SA-250 Server
Please read the End User License Agreement before installing the SA-250 server. The End User License
Agreement is available at the following location: http://www.airtightnetworks.com/fileadmin/pdf/AirTight-EULA.pdf.
Installing the SA-250 server constitutes your acceptance of the terms and conditions of the End User License
Agreement.
DISCLAIMER
THE INFORMATION IN THIS GUIDE IS SUBJECT TO CHANGE WITHOUT ANY PRIOR NOTICE.
AIRTIGHT NETWORKS, INC. IS NOT LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR
CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS
OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, OR ANY OTHER
PECUNIARY LOSS) ARISING OUT OF THE USE OF OR INABILITY TO USE THIS PRODUCT.
THIS PRODUCT HAS THE CAPABILITY TO BLOCK WIRELESS TRANSMISSIONS FOR THE PURPOSE OF
PROTECTING YOUR NETWORK FROM MALICIOUS WIRELESS ACTIVITY. BASED ON THE POLICY
SETTINGS, YOU HAVE THE ABILITY TO SELECT WHICH WIRELESS TRANSMISSIONS ARE BLOCKED AND,
THEREFORE, THE CAPABILITY TO BLOCK AN EXTERNAL WIRELESS TRANSMISSION. IF IMPROPERLY
USED, YOUR USAGE OF THIS PRODUCT MAY VIOLATE US FCC PART 15 AND OTHER LAWS. BUYER
ACKNOWLEDGES THE LEGAL RESTRICTIONS ON USAGE AND UNDERSTANDS AND WILL COMPLY WITH
US FCC RESTRICTIONS AS WELL AS OTHER GOVERNMENT REGULATIONS. AIRTIGHT IS NOT
RESPONSIBLE FOR ANY WIRELESS INTERFERENCE CAUSED BY YOUR USE OF THE PRODUCT.
AIRTIGHT NETWORKS, INC. AND ITS AUTHORIZED RESELLERS OR DISTRIBUTORS WILL ASSUME NO
LIABILITY FOR ANY DAMAGE OR VIOLATION OF GOVERNMENT REGULATIONS ARISING FROM YOUR
USAGE OF THE PRODUCT, EXCEPT AS EXPRESSLY DEFINED IN THE INDEMNITY SECTION OF THIS
DOCUMENT.
LIMITATION OF LIABILITY
AirTight Networks will not be liable to customer or any other party for any indirect, incidental, special,
consequential, exemplary, or reliance damages arising out of or related to the use of AirTight Wi-Fi, AirTight
WIPS, AirTight Cloud Services, and AirTight devices under any legal theory, including but not limited to lost profits,
lost data, or business interruption, even if AirTight Networks knows of or should have known of the possibility of
such damages. Regardless of the cause of action or the form of action, the total cumulative liability of AirTight
Networks for actual damages arising out of or related to the use of AirTight Wi-Fi, AirTight WIPS, AirTight Cloud
Services or AirTight devices will not exceed the respective price paid for AirTight Wi-Fi, AirTight WIPS, AirTight
Cloud Services, or AirTight devices.
Powered by Marker Packet™, Active Classification™, Live Events™, VLAN Policy Mapping™, Smart Forensics™,
WEPGuard™ and WPAGuard™. AirTight Networks and the AirTight Networks logo are trademarks and AirTight is
a registered trademark of AirTight Networks, Inc.
This product contains components from Open Source software. These components are governed by the terms
and conditions of the GNU Public License. To read these terms and conditions visit
http://www.gnu.org/copyleft/gpl.html.
Protected by one or more of U.S. patent Nos. 7,002,943; 7,154,874; 7,216,365; 7,333,800; 7,333,481; 7,339,914;
7,406,320; 7,440,434; 7,447,184; 7,496,094; 7,536,723; 7,558,253; 7,710,933; 7,751,393; 7,764,648; 7,804,808;
7,856,209; 7,856,656; 7,970,894; 7,971,253; 8,032,939; and international patents: AU 200429804; GB 2410154;
JP 4639195; DE 60 2004 038 621.9; and GB/NL/FR/SE 1976227. More patents pending. For more information on
patents, please visit: www.airtightnetworks.com/patents.
1.
The SA-250 Server Installation Guide gives an overview of the power connector and the ports on the SA-250
server and explains how to configure it.
Important! Please read the EULA before installing the SA-250 server. Installing the server constitutes your
acceptance of the terms and conditions of the EULA mentioned above in this document.
Intended Audience
This guide is intended for anyone who wants to install and configure the SA-250 server.
Document Overview
This guide contains the following chapters:
1. Package Contents: Lists the components included in the system package.
2. SA-250 Server Overview: Provides an overview of the SA-250 server.
3. Installing the SA-250 Server: Describes how to power on the server, connect the server to the network
and your computer, and configure the server.
4. Server Config Shell Commands: Lists a pre-defined set of commands that allow you to configure and
view the status of the Server.
5. Set Up and Manage Server Cluster: Describes how to set up and manage a server cluster.
6. Troubleshooting: Provides troubleshooting tips while installing the server and sensor.
7. Backup and Restore Database: Provides instructions to back up and restore the database.
Contact Information
AirTight Networks, Inc.
339 N, Bernardo Avenue, Suite #200,
Mountain View, CA 94043
Tel: (650) 961-1111
Fax: (650) 963-3388
For technical support, send an email to support@airtightnetworks.com.
2.
Package Contents
This chapter lists the components included in the SA-250 server package.
Please ensure that the following items are included in the server package:
Users Guide
Installation Guide
Release Notes
Upgrade Instructions
Power cord
Serial cable
If the package is not complete, please contact AirTight Networks, Inc. Technical Support at
support@airtightnetworks.com, or return the package to the vendor or dealer where you purchased the product.
3.
This chapter provides an overview of the SA-250 server and describes the following in detail:
The front panel of SA-250 server has a power switch, power LED, HDD activity LED, network interface LED, high
availability interface LED, and temperature LED.
Figure 3-1: Front Panel of SA-250 Server
System Behavior
The following table provides information about what the LED lights on the server indicate.
Hard Disk
LED Color
Meaning of LED
Solid Green
Off
Blinking Green
Off
Blinking Green
Off
Blinking Green
Off
Network Interface
High Availability
Interface
The rear panel of the SA-250 server has a power connector to provide power supply to the server and ports to
connect the server to the network and a computer.
Figure 3-2: Rear Panel Ports of SA-250 Server
The rear panel of SA-250 Server has a serial port (RS 232 F-F), a network interface port (RJ-45 10/100/1000
Ethernet), a high availability (HA) port (RJ-45 10/100/1000 Ethernet), and a power connector. Use the power
connector to power the server using 110-240V 50/60 Hz AC input. Connect the power connectors to two different
power sources to optimize the redundancy. The following table describes the serial, network interface, and high
availability ports.
Table 3-3: SA-250 Server Rear Panel Ports
Port | Connector Type | Settings/Protocol
Serial | DB-9 | Settings: Bits per second: 9600; Data Bits: 8; Parity: None; Stop Bits: 1; Flow Control: None. Protocol: RS-232
Network Interface | RJ-45 | Settings: 10/100/1000 Mbps. Protocol: Ethernet
High Availability | RJ-45 | Settings: 10/100/1000 Mbps. Protocol: Ethernet
4.
You must set up the server before using it to monitor and protect your network. This chapter explains how to
connect and configure the SA-250 server.
Note: The default IP address of the server is 192.168.1.246. Ensure that no other device on your network uses
the same IP address as the server.
Using an SSH Secure Shell (SSH) client to access the server (Recommended)
1. Launch the HyperTerminal from Start > All Programs > Accessories > HyperTerminal on your system.
Figure 4-6 HyperTerminal
Click OK.
Figure 4-7: Connection Description
3. Specify the HyperTerminal connection details by selecting or entering the appropriate connection
information and click OK.
Figure 4-8: HyperTerminal Connection
4. Edit the serial port settings to ensure proper communication between the server and your computer, and
click OK. Alternately, click Restore Defaults to use the default settings.
Data bits: 8
Parity: None
Stop bits: 1
The Server Initialization and Setup Wizard appears as shown in the following figure.
Figure 4-11: Server Initialization and Setup Wizard
IP Address: Choose an IP address that is compatible with the network segment on which the server is
connected. The server must belong to the same subnet.
Subnet Mask: Enter the mask of the network segment to which the server is connected.
Gateway IP Address: Enter the IP address of the gateway, for the subnet on which the server is
connected. Ethernet traffic from the subnet is forwarded to another network through the gateway.
Primary DNS IP Address: Specify the IP address of the primary DNS server used by the enterprise
server to resolve DNS entries.
Secondary DNS IP Address: Specify the IP address of the secondary (alternate) DNS server used by
the enterprise server to resolve DNS entries.
Tertiary DNS IP Address: Specify the IP address of the tertiary (alternate) DNS server used by the
enterprise server to resolve DNS entries.
DNS Suffix: Append this suffix to the unqualified domain name to generate a fully qualified domain name.
You can reset the server tag using the set server tag command. For details, refer to the Server Tagging
chapter in this guide.
The server initialization completion message screen appears as shown in the following figure.
Figure 4-19: Server Initialization Completion Message
Press y to reboot the server for the changes to take effect. If you choose to reboot later press n. The server
Config Shell prompt appears. You must reboot the server on completion of the Initialization and Setup Wizard
before you access the server from the AirTight Management Console (GUI).
Note: On the Config Shell prompt, you can type the help command to view the list of available commands.
Sensors/APs on a DHCP enabled subnet can connect to the server with zero-configuration.
Requirements
Processor
Processor Speed
Memory
1 GB (minimum)
Screen Resolution
1024X768 (recommended)
Requirements
Windows 2000 or XP
Browser
If the license key is valid, the Login screen is displayed. Otherwise, an error message is displayed.
You can log in with user name admin and password admin.
5.
This chapter describes the commands in the Server Config Shell used to reconfigure and maintain the server after
running the Server Configuration Wizard. Some commands display the status of the server.
Table 5-1: Database Commands
Command
Description
db backup
db clean
db maintain
db reset
db restore
upload db backup
Description
get allowed ip
Displays the list of IP addresses or subnets that are allowed to access this
device
get cert
get certreq
get date
Displays the current time zone, date, and time on the server
get debug
If the server is in FIPS 140-2 mode, the command returns ON. If the server is in
default mode, the command returns OFF.
get ha
get ha help
get interface
get hddcheck
Displays the number of bad blocks found on the hard disk drive.
get lldp
get msmcontroller cert
get msmcontroller certreq
get network
get route
Displays the complete server configuration which includes the server ID, server
version, server build, MAC address of the network and HA interface, server
mode, server time zone, date and time settings, WLSE integration settings,
settings of network interfaces, and server processes
Runs a server consistency check and displays the results. If any fatal item fails,
a failure result is recorded
get serverid
get ssh
get status
get version
Displays the version and build information of all the server components
Description
set allowed ip
Sets the list of IP addresses or subnets that are allowed to access this device
set cert
Installs a signed SSL certificate issued for the request generated using get
certreq
set date
Sets the current time zone, date, and time information on the server; the server
must be rebooted for the date/time information to take effect
set dbserver
set erase
set communication passphrase
Set a passphrase of 10-127 characters. The shared secret is derived from this
passphrase
set communication key
Set a passphrase of 10-127 characters. The shared secret is derived from this
passphrase
set communication key default
Sets the operation mode of the server to either FIPS 140-2 validated mode or
default mode
set ha
set ha failover
Sets the timeout, in seconds, after which the data sync link down event is
generated. The default timeout is 10 seconds.
set ha redirector addrs
set ha standby password
set interface
IPv6 configuration
set license
Downloads license from remote server and applies it on the AirTight server.
set network
Sets the network interface (eth0) configuration including the IP address, subnet
mask, gateway, DNS address, and DNS prefix
Changes the product name. The default product name is AirTight Management
Console. This can be changed to SpectraGuard Enterprise, if required. No other
names are allowed.
set route
set sensor discovery
Sets the state of the pinhole reset button on the sensor (available for select
sensor models only)
set server
set serverid
set server discovery
Sets a custom tag on the server to identify the server and the files and objects
associated with the server.
set ssh
set lldp
set webserver
Description
exit
help
passwd
Allows the admin to change the config shell password that adheres to the
password policy set for users from the GUI. The password policy will be enforced
only at the time of change in password, and, therefore, will not be effective for
current password.
traceroute6 <IPv6 address or hostname>
ping <Hostname/IP Address>
Pings a host
reboot
reset factory
Sets the Graphical User Interface (GUI) password for the user admin to the
factory default admin
shutdown
traceroute
upgrade
Upgrades the server using the specified upgrade bundle from an HTTP location
force autodeletion
Description
cluster set
cluster reset
Adds a child to a server cluster. This command must be executed on the parent
server in the server cluster.
cluster delete child
Displays the status of a server cluster. Using this command you can check
whether a server is in a cluster and/or the status of a server in a cluster. This
command can be executed on any server regardless of whether it is in a server
cluster or not.
6.
A server cluster is an interconnected group of servers. A server cluster comprises a parent server and one or
more child servers.
A server cluster is created to manage multiple servers using a single server. This managing server is called the
parent server and the servers that are managed from the parent server are called the child servers. The parent
server retrieves aggregated data from multiple child servers in the cluster and displays it on the AirTight
Management Console along with the parent server data. You can also push common policies onto multiple child
servers from a parent server.
A server (parent server or child server) can be a part of only one cluster at any given point. A child server cannot
be the parent of any other server in the cluster.
The creation of a server cluster and management of servers in the server cluster is done using the server
command line console. Viewing of the aggregated server cluster data and management of policies on the child
servers from the parent server in the cluster is done through AirTight Management Console.
Following are the prerequisites to create a server cluster.
The AirTight Wi-Fi/AirTight WIPS servers that form a cluster must have the same version and build
number.
A valid license must have been applied to all child servers to be added to the server cluster.
The child server must not be a part of any other server cluster.
You can perform five cluster-related operations from the server command line console. They are as follows.
1. Set up a server cluster/assign parent server to a server cluster.
2. Add a child server to a server cluster.
3. Delete or remove a child server from a server cluster.
4. Delete an entire server cluster.
5. Check the status of servers in a cluster or check if a server is part of a cluster.
The servers in a server cluster are assigned IDs when they become a part of the server cluster. A parent server is
assigned 1 as ID in the cluster. As and when the child servers are added, they are assigned sequentially
incrementing IDs. The child server added first is assigned 2 as ID, the next one is assigned 3 as ID and so on.
After creating the cluster, you must mount the child servers on the parent server location tree, to be able to view
aggregated server data on the UI or push policies from parent server to child server. For details, refer to the
AirTight Management Console User Guide.
5. Enter the config user password. If all the data entered is correct, the server having the specified
hostname/IP address is added as a child server in the server cluster.
Refer to the screenshot below for the cluster add child command.
Figure 6-2: cluster add child Command
Refer to the screenshot below for the cluster delete child command.
Figure 6-3: cluster delete child Command
7.
An AirTight server can be assigned a tag to identify the server and specific files and objects associated with that
server.
Prior to the 7.1U4r1 release, if you have a setup with multiple AirTight servers and you download a specific type of
file, say Audit Log, from each server, you would notice that the files have similar names. This similar file naming
applies to multiple downloadable files and to files related to server database backup. Although you can identify the type
of file and the content from the filename, identifying the source of the file is not possible. This makes it difficult to
distinguish which file belongs to which server.
Starting with 7.1U4r1 release, a tag assigned to a server is used in the names of files that are downloaded from
that server and in database backup-related files for that server. This makes it easier to identify the point of origin
for these files.
Debug file
Old Name: server_$ETH0MAC_MMDDHHMM.tgz
New Name: AMC_Srv-USeast-03_debug_ETH0MAC_YYYYMMDDHHMMSS.tgz
This file is dependent on the AMC build number and not AMC server itself
Generated Report
Old Name: AMCReport_ID_21_2_RANDOM_MMDDYYYY_HH_MM_SS.pdf
New Name: AMC_Srv-USeast-03_Report_ID_REPORTID_REPINSTID_YYYYMMDDHHMMSS.pdf
Archived Report
Old Name: Archived_Report_1_1_RANDOMSTRING.pdf
New Name: AMC_Srv-USeast-03_Archived_Report_USERID_ARCHIVEREPORTID_RANDOMUUID.pdf
Audit logs
Old Name: UAL_MMDDYYYY_HH_MM_SS.csv
New Name: AMC_Srv-USeast-03_UAL_ETH0MAC_YYYYMMDDHHMMSS.log
Visibility Analytics
Old Name: Visibility_Analytics_MMDDYYYY_HH_MM_SS.csv
New Name: AMC_Srv-USeast-03_Visib_Analytics_YYYYMMDDHHMMSS.csv
Association Analytics
Old Name: Association_Analytics_MMDDYYYY_HH_MM_SS.csv
New Name: AMC_Srv-USeast-03_Assoc_Analytics_YYYYMMDDHHMMSS.csv
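As an added illustration (not code from AirTight or from this guide), the Python sketch below parses the tagged file names listed above so that audit logs and other artifacts collected from several servers can be grouped by originating server. It assumes the literal AMC_ prefix shown in the examples and that a tag never contains one of the artifact markers, and it treats the MAC and ID fields as opaque tokens; the sample file names are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Artifact markers taken from the "New Name" patterns listed in this chapter.
KINDS = {
    "debug": "debug bundle",
    "Report_ID": "generated report",
    "Archived_Report": "archived report",
    "UAL": "audit log",
    "Visib_Analytics": "visibility analytics",
    "Assoc_Analytics": "association analytics",
}

# Assumption: names start with the literal "AMC_" and the server tag is
# everything between that prefix and the first artifact marker.
NAME_RE = re.compile(
    r"^AMC_(?P<tag>.+?)_(?P<kind>" + "|".join(KINDS) + r")_(?P<rest>.+)"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)


def parse_tagged_name(filename):
    """Return tag, artifact kind and timestamp, or None for an untagged name."""
    match = NAME_RE.match(filename)
    if match is None:
        return None  # old-style name: the source server cannot be identified
    fields = match.group("rest").split("_")
    stamp = None
    # Most patterns end in YYYYMMDDHHMMSS; archived reports end in a UUID.
    if re.fullmatch(r"\d{14}", fields[-1]):
        try:
            stamp = datetime.strptime(fields[-1], "%Y%m%d%H%M%S")
        except ValueError:
            stamp = None  # 14 digits that are not a valid date
    return {
        "file": filename,
        "tag": match.group("tag"),
        "kind": KINDS[match.group("kind")],
        "fields": fields,
        "timestamp": stamp,
    }


def group_by_server(filenames):
    """Group file names by server tag; collect names with no tag separately."""
    by_tag, untagged = defaultdict(list), []
    for name in filenames:
        info = parse_tagged_name(name)
        if info is None:
            untagged.append(name)
        else:
            by_tag[info["tag"]].append(info)
    for items in by_tag.values():
        # Oldest first; entries without a timestamp go last.
        items.sort(key=lambda i: (i["timestamp"] is None,
                                  i["timestamp"] or datetime.min))
    return dict(by_tag), untagged


# Constructed sample names (tags, MAC, IDs and dates are made up).
SAMPLE_FILES = [
    "AMC_Srv-USeast-03_UAL_001122AABBCC_20150312101500.log",
    "AMC_Srv-USeast-03_debug_001122AABBCC_20150311235959.tgz",
    "AMC_Srv-EUwest-01_Visib_Analytics_20150312080000.csv",
    "AMC_Srv-EUwest-01_Archived_Report_4_17_0f8fad5b-d9cb-469f-a165-70867728950e.pdf",
    "UAL_03122015_10_15_00.csv",  # old-style name without a tag
]

if __name__ == "__main__":
    grouped, unknown = group_by_server(SAMPLE_FILES)
    for tag, items in grouped.items():
        for item in items:
            print(tag, item["kind"], item["timestamp"], item["file"])
    print("no server tag:", unknown)
```

Files that land in the untagged list are the ones whose origin has to be recorded by hand at collection time.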
8.
Solution
The subnet mask of the computer used to configure the server may not
be the same as that of the server. Change the subnet mask of the
computer so that it is in the same subnet as the server.
The default gateway and preferred DNS server settings of the computer
used to access the server console may be incorrect. Ensure that the
default gateway and preferred DNS server settings of the computer used
to access the server console match the server settings.
The server ID used by the server may be used by another server on the
network. Verify that no other server with the server ID set for the server
is running on the network.
Change the server ID using the set serverid command.
Check if the server is powered on. If the server is not powered on,
switch it on. Else, check the IP Address or the DNS name on the Server
Config Shell.
Important: Ensure that you have used the correct IP address or the
DNS name to connect to the server.
If the IP address or the DNS name is correct, try pinging other
computers on the network from the Server Config Shell interface.
If the problem still exists, reset the server and attempt to reconnect to the
server.
If you are logging in for the first time, refer to the Initializing section for
the default login name and password.
Try recovering the password using the Recover option in the Forgot
Password? section of the Login Screen.
Problem
Solution
Close the browser and try connecting to the server in another window.
If you cannot connect to the server, follow the steps listed in the first
problem of this table.
Please log into the sensor and set the correct passphrase.
or
or
9.
Starting with the 7.1U4r1 release, AirTight server provides CLI commands that enable you to define an Ethernet
interface dedicated for management traffic. Management traffic comprises traffic from the UI, API calls, database
backup, etc. Other traffic, such as infrastructure/operational traffic, would then be made available only on the
network interface eth0. This traffic comprises server-sensor communication, HA data synchronization, cluster,
WLAN controller, AirTight Mobile, etc.
AP/Sensor connection
MSU Cluster
You can also specify which traffic originating from the server destined to specific remote hosts/networks must go
through the management interface rather than the network interface eth0. To achieve this, you must provide a list of
such hosts/networks in the set management interface command.
Some examples of outgoing traffic and remote hosts/networks are:
NTP server
LLDP receiver
Upgrade availability
In the case of an HA setup, the management interface must be set on the active and standby server. The HTTP
redirector is started in the management interface of the standby server and it redirects the HTTP/HTTPS traffic to
the management interface of the active server.
Prior to the 7.1U4r1 release, only the HA traffic was routed from eth1, if Data Sync Link was set to eth1. Starting
with the 7.1U4r1 release, if a management interface is enabled in an HA setup, then Data Sync Link cannot be
set to eth1. The data synchronization would happen over eth0.
Note: eth0 and eth1 interfaces must be on different subnets. In the case of an HA setup, all the four interfaces
(eth0 and eth1 on the active and standby servers) must be on different subnets.
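The addressing rules in the note above can be checked before running the wizard. The following Python sketch is an added example, not part of the product: it verifies that each gateway lies inside its interface's subnet and that no two interfaces share or overlap a subnet. The interface labels and all addresses are constructed.

```python
import ipaddress
from itertools import combinations


def check_plan(plan):
    """Return a list of problems found in an interface addressing plan.

    plan maps a label (hypothetical, e.g. "active-eth0") to a tuple of
    (ip_address, subnet_mask, gateway_or_None), as entered in the wizard.
    """
    problems = []
    networks = {}
    for label, (ip, mask, gateway) in plan.items():
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
        net = iface.network
        networks[label] = net
        # Network and broadcast addresses are not usable host addresses
        # (except on point-to-point and single-host prefixes).
        if net.prefixlen < net.max_prefixlen - 1 and iface.ip in (
            net.network_address,
            net.broadcast_address,
        ):
            problems.append(f"{label}: {ip} is not a usable host address in {net}")
        # The gateway must be reachable on the interface's own subnet.
        if gateway is not None and ipaddress.ip_address(gateway) not in net:
            problems.append(f"{label}: gateway {gateway} is outside {net}")
    # Every pair of interfaces must be on different subnets.
    for (a, net_a), (b, net_b) in combinations(networks.items(), 2):
        if net_a.version == net_b.version and net_a.overlaps(net_b):
            problems.append(f"{a} and {b} are on the same or overlapping subnets")
    return problems


# Constructed HA plan that satisfies the note: four distinct subnets.
GOOD_PLAN = {
    "active-eth0": ("10.10.1.10", "255.255.255.0", "10.10.1.1"),
    "active-eth1": ("10.10.2.10", "255.255.255.0", "10.10.2.1"),
    "standby-eth0": ("10.10.3.10", "255.255.255.0", "10.10.3.1"),
    "standby-eth1": ("10.10.4.10", "255.255.255.0", "10.10.4.1"),
}

# Constructed plan with two mistakes: standby-eth1 reuses the subnet of
# active-eth1 and points at a gateway on another network.
BAD_PLAN = dict(GOOD_PLAN)
BAD_PLAN["standby-eth1"] = ("10.10.2.11", "255.255.255.0", "10.10.9.1")

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        issues = check_plan(plan)
        print(name, "plan:", "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```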
On running the set management interface command, a CLI wizard is initiated.
1. If disabled, enable the management interface.
The management interface is disabled by default.
2. The command results in a restart of the Web server. Confirm whether you want to continue with running
the command.
3. Specify the IP address, subnet mask, and gateway IP address of the management interface.
Events
Performance data
Analytics data
All OSS/BSS CSV files of Performance Statistics
Archived Reports
Fetched AirTight Mobile reports
Transient Data
o SSIDs Probed by Clients
o Client fingerprinting
Note: For full backup, the analytics data and performance data can be backed up only if the appropriate
license for Analytics and Performance features is applied on the server.
When performing a configuration-only backup, you can choose whether the data related to client devices must be
backed up or not. This includes all Client devices and related data, such as probed SSIDs, and other transient
data. The default option is to exclude Client data.
Description
The available options are:
Remote server IP
address/DNS name
4.
The following figures show an example of full backup and configuration-only backup by using the db backup
command.
Figure 10-2: Full Backup
You can view the backup file details on the AirTight Management Console under Configuration>System
Settings>System Status. The following image illustrates the backup files stored on the server as seen on the
AirTight Management Console.
Figure 10-4: Backup Files on AirTight Management Console
Description
The available options are:
Note: The server is backward compatible, that is, pre-version 6.2 sensors can connect to a version 6.8
server. However, this is not recommended. After all sensors have been upgraded to version 6.8, the set
sensor legacy authentication CLI command can be used to prevent older sensors from connecting to
the server.