Applies To: 3-DNS Controller versions 1.x - 4.x (4.5.14, 4.5.13, 4.5.12, 4.5.11, 4.5.10)
Using the Setup Utility
- Creating the initial software configuration with the Setup utility
- Connecting to the 3-DNS Controller for the first time
- Using the Setup utility for the first time
- Running the Setup utility after creating the initial software configuration
Creating the initial software configuration with the Setup utility
Once you install and connect the hardware and obtain a license, the next step in the installation process is to turn the system on and run the Setup utility. The Setup utility defines the initial configuration settings required to install the 3-DNS Controller into the network. You can run the Setup utility remotely from a web browser, or from an SSH or Telnet client, or you can run it directly from the console.
Before you connect to the unit, we recommend that you gather the list of information outlined in the configuration worksheet provided with the 3-DNS Controller. Note that the screens you see are tailored to the specific hardware and software configuration that you have. For example, if you have a stand-alone system, the Setup utility skips the redundant system screens.
Once you have configured the base network elements with the Setup utility, you might want to further enhance the configuration of these elements. For additional information about these configuration tasks, see Chapter 4, Post-Setup Tasks.
The license file installed on the system must be compatible with the latest version of the 3-DNS software before you run the Setup utility. If it is not, you must update the license using the registration key provided to you by your vendor. If you do not have a registration key, please contact your vendor to obtain one. If you choose to continue without obtaining a license, the 3-DNS software will not be fully functional.
Connecting to the 3-DNS Controller for the first time
The Setup utility prompts you for the same information whether you run it from a web browser or from the command line. If you run the utility from the console, no reboot is necessary. If you run it from the web, the unit reboots automatically. If you run it from an SSH client, we recommend that you reboot the unit after you complete the setup. The reboot removes the default IP address and root password that exist solely for running the Setup utility remotely, and replaces them with the IP addresses and password that you define in the utility. Until that reboot, the unit still answers on the default IP address with the default root password, so do not leave it in that state.
Running the utility from the console or serial terminal
Before you can run the Setup utility from either the console or a serial terminal, you must first log in. Use the following default user name and password to log in:
- User name: root
- Password: default
After you log in, you can start the utility directly from the console or serial terminal by typing the command setup.
Running the Setup utility remotely
You can run the Setup utility remotely only from a workstation that is on the same LAN as the unit. To allow remote connections for the Setup utility, the 3-DNS software comes with two pre-defined IP addresses and a pre-defined root password. The default root password is default, and the preferred default IP address is 192.168.1.245. If this IP address is unsuitable for your network, the 3-DNS software uses an alternate IP address, 192.168.245.245. If you define an IP alias on an administrative workstation in the same IP network as the 3-DNS Controller, the unit detects the network of the alias and uses the corresponding default IP address. Because these defaults are published and identical on every unit, keep the unit on an isolated administrative LAN until the Setup utility and its reboot have replaced them.
Once the utility finishes and the system reboots, these default IP addresses are replaced by the information that you entered in the Setup utility.
Setting up an IP alias for the default IP address before you start the unit
You must set up an IP alias for your remote workstation before you turn on the unit and start the Setup utility. The remote workstation must be on the same IP network as the unit. If you add this alias prior to booting up the 3-DNS Controller, the unit detects the alias and uses the corresponding address.
To set up an IP alias for the alternate IP address
The IP alias must be in the same network as the default IP address you want the 3-DNS Controller to use. For example, on a UNIX workstation, you might create one of the following aliases:
- If you want the unit to use the default IP address 192.168.1.245, then add an IP alias to the machine you want to use to connect to the unit using the following command:
ifconfig exp0 add 192.168.1.1
- If you want to use the default IP address 192.168.245.245, then add an IP alias such as:
ifconfig exp0 add 192.168.245.1
On Microsoft Windows® or Windows NT® machines, you must use a static IP address, not DHCP. Within the network configuration, add an IP alias in the same network as the IP address in use on the unit. For information about adding a static IP address to a Microsoft Windows operating system, please refer to the vendor's documentation.
Determining which default IP address is in use
After you configure an IP alias on the administrative workstation in the same IP network as the 3-DNS Controller and you turn the system on, the 3-DNS software sends ARPs on the internal VLAN to see if the preferred 192.168.1.245 IP address is in use. If the address is appropriate for your network and is currently available, the 3-DNS software assigns it to the internal VLAN. You can immediately use it to connect to the unit and start the Setup utility.
If the alternate network is present on the LAN, 192.168.245.0/24, or if the node address 192.168.1.245 is in use, then the 3-DNS software assigns the alternate IP address 192.168.245.245 to the internal VLAN instead.
Starting the utility from a web browser
When you start the utility from a web browser, you use the selected default IP address as the application URL.
To start the Setup utility in a web browser
- Open a web browser on a workstation connected to the same IP network as the internal VLAN of the unit.
- Type the following URL, where <default IP> is the IP address in use on the 3-DNS internal VLAN.
- At the login prompt, type root for the user name, and default for the password.
The Configuration Status screen opens.
- On the Configuration Status screen, click Setup Utility.
- Fill out each screen using the information from the Setup utility configuration list. After you complete the Setup utility, the 3-DNS Controller reboots and uses the new settings you defined.
You can rerun the Setup utility from a web browser at any time by clicking the Setup utility link on the welcome screen.
Starting the utility from the command line
You can run the command line version of the Setup utility from the console or serial terminal, or from a remote SSH client, or from a Telnet client.
To start the Setup utility from the console
- At the login prompt, type root for the user name, and default for the password.
- At the 3-DNS prompt, type setup to start the command-line Setup utility.
- Fill out each screen using the information from the Configuration worksheet. After you complete the Setup utility, the 3-DNS Controller uses the new settings you defined.
To start the Setup utility from the command line from a remote administrative workstation
- Start an SSH client on a workstation connected to the same IP network as the internal VLAN of the unit. (See Chapter 4, Post-Setup Tasks, for information on downloading the SSH client from the 3-DNS Controller.)
- Type the following command, where <default IP> is the IP address in use on the 3-DNS internal VLAN.
ssh <default IP>
- At the login prompt, type root for the user name, and default for the password.
- At the 3-DNS prompt, type setup to start the command-line Setup utility.
- Fill out each screen using the information from the Configuration worksheet. After you complete the Setup utility, reboot the 3-DNS Controller by typing the following command:
You can rerun the Setup utility at any time using the setup command.
Using the Setup utility for the first time
The following sections provide detailed information about the settings that you define in the Setup utility.
Selecting the keyboard type
Select the type of keyboard you want to use with the 3-DNS Controller. The following options are available:
- Bulgarian MIK
- Japanese - 106 key
- US + Cyrillic
- US - Standard 101 key (default)
- United Kingdom
Setting the root password
The root password gives command line administrative access to the 3-DNS Controller, and it is the password that replaces the default root password (default) when the unit reboots. We recommend a password of at least 6 characters and no more than 32. Passwords are case-sensitive, and we recommend a combination of upper- and lower-case letters, numbers, and special characters (for example, !@#$%^&*). After you enter a password, the Setup utility prompts you to confirm it by typing it again. If the two entries match, the password is saved immediately. If they do not match, the Setup utility displays an error message and prompts you to re-enter the password.
Setting the host name
The host name identifies the 3-DNS Controller itself. Host names must be fully qualified domain names (FQDNs). The host portion of the name must start with a letter and must be at least two characters. The FQDN must be between 1 and 256 characters, and each label of the name must be 63 characters or fewer. Only letters, numbers, and the characters underscore ( _ ), dash ( - ), and period ( . ) are allowed. For example:
<host 63 characters or less>.<label 63 characters or less>.net
Change the host name only with the Setup utility. Editing /etc/hosts, or using the hostname command to change the host name, renders the system inaccessible.
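As an added example (not code from the 3-DNS documentation or the product), the following Python function applies the host name rules listed above, so a name can be checked before it is typed into the Setup utility. Treating an empty label, such as one produced by a trailing or doubled period, as invalid is an assumption; the page does not address that case.

```python
import re
from typing import Optional

# The page allows letters, digits, underscore, dash and period; the period only
# separates labels, so it is excluded from the per-label pattern.
_LABEL_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def check_hostname(name: str) -> Optional[str]:
    """Return None when `name` satisfies the Setup utility's host name rules,
    otherwise a short description of the first rule it breaks."""
    if not 1 <= len(name) <= 256:
        return "FQDN must be between 1 and 256 characters"
    labels = name.split(".")
    # Assumption: an empty label (leading, trailing or doubled period) is rejected.
    if len(labels) < 2 or any(label == "" for label in labels):
        return "host name must be a fully qualified domain name, e.g. host.example.net"
    for label in labels:
        if len(label) > 63:
            return "each label must be 63 characters or fewer"
        if not _LABEL_RE.match(label):
            return "only letters, digits, underscore, dash and period are allowed"
    host = labels[0]
    if len(host) < 2:
        return "host portion must be at least two characters"
    if not host[0].isalpha():
        return "host portion must start with a letter"
    return None


def is_valid_hostname(name: str) -> bool:
    return check_hostname(name) is None
```

Run a candidate name through check_hostname() before committing it; a name the utility rejects mid-setup costs a restart, and a name that is accepted but later mangled by hand (see the warning above) costs access to the unit.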
Redundant system settings
There are three types of settings you need to define for redundant systems: unit IDs, fail-over IP addresses, and fail-over type.
Assigning a unit ID
The default unit ID number is 1. If this is the first unit in the redundant system, use the default. When you configure the second unit in the system, type 2. These unit IDs are used for active-active redundant configuration.
Choosing a fail-over IP address
A fail-over IP address is the IP address of the unit that takes over if the current unit fails. Type in the IP address configured on the internal interface of the peer 3-DNS unit in the redundant system.
Choosing the fail-over type
There are two types of fail-over to choose from: hard-wired fail-over, and network fail-over. Choose hard-wired fail-over if you plan to connect the units together with the fail-over cable provided with the redundant system. Choose network fail-over if you plan to use the network that the units are connected to for fail-over functionality.
Hard-wired fail-over is available only if the platform supports hard-wired fail-over.
Setting the interface media type
Configure media settings for each interface. The media type options depend on the network interface card included in your hardware configuration. The Setup utility prompts you with the settings that apply to the interface installed in the unit. The 3-DNS Controller supports the following types:
- 10baseT, FDX
- 100baseTX, FDX
- Gigabit Ethernet
For best results, choose the auto setting. In some cases, two devices that are both set to auto fail to negotiate a matching speed and duplex. If that happens, set the same fixed speed and duplex on this device and on the corresponding switch or host. Check your switch or hub documentation for this information.
The Setup utility lists only the network interface devices that it detects during system boot. If the utility lists fewer interface devices than you expected, a network adapter may have come loose during shipping. Check the LED indicators on the network adapters to ensure that they are working and are connected.
Configuring VLANs and IP addresses
You can create a new VLAN or use the default VLANs to create the 3-DNS Controller configuration.
Determine whether you want to have security enabled for a VLAN, or disabled for the VLAN. Then, type the IP address settings for the VLAN. The IP address settings include:
- Port lockdown settings
- IP address, netmask, and broadcast
- Floating self IP address, netmask, and broadcast
We recommend that you set the floating self IP address as the default route for target devices, such as servers. The floating self IP address is owned by the active unit in an active/standby configuration.
The IP address of the external VLAN is not the IP address of your site or sites. The IP addresses of the sites themselves are specified by the virtual IP addresses associated with each virtual server you configure.
Assigning interfaces to VLANs
After you configure the VLANs that you want to use on the 3-DNS Controller, you can assign interfaces to the VLANs. If you use the default internal and external VLANs, we recommend that you assign at least one interface to the external VLAN, and at least one interface to the internal VLAN. The external VLAN is the one on which the 3-DNS Controller receives connection requests. The internal VLAN is typically the one that is connected to the network of servers, firewalls, or other equipment that the 3-DNS Controller load balances.
Associating the primary IP address and VLAN with the host name
After you assign interfaces to VLANs, and if you have more than one VLAN defined, you can choose one VLAN/IP address combination as the primary IP address to associate with the unit host name.
Configuring a default gateway pool
If a 3-DNS Controller does not have a predefined route for network traffic, the unit automatically sends traffic to the pool that you define as the default gateway pool. You can think of the default gateway pool as a pool of default routes. Typically, a default gateway pool is set to two or more gateway IP addresses. If you type more than one default gateway IP address, the additional gateways provide high availability for administrative connections. The first address you type becomes the default route. If a gateway in the default gateway pool becomes inactive, existing connections through the inactive gateway are routed through another gateway in the default gateway pool. If you type one IP address, no pool is created, and that address is entered as the default route.
All default gateway IP addresses you add to the default gateway pool must be in the same IP network as the 3-DNS Controller.
Configuring remote web server access
The 3-DNS web server provides the ability to set up remote web access on each VLAN. When you set up web access on a VLAN, you can connect to the web-based configuration utility through the VLAN. To enable web access, specify a fully qualified domain name (FQDN) for each VLAN. The 3-DNS web server configuration also requires that you define a password for the admin user. If SSL is available, the configuration also generates authentication certificates.
If the host name portion of the FQDN is greater than 64 characters, the 3-DNS software cannot use it for the web server FQDN.
The Setup utility guides you through a series of screens to set up remote web access.
- The first screen prompts you to select the VLAN you want to configure for web access. After you select a VLAN, the utility prompts you to type a fully qualified domain name (FQDN) for it. You can configure web access on one or more VLANs.
- After you configure the interface, the utility prompts you for a password for the admin user account.
- After you type a password for the admin user account, you have the option to type the IP addresses from which web-interface connections are allowed.
- After you type the IP addresses that are allowed to access the unit with the admin account, the certification screen prompts you for country, state, city, company, and division.
If you ever change the IP addresses or host names on the 3-DNS interfaces, you must reconfigure the 3-DNS web server and the portal to reflect your new settings.
You should add users, or change passwords for existing users, only through the Configuration utility.
If you have modified the remote web server configuration outside of the Configuration utility, be aware that some changes may be lost when you run the Setup utility, which overwrites the httpd.conf and openssl.conf files. Back up those files before rerunning the Setup utility if you have customized them.
Configuring remote administrative access
After you configure remote web access, the Setup utility prompts you to configure remote command line access. On most 3-DNS units, the first screen you see is the Configure SSH screen, which prompts you to type an IP address for SSH command line access. If SSH is not available, you are prompted to configure access through Telnet, RSH, and FTP instead.
When the Setup utility prompts you to enter an IP address for administration, you can type a single IP address or a list of IP addresses from which the 3-DNS Controller will accept administrative connections (either remote shell connections, or connections to the web server on the 3-DNS Controller). To specify a range of IP addresses, use the asterisk (*) as a wildcard character in place of an octet.
The following example allows remote administration from all hosts on the 192.168.2.0/24 network:
192.168.2.*
For administration purposes, you can connect to the 3-DNS floating self IP address, which always connects you to the active unit in an active/standby redundant system. To connect to a specific unit, connect directly to the IP address of that 3-DNS unit.
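The following Python is an added example, not part of the 3-DNS software or its documentation, that models how an administrative allow list written with asterisk wildcards is matched against a connecting address. It assumes that an asterisk stands for one whole dotted field, as in the 192.168.2.* example above, and that entries are separated by commas or whitespace; both are assumptions about the utility's parsing that the page does not spell out.

```python
import ipaddress
from typing import List

Pattern = List[str]  # four dotted fields, each "0".."255" or "*"


def parse_pattern(pattern: str) -> Pattern:
    """Validate one allow-list entry such as 192.168.2.* or 10.1.1.7."""
    fields = pattern.strip().split(".")
    if len(fields) != 4:
        raise ValueError(f"bad entry {pattern!r}: expected four dotted fields")
    for field in fields:
        if field != "*" and not (field.isdigit() and int(field) <= 255):
            raise ValueError(f"bad entry {pattern!r}: {field!r} is neither '*' nor 0-255")
    # Normalise numeric fields so "007" and "7" compare equal later.
    return [f if f == "*" else str(int(f)) for f in fields]


def entry_is_valid(entry: str) -> bool:
    try:
        parse_pattern(entry)
        return True
    except ValueError:
        return False


def parse_allow_list(text: str) -> List[Pattern]:
    # Assumption: entries are separated by commas and/or whitespace, as typed.
    return [parse_pattern(entry) for entry in text.replace(",", " ").split()]


def is_allowed(address: str, allow_list: List[Pattern]) -> bool:
    """True if `address` matches any entry. Matching is per whole octet, so
    10.1.1.7 never admits 10.1.1.70 and 192.168.2.* is exactly 192.168.2.0/24."""
    octets = str(ipaddress.IPv4Address(address)).split(".")  # rejects malformed input
    for pattern in allow_list:
        if all(field == "*" or field == octet for field, octet in zip(pattern, octets)):
            return True
    return False


def wildcard_hosts(pattern: Pattern) -> int:
    """How many addresses one entry admits; 256 per wildcard field."""
    return 256 ** sum(1 for field in pattern if field == "*")


def broadest_entry(allow_list: List[Pattern]) -> int:
    """Largest number of hosts any single entry admits; use it to catch an
    accidental *.*.*.* (or 10.*.*.*) before committing the list."""
    return max((wildcard_hosts(p) for p in allow_list), default=0)
```

A wildcard admits whole octets, so this notation cannot express a /25 or smaller prefix, and CIDR syntax such as 192.168.2.0/24 is not a valid entry; check broadest_entry() on a list before committing it, since *.*.*.* quietly admits every address on the internal VLAN.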
Setting support access
Next, the Setup utility prompts you to set up a support access account. If you would like to activate a support access account to allow your vendor access to the 3-DNS unit, type a password for the support account. Next, select the access type you want for the support account.
Setting the time zone
Next, you need to specify your time zone. This ensures that the clock for the 3-DNS Controller is set correctly, and that dates and times recorded in log files correspond to the time zone of the system administrator. Scroll through the list to find the time zone at your location. Note that one option may appear with multiple names. Select the time zone you want to use, and press the Enter key to continue.
Configuring NTP support
You can synchronize the time on the unit to a public time server by using Network Time Protocol (NTP). NTP runs over UDP on port 123 and keeps local time accurate with reference to clocks located on the Internet; it is capable of synchronizing distributed clocks to within milliseconds over long periods of time. If you enable NTP and the unit is behind a firewall, make sure UDP port 123 is open in both directions.
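As an added example (it is not the controller's own NTP client), here is a minimal Python NTP client that builds the 48-byte client request the unit would send on UDP port 123 and parses the server's reply, converting the transmit timestamp from the NTP epoch (1900) to Unix time. make_server_reply() fabricates a plausible server response so the parser can be exercised without a network; query() is the only function that actually sends traffic.

```python
import socket
import struct

NTP_PORT = 123
NTP_UNIX_OFFSET = 2_208_988_800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def build_request() -> bytes:
    """48-byte NTP header: LI=0, VN=3, Mode=3 (client) in the first octet, rest zero."""
    return bytes([(0 << 6) | (3 << 3) | 3]) + bytes(47)


def ntp_to_unix(seconds: int, fraction: int) -> float:
    return seconds - NTP_UNIX_OFFSET + fraction / 2 ** 32


def parse_response(packet: bytes) -> dict:
    """Decode a server reply; raises ValueError on anything that should not be trusted."""
    if len(packet) < 48:
        raise ValueError("NTP reply shorter than 48 bytes")
    first = packet[0]
    leap, version, mode = first >> 6, (first >> 3) & 0x7, first & 0x7
    if mode != 4:
        raise ValueError(f"expected server mode 4, got {mode}")
    stratum = packet[1]
    if stratum == 0:
        raise ValueError("stratum 0: kiss-o'-death or unsynchronized server")
    if leap == 3:
        raise ValueError("leap indicator 3: server clock not synchronized")
    # Transmit Timestamp occupies the last 8 octets: 32-bit seconds, 32-bit fraction.
    tx_sec, tx_frac = struct.unpack("!II", packet[40:48])
    return {"version": version, "stratum": stratum,
            "transmit_time": ntp_to_unix(tx_sec, tx_frac)}


def reply_is_usable(packet: bytes) -> bool:
    try:
        parse_response(packet)
        return True
    except ValueError:
        return False


def make_server_reply(unix_time: float, stratum: int = 2, leap: int = 0) -> bytes:
    """Constructed server reply so the parser can be exercised offline."""
    whole = int(unix_time)
    tx_sec, tx_frac = whole + NTP_UNIX_OFFSET, int((unix_time - whole) * 2 ** 32)
    first = (leap << 6) | (3 << 3) | 4          # LI, VN=3, Mode=4 (server)
    header = bytes([first, stratum, 6, 0xEC])   # poll=6, precision=-20
    return header + bytes(36) + struct.pack("!II", tx_sec, tx_frac)


def query(server: str, timeout: float = 2.0) -> dict:
    """Send one request over UDP/123 and parse the reply; a firewall that drops
    either direction surfaces here as socket.timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(), (server, NTP_PORT))
        data, _peer = sock.recvfrom(512)
    return parse_response(data)
```

The firewall rule in the text has to pass both the outbound request and the inbound reply; a dropped reply shows up here as a timeout rather than an error from the server. Plain NTP like this carries no authentication, so any host that can answer on UDP 123 before the real server does can set the unit's clock, and with it the timestamps in its logs; where you can, point the unit at a time server on the internal network rather than a public one.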
Configuring the 3-DNS mode
The 3-DNS Controller can run in one of three modes:
- Node mode
The node mode is the traditional installation of the 3-DNS Controller. The 3-DNS Controller replaces a DNS server in a network and uses the DNS server's IP address. All DNS traffic is directed at the 3-DNS Controller because it is registered with InterNIC as authoritative for the domain. In node mode, you usually run BIND on the system to manage DNS zone files. In node mode, you may also use the NameSurfer application available to manage your zone files.
- Bridge mode
In bridge mode, the 3-DNS Controller acts as an IP bridging device by forwarding packets between two LAN segments (usually on the same IP subnet). The system usually has one IP address, and is installed between the router or switch, and the authoritative DNS server. The 3-DNS Controller does not replace the authoritative DNS server.
The 3-DNS Controller filters all DNS packets that match wide IPs, and forwards the remaining packets to the authoritative DNS server for resolution. Note that this may be the preferred method of using the 3-DNS Controller because you do not have to replace the authoritative DNS server, and you can perform out-of-band testing before you deploy 3-DNS software upgrades.
- Router mode
In router mode, the 3-DNS Controller acts as a router by forwarding packets between two different IP subnets. You can put the 3-DNS Controller anywhere in the network topology so that packets destined for the authoritative DNS server have to pass through it. Router mode requires at least two IP addresses and two VLANs. Router mode is probably most useful for Internet service providers (ISPs) that want to redirect traffic to local content servers. For example, by using the 3-DNS Controller in router mode, an ISP can redirect requests for ads.siterequest.net to a local ad server.
Activating one-time auto-discovery
The one-time auto-discovery option can automatically detect configuration information for the local system. One-time auto-discovery can also detect configuration information for the local system's peer unit, if you are configuring a redundant system. One-time auto-discovery has two parts: auto-discovery for servers, and auto-discovery for links. One-time auto-discovery for servers detects the self IPs for the local system. If you are running the 3-DNS module on a BIG-IP system, one-time auto-discovery also detects the BIG-IP virtual servers. One-time auto-discovery for links detects the routers and links in the same data center as the local system. Note that you must activate the one-time auto-discovery for servers option if you want to activate the one-time auto-discovery option for links.
Configuring user authentication
When you run the Setup utility, you can configure authentication for 3-DNS user accounts either through an external LDAP or RADIUS server, or locally on the 3-DNS Controller. The following sections describe these two authentication options.
The root and admin accounts are always authenticated locally.
Using the local LDAP database only
When you run the Setup utility, you are not required to configure an external LDAP or RADIUS database to manage user authentication. Instead, you can use the default authentication mechanism, which is the 3-DNS Controller's local LDAP database. In this case, the local LDAP database manages not only authorization for your 3-DNS users, but also authentication. All users subsequently attempting to log on to a 3-DNS Controller must enter a user name and password, which are checked against user data stored in the local database. If the user name and password are found and verified in that database, the user is authenticated.
Configuring the unit to use an external LDAP or RADIUS server
When you run the Setup utility, you can configure an external (remote) server, either LDAP or RADIUS, to manage user authentication for the 3-DNS Controller. When you choose this configuration option, all users subsequently attempting to log on to a 3-DNS Controller must enter a user name and password, which are checked against user data stored in that external database. If the user name and password are found and verified in that database, the user is authenticated.
In the event that authentication fails with an external LDAP or RADIUS server, you can log in with accounts locally, such as the root and admin accounts.
Configuring external LDAP authentication
When you configure the unit to use an external LDAP server for user authentication, you need the following information:
- The IP address of the LDAP server, or the IP address of the primary server if you have more than one LDAP server.
- The base distinguished name of each LDAP server. This name must be the same for each server.
- Optionally, the user name of the account that you want to bind to the LDAP server as the search account. The search account is a read-only account used to do searches. This account must be able to access passwords. If you have more than one LDAP server, this account must be the same on each server.
- If you configure an LDAP search account, you need the password for that account. If you have more than one LDAP server, you must use the same search account and password.
- After you configure external authentication, you need to set the authorization level, or role, for each user you want to allow to access the controller. You can do this after you complete the Setup utility. Add an account and role for each user in the User Administration screen of the Configuration utility. Since the external authentication server handles the password authentication, you do not need to enter a password for these users. For detailed instructions on setting roles for users, see Managing user accounts, in Chapter 6, Administration and Monitoring, in the 3-DNS Reference Guide.
Configuring external RADIUS authentication
When you configure the unit to use an external RADIUS server for user authentication you need the following information:
- The IP address of the RADIUS server, or the IP address of the primary server and secondary server if you have more than one RADIUS server.
- The port configured for RADIUS traffic on your RADIUS server. Typically, the port configured for RADIUS is port 1645, the traditional RADIUS port, or port 1812, the new official RADIUS port.
- The primary RADIUS secret, and if you have a secondary RADIUS server, the secondary RADIUS secret.
- After you configure external authentication, you need to set the authorization level, or role, for each user you want to allow to access the controller. You can do this after you complete the Setup utility. Add an account and role for each user in the User Administration screen of the Configuration utility. Since the external authentication server handles the password authentication, you do not need to enter a password for these users. For detailed instructions on setting roles for users, see Managing user accounts, in Chapter 6, Administration and Monitoring, in the 3-DNS Reference Guide.
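To show what the RADIUS secret and port in the list above actually protect, the following Python builds an Access-Request the way a RADIUS client such as the 3-DNS Controller would (RFC 2865): the User-Password attribute is hidden by XORing it with an MD5 keystream derived from the shared secret and a random Request Authenticator, and the server's reply is accepted only if its Response Authenticator verifies under the same secret. This is an added example written for this page, not the controller's RADIUS client; the user name, password and secret in the test are constructed values, and make_server_response() stands in for a real server so the exchange runs offline.

```python
import hashlib
import hmac
import os
import struct
from typing import Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad with NULs to a multiple of 16 octets, then XOR
    each 16-octet block with MD5(secret + previous ciphertext block); the first
    block is keyed with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + bytes(-len(password) % 16) if password else bytes(16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server computes it. Trailing NUL
    padding is stripped, so a password that itself ends in NUL bytes is lost."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(h ^ k for h, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    # Attribute = Type (1) + Length (1, counting these two octets) + Value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes) -> Tuple[bytes, bytes]:
    """Return (packet, request_authenticator). The authenticator is fresh random
    per request; reusing one would expose the MD5 keystream across requests."""
    authenticator = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username) + \
        _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Without the secret, a host on the UDP path cannot forge an Access-Accept."""
    if len(response) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def make_server_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Constructed server reply for offline testing; computes the Response
    Authenticator exactly as a real RADIUS server would."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs
```

The password hiding is an MD5 keystream XOR keyed by the shared secret, not authenticated encryption, and the Response Authenticator is the only thing that binds an Access-Accept to your request; both stand or fall on a long, random secret that is the same on the unit and the server, and on the RADIUS traffic (UDP, unencrypted) staying on a trusted management network between the two.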
Configuring NameSurfer for zone file management
You can configure NameSurfer to handle DNS zone file management. In the final series of Setup utility screens, you choose whether NameSurfer manages the DNS zone files on the 3-DNS Controller. If you configure the 3-DNS Controller in node mode, we strongly recommend that you select NameSurfer as the master (primary) name server on the unit. NameSurfer then converts the DNS zone files on the system, becomes the authoritative DNS, and automatically processes changes and updates to the zone files. (You can access the NameSurfer application directly from the Configuration utility for the 3-DNS Controller.)
To open the NameSurfer application
- In the navigation pane, click NameSurfer.
The NameSurfer home screen opens.
- Edit the zone file information as required.
For help with the NameSurfer application, click Help in the NameSurfer navigation pane.
Remember that if you run the 3-DNS Controller in bridge or router mode, the system is not authoritative for any domains, so the NameSurfer application is not available to manage any zone files.
Running the Setup utility after creating the initial software configuration
You normally run the Setup utility when the system is first installed as part of the installation procedure. However, you can also use the command line Setup utility to change existing settings at any time. This section describes running the Setup utility to change settings after you run it initially.
To run the Setup utility from the command line, type setup at the 3-DNS prompt.
After you complete the initial configuration, the Setup utility presents a menu of individual configuration options.
The Setup utility menu is divided into two different sections, Required and Optional. The Setup utility includes the following required configuration options:
- Set the default gateway pool
- Configure VLANs and networking
- Set host name
- Configure web servers
- Set the root password
The following configuration selections are optional:
- Configure DNS
- Configure FTP
- Set keyboard type
- Define time servers
- Configure NameSurfer
- Initialize the iControl portal
- Configure RSH
- Configure SSH
- Configure Telnet
- Set time zone
- Remote authentication
- License activation
- Configure remote access (for configuration synchronization)
- Set support access
The menu appears as follows:

I N I T I A L   S E T U P   M E N U
Choose the desired configuration function from the list below.
  (A) Configure all services          (R) Steps for redundant systems
REQUIRED
  (E) Set default gateways            (V) Configure VLANs & networking
  (H) Set host name                   (W) Configure web servers
  (P) Set root password
OPTIONAL
  (C) Remote authentication           (O) Configure remote access
  (D) Configure DNS                   (S) Configure SSH
  (F) Configure FTP                   (T) Configure Telnetd
  (I) Initialize iControl portal      (U) Configure RSH
  (K) Set keyboard type               (Y) Set support access
  (L) License Activation              (Z) Set time zone
  (M) Define time servers             (Q) Quit
  (N) Configure NameSurfer
Enter Choice:
Options available only through the Setup utility menu
This section contains descriptions of options that are available only through the Setup utility menu. These options include:
- Initializing the iControl portal
- Configuring RSH
- Configuring Telnet
- Configuring FTP
Initialize the iControl portal
This option is available in the menu only after you create the initial software configuration. Select this option to configure the CORBA ports (IIOP and FSSL). This option prompts you for a list of IP addresses or host names you want to embed as objects in the portal object reference. Typically, in a redundant system, this list includes the fail-over IP address of the other 3-DNS unit in the redundant system.
This option prompts you to set the portal to use IP addresses instead of DNS names. If the portal is set to use IP addresses, the 3-DNS Controller does not have to do a DNS lookup.
In addition to these settings, you can change the following iControl portal settings:
- The security mode of the portal. You can allow the portal to handle non-secure requests.
- The name of the portal object reference file.
- The portal PID file name.
Configuring RSH
This option is available only in the menu after you create the initial software configuration. Use it to configure the remote shell (rshd) server. The utility prompts you for an IP address, or a wildcard pattern using asterisks (*), from which administrators may access the 3-DNS Controller, and also prompts you to create a support account for access by technical support.
If inetd is not currently configured, this utility configures inetd for the remote shell server (rshd). If the service port for rsh is closed, this utility opens the service port to permit rsh connections to the system.
Configuring Telnet
Use this option to configure the Telnet server on the 3-DNS Controller. The utility prompts you for an IP address, or a wildcard pattern using asterisks (*), from which administrators may access the 3-DNS Controller over Telnet, and also prompts you to create a support account for access by technical support.
If inetd is not currently configured, this utility configures inetd for Telnet. If the Telnet service port is closed, this utility opens it to permit Telnet connections to the 3-DNS Controller.
Configuring FTP
Use this option to configure FTP on the 3-DNS Controller. The Setup utility prompts you for an IP address, or a wildcard pattern using asterisks (*), from which administrators may access the 3-DNS Controller with FTP, and also prompts you to create a support account for access by technical support.
If the service port for FTP is closed, this utility opens the service port to permit FTP connections to the 3-DNS Controller.
Although you can configure FTP and Telnet on a 3-DNS Controller, we recommend that you leave these services disabled: both send credentials and session data in cleartext. Use SSH, and the web-based Configuration utility over SSL, for remote administration instead.