Nortel SMC 2450 Скачать руководство пользователя страница 138 | Manualshive

Страница: 138 / 262

Nortel SMC 2450 Скачать руководство пользователя страница 138

Page 138 of 260

Secure UNIStim deployment

553-3001-225

Standard 1.00

May 2006

The following section explains why Secure UNISTIM reregistration can be
delayed and how to speed the process up.

When an insecure IP Client is rebooted, it goes through the following process:

1

The phone communicates to the CSE Node IP address on port 4100.

2

The Node TPS redirects the IP Client to either:

•

the TLAN IP of the same Node TPS

•

another TPS device TLAN address (load balancing process)

3

The IP Client communicates to the TPS TLAN IP at the supplied address
on port 7300

4

After registration completes, the IP client communicates to the same TPS
as step 3 on TLAN IP port 5100

The IP Client is now registered and ready to operate.

Note:

The 4100/7300/5100 port numbers are factory default.

When secure UNIStim is disabled and phones are operating normally, the
phones operate in the final state, as identified in step 4.

When security is enabled, the SMC firewall is designed to do the following
for both secure and insecure IP Clients:

•

recognize that an IP Client is communicating to the CSE Node address
on port 4100. During the configuration of the Secure Unistim feature on
the SMC, the TPS server IP address is provided.

•

watch IP client communications move to the assigned TPS TLAN
address using port 7300

•

watch the IP client finish registration on port 5100

•

track this activity using a firewall-based client table

When secure unistim is enabled on the SMC, the phones are most likely still
in step 4; therefore, the firewall does not get the opportunity to track the IP
client through the registration process.

«
...
136
137
138
139
140
...
»

Содержание SMC 2450

Страница 1: ...ithout notice The statements configurations technical data and recommendations in this document are believed to be accurate and reliable but are presented without express or implied warranty Users mus...

Страница 2: ......

Страница 3: ...Page 3 of 260 Secure Multimedia Controller Implementation Guide 4 Revision history May 2006 Standard 1 00 This document is a new NTP It was created to support the Secure Multimedia Controller 2450...

Страница 4: ...Page 4 of 260 Revision history 553 3001 225 Standard 1 00 May 2006...

Страница 5: ...nformation 19 How to get help 21 Getting help from the Nortel web site 21 Getting help over the telephone from a Nortel Solutions Center 21 Getting help from a specialist by using an Express Routing C...

Страница 6: ...ion 57 Deploying a new system 57 Hardware installation 59 Contents 59 Installation package contents 59 SMC physical features 60 Installation 67 Installing the SMC in a rack 69 Installing the SMC on a...

Страница 7: ...oip_users and voip_admins 119 Secure UNIStim deployment 121 Contents 121 Introduction 121 Security policy 123 First time deployment 131 Configuring Secure UNIStim 131 Troubleshooting Secure UNIStim 13...

Страница 8: ...ce CLI 183 Contents 183 Introduction 183 Accessing the CLI 184 Using the CLI 188 RADIUS authentication 194 Web User Interface UI 197 Contents 197 Introduction 197 Basics of the Web UI 198 Logging 207...

Страница 9: ...Contents 221 Hardware and power supply specifications 221 Regulatory specifications 223 Appendix C Regulatory information 225 Contents 225 System approval 225 Electromagnetic compatibility 225 DenAn r...

Страница 10: ...Page 10 of 260 Contents 553 3001 225 Standard 1 00 May 2006 Format 251 Log message table 253...

Страница 11: ...n a rack 69 Procedure 3 Installing the SMC on a shelf or tabletop 69 Procedure 4 Connecting the power supply 71 Procedure 5 Establishing a console connection 73 Procedure 6 Configuring the initial SMC...

Страница 12: ...ation using the Web UI 95 Procedure 16 Enabling TFTP 96 Procedure 17 Saving the current configuration using the CLI 96 Procedure 18 Restoring the current configuration using the Web UI 97 Procedure 19...

Страница 13: ...logging 111 Procedure 29 Viewing applied rules 113 Procedure 30 Viewing the system log 114 Procedure 31 Viewing system and host status 114 Procedure 32 Create a customer inbound rule 115 Procedure 33...

Страница 14: ...ing the private key 147 Procedure 42 Upgrading SMC software using a package upgrade Web UI 165 Procedure 43 Upgrading SMC software using a package upgrade CLI 167 Procedure 44 Activating the software...

Страница 15: ...age 15 of 260 Secure Multimedia Controller Implementation Guide Procedure 50 Enabling Telnet or SSH using the Web UI 186 Procedure 51 Enabling SSH using the CLI 187 Procedure 52 Configuring the SMC fo...

Страница 16: ...Page 16 of 260 List of procedures 553 3001 225 Standard 1 00 May 2006...

Страница 17: ...s Note on legacy products and releases This NTP contains information about systems components and features that are compatible with Nortel Communication Server 1000 and Nortel Multimedia Communication...

Страница 18: ...n see one or more of the following NTPs Communication Server 1000S Upgrade Procedures 553 3031 258 Communication Server 1000E Upgrade Procedures 553 3041 258 Intended audience This document is intende...

Страница 19: ...ian 1 PBX 51C Meridian 1 PBX 61C Meridian 1 PBX 61C CP PII Meridian 1 PBX 81 Meridian 1 PBX 81C Meridian 1 PBX 81C CP PII Related information This section lists information sources that relate to this...

Страница 20: ...Page 20 of 260 About this document 553 3001 225 Standard 1 00 May 2006...

Страница 21: ...products From this site you can download software documentation and product bulletins search the Technical Support Web site and the Nortel Knowledge Base for answers to technical issues sign up for au...

Страница 22: ...ess some Nortel Technical Solutions Centers you can use an Express Routing Code ERC to quickly route your call to a specialist in your Nortel product or service To locate the ERC for your product or s...

Страница 23: ...C configurations 33 Traffic protection 38 Secure UNIStim proxy 39 Administrative tools 44 Resiliency 46 Campus redundancy 50 Geographic redundancy 52 Engineering impact and limitations 54 Product comp...

