Avaya 3.7 - Manuals
Summary
Issue 4 May 2005. Contents (excerpt): Preface, 15; What Products are Covered, 15; VPNmanager Overview, ...
Avaya VPNmanager Configuration Guide Release 3.7. Contents (continued): Re-setup Device, 281; Import Device Configuration, 281; Ethernet Speed, ...
Preface This Avaya VPNmanager® Configuration Guide is written for individuals who have an understanding of how computer networks are installed, configured, and managed. It provides detailed information about using the Avaya VPNmanager solution to build small, medium, or large sca...
Network-wide Visibility and Control The logical VPNmanager representation of virtual private networks simplifies their installation and control. From a single workstation, network managers can assign users anywhere on the network to one or ...
Complementary to SNMP Management Tools The VPNmanager software is designed specifically for securely defining, configuring, monitoring, and upgrading VPNs. The VPNmanager software is required to configure and modify VPNs. Secure traffic running between VSUs ...
Contacting Technical Support Technical Support is available to support contract holders of Avaya VPN products. Domestic support ● Toll free telephone support: (866) 462-8292 (24x7) ● Email: [email protected] ● Web: http://www.support.avaya.com Inte...
Chapter 1: Overview of implementation Planning how your virtual private network should be configured is critical to the successful deployment of a secure virtual private network. This chapter provides an overview of the major features that you will configure. Note: This chap...
VPNremote Client software VPNremote Client software is a communications application that runs on remote computers that use dialup, DSL, and cable connections supplied by Internet Service Providers (ISPs) to connect to the c...
Overview of the VPN management hierarchy ● VPNmanager Enterprise Client. Use the Enterprise Client version for managing an unlimited number of security gateways and VPNremote Clients. ● VPNmanager Service Provider Client. Use the Service Provider Client version to manage an unlim...
An IP Group contains the IP addresses that belong to a specific LAN. Any device connected to the LAN can use these addresses. A VPN can have many IP Groups so addresses can be consolidated to meet the needs of an organiza...
Preparing to configure your network ● Public-backup zone. The public-backup zone is the backup interface for the primary public interface, used when Failover is configured. ● Semiprivate zone. The semiprivate zone is used for media such as wireless LAN, where the network is considered p...
Static Routes Static routes are specified when more than one router exists on a network to which the security gateway must forward either VPN traffic or non-VPN traffic. You can build a static route table with up to 32 ne...
Security policies VPNmanager security policy management provides the following security features that can be configured: ● Firewall rules ● Denial of Service (DoS) categories ● Quality of Service (QoS) rules ● Bandwidth management In addition, ...
Ping of Death. - A ping of death is an ICMP echo request sent as fragments whose reassembled length exceeds the 65,535-byte IPv4 maximum. When a vulnerable receiving system attempts to reassemble the fragments, it writes past its reassembly buffer and crashes. IP Spoofing. - ...
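The two DoS categories named above can be checked mechanically. The following is an added example, not code from the Avaya guide or the security gateway: it implements the ping-of-death bound (fragments reassembling past 65,535 bytes) and an anti-spoofing check (a packet on the public zone claiming a source address from a private IP Group) and runs them over constructed packet records. The record layout, the private ranges and the sample traffic are assumptions made for the example.

```python
"""Added example (not code from the Avaya guide): two of the DoS-category
checks described above, run over constructed packet records so the logic
can be exercised offline.

Assumed representation (not from the guide): each record is a dict with the
keys used below; zone names follow the guide's public/private terminology."""
import ipaddress

IP_MAX_DATAGRAM = 65535  # largest IPv4 datagram (RFC 791); reassembly past this is the ping of death

# Address ranges that live behind the private zone. A packet arriving on the
# public zone claiming one of these as its source is spoofed. Constructed for
# this example; in the product these would come from the gateway's IP Groups.
PRIVATE_NETS = [ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.1.2.0/24")]


def is_ping_of_death(fragments):
    """True if the fragments of one ICMP datagram would reassemble beyond 65,535 bytes.

    Each fragment carries its IP fragment offset (in 8-byte units) and payload
    length; the datagram size is the furthest byte any fragment reaches, so
    the check works even when fragments arrive out of order.
    """
    end = max(f["offset"] * 8 + f["length"] for f in fragments)
    return end > IP_MAX_DATAGRAM


def is_spoofed(packet):
    """True if a packet on the public zone carries a source address from a private IP Group."""
    src = ipaddress.ip_address(packet["src"])
    return packet["zone"] == "public" and any(src in net for net in PRIVATE_NETS)


def classify(packets):
    """Apply both checks and return {datagram id: [matched DoS categories]}."""
    verdicts = {}
    icmp_fragments = {}
    for p in packets:
        reasons = verdicts.setdefault(p["id"], [])
        if is_spoofed(p) and "ip-spoofing" not in reasons:
            reasons.append("ip-spoofing")
        if p["proto"] == "icmp":
            icmp_fragments.setdefault(p["id"], []).append(p)
    for pid, frags in icmp_fragments.items():
        if is_ping_of_death(frags):
            verdicts[pid].append("ping-of-death")
    return verdicts


# Constructed sample traffic (not captured from a real gateway):
#  id 1: an oversized ping; its last fragment reaches 8190*8 + 500 = 66,020 bytes
#  id 2: an ordinary 56-byte echo request
#  id 3: a TCP segment arriving on the public zone with a private source address
#  id 4: the same source address on the private zone, which is legitimate
SAMPLE_PACKETS = [
    {"id": 1, "zone": "public", "src": "198.51.100.7", "proto": "icmp", "offset": 0, "length": 1480},
    {"id": 1, "zone": "public", "src": "198.51.100.7", "proto": "icmp", "offset": 8190, "length": 500},
    {"id": 2, "zone": "public", "src": "198.51.100.7", "proto": "icmp", "offset": 0, "length": 56},
    {"id": 3, "zone": "public", "src": "10.1.1.5", "proto": "tcp", "offset": 0, "length": 40},
    {"id": 4, "zone": "private", "src": "10.1.1.5", "proto": "tcp", "offset": 0, "length": 40},
]

if __name__ == "__main__":
    for pid, reasons in classify(SAMPLE_PACKETS).items():
        print(pid, reasons or ["clean"])
```

The spoofing check depends on knowing which zone a packet arrived on, which is why the guide ties the DoS categories to the zone interfaces: the same 10.1.1.5 source is legitimate on the private zone and spoofed on the public one.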
● Allow voice-secure communication with Avaya’s IP Softphone and IP Office Phone Manager Pro using VPNremote Client ● Enable NAT traversal of H.323 VoIP traffic ● Optimize bandwidth for VoIP traffic using the security gateway’s Quality of Servi...
Syslog The security gateway has a syslog messaging facility for logging system error messages. Messages can be sent automatically to a destination running a syslog server. Client IP address pooling Access control devic...
Chapter 2: Using VPNmanager With Avaya VPNmanager you can define, configure, and manage VPNs and firewall policies, upgrade firmware, and manage remote user access policies. The VPNmanager graphical interface is modularized by functions and tasks to make configuring a VPN fast an...
4. Administrator with full access 5. An administrator with full access can modify the configuration for VPN domains, change their own password, and be a member of multiple VPN domains. 6. VPNmanager allows a full-access administrator to modi...
Log into the VPNmanager console You log in to VPNmanager from your computer’s Start menu, Programs>Avaya>VPNmanager>Console. You use the superuser name and password that were configured when the VPNmanager software was installed. Fig...
3. Enter the IP address of the Policy Server. 4. Enter the port. The default is 443. 5. Click OK. The name or address is displayed on the login screen. You can edit or delete the policy server information. Open Domain When you conne...
Navigating the main window Figure 3: VPNmanager console main window The menu bar on the main VPNmanager screen includes the following commands: File, Edit, View, Tools, and Help. File menu The File menu includes the following commands: ● Domain. You can create a new domain, open, ...
Note: When you delete VPNs that include groups associated with RADIUS-enabled security gateways, the VPNremote Client configuration records should be removed from the RADIUS database. See RADIUS/ACE Services on page 124. ● Ne...
Edit menu From Edit, you can choose one of the following commands: ● Delete Object. Select an object from the VPN diagram and then select Edit>Delete Object. ● Modify Object. Select an object from the VPN diagram and then select Edit>Modify Object....
list of enterprise MIB objects. Examples of ready-to-use groups include an Attack log, Traffic log, security gateway CPU usage, and throughput. You select a type of group to monitor, or you can define a custom group to monitor. Se...
Figure 5: Icons on toolbar Table 3: Toolbar commands Toolbar commands Description New Object The New Object button is a shortcut to the File>New Object command to create new objects within any of the categories listed in Table 2. When you select one...
VPN view pane The VPN view pane is empty until you define your VPN. As devices are configured and added to the VPN, they are displayed in the view pane. The VPN view pane automatically selects one of three presentation types: networ...
Figure 6: VPNmanager Network Diagram View Tiled View When six or more security gateways are present in the selected VPN, the presentation automatically switches from the diagram view to the tiled view. Figure 7: VPNmanager, Tiled View Tree View An alter...
Figure 8: VPNmanager, Tree View Alarm monitoring pane To the right of the VPN view pane is the alarm monitor pane. The alarm monitor pane contains summary alarm information, including a time stamp, security gateway name, and alarm ...
Configuration Console window Figure 9: Configuration console window Configuration Console Menu bar The menu bar on the Configuration Console window includes the following commands: File, Edit, View, Tools, and Help. File menu The File menu includes the following commands: ● New Ob...
View menu From the View menu, you can view the configured objects, and you can refresh the screen. Tools menu The Tools menu consists of functions used for normal VPN maintenance. These functions include the following: ● Update Dev...
Toolbar The toolbar includes the following shortcut buttons: ● New Object. You can select one of the icons in the toolbar below New Object and then click New Object to launch the appropriate configuration dialog, or you can click the arrow tip next to New Object an...
5. If the Update Configuration dialog appears, do the following: ● In the User Name text box, type the superuser name you configured through the Console Quick Setup Menu when the device was installed. If the device had a f...
Figure 11: Preferences, Dyna-Policy (Global) Tab Dyna-Policy Authentication The Dyna-Policy Authentication tab offers a selection of how user authentication and Client Configuration Download (CCD) are performed. Choices are Local (...
Advanced The Advanced tab is used to either hide or display the LDAP directory context field that appears in a number of places throughout the VPNmanager Console. Users familiar with the LDAP directory structure may prefer having this field displayed. Figure 13: Prefe...
Figure 16: Tunnel End Point Policy
Chapter 3: Setting up the network This chapter describes the following features that are configured for the domain and the security gateway: ● New VPN domain ● Security gateway, including: ● Domain name system resolution ● Zone interfaces ● NAT policies ● Static route table ● Routi...
● Use organization names (for example, “WorldWideSales_VPN” or “ApplicationsEngineering_VPN”) since VPNs usually represent functional organizations within a corporation. Note: Once the domain name is created, you cannot...
Configuring a security gateway The New Object>Device function is used to create security gateways and VPN Service Units (VSUs) in a VPN environment. Security gateways act as the end-points of VPN tunnels. Note: Beginning with VPNmanager ...
13. Click Finish to save the configuration information to the directory server, poll the security gateway, and exit the Setup Wizard. When you want to send configurations to one or more security gateways, click Update Devices fr...
General tab The Device General tab, Figure 17, displays information specific to the security gateway highlighted in the Contents list. From the General tab you can change the IP address VPNmanager uses to communicate with th...
Figure 17: Device General tab Directory Name - The directory name is the location of the security gateway in the directory tree structure. The security gateway name is unique within the VPN domain to which it is assigned. VPN Mod...
Associated IP Groups area. - This area lists the names of the IP groups associated with this security gateway. You can select an IP group from the list and click Go to go to the IP Group tab to view the group information. For...
3. In the Memo text box, type any information about the security gateway. 4. When finished, click Save. DNS tab Use the DNS tab to define where to forward Domain Name Service (DNS) name resolution requests from the IP dev...
When a DNS server is selected to send the DNS query and no response is received within a short time, another DNS server is selected by continuing the process described in the previous paragraph. But if the previous server...
To add a static DNS server: 1. From the Configuration Console Contents column, select the security gateway to be configured. Click the DNS tab to bring it to the front. 2. In the Static DNS Servers area, click Add. Enter the IP a...
7. Click Close to return to the DNS tab. Clicking Close discards any changes made in the Add DNS Rule dialog box. 8. Click Save to save the change. 9. When you want to send the configuration to one or more VSUs, click Update D...
Figure 20: Interface tab Config Media interfaces can be assigned to one of six different network uses, called zones. The number of zones that can be configured depends on the security gateway model (Table 6). Ethernet0 and Eth...
Options for IP addressing for interface zones You can configure each zone with different addressing options, and the private port can be configured as a DHCP server or as a DHCP relay used to obtain IP addresses from the DHCP serve...
Point-to-Point Protocol Over Ethernet (PPPoE) Client Use PPPoE Client addressing as a convenient way to connect the public or public-backup zone of the security gateway to the Internet, if your ISP supports PPPoE addressing. PPP...
DHCP Relay This functionality allows the DHCP Relay agent to bind to the device’s private and semi-private interface zones and forward only DHCP requests from the network behind the device to the DHCP server(s) on the public net...
Figure 21: Media interface configuration dialog Note: The fields displayed in the screen depend on the type of zone selected. 3. The media option choices depend on the media type selected and the capabilities of the ...
● The IP address. This IP address must be within the same subnet as the DHCP server. Avaya recommends that you use an IP address for the device that falls within the DHCP subnet but outside the DHCP range. 4. Click Add, and then c...
Private port tab For SGs with VPNos 4.2 or VPNos 4.3, the Private Port tab is used to configure the private IP address. In addition, you can configure the device to act as a DHCP server on the private port, or you can confi...
Note: Changing the DHCP Server IP address may result in losing connectivity to the security gateway if VPNmanager is on the private side of the security gateway. Also, all active DHCP clients may require renewal throug...
The Avaya DEFINITY® series of IP telephones requires entries for all four fields (refer to your DEFINITY documentation for further information). Non-Avaya IP telephones require, at a minimum, the TFTP server IP address. Note: N...
Note: When the security gateway is acting as a DHCP Relay, it cannot be a DHCP server at the same time; the DHCP Relay and DHCP Server services are mutually exclusive. When the DHCP Relay agent receives DHCP ...
Figure 24: Device Users tab To add a device account user: 1. From the Configuration Console Contents column, select the device to be configured. Click the Device Users tab to bring it to the front. 2. Click the Device Acco...
Select a network object and click Add to configure additional IP addresses and masks. Figure 25: Device Network Objects tab Routing Routing is specified when more than one router exists on a network to which the security gateway ...
The Network/Mask Pairs for this Hop list indicates the static route destination addresses. You can build a static route table with up to 32 network address/mask pairs. This limit allows for any combination ranging from a single...
13. Click Add to List to put the address/mask pair into the Current Network/Mask Pairs for this Hop list box, which also associates the pair with the IP address of the next hop router. 14. Click Finished to return to the Static ...
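The static route procedure above builds a table of network/mask pairs, each tied to a next-hop router, with a ceiling of 32 pairs. The following is an added example, not code from the Avaya guide or the gateway firmware: it models that table, enforces the 32-pair limit, rejects a pair whose address has host bits set (a common typo in the Add to List dialog), and resolves a destination to its next hop. The routers and networks are constructed for the example, and the assumption that the most specific mask wins when pairs overlap is mine; the guide does not say how the gateway resolves overlapping pairs.

```python
"""Added example (not from the Avaya guide): a static route table that
enforces the 32 network/mask-pair limit the guide states and validates each
pair before associating it with a next-hop router.

Assumption: when two pairs overlap, the most specific (longest) mask wins;
the guide does not say how the gateway resolves overlaps."""
import ipaddress

MAX_ROUTE_PAIRS = 32  # the guide's limit on network address/mask pairs per table


class StaticRouteTable:
    def __init__(self):
        self.entries = []  # list of (IPv4Network, next-hop IPv4Address)

    def add_pair(self, next_hop, network, mask):
        """Add one Network/Mask pair for a hop, as the Add to List button does."""
        if len(self.entries) >= MAX_ROUTE_PAIRS:
            raise ValueError(f"table already holds {MAX_ROUTE_PAIRS} network/mask pairs")
        net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
        # A pair whose address has host bits set is almost always a typo
        # (e.g. 10.2.5.7/255.255.255.0): refuse it rather than silently masking.
        if str(net.network_address) != network:
            raise ValueError(f"{network}/{mask} has host bits set; use {net.network_address}")
        self.entries.append((net, ipaddress.ip_address(next_hop)))

    def next_hop(self, destination):
        """Return the next-hop router for a destination, or None if no static pair matches."""
        dst = ipaddress.ip_address(destination)
        best = None
        for net, hop in self.entries:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return str(best[1]) if best else None


def build_example_table():
    """Constructed topology: two routers on the gateway's private LAN (addresses are assumptions)."""
    table = StaticRouteTable()
    table.add_pair("10.1.1.254", "10.2.0.0", "255.255.0.0")    # whole 10.2/16 via router A
    table.add_pair("10.1.1.254", "10.3.0.0", "255.255.0.0")    # 10.3/16 via router A
    table.add_pair("10.1.1.253", "10.2.5.0", "255.255.255.0")  # one /24 carved out via router B
    return table


if __name__ == "__main__":
    t = build_example_table()
    for dst in ("10.2.5.9", "10.2.9.1", "10.9.9.9"):
        print(dst, "->", t.next_hop(dst) or "no static route (default route applies)")
```

A destination that matches no pair returns None, which corresponds to the gateway falling back to its default route; keeping that case explicit makes it easy to spot a missing pair before pushing the configuration with Update Devices.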
If the security gateway is in a network with many routers (gateways) to other TCP/IP networks, there can be more than one possible path to a specific router. In that case, the routers are probably building routing tables from the...
Policies tab, NAT services Network Address Translation (NAT) is an Internet standard that allows private (nonroutable) networks to connect to public (routable) networks. To connect private networks and public networks, address m...
Note: If your network contains any nonroutable addresses, Avaya recommends that you enable the Share public address to reach the Internet feature. Any firewall rules that are in use can block translated traffic. Priorit...
To add a NAT rule (VPNos 4.31): 1. From the Configuration Console Contents column, select the Policy tab to bring it to the front. Select NAT from the list. 2. Click GO. The NAT Rules dialog is displayed and the selected device’s...
About NAT types for VPNos 3.X For VPNos 3.X, you can set the following types of NAT mapping on the VSU: ● Static Mapping – Addresses from one network are permanently mapped to addresses on another network. Static mapping work...
● Provide support for multi-gateway network configurations. Address mapping can be used to ensure that request and reply packets enter and exit the network through the same security gateway. Accessing the Internet from private n...
In the example shown in Figure 28, when client 10.1.2.101 initially sends a packet to a host on the public network, the security gateway dynamically maps the client’s private address 10.1.2.101 to a public address selected f...
changing it from 10.1.1.17 to 172.16.0.17. At this point, the packet’s source and destination addresses are: 172.16.0.17 -> 172.16.1.20. The packet is then tunneled across the public network to LA_VSU. Since the packet enters...
When the SF_VSU receives the reply packet through the tunnel, the tunnel NAT rule changes the packet’s destination address from 172.16.0.17 to 10.1.1.17 and the private interface NAT rule changes the packet’s source address f...
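The SF_VSU/LA_VSU walk-through above describes two rules on each gateway, a tunnel NAT rule and a private-interface NAT rule, which together let two sites with overlapping private networks talk. The following is an added example, not code from the Avaya guide or the VSU firmware: it models both rules as static one-to-one mappings and carries a request and its reply through both gateways. The guide's own addresses (10.1.1.17, 172.16.0.17, 172.16.1.20) are used for the SF side; the LA private network, LA's tunnel range, and the two alias ranges that hosts on one site use to address the other are assumptions made for the example.

```python
"""Added example (not code from the Avaya guide): a walk-through of the
two NAT rules the guide describes for overlapping private networks, using the
guide's addresses (10.1.1.17, 172.16.0.17, 172.16.1.20) for the SF side.

Assumptions not in the guide: both sites use 10.1.1.0/24; LA's tunnel range is
172.16.1.0/24; SF hosts reach LA hosts through the alias range 192.168.2.0/24
and LA hosts reach SF hosts through 192.168.1.0/24. All rules are static
one-to-one mappings that keep the host part of the address."""
import ipaddress


class NatRule:
    """One row of the NAT Rules dialog: a rule applied on the private or tunnel interface."""

    def __init__(self, interface, original, translated):
        self.interface = interface  # "private" or "tunnel"
        self.original = ipaddress.ip_network(original)
        self.translated = ipaddress.ip_network(translated)

    def map(self, addr, reverse=False):
        """Rewrite the network part of addr; None if addr is outside the rule's source range."""
        src_net, dst_net = (self.translated, self.original) if reverse else (self.original, self.translated)
        a = ipaddress.ip_address(addr)
        if a not in src_net:
            return None
        return str(dst_net.network_address + (int(a) - int(src_net.network_address)))


def translate(rules, packet, direction):
    """Apply a gateway's rules to (src, dst).

    "out": private side -> tunnel. The private-interface rule rewrites the
    destination alias to the remote tunnel address; the tunnel rule rewrites
    the local private source to the local tunnel address.
    "in": tunnel -> private side. The same rules run in reverse on the
    opposite fields, so the reply lands back on the original host.
    """
    src, dst = packet
    for rule in rules:
        if direction == "out" and rule.interface == "private":
            dst = rule.map(dst) or dst
        elif direction == "out" and rule.interface == "tunnel":
            src = rule.map(src) or src
        elif direction == "in" and rule.interface == "tunnel":
            dst = rule.map(dst, reverse=True) or dst
        elif direction == "in" and rule.interface == "private":
            src = rule.map(src, reverse=True) or src
    return (src, dst)


# Constructed rule sets for the two gateways (see assumptions above).
SF_VSU = [NatRule("tunnel", "10.1.1.0/24", "172.16.0.0/24"),      # SF hosts appear as 172.16.0.x
          NatRule("private", "192.168.2.0/24", "172.16.1.0/24")]  # SF hosts call LA hosts 192.168.2.x
LA_VSU = [NatRule("tunnel", "10.1.1.0/24", "172.16.1.0/24"),      # LA hosts appear as 172.16.1.x
          NatRule("private", "192.168.1.0/24", "172.16.0.0/24")]  # LA hosts call SF hosts 192.168.1.x


def round_trip():
    """Request from SF host .17 to LA host .20 and the reply back; returns (src, dst) per hop."""
    hops = []
    pkt = ("10.1.1.17", "192.168.2.20")
    hops.append(("SF host sends", pkt))
    pkt = translate(SF_VSU, pkt, "out")
    hops.append(("SF_VSU -> tunnel", pkt))    # 172.16.0.17 -> 172.16.1.20, as in the guide
    pkt = translate(LA_VSU, pkt, "in")
    hops.append(("LA_VSU -> LA host", pkt))
    pkt = (pkt[1], pkt[0])                    # the LA host replies to the address it saw
    hops.append(("LA host replies", pkt))
    pkt = translate(LA_VSU, pkt, "out")
    hops.append(("LA_VSU -> tunnel", pkt))
    pkt = translate(SF_VSU, pkt, "in")
    hops.append(("SF_VSU -> SF host", pkt))   # tunnel rule restores 10.1.1.17, private rule restores the alias
    return hops


if __name__ == "__main__":
    for label, (src, dst) in round_trip():
        print(f"{label:20} {src} -> {dst}")
```

Neither site ever sees the other's real 10.1.1.x addresses inside the tunnel, which is what makes the overlap workable; if the tunnel rule were omitted on either side, the reply's destination would still be a 172.16 address when it reached the private interface and would be dropped.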
Figure 30: Using NAT to Support Multiple Gateways Interface for VPNos 4.2 The following three interface choices are available for devices with VPNos 4.2: ● Public – Primarily used to allow clients on a private network to access ...
● Tunnel – This is a special interface used to support tunneling between overlapping private networks while still allowing connections to the Internet. Group - If you select “Use existing groups,” the original address and mas...
3. From the Translation Type list, select a translation type. 4. From the Translation will be applied on list, select the interface that needs the NAT rule. 5. In the Original Address and Original Mask text boxes, type the origi...
To add a tunnel NAT rule: 1. From the Configuration Console>Device Contents pane, select the Policy tab to bring it to the front. Select NAT from the list. Click GO. The NAT Rules dialog is displayed. 2. Click the Add to o...
Chapter 4: Configuring IP Groups An IP Group is composed of a set of hosts (workstations and servers) that are located behind a common security gateway. The hosts are defined by their IP address and mask. The security gateway must exist prior to creating IP Groups. Virtual privat...
5. Your new IP Group appears in the Contents column. 6. Click Save. After an IP Group is created, use the General and Memo tabs to record notes about the IP Group. New IP Group The New IP Group screen is displayed when New>...
IP Group - General tab Figure 31: IP Group General tab One or more address/mask pairs can be created, and the group can be associated with a specific security gateway. Your new group can even be associated with a security gateway belonging to an extranet, a VPN outside your domai...
IKE Identifier. - An extranet security gateway using IKE key management can be identified by one of the following IKE Identifier types: ● IP Address ● DNS Name ● Directory Name ● Email Name When one of the above is selected, an appropriate ...
Configuring an IP Group To configure an IP Group that communicates within its own VPN domain: 1. Select the IP Group to be configured. Click the General tab to bring it to the front. 2. Click Add. The Add IP Group dialog is displayed. 128 ###.###.###.n (n = z...
3. Configure the address/mask pair. ● New IP Network. Type the network address for a LAN. ● New IP Mask. Type a mask to define the range of addresses that will become members of the IP Group. The larger the mask, the sm...
4. Configure the address/mask pair. ● New IP Network. Type the network address for a LAN. ● New IP Mask. Type a mask to define the range of addresses that will become members of the IP Group. The larger the mask, the smaller and more focused the address...
Memo The Memo tab can be used to record notes about the IP Group, such as change history, where the group is located, and so on. Information entered here is associated only with the security gateway in focus. This information is stored onl...
Chapter 5: Configuring remote access users VPNremote™ Client users who log in to the VPN through the security gateway must have their user authentication configured on the security gateway. User objects are used for creating remote users. Those remote users connect to the VPN th...
Configuring a global dyna-policy You configure the global CCD from the Preferences property sheet. You should set up the default global CCD before you configure user objects. The parameters can be changed at any time. You configure the following Pre...
VPN configuration files on remote user’s computer ● None. The VPN session parameter information is stored locally on the remote user’s computer. No password is required when VPNremote is subsequently launched. ● Down...
Figure 34: Preferences, Dyna-Policy (Global) tab Dyna-Policy Authentication tab The Preferences Dyna-Policy Authentication tab is used to define how user authentication and Client Configuration Download (CCD) are performed. Choices are Local (sec...
Local authentication Local authentication is used in non-dynamic VPNs, that is, VPNs that are not using RADIUS or a directory server as the authentication database. The user is authenticated from the database stored ...
Remote Client tab The Preferences Remote Client tab is used to establish a path (tunnel) to a secure DNS server to resolve client DNS names (as opposed to using a public DNS server) and to set the remote client idle time-out period. Figure 36: Pr...
Configure a default CCD with global dyna-policy The following procedure describes how to configure default dyna-policy parameters. These commands control how CCD automatically delivers dyna-policies to VPNremote Clients. By default...
Note: This is the only choice for VPNos 4.31. ● Select Use RADIUS configuration to store the Dyna-Policies on a dedicated RADIUS server. ● Select Use LDAP for configuration to store the Dyna-Policies on the Dir...
About creating individual dynamic-policy Default user The Default User feature is normally used in conjunction with the default dyna-policy to establish a common template by which a desired VPN policy type is delivered to the remote clients in the domain. Multiple default users ...
Figure 37: User General tab Directory Name. - This is the user’s unique name within the directory structure. It is not duplicated anywhere within the VPN domain to which it is assigned. Current VPN Membership. - This...
Actions tab The User Actions tab is used for non-dyna-policy alternatives. Figure 38: User’s Action tab Export My Configuration. - Exports your dyna-policy to a file for transfer to the remote user’s machine. Enter a password and retype...
Figure 39: User Advanced tab Four types of identifiers can exist in the certificate generated for the remote user: ● Directory Name ● IP Address ● DNS Name ● Email Name (RFC 822) Configuring a remote user object If ...
5. Click the Dyna-Policy tab to bring it to the front. If you do not want the default Dyna-Policy settings, select Do Not Use Default Dyna-Policy. Then configure a customized method for storing the VPN configuration for the user. ● Select N...
Using local authentication If the security gateway authenticates remote users for CCD, deliver the following pairs to the respective users: ● NAME: The name created in Step 2. ● PASSWORD: The password created...
Using Policy Manager for user configuration A Client IP Address Pool is a range of source IP addresses that is recognized by an access control device (ACD). The pool is stored in the security gateway, so when it recognizes an inbound packet from a VPNremote Client, it swaps the source address with one ...
Add Client WINS The Client WINS address entered here is sent to the security gateway and used for the VPNremote virtual adapter configuration. This information is then sent to the VPNremote Client through CCD. T...
Figure 41: Policy Manager for client attributes Enable Client Legal Message. - The check box is used to enable the Client legal message. The default is disabled. Require Acceptance. - Select Yes to require the remote user to accept the...
RADIUS/ACE Services (VPNos 3.x and VPNos 4.31 only) Note: If a RADIUS server is used, the name assigned to a VPNremote Client must be identical to the one used in the RADIUS server. A popular tool for managing...
The RADIUS protocol The RADIUS protocol is documented in an Internet Engineering Task Force (IETF) Request for Comments (RFC), specifically RFC 2058 (since obsoleted by RFC 2865, which keeps the same packet format). ● Client/Server Model – A Network Access Server (NAS) operates as ...
Use this as my: - Select the role you wish this server to perform: Primary Server, Secondary Server, or Tertiary Server. To add a RADIUS server: 1. From the Contents column, select the security gateway you want to configure. 2. Click the Policies tab to bring...
14. From the Settings options, use the following to configure the connection expiration times for the server: ● RADIUS Attempts. The number of times a RADIUS server is contacted before failure is assumed and the nex...
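The RADIUS section above describes the gateway as the NAS in a client/server model, a Primary/Secondary/Tertiary server order, and a RADIUS Attempts count that decides when one server is given up on. The following is an added example, not code from the Avaya guide or the gateway: it builds the Access-Request the NAS would send for a VPNremote user, including the RFC 2865 User-Password hiding (RFC 2865 succeeds the RFC 2058 the guide cites with the same packet format), parses it back the way a server would, and shows how the attempts count and server roles interact. The shared secret, user, server addresses and the transport hook are constructed for the example.

```python
"""Added example (not code from the Avaya guide): what the gateway, acting as
the RADIUS client (NAS), puts on the wire for a VPNremote user, and how the
Primary/Secondary/Tertiary roles and the RADIUS Attempts setting interact.

The packet layout and User-Password hiding follow RFC 2865 (the successor of
the RFC 2058 the guide cites; the format is unchanged). The shared secret,
user and addresses below are constructed; the transport is a caller-supplied
hook so the example runs offline."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password (what the server does); trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, secret, username, password, nas_ip, authenticator=None):
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by TLV attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in (
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet):
    """Return (code, identifier, authenticator, {attr_type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


# Constructed server list, in the order the roles are tried.
SERVERS = [{"role": "Primary", "host": "10.1.1.10"},
           {"role": "Secondary", "host": "10.1.1.11"},
           {"role": "Tertiary", "host": "10.1.1.12"}]


def authenticate_with_failover(servers, attempts, send):
    """Contact each server up to `attempts` times (the RADIUS Attempts setting)
    before assuming failure and moving to the next role. `send(server)` returns
    a response or None on timeout. Returns (role that answered or None, tries made)."""
    tries = []
    for server in servers:
        for n in range(1, attempts + 1):
            tries.append((server["role"], n))
            if send(server) is not None:
                return server["role"], tries
    return None, tries


if __name__ == "__main__":
    secret = b"testing123"
    pkt = build_access_request(7, secret, "alice", "s3cret!", "10.1.1.1")
    code, ident, auth, attrs = parse_packet(pkt)
    print("decoded:", attrs[ATTR_USER_NAME], unhide_password(attrs[ATTR_USER_PASSWORD], secret, auth))
    # Primary never answers; with RADIUS Attempts = 3 the Secondary gets the request on the 4th try.
    print(authenticate_with_failover(SERVERS, 3, lambda s: b"ok" if s["role"] == "Secondary" else None))
```

Two practical points follow from the code. The User-Password hiding is MD5 keyed only by the shared secret and a 16-byte authenticator, so it protects against casual sniffing and nothing more; RADIUS between the gateway and its servers should stay on a management network or inside a tunnel. And a low RADIUS Attempts value with a short timeout is what keeps a dead Primary from stalling every VPNremote login for the full timeout multiplied by the attempts count before the Secondary is tried.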
Chapter 6: Configuring user groups The User Group function is used to set up and maintain logical groups in which the individual VPN users reside. User groups have a single-level hierarchy - you cannot have a user group within another user group. A User Group Object is a method f...
Configuring user groups User Group - General tab The User Group General tab is used to manage your users and their respective user group assignments. Figure 43: User Group, General tab All existing user groups are displayed in the Contents list. T...
User Group - Actions tab The Actions tab is used to control authentication for specific user groups. Figure 44: User Group, Actions Tab User/Manager authentication - Rekey is used to change the key of the highlighted user group. You should change the key...
Configuring user groups 4. Use the General tab to populate the group with specific users. ● From the Available Users column, select one or more users. To select multiple users that are listed adjacently, hold the SHIFT key. To select multiple use...
Chapter 7: Configuring VPN objects A VPN object is the method used for linking security gateways, remote terminals, and LAN terminals in a fully configured virtual private network. To create a VPN, you name the VPN, select a key management method, and optionally, designate it as...
Configuring VPN objects IKE VPNs Note: IKE VPNs are supported in VPNremote Client 3.0 and later. An IKE VPN can run in certificate or preshared secret authentication mode. Also, IKE VPNs always operate in tunnel mode, which means the entire ...
Default VPN policy In tunnel mode (security gateways and VPNremote Client only), IP packets between members are secured by encrypting and authenticating the entire packet, including the addressing header. The encrypted and authenticated packet is then used as the payload of a ne...
Configuring VPN objects Creating a new VPN object To create a new VPN object: 1. From the VPNmanager Console main window, click New Object and select VPN. The New VPN dialog is displayed. 2. In the Name text box, type in a name for your new VPN Ob...
Creating a designated VPN 9. On the LDAP server, a local server or an external server with a different context, add the user. Enter the user credentials. 10. Log in to the security gateway through the VPNremote client using the credentials entered in the RADIUS/LDAP server. The user...
Configuring VPN objects Using the VPN tabs After you have created a VPN object, you can use the VPN tabs to change the default settings or modify configuration. The tabs displayed are dependent on the VPNos release for the device. General tab The ...
Using the VPN tabs Enable VPN. - When this box is checked and the security gateway has been updated, the VPN is active. Unchecking the box disables the VPN and is typically used during the troubleshooting process. Default VPN. - When this box is checked, this VPN is the default ...
Configuring VPN objects Members-Users tab The Members-Users tab is used to establish the user membership of the VPN. A list of currently assigned users appears in the Current VPN Members list. Use the right and left arrows to move the users to the...
Configuring VPN objects Pre-Shared Secret The Pre-Shared Secret area appears only when the VPN type is IKE with Preshared Secret selected. The preshared secret appears in the Secret field as either ASCII or hexadecimal. Select Modify Secret to cha...
Using the VPN tabs LZS. - This refers to the Lempel-Ziv-Stac hardware data compression technique, applied before encryption (compressing after encryption gains nothing, because ciphertext is incompressible). Yes/No enables or disables its use. AH/ESP. - This is the Authentication Header (AH)/Encapsulating Security Payload (ESP). IKE VPNs authenticate IP packets usin...
Configuring VPN objects Add IPSec proposal You can add up to four IPSec proposals. You determine the encryption method, the authentication method, and how long a single set of cryptographic keys is used when applying VPN services to IP pack...
Configuring VPN objects Actions tab The Actions tab is used to export the VPN (without keys) and to change the VPN security key (Rekey). Figure 49: VPN, Actions tab VPN configuration Export Exports the VPN to another VPN domain without the keys. T...
Advanced VPN tab Rekey site-to-site VPN Rekey Used to change the preshared secret key of a site-to-site VPN. This should be done regularly to ensure maximum security. Only SKIP and Preshared Secret IKE VPNs can be manually rekeyed. In the case of SKIP, rekeying generates and dis...
Configuring VPN objects In the Exchange area, check Use Aggressive mode for clients to enable IKE Aggressive mode between a user and the security gateway. It accomplishes the same goals as Main mode in fewer messages, but the identities are exchanged unprotected and, with preshared secrets, the responder's hash can be captured for offline guessing of the secret. Note: Aggressive mod...
Configuring VPN objects Configuring an IKE VPN Note: Security gateways at each end of a tunnel must use the same IKE settings. To configure a new IKE VPN Object: 1. Move to the Configuration Console window. 2. From the Icon toolbar, click VP...
Configuring VPN objects 22. Perfect Forward Secrecy (PFS) is a key-creation method used for assuring that a new key is not related to any previous keys. With PFS, the IPsec session keys are derived from a fresh Diffie-Hellman exchange in Quick Mode rather than from the Phase 1 keying material alone, so compromise of one key (or of the IKE SA) does not reveal earlier or later keys. ● Select Yes t...
Configuring an IKE VPN ● From the Authentication drop-down list, select the type of authentication to use. ● None. Packets are not authenticated. Avoid this setting: unauthenticated ESP leaves packets open to undetected modification, including bit-flipping of CBC ciphertext. ● HMAC-MD5. Packets are authenticated using the Hash-based Message Authentication Code (HMAC) coupled with the Message Digest 5 (MD5)...
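What step 22's PFS setting changes, as an added example (not Avaya code): the two Quick Mode KEYMAT formulas from RFC 2409 section 5.5, computed with HMAC-SHA1 as the prf, and a model of an attacker who has recorded the Quick Mode exchange and later obtains SKEYID_d from the Phase 1 SA. Without PFS that attacker rebuilds KEYMAT; with PFS the discarded ephemeral g^xy is missing. The Diffie-Hellman group is a deliberately tiny toy prime so the example runs instantly (real IKE uses the RFC 2409/3526 MODP groups); SKEYID_d, the SPI and the nonces are constructed.

```python
"""Quick Mode key derivation with and without PFS, following the RFC 2409
section 5.5 KEYMAT formulas. Added example, not Avaya code. The DH group
is a toy 61-bit prime (NOT secure), used only so the demo is instant;
SKEYID_d, SPI and nonces are constructed values."""
import hashlib
import hmac
import secrets

TOY_P = 2305843009213693951   # 2**61 - 1, a Mersenne prime; toy group only
TOY_G = 7


def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    x = secrets.randbelow(TOY_P - 2) + 1
    return x, pow(TOY_G, x, TOY_P)


def dh_shared(x, peer_pub):
    return pow(peer_pub, x, TOY_P).to_bytes(8, "big")


def keymat(skeyid_d, spi, ni, nr, protocol=b"\x03", g_xy=None):
    """RFC 2409 5.5: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).
    protocol 3 = ESP. The g^xy term is present only when PFS is negotiated."""
    seed = (g_xy or b"") + protocol + spi + ni + nr
    return prf(skeyid_d, seed)


def derive_pair(skeyid_d, spi, ni, nr, pfs):
    """Both peers derive KEYMAT; returns (initiator_keymat, responder_keymat).
    With PFS each side contributes a fresh DH value in Quick Mode."""
    if not pfs:
        return keymat(skeyid_d, spi, ni, nr), keymat(skeyid_d, spi, ni, nr)
    xi, pub_i = dh_keypair()
    xr, pub_r = dh_keypair()
    return (keymat(skeyid_d, spi, ni, nr, g_xy=dh_shared(xi, pub_r)),
            keymat(skeyid_d, spi, ni, nr, g_xy=dh_shared(xr, pub_i)))


def attacker_recovers(skeyid_d, spi, ni, nr, real_keymat):
    """Attacker model: SPI and nonces were captured from the wire (they are
    sent in the clear) and SKEYID_d was obtained later from a compromised
    Phase 1 SA. Without PFS that suffices; with PFS the ephemeral g^xy
    was never transmitted and both peers discarded it."""
    guess = keymat(skeyid_d, spi, ni, nr)
    return hmac.compare_digest(guess, real_keymat)
```

The security gateways at both ends must agree on the setting (the note above applies): a PFS mismatch fails the Quick Mode negotiation rather than silently falling back.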
Configuring VPN objects Enabling CRL checking For certificate-based VPNs using IKE negotiation, a security gateway must verify the other VSU's certificate. When Certificate Revocation List (CRL) checking is enabled, the VSU validates the ce...
Configuring VPN objects If the Directory Server has been updated using a new CRL, the cached CRL must be manually removed from the VSU console; until it is removed, the VSU keeps validating against the stale copy, so a certificate revoked since the cached CRL was issued is still accepted. To remove the CRL from the VSU: 1. From the VSU Console, enter 3 for the Utilities menu. 2. From the Ut...
Exporting a VPN object to an extranet Figure 51: Exporting a VPN Object to an Extranet VPN Object export checklist Table 9 lists what to do before you export a VPN Object. The terms used by Figure 51 are used for orientation. IP Group Object A Domain A IP Group Object B VPN Obje...
Configuring VPN objects Export procedure Exporting a VPN Object involves copying the object data to a file, then sending the file to the extranet administrator, who will import the file into their VPN Domain. To export a VPN Object: 1. Move to the...
Importing a VPN object from an extranet 10. Click OK to open the Save dialog. 11. Use the controls in the Save dialog to select a location for the VPN Object data file. 12. In the File name text box, type in a name for the file, and use VPN as the file name extension. 13. Click ...
Configuring VPN objects Rekeying a VPN object Use the Rekey command to create a new key that SKIP VPN tunnel endpoints (security gateways and VPNremote Clients) must use for encryption tasks. To rekey a SKIP VPN Object: 1. Open the Configuration C...
Chapter 8: Establishing security This chapter describes the VPNmanager security measures you can configure to establish a secure domain. Included in this chapter is how to set up the following: ● Firewall rules set up (4.2 and later) ● Denial of Service (4.X) ● Services ● Voice ...
Establishing security Figure 52: Firewall tab At the domain level, firewall policy management allows the network administrator to set rules across the domain. These rules are referred to as domain level firewall rules. These rules can be applied t...
Firewall rules set up You select View>Firewall to add domain firewall rules. You can apply common rules to all or some of the devices within the domain when firewall rules are added at the domain level. When firewall rules are applied at the domain level, they can be applied ...
Establishing security Note: Although UDP is connectionless, if a packet is first sent out from a given port, a reply is expected in the reverse direction on the same port. Keep State “remembers” the port and ensures that the replying packet ...
Firewall rules set up 12. If the filter rule set for the intended traffic is also to be applied to the reply packets, select Keep State. This function can be applied to TCP, UDP, and ICMP packets. 13. If you want to change the default time-out settings for the TCP state, UDP sta...
Establishing security Active-FTP is beneficial to the FTP server administrator, but detrimental to the client-side admin. If the FTP server attempts to make connections to random high ports on the client, these packets would almost certainly be bl...
Firewall rules set up FTP-Proxy does have some issues when operating within a NAT gateway. A protected FTP server must have a routable address, and the router on the unprotected side of the gateway must have a static route to it in which the security gateway interface address is the route...
Establishing security Predefined templates The predefined templates can be used as a basis for user-defined templates; however, the predefined templates cannot be modified. For detailed information regarding the predefined templates, see Firewall ...
Firewall rules set up 5. Select Template, Device, or None. 6. Click Apply. 7. To create a user-defined firewall template, type in a name for your new firewall template; otherwise click Cancel. 8. Confirm that the correct user-defined firewall template is selected in the Contents...
Establishing security 22. For maximum flexibility and capability, the firewall rules can be specified on each interface: Public, Private, or Tunnel. The packets are checked against the firewall rules at the interface where they are defined. 23. Se...
Device Group The predefined services can be used as a general service set or as a starting point for creating a customized service, or user-defined service, that is required for use in the firewall definition. The service types IP, TCP, UDP, and ICMP are provided and parameters ...
Establishing security The security gateway object's Denial of Service tab is used to change the settings for specific devices. Changing the settings here overrides the domain level settings for that category. When devices are updated, the DOS categ...
Voice Over IP WinNuke Attack. - This attack attempts to completely disable networking on computers that are running Windows 95 or Windows NT. This attack can be swift and crippling because it uses common Microsoft NetBIOS services. WinNuke sends TCP out-of-band (URG) data to ports 135 through 139 on platfo...
Establishing security When using the IP Trunking Call Model, configure the following: ● Service Port. The port to which the gatekeeper sends call-signaling messages. ● Source Trunk Zone. The zone where the gatekeeper is located with respect to the...
Establishing security Figure 56: Voice over IP tab Using the Gatekeeper Routed Call Model The Gatekeeper Routed call model should be used when there is an SG in the network path between IP endpoints (e.g. IP hard phones and IP soft phones) and the...
Voice Over IP Add gatekeeper settings When you add a gatekeeper, you include the gatekeeper name or IP address, the location of the gatekeeper with respect to the firewall, the Registration, Admission and Status (RAS) protocol, and the time-out. Click Add to configure gatekeeper setting...
Establishing security Note: If the network object does not exist, cancel the configuration and create one. 8. Click Next. The Gatekeeper(s) dialog appears. ● In the Zone field, select the zone which the destination endpoints are connected to...
Establishing security Note: It is not recommended to assign similar traffic to different classes. Example: one class containing any FTP and another class containing “ANY TCP”. This would be ambiguous because “ANY TCP” would include FTP also...
QoS policy and QoS mapping Figure 59: Modify QoS bandwidth, burst and DSCP value screen 4. Configure bandwidth, burst and DSCP values. ● Enter the percentage of bandwidth to be allocated for this type. When classes are configured, it is recommended that the sum total allocation ...
Establishing security QoS mapping QoS Mapping is the mapping of a QoS policy to a zone. A zone can map to only one QoS policy, but a QoS policy can be applied to multiple zones. When you map QoS policies consider the following: ● If QoS is configu...
Packet Filtering What can be filtered Table 10 lists the specific types of traffic that can be filtered. Packet Filtering and NAT Network address translation (NAT) and packet filtering services can be run simultaneously. Depending on the direction of the traffic, the VSU automat...
Establishing security Figure 60: Policy Manager, Packet Filtering/QoS Clicking on the Edit or Add buttons launches a Packet Filtering Policy Wizard that guides you through configuration of the desired packet filtering. Advanced The Advanced tab ac...
Packet Filtering Note: This mode should be used when the VSU is dedicated to VPN traffic and is in parallel with another device (such as a router or firewall) that can resolve ARPs from the private network to the Internet gateway. This mode should not be used when the VSU ...
Packet Filtering To Where ● Type. Network/Mask Pair or Any. ● IP Network Mask Pair. Identify the destination network (address and mask) to which the filter rule applies. The Filtering Policy in progress This area presents a dynamically updated summary of the filter parameters based on the current sel...
Establishing security Note: As you build your policy, its parameters populate the “Filtering Policy in Progress” text box, which is located at the bottom of the wizard. 7. If you want to make a note about this policy, in the Memo text box, t...
Packet Filtering Note: A packet is evaluated against the ACL policies in list order. The packet is matched against policy number 1 first, then policy number 2, then policy number 3, and so on until it finds the first match or exhausts the list. Because the first match wins, a broad permit placed above a narrower deny makes that deny unreachable, so order rules from most specific to most general...
Establishing security 4. From the drop-down list, select Packet Filtering, then click GO to open the Policy Manager for Packet Filtering. 5. Click Advanced to open the Packet Filter Rule-Advanced dialog box. 6. Use Table 12 for determining which o...
Packet Filtering About Differentiated Services IP packets move from router to router by using Routing and Packet Forwarding processes. The routing process involves building and maintaining a routing table. The packet forwarding process involves comparing the destination address ...
Establishing security Types of marking rules Two kinds of packet marking rules can be created. ● A rule can be made to examine the ToS field of a header and copy the existing mark to the ToS field of the new packet, which is entering or exiting th...
Packet Filtering 6. From the Action drop-down list, select Permit to activate the QoS Mark drop-down list. Note: As you build your Packet Marking Rule, its parameters populate the “Filtering Policy in Progress” text box, which is located at the bottom of the wizard. 7. Fro...
Establishing security 9. Continue using any remaining controls in the wizard to complete your new rule. 10. Click Finished to return to the Policy Manager for Packet Filtering window. 11. Your new rule appears in the Access Control List. 12. Click Sa...
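The two marking-rule types (copy the existing ToS mark into the new packet's header, or set a fixed DSCP mark) and the QoS class allocation check from the QoS policy section, as an added example that is not Avaya code. The IPv4 ToS byte layout (six DSCP bits, two ECN bits) and the listed code points are from RFC 2474/2597/3246; the header tuples, the leak check and the assumption that class percentages must total at most 100 are my own construction.

```python
"""ToS/DSCP handling for the two marking-rule types: copy the mark from the
packet being encapsulated/decapsulated, or set a fixed DSCP. Added example,
not Avaya code; the header records and checks are constructed."""
from dataclasses import dataclass, replace

# Well-known DSCP code points (RFC 2474 / RFC 2597 / RFC 3246)
DSCP = {"BE": 0, "CS1": 8, "AF11": 10, "AF21": 18, "AF31": 26, "AF41": 34,
        "EF": 46, "CS6": 48}


def tos_from_dscp(dscp, ecn=0):
    """The IPv4 ToS byte carries DSCP in the top six bits, ECN in the low two."""
    if not 0 <= dscp < 64 or not 0 <= ecn < 4:
        raise ValueError("dscp must be 0..63, ecn 0..3")
    return (dscp << 2) | ecn


def dscp_from_tos(tos):
    return tos >> 2, tos & 0x3


@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    tos: int


def mark_copy(inner: IPHeader, outer: IPHeader) -> IPHeader:
    """Rule type 1: copy the inner packet's mark into the outer (tunnel)
    header. The outer header keeps its own ECN bits."""
    dscp, _ = dscp_from_tos(inner.tos)
    _, ecn = dscp_from_tos(outer.tos)
    return replace(outer, tos=tos_from_dscp(dscp, ecn))


def mark_set(hdr: IPHeader, dscp_name: str) -> IPHeader:
    """Rule type 2: overwrite the mark with the rule's fixed DSCP value."""
    _, ecn = dscp_from_tos(hdr.tos)
    return replace(hdr, tos=tos_from_dscp(DSCP[dscp_name], ecn))


def leaks_inner_class(inner: IPHeader, outer: IPHeader) -> bool:
    """Caveat: copying DSCP onto the outer header of an encrypted tunnel
    tells anyone on the public path what class of traffic is inside
    (EF = voice, for instance). True when a non-default inner mark is
    visible on the outer header."""
    return dscp_from_tos(outer.tos)[0] == dscp_from_tos(inner.tos)[0] != 0


def allocations_ok(classes: dict) -> bool:
    """QoS policy sanity check (assumed rule): each class gets 1..100 percent
    and the classes together must not exceed 100 percent."""
    return (all(1 <= v <= 100 for v in classes.values())
            and sum(classes.values()) <= 100)
```

The copy rule is what lets per-class queuing work on the public side after encryption; the trade-off is the traffic-class leak above, so use a fixed mark (or a coarser one) where that matters.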
Packet Filtering To use the firewall policy management: 1. Move to the Configuration Console window. 2. From the Contents column, select the security gateway to which the policy is applied. 3. Click the Policies tab to bring it to the front. 4. Select Firewall from the Policies drop...
Establishing security 17. The keepstate function allows a rule set for the intended traffic to also be applied to the reply packets. The function can be applied to TCP, UDP, and ICMP packets. 18. Keepstate sets up a state table with each entry set...
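An added example (not Avaya code) that ties together the two behaviours this chapter describes: ordered first-match evaluation of the rule list with a default rule and a "no match" counter, and Keep State, which records a permitted flow and admits its reply packets (ports reversed; ICMP has none) until the per-protocol timeout expires. The rule format, timeout values and sample packets are constructed.

```python
"""Ordered, first-match packet filter with keep state, modelled on the ACL
and Keep State behaviour described in this chapter. Added example, not
Avaya code; rule format, timeouts and sample packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    now: float = 0.0    # arrival time in seconds


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # network/mask pair or "any"
    dst: str
    dport: Optional[int] = None  # None = any port
    keep_state: bool = False


# Default state lifetimes in seconds (constructed values, like the
# per-protocol time-outs the firewall wizard lets you change).
TIMEOUTS = {"tcp": 3600, "udp": 60, "icmp": 30}


def _net_match(net, addr):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def _rule_match(rule, pkt):
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and _net_match(rule.src, pkt.src) and _net_match(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


class Filter:
    def __init__(self, rules, default="deny"):
        self.rules = rules        # evaluated top to bottom
        self.default = default    # interface default rule when nothing matches
        self.state = {}           # flow key -> expiry time
        self.no_match = 0         # like the "No Match" monitor counters

    @staticmethod
    def _flow_key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reply_key(pkt):
        # A reply travels dst -> src with the ports swapped.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def check(self, pkt):
        # 1. A live state-table entry for this reply wins over the rule list.
        key = self._reply_key(pkt)
        expiry = self.state.get(key)
        if expiry is not None:
            if pkt.now <= expiry:
                self.state[key] = pkt.now + TIMEOUTS[pkt.proto]   # refresh
                return "permit"
            del self.state[key]       # expired: fall through to the rules
        # 2. First matching rule decides; later rules are never consulted.
        for rule in self.rules:
            if _rule_match(rule, pkt):
                if rule.action == "permit" and rule.keep_state:
                    self.state[self._flow_key(pkt)] = pkt.now + TIMEOUTS[pkt.proto]
                return rule.action
        self.no_match += 1
        return self.default
```

Two things worth noticing when you run it: the permit for telnet in the last rule is never reached because the deny above it matches first, and an inbound packet that looks like a reply but has no state entry falls through to the rules and the default deny, which is exactly why Keep State removes the need for broad inbound "reply" rules.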
Chapter 9: Using advanced features This chapter explains the advanced functions of VPNmanager. The following tabs can be used to configure advanced functions for domains and for security gateways: ● Device Advanced ● TEP Policy ● Servers ● Resilient Tunnel ● Failover TEP ●...
Using advanced features ● VPNos 4.4 includes Path MTU Discovery, NAT Traversal, and Port for Dyna Policy Download ● VPNos 4.5 includes Path MTU Discovery, NAT Traversal, and Port for Dyna Policy Download Note: The Private IP Address and the ...
Device Advanced Examples of traffic destined for the private network are: ● Decapsulated IPSec packets destined for the private network. ● SNMP Get Responses being sent to a VPNmanager console residing on the private side of the VSU ● Traps sent to a VPNmanager console residing ...
Using advanced features As a packet is routed through different networks, it may be necessary for a router to divide the packet into smaller pieces because it might be too large to transmit as a single packet on a different network. This may occur...
Device Advanced 6. In the Fragmentation Control for Encapsulated VPN Traffic area, select the appropriate Do Not Fragment (DF) bit property. Note: If the DF bit is set in the IP header, the packet will not be fragmented further down the network path; a router whose next-hop MTU is too small drops it and returns an ICMP Fragmentation Needed message instead. ● Copy DF bit from the so...
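Why the DF-bit choice matters for encapsulated traffic, as an added example that is not Avaya code: an inner packet grows by the tunnel-mode ESP overhead, and when the result exceeds the path MTU it is either fragmented (outer DF clear) or dropped with an ICMP Fragmentation Needed report (outer DF set). The three policy names (copy, set, clear) and the overhead figures for ESP with AES-CBC and HMAC-SHA1-96 are assumptions stated in the code; only the "copy" option is visible in the truncated text above.

```python
"""What happens to an IP packet that is ESP tunnel-encapsulated and then
exceeds the path MTU, under three DF-bit policies. Added example, not
Avaya code; overhead figures (ESP, AES-CBC, HMAC-SHA1-96) and the policy
names are assumptions."""
from dataclasses import dataclass

OUTER_IP = 20     # new outer IPv4 header added in tunnel mode
ESP_HDR = 8       # SPI + sequence number
IV = 16           # AES-CBC initialisation vector
TRAILER = 2       # pad length + next header
ICV = 12          # HMAC-SHA1-96 integrity check value


def esp_tunnel_size(inner_len, block=16):
    """Encapsulated size: the inner packet is padded so that inner + trailer
    is a multiple of the cipher block size, then ESP and outer IP are added."""
    pad = (-(inner_len + TRAILER)) % block
    return OUTER_IP + ESP_HDR + IV + inner_len + pad + TRAILER + ICV


def outer_df(policy, inner_df):
    """DF bit on the outer header under each policy (names assumed)."""
    return {"copy": inner_df, "set": True, "clear": False}[policy]


@dataclass
class Result:
    action: str           # "forward", "fragment" or "drop"
    fragments: int = 0
    icmp_mtu: int = 0     # MTU reported in ICMP Fragmentation Needed


def encapsulate(inner_len, inner_df, policy, path_mtu):
    outer_len = esp_tunnel_size(inner_len)
    if outer_len <= path_mtu:
        return Result("forward", fragments=1)
    if outer_df(policy, inner_df):
        # Cannot fragment: drop, and tell the inner sender the largest
        # inner size that still fits after encapsulation, so its own
        # path MTU discovery converges on a working value.
        usable = path_mtu - (outer_len - inner_len)
        return Result("drop", icmp_mtu=usable - usable % 8)
    # Fragment the *outer* packet: every fragment carries its own 20-byte
    # header and all but the last carry a payload that is a multiple of 8.
    payload = outer_len - OUTER_IP
    per_frag = (path_mtu - OUTER_IP) - (path_mtu - OUTER_IP) % 8
    frags = -(-payload // per_frag)
    return Result("fragment", fragments=frags)
```

Clearing DF keeps traffic flowing through paths that filter ICMP, at the cost of outer-packet fragments that the peer must reassemble before it can authenticate the ESP payload (so unauthenticated fragment floods can tie up its reassembly buffers); copying or setting DF keeps fragmentation off the public path but depends on ICMP Fragmentation Needed reaching the inner hosts.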
Using advanced features Port for dyna-policy download If a VSU is configured to receive dyna-policies from a remote server instead of storing them locally, it uses a specific port for listening to the remote server. The port uses the Secure Socket...
Device Advanced A typical use of the private IP address is when the VSU’s private side IP network is a different network (different network number and/or mask) from the VSU’s public side IP network. For example, when you deploy the VSU in parallel with a firewall or other access...
Device Advanced Note: The VSU determines what type of authentication it permits, but this is dependent upon the authentication policy last downloaded from VPNmanager (SuperUser Password OFF or ON). Remember that if you set the SuperUser Password to OFF you are no longer ab...
Using advanced features Figure 63: VSU Tunnel Persistence Figure 64 illustrates tunnel persistence between SGs and remote users (RUser). The addition of SG D to VPN 2 (SG A, SG C, SG D, and Remote User) interrupts tunnel persistence in VPN 2 ...
TEP Policy The Tunnel End Point (TEP) Policy tab provides control of the security policy applied to the traffic that flows between the end points of a tunnel. The default is off, or Do not apply configured VPN policies to TEP traffic. Figure 65: Tunnel End Point Polic...
Using advanced features Servers The Servers tab is used for adding backup directory servers to a specific security gateway. There is no practical limit on how many backups you can configure. Backup servers can be added at any time, and they can be ...
Servers To create a backup server: 1. Move to the Configuration Console window. 2. From the Device>Contents column, select the security gateway that needs to have the backup server. 3. Click the Directory Servers tab to bring it to the front. 4. Click Add to open the Add Dire...
Using advanced features 4. From the Servers list, select a specific secondary end-point. 5. Use Table 16 for performing specific management tasks. When finished, click Save to save your work. Resilient Tunnel Tunnels are used to protect VPN traffi...
Resilient Tunnel Figure 67: Primary and Resilient Tunnels Tunnel Switching The switching mechanism involves time and a packet called a Heartbeat. Figure 68 illustrates how tunnels are switched. Figure 68: Tunnel Switching Explanation for Figure 68 1. VSU A listens to VSU B’s he...
Using advanced features 6. After VSU A establishes a connection with VSU C, the resilient tunnel is used for VPN traffic. 7. On a periodic basis, VSU A continues to request a heartbeat from VSU B. The period is called Dead Primary Poll Interval....
Resilient Tunnel Add resilient tunnel There are four parameters associated with Resilient Tunnel automatic backup mode. They are: ● Heartbeat Interval The time, in seconds, between heartbeat request attempts made by the remote security gateway to the primary security gateway. De...
Using advanced features 7. From the Properties list, click on Heartbeat Interval so that the heartbeat interval values appear. ● In the Heartbeat Interval drop-down list, select a unit of time. ● In the Heartbeat Interval text box, type in a duration ...
Resilient Tunnel 5. You can edit, move up, move down or delete. 6. When finished, click Save to save your work. Stopping and starting resilient tunnel services Resilient tunnel services for a specific primary end-point or secondary end-point can be stopped or started at any time...
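The tunnel-switching sequence of Figure 68, as an added event-driven model that is not Avaya code: the remote gateway (VSU A) probes its primary (VSU B) every Heartbeat Interval, moves VPN traffic to the resilient endpoint (VSU C) once the primary stops answering, keeps polling B at the Dead Primary Poll Interval, and returns to B when it answers again. Heartbeat Interval and Dead Primary Poll Interval are the guide's own parameter names; the number of misses before switching and the switch-back-on-recovery behaviour are assumptions made for this model, as are the timing values in the usage.

```python
"""Event-driven model of resilient tunnel switching: heartbeat probes to the
primary, switch to the resilient endpoint on repeated misses, poll the dead
primary at a slower interval, switch back when it answers. Added example,
not Avaya code. Heartbeat Interval and Dead Primary Poll Interval are the
guide's parameter names; the miss threshold and the switch-back rule are
assumptions of this model."""
from dataclasses import dataclass, field


@dataclass
class ResilientTunnel:
    heartbeat_interval: float = 10.0   # seconds between probes of the primary
    dead_primary_poll: float = 60.0    # probe period once the primary is dead
    max_missed: int = 3                # assumed: misses before switching
    active: str = "primary"
    missed: int = 0
    next_probe: float = 0.0
    log: list = field(default_factory=list)

    def due(self, now):
        return now >= self.next_probe

    def on_probe(self, now, primary_answered):
        """Call whenever a heartbeat request is sent and the outcome (reply
        or no reply) is known. Returns the endpoint traffic should use."""
        if not self.due(now):
            return self.active
        if primary_answered:
            if self.active == "resilient":
                self.log.append((now, "primary back, switching to primary"))
            self.active, self.missed = "primary", 0
            self.next_probe = now + self.heartbeat_interval
            return self.active
        self.missed += 1
        if self.active == "primary" and self.missed >= self.max_missed:
            self.active = "resilient"
            self.log.append((now, "primary dead, switching to resilient"))
        # Dead primary is polled less often so the probes do not add load
        # while the resilient tunnel carries the traffic.
        self.next_probe = now + (self.dead_primary_poll
                                 if self.active == "resilient"
                                 else self.heartbeat_interval)
        return self.active


def simulate(tunnel, answers):
    """answers: (time, primary_answered) pairs in time order.
    Returns the endpoint in use after each probe."""
    return [tunnel.on_probe(t, ok) for t, ok in answers]
```

The miss threshold is the hysteresis that keeps one lost heartbeat from flapping traffic between tunnels; the asymmetric poll interval is why a recovered primary is not picked up immediately but only at the next Dead Primary Poll Interval.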
Using advanced features Failover TEP Failover TEP is used to protect site-to-site VPN traffic that moves through the public networks. The endpoints for tunnels are located in SGs. Up to four head-end devices can be configured to back up a specific ...
Advanced Action Configuring failover TEP Failover TEP is configured from the Failover TEP tab. To configure failover TEP: 1. Move to the Configuration Console window. The Device tabs are displayed. 2. From the Device>Contents column, select the device that is operating as the...
Using advanced features Figure 71: Advanced Action tab Switch Flash Switch flash is used to switch the flash chip from which the security gateway is executing its NOS. Normally, a duplicate image of the NOS is loaded into the second flash bank, ho...
High Availability This tab provides access to the High Availability (HA) functions for the security gateway including enabling high availability, setting the public and private virtual addresses, adding security gateway members to the HA group, viewing the stat...
Using advanced features To configure the security gateway to deny all non-VPN traffic through the VPNmanager: 1. Move to the Configuration Console window. Select Devices. 2. From the Device>Contents column, select the security gateway you want ...
High Availability member is down and will force the election to become the active member. The value for missed advertisements ranges from 3 to 16. Group ID. - The Group ID allows configuration of a unique identifier for the HA group. By using the Group ID, the HA group avoids con...
Using advanced features By selecting the member in the table, the following actions can be performed: ● Edit - This action allows the member to be edited. ● Update - This action allows the selected member configuration to be updated. If you suspec...
High Availability Note: Virtual Addresses must be valid routable addresses. 6. Click the Add button to add members to the HA group. 7. Enter the private IP addresses of the Active security gateway. 8. The private IP address may have been entered during the initial creation...
Using advanced features 5. Click the Enable High Availability check box to clear it, which disables High Availability on the remaining security gateway. 6. Click Update Devices from the Configuration Console. Click OK to complete the update. Failover Use the Failover ...
Failover Note: If the public-backup interface idle timer is disabled, the security gateway continues to use the alternate network interface. Network path failure is defined as the configured number of consecutive connectivity checks without a response from the number of ho...
Using advanced features 4. Select Get IP List for DNS Names so that when a DNS query is made, the security gateway keeps all the IP addresses that are returned in the cache. The security gateway attempts to respond to the queries in the same order...
Failover 10. In the Hosts field, click Add to enter the network host or hosts for which you want to monitor connectivity. You can define up to five DNS names or IP addresses. These hosts can be either within the VPN or outside the VPN. If the host is within the VPN, the host in...
Using advanced features In previous releases of VPNos 4.x, a system reboot would not restore the original RTEP. ● Restore primary RTEP. In the event of tunnel failover, restore the original, primary remote tunnel endpoint in effect following a syste...
Using advanced features ! Important: When the default RTP test port value is modified, you must create a new CNA service to use the new RTP test destination port. If the security gateway is configured to allow CNA traffic, be sure to u...
Keep Alive Figure 74: Keep alive tab To configure keep alive: 1. From the Configuration Console window, select New Object>Keep Alive. The Keep Alive dialog is displayed. 2. In the Keep Alive name text box, enter a unique name. Click Apply. Click Close to go to the Keep Alive ...
Using advanced features 8. In the Traceroute Criteria area, select Initiate Traceroute when criteria are met, and complete the following: a. In the Number of Failed Hosts field, enter the number of hosts from the configured keep alive hosts that c...
Policy Manager - My Certificates Up to eight certificates can be stored in a VSU. During IKE negotiation, a VSU sends a specified certificate to its target. Those other VSUs and clients are called targets. Likewise, the target that received a certificate must distribute its [uni...
Using advanced features Figure 76: The Policy Manager for My Certificates To install a signed certificate into a VSU: 1. From the Device>Contents column, select the VSU that needs a Signed Certificate. 2. Click the Policies tab to bring it to t...
Policy Manager - My Certificates Figure 77: An Example of a Signed Certificate 11. Cut the signed certificate from whatever file the PKI System sent it in, then paste it into the file you created in Step 6. Include the header and footer. Note: The alignment of the right side...
Using advanced features 4. From the Maintain Certificates list, select the certificate that you want the VPNmanager Console to use. 5. The default VSU certificate is identified by an asterisk in the MGR column. Although a specific certificate may h...
Policy Manager - My Certificates Figure 78: Issuer Certificates Explanation for Figure 78: 1. A Certificate Request from VSU A is sent to a PKI System to be signed. 2. The PKI uses the Certificate Request to create a Signed Certificate specifically for VSU A. The Signed Certif...
Using advanced features Figure 79: An Example of an Issuer Certificate 3. Cut the issuer certificate from whatever file the PKI system sent it in, then paste it into a text file. The file can have a DER or TXT file name extension. Note: The ...
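The cut-and-paste steps for signed and issuer certificates both depend on the pasted text being intact: header and footer present and matching, clean base64 between them, and nothing lost at the right margin. An added pre-install check (not Avaya code) that catches those mistakes before the file reaches the VSU: it extracts the PEM block, decodes it, and confirms that the outer ASN.1 SEQUENCE length in the DER matches the number of bytes actually decoded, which a truncated paste fails. The sample PEM built by the helper is a constructed stand-in with a valid outer length, not a real certificate.

```python
"""Checks a pasted PEM certificate file: BEGIN/END framing, base64 body,
and a DER outer SEQUENCE whose declared length matches the decoded size.
Added example, not Avaya code; the sample PEM is constructed."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    r"-----END (?P=label)-----",
    re.DOTALL)


def der_sequence_length(der):
    """Parse the outer ASN.1 tag and length; return the total encoded size."""
    if not der or der[0] != 0x30:
        raise ValueError("DER does not start with a SEQUENCE")
    first = der[1]
    if first < 0x80:                         # short form
        return 2 + first
    n = first & 0x7F                         # long form: n length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def extract_certificate(text, expected_label="CERTIFICATE"):
    """Return the DER bytes, or raise ValueError with a reason a user can act on."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("header/footer missing or mismatched")
    if m.group("label") != expected_label:
        raise ValueError(f"unexpected PEM label {m.group('label')!r}")
    compact = re.sub(r"\s+", "", m.group("body"))   # tolerate ragged margins
    try:
        der = base64.b64decode(compact, validate=True)
    except ValueError as e:
        raise ValueError(f"body is not valid base64: {e}")
    total = der_sequence_length(der)
    if total != len(der):
        raise ValueError(
            f"DER length {total} != decoded {len(der)} bytes (truncated paste?)")
    return der


def make_constructed_pem(payload):
    """Demo helper: wrap a fake DER SEQUENCE around `payload`. This is NOT a
    certificate, only a body with a valid outer length for the checks."""
    body = b"\x04" + bytes([len(payload)]) + payload
    der = b"\x30" + bytes([len(body)]) + body
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"
```

A file that passes this check can still hold the wrong certificate (for the wrong VSU, or an issuer certificate where a signed one was expected); compare the subject and issuer in a certificate viewer before installing, since the VSU can only tell you that the paste was well-formed.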
Policy Manager - My Certificates About Certificate Usage (Exchange) Every certificate identifies its owner and contains the owner’s public key. The concept of certificate usage is based on Owners and Targets. An owner sends its certificate to a target, who then uses it to encryp...
Using advanced features When a VSU recognizes that a target wants to communicate, the VSU uses the IKE Certificate Usage list to determine which bundle to send to the target. The search always starts at the top of the list, so it’s important to p...
Chapter 10: Monitoring your network This chapter describes the real-time monitoring facilities that the VPNmanager application provides. This includes the following: ● Using SNMP to monitor the device ● Syslog Services ● Using Monitor ● Monitoring alarms ● Report Wizard Using SNM...
Monitoring your network The traps that are generated by the security gateway are sent to the list of trap targets that are configured. The version of the trap that is sent is the same as the version of the SNMP Agent, that is, if the security gate...
Using SNMP to monitor the device To add an SNMP Trap Target for security gateways running versions prior to VPNos 4.2, do the following: 1. From the Contents column, select the security gateway you want to configure. 2. Click the SNMP tab to bring it to the front. 3. In the Tra...
Monitoring your network Note: If your organization’s security policy dictates that this traffic be secure, TEP Policy (in the Main Console Preferences tab) can be turned on to encrypt this traffic; otherwise SNMP v1/v2c community strings and trap contents travel in clear text. For additional information about using thir...
Syslog Services Add Syslog Policy The Add Syslog Policy screen allows you to designate the host to which syslog messages are sent by the selected security gateway or all devices. It also enables syslog messages to be sent to the VPNmanager through a designated UDP port. ● Hosts ...
Monitoring your network 12. Type in the following command line to set the directory for the syslog file, its size limit, the protocol used and the port number. ● If you want the size of the log file to be limited to a specific size, type in a specific size ...
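What the receiving host does with the messages a gateway sends to the designated UDP port, as an added example (not Avaya code): decode the `<PRI>` prefix into facility and severity, and keep only messages at or above a chosen severity while reporting lines that do not parse rather than dropping them. The sample lines are constructed in RFC 3164 layout and are not real gateway output; the facility and severity tables are the RFC 3164 ones.

```python
"""Parse RFC 3164-style syslog lines: decode <PRI> into facility and
severity, filter by severity. Added example, not Avaya code; SAMPLE lines
are constructed, not real gateway output."""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.DOTALL)


def parse_syslog(line):
    """Return facility/severity names and the message body, or None when the
    PRI framing is missing or out of range (valid PRI is 0..191, no leading
    zeros except the value 0 itself)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri_text = m.group("pri")
    pri = int(pri_text)
    if pri > 191 or (pri_text != "0" and pri_text.startswith("0")):
        return None
    fac, sev = divmod(pri, 8)      # PRI = facility * 8 + severity
    return {"facility": FACILITIES[fac], "severity": SEVERITIES[sev],
            "severity_num": sev, "message": m.group("rest").strip()}


def filter_at_least(lines, min_severity="warning"):
    """Keep parsed messages at `min_severity` or more urgent (lower number =
    more urgent). Unparseable lines come back separately so a malformed or
    injected line is noticed instead of silently discarded."""
    threshold = SEVERITIES.index(min_severity)
    kept, rejected = [], []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            rejected.append(line)
        elif rec["severity_num"] <= threshold:
            kept.append(rec)
    return kept, rejected


SAMPLE = [   # constructed sample lines
    "<34>May 10 12:01:02 sg-branch1 ike: IKE phase 1 failed for 203.0.113.9",
    "<166>May 10 12:01:05 sg-branch1 fw: pass tcp 10.1.1.5:51000 -> 192.0.2.9:443",
    "<163>May 10 12:01:07 sg-branch1 fw: block tcp 198.51.100.4:40000 -> 10.1.1.5:23",
    "garbage with no PRI",
]
```

Syslog over UDP carries no authentication, so anything that can reach the collector's port can inject lines like the ones above; put the collector on the private side of the gateway (or send the traffic through the VPN) and treat the rejected list as a signal, not noise.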
Using Monitor Issue 4 May 2005 251 Device List For VPN Domain. - This drop-down menu allows you to select a specific domain, or all domains to monitor. Select Device(s). - A list of all available network objects available for monitoring. You can select a single device, or select all devices displaye...
Using Monitor Issue 4 May 2005 253 Table 20: ActiveSessions Parameters Parameter Description ActiveSessionsName A VPNremote client name or a security gateway name as defined in VPNmanager. Length Length of this session in seconds. Original IP VPNremote client’s originating IP address or remote secur...
Using Monitor Issue 4 May 2005 257 Metric 5 An alternate routing metric for this route. The semantics of this metric are determined by the routing-protocol specified in the route’s ipRouteProto value. If this metric is not used, its value should be set to -1. Route Info A reference to MIB definition...
Using Monitor Issue 4 May 2005 263 No Match Pass Out Number of outbound packets for a given interface which did not match any filtering rule and were ultimately allowed to pass per the interface’s default rule. No Match Block In Number of inbound packets for a given interface which did not match any...
Monitoring your network 264 Avaya VPNmanager Configuration Guide Release 3.7 Table 25: Active Ports Parameters Parameter/Group Description Active Ports The number of active ports on this security gateway. Traffic Rate Table Group See Traffic Rate Table Parameters on page 264. Overview Statistics Ta...
Using Monitor Issue 4 May 2005 265 KBits From Port The average rate (in KBits per second) at which packets have been transmitted from this port over the last <Summary Interval> seconds. KBits To Port The average rate (in KBits per second) at which packets have been received on this port over t...
Monitoring your network 266 Avaya VPNmanager Configuration Guide Release 3.7 IP Header Length Errors The number of packets dropped on this port because of an invalid IP header length. Address Map Discards The number of packets dropped because of IP Address Map errors. Table 28: Ethernet Statistics T...
Using Monitor Issue 4 May 2005 267 Define Custom The Define Custom screen allows you to define a custom monitoring group that only collects the data you specify. You select the desired MIB parameters from the Available Data column, then move them into the Current Data in Group column. All of the a...
Monitoring your network 268 Avaya VPNmanager Configuration Guide Release 3.7 Monitoring wizard (Presentation) The Monitoring presentation screen is used to select the display type for the monitored data. The update frequency is also indicated here. Presentation There are four types of presentations:...
Monitoring alarms Issue 4 May 2005 269 This window provides detailed information about the alarm including a time stamp, the security gateway generating the alarm, alarm definition, first and last occurrence. This window appears even if it does not contain any content. The most recent entry is at th...
Monitoring your network 270 Avaya VPNmanager Configuration Guide Release 3.7 You can select to either ignore the alarm or take action on the alarm. If “Take Action on Alarm” is checked, the User Defined Action Upon Alarm is executed. User Defined Action Upon Alarm. - Enter the name of the applicatio...
Report Wizard Issue 4 May 2005 271 The first Report wizard screen allows you to specify the objects you wish to include in the report. The available objects include: ● IP Group ● User ● User Group ● Device (security gateway) ● VPN To create a report using the report wizard: 1. Move to the Main Conso...
Monitoring your network 272 Avaya VPNmanager Configuration Guide Release 3.7 Generating the report When you are satisfied with the report selections made, click on the Finished button to generate the report. The report window appears after a short pause. If a hardcopy is desired, you may save the re...
Device diagnostics Issue 4 May 2005 273 Device diagnostics Beginning with VPNmanager 3.7, device specific diagnostic reports can be retrieved from a security gateway running VPNos 4.6 or higher. The device diagnostic capability allows the network administrator to run any of the available diagnostic r...
Issue 4 May 2005 275 Chapter 11: Device management From the VPNmanager Console, you can manage and check the status of the security gateways. This chapter describes: ● Using the Management tab to change administrative passwords and set up SSH and Telnet to connect to a security gateway ● Using the C...
Device management 276 Avaya VPNmanager Configuration Guide Release 3.7 Note: To restrict access to hosts or networks, Firewall rules limit access from specific zones. See Appendix B: Firewall rules template on page 297. To set up SSH or Telnet 1. Move to the Configuration Console window. 2. F...
Using the Connectivity tab Issue 4 May 2005 277 ● Root is the login name for the security gateway administrator. The root administrator has full privileges to configure and maintain a specific security gateway network and user configuration. ● Monitor is the login name for an administrator who can v...
Device management 278 Avaya VPNmanager Configuration Guide Release 3.7 Figure 85: The Connectivity tab for a security gateway Object Two methods for testing the connectivity of a security gateway are: ● Ping between the VPNmanager workstation and a security gateway ● Proxy ping, which has been initi...
Using the Device Actions tab Issue 4 May 2005 279 To directly ping a specific security gateway: 1. Move to the Configuration Console window. 2. From the Contents column, select the security gateway that you want to ping. 3. Click the Connectivity tab to bring it to the front. 4. Click Ping This Devi...
Device management 280 Avaya VPNmanager Configuration Guide Release 3.7 Figure 86: The Actions tab for a security gateway Object Update Configuration When changes are made to a Device Object, use the Update Configuration button to send the changes from the server to a specific security gateway. Reset...
Using the Device Actions tab Issue 4 May 2005 281 Re-setup Device Allows a complete re-setup of the security gateway. This is normally done when the security gateway object was created before the device existed in the network, or when the security gateway has been replaced with a new unit. Import Device Configuration You ...
Device management 282 Avaya VPNmanager Configuration Guide Release 3.7 To import configuration data for a device: 1. Select “Devices” on the Configuration window in VPNmanager. 2. Select the device from which configuration data will be imported. (If the device entry does not yet exist in VPNmanager,...
Using the Device Actions tab Issue 4 May 2005 283 100 Mbps, Full Duplex. - This option allows the VPNmanager to configure the security gateway’s Ethernet port speed to 100 Mbps in full duplex mode. In full duplex mode, the Ethernet port is capable of sending and receiving packets simultaneously over...
Device management 284 Avaya VPNmanager Configuration Guide Release 3.7 IPSec Engine Status - The IPSec Engine Status section shows the current state of the VSU-1200’s two packet processor engines (PPE). If either PPE fails, a FAILED status is displayed indicating which PPE failed. Both PPEs must be ...
Importing and exporting VPN configurations to a device Issue 4 May 2005 285 ● When creating an “alien Group,” which is a group that includes IP address/mask pairs residing within an importing administrator’s network, the exporting administrator associates each alien Group with an extranet device. In...
Issue 4 May 2005 287 Chapter 12: Upgrading firmware and licenses You can upgrade the VPNos firmware and license from the VPNmanager and set encryption strength and remote access for VSU100s. Centralized firmware management The VPNmanager centralized firmware management allows you to upgrade the firm...
Upgrading firmware and licenses 288 Avaya VPNmanager Configuration Guide Release 3.7 ● Upgrade Options. The upgrade options are: ● Skip devices that are up-to-date. This option is the default setting. Devices that are up-to-date will not display in the upgrade list. If a device should be downgraded, thi...
Device - Upgrade tab Issue 4 May 2005 289 Figure 87: Device Upgrade tab Upgrading a security gateway’s firmware Use the Upgrade Firmware button for upgrading the firmware of a specific security gateway. Before upgrading firmware from the VPNmanager, you must download the latest firmware from Avaya I...
Upgrading firmware and licenses 290 Avaya VPNmanager Configuration Guide Release 3.7 6. Double-click the firmware zip file to begin extracting the VPNos image. The Password screen appears. 7. Enter the password from technical support. 8. Go to the VPNmanager Console, then move to the Configuration C...
Device - Upgrade tab Issue 4 May 2005 291 Use the License button to upload the licenses from the VPNmanager Console. Once you have received the license file from your sales representative, upload the license file to the security gateway as follows: 1. Save the license file to a directory on the comp...
Issue 4 May 2005 293 Appendix A: Using SSL with Directory Server As an added benefit, all communications with the Directory Server can be secured by SSL (Secure Sockets Layer). In order to enable SSL, a Public Key Infrastructure (PKI) is used for creating a signed certificate and an issuer’s certifi...
Using SSL with Directory Server 294 Avaya VPNmanager Configuration Guide Release 3.7 Installing the issuer’s certificate in the policy server and the VPNmanager Console Installing an Issuer’s Certificate into VPNmanager Console is done from the command line. The same Issuer’s Certificate that was ins...
Installing the Issuer’s Certificate into a security gateway Issue 4 May 2005 295 Solaris OS Computers To install a certificate in VPNmanager Console: 1. Copy the certificate to the opt/Avaya/VPNmanager/Console directory. 2. Open a Console window. 3. Move to the opt/Avaya/VPNmanager/Console directory...
Issue 4 May 2005 297 Appendix B: Firewall rules template General The security gateway contains a powerful multi-layer inspection engine to provide extensive filtering capabilities, essential for a full-time connection to the Internet. You can configure your own rules, but, as a convenience in settin...
Firewall rules template 298 Avaya VPNmanager Configuration Guide Release 3.7 Medium Security. - Selecting medium security enforces the same security policy as high security for all zones except the semi-private zone. The semi-private zone with medium security is trusted the same as the private zone....
Public zone firewall templates Issue 4 May 2005 299 ● DNS from any IP to any ● Common services originating from all internal networks, private, DMZ, management and semi-private. All other outgoing traffic is blocked. The medium security policy for the public zone is the same as that of the high secu...
Firewall rules template 302 Avaya VPNmanager Configuration Guide Release 3.7 Table 32: Public low security firewall rules Rule Name Action Source Destination Service Direction Interface Keep State InBoundPublicAccess Permit Any PublicIP IKE_IN, IPSEC_NAT_T_IN, AH/ESP, ICMPDestUnreach In Public no InBound...
Private zone firewall templates Issue 4 May 2005 303 Private zone firewall templates The private network interface provides connection to the private/corporate LAN. Private zones are considered trusted networks, and because of this most traffic is allowed. The private high security rules are enforced...
Firewall rules template 304 Avaya VPNmanager Configuration Guide Release 3.7 The private medium security rules and the low security rules are the same as the private high security rules. Table 34: Private high security firewall rules Rule Name Action Source Destination Service Direction Zone Keep St...
Semi-private zone firewall templates Issue 4 May 2005 305 Semi-private zone firewall templates A semi-private network interface provides connection to a network whose equipment can be made physically secure, but whose medium is vulnerable to attack (such as a Wireless network used within a corporati...
Firewall rules template 306 Avaya VPNmanager Configuration Guide Release 3.7 ● The destination is Public and the services are FTP, SSH, Telnet, HTTP, HTTPS, POP3, IMAP, or ICMPechorequest. All other incoming traffic is blocked. Outgoing traffic to the semi-private zone that is allowed includes ● Any...
Semi-private zone firewall templates Issue 4 May 2005 307 OutBoundSemiPrivateVPNAccess Permit SemiPrivateIP, PublicIP Any IKE_OUT, IPSEC_NAT_T_OUT, AH, ESP, ICMPDestUnreach Out SemiPrivate No Permit outgoing VPN traffic. OutBoundSemiPrivatePermitAll Permit Any Any Any Out SemiPrivate Yes Permit everything wit...
Firewall rules template 308 Avaya VPNmanager Configuration Guide Release 3.7 Table 39: Semi-private low security firewall rules Rule Name Action Source Destination Service Direction Zone Keep State Description InBoundSemiPrivateDenyAccess Deny Any ManagementNet Any In Semi Private No Traffic to Mana...
DMZ zone firewall templates Issue 4 May 2005 309 DMZ zone firewall templates The Demilitarized Zone (DMZ) network interface is typically used to allow Internet users access to some corporate services without compromising the private network where sensitive information is stored. For all the services...
Firewall rules template 310 Avaya VPNmanager Configuration Guide Release 3.7 OutBoundDMZAccess Permit Any DMZNet ICMPECHOREQUEST, SSH/TELNET, FTP-CTRL, PASSIVEFTP, HTTP/HTTPS, DNS-TCP/DNS-UDP, NETBIOS-NS-TCP/UDP, NETBIOS-DGM-TCP/UDP, NETBIOS-SSN-TCP/UDP, POP3/IMAP/SMTP, NNTP Out DMZ Yes Permit outgoing traffic with com...
Management zone security Issue 4 May 2005 311 Management zone security The Management interface connection can be configured to simplify network deployments by eliminating enterprise network dependencies on switches or routers. The Management zone is a trusted network similar to the Private zone. Outgoing...
Firewall rules template 312 Avaya VPNmanager Configuration Guide Release 3.7 The CNA template can be combined with any other preconfigured firewall template security level - high, medium, low, or none. Table 44: Converged network analyzer firewall rules Rule Name Action Source Destination Service Di...
Issue 4 May 2005 313 Glossary A Aggressive mode An IKE mechanism used in the first phase of establishing a security association. Aggressive mode accomplishes the same authentication negotiating goal between clients as Main mode but faster (three packets versus six). AH/ESP In an IPSec packet, the Au...
Certificate Authority 314 Avaya VPNmanager Configuration Guide Release 3.7 Certificate Authority A trusted company or organization that serves as a repository of digital certificates. Once a CA accepts your public key (with some other proof of identity), others can then request verification of your ...
Issue 4 May 2005 319 Index Numerical 3DES . . . . . . . . . . . . . . . . . . . . . . . 142 A Access Control List (ACL), using the . . . . . . . . 190 ACE/Server AccessManager . . . . . . . . . . . . 126 action tab, device . . . . . . . . . . . . . . . . . 279 Active VPN Sessions . . . . . . ....