FirePass Administrator Guide 4.0: Deploying the FirePass Server


Deploying the FirePass Server


Overview of deploying the FirePass server

This section contains an overview of the tasks for deploying the FirePass server.

Summary of tasks for installing and deploying the FirePass server

Table 2.1 provides a summary of the tasks for installing and deploying the FirePass server.



Table 2.1 Summary of tasks for installing and deploying the FirePass server

Task | For more information, see
---- | -------------------------
Configure the firewalls at your site to allow traffic to and from the FirePass server. | Configuring a firewall to work with the FirePass server
If the FirePass server has a private IP address, set up name resolution for internal users and client software. | Understanding name resolution issues for FirePass servers with a private IP address
Install the FirePass server, and power it up. Using the WAN port, create an isolated network to reach the FirePass server using its factory default IP address. | Installing the FirePass server
Enter basic configuration information using either the Administrative Console (recommended) or the Maintenance Console (available as a backup). | Using the Administrative Console to configure the FirePass server
Connect the FirePass server to the network. Test that the FirePass server is accessible on the network, and test DNS resolution of the FirePass server's host name inside and outside the firewall. | Testing network connectivity
After the FirePass server is up and running and the network connections are working, use the Administrative Console to finish configuring the server from a Web browser. | Using the Administrative Console to configure the FirePass server
(Recommended) Change the superuser password. | Changing the superuser password
Configure one or more authentication methods for FirePass users. Then add groups and user accounts. | Chapter 3, Setting Up FirePass Server Security
Configure the FirePass server's Webifyers that you want to make available to users. For example, configure the SSL VPN Webifyer, if necessary. | Chapter 4, Configuring the FirePass Webifyers
Install a new SSL certificate. | Setting up certificates
(Optional) If necessary, customize the appearance of the user's home panel, such as the logo and terms used for logging in. | Customizing the user's home page


 

Configuring a firewall to work with the FirePass server

The FirePass server enables remote access by communicating through secure tunnels between remote users at untrusted or unprivileged hosts on the Internet and your corporate LAN. This section describes the firewall ports at your site that must be opened to allow traffic to and from the FirePass server so that it can operate correctly.

The particular firewall ports that you must open at your site depend on where you install the FirePass server relative to the firewalls, and which network and application services the server must access. There are some ports that must be open in all situations, such as ports 80 and 443 for HTTP and HTTPS, on the external firewall between the FirePass server and remote Web browsers. If the FirePass server is installed in a DMZ with an internal firewall separating it from the corporate network, you also have to open other ports as necessary to allow access to network services such as DNS, and to use particular application services such as e-mail.

The illustration in Figure 2.1 shows the services and ports used by the FirePass server.


Figure 2.1 Allowing traffic on firewall ports for a FirePass server

For more information on configuring the firewall ports, see the following section and the tables later in this section.

Overview of the firewall configuration process

During the process of firewall configuration, you might consider opening the firewall ports in phases. In the initial phase, you could focus on opening the ports that allow access to the FirePass server from both inside and outside the firewall when you specify the server's host name in a Web browser. In this initial phase, you might also open the ports for SMTP so that the FirePass server can send email messages to the FirePass administrator. For this initial phase, the following ports need to be opened:

  • Assuming there is a firewall between the Internet and the FirePass server, the firewall must allow inbound traffic on ports 80 (HTTP) and 443 (HTTPS) as a base configuration with a destination address of the publicly accessible FirePass address.

  • The firewall must also allow the FirePass server access to network services such as NTP, DNS, and SMTP (on ports 123, 53, and 25). The network services might be located on an external network (Internet), or on the internal corporate network. The location of the network services and your particular deployment scenario determines which firewall's ports must be open, assuming there is a firewall between the FirePass server and these services.

  • If there is a firewall between the FirePass server and the corporate LAN, the firewall must allow traffic on ports 80, 443, and 661.

    To verify that the FirePass server has access to DNS and SMTP services after you have opened the ports and installed the FirePass server, you can use the instructions in Testing network connectivity.

    After you have verified that the FirePass server has access to DNS and SMTP services and that you can access the server from a Web browser from either side of the firewall, then you can open up the specific ports that are necessary for your particular deployment. See the following tables in this section that describe the ports and services. For example, if you are using LDAP for authentication, you must open ports 389 and 636. Here are some other examples of application services you might need to support:

  • To support My Files, the FirePass server needs access to Windows file servers using Microsoft Networking (ports 135, 137, 138, 139).

  • To support My Email, the FirePass server needs access to POP/IMAP and LDAP (ports 110, 143, 389, 636).

  • To support Host Access, the FirePass server needs access to Telnet (port 23).

    The services are sometimes hosted locally behind a firewall, and sometimes hosted remotely. If the services are hosted remotely, the external firewall must allow the FirePass server to make connections to those services on specific TCP/IP ports.

    To allow access to the FirePass server from the Internet, you can create either Network Address Translation (NAT) rules or port forwarding rules on the firewall to forward inbound packets to the server. The advantage of static NAT is that it does not require you to forward each individual port to the FirePass server. To use static NAT, configure a rule that forwards all allowable traffic from the public IP address to the private IP assigned to the FirePass server. However, some firewalls only allow static NAT using a public IP address other than its own public interface. In this case, you must use port forwarding by setting up rules to forward the appropriate ports to the private IP address assigned to the FirePass server.

    Firewalls can be classified as stateful and non-stateful. Stateful firewalls allow bi-directional communication (that is, they create a return rule for an allowed service). Older firewalls, especially ones based on Linux IP chains, are often non-stateful; they do not allow bi-directional communications. If you have a stateful firewall (most newer commercial firewalls are stateful), you only need to define rules for the actual traffic; the replies are automatically allowed to pass. If you have a non-stateful firewall, you also must define rules for traffic coming in and the replies with the ACK (acknowledgement) bit set for those protocols.

    For completeness, the following tables list the types of traffic (in pairs of request and response) that must be allowed through the firewalls for each category of FirePass server functionality.

    All traffic associated with the FirePass server falls into one of these categories:

  • Traffic between the remote user's browser and the FirePass server. (See About the traffic between a remote user's browser and the FirePass server.)

  • Traffic between the FirePass server and network services, such as LDAP, RADIUS, and DNS. (See About the traffic between the FirePass server and network services.)

  • Traffic between the FirePass server and application services, such as file servers, email servers, and the Intranet. (See About the traffic between FirePass server and application services.)

  • Traffic between the FirePass server and corporate LAN using My Desktop. (See About the traffic between the FirePass server and the Desktop Agent.)

    Note: A particular type of traffic shown in the tables is only required if Required appears in the Comment column for the traffic, or, as stated previously, if you are enabling an application service that requires the port to be opened.
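As an added example (not part of the F5 guide), the following POSIX shell script turns the request/response pairs described above into firewall rules. It uses iptables syntax, which the guide does not specify and is assumed here. For a stateful firewall it prints only the request rules plus one ESTABLISHED,RELATED rule; for a non-stateful firewall it prints the matching response rule with the ACK bit required, so a bare SYN arriving from the other side cannot match the reply rule. It also shows the port-forwarding alternative to static NAT for ports 80 and 443. All addresses are constructed placeholders, and the script only prints rules for review; it applies nothing.

```shell
#!/bin/sh
# Added example, not from the FirePass guide. Prints iptables-style rules
# (assumed syntax) for the initial-phase ports the guide lists; applies nothing.
# Usage: sh firepass_rules.sh stateful|nonstateful

FIREPASS_PUB="203.0.113.10"   # constructed: public address on the external firewall
FIREPASS_PRIV="10.0.0.8"      # constructed: private address of the FirePass server
DNS_SERVER="10.0.0.2"         # constructed: internal DNS server
NTP_SERVER="10.0.0.3"         # constructed: internal NTP server
SMTP_SERVER="10.0.0.4"        # constructed: internal SMTP relay
CORP_LAN="10.0.0.0/24"        # constructed: corporate LAN behind the internal firewall
HIGH_PORTS="1025:65535"       # the guide's "1025 to 65535" client port range

# One request rule and, on a non-stateful firewall, its response rule.
# Args: mode (stateful|nonstateful) proto src sport dst dport comment
rule_pair() {
  rp_mode=$1; proto=$2; src=$3; sport=$4; dst=$5; dport=$6; comment=$7
  echo "# $comment"
  echo "iptables -A FORWARD -p $proto -s $src --sport $sport -d $dst --dport $dport -j ACCEPT"
  if [ "$rp_mode" = "nonstateful" ]; then
    if [ "$proto" = "tcp" ]; then
      # Reply direction: endpoints swapped, ACK bit required (the table's "Ack bit"
      # column), so a fresh SYN from the far side cannot match the reply rule.
      echo "iptables -A FORWARD -p tcp -s $dst --sport $dport -d $src --dport $sport --tcp-flags ACK ACK -j ACCEPT"
    else
      # UDP carries no ACK bit; the reply rule is the plain reverse (NTP in the guide's table).
      echo "iptables -A FORWARD -p $proto -s $dst --sport $dport -d $src --dport $sport -j ACCEPT"
    fi
  fi
}

# A stateful firewall replaces every response rule with one connection-tracking rule.
stateful_return_rule() {
  echo "# replies to accepted connections (stateful firewall)"
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Port forwarding, for firewalls that cannot do static NAT to the FirePass
# private address: one DNAT rule per published port.
port_forward_rules() {
  for port in 80 443; do
    echo "iptables -t nat -A PREROUTING -d $FIREPASS_PUB -p tcp --dport $port -j DNAT --to-destination $FIREPASS_PRIV:$port"
  done
}

# The guide's initial-phase port set, as request/response pairs.
render_base_ruleset() {
  mode=$1
  rule_pair "$mode" tcp 0.0.0.0/0 "$HIGH_PORTS" "$FIREPASS_PUB" 80  "HTTP from remote browsers (Required)"
  rule_pair "$mode" tcp 0.0.0.0/0 "$HIGH_PORTS" "$FIREPASS_PUB" 443 "HTTPS from remote browsers (Required)"
  rule_pair "$mode" tcp "$FIREPASS_PRIV" "$HIGH_PORTS" "$DNS_SERVER" 53   "DNS lookups from the FirePass server"
  rule_pair "$mode" udp "$FIREPASS_PRIV" "$HIGH_PORTS" "$NTP_SERVER" 123  "NTP from the FirePass server"
  rule_pair "$mode" tcp "$FIREPASS_PRIV" "$HIGH_PORTS" "$SMTP_SERVER" 25  "SMTP messages to the administrator"
  rule_pair "$mode" tcp "$FIREPASS_PRIV" "$HIGH_PORTS" "$CORP_LAN" 80     "HTTP to the corporate LAN"
  rule_pair "$mode" tcp "$FIREPASS_PRIV" "$HIGH_PORTS" "$CORP_LAN" 443    "HTTPS to the corporate LAN"
  rule_pair "$mode" tcp "$FIREPASS_PRIV" "$HIGH_PORTS" "$CORP_LAN" 661    "Host Activation Protocol to desktop agents"
  if [ "$mode" = "stateful" ]; then
    stateful_return_rule
  fi
}

# Number of rule lines (comments excluded) a mode produces; handy when reviewing.
count_rules() {
  render_base_ruleset "$1" | grep -c '^iptables'
}

# Print the ruleset and the port-forwarding rules when run directly.
if [ "$#" -gt 0 ]; then
  render_base_ruleset "$1"
  port_forward_rules
fi
```

Running `sh firepass_rules.sh nonstateful` prints twice as many FORWARD rules as `stateful`, which is exactly the extra work the guide describes for older, non-stateful firewalls; diffing the two outputs is a quick way to see which reply rules a stateful firewall derives for you.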

About the traffic between a remote user's browser and the FirePass server

To allow traffic between a remote user's browser and the FirePass server, you must open the firewall ports as shown in Table 2.2.

The FirePass bridge ports (10000-10100) are optional ports in the external firewall that are used to distribute sessions to ensure that port 443 is open for new requests. These ports are configurable, and can be set to any of the high TCP/IP ports (1025 - 65535). If the number of concurrent My Desktop users is low (fewer than 5 concurrent users on the FirePass 1000, or fewer than 20 on the FirePass 4000), there is no requirement to open the high TCP/IP ports (1025 to 65535). The server uses the high ports if they are available; otherwise it uses port 443.

During installation, or in case of severe malfunction, you may need to give Technical Support access to your Maintenance Console using Secure Shell (SSH). To allow this access while blocking routine SSH access, the FirePass server provides temporary, encrypted keys, further protected by a passphrase. For more information about providing SSH access to Technical Support, see Providing SSH access for Technical Support.





Table 2.2 Traffic between a remote user's browser and the FirePass server

Traffic Type | Protocol | Source address | Source ports | Destination address | Destination ports | Ack bit | Comment
------------ | -------- | -------------- | ------------ | ------------------- | ----------------- | ------- | -------
HTTP | TCP | Remote Browser | 1025 to 65535 | FirePass server | 80 | | Required
HTTP (response) | TCP | FirePass server | 80 | Remote Browser | 1025 to 65535 | Yes | Required
HTTPS | TCP | Remote Browser | 1025 to 65535 | FirePass server | 443 | | Required
HTTPS (response) | TCP | FirePass server | 443 | Remote Browser | 1025 to 65535 | Yes | Required
FirePass bridge | TCP | Remote Browser | 1025 to 65535 | FirePass server | 10000 to 10100 | | Optional for My Desktop
FirePass bridge (response) | TCP | FirePass server | 10000 to 10100 | Remote Browser | 1025 to 65535 | Yes | Optional for My Desktop
SSH | TCP | Local LAN | 1025 to 65535 | FirePass server | 22 | | Optional
SSH (response) | TCP | FirePass server | 22 | Local LAN | 1025 to 65535 | Yes | Optional


About the traffic between the FirePass server and network services

The FirePass server needs access to the network services listed in Table 2.3, some of which are optional and depend on your particular configuration. If the services are hosted across a firewall from the FirePass server, you must open the firewall ports to allow the FirePass server to access these services.

Configure your internal DNS server such that your FirePass server host name resolves to the server's local IP address. This is to ensure that traffic from the same side of the firewall can reach the FirePass server. You can do this on a WINS server or on a DNS server if the DNS server is hosted locally. (See Understanding name resolution issues for FirePass servers with a private IP address.)



Table 2.3 Traffic between the FirePass server and network services

Traffic Type | Protocol | Source address | Source ports | Destination address | Destination ports | Ack bit | Comment
------------ | -------- | -------------- | ------------ | ------------------- | ----------------- | ------- | -------
DNS | TCP | Local LAN | 1025 to 65535 | FirePass server | 53 | |
DNS (response) | TCP | FirePass server | 53 | Local LAN | 1025 to 65535 | Yes |
NTP | UDP | Local LAN | 1025 to 65535 | FirePass server | 123 | |
NTP (response) | UDP | FirePass server | 123 | Local LAN | 1025 to 65535 | |
SSH | TCP | Local LAN | 1025 to 65535 | FirePass server | 22 | | Optional
SSH (response) | TCP | FirePass server | 22 | Local LAN | 1025 to 65535 | Yes | Optional
SecurID authentication | TCP | FirePass server | 1025 to 65535 | Local LAN | 1645, 1646 | | Optional
SecurID authentication (response) | TCP | Local LAN | 1645, 1646 | FirePass server | 1025 to 65535 | Yes | Optional
LDAP | TCP | FirePass server | 1025 to 65535 | Local LAN | 389, 636 | | Required for LDAP authentication
LDAP (response) | TCP | Local LAN | 389, 636 | FirePass server | 1025 to 65535 | Yes | Required for LDAP authentication
RADIUS | TCP | FirePass server | 1025 to 65535 | Local LAN | 1645, 1646 | | Required for RADIUS authentication
RADIUS (response) | TCP | Local LAN | 1645, 1646 | FirePass server | 1025 to 65535 | Yes | Required for RADIUS authentication
SMTP Services | TCP | FirePass server | 1025 to 65535 | Local LAN | 25 | |
SMTP Services (response) | TCP | Local LAN | 25 | FirePass server | 1025 to 65535 | Yes |



About the traffic between FirePass server and application services

To allow traffic between the FirePass server and application services on the corporate LAN, you must open the firewall ports as shown in Table 2.4. The application services include the following services, some of which are optional and depend on your particular configuration:

  • File servers

  • Email servers

  • Intranet

  • Terminal servers

  • Legacy mainframe and AS/400 applications

  • Client/server applications

  • SSL VPN

    A FirePass server that needs to use any of these application services must be able to communicate with the local LAN on several ports. Most of these ports are listed in Table 2.4 with the default port assignments. (Your network may vary.) Microsoft Networking requires four ports, two TCP/IP ports and two UDP ports. Port 135 is the RPC port, port 139 is the NetBIOS session, port 137 is the NetBIOS name service, and port 138 is the datagram. These ports must be configured to allow users to use the My Files Webifyer to view network file shares. A WINS server helps address resolution from NetBIOS to TCP/IP to work properly.



Table 2.4 Traffic between the FirePass server and application services

Traffic Type | Protocol | Source address | Source ports | Destination address | Destination ports | Ack bit | Comment
------------ | -------- | -------------- | ------------ | ------------------- | ----------------- | ------- | -------
HTTP | TCP | Local LAN | 1025 to 65535 | FirePass server | 80 | | Required
HTTP (response) | TCP | FirePass server | 80 | Local LAN | 1025 to 65535 | Yes | Required
HTTPS | TCP | Local LAN | 1025 to 65535 | FirePass server | 443 | |
HTTPS (response) | TCP | FirePass server | 443 | Local LAN | 1025 to 65535 | Yes |
IMAP | TCP | FirePass server | 1025 to 65535 | Local LAN | 143 | | Required for email
IMAP (response) | TCP | Local LAN | 143 | FirePass server | 1025 to 65535 | Yes | Required for email
POP | TCP | FirePass server | 1025 to 65535 | Local LAN | 110 | | Required for email
POP (response) | TCP | Local LAN | 110 | FirePass server | 1025 to 65535 | Yes | Required for email
Microsoft Networking | TCP | FirePass server | 1025 to 65535 | Local LAN | 135, 139 | | Required for File services
Microsoft Networking (response) | TCP | Local LAN | 135, 139 | FirePass server | 1025 to 65535 | Yes | Required for File services
Microsoft Networking | UDP | FirePass server | 1025 to 65535 | Local LAN | 137, 138 | | Required for File services
Microsoft Networking (response) | UDP | Local LAN | 137, 138 | FirePass server | 1025 to 65535 | Yes | Required for File services
Telnet/3270 | TCP | FirePass server | 1025 to 65535 | Local LAN | 23 | | Required for Host Access
Telnet/3270 (response) | TCP | Local LAN | 23 | FirePass server | 1025 to 65535 | Yes | Required for Host Access
Client/Server applications | TCP | FirePass server | 1025 to 65535 | Local LAN | User-defined TCP | | Required for each App tunnel
Client/Server applications (response) | TCP | Local LAN | User-defined TCP | FirePass server | 1025 to 65535 | Yes | Required for each App tunnel
SSL VPN Connector | TCP, UDP, ICMP | FirePass server | 1025 to 65535 | Local LAN | Any ports as needed | | Required for SSL VPN as needed
SSL VPN Connector (response) | TCP, UDP, ICMP | Local LAN | Any ports as needed | FirePass server | 1025 to 65535 | Yes | Required for SSL VPN as needed


About the traffic between the FirePass server and the Desktop Agent

To allow traffic from the FirePass server to the corporate LAN using the My Desktop feature, you must open firewall ports as shown in Table 2.5.

The FirePass client on the desktop computer on the local LAN uses ports 80 and 81 to initiate communications with the FirePass server during My Desktop sessions. The FirePass server "wakes" the client on port 661, then communicates with it on port 443. The client then initiates a new connection on port 81 back to the FirePass server.

Host Activation Protocol (HAP) is a registered port (661) which allows the FirePass server to initiate a session with the FirePass Desktop Agent. The FirePass server communicates with the Agent on port 443.

Note: The port numbers in the following table are default values which you can change. For more information, see Configuring the My Desktop Webifyer.


Table 2.5 Traffic between the FirePass server and the Desktop Agent

Traffic Type | Protocol | Source address | Source ports | Destination address | Destination ports | Ack bit | Comment
------------ | -------- | -------------- | ------------ | ------------------- | ----------------- | ------- | -------
HTTP | TCP | Local LAN | 1025 to 65535 | FirePass server | 80, 81 | | Required for My Desktop
HTTP (response) | TCP | FirePass server | 80, 81 | Local LAN | 1025 to 65535 | Yes | Required for My Desktop
Host Activation Protocol (HAP) | TCP | FirePass server | 1025 to 65535 | Local LAN | 661 | | Required for My Desktop
Host Activation Protocol (HAP) (response) | TCP | Local LAN | 661 | FirePass server | 1025 to 65535 | Yes | Required for My Desktop
HTTPS | TCP | FirePass server | 1025 to 65535 | Local LAN | 443 | |
HTTPS (response) | TCP | Local LAN | 443 | FirePass server | 1025 to 65535 | Yes |



Understanding name resolution issues for FirePass servers with a private IP address

If the FirePass server is installed on a corporate LAN or in a DMZ that uses private IP addresses, the firewall or gateway performs Network Address Translation (NAT). This means that the FirePass server has two different DNS "identities": one mapped to the public IP address, and another to the NAT'ed private IP address.

External users outside the firewall do not have name resolution problems because the FirePass server's name resolves to the public address of the firewall or gateway. The firewall or gateway then forwards the user's traffic to the FirePass server.

However, internal users on the corporate LAN and the My Desktop client software can be affected by internal name resolution problems unless you prevent them. You can prevent name resolution problems by doing any of the following:

  • If you have an internal DNS server, set up a zone with a fully qualified domain name (such as server-name.company.com), and then add an A record to that zone that resolves to the FirePass server's private address (such as 10.0.0.8).

  • If you have a WINS server, add a static entry for the FirePass server name.

  • If you have a firewall that supports a DNS alias feature (such as the CISCO PIX), set up the firewall to redirect internal FirePass server traffic originating from the corporate LAN to the FirePass server's private IP address.

  • If there is no internal DNS server, WINS server, or suitable firewall, you must use a local hosts file on each corporate LAN computer that must connect to the FirePass server.

    Note: This name resolution problem does not apply to a FirePass server that has a public IP address because internal and external users can both use a name that resolves to the same IP address for the server.

To support the FirePass server's application tunnels for clustered or load balanced applications such as Oracle®, Citrix®, or SAP®, you must specify the fully qualified domain names of the servers running the applications. Those applications must also support the use of fully qualified domain names when passing server address information to the client side application. Single server applications may use the server IP address if the remote client is also configured to do so.

Installing the FirePass server

This section describes how to install one or more FirePass servers in an equipment rack, connect them to a network, and power them up.

When installing and connecting wiring to the FirePass server, be sure to follow these basic safety precautions to avoid injury to you or damage to the server:

  • Read and understand all instructions.

  • Do not disassemble the FirePass server.

  • Do not restrict airflow through the fans or vents of the FirePass server.

  • Connect the unit to a properly grounded and rated power supply circuit that meets the provisions of the current edition of the National Electrical Code, or other wiring rules that may apply to your location.

Unpacking the FirePass server

After unpacking the FirePass server, you should have the following items:

  • FirePass server

  • 120 VAC power cord

  • Network cable

Installing the FirePass server in an equipment rack

Install a FirePass 1000 server in a standard 1U equipment rack, and a FirePass 4000 server in a standard 2U equipment rack. Make sure that the rack has adequate ventilation and power. We strongly recommend using an Uninterruptible Power Supply (UPS).

Connecting the FirePass server to a network and powering up

To connect a FirePass server to a network and power up:

  1. Connect an Ethernet cable from your network to the 10/100 Base-T (RJ-45) WAN connector on the FirePass server.

     • FirePass 1000: the WAN port is clearly labeled on the front panel of the server.

     • FirePass 4000: the WAN port is on the back of the server. It is the network port in the expansion slot on the right side (see Figure 2.2, FirePass 4000 port locations).

     Figure 2.2 FirePass 4000 port locations

  2. If you are connecting two dual-NIC FirePass servers in failover pairs, connect the same corresponding NICs to the same subnet on both servers. For example, connect the internal NIC on both servers to the same subnet. For information on configuring FirePass failover servers, see Chapter 7, Configuring FirePass Failover Servers and Cluster Servers.

  3. If you are connecting several FirePass servers as a cluster, connect the primary NICs to the same subnet unless they are installed in different geographic locations. For information on configuring FirePass server clusters, see Using FirePass server clusters.

  4. Plug the power cable into a 120 VAC wall outlet and into the Power connector on the rear panel of the FirePass server.

  5. Turn on the Power switch on the front panel of the FirePass server.

    Note: If you are powering up a server cluster, always power up the Master server first. If the Master server is not available when the slave servers power up, then the cluster does not work properly.

Warning: Do not turn the FirePass server off by using the Power switch on the front panel. Data corruption might occur, possibly rendering the FirePass server unavailable. To shut the FirePass server down, always use the Shutdown commands in the Administrative Console or the Maintenance Console. For more information, see Shutting down and restarting FirePass.

Performing the initial FirePass IP configuration

The FirePass server comes pre-configured with a default set of networking and server settings. The following table provides important default FirePass settings.




Setting | Factory default value
------- | ---------------------
Admin Console User Name | admin
Admin Console password | admin
Maintenance Console User Name | maintenance
Maintenance Console password | <no password>
Server name | firepass.company.xyz
Server IP Address/Mask | 192.168.1.99 / 255.255.255.0
DNS Server IP Address | 192.168.1.1
Gateway IP Address | 192.168.1.1
Domain suffix | company.xyz
SSL VPN Network Subnet | 192.168.192.0 / 255.255.255.0
SSL Certificate | firepass.company.xyz
Administrator's email address | support@company.xyz
SMTP Server | mail.company.xyz
NTP Server | ntp.nasa.gov


 

Perform the initial IP configuration using the web-based FirePass Administrative Console interface (recommended) or the terminal-based FirePass Maintenance Console.

To use the web-based Administrative Console for initial configuration (recommended)
  1. Create an isolated network that includes the FirePass server and another machine with a web browser. Connect them directly using a cross-over Ethernet cable, or indirectly with a standard Ethernet cable and an isolated hub or switch. Enter the default URL, https://192.168.1.99/stats/, into the web browser (be sure to include the final slash). One or more certificate warning messages may be displayed. Accept these. You should see the FirePass login screen.

  2. Log in using the default administrator name admin and password admin.

  3. Set up the IP configuration. Navigate to Server/Maintenance/Network Configuration. Specify the IP address, subnet, and port settings. For more information see Maintaining the network configuration settings.

  4. DNS name resolution. Navigate to Server/Maintenance/Network Configuration/Hosts. Enter the fully-qualified domain name (FQDN) of your FirePass server and the IP Address of your Domain Name Server. If you have not already done so, make the corresponding entries in your Domain Name Server.

  5. Shutdown/restart. Now shut down and restart FirePass. For more information see Shutting down and restarting FirePass.

  6. Connect to your network. Disconnect the FirePass server from the isolated network and reconnect it to your network. Test the network connections by following the instructions in Testing network connectivity.

  7. Finish configuring your FirePass server following the steps in What's next?.

To use the terminal-based Maintenance Console for initial IP configuration

First see To use the Maintenance Console to configure the FirePass server.

  1. Configure the appropriate network settings for your environment.

  2. Shut down and restart the FirePass server.

  3. Log in to the Administrative Console, and then finish configuring the FirePass server following the steps in What's next?.

    Note: You can also access the Maintenance Console using a Telnet session in the Administrative Console. For more information, see Using the Administrative Console to configure the FirePass server.

Testing network connectivity

After connecting the FirePass server to your network, powering it up, and performing the initial IP address configuration, test that you can access the server from your network, and that the FirePass server's fully qualified domain name resolves correctly both inside and outside the firewall.

To test network connectivity:
  1. Test that the FirePass server is accessible from the LAN by entering the following command on a host computer on the LAN:

    ping x.x.x.x

    where x.x.x.x is the FirePass server's private IP address.

  2. Test DNS resolution of the FirePass server's name and address inside the firewall. On a host computer inside the firewall, enter the following command:

    ping <fully qualified server name>

    Inside the firewall, this name should resolve to the FirePass server's private IP address.

  3. Test DNS resolution of the FirePass server's name and address outside the firewall. On a host computer outside the firewall, enter the following command:

    ping <fully qualified server name>

    Outside the firewall, this name should resolve to the FirePass server's public IP address.

    Note: You may not receive pings back from outside the firewall if the firewall is not configured to pass ICMP packets.

  4. Test accessing the server from a Web browser by entering the URL for the FirePass server on computers both inside and outside the firewall. For example, enter:

    https://<host name of FirePass>/stats/

    where <host name of FirePass> is the host name assigned to the FirePass server. For example, enter:

    https://server-name.company.com/stats/

    The FirePass server's login screen should appear when you enter this URL.

    Use the following information to troubleshoot problems accessing the server:

  • If you have trouble accessing the FirePass server with a Web browser on a computer outside the firewall, the problem is usually caused by a misconfigured firewall, or a firewall that does not allow packets to travel in both directions. Non-stateful firewalls do not keep a connection state history table and cannot identify packets returning from an open connection unless a similar rule looking for an ACK bit is configured to allow traffic to go in the opposite direction.

  • If you have trouble accessing the FirePass server by entering the fully qualified domain name on a computer inside the firewall, try entering the internal IP address. This problem is usually caused by DNS reflection, which occurs when an internal host sends a packet to the external interface of the firewall. When the firewall forwards the packet to the FirePass server, the FirePass server replies to the external interface of the firewall which cannot properly route the packet back to the internal host. Some routers have a work-around for this problem.
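As an added example, not code from the guide, the following POSIX shell script automates the checks above together with the name-resolution check from Understanding name resolution issues for FirePass servers with a private IP address: it resolves the FirePass host name, compares the answer with the address that side of the firewall should see (private inside, public outside), flags the DNS-reflection case where an internal host is handed the public address, pings the server, and probes the /stats/ login page. The host name, the addresses, and the use of getent, nslookup, ping -W and curl -k are assumptions; the guide itself names only ping and a Web browser. Run it as `sh check_firepass.sh inside` on a LAN host or `sh check_firepass.sh outside` from the Internet side.

```shell
#!/bin/sh
# Added example, not from the FirePass guide: connectivity and split-DNS checks.
# Usage: sh check_firepass.sh inside|outside

FIREPASS_FQDN="server-name.company.com"   # the guide's example host name
EXPECTED_INSIDE="10.0.0.8"                # the guide's example private address
EXPECTED_OUTSIDE="203.0.113.10"           # constructed public address (firewall's external side)

# First IPv4 address in a piece of resolver output (getent, nslookup or hosts-file style).
first_ipv4() {
  printf '%s\n' "$1" | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# Resolve the name the way applications do: getent on glibc systems (assumed),
# nslookup as a fallback. The first two nslookup lines describe the resolver
# itself and are dropped so its address is not mistaken for the answer.
resolve_name() {
  out=$(getent hosts "$1" 2>/dev/null) || out=$(nslookup "$1" 2>/dev/null | sed '1,2d')
  first_ipv4 "$out"
}

# Classify a resolved address for the side of the firewall we are on.
# Prints: ok | unresolved | reflection | mismatch
check_resolution() {
  side=$1; ip=$2
  case "$side" in
    inside)  want=$EXPECTED_INSIDE ;;
    outside) want=$EXPECTED_OUTSIDE ;;
    *) echo "usage: check_resolution inside|outside ADDRESS" >&2; return 2 ;;
  esac
  if [ -z "$ip" ]; then
    echo unresolved
  elif [ "$ip" = "$want" ]; then
    echo ok
  elif [ "$side" = inside ] && [ "$ip" = "$EXPECTED_OUTSIDE" ]; then
    # An internal host got the public address: the DNS-reflection case the
    # guide describes. Fix with an internal A record, a WINS entry, or a hosts entry.
    echo reflection
  else
    echo mismatch
  fi
}

# Remediation text for each classification.
advice() {
  case "$1" in
    ok)         echo "name resolves to the expected address" ;;
    unresolved) echo "name does not resolve; check the DNS zone or the hosts file" ;;
    reflection) echo "internal host resolves the public address; add an internal A record, WINS entry or hosts entry for $EXPECTED_INSIDE" ;;
    mismatch)   echo "name resolves to an unexpected address; check for stale records" ;;
    *)          echo "unknown result: $1" ;;
  esac
}

# ICMP and HTTPS probes (Linux ping, -W in seconds, is assumed). Outside the
# firewall a failed ping is only a warning: the guide notes ICMP may be blocked.
probe() {
  side=$1; ip=$2
  if ping -c 1 -W 2 "$ip" >/dev/null 2>&1; then
    echo "ping $ip: ok"
  elif [ "$side" = outside ]; then
    echo "ping $ip: no reply (ICMP may be blocked by the firewall)"
  else
    echo "ping $ip: FAILED"
  fi
  # -k accepts the factory self-signed certificate; drop it once a real certificate is installed.
  code=$(curl -k -s -o /dev/null -w '%{http_code}' "https://$FIREPASS_FQDN/stats/" 2>/dev/null || echo 000)
  echo "https://$FIREPASS_FQDN/stats/ -> HTTP $code"
}

if [ "$#" -gt 0 ]; then
  ip=$(resolve_name "$FIREPASS_FQDN")
  result=$(check_resolution "$1" "$ip")
  echo "$FIREPASS_FQDN resolves to '${ip:-nothing}' ($1): $result"
  advice "$result"
  if [ -n "$ip" ]; then
    probe "$1" "$ip"
  fi
fi
```

The `reflection` result is the interesting one: it tells you the internal DNS zone, WINS entry or hosts file from the name-resolution section is missing, before you spend time on the firewall. An HTTP 200 from /stats/ inside but a timeout outside points instead at the non-stateful firewall case described in the first troubleshooting bullet.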

Using the Administrative Console to configure the FirePass server

After verifying that the FirePass server is accessible on your network, you can use the Administrative Console in a Web browser to administer the server and change configuration settings as necessary. You can run the Administrative Console on any computer that can access the FirePass server over the network.

Logging Into the Administrative Console

To log into the Administrative Console:
  1. Enter the following URL in a Web browser on a computer that can access the FirePass server over a network or the Internet:

    https://<host name of FirePass>/stats/

    where <host name of FirePass> is the host name assigned to the FirePass server. For example, enter:

    https://server-name.company.com/stats/

  2. If a Security alert appears, click Yes to accept the SSL encryption certificate.
    The FirePass login screen appears.

  3. Enter the following superuser user name: admin.

  4. Enter the default superuser password: admin.

    Note: The user name and password are case sensitive. If the FirePass server rejects the user name and password, contact Technical Support.

  5. Click Login.

    After you log in, the Welcome panel for the FirePass Administrative Console appears. The Administrative Console is composed of several panels where you select options, enter configuration information, and choose commands to configure and administer the FirePass server. Some panels contain status information and reports that you can use to monitor the server. Click the tabs and links on the left side of the display to load each screen on the right side.

Changing the superuser password

One of the first tasks you should do is change the default password for the preconfigured Administrator ("superuser") account.

To change the superuser password
  1. Under the Server tab on the left side of the Administrative Console, click the Security link.

  2. Click the Password link.
    The Change Superuser Password screen opens.

  3. In the Old Password text box, type the current password.

  4. In the Password and Confirm Password text boxes, type the new password, and then click Go.

    You also see an option to disable the Superuser account. Do not check this option before you have given comprehensive Administrator privileges, including access to all links on the Server tab, to other named accounts. You can assign Administrator privileges to other users by navigating to Server/Security/Administrators. For more information about assigning Administrator privileges, see Granting Administrator privileges to other users.

    If your superuser password is lost, contact Technical Support.

Installing your license

Getting your first license

Your server should already have an installation type, serial number and registration key assigned. These show as the first three items in the Settings table display. If the Serial number is shown as unknown, contact Technical Support.

When you receive your new FirePass server, you should also have received an email from Technical Support or the entitlement server. If so, follow the directions in the email. If not, contact Support (support@f5.com) to make sure your license is ready.

Licenses are time-limited, for security reasons. Install your license as soon as you receive it.

Make sure that your firewall allows outbound Internet connections to port 443.

Navigate to Server/Settings. Then click on the Pick up new license... link. If your license is ready and the server can contact the licensing server, your new license is installed.

Adding capacity or features to your license

To add session capacity or features, see Adding capacity or features to your license.

Displaying a list of current settings and licensed features

You can display a list of the current configuration settings and licensed features. To display this list, click the Settings link under the Server tab. These settings are read-only and are offered to assist in troubleshooting.

Using the Administrative Console to access the Maintenance Console

You can use a Web browser to access the Maintenance Console by launching a Telnet session from within the Administrative Console.

To use the Administrative Console to run the Maintenance Console
  1. Under the Server tab on the left side of the Administrative Console, click the Maintenance link.
    The Maintenance screen opens.

  2. Click the Low-level link.

  3. Under Telnet access, click the Telnet Session to the Maintenance Account link.

  4. At the Login prompt, enter the following: maintenance.
    No password is required.

  5. Enter Y to agree to the conditions on the screen.
    The Maintenance Console menu appears.

Logging out of the Administrative Console

If you do not log out of the Administrative Console, the FirePass server automatically times you out after a period of inactivity. This time interval is specified in the Inactivity Timeout option on the Customization panel of the Administrative Console.

To log out of the Administrative Console

Use either option:

  • Click the Logout link on the left side of the Administrative Console.

  • Close your Web browser.

Using the Maintenance Console

If you intend to use the Administrative Console web interface (recommended) to configure the FirePass IP address or if your server's IP address and network mask are already configured correctly, you can skip this section.

However, if your server's IP address and network mask are not configured correctly, or if you are unable to connect to the server using a Web browser on the network, you can use the Maintenance Console to make configuration changes according to the instructions in this section. You can also use the Maintenance Console to perform basic connectivity diagnostics.

Use one of the following methods to access the server and run the Maintenance Console:

  • Connect another computer's serial port to the FirePass server's serial port, and then use a terminal emulation program.

  • Connect a monitor and keyboard directly to the FirePass server (FirePass 4000 only).

To use the Maintenance Console to configure the FirePass server
  1. Use a 9-pin D-style, null modem cable to connect the serial port on a serial terminal or on a computer to the FirePass server's serial console port on the server's rear panel.

  2. If necessary, turn on the FirePass server's Power switch.

  3. Do one of the following:

  • If you connected a serial terminal, press Enter on the terminal's keyboard to start the Maintenance Console.

  • If you connected a computer to the serial port, start a serial terminal emulation application (such as HyperTerminal on Windows® or Minicom on Linux) on the computer. Use the terminal emulation application to connect to the FirePass server with the following communications settings:

    Setting            Value
    Bits per second    9600
    Data bits          8
    Parity             None
    Stop bits          1
    Flow control       Xon/Xoff

  4. At the Login prompt, enter the following: maintenance
    No password is required.

  5. Enter Y to agree to the conditions on the screen.
    The Maintenance Console menu appears.

  6. To change the server name or other network settings, enter 1 for Network Configuration and then press the Enter key.

    Tip: The IP Address and Network Mask are the only settings that you must configure to enable access to the server using the Administrative Console running in a Web browser on the network. But you can also use the other Maintenance Console commands at a later time to configure other settings.

  7. At the Network Configuration prompts, enter the appropriate information or press the Enter key to accept the current setting.

  8. After you finish entering the settings, enter Y at the confirmation prompt.

  9. For some configuration changes, the server prompts you to restart.

  • To restart the server, enter 6 for Restart Server on the command menu, and then press the Enter key.

  • Otherwise, enter 8 for Exit, and then press the Enter key to exit the Maintenance Console.

  10. Disconnect the serial cable.

What's next?

Now that the FirePass server is installed and accessible on the network, you can use the Administrative Console to finish configuring FirePass.

  • Set up security on the FirePass server by adding groups and user accounts, and then configuring authentication. For more information, see Chapter 3, Setting Up FirePass Server Security.

  • (Optional) If necessary, change the FirePass server host name to a name that is appropriate for your site. For more information, see Changing the FirePass server name.

  • Install a new SSL certificate. For more information, see Setting up certificates.

  • Configure the SMTP Server, Administrator's password and email, proxies, and SSL Server Certificate. See Chapter 5, Managing, Monitoring, and Maintaining the FirePass Server, for directions.

  • Install the license signature. You may have received an email from the F5 entitlement server describing how to install your license. If so, use those directions. If not, contact technical support (support@f5.com) to make sure your license is ready. Then navigate to Server/Settings/License and click on the link to pick up your new license signature.

  • Configure the Webifyers that you want to make available to users. For example, configure the SSL VPN Webifyer, if necessary. For more information, see Chapter 4, Configuring the FirePass Webifyers.

  • (Optional) If necessary, customize the appearance of the user's home page, such as the logo and terms used for logging in. For more information, see Customizing the user's home page, on page 5-31.

    Note: After you use the superuser account to create user accounts, you can assign administrative privileges to one or more user accounts. For more information, see Assigning administrative privileges to a user account.
