The guide provides a system administrator with concise instructions for a base deployment. The document covers common installation requirements and is not intended to be comprehensive. Every network environment is different, and installation for an individual organization may require either additional or other configuration not discussed herein.
Celestix E Series Appliance administrators should have the following skills, knowledge, and consequent access privileges:
To reduce the risk of personal injury or equipment damage, be sure that the rack is adequately stabilized before extending a component from the rack.
Celestix appliances are 1U and should be attached to a standard 19-inch equipment rack as follows.
Once the appliance is racked, it must be connected to the network.
If an IP address will be assigned through DHCP, and then configure for a static address is covered in the setup wizard interfaces instructions. If DHCP is not deployed, you have to configure the IP address manually to add the IP address to the network adapter.
To connect the appliance
The diagram below provides a reference.
Note: Hardware models vary and may look somewhat different from the example, but network connections will be similar.
Network Interface LED indicators
When the appliance is powered on, each of the network adapters displays a pair of lights to help identify connection speed and usage.
1 NIC link LED Green = Network link
Off = No network link
2 NIC activity LED Solid green = Link to network
Flashing green = Network active
Off = No network activity
To connect power
Accessing the web UI is necessary to continue to deploy and manage the appliance. The IP address for the internal network adapter (Primary Port) is used to access the web UI.
Note: If the LAN IP address was assigned through DHCP, login to the appliance using a KVM or Monitor and Keyboard. Login to the windows using the default username and password. Check the IP assigned to the appliance.
To log in
For example, if the server LAN IP address is 192.168.30.4, the web UI URL would be https://192.168.30.4:8098
The factory default local administrator credentials are:
User name: administrator
The password is case-sensitive and the brackets are included. The “domain\administrator” user name format may be required.
Important: A certificate warning may display because the site uses a self-signed certificate. Accept the certificate to access the web UI.
After the appliance has been installed on the network, settings need to be configured. General setup uses a wizard to step through configuration in the web UI. Instructions cover the steps common to most deployments, but again, an individual organization may require different or additional configuration.
For setup, the administrator needs access to the following resources:
The section General Information provides necessary details to complete configuration.
The following topics cover requirements, assumptions, and terminology used in the Celestix Edge E Series Appliance Installation Guide.
The following list explains how terms to describe components are used in documentation.
Information presented in the E Series setup instructions is based on the following:
*As required for deployment.
The following items will be required to set up the E Series. Plan ahead so that items are available when needed to complete configuration.
To help make the instructions clear, these examples are used to identify components.
While working through the wizard, the appliance may need to reboot.
Note: Fields will be autopopulated with available settings if the appliance was joined to the domain previously; the reboot will be skipped if they are left unchanged.
The wizard is complete when the congratulations screen displays.
Once general setup and configuration are complete theFeatures configuration tool installs the roles and services necessary for Celestix E Series Appliance remote connectivity. Depending on the purpose for deployment, one or more roles can be installed. Instructions cover the steps common to most deployments, but again, an individual organization may require different or additional configuration.
The following features are available:
To install a feature
See the topic Feature Details for more information about feature options.
Once installed, some of the features include links that launch RDP applications to management consoles (MMCs). These links serve two purposes:
Some features do not do not contain an RDP link, usually because no additional configuration is required.
To access management tools
Note: If the File menu is not visible, use the quick close button (boxed x).
The following sections provides details about remote connectivity features.
The Need to Knows section in the feature descriptions below cover important details about configuration. They are organized as follows:
NPS provides basic RADIUS authentication, authorization, and accounting, or RADIUS proxy (connection request referral).
The following summary information is provided for reference.
Affected Appliance Features
Required Configuration After Installation
Configuration must be customized for an environment. Use the Network Policy Server link to open an RDP session in the browser to access RADIUS server/client configuration.
Remote Access with VPN configures DirectAccess (DA) on the E Series appliance. DirectAccess provides an automated, always-on secure connection for end user access to internal network resources in addition to manage-out functionality for remote domain-joined computers. Remote Access includes the option to enable a VPN that can be used for nonmanaged devices.
Configuration must be customized for an environment; there are two options:
Web Application Proxy publishes access to internal web applications for external users. The E Series adds a portal to make accessing applications more convenient. It also leverages authentication, authorization, and SSO functionality. It is configured for deployments where ADFS runs on a separate server.
Remote Desktop Gateway (RD Gateway) provides access to internal resources for remote users. Access is through the Remote Desktop Connect (RDC) client, and avoids the need for a VPN. User connections are encrypted and authorization policies set standards for client access.
Important: RD Gateway requires NPS.
Configuration must be customized for an environment. Use the Remote Desktop Gateway link to open an RDP session to the Remote Desktop Gateway Manager Console in the browser.
Note: Firewall rules may need to be adjusted to allow traffic.
