Nortel NN46120-104 User Manual Download Page 110 | Manualshive

Page: 110 / 300

background image

110

Certificates and Client Authentication

Generating client certificates

Before issuing client certificates, you should establish the means of
validating the identities of the users. The credentials users need to present
to obtain a client certificate may vary, depending on the type of service, the
size of your organization, and so on.

Step

Action

1

Specify a CA certificate by index number to use for
generating a client certificate, and generate the client
certificate.

In this example certificate number 1 is specified for generating a
client certificate. The private key corresponding with the public
key in the certificate you specify is used for signing the client
certificate.

>> Main#

cfg/cert

Enter certificate number:

(1-)

1

>> Certificate 1#

gensigned

Type of certificate (server/client) [client]:

<press

ENTER for client certificate>

The combined length of the following parameters may not

exceed 225 bytes.

Country Name (2 letter code):

State or Province Name (full name):

Locality Name (e.g., city):

Organization Name (e.g., company):

Organizational Unit Name (e.g., section):

Common Name (e.g., your name or your server’s

hostname):

Email Address:

Subject alternative name (blank or comma separated list

of

URI:<uri>, DNS:<fqdn>, IP:<ip-address>, email:<email

-address>):

Nortel VPN Gateway

User Guide

NN46120-104

02.01

Standard

14 April 2008

Copyright © 2007-2008 Nortel Networks

.

«
...
108
109
110
111
112
...
»

Summary of Contents for NN46120-104

Page 1: ...Nortel VPN Gateway User Guide Release 7 1 Document Revision 02 01 www nortel com NN46120 104 216368 G...

Page 2: ...rademarks of Nortel Networks Export This product software and related technology is subject to U S export control and may be subject to export or import regulations in other countries Purchaser must s...

Page 3: ...ntroducing the VPN Gateway 15 SSL Acceleration 16 VPN 17 Hardware Platforms 18 Feature List 19 Introducing the ASA 310 FIPS 27 HSM Overview 28 Extended Mode vs FIPS Mode 29 The Concept of iKey Authent...

Page 4: ...g the Virtual Desktop on Client Computers 132 Licensing vdesktop 132 Launch Vdesktop from Portal 133 Virtual Desktop Operations 134 The Command Line Interface 135 Connecting to the VPN Gateway 136 Acc...

Page 5: ...209 222 License Information 223 HSM Security Policy 233 Definition of Key Codes 253 Syntax Description 254 SSH host keys 257 Methods for Protection 258 The VPN Gateway 259 Adding User Preferences Att...

Page 6: ...6 Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14 April 2008 Copyright 2007 2008 Nortel Networks...

Page 7: ...s User s Guide describes how to perform basic configuration and maintenance of the Nortel VPN Gateway NVG Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14 April 2008 Copyright 2007 2008 Nor...

Page 8: ...work installers and system administrators engaged in configuring and maintaining a network It assumes that you are familiar with Ethernet concepts and IP addressing Nortel VPN Gateway User Guide NN461...

Page 9: ...ure VPN deployment through the BBI Browser Based Management Interface VPN Gateway 7 1 VPN Administrator Guide part number 217238 E April 2008 VPN management guide intended for end customers in a Secur...

Page 10: ...M 1000 Nortel SSL Accelerator 310 FIPS ASA 310 FIPS The integrated SSL Accelerator SSL processor on the Nortel 2424 SSL switch Nortel VPN Gateway Universal Serial Bus Similarly all references to the o...

Page 11: ...major release upgrade as well as upgrading from software versions earlier than 2 0 11 16 to version 3 0 7 Managing Users and Groups page 79 describes the management of users groups and passwords The c...

Page 12: ...des information about the purpose of SSH host keys and how they are used to protect the connection between the SSH client and the VPN Gateway Adding User Preferences Attribute to Active Directory page...

Page 13: ...exactly as shown Main sys AaBbCc123 This italicized type appears in command examples as a parameter placeholder Replace the indicated text with the appropriate real name or value when using the comman...

Page 14: ...port web site and have a Nortel support contract you can also get help over the phone from a Nortel Solutions Center In North America call 1 800 4NORTEL 1 800 466 7835 Outside North America go to the...

Page 15: ...oups SSL Acceleration VPN These features can be used separately or be combined This User s Guide covers the basic tasks that need to be completed irrespective of which feature you wish to deploy Norte...

Page 16: ...tch and performs all the SSL encryption and decryption for the session Combined with the load balancing features of the Nortel Application Switch the VPN Gateway offloads SSL encryption decryption fun...

Page 17: ...ugh a secure SSL connection through the web browser When successfully authenticated the user can access services and resources on the intranet from a Web Portal provided by the VPN Gateway Clientless...

Page 18: ...hnical specification of the hardware platforms see the Specifications appendix in the VPN Gateway 3050 3070 Hardware Installation Guide and the Alteon SSL Accelerator Hardware Installation Guide respe...

Page 19: ...able on the Portal s Advanced tab API provided for developing a custom application that automatically logs in the user to the desired VPN and executes a previously configured port forwarder link Suppo...

Page 20: ...crosoft Active Directory NTLM Windows NT Domain including Microsoft Active Directory Secure Computing SafeWord RADIUS Netegrity SiteMinder RSA SecurID native or through RADIUS RSA ClearTrust ActivCard...

Page 21: ...eating multiple interfaces within a cluster for example to separate client traffic and management traffic Not supported on the Nortel Application Switch 2424 SSL Support for clustering over multiple s...

Page 22: ...anch office tunnels can be configured per hardware model NVG 3070 2500 NVG 3050 1000 Nortel 2424 SSL Application Switch 500 For example a cluster of two NVG 3070s support 5000 branch office tunnels Po...

Page 23: ...k traffic Provides a single system image SSI all VPN Gateways in a given cluster are configured as a single system High level of redundancy in the master slave cluster design even if three master VPN...

Page 24: ...agement Web User Interface HTTP or HTTPS Command Line Interface CLI access through Telnet SSH or serial port SNMP version 1 version 2c and version 3 RADIUS authentication of CLI BBI administrator user...

Page 25: ...ironment for end users while accessing confidential information Secure Portable Office SPO Client The SPO client provides VPN access from portable storage such as USB compliant flash memory and CD ROM...

Page 26: ...26 Introducing the VPN Gateway Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14 April 2008 Copyright 2007 2008 Nortel Networks...

Page 27: ...requirements specified by the Federal Information Processing Standard FIPS 140 1 Level 3 standards Each ASA 310 FIPS device is equipped with two identical HSM cards Note When using the ASA 310 FIPS de...

Page 28: ...ntruder Any sensitive information that is transferred between two HSM cards within the same ASA 310 FIPS or between any number of HSM cards within a cluster of ASA 310 FIPS devices is encrypted using...

Page 29: ...d in RAM where it remains accessible for subsequent operations Also when the ASA 310 FIPS is initialized in FIPS mode all private keys must be generated on the ASA 310 FIPS device itself Importing pri...

Page 30: ...SA 310 FIPS device After a HSM card has been initialized that card will only accept the HSM SO and HSM USER iKeys that were used when initializing that particular card You cannot create backup copies...

