25. Kernun Branch Access

Kernun Branch Access is a device whose primary task is to provide a remote branch of a company with a secure connection to a central Kernun UTM. In addition, Kernun Branch Access provides further security features for the network perimeter, such as network packet filtering and VPN. Optionally, the device can also serve as a Remote Access Server for VPN. Kernun Branch Access is designed to be used together with Kernun UTM and should not be used separately.

25.1. Description and Plug-in

Figure 5.109. A schema of the front and the back face of Kernun Branch Access

  1. Status LEDs (1a, 1b, 1c) — Three LEDs, which are intended to indicate the status of some key functions of the device.

  2. Button — Serves for confirming configuration application and starting the Remote Help Service. In order to press the button, use a paperclip or a similar tool.

  3. A serial console connector

  4. Ethernet ports (4a, 4b, 4c) — Kernun Branch Access is equipped with three Ethernet ports. The ports serve for connecting the device to LAN and WAN.

  5. USB ports — Kernun Branch Access is equipped with two USB 2.0 ports.

  6. Power supply input

In order to power Kernun Branch Access on and connect it to the network properly, the following steps should be taken:

  • Plug the power supply connector into the power supply input (6)

  • Plug an Ethernet cable connected to the LAN into Ethernet port (4b)

  • Plug an Ethernet cable connected to the WAN into Ethernet port (4a)

25.2. Installation

In order to install Kernun Branch Access, you need a Kernun Branch Access installation medium[46]. Since the device is equipped with serial console output only, it is also necessary to modify the installation process according to the guide in Section 5.5, “Enabling Serial Console Output”. After this modification, the operating system will output to the serial console while booting and the installation will be similar to the installation of Kernun UTM from the standalone installer described in Section 5.1, “Standalone Installer”.

25.3. Configuration

Configuration of Kernun Branch Access can be performed in two different ways:

  1. Initial configuration using a USB flash drive, which is typically applied when Kernun Branch Access is configured for the first time.

  2. Standard configuration applied remotely from a central Kernun UTM.

Both configuration options are described in the following sections.

25.3.1. Initial Configuration

Kernun Branch Access is usually supplied in the form of a compact device configured to default factory settings. Since the supplied device has no active network connection available yet, no remote configuration technique similar to the one described in Section 24, “High Availability Clusters” can be used. In order to configure the Kernun Branch Access for the first time, it is necessary to apply the configuration using a USB flash drive.

The procedure consists of two steps. First, the configuration for Kernun Branch Access is defined on the central Kernun UTM and then, using a series of commands, exported into a special configuration file. Second, the exported file is copied to an arbitrary USB flash drive and the drive is inserted into one of the USB ports on the device. The whole procedure is described in detail in the following paragraphs:

  1. Exporting a configuration file from a central Kernun UTM

    • Defining configuration for Kernun Branch Access on central Kernun UTM

      The configuration is defined as a single system section (see Section 2.2, “System” for more details on system configuration basics).

    • Generating and exporting the system configuration into a file using the kat(8) command line tool

      The tool can be launched either directly using an SSH remote access to the terminal of the central Kernun UTM or by pressing the GUI Console icon (marked as number 6 in Figure 3.14, “Main window toolbar buttons, listed together with the corresponding menu items, and sometimes keyboard shortcuts:”).

      KAT@central-utm> cml
      CMLR-710-K File '/usr/local/kernun/conf/kernun.cml' loaded
      CML> /generate
      ...
      CKGB-710-N ---- Preparing files for system 'kba-office'...
      ...
      CKGB-719-N ---- System 'kba-office' successfully generated
      CML> /quit
      CMLI-709-N CLI interactive mode closed
      KAT@central-utm> export kba-office
      CMLK-821-N [root] Exporting 'SYSTEM-kba-office' configuration
      Exporting configuration to /root/SYSTEM-kba-office.tar
      tar: Removing leading '/' from member names
      KAT@central-utm> quit
                           

      After the export command completes, the configuration file named SYSTEM-kba-office.tar should be present in the home directory of the user who ran the command.

    • Transporting the generated file to the administrator operating the Kernun Branch Access.

      If the administrator who generated the configuration file does not have physical access to Kernun Branch Access, the file must be transported to the administrator operating the device itself. It might, for example, be sent by e-mail.

  2. Preparing and inserting the configuration USB flash drive into Kernun Branch Access

    Once the configuration file is exported and delivered to the administrator who has physical access to Kernun Branch Access, the following steps should be taken:

    • Copy the configuration file (e.g. SYSTEM-kba-office.tar) to the root directory of an arbitrary USB flash drive

    • Insert the USB flash drive into one of the USB ports of Kernun Branch Access (5)

      After the drive is inserted, the device emits one short beep and then waits 30 seconds for the application to be confirmed by pressing the button (2). If the timeout expires, the device emits nine short beeps and no configuration is applied. In that case, the USB flash drive must be reinserted and confirmed.

    • Confirm the configuration by pressing the button (2) with a paperclip or a similar tool

      When the button is pressed, the device emits three short beeps and automatically starts the configuration process. If the process succeeds, the device emits one long beep; otherwise it emits three long beeps.

    • After successful configuration, the network connection with central Kernun UTM should be established and Kernun Branch Access can be further configured remotely using the process described in the following section.

Note

Configuration using a USB flash drive is primarily intended for setting the very first configuration, when Kernun Branch Access has no network connection with the central Kernun UTM available. However, it may be reused whenever needed in the future.
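
The following is an added example, not part of the Kernun documentation: one way for the administrator who receives the exported file (for example by e-mail) to confirm that it is the file that was exported, before and after copying it to the root directory of the USB flash drive. It assumes a workstation with a POSIX shell, sha256sum and tar, and that the SHA-256 digest is passed to the receiving administrator through a separate channel; the function names and the USB mount point are hypothetical.

```shell
#!/bin/sh
# Added example: integrity check for an exported KBA configuration file
# (e.g. SYSTEM-kba-office.tar) before it goes onto the USB flash drive.
# Function names and the USB mount point are hypothetical.

# Print the SHA-256 digest (lowercase hex) of a file.
# Run on the central side right after "export" and on the receiving side.
export_digest() {
    sha256sum < "$1" | awk '{print $1}'
}

# Succeed only if FILE has the EXPECTED digest and parses as a tar archive.
verify_export() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(export_digest "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file" >&2
        return 1
    fi
    # List members without extracting; fails on a truncated or corrupt file.
    tar -tf "$file" >/dev/null 2>&1 || {
        echo "not a readable tar archive: $file" >&2
        return 3
    }
}

# Verify the received file, copy it to the root directory of the USB
# drive, flush writes, then verify the copy that the device will read.
stage_on_usb() {
    src=$1; want=$2; usb_root=$3
    verify_export "$src" "$want" || return $?
    cp "$src" "$usb_root/" || return 4
    sync
    verify_export "$usb_root/$(basename "$src")" "$want"
}

# Usage: sh stage.sh SYSTEM-kba-office.tar <sha256-hex> /path/to/usb
if [ "$#" -eq 3 ]; then
    stage_on_usb "$@"
fi
```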

25.3.2. Remote Configuration

If the initial configuration using a USB flash drive has already been successfully applied, Kernun Branch Access can be further configured remotely. The desired configuration can be prepared as a standalone system on the central Kernun UTM with the apply-host configuration directive applied. Instructions for properly setting and applying the apply-host directive can be found in Section 24, “High Availability Clusters”.

25.4. Diagnostics and Troubleshooting

Kernun Branch Access is intended to operate without a monitor or any kind of administrator's console. Therefore, it has only limited means to indicate its current state or communicate with users and administrators. Three built-in LEDs serve for basic diagnostics of the key functions of Kernun Branch Access. This section describes the meaning and purpose of each LED. It also explains how the Remote Help Service can be started and what its purpose is. Finally, it describes the steps to be taken in order to reset the device back to the default factory settings.

25.4.1. Status LEDs

Kernun Branch Access is equipped with three LEDs, which are intended to indicate the status of some key functions of the device. The meaning of each LED is as follows:

  • The left LED (1a)

    Indicates whether Kernun Branch Access is powered on. If so, the diode should be lit continuously without interruptions.

  • The middle LED (1b)

    Indicates the status of all configured KBA components after the system boots. After the system boots, the diode starts to blink, which indicates that the KBA components are being verified. If all the components start successfully, Kernun Branch Access emits one long beep and the diode lights continuously. If not, Kernun Branch Access emits three long beeps and the diode turns off.

  • The right LED (1c)

    Indicates the status of the Remote Help Service. When the service is started by pressing the Remote Help Service button (see Section 25.4.2, “Remote Help Service Button”), the diode blinks quickly until the service is ready (the process should not last longer than 60 seconds). If the service started successfully, the diode lights continuously; if not, it turns off. Similarly, when the service shuts down, the diode blinks until the process is finished and then turns off.

25.4.2. Remote Help Service Button

The Remote Help Service is a service that allows the technicians of the manufacturer of Kernun UTM temporary access to Kernun Branch Access in order to diagnose and maintain it remotely. The service can be both started and stopped by pressing the button located on the front side of the device. The entire starting procedure consists of the following steps:

  • Press the button (2) with a paperclip or a similar tool for 5 seconds.

  • The right LED (1c) starts to blink.

  • When the right LED begins to light continuously, the Remote Help Service has started successfully. The diode stays lit for as long as the service is active.



[46] You can use dd on Linux / BSD or ImageWriter on Windows to copy the USB flash drive image to the device.