Celestix CelestixEdge E Series User manual

Installation Guide
CelestixEdge E Series Appliance

The information contained in this document represents the current view of Celestix Networks on the issues discussed as of the date of publication.
Because Celestix Networks must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Celestix Networks,
and Celestix Networks cannot guarantee the accuracy of any information presented after the date of publication.
These instructions are for informational purposes only. CELESTIX MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be
reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Celestix Networks.
Celestix Networks may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in any written license agreement from Celestix Networks, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
CelestixEdge E Series Appliance Installation Guide
Document Number: EDG2100-120-001
Updated: November 11 2015
Part Number: (CCD) 2101-30000001
Product version: E Series 2.1
© 2015 Celestix Networks, Inc. All rights reserved.
The example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious. No
association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.
HOTPin, Celestix and Celestix logo are either trademarks or registered trademarks of Celestix Networks, Inc.
Microsoft, Microsoft logo, Microsoft Windows Server, Microsoft Forefront, Threat Management Gateway, Unified Access Gateway, Active Directory,
Windows, Windows NT, Office 365, Azure, ActiveX, Internet Explorer, Windows Phone, and Zune are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents
Introduction
Guide Usage Notes
Verify Package Contents
Appliance Hardware Features
System Overview
The Next Step
Install the Appliance
Installation Notes
Rack the Appliance
Connect the Appliance to the Network
Front Panel Controls Overview
Power the Celestix Appliance
Initial Access
The Next Step
Appliance Setup
General Information
Access the Web User Interface
Quick Setup Wizard
The Next Step
Configure Features: Installation
General Features Management
Feature Details
The Next Step
Configure Features: Remote Access Setup Wizard
General Information
Setup Wizard
The Next Step
Configure Features: Web Application Proxy Setup Wizard
General Information
Setup Wizard
The Next Step
Configure Features: Work Folders Setup Wizard
General Information
Initial Configuration
Setup Wizard
The Next Step
Create a System Image
LGV
Create a Backup
Update Software
Appendix
Glossary
Web User Interface Content Overview
Safety Precautions
Product Reclamation and Recycling
Index
Resource Worksheet

1 E Series Installation Guide
Introduction
Celestix Networks delivers an exceptional combination of perimeter security features, scalability, and
simplicity in cost-efficient virtual and hardware appliances. Ready-to-deploy appliances offer easier
management that reduces the risk and cost of security solutions. The Celestix® line of security
appliances provides key security framework components: firewall, branch-office connectivity, web
cache/proxy, wireless policies/authentication, remote access, two-factor authentication, patch
management, and anti-spam/anti-virus gateway deployments. Celestix products provide the best
option for the emergent need to manage IT security for every level of infrastructure complexity.
The Celestix® CelestixEdge E Series Appliance provides simplified configuration for diverse remote
access and desktop virtualization needs. The E Series delivers secure connectivity to an organization’s
network and cloud resources with Microsoft® Windows Server® 2012 R2 Remote Access. Supporting
technologies include access management, bring your own device (BYOD) facilitation, and anywhere
access to work files.
A well-planned BYOD blueprint can help users to work how and when they are most productive.
Through the E Series, organizations can choose the connectivity options best suited to organizational
goals.
• Always-on remote connection for both end user access and client management.
• RADIUS and multifactor authentication.
• Encrypted access to internal resources without a VPN.
• Streaming access to hosted applications from any device.
• Synced work files access by supported devices from wherever, even without network connectivity.
The foundation of your Celestix appliance is the award-winning Comet engine. Comet provides a web
user interface (web UI) for convenient access to administration functions like setup, network
configuration, and server task management. For the E Series, it also provides simplified installation and
configuration for Remote Access and supporting technologies.
The Celestix E Series is a hardened and secure appliance platform that is optimized for secure Windows
deployment out of the box.
The 2.1 E Series offers the following functionality:
• Web Application Proxy single sign-on portal
• SIEM support
• DirectAccess configuration updates

