Secure Mobile Access 12.4 Administration Guide

Moving the Appliance into Production

After you have tested the appliance sufficiently in your network environment and determined how you want it to work, you’re ready to move it into its permanent home.

To move the appliance into production

  1. Reconfigure the appliance with new address information.

    If the production network differs from the one you tested in, reconfigure the basic network settings, updating any of the following values that have changed:

    • IP addresses for the internal and external interfaces
    • Default gateway IP addresses
    • Static routes
    • Default DNS domain and DNS server IP address
  2. Register the appliance with DNS.

    If you haven’t already registered the appliance with your company’s DNS, do this now. This lets external users reach your network resources by a fully qualified domain name instead of an IP address. Edit your DNS server’s database to include the fully qualified domain name contained in the appliance’s certificate and the names of any WorkPlace sites. The name users type must match a name in the certificate exactly (or a matching wildcard entry); otherwise their browsers warn of a name mismatch.

  3. Obtain a commercial SSL certificate.

    You may want to obtain a commercial certificate for the appliance to assure users of its identity. (Generally, a self-signed certificate is adequate for AMC.)

    For more information on generating server certificates, see Obtaining a Certificate from a Commercial CA.

  4. Adjust your firewall policies.

    If you have an Internet-facing firewall, you may need to adjust its policy to open the ports the appliance requires. By default, the Web proxy service listens on port 443/tcp for HTTPS and port 80/tcp for HTTP. If you want to use SSH to connect to the appliance from outside the network, you'll also need to open port 22/tcp; if you do, restrict that rule to the source addresses of your administrators rather than opening it to the whole Internet.

    If you enable ESP encapsulation of tunnel network traffic, you'll need to open port 4500/UDP.

    ESP encapsulation is enabled by default, but if it cannot be brought up (for example, because port 4500/udp is blocked by the firewall) the tunnel falls back to the default SSL/TLS transport. This means a blocked 4500/udp does not break connectivity; it only silently removes the ESP option, so verify the firewall rule rather than relying on a successful connection as proof.

    If you have a firewall that faces the internal network, you may need to adjust its policy to open ports for any back-end applications with which the appliance must communicate (if these ports are not already open). For instance, if you use an LDAP or Microsoft Active Directory server for authentication, you must open port 389/tcp on your internal firewall (or 636/tcp if you connect with LDAP over SSL). For RADIUS, open ports 1645/udp and 1812/udp.

    If you’re using WorkPlace to access Windows network shares, you must also open internal ports on your internal firewall so that WorkPlace can perform name resolution, make browse requests, and connect to file shares.

    For more information, see Gathering Information.

  5. Create shortcuts and deploy WorkPlace.

    If you use WorkPlace as an interface to Web-based resources and to provide Web-based access to Windows network shares and graphical terminal resources, you must create shortcuts (see Working with WorkPlace Shortcuts). You should also publish the WorkPlace URLs so your users know how to access resources through your VPN.

    You may want to customize the appearance of WorkPlace for your environment. See Configuring WorkPlace General Settings for more information.
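The following script is an added example, not part of this guide or SonicWall's software. It turns steps 2 through 4 into a pre-production check you can run from an outside host: it confirms that the appliance's public name resolves to the expected address, reads the certificate presented on 443/tcp and reports whether the chain is trusted and whether the name is in its subjectAltName, and probes the TCP ports the Internet-facing firewall must allow. The hostname, expected address and the port lists are assumptions for illustration. UDP 4500 cannot be confirmed with a plain probe (no reply is expected), so it is listed but not tested; check it on the firewall itself.

```python
"""Pre-production checks for an SSL VPN appliance: DNS, certificate, ports.

Added example (not SonicWall's code). Names, addresses and port lists below
are assumptions; substitute your own. Requires Python 3.10+ (stdlib only).
"""
import socket
import ssl
import sys


def required_ports(ssh_from_outside=False, esp=True, auth="ldap"):
    """Ports to allow, grouped by firewall, for the options chosen."""
    external = [(443, "tcp", "HTTPS to the Web proxy / WorkPlace"),
                (80, "tcp", "HTTP (redirected to HTTPS)")]
    if esp:
        # Optional: if 4500/udp is blocked the client falls back to SSL/TLS.
        external.append((4500, "udp", "ESP encapsulation of tunnel traffic"))
    if ssh_from_outside:
        # Assumption: prefer managing from inside; if exposed, restrict the source.
        external.append((22, "tcp", "SSH administration from outside"))
    internal = {"ldap": [(389, "tcp", "LDAP / Active Directory")],
                "ldaps": [(636, "tcp", "LDAP over SSL")],
                "radius": [(1645, "udp", "RADIUS (legacy)"), (1812, "udp", "RADIUS")]}
    return {"external": external, "internal": internal.get(auth, [])}


def san_matches(peercert, fqdn):
    """True if fqdn matches a DNS subjectAltName; a wildcard covers one label only."""
    fqdn = fqdn.rstrip(".").lower()
    for kind, value in peercert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value.startswith("*."):
            suffix = value[1:]  # ".example.com"
            if fqdn.endswith(suffix) and "." not in fqdn[: -len(suffix)]:
                return True
        elif value == fqdn:
            return True
    return False


def fetch_cert(host, port=443, timeout=5.0):
    """Return (cert dict, trusted). If the chain does not verify against the
    system trust store (e.g. a self-signed cert), re-read the leaf by trusting
    it explicitly so its subjectAltName can still be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the SAN is checked and reported separately
    try:
        with socket.create_connection((host, port), timeout=timeout) as s, \
                ctx.wrap_socket(s, server_hostname=host) as t:
            return t.getpeercert(), True
    except ssl.SSLCertVerificationError:
        pass
    peek = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    peek.check_hostname = False
    peek.verify_mode = ssl.CERT_NONE  # getpeercert() is empty here; take DER
    with socket.create_connection((host, port), timeout=timeout) as s, \
            peek.wrap_socket(s, server_hostname=host) as t:
        der = t.getpeercert(binary_form=True)
    leaf = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    leaf.check_hostname = False
    leaf.verify_flags |= ssl.VERIFY_X509_PARTIAL_CHAIN
    leaf.load_verify_locations(cadata=der)  # trust exactly the cert we saw
    with socket.create_connection((host, port), timeout=timeout) as s, \
            leaf.wrap_socket(s, server_hostname=host) as t:
        return t.getpeercert(), False


def dns_resolves_to(fqdn, expected_ip):
    """True if the public name resolves to the appliance's external address."""
    addrs = {ai[4][0] for ai in socket.getaddrinfo(fqdn, None)}
    return expected_ip in addrs


def tcp_reachable(host, port, timeout=3.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} <appliance-fqdn> <expected-external-ip>")
        return 2
    fqdn, ip = argv[1], argv[2]
    print(f"DNS  {fqdn} -> {ip}: {'ok' if dns_resolves_to(fqdn, ip) else 'MISMATCH'}")
    cert, trusted = fetch_cert(fqdn)
    print(f"CERT chain trusted: {trusted}  name in SAN: {san_matches(cert, fqdn)}")
    for port, proto, why in required_ports(ssh_from_outside=False)["external"]:
        state = "not probed (udp)" if proto == "udp" else \
                ("open" if tcp_reachable(fqdn, port) else "BLOCKED")
        print(f"PORT {port}/{proto:<3} {state:<16} {why}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a host outside the corporate network, for example `python3 precheck.py vpn.example.com 203.0.113.10`, after the DNS change has propagated. A `BLOCKED` line on 443/tcp or 80/tcp points at the Internet-facing firewall (step 4); `name in SAN: False` means the DNS name and the certificate disagree (steps 2 and 3); `chain trusted: False` with a matching SAN is what you see while the appliance still has its self-signed certificate.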
