VPNmanager® Configuration Guide
Release 3.7
670-100-600
Issue 4
May 2005
Contents
Preface
What Products are Covered
VPNmanager Overview
Network-wide Visibility and Control
Intranet and Extranet Support
Secure VPN Configuration
No Special Consoles Required
Complementary to SNMP Management Tools
Related Documentation
How This Book Is Organized
Contacting Technical Support
Chapter 1: Overview of implementation
Components of the Avaya security solution
Security gateways
VPNremote Client software
VPNmanager software
Overview of the VPN management hierarchy
Preparing to configure your network
Security gateway
Static Routes
IP groups
Remote users and user groups
VPN
Security policies
Firewall policies
Denial of Service
QoS
VoIP
Additional features
NAT
SNMP
Syslog
Client IP address pooling
Sequence to configure your VPN
Chapter 2: Using VPNmanager
About VPNmanager administrators
Role Based Management
To add an administrator
To configure an administrator to be an SNMPv3 admin
Log into the VPNmanager console
Add a policy server
Open Domain
Navigating the main window
File menu
Edit menu
View menu
Tools menu
Help menu
Toolbar
VPN view pane
Network Diagram View
Alarm monitoring pane
Configuration Console window
Configuration Console Menu bar
File menu
Edit menu
View menu
Tools menu
Toolbar
Contents pane
Details pane
Update Devices
Preferences
Dyna Policy Defaults (User)
Dyna Policy Defaults (Global)
Dyna Policy Authentication
Alarm/Monitoring
TEP Policy
Chapter 3: Setting up the network
New VPN Domain
To create a new domain:
Configuring a security gateway
Creating a new security gateway
To create a new security gateway:
Using Device tabs to configure the security gateway
To create a memo:
DNS tab
Configuring the DNS tab for security gateways at 4.3 or later
To add a DNS Relay
To add a static DNS server
Configuring the DNS tab for VSU at VPNos 4.2 or earlier
To add a DNS server address
To edit an existing server address:
To delete a DNS server address:
Interfaces tab
Options for IP addressing for interface zones
Static addressing
DHCP addressing
Point-to-Point Protocol Over Ethernet (PPPoE) Client
Local DHCP Server
DHCP Relay
Static
Changing network interfaces
To change the media interface configuration:
To add an IP device to the security gateway:
To add an IP telephony device to the security gateway:
Private port tab
Adding an IP Device Configuration
To add an IP Device:
DHCP Relay
None
Device users tab
To add a device account user:
Network Object tab
Routing
To build a routing table using the default gateway:
Default Gateway for VPN Traffic (VPNos 3.X)
To build a RIP table:
Policies tab, NAT services
About NAT types for VPNos 4.31
Priority of NAT types
Configuring NAT (VPNos 4.31)
To add a NAT rule (VPNos 4.31)
To edit a NAT rule
To delete a NAT rule
About NAT types for VPNos 3.X
NAT applications
Accessing the Internet from private networks
Setting up VPN with overlapping private addresses
Using NAT to support multiple gateway configurations
Interface for VPNos 4.2
Add NAT Rule (VPNos 4.2 or earlier)
Original
To configure a NAT rule:
Tunnel NAT rules
To add a tunnel NAT rule:
Chapter 4: Configuring IP Groups
About IP Groups
Creating a New IP Group
To create a new IP Group:
New IP Group
IP Group - General tab
Add IP Group member
Configuring an IP Group
To configure an IP Group that communicates within its own VPN domain:
Configuring an IP Group that connects to an extranet
To configure an IP Group that is associated with an extranet:
Delete
Chapter 5: Configuring remote access users
Default client configuration
Using dyna-policy
Configuring a global dyna-policy
Dyna-Policy Defaults (User) tab
VPN configuration files on the remote user's computer
Disable split tunneling
Dyna-Policy Defaults (Global) tab
Local authentication
RADIUS authentication
LDAP authentication
Dynamic VPNs (VPNos 3.x)
Remote Client tab
Client DNS resolution redirection
Remote Client inactivity connection time-out (VPNos 3.x)
Send Syslog messages...
