CA Certiﬁcates | HP VCX Software manual

Chapter 6. Basic Conﬁguration

Organization

The name of the organization/company owning the Telecommuting Module.

Organizational Unit

The department using the Telecommuting Module.

Serial number

If you generate more than one certiﬁcate with the same information, and you want to give them separate names and treat them as different certiﬁcates, you need to give them different serial number. Enter a serial number for this certiﬁcate here.

Challenge password

Enter a password. This will be used only when revoking a signed certiﬁcate.

Create a self-signed X.509 certiﬁcate

By entering the requested information above and pressing this button, you can create a cer- tiﬁcate that isn’t signed by any certiﬁcate authority (CA). Self-signed certiﬁcates are for free, while certiﬁcates signed by an ofﬁcial CA normally are not. Certiﬁcates signed by CAs are automatically accepted by web browsers, while you have to accept self-signed certiﬁcates manually when using them in your web browser.

Create an X.509 certiﬁcate request

When pressing this button, you make a certiﬁcate request which can be sent to a certiﬁcate authority for signing. The request is downloaded under View/Download on the certiﬁcate page. The signed certiﬁcate is uploaded under Import.

Abort

Press the Abort button to return to the Certiﬁcates page without creating a new certiﬁcate or certiﬁcate request.

CA Certiﬁcates

Here, you upload CA certiﬁcates and CRLs (Certiﬁcate Revocation Lists).

The CAs are used to authenticate peers using IPsec VPN or TLS. Upload one or more CA certiﬁcates here, and then select which CAs to trust for each function in the Telecommuting Module.

CRLs are used to let the Telecommuting Module know that some of the certiﬁcates signed by a certain CA should not be accepted. This could be useful when laptops with certiﬁcates are stolen. See instructions for your CA on how to make a CRL.

