Manual Chapter: FirePass® Controller version 5.5 Getting Started Guide: Setting Up the FirePass Controller

Chapter 2: Setting Up the FirePass Controller

Before you begin

Before you begin the installation process, we recommend that you read the information supplied in this guide, and also that you use the worksheet provided with the FirePass controller to record the values that you need to enter when going through the Quick Setup process covered in Chapter 3, Configuring the FirePass Controller.

Installation prerequisites

Before setting up the FirePass controller to serve your remote access clients, you need the following:

  • A publicly routable (external) IP address for the FirePass controller
  • A router or firewall that passes Internet traffic to the FirePass controller
  • A publicly accessible Domain Name Service (DNS) server

Configuring IP addresses

To configure the FirePass controller, you need a publicly routable (external) IP address for the FirePass controller. The IP address can be either of these:

  • An unused address to be used in a network address translation (NAT) configuration.
    You then assign an unused private IP address to the FirePass controller during the Quick Setup process covered in Chapter 3, Configuring the FirePass Controller.
  • The address of your Internet router or firewall to be used in a port forwarding configuration.
Important

You cannot dynamically assign an IP address to the FirePass controller, using DHCP or other methods, in any configuration.

Configuring your Internet router or firewall

To configure access to the FirePass controller, you need to be able to configure your Internet router or firewall to send traffic to the FirePass controller using either NAT or port forwarding.

If you plan to use NAT, configure your Internet router or firewall to map the public IP address to the private IP address assigned to the FirePass controller. Refer to your router or firewall documentation for information on configuring NAT.

Important

You must configure packet filters or firewall rules to permit connections to the FirePass controller on TCP port 443. Optionally, you can also permit TCP port 80 for connections that occur when a user accesses the FirePass controller with a URL beginning with http:// rather than https://. The FirePass controller automatically redirects the client from port 80 to port 443.

If you plan to use port forwarding, configure the Internet router or firewall to forward TCP port 443 to port 443 of the private IP address assigned to the FirePass controller. Optionally, also forward TCP port 80, for connections that occur when a user accesses the FirePass controller with a URL that starts with http:// rather than https://. The FirePass controller then automatically redirects the client from port 80 to port 443. Refer to your router or firewall documentation for information on configuring port forwarding.

Configuring DNS support

To allow access from the Internet to the FirePass controller using a fully qualified domain name, such as myfirepass.siterequest.com, you must configure a publicly resolvable host name on your DNS server for the public IP address used by the FirePass controller. To do this, you must have a registered Internet domain name, such as siterequest.com, and you must be able to add a host name, such as myfirepass, to the public DNS server that is authoritative for the zone that contains your registered Internet domain name. You can administer the DNS server, or your ISP can administer the DNS server on your behalf.

Optionally, you might want to configure DNS name resolution for your private (internal) network. This would permit administrators on the internal network to connect to the FirePass controller using a fully qualified domain name. To do this, add the appropriate entry into the DNS server that is authoritative for the zone that contains your private domain namespace. For more information, refer to Understanding name resolution issues with private IP addresses.

Understanding name resolution issues with private IP addresses

If the FirePass controller is installed on a private (internal) network, where the router or firewall performs NAT or port forwarding, then the FirePass controller might have two different DNS mappings: one public name that resolves to the public (external) IP address, and a second, private name mapped to a private (internal) IP address. The private name might be the same as the public name, or it could be different.

To enable internal users (those on the local network) to connect to the FirePass controller using the private name, make one of the following configuration changes:

  • If you have both an internal and external DNS server, or a DNS server that maintains separate zones for public and private namespaces, add an A record to the zone that resolves to the FirePass controller's private IP address (such as 10.0.0.8). An A record is an address record, the basic DNS record type, and is used to associate a domain name with an IP address.
  • Alternatively, if your router or firewall supports DNS aliasing, set up the router or firewall to redirect internal FirePass controller traffic (traffic originating on the local network) to the FirePass controller's private IP address. Aliasing could occur if the router or firewall alters responses from your DNS server to DNS lookups from internal clients, or aliasing could occur if the router or firewall alters the destination address of packets from the public address of the FirePass controller to the private address. Refer to your router or firewall documentation for information on configuring DNS aliasing.
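The following script is an added example and is not part of the FirePass manual. It checks, from whichever network you run it on, the two requirements this chapter states: that the controller's FQDN resolves to the public address from outside and only to the private address from inside (split DNS, as above), and that the optional TCP port 80 listener does nothing but redirect clients to https on port 443 (the firewall and port forwarding notes earlier in the chapter). The host name myfirepass.siterequest.com and the private address 10.0.0.8 are the chapter's own sample values; the public address 203.0.113.10 is a constructed placeholder.

```python
"""Post-setup check for a NAT'd or port-forwarded SSL VPN appliance.
Added example (not the manual's or F5's code). Sample names and
addresses are constructed; replace them with your own values."""
import http.client
import socket
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


def classify_resolution(addresses, public_ip, private_ip):
    """Map the A records returned for the FQDN onto the chapter's model:
    'public'  - external view, only the router/firewall address
    'private' - internal view (split DNS), only the controller's address
    'unexpected' - a stale or foreign record, or both views answering at
    once, which usually means the private address leaked into public DNS."""
    addrs = set(addresses)
    if not addrs:
        return "unresolved"
    if addrs == {public_ip}:
        return "public"
    if addrs == {private_ip}:
        return "private"
    return "unexpected"


def is_https_redirect(status, location, fqdn):
    """True when a plain-HTTP response is a redirect to https://<fqdn>
    on port 443 (explicit or implied), i.e. port 80 only bounces clients
    to TLS instead of serving anything in the clear."""
    if status not in REDIRECT_CODES or not location:
        return False
    parts = urlsplit(location)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme == "https" and host == fqdn.lower() and port == 443


def check_live(fqdn, public_ip, private_ip, timeout=5):
    """Resolve the FQDN and probe port 80 on the real host (needs network)."""
    addrs = {ai[4][0] for ai in socket.getaddrinfo(fqdn, 443, socket.AF_INET)}
    view = classify_resolution(addrs, public_ip, private_ip)
    conn = http.client.HTTPConnection(fqdn, 80, timeout=timeout)
    conn.request("GET", "/", headers={"Host": fqdn})
    resp = conn.getresponse()
    redirect_ok = is_https_redirect(resp.status, resp.getheader("Location"), fqdn)
    conn.close()
    return view, redirect_ok


if __name__ == "__main__":
    # Constructed sample values; expect ('private', True) from inside the LAN.
    print(check_live("myfirepass.siterequest.com", "203.0.113.10", "10.0.0.8"))
```

Run it once from the Internet side (expect `public`) and once from the internal network (expect `private`); `unexpected` means the two DNS views overlap and should be cleaned up before users are pointed at the name.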

Typical network configuration

The placement of the FirePass controller in a typical network configuration is shown in Figure 2.1.

[Figure 2.1 The FirePass controller in your network]
Note

When you place the FirePass controller on your internal network, it goes behind the Internet firewall.

Using the Quick Setup worksheet

Before starting the Quick Setup configuration procedure described in Chapter 3, Configuring the FirePass Controller, use the worksheet that was shipped with the FirePass controller to record the values that you will be entering during the initial Quick Setup process.

When you use the Quick Setup process, you are prompted to enter values for the configuration settings described in this section.

  • Fully Qualified Domain Name
    Update your primary Domain Name Server (DNS) to include the name and IP address of the FirePass controller.
  • Network Configuration
    Specify the initial network configuration for the FirePass controller.
  • Network Access Service Configuration
    The connection name is the Network Access connection name that remote users see when they log in to the FirePass controller.
    To configure basic SSL-based VPN Network Access settings, enter a connection name. If you will not be using a service other than Network Access (such as Portal Access or Application Access), or you would like to configure this service later, then simply leave all Network Access settings empty during the Quick Setup process.
    To configure name resolution in your SSL-based Network Access settings, enter your DNS and WINS server IP addresses.
    The DNS and WINS server IP addresses are passed to the end user as part of the Network Access connection, and should be the ones used within your network.

  • Administrator
    Enter a new password during Quick Setup. By default, the administrator name and password are both set to admin.
  • Mail Server Configuration
    Enter the name of the mail server that you want the FirePass controller alerts to be sent from.
  • Date and Time Configuration
    Enter the name of the NTP (network time protocol) server that provides the time and date service. You can leave this as the default NTP server that is specified.
