STONESOFT

Appliance Installation Guide
StoneGate FW-100

Copyright 2001-2007 Stonesoft Corp. All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from Stonesoft Corporation.

Stonesoft Corporation
Itälahdenkatu 22 A
F-00210 Helsinki
Finland

Stonesoft Inc.
1050 Crown Pointe Parkway, Suite 900
Atlanta, GA 30338
USA

Trademarks and Patents

Copyright 2007 Stonesoft Corporation. All rights reserved. All specifications are subject to change. The products described herein are protected by one or more of the following US and European patents: US Patent Nos. 6,650,621; 6,856,621; 6,885,633; 6,912,200; 6,996,573; 7,099,284; 7,127,739; 7,130,266; 7,130,305; 7,146,421; 7,162,737, 7,234,166, 7,260,843, and 7,280,540; European Patent Nos. 1065844, 1259028, 1271283, 1289183, 1289202, 1313290, 1326393, 1379046, 1330095, 131711, and 1317937; and may be protected by other EU, US, or other patents, or pending applications. StoneGate, Stonesoft, and the Stonesoft logo are all trademarks or registered trademarks of Stonesoft Corporation. All other trademarks or registered trademarks are property of their respective owners.

Disclaimer

Although every precaution has been taken to prepare these materials, Stonesoft assumes no responsibility for errors, omissions, or resulting damages from the use of the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only. They are not intended to represent the IP addresses of any specific individual or organization.

THESE MATERIALS ARE PROVIDED AS-IS. STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE INFORMATION OR TECHNIQUES CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

Revision: SGAIG_FW-100_20071205

Introduction

Thank you for choosing Stonesoft's StoneGate appliance. This guide provides instructions for the initial hardware installation of the FW-100 appliance(s). The use of the appliance is subject to the acceptance of the End User License Agreement, which can be found at http://www.stonesoft.com/en/support/eula.html.

You must have a working Management Center on a separate server to make the appliance(s) operational. The system architecture is explained on the next page. See the StoneGate Installation Guide for instructions on how to install the Management Center and configure the firewall.

Note - The purpose of this appliance installation guide is to help you get started with your StoneGate appliance. See Product Documentation, on page 5 for information on other available documentation.

Contents

Getting Started
Safety Precautions
Front Panel
Back Panel
Configuring the Computer
Initial Configuration
Resetting the Configuration
Disposal Instructions
R&TTE Compliance

Caution - Never open the covers of the appliance! There are no user serviceable parts inside. Opening the covers may lead to serious injury and will void the warranty.

Read the Safety Precautions, on page 7 before you conduct any installation operations on the appliance.

Getting Started

StoneGate System Components

Illustration 1: StoneGate Components

The illustration above shows all available StoneGate components. Out of these, you need the following components to have an operational Firewall/VPN system:
1. A Management Server, which stores the configuration of the system. In most environments, it is best to have just one common Management Server for all firewall and IPS engines.
2. At least one Log Server to handle and store logs and alerts (can be installed simultaneously on the same machine with the Management Server).
3. At least one Management Client that you use to connect to the Management Server to change settings and monitor the system.
4. The Firewall Engines that handle the actual traffic processing (in this case, the FW-100 appliance(s)).
5. Licenses for each component except the Management Client(s) and the FW-100 appliance(s). Generate the licenses at the Stonesoft website.

The Monitoring Server and the Monitoring Client are optional components that are available on separate order. StoneGate IPS engines can be added to the same system for unified management and incident handling.

Installation Procedure

The appliance installation involves the following mandatory steps:
1. Configure a SOHO Firewall in the Management Center (see the separate StoneGate Installation Guide or the online help of the Management Client). The SOHO Firewall element represents the FW-100 appliance in the Management Client.
2. Save the initial configuration in the Management Client. The initial configuration is needed to establish trust between the appliance and the Management Server (see the separate StoneGate Installation Guide).
3. Connect the cables as instructed in Back Panel, on page 11.
4. Configure your computer to enable contact with the appliance (Configuring the Computer, on page 13).
5. Perform the initial configuration to configure the appliance and establish contact between the appliance and the Management Server (see Initial Configuration, on page 14).

Product Documentation

The following documentation covers the StoneGate Firewall/VPN products:
+ The Installation Guide explains how to install the Management Center and configure your firewall's basic settings.
+ The online help system of the Management Client contains the step-by-step instructions for the daily configuration and management of your system.
+ The Administrator's Guide contains the same information as the online help system of the Management Client, but in PDF form.
+ The Reference Guide contains background and reference information that helps you to plan and understand your system.