Страница 24: ...l Area Network LAN Wide Area Network WAN and the call servers The SMZ protects the signaling and media infrastructures of the MCS 5100 and CS 1000 product lines All signaling and media traffic enterin...

Страница 25: ...used for management and intranet untrusted traffic Two networks are mandatory in each SMC system installation Management subnet The management subnet transmits clustering and synchronization traffic b...

Страница 26: ...e location of Call Pilot Symposium and Optivity Telephony Manager MCS LAN subnet The Multimedia Communication Server LAN MCS LAN subnet is the location of the MCS suite of servers Note You can substit...

Страница 27: ...Description Page 27 of 260 Secure Multimedia Controller Implementation Guide Figure 1 Basic subnet mappings...

Страница 28: ...ndancy Protocol VRRP with both SMCs in a HA configuration a cross over cable to connect the management ports in a HA configuration Management IP address A single cluster management IP MIP address is s...

Страница 29: ...access rules The administrator specifies inbound access control rules for traffic that originates in the intranet and flows into a security zone and outbound access control rules for traffic that exi...

Страница 30: ...ected to an outbound TLAN policy and then an inbound MCS LAN policy The administrator can customize and configure the rules in each SMZ For example the administrator can add and delete custom rules an...

Страница 31: ...er 2 switch The SMC does not support Virtual LANS VLAN therefore a single interface is required for each subnet In VLAN networks multiple devices are connected across routes but are part of the same s...

Страница 32: ...r Multi link Trunking MLT networks in which more than a single port is used for a logical trunk an additional switch device is required to work in tandem with the SMC The switch interfaces with the SM...

Страница 33: ...configurations Stand alone High Availability HA Stand alone configuration The stand alone configuration contains a management network intranet network and one or more security zones Each of the SMZ n...

Страница 34: ...guration The management network needs two IP addresses in the stand alone configuration The first address is the host IP address which is the IP address for the SMC The second IP address is the cluste...

Страница 35: ...ia Zones uses the SMC Interface IP addresses as their gateway address For example a CSE 1000 Signaling Server TLAN Gateway address is the SMC TLAN IP address IMPORTANT In a High Availability configura...

Страница 36: ...P IP addressing A high availability cluster consists of two SMC devices one SMC acts at the active device and the other acts as the backup device In this scenario only one SMC processes traffic If the...

Страница 37: ...shown in Figure 5 on page 37 VRRP requires three IP addresses for each cluster interface two real IP addresses one for each SMC in the cluster a floating IP address owned by the master SMC Figure 5 V...

Страница 38: ...ll traffic that originates or terminates on the multimedia devices Stateful filtering is more secure than a simple packet filtering in that stateful filtering keeps track of the protocol s state in ev...

Страница 39: ...nes however the first release of the SMC supports only CS 1000 Using UNIStim a UNIStim IP phone communicates with a UNIStim server TPS using the User Datagram Protocol UDP The SMC Secure UNIStim proxy...

Страница 40: ...rent proxy the clients communicate directly to the UNIStim signaling servers The clients have no knowledge that the SMC is inserted itself between the server and client and intercepting the signaling...

Страница 41: ...public key cryptography system employed in both encryption and authentication Comparison of the public and private keys The private key is 1024 bit RSA key that is associated with a unique public key...

Страница 42: ...g Examples 16 characters 9d581d2cca15141b 32 characters 9d581d2cca15141b80623a942a59d7d3 Table 1 RSA key types Key Description Server private key The SMC maintains a 1024 bit RSA private key which is...

Страница 43: ...a client runs firmware that supports secure UNIStim but does not have a primary key fingerprint the SMC can automatically update the fingerprint to the client Master key The master key is generated by...

Страница 44: ...updates on page 154 Session caching The SMC supports session caching which enhances the performance of the client handshake When the UNIStim IP phone logs in a second time the server reuses the previo...

Страница 45: ...dministration Two primary management roles exist on the SMC administrators and operators Administrators can add and delete users modify all aspects of the configuration and update the software Operato...

Страница 46: ...l secure UNIStim handshake requires high SMC CPU resource utilization Using the session cache synchronization feature a phone can reconnect and establish a secure connection with much less CPU resourc...

Страница 47: ...ty and re register to the backup SMC In secure mode this registration can use session cache synchronization to lessen the resource utilization of many IP phones simultaneously re registering In this s...

Страница 48: ...dia channel ceases The intranet phone can re establish the signaling through the new master SMC even while it is off hook during a live call Unistim session state is re established on the new master S...

Страница 49: ...guration drops all packets directed to it thereby effectively blocking connectivity IMPORTANT In a branch office failover scenario one UNIStim phone can be redirected to register securely with differe...

Страница 50: ...nd registered IP phones To help eliminate any potential system down time configure a pair of CS 1000E CPUs to form a completely redundant IP telephony network You can install the following equipment a...

Страница 51: ...Description Page 51 of 260 Secure Multimedia Controller Implementation Guide Figure 7 SMC campus redundancy...

Страница 52: ...outer to the intranet To route packets properly to the CS 1000 devices the router must use the Virtual Router IP address of the SMC intranet interface as the gateway IP address The SMS as a router can...

Страница 53: ...to the secondary the traffic is redirected to the second SMC cluster The IP phones re establish a secure UNIStim connection with the SMC before access permission is granted to the CS 1000 signaling s...

Страница 54: ...stems Nortel estimates that the hardware provides at least 100 megabytes MByte throughput for 100 byte packets or 125 kilo packets per second Kpps This is sufficient to support more than 1000 concurre...

Страница 55: ...subnet port 2 for the intranet subnet and ports 3 through 6 for the secure multimedia zones Product compliance For a complete list of supported products Nortel recommends that you refer to the releas...

Страница 56: ...Page 56 of 260 Description 553 3001 225 Standard 1 00 May 2006...

Страница 57: ...grade an Secure Multimedia Controller SMC you need to understand the overall process This chapter contains the high level information required to deploy a new system or a system upgrade Deploying a ne...

Страница 58: ...Turn on Secure UNIStim security for a subset of clients to troubleshoot UNIStim connectivity and populate the secure UNIStim server tables with the redirect information See Secure UNIStim deployment...

