
Upload: ngokien

Post on 11-Jul-2018


Arcserve

eFolder Arcserve Cloud Firewall Configuration User Guide

Table of Contents

Introduction
    What Will a Customer Get from eFolder Arcserve Cloud
    Important Notice
    Accessing The pfSense Firewall
        Hyper-V/VirtualBox Continuity Cloud Nodes
        VMware Continuity Cloud Nodes
Configurations Needed for Typical Scenarios
    Backup Customer Site and Replicate to Arcserve Cloud RPS Server
    Access VMs Created by VSB/IVM from UDP Console/RPS server
        Configuring the LAN Interface
        DHCP Server Configuration
        Firewall Rules & NAT
    Access VMs Created by VSB/IVM from Customer Site/Internet
        Prerequisite
        OpenVPN
        IPSEC VPN
Appendix

Introduction

What Will a Customer Get from eFolder Arcserve Cloud

1. An Arcserve UDP Console/RPS server (UDP-Console). This server can be accessed from the internet.

2. Hyper-V/VMware nodes, if the VSB/IVM service is included in the customer’s subscription. Note that on the Hyper-V server, two virtual switches are present. One is used for the WAN of pfSense and the other is used for the LAN of pfSense and all restored VMs.

3. A pfSense firewall running on a virtual machine on the Hyper-V node. Each eFolder Continuity Cloud node is provisioned with a virtual firewall to handle Internet traffic for your restored virtual machines and provide secure access to your servers. By default, the WAN interface is preconfigured in pfSense with the proper address for internet access. The LAN interface needs to have the proper IP address set for the private network the customer wishes to use in the cloud.

Network topology

Important Notice

1. Only the private virtual switch (internal-LAN) should be used for customer VMs on Hyper-V.

Accessing The pfSense Firewall

Use the information provided by eFolder to gain access to the pfSense virtual firewall running on your assigned Continuity Cloud (CC) Node.

Hyper-V/VirtualBox Continuity Cloud Nodes

1. To access the console of your pfSense virtual firewall, first log in to your CC Node, then open a web browser and go to the WAN Alias IP address of your virtual firewall. (It will look similar to the example shown below.)

https://10.x.x.x:37038

This is a locally accessible private IP address. There is also a shortcut on the desktop of the CC Node.

2. Next, enter the credentials you received from eFolder for your virtual firewall and click Login. Please note that the username and password are case sensitive.

VMware Continuity Cloud Nodes

1. To access the console of your pfSense virtual firewall, open a web browser and go to the link provided by eFolder. It will look similar to the link below. This is a publicly accessible IP address, so you can access this URL from any computer with an internet connection.

https://38.x.x.x:37038

2. Next, enter the credentials you received from eFolder for your virtual firewall and click Login. Please note that the username and password are case sensitive.

Configurations Needed for Typical Scenarios

Backup Customer Site and Replicate to Arcserve Cloud RPS Server

No configuration on the pfSense firewall is needed.

Access VMs Created by VSB/IVM from UDP Console/RPS server

Configuring the LAN Interface

Configure the LAN interface of the pfSense virtual firewall with the proper IP address and subnet mask required for the virtual machines you are restoring. This IP address will serve as the default gateway for all virtual machines you restore to the Continuity Cloud node.

1. From the menu, hover over Interfaces and then select LAN from the drop-down list:

2. In the Static IP configuration section of the page, enter the IP address for the virtual firewall:

IMPORTANT: Do not check the block private networks option. This would block traffic from the WAN-DMZ.

This IP address will become the default gateway IP for virtual machines on your LAN. In the example shown above, the VM used to be on the network 192.168.1.0/24 (netmask 255.255.255.0) with the default gateway having an IP of 192.168.1.1.

• Make sure that the Gateway is set to None.

• Click Save when you’re finished.

3. At the top of the page, click the Apply changes button:

DHCP Server Configuration

Next, enable and configure the DHCP server, or leave it disabled, as your environment requires.

1. In the menu at the top of the page, choose Services, DHCP Server.

2. Click the LAN tab. If you need a DHCP server on the LAN network, enable the DHCP server and enter the range of IPs you want the DHCP server to use in its pool.

Note: Typically, you can leave the DNS server IPs blank, and it will use eFolder’s DNS infrastructure. If you do not want the firewall to act as a DHCP server, uncheck the option. Either way, click the Save button at the bottom of the page.

3. Click the Apply changes button.

Note: If static IP addresses are used for VMs in the LAN, then this step is not needed. You will need to manually configure a static IP address for each VM within the correct subnet.

Firewall Rules & NAT

Now, configure any required firewall rules to allow external access to services running on your restored virtual machines.

Set outbound traffic

1. By default, all outbound traffic is allowed. If you want to disable all outbound traffic as the default, browse to the Firewall menu and then Rules.

2. Click the LAN tab. Find the rule from LAN net to any destination. Click the green arrow on the left to disable the rule:

3. Then click the Apply changes button.

Port forwarding

Next, set up any ports that need to be forwarded from your assigned public IPs to internal IPs.

1. Hover over Firewall in the main menu and select NAT.

2. Click the + icon to add a new rule under the Port Forward tab:

Normally, you should leave the Interface set to WAN and Protocol set to TCP.

3. For the Destination, choose the proper IP address that corresponds to your desired public IP. Note that the WAN address entry is your primary public IP. If you have additional public IP addresses assigned, they will be present at the bottom of the drop-down list.

In this example, we are selecting the third WAN IP: 162.247.XXX.XX

4. From the Destination port range drop-down list, choose which protocol you want to forward, or you can manually enter a range of ports. In this example, we are forwarding remote desktop:

5. For the Redirect target IP and Redirect target port, enter the virtual LAN IP address of the server that should receive the forwarded traffic. The target port should normally be the same (in this example, remote desktop):

6. Typically, you should enable the NAT reflection setting. This allows servers in your internal LAN to connect to forwarded ports using your assigned public IPs. (This is sometimes called NAT loopback.) Note that this may not work in all scenarios.

7. The Filter rule association setting determines whether to automatically add a rule to the Firewall rules to allow the port-forwarded traffic. Select Add associated filter rule.

8. After you are finished configuring the port forward rule, click Save. Then click Apply Changes. Repeat this for all ports that you want to forward.

Note: You can also set up 1:1 NAT if desired. Normally you do not need to customize Outbound NAT.
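To review the port forwards created with the steps above, the following added example (not part of the original guide or of pfSense) lists the forwards in a configuration backup that expose a remote-administration or file-sharing port to any source address. The XML excerpt is constructed and its element names are an assumption about the backup layout, so compare them with your own export; the audit reads only the NAT entries, not the associated filter rules.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt shaped like the <nat> section of a pfSense config.xml backup.
# The element names are an assumption; compare them with your own export.
SAMPLE_CONFIG = """<pfsense><nat>
  <rule>
    <source><any/></source>
    <destination><network>wanip</network><port>3389</port></destination>
    <protocol>tcp</protocol><interface>wan</interface>
    <target>192.168.1.10</target><local-port>3389</local-port>
    <descr>RDP to restored server</descr>
  </rule>
  <rule>
    <source><address>203.0.113.0/24</address></source>
    <destination><network>wanip</network><port>3389-3390</port></destination>
    <protocol>tcp</protocol><interface>wan</interface>
    <target>192.168.1.11</target><local-port>3389</local-port>
    <descr>RDP from office range only</descr>
  </rule>
  <rule>
    <source><any/></source>
    <destination><network>wanip</network><port>443</port></destination>
    <protocol>tcp</protocol><interface>wan</interface>
    <target>192.168.1.20</target><local-port>443</local-port>
    <descr>HTTPS to web server</descr>
  </rule>
</nat></pfsense>"""

# Remote-administration and file-sharing services worth reviewing when forwarded.
REVIEW_PORTS = {22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP", 5900: "VNC"}


def parse_ports(text):
    """Turn "3389" or "3389-3390" into a range; port aliases yield an empty range."""
    low, _, high = text.partition("-")
    try:
        return range(int(low), int(high or low) + 1)
    except ValueError:
        return range(0)


def audit_port_forwards(config_xml):
    """List (description, target, service) for forwards open to any source address."""
    findings = []
    for rule in ET.fromstring(config_xml).findall("./nat/rule"):
        source = rule.find("source")
        any_source = source is None or source.find("any") is not None
        if rule.find("disabled") is not None or not any_source:
            continue
        ports = parse_ports(rule.findtext("destination/port", default=""))
        for port, service in sorted(REVIEW_PORTS.items()):
            if port in ports:
                findings.append((rule.findtext("descr", default=""),
                                 rule.findtext("target", default=""), service))
    return findings
```

Each finding is a forward to revisit, for example by limiting its source to known addresses or by reaching the service over the VPN described later in this guide.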

Access VMs Created by VSB/IVM from Customer Site/Internet

Prerequisite

You will need to complete all previous steps first. If you don’t need to access VMs running on Hyper-V from the UDP Console/RPS server, then you can skip the “Firewall Rules & NAT” part.

OpenVPN

Configure an OpenVPN Server to allow remote users access to resources on the LAN side of the virtual firewall.

1. To access the OpenVPN configuration, go to the navigation bar and select OpenVPN from the VPN drop-down menu.

2. Any configured OpenVPN servers will be displayed here. If none are present (as in the screenshot below), click on the Wizard tab on the top and begin configuring a new server.

3. The Server Setup Wizard will launch. Ensure Local User Access is selected in the drop-down menu and click Next.

New certificate authority

• Complete the form with your information for generating a new certificate authority.

• Ensure the Key length is set to 4096 bit.

• All fields are required.

After all of the fields are complete, click Add new CA.

New server certificate

• Complete the form with your information for generating a new server certificate.

• Ensure the Key length is set to 4096 bit.

• All fields are required.

After all of the fields are complete, click Create new Certificate.

General server information

1. Set the Interface to WAN, Protocol to TCP, Local Port to 1194 and enter a description for the OpenVPN server.

2. Configure the Cryptographic Settings for the OpenVPN connections as shown in the following screenshot. Note: No TLS Shared Key is required.

3. For Tunnel Settings, set the Tunnel Network to the unique private network to be used for communication between the remote hosts and this OpenVPN server.

• Set the Local Network to the LAN subnet of your pfSense firewall. This is the network that will be accessible to your remote hosts that connect to the OpenVPN server.

• Ensure that Concurrent Connections is set high enough to accommodate the number of expected remote hosts.

• All remaining fields should be left at their defaults, as shown below.

4. For Client Settings, enable Dynamic IP and Address Pool.

• Set the DNS Default Domain to the domain name you want appended to the connection for remote hosts.

• Set the DNS Server 1 to the IP address of the remote DNS server you want remote hosts to use for name resolution.

• Enable NetBIOS over TCP/IP to allow for propagation of NetBIOS traffic over the VPN connection.

After the above fields are configured, click Next.

5. On the Firewall Rule Configuration screen, enable both checkboxes to allow all traffic to be open to and from remote hosts connected over the VPN connection. Then click Next.

Click Finish on the completion screen.

6. Verify that the OpenVPN server has the Server mode set to Remote Access (User Auth) and that Local Database is selected for Backend authentication. Make the corresponding change if necessary.
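The addresses chosen in "Configuring the LAN Interface", "DHCP Server Configuration" and the Tunnel Settings step above have to fit together, and the following added example (not part of the original guide) checks a plan before it is entered in pfSense. The function and parameter names are hypothetical, the LAN values come from the guide's example and the pool, VM and tunnel values are constructed; the check against the networks the VPN users sit on goes beyond the guide's text.

```python
import ipaddress


def check_addressing_plan(lan_if, dhcp_pool, static_vms, tunnel_net, client_nets=()):
    """Return a list of problems in the plan; an empty list means it is consistent.

    lan_if      -- pfSense LAN address with prefix, e.g. "192.168.1.1/24"
    dhcp_pool   -- (first, last) pool addresses, or None if DHCP is disabled
    static_vms  -- {vm_name: static_ip} for restored VMs
    tunnel_net  -- OpenVPN Tunnel Network in CIDR form
    client_nets -- networks the VPN users sit on (hypothetical input)
    """
    problems = []
    lan_iface = ipaddress.ip_interface(lan_if)
    lan, gateway = lan_iface.network, lan_iface.ip
    unusable = {lan.network_address, lan.broadcast_address}
    if gateway in unusable:
        problems.append(f"LAN IP {gateway} is not a usable host address in {lan}")

    pool = None
    if dhcp_pool is not None:
        first, last = (ipaddress.ip_address(a) for a in dhcp_pool)
        pool = (first, last)
        if first > last:
            problems.append("DHCP pool start is above its end")
        for addr in pool:
            if addr not in lan or addr in unusable:
                problems.append(f"DHCP pool address {addr} is not a host in {lan}")
        if first <= gateway <= last:
            problems.append(f"DHCP pool contains the firewall LAN IP {gateway}")

    for name, ip in static_vms.items():
        addr = ipaddress.ip_address(ip)
        if addr not in lan or addr in unusable:
            problems.append(f"{name}: {addr} is not a host in {lan}")
        elif addr == gateway:
            problems.append(f"{name}: {addr} duplicates the default gateway")
        elif pool and pool[0] <= addr <= pool[1]:
            problems.append(f"{name}: {addr} falls inside the DHCP pool")

    tunnel = ipaddress.ip_network(tunnel_net)
    if tunnel.overlaps(lan):
        problems.append(f"Tunnel Network {tunnel} overlaps the LAN {lan}")
    for net in map(ipaddress.ip_network, client_nets):
        if net.overlaps(tunnel):
            problems.append(f"Tunnel Network {tunnel} overlaps client network {net}")
        if net.overlaps(lan):
            problems.append(f"Client network {net} overlaps the LAN {lan}")
    return problems


if __name__ == "__main__":
    # LAN values from the guide's example; pool, VM and tunnel values are constructed.
    for line in check_addressing_plan("192.168.1.1/24", ("192.168.1.100", "192.168.1.200"),
                                      {"restored-dc": "192.168.1.150"}, "192.168.1.128/25"):
        print(line)
```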

Set up Remote User Accounts

1. To set up user accounts for remote users, hover over System in the navigation bar and select User Manager.

2. On the Users tab, select the add user button in the bottom right corner.

3. Set the Username and Password for the new user. You can enter a Full name for your reference, if needed. Then click Save.

The new user account will now be listed on the Users tab of the User Manager.

Download a fully configured OpenVPN client software installer

1. To download a fully configured OpenVPN Client software installer, browse to the OpenVPN Server manager and click the Client Export tab.

NOTE: This installer will fully install and configure the client software on a remote host. Users will only need to enter their username and password after installation.

2. Under the Client Install Packages section, select the appropriate x86 or x64 client software installer that you want to distribute to your remote users.

IPSEC VPN

If you want to tie your virtual LAN to your actual LAN through an IPSec site-to-site VPN tunnel, please see the detailed instructions at:

http://doc.pfsense.org/index.php/VPN_Capability_IPsec

Appendix