Note - The above-mentioned product documentation contains all the necessary information for using the StoneGate FW-100 appliance. The online help available in the FW-100 web interface is not meant for the users of the preconfigured FW-100 appliances.

Finding the Documentation

Press F1 while in any Management Client window to view the online help. All PDF guides are available:
+ On the Management Center CD-ROM (in the Documentation folder)
+ At the Stonesoft Website at http://www.stonesoft.com/en/support/technical_support_and_documents/manuals/.

Install the free Adobe Reader program to view the PDF documents (available at www.adobe.com/reader/). If your order includes the Installation Guide and Reference Guide, they are delivered as printed books.

Safety Precautions

The following safety information and procedures should be followed whenever working with electronic equipment.

Electrical Safety Precautions

Basic electrical safety precautions should be followed to protect yourself from harm and the appliance from damage:
+ Be aware of the locations of the room's emergency power-off switch, disconnection switch, or electrical outlet. If an electrical accident occurs, you can then quickly cut power to the system.
+ Do not work alone when working with high-voltage components.
+ Disconnect the power cords before removing or installing main system components.
+ Use only one hand when working with powered-on electrical equipment. This is to avoid making a complete circuit, which will cause electrical shock. Use extreme caution when using metal tools, which can easily damage any electrical components or circuit boards they come into contact with.
+ Do not use mats designed to decrease electrostatic discharge as protection from electrical shock. Instead, use rubber mats that have been specifically designed as electrical insulators.
+ The power supply cord must include a grounding plug and must be plugged into a grounded electrical outlet. Use only the cord supplied with the appliance.
+ The power cord plug cap that plugs into the AC receptacle on the power supply must be an IEC 320, sheet C13, type female connector.
+ Make sure the shockproof (Home Office) socket used for the installation is freely accessible. The mains plug has to be unplugged to disconnect the unit from the mains completely.
+ Make sure that the value of the upstream fuses of the mains connection does not exceed 16 amps.
+ Check whether the rated voltage shown on the type plate of the power supply unit corresponds to the local power supply.
+ To avoid injury, do not open the enclosures of power supplies or CD-ROM.

General Safety Precautions

Follow these rules to ensure general safety:
+ Keep the area around the appliance clean and free of clutter.
+ We recommend using a regulating uninterruptible power supply (UPS) to protect the device from power surges and voltage spikes and to keep your system operating in case of a power failure.
+ Observe the conditions that apply in your country to the installation of external ISDN basic accesses. If required, consult a technician who has the corresponding licenses. Obtain information about the special requirements of national regulations, and observe these legal requirements for the installation.
+ In case of wall installation, ensure that the screws are safely screwed into the wall and can carry the weight of the unit and the cables.

ESD Precautions

Electrostatic discharge (ESD) is generated by two objects with different electrical charges coming into contact with each other. An electrical discharge is created to neutralize this difference, which can damage electronic components and printed circuit boards. Use a grounded wrist strap designed to prevent static discharge.

Note - We recommend you use a UPS (Uninterruptible Power Supply) with your StoneGate appliance. If after a brief power outage your StoneGate appliance only partially starts up (for example, the power light is on, but the NIC LEDs are off and the appliance does not connect), turn the appliance off for five seconds and then back on.

WLAN Precautions
+ When the radio components are switched on, do not move the appliance into the vicinity of inflammable gases or into a potentially explosive environment (such as a paint shop), as the radio waves emitted may cause an explosion or fire.
+ Data traffic by a wireless connection may permit unauthorised third parties to receive data. Depending on how critical the safety of the data transmitted by the WLAN is, carry out the necessary steps to secure your radio network. Information on securing your WLAN is available at www.wi-fi.org.

Operating Precautions

Care must be taken to assure that the chassis cover is in place when the appliance is operating to ensure proper cooling. If this rule is not strictly followed, the warranty may become void. The temperature requirements for the appliance are: operating temperature +10...+35, and storage temperature 0...+70 degrees Celsius.

Do not open the power supply casing. Power supplies can only be accessed and serviced by a qualified technician of the manufacturer.

Lithium Battery Precautions

Caution - The battery must be replaced by authorized service personnel only. Danger of explosion if battery is incorrectly replaced. Replacement battery must be same or equivalent type recommended by the manufacturer. Used batteries must be discarded according to the manufacturer's instructions. Short-circuiting the battery may heat the battery and cause severe injuries.

Front Panel

Illustration 2: Front Panel

The LEDs on the front panel indicate the state and activity of the appliance.

