authorized personnel can access the appliance.
2. Mount the appliance to the rack:
a. Use all the provided screws to attach mounting hardware to the front right and left sides
of the appliance.