Guide Usage Notes
This guide will help system administrators to efficiently install and configure a new appliance with a
base level setup. The instructions cover steps for some common deployment scenarios. They usually
offer one option to accomplish a task, though there may be other ways to achieve the same thing. The
guide does not provide extensive reference information. Online help in the web UI can usually provide
additional information.
Document Conventions
• Using a PDF viewer besides Adobe® Reader® may disable some of this document’s functionality
  and may change how the content displays.
• Instructions are generally intended for administrators to manage the server installation through
  Comet’s web user interface administration tool, referred to as the web UI.
• Instructions are presented in the best order to follow for setup.
• The following text formats are used for clarification:
  ▪ Web UI on-screen items are noted in this style.
  ▪ Features on the appliance front and rear panels are noted in this style.
  ▪ File names are delineated as filename.xxx.
  ▪ Titles are delineated as documentname.
  ▪ Examples and code are delineated in this style.
• When referring to subsections in this document, the hierarchy is delineated by the symbol for a
  colon (:).
  For example, the location of the section To find updates would be delineated as:
  Update Software: To find updates.
• Instructions assume the reader will navigate from the web UI main menu bar to access features.
  For example, to access Software Updates, the navigation path from the menu bar would be
  delineated as:
  System | Software Updates.
• Though network interface connections are commonly referred to as NICs, ports, and adapters,
  documentation uses the term network adapters.
• Documentation generally refers to the appliance when discussing the E Series Appliance.
Web User Interface
The web UI is a management tool to access the most common Celestix product features. Initially, use it
to quickly set up the server. Subsequently, use the web UI to access administrative features for both
Comet and Remote Access roles.

See the Appendix topic Web User Interface Content Overview for features included in the web UI. See
the online help topic Web User Interface Overview for more information about using the web UI
(Help|Web UI Overview).
Verify Package Contents
Use the following information to confirm the package contains the necessary appliance accessories.
Appliance Series Accessory List
Appliance Series 3400 6400 8400
Contents
CAT6 Ethernet Cable
Power Cable 2 2
RJ45 Connector Cable
Mounting Brackets & Hardware
Rack Mounting Slides & Hardware
- included
- not included
Table: Accessory List
Accessories Illustrations
The illustrations below will help to identify the items in the package. Only items appropriate for the
appliance series are included.

Illustration 1: Appliance Package Contents
Note: Fasteners to attach brackets or slides to the appliance are provided. Fasteners to bolt the
appliance to the rack are not supplied.
If an item is missing from the package, contact Celestix Networks via email:
support@celestix.com
Appliance Hardware Features
Each of the feature lists below includes a legend to help identify components on the appliance.

Illustration 2: Appliance Illustrations with Delineated Features
System Overview
The CelestixEdge appliance simplifies the process to set up and manage access to IT resources. The
diagram below provides a reference for features that are available on the appliance.
Illustration 3: E Series Connectivity Features

Example Deployment Topologies
The diagrams that follow are intended to provide reference for IT administrators or architects. The
examples provide a few scenarios for common aspects of CelestixEdge appliance deployment, while
the potential options are certainly numerous.
DirectAccess Deployment with Manage-Out
Access for external users with strong authentication that allows system administrators to support and
manage remote clients.
Requirements:
• Secure remote access for managed Windows 7 and Windows 8 clients.
• Anytime, anywhere access to applications and data on the organization network.
• Compliance mandate for One-Time Password (OTP) authentication.
• System administrators inside the organization network need connectivity to initiate remote
  desktop sessions and push software updates to remote clients.
Illustration 4: DirectAccess Role
VPN
Access for external users that includes a wide range of systems, like PCs, Macs, tablets, and smart
phones.
Requirements:

• Secure remote access for nonmanaged clients that include commonly used operating systems
  (Windows, Linux, OS X, Android, and iOS).
• Remote access to applications and data on the organization network.
• Web-based applications need users to be pre-authenticated at the edge.
• Applications individually provisioned based on user roles.
Illustration 5: VPN Role With Web Application Proxy
Gateway
Cross-premises network connectivity for internally hosted and cloud resources.
Requirement: Seamless connectivity between on-premises data center and virtual machines hosted in
the public cloud.

