
INSTRUMENT SERVICE ADVISORY

ISA-ALNT-001/E
Configuring the Firewall for External Communications

I. PURPOSE:
This document provides the following Alinity Firewall configuration instructions:
• Configuring a Static IP address for X1 (WAN)
• Configuring the X2/X3 ports for separated LAS/LIS communication
• Configuring a customer proxy
• Configuring a different Maximum Transmission Unit (MTU)
• Configuring a Network Time Protocol (NTP) server for User Interface Computer (UIC) time synchronization
• Alternate configuration when the customer and Alinity networks overlap
• Configuring static routing for an LIS Network when the LIS Server and Alinity are on different networks
• Configuring a NAT Policy for an LIS Network when the LIS Server cannot utilize port 50020
• Connecting a network printer directly to the firewall
• Disaster Recovery

II. ADMINISTRATIVE NOTES:


• Access to the Abbott Medical Device Password Generator (AMDPG) is required to log in to the System Software
as an FSE. The AMDPG application can be accessed via the Abbott internet, or a smart phone app, which can be
downloaded from the Abbott Apps store. Internet URL: https://amdpg.abbott.com/
Note: Graphics, displays or screens are for information and illustration purposes.

III. PARTS:
New Inventory Part Number | Description | Old Inventory Number | Inventory Disposition | Notes
SE20000151-101/A | Alinity Firewall Customer Configuration | N/A | N/A |
SE20000151-102/A | Alinity Firewall Customer Configuration V2.0 | N/A | N/A |

ISA-ALNT-001 Rev E, Released - Effective on: 25-Jun-2019 - Confidential - Page 1 of 33


IV. PROCEDURE:
Purpose: Alinity Firewall Check and Configuration
Module: UIC
Tools and Materials: Blank Virus Free USB Drive; USB Keyboard and Mouse; Abbott Medical Device Password Generator
Estimated Time: 20 minutes

Action Step Reference


Preparation
Note: If the System Software is not running, launch the System Software.
Note: The following TCP ports are blocked on the Alinity Firewall; do not use them for
your configuration of external communication systems:
TCP: 0 - 1024, 1433, 1494, 1521, 2000, 2049, 2598, 3389, 5500, 5631, 5800, 5900.
1. Connect the USB Keyboard and Mouse to the UIC.
2. Log in to the System Software as an FSE.
3. At the Home Screen, open the File Explorer by selecting System > File Explorer.
4. Click on the Desktop link under the Favorites section.
5. Double-click on the Chromium link to launch the Chromium browser.
6. In the URL/Address Bar, type in https://172.16.1.1:8787 then press the Enter key.
7. If a privacy/certificate warning is displayed, select the Advanced link and then
select the Proceed to 172.16.1.1 (unsafe) link.
Note: To maintain cyber security of the Alinity UIC and customer’s data network, rules
governing the use of these credentials are as follows:
• MUST NOT BE PRINTED OR WRITTEN ON PAPER AND/OR OTHERWISE
DISTRIBUTED VIA A PAPER DOCUMENT!
• DO NOT PRINT AND ATTACH THE INFORMATION TO THE DEVICE OR ANY
PART OF THE ALINITY SYSTEM!
• DO NOT PROVIDE THE INFORMATION TO ANY NON-ABBOTT PERSON UNLESS
FIRST GETTING PERMISSION FROM COUNTRY SERVICE MANAGEMENT!
• DO NOT CHANGE THE LOGIN USERNAME OR PASSWORD WITHOUT
PERMISSION FROM COUNTRY SERVICE MANAGEMENT!
8. Enter the Username: admin, and Password: J5PK$f(v and select Login.
9. Depending on the configuration needed, perform the following action(s):
• Configuring the firewall with a Static IP address
• Configuring the firewall for separated LAS/LIS communication
• Configuring the firewall with a customer proxy
• Configuring the firewall with a different MTU
• Configuring the UIC with a NTP server
• Alternate configuration when the customer and Alinity networks overlap
• Configuring static routing for an LIS Network when the LIS Server and
Alinity are on different networks
• Configuring a NAT Policy for an LIS Network when the LIS Server cannot
utilize port 50020
• Connecting a network printer directly to the firewall
• Firewall Disaster Recovery

Configuring the firewall with a Static IP address
1. Select the Network link (on the left-hand side of the screen).

2. At the Network Interfaces menu, select the pencil icon for the X1 WAN
Interface configuration.

Note: If the customer wants to use MAC address reservation instead of setting a
Static IP, select the Advanced tab and record the MAC address of the firewall for the
customer (as shown below). After they complete the MAC address
reservation and the firewall’s X1 WAN Interface has received an IP address via
DHCP, proceed to the Verification section. The MAC address can also be found on
the label of the firewall, as the Serial Number with the last digit incremented by 1.

3. Select the General tab, select the IP Assignment: drop-down box, then select
the Static option.

4. Enter the following fields from the Pre-Site Inspection and press the OK button
to save the configuration changes.
• IP Address
• Subnet Mask
• Default Gateway
• DNS Server 1
• DNS Server 2 (Optional)
• DNS Server 3 (Optional)

5. Select the Network link (on the left-hand side of the screen) and then select the
Release/Renew button for the X1 WAN Interface to Release/Renew the
firewall’s WAN Interface.

6. If completed with all configurations, close the Chromium browser and proceed
to the Verification section.

Configuring the firewall for separated LAS/LIS communication
Note: If the customer does not need a separate (discrete) network channel for LIS
communication, then you can safely continue to use the X1 port for LIS
communication (without any additional configuration).
1. Select the Network link (on the left-hand side of the screen).

2. At the Network Interfaces menu, select the pencil icon for the X2 (for LAS) or
X3 (for LIS) Interface configuration.

3. Select the Zone: drop-down box, then select the LAS (if configuring X2) or LIS (if
configuring X3) option.

4. Enter the following details into their respective fields and press the OK button
to save the configuration changes.
X2 (LAS) Configuration
• IP Address: 172.16.2.1
• Subnet Mask: 255.255.255.0
• Select the Ping checkbox
X3 (LIS) Configuration*
• IP Address: (Determined by Site IT)*
• Subnet Mask: (Determined by Site IT)
• Select the Ping checkbox
*IMPORTANT NOTE: This should be the IP Address that the LIS assigns to that
Analyzer. For Track connected analyzers, this will be the Alinity Spur Node IP
Address (Ex. 10.0.0.20).
*IMPORTANT NOTE: The LIS Server IP Address should be entered in the Alinity
Software’s HL7/ASTM Communication configuration screen. For Track connected
analyzers, this will be the DMS Server IP Address (Ex. 10.0.0.100).

5. If completed with all configurations, close the Chromium browser and proceed
to the Verification section.

Configuring the firewall with a customer proxy
1. Select the Address Objects link (on the left-hand side of the screen).

2. If the customer has a Fully Qualified Domain Name (FQDN) Hostname, follow
the steps outlined below:
• Select the pencil icon for the object Site Proxy URL configuration.
• Replace the Customer.Defined.URL in the FQDN Hostname field with
the URL of the proxy server from the Pre-Site Inspection and press the
OK button to save the configuration change.

If the customer has a proxy IP address, follow the steps outlined below:
• Select the pencil icon for the object Site Proxy IP configuration.
• Replace the 0.0.0.0 in the IP Address field with the IP address of the
proxy server from the Pre-Site Inspection and press the OK button to
save the configuration change.

3. If the customer has a proxy port, follow the steps outlined below:
• Select the Services link (on the left-hand side of the screen).

• Select the pencil icon for the object Site Proxy Port configuration.
• Replace the 9999 - 9999 in the Port Range field with the Port Range of
the proxy server from the Pre-Site Inspection and press the OK button
to save the configuration change.

4. If completed with all configurations, close the Chromium browser and proceed
to the Verification section.

Configuring the firewall with a different MTU
1. Select the Network link (on the left-hand side of the screen).

2. At the Network Interfaces menu, select the pencil icon for the X1 WAN
Interface configuration.

3. Select the Advanced tab, enter the value (provided to you by the site’s IT)
in the Interface MTU field, then press the OK button to save
the configuration change.

4. If completed with all configurations, close the Chromium browser and proceed
to the Verification section.

Configuring the UIC with a NTP server
Note: The Network Time Protocol (NTP) server is responsible for clock/time
synchronization on the UIC.
1. Return to the File Explorer and navigate to the C:\Win8_OPK\Utils directory.
2. Double-click on the SetNtpServer.exe file.
3. Once the program launches, enter the NTP server (provided to you by the site’s
IT) into the field, then click on the OK button.

4. Enter a number between 1 and 30 into the field (or leave blank for every day),
then click on the OK button to continue.

5. An input confirmation box will be displayed; click on the OK button to continue.


6. The necessary changes are made to the UIC and a final summary is then
presented (a UIC power cycle is required for the changes to take effect); click on
the OK button to close the utility.

7. If completed with all configurations, proceed to the Verification section.

Alternate configuration when the customer and Alinity networks overlap
Note: In cases where the LAN network of the Alinity system (172.16.x.x) conflicts
with the customer network, follow these steps to reconfigure the Alinity system to
use a 172.27.x.x network instead.
1. Select the DHCP Server link (on the left-hand side of the screen).

2. At the DHCP Server menu, select the pencil icon for the DHCPv4 Server Lease
Scope configuration.

3. Enter the following details into their respective fields and press the OK button
to save the configuration changes.
Dynamic DHCP Scope Settings
• Range Start: 172.27.1.101
• Range End: 172.27.1.101
• Default Gateway: 172.27.1.1
• Subnet Mask: 255.255.255.0

4. Select the Address Objects link (on the left-hand side of the screen).

5. At the Interface Settings menu, select the pencil icon for the object SCCLanIP
configuration.
6. Change the IP Address to 172.27.1.101 and press the OK button to save the
configuration change.

7. Select the Network link (on the left-hand side of the screen).

8. At the Network Interfaces menu, select the pencil icon for the X0 LAN Interface
configuration.

9. Change the IP Address to 172.27.1.1, press the OK button to save the
configuration change, then reboot the UIC to get the new IP Address.

IMPORTANT NOTE: Please note that in the rare case where the alternate network
range described above still conflicts with the customer network, another RFC 1918
network range that is not in conflict could be used. The settings described above
would have to be adjusted accordingly.
IMPORTANT NOTE: If the system is connected to AbbottLink, notify the AbbottLink
Support group and inform them that this system is no longer configured to use the
standard 172.16.1.101 IP address. They will need to know which system it is and
what IP address the system is now configured to use. They will then deploy a
package to the system via AbbottLink that will reconfigure the Firewall Admin
Console application so that the firewall can once again be managed via AbbottLink.
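
The overlap check behind this section, as an added example (not part of the advisory or of the firewall's software): it picks the first /16 that does not conflict with the customer's networks and derives the values entered in steps 3, 6 and 9, extending the 172.27.x.x case to any RFC 1918 range as the first IMPORTANT NOTE allows. The function names and the search order after 172.27.x.x are assumptions of this example.

```python
import ipaddress

# From the advisory: default Alinity LAN (172.16.x.x) and documented alternate (172.27.x.x).
DEFAULT_LAN = ipaddress.ip_network("172.16.0.0/16")
ALTERNATE_LAN = ipaddress.ip_network("172.27.0.0/16")
RFC1918_BLOCKS = ("172.16.0.0/12", "192.168.0.0/16", "10.0.0.0/8")


def candidate_lans():
    """Yield /16 candidates: default, documented alternate, then the rest of RFC 1918.

    The search order after 172.27.x.x is an assumption of this example.
    """
    yield DEFAULT_LAN
    yield ALTERNATE_LAN
    for block in RFC1918_BLOCKS:
        for net in ipaddress.ip_network(block).subnets(new_prefix=16):
            if net not in (DEFAULT_LAN, ALTERNATE_LAN):
                yield net


def choose_lan(customer_networks):
    """Return the first candidate /16 that overlaps none of the customer networks."""
    # strict=False accepts host-style input such as "172.16.5.10/24".
    customer = [ipaddress.ip_network(n, strict=False) for n in customer_networks]
    for lan in candidate_lans():
        if not any(lan.overlaps(c) for c in customer):
            return lan
    raise ValueError("every RFC 1918 /16 conflicts with the customer networks")


def firewall_settings(lan):
    """Map a chosen /16 onto the fields edited in steps 3, 6 and 9 (x.y.1.0/24)."""
    base = lan.network_address + 256          # x.y.1.0, matching 172.27.1.x
    subnet = ipaddress.ip_network(f"{base}/24")
    return {
        "X0 LAN IP Address": str(base + 1),
        "SCCLanIP": str(base + 101),
        "DHCP Range Start": str(base + 101),
        "DHCP Range End": str(base + 101),
        "DHCP Default Gateway": str(base + 1),
        "Subnet Mask": str(subnet.netmask),
    }


if __name__ == "__main__":
    # Constructed sample: the site already uses part of 172.16.x.x.
    site = ["172.16.40.0/22", "10.88.0.0/16"]
    lan = choose_lan(site)
    print(lan)
    for field, value in firewall_settings(lan).items():
        print(f"{field}: {value}")
```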

Configuring static routing for an LIS Network when the LIS Server and Alinity are on different networks
Note: This configuration is necessary in cases where the Alinity system and the LIS
server are on different networks or VLANs; you will need to add specific routing
information to the firewall so that communication will be successful.
IMPORTANT NOTE: The instructions below are for example only where the Alinity
system is on network 10.88.x.x and the LIS server is on network 10.101.x.x. The
Alinity firewall IP address in this example is 10.88.146.188 and the default gateway
for this network is 10.88.146.254. The IP address for the LIS (or AMS) server in this
case is 10.101.1.105. The IP addresses, subnet masks and default gateways that you
enter will be specific to each customer location and should be provided by the
customer’s IT organization.
1. Select the Address Objects link (on the left-hand side of the screen).

2. Click on the Add button, enter the following details into their respective fields
and press the Add button to save the configuration changes.
Add Address Object
• Name: LIS Network
• Zone Assignment: LIS
• Type: Network
• Network: 10.101.1.0
• Netmask/Prefix Length: 255.255.255.0

3. Click on the Add button, enter the following details into their respective fields
and press the Add button to save the configuration changes.
Add Address Object
• Name: X3 Gateway
• Zone Assignment: LIS
• Type: Host
• IP Address: 10.88.146.254

4. Select the Routing link (on the left-hand side of the screen).

5. Click on the Add button, enter the following details into their respective fields
and press the OK button to save the configuration changes.
Route Policy Settings
• Source: Any
• Destination: LIS Network
• Service: Any
• Gateway: X3 Gateway
• Interface: X3
• Metric: 10
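
The static-routing steps above, worked as an added example (not part of the advisory or of the firewall's software): given the site's X3 and LIS addressing, it decides whether a static route is needed, rejects a gateway that is not reachable on X3, and returns the Address Object and Route Policy field values. The function name and the X3 subnet mask used in the sample call are assumptions; the other sample addresses are the ones from the IMPORTANT NOTE.

```python
import ipaddress


def plan_lis_route(x3_ip, x3_mask, gateway_ip, lis_server_ip, lis_mask):
    """Build the Address Objects and Route Policy for an off-link LIS server.

    Returns None when the LIS server is already on the X3 subnet, in which
    case no static route is needed.
    """
    x3 = ipaddress.ip_interface(f"{x3_ip}/{x3_mask}")
    lis = ipaddress.ip_interface(f"{lis_server_ip}/{lis_mask}")
    gateway = ipaddress.ip_address(gateway_ip)

    if lis.ip in x3.network:
        return None
    # The next hop must be directly reachable on X3, otherwise the route is unusable.
    if gateway not in x3.network:
        raise ValueError(f"gateway {gateway} is not on the X3 subnet {x3.network}")
    if gateway in (x3.ip, x3.network.network_address, x3.network.broadcast_address):
        raise ValueError(f"gateway {gateway} is not a usable next-hop host")
    # A destination that contains the X3 subnet would redirect local traffic too.
    if lis.network.overlaps(x3.network):
        raise ValueError(f"LIS network {lis.network} overlaps X3 subnet {x3.network}")

    return {
        "address_objects": [
            {"Name": "LIS Network", "Zone Assignment": "LIS", "Type": "Network",
             "Network": str(lis.network.network_address),
             "Netmask/Prefix Length": str(lis.network.netmask)},
            {"Name": "X3 Gateway", "Zone Assignment": "LIS", "Type": "Host",
             "IP Address": str(gateway)},
        ],
        "route_policy": {"Source": "Any", "Destination": "LIS Network",
                         "Service": "Any", "Gateway": "X3 Gateway",
                         "Interface": "X3", "Metric": 10},
    }


if __name__ == "__main__":
    # Addresses from the advisory's example; the X3 mask 255.255.255.0 is assumed.
    plan = plan_lis_route("10.88.146.188", "255.255.255.0", "10.88.146.254",
                          "10.101.1.105", "255.255.255.0")
    for obj in plan["address_objects"]:
        print(obj)
    print(plan["route_policy"])
```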

Configuring a NAT Policy for an LIS Network when the LIS Server cannot utilize port 50020
1. Select the Services link (on the left-hand side of the screen).

2. Click on the Add button, enter the following details into their respective fields
and press the Add button to save the configuration changes.
Add Service
• Name: LIS_Rx_NAT
• Protocol: TCP
• Port Range: LIS Port

3. Select the NAT Policies link (on the left-hand side of the screen).

4. At the NAT Policies menu, select the pencil icon for either of the Service
Original LIS_Rx NAT Policies (depending on whether you are using WAN or X3 for the
LIS communication).

5. At the NAT Policy Settings menu, change the Original Service to LIS_Rx_NAT
and the Translated Service to LIS_Rx and press the OK button to save the
configuration changes.
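
The blocked-port list in the Preparation note applies to every Port Range value entered in this procedure, including Site Proxy Port and LIS_Rx_NAT. The check below is an added example, not part of the advisory or of any Abbott or SonicWall tool; the function names, the sample values and the assumption that LIS_Rx corresponds to port 50020 are illustrative.

```python
# Blocked TCP ports, copied from the Preparation note of the advisory.
BLOCKED_TCP = set(range(0, 1025)) | {
    1433, 1494, 1521, 2000, 2049, 2598, 3389, 5500, 5631, 5800, 5900}
PLACEHOLDER = (9999, 9999)   # template value of the Site Proxy Port object
LIS_RX_PORT = 50020          # assumption: LIS_Rx is the default LIS port 50020


def parse_port_range(text):
    """Parse a Port Range field value such as '9999 - 9999' or '8080'."""
    parts = [p.strip() for p in str(text).split("-")]
    if len(parts) == 1:
        parts = parts * 2
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a port range: {text!r}")
    start, end = int(parts[0]), int(parts[1])
    if not 0 <= start <= end <= 65535:
        raise ValueError(f"port range out of order or out of bounds: {text!r}")
    return start, end


def review_port_fields(fields):
    """Return {field name: [findings]} for each Port Range value that needs attention."""
    findings = {}
    for name, text in fields.items():
        try:
            start, end = parse_port_range(text)
        except ValueError as exc:
            findings[name] = [str(exc)]
            continue
        issues = []
        blocked = sorted(p for p in BLOCKED_TCP if start <= p <= end)
        if blocked:
            issues.append(f"{len(blocked)} blocked port(s), first {blocked[0]}")
        if name == "Site Proxy Port" and (start, end) == PLACEHOLDER:
            issues.append("still the 9999 - 9999 template value")
        if name == "LIS_Rx_NAT" and start <= LIS_RX_PORT <= end:
            issues.append("includes 50020, so no NAT policy is needed")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    # Constructed sample values, as they might be copied from a Pre-Site Inspection.
    sample = {"Site Proxy Port": "3389 - 3389", "LIS_Rx_NAT": "50021 - 50021"}
    for field, issues in review_port_fields(sample).items():
        print(field, "->", "; ".join(issues))
```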

Connecting a network printer directly to the firewall
1. Utilizing a standard Category 5 Ethernet cable (customer supplied), connect the
printer to the X3 (or X4, if available) connection on the back of the Alinity
ci-series SCM bulkhead.
2. Select the Network link (on the left-hand side of the screen).

3. At the Network Interfaces menu, select the pencil icon for the X3 (or X4)
Interface configuration.

4. At the Interface Settings section, enter the following details into their
respective fields and press the OK button to save the configuration changes.
• Zone: LIS
• Mode / IP Assignment: Static IP Mode
• IP Address: 172.16.4.1
• Subnet Mask: 255.255.255.0

5. Configure the network printer with a Static IP address that is within the same
network that the X3 (or X4) Interface was configured with (e.g. 172.16.4.100).
Make sure to set the printer’s Default Gateway to the IP address configured for
the X3 Interface (e.g. 172.16.4.1).
6. If completed with all configurations, close the Chromium browser and proceed
to the Verification section.

Firewall Disaster Recovery
Note: It is CRITICAL that prior to inserting a USB drive into an available USB port on
the User Interface Computer (UIC), the FSE MUST verify that the USB drive does not
contain a virus. As Abbott provides virus protection software for the FSE’s laptop, it
is REQUIRED that the FSE use the virus protection software on an Abbott Laptop to
scan the USB drive prior to its use on the UIC. If a virus is detected, format the USB
drive and repeat the virus scan.
1. Insert a blank virus free USB drive into your FSE issued laptop (minimum 116
KB of available free space is needed).
2. Verify that the USB drive has been formatted as NTFS (Open File Explorer >
Right click on the USB drive you inserted in step 1 > Click Properties > Verify
File System shown is NTFS).
3. If the USB drive File System is not NTFS, format the USB drive as NTFS (Open
File Explorer > Right click on the USB drive you inserted in step 1 > Click
Format… > Click the down arrow for File system and select NTFS > Select
Quick Format checkbox > Click the Start button > Wait till format completes).
4. Depending on the Alinity Firewall Customer Configuration needed,
perform either sub-step a or b:
a. If performing a LN 04S56-01 Alinity Firewall Disaster Recovery, download
the SE20000151-101A.zip file that is attached to this ISA Package (PN:
SE20000151-101/A) and extract the
SonicWALL-TZ_300_Customer_Config.exp file to a verified USB drive.
b. If performing a LN 04S56-02 Alinity Firewall Disaster Recovery, download
the SE20000151-102A.zip file that is attached to this ISA Package (PN:
SE20000151-102/A) and extract the
SonicWALL-TZ_300_Customer_Config_v2.00.exp file to a verified USB drive.

5. Insert the USB drive containing Alinity Firewall Customer Configuration (PN:
SE20000151-101/A or PN: SE20000151-102/A) into an available USB port on the
User Interface Computer (UIC).
6. Select the Settings link (on the left-hand side of the screen).

7. Click on the Import Settings… button.


8. Click on the Choose File button and in the pop-up dialog box, navigate to the
USB drive inserted in step 5, select the
SonicWALL-TZ_300_Customer_Config.exp or
SonicWALL-TZ_300_Customer_Config_v2.00.exp file and click the Open button.
9. Once chosen, click on the Import button to load the configuration file then the
OK button (to confirm the overwrite and reboot the firewall).
10. If completed with all configurations, close the Chromium browser and proceed
to the Verification section.



V. VERIFICATION:
Purpose: Verify Alinity Firewall Configuration
Module: UIC
Tools and Materials: None
Estimated Time: 10 minutes

Action Step Reference


Verify Firewall Functionality
1. At the Home Screen, open the File Explorer by selecting System and then File
Explorer.
2. In the Address Bar of the File Explorer, type cmd.exe and press the Enter key.
3. In the Command Window, type ping abbottlinkdevice.abbott.com and press the
Enter key. If you do not receive a timeout, then you know that the ping test was a
success and you have a good connection, as shown in the below example.

4. Close out of the Command Window.


5. Log out of the System Software.

VI. ATTACHMENTS
Title | File name | Intended Use
Alinity Firewall Customer Configuration | SE20000151-101A.zip | For Firewall Disaster Recovery of LN 04S56-01
Alinity Firewall Customer Configuration V2.0 | SE20000151-102A.zip | For Firewall Disaster Recovery of LN 04S56-02
