Initial Setup Wizard: setting up from scratch
This guide explains how to configure a fresh Defguard 2.0 instance using the Initial Setup Wizard in the Core UI.
It assumes that the Defguard stack has already been deployed using one of the supported deployment methods and that the Core UI is accessible in your browser.
Overview
The Initial Setup Wizard guides you through the first configuration of your Defguard instance.
During the process, you will:
create the initial administrator account
configure connection parameters
create an internal Certificate Authority
adopt the Edge component
configure Core and Edge URLs
configure TLS
create the first VPN Location
adopt the Gateway component
verify that the VPN connection works
Open the Core UI
Open the Defguard Core UI in your browser.
If this is a fresh instance, the Initial Setup Wizard starts automatically.

Create the initial admin user
The first step is creating the initial administrator account.
Provide the required user details and continue.
This account will be used to complete the initial configuration and manage the Defguard instance.

Create the internal Certificate Authority
Create a custom Certificate Authority.
This CA is used to issue certificates for Defguard components, including:
Edge
Gateway
It can also be used to issue a certificate for the Core UI if you want Defguard to handle TLS directly.
Provide:
CA name
administrator email address
After the CA is created, download the CA certificate.
If you use a certificate issued by this CA for the Core UI, import and trust it in your browser or operating system.

Adopt the Edge component
The next step is adopting the Edge component.
Edge is the public-facing component used for enrollment and client-facing API access.
In the wizard:
Confirm that the Edge component has been deployed.
Provide a name for the Edge component.
Provide the Edge address reachable by Core.
Start the adoption process.
During adoption, Defguard issues a certificate for Edge using the internal Certificate Authority.
This secures communication between Core and Edge.


Configure the Core URL
Next, provide the URL used to access the Core UI.
This should be the final URL users and administrators will use to access Core, for example:
Depending on your deployment, this may be:
an internal domain
a private DNS name
a URL exposed through a reverse proxy
Defguard will redirect you to the configured URL after the general configuration wizard.
Configure SSL for Core
Choose how SSL should be configured for Core.
Available options include:
skipping SSL configuration, useful if SSL is handled by a reverse proxy
uploading your own certificate
generating a certificate using Defguard’s internal Certificate Authority
If you generate a certificate using Defguard’s internal CA, download and trust the CA certificate on client machines that need to access Core.
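Before trusting the downloaded CA certificate on client machines, compare its fingerprint out-of-band and confirm that the certificate presented for Core actually chains to it. The following is an added example, not Defguard's own tooling: the CA names, the host name `core.example.internal` and all certificates are constructed stand-ins for the files you download from the wizard, and it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example (not Defguard code): trust checks for a downloaded internal CA.
# CA names, file names and certificates below are constructed for the demo.

# Print the SHA-256 fingerprint of a CA certificate for out-of-band comparison.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit 0 only if certificate $2 chains to the CA certificate in $1.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Create a throwaway self-signed CA named $2 in directory $1 (demo stand-in).
make_ca() {
    cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Issue a leaf certificate with CN $3, signed by CA $2, in directory $1.
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/$2.cnf" -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# Demo: a leaf from the expected CA verifies; checked against another CA it fails.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" expected-ca && make_ca "$d" other-ca || return 1
    make_leaf "$d" expected-ca core.example.internal || return 1
    chains_to_ca "$d/expected-ca.pem" "$d/core.example.internal.pem" && good=ok || good=fail
    chains_to_ca "$d/other-ca.pem" "$d/core.example.internal.pem" && bad=accepted || bad=rejected
    fp=$(ca_fingerprint "$d/expected-ca.pem")
    rm -rf "$d"
    echo "$good $bad ${#fp}"
}
```

Calling `demo` prints the two verification outcomes and the fingerprint length; for a real check, pass the CA file downloaded from the wizard and the certificate served by Core to `chains_to_ca`.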

Configure the Edge external URL
Next, provide the external URL for Edge.
This is the URL used by users and clients to access enrollment and related services, for example:
Make sure this URL points to the deployed Edge component.
Configure SSL for Edge
Choose how SSL should be configured for Edge.
Available options include:
skipping SSL configuration
uploading your own certificate
generating a certificate using Defguard’s internal Certificate Authority
obtaining a certificate using Let’s Encrypt
If you choose Let’s Encrypt, make sure the required HTTP and HTTPS ports are reachable by the certificate validation process.
Defguard can then automatically obtain and renew the certificate.

After this step, the general system configuration is complete.
Create the first VPN Location
After the initial system configuration, Defguard opens the Location wizard.

Provide a name for the Location, for example:
Then configure the VPN endpoint:
public IP address or DNS name that clients will use to establish the VPN connection; depending on your deployment, this should be the address of the Gateway you configure in the following steps, or it might be the address of a load balancer in front of your Gateway cluster
WireGuard UDP port used by clients
You can also configure:
Internal VPN address
Allowed IPs
DNS settings
default VPN Location settings
MFA requirements
group access
firewall module settings
At the end of the wizard, keep the option enabled to activate the Location by setting up a Gateway.

Adopt the Gateway component
The Gateway wizard guides you through connecting a Gateway to the Location.

In the wizard:
Confirm that the Gateway component has been deployed.
Provide a name for the Gateway.
Provide the Gateway address reachable by Core.
Start the adoption process.
During adoption, Defguard issues certificates for Gateway and secures communication between Core and Gateway.
After adoption, the Gateway is connected to the Location.

Verify the setup
After the setup is complete, go to the Locations view. You should see the Location created and the Gateway connected.

Go to the Edge components view. You should see the Edge component connected.

After completing the wizard, your Defguard instance is ready for further configuration, such as adding users, enabling MFA, configuring identity providers, and defining access policies.