background image

Using Device tabs to configure the security gateway

Issue 4 May 2005

69

To set the amount of time delay to switch from a secondary interface to the primary interface 
once the primary link has been detected, configure the Hold Down Timer. This delay provides 
the necessary time for the primary interface to stabilize. The Hold Down Timer applies to 
failover conditions occurring due to a link-level failure on the public primary interface only.

The Hold Down Time value is expressed in seconds. The value range is 0 to 3600 seconds. The 
default value is 60 seconds.

Note:

Note:

There is a scenario in which the switchover from the public backup interface to 
the public interface will occur before the hold down timer has expired. If the idle 
timer is set to a value less than that of the hold down timer, and the public primary 
interface link becomes available while at roughly the same time traffic ceases to 
flow through the public backup interface, the switchover will occur when the idle 
time expires rather than when the hold down timer expires.

Private. - The private network interface usually provides connection to your private local area 
network (LAN) or your corporate LAN. The private network interface can be configured with 
Static, DHCP Server or DHCP Relay.

Semi-private. - The semi-private network interface provides connection to a network whose 
equipment can be made physically secure, but whose medium is vulnerable to attack, such as a 
wireless network used within a corporation’s private network infrastructure). Traffic on the 
semi-private interface is usually encrypted. Only one semi-private zone can be configured on 
the security gateway. 

DMZ. - The demilitarized zone (DMZ) network interface is usually used to provide Internet 
users with access to some corporate services without compromising the private network where 
sensitive information is stored. A DMZ network contains resources such as Web servers, FTP 
servers, and SMTP (e-mail) servers. Because DMZ networks are vulnerable to attack (that is 
denial of service), corporations usually add additional security devices such as intrusion 
detection systems, virus scanners, and so on. Only one DMZ zone can be configured on the 
device.

Management. - The management interface connection can be configured to simplify network 
deployments, to eliminate enterprise network dependencies on switches or routers. The 
management network interface is usually used as an access point for a dedicated VPNmanager 
management station or as a dedicated interface for dumping log messages to a syslog server.

Summary of Contents for 3.7

Page 1: ...VPNmanager Configuration Guide Release 3 7 670 100 600 Issue 4 May 2005...

Page 2: ...mful tampering data loss or alteration regardless of motive or intent Be aware that there may be a risk of unauthorized intrusions associated with your system and or its networked equipment Also reali...

Page 3: ...ding the Electromagnetic Compatibility Directive 89 336 EEC and Low Voltage Directive 73 23 EEC This equipment has been certified to meet CTR3 Basic Rate Interface BRI and CTR4 Primary Rate Interface...

Page 4: ......

Page 5: ...rt 19 Chapter 1 Overview of implementation 21 Components of the Avaya security solution 21 Security gateways 21 VPNremote Client software 22 VPNmanager software 22 Overview of the VPN management hiera...

Page 6: ...ools menu 40 Help menu 40 Toolbar 40 VPN view pane 42 Network Diagram View 42 Tiled View 43 Tree View 43 Alarm monitoring pane 44 Configuration Console window 44 Configuration Console Menu bar 45 File...

Page 7: ...Protocol Over Ethernet PPPoE Client 71 Local DHCP Server 71 DHCP Relay 73 Static 73 Changing network interfaces 73 Private port tab 76 Adding an IP Device Configuration 77 DHCP Relay 78 None 79 Device...

Page 8: ...N configuration files on remote user s computer 108 Disable split tunneling 108 Dyna Policy Defaults Global tab 108 Dyna Policy Authentication tab 109 Local authentication 110 RADIUS authentication 11...

Page 9: ...g a message 122 Enforce brand name 123 RADIUS ACE Services 124 Enable RADIUS ACE 124 Settings 125 RADIUS concepts 125 The RADIUS protocol 126 Add RADIUS ACE server 126 Authenticating secret password 1...

Page 10: ...IP VPN 150 Configuring an IKE VPN 152 Enabling CRL checking 156 Exporting a VPN object to an extranet 158 VPN Object export checklist 159 Export procedure 160 Importing a VPN object from an extranet 1...

Page 11: ...cy 187 From Where 188 To Where 189 The Filtering Policy in progress 189 Locating this filtering policy 189 The filtering policy in progress 189 Running the packet filtering policy wizard 189 Running t...

Page 12: ...tes 215 Managing the resilient tunnel list 216 Stopping and starting resilient tunnel services 217 Primary end point service 217 Secondary end point service 217 Failover TEP 218 Configuring failover T...

Page 13: ...ding Admin Users for SNMPv3 247 VPN active sessions 247 Syslog Services 248 Add Syslog Policy 249 Using Monitor 250 Enterprise MIB 250 Monitoring wizard 250 Define Custom 267 Monitoring wizard Present...

Page 14: ...yption Strength 291 Remote Access VSU 100 Only 291 Appendix A Using SSL with Directory Server 293 When to Configure your VPNmanager for SSL 293 Installing the issuer s certificate in the policy server...

Page 15: ...rivate Networks Each one listed below has been designed to meet the needs and requirements of either a small medium or large network VPNmanager Service Provider VPNmanager Enterprise VPNmanager Overvi...

Page 16: ...k with one another into private wide area extranets Companies can quickly link and unlink to their suppliers customers consultants and other business associates with flexibility and speed unmatched by...

Page 17: ...PNmanager graphical user interface GUI Related Documentation Be sure to read the VPNos Configuration Guide It contains important information on the proper procedure for setting up your VSUs which is a...

Page 18: ...the individual VPN remote users reside Chapter 7 Configuring VPN objects explains VPN Objects as the method for linking VSUs remote terminals and LAN terminals in a fully configured VPN Chapter 8 Esta...

Page 19: ...s available to support contract holders of Avaya VPN products Domestic support Toll free telephone support 866 462 8292 24x7 Email vpnsupport avaya com Web http www support avaya com International Sup...

Page 20: ...Preface 20 Avaya VPNmanager Configuration Guide Release 3 7...

Page 21: ...ya security solution consists of the following Avaya VPNmanager Avaya SG security gateways and VPN Service Units VSU Note Note Beginning with VPNmanager 3 4 this configuration guide uses security gate...

Page 22: ...Console and the policy server The VPNmanager console is a client that is used for configuring managing and monitoring one or more VPNs The console is a Java application that can be run anywhere and is...

Page 23: ...wall management The VPNmanager software is built on a policy based architecture that allows the administrator to start at a high level with a VPN domain then move down the hierarchy to create user gro...

Page 24: ...at information you should know before you begin The following are functions or tasks that need to be addressed How the security gateway will be configured for your network Which remote users will be c...

Page 25: ...ot considered part of the internal private network Servers in the DMZ typically have publicly routable IP addresses or should use advanced NAT within the security gateway Management zone Management zo...

Page 26: ...l way to limit VPN traffic to specifically designated users Remote users and user groups VPNremote Client users who log in to the VPN through the security gateway must have their user authentication c...

Page 27: ...apply these templates at the domain level for all security gateways for a specific gateway or for a defined group The integrated SMLI Stateful Multi Layer Inspection Firewall supports firewall rules...

Page 28: ...width WinNuke Attack This attack attempts to completely disable networking on computers that are running Windows 95 or Windows NT This attack can be swift and crippling because it uses common Microsof...

Page 29: ...address mapping is performed on a security gateway that is located between the private network and the public network You can set up three types of NAT mapping on the security gateway Static NAT With...

Page 30: ...that can be recognized by an ACD so that user access is not blocked SSL for Directory Server As an added benefit all communications with the directory server can be secured by SSL Secure Sockets Layer...

