This document provides an overview of the AWS components required to provision a Celestix SecureAccess server and the detailed deployment steps needed to complete the setup.
If you have not created an account already, set up an AWS account to use the AWS resources that provisioning a Celestix SecureAccess server requires. Once account setup is complete you are presented with the AWS Management Console.
Amazon Virtual Private Cloud (VPC) is the networking layer for Amazon EC2. A Virtual Private Cloud is a virtual network logically isolated from other virtual networks in the AWS cloud.
A subnet is a range of IP addresses in your VPC. You can launch AWS resources into a specified subnet. Use a public subnet for resources that must be reachable from the internet, and a private subnet for resources that must not be reachable directly from the internet.
If your account supports the EC2-VPC platform only, it comes with a default VPC that has a default subnet in each Availability Zone. If you have a default VPC and don’t specify a subnet when you launch an instance, the instance is launched into your default VPC. You can launch instances into your default VPC without needing to know anything about Amazon VPC.
You can create your own VPC, and configure it as you need. This is known as a nondefault VPC. This gives you complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. Subnets that you create in your nondefault VPC and additional subnets that you create in your default VPC are called nondefault subnets.
An internet gateway enables your instances to connect to the internet through the Amazon EC2 network edge. You control how the instances that you launch into a VPC access resources outside the VPC.
Your default VPC includes an Internet gateway, and each default subnet is a public subnet. Each instance that you launch into a default subnet has a private IPv4 address and a public IPv4 address. These instances can communicate with the internet through the internet gateway.
An Elastic IP address is a static public IPv4 address associated with your AWS account and reachable from the Internet. With an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account. The public DNS hostname resolves to the public IPv4 address or the Elastic IP address of the instance outside the network of the instance and to the private IPv4 address of the instance from the network of the instance.
A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance you can assign up to five security groups to it. A security group acts at the instance level, not the subnet level. If you don’t specify a security group at launch time, the instance is automatically assigned to the default security group for the VPC, which allows inbound traffic from other members of that same group. When you create a new security group it has no inbound rules, so no traffic reaches the instance until you add them; it does, however, have a default outbound rule that allows all traffic. Security group rules are stateful: replies to allowed traffic are permitted regardless of the rules in the other direction.
AWS offers two kinds of NAT devices – a NAT gateway or a NAT instance. A NAT gateway is a managed service that does not require administration on your part. A NAT instance is launched from a NAT AMI and requires basic settings to be configured. A NAT device is required only if resources in a private subnet need to reach the Internet, e.g. the scenario where you create a VPC with Public and Private Subnets.
To create a VPC using the Amazon VPC wizard
Note: Select “VPC with Public and Private Subnets” if you plan to allow SecureAccess clients access to resources in the Private Subnet of the VPC in AWS. Select “VPC with Public and Private Subnets and Hardware VPN Access” if you plan to allow SecureAccess clients access to your corporate network.
For option (a) you must specify an Elastic IP address for your NAT gateway; if you don’t have one you must first allocate one to your account. If you want to use an existing Elastic IP address, ensure that it is not currently associated with another instance or network interface. Refer to section 2.1 for details on how to allocate an Elastic IP address.
For option (b) select the NAT instance type. The instance is automatically created.
To provision a Celestix SecureAccess server
This configuration is required only if you plan to use a static address pool for VPN address assignment configured in step 6 of SecureAccess Setup Wizard.
The wizard provides the steps to configure SecureAccess VPN settings. It covers the minimum functionality; however, an individual organization may need different or additional configuration.
Note: If the server is not joined to the domain when you run the quick setup wizard, the error message “SecureAccess deployment cannot continue because the server does not belong to the domain.” is displayed.
Note: In step 3 if you select the topology as Edge or Behind an Edge (with two network adapters), then this view displays two network interfaces – Internal and External. If you select Edge (with one network adapter) then this view displays only Internal.
Note: Choose Assign addresses automatically if, for the VPC scenario you created before provisioning the SecureAccess server, a DHCP server is available in the private subnet of the VPC, or if you plan to use the DHCP server in your corporate network.
Celestix Networks, Inc
North America: 510 668.0700
EMEA: +44 (0)203 900 3737
Asia: +65 6958 0822
Japan: +81 3 5210 2991