Stonesoft SSL-1030 User manual

Appliance Installation Guide
SSL-1030 and SSL-1060

Legal Information
End-User License Agreement
The use of the products described in these materials is subject to the then current end-user license
agreement, which can be found at the Stonesoft website:
www.stonesoft.com/en/support/eula.html
Third Party Licenses
The Stonesoft software includes several open source or third-party software packages. The appropriate
software licensing information for those products can be found at the Stonesoft website:
www.stonesoft.com/en/customer_care/support/third_party_licenses.html
U.S. Government Acquisitions
If Licensee is acquiring the Software, including accompanying documentation on behalf of the U.S.
Government, the following provisions apply. If the Software is supplied to the Department of Defense
(“DoD”), the Software is subject to “Restricted Rights”, as that term is defined in the DOD Supplement to
the Federal Acquisition Regulations (“DFAR”) in paragraph 252.227-7013(c) (1). If the Software is supplied
to any unit or agency of the United States Government other than DOD, the Government’s rights in the
Software will be as defined in paragraph 52.227-19(c) (2) of the Federal Acquisition Regulations (“FAR”).
Use, duplication, reproduction or disclosure by the Government is subject to such restrictions or successor
provisions.
Product Export Restrictions
The products described in this document are subject to export control under the laws of Finland and the
European Council Regulation (EC) N:o 1334/2000 of 22 June 2000 setting up a Community regime for the
control of exports of dual-use items and technology (as amended). Thus, the export of this Stonesoft
software in any manner is restricted and requires a license by the relevant authorities.
General Terms and Conditions of Support and Maintenance Services
The support and maintenance services for the products described in these materials are provided pursuant
to the general terms for support and maintenance services and the related service description, which can be
found at the Stonesoft website:
www.stonesoft.com/en/customer_care/support/
Replacement Service
The instructions for replacement service can be found at the Stonesoft website:
www.stonesoft.com/en/customer_care/support/rma/
Hardware Warranty
The appliances described in these materials have a limited hardware warranty. The terms of the hardware
warranty can be found at the Stonesoft website:
www.stonesoft.com/en/customer_care/support/warranty_service/
Trademarks and Patents
The products described in these materials are protected by one or more of the following European and US
patents: European Patent Nos. 1065844, 1189410, 1231538, 1231754, 1259028, 1271283, 1289183,
1289202, 1304830, 1304849, 1313290, 1326393, 1361724, 1379037, and 1379046 and US Patent
Nos. 6,650,621; 6,856,621; 6,912,200; 6,996,573; 7,099,284; 7,127,739; 7,130,266; 7,130,305;
7,146,421; 7,162,737; 7,234,166; 7,260,843; 7,280,540; 7,325,248; 7,360,242; 7,386,525;
7,406,534; 7,461,401; 7,573,823; 7,721,084; and 7,739,727 and may be protected by other EU, US, or
other patents, or pending applications. Stonesoft, the Stonesoft logo and StoneGate, are all trademarks or
registered trademarks of Stonesoft Corporation. All other trademarks or registered trademarks are property
of their respective owners.
Disclaimer
Although every precaution has been taken to prepare these materials, THESE MATERIALS ARE PROVIDED
"AS-IS" and Stonesoft makes no warranty to the correctness of information and assumes no responsibility
for errors, omissions, or resulting damages from the use of the information contained herein. All IP
addresses in these materials were chosen at random and are used for illustrative purposes only.
Copyright © 2013 Stonesoft Corporation. All rights reserved. All specifications are subject to change.
Revision: AIG_SSL-1030_20130318

Introduction
Thank you for choosing a Stonesoft™ appliance. This guide provides
instructions for the initial hardware installation and the maintenance of
the SSL-1030 and SSL-1060 appliances. See Product Documentation
(page 4) for information on other available documentation.
The use of the appliance is subject to the acceptance of the End User
License Agreement, which can be found at the Stonesoft web site.
Contents
Installation Procedure
Product Documentation
Safety Precautions
Unpacking the Appliance
Front Panel
Rack-Mounting
Connecting the Cables
Configuring the Appliance
Managing the Appliance
Maintenance Operations
Disposal Instructions
Caution – Never open the covers of the appliance! There are no user
serviceable parts inside. Opening the covers may lead to serious
injury and will void the warranty. Read the Safety Precautions (page 4)
before you conduct any installation or maintenance operations on the
appliance.

Installation Procedure
The appliance installation involves the following mandatory steps:
1. Install the appliance into a rack and connect the cables. See
Rack-Mounting (page 9) and Connecting the Cables (page 13).
2. Configure the basic system settings (time, interfaces, and
routing), and import the license and a certificate. See Configuring
the Appliance (page 15).
Product Documentation
The available PDF documentation can be accessed through the SSL VPN
Administrator’s front page. The SSL VPN Administrator also has
embedded instructions that you can open by clicking the Help link or
question mark icon on the various pages.
Install the free Adobe Reader program to view the PDF documents
(available at www.adobe.com/reader/).
Safety Precautions
The following safety information and procedures must be followed
whenever working with the Stonesoft appliance. However, be advised
that Stonesoft appliances are not end-user serviceable, and you must
never open the appliance covers for any reason. Doing so may lead to
serious injury and will void any hardware warranty that may be
associated with your appliance.
Electrical Safety Precautions
Basic electrical safety precautions should be followed to protect yourself
from harm and the appliance from damage:
• Be aware of the locations of the power on/off switch as well as the
room's emergency power-off switch, disconnection switch, or
electrical outlet. If an electrical accident occurs, you can then quickly
cut power to the system.
• Do not work alone when working with high voltage components.
• Use only one hand when working with powered-on electrical
equipment. This is to avoid making a complete circuit, which will
cause electrical shock. Use extreme caution when using metal tools,
which can easily damage any electrical components or circuit boards
they come into contact with.

• Do not use mats designed to decrease electrostatic discharge as
protection from electrical shock. Instead, use rubber mats that have
been specifically designed as electrical insulators.
• The power supply cord must include a grounding plug and must be
plugged into a grounded electrical outlet.
General Safety Precautions
Follow these rules to ensure general safety:
• Keep the area around the appliance clean and free of clutter.
• We recommend using a regulating uninterruptible power supply (UPS)
to protect the appliance from power surges and voltage spikes and to
keep your system operating in case of a power failure.
ESD Precautions
Electrostatic discharge (ESD) is generated by two objects with different
electrical charges coming into contact with each other. An electrical
discharge is created to neutralize this difference, which can damage
electronic components and printed circuit boards. Use a grounded wrist
strap designed to prevent static discharge.
Operating Precautions
Care must be taken to assure that the appliance’s cover is in place
when the appliance is operating to ensure proper cooling. If this rule is
not strictly followed, the warranty may become void.
Operating and Storage Temperatures
The allowed operating temperature of the appliance is 0...+40°C. The
allowed storage temperature is -20...+70°C. Do not operate or store the
appliance in temperatures outside these limits.
Caution – Never open the appliance covers! There are no user
serviceable parts inside. Opening the covers may lead to serious
injury and will void the warranty.
Note – Use a UPS (Uninterruptible Power Supply) in critical
environments with your Stonesoft appliance. If after a brief power
outage your Stonesoft appliance only partially starts up (for example,
the power light is on, but the NIC LEDs are off and the appliance does
not connect) turn the appliance off for five seconds and then back on.

Lithium Battery Precautions
Caution – Do not change the battery; the battery must be replaced by
authorized service personnel only. Danger of explosion if battery is
incorrectly replaced. Replacement battery must be same or equivalent
type recommended by the manufacturer. Used batteries must be
discarded according to the manufacturer’s instructions.
Short-circuiting the battery may heat the battery and cause severe injuries.
For California:
Perchlorate Material - special handling may apply. See
www.dtsc.ca.gov/hazardouswaste/perchlorate.
This notice is required by California Code of Regulations, Title 22,
Division 4.5, Chapter 33: Best Management Practices for Perchlorate
Materials. This product/part includes a battery that contains Perchlorate
material.
Unpacking the Appliance
Inspect the box that the appliance was shipped in and note if the box is
damaged in any way. If the appliance itself shows any damage, file a
damage claim with the carrier who delivered the appliance.

Front Panel
The connectors are explained in detail in Connecting the Cables
(page 13). The front panel indicator lights are explained below.
Power and Disk Activity
Note – Standby power is supplied to the system even when the
appliance is turned off.
Table 1 Power and Disk Activity Indicators
Indicator      Status  Explanation
Power          Blue    Indicates power is being supplied to the system's power supply unit. This LED is illuminated when the system is operating normally.
Disk Activity  Red     Indicates hard drive activity when flashing.
[Figure: front panel, showing the power and disk activity indicators, the port indicators, and the rack-mounting brackets]

Fixed Ports
Table 2 Indicators for Fixed Ports
Indicator  Status  Explanation
Activity   Unlit   No link.
Activity   Amber   Link ok.
Link       Unlit   Speed is 10 Mbps.
Link       Green   Speed is 100 Mbps.
Link       Orange  Speed is 1 Gbps.
[Figure: fixed port, showing the Activity and Link indicators]
Back Panel
[Figure: back panel, showing the AC power connector and the power on/off switch]

Rack-Mounting
This section provides information on installing the Stonesoft appliance
into a rack unit. You can install the appliance into a two-post or a
four-post rack unit.
Preparing for Rack-Mounting
The appliance delivery includes four (4) six-millimeter screws for
attaching the appliance into a rack unit. Read the sections below before
you begin the installation.
Choosing a Setup Location
Decide on a suitable location for the rack unit that will hold the
appliance:
• The appliance must be situated in a clean, dust-free area that is well
ventilated.
• Avoid areas where heat, electrical noise, and electromagnetic fields
are generated.
• Leave enough clearance in front of the rack to enable you to open the
front door completely (~63 cm/25 inches).
• Leave enough clearance in the back of the rack to allow for sufficient
airflow and ease in servicing (~76 cm/30 inches).
Rack Precautions
• Ensure that the leveling jacks on the bottom of the rack are fully
extended to the floor with the full weight of the rack resting on them.
• In single rack installation, attach stabilizers to the rack.
• In multiple rack installations, couple the racks together.
• Always make sure the rack is stable before extending a component
from the rack.
• Extend only one component at a time—extending two or more
simultaneously may cause the rack to become unstable.
Device Precautions
• Determine the placement of each component in the rack before
starting the installation.
• Install the heaviest appliance components on the bottom of the rack
first, and then work up.
Caution – Read the Safety Precautions (page 4) before proceeding.

• The appliance must be connected to a grounded power outlet.
• Use a regulating uninterruptible power supply (UPS) to protect the
appliance from power surges and voltage spikes and to keep your system
operating in case of a power failure.
• Always keep the rack's front door and all panels and components on
the appliances closed when not servicing to maintain proper cooling.
Before Installing the Appliance Into a Rack
• Make sure that the rack is securely anchored onto an unmovable
surface or structure before installing the appliance into the rack.
• Make sure that the system is adequately supported. Make sure that
all the components are securely fastened to the appliance to prevent
components falling off from the appliance.
• Be sure to install an AC power disconnect for the entire rack
assembly. This power disconnect must be clearly marked.
• The rack assembly must be properly grounded to avoid electric shock.
• The rack assembly must provide sufficient airflow to the appliance for
proper cooling.
Installing the Appliance Into a Rack
This section provides information on installing the appliance into a rack
unit. There are a variety of rack units on the market, so the assembly
procedure may differ slightly from what is instructed. If necessary, refer
to the instructions that came with the rack unit you are using.
If you are installing the appliance into a Telco-type rack, follow the
general directions below. The main difference in the installation
procedure is whether you are installing the appliance into a four-post
rack or a two-post rack. Proceed to one of the following:
• Installing the Appliance Into a Four-Post Telco Rack
• Installing the Appliance Into a Two-Post Telco Rack (page 11)
Installing the Appliance Into a Four-Post Telco Rack
If you are installing the appliance into a four-post Telco-type rack, the
rack-mounting brackets on the appliance are in the right position for the
installation. You only need to attach the rack-mounting brackets to the
rack using the four (4) screws provided in the delivery package.
Note – Do not install the appliance upside down.

To install the appliance into a four-post Telco rack
1. Attach a rack-mounting bracket to the rack with two screws
through the holes in the front of the bracket: one screw through
the top hole and another through the bottom hole in the bracket
(see the front panel illustration for the location of the holes).
2. Repeat step 1 with the bracket on the other side of the appliance.
Proceed to Connecting the Cables (page 13).
Caution – You must use two screws to attach each rack-mounting
bracket to the rack. Using only a single screw for each bracket does
not provide sufficient support and may cause damage to the
appliance.
Installing the Appliance Into a Two-Post Telco Rack
If you are installing the appliance into a two-post Telco-type rack, you
must move the rack-mounting brackets into the correct position on the
side of the appliance before attaching the rack-mounting brackets to the
rack.
To install the appliance into a two-post Telco rack
1. Remove the six (6) screws on the side of the appliance to detach
the rack-mounting bracket from the appliance.
• You can optionally also remove the lifting handle from the bracket
by removing the screws that hold the handle to the bracket.
2. Move the rack-mounting bracket to the back of the appliance and
re-attach the bracket with three of the screws. It is also
recommended to re-attach the three remaining screws back to the
front of the appliance.
3. Repeat steps 1 and 2 with the bracket on the other side of the
appliance.
4. Attach each bracket to the rack with two screws through the holes
in the front of the bracket: one screw through the top hole and
another through the bottom hole in the bracket (see the front panel
illustration for the location of the holes).
Proceed to Connecting the Cables (page 13).
Caution – You must use two screws to attach each rack-mounting
bracket to the rack. Using only a single screw for each bracket does
not provide sufficient support and may cause damage to the
appliance.

Connecting the Cables
Connecting Network Cables
To connect network cables
1. Connect the network cables to the Ethernet ports.
• The ports are numbered 0-1 or 0-5 depending on the appliance
model. The port numbers increase from left to right.
2. Connect the supplied network cable to the management port eth0
and to the network port of a computer that you will use to
configure the appliance.
• The default IP address of the management port is
192.168.100.1. You can change the default IP address when you
configure the appliance. Configure the computer you use for
connecting to the appliance to use an IP address in the same
network (192.168.100.0/24). See Configuring the Appliance
(page 15) for information on how to connect to and configure the
appliance.
• The administration port’s IP address is active only when a
network cable is plugged into the port.
• If you want to manage the appliance remotely, we recommend
that you set up access through the Application Portal in the same
way as other services that the appliance offers to users.
Cable Types
Make sure that the copper cables you use are correctly rated (CAT 5e or
CAT 6 in gigabit networks).
Note – When the appliance is powered and you need to unplug it,
always wait at least five (5) seconds before plugging in the appliance
again. If you wait less than five seconds, the appliance may not have
time to clear properly and may fail to start.
[Figure: connectors, showing the two USB ports, the serial port, and the two or six Ethernet ports (number depends on appliance model)]

Speed/Duplex Settings
Network cards at both ends of each cable must have identical speed/
duplex settings. This also applies to the automatic negotiation setting: if
one end of the cable is set to autonegotiate, the other end must also be
set to autonegotiate. Gigabit standards require interfaces to use
autonegotiation—fixed settings are not allowed at gigabit speeds.
Connecting the Appliance to the Power Supply
To connect the appliance to the power supply
1. Connect the power cable to the AC power connector on the back of
the appliance.
2. Plug the power cord into a grounded, high-quality power strip that
offers protection from electrical noise and power surges.
• We highly recommend using an uninterruptible power supply
(UPS) to ensure continuous operation and minimize the risk of
damage to the appliance in case of sudden loss of power.
Note – Standby power is supplied to the system even when the
appliance is turned off.

Configuring the Appliance
Before the appliance can offer any services to the users, you must
configure the networking settings for all interfaces you intend to use.
Start by Defining the Basic Settings.
Defining the Basic Settings
The only interface that is defined when you receive the appliance is the
management port (eth0). The default IP address of the management
port is 192.168.100.1. You can change the default IP address and
other default settings for the appliance in the Engine Configuration
Wizard.
To start the Engine Configuration Wizard
1. Connect the appliance to a computer using the serial cable
supplied with the appliance.
2. On the computer, open a terminal with the following settings:
9600 bps, 8 databits, 1 stopbit, no parity.
3. Turn on the appliance using the power on/off switch. The engine
bootup process is shown in the console and, after some time, the
Engine Configuration Wizard starts.
To set the keyboard layout
1. Highlight the entry field for Keyboard Layout using the arrow keys
and press Enter. The Select Keyboard Layout dialog opens.
2. Highlight the correct layout and press Enter.
Tip: Type in the first letter to move forward more quickly in the list of keyboard
layouts.
Note – If the desired keyboard layout is not available, use the
best-matching available layout, or select US_English.
To set the engine’s timezone
1. Highlight the entry field for Local Timezone using the arrow keys
and press Enter.
2. Select the correct timezone in the dialog that opens.
Note – The timezone setting affects only the way the time is displayed
on the engine command line. The actual operation always uses UTC
time.

To set the rest of the OS settings
1. Type in the name of the SSL VPN engine.
2. Highlight the entry field for Web Console and SSL-VPN admin
Password and press Enter to change the password that the user
admin uses to access the SSL VPN Web Console and the SSL VPN
Administrator.
• By default, the password is Pass1234. We strongly advise you to
change the password either in this dialog or after logging in to the
SSL VPN Web Console for the first time.
3. Enter the Web Console IP Address and the Web Console IP
Netmask. The default IP address of the SSL VPN Web Console is
192.168.100.1.
4. (Optional) Enter the Web Console IP Default Gateway IP address
through which outgoing traffic is routed.
5. (Optional) Highlight Enable SSH Daemon and press the spacebar
to allow remote access to engine command line using SSH.
6. Highlight Finish and press Enter. The Engine Configuration Wizard
closes.
Note – Changing the password for the admin user in the Engine
Configuration Wizard sets the same password for both the SSL VPN
Web Console and the SSL VPN Administrator.
Note – It is not necessary to enable the SSH daemon now for ongoing
management. You can also set this option through the SSL VPN Web
Console. We recommend that you enable the SSH access only when
needed and then disable the access again when you are done.
Continue by Logging in to the SSL VPN Web Console.
Logging in to the SSL VPN Web Console
The SSL VPN Web Console is used for interface configuration and other
such basic operating-system-level settings.
To log in to the SSL VPN Web Console
1. Open the web browser on the computer attached to the appliance
and connect to the SSL VPN Web Console at the address
https://<Web Console IP Address>:10000. The SSL VPN
Web Console login page opens.
• If you did not change the SSL VPN Web Console IP address in the
Engine Configuration Wizard, the address is the default SSL VPN
Web Console address (https://192.168.100.1:10000).
2. Log in. By default, the username is admin and the password is
Pass1234.
• If you changed the SSL VPN Web Console and SSL VPN
Administrator admin password in the Engine Configuration
Wizard, log in using the new password, and continue by Setting
System Time (page 20).
• If you did not change the password in the Engine Configuration
Wizard, we strongly advise you to change the password according
to the following instructions.

Changing the Admin Password in the SSL VPN Web Console
Changing the password for the admin user in the SSL VPN Web Console
sets the same password for the admin user in both the SSL VPN Web
Console and the SSL VPN Administrator.
To change the password for the SSL VPN Web Console and the SSL VPN Administrator
1. In the SSL VPN Web Console, expand System in the menu on the
left and select Admin Password.
2. Enter a new password in both fields on the right and click Change.
Note – If you have previously set a different password for the admin
user in the SSL VPN Administrator, you must set the SSL VPN
Administrator admin password again after changing the admin
password in the SSL VPN Web Console. See Changing the Admin
Password in the SSL VPN Administrator (page 28).
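Once the basic settings are done, the two management services configured above (the Web Console on port 10000 and the optional SSH daemon) can be checked from each network the appliance is attached to. The following is an added example, not part of the Stonesoft guide; the function names, the per-network policy table, and SSH listening on port 22 are assumptions.

```python
import socket

WEB_CONSOLE_PORT = 10000  # from the guide: https://<Web Console IP Address>:10000
SSH_PORT = 22             # assumption: the SSH daemon uses the standard port

# Expected reachability per vantage point. This policy is an assumption built
# on the guide's advice: the Web Console is reached from the management
# network, remote management goes through the Application Portal instead of
# the management services, and SSH is enabled only while it is needed.
EXPECTED = {
    "management": {WEB_CONSOLE_PORT: True, SSH_PORT: False},
    "user": {WEB_CONSOLE_PORT: False, SSH_PORT: False},
}


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port can be established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(host, vantage, maintenance=False, probe=tcp_open):
    """Compare reachable management ports with the expected state.

    host        -- appliance address as seen from this vantage point
    vantage     -- "management" or "user": the network the check runs from
    maintenance -- True while SSH has been enabled on purpose
    probe       -- callable(host, port) -> bool; replaceable for offline runs
    Returns a list of findings; an empty list means the state is as expected.
    """
    if vantage not in EXPECTED:
        raise ValueError(f"unknown vantage point: {vantage!r}")
    findings = []
    for port, want_open in EXPECTED[vantage].items():
        if port == SSH_PORT and vantage == "management" and maintenance:
            continue  # SSH was switched on deliberately for current work
        is_open = probe(host, port)
        if is_open and not want_open:
            findings.append(f"{vantage}: port {port} reachable but should be closed")
        elif want_open and not is_open:
            findings.append(f"{vantage}: port {port} expected open but unreachable")
    return findings


if __name__ == "__main__":
    # Constructed reachability map standing in for live probes, so the demo
    # runs offline: SSH was left enabled after the initial configuration.
    reachable = {("192.168.100.1", WEB_CONSOLE_PORT), ("192.168.100.1", SSH_PORT)}

    def fake_probe(host, port):
        return (host, port) in reachable

    for vantage in EXPECTED:
        for finding in audit("192.168.100.1", vantage, probe=fake_probe):
            print(finding)
```

For a live check, call audit() without the probe argument from a computer on each network in turn.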
Setting System Time
The system time must be set correctly for proper operation (it is used,
for example, in Access rules, certificate validity checking, and log entries).
To set the system time
1. Expand Hardware in the menu on the left and select System Time.
2. Select the correct Time Zone and click Save.
3. Change the time in the System Time section and click Apply.
4. Synchronize the times by clicking Copy from system time.
Configuring Interfaces
You must add at least one interface in addition to the management port
to offer services to your users (a typical configuration requires two or
more additional interfaces). If you plan to create a pair of mirrored
appliances, we recommend using port eth1 on the appliances’ back
panel for communications between the pair of mirrored appliances. See
the SSL VPN Administrator’s Guide for instructions on how to set up a
mirrored pair.