Manual Chapter: FirePass® Controller version 6.0 Getting Started Guide: Setting Up the FirePass Controller


2

Setting Up the FirePass Controller


Before you begin

Before you begin the installation process, we recommend that you read the information supplied in this guide. We also recommend that you use the worksheet provided with the FirePass controller to record the values that you need for the Quick Setup process covered in Completing the Quick Setup process.

Installation prerequisites

In order to serve your remote access clients, before setting up the FirePass controller you need the following:

  • A publicly routable (external) IP address for the FirePass controller
  • A router or firewall that passes Internet traffic to the FirePass controller
  • A publicly accessible Domain Name Service (DNS) server

Configuring IP addresses

To configure the FirePass controller, you need a publicly routable (external) IP address for the FirePass controller. The IP address can be either of these:

  • An unused address to be used in a network address translation (NAT) configuration.
    You then assign an unused private IP address to the FirePass controller during the Quick Setup process covered in Chapter 3, Working with the FirePass Controller.
  • The address of your Internet router or firewall to be used in a port forwarding configuration.

Important

You cannot dynamically assign an IP address to the FirePass controller, using Dynamic Host Configuration Protocol (DHCP) or other methods, in any configuration.

Configuring your Internet router or firewall

To configure access to the FirePass controller, you need to be able to configure your Internet router or firewall to send traffic to the FirePass controller using either NAT or port forwarding.

If you plan to use NAT, configure your Internet router or firewall to map the public IP address to the private IP address assigned to the FirePass controller. For information on configuring NAT, see your router or firewall documentation.

Important

You must configure packet filters or firewall rules to permit connections to the FirePass controller on TCP port 443. Optionally, you can also permit TCP port 80 for connections that occur when a user accesses the FirePass controller with a URL beginning with http:// rather than https://.
The FirePass controller automatically redirects the client from port 80 to port 443.

If you plan to use port forwarding, configure the Internet router or firewall to forward TCP port 443 to port 443 of the private IP address assigned to the FirePass controller. Optionally, also forward TCP port 80, for connections that occur when a user accesses the FirePass controller with a URL that starts with http:// rather than https://. The FirePass controller then automatically redirects the client from port 80 to port 443. Refer to your router or firewall documentation for information on configuring port forwarding.
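Once TCP port 80 is permitted or forwarded, the redirect to port 443 described above can be confirmed from a client. The following Python is an added example, not F5 code; the function names are hypothetical, and it accepts any HTTP redirect status because this guide does not say which one the controller returns.

```python
"""Classify the answer a controller gives to a plain http:// request."""
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def classify_redirect(host, status, location):
    """Return (ok, reason) for the response to GET http://<host>/."""
    if status not in REDIRECT_CODES:
        return False, f"status {status} is not a redirect"
    if not location:
        return False, "redirect has no Location header"
    try:
        target = urlsplit(location)
        port = target.port          # raises ValueError on a malformed port
    except ValueError:
        return False, f"Location {location!r} cannot be parsed"
    if target.scheme != "https":
        return False, f"Location {location!r} is not an https:// URL"
    if (target.hostname or "").lower() != host.lower():
        return False, f"redirect leaves the host: {target.hostname}"
    if port is None:
        port = 443                  # default port for https
    if port != 443:
        return False, f"redirect goes to port {port}, not 443"
    return True, "redirects to https on port 443"


def probe(host, timeout=5.0):
    """Live check: send one plain-HTTP request and classify the answer."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()   # http.client does not follow redirects
        return classify_redirect(host, resp.status, resp.getheader("Location"))
    finally:
        conn.close()


# Constructed responses for illustration (not captured from a real controller).
SAMPLES = [
    (302, "https://myfirepass.siterequest.com/"),
    (200, None),
    (302, "http://myfirepass.siterequest.com/login"),
    (301, "https://myfirepass.siterequest.com:8443/"),
]

if __name__ == "__main__":
    for status, location in SAMPLES:
        ok, reason = classify_redirect("myfirepass.siterequest.com",
                                       status, location)
        print(f"{status} {location!s:45} {'OK  ' if ok else 'FAIL'} {reason}")
```

A result other than a redirect to https on the same host means the client stayed on an unencrypted connection, so port 80 should stay closed until that is resolved.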

Configuring DNS support

To allow access from the Internet to the FirePass controller using a fully qualified domain name (FQDN), such as myfirepass.siterequest.com, you must configure a publicly resolvable host name on your DNS server for the public IP address used by the FirePass controller. To do this, you must have a registered Internet domain name, such as siterequest.com, and you must be able to add a host name, such as myfirepass, to the public DNS server that is authoritative for the zone that contains your registered Internet domain name. You can administer the DNS server, or your ISP can administer the DNS server on your behalf.

Optionally, you might want to configure DNS name resolution for your private (internal) network. This would permit administrators on the internal network to connect to the FirePass controller using an FQDN. To do this, add the appropriate entry into the DNS server that is authoritative for the zone that contains your private domain namespace. For more information, refer to Understanding name resolution issues with private IP addresses, following.

Understanding name resolution issues with private IP addresses

If the FirePass controller is installed on a private (internal) network, where the router or firewall performs NAT or port forwarding, then the FirePass controller might have two different DNS mappings: one public name that resolves to the public (external) IP address, and a second, private name mapped to a private (internal) IP address. The private name might be the same as the public name, or it could be different.

Giving internal users access to the FirePass controller

To enable internal users (those on the local network) to connect to the FirePass controller using its private name, make one of the following configuration changes:

  • If you have both an internal and external DNS server, or a DNS server that maintains separate zones for public and private namespaces, add an A record to the zone that resolves to the FirePass controller's private IP address (such as 10.0.0.8). An A record is an address record, the basic DNS record type, and is used to associate a domain name with an IP address.
  • Alternatively, if your router or firewall supports configuration of aliases on your DNS server, set up the router or firewall to redirect internal FirePass controller traffic (traffic originating on the local network) to the FirePass controller's private IP address.

You configure DNS aliases in the following situations:

  • If the router or firewall alters responses from your DNS server to DNS lookups from internal clients.
  • If the router or firewall alters the destination address of packets from the public address of the FirePass controller to the private address.

For information on configuring aliases on DNS servers, see your router or firewall documentation.
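The two DNS views described in this section can be compared after the records are created. The following Python is an added example, not F5 code: the function names are hypothetical, 203.0.113.10 is a constructed stand-in for the public address, and `router_rewrites` models the case where the router or firewall redirects internal traffic so that the public address is also acceptable internally.

```python
"""Compare the public and private DNS views of the controller's name."""
import ipaddress
import socket

# ipaddress's is_private also covers documentation and other special-purpose
# ranges, so the three RFC 1918 blocks are listed explicitly.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def norm(addr):
    """Canonical text form of an IP address (raises ValueError if invalid)."""
    return str(ipaddress.ip_address(addr))


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def check_split_dns(external, internal, public_ip, private_ip,
                    router_rewrites=False):
    """Return a list of findings; an empty list means both views are sound.

    external / internal: addresses each view returns for the controller name.
    router_rewrites: True when the router or firewall sends internal traffic
    for the public address to the private one.
    """
    public_ip, private_ip = norm(public_ip), norm(private_ip)
    findings = []

    if not external:
        findings.append("external view: name does not resolve")
    for addr in sorted({norm(a) for a in external}):
        if is_rfc1918(addr):
            # Unreachable from the Internet and discloses internal addressing.
            findings.append(f"external view: private address {addr} is published")
        elif addr != public_ip:
            findings.append(f"external view: unexpected address {addr}")

    allowed = {private_ip}
    if router_rewrites:
        allowed.add(public_ip)
    if not internal:
        findings.append("internal view: name does not resolve")
    for addr in sorted({norm(a) for a in internal}):
        if addr not in allowed:
            findings.append(f"internal view: {addr} does not lead to {private_ip}")
    return findings


def resolve_here(name):
    """A records as seen by this host's resolver (one view only)."""
    infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Constructed answers; in practice collect them with resolve_here() on one
    # internal and one external host.
    print(check_split_dns(external=["203.0.113.10", "10.0.0.8"],
                          internal=["203.0.113.10"],
                          public_ip="203.0.113.10", private_ip="10.0.0.8"))
```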

Placing the FirePass controller in a typical network configuration

Figure 2.1 shows the placement of the FirePass controller in a typical network configuration.

Figure 2.1 The FirePass controller in your network

Note

When you place the FirePass controller on your internal network, it goes behind the Internet firewall.

Unpacking the FirePass controller

The first thing you need to do is to unpack the FirePass controller from its shipping container. The following items are shipped in the container:

  • The FirePass controller
  • Cables
  • This Getting Started Guide
  • The licensing agreement
  • A worksheet that you can use to record your network settings to expedite installation of the FirePass controller
  • The Declaration of Conformity

Warning

The FirePass 4100 controller is shipped with a serial cable labeled FAILOVER that is reserved for future use. Do not use this cable.

Note

The power cables included with the FirePass controller are for exclusive use with the FirePass controller. Do not use these power cables with other electrical appliances.

Collecting configuration settings

Before you configure the FirePass controller, gather information about the configuration settings used in your network. You can record the settings you need in the worksheet that was shipped with the FirePass controller, and which is available online at the F5 Networks Technical Support web site, http://tech.f5.com.

Once you gather the specified settings, you can start the Quick Setup process, which prompts you to enter the values for these configuration settings.

  • Fully Qualified Domain Name
    Update your primary Domain Name Server (DNS) to include the name and IP address of the FirePass controller.
  • Network Configuration
    Specify the initial network configuration for the FirePass controller.
  • Network Access Service Configuration
    Specify the Network Access connection name that remote users see when they log on to the FirePass controller.
    • To configure basic SSL-based VPN Network Access settings, enter a connection name. If you will only be using a service other than Network Access (such as Portal Access or Application Access), or you would like to configure this service later, then simply leave all Network Access settings empty during the Quick Setup process.
    • To configure name resolution in your SSL-based Network Access settings, enter your DNS and WINS server IP addresses. The FirePass controller passes the DNS and WINS server IP addresses to the end user as part of the Network Access connection, so they should match the ones used within your network.
  • Administrator
    Enter a new password during Quick Setup. By default, the administrator name and password are both set to admin.
  • Mail Server Configuration
    Enter the name of the mail server that you want the FirePass controller alerts to be sent from.
  • Date and Time Configuration
    Enter the name of the NTP (network time protocol) server that provides the time and date service. You can leave this as the default NTP server that is specified.

Performing initial setup

This section describes the tasks you follow to perform the initial setup of the FirePass controller in your network environment. The following list contains the tasks.

Setting the IP address for the computer to connect to the FirePass controller

The FirePass controller ships with a pre-configured static IP address. The factory default IP address of the controller depends on the model you have.

  • FirePass 1000
    192.168.1.99
  • FirePass 1200
    192.168.1.99
  • FirePass 4100
    192.168.0.99
    (Management port)

Before you connect the computer to the controller, you must set the IP address of the computer. To access the FirePass controller, the connected computer must be in the same subnet as the FirePass controller, and it cannot be configured with the factory default IP address that is set for the FirePass controller. The IP address you specify for the computer depends on the controller model you have.

  • FirePass 1000
    Use an IP address other than 192.168.1.99 in the 192.168.1.0/255.255.255.0 subnet.
  • FirePass 1200
    Use an IP address other than 192.168.1.99 in the 192.168.1.0/255.255.255.0 subnet.
  • FirePass 4100
    Use an IP address other than 192.168.0.99 in the 192.168.0.0/255.255.255.0 subnet.

Choosing a cable and connection option

Before you can configure the FirePass controller, you must first connect the controller to the network.

You connect a computer containing an installed web browser to the FirePass controller using either of these methods:

  • A crossover Ethernet cable, which connects directly from the computer to the FirePass controller
  • A standard Ethernet cable (also called a patch cable or a straight-through cable), which connects to an isolated hub or switch, which connects to the FirePass controller.

In either connection option, you use the ports listed in Determining the connection port, following.

Figure 2.2 illustrates a connection configuration that uses a crossover Ethernet cable. In this case, you connect the computer directly to the FirePass controller.

Figure 2.2 Connection using a crossover Ethernet cable

Figure 2.3 illustrates a connection configuration that uses a standard Ethernet cable. In this case, you connect the computer to a switch or hub, and then you connect the switch or hub to the FirePass controller.

Figure 2.3 Connection using a standard Ethernet cable

Determining the connection port

You connect the crossover or standard Ethernet cable to the appropriate FirePass controller port. For information on which cable to use, see Choosing a cable and connection option, preceding.

The port you connect to varies, depending on the model you have.

  • FirePass 1000
    Use the WAN port.
    The WAN port is used for primary user and administrative services. The LAN and DMZ ports are available for other services, such as failover synchronization, DMZ use, or protecting your wireless LAN.
  • FirePass 1200
    Use the Port 1 port.
    The Port 1 port is used for primary user and administrative services. The Port 2 port is available for other services, such as failover synchronization, DMZ use, or protecting your wireless LAN.
  • FirePass 4100
    Use the Management port.
    The Management port is used for a direct connection to a management workstation. The Eth1.1 port is used for primary user and administrative services. The Eth1.2-1.4 ports are available for other services, such as dedicated clustering or failover synchronization, DMZ use, or for connecting to other LANs.

Important

The ports on the FirePass controller are not switched ports. When connecting more than one FirePass controller port, each port must be on separate Layer 2 and Layer 3 networks.

Turning on the FirePass controller

The power up sequence varies depending on the model of FirePass controller that you have.

To power up the FirePass controller

  1. After connecting the FirePass controller to the network (see Choosing a cable and connection option), locate the power switch. The power switch location varies by model:
    • FirePass 1000
      The power switch is located on the back of the controller.
    • FirePass 1200
      The power switch is located on the back of the controller.
    • FirePass 4100
      The power switch is the center control button on the LCD panel on the front of the controller (the cover opens outward).
  2. Use the power switch to turn the controller on.
    Loading the system can take several minutes; up to five minutes for the FirePass 4100.
    1. After you turn on the power switch for the FirePass 4100, wait until the display on the LCD panel reads F5 Power standby mode. Press Enter to command power on.
    2. Press and hold the Enter control button (the green check mark in the center of the LCD panel) until the lights on the LCD panel come on.
      Figure 2.4, following, shows the control buttons on the LCD panel for the FirePass 4100.
  3. Verify that the controller is ready. For more information, see Verifying that the controller is ready, following.

Figure 2.4 FirePass 4100 LCD panel control buttons

Verifying that the controller is ready

The ready signal depends on the model of controller that you have.

  • The FirePass 1000 emits three successive tones, which increase in pitch, to indicate that the system has been loaded, and displays FirePass 1000 on its LCD panel.
  • The FirePass 1200 emits three successive tones, which increase in pitch, to indicate that the system has been loaded, and blinks the blue LED for two-second intervals. For more information about LED states, see Understanding the LEDs on the FirePass 1200, following.
  • The FirePass 4100 displays a cycle of three information panels. These are, in order:
    • The currently configured IP address of the Management interface and the fully qualified domain name
    • The date and time
    • The software version

When you hear the final tone or see the final panel, you can continue the setup tasks described in Completing the Quick Setup process.

Tip

If you are running the FirePass 1200 in a noisy environment, you might not hear the tones. Always check the FirePass 1200 LEDs to determine status.

Understanding the LEDs on the FirePass 1200

The FirePass 1200 front panel contains three LEDs, which monitor your system. The left LED (green light) displays the power status and tells you when the system is operational. The middle LED (red light) monitors storage access. The right LED (blue light) displays status. Table 2.1, following, describes the status LED (blue light).

Table 2.1 States and LED appearance

| Controller state | LED status | Notes |
|---|---|---|
| Powered off | Off | |
| Powering on, during BIOS POST | Off | |
| Booting the kernel and loading the software | Blue LED blinks quickly | While the FirePass controller boots its kernel and loads its software, you cannot connect to it. |
| Operating in normal state | Blue LED blinks for two-second intervals | |
| Shutting down or restarting | Blue LED blinks quickly | While the FirePass controller is shutting down or restarting, you cannot connect to it. |
| Shutdown completed | Off | When the shutdown sequence completes, you can safely turn off the power to the unit. |

Completing the Quick Setup process

This section describes the configuration tasks you perform as you go through the initial configuration of the FirePass controller using the Quick Setup process.

Note

Before you begin the Quick Setup process described in this section, record the settings you need on the worksheet that was shipped with the FirePass controller, and which is available online at the F5 Networks Technical Support web site, http://tech.f5.com. This expedites the configuration process. For more information, see Collecting configuration settings.

Logging on to the FirePass controller Administrative Console

To complete the configuration tasks, you must first log on to the Administrative Console of the FirePass controller. At this stage, there are no user logon accounts, so you must access the FirePass controller using the administrator account.

In addition, because you have not yet installed any server certificates, the logon process presents a certificate warning. The FirePass controller ships with a default certificate. The default certificate is intended to aid you during the Quick Setup process, and is not intended for permanent use (that is, for use in a production configuration). You can change the FirePass controller certificate after you have initially configured the controller. For more information, refer to the FirePass Controller Administrator Guide and the online help.

To log on to the Administrative Console

  1. On the connected computer, start a web browser.
    The web browser home page opens.
  2. In the web browser address bar, type the administrative URL and press Enter.
    The administrative URL differs, depending on the model you have.
    • FirePass 1000
      https://192.168.1.99/admin/
    • FirePass 1200
      https://192.168.1.99/admin/
    • FirePass 4100 (Management port)
      https://192.168.0.99/admin/
    Note: Be sure to include the ending slash (/) character when you specify the administrative URL.
  3. When the certificate warning message displays, accept it.
    The FirePass controller logon screen opens.
  4. In Username, type the default administrator name admin, and in Password, type the default administrator password admin.
  5. Click Go.
    The startup screen for unlicensed FirePass controllers opens, and you can start the Quick Setup process.

Starting the Quick Setup process

Once you are logged on to the Administrative Console of the FirePass controller, you can start the Quick Setup process.

To access the Quick Setup screens

  1. From the Welcome screen of the FirePass controller console, click the Run FirePass Quick Setup link.
  2. Enter the information that you recorded on your worksheet for each screen by following the guidelines in Collecting configuration settings.
  3. When you finish the Quick Setup process, the Quick Setup Completed screen opens, and you have a choice of either restarting the controller or shutting down the controller.
    We recommend that you shut down the controller and move it to its final destination in your network before proceeding. For information about shutting down and restarting the FirePass controller, see Shutting down the controller.

Warning

Do not use the power switch to shut down the FirePass controller without following the proper shutdown procedures provided in Shutting down the controller. If you incorrectly power down the controller, it could result in an unstable state, requiring that you return the controller to its factory default settings.

Important

When you set up the FirePass 4100, configure the Eth1.1 interface to connect the FirePass controller to the main network. Do not use the Management interface, because the Management interface is intended solely for administrative operations performed from a directly connected management workstation. We also recommend that you retain the default settings for the FirePass 4100 Management interface.

The FirePass controller immediately applies most settings you make during the Quick Setup process, including changes to the administrator logon name and password. However, the network configuration does not change until you finish the Quick Setup process and restart the FirePass controller.

Before restarting the FirePass controller and completing its configuration, move the controller to its final destination in your network. For more information, see Placing the FirePass controller in a typical network configuration.

You may also need to review the information in the following sections:

If you do not need to move the FirePass controller to another location, or you did not shut down the FirePass controller after Quick Setup, restart the FirePass controller and make sure it is ready before continuing. For more information, see Verifying that the controller is ready and Restarting the controller.

Preparing the FirePass controller for a production environment

After you complete Quick Setup, and have restarted the FirePass controller, you need to complete several tasks to make the FirePass controller ready for your production environment.

Note

For troubleshooting information, refer to the FirePass Controller Administrator Guide, which is available online at http://tech.f5.com.

Resetting the computer's IP address

Before continuing, you should reset the computer's IP address to its original setting. To return the computer's IP address to its original setting, you can use utilities provided with your computer's operating system.

Changing the computer's hosts file

If you do not have an internal DNS server or a firewall that supports the creation of aliases on the DNS server, you must either use the IP address of the FirePass controller to make a connection, or change the local hosts file on each internal computer that will connect to the FirePass controller.

To create a host entry for the FirePass controller, on a Windows-based computer, use a text editor to modify the computer's hosts file.
The host entry should be in the following format:

192.168.1.9 firepass.siterequest.com

On Windows NT®, Windows® 2000, or Windows XP operating systems, the hosts file is in the following location, where %SystemRoot% is the operating system's root directory:

%SystemRoot%\System32\drivers\etc\hosts

(For example, C:\WINNT or C:\WINDOWS.)

On Windows 9x and Windows Me systems, the hosts file is in the following location, where %WinDir% represents the root directory.

%WinDir%\hosts
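Because the hosts file is edited by hand on each internal computer, a stale or duplicated line can send users to the wrong address. The following Python is an added example, not F5 code, with hypothetical function names; it parses hosts-file text and reports entries for the controller name that do not match the expected address, using the entry format shown above.

```python
"""Audit a hosts file for the FirePass controller entry."""
import ipaddress


def parse_hosts(text):
    """Return [(line_number, ip, [names])] for every usable hosts-file line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                          # blank, or an address with no name
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                          # first field is not an IP address
        # Host names are case-insensitive; ignore a trailing root dot.
        names = [n.lower().rstrip(".") for n in fields[1:]]
        entries.append((lineno, ip, names))
    return entries


def audit_entry(text, fqdn, expected_ip):
    """Return findings for fqdn; an empty list means exactly what is expected."""
    fqdn = fqdn.lower().rstrip(".")
    expected_ip = str(ipaddress.ip_address(expected_ip))
    hits = [(ln, ip) for ln, ip, names in parse_hosts(text) if fqdn in names]
    if not hits:
        return [f"no entry for {fqdn}"]
    findings = [f"line {ln}: {fqdn} -> {ip}, expected {expected_ip}"
                for ln, ip in hits if ip != expected_ip]
    if len({ip for _, ip in hits}) > 1:
        findings.append(f"{fqdn} is mapped to more than one address")
    return findings


# Constructed sample content; on Windows NT, 2000 or XP read the real file
# from %SystemRoot%\System32\drivers\etc\hosts instead.
GOOD = """\
# Constructed sample hosts file
127.0.0.1       localhost
192.168.1.9     firepass.siterequest.com   # FirePass controller
"""
STALE = GOOD + "10.0.0.8        FirePass.SiteRequest.com firepass\n"

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("stale", STALE)):
        print(label, audit_entry(text, "firepass.siterequest.com", "192.168.1.9"))
```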

Activating the FirePass controller license

Before you can take the FirePass controller into production, you must activate your license. The license activation feature provides an automated method for activating your license. To use the automated process, the FirePass controller must be able to contact the F5 licensing server on the Internet.

If you cannot access the F5 licensing server from the FirePass controller, refer to the FirePass Controller Administrator Guide and the online help for information on activating your license manually.

To activate the license, you must be logged on to the Administrative Console of the FirePass controller.

To log on to the Administrative Console

  1. On the connected computer, start a web browser.
    The web browser home page opens.
  2. In the web browser address bar, type either the fully qualified domain name or the IP address that you specified during the Quick Setup (assigned to the WAN port for FirePass 1000, Port 1 for the FirePass 1200, or the Eth 1.1 port for FirePass 4100).
    For example, using a browser, navigate to https://firepass.siterequest.com/admin/.
    The logon screen opens.
    Note: Be sure to include the ending slash (/) character when you specify the administrative URL.
  3. In Username, type the logon name you supplied during the Quick Setup process.
  4. In Password, type the password you supplied during the Quick Setup process.
  5. Click Go.
    The startup screen for unlicensed FirePass controllers opens.

To activate your license

  1. On the Welcome screen, click the Activate License link.
    The Activate License screen opens.
  2. Select a licensing method.
    • We recommend that you use the Automatic licensing method.
      To use the Automatic licensing method, the FirePass controller must be able to contact the F5 licensing server on the Internet.
    • If your configuration or network policies prevent contacting the F5 licensing server directly, select the Manual licensing method.
  3. Click Request License, and follow the instructions presented on all subsequent screens.
    For more information, see the FirePass Controller Administrator Guide and the online help for the Activate License screen.

Note

Depending on your hardware configuration, you might be prompted to restart the FirePass controller after activating the license.

This completes the initial configuration tasks. You can now perform additional configuration tasks such as configuring groups, setting up security, adding access favorites, and enrolling users. For more information, see Chapter 3, Working with the FirePass Controller.



