Implementing ISPadmin
You will find here all steps needed for implementing ISPadmin into your company. Go one by one. There are links to other useful articles in the bottom.
Hardware requirements
To run ISPadmin, a dedicated server is required, or you can use one of the supported platforms (VMWARE, Proxmox). Hardware requirements may differ from number of clients, supported routers and devices.
We recommend to use high-quality equipment with the following recommended configuration:
| Recommended configurations | 1 000 clients and 100 routers | 5 000 clients | 10 000 clients |
|---|---|---|---|
| Processor | 2GHz and more, 64-bit architecture required!, recommended: Xeon with two, for or more cores | Xeon 6 Core (12 cores in total) | 2 Xeon Core (24 cores in total) |
| RAM | 4 GB RAM and more | 32 GB RAM | |
| Hard disks | 2x 250GB and more (SATA or SAS) with RAID1 for system, 1x 500GB (1000GB is better) for NETflow module Use a hardware controller as RAID, if possible. Otherwise we should be able to set up software RAID during the instalation (attention - software RAID cannot be set up in the installation utility!). The size of the system even after a five-year-long operation does not usually exceed 35GB + the backup system data. The data bulk for NetFlow at the operation 200 Mbit/s is about 1,5 GB a day, which is approximately 300 GB for 180 days (half of a year). |
SAS HDD (15k RPM, ideally), 2x 300 GB of capacity at least (system and database), and 2x 600 GB for stored data. Consider using SSD disks for their I/O speed. | |
| CD-ROM | The drive is necessary only for the installation of the system and in case of serious system failure; an external drive can be used. | ||
| COM port | If you want to connect your own SMS gateway to the server and send client reminders, plans to technicians, outage messages from Nagios etc. through it, we recommend to purchase a server with this port. It is possible to connect telephone/SMS gateway through USB as well, but the instalation is more complicated and it may not be always possible to activate the device. An optional solution of a missing COM port is an additional extension card with COM ports. In this case, it is necessary to find out before the purchase whether this particular type is supported by Linux (if there are available drivers for it). Another option is to use SMPP protocol for connection of SMS gateway which is connected in the network and uses TCP/IP protocol. |
||
Note
In case of virtual installation with more applications / system on the same HW, bear in mind that all operations share the same HDD, and may reduce their speed due to IOPS which the HDD is capable of managing. Disproportional use of IOPS on HDD may affect the actual operation speed of ISPadmin. We recommend sufficiently configured HW, or a dedicated HW solution solely for purposes of ISPadmin. Consider having the database on separate HW for higher number of clients. If you are not sure with regards to the right HW configuration contact us on support@ispadmin.eu.
For cases of blackout, it is advisable to connect the server to a UPS back up source because a sudden disconnection of the system might cause a damage of the database or of the system itself.
Sometimes HW RAID driver or a network card problems arise. A lot of problems can be solved even when the purchased server is not supported (ie. patch cores, driver compilation, or copying of installing archive through the Internet, etc.).
You may also host the installation of ISPadmin on our servers thus leaving all HW-related troubles to us. We guarantee you a 100%-availability and security of your data. Also, unlimited technical support is provided.
Installation
There are several ways of installing ISPadmin. Select the one that suits you best. You can carry out the installation on your own hardware, or have the system hosted in our data centre leaving all the hassle for us
| Hosted installation |
|
|---|---|
| Local installation | As a must, you will have to have basic knowledge of Linux system for local installation hence we recommend this type of installation to more experienced users. Otherwise you should opt for remote installation. |
| Remote installation | This manual is intended primarily for users who do not have adequate knowledge of Linux systems needed for independent local installation or for those, who do not have enough time for it. The following procedure will show you how to set up the installation so that it can be remotely performed by our technical support. |
| Virtual installation | We support VMware. In this case, you will be fully responsible for the technical solution and its operation on a virtual machine. |
Installation configuration
You will need to choose symbolic DNS addresses for web administration interface and client portal to complete the basic installation. Third level domains must be selected at least.
Take these as inspirations:
- Admin interface: ispadmin.yourcompany.cz, admin.yourcompany.cz, administration.yourcompany.cz…
- Client portal: klient.yourcompany.cz, client.yourcompany.cz, portal.yourcompany.cz, support.yourcompany.cz…
DNS records pointing to IP address of installed ISPadmin server must be created for selected symbolic addresses. These should usually be configured by your Internet provider, or you should be able to configure them yourself through your administration account (each provider has a different solution).
Set up domain names
If DNS records point correctly to your server, test them by ping. Then continue with system configuration.
ping admin.yourcompany.cz
PING to yourcompany.cz [81.0.237.137] - 32 bytes of data:
...
