Celestix Networks delivers an exceptional combination of secure connectivity features, scalability, and simplicity in cost-efficient virtual and hardware appliances. Ready-to-deploy appliances offer easier management that reduces the risk and cost of security solutions. Celestix® solutions offer flexibility to protect access to IT resources.
The Celestix® SecureAccess V Series Appliance provides simplified configuration for Microsoft® Windows Server® 2012 R2 remote connectivity solutions. The V Series facilitates access management, bring your own device (BYOD) programs, and anywhere access to work files.
A well-planned cloud blueprint can help users to work how and when they are most productive. Through the V Series, organizations can choose the connectivity options best suited to organizational goals.
The foundation of your Celestix virtual appliance is the award-winning Comet engine. Comet provides a web user interface (web UI) for convenient access to administration functions like setup, network configuration, and server task management. For the V Series, it also provides simplified installation and configuration for secure connectivity and supporting technologies.
The product installs as a trial version. A license activation key must be purchased from Celestix and uploaded to the virtual appliance before the 30-day trial period ends.
The Celestix V Series is a hardened and secure virtual appliance platform that is optimized for secure Windows deployment.
The 126.96.36.199 V Series offers the following functionality:
This guide will help system administrators to efficiently install and configure a new virtual appliance with a base level setup. The guide does not provide extensive reference information. The instructions cover steps for some common deployment scenarios. They usually offer one option to accomplish a task, though there may be other ways to achieve the same thing.
For example, the location of the section To find updates would be delineated as:
Update Software : To find updates.
For example, to access Software Updates, the navigation path from the menu bar would be delineated as:
The SecureAccess virtual appliance simplifies the process to set up and manage access to IT resources. The diagram below provides a reference for features that are available on the appliance.
Illustration 1: E Series Connectivity Features
The diagrams that follow are intended to provide reference for IT administrators or architects. The examples provide a few scenarios for common aspects of SecureAccess virtual appliance deployment, while the potential options are certainly numerous.
DirectAccess Deployment with Manage-Out
Access for external users with strong authentication that allows system administrators to support and manage remote clients.
Illustration 2: DirectAccess Role
Access for external users that includes a wide range of systems, like PCs, Macs, tablets, and smart phones.
Illustration 3: VPN Role With Web Application Proxy
Cross-premises network connectivity for internally hosted and cloud resources.
Requirement: Seamless connectivity between on-premises data center and virtual machines hosted in the public cloud.
Illustration 4: Remote Desktop Services Role
The following lists network components that most commonly require configuration to support feature deployments.
Note: Some items are optional. Details for feature configuration are discussed in the topic Resource Worksheet.
Network Policy Server
Remote Desktop Services Components
The web UI is a management tool to access the most common Celestix product features. Initially, use it to quickly set up the server. Subsequently, use the web UI to access administrative features for both Comet and Remote Access roles.
See the Appendix topic Web User Interface Content Overview for features included in the web UI. See the online help topic Web User Interface Overview for more information about using the web UI (Help|Web UI Overview).
Version information for virtual appliance components is noted on the main web UI page. Click the E Series logo link from any page to access:
The guide provides a system administrator with concise instructions for a base deployment. The document covers common installation requirements and is not intended to be comprehensive. Every network environment is different, and installation for an individual organization may require either additional or other configuration not discussed herein.
Review the skills, knowledge, and the server requirements for virtual appliance deployment.
Skills and Knowledge
SecureAccess administrators should have the following skills, knowledge, and consequent access privileges:
The V Series server specifications are covered below.
Table: V 3400 Server Specifications
Windows Server® 2012 R2
2.4 GHz or greater with 2 cores
4 GB; 8 GB recommended
1-2 virtual adapters (depending on the design of DA)
Available Disk Space
50 GB or greater
Table: V 6400 Server Specifications
2.4 GHz or greater with 2 cores; 2.8 GHz with 4 cores recommended
8 GB; 16 GB recommended
Table: V 8400 Server Specifications
2.8 GHz or greater with 2 cores; 2.8 GHz with 6-12 cores recommended
8 GB; 32 GB recommended
Complete the following:
Accessing the web UI is necessary to continue to deploy and manage the virtual appliance. The IP address for the internal network adapter is used to access the web UI.
To log in
For example, if the server LAN IP address is 192.168.30.4, the web UI URL would be https://192.168.30.4:8098
Important: A certificate warning may display because the site uses a self-signed certificate. Accept the certificate to access the web UI.
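Rather than accepting the warning on sight, the certificate the web UI presents can be compared with a fingerprint recorded out of band. The following is an added example, not part of the Celestix guide; the function names and the constructed sample bytes are illustrative, and it assumes the administrator has already obtained the certificate's SHA-256 fingerprint from a trusted source such as the appliance's own console session.

```python
import hashlib
import hmac
import socket
import ssl

WEB_UI_PORT = 8098  # web UI port given in this guide

# Constructed sample bytes standing in for a DER certificate (not a real one).
SAMPLE_DER = bytes.fromhex("3082010a0282010100") + b"constructed-sample"


def web_ui_url(lan_ip: str) -> str:
    """Build the web UI URL from the internal adapter's IP address."""
    return f"https://{lan_ip}:{WEB_UI_PORT}"


def normalize_fingerprint(text: str) -> str:
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex; return lowercase hex."""
    hexed = "".join(ch for ch in text if ch not in ": -\t\n").lower()
    if len(hexed) != 64 or any(c not in "0123456789abcdef" for c in hexed):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return hexed


def fingerprint_der(der: bytes) -> str:
    """SHA-256 over the DER encoding, as browsers display it."""
    return hashlib.sha256(der).hexdigest()


def matches_pin(der: bytes, expected: str) -> bool:
    """Constant-time comparison of the presented cert with the recorded pin."""
    return hmac.compare_digest(fingerprint_der(der),
                               normalize_fingerprint(expected))


def fetch_presented_cert(lan_ip: str, timeout: float = 5.0) -> bytes:
    """Return the DER certificate the web UI presents, without trusting it.

    Chain validation is disabled only to retrieve the self-signed
    certificate; nothing is sent over the connection.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((lan_ip, WEB_UI_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw) as tls:
            return tls.getpeercert(binary_form=True)


def check_appliance(lan_ip: str, expected: str) -> bool:
    """True only if the live web UI certificate matches the recorded pin."""
    return matches_pin(fetch_presented_cert(lan_ip), expected)


if __name__ == "__main__":
    # Offline demonstration using the constructed sample bytes.
    pin = fingerprint_der(SAMPLE_DER).upper()
    print(web_ui_url("192.168.30.4"))
    print("match:", matches_pin(SAMPLE_DER, pin))
    print("tampered:", matches_pin(SAMPLE_DER + b"\x00", pin))
```

Against a live appliance, call `check_appliance("192.168.30.4", recorded_fingerprint)` and accept the browser warning only if it returns `True`.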
After the application has been installed on a server, settings need to be configured. General setup uses a wizard to step through configuration in the web UI. Instructions cover the steps common to most deployments, but again, an individual organization may require different or additional configuration.
For setup, the administrator needs access to the following resources:
Also, it’s recommended that administrators complete the Resource Worksheet in advance to expedite installation and setup.
The section General Information provides necessary details to complete configuration.
The following topics cover requirements, assumptions, and terminology used in the SecureAccess V Series Appliance Installation Guide.
The following list explains how terms that describe components are used in the documentation.
Information presented in the V Series setup instructions is based on the following:
*As required for deployment.
The following items will be required to set up the V Series. Plan ahead so that items are available when needed to complete configuration.
To help make the instructions clear, these examples are used to identify components.
While working through the wizard, the virtual appliance may need to reboot.
Note: Fields will be autopopulated with available settings if the virtual appliance was joined to the domain previously; the reboot will be skipped if they are left unchanged.
For example: SecureAccess
For example: example.com.
For example: example\adminuser
Note: Domain administrator credentials (example: example\adminuser) will be required to access the web UI after the reboot.
Note: The alert email function will indicate whether a test email was sent. If the test email is not received after the alert email feature indicates that one was sent, the error is most likely due to SMTP server settings. An error will occur if the SMTP service is not running or if the virtual appliance is not correctly configured to see the SMTP server. Confirm the SMTP server and network settings before trying to test again.
The wizard is complete when the congratulations screen displays.
Once general setup and configuration are complete, the Features configuration tool installs the roles and services necessary for SecureAccess V Series Appliance remote connectivity. Depending on the purpose for deployment, one or more roles can be installed. Instructions cover the steps common to most deployments, but again, an individual organization may require different or additional configuration.
The following features are available:
To install a feature
See the topic Feature Details for more information about feature options.
Once installed, some of the features include links that launch RDP applications to management consoles (MMCs). These links serve two purposes:
Some features do not contain an RDP link, usually because no additional configuration is required.
To access management tools
For example, Network Policy Server:
A RemoteApp will download: confirm if necessary.
Important: When the V Series is joined to an AD domain, a valid domain administrator account is required for logon.
Note: If the File menu is not visible, use the quick close button (boxed x).
The following sections provide details about remote connectivity features.
The Need to Knows sections in the feature descriptions below cover important details about configuration. They are organized as follows:
NPS provides basic RADIUS authentication, authorization, and accounting, or RADIUS proxy (connection request referral).
The following summary information is provided for reference.
Role Service: Network Policy Server
Feature: RSAT – Network Policy and Access Service Tools
Affected Appliance Features
NPS is required for Remote Desktop Gateway (RD Gateway). If RD Gateway is deployed, the NPS role is installed automatically as part of that feature setup.
Required Configuration After Installation
Configuration must be customized for an environment. Use the Network Policy Server link to open an RDP session in the browser to access RADIUS server/client configuration.
Remote Access with VPN configures DirectAccess (DA) on the V Series server. DirectAccess provides an automated, always-on secure connection for end user access to internal network resources in addition to manage-out functionality for remote domain-joined computers. Remote Access includes the option to enable a VPN that can be used for nonmanaged devices.
Role Service: DirectAccess and VPN (RAS)
Feature: RSAT – Remote Access Management Tools (GUI and Command-Line Tools, module for Windows PowerShell)
Feature: Group Policy Management
Feature: RAS Connection Manager Administration Kit (CMAK)
Deployments with nonmanaged remote devices will require the VPN option to be enabled.
Cannot be colocated with Web Application Proxy
Configuration must be customized for an environment; there are two options:
Web Application Proxy publishes access to internal web applications for external users. The V Series adds a portal to make accessing applications more convenient. It also leverages authentication, authorization, and SSO functionality. It is configured for deployments where ADFS runs on a separate server.
Role Service: Web Application Proxy
Web Application Proxy requires the Remote Access role to be installed.
Web Application Proxy is deployed when ADFS is intended to reside on a separate server from the E Series; information for that server will be used in Web Application Proxy configuration.
Remote Desktop Gateway (RD Gateway) provides access to internal resources for remote users. Access is through the Remote Desktop Connection (RDC) client and avoids the need for a VPN. User connections are encrypted, and authorization policies set standards for client access.
Important: RD Gateway requires NPS.
Role Services: Network Policy Server, Remote Desktop Gateway, RPC over HTTP Proxy
Features: RSAT – Network Policy and Access Service Tools, Remote Desktop Services Tools/Remote Desktop Gateway Tools
RD Gateway requires NPS, which will be installed at the same time unless NPS is already installed, in which case the installation process proceeds just for RD Gateway.
Configuration must be customized for an environment. Use the Remote Desktop Gateway link to open an RDP session to the Remote Desktop Gateway Manager Console in the browser.
Note: Firewall rules may need to be adjusted to allow traffic.
Remote Desktop Web Access (RD Web Access) provides streaming access to hosted applications. Windows 7 uses RemoteApp to start an RD Services session. Other devices can use a web browser to access them through Desktop Connection. RD Web Access also uses the RD Web Connection feature to let users access computers that have Remote Desktop enabled.
Role Service: RD Web Access
Rules for the external firewall must be adjusted to allow WMI traffic. See the topic Firewall Ports Reference for additional information about firewall configuration.
Work Folders uses an internal file server to host work files for anywhere access from supported computers and devices. Data is synced across devices over an Internet connection. This supports a bring your own device (BYOD) program without sacrificing control over data. Once synced, files can be worked on from anywhere and will be updated on the sync share when the device has Internet connectivity.
Important: Work Folders is supported for Windows 8.1/8.1 RT devices.
Work Folders provides options to:
Role Services: File Server, File Server Resource Manager, Work Folders
Feature: RSAT – File Server Resource Manager Tools
Configuration must be customized for an environment:
The wizard provides the steps to configure DirectAccess and VPN settings for the SecureAccess V Series Appliance. Instructions cover the steps common to most deployments, but again, an individual organization may require different or additional configuration.
General Information provides necessary details to complete configuration. The topic Additional Configuration Notes provides details about conditional configuration that applies to some deployments.
The following deployment notes provide information that qualifies setup processes to understand Remote Access configuration.
Information presented in the E Series setup instructions is based on the following:
Additional firewall configuration details are discussed in the topic Firewall Ports Reference.
The following items will be required to set up Remote Access. Plan ahead so that items are available when needed to complete configuration.
Additional Configuration Notes
The notes below discuss options that may apply to some deployments. They exceed the scope of these instructions, but may be helpful to consider when planning.
To help make the instructions clear, the following examples are used to identify components.
The setup wizard is a walk-through to configure components for Remote Access.
Access the screen through the web UI at SecureAccess|Features|Remote Access with VPN|Wizard.
Component Selection – select a Remote Access configuration option:
Note: DirectAccess should be enabled for managed clients, while VPN should be enabled to support unmanaged clients.
Configure both services DirectAccess and VPN
Note: While using an IP address is supported, the FQDN is a best practice.
For example: da.example.com
Important: Remote Access will create a WMI filter that will only allow mobile computers to join DirectAccess security groups. This setting requires that the administrator account configured for Remote Access have create/modify privileges.
Enter the start and end IP addresses to define the range.
Configure DirectAccess services only
Configure VPN services only
The wizard is complete when the congratulations screen displays. Depending on the configuration to be completed, this may take some time.
The base level setup for Remote Access options is now complete. Clients can now be configured to access resources.
The wizard provides the steps to configure Web Application Proxy (WAP) settings for the SecureAccess V Series Appliance. Instructions cover the steps common to most deployments, but again, an individual organization may require different or additional configuration.
General Information provides necessary details to complete configuration.
The following deployment notes provide information to understand Web Application Proxy configuration.
The following items will be required to set up the proxy. Plan ahead so that items are available when needed.
The setup wizard is a walk-through to configure components for proxy services.
Access the screen through the web UI at SecureAccess|Features|Web Application Proxy|Wizard.
For example: intexample\adminuser
Note: Entering the address creates the portal.
The base level setup for Web Application Proxy is now complete.
Reconfigure Web Application Proxy
The wizard provides the steps to configure Work Folders settings for the SecureAccess V Series Appliance. Instructions cover the steps common to most deployments, but again, an individual organization may require different or additional configuration.
The following deployment notes provide information to understand Work Folders configuration.
The following items will be required to set up the Work Folders service. Plan ahead so that items are available when needed to complete configuration.
Note: A certificate is required for each server hosting the Work Folders feature.
The notes below discuss options that can extend Work Folders functionality. They exceed the scope of these instructions, but will be helpful to consider when planning deployment.
Configure Security Group
The best practice is to use security groups to manage Work Folder access. Set up for security groups in AD is described briefly and requires familiarity with AD domain administration.
To Create a User Group
The setup wizard is a walk-through to assign a certificate to encrypt remote access to work files.
Access the screen through the web UI at SecureAccess|Features|Work Folders|Wizard.
Use the following instructions to import the SSL certificate for Work Folders.
The wizard is complete when the congratulations screen displays. Next, a sync share directory must be designated on the virtual appliance.
Required Configuration After Setup Wizard: Sync Share
Note: If the File menu is not visible, use the quick close button.
The base level setup that allows external access to work files is now complete. Supported clients can now be configured to access sync services.
If all features have been configured, save a copy of the system image in the hypervisor to preserve initial configuration.
Celestix recommends running the Windows backup utility (System|Backup) once configuration is complete to provide a remediation option for issues that may result from future system updates or changes.
The Software Update Service allows administrators to keep system software current through hotfixes, service packs, and upgrades. They are necessary for the security and proper functioning of the virtual appliance.
Access the update service through the web UI (System|Software Updates).
To find and install updates
Once applicable updates are installed, Celestix recommends checking for Windows updates (System|Windows Updates).
Thank you for choosing the SecureAccess V Series Appliance for your remote connectivity solution. This completes the setup and configuration steps for base-level deployment.
Email questions to firstname.lastname@example.org
The descriptions below explain components that are not required for a base level deployment, but may be necessary functionality for a given deployment.
Read-only access allows organizations to give limited access to the web UI for reviewing log data or connectivity statistics without allowing access to settings or advanced tools. For information about configuring the feature, see the online help (System|Read-Only Access).
SecureAccess is a remote access client application that provides automatic, always-on access to network resources and manage out functionality for Windows Home/Professional and Mac computers. For information about configuring the feature, see the online help (SecureAccess|Remote Access Dashboard|SecureAccess).
Use the port reference information below to plan for deploying the virtual appliance.
The ports in the section below are required for Comet or application functionality.
TCP ports 80 and 443 outbound for Celestix licensing
TCP port 443 inbound to connect
TCP port 8098 inbound and outbound for licensing and to download configuration files
The following reference information is provided here for convenience. It is based on Microsoft® TechNet articles for each of the technologies listed. Please see TechNet (https://technet.microsoft.com/) for the most current information.
Last update: 4/14/2016
DA (behind firewall unless otherwise stated)
Remote Desktop Web Access
For reference if WAP or the SSO Portal are deployed.
Celestix Networks, Inc
North America: 510 668.0700
EMEA: +44 (0)203 900 3737
Asia: +65 6958 0822
Japan: +81 3 5210 2991