
IntraPort 2 and IntraPort 2+

VPN Access Server

Administrator’s Guide

Compatible Systems Corporation

4730 Walnut Street

Suite 102

Boulder, Colorado 80301

303-444-9532
800-356-0283

http://www.compatible.com

Summary of Contents for INTRAPORT 2

Page 1: ...IntraPort 2 and IntraPort 2+ VPN Access Server Administrator's Guide. Compatible Systems Corporation, 4730 Walnut Street, Suite 102, Boulder, Colorado 80301. 303-444-9532, 800-356-0283. http://www.compatible.com ...

Page 2: ...or more U.S. Patent Nos. 4,701,745; 5,003,307; 5,016,009; 5,126,739; 5,146,221; 5,414,425; 5,414,850; 5,463,390; 5,506,580; 5,532,694. Other Patents Pending. Part number A00-1619. FCC Notice: This product has been certified to comply with the limits for a Class A computing device pursuant to Subpart J of Part 15 of FCC Rules. It is designed to provide reasonable protection against radio or television communicatio...

Page 3: ...Server 6; Needed for Installation 6; Ethernet Connection Requirements 7; VPN Client Software Requirements 7; Chapter 3, Network Installation 9; Placing the Server 9; Connecting the Server to the Ethernet 9; Connecting a Management Console 10; Powering Up the Server 10; Chapter 4, CompatiView Software Installation 11; CompatiView for Windows 11; System Requirements 11; Installation and Operation 12; Transport Pro...

Page 4: ...ternate Protocols and Security Parameters 50; IPX Protocol 50; Required for IPX 50; Suggested for IPX 50; AppleTalk Protocol 51; Required for AppleTalk 51; Suggested for AppleTalk 51; SETTING UP RADIUS AUTHENTICATION 51; Setting the IntraPort for a RADIUS Server 51; RADIUS Server User Authentication Settings 52; SETTING UP SECURID AUTHENTICATION 53; Setting the IntraPort for an ACE Server 54; ACE Server Setti...

Page 5: ...atterns 61; Ethernet Back Panel Indicators (LEDs) 61; Front Panel LEDs 61; Sys Ready 61; Power On, No Traffic 61; Ethernet Traffic Indicators 61; IntraPort 2 Connections/Users LEDs 62; IntraPort 2+ Connections/Users LEDs 62; IntraPort 2 Special Indicators 63; IntraPort 2+ Special Indicators 63; IntraPort 2/2+ VPN Access Server Switch Settings 63; Appendix E, Downloading Software From Compatible Systems 65; THE COMPA...


Page 7: ... to the Internet via PPP or Ethernet. The IntraPort VPN Clients are applications which set up the remote access VPN tunnels to the IntraPort 2/2+ VPN Access Server and make sure that appropriate data gets sent. The clients work in conjunction with your communications software. Connections can be made to the Internet via PPP software, or over a local intranet via your workstation's LAN adapter. Together ...

Page 8: ...ting Started: This part of the manual describes the contents of the IntraPort 2/2+ package and outlines the preparation and equipment you will need to install the device. Network Installation: This part of the manual includes step-by-step instructions on how to physically install the server and connect it to your local Ethernet. Instructions are included for twisted pair Ethernet environments. CompatiVi...

Page 9: ...IntraPort 2/2+ VPN Access Server with protocols other than TCP/IP, and when using additional security parameters such as SecurID and RADIUS. Appendices: Additional information that might be of interest to you, such as technical specifications, default settings, and how to download current software from the Compatible Systems website, can be found at the end of this guide. ...


Page 11: ...rvers are covered by the Compatible Systems Integrated Support Package, which includes a lifetime comprehensive warranty, a twenty-four hour advanced replacement program, unlimited phone support, and software upgrades for the life of the product. Compatible Systems maintains copies of current software updates on the Internet. You may download product software from these sources at any time. For more info...

Page 12: ... check your shipping package for the following items: IntraPort 2/2+ unit; wall-mount power supply; one DB-25 male to DB-25 female console cable; CD-ROM including CompatiView software, operating software, VPN Client software (Windows and Mac OS versions), and an HTML version of the product documentation which can be viewed with your favorite web browser; CompatiView Management Software Reference Guide; Text-Base...

