Before you begin the installation process, we recommend you read the information supplied in this booklet and fill in the worksheet provided.

[Figure: FirePass 600 controller in your network. Labels: Public DNS, with a DNS entry for the FirePass controller domain name (for example firepass.mycompany.com) pointing to the FirePass external IP address; Local DNS Server, with a local DNS entry for the FirePass controller domain name (for example firepass.mycompany.com) pointing to the FirePass internal IP address; Local WINS Server; FirePass Controller; Remote Network Access Client; Internet; Router/Firewall; Internal Network; Network PC; Network File Share or Application Server.]

FirePass® 600 Controller Remote Access Quick Setup Worksheet

Use this worksheet to record the values to enter during the initial Quick Setup configuration of your FirePass 600 remote access controller.

Fully-Qualified Domain Name (FQDN)
Update your primary Domain Name Server (DNS) to include the name and IP address of the FirePass controller.
  FirePass Controller’s FQDN: (For example: remoteaccess.mycompany.com)

Network Configuration
Specify the initial network configuration for the FirePass controller. Use this configuration for Port 1 on the FirePass 600 controller.
Note: In most situations, Port 2 will not be used.
  IP Address:
  Subnet Mask: (For example: 255.255.255.0 or 24)
  Default Gateway:
  DNS Server:
  Domain Suffix: (For example: mycompany.com)

Network Access Service Configuration
To configure basic SSL-based VPN Network Access settings, enter a connection name. Optional: To configure name resolution in your SSL-based VPN Network Access settings, enter your DNS and WINS server IP addresses.
  Connection Name:
  The Connection Name is the Network Access connection name remote users see when they log into the FirePass controller.
  DNS Server:
  WINS Server:
  The DNS and WINS server IP addresses are passed to the end user as part of the Network Access connection, and should be those used inside your network.

Administrator
  Admin Login Name:
  Note: Type the password during setup. The default administrator name and password are both set to admin.

Mail Server Configuration
Enter the name or IP address of your mail (SMTP) server. The FirePass controller will use the mail server to send optional e-mail notification when system events occur or when accounts are created.
  E-Mail Server:
  Admin E-Mail Address:
  E-mail Display Text:

Date and Time Configuration
  NTP Server: (For example: ntp.nasa.gov)
  Note: Select the time zone during Quick Setup.

Copyright © 2004 by F5 Networks, Inc. FirePass is a registered trademark of F5 Networks. All rights reserved. PUB-0096-00 1104

Before you begin the installation process: Recommended reading

Requirements for Setup:

• A static, Internet-accessible public IP address
To configure the FirePass 600 controller, you need a static IP address that is accessible from the Internet. This public (external) IP address may be either:
– A new public IP address for network address translation (NAT) configurations
– An address currently assigned to your Internet router/firewall, used with port address translation (PAT) configuration
Note: The FirePass controller does not support dynamically assigned IP addresses for any configurations.

• The ability to configure your Internet router/firewall
You need to be able to configure your Internet router to send traffic to the FirePass controller using either network address translation (NAT), or port address translation (PAT).
– For NAT, set up rules to map the public IP address to a private (internal) IP address assigned to the primary interface of the FirePass controller.
Note: If you are also configuring a firewall, TCP ports 443 (HTTPS) and 80 (HTTP) must be allowed.
– For PAT, also known as port forwarding, configure the Internet router to forward TCP ports 443 and 80 to the internal IP address assigned to the FirePass controller.
Note: The FirePass controller needs port 80 to redirect traffic to port 443.

• The ability to register an Internet host name
You must be able to register a host name for accessing the FirePass controller (for example, firepass.mycompany.com). You must also be able to configure Internet name resolution for your organization’s registered domain name.
– For NAT, the fully qualified domain name you register should resolve to the public IP address of the FirePass controller. (This is the IP address with a NAT rule sending traffic to the internal, private IP address on the FirePass controller.)
– For PAT, the fully qualified domain name you register should resolve to the public IP address of the router/firewall.

FirePass Controller 600 Recommended Reading

Recommendations for Setup:

• An internal Domain Name Services (DNS) server
Configure an internal DNS server so that queries from the LAN for the FirePass controller name resolve to the private IP address of the controller.
• External queries for the FirePass controller’s name must resolve to the external, Internet-accessible IP address configured for the FirePass controller (see The ability to register an Internet host name).

• An internal WINS server
Configure an internal WINS server for accessing network share browsing with Network Access.
Note: If you do not have an internal WINS server, you will have to use IP addresses to access some internal resources, or configure static host entries in the FirePass controller Administrative Console (on the Network Access : Resources screen, on the Hosts tab).

About Network Address Translation and Port Address Translation

Network address translation (NAT) rules or port address translation (PAT) rules that are on your router/firewall provide access from the Internet to the FirePass controller. When you configure the router/firewall for NAT or PAT, the router forwards incoming packets to the controller.
• Note: If you are configuring a firewall, you must allow TCP ports 443 and 80.

Network Address Translation (NAT), Port Address Translation (PAT), and the FirePass 600 controller

If you have an external (public) IP address for the FirePass controller, configure NAT rules on the router/firewall to forward traffic from the FirePass controller’s public IP address to the controller’s private IP address.

If you do not have an external IP address available for the FirePass controller, or if your router/firewall does not allow NAT, use PAT. Configure PAT rules to forward TCP ports 443 and 80 to the private IP address assigned to the FirePass controller.

[Figure: FirePass 600 controller in your network. Option #1: second external address for the FirePass controller, with a NAT rule from the second external IP address to the FirePass controller internal IP address. Option #2: router external IP address, with a PAT rule (for ports 443 and 80) from the router external IP address to the FirePass controller internal IP address. Other labels: Internet, Router/Firewall, Switch or Hub, Internal Network, FirePass Controller.]

Understanding Name Resolution Issues with Private IP Addresses

If the FirePass controller is installed on a LAN, the firewall or gateway performs NAT or PAT. The FirePass controller has two different DNS identities: one mapped to the public (external) IP address, and a second, mapped to a private (internal) IP address.

For external users connecting to the FirePass controller from outside the router/firewall, the controller’s name resolves to the public IP address of the router/firewall. The router/firewall then uses NAT, or PAT, to forward the user's traffic to the FirePass controller.

So that internal users (those on the local network) can connect to the FirePass controller using the controller’s name, make one of the following configuration changes:

• If you have an internal DNS server, add an A record to the zone that resolves to the FirePass controller's private IP address (such as 10.0.0.8). An A record is an address record, the basic DNS record type, and is used to associate a domain name with an IP address.
• If you have a local WINS server, add a static entry for the FirePass controller name.
• If your router/firewall supports DNS aliasing, set up the router/firewall to redirect internal FirePass controller traffic (traffic originating on the local network) to the FirePass controller's private IP address.
• If you do not have an internal DNS server, a WINS server, or a firewall that supports DNS aliasing, you must either use the IP address of the FirePass controller to make a connection, or change the local hosts file on each internal computer that will connect to the FirePass controller.

To create a hosts entry on a Windows® computer, use Notepad to edit the computer’s hosts file. For example:

  192.168.1.9 firepass.mycompany.com

Note: The location of the hosts file varies, depending on the version of Windows.

On Windows NT/2000/XP: %SystemRoot%\System32\drivers\etc\hosts
  For example: C:\Windows\System32\drivers\etc\hosts
On Windows 9x and Windows Me: %WinDir%\hosts
  For example: C:\Windows\hosts
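
The addressing and name-resolution rules in this booklet, applied as a pre-install check on the worksheet values. This is an added example, not F5 code: the function names, the use of the RFC 1918 ranges to decide what counts as "internal", and every sample address other than 192.168.1.9 are assumptions.

```python
import ipaddress

# RFC 1918 ranges, treated here as "internal" addresses (an assumption).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def parse_hosts(text):
    """Map each name in hosts-file text to the first address listed for it."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table

def check_worksheet(ws, public_answer, internal_answer, hosts_text=""):
    """Return a list of problems; an empty list means the values are consistent.

    public_answer / internal_answer are the addresses the public and the
    internal resolver return for ws["fqdn"], passed in so the check runs offline.
    """
    problems = []
    ip = ipaddress.ip_address(ws["ip"])
    # The worksheet allows the mask as 255.255.255.0 or as 24.
    net = ipaddress.ip_network(f"{ws['ip']}/{ws['mask']}", strict=False)
    if ipaddress.ip_address(ws["gateway"]) not in net:
        problems.append("gateway outside controller subnet")
    if not is_internal(ws["ip"]):
        problems.append("controller address is not private")
    for key in ("dns", "wins"):
        if ws.get(key) and not is_internal(ws[key]):
            problems.append(f"{key} server is not an internal address")
    if is_internal(public_answer):
        problems.append("public DNS returns a private address")
    if ipaddress.ip_address(internal_answer) != ip:
        problems.append("internal DNS does not return the controller address")
    entry = parse_hosts(hosts_text).get(ws["fqdn"].lower())
    if entry is not None and ipaddress.ip_address(entry) != ip:
        problems.append("hosts entry points elsewhere")
    if ws.get("admin_login") == "admin":
        problems.append("admin login name is still the default")
    return problems

# Constructed sample values; only 192.168.1.9 and the host name come from the page.
SAMPLE = {"fqdn": "firepass.mycompany.com", "ip": "192.168.1.9", "mask": "24",
          "gateway": "192.168.1.1", "dns": "192.168.1.2", "wins": "192.168.1.3",
          "admin_login": "fpadmin"}

if __name__ == "__main__":
    print(check_worksheet(SAMPLE, "203.0.113.10", "192.168.1.9",
                          "192.168.1.9 firepass.mycompany.com"))
```

Feed it the answers from a resolver outside the firewall and one on the LAN; a private address in the public answer, or a public one in the internal answer, means the two DNS identities described above are crossed.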