Deploying Virtual Cyberoam Appliance in the Amazon Cloud Version 10 Document version 1.0 – 10.6.2.378 - 13/03/2015


Important Notice

Cyberoam Technologies Pvt. Ltd. has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Cyberoam Technologies Pvt. Ltd. assumes no responsibility for any errors that may appear in this document. Cyberoam Technologies Pvt. Ltd. reserves the right, without notice to make changes in product design or specifications. Information is subject to change without notice.

USER’S LICENSE

Use of this product and document is subject to acceptance of the terms and conditions of Cyberoam End User License Agreement (EULA) and Warranty Policy for Cyberoam Network Security Appliances. You will find the copy of the EULA at http://www.cyberoam.com/documents/EULA.html and the Warranty Policy for Cyberoam Network Security Appliances at http://kb.cyberoam.com.

RESTRICTED RIGHTS

Copyright 1999 - 2014 Cyberoam Technologies Pvt. Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of Cyberoam Technologies Pvt. Ltd.

Corporate Headquarters Cyberoam House, Saigulshan Complex, Opp. Sanskruti, Beside White House, Panchwati Cross Road, Ahmedabad - 380006, GUJARAT, INDIA. Tel: +91-79-66216666 Fax: +91-79-26407640 Web site: www.cyberoam.com


Technical Support

You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to Customer care/service department at the following address:

Corporate Headquarters

Cyberoam House,

Saigulshan Complex, Opp. Sanskruti,

Beside White House, Panchwati Cross Road,

Ahmedabad - 380006, GUJARAT, INDIA.

Tel: +91-79-66216666

Fax: +91-79-26407640

Web site: www.cyberoam.com

Cyberoam contact:

Technical support (Corporate Office): +91-79-66065777

Email: [email protected]

Web site: www.cyberoam.com

Visit www.cyberoam.com for the regional and latest contact information.


Contents

Deploying Virtual Cyberoam Appliance in the Amazon Cloud
  Feature Overview
  Base Configuration

Installation Steps
  Step 1. Choose Cyberoam AMI
  Step 2. Launching the Cyberoam AMI
    Step 2.1. Choose Instance Type
    Step 2.2. Configure Instance Details
    Step 2.3. Configure Instance Details (Part 2)
    Step 2.4. Add Storage Details
    Step 2.5. Tag Instance
    Step 2.6. Configure Security Group
    Step 2.7. Launch Status
    Step 2.8. View Launched Instance
  Step 3. Allocate Elastic IP to Amazon Virtual Cyberoam Instance and Register Appliance
    Step 3.1. Allocate Elastic IP Address
    Step 3.2. Register Appliance
    Step 3.3. Appliance defaults
  Migrating to Higher Instance


Deploying Virtual Cyberoam Appliance in the Amazon Cloud

Welcome to Virtual Cyberoam Appliance in the Amazon Cloud deployment guide. This guide describes the installation instructions for launching a Cyberoam AMI (Amazon Machine Image) Instance on Amazon Web Services (AWS).

Feature Overview

Cyberoam Virtual Appliance for Amazon Web Services delivers a secure cloud computing platform that enables customers to deploy multilayer security in the cloud. By extending its security technology to Amazon's cloud, it protects assets in the cloud from attacks.

Cyberoam satisfies an organization's cloud security needs with flexible and manageable security features such as Firewall, IPS, Application Control and Anti Virus, which protect services in the public cloud from unauthorized access and attacks.

It also helps enforce a consistent security policy across the organization by protecting data between the corporate network and Amazon Virtual Private Cloud, and by inspecting data entering and leaving the private subnet in Amazon's VPC.

A Virtual Cyberoam Instance can be launched on Amazon Web Services by using an Amazon Machine Image (AMI). An AMI is a specific type of virtual appliance that is used to create a virtual machine within the Amazon Elastic Compute Cloud (EC2) in the form of an Instance. You can launch a Cyberoam Instance once you have created your own Virtual Private Cloud (VPC) on Amazon Web Services (AWS). Once an Instance is launched, your Virtual Cyberoam appliance is allocated an Elastic IP through which you can access the Cyberoam Web Admin console. Your entire appliance memory is migrated to the Amazon Servers and is entirely virtualized.

Cyberoam is available at the AWS Market Place. Cyberoam Network Security product can be used as a stand-alone AMI or as part of the VPC. Cyberoam offers BYOL and Hourly Licencing options for its Network Security product on the AWS market place. After selecting the product and license, Cyberoam Network Security instance can be launched as standalone EC2 Instance or into a VPC (if already configured).

Base Configuration

Prerequisite for Storage sizes:

Root - 4 GiB

EBS - 80 GiB

Prerequisite for Network Interfaces:

You need to configure at least 2 (Two) Network Interfaces to launch an Instance.


Installation Steps

Pre-requisites to Installation:

Amazon Web Service (AWS) account.

Cyberoam AWS licenses. (You can also get a free 30 day evaluation license, with the option to buy at the end of the evaluation period with Cyberoam Network Security (BYOL) product.)

Step 1. Choose Cyberoam AMI

Log on to the AWS Management console using your AWS account at console.aws.amazon.com.

Screen – AWS Console Login Screen

The AWS home screen is displayed after Logging on.

Go to EC2 Console > Instances and click on Launch Instance.


From the left sidebar-menu, select AWS Market Place and search for “Cyberoam”.

Click to select from the available Cyberoam products:

1. Cyberoam Network Security – Cyberoam Network Security Pay As You Go (PAYG) is a pre-licensed solution with all security modules subscribed. The usage charges are applied hourly.

2. Cyberoam Network Security (BYOL) – Cyberoam Network Security (BYOL) offers a security solution with Trial Subscriptions of security modules. For further use, you can purchase licenses/module-subscriptions from your existing channel partners or the Cyberoam website.

Review the product description and click Continue.

Note: Cyberoam AMI can also be searched directly from the AWS Market Place homepage. After selecting the required AMI, logon using your AWS account to continue with the selection and launch the Cyberoam AMI.

Step 2. Launching the Cyberoam AMI

To launch the AMI, Amazon provides the following two options:

a. 1-Click Launch

b. Manual Launch

a. 1-Click Launch

1-Click Launch is typically used to quickly get the AMI running. You can use 1-Click Launch if you have all the details of the AMI.

For 1-Click Launch, the following details must be verified/specified before the AMI can be launched (refer on-screen instructions for specifying the details):

Software Pricing

Version

Region

VPC Settings

EC2 Instance Type

Key Pair


After specifying the details above, click Launch with 1-Click to continue and complete the launch Instance wizard. You will be redirected to Step-2 of the launch Instance wizard.

b. Manual Launch

You can use Manual Launch to configure the Instance launch options manually (including VPC configuration).

Specify/review the following details and click Launch with EC2 console to start the Instance launch wizard:

Software Pricing

Select a Version

Software Pricing

Configuring VPC Settings

You can configure your Amazon Virtual Cyberoam Interface either on the default VPC given by Amazon, or by creating your custom VPC.

Follow the steps mentioned below to configure a custom VPC:


Step 1. Go to AWS Dashboard and select Networking > VPC.

Step 2. Select Your VPCs, under Virtual Private Cloud.

Step 3. Click Create VPC to configure a custom VPC dedicated to your AWS account.

Step 4. Select Subnet and click Create Subnet to configure the LAN/WAN subnets based on your requirement.

Step 5. Select Route Table and click Create Route Table to define required routes.

Step 6. Create and Associate Elastic IP Address

Select Elastic IP and click on Allocate New Address. In the Network platform list, select EC2-VPC, and then click Yes, Allocate.

Select the Elastic IP address from the list and click the Associate Address.

In the Associate Address dialog box, select Instance or Network Interface from the Associate with list, select either the Instance or network interface ID, and then click Yes, Associate.

You can also refer to the detailed Amazon VPC Help to know how to configure a customized VPC for your network.

Step 2.1. Choose Instance Type

Click on the first option next to Filter by: and select the Instance Type from the filtered list. Cyberoam supports all 64bit Para Virtualized (PV) Instances except “t1.micro”.

Screen – Choose Instance Type


Step 2.2. Configure Instance Details

Click the Next: Configure Instance Details button.

Configure Instance Details based on your VPC Network and preferences.

Click the Next: Add Storage button.

Screen – Configure Instance Details

Step 2.3. Configure Instance Details (Part 2)

Based on your requirement, select the Tenancy for your Instance. For example, a dedicated Instance runs on a dedicated hardware and an Instance with Shared Tenancy runs on shared hardware.

Under Network Interfaces configure the Interface details of your Virtual Cyberoam.

Note: Your VPC Network Interfaces will by default be mapped to your Appliance as:

eth0 - LAN

eth1 - WAN

In case your Instance has more than two network interfaces, you can add new network interface(s) manually after your Instance is launched in the following manner.

1. Stop your Instance, add Network Interface(s) to it and restart your Instance.

2. Add Network Interface(s) to your Instance without stopping it. The new interface(s) will only be added on Instance reboot.

None of your existing configuration will be altered on addition of Network Interface(s).


Screen – Configure Instance Details (Part 2)

Step 2.4. Add Storage Details

Click the Next: Add Storage button.

Configure the Storage Device settings for your Instance. You can select the Volume Type details.

Default Storage size-

Root: 4GiB

EBS: 80GiB

Screen – Add Storage Details

Note: Value(s) greater than the default size will not be considered for your Instance.


Step 2.5. Tag Instance

Click the Next: Tag Instance button.

You may Tag your Instance for identification purpose. The created Tag appears on the same page as a list.

Screen – Tag Instance

Step 2.6. Configure Security Group

Click the Next: Configure Security Group button.

Amazon by default has your VPC behind a Network Security Device in the form of Virtual Cyberoam Appliance. If you want additional Security, you can configure a Security Group for your Instance. Click here to learn more about security groups. The default Security group follows the Allow All Traffic policy.

Screen – Configure Security Group

Step 2.7. Launch Status

Click the Next: Review and Launch button.

This page displays the launch status of your Instance and also gives you links to some important resources that will help you maneuver through AWS with ease.

To view your launched Instance, click the Next: View Instances button.

Screen – Launch Status

Step 2.8. View Launched Instance

You are navigated to the Instances > Instances page. All the Instance details along with its Tag are displayed on this page.

Screen – Instance Details


Note: At any step you can click:

Cancel: Abort Instance launch process.

Previous: To go to the Previous configuration step.

Review and Launch: Move directly to step 2.7.

Step 3. Allocate Elastic IP to Amazon Virtual Cyberoam Instance and Register Appliance

Step 3.1. Allocate Elastic IP Address

Your Cyberoam Amazon Virtual machine Instance needs to be allocated an Elastic IP Address on AWS, so that you can access Cyberoam over the Web Admin Console.

Click here to know how to allocate an Elastic IP address to your Instance.

Step 3.2. Register Appliance

Use the Elastic IP allocated to you to access your Cyberoam Virtual Appliance via a secure connection and login by entering your credentials in the below screen:

Screen – Cyberoam Amazon Virtual Machine Login

On first time login, you will be prompted to register your Virtual Appliance.

Screen – Register Appliance

You need to register your Virtual Cyberoam Appliance before you can access its features. Browse to http://customer.cyberoam.com. Click here to know more about Cyberoam Appliance registration process.


Once your Virtual Cyberoam Appliance is registered, click the Synchronize button in the above screen.

In case your Appliance is not synchronized automatically, you will be prompted with the following screen.

Screen – Activate Appliance

Follow the steps displayed in the screen to activate your Appliance.

You can now access Virtual Cyberoam Appliance via web admin console through the Elastic IP allocated to your Appliance.

Step 3.3. Appliance defaults

Subscriptions

The Appliance default services vary based on the product you have subscribed.

Cyberoam Network Security PAYG option offers the following subscriptions which are pre-registered with your appliance:

Web and Application Filter

IPS

Gateway Anti Virus

Gateway Anti Spam

24 x 7 Support

WAF

Cyberoam Network Security (BYOL) option offers only Trial Subscriptions for the subscription modules (Web and Application Filter, IPS, Gateway Anti Virus/Anti Spam, 24 X 7 Support, WAF). For using the required subscription modules, you must purchase and synchronize your licenses.

Appliance Access

Your Cyberoam Amazon Virtual machine LAN and WAN Interfaces will be bound to the eth Interfaces as defined in the Network created by you on your VPC. Go to Network > Interface > Interface to view the Appliance Interface information.

Screen – Default Interface Information


When Cyberoam is connected and powered up for the first time, it will have a default Access configuration. Go to System > Administration > Appliance Access to view the Appliance Access information.

Screen – Default Appliance Access Information

The following are the accessible Services:

Admin Services – HTTP (TCP port 80), HTTPS (TCP port 443), Telnet (TCP port 23) and SSH (TCP port 22) services will be enabled for administrative functions in LAN zone. HTTPS (TCP port 443) services will be enabled for administrative functions in WAN zone.

Authentication Services – Windows/Linux Client (UDP port 6060), Captive portal Authentication (TCP port 8090) and NTLM will be enabled for User Authentication Services in LAN zone. User Authentication Services are not required for any of the Administrative functions but required to apply user based internet surfing, bandwidth, and data transfer restrictions.

Network Services – Ping/Ping6 and DNS services will be enabled for LAN zone.

Other Services – Web Proxy service will be enabled for LAN zone. SSL VPN (TCP port 8443) service will be enabled for LAN and WAN zone.
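The default service list above and the Step 2.6 note that the default Security Group follows the Allow All Traffic policy can be checked together. The following is an added example, not part of the Cyberoam guide: it audits security group rules, in the JSON shape returned by `aws ec2 describe-security-groups`, for allow-all rules and for services the guide lists as LAN-only being reachable from any source. The group IDs and CIDRs are constructed, and treating world-open HTTPS administration as a finding is this example's assumption.

```python
import ipaddress

# Default services from the guide's "Appliance Access" list, by zone.
LAN_ONLY = {("tcp", 80): "HTTP admin", ("tcp", 23): "Telnet", ("tcp", 22): "SSH",
            ("tcp", 8090): "Captive portal", ("udp", 6060): "Client authentication"}
# Enabled on WAN by default; flagging it when open to any source is an assumption.
# SSL VPN (TCP 8443) is enabled on WAN and is deliberately not flagged.
WAN_ADMIN = {("tcp", 443): "HTTPS admin"}

# Constructed sample, shaped like `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-constructed-allow-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-constructed-wide", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 8100,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "udp", "FromPort": 6060, "ToPort": 6060,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-constructed-tight", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]


def world_sources(perm):
    """Return the source CIDRs of one rule that cover the whole address space."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def audit_group(group):
    """Return (group_id, rule, detail) findings for one security group."""
    findings = []
    for perm in group.get("IpPermissions", []):
        world = world_sources(perm)
        if not world:
            continue  # rule is limited to specific source ranges
        src = ", ".join(world)
        proto = perm.get("IpProtocol")
        if proto == "-1":  # "-1" means every protocol and port
            findings.append((group["GroupId"], "allow-all", f"all traffic from {src}"))
            continue
        if proto not in ("tcp", "udp"):
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        for table, rule in ((LAN_ONLY, "lan-service-exposed"),
                            (WAN_ADMIN, "admin-open-to-world")):
            for (p, port), name in sorted(table.items()):
                if p == proto and lo <= port <= hi:
                    findings.append((group["GroupId"], rule,
                                     f"{name} ({p.upper()} {port}) from {src}"))
    return findings


def audit(groups):
    """Audit every group and return the combined list of findings."""
    return [f for g in groups for f in audit_group(g)]


if __name__ == "__main__":
    for gid, rule, detail in audit(SAMPLE_GROUPS):
        print(f"{gid}: {rule}: {detail}")
```

A port-range rule such as the constructed 20-8100 entry is reported once per documented service it covers, which makes over-broad ranges visible.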

Two default LAN to WAN IPv4 Firewall Rules are created on Appliance activation. Go to Firewall > Rule > IPv4 Rule to view the Firewall Rule configuration.

Screen – Default Firewall Rule Information

Virtual Cyberoam on Amazon does not support the following Cyberoam features:

DHCP Server and Relay

VLAN

Bridge Interface

High Availability

LAG

Migrating to Higher Instance

You can migrate to a higher 64 bit Instance in the following manner:

Step 1. (To be executed on the 32-bit Cyberoam Appliance) Take a backup of the existing 32 bit configuration. To take a backup, go to System > Maintenance > Backup & Restore and click Backup Now in the Backup Restore section.

Step 2. (To be executed on the Amazon Web Services cloud) Launch the higher 64 bit Instance. This is shown in the Installation Steps section.

Step 3. Restore backup of 32 bit configuration on the higher 64 bit Virtual Cyberoam Instance running on the Amazon cloud. You can restore a backup Instance on Cyberoam from System > Maintenance > Backup & Restore. Click Browse and select the backup file to be uploaded.

Note: Do not configure any Network Interface before restoring your backup. Since 32bit Instances support 2 interfaces, you will have to manually configure the remaining interface(s) if your 64bit Instance supports more than two network interfaces.