OneFabric Connect and Lightspeed Systems Rocket Web Filtering Appliance
Configuration and Installation Guide

Abstract: This document covers the integration of Lightspeed Systems Rocket Web with Extreme Networks OneFabric Connect.

Published: April 2014

Extreme Networks, Inc.
145 Rio Robles
San Jose, California 95134
Phone / +1 408.579.2800
Toll-free / +1 888.257.3000
www.extremenetworks.com

Copyright 2012-2014 Extreme Networks, Inc. All Rights Reserved.

AccessAdapt, Alpine, Altitude, BlackDiamond, Direct Attach, EPICenter, ExtremeWorks Essentials, Ethernet Everywhere, Extreme Enabled, Extreme Ethernet Everywhere, Extreme Networks, Extreme Standby Router Protocol, Extreme Turbodrive, Extreme Velocity, ExtremeWare, ExtremeWorks, ExtremeXOS, Go Purple Extreme Solution, ExtremeXOS ScreenPlay, ReachNXT, Ridgeline, Sentriant, ServiceWatch, Summit, SummitStack, Triumph, Unified Access Architecture, Unified Access RF Manager, UniStack, XNV, the Extreme Networks logo, the Alpine logo, the BlackDiamond logo, the Extreme Turbodrive logo, the Summit logos, and the Powered by ExtremeXOS logo are trademarks or registered trademarks of Extreme Networks, Inc. or its subsidiaries in the United States and/or other countries. sFlow is the property of InMon Corporation. Specifications are subject to change without notice. All other registered trademarks, trademarks, and service marks are property of their respective owners. For additional information on Extreme Networks trademarks, see www.extremenetworks.com/company/legal/trademarks.

120939-00
Contents

Overview ... 3
Prerequisites ... 4
Lightspeed Systems Rocket Configuration ... 5
Configuring the Rocket Appliance ... 6
  1.1 Configure LDAP Settings ... 6
  1.2 Configure RADIUS Accounting ... 9
  1.3 Configure Policy Management ... 9
Configuring OneFabric Connect ... 12
Configuration Verification ... 21

Extreme Networks, Inc. All rights reserved. 2
Overview

Integration between the Lightspeed Systems Rocket and the Extreme Networks Mobile IAM solution is accomplished via OneFabric Connect Integration services.

When an end-system such as a mobile device or tablet first connects to an Extreme Networks Mobile IAM enabled system, it is evaluated and an access rule is applied according to the criteria defined in the NAC rule set. If the end-system is classified as unregistered, the OneFabric Connect Lightspeed Systems module takes no action. By definition, unregistered systems are unknown systems and direct Internet access is not typically granted. Any required Internet access (such as the case for self-remediation) is usually proxied by the NAC appliance.

Once the end-system is registered to an LDAP account and re-authenticated, the end-system is re-evaluated by NAC and the appropriate access rule is applied. The OneFabric Connect Lightspeed Systems module collects the username and IP address of the end-system and sends this information to the Rocket Web Filter appliance. The Rocket Web Filter appliance parses this information and performs a lookup in Active Directory for the username provided by the OneFabric Connect Lightspeed Systems module. Lastly, the Rocket Web Filter appliance applies the appropriate rule set to the end-system traffic, based on the username.
Prerequisites

Software Requirements
- Extreme NAC version 5.0.0.232 or later, installed and running with 802.1X or Web Authentication / Registration so that usernames are populated into NetSight (NAC-A-XX, NAC-V-XX)
- Extreme NetSight version 5.0.0.232 or later, Advanced License NMS-ADV-XXX (e.g. NMS-ADV-10, the NetSight Advanced License for up to 10 devices and 100 thin APs)
- Lightspeed Systems Rocket Web filter software version 2.7.0 or later, integrated with Active Directory or another LDAP server

Hardware Requirements
- Extreme Networks switch running ExtremeXOS 15.5 or above
- Lightspeed Systems Rocket Web Filter Appliance

License Requirements
- Extreme Networks OneFabric Connect License and Software: OF-CONNECT-SW
  Note: Software only (Java Archive (JAR) 2.0 or higher, e.g. NMS_OFConnect_x.xx_xx.jar); does not include installation services.*

Service Requirements
- PS-OF-CONNECT-ESU: On-site installation of OneFabric Connect using the Predefined Integration Option for integration with the Lightspeed Rocket Web filtering appliance.

Options
- PS-OFCONNECTREMOTE: Remote installation of OneFabric Connect using the Predefined Integration Option for integration with the Lightspeed Rocket Web filtering appliance.
Lightspeed Systems Rocket Configuration

This integration highlights an in-line deployment scenario of the Lightspeed Systems Rocket appliance. In this configuration, the appliance is invisible to end-systems and performs filtering by dropping the external traffic. Once the Rocket Web Filter appliance is aware of the username and IP address association, it performs an account lookup in Active Directory. Based on the AD account membership, the Rocket Web Filter appliance applies pre-configured rules and assignments to determine what type of content to allow or block.

The Rocket Web Filter appliance's external connection will connect in line with the outbound connection to the Internet. Typically, this would be connected to the internal interface of a firewall. The Rocket Web Filter appliance's internal connection will typically go to the core network, where the internal interface of the firewall previously connected. The following network diagram shows a typical setup.

This installation, configuration, and testing scenario includes Active Directory, the Rocket appliance, and the Extreme Networks Mobile IAM solution. It is geared towards K-12 education, though the process is similar in other environments. This document covers the primary considerations for each integration stage and provides step-by-step instructions for some of the processes involved. Other steps, including installing/configuring Microsoft Active Directory, installing NetSight, NAC, and the Lightspeed Rocket appliance, are outside the scope of this document.
Note
This deployment guide assumes the reader has a technical understanding of the Extreme Mobile IAM solution and familiarity with implementing a typical LDAP-integrated deployment of Mobile IAM.

Integration of the Rocket Web Filter appliance and Extreme Mobile IAM is accomplished in two steps:
1. Configuring the Rocket Web Filter appliance
2. Installing and configuring OneFabric Connect Integration services

Configuring the Rocket Appliance

In addition to the standard configuration of the Rocket Web Filter appliance, three steps are required to integrate with Active Directory and Mobile IAM. Only the steps necessary for integration will be covered in this document.

1.1 Configure LDAP Settings

Log in to the Rocket appliance at https://<ip address of Rocket Appliance>. This presents the appliance login screen. Provide the necessary credentials and click the Login button.
Once login is complete, the dashboard configuration menu is presented. The first item to configure is LDAP access from the Rocket Web Filter appliance to Active Directory. Select the Administration menu in the top right corner of the dashboard.

After selecting the Administration menu, scroll down to the Authentication Sources section to configure the Active Directory settings. Select + Add Authentication Source within this menu to add the required fields.
Once the Active Directory server has been saved, verify it is listed in the Authentication Sources section. Select the Test button to verify the Active Directory configuration. Using a known valid domain username and password, click Test User Login. A Success message will appear upon a successful query.
1.2 Configure RADIUS Accounting

The RADIUS Shared Secret is a configurable field within the Rocket appliance. The Shared Secret can be found by accessing the Web Filter menu and scrolling to the bottom of the page. Input the desired Shared Secret to be used between the Lightspeed Systems Rocket Web Filter appliance and the OneFabric Connect Lightspeed Systems module. Also, note the Shared Secret value for later configuration steps.

1.3 Configure Policy Management

The next items to configure are the Rule Sets that the Rocket Web Filter appliance assigns to end-systems. Rule Sets are lists of web site categories, keywords, and actions that control how users access the Internet. Typically, customers will have pre-defined Assignments matching Rule Sets to directory objects or IP addresses, or both. For this document, the assumption is that no Assignments have been created in Policy Management. A pre-defined Rule Set (Block All) will be assigned to an Organizational Unit (OU=Solutions Eng,DC=testing,DC=local) that is defined in the previously added Active Directory Server.
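The Shared Secret entered above is what lets the Rocket appliance tell a genuine username/IP report from a forged or corrupted one. The following is an added example, not code from Extreme Networks or Lightspeed Systems: it builds a RADIUS Accounting-Request (RFC 2866) carrying User-Name and Framed-IP-Address and shows the receiving side rejecting it when the secret does not match. It assumes the OneFabric Connect module reports the end-system as a standard Accounting-Request, which the guide implies but does not state; the secret, IP addresses and session id are constructed sample values.

```python
"""Added example: RADIUS accounting message keyed by the shared secret.

Assumptions (not stated on the page): the OneFabric Connect module reports the
end-system as an RFC 2866 Accounting-Request; secret, addresses and session id
below are constructed sample values.
"""
import hashlib
import hmac
import ipaddress
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5            # RADIUS packet codes (RFC 2866)
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 4, 8
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCT_START = 1


def _avp(attr_type, value):
    """Encode one Type-Length-Value attribute; Length counts its own 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_start(secret, identifier, username, framed_ip, nas_ip, session_id):
    """Sender side: Accounting-Request (Start) with the end-system's username and IP."""
    attrs = b"".join([
        _avp(USER_NAME, username.encode("utf-8")),
        _avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed),
        _avp(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
        _avp(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
        _avp(ACCT_SESSION_ID, session_id.encode("utf-8")),
    ])
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def _parse_attrs(attrs):
    """Walk the TLV list; return None on any malformed length."""
    fields, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            return None
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            return None
        fields[attr_type] = attrs[pos + 2:pos + length]
        pos += length
    return fields


def parse_accounting_request(packet, secret):
    """Receiver side: return (username, framed_ip) only when the authenticator proves
    the sender holds the same shared secret; otherwise None (drop silently)."""
    if len(packet) < 20:
        return None
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return None
    authenticator, attrs = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(expected, authenticator):
        return None
    fields = _parse_attrs(attrs)
    if fields is None or USER_NAME not in fields or FRAMED_IP_ADDRESS not in fields:
        return None
    if len(fields[FRAMED_IP_ADDRESS]) != 4:
        return None
    return (fields[USER_NAME].decode("utf-8", "replace"),
            str(ipaddress.IPv4Address(fields[FRAMED_IP_ADDRESS])))


def build_accounting_response(request, secret):
    """Receiver side: Accounting-Response with no attributes; its authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def response_is_valid(request, response, secret):
    """Sender side: accept the response only if it was computed with the same secret."""
    if len(response) != 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    SECRET = b"example-shared-secret"  # constructed; use the value entered on the appliance
    req = build_accounting_start(SECRET, 7, "alara", "10.10.20.50", "10.10.1.5", "sess-0001")
    print(parse_accounting_request(req, SECRET))           # ('alara', '10.10.20.50')
    print(parse_accounting_request(req, b"wrong-secret"))  # None
    print(response_is_valid(req, build_accounting_response(req, SECRET), SECRET))  # True
```

A mismatched secret on either side produces exactly the symptom seen during verification: no entry for the user in the appliance's Identification History, because the appliance discards requests whose authenticator it cannot reproduce. Note that RFC 2866 accounting relies on an MD5 authenticator keyed by the secret, so the secret should be long and random, and the path between the NetSight server and the appliance should be a trusted management network.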
To access the Policy Management section of the Rocket Appliance, select Web Filter, then select Policy Management from the left column. Verify that the Rule Set exists in the Rule Set section of Policy Management.
After verifying the Rule Set exists, a new Assignment needs to be created to assign the Rule Set to an object, in this case the Organizational Unit previously mentioned. Navigate to Assignments, then select New Assignment. In the New Assignee window, select the Type of object to be used; in this example use User OU. To browse the Authentication Source, the Search feature can be used to list all OUs available on the server. Verify the Web Filter Rule in this new assignment at the bottom of the window.
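Because the Assignment is scoped to an OU, the rule only reaches accounts whose distinguished name sits beneath that OU (directly or in a nested OU), and Active Directory matches DN components case-insensitively. The following added example, not code from the Rocket product, shows how to check which of a set of user DNs the assignment above will cover. It is a small RFC 4514 DN parser plus a containment check; the user DNs are constructed, and the target OU is the one named on this page.

```python
"""Added example: does a user's DN fall under the OU targeted by an Assignment?

Not part of the Rocket product. The user DNs are constructed; the OU is the one
used in this guide.
"""
import string

TARGET_OU = "OU=Solutions Eng,DC=testing,DC=local"


def parse_dn(dn):
    """Split an RFC 4514 string DN into [(type, value), ...], leftmost RDN first.

    Handles backslash escapes (\\, \\= \\\\) and \\XX hex escapes. Multi-valued RDNs
    joined with '+' are not supported. Types and values are lower-cased and
    stripped because Active Directory compares DN components case-insensitively.
    """
    rdns, attr_type, buf, i = [], None, [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(ch in string.hexdigits for ch in pair):
                buf.append(chr(int(pair, 16)))   # \2C style hex escape
                i += 3
            else:
                buf.append(dn[i + 1])            # escaped special character
                i += 2
            continue
        if c == "=" and attr_type is None:
            attr_type = "".join(buf).strip().lower()
            buf = []
        elif c == ",":
            if attr_type is None:
                raise ValueError("RDN without '=' in %r" % dn)
            rdns.append((attr_type, "".join(buf).strip().lower()))
            attr_type, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr_type is None:
        raise ValueError("RDN without '=' in %r" % dn)
    rdns.append((attr_type, "".join(buf).strip().lower()))
    return rdns


def is_under_ou(user_dn, ou_dn):
    """True when user_dn lies inside ou_dn (directly or in a nested OU)."""
    user, ou = parse_dn(user_dn), parse_dn(ou_dn)
    return len(user) > len(ou) and user[-len(ou):] == ou


def covered_users(user_dns, ou_dn=TARGET_OU):
    """Return the subset of user_dns the OU-scoped Assignment will apply to."""
    return [dn for dn in user_dns if is_under_ou(dn, ou_dn)]


if __name__ == "__main__":
    sample = [  # constructed sample DNs
        "CN=alara,OU=Solutions Eng,DC=testing,DC=local",
        "CN=Doe\\, Jane,OU=Grade 9,ou=solutions eng,dc=TESTING,dc=local",
        "CN=staff1,OU=Staff,DC=testing,DC=local",
    ]
    for dn in covered_users(sample):
        print("covered:", dn)
```

A plain string `endswith` comparison is the usual shortcut here and fails on exactly the cases AD tolerates: different letter case, whitespace after commas, and escaped commas inside a CN, which is why the check compares parsed RDN tuples instead.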
Configuring OneFabric Connect

OneFabric Connect is an add-on element for the Extreme NetSight server that provides integration functionality between the NetSight Suite and various third-party devices and tools. OneFabric Connect is delivered as a Java module installed on the NetSight server (Windows or Linux) and configured via a Web UI.

Note
For the purposes of this document, OneFabric Connect will be installed on a NetSight virtual appliance. Installation on a Windows NetSight server may have slightly different directory paths and filenames.

The first step is to copy the OneFabric Connect installation file to the NetSight server. Log in to the server as root and transfer the file to a folder on the appliance. The destination folder is not important; in this case the file is placed in the /root directory.
SSH into the appliance as root and navigate to the folder containing the OneFabric Connect installation file. Install the file by issuing the command /usr/local/extreme_networks/netsight/java/jre/bin/java -jar {name of file} -console as shown below:

Note
For installations utilizing NetSight 5 the install directory will be: /usr/local/enterasys_networks/netsight
Press 1 to begin the installation. OneFabric Connect will display general instructions on installing the module on the system. Press 1 again to continue, then specify the target path for the installation. For Linux installations of NetSight, the default path is /usr/local/extreme_networks/netsight. Specify this path, press Enter, and then press 1 to continue.

Next, select the installation mode. For a first-time installation, press 0 to install the package, then press 1 to continue.
After selecting the Installation Mode, select the username that will be used to connect to the Extreme NetSight web service. The default is root.

The next option to set is the NMS Server IP and URL. OneFabric Connect displays the current server IP address and URL as the default. Press Enter to accept this default.
At this point, the package is unpacked and installed on the NetSight server. This completes the installation of OneFabric Connect.

The next step is to configure the Lightspeed Systems integration module. Open a web browser and navigate to https://{NetSight IP}:8443/fusion_jboss/ to access the OneFabric Connect login page. Ignore the certificate warning and log in to OneFabric Connect as a NetSight Administrator.
After successful login, navigate to the Lightspeed Systems tab to access the Rocket Web Filter appliance configuration settings.
In the field labeled Lightspeed Systems Server IP address, enter the IP address of the Rocket Web Filter appliance, then click the Save link to the right of the field. Enter the previously noted RADIUS Shared Secret in the corresponding field and select the Save link to the right.
After adding the IP address of the Lightspeed Systems appliance, the Lightspeed Systems module must be enabled by setting its value to true, then selecting Save.
In addition to enabling the Lightspeed Systems module, also enable the "Check end system username after deleting from NAC:" option by setting its value to true and selecting Save. The configuration of the OneFabric Connect Lightspeed Systems module is now complete.
Configuration Verification

The final step is to test the integration. Both NAC Manager and the Rocket Web Filter management interface will be used to confirm that the integration is configured successfully. Register an end-system using Authenticated Registration, and then locate the end-system in NAC Manager. For this example, a Windows 7 machine has been registered using the username alara.

To see the corresponding information in Rocket Web Filter, navigate to the Identification History Report via the Reports menu.
The report below validates the RADIUS authentication of the username alara and the associated IP address of its registered end-system. Note that both NAC and the Rocket Web Filter list the same end-system IP address and AD user name for the end-system. This indicates that the integration is working and the configuration is correct.

Successful integration can also be verified by using a web browser on the end-system. Attempt to navigate to www.extremenetworks.com. The web traffic will be intercepted by the Rocket Web Filter appliance and blocked due to the current Rule Set being applied to the user. Note the user that is currently logged on to the client below.

This completes the integration between Microsoft Active Directory, Lightspeed Systems Rocket Web Filter, and Extreme Mobile IAM.