Page 31: ...require the correct passwords for successful authentication CAUTION If you enter the wrong password for the HSM USER fifteen 15 times in a row the HSM USER iKey will be rendered unusable This is due t...

Page 32: ...S ER CODE SO and CODE USER Changing the HSM SO iKey password Note To resume normal operations after having changed the HSM SO iKey password the HSM USER iKey is required to re login to the HSM card Ch...

Page 33: ...r how to change an HSM SO or HSM USER iKey password see the Hardware Security Module Menu under the Maintenance Menu in the User s Guide For information about how to reset the HSM cards see Resetting...

Page 34: ...34 Introducing the ASA 310 FIPS Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14 April 2008 Copyright 2007 2008 Nortel Networks...

Page 35: ...for the Nortel VPN Gateway NVG It introduces the concept of clusters and provides detailed instructions for reinstalling the VPN Gateway software should it become necessary Nortel VPN Gateway User Gui...

Page 36: ...g the VPN Gateways designated as masters in a cluster By default the first four VPN Gateways in a given cluster are set up as masters Additional NVGs are automatically set up as slaves which means the...

Page 37: ...ter NVG Virtual IP Address VIP When the VPN Gateway is used in conjunction with a Nortel Application Switch e g for SSL acceleration the client connects to the VIP on the Nortel Application Switch The...

Page 38: ...port NICs numbered as 1 4 One with two copper port NICs number as 1 2 and two fiber optic ports numbered as 3 4 The ASA 410 Copper NIC has two copper port NICs numbered as 1 2 The ASA 410 Fiber NIC ha...

Page 39: ...traffic that is connecting the SSL VPN to internal resources and configuring the SSL VPN from a management station Figure 1 One Armed Configuration without Application Switch Two Armed Configuration...

Page 40: ...ed Configuration without Application Switch Note Two armed configuration is not available for the Application Switch 2424 SSL Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14 April 2008 Cop...

Page 41: ...re information see Connecting to the VPN Gateway page 136 Press the power on button on the VPN Gateway Wait until you get a login prompt Log in as user admin password admin Note If you have the ASA 31...

Page 42: ...l guide you through the initial configuration 2 Specify the port you want to use for network connectivity Enter port number for the management interface 1 4 1 This port will be assigned to Interface 1...

Page 43: ...tag id or ENTER Specify the desired network mask or accept the suggested value by pressing ENTER If a connected router or switch attaches VLAN tag IDs to incoming packets specify the VLAN tag ID used...

Page 44: ...gh the initial configuration of the iSD 2 Configure the management interface port number Enter port number for the management interface 1 4 1 Specify the port you want to use for NVG management and ot...

Page 45: ...P address on the traffic public interface Enter IP address for this machine on traffic interface IP address This IP address will be assigned to Interface 2 on the VPN Gateway that is the public interf...

Page 46: ...this item after the initial setup is completed See the NTP Servers Configuration section under Configuration menu System Configuration in the Command Reference new setup continued Enter a timezone or...

Page 47: ...teps The VPN quick setup wizard creates all the settings required to enable a fully functional Portal for testing purposes You can later let your test Portal evolve to a fully operative Portal Run VPN...

Page 48: ...ess in your VPN run the IPsec quick setup wizard With IPsec access enabled remote users can access the VPN through a secure IPsec tunnel using the Nortel IPsec VPN client formerly Contivity Setup IPse...

Page 49: ...interface CLI log in as the admin user with the password you defined in and the Main menu is displayed For more information about the CLI see Step 2 If you rather configure the system through the Brow...

Page 50: ...an additional server of the HTTP type was created to redirect requests made with HTTP to HTTPS because the portal server requires an SSL connection Default Network The wizard also creates a default n...

Page 51: ...s Access Rules and Profiles chapter in the Application Guide for VPN for a full explanation of service definitions http Uses TCP port 80 https Uses TCP port 443 web Uses TCP ports 20 21 80 and 443 smt...

Page 52: ...NVG to the Access list This must be done before joining the new VPN Gateway otherwise the devices will not be able to communicate Use the cfg sys accesslist command If the Access list is empty this s...

Page 53: ...ort for existing VPN Gateways it is recommended for consistency that you configure port 1 for the NVG you are joining as well 3 Enter the VPN Gateway s host IP address Enter IP address for this machin...

Page 54: ...g up a Two Armed Configuration If the currently installed VPN Gateway s in the cluster are set up for a two armed configuration you probably want the new VPN Gateway to be set up like the previously i...

Page 55: ...host IP address on the management interface or accept the suggested value by pressing ENTER If a connected router or switch attaches VLAN tag IDs to incoming packets specify the VLAN tag ID used 5 En...

Page 56: ...ce Enter default gateway IP address on the traffic interface IP addr The default gateway IP address should be within the same network address range as the host IP address on the traffic interface Comp...

Page 57: ...is iSD master slave master ok 3 Wait until the Setup utility has finished Setup successful login The setup is now finished The VPN Gateway that has been joined to the cluster will automatically pick u...

Page 58: ...el two of the black cluster specific iKeys CODE SO and CODE USER respectively in advance For more information about the concept of iKeys and the ASA 310 FIPS model in general see Introducing the ASA 3...

Page 59: ...ds Step 4and Step 5 are related to initializing the HSM cards that your ASA 310 FIPS is equipped with The Setup utility will identify the first HSM card as card 0 and the second HSM card as card 1 Eac...

Page 60: ...urple is inserted in card 0 with flashing LED Hit enter when done Enter a new HSM SO password for card 0 define an HSM SO password Re enter to confirm The HSM SO iKey has been updated Verify that HSM...

Page 61: ...er wrap key onto another HSM card either within the same ASA 310 FIPS device as in Step 7 or to HSM cards in an ASA 310 FIPS device that is added to the current cluster Each ASA 310 FIPS device is shi...

Page 62: ...FIPS units you need to take steps so that you can identify to which cluster a pair of CODE SO and CODE USER iKeys is associated 7 Transfer the cluster wrap key from the CODE SO and CODE USER iKeys on...

Page 63: ...g the command line interface CLI For more information about the CLI see The Command Line Interface page 135 Note After successfully having initialized the HSM cards you are automatically logged in to...

Page 64: ...rsion on the new ASA before joining it see Reinstalling the Software page 70 or upgrade the whole cluster to the same software version as the new ASA see Performing Minor Major Release Upgrades page 7...

Page 65: ...iKeys used when initializing this particular HSM card Even if you choose to use the same HSM SO and HSM USER passwords when you initialize card 1 as the passwords you defined when initializing card 0...

Page 66: ...iKeys and the HSM card to which each set of iKeys is associated during the initialization Because each ASA 310 FIPS device in the cluster will have two HSM cards you must also take steps to identify t...

Page 67: ...pectively that you used when installing the first ASA 310 FIPS in the cluster If you have more than one cluster of ASA 310 FIPS units make sure that you can identify to which cluster the pair of CODE...

Page 68: ...ret passphrase as given during initialization of the first iSD in the cluster 8 Wait until the Setup utility has finished join setup continued Setup successful login The setup utility is now finished...

