The Switchboard Menu (optional)

This section describes the Endian Switchboard and the functionalities it provides, including management options for the devices, the users, and their rights.

The Endian Switchboard is a VPN-based solution for controlling and managing complex infrastructures: it provides a seamless connection of diverse remote devices, called endpoints, to a centralised server through gateways. Remote gateways and endpoints can be centrally managed directly from the Switchboard or through the Endian Connect App, a desktop application that provides the same functionalities as the Switchboard. Devices can be accessed and managed by users, who are also created and managed on the Switchboard and can have different access levels to the gateways and endpoints. Endpoints are accessed from remote workstations using application profiles.

Gateways can be added to the Switchboard in a matter of minutes thanks to the Plug & Connect / Autoregistration procedure, which registers the gateway with Endian Network and configures the Green Zone and the VPN tunnel to the Switchboard. Once the Plug & Connect procedure has completed successfully, the gateway is immediately available to the Switchboard users.

See also

A detailed description of the Plug & Connect procedure can be found in this article <http://help.endian.com/hc/en-us/>.

The various actors involved in the architecture are described in more detail below.

Figure 1: An example switchboard installation with most of the possible involved actors shown.

Switchboard

The Switchboard is the heart of the whole infrastructure. It stores all the configuration data about gateways and users, the log files, the access policies, and keeps track of the connections. It can be accessed in two ways:

  1. By using a browser that points to the URL https://GREENIP:10443/manage/access, in which GREENIP is the IP Address of the appliance it is installed on.
  2. By installing the Connect App on a workstation that remotely accesses the appliance on which the Switchboard is installed.

Endpoint

In principle, an endpoint can be any kind of equipment that can connect via the Internet: industrial machinery, remote workstations, servers, and so on. Each endpoint has its own IP address and may connect to the local network and/or to the Internet by means other than the gateway. The only requirement is that the endpoint be reachable by the gateway.

Each endpoint can be connected to only one gateway and receives a unique IP address (called virtual IP in the architecture) that falls within the GREEN network of the gateway. The endpoint’s virtual IP may change when the network has to be resized, for example when new endpoints are added to it.

Gateway

A gateway is the door through which the Switchboard manages endpoints and allows connections to them. It can be easily configured and activated using gateway provisioning. Gateways are directly connected to the Switchboard by means of a VPN tunnel and take care of routing connections between the Switchboard and the endpoints.

Gateways can be organised in groups and usually operate in “normal” mode: they connect to the endpoints they control through their GREEN interface and to the Internet through the RED interface. In some specific setups, gateways can be set up with a single zone for both the uplink and the network. The GREEN subnet can be resized when the number of endpoints grows.

Device

The term device refers to either an endpoint or a gateway.

User

A user is anyone who can in some way access and interact with the Switchboard, a gateway, or an endpoint. Users can be arranged in user groups, in which a user can play one of two roles: member or administrator of the group. In the latter case, the user can manage the members of the group.

Application profile

An application is one method of remotely accessing an endpoint from a remote workstation; it is defined by the path on the workstation to the program executable and by optional command arguments. Since there are several ways to connect to an endpoint, applications can be grouped into application profiles, which encompass all the ways to access the same type of endpoint. Each endpoint has one application profile attached, which defines all the ways to reach it.
Access policy

The basic access policy on the Switchboard is that a user can have access to one or more gateways and to all the endpoints managed by these gateways.

More advanced permissions can be granted to a user, including the ability to manage users, devices, applications, organizations and use the API.

Exclusive Access

The Endian Switchboard implements an additional access policy called Exclusive access, which can be granted at endpoint, gateway, or organization level. When this policy is enabled, only one user at a time can connect to that component: when another user tries to access it, the Switchboard prevents the connection. The rationale behind this policy is that when a user operates on a critical part of the infrastructure, for example a gateway controlling several sensitive endpoints, nobody else can interfere.

This policy is set globally: in the same Switchboard installation, there cannot be some organizations (resp. gateways, endpoints) that allow exclusive access and some that do not. Moreover, the policy is propagated down the hierarchy: if an organization is set to exclusive access, all its gateways also have exclusive access set, and so do their endpoints.

Finally, note that this policy can be disabled, granting everyone concurrent access to the whole infrastructure.

Organization

When deployed in large and complex scenarios, the management of users and devices on the Switchboard can be simplified by dividing all the available resources into small, self-contained units called organizations. Organizations can be organised in hierarchies, and each of them consists of users, devices, and application profiles. The root organization retains some specific settings, called root node characteristics (see Organizations for details), while as a general rule sub-organizations inherit access policies and application profiles, although these can be overridden.

Connections

This page contains a table showing all devices configured on the Switchboard, along with the following information for each of them:

  • The device name, which may refer to two different types of objects: gateways and endpoints, with the latter indented to highlight their role and the gateway they are connected to. The icon of a device turns grey if it is online, and green if someone is connected to it.

    Note

    A small triangle on the left of a gateway denotes the presence of at least one endpoint managed by that gateway.

  • The groups to which the device belongs.

  • A description of the device.

  • The device’s status, which is either available when it is connected, or offline otherwise.

  • The users connected to the device.

Above the table there is a switch that can be clicked to hide or show all endpoints at once, while on the right-hand side there is a filter, useful to search among all devices defined in the Switchboard. Matching devices appear as soon as one character is typed, and all those that do not match are hidden. The search covers all the fields in the table, making the filtering more effective.

When clicking on a device, gateway or endpoint, an overlay appears, showing various types of information about the device.

The upper part shows the name of the device and the organization it belongs to, along with its status (online or offline).

The middle section contains two tabs, Applications and Logs. The first one, Applications, lists the applications that can be used to connect to the device. The legend informs about the device’s status:

  • Active. There is an ongoing connection to the switchboard from the current workstation.
  • Busy. Someone is connecting to the device from another location.
  • Inactive. There is no connection to the device.

The Logs tab contains all the actions and events that took place on the selected device. The logs shown here are the same that can be found in the Switchboard‘s Logs section when a filter containing the name of the device is applied. More information about the data contained in the table and the actions logged can be found in the above-mentioned Logs section.

At the bottom, the information displayed depends on the device: for a gateway, its name and organization are shown; for an endpoint, its real and virtual IP addresses and the gateway through which it is reachable are shown as well.

Note

To remotely connect to an endpoint, an application uses in most cases the virtual IP Address assigned by the Switchboard, although in some cases the real IP address is required.

Users

This page is composed of two tabs, namely Users and Groups. In the former, user management can be carried out, while in the latter, users can be arranged into groups.

Users

In this page, all the users having the rights to connect to the Switchboard are listed in a table that shows the following data:

  • The e-mail address of the user, which also acts as the username.
  • A description of the user (e.g., the real name).
  • The groups the user belongs to.
  • The actions that can be carried out on each user:
    • on off - enable or disable the user.
    • swedit - modify the user.
    • delete - remove the user.
    • logs - see user’s activity log.

New users can be added by clicking on the Add User link at the top of the page, while the certificate needed by the users to connect to the Switchboard can be downloaded by clicking on the Download CA Certificate link.

In the users editor, the configuration options that can be defined are grouped into these tabs: User, Groups, Permissions, Additional user information, and Provisioning.

User

This tab gives access to some basic information about the user.

Email address
The username for the new user. It must be unique.
Organization
The organization to which the user belongs. This option is available only if at least one organization has been created.
Description
The real name or a description of the user.
Password, Confirm password
Enter the user’s password twice. It must be at least eight characters long and contain a non-alphanumeric character.

Groups

This tab contains a Multiselect box for choosing the groups the user is a member of. At least one user group must have been defined.

Roles in user groups
The role that the user can assume in every group: either member of or administrator of. One role per selected group can be chosen.

Permissions

In this tab, the permissions a user has on the other nodes and users of the Switchboard can be selected. Items in the right column of the multiselect box are the permissions granted to the user, while those in the left column are not available to the user. Click on the + on the right-hand side of an item to grant a permission, and on - to remove it.

Global permissions

The user can be granted several permissions:

  • Superuser (full control): The user can fully manage the Switchboard.
  • Access to sub organizations: The user can access organizations.
  • Manage users: The user can manage other users.
  • Manage devices: The user can manage devices.
  • Manage applications: The user can manage the actions.
  • Manage organizations: The user can manage the organizations.
  • Use the API: The user can access and use the Switchboard‘s API.
  • Push route to GREEN | BLUE | ORANGE zone: When one or more of these options is selected, appropriate routes to the subnets governed by the Switchboard will be pushed to the user.

Any combination of these values can be associated with the user.

Hint

It is possible to use the two shortcuts Add all and Remove all to assign or remove all permissions at once.

Additional user information

More detailed information about the user can be supplied in this tab, including the certificate to be used for the authentication.

Address, Address line 2
The address of the user, split into two lines if necessary.
City
The city where the user is located.
ZIP code
The city’s ZIP code.
State or province
The state or the province where the user is located.
Country
The country where the user is located, chosen from the drop-down menu.
Job
The user’s job or role.
Certificate configuration

The drop-down menu allows configuring the user’s certificate. The available options are:

  • Don’t change. Leave the current certificate. If the user does not yet have a certificate, one must be created.
  • Generate a new certificate. Create a certificate.
  • Upload a certificate. Upload a user certificate.
  • Upload a certificate request. Upload a user certificate request.

If no certificate has been assigned to the user, the message Create a certificate via the ‘Certificate configuration’ is shown.

Additional options appear when selecting an option, except for the Don’t change choice.

By choosing Generate a new certificate, these new options are:

Organizational unit name
The name of the organizational unit to which the user belongs.
Organization name
The name of the user’s organization.
Subject alt name
An alternative name for the subject of the certificate.
Certificate digest algorithm
The digest (hash) algorithm used when signing the certificate, chosen among the available options: SHA1, SHA2 224, SHA2 256, SHA2 384, or SHA2 512. SHA1 is no longer considered secure for certificate signatures, so one of the SHA2 options should be preferred.
PKCS12 file password, PKCS12 file password Confirmation
A password to protect the file in which the certificate is stored.
Validity (days)
How many days the certificate is valid.

When selecting Upload a certificate, these options show up:

Certificate (PKCS12/PEM)
By clicking on the Browse button or on the textfield, a file chooser will open, in which to supply the path to the certificate to be uploaded.
PKCS12 file password
The password for the certificate, if needed.

Finally, the following two options appear with the choice of Upload a certificate request.

Certificate Signing Request (CSR)
By clicking on the Browse button or on the textfield, a file chooser will open, in which to supply the path to the CSR to be uploaded.
Validity (days)
How many days the certificate is valid.

Provisioning

This tab contains two options for managing the user’s Endian Network credentials.

Endian Network account
The username used to access Endian Network.
Endian Network password or registration key
The password of the Endian Network account or the Endian UTM Appliance‘s registration key.

Groups

A user group is a set of users that have access to one or more gateways or gateway groups with specific roles and permissions.

The page initially shows only the Add new User Group link and an empty table carrying the list of all the groups and some information about them:

  • The name assigned to the group.
  • A description of the group.
  • The available actions on each of them:
    • swedit - Modify the user group.
    • delete - Remove the user group.
    • logs - View the log files for the user group.

When clicking on the Add new User Group link (which becomes Add Group when at least one group already exists), the editor opens right above the table. In the three tabs that compose the editor, new user groups can be defined by supplying the following data:

Group

This is the tab in which to define a new user group.

Group name
The name given to the group. It is mandatory and must be unique.
Organization
The organization to which the group belongs. This option is available only if at least one organization has been created.
Description
A description of the group.

Members

In this tab it is possible to add users to the group, using a Multiselect box.

User roles in this user group
Select which users belong to the group and their role: From the multiselect box Add as choose the role, which is either member of or administrator of the group, then the user(s), by clicking on the + next to each user.

Devices

This page contains two tabs, Devices, in which to manage all devices reachable from the switchboard, and Groups, in which to configure groups of devices.

Devices

On this page a table containing the list of all the gateways that have already been configured is shown. It contains the following information:

  • The name of the gateway.
  • A description of the gateway.
  • The serial number of the gateway.
  • The groups of which the gateway is part.
  • The available actions:
    • on off - enable or disable the gateway.
    • swedit - modify the gateway.
    • delete - remove the gateway.
    • logs - see gateway’s activity log.
    • dlmail - Download the configuration of the gateway, a text file that contains all configuration options and the certificate used by the gateway.

Above the table three links are shown.

The first one, Plug & Connect (Autoregistration), starts the registration of a remote gateway with the Switchboard. This three-step procedure needs a remote device connected to the Internet and a valid Activation Code for that device. By clicking on the link, a new panel appears, in which only one option is available.

Activation Code
Supply the activation code for the remote device to be connected.

After clicking on the Next button, a new screen appears, showing an image of the appliance and a few options.

Description
A description for the appliance. The default, self-generated value can be accepted.
Admin Password
Enter the password for the admin user, who will access the appliance by HTTPS.
Root Password
Enter the password for the root user, who will access the appliance by SSH or by console.
Use the same password for admin and root user
In order to use the same password for both users, tick this checkbox.

After this step, it is necessary to connect the WAN port of the remote appliance to the Internet, for the last step of the procedure.

Hint

The remote device must be able to communicate using port 443 TCP for the procedure to complete successfully.

After a few minutes the new gateway is shown in the list alongside the gateways already registered on the Switchboard. If for some reason the procedure is not successful, error messages are shown, along with a link to the troubleshooting document.

See also

A detailed description of the plug & connect procedure, which includes detailed requirements, more in-depth description, and troubleshooting options, can be found in this article <http://help.endian.com/hc/en-us/>.

When clicking the Add Gateway link, the gateway editor will open right above the table and a new device can be created. The editor consists of several tabbed pages, in which to configure all the different options of the gateway.

When clicking on the Download CA certificate link, the Switchboard‘s CA certificate will be downloaded. This certificate must be used when configuring the VPN connection on the device itself.

Gateway

This tab contains the basic setup options for the gateway.

Name
The name assigned to the new gateway, which must be unique. A default name is generated, but can be changed at will.
Organization
The organization to which the gateway belongs. This option is available only if at least one organization has been created.
Description
A description for the device.
Serial Number
The serial number of the gateway. This option is displayed only if Auto registration is not enabled.
Password, Confirm password
The password to access the gateway. Tick the checkbox on the right-hand side of the textbox to show the password in clear text. This option is displayed only when Auto registration is disabled.
Enabled
Tick the checkbox to enable the device.

Groups

In this tab it is possible to choose the groups to which the gateway will belong.

Endpoints

This tab contains information about all the endpoints that can be reached from the gateway and can be used to manage them.

Maximum number of endpoints

The first information to be supplied is an approximate estimate of the number of endpoints that will be governed by the gateway.

Note

This information is particularly relevant, as it is used to create a virtual network in which to accommodate all the IPs assigned to each endpoint. In case of doubt, choose a size larger than the actual number of endpoints, or the network will not suffice to accommodate additional endpoints.

Local Network
The network used by the endpoints, in CIDR Notation.
Do not translate real IPs into virtual IPs
When this checkbox is ticked, the endpoint will not be accessed via its virtual IP address, but via its real IP address.
Virtual Network
The virtual IP address to be assigned to the endpoint.

Note

When the option Enable automated virtual subnet assignment in the Switchboard settings section is enabled, this option does not appear, because an IP address for each endpoint is then assigned automatically.

Endpoints

A table showing all the endpoints controlled by the gateway, along with the following information:

  • The name of the endpoint.
  • The endpoint’s IP address.
  • A description of the endpoint.
  • The application profile used to access the endpoint.
  • The Enabled status, i.e., whether the endpoint is active or not.
  • The Source Nat status. If active (“yes”), the endpoint will see all the traffic as originating from the gateway. This setup can prove useful when, e.g., the endpoint is situated behind a firewall and can not communicate with the outside.
  • A custom field.

Each field in each table row can be edited by double-clicking on it: depending on the type of information it carries, a field shows either a drop-down menu (e.g., a “yes-no” choice for the Enabled column, or the available profiles for the Application Profile column) or a text field (all the others).

The management of the endpoints can be done using the buttons at the bottom of the table:

Add row
This option allows a new endpoint to be added to the gateway. Its configuration can be carried out by double-clicking on the fields of the new row.
Delete row
By clicking on this button, the highlighted endpoint is eliminated from the gateway. This button is active only when one row is selected.

Warning

The deletion of a row is immediate and can not be reversed.

Show CSV
This button replaces the table with a text field containing the same information in CSV format, useful to export the configuration of all endpoints.
Validate
Check whether the information inserted in the highlighted row is valid.

Permissions

The users or groups of users that shall have access to this gateway can be added from the multiselect box in this tab. Each user can assume the role of either regular user or manager of the gateway.

If a group is selected, all members of that group can be selected as regular user or manager.

Provisioning

In this section it is possible to define the configuration for a remote gateway. The available configuration options are:

Model
Choose the model of the device from those available in the drop-down menu.
Activation code
The activation code used to set up the gateway.

Immediately after the choice of the model, all the configuration options for it will be displayed and can be configured.

Note

Depending on the type of the model chosen, some of the options available will be filled in with suitable values.

Root password
Choose the password for the root user, used for SSH (console) access.
Admin password
Choose the password for the admin user, used for HTTPS (browser) access.
Host name
The hostname of the gateway.
Domain name
The gateway’s domain name.
Company
The company to which the gateway belongs.
E-mail
The reference e-mail for the gateway, usually of the responsible person for that gateway.
Timezone
The timezone in which the gateway is located.
Country
The country where the gateway is located.
Red type
The type of the RED interface, i.e., how the gateway connects to the Internet. Four types are available: DHCP, Static, No uplink, and 3G. See Network configuration for more information.
Red device
The interface that connects the gateway to the Internet. The available options in this drop-down menu are determined by the Model chosen above. This option does not appear when the Red type is set to No uplink.

The following options are displayed according to the selected Red type. By choosing DHCP, none of them will appear.

Red IPs/CIDRs
The IP address of the RED interface. This option appears only when the RED type is Static.
Red gateway IP
The IP address of the gateway for the RED interface. This option and the next one are needed to access the Internet and appear only when the RED type is Static or No uplink.
DNS Servers
The IP addresses of the DNS servers used by the gateway, one per line. It appears only when the RED type is Static or No uplink.
Access Point Name
The name of the access point; appears only for the 3G/4G and UMTS Red types.
Modem Type
This option appears only for the 3G/4G Red type and allows selecting the type of modem to be used from the drop-down menu, among those available: 3G/4G or CDMA.
Green device
The interface of the GREEN zone, i.e., the one in which the endpoints are situated.
Green IPs/CIDRs
The IP address pool assigned to the GREEN zone.
Blue device
The interface of the BLUE zone.
Blue IPs/CIDRs
The IP address pool assigned to the BLUE zone.
Orange device
The interface of the ORANGE zone.
Orange IPs/CIDRs
The IP address pool assigned to the ORANGE zone.
Custom OpenVPN server IP/FQDN, port, and protocol
A custom address used by the endpoint to connect to the OpenVPN server.

Hint

The format to be used for the address in this and in the next option is hostname.domain:port:protocol or IP.address:port:protocol, with the port or protocol as optional, hence valid values include vpn.example.com:1197:udp and 123.45.67.89:1192.

If the protocol is specified, the port must be specified as well.
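The address rule above, as an added example that is not part of the Endian documentation: a small Python validator for the host[:port[:protocol]] format, accepting the two values quoted in the hint and rejecting a protocol given without a port. The accepted protocol names (udp and tcp) and the IPv4-only host check are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Hostname label rules (RFC 1123 style): letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Assumption: the protocols the Switchboard accepts in this field (the hint shows only "udp").
ALLOWED_PROTOCOLS = ("udp", "tcp")


@dataclass(frozen=True)
class VpnServerAddress:
    host: str
    port: Optional[int]
    protocol: Optional[str]

    def __str__(self) -> str:
        """Render back in the documented host[:port[:protocol]] form."""
        parts = [self.host]
        if self.port is not None:
            parts.append(str(self.port))
        if self.protocol is not None:
            parts.append(self.protocol)
        return ":".join(parts)


def _valid_host(host: str) -> bool:
    """Accept a dotted IPv4 address or a hostname.domain made of valid labels."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        pass
    if not host or len(host) > 253:
        return False
    return all(_LABEL.match(label) for label in host.rstrip(".").split("."))


def parse_vpn_server_address(value: str) -> VpnServerAddress:
    """Parse host[:port[:protocol]] as used by the custom OpenVPN server options.

    Raises ValueError with a specific message for every malformed input, so a
    caller can report it instead of silently accepting a bad address.
    """
    value = value.strip()
    fields = value.split(":")
    if len(fields) > 3:
        raise ValueError(f"too many ':'-separated fields in {value!r}")
    host = fields[0]
    if not _valid_host(host):
        raise ValueError(f"invalid hostname or IPv4 address: {host!r}")

    port = None
    protocol = None
    if len(fields) >= 2:
        # An empty port next to a protocol (e.g. "host::udp") violates the rule that
        # the port must be given whenever the protocol is.
        if fields[1] == "":
            raise ValueError("port must be specified when the protocol is specified"
                             if len(fields) == 3 else f"empty port in {value!r}")
        if not fields[1].isdigit() or not 1 <= int(fields[1]) <= 65535:
            raise ValueError(f"port must be an integer in 1..65535, got {fields[1]!r}")
        port = int(fields[1])
    if len(fields) == 3:
        protocol = fields[2].lower()
        if protocol not in ALLOWED_PROTOCOLS:
            raise ValueError(f"protocol must be one of {ALLOWED_PROTOCOLS}, got {fields[2]!r}")
    return VpnServerAddress(host, port, protocol)


def is_valid_vpn_server_address(value: str) -> bool:
    """Boolean convenience wrapper around parse_vpn_server_address()."""
    try:
        parse_vpn_server_address(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The two valid values from the hint plus constructed invalid ones.
    for sample in ("vpn.example.com:1197:udp", "123.45.67.89:1192", "vpn.example.com",
                   "vpn.example.com::udp", "123.45.67.89:70000", "vpn.example.com:1194:sctp"):
        try:
            print(f"{sample:32} -> {parse_vpn_server_address(sample)}")
        except ValueError as exc:
            print(f"{sample:32} -> rejected: {exc}")
```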

Custom OpenVPN fallback IP address/FQDN, port, and protocol
A custom address used by the endpoint to connect to the fallback OpenVPN server.
OpenVPN through HTTP proxy
Tick the checkbox when the gateway uses a proxy for its connection to the Internet. The next four options will appear to configure that proxy.
Upstream server
The IP address of the upstream proxy server.
Upstream port
The port on which the proxy service runs on the server.
Upstream username
The username to connect to the proxy server, if needed.
Upstream password
The password to connect to the proxy server, if needed.
Upstream NTLM proxy authentication
Tick the checkbox if the upstream HTTP proxy requires NTLM authentication.
Forge proxy user-agent
If the upstream HTTP proxy needs to be contacted with a given user-agent, write it here.

Port Forwarding

The options in this tab can be used to define on the gateway suitable port-forwarding rules that redirect traffic coming from an endpoint to a given host.

The table contains the following information for each endpoint.

  • Endpoint. The endpoint for which the rule is defined. No choice is available if no endpoint has been set up yet.
  • Incoming IP. The gateway’s public IP address on which to apply the rule.
  • Incoming ports/ranges. The port or range of ports on which to apply the rule.
  • Protocol. The protocol that shall be used in the rule: Available choices are tcp, udp, tcp+udp, or icmp.
  • Remote IP. The remote IP address to which the traffic is forwarded.
  • Remote port/range. The port on the remote IP to which the traffic is forwarded.
  • Description. A custom remark about the gateway.

Each field in each table row can be edited by double-clicking on it: depending on the type of information it carries, a field shows either a drop-down menu (e.g., the list of endpoints for the Endpoint column, or the available protocols for the Protocol column) or a text field (all the others).

The management of the rules associated with the endpoints can be done using the buttons at the bottom of the table:

Add row
This option adds a new rule. Its configuration can be carried out by double-clicking on the fields of the new row.
Delete row
By clicking on this button, the highlighted rule is deleted from the set. This button is deactivated if no row is selected.

Warning

The deletion of a row is immediate and can not be reversed.

Show CSV
This button replaces the table with a text field containing the same information in CSV format: this proves useful to export the whole set of rules.
Validate
Check whether the information inserted is valid.
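As an added example, not code from Endian: the kind of check the Validate button performs, run over a constructed CSV export of the rules table. The column order (the table columns in the order listed above), the rule that icmp rows carry no ports, and the rule that a port range maps onto a range of the same size or a single port are assumptions.

```python
import csv
import io
import ipaddress
from typing import List, Set, Tuple

# Assumed CSV column order: the table columns in the order the documentation lists them.
COLUMNS = ("endpoint", "incoming_ip", "incoming_ports", "protocol",
           "remote_ip", "remote_port", "description")
# Protocol choices documented for the Protocol column.
PROTOCOLS = ("tcp", "udp", "tcp+udp", "icmp")


def parse_port_spec(spec: str) -> Tuple[int, int]:
    """Parse 'N' or 'N-M' into an inclusive (low, high) tuple; raises ValueError."""
    low, sep, high = spec.strip().partition("-")
    if not low.isdigit() or (sep and not high.isdigit()):
        raise ValueError(f"port or range expected, got {spec!r}")
    lo, hi = int(low), int(high) if sep else int(low)
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"ports must satisfy 1 <= low <= high <= 65535, got {spec!r}")
    return lo, hi


def validate_rule(row: dict, known_endpoints: Set[str]) -> List[str]:
    """Return the problems found in one port-forwarding row (empty list if valid)."""
    problems = []
    if row["endpoint"] not in known_endpoints:
        problems.append(f"unknown endpoint {row['endpoint']!r}")
    for field in ("incoming_ip", "remote_ip"):
        try:
            ipaddress.IPv4Address(row[field])
        except ValueError:
            problems.append(f"{field}: not a valid IPv4 address: {row[field]!r}")
    proto = row["protocol"].lower()
    if proto not in PROTOCOLS:
        problems.append(f"protocol must be one of {PROTOCOLS}, got {row['protocol']!r}")
    if proto == "icmp":
        # Assumption: ICMP has no ports, so both port fields must be left empty.
        if row["incoming_ports"] or row["remote_port"]:
            problems.append("icmp rules must not specify ports")
        return problems
    try:
        in_lo, in_hi = parse_port_spec(row["incoming_ports"])
        out_lo, out_hi = parse_port_spec(row["remote_port"])
        # Assumption: a range maps onto a range of the same size or onto a single port.
        if out_lo != out_hi and (out_hi - out_lo) != (in_hi - in_lo):
            problems.append("remote range size does not match incoming range size")
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def validate_csv(text: str, known_endpoints: Set[str]) -> List[Tuple[int, List[str]]]:
    """Validate every row of a headerless CSV export; returns (row_number, problems) pairs."""
    results = []
    for number, fields in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not fields:
            continue
        if len(fields) != len(COLUMNS):
            results.append((number, [f"expected {len(COLUMNS)} columns, got {len(fields)}"]))
            continue
        row = dict(zip(COLUMNS, (f.strip() for f in fields)))
        results.append((number, validate_rule(row, known_endpoints)))
    return results


# Constructed sample export using documentation/private address ranges; not real configuration.
SAMPLE_CSV = """\
plc-01,203.0.113.10,8443,tcp,192.168.10.20,443,HMI web interface
plc-01,203.0.113.10,5000-5009,udp,192.168.10.21,6000-6009,telemetry
plc-02,203.0.113.10,,icmp,192.168.10.22,,ping
plc-03,203.0.113.10,2222,ssh,192.168.10.300,22,bad protocol and bad IP
plc-01,203.0.113.10,70000,tcp,192.168.10.20,22,port out of range
"""

if __name__ == "__main__":
    for number, problems in validate_csv(SAMPLE_CSV, {"plc-01", "plc-02"}):
        print(number, "ok" if not problems else "; ".join(problems))
```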

Groups

The page contains only the Add group link above a table (initially empty) listing all the existing groups and some information about them:

  • The name assigned to the group.
  • A description of the group.
  • The available actions:
    • swedit - modify the gateway group.
    • delete - remove the gateway group.
    • logs - see gateway group’s activity log.

When clicking on the Add group link, the editor opens right above the table. The setup options are grouped in three tabs: Group, Members, and Permissions.

Group

This tab contains basic information about the group.

Groupname
The name assigned to the group.
Organization
The organization to which the group belongs. This option is available only if at least one organization has been created.
Description
A description of the group.

Members

This tab contains information about the members of the group.

Devices in this gateway group
Choose which gateways are part of this group.

Permissions

User permissions on this device group
Select all users that can access this group and the role (i.e., either regular user or manager) they can assume.

Applications

There are two tabs in this page: Applications, in which to define all possible means to connect to an endpoint, and Profiles, in which to group together several applications and assign them to a device.

Applications

An application can be seen as a means to access, from a remote PC or workstation equipped with the Endian Connect App, an endpoint or a service running on an endpoint, possibly using third-party software installed on the workstation.

The page initially shows the Add application link and a table containing the applications available by default and other information:

  • The name given to identify the application.
  • The type of the application (see further on for more information).
  • A description of the application.
  • The available actions for each application:
    • on off - Enable or disable the application.
    • swedit - Modify the application.
    • delete - Remove the application.

Above the table, on the right-hand side appears a filter, useful to search among all applications that have been defined in the Switchboard.

When clicking on the Add application link, the applications editor opens right above the table, giving the opportunity to define additional applications.

Two tabs are present in this editor: Application and Advanced parameters. The latter appears only for some of the available Application types.

Application

Name
A name to identify the application.
Organization
The name of an organization to which the use of the application is reserved. At least one organization must have been defined in the Organizations section for this option to appear.
Description
A description of the application.
Application type
The type of the application, which can be selected from the drop-down menu.

Note

The choice of the application type influences also the availability of some of the next options; also the options that appear in the Advanced parameters tab will depend on the application type chosen.

Protocol
The protocol that the application should use, chosen from the drop-down menu. It can be TCP, UDP, or TCP & UDP.
Port
The port used by the application.
URL to open
The URL to be used for the connection. This option is available only when the Application type above is either HTTP or HTTPS.
Enabled
Tick the checkbox to enable the application.

The next options appear only if the Application type above is Custom. They define the path on the workstation of the program to launch and the arguments to be passed to it. Since the same application might be run on Microsoft Windows and Mac OS X, the path and the arguments can be specified twice, once per operating system. Placeholders can also be used, which are replaced with the value appropriate to each operating system; see below for more details.

Command path
The full path to the program to use.
Command arguments
Additional arguments to be passed to the program.

The next options concern how the ConnectAPP launches the application to connect to the remote device. The options are available for Windows and Mac OS X.

Enable integrated application
By selecting this option, the ConnectAPP will use its integrated application for the remote connection.
Open external application
By ticking this checkbox, it will be possible to specify which external application will be launched to establish the connection to the remote device. Two more options will appear, Command path and Command arguments, which are exactly the same as described above and in which the placeholders described next can be used.

Available placeholders

The purpose of a placeholder is to allow the same application to be used on every device, independently of the configuration values that vary from device to device, such as their (public) IP addresses.

Placeholders can be used in the HTTP, HTTPS, and Custom application types.

For HTTP and HTTPS types, these are the available placeholders:

  • %DEVICE_IP% the IP address assigned to the device.
  • %PHYSICAL_IP% the physical IP of the device.
  • %SERVER_EXTERNAL_HOST% the FQDN of the server’s public hostname.
  • %SERVER_INTERNAL_IP% for the internal, private IP address.

New in version 3.0-2014-June: the %PHYSICAL_IP% placeholder, which some applications require instead of %DEVICE_IP% to operate correctly on the device.

In the Custom application type, the available placeholders are:

  • %PROGRAM_PATH%: The default installation directory for applications (usually C:\Program Files).
  • %SYSTEM_DRIVE%: The drive containing the Windows root directory (C:\).
  • %SYSTEM_ROOT%: The Windows root directory (C:\Windows).
  • %HOME_PATH%: The user’s home directory (C:\Documents and Settings\username).

As an example of an application, suppose that each workstation running Windows and the ConnectApp also has PuTTY installed in the user’s home directory. To allow users to connect via SSH with PuTTY, define an application with the following configuration values:

  • Name: PuTTY - SSH
  • Description: SSH via PuTTY
  • Application Type: Custom
  • Protocol: TCP
  • Port: 22
  • Command path: %HOME_PATH%\putty.exe
  • Command arguments: username@%DEVICE_IP%

Note that username must be a valid user account on the endpoint.
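
The following is an added example, not code from Endian or the Connect App: it implements the placeholder expansion described above for the PuTTY application on a Windows workstation, using constructed device values, and refuses to assemble a command when a placeholder is unknown or an IP-valued placeholder does not hold an IP address (the Device class, the helper names and the sample values are assumptions).

```python
"""Expand Switchboard application placeholders into a launch command.

Added example, not code from Endian or the Connect App: it implements the
placeholder syntax this page describes (%DEVICE_IP%, %HOME_PATH%, ...) with
constructed device and workstation values, and refuses to build a command
when a placeholder is unknown or an IP-valued placeholder is not an IP address.
"""
import ipaddress
import re
from dataclasses import dataclass

PLACEHOLDER_RE = re.compile(r"%([A-Z_]+)%")


@dataclass(frozen=True)
class Device:
    """Per-device values behind the HTTP/HTTPS placeholders (constructed)."""
    device_ip: str
    physical_ip: str
    server_external_host: str
    server_internal_ip: str


def device_values(dev: Device) -> dict[str, str]:
    """Map device-side placeholders; each IP field must parse as an IP address."""
    for field in ("device_ip", "physical_ip", "server_internal_ip"):
        ipaddress.ip_address(getattr(dev, field))  # ValueError on malformed input
    return {
        "DEVICE_IP": dev.device_ip,
        "PHYSICAL_IP": dev.physical_ip,
        "SERVER_EXTERNAL_HOST": dev.server_external_host,
        "SERVER_INTERNAL_IP": dev.server_internal_ip,
    }


def windows_values(username: str) -> dict[str, str]:
    """Workstation-side placeholders with the default Windows paths quoted on the page."""
    return {
        "PROGRAM_PATH": "C:\\Program Files",
        "SYSTEM_DRIVE": "C:\\",
        "SYSTEM_ROOT": "C:\\Windows",
        "HOME_PATH": "C:\\Documents and Settings\\" + username,
    }


def expand(template: str, values: dict[str, str]) -> str:
    """Replace every %NAME% in template; an unknown name is an error, not left in place."""
    def repl(match: re.Match) -> str:
        name = match.group(1)
        if name not in values:
            raise KeyError(f"unknown placeholder %{name}%")
        return values[name]
    return PLACEHOLDER_RE.sub(repl, template)


def build_command(command_path: str, command_args: str,
                  dev: Device, username: str) -> list[str]:
    """Return argv for the Custom application after placeholder expansion.

    Arguments are split on whitespace *before* expansion, so a value that
    contains spaces (e.g. %PROGRAM_PATH%) stays a single argument.
    """
    values = {**windows_values(username), **device_values(dev)}
    argv = [expand(command_path, values)]
    argv.extend(expand(token, values) for token in command_args.split())
    return argv


if __name__ == "__main__":
    # The PuTTY application from the page, run against a constructed device.
    dev = Device("10.8.0.12", "192.168.1.50", "sb.example.com", "10.8.0.1")
    print(build_command(r"%HOME_PATH%\putty.exe", "operator@%DEVICE_IP%", dev, "alice"))
```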

Advanced parameters

Depending on the application type chosen in the other tab, different options are available here. The following common options are shown for all types except Custom.

Username
The username used for the remote login.
Password, Confirm Password
The password that is used for the login, repeated twice for confirmation.

There is also the possibility to define advanced options for the following types:

  • SSH

    Private key

    Use the textfield to paste the private key used for the connection.

    Passphrase, Confirm Passphrase

    Write here the passphrase that corresponds to the private key.

    Terminal color scheme

    Select from the drop-down menu the colors used in the SSH terminal.

    Font

    The font used in the terminal.

    Font size

    The size of the font.

  • RDP

    There are a number of options that can be configured with this type of connection, but they are not required in most cases. These options allow customising the authentication, the session, the audio support, some performance settings, and the RemoteApp.

  • VNC

    Number of connection retries

    The number of times the connection should be attempted after an unsuccessful try.

    Color depth

    Choose the color depth used for the connection.

    Swap red-blue

    Invert the red and blue colours.

    Cursor

    Choose from the drop-down menu whether to use the local or remote cursor.

    Read only connection

    Tick the checkbox to disallow the client to make changes on the remote device.

    Clipboard encoding

  • Telnet

    Username regex

    The regular expression that recognises the correct moment when to send the username to the remote device.

    Password regex

    The regular expression that recognises the moment when to send the password to the remote device.

    Terminal color scheme

    Select from the drop-down menu the colors used in the terminal.

    Font

    The font used in the terminal.

    Font size

    The size of the font.

  • Custom

    For custom applications, click on Add row to add a new parameter, and then fill in the following information:

    Parameter name

    The name of the parameter.

    Value

    The value of that parameter.

Any number of options and their values can be added; they will be passed on the command line to the application.

Profiles

Applications can be grouped together into Profiles and attached to single endpoints, tailoring how each of them can be accessed. In other words, an endpoint can be configured so that it can be reached only via certain protocols (e.g., RDP, SSH or HTTP) or services (e.g., VNC). The choice of applications may also depend on the operating system and the services running on the endpoint.

The page contains the Add profile link, above the table carrying the list of all the available profiles and some information about each profile:

  • The name given to the profile.
  • The description of the profile.
  • The applications that are part of the profile.
  • The available actions on each of them:
    • swedit - Modify the application profile.
    • delete - Remove the application profile.

Note

If one or more profiles are deleted, the single applications are not deleted: to remove an existing application, go to Applications.

Above the table, on the right-hand side appears a filter, useful to search among all profiles that have been defined in the Switchboard.

When clicking on the Add profile link, the editor opens right above the table. Here, additional profiles can be created, by supplying the following information:

Name
A name to identify the profile.
Organization
Select for which organization the Profile will be available.
Description
A note about the profile.
Applications
Available applications are listed in this multiselect box. To add an application to the profile, click on the + next to the application’s name. To search for an application, use the textbox on top of the box. The Add all link can be used as a shortcut for moving all applications within the profile. An application can be removed from the profile by clicking on the - next to the application’s name in the right column.

Organizations

An important feature of the Switchboard is Switchboard Organizations, introduced to support a more granular division of complex enterprises into smaller, self-contained units, called organizations, which can be arranged into hierarchies.

A Switchboard organization consists of one or more users and of one or more devices, be they gateways or endpoints. Users and devices within one organization cannot see, access, or manage users and devices in other organizations. A user, a user group, or a device can belong to exactly one organization.

Within an organization, the default policy is that users can see all other users and all the devices in sub-organizations that are lower in the hierarchy.

The hierarchy within an organization is an unordered tree with a root node and at least one child or descendant node, each node being one (sub-)organisation within the organization.

From a technical viewpoint, the sub-organisations differ slightly from the root node: the latter has some properties that the children inherit and cannot modify, because they are inherent to the whole organisation or to the Switchboard installation. These root node characteristics are:

  • OpenVPN: dedicated servers or instances, possibly with a fallback, and public IP address or FQDN.
  • A dedicated IP address pool, with manual or automatic virtual subnet assignment.
  • The possibility to push the entire virtual IP pool to the clients connected.
  • A unique Switchboard bind IP address, possibly with fallback.

This page initially contains an empty table of the available organizations, and some information about each of them:

  • The organization’s name.
  • The path (from the root organization).
  • The available actions on each organization:
    • swedit - Modify the organization.
    • delete - Remove the organization.

A link above the table, Add Organization, allows defining a new organization.

In the editor, a number of options are available to set up a new organization.

Unique Organization Identifier
An identifier for the organization, which must be unique within the Switchboard instance.
Parent organization
If this is not the root organization, select its parent from the drop-down menu.
Exclusive access
Select from the drop-down menu whether to enable or disable exclusive access to the whole organization.
Switchboard bind IP address
The Switchboard’s IP address that must be used to access this organization.
Fully qualified domain name
The FQDN used to access the organisation.
Max number of nodes
The maximum number of nodes that this organization is composed of.
Organization Name
The name of the organization.
VAT number
The VAT number of the organization.
Address, Address line 2
The address of the organization.
City
The city in which the organization is located.
ZIP code
The city’s ZIP code.
State or province
The state or province in which the organization is located.
Country
The country in which the organization is located.
Email
The e-mail of the organization.
Website
The website of the organization.
Phone number
The phone number of the organization.
Fax number
The Fax number of the organization.
OpenVPN instance
Choose from the drop-down menu which instance of the OpenVPN server should be used for this organization.
OpenVPN server public IP/FQDN and port
The public IP address or FQDN of the OpenVPN instance that the organization will be accessed from.
Enable fallback OpenVPN instance

Tick the checkbox to enable a fallback OpenVPN instance that will be used to access the organization in case the main instance is not running.

When this option is enabled, the next two options appear.

Fallback OpenVPN instance
Choose from the drop-down menu which instance of the OpenVPN server should be used as fallback for this organization.
Fallback OpenVPN server public IP/FQDN and port
The public IP address or FQDN used for the fallback OpenVPN instance.
Enable automated virtual subnet assignment
Tick this checkbox to allow the virtual IP addresses for the subnets to be automatically assigned.
Global virtual IP pool
This option defines the IP address subnet for the addresses of the gateways within the organization.
Push entire virtual IP pool on client connection
With this option enabled, whenever a client connects, the whole virtual IP subnet will be pushed to it.
Enable remote API
Tick the checkbox to enable the remote API.
API key
A string used as the key for accessing and using the API.
Enable gateways provisioning
When this checkbox is ticked, gateway provisioning is enabled. See below for more information.
Endian Network account
The username for accessing Endian Network, used for the automatic registration of the gateways.
Endian Network password or registration key
The password of the Endian Network account or the registration key used for the registration of the gateways. Tick the checkbox on the right-hand side to show the password, which is otherwise hidden.
Enable mandatory confirmation of notification messages
Tick this checkbox to require users to confirm receipt of notification messages.
Add default applications and profiles
Tick the checkbox to add the default applications to this organization.

Statistics

This page presents statistics about the Organizations, users, and devices that exist on the Switchboard and is divided into three tabs. Each tab contains a table, with a filter bar above it that allows searching within the elements of the table:

  • Filter: insert a search string here.
  • Organization: select from the drop-down menu the Organization in which to search.
  • From, To: select the time interval in which to look up. To select a given day, select it in both the From and To fields.

Organizations

This tab shows a table containing the list of currently defined organizations, with the following information.

Note

The numbers in parenthesis are the values of the child organizations.

  • Organization. The name of the organization, along with its ID and its path from the root organization.
  • Users. The number of users that belong to the organization.
  • Devices. The number of devices, which are grouped in three categories: Gateways, Endpoints, and Endian Appliances.
  • Nodes. Two values associated with the nodes: Counted nodes - the number of nodes the organization has, and Node limit - The maximum number of nodes allowed.
  • Traffic. The amount of traffic Sent from or Received by the organization.

Users

This page shows a table containing the list of the users that have connected through the Switchboard.

  • User. The account name and the organization it belongs to.
  • Connections. To Switchboard is the number of connections to the switchboard made by the user, while To devices is the number of connections to devices.
  • Connections Time. To Switchboard is the amount of time spent by the user on the switchboard, while To devices is the time spent on the devices.
  • Traffic. The amount of traffic generated by the user, divided into Sent by the user and Received from the user.

Devices

This tab shows a table containing the list of devices connected to the Switchboard and various information about them.

  • Device. The name of the device and the organization it belongs to.
  • Connections. To Switchboard is the number of connections to the switchboard made by the device, while By users shows how many users have connected to the device.
  • Connections Time. To Switchboard is the amount of time during which the device has been connected to the switchboard, while By users is the amount of time during which the users were connected to the device.
  • Traffic. The amount of traffic generated by the device, divided into Sent by the device and Received from the device.

Settings

This page allows setting up all the global configuration options of the Switchboard. Before actually configuring the Switchboard, two tasks must be accomplished in two other modules: Firewall and VPN.

The first task consists in activating the VPN Firewall, as this is required by one option in the OpenVPN server. To complete the task, go to Menubar ‣ Firewall ‣ VPN Traffic (VPN traffic) and, if not yet active, click on the grey switch swoff.

Once the VPN firewall has been enabled, the second task requires setting up a couple of options in the VPN module.

Indeed, the Switchboard relies on an OpenVPN instance running on the Endian UTM Appliance to provide secure connections between the clients and the devices. While most of the OpenVPN instance’s parameters can be freely chosen, two of them must be configured as follows:

  • The traffic on the OpenVPN’s device must be routed.
  • The traffic between the clients must be filtered.

The configuration options concerned are:

  • In the Network options, the Bridged checkbox must not be ticked. Hence, if TAP is selected, do not tick the checkbox.

    Note

    When the TUN device is chosen, the traffic can only be routed and the checkbox is not accessible.

  • Under Advanced Options, the option Client to client connection should be set to Filter connection in the VPN firewall.

    More information about the aforementioned options can be found under Menubar ‣ VPN ‣ OpenVPN server ‣ Server configuration (see section OpenVPN server).

This page contains three tabs, which group all configuration options for the Switchboard: Settings, Portal, and Provisioning.

Setting

Exclusive access
This option governs the ability to lock single endpoints within a gateway, or even a whole gateway, allowing exclusive access to one user at a time. Three options are available: disabled (no exclusive access is granted), on gateway level (a whole gateway can be locked), and on endpoint level (single endpoints can be locked).
Switchboard bind IP address
The IP address on which the Switchboard listens for connections. It is mandatory when more than one IP address is assigned to the Switchboard.
Enable VPN connection check (ping)

When the checkbox is ticked, an ICMP ping packet will be periodically sent through the VPN tunnel to ensure the connection is still alive.

When enabled, the next two options appear.

VPN connection check timeout (in seconds)
The interval between two successive checks.
VPN connection check attempts
How many times a failed check will be re-issued before the VPN connection is considered dead.
Message of the day
A message shown to all users connecting to the Switchboard.
OpenVPN instance
This option only appears if on the Endian UTM Appliance multiple instances of the OpenVPN server are running. Choose the instance to be used for the Switchboard from the drop-down menu.
OpenVPN server public IP/FQDN and port
The public IP address or FQDN to be assigned to the Switchboard.
Enable fallback OpenVPN instance
Tick the checkbox to allow a fallback instance of the OpenVPN server, used in case the main one cannot be reached. The next two options will appear.
Fallback OpenVPN instance
The fallback OpenVPN instance used in case the one specified in the previous option does not run, chosen from the drop-down menu.
Fallback OpenVPN server public IP/FQDN and port
The public IP address or FQDN to be assigned to the fallback server of the Switchboard.
Enable automated virtual subnet assignment
Tick this checkbox to allow the virtual IP addresses for the subnets to be automatically assigned. When enabled, the next option appears.
Global virtual IP pool
This option defines the IP address subnet for the addresses of the gateways.
Push entire virtual IP pool on client connection
With this option enabled, whenever a client connects, the whole virtual IP subnet will be pushed to it.
Enable remote API
Tick the checkbox to enable the remote API.
API key
A string used as the key for accessing and using the API.

Portal

This page allows to configure the portal and contains initially only two options.

Enable Portal
Tick the checkbox to reveal a new panel showing more configuration options.
Portal fully qualified domain name
Write the FQDN that will be used to access the Switchboard’s portal.
Portal HTTPS certificate
Choose from the drop-down menu which certificate should be used to access the portal.
Welcome message
The message displayed to the users that connect to the portal.
Enable mandatory confirmation of notification messages
Tick this checkbox to require users to confirm receipt of notification messages.

Provisioning

In this tab it is possible to specify the options for gateway provisioning. Initially it contains only one option and a list of models.

Enable gateways provisioning
Tick the checkbox to enable provisioning. The next options will appear.
Endian Network account
The username used to access Endian Network
Endian Network password or registration key
The password of the Endian Network account or the Endian UTM Appliance’s registration key.
Provisioning Encryption Certificate (PEM)
Copy and paste here the content of the .pem certificate file selected for the provisioning.
Provisioning Encryption Private Key (PEM)
Copy and paste here the content of the .pem file containing the private key corresponding to the selected certificate.

At the bottom of the page, it is possible to add new models of Endian appliances that can be used in the provisioning.

The table consists of the following fields.

Name
The name given to the gateway.
Interfaces devices
The name of the network interfaces available in the appliance. The panel below the table can be used to copy and paste the correct network interfaces.
OpenVPN >= 2.3
Choose from the drop-down menu whether the appliance supports at least version 2.3 of OpenVPN.
Modem port
Choose from the drop-down menu which port should be used as modem port.

The management of the gateways can be done using the buttons at the bottom of the table:

Add row
This option allows a new gateway to be added to the list. Its configuration can be carried out by double-clicking on the fields of the new row.
Delete row

By clicking on this button, the highlighted gateway is removed from the list. This button is active only when one row is selected.

Warning

The deletion of a row is immediate and cannot be reversed.

Validate
Check whether the information inserted in the highlighted row is valid.
Default models
Click on this widget to show a list of Endian appliances and their default values to be used in the table above.

Logs

The logs of the Switchboard encompass all events that happen on the various objects (e.g., gateways, user groups, etc.) managed by the Switchboard. Unlike all other logs, which record system events and are accessible from Menubar ‣ Logs, they can be reached only from the Switchboard menu.

This page contains a table with the list of all events that took place on the switchboard. Above the table, the Export as CSV format button allows to download the log file in CSV format.

Each line of the table represents one event and contains the following information about it. Events concern either a connection to a remote device or an administrative task, like user management or the addition or removal of an application.

  • Date: The time stamp of the event, i.e., the date and time when it happened.

  • Action: A keyword associated with the event. Each keyword designates a precise event and is almost self-explanatory. In alphabetical order, they are:

    DEVICECREATE, DEVICEDELETE, DEVICEEDIT, GATEWAYCREATE, GATEWAYEDIT, GROUPCREATE, SYSTEMBOOT, TUNNELACTIVE, TUNNELINACTIVE, USERCREATE, USERDELETE, USEREDIT, USERLOGOFF, USERLOGON.

    Note

    TUNNELACTIVE and TUNNELINACTIVE refer to the creation of an OpenVPN tunnel from a client workstation to an endpoint.

  • User: The user who carried out the action.

  • Target user: The user that was the object of the action.

  • Gateway: In case of a connection to a device, the gateway used.

  • Endpoint: The endpoint to which a connection has been established or terminated.

  • Application: The application that has been modified.

  • Profile: The application profile that has been modified.
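
As an added example, not part of Endian's documentation or code, the following script reads a CSV export of this log, using the columns listed above and the Action keywords enumerated above, and pulls out what an auditor typically looks for: tunnels opened but not closed, tunnels opened by a user with no earlier USERLOGON in the export, and configuration changes grouped by the acting user. The header spelling, delimiter and timestamp format of the real export are assumptions, and the log lines are constructed.

```python
"""Audit a Switchboard log export for open tunnels and administrative changes.

Added example, not Endian's code: it reads a CSV in the column order this page
lists (Date, Action, User, Target user, Gateway, Endpoint, Application, Profile)
and uses the action keywords it enumerates. The delimiter, header spelling and
timestamp format of the real export are assumed; the log lines are constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Actions that change configuration rather than record a connection.
ADMIN_ACTIONS = {
    "DEVICECREATE", "DEVICEDELETE", "DEVICEEDIT", "GATEWAYCREATE", "GATEWAYEDIT",
    "GROUPCREATE", "USERCREATE", "USERDELETE", "USEREDIT",
}

# Constructed export: one row per event, same field set as the log table.
SAMPLE_CSV = """\
Date,Action,User,Target user,Gateway,Endpoint,Application,Profile
2014-06-02 08:00:12,SYSTEMBOOT,,,,,,
2014-06-02 08:15:03,USERLOGON,alice,,,,,
2014-06-02 08:16:40,TUNNELACTIVE,alice,,gw-plant-1,plc-01,,
2014-06-02 08:52:10,TUNNELINACTIVE,alice,,gw-plant-1,plc-01,,
2014-06-02 09:01:00,USERCREATE,alice,bob,,,,
2014-06-02 09:03:27,TUNNELACTIVE,bob,,gw-plant-1,hmi-02,,
2014-06-02 09:10:45,USERLOGOFF,alice,,,,,
2014-06-02 17:30:00,USERDELETE,carol,bob,,,,
"""


def parse_log(text: str) -> list[dict]:
    """Parse the export into event dicts sorted by timestamp (format assumed)."""
    events = list(csv.DictReader(io.StringIO(text)))
    for ev in events:
        ev["Date"] = datetime.strptime(ev["Date"], "%Y-%m-%d %H:%M:%S")
    return sorted(events, key=lambda ev: ev["Date"])


def open_tunnels(events: list[dict]) -> list[tuple]:
    """TUNNELACTIVE events with no later TUNNELINACTIVE for the same user/gateway/endpoint."""
    opened: dict[tuple, datetime] = {}
    for ev in events:
        key = (ev["User"], ev["Gateway"], ev["Endpoint"])
        if ev["Action"] == "TUNNELACTIVE":
            opened[key] = ev["Date"]
        elif ev["Action"] == "TUNNELINACTIVE":
            opened.pop(key, None)
    return [(*key, when) for key, when in opened.items()]


def tunnels_without_logon(events: list[dict]) -> set[str]:
    """Users who opened a tunnel with no earlier USERLOGON for them in the export.

    A logon before the start of the export window also triggers this, so treat
    the result as a review queue, not a verdict.
    """
    logged_on: set[str] = set()
    flagged: set[str] = set()
    for ev in events:
        if ev["Action"] == "USERLOGON":
            logged_on.add(ev["User"])
        elif ev["Action"] == "USERLOGOFF":
            logged_on.discard(ev["User"])
        elif ev["Action"] == "TUNNELACTIVE" and ev["User"] not in logged_on:
            flagged.add(ev["User"])
    return flagged


def admin_actions(events: list[dict]) -> dict[str, list[tuple[str, str]]]:
    """Per acting user, the configuration changes made and their target user."""
    by_user: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for ev in events:
        if ev["Action"] in ADMIN_ACTIONS:
            by_user[ev["User"]].append((ev["Action"], ev["Target user"]))
    return dict(by_user)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_CSV)
    print("still open:", open_tunnels(evs))
    print("tunnel without logon:", tunnels_without_logon(evs))
    print("admin actions:", admin_actions(evs))
```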

Client Download

From here it is possible to download the 4i Connect Client, which can be installed on a local workstation and used both for the management of the Switchboard and for launching a direct connection to the remote devices, using the application profiles defined on the Switchboard, provided that the necessary applications are installed on the workstation.

Switchboard API

The documentation for the Switchboard API is available here.