Switchboard on Premises Installation guide

This section explains the installation of the Switchboard on Premises. While the procedure is long and there are many steps to complete, they are easy and should require little effort.

The scenario described here will allow users to access the Switchboard and the Connect Web Portal.

Note

This is a shortened version, the full version can be found at https://endian.zendesk.com/hc/en-us/articles/115014901408

Requirements

Before starting the configuration of the Switchboard on Premises, make sure to satisfy all the requirements:

  1. The appliance needs to be registered to Endian Network and have valid switchboard channels. Verify this from the Switchboard's CLI by running the following command:

    root@endian:~ # en-client -i
    

    and checking that its output contains a [switchboard] block like the following:

    [switchboard]
    code = switchboard
    name = VPN Switchboard
    description = VPN Switchboard
    product = Endian UTM Virtual Appliance 5.0
    subscribed = 2017-05-03 09:25:19
    expiration = 2020-05-02 09:25:19
    

    Make sure that the expiration date is in the future.

  2. The appliance must have two public IP addresses configured on the uplink. If the appliance has a private IP on the uplink, configure the two public IPs on the router in front of it and forward them to the appliance with Port Forwarding.

    Note

    With only one public IP, the OpenVPN instance on port 443 TCP cannot be added, since the Connect Web Portal uses HTTPS on that same address and port; the Switchboard remains usable over the VPN connection on port 1194 UDP. Requirements 3. and 4. below change slightly: both DNS records should point to the only available public IP.

    If the Switchboard has only private IPs, add suitable Port Forwarding rules on the router in front of it to allow traffic to the Switchboard’s port 1194 UDP and 443 TCP.

  3. Configure public DNS records for both IP addresses. One of them (say, vpn.example.com pointing to IP-1) will be used for the OpenVPN connections, while the other one (say, connect.example.com pointing to IP-2) will be used for the Connect Web portal.

  4. If you plan to use the Connect Web Portal, add a record in the DNS configuration, that points *.connect.example.com to IP-2.

  5. You have a publicly signed SSL wildcard certificate for *.connect.example.com, which is needed to use the Connect Web Portal. Note that a wildcard only covers a single label (for instance gw1.connect.example.com): if the certificate must also be valid for connect.example.com itself, make sure that name is included as a Subject Alternative Name as well.

  6. If all your devices run OpenVPN version 2.3 or higher and you plan to use Virtual IPs (IP mapping), always use TUN devices for the OpenVPN server setup.

Enable the VPN Firewall

Under the Firewall menu, go to the VPN firewall (Firewall ‣ VPN traffic) and make sure that the switch on the left of the Enable VPN firewall label is green, which shows that the firewall is active. If the switch is gray, click on it to activate it.

Add Two OpenVPN Server Instances

The OpenVPN protocol is used for the communication between the Switchboard and the clients, hence the OpenVPN server must be configured appropriately. The scenario uses two instances, both with a routed subnet and a TUN device. TAP devices should be used only when it is mandatory to use the real IP addresses of gateways and endpoints.

To configure the OpenVPN instances, called ONE and TWO for simplicity, go to VPN ‣ OpenVPN Server and click on Add new OpenVPN server instance.

  1. The ONE instance will be used to directly access the Switchboard and must be configured as follows:

    • Port: 1194.

    • Device Type: TUN.

    • Protocol: UDP.

    • VPN Subnet: an internal subnet, not used elsewhere in the configuration (here 172.30.0.0/24).

    • Client to client connection: Filter connections in the VPN Firewall.

    • Push these networks: tick the checkbox and write in the textbox below another subnet not used elsewhere (here 172.20.0.0/24). This subnet will be used in instance TWO as VPN Subnet.

  2. The TWO instance will be used to access the Connect Web Portal and must be configured as follows:

    • Protocol: TCP.

    • Port: 443.

    • VPN Subnet: the internal subnet used in instance ONE for the Push these networks option, hence 172.20.0.0/24.

    • Client to client connection: Filter connections in the VPN Firewall.

    • Push these networks: tick the checkbox and write in the textbox below the VPN subnet used in instance ONE, hence 172.30.0.0/24.

Save both instances, then restart the OpenVPN service.

Configure the Switchboard Module

The first important decision is whether to define Exclusive Access, a security policy that prevents concurrent access to a component of the Switchboard infrastructure (gateways or endpoints). More details on exclusive access can be found in the online reference manual, in the description of the Switchboard's architecture.

To configure the Switchboard module, go to Switchboard ‣ Settings ‣ Network, then provide the following information:

  • Switchboard bind IP address: write the public IP IP-1, or the private IP of the RED uplink when the appliance sits behind a router.

  • OpenVPN instance: select ONE here.

  • OpenVPN server public IP/FQDN and port: write the FQDN and port of the VPN instance: vpn.example.com:1194 (i.e., the DNS entry of IP-1).

  • Enable fallback OpenVPN instance: tick the option and select TWO as the Fallback OpenVPN instance.

  • Fallback OpenVPN server public IP/FQDN and port: vpn.example.com:443 (the same public VPN FQDN, on the TCP port of instance TWO).

  • Enable automated virtual subnet assignment: Enabled

  • Global virtual IP pool: Choose an IP pool that will be used to assign a virtual IP address to the devices used within the Switchboard; by default the special netblock 100.64.0.0/10 is used. Virtual IPs are used to simplify remote access to the devices, which will appear on the same subnet, thus making special routing rules unnecessary.
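The address plan above has to hold together: the Push these networks value of ONE must be the VPN subnet of TWO and vice versa, and neither VPN subnet may overlap the global virtual IP pool or a subnet already in use on the appliance. The following POSIX shell script is an added example, not part of the Endian guide: it encodes those checks for IPv4 using the guide's values (172.30.0.0/24, 172.20.0.0/24, 100.64.0.0/10). The LAN 192.168.1.0/24 and all function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the Endian guide: validate the IPv4 address plan
# for OpenVPN instances ONE and TWO and the Switchboard virtual IP pool.
# Assumed names: all functions below; 192.168.1.0/24 stands in for a LAN
# that is already in use on the appliance.

# Dotted quad -> 32-bit integer (e.g. 172.30.0.0 -> 2887647232).
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network address of IP $1 under prefix length $2, as an integer.
net_addr() {
  mask=$(( (0xFFFFFFFF << (32 - $2)) & 0xFFFFFFFF ))
  echo $(( $(ip2int "$1") & mask ))
}

# Succeeds when the two CIDR blocks share at least one address: compare both
# under the shorter of the two prefixes.
cidr_overlap() {
  a=${1%/*}; pa=${1#*/}; b=${2%/*}; pb=${2#*/}
  p=$pa
  [ "$pb" -lt "$p" ] && p=$pb
  [ "$(net_addr "$a" "$p")" -eq "$(net_addr "$b" "$p")" ]
}

# Takes a space-separated list of CIDR blocks; reports the first overlapping
# pair on stderr and fails, succeeds when all blocks are pairwise disjoint.
plan_disjoint() {
  for x in $1; do
    for y in $1; do
      [ "$x" = "$y" ] && continue
      if cidr_overlap "$x" "$y"; then
        echo "overlap: $x and $y" >&2
        return 1
      fi
    done
  done
  return 0
}

# The cross-push rule from the guide: ONE pushes TWO's VPN subnet and TWO
# pushes ONE's. Arguments: ONE subnet, ONE push, TWO subnet, TWO push.
pushes_consistent() {
  [ "$2" = "$3" ] && [ "$4" = "$1" ]
}

# The guide's values; $1 optionally names a subnet already in use locally.
check_plan() {
  one=172.30.0.0/24; one_push=172.20.0.0/24
  two=172.20.0.0/24; two_push=172.30.0.0/24
  pool=100.64.0.0/10
  lan=${1:-192.168.1.0/24}
  pushes_consistent "$one" "$one_push" "$two" "$two_push" ||
    { echo "push networks do not cross-reference the VPN subnets" >&2; return 1; }
  plan_disjoint "$one $two $pool $lan"
}

check_plan && echo "address plan OK"
```

Run it on the appliance (or any box with /bin/sh) before saving the instances; pass your real LAN, e.g. `check_plan 10.10.0.0/16`, to confirm the VPN subnets and the pool do not collide with it.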

Configure the Switchboard Portal

The Switchboard portal allows users to connect to the Switchboard over HTTPS, without installing a client. It can be disabled, but it is useful, so it is suggested to configure it. The following options are required:

  • Portal fully qualified domain name. Tick the Enable portal checkbox and write connect.example.com.

    Note

    This FQDN must be reachable from Internet.

  • Portal HTTPS certificate: Select the SSL certificate to be used by the connection.

    Note

    When using a certificate generated on the Endian appliance, browsers show an error message upon connection (for example SEC_ERROR_UNKNOWN_ISSUER in Firefox). To avoid these messages, import a third-party signed certificate on the Switchboard. See section Import a third-party signed certificate for more information.

Click on Save to save the configuration.

Configure the Provisioning

Provisioning makes it easy to register gateways to the Switchboard and make them quickly available. It is best used with Endian gateways, but can be used for other vendors' devices as well.

When using Endian gateways, go to Switchboard ‣ Settings ‣ Provisioning and tick the Enable gateways provisioning option: it will then be possible to use the Plug & Connect/Autoregistration procedure to register and configure an Endian gateway in three steps from the Switchboard ‣ Devices menu, and to select the default model to be used when a new gateway is added to the Switchboard.

Moreover, since non-Endian gateways can also be connected to the Switchboard, it is strongly suggested to add two new models by clicking on the Add row button right below the list of models.

  1. A Generic-new model, for gateways running OpenVPN version 2.3 or newer. Make sure that the value in the OpenVPN >= 2.3 column is yes.

  2. A Generic-old model, for gateways running OpenVPN versions older than 2.3 (2.2 and earlier). Click on the yes label in the OpenVPN >= 2.3 column and select no.

The reason for this choice is that OpenVPN versions up to 2.2 do not support virtual IP mapping, so gateways running these older versions must be accessed using their real IP.

Non-Endian gateways running OpenVPN 2.3 or newer will be accessible through the Connect Web Portal, but they cannot be provisioned and must be registered manually.

Configure the Users

Users are the persons who connect to the Switchboard, using either the Endian ConnectApp or the Endian Connect Web. They are essentially VPN users, and can be arranged in groups for easier management, for example to grant permissions and device access to a whole group instead of a single user. A simple scenario with groups is to arrange users in two groups:

  • Administrators, who can manage devices, users, and permissions.

  • Technicians, who can access devices for maintenance or every day use.

To create users and groups of users, go to Switchboard ‣ Users and follow these steps:

  1. In the Groups tab click on Add group. Provide the group name, which must be unique (Administrators and Technicians in this scenario), and an optional description.

  2. Create new users in the Users tab by filling in at least a valid email address, which acts as username, and a password.

  3. In the Groups tab, put the user in the appropriate group(s).

  4. In the Provisioning tab, supply the credentials of the user account on Endian Network.

  5. Go to Switchboard ‣ Users ‣ Groups and on the Members tab add the user to the group.

Configure the Devices

Go to Switchboard ‣ Devices to manage and configure Gateways: devices such as Endian Edge or Mercury appliances, or third-party devices, that establish a VPN connection to the Switchboard using OpenVPN and act as gateways, allowing the remote endpoints located behind them to be accessed directly from the Switchboard or through the Endian ConnectApp.

To define new gateways, go to Switchboard ‣ Devices, and do the following:

  1. In the Groups tab, define a new group name for gateways and add a description. Click on Add to save the settings and create the new group.

  2. In the Devices tab, choose how to set up the new gateway, either:

    • By clicking on Plug & Connect (Autoregistration) and applying the Plug & Connect procedure, which is only valid for Endian devices and is the recommended one for them.

    • By clicking on Add Gateway, to manually define a gateway. This procedure can be used on all devices.

  3. To configure the gateway manually, go to the first tab, Gateway, and write the Name and the Password of the gateway, which the gateway will use to authenticate when establishing the VPN connection. The name must be unique within the Switchboard instance, therefore a random one is generated, which you can change at will.

  4. Go to the Endpoints tab, to define the Endpoints that are placed behind the Gateway. Endpoints are those devices that you need to reach through the VPN tunnel established by the gateway. Click on the Add row button to add a new endpoint, which will have a name, a description, an IP address and an application profile.

  5. While this step is optional, it is nonetheless suggested: define the Maximum number of endpoints reachable from the gateway, and the Local network, which is the real subnet in which those endpoints are located.

  6. Go to the Provisioning tab and remember to set the Model of the gateway, which defines whether it is an Endian device and whether it supports IP mapping. Fill in all the values needed to configure the networking of the Gateway (Uplink, zones). The network setup of an Endian device is explained in this tutorial.

  7. Once done, click on Add to save the new gateway.

Application Profiles

Remote endpoints can be reached in different ways, for example using RDP, SSH, HTTP(S), or VNC connections, depending on the task at hand. Each of these connection types is called an Application in Endian Switchboard. An endpoint may need to be reached in more than one way, for example by RDP and HTTPS: the former to access the desktop and manage the database containing the data collected by the sensors installed on, or managed by, the endpoint; the latter to access the daily, weekly, and monthly reports generated by the software running on the endpoint.

To allow an endpoint to be reached in different ways, the Endian Switchboard provides the ability to group several applications in Application profiles, which represent all the ways a user can access the endpoint. There are several default Applications and Application Profiles, but many others can be defined and managed under Switchboard ‣ Applications.

Import a third-party signed certificate

Note

This step is optional.

To import a third-party certificate (i.e., a valid certificate signed by a CA) and avoid browser SSL error messages, go to VPN ‣ Certificates ‣ Certificates ‣ Add new certificate and select Upload a certificate as Action. The certificate must be in PKCS#12 format (often called a PFX file). It can be created with the OpenSSL tool and then imported on the Switchboard.

It is necessary to have:

  • CA certificate (usually available from the website of the CA that signed your server certificate), called here ca.pem.

  • Server Certificate, here called server.crt.

  • Server private key, here called server.key.

Put these files in a directory on a Linux box and run the following command, replacing the filenames above with the actual ones:

root@linux:~ # openssl pkcs12 -nodes -export -out portal.p12 -inkey server.key -in server.crt -certfile ca.pem

openssl prompts for an export password, which protects the private key inside the bundle. The output is the portal.p12 bundle, which can be imported on the Switchboard.
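Before running the export above, it is worth confirming that the three files actually belong together and that the certificate satisfies requirement 5 (the wildcard for *.connect.example.com, plus the portal FQDN itself). The following POSIX shell script is an added example, not part of the Endian guide: it checks that server.key matches server.crt, that ca.pem validates the certificate, and that the Subject Alternative Names cover both connect.example.com and a name under the wildcard, and only then builds portal.p12 with the guide's pkcs12 command. File names and the portal FQDN are the guide's; the function names, the export-password parameter and the gw1 probe host are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Endian guide: check ca.pem, server.crt and
# server.key before bundling them into portal.p12 for the Connect Web Portal.
# Assumed: the openssl CLI is installed; all function names are this
# example's; gw1.connect.example.com is a probe name used only to test that
# the wildcard *.connect.example.com is present.

# Succeeds when certificate name $1 covers hostname $2. Wildcard matching
# follows RFC 6125: "*" replaces exactly one leftmost label, so
# *.connect.example.com covers gw1.connect.example.com but neither
# connect.example.com itself nor a.b.connect.example.com.
san_matches() {
  pat=$1; host=$2
  case "$pat" in
    '*.'*)
      suffix=${pat#\*.}
      first=${host%%.*}
      [ -n "$first" ] && [ "$first" != "$host" ] && [ "${host#*.}" = "$suffix" ]
      ;;
    *)
      [ "$pat" = "$host" ]
      ;;
  esac
}

# Print the DNS names from the certificate's subjectAltName, one per line.
cert_dns_names() {
  openssl x509 -in "$1" -noout -text |
    sed -n '/Subject Alternative Name/{n;p;}' |
    tr ',' '\n' |
    sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Succeeds when some DNS SAN in certificate $1 covers hostname $2.
cert_covers() {
  cert_dns_names "$1" | {
    while IFS= read -r name; do
      if san_matches "$name" "$2"; then exit 0; fi
    done
    exit 1
  }
}

# Succeeds when private key $2 belongs to certificate $1 (same public key).
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# Succeeds when CA file $2 validates certificate $1.
chain_valid() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run every check, then build the bundle with the guide's pkcs12 command.
# Arguments (all optional): ca, cert, key, portal FQDN, output file,
# export password (empty by default; without -passout openssl would prompt).
build_portal_p12() {
  ca=${1:-ca.pem}; crt=${2:-server.crt}; key=${3:-server.key}
  fqdn=${4:-connect.example.com}; out=${5:-portal.p12}; pass=${6:-}
  key_matches_cert "$crt" "$key" || { echo "$key does not match $crt" >&2; return 1; }
  chain_valid "$crt" "$ca"       || { echo "$ca does not validate $crt" >&2; return 1; }
  cert_covers "$crt" "$fqdn"     || { echo "no SAN covers $fqdn" >&2; return 1; }
  cert_covers "$crt" "gw1.$fqdn" || { echo "no SAN covers *.$fqdn" >&2; return 1; }
  openssl pkcs12 -export -out "$out" -inkey "$key" -in "$crt" -certfile "$ca" \
    -passout "pass:$pass"
}
```

Call `build_portal_p12` with no arguments from the directory holding the three files; each failed check names the file at fault, so a wrong key or a certificate lacking the wildcard is caught before the bundle is uploaded to the Switchboard. If ca.pem holds an intermediate rather than a root, `openssl verify` needs the full chain in that file, which is also what the portal has to send to browsers.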