Page 69: ...f the ASA 310 FIPS units using the command line interface CLI Log in as the admin user and the Main menu is displayed For more information about the CLI see The Command Line Interface page 135 End Nor...

Page 70: ...Using the ptcfg command installed keys and certificates are included in the configuration data and can later be restored by using the gtcfg command For more information about these commands see the C...

Page 71: ...id or ENTER Enter IP address for this iSD 192 168 128 185 Press ENTER if the IP address displayed within square brackets is correct Enter network mask 255 255 255 0 Press ENTER if correct Enter gatew...

Page 72: ...ogin is the default option 4 Log in to the VPN Gateway as the admin user after the device has rebooted on the newly installed boot image reinstall procedure continued Restarting Restarting system Alte...

Page 73: ...jor release upgrade This kind of release may contain both bug fixes as well as feature enhancements The VPN Gateway may automatically reboot after a major upgrade because the operating system may have...

Page 74: ...release upgrade you only need to be connected to the Management IP address of the cluster The upgrade will automatically be executed on all the VPN Gateways in operation at the time of the upgrade All...

Page 75: ...mode Password password or press ENTER for default password in anonymous mode Received 28200364 bytes in 4 0 seconds Unpacking ok Software Management End Activating the Software Upgrade Package The VP...

Page 76: ...us 7 0 1 SSL unpacked 5 1 5 SSL permanent The downloaded software upgrade package is indicated with the status unpacked The software versions can be marked with one out of four possible status values...

Page 77: ...oftware cur Version Name Status 7 0 1 SSL permanent 5 1 5 SSL old In this example version 7 0 1 is now operational and will survive a reboot of the system while the software version previously indicat...

Page 78: ...78 Upgrading the NVG Software Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14 April 2008 Copyright 2007 2008 Nortel Networks...

Page 79: ...govern administrator operator user rights how to add or delete users from the system how to set or change group assignments and how to change login passwords Nortel VPN Gateway User Guide NN46120 104...

Page 80: ...the same user rights as granted to members in the certadmin and oper group in addition to the specific user rights granted by the admin group membership The most permissive user rights become the eff...

Page 81: ...rver Access to the System menu cfg sys is limited and entails access only to the User Access Control submenu cfg sys user Step Action 1 Log in to the NVG cluster as the admin user login admin Password...

Page 82: ...n groups add Enter group name certadmin 5 Verify and apply the group assignment When typing the list command the current and pending group assignment of the user being edited is listed by index number...

Page 83: ...t passphrase defined by the Certificate Administrator is used instead to encrypt private keys in the configuration backup The encryption of private keys using the export passphrase defined by the Cert...

Page 84: ...embership When the admin user is removed from the certadmin group only the Certificate Administrator user can access the Certificate menu cfg cert User edit admin User admin groups list 1 tunnelguard...

Page 85: ...ired access rights to the CLI BBI When the user logs in to the CLI BBI and is successfully authenticated the RADIUS server returns the groups to which the user belongs The groups are compared to the f...

Page 86: ...ll add the admin user to the certadmin group The example assumes that the admin user previously removed himself or herself from the certadmin group to fully separate the Administrator user role from t...

Page 87: ...group assignment you must therefore always first add the user to the desired new group then remove the user from the old group 4 Verify and apply the changes Groups list Old 1 tunnelguard 2 admin 3 op...

Page 88: ...Change own password expire Set password expire time interval list List all users del Delete a user add Add a new user edit Edit a user caphrase Certadmin export passphrase 3 Type the passwd command t...

Page 89: ...contain spaces Step Action 1 Log in to the NVG cluster as the admin user login admin Password admin user password 2 Access the User Menu Main cfg sys user User Menu passwd Change own password expire S...

Page 90: ...r new password for cert_admin new password for user being edited Re enter to confirm confirm new password for user being edited 5 Apply the changes User cert_admin apply Changes applied successfully E...

Page 91: ...e member of a group Step Action 1 Log in to the NVG cluster as the admin user login admin Password admin user password 2 Access the User Menu Main cfg sys user User Menu passwd Change own password exp...

Page 92: ...pending configuration change by the minus sign To cancel a configuration change that has not yet been applied use the revert command User list oper root admin cert_admin User apply End Nortel VPN Gate...

Page 93: ...teway supports using up to 1500 certificates The basic steps to create a new certificate using the command line interface of the VPN Gateway are Generate a Certificate Signing Request CSR and send it...

Page 94: ...e Menu line such as Certificate Menu 1 Explanations for the requested units of information Note that you do not have to complete all fields Only one of Common Name and E mail Address is strictly requi...

Page 95: ...mail address Example URI http www example com email john example com IP 10 1 2 3 Generate new key pair y In most cases you will want to generate a new key pair for a CSR However if a configured certi...

Page 96: ...rtificate authority this step is only necessary if you want to create a backup copy of the private key When generating a CSR the private key is created and stored encrypted on the VPN Gateway using th...

Page 97: ...rver on which the certificate and the corresponding private key is to be used Note When using an ASA 310 FIPS the private key is protected by the HSM card and cannot be exported After you have receive...

Page 98: ...ite and follow the online instructions When prompted paste the CSR into the space provided on the CA s online request process If the CA requires that you specify a server software vendor whose softwar...

Page 99: ...n these fromats PEM NET DER PKCS7 certificate only PKCS8 keys only used in WebLogic PKCS12 also known as PFX Besides these formats keys in the proprietary format used in MS IIS 4 can be imported by th...

Page 100: ...umber as the certificate number you used when generating the CSR By doing so you do not have to add the private key because this key remains connected to the certificate number that you used when you...

Page 101: ...f certificate the CA generates registered or chain your certificate may appear substantially different from the one shown before Be sure to copy and paste the entire contents of the certificate file 4...

Page 102: ...you have received from a CA The public key in the certificate works in concert with the related private key when handling SSL transactions Open the key file in a text editor and copy the entire conte...

Page 103: ...ver ssl cert command If the NVG software is used for deployment of a VPN solution the certificate should be mapped to the portal server of the desired VPN using the cfg vpn server ssl cert command To...

Page 104: ...icate number not in use by an existing certificate To view basic information about all configured certificates use the info certs command Main cfg cert Enter certificate number 1 number of the certifi...

Page 105: ...1 import Select protocol tftp ftp scp sftp tftp ftp Enter host name or IP address of server server host name or IP address Enter filename on server filename key Retrieving VIP_1 key from 192 168 128...

Page 106: ...ired VPN using the cfg vpn server ssl cert command To view basic information about configured certificates use the cfg cur cert command End Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14...

Page 107: ...tion cert Enter certificate number 1 1500 3 Creating Certificate 3 3 Add the new certificate according to the instructions in Adding Certificates to the NVG page 99 4 Map the new certificate to the de...

Page 108: ...e clients private key and contains important information about the SSL session known to both the client and the server Upon receiving the CertificateVerify message the virtual SSL server will use the...

Page 109: ...the virtual SSL server to use for authenticating client certificates Only those client certificates that are issued by a certificate authority whose CA certificate you specify will be accepted Note t...

Page 110: ...te key corresponding with the public key in the certificate you specify is used for signing the client certificate Main cfg cert Enter certificate number 1 1 Certificate 1 gensigned Type of certificat...