Страница 59: ...shelf or tabletop 69 Supplying power to the SMC 70 Setting up terminal access to the SMC 71 Troubleshooting installation 74 Installation package contents Table 2 lists the contents of the SMC 2450 ins...

Страница 60: ...ort and power supply access Front panel Figure 9 shows the SMC front panel view Table 3 describes front panel features Console cable To connect the SMC to a personal computer or local terminal Bezel a...

Страница 61: ...el release flap Figure 10 2 Grasp the bezel and slide the bezel to the right until disengaged Table 3 Front panel features Indicator or Button Description Amber system status LED On when system needs...

Страница 62: ...re installation 553 3001 225 Standard 1 00 May 2006 3 Remove the bezel from the faceplate End of Procedure Figure 10 Bezel removal Figure 11 shows the front panel without the bezel Figure 11 Front pan...

Страница 63: ...ion Procedure 1 Attaching the front panel bezel To attach the bezel follow these steps 1 Align the bezel on the faceplate slightly to the right of the front panel 2 With the release flap open engage t...

Страница 64: ...er ports Nortel recommends that port 1 be used for the management subnet port 2 for the intranet subnet and ports 3 through 6 for the secure multimedia zones Status LEDs for each port are located abov...

Страница 65: ...ght LED is flashing the port is sending or receiving network data The flash frequency varies with the amount of network traffic 100 Mb s Yellow flashing Off Port operates at 100 Mb s Cable connection...

Страница 66: ...ction between the port and network device switch hub or router is good 100 Mb s Green Green Port operates at 100 Mb s Cable connection between the port and network device is good 1000 Mb s Red Green P...

Страница 67: ...You can rack mount the SMC in a standard 19 inch in rack or install it on a shelf or other flat surface You need the following tools and supplies to install the components 2 Phillips screwdriver stra...

Страница 68: ...ck power load is equal to a maximum of eighty percent of the branch circuit rating Power cords are free of obstructions Power cords at plugs convenience receptacles and points of exit from the SMC are...

Страница 69: ...four mounting screws through the front brackets and into the rack frame End of Procedure Result you can now connect the power supply See Connecting the power supply on page 71 Installing the SMC on a...

Страница 70: ...lat surface Use of both the rear and front power switches is required for full SMC operation Power reliability The SMC is a critical component in the enterprise communications system The SMC does not...

Страница 71: ...the front panel The system power LED turns green to indicate that power is supplied End of Procedure Setting up terminal access to the SMC The SMC has a console port for system diagnostics and config...

Страница 72: ...nents An ASCII terminal or a computer running ASCII terminal emulation software standard terminal emulation type is VT100 with the parameters shown in Table 7 A console cable male to female with DB 9...

Страница 73: ...The standard terminal emulation type is VT100 Procedure 5 Establishing a console connection To establish a console connection follow these steps 1 Using the supplied console cable connect the terminal...

Страница 74: ...lation Two situations require troubleshooting The system does not power on correctly The system powers on but shows no display text for initiating a session with the SMC No power If the SMC does not p...

Страница 75: ...chnical Support at www nortel com support No display text If the system powers on and no boot messages or console prompt appears perform the following checks Make sure the console cable is securely co...

Страница 76: ...Page 76 of 260 Hardware installation 553 3001 225 Standard 1 00 May 2006...

Страница 77: ...configurations The SMC supports two types of configurations Stand alone High Availability HA Stand alone configuration The stand alone configuration contains a management network intranet network and...

Страница 78: ...iguration the equipment residing on the SMZs uses the SMC Interface IP addresses as their gateway address For example a CSE 1000 Signaling Server TLAN Gateway address is the SMC TLAN IP address IMPORT...

Страница 79: ...he gateway router so packets from the Intranet IP clients and Administrators are routed to the SMC which routes to the correct SMZ In a stand alone configuration the static route points to the Intrane...

Страница 80: ...t same as first SMC same as first SMC 3 same as first SMC same as first SMC 4 same as first SMC same as first SMC 5 same as first SMC same as first SMC 6 same as first SMC same as first SMC Table 11 O...

Страница 81: ...located on the back of the SMC and have the numbering scheme shown in Figure 14 Figure 14 SMC port mappings Port recommendations Nortel recommends that port 1 be used for the management subnet port 2...

Страница 82: ...nd alone SMC or the first SMC in a high availability configuration 1 Disconnect the ethernet cable on all SMC ports except the management port 2 Apply power to the SMC The SMC boots from the factory i...

Страница 83: ...net b Enter the IP address for this port c Enter the network mask for the entire management subnet d Enter the cluster Management IP MIP address information The cluster MIP address must reside in the...

Страница 84: ...SSH host key Note Nortel recommends that you generate a new SSH key to maintain a high level of security when connecting to the SMC using an SSH client For more information about SSH see Using Secure...

Страница 85: ...bnet b Enter the port number for the ELAN subnet c Enter the ELAN subnet IP address d Enter the ELAN subnet netmask 16 Configure the CS 1000 TLAN subnet a Enter yes to configure the TLAN subnet b Ente...

Страница 86: ...nistration in step 10 of Procedure 6 the access list is updated automatically for Web browsers with IP addresses on the management subnet If you chose not to enable Web administration you must allow a...

Страница 87: ...to DHCP usage 6 Enter the network mask Note A mask of 255 255 255 255 will allow only the single IP address identified in step 5 to access the SMC system The Access list prompt is accesslist is displa...

Страница 88: ...To enable HTTPS access using SSL enter cfg sys adm web ssl ena 3 Generate a temporary certificate if using HTTPS An SSL server certificate is required for HTTPS access to the Web UI The SMC can genera...

Страница 89: ...ou can remotely manage the SMC using Telnet SSH or the Web UI For security purposes access to these features is restricted through the remote access list Using the remote access list you can specify I...

Страница 90: ...nds cfg sys accesslist Select access list menu Access List add 201 10 14 7 255 255 255 255 Add single address Access List add 214 139 0 0 255 255 255 0 Add range of addresses 6 Enter base IP address t...

