KB10162 - Determine Topology and Connect the PCS device(s) to the network


Last Modified Date: 9/19/2015 7:04 PM
Synopsis
This article describes the possible topologies the PCS can be deployed in and gives a brief overview of connecting the devices to the network.
Problem or Goal
  • What topology should I use for my PCS?
  • Where should I place the PCS in my network?
Cause
Solution

Topology

For all but the 6000 series, you have only two ports to connect to your network: an Internal port and an External port. Depending on your security needs, you have several different options:

1 arm no DMZ

The simplest setup is to put the PCS device behind a NAT router that forwards traffic to the PCS device. In this scenario only the internal port is connected.

1_arm_no_dmz.jpg
Pros:
  • Easiest to set up.
Cons:
  • Does not protect against external attacks.
  • Your network relies only on the PCS configuration to secure your internal network.
  • Bandwidth can be an issue, since the internal and external traffic travel on the same line.

1 arm in DMZ

This setup also involves only the internal port. The difference from the previous setup is that the PCS is behind a firewall instead of a router. This setup is actually the most complex to set up because it requires two sets of rules: one for traffic going to the PCS and one for traffic leaving the PCS.

At minimum, the firewall needs to be configured to allow port 443 to the PCS. It is recommended that you also allow ports 80 and 4500 to the PCS. Port 80 allows users to make a request to the PCS over HTTP; the PCS then redirects the request to HTTPS automatically. Port 4500 is for Network Connect, if it is being used.

Which ports you allow from the PCS to your internal network depends on what you use the PCS for. For example, if you are using the PCS to publish your internal company website, it makes sense to allow ports 80 and 443 from the PCS to your internal network.
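The two rule sets described above, as an added example that is not part of the KB article: a small default-deny model of the "1 arm in DMZ" firewall policy that lets a proposed rule set be sanity-checked against sample flows before it is pushed to the firewall. The PCS address (192.0.2.10), the internal web server (10.0.0.5), the remote client address and the use of UDP 4500 for Network Connect are assumptions of this example.

```python
# Added example (not from the KB article): model of the two DMZ rule sets.
# Assumptions: PCS at 192.0.2.10, internal network 10.0.0.0/24, internal
# web server 10.0.0.5, Network Connect on UDP 4500. All sample flows below
# are constructed for illustration.
from dataclasses import dataclass

PCS_IP = "192.0.2.10"
INTERNAL_PREFIX = "10.0.0."   # prefix match keeps the example dependency-free

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

# Rule set 1: Internet -> PCS. 443 is mandatory; 80 (HTTP -> HTTPS redirect)
# and 4500 (Network Connect) are the recommended additions.
TO_PCS = {("tcp", 443), ("tcp", 80), ("udp", 4500)}

# Rule set 2: PCS -> internal network. Only the services actually published
# through the PCS (here an intranet web site) are opened.
FROM_PCS = {("tcp", 80), ("tcp", 443)}

def allowed(flow: Flow) -> bool:
    """Default-deny evaluation of one flow against the two rule sets."""
    if flow.dst == PCS_IP and not flow.src.startswith(INTERNAL_PREFIX):
        return (flow.proto, flow.dport) in TO_PCS
    if flow.src == PCS_IP and flow.dst.startswith(INTERNAL_PREFIX):
        return (flow.proto, flow.dport) in FROM_PCS
    return False   # anything the topology does not describe is dropped

def audit(flows):
    """Return the subset of flows the policy would let through, for review."""
    return [f for f in flows if allowed(f)]

if __name__ == "__main__":
    samples = [
        Flow("198.51.100.7", PCS_IP, "tcp", 443),      # remote user, HTTPS
        Flow("198.51.100.7", PCS_IP, "tcp", 80),       # redirected to HTTPS
        Flow("198.51.100.7", PCS_IP, "udp", 4500),     # Network Connect
        Flow("198.51.100.7", PCS_IP, "tcp", 22),       # not needed: dropped
        Flow(PCS_IP, "10.0.0.5", "tcp", 443),          # PCS -> intranet site
        Flow(PCS_IP, "10.0.0.5", "tcp", 445),          # PCS -> SMB: dropped
        Flow("198.51.100.7", "10.0.0.5", "tcp", 443),  # bypasses PCS: dropped
    ]
    for f in samples:
        print("ALLOW" if allowed(f) else "DROP ", f)
```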

1_arm_in_dmz.jpg
Pros:
  • You are relying on a firewall as well as the PCS policies to secure your network.
  • Deeper inspection of traffic is possible because traffic leaving the PCS is no longer encrypted when it reaches the firewall.
  • Can be set up to help protect against some attacks.
Cons:
  • Most complex to set up.
  • Bandwidth can be an issue, since the internal and external traffic travel on the same line.

2 arm no DMZ

All of the topologies from here on use both the internal and external ports. The internal port is connected to your internal network and the external port faces the Internet. This setup is fairly simple. Set up the PCS so that it sits parallel to your firewall, if you have one. If you are using only a NAT router, simply connect the external port of the PCS to the router and the internal port to a switch, router, or hub on your internal network.

2_arm_no_dmz.jpg
Pros:
  • Easy to set up.
  • The external client traffic and your internal traffic are separated onto separate lines, theoretically doubling the available bandwidth.
Cons:
  • Your network relies only on the PCS configuration to secure your internal network.

2 arm external DMZ

In this scenario the external port is connected to a firewall that blocks all unneeded traffic to the PCS. The PCS's internal port connects directly to the internal network.

2_arm_ext_dmz.jpg
Pros:
  • Easy to set up.
  • Can be set up to help protect against some external attacks.
  • The external client traffic and your internal traffic are separated onto separate lines, theoretically doubling the available bandwidth.
Cons:
  • Your network relies only on the PCS configuration to secure your internal network.

2 arm internal DMZ

In this scenario the external port is connected to a router that goes to the Internet. The PCS's internal port connects to a firewall that restricts the traffic coming from the PCS.

2_arm_int_dmz.jpg
Pros:
  • Easy to set up.
  • Deeper inspection of traffic is possible because traffic leaving the PCS is no longer encrypted when it reaches the firewall.
  • The external client traffic and your internal traffic are separated onto separate lines, theoretically doubling the available bandwidth.
Cons:
  • Does not protect against external attacks.

2 arm 2 DMZ

The most secure setup. This puts both the internal and external ports behind firewalls. The external port connects to a firewall that connects to the Internet and blocks all unneeded traffic. The internal port connects to a firewall that is connected to the internal network; this firewall blocks any traffic the PCS generates that should not be sent to the internal network.

2_arm_2_dmz.jpg
Pros:
  • Can be set up to help protect against some external attacks.
  • Deeper inspection of traffic is possible because traffic leaving the PCS is no longer encrypted when it reaches the firewall.
  • The external client traffic and your internal traffic are separated onto separate lines, theoretically doubling the available bandwidth.
Cons:
  • Moderately difficult to set up.

The special case of the SA-6000 series

The SA-6000 series is a special case because there are three extra ports to consider. The good news is that these three ports do not have to be used, so the same topologies can be applied.

These devices come with a management port meant to separate management-related traffic such as SNMP, syslog, archiving, etc. onto a separate network dedicated to that purpose. If you do not have a separate network for your management data, it is recommended that you simply leave the management port disconnected and unconfigured. This traffic will then go through the internal port.

The other two ports are SFP (Small Form-Factor Pluggable) sockets, which allow different network interfaces such as fiber to be used. The catch is that an SFP port is only usable if its Ethernet counterpart is in a "Down" state. For example, suppose you have plugged two fiber connectors into the SFP ports. If all four ports are connected, int, 1 (external), 2 (top fiber), 3 (bottom fiber), the top fiber port only enables itself if the int port cannot establish a network connection. The same applies to ports 1 and 3. So your choice here is really whether to use only the SFP ports or to set this up to fail over from the Ethernet ports to the SFP ports.

Hardware Setup

Hardware setup is fairly straightforward. The SA boxes all come with rack-mount attachments. If the device will be rack mounted, mount it in the appropriate rack slot. The RA-500 and SA-700 are 1U rack-mountable. The SA-1000, SA-2000, SA-3000 and SA-4000 are all 19" rack-mountable and are 1U in height. The SA-5000 and SA-6000 series are 19" rack-mountable and are 2U in height.

Once the PCS devices have been installed, connect a standard Ethernet cable to the internal port. Connect the other end to the switch, router, or firewall that will connect the PCS to the internal network. If the external port is to be used, connect it to the router or firewall that will connect it to the Internet.

Connect the null modem cable included with the PCS to the serial port on the PCS and to a serial port on a PC. The PC will be used to give the PCS an initial configuration (e.g. IP address, subnet mask) so that it can be reached on the network.

For the SA-6000 devices, connect the management port and, if you are using the SFP ports, remove the protective cover and insert the proper fiber or Ethernet transceiver. Plug the SFP ports into the appropriate switches.

If this is a FIPS installation, insert your smart card into the card reader. This will become your admin card.

The next step in configuration is to perform the Admin Console setup using the serial console. Please continue on to KB10163 - Serial Console and Admin GUI initial setup.

Created By: Data Deployment