Before you begin the installation process, we recommend that you read the information supplied in this guide, and also that you use the worksheet provided with the FirePass controller to record the values that you need to enter when going through the Quick Setup process covered in Chapter 3, Configuring the FirePass Controller.
To serve your remote access clients, you need the following before setting up the FirePass controller:
To configure the FirePass controller, you need a publicly routable (external) IP address for the FirePass controller. The IP address can be either of these:
To configure access to the FirePass controller, you need to be able to configure your Internet router or firewall to send traffic to the FirePass controller using either NAT or port forwarding.
If you plan to use NAT, configure your Internet router or firewall to map the public IP address to the private IP address assigned to the FirePass controller. Refer to your router or firewall documentation for information on configuring NAT.
If you plan to use port forwarding, configure the Internet router or firewall to forward TCP port 443 to port 443 of the private IP address assigned to the FirePass controller. Optionally, also forward TCP port 80, for connections that occur when a user accesses the FirePass controller with a URL that starts with http:// rather than https://. The FirePass controller then automatically redirects the client from port 80 to port 443. Refer to your router or firewall documentation for information on configuring port forwarding.
To allow access from the Internet to the FirePass controller using a fully qualified domain name, such as myfirepass.siterequest.com, you must configure a publicly resolvable host name on your DNS server for the public IP address used by the FirePass controller. To do this, you must have a registered Internet domain name, such as siterequest.com, and you must be able to add a host name, such as myfirepass, to the public DNS server that is authoritative for the zone that contains your registered Internet domain name. You can administer the DNS server, or your ISP can administer the DNS server on your behalf.
Optionally, you might want to configure DNS name resolution for your private (internal) network. This would permit administrators on the internal network to connect to the FirePass controller using a fully qualified domain name. To do this, add the appropriate entry into the DNS server that is authoritative for the zone that contains your private domain namespace. For more information, refer to Understanding name resolution issues with private IP addresses.
If the FirePass controller is installed on a private (internal) network, where the router or firewall performs NAT or port forwarding, then the FirePass controller might have two different DNS mappings: one public name that resolves to the public (external) IP address, and a second, private name mapped to a private (internal) IP address. The private name might be the same as the public name, or it could be different.
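The NAT or port-forwarding requirement and the public/private DNS mappings described above are easy to get subtly wrong on the worksheet (an internal address written in the public IP field, port 443 not forwarded to the controller, the public name resolving to the wrong address). The following script is an added example, not part of the F5 guide or of the FirePass software; it models the worksheet as a plain dict with constructed sample values and checks those values for consistency before Quick Setup. The field names (public_ip, forward_rules, public_dns and so on) are this script's own assumptions.

```python
"""Sanity-check the values recorded on the FirePass worksheet before Quick Setup.

Added example; it is not part of the F5 guide or the FirePass software. The
worksheet is modelled as a plain dict with constructed sample values, and the
field names (public_ip, forward_rules, public_dns, ...) are this script's own.
"""
import ipaddress

# Ranges that can never be the controller's public (external) address:
# RFC 1918 private ranges plus loopback and link-local. The RFC 5737
# documentation range used in the sample below is deliberately not excluded,
# so the constructed sample passes as "public" when run as-is.
_NOT_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]
_INTERNAL = _NOT_PUBLIC[:3]  # the RFC 1918 ranges only


def is_internal(addr):
    """True if addr lies in an RFC 1918 private range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _INTERNAL)


def is_publicly_routable(addr):
    """True if addr is outside the private, loopback and link-local ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in _NOT_PUBLIC)


def check_worksheet(ws):
    """Return a list of (level, message) findings for the worksheet dict.

    'error' means the setup described in the guide will not work as recorded;
    'info' flags an optional item (such as port 80) that is not configured.
    """
    findings = []
    pub, priv = ws["public_ip"], ws["private_ip"]

    if not is_publicly_routable(pub):
        findings.append(("error", f"public IP {pub} is not publicly routable"))
    if not is_internal(priv):
        findings.append(("error", f"private IP {priv} is not an RFC 1918 internal address"))

    mode = ws["mode"]
    if mode == "nat":
        # NAT must map the public address to the controller's private address.
        if ws.get("nat_map") != [pub, priv]:
            findings.append(("error", "NAT must map the public IP to the FirePass private IP"))
    elif mode == "port_forwarding":
        rules = ws.get("forward_rules", [])
        forwarded = {(r["public_port"], r["private_port"])
                     for r in rules if r["proto"] == "tcp" and r["to"] == priv}
        if (443, 443) not in forwarded:
            findings.append(("error", "TCP 443 -> 443 must be forwarded to the FirePass private IP"))
        if (80, 80) not in forwarded:
            findings.append(("info", "TCP 80 not forwarded: http:// URLs will not be redirected to https://"))
        for r in rules:
            if r["to"] == priv and (r["public_port"], r["private_port"]) not in {(443, 443), (80, 80)}:
                findings.append(("info", f"extra forward {r['proto']}/{r['public_port']} to the "
                                         "controller; only 443 (and optionally 80) is needed"))
    else:
        findings.append(("error", f"unknown mode {mode!r}; expected 'nat' or 'port_forwarding'"))

    # Public name: a host inside the registered domain, resolving to the public IP.
    domain, fqdn = ws["registered_domain"], ws["public_fqdn"]
    if not fqdn.endswith("." + domain):
        findings.append(("error", f"{fqdn} is not a host in registered domain {domain}"))
    if ws["public_dns"].get(fqdn) != pub:
        findings.append(("error", f"public DNS must map {fqdn} to {pub}"))

    # Optional private name: may equal the public name but must resolve internally
    # to the controller's private IP.
    private_fqdn = ws.get("private_fqdn")
    if private_fqdn:
        if ws.get("private_dns", {}).get(private_fqdn) != priv:
            findings.append(("error", f"internal DNS must map {private_fqdn} to {priv}"))
    else:
        findings.append(("info", "no internal DNS name recorded for the controller (optional)"))
    return findings


# Constructed sample worksheet; the addresses are documentation/private ranges,
# not a real deployment.
SAMPLE_WORKSHEET = {
    "public_ip": "203.0.113.10",
    "private_ip": "10.1.2.20",
    "mode": "port_forwarding",  # or "nat" together with nat_map
    "forward_rules": [
        {"proto": "tcp", "public_port": 443, "private_port": 443, "to": "10.1.2.20"},
        {"proto": "tcp", "public_port": 80, "private_port": 80, "to": "10.1.2.20"},
    ],
    "nat_map": None,
    "registered_domain": "siterequest.com",
    "public_fqdn": "myfirepass.siterequest.com",
    "public_dns": {"myfirepass.siterequest.com": "203.0.113.10"},
    "private_fqdn": "myfirepass.siterequest.com",
    "private_dns": {"myfirepass.siterequest.com": "10.1.2.20"},
}

if __name__ == "__main__":
    for level, msg in check_worksheet(SAMPLE_WORKSHEET) or [("ok", "worksheet is consistent")]:
        print(f"[{level}] {msg}")
```

Run it against your own values by editing SAMPLE_WORKSHEET; an empty result means the recorded public IP, forwarding or NAT rule, and both DNS mappings agree with each other. The check is a worksheet consistency test only: it does not query DNS or probe the router, so confirm the live configuration separately once the controller is up.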
To enable internal users (those on the local network) to connect to the FirePass controller using the private name, make one of the following configuration changes:
The placement of the FirePass controller in a typical network configuration is shown in Figure 2.1.
Before starting the Quick Setup configuration procedure described in Chapter 3, Configuring the FirePass Controller, use the worksheet that was shipped with the FirePass controller to record the values that you will be entering during the initial Quick Setup process.
When you use the Quick Setup process, you are prompted to enter values for the configuration settings described in this section.
To configure basic SSL-based VPN Network Access settings, enter a connection name. If you will not be using a service other than Network Access (such as Portal Access or Application Access), or you would like to configure this service later, then simply leave all Network Access settings empty during the Quick Setup process.
To configure name resolution in your SSL-based Network Access settings, enter your DNS and WINS server IP addresses.
The DNS and WINS server IP addresses are passed to the end user as part of the Network Access connection, and should be the ones used within your network.