Deploying Virtual Cyberoam Appliance in the Amazon Cloud Version 10




Deploying Virtual Cyberoam Appliance in the Amazon Cloud Version 10 Document version 1.0 10.6.2.378-13/03/2015

Important Notice

Cyberoam Technologies Pvt. Ltd. has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Cyberoam Technologies Pvt. Ltd. assumes no responsibility for any errors that may appear in this document. Cyberoam Technologies Pvt. Ltd. reserves the right, without notice to make changes in product design or specifications. Information is subject to change without notice.

USER'S LICENSE

Use of this product and document is subject to acceptance of the terms and conditions of Cyberoam End User License Agreement (EULA) and Warranty Policy for Cyberoam Network Security Appliances. You will find the copy of the EULA at http://www.cyberoam.com/documents/eula.html and the Warranty Policy for Cyberoam Network Security Appliances at http://kb.cyberoam.com.

RESTRICTED RIGHTS

Copyright 1999-2014 Cyberoam Technologies Pvt. Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of Cyberoam Technologies Pvt. Ltd.

Corporate Headquarters
Cyberoam House, Saigulshan Complex, Opp. Sanskruti, Beside White House, Panchwati Cross Road, Ahmedabad - 380006, GUJARAT, INDIA.
Tel: +91-79-66216666
Fax: +91-79-26407640
Web site: www.cyberoam.com

Technical Support

You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to Customer care/service department at the following address:

Corporate Headquarters
Cyberoam House, Saigulshan Complex, Opp. Sanskruti, Beside White House, Panchwati Cross Road, Ahmedabad - 380006, GUJARAT, INDIA.
Tel: +91-79-66216666
Fax: +91-79-26407640
Web site: www.cyberoam.com

Cyberoam contact:
Technical support (Corporate Office): +91-79-66065777
Email: support@cyberoam.com
Web site: www.cyberoam.com

Visit www.cyberoam.com for the regional and latest contact information.

Contents

Deploying Virtual Cyberoam Appliance in the Amazon Cloud
  Feature Overview
  Base Configuration
Installation Steps
  Step 1. Choose Cyberoam AMI
  Step 2. Launching the Cyberoam AMI
    Step 2.1. Choose Instance Type
    Step 2.2. Configure Instance Details
    Step 2.3. Configure Instance Details (Part 2)
    Step 2.4. Add Storage Details
    Step 2.5. Tag Instance
    Step 2.6. Configure Security Group
    Step 2.7. Launch Status
    Step 2.8. View Launched Instance
  Step 3. Allocate Elastic IP to Amazon Virtual Cyberoam Instance and Register Appliance
    Step 3.1. Allocate Elastic IP Address
    Step 3.2. Register Appliance
    Step 3.3. Appliance defaults
Migrating to Higher Instance

Deploying Virtual Cyberoam Appliance in the Amazon Cloud

Welcome to the Virtual Cyberoam Appliance in the Amazon Cloud deployment guide. This guide describes the installation instructions for launching a Cyberoam AMI (Amazon Machine Image) Instance on Amazon Web Services (AWS).

Feature Overview

Cyberoam Virtual Appliance for Amazon Web Services delivers a secure cloud computing platform that enables customers to deploy multilayer security in the cloud. By extending its security technology to Amazon's cloud, it protects assets in the cloud from attacks. Cyberoam satisfies an organization's cloud security needs with flexible and manageable security features like the Firewall, IPS, Application Control and Anti Virus, which protect services in the public cloud from unauthorized access and attacks. It also helps enforce a consistent security policy across the organization by protecting data between the corporate network and Amazon Virtual Private Cloud, and inspects data entering and leaving the private subnet in the Amazon VPC.

A Virtual Cyberoam Instance can be launched on Amazon Web Services by using an Amazon Machine Image (AMI). An AMI is a specific type of virtual appliance that is used to create a virtual machine within the Amazon Elastic Compute Cloud (EC2) in the form of an Instance. You can launch a Cyberoam Instance once you have created your own Virtual Private Cloud (VPC) on Amazon Web Services (AWS). Once an Instance is launched, your Virtual Cyberoam appliance is allocated an Elastic IP through which you can access the Cyberoam Web Admin console. Your entire appliance memory is migrated to the Amazon Servers and is entirely virtualized.

Cyberoam is available at the AWS Market Place. The Cyberoam Network Security product can be used as a stand-alone AMI or as part of the VPC. Cyberoam offers BYOL and Hourly Licensing options for its Network Security product on the AWS Market Place. After selecting the product and license, the Cyberoam Network Security instance can be launched as a standalone EC2 Instance or into a VPC (if already configured).

Base Configuration

Prerequisite for Storage sizes:
- Root: 4 GiB
- EBS: 80 GiB

Prerequisite for Network Interfaces: You need to configure at least 2 (two) Network Interfaces to launch an Instance.

Installation Steps

Pre-requisites to Installation:
- Amazon Web Service (AWS) account.
- Cyberoam AWS licenses. (You can also get a free 30 day evaluation license, with the option to buy at the end of the evaluation period, with the Cyberoam Network Security (BYOL) product.)

Step 1. Choose Cyberoam AMI

Log on to the AWS Management console using your AWS account on console.aws.amazon.com.

Screen: AWS Console Login Screen

The AWS home screen is displayed after logging on. Go to EC2 Console > Instances and click on Launch Instance.

From the left sidebar-menu, select AWS Market Place and search for Cyberoam. Click to select from the available Cyberoam products:

1. Cyberoam Network Security
   Cyberoam Network Security Pay As You Go (PAYG) is a pre-licensed solution with all security modules subscribed. The usage charges are applied hourly.
2. Cyberoam Network Security (BYOL)
   Cyberoam Network Security (BYOL) offers a security solution with Trial Subscriptions of security modules. For further use, you can purchase licenses/module-subscriptions from your existing channel partners or the Cyberoam website.

Review the product description and click Continue.

Note: The Cyberoam AMI can also be searched directly from the AWS Market Place homepage. After selecting the required AMI, log on using your AWS account to continue with the selection and launch the Cyberoam AMI.

Step 2. Launching the Cyberoam AMI

To launch the AMI, Amazon provides the following two options:
a. 1-Click Launch
b. Manual Launch

a. 1-Click Launch

1-Click Launch is typically used to quickly get the AMI running. You can use 1-Click Launch if you have all the details of the AMI. For 1-Click Launch, the following details must be verified/specified before the AMI can be launched (refer to the on-screen instructions for specifying the details):
- Software Pricing
- Version
- Region
- VPC Settings
- EC2 Instance Type
- Key Pair

After specifying the details above, click Launch with 1-Click to continue and complete the launch Instance wizard. You will be redirected to Step-2 of the launch Instance wizard.

b. Manual Launch

You can use Manual Launch to configure the Instance launch options manually (including VPC configuration). Specify/review the following details and click Launch with EC2 console to start the Instance launch wizard:
- Software Pricing
- Select a Version

Configuring VPC Settings

You can configure your Amazon Virtual Cyberoam Interface either on the default VPC given by Amazon, or by creating your custom VPC. Follow the steps mentioned below to configure a custom VPC:

Step 1. Go to AWS Dashboard and select Networking > VPC.
Step 2. Select Your VPCs, under Virtual Private Cloud.
Step 3. Click Create VPC to configure a custom VPC dedicated to your AWS account.
Step 4. Select Subnet and click Create Subnet to configure the LAN/WAN subnets based on your requirement.
Step 5. Select Route Table and click Create Route Table to define required routes.
Step 6. Create and Associate Elastic IP Address
- Select Elastic IP and click on Allocate New Address.
- In the Network platform list, select EC2-VPC, and then click Yes, Allocate.
- Select the Elastic IP address from the list and click Associate Address.
- In the Associate Address dialog box, select Instance or Network Interface from the Associate with list, and then either the Instance or network interface ID. Then click Yes, Associate.

You can also refer to the detailed Amazon VPC Help to know how to configure a customized VPC for your network.

Step 2.1. Choose Instance Type

Click on the first option next to Filter by: and select the Instance Type from the filtered list. Cyberoam supports all 64bit Para Virtualized (PV) Instances except t1.micro.

Screen: Choose Instance Type

Step 2.2. Configure Instance Details

Click the Next: Configure Instance Details button. Configure Instance Details based on your VPC Network and preferences. Click the Next: Add Storage button.

Screen: Configure Instance Details

Step 2.3. Configure Instance Details (Part 2)

Based on your requirement, select the Tenancy for your Instance. For example, a dedicated Instance runs on dedicated hardware and an Instance with Shared Tenancy runs on shared hardware.

Under Network Interfaces, configure the Interface details of your Virtual Cyberoam.

Note: Your VPC Network Interfaces will by default be mapped to your Appliance as:
- eth0 - LAN
- eth1 - WAN

In case your Instance has more than two network interfaces, you can add new network interface(s) manually after your Instance is launched in the following manner:
1. Stop your Instance, add Network Interface(s) to it and restart your Instance.
2. Add Network Interface(s) to your Instance without stopping it. The new interface(s) will only be added on Instance reboot.

None of your existing configuration will be altered on addition of Network Interface(s).

Screen: Configure Instance Details (Part 2)

Step 2.4. Add Storage Details

Click the Next: Add Storage button. Configure the Storage Device settings for your Instance. You can select the Volume Type details.

Default Storage size:
- Root: 4 GiB
- EBS: 80 GiB

Screen: Add Storage Details

Note: Value(s) greater than the default size will not be considered for your Instance.

Step 2.5. Tag Instance

Click the Next: Tag Instance button. You may Tag your Instance for identification purposes. The created Tag appears on the same page as a list.

Screen: Tag Instance

Step 2.6. Configure Security Group

Click the Next: Configure Security Group button.

Amazon by default has your VPC behind a Network Security Device in the form of the Virtual Cyberoam Appliance. If you want additional security, you can configure a Security Group for your Instance. Click here to learn more about security groups. The default Security group follows the Allow All Traffic policy.

Screen: Configure Security Group

Step 2.7. Launch Status

Click the Next: Review and Launch button. This page displays the launch status of your Instance and also gives you links to some important resources that will help you maneuver through AWS with ease. To view your launched Instance, click the Next: View Instances button.

Screen: Launch Status

Step 2.8. View Launched Instance

You are navigated to the Instances > Instances page. All the Instance details along with its Tag are displayed on this page.

Screen: Instance Details

Note: At any step you can click:
- Cancel: Abort Instance launch process.
- Previous: To go to the previous configuration step.
- Review and Launch: Move directly to step 2.7.

Step 3. Allocate Elastic IP to Amazon Virtual Cyberoam Instance and Register Appliance

Step 3.1. Allocate Elastic IP Address

Your Cyberoam Amazon Virtual machine Instance needs to be allocated with an Elastic IP Address for the AWS, so that you can access Cyberoam over the Web Admin Console. Click here to know how to allocate an Elastic IP address to your Instance.

Step 3.2. Register Appliance

Use the Elastic IP allocated to you to access your Cyberoam Virtual Appliance via a secure connection and login by entering your credentials in the below screen:

Screen: Cyberoam Amazon Virtual Machine Login

On first time login, you will be prompted to register your Virtual Appliance.

Screen: Register Appliance

You need to register your Virtual Cyberoam Appliance before you can access its features. Browse to http://customer.cyberoam.com. Click here to know more about Cyberoam Appliance registration process.

Once your Virtual Cyberoam Appliance is registered, click the Synchronize button in the above screen. In case your Appliance is not synchronized automatically, you will be prompted with the following screen.

Screen: Activate Appliance

Follow the steps displayed in the screen to activate your Appliance. You can now access the Virtual Cyberoam Appliance via the web admin console through the Elastic IP allocated to your Appliance.

Step 3.3. Appliance defaults

Subscriptions

The Appliance default services vary based on the product you have subscribed to.

The Cyberoam Network Security PAYG option offers the following subscriptions, which are preregistered with your appliance:
- Web and Application Filter
- IPS
- Gateway Anti Virus
- Gateway Anti Spam
- 24 x 7 Support
- WAF

The Cyberoam Network Security (BYOL) option offers only Trial Subscriptions for the subscription modules (Web and Application Filter, IPS, Gateway Anti Virus/Anti Spam, 24 X 7 Support, WAF). To use the required subscription modules, you must purchase and synchronize your licenses.

Appliance Access

Your Cyberoam Amazon Virtual machine LAN and WAN Interfaces will be bound to the eth Interfaces as defined in the Network created by you on your VPC. Go to Network > Interface > Interface to view the Appliance Interface information.

Screen: Default Interface Information

When Cyberoam is connected and powered up for the first time, it will have a default Access configuration. Go to System > Administration > Appliance Access to view the Appliance Access information.

Screen: Default Appliance Access Information

The following are the accessible Services:

Admin Services
HTTP (TCP port 80), HTTPS (TCP port 443), Telnet (TCP port 23) and SSH (TCP port 22) services will be enabled for administrative functions in LAN zone. HTTPS (TCP port 443) services will be enabled for administrative functions in WAN zone.

Authentication Services
Windows/Linux Client (UDP port 6060), Captive portal Authentication (TCP port 8090) and NTLM will be enabled for User Authentication Services in LAN zone. User Authentication Services are not required for any of the Administrative functions but are required to apply user based internet surfing, bandwidth, and data transfer restrictions.

Network Services
Ping/Ping6 and DNS services will be enabled for LAN zone.

Other Services
Web Proxy service will be enabled for LAN zone. SSL VPN (TCP port 8443) service will be enabled for LAN and WAN zone.

Two default LAN to WAN IPv4 Firewall Rules are created on Appliance activation. Go to Firewall > Rule > IPv4 Rule to view the Firewall Rule configuration.

Screen: Default Firewall Rule Information

Virtual Cyberoam on Amazon does not support the following Cyberoam features:
- DHCP Server and Relay
- VLAN
- Bridge Interface
- High Availability
- LAG

Migrating to Higher Instance

You can migrate to a higher 64 bit Instance in the following manner:

Step 1. (To be executed on the 32-bit Cyberoam Appliance) Take a backup of the existing 32 bit configuration. To take a backup, go to System > Maintenance > Backup & Restore and click Backup Now in the Backup Restore section.

Step 2. (To be executed on the Amazon Web Services cloud) Launch the higher 64 bit Instance. This is shown in the Installation Steps section.

Step 3. Restore the backup of the 32 bit configuration on the higher 64 bit Virtual Cyberoam Instance running on the Amazon cloud. You can restore a backup Instance on Cyberoam from System > Maintenance > Backup & Restore. Click Browse and select the backup file to be uploaded.

Note: Do not configure any Network Interface before restoring your backup. Since 32bit Instances support 2 interfaces, you will have to manually configure the remaining interface(s) if your 64bit Instance supports more than two network interfaces.
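
The default security group in Step 2.6 allows all traffic, while the Appliance Access defaults in Step 3.3 enable Telnet, HTTP, SSH and the authentication services for the LAN zone only. The following is an added example, not part of the Cyberoam guide: it checks one security group, in the JSON shape printed by aws ec2 describe-security-groups, for rules that open those services to any source. The group IDs and address ranges are constructed sample values, and the HIGH/REVIEW labels are this example's own convention.

```python
import ipaddress

# Default services from the guide's "Appliance Access" list, keyed by (protocol, port).
LAN_ZONE_ONLY = {
    ("tcp", 80): "HTTP admin",
    ("tcp", 23): "Telnet admin",
    ("tcp", 22): "SSH admin",
    ("udp", 6060): "Windows/Linux client authentication",
    ("tcp", 8090): "Captive portal authentication",
}
WAN_ZONE = {
    ("tcp", 443): "HTTPS admin",
    ("tcp", 8443): "SSL VPN",
}


def open_to_any(perm):
    """Return the source CIDRs in one rule that cover the whole address space."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def audit_security_group(group):
    """Return sorted (severity, finding) tuples for one security group.

    `group` has the shape of one "SecurityGroups" entry in the JSON output
    of `aws ec2 describe-security-groups`.
    """
    findings = set()
    for perm in group.get("IpPermissions", []):
        sources = open_to_any(perm)
        if not sources:
            continue  # rule is already limited to specific source ranges
        proto = perm.get("IpProtocol")
        src = ", ".join(sources)
        if proto == "-1":  # "-1" means every protocol and every port
            findings.add(("HIGH", f"all traffic allowed from {src}"))
            continue
        low, high = perm.get("FromPort"), perm.get("ToPort")
        if proto not in ("tcp", "udp") or low is None or high is None:
            continue
        # Services the guide enables for the LAN zone should not face any source.
        for (p, port), name in LAN_ZONE_ONLY.items():
            if p == proto and low <= port <= high:
                findings.add(("HIGH", f"{name} ({p}/{port}) reachable from {src}"))
        # WAN-zone services are expected, but are worth a source-range review.
        for (p, port), name in WAN_ZONE.items():
            if p == proto and low <= port <= high:
                findings.add(("REVIEW", f"{name} ({p}/{port}) reachable from {src}"))
    return sorted(findings)


# Constructed sample input: one group mirroring the "Allow All Traffic" default,
# one mixed group. IDs are placeholders; 203.0.113.0/24 is a documentation range.
ALLOW_ALL = {"GroupId": "sg-EXAMPLE-default", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
MIXED = {"GroupId": "sg-EXAMPLE-mixed", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}

if __name__ == "__main__":
    for g in (ALLOW_ALL, MIXED):
        print(g["GroupId"])
        for severity, finding in audit_security_group(g):
            print(f"  [{severity}] {finding}")
```

A HIGH finding means the security group adds no filtering in front of a service the guide enables for the LAN zone only, so the appliance's own Appliance Access settings are the only control in the path.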