97

Image 105

HP VCX Software manual CA Certiﬁcates

Contents

Version 3Com Telecommuting ModulePage United States Government Legend Page Table of Contents Page Part I. Introduction to 3Com VCX IP Telecommuting Module Page What is a Telecommuting Module? Introduction to 3Com VCX IP Telecommuting ModuleConﬁguration alternatives DMZ/LAN Conﬁguration DMZ Conﬁguration Standalone Conﬁguration Quick guide to 3Com VCX IP Telecommuting Module installation Introduction to 3Com VCX IP Telecommuting Module About settings in 3Com VCX IP Telecommuting Module Introduction to 3Com VCX IP Telecommuting Module Installation Installing 3Com VCX IP Telecommuting ModuleInstallation with magic ping Installation with a serial cablePage Page Page Page Installation with a diskette Page Page Remember to lock up the Telecommuting Module Turning off a Telecommuting Module Installing 3Com VCX IP Telecommuting Module Conﬁguring 3Com VCX IP Telecommuting Module Logging onLog on again Navigation Log outSite Map SIP Services AdministrationBasic Conﬁguration Network Conﬁguration Overview of conﬁguration Quality of ServiceFailover Virtual Private Networks Preliminary and permanent conﬁguration Page Mask/Bits IP address No. of computers Mask Bits Name queries in 3Com VCX IP Telecommuting ModulePage Conﬁguring 3Com VCX IP Telecommuting Module Part II. How To Page How To Conﬁgure SIP DMZ Telecommuting Module, SIP server on the WANNetworks and Computers Surroundings Interoperability Basic Settings Routing Filtering Save/Load Conﬁguration DMZ Telecommuting Module, SIP server on the LAN Networks and Computers Basic Settings Routing Standalone Telecommuting Module, SIP server on the WAN Basic Settings Filtering Standalone Telecommuting Module, SIP server on the LAN Client Settings Basic Settings Interoperability DMZ/LAN Telecommuting Module, SIP server on the WAN Basic Settings Filtering DMZ/LAN Telecommuting Module, SIP server on the LAN Interoperability Filtering LAN Telecommuting Module Surroundings Filtering Remote SIP Connectivity Firewall How To Conﬁgure SIP Outgoing Calls How To Conﬁgure Advanced SIP Show One Number When Calling Show Different Numbers When Calling Incoming Calls Page Authentication by Accounts a.k.a SIP Trunk via SIP accounts Page Page Page Incoming Calls Page Multiple Operators Least Cost Routing Page Multiple PBXs How To Conﬁgure Advanced SIP How To Conﬁgure Advanced SIP Page Page Page Page Basic Conﬁguration Basic ConﬁgurationGeneral Name of this Telecommuting Module Default domain IP Policy DNS ServersPolicy For Ping To Your 3Com VCX IP Telecommuting Module Cancel Access ControlSave Look up all IP addresses again User Authentication For Web Interface Access Conﬁguration Allowed Via InterfaceConﬁguration Transport Conﬁguration via Https Conﬁguration via Http Conﬁguration Computers Conﬁguration via SSHDNS Name Or Network Address Netmask/Bits Network addressRange Via IPsec Peer Radius Radius server Radius ServersPort Secret Identiﬁer Contact IP AddressStatus for Radius Servers Sent requests ScoreReceived replies Consecutive sends Value Conﬁguration of a Radius server Telecommuting Module IP address to respond to Snmp requests Snmp v1 and v2cContact person Node location Access via SNMPv3 Access via SNMPv1 and SNMPv2cSnmp Community Authentication PasswordSnmp Traps User Trap sending function Resource MonitoringTrap receiver Version SIP Sessions Trap Levels Download the 3Com MIBSIP User Registrations Trap Levels CPU Load Trap Levels DynDNS service Dynamic DNS updateDynDNS General Conﬁguration Use DynDNS User, Smtp Server IP address for updatesWildcard hostnames Ofﬂine URL redirection Username Smtp server is backup DNS Names to Update at DynDNSSmtp server DNS Name Private Certiﬁcates CertiﬁcatesName Certiﬁcate Create certiﬁcate or certiﬁcate request CA Certiﬁcates Timeouts AdvancedCA Certiﬁcate Timeout for two-way UDP connections Timeout for one-way UDP connectionsTimeout for established TCP connections Timeout for Icmp connections DMZ/LAN Conﬁguration Telecommuting Module Type conﬁguration Current Telecommuting Module TypeChange Telecommuting Module Type to Change type Duration of limited test mode AdministrationSave/Load Conﬁguration Test Preliminary Conﬁguration Backup Show Message About Unapplied