

Description:

Access to the Unified Firewall is required for configuration and error analysis. If there is no remote maintenance available for accessing the device, it may be necessary to connect to the Unified Firewall from the Internet.

This article describes how to enable access with the web client and SSH, and which IP addresses have to be set in order to enable remote access by LANCOM Systems Support.

Where an upstream router is operated, port forwarding has to be set up on it to enable access to the Unified Firewall. This is described in step 3 for LANCOM routers.

If access by LANCOM Support is no longer required, LANCOM Systems recommends that you deactivate the remote access.


Requirements:

  • LANCOM R&S®Unified Firewall with firmware version 10.2 or later
  • Web browser for configuring the Unified Firewall.

    The following browsers are supported:
    • Google Chrome
    • Chromium
    • Mozilla Firefox



Procedure:

1) Allow access via SSH:

1.1) In your browser, open the configuration for the Unified Firewall and switch to the menu item Firewall → Firewall Access → SSH Settings.

1.2) Access restrictions are implemented by a whitelist. The IP address or the interface has to be entered into this list to permit access to the Unified Firewall.

Access from the Internet via SSH can be enabled by setting a checkmark for Internet. However, we do not recommend this as access to the device would be unrestricted. Instead, access should be restricted to certain IP addresses only.

Two entries are available in the whitelist, which allow the LANCOM Support Team (Rohde & Schwarz ...) to access the device. As this involves another location, it is necessary to enter a further IP address.

1.3) Under Source, enter the IP address 212.117.89.9 in CIDR notation (Classless Inter-Domain Routing) in order to allow access via SSH and enter a meaningful name under Title.

Then click on the “+” icon to save the entry.

Before LCOS FX 10.4 the IP address 217.6.21.90 must also be entered in CIDR notation.

Necessary entries:

  • 212.117.89.9/32
  • 217.6.21.90/32 (only before LCOS FX 10.4)



1.4) Set check marks for LANCOM Customer Support, Rohde & Schwarz Internet Gateway and Rohde & Schwarz Cybersecurity Customer Support and click Save.



2) Allow access via HTTPS:

2.1) Open the configuration interface of the LANCOM R&S®Unified Firewall in your browser and go to the menu Firewall → Firewall Access → Webclient Settings.

2.2) Access restrictions are implemented by a whitelist. The IP address or the interface has to be entered into this list to permit access to the Unified Firewall.

Access from the Internet via HTTPS can be enabled by setting a checkmark for Internet. However, we do not recommend this as access to the device would be unrestricted. Instead, access should be restricted to certain IP addresses only.

Two entries are available in the whitelist, which allow the LANCOM Support Team (Rohde & Schwarz ...) to access the device. As this involves another location, it is necessary to enter a further IP address.

2.3) Under Source, enter the IP addresses 212.117.89.9 and 217.6.21.90 in CIDR notation (Classless Inter-Domain Routing) in order to allow access via HTTPS and enter a meaningful name under Title.

Then click on the “+” icon to save the entry.

Before LCOS FX 10.4 the IP address 62.153.130.132 must also be entered in CIDR notation.

Necessary entries:

  • 212.117.89.9/32
  • 217.6.21.90/32
  • 62.153.130.132/32 (only before LCOS FX 10.4)


2.4) Set check marks for LANCOM Customer Support, Rohde & Schwarz Internet Gateway and Rohde & Schwarz Cybersecurity Customer Support and click Save.
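
The following Python check is an added example (not LANCOM's own code): it compares the Source entries typed into the SSH or Webclient whitelist with the addresses listed in steps 1.3 and 2.3, and reports entries that are missing, not listed in this article, or wider than a single host. The function names and the sample whitelist are assumptions made for illustration.

```python
import ipaddress

# Required support sources as listed in this article; the second field is True
# when the entry is only needed before LCOS FX 10.4.
REQUIRED = {
    "ssh": [("212.117.89.9/32", False), ("217.6.21.90/32", True)],
    "https": [("212.117.89.9/32", False), ("217.6.21.90/32", False),
              ("62.153.130.132/32", True)],
}


def expected_sources(service, firmware):
    """Return the set of networks the article requires for this firmware."""
    legacy = tuple(firmware) < (10, 4)
    return {ipaddress.ip_network(cidr)
            for cidr, legacy_only in REQUIRED[service]
            if legacy or not legacy_only}


def audit_whitelist(service, firmware, configured):
    """Compare manually entered Source values with the article's list.

    Returns (missing, unexpected, too_broad) as sorted lists of CIDR strings.
    """
    expected = expected_sources(service, firmware)
    seen, too_broad = set(), []
    for entry in configured:
        # strict=False accepts host bits, e.g. "217.6.21.90/24" -> 217.6.21.0/24
        net = ipaddress.ip_network(entry.strip(), strict=False)
        seen.add(net)
        if net.prefixlen < net.max_prefixlen:
            too_broad.append(str(net))
    missing = sorted(str(n) for n in expected - seen)
    unexpected = sorted(str(n) for n in seen - expected)
    return missing, unexpected, sorted(too_broad)


if __name__ == "__main__":
    # Constructed sample: an HTTPS whitelist on LCOS FX 10.3 with one entry
    # entered with the wrong prefix length and one leftover catch-all.
    sample = ["212.117.89.9/32", "217.6.21.90/24", "0.0.0.0/0"]
    print(audit_whitelist("https", (10, 3), sample))
```

Three empty lists mean the manually entered sources match this article exactly for the given firmware version.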



3) Setting up port forwarding in the LANCOM router (optional)

If a LANCOM router is operated upstream, it needs to be set up with port forwarding to enable access to the Unified Firewall. This is the case when using the layer-3 loop and a “series” connection.

3.1) Open the configuration for the router in LANconfig and switch to the menu item IP-Router → Masq. → Port forwarding table.

3.2) Set up port forwarding for access by SSH:

3.2.1) Create a new entry and modify the following parameters:

  • First port: Enter port 22.
  • Last port: Enter port 22.
  • Remote site: Select the relevant Internet remote site from the drop-down menu.
  • Intranet address: Specify the IP address of the Unified Firewall in the intermediate network.
  • Protocol: From the drop-down menu, select TCP.

3.3) Set up port forwarding for access by web client:

3.3.1) Create a new entry and modify the following parameters:

  • First port: Enter port 3438.
  • Last port: Enter port 3438.
  • Remote site: Select the relevant Internet remote site from the drop-down menu.
  • Intranet address: Specify the IP address of the Unified Firewall in the intermediate network.
  • Protocol: From the drop-down menu, select TCP.

3.4) This concludes the configuration steps in the LANCOM router. Write the configuration back to the router.