Well the month is up. I have managed to grow this.
It now has to come off, I cant put up with the “Wan Sheet” comments from my family.
Please donate to this worth while cause.
claranet
Configuring your First Virtual Appliance in the Claranet Virtual Data Centre
Login to the Virtual Datacentre Portal
To access with the Virtual Datacentre (VDC) portal you must go to the following web page https://portal.claranet.com/cloud.
When you go to the cloud portal the following web page is displayed, to enabled you to login to the portal. All configuration changes need to be made within the portal.
The User entry box is where you enter the User Name you have been allocated, this is the email address that you provided.
This is your password that was sent via email when you signed up the Claranet VDC service.
If you select this box then when you next login to the portal, your user name and password will be remembered. Do not select this on a public/shared computer.
Select your primary language.
Click here to login to the VDC portal.
After you have logged onto the VDC portal you are presented with the main portal screen. This screen is your looking glass into the VDC platform.
The screen is broken down into 5 sections:
1. Menu Bar
2. Enterprise Resources
3. Virtual Datacentres
4. Running Virtual Appliances
5. Events
The Menu Bar allows you to switch the display from the main screen to the following screens:
· Virtual Datacenters
· App library
· Users
· Events
· Documentation
· Support
· User Details
The Enterprise Resources section of the main screen shows the allocated resources as well as the amount of resources used.
In the above example the Enterprise Resources allocated are as follows:
· 3 – Virtual CPUs
· 40GB – Storage
· 6GB – Memory
· 100GB – External Storage
· 2 – VLANs
· 1 – Public IP Address
One of the VLANs is already in use, depicted by the red colour.
Note: The difference between Storage and External Storage is:
· Storage is the disk space that is used by the running operating system and is ephemeral in nature, i.e. when the virtual instance is un-deployed the changes made to the operating system is lost.
· External Storage is storage that is persistent in nature and is mounted on the ephemeral operating system instance.
Virtual Datacentres
This section of the main screen shows the Virtual Datacenters that you have allocated resources in.
Running Virtual Appliances
This section of the main screen shows the amount of running Virtual Appliances. A Virtual Appliance is a collection of Virtual Machines.
Events
This section of the main screen shows the events pertaining to you Virtual Datacenter.
Change Your Password
When you first login to the VDC Portal you will need to change the password you have been allocated, this is to ensure that only you know the password and increases security within your environment.
To change your password you need to click on your name in the top right hand corner of the menu bar, as highlighted in the red box on the graphic below:
When you click on your name, you will be presented with the following screen:
Enter your current password into the Current Password field, followed by your new password into the New Password and Repeat Password fields shown in the above screen shot. Then click the accept button. There will be no feedback, but rest assured your password will be changed to what you have entered into the New Password field.
Pre-Requisites to Your First Virtual Appliance
We first need to allocate a public IP address to your enterprise so that we can allocate it to the Virtual Firewall later in this guide.
· Click on the Virtual Data Centres icon in the top menu bar
· Click on the network tab.
· Select you Virtual Data Centre on the left, in this example it’s STAFF_UK_HIT1.
· Select Public to list the Public AP addresses allocated.
· Click on the “+” key to add a public IP address.
You will then be presented with a list of available public IP addresses. Select one and click accept:
Your First Virtual Appliance
The best way to learn how to use the Claranet VDC is to jump straight in and create a simple environment.
We will be creating a single Virtual Appliance (a container) containing a single firewall and a single web server. We will configure the firewall (basic configuration), allow traffic to the web server and patch the web server. The end environment will look like the following diagram.
Create Virtual Appliance
To create a Virtual Appliance you need to select the “Virtual Datacenters” button on the Menu Bar. The following screen will appear:
You will need to click on the + button in the bottom left of the right hand pane. The following window will appear:
Enter the name for the Virtual Appliance and select, from the drop down menu, the Virtual Datacenter you want to deploy this Virtual Appliance into. Click Accept.
An empty Virtual Appliance will be created for you, and the following screen will be displayed:
Click and drag the pfSense Firewall image from the left hand side to the right hand pane, labeled Virtual Machines.
Next click and drag the Ubuntu image from the left hand side to the right hand pane, labeled Virtual Machines.
Finally click the icon that looks like a floppy disk at the top left of the right hand pane to save the Virtual Appliance.
