SHORE TEL VPN Concentrator 4500 Operator's manual

VPN Concentrator 4500/5300
Installation and Configuration Guide

June 2009
800-1190-03, Revision 3
Document and Software Copyrights
Copyright © 2009 by ShoreTel, Inc. Sunnyvale, California, U.S.A. All rights reserved. Printed in the United
States of America. Contents of this publication may not be reproduced or transmitted in any form or by any
means, electronic or mechanical, for any purpose, without prior written authorization of ShoreTel, Inc.
ShoreTel Inc. reserves the right to make changes without notice to the specifications and materials
contained herein and shall not be responsible for any damage (including consequential)
caused by reliance on the materials presented, including, but not limited to, typographical, arithmetic,
or listing errors.
Company Information
ShoreTel 960 Stewart Drive, Sunnyvale, California USA +1.408.331.3300 +1.408.331.3333 (Fax)

Contents
1.1 Specifications
1.1.1 VPN Concentrator 4500
1.1.2 VPN Concentrator 5300
1.2 Hardware Installation
1.2.1 VPN Concentrator 4500
1.2.1.1 Requirements for Installation
1.2.1.2 Front Panel LEDs
1.2.1.3 Back Panel
1.2.1.4 Physical Installation
Required Tools and Materials
Desktop Installation
Wall-Mount Installation
Rack-Mount Installation
Connecting the Power and Cables
1.2.1.5 Initial Configuration
1.2.2 VPN Concentrator 5300
1.2.2.1 Requirements for Installation
1.2.2.2 Front Panel Overview
1.2.2.3 Back Panel Overview
1.2.2.4 Physical Installation
Rack-Mount Installation
Connecting the Power and Cables
1.2.2.5 Initial Configuration
1.2.3 Deployment Scenarios
2.1 Introduction
2.2 Redundant VPN Concentrators
2.3 SSL VPN Authentication Mechanisms
2.4 Other Features
3.1 Firmware Upgrade
3.2 Licensing
3.3 Configuration
3.3.1 GUI Interface
3.3.1.1 Services Configuration
3.3.1.2 Set Link
3.3.1.3 Management Interface (VPN Concentrator 5300 Only)
3.3.1.4 Route
3.3.1.5 VLAN
3.3.1.6 SSL VPN Main Page
Global Configuration
LDAP Configuration
Proxy ARP Configuration
Stunnel IP Pool
3.3.1.7 SSL VPN Databases
Username and Password Database
MAC Address Whitelist
MAC Address Blacklist
Current Sessions
3.3.2 Configuring VPN Parameters on IP Phones
3.3.2.1 Configuration via config files
3.3.2.2 Manual configuration
3.3.2.3 Summary of recommended configuration and deployment procedure:
4.1 Tools and Troubleshooting
4.1.1 Network Information
4.1.2 Network Connectivity
4.1.3 Viewing Log Files
4.1.4 Packet Capture
4.1.4.1 Capturing Packets for an Individual SSL Connection

Chapter 1
1.1 Specifications
1.1.1 VPN Concentrator 4500
WAN Ports          1 x 10/100 Ethernet
LAN Ports          4 x 10/100 Ethernet
Serial Ports       1 x RS-232
Dimensions         Height 1.688” (42.863 mm), Width 10.438” (265.113 mm), Depth 6.625” (168.275 mm)
Weight             2 lb (0.91 kg)
Power              12V @ 3A, external AC Adapter
Environmental      Operating Temperature: 5° to 40°C
                   Humidity: 20% to 80%, non-condensing
1.1.2 VPN Concentrator 5300
WAN Ports          1 x 10/100 Ethernet
LAN Ports          1 x 10/100 Ethernet
Management Ports   1 x 10/100 Ethernet
Serial Ports       1 x RS-232
Dimensions         19” Rack Mount, 1RU
Weight             11.5 lb (5.28 kg)
Power              100/240v VAC, auto-selecting, 47 to 63 Hz
Environmental      Operating Temperature: 5° to 40°C
                   Humidity: 5% to 90%, non-condensing
1.2 Hardware Installation
1.2.1 VPN Concentrator 4500
1.2.1.1 Requirements for Installation
• A computer with a web browser as supported by ShoreTel (Microsoft Internet Explorer).
• Two Ethernet cables

1.2.1.2 Front Panel LEDs
Item     Description
PWR      • Off – Power switch is off (or no power from the AC outlet)
         • Solid Green – Power is supplied to the unit
Status   • Off – The unit could not boot up because of self test failure
         • Solid Green – Self test passed.
         • Flashing Green – Configuration is being written to permanent storage or an upgrade is in progress
Figure 1-1 Front view of the 4500

1.2.1.3 Back Panel
Call out   Description
A   Power Connector – Accepts the plug from the supplied power adapter which can be connected to
    an AC outlet on the wall using the supplied power cord.
B   4 Ports 10/100 Mbps LAN Switch – Any one of the four ports can be used to connect to the
    Local Area Network (LAN) network.
C   USB Ports – Not used.
D   Ethernet WAN Port – This port is typically used when connecting the 4500 to an upstream router.
E   Management Console Port – This port is used to establish a local console session with the
    4500 using a VT100 terminal or emulation program. The cable required is a straight-through
    8-wire cable with female connector. The serial port uses a baud rate of 9600, 8 data bits,
    1 stop bit and no parity.
    This port is used for debug or local diagnostic purposes only. Primary configuration of the
    4500 is performed from a web browser as covered in Chapter 3.
F   Erase –
    • If pressed twice in quick succession, the CLI password will be changed to its original
      password.
    • If pressed three times in quick succession, the 5300 will revert to factory default
      settings. All passwords will be reset and all prior configurations will be erased.
    Note: The default LAN address will be set to 192.168.1.1
    Caution: Setting the system configuration to factory default will erase all configuration
    changes.
G   Link Speed LED
    Off – If the link is up, it indicates that the port is connected to a 10BaseT Ethernet
    switch or hub.
    Solid Amber – Indicates that the port is connected to a 100BaseT Ethernet switch or hub.
H   Link Status LED
    Solid Green – Ethernet link is up.
    Blinking Green – Indicates activity on the link.
Figure 1-2 Back view of the 4500

1.2.1.4 Physical Installation
The 4500 device is designed for desktop, rack or wall-mount installation. Observe the
following guidelines when installing the system:
• Always verify that the AC cord is disconnected from a power source prior to
installation.
• Ensure that the installation site has adequate air circulation and meets the minimum
operating conditions for the system as specified in Specifications of this document.
Required Tools and Materials
• If the unit will be mounted on the wall:
— 1 Flat or Phillips screwdriver
— 2 round or flat head Phillips or slotted screws – 1 ½ inch long
— 2 hollow wall anchors
• If the unit will be mounted in a shelf
— 1 Flat or Phillips screwdriver
• Ethernet cables to connect the LAN ports to LAN switches or other Ethernet devices
and the WAN port to a firewall or an upstream router.
Desktop Installation
1. Remove the 4500 and the accessories from the shipping container.
2. Place the 4500 on a flat, dry surface such as a desktop, shelf or tray.
Wall-Mount Installation
You can mount the 4500 on a wall using the two mounting brackets on the bottom of the
appliance. We recommend that you use the two round or pan head screws.
1. Install two screws 5.9063” (150 mm) horizontally apart on a wall or other vertical
surface. The screws should protrude from the wall so that you can fit the appliance
between the head of the screw and the wall. If you install the screws in drywall, use
hollow wall anchors to ensure that the unit does not pull away from the wall due to
prolonged strain from the cable and power connectors.
2. Remove the 4500 and accessories from the shipping container.
3. Mount the 4500 on the wall as shown below.

4. Do not mount the 4500 on the wall as shown below.
Rack-Mount Installation
You can mount the 4500 in a 19” rack by using the rack-mount kit supplied with the product.
1. Attach the ear mounts to both sides of the 4500 with the screws.
2. Attach the 4500 with the ear mounts to the shelf by screwing the ear mounts to the shelf
with screws.
Connecting the Power and Cables
1. Connect one end of an Ethernet cable to local LAN port 4 of the 4500. This port can be
seen in the area “B” of Figure 1-2. Connect the other end of the cable to your
computer’s Ethernet port.
2. Connect one end of an Ethernet cable to the WAN port of the 4500, shown in Figure 1-2
as “D,” and the other end to the Ethernet port of an appropriate device based on your
deployment scenario. Please see section 1.2.3 for examples of deployment scenarios.
3. Plug one end of the power adapter into an AC outlet and the other end into the power
receptacle on the 4500. Make sure that the power and status LEDs, shown in Figure 1-1
as “A” and “B”, are solid green after a short while.
WARNING
Always connect the AC power cord to an AC outlet suitable for the power
supply that came with the unit in order to reduce the risk of damage to it.
• Connect one end of the AC power cord to the power adapter and the
other one to the AC outlet.
• Connect the plug from the power adapter to the Power Connector on the
4500. Sometimes a little force is necessary to get the plug properly
positioned.
CAUTION
Secure the power adapter using a fastener or tie wrap to a nearby shelf so that it
does not hang from the power connector.
• If connecting to a WAN router, cable modem or DSL modem, then
connect the Ethernet cable to the Ethernet WAN port on the 4500 and
the other end to the WAN device.
1.2.1.5 Initial Configuration
You can configure the 4500 using a web browser such as Internet Explorer or Netscape
Navigator. The 4500 is shipped with the pre-configured IP address 192.168.1.1 for the LAN
ports.

To connect to the 4500, follow these steps:
1. Assign static IP address 192.168.1.2 with subnet 255.255.255.0 to the Ethernet
interface of the computer that is connected to the LAN port of the 4500.
2. Launch a web browser on the PC and enter the following URL: http://192.168.1.1.
Press Return and the following login window should appear:
3. Enter the username as “root” and the password as “default” to log into the system.
4. The “System” configuration page should appear now.
5. Select Network from the “Configuration Menu”.
6. Perform the following steps in the “WAN Interface Settings:” section:
— Choose “Static IP Address”
— Set the “IP Address:” to an IP address that is within the subnet of your firewall’s
DMZ. Note: The IP address may be a private IP address.
— Set the “Subnet Mask:”
7. Perform the following steps in the “Network Settings:” section:
— Set the “Default Gateway” to the upstream router’s IP address.
— Set the "Primary DNS Server" and "Secondary DNS Server" to the primary and
secondary DNS servers respectively.
8. Perform the following steps in the “LAN Interface Settings:” section:
— Set the “IP Address:” to an IP address that can be reached from the LAN network.
— Set the “Subnet Mask:”
9. Click the “Submit” button to make the above changes current.
10. Detach the Ethernet cable from the computer’s Ethernet interface and connect it to a
hub or Ethernet switch connecting to the LAN network.
11. Launch a web browser on any computer on the LAN network and enter the LAN IP
address of the 4500. Press Return and log into the system as explained above.
12. Start configuring the system following the information in Chapter 3.
1.2.2 VPN Concentrator 5300
1.2.2.1 Requirements for Installation
• A computer with a web browser as supported by ShoreTel (Microsoft Internet Explorer).
• At least one Ethernet cable

1.2.2.2 Front Panel Overview
Call out   Description
A   Erase –
    • If pressed twice in quick succession, the CLI password will be changed to its original
      password.
    • If pressed three times in quick succession, the 5300 will revert to factory default
      settings. All passwords will be reset and all prior configurations will be erased.
    Note: The default LAN address will be set to 192.168.1.1
    Caution: Setting the system configuration to factory default will erase all configuration
    changes.
B   Power LED
    • Off – Power switch is off (or no power from the AC outlet)
    • Solid Green – Power is supplied to the unit
C   Disk Activity LED
    • Off – No disk activity
    • Flashing Red – Data is being read or written to the disk.
    • Solid Red – System failure.
D   Port 3 (Management Port) – Out of band management port used for configuration purposes.
    DHCP client is enabled on this port from the factory.
E   Port 2 (WAN Port) – Connects to the WAN or upstream router. DHCP enabled from the factory.
F   Port 1 (LAN Port) – Connects to the local network or LAN. Factory configured for static IP
    with 192.168.1.1 IP address.
G   Reset – Hard reset of the system.
H   Console – DB9 serial (RS232) port (male connector) for CLI based configuration. The serial
    port uses a baud rate of 9600, 8 data bits, 1 stop bit and no parity.
Figure 1-3 Front view of the 5300

1.2.2.3 Back Panel Overview
Call out   Description
A   Power Inlet – Accepts a 3-pin Shroud Female connector of a power cord with 3-pin Shroud
    Male connector on the other end to connect to an AC outlet (See Power for specifications).
B   Power Switch – Turns the system power on or off
C   VGA Port – Not used.
D   USB Ports – Not used.
Figure 1-4 Back view of the 5300

1.2.2.4 Physical Installation
Rack-Mount Installation
The 5300 is designed for 19” rack mount installation. Simply secure the ear mounts (as shown
in Figure 1-5) on both sides of the chassis to the rack post with screws.
Please observe the following guidelines when installing the system:
• Never assume that the AC cord is disconnected from a power source. Always check
first.
• Never place objects greater than 5 lbs on top of the appliance as damage to the chassis
may result.
• Always connect the AC power cord to a properly grounded AC outlet to avoid damage
to the system or injury.
• Ensure that the physical location of the installation has adequate air circulation and
meets the minimum operating conditions as provided in the environmental
specifications for the system.
Connecting the Power and Cables
1. Connect one end of an Ethernet cable to local LAN port (Port 1) of the 5300. This port
can be seen as “F” in Figure 1-3. Connect the other end of the cable to your computer’s
Ethernet port.
2. Connect one end of an Ethernet cable to the WAN port (Port 2) of the 5300, shown in
Figure 1-3 as “E,” and the other end to the Ethernet port of an appropriate device based on
your deployment scenario. Please see section 1.2.3 for examples of deployment
scenarios.
3. Connect the 3-pin Shroud Female connector of the power cord to the AC socket on the
5300 shown as “A” in Figure 1-4. Connect the other end of the power cord into an AC
outlet on the wall.
4. Turn on the power by pressing 1 on the power switch (shown as “B” in Figure 1-4).
5. Make sure that the power LED (shown as “B” in Figure 1-3) is solid green and the disk
activity LED (shown as “C” in Figure 1-3) is not solid red.
Figure 1-5 Ear mounts on the 5300

1.2.2.5 Initial Configuration
You can configure the 5300 using a web browser such as Internet Explorer or Netscape
Navigator. The VPN Concentrator 5300 is shipped with the pre-configured IP address
192.168.1.1 for the LAN ports.
To connect to the 5300, follow these steps:
1. Assign static IP address 192.168.1.2 with subnet 255.255.255.0 to the Ethernet
interface of the computer that is connected to the LAN port of the 5300.
2. Launch a web browser on the computer and enter the following URL: http://192.168.1.1.
Press Return and the following login window should appear:
3. Enter the username as “root” and the password as “default” to log into the system.
4. The “System” configuration page should appear now.
5. Select Network from the “Configuration Menu”.
6. Perform the following steps in the “WAN Interface Settings:” section:
— Choose “Static IP Address”
— Set the “IP Address:” to an IP address that is within the subnet of your firewall’s
DMZ. Note: The IP address may be a private IP address.
— Set the “Subnet Mask:”
7. Perform the following steps in the “Network Settings:” section:
— Set the “Default Gateway” to the upstream router’s IP address.
— Set the "Primary DNS Server" and "Secondary DNS Server" to the primary and
secondary DNS servers respectively.
8. Perform the following steps in the “LAN Interface Settings:” section:
— Set the “IP Address:” to an IP address that can be reached from the LAN network.
— Set the “Subnet Mask:”
9. Click the “Submit” button to make the above changes current.
10. Detach the Ethernet cable from the computer’s Ethernet interface and connect it to a
hub or Ethernet switch connecting to the LAN network.
11. Launch a web browser on any computer on the LAN network and enter the LAN IP
address of the 5300. Press Return and log into the system as explained above.
12. Start configuring the system following the information in Chapter 3.

1.2.3 Deployment Scenarios
To secure, restrict or inhibit pass-through traffic to the VPN Concentrator, it must be deployed
behind an enterprise firewall. Connect the WAN port of the VPN Concentrator to the DMZ
network (or port) of the firewall as shown in Figure 1-6. The WAN port should be assigned to a
private IP address (RFC 1918), or an IP address that can be used within a DMZ subnet. Connect
the LAN port of the VPN Concentrator to the LAN network using a LAN IP address from the
LAN’s IP subnet.
Figure 1-6 Connected to WAN through firewall and gateway router

Chapter 2
2.1 Introduction
The SSL based VPN Concentrator enables many remote VoIP Phones to establish secure voice
communications with a ShoreTel telephone system through SSL VPN tunnels. For every SSL
VPN tunnel, a virtual PPP interface is created on the VPN Concentrator. A PPP peer interface
is created at the remote VoIP Phone. The VoIP signaling and media streams passing through
the PPP interface within the SSL VPN tunnel are therefore completely secure through the use
of encryption in SSL.
Figure 2-1 Remote phones connectivity to Headquarters through secure SSL VPN tunnels
A maximum of 10 simultaneous SSL VPN tunnels can be licensed on the 4500. A maximum
of 100 simultaneous SSL VPN tunnels can be licensed on the 5300.
WARNING: If ShoreTel VPN phones will be deployed in remote locations, 911 calls placed from
these phones will be routed to the Public Safety Answering Point (PSAP) nearest
the site that hosts the switch and VPN concentrator. If the remote ShoreTel VPN
phone is outside of the PSAP’s designated area, this will delay or prevent an
effective response.
When remotely deploying a ShoreTel VPN phone, ShoreTel strongly
recommends that you implement a 3rd-party solution which can route
emergency calls to the PSAP that is nearest to the VPN phone. If such a
solution is not available, the remote ShoreTel VPN phone should be clearly
labeled so that its users know these restrictions regarding 911 usage.

2.2 Redundant VPN Concentrators
You can deploy multiple VPN concentrators for the purposes of redundancy and/or load
balancing.
Note: Separately apply each license to enable VPN tunnels. Licenses cannot be reused.
Please refer to section 3.3.2.1 for details on making the remote IP phones aware of multiple
VPN concentrators.
2.3 SSL VPN Authentication Mechanisms
The following authentication modes are supported on the VPN Concentrator:
• User name and password validation – The SSL VPN client on the remote phone is
expected to provide the username and password so that they can be matched against
the following databases:
— Local database (default) – A list of valid usernames and their associated
passwords configured for the authentication in the local database by the
administrators.
— LDAP server database (optional) – This option requires an external LDAP server,
such as Microsoft Active Directory, containing the username and password
information for authentication. LDAP needs to be enabled in the VPN
Concentrator before this database can be used instead of the local database.
• MAC Address Whitelist Validation (optional) – When enabled, a local database of
MAC addresses is used to validate the MAC address of a remote phone. The database
can be populated by the administrators using the GUI. If the MAC address of a remote
phone is not found in this database, then the SSL VPN connection request is rejected.
• MAC Address Blacklist Rejection (optional) – When enabled, a local database of
MAC addresses is used to identify the remote phones that should be denied access to
the network. The database can be populated by the administrators using the GUI. If
the MAC address of a remote phone is found in this database, then the SSL VPN
connection request is rejected.
2.4 Other Features
Understanding of the following features will be helpful in configuring the device:
• IP Address Assignment – A valid pool of IP addresses from the corporate LAN's
internal (private) IP subnet will be used by the VPN Concentrator to assign IP
addresses to the VPN phones via the virtual PPP connections over the SSL VPN. An
IP address pool has to be preconfigured on the VPN Concentrator by the administrator
so that a valid IP address can be assigned to each VoIP phone connected to the VPN
Concentrator.
• Session Timeout – An optional global timeout value for SSL VPN sessions can be
configured by the administrator. Any SSL VPN session will be terminated if it has been
active for the duration of the timeout value.
• Active Sessions – The system maintains a runtime list of all current active SSL VPN
sessions. The administrator can delete one or more active SSL VPN sessions if
necessary.
• History Log – A history log of all connection requests is maintained which includes
information such as success and failure of session establishment, etc.
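
The addressing rules in sections 1.2.3, 2.1 and 2.4 can be checked against a deployment plan before anything is entered in the GUI. The following is an added example, not part of the ShoreTel guide; the plan dictionary, its key names and both sample plans are constructed for illustration.

```python
import ipaddress

# Stated in the guide: licensable tunnel maxima (2.1) and the factory LAN address.
MAX_TUNNELS = {"4500": 10, "5300": 100}
FACTORY_LAN_IP = ipaddress.ip_address("192.168.1.1")


def audit_plan(plan):
    """Return a list of findings for a planned deployment (empty = none).

    The key names in `plan` are hypothetical, chosen for this example;
    they are not a ShoreTel configuration format.
    """
    dmz = ipaddress.ip_network(plan["dmz_subnet"])
    lan = ipaddress.ip_network(plan["lan_subnet"])
    wan_ip = ipaddress.ip_address(plan["wan_ip"])
    lan_ip = ipaddress.ip_address(plan["lan_ip"])
    start = ipaddress.ip_address(plan["pool_start"])
    end = ipaddress.ip_address(plan["pool_end"])
    licensed = plan["licensed_tunnels"]
    findings = []

    # 1.2.3: WAN port addressed from the firewall DMZ, LAN port from the LAN.
    if wan_ip not in dmz:
        findings.append(f"WAN address {wan_ip} is outside DMZ subnet {dmz}")
    if lan_ip not in lan:
        findings.append(f"LAN address {lan_ip} is outside LAN subnet {lan}")
    # Assumption of this example: DMZ and LAN must be distinct subnets.
    if dmz.overlaps(lan):
        findings.append(f"DMZ subnet {dmz} overlaps LAN subnet {lan}")
    if lan_ip == FACTORY_LAN_IP:
        findings.append(f"LAN address is still the factory default {lan_ip}")

    # 2.1: a unit cannot be licensed beyond its model maximum.
    limit = MAX_TUNNELS[plan["model"]]
    if licensed > limit:
        findings.append(f"{licensed} tunnels exceed the {plan['model']} limit of {limit}")

    # 2.4: the pool handed to phones must come from the LAN subnet.
    if start > end:
        findings.append(f"pool start {start} is above pool end {end}")
        return findings
    if start not in lan or end not in lan:
        findings.append(f"pool {start}-{end} is not inside LAN subnet {lan}")
    if start <= lan_ip <= end:
        findings.append("pool contains the concentrator's own LAN address")
    for special in (lan.network_address, lan.broadcast_address):
        if start <= special <= end:
            findings.append(f"pool contains reserved address {special}")
    # One address per tunnel, so the pool must cover every licensed tunnel.
    size = int(end) - int(start) + 1
    if size < licensed:
        findings.append(f"pool has {size} addresses for {licensed} tunnels")
    return findings


# Constructed sample plans (addresses are illustrative only).
GOOD_PLAN = {
    "model": "5300", "licensed_tunnels": 100,
    "dmz_subnet": "172.16.50.0/24", "wan_ip": "172.16.50.10",
    "lan_subnet": "10.20.0.0/22", "lan_ip": "10.20.0.5",
    "pool_start": "10.20.2.1", "pool_end": "10.20.2.100",
}
BAD_PLAN = {
    "model": "4500", "licensed_tunnels": 25,
    "dmz_subnet": "172.16.50.0/24", "wan_ip": "172.16.51.10",
    "lan_subnet": "192.168.1.0/24", "lan_ip": "192.168.1.1",
    "pool_start": "192.168.1.1", "pool_end": "192.168.1.8",
}

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, audit_plan(plan) or "no findings")
```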