Configure a default CCD with global dyna-policy
Creating new user object
Default user
To create a new user object:
About creating individual dynamic-policy
User - General tab
Dyna-Policy tab
Actions tab
Configuring a remote user object
Information for VPNremote Client users
Using local authentication
Using RADIUS authentication (VPNos 3.X and VPNos 4.31)
Using LDAP authentication (VPNos 3.X only)
Using Policy Manager for user configuration
Client IP address pool configuration
Add Client IP address pool
Add Client DNS
Add Client WINS
To configure the Client IP configuration
Configuring client attributes
Creating a message
Enforce brand name
RADIUS/ACE Services
Enable RADIUS/ACE
Settings
RADIUS concepts
The RADIUS protocol
Add (RADIUS/ACE server)
Authenticating (secret) password
RADIUS server data
To add a RADIUS server:
Chapter 6: Configuring user groups
New user group
To create a user group:
User Group - General tab
User Group - Memo tab
User Group - Actions tab
Configuring a user group
To configure a user group:
Chapter 7: Configuring VPN objects
Types of VPN objects
SKIP VPNs
IKE VPNs
VPN packet processing modes
Default VPN policy
Creating a new VPN object
To create a new VPN object:
Creating a default VPN
To create a default VPN within a selected domain:
Creating a designated VPN
To set up a designated VPN within a selected domain, perform the following steps:
Using the VPN tabs
General tab with IKE
General tab with SKIP
Members-Users tab
Members-IP Groups tab
Security (IKE) tab
Pre-Shared Secret
Security (IPSec)
IPSec Proposals
Add IPSec proposal
Actions tab
VPN configuration
Export
Rekey site-to-site VPN
Rekey
Advanced VPN tab
Configuring a SKIP VPN
To configure a new SKIP VPN object:
Configuring an IKE VPN
To configure a new IKE VPN Object:
Enabling CRL checking
To remove the CRL from the VSU:
Exporting a VPN object to an extranet
Figure 51: Exporting a VPN Object to an Extranet
VPN Object export checklist
Export procedure
To export a VPN Object:
Importing a VPN object from an extranet
To import a VPN Object data file:
Rekeying a VPN object
To rekey a SKIP VPN Object:
Chapter 8: Establishing security
Firewall rules set up
Levels of firewall policy management
Firewall rules
Domain level firewall rules
To create domain level firewall rules:
Device level firewall rules
To create device level firewall rules:
Priority of Firewall rules versus NAT rules
Setting up firewall rules for FTP
FTP and Firewall/NAT Operation
Security Gateways and FTP
To add a new firewall rule for FTP-control or passive FTP
To add a new firewall rule for active FTP
Firewall templates
Predefined templates
User defined templates
To create a user-defined firewall template:
Services
Device Group
To create a device group object:
Denial of Service
To select or deselect DOS categories
Voice Over IP
Using the IP Trunking Call Model
Using the LRQ Required checkbox of the IP Trunking Call Model
To enable VoIP and add IP Trunking:
Using the Gatekeeper Routed Call Model
Add gatekeeper settings
To enable VoIP and add gatekeeper settings
QoS policy and QoS mapping
QoS Policy
To add a QoS policy
QoS mapping
Mapping QoS policies
Packet Filtering
What can be filtered
Packet Filtering and NAT
Advanced
Permit/Deny non-VPN traffic Radio Buttons
Add Packet Filtering Policy
From/Where
To Where
The Filtering Policy in progress
Locating this filtering policy
The filtering policy in progress
Running the packet filtering policy wizard
Running the Policy Manager for packet filtering
Starting and stopping filtering services
To start or stop filtering services:
Managing the ACL
To edit, change the sequence, or delete a filtering policy:
Configuring advanced filtering options
To configure advanced filtering options:
Marking packets for differentiated services (QoS)
About Differentiated Services
How a VSU marks packets
Types of marking rules
How to create a packet marking rule
To create a packet marking rule:
Packet filtering firewall
To use the firewall policy management:
Add firewall policy
To add a firewall policy:
Chapter 9: Using advanced features
Device Advanced
ARP
you would then want to:
Path MTU Discovery
To configure the Path MTU Discovery:
NAT Traversal
Port for dyna-policy download
To change the port number:
Port for Secure Authentication
Private IP Address (VPNos 3.x)
To add a private IP address:
Send Device Names
To select a VSU name distribution method:
SuperUser Password (VPNos 3.x)
Tunnel Persistence
TEP Policy
Servers
Add servers
To create a backup server:
Managing the server list
To edit, change the sequence, or delete a backup server:
Resilient Tunnel
Tunnel Switching
Creating a resilient tunnel
Add resilient tunnel
Prerequisites
To create a resilient tunnel:
Managing the resilient tunnel list
To edit, change the sequence, or delete a filtering policy:
Stopping and starting resilient tunnel services
Primary end-point service
To stop or start resilient tunnel services for a primary end-point:
Secondary end-point service
To stop or start resilient tunnel services for a secondary end-point:
Failover TEP
Configuring failover TEP
To configure failover TEP:
Advanced Action
Switch Flash
Reset password
Disable FIPS
High Availability
To configure the security gateway to deny all non-VPN traffic through the VPNmanager:
Virtual addresses
Advanced parameters
Members
Configuring high availability
Creating a High Availability Group
Use the following procedure to create High Availability (HA) groups:
Updating a high availability group using Update Device
To update HA VSUs:
Deleting a high availability group
Use the following procedure to delete High Availability (HA) groups:
Failover
The configuration is as follows:
To configure failover:
Failover reconnect
To set up failover reconnect:
Converged Network Analyzer Test Plug
Keep Alive
To configure keep alive:
Policy Manager - My Certificates
About VSU certificates
Creating and Installing a Signed Certificate
To install a signed certificate into a VSU:
Switching certificates used by VPNmanager Console
To switch certificates:
Issuer certificates
About Issuer Certificates
Installing an issuer certificate
To install an Issuer Certificate into a VSU (target):
IKE Certificate Usage
About Certificate Usage (Exchange)
Assigning a Target for a Certificate
To assign a target for a certificate:
Chapter 10: Monitoring your network
Using SNMP to monitor the device
To add SNMP trap targets
To delete SNMP trap targets
Adding Admin Users for SNMPv3
Configuring SNMP for a security gateway
VPN active sessions
Syslog Services
Add Syslog Policy
To run Syslog services:
Using Monitor
Enterprise MIB
Monitoring wizard
Define Custom
Monitoring wizard (Presentation)
Presentation
Monitoring alarms
Alarm Types
Report Wizard
To create a report using the report wizard:
Device diagnostics
Chapter 11: Device management
Using the Management tab
Setting Up SSH and Telnet
To set up SSH or Telnet
Changing device administrator passwords
To reset the passwords
Using the Connectivity tab
Check connectivity by ping
To directly ping a specific security gateway:
Check Connectivity by Proxy Ping
To proxy ping a specific security gateway:
Using the Device Actions tab
Re-setup Device
Import Device Configuration
To import configuration data for a device:
Ethernet Speed
Redundancy
Network Interface Status
Switching
Importing and exporting VPN configurations to a device
Export VPN
Exporting RADIUS
Chapter 12: Upgrading firmware and licenses
Centralized firmware management
To upgrade the firmware using centralized firmware management:
Device - Upgrade tab
Upgrading a security gateway's firmware
To upgrade a security gateway's firmware:
License
Encryption Strength
Remote Access (VSU-100 Only)
Appendix A: Using SSL with Directory Server
When to Configure your VPNmanager for SSL
Installing the issuer's certificate in the policy server and the VPNmanager Console
Windows NT and Windows 2000 Computers
To install a certificate in VPNmanager Console:
To view all the installed issuer's certificates:
To delete an installed issuer's certificate:
Installing the Issuer's Certificate into a security gateway
To install the issuer's certificate into a security gateway:
Appendix B: Firewall rules template
General
Public zone firewall templates
Issue 4 May 2005 299
Table 31: Public high and medium security firewall rules (continued)
Table 32: Public low security firewall rules
Table 33: Public VPN-only firewall rules
Private zone firewall templates
Table 35: Private medium security firewall rules
Semi-private zone firewall templates
Table 37: Semi-private high security firewall rules
Table 38: Semi-private medium security firewall rules
Table 37: Semi-private high security firewall rules (continued)
Table 39: Semi-private low security firewall rules
Table 40: Semi-private VPN-only security firewall rules
DMZ zone firewall templates
Table 41: DMZ high and medium security firewall rules (continued)
Table 42: DMZ low security firewall rules
Management zone security
Converged Network Analyzer template
Glossary
A
B
C
D
E
F
H
L
M
N
O
P
R
S
Syslog
T
U
V
Index
Numerical
A
B
C
D
E
F
G
H
I
K
L
M
N
P
Q
R
S
T
U
V
W
X
Z