Location Tab

The Location tab captures basic information regarding your new site.

Identity and Location

This section captures information regarding the name and physical location of your new site.

Location Name: Enter the alphanumeric identifier for the Location that you are creating. This name must be unique within your domain. This name cannot be changed once you complete this form, so choose carefully. This will be the name used at all times to identify this Location, and will be assigned as the actual computer name of the Corente Services Gateway when it is booted with the configuration file that you are currently preparing. If you choose a name that is a valid NetBIOS name (i.e., 15 characters or less), users can connect to the Location to access remote computers on the domain using this name instead of the IP address.

Street Address: Enter the street address of the new Location that you are creating. This address can be up to 100 alphanumeric characters.

City: Enter the name of the city where this Location will be located. You may use up to 30 alphanumeric characters for this field.

State/Province: Select the appropriate state or province from the pull down list provided.

Postal Code: If applicable, enter the 5 digit U.S. postal code for the location of this Location. The initial placement of your Location icon on the U.S. map will be determined by this zip code. If you do not enter a valid code in this field, the icon will be placed in the upper right hand corner of the map.

Country: Select the appropriate country from the pull down list provided.

Time Zone: Select the appropriate time zone for the Location from the pull down list provided.

Maintenance

This section captures information regarding the upgrade preferences for this Location.

Require Administrator approval to enable Partner connections: By checking the box, you will require that the Corente Services Gateway is approved by an administrator before it is fully operational. When this option is selected for a new Corente Services Gateway and the configuration file for the Corente Services Gateway is downloaded, the new Location gateway is active but unable to connect to any of its partners. However, it is in communication with the Corente SCP while it waits for approval, so that connection to its partners can begin immediately following approval. The gateway icon is marked with a black triangle to signify that approval is required.

To approve the Corente Services Gateway, an administrator must right-click the Corente Services Gateway's icon in App Net Manager and select Approve Partner Connections. The Approve Partner Connections window will be displayed. Enter your login password and click Approve to approve the connections. Approval will be required again if the configuration is ever regenerated and re-downloaded. By leaving the box unchecked, the Corente Services Gateway will become operational and connect to its partners immediately following configuration download.

Automatic reboot after maintenance: Leave this box selected if you would like your Corente Services Gateway to automatically reboot after maintenance has been performed. If this box is selected, be aware that a reboot will pause your network connections until the operation is complete. If you unselect this box and your software has been upgraded, you will have to manually reboot the Corente Services Gateway in order for the machine to switch to the upgraded software. By default, this option is selected.

Preferred maintenance time: Upgrades to new versions of the Corente Services Gateway software will occasionally be downloaded automatically to your Location gateway from the Corente SCP. Select a day of the week and an hour when your network is least busy so that it can be interrupted for these upgrades safely, without harm to your business.

Remote Logging

This section allows you to specify a server that will capture log messages from the Corente Services Gateway. These options require the logging server to be configured appropriately to accept a syslog feed.

System Logging: Select this option to send all system log messages to an external server. The system log is normally recorded on the Corente Services Gateway itself. However, when this option is selected, the Location gateway will track and send all firewall log events to be recorded on the logging server that you specify. This is a traditional firewall log; a message is sent whenever a packet is denied from passing through the Corente Services Gateway. When this option is selected, the Logging Server Address field must be filled in.

Logging Server Address: When system logging is selected, enter the IP address of the logging server in this field. All log messages will be sent to this server.

Redundant Hardware Configuration

This section captures your preferences if you would like to provide redundant hardware for this Corente Services Gateway configuration. Hardware redundancy provides a site with a backup domain connection to use in the event of a hardware or software failure of the site's active Corente Services Gateway. To provide backup, two servers loaded with the Corente Services Gateway software are installed on the LAN. These servers function as a single entity, each alternating between serving as the Active Location gateway and the Standby Corente Services Gateway. You will not be able to choose which Corente Services Gateway is Active and which is Standby; this is negotiated between the pair.

Redundant hardware requires each participating Corente Services Gateway server to have an additional, dedicated Ethernet interface. (This means that Corente Services Gateways using the Peer configuration must have at least two Ethernet cards, and gateways using the Inline configuration must have at least three Ethernet cards.) The two gateways will be connected via these Ethernet interfaces. You can do this using either a VLAN on a router or a dedicated hub. The Ethernet interfaces for the two Location gateways will be on their own subnet (1.1.1.1/30).

The Active and Standby Corente Services Gateways require only one configuration file to be used between them. The Location gateways must both be connected to the LAN and to the same Internet Access Device, and share a set of IP address(es) and MAC address(es) for their LAN and WAN (or LAN/WAN) interface(s). The configuration file must be manually installed on the first Corente Services Gateway. Make sure a monitor/keyboard is connected to this server. Also ensure that the router or hub to which the two Location gateways will connect is turned on. When the first Corente Services Gateway reboots, the installation interface will ask to identify the MAC address of the backchannel port being used for redundant hardware:

"This is to configure the backchannel network interface port for the hardware
failover. Now please disconnect all network cables to this gateway machine.
Identify the network port that is dedicated to the hardware failover. Using a cable,
connect the dedicated port to a hub, switch, or an active network device. Make sure
you see the 'link' light of the network port is on. Select 'Continue' to continue with
the Backchannel Configuration." 

After following these directions, make sure both servers are connected to the LAN, hub or router, and have access to the Internet. Next, the software should be loaded onto the second server. Make sure a monitor/keyboard is connected to this server. This server will reboot, and the Failover Configuration option must be selected on the installation interface. The configuration will then load onto the second server, and the installation interface will ask to identify the MAC address for this server as well.

Note

If you have enabled the Dual WAN feature on the Network tab, you will be unable to enable hardware failover.

When a software upgrade occurs (during the maintenance window that you scheduled above), the Corente Services Gateway hardware that is currently Active will be upgraded first. Once the upgrade has completed, the hardware will alternate and the Standby Location gateway will become Active so that it can be upgraded as well. This may cause multiple upgrade and tunnel up/tunnel down alerts, because the Corente Services Gateway that is upgraded first will attempt to re-establish its tunnels before the hardware switch occurs. Before it becomes the Standby Corente Services Gateway, it will bring the tunnels down again. Once the second Corente Services Gateway has completed the upgrade, it will establish the tunnels and remain as the Active Corente Services Gateway until the next hardware switch occurs.

Enable Redundant Hardware configuration: Select this option to enable hardware redundancy. If this option has been enabled, the following additional options will be available:

Enable scheduled hardware switch during weekly maintenance window: Select this option if you would like the Corente Services Gateways to rotate weekly between which Corente Services Gateway is designated as the Active and which as the Standby, so that each piece of hardware can be regularly confirmed to be functioning correctly. This switchover will occur during the weekly Preferred maintenance time that you specified above.

The following settings allow you to specify the timing of the failover intervals:

Redundant Hardware Keep-Alive Interval (seconds): The interval of time between each "heartbeat packet" that is sent by the Standby Corente Services Gateway to the Active Corente Services Gateway to make sure that the Active Corente Services Gateway is still functioning. The default is 60 seconds, with a maximum of 600 seconds.

Failover Interval after loss of Keep-Alive (seconds): The period of time that the Standby Corente Services Gateway will wait to initiate failover if the Active Corente Services Gateway has not responded to its "heartbeat" packet. This value must be at least twice the Redundant Hardware Keep-Alive Interval; therefore, the default is 120 seconds, with a maximum of 1200 seconds.

Every 10 attempts, the Redundant Hardware Keep-Alive Interval will be doubled, maxing out at 600 seconds. If this makes the interval longer than the Failover Interval after loss of Keep-Alive, then that interval will be doubled as well, maxing out at 1200 seconds. Upon success (or a restart after a failover), both intervals will revert back to the initial configured time.
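The following model of the two timers is an added illustration, not Corente code. It checks a configured pair against the limits above and traces how the doubling rule changes both intervals. It assumes an "attempt" is one keep-alive and that the doubling takes effect after every tenth one; the function names are hypothetical.

```python
# Added illustration, not Corente code. Limits and defaults are from the text above.
KEEPALIVE_MAX = 600   # seconds
FAILOVER_MAX = 1200   # seconds


def validate(keepalive, failover):
    """Return a list of problems with a configured interval pair."""
    problems = []
    # Assumption: the lower bound of 1 second is not stated on the page.
    if not 0 < keepalive <= KEEPALIVE_MAX:
        problems.append(f"keep-alive {keepalive}s outside 1..{KEEPALIVE_MAX}s")
    if not 0 < failover <= FAILOVER_MAX:
        problems.append(f"failover {failover}s outside 1..{FAILOVER_MAX}s")
    if failover < 2 * keepalive:
        problems.append("failover interval is less than twice the keep-alive")
    return problems


def backoff_schedule(keepalive, failover, attempts):
    """Return (attempt, keepalive, failover) in effect for each attempt.

    Assumption: both timers are re-evaluated after every 10th attempt.
    """
    rows = []
    ka, fo = keepalive, failover
    for n in range(1, attempts + 1):
        rows.append((n, ka, fo))
        if n % 10 == 0:
            ka = min(ka * 2, KEEPALIVE_MAX)
            if ka > fo:                      # keep-alive overtook the failover timer
                fo = min(fo * 2, FAILOVER_MAX)
    return rows


def steps(rows):
    """Collapse the schedule to the attempts where either timer changes."""
    out = []
    for n, ka, fo in rows:
        if not out or out[-1][1:] != (ka, fo):
            out.append((n, ka, fo))
    return out


if __name__ == "__main__":
    assert validate(60, 120) == []
    for n, ka, fo in steps(backoff_schedule(60, 120, 60)):
        print(f"from attempt {n:2d}: keep-alive {ka:3d}s, failover {fo:4d}s")
```

In this model the default 60/120 pair settles at 600/960 seconds from the 41st attempt onward, so the failover interval never reaches its 1200-second cap.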

Cloud Failover

The Cloud Failover section is available if you use a supported third-party VPN device configuration and applies only in the Oracle Public Cloud environment.

Failover Location Address: Specifies the LAN IP address of the Corente Services Gateway you plan to use as a failover location. In the event that the IPSec tunnel to the third-party device becomes unavailable, the Corente Services Gateway forwards packets to the failover location. The failover occurs within 30 seconds.

The following diagram illustrates the cloud failover configuration:

[Diagram: cloud failover configuration]

The preceding diagram shows two Corente Services Gateways that reside on the Oracle Public Cloud network and two third-party VPN devices that reside on the customer network. You configure the Corente Services Gateways and the third-party VPN devices on the same domain in App Net Manager. The two Corente Services Gateways are not partners. You partner each Corente Services Gateway with one of the third-party VPN devices.

In a cloud failover configuration, Corente Services Gateways:

  • Must have an inline configuration.

  • Must have the same LAN configuration, although the Corente Services Gateways do have different LAN IP addresses.

  • Must have the same User Group configuration.

You must enable dead peer detection (DPD) for the third-party VPN devices and ensure that they have the same subnet configuration.

Zero Touch Configuration

This section captures your preferences for Zero Touch Installation, which allows you to install a new Corente Services Gateway simply by placing a server loaded with the gateway software on the network and turning it on. When installing a new Location gateway, the configuration file is downloaded upon the first reboot after software installation. If there is no configuration file found on a floppy, a USB, or on the hard drive, the new Corente Services Gateway will attempt to acquire a dynamic IP address via DHCP.

To utilize Zero Touch Installation, the Corente Services Gateway must be able to connect to the Internet, and the DNS server must be able to resolve www.corente.com to the Corente SCP. Communication between the new Corente Services Gateway and the Corente SCP is secured using the HTTPS protocol.

Zero Touch Installation cannot be used when the following IP addressing options are used for the WAN (Inline configuration) or WAN/LAN (Peer configuration) interfaces of the Location gateway:

  • Static IP address

  • PPPoE

  • Proxy Server

Note

These options may be used for normal operation of the Location gateway; however, they cannot be used to download the configuration via Zero Touch Installation.

Fill out the fields as follows:

Enable Zero Touch Configuration: Select this option to enable Zero Touch Configuration.

Unique Identifier: Enter the unique identifier for the Corente Services Gateway server. You need only enter one unique identifier: either a service tag or a MAC address of one of the Corente Services Gateway's Ethernet interfaces. The software reads the service tag and all MAC addresses from the Corente Services Gateway server and passes all of them to Corente SCP, which then matches the identifier with the appropriate configuration file.

Notes

This field allows you to save notes about this Location that can be viewed by other administrators of the domain. You can enter up to 250 characters.

Advanced Performance Tuning

You can disable the options in this section to improve the throughput of the gateway by suppressing potentially compute-intensive side processes.

Enable Probe Monitoring (Security): Select this option to enable the Location gateway to determine if hostile network probing is occurring through the network. When deselected, probe monitoring is disabled and notifications will not be sent.

Enable Report Data Collection: Select this option to enable the collection of data for reports and graphs, such as bandwidth reports. When deselected, the gateway does not collect and present this data in App Net Manager.

Enable Compression: Select this option to enable compression for IPSec connections. Turning compression off on high-speed links results in better throughput performance. By default, compression is disabled for a new Location.