
The Switchboard Menu (optional)

This section describes the Endian Switchboard and the functionalities it provides, including management options for the devices, the users, and their rights.

Changed in version 3.0-2014-July: New layout of the module.

New in version 3.0-2014-July: Configuration of Endpoints.

The Endian Switchboard Architecture.

The Endian Switchboard is a VPN-based solution that allows a seamless connection of diverse remote devices, called endpoints, to a centralised server through gateways. Users who have access to the server can easily reach the gateways and the endpoints, provided they have the necessary access rights.

The diagram below presents a possible setup of the various components of the infrastructure, showing how they are interconnected:

In a nutshell, there are two remote sites connected to the Switchboard by means of two gateways, which in turn control three endpoints each. The gateways are in “normal” modality (see below for more), so they have separate zones for the endpoints (GREEN) and for their uplink (RED).

The Switchboard and the client securely communicate over a protected channel using the SSL-encrypted OpenVPN protocol, which features data compression, automatic pushing of network routes, tunnelling, and an overall simplicity of configuration.

Finally, the Endian Connect App is a desktop application employed as a means to connect via VPN to the Switchboard, presenting the same GUI, plus the ability to directly connect to the endpoints.

In more detail, the various actors involved in the architecture are described below.

Switchboard
The Switchboard is the heart of the whole infrastructure. It stores all the configuration data, the log files, the access policies, and keeps track of the connections.
Gateways
A gateway is the door through which the Switchboard can manage and allow connections to endpoints. It can be easily configured and activated using gateway provisioning. Gateways, which can be organised in groups, are usually in “normal” modality: they connect to the endpoints they control using their GREEN interface, and to the Internet using the RED interface. In some specific setups, gateways can be set up with a single zone for both the uplink and the network. The GREEN subnet can be resized when the number of endpoints grows.
Endpoints
An endpoint can in principle be any kind of equipment that can connect via the Internet, such as industrial machinery, remote workstations, servers, etc. Endpoints have their own IP address and may connect to their local network and/or to the Internet by means other than the gateway. Each endpoint can be connected to only one gateway and receives a unique IP address (called virtual IP in the architecture) that falls within the GREEN network of the gateway. The endpoint’s virtual IP may change when the network needs to be resized, for example when new endpoints are added to the network.

Besides all the equipment, the Switchboard infrastructure also encompasses user management and applications, which allow suitable access policies to the endpoints to be set up. Access policies determine, on one side, which user can access which endpoint and, on the other side, which applications can be used on an endpoint.

Users
A user is anyone who can in some way access and interact with either the Switchboard, a gateway, or an endpoint. A user can be a member of user groups, in which she can play two roles, either member or administrator of the group. A user can also be either a regular user or a manager of gateways and gateway groups.
Applications
An application describes how to connect to an endpoint from the 4i Connect client; that is, which software application and which protocol are needed to connect. The types of applications may vary significantly, depending on the endpoint, since the same endpoint can be accessed in different ways (e.g., via RDP, via SSH, via HTTP). Several applications can be grouped together into an application profile: each endpoint has one application profile attached, which defines all available and permitted connection possibilities.

Additional access policies

The Endian Switchboard implements an additional policy to restrict access to remote gateways or endpoints: exclusive access at either gateway or endpoint level, which allows a gateway or an endpoint to be accessed by only one user at a time, preventing other users from connecting. This policy ensures that when a user operates on a critical endpoint or on a gateway controlling several sensitive endpoints, her work is not interfered with by anyone else.

This policy is set globally: there cannot be some gateways (resp. endpoints) with exclusive access and some without. Moreover, if the policy is set at gateway level, it is propagated to all the endpoints controlled by that gateway, i.e., only the user who has access to the gateway can connect to its endpoints.

Finally, note that this policy can be disabled, granting concurrent access to all the infrastructure to everyone.

Connections

This page contains a table showing all devices configured on the Switchboard, along with the following information for each of them:

  • The device name, which contains two different types of objects: Gateways and endpoints. They can be distinguished as follows: Gateways appear simply with their name, like acme_gateway, while endpoints appear with their name along with the name of the gateway they are connected to, like acme_gateway >> acme_endpoint.
  • The device’s IP address.
  • A description of the device.
  • The device’s status, which is either available when it is connected, or offline otherwise.
  • The users connected to the device.
  • The actions available on each device:
    • swconn swdisconn - connect or disconnect the device.
    • logs - view logs of the device.
    • actreload - close and reopen the connection to the device.

Above the table, on the right-hand side, appears a filter, useful to search among all the devices defined in the Switchboard. Simply type one or more characters and the matching devices will appear, while those that do not match are hidden. The search covers all the fields in the table, making the filtering more effective.

Users

This page is composed of two tabs, namely Users and Groups. In the former, user management can be carried out, while in the latter, users can be arranged into groups.

Users

In this page, all the users having the rights to connect to the Switchboard are listed in a table that shows the following data:

  • The name of the user.
  • A remark about the user (e.g., the real name or a description).
  • The groups the user belongs to.
  • The actions that can be carried out on each user:
    • on off - enable or disable the user.
    • swedit - modify the user.
    • delete - remove the user.
    • logs - see user’s activity log.

Above the table two links are shown. When clicking the Download CA certificate link, the Switchboard’s CA certificate will be downloaded. This certificate can be used when manually configuring a VPN connection on the user’s device.

New users can be added by clicking on the Add User link at the top of the page. In the page that will open, the configuration options are grouped into these tabs: User, Permissions, Groups, Additional user information, and Provisioning.

User

This tab gives access to some basic information about the user.

Name
The username for the new user. It must be unique.
Remark
The real name or a description of the user.
Authenticate using external authentication server
This checkbox is only visible if at least one external authentication server has been configured. Once it has been selected the following password input fields will disappear and the user will be authenticated by using the external authentication servers.
Password, Confirm Password
The new password for the user, to be inserted twice for confirmation. On the right-hand side of each field, a checkbox can be ticked to display the password.
One Time Password secret
This field contains the TOTP secret for the specific user. Due to the constraints in creating these secrets it is not possible to insert them manually but they must be generated by clicking on the Generate new secret button. A QR code representation of the secret can be displayed by clicking on the Show QR Code button.

One-Time Passwords

There are many different one-time password algorithms. On Endian UTM Appliance systems the Time-based One-Time Password algorithm has been implemented as described in RFC 6238. Since this is an open standard applications exist for almost all devices (Android, iOS and Windows smartphones, PCs etc.). To be able to use your device it needs to be initialized with the One Time Password secret. You can either do this by entering the secret manually or even more easily by taking a picture of the QR code with your application.
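As an added example (not code from the Endian documentation), the RFC 6238 computation described above in Python: RFC 4226 HOTP under time steps, the otpauth key URI that authenticator QR codes carry, and a server-side check that tolerates one step of clock skew while refusing a replayed code. The 30-second step, 6 digits, issuer label and skew window are assumptions; the page does not state the Switchboard’s exact settings.

```python
import base64
import hashlib
import hmac
import struct
from typing import Dict
from urllib.parse import quote

# RFC 6238 defaults; assumed here, not stated on the page.
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def decode_base32_secret(b32: str) -> bytes:
    """Authenticator apps exchange the secret as unpadded Base32; restore padding before decoding."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def provisioning_uri(b32_secret: str, account: str, issuer: str) -> str:
    """Key URI of the kind a 'Show QR Code' button encodes for authenticator apps."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32_secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


class TotpVerifier:
    """Server-side check: accept the code for the current step +/- `skew` steps to
    tolerate clock drift, and never accept the same step twice for a user (replay)."""

    def __init__(self, skew: int = 1):
        self.skew = skew
        self._last_step: Dict[str, int] = {}   # user -> highest step already consumed

    def verify(self, user: str, secret: bytes, code: str, unix_time: int) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        step = unix_time // STEP_SECONDS
        for candidate in range(step - self.skew, step + self.skew + 1):
            if candidate <= self._last_step.get(user, -1):
                continue                      # step already used by this user: reject replay
            if hmac.compare_digest(hotp(secret, candidate), code):
                self._last_step[user] = candidate
                return True
        return False
```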

Permissions

In this tab it is possible to manage all the devices accessible by the user, the user’s privileges on those devices, and the certificate associated with the user.

Permissions

The user can be granted several permissions:

  • Superuser: The user has full permission.
  • Can create groups: The user has the ability to create new groups.
  • Can manage applications: The user can manage the applications.
  • Can use the API: The user can access and use the Switchboard’s API.
  • Push route to GREEN | BLUE | ORANGE zone: When one or more of these options is selected, appropriate routes to the subnets governed by the Switchboard will be pushed to the user.

Any combination of these values can be associated with the user.

Roles in user groups
The role that the user can assume in every group: either member of or administrator of. One role per selected group can be chosen.

Groups

In this tab there is a multiselect box that allows choosing the groups of which the user is a member.

Permissions on gateways and gateway groups
Similar to the previous option, select here the user’s permission on every gateway and gateway group, either regular user of or manager of.

Additional user information

More detailed information about the user can be supplied in this tab, including the certificate to be used for the authentication.

Organizational unit name
The name of the organisational unit to which the user belongs.
Organization name
The name of the user’s organisation.
City
The city where the user is located.
State or province
The state or the province where the user is located.
Country
The country where the user is located, chosen from the drop-down menu.
Email address
The user’s e-mail address.
Certificate configuration

The drop-down menu allows configuring the user’s certificate. The available options are:

  • Don’t change. Leave the current certificate. If the user has no certificate yet, one must be created.
  • Generate a new certificate. Create a certificate.
  • Upload a certificate. Upload a user certificate.
  • Upload a certificate request. Upload a user certificate request.

Additional options appear for every choice except Don’t change; they correspond to those found under Menubar ‣ VPN ‣ Certificates ‣ Add new certificate.

By choosing Generate a new certificate, these new options are:

Subject alt name
An alternate name for the certificate’s subject.
Validity
How many days the certificate is valid.
PKCS12 file password, PKCS12 file password Confirmation
A password to protect the file in which the certificate is stored.

When selecting Upload a certificate, these options show up:

Certificate (PKCS12/PEM)
By clicking on the Browse button or on the textfield, a file chooser will open, in which to supply the path to the certificate to be uploaded.
PKCS12 file password
The password for the certificate, if needed.

Finally, the following two options appear with the choice of Upload a certificate request.

Certificate Signing Request (CSR)
By clicking on the Browse button or on the textfield, a file chooser will open, in which to supply the path to the CSR to be uploaded.
Validity (days)
The number of days the certificate is valid.

Provisioning

In this tab appear two options for the management of the Endian Network credentials for the user.

Endian Network account
The username used to access Endian Network.
Endian Network password or registration key
The password of the Endian Network account or the Endian UTM Appliance’s registration key.

Groups

A user group is a set of users that have access to one or more gateways or gateway groups with specific roles and permissions.

The page initially shows only the Add new User Group link and an empty table carrying the list of all the groups and some information about them:

  • The name assigned to the group.
  • A remark about the group.
  • The available actions on each of them:
    • swedit - Modify the user group.
    • delete - Remove the user group.
    • logs - View the log files for the user group.

When clicking on the Add Group link, the Editor opens right above the table. In the three tabs that compose the editor, new user groups can be defined, by supplying the following data:

Group

This is the tab in which to define a new user group.

Groupname
The name given to the group. It is mandatory and must be unique.
Remark
A description of the group.

Members

In this tab it is possible to add users to the group, using a multiselect box.

User roles in this user group

Select which users belong to the group and their role: from the multiselect box Add as choose the role, which is either member of or administrator of the group, then the user(s), by clicking on the + next to each user.

Permissions

This tab contains a multiselect box for the management of devices accessible by this user group.

Permissions for gateways and gateway groups
Select which gateways and gateway groups can be accessed by the users in this group: from the multiselect box Add as choose the role, either regular user or manager, then the gateway(s) and gateway group(s) by clicking on the + next to each gateway and gateway group.

Logs in Switchboard.

The logs of the Switchboard encompass all events that happen on the various objects (e.g., gateways, user groups, etc.) managed by the Switchboard. Unlike all other logs, which record system events and can be accessed from Menubar ‣ Logs, the log files of the Switchboard are reachable only from the Switchboard menu. In more detail, these are the logs available, along with the meaning of the various keywords found therein.

Keywords

Each keyword designates a precise event and is almost self-explanatory. In alphabetical order, they are:

DEVICECREATE, DEVICEDELETE, DEVICEEDIT, GATEWAYCREATE, GATEWAYEDIT, GROUPCREATE, SYSTEMBOOT, TUNNELACTIVE, TUNNELINACTIVE, USERCREATE, USERDELETE, USEREDIT, USERLOGOFF, USERLOGON.

Note

TUNNELACTIVE and TUNNELINACTIVE refer to the creation of an OpenVPN tunnel from a client workstation to an endpoint.

Logs

Log files always show the user who carried out the task, and are slightly different from each other:

  • User Groups: changes to user groups.
  • Users: all the actions carried out by a user on either another user, a gateway, or an endpoint.
  • Gateways: changes to gateways, connections to endpoints through gateways.
  • Gateway Groups: Changes to groups of gateways, including changes in users’ access right to gateways.
  • Connections: access to endpoints using tunnels, access and changes to gateways.

Log files can also be exported in CSV format by clicking on the Export in CSV format button. A pop-up window will open, asking to save a copy of the log files to the local workstation.

Devices

This page contains two tabs, Devices, in which to manage all devices reachable from the switchboard, and Groups, in which to configure groups of devices.

Devices

On the page a table containing the list of all the gateways that have already been configured is shown. It contains the following information:

  • The name of the gateway.
  • A remark about the gateway.
  • The serial number of the gateway.
  • The groups of which the gateway is part.
  • The available actions:
    • on off - enable or disable the gateway.
    • swedit - modify the gateway.
    • delete - remove the gateway.
    • logs - see gateway’s activity log.
    • dlmail - Download the configuration of the gateway.

Above the table two links are shown. When clicking the Download CA certificate link, the Switchboard’s CA certificate will be downloaded. This certificate must be used when configuring the VPN connection on the device itself.

When clicking the Add Gateway link, the gateway editor will open right above the table and a new device can be created. The editor consists of several tabbed pages, in which to configure all the different options of the gateway.

Gateway

This tab contains the basic setup options for the gateway.

Name
The name assigned to the new gateway.
Auto registration
Tick this checkbox if the gateway will register to Endian Network using provisioning.
Proof of Identity (POI)
The POI is a unique serial ID used for the machine. It is not a mandatory option, so it can safely be left blank. This option is displayed only when Auto registration is enabled.
Password, Confirm password
The password to access the gateway. Tick the checkbox on the right-hand side of the textbox to show the password in clear text. This option is displayed only when Auto registration is disabled.
Model
The model of the gateway, selected among those available: 4i Edge 200, 4i Edge 300, 4i Edge 500, 4i office, and 4i industrial.
Serial Number
The serial number of the gateway. This option is displayed only if Auto registration is not enabled.
Remark
A description of the gateway.

Groups

In this tab it is possible to choose the groups to which the gateway will belong.

Endpoints

This tab contains information about all the endpoints that can be reached from the gateway and can be used to manage them.

Maximum number of endpoints

The first information to be supplied is an approximate estimate of the number of endpoints that will be governed by the gateway.

Note

This information is particularly relevant, as it is used to create a virtual network in which to accommodate all the IPs assigned to each endpoint. In case of doubt, choose a size larger than the actual number of endpoints, or the network will not suffice to accommodate additional endpoints.

Local Network
The network used by the endpoints, in CIDR Notation.
Do not translate real IPs into virtual IPs
When this checkbox is ticked, the endpoint will not be accessed via its virtual IP address, but via its real IP address.
Virtual Network

The virtual IP address to be assigned to the endpoint.

Note

When the option Enable automated virtual subnet assignment in the switchboard settings section is enabled, this option does not appear. Indeed, an IP address for each endpoint is automatically assigned by means of the above mentioned option.
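The sizing consideration raised in the Note above, as an added Python illustration that is not Endian’s allocation code: the prefix length needed for a given maximum number of endpoints (plus one gateway address, network and broadcast), sequential virtual IP assignment with a real-to-virtual mapping, the “do not translate” case, and a resize that reports which endpoints obtain a new virtual IP. The base address, the sample real IPs and the choice of the first host as gateway address are assumptions.

```python
import ipaddress
import math
from typing import Dict


def prefix_for_endpoints(max_endpoints: int) -> int:
    """Smallest IPv4 prefix whose host range fits max_endpoints plus one gateway address.
    The network and broadcast addresses are unusable, so they are counted as well."""
    if max_endpoints < 1:
        raise ValueError("max_endpoints must be positive")
    needed = max_endpoints + 1 + 2
    host_bits = max(2, math.ceil(math.log2(needed)))
    return 32 - host_bits


class VirtualNetwork:
    """Virtual IP pool for the endpoints behind one gateway (illustrative, not Endian's algorithm)."""

    def __init__(self, base_address: str, max_endpoints: int, translate: bool = True):
        self.base_address = base_address
        self.translate = translate
        self.max_endpoints = max_endpoints
        # strict=False lets a base that is not aligned to the prefix snap to its network address,
        # which is exactly why a resize can move existing endpoints.
        self.network = ipaddress.ip_network(
            f"{base_address}/{prefix_for_endpoints(max_endpoints)}", strict=False)
        self.gateway_ip = next(self.network.hosts())   # first host reserved for the gateway (assumed)
        self.mapping: Dict[str, str] = {}              # real IP -> address used to reach the endpoint

    def assign(self, real_ip: str) -> str:
        """Return the address the Switchboard uses to reach this endpoint."""
        if real_ip in self.mapping:
            return self.mapping[real_ip]
        if not self.translate:
            # "Do not translate real IPs into virtual IPs": the endpoint keeps its real address.
            self.mapping[real_ip] = real_ip
            return real_ip
        used = set(self.mapping.values()) | {str(self.gateway_ip)}
        for host in self.network.hosts():
            if str(host) not in used:
                self.mapping[real_ip] = str(host)
                return str(host)
        raise RuntimeError(f"{self.network} is full: increase the maximum number of endpoints")

    def resize(self, new_max_endpoints: int) -> Dict[str, str]:
        """Rebuild the pool for a larger estimate; returns the endpoints whose virtual IP changed."""
        resized = VirtualNetwork(self.base_address, new_max_endpoints, self.translate)
        changed: Dict[str, str] = {}
        for real_ip, old_virtual in self.mapping.items():
            new_virtual = resized.assign(real_ip)
            if new_virtual != old_virtual:
                changed[real_ip] = new_virtual
        self.max_endpoints = resized.max_endpoints
        self.network = resized.network
        self.gateway_ip = resized.gateway_ip
        self.mapping = resized.mapping
        return changed
```

Constructed scenario: a gateway planned for 10 endpoints on base 10.200.1.16 gets a /28; raising the estimate to 40 moves it to 10.200.1.0/26 and renumbers every endpoint already assigned.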

Endpoints

A table showing all the endpoints controlled by the gateway, along with the following information:

  • The name of the endpoint.
  • The endpoint’s IP address.
  • A remark.
  • The application profile used to access the endpoint.
  • The Enabled status, i.e., whether the endpoint is active or not.
  • The Source Nat status. If active (“yes”), the endpoint will see all the traffic as originating from the gateway. This setup can prove useful when, e.g., the endpoint is situated behind a firewall and cannot communicate with the outside.
  • A custom field.

Each field in each table’s row can be edited by double-clicking on it: depending on the type of information it carries, each field can show a drop-down menu (i.e., a “yes-no” choice for the Enabled column, or the available profiles for the Application Profile) or a text field (all the others).

The management of the endpoints can be done using the buttons at the bottom of the table:

Add row
This option allows a new endpoint to be added to the gateway. Its configuration can be carried out by double-clicking on the fields of the new row.
Delete row

By clicking on this button, the highlighted endpoint is removed from the gateway. This button is active only when one row is selected.

Warning

The deletion of a row is immediate and cannot be reversed.

Show CSV
This button toggles the table with a textfield, containing the same information present in the table in CSV format, useful to export the configuration of all endpoints.
Validate
Check whether the information inserted in the highlighted row is valid.

Permissions

The users that shall have access to this gateway can be added from the multiselect box in this tab. Each user can assume the role of either regular user or manager of the gateway.

Provisioning

In this section it is possible to define the configuration for a remote gateway. The available configurations options are:

Host name
The hostname of the gateway.
Domain name
The gateway’s domain name.
Activation Code
The activation code of the gateway.
Company
The company to which the gateway belongs.
E-mail
The reference e-mail for the gateway, usually of the responsible person for that gateway.
Timezone
The timezone in which the gateway is located.
Country
The country where the gateway is located.
Red type
The type of the RED interface, i.e., how the gateway connects to the Internet. Four types are available: DHCP, Static, No uplink, and 3G. See Network configuration for more information.
Red device
The interface that connects the gateway to the Internet. The available options in this drop-down menu are determined by the Model chosen above. This option does not appear when the Red type is set as No uplink.
Red IPs/CIDRs
The IP address of the RED interface. This option appears only when the RED type is Static.
Red gateway IP
The IP address of the gateway for the RED interface. This option and the next one are needed to access the Internet and appear only when the RED type is Static or No uplink.
DNS Servers
The IP addresses of the DNS servers used by the gateway, one per line. It appears only when the RED type is Static or No uplink.
Access Point Name
The name of the access point, used only by the 3G Red Type.
Green device
The interface of the GREEN zone, i.e., the one in which the endpoints are situated.
Green IPs/CIDRs
The IP address pool assigned to the GREEN zone.
Blue device
The interface of the BLUE zone.
Blue IPs/CIDRs
The IP address pool assigned to the BLUE zone.
Orange device
The interface of the ORANGE zone.
Orange IPs/CIDRs
The IP address pool assigned to the ORANGE zone.
Custom OpenVPN server IP address or FQDN

It is possible to assign a custom IP address or hostname to the OpenVPN server.

Changed in version 3.0: The possibility to supply a FQDN.

Custom OpenVPN fallback IP address or FQDN

A custom IP address or hostname of a fallback OpenVPN server.

New in version 3.0-YYYYMMDD.

OpenVPN through HTTP proxy
Tick the checkbox when the gateway uses a proxy for its connection to the Internet. The next four options will appear to configure that proxy.
Upstream server
The IP address of the upstream proxy server.
Upstream port
The port on which the proxy service runs on the server.
Upstream username
The username to connect to the proxy server, if needed.
Upstream password
The password to connect to the proxy server, if needed.
Upstream NTLM proxy authentication
Click the checkbox if the upstream HTTP proxy requires NTLM Authentication.
Forge proxy user-agent
If the upstream HTTP proxy needs to be contacted with a given user-agent, write it here.

Port Forwarding

The options in this tab can be used to define on the gateway suitable port-forwarding rules that redirect traffic coming from an endpoint to a given host.

The table contains the following information for each endpoint.

  • Endpoint. The endpoint for which the rule is defined. No choice is available if no endpoint has already been set up.
  • Local port. The port on the gateway that the endpoint communicates to.
  • Protocol. The protocol that shall be used in the rule: available choices are tcp, udp, or tcp+udp.
  • Remote IP. The remote IP address to which the traffic is forwarded.
  • Remote port. The port on the remote IP to which the traffic is forwarded.
  • Remark. A custom remark.

Each field in each table’s row can be edited by double-clicking on it: depending on the type of information it carries, each field can show a drop-down menu (i.e., the list of the endpoints for the Endpoint column, or the available protocols for the Protocol column), or a text field (all the others).

The management of the rules associated with the endpoints can be done using the buttons at the bottom of the table:

Add row
This option allows adding a new rule. Its configuration can be carried out by double-clicking on the fields of the new row.
Delete row

By clicking on this button, the highlighted rule is deleted from the set. This button is deactivated if no row is selected.

Warning

The deletion of a row is immediate and cannot be reversed.

Show CSV
This button toggles the table with a textfield, containing the same information present in the table in CSV format: This proves useful to export the whole set of rules.
Validate
Check whether the information inserted is valid.
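As an added example (not Endian’s own validation code), the kind of checks the Validate button implies, run over a constructed Show CSV export of the rule table described above: endpoint known, ports in range, protocol one of tcp/udp/tcp+udp, remote IP well-formed, and no two rules for the same endpoint and local port with overlapping protocols (tcp+udp overlaps both). The CSV header names, column order and endpoint names are assumptions.

```python
import csv
import io
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

PROTOCOLS = {"tcp", "udp", "tcp+udp"}

# Constructed sample export; the columns follow the table described above, the header
# names and order are assumed. Rows 5 to 8 are deliberately faulty.
SAMPLE_CSV = """endpoint,local_port,protocol,remote_ip,remote_port,remark
plc_01,5900,tcp,192.168.5.10,5900,VNC to PLC
plc_01,22,tcp,192.168.5.10,22,SSH to PLC
plc_02,5900,tcp,192.168.5.11,5900,same local port on another endpoint is fine
plc_02,8080,tcp+udp,192.168.5.11,80,HTTP
plc_02,8080,udp,192.168.5.11,81,overlaps the tcp+udp rule above
hmi_01,70000,tcp,192.168.5.300,443,bad port and bad IP
hmi_01,443,icmp,192.168.5.12,443,unsupported protocol
unknown_ep,80,tcp,192.168.5.20,80,endpoint not configured on this gateway
"""

KNOWN_ENDPOINTS = {"plc_01", "plc_02", "hmi_01"}   # constructed


def _port(value: str) -> Optional[int]:
    """Return the port as an int if it is in 1..65535, otherwise None."""
    try:
        port = int(value)
    except ValueError:
        return None
    return port if 1 <= port <= 65535 else None


def _protocol_set(proto: str) -> Set[str]:
    return {"tcp", "udp"} if proto == "tcp+udp" else {proto}


def validate_rules(csv_text: str, known_endpoints: Set[str]) -> Dict[int, List[str]]:
    """Map 1-based data row number -> list of problems; rows without problems are absent."""
    problems: Dict[int, List[str]] = {}
    seen: Dict[Tuple[str, int], List[Tuple[int, Set[str]]]] = {}  # (endpoint, local port) -> rules
    for row_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        errors: List[str] = []
        endpoint = row["endpoint"].strip()
        if endpoint not in known_endpoints:
            errors.append(f"unknown endpoint {endpoint!r}")
        local_port = _port(row["local_port"])
        if local_port is None:
            errors.append(f"invalid local port {row['local_port']!r}")
        if _port(row["remote_port"]) is None:
            errors.append(f"invalid remote port {row['remote_port']!r}")
        proto = row["protocol"].strip().lower()
        if proto not in PROTOCOLS:
            errors.append(f"unsupported protocol {row['protocol']!r}")
        try:
            ipaddress.IPv4Address(row["remote_ip"].strip())
        except ValueError:
            errors.append(f"invalid remote IP {row['remote_ip']!r}")
        # Conflict check only makes sense once port and protocol are individually valid.
        if local_port is not None and proto in PROTOCOLS:
            key = (endpoint, local_port)
            for earlier_row, earlier_protos in seen.get(key, []):
                if earlier_protos & _protocol_set(proto):
                    errors.append(f"conflicts with rule in row {earlier_row}")
            seen.setdefault(key, []).append((row_no, _protocol_set(proto)))
        if errors:
            problems[row_no] = errors
    return problems
```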

Groups

The page contains only the Add group link above a table (initially empty) carrying the list of all the existing groups and some information about them:

  • The name assigned to the group.
  • A remark.
  • The available actions:
    • swedit - modify the gateway group.
    • delete - remove the gateway group.
    • logs - see gateway group’s activity log.

When clicking on the Add group link, the editor opens right above the table. The setup options are grouped in three tabs: Group, Members, and Permissions.

Group

This tab contains basic information about the group.

Groupname
The name assigned to the group.
Remark
A description of the group.

Members

The devices composing the group.

Devices in this gateway group
Choose which gateways are part of this group.

Permissions

User permissions on this gateway group
Select all users that can access this group and the role (i.e., either regular user or manager) they can assume.

Applications

There are two tabs in this page: Applications, in which to define all possible means to connect to an endpoint, and Profiles, in which to group together several applications.

Applications

An application can be seen as a means to access, from the Endian Connect Client, an endpoint or a service running on an endpoint, possibly using a third-party application installed on the client side.

The page initially shows only the Add application link and an empty table that will carry the list of all the available applications and some information about each application:

  • The name given to identify the application.
  • The type of the application (see further on for more information).
  • A remark.
  • The available actions for each application:
    • on off - Enable or disable the application.
    • swedit - Modify the application.
    • delete - Remove the application.

When clicking on the Add application link, the applications editor opens right above the table. Here, additional applications can be defined.

Name
A name to identify the application.
Type
The type of the application, which can be either URL or Program. Depending on the choice, the next options change. In the former case, the default system browser is used to open the URL provided; in the latter, the application relies on an external program.
URL to open
The URL to be used for the connection. This option is available only when the type of application above is URL.
Command path
The full path to the program to use, which can contain placeholders for convenience and ease of writing. Only when the type Program is selected.
Command args
Additional arguments to be passed to the program. Only when the type Program is selected.
Remark
A custom note to explain the purpose of the application.
Enabled
Tick the checkbox to enable the application.

Examples of applications

When choosing an external program for an application, several placeholders can be used. In the Action URL and Command path, there are:

  • %DEVICE_IP% the IP address assigned to the device.
  • %PHYSICAL_IP% the physical IP of the device.
  • %SERVER_EXTERNAL_IP% for the server’s external, public IP address.
  • %SERVER_INTERNAL_IP% for the internal, private IP address.

New in version 3.0-2014-June: %PHYSICAL_IP% placeholder, that can be required by some application, instead of %DEVICE_IP% to correctly operate on the device.

In the Command args, the available placeholders are:

  • %PROGRAM_PATH%: The default installation directory for applications (usually C:\Program Files).
  • %SYSTEM_DRIVE%: The drive containing the Windows root directory (C:\).
  • %SYSTEM_ROOT%: The Windows root directory (C:\Windows).
  • %HOME_PATH%: The user’s home directory (C:\Documents and Settings\`username`).

Example 1.

Application for accessing an endpoint via VNC using TightVNC, an open source application to connect to the desktop of a remote computer. The following is the configuration needed:

  • Name: TightVNC
  • Type: Program
  • Command path: %PROGRAM_PATH%\TightVNC\tvnviewer.exe
  • Command args: -host=%DEVICE_IP% -port=5900
  • Remark: TightVNC viewer

These standard assumptions apply: TightVNC is installed in the standard location and the VNC server runs on the endpoint on the port 5900.

Example 2.

Application for accessing an endpoint via SSH using PuTTy, an open source SSH client that consists of a single .exe file and is installed in the user’s home directory.

  • Name: PuTTy -SSH
  • Type: Program
  • Command path: %HOME_PATH%\putty.exe
  • Command args: username@%DEVICE_IP%
  • Remark: SSH via PuTTy

Note that username must be a valid user account on the endpoint.

Example 3.

Application for accessing an endpoint via HTTPS. The default browser of the workstation will be used.

  • Name: HTTPS
  • Type: URL
  • Action URL: https://%DEVICE_IP%
  • Remark: HTTPS connection
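The placeholder expansion behind the three examples above, as an added Python illustration that is not the Endian Connect client’s code: templates are split into arguments before substitution so that a value can never become an extra argument, IP placeholders must expand to an IP literal, unknown placeholders are rejected, and URL applications must keep an http(s) scheme. The sample values and the whitespace splitting of Command args are assumptions; the placeholders and the three applications are the page’s own.

```python
import ipaddress
import re
from typing import Dict, List

PLACEHOLDER_RE = re.compile(r"%([A-Z_]+)%")

# Placeholders listed on the page; the page's own examples use both kinds in both fields,
# so this illustration accepts every listed placeholder in path, args and URL.
IP_PLACEHOLDERS = {"DEVICE_IP", "PHYSICAL_IP", "SERVER_EXTERNAL_IP", "SERVER_INTERNAL_IP"}
PATH_PLACEHOLDERS = {"PROGRAM_PATH", "SYSTEM_DRIVE", "SYSTEM_ROOT", "HOME_PATH"}

# Constructed values for one client workstation and one endpoint (assumed, not from the page).
SAMPLE_VALUES = {
    "DEVICE_IP": "10.200.1.18",
    "PROGRAM_PATH": r"C:\Program Files",
    "SYSTEM_DRIVE": r"C:\ ".strip(),
    "SYSTEM_ROOT": r"C:\Windows",
    "HOME_PATH": r"C:\Documents and Settings\operator",
}

# The page's Examples 1 to 3 as application definitions.
TIGHTVNC = {"type": "Program", "command_path": r"%PROGRAM_PATH%\TightVNC\tvnviewer.exe",
            "command_args": "-host=%DEVICE_IP% -port=5900"}
PUTTY = {"type": "Program", "command_path": r"%HOME_PATH%\putty.exe",
         "command_args": "username@%DEVICE_IP%"}
HTTPS = {"type": "URL", "url": "https://%DEVICE_IP%"}


def expand(template: str, values: Dict[str, str]) -> str:
    """Substitute known placeholders; reject unknown ones and non-IP values for IP placeholders."""
    def replace(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in IP_PLACEHOLDERS | PATH_PLACEHOLDERS:
            raise ValueError(f"unknown placeholder %{name}%")
        if name not in values:
            raise ValueError(f"no value available for %{name}%")
        value = values[name]
        if name in IP_PLACEHOLDERS:
            ipaddress.ip_address(value)   # raises ValueError unless value is a bare IP literal
        return value
    return PLACEHOLDER_RE.sub(replace, template)


def build_command(app: Dict[str, str], values: Dict[str, str]) -> List[str]:
    """Program application -> argv list. Splitting happens before expansion, so a value
    containing spaces (a path under Program Files, or a hostile device field) stays one argument."""
    argv = [expand(app["command_path"], values)]
    argv.extend(expand(arg, values) for arg in app["command_args"].split())
    return argv


def build_url(app: Dict[str, str], values: Dict[str, str]) -> str:
    """URL application -> URL handed to the default browser; only http(s) schemes are allowed."""
    url = expand(app["url"], values)
    if not url.lower().startswith(("http://", "https://")):
        raise ValueError(f"refusing non-http(s) URL {url!r}")
    return url
```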

Profiles

Applications can be grouped together into Profiles and attached to single endpoints, tailoring the possibility of access to them. In other words, it is possible to configure applications on a given endpoint so that it can be reached only via some given protocol (e.g., RDP, SSH or HTTP) or service (VNC). The choice of the applications can be influenced also by the endpoint’s running operating system and services.

The page initially shows only the Add profile link and an empty table that will carry the list of all the available profiles and some information about each profile:

  • The name given to the profile.
  • A remark.
  • The applications that are encompassed in that profile.
  • The available actions on each of them:
    • edit - Modify the application profile.
    • delete - Remove the application profile.

Note

In case one or more profiles are deleted, though, the single applications will not be deleted: To remove an existing application, go to Applications.

When clicking on the Add profile link, the editor opens right above the table. Here, additional profiles can be created, by supplying the following data:

Name
A name to identify the profile.
Remark
A note about the profile.
Applications
Available applications are listed in this multiselect box. To add an application to the profile, click on the + next to the application’s name. To search for an application, use the textbox on top of the box. The Add all link can be used as a shortcut for moving all applications within the profile. An application can be removed from the profile by clicking on the - next to the application’s name in the right column.

Settings

This page allows setting up all the global configuration options of the Switchboard. Before actually configuring the Switchboard, two tasks must be accomplished in two other modules: Firewall and VPN.

The first task consists in the activation of the VPN Firewall, as this is required by one option of the OpenVPN server. To complete the task, go to Menubar ‣ Firewall ‣ VPN Traffic (VPN traffic) and, if not yet active, click on the grey switch.

Once the VPN firewall has been enabled, the second task requires setting up a couple of options in the VPN module.

Indeed, the Switchboard relies on an OpenVPN instance running on the Endian UTM Appliance to provide secure connections between the clients and the devices. While most of the OpenVPN instance’s parameters can be freely chosen, two of them must be configured as follows:

  • The traffic on the OpenVPN’s device must be routed.
  • The traffic between the clients must be filtered.

The configuration options concerned are:

  • In the Network options, the Bridged checkbox must not be ticked. Hence, if TAP is selected, do not tick the checkbox.

    Note

    When the TUN device is chosen, the traffic can only be routed and the checkbox is not accessible.

  • Under Advanced Options, the option Client to client connection should be set to Filter connection in the VPN firewall.

    More information about the aforementioned options can be found under Menubar ‣ VPN ‣ OpenVPN server ‣ Server configuration (see section OpenVPN server).
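As an added check that is not part of the Endian documentation or product, the following POSIX shell script inspects an OpenVPN server configuration for the two requirements above. It assumes that the Bridged checkbox corresponds to OpenVPN's server-bridge directive and that a client-to-client directive means client traffic is forwarded inside the daemon instead of being filtered by the VPN firewall; the sample configurations are constructed.

```shell
#!/bin/sh
# Added example (not Endian's code): verify that an OpenVPN server
# configuration meets the two Switchboard requirements:
#   1. routed, not bridged -> no "server-bridge" directive
#   2. client traffic filtered by the VPN firewall -> no "client-to-client"
#      directive, which would forward traffic inside the daemon instead
# Assumption: these directives are what the GUI options map to.

# Print one finding per violated requirement; return 1 if any, else 0.
check_switchboard_ovpn() {
    cfg="$1"
    rc=0
    # Drop comments (# or ;) and leading whitespace before matching.
    stripped=$(sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' "$cfg")
    if printf '%s\n' "$stripped" | grep -q '^server-bridge'; then
        echo "$cfg: bridged mode (server-bridge): traffic must be routed"
        rc=1
    fi
    if printf '%s\n' "$stripped" | grep -q '^client-to-client'; then
        echo "$cfg: client-to-client set: traffic bypasses the VPN firewall"
        rc=1
    fi
    return $rc
}

# Constructed sample configurations for the two cases.
tmpdir=$(mktemp -d)
cat > "$tmpdir/good.conf" <<'EOF'
# constructed: routed TUN instance, clients filtered by the firewall
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
EOF
cat > "$tmpdir/bad.conf" <<'EOF'
# constructed: bridged TAP instance with in-daemon client forwarding
dev tap
server-bridge 192.168.0.1 255.255.255.0 192.168.0.50 192.168.0.100
client-to-client
EOF

check_switchboard_ovpn "$tmpdir/good.conf" && echo "good.conf: OK"
check_switchboard_ovpn "$tmpdir/bad.conf" || echo "bad.conf: needs fixing"
```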

Exclusive access
This option governs the ability to lock single endpoints within a gateway, or even a whole gateway, allowing exclusive access to one user at a time. Three options are available: disabled (no exclusive access is granted), on gateway level (a whole gateway can be locked), and on endpoint level (single endpoints can be locked).
Switchboard bind IP address
The IP address on which the Switchboard listens for connections. It is mandatory when more than one IP address is assigned to the Switchboard.
OpenVPN instance
This option only appears if on the Endian UTM Appliance multiple instances of the OpenVPN server are running. Choose the instance to be used for the Switchboard from the drop-down menu.
OpenVPN server public IP address or FQDN

The public IP address or FQDN to be assigned to the Switchboard.

New in version 3.0-2014-July: The possibility to supply an FQDN.

Enable fallback OpenVPN instance
Tick the checkbox to allow a fallback.
Fallback OpenVPN instance
The fallback OpenVPN instance used in case the one specified in the previous option does not run, chosen from the drop-down menu.
Fallback OpenVPN server public IP address or FQDN
The public IP address or FQDN to be assigned to the fallback server of the Switchboard.

New in version 3.0-2014-July.

Enable automated virtual subnet assignment
Tick this checkbox to allow the virtual IP addresses for the subnets to be automatically assigned. When enabled, the next option appears.
Manually define IP pool for each gateway group
By ticking this checkbox it becomes possible to choose IP address subnets for each gateway group.
Global virtual IP pool
This option defines the IP address subnet for the addresses of the gateways.
Push entire virtual IP pool on client connection
With this option enabled, whenever a client connects, the whole virtual IP subnet will be pushed to it.
Enable remote API
Tick the checkbox to enable the remote API.
API key
A string used as the key for accessing and using the API.
Enable gateways provisioning
When this checkbox is ticked, gateway provisioning is enabled. See below for more information.
Endian Network account
The username for accessing Endian Network, used for the automatic registration of the gateways.
Endian Network password or registration key
The registration key of the endpoint. Tick the checkbox on the right-hand side to show the password, which is otherwise hidden.
Provisioning Encryption Certificate (PEM)
The certificate used for the decryption of the file containing the provisioning settings.
Provisioning Encryption Private Key (PEM)
The certificate used for encrypting the provisioning file.
Models

This table contains all the available models that can be used as gateways. Each model is accompanied by several pieces of information:

  • The name.
  • The list of the available network interfaces.
  • Whether they are equipped with an OpenVPN version newer than 2.3 or not.
  • The modem port, which can be chosen from the drop-down menu.

It is possible to add new gateway models by clicking on the Add row button, then editing the fields by clicking on each of them. Finally, a selected row can be either deleted or validated, using the Delete row and Validate buttons, respectively.

Note

The importance of the model having an OpenVPN version equal to or greater than 2.3 installed is that the newer version allows those endpoints to be NATed. It also allows assigning them a virtual IP address at gateway level, simplifying networking and communication between the endpoints, the gateways, and the connected users.

Gateway provisioning and creation of certificates

Gateway provisioning is a simple and effective means to create the configuration for a number of remote gateways in one place (the Switchboard or the Connect App) and then use that configuration during the gateway's or endpoint's first boot, so that they immediately start working.

To generate the certificate used for the encryption and decryption of the provisioning file, the Switchboard provides a simple shell script to be run from the CLI, generate-provisioning-certificate, which generates both the private key and the public key using OpenSSL and places them in the correct location on the filesystem.

Installation of remote gateways

In more detail, a gateway can be configured directly from the Switchboard (or from the Connect App) before the gateway is shipped and installed in its expected location. After the configuration has been created for a gateway, it can be exported and encrypted on a USB key.

Hint

The provisioning options are described in this section.

The provisioning file, i.e., the file containing the settings, is encrypted before it is stored on the USB key, using a dedicated certificate generated on the Switchboard. The file name shall be config_XXXXXXX.txt, where XXXXXXX is an arbitrary string.

The USB key, in turn, shall be plugged into the gateway before the first boot.

Once the gateway is switched on for the first time, a trigger launches the provisioning-install script using the provisioning settings file stored on the USB key. If the gateway has already been installed, the trigger is not kicked off, preserving the existing configuration.

Hint

An existing configuration can be overwritten from a USB key if the root directory of the USB stick contains a file called force_provisioning, created e.g. with the Linux touch utility.
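The whole provisioning flow sketched above (certificate generation, encrypted export named config_<string>.txt, and the first-boot or force_provisioning trigger), as an added shell example that is not Endian's own generate-provisioning-certificate or provisioning-install script. It assumes standard public-key usage with OpenSSL S/MIME (encrypt with the certificate, decrypt with the private key); the settings fields, the USB root path and the "installed" marker file are hypothetical.

```shell
#!/bin/sh
# Added example of the provisioning-file workflow; it is NOT Endian's
# generate-provisioning-certificate or provisioning-install script.
# Assumption: standard public-key usage via OpenSSL S/MIME (encrypt with the
# certificate, decrypt with the private key); the settings format, the
# "installed" marker and the USB mount point are hypothetical.
set -e
work=$(mktemp -d)
usb="$work/usb"; mkdir -p "$usb"        # stands in for the root of the USB key

# Analogue of generate-provisioning-certificate: RSA key + self-signed cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=switchboard-provisioning" \
    -keyout "$work/provisioning.key" -out "$work/provisioning.crt" 2>/dev/null

# Constructed provisioning settings (field names are hypothetical).
cat > "$work/settings.txt" <<'EOF'
GATEWAY_NAME=site-a-gw1
SWITCHBOARD_FQDN=switchboard.example.net
GREEN_NETWORK=192.168.10.0/24
EOF

# Export side: encrypt with the certificate; the output name must follow
# the config_<arbitrary string>.txt convention.
encrypt_provisioning() {  # $1 settings file, $2 certificate, $3 output file
    openssl smime -encrypt -binary -aes256 -outform DER -in "$1" -out "$3" "$2"
}
# Gateway side: decrypt with the private key.
decrypt_provisioning() {  # $1 encrypted file, $2 private key, $3 output file
    openssl smime -decrypt -inform DER -in "$1" -inkey "$2" -out "$3"
}
is_provisioning_file() {  # $1 path; true if named config_*.txt
    case "$(basename "$1")" in config_*.txt) return 0 ;; *) return 1 ;; esac
}
# Boot-time gate: run on first boot (no "installed" marker) or when the USB
# root carries force_provisioning; otherwise keep the existing configuration.
provisioning_should_run() {  # $1 USB root, $2 installed-marker path
    if [ ! -e "$2" ]; then return 0; fi
    if [ -e "$1/force_provisioning" ]; then return 0; fi
    return 1
}

encrypt_provisioning "$work/settings.txt" "$work/provisioning.crt" \
    "$usb/config_siteA01.txt"
```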

See also

On the help.endian.com web page the following tutorials are available:

  1. Switchboard Installation Guide
  2. Set up of a VPN Server Instance

Client Download

From here it is possible to download the 4i Connect Client, which can be used from any workstation both to manage the Switchboard and to launch a connection to the devices, provided that the necessary applications are installed.