Страница 91: ...make sure JavaScript is enabled Starting the Web UI Procedure 10 Starting the Web UI 1 Start a Web browser on a PC that is using an IP address included in the Access List created in Procedure 9 on pa...

Страница 92: ...he account name and password for the system administrator or operator account For more login and password information see Users and passwords on page 162 Note Expect a delay of a few seconds while the...

Страница 93: ...ections provide useful information that can help you as you continue the deployment process For an overview of Web UI tasks see Global command buttons on page 93 To learn how to save and restore the S...

Страница 94: ...uration 1 Select the appropriate menu item and sub page 2 Modify fields in the appropriate forms display areas 3 Click Update to submit the changes to the pending configuration End of Procedure Proced...

Страница 95: ...Click Submit End of Procedure Saving and restoring the SMC configuration Periodically it is necessary to upgrade or reinstall the SMC software Before doing so Nortel recommends that you save the exis...

Страница 96: ...at location specified You can view the configuration using a standard text editor Procedure 16 Enabling TFTP TFTP and FTP are disabled by default If you want to use TFTP or FTP to save or restore the...

Страница 97: ...Web UI 1 Using a Web browser enter the URL to the Web UI The SMC login prompt appears 2 Enter the administrator account and password 3 On the left side of page click Operation The Operation Menu expan...

Страница 98: ...n is now active Installing the redundant SMC To set up a High Availability SMC cluster using a redundant SMC the following conditions are required Install and configure the primary SMC with basic para...

Страница 99: ...ministration Access List Procedure 20 Installing the redundant SMC 1 Make sure that the first SMC is on and operational 2 Rack mount the redundant SMC hardware See Hardware installation on page 59 3 C...

Страница 100: ...mple in this procedures shows how to set the IP address of the physical interfaces and virtual IP on the intranet zone All three addresses need to be in the same subnet Each zone further needs to have...

Страница 101: ...d The join process can take several minutes to complete End of Procedure Result The SMCs are joined Because the system is now an SMC cluster all configuration is shared across both SMCs So redundant S...

Страница 102: ...er is running VRRP CLI info net vrrp status Web UI Main System Page at the top of left hand menu End of Procedure Result The SMC cluster is now in High Availability Mode All packets are now be directe...

Страница 103: ...guration although the diagrams show a HA system See High Availability HA configuration on page 78 to review the configuration required to set up a high availability cluster Additional chapters in this...

Страница 104: ...evices on either side of the SMC so that traffic is directed through the SMC The routing updates affect the VoIP equipment in the multimedia zones and the router that interfaces to the intranet Figure...

Страница 105: ...at the firewalls are unhooked view the firewall status on the initial System page in the Web UI Note You can add and update firewall rules while the firewall is unhooked however the rules do not go in...

Страница 106: ...does not affect current network functionality Hooking the firewall After you verify the SMC placement you can turn the firewall on If the firewall rules are properly configured the traffic and service...

Страница 107: ...the SMC such as Call Pilot or OTM sessions are terminated and required to recreate a session even if there is an applicable rule for the connection Current Telnet and Secure Shell SSH connections are...

Страница 108: ...e 18 HTTPS and UNIStim traffic flow Use the following methods to troubleshoot firewall problems Allowing ping If the end to end connectivity between the client and the server is in question it is help...

Страница 109: ...lect ICMP as the protocol 6 Select the appropriate Source and Destination for the client and server 7 Set Action to allow 8 Click Update 9 The rule will be added to the end of the current list 10 Clic...

Страница 110: ...earch The latest firewall log messages are displayed 4 Enter the IP address of the client or server of the problem machine 5 Click Search End of Procedure Result All logs for that machine are now list...

Страница 111: ...or a particular installation Procedure 28 Enabling unavailable policy logging 1 Log on to the Web UI 2 Navigate to Multimedia Security Security Settings Log Messages 3 Enable Unavailable Policies 4 Cl...

Страница 112: ...ny rule is hit by a packet Mar 1 13 21 14 127 0 0 1 id firewall time 2006 03 01 13 21 14 fw a10 10 10 10 pri 1 proto 6 tcp src 2 2 2 100 32808 dst 3 3 3 200 22 mid 2077 mtp 7 msg Deny access policy ma...

Страница 113: ...nostics Applied Rules Note The Applied Rules page defines all currently applied rules on the firewall not just the rules specified in the configuration inbound outbound lists Additional rules are list...

Страница 114: ...he system log 1 Log on to the Web UI 2 Navigate to Logs System Log 3 Click Search 4 Click Next Page to step through the log messages End of Procedure System and host status You can view the system sta...

Страница 115: ...inbound rule to allow this traffic through The rule should map the source and destination networks for the traffic the protocol either TCP UDP SVP or ICMP and the port if not ICMP or SVP Procedure 32...

Страница 116: ...n specify an ICMP rule to allow the Desktop Messaging Client to communicate with the CallPilot Server Flow control is used to limit the number of ICMP packets transmitted per second Before starting ga...

Страница 117: ...9 Click Finish 10 Click Apply End of Procedure Result The CallPilot Desktop Messaging Wizard creates a new network for the Desktop Messaging Servers and adds an appropriate rule to the designated Sec...

Страница 118: ...Server and single SWC Server they are generally collocated Some deployments have multiple Symposium Servers use a single SWC Server Note 2 Optionally Symposium components can use unicast in place of m...

Страница 119: ...reation The networks are fully customizable and have no relevance other than as placeholders voip_users The voip_users network refers to user level access that is access by IP phones and other devices...

Страница 120: ...Page 120 of 260 Firewall deployment 553 3001 225 Standard 1 00 May 2006...

Страница 121: ...131 Configuring the IP clients 139 Managing the keys 146 Signaling servers 147 IP client firmware management 151 Private key updates 154 Licensing 155 Troubleshooting 156 Scenarios 156 Client policy a...

Страница 122: ...m The proxy is transparent meaning that neither the client nor the server recognize the SMC is handling the connection The client talks directly to the server and the server communicates with the clie...

Страница 123: ...t security Allows only secure sessions and denies all insecure sessions Enable session caching Provides a quicker handshake if the phone restarts Nortel recommends session caching Key renewal Specifie...