Page 31: ...configure your VPN Issue 4 May 2005 31 11 Configure firewall rules 12 Associate firewall rules with the correct gateway and security zone 13 Configure other features such as QoS VoIP gateway DHCP NAT...

Page 32: ...Overview of implementation 32 Avaya VPNmanager Configuration Guide Release 3 7...

Page 33: ...previous releases of VPNmanager the super user administrator was supported Beginning with VPNmanager 3 5 the super user administrator function has been expanded and in now included in the role based...

Page 34: ...ate or upgrade devices modify or import configuration reboot or reset devices import or apply licenses or change other administrator s passwords To add an administrator The Admin object is used to cha...

Page 35: ...not displayed 2 Type the password that was configured when the VPNmanager software was installed 3 The IP address or name of the policy server is listed in the Policy Servers list Select the Policy Se...

Page 36: ...a context and then click Connect on the first logon dialog At this point the main console display screen appears and the selected VPN appears in the View VPN window Navigating the main window The VPNm...

Page 37: ...select to create New a dialog to create a new domain name is displayed This name is the unique name assigned to an overall virtual private network A VPN domain is a collection of VPN devices that comp...

Page 38: ...ured Logoff Logoff closes the current directory server without exiting VPNmanager The Login screen appears immediately after you log off Exit Exit closes the VPNmanager console Figure 4 File Menu New...

Page 39: ...oring Screen to open the Monitoring wizard for the domain that is opened or you can click the Monitor icon on the toolbar The Monitor wizard assists you in selecting the various VPN objects you wish t...

Page 40: ...Report Wizard on page 270 Tools menu From Tools you can access the following commands Update Devices Update Devices is used to update the security gateway configuration with the configuration currentl...

Page 41: ...eleted from the network diagram view in the monitor pane and then click Delete Report The Report button is a shortcut to the View Report Wizard command that guides you through the steps to create a re...

Page 42: ...View selection bar contains two elements a list from which the desired VPN is selected and two radio buttons to select the view styles Diagram or Tree Note Note If more than five security gateways ar...

Page 43: ...om the diagram view to the tiled view Figure 7 VPNmanager Tiled View Tree View An alternative presentation style to the diagram and tiled views the tree view mimics the Windows style vertical director...

Page 44: ...pe Alarm information is presented in a vertically scrolling list A rotating red beacon appears at the top of this screen when a critical alarm is received See Monitoring alarms on page 268 Configurati...

Page 45: ...object on page 38 Save Changes This command saves any changes made through the Configuration Console Discard changes This command clears any changes you have made and reverts the configuration to the...

Page 46: ...hen imported by other VPNmanager installations See the Importing and exporting VPN configurations to a device on page 284 Export VPN Export VPN can be used to export the VPN configuration which in tur...

Page 47: ...ecific information about the selected object Details are organized into categories presented as tabs across the top of the screen Update Devices Located in the upper right hand corner of the VPNmanage...

Page 48: ...Console password type in that password If the security gateway did not have an existing security gateway Console password type in password Click OK 6 The Update Devices dialog will tell you when the...

Page 49: ...pt upon attempting to move to another object Dyna Policy Defaults User The Dyna Policy Defaults User tab is used to define how the Dyna Policy configuration data VPN session parameters are handled on...

Page 50: ...of how user authentication and Client Configuration Download CCD are performed Choices are Local security gateway based RADIUS or LDAP Whichever method selected is global across the entire VPN Selecti...

Page 51: ...liar with the LDAP directory structure may prefer having this field displayed Figure 13 Preferences Advanced Tab Remote Client The Remote Client tab is used to establish a path tunnel to a secure DNS...

Page 52: ...teways in all domains are scanned and a map file is created to cross reference the security gateway IP addresses to their respective security gateway names Default is enabled Alarm When Device is Unre...

Page 53: ...Preferences Issue 4 May 2005 53 Figure 16 Tunnel End Point Policy...

Page 54: ...Using VPNmanager 54 Avaya VPNmanager Configuration Guide Release 3 7...

Page 55: ...o other domains creating interconnected domains When you log in to the VPNmanager Console the first time you must create a domain You create a domain name and select firewall rules to be applied to th...

Page 56: ...ur new VPN domain appears in the title bar of the VPNmanager Console main window The domain is open and ready to be configured Select Level of security High The high security template enforces very st...

Page 57: ...ity gateways See Using SNMP to monitor the device on page 245 Whether the security gateway dynamically builds a routing table using RIP updates See Routing on page 81 Static routes if more than one ro...

Page 58: ...the device and retrieve the device details Select the device from the drop down menu in the Network Configuration screen 6 If the Public Interface Uses a Dynamic User VPN IP Address checkbox is select...

Page 59: ...VPNmanager displays the tabs you can use to make changes to the security gateway configuration This section describes the features to configure a basic device See Establishing security and Using adva...

Page 60: ...s VPNmanager uses to communicate with the security gateway All other information that is displayed is view only General X High Availability X Interfaces X Memo X Network Objects X Policies X Private p...

Page 61: ...the head end device to download the VPN policies through CCD The VPNmanager cannot manage the device in the User VPN mode IP Address DNS Name VPNmanager uses the address to communicate with the securi...

Page 62: ...ng NOS from one of two possible flash chips FIPS Mode Federal Information Processing Standards FIPS mode indicates if the security gateway is running in the normal or FIPS Level 2 mode It is recommend...

Page 63: ...r The security gateway server maintains a DNS database on all DHCP clients on the private interface Non DHCP clients have no DNS identity Note Note The security gateway performs DNS relay functionalit...

Page 64: ...terface IP address as the DNS server in the DHCP response In this way all of the DNS queries are automatically forwarded to the security gateway To add a DNS Relay To set up DNS Relay Configuration an...

Page 65: ...rver address Use Add to enter the initial or backup DNS server s Enter the IP address of the DNS server in the Resolve DNS name with this address field so that the targeted security gateway can regist...

Page 66: ...ress 5 Click Save to save the change 6 When you want to send the configuration to one or more VSUs click Update Devices Interfaces tab For security gateways with VPNos 4 31 or later the Interface tab...

Page 67: ...es that can be configured depends on the security gateway model Table 6 Ethernet0 and Ethernet1 are present in all models and are assigned to the public and the private zones The media interfaces that...

Page 68: ...and then redirects all encrypted traffic to this link Only one public backup zone can be configured on the security gateway Note Note If the public zone and the public backup zone are both configured...

Page 69: ...e LAN The private network interface can be configured with Static DHCP Server or DHCP Relay Semi private The semi private network interface provides connection to a network whose equipment can be made...

Page 70: ...assigned to the public interface of the security gateway To configure static addressing complete the following information DHCP addressing Use DHCP addressing if the gateway obtains its IP address dy...

Page 71: ...r mode the protected devices are automatically provided with an IP address a default route a domain name the security gateway and WINS To configure the local DHCP server complete the following informa...

Page 72: ...port along with optional TFTP server IP address all four fields in the IP Telephony Configuration section must contain entries Option 66 The standard DHCP option for TFTP server Note Note When you ad...

Page 73: ...n the public network send DHCP offer messages that contain the IP addresses to the DCHP relay agent The agent broadcasts the DHCP offer messages to the DHCP clients If the DHCP server resides on the r...

Page 74: ...t apply to that media interface are displayed From the IP Config Mode list select the IP addressing mode Depending on your selection complete the required information If public backup is selected comp...

Page 75: ...create a fully qualified domain name FQDN You can however enter host names using the FQDN form of myhost mydomain toplevel domain in which case you should leave the IP Telephone Domain name field empt...

Page 76: ...be configured to obtain IP addresses from this DHCP server If the DHCP server is unreachable the relay can be made to fall back to the local DHCP server Figure 22 Private port tab with VPNos 4 2 or V...

