Asentria SiteBoss 530 User Manual
VPNs
This section of the Features chapter is a discussion of Virtual Private Networks relating to how the S530
communicates with SitePath, Asentria’s secure, unified administration portal software. For a full description of how
SitePath is configured and administered, please refer to the SitePath User Manual and other user documentation that
comes with SitePath.
A Virtual Private Network (VPN) is a network that is tunneled (the virtual part), typically across a public network, and
secured (the private part), typically with IPsec or SSL.
VPN on-demand (VOD)
VPN on-demand (VOD) is a feature where the VPN between a deployed unit and SitePath is not always up. Instead it
is brought up in response to:
• a command to bring it up sent by SitePath
• a purpose to bring it up generated by the unit, after that purpose has been authorized by the SitePath Message Processor (SMP).
It is brought down in response to USC Proxy (USCP) authorizing a request made by the unit to bring down its VPN.
SitePath examines conditions and determines yes/no decisions for authorizing a VPN to come up and go down.
The VPN architecture in SitePath version 1.00.xxx is one where all deployed units always have a VPN up to SitePath.
Remote access, alarm management, and configuration management were handled transparently with the assumption
that there is always a secure tunnel between SitePath and every deployed unit.
The VPN architecture in SitePath versions >= 1.01.000 is one where deployed units can be commissioned to either
always have a VPN up to SitePath, or only have a VPN up when needed. To make more conservative use of
resources, it is recommended that units be commissioned so that VPNs are brought up only when needed,
that is, with VOD enabled (this is done by enabling it in the unit web UI upon commissioning). Because units are
typically deployed behind firewalls at customer sites, the unit must initiate any kind of network traffic -- SitePath cannot
ordinarily initiate a VPN to a unit deployed behind a firewall. For this reason a lightweight UDP network channel is
implemented called the Unit SitePath Channel (USC). When the VPN is not up, the USC is used to control when the
VPN must be raised. When the VPN is up, the USC (which then operates over the VPN) is used to control what the
VPN can be used for and when the VPN can go down.
If SitePath needs to do remote access or configuration management of a deployed unit, it commands the unit to raise
the VPN via the USC. When the unit needs to send any traffic to SitePath (alarm traffic, email, etc.), it uses the USC to
raise the VPN. When the VPN is no longer needed (no remote access or configuration management, and no traffic to
send to SitePath from the unit), the VPN is taken down. The USC is always running between the unit and SitePath
and the unit can only initiate the USC (because the unit is typically behind a firewall). Without the USC, the VPN
cannot be raised, and without the VPN, you cannot do remote access, alarming, email, FTP push, and SNMP
notifications via SitePath.
The USC itself is selectively secure. That is, traffic is encrypted and authenticated (with 256-bit Blowfish and
HMAC-SHA1) only when it needs to be secured, and is sent in the clear when it does not. Currently the only USC
traffic transmitted in the clear is the serial number of the unit. This data is carried in the keepalive frames that keep
the channel between SitePath and the unit open through routers and firewalls. Because those frames are not
encrypted, the serial number is visible to anyone able to observe traffic on the path between the unit and SitePath.
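The exchange described above, as a constructed model rather than Asentria's own code or wire format: a unit behind a firewall sends cleartext keepalives carrying only its serial number, asks SitePath over the USC to raise the VPN for a purpose (authorized by the SMP), receives a raise command when an operator starts remote access, and is only allowed to take the VPN down once nothing else needs the tunnel (the USCP decision). The frame layout, field names, purpose list and authorization rules are assumptions for illustration. Only the HMAC-SHA1 authentication is modelled; the 256-bit Blowfish encryption the manual describes is omitted because the Python standard library has no Blowfish implementation.

```python
"""Toy model of VPN on-demand (VOD) signalling over the Unit SitePath Channel (USC).

Constructed illustration: frame layout, field names and authorization rules are
assumptions, not Asentria's wire format or SitePath's real SMP/USCP logic.
Only HMAC-SHA1 is modelled; the manual's 256-bit Blowfish encryption is omitted.
"""
import hashlib
import hmac
import json

KEEPALIVE = "keepalive"            # sent in the clear; carries only the serial number
VPN_UP_REQ = "vpn_up_request"      # unit -> SitePath, states the purpose (alarm, email, ...)
VPN_UP_CMD = "vpn_up_command"      # SitePath -> unit (SMP authorized it, or SitePath needs access)
VPN_DOWN_REQ = "vpn_down_request"  # unit -> SitePath when its own purpose is finished
VPN_DOWN_OK = "vpn_down_authorized"
VPN_DOWN_DENIED = "vpn_down_denied"

# Purposes the (assumed) SitePath Message Processor is willing to authorize.
AUTHORIZED_PURPOSES = {"alarm", "email", "ftp_push", "snmp_notification"}


def build_frame(ftype, body, key):
    """Keepalives go out unauthenticated; every other frame carries an HMAC-SHA1 tag."""
    payload = json.dumps({"type": ftype, **body}, sort_keys=True).encode()
    if ftype == KEEPALIVE:
        return payload
    mac = hmac.new(key, payload, hashlib.sha1).hexdigest().encode()
    return payload + b"\n" + mac   # json.dumps never emits a raw newline, so it is a safe separator


def parse_frame(raw, key):
    """Decode a frame. Raises ValueError on a bad MAC, or on a secured frame type that
    arrives without a MAC (a forged command must not ride on the cleartext keepalive path)."""
    payload, sep, mac = raw.rpartition(b"\n")
    if not sep:                                   # no MAC: only a keepalive is acceptable
        frame = json.loads(raw)
        if frame.get("type") != KEEPALIVE:
            raise ValueError("secured frame type without MAC")
        return frame
    expected = hmac.new(key, payload, hashlib.sha1).hexdigest().encode()
    if not hmac.compare_digest(mac, expected):    # constant-time comparison
        raise ValueError("bad HMAC-SHA1")
    return json.loads(payload)


class SitePath:
    """Per-unit VPN state plus the yes/no decisions for bringing the VPN up and down."""
    def __init__(self, key):
        self.key, self.units = key, {}

    def _state(self, serial):
        return self.units.setdefault(serial, {"vpn_up": False, "purposes": set()})

    def receive(self, raw):
        frame = parse_frame(raw, self.key)
        serial, st = frame["serial"], self._state(frame["serial"])
        if frame["type"] == KEEPALIVE:
            return None                           # only keeps the firewall/NAT pinhole open
        if frame["type"] == VPN_UP_REQ:           # SMP decision
            if frame["purpose"] not in AUTHORIZED_PURPOSES:
                return None                       # not authorized: VPN stays down
            st["purposes"].add(frame["purpose"])
            st["vpn_up"] = True
            return build_frame(VPN_UP_CMD, {"serial": serial}, self.key)
        if frame["type"] == VPN_DOWN_REQ:         # USCP decision
            st["purposes"].discard(frame["purpose"])
            if st["purposes"]:                    # remote access / config mgmt still active
                return build_frame(VPN_DOWN_DENIED, {"serial": serial}, self.key)
            st["vpn_up"] = False
            return build_frame(VPN_DOWN_OK, {"serial": serial}, self.key)
        raise ValueError("unexpected frame type")

    def start_session(self, serial, kind):
        """Operator starts remote access or configuration management: command the VPN up."""
        st = self._state(serial)
        st["purposes"].add(kind)
        st["vpn_up"] = True
        return build_frame(VPN_UP_CMD, {"serial": serial}, self.key)

    def end_session(self, serial, kind):
        self._state(serial)["purposes"].discard(kind)


class Unit:
    def __init__(self, serial, key):
        self.serial, self.key, self.vpn_up = serial, key, False

    def keepalive(self):
        return build_frame(KEEPALIVE, {"serial": self.serial}, self.key)

    def request_up(self, purpose):
        return build_frame(VPN_UP_REQ, {"serial": self.serial, "purpose": purpose}, self.key)

    def request_down(self, purpose):
        return build_frame(VPN_DOWN_REQ, {"serial": self.serial, "purpose": purpose}, self.key)

    def receive(self, raw):
        frame = parse_frame(raw, self.key)
        if frame["type"] == VPN_UP_CMD:
            self.vpn_up = True
        elif frame["type"] == VPN_DOWN_OK:
            self.vpn_up = False
        return frame["type"]


def run_scenario(key=b"constructed-shared-key"):
    """Returns the VPN state seen by the unit after each step of a typical VOD exchange."""
    sp, unit = SitePath(key), Unit("S530-CONSTRUCTED-0001", key)   # constructed serial
    sp.receive(unit.keepalive())                                   # cleartext keepalive
    steps = [
        lambda: unit.receive(sp.receive(unit.request_up("alarm"))),            # SMP authorizes: up
        lambda: unit.receive(sp.start_session(unit.serial, "remote_access")),  # SitePath commands up
        lambda: unit.receive(sp.receive(unit.request_down("alarm"))),          # USCP denies: access active
        lambda: sp.end_session(unit.serial, "remote_access"),
        lambda: unit.receive(sp.receive(unit.request_down("alarm"))),          # USCP authorizes: down
    ]
    trace = []
    for step in steps:
        step()
        trace.append(unit.vpn_up)
    return trace
```

The two checks in `parse_frame` are the ones that matter for a selectively secured channel: a frame without a tag is accepted only if it is the one type the design allows in the clear, and the tag is compared in constant time before any field of a secured frame is acted on.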
Configuration
To use VPN on-demand, configure net.vpn.ondemand.enable=on on the unit. This setting is on by default in unit
version >= 2.04.040 and off by default in previous versions. No SitePath configuration is necessary.
Usage
In addition to the two areas where the user notices the impact of VPN on-demand –
.