Ping statistics for 81.0.237.137:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
Let´s assume that IP address of your server is 10.0.0.1, translated to public IP 81.0.237.137. DNS records point to IP 81.0.237.137, and server IP address is 10.0.0.1
Enter server name into /etc/hostname: admin
pico -w /etc/hostname
Enter IP address and hostname into /etc/hosts like this: 10.0.0.1 admin.yourcompany.cz klient.yourcompany.cz admin klient
pico -w /etc/hosts
Modified marked address in /etc/apache2/httpd.conf so that the file looks like this:
pico -w /etc/apache2/httpd.conf
#Listen 81 ### comment port 81 at the beginning
#Listen 82
#Listen 84
options FollowSymLinks
#NameVirtualHost 10.0.0.1:80 ### modify address for virtual hosts for relevant ports
#NameVirtualHost 10.0.0.1:443
### ISP Admin
### modify domain name for unsecured access
ServerName admin.vasefirma.cz
DocumentRoot "/data/support_nossl/"
## ISP Admin SSL
ServerName admin.yourcompany.cz
DocumentRoot "/data/support/ispadmin/"
AddDefaultCharset UTF-8
Options ExecCGI
AllowOverride All
CustomLog /var/log/apache2/access_support_ispadmin.log combined
AddType application/x-httpd-php .php .php3 .php4
php_admin_value open_basedir "/data/support/:/tmp/:/data/:/usr/local/script/ispadmin/:/data/backup/"
php_admin_value include_path ".:/usr/local/lib/php/:/tmp/:/data/support/:/usr/local/script/ispadmin/"
php_admin_value disable_functions "openlog, exec, passthru, proc_open, proc_close, shell_exec"
php_admin_value display_errors "On"
php_admin_value safe_mode "Off"
php_admin_value safe_mode_exec_dir "/usr/local/script/ispadmin/"
php_admin_value safe_mode_allowed_env_vars none
php_admin_value safe_mode_include_dir ".:/usr/local/lib/php/:/tmp/:/data/support/:/usr/local/script/ispadmin/" php_admin_value register_globals "On"
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f webmaster@ispadmin.cz"
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/cert/server.crt
SSLCertificateKeyFile /etc/httpd/conf/cert/server.key
SSLCertificateChainFile /etc/httpd/conf/cert/ca.crt
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
#### ISP Admin support
#
# DocumentRoot "/data/support_nossl/"
#
## ISP Admin support SSL
ServerName klient.yourcompany.cz
DocumentRoot "/data/support/ispadmin/new/www/clientinterface/"
AddDefaultCharset UTF-8
Options ExecCGI
AllowOverride All
CustomLog /var/log/apache2/access_support_ispadmin_support.log combined
AddType application/x-httpd-php .php .php3 .php4
php_admin_value open_basedir "/data/support/ispadmin/:/tmp/:/usr/local/script/ispadmin/"
php_admin_value include_path ".:/usr/local/lib/php/"
php_admin_value disable_functions "openlog, exec, passthru, proc_open, proc_close, shell_exec"
php_admin_value display_errors "On"
php_admin_value safe_mode "Off"
php_admin_value register_globals "On"
# SSLEngine on
# SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# SSLCertificateFile /etc/httpd/conf/cert/server.crt
# SSLCertificateKeyFile /etc/httpd/conf/cert/server.key
# SSLCertificateChainFile /etc/httpd/conf/cert/ca.crt
# SetEnvIf User-Agent ".*MSIE.*" \
# nokeepalive ssl-unclean-shutdown \
# downgrade-1.0 force-response-1.0
Options ExecCGI FollowSymLinks
AllowOverride None
Options ExecCGI
AllowOverride All
include /usr/local/script/ispadmin/apache_ispadmin_vhost.conf
Further steps to be made:
Password setup
We strongly recommend to follow the principles of so called strong passwords. This way you will greatly reduce the possibility of compromising the system, database, even the application itself.
Do not use ISPadmin with default passwords included in the installation!
An example: Suppose you want an easy to remember password, which meets the requirements for a strong password: it contains both uppercase and lowercase letters, numbers and special characters, and is at least 8 characters long.
Weak password: frantavomacka
The transformation of a weak password into a strong one:
1)You put uppercase letters instead of some lowercase ones - this way you will meet the condition of uppercase and lowercase letters.
2)Replace "o" with "0", "i" or "l” with "1" or use a few numbers at the end of the password - this way you will meet the condition of numbers presence in a password.
3)Replace "a" with "@" or between words frantavomacka you will use the underscore sign "_" - this way you will meet the condition of special character in a password.
Strong password: Fr@nta_V0macka957
Change default SQL database passwords; you can use help:
/usr/local/script/ispadmin/ispadmin_change_pass.pl
Change of default password for user SQL DB "ispadmin":
/usr/local/script/ispadmin/ispadmin_change_pass.pl ispadmin ispadmin new_password
Change of default password for user SQL DB "root":
/usr/local/script/ispadmin/ispadmin_change_pass.pl mysql_root ispadmin new_password
Also, change root password for access to Linux via SSH:
passwd root
You don´t have to be afraid about it. If you accidentally change the password and forget it, contact our technical support. There is no need to reinstall the system.
Now restart the server again with reboot to apply all changes in the system.
reboot
When the system is restarted, log into web interface using default data (user: admin, password: ispadmin) and change system administrator password - admin - in Settings Administrators Administrators to a new, more secure one following rules for strong passwords.
