Searching...

Matching results

    AMM Management Tunnel for ALEOS Devices

    In normal operation, an ALEOS device only communicates data to the AirLink Manager server via individual transactions. There are benefits to this approach from a data usage perspective, but there are also limitations, in that all communication is device-initiated and therefore limited. The Management Tunnel allows for a persistent encrypted connection (SSL VPN tunnel) from the device to the server and some communication gets routed through that VPN.

    A side benefit to using the Management Tunnel is that a user logged into the AirLink Manager server, can log in remotely to an individual device via ACEmanager without allowing remote access (it comes through as a local connection from the LAN side), and this works even if the device has a private cellular (or other WAN) address. This can be beneficial, since enabling WAN access is generally considered a poor security practice, while private address cellular connections are generally cheaper, safer, and easier to acquire in the current cellular environment.

    For AMM 2.17.2+, if the management tunnel is up, a software upgrade will now be routed through the management tunnel. If the tunnel is not available, a software upgrade will occur using port 80.

    Additional Information:

    • ALEOS Device Limitations and AMM Server Requirements for Management Tunnel

      • ALEOS devices must be running ALEOS 4.11.0 or higher with AAF application support and have the AMMER application (minimum 1.0.3.005) installed. This feature is not supported on systems for which the minimum required ALEOS version is not available.
      • The ALEOS devices must be using the default port 9443 for local (LAN) https access (MSCIID=1172) and for the remote Access ACEmanager feature to work. ACEmanager remote access is not required.
      • The AMM server version must be a minimum of 2.16.2 or higher, and have a valid TLS/SSL certificate to support the management tunnel feature (the AAF application is not distributed with earlier server images).

    • Configuration Steps for AMM Management Tunnel running ALEOS 4.11

      To configure the AMM Management Tunnel for ALEOS 4.11:

      1. Confirm that the AirLink Manager server has a valid TLS/SSL certificate. Verify this, by attempting to log in to it using https://[Server name or IP address]/sierrawireless. If you can connect without having to accept a security exception, it has a valid certificate.
      2. Ensure that AAF is enabled (MSCIID 10250=1; this change does not require a reboot to take effect).
      3. On the AMM server, navigate to Admin > Software Distribution, select the desired devices, and click the Upgrade Application(s) button. Select the AMMER application and the latest version (minimum version 1.0.3.005). Note:
        • This procedure will perform a first-time installation as well as application upgrade.
        • Only one application can be installed at a time, and the device must be rebooted in order for the application to be initialized. More than one application may be installed prior to rebooting the device to make them active.
      4. Schedule the installation if desired; otherwise it will download and install immediately when the device checks in.
      5. Once the desired application(s) are installed, right-click on the device in the navigation tree and select Request reboot.
      6. After the reboot, navigate to Configuration > Deployment > Configuration Control on the AMM server, select the affected devices, and click the Revert button. This will update the server’s collection of those devices’ configuration files. Once the check-in is completed, the ammerconfig file will appear as part of the collection of configuration files.
      7. Click on the ammerconfig file to edit it, and make sure the tun_enabled option is set to 1:
        <tun_enabled>1</tun_enabled> If you do not see the clickable filenames, then please contact your AMM administrator or Sierra Wireless Support and request access to the specific privilege “Configuration/Deployment/Configuration Control/Files”. This is a new feature in AMM 2.17.
      8. Save the file and apply the changes. Once the configuration is confirmed, reboot the device to activate the management tunnel.

    • Configuration Steps for AMM Management Tunnel running ALEOS 4.12+

      For ALEOS 4.12+, the AMM Management Tunnel can be set up as follows :

      1. On the ACEmanager server, navigate to Services .
      2. Expand the MSCI section .
      3. Set the AMM Management Tunnel to Enable .
      4. Set the AMM Management Tunnel Port. By default, this is port 1190. A standard AMM installation is configured to accept ports 1190-1193, to support load balancing across multiple tunnels for large fleets.
      5. Press Apply to apply the changes. Reboot the device to activate the management tunnel.

    • Accessing ACEmanager through the Management Tunnel

      Once the management tunnel has been activated, you will be able to access ACEmanager from the AMM gateway tree. To access the ACEmanager, refer to the Gateway Details under the Gateway Tree.

    • Tunnel IP Addresses and Management Tunnel Ports

      The AMM server is configured with four possible ports for the AMM management tunnel, but ALEOS (as of 4.11) does not contain any configuration elements or logic for selecting ports for load-balancing purposes.

      MSCIID 10034 is used to configure the ports (1190-1193) and the AMM has a limit of 2047 VPN connections per port. If a very large fleet is being added or the fleet is being added to a multi-tenant server, consider allocating the AMM Management Tunnels across all four available ports. This can be accomplished via the AMM’s Admin > Gateways spreadsheet upload feature, once devices are communicating with the server.

      The following table provides the private tunnel IP addresses associated with each AMM management tunnel port. These can be changed on the AMM server if these addresses are in conflict with addresses already used within the customer network. Contact Sierra Wireless Support if the addressing needs to be modified.
      Port Starting IP Ending IP Network
      1190 10.4.32.1 10.4.63.254 10.4.32.0/19
      1191 10.4.96.1 10.4.127.254 10.4.96.0/19
      1192 10.4.160.1 10.4.191.254 10.4.160.0/19
      1193 10.4.224.1 10.4.255.254 10.4.224.0/19

    • Displaying the Connection Status for an AMM Management Tunnel

      ALEOS does not currently have any UI indication of whether or not a management tunnel is connected, but a threshold can be added to the AMM dashboard to display the management tunnel address, which will only be present if the tunnel is in place. The server stat is ManagementTunnel-IPAddress.

    • Ensuring the Correct Time on the Device

      As with any VPN, the time on the router must be accurate in order to establish the VPN connection. Typically, the router gets the time from the cellular signal and from GPS. If you are working on a bench without cellular or GPS, ensure that you have enabled NTP and that the configured NTP servers are reachable.

    • For a list of related ports and protocols for this functionality see: ALEOS TCP/UDP Port Summary.

    TOP