ChangesApply conﬁguration Save/Load CLI Command File Revert to Old Conﬁgurations Show ConﬁgurationAbort All Edits Reload Factory Conﬁguration User Administration Password For the ’admin’ AccountOld password Change administration password New password, Conﬁrm passwordOther Accounts Account Type Currently Logged In Administrators Upgrade UpgradeLog Out Step Accept upgrade Try the upgradeAbort upgrade Table Look Edit Column Change Time Zone Date and Time Date Change Date and Time ManuallyTime Set date and time manually NTP Servers To Use If NTP Is Enabled Change Date and Time With NTPSynchronize time with NTP Restart Reboot Your 3Com VCX IP Telecommuting ModuleRestart the SIP Module Automatic Restart of the SIP Module Administration Administration 118 Networks and Computers Network Conﬁguration Name SubgroupLower Limit Interface/VLAN Upper LimitDelete Row Create Main Default Gateways Default GatewayPriority Interface Gateway Reference Hosts Policy For Packets From Unused Gateways Interface Network Interface 1 Physical deviceInterface name Obtain IP Address Dynamically Directly Connected Networks Broadcast address AliasVlan Id Vlan Name Static Routing Router Routed network Named VLANs Vlan Interface Status Interface Status PPPoE Client Status Dhcp Client Status Authentication PPPoEKeep Alive Surroundings LCP echo-request intervalLog class for PPPoE negotiations Data Interfaces NetworkAdditional Negotiators Select a data interface here Network Conﬁguration 136 Display Log LoggingSearch the Log Display log Packet Selection Support Report IP Address Selection Packet Type SelectionProtocol/Port Selection All IP protocols Icmp Call-ID SIP Packet SelectionSIP Methods IP addresses Time Limits Show This Export the LogShow newest at top Clear form Log RST Display Load Time Period Packet LoadDirection Unit Value Diagram Size DiagramDiagram Heading View diagram Log class for non-SIP packets Inbound TrafﬁcLog class for spoofed packets Log class for broadcast packets Log class for Radius errors Log class for email errorsLog class for Snmp errors Log class for Dhcp requests Log class for IPsec key negotiations VPN EventsLog class for IPsec key negotiation debug messages Log class for ESP packets SIP Events Other Log Classes Email AddressLocal Log Syslog Log Sending Smtp Server Status for Outbound EmailSyslog Servers Reverts the ﬁelds to the previous conﬁguration 157 Logging 158 Administration of SIP SIP ServicesBasic Settings SIP Module Provisioning Relay Additional SIP Signaling PortsTransport Comment SIP Media Port Range Public IP address for NATed Telecommuting ModuleSIP Servers To Monitor Server SIP Logging Log class for SIP signaling Interoperability Loose RoutingRelaxed Refer-To Translation Exceptions Remove Via HeadersSIP Server Except this from translation Expires Header Force TranslationAlways Translate This URI Encoding Signaling Order of Re-INVITEs Loose Username CheckUser Matching Transmit RTP/AVP With sdescriptions Accept RTP/AVP With sdescriptionsForce Record-Route for Outbound Requests Force Record-Route for All Requests Accept TCP Marked As TLS Force Remote TLS Connection Reuse Remove Headers in 180 Responses Allow Large UDP Packets Forward Cancel Body Use Cancel Body In ACKPreserve RFC 2543 Hold Allow RFC 2069 Authentication Open Port 6891 For File TransferConvert Escaped Whitespaces in URIs Keep User-Agent Header When Acting as B2BUA Strip ICE AttributesPorts and the maddr Attribute Timeout for SIP over TCP/TLS Session timerSessions and Media Session Conﬁguration Media Conﬁguration Allowed number of concurrent sessionsLimitation of sender of media streams Limitation of RTP Codecs Type CodecsName This Codec Is Allowed Music on Hold Redirection Local RingbackLocal Ringback Played at Call Transfer Ring Tone for Local Ringback Maximum timeout for Invite requests Default timeout for Invite requestsRequests SIP blacklist interval Remote SIP Connectivity Base retransmission timeout for SIP requestsMaximum number of retransmissions for Invite requests Maximum number of retransmissions for non-INVITE requests Stun server Stun ServerStun server IP addresses Stun ports Remote NAT Traversal Remote Clients Signaling ForwardingRemote NAT traversal IP Address for Remote Clients NAT timeout for TCP NAT timeout for UDPForward Signaling from IP Address NAT keepalive method SIP Methods SIP Trafﬁc Trafﬁc To MethodAllow Auth Sender IP Filter Rules FilteringFrom Network Action Default Policy For SIP Requests Content TypesContent Type Allow Header Filter Rules Default Header Filter Policy Local RegistrarLocal SIP Domains Domain Local SIP User Database Authentication and Accounting Authentication NameRegister From SIP User Database Authentication settings Use P-Asserted-Identity Asserted-IdentityTrusted Domains Network Radius Accounting Dial PlanUse Dial Plan Emergency Number Reg Expr Matching From Header Preﬁx Matching Request-URIHead Tail Min. Tail Forward To Subno Replacement URI Dial Plan Forward To Request-URIAdd Preﬁx Enum Root Methods in Dial Plan MethodRegister in Dial Plan Enum Root Routing DNS Override For SIP Requests SIP Routing Order WeightRelay To Port Routing Function Class 3xx Message Processing Requests To User Static RegistrationsAlso Forward To User Always handle Refer locally Local Refer HandlingFor clients not supporting Refer Sip/sips For dialogs with speciﬁed From URI For clients not supporting replacesFor dialogs with speciﬁed User-Agent header From URIs For Which Refer is Handled Locally User Routing AliasRestrict Incoming Callers Forward Send To Voice MailAction Voice Mail Server From Domain Outbound ProxyRequest-URI Domain Domain or IP Address Gateway Tel URIs Registrar and Session Status Active SessionsMonitored SIP Servers Monitored SIP server Registered UsersMonitored SIP server status Registered from Packet Capture ToolsNetwork Interface Selection IP Address Selection Tools Any Icmp Collect data Check NetworkCheck Network Test ResultsPage Tools 222 DMZ type Firewall and Client ConﬁgurationSIP over UDP SIP over TCP/TLS SIP clients DMZ/LAN type Standalone type SIP clients Part IV Com VCX IP Telecommuting Module Serial Console Page Basic Administration Connecting to the serial consoleMain Menu Command line interface Set passwordExit admin Wipe email logs Deactivate other interfaces Physical device name Conﬁgure from multiple computers Conﬁgure from a single computer Password Wipe email logs Exit admin Set password Basic Administration 236 Command Line Reference Command ReferenceHelp and Troubleshooting Modifying Tables Load-factory List-tablesModify-row Revert-edits Table Deﬁnitions Conﬁg.allowconﬁg Conﬁg.allowviainterfaceConﬁg.authlogclass Conﬁg.httpservers Conﬁg.authenticationConﬁg.httpsservers Conﬁg.mgmtlogclass Fent.alwaysfent Failover.ifacerefhostsFentalwaysfentexceptions Fentalwaysfentinterfaces Field Name Field Type Explanation Enabled OnOffToggle Fent.mapsignaladdressFent.fentkeepalive Fent.mediarelease ﬁrewall.blindroutepolicy ﬁrewall.defaultpolicyﬁrewall.broadcastlogclass ﬁrewall.dhcplogclass ﬁrewall.networkgroups ﬁrewall.ownlogclassﬁrewall.pingpolicy ﬁrewall.policylogclass ﬁrewall.servicesﬁrewall.spooﬁnglogclass ﬁrewall.timeclasses Idsips.predeﬁnedipsrules Idsips.active Ipsec.cryptodef Idsips.ratelimitedipsIpsec.espproposals Ipsec.espahlogclass Ipsec.ikeproposals Ipsec.ikelogclassIpsec.ipsecnets Ipsec.nattkeepalive Ipsec.plutoverboselogclass Ipsec.plutologclassIpsec.radiusauthserver Field Name Field Type Ipsec.tunnelednets Ipsec.userauthlogclassIpsec.x509cacerts Ipsec.x509cert Misc.conntracktimeoutsMisc.dnsservers Misc.dyndns Misc.fversion Misc.dyndnsnameMisc.ntpservers Field Name Field Type Explanation DomainName Misc.unitname Monitor.cpuloadlevelalarmMisc.usentp Monitor.emailalertlogclass Monitor.radiuserrorslogclass Monitor.memorylevelalarmMonitor.hardwarelogclass Monitor.logclasses Monitor.siplevelalarms Monitor.snmpagentaddressMonitor.snmpagentlogclass Monitor.snmpmanagementstations Monitor.snmpcontactpersonMonitor.snmpnodelocation Monitor.snmppacketlogclass Monitor.snmpv3access Monitor.snmpv1v2caccessMonitor.snmptrapsending Monitor.snmpv1v2cauth Monitor.syslogservers Network.extradefaultgatewaysMonitor.watchdogs Network.aliasaddresses Network.interfaces Network.localnetsNetwork.pppoe Network.routes Network.routetestserversNetwork.vlans Field Name Field Type Explanation Server DnsIpAddress Pptp.pptpenable Password.adminusersPptp.grelogclass Pptp.pptplogclass Pptp.pptpusers Pptp.pptpserveripPptp.pptpneglogclass Field Name Field Type Explanation PPTPOwnIpReference Qos.classes Qos.bandwidths Qos.egressdefaultqueueing Qos.ingressdefaultqueueingQos.egressqueueing Qos.sipcac Qos.ingressqueueingQos.status Qos.tagging Sip.active Sip.acceleratedtlsSip.addexpireheader Sip.allowedcodecs Sip.authmethods Sip.defaultgatewaySip.b2buaofferfromtemplate Sip.codecﬁltering Sip.externradiusdb Sip.emergencySip.externalrelay Field Name Field Type Explanation DnsIpAddress Sip.ﬁxﬁletransferport Sip.forwardcancelbodySip.forcemodify Sip.forwardtoheader Sip.headerﬁlterrules Sip.headerﬁlterdefaultSip.ignoreuriportwhenmaddr Field Name Field Type Explanation Action Sipﬁlteractionsel Sip.lcscompanion Sip.largeudpSip.listen Sip.localdomains Sip.looseusernamecheck Sip.looserefertoSip.lrtrue Sip.mediaencryptionpolicy Sip.mediaencryptionsuite Sip.mediaencryptionsettingsSip.mediaports Field Name Field Type Explanation Portslower PortNumber Sip.mediarestriction Sip.mediatimeoutsSip.message Sip.mfull Sip.mimetypes Sip.optiontimeoutSip.monitorserver Sip.musiconhold Sip.outboundproxy Field Name Field Type Explanation Timeout OptionTimeoutSip.percent20towhitespace Sip.preserve2543hold Sip.recurseon3xxinb2bua Sip.radiusacctSip.registrarlimits Sip.relayrules Sip.replyconﬁg Sip.removeviaSip.rewritetoforregisterindp Sip.ringback Sip.routingorder Sip.routeusesportSip.rroutealways Sip.rrouteoutbound Sip.siperrorslogclass Sip.signaladdressfordestinationSip.sessionlimits Sip.sipalias Sip.siplicenselogclass Sip.sipsignalinglogclassSip.sipmedialogclass Sip.sipmessagelogclass Sip.sttype Sip.tcptimeoutSip.stripiceattributes Sip.surroundings Sip.tlscacerts Sip.tlssettingsSip.tlsclientcfg Sip.tlsservercfg Sip.trusteddomain Sip.transactionconﬁgSip.uriencoding Field Name Field Type Explanation Uriencodingsel Sipswitch.accounts Sip.usecancelbodyinackSipswitch.b2buatransferenable Sip.uaregister Sipswitch.dialplan Sipswitch.b2buatransferfromuserSipswitch.dialplanenable Field Name Field Type Explanation User AliasAlias Sipswitch.enumroot Sipswitch.dialplanmethodsSipswitch.forwardto Field Name Field Type Explanation Enabled Fallbacksel Sipswitch.requestfrom Sipswitch.incomingunauthSipswitch.requestto Field Name Field Type Explanation Url SipWildcardUrl Sipswitch.users Sipswitch.userrouting Userdb.radiuslocalendpoint Sipswitch.voicemailUserdb.radiusservers Voipsm.voipsm AdminTypeSel AdminPasswordField Types Voipsm.voipsmdomains AliasAlias AdminUserAliasIpReference AliasUser AuthData CertReference CaReferenceCryptoDefReference DepUsableVlanInterface DnsDynIpAddress DnsDynIpNetworkInterface DnsDynIpOtherHost DyndnsServiceSel DyndnsPasswordEnumReference EspCryptoReference FirewallLogclassReference InviteRetransmitCount InterfaceSelIpsRuleName IpsecAuthSel LogclassReference IsakmpSALifeMaxMessageSizeInteger MaxReg OnOffButton NonemptyStringOnOffToggle OnOffToggleOn OptComment OptDnsAutoRuntimeReachableHost OptDnsIpAddressOptDSCPInteger OptDepOwnIpReference OptIcmpRangeList OptForwardToReferenceOptIpsecNetReference OptIpsecPeerReference OptServicesReference OptPasswordOptPercent OptPercentFloat OptSipUserDomain OptionTimeoutOptString OptTimeclassReference RegTimeout PptpPasswordPPTPOwnIpReference Percent SipUserDomainDefaultAll SessionTimeoutSipUserPassword SIPRadiusSel TimerAFloat SnmpPasswordSipWildcardUrl SubGroup Accountvoicemailsel Accounttypesel Autonegsel AddexpireheaderselBlindsel Bypasstransportsel Dpactionsel ConﬁgauthselFallbacksel Fentkeepalivesel Fwtypesel FunctionselHitsnumber Mediaencryptionsuitesel Policysel PingpolicyselPqueuesel Qostypesel RegexpwithAt Rfc2782weightRestfuncsel Rfc2782priority Sipﬁlteractionsel SipauthdirselSipfunctionsel Sipsel Snmpv3authsel SnmptrapversionselSnmpv3privacysel Sttypesel Sysloglevelsel TlsclientmethodsTlsservermethods Trusteddomaintransportsel TlsconfselUriencodingsel Voipsmmethodsel CLI command examples Add and change ﬁrewall rulesWindownumber Apply a conﬁguration Part V. Appendices Page Why use SIP? Appendix A. More About SIPSIP Protocol Managing Your Own SIP Domain SIP and FirewallsConﬁguring the 3Com VCX IP Telecommuting Module Page Conﬁguring the PBX Conﬁguring the DNS ServerConﬁguring the SIP Clients SIP Sessions SIP in 3Com VCX IP Telecommuting ModuleEstablishing a SIP session Contact SIP Packet Headers Via Content-TypeRecord-Route Route Appendix A. More About SIP 328 Network troubleshooting Appendix B. TroubleshootingNo trafﬁc shown in the log Trafﬁc discarded as spoofed SIP users can’t register on the Telecommuting Module SIP troubleshootingSIP users can’t register through the Telecommuting Module SIP Trunking calls via SIP operator Call is established, but there is no voice Administration troubleshooting Log Messages SIP errorsSIP send failure -1 on socket -1 event number Destination IP addressport is known bad. Skipping Starting SIP TCP server at port IPsec key negotiationsStarting SIP UDP server at port Stopped SIP TCP server Conﬁguration server logins Name Port/protocol Description List of the most important reserved ports WWW Cmip Krcmd Kerberos encrypted remote shell -kfall Type Name List of Icmp types Icmp codes Type Name ReferenceIcmp type Name Code Description Unreachable for Type Protocol number Keyword Internet protocols and their numbers IP intervals Set bits Mask IP address class Class IP in- tervals Reserved IP addressesPage ARP Appendix D. Deﬁnitions of terms DMZ 349 Https NAT Nntp 353 PPP SIP Uucp 357 Appendix D. Deﬁnitions of terms 358 Software developed by Peter Åstrand Appendix E. License ConditionsBSD derived licenses Terms Software developed by Carnegie Mellon University Software developed by Cisco Systems Software developed by Gregory M Christy Software developed by Digital Equipment Corporation Software developed by Jason Downs Dhcp license Software developed by Brian Gladman GNU General Public License GPL Software developed by Google, IncVersion 2, June Preamble GNU General Public License 367 368 No Warranty IBM Public License Software developed in the GIE Dyade cooperation Software developed by Ingate Systems Software developed by Tommi Komulainen USA GNU Library General Public License Lgpl v 374 GNU Library General Public License 376 377 Page 379 380 Version 2.1, February GNU Lesser General Public License Lgpl v 382 GNU Lesser General Public License 384 385 386 Page Glibc Tzdata 2006a 388 Software in the GNU C distribution Appendix E. License Conditions Appendix E. License Conditions 392 More software in the GNU C distribution 394 License exceptions for gcc/libgcc2.c License for lilo License exceptions for libstdc++License Disclaimer Software developed by Paul Mackerras Software developed at M I T Software developed by Pedro Roque Marques Part 1 CMU/UCD copyright notice BSD like License for Net-SNMP Part 4 Sun Microsystems, Inc. copyright notice BSD Part 5 Sparta, Inc copyright notice BSD Part 6 Cisco/BUPTNIC copyright notice BSD License for OpenSSH License for NTP 404 Appendix E. License Conditions 406 407 Snprintf replacement Copyright Patrick Powell 409 License for OpenSSL License for OpenSWAN Release Derived Year Owner GPL- compatible? From Python license Terms and Conditions for Accessing or Otherwise Using Python Beopen Python Open Source License Agreement Version Cnri License Agreement for Python CWI License Agreement for Python 0.9.0 Through License for Python Imaging Library License for Rdisc More software developed by RSA Data Security, Inc Software developed by RSA Data Security, Inc License for SSL Software developed by Sun Microsystems, Inc License for stunnel License for Sun RPC More software developed by Sun Microsystems, Inc Software developed by Trusted Information Systems, Inc License for termcap Software developed by Paul Vixie Software developed by Andrew Tridgell Vovida Software License v Software developed by Rayan S ZachariassenVovida Software License, Version Software developed at University of California License for zlib Openswan-kernel 427 Appendix E. License Conditions Appendix E. License Conditions Readlink Appendix E. License Conditions 430 Solve Problems Online Register Your Product to Gain Service BeneﬁtsPurchase Extended Warranty Professional Services Appendix F. Obtaining Support for Your 3Com Products Contact Us Access Software DownloadsTelephone Technical Support and Repair Asia, Paciﬁc Rim Telephone Technical Support and Repair Country Telephone Number Latin America Telephone Technical Support and Repair US and Canada Telephone Technical Support and Repair Index For administration Conﬁguration logins From the Telecommuting Module MIBs