Differences

This shows you the differences between two versions of the page.

netserver_installation_6.0.0 [2014/06/16 16:54]
ybarajas
netserver_installation_6.0.0 [2014/08/28 16:02] (current)
ybarajas [Firewall Rules]
Line 1: Line 1:
 +====== Installation ======
  
 +
 +This section contains instructions on how to install or upgrade NetServer. The following details are available:
 +
 +  * **[[netserver_installation_6.0.0&#preparation|Preparation]]**
 +  * **[[netserver_installation_6.0.0&#system_requirements|System Requirements]]**
 +  * **[[netserver_installation_6.0.0&#firewall_rules|Firewall Rules]]**
 +  * **[[netserver_installation_6.0.0&#installation_process|Installation Process]]**
 +  * **[[netserver_installation_6.0.0&#migration_tool|Migration Tool]]**
 +  * **[[netserver_installation_6.0.0&#rollback_procedure|Rollback Procedure]]**
 +  * **[[netserver_installation_6.0.0&#netserver_binding|NetServer Binding]]**
 +
 +
 +
 +===== Preparation =====
 +
 +
 +Before installing NetServer, you should have already installed your RADIUS AAA server or NAS, and configured and tested the appropriate databases to authenticate your own local users.
 +
 +
 +You should have the following information:
 +
 +
 +    * The IP address of the host on which you plan to install NetServer.  This should be the Public IP Address registered to your iPass account which will be used to connect to the iPass AAA fabric.  Your certificate cannot be validated until iPass places this IP address into our database.
 +    * The IP address, port numbers and secrets of RADIUS servers which forward requests to the netserver.
 +    * The iPass ISP Code given to your company when it signed up with iPass. If you do not have this code, please contact your iPass NetServer Installation Engineer.
 +    * Your username and password for the iPass FTP site where you will download the software. If you do not have these credentials, please contact your iPass NetServer Installation Engineer.
 +
 +
 +In addition, you should make sure that you have access to the following:
 +
 +
 +    * A Mail Transfer Agent (such as Sendmail) installed and configured to allow you to send the certificate request.
 +    * Root access on the NetServer host.
 +
 +===== System Requirements =====
 +
 +=== Host Requirements ===
 +
 +A host running NetServer 6.0.0 must meet these requirements:
 +
 +  * Pentium II processor (or equivalent RISC processor) 
 +  *512 MB RAM 
 +  *128 MB free RAM, 256 MB recommended 
 +  *256 MB permanent disk space, 500 MB recommended
 +
 +=== Installation Requirements ===
 +
 +The NetServer installation process requires these system resources: 
 +
 +  *60 MB temporary disk space 
 +  *SMTP services for transmitting the certificate request 
 +  *Enrollment requests can be sent using FTP if SMTP services are not available.
 +
 +=== Supported Platforms ===
 +
 +NetServer 6.0.0 is supported on following platforms:
 +
 +  *Linux RHEL 5.5 32-Bit
 +  *Linux RHEL 5.5 64-Bit
 +  *CentOS 5.7 32-Bit
 +  *CentOS 5.7 64-Bit
 +  *Ubuntu 12.04.2 LTS 32-Bit
 +  *Ubuntu 12.04.2 LTS 64-Bit
 +  *Solaris 10 Sparc 32-Bit
 +  *Solaris 10 Sparc 64-Bit 
 +
 +=== Interoperable RADIUS Servers ===
 +
 +
 +The list of RADIUS servers with which NetServer is interoperable includes, but is not limited to:
 +
 +  *FreeRADIUS (recommended)
 +  *RADIATOR (recommended) 
 +  *Cistron RADIUS 
 +  *DTC RADIUS, v2.02 and later
 +  *Interlink Networks Advanced Server (AAA)
 +  *FUNK Steel-Belted RADIUS v3.0 and later
 +  *Ascend Access Control (Extended RADIUS)
 +  *Ascend RADIUS 960112, 970224 
 +  *Vircom RADIUS 
 +  *Navis RADIUS 
 +  *Merit (Enterprise Editions only)
 +
 +=== Additional Operational Requirements ===
 +
 +Additional operational requirements include: 
 +
 +  * Connectivity to a primary RADIUS capable of proxying authentication and accounting packets.
 +  * Domain Name Server (DNS) installed and configured to work with the NetServer host.
 +  * Connectivity to the iPass Transaction Servers. The TCP/IP protocol is required to support the SSL-encrypted connection between the NetServer and the iPass Transaction Centers. 
 +  * Other processes, such as a firewall or authentication server, can be run on the platform concurrently with NetServer.
 +
 +===== Firewall Rules =====
 +
 +If NetServer 6.0.0 is installed behind a firewall or other network address translation device, you must enable the firewall rules shown in the following table. Notes at the end of the table give more information.
 +
 +^ Purpose ^ Inbound ^ Source IP(s) ^ Destination IP(s) ^ IP ^ Port^ Protocol^
 +| iPass Transaction Center auth-apac.ipass.com(Hong Kong,CN) |  |  | x | 216.239.98.126 | 9101 | TCP/IP |
 +| iPass Transaction Center auth-sjc.ipass.com(San Jose,CA) | |  | x | 216.239.108.126 | 9101 | TCP/IP |
 +| iPass Transaction Center auth7.ipass.com(Atlanta,US) | |  | x | 216.239.111.126 | 9101 | TCP/IP |
 +| iPass Transaction Center auth8.ipass.com(London,UK) | |  | x | 216.239.105.126 | 9101 | TCP/IP |
 +| iPass Transaction Center auth5.ipass.com(Santa Clara, US) | | | x | 216.239.99.126 | 9101 |TCP/IP|
 +
 +^ Purpose ^ Inbound ^ Outbound ^ Source IP(s) ^ Destination ^ Port ^ Protocol ^ Notes ^
 +| Monitoring | | x | | 216.239.99.200 | 1984 | TCP/IP | |
 +| Monitoring | x | | 216.239.99.200 | | 1984 | ICMP(ping) | |
 +| Monitoring | | x | | 216.239.100.200 | 1984 | TCP/IP | |
 +| Monitoring | x | | 216.239.100.200 | | 1984 | ICMP(ping) | |
 +| Configuration Upload Server | | x | | 216.239.111.209 216.239.111.200 | 9101 | TCP/IP | NetServer sends its configuration file on a regular basis to the Configuration Upload Servers. |
 +| Software Update Server | | x | | 216.239.99.209 216.239.99.200 | 9101 | TCP/IP | NetServer periodically checks for software updates on Update Server. |
 +|SSH access for troubleshooting and routine maintenance. | x | | 216.239.97.227 | | 22 | TCP/IP | SSH access from the iPass Operations Center should be allowed for troubleshooting and routine maintenance. |
 +
 +=== Supported RADIUS Attributes ===
 +
 +NetServer 6.0.0 supports the following RADIUS attributes:
 + 
 +  * All attributes form RFC 2865 and 2866
 +  * From RFC 2869: EAP-Message, Message-Authenticator, NAS-Port-Id
 +  * From RFC 4372: Chargeable-User-Identity (CUI)
 +  * From RFC 2546: ms-mppe-send-key, ms-mppe-recv-key
 +
 +//Graceful Forwarding//: NetServer authentication and accounting will drop attributes that are not listed in RFC 2865 and 2866, but packets are still forwarded.
 +
 +=== NetServer Default Ports ===
 +
 +  * SSL port=11811
 +  * Authorization port=11812(NetServer uses a different port than RADIUS)
 +  * Accounting port=11813
 +  * Proxy authorization port=11817
 +  * Proxy accounting port=11818
 +
 +===== Installation Process =====
 +
 +
 +The installation process consists of downloading the installation file and then installing the software.
 +
 +
 +=== Downloading ===
 +
 +
 +You will need to download NetServer installation file from our secure FTP site. Contact your iPass installation engineer for your FTP username and password.
 +
 +
 +**To download the NetServer installation file**:
 +
 +
 +  - At a command line, type: ftp [[ftp://ftp.ipass.com|ftp.ipass.com]] 
 +  - At the username prompt, type your FTP username.
 +  - At the password prompt, type your FTP password.
 +  - Type: cd NS/6.0.0
 +  - Type: bin
 +  - Type: get <correct version for your OS>
 +  - When the download is complete, type: bye.
 +
 +
 +<note important>Directory names and filenames are case-sensitive.</note>
 +
 +
 +=== Installing the Software ===
 +
 +
 +This guide uses the term <NS_Home> for the NetServer 6.0.0 installation directory. The default is /usr/ipass/netserver/current_version.
 +
 +
 +**To install the NetServer 6.0.0 directories:**
 +
 +
 +  - The iPass Products directory /usr/ipass should be created and owned by root or the appropriate "ipass" service account with sudoer permission.  If your partitioning scheme does not provide enough space for /usr/ipass, create a symbolic link for the /usr/ipass directory to the intended installation volume.
 +  - Copy the downloaded NS 6.0.0 installation file "netserver_6.0.0_<platform>.tar.gz" under '/usr/ipass/',where <platform> is the platform of your NetServer.
 +  - Type: cd /usr/ipass/ 
 +  - Type: gunzip netserver_6.0.0_<platform>.tar.gz to uncompress the installation file.
 +  - Type: tar -xvf netserver_6.0.0_<platform>.tar. By default, this will create a hierarchy in "/usr/ipass/netserver/6.0.0" with all the necessary directories and files. In order for NetServer to run correctly,you must keep the file hierarchy as it is installed.
 +  - Run ./create_link script from the directory path "/usr/ipass/netserver/6.0.0/.scripts" to create a softlink /usr/ipass/netserver/current_version -> /usr/ipass/netserver/6.0.0
 +  - Type: ipassconfig.csh -conf under /usr/ipass/netserver/current_version/bin to generate ipassNS.properties file. For detailed information regarding configuration, refer to [[netserver_configuration_6.0.0|Configuration]] section. Once configuration is complete, your NetServer is ready to be started.
 +  - Run init.sh script under /usr/ipass/netserver/current_vesrion/bin directory to create RC scripts.
 +  - Review the End User License Agreement from the file "<NS_Home>/license.txt".
 +===== Migration Tool =====
 +
 +
 +=== Migrating from NetServer 5.x to NetServer 6.0.0 ===
 +
 +If you are upgrading to NetServer 6.0.0 from version 5.x, the Migration Tool has to run manually post installation process. The Migration Tool will convert your old configuration file into the new ipassNS.properties adding newly added properties in 6.0.0, and copy certificates and keys from the old installation into KeyStores.
 +
 +===Manual Migration==== 
 +
 +  * Untar NetServer 6.0.0 build under /usr/ipass/ to create a hierarchy /usr/ipass/netserver/6.0.0
 +
 +
 +**1.** //Migrating from NetServer 5.x to 6.0.0//: Type ./ns_migration_tool.csh under
 +/usr/ipass/netserver/6.0.0/bin
 +
 +
 +For example, cd /usr/ipass/netserver/6.0.0/bin and run : ./ns_migration_tool.csh. It will prompt you for the path to migrate files from. Enter NS5.x path /usr/ipass/netserver/5.x. It should migrate ipassNS.properties file,certs and keys from 5.x version to 6.0.0 and it will add new attributes to ipassNS.properties as below:
 +
 +  * 'strip' flag is added for Routing Realms and for realms 'ipass' and 'ipasv' it is set to 'yes' by default and for other realms it is set to 'no' by default.
 +  * 'AdminKeyStoreProperty' is added to ipassNS.properties.
 +  * All .pem keystore files are migrated to .keystore extension
 +
 +
 +**2.** Once migration is done run create_link.sh script from the path "/usr/ipass/netserver/6.0.0/.scripts" to create soft link( It will create soft link under "/usr/ipass/netserver/current_version").
 +
 +**3.** Run init.sh script from /usr/ipass/netserver/current_version/bin to create RC scripts. 
 +
 +===The NetServerd Script=== 
 +
 +The script NetServerd is not included in the Migration Tool process, so command line options it contains will not be carried over to the new version of NetServer. This may trigger the following issues:
 +
 +
 +__Non-Default Ports__: The NetServer 6.0.0 Migration Tool assumes that your NetServer runs on the default port of 11811. If this is not the case, after you run the Migration Tool, you will need to edit the following attributes in the ipassNS.properties file:
 +      * Listener1=Type=RADIUS,Port=<port number>
 +      * Listener2=Type=RADIUSProxy,Port=<port number>
 +      * **Dual-Homed Hosts**: If NetServer 5.x runs on a dual-homed host, the Migration Tool may not bind NetServer to the correct IP address. You will need to check that the ipassNS.properties file reflects your correct IP address.
 +      * **Port Settings**: The migration tool will automatically migrate your previous port settings from NetServer 5.x to 6.0.0. 
 +===== Rollback Procedure =====
 +
 +
 +If you need to roll back your NetServer 6.0.0 installation to a previous 5.x version, follow the appropriate procedures listed here.
 +
 +
 +These instructions assume that NetServer 5.x is installed in /usr/ipass/netserver/5.x, and NetServer 6.0.0 is installed in /usr/ipass/netserver/current_version.
 +
 +
 +**To rollback NetServer 6.0.0:** 
 +
 +
 +  - If necessary, stop NetServer 6.0.0 as follows:
 +    * Type: cd /usr/ipass/netserver/current_version/bin
 +    * Type: ./netserverd stop
 +    * Check if the process stopped by typing: ps -auxwww | grep netserver
 +    * If the process did not die, execute: ./netserverd kill
 +    * Verify that the process stopped by typing: ps -auxwww | grep netserver
 +  - Change the softlink file /usr/ipass/netserver/current_version to point back to the previous NetServer directory /usr/ipass/netserver/<NS Version>, as follows:
 +    * cd to /usr/ipass/netserver/
 +    * rm current_version
 +    * ln –s /usr/ipass/netserver/5.x current_version
 +  - Start the old NetServer:
 +    * cd to /usr/ipass/netserver/<NS Version>/bin
 +    * run ./netserverd start
 +
 +
 +**Uninstalling NetServer 6.0.0** 
 +  *Type: cd /usr/ipass/netserver
 +  *Type: rm –rf 6.0.0
 +    
 +
 +===== NetServer Binding =====
 +
 +
 +To bind to a local IP for outgoing requests to the Transaction Servers, you need to configure the LocalIpAddress attribute of your IpassServers property:
 +
 +
 +**To view iPass Transaction Server information**, type: <NS_HOME>/bin>ipassconfig.csh -help IpassServer
 +
 +
 +**Sample format of**IpassServer:
 +
 +
 +IpassServer1 = name11=value11,name12=value12,…
 +
 +
 +IpassServer2 = name21=value21,name
 +
 +
 +See the [[netserver_ipassns._properties_6.0.0|Property Glossary]]  for more information on configuring this value.
 +
 +Go to: **[[dokuwiki_other|Other Product Documents]] > [[netserver_help_6.0.0|NetServer Admin Guide]]**
 +
 +{{tag>netserver installation requirements}}
 +
 +
 +\\
 
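Review bot: In the Rollback Procedure and Uninstalling steps, `ln –s /usr/ipass/netserver/5.x current_version` and `rm –rf 6.0.0` are typed with an en dash rather than an ASCII hyphen, so a reader who pastes them into a shell passes the options as file name operands and the commands fail; change them to `-s` and `-rf`. Other copy-paste hazards in the same revision: step 8 of Installing the Software points at `/usr/ipass/netserver/current_vesrion/bin` (should be current_version), and step 6 calls the link script ./create_link while Manual Migration calls it create_link.sh, so one of the two names is wrong. Under Supported RADIUS Attributes, ms-mppe-send-key and ms-mppe-recv-key are attributed to RFC 2546, but the MS-MPPE key attributes are defined in RFC 2548. In Firewall Rules, the first table has no Outbound column, so its x marks fall under "Destination IP(s)" and the direction of the Transaction Center rules is ambiguous; aligning its header with the second table would fix that. The two Monitoring ICMP rows also list port 1984, which does not apply to ICMP. Under The NetServerd Script, the "Port Settings" bullet says port settings are migrated automatically, while "Non-Default Ports" says the tool assumes port 11811 and needs a manual edit; the two statements should be reconciled, and the Dual-Homed Hosts and Port Settings bullets should not be nested under the Listener entries. The IpassServer2 sample line in NetServer Binding is cut off after "name", and the Manual Migration heading has unbalanced = markers. Finally, the Downloading steps fetch the archive over plain ftp with a username and password and the install steps then unpack it as root with no integrity check in between; if a checksum or signature for the archive is available, a verification step belongs before gunzip.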

©2015 iPass Inc. All rights reserved.