Installation Guidelines for WebSAMS Router Replacement
1. Installation and configuration guidelines for the router replacement
This guideline serves as a reference for schools that plan to replace the existing WebSAMS router with the recommended router. It assumes that all WebSAMS functions work with the existing router and that the new router will be installed in the same location as the existing one.
The target audience of this guideline is network engineers or professionals with in-depth knowledge and experience in designing, configuring or maintaining network systems and devices.
A typical router setup between the WebSAMS and ITEd networks is shown below for reference.
[Figure: typical router setup. Labels: Internet, Internet Router, DSU, Optional Proxy Server / Firewall, Router, Switch (10M/100M), ITEd Servers and Workstations, Switch (10M/100M), WebSAMS Workstations and Servers]
For details of rules and configuration of WebSAMS Router, please refer to “Document 36 – Rules for Configuration of WebSAMS Router and Internet Gateway”.
1.1 Preparation
(i) Site Preparation
Please ensure that:
a) All servers, workstations, LAN switches, Internet connection and firewall are connected and are being used in the existing network.
b) The site provisions including lockable rack, power supply, air-conditioners and cabling are ready.
c) There is no additional site preparation work to be done for the new router.
(ii) Information Preparation
The parameters to be used in the configuration of the replacement router, listed below, should be collected in advance. They can be obtained from the configuration of the existing router or the school's own records.
a) IP address of router port connecting to WebSAMS network
b) IP address of router port connecting to ITEd network
c) IP address of WebSAMS Server
(For 1 Server 2 WebSAMS, 2 IP addresses are assigned to the WebSAMS server)
d) IP address of HTTP Server
(For 1 Server 2 WebSAMS, 2 IP addresses are assigned to the HTTP server)
e) All port numbers defined (permit or deny)
f) Access Control List (ACL)
g) IP addresses of ITEd file servers / printers shared for WebSAMS network, if any
1.2 Disconnection of the existing Router
(ii) Shut down and then power off the existing Router
(iii) Unplug all cables (power cords and all network cables)
(iv) Remove the existing Router and then store it properly.
1.3 Installation of the new Router
(i) If the router supports rack mounting, mount it in the lockable rack. Otherwise, place it properly in the lockable rack.
(ii) Connect the router to the power supply and then power on the router.
(iii) Connect the router with the network cables between the WebSAMS and ITEd network segments.
1.4 Configuration of the new Router
The following describes the key components of the configuration for the router used for WebSAMS and ITEd network integration. The exact configuration of the router will depend on its make and model, and also on the individual network environment in each school. For instance, the network IP addresses will be different in each school and the number of network segments may also be different. Details of access rules and sample configuration are shown in “Document 36 – Rules for Configuration of WebSAMS Router and Internet Gateway”.
(i) Connect to a console terminal
By using the console cable, connect the router (via the console port on the router) to a console terminal (i.e. a notebook / workstation).
For a Windows workstation, open HyperTerminal or PuTTY and define the port settings as below:
Bits per second: 9600;
Data bits: 8;
Parity: None;
Stop bits: 1;
(ii) Disable unnecessary services
Certain services are provided by the router by default and should be disabled for security reasons.
(iii) Set the router host name and disable domain lookup
Set the host name, which will be used in the default configuration filename, and disable DNS host name-to-address translation.
(iv) Disable source-route option to prevent spoofing
IP datagrams containing a source-route option should be discarded to avoid IP spoofing.
(v) Configure router interface with WebSAMS network
Configure the router Ethernet interface connecting to the WebSAMS network with basic security settings.
(vi) Configure router interface with ITEd network
Configure the router Ethernet interface connecting to the ITEd network with basic security settings and the user-defined access group.
(vii) Configure user-defined access list
Configure the user-defined access list to allow access to the ITEd network from the WebSAMS network while denying access to the WebSAMS network from the ITEd network and other networks. This is the core of the access control: only packets that are absolutely required are allowed into the WebSAMS network, and all other packets should be rejected.
(viii) Configure router console port login and set login security
(ix) School specific access control requirement
For an individual school that has additional network requirements, the technical support services staff should be consulted to address those school-specific access control requirements between the WebSAMS network and the ITEd network (e.g. Netmeeting between WebSAMS and ITEd) by adding additional access lists to the router configuration file.
(x) Connection from WebSAMS network to Internet
The above sample router configuration steps allow the WebSAMS network to access a specific IP range of the ITEd network. For the WebSAMS network to access other network segments within the school or the Internet, additional IP ranges and other changes have to be incorporated into the router configuration file, depending on the configuration of the other network segments and the Internet connection of the individual school. The ISP, other vendor or technical support service provider responsible for setting up any Internet proxy or firewall, and the school network administrator, have to be consulted to customize the related configurations.
However, it has to be noted that exposing the WebSAMS network to the Internet carries risks. As the WebSAMS server(s) contain sensitive and confidential school and student information, excessive security threats originating from the Internet should be guarded against. It is advisable to allow only basic web traffic, namely the HTTP and HTTPS protocols for browsing, to go between the Internet and the WebSAMS network. Opening additional protocols, such as FTP, SMTP, POP3 and others, has to be considered only where definitely needed, and the latest security implications have to be fully understood. Continuous Internet traffic monitoring and periodic security reviews have to be performed to safeguard the confidentiality and integrity of the WebSAMS database and other information in the WebSAMS network.
(xi) Enable and Change password
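An added example, not part of the original guideline or of Document 36: a Python check that a saved router configuration covers steps (ii) to (viii) above. It assumes Cisco IOS-style commands (the guideline names no make or model); the sample configuration, interface names, ACL number and addresses are constructed placeholders, and the services checked for step (ii) are an assumed list.

```python
import re

# Constructed sample, Cisco IOS-style syntax assumed (the guideline names no vendor).
SAMPLE = """\
no ip http server
no ip domain-lookup
no ip source-route
interface FastEthernet0/0
 description WebSAMS network
interface FastEthernet0/1
 description ITEd network
 ip access-group 101 in
access-list 101 permit tcp 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 established
access-list 101 deny ip any any log
line con 0
 login
"""
SERVICES = ("ip http server", "service tcp-small-servers", "service udp-small-servers")  # assumed list

def parse_blocks(config):
    """Map each top-level command to the indented sub-commands beneath it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def audit(config):
    """Return findings keyed to steps (ii)-(viii); an empty list means every check passed."""
    blocks = parse_blocks(config)
    bound = {m.group(1) for t in blocks if t.startswith("interface ") for sub in blocks[t]
             if (m := re.match(r"ip access-group (\S+) in$", sub))}
    checks = [
        ("(iii) domain lookup not disabled", "no ip domain-lookup" in blocks or "no ip domain lookup" in blocks),
        ("(iv) source routing not disabled", "no ip source-route" in blocks),
        ("(vi) no inbound access-group on any interface", bool(bound)),
        ("(viii) console login missing", any(s.startswith("login") for s in blocks.get("line con 0", []))),
    ]
    out = [f"(ii) service still enabled: {s}" for s in SERVICES if s in blocks]
    out += [msg for msg, ok in checks if not ok]
    for acl in sorted(bound):
        rules = [t for t in blocks if t.startswith(f"access-list {acl} ")]
        if not rules:  # on IOS a bound but undefined list filters nothing
            out.append(f"(vii) access-list {acl} is bound but not defined")
        if any(" permit ip any any" in r for r in rules):
            out.append(f"(vii) access-list {acl} permits all IP traffic")
    return out
```

Run `audit()` on the text of the new router's saved configuration before reconnecting the ITEd segment; each finding names the step it relates to.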
2. Fall-back procedure in case of installation failure
The following steps describe the fall-back procedures in case of installation failure of the new router:
2.1 Disconnect the new router
(i) Switch off the power of the router.
(ii) Unplug the power cable and network cable from the newly installed router, then unmount the router from the server rack.
2.2 Reconnect the existing router
(i) Install the existing router in the server rack, then plug the power cord and network cables into the corresponding ports.
2.3 Verification
(i) Review the connectivity of the network routing on both the WebSAMS and ITEd networks.
(ii) Test the Internet connection on both the WebSAMS and ITEd networks.
(iii) Perform the WebSAMS system test. (Please refer to Sample Acceptance