Page 111: ...state or province in which the subject resides Locality Name for example city The name of the city or town where the subject resides Organization Name for example company The registered name of the o...

Page 112: ...ckets and will be used unless you specify a different number As you generate more client certificates the proposed serial number increments automatically Certificate 1 Valid for days 365 Key size 512...

Page 113: ...is required to unlock the certificate 5 Verify that the certificate you used for generating the client certificate is specified as a CA certificate for the appropriate virtual SSL server Main cfg ssl...

Page 114: ...ad the option to save it with a new certificate number In the previous example Step 4 the client certificate was saved as certificate number 2 Enter this certificate number when prompted then use the...

Page 115: ...r Never send the password phrase in an e mail message The user will then need to import the received client certificate into his or her Web browser or e mail program For more information about importi...

Page 116: ...hority by issuing your own client certificates you will also need to maintain your own certificate revocation lists This can be done by listing the serial numbers of the client certificates you want t...

Page 117: ...Certificates Issued within your Own Organization Step Action 1 Specify the CA certificate to which you want to add a CRL Specify the certificate number that represents the CA certificate of the certi...

Page 118: ...you have added serial numbers for particular client certificates by using the add command prior to using the import command you will be asked if you want to merge those serial numbers to the CRL in A...

Page 119: ...u choose to add serial numbers in hexadecimal form add a paragraph in the text document that reads HEX ASCII revocation Note You can add comments to a CRL ASCII file by preceding your comments with th...

Page 120: ...server for LDAP the server must support LDAP v3 When using LDAP a bind operation to the specified LDAP server is performed each time a CRL retrieval occurs The bind operation uses the specified disti...

Page 121: ...ck your LDAP server documentation for details on binding authentication and access control Example cn Bill Smith o Your Organization By setting the cfg cert revoke automatic anonymous command to true...

Page 122: ...ble certificates enter the info certs command When specifying more than one certificate use commas to separate the corresponding index numbers Example 1 2 5 To clear all specified CA certificates pres...

Page 123: ...a message indicating client certificate is required to connect 2 Click Connect The MSCAPI window appears 3 Select the certificate in the MSCAPI window 4 If secondary authentication is not required th...

Page 124: ...e entire contents including the text BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST Having pasted the CSR press ENTER to create a new line and type three periods Finally press ENTER once again...

Page 125: ...rrent value Enter certificate numbers separated by comma 1 5 Apply the changes The CSR is signed using the private key associated with the currently selected certificate End Nortel VPN Gateway User Gu...

Page 126: ...d information For a more detailed explanation of the requested information see Generating and Submitting a CSR Using the CLI page 94 The combined length of the following parameters may not exceed 225...

Page 127: ...server using the cfg ssl server ssl cert command If the NVG software is used for deployment of a VPN solution the certificate should be mapped to the portal server of the desired VPN using the cfg vp...

Page 128: ...ficate s subject information can be used extract to user name and password For usage examples see the Client Certificate Authentication section in the Authentication Methods chapter in the CLI BBI App...

Page 129: ...protected For the VPN Gateways without the HSM card private keys are protected by the cluster For the ASA FIPS private keys are protected by the HSM card However when generating a client certificate t...

Page 130: ...130 Certificates and Client Authentication Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14 April 2008 Copyright 2007 2008 Nortel Networks...

Page 131: ...a Virtual Desktop environment to secure Web based applications and services Therefore you can access confidential information in a secure environment Nortel VPN Gateway User Guide NN46120 104 02 01 S...

Page 132: ...ra 7 2 or later FireFox 1 0 and later Java Runtime Environment JRE version 1 4 2 or later or Microsoft Java Virtual Machine JVM version 5 0 and later Licensing vdesktop Your copy of Symantec On Demand...

Page 133: ...ternet explorer 2 Enter the Protocol IP address and Port For example http 10 127 232 45 1234 3 Enter the user name and password 4 Click on Home 5 Click on the virtual desktop link 6 Click on the virtu...

Page 134: ...e files rather than the real versions Enable File Separation The vdesktop session may get terminated when the browser session is terminated to ensure that the Virtual Desktop session does not remain a...

Page 135: ...tion software or through a remote session using either a Telnet client or an SSH client When using a Telnet client or SSH client to connect to a cluster of VPN Gateways always connect to the IP addres...

Page 136: ...CII terminal or a computer running terminal emulation software set to the parameters shown in the following table Table 4 Console Configuration Parameters Parameter Value Baud Rate 9600 Data Bits 8 Pa...

Page 137: ...you must connect to the IP address of the particular VPN Gateway This also applies when using an SSH connection instead of a Telnet connection To view the IP addresses of all VPN Gateways in a cluste...

Page 138: ...abled by default However depending on the severity of your security policy you may want to enable SSH access You may also restrict SSH access to one or more specific machines For more information abou...

Page 139: ...recommended that you do so to maintain a high level of security when connecting to the VPN Gateway using a SSH client If you fear that your SSH host keys have been compromised you can create new host...

Page 140: ...oup and then remove himself or herself from the certadmin group For more information see Adding a New User page 81 Boot user can only perform a reinstallation For security reasons it is only possible...

Page 141: ...d read access to some of the menus and information available in the CLI oper admin admin oper certadmin The Administrator is allowed both read and write access to all menus information and configurati...

Page 142: ...system will run Setup see Installing an NVG in a New Cluster page 42 a utility designed to help you through the first time configuration process If the VPN Gateway has already been configured the Main...

Page 143: ...43 Command Line History and Editing For a description of global commands shortcuts and command line editing functions see the Command Reference Nortel VPN Gateway User Guide NN46120 104 02 01 Standard...

Page 144: ...ve your configuration changes regularly by using the global apply command If you have unapplied configuration changes when using the global exit command to log out from the command line interface you...

Page 145: ...setting the HSM cards on the ASA 310 FIPS on An ASA 310 FIPS Stops Processing Traffic page 153 An NVG cluster configuration needs to be reconstructed onto new devices on AnASA 310 FIPS Cluster Must be...

Page 146: ...ble SSH access Apply your configuration changes cfg sys adm ssh Current value off Allow SSH CLI access on off on Administrative Applications apply Changes applied successfully Check the Access List If...

Page 147: ...Gateways in the cluster If the IP address assigned to the VPN Gateway seems to be correct you may have a routing problem Try to run traceroute a global command available at any menu prompt or the tcp...

Page 148: ...e NVG s already in the cluster You can verify software versions by typing the command boot software cur where the active version is indicated as permanent Adjusting the software version on the NVG dev...

Page 149: ...ccess list cfg sys accesslist list 1 192 168 128 78 255 255 255 0 Add Interface 1 IP Addresses and MIP to Access List Use the cfg sys cluster cur command to view the Host Interface 1 IP address for th...

Page 150: ...d the software version in the cluster log in to the VPN Gateway you want to add as the Administrator user and select join from the Setup menu Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 1...

Page 151: ...again Console Connection If you are connected to a particular VPN Gateway through a console connection and that NVG stops responding you should first try pressing the key combination CTRL and press EN...