RD Web Access (RD Web Access) provides streaming access to hosted applications. Windows 7 uses RemoteApp to start an RD Services session. Other devices can use a web browser to access them through Desktop Connection. RD Web Access also uses the RD Web Connection feature to let users access computers that have Remote Desktop enabled.
Rules for the external firewall must be adjusted to allow WMI traffic. See the topic Firewall Ports Reference for additional information about firewall configuration.
Work Folders uses an internal file server to host work files for anywhere access from supported computers and devices. Data is synced across devices over an Internet connection. This supports a bring your own device (BYOD) program without sacrificing control over data. Once synced, files can be worked on from wherever and will be updated on the sync share when the device has Internet connectivity.
Important: Work Folders is supported for Windows 8.1/8.1 RT devices.
Work Folders provides options to:
Required Configuration After Installation
Configuration must be customized for an environment:
The wizard provides the steps to configure DirectAccess and VPN settings for the Celestix E Series Appliance. Instructions cover the steps common to most deployments, but again, an individual organization may require different or additional configuration.
General Information provides necessary details to complete configuration. The topic Additional Configuration Notes provides details about conditional configuration that applies to some deployments.
The following deployment notes provide information that qualifies setup processes to understand Remote Access configuration.
Additional firewall configuration details are discussed in the topic Firewall Ports Reference.
The following items will be required to set up Remote Access. Plan ahead so that items are available when needed to complete configuration.
The notes below discuss options that may apply to some deployments. They exceed the scope of these instructions, but may be helpful to consider when planning.
To help make the instructions clear, the following examples are used to identify components.
The setup wizard is a walk-through to configure components for Remote Access.
Access the screen through the web UI at Celestix E | Features | Remote Access with VPN | Wizard.
Component Selection– select a Remote Access configuration option:
Note: DirectAccess should be enabled for managed clients, while VPN should be enabled to support unmanaged clients.
Configure both services DirectAccess and VPN
Configure DirectAccess services only
Configure VPN services only
The wizard is complete when the congratulations screen displays. Depending on the configuration to be completed, this may take some time.
The base level setup for Remote Access options is now complete. Clients can now be configured to access resources.
The wizard provides the steps to configure Web Application Proxy (WAP) settings for the Celestix E Series Appliance. Instructions cover the steps common to most deployments, but again, an individual organization may require different or additional configuration.
General Information provides necessary details to complete configuration.
The following deployment notes provide information to understand Web Application Proxy configuration.
The following items will be required to set up the proxy. Plan ahead so that items are available when needed.
The setup wizard is a walk-through to configure components for proxy services.
Access the screen through the web UI at Celestix E | Features | Web Application Proxy | Wizard.
Note: Entering the address creates the portal.
The base level setup for Web Application Proxy is now complete.
The wizard provides the steps to configure Work Folders settings for the Celestix E Series Appliance. Instructions cover the steps common to most deployments, but again, an individual organization may require different or additional configuration.
The following deployment notes provide information to understand Work Folders configuration.
The following items will be required to set up the Work Folders service. Plan ahead so that items are available when needed to complete configuration.
Note: A certificate is required for each server hosting the Work Folders feature.
The notes below discuss options that can extended Work Folders functionality. They exceed the scope of these instructions, but will be helpful to consider when planning deployment.
The best practice is to use security groups to manage Work Folder access. Set up for security groups in AD is described briefly and requires familiarity with AD domain administration.
To Create a User Group
The setup wizard is a walk-through to assign a certificate to encrypt remote access to work files.
Access the screen through the web UI at Celestix E | Features | Work Folders | Wizard.
Use the following instructions to import the SSL certificate for Work Folders.
The wizard is complete when the congratulations screen displays. Next, a sync share directory must be designated on the appliance.
Note: If the File menu is not visible, use the quick close button.
The base level setup that allows external access to work files is now complete. Supported clients can now be configured to access sync services.
Creating a system image, or snapshot, will provide an option to help remediate issues that may result from future updates or changes to the saved configuration. The image is created in the recovery system process where the main operating system is not running. Thus the system can be restored to the saved configuration, even if the operating system performance or functionality has been affected.
Important: A system image is intended to complement, not replace, regular backups through the Windows® OS.
The instructions below cover the appliance front panel Last Good Version (LGV) feature, which is accessed through the Jog Dial. LGV is an offline tool and requires that the system be rebooted to access it, but is convenient during setup because it can be run from the IPMI.
Note: The web UI also contains a System Imaging feature (System|System Imaging). It requires the use of a web browser, but can run when the operating system is loaded (online), or after a restart before the appliance boots into the operating system (offline). Online, or real-time images use more disk space than offline imaging, but they don’t interrupt the services the appliance provides.
The LGV instructions below require direct access to the Celestix appliance.
To create an LGV
CRITICAL: The appliance will boot to Windows Server after the Restore is complete; however, DO NOT interact with the appliance in any way until it has completed the full configuration process. The appliance will reboot, on its own, approximately 3 times while it runs scripts to install drivers, system files and any application components. Please DO NOT DISCONNECT ANY NETWORK CABLES.