Configuring the Virtual Appliance
After saving the Virtual Appliance we need to configure the interfaces on the firewall at the Virtual Appliance level. Move your mouse over the pfSense Virtual Machine, two icons will appear, a wheel and a X. Click on the wheel, which configures the virtual machine. The following screen will appear:
You will now want to add a public IP address to the firewall, so go ahead and select the Network tab and then click on the + button near the bottom of the pane. The following window will appear:
Click on the Public Tab.
Select one of the available public IP addresses, and click accept:
The default gateway is now set to a public IP address. This is the firewalls default gateway.
We need to now move the public IP address from NIC1 to NIC0 as NIC0 is to be used as the outside interface of the firewall. So we first need to delete the existing NIC 0.
Select the line for NIC 0 and clicking the – button.
As you can see the public IP address is now on NIC0.
Now we need to re-add the internal network back on NIC 1 so click the + button and click default network.
Select the 192.168.0.1 . This will be the default gateway for your virtual servers on the LAN.
Click Accept.
Make sure the Default Gateway is in the same range as the Public IP Address, if it is not select the right gateway address from the dropdown box. If the right gateway is not listed in the dropdown, click save and try again.
Finally we need to secure the VNC access password, select the “General Information” tab, type a password into the Password field.
Click save then close.
Finally click on the deploy Virtual Appliance button on the top right hand side of the Virtual Machines pane.
The following windows will appear:
Updating the diagram with IP Addresses
We now need to update the diagram of the environment showing the IP addresses we have allocated.
Firewalling
This chapter outlines the basics around firewalling and how you configure your firewall within the VDC platform.
Configure the Firewall
You now need to configure the firewall to allow traffic to and from the firewall, as well as allowing traffic from inside to outside and finally allowing port 80 (HTTP to the web server).
Firstly open up a web browser enter the IP address of the public interface of the firewall that we allocated earlier in this procedure, in this case https://195.157.13.168.
Ignore the certificate error by clicking on “Continue to web site”. The following screen will appear:
The default user id and password is located on the ‘cloudhelp’ site. . For the pfSense firewall it is “admin” and “v1rtu4LDC”.
You will not be presented with the main web page of the firewall.
The first step we need to complete is changing the default password for the admin user. Move your mouse over the System menu item at the top left hand side of the page until a drop down box appears and select “User Manager”.
The following screen will appear:
Move the mouse over the edit icon to the right of the admin user’s line to edit the user.
The following screen will appear:
Type a new password where indicated (Twice). Scroll down and click save.
Next we need to move the SSH port, this will allow you to access the Web Server via SSH.
Select “System” – “Advanced” and the following screen will appear:
Scroll down to the SSH section:
Click to “Enable Secure Shell” and set the SSH port to “8022”.
Scroll down and click “Save”.
Next we need to configure the firewall with the following rules:
· Allow SSH on port 8022 to Firewall
Select “Firewall” – “Rules”
Select “WAN” and then click 
to add a new rule:
Enter the following:
Action: Pass
Disabled: not selected
Interface: WAN
Protocol: TCP
Source: any
Destination: Wan Address
Destination Port Range – From: 8022
Description: SSH to Firewall on Port 8022
Click Save
Click Apply Changes
You are now able to ssh using your preferred tool on port 8022.
· Allow SSH on port 22 to Web Server
Select “Firewall” – “Nat” and the select “Port Forward”
Click on the Add NAT Rule button 
Disabled: Not selected
No RDR (NOT): Not selected
Interface: WAN
Protocol: TCP
Source: Ignore
Destination: Wan Address
Destination Port Range – SSH
Redirect Target IP Address: 192.168.2.2
Redirect Target Port: SSH
Description: SSH to Web Server
NAT Reflection: leave as default
Filter Rule Association: Pass
Click on Save and then apply rule.
You can now SSH into the web server (IP address as firewall with port 22), with user sysadmin and password “v1rtu4LDC”.
· Allow HTTP on port 80 to Web Server
· Select “Firewall” – “Nat” and the select “Port Forward”
Click on the Add NAT Rule button 
Disabled: Not selected
No RDR (NOT): Not selected
Interface: WAN
Protocol: TCP
Source: Ignore
Destination: Wan Address
Destination Port Range – HTTP
Redirect Target IP Address: 192.168.2.2
Redirect Target Port: HTTP
Description: HTTP to Web Server
NAT Reflection: leave as default
Filter Rule Association: Pass
Click on Save and then apply rule.