Illustration 6: VDI Role
General Setup Information
The following lists network components that most commonly require configuration to support feature
deployments.
Note: Some items are optional. Details for feature configuration are discussed in the topic Resource
Worksheet.
Network Policy Server
• CelestixEdge appliance serves as the RADIUS server; it must be domain joined
• Network Access Server (RADIUS Client)
• IP Address
• Shared secret
• Network policies
• Authentication protocol options

Remote Access
• DirectAccess
  ▪ An Active Directory® Domain Services (AD DS) domain
  ▪ At least one domain-joined DirectAccess server (E Series)
  ▪ A public key infrastructure (PKI) [recommended]
  ▪ Network location server (optional)
  ▪ DirectAccess clients running Windows 7 Enterprise or Ultimate, or Windows 8.x Enterprise
• VPN
  ▪ SSL certificate (if using SSTP)
  ▪ External firewall exceptions for configured ports
• Web Application Proxy
  ▪ CelestixEdge appliance serves as the reverse proxy
  ▪ AD FS installed on separate Windows 2012 R2 server
  ▪ SSL certificate
  ▪ Firewall rules for traffic between Web Application Proxy server (E Series) and AD FS server
Virtual Desktop Infrastructure (VDI) Components
• Remote Desktop Gateway
  ▪ CelestixEdge appliance must be domain joined
  ▪ RD Connection Broker and RD Web Access Server
  ▪ RD Session Host server
  ▪ RD Gateway server
  ▪ SSL certificate
  ▪ AD DS Group Managed Service Account
  ▪ Firewall exceptions may be required
  ▪ End Users: RDP client that supports RD Gateway (like Windows Remote Desktop Client)
• Remote Desktop Web Access
  ▪ CelestixEdge appliance must be domain joined
  ▪ Remote Desktop Connection Broker
  ▪ RD Session Host server with RemoteApp programs configured
  ▪ SSL certificate
  ▪ Firewall exceptions will be required for the WMI Service
  ▪ Option – virtual desktop: Remote Desktop Virtualization Host server
Work Folders
• CelestixEdge appliance serves as the sync server; it must be domain joined
• Domain-joined Windows Server 2012 R2 as the sync share; share volume formatted as NTFS
• Sync share DNS entry (recommended)
• SSL certificate
• User group (recommended)
• End users: Windows 8.1/RT 8.1
Version Information
Version information for appliance components is noted on the main web UI page. Click the E Series
logo link from any page to access:
The Next Step
The following sections cover general setup, which includes appliance installation and configuration,
then feature installation.

Install the Appliance
The guide provides a system administrator with concise instructions for a base deployment. The
document covers common installation requirements and is not intended to be comprehensive. Every
network environment is different, and some installations may require additional configuration.
Installation instructions first cover assumptions the guide takes into account for a common
deployment to help administrators plan for the skills and resources they may need. Assumptions are
followed by the Resource Worksheet. The worksheet helps to gather necessary information that will
aid in the installation process. Preparation steps are followed by instructions to rack, connect to the
network, and power the appliance.
Installation Notes
The following topics cover resources to prepare for installing the appliance on the network.
Assumptions
The following sections provide information about necessary skills and knowledge administrators
should have and the assumptions that cover appliance installation for a majority of network
environments.
Skills and Knowledge
System administrators should be familiar with:
• Networking technology
• Windows Server management
• Microsoft Active Directory®
• Microsoft Unified Remote Access
• Network Policy Server*
• Work Folders*
• Remote Desktop Web Access*
*As required for deployment.
Network Settings
The following general conditions apply to the instructions contained in this guide. If alternatives apply,
they are noted. Again, every network is different and may require some adjustment to the general
information presented herein.
• Active Directory is used for the domain controller.
• The LAN is configured for DHCP. Use DHCP initially to assign an IP address to the LAN0 network
  adapter. Find the assigned IP address through the front panel controls.
  Note: If DHCP is not deployed, use the front panel controls to assign an IP address to LAN0.
• Static IP addresses are reserved for network adapters as needed.
Resource Worksheet
It will expedite the process to gather and verify resource information in the Resource Worksheet below
before starting appliance installation and setup. An example of the worksheet is provided below with
descriptions for the information it includes. A blank copy of the worksheet, which can be printed, is
included in the Appendix.
Note: Incorrect network configuration could compromise or impede the appliance.
Property: Computer name
Detail:
Notes:
  Used in IG: Configure the Appliance > Quick Setup Wizard.
  The appliance must be assigned a computer name. The computer name must be 15 alphanumeric
  characters or less.