Page 152: ...er can change the Root user password For more information see the edit command in the User Access Configuration section under Configuration Menu System Configuration in the Command Reference Boot User...

Page 153: ...FIPS that has undergone a reboot as the admin or oper user login admin Password enter the admin user password Alteon iSD SSL Software version 7 1 When connecting to the ASA 310 FIPS you can use a con...

Page 154: ...ogin on card 1 Note If you enter the wrong password for the HSM USER fifteen 15 times in a row the HSM USER iKey will be rendered unusable This is due to the strict security specifications placed on t...

Page 155: ...h each HSM SO iKey Log in as the admin user to the particular ASA 310 FIPS device you want to delete If the ASA 310 FIPS device will be used in a different department or organization after it has been...

Page 156: ...te the iSD y n y Do you want to clear the HSM card s as well y n y press ENTER to accept resetting the HSM cards 3 Insert the HSM SO iKey associated with HSM card 0 in the card with flashing LED and p...

Page 157: ...isplayed after having logged in as the admin user through a console connection When selecting new or join in the Setup menu you will be prompted to insert the HSM SO iKey and HSM USER iKey associated...

Page 158: ...ed to transfer the wrap key used in the former cluster onto the HSM cards in the new ASA 310 FIPS devices as well as for decrypting private key information in the backup configuration file The secret...

Page 159: ...it enter when done Wrap key successfully combined to card 0 4 Transfer the cluster wrap key from the CODE SO and CODE USER iKeys to card 1 new setup continued Verify that CODE SO iKey black is inserte...

Page 160: ...ter page 63 up to and including Step 4 8 Transfer the cluster wrap key from the CODE SO and CODE USER iKeys to card 0 When asked to insert the CODE SO and the CODE USER iKeys make sure to use the same...

Page 161: ...g the HSM cards join setup continued Enter the secret passphrase as given during initialization of the first iSD in the cluster Enter the same secret passphrase as was used in the former cluster If yo...

Page 162: ...s supported Password Received 4960 bytes in 0 1 seconds Password for importing private keys in cfg password as defined when saving the configuration file to an FTP TFTP SCP SFTP server Configuration l...

Page 163: ...ftp sftp interactive Enter the desired tag s separated by comma for example aaa ssl to trace the user authorization and SSL handshake processes or press ENTER to trace all processes To limit tracing t...

Page 164: ...Gateway This is also the order in which the groups will be applied base implies that the group s base profile will be used TTL for user shows the idle timeout 15m 15 minutes in the preceding example a...

Page 165: ...P pool applies to Net Direct and IPsec ssl The ssl tag logs information related to the SSL handshake procedure e g used cipher tg The tg tag logs information related to a TunnelGuard check e g access...

Page 166: ...Bookmarks in the chapter The Portal from an End User Perspective in the CLI BBI Application Guide for VPN smb The smb tag shows information related to SMB Windows file share sessions initiated through...

Page 167: ...been accepted or rejected netdirect_packet The netdirect_packet tag logs information about packets being sent and received when the user has initiated a connection to a host Because of the large amoun...

Page 168: ...Application Guide for VPN for instructions on how to enable Net Direct and how to configure an IP pool 3 Is the Net Direct link visible to the end user on the Portal s Home tab If not the user may bel...

Page 169: ...9 Verify that the maximum number of users for the license currently loaded to the VPN Gateway has not been reached If required user s can be logged out from the VPN through the info kick command To a...

Page 170: ...the system tray blink green Does it ever blink green Check using maint starttrace and the netdirect_packet tag that traffic is flowing from and to the client machine If no traffic flows verify on your...

Page 171: ...m zip file in a folder named nortel_cacheable and zip the nortel _cacheable folder This is because after imported into the NVG the top directory will be unzipped in the NVG 4 Import the customized fil...

Page 172: ...rtificate index number is used by each configured SSL server Network Diagnostics To check if the VPN Gateway is able to contact configured gateways routes DNS servers authentication servers and IP add...

Page 173: ...istics for configured virtual SSL servers To check statistics for the local Ethernet network interface card type the following command info ethernet The screen output provides information about the to...

Page 174: ...ided you have configured the VPN Gateway to use a Syslog server the VPN Gateway will send log messages to the specified Syslog server For more information about how to configure a UNIX Syslog daemon s...

Page 175: ...s to load and produces an error To use the NetDirect with v5 1 3 4 or earlier release you need to manually remove the NetDirect and relaunch the portal and earlier NetDirect To remove the NetDirect fo...

Page 176: ...176 Troubleshooting the NVG Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14 April 2008 Copyright 2007 2008 Nortel Networks...

Page 177: ...A1 DES CBC3 SHA SSLv3 RSA RSA 3DES 168 SHA1 DES CBC3 MD5 SSLv2 RSA RSA 3DES 168 MD5 DHE RSA AES128 SHA SSLv3 DH RSA AES 128 SHA1 AES128 SHA SSLv3 RSA RSA AES 128 SHA1 RC4 SHA SSLv3 RSA RSA RC4 128 SHA...

Page 178: ...40 MD5 EXPORT EXP RC4 MD5 SSLv3 RSA 512 RSA RC4 40 MD5 EXPORT EXP RC2 CBC MD5 SSLv2 RSA 512 RSA RC2 40 MD5 EXPORT EXP RC4 MD5 SSLv2 RSA 512 RSA RC4 40 MD5 EXPORT ADH AES256 SHA SSLv3 DH NONE AES 256 S...

Page 179: ...ain by later options moves the ciphers to the end of the list This option doesn t add any new ciphers it just moves matching existing ones STRENGTH is placed at the end of the cipher list and sorts th...

Page 180: ...hat all ciphers using either 40 or 56 bits symmetric ciphers are removed from the list This means that browsers running export controlled crypto software cannot access the server Using the OpenSSL com...

Page 181: ...encryption only EXPORT56 Cipher suites using 56 bit export encryption only eNULL NULL Cipher suites that do not offer any encryption at all Because the use of such ciphers pose a security threat they...

Page 182: ...lgorithms Cipher String Aliases Meaning DES Cipher suites using DES encryption algorithms but not triple DES RC4 Cipher suites using RC4 encryption algorithms RC2 Cipher suites using RC2 encryption al...

Page 183: ...nds used to configure the SNMP agent in a cluster see the SNMP Management Configuration section under Configuration Menu System Configuration in the Command Reference For detailed information about th...

Page 184: ...ROOT MIB S5 ETH MULTISEG TOPOLOGY MIB IF MIB IP MIB IP FORWARD MIB ENTITY MIB DISMAN EVENT MIB ALTEON ISD PLATFORM MIB ALTEON ISD SSL MIB ALTEON SSL VPN MIB ALTEON ROOT MIB IANAifType MIB SNMPv2 MIB...

Page 185: ...target command The following groups are implemented snmpTargetCommandResponderGroup snmpTargetBasicGroup snmpTargetResponseGroup Write access to snmpTargetParamsTable is turned off in VACM SNMP NOTIF...

Page 186: ...are products It is required by the S5 ETH MULTISEG TOPOLOGY MIB MIB S5 TCS MIB This MIB is used when the NVG participates in SONMP It is required by theS5 ETH MULTISEG TOPOLOGY MIB MIB S5 ROOT MIB Thi...

