Product Description
IP Office 8.1
© 2012 AVAYA All rights reserved.
Issue 26.k.- (16 August 2012)
SSL/VPN Remote Access
The IP Office SSL/VPN remote access solution is a fast and easy way to set up secure remote access at
broadband speeds. The solution is designed to provide Avaya and Avaya partners with reliable remote access
that enhances service delivery while reducing the cost associated with truck rolls. The solution enables partners
of any size to create an infrastructure that automates management and maintenance of IP Office systems.
The IP Office SSL/VPN Solution
The IP Office SSL/VPN solution offers secure remote access to IP Office devices, with minimal
networking expertise required to set up the CPE at the customer site. The IP Office can be pre-configured with
its SSL/VPN configuration before installation at the customer’s site.
Advantages of the IP Office SSL/VPN Solution
· Secure remote access at broadband speeds for enhanced support
· Simple configuration and deployment
· Scaling to accommodate future growth requirements
· Networking expertise not required at the customer site (No IT admin required at the customer site)
· No requirement to open holes in the firewall (Firewall-agnostic as the connection is initiated from the
  customers’ site to the Gateway)
· Connection can be “Always-ON” or can be initiated via Dial-Up or Phone.
· Facilitation of remote configuration, management, monitoring, diagnostics, and upgrades.
Operation of SSL/VPN Remote Access
IP Office Release 8.1 software includes an embedded SSL/VPN client. On the server side (should the partner
decide to host the server side), the partner will need to install a server (VM) and install the Avaya VPN Gateway
(AVG) software. The partner will establish the SSL/VPN Gateway configuration on the IP Office so that the IP
Office can trigger a secure tunnel back to the Gateway.
A username/password is set up during the configuration step for security purposes. A second level of security is
provided by server-side certificate authentication. A RADIUS server then validates the username/password
when the IP Office initiates a connection request. Once the credentials are validated, secure
remote access is established.
System Requirements
At a minimum, the partner needs to ensure that a broadband connection is available at the customer site. A
partner deciding to host the server side can purchase (scale as you go) the SSL/VPN licenses based on how
many simultaneous connections are required. The partner installs the AVG software on a VM server (the
partner can choose the server of their choice) and sets up a RADIUS server for username/password
authentication. The same VM server can also act as the RADIUS server, or the partner can use a separate RADIUS
server or reuse an existing RADIUS server based on their IT department’s recommendations and security policy.
Partners wanting to host the server side gateway should refer to the Avaya enterprise portal for more detailed
information about the Avaya VPN gateway solution (see
https://enterpriseportal.avaya.com/ptlWeb/gs/products/P0623/AllCollateral).
Exceptions to the SSL/VPN solution described above:
· No support for IP Office 500v1 system
· No support for the Unified Communications Module or the external expansion applications server
  (Material Code – 269810) used with the IP Office
· When the partner hosts the server side, configuration of the solution is performed using IP Office
  Manager (as a result, the IP Office Basic Edition is not supported with the SSL/VPN solution)
Data Networking Features
Integral 10/100 Mbit Layer 3 Ethernet Switch
Layer 3 switching is particularly useful in situations where it is desirable to have both a ‘trusted’ and an
‘unsecured’ network, where the ‘unsecured’ network is uncontrolled and carries public traffic.
It is possible to set up a firewall between two LAN segments using the IP Office layer 3 switch. IP500 V2
supports a two-port Layer 3 Ethernet switch with the firewall between them. Both of these switched ports have
their own IP addresses (LAN1 and LAN2), and in order for traffic to pass from one port to the other, a route is
configured in the system’s routing tables.