Manual Chapter: FirePass 5.2.2 Handbook: Installing the FirePass Controller



Installing the FirePass Controller


Overview of installing the FirePass controller

Installing the FirePass® 600 controller is fairly straightforward if you follow these instructions and make the necessary changes in your existing environment. The FirePass controller configuration tasks can be categorized as initial installation and configuration tasks, and additional or secondary configuration tasks. Some of the secondary tasks are required, some are recommended, and some are optional.

A Quick Start card is included with the controller. Read the Recommended Reading and use the Quick Setup worksheet to gather necessary network configuration information before beginning to install the FirePass controller.

Summary of tasks for installing and configuring the FirePass controller

Installing and configuring the FirePass 600 controller is a multi-step process. However, the process is simple, as long as you complete the tasks in the correct order.

Table 2.1 lists a summary of the initial tasks for installing and configuring the FirePass controller and suggests where to look for more details. The tasks are listed in the order you should do them. Once you have completed the initial tasks listed here, you can move on to the secondary configuration tasks shown in Table 2.2.

Table 2.1 Overview of initial FirePass installation and configuration tasks

| Task | For more information, see |
|---|---|
| Configure the firewalls at your site to allow traffic to and from the FirePass controller. | Configuring a firewall |
| If the FirePass controller has a private IP address, set up name resolution for internal users and client software. | Understanding name resolution issues with private IP addresses |
| Install the FirePass controller, and start it. Using Port 1, create an isolated network to reach the FirePass controller using its factory default IP address. | Installing the FirePass controller |
| Configure the controller using the Quick Setup wizard. | Using the Quick Setup wizard |
| Install a FirePass controller license. | Installing a FirePass 600 controller license |
| Connect the FirePass controller to the network. Test that the FirePass controller is accessible on the network, and test DNS resolution of the FirePass controller's host name inside and outside the firewall. | Testing network connectivity |

Table 2.2 provides a summary of the additional tasks for installing and configuring the FirePass controller. Once you have completed the initial installation tasks listed in Table 2.1, you can review these additional tasks, and complete the ones necessary for your configuration.

Table 2.2 Overview of additional FirePass configuration tasks

| Task | For more information, see |
|---|---|
| Install a new, trusted SSL server certificate. | Installing a server certificate |
| Add user accounts and configure one or more authentication methods for FirePass controller users. | Overview of FirePass controller users |
| After the FirePass controller is up and running and the network connections are working, use the Administrative Console to finish configuring the controller from a web browser. | Using the Administrative Console |
| If necessary, customize the appearance of the user's home screen, such as the logo, and terms used for logging in. | Online help |

Preparing for the installation

Installation of the FirePass controller goes smoothly if you gather necessary information and prepare your environment before you start. The Quick Start card and the Quick Setup worksheet included with the FirePass 600 controller provide information about what you need to do before you begin installing the FirePass controller.

Requirements before installation

The FirePass 600 controller is designed to be easy to install and configure, but in order to be successful, you need the following three things.

Note


The FirePass 600 controller does not support dynamically assigned IP addresses for any configurations.

 

  • A static, Internet-accessible public IP address
    To configure the FirePass 600 controller, you need a static IP address that is accessible from the Internet. This public (external) IP address may be either:


    • A new public IP address assigned to the FirePass controller, to be used for Network Address Translation configurations.


    • An existing public IP address currently assigned to your Internet router or firewall, to be used with Port Address Translation configurations.


  • The ability to configure your Internet router or firewall
    You need to configure your Internet router to send traffic to the FirePass controller using either Network Address Translation (NAT), or Port Address Translation (PAT).


    • For NAT, set up rules to map the public IP address to a private IP address assigned to the primary interface of the FirePass controller. (If you are also configuring a firewall, TCP ports 443 (HTTPS) and 80 (HTTP) must be allowed.)


    • For PAT, also known as port forwarding, configure the Internet router to forward TCP ports 443 and 80 to the internal IP address assigned to the FirePass controller. (The FirePass controller needs port 80 to redirect traffic to port 443.)


  • The ability to register an Internet host name
    You must be able to register a host name for accessing the FirePass controller (for example, firepass.siterequest.com). You must also be able to configure Internet name resolution for the new host name.


    • For NAT, the fully qualified domain name you register should resolve to the public IP address of the FirePass controller. (This is the IP address with a NAT rule sending traffic to the private IP address on the FirePass controller.)


    • For PAT, the fully qualified domain name you register should resolve to the public IP address of your Internet router or firewall.


Understanding Network Address Translation and Port Address Translation

Network Address Translation (NAT) rules or Port Address Translation (PAT) rules on your router provide access from the Internet to the FirePass controller. When you configure the firewall for NAT or PAT, the router forwards incoming packets to the controller. Which option you use depends on your network configuration:

  • Network Address Translation
    If you have an external (public) IP address for the FirePass controller, configure NAT rules on the router/firewall to forward traffic from the FirePass controller's public IP address to the controller's internal (private) IP address. (If you are configuring a firewall, you must allow TCP ports 443 and 80.)


  • Port Address Translation
    If you do not have an external IP address available for the FirePass controller, or if your router/firewall does not support NAT, configure PAT rules to forward TCP ports 443 and 80 to the private IP address assigned to the FirePass controller.


Additional network configuration requirements

You also need to make the following configuration changes in your local network:

  • Configure an internal Domain Name Services (DNS) server
    Configure the DNS server so that queries from the local network for the FirePass controller name resolve to the internal (private) IP address of the controller.


  • Configure an internal WINS server
    Configure the WINS server to allow network share browsing with Network Access. (If you do not have an internal WINS server, you need to use IP addresses to access some internal resources or configure static host entries in the FirePass controller Administrative Console.)


Configuring a firewall

The FirePass controller provides remote access by communicating through secure tunnels between remote users at untrusted or unprivileged hosts on the Internet and your corporate LAN. A tunnel is a secure (private) connection between computers or networks over a public network. This section describes the firewall ports you must open at your site to allow traffic to and from the FirePass controller so that it can operate correctly.

The particular firewall ports that you must open at your site depend on where you install the FirePass controller relative to the firewalls. Certain ports, such as ports 80 and 443 for HTTP and HTTPS, must be open in all situations on the external firewall between the FirePass controller and remote web browsers. If the FirePass controller is installed in a DMZ with an internal firewall separating it from the corporate network, you also have to open other ports as necessary to allow access to network services such as DNS. A DMZ, or demilitarized zone, is a small subnetwork or single computer that is installed between your internal corporate LAN and the external Internet.

Note


You can block port 80 on your firewall, but if you do, the FirePass controller will not be able to redirect http:// addresses to https://, and remote users will have to manually type https:// for every URL.

 

Overview of the firewall configuration process

Configure Network Address Translation (NAT) or Port Address Translation (PAT) and open ports so your firewall allows ports 80 (HTTP) and 443 (HTTPS) through to the FirePass controller. For more information on NAT and PAT, see Understanding Network Address Translation and Port Address Translation.

Services hosted behind firewalls

Network services are sometimes hosted locally behind a firewall, and sometimes hosted remotely. If the services are hosted remotely, the external firewall must allow the FirePass controller to make connections to those services on specific TCP/IP ports.

To allow access to the FirePass controller from the Internet, you can create either NAT rules or PAT rules on the firewall to forward inbound packets to the controller. The advantage of static NAT is that it does not require you to forward each individual port to the FirePass controller. However, some firewalls only allow static NAT using a public IP address other than its own public interface.

  • To use static NAT, configure a rule that forwards all allowable traffic from the public IP address to the private IP assigned to the FirePass controller.


  • If your firewall does not allow static NAT, you must use PAT (also known as port forwarding) by setting up rules to forward the appropriate ports to the private IP address assigned to the FirePass controller.


Stateful and non-stateful firewalls

Firewalls can be classified as stateful and non-stateful.

  • Stateful firewalls allow bi-directional communication (that is, they create a return rule for an allowed service). If you have a stateful firewall (most newer commercial firewalls are stateful), you only need to define rules for the actual traffic; the replies are automatically allowed to pass.


  • Older firewalls, especially ones based on Linux IP chains, are often non-stateful; they do not allow bi-directional communications. If you have a non-stateful firewall, you also must define rules for traffic coming in and the replies with the ACK (acknowledgement) bit set for those protocols.


Note


The FirePass controller includes a troubleshooting tool called the Network packet dump. This tool is useful for troubleshooting firewall-related issues. For more information, see the online help for the Device Management : Maintenance : Troubleshooting Tools screen.

Reviewing network traffic and the FirePass controller

To ensure full functionality of the FirePass controller, you should confirm that traffic between the remote user's browser and the FirePass controller is allowed through the firewalls. (See Understanding traffic between a remote user's browser and the controller.) The following table shows the traffic, listed in request/response pairs.

Note


A particular type of traffic shown in the table is required only if Required appears in the Comment column for the traffic, or if you are enabling an application service that requires the port to be opened.

 

Understanding traffic between a remote user's browser and the controller

To allow traffic between a remote user's browser and the FirePass controller, you must open the firewall ports as shown in Table 2.3.

Table 2.3 Traffic between remote user's browser and FirePass controller

| Traffic Type | Protocol | Source Address | Source Ports | Destination Address | Destination Ports | ACK bit | Comment |
|---|---|---|---|---|---|---|---|
| HTTP | TCP | Remote Browser | 1025 to 65535 | FirePass controller | 80 | | Required if redirection to HTTPS is needed |
| HTTP (response) | TCP | FirePass controller | 80 | Remote Browser | 1025 to 65535 | yes | Required |
| HTTPS | TCP | Remote Browser | 1025 to 65535 | FirePass controller | 443 | | Required |
| HTTPS (response) | TCP | FirePass controller | 443 | Remote Browser | 1025 to 65535 | yes | Required |
| SSH | TCP | Local LAN | 1025 to 65535 | FirePass controller | 22 | | Optional (used by F5 Technical Support) |
| SSH (response) | TCP | FirePass controller | 22 | Local LAN | 1025 to 65535 | yes | Optional |

 

If you are locating the FirePass controller in a DMZ, you must open all traffic from the FirePass controller source IP address into your local network. If you are using a routed Network Access configuration, you must also open traffic for the subnet configured in Network Access. For more information on configuring Network Access, see Configuring Network Access settings.

Note


Configure your internal DNS server so that the FirePass controller host name resolves to the controller's local IP address. This ensures that traffic from the same side of the firewall can reach the FirePass controller. You can do this on a WINS server, or on a DNS server if the DNS server is hosted locally. (See Understanding name resolution issues with private IP addresses.)

 

Understanding name resolution issues with private IP addresses

If the FirePass controller is installed on a corporate LAN or in a DMZ that uses private IP addresses, the firewall or gateway performs NAT or PAT. This means that the FirePass controller has two different DNS identities: one mapped to the public IP address, and another mapped to a private IP address.

Users outside the firewall should not have name resolution problems because the FirePass controller's name resolves to the public address of the firewall or gateway. The firewall or gateway then uses NAT to forward the user's traffic to the FirePass controller.

However, internal users on the corporate LAN and the Desktop Access client software may be affected by internal name resolution problems unless you take specific steps to prevent them.

  • If you have an internal DNS server, add an A record to that zone that resolves to the FirePass controller's private address (such as 10.0.0.8). An A record is an address record, the basic DNS record type, and is used to associate a domain name with an IP address.


  • If you have a local WINS server, add a static entry for the FirePass controller name.


  • If you have a firewall that supports DNS aliasing, set up the firewall to redirect internal FirePass controller traffic (originating on the local network) to the FirePass controller's private IP address.


  • If there is no internal DNS server, WINS server, or suitable firewall feature, you must use a local hosts file on each corporate LAN computer that must connect to the FirePass controller.


Note


This name resolution problem does not apply to a FirePass controller that has a public IP address, because internal and external users can both use a name that resolves to the same IP address for the controller.

Installing the FirePass controller

This section describes how to install a FirePass controller, connect it to a network, and start the controller.

When installing and connecting the wiring to the FirePass controller, be sure to follow these basic safety precautions to avoid injury to yourself or damage to the controller:

  • Read and follow all instructions.


  • Do not disassemble the FirePass controller.


  • Ensure that airflow is unrestricted through the fans and vents of the FirePass controller.


  • Connect the unit to a properly grounded and rated power supply circuit that meets the provisions of the current edition of the National Electrical Code, or other wiring rules that may apply to your location.


Contents of the FirePass controller package

After unpacking the FirePass controller, you should have the following items:

  • FirePass 600 controller


  • 120 VAC power cord or 220 VAC power cord


  • External power adapter


  • CAT 5 network cable


  • Null modem serial cable


  • Resource Kit containing a Quick Start card and Quick Setup worksheet


Connecting the FirePass controller to an isolated network

After you unpack the FirePass 600 controller, the next step is to connect the controller to an isolated network. When you have done this, you can turn the controller on.

Note


Use the Quick Setup worksheet included with the FirePass controller to collect and record your basic installation information before continuing.

 

To connect a FirePass controller to a network and start it
  1. Connect a PC to the controller using either:


    • An Ethernet crossover cable


    • A standard Ethernet cable with an isolated hub or switch


  2. Connect the Ethernet cable to the Port 1 connector on the back panel of the controller. Port 1 is clearly labeled on the controller.


  3. Temporarily change the IP address of the PC.
    Use any IP address in the 192.168.1.0/24 subnet except 192.168.1.99.


  4. Connect the power to the FirePass controller and turn the controller on using the main Power switch, on the back panel, to the right.

    Wait for the FirePass controller to complete its startup process. Three tones stepping up in pitch indicate the startup process is complete.


Configuring the FirePass controller

Configuring the FirePass controller is straightforward if you use the Quick Setup wizard. You need to understand the initial configuration process, including the default FirePass controller settings, using the Quick Setup wizard, and installing a license on the controller. You will also need to test the controller after you have configured it.

Overview of the initial configuration process

After you have unpacked the controller and connected it to your network, you can begin your configuration. To complete the initial FirePass controller configuration, you must complete these tasks.

  1. Connect to the controller.
    In the PC's web browser, type the controller's default URL (be sure to include the final slash):

    https://192.168.1.99/admin/

    A certificate warning message displays. Accept it.
    You see the FirePass controller login screen.

    The warning appears because you have not yet installed a trusted SSL server certificate. During the Quick Setup process you have the option to generate and install a self-signed certificate. For more information on certificates, see Overview of SSL Server Certificates.

  2. Log in.
    Log in using the default administrator name admin, and password of admin.
    The startup screen for unlicensed FirePass controllers displays.

  3. Run the FirePass Quick Setup.

    1. Click FirePass Quick Setup to run the Quick Setup wizard.

    2. Using the Quick Setup wizard and the Quick Setup worksheet, perform the initial configuration including updating the controller IP address, adding Network Access settings, changing the administrator user name and password, and generating a self-signed certificate.

    For more information, see Using the Quick Setup wizard.

  4. Shut down/Restart.
    The last step of the Quick Setup wizard prompts you to restart or shut down the FirePass controller. Select the appropriate option:

    • Click the Restart Controller link to restart the controller. Select this option if you are not moving the FirePass 600 controller to a new location.

    • Click the Shutdown Controller link to turn the controller off. Select this option if you are going to move the FirePass 600 controller to a new, permanent location. Wait for three tones stepping down in pitch that signal the controller has finished the shutdown process.

    Do not use the Power switch to restart or turn off the controller. Click Restart or Shutdown at the end of the Quick Setup process, or use the Restart Controller or Shutdown Controller link on the Device Management : Maintenance : Restart Services screen.

  5. Connect to your network.

    1. Connect the FirePass controller to your network.
      Disconnect the controller from the isolated network and reconnect it to your network.

    2. Test the network connections by following the instructions in Testing network connectivity.

  6. Install a license.
    You need to install a FirePass controller license before you can finish configuring the controller. For more information, see Installing a FirePass 600 controller license.

  7. Finish configuring the FirePass controller.
    Finish configuring the FirePass controller using a browser on a PC on the network, and either the fully-qualified domain name of the controller, or the IP address you assigned during the Quick Setup.

    1. Install a trusted SSL server certificate.
      We recommend that you install a trusted SSL server certificate, signed by a known Certificate Authority (CA). The Quick Setup wizard gives you the option to generate and install a self-signed certificate. For details about SSL server certificates, see Overview of SSL Server Certificates.

    2. Add user accounts.
      You can add FirePass user accounts in several different ways. For details about adding user accounts, see Overview of FirePass controller users.

    3. Test user logins and Network Access connections.
      Log in as a valid user and click on the Network Access connection link. For more information about Network Access, see the online help and Overview of Network Access.


About the FirePass controller preconfigured settings

The FirePass controller comes preconfigured with a default set of networking and controller settings. These settings provide a predefined configuration that allows you initial access to the controller. They are not intended for actual use in your environment. Connect to the controller using the default settings and then configure it with your own settings. The following table provides important default FirePass controller settings.


FirePass default network settings

| Setting | Factory default value |
|---|---|
| Administrative Console User Name | admin |
| Administrative Console password | admin |
| Maintenance Console User Name | maintenance |
| Maintenance Console password | <no password> |
| Controller name | firepass.company.xyz |
| Controller IP Address/Mask | 192.168.1.99 / 255.255.255.0 |
| DNS Server IP Address | 192.168.1.1 |
| Gateway IP Address | 192.168.1.1 |
| Domain suffix | company.xyz |
| SSL VPN Network Subnet | 192.168.192.0 / 255.255.255.0 |
| SSL Certificate | firepass.company.xyz |
| Administrator's email address | support@company.xyz |
| SMTP Server | mail.company.xyz |
| NTP Server | ntp.nasa.gov |

Using the Quick Setup wizard

After you install the FirePass 600 controller and connect to it for the first time, run the FirePass Quick Setup wizard to do the initial configuration of the controller. The Quick Setup wizard prompts you for basic configuration information and helps you configure the controller quickly. (You can run the Quick Setup wizard at any time by clicking the Run FirePass Quick Setup link on the Welcome screen.)

Make additional FirePass controller configuration changes using the Administrative Console or the Maintenance Console. For more information, see Using the Administrative Console to configure the controller, and Using the Maintenance Console.

Note


The Quick Setup wizard applies most changes immediately, including the administrator login name and password. However, it does not change the network configuration until you finish the wizard and restart the FirePass controller.

 

To make initial configuration changes using the FirePass Quick Setup

When you log onto the FirePass controller for the first time, the Quick Setup screen displays. Run the Quick Setup wizard from this screen to configure the controller. If you do not see the Quick Setup screen, run the Quick Setup wizard from the Welcome screen.

  1. Click FirePass Quick Setup.
    The Quick Setup Welcome screen displays.
    Click Next to continue.

  2. In the FirePass Fully Qualified Domain Name (FQDN) box, type a fully qualified domain name for the FirePass controller and click the Next button.
    The FQDN is the full name of a computer system, including all parts of the domain name. For example, if your domain name is mycompany.com, and the name you want to assign to the FirePass controller is firepass, the FQDN of the controller would be firepass.mycompany.com

  3. On the Network Configuration screen:

    1. In the IP Address box, type the IP address of the FirePass controller.

    2. In the Subnet Mask box, type the subnet mask.

    3. In the Default Gateway box, type the IP address for the default gateway.

    4. In the DNS Server box, type the IP address for the DNS server.

    5. In the Domain Suffix box, type the domain suffix for your organization.

    6. Click the Next button to continue.

  4. On the Network Access Service Configuration screen:

    1. In the Connection Name box, type a connection name for the Network Access connection (this is the name the users will see when they make a connection).

    2. In the DNS Server box, type the IP address of your DNS server.

    3. If you have a WINS server, type the IP address of the WINS server in the WINS Server box.

    4. Click the Next button to continue.

  5. On the Administrator Name and Password screen, type the administrator login name and a new password.
    Click Next to continue.

    Note: The password must be at least 8 characters.

  6. On the Mail Server Configuration screen:

    1. In the E-Mail Server box, type the fully qualified name of your email server.

    2. In the Admin E-Mail Address box, type the email address for the administrator of the FirePass controller. The controller sends alerts and warnings to this address.

    3. In the E-Mail Display Text box, type any text you want to appear as part of the From email address.

    4. Click the Next button to continue.

  7. On the Date and Time Configuration screen, click Next.

  8. On the Generate New Self-Signed Certificate screen, complete the boxes and click Generate to generate and install a self-signed server certificate. For details on server certificates, see Overview of SSL Server Certificates.

    Note: If you click the Next button, you bypass the step. You should install a trusted certificate before you make the FirePass controller available outside your internal network.

  9. After you generate and install a self-signed certificate, you have the option to download the certificate and the encryption key. Save the certificate and key and click Next to continue.

  10. When the Quick Setup is complete, click Finish.
    The wizard prompts you to restart the FirePass controller.

  11. On the Restart Services screen, restart or shut down the FirePass controller:

    • If you are not moving the controller to a new location, click Restart Controller.

    • To turn the controller off before moving it to a permanent location, click Shutdown Controller.

    Note: Three tones, stepping down in pitch, signal that the controller has finished with the shutdown process.


Installing a FirePass 600 controller license

After you have made the initial configuration changes and have restarted the FirePass controller, the next step is to install a license. Installing a license is also known as activating a license.

You need to activate a license in order to use the FirePass controller. The license affects what configuration options you have access to, and what features of the controller are activated. When you activate a license, the FirePass controller accesses an F5 Networks licensing server and downloads the correct license based on your purchase.

Note


The FirePass controller only accesses the F5 Networks licensing server while it is activating the license.

 

When you receive a new FirePass controller, you should receive an email from Technical Support or the entitlement server with directions on how to license your controller. If you did not receive an email, contact Technical Support to make sure your license is ready.

Getting your license

Before you can use the FirePass 600 controller, you have to license it. Your controller should be preconfigured with a serial number and registration key. These are displayed on the Activate License screen. If the Serial number appears as unknown, contact Technical Support.

To see the Activate License screen
  1. In the Administrative Console, click Device Management on the navigation pane.


  2. Click Maintenance to display the Activate License screen.


  3. Check your serial number and registration key. Verify that the serial number is not unknown.


To install the controller's first license

Before activating the license, make the initial configuration changes and confirm that the FirePass controller is configured to work on your local network. (For more information, see Overview of the initial configuration process.) Also make sure that your firewall allows outbound Internet connections to port 443.

  1. In the Administrative Console, click Welcome on the navigation pane.
    A screen displays indicating that there is no FirePass license installed.


  2. Click Activate License.
    The Device Management : Maintenance : Activate License screen displays.


  3. In Registration Method, select Automatic, then click Request License at the bottom of the screen.
    A Terms of Use agreement displays.


  4. Read the terms, click the I have read and agree to the terms of this license box, and click Continue.
    A license file displays.


  5. To install and activate the license, click Continue.


  6. When a message displays saying that the license was activated, click Continue.


  7. If the Automatic registration method does not work, install the license using the manual method.

To install the controller's license manually
  1. In the Administrative Console, click Welcome on the navigation pane.
    A screen displays indicating that there is no FirePass license installed.


  2. Click Activate License.
    The Device Management : Maintenance : Activate License screen displays.


  3. In Registration Method, select Manual, then click Request License at the bottom of the screen.
    A Terms of Use agreement displays.


  4. Copy the entire contents of the Product Dossier box, and click the indicated text, Click Here to access F5 Licensing Server. You will need to paste the dossier box contents into the licensing server.


  5. On the licensing server, paste the dossier into the Enter your dossier box, and click Activate.


  6. Follow the prompts and enter the requested information on the licensing server.


  7. When the server validates your information, a license file is displayed. You can either copy the entire file, or click Download license to copy the file to your local drive.


  8. Paste the license file in the License File box on the Device Management : Maintenance : Activate License screen, and click Install License.


  9. After the license is installed, click Continue.


Note


If you cannot access the F5 Networks licensing server using either the automatic or the manual activation process, contact F5 Technical Support.

Testing network connectivity

After connecting the FirePass controller to your network, starting it up, and performing the initial IP address configuration, test that you can access the controller from your network, and that the FirePass controller's fully qualified domain name resolves correctly both inside and outside the firewall.

Note


The following steps assume that your firewall is not configured to block ICMP packets.

 

To test network connectivity
  1. Test that the FirePass controller is accessible from the LAN by entering the following command on a host computer on the LAN:

    ping x.x.x.x

    where x.x.x.x is the FirePass controller's private IP address.

  2. Test DNS resolution of the FirePass controller's name and address inside the firewall. On a host computer inside the firewall, enter the following command:

    ping <fully qualified controller name>

    Inside the firewall, this name should resolve to the FirePass controller's private IP address.

  3. Test DNS resolution of the FirePass controller's name and address outside the firewall. On a host computer outside the firewall, enter the following command:

    ping <fully qualified controller name>

    Outside the firewall, this name should resolve to the FirePass controller's public IP address.

  4. Test accessing the controller from a web browser by entering the URL for the FirePass controller on computers both inside and outside the firewall. For example, use the following syntax where <fqdn> is the fully qualified domain name assigned to the FirePass controller:

    https://<fqdn>/admin/

    For example, you might enter:

    https://controller-name.company.com/admin/

    The FirePass controller's login screen should appear when you enter this URL.
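
The inside/outside DNS expectations in the procedure above can also be checked with a script. The following is an added example, not part of the FirePass documentation or software: it resolves the controller's name on the host where it runs and reports whether the answer matches that side of the firewall, including the case where an inside host receives the public address (the DNS reflection condition described under troubleshooting). It assumes that "private" means an RFC 1918 address; the function names and the sample addresses in the comments are constructed.

```python
import ipaddress
import socket
import sys

# Assumption: "private IP address" in the chapter means an RFC 1918 address.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(text):
    """True if the IPv4 address string falls in an RFC 1918 range."""
    ip = ipaddress.ip_address(text)
    return any(ip in net for net in RFC1918)


def resolve_ipv4(fqdn):
    """Ask the local resolver (the one ping would use) for the name's IPv4 addresses."""
    try:
        infos = socket.getaddrinfo(fqdn, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_view(vantage, addresses):
    """Compare resolved addresses with what the chapter expects for this vantage.

    vantage is "inside" or "outside" the firewall. Returns (ok, findings).
    Constructed samples: 192.168.10.20 (private), 203.0.113.10 (public).
    """
    if vantage not in ("inside", "outside"):
        raise ValueError("vantage must be 'inside' or 'outside'")
    if not addresses:
        return False, ["name did not resolve"]
    findings = []
    for text in addresses:
        private = is_rfc1918(text)
        if vantage == "inside" and not private:
            findings.append(
                f"{text}: public address returned inside the firewall; internal "
                "hosts would reach the controller through the firewall's "
                "external interface (DNS reflection)")
        elif vantage == "outside" and private:
            findings.append(
                f"{text}: private address returned outside the firewall; "
                "external clients cannot route to it")
    return (not findings), findings


if __name__ == "__main__":
    # Usage: python check_dns_view.py <fqdn> inside|outside
    name, vantage = sys.argv[1], sys.argv[2]
    ok, findings = check_view(vantage, resolve_ipv4(name))
    print("OK" if ok else "\n".join(findings))
    sys.exit(0 if ok else 1)
```

Run it once on a host inside the firewall and once on a host outside it; unlike ping, it does not depend on ICMP being allowed through the firewall.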

Troubleshooting connections to the controller

If you have problems accessing the controller, the cause is probably one of two things: a misconfigured firewall or DNS reflection. Use the following information to troubleshoot problems accessing the controller.

  • Accessing the FirePass controller on a computer outside the firewall
    If you have trouble accessing the FirePass controller with a web browser on a computer outside the firewall, the problem is likely caused by a misconfigured firewall, or a firewall that does not allow packets to travel in both directions.


  • Accessing the FirePass controller on a computer inside the firewall
    If you have trouble accessing the FirePass controller by entering the fully qualified domain name on a computer inside the firewall, try entering the internal IP address. This problem can be caused by DNS reflection, which occurs when an internal host sends a packet to the external interface of the firewall. When the firewall forwards the packet to the FirePass controller, the FirePass controller replies to the external interface of the firewall which cannot properly route the packet back to the internal host.


  • Providing Secure Shell access to Technical Support
    In case of severe malfunction, you may need to give Technical Support access to your Maintenance Console using Secure Shell (SSH). To allow this access while blocking routine SSH access, the FirePass controller uses temporary, encrypted keys, further protected by a passphrase.


Using the Administrative Console

After verifying that the FirePass controller is accessible on your network, you can use the Administrative Console in a web browser to administer the controller, and change configuration settings as necessary. You can run the Administrative Console on any computer that can access the FirePass controller over the network.

Logging in to the Administrative Console

The Administrative Console is composed of a number of screens where you select options, enter configuration information, and choose commands to configure and administer the FirePass controller. Some panels contain status information and reports that you can use to monitor the controller. Click the links on the navigation pane to expand navigation options and to load configuration screens.

To log in to the Administrative Console

To log in to the Administrative Console, you must have a computer that can access the FirePass controller over a network or the Internet.

  1. Type a URL using the following syntax, where <fqdn> is the fully qualified domain name assigned to the FirePass controller:

    https://<fqdn>/admin/

    For example, you might enter:

    https://controller-name.company.com/admin/

  2. If a Security alert appears, click Yes to accept the SSL encryption certificate.
    The FirePass login screen appears.


  3. Log in using the administrator name and password.
    If this is the first time you are logging in to the FirePass controller, the default administrator name is admin, and the default password is admin.
    If you ran the Quick Start wizard and changed the administrator name or password, use the name and password you typed in the Quick Start wizard.

    Note: The user name and password are case sensitive.

  4. Click Go to log in.
    After you log in, the FirePass Administrative Console Welcome screen appears.


Displaying a list of current settings

You can see a list of current settings on the Current Settings screen. These are useful for confirming settings and for troubleshooting problems.

Note


The licensed features appear on the Activate License screen after you install a license on the controller. For instructions on displaying the FirePass controller's licensed features, see To see the Activate License screen.

 

To display a list of current settings
  1. In the Administrative Console, click Device Management on the navigation pane.


  2. Click Current Settings to display the Current Settings screen.


  Note: The settings are read-only on the Current Settings screen.

Changing the superuser password

One of the first things you should do after installing and configuring the FirePass controller is change the default password for the superuser account. The superuser account is a preconfigured administrator account. The Quick Setup wizard prompts you to change the superuser password. You can also change the password at any time using the Administrative Console.

To change the superuser password
  1. On the navigation pane, click Device Management.


  2. Expand Security, and click Superuser to open the Superuser screen.


  3. In the Old Password box, type the current password.


  4. In the Password and Confirm Password boxes, type the new password.


  5. Click Update to change the superuser password.


  Note: If your superuser password is lost, reset the controller using the Maintenance Console. This resets the superuser login name to admin, and the superuser password to admin.


Accessing the Maintenance Console from the Administrative Console

The Maintenance Console of the FirePass controller provides a way to make limited configuration changes to the controller. You can use the Administrative Console to access the Maintenance Console by starting a Telnet session from within the Administrative Console. Alternately, you can use a computer or terminal, directly connected to the FirePass controller serial port.

To use the Administrative Console to access the Maintenance Console
  1. In the Administrative Console, click Device Management on the navigation pane.


  2. Expand Maintenance and click Troubleshooting Tools.
    The Troubleshooting Tools screen opens.


  3. Under Telnet access, click Please click here to start a Telnet Session to the Maintenance Account.


  4. You may see one or more security warnings. Click Yes to continue.


  5. At the login: prompt, type maintenance.
    No password is required.

    Note: If there is no response from the Maintenance Console, use your mouse to click in the Console window, then press Enter to get a login prompt.

  6. Type Y to agree to the conditions on the screen.
    The Maintenance Console menu appears.


Using the Administrative Console to configure the controller

In most instances, you should use the Quick Setup wizard for the initial configuration of the FirePass controller. The Quick Setup wizard is designed to guide you through the necessary changes, prompting you for required information. You can start the Quick Setup wizard from the Administrative Console at any time, by clicking the Run FirePass Quick Setup link on the Administrative Console Welcome screen. For more information on the Quick Setup wizard, see Using the Quick Setup wizard.

To use the Administrative Console for initial configuration
  1. Log in using the default administrator name admin, and password of admin.


  2. Configure the controller's IP address:


    1. On the navigation pane, click Device Management.


    2. Expand Configuration and click Network Configuration.
      The IP Configuration tab is selected by default.


    3. In the appropriate boxes, type the IP address, subnet, and Broadcast IP address for your network, and select Port1 from the Interface list.


  3. Configure DNS name resolution:


    1. With the Network Configuration screen selected on the navigation pane, click the Hosts tab.


    2. In the FQDN of the controller box, type the fully qualified domain name (FQDN) of the FirePass controller, and click Update.


    3. Click the DNS tab.


    4. Type the IP address of your domain name service server in the Name server 0 box, and click Update.


  4. Configure Web Services:


    1. With the Network Configuration screen selected on the navigation pane, click the Web Services tab.


    2. Click Configure for each service listed on the Web Server Configuration screen.
      The Web Service Configuration for <fqdn> screen displays.


    3. Type the FQDN in the Hostname box.


    4. Select the IP address from the IP address list.
      Continue configuring the Web Service, and click Update when you are done.
      For details on configuring Web Services, see the online help.


    5. Click the Finalize tab and click the Finalize Changes button to finish configuring the Web Services.


  5. Shut down and restart the FirePass controller.
    Use the Shutdown command in the Administrative Console to turn off the FirePass controller. Do not use the Power switch on the front panel to turn the controller off.


  6. Disconnect the FirePass controller from the isolated network and reconnect it to your network. Test the network connections by following the instructions in Testing network connectivity.


  7. Finish configuring the FirePass controller using a browser on a PC on the network and either the fully-qualified domain name of the controller, or the IP address you assigned during the Quick Setup. For more information, see Overview of the initial configuration process.


Logging out of the Administrative Console

For security reasons, it is a good practice to log out before leaving your computer. If you do not log out of the Administrative Console, the FirePass controller automatically logs you out after a period of inactivity. This time interval is specified in the inactivity timeout option on the Device Management : Security : Timeouts screen of the Administrative Console.

To log out of the Administrative Console

Use either option:

  • Click the Logout link on the upper right of the Administrative Console.


  • Close your web browser.


Using the Maintenance Console

Network configuration changes should be made using the Administrative Console, but if your controller's IP address and network mask are not configured correctly, or if you are unable to connect to the controller using a web browser, you can connect directly to the controller and run the Maintenance Console to reset the controller and make limited configuration changes. You can also create or restore a snapshot of the FirePass controller configuration, and perform basic connectivity diagnostics using the Maintenance Console.

Note


The IP Address and Network Mask are the only settings that you must configure on the controller in order to access the controller using the Administrative Console, but you can use Maintenance Console commands at any time to configure other settings.

 

Note


After resetting the FirePass controller, you must request a new FirePass license.

 

To use the Maintenance Console to reset the FirePass controller
  1. Use a 9-pin, D-style, null modem cable to connect the serial port on a serial terminal or on a computer to the FirePass controller's serial console port.
    The serial console port is located on the controller's rear panel.


  2. If necessary, turn on the FirePass controller's Power switch.


  3. Proceed based on your connection method:


    • If you connected a serial terminal, press Enter on the terminal's keyboard to start the Maintenance Console.


    • If you connected a computer to the serial port, start a serial terminal emulation application (such as HyperTerminal on a Windows® system or Minicom on a Linux® system) on the computer. Use the terminal emulation application to connect to the FirePass controller with the following communications settings.

      Setting            Value
      Bits per second    19200
      Data bits          8
      Parity             None
      Stop bits          1
      Flow control       Xon/Xoff




  4. At the login: prompt, type maintenance
    By default, no password is required.


  5. Type Y to agree to the conditions on the screen.
    The Maintenance Console menu appears.


  6. To make basic configuration changes, type 1 for Reset FirePass settings and/or admin password, then press the Enter key.


  7. Type 1 for Reset FirePass settings and admin password, then press the Enter key.
    A warning screen displays.


  8. At the Reset FirePass to default values (full reset) prompt, type yes and press Enter.


  9. Follow the prompts to reset the controller to default values.
    You are given the opportunity to change basic IP address values during the reset process.


  10. After you finish entering the settings, type Y at the confirmation prompt.


  11. For some configuration changes, you may need to restart the controller.


    • If the controller prompts you to restart, type 9 for Restart Server on the command menu, and then press the Enter key.


    • If you do not receive a restart prompt, type 0 for Exit, and then press the Enter key to exit the Maintenance Console.


  12. Disconnect the serial cable.


Creating or restoring a FirePass controller configuration snapshot

The FirePass controller configuration snapshot feature makes it easy for you to create a snapshot of the system configuration. This snapshot includes the software version, the network configuration, and the internal FirePass controller database. You can use a snapshot to restore the FirePass controller to a working configuration.

Note


To create or restore a configuration snapshot, you must connect to the Maintenance Console using the serial port on the FirePass controller.

 

To create a configuration snapshot
  1. Connect to the Maintenance Console using a direct connection to the FirePass controller serial port.


  2. At the login: prompt, type maintenance
    By default, no password is required.


  3. Type Y to agree to the conditions on the screen.
    The Maintenance Console menu appears.


  4. To create or restore a snapshot of the FirePass controller's configuration, type b for Create/restore FirePass snapshot, then press the Enter key.
    The FirePass controller restarts.


  5. At the prompt asking if you agree with the conditions for making a snapshot, type Yes.


  6. Type 1 for Create FirePass snapshot, then press the Enter key.
    A screen displays, showing information about the snapshot being created.


  7. When the snapshot has been created, restart the FirePass controller.
    The controller restarts in normal mode.


To restore a configuration snapshot
  1. Connect to the Maintenance Console using a direct connection to the FirePass controller serial port.


  2. At the login: prompt, type maintenance
    By default, no password is required.


  3. Type Y to agree to the conditions on the screen.
    The Maintenance Console menu appears.


  4. To create or restore a snapshot of the FirePass controller's configuration, type b for Create/restore FirePass snapshot, then press the Enter key.
    The FirePass controller restarts.


  5. At the prompt asking if you agree with the conditions for making a snapshot, type Yes.


  6. You have the option to restore a configuration snapshot you created, or the factory default snapshot:


    • Select option 2 to restore a snapshot you created.
      This choice restores the last working configuration snapshot you created.
      A screen displays information about the snapshot being restored.


    • Select option 3 to restore the factory default snapshot.
      This option resets the FirePass controller to the factory default snapshot.
      Important: Resetting the FirePass controller to the factory default snapshot erases any configuration changes you have made.


  7. When the snapshot has been restored, restart the FirePass controller.
    The controller restarts in normal mode.
    If you restored the factory default configuration snapshot, you need to configure the FirePass controller like you did when you first installed it. For more information, see Overview of the initial configuration process.