Страница 124: ...ng server The default rule in the SMC maps a network called voip_users to a nonsecure Policy The Client Rules can be viewed in the Web UI at Multimedia Security UNIStim Security Client Rules Security...

Страница 125: ...roup of IP clients the subnet they are on and the SMC network name that has been given to those clients Figure 22 on page 126 shows in the Web UI how the IP client network is tied to the policy and Fi...

Страница 126: ...Page 126 of 260 Secure UNIStim deployment 553 3001 225 Standard 1 00 May 2006 Figure 22 Sample policy page...

Страница 127: ...gure 23 Sample rules page Security in External Redirections feature When an IP phone is redirected to a server that is not located in an SMZ protected by the current SMC the Security in External Redir...

Страница 128: ...prompted when it is redirected to make a secure connection to the external server If the external server is not protected by an SMC the phone connection fails with a security error As illustrated in...

Страница 129: ...re Multimedia Controller Implementation Guide Figure 24 Virtual Office redirection scenario Note Even if both servers are protected by SMCs the redirection may still fail if the IP phone does not have...

Страница 130: ...ions feature so that the IP phones are redirected insecurely to CS 1000 Remote and they can establish connectivity however this methodology is not fully secure To support a fully secure Virtual Office...

Страница 131: ...rs to be proxied IMPORTANT Prior to deploying Secure UNIStim install the supported firmware image on all IP phones served by the SMC Turn on the default Secure UNIStim policies for an initial deployme...

Страница 132: ...ith a letter and consist of letters and numbers Since the fingerprint for this key is stored on all IP phones export and store this key after the wizard has completed 8 Click Next 9 Select Yes to add...

Страница 133: ...called if it is first in the list You will need to re order the Rule list to place the new more restrictive Rule first 14 Extract the private key to a secure location a Navigate to the Multimedia Sec...

Страница 134: ...dministration Monitor UNIStim Security Server page This page displays both primary servers and secondary servers separately for each SMC in a HA cluster 17 To examine the clients navigate to the Admin...

Страница 135: ...an IP Client is programmed to communicate with each Primary UNIStim server in the servers list When this IP Client is redirected to the various secondary servers those servers are added to the SMC Dyn...

Страница 136: ...ss The MAC address internally maps to port 1 b Obtain the license from Nortel c Paste the license into the New License window and save it Repeat this step for each SMC for each host in a HA cluster It...

Страница 137: ...ne connection Using the Web UI you can check whether a phone is connected in secure or non secure mode Procedure 37 Verifying the IP phone connection 1 Log on the Web UI 2 Navigate to the Administrati...

Страница 138: ...nd ready to operate Note The 4100 7300 5100 port numbers are factory default When secure UNIStim is disabled and phones are operating normally the phones operate in the final state as identified in st...

Страница 139: ...sharing the various TPS servers are discovered to push all phones immediately during a maintenance window reset all phones through Element Manager on all TPS servers Configuring the IP clients Table 1...

Страница 140: ...y on the SMC for the server to which the client connects For more information about UNIStim see Secure UNIStim deployment on page 121 WLAN handset 2211 No Yes Polycom Yes Yes IMPORTANT All IP clients...

Страница 141: ...t appears 3 Change the action byte from 1 insecure to 6 secure 4 Set the RSA public key fingerprint using the 16 byte fingerprint corresponding to the public private key pair stored on the SMC Note Th...

Страница 142: ...ay appear this way during the configuration Instead the two allowed fingerprints are treated as a pool of fingerprints either one can authenticate S1 or S2 WARNING The automatic update feature is avai...

Страница 143: ...cter fingerprint is 8a166e6cc08be496 Key in the numerals 0 9 using the phone keypad Key in the letters using the convention of the pound key plus the corresponding number For example 1 a and 6 f 6 If...

Страница 144: ...C the fingerprint currently in use is overwritten DHCP Using DHCP you can initially configure IP phones and then the IP phones dynamically retrieve their configuration when they are turned on You can...

Страница 145: ...limited in flexibility DHCP recommendations Nortel recommends that you initially keep the action byte at 1 in DHCP and on the IP phones so that the automatic fingerprint update can work correctly and...

Страница 146: ...rting the private key Using the Web UI you can generate private keys on the SMC device or import private keys The SMC supports 1024 bit RSA keys Import of the key is facilitated by the use of PEM enco...

Страница 147: ...generates firewall rules for the different security zones that it protects however you can customize the firewall rules By default the autogenerated rules allow UNIStim traffic through the SMC for bot...

Страница 148: ...s or signaling servers that perform load balancing such as TPS Update server database When secure UNIStim is enabled in an environment with IP phones already communicating on port 5100 through a firew...

Страница 149: ...ORTANT Secondary servers are propagated to the backup SMC HA configuration and stored persistently The initial database priming is performed only at installation or when the internal server mappings c...

Страница 150: ...eterministic such is the case when one server re directs to multiple other servers such as for load balancing If the IP phones have not been registered with the SMC Nortel recommends that you reset th...

Страница 151: ...mage UNIStim security support is present but limited To protect against phone firmware issues you can specify which firmware types fully support Secure UNIStim and what level that support includes You...

Страница 152: ...ware checking older firmware images that support security in a limited fashion are upgraded along with phones running the officially supported phone firmware Nortel recommends you disable firmware che...

Страница 153: ...he Secure UNIStim client policy You can view the IP client firmware table in the Web UI at the following page Multimedia Security UNIStim Security IP Client Firmware Using the firmware checking featur...

Страница 154: ...as been compromised or as part of standard security policy to limit the period an individual key is in use After a private key update all IMPORTANT Clients with images that do not support security are...

Страница 155: ...nts replaced when they change their session keys Licensing The SMC requires a license to support the total number of Secure UNIStim users Without a license key the SMC supports 50 Secure UNIStim users...

Страница 156: ...a proxied server and that pass through the firewall insecurely using a firewall rule are not included in these counts Statistics View the UNIStim proxy statistics at the Statistics UNIStim Proxy page...

Страница 157: ...nt firmware version and client policies based on client IP address and subnet information These policies impact client connectivity in the following ways allow or deny a client non secure register req...

