Description:
Access to the Unified Firewall is required for configuration and error analysis. If there is no remote maintenance available for accessing the device, it may be necessary to connect to the Unified Firewall from the Internet.
This article describes how to enable access with the web client and SSH, and which IP addresses have to be set in order to enable remote access by LANCOM Systems Support.
Important:
Where an upstream router is operated, port forwarding to be set up on it to enable access to the Unified Firewall. This is described in step 3 for LANCOM routers.
If access by LANCOM Support is no longer required, LANCOM Systems recommends that you deactivate the remote access.
Requirements:
Procedure:
1) Allow access via SSH:
1.1) In your browser, open the configuration for the United Firewall and switch to the menu item Firewall → Firewall Access → SSH Settings.
1.2) Access restrictions are implemented by a whitelist. The IP address or the interface have to be entered into this list to permit access to the Unified Firewall.
Access from the Internet via SSH can be enabled by setting a checkmark for Internet. However, we do not recommend this as access to the device would be unrestricted. Instead, access should be restricted to certain IP addresses only.
Two entries are available in the whitelist, which allow the LANCOM Support Team (Rohde & Schwarz ...) to access the device. As this involves another location, it is necessary to enter a further IP address.
1.3) Under Source, enter the IP address 217.6.21.90 in CIDR notation (Classless Inter-Domain Routing) in order to allow access via SSH (i.e. from 217.6.21.90/32) and enter a meaningful name under Title.
Then click on the “+” icon to save the entry.
Info:
As of LCOS FX 10.4, this IP address is available by default. It does not have to be entered again.
1.4) Set check marks for Rohde & Schwarz Internet Gateway and Rohde & Schwarz Cybersecurity Customer Support and click Save.
2) Allow access via HTTPS:
2.1) Open the configuration interface of the LANCOM R&S®Unified Firewall in your browser and go to the menu Firewall → Firewall Access → Webclient Settings.
2.2) Access restrictions are implemented by a whitelist. The IP address or the interface have to be entered into this list to permit access to the Unified Firewall.
Access from the Internet via HTTPS can be enabled by setting a checkmark for Internet. However, we do not recommend this as access to the device would be unrestricted. Instead, access should be restricted to certain IP addresses only.
Two entries are available in the whitelist, which allow the LANCOM Support Team (Rohde & Schwarz ...) to access the device. As this involves another location, it is necessary to enter a further IP address.
2.3) Under Source, enter the IP address 217.6.21.90 in CIDR notation (Classless Inter-Domain Routing) in order to allow access via HTTPS (i.e. from 217.6.21.90/32) and enter a meaningful name under Title.
Then click on the “+” icon to save the entry.
Info:
As of LCOS FX 10.4, this IP address is available by default. It does not have to be entered again.
2.4) Set check marks for Rohde & Schwarz Internet Gateway and Rohde & Schwarz Cybersecurity Customer Support and click Save.
3) Setting up port forwarding in the LANCOM router (optional)
If a LANCOM router is operated upstream, it needs to be set up with port forwarding to enable access to the Unified Firewall. This is the case when using the layer-3 loop and a “series” connection.
3.1) Open the configuration for the router in LANconfig and switch to the menu item IP-Router → Masq. → Port forwarding table.
3.2) Set up port forwarding for access by SSH:
3.2.1) Create a new entry and modify the following parameters:
3.3) Set up port forwarding for access by web client:
3.3.1) Create a new entry and modify the following parameters:
3.4) This concludes the configuration steps in the LANCOM router. Write the configuration back to the router.