Using IPSecurity with Support Tools
Optionally, you can use IPSecurity to secure communication between the Support Tools Server
and Support Tools Nodes. Authentication occurs at the Node when the Support Tools Server
makes a request. As such, an IPSec-secured Support Tools Server can make requests to an
unsecured Node, but a secured node will not accept requests from an unsecured server.
The Support Tools Server uses a client-policy with a filter that requests security. The Support
Tools Node uses a client-policy that requires security. The filter does not monitor one-to-one
connections. Instead, the filter monitors all incoming IP traffic that uses the default Support
Tools TCP Port (39100). The Support Tools Server, by requesting but not requiring IPSEC
from each Node, does not deny traffic from a Node that is unable to use IPSEC.
Support Tools uses the ESP protocol (Encapsulating Security Payload) for authentication but
does not use encryption. ESP is used for authentication instead of the AH protocol (Authentication
Header) because ESP, unlike AH, can traverse NAT.
Support Tools uses SHA1 for the integrity algorithm in ESP. The policy uses preshared keys.
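The following is an added example, not the policy that the Support Tools installer creates, showing how the two policies described above could be built by hand with the Windows Server 2003 `netsh ipsec static` context so that an administrator can compare them against an installed machine. The policy, filter-list and filter-action names and the `CHANGE-ME` key are placeholders; mapping "request security" to `soft=yes inpass=yes` and "require security" to `soft=no inpass=no` is this example's assumption.

```powershell
# Added example (not Support Tools' own policy): build an ESP/SHA1, no-encryption,
# preshared-key IPSec policy for the Support Tools port 39100 on Windows Server 2003.
# Run in an elevated prompt. $Role is "Server" (request security) or "Node" (require security).
param(
    [ValidateSet("Server", "Node")] [string] $Role = "Node",
    [string] $PresharedKey = "CHANGE-ME"   # placeholder; must match on Server and Nodes
)

$policy     = "Example-SupportTools-$Role"   # hypothetical names, not the installer's
$filterList = "Example-SupportTools-TCP39100"
$action     = "Example-SupportTools-$Role-Action"

# Filter: every inbound TCP connection to local port 39100 from any address, mirrored
# so the reply direction is covered too. This is the "all incoming IP traffic on the
# default Support Tools TCP port" behaviour, not a one-to-one filter.
netsh ipsec static add policy name="$policy" description="Example Support Tools IPSec policy"
netsh ipsec static add filterlist name="$filterList"
netsh ipsec static add filter filterlist="$filterList" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=39100 mirrored=yes

# ESP with no confidentiality (None) and SHA1 integrity, as the page describes.
if ($Role -eq "Server") {
    # Request: fall back to clear text (soft SA) and pass unsecured inbound traffic,
    # so a Node that cannot do IPSec is not denied.
    netsh ipsec static add filteraction name="$action" action=negotiate qmsecmethods="ESP[None,SHA1]" inpass=yes soft=yes
} else {
    # Require: no soft SA and no unsecured inbound traffic, so an unsecured Server is refused.
    netsh ipsec static add filteraction name="$action" action=negotiate qmsecmethods="ESP[None,SHA1]" inpass=no soft=no
}

# Rule ties filter list and action together and sets preshared-key authentication.
netsh ipsec static add rule name="$policy-Rule" policy="$policy" filterlist="$filterList" filteraction="$action" psk="$PresharedKey"

# Assign the policy, then display it to verify port, security methods and auth type.
netsh ipsec static set policy name="$policy" assign=y
netsh ipsec static show policy name="$policy" level=verbose
```

Running with `-Role Server` on one machine and `-Role Node` on another with the same key gives the asymmetry the page describes: the Server still reaches an unsecured Node, but the Node refuses an unsecured Server.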

Automated IPSec Implementation

On Windows 2003 Server machines, Support Tools gives you the option of using an automated
implementation of IPSec.
Support Tools implements IPSec as follows:
You specify the IPSec preshared authentication key to use during Support Tools Server and
Node installation. Keys are case-sensitive and limited to 256 characters. Any character except
single quotation marks, double quotation marks, backslash, and pipe can be used.
Note: For Cisco Unified products that include a bundled install of the Support Tools Node
(e.g., CVP 4.0), leaving the IP Shared Key value unspecified during installation may cause
Support Tools to install disabled. When this occurs, to enable the node you must manually
start the Node Agent Service on the target machine.
During installation, Support Tools prompts for a preshared key only when a security policy
can be created and assigned. Support Tools creates a security policy subject to these
conditions:
If a Cisco policy already exists on the target machine (whether assigned or not), Support
Tools will not create a new policy.
If a non-Cisco policy already exists on the target machine and is assigned, Support Tools
will not create or assign a Cisco policy.
Cisco Support Tools User Guide for Cisco Unified Software Release 2.1(1)
Chapter 6: About Support Tools Security