Страница 158: ...connect in secure mode and IP phones without secure capability get rejected Policy setting upgrade y Security y Example 3 The client subnet consists of IP phones running the newer firmware as well as...

Страница 159: ...irmware policy for 0602B75 cache deny IMPORTANT Once firmware checking is enabled you must ensure that all firmware versions that need to run secure UNIStim are present in the firmware database The SM...

Страница 160: ...Page 160 of 260 Secure UNIStim deployment 553 3001 225 Standard 1 00 May 2006...

Страница 161: ...required for collecting system information configuring system parameters beyond initial setup establishing security policies and monitoring policy effectiveness Management tools The SMC provides the f...

Страница 162: ...emented on the SMC The default usernames and password for each access level are listed in Table 14 Usernames and passwords are case sensitive Note Nortel recommends that you change all the default pas...

Страница 163: ...ernal access to the operating system and software Root access is NOT RECOMMENDED unless under the direction of Nortel support personnel CAUTION Service Interruption The root login on this system is on...

Страница 164: ...his upgrade process DOES NOT retain the current configuration so the configuration must be saved prior to the upgrade Use this upgrade when there is concern that the SMC application software may be co...

Страница 165: ...es 4 Click Packages A screen appears listing the Installed Packages and providing an option to upload the new package 5 Click Browse to locate the package you wish to upload to SMC Note The package fi...

Страница 166: ...ent indicating that it is now the active version The pervious package has a status of old with an Activate button in the Actions column of the page The Activate button provides the option to revert to...

Страница 167: ...ish the connection Result The SMC login prompt appears 3 Log on with the admin user and password 4 Enter cur to verify the current versions of the software 5 Choose one of the following 4 Enter cur to...

Страница 168: ...e the boot software cur command When a new version of the software is downloaded to the SMC the software package is automatically decompressed and marked as unpacked After you activate the unpacked so...

Страница 169: ...mpt and then wait two more minutes for the SMC to be reinitialized 5 Enter info clu to check that the SMC is running 6 Log on to the SMC 7 Enter boot software cur to check the software status The soft...

Страница 170: ...sult When the upgrade is completed the configuration for at least one network interface must be added so the configuration can be downloaded using FTP TFTP Reinstalling the software Reinstalling the s...

Страница 171: ...ROM If the CD ROM is correctly burned and inserted you will see the following message Loading OS from CDROM 5 When prompted log on to the console as the root user No password is required 6 Enter insta...

Страница 172: ...on the network The host name or IP address of the FTP SCP SFTP server The name of the IMG file This process assumes that FTP and TFTP are enabled on the SMC See Procedure 16 on page 96 Note You can pr...

Страница 173: ...fg to restore the configuration from the TFTP server 15 Reboot the SMC to apply the restored configuration file End of Procedure Resetting the SMC to factory defaults Procedure 48 Resetting the SMC to...

Страница 174: ...h SMC owns the MIP in the following manner CLI info summary Web UI System page ii Delete the machine not currently logged on connectivity is not lost CLI cfg sys cluster host n delete Web UI Operation...

Страница 175: ...goes down and comes back up VRRP does not support preferred master The SMC does not work with Spanning Tree Protocol STP because STP interferes with VRRP When STP is enabled the SMC host with the hig...

Страница 176: ...added to the first SMC Only two SMCs can reside in a cluster The general procedure for joining the SMCs is presented in Installing the redundant SMC on page 98 Clustered SMCs act as virtual routers in...

Страница 177: ...ster continuously broadcasts advertisement packets at regular intervals as defined by the advertisement interval adint value If advertisement packets are not received within the advertisement interval...

Страница 178: ...failover based on links Link failures decrement the internal priority value that VRRP maintains for both SMCs A link failure is defined as a loss of link at the VRRP interface At initialization VRRP...

Страница 179: ...heck Active Standby The active standby parameter enables Active Standby which is also referred to as HA You can apply Active Standby only when there are two SMCs in the cluster Advertisement interval...

Страница 180: ...t their ARP entries for the virtual router Increasing the Gratuitous Broadcast value cuts down on the GARP traffic but lengthens the interval between end host ARP cache updates VRRP interface Define t...

Страница 181: ...he vrid and virtual router addresses at the VRRP Interface menu on the same interface as the virtual router interface The virtual router IP address and the subaddresses must be unique but all three IP...

Страница 182: ...Page 182 of 260 Maintenance 553 3001 225 Standard 1 00 May 2006...

Страница 183: ...view the text based CLI using a basic terminal The CLI commands are grouped into a series of menus and submenus Each menu displays a list of commands and or submenus along with a summary of what each...

Страница 184: ...n you can manage the SMC from any workstation connected to the network Telnet access provides the same management options as those available through the local serial port By default Telnet access is d...

Страница 185: ...H or the Web UI there is no need to perform step 5 End of Procedure Starting the Telnet session Remote Telnet access requires a workstation with Telnet client software To establish a Telnet session ru...

Страница 186: ...50 Enabling Telnet or SSH using the Web UI 1 Using a Web browser access the Web UI 2 Log on using the administrator account and password 3 Click Administration Telnet SSH A page is displayed that sho...

Страница 187: ...nds that you select the option to generate new SSH host keys This is required to maintain a high level of security when connecting to the SMC using an SSH client If you fear that the SSH host keys are...

Страница 188: ...the following manner 1 From a series of menu and submenu items modify parameters to create the desired configuration 2 Use the global cur command to view the current settings for the commands in the...

Страница 189: ...ime out parameter as shown in the following command cfg sys adm idle time out period where the time out period is specified as an integer from 300 to 3600 seconds Or you can specify time out in minute...

Страница 190: ...nt menu or up Goes up one level in the menu structure If placed at the beginning of a command goes to the Main Menu Otherwise separates multiple commands placed on the same line apply Applies and save...

Страница 191: ...ved configuration dump file that includes encrypted private keys ping address tries delay Verifies station to station connectivity across the network pwd Displays the command path used to reach the cu...

Страница 192: ...use this command multiple times to navigate backward through the last 10 commands Ctrl n or the down arrow key Recalls the next command from the history list You can use this command multiple times to...