Property: Administrator password
Detail:
  [Celest1x] (default; to be changed during setup)
Notes:
  Used in IG: Configure the Appliance > Quick Setup Wizard.
  The administrator account is a member of the local administrator group. The default password is
  case sensitive with brackets included.
  Important: The default should be changed as it is public knowledge.

Property: Workgroup or domain name
Detail:
Notes:
  Used in IG: Configure the Appliance > Quick Setup Wizard.
  Required for appliance setup.
  Record the name of the Workgroup or Domain that will be joined during setup.

Property: LAN information (LAN0)
  Private or internal network interface
Detail:
  IP address
  Subnet mask
  Default gateway
  Primary/secondary DNS server(s)
  Static routes:
  Network address
  Gateway address
Notes:
  Used in IG: Configure the Appliance > Quick Setup Wizard.
  Required for appliance setup.
  The LAN (private network interface) adapter of the appliance is the interface assigned to
  internal network traffic.

Property: WAN information (LAN1)
  Public or external network interface
Detail:
  IP address
  Subnet mask
  Default gateway
  Primary/secondary DNS server(s)
  Static routes:
  Network address
  Gateway address
Notes:
  May be needed in IG: Configure the Appliance > Quick Setup Wizard > Network Interfaces
  The WAN (public network interface) adapter of the appliance is the interface assigned to
  external network traffic. This configures how the WAN, or public interface, connects to the
  Internet.

Property: DMZ (LAN2 +) information
  Additional network interfaces
Detail:
  Include the IP address/subnet mask for each adapter to be used.
Notes:
  May be needed in IG: Configure the Appliance > Quick Setup Wizard > Network Interfaces.
  The DMZ adapters are optional configuration. This information is only necessary if you will
  assign static IP addresses to these adapters.

Property: SMTP server
Detail:
  IP address
  SMTP gateway name
Notes:
  Used in IG: Configure the Appliance > Quick Setup Wizard.
  Optional configuration: SMTP is required for Alert Email.

Property: Public domain registrar
Detail:
  Credentials
Notes:
  In SSO portal deployments, the portal FQDN should be added as a record to the public DNS host
  service for the federated domain.

Property: Active Directory Domain Services (AD DS)
Detail:
  IP address
  Hostname
  User account/password
Notes:
  Used in IG: Configure the Appliance > Quick Setup Wizard.

Property: AD FS
Detail:
  AD DS FQDN
  Administrator account
Notes:
  Used in IG: Configure Features: Web Application Proxy
  AD FS is required for Web Application Proxy.

Property: Web Application Proxy (WAP)
Detail:
  AD FS FQDN
  SSL certificate
Notes:
  Used in IG: Configure Features: Web Application Proxy Setup Wizard.
  Note: Root certificate required.

Property: SSO Portal
Detail:
  Firewall rules for HTTPS and SSH
  Application requirements:
  URL
  Certificate
  Hostname
  Port
  File format
Notes:
  The SSO portal is a WAP feature.
  Rules need to be created in the edge firewall to allow application communication.
  While each application type is different, the list of application requirements covers common
  information for publishing a variety of applications.