Page 77: ...IP Device Configuration This dialog is used to add IP devices to the virtual DHCP server The dialog contains a group of fields for IP telephony configuration when IP telephones are connected to the s...

Page 78: ...firmware is maintained for upgrade purposes TFTP File Path Used when the file path is other than the default path DEFINITY Clan IP The IP address of the DEFINITY Clan server DEFINITY Clan Port Port nu...

Page 79: ...in The Fallback to Local DHCP Server option allows the DHCP server to revert or fallback to the Local DHCP Server if the DHCP Relay is not functioning Note Note In order for the security gateway to su...

Page 80: ...op down menu Port Enter the number of the port to use The default is 1443 Authentication Select the authentication type to use either Standard CHAP or Rechallenge PAP 4 Click Save to complete the conf...

Page 81: ...sts on a network to which the security gateway must forward either VPN or non VPN traffic The Routing tab shows the VPN traffic default routes including the IP address of the hop and the IP address of...

Page 82: ...is selected or checked To disable the automatic forwarding of packets the Enable VPN Traffic Auto Forwarding box should be un checked When the VPN traffic auto forwarding is disabled the SG will dive...

Page 83: ...gateway that is used for decrypted traffic only This configuration is commonly applied to a VSU in the following topology Figure 27 Common Default Gateway for VPN Traffic topology Figure 27 shows the...

Page 84: ...s routing information about remote client address pools This information tells listeners to send packets to the security gateway if the address is a mapped address The security gateway translates the...

Page 85: ...ure Static NAT Port NAT With Port NAT addresses from internal nonroutable networks are translated to one routable address in Port NAT Port numbers in the case of TCP UDP packets and sequence numbers a...

Page 86: ...works The NAT screen displays the following information for each rule Scroll to see all the information The type of rule The types are static port or redirection The zone to which the NAT rule applie...

Page 87: ...om TCP UDP port number This port number can be from 1 to 65535 5 In the Translation area complete the areas that are not grayed out Option Select from the list IP Address Type the translated to addres...

Page 88: ...a client on the private network it is dynamically mapped to the public IP address and an available port number When the client traffic is idle for a specified period of time the port number is return...

Page 89: ...ons described in the previous section NAT applications Allow access to the Internet from private networks Provide support for more hosts with fewer public addresses Hide host addresses for security re...

Page 90: ...ponding public addresses thereby allowing communication between clients and hosts to be initiated from either the private or public network Setting up VPN with overlapping private addresses Figure 29...

Page 91: ...A_Sales_Group server Before the packet is sent out of the private interface the NAT rule on the private interface changes the packet s source address from 172 16 0 17 to 10 0 89 17 Figure 29 Setting U...

Page 92: ...packets sent out the private interface of the security gateway B to one of 16 addresses assigned to the security gateway B address pool Note that the IP address 0 0 0 0 0 matches any packet entering o...

Page 93: ...o Support Multiple Gateways Interface for VPNos 4 2 The following three interface choices are available for devices with VPNos 4 2 Public Primarily used to allow clients on a private network to access...

Page 94: ...ew NAT rule to the list Translation Type Choices are Static Dynamic and Port Translation will be applied on Choices are public Interface private Interface and Tunnel Interface Original Network Mask Wh...

Page 95: ...ic rule that was selected from the NAT Rule list shown in the Policy Manager for NAT window 8 If you want in the Memo text box type in a comment about this rule 9 If you want to create this rule witho...

Page 96: ...NAT rule cannot be applied to the tunnel zone 5 In the Original area complete the available or active areas Option From the list select a pair of configured VPN local members IP address and subnet ma...

Page 97: ...ns an IP address and IP mask An IP Group can be configured with many of these address mask pairs The address mask pair is used to create an address space range Pairs are used for identifying a range o...

Page 98: ...t off This field is used to define where the object is located in the LDAP directory tree All VPN components must have unique names To prevent naming conflicts l Add the suffix group to the group name...

Page 99: ...cted by the selected security gateway The list contains the names of all security gateways in the VPNmanager database a choice of None and a choice of Extranet device Extranet device You can create a...

Page 100: ...lable in this pane IP Network address and Mask or IP Range For the IP Range enter the starting and ending IP addresses Table 8 Deriving the Group Mask To specify a contiguous range of this many addres...

Page 101: ...1024 n 0 n multiple of 4 e g 130 57 4 0 or 130 57 8 0 255 255 252 0 2048 n 0 n multiple of 8 e g 130 57 8 0 or 130 57 16 0 255 255 248 0 4096 n 0 n multiple of 16 e g 130 57 16 0 or 130 57 32 0 255 25...

Page 102: ...curity gateway that the group must be associated with 8 The security gateway selected should be one that is protecting the LAN containing the IP Group 9 Click Save 10 Optional Go to the Memo tab to ma...

Page 103: ...et 10 From the IKE Identifier drop down list select a method for identifying the extranet s device The device must be an IKE IPSec compatible device Select IP Address if the extranet s device identifi...

Page 104: ...o Memo can be used to record notes about the IP Group such as change history where the group is located etc Information entered here is associated only with the security gateway in focus This informat...

Page 105: ...a secure DNS server to resolve client DNS names Use Policy Manager to configure client IP address pools Radius ACE authentication and create a legal notice for users Define the type of IKE identifier...

Page 106: ...bution method is called Client Configuration Download CCD The security gateways distributes the Dyna Policy when VPNremote Client connects to the VPN An individual dyna policy is configured from the u...

Page 107: ...to create a global dyna policy Dyna Policy Defaults User Dyna Policy Defaults Global Dyna Policy Authentication Remote Client The following describes each of the tabs For the procedure to configure a...

Page 108: ...connection This is the default You must check the Disable Split Tunneling check box to turn the default off When the default is off only secure VPN traffic from the VPNremote client computer is allow...

Page 109: ...b The Preferences Dyna Policy Authentication tab is used to define how user authentication and Client Configuration Download CCD are performed Choices are Local security gateway based RADIUS or LDAP W...

Page 110: ...y LDAP authentication Note Note This feature is only available for VPNos 3 x when iPlanet Directory Server is supported LDAP authentication uses the designated directory server database for user authe...

Page 111: ...s VPNremote Clients to use host names in place of IP addresses when accessing corporate network resources without exposing corporate DNS servers and name resolution databases to the public Thus a VPNr...

Page 112: ...e VPN services of the DNS server VPN will be applied to any DNS requests made by the Client to the subdomains defined within the Client DNS Resolution Redirection Client DNS resolution redirection Ena...

Page 113: ...mote client is disconnected This is the most secure method Select Secure Dyna Policy with a user defined key password to have the VPN session parameters reside on the user s hard disk and be activated...

Page 114: ...nt idle time out period Check Enable Redirection Support if remote clients use private domain names such as accounting avaya com for navigating their VPN Then enter the Domain and Protected DNS server...

Page 115: ...New User dialog is displayed 2 In the Name text box type the name of a remote user Any character except a comma can be used Note Note If you plan on using RADIUS as an authentication method this name...

Page 116: ...This displays a list of the User Groups to which the user belongs Memo tab Memo can be used to record notes about the user such as change history specific computer type etc Information entered here i...

Page 117: ...onfigured this button is disabled Rekey User VPNs Clicking the Rekey button causes the preshared secret to be rekeyed for this users VPNs Reset User Directory Password The user s password is reset Not...

Page 118: ...ue with step 6 1 From the Configuration Console window click Users to list all User Objects in the Contents column 2 From the Contents column select the User Object that needs to be configured 3 From...