Page 187: ...EVENT MIB The DISMAN EVENT MIB is a MIB module for defining event triggers and actions for network management purposes See the cfg sys adm snmp event command in the Command Reference for instructions...

Page 188: ...llowing groups are implemented sslBasicGroup sslEventGroup ALTEON SSL VPN MIB The ALTEON SSL VPN MIB contains SSL IPsec user statistics and SSL IPsec license information for all VPNs It also contains...

Page 189: ...dStart Sent when the VPN Gateway reboots Defined in SNMPv2 MIB isdAlarmCleared Sent when an alarm is cleared isdDown Signifies that a VPN Gateway in the cluster is down and out of service isdLicense S...

Page 190: ...t one of the links interfaces has gone up Defined in IF MIB vpnLicenseExhau sted Sent when the VPN has run out of SSL or IPsec user licenses No more than one event per hour is sent for one VPN Defined...

Page 191: ...pliant with the SYSLOG SRD specifications They can be stored locally on the hard disk or in a memory buffer Syslog servers are added to the system configuration by using the menu options in the Syslog...

Page 192: ...Messages The OS system messages are divided into three categories EMERG CRITICAL ERROR EMERG Root filesystem corrupt The system cannot boot but stops with a single user prompt fsck failed Reinstall t...

Page 193: ...filesystem re initialized reinstall required or Config filesystem restored from backup if software upgrade is in progress that is if failure at first boot on new OS version System Control Process Mess...

Page 194: ...NVG cluster is down This alarm is only sent if the cluster contains more than one VPN Gateway Name single_master Sender system Cause down Extra Severity warning Only one master VPN Gateway in the clus...

Page 195: ...icenses using the cfg sys cur command Name license Sender IP Cause license_expire_soon Extra Expires TIME Severity warning The demo license loaded to the local VPN Gateway expires within 7 days Check...

Page 196: ...Tells that the MIP management IP address is now located at the VPN Gateway with the IP host IP address Name license_expire_soon Sender IP Indicates that the loaded demo license at the IP VPN Gateway e...

Page 197: ...e loaded at host IP has expired Check the loaded licenses with cfg sys cur Name audit Sender CLI Extra Start session details Update session details Stop session details Sent when a CLI system administ...

Page 198: ...o send traffic logging syslog messages Traffic syslogging was disabled as a result www_authenticate bad credentials The browser sent a malformed WWW Authenticate credentials header Most likely a broke...

Page 199: ...id Reconfigure Unable to find client private key for server Key for doing sslconnect is not valid Reconfigure Unable to use client certificate for server Certificate for doing sslconnect is not valid...

Page 200: ...failure Host Cert automatic retrieval of HTTP CRL failed parse error Cert auto crl over HTTP failed reason Reason Cert automatic retrieval of HTTP CRL failed Cert failed to create TFTP CRL temp file C...

Page 201: ...Gateway IPSEC server id uses default interface interface n not configured A specific interface is configured to be used by the IPsec server but this interface is not configured on the VPN Gateway Cert...

Page 202: ...is up again Backend health check detected backend ip port to be up Startup Messages The Traffic Processing Subsystem Startup messages only include the INFO category INFO HSM mode mode Hardware Securi...

Page 203: ...tarting reloading of certificates reload cert config done Certificate reloading done reload configuration start Virtual server configuration reloading start reload configuration network down Accepting...

Page 204: ...adv log is enabled If the log value contains login the following messages can be displayed VPN LoginSucceeded Vpn id Method ssl ipsec SrcIp ip User user Groups groups VPN LoginSucceeded Vpn id Method...

Page 205: ...jected Vpn id User user SrcIP ip Request request IPsec Subsystem Messages The IPsec subsystem messages are divided into these categories ERROR WARNING NOTICE INFO ERROR There are several ERROR message...

Page 206: ...not found Ignoring request to roam from s to s due to invalid source Expecting s Dropping roam request message because mismatch in source in payload and header Ignoring request to roam from s to s Dr...

Page 207: ...The client certificate with serial number d was revoked and thus login failed Ike not started due No license If no licence can be found such as on old ASA 310 IKE is not started INFO Using new IKE IK...

Page 208: ...ke Profile s Creating Loading a new IKE profile called s Updating Ike profile s A CLI BBI change in IKE profile s forces an update of the profile Deleting ike profile s IKE profile s has been deleted...

Page 209: ...once it has finished processing its current sessions All credits are exhausted for IPSec SA WARNING IPsec Maximum number of outstanding IPsec SA create requests have exceeded the limit All credits ar...

Page 210: ...p found script op ERROR Traffic Processing Bad script operation found in health check script Reconfigure This should normally be captured earlier by the CLI Bad string found string ERROR Traffic Proce...

Page 211: ...the same version as all other VPN Gateway s in the cluster The failing VPN Gateway tries to catch up with the other cluster members as it was not up and running when the new software version was insta...

Page 212: ...ping the clear text notify message Error in Diffie Hellman Setup group u WARNING IPsec Error in DH Setup Error while decoding certificate DER Id NOTICE IPsec A client sent a certificate where the X509...

Page 213: ...ilesystem EMERG OS Probable hardware error Reinstall Found size meg of phys mem INFO Startup Amount of physical memory found on system gzip error reason INFO Traffic Processing Problem encountered whe...

Page 214: ...fic Processing The server sent a bad HTTP header HTTP NotLoggedIn Vpn id Host host SrcIP ip Request method host path INFO AAA The remote user was not logged in to the specified web server requested fr...

Page 215: ...c SA Established IPSEC server s uses default interface interface p not configured WARNING IPsec This indicates possible badly configured default gateways on some Secure Service Partitioning interface...

Page 216: ...fg sys cur command license_expire_soon EVENT System Control Indicates that the loaded demo license at the IP VPN Gateway expires within 7 days license_expired EVENT System Control Indicates that the t...

Page 217: ...nfig filesystem restored from backup No cert supplied by backend server INFO Traffic Processing No certificate supplied by backend server when doing SSL connect Session terminated to backend server No...

Page 218: ...e Path path INFO AAA The remote user failed to access the specified folder directory on the specified file server requested from the Portal s Files tab PORTAL Vpn id User user Proto proto Host host Sh...

Page 219: ...te length d INFO IPsec Loading certificate revocation list of length d Root filesystem corrupt EMERG OS The system cannot boot but stops with a single user prompt fsck failed Reinstall to recover Root...

Page 220: ..._changed EVENT System Control Indicates that release VSN version has been Status unpacked installed permanent software_release_copying EVENT System Control Indicates that IP is copying the release VSN...

Page 221: ...figure Unable to use the certificate for server nr ERROR Traffic Processing Unsuitable certificate configured for server unknown WWW Authenticate method closing ERROR Traffic Processing Backend server...

Page 222: ...VPN LoginSucceeded Vpn id Method ssl ipsec SrcIp ip User user Groups groups TunIP inner tunnel ip INFO AAA Login to the VPN succeeded The remote user s access method client IP address user name and gr...

