This document describes how to use the LANCOM Management Cloud (LMC) to configure a LANCOM R&S®Unified Firewall to operate as a central gateway that uses the SD-Security feature to protect the local network and its components as managed by the LMC.
- LANCOM R&S®Unified Firewall with firmware version 10.6 or later
- LANCOM managed switch
- Optional: LANCOM access points for wireless access with LCOS version 10.50 or later (download latest version)
- LANtools from version 10.50 (download latest version)
- Web browser for configuring the Unified Firewall and LMC. The following browsers are supported:
- Google Chrome
- Mozilla Firefox
- LMC access (subject to charge) with an existing LMC project and licenses for all LANCOM devices used
- Functional Internet access for contact to the LMC
- A completely new local network is to be configured, in which the LANCOM R&S®Unified Firewall is to operate as a central gateway (e.g. for providing Internet access & a DHCP server for the local network) in addition to its security tasks.
- The local network and all of its components (in this case the LANCOM R&S®Unified Firewall, LANCOM Managed Switch and some LANCOM access points) are to be managed by the LANCOM Management Cloud (LMC).
- In the LMC, SD-Security is to be used to optimize the protection of the local network.
- A router provides an Internet connection and operates as the DHCP server that manages the local network with the address range 192.168.91.0/24.
- All of the LANCOM components used in the local area network are in their factory settings and have received an IP address from the network 192.168.91.0/24 from the upstream router.
- The configuration interface of the LMC can be reached via the Internet from a configuration PC connected to the central switch.
- The LMC is licensed correctly (see requirements), and a project and a site have been configured in the LMC.
- The router should continue to provide Internet access. The LMC does not manage this device.
- The previous local network 192.168.91.0/24 becomes an intermediate (transfer) network: the Unified Firewall obtains its WAN address on port eth0 from the router via a DHCPoE connection.
- The local network should then be given the IP address range 192.168.0.0/24 and the Unified Firewall, as a central gateway, distributes the local IP addresses to the various network components by means of DHCP. The new local network is on port eth1 of the Unified Firewall.
- A second local network with the IP address range 172.16.0.0/24, which has no access to the company network (separated by VLAN), is to be used by visitors to the company. This is also provided via the firewall port eth1.
- One or more LANCOM access points supply Wi-Fi networks for employees and visitors to the company.
1. Basic configuration of the Unified Firewall with the setup wizard:
1.1 Open the configuration interface of the Unified Firewall in the web browser (https://<local IP address of the firewall>:3438) and, as the first step, change the Administrator and Support passwords to ones of your choice.
1.2 Now click on Accept & login.
1.3 After logging in again, use the English-language setup wizard.
1.4 Since there is no backup to import, Continue without backup.
1.5 Configure the general settings according to your requirements.
1.6 The Internet interface is the Ethernet interface eth0, and the setting for Internet access must be DHCP.
With some Unified Firewall models (e.g. the UF-260) the SFP port is used as eth0. If you do not want to or cannot use this as the Internet interface, select one of the Ethernet interfaces for Internet access and adapt the rest of the configuration accordingly.
1.7 Disable the LAN configurations for the interfaces eth1 and eth2.
The local network configuration that you subsequently roll out to the Unified Firewall via the LMC is always created on the interface eth1.
Leave the configuration of the eth3 interface activated with the default settings. Should an error occur during the configuration of the Unified Firewall, you always have the option of accessing the device directly via an Ethernet interface.
1.8 Confirm the dialog that follows with OK.
1.9 Check the Summary information and then click Finish to complete the basic configuration.
2. Network and device configuration in the LMC:
2.1 Checking the required pre-settings & generating an activation code:
2.1.1 Open the LMC configuration interface in your web browser and switch to the project where you want to configure your scenario.
2.1.2 In the menu Project specifications → Device startup, make sure that the option “Disable default networks during configuration rollout...” is enabled.
2.1.3 Switch to the menu Project specifications → SDN and make sure that the SD-SECURITY feature is also activated along with SD-WAN, SD-LAN and SD-WLAN.
2.1.4 Go to the menu item Devices → Activation codes and click the button Create activation code.
2.1.5 Select the validity period you want and click on Generate now.
2.1.6 Copy the new activation code to the clipboard and save it, for example, as a *.txt file on your configuration PC.
2.2 Creating the local networks:
2.2.1 In this example configuration, the default IP address range of the INTRANET network is changed to 192.168.0.0/16. The subnet that the site actually receives from this range is a /24 (192.168.0.0/24 in this example, see step 7.4). You can also keep the default range. All other settings for this network are left at their default values.
It is important that this network provides Internet access and that the DHCP & DNS feature is enabled; both are among the default settings.
2.2.2 Navigate to the menu Sites → <site name> → Networks.
2.2.3 Assign the network INTRANET to the site.
2.2.4 Go back to the Networks menu and add a new network, which is later to be used for the guest Wi-Fi.
2.2.5 Enter a name and a description for the new network.
- In this example the address range is changed to 172.16.0.0/16 (the site receives 172.16.0.0/24 from it, see step 7.4).
- Under Tag network data, be sure to assign a VLAN ID (in this case 999) to the network.
- Leave all other parameters as their default value.
2.2.6 The new network now has to be assigned to your site under Sites →<site name> → Networks.
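As an added example that is not part of the LANCOM article, the following Python script checks the address plan of this scenario: the ranges entered in steps 2.2.1 and 2.2.5, the /24 subnets the site receives in step 7.4, and the upstream router's 192.168.91.0/24 that remains on eth0. All figures are taken from the article; the check itself and its function names are my own. One thing it makes visible: 192.168.91.0/24 does not collide with the /24 this site receives, but it does lie inside the 192.168.0.0/16 entered for INTRANET, which is worth knowing before further sites are given subnets from the same range.

```python
"""Added example, not part of the LANCOM article: a sanity check of the
address plan used in this scenario.  All figures come from the article
(steps 2.2.1, 2.2.5 and 7.4); the structure of the check is my own."""
from ipaddress import ip_address, ip_network
from itertools import combinations

# Address ranges configured in the LMC Networks menu (steps 2.2.1 and 2.2.5).
LMC_RANGES = {
    "INTRANET": ip_network("192.168.0.0/16"),
    "GUEST": ip_network("172.16.0.0/16"),
}
# VLAN tag per network: INTRANET stays untagged, GUEST is tagged 999 (step 2.2.5).
VLAN_IDS = {"INTRANET": None, "GUEST": 999}
# Subnets the site actually received after the roll-out (step 7.4).
SITE_SUBNETS = {
    "INTRANET": ip_network("192.168.0.0/24"),
    "GUEST": ip_network("172.16.0.0/24"),
}
FIREWALL_INTRANET_IP = ip_address("192.168.0.1")    # step 7.4
# The upstream router's network, now the WAN transfer net on eth0 (step 7.2).
WAN_NETWORK = ip_network("192.168.91.0/24")


def site_subnets_fit():
    """Per network: does the site /24 lie inside the LMC range it came from?"""
    return {name: SITE_SUBNETS[name].subnet_of(LMC_RANGES[name])
            for name in SITE_SUBNETS}


def overlapping(nets):
    """Name pairs whose prefixes overlap; for a clean plan this is empty."""
    return [(a, b) for (a, na), (b, nb) in combinations(nets.items(), 2)
            if na.overlaps(nb)]


def classify(addr):
    """Return (network name, VLAN ID) for a client address after the roll-out,
    or (None, None) if it belongs to none of the planned networks."""
    ip = ip_address(addr)
    for name, net in SITE_SUBNETS.items():
        if ip in net:
            return name, VLAN_IDS[name]
    if ip in WAN_NETWORK:
        return "WAN", None
    return None, None


def report():
    """Human-readable summary of the checks above."""
    lines = []
    for name, ok in site_subnets_fit().items():
        lines.append(f"{name}: site subnet {SITE_SUBNETS[name]} inside LMC range "
                     f"{LMC_RANGES[name]}: {'ok' if ok else 'MISMATCH'}")
    live = overlapping({**SITE_SUBNETS, "WAN": WAN_NETWORK})
    lines.append(f"overlaps between live subnets: {live or 'none'}")
    pool = overlapping({**LMC_RANGES, "WAN": WAN_NETWORK})
    lines.append(f"overlaps between LMC ranges and the WAN net: {pool or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
    for sample in ("192.168.0.57", "172.16.0.20", "192.168.91.5", "10.0.0.5"):
        print(sample, "->", classify(sample))
```

Run it before step 7: the live subnets must not overlap, and every site /24 must report "ok". If you change the ranges in steps 2.2.1 or 2.2.5, update `LMC_RANGES` and `SITE_SUBNETS` to match.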
3. Pairing the Unified Firewall with the LMC:
3.1 Open the configuration of the Unified Firewall in a web browser.
3.2 The first time you log in to the configuration interface of the Unified Firewall after completing the basic configuration, you will be asked to download the proxy CA certificates required for Internet and e-mail access.
Download all of the certificates offered. You need these later on every network client to access the Internet and to send or retrieve e-mails (also see LANCOM R&S®Unified Firewall: Configuring the HTTP(S) proxy to use UTM functions).
3.3 Switch to the menu Firewall → LMC Settings.
- Activate the pairing feature.
- Enter the activation code that you created in step 2.1.5 into the Activation Code box.
3.4 Then click on Save.
After a short time the Unified Firewall is paired with the LMC and appears in the LMC Devices menu.
4. Creating the Wi-Fi networks (SSIDs):
4.1 Open the configuration interface for the LMC and navigate to the Networks menu item.
4.2 First mark the network INTRANET and, in the lower menu, switch to the Wi-Fi tab.
4.3 Click the button Create new Wi-Fi SSID.
- In this example, the INTRANET network should support a Wi-Fi network with the SSID “Company” for the employees. Employees log in to this using a password (WPA-PSK).
4.4 Then click on Save.
4.5 Then mark the GUEST network and, in the lower menu, switch to the Wi-Fi tab.
4.6 Click the button Create new Wi-Fi SSID.
- In this example, the GUEST network should support a Wi-Fi network with the SSID “GUEST” for visitors to the company. Visitors log in to this using a password (WPA-PSK).
4.7 Then click on Save.
5. Configuring the switch ports:
5.1 In order for all of the configured networks to be provided via the (desired) ports on the central switch, these have to be assigned using a matrix in the Networks menu.
5.2 First mark the network INTRANET and, in the lower menu, go to the Switches tab.
5.3 Open the 10-port models tab and click on all of the displayed ports so that they take on the color that is assigned to the network.
5.4 Then click on Save.
5.5 Proceed in the same way for the GUEST network.
6. Enabling security features for a network:
6.1 In this example configuration, the security functions should be used in the INTRANET network. This is also configured in the Networks menu.
6.2 First mark the network INTRANET and, in the lower menu, go to the Security tab.
6.3 Enable the following features:
- Allow traffic from this network to the Internet.
- SSL inspection
6.4 Then click on Save.
- Alternatively you can enable additional security features on the tabs Application Management and Content Filter.
- For the GUEST network it makes sense to use only the Application Management and Content Filter functions: unlike SSL inspection, they do not require the firewall's proxy CA certificate to be installed on visitors' devices.
7. Roll out the full configuration to the Unified Firewall:
The necessary configuration steps in the LMC have now been completed. The new configuration can now be rolled out to the Unified Firewall.
Please note that the configuration of your local network will be completely changed when you roll out the configuration.
Among other things, devices receive two new local networks, and the Unified Firewall operates as a central gateway and DHCP server for the local network.
7.1 Go to the Devices menu and select the Unified Firewall.
7.2 Use the “three-dots” menu to select the option Configuration roll out, and confirm the next dialog with OK. The configuration is rolled out now.
Wait for 5 to 10 minutes for the roll-out process to complete. The changes to the network mean that, after the roll out, the Unified Firewall is shown as offline. This is because, following the configuration change, the Internet connection is no longer available.
After the roll out, you must re-connect the Ethernet cables on the switch, gateway router, and Unified Firewall (see the scenario image at the top of this article)!
- The cable connection between the firewall port eth0 and a switch port must be disconnected from the switch and plugged into an Ethernet port of the gateway router on which the previous local network (192.168.91.0/24) is provided via DHCP address assignment.
- A new cable connection is required between the firewall port eth1 and a port on the switch.
7.3 After changing the cable connections, it takes a few minutes for all of the network components to receive their new network information. The LANCOM switch and the access points may need to be restarted.
7.4 After the roll out, all devices are provided with the two networks:
- The INTRANET network has the IP address range 192.168.0.0/24.
- The GUEST network has the IP address range 172.16.0.0/24.
- You can reach the Unified Firewall under the local IP address 192.168.0.1.
To be able to access the Internet again (and thus the LMC) from your configuration PC, you now have to install the HTTPS CA certificate from the Unified Firewall on it. You downloaded this in step 3.2.
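The following shell script is an added example and not part of the LANCOM article. It collects the checks a configuration PC can run after the recabling in step 7: that the PC received an address from the new INTRANET network, that the firewall's interface at 192.168.0.1:3438 answers, that SSL inspection is actually in the path (the certificate presented for a public HTTPS host is then issued by the firewall's proxy CA rather than a public CA), and that the proxy CA from step 3.2 is trusted so that curl verifies without `-k`. Assumptions not stated in the article: a Linux PC with bash, ip, curl and openssl; the proxy CA saved as ./proxy-ca.pem; and `PROXY_CA_MATCH`, a fragment of that CA's subject name, which you must adjust to the real value.

```shell
#!/usr/bin/env bash
# Added example, not from the LANCOM article: client-side checks after the
# roll-out in step 7.  Assumptions (not in the article): Linux with bash, ip,
# curl and openssl; the proxy CA from step 3.2 saved as ./proxy-ca.pem; the
# CA subject contains PROXY_CA_MATCH (check with:
#   openssl x509 -noout -subject -in proxy-ca.pem).
INTRANET_NET="192.168.0.0/24"       # step 7.4
FIREWALL_IP="192.168.0.1"           # step 7.4
FIREWALL_UI_PORT="3438"             # step 1.1
PROXY_CA_FILE="./proxy-ca.pem"      # assumption
PROXY_CA_MATCH="Proxy CA"           # assumption: replace with the real CA name
PROBE_HOST="example.com"            # any public HTTPS host

# --- pure helpers (no network) -------------------------------------------
ip2int() {                          # dotted quad -> 32-bit integer
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
in_subnet() {                       # in_subnet 192.168.0.57 192.168.0.0/24
  local ip=$1 net=${2%/*} bits=${2#*/}
  local mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}
inspection_active() {               # inspection_active "<issuer line>" "<CA fragment>"
  # `openssl x509 -noout -issuer` prints e.g. "issuer=C = DE, O = ..., CN = ...".
  # With SSL inspection on, the firewall's proxy CA appears here instead of
  # the public CA that really signed the server's certificate.
  case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# --- probes (need the real network) ---------------------------------------
check_intranet_client() {           # run on the configuration PC (INTRANET)
  local my_ip issuer
  my_ip=$(ip -4 -o addr show scope global | awk '{print $4}' | cut -d/ -f1 | head -n1)
  in_subnet "$my_ip" "$INTRANET_NET" \
    || { echo "FAIL: $my_ip is not in $INTRANET_NET (DHCP from the firewall?)"; return 1; }
  curl -sk --max-time 5 "https://$FIREWALL_IP:$FIREWALL_UI_PORT/" -o /dev/null \
    || { echo "FAIL: firewall UI not reachable at $FIREWALL_IP"; return 1; }
  issuer=$(echo | openssl s_client -connect "$PROBE_HOST:443" -servername "$PROBE_HOST" 2>/dev/null \
           | openssl x509 -noout -issuer)
  inspection_active "$issuer" "$PROXY_CA_MATCH" \
    || { echo "FAIL: SSL inspection not seen for $PROBE_HOST ($issuer)"; return 1; }
  # With the proxy CA installed, verification must succeed WITHOUT -k:
  curl -s --max-time 5 --cacert "$PROXY_CA_FILE" "https://$PROBE_HOST/" -o /dev/null \
    || { echo "FAIL: proxy CA not trusted, see step 7.4"; return 1; }
  echo "OK: INTRANET client $my_ip, SSL inspection active, proxy CA trusted"
}
check_guest_isolated() {            # run from a client on the GUEST network (VLAN 999)
  if curl -sk --max-time 3 "https://$FIREWALL_IP:$FIREWALL_UI_PORT/" -o /dev/null; then
    echo "FAIL: GUEST client can reach the firewall UI on the INTRANET address"; return 1
  fi
  echo "OK: INTRANET gateway address not reachable from GUEST"
}

case "${1:-}" in
  intranet) check_intranet_client ;;
  guest)    check_guest_isolated ;;
esac
```

Run `./check.sh intranet` on the configuration PC and `./check.sh guest` from a device on the guest Wi-Fi. The pure helpers can be exercised without any network, which is also how to confirm the script itself before relying on it.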
8. Adding further network devices to the LMC and network configuration:
8.1 After the LMC configuration has been successfully rolled out to the Unified Firewall, you can now pair all of the other network components with the LMC.
8.2 In LANconfig, mark all of the other network components and right-click the selection.
8.3 Choose the option Pair device with LANCOM Management Cloud.
8.4 Enter the activation code that you created in step 2.1.5.
8.5 After successful pairing, the icon in front of the devices changes into an LMC symbol and the devices appear in the LMC dialog Devices.
8.6 Go to the LMC configuration interface and, in the menu Sites → <site name> → Devices assign all new devices to the site.
8.7 Finally, roll out the new LMC configuration to all of the devices in your project.
- To do this, switch to the menu Devices and mark all of the devices with the status “Outdated”.
- Use the “three-dots” menu to select the option Configuration roll out, and confirm the next dialog with OK. The configuration is rolled out now.
8.8 After the roll out, the configuration is complete.