Page 13: ... the IntraPort 2/2+ product. Please contact your reseller or your Compatible Systems representative for information on obtaining the correct Ethernet cabling supplies. VPN Client Software Requirements: In order to run the VPN Client software, your remote users will require one of the following: a Windows PC with a 486 or later processor and either the Windows 95/98 or Windows NT operating system; a Macin...


Page 15: ...d alone on a desktop or equipment table. Note: When stacking other equipment on the IntraPort 2/2+, do not exceed 25 pounds of evenly distributed weight on top of the device. Additional weight may bend the case. Connecting the Server to the Ethernet: Because Ethernet 1 is IPSec-only, meaning it will only handle IPSec packets and will drop all other traffic, you need to pay special attention to your Ether...

Page 16: ...tion on obtaining the correct Ethernet cabling supplies. If your twisted pair hub is already in place, you can connect the server to an active network without interrupting network activity. The server must be powered off. Simply plug an unshielded twisted pair cable that is already connected to your 10BaseT-compatible or 100BaseTx-compatible twisted pair hub into the RJ-45 Ethernet connector on the ba...

Page 17: ...e with the IntraPort 2/2+ VPN Access Server software. You must use CompatiView for Windows version 5.0 or later to manage your server with CompatiView. PC emulator software such as SoftWindows may be used for this purpose if your Macintosh supports it. Note: Once you have installed CompatiView, you can find more information on how to use it in the CompatiView Management Software Reference Guide, whic...

Page 18: ...tem files by the installation program, see the README.TXT file located in the CompatiView installation directory. Transport Protocols and CompatiView: CompatiView will be able to use the transport protocol (IP or IPX) you have selected to access Compatible Systems products anywhere on your internetwork. Depending on your security setup, you may also be able to use the IP transport option to manage devic...

Page 19: ...ecessary to either power up the server before powering up the workstation, or reboot the workstation after the server has completed its boot sequence. This process will ensure that the workstation and the server have the proper IPX network bindings for communication. For more information on using CompatiView management software to configure your server, see Chapter 6, Basic Configuration Guide. ...


Page 21: ...n-band Telnet access. In order to access the command line out-of-band, do the following: 1. Set a terminal, or a PC equipped with VT100 terminal emulation, to a baud rate of 9600, 8 bits, no parity, 1 stop bit, and no Flow Control. 2. Connect it to the server's Console interface using the cable which was supplied with the IntraPort 2/2+. 3. Press the Return key one or two times. 4. Enter the default password letm...

Page 22: ... original settings. See the next section, Setting Up Telnet Operation, for information on setting the server to allow Telnet access from hosts on its network. Setting Up Telnet Operation: Telnet is a remote terminal communications protocol based on TCP/IP. With Telnet, you can log into and manage the IntraPort 2/2+ from anywhere on your IP internetwork, including across the Internet if your security setup ...

Page 23: ...ons for these two methods are given in Chapter 4, CompatiView Software Installation. With CompatiView, basic IP parameters can be set using the TCP/IP Routing: Ethernet 0 dialog box. Use the Save to Device option under the File menu to save the changes. After you have set these IP parameters and saved the changes, you can use Telnet to access the server from any node on your IP network. Invoke the Teln...


Page 25: ...apter. Note: This Basic Configuration Guide does not include information on setting up packet filters. See the CompatiView Management Software Reference Guide regarding IP, IPX, and AppleTalk packet filters for more information. Refer to the VPN Client Reference Guide for information on the installation and operation of the VPN Client software. Setup Options: The IntraPort 2/2+ can be set up in two diff...

Page 26: ...Chapter 6, Basic Configuration Guide. Figure 2: Diagram of Dual Ethernet Setup ...

Page 27: ...Figure 3: Diagram of Single Ethernet Setup ...

Page 28: ...te step for each setup is indicated. Note: Remember that in single Ethernet setups, Ethernet 1 must not be connected to anything, or else it may cause difficult-to-diagnose problems on the IntraPort 2/2+ and on your network. 1. Turn off AppleTalk and IPX (optional). If you are using AppleTalk and/or IPX, you can either leave the default configuration parameters in place or see Chapter 7 for more informatio...