TABLE 14.1 Front Panel LEDs

LED     | State    | Meaning
--------+----------+----------------------------------------------------------------------
Power   | On       | Power supply has been connected.
Status  | On       | Appliance is booting.
        | Flashing | Appliance is active.
1 to 4  | On       | Appliance is connected to the Ethernet (at 100 Mbit/s or 10 Mbit/s).
        | Flashing | Data traffic via Ethernet port (at 100 Mbit/s or 10 Mbit/s).
WLAN    | On       | WLAN module is active.
        | Flashing | Data traffic via WLAN port.
ADSL    | On       | ADSL connection is active.

Back Panel

Illustration 3: Back Panel (labels: Antenna Connector, Serial Port, Antenna Connector, Reset Button, Power Cable, Ethernet Ports, ADSL Port)

All connections are located at the rear of the appliance. The administrator who has defined the interfaces in the Management Client will inform you which ports of the appliance are used. If the initial configuration has already been imported, connect the cables to the ports according to the administrator's instructions, and connect the antennas and the rest of the cables according to the instructions below. If you import the initial configuration yourself, connect the cables as described in the following instructions.

Note - When the initial configuration has been imported, the appliance will function correctly only if you connect the cables to match the interface definitions created in the Management Client. Ask the administrator who defined the interfaces for more information.

To connect the cables

1. Screw on the two provided standard antennas to the respective antenna connectors Main and AUX.
   + The antennas attached to the Main and AUX connectors do not have the same function. Main is used for sending and receiving; AUX only for receiving. The appliance verifies which antenna receives a better signal and then uses that antenna for decoding.
2. Place the appliance on a firm, level base.
3. Orient the antennas.
4. Connect your computer to the Ethernet 1 port with the supplied Ethernet cable.
   + The appliance detects automatically whether it is connected to a switch or directly to a computer.

Note - The computer has to be connected to the Ethernet 1 port for importing the initial configuration. If the initial configuration has already been imported on the appliance, connect the cables to the ports according to the administrator's instructions.

5. If you use ADSL, connect the ADSL port of the appliance to the ADSL socket on your computer with the supplied DSL cable.
6. Connect the remaining Ethernet ports on the appliance to any other desired LAN interfaces using further Ethernet cables according to the interface definitions.
7. If you want to have a serial connection to the appliance, connect the serial port of your computer (COM1 or COM2) to the serial port Console on the appliance.
   + Use the serial cable supplied with the appliance.
8. Connect the appliance to the mains socket using the supplied mains adaptor.

Proceed to Configuring the Computer, on page 13.

Configuring the Computer

Make sure that the computer you are using is able to connect to the appliance over the network. If the initial configuration has not yet been imported on the appliance, the computer should now be connected to the Ethernet 1 port on the appliance.

To configure your computer

1. Open the local area network properties on your computer.
2. Open the properties of the TCP/IP protocol.
3. Check the computer's IP configuration. The computer's IP address, netmask, and gateway information must match the appliance's IP configuration.

Before the initial configuration of the appliance, the computer's IP configuration must be the following:
+ IP address: in the range of 192.168.0.1-192.168.0.253
+ Netmask: 255.255.255.0
+ Default gateway: 192.168.0.254

Note - The IP configuration changes with the initial configuration of the appliance. The computer's IP address and the address of the default gateway must be the same as the IP address defined for the appliance's corporate interface in the Management Client. The computer's netmask must also be the same as the corporate interface's netmask. The administrator who created the initial configuration in the Management Client will inform you which addresses you should use.

Once you have checked your computer's IP address information and possibly modified it to match the appliance's IP configuration, you can proceed to Initial Configuration, on page 14.

Note - If DHCP service has been enabled in the Management Client, a DNS server will provide the IP address for your computer. Ask the administrator for more information.

Initial Configuration

Once you have established contact between your computer and the appliance, you can continue configuring the appliance by importing the initial configuration (for example, from a USB stick) through the FW-100 web interface. The administrator who created the initial configuration in the Management Client may have encrypted the initial configuration with a password. In that case, the administrator will also provide the password for the initial configuration.

You must import the initial configuration, unless you are informed that someone in your company has already taken care of configuring the appliance. In that case, the person who has imported the configuration should inform you of the steps you should take. You may still have to add information needed for ADSL use in the FW-100 web interface.

If you must import the initial configuration or add ADSL information, start by Logging In to the FW-100 Web Interface.

Logging In to the FW-100 Web Interface

To log in to the FW-100 Web Interface

1. Make sure that the appliance is connected to your computer that has the necessary display, mouse, keyboard, and a graphical user interface with a Web browser.
2. Open the Web browser and connect to http://192.168.0.254. This is the appliance's default IP address before importing the initial configuration. The login for the FW-100 web interface opens (Illustration 4).

Illustration 4: Web Interface Login