Introduction

This guide provides detailed step-by-step information to launch Zentera CoIP Access Platform from AWS Marketplace.

Estimated Time to Complete and Skills Required

The estimated time to complete the deployment steps below is 30 minutes.

This deployment requires access to, and basic competence in operating the AWS console.

Licensing and Costs

The Zentera zCenter controller is instantiated with a trial license, which allows you to test and evaluate all features with a limited number of users/endpoints.  The product is licensed on a Bring Your Own License (BYOL) plan.  Contact us through this web form to request a license.

Prior to installing a BYOL license, you will be able to use some limited features of the zCenter controller for testing and evaluation.

The costs of running the zCenter include:

• AWS instance charges
• AWS EBS storage charges
• AWS networking charges (VPC, elastic IPs, and data egress charges)

Typical Deployment

A typical deployment is shown in the diagram below, and involves creating a public subnet  (or VPC) for providing Zero Trust services, such as ZTNA and Application Chambers.  Application subnets may remain private, but do need to be able to access the zCenter controller.  After deploying, you may create ZTNA connections for remote users to access individual servers in the cloud environment, or provide access back to services or servers in an on-prem environment, while relying on the cloud security groups and NACLs to keep application instances safe from direct access.

The Zero Trust Chamber can also be used to cloak individual machines from other instances on the same subnet, so that the ZTNA method is required for access.  This ensures that accesses to those instances follow the Zero Trust model, effectively preventing lateral migration.

Deployment Options

The steps below demonstrate how to set up the zCenter controller in a single Availability Zone.  Multiple zCenter controllers may be set up in a single region (different AZ) for high availability.  

Typically, only one zCenter controller is needed to manage worldwide policy control, but for global deployments, Zentera also offers a ZNS switch that can be deployed in different regions to optimize routing latency and performance.

The details of multi-region and HA deployment are outside the scope of this guide; please contact Zentera for guidance on these topics.

Deployment Steps

1. Login to AWS Portal, in one of the supported regions.
   
   
2. Under Services, select EC2
   
   
3. Under Resources, select Instances
   
   
   
4. Click Launch Instances
   
   
   
   
5. Click AWS Marketplace and search for Zentera AMI
   
   
6. Choose the Instance Type depending on the number of endpoints to be supported.  Click here to review sizing guidance.
   
   
   
   
7. Click Next: Configuration Instance Details
   
   
8. Under Network, select the target VPC.
   
   
9. Select a public subnet for the zCenter controller.  You may create a new subnet, or use an existing public subnet.  Note that this subnet must have an Internet Gateway to be accessible.
   
   
10. Enable Auto-assign Public IP.  All servers and gateways will access the zCenter using its public IP address.
    
    
11. Click Next: Add Storage
    
    
12. Volume size must be over 50GB (100G recommended).  You may choose any storage type.
    
    
13. Click Review and Launch
    
    
14. Select the key pair to securely access the instance and click Launch
    
    

    The installation process creates a user account (zadmin); you may log in to the zCenter using ssh with the zadmin account and the key pair to manage or upgrade the zCenter; do not lose access to the key pair.  Do not to use the root user to manage the zCenter instance, and ensure to follow principles of least privilege when choosing a shared key pair.

    
    
    
15. Verify the instance is successfully launched
    
    
    
    
16. Open port 443 in AWS VM Security Group: Select the AWS instance launched above using Zentera provided AMI.  Under Security, select the Security Group
    
    
    
    
17. Edit Inbound Rules and allow HTTPS (port 443) as shown below
    
    
    
    
18. Browse to the zCenter web portal using URL https://<publicIPorDNS>/zcenter.  The default username is "admin", and the default password in your instance ID that can be found in AWS Portal -> EC2 -> Instances -> [select your instance for this VM].  Please remember to change this default password, or connect the zCenter to your identity provider.
    
    
    
    
    
    
    
19. After logging in, please be sure to change the default admin password by clicking on "Change Password" in the top menu bar, entering the current password, and entering your new password.
    
    
    
    
    

Please note, the marketplace controller instance comes with a 1-year limited trial license.  To request full service BYOL license, please reach out to us at https://www.zentera.net/byol-aws.

Once you have received your BYOL license, you may update your license file.

Troubleshooting deployment issues

This section provides guidance on troubleshooting common issues in deployment:

Cannot access zCenter portal through the browser

Possible causes:

• Instance is not running.  Ensure that the instance is running in the AWS console.
• Access blocked by security groups.  Doublecheck security group settings to ensure that inbound port 443 is open on the zCenter instance.
• Access blocked by NACL.  Doublecheck network ACL rules to ensure they allow inbound port 443.
• No Internet Gateway.  Instantiate an Internet Gateway and attach it to the subnet.
• Instance is in a private subnet.  Terminate this instance, and re-launch a zCenter controller in a public subnet.
• The zCenter instance is hung.  Restart the zCenter instance from the AWS console.
• If none of the above solutions work, the zCenter EBS volume may have become corrupted.  Please follow the steps for your backup solution (e.g. AWS Backup) to restore zCenter from a snapshot.  Contact Zentera support for more assistance.

Can access the portal, but cannot log in using the default admin credentials

Possible causes:

• Credentials used are incorrect.  Doublecheck the instance name in the AWS console.

Monitoring the health of your zCenter instance

You may use tools such as AWS Cloudwatch or 3rd party tools to monitor the status of the zCenter controller.  Typically, it is sufficient to monitor the login page of the zCenter's built-in web server.

The zCenter controller also monitors for failure conditions such as HA failover or disk full conditions. If you have configured an SMTP server under Advanced Mode > Service Management > Mail Sender, you will receive email notifications for these events.  You may edit the default notification templates in Advanced Mode > Service Management > Email Notifications.

Data storage and backup

The zCenter controller stores policy and connection information in a local MySQL database.  This database is not encrypted, and contains connection-related information (endpoint IP addresses, etc). Make sure to restrict access to the zCenter controller to those personnel directly involved with maintaining the system.

As the database is stored in the filesystem, you may simply back up EBS for the zCenter controller with services such as AWS Backup.

For further support

For instructions and reference to use the zCenter administrative portal and to contact us, please visit our support portal: https://support.zentera.net

In addition to basic support, premium support options are available.  Please review this article for information on the support tiers and options.