VPN Concentrator 4500/5300 Installation and Configuration Guide
June 2009
800-1190-03, Revision 3
Document and Software Copyrights
Copyright © 2009 by ShoreTel, Inc., Sunnyvale, California, U.S.A. All rights reserved. Printed in the United States of America. Contents of this publication may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without prior written authorization of ShoreTel, Inc.
Contents
1.1 Specifications ... 1
1.1.1 VPN Concentrator 4500 ... 1
1.1.2 VPN Concentrator 5300 ... 1
1.2 Hardware Installation ... 1
1.2.1 VPN Concentrator 4500 ...
3.3.2.2 Manual configuration ... 32
3.3.2.3 Summary of recommended configuration and deployment procedure ... 33
4.1 Tools and Troubleshooting ... 35
4.1.1 Network Information ... 36
4.1.2 Network Connectivity ...
Chapter 1: Specifications
1.1 Specifications
1.1.1 VPN Concentrator 4500
WAN Ports: 1 x 10/100 Ethernet
LAN Ports: 4 x 10/100 Ethernet
Serial Ports: 1 x RS-232
Dimensions: Height 1.688" (42.863 mm), Width 10.438" (265.113 mm), Depth 6.625" (168.275 mm)
Weight: 2 lb (0.
1.2.1.2 Front Panel LEDs
Figure 1-1 Front view of the 4500
Item / Description
PWR
• Off – Power switch is off (or no power from the AC outlet)
• Solid Green – Power is supplied to the unit
Status
• Off – The unit could not boot up because of a self test failure
• Solid Green – Self test passed.
1.2.1.3 Back Panel
Figure 1-2 Back view of the 4500
Call out / Description
A Power Connector – Accepts the plug from the supplied power adapter, which can be connected to an AC outlet on the wall using the supplied power cord.
B 4-Port 10/100 Mbps LAN Switch – Any one of the four ports can be used to connect to the Local Area Network (LAN).
C USB Ports – Not used.
Call out / Description
F Erase –
• If pressed twice in quick succession, the CLI password will be changed to its original password.
• If pressed three times in quick succession, the 5300 will revert to factory default settings. All passwords will be reset and all prior configurations will be erased.
Note: The default LAN address will be set to 192.168.1.1
Caution: Setting the system configuration to factory default will erase all configuration changes.
— 2 hollow wall anchors
• If the unit will be mounted in a shelf — 1 flat or Phillips screwdriver
• Ethernet cables to connect the LAN ports to LAN switches or other Ethernet devices and the WAN port to a firewall or an upstream router.
Desktop Installation
1. Remove the 4500 and the accessories from the shipping container.
2. Place the 4500 on a flat, dry surface such as a desktop, shelf or tray.
4. Do not mount the 4500 on the wall as shown below.
Rack-Mount Installation
You can mount the 4500 in a 19" rack by using the rack-mount kit supplied with the product.
1. Attach the ear mounts to both sides of the 4500 with the screws.
2. Attach the 4500 with the ear mounts to the shelf by screwing the ear mounts to the shelf with screws.
Connecting the Power and Cables
1. Connect one end of an Ethernet cable to local LAN port 4 of the 4500.
To connect to the 4500, follow these steps:
1. Assign static IP address 192.168.1.2 with subnet mask 255.255.255.0 to the Ethernet interface of the computer that is connected to the LAN port of the 4500.
2. Launch a web browser on the PC and enter the following URL: http://192.168.1.1. Press Return and the following login window should appear:
3. Enter the username as “root” and the password as “default” to log into the system.
1.2.2.2 Front Panel Overview
Figure 1-3 Front view of the 5300
Call out / Description
A Erase –
• If pressed twice in quick succession, the CLI password will be changed to its original password.
• If pressed three times in quick succession, the 5300 will revert to factory default settings. All passwords will be reset and all prior configurations will be erased.
Note: The default LAN address will be set to 192.168.1.
Call out / Description
G Reset – Hard reset of the system.
H Console – DB9 serial (RS232) port (male connector) for CLI-based configuration. The serial port uses a baud rate of 9600, 8 data bits, 1 stop bit and no parity.
1.2.2.4 Physical Installation
Rack-Mount Installation
Figure 1-5 Ear mounts on the 5300
The 5300 is designed for 19" rack mount installation. Simply secure the ear mounts (as shown in Figure 1-5) on both sides of the chassis to the rack post with screws. Please observe the following guidelines when installing the system:
• Never assume that the AC cord is disconnected from a power source. Always check first.
1.2.2.5 Initial Configuration
You can configure the 5300 using a web browser such as Internet Explorer or Netscape Navigator. The VPN Concentrator 5300 is shipped with the pre-configured IP address 192.168.1.1 for the LAN ports. To connect to the 5300, follow these steps:
1. Assign static IP address 192.168.1.2 with subnet mask 255.255.255.0 to the Ethernet interface of the computer that is connected to the LAN port of the 5300.
2.
1.2.3 Deployment Scenarios
Figure 1-6 Connected to WAN through firewall and gateway router
To secure, restrict or inhibit pass-through traffic to the VPN Concentrator, it must be deployed behind an enterprise firewall. Connect the WAN port of the VPN Concentrator to the DMZ network (or port) of the firewall as shown in Figure 1-6. The WAN port should be assigned a private IP address (RFC 1918), or an IP address that can be used within a DMZ subnet.
Chapter 2: Introduction
2.1 Introduction
The SSL-based VPN Concentrator enables many remote VoIP phones to establish secure voice communications with a ShoreTel telephone system through SSL VPN tunnels. For every SSL VPN tunnel, a virtual PPP interface is created on the VPN Concentrator. A PPP peer interface is created at the remote VoIP phone.
2.2 Redundant VPN Concentrators
You can deploy multiple VPN Concentrators for redundancy and/or load balancing.
Note: Apply each license separately to enable VPN tunnels. Licenses cannot be reused. Please refer to section 3.3.2.1 for details on making the remote IP phones aware of multiple VPN Concentrators.
2.
Other Features
• History Log – A history log of all connection requests is maintained, which includes information such as the success or failure of session establishment.
Chapter 3: Firmware Upgrade
3.1 Firmware Upgrade
The firmware on the VPN Concentrator can be upgraded through an FTP server. The FTP server can sit on either the WAN or the LAN network. Follow the steps below to upgrade the VPN Concentrator:
1. Make sure that the “pub/e_4500” and “pub/e_5300lf” directories exist under the root directory of the FTP server.
2. Make sure that the “pub/e_4500” and “pub/e_5300lf” directories exist under the root directory of the FTP server.
3.
3.2 Licensing
The VPN Concentrator may or may not have preconfigured licenses for SSL VPNs. To view the preconfigured licenses, choose the “System” submenu from the “Configuration Menu” on the left of the web page. Under the “Registration Status:” section, choose the “View license key” link. The following page should then be displayed. VPN Concentrator 4500 supports a maximum of 10 SSL VPN sessions and VPN Concentrator 5300 supports a maximum of 100 SSL VPN sessions.
To enter a newly obtained license key, choose the “Edit License Key” link at the bottom of the License page, and the following page should appear: Enter the new license key in the “License Key” field and click the “Submit” button. Make sure that the “Stunnel Sessions” field displays the correct number of licenses afterwards. Note down this value, as it will be needed in further configuration of the device.
3.3 Configuration
1.
3.3.1 GUI Interface
3.3.1.1 Services Configuration
Many services can be configured on the “Configuration Menu→System→Services Configuration” page. The relevant services are specified below.
Parameter / Description
Enable Remote System Logging – By checking this option, syslog data can be sent to a remote system running a system log server. This option helps ShoreTel debug and solve problems on the locally deployed VPN Concentrator.
3.3.1.2 Set Link
In addition to allowing a user to set the link rate for Ethernet interfaces on the system, Set Link also displays the link settings for all the Ethernet interfaces on the system. Please use caution when adjusting the Ethernet link rate, as an incompatible rate setting may render the device unreachable.
Parameter / Description
WAN Ethernet – Same as for LAN Ethernet
Set WAN MTU Size – This value can be adjusted to reduce the latency introduced by large data packets on a slower link. If the WAN upstream bandwidth is less than 256 Kbps, the MTU size is automatically reduced to 800 bytes. The default value for this parameter is 1500 bytes for static IP addresses. PPPoE links negotiate the value automatically, which can be overridden using this parameter.
3.3.1.4 Route
Parameter / Description
IP Network – Network address of the subnet
Netmask – Subnet mask for the subnet
Gateway – IP address of the gateway router connecting to the subnet
Delete Route – If an entry is found in the route table matching the information given in “IP Network”, “Netmask”, and “Gateway”, then it will be deleted.
3.3.1.5 VLAN
VLANs can be configured to create virtual interfaces on the VPN Concentrator so that it can be a part of multiple broadcast domains.
VPN Concentrator 4500
LAN port 4 can only do port-based VLAN. LAN ports 1 through 3 can do both tag-based and port-based VLAN.
Parameter / Description
ID – VLAN ID to be used for the new VLAN
IP Address – IP address of the VPN Concentrator in the broadcast domain associated with the VLAN ID being created.
Network Mask – Network mask of the broadcast domain for the new VLAN.
LAN Port Membership – Associates the newly created VLAN with a port.
VPN Concentrator 5300
Parameter / Description
VLAN ID – VLAN ID to be used for the new VLAN
IP Address – IP address of the VPN Concentrator in the broadcast domain associated with the VLAN ID being created.
Network Mask – Network mask of the broadcast domain for the new VLAN.
3.3.1.6 SSL VPN Main Page
Choose the “Stunnel” submenu from the “Configuration Menu.
Global Configuration
Parameter / Description
Stunnel Enable – Enable or disable the SSL VPN service on the VPN Concentrator. A valid Server IP Address is required for Stunnel to be enabled.
Stunnel Server IP Address – IP address of the Stunnel server listening for clients’ requests. Note: This field is empty by default.
Stunnel Server Port Number – TCP port number on which the SSL VPN server listens. This port number can have any value from 1025 to 65535, but the default value is 443.
Parameter / Description
MAC Blacklist Validation – If this feature is enabled, and a MAC address received in the SSL VPN client request matches any of the MAC addresses on the MAC blacklist, then the request is rejected. Please see section MAC Address Blacklist to configure the MAC blacklist database.
Max Clients – This field specifies the maximum number of simultaneous SSL VPN sessions supported by the VPN Concentrator. By default, the value of Max Clients is set to '100'.
Proxy ARP Configuration
Parameter / Description
Enable Stunnel Proxy ARP – Proxy ARP is used to create a bridge between phones on the LAN side and the phones connected through SSL VPN. The VPN Concentrator uses its own MAC address to receive the IP packets on behalf of all the remote phones and then routes the IP packets to the remote phones.
Stunnel IP Pool – The IP address pool specifies the number of IP addresses available to be assigned to SSL VPN clients.
Username and Password Database
The incoming Stunnel client request is authenticated against the username-password database. The Usernames List page allows system administrators to create a database of usernames and passwords to be used for client request authentication. The Stunnel username-password database has the following characteristics:
• The maximum number of username-password pairs that can be registered at a time is 1000.
MAC Address Whitelist
If MAC Whitelist validation is enabled for STUNNEL, the MAC address sent by the client is validated against the configured MAC Address Whitelist. If the MAC address is not present in the Whitelist, the session request is rejected. The maximum number of MAC addresses that can be configured at a time in the Whitelist database is 1000. Only valid MAC addresses are allowed. Duplicate MAC addresses cannot be configured.
MAC Address Blacklist
If MAC Blacklist validation is enabled for STUNNEL, the MAC address sent by the client is validated against the configured MAC Address Blacklist. If the MAC address is present in the Blacklist, the session request is rejected. The maximum number of MAC addresses that can be configured at a time in the Blacklist database is 1000. Only valid MAC addresses are allowed. Duplicate MAC addresses cannot be configured.
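As an added illustration of the Whitelist and Blacklist rules above and the MAC Blacklist Validation switch (example code written for this guide, not ShoreTel's implementation), the following Python model of both databases enforces the 1000-entry limit, accepts only well-formed MAC addresses, refuses duplicates, and applies the reject rules to the MAC carried in a client request. Which MAC syntax counts as "valid" and the outright rejection of a request whose MAC cannot be parsed are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed example, not ShoreTel code. Rules follow the guide: at most 1000
# entries per list, only valid MACs, no duplicates, whitelist rejects unlisted
# MACs, blacklist rejects listed MACs.
MAX_ENTRIES = 1000
# Six hex octets joined by one consistent separator (':' or '-'); assumption.
_MAC_RE = re.compile(r"^[0-9a-fA-F]{2}([:-])([0-9a-fA-F]{2}\1){4}[0-9a-fA-F]{2}$")


def normalize_mac(mac: str) -> str:
    """Lowercase colon form, or ValueError. Accepting '-' is an assumption."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return mac.lower().replace("-", ":")


class MacList:
    """One MAC database (whitelist or blacklist) enforcing the guide's limits."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: set[str] = set()

    def add(self, mac: str) -> None:
        canonical = normalize_mac(mac)  # malformed input is rejected here
        if canonical in self.entries:
            raise ValueError(f"duplicate MAC in {self.name}: {canonical}")
        if len(self.entries) >= MAX_ENTRIES:
            raise ValueError(f"{self.name} is full ({MAX_ENTRIES} entries)")
        self.entries.add(canonical)

    def __contains__(self, mac: str) -> bool:
        return normalize_mac(mac) in self.entries


@dataclass
class StunnelMacPolicy:
    whitelist: MacList = field(default_factory=lambda: MacList("whitelist"))
    blacklist: MacList = field(default_factory=lambda: MacList("blacklist"))
    whitelist_enabled: bool = False   # "MAC Whitelist validation" switch
    blacklist_enabled: bool = False   # "MAC Blacklist Validation" switch

    def check(self, client_mac: str) -> tuple[bool, str]:
        """Accept or reject a client request by the MAC it carries."""
        try:
            mac = normalize_mac(client_mac)
        except ValueError as exc:  # assumption: unparseable MAC is rejected
            return False, str(exc)
        if self.blacklist_enabled and mac in self.blacklist:
            return False, "MAC is on the blacklist"
        if self.whitelist_enabled and mac not in self.whitelist:
            return False, "MAC is not on the whitelist"
        return True, "accepted"
```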
Current Sessions
The Active Stunnel Session(s) page lets the administrator view or terminate the active STUNNEL sessions. Each active STUNNEL session is associated with a unique username and MAC address, as shown in the table. The timestamp and duration fields display the time the session was established and the amount of time the session has been active.
3.3.
#VpnPort- Port to use when contacting the VPN Gateway. Sources are MAN, CFG. Default is 443.
VpnPort 443
#VpnEnable- Enable VPN Client if set to 1. Sources are MAN, CFG. Default is 0
#VpnUserPrompt- Don’t cache the authentication user in NVRAM for survival across reboots if set to 1.
# This will force user entry after all power on events, but will permit automatic restoration of
# dropped links without user intervention. Sources are MAN, CFG. Default is 0.
Step 5: Enter the following VPN related parameters in order
1. VPN Gateway. [Default value = 0.0.0.0]. This is the IP address of the VPN Concentrator the phone will connect with. Use the digit keys to enter digits and the * key to enter a period (.) in the IP address. Press the # key to complete this entry.
2. VPN Port. [Default value = 443]. This is the port number on the VPN Concentrator that the phone will connect to.
This procedure allows for a turn-key installation of remote phones with minimal user intervention.
Chapter 4: Tools and Troubleshooting
4.1 Tools and Troubleshooting
Tools offered through the GUI and the Command Line Interface (CLI) can be used to troubleshoot the system. Sometimes both the GUI and the CLI need to be used to debug a problem. Logging into the GUI has been explained earlier in Section 1.2.1.5 and Section 1.2.2.5. The CLI can be accessed through the serial interface, SSH, or Telnet.
4.1.1 Network Information
Network information is available through both the GUI and the CLI. The following screenshot displays network information such as routing tables, link status, and interface status: Please make sure that all links and interfaces are up and running and that all interfaces have valid IP addresses. Also make sure that the default route is pointing to the right gateway.
Interface information can also be obtained through the CLI by issuing the “ifconfig” command.
4.1.2 Network Connectivity
Once all the physical and logical interfaces are up and running, network connectivity can be checked by using the ping command. The "traceroute" command can also be used to understand the path that a packet will take to reach a destination on the Internet and the delay associated with it.
The “ping” command is also available in the CLI:
    # ping 4.2.2.2
    PING 4.2.2.2 (4.2.2.2): 56 data bytes
    64 bytes from 4.2.2.2: icmp_seq=0 ttl=53 time=46.5 ms
    64 bytes from 4.2.2.2: icmp_seq=1 ttl=53 time=44.7 ms
    64 bytes from 4.2.2.2: icmp_seq=2 ttl=53 time=45.6 ms
    64 bytes from 4.2.2.2: icmp_seq=3 ttl=53 time=45.6 ms
    --- 4.2.2.2 ping statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round-trip min/avg/max = 44.7/45.6/46.
4.1.4 Packet Capture
Packet capture capability can be used to capture packets and analyze them for debugging purposes. This capability is only available through the CLI. Packets can be filtered for capture on the basis of host, port, interface, etc. The captured packets are stored in a file on the RAM disk of the VPN Concentrator with the extension “pcap”. Packets can be captured on eth0 (LAN port), eth1 (WAN port), and pppX (where X is a positive integer).