Thunder NSI is the global technology leader in secure & intelligent networking solutions, delivering optimized secure connectivity to service providers, enterprise, industrial, and government operators worldwide.

Virtual Appliance (Server) Setup

 
Thunder Gateway is a virtual server appliance. It can be deployed on a bare metal server or as a cloud VM. The Gateway server is designed to run on Linux KVM, VMware, or VirtualBox, and both .VMDK and .QCOW2 images are available for download.
While each deployment will vary, Thunder Gateway has the following minimum and general recommendations:
   Minimum Hardware Requirements
  • VM, Desktop, or Bare metal server with hardware virtualization enabled BIOS
  • CPU:  Dual Core 1.2 GHz
  • Memory: 2 GB
  • Disk Space: 20 GB
   Recommended Hardware
  • Bare metal server with hardware virtualization enabled BIOS
  • CPU:  Quad Core 1.2+ GHz
  • Memory: 4 GB
  • Disk Space: 20 GB
Server installation instructions for Thunder Gateway will vary depending on the operating system and server type. See www.thundernsi.com/resources for detailed instructions on server setup. 
Once the VM has been properly installed, the server console should show the following message after boot up. 
Access the Web User Interface (UI) of the Thunder Gateway server by opening a web browser and navigating to port 8001 on the server's IP address as shown in the console (e.g. https://192.168.29.147:8001). The server IP address is set to DHCP by default. The fallback IP address if no DHCP is present is 10.255.254.1.
Once the UI has been accessed, the Admin needs to create and verify a user account. The user and the server need Internet access in order to successfully set up and authenticate the user account.
On the first login, the Gateway UI will ask for a license key to authenticate the Gateway server instance. Once the license key has been authenticated, then the Admin will be brought into the main control panel. 

Status Dashboard

The status dashboard is the initial page that loads once the admin logs into their Gateway server. The status page provides a quick overview of the network status and constant monitoring of each client device and WAN connection connected to the server.
The tables on the left show the totals and health summary of each device on the gateway network. The WAN connection table displays all enabled WAN interfaces on each client device. From this table, the admin can quickly identify WAN connections that are struggling. The main table displays real time statistics of the server and client devices (i.e. throughput, CPU load).
 

Server Configuration

The server page is set up to provide all the configuration and network settings of the server in a single page. The admin can modify the server settings or perform server troubleshooting using this page.
The configuration tab shows the current server settings and allows the admin to update the server name and default interface. The server actions allow the admin to perform standard server actions remotely (reboot, update firmware, etc.).
The Network tab allows the admin to define the network settings for the server appliance. By default, the server is set up for DHCP. However, the admin can statically assign the IP address of the server in this section.
 

Client Configuration

The client page allows the Admin to set up new clients and configure existing clients from a central location. Each client configuration is saved as its own template and can be re-used for future clients. 
QUICK SETUP
Quick setup is designed to allow Admins to configure new client devices in seconds. With quick setup, the Admin enters the new client device name and serial number, selects an existing client configuration, sets the client device username/password, selects the client's primary/secondary Gateway server, and then clicks apply. The Gateway server will then add that client device to its network and push the configuration to the client device.
 
The client device automatically updates its settings as soon as it receives an Internet connection.
Client Name: Every client device requires a unique device name. This name will also become the device client configuration template name. 
Client Serial: The client serial number is a 16-digit number found on the physical client device. The admin can save the configuration as a configuration template without the client serial number; however, the client serial must be entered to activate a client device. 
Client Configuration: The client configuration selection allows the admin to copy other client configuration templates on the new device. A new configuration sets the device with the default settings.
Local Login: Each client device also has a local UI which is primarily available for local troubleshooting. The local login section allows the admin to set the username/password for the local UI.
Primary/Secondary Gateway Server: The Gateway server acts as both a controller and WAN aggregator. The admin must select at least a primary gateway server for each client device.
NETWORK
Network settings of the client device can be modified in the network settings. These settings control how the device will connect and route traffic both locally and externally.
LAN Configuration: By default the client device automatically creates its own private LAN. The admin can modify the LAN subnet and device IP address by switching to manual mode and entering the desired LAN settings.
DHCP Server: Client devices are capable of running their own DHCP server to provide downstream clients with IP addresses. If manual is selected, then the admin should ensure that the leased IP addresses are within the LAN subnet and that the IPs do not overlap with the client device IP address. 
Secure Multi-Site: Clients using the same gateway server automatically create secure AES-256 tunnels to allow for private communications with remote networks. Multi-Site must be enabled for this feature to work. The Multi-Site ID can be modified to accommodate all types of IP subnet structures.  
Traffic Routing: Gateway clients support two different types of traffic routing. Aggregate routing virtualizes all WAN connections into a single WAN and the traffic exits the Gateway aggregation server into the local Internet. Standard routing has traffic exit through the local ISP's network. 
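The two constraints in the DHCP Server setting above (leases inside the LAN subnet, no overlap with the client device's own address) can be checked before the values are entered in the UI. The following is an added example, not Thunder code; the function name, the sample addresses and the extra network/broadcast check are assumptions made for illustration.

```python
import ipaddress

def check_dhcp_pool(lan_cidr, device_ip, lease_start, lease_end):
    """Return a list of problems; an empty list means the pool is consistent."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    device = ipaddress.ip_address(device_ip)
    start = ipaddress.ip_address(lease_start)
    end = ipaddress.ip_address(lease_end)
    problems = []

    if start > end:
        problems.append(f"lease range is reversed: {start} is above {end}")
    # Constraint from the page: leased addresses must be inside the LAN subnet.
    for label, addr in (("lease start", start), ("lease end", end)):
        if addr not in lan:
            problems.append(f"{label} {addr} is outside LAN subnet {lan}")
    if device not in lan:
        problems.append(f"device address {device} is outside LAN subnet {lan}")
    # Constraint from the page: the pool must not overlap the device address.
    if start <= device <= end:
        problems.append(f"device address {device} falls inside the lease range")
    # Added check (assumption, not stated on the page): the subnet's network
    # and broadcast addresses should not be handed out as leases.
    for name, addr in (("network", lan.network_address),
                       ("broadcast", lan.broadcast_address)):
        if start <= addr <= end:
            problems.append(f"lease range includes the {name} address {addr}")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    samples = [
        ("192.168.10.0/24", "192.168.10.1", "192.168.10.100", "192.168.10.200"),
        ("192.168.10.0/24", "192.168.10.1", "192.168.10.1", "192.168.10.50"),
        ("192.168.10.0/24", "192.168.10.1", "192.168.10.200", "192.168.11.20"),
    ]
    for sample in samples:
        print(sample, "->", check_dhcp_pool(*sample) or "OK")
```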
INTERFACES
The interface section allows for granular control of each interface on the client device. Clients may have both wired and wireless interfaces. Both interface types can be modified in this section by clicking on the triangle in the left hand column.
Interface State: The admin can enable or disable specific interfaces. Once disabled, the interface will not pass any traffic even if a physical connection is made.
Connection Type: Each interface can be set as either an Internet connection (WAN) or a Local connection (LAN). 
Network Mode: If DHCP is enabled, then the interface will try to get an IP address from the upstream router for WAN connections and it will provide downstream devices with a DHCP IP address for LAN connections. Static mode follows the same pattern except the network settings are defined below instead of through DHCP.
IP Address: This is the statically assigned IP address of the interface.
Subnet Mask: This is the statically assigned subnet mask for the interface.
Router/Gateway: This is the statically assigned gateway for the interface. 
Advertise Routes: Each interface can advertise routes independently. Once added, traffic from advertised routes will automatically point to its interface.
 
SD-WAN
The SD-WAN section enables the admin to configure how multiple Internet (WAN) connections should operate. Each connection can be configured for a unique purpose depending on the network requirements. SD-WAN rules are configured by first selecting the SD-WAN action, then selecting which traffic the action should apply to, and finally selecting which WAN interfaces should have the rule applied. SD-WAN rules listed at the top of the table will have the highest priority. 
SD-WAN Action: Clients support four SD-WAN actions (failover, load balance, aggregate, and local exit).
Traffic Type: The admin can elect to apply rules only for specific types of traffic. Thunder supports granular application by category, domain, or traffic type.
WAN Interface: The WAN Interface drop down lists all the interfaces that could be selected for a given SD-WAN rule.
 
CYBER SECURITY
The Cyber Security section is designed to ensure each client device is protected against internal and external threats including ransomware, malware, trojans, worms, spyware, and viruses. Cyber security definitions are updated every 5 minutes to ensure each device is protected against the newest threats.
Anomaly Detection: An on-agent service runs in the background and identifies network anomalies. New anomalies are reported back to the admin to investigate.
Download Verification: Files are scanned prior to being downloaded.
Web Protect: This is a domain-based security feature designed to protect devices from navigating to malicious domains. 
Advanced Firewall: IP-based security definitions that auto-update to protect devices from known IP threats.
 
FIREWALL & NAT
The Firewall & NAT section allows the admin to enter custom IP rules for each client device. These rules can be applied both for the internal and the external network.
Priority: This sets the rule's priority level. The client device applies firewall/NAT rules based on priority.
Rule Name: The admin must set a custom rule name for each rule.
Network Type: This allows the admin to set up rules for specific network types. The network options are WAN traffic, LAN, Load Balance, Private Tunnels, Aggregate, and Failover. 
Direction: The admin can select the rule to apply for a specific traffic direction (i.e. inbound/outbound).
Protocol: Apply the rule only to specific protocols (i.e. TCP, UDP).
Action: Select the rule action (i.e. accept, drop, sourceNAT, desNAT).
Source + Destination IP Address: The admin can specify the IP address/range for the new rule. The acceptable formats are single IP address (11.11.11.11), IP with Port (11.11.11.11:11), IP Range (11.11.11.11/29), IP Range with Port Range (11.11.11.11/29:10-1000), or any combination.
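A small parser for the address formats listed above helps an admin see exactly which addresses and ports a rule value covers before it is applied. This is an added example, not Thunder code: the names `RuleAddress`, `parse_rule_address` and `matches` are hypothetical, and it assumes standard CIDR semantics, IPv4 only, and ports in the range 1-65535.

```python
import ipaddress
import re
from typing import NamedTuple, Optional, Tuple

# IP, optional /prefix, optional :port or :low-high (the formats listed above).
_ADDR = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:/(?P<prefix>\d{1,2}))?"
    r"(?::(?P<lo>\d{1,5})(?:-(?P<hi>\d{1,5}))?)?$"
)

class RuleAddress(NamedTuple):
    network: ipaddress.IPv4Network     # a single IP is held as a /32
    ports: Optional[Tuple[int, int]]   # inclusive (low, high); None = no port given

def parse_rule_address(text: str) -> RuleAddress:
    """Parse one source/destination value; raise ValueError if malformed."""
    m = _ADDR.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognized address format: {text!r}")
    # strict=False because the documented example 11.11.11.11/29 has host bits
    # set; under CIDR rules it normalizes to the enclosing block 11.11.11.8/29.
    network = ipaddress.IPv4Network(f"{m['ip']}/{m['prefix'] or 32}", strict=False)
    ports = None
    if m["lo"] is not None:
        lo = int(m["lo"])
        hi = int(m["hi"]) if m["hi"] is not None else lo
        if not 1 <= lo <= hi <= 65535:  # assumed valid port range
            raise ValueError(f"bad port or port range in {text!r}")
        ports = (lo, hi)
    return RuleAddress(network, ports)

def matches(rule: RuleAddress, ip: str, port: Optional[int] = None) -> bool:
    """True if ip (and port, when the rule names ports) falls inside the rule."""
    if ipaddress.IPv4Address(ip) not in rule.network:
        return False
    if rule.ports is None:
        return True
    return port is not None and rule.ports[0] <= port <= rule.ports[1]

if __name__ == "__main__":
    # The four example values given in the documentation above.
    for value in ("11.11.11.11", "11.11.11.11:11",
                  "11.11.11.11/29", "11.11.11.11/29:10-1000"):
        rule = parse_rule_address(value)
        print(f"{value:24} -> {rule.network} "
              f"({rule.network.num_addresses} addresses), ports {rule.ports}")
```

Under these assumptions `11.11.11.11/29` covers the eight addresses 11.11.11.8 through 11.11.11.15, which is worth confirming before using a range in an accept rule.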
CONTENT FILTER
The content filter is designed to enable customized experiences for each client device. The admin can filter content based on category, domain, IP, or web reputation. Thunder has over 20M domains that have been categorized into 80+ categories.
 

Account Settings

 
Thunder Gateway allows for multiple user accounts to be set up on each server. Each user account has admin privileges and can modify the server configuration.
New admin users must be added to each individual server manually. Instructions for adding a new admin user can be found below.
  • Have the new admin create a User Account on the server
    • Open a web browser and enter https://SERVER_IP_ADDRESS:8001
    • Have the new admin click "Create Account"
    • The new admin must complete the new user account form and click "Submit"
    • Once submitted, the new admin must verify the account through their email address by clicking "Verify"
      • If the email does not arrive, have the new admin check their spam folder as the email may be mistaken as spam​
  • Have the existing admin log into the server and add the new admin's email address.
    • Open a web browser and enter https://SERVER_IP_ADDRESS:8001
    • Have the existing admin log into the server and then navigate to the account page in the UI.
    • Add the email address that is associated with the new admin's user account.
    • Click "apply" 
    • Have the existing admin log out and allow the new admin to log into the server.