VM Config
VM Specifications:
- CPU: 1vCPU (2 cores)
- RAM: 2 GB
- HD: 100 GB
Change the hostname:
sudo hostnamectl set-hostname unifi01.domain.local
Update the IP:
sudo sed -i 's/192.168.30.200/192.168.30.106/g' /etc/netplan/00-installer-config.yaml
sudo cat /etc/netplan/00-installer-config.yaml
Install
Update the system
sudo apt update
sudo apt -y upgrade
Install the bits
sudo apt -y install wget ca-certificates apt-transport-https openjdk-8-jre-headless
sudo apt-mark hold openjdk-11-*
echo 'deb https://www.ui.com/downloads/unifi/debian stable ubiquiti' | sudo tee -a /etc/apt/sources.list.d/100-ubnt-unifi.list
sudo wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ui.com/unifi/unifi-repo.gpg
sudo apt -y update
sudo apt -y install unifi
Configure the services
sudo systemctl restart unifi
sudo systemctl status unifi
sudo systemctl enable unifi
Firewall Changes
IPv6 is disabled in the template.
UFW is enabled in the template with a default policy to deny incoming, allow outgoing, and allow ssh.
Add firewall rules:
sudo ufw allow 3478/udp comment UniFi_-_STUN
sudo ufw allow 5514/udp comment UniFi_-_remote_syslog_capture
sudo ufw allow 8080/tcp comment UniFi_-_device_and_application_communication
sudo ufw allow 8443/tcp comment UniFi_-_application_GUI/API_as_seen_in_a_web_browser
sudo ufw allow 8880/tcp comment UniFi_-_HTTP_portal_redirection
sudo ufw allow 8843/tcp comment UniFi_-_HTTPS_portal_redirection
sudo ufw allow 6789/tcp comment UniFi_-_UniFi_mobile_speed_test
sudo ufw allow 27117/tcp comment UniFi_-_local-bound_database_communication
sudo ufw allow 5656:5699/udp comment UniFi_-_AP-EDU_broadcasting
sudo ufw allow 10001/udp comment UniFi_-_device_discovery
sudo ufw allow 1900/udp comment UniFi_-_L2_device_discovery
Restart UFW.
sudo systemctl restart ufw
Show the policies in a numbered order.
sudo ufw status numbered
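The rules above are easy to apply by hand and just as easy to miss one. The following script is an added example, not part of the original notes: it keeps the same port/protocol table in one place, emits the ufw commands from it, and parses `ufw status numbered` output to report any UniFi port that is still not allowed. It assumes ufw's status format ("[ n] port/proto ALLOW IN ...") and that the script is run as root when `--apply` is used.

```shell
#!/bin/sh
# Added example (not from the original notes): drive the UniFi UFW rules from one
# table and check `ufw status numbered` for rules that are still missing.
set -eu

# port/proto and comment for each rule, taken from the notes above (one per line)
UNIFI_RULES='3478/udp UniFi_-_STUN
5514/udp UniFi_-_remote_syslog_capture
8080/tcp UniFi_-_device_and_application_communication
8443/tcp UniFi_-_application_GUI/API_as_seen_in_a_web_browser
8880/tcp UniFi_-_HTTP_portal_redirection
8843/tcp UniFi_-_HTTPS_portal_redirection
6789/tcp UniFi_-_UniFi_mobile_speed_test
27117/tcp UniFi_-_local-bound_database_communication
5656:5699/udp UniFi_-_AP-EDU_broadcasting
10001/udp UniFi_-_device_discovery
1900/udp UniFi_-_L2_device_discovery'

# ufw_commands: print one "ufw allow" command per table row (pipe into sh as root to apply)
ufw_commands() {
    printf '%s\n' "$UNIFI_RULES" | while read -r spec comment; do
        [ -n "$spec" ] || continue
        printf 'ufw allow %s comment %s\n' "$spec" "$comment"
    done
}

# missing_rules: read `ufw status numbered` output on stdin and print every
# port/proto from the table that has no "ALLOW IN" line. Assumed line format:
#   [ 2] 3478/udp                   ALLOW IN    Anywhere   # UniFi_-_STUN
missing_rules() {
    status=$(cat)
    printf '%s\n' "$UNIFI_RULES" | while read -r spec comment; do
        [ -n "$spec" ] || continue
        if ! printf '%s\n' "$status" | grep -Eq "^\[ *[0-9]+\] *${spec}[[:space:]]+ALLOW IN"; then
            echo "$spec"
        fi
    done
}

# Nothing below touches the system unless explicitly asked:
#   sh unifi-ufw.sh --apply   # add the rules, restart ufw, then report gaps
#   sh unifi-ufw.sh --check   # only report gaps
case "${1:-}" in
    --apply)
        ufw_commands | sh -e
        systemctl restart ufw
        ufw status numbered | missing_rules
        ;;
    --check)
        ufw status numbered | missing_rules
        ;;
esac
```

`--check` prints nothing when every rule is present, so it can be dropped into a post-build verification step. The notes describe 27117/tcp as local-bound database traffic; before keeping that rule, check with `ss -ltn` whether the listener is bound to 127.0.0.1 only, in which case the firewall rule serves no purpose.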
Certificate Creation
Certificate creation is out of the scope of this document.
Certificate Install
Linux (Ubuntu)
You must be logged in as root.
sudo su -
Stop the UniFi service.
systemctl stop unifi
Make a backup of the current keystore.
mv /var/lib/unifi/keystore /var/lib/unifi/keystore.bak
Upload the "unifi01.pfx" certificate to:
/tmp
Change the owner to root.
chown root:root /tmp/unifi01.pfx
Create a directory:
mkdir -p /tmp/keystore
Move the cert to the tmp path:
mv /tmp/unifi01.pfx /tmp/keystore/unifi01.pfx
Run the following command to get the alias.
keytool -list -keystore /tmp/keystore/unifi01.pfx -storetype pkcs12
You will be prompted for the password, which is:
aircontrolenterprise
The alias will look something like the following and the characters will change with each new cert.
te-webserver10years-b1d6c734-d1dd-...
Replace the existing keystore.
cd /var/lib/unifi/
keytool -importkeystore -srcstoretype pkcs12 -srcalias te-webserver10years-b1d6c734-d1dd-... -srckeystore /tmp/keystore/unifi01.pfx -keystore keystore -destalias unifi
The password to open unifi01.pfx is:
aircontrolenterprise
Set the keystore password (prompted twice):
aircontrolenterprise
aircontrolenterprise
Clean it up.
rm -rf /tmp/keystore
You could restart the service, but go ahead and reboot.
reboot
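Because the alias in the PFX changes with every new certificate, the manual steps above are a good candidate for a script. The following is an added example, not code from the original notes: it reads the alias out of `keytool -list`, refuses to continue unless the PFX holds exactly one private key, backs up the live keystore with a timestamp, imports the key under the alias "unifi", and verifies the entry exists before the service is started again. It assumes keytool is on the PATH, the default UniFi password "aircontrolenterprise" from the notes, and that the service runs as the user "unifi" (the chown at the end is an assumption, not a step from the notes).

```shell
#!/bin/sh
# Added example (not from the original notes): automate the alias lookup and
# keystore import described above. Run as root: sh unifi-cert.sh --import /tmp/keystore/unifi01.pfx
set -eu

PFX_PASS="aircontrolenterprise"          # password of unifi01.pfx (from the notes)
KEYSTORE_PASS="aircontrolenterprise"     # keystore password UniFi expects (from the notes)
UNIFI_KEYSTORE="/var/lib/unifi/keystore"

# extract_alias: read `keytool -list` output on stdin and print the alias of the
# first PrivateKeyEntry. keytool prints "alias, date, PrivateKeyEntry," so the
# alias is everything before the first comma on that line.
extract_alias() {
    grep 'PrivateKeyEntry' | head -n 1 | cut -d ',' -f 1 \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# count_private_keys: number of PrivateKeyEntry lines in the listing on stdin.
# A PFX with zero or several private keys is not what the import step expects.
count_private_keys() {
    grep -c 'PrivateKeyEntry' || true
}

# import_pfx: back up the live keystore and replace it with the PFX contents
# under the alias "unifi". Argument: path to the PFX file.
import_pfx() {
    pfx="$1"
    listing=$(keytool -list -keystore "$pfx" -storetype pkcs12 -storepass "$PFX_PASS")
    n=$(printf '%s\n' "$listing" | count_private_keys)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one private key in $pfx, found $n" >&2
        return 1
    fi
    alias=$(printf '%s\n' "$listing" | extract_alias)
    echo "importing alias: $alias"
    # dated backup instead of a single .bak that the next run would overwrite
    if [ -f "$UNIFI_KEYSTORE" ]; then
        cp -p "$UNIFI_KEYSTORE" "$UNIFI_KEYSTORE.bak.$(date +%Y%m%d%H%M%S)"
        rm -f "$UNIFI_KEYSTORE"
    fi
    keytool -importkeystore -srcstoretype pkcs12 -srckeystore "$pfx" -srcstorepass "$PFX_PASS" \
        -srcalias "$alias" -destkeystore "$UNIFI_KEYSTORE" -deststorepass "$KEYSTORE_PASS" \
        -destkeypass "$KEYSTORE_PASS" -destalias unifi
    chown unifi:unifi "$UNIFI_KEYSTORE"   # assumption: the service runs as user "unifi"
    # confirm the entry UniFi will load is present before anything is restarted
    keytool -list -keystore "$UNIFI_KEYSTORE" -storepass "$KEYSTORE_PASS" | grep -q '^unifi,'
}

# Only touch the system when asked explicitly; the functions above can be
# sourced and exercised on their own.
if [ "${1:-}" = "--import" ] && [ -n "${2:-}" ]; then
    systemctl stop unifi
    import_pfx "$2"
    systemctl start unifi
fi
```

The final `grep -q '^unifi,'` is the check worth keeping even if the rest is done by hand: if it fails, the script exits non-zero and the service is left stopped with the dated backup still on disk, rather than coming up on a self-signed certificate it regenerated because the keystore was unreadable.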
Windows
Follow the instructions on: https://cracknells.co.uk
Config UniFi Controller
Go to: https://unifi01.domain.local:8443/
Troubleshooting
Log locations:
sudo tail /usr/lib/unifi/logs/mongod.log
sudo tail /usr/lib/unifi/logs/server.log
References
Install
Certificate Management (Linux and Windows)