· Allow all from inside out (NAT rule).
Select “Firewall” – “NAT”
Select Outbound:
A default rule has been applied, so no rule change is required:
Patching the Web Server
Now SSH to the public IP address of the firewall on port 22, you will get a security alert that states the public key is different from what is stored in the SSH client. You can safely connect, because we have moved the destination for the IP address and port to a different end point.
Logon to the Web Server using the default userid and password.
The default user id and password is located on the ‘cloudhelp’ site. For server image information follow this url: https://portal.claranet.com/cloudhelp/templates/logindetails.html.
When you are logged in change the default password by typing the following into the terminal window:
passwd
You will be prompted for the existing default password and prompted twice for the new password. Remember this password, because Claranet cannot obtain the password for you.
Next we will patch the operating system. Type the following into the terminal window:
And type the password you have just changed.
This will update the local repository for patches.
Next type the following into the terminal window:
After a few seconds you will be prompted to continue, type Y and press the Enter key.
After a few minutes the web server will be patched.
We now need to install the apache package to enable the server to be a web server. Type the following into the terminal window:
Again you will be prompted to continue, Select Y and press Enter.
The web server will start automatically. You can test this by starting your favorite web browser and entering the address for the public IP address of the firewall into the address box, and pressing Enter.
The following screen should be displayed.
This is the end of the example “Your First Virtual Appliance”, it provides a foundation for building on and can be extended to enhance your cloud infrastructure into whatever you want it to do.
By Jay Fearn Google
If your interested in using the Claranet VDC product please fill in your contact details below:
[recaptcha_form]
Using a SSL VPN to secure administrative access to your Enterprise in the Claranet VDC
Introduction
This post assumes the following:
- You are using the pfSense firewall.
- You are familiar with the Claranet VDC Platform.
Let’s imagine that you have been using the VDC platform for a while and have multiple virtual machines running in your account.
To gain access to your virtual machine you will either have:
- Setup a jump box to proxy access
To access the virtual machines, you will first need to logon to the jump virtual machine (AKA a bastion host), and then logon to the destination virtual machine, this can be achieved for Windows by a terminal server session or for Linux using SSH. Configuration for this on the firewall is a single firewall rule for either SSH (Port 22) or MS RDP (port 3389) from outside to the jump virtual machine.
- Setup multiple port forwarding rules on the firewall
To access virtual machines you will need to setup specific rules for each server to forward ports to backend servers. For example if we had 5 Linux machines that needed SSH access from the public internet and you only had 1 public IP address, you could setup port forwarding rules as follows to allow this:
- WAN Address Port 8022 forwards to port 22 on virtual machine 1
- WAN Address Port 8023 forwards to port 22 on virtual machine 2
- WAN Address Port 8024 forwards to port 22 on virtual machine 3
- WAN Address Port 8025 forwards to port 22 on virtual machine 4
- WAN Address Port 8026 forwards to port 22 on virtual machine 5
The disadvantages of this, is that you will need to remember which port maps to which server.
- Utilize multiple public IP addresses from the Shared Internet Access (SIA) range, and implement 1:1 NAT on each interface.
To access the virtual machines, you can configure multiple public SIA addresses on the pfSense firewall (instructions can be found at http://cloudhelp.claranet.com/content/getting-started-pfsense-firewall-image).
Each pfSense firewall can only have 8 interfaces, so if you have two VLANs in the private range where you deploy your virtual machines, then you are limited to 6 public IP addresses, 6 1:1 NAT rules, and 6 virtual machines that are directly accessible.
- Use a routed DIA range
Using this method you can have a range of IP addresses allocated to you that can be mapped as a Virtual IP (VIP) address on your firewall and then 1:1 NAT can be achieved for as many public IP addresses you have purchased.
Unless there is no other way of achieving your business goal, this should not be used, this is due to the exhaustion of the IPV4 network range, see http://www.ripe.net/internet-coordination/ipv4-exhaustion/business-and-enterprise for information.
- Use a MPLS connection with Claranet’s industry leading 3G network
Claranet have an industry leading wireless service that connects a 3G Dongle or 3G Router device directly into a secure private MPLS network (no traffic traverses the internet), see http://www.claranet.co.uk/networks/wireless-services.html for details.