Property: Syslog
Detail:
  SIEM:
  FQDN/IP
  Port
  Certificate
Notes:
  The Logging feature, sometimes referred to as syslog, is a security information and event
  management solution (SIEM) feature. Server information is needed if a SIEM server is deployed
  on the network. An SSL certificate is required for encrypted remote logging.

Property: DNS
Detail:
  AD FS FQDN
  Host/cluster IP
Notes:
  DNS must be updated to resolve the SSO portal FQDN to the WAP IP address.

Property: Workplace Join
Detail:
  AD DS FQDN
  AD DS service account
  AD FS IP address
  AD FS FQDN
  DRS DNS entry
Notes:
  This information would be used to extend functionality needed to set up BYOD access.

Property: Network Policy Server
Detail:
  Network Access Server (RADIUS Client)
  IP Address
  Shared secret
  Network policy criteria
  Authentication protocol options
Notes:
  May be needed in post-configuration for NPS or Remote Desktop Gateway.
  Setting up RADIUS authentication requires designating the NPS clients that will forward access
  requests, the criteria that will serve as the policy to grant access, and the protocols that
  will be used for authentication.

Property: DirectAccess/VPN
Detail:
  DA server
  Static IP address(es)
  Public address for client connections
  GPOs (if using customized policies)
  NLS certificate (if using external server)
  Infrastructure server(s)
  DA client
  Public address
  Subnet mask
  Default gateway
  DNS
  VPN server
  Client IP address pool (if not using DHCP)
  RADIUS server information (if not using Windows authentication)
Notes:
  Used in IG: Configure Features: Remote Access Setup Wizard.
  The Remote Access/VPN wizard will require server information. The client information will be
  required to set up remote devices.
  Note: Infrastructure server information refers to resources not discoverable by Active
  Directory.

Property: PKI (if applicable)
Detail:
  IP address
Notes:
  May be needed in post-configuration for DirectAccess.
  PKI is recommended but no longer required for DirectAccess deployment, with a few exceptions,
  like OTP authentication.
  Note: Root certificate required.

Property: Remote Desktop Gateway
Detail:
  RD Gateway (join domain)
  IP address
  Hostname
  External FQDN
  AD DS
  IP address
  Subnet mask
  Default gateway
  DNS
  RD Session Host (domain joined)
  IP address
  Hostname
  RD Connection Broker (domain joined)
  IP address
  Hostname
  RD Web Access (domain joined)
  IP Address
  Hostname
  Firewall rules
Notes:
  Used in IG: Configure Features > Feature Details > Remote Desktop Gateway (RD Gateway) >
  Required Configuration After Installation.

Property: Remote Desktop Web Access
Detail:
  RD Web Access Server (domain joined)
  IP address
  Hostname
  AD DS
  IP address
  Subnet mask
  Default gateway
  DNS
  RD Session Host (domain joined)
  IP address
  Hostname
  RD Connection Broker (domain joined)
  IP address
  Hostname
  Remote Desktop Virtualization Host server (optional)
  IP address
  Hostname
  Firewall rules
Notes:
  Used in IG: Configure Features > Feature Details > Remote Desktop Gateway (RD Gateway) >
  Required Configuration After Installation.

Property: Work Folders
Detail:
  Sync share name
  SSL certificate
  AD security group for user accounts
  Sync share DNS entry (recommended)
Notes:
  Used in IG: Configure Features > Work Folders Setup Wizard.

Property: Application server
Detail:
  IP address
  Hostname
Notes:
  May be needed in post-configuration for:
  Web Application Proxy
  Remote Desktop Gateway
  RD Web Access

Property: RADIUS server
Detail:
  IP address
  Hostname
Notes:
  May be needed to set up Remote Access with VPN or NPS.

Property: RADIUS clients
Detail:
  IP address
  Hostname
Notes:
  May be needed to set up Remote Access with VPN or NPS.

Property: Application server
Detail:
  IP address
  Hostname
Notes:
  This information would be used to extend functionality.

Bold items are required
Table: Worksheet Form Example
Rack the Appliance
Celestix appliances are either 1U or 2U and should be attached to a standard 19-inch equipment rack
as follows.