Страница 193: ...s in the same menu or submenu For example you can enter the preceding command as follows Main c s acc Tab completion Enter the first letter of a command at any menu prompt and press Tab to display all...

Страница 194: ...t The SMC login prompt appears 3 Enter admin for the default login name 4 Enter admin for the default password 5 Set a password a Enter edit xxxx where xxx represents the name of the user b Enter pass...

Страница 195: ...IUS authentication 9 Enter apply to apply the configuration End of Procedure You can set the RADIUS server up in an HA configuration The console session in the current master takes over and login is p...

Страница 196: ...Page 196 of 260 The Command Line Interface CLI 553 3001 225 Standard 1 00 May 2006...

Страница 197: ...Controller SMC system management features from your web browser Characteristics of the Web UI Following are the characteristics of the Web UI installation not required the Web UI is part of the SMC op...

Страница 198: ...ipt is not the same as Java Please ensure that JavaScript is enabled in your web browser End of Procedure Using the VRRP virtual IP address to access the SMC Web UI To use the VRRP virtual IP address...

Страница 199: ...eveal its associated sub categories Config The Config tab is the default tab for the Web UI main page and provides access to all of the monitoring and configuration functions SMC Config main menu tree...

Страница 200: ...for each form Global command buttons The global command buttons are always available at the top of each form These commands summon forms used for saving examining or canceling configuration changes lo...

Страница 201: ...e set of parameters concurrently the latest applied changes take precedence Pending change exceptions After submission most changes are considered pending and are not immediately put into effect or pe...

Страница 202: ...without submitting the information to the pending configuration Click the Update or Submit button on the form to submit changes to the pending configuration Pending changes are also discarded if they...

Страница 203: ...Changes When selected this command updates the SMC with any pending configuration changes Pending changes are first validated for correctness see Validate Configuration on page 24 If no problems are f...

Страница 204: ...lists users configured with default passwords that require change Submit button Click to perform the action selected in the Apply Changes pull down list Back button Click to return to the previously v...

Страница 205: ...out form to terminate the current user session The global Logout form includes the following items Logout button Click the Logout button to terminate the current user session TIP Any un applied config...

Страница 206: ...e menu Click Pages to display Help for the selected form Click Tasks to activate the task based Help system see Figure 13 Task topic menu Select from a list of tasks using the menu on the left side of...

Страница 207: ...tion The SMC has an extensive logging infrastructure which includes three primary types of logs system security and UNIStim This chapter discusses each type of log file and details how logging can pot...

Страница 208: ...tim security information and errors generated by the Secure UNIStim proxy You can view the UNIStim log in the Web UI at the Logs UNIStim Proxy Log page Log configuration Remote logging You can configu...

Страница 209: ...ecurity Settings Log Messages page you can enable or disable logging for certain types of messages such as particular attacks globally allowed packets and globally denied packets Limit by count You ca...

Страница 210: ...he previous option not all messages are logged however because uses sampling one does not get the large blocks of messages discarded Logging thresholds For better performance you can configure the SMC...

Страница 211: ...lf policies can trap for certain messages and then send details to the Security Log Rule id mappings Firewall log messages often map to a specific firewall rule as defined by a rule ID listed in the l...

Страница 212: ...Page 212 of 260 Logging 553 3001 225 Standard 1 00 May 2006...

Страница 213: ...plementation Guide 216 Limits and Scaling Contents This section contains information about the following topics Configuration limits 214 Firewall limits 214 Engineering limitations 214 Secure UNIStim...

Страница 214: ...sentially zero packet loss This throughput is sufficient to support approximately 1000 concurrent calls assuming 50 100 pps call in each direction It is important to note that this applies to packet t...

Страница 215: ...a certain limit connections are dropped due to CPU over utilization and SMC latency If the sessions have a master key cached on the SMC the full RSA handshake can be bypassed and the successful rate...

Страница 216: ...te signaling conditions The testing was performed with loads as high as 12500 simultaneous secure UNIStim connections and the CPU remained far within acceptable limitations when steady state was achie...

Страница 217: ...configuration is added and enabled or an SMC is added to the cluster but not responding perform the following 1 Check the cabling and that all the ports have link traffic LED indication as expected 2...

Страница 218: ...tch of the fingerprints That is the currently configured client fingerprint does not match either the primary or secondary fingerprint For more information about fingerprints see Managing the keys on...

Страница 219: ...client perform the following steps 1 On the IP client set the Action Byte must to 1 for non secure mode 2 On the SMC configure a client policy default policy with the following rules Upgrade y Securit...

Страница 220: ...requires clients from this subnet to run Secure UNIStim The failed clients receives a Service Unreachable error message To resolve this error change SMC policy to Upgrade y and Security n Then the pol...

Страница 221: ...ions for each characteristic of the SMC Table 20 Hardware specifications Characteristic Measurement Form Factor 1U high custom base chassis Dimensions H x W x D 1 72 inches 44 millimeters x 16 9 inche...

Страница 222: ...Base TX GB E IDE PCI card PWLA8492MT Console port Console port DCE DB9 F RS 232C see Table 8 on page 73 System management Thermal voltage and fan monitoring Light emitting diodes LED power green disk...

Страница 223: ...s Table 24 on page 224 lists certification marks Table 22 Safety specifications Compliance Country UL60950 USA CSA22 2 No 60950 Canada EN60950 Europe IEC60950 Europe Table 23 Emissions specifications...

Страница 224: ...260 Appendix B Specifications 553 3001 225 Standard 1 00 May 2006 Table 24 Certification marks Compliance Country cULus USA Canada CE Europe Gost Russia NOM Mexico S Mark Argentina TUV GS Germany Euro...

Страница 225: ...ecure Multimedia Controller SMC has approvals to be sold in many global markets The regulatory labels on the back of system equipment contain national and international regulatory information Electrom...

Страница 226: ...24 Information technology equipment Immunity characteristics Limits and methods of measurement EN 6100 3 2 Limits for harmonic current emissions equipment input current 16 A per phase EN 6100 3 3 Limi...