This means that you can access virtual machines directly and securely from your PC or laptop.
- Use an SSL VPN.
It’s a simple process to configure the pfSense firewall image to create a secure private tunnel directly into your VDC infrastructure. This can scale to many users and the users can directly access the virtual machines in your VDC account. This can be used in conjunction with many of the above methods to add flexibility, for example you could use a MPLS connection for users in static locations and use a SSL VPN connection for roaming users.
By far the easiest and most cost effective solution for a low number of users is to use an SSL VPN. This document describes the process of setting up a simple low cost SSL VPN (costs apply for resources used on the VDC platform for the pfSense firewall, which it is assumed you are already running to provide security for your cloud application).
Installing the pfSense Firewall VPN Edition
There is a special edition that includes the SSL VPN Client Export functionality that needs to be installed. This can be obtained from the following location http://www2.sittingonthe.net/vdc/pfsense-vpn.vmdk , this will need to be imported into your VDC account.
Obtain the image at the above location, and using an FTP client upload to importer-uk-gsl2.cloud.claranet.com using your VDC account details as logon credentials.
After a few seconds the import process will complete and the image will appear in your application library, you may need to click on the refresh button highlighted in red below:
You will need to deploy the pfSense SSL VPN edition using the standard methods, making sure that the WAN interface is the first interface configured in the network section of the configuration.
The image has the following defaults:
- 1 vCPU, 1024MB Memory, 8GB Disk Space.
- Administrator Accounts:
- Admin username – admin
- Admin password – v1rtu4LDC
- Superuser user name – superuser
- Superuser password – v1rtu4LDC
- Management interface accessible on WAN interface via HTTPS on port 9443
- https://<WAN IP>:9443
- Replace <WAN IP> with your WAN IP Address.
Configuring the pfSense Firewall
Logon to the firewall on the management interface (listed above) using an administrator’s account.
Select OpenVPN from the VPN dropdown menu.
The following web page will appear:
Click on the + icon on the right to add an OpenVPN Server.
Select the “Wizards” tab, and the following page will appear.
Keep the Type of Server set at Local User Access, and select the “next” button.
The following web page will be displayed:
As in the example above, enter details for the following:
- Descriptive Name: This is to identify the CA Cert
- Keep the Key Length at 2048 bits
- Leave the Life Time at approximately 10 Years
- Insert your country code, state or province, city, organization and e-mail address.
Click the “Add new CA” button.
The following page will appear:
On this page you set up the server’s certificate, so you need to enter the fully qualified domain name, for this test I am using www2.sittingonthe.net, and as per the previous screen enter the remaining details.
Click the “Create new Certificate” button to create a self signed certificate.
On the next page we will configure the OpenVPN Server service:
In the top section of the page “General OpenVPN Server Information” make sure you select TCP as this is more reliable and doesn’t get screen by ISPs, and give the Service a name, in this case I chose “SSL VPN”.
In the next section “Cryptographic Settings” leave at the default settings:
In the next section you can configure “Tunnel Settings”.
In this section, the tunnel network is a spare network range that isn’t been used anywhere else in either your VDC or in any of the networks used to connect into the VDC. In this case I have chosen 10.0.10.0/24.
The local network is a route you can push to the OpenVPN client so that traffic for it is routed down the VPN Tunnel we are creating. If you have more than one range you want to route to, you will need to check the “Redirect Gateway” check box, if this is selected all traffic will be sent down the VPN tunnel and you will lose access to resources on the local network.
If you want to use compression check the “Compression” check box.
The remaining item in the “Client Settings” can be left blank or filled in as appropriate.
Click “Next”
On the next screen:
Make sure that the “Firewall Rule” and “OpenVPN Rule” check boxes are selected and then click the “Next” button
On the next screen:
Click the “Finish” button.
Configure Client Certificates
When you get back to the main screen:
Select System-> User Manager.
The following screen will appear:
Click the + icon as shown at the bottom right of the graphic above.
The following screen will appear:
Fill in relevant details, as shown below:
Make sure you select the “Certificate” check box and another section will appear on the screen:
A filled in screen will look like the following:
Click “Save”
Downloading the client software.
Click on the VPN->OpenVPN
Select the Client Export Tab
Make sure the “Quote Server CN” checkbox is selected.
