The philosophy of SSB
Step 2. When configuring SSB for the first time, click Next
Figure 3.6. The Welcome Wizard
It is also possible to import an existing configuration from a backup file. Use this feature to restore a backup configuration after a recovery, or to migrate an existing SSB configuration to a new device.
Step a. Click Browse and select the configuration file to import.
The initial connection to SSB
Note
It is not possible to directly import a GPG-encrypted configuration into SSB; it has to be decrypted locally first.
Step b. Enter the passphrase used when the configuration was exported into the Encryption passphrase field.
For details on restoring configuration from a configuration backup, see Procedure 16.7, Restoring SSB configuration and data (p. 236).
Step c. Click Import.
Warning
If you use the Import function to copy a configuration from one SSB to another, do not forget to configure the IP addresses of the second SSB. Having two devices with identical IP addresses on the same network leads to errors.
Step 3. Accept the End User License Agreement and install the SSB license
Figure 3.7. The EULA and the license key
Step a. Read the End User License Agreement and select Accept.
Step b. Click Browse, select the SSB license file received with SSB, then click Upload.
Note
It is not required to manually decompress the license file. Compressed licenses (for example, .zip archives) can also be uploaded.
Step c. Click Next.
Step 4. Fill the fields to configure networking. The meaning of each field is described below. The background of unfilled required fields is red. All parameters can later be modified using the regular interface of SSB.
Figure 3.8. Initial networking configuration
Step a. Hostname: Name of the machine running SSB (for example SSB).
Step b. Domain name: Name of the domain used on the network.
Step c. DNS server: IP address of the name server used for domain name resolution.
Step d. NTP server: The IP address or the hostname of the NTP server.
Step e. SMTP server: The IP address or the hostname of the SMTP server used to deliver e-mails.
Step f. Administrator's e-mail: E-mail address of the SSB administrator.
Step g. Timezone: The timezone where the SSB is located.
Step h. External interface — IP address: IP address of the external interface of SSB (for example 192.168.1.1). The IP address can be chosen from the range of the corresponding physical subnet. Clients will connect to the external interface, therefore it must be accessible to them.
Note
Do not use IP addresses that fall into the following ranges:
■ 1.2.0.0/16 (reserved for communication between SSB cluster nodes)
■ 127.0.0.0/8 (localhost IP addresses)
Step i. External interface — Netmask: The IP netmask of the given range in IP format. For example, general class C networks have the 255.255.255.0 netmask.
Step j. Default gateway: IP address of the default gateway. When using several network cards, the default gateway is usually in the direction of the external interface.
Step k. HA address: The IP address of the high availability (HA) interface. Leave this field on auto unless specifically requested by the support team.
Step l. Click Next.
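A pre-flight check for the addresses planned for Step 4, as an added example that is not part of the SSB documentation or product. The function name and sample values are hypothetical. Two assumptions go beyond the text: the reserved-range note is applied to every address field, and the default gateway is expected on the external interface's subnet (the single-interface case).

```python
import ipaddress

# Ranges the note in Step h says must not be used.
RESERVED = {
    "1.2.0.0/16": "reserved for communication between SSB cluster nodes",
    "127.0.0.0/8": "localhost IP addresses",
}


def check_network_plan(ip, netmask, gateway, dns):
    """Return a list of problems in the values planned for the wizard."""
    try:
        # Accepts a dotted netmask; rejects non-contiguous ones (255.0.255.0).
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    except ValueError as exc:
        return [f"external interface: {exc}"]
    net, problems, parsed = iface.network, [], {}

    fields = {"external interface": ip, "default gateway": gateway, "DNS server": dns}
    for label, value in fields.items():
        try:
            addr = parsed[label] = ipaddress.IPv4Address(value)
        except ValueError:
            problems.append(f"{label}: {value!r} is not an IPv4 address")
            continue
        # Assumption: the reserved-range note is applied to every address field.
        for cidr, why in RESERVED.items():
            if addr in ipaddress.ip_network(cidr):
                problems.append(f"{label}: {addr} is inside {cidr} ({why})")

    # A host cannot use the subnet's network or broadcast address.
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"external interface: {iface.ip} is not a host address in {net}")

    gw = parsed.get("default gateway")
    if gw is not None:
        # Assumption: single external interface, so the gateway is on its subnet.
        if gw not in net:
            problems.append(f"default gateway: {gw} is outside {net}")
        elif gw == iface.ip:
            problems.append("default gateway: same address as the external interface")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    for line in check_network_plan("1.2.3.4", "255.255.255.0", "192.168.1.254", "127.0.0.1"):
        print(line)
```

An empty list means none of these checks found a problem. It does not confirm that the address is free on the network or reachable by clients.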
Step 5. Enter the passwords used to access SSB.
Figure 3.9. Passwords
Note
SSB accepts passwords that are not longer than 150 characters. The following special characters can be used:
!"#$%&'()*+,-./:;<=>?@[\]^-`{|}
Step a. Admin password: The password of the admin user who can access the web interface of SSB.
Step b. Root password: The password of the root user, required to access SSB via SSH or from the local console.
Note
Accessing SSB using SSH is rarely needed, and recommended only for advanced users for troubleshooting situations.
Step c. If you want to prevent users from accessing SSB remotely via SSH or changing the root password of SSB, select the Seal the box checkbox. Sealed mode can be activated later from the web interface as well. For details, see Section 6.5, Sealed mode (p. 107).
Step d. Click Next.
Step 6. Upload or create a certificate for the SSB web interface. This SSL certificate will be displayed by SSB to authenticate administrative HTTPS connections to the web interface.
Figure 3.10. Creating a certificate for SSB
To create a self-signed certificate, fill the fields of the Generate new self-signed certificate section and click Generate. The certificate will be self-signed by the SSB appliance; the hostname of SSB will be used as the issuer and common name.
Step a. Country: Select the country where SSB is located (for example HU-Hungary).
Step b. Locality: The city where SSB is located (for example Budapest).
Step d. Organization unit: The division of the company that owns SSB (for example IT Security Department).
Step e. State or Province: The state or province where SSB is located.
Step f. Click Generate.
If you want to use a certificate that is signed by an external Certificate Authority, in the Server X.509 certificate field, click to upload the certificate.
Figure 3.11. Uploading a certificate for SSB
Then in the Server private key field click , upload the private key, and enter the password protecting the private key.
Figure 3.12. Uploading a private key
Note
SSB accepts private keys in PEM (RSA and DSA), PUTTY, and SSHCOM/Tectia format. Password-protected private keys are also supported.
Balabit recommends using 2048-bit RSA keys (or stronger).
Note
SSB accepts passwords that are not longer than 150 characters. The following special characters can be used:
!"#$%&'()*+,-./:;<=>?@[\]^-`{|}
Step 7. Review the data entered in the previous steps. This page also displays the certificate generated in the last step, the RSA SSH key of SSB, and information about the license file.
Figure 3.13. Review configuration data
If all information is correct, click Finish.
Warning
The configuration takes effect immediately after clicking Finish. Incorrect network configuration data can render SSB inaccessible.
SSB is now accessible from the regular web interface via the IP address of its external interface.
Step 8. Your browser is automatically redirected to the IP address set as the external interface of SSB, where you can log in to the web interface of SSB using the admin username and the password you set for this user in the Welcome Wizard.
Figure 3.14. Logging in to SSB