Page 223: ...g disclaimer 2 Redistributions in binary form must reproduce the preceding copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided wi...

Page 224: ...pyright 1995 1998 Eric Young eay cryptsoft com All rights reserved This package is an SSL implementation written by Eric Young eay cryptsoft com The implementation was written so as to conform with Ne...

Page 225: ...ARE DISCLAIMED IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITU...

Page 226: ...ublish on each copy an appropriate copyright notice and disclaimer of warranty keep intact all the notices that refer to this License and to the absence of any warranty and give any other recipients o...

Page 227: ...gregation of another work not based on the Program with the Program or with a work based on the Program on a volume of a storage or distribution medium does not bring the other work under the scope of...

Page 228: ...not signed it However nothing else grants you permission to modify or distribute the Program or its derivative works These actions are prohibited by law if you do not accept this License Therefore by...

Page 229: ...luding those countries so that distribution is permitted only in or among countries not thus excluded In such case this License incorporates the limitation as if written in the body of this License 9...

Page 230: ...AINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES END OF TERMS AND CON...

Page 231: ...AL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY TH...

Page 232: ...232 License Information Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14 April 2008 Copyright 2007 2008 Nortel Networks...

Page 233: ...rall validation and a level 4 validation in the area of Self Test The following table describes the compliance level for each section of the FIPS 140 1 specification Cryptographic Modules Level 3 Modu...

Page 234: ...plications The board has two modes These are the non FIPS140 1 mode and the FIPS140 1 mode In the FIPS140 1 mode the board can be used in servers to improve the performance associated with high rate s...

Page 235: ...is controlled through its PCI interface Commands are entered through the PCI bus and status is read from the PCI bus Also both plaintext and encrypted data is transmitted over the PCI interface The se...

Page 236: ...SHA 1 Hashing of host provided data Hashing for the purpose of verifying the RSA digital signature of a firmware image Hashing a 3DES key for the purpose of checking its integrity after it is split a...

Page 237: ...tain a pin used to authenticate the Security Officer One will contain a pin used to authenticate the User One will contain a key part to be controlled by the Security Officer One will contain a key pa...

Page 238: ...ters Battery voltage is also monitored to determine when it is necessary to replace the battery 7 3 FastMap Processor This component contains a processor and internal SRAM The processor executes the s...

Page 239: ...for user authentication or to store key parts for moving keys from one HSM to another HSM 7 9 Universal Asynchronous Receiver Transmitter UART This component is disabled in the production version of t...

Page 240: ...user who created it cannot be used for any other purpose such as key exchanges or encryption decryption of data The user may specify through Boolean attributes whether the private key may be used for...

Page 241: ...s identity based authentication to allow subjects to assume one of the two roles Usernames are transmitted to the HSM over the PCI interface to identify the user A corresponding personal identificatio...

Page 242: ...ity Officer can create a User account Creating the User account generates a random PIN which is stored in the User s iKey token The SHA 1 hash of this random PIN is associated with the User account 9...

Page 243: ...ata input interface Note 2 This is a PKCS 12 method for deriving a 3DES key from a password salt and iteration count Note 3 The Exponentiation Using CRT and Exponentiation functions are generic math f...

Page 244: ...ing a 3DES key from a password salt and iteration count Note 3 The Exponentiation Using CRT and Exponentiation functions are generic math functions all parameters are input through the PCI interface d...

Page 245: ...a 3DES key from a password salt and iteration count Note 3 The Exponentiation Using CRT and Exponentiation functions are generic math functions all parameters are input through the PCI interface data...

Page 246: ...Using CRT and Exponentiation functions are generic math functions all parameters are input through the PCI interface data input interface Note 4 When operating in the FIPS140 1 mode it is not possibl...

Page 247: ...count Note 3 The Exponentiation Using CRT and Exponentiation functions are generic math functions all parameters are input through the PCI interface data input interface Note 4 When operating in the F...

Page 248: ...ed using the Key Wrapping Key Note 5 User Login is the process that takes the board from an unauthenticated state to the authenticated state Only one user may be authenticated at a particular time Con...

Page 249: ...together generate the Key Wrapping Key The key splitting occurs when the Write Key Split command is first issued by the Security Officer This command will cause one of the key parts to be written to a...

Page 250: ...ne so that keys may be stored on backup media such as tape or hard drives The Rainbow Technologies key management utility utilizes the Wrap Key command to perform key archival All archived keys are 3D...

Page 251: ...certain operations e g DES RSA CRT exponentiation It is still possible to store keys on the board so that they cannot be extracted These non extractable keys will be erased if a tamper attempt is det...

Page 252: ...ate Verify Firmware Image Service 13 0 Conclusion The HSM provides FIPS 140 1 Level 3 cryptographic processing acceleration and security for RSA signing and verifying functions In the non FIPS140 1 mo...

Page 253: ...253 Appendix Definition of Key Codes Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14 April 2008 Copyright 2007 2008 Nortel Networks...

Page 254: ...ou wish to redefine F1 PGUP and so on The new STRING to be sent when pressing the key should come after the equals character Hash marks in the file declare the line as a comment and will be ignored Th...

Page 255: ...Vertical Tabulator Sends a vertical tabulator character a Bell Sends a terminal bell character which should make the terminal sound its bell number Inserts the character that is defined by this number...

Page 256: ...T The Cursor Right key NUMPAD0 NUMPAD9 The numbered Numeric keypad keys ESCAPE The Escape key BACKSPACE The Backspace key TAB The Tab key Example of a Key Code Definition File Following is an example...

Page 257: ...frastructure and no certificate authorities for the SSH host keys Instead the security of SSH sessions depends on SSH clients keeping track of the public keys that should be used to authenticate diffe...

Page 258: ...ion with the server administrator OR Pre installing the remote host key previously transferred by some out of band means in the client s key storage i e effectively making the remote host known even b...

Page 259: ...ands in the cfg sys adm sshkeys menu concern the former case while the knownhosts menu concerns the latter The VPN Gateway supports the use of three different SSH host key types SSH protocol version 1...

Page 260: ...260 SSH host keys Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14 April 2008 Copyright 2007 2008 Nortel Networks...

Page 261: ...ve Directory This attribute will contain an opaque data structure containing various information that the user may have saved during a Portal session This description is based on Windows 2000 Server a...

Page 262: ...Action 1 Click Start and select Run 2 In the Open field enter regsvr32 schmmgmt dll Note that there is a space between regsvr32 and schmmgmt dll 3 Click OK This command will register schmmgmt dll on y...

Page 263: ...ver 2003 263 4 On the File Console menu select Add Remove Snap in The Add Remove Snap in window is displayed 5 Click Add The Add Standalone Snap in window is displayed Nortel VPN Gateway User Guide NN...

Page 264: ...e Schema snap in go to the File Console menu and select Save The Save As windows is displayed 10 Save the console in the Windows System 32 root folder 11 As file name enter schmmgmt msc 12 Click Save...

Page 265: ...Schema 2 Select Operations Master 3 Select the check box The Schema may be modified on this Domain Controller 4 Click OK End Create a New Attribute Windows 2000 Server and Windows Server 2003 To crea...