At the bottom of the screen is a list of users with SSL Keys. Next to the user you want to export click on the 2.2 under the “Windows Installers:” section and save the file.
This file needs to be distributed to the end user.
Installing the client and connecting
When the end user has received the installation bundle, they will need to install it, this needs administration privileges.
Click “Next”
Click “I Agree” if you agree to the terms and conditions.
Click “Next”
Click “Install”
When the first part of the installation is complete click “Next”
Click “Finish”
Next the Clients configuration and keys are installed.
Click “Close”
In the Readme File that was opened during the install, it states that Windows 7 and Windows Vista users, and it is assumed that Windows 8 also needs this setting, needs to be run with administrative privileges.
To achieve this, right click on the “OpenVPN GUI” icon on your desktop:
And select “Properties” and select the “Compatibility” Tab.
Make sure that the “Run this program as an administrator” check box is selected, and then click the “Change Settings for all users”
Make sure the “Run this program as an administrator” is also selected on this window.
Click “Apply” and then “OK”.
Select the “Shortcut” Tab and then the “Advanced” button.
Make sure the “Run this program as an administrator” is also selected on this window.
Click on “OK” then click “Apply” and then “OK” again.
Now double click the “OpenVPN GUI” icon and select yes for the warning.
An icon will appear in the bottom right of your screen (Windows 7) 
Right click it and select “Connect”
The following window will appear:
Enter your VPN username and password.
You should now be connected.
To confirm this, if you open a “Command Prompt” and type “netstat –nr”, it should show a route for the LAN range via the VPN network (10.0.10.5 in my case).
By Jay Fearn Google
If your interested in using the Claranet VDC product please fill in your contact details below:
[recaptcha_form]
Exporting VDC Images from the Claranet Virtual Data Center
When you want to export a virtual machine from the VDC platform, you will first need to take a copy of your running image. A video of “Managing Instances” process is located at the following location http://cloudhelp.claranet.com/content/managing-instances-snapshots.
The file is exported as a thin provisioned vmdk sparse file. This will run in any recent copy of VMware Workstation, Server, Player, and ESXi (vSphere). It can however be converted using conversion tools to a format that is able to run on Microsoft Hyper-V, Xen, and other leading hypervisor products.
The export process below will only export the Operating System volume in a single vmdk file. External Volumes cannot be exported using this method. Standard copy/replication methods can be used to copy external volumes.
After logging in to the VDC, select the Virtual Data Centres tab.
Next select the running Virtual Appliance that the virtual machine in running in, by clicking on the right arrow next to the virtual appliance, circled in red.
This will open the Virtual Appliance and show the running Virtual Machines.
Left click on the Virtual Machine you want to take a export and then left click the Create Instance button.
A window will appear that shows all the running virtual machines, as shown above.
Select the check boxes of the virtual machines you want to export and click the Create Instance button at the bottom.
The following windows will appear to confirm your choice.
Notes:
· The running virtual machine will be frozen whilst the virtual machine is cloned.
· The operating system image will be cloned and not the external volumes.
Whilst the virtual machine is being cloned a window similar to the graphic on the left will be shown.
As stated previously whilst this window is shown the virtual machine will be frozen. It is suggested that copies are taken during quiet times for your application, where the impact of the cloning will have less of an effect on your application (note Claranet do not limit this by time and it is dependent upon your individual application needs).
When complete we now need to select the Apps Library tab.
Then select the relevant Data Centre.
Next select the template of which you took a clone. The templates that have clones are denoted with a yellow M in the top left hand side of the graphic, as shown to the left.
Click on the graphic, and in the bottom part of the screen a list of available images will appear.
When you move your mouse pointer over the image your want to export three icons will appear in the top right of the icon, as shown below:
The first icon from the left is the download image icon, click on it. A security warning will appear as shown.
The reason for this is that we at Claranet value your data as much as you do and mandate that all data should be exported in a secure manner. We redirect from the HTTP interface to HTTPS to encrypt the contents of the image whilst it is transferred over the internet. You will need to select “No” here to allow the transfer to take place.
You are now prompted for your username and password for your VDC account. Enter them. After you have logged on, the system will ask you to save the file:
The file will then be downloaded.
By Jay Fearn Google
If your interested in using the Claranet VDC product please fill in your contact details below:
[recaptcha_form]
You must be logged in to post a comment.