Page 29: ...ubnet Mask and the Network IP Broadcast Mask correctly entered. Incorrect information can cause difficult-to-diagnose problems or disable the IntraPort until the information is corrected. C. If you are using RIP, select the correct version from the Routing Protocol pull-down menu. If you are not, select None in the Routing Protocol pull-down menu. Note: Routing protocol options (OSPF) and all parameters...

Page 30: ...you have assigned the IntraPort 2/2+. This address must not be in the same TCP/IP network as Ethernet 0, or you will disable TCP/IP in the IntraPort 2/2+. Verify that you have the IP Address, the Network IP Subnet Mask, and the Network IP Broadcast Mask correctly entered. C. Click OK. 3. Single Ethernet: Turn IP off on Ethernet 1 (IP Connection: Ethernet 1). To access this dialog box, select TCP/IP Routing under ...

Page 31: ...ar. Dual Ethernet Static Route / Single Ethernet Static Route. B. Click the IP Address radio button in the Gateway section. For dual Ethernet setups, enter the internal TCP/IP address of your firewall or proxy, whichever is applicable. For single Ethernet setups, enter the internal TCP/IP address of your upstream Internet access/firewalling router. In either case, this address must be on the same TCP/IP netw...

Page 32: ...ment Software Reference Guide for more advanced configuration settings. Note: For single Ethernet setups, you must configure the firewall to allow UDP port 500 (ISAKMP), Protocol number 51, which is the AH (Authentication Header) protocol packet type, and/or Protocol number 50, which is the ESP (Encapsulating Security Payload) protocol packet type. C. Click OK. ...

Page 33: ... the TCP/IP address of the upstream or Internet router for your network. This must be an address on the same TCP/IP network as the Ethernet 1 address of the IntraPort 2/2+. For single Ethernet setups, the IPSec Gateway is an optional setting. It serves as a default gateway for all IPSec (i.e., tunneled) traffic. Enter the TCP/IP address of your Internet access/firewalling router. This must be an address on ...

Page 34: ...re are three pieces to the IKE protection suite. 1. The first piece of each option is the authentication algorithm to be used for the negotiation. MD5 is the Message Digest 5 hash algorithm. SHA is the Secure Hash Algorithm, which is considered to be somewhat more secure than MD5. 2. The second piece is the encryption algorithm. DES (Data Encryption Standard) uses a 56-bit key to scramble the data. 3DES us...

Page 35: ...later, but that is an advanced configuration parameter and not covered here. The Bind To specifies which interface on the device will act as the local endpoint for tunnels defined by this configuration. Choose the Max Connections value and keep this number in mind. This number is the maximum number of concurrent Client sessions allowed in this VPN Group Configuration. Set a different Keep Alive Int...

Page 36: ...anagement Software Reference Guide for more advanced configuration settings. VPN Group Configuration: IKE Configuration Tab. E. On the IKE Configuration Tab, select the authentication and encryption algorithms to be used for tunnel sessions. Note: STEP/STAMP (Compatible Systems' proprietary tunnel negotiation protocol) encryption parameters may be set using the Manual Tab. This can be used to allow con...

Page 37: ...n are adequate for most setups. Click OK. In the IKE Key Management dialog box, you may click on the PFS checkbox to add additional security parameters during tunnel sessions. This is optional. Note: For more information regarding encryption, authentication, and Perfect Forward Secrecy, refer to the CompatiView Management Software Reference Guide. ...

Page 38: ... assigned to client sessions under this configuration. This address will be incremented by one for each new client session until the Max Connections number entered on the General tab is reached. Since the Max Connections value is 30 for this VPN Group, the Start IP Address must be the first in a block of at least 30 unused IP addresses. For this very basic setup, it is recommended that these addr...

Page 39: ... box will appear. THIS IS A VERY IMPORTANT FIELD. The values you enter here determine what TCP/IP traffic is tunneled, or, more commonly, where a client who belongs to this VPN Group Configuration can go on your network. If you enter the internal network in the dual Ethernet example (192.168.233.0/24), all traffic from a client going to the internal network will be tunneled through the IntraPort 2/2+. This ...

Page 40: ... network number entered here must not be the same network number as any other IPX network on your network, and you must choose a network number which will not overlap as Client sessions are established. In this example, the first client to connect will be assigned the IPX network CAFEB00. The next client which connects concurrently will be assigned the IPX network CAFEB01, and so on. Leave all other pa...

Page 41: ...emote computer. VPN User Configuration: To access this dialog box, select VPN User Configuration in the Device View. A. Click the Add button. The following dialog box will appear: VPN User. B. Enter the user name in the Name field. This name can be anything within reason, but cannot exceed 60 ASCII characters. The VPN Group specifies the VPN Group to which this user belongs. Select the VPN Group using the pu...

Page 42: ...File menu, choose Save To File. This will bring up a file save dialog box. Name the device configuration file, making sure that you associate the file name with the IntraPort 2/2+ and can find the file later. B. From the File menu, choose Save To Device. This will bring up a download configuration dialog window. Choose the IntraPort 2/2+ if given the option. When asked if you are sure that you want to downloa...

Page 43: ...oose VPN Port > Add VPN Port. This will bring up the Add VPN Port dialog box and will allow you to select a number for the virtual port. Add VPN Port. B. Click OK. 2. Set up the Tunnel Partner. Once you have created a VPN port, you need to provide information about the remote Tunnel Partner and specify which interface on the local device will act as the endpoint for the tunnel. A. In the Device View, click on ...

Page 44: ...Partner. IKE Key Management is recommended. IKE Key Management: Once a VPN port has been created, you may access the IKE Key Management dialog box by clicking on the port's icon in the Device View and selecting IKE Key Management. A. From the pull-down menu, select the Key Manage method to use for this tunnel. If Auto key management is selected, IKE will be used to allow two devices to negotiate between th...

Page 45: ...unnel sessions using the IKE Configuration Transform list box. Click on the Add button in the Transform section to access the IKE Configuration Transform List dialog box. IKE Configuration Transform List: The default settings of MD5 for Authentication and DES for Encryption are adequate for most setups. Click OK. D. In the IKE Key Management dialog box, you may click on the PFS checkbox to add additional...

Page 46: ...e menu, choose Save To Device. This will bring up a download configuration dialog window. Choose the IntraPort 2/2+ if given the option. When asked if you are sure that you want to download the configuration and restart the device, click on the Yes button. You should see a new window with a log of the download process. CompatiView will then tell you that the download is complete and the device is rebooti...

Page 47: ...server, see the previous section in this chapter, Configuration using CompatiView: VPN Client Tunnel Settings. Configuration of the server for both dual and single Ethernet setups is very similar, but when there are differences between them, the appropriate step for each setup is indicated. Note: Remember that in single Ethernet setups, Ethernet 1 must not be connected to anything, or else it may cause d...

Page 48: ...06.45.55.255. 3. Dual Ethernet: Set basic IP parameters for Ethernet 1. Enter the external TCP/IP address you have assigned the IntraPort 2/2+. This address must not be in the same TCP/IP network as Ethernet 0, or you will disable TCP/IP in the IntraPort 2/2+. Use configure and set the IPAddress, SubnetMask, and IPBroadcast keywords in the IP Ethernet 1 section. Example:
    config IP Ethernet 1
    IP Ethernet 1: ipad...

Page 49: ...tion, Mask, Gateway, Port, Metric, Redist, RIP: none. Dual Ethernet Setup Example:
    Edit IP Static: append 1
    Enter lines at the prompt. To terminate input, enter a . on a line all by itself.
    Append: 0.0.0.0 0.0.0.0 192.168.233.3 1 redist none
    Append:
    Edit IP Static: exit
Single Ethernet Setup Example:
    Edit IP Static: append 1
    Enter lines at the prompt. To terminate input, enter a . on a line all by itself.
    Append: 0.0.0.0 0...

Page 50: ...k as the Ethernet 0 address of the IntraPort 2/2+. Use configure and set the IPSecGateway keyword in the General section. Example:
    configure general
    General: ipsecgateway 206.45.55.2
6. Set an IKE Policy. There are two phases to the IKE negotiation. During Phase 1 negotiation, the IntraPort and Client must authenticate each other. The IKE Policy section controls this Phase 1 negotiation. Phase 2 negotiation...

Page 51: ...those used for any other VPN Groups. Note: For large numbers of users (i.e., over 50), it's recommended that the block of addresses be specified as a Local IP Net, because address administration is easier. Using a Start IP Address is recommended for smaller numbers of users, because the routing setup is simpler. See the Text-Based Configuration and Command Line Management Reference Guide for more informati...

Page 52: ...sic vpn config
    Section "vpn group basic vpn config" not found in the config. Do you want to add it to the config? y
    Configure parameters in this section by entering: Keyword Value. To find a list of valid keywords and additional help, enter
    VPN Group "basic vpn config": bindto ethernet 0
    VPN Group "basic vpn config": maxconnections 30
    VPN Group "basic vpn config": startipaddress 192.168.233.50
    VPN Group "basic vpn...

Page 53: ... keywords specify STEP/STAMP (Compatible Systems' proprietary tunnel negotiation protocol) parameters for users. These can be used to allow connections from users running older versions of the VPN Client software, but this is not recommended for new users. 9. Save the Configuration and download it to the device. Use the save command to save the configuration and download it to the device. When asked if you ...

Page 54: ...ote Tunnel Partner and specify how tunnels will be set up. Use configure and set keywords in the Tunnel Partner VPN [port number] section (this will be the number of the port you just created). Partner: Specifies the IP address of the remote Tunnel Partner with which this VPN port will communicate via the tunnel. This will be an interface on the remote router which has been set to route IP, and will also b...

Page 55: ...d alphanumeric secret which is used to generate session keys for authenticating and/or encrypting each packet sent or received through the tunnel. Dual Ethernet Setup Example:
    configure tunnel partner vpn 0
    Tunnel Partner VPN 0: partner 10.10.5.3
    Tunnel Partner VPN 0: bindto ether 1
    Tunnel Partner VPN 0: keymanage auto
    Tunnel Partner VPN 0: transform esp md5 des
    Tunnel Partner VPN 0: sharedkey babaganous...

Page 56: ...ments. Note: Refer to the VPN Client Reference Guide for information on the installation and operation of the VPN Client software. In this chapter: CV = parameters configured using CompatiView management software; TB = parameters configured using Text-Based or Command Line Management. IPX Protocol. Required for IPX: Generally, there are no required changes from the shipping Ethernet configuration for IPX. The...

Page 57: ...re and set keywords in the AppleTalk Phase 2 Ethernet 0 section. Setting up RADIUS Authentication: If you are using a RADIUS server for user authentication, you must set up the IntraPort to communicate with a RADIUS server and also set some special parameters in the RADIUS server itself. Setting the IntraPort for a RADIUS Server: Just a few basic settings are required for the IntraPort to communicate w...

Page 58: ...gned to the client by the IntraPort as it begins to account for the client. To use this feature, the two attribute numbers for these two IP address strings must also be configured in the RADIUS server's dictionary file and in the RADIUS section of the IntraPort's configuration. The following is an example for a Livingston RADIUS server dictionary file:
    ATTRIBUTE Client-Real-IP 66 string
    ATTRIBUTE Clien...

Page 59: ...rID authentication. Dynamic two-factor authentication combines something the user knows (a memorized personal identification number, or PIN) with something the user possesses (a SecurID token, which generates an unpredictable code every 60 seconds). This combination of PIN and SecurID tokencode represents a one-time PASSCODE and is transmitted to the ACE/Server software for verification. See Appendix C of t...

Page 60: ...structions on adding and removing users in the ACE/Server database. Note: The IntraPort should be configured as a communication server in the Client Type pull-down menu in the ACE/Server's Add Client dialog box (under Client > Add Client). Note: The first time the IntraPort contacts the ACE/Server, they exchange a secret based in part on the IntraPort's IP address. After the first exchange, the Sent Node...

Page 61: ...Flash ROM. Once a configuration is complete, you can save it to the router's Flash ROM. Until saved, all changes are made in a separate buffer, and the server's interfaces continue to run as before the changes were made. CV: Use the Save to Device option from the File menu. TB: Use the save command. ...


Page 63: ...fault Password: letmein. IP Defaults: Ethernet 0 is on; Address 198.41.12.1; Subnet mask 255.255.255.0; Broadcast address 198.41.12.255; Mode: Routed. Ethernet 1 is off. IPX Defaults: Ethernet 0 is on; Mode: Routed. Ethernet 1 is off. AppleTalk Defaults: Ethernet 0 is on; Mode: Routed. Ethernet 1 is off. ...

Page 64: ...r and Cable Pin-Outs. Pin-Outs for DB-25 Male to DB-25 Female RS-232 Data Console Cable: The cable supplied with the IntraPort 2/2+ VPN Access Server is 25 conductors connected straight through. Connections on the Console interface follow the standard RS-232 pin-outs. ...

Page 65: ... directly from Security Dynamics Technologies, Inc. Use the following information to contact Security Dynamics for more information: Security Dynamics Technologies, Inc., 20 Crosby Drive, Bedford, MA 01730, U.S.A. 800-SECURID (800-732-8743) or 888-732-8743. To telephone from outside the U.S.: 781-687-7000. E-mail: info@securitydynamics.com. Web site: http://www.securitydynamics.com ...


Page 67: ...cates that there is a good connection to the hub. Activity: The Activity light indicates that there is activity across the link. Front Panel LEDs: The IntraPort 2 and IntraPort 2+ VPN Access Servers use a number of light patterns on their front LED bars to indicate various operating conditions. Sys Ready: The server booted properly without detecting any failures. Power On, No Traffic: The server will scan t...

Page 68: ...IntraPort 2 Connections/Users LEDs (Connections/Users LED: User Range):
    1: 1-5
    6: 6-11
    12: 12-17
    18: 18-23
    24: 24-29
    30: 30-35
    36: 36-41
    42: 42-47
    48: 48-53
    54: 54-64
IntraPort 2+ Connections/Users LEDs (Connections/Users LED: User Range):
    1: 1-19
    20: 20-39
    40: 40-59
    60: 60-79
    80: 80-99
    100: 100-119
    120: 120-139
    140: 140-159
    160: 160-179
    180: 180-200 ...

Page 69: ...ash ROM. Scanning from the outside toward the center: Flash ROM erase due to switch setting five or six is complete. Set switch to zero and cycle power. (Ethernet Lights | Connections/Users | Indication):
    4, 5 flashing | 120, 140 flashing | Router stacks starting up
    2, 3 flashing | 1, 20, 80, 100, 160, 180 flashing | No OS loaded; running from ROM
    1, 4, 5 flashing | 120, 140 and Sys Rdy flashing | Erasing OS or config in Flash ROM ...


Page 71: ...ent software is also available. To download software, follow the instructions below. The Compatible Systems WWW Server: The WWW Server is accessible via the Internet. 1. Use your browser to access http://www.compatible.com and find the link on our home page to Software Downloads. 2. Select the product and software version you want, then click on the appropriate file to download it. Note: These files are also...


Page 73: ... specifications published by Compatible Systems for such Products as of the shipping date; (b) the Products are free from all material defects in materials and workmanship under normal use and service; and (c) that as a result of the purchase of the Products from Compatible Systems, the Customer will have good title to the Products, free and clear of all liens and encumbrances. Compatible Systems' obligati...

Page 74: ...eure. All orders accepted by Compatible Systems are subject to postponement or cancellation for any cause beyond the reasonable control of Compatible Systems, including without limitation inability to obtain necessary materials and components; strikes, labor disturbances and other unavailability of workers; fire, flood and other acts of God; war, riot, civil insurrection and other disturbances; production ...

Page 75: ...tation on remedies shall apply even if Compatible Systems is advised of the possibility and nature of any special, consequential, or incidental damages. 7. Governing Law; Merger. This agreement and all Terms and Conditions hereof shall be governed by and construed in accordance with the internal laws of the State of Colorado. Except as superseded by a separate written contract signed by both Compatible ...
