Ruckus CP_ES 5.1 (GA) Pre Deployment Checklist (Private VM) Private VM


2017-06-29

Cloudpath ES
Pre-Deployment Checklist
Private VM

Customer Name ________________________________________________________________
Please read through this document thoroughly, complete the pre-deployment requests, and have the
project lead sign off on this checklist on Page 4.

Pre-Deployment Checklist for Enrollment System (ES)
Please review the following document and, if White Glove Deployment services have been purchased,
return it to your Cloudpath Deployment PM.

Information Required From Customer
Which brand of AP/Controller are you using? _________________________________
Are you currently utilizing certificate-based authentication in your network? _______________
Are you currently utilizing a RADIUS server in your network for certificate authentication? __________
Are you using NAC in your network? ___________________________________
Do you plan to use replication in your network? _____
If yes, which configuration do you expect to use?
____Master-Master
____Hub and spoke
Do you have a load balancer? _______ If yes, which vendor? __________________

Information the Customer Should Consider
Before we implement the Enrollment System in your network, you should consider the following
network configurations:
Note: This is a summary of the information provided in the ES Deployment Guide.


The initial firewall configuration should be set up to allow Internet access for the following:
o Access from ES -> xpc.cloudpath.net (TCP 80/443-HTTP/HTTPS)
o Access from ES -> dist2.cloudpath.net (used for ES updates TCP 80/443-HTTP/HTTPS)
o Access from ES -> NTP (UDP 123). Note: This uses 0.centos.pool.ntp.org on the standard NTP port
(123). This can be configured to point to a local server during system setup, if you
prefer.
o Internally, the guest/onboarding VLAN will need access to the wireless controller (this can
be locked down to specific ports after the initial setup).
o The WLAN controller will need layer 3 access to the Cloudpath Server.
If using Active Directory, you need the AD domain information (plus any subdomains) and the IP
address of the AD server. AD groups should be set up before the implementation call.
o The ES/VM should have layer 3 access to Active Directory (port 636 for LDAPS, port 389
for LDAP).
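The flows listed above can be checked from the subnet where the ES VM will sit before the implementation call. The script below is an added example, not part of the Cloudpath documentation; `AD_HOST` is a placeholder and the function names are illustrative.

```python
import socket

# Flows taken from the checklist above. AD_HOST is a placeholder (assumption);
# substitute your own Active Directory server.
AD_HOST = "ad.example.internal"
REQUIRED_TCP = [
    ("xpc.cloudpath.net", 80), ("xpc.cloudpath.net", 443),
    ("dist2.cloudpath.net", 80), ("dist2.cloudpath.net", 443),
    (AD_HOST, 389), (AD_HOST, 636),
]
NTP_SERVER = ("0.centos.pool.ntp.org", 123)

def tcp_open(host, port, timeout=3.0):
    """Return (True, '') if a TCP handshake completes, else (False, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, ""
    except socket.gaierror as exc:
        return False, f"DNS lookup failed: {exc}"
    except OSError as exc:  # refused, timed out, unreachable
        return False, str(exc) or type(exc).__name__

def ntp_answers(host, port=123, timeout=3.0):
    """Send one SNTP client request; True only if a server-mode reply returns."""
    request = b"\x1b" + 47 * b"\x00"  # LI=0, VN=3, Mode=3 (client)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(request, (host, port))
            reply, _ = sock.recvfrom(512)
    except OSError:  # no route, DNS failure, or no reply before the timeout
        return False
    return len(reply) >= 48 and (reply[0] & 0x07) == 4  # Mode 4 = server

def preflight(tcp_flows=REQUIRED_TCP, ntp=NTP_SERVER, timeout=3.0):
    """Return (description, ok, detail) rows, one per required flow."""
    rows = []
    for host, port in tcp_flows:
        ok, why = tcp_open(host, port, timeout)
        rows.append((f"tcp {host}:{port}", ok, why))
    rows.append((f"udp {ntp[0]}:{ntp[1]} (NTP)", ntp_answers(*ntp, timeout), ""))
    return rows

if __name__ == "__main__":
    for name, ok, why in preflight():
        print(f"{'PASS' if ok else 'FAIL'}  {name}  {why}")
```

A passing TCP row shows only that the firewall permits the connection; it does not confirm that LDAP or LDAPS binds will succeed.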
Your wireless controller must be WPA2-Enterprise capable.
You should have knowledge about how to configure a captive portal on your wireless
controller(s).
o The open SSID typically has pre-authentication ACLs defined, which permit access to the
VM. The WLAN controller is configured to point to the Enrollment System VM as an
external captive portal.
The WPA2-Enterprise SSID should be set up to delegate authentication to the onboard AAA
server or your existing AAA.
o If using an existing AAA server, it requires layer 3 access to the Enrollment System VM to
verify certificate status (optional).
A web server certificate is required for HTTPS. The system can be configured prior to the WWW
server certificate being installed, but it should be installed before attempting to enroll end-users.
o The WWW certificate may be a wildcard certificate (*.company.com) or a named
certificate (test.company.com).
o The WWW certificate must match the DNS name used by the end-users to enroll.
o To request a WWW certificate, you may need to provide a Certificate Signing Request
(CSR). If so, you can download a CSR from ES after the system is set up.
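The name-matching requirement above has one common pitfall: a wildcard covers exactly one left-most label. The following added example (not from the Cloudpath documentation) applies the standard wildcard rule to the DNS names on a certificate; the host names are constructed samples, and requiring two fixed labels after the wildcard is a simplification.

```python
import ipaddress

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def name_matches(cert_name, host):
    """True if one certificate DNS name covers the enrollment host name."""
    try:
        ipaddress.ip_address(host)
        return False  # a DNS name on a certificate never covers an IP address
    except ValueError:
        pass
    pat, target = _labels(cert_name), _labels(host)
    if len(pat) != len(target) or "" in target:
        return False  # label counts must be equal; empty labels are invalid
    if pat[0] == "*":
        # The wildcard stands for exactly one left-most label. Requiring two
        # fixed labels after it rejects names such as "*.com" (simplification).
        return len(pat) >= 3 and pat[1:] == target[1:]
    # Partial ("t*.company.com") or inner ("a.*.com") wildcards are rejected.
    return "*" not in cert_name and pat == target

def covering_names(cert_names, host):
    """Return the certificate names that cover host (empty list = mismatch)."""
    return [n for n in cert_names if name_matches(n, host)]

def audit(cert_names, enrollment_hosts):
    """Map each name end-users will browse to onto the cert names covering it."""
    return {h: covering_names(cert_names, h) for h in enrollment_hosts}

if __name__ == "__main__":
    # Constructed sample: a wildcard certificate and three candidate DNS names.
    names_on_cert = ["*.company.com"]
    candidates = ["test.company.com", "company.com", "enroll.wifi.company.com"]
    for host, covered_by in audit(names_on_cert, candidates).items():
        print(f"{host:28} {'OK' if covered_by else 'MISMATCH'} {covered_by}")
```

With the sample input, only `test.company.com` is covered: `*.company.com` matches neither the bare domain nor a name two labels deep, so choose the enrollment DNS name before requesting the certificate.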
If using NPS, set up the NPS server role and a RADIUS server. Note: The new RADIUS server
certificates and root CA can be uploaded after ES is configured.
If using a pre-existing RADIUS server, you need the IP address and access to the RADIUS server-signed certificates.
If using an existing CA, and you would like to use ES as an intermediate CA to issue client
certificates, you need the public and private key of the existing CA to upload into the Enrollment
System.
If using the ES as a proxy for an existing CA (Microsoft CA or Custom External CA) you need the
CA URL and CA chain for the remote CA.
DNS should be configured for Enrollment System and other components appropriate for your
network.
You should have some idea about your deployment scheme for employees, partners,
contractors and guests. For example, some use cases might be:


Initial Setup
Before the implementation call, you should review the Customer Checklist and Deployment Guide. If
deploying to a local VMware server, be sure to download the OVA file prior to the setup call.
During the implementation call, we can help you with:
Discussion about what you are trying to achieve
Initial product setup
Workflow basics

Who Should Be Involved in the Initial Setup Call
The ES implementation touches different aspects of your environment. Therefore, you might want to
involve other members of your network team.

The ES is installed as a virtual appliance. If you have a VM team, they should be contacted
regarding the ES deployment.
The open and secure SSIDs are set up on the wireless controller. The person/team that manages
this aspect of your network should be available for making adjustments to the wireless
controller.
The ES can be set up to authenticate users to an Active Directory or LDAP server. Typically, you
do not need to make adjustments to the authentication server. However, if there are issues
connecting to the secure network, this person/team might be required.
If you plan to use the onboard RADIUS server, which we recommend, you do not need the
RADIUS server team. However, if you plan to use NPS or another external RADIUS server, this
person/team should attend the setup meeting as user certificates are authenticated to the
RADIUS server.
After the initial setup, the Enrollment System provides a list of the inbound and outbound traffic
of your Cloudpath Enrollment System. Firewall updates may be required for getting the ES up
and running in your network.

Deployment Testing
Ideally, you should have devices on hand for each operating system that you plan to support, for
deployment testing. While the enrollment workflow behaves the same on each device, the Wizard
application behaves slightly differently on each operating system. With Android, this issue is compounded
by the fact that each vendor can make modifications to the Android operating system, causing the
application, in some cases, to behave slightly differently between models.
Contact your Sales or Support representative to review the End-User Experience documentation for your
supported OSes.




Source Exif Data:
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.5
Linearized                      : No
Page Count                      : 5
Language                        : en-US
Tagged PDF                      : Yes
XMP Toolkit                     : 3.1-701
Producer                        : Microsoft® Word 2016
Creator                         : CPN
Creator Tool                    : Microsoft® Word 2016
Create Date                     : 2017:05:22 15:56:20-06:00
Modify Date                     : 2017:05:22 15:56:20-06:00
Document ID                     : uuid:EF0EC673-6850-4C2D-8E10-5CDF50170445
Instance ID                     : uuid:EF0EC673-6850-4C2D-8E10-5CDF50170445
Author                          : CPN