Page 119: ...nnot browse the Internet while they are connected to the VPN 6 If Local Authentication is used for authentication method in the Authentication Password text box type in the a password for this VPNremo...

Page 120: ...deliver the following pairs to the respective users NAME The name created in Step 2 PASSWORD The password created in Step 2 Using Policy Manager for user configuration From the VPNmanager Policy Manag...

Page 121: ...IP address pool Add Client IP address pool From the Policy Manager properties you select Client IP Configuration to make add new client IP addresses At the top of the screen is the target security gat...

Page 122: ...ll required Client IP Address 8 Click Close to return to the Policy Manager for Client IP Address Pools window 9 The new pool is seen in the Current Client IP Address Pool list 10 Optional If a client...

Page 123: ...Enforce brand name VPNmanager allows administrators to restrict access to remote users by specifying client brands The default is Allow any brand The Administrator can allow any brand name or can res...

Page 124: ...DIUS servers to authenticate remote users A security gateway can query up to three RADIUS servers where two of the servers is recognized as backups Figure 42 The Policy Manager for RADIUS ACE Note Not...

Page 125: ...incoming traffic as new VPN traffic and initiates a request to the RADIUS server for user authentication requirements The RADIUS server responds to the security gateway indicating authentication is r...

Page 126: ...y that someone snooping on an unsecure network could determine a user s password Flexible Authentication Mechanisms The RADIUS server can support a variety of methods to authenticate a user when given...

Page 127: ...In the IP Address text boxes type in the address of the RADIUS server Note Note An IP address must be entered domain names are not valid There must be an IP route between the security gateway and the...

Page 128: ...ered to the remote client when the remote client authenticates throughout the security gateway to the RADIUS Server The VPNmanager provides the following attributes for the remote client to choose fro...

Page 129: ...me then populate them with user objects Users can belong to more than one user group When this is the case and policy conflicts exist permit wins over deny user group settings override individual user...

Page 130: ...e names of all individual Users currently assigned to this User Group A second pane titled Available Users lists all existing VPN users The left and right arrows are used to move the highlighted users...

Page 131: ...VPN This SKIP master key is used to generate session keys used for cryptographic functions In the case of Preshared Secret IKE VPNs rekeying generates and distributes a new negotiation key to all sec...

Page 132: ...one or more users To select multiple users which are listed adjacently hold the SHIFT key To select multiple users which are not adjacently listed hold the CTRL key Click Move Left to move your select...

Page 133: ...s of VPN objects can be built SKIP based VPN IKE based VPN Both types use IP Security Protocol IPSec for encrypting and decrypting VPN traffic The main difference between the two VPN types are the met...

Page 134: ...ally rekeyed Preshared Secret mode involves the Diffie Hellman algorithm for creating a shared secret key that is used for authenticating VPN traffic Large prime numbers and modular arithmetic equatio...

Page 135: ...only Default VPN policy Default VPN applies only to the IKE VPN and is used in conjunction with RADIUS authentication Only one VPN can be the default VPN in a domain When you create a VPN you can ena...

Page 136: ...ave your work Creating a default VPN To create a default VPN within a selected domain 1 Add the security gateway s Add an IPGroup s and associate this group with this security gateway 2 Create a defau...

Page 137: ...y 2 Create a default user or default user group in the VPNmanager 3 Create a new VPN Object see Creating a new VPN object on page 136 4 Add the default user and IPGroup s to the new VPN 5 Use the Poli...

Page 138: ...t VPN type you have selected IKE or SKIP General tab with IKE If the VPN type selected is IKE the following General tab appears Figure 45 VPN General Tab IKE From the General tab you can configure the...

Page 139: ...cted from the General tab you can configure the following information Tunnel Select the tunnel mode if IP packets between members are secured by encrypting and authenticating the entire packet includi...

Page 140: ...N and the security gateway is updated all non RADIUS enabled security gateways that are affected by the removal of the remote user are updated For RADIUS enabled security gateways the remote user is n...

Page 141: ...used at the end points of a VPN tunnel The configuration procedure involves setting a lifetime for public keys and a specific Diffie Hellman Group for automatically generating keys of a specific stre...

Page 142: ...d territories Any Accepts any encryption proposal that is made by the device on the other side IKE VPNs use ESP to encrypt IP packets as defined in RFC2406 You can choose either DES CBC or 3DES CBC Do...

Page 143: ...ased and throughput lifetimes Whichever occurs first triggers the new key Note Note For time based lifetime the following are the minimum values in each category Day 1 Minutes 1 and Seconds 60 Diffie...

Page 144: ...secret Security IPSec In IKE VPNs VPN traffic flows in tunnel mode Therefore the Security IPSec tab is used for configuring the parameters used for encapsulating the original packet header and payload...

Page 145: ...enabled Yes a Diffie Hellman Group number must be selected Diffie Hellman Group Diffie Hellman Group defines mathematical parameters used during IKE negotiations Group 1 specifies use of a 768 bit mod...

Page 146: ...ct to export regulation 3DES A robust encryption algorithm AES 128 The advanced encryption standard that uses a 128 bit block to help resist large attacks Any Accepts any encryption proposal made by t...

Page 147: ...onds 60 DH Group Diffie Hellman Group Diffie Hellman groups define the cryptographic key strengths used during IPSEC negotiations The level of security increases as the DH group number increases Using...

Page 148: ...ve effort between system administrators running independent copies of VPNmanager and involves the same steps as creating any other VPN create the device then the groups and users and finally the VPN T...

Page 149: ...s associated with the VPN This negotiation key is used to provide authentication during IKE negotiations in which the actual session key is dynamically generated Manual Keyed VPNs can be rekeyed by ma...

Page 150: ...Note Note Security gateways at each end of a tunnel must use the same SKIP settings To configure a new SKIP VPN object 1 Move to the Configuration Console window 2 From the Icon toolbar click VPN to l...

Page 151: ...curity SKIP tab to bring it to the front 10 From the Encryption Algorithm list do one of the following Select Triple DES to divide VPN traffic into 64 bit blocks and encrypt each block three times wit...

Page 152: ...bjects as members of this VPN Object do the following Click the Members Users tab to bring it to the front From the Available list select specific User Objects and User Group Objects User Group Object...

Page 153: ...ecret for authenticating security gateways and members of the VPN To manually create a secret type in an alphanumeric string in the text box To automatically create a secret click Auto generate 16 Cli...

Page 154: ...ed information about Group 1 and Group 2 algorithms see section 6 2 of IETF RFC 2395 26 Use the IPSec Proposals options to create one or more proposals 27 A proposal defines which IPSec parameters all...

Page 155: ...t to the front 30 Select Apply VPN to clients only if you have created a VPN Object where User and User Group Objects can communicate with IP Group Objects but IP Group Objects cannot communicate with...

Page 156: ...as crl content txt 3 Open the crl content txt file to extract the necessary CRL information 4 To extract the necessary CRL information open the crl content txt file 5 Locate the dn header with the org...

Page 157: ...ldif file 20 In the Import Database window browse to locate the crl ldif file 21 Click Open to import the crl ldif file 22 The Import Database message box appears upon successful import 23 From the VP...

Page 158: ...Show CRL information 3 After selecting 18 from the Utilities menu a list of serial numbers appear on the screen 4 Enter Y to delete the CRL list 5 From the VPNmanager main menu click Config 6 Select D...

Page 159: ...d to DomainB VPN ObjectA is built with IP GroupA and IP GroupB IP GroupA is configured with IP address masks for terminal devices in DomainA and IP GroupB is configured with IP address masks for termi...