Страница 227: ...uency energy and if not installed and used in accordance with the instruction manual can cause harmful interference to radio communications Operation of this equipment in a residential area is likely...

Страница 228: ...Page 228 of 260 Appendix C Regulatory information 553 3001 225 Standard 1 00 May 2006 DenAn regulatory notice for Japan...

Страница 229: ...re Licence The Apache Software License Version 1 1 Copyright c 2000 The Apache Software Foundation All rights reserved Redistribution and use in source and binary forms with or without modification ar...

Страница 230: ...SSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION O...

Страница 231: ...e following disclaimer in the documentation and or other materials provided with the distribution 3 All advertising materials mentioning features or use of this software must display the following ack...

Страница 232: ...ED OF THE POSSIBILITY OF SUCH DAMAGE OpenSSL and SSLeay Licenses LICENSE ISSUES The OpenSSL toolkit stays under a dual license i e both the conditions of the OpenSSL License and the original SSLeay li...

Страница 233: ...is product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http www openssl org THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT AS IS AND ANY EXPRESSED OR IMPLIED WA...

Страница 234: ...that the holder is Tim Hudson tjh cryptsoft com Copyright remains Eric Young s and as such any Copyright notices in the code are not to be removed If this package is used in a product Eric Young shou...

Страница 235: ...ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTO...

Страница 236: ...laimer in the documentation and or other associated materials 3 the copyright holder s name is not used to endorse products built using this software without specific written permission ALTERNATIVELY...

Страница 237: ...ary form must reproduce the copyright notice in the documentation and or other materials provided with the distribution 3 A copy of any bugfixes or enhancements made must be provided to the author pgu...

Страница 238: ...number Once covered code has been published under a particular version of the license you may always continue to use it under the terms of that version You may also choose to use such covered code un...

Страница 239: ...IABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE This software consists of voluntary contribution...

Страница 240: ...but the software remains copyrighted by the author Don t intermix this with the general meaning of Public Domain software or such a derivated distribution label The author reserves the right to distri...

Страница 241: ...translate to certain responsibilities for you if you distribute copies of the software or if you modify it For example if you distribute copies of such a program whether gratis or for a fee you must g...

Страница 242: ...ing the Program is not restricted and the output from the Program is covered only if its contents constitute a work based on the Program independent of having been made by running the Program Whether...

Страница 243: ...required to print an announcement These requirements apply to the modified work as a whole If identifiable sections of that work are not derived from the Program and can be reasonably considered inde...

Страница 244: ...rce code This alternative is allowed only for non commercial distribution and only if you received the program in object code or executable form with such an offer in accord with Subsection b above Th...

Страница 245: ...the Program subject to these terms and conditions You may not impose any further restrictions on the recipients exercise of the rights granted herein You are not responsible for enforcing compliance...

Страница 246: ...incorporates the limitation as if written in the body of this License 11 The Free Software Foundation may publish revised and or new versions of the General Public License from time to time Such new...

Страница 247: ...OPYRIGHT HOLDER OR ANY OTHER PARTY WHO MAY MODIFY AND OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE BE LIABLE TO YOU FOR DAMAGES INCLUDING ANY GENERAL SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES ARIS...

Страница 248: ...GNU General Public License for more details You should have received a copy of the GNU General Public License along with this program if not write to the Free Software Foundation Inc 59 Temple Place S...

Страница 249: ...aims all copyright interest in the program Gnomovision which makes passes at compilers written by James Hacker signature of Ty Coon 1 April 1989 Ty Coon President of Vice This General Public License d...

Страница 250: ...Page 250 of 260 Appendix D Software licenses 553 3001 225 Standard 1 00 May 2006...

Страница 251: ...Format SMC firewall logs use the industry standard Webtrends Extended Log Format WELF for logging network activity A sample of a log message in WELF generated by syslog is shown here Apr 18 04 25 52 1...

Страница 252: ...e event Id Identifies the type of record time Shows the date and time of the event in terms of local time fw Identifies the SMC that generated the log record pri Identifies the priority of the event p...

Страница 253: ...rce Limit Reached This log message indicates that respective direction s connection table to be reached and no additional connections can be made in that direction Apr 29 20 07 53 172 16 7 225 id fire...

Страница 254: ...width Reached This log message indicates that the maximum bandwidth to pass is reached and further packets are dropped Apr 29 19 52 41 172 16 7 225 id firewall time 2004 04 29 14 35 41 fw a10 10 10 10...

Страница 255: ...there is no policy configured for the packet to traverse the SMC Apr 29 20 14 11 172 16 7 225 id firewall time 2004 04 29 14 57 11 fw a10 10 10 10 pri 4 proto 6 tcp src 172 16 8 226 dst 172 16 8 225...

Страница 256: ...9 10 fw a10 10 10 10 pri 1 proto 197 src 89 128 155 52 dst 172 16 7 224 mid 2031 mtp 2048 msg Unable to find route for source from ext n w agent Firewall IP Reassembly This log message is generated wh...

Страница 257: ...erated when the SMC detects an invalid sequence number Apr 15 05 23 31 172 16 1 250 id firewall time 2002 04 15 17 04 45 fw a10 10 10 10 pri 1 proto 6 tcp src 172 16 2 244 dst 172 16 2 249 msg Invalid...

Страница 258: ...g of Death This log message is generated when the SMC detects a Ping of death attack Apr 15 05 01 59 172 16 1 250 id firewall time 2002 04 15 16 43 17 fw a10 10 10 10 pri 1 proto 1 icmp src 172 16 1 1...

Страница 259: ...6 8 226 dst 172 16 8 225 mid 2086 mtp 32768 msg Connection closed Bytes transferred 22837 Src 36636 Dst 80 from ext n w ruleid 3 agent Firewall Connection Terminated This log message is generated when...

Страница 260: ...Page 260 of 260 Appendix E SMC packet filter log messages 553 3001 225 Standard 1 00 May 2006...

Страница 261: ......

Страница 262: ...atements configurations technical data and recommendations in this document are believed to be accurate and reliable but are presented without express or implied warranty Users must take full responsi...

Отзывы:

Нет отзывов

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды