CacheGuard-OSUser's Guide - Version UF-2.0.2
Administration Interfaces
Three interfaces are available to configure/administrate the CacheGuard appliance:- The Console port
- The HTTPS interface (Web Administration)
- Secure Shell (SSH)
The Console port
The Console port is the main interface of the CacheGuard appliance. It is either the serial port (a male DB9) of the appliance or the connected screen and keyboard. To use the serial port, link up the serial ports of the appliance and your workstation using a crossed serial cable. Or you can use your favourite terminal emulator (Putty, minicom...) to connect the appliance and choose the following serial line configuration: 115200 8N1.The Console port is the most secure interface and some key operations like the shutting down process (halt) are only available via the Console port. Note that after the installation, the only available administration interface is the Console port. When giving administration access to a remote administrator for the first time, you should use the Console port (access admin).
An administrator must be authenticated before connecting to the system. The user "admin" is the main administrator. Other administrator users with fewer rights, may be added using the command "admin user". To login enter the administrator login name at the login prompt. By default the password for the "admin" user is "admin" or the password configured during the installation. Change the default password "admin" as soon as possible.
The administration/configuration process via a character interface (Console port or SSH) is made using online commands. To see the list of online commands type the command "help" without any argument. To have details about a specific command use the command "help" followed by a command name. If you forget the syntax of a command the completion facility may help you to find the right syntax. The completion is available by using the <TAB > keyboard touch.
When using a character interface (Console port or SSH) the administrator has the ability to create mini-programs using a light-weight "bash" (an open source scripting language). Finally, to consult the history of previously typed commands, use the command "history".
To disconnect from the Console port use the command "exit". The connection is also closed automatically if no command is executed after a timeout.
Web Interface
For those who are not familiar with a CLI (Command Line Interface) or prefer a GUI (Graphical User Interface), a Web administration GUI is available. To connect to the Web administration GUI you need a Web browser. CacheGuard supports modern browsers, which generally means everything except IE8 and older versions. The GUI is tested against Firefox, Safari, Chrome, Opera and IE11. Note that before connecting to the appliance via a Web browser, the appliance must be configured to accept such a connection.
The default administration network interface is the internal network interface (the external network interface is considered as non-secure by default and can't be used for remote administration). To remotely administrate the appliance, you must first apply an IP address to the internal network interface. The Web administration GUI uses the HTTPS protocol and the related administration service should be activated to administrate the appliance using this protocol (for security reasons, HTTP is not supported). The HTTPS administration service is activated by default. If for some reason this service is deactivated you can reactivate it using the command "admin https on". The complete procedure to activate this service is as follows:
- Login as "admin"
- Type the following commands:
- ip internal <internal-ip> <internal-mask>
- admin https on
- apply
- access admin add internal <admin-ip>
- apply
Now the appliance may be administrated using your favourite Web browser. To connect to the Web administration GUI use the following URL: "https://<hostname>.<domainname>:8090". Note that you must use HTTPS and not HTTP.
The couple <hostname>.<domainname> must be resolved to the appliance administration IP address in your network - By default, the administration IP address is the internal network interface IP address (or the IP address set up for the administration 802.1q pseudo device when the "vlan" mode is activated - See the command mode vlan).
The default Web administration GUI port number is 8090. To modify this value use the following commands:
- port wadmin <port-number>
- apply
For people whom security issues are vital, we do not recommend the Web administration GUI (even if the GUI is developed in respect to all known security precautions) . To deactivate the Web administration interface use the following commands:
- admin https off
- apply
Secure Shell (SSH)
Another remote administration interface is the Secure Shell (SSH). When logged in remotely via an SSH client, administrators have access to online commands to manage the appliance. For security reasons some key operations (like "halt") are not available via SSH. For those operations the administrator should use the Console port.To use the SSH administration interface you should use an SSH client installed on your workstation. All modern UNIX systems (AIX, RedHat, Solaris...) integrate SSH clients. Under MS Windows systems we suggest the program "putty.exe".
- access admin add internal <admin-ip>
- apply
Now the appliance may be administrated via an SSH client. To connect to a remote appliance under a UNIX system, type "ssh admin@<cacheguard-internal-ip>". Remember that by default only the internal network interface can be used to remotely administrate the appliance. The user "admin" is the main administrator of the appliance. Other administrators with fewer rights, can be created using the command "admin user".
After connecting to the appliance, the administrator must enter a password to login to the system. The SSH password is the same as the Console port password.
An administrator may install his own SSH Keys on the appliance. When an SSH key related to an account and a remote machine is installed, the password is no longer required to login or remotely execute a command. This way, some periodic tasks could be executed automatically in batch mode without the need of entering manually a password. For instance consider the command ssh admin@172.18.2.10 "log save access 1 tftp 172.18.2.1 access.log.save". This command saves the latest access log from the appliance identified by the 172.18.2.10 IP address to the TFTP file server identified by the 172.18.2.1 IP address. When invoking this command, if an SSH key is installed for the remote administrator then a password will not be required.
The process of generating SSH keys depends on the remote system. For instance to generate an SSH key under a Linux system the usual command is "ssh-keygen". Under MS Windows systems we suggest the "puttygen.exe" program. These commands generate a couple of private and public SSH Keys. The public key should be copied on a file server (FTP, TFTP...). Only trusted file servers are allowed to exchange files with the appliance. To add an IP address to the list of trusted file servers type the following commands:
- access file add internal <file-server-ip>
- apply
- admin ssh key add tftp <file-server-ip> <sshkey-file-name>
When managing several remote appliances, there is a utility to identify each appliance by its hostname. To define a hostname use the command "hostname". The hostname is displayed in the prompt when logged in via SSH or the Console port. It is also displayed on the top title of the Web administration GUI.
The SSH interface offers almost the same possibilities offered by the Console port. Only some commands like "halt" are not available. See the section "Console port" for more information.
To disconnect an SSH session use the command "exit". The connection is also closed automatically if no command is executed after a timeout.