Page 160: ...pe text box type in your password to confirm it AdministratorB creates security gateway ObjectB and supplies the IP address of that object to AdministratorA AdministratorA creates IP Group ObjectB Cre...

Page 161: ...le Importing a VPN object from an extranet To import a VPN Object data file 1 Copy the VPN Object data file created during the Export procedure into the computer running the VPNmanager Console 2 Open...

Page 162: ...Object 1 Open the Configuration Console window 2 From the Icon toolbar click VPN to list all VPN Objects in the Contents column 3 From the Contents column select the VPN Object that needs to be rekey...

Page 163: ...n a relatively short amount of time The security gateway uses a rules based method of packet inspection where the priority of each rule is determined by its position in the list highest is top priorit...

Page 164: ...of rules you select depends on the interface zones that are configured and your general network requirements The firewall templates can be used in their default state or as the basis from which a user...

Page 165: ...e the selected source to the Source column Click Next 7 From the Available Destination s column select the destination click Move Left Click Next 8 From the Available Service column select the service...

Page 166: ...ntifies the rule By default the Status is Enabled and the Action is Permit Change these if they are not the correct settings In the Memo area type notes to describe the firewall rule optional 5 Click...

Page 167: ...atic port NAT or redirection either the source IP address or the destination IP address of packets are changed When you set up your firewall rules you need to consider the type of NAT configured as yo...

Page 168: ...ave the potential to expose a large number of ports behind the firewall to outside snooping An example of a fairly safe configuration would be that of allowing FTP clients on the private zone network...

Page 169: ...he private side of the security gateway and the FTP server is on the public side of the security gateway define the interface and direction as Public In or Private Out 2 Click Next to display the Sour...

Page 170: ...irewall templates can be used as a general rule set or as a starting point for creating a customized firewall policy or user defined template that conforms to the corporate security requirements The t...

Page 171: ...all packets of the selected traffic type 15 Click Next 16 Select the set of sources from the available source list 17 Click Next 18 Select the set of destinations from the available destination list 1...

Page 172: ...ied to TCP UDP and ICMP packets 28 Keepstate sets up a state table with each entry set up by the sending side Reply packets pass through a matching filter based on the respective state table entry A s...

Page 173: ...ration complexity by allowing network administrator s to create groups of devices that share a common firewall configuration To create a device group object 1 Move to the Configuration Console window...

Page 174: ...an invalid IP address If the system accepts this IP address the attacker appears to reside on the private side of the security gateway The attacker is actually on the public side and bypasses the fire...

Page 175: ...able or disable Voice over IP VoIP and to configure the gatekeeper properties Definition of the gatekeeper location is with respect to the internal or external firewall definition Beginning with VPNos...

Page 176: ...tekeeper is known to the Gatekeeper wanting to send call signaling messages If the receiving Gatekeeper is not being NATed by the SG the Proxy IP and Proxy Port should not be configured Using the LRQ...

Page 177: ...field select the zone which the source endpoints are connected to For example if the calling trunk endpoints are connected to the public zone select public zone for this field In the Network Objects...

Page 178: ...endpoints are located with respect to the SG e g private when the IP endpoints are on private side of the SG Source Endpoints Network Objects The IP networks that define the IP address space of the IP...

Page 179: ...identify the gatekeeper Once the name is saved the name cannot be changed 4 In the Call Model field select Gatekeeper Routed from the drop down menu 5 In the Service Port field specify the H 225 RAS p...

Page 180: ...be created with up to four classes highest high medium and low Attributes that can be assigned to these classes are percentage of bandwidth allocation type of services network objects DSCP and burst Q...

Page 181: ...for media interface Ethernet0 DSCP value 10 cannot be assigned to Highest Medium or Low for Ethernet1 It can be assigned to the High class for Ethernet 1 When DSCP value of 0 is specified during conf...

Page 182: ...recommended to use Services containing ICMP or port ranges QoS does not support port ranges When the View QoS is selected the screen displays the QoS policies that have been created and their configu...

Page 183: ...Network combination in multiple classes 5 If DSCP will not be specified as a criteria in a class leave the DSCP default value of 0 In this case it is recommended to assign unique services networks to...

Page 184: ...mapping 3 Select the Zone to be configured 4 Select the QoS policy that should be applied 5 Click OK and then click Save Packet Filtering The Packet Filtering feature is available for devices with VPN...

Page 185: ...ltering is run first followed by NAT Table 10 Traffic types that can be filtered User defined TCP Exec Netware IP TCP VPN AuthGW User defined IP Finger Netware IP UDP VPN KeepAlive User defined UDP FT...

Page 186: ...rity policy They include Permit all non VPN traffic When checked all non VPN traffic is allowed to pass through the VSU Deny all IP non VPN traffic When checked all non IP traffic is prevented from pa...

Page 187: ...n Two basic actions may be selected Permit or Deny As you would expect Permit allows all packets of the Traffic type selected to pass while Deny blocks all packets of the Traffic type selected QoS Mar...

Page 188: ...the same port Keep State essentially remembers the port and lets the replying packet enter in the same port Source Port Appears when User defined TCP or User defined UDP selections are made Select th...

Page 189: ...ly updated summary of the filter parameters currently selected When you are satisfied with your filter configuration click on the Finished button to build the filter The filter is then automatically p...

Page 190: ...ring The Policy Manager for Packet Filtering is used for starting and stopping filtering services managing the ACL and for configuring advanced filtering options Figure 60 shows Policy Manager for pac...

Page 191: ...bring it to the front 4 From the drop down list select Packet Filtering then click GO to open the Policy Manager for Packet Filtering 5 From the ACL select a specific filtering policy 6 Use Table 11 f...

Page 192: ...n Permit all non VPN traffic Select this button to permit all non VPN packets Deny all IP non VPN traffic Select this button to block all IP non VPN packets Deny all non VPN traffic Select this button...

Page 193: ...he transmission precedence of one type of packet relative to other packets The identification system involves two kinds of marks User Defined and Predefined The user defined mark is in the form of a n...

Page 194: ...kets and the direction of packet flow in and or out of the VSU is needed to create a marking rule To create a packet marking rule 1 Move to the Configuration Console window 2 From the Contents column...

Page 195: ...e specific CS mark used must be the same as the one configured in your router s these marks serve as a backward compatibility mechanism for IP Precedence Marks which predate modern QoS Marks Select a...

Page 196: ...ined by its position in the list highest is top priority The first match determines the fate of the packet permit or deny If no matching rule is found the default action is to permit the packet Figure...

Page 197: ...is rule 5 Click Next 6 Select the set of sources from the available source list 7 Click Next 8 Select the set of destinations from the available destination list 9 Click Next 10 Select the set of serv...

Page 198: ...n be applied to TCP UDP and ICMP packets 18 Keepstate sets up a state table with each entry set up by the sending side Reply packets pass through a matching filter based on the respective state table...

Page 199: ...Advanced The Device Advanced tab contains properties that are used to configure security gateway parameters for unique circumstances Note Note The properties displayed within the Device Advanced tab...

Page 200: ...h port the Primary IP address is bound to the MAC address of the public port If a private IP address is configured that address is bound to the MAC address of the private port of the VSU In this mode...

Page 201: ...de which requires that only the private port be plugged into the network and you have used the Bind one IP address to each port setting This topology requires that the Advanced Filter setting be Permi...

Page 202: ...receiving security gateway ICMP messages indicating that fragmentation is needed The source of packets needing VPN services does not fragment packets even when notified by a security gateway ICMP mes...

Page 203: ...k Update Devices NAT Traversal Configurable NAT traversal is available for VPNos 4 31 and later Note Note For VPNos 3 2 NAT Traversal is enabled by default You cannot change or disable it When a NAT d...

