Nortel 3050 Command Reference Manual
Nortel VPN Gateway

Command Reference

Release: 7.0
Document Revision: 01.01
www.nortel.com
NN46120-103
216369-E

Summary of Contents for Nortel 3050

  • Page 1: Command Reference

    Nortel VPN Gateway Command Reference Release: 7.0 Document Revision: 01.01 www.nortel.com NN46120-103 216369-E...
  • Page 2 Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks. *Nortel, Nortel Networks, the Nortel logo and the Globemark are trademarks of Nortel Networks. Export This product, software and related technology is subject to U.S.
  • Page 3: Table Of Contents

    How to Get Help 10 Getting help from Nortel Web site 10 Getting help over the phone from a Nortel Solutions Center Getting help from a specialist by using an Express Routing Code Getting help through a Nortel distributor or reseller...
  • Page 4 Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard 10 September 2007 Copyright © 2007 Nortel Networks...
  • Page 5: Preface

    Preface This Command Reference lists all the CLI commands available in the Nortel VPN Gateway (NVG) software. The software supports both SSL Acceleration and VPN.
  • Page 6: Who Should Use This Book

    This Command Reference is intended for network installers and system administrators engaged in configuring and maintaining a network. It assumes that you are familiar with Ethernet concepts and IP addressing.
  • Page 7: Related Documentation

    VPN management guide intended for end-customers in a Secure Service Partitioning configuration. • VPN Gateway 3050/3070 Hardware Installation Guide (part number 216213-B, March 2005) Describes installation of the VPN Gateway 3050 and 3070 hardware models. • VPN Gateway 7.0 Release Notes (part number 216372-P, September 2007) Lists new features available in version 7.0 and provides up-to-date...
  • Page 8: Product Names

    Product Names The software described in this manual runs on several different hardware models. Whenever the terms Nortel VPN Gateway, VPN Gateway or NVG are used in the documentation, the following hardware models are implied: • Nortel VPN Gateway 3050 (NVG 3050) •...
  • Page 9: Typographic Conventions

    The following table describes the typographic styles used in this book. Table 1 Typographic Conventions (Typeface or Symbol / Meaning). AaBbCc123: This type is used for names of commands, files, and directories used within the text. It also depicts on-screen computer output and prompts. The table also lists a second AaBbCc123 style and the <AaBbCc123> placeholder style.
  • Page 10: How To Get Help

    This section explains how to get help for Nortel products and services. Getting help from Nortel Web site The best way to get technical support for Nortel products is from the Nortel Technical Support Web site: This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products.
  • Page 11: Command Reference

    Command Reference This chapter describes how to use the command line interface on the Nortel VPN Gateway (NVG). The chapter also provides explanations of all available commands.
  • Page 12: Menu Basics

    This section describes the Main menu commands, and provides a list of commands and shortcuts that are commonly available from all the menus within the CLI.
  • Page 13: Global Commands

    Global commands table (Command / Action). Commands: "<menu/path>", apply, diff, revert. Actions listed: Display a summary of the global commands. Displays help on a specific command in the command line interface. Example: Typing the "/cfg/sys" command at any prompt in the CLI will display the System menu.
  • Page 14 CTRL+^ netstat nslookup ping Copyright © 2007 Nortel Networks Action Lets you restore a previously dumped configuration. Before pasting the configuration, you need to provide the password phrase you specified when executing the dump command. For more information, see the dump command.
  • Page 15 Copyright © 2007 Nortel Networks Getting help through a Nortel distributor or reseller Action Use this command to identify the route used for station-to-station connectivity across the network. The format is as follows: traceroute <IP address or host name of target station>...
  • Page 16: Commandline History And Editing

    Keys: <Ctrl-n> <Ctrl-a> <Ctrl-e> <Ctrl-b> <Ctrl-f> <Backspace> <Ctrl-d>. Descriptions: Display a numbered list of the last 10 previously entered commands. Repeat the last entered command. Repeat command n as shown on the history list. "Bookmarks" your current position in the menu structure. After...
  • Page 17 <Ctrl-l> <Ctrl-c> <Ctrl-u> Other keys Copyright © 2007 Nortel Networks Getting help through a Nortel distributor or reseller Description Kill (erase) all characters from the cursor position to the end of the command line. Rewrites the most recent command. Abort an on-going transaction. If pressed when there is no on-going transaction, the current menu is displayed.
  • Page 18: Command Line Interface Shortcuts

    TAB Value Presentation Pressing the TAB key also displays available options, for example if you want to view previously configured values.
  • Page 19 SSL user sessions: 250 Default gateway address = 192.168.128.3 Ports = 1 : 2 Hardware platform = 3070 Host Routes: No items configured Copyright © 2007 Nortel Networks UsingSubmenu Name as Command Argument 19 Net Direct link(2) 1(Local) Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard...
  • Page 20 D = 0.0.0.D, i.e. 10translates to 0.0.0.10 Network Masks A network mask can be entered in number of bits or in dotted decimal notation. Copyright © 2007 Nortel Networks Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard 10 September 2007...
  • Page 21 The network mask 255.255.0.0 can also be entered as 16. The network mask 255.255.255.0can also be entered as 24. The network mask 255.255.255.255can also be entered as 32. Copyright © 2007 Nortel Networks IP Address and Network Mask Formats 21 Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard...
  • Page 22: Variables

    Variables: <var:user> <var:password> <var:group> <var:portal>. Usage: Expands to the user name specified when the user logged in to the VPN, for example on the Portal login page. The variable can for example be included in...
  • Page 23 <var:clicert> <md5:...> <base64:...> <var:tgFailureReason > Copyright © 2007 Nortel Networks IP Address and Network Mask Formats 23 Usage Expands to the domain name specified for the authentication method by which the logged in user was authenticated. The domain name is specified with the /cfg /vpn #/aaa/auth #/domain command.
  • Page 24 Variables included in links are URL encoded whereas variables included in static texts (for example on the Portal page and on the Portal login page) are not URL encoded. Copyright © 2007 Nortel Networks Usage Expands to the software definition comment specified...
  • Page 25: The Main Menu

    • Maintenance menu Is used for sending technical support information to an FTP/TFTP/SFTP server. For more information, see “Maintenance Menu”. ... shows the Main menu as it appears (page 26). “/stats Statistics Menu” (page 81). “/boot Boot Menu” (page 472).
  • Page 26: Info Information Menu

    Displays the current SSL server settings, including SSL specific settings for each configured virtual SSL server. certs. Menu listing: - Show configured SSL servers - Show configured certificates - Show local HSM information - Show configured VPNs...
  • Page 27 >> Information# users 2 joe For a sample screen output, see 33). idleusers <number of seconds> <VPN ID> <prefix> Copyright © 2007 Nortel Networks “/info/hsm HSM Command” (page Lists all currently logged in users for all VPNs. Lists all users currently logged in to VPN 2.
  • Page 28 >> Information# ipsec >> Information# ipsec 2 >> Information# ipsec 2 s* >> Information# ipsec 2 staff Copyright © 2007 Nortel Networks Lists all SSL users who have been idle more than 30 seconds. Lists all SSL users currently logged in to VPN 2 who have been idle more than 5 minutes.
  • Page 29 Information Menu Options (/info) (cont’d.) Command Syntax and Usage For a sample screen output, see Note: This command is not available if the VPN Gateway software runs on the ASA 310 or ASA 410 hardware platforms. botuns <VPN ID> <prefix>...
  • Page 30 IP, login time, user groups to which the user belongs, source IP allocated from IP pool and user profile information (access method, source IP, authentication server, client certificate present, Nortel IE cache wiper running, Tunnel Guard activated, domain). For a sample screen output, see...
  • Page 31 VPN Gateway to which you have connected. If you have connected to the MIP address, the information displayed relates to the VPN Gateway in the cluster that currently is in control of the MIP. If more than one network is configured in the cluster, ethernet statistics for the respective network is displayed.
  • Page 32 (NIC) on the particular VPN Gateway to which you have connected. If you have connected to the MIP address, the information displayed relates to the VPN Gateway in the cluster that currently is in control of the MIP. For each port, link status (up/down) and the Ethernet autonegotiation setting (on/off) is shown.
  • Page 33 (Extended mode or FIPS mode) is displayed, as well as current login status and login user information (HSM-SO or HSM-USER). info/users Users Command >>Main #/info/users Number of currently logged in users:1 Copyright © 2007 Nortel Networks info/users Users Command 33 Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard...
  • Page 34 ------ ---- ----- ------ --------- --------- 1 lisa 13:13 13:15 192.168.128.19 ssl 2 john 13:28 13:39 192.168.128.31 ssl The output shows VPN ID, user name, login time, last time active, source IP address and access method. Copyright © 2007 Nortel Networks SourceIP Access 47.102.177.57 134.177.220.2 “/cfg/vpn <id>...
  • Page 35 VPN Gateway and the destination host), the outer IP address (i.e. the IP address from which the remote user connects to the VPN Gateway), encrypted data in kBytes and decrypted data in kBytes. The output also shows the time the tunnel has been active (hours:minutes:seconds).
  • Page 36 The output also shows the time the tunnel has been active (hours:minutes:seconds). info/ippool Ippool Command >> information ippool *** Pool ’1’ for ’VPN 2’ type = local proxyarp= on hostroute= false range= 2.2.2.2.-2.2.2.100 free= Copyright © 2007 Nortel Networks phase1:0 up:0 State Enc (KB) phase1:0 up:0 2.2.2.2 2.2.2.3 2.2.2.4 2.2.2.5...
  • Page 37 An IP address from the IP pool is allocated as source IP address to unencrypted connections between the VPN Gateway and the requested destination when the remote user connects to the VPN Gateway through the Net Direct client or the Nortel IPsec VPN client (formerly the Contivity VPN client). info/ip Ip Command >>...
  • Page 38 38 Command Reference allocated from IP pool and user profile information (access method, source IP, authentication server, client certificate present, Nortel IE cache wiper running, Tunnel Guard activated, domain). /info/sonmp Sonmp Command >> Information# sonmp Slot IP address Seg MAC address...
  • Page 39 20 concurrent users for VPN no 1 and 30 to VPN no 2. The remaining 50 are not allocated and thus available to other VPNs in the cluster. Only the VPNs with a configured license allocation are included in this table. Copyright © 2007 Nortel Networks /info/licenses Licenses Command 39 Used...
  • Page 40 VPN Gateways in the cluster. An asterisk (*) in the MIP column indicates which VPN Gateway in the cluster is currently is control of the Management IP. An asterisk (*) in the Local column indicates the particular VPN Gateway to which you have connected.
  • Page 41 VPN Gateway in the cluster that currently is in control of the MIP. If more than one network is configured in the cluster, ethernet statistics for the respective network is displayed. Copyright © 2007 Nortel Networks /info/ethernet Information Ethernet Command 41...
  • Page 42: Stats Statistics Menu

    Displays the IPsec statistics menu. To view menu options, see “/stats/ipsec IPsec Statistics Menu”. Note: This command is not available if the VPN Gateway software is run on the ASA 310 or ASA 410 hardware platforms. Displays the AAA statistics menu. To view menu options, see “/stats/aaa AAA Statistics Menu”...
  • Page 43 SSL servers in the cluster. sslconnect Displays the total number of established SSL client connections on all virtual SSL servers in the cluster. tpshisto Copyright © 2007 Nortel Networks /stats/sslstats SSL Statistics Menu 43 47). “/stats/sslstats/server <number> Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard...
  • Page 44 Histogram sample output for “/stats/sslstats/tpshisto”, “/stats/sslstats/clihisto” and “/stats/sslstats/srvhisto”: rows min(24), min(32) and min(40), each with eight zero counters.
  • Page 45 Histogram rows continue with hour(16) (eight zero counters); 10.1.82.146:443 Histogram medium client data byte/s (last 31 days)
  • Page 46 The output shows the data throughput in bytes per second from backend servers to each virtual SSL server in the cluster. It is divided in the following sections per virtual SSL server: Copyright © 2007 Nortel Networks Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard...
  • Page 47 VPN. Table 9 Cluster Wide SSL Statistics for VPN Menu Options (/stats/sslstats/vpn) Command Syntax and Usage accept Copyright © 2007 Nortel Networks - SSL accept - SSL renegotiate requests - SSL handshakes completed - SSL cache misses - SSL cache timeout...
  • Page 48 To change the current cachettl value, use the /cfg/vpn #/server/ssl/cachettl command. The default SSL cache timeout value is 5 minutes. cachetimeo Copyright © 2007 Nortel Networks Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard 10 September 2007...
  • Page 49 Displays histograms of data throughput in bytes per second from clients for the specified VPN, as performed on all NVG devices in the cluster. srvhisto Copyright © 2007 Nortel Networks Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard 10 September 2007...
  • Page 50 SSL server. renegotiat Displays the number of times clients have requested a renegotiation of the SSL connection on the current virtual SSL server. Copyright © 2007 Nortel Networks Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard 10 September 2007...
  • Page 51 Displays the number of times when a new client session could not be cached due to the cache being full. If the cachefull value is high, you may consider increasing the SSL cache size of the virtual SSL server. Copyright © 2007 Nortel Networks Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard...
  • Page 52 Displays all SSL statistics for the current virtual SSL server, except the histograms. For a sample screen output, see <number> /dump Cluster-Wide SSL Statistics for Server” (page Copyright © 2007 Nortel Networks “/stats/sslstats/server Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard 10 September 2007 53).
  • Page 53 NVG device basis. You can therefore easily compare the performance of a particular virtual SSL server on different NVG devices in the cluster. Copyright © 2007 Nortel Networks /stats/sslstats/local Local SSL Statistics Menu 53 - ISD local SSL server statistics menu...
  • Page 54 SSL server, on a per NVG device basis. srvhisto Displays histograms of data throughput in bytes per second from backend servers to each virtual SSL server, on a per NVG device basis. Copyright © 2007 Nortel Networks “/stats/sslstats/local/isdhost <number> Single iSD 56). Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard...
  • Page 55 10.1.82.146:443 HTTP weak cipher rewrites = 0 10.1.82.146:443 HTTP redirect rewrites = 2 10.1.82.146:443 Failed backend server connects = 0 10.1.82.146:443 SSL transactions/sec = 0 Copyright © 2007 Nortel Networks /stats/sslstats/local/dump Local SSL Statistics 55 “/stats/sslstats/local/dump 55). Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard...
  • Page 56 56 Command Reference The output shows all SSL statistics per VPN Gateway, except the histograms. The statistics are presented per virtual SSL server for each VPN Gateway. Histograms are not included in the output. The sample output above shows two virtual SSL servers. The server with number 1 is a virtual SSL server configured under /cfg/ssl.
  • Page 57 Displays various SSL properties for incoming client connections, as well as HTTP-related statistics. The statistics are presented for each virtual SSL server in the cluster, but where the figures relate only to the currently specified VPN Gateway. Histograms are not included in the output. /stats/sslstats/local/isdhost <number> /server <number>...
  • Page 58 SSL server on the currently selected VPN Gateway. The values are unique for the selected VPN Gateway, because the figures depend on the Nortel Application Switch load balancing configuration of the server group in which the VPN Gateway resides. The dump command will display all statistics available through the individual commands in the menu, except the health check status, pool status, and histograms.
  • Page 59 IP address specified as the Real Server IP (RIP) for the current virtual SSL server is listed under the RIP column. When using the NVG together with an Nortel Application Switch, the RIP typically corresponds to 0.0.0.0. By specifying 0.0.0.0 as the Real...
  • Page 61 ID, and that session ID was found in the SSL cache. sslconnect Displays the number of completed SSL client connections on the current virtual SSL server. Copyright © 2007 Nortel Networks "cachettl" (page 97) Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard...
  • Page 62 Displays the number of failed connections to backend servers. Displays the number of SSL transactions per second as performed by the specified virtual SSL server on the currently selected VPN Gateway. tpshisto Displays histograms of the number of SSL transactions per second for the specified virtual SSL server, as performed on the currently selected VPN Gateway.
  • Page 63 The IPsec Statistics menu is used for viewing performance statistics relating to IPsec sessions. Note: This menu is not available if the VPN Gateway software is run on the ASA 310 or ASA 410 hardware platforms. Copyright © 2007 Nortel Networks...
  • Page 64 Displays the total number of encoded kBytes for all VPNs in the cluster. The information includes all sessions since the system was first started or since the statistics were last cleared using the clear command. Copyright © 2007 Nortel Networks “/stats/ipsec/vpn <id> Cluster Wide 66).
  • Page 65 VPNs. The histograms show the average decryption times in kBytes per second. The information is shown per minute, hour and day up to 31 days. Copyright © 2007 Nortel Networks /stats/ipsec IPsec Statistics Menu 65 Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard...
  • Page 66 - Print all stats except histograms The Cluster Wide IPsec Statistics for VPN menu is used for viewing IPsec session statistics for a specific VPN. Copyright © 2007 Nortel Networks Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard 10 September 2007...
  • Page 67 VPN. boenc Displays the number of encoded kBytes per second during the last minute, for branch office tunnel sessions in the selected VPN. Copyright © 2007 Nortel Networks Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard...
  • Page 68 VPN. The histograms show the average decryption times in kBytes per second. The information is shown per minute, hour and day up to 31 days. Copyright © 2007 Nortel Networks Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard...
  • Page 69 Copyright © 2007 Nortel Networks /stats/ipsec/local Local IPsec Statistics Menu 69 “/stats/ipsec/vpn <id> /dump - ISD local IPsec server statistics menu - ISD local IPsec user sess histogr for all VPNs/ISDs - ISD local IPsec user encrypt histogr for...
  • Page 70 70 Command Reference The Local IPsec Statistics menu is used for viewing IPsec statistics per VPN Gateway (iSD), if the cluster consists of several devices. For each VPN Gateway, the statistics are shown per VPN. Using the isdhost command, you can view statistics for specific VPN Gateways in the cluster.
  • Page 71 VPN(1) Ipsec decode kb/sec last minute = 0 VPN(1) Ipsec decode kb/sec last minute = 0 VPN(1) Ipsec decode kb/sec last minute = 0 The output shows all IPsec statistics per VPN Gateway and VPN, except the histograms. Copyright © 2007 Nortel Networks “/stats/ipsec/vpn <id>...
  • Page 72 - Dump all information The Single ISD IPsec Statistics menu is used for viewing IPsec statistics for a specific VPN Gateway (iSD), i.e. the statistics do not relate to the whole cluster of VPN Gateways. The statistics are shown per VPN.
  • Page 73 VPN Gateway. boenc Displays the number of encoded kBytes per second during the last minute, for branch office tunnels on the selected VPN Gateway. Copyright © 2007 Nortel Networks Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard...
  • Page 74 VPN Gateway. The histograms show the average decryption times in kBytes per second. The information is shown per minute, hour and day up to 31 days. dump Displays all IPsec statistics for the selected VPN Gateway, except the histograms. Copyright © 2007 Nortel Networks Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard...
  • Page 75 - Dump all information The Single ISD IPsec Statistics for VPN menu is used for viewing IPsec statistics for a specific VPN on the selected VPN Gateway (iSD). Table 18 Single ISD IPsec Statistics for VPN Menu Options (/stats/ipsec/local/isdh...
  • Page 76 Displays the number of encoded kBytes per second during the last minute, for user tunnels on the selected VPN Gateway and VPN. boenc Displays the number of encoded kBytes per second during the last minute, for branch office tunnels on the selected VPN Gateway and VPN.
  • Page 77 Single ISD IPsec Statistics for VPN Menu Options (/stats/ipsec/local/isdhost/vpn) (cont’d.) Command Syntax and Usage Displays the number of decoded kBytes per second during the last minute, for branch office tunnels on the selected VPN Gateway and VPN. sesshisto Displays IPsec session histograms for the selected VPN Gateway and VPN.
  • Page 78 - Dump all information The AAA Statistics menu is used for viewing authentication statistics related to the NVG cluster as a whole, or to one specific VPN Gateway in the cluster. The number of accepted and rejected authentication requests of VPN users are listed for each configured authentication method and authentication server.
  • Page 79 >> AAA Statistics# dump. The dump is grouped into sections: RADIUS Servers (192.168.128.1:1, 10.1.0.10:1812), Local DB, Licenses, Vdesk, SPIKE and IPSEC, with columns Accept/Reject, Accepted, Rejected and Time. See “/stats/aaa/dump ...” (page 79).
  • Page 80 Accepted and 2 under Rejected. This means that only 10 concurrent users are allocated to VPN 1. The figure under Rejected refers to connections exceeding the allowed number of concurrent users. Copyright © 2007 Nortel Networks Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard...
  • Page 81: Cfg Configuration Menu

    “/cfg/cert <id> Certificate Management Configuration” (page ...). Displays the VPN menu. To view menu options, see “... VPN Menu” (page ...). test. Menu listing: - SSL offload menu - Certificate menu - VPN menu - Create test vpn,portal and certificate...
  • Page 82 Name of VPN. Lets you enter a name for the VPN, for example My VPN. VPN used with Alteon switch yes/no. Choose yes if a Nortel Application Switch (formerly Alteon Application Switch) is connected to the VPN Gateway, otherwise choose no. If set to no, the portal server will be set to standalone mode.
  • Page 83 You can read more about IPsec in the "Transparent Mode" chapter in the Application Guide for VPN. Net Direct. Lets you configure the VPN Gateway to allow use with the Net Direct client (SSL VPN client downloadable from Portal).
  • Page 84 Certificate Administrator user role (by removing the admin user from the certadmin group), the certificate administrator must enter the passphrase that he or she defined by using the /cfg/sys/user/caphrase command. Copyright © 2007 Nortel Networks Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard...
  • Page 85 When pasted, the content is batch processed by the VPN Gateway. To view the pending configuration changes resulting from the batch processing, use the diff command. To apply the configuration changes, use the apply command.
  • Page 86 Displays the Server menu, after you have typed the index number of an existing virtual SSL server or a new server. To view menu options, see “/cfg/ssl/server <id> SSL Server Configuration” (page test Copyright © 2007 Nortel Networks Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard 10 September 2007 89).
  • Page 87 SSL server. When executing the test command, you are asked to specify the IP address of a virtual server (defined on the Nortel Application Switch). The virtual server you specify will then make use of the services the test SSL server provides (HTTPS offload by default).
  • Page 88 The real Web servers must also be configured to listen for NVG traffic on port 81. For security reasons, it is also important to define a filter on the Nortel Application Switch that blocks all incoming client traffic destined for port 81.
  • Page 89 - Socks settings menu - Advanced settings menu Copyright © 2007 Nortel Networks /cfg/ssl/server <id> SSL Server Configuration 89 authentication, you will be prompted to select an existing VPN (if any). The authentication scheme adhering to this VPN will then be used.
  • Page 90 "Stand-alone Web Server Accelerator" chapter in the Application Guide for SSL Acceleration. off: When set to off, the VPN Gateway is connected to an Nortel Application Switch for SSL offload purposes. The IP address set with the vips command corresponds to a virtual IP address on the Nortel Application Switch.
  • Page 91 (the default setting). This setting instructs the VPN Gateway to use the destination IP address found in the received packets, when initiating requests to the virtual server on the Nortel Application Switch to which the virtual SSL server has been mapped.
  • Page 92 Gateway ’s IP address (which is "transparent" to the real servers). To use the Transparent proxy mode, you need to make sure all client traffic is routed back to the clients through the Nortel Application Switch. The NVG real server group defined on the Nortel Application Switch must...
  • Page 93 VPN Gateway works in non-transparent proxy mode, that is. When using non-transparent proxy mode, firewall redirect hash method must not be applied to any real ports on the Nortel Application Switch. The default proxy mode value is on.
  • Page 94 The Trace menu is used for capturing and analyzing SSL and TCP traffic flowing between clients and the selected virtual SSL server on the VPN Gateway. The commands can be useful for debugging purposes. The ssldump command will decrypt transmitted data traffic, provided private keys and certificates have been configured properly on the selected virtual SSL server.
  • Page 95 To configure a DNS server for the virtual SSL server, use the /cfg/ssl/server #/dns/servers command or use the default DNS server (/cfg/sys/dns). dnslookup <host name or IP address> Copyright © 2007 Nortel Networks “ CLI Dumps” (page 479) Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard...
  • Page 96 - Set list of CA chain certificates protocol - Set protocol version verify - Set certificate verification level ciphers - Set cipher list - Enable SSL - Disable SSL Copyright © 2007 Nortel Networks Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard 10 September 2007...
  • Page 97 To clear all specified CA certificates, press ENTER when asked to enter the certificate numbers, then answer yes to the question if you want to clear the list. Copyright © 2007 Nortel Networks /cfg/ssl/server <id> /ssl SSL Settings Configuration 97 Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard...
  • Page 98 • ssl23: Accept SSL 2.0, SSL 3.0, and TLS 1.0. • tls1: Only accept TLS 1.0. The default protocol value is ssl3. verify none|optional|require Copyright © 2007 Nortel Networks Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard 10 September 2007...
  • Page 99 - Set client TCP receive buffer size ssendbuf - Set server TCP send buffer size srecbuf - Set server TCP receive buffer size Copyright © 2007 Nortel Networks /cfg/ssl/server <id> /tcp TCP Settings Configuration 99 Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard...
  • Page 100 The default client keep alive timeout value is 15m = 15 minutes. skeep <SSL VPN client keep alive timeout> If the SSL VPN client stops communicating with the VPN Gateway, this timeout value determines for how long the SSL VPN client should be kept alive before the remote user is logged out.
  • Page 101 - Set server down reply status downurl - Set server down redirect URL rewrite - SSL triggered rewrite menu Copyright © 2007 Nortel Networks /cfg/ssl/server <id> /http HTTP Settings Configuration 101 Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard 10 September 2007...
  • Page 102 Table 26 HTTP Settings Menu Options (/cfg/ssl/server/http) Command Syntax and Usage httpsredir on|off Copyright © 2007 Nortel Networks Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard 10 September 2007...
  • Page 103 Host: www.example.com may first be redirected by the web server to HTTP/1.0 302 Moved Temporarily Date: Thu, 01 Oct 2005 16:27:51 GMT Copyright © 2007 Nortel Networks /cfg/ssl/server <id> /http HTTP Settings Configuration 103 115). Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard...
  • Page 104 Command Syntax and Usage Server: inets/2.5.3 Location: http://www.example.com:81/login • With redirect set to on, the VPN Gateway rewrites http:// to https:// according to the following pattern: HTTP/1.0 302 Moved Temporarily Date: Thu, 01 Oct 2005 16:27:51 GMT Server: inets/2.5.3 Location: https://www.example.com/loginHTTP/1.0 302 Moved...
  • Page 105 Note: When using the redirect feature, the VPN Gateway must be configured to use a DNS server, and the responding DNS server must be able to perform reverse DNS lookups. When the VPN Gateway performs a reverse DNS query of the virtual server IP address (VIP), the resolved name must match the domain name in the Host header of the client request.
  • Page 106 Command Syntax and Usage • on: The VPN Gateway sets the Secure attribute on the NVG session cookie and all Set-Cookie headers generated by backend servers. It directs the user agent to use only secure means to contact the origin server whenever it sends back this cookie.
  • Page 107 Such a decision would then override the default cipher suite setting for a virtual SSL server on the VPN Gateway. Example of an added X-SSL header: X-SSL: decrypted=true, ciphers="TLSv1/SSLv3 RC4-MD5"...
  • Page 108 The default value for the addxfor setting is off. Note: If there is more than one NVG in a cluster and transparent proxy is set to off, then firewall load balancing (on the Nortel Application Switch) must also be set to off for the addxfor feature to work.
  • Page 109 VPN Gateway. When added, the extra HTTP-X-ISD header contains information about the IP addresses of both the VPN Gateway that initiated the request and the responding backend server, the internal index number of the...
  • Page 110 The command is only available for virtual SSL servers of the http type. The default value is off. addclicert on|off...
  • Page 111 Command Syntax and Usage Specifies how the virtual SSL server handles the optional X-Client-Cert HTTP header. When added, the VPN Gateway will insert the entire client certificate (in PEM format) as a multiline HTTP header. The backend web servers can then perform additional user authentication, based on the information in the client certificate.
  • Page 112 Specifies how the virtual SSL server handles the Host header in an HTTP client connection request. The rhost setting is mainly used when configuring the VPN Gateway for Global Server Load Balancing in conjunction with the related Nortel Application Switch settings. Valid options for the rhost command are: •...
  • Page 113 The Redir Map menu is used to configure HTTP to HTTPS redirect mappings, so that a request for an internal host using HTTP will be redirected to another (or the same) internal host through HTTPS. This...
  • Page 114 Entries with an index number higher than (and including) the one you specify will have their current index number incremented by 1.
  • Page 115 <header by index number> Removes the specified header. Use the list command to display the index numbers of all added entries. add <host/domain> <header pattern>...
  • Page 116 URI - Set URI with the weak cipher alert The Rewrite menu is used for enabling and configuring the HTTP rewrite functionality for a particular virtual SSL server.
  • Page 117 Appendix A, Supported Ciphers, in the User’s Guide. response iSD|WebServer Specifies whether the iSD (VPN Gateway) or a web server should handle the response message sent back to the client. When response is set to WebServer, use the URI command to point to a resource on a web server that can provide a customized error message.
  • Page 118 SSL server types, see the type command on "type generic|http|socks" (page 92) Table 30 WWW-Authenticate Settings Menu Options (/cfg/ssl/server/http/auth) Command Syntax and Usage mode basic|digest|portal...
  • Page 119 Enables HTTP user authentication. basic: Displays a login popup window when the user tries to access the restricted resource. Use basic mode if you do not have a Portal through which users can be authenticated.
  • Page 120 - Set vpn; defgroup - Set default group From VPN Gateway version 4.1, SOCKS support is also enabled for portal servers. The Socks Settings menu is still available for backward compatibility and for customers who want support for the SSL VPN client only (that is...
  • Page 121 (,). The available options are: • user: Username/Password client authentication is required. • none: No client authentication is required. When setting the Socks authentication method to none, make sure you also specify a default user access group (using the defgroup command).
  • Page 122 SSL server. The number of menu items available in the Advanced Settings menu varies according to the type of virtual SSL server currently selected.
  • Page 123 Configuration” (page Note: The traflog menu item is only available when the virtual SSL server type is set to http or portal. loadbalanc (/cfg/ssl/server <id> /adv Advanced Settings Menu)...
  • Page 124 SSL server must be set to the generic or http type. Table 33 LB String Menu Options (/cfg/ssl/server/adv/string) Command Syntax and Usage match...
  • Page 125 A match of the defined string will only occur if the match string is found in one of the known methods listed below. — unknown: unknown method for the VPN Gateway. A match will only occur if a method other than the known methods is found.
  • Page 126 A match will only occur if the match string is found in one of the known headers. — other: unknown header field for the VPN Gateway. A match will only occur if a header other than the known headers is found. (If...
  • Page 127 - Disable connection pooling The Pool Settings menu is used for configuring the connection pooling settings of the VPN Gateway. Connection pooling provides for the reuse of SSL sessions to improve throughput. When the VPN Gateway load balances the backend servers, it can pool both encrypted (port 443) and unencrypted (port 81) server side connections.
  • Page 128 In general, it is therefore recommended that traffic logging is performed on the backend web servers instead. The traffic logging performed by backend web servers can be enhanced by configuring the VPN Gateway to add certain HTTP headers. For more information about available extra HTTP headers, see the HTTP Settings menu on /server/http HTTP Settings Configuration”...
  • Page 129 Disables traffic logging through syslog messages to the specified syslog server. Traffic logging through syslog messages is disabled by default. debug: Messages that contain information mainly of use only for debugging purposes. info: Informational messages.
  • Page 130 Note: When the load balancing type is set to string, persistency options set to cookie or session are ignored. all: All backend servers are load balanced according to the specified load balancing metric. Load balancing strings that may have been defined are ignored.
  • Page 131 Specifies the load balancing metric to use for determining which of the configured backend servers will be the target of the next client request. Valid options are: none: Specifies that no method is used to obtain persistency in client connections.
  • Page 132 • hash: With this option, a hash metric on the source IP address information in a client connection request is used to select a backend server. • roundrobin: Round robin. With this option, new client connection requests are issued to each backend server in turn in a continuously repeating sequence.
  • Page 133 Sets the interval in seconds for health checks of the backend servers to occur. The default health check interval is 10 seconds. Note: Each VPN Gateway in the cluster performs its own health checking of backend servers. Therefore, if you set the health check interval to a low value, a considerable amount of network traffic may be generated.
  • Page 134 (i): Insert mode. When a client sends a connection request without a cookie, the backend server responds with the requested data, and the VPN Gateway inserts a cookie into the data packet. The VPN Gateway then uses this cookie on all subsequent...
  • Page 135 — If the backend server embeds a string of characters as the cookie value, the VPN Gateway will perform a hash on the cookie value. The VPN Gateway will then select a backend server and direct all subsequent traffic within a given session to the same backend server, based on the hashed cookie value.
  • Page 136 IP address, as well as its own virtual server IP address that is used in a global server load balancing (GSLB) configuration. offset <cookie offset value in bytes (1-64)>...
  • Page 137 For Insert or Rewrite cookie mode, if you want the VPN Gateway to include both the IP address of the backend server and the IP address of the virtual server (the VIP on the Nortel Application Switch) in the cookie value, you must set the cookie length to 16.
  • Page 138 • auto_open: Opens a TCP connection to the backend servers. For those backend servers on which SSL connect is enabled, the command also opens an SSL connection. • auto_close: Closes the TCP connection that was opened using the auto_open command.
  • Page 139 (and including) the one you specify will have their current index number incremented by 1. ssl_close: Closes the SSL connection that was opened using the ssl_open command. The ssl_close script command must always be followed by the regular close command.
  • Page 140 • The default protocol value is ssl3. cert <client certificate by index number> • ssl2: Propose using only SSL 2.0. • ssl3: Propose using SSL 3.0 or TLS 1.0. • ssl23: Propose using any of SSL 2.0, SSL 3.0, or TLS 1.0.
  • Page 141 /cfg/ssl/server <id> /adv/loadbalanc /remotessl/verify Remote SSL Connect Verify Configuration [Remote SSL Connect Verify Settings Menu] verify - Set certificate verification level...
  • Page 142 (http://) or any port numbers or pathnames in the common name. Wildcards (such as * or ?) and IP addresses are not allowed. • none: No server certificate is required. • optional: The server can authenticate by means of a valid certificate, but it is not required.
  • Page 143 VIP. Each local VIP must have a valid server certificate that matches its name.
  • Page 144 HTTP server. This feature can be used for setting up an HTTP to HTTPS redirect service. The default setting for remotessl is true. lbstrings <index number of match strings>...
  • Page 145 Enables the current backend server. By default, all backend servers are enabled when created. any: A match of one or more of the specified load balancing strings must be found in a client request for the backend server to be load balanced.
  • Page 146 Propose using any of SSL 2.0, SSL 3.0, or TLS 1.0. • tls1: Propose using only TLS 1.0. The default protocol value is ssl3. cert <client certificate by index number>...
  • Page 147 For greater control, you can disallow SSL connections to a particular backend server by using the sslconnect command in the Backend Server menu. For more information, see the sslconnect command on "sslconnect on|off" (page 144).
  • Page 148 • The default value is none. commonname <common name of backend web server> • none: No server certificate is required. • require: The server must present a valid certificate in order for the selected virtual SSL server to establish a session.
  • Page 149 - Generate certificate request; sign - Sign a certificate request; test - Generate test certificate and key (/cfg/cert <id> Certificate Management Configuration)...
  • Page 150 When adding a new certificate, specify an unused index number. You can add up to 1500 certificates to the VPN Gateway. Any unused index number can be assigned to a certificate, including numbers higher than 1500. To view basic information about all certificates added to the VPN Gateway, use the /info/certs command.
  • Page 151 When using the cert command to add a certificate to the VPN Gateway, the certificate (and key, if present) must be in the PEM format. If a certificate is already installed using the current certificate index number, that certificate will be overwritten by pasting another certificate to the same index number.
  • Page 152 X509v3 Basic Constraints property in the generated certificate. The properties of a certificate available on the VPN Gateway can be viewed by entering the following command: /cfg/cert #/show client: Generates a client certificate that is signed using the private key associated with the currently selected certificate.
  • Page 153 SSL server to perform end to end encryption, and you want to sign a CSR generated on a backend web server by using a CA certificate on the VPN Gateway. (The signed CSR can then be installed on the backend web server as a server certificate).
  • Page 154 MS IIS 4. Keys from Netscape Enterprise Server or iPlanet Server can also be imported, but require that you first use a conversion tool. Contact Nortel for more information about the conversion tool.
  • Page 155 Displays the serial number, the expiration date, and the values specified for the subject part of the current certificate. (/cfg/cert <id> Certificate Management Configuration)...
  • Page 156 Provides information about how the private key associated with the currently selected certificate is protected. For VPN Gateways without the HSM card, private keys are protected by the cluster. For the ASA FIPS, private keys are protected by the HSM card.
  • Page 157 CA certificate that was used to generate the client certificates. import <protocol [tftp|ftp|scp|sftp]> <server by host name or IP address> <file name>...
  • Page 158 LDAP server is performed each time a CRL retrieval occurs. The bind operation uses the specified distinguished name and password. Directly after a successful bind operation, a search for the...
  • Page 159 When using HTTP or TFTP to retrieve a CRL, you don’t need to provide a distinguished name for binding and authentication. passwd <password for binding and authentication> (/cfg/cert <id> /revoke/automatic Automatic CRL Menu)...
  • Page 160 To clear all specified CA certificates, press ENTER when asked to enter certificate numbers, then answer yes to the question if you want to clear the list. true: The authDN and passwd commands (see above) can be set to anything, including an empty string.
  • Page 161 Assigns a name to the VPN. The name is not used by any other functions but is mainly for your own reference. ips <portal IP addresses, comma separated>...
  • Page 162 DNS name) should be entered in the client browser’s address field. For SSL VPN client connections (SOCKS encapsulated in SSL), the portal IP address or DNS name should be configured in the Nortel SSL VPN client. For IPsec connections, the portal IP address should be configured in the Nortel IPsec VPN client (formerly Contivity).
  • Page 163 Portal’s Home tab. To view menu options, see <id> Linkset Configuration” (page sslclient Displays the SSL VPN Client menu used for configuring the Nortel SSL VPN client settings. To view menu options, see Net Direct and SSL VPN Client Configuration” (page Displays the Advanced menu including options to configure a backend interface and a dedicated DNS server for the current VPN.
  • Page 164 The user is mapped to the trusted group. Members of the trusted group are authorized to all networks, services and paths.
  • Page 165 When closed, the user must provide his or her user name and password to log in again. This option helps prevent allocation of resources on the VPN Gateway for sessions that are no longer active. When 10% of the portal idle timeout is reached, a logout warning window is displayed.
  • Page 166 For other methods, the response times may vary depending on the current network load, server performance, number of users in the database etc. Example from a CLI session:...
  • Page 167 To view existing appspec entries, press TAB following the appspec command. To view menu options, see Application Specific Menu” (page filter (/cfg/vpn <id> /aaa AAA Configuration)...
  • Page 168 <anonymous group by name>...
  • Page 169 Configuration” (page ssoheaders Displays the SSO (Single-Sign-On) Headers menu. To view menu options, see “/cfg/vpn <id> /aaa/ssoheaders Single-Sign-On Headers Configuration” (page radacct (/cfg/vpn <id> /aaa AAA Configuration)...
  • Page 170 SRS rule. The SRS rule in its turn should be mapped to one or more user groups using the /cfg/vpn #/aaa/group #/tgsrs command.
  • Page 171 A group called tunnelguard with two extended profiles. Extended profile 1 is triggered when the Tunnel Guard checks have succeeded. Its access rule gives access to all networks. Extended profile 2 is triggered... (/cfg/vpn <id> /aaa/tg Tunnel Guard Menu)
  • Page 172 If the SRS rule check succeeds, an extended profile whose client filter is set to tg should be triggered instead. The extended profile’s access rights could be more generous.
  • Page 173 Guard agent, i.e. even if the setting is disabled on the NVG, it might be enabled in the Tunnel Guard agent settings. (/cfg/vpn <id> /aaa/tg Tunnel Guard Menu) and the "Configure Tunnel Guard" chapter in the...
  • Page 174 <value in seconds> Lets you specify the interval between connection attempts from the Tunnel Guard server (on the VPN Gateway) to the Tunnel Guard client (on the client machine). This setting only applies to clients with the Tunnel Guard application installed, not to Tunnel Guard applets downloaded from the Portal.
  • Page 175 <version number as N.N.N.N> Lets you enter the minimum version of the Tunnel Guard agent. Clients with an older version will not be able to connect to the VPN Gateway. This setting only applies to clients with the Tunnel Guard application installed, not to Tunnel Guard applets downloaded from the Portal.
  • Page 176 WholeSecurity is enabled, the Login page will not be displayed when the user logs out from the Portal session. Enables WholeSecurity (disabled by default). Disables WholeSecurity (disabled by default).
  • Page 177 Lets you select an authentication mechanism to configure for the current VPN. The selected mechanism is mapped to the current authentication ID. name...
  • Page 178 Lets you specify a display name for the current authentication method. The name is displayed in the Login Service list box on the Portal login page and in the Nortel SSL VPN client’s login window. The user can thus select a specific authentication server, for example for token authentication or direction to a specific Windows domain.
  • Page 179 <id> /aaa/auth <id> /cleartrust ClearTrust Configuration” (page 212). Note: The cleartrust menu item is only available when the authentication mechanism is set to cleartrust.
  • Page 180 Client certificate authentication, see “/cfg/vpn <id> /aaa/auth <id> /cert Client Certificate Authentication” (page 225). Note: The ena menu item is only available when the authentication mechanism is set to cert.
  • Page 181 Displays the RADIUS Servers menu. To view menu options, see “/cfg/vpn <id> /aaa/auth <id> /radius/servers RADIUS Servers Menu” (page 184). vendorid <integer value>...
  • Page 182 Note 2: If vendorid is set to 0, vendortype should be set to a standard attribute type as defined in RFC 2865. For example, to use the standard attribute Class, set vendorid to 0 and vendortype to 25. http://www.iana.com/ to the Vendor-Id attribute.
  • Page 183 If the timeout value elapses before a connection is established, authentication will fail. The default RADIUS server timeout value is 10s (10 seconds). idletimeou...
  • Page 184 ID that represents the RADIUS configuration is specified using the /cfg /vpn #/aaa/authorder command. Table 54 RADIUS Servers Menu Options (/cfg/vpn/aaa/auth/radius/servers) Command Syntax and Usage list...
  • Page 185 The Idle Timeout menu lets you configure your VPN to retrieve an idle timeout value in seconds from the RADIUS server. When the user’s VPN session has been idle longer than this value, the user is automatically logged out.
  • Page 186 0. Then configure the desired standard attribute type as the vendor type value (see next command). Note: If both Vendor-Id and Vendor-Type are set to 0, the VPN Gateway will pick up the Idle-Timeout standard attribute (if sent from the RADIUS server).
  • Page 187 If you want to use a standard attribute type as defined in RFC 2865, set vendorid to 0. Then configure the desired standard attribute type as the vendor type value (see next command).
  • Page 188 Session Timeout Menu Options (/cfg/vpn/aaa/auth/radius/sessiontim) (cont’d.) Command Syntax and Usage Note: If both Vendor-Id and Vendor-Type are set to 0, the VPN Gateway will pick up the Session-Timeout standard attribute (if sent from the RADIUS server). If vendor-specific attributes are specified on the RADIUS server and in the CLI (using Vendor-Id and Vendor-Type), the standard attribute will be overridden.
  • Page 189 insert <index number to insert at> <macro to add> Variable name, e.g. exchangeServer. By mapping the variable name to the RADIUS attribute (see below), the corresponding value can be retrieved from the logged in user’s user record in RADIUS.
  • Page 190 - Disable Radius Network Attribute The RADIUS Network Attributes menu is used to configure the VPN Gateway to retrieve network attributes from an external RADIUS server. The network attributes are automatically assigned to IPsec VPN client sessions once the user is successfully authenticated to the RADIUS server.
  • Page 191 Sets the vendor type for the primary NBNS server attribute. The default value is 6. secnbnsid Sets the vendor id for the secondary NBNS server attribute. The default value is 1872 (alteon).
  • Page 192 Enables the settings made on the RADIUS network attributes menu. For the settings to take effect, the /cfg/vpn #/ippool #/type command should be set to radius. Disabled by default.
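The vendorid/vendortype rules from the Idle Timeout and Session Timeout menus above (vendorid 0 and vendortype 0 selects the standard attribute, vendorid 0 with vendortype N selects standard attribute N, a vendor-specific pair overrides the standard attribute) and the RADIUS Network Attributes defaults (vendor id 1872, NBNS vendor type 6), worked through against a constructed Access-Accept attribute list. This is an added example, not Nortel code; the vendor type 3 sub-attribute and the fallback to the standard attribute when a configured VSA is absent from the reply are assumptions.

```python
import struct
from typing import List, Optional, Tuple

# RFC 2865 standard attribute numbers referred to on this page
CLASS = 25
VENDOR_SPECIFIC = 26
SESSION_TIMEOUT = 27
IDLE_TIMEOUT = 28
ALTEON_VENDOR_ID = 1872  # default vendor id stated on the page

# (type, vendor_id, vendor_type, value); vendor fields are 0 for standard attributes
Attr = Tuple[int, int, int, bytes]


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RFC 2865 attribute as Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific (26) attribute in the RFC 2865 recommended
    layout: Vendor-Id(4) followed by Vendor-Type(1) Vendor-Length(1) Value."""
    sub = bytes([vendor_type, len(value) + 2]) + value
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def parse_attributes(data: bytes) -> List[Attr]:
    """Walk the attribute TLVs of an Access-Accept payload.  Each VSA
    sub-attribute is expanded into its own tuple so lookups by vendor id and
    vendor type are uniform.  Malformed lengths raise rather than being skipped."""
    attrs: List[Attr] = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % i)
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length at offset %d" % i)
        value = data[i + 2:i + length]
        if attr_type == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short at offset %d" % i)
            vendor_id = struct.unpack("!I", value[:4])[0]
            j = 4
            while j < len(value):
                if j + 2 > len(value):
                    raise ValueError("truncated VSA sub-attribute")
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("bad VSA sub-attribute length")
                attrs.append((VENDOR_SPECIFIC, vendor_id, vtype, value[j + 2:j + vlen]))
                j += vlen
        else:
            attrs.append((attr_type, 0, 0, value))
        i += length
    return attrs


def lookup(attrs: List[Attr], vendorid: int, vendortype: int,
           standard_attr: int) -> Optional[bytes]:
    """Select the attribute value the way the page's vendorid/vendortype
    settings describe.  standard_attr is the attribute the menu falls back on
    (Idle-Timeout or Session-Timeout); pass 0 when there is none."""
    if vendorid == 0:
        wanted = standard_attr if vendortype == 0 else vendortype
        if wanted == 0 or wanted == VENDOR_SPECIFIC:
            return None
        for attr_type, _, _, value in attrs:
            if attr_type == wanted:
                return value
        return None
    # Vendor-specific pair configured: a matching VSA overrides the standard attribute.
    for attr_type, vendor_id, vtype, value in attrs:
        if attr_type == VENDOR_SPECIFIC and vendor_id == vendorid and vtype == vendortype:
            return value
    # Assumption (not stated on the page): fall back to the standard attribute
    # when the configured VSA is missing from the reply.
    return lookup(attrs, 0, 0, standard_attr)


def timeout_seconds(attrs: List[Attr], vendorid: int, vendortype: int,
                    standard_attr: int) -> Optional[int]:
    """Decode a selected timeout attribute as a 32-bit integer (RFC 2865 integer type)."""
    value = lookup(attrs, vendorid, vendortype, standard_attr)
    if value is None:
        return None
    if len(value) != 4:
        raise ValueError("timeout attribute must be a 4-byte integer")
    return struct.unpack("!I", value)[0]


def ipv4_text(value: bytes) -> str:
    """Render a 4-byte address attribute (e.g. an NBNS server) as dotted quad."""
    if len(value) != 4:
        raise ValueError("address attribute must be 4 bytes")
    return ".".join(str(b) for b in value)


# Constructed sample Access-Accept attribute list, not a real capture.
SAMPLE_ACCEPT_ATTRS = (
    encode_attr(CLASS, b"staff")
    + encode_attr(SESSION_TIMEOUT, struct.pack("!I", 3600))
    + encode_attr(IDLE_TIMEOUT, struct.pack("!I", 600))
    + encode_vsa(ALTEON_VENDOR_ID, 6, bytes([10, 0, 0, 5]))      # vendor type 6: primary NBNS (page default)
    + encode_vsa(ALTEON_VENDOR_ID, 3, struct.pack("!I", 900))    # vendor type 3: hypothetical custom idle timeout
)
```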
  • Page 193 Displays the LDAP Servers menu. To view menu options, see “/cfg/vpn <id> /aaa/auth <id> /ldap/servers LDAP Servers Menu” (page 198). searchbase <searchbase entry> (/cfg/vpn <id> /aaa/auth <id> /ldap LDAP Configuration)...
  • Page 194 The DN assigned here should point to a position in the DIT from where all user records can be found, using a subtree search. To be able to search the DIT, the VPN Gateway must authenticate itself towards the LDAP server, according to the settings made with the isdbinddn and isdbindpas commands.
  • Page 195 Thus, if userattr is defined as sAMAccountName, the user record Bill Smith will be found. To be able to search the DIT, the VPN Gateway must authenticate itself towards the LDAP server, according to the settings made with the isdbinddn and isdbindpas commands.
  • Page 196 Command Syntax and Usage By setting this command to true, LDAP requests between the VPN Gateway and the LDAP server will be made using a secure SSL connection, i.e. LDAPS. When applying the changes, a warning message will be displayed if the LDAP server ports are not the standard LDAPS ones (i.e.
  • Page 197 Displays the Active Directory menu. To view menu options, see “/cfg/vpn <id> /aaa/auth <id> /ldap/activedire Active Directory Settings Configuration” (page true: Strips the domain part from the login user name before LDAP authentication is performed.
  • Page 198 To view the current authentication order in the VPN, use the /cfg/vpn #/aaa/authorder command. Table 60 LDAP Servers Menu Options (/cfg/vpn/aaa/auth/ldap/servers) Command Syntax and Usage list...
  • Page 199 - Delete a value by number; - Add a new value; insert - Insert a new value; move - Move a value by number...
  • Page 200 (and including) the one you specify will have their current index number incremented by 1. Variable name. The name of the variable, e.g. exchangeServer. By mapping the variable name to the LDAP attribute (see below), the corresponding value can be retrieved from the logged in user’s...
  • Page 201 The group entry DN could for example be cn=Staff,ou=groups,dc=nortel,dc=com. This would however be quite a long group name to configure in the VPN. To simplify configuring group names in the VPN, enable the /cfg/vpn #/aaa/auth #/enashortgr setting (see Table 59 "LDAP Menu Options (/cfg/vpn/aaa/auth/ldap)"...
  • Page 202 Directory settings, for example expired account/password checks. Table 63 Active Directory Settings Menu Options (/cfg/vpn/aaa/auth/ldap/activedire) Command Syntax and Usage enaexpired true|false...
  • Page 203 Group configuration is described on <id> Group Configuration” (page pwdexppopu true|false true: The system will perform an account/password-expired check against Active Directory upon remote user login. false: No account/password-expired check will be performed.
  • Page 204 Advanced LDAP Menu Options (/cfg/vpn/aaa/auth/ldap/adv) Command Syntax and Usage enaxfilter true|false true: A popup window is displayed to the user when 5 days (or less) remain before the password expires. false: No popup warning is displayed.
  • Page 205 To access the NTLM menu, the authentication type for the current authentication ID must be set to ntlm. (/cfg/vpn <id> /auth <id> /ntlm NTLM Configuration) true: The search filter is enabled. Continue with specifying the desired attribute/value using the commands below.
  • Page 206 ID that represents the NTLM configuration is specified using the /cfg/vpn # /aaa/authorder command. Table 66 Servers Menu Options (/cfg/vpn/aaa/auth/ntlm/servers) Command Syntax and Usage list...
  • Page 207 - SiteMinder servers menu; - Set fail over mode; - Set SiteMinder agent name; - Set SiteMinder shared secret; - Set SiteMinder protected resource; - Set SiteMinder group attribute; - Set SiteMinder server timeout; - Allow SiteMinder Single-Sign for the VPN’s domain...
  • Page 208 Note: SiteMinder’s tools for authorization are not supported. Access is granted based on the group access rules defined on the VPN Gateway. Challenge-based authentication replies (i.e. the New PIN and Next Token modes of SecurID) from SiteMinder are not supported.
  • Page 209 When creating the Agent Type in SiteMinder, the Agent Type Attribute identifier must be equal to this value. For instructions on how to create an agent type in SiteMinder, see the Technical Configuration Guide Using Netegrity SiteMinder with Nortel VPN Gateway available on. The default value is 64. timeout Sets a timeout value in seconds for a connection request to a SiteMinder server.
  • Page 210 Note: If sso is set to true but no display name or authentication order is configured for the SiteMinder authentication method on the VPN Gateway, it will not be possible to log in to the VPN without a valid SMSESSION cookie.
  • Page 211 A maximum of three SiteMinder servers can co-exist in the configuration. insert <index number to insert at> <IP address of SiteMinder server to add> - List all values - Delete a value by number - Add a new value...
  • Page 212 ClearTrust components (see the ClearTrust documentation) on the desired machines in your network, you should also configure the VPN Gateway to act as a ClearTrust web server agent and point out existing ClearTrust dispatcher(s) or authorization server(s). The VPN Gateway sets a ClearTrust single-sign-on cookie in the client browser.
  • Page 213 Sets the desired authentication type for the ClearTrust web server agent, i.e. the VPN Gateway. standard: The NVG sends requests to the first available ClearTrust authorization server in the list (see <id> /cleartrust /servers ClearTrust Servers Configuration”...
  • Page 214 Command Syntax and Usage The default value is basic. connection clear|ssl_anon Sets the desired connection type for the ClearTrust web server agent (the VPN Gateway) when connecting to other RSA ClearTrust components. The default value is ssl_anon.
  • Page 215 Note: If sso is set to true but no display name or authentication order is configured for the ClearTrust authentication method on the VPN Gateway, it will not be possible to log in to the VPN without a valid CTSESSION cookie.
  • Page 216 Adds a dispatcher with port number to the configuration. Syntax example: add www.example.com 5608 The next available index number is assigned automatically by the system.
  • Page 217 <ClearTrust server by index number> Removes the specified server from the configuration. Use the list command to display the index numbers of all added ClearTrust authorization servers. “/cfg/vpn <id> /aaa/auth <id>
  • Page 218 To access the RSA menu, the authentication type for the current authentication ID must be set to rsa. Table 72 RSA Menu Options (/cfg/vpn/aaa/auth/rsa) Command Syntax and Usage rsaname 437)).
  • Page 219 /cfg/sys/rsa command (see Configuration” (page rsagroup Sets the user access group (as defined on the VPN Gateway) to which authenticated users will be assigned. The access rules pertaining to this group will determine the user’s access rights. /cfg/vpn <id> /aaa/auth <id> /local Local Database...
  • Page 220 Enter user name: john Enter passwd: [press enter to leave unchanged] * Enter group names (comma separated): staff For instructions on how to configure the VPN Gateway to perform external database authentication in conjunction with local database authorization, see the groupauth command on Settings Menu Options (/cfg/vpn/aaa/auth/adv)"...
  • Page 221 Exports the local database as a file (e.g. db.txt) in ASCII format to a TFTP/FTP/SCP/SFTP server. Below is an example of an exported user record with the password encrypted: john:$2$7á?yLs...ßìöonž±†:trusted where $2$ indicates an encrypted password
  • Page 222 Values in the client certificate’s subject part, identified as user OID and group OID, will be extracted to authenticate the remote user to the VPN Gateway and assign one or several group names to the user. No password is required, which means that single sign-on to backend servers will not be possible.
  • Page 223 To view available OIDs and values for an existing certificate, use the /cfg/cert #/subject command. For information about how to use the VPN Gateway to generate a new client certificate and export it to a file, see the "Certificates and Client Authentication"...
  • Page 224 Command Syntax and Usage list Lists configured group OIDs. Deletes the desired entry by index number. Use the list command to view the index numbers.
  • Page 225 The Advanced Settings menu includes commands for configuring the current authentication method to retrieve user group information from other authentication schemes besides the current one and for configuring a second authentication server.
  • Page 226 Portal login page. This command is only available if the authentication method is set to radius, cert or rsa. validatedn <ClearTrust authentication method ID> Table 73 "Local database Menu
  • Page 227 The default value is false. true: Reverses the certificate DN string before sending it to the ClearTrust authorization server for validation. Using the string in the preceding example (see the validatedn command) the string sent...
  • Page 228 Lets you enter a comment for the current network definition, for example a text explaining which network segment(s) the entry refers to. Removes the network definition from the current configuration. “/cfg/vpn <id> /aaa/network <id> /subnet <id> 229).
  • Page 229 Defines the hosts that together with the subnet mask (see below) make up one of the subnet definitions for the current network. The default net address is set to 0.0.0.0. mask <network mask>
  • Page 230 Guide for VPN for a full explanation of groups, access rules and profiles. Table 80 Service Menu Options (/cfg/vpn/aaa/service) Command Syntax and Usage name
  • Page 231 (separated by comma) or a range of port numbers, or both. Example: 80,443 comment http. Uses TCP port 80. https. Uses TCP port 443. web. Uses TCP ports 20, 21, 80 and 443. smtp. Uses TCP port 25.
  • Page 232 Assigns a name to the current appspec entry. This name should be referenced when configuring the access rules for a specific user group, using the /cfg/vpn #/aaa/group #/access # /appspec command. path
  • Page 233 For SMB, write the path as /WORKGROUP/FILESHARE/FILE PATH, e.g. /NORTEL/homes/public. This will give access to the public directory in the homes share in the NORTEL workgroup/domain. For FTP, write the path as ABSOLUTE FILE PATH, e.g.
  • Page 234 true: The client filter triggers when the remote user authenticates with a client certificate. To grant this user more generous access rights, create an extended profile, reference the client filter you have just created and specify the desired access rules.
  • Page 235 This command can be used if you wish to create an extended profile with more generous access rules for remote users who have installed the Nortel IE cache wiper on their local machines. Upon Portal login, the user is offered the option to download the Nortel IE cache wiper (if enabled).
  • Page 236 SSL VPN client (transparent mode). ipsec. The user authenticates to the VPN and sets up an IPsec tunnel using the Nortel IPsec VPN client (formerly Contivity). netdirect. The user authenticates to the VPN through the browser and sets up an SSL session using the Net Direct client. The Net Direct client is downloaded to the remote user’s machine for full...
  • Page 237 - Set comment del - Remove group The Group menu is used to define the user groups that reside on the VPN Gateway. /cfg/vpn <id> /aaa/group <id> Group Configuration 237
  • Page 238 The name you assign to the user group depends on which type of authentication mechanism you deploy. RADIUS: The group name must correspond to an existing group name defined in the vendor-specific attribute used by the RADIUS server. Contact your RADIUS system administrator for information.
  • Page 239 “/cfg/vpn <id> /aaa/group <id> /access <rule number> Access Rule Configuration” (page print /cfg/vpn <id> /aaa/group <id> Group Configuration 239 NTLM: The group name must correspond to an existing group name in the Windows domain to which the user belongs. The most common examples of Windows domains to which a user belongs are "Domain Users", "Administrators", "Power Users"...
  • Page 240 <value in seconds (s), minutes (m), hours (h) or days (d)> advanced: Displays all tabs on the Portal. medium: Displays all tabs but the Advanced tab. novice: Limits display to the Home tab (containing group links) and the Tools tab.
  • Page 241 Sets the period during which a user’s VPN session can be idle before the connection is automatically closed. This option helps prevent allocation of resources on the VPN Gateway for sessions that are no longer active. When 10% of the portal idle timeout is reached, a logout warning window is displayed.
  • Page 242 /sslclient Net Direct and SSL VPN Client Configuration” (page 393). ndwapasswo <Windows administrator password> true. The VPN Administration option (link to BBI) is added to the Portal’s Tools tab for all members of this group.
  • Page 243 The system checks the groups for SRS rules in the order they are configured in the CLI. /cfg/vpn <id> /aaa/group <id> Group Configuration 243 “/cfg/vpn <id> /aaa/group <id>...
  • Page 244 on: Users belonging to the current group will have the option to download the Nortel IE cache wiper when logging in to the Portal (if using Internet Explorer). If downloaded, the IE cache wiper will clear the cache and browser history when the Portal session is terminated or when the browser is closed.
  • Page 245 VPN. The IP pool comes into play when a remote user tries to establish a connection using the Nortel IPsec VPN client (formerly the Contivity VPN client) or the Net Direct client. A new source IP address has to...
  • Page 246 To view menu options, see IPsec Group Configuration” (page Note: This command is not available if the VPN Gateway software is run on the ASA 310 or ASA 410 hardware platforms. comment Lets you enter a comment for the current group.
  • Page 247 Example: To restrict access to a specific application, reference the service name whose definition corresponds to that application’s well-known port number. To configure a service, use the /cfg/vpn #/aaa/service command. appspec
  • Page 248 If a remote user belongs to several groups, all links in all linksets pertaining to the user’s different groups will be displayed on the Portal’s Home tab when the user logs in. accept: The user’s request is accepted, and access to the resource is granted.
  • Page 249 Specifying access rules on Group level is sufficient to have a working AAA system. However, if security considerations in your company require more fine-grained authorization control, one or more extended profiles can be added to a user group.
  • Page 250 (for example authentication method or source network) matches the client filter referenced in the extended profile. For example, if the remote user authenticates to the VPN Gateway through a secure method, the access rules defined in the extended profile could be more generous.
  • Page 251 idlettl <value in seconds (s), minutes (m), hours (h) or days (d)> “/cfg/vpn <id> /aaa/group <id> advanced: Displays all tabs on the Portal. medium: Displays all tabs but the Advanced tab. novice: Limits display to the Home tab (containing group links) and the Tools tab.
  • Page 252 Sets the period during which a user’s VPN session can be idle before the connection is automatically closed. This option helps prevent allocation of resources on the VPN Gateway for sessions that are no longer active. The idle timeout value can be set on VPN level as well, using the /cfg/vpn #/aaa /idlettl command.
  • Page 253 To view menu options, see /linkset Linkset Mapping Configuration” (page wiper on|off This command is only visible if Nortel IE cache wiper support has been delegated to group level, i.e. the /cfg/vpn #/portal/wiper command has been set to group.
  • Page 254 The default setting is off. Removes the current extended profile from the group. on: When users assigned to the current extended profile log in to the Portal, a Java applet is started. The applet enables support for Citrix Metaframe web links on the Portal.
  • Page 255 VPN Gateway) with group authentication. The shared secret entered here must be equal to the shared secret/password configured for group authentication in the Nortel IPsec VPN client (formerly Contivity). Note: If user name and password authentication is used (ISAKMP tunnel), a shared secret is not required. This login type however requires that the user is configured in the NVG’s local database, using the...
  • Page 256 The SSO (Single Sign-On) Domains menu lets you configure domains for which single-sign-on is allowed. The VPN Gateway will automatically log in remote users to hosts in the specified domains, provided the required credentials are identical with those entered at Portal login. The feature supports web servers using HTTP-based authentication (basic or NTLM), as well as FTP and SMB (Windows file share) file servers.
  • Page 257 Use the list command to display the index numbers of all added SSO headers. add <host/domain> <header pattern> — normal: For web servers requiring user name and password only. — add_domain: Some web servers require a domain name in addition to the user name to be inserted in the user name field.
  • Page 258 The index numbers you specify must be in use. To view all headers currently added to the configuration, use the list command. Host or domain, e.g. www.example.com or example.com. Header pattern. Lets you define a custom header to be included in requests to the specified host or to hosts in the specified domain.
  • Page 259 Displays the RADIUS accounting servers menu. To view menu options, Servers Configuration” (page vpnattribu Displays the VPN Attribute menu. To view menu options, see “/cfg/vpn <id> /aaa/radacct/vpnattribu VPN Attribute Configuration” (page “/cfg/vpn <id> /aaa/radacct/servers RADIUS Accounting 260). 261).
  • Page 260 Note: The default port number used for RADIUS accounting is 1813. insert <index number to insert at> <IP address of RADIUS accounting server to add>
  • Page 261 RADIUS configuration in line with the value used by the remote RADIUS system. Contact your RADIUS system administrator for more information. The default vendor-Id is 1872 (Alteon).
  • Page 262 Command Syntax and Usage port <TCP port number> Sets the TCP port number on which the portal server should listen. The default is port 443.
  • Page 263 Displays the Proxy Mapping menu. To view menu options, see “/cfg/vpn <id> /server/proxymap Proxy Mapping Configuration” (page portal /cfg/vpn <id> /server Portal Server Configuration 263 “/cfg/vpn <id> /linkset <id> /link 282).
  • Page 264 NVG cluster. For more information, see the /cfg/sys/distrace command on page Table 94 Trace Menu Options (/cfg/vpn/server/trace) Command Syntax and Usage ssldump interactive|tftp|ftp|sftp 284). 287). "distrace"...
  • Page 265 For detailed information about the default flags used when issuing the tcpdump command, as well as customizing the default filter expression, see the TCPDUMP (8) manual pages under UNIX. ping <host name or IP address> /cfg/vpn <id> /server/trace Trace Configuration 265
  • Page 266 /cfg/vpn <id> /server/ssl SSL Settings Configuration [SSL Settings Menu] cert - Set server certificate cachesize - Set SSL cache size cachettl - Set SSL cache timeout
  • Page 267 Sets the maximum Time To Live (TTL) value for items in the SSL cache, before they are discarded. The default TTL value is 5 minutes. cacerts <certificate index number> /cfg/vpn <id> /server/ssl SSL Settings Configuration 267
  • Page 268 Note: When configuring the virtual SSL server to use chain certificates, the protocol version must be set to SSL3 or SSL23. protocol ssl2|ssl3|ssl23|tls1
  • Page 269 ALL@STRENGTH. For more information about cipher lists, see the "Cipher List Formats" section in Appendix A, Supported Ciphers, in the User’s Guide. /cfg/vpn <id> /server/ssl SSL Settings Configuration 269 ssl2: Only accept SSL 2.0.
  • Page 270 The default client write timeout value is 15m = 15 minutes. ckeep <client keep alive timeout> - Set client TCP write timeout - Set client TCP keep alive timeout...
  • Page 271 The default client keep alive timeout value is 15m = 15 minutes. skeep <SSL VPN client keep alive timeout> If the SSL VPN client stops communicating with the VPN Gateway, this timeout value determines for how long the SSL VPN client should be kept alive before the remote user is logged out.
  • Page 272 - Set compress http data to the client allowimage - Allow image caching allowdoc - Allow document caching allowscrip - Allow script caching
  • Page 273 (see below). reset: Lets the client try to access the server again. on: The VPN Gateway sets the Secure attribute on the NVG session cookie and all Set-Cookie headers generated by backend servers. It directs the user agent to use only secure means to contact the origin server whenever it sends back this cookie.
  • Page 274 If very long serial numbers are used, and/or hexadecimal representation is desired, change the sslheader command to off and the sslxheader command to on. on: An X-SSL header is added to the client request. off: No X-SSL header is added to the client request.
  • Page 275 The default value for the addxfor setting is off. Note: If there is more than one NVG in a cluster and transparent proxy is set to off, then firewall load balancing (on the Nortel Application Switch) must also be set to off for the addxfor feature to work.
  • Page 276 Specifies how the virtual SSL server handles the through HTTP header. When added, the through HTTP header contains information about the IP address of the virtual server on the Nortel Application Switch. Valid options for the addvia command are:...
  • Page 277 Command Syntax and Usage Specifies how the virtual SSL server handles the optional X-Client-Cert HTTP header. When added, the VPN Gateway will insert the entire client certificate (in PEM format) as a multiline HTTP header. The backend web servers can then perform additional user authentication, based on the information in the client certificate.
  • Page 278 (if Internet Explorer is used). In this case the default allowdoc setting can be kept. on: Scripts and HTML are compressed to enable faster HTTP data transfer to the clients. This may however reduce the encryption throughput on the NVG because the CPU will also be engaged in data compression.
  • Page 279 No-cache/no-store headers for ICA files are not added. off: No-cache/no-store headers for ICA files are added. on: The VPN Gateway closes Windows MSIE SSL sessions with a TCP FIN but without an SSL shutdown. This circumvents the MSIE SSL session termination bug.
  • Page 280 - Set source of response URI - Set URI with the weak cipher alert The Rewrite menu is used for enabling and configuring the HTTP rewrite functionality for the portal server.
  • Page 281 /cfg/vpn/server/ssl/ciphers command (where the default cipher list is ALL@STRENGTH). For more information about supported ciphers and cipher list formats, see Appendix A, Supported Ciphers, in the User’s Guide. response iSD|WebServer
  • Page 282 Rewrite Menu Options (/cfg/vpn/server/http/rewrite) (cont’d.) Command Syntax and Usage Specifies whether the iSD (VPN Gateway) or a web server should handle the response message sent back to the client. When response is set to WebServer, use the URI command to point to a resource on a web server that can provide a customized error message.
  • Page 283 Entries with an index number higher than (and including) the one you specify will have their current index number incremented by 1. Host or domain. Enter the desired host or domain, e.g. www.example.com or example.com. Requests to the specified host or domain will be redirected through the specified proxy server.
  • Page 284 Command Syntax and Usage authentica on|off By setting this command to off, the VPN Gateway can make use of the VPN functionality to SSL accelerate an existing intranet web site, for example a portal. The NVG’s AAA system is then bypassed. This feature is also known as the PortalGuard.
  • Page 285 The default setting is off. dhost <backend server host name or IP address and path> on: The NVG clears all cookies set by the browser when the user logs out/is logged out from the Portal. This also includes the SiteMinder SMSESSION and the ClearTrust CTSESSION cookies.
  • Page 286 SSL servers within the same DNS domain. The domain to which the cookie is sent should be specified with this command.
  • Page 287 Displays the Traffic Log Settings menu. To view menu options, see “/cfg/vpn <id> /server/adv/traflog Traffic Logging” (page 288). sslconnect Displays the SSL Connect Settings menu. To view menu options, Configuration” (page “/cfg/vpn <id> /server/adv/sslconnect SSL Connection 290).
  • Page 288 The traffic logging performed by backend web servers can be enhanced by configuring the VPN Gateway to add certain HTTP headers. For more information about available extra HTTP headers, see the HTTP Settings menu on “/cfg/ssl/server <id>...
  • Page 289 Disables traffic logging through syslog messages to the specified syslog server. Traffic logging through syslog messages is disabled by default. /cfg/vpn <id> /server/adv/traflog Traffic Logging 289 debug: Messages that contain information mainly of use only for debugging purposes.
  • Page 290 /info/certs command. To generate a client certificate, see the "Generating Client Certificates" section in the "Certificates and Client Authentication" chapter in the User’s Guide. ssl2: Propose using only SSL 2.0. ssl3: Propose using SSL 3.0 or TLS 1.0.
  • Page 291 The menu is also used to specify the common name of backend servers, as well as setting the CA certificates used for backend server authentication. “/cfg/ssl/server <id> /adv /sslconnect/verify SSL
  • Page 292 User’s Guide. When specifying more than one certificate, use commas to separate the corresponding index numbers: Example: 1,2,5 none: No server certificate is required. require: The server must present a valid certificate in order for the selected virtual SSL server to establish a session.
  • Page 293 - Branch Office Tunnel Profile cacerts - Set list of accepted signers of remote end certificate cert - Set our server certificate The IPsec menu is used to configure the VPN Gateway to support IPsec-based user tunnels and branch office tunnels. Note: The IPsec menu is not available if the VPN Gateway software is run on the ASA 310 or ASA 410 hardware platforms.
  • Page 294 The cert command specifies which server certificate should be sent to authenticate the VPN Gateway to an IPsec VPN client (for user tunnels) or to a remote endpoint (for branch office tunnels). The server certificate must exist on the VPN Gateway. To view basic information about available certificates, use the /info/certs command.
  • Page 295 “/cfg/vpn <id> /ipsec/ikeprof <id> /enc IKE Profile Encryption” (page Displays the Diffie-Hellman group menu. To view menu options, see “/cfg/vpn <id>/ipsec/ikeprof <id> /dh Diffie-Hellman Group Configuration” (page pfs on|off 297). 299). “/cfg/vpn <id>...
  • Page 296 Lets you specify whether or not to pass a unique, vendor-defined constant to the responding side. The constant is used by the NVG to identify and recognize remote instances of a Nortel ISAKMP implementation. Reception of a familiar Vendor ID payload allows an implementation to make use of payload numbers 128-255 for vendor-specific extensions.
  • Page 297 Sets the maximum number of retransmissions. This is the number of times that the client retransmits a keepalive packet to the VPN Gateway to check for connectivity. replaywins Provides a way to define the accepted range of sequence numbers.
  • Page 298 3des_md5 on|off Enables/disables 3DES with MD5 encryption. The default value is off. 3des_sha on|off Enables/disables 3DES with SHA encryption. The default value is on.
  • Page 299 Enables/disables the Diffie-Hellman group 5 option with 128 bit AES. The default value is off. dh2_aes128 on|off Enables/disables the Diffie-Hellman group 2 option with 128 bit AES. The default value is off.
  • Page 300 - Set keepalive timeout NAT (Network Address Translation) devices on the network path between the client PC and the VPN Gateway may or may not be IPsec aware. IPsec aware NAT devices can handle IPsec traffic but if the NAT device is not IPsec aware, the client PC and the VPN Gateway can negotiate to encapsulate the IPsec packets within UDP (i.e.
  • Page 301 If there is no traffic received from the client on the IPsec SA and if the VPN Gateway does not receive any keep alive messages from the client during the time frame set as the dead peer detect interval (multiplied by the configured number of retransmissions), the VPN Gateway assumes that client connectivity is lost and the tunnel will be brought down.
  • Page 302 The default value is 3m20s (3 minutes and 20 seconds). retransmit Sets the maximum number of times for the VPN Gateway to check if a keep alive message has been received from the IPsec client. The interval between the retransmissions is set with the interval command (see above).
  • Page 303 Lets you set the desired split tunnel mode. Split tunneling allows client data to travel either through a tunnel to the VPN Gateway or directly to the Internet. All IPsec client traffic is tunneled through the VPN Gateway by default.
  • Page 304 Networks Configuration” (page banner Lets you enter a text string of your own choice to customize the login banner for the Nortel IPsec VPN client (formerly Contivity). The banner appears at the top of the IPsec VPN client upon login. usebanner on|off Enables/disables display of the banner (if any) configured with the banner command (see above).
  • Page 305 - Auto connect network menu The Auto menu includes commands to configure the auto connect feature, enabling remote Nortel IPsec VPN clients to connect their IPsec tunnel sessions in a single step. Example: The remote user clicks a web link to a page on the private internal network.
  • Page 306 Moves a domain up or down in the list of configured domains. The index numbers you specify must be in use. To view all domains currently added to the system configuration, use the list command.
  • Page 307 Moves a network up or down in the list of configured networks. The index numbers you specify must be in use. To view all networks currently added to the system configuration, use the list command. Network IP address, e.g. 10.2.3.4 Network mask, e.g. 24 (=255.255.255.0).
  • Page 308 Moves a network up or down in the list of configured networks. The index numbers you specify must be in use. To view all networks currently added to the system configuration, use the list command. Network IP address, e.g. 10.2.3.4 Network mask, for example 24 (=255.255.255.0).
  • Page 309 The default value is on. on. Screen saver password required. Security feature that forces the client to use a password in association with a screen saver. If the user leaves the system and is connected to a tunnel, the system gets locked out of the tunnel once the screen saver kicks in.
  • Page 310 The index numbers you specify must be in use. To view all policy rules currently added to the system configuration, use the list command. TCP or UDP. Specifies the protocol used by the application. Port number. Specifies the port used by the application. 0 means any port.
  • Page 311 Sets the name of the branch office tunnel profile. This name is mainly for your own reference. - Set BO tunnel profile name - Remove BO Tunnel Profile - Set IKE profile for this BO tunnel...
  • Page 312 Example: To set up a branch office tunnel to a specific VPN (as defined on a Nortel VPN Gateway at the branch office) the remote IP address would be the Portal IP address of that specific VPN.
  • Page 313 Finally – with the remoteid command – specify a string to match the extracted value against. on: Nailed Up mode. The VPN Gateway will always try to bring up the tunnel, even though there is no traffic. If the NVG fails to bring up the tunnel it will keep on trying until the tunnel is up.
  • Page 314 “/cfg/vpn <id> /ipsec/botunprof /remotenets Remote Branch Office Networks” (page localnets Copyright © 2007 Nortel Networks on: Branch office networks are announced on the private side through the RIPv2 protocol. The announcement is made on all interfaces for the relevant VPN except the traffic interface. This setting is required when the cluster consists of several NVGs.
  • Page 315 Removes the network entry that is represented by the index number you specify. Use the list command to view all entries and related index numbers currently added to the list. Copyright © 2007 Nortel Networks 316). Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard...
  • Page 316 Removes the network entry that is represented by the index number you specify. Use the list command to view all entries and related index numbers currently added to the list. Copyright © 2007 Nortel Networks Nortel VPN Gateway Command Reference NN46120-103 01.01 Standard...
  • Page 317 (formerly the Contivity VPN client) or Net Direct client connection. The IP address is used as a new source IP for connections between the VPN Gateway and the destination host, once the remote user is authenticated and the VPN tunnel is set up.
  • Page 318 This command is only available if the type command (see above) has been set to dhcp. local: Lets you configure an IP address range on the NVG, using the lowerip and upperip commands (see below). This range will be used to allocate IP addresses to IPsec and Net Direct client sessions.
  • Page 319 /cfg/vpn <id> /ippool <id> IP Pool Configuration. on: The VPN Gateway that handed out the pool IP address for a specific client connection will respond to ARP requests on behalf of the IPsec VPN client for return traffic. The VPN Gateway then acts as a router and forwards IP packets to the client through the existing tunnel.
  • Page 320 <IP address of DHCP server> Adds a DHCP server to the configuration. Specify the IP address of the DHCP server. The next available index number is automatically assigned by the system.
  • Page 321 The Network attributes menu includes commands to configure, for example, primary and secondary NBNS and DNS servers. The information configured here is pushed to the Nortel IPsec VPN client (formerly the Contivity VPN client) or the Net Direct VPN client when assigned to the current IP pool.
  • Page 322 This is particularly important for clients that use Microsoft Outlook or Exchange, to ensure that the mail server is mapped to the correct domain.
  • Page 323 You can, for example, change the banner image, portal colors and portal language, and define a company name. You can also configure automatic redirection, enable the Nortel IE cache wiper and configure URL rewrite behaviour. Table 125...
  • Page 324 Command Reference Table 125 Portal Menu Options (/cfg/vpn/portal) (cont’d.) Command Syntax and Usage Restores the default Nortel banner. banner Displays the file name of the banner image file currently in use. redirect <URL, e.g. https://vpn.example.com/http/inside.example.com> Sets the URL to which users should automatically be redirected after having authenticated to the Portal.
  • Page 325 <var:group> macro in a JavaScript. linkurl on|off /cfg/vpn <id> /portal SSL VPN Portal Configuration. clean. Displays simple icons using a single color. The color used is color3 (see “/cfg/vpn <id>...
  • Page 326 Sets your own company name. This name will be displayed instead of "Nortel" on the Portal pages. The company name is displayed as a "tool tip" when hovering the mouse pointer over the Portal banner (logo) and in the browser window’s title bar.
  • Page 327 “/cfg/vpn <id> /portal/content Portal Custom Content” (page 330). on: The remote user will have the option to download the Nortel IE cache wiper when logging in to the Portal. If downloaded, the IE cache wiper will clear the cache and browser history when the Portal session is terminated or when the browser is closed.
  • Page 328 Enables/disables support for Portal links to Citrix Metaframe servers. on: When the user logs out from the Portal, the cache is cleared for all instances of the current IE process. This means that if the user is logged in to another web site, he will be automatically logged out from that site.
  • Page 329 <#hexadecimal color code> Refers to the large background area below the tabs. The default value is #ACCDD5. color2 /cfg/vpn <id> /portal/colors Portal Colors Configuration. #/citrix command to enable or disable Citrix Metaframe support on group level.
  • Page 330 Note: Content uploaded to the Custom Content area is accessible without the user having to log on to the Portal. For a usage example, see Appendix I, "Using the Port Forwarder API" in the User’s Guide.
  • Page 331 Shows the Portal’s available space in kbytes. Enables access to custom content for the remote user. Disabled by default. ... used to allow or deny caching of different file types.
  • Page 332 Net Direct VPN client is started (if enabled). For the Nortel IPsec VPN client to be able to connect to a Nortel VPN Router (formerly Contivity), the Full Access menu also lets you configure the required parameters for authentication to the Nortel VPN Router.
  • Page 333 <IP address> Sets the IP address of the Nortel VPN Router. contid <group ID> Sets the Nortel VPN Router group ID. This is only required if the IPsec VPN client uses group authentication to authenticate to the VPN Router.
  • Page 334 The user will also be able to switch languages manually. Table 129 Portal Language Menu Options (/cfg/vpn/portal/lang) Command Syntax and Usage setlang <ISO 639 language code>
  • Page 335 VPN (i.e. SHIFT_JIS) before sending the file list to the browser. The VPN’s existing character set can be checked with the charset command (see “/cfg/vpn <id> /portal/lang Portal Language Configuration” (page 334)).
  • Page 336 - Enable URL rewrite white-list dis - Disable URL rewrite white-list One of the fundamental features of the VPN Gateway product is the act of rewriting URLs to ensure that traffic is sent through a secure SSL connection, through the NVG. When the remote user enters a URL (e.g.
  • Page 337 Requests for domains listed as whitelist domains will be rewritten with the NVG rewrite prefix (see add command below). All other requests will pass directly to the destination, without passing through the NVG.
  • Page 338 Table 133 Black-list Settings Menu Options (/cfg/vpn/portal/blacklist) Command Syntax and Usage domains “/cfg/vpn <id>...
  • Page 339 Example: By adding public.example.com as a black-list domain, all requests for URLs matching the public.example.com domain will not be rewritten with the NVG rewrite prefix (see “/cfg/vpn <id> /portal/whitelist White-list settings menu” (page …)).
  • Page 340 Exchange server and start Microsoft Outlook. As soon as the user enters the Portal, the connection to the Exchange server is automatically set up and Microsoft Outlook is started.
  • Page 341 “/cfg/vpn <id> /linkset <id> /link ...” Link text. Enter the clickable link text to be displayed on the Portal’s Home tab. Type of link. Press TAB to view available link types. Then enter the name of the desired link type.
  • Page 342 <press TAB following this command to view available link types> - Iauto settings menu - Remove link
  • Page 343 Configuration” (page …). proxy Displays the Proxy settings menu. To view menu options, see “/cfg/vpn <id> /linkset <id> /link <id> /proxy Proxy Link Configuration” (page …). ftpproxy
  • Page 344 Displays the Iauto settings menu. To view menu options, see “/cfg/vpn <id> /linkset <id> /link <id> /iauto Iauto Link Configuration” (page …). Removes the current link from the configuration. “/cfg/vpn <id> /linkset <id> /link <id> /forwarder ...” (page …).
  • Page 345 SMB server. SMB host. Enter the IP address or host name of the SMB file server, e.g. 10.1.10.1 or smb.example.com. Short names can be used (e.g. smb) if example.com has been configured as a search domain using the /cfg/vpn #/adv/dns/search command.
  • Page 346 Lets you enter a wizard for creating a link to a directory on an FTP server. ... to provide access to a project folder or other folder shared by a group of users. Note: Specifying a shared network folder is required for an SMB link to work on a PDA Portal.
  • Page 347 HTTPS requests through the Java applet, the traffic will be tunneled through SOCKS (encapsulated in SSL) to the NVG’s proxy server, where it is unpacked and redirected to its destination. Example: home/share/<var:user> — <var:group> This macro expands to the name of the group in which the currently logged in user is a member.
  • Page 348 Set remote port app - Set application path appargs - Set application arguments Update client proxy settings. Selecting yes means that the client browser’s proxy settings are automatically updated when the user clicks the link. Note that this setting only applies to Internet Explorer running on Windows.
  • Page 349 When the user clicks the FTP proxy link, one or several SOCKS tunnels (encapsulated in SSL) are created between the user’s local machine and the VPN Gateway. The NVG acts as an FTP Proxy and relays data to and from the remote host by setting up sockets to a remote TCP port.
  • Page 350 The lport command corresponds to the local port step in the Quick Setup wizard. rhost Application path (optional). Defines the application to be started when the user clicks the link. By default, cmd /c start ftp is suggested, which means that the FTP session will be run in the command window.
  • Page 351 VPN Gateway. The phost command corresponds to the HTTP proxy host step in the Quick Setup wizard. pport
  • Page 352 When the user clicks a port forwarder link, one or several SOCKS tunnels (encapsulated in SSL) are created between the user’s local machine and the VPN Gateway. The NVG relays data to and from the remote host by setting up sockets to remote TCP or UDP ports.
  • Page 353 Traffic mode. Lets you specify which network protocol (UDP or TCP) should be used for the connection. Local host IP address. Sets the IP address associated with the client computer, e.g. 127.0.0.1 or any other IP address in the 127.x.y.z range.
  • Page 354 For further examples, see the "Group Links" chapter in the Application Guide for VPN. tunnel %windir%\system32\drivers\etc\hosts on NT, XP and Windows 2000. Yet another port forwarder. Lets you configure yet another tunnel to be set up when the user clicks the link.
  • Page 355 VPN Gateway. The phost command corresponds to the HTTP proxy host step in the Quick Setup wizard. pport “/cfg/vpn <id> /linkset <id> ...” (page …).
  • Page 356 Tunnel Menu (/cfg/vpn/linkset/link/forwarder/tunnel) Command Syntax and Usage tmode <TCP/UDP> Lets you specify which network protocol (UDP or TCP) should be used for the selected tunnel. lhost
  • Page 357 Hosts and lmhosts files are located in %windir%\hosts on Windows 98 and ME and in %windir%\system32\drivers\etc\hosts on NT, XP and Windows 2000.
  • Page 358 Local host IP address. Sets the IP address associated with the client computer, e.g. 127.0.0.1 or any other IP address in the 127.x.y.z range. Local port. Arbitrary local port number. The wizard suggests the application-specific port so that you do not have to reconfigure the mail client.
  • Page 359 To view menu options, see /link <id> /forwarder <type> /tunnel Port Forwarder Tunnel Configuration” (page …). Remote port. Sets the application-specific port number of the service (SMTP, IMAP4 and POP3 respectively). Host mapping. See the custom port forwarder for a detailed description.
  • Page 360 Lets you specify the port number of an intermediate intranet HTTP Proxy server. The pport command corresponds to the HTTP proxy port step in the Quick Setup wizard. puser
  • Page 361 The Quick Setup wizard (invoked with the quick command) prompts you for information specific to a Telnet connection.
  • Page 362 Local host IP address. Sets the IP address associated with the client computer, e.g. 127.0.0.1 or any other IP address in the 127.x.y.z range. Source port. Arbitrary local port number. Ports just preceding 5000 are usually free to use.
  • Page 363 The splash command corresponds to the application arguments step in the Quick Setup wizard. phost Skipping the prompt means that all applet traffic is tunneled straight to the VPN Gateway. HTTP Proxy user name/password. If an HTTP Proxy host/port is specified and the HTTP Proxy host requires authentication, you have the option to enter a user name and password.
  • Page 364 The ppass command corresponds to the HTTP proxy password step in the Quick Setup wizard.
  • Page 365 Note: Network drive mapping is not supported on Windows 98 and XP clients. Local host IP address. Sets the IP address associated with the client computer, e.g. 127.0.0.2 or any other IP address in the 127.x.y.z range.
  • Page 366 To view menu options, see /link <id> /forwarder <type> /tunnel Port Forwarder Tunnel Configuration” (page …). Remote host. Sets the IP address or host name of the remote server. Remote port. Sets the application-specific port number of the service, i.e.
  • Page 367 Lets you specify the port number of an intermediate intranet HTTP Proxy server. The pport command corresponds to the HTTP proxy port step in the Quick Setup wizard. puser
  • Page 368 The Quick Setup wizard (invoked with the quick command) prompts you for information specific to setting up a connection to a Windows Terminal Server.
  • Page 369 Local host IP address. Sets the IP address associated with the client computer, e.g. 127.0.0.2 or any other IP address in the 127.x.y.z range. Local port. Arbitrary local port number. The wizard suggests 3390, which is the application-specific port number for Windows Terminal Server.
  • Page 370 The splash command corresponds to the application arguments step in the Quick Setup wizard. phost Skipping the prompt means that all applet traffic is tunneled straight to the VPN Gateway. HTTP Proxy user name/password. If an HTTP Proxy host/port is specified and the HTTP Proxy host requires authentication, you have the option to enter a user name and password.
  • Page 371 /cfg/vpn <id> /linkset <id> /link <id> /forwarder <outlook> Outlook Port Forwarder Link Configuration [Port forwarder settings Menu] quick tunnel - Quick port forwarder wizard - Tunnel menu - Set application path
  • Page 372 The following prerequisites must be fulfilled for the Outlook Port forwarder to work: - Set application arguments - Set splash text in Applet window - Set proxy host - Set proxy port...
  • Page 373 If the client has access to intranet DNS servers, communication will fail as well. To test DNS resolution, the VPN Gateway should be able to ping the Exchange server from the CLI, using the fully qualified domain name (FQDN).
  • Page 374 For a configuration example, see the "Group Links" chapter in the Application Guide for VPN. tunnel Each port forwarder must have a unique source IP address. A new source IP address is automatically suggested by the system if you choose to add another port forwarder.
  • Page 375 Lets you specify the text to appear in the Java applet window if you want custom user instructions to be displayed. The splash command corresponds to the application arguments step in the Quick Setup wizard. phost “/cfg/vpn <id> /linkset <id> ...” (page …).
  • Page 376 /cfg/vpn <id> /linkset <id> /link <id> /wts Windows Terminal Server configuration [wts Menu] quick tunnel - Quick wts forwarder wizard - Tunnel menu
  • Page 377 Allows you to run through the quick wizard to set up a WTS link. It suggests the same defaults for most of the items. tunnel - Set application path - Set working directory - Set screen size...
  • Page 378 Whether to hide the port forwarder window or not. Possible values are ‘on’ and ‘off’. The default value is ‘on’, which means the port forwarder is not visible. splash
  • Page 379 - Quick citrix setup wizard - Set Select Citrix mode - Set Address - Set ServerPort - Set icabrowser list - Set Initial Program - Set screen size...
  • Page 380 If the Citrix server uses a non-standard port, specify it here. The default value is 1494. Valid range is 1 through 65535. icabrowser - Set enable Java as default citrix client - Set enable single sign on...
  • Page 381 ‘Settings’ dialog of the client and set up drive mapping and printer mapping manually. The Java client does not support setting this up automatically without end user intervention. enabletzon
  • Page 382 IP address assignment (see the /cfg/vpn # /ippool command, “/cfg/vpn <id> /ippool <id> IP Pool Configuration” (page 317)). Finally, one of the configured IP pools should be selected as the default IP pool.
  • Page 383 For detailed step-by-step instructions on how to configure the VPN Gateway for use with the Net Direct client, see the "Net Direct" chapter in the Application Guide for VPