
Report Wizard

Issue 4 May 2005

271

The first Report Wizard screen allows you to specify the objects you wish to include in the report.
The available objects include:

IP Group

User

User Group

Device (security gateway)

VPN

To create a report using the report wizard:

1. Move to the Main Console.

2. Click Report to start the Report Wizard.

3. In the Report Contents portion of the screen, select the object types to be included in the report.

4. The Select All and Deselect All buttons are provided for convenience. 

5. Click Next.

6. In the Show Report Title text box, type the report title.

7. Specify the report format details, including date and time, report title, author, page numbering, and the type font and font size.

8. The available font types are: Arial, Times Roman, and Helvetica. The available font sizes range from 8 points to 72 points.

9. Click Next.

10. Depending on the objects selected in the initial screen, a screen for each selected object type is displayed as part of the Report Wizard.

11. Select the desired object groups to be included in the report.

Note: The Summary button presents a single-screen overview of all the currently set report selections and options. Advanced users may wish to jump to this screen immediately.

12. Click Next.

13. Select additional information for the object group to be included in the report.

14. Click Next.

15. Click Finished when all report information has been selected. 

16. You then have a choice of output file type, HTML or PDF. The output file may be viewed on the screen, then sent to a printer if hardcopy is desired. Be sure you have Adobe Acrobat Reader to view the PDF file, or a web browser to view the HTML file.

Содержание 3.7

Страница 1: ...VPNmanager Configuration Guide Release 3 7 670 100 600 Issue 4 May 2005...

Страница 2: ...mful tampering data loss or alteration regardless of motive or intent Be aware that there may be a risk of unauthorized intrusions associated with your system and or its networked equipment Also reali...

Страница 3: ...ding the Electromagnetic Compatibility Directive 89 336 EEC and Low Voltage Directive 73 23 EEC This equipment has been certified to meet CTR3 Basic Rate Interface BRI and CTR4 Primary Rate Interface...

Страница 4: ......

Страница 5: ...rt 19 Chapter 1 Overview of implementation 21 Components of the Avaya security solution 21 Security gateways 21 VPNremote Client software 22 VPNmanager software 22 Overview of the VPN management hiera...

Страница 6: ...ools menu 40 Help menu 40 Toolbar 40 VPN view pane 42 Network Diagram View 42 Tiled View 43 Tree View 43 Alarm monitoring pane 44 Configuration Console window 44 Configuration Console Menu bar 45 File...

Страница 7: ...Protocol Over Ethernet PPPoE Client 71 Local DHCP Server 71 DHCP Relay 73 Static 73 Changing network interfaces 73 Private port tab 76 Adding an IP Device Configuration 77 DHCP Relay 78 None 79 Device...

Страница 8: ...N configuration files on remote user s computer 108 Disable split tunneling 108 Dyna Policy Defaults Global tab 108 Dyna Policy Authentication tab 109 Local authentication 110 RADIUS authentication 11...

Страница 9: ...g a message 122 Enforce brand name 123 RADIUS ACE Services 124 Enable RADIUS ACE 124 Settings 125 RADIUS concepts 125 The RADIUS protocol 126 Add RADIUS ACE server 126 Authenticating secret password 1...

Страница 10: ...IP VPN 150 Configuring an IKE VPN 152 Enabling CRL checking 156 Exporting a VPN object to an extranet 158 VPN Object export checklist 159 Export procedure 160 Importing a VPN object from an extranet 1...

Страница 11: ...cy 187 From Where 188 To Where 189 The Filtering Policy in progress 189 Locating this filtering policy 189 The filtering policy in progress 189 Running the packet filtering policy wizard 189 Running t...

Страница 12: ...tes 215 Managing the resilient tunnel list 216 Stopping and starting resilient tunnel services 217 Primary end point service 217 Secondary end point service 217 Failover TEP 218 Configuring failover T...

Страница 13: ...ding Admin Users for SNMPv3 247 VPN active sessions 247 Syslog Services 248 Add Syslog Policy 249 Using Monitor 250 Enterprise MIB 250 Monitoring wizard 250 Define Custom 267 Monitoring wizard Present...

Страница 14: ...yption Strength 291 Remote Access VSU 100 Only 291 Appendix A Using SSL with Directory Server 293 When to Configure your VPNmanager for SSL 293 Installing the issuer s certificate in the policy server...

Страница 15: ...rivate Networks Each one listed below has been designed to meet the needs and requirements of either a small medium or large network VPNmanager Service Provider VPNmanager Enterprise VPNmanager Overvi...

Страница 16: ...k with one another into private wide area extranets Companies can quickly link and unlink to their suppliers customers consultants and other business associates with flexibility and speed unmatched by...

Страница 17: ...PNmanager graphical user interface GUI Related Documentation Be sure to read the VPNos Configuration Guide It contains important information on the proper procedure for setting up your VSUs which is a...

Страница 18: ...the individual VPN remote users reside Chapter 7 Configuring VPN objects explains VPN Objects as the method for linking VSUs remote terminals and LAN terminals in a fully configured VPN Chapter 8 Esta...

Страница 19: ...s available to support contract holders of Avaya VPN products Domestic support Toll free telephone support 866 462 8292 24x7 Email vpnsupport avaya com Web http www support avaya com International Sup...

Страница 20: ...Preface 20 Avaya VPNmanager Configuration Guide Release 3 7...

Страница 21: ...ya security solution consists of the following Avaya VPNmanager Avaya SG security gateways and VPN Service Units VSU Note Note Beginning with VPNmanager 3 4 this configuration guide uses security gate...

Страница 22: ...Console and the policy server The VPNmanager console is a client that is used for configuring managing and monitoring one or more VPNs The console is a Java application that can be run anywhere and is...

Страница 23: ...wall management The VPNmanager software is built on a policy based architecture that allows the administrator to start at a high level with a VPN domain then move down the hierarchy to create user gro...

Страница 24: ...at information you should know before you begin The following are functions or tasks that need to be addressed How the security gateway will be configured for your network Which remote users will be c...

Страница 25: ...ot considered part of the internal private network Servers in the DMZ typically have publicly routable IP addresses or should use advanced NAT within the security gateway Management zone Management zo...

Страница 26: ...l way to limit VPN traffic to specifically designated users Remote users and user groups VPNremote Client users who log in to the VPN through the security gateway must have their user authentication c...

Страница 27: ...apply these templates at the domain level for all security gateways for a specific gateway or for a defined group The integrated SMLI Stateful Multi Layer Inspection Firewall supports firewall rules...

Страница 28: ...width WinNuke Attack This attack attempts to completely disable networking on computers that are running Windows 95 or Windows NT This attack can be swift and crippling because it uses common Microsof...

Страница 29: ...address mapping is performed on a security gateway that is located between the private network and the public network You can set up three types of NAT mapping on the security gateway Static NAT With...

Страница 30: ...that can be recognized by an ACD so that user access is not blocked SSL for Directory Server As an added benefit all communications with the directory server can be secured by SSL Secure Sockets Layer...

Страница 31: ...configure your VPN Issue 4 May 2005 31 11 Configure firewall rules 12 Associate firewall rules with the correct gateway and security zone 13 Configure other features such as QoS VoIP gateway DHCP NAT...

Страница 32: ...Overview of implementation 32 Avaya VPNmanager Configuration Guide Release 3 7...

Страница 33: ...previous releases of VPNmanager the super user administrator was supported Beginning with VPNmanager 3 5 the super user administrator function has been expanded and in now included in the role based...

Страница 34: ...ate or upgrade devices modify or import configuration reboot or reset devices import or apply licenses or change other administrator s passwords To add an administrator The Admin object is used to cha...

Страница 35: ...not displayed 2 Type the password that was configured when the VPNmanager software was installed 3 The IP address or name of the policy server is listed in the Policy Servers list Select the Policy Se...

Страница 36: ...a context and then click Connect on the first logon dialog At this point the main console display screen appears and the selected VPN appears in the View VPN window Navigating the main window The VPNm...

Страница 37: ...select to create New a dialog to create a new domain name is displayed This name is the unique name assigned to an overall virtual private network A VPN domain is a collection of VPN devices that comp...

Страница 38: ...ured Logoff Logoff closes the current directory server without exiting VPNmanager The Login screen appears immediately after you log off Exit Exit closes the VPNmanager console Figure 4 File Menu New...

Страница 39: ...oring Screen to open the Monitoring wizard for the domain that is opened or you can click the Monitor icon on the toolbar The Monitor wizard assists you in selecting the various VPN objects you wish t...

Страница 40: ...Report Wizard on page 270 Tools menu From Tools you can access the following commands Update Devices Update Devices is used to update the security gateway configuration with the configuration currentl...

Страница 41: ...eleted from the network diagram view in the monitor pane and then click Delete Report The Report button is a shortcut to the View Report Wizard command that guides you through the steps to create a re...

Страница 42: ...View selection bar contains two elements a list from which the desired VPN is selected and two radio buttons to select the view styles Diagram or Tree Note Note If more than five security gateways ar...

Страница 43: ...om the diagram view to the tiled view Figure 7 VPNmanager Tiled View Tree View An alternative presentation style to the diagram and tiled views the tree view mimics the Windows style vertical director...

Страница 44: ...pe Alarm information is presented in a vertically scrolling list A rotating red beacon appears at the top of this screen when a critical alarm is received See Monitoring alarms on page 268 Configurati...

Страница 45: ...object on page 38 Save Changes This command saves any changes made through the Configuration Console Discard changes This command clears any changes you have made and reverts the configuration to the...

Страница 46: ...hen imported by other VPNmanager installations See the Importing and exporting VPN configurations to a device on page 284 Export VPN Export VPN can be used to export the VPN configuration which in tur...

Страница 47: ...ecific information about the selected object Details are organized into categories presented as tabs across the top of the screen Update Devices Located in the upper right hand corner of the VPNmanage...

Страница 48: ...Console password type in that password If the security gateway did not have an existing security gateway Console password type in password Click OK 6 The Update Devices dialog will tell you when the...

Страница 49: ...pt upon attempting to move to another object Dyna Policy Defaults User The Dyna Policy Defaults User tab is used to define how the Dyna Policy configuration data VPN session parameters are handled on...

Страница 50: ...of how user authentication and Client Configuration Download CCD are performed Choices are Local security gateway based RADIUS or LDAP Whichever method selected is global across the entire VPN Selecti...

Страница 51: ...liar with the LDAP directory structure may prefer having this field displayed Figure 13 Preferences Advanced Tab Remote Client The Remote Client tab is used to establish a path tunnel to a secure DNS...

Страница 52: ...teways in all domains are scanned and a map file is created to cross reference the security gateway IP addresses to their respective security gateway names Default is enabled Alarm When Device is Unre...

Страница 53: ...Preferences Issue 4 May 2005 53 Figure 16 Tunnel End Point Policy...

Страница 54: ...Using VPNmanager 54 Avaya VPNmanager Configuration Guide Release 3 7...

Страница 55: ...o other domains creating interconnected domains When you log in to the VPNmanager Console the first time you must create a domain You create a domain name and select firewall rules to be applied to th...

Страница 56: ...ur new VPN domain appears in the title bar of the VPNmanager Console main window The domain is open and ready to be configured Select Level of security High The high security template enforces very st...

Страница 57: ...ity gateways See Using SNMP to monitor the device on page 245 Whether the security gateway dynamically builds a routing table using RIP updates See Routing on page 81 Static routes if more than one ro...

Страница 58: ...the device and retrieve the device details Select the device from the drop down menu in the Network Configuration screen 6 If the Public Interface Uses a Dynamic User VPN IP Address checkbox is select...

Страница 59: ...VPNmanager displays the tabs you can use to make changes to the security gateway configuration This section describes the features to configure a basic device See Establishing security and Using adva...

Страница 60: ...s VPNmanager uses to communicate with the security gateway All other information that is displayed is view only General X High Availability X Interfaces X Memo X Network Objects X Policies X Private p...

Страница 61: ...the head end device to download the VPN policies through CCD The VPNmanager cannot manage the device in the User VPN mode IP Address DNS Name VPNmanager uses the address to communicate with the securi...

Страница 62: ...ng NOS from one of two possible flash chips FIPS Mode Federal Information Processing Standards FIPS mode indicates if the security gateway is running in the normal or FIPS Level 2 mode It is recommend...

Страница 63: ...r The security gateway server maintains a DNS database on all DHCP clients on the private interface Non DHCP clients have no DNS identity Note Note The security gateway performs DNS relay functionalit...

Страница 64: ...terface IP address as the DNS server in the DHCP response In this way all of the DNS queries are automatically forwarded to the security gateway To add a DNS Relay To set up DNS Relay Configuration an...

Страница 65: ...rver address Use Add to enter the initial or backup DNS server s Enter the IP address of the DNS server in the Resolve DNS name with this address field so that the targeted security gateway can regist...

Страница 66: ...ress 5 Click Save to save the change 6 When you want to send the configuration to one or more VSUs click Update Devices Interfaces tab For security gateways with VPNos 4 31 or later the Interface tab...

Страница 67: ...es that can be configured depends on the security gateway model Table 6 Ethernet0 and Ethernet1 are present in all models and are assigned to the public and the private zones The media interfaces that...

Страница 68: ...and then redirects all encrypted traffic to this link Only one public backup zone can be configured on the security gateway Note Note If the public zone and the public backup zone are both configured...

Страница 69: ...e LAN The private network interface can be configured with Static DHCP Server or DHCP Relay Semi private The semi private network interface provides connection to a network whose equipment can be made...

Страница 70: ...assigned to the public interface of the security gateway To configure static addressing complete the following information DHCP addressing Use DHCP addressing if the gateway obtains its IP address dy...

Страница 71: ...r mode the protected devices are automatically provided with an IP address a default route a domain name the security gateway and WINS To configure the local DHCP server complete the following informa...

Страница 72: ...port along with optional TFTP server IP address all four fields in the IP Telephony Configuration section must contain entries Option 66 The standard DHCP option for TFTP server Note Note When you ad...

Страница 73: ...n the public network send DHCP offer messages that contain the IP addresses to the DCHP relay agent The agent broadcasts the DHCP offer messages to the DHCP clients If the DHCP server resides on the r...

Страница 74: ...t apply to that media interface are displayed From the IP Config Mode list select the IP addressing mode Depending on your selection complete the required information If public backup is selected comp...

Страница 75: ...create a fully qualified domain name FQDN You can however enter host names using the FQDN form of myhost mydomain toplevel domain in which case you should leave the IP Telephone Domain name field empt...

Страница 76: ...be configured to obtain IP addresses from this DHCP server If the DHCP server is unreachable the relay can be made to fall back to the local DHCP server Figure 22 Private port tab with VPNos 4 2 or V...

Страница 77: ...IP Device Configuration This dialog is used to add IP devices to the virtual DHCP server The dialog contains a group of fields for IP telephony configuration when IP telephones are connected to the s...

Страница 78: ...firmware is maintained for upgrade purposes TFTP File Path Used when the file path is other than the default path DEFINITY Clan IP The IP address of the DEFINITY Clan server DEFINITY Clan Port Port nu...

Страница 79: ...in The Fallback to Local DHCP Server option allows the DHCP server to revert or fallback to the Local DHCP Server if the DHCP Relay is not functioning Note Note In order for the security gateway to su...

Страница 80: ...op down menu Port Enter the number of the port to use The default is 1443 Authentication Select the authentication type to use either Standard CHAP or Rechallenge PAP 4 Click Save to complete the conf...

Страница 81: ...sts on a network to which the security gateway must forward either VPN or non VPN traffic The Routing tab shows the VPN traffic default routes including the IP address of the hop and the IP address of...

Страница 82: ...is selected or checked To disable the automatic forwarding of packets the Enable VPN Traffic Auto Forwarding box should be un checked When the VPN traffic auto forwarding is disabled the SG will dive...

Страница 83: ...gateway that is used for decrypted traffic only This configuration is commonly applied to a VSU in the following topology Figure 27 Common Default Gateway for VPN Traffic topology Figure 27 shows the...

Страница 84: ...s routing information about remote client address pools This information tells listeners to send packets to the security gateway if the address is a mapped address The security gateway translates the...

Страница 85: ...ure Static NAT Port NAT With Port NAT addresses from internal nonroutable networks are translated to one routable address in Port NAT Port numbers in the case of TCP UDP packets and sequence numbers a...

Страница 86: ...works The NAT screen displays the following information for each rule Scroll to see all the information The type of rule The types are static port or redirection The zone to which the NAT rule applie...

Страница 87: ...om TCP UDP port number This port number can be from 1 to 65535 5 In the Translation area complete the areas that are not grayed out Option Select from the list IP Address Type the translated to addres...

Страница 88: ...a client on the private network it is dynamically mapped to the public IP address and an available port number When the client traffic is idle for a specified period of time the port number is return...

Страница 89: ...ons described in the previous section NAT applications Allow access to the Internet from private networks Provide support for more hosts with fewer public addresses Hide host addresses for security re...

Страница 90: ...ponding public addresses thereby allowing communication between clients and hosts to be initiated from either the private or public network Setting up VPN with overlapping private addresses Figure 29...

Страница 91: ...A_Sales_Group server Before the packet is sent out of the private interface the NAT rule on the private interface changes the packet s source address from 172 16 0 17 to 10 0 89 17 Figure 29 Setting U...

Страница 92: ...packets sent out the private interface of the security gateway B to one of 16 addresses assigned to the security gateway B address pool Note that the IP address 0 0 0 0 0 matches any packet entering o...

Страница 93: ...o Support Multiple Gateways Interface for VPNos 4 2 The following three interface choices are available for devices with VPNos 4 2 Public Primarily used to allow clients on a private network to access...

Страница 94: ...ew NAT rule to the list Translation Type Choices are Static Dynamic and Port Translation will be applied on Choices are public Interface private Interface and Tunnel Interface Original Network Mask Wh...

Страница 95: ...ic rule that was selected from the NAT Rule list shown in the Policy Manager for NAT window 8 If you want in the Memo text box type in a comment about this rule 9 If you want to create this rule witho...

Страница 96: ...NAT rule cannot be applied to the tunnel zone 5 In the Original area complete the available or active areas Option From the list select a pair of configured VPN local members IP address and subnet ma...

Страница 97: ...ns an IP address and IP mask An IP Group can be configured with many of these address mask pairs The address mask pair is used to create an address space range Pairs are used for identifying a range o...

Страница 98: ...t off This field is used to define where the object is located in the LDAP directory tree All VPN components must have unique names To prevent naming conflicts l Add the suffix group to the group name...

Страница 99: ...cted by the selected security gateway The list contains the names of all security gateways in the VPNmanager database a choice of None and a choice of Extranet device Extranet device You can create a...

Страница 100: ...lable in this pane IP Network address and Mask or IP Range For the IP Range enter the starting and ending IP addresses Table 8 Deriving the Group Mask To specify a contiguous range of this many addres...

Страница 101: ...1024 n 0 n multiple of 4 e g 130 57 4 0 or 130 57 8 0 255 255 252 0 2048 n 0 n multiple of 8 e g 130 57 8 0 or 130 57 16 0 255 255 248 0 4096 n 0 n multiple of 16 e g 130 57 16 0 or 130 57 32 0 255 25...

Страница 102: ...curity gateway that the group must be associated with 8 The security gateway selected should be one that is protecting the LAN containing the IP Group 9 Click Save 10 Optional Go to the Memo tab to ma...

Страница 103: ...et 10 From the IKE Identifier drop down list select a method for identifying the extranet s device The device must be an IKE IPSec compatible device Select IP Address if the extranet s device identifi...

Страница 104: ...o Memo can be used to record notes about the IP Group such as change history where the group is located etc Information entered here is associated only with the security gateway in focus This informat...

Страница 105: ...a secure DNS server to resolve client DNS names Use Policy Manager to configure client IP address pools Radius ACE authentication and create a legal notice for users Define the type of IKE identifier...

Страница 106: ...bution method is called Client Configuration Download CCD The security gateways distributes the Dyna Policy when VPNremote Client connects to the VPN An individual dyna policy is configured from the u...

Страница 107: ...to create a global dyna policy Dyna Policy Defaults User Dyna Policy Defaults Global Dyna Policy Authentication Remote Client The following describes each of the tabs For the procedure to configure a...

Страница 108: ...connection This is the default You must check the Disable Split Tunneling check box to turn the default off When the default is off only secure VPN traffic from the VPNremote client computer is allow...

Страница 109: ...b The Preferences Dyna Policy Authentication tab is used to define how user authentication and Client Configuration Download CCD are performed Choices are Local security gateway based RADIUS or LDAP W...

Страница 110: ...y LDAP authentication Note Note This feature is only available for VPNos 3 x when iPlanet Directory Server is supported LDAP authentication uses the designated directory server database for user authe...

Страница 111: ...s VPNremote Clients to use host names in place of IP addresses when accessing corporate network resources without exposing corporate DNS servers and name resolution databases to the public Thus a VPNr...

Страница 112: ...e VPN services of the DNS server VPN will be applied to any DNS requests made by the Client to the subdomains defined within the Client DNS Resolution Redirection Client DNS resolution redirection Ena...

Страница 113: ...mote client is disconnected This is the most secure method Select Secure Dyna Policy with a user defined key password to have the VPN session parameters reside on the user s hard disk and be activated...

Страница 114: ...nt idle time out period Check Enable Redirection Support if remote clients use private domain names such as accounting avaya com for navigating their VPN Then enter the Domain and Protected DNS server...

Страница 115: ...New User dialog is displayed 2 In the Name text box type the name of a remote user Any character except a comma can be used Note Note If you plan on using RADIUS as an authentication method this name...

Страница 116: ...This displays a list of the User Groups to which the user belongs Memo tab Memo can be used to record notes about the user such as change history specific computer type etc Information entered here i...

Страница 117: ...onfigured this button is disabled Rekey User VPNs Clicking the Rekey button causes the preshared secret to be rekeyed for this users VPNs Reset User Directory Password The user s password is reset Not...

Страница 118: ...ue with step 6 1 From the Configuration Console window click Users to list all User Objects in the Contents column 2 From the Contents column select the User Object that needs to be configured 3 From...

Страница 119: ...nnot browse the Internet while they are connected to the VPN 6 If Local Authentication is used for authentication method in the Authentication Password text box type in the a password for this VPNremo...

Страница 120: ...deliver the following pairs to the respective users NAME The name created in Step 2 PASSWORD The password created in Step 2 Using Policy Manager for user configuration From the VPNmanager Policy Manag...

Страница 121: ...IP address pool Add Client IP address pool From the Policy Manager properties you select Client IP Configuration to make add new client IP addresses At the top of the screen is the target security gat...

Страница 122: ...ll required Client IP Address 8 Click Close to return to the Policy Manager for Client IP Address Pools window 9 The new pool is seen in the Current Client IP Address Pool list 10 Optional If a client...

Страница 123: ...Enforce brand name VPNmanager allows administrators to restrict access to remote users by specifying client brands The default is Allow any brand The Administrator can allow any brand name or can res...

Страница 124: ...DIUS servers to authenticate remote users A security gateway can query up to three RADIUS servers where two of the servers is recognized as backups Figure 42 The Policy Manager for RADIUS ACE Note Not...

Страница 125: ...incoming traffic as new VPN traffic and initiates a request to the RADIUS server for user authentication requirements The RADIUS server responds to the security gateway indicating authentication is r...

Страница 126: ...y that someone snooping on an unsecure network could determine a user s password Flexible Authentication Mechanisms The RADIUS server can support a variety of methods to authenticate a user when given...

Страница 127: ...In the IP Address text boxes type in the address of the RADIUS server Note Note An IP address must be entered domain names are not valid There must be an IP route between the security gateway and the...

Страница 128: ...ered to the remote client when the remote client authenticates throughout the security gateway to the RADIUS Server The VPNmanager provides the following attributes for the remote client to choose fro...

Страница 129: ...me then populate them with user objects Users can belong to more than one user group When this is the case and policy conflicts exist permit wins over deny user group settings override individual user...

Страница 130: ...e names of all individual Users currently assigned to this User Group A second pane titled Available Users lists all existing VPN users The left and right arrows are used to move the highlighted users...

Страница 131: ...VPN This SKIP master key is used to generate session keys used for cryptographic functions In the case of Preshared Secret IKE VPNs rekeying generates and distributes a new negotiation key to all sec...

Page 132: ...one or more users To select multiple users which are listed adjacently hold the SHIFT key To select multiple users which are not adjacently listed hold the CTRL key Click Move Left to move your select...

Page 133: ...s of VPN objects can be built SKIP based VPN IKE based VPN Both types use IP Security Protocol IPSec for encrypting and decrypting VPN traffic The main difference between the two VPN types are the met...

Page 134: ...ally rekeyed Preshared Secret mode involves the Diffie Hellman algorithm for creating a shared secret key that is used for authenticating VPN traffic Large prime numbers and modular arithmetic equatio...

Page 135: ...only Default VPN policy Default VPN applies only to the IKE VPN and is used in conjunction with RADIUS authentication Only one VPN can be the default VPN in a domain When you create a VPN you can ena...

Page 136: ...ave your work Creating a default VPN To create a default VPN within a selected domain 1 Add the security gateway s Add an IPGroup s and associate this group with this security gateway 2 Create a defau...

Page 137: ...y 2 Create a default user or default user group in the VPNmanager 3 Create a new VPN Object see Creating a new VPN object on page 136 4 Add the default user and IPGroup s to the new VPN 5 Use the Poli...

Page 138: ...t VPN type you have selected IKE or SKIP General tab with IKE If the VPN type selected is IKE the following General tab appears Figure 45 VPN General Tab IKE From the General tab you can configure the...

Page 139: ...cted from the General tab you can configure the following information Tunnel Select the tunnel mode if IP packets between members are secured by encrypting and authenticating the entire packet includi...

Page 140: ...N and the security gateway is updated all non RADIUS enabled security gateways that are affected by the removal of the remote user are updated For RADIUS enabled security gateways the remote user is n...

Page 141: ...used at the end points of a VPN tunnel The configuration procedure involves setting a lifetime for public keys and a specific Diffie Hellman Group for automatically generating keys of a specific stre...

Page 142: ...d territories Any Accepts any encryption proposal that is made by the device on the other side IKE VPNs use ESP to encrypt IP packets as defined in RFC2406 You can choose either DES CBC or 3DES CBC Do...

Page 143: ...ased and throughput lifetimes Whichever occurs first triggers the new key Note Note For time based lifetime the following are the minimum values in each category Day 1 Minutes 1 and Seconds 60 Diffie...

Page 144: ...secret Security IPSec In IKE VPNs VPN traffic flows in tunnel mode Therefore the Security IPSec tab is used for configuring the parameters used for encapsulating the original packet header and payload...

Page 145: ...enabled Yes a Diffie Hellman Group number must be selected Diffie Hellman Group Diffie Hellman Group defines mathematical parameters used during IKE negotiations Group 1 specifies use of a 768 bit mod...

Page 146: ...ct to export regulation 3DES A robust encryption algorithm AES 128 The advanced encryption standard that uses a 128 bit block to help resist large attacks Any Accepts any encryption proposal made by t...

Page 147: ...onds 60 DH Group Diffie Hellman Group Diffie Hellman groups define the cryptographic key strengths used during IPSEC negotiations The level of security increases as the DH group number increases Using...

Page 148: ...ve effort between system administrators running independent copies of VPNmanager and involves the same steps as creating any other VPN create the device then the groups and users and finally the VPN T...

Page 149: ...s associated with the VPN This negotiation key is used to provide authentication during IKE negotiations in which the actual session key is dynamically generated Manual Keyed VPNs can be rekeyed by ma...

Page 150: ...Note Note Security gateways at each end of a tunnel must use the same SKIP settings To configure a new SKIP VPN object 1 Move to the Configuration Console window 2 From the Icon toolbar click VPN to l...

Page 151: ...curity SKIP tab to bring it to the front 10 From the Encryption Algorithm list do one of the following Select Triple DES to divide VPN traffic into 64 bit blocks and encrypt each block three times wit...

Page 152: ...bjects as members of this VPN Object do the following Click the Members Users tab to bring it to the front From the Available list select specific User Objects and User Group Objects User Group Object...

Page 153: ...ecret for authenticating security gateways and members of the VPN To manually create a secret type in an alphanumeric string in the text box To automatically create a secret click Auto generate 16 Cli...

Page 154: ...ed information about Group 1 and Group 2 algorithms see section 6 2 of IETF RFC 2395 26 Use the IPSec Proposals options to create one or more proposals 27 A proposal defines which IPSec parameters all...

Page 155: ...t to the front 30 Select Apply VPN to clients only if you have created a VPN Object where User and User Group Objects can communicate with IP Group Objects but IP Group Objects cannot communicate with...

Page 156: ...as crl content txt 3 Open the crl content txt file to extract the necessary CRL information 4 To extract the necessary CRL information open the crl content txt file 5 Locate the dn header with the org...

Page 157: ...ldif file 20 In the Import Database window browse to locate the crl ldif file 21 Click Open to import the crl ldif file 22 The Import Database message box appears upon successful import 23 From the VP...

Page 158: ...Show CRL information 3 After selecting 18 from the Utilities menu a list of serial numbers appear on the screen 4 Enter Y to delete the CRL list 5 From the VPNmanager main menu click Config 6 Select D...

Page 159: ...d to DomainB VPN ObjectA is built with IP GroupA and IP GroupB IP GroupA is configured with IP address masks for terminal devices in DomainA and IP GroupB is configured with IP address masks for termi...

Page 160: ...pe text box type in your password to confirm it AdministratorB creates security gateway ObjectB and supplies the IP address of that object to AdministratorA AdministratorA creates IP Group ObjectB Cre...

Page 161: ...le Importing a VPN object from an extranet To import a VPN Object data file 1 Copy the VPN Object data file created during the Export procedure into the computer running the VPNmanager Console 2 Open...

Page 162: ...Object 1 Open the Configuration Console window 2 From the Icon toolbar click VPN to list all VPN Objects in the Contents column 3 From the Contents column select the VPN Object that needs to be rekey...

Page 163: ...n a relatively short amount of time The security gateway uses a rules based method of packet inspection where the priority of each rule is determined by its position in the list highest is top priorit...

Page 164: ...of rules you select depends on the interface zones that are configured and your general network requirements The firewall templates can be used in their default state or as the basis from which a user...

Page 165: ...e the selected source to the Source column Click Next 7 From the Available Destination s column select the destination click Move Left Click Next 8 From the Available Service column select the service...

Page 166: ...ntifies the rule By default the Status is Enabled and the Action is Permit Change these if they are not the correct settings In the Memo area type notes to describe the firewall rule optional 5 Click...

Page 167: ...atic port NAT or redirection either the source IP address or the destination IP address of packets are changed When you set up your firewall rules you need to consider the type of NAT configured as yo...

Page 168: ...ave the potential to expose a large number of ports behind the firewall to outside snooping An example of a fairly safe configuration would be that of allowing FTP clients on the private zone network...

Page 169: ...he private side of the security gateway and the FTP server is on the public side of the security gateway define the interface and direction as Public In or Private Out 2 Click Next to display the Sour...

Page 170: ...irewall templates can be used as a general rule set or as a starting point for creating a customized firewall policy or user defined template that conforms to the corporate security requirements The t...

Page 171: ...all packets of the selected traffic type 15 Click Next 16 Select the set of sources from the available source list 17 Click Next 18 Select the set of destinations from the available destination list 1...

Page 172: ...ied to TCP UDP and ICMP packets 28 Keepstate sets up a state table with each entry set up by the sending side Reply packets pass through a matching filter based on the respective state table entry A s...

Page 173: ...ration complexity by allowing network administrator s to create groups of devices that share a common firewall configuration To create a device group object 1 Move to the Configuration Console window...

Page 174: ...an invalid IP address If the system accepts this IP address the attacker appears to reside on the private side of the security gateway The attacker is actually on the public side and bypasses the fire...

Page 175: ...able or disable Voice over IP VoIP and to configure the gatekeeper properties Definition of the gatekeeper location is with respect to the internal or external firewall definition Beginning with VPNos...

Page 176: ...tekeeper is known to the Gatekeeper wanting to send call signaling messages If the receiving Gatekeeper is not being NATed by the SG the Proxy IP and Proxy Port should not be configured Using the LRQ...

Page 177: ...field select the zone which the source endpoints are connected to For example if the calling trunk endpoints are connected to the public zone select public zone for this field In the Network Objects...

Page 178: ...endpoints are located with respect to the SG e g private when the IP endpoints are on private side of the SG Source Endpoints Network Objects The IP networks that define the IP address space of the IP...

Page 179: ...identify the gatekeeper Once the name is saved the name cannot be changed 4 In the Call Model field select Gatekeeper Routed from the drop down menu 5 In the Service Port field specify the H 225 RAS p...

Page 180: ...be created with up to four classes highest high medium and low Attributes that can be assigned to these classes are percentage of bandwidth allocation type of services network objects DSCP and burst Q...

Page 181: ...for media interface Ethernet0 DSCP value 10 cannot be assigned to Highest Medium or Low for Ethernet1 It can be assigned to the High class for Ethernet 1 When DSCP value of 0 is specified during conf...

Page 182: ...recommended to use Services containing ICMP or port ranges QoS does not support port ranges When the View QoS is selected the screen displays the QoS policies that have been created and their configu...

Page 183: ...Network combination in multiple classes 5 If DSCP will not be specified as a criteria in a class leave the DSCP default value of 0 In this case it is recommended to assign unique services networks to...

Page 184: ...mapping 3 Select the Zone to be configured 4 Select the QoS policy that should be applied 5 Click OK and then click Save Packet Filtering The Packet Filtering feature is available for devices with VPN...

Page 185: ...ltering is run first followed by NAT Table 10 Traffic types that can be filtered User defined TCP Exec Netware IP TCP VPN AuthGW User defined IP Finger Netware IP UDP VPN KeepAlive User defined UDP FT...

Page 186: ...rity policy They include Permit all non VPN traffic When checked all non VPN traffic is allowed to pass through the VSU Deny all IP non VPN traffic When checked all non IP traffic is prevented from pa...

Page 187: ...n Two basic actions may be selected Permit or Deny As you would expect Permit allows all packets of the Traffic type selected to pass while Deny blocks all packets of the Traffic type selected QoS Mar...

Page 188: ...the same port Keep State essentially remembers the port and lets the replying packet enter in the same port Source Port Appears when User defined TCP or User defined UDP selections are made Select th...

Page 189: ...ly updated summary of the filter parameters currently selected When you are satisfied with your filter configuration click on the Finished button to build the filter The filter is then automatically p...

Page 190: ...ring The Policy Manager for Packet Filtering is used for starting and stopping filtering services managing the ACL and for configuring advanced filtering options Figure 60 shows Policy Manager for pac...

Page 191: ...bring it to the front 4 From the drop down list select Packet Filtering then click GO to open the Policy Manager for Packet Filtering 5 From the ACL select a specific filtering policy 6 Use Table 11 f...

Page 192: ...n Permit all non VPN traffic Select this button to permit all non VPN packets Deny all IP non VPN traffic Select this button to block all IP non VPN packets Deny all non VPN traffic Select this button...

Page 193: ...he transmission precedence of one type of packet relative to other packets The identification system involves two kinds of marks User Defined and Predefined The user defined mark is in the form of a n...

Page 194: ...kets and the direction of packet flow in and or out of the VSU is needed to create a marking rule To create a packet marking rule 1 Move to the Configuration Console window 2 From the Contents column...

Page 195: ...e specific CS mark used must be the same as the one configured in your router s these marks serve as a backward compatibility mechanism for IP Precedence Marks which predate modern QoS Marks Select a...

Page 196: ...ined by its position in the list highest is top priority The first match determines the fate of the packet permit or deny If no matching rule is found the default action is to permit the packet Figure...

Page 197: ...is rule 5 Click Next 6 Select the set of sources from the available source list 7 Click Next 8 Select the set of destinations from the available destination list 9 Click Next 10 Select the set of serv...

Page 198: ...n be applied to TCP UDP and ICMP packets 18 Keepstate sets up a state table with each entry set up by the sending side Reply packets pass through a matching filter based on the respective state table...

Page 199: ...Advanced The Device Advanced tab contains properties that are used to configure security gateway parameters for unique circumstances Note Note The properties displayed within the Device Advanced tab...

Page 200: ...h port the Primary IP address is bound to the MAC address of the public port If a private IP address is configured that address is bound to the MAC address of the private port of the VSU In this mode...

Page 201: ...de which requires that only the private port be plugged into the network and you have used the Bind one IP address to each port setting This topology requires that the Advanced Filter setting be Permi...

Page 202: ...receiving security gateway ICMP messages indicating that fragmentation is needed The source of packets needing VPN services does not fragment packets even when notified by a security gateway ICMP mes...

Page 203: ...k Update Devices NAT Traversal Configurable NAT traversal is available for VPNos 4 31 and later Note Note For VPNos 3 2 NAT Traversal is enabled by default You cannot change or disable it When a NAT d...

Page 204: ...ection after the client has been issued an authentication challenge default port 2444 A response received on this port is then forwarded to the external LDAP or RADIUS server for authentication Privat...

Page 205: ...oxes type in the second address assigned to the VSU 6 In the Private IP Mask text boxes type in a subnet mask for the address 7 Select the Use this address when directly communicating with this device...

Page 206: ...to authenticate VPNmanager via SuperUser account first If this fails the VSU then attempts to authenticate via the VPNmanager user s LDAP account A successful connection requires that the VSU s author...

Page 207: ...henticate by either your LDAPuser account or SuperUser account Tunnel Persistence This feature consists of the following radio buttons Maintain VPN tunnels on device update Rebuild all VPN tunnels on...

Page 208: ...users RUser The addition of SGD to VPN2 SGA SGC SGD and Remote User interrupts tunnel persistence in VPN2 thus breaking the remote connection Once the configuration update is complete the remote conn...

Page 209: ...P Transport mode NOT being used Failing to meet these conditions packets be subject to the non VPN traffic policy Permit or Deny selected in the VSU Packet Filtering Advanced tab A typical example of...

Page 210: ...lowing procedure only establishes it as a backup server The Directory Servers tab is shown in Figure 66 Figure 66 The Directory Servers tab Servers list presents a list of available directory servers...

Page 211: ...always used first To edit change the sequence or delete a backup server 1 Move to the Configuration Console window 2 From the Device Contents column select the security gateway that has the backup ser...

Page 212: ...245 Note Note Resilient tunnels are configurable on VSUs running VPNos 3 x Figure 67 illustrates a simple example San Francisco LAN has two gateways to the WAN The high speed route is used by the prim...

Page 213: ...number of requests exceeds the Heartbeat Retry Limit VSUA then begins to establish a connection with VSUC 5 Since VSUC uses a low speed connection VSUA must anticipate a delayed response from VSUC Th...

Page 214: ...sure the heartbeat packets are not filtered The security gateway heartbeat listening port 1643 using UDP protocol Creating a resilient tunnel Resilient tunnels are configured from the Resilient Tunnel...

Page 215: ...dpoint security gateway is able to reconnect and when the switchover actually occurs This wait time ensures that the primary security gateway is stable before switching occurs Default is 20 seconds Pr...

Page 216: ...response from the secondary end point 11 From the Properties list click on Hold Down Time so the hold down time values appears In the Hold Down Time drop down list select a unit of time In the Hold D...

Page 217: ...lect the Enable Resilient Tunnel check box to start services Clear the Enable Resilient Tunnel check box to stop services 5 Click Save to save your work 6 To send the configuration to the device click...

Page 218: ...ide the same VPN services The most desirable configuration would include the same devices however this is not required as long as each device has a license to service the number of VPNs configured on...

Page 219: ...Click Save to save the Failover TEP configuration To complete the Failover TEP configuration you must enter the Failover Remote TEP information in the Failover tab 9 To configure the Failover Remote T...

Page 220: ...s indicated Flash 0 or Flash 1 Additional information can be found in the security gateway Data portion of the security gateway General tab Reset password Reset password is used to change the console...

Page 221: ...ay is visible in the security gateway contents list The active security gateway is listed with the passive security gateway visible in the Members pane of the High Availability tab Because configurati...

Page 222: ...ng all members in the HA group The public Virtual Address is used as the tunnel end point while the private Virtual Address can be used as the default route for the network behind the security gateway...

Page 223: ...s all configured members in the HA group By default the primary member displays an active status while the secondary and remaining members display a passive status The Member table also displays the p...

Page 224: ...dd This action allows a new member to be added to the HA group The minimum configuration of a new member is the public and private IP addresses By default the primary IP address is used as the managem...

Page 225: ...e selected security gateway to be updated If the selected security gateway is a HA member the Member Update screen displays By default all members in the HA group are selected for update To update HA...

Page 226: ...such as a public DNS server When a network path fails the remote security gateway tries to establish a network path through an alternate central site If the remote security gateway cannot use that se...

Page 227: ...lure criteria are met only when both hosts 2 and 3 concurrently fail to respond five times at the 130 second mark to the connectivity checks Host 3 failed to respond five consecutive times between the...

Page 228: ...he same time to each host The default is 10 seconds 8 Click the Advanced button to configure the traceroute settings during failover Select Enable and complete the following Enable traceroute during f...

Page 229: ...tempt to connect to an alternate TEP In some network configurations alternate TEPs are considered temporary and the expected behavior is that a system reboot would revert to the original TEP However t...

Page 230: ...verged Network Analyzer Test Plug The converged network analyzer CNA test plug feature provides a distributed system tool for real time network monitoring that detects and diagnoses converged network...

Page 231: ...A test plug in the network 3 Select the CNA Test Plug Services interface The public interface provides connection to the internet usually by way of a wide area network WAN By default DHCP client is us...

Page 232: ...rk Use the Move To Top button to adjust the hive priority Click OK The first hive configured in the CNA Unit s for registration area is pushed down to devices running VPNos 4 5 Adjust the CNA hive con...

Page 233: ...o your private local area network LAN or your corporate LAN 5 In the Keep Alive Interval field enter the interval in seconds that packets will be sent to configured hosts The default is 10 seconds 6 I...

Page 234: ...host IP address d Click Save Policy Manager My Certificates If you are creating VPNs that use certificates for authentication and security use the Policy Manager for My Certificates to install signed...

Page 235: ...hing secure connections with special targets The process of getting a certificate for a specific VSU is illustrated in Figure 75 Figure 75 Installing a Signed Certificate into a VSU Explanation for Fi...

Page 236: ...6 In the File name text box type in a name for the Certificate Request then click Save 7 The VSU saves a Certificate Request into this new file then update the Maintain Certificates list with informa...

Page 237: ...ed certificate file The manager uses DER as the default filename extension but TXT can be used 16 Select the signed certificate file then click Open to return to the Policy Manager window After the VS...

Page 238: ...they are needed to authenticate a Signed Certificate This section explains how to retrieve and install Issuer Certificates for VSU targets For information about installing Issuer Certificates on VPNre...

Page 239: ...y Manager for installing Issuer Certificates in a specific VSU The VSU then uses the Issuer Certificate to authenticate certificates received from other VSUs The process is explained in Figure 78 To i...

Page 240: ...Open dialog box 6 Use the Look in drop down list for navigating to the location of the Issuer Certificate 7 Select the Issuer Certificate then click Open to return to the Policy Manager window 8 After...

Page 241: ...in Policy Manager My Certificates on page 234 it must be assigned a target A Bundle is used to define a certificate having a specific target type address description and queue position The Policy Man...

Page 242: ...be IP Address VPN FQDN Fully Qualified Domain Name email Directory Name Any target endpoint Depending on the selection made an appropriate field type appears to capture the respective information for...

Page 243: ...ified Domain Name FQDN to identify the target by its absolute name For example a target having the name xyz and a root of vpnet com has an absolute name of xyz vpnet com The DNS Server that is used is...

Page 244: ...Using advanced features 244 Avaya VPNmanager Configuration Guide Release 3 7...

Page 245: ...the trap and monitor strings and trap targets for SNMPv1 and SNMPv2c You configure the trap targets and the SNMP user for SNMPv3 Since SNMPv1 and SNMPv2c send data in the clear you can disable access...

Page 246: ...on such as HP Open View Figure 81 The SNMP Tab for a security gateway Object To add SNMP trap targets To add an SNMP Trap Target for security gateway s at version VPNos 4 2 or later do the following N...

Page 247: ...Click the SNMP tab to bring it to the front 3 From the Trap Target list select the target you want to delete 4 Click Delete to remove the target 5 Click Save Adding Admin Users for SNMPv3 Configuring...

Page 248: ...gging system error messages The messages can be automatically sent to a destination running a Syslog server Use Policy Manager to configure and enable Syslog services then move to your computer s comm...

Page 249: ...check box so the security gateway will run Syslog services 4 Click Add to open the Add Syslog Policy dialog box 5 Use the Hosts to receive log messages options to configure the address of the Syslog S...

Page 250: ...and its presentation type is displayed on your VPNmanager console screen and is dynamically updated at your specified intervals A hardcopy can be printed on demand Enterprise MIB Monitoring is accompl...

Page 251: ...he MIB II IPRouteTable displays information provided from the ipRouteTable in the MIB II Filter Stats provides detailed reporting on filtering statistics for the current security gateway Filter Rules...

Page 252: ...Sec ESP 3 SKIP Algorithm mismatch The parameters of the VPN that this packet belongs to does not match the VPN parameters in the SKIP header 4 SKIP Authentication error The authentication key in the o...

Page 253: ...of this VPN indicating what key management is being used and what encryption authentication and compression algorithms are being used For example IKE 3DES MD5 Compression Pkts In Number of packets se...

Page 254: ...single destination can appear in the table but access to such multiple entries is dependent on the table access mechanisms defined by the network management protocol in use IP RouteTable Interface Ind...

Page 255: ...terface Route Type The type of route Note that the values direct 3 and indirect 4 refer to the notion of direct and indirect routing in the IP architecture Setting this object to the value invalid 2 h...

Page 256: ...knowledge of the routing protocol by which the route was learned Route Mask Indicate the mask to be logical ANDed with the destination address before being compared to the value in the ipRouteDest fi...

Page 257: ...rmant implementation of ASN 1 and BER must be able to generate and recognize this value Table 23 FilterStats Parameters Parameter Description FilterStatsName Interface name to which the filtering stat...

Page 258: ...ound packets not allowed to pass which have been logged When a filtering rule is declared using the log option different from log action and the rule action is declared to be block a log entry is gene...

Page 259: ...was full Log records are stored in a fixed size non circular buffer When the buffer is full no new log records are written until the buffer is drained via either the security gateway console or the V...

Page 260: ...ment table entry to be allocated This value does not reflect the size of the table only the number of entry allocations which succeeded Unneeded Frag Alloc In Number of successful but unnecessary atte...

Page 261: ...Number of successful attempts to allocated State table entries for inbound packets This occurs when a filter rule is declared using the keep state option Packets that match the rule cause a State tabl...

Page 262: ...e internal memory buffers and there is insufficient information available to properly process the packet Successive memory buffers are read until there is enough information to process the packet Bad...

Page 263: ...e No Match Block Out Number of outbound packets for a given interface which did not match any filtering rule and were ultimately blocked per the interface s default rule Table 24 Filter Rules Paramete...

Page 264: ...e Table Parameters Parameter Description Traffic Port Description A description of each port Traffic Port Index The index of this port Indices are Private 0 or 2 Public 1 or 3 2 and 3 appear only for...

Page 265: ...umber of LAN frames transmitted from this port LAN Frames Discard The total number of LAN frames discarded on this port because of errors Ethernet Header Errors The number LAN frames discarded on this...

Page 266: ...ss of the frame was determined by the bridge logic to be attached to the same network segment as this port Total Frames Discarded Total number of frames discarded on this port because of some error Lo...

Page 267: ...rt because of CRC errors Frame Errors The number of packets dropped on this port because of frame errors Overflow Errors The number of packets dropped on this port because of overflow errors No Xmit B...

Page 268: ...Display The display area offers two selections for how your security gateway groups are presented either one window per security gateway or a single window in which the desired security gateway is se...

Page 269: ...larm Type descriptions The default is Take action on Alarm Delete A Delete button appears at the bottom of the window The highlighted alarm s is deleted when the Delete button is clicked Figure 83 VPN...

Page 270: ...ithm Mismatch Indicates that a packet for which one of the three algorithms compression encryption or authentication used to secure it did not match the VPN configuration within the security gateway w...

Page 271: ...font types are Arial Times Roman and Helvetica The available font sizes range from 8 points to 72 points 9 Click Next 10 Depending on the objects selected in the initial screen each object is display...

Page 272: ...When you are satisfied with the report selections made click on the Finished button to generate the report The report window appears after a short pause If a hardcopy is desired you may save the repo...

Page 273: ...pe Description General Diagnostics Routing Table Shows information regarding how the network traffic flows within the network interfaces in the security gateway Flow Table Shows secure traffic packet...

Page 274: ...statistics are only applicable for SG200 SG203 and SG208 Flush Configuration Deletes existing firewall VPN QoS failover SNMP DNS relay NAT VoIP remote access and static routes configuration on the sec...

Page 275: ...to access the security gateway s CLI When you use SSH to transfer data the entire log in session including transmission of the password is encrypted If you use Telnet to communicate with the security...

Page 276: ...ed 8 For Telnet you must select a zone as all zones are disabled by default 9 Move the zones from Blocked to Allowed Click OK 10 Select Networks to configure the IP address to use to access the securi...

Page 277: ...w 2 From the Icon tool bar click Devices to list all security gateways in the Contents column 3 From the Contents column select the security gateway that requires the administrator passwords reset 4 C...

Page 278: ...etwork connection from the VPNmanager workstation to the security gateway exists The Ping This Device button initiates a clear text non VPN traffic ping from the VPNmanager workstation to the security...

Page 279: ...ing a specific security gateway 1 Move to the Configuration Console window 2 From the Contents column select the security gateway that you want to ping 3 Click the Connectivity tab to bring it to the...

Page 280: ...ot A Cold Start alarm is logged by VPNmanager and any other trap targets specified Note that any existing VPN connections are dropped and are re established following the security gateway reboot seque...

Page 281: ...anager for centralized management of devices which have already been configured the Import Device Configuration feature allows the devices existing configuration data to be easily migrated to VPNmanag...

Page 282: ...efault The current private port settings are displayed at the top of the Ethernet Speed dialog box Port Select the public or private port to configure the port speed of the selected security gateway S...

Page 283: ...ed device This screen appears when the Redundancy button on the security gateway Action tab is clicked It is used to set up specific redundancy attributes when two VSU 1200 7500s are being used to bac...

Page 284: ...other VPNmanager installations Select Import VPN when you receive your exported VPN file and have it copied to a local directory You will need the password from the exporting administrator Export VPN...

Page 285: ...ciate the Group with the appropriate security gateway by modifying the Associate this Group with security gateway picklist For Groups with network mask pairs that are not under your management control...

Page 286: ...r more of these entries These parameters are written by VPNmanager Note Note The export RADIUS Users file created by VPNmanager contains no entries in the authentication password field Consequently af...

Page 287: ...ays go the VPN and Security page from the Avaya Support Technical Database Web site at http support avaya com and select the security gateway type to be downloaded follow the links to the Readme file...

Page 288: ...gh the steps to upgrade using the centralized firmware management feature Note Note The upgrade devices wizard dose not allow downgrading of devices To upgrade the firmware using centralized firewall...

Page 289: ...Avaya Support Technical Database Web site at http support avaya com and select the security gateway type to be downloaded follow the links to the Readme file Note Note Because the upgrade procedure r...

Page 290: ...in step 14 select the upstage2 bin file If the security gateway subdirectory does not have an upstage2 bin file click YES If you answered YES to rebooting the security gateway your upgrade is complet...

Page 291: ...nitially launched the security gateway is polled for the current status of this feature which is displayed on the first line DES or 3DES Click on the radio button for the desired encryption method Cli...

Page 292: ...Upgrading firmware and licenses 292 Avaya VPNmanager Configuration Guide Release 3 7...

Page 293: ...cy server and the VPNmanager Console are started and during login SSL services are started Figure 88 Installing Certificates for Running SSL Explanation for Figure 88 1 An administrator uses Directory...

Page 294: ...ick Start Run to open the Run dialog box 3 In the Open text box type the following command line to install the certificate The filename is a name of the certificate file and aliasname is the alias you...

Page 295: ...ll installed issuer certificates 4 sh listcert bat To delete an installed issuer s certificates 1 Open a Console window 2 Move to the opt Avaya VPNmanager Console directory 3 Type the following comman...

Page 296: ...he Policy Manager window 8 After the device has received the Issuer Certificate the certificate appears in the Issuer Certificates list 9 Close the window Repeat Step 1 through Step 7 for each device...

Page 297: ...of packet filtering where the priority of a rule is determined by its position in the list (first is highest priority). Note: The common services referred to in this appendix include all of the fo...

Page 298: ...n a higher inbound and outbound priority than IKE traffic. None: selecting None as the firewall template allows all traffic, VPN and non-VPN, through the gateway; security gateway policies are not enforced...

Page 299: ...ce | Destination | Service | Direction | Zone | Keep State | Description. InBoundPublicAccess | Permit | Any | PublicIP | IKE_IN, IKE_AVAYA_IN, IPSEC_NAT_T_IN, AH, ESP, ICMPDESTUNREACHABLE | In | Public | no | Permit incoming VPN t...

Page 300: ...PublicActiveFTPActive | Permit | DMZNet | Any | ActiveFTP | Out | Public | Yes | Permit active FTP data connection from FTP server on DMZNet to any FTP client on INTERNET. OutboundPublicNATedFTPActiveFTPActive...

Page 301: ...raffic. OutBoundPublicAccess | Permit | PublicIP | Any | IKE_OUT, IPSEC_NAT_T_OUT, AH, ESP, ICMPDestUnreach | Out | Public | no | Permit outgoing VPN traffic. OutBoundPublicPingAccess | Permit | DMZNet, PrivateNet, SemiPri...

Page 302: ...ublic | no. OutBoundPublicPingAccess | Permit | PublicIP, DMZNet, PrivateNet, SemiPrivateNet, ManagementNet | Any | ICMPEchoRequest | Out | Public | Yes. OutBoundPublicGeneralAccess | Permit | Any | Any | ICMPEchoRequest (PING)...

Page 303: ...except traffic that is destined to the management zone. For outgoing traffic to the private zone, traffic initiated from the DMZ is strictly denied; all other traffic is allowed. OutBoundPublicAccessVPNKeyM...

Page 304: ...LIC. OutBoundPrivateDMZSemiPriDenyAccess | Deny | DMZNet | Any | Any | Out | Private | No | Deny traffic from DMZNet and SemiPrivateNet. OutBoundPrivatePermitAll | Permit | Any | Any | Any | Out | Private | Yes | Permit incoming...

Page 305: ...outgoing packets as follows. Incoming traffic allowed to the semi-private zone includes: VPN traffic (the VPN tunnel endpoints can be the semi-private IP or the Public IP); Ping; DNS; ICMP unreachable packets. The...

Page 306: ...InBoundSemiPrivatePingAccess | Permit | Any | SemiPrivateIP, PublicIP | ICMPEchoReq (PING) | In | SemiPrivate | Yes | Permit incoming PING. InBoundSemiPrivateToDMZAccess | Permit | Any | DMZNet | ICMPEchoReq (PING), FTP Ctrl...

Page 307: ...is denied. InBoundSemiPrivateVPNAccess | Permit | Any | SemiPrivateIP, PublicIP | IKE_IN, IPSEC_NAT_T_IN, AH, ESP, ICMPDestUnreach | In | SemiPrivate | no | Permit incoming VPN traffic and ICMP unreachable packets. I...

Page 308: ...eny | DMZNet | Any | Any | Out | SemiPrivate | No | Deny traffic from DMZNet. OutBoundSemiPrivateVPNAccess | Permit | SemiPrivateIP, PublicIP | Any | IKE_OUT, IPSEC_NAT_T_OUT, AH, ESP, ICMPDestUnreach | Out | SemiPrivate | no...

Page 309: ...s from the following networks: private, management and semi-private; the destination is the servers with the common services. InBoundSemiPrivateAccessICMP | Permit | Any | SemiPrivateIP | ICMPDESTUNREACHABLE...

Page 310: ...DMZ | No | Deny the rest of the traffic. Table 41: DMZ high and medium security firewall rules (continued, 2 of 2). Table 42: DMZ low security firewall rules. Rule Name | Action | Source | Destination | Service | Direction...

Page 311: ...zer template. The converged network analyzer (CNA) template is a set of firewall rules that can be configured to allow CNA traffic to travel through the network when the security gateway is set up as a fi...

Page 312: ...Direction | Zone | Keep State. InBoundCNAPing | Permit | Any | PublicIP | ICMPEchoRequest | In | Public | Yes. InBoundCNARTP | Permit | Any | PublicIP | CNA RTP | In | Public | No. InBoundCNATestPlug | Permit | Any | PublicIP | CNA Te...
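The firewall-template pages above make three points that are easy to get wrong in practice: a rule's priority is its position in the list (first match wins), the None template enforces nothing, and a Permit rule marked Keep State admits the reply traffic that a later Deny would otherwise drop. The following is an added worked example, not code from the VPNmanager product or the Avaya manual. It models a public-zone rule set in the style of the high-security template using the rule names the tables use (InBoundPublicAccess, InBoundPublicPingAccess, OutBoundPublicAccess); the two DenyAll rules, the address prefixes, the Filter class and the packet samples are constructed for the example, and reply tracking is simplified to swapping source and destination on the same service label.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Address objects named after the zones used in the firewall templates.
# Prefixes are constructed for this example (documentation ranges), not taken from the manual.
NETS = {
    "Any": None,
    "PublicIP": ip_network("203.0.113.10/32"),
    "DMZNet": ip_network("192.0.2.0/24"),
    "PrivateNet": ip_network("10.0.0.0/8"),
    "ManagementNet": ip_network("10.255.0.0/16"),
}

# Service bundle carried by the VPN-access rules in the templates.
VPN_SERVICES = frozenset({"IKE", "IPSEC_NAT_T", "AH", "ESP", "ICMPDestUnreach"})


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "Permit" or "Deny"
    src: str                    # key into NETS
    dst: str                    # key into NETS
    services: FrozenSet[str]    # service names, or {"Any"}
    direction: str              # "In" or "Out"
    zone: str                   # "Public", "Private", "DMZ", "SemiPrivate"
    keep_state: bool


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str
    direction: str
    zone: str


def _addr_in(obj: str, addr: str) -> bool:
    net = NETS[obj]
    return net is None or ip_address(addr) in net


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.zone == pkt.zone
            and _addr_in(rule.src, pkt.src)
            and _addr_in(rule.dst, pkt.dst)
            and ("Any" in rule.services or pkt.service in rule.services))


class Filter:
    """Ordered packet filter: the first matching rule wins, so list position is priority."""

    def __init__(self, rules: List[Rule], default: str = "Deny"):
        self.rules = list(rules)
        self.default = default
        # Flows admitted by a Keep State rule. A reply is recognised by swapping the
        # addresses; as a simplification the reply keeps the same service label.
        self.flows = set()

    def check(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        if (pkt.dst, pkt.src, pkt.service) in self.flows:
            return "Permit", "state"            # reply to a tracked flow, no rule lookup
        for rule in self.rules:                 # walk in priority order
            if matches(rule, pkt):
                if rule.action == "Permit" and rule.keep_state:
                    self.flows.add((pkt.src, pkt.dst, pkt.service))
                return rule.action, rule.name
        return self.default, None


# Public-zone rule set in the spirit of the high-security template.
# The Access/PingAccess names follow the manual; the DenyAll rules are constructed here.
PUBLIC_HIGH = [
    Rule("InBoundPublicAccess", "Permit", "Any", "PublicIP", VPN_SERVICES, "In", "Public", False),
    Rule("InBoundPublicPingAccess", "Permit", "Any", "PublicIP",
         frozenset({"ICMPEchoRequest"}), "In", "Public", True),
    Rule("InBoundPublicDenyAll", "Deny", "Any", "Any", frozenset({"Any"}), "In", "Public", False),
    Rule("OutBoundPublicAccess", "Permit", "PublicIP", "Any", VPN_SERVICES, "Out", "Public", False),
    Rule("OutBoundPublicDenyAll", "Deny", "Any", "Any", frozenset({"Any"}), "Out", "Public", False),
]

# The same rules with the inbound DenyAll moved ahead of the VPN rule: a misordering
# that silently shadows every inbound Permit, since position is priority.
PUBLIC_MISORDERED = [PUBLIC_HIGH[2], PUBLIC_HIGH[0], PUBLIC_HIGH[1]] + PUBLIC_HIGH[3:]

# The "None" template: no rules at all, everything passes.
NONE_TEMPLATE = Filter([], default="Permit")

# Constructed sample packets (a remote peer at 198.51.100.7 talking to the public IP).
IKE_IN = Packet("198.51.100.7", "203.0.113.10", "IKE", "In", "Public")
HTTP_IN = Packet("198.51.100.7", "203.0.113.10", "HTTP", "In", "Public")
PING_IN = Packet("198.51.100.7", "203.0.113.10", "ICMPEchoRequest", "In", "Public")
PING_REPLY = Packet("203.0.113.10", "198.51.100.7", "ICMPEchoRequest", "Out", "Public")


def demo() -> dict:
    fw = Filter(PUBLIC_HIGH)
    bad = Filter(PUBLIC_MISORDERED)
    return {
        "ike_in": fw.check(IKE_IN),                 # Permit, InBoundPublicAccess
        "http_in": fw.check(HTTP_IN),               # Deny, InBoundPublicDenyAll
        "ping_in": fw.check(PING_IN),               # Permit and record the flow (Keep State)
        "ping_reply": fw.check(PING_REPLY),         # Permit via state, despite OutBoundPublicDenyAll
        "ike_in_misordered": bad.check(IKE_IN),     # Deny: DenyAll now shadows the VPN rule
        "none_template": NONE_TEMPLATE.check(HTTP_IN),  # Permit, nothing enforced
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```

Run on a fresh Filter the reply packet alone is dropped by OutBoundPublicDenyAll; only after the Keep State rule has admitted the echo request does the reply pass, which is the behaviour the Yes/No Keep State column in the tables controls.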

Page 313: ...larm pane. Authentication, Generic: the process of ensuring that the data received is the same data that was sent from the source. Local: Local Authentication is used in non-dynamic VPNs (VPNs not using RAD...

Page 314: ...ify the security gateway Certificate. Certificate Revocation List (CRL) checking: Certificate Revocation List checking looks to a directory server maintained by CAs to validate a new certificate by search...

Page 315: ...orate network uses VPN components that are managed separately by each company's system administrator. F. Firewall: a network device acting as a filter to restrict access to private network resources from...

Page 316: ...terprise MIB information allows the administrator to obtain basic monitoring information, such as the network table, packet counters, and general information regarding the security gateway, using third-par...

Page 317: ...own to all security gateways. Public Key Certificate: a special block of data used to identify the owner of a particular public key. It describes the value of a public key, the key's owner, and the digital...

Page 318: ...e remote client's computer. Control of Split Tunneling is normally set when the Dyna-Policy configuration download to the remote client's computer occurs. SSL: Secure Sockets Layer is a protocol that pro...

Page 319: ...2 authentication 142; configuring IKE VPN 153; SKIP VPN 151; Password text box 119; RADIUS 126; authentication IPSec 146; Authentication Algorithm drop-down list IKE VPN 153, IPSec 155, SKIP VPN 151; B; backup...

Page 320: ...tiated Services about 192; Diffie-Hellman Group 143; Diffie-Hellman Group drop-down list 154; Diffie-Hellman Groups 145; DiffServ 193; Directory Name of Certificate Authority text box 155; Distinguishing En...

Page 321: ...ist 103; IKE radio button 136; IKE VPN about 134, adding IP Group Objects 152, adding User and User Group Objects 152, authentication method configuring the 153, Certificate Based radio button 152, compressi...

Page 322: ...Modify Secret button 153; modulus in IKE VPNs keying algorithm 154; Monitor Monitor Wizard 250; Monitoring Groups 251; MTU Drop all IP Fragments check box 192, path discovery configuring 202; N; naming VPNs...

Page 323: ...perty sheet for CCD 113; Preferences Advanced Tab 51; Preferences General Tab 49; Preferences Remote Client Tab 51, 111; Presentation monitoring 268; Preshared Secret 138; Preshared Secret IKE 144; Preshared...

Page 324: ...69; Send no VSU names radio button 206; Send Syslog messages 112; Send VSU Names control 205; server list managing 211; Servers tab detailed description 210; SHA1 authentication selecting 153; shared secret...

Page 325: ...oIP LRQ 177; VPN Create Designated 137, Default VPN 136, Domains about 55, hierarchy detailed view 55, IKE VPN see IKE VPN 134, rekeying 162, SKIP VPN see SKIP VPN 133; VPN (Virtual Private Network) key managem...

Page 326: ...326 Avaya VPNmanager Configuration Guide Release 3.7 Index. X: x 169; Z: zone public 68, zone public backup 68, zones IP addressing 70, network 67, type of 25, 67...