Page 204: ...ection after the client has been issued an authentication challenge default port 2444 A response received on this port is then forwarded to the external LDAP or RADIUS server for authentication Privat...

Page 205: ...oxes type in the second address assigned to the VSU 6 In the Private IP Mask text boxes type in a subnet mask for the address 7 Select the Use this address when directly communicating with this device...

Page 206: ...to authenticate VPNmanager via SuperUser account first If this fails the VSU then attempts to authenticate via the VPNmanager user s LDAP account A successful connection requires that the VSU s author...

Page 207: ...henticate by either your LDAPuser account or SuperUser account Tunnel Persistence This feature consists of the following radio buttons Maintain VPN tunnels on device update Rebuild all VPN tunnels on...

Page 208: ...users RUser The addition of SGD to VPN2 SGA SGC SGD and Remote User interrupts tunnel persistence in VPN2 thus breaking the remote connection Once the configuration update is complete the remote conn...

Page 209: ...P Transport mode NOT being used Failing to meet these conditions packets be subject to the non VPN traffic policy Permit or Deny selected in the VSU Packet Filtering Advanced tab A typical example of...

Page 210: ...lowing procedure only establishes it as a backup server The Directory Servers tab is shown in Figure 66 Figure 66 The Directory Servers tab Servers list presents a list of available directory servers...

Page 211: ...always used first To edit change the sequence or delete a backup server 1 Move to the Configuration Console window 2 From the Device Contents column select the security gateway that has the backup ser...

Page 212: ...245 Note Note Resilient tunnels are configurable on VSUs running VPNos 3 x Figure 67 illustrates a simple example San Francisco LAN has two gateways to the WAN The high speed route is used by the prim...

Page 213: ...number of requests exceeds the Heartbeat Retry Limit VSUA then begins to establish a connection with VSUC 5 Since VSUC uses a low speed connection VSUA must anticipate a delayed response from VSUC Th...

Page 214: ...sure the heartbeat packets are not filtered The security gateway heartbeat listening port 1643 using UDP protocol Creating a resilient tunnel Resilient tunnels are configured from the Resilient Tunnel...

Page 215: ...dpoint security gateway is able to reconnect and when the switchover actually occurs This wait time ensures that the primary security gateway is stable before switching occurs Default is 20 seconds Pr...

Page 216: ...response from the secondary end point 11 From the Properties list click on Hold Down Time so the hold down time values appears In the Hold Down Time drop down list select a unit of time In the Hold D...

Page 217: ...lect the Enable Resilient Tunnel check box to start services Clear the Enable Resilient Tunnel check box to stop services 5 Click Save to save your work 6 To send the configuration to the device click...

Page 218: ...ide the same VPN services The most desirable configuration would include the same devices however this is not required as long as each device has a license to service the number of VPNs configured on...

Page 219: ...Click Save to save the Failover TEP configuration To complete the Failover TEP configuration you must enter the Failover Remote TEP information in the Failover tab 9 To configure the Failover Remote T...

Page 220: ...s indicated Flash 0 or Flash 1 Additional information can be found in the security gateway Data portion of the security gateway General tab Reset password Reset password is used to change the console...

Page 221: ...ay is visible in the security gateway contents list The active security gateway is listed with the passive security gateway visible in the Members pane of the High Availability tab Because configurati...

Page 222: ...ng all members in the HA group The public Virtual Address is used as the tunnel end point while the private Virtual Address can be used as the default route for the network behind the security gateway...

Page 223: ...s all configured members in the HA group By default the primary member displays an active status while the secondary and remaining members display a passive status The Member table also displays the p...

Page 224: ...dd This action allows a new member to be added to the HA group The minimum configuration of a new member is the public and private IP addresses By default the primary IP address is used as the managem...

Page 225: ...e selected security gateway to be updated If the selected security gateway is a HA member the Member Update screen displays By default all members in the HA group are selected for update To update HA...

Page 226: ...such as a public DNS server When a network path fails the remote security gateway tries to establish a network path through an alternate central site If the remote security gateway cannot use that se...

Page 227: ...lure criteria are met only when both hosts 2 and 3 concurrently fail to respond five times at the 130 second mark to the connectivity checks Host 3 failed to respond five consecutive times between the...

Page 228: ...he same time to each host The default is 10 seconds 8 Click the Advanced button to configure the traceroute settings during failover Select Enable and complete the following Enable traceroute during f...

Page 229: ...tempt to connect to an alternate TEP In some network configurations alternate TEPs are considered temporary and the expected behavior is that a system reboot would revert to the original TEP However t...

Page 230: ...verged Network Analyzer Test Plug The converged network analyzer CNA test plug feature provides a distributed system tool for real time network monitoring that detects and diagnoses converged network...

Page 231: ...A test plug in the network 3 Select the CNA Test Plug Services interface The public interface provides connection to the internet usually by way of a wide area network WAN By default DHCP client is us...

Page 232: ...rk Use the Move To Top button to adjust the hive priority Click OK The first hive configured in the CNA Unit s for registration area is pushed down to devices running VPNos 4 5 Adjust the CNA hive con...

Page 233: ...o your private local area network LAN or your corporate LAN 5 In the Keep Alive Interval field enter the interval in seconds that packets will be sent to configured hosts The default is 10 seconds 6 I...

Page 234: ...host IP address d Click Save Policy Manager My Certificates If you are creating VPNs that use certificates for authentication and security use the Policy Manager for My Certificates to install signed...

Page 235: ...hing secure connections with special targets The process of getting a certificate for a specific VSU is illustrated in Figure 75 Figure 75 Installing a Signed Certificate into a VSU Explanation for Fi...

Page 236: ...6 In the File name text box type in a name for the Certificate Request then click Save 7 The VSU saves a Certificate Request into this new file then update the Maintain Certificates list with informa...

Page 237: ...ed certificate file The manager uses DER as the default filename extension but TXT can be used 16 Select the signed certificate file then click Open to return to the Policy Manager window After the VS...

Page 238: ...they are needed to authenticate a Signed Certificate This section explains how to retrieve and install Issuer Certificates for VSU targets For information about installing Issuer Certificates on VPNre...

Page 239: ...y Manager for installing Issuer Certificates in a specific VSU The VSU then uses the Issuer Certificate to authenticate certificates received from other VSUs The process is explained in Figure 78 To i...

Page 240: ...Open dialog box 6 Use the Look in drop down list for navigating to the location of the Issuer Certificate 7 Select the Issuer Certificate then click Open to return to the Policy Manager window 8 After...

Page 241: ...in Policy Manager My Certificates on page 234 it must be assigned a target A Bundle is used to define a certificate having a specific target type address description and queue position The Policy Man...

Page 242: ...be IP Address VPN FQDN Fully Qualified Domain Name email Directory Name Any target endpoint Depending on the selection made an appropriate field type appears to capture the respective information for...

Page 243: ...ified Domain Name FQDN to identify the target by its absolute name For example a target having the name xyz and a root of vpnet com has an absolute name of xyz vpnet com The DNS Server that is used is...

Page 244: ...Using advanced features 244 Avaya VPNmanager Configuration Guide Release 3 7...

Page 245: ...the trap and monitor strings and trap targets for SNMPv1 and SNMPv2c You configure the trap targets and the SNMP user for SNMPv3 Since SNMPv1 and SNMPv2c send data in the clear you can disable access...

Page 246: ...on such as HP Open View Figure 81 The SNMP Tab for a security gateway Object To add SNMP trap targets To add an SNMP Trap Target for security gateway s at version VPNos 4 2 or later do the following N...

Page 247: ...Click the SNMP tab to bring it to the front 3 From the Trap Target list select the target you want to delete 4 Click Delete to remove the target 5 Click Save Adding Admin Users for SNMPv3 Configuring...

Page 248: ...gging system error messages The messages can be automatically sent to a destination running a Syslog server Use Policy Manager to configure and enable Syslog services then move to your computer s comm...

Page 249: ...check box so the security gateway will run Syslog services 4 Click Add to open the Add Syslog Policy dialog box 5 Use the Hosts to receive log messages options to configure the address of the Syslog S...

Page 250: ...and its presentation type is displayed on your VPNmanager console screen and is dynamically updated at your specified intervals A hardcopy can be printed on demand Enterprise MIB Monitoring is accompl...

Page 251: ...he MIB II IPRouteTable displays information provided from the ipRouteTable in the MIB II Filter Stats provides detailed reporting on filtering statistics for the current security gateway Filter Rules...

Page 252: ...Sec ESP 3 SKIP Algorithm mismatch The parameters of the VPN that this packet belongs to does not match the VPN parameters in the SKIP header 4 SKIP Authentication error The authentication key in the o...

Page 253: ...of this VPN indicating what key management is being used and what encryption authentication and compression algorithms are being used For example IKE 3DES MD5 Compression Pkts In Number of packets se...

Page 254: ...single destination can appear in the table but access to such multiple entries is dependent on the table access mechanisms defined by the network management protocol in use IP RouteTable Interface Ind...

Page 255: ...terface Route Type The type of route Note that the values direct 3 and indirect 4 refer to the notion of direct and indirect routing in the IP architecture Setting this object to the value invalid 2 h...

Page 256: ...knowledge of the routing protocol by which the route was learned Route Mask Indicate the mask to be logical ANDed with the destination address before being compared to the value in the ipRouteDest fi...

Page 257: ...rmant implementation of ASN 1 and BER must be able to generate and recognize this value Table 23 FilterStats Parameters Parameter Description FilterStatsName Interface name to which the filtering stat...

Page 258: ...ound packets not allowed to pass which have been logged When a filtering rule is declared using the log option different from log action and the rule action is declared to be block a log entry is gene...

Page 259: ...was full Log records are stored in a fixed size non circular buffer When the buffer is full no new log records are written until the buffer is drained via either the security gateway console or the V...

Page 260: ...ment table entry to be allocated This value does not reflect the size of the table only the number of entry allocations which succeeded Unneeded Frag Alloc In Number of successful but unnecessary atte...

Page 261: ...Number of successful attempts to allocated State table entries for inbound packets This occurs when a filter rule is declared using the keep state option Packets that match the rule cause a State tabl...

Page 262: ...e internal memory buffers and there is insufficient information available to properly process the packet Successive memory buffers are read until there is enough information to process the packet Bad...

Page 263: ...e No Match Block Out Number of outbound packets for a given interface which did not match any filtering rule and were ultimately blocked per the interface s default rule Table 24 Filter Rules Paramete...

Page 264: ...e Table Parameters Parameter Description Traffic Port Description A description of each port Traffic Port Index The index of this port Indices are Private 0 or 2 Public 1 or 3 2 and 3 appear only for...

Page 265: ...umber of LAN frames transmitted from this port LAN Frames Discard The total number of LAN frames discarded on this port because of errors Ethernet Header Errors The number LAN frames discarded on this...

Page 266: ...ss of the frame was determined by the bridge logic to be attached to the same network segment as this port Total Frames Discarded Total number of frames discarded on this port because of some error Lo...

Page 267: ...rt because of CRC errors Frame Errors The number of packets dropped on this port because of frame errors Overflow Errors The number of packets dropped on this port because of overflow errors No Xmit B...

Page 268: ...Display The display area offers two selections for how your security gateway groups are presented either one window per security gateway or a single window in which the desired security gateway is se...

Page 269: ...larm Type descriptions The default is Take action on Alarm Delete A Delete button appears at the bottom of the window The highlighted alarm s is deleted when the Delete button is clicked Figure 83 VPN...

Page 270: ...ithm Mismatch Indicates that a packet for which one of the three algorithms compression encryption or authentication used to secure it did not match the VPN configuration within the security gateway w...

Page 271: ...font types are Arial Times Roman and Helvetica The available font sizes range from 8 points to 72 points 9 Click Next 10 Depending on the objects selected in the initial screen each object is display...

Page 272: ...When you are satisfied with the report selections made click on the Finished button to generate the report The report window appears after a short pause If a hardcopy is desired you may save the repo...

Page 273: ...pe Description General Diagnostics Routing Table Shows information regarding how the network traffic flows within the network interfaces in the security gateway Flow Table Shows secure traffic packet...

Page 274: ...statistics are only applicable for SG200 SG203 and SG208 Flush Configuration Deletes existing firewall VPN QoS failover SNMP DNS relay NAT VoIP remote access and static routes configuration on the sec...

Page 275: ...to access the security gateway s CLI When you use SSH to transfer data the entire log in session including transmission of the password is encrypted If you use Telnet to communicate with the security...

Page 276: ...ed 8 For Telnet you must select a zone as all zones are disabled by default 9 Move the zones from Blocked to Allowed Click OK 10 Select Networks to configure the IP address to use to access the securi...

Page 277: ...w 2 From the Icon tool bar click Devices to list all security gateways in the Contents column 3 From the Contents column select the security gateway that requires the administrator passwords reset 4 C...

Page 278: ...etwork connection from the VPNmanager workstation to the security gateway exists The Ping This Device button initiates a clear text non VPN traffic ping from the VPNmanager workstation to the security...

Page 279: ...ing a specific security gateway 1 Move to the Configuration Console window 2 From the Contents column select the security gateway that you want to ping 3 Click the Connectivity tab to bring it to the...

Page 280: ...ot A Cold Start alarm is logged by VPNmanager and any other trap targets specified Note that any existing VPN connections are dropped and are re established following the security gateway reboot seque...

Page 281: ...anager for centralized management of devices which have already been configured the Import Device Configuration feature allows the devices existing configuration data to be easily migrated to VPNmanag...

Page 282: ...efault The current private port settings are displayed at the top of the Ethernet Speed dialog box Port Select the public or private port to configure the port speed of the selected security gateway S...

Page 283: ...ed device This screen appears when the Redundancy button on the security gateway Action tab is clicked It is used to set up specific redundancy attributes when two VSU 1200 7500s are being used to bac...

Page 284: ...other VPNmanager installations Select Import VPN when you receive your exported VPN file and have it copied to a local directory You will need the password from the exporting administrator Export VPN...

Page 285: ...ciate the Group with the appropriate security gateway by modifying the Associate this Group with security gateway picklist For Groups with network mask pairs that are not under your management control...

Page 286: ...r more of these entries These parameters are written by VPNmanager Note Note The export RADIUS Users file created by VPNmanager contains no entries in the authentication password field Consequently af...

Page 287: ...ays go the VPN and Security page from the Avaya Support Technical Database Web site at http support avaya com and select the security gateway type to be downloaded follow the links to the Readme file...

Page 288: ...gh the steps to upgrade using the centralized firmware management feature Note Note The upgrade devices wizard dose not allow downgrading of devices To upgrade the firmware using centralized firewall...

Page 289: ...Avaya Support Technical Database Web site at http support avaya com and select the security gateway type to be downloaded follow the links to the Readme file Note Note Because the upgrade procedure r...

Page 290: ...in step 14 select the upstage2 bin file If the security gateway subdirectory does not have an upstage2 bin file click YES If you answered YES to rebooting the security gateway your upgrade is complet...

Page 291: ...nitially launched the security gateway is polled for the current status of this feature which is displayed on the first line DES or 3DES Click on the radio button for the desired encryption method Cli...

