This document describes how to use the LANCOM Management Cloud (LMC) to configure a LANCOM R&S®Unified Firewall to operate as a central gateway that uses the SD-Security feature to protect the local network and its components as managed by the LMC.
1.1 Open the configuration interface of the Unified Firewall in the web browser (https://<local IP address of the firewall>:3438) and, as the first step, change the Administrator and Support passwords to ones of your choice.
1.2 Now click on Accept & login.
1.3 After logging in again, use the English-language setup wizard.
1.4 Since there is no backup to import, Continue without backup.
1.5 Configure the general settings according to your requirements.
1.6 The Internet interface is the Ethernet interface eth0, and the setting for Internet access must be DHCP.
With some Unified Firewall models (e.g. with a UF-260) the SFP port is used as eth0. If you do not want to/can not use this as an Internet interface, you must select one of the Ethernet interfaces for Internet access and adapt the further configuration process to your circumstances. |
1.7 Disable the LAN configurations for the interfaces eth1 and eth2.
The local network configuration that you subsequently roll out to the Unified Firewall via the LMC is always created on the interface eth1. |
Leave the configuration of the eth3 interface activated with the default settings. Should an error occur during the configuration of the Unified Firewall, you always have the option of accessing the device directly via an Ethernet interface.
1.8 Confirm the dialog that follows with OK.
1.9 Check the Summary information and then click Finish to complete the basic configuration.
2.1.1 Open the LMC configuration interface in your web browser and switch to the project where you want to configure your scenario.
2.1.2 In the menu Project specifications → Device startup, make sure that the option “Disable default networks during configuration rollout...” is enabled.
2.1.3 Switch to the menu Project specifications → SDN and make sure that the SD-SECURITY feature is also activated along with SD-WAN, SD-LAN and SD-WLAN.
2.1.4 Go to the menu item Devices → Activation codes and click the button Create activation code.
2.1.5 Select the validity period you want and click on Generate now.
2.1.6 Copy the new activation code to the clipboard and save it, for example, as a *.txt file on your configuration PC.
2.2.1 In this example configuration, the default IP address range of the INTRANET network will be changed to 192.168.0.0/16. You can, however, also use the default range. All other settings for this network have been left at the default values.
It is important that this network provides Internet access and that the DHCP & DNS feature is enabled. These are the default settings, among others. |
2.2.2 Navigate to the menu Sites → <site name> → Networks.
2.2.3 Assign the network INTRANET to the site.
2.2.4 Go back to the Networks menu and add a new network, which is later to be used for the guest Wi-Fi.
2.2.5 Enter a name and a description for the new network.
2.2.6 The new network now has to be assigned to your site under Sites →<site name> → Networks.
3.1 Open the configuration of the Unified Firewall in a web browser.
3.2 The first time you login to the configuration interface of the Unified Firewall after completing the basic configuration, you will be asked to download the proxy CA certificates required for Internet and e-mail access.
Download all of the certificates offered. You need these later on every network client to access the Internet and to send or retrieve e-mails (also see LANCOM R&S®Unified Firewall: Configuring the HTTP(S) proxy to use UTM functions). |
3.3 Switch to the menu Firewall → LMC Settings.
3.4 Then click on Save.
After a short time the Unified Firewall is paired with the LMC and appears in the LMC Devices menu.
|
4.1 Open the configuration interface for the LMC and navigate to the Networks menu item.
4.2 First mark the network INTRANET and, in the lower menu, switch to the Wi-Fi tab.
4.3 Click the button Create new Wi-Fi SSID.
4.4 Then click on Save.
4.5 Then mark the GUEST network and, in the lower menu, switch to the Wi-Fi tab.
4.6 Click the button Create new Wi-Fi SSID.
4.7 Then click on Save.
5.1 In order for all of the configured networks to be provided via the (desired) ports on the central switch, these have to be assigned using a matrix in the Networks menu.
5.2 First mark the network INTRANET and, in the lower menu, go to the Switches tab.
| This example uses a 10-port LANCOM managed switch (GS-2310P+), and all networks are to be provided on all ports. |
5.3 Open the 10-port models tab and click on all of the displayed ports so that they take on the color that is assigned to the network.
5.4 Then click on Save.
5.5 Proceed in the same way for the GUEST network.
6.1 In this example configuration, the security functions should be used in the INTRANET network. This is also configured in the Networks menu.
6.2 First mark the network INTRANET and, in the lower menu, go to the Security tab.
6.3 Enable the following features:
6.4 Then click on Save.
|
The necessary configuration steps in the LMC have now been completed. The new configuration can now be rolled out to the Unified Firewall.
Please note that the configuration of your local network will be completely changed when you roll out the configuration. Among other things, devices receive two new local networks, and the Unified Firewall operates as a central gateway and DHCP server for the local network. |
7.1 Go to the Devices menu and select the Unified Firewall.
7.2 Use the “three-dots” menu to select the option Configuration roll out, and confirm the next dialog with OK. The configuration is rolled out now.
Wait for 5 to 10 minutes for the roll-out process to complete. The changes to the network mean that, after the roll out, the Unified Firewall is shown as offline. This is because, following the configuration change, the Internet connection is no longer available. After the roll out, you must re-connect the Ethernet cables on the switch, gateway router, and Unified Firewall (see the scenario image at the top of this article)!
|
7.3 After changing the cable connections, it takes a few minutes for all of the network components to receive their new network information. The LANCOM switch and the access points may need to be restarted.
7.4 After the roll out, all devices have two networks.
To be able to access the Internet again (and thus the LMC) from your configuration PC, you now have to install the HTTPS CA certificate from the Unified Firewall on it. You downloaded this in step 3.2. |
8.1 After the LMC configuration has been successfully rolled out to the Unified Firewall, you can now pair all of the other network components with the LMC.
| In this example, this includes the centrally managed switch and the three access points that provide the company and guest wireless LANs. The devices still have their factory default settings and obtain their IP addresses from the Unified Firewall via DHCP. |
8.2 In LANconfig, mark all of the other network components and click with the right-hand mouse button.
8.3 Choose the option Pair device with LANCOM Management Cloud.
8.4 Enter the activation code that you created in step 2.1.5.
8.5 After successful pairing, the icon in front of the devices changes into an LMC symbol and the devices appear in the LMC dialog Devices.
8.6 Go to the LMC configuration interface and, in the menu Sites → <site name> → Devices assign all new devices to the site.
8.7 Finally, you have to roll out new LMC configuration to all of the devices in your project.
8.8 After the roll out, the configuration is complete.