Licence activation
For full use of ISPadmin you need to purchase and activate licence for certain amount of clients.
Update to latest stable version
If you have configured your installation correctly, run a command to update to the latest stable version of ISPadmin.
System security
To prevent server attacks, you have to configure firewall for ISPadmin. If you wish to access the server remotely, you will need to define the appropriate firewall rules to allow traffic via SSH and other protocols only from strictly necessary IP addresses (networks). To do so, go to Settings System Settings Security where you enable SSH access for administrator devices only, or directly for your network only.
Backups
A must; no doubt it belongs among first steps during implementation. It is important to realize that the entire business of your ISP company will now be dependent on the availability of ISPadmin. System recovery from a backup can be performed in tens of minutes, which is absolutely crucial for a company providing connectivity to hundreds of homes and dozens of companies in case of a sudden system failure.
Please do not underestimate the importance of backups.
Initial setup
After system installation you can proceed with ISPadmin system implementation into your network. Implementation of our control system usually proceeds relatively smoothly and in most cases it can run in parallel with a gradual shut down of previous solutions.
Under no circumstances it is a "Start-Stop" action in the course of one afternoon, which might have fatal effects on the functionality of your entire network. Therefore we recommend gradual activation of specified routers in a manner of proceeding from the outermost points of the network towards the centre of your network or to the backbone. This way you can disconnect only a small number of clients in the old system. You will re-connect them with one click. By switching the router from passive to active mode, all necessary rules will be recorded into its configuration and the clients will be re-connected immediately.
Good preparation for such a fundamental system change will prevent future problems and you will significantly reduce the occurrence of common problems during the implementation of ISPadmin into your network. However, it is necessary to point out that integration of such an extensive system into an ISP’s network can be highly individual. It is therefore appropriate to prepare in advance for possible complications and to earmark workforce to deal with them at least in the very first days of system implementation.
The following procedure should make it easier for you when implementing the system so that the transition to it would be as smooth as possible. Please go through ISPadmin tabs following these points:
Administrator accounts
The very first step on clean installation is creating administrator accounts, under which individual employees will be logging into the system. It is recommended to create a few administrator accounts with different access to the system administration.
Add/control administrator accounts in Settings Administrators. We recommend you create various administrator accounts with different access rights for ISPadmin.
A correct adding and using of admin accounts is important mainly for logging of events in changes history which can be accessed via Client card / History for individual contacts, or via Statistics History for the entire system.
Email addresses
Change the following emails to know what´s happening in ISPadmin:
- Settings System settings General, ID: admin_email, checklimit_mail_copy, checklimit_mail_from, sms_notify_inbox_mail, system_mail, user_ending_contract_email
- Settings System settings Scheduling, ID: planning_email_from
- Settings System settings Client portal, ID: ci_auth_requests_forwarding_email
routers
Code lists related to routers
At first, fill in some code lists related to routers:
- Settings Code lists Router groups
- HardwareSettings End devices
- Settings Code lists Localities
- Settings Code lists IP ranges
- Settings Code lists Nagios .
Add routers
Add routers in Hardware Routers All, always in monitoring mode. Correct router functionality is conditioned by correct login to router services (SNMP, SSH, API), it is thus appropriate to verify connection to the router. Also, to ensure correct communication between a router and ISPadmin you have to assign FULL Mikrotik rights to user that will be used by ISPadmin for connection to router.
IP Ranges
IP ranges must be defined so that you can connect clients to routers. Networks which are routed by a router are listed in Routed Networks settings.
Clients, services
Before you start adding clients define the following: Service type, Tariffs, Client groups, Client status, Invoice groups.
Add clients (here is how) and add them service(s) (here is how).
You can also import clients from your old system.
As soon as routers are configured you can switch them from monitoring mode to a normal one. It is only now when ISPadmin starts applying settings to routerboard configuration. Therefore we recommend gradual activation of specified routers in a manner of proceeding from the outermost points of the network towards the centre of your network or to the backbone. This way you can disconnect only a small number of clients in the old system. You will re-connect them with one click. By switching the router from passive to active mode, all necessary rules will be recorded into its configuration and the clients will be re-connected immediately.
If you activate Apply firewall rules for a router all clients added through ISPadmin will be recorded into its configuration, and the entire range will be dropped in the end. This ensures that no unauthorised access is allowed. However, if you wish to enter clients into ISPadmin on the router progressively from your old system, you have to temporarily disable this firewall rules application, otherwise the system would "cut off" your original clients.
Introduction to Invoicing
Invoicing is an important functionality of ISPadmin. Therefore we recommend you read carefully Introduction to Invoicing and familiarize yourself with it.
Useful
| Mikrotik shaping | System migration | Linux update |
| SMS gateway setup | Google Maps setup | SNMP templates setup |
| Available extensions and modules: | ||
| Client portal | Radius | NETflow |
| Dealer | CMTS | Task Manager |