Page 292: ...Upgrading firmware and licenses 292 Avaya VPNmanager Configuration Guide Release 3 7...

Page 293: ...cy server and the VPNmanager Console are started and during login SSL services are started Figure 88 Installing Certificates for Running SSL Explanation for Figure 88 1 An administrator uses Directory...

Page 294: ...ick Start Run to open the Run dialog box 3 In the Open text box type the following command line to install the certificate The filename is a name of the certificate file and aliasname is the alias you...

Page 295: ...ll installed issuer certificates 4 sh listcert bat To delete an installed issuer s certificates 1 Open a Console window 2 Move to the opt Avaya VPNmanager Console directory 3 Type the following comman...

Page 296: ...he Policy Manager window 8 After the device has received the Issuer Certificate the certificate appears in the Issuer Certificates list 9 Close the window Repeat Step 1 through Step 7 for each device...

Page 297: ...of packet filtering where the priority of the rule is determined by its position in the list first is highest priority Note Note The common services referred to in this appendix include all of the fo...

Page 298: ...n a higher inbound and outbound priority than IKE traffic None Selecting None as the firewall template allows all traffic VPN and non VPN through the gateway Security gateway policies are not enforced...

Page 299: ...ce Destination Service Direction Zone Keep State Description InBoundPu blicAccess Permit Any PublicIP IKE IN IKE AVAYA IN IPSEC NAT T IN AH ESP ICMPDEST UNREACH ABLE In Public no Permit incoming VPN t...

Page 300: ...P ublicActiveF TPActive Permit DMZNet Any ActiveFTP Out Public Yes Permit active FTP data connection from FTP server on DMZNet to any FTP client on INATERNE T OutboundP ublicNATed FTPActiveF TPActive...

Page 301: ...raffic OutBoundP ublicAcces s Permit PublicIP Any IKE_OUT IPSEC_NAT_T_OUT AH ESP ICMPDestUnreach Out Public no Permit outgoing VPN traffic OutBoundP ublickPing Access Permit DNZNet PrivateN et SemiPri...

Page 302: ...ublic no OutBoundPublic PingAccess Permit PublicIP DMZNet PrivateNet SemiPrivate Net Managemen tNet Any ICMPEchoRequest Out Public Yes OutBoundPublic GeneralAccess Permit Any Any ICMPEchoRequest PING...

Page 303: ...except traffic that is destined to the management zone For outgoing traffic to the private zone traffic initiated from DMZ is strictly denied All other traffic is allowed OutBoundPublic AccessVPNKey M...

Page 304: ...LIC OutBoundPrivateDM ZSemiPriDenyAccess Deny DMZ Net Any Any Out Privat e No Deny traffic from DMZNet and SemiPrivateNet OutBoundPrivatePer mitAll Permit Any Any Any Out Privat e Yes Permit incoming...

Page 305: ...outgoing packets as follows Incoming traffic to the semi private zone allowed includes VPN traffic The VPN tunnel endpoints could be semi private IP or Public IP Ping DNS ICMP unreachable packets The...

Page 306: ...InBoundSe miPrivatePi ngAccess Permit Any SemiPrivate IP PublicIP ICMPEchoReq PING In SemiP rivate Yes Permit incoming PING InBoundSe miPrivateto DMZAcces s Permit Any DMZNet ICMPEchoReq PING FTP Ctrl...

Page 307: ...is denied InBoundSe miPrivateV PNAccess Permit Any SemiPrivat eIP PublicIP IKE_IN IPSEC_NA T_T_IN AH ESP ICMPDest Unreach In SemiPrivat e no Permit incoming VPN traffic and ICMP unreachabl e packet I...

Page 308: ...eny DMZNet Any Any Out Semi Private No Deny traffic from DMZNet OutBoundSe miPrivateVP NAccess Permit SemiPri vateIP PublicIP Any IKE_OUT IPSEC_N AT_T_OU T AH ESP ICMPDest Unreach Out Semi Private no...

Page 309: ...s from the following networks private management semi private and the destination is the servers with the common services InBoundSemiPri vateAccessICM P Permit Any Semi Private IP ICMPDESTUNREACHAB LE...

Page 310: ...DMZ No Deny the rest of the traffic Table 41 DMZ high and medium security firewall rules continued 2 of 2 Table 42 DMZ low security firewall rules Rule Name Action Source Destination Service Direction...

Page 311: ...zer template The converged network analyzer CNA template is a set of firewall rules that can be configured to allow CNA traffic to travel through the network when the security gateway is setup as a fi...

Page 312: ...Direct ion Zone Keep State InBoundCNAPing Permit Any Public IP ICMP Ec hoReque st In Public Yes InBoundCNARTP Permit Any Public IP CNA RT P In Public No InBoundCNATestPlug Permit Any Public IP CNA Te...

Page 313: ...larm pane Authentication Generic The process of ensuring that the data received is the same data that was sent from the source Local Local Authentication is used in non dynamic VPNs VPNs not using RAD...

Page 314: ...ify the security gateway Certificate Certificate Revocation List CRL checking Certificate Revocation List checking looks to a directory server maintained by CAs to validate a new certificate by search...

Page 315: ...orate network uses VPN components that are managed separately by each company s system administrator F Firewall A network device acting as a filter to restrict access to private network resources from...

Page 316: ...terprise MIB information allows the administrator to obtain basic monitoring information such as the network table packet counter and general information regarding the security gateway using third par...

Page 317: ...own to all security gateways Public Key Certificate A special block of data used to identify the owner of a particular public key It describes the value of a public key the key s owner and the digital...

Page 318: ...e remote client s computer Control of Split Tunneling is normally set when the Dyna Policy configuration download to the remote client s computer occurs SSL Secure Sockets Layer is a protocol that pro...

Page 319: ...2 authentication 142 configuring IKE VPN 153 SKIP VPN 151 Password text box 119 RADIUS 126 authentication IPSec 146 Authentication Algorithm drop down list IKE VPN 153 IPSec 155 SKIP VPN 151 B backup...

Page 320: ...tiated Services about 192 Diffie Hellman Group 143 Diffie Hellman Group drop down list 154 Diffie Hellman Groups 145 DiffServ 193 Directory Name of Certificate Authority text box 155 Distinguishing En...

Page 321: ...ist 103 IKE radio button 136 IKE VPN about 134 adding IP Group Objects 152 adding User and User Group Objects 152 authentication method configuring the 153 Certificate Based radio button 152 compressi...

Page 322: ...Modify Secret button 153 modulus in IKE VPNs keying algorithm 154 Monitor Monitor Wizard 250 Monitoring Groups 251 MTU Drop all IP Fragments check box 192 path discovery configuring 202 N naming VPNs...

Page 323: ...perty sheet for CCD 113 Preferences Advanced Tab 51 Preferences General Tab 49 Preferences Remote Client Tab 51 111 Presentation monitoring 268 Preshared Secret 138 Preshared Secret IKE 144 Preshared...

Page 324: ...69 Send no VSU names radio button 206 Send Syslog messages 112 Send VSU Names control 205 server list managing 211 Servers tab detailed description 210 SHA1 authentication selecting 153 shared secret...

Page 325: ...oIP LRQ 177 VPN Create Designated 137 Default VPN 136 Domains about 55 hierarchy detailed view 55 IKE VPN see IKE VPN 134 rekeying 162 SKIP VPN see SKIP VPN 133 VPN Virtual Private Network key managem...

Page 326: ...326 Avaya VPNmanager Configuration Guide Release 3 7 Index X x 169 Z zone public 68 zone public backup 68 zones IP addressing 70 network 67 type of 25 67...

Reviews: