Manual Chapter : 3-DNS Administrator Guide version 4.2: Working with the Setup Utility

Applies To:


3-DNS Controller versions 1.x - 4.x

  • 4.2 PTF-10, 4.2 PTF-09, 4.2 PTF-08, 4.2 PTF-07, 4.2 PTF-06, 4.2 PTF-05, 4.2 PTF-04, 4.2 PTF-03, 4.2 PTF-02, 4.2 PTF-01, 4.2.0

Chapter 4: Working with the Setup Utility


Creating the initial configuration with the Setup utility

Once you install and connect the 3-DNS hardware, the next step in the installation process is to turn the system on and run the Setup utility. The Setup utility defines the initial configuration settings required to install the 3-DNS into the network. You can run the Setup utility remotely from a web browser, or from an SSH or Telnet client, or you can run it directly from the console.

Before you connect to the 3-DNS, we recommend that you gather the list of information outlined in the configuration worksheet provided with the system. Note that the screens you see are tailored to the specific hardware and software configuration that you have. For example, if you have a single system, the Setup utility skips the redundant system screens.

Note: If you are configuring the 3-DNS module on a BIG-IP, refer to the BIG-IP documentation for this part of the installation process.

Connecting to the 3-DNS for the first time

The Setup utility prompts you to enter the same information, whether you run the utility from a web browser or from the command line. When the utility completes, we recommend that you reboot the system. This automatically removes the default IP address and root password provided specifically for the purposes of running the Setup utility remotely. The 3-DNS replaces the default IP address and root password with the password and IP addresses that you define when you run the utility for the first time.

Running the utility from a console or serial terminal

Before you can run the Setup utility from either a console or a serial terminal, you must first log in. Use the following default user name and password to log in.

User name: root

Password: default

After you log in, you can start the utility directly from the console or serial terminal by typing the command config. Once you complete the utility, we recommend that you reboot the 3-DNS.

Note: If you want to set up a terminal connection directly to the 3-DNS, see Using a serial terminal, on page 3-6.

Running the Setup utility remotely

You can run the Setup utility remotely only from a workstation that is on the same LAN as the unit. To allow remote connections for the Setup utility, the 3-DNS comes with two pre-defined IP addresses, and a pre-defined root password. The default root password is default, and the preferred default IP address is 192.168.1.245. If this IP address is unsuitable for your network, the 3-DNS uses an alternate IP address, 192.168.245.245. However, if you define an IP alias on an administrative workstation in the same IP network as the 3-DNS, the unit detects the network of the alias and uses the corresponding default IP address.

Once the utility finishes and the system reboots, these default IP addresses and the root password are replaced by the information that you entered in the Setup utility.

Setting up an IP alias for the default IP address before you turn on the system

You must set up an IP alias for your remote workstation before you turn on the system and start the Setup utility. The remote workstation must be on the same IP network as the system. If you add this alias prior to booting up the 3-DNS, the system detects the alias and uses the corresponding address.

To set up an IP alias for the alternate IP address

The IP alias must be in the same network as the default IP address you want the 3-DNS to use. For example, on a UNIX workstation, you might create one of the following aliases:

  • If you want the unit to use the default IP address 192.168.1.245, then add an IP alias to the machine you want to use to connect to the system using the following command:

    ifconfig exp0 add 192.168.1.1

  • If you want to use the default IP address 192.168.245.245, then add an IP alias such as:

    ifconfig exp0 add 192.168.245.1

Warning: On Microsoft Windows® or Windows NT® machines, you must use a static IP address, not DHCP. Within the network configuration, add an IP alias in the same network as the IP in use on the unit. For information about adding a static IP address to a Microsoft Windows operating system, please refer to your vendor's documentation.

Determining which default IP address is in use

After you configure an IP alias on the administrative workstation in the same IP network as the 3-DNS and you turn the system on, the 3-DNS sends ARPs on the internal VLAN to see if the preferred 192.168.1.245 IP address is in use. If the address is appropriate for your network and is currently available, the 3-DNS assigns it to the internal VLAN. You can immediately use it to connect to the unit and start the Setup utility.

If the alternate network is present on the LAN, 192.168.245.0/24, or if the node address 192.168.1.245 is in use, then the 3-DNS assigns the alternate IP address 192.168.245.245 to the internal VLAN instead.

Starting the Setup utility from a web browser

When you start the utility from a web browser, you use the selected default IP address as the application URL.

To start the Setup utility in a web browser

  1. Open a web browser on a workstation connected to the same IP network as the internal VLAN of the system.
  2. Type the following URL, where <default IP> is the IP address in use on the 3-DNS internal VLAN.
    https://<default IP>
  3. At the login prompt, type root for the user name, and default for the password.
    The Configuration Status screen opens.
  4. On the Configuration Status screen, click Start Wizard.
  5. Fill out each screen using the information from the Setup utility configuration list. After you complete the Setup utility, the 3-DNS reboots and uses the new settings you defined.

Note: You can rerun the Setup utility from a web browser at any time by clicking the Setup utility link on the welcome screen.

Starting the Setup utility from the command line

You can run the command line version of the Setup utility from a remote SSH client or from a Telnet client.

To start the Setup utility from the command line

  1. Start an SSH client on a workstation connected to the same IP network as the internal VLAN of the 3-DNS.
  2. Type the following command, where <default IP> is the IP address in use on the 3-DNS internal VLAN.
    ssh <default IP>
  3. At the login prompt, type root for the user name, and default for the password.
  4. At the 3-DNS prompt, type the following command to start the command-line based Setup utility.
    config
  5. Fill out each screen using the information from the Setup utility configuration list. After you complete the Setup utility, the 3-DNS reboots and uses the new settings you defined.

Note: You can rerun the Setup utility at any time using the config command.

Using the Setup utility for the first time

The following sections provide detailed information about the settings that you define in the Setup utility when you run the utility for the first time.

Setting the keyboard type

Select the type of keyboard you want to use with the 3-DNS. The following options are available:

  • Belgian
  • Bulgarian MIK
  • French
  • German
  • Japanese - 106 key
  • Norwegian
  • Spanish
  • Swedish
  • US + Cyrillic
  • US - Standard 101 key (the default)
  • United Kingdom

Defining the root password

A root password gives you command-line administrative access to the 3-DNS system. The password must contain a minimum of 6 characters, but no more than 32 characters. Passwords are case-sensitive, and we recommend that your password contain a combination of upper- and lower-case characters, as well as numbers and punctuation characters. Once you enter a password, the Setup utility prompts you to confirm your root password by typing it again. If the two passwords match, your password is immediately saved. If the two passwords do not match, the Setup utility displays an error message and prompts you to re-enter your password.

Warning: When you run the Setup utility for the first time, you must change the root password from default to something else. See Chapter 12, Administration and Monitoring, if you later decide you want to change the root password again.

Defining the system host name

The host name identifies the 3-DNS itself. Host names must be fully qualified domain names (FQDNs). The host portion of the name can start with a letter or digit, and must be at least two characters. The entire host name must be less than 255 characters, and each label (between dots) must be less than 63 characters.
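To make the root password and host name rules above concrete, here is an added Python checker; it is not part of the 3-DNS software. It applies the password length rule and the host name rules exactly as this chapter states them, and assumes (standard host-name syntax, not stated on this page) that a label may contain only letters, digits and hyphens.

```python
import re

# Added example, not part of the 3-DNS software. It applies the rules this
# chapter states for the root password (6 to 32 characters, factory value
# "default" must be changed) and for the system host name (an FQDN whose host
# portion starts with a letter or digit and has at least two characters; the
# whole name shorter than 255 characters; every label shorter than 63).
# Assumption: labels contain only letters, digits and hyphens (standard
# host-name syntax; the page itself only says "start with a letter or digit").

PASSWORD_MIN, PASSWORD_MAX = 6, 32
HOSTNAME_MAX_LEN = 255      # entire name must be shorter than this
LABEL_MAX_LEN = 63          # each label must be shorter than this
FACTORY_PASSWORD = "default"

# A label: starts with a letter or digit, then letters, digits or hyphens,
# and does not end in a hyphen.
_LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def check_root_password(password: str) -> list:
    """Return the list of problems found; an empty list means acceptable."""
    problems = []
    if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
        problems.append(f"length must be {PASSWORD_MIN}-{PASSWORD_MAX} characters")
    if password == FACTORY_PASSWORD:
        problems.append("the factory default root password must be changed")
    # The manual recommends (does not require) upper and lower case, digits
    # and punctuation; flag anything that uses fewer than three of the four.
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        problems.append("recommended: mix upper/lower case, digits and punctuation")
    return problems


def check_host_name(name: str) -> list:
    """Return the list of problems found; an empty list means acceptable."""
    problems = []
    if name.endswith("."):          # tolerate an explicit trailing root dot
        name = name[:-1]
    if len(name) >= HOSTNAME_MAX_LEN:
        problems.append(f"entire host name must be less than {HOSTNAME_MAX_LEN} characters")
    labels = name.split(".")
    if len(labels) < 2 or "" in labels:
        problems.append("host name must be a fully qualified domain name (host.domain.tld)")
        return problems
    if len(labels[0]) < 2:
        problems.append("host portion must be at least two characters")
    for label in labels:
        if len(label) >= LABEL_MAX_LEN:
            problems.append(f"label '{label[:8]}...' must be less than {LABEL_MAX_LEN} characters")
        elif not _LABEL_RE.match(label):
            problems.append(f"label '{label}' must start with a letter or digit "
                            "and contain only letters, digits and hyphens")
    return problems


if __name__ == "__main__":
    for candidate in ("default", "Xy7!secure"):
        print(candidate, "->", check_root_password(candidate) or "ok")
    for candidate in ("dns1.example.com", "d.example.com", "dns1", "-bad.example.com"):
        print(candidate, "->", check_host_name(candidate) or "ok")
```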

Configuring a default gateway pool

On this screen, if you enter two or more default route addresses, the 3-DNS creates a default gateway pool. If a 3-DNS does not have a predefined route for network traffic, the unit automatically sends traffic to the pool that you define as the default gateway pool. You can think of the default gateway pool as a pool of default routes. A default gateway pool can contain zero or more gateway IP addresses. If you type more than one default gateway IP address, the additional gateways provide high availability for administrative connections. If a gateway in the default gateway pool becomes inactive, existing connections through the inactive gateway are routed through another gateway in the default gateway pool.

Warning: All default gateway IP addresses that you add to the default gateway pool must be in the same IP network as the 3-DNS.

Configuring a redundant system's settings

There are two types of settings you need to define for redundant systems: unit IDs and fail-over IP addresses.

Unit IDs

The default unit ID number is 1. If this is the first unit in the redundant system, use the default. When you configure the second unit in the redundant system, type 2.

Choosing a fail-over IP address

A fail-over IP address is the IP address of the unit that will take over if the active unit in the redundant system fails.

Setting the interface media type

The media type options for each interface depend on the network interface card included in your hardware configuration. The Setup utility prompts you with the settings that apply to the interfaces installed in the system. The 3-DNS supports the following media types:

  • auto (automatically detects the media type)
  • 10baseT
  • 10baseT, FDX
  • 100baseTX
  • 100baseTX, FDX
  • Gigabit Ethernet

For the best results, choose the auto setting for each interface. In some cases, systems configured using the auto media setting are incompatible, and the proper duplex setting will not be negotiated. In these cases, you may need to set the media type to the same speed and duplex on this system, and on the corresponding switch or host. Check your switch or hub documentation for this information.

Warning: The Setup utility lists only the network interfaces that it detects during system boot. If the utility lists only one interface device, a network adapter may have come loose during shipping. Check the LED indicators on the network adapters to ensure that they are working and are connected.

Configuring VLANs and IP addresses

You can create a new VLAN, or use the default VLANs, internal and external, to create the 3-DNS base network configuration. Note that in general, you need only one configured VLAN for the 3-DNS. You may want to review Chapter 5, Configuring the Base Network, before you configure any VLANs other than the defaults.

Determine whether you want to have security turned on or off for each VLAN. Then, type the IP address settings for the VLAN. The IP address settings include:

  • Security settings
  • IP address, netmask, and broadcast address
  • Floating self IP address, netmask, and broadcast (for redundant systems only)

Assigning interfaces to VLANs

After you configure the VLANs that you want to use on the 3-DNS, you can assign interfaces to the VLANs. If you use the default VLANs, internal and external, we recommend that you assign at least one interface to external, and at least one interface to internal. In a typical configuration, the external VLAN is the one on which the 3-DNS receives connection requests. Note that the VLAN internal is optional. If you plan on running the 3-DNS in bridge or router mode, you can configure a second VLAN for a particular IP subnet. For more information on the bridge and router modes, see Configuring the 3-DNS mode, on page 4-8.

Associating a primary IP address and VLAN with the system host name

If you have defined more than one VLAN and have assigned interfaces to them, you can choose one VLAN/IP address combination as the primary IP address to associate with the system's host name.

Configuring remote web server access

The 3-DNS web server provides the ability to set up remote web access on each VLAN. When you set up web access on a VLAN, you can connect to the web-based Configuration utility through the VLAN. To enable web access, specify a fully qualified domain name (FQDN) for each VLAN. The 3-DNS web server configuration also requires that you define a user name and password. If SSL is available, the configuration also generates authentication certificates.

The Setup utility guides you through a series of screens to set up remote web access.

  • The first screen prompts you to select the VLAN you want to configure for web access. After you select an interface to configure, the utility prompts you to type a fully qualified domain name (FQDN) for the interface. You can configure web access on one or more interfaces.
  • After you configure the interface, the utility prompts you for a user name and password. After you type a user name and password, the utility prompts you for a vendor support account. The vendor support account is not required.
  • The certification screen prompts you for country, state, city, company, and division.

Warning: If you ever change the IP addresses or host names on the 3-DNS interfaces, you must use the Setup utility to reconfigure the 3-DNS web server and the portal to reflect your new settings.

You can also add users to the existing password file, change a password for an existing user, or recreate the password file, without actually repeating the remote web server configuration process. Refer to Managing users on the 3-DNS, in Chapter 12, Administration and Monitoring.

Warning: If you have modified the remote web server configuration outside of the Configuration utility, be aware that some changes may be lost when you run the Configure web servers option in the Setup utility. This utility overwrites the httpd.conf file and openssl.conf, but does not warn you before doing so.

Setting the time zone

Next, you need to specify the time zone for the region that the 3-DNS is in. This ensures that the clock for the 3-DNS is set correctly, and that dates and times recorded in log files correspond to the time zone of the system administrator. Scroll through the list to find the time zone at your location. Note that one option may appear with multiple names. Select the time zone you want to use, and press the Enter key to continue.

Configuring the 3-DNS mode

The 3-DNS can now run in three different modes: node, bridge, and router.

  • Node mode
    The node mode is the traditional installation of the 3-DNS. The 3-DNS replaces a DNS server in a network and uses the DNS server's IP address. All DNS traffic is directed at the 3-DNS because it is registered with InterNIC as authoritative for the domain. In node mode, you usually run BIND on the system to manage DNS zone files. In node mode, you may also use the NameSurfer application available to manage your zone files.
  • Bridge mode
    In bridge mode, the 3-DNS acts as an IP bridging device by forwarding packets between two LAN segments (usually on the same IP subnet). The system usually has one IP address, and is installed between the router or switch and the authoritative DNS server. The 3-DNS does not replace the authoritative DNS server. The 3-DNS filters all DNS packets that match wide IPs, and forwards the remaining packets to the authoritative DNS server for resolution. Note that this may be the preferred method of using the 3-DNS because you do not have to replace the authoritative DNS server, and you can perform out-of-band testing before you deploy 3-DNS software upgrades.
  • Router mode
    In router mode, the 3-DNS acts as a router by forwarding packets between two different IP subnets. You can put the 3-DNS anywhere in the network topology so that packets destined for the authoritative DNS server have to pass through it. Router mode requires at least two IP addresses and two VLANs. Router mode is probably most useful for Internet service providers (ISPs) that want to redirect traffic to local content servers. For example, by using the 3-DNS in router mode, an ISP can redirect requests for ads.mydomain.net to a local ad server.

Configuring remote administrative access

After you configure remote web access, the Setup utility prompts you to configure remote command line access. On most 3-DNS units, the first screen you see is the Configure SSH screen, which prompts you to type an IP address for SSH command line access. If SSH is not available, you are prompted to configure access through RSH instead.

When you configure remote command line access, the Setup utility prompts you to create a support account for that method. You can use this support account to provide a support engineer access to the 3-DNS.

When the Setup utility prompts you to enter an IP address for administration, you can type a single IP address or a list of IP addresses, from which the 3-DNS will accept administrative connections (either remote shell connections, or connections to the web server on the 3-DNS). To specify a range of IP addresses, you can use the asterisk (*) as a wildcard character in the IP addresses.

The following example allows remote administration from all hosts on the 192.168.2.0/24 network:

192.168.2.*

Note: For administration purposes, you can connect to the 3-DNS floating self IP address, which always connects you to the active unit in an active/standby redundant system. To connect to a specific unit, connect directly to the IP address of that 3-DNS.
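The wildcard form shown above is also what the SSH, RSH, FTP and Telnet screens later in this chapter accept. The following added Python helper (not F5 code) mimics that matching and flags entries that admit more than one /24, the check a reviewer of a unit's access lists would want; it assumes "*" stands for exactly one whole octet, as in the 192.168.2.* example.

```python
import ipaddress

# Added example, not part of the 3-DNS software. The Setup utility accepts
# administrative address entries such as "192.168.2.*", where "*" replaces
# an octet. Assumption: "*" stands for exactly one whole dotted-quad octet,
# as in the page's own example; anything else is rejected.


def parse_admin_entry(entry: str) -> list:
    """Turn '192.168.2.*' into [192, 168, 2, None]; None marks a wildcard octet."""
    parts = entry.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"admin address entry must have four octets: {entry!r}")
    pattern = []
    for part in parts:
        if part == "*":
            pattern.append(None)
        elif part.isdigit() and 0 <= int(part) <= 255:
            pattern.append(int(part))
        else:
            raise ValueError(f"bad octet {part!r} in admin address entry {entry!r}")
    return pattern


def entry_matches(entry: str, client_ip: str) -> bool:
    """True if client_ip falls within the wildcard entry."""
    octets = ipaddress.IPv4Address(client_ip).packed      # the 4 raw octet values
    return all(p is None or p == o for p, o in zip(parse_admin_entry(entry), octets))


def is_admin_allowed(entries: list, client_ip: str) -> bool:
    """List semantics as described in the chapter: any matching entry admits the host."""
    return any(entry_matches(e, client_ip) for e in entries)


def hosts_covered(entry: str) -> int:
    """Number of addresses an entry admits: 256 per wildcard octet."""
    return 256 ** sum(1 for p in parse_admin_entry(entry) if p is None)


def overly_broad(entries: list, max_hosts: int = 256) -> list:
    """Entries admitting more than max_hosts addresses (default: one /24).
    Useful when reviewing a unit's SSH, RSH, FTP or Telnet access lists."""
    return [e for e in entries if hosts_covered(e) > max_hosts]


if __name__ == "__main__":
    allowed = ["192.168.2.*", "10.1.1.5"]
    for ip in ("192.168.2.77", "192.168.3.77", "10.1.1.5"):
        print(ip, "allowed" if is_admin_allowed(allowed, ip) else "denied")
    print("too broad:", overly_broad(["192.168.2.*", "192.168.*.*", "*.*.*.*"]))
```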

Configuring SSH

Use this option to configure secure shell server (ssh) on a 3-DNS. This utility prompts you for an IP address from which administrators may access the 3-DNS with SSH. You can use wildcard characters (*) to include all addresses from a specific part of the network. This utility also prompts you to create a support account for access by technical support.

If the service port for SSH is closed, this utility opens the service port to permit SSH connections to the 3-DNS.

Configuring RSH

Use this option to configure the remote shell (rsh) server on a 3-DNS. This utility prompts you for an IP address from which administrators may access the 3-DNS. You can use wildcard characters (*) to include all addresses from a specific part of the network. This utility also prompts you to create a support account for access by technical support.

If inetd is not currently configured, this utility configures inetd for the remote shell server (rshd). If the service port for rsh is closed, this utility opens the service port to permit rsh connections to the 3-DNS.

Initializing the iControl portal

Select this option to configure the CORBA ports (IIOP and FSSL). This option prompts you for a list of IP addresses or host names you want to embed as objects in the Portal object reference.

This option prompts you to set the Portal to use IP addresses instead of DNS names. If the Portal is set to use IP addresses, the 3-DNS does not have to do a DNS lookup.

In addition to these settings, you can change the following iControl portal settings:

  • You can set the security mode of the portal. You can allow the portal to handle non-secure requests.
  • You can change the name of the Portal object reference file.
  • You can specify the Portal PID file name.

Configuring NTP support

You can synchronize the time on the 3-DNS to a public time server by using Network Time Protocol (NTP). NTP is built on top of UDP and assures accurate, local timekeeping with reference to clocks located on the Internet. The NTP protocol is capable of synchronizing distributed clocks, within milliseconds, over long periods of time. If you choose to enable NTP, make sure UDP port 123 is open in both directions when the 3-DNS is behind a firewall.

Configuring NameSurfer for zone file management

In the final series of the Setup utility screens, you choose whether to have NameSurfer handle DNS zone file management on the current 3-DNS. If you configure the 3-DNS in node mode, we strongly recommend that you configure NameSurfer to handle zone file management. If you designate NameSurfer as the primary name server, NameSurfer converts the DNS zone files on the system, becomes the authoritative DNS, and automatically processes changes and updates to the zone files. (You can access the NameSurfer application directly from the Configuration utility.)

To open the NameSurfer application

  1. In the navigation pane, click NameSurfer.
    The NameSurfer home screen opens.
  2. Edit the zone file information as required.
    For help with the NameSurfer application, click Help in the NameSurfer navigation pane.

Note: Remember that if you run the 3-DNS in bridge or router mode, the system is not authoritative for any domains, so the NameSurfer application is not available to manage any zone files.

Running the Setup utility after creating the initial configuration

You can also use the Setup utility to change existing settings at any time. After you complete the initial configuration, the Setup utility presents a menu of individual configuration options. There is a section of required configuration options and a section of optional configuration options.

To run the Setup utility from the command line, type in the following command:

config

Figure 4.1 shows the Setup utility menu.

Figure 4.1 The Setup utility menu

┌── I N I T I A L   S E T U P   M E N U ─────────────────────────────────────┐
│                                                                            │
│  Choose the desired configuration function from the list below.            │
│                                                                            │
│  (A) All configuration steps         (R) Steps for redundant systems       │
│                                                                            │
│  REQUIRED                                                                  │
│  (E) Set default gateway pool        (V) Configure VLANs & networking      │
│  (H) Set host name                   (W) Configure web servers             │
│  (P) Set root password                                                     │
│                                                                            │
│  OPTIONAL                                                                  │
│  (D) Configure DNS                   (O) Configure remote access           │
│  (F) Configure FTP                   (S) Configure SSH                     │
│  (I) Initialize iControl portal      (T) Configure Telnetd                 │
│  (K) Set keyboard type               (U) Configure RSH                     │
│  (M) Define time servers             (Z) Set time zone                     │
│  (N) Configure NameSurfer            (Q) Quit                              │
│                                                                            │
│  Enter Choice:                                                             │
│                                                                            │
└────────────────────────────────────────────────────────────────────────────┘

Additional configuration options in the Setup utility

The following Setup utility options are available after you have configured the 3-DNS for the first time. Note that while these options are available as part of the platform, you may not want to enable them for security reasons.

Configuring FTP

Use this utility to configure FTP on the 3-DNS. This utility prompts you for an IP address from which administrators may access the 3-DNS with FTP. You can use wildcard characters (*) to include all addresses from a specific part of the network. This utility also prompts you to create a support account for access by technical support.

If the service port for FTP is closed, this utility opens the service port to permit FTP connections to the 3-DNS.

Configuring Telnet

Use this option to configure Telnet on the 3-DNS. The utility prompts you for a configuration address for each service from which administrators may access the 3-DNS. You can use wildcard characters (*) to include all addresses from a specific part of the network. This utility also prompts you to create a support account for access by technical support.

If inetd is not currently configured, this utility configures inetd for the requested services. If the ports for Telnet or FTP are closed, this utility opens the ports to permit Telnet or FTP connections to the 3-DNS.

Warning: Although you can configure FTP and Telnet on a 3-DNS, we recommend that you leave these services disabled, for security reasons.