Configure using cz-setup


This section guides you through the interactive configuration dialogue for the first appliance. The dialogue asks you to create a system administration password for the "admin" user. Remember this password, as you will need it later to log in to the Admin UI.

Step 1. Log in to the appliance

To run cz-setup, you need console access to the appliance.

In this example, the ISO appliance image was used to create a new VM:

A screenshot of a terminal on an Oracle VM VirtualBox.

Step 2. Run cz-setup

To start the Appliance setup process:

  1. Enter sudo cz-setup

  2. You will see the following Appliance setup screen:

A screenshot of the cz-setup Appliance setup window.

  3. Select the first option: Seed - Configure the appliance as a first Controller

NOTE

The other options shown here are not needed at this time and are detailed in the cz-setup and cz-config commands section.

Step 3. Configure the appliance

Go to each section in the Configure appliance as first Controller menu to configure the Controller:

A screenshot of the cz-setup Configure Appliance menu.

Hostnames

The AppGate ZTNA system works with self-signed certificates, so the correct hostnames for the Appliance and for the Profile DNS name must be established now to avoid re-issuing certificates later. Both names are added to the certificate.

Appliance Hostname

Choose a unique hostname (FQDN); it will appear in the Appliance Hostname/IP field in System Settings for the new appliance. The hostname must be unique within its first 39 bytes (39 ASCII characters). The other appliances in the Collective, including Controllers, use this hostname to reach the appliance.

Using an IP address instead of a hostname is not recommended, because a hostname is needed:

  • for correct HA operation (DNS round robin);

  • to allow the underlying IP address to be changed later, whereas a hostname, once in the certificate, cannot be changed so easily;

  • to avoid the Controller being unable to talk to itself when it sits behind a NATing firewall.

Profile DNS Name

A default DNS name starting with sdp-controllers is created for you but can be edited before moving to the next step.

NOTE

If you want to change the DNS name, do this now as changing it later will require certificates to be renewed, new Client profiles to be generated, and these will have to be re-distributed to all your users.

Clients use the Profile DNS Name to connect to the Controllers in the Collective. They connect on port 443, which is protected by SPA and carries encrypted traffic, so make sure this hostname is also resolvable by any external DNS server your Clients use (see Network connectivity). If you need to change the Profile DNS Name later, it appears in Global Settings as the Global Client Profile DNS name.

A screenshot of the cz-setup Configure Hostnames window.

NOTE

It is also possible to add extra hostnames (to the certificate) later.
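As an added example (not part of cz-setup or the AppGate documentation), the following bash functions encode the naming rules from this section so that the names can be checked before they are typed into the dialogue: the Appliance Hostname must be an FQDN rather than an IP literal, all appliance hostnames in a Collective must differ within their first 39 bytes, and the Profile DNS Name must itself be a DNS name. The hostnames used in the sample run are constructed for illustration.

```bash
#!/usr/bin/env bash
# Pre-flight checks for the names entered under cz-setup > Hostnames.
# Added example; not part of cz-setup or the AppGate ZTNA product.
# Rules encoded (from the section above):
#   - the Appliance Hostname is an FQDN, never an IP literal
#   - appliance hostnames in a Collective differ within their first 39 bytes
#   - the Profile DNS Name is a resolvable DNS name, never an IP literal

# Returns 0 when $1 is an IPv4 or IPv6 literal.
is_ip_literal() {
  case "$1" in
    *:*) return 0 ;;   # a colon only occurs in IPv6 literals
  esac
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Returns 0 when $1 is a syntactically valid FQDN: RFC 1123 labels,
# at least one dot, no label longer than 63, total length at most 253.
is_fqdn() {
  local n
  n=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  [ "${#n}" -le 253 ] || return 1
  case "$n" in *.*) ;; *) return 1 ;; esac
  printf '%s' "$n" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# Validates one name; prints a verdict and returns 1 on rejection.
# $1 = name, $2 = label used in the message (e.g. "Appliance Hostname")
check_name() {
  local n="$1" what="$2"
  if is_ip_literal "$n"; then
    echo "REJECT $what '$n': IP literal; use an FQDN so certificates and DNS round robin keep working"
    return 1
  fi
  if ! is_fqdn "$n"; then
    echo "REJECT $what '$n': not a valid FQDN"
    return 1
  fi
  echo "OK $what '$n'"
}

check_appliance_hostname() { check_name "$1" "Appliance Hostname"; }
check_profile_dns_name()   { check_name "$1" "Profile DNS Name"; }

# Takes every planned appliance hostname as arguments; returns 1 when two of
# them share the same first 39 bytes (the uniqueness limit stated above).
check_prefix_uniqueness() {
  local n prefix seen="|"
  for n in "$@"; do
    prefix=$(printf '%s' "$n" | head -c 39)
    case "$seen" in
      *"|$prefix|"*)
        echo "REJECT '$n': first 39 bytes collide with another appliance hostname"
        return 1 ;;
    esac
    seen="$seen$prefix|"
  done
  echo "OK: $# hostnames are unique within their first 39 bytes"
}

# Constructed sample run (hypothetical names):
check_appliance_hostname ctl1.corp.example.com
check_profile_dns_name   sdp-controllers.corp.example.com
check_prefix_uniqueness  ctl1.corp.example.com ctl2.corp.example.com
check_appliance_hostname 192.0.2.10 || true   # rejected: IP literal
```

Run the uniqueness check over the hostnames of every appliance you plan to add, not just the first Controller; long site-specific names that only differ after the 39th byte are the usual way to trip this rule. Whether the Profile DNS Name is actually resolvable from outside must still be confirmed against the external resolvers your Clients use (for example with dig), which a syntax check cannot do.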

Customization

Although disabled by default, the appliance can run a script to support third-party add-ons such as external reporting or monitoring agents. Enable this by setting the option to true. See Adding third party executables for more information.

NICs

Add interface

The system should detect interfaces automatically at boot. If network adapters need to be added manually, selecting Add interface adds a new adapter to the interface list. The first network adapter is labeled eth0, the second eth1, and so on.

The system requires only one interface. Once the necessary interface(s) exist, configure each of them by selecting Configure ethX. To remove an interface, select its Configure ethX entry.

NOTE

When configuring a public interface, use the static IP addresses option and ensure that your end-user Clients, and any machines that connect to that interface for the Admin UI, can reach that IP address and/or hostname.

Configure ethX

Selecting Configure ethX will bring up the following options:

Use DHCP for IPv4/IPv6. Select this option if you do not need a static address. Press Enter to change the value to True. If you use DHCP, make sure DNS is also set up correctly for that IP address, using the hostname you specified in the Hostnames section. If this is not possible, use a static IP allocation.

IPv4/IPv6 static addresses. Enter the static IP address and the correct prefix length (netmask bits). You can optionally add a hostname that will be linked to this IP address.

If two interfaces are used, one can face the Internet and the other the internal network. The internal adapter could be used for administration of the appliance, for example; unwanted Client traffic to this administration interface can be blocked later in the Admin UI by specifying which source networks are allowed to connect. Alternatively, you could add a Gateway to this appliance later and use the interface to reach applications and services.

Routes

In this section you configure your network routes for IPv4 and IPv6. If you selected DHCP on one of the interfaces, you may not need a default gateway.

Add route. If the internal network has non-adjacent subnets, configure the additional static routes here. Leave this empty if no additional routes are needed.

Add default gateway for IPv4/IPv6. If all IPv4 or IPv6 addresses are static, set a default gateway here. This is not needed if you selected DHCP on the network interface.

Hosts

Add hosts-file entry. Each entry added here is written to the /etc/hosts file of the system. For example, you can add entries for other Gateways or LogServers that an external DNS cannot resolve. However, we recommend that you always use a properly set-up DNS server.

If you are not using a DNS server for your domains, do not add any of the hostnames you configured in the Hostnames section as host entries. Any other hostnames can be added as host entries.
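As an added example (not cz-setup code), this bash function lints a hosts-file fragment against the names you configured: it flags lines whose first field is not an address, lines without a hostname, and any occurrence of the Appliance Hostname or Profile DNS Name, which the paragraph above says should not be added as host entries. The addresses and names in the sample file are constructed.

```bash
#!/usr/bin/env bash
# Lint a hosts-file fragment against the names configured in cz-setup.
# Added example; not part of cz-setup or the AppGate ZTNA product.
#
# lint_hosts_entries <file> <configured-name>...
#   Returns 1 and prints a reason when:
#     - a line's first field is not an IPv4/IPv6 literal
#     - a line carries an address but no hostname
#     - a configured name (Appliance Hostname or Profile DNS Name) appears
#       in the file; those must not be host entries

is_ip_literal() {
  case "$1" in *:*) return 0 ;; esac
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

lint_hosts_entries() {
  local file="$1"; shift
  local configured="$*"
  local rc=0 lineno=0 raw line addr name cfg
  while IFS= read -r raw || [ -n "$raw" ]; do
    lineno=$((lineno + 1))
    line="${raw%%#*}"                                   # drop comments
    case "$line" in *[![:space:]]*) ;; *) continue ;; esac   # skip blank lines
    set -- $line                                        # split on whitespace
    addr="$1"; shift
    if ! is_ip_literal "$addr"; then
      echo "line $lineno: first field '$addr' is not an IP address"; rc=1
    fi
    if [ "$#" -eq 0 ]; then
      echo "line $lineno: no hostname given for $addr"; rc=1
    fi
    for name in "$@"; do
      for cfg in $configured; do
        if [ "$name" = "$cfg" ]; then
          echo "line $lineno: '$name' is a cz-setup configured name; do not add it as a host entry"; rc=1
        fi
      done
    done
  done < "$file"
  return "$rc"
}

# Writes a constructed sample file (hypothetical addresses and names) to $1.
write_sample_hosts() {
  cat > "$1" <<'EOF'
# internal systems that the external DNS does not know about
10.0.1.20   gw1.internal.example.com
10.0.1.30   logserver.internal.example.com
192.0.2.10  ctl1.corp.example.com            # wrong: configured Appliance Hostname
gw2.internal.example.com 10.0.1.21           # wrong: fields reversed
EOF
}

# Constructed sample run: two of the four entries are reported.
tmp=$(mktemp)
write_sample_hosts "$tmp"
lint_hosts_entries "$tmp" ctl1.corp.example.com sdp-controllers.corp.example.com || true
rm -f "$tmp"
```

The function reads the same format that the Add hosts-file entry field ends up writing, so it can be run against a copy of /etc/hosts taken from the appliance after configuration as well as against a planning file.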

DNS Servers

Add DNS server. If you are not using DHCP, use this field to add the DNS server that the system uses to resolve names. To add further DNS servers for resolving, select Add DNS server again after configuring the first. If DHCP is used, the DNS server is inherited from the DHCP lease.

NTP Servers

Add NTP Server. Use this field to add an NTP server or select an existing one. The standard Ubuntu NTP servers are assigned automatically.

Passwords

Set "cz" user password. Enter the password for the cz user. The "cz" user is a Linux account on your Appliance; with it you can log in on the console or over SSH and run administrative commands with the built-in sudo utility.

Set "admin" user password. Enter the password for the admin user. The "admin" user exists in the Controller's local database as "Builtin Administrator" and has system administration privileges. With this account you can log in to the web-based Admin UI and configure the AppGate ZTNA system.

For non-Cloud deployments you must set a password for both users to continue. Images pre-configured for Cloud deployments may allow only private-key-based access.

Step 4. Apply configuration

After completing each step in the menu, select Apply configuration.

Select <Yes> to continue. Your settings are applied and the Controller is initialized.

Select <No> to go back to the menu and change any of the settings.

NOTE

It may take some time for the initialization process to complete.

A screenshot of cz-setup self-registration in progress.

NOTE

If you wish to cancel the configuration process, quit the menu by pressing <Esc>. You will be prompted to confirm; if you quit the menu without applying the configuration, any settings you have entered are lost.

Step 5. Registration complete

Once the registration process is complete, some suggested next steps are presented.

The URL of your first Controller is shown at the bottom. Use it to go to the sign-in screen.

A screenshot of the Registration Completed window of cz-setup.