Page 266: ...on 1 In the Console window right click Classes point to New and select Class You will now receive a warning that creating schema classes is a permanent operation and cannot be undone 2 Click Continue...

Page 267: ...ndow on the left pane expand Classes 2 Select the nortelSSLOffload class 3 Right click and select Properties The Properties window is displayed 4 Select the Attributes tab and click Add 5 Add the isdU...

Page 268: ...SSLOffload Class to the User Class Step Action 1 In the Console window on the left pane expand Classes and select user 2 Right click and select Properties The Properties window is displayed 3 Select t...

Page 269: ...and cfg vpn aaa auth ldap enauserpre or the BBI setting User Preferences under VPN Gateway VPN Authentication Auth Servers Ldap the remote user should now be able to store user preferences in Active D...

Page 270: ...270 Adding User Preferences Attribute to Active Directory Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14 April 2008 Copyright 2007 2008 Nortel Networks...

Page 271: ...271 Appendix Using the Port Forwarder API Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14 April 2008 Copyright 2007 2008 Nortel Networks...

Page 272: ...ons are set by defining a port forwarder in the CLI BBI It is then referred to when setting up the Port Forwarder API Note Defined applications are only started automatically if the port forwarder API...

Page 273: ...URL for the Portal login called loginUrl in the following examples Example http vpn example com login_post yaws user test password test authmethod default url The parameters are the same as if access...

Page 274: ...le 1 linkset The number of the linkset in the VPN for example 1 link The number of the link in the linkset for example 1 When run as a regular application the arguments are simply passed on the comman...

Page 275: ...rea to be cacheable by the client web browser it has to be put in a top directory called nortel_cacheable The demo project zip file has such a directory at it s top level When uploaded to the content...

Page 276: ...arderAuthenti cator interface public PortForwarderCredentials getCredentials public java net PasswordAuthentication getProxyCredenti als Example Following is an example of the code for creating a Port...

Page 277: ...Example 277 Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14 April 2008 Copyright 2007 2008 Nortel Networks...

Page 278: ...null catch MalformedURLException e e printStackTrace catch IOException e e printStackTrace return null PortForwarderAuthenticator pfa new PortForwarderAuthenticator public PortForwarderCredentials get...

Page 279: ...ger function Example Following is an example of the code for adding a Port Forwarder logger public class PortForwarderLoggerImpl implements PortForwarderLogger private final ResourceBundle messages pr...

Page 280: ...f throwable null portForwarderGui appendInfo throwable getMessage System getProperty line se parator throwable printStackTrace public void log final int logLevel final String msg final Throwable throw...

Page 281: ...Example 281 Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14 April 2008 Copyright 2007 2008 Nortel Networks...

Page 282: ...m nortel nvg portforwarder http proxyPort The proxy port for HTTP HTTPS accesses com nortel nvg portforwarder http proxyUserN ame The proxy username for HTTP HTTPS accesses com nortel nvg portforwarde...

Page 283: ...Forwarder status gives you the ability to always know the state of the Port Forwarder for example if it is ready to receive connections Following is an example of the code for monitoring the status o...

Page 284: ...ollowing is an example of the code for monitoring Port Forwarder statistics This will print current statistics every 3 seconds Nortel VPN Gateway User Guide NN46120 104 02 01 Standard 14 April 2008 Co...

Page 285: ...s with its physical hardware address Base Profile Refers to links and access rules specified for a user group directly under the Group level If extended profiles are used the base profile s links and...

Page 286: ...line interface by using the request command DCE Data Communicatons Equipment A device that communicates with a Data Terminal Equipment DTE in RS 232C communications DER Distinguished Encoding Rules A...

Page 287: ...ontrols data flowing to or from a computer The term is most often used in reference to serial communications defined by the RS 232C standard This standard defines the two ends of the communication cha...

Page 288: ...of the MIP address should another master fail Configuration changes in the cluster are propagated to other members through the master VPN Gateways MIB Management Information Base An SNMP structure th...

Page 289: ...s passphrases more secure PEM Privacy Enhanced Mail A standard for secure e mail on the Internet It supports encryption digital signatures and digital certificates as well as both private and public k...

Page 290: ...ess an intranet application by connecting to localhost on the specified port number Real Server Group A group of real servers that are associated with a virtual server IP address VIP or filter on a No...

Page 291: ...tions by easily integrating other security technologies e g SSL SOCKS includes two components the SOCKS server and the SOCKS client The SOCKS server is implemented at the application layer while the S...

Page 292: ...redundant paths and makes only one of them active at any given time TLS Transport Layer Security The TLS protocol provides communications privacy over the Internet The protocol allows client server ap...

Page 293: ...to split up groups of network users into manageable broadcast domains to create logical segmentation of workgroups and to enforce security policies among logical segments Up to 246 VLANs are supporte...

Page 294: ...had moved in the network For a more detailed description refer to RFC 2338 X 509 A widely used specification for digital certificates that has been a recommendation of the ITU since 1988 Nortel VPN Ga...

Page 295: ...ate 94 submit 94 certificates add using TFTP 103 client 110 managing 93 revoke client certificates 116 view installed certificates 172 ciphers list formats 179 meaning of string aliases 181 string ali...

Page 296: ...IP 37 host keys SSH 257 HSM iKey authentication 30 the ASA 310 FIPS 27 wrap key 30 HSM SO iKey 30 HSM USER 30 I idle timeout command line interface 144 iKey 30 authentication 30 HSM CODE 30 HSM SO 30...

Page 297: ...19 minor or major release upgrade 74 reinstall 70 version handling when upgrading 75 ssh host keys 257 SSH host keys 257 ssh known hosts 257 SSH see Secure Shell 138 146 SSL view configured servers 1...

Page 298: ...te software package 76 handling software versions 75 minor or major release upgrade 74 user access levels 140 Boot user for reinstall 70 categories 140 passwords 141 user preferences 261 V virtual IP...

Page 299: ......

Page 300: ...el Networks Nortel Nortel Networks the Nortel logo and the Globemark are trademarks of Nortel Networks Export This product software and related technology is subject to U S export control and may be s...

Reviews:

No comments

Related manuals for NN46120-104

NETWORK INTERFACE CARDS

Brand: Secure Computing Pages: 17

MicroTrac Gateway

Brand: YASKAWA Pages: 33

MSR3610-I Series

Brand: H3C Pages: 33

Brand: Sangoma Pages: 4

Brand: Qiagen Pages: 22

NXB-CCG-K NetLinx Clear Connect

Brand: AMX Pages: 2

Brand: AMX Pages: 5

NetLinx NXR-ZGW

Brand: AMX Pages: 42

NetLinx NXR-ZGW-PRO

Brand: AMX Pages: 46

Brand: tiko Energy Solutions Pages: 40

Brand: Galaxy Pages: 18

Brand: ELKOR Pages: 2

Brand: ICPDAS Pages: 52

AWGTY-DGOISG86A0

Brand: AWPLC Pages: 25

Brand: PiiGAB Pages: 48

Brand: Nateks Pages: 67

Brand: SICK Pages: 130

Sigfox Access Station Micro SMBS-T4

Brand: Sigfox Pages: 2

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands