
Version 11. New Meraki Firewall Installation Graphical Instructions


Academic year: 2021


New Meraki Firewall Installation Graphical Instructions

We are pleased to provide this technology to enable Church meetinghouse networks.

The installation / activation process has been simplified, and these instructions provide needed information for performing the installation. If needed, more detailed instructions are available on the MH Tech website (mhtech.lds.org).

This document contains diagrams that show the proper layout for connecting network cables into firewall ports. The diagrams will illustrate how to connect various network regions to the Meraki firewall.

Table of Contents

Upgrade Preparation 2
Equipment List 3
Know Cisco ISP Connection 3

Step 1: Download Firmware
    Connect Meraki to Cisco Firewall 4
    Download Firmware

Step 2: Transfer Cables 7

Step 3: Configure firewall via TM
    TM Activation 9

Step 4: Test new configuration
    Test PCs and Printers 13

Appendix
    USB Ethernet Dongle 14
    Activation Error Messages 15
    Configure Static IP or PPPoE Connections 17
    ISP Connection Not Working 18
    Contractor Login Information 19
    Property Not Found 19

Page 1

Version 11


Preparation

How to prepare for your firewall Upgrade

Power Concerns

The new Access Point is powered via a PoE adapter. Do you have open power plugs for the Meraki firewall? You may need another surge protector. Do you need an adapter from US to local connector?

Client Static IP Addresses

If your building uses static IP addresses for clerk or Family History PCs, configuration will be required.

Access to Clerk PCs

You will want access to clerk PCs to test their connection. This may require bringing a clerk with you.

Connecting with Laptop?

You may need to connect to the network via Ethernet cable. Do you have an Ethernet port or adapter for your laptop?

Know Your Cabling

You will be connecting cables for various purposes. Make sure you know the purpose of each cable.

Bring Tools

Screwdrivers (Phillips and flat), portable drill, wire cutters, Velcro to bundle cables, 6’+ Ethernet cable to connect laptop to firewall, paper clip (firewall reset)

Know Your ISP Connection

Check with your Internet Service Provider ahead of time:

DHCP – Automatic
Static IP – 10.xx.xx.xx
PPPoE – Username / Password

Know Your Property ID

You’ll be asked to provide the property number or description during the activation process.

Page 2

Equipment List

You will receive one of these packages. See the next page for more details.

Know Your Internet Service Provider (ISP) Configuration

This information will be required during setup. Your ISP connection will use one of the following 3 methods:

DHCP (dynamic) – Nothing to note. It’s dynamic.

Static IP

IP Address __________________________________
Netmask __________________________________
Gateway __________________________________
DNS 1. 8.8.8.8 2. 8.8.8.4

PPPoE

Username _________________
Password _________________

Please call your ISP ahead of time to ensure you have this information and that the link will be ready for the installation.

Property Information

• Property ID _________________

• Property Description _________________

Page 3

Equipment List Options

This is a standard meetinghouse configuration. The number of switches and Wireless Access Points will vary based on the size of the building and its needs.

This meetinghouse configuration accounts for a Family History Library (Special Purpose Zone). The number of switches and Wireless Access Points will vary based on the size of the building and its needs.

Page 4

1-1 Step 1a: Download Firmware
Unpack Meraki MX64 & Connect to Power

1. Remove Meraki MX64 from boxes

2. Note the serial numbers from the devices for later use

Firewall   Q2KN - ________________ - _______________
Access Pt  Q2PD - ________________ - _______________
Access Pt  Q2PD - ________________ - _______________
Access Pt  Q2PD - ________________ - _______________
Switch     Q2HP - ________________ - _______________
Switch     Q2HP - ________________ - _______________

You may have more equipment than the lines above accommodate. Please note all serial numbers.

3. Plug power cord into Meraki MX64

1-2 Step 1a: Download Firmware
Connect Cable from ISP Modem to Meraki Firewall

3. Connect the ISP cable (Ethernet) to the Meraki MX64 Internet port

ISP Connection Method

• If Dynamic (DHCP), no additional configuration is required

• Static IP & PPPoE: for this configuration, follow the instructions on the next page and go to page 17 to configure the Static IP or PPPoE settings

Page 5

1-3 Step 1a: Download Firewall Firmware
Firmware Download

4. With the Meraki MX64 now connected to the internet, new firmware (software) will be downloaded. The Meraki status light will change colors to indicate the progress.

5. Wait for a solid white light before moving to the next step.

Normal time to update the firmware is 4 – 20 minutes, depending on your internet connection.

Firewall (MX64) Status Light Indicators:

Solid Orange – Powered on but not connected to internet
Alternating Colors – Device is attempting to connect to Meraki
Flashing White – Firmware upgrade in progress
Solid White – Fully operational and ready for configuration. Device is connected to the internet.
Blinking Orange – Hardware problem. May need RMA

[Figure: MX64 front panel status indicator; rear panel ports: Power, Restore, 1, 2, 3, 4, Internet]

The Meraki firewall status light may change to solid orange after initial connection or firmware download. Wait 5 minutes before trying something different.

If the status light remains orange, your connection may be Static IP or PPPoE. Refer to page 17 for instructions.

1-4 Step 1b: Download Access Point Firmware
Connect Meraki Access Point (MR33)

6. As soon as the Meraki firewall has a solid white status light, connect the Meraki MR33 Access Point (if included) to the Meraki firewall:

    1. Connect an Ethernet cable to the Meraki MR33. Connect the other end of the Ethernet cable to the PoE adapter or a PoE switch port.

    2. If a PoE adapter is used, connect another Ethernet cable from the power adapter LAN port to Meraki MX64 port 2.

The Meraki MR33 will go through a power cycle where the status lights change colors. The device has updated firmware when the status is solid green or blue. This may take from 20 – 35 minutes. It has not yet received its LDS configuration. This will happen during the activation process (page 12).

Access Point (MR33) Status Light Indicators

Orange - AP is booting (permanent Orange suggests hardware issue)
Rainbow - AP is initializing/scanning
Blinking Blue - AP is upgrading
Green - AP in Gateway mode with no clients
Blue - AP in Gateway mode with clients
Blinking Orange - AP can't find uplink

It is OK to proceed to steps 2 & 3 prior to the Meraki MR33 reaching a solid green or solid blue state.

Page 6

1-4 Step 1b: Download Switch Firmware
Connect Meraki Switch (MS220)

The Meraki MS220 will go through a power cycle where the status lights change colors. The device has updated firmware when the status is solid green. This may take from 20 – 35 minutes. Status light indicators below:

• Solid Orange – Unable to connect to Meraki cloud

• Flashing green – Firmware upgrade in progress

• Solid green – Fully functional and connected to Meraki cloud

• Off – switch does not have power

Switch Ports:

• Off – No client connected

• Solid Orange – 10/100 Mbps or PoE active

• Solid green – 1000 Mbps

[Figure: MS220 port layout – Restore, GbE ports 1–8, SFP GbE ports 9–10]

2-1 Step 2: Connect Cables

1. Connect devices to the switches and then the switches to the Meraki firewall. Typically, Port 1 of the switch is used for the uplink to the firewall.

It is critical that you connect the cables to their matching ports.

Page 7

3-1 Step 3: Configure Firewall via TM
Connect Laptop or PC to Meraki network

Wired Ethernet:

1. PC (Clerk or FHL) or Laptop.

Clerk or FHL PC. These PCs should now be connected to the internet through the existing cabling that was transferred in Step 2.

Laptop. Connect laptop to Meraki MX64 via Ethernet cable. We suggest you connect to port 3 on the Meraki MX64. (You may need to temporarily disconnect the cable in Port 3).

If using a USB Ethernet dongle for your laptop connection, please test beforehand. You likely need to download software. See Appendix A1 on page 14 for further information.

OR

Wireless

1. You may be able to connect to LDSAccess if the Cisco Access Points have come back up. You may need to wait a few minutes for the Cisco APs to connect to the new firewall.

If you have Configuration B, which includes a Meraki Access Point, it will not yet have its configuration and cannot connect to LDSAccess until it has received the new configuration later.

3-2 Step 3: Configure Firewall via TM
Use Browser (Chrome, Internet Explorer, etc.) from PC/Laptop to Activate Equipment

2. Clear the browser “cache”. When you are in the browser (Internet Explorer, Chrome, Firefox, etc.) press the following keystroke combination: “Ctrl + Shift + Delete”. This will open a screen to allow you to clear the cache.

3. URL: http://tm.lds.org/#/meraki/activation (same login ID as LDS.org)

TM should be run in the normal browser mode (not in “private” or “incognito” mode).

Page 8

3-3 Step 3: Configure Firewall via TM
Select Configuration and Enter Meraki MX64 Serial Number

4. Select the configuration “(Meetinghouse)”

5. Enter the Meraki MX64 serial number you recorded earlier

6. Select “Verify”

If your serial number matches, you will see a screen like this.

If the serial number is wrong, you’ll get an error. Please re-enter the serial number. Pay close attention to characters that look alike: S or 5, B or 8. Please read the number from the device, not the box.

If using a smartphone or tablet to enter the serial number, be careful to check the “autofill”. It may change your serial number and you will get an error.

3-4 Step 3: Configure Firewall via TM
Adding a Meraki MR33 Access Point?

These steps are for those who received a Meraki Access Point (MR33) or Switches (MS220).

7. Received MR33 – Enter the MR33 serial number. Select “Verify”. Select “Continue”.

8. Did not receive MR33 – Select “Continue”

Repeat these steps for additional MR33s or MS220s.

Page 9

3-5 3-6 Step 3: Configure Firewall via TM
Search for Firewall Serial Number

9. Enter property information from page 3

If entering a property description, you may have multiple selections to choose from.

10. Correct property shown?

    1. Yes – Select the radio button for the destination building. Select “Continue”. Go to the next instruction page.

    2. No – Check the information and re-enter it. Still no match? Contact the Global Service Center.

It is important that you select the correct property. If you select the wrong property, it will make managing the network more difficult because property searches won’t correlate.

11. Select “New Firewall”

If the Cisco firewall is assigned to the wrong property, contact the Global Service Center for resolution.

Page 10

3-7 Step 3: Configure Firewall via TM
Enter / Update ISP Information

This step is optional.

13. Enter updates about your Internet Service Provider (ISP). Include the following (where possible):

    ISP Name
    Bandwidth Speeds
    Account Information

14. Select “Continue”

3-8 Step 3: Configure Firewall via TM
Verify and Activate

15. Verify that the information you entered is correct

When installing the Meraki MR33 Access Point or MS220 switch, the devices need to complete firmware download prior to pressing the “activate” button in the next step. The status light on the MR33 should be solid blue or solid green before moving to the next step.

This would be a good time to disconnect your laptop from the Meraki Ethernet port and replace the cable that belongs in that port (if previously removed).

16. Select “Activate Firewall”

Page 11

3-9 Step 3: Configure Firewall via TM
Activation Success. Configuration Download

If successful, you will see a message that the firewall is in the process of activating. It will take about 5 minutes for the configuration to download. Please allow 5 minutes for this process to complete.

As the new configuration is downloaded to the MR33, you may see the MR33 power cycle and the status light will change.

MR33 configuration is complete when:

• The status light is solid green or blue

• From a wireless device, if you see “Meraki Setup” as an SSID, it has not received the LDSAccess configuration. Please wait until you see LDSAccess, which could take up to 30 minutes.

Remember that the initial firmware download for the MR33 can take up to 35 minutes.

4-1 Step 4: Test the New Connections
Test Wireless Access Point

1. Test Wired PCs

Log in to a clerk PC. Use a browser to connect to LDS.org or another favorite website. If this fails, see the Troubleshooting section.

2. Test Facilities Devices

Have the FM test facility devices. Your Facility Manager should have tools that allow them to test connections to facilities devices, such as door access, heating and cooling systems, etc.

3. Test Wireless Connections

Connect a mobile device to LDSAccess. Use a browser to connect to LDS.org or another favorite website. We suggest doing this at several locations in the building.

Page 12

4-2 Congratulations! Your Firewall is Upgraded

Does your network cabling follow Church standard?

Although correcting network cabling is not part of the upgrade, it might be a good time for you to check to see if you are following standards.

The charts below show the correct network configuration for the new firewall.

Dedicated Firewall Port Assignments

Firewall Port(s)          Connection Description
Internet                  ISP Connection
GbE LAN Ports 1 and 2     Public Network
GbE LAN Port 3            Special Purpose Zone
GbE LAN Port 4            Facilities Zone

Page 13

A-1 Appendix
USB Ethernet Dongle for Laptop Connection

Most modern laptops do not have a built-in Ethernet connection port. In order to accommodate an Ethernet RJ45 cable, a dongle (adapter) must be added to the laptop. The dongle often requires software to be installed for it to work properly. This software is typically provided with the dongle.

Please make sure to download the software and run through the installation prior to going on-site. It is best if you test this connection beforehand.

[Figure: Example USB Ethernet dongle]

A-2 What happens if an Error Occurs?

If an error occurs during the activation process, please review the next few pages for solutions. If no solution is found, please call the Global Support Center at 1 855-537-4357 or dial the toll-free number for your area.

A-3 Activation Error: Firewall Could Not be Found in Meraki Inventory

Inventory message – when entering the serial number for a Meraki device into the activation screen, you could get the following error message:

• This message will typically mean you have entered an incorrect serial number. Some letters / numbers can be difficult to distinguish, such as 5 and S. Please look at the serial number on the device and on the box, making sure they are the same. You need to use the serial number on the device.

• If you have confirmed the right serial number, please call the GSC for assistance.
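A pre-check for the serial-number mistakes described above, as an added example that is not part of the original guide or of TM. It assumes the XXXX-XXXX-XXXX shape from the "already Activated" message and the prefixes pre-printed on the Step 1a worksheet; the function names are hypothetical and the serials in the usage comments are constructed.

```python
import re

# Serial prefixes pre-printed on this guide's Step 1a worksheet.
PREFIXES = {"firewall": "Q2KN", "access_point": "Q2PD", "switch": "Q2HP"}
# Look-alike pairs the guide names explicitly.
LOOKALIKES = [("S", "5"), ("B", "8")]
# Assumption: three dash-separated groups of four letters/digits.
SERIAL_RE = re.compile(r"^[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}$")


def normalize(raw):
    """Upper-case and drop whitespace that autofill or copy/paste may add."""
    return re.sub(r"\s+", "", raw).upper()


def check_serial(raw, device):
    """Return a list of problems; an empty list means the entry looks sane."""
    serial = normalize(raw)
    if not SERIAL_RE.match(serial):
        return ["format is not XXXX-XXXX-XXXX"]
    expected = PREFIXES[device]
    if not serial.startswith(expected + "-"):
        return [f"{device} serials on the worksheet start with {expected}"]
    return []


def ambiguous_positions(raw):
    """0-based positions in the normalized serial that hold S, 5, B or 8."""
    risky = {c for pair in LOOKALIKES for c in pair}
    return [i for i, c in enumerate(normalize(raw)) if c in risky]


def compare_readings(device_label, box_label):
    """Classify how the device-label and box readings differ."""
    a, b = normalize(device_label), normalize(box_label)
    if a == b:
        return "match"
    if len(a) != len(b):
        return "different"
    swaps = {frozenset(pair) for pair in LOOKALIKES}
    diffs = [frozenset((x, y)) for x, y in zip(a, b) if x != y]
    # Every mismatch is an S/5 or B/8 confusion: re-read the device label.
    return "lookalike-only" if all(d in swaps for d in diffs) else "different"


# Constructed sample values, not real device serials:
#   check_serial(" q2kn-ab5d-e8gh ", "firewall")
#   compare_readings("Q2KN-AB5D-E8GH", "Q2KN-ABSD-EBGH")
```

A "lookalike-only" result points to a misread character; "different" means the box and the device do not belong together, and the guide says to use the number on the device.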

Page 14

A-4 Activation Error: Firewall XXXX-XXXX-XXXX is already Activated

If you get this error message, it is because the firewall has already been activated in the inventory. It is likely that an FM with multiple firewalls is using the same serial number from a previous activation. If the firewall is being moved from one building to another and the user is trying to activate in the new building, please call the GSC to deactivate the firewall from another network.

A-5 Activation Error: Any Other Message

Any other error message received from TM during activation will be caused by an internal processing error.

• Try the TM activation process again. Start at the point where you log in to TM again. Enter the serial numbers for the devices again. Select property, etc.

If you select activate firewall and it again comes back with an error, please contact the GSC. GSC personnel at this point should escalate to the TM development team.

If you experience any problems performing the Meetinghouse Firewall upgrade, please contact the Global Service Center (GSC) at +1 855-537-4357 or dial the toll-free number for your area.

Page 15

A-6 A-7 Configure Static IP or PPPoE ISP Connection

Your ISP may require a Static IP or PPPoE connection on the firewall in order to allow access to the internet. Follow the instructions below to configure the Meraki firewall to support one of these connection types. Contact your ISP if you have questions about your connection type. The GSC does not have this information.

We suggest you try all installations with the DHCP (dynamic) option first. Often we have seen that the firmware will download and then you configure the Static IP or PPPoE after.

Connect PC/Laptop to Meraki firewall

Connect your Meraki MX64 firewall to the ISP modem. This will attempt a dynamic (DHCP) connection. If it fails to connect, the status light will turn solid orange, which means you may need to configure a Static IP or PPPoE connection. Connect a PC directly to the Meraki firewall. If using a laptop, you may need a dongle adapter to provide the Ethernet connection. Please test your laptop connecting via Ethernet cable beforehand. You will probably need to download a software driver to make the adapter work.

Login to Meraki Setup

From a modern browser, connect to http://setup.meraki.com (do not use https)

Username – Device Serial Number
Password – leave blank

Note: If Meraki firmware was previously downloaded, the username / password will be different. Use the following instead:

Username – admin
Password – ld5b@53

Configure Static IP Connections

Click “Configure” tab at top

• VLAN Tagging: Don’t Use
• Connection Type: Direct
• IP Assignment: Static
• Address: Enter IP address*
• Netmask: Enter netmask*
• Gateway: Enter Gateway*
• DNS Server 1: 8.8.8.8
• DNS Server 2: 8.8.8.4
• Port 4: LAN
• Web Proxy: No

Go to the bottom of the page and select the “Save” button.

The Meraki firewall will reboot. Proceed to the Activation section.

Configure PPPoE Connections

Click “Configure” tab at top

• VLAN Tagging: Don’t Use
• Connection Type: PPPoE
• Authentication: User Authen..
• Username: Enter username*
• Password: Enter password*
• IP Assignment: Dynamic
• Port 4: LAN
• Web Proxy: No

*The address, netmask, gateway, username, and password are provided by the ISP

Case Sensitive

Page 16

A-8 ISP Connection Not Working
PPPoE

With PPPoE connections, we have seen various configurations by the ISPs that affect how the Meraki firewall will connect. You may need to call the ISP to determine what type of configuration they are using.

When talking to the ISP, ask the following questions:

• Can you change from PPPoE to DHCP? If yes, is there an additional charge? (Normally, if available, it is less expensive to have a DHCP connection.)

• We prefer DHCP connections – easier to deal with

• Can we have the PPPoE credentials (username / password) placed on the ISP modem? This is our preferred configuration for PPPoE

ISP Connection Not Working
DHCP

DHCP connection is not working. Status light is solid orange.

The most common cause of this is that the ISP modem is looking for the MAC address of the previous firewall. Since there is a new firewall, with a different MAC address, the ISP modem won’t automatically connect.

Note: If you are not comfortable with these instructions, please contact the GSC

• To solve this, power off and disconnect the Meraki firewall from the ISP modem

• Power off the ISP modem for at least 15 seconds

• Power the ISP modem back on

• Allow 5 minutes for the ISP modem to reconnect to the internet and clear its buffer

• Power on the Meraki firewall and connect to the ISP modem

• Meraki firewall will go through its connection status light changes:

    • Solid Orange – Powered on but not connected to internet

    • Alternating Colors – Device is attempting to connect to Meraki

    • Flashing White – Firmware upgrade in progress

    • Solid White – Fully operational and ready for configuration. Device is connected to the internet.

Page 17

A-9 ISP Connection Not Working
Static IP

Our experience has been very positive with Static IP connections. We haven’t had one fail unless you have the wrong information from the ISP. Our only recommendation is to call your ISP to verify the IP address, netmask and gateway information. Then make sure you have correctly typed that into the Static IP configuration screen (instructions on page 17).
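One way to sanity-check the three worksheet values before typing them into the Static IP screen, as an added example that is not part of the original guide. The function name is hypothetical and the addresses in the usage comments are constructed from a documentation range; a clean result only means the values agree with each other, not that they are what the ISP assigned.

```python
import ipaddress


def check_static_wan(address, netmask, gateway):
    """Return a list of problems with the Static IP worksheet values.

    An empty list means address, netmask and gateway are mutually
    consistent.
    """
    address, netmask, gateway = (v.strip() for v in (address, netmask, gateway))
    try:
        addr = ipaddress.IPv4Address(address)
        gw = ipaddress.IPv4Address(gateway)
        # strict=False: the worksheet holds a host address, not a network.
        net = ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)
    except ValueError as exc:  # also covers non-contiguous netmasks
        return [f"cannot parse: {exc}"]

    problems = []
    # ipaddress also accepts host masks (0.0.0.255) and prefix lengths;
    # the setup screen asks for a dotted netmask, so flag anything else.
    if str(net.netmask) != netmask:
        problems.append(f"netmask should be written as {net.netmask}")
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    if gw == addr:
        problems.append("gateway and firewall address are the same")
    if net.prefixlen < 31:  # /31 and /32 have no network/broadcast address
        for label, ip in (("address", addr), ("gateway", gw)):
            if ip == net.network_address:
                problems.append(f"{label} {ip} is the network address of {net}")
            elif ip == net.broadcast_address:
                problems.append(f"{label} {ip} is the broadcast address of {net}")
    return problems


# Constructed sample values (192.0.2.0/24 is a documentation range):
#   check_static_wan("192.0.2.10", "255.255.255.0", "192.0.2.1")
#   check_static_wan("192.0.2.10", "255.255.255.0", "192.0.3.1")
```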


A-10 Contractor Login

If you are using a contractor for the installations, they will need to setup an LDS login account to gain access to the TM website.

They do not need to be members to access the website. We have set this up so any LDS login will have access to the activation site.

Anyone with an LDS login account can access the URL for activation – tm.lds.org/#/meraki/activation. This is the same LDS credential that would be used for things like Family Search. To create a new account, please go to the following URL:

https://ldsaccount.lds.org/register

Page 18

A-11 For Property Not Found

There are a few scenarios that may exist that require you to select “Property Not Found”.

• Upgrading from old ASA or PIX firewall. These firewalls do NOT have serial numbers that are tracked in TM.

• You do not have the correct Property or Unit ID for your building

Whatever the circumstance is, please call the GSC for assistance. They can assign the proper firewall serial number to a property, locate the property information, etc. They will instruct you to follow the simple instructions below once everything is identified and hopefully corrected.

1. Fill out this form

2. When finished, select “Continue”

Please inform your FM that you made this selection. He/she will need to work with Church HQ to properly connect the new firewall to the correct property.