The Saving System Image screen will show a progress indicator and an estimated time to completion for the image copy process.
Celestix recommends running the Windows backup utility (System | Backup) once the configuration is complete to provide a remediation option for issues that may result from future system updates or changes.
The Software Update Service allows administrators to keep system software current through hotfixes, service packs, and upgrades. They are necessary for the security and proper functioning of the appliance.
Access the update service through the web UI (System | Software Updates).
To find and install updates
Once applicable updates are installed, Celestix recommends checking for Windows updates (System | Windows Updates).
Thank you for choosing the Celestix E Series Appliance for your remote connectivity solution. This completes the setup and configuration steps for base-level deployment.
Email questions to firstname.lastname@example.org
Use the port reference information below to plan for deploying the appliance.
The ports in the section below are required for Comet or application functionality.
The following reference information is provided here for convenience. It is based on Microsoft® TechNet articles for each of the technologies listed. It. Please see TechNet (https://technet.microsoft.com/) for the most current information.Last update: 4/14/2016
TCP port 443 inbound and outbound
For reference if WAP or the SSO Portal are deployed.
It will expedite the process to gather and verify resource information in the Resource Worksheet below before starting appliance installation and setup. An example of the worksheet is provided below with descriptions for the information it includes. A blank copy of the worksheet, which can be printed, is included in the Appendix.
Note: Incorrect network configuration could compromise or impede the appliance.
Used in – Configuration : Use the Setup Wizard : Wizard Instructions
The appliance must be assigned a computer name. The computer name must be 15 alphanumeric characters or less.
The administrator account is a member of the local administrator group. The factory default password is case sensitive with brackets included.
Important: The default should be changed as it is public knowledge.
Used in – Configuration : Use the Setup Wizard : Wizard Instructions : Hostname and Domain
Required for appliance setup.
Record the name of the Workgroup or Domain that will be joined during setup.
LAN information (LAN1)
Private or internal network interface
Primary/secondary DNS server(s)
Used in –
Configuration : Use the Setup Wizard : Wizard Instructions : Network Interfaces
The LAN (private network interface) adapter of the appliance is the interface assigned to internal network traffic.
Public or external network interface
May be needed in – Configuration : Use the Setup Wizard : Wizard Instructions : Network Interfaces
The WAN (public network interface) adapter of the appliance is the interface assigned to external network traffic. This configures how the WAN, or public interface, connects to the Internet.
DMZ (LAN 2 +) information
Additional network interfaces
The DMZ adapters are optional configuration. This information is only necessary to assign static IP addresses to these adapters.
AD DS FQDN
Used in – Configuration : Install Features : Web Application Proxy
ADFS is required for Web Application Proxy.
Network Access Server (RADIUS Client)
Network policy criteria
Authentication protocol options
May be needed in post-configuration for NPS or Remote Desktop Gateway.
Setting up RADIUS authentication requires designating the NPS clients that will forward access requests, the criteria that will serve as the policy to grant access, and the protocols that will be used for authentication.
Static IP address(es)
Public address for client connections
GPOs (if using customized policies)
NLS certificate (if using external server)
Client IP address pool (if not using DHCP)
RADIUS server information (if not using Windows authentication)
Used in – Configuration : Configure Remote Access : Use the Setup Wizard : Wizard Instructions.
The Remote Access/VPN wizard will require server information. The client information will be required to set up remote devices.
Note: Infrastructure server information refers to resources not discoverable by Active Directory.
May be needed in post-configuration for DirectAccess.
PKI is recommended but no longer required for DirectAccess deployment, with a few exceptions, like OTP authentication.
Note: Root certificate required.
Used in – Configuration : Configure Web Application Proxy : Use the Setup Wizard : Wizard Instructions
Firewall rules for HTTPS and SSH communication
The SSO portal is a WAP feature.
Rules need to be created in the edge firewall to allow application communication.
While each application type is different, the list of application requirements covers common information for publishing a variety of applications.
RD Gateway (join domain)
RD Session Host (domain joined)
RD Connection Broker (domain joined)
RD Web Access (domain joined)
RD Web Access Server (domain joined)
Remote Desktop Virtualization Host server (optional)
Used in – Configuration : Install Features : Feature Details : Remote Desktop Web Access : Required Configuration After Installation
Sync share name
AD security group for user accounts
Sync share DNS entry (recommended)
SMTP gateway name
May be needed in – Configuration : Use the Setup Wizard : Wizard Instructions : Alerts Email
Optional configuration; SMTP is required for Alert Email.
AD DS service account
ADFS IP address
DRS DNS entry
May be needed in post-configuration for:
Web Application Proxy
Remote Desktop Gateway
RD Web Access
Celestix Networks, Inc
North America: 510 668.0700EMEA : +44 (0)203 900 3737Asia : +65 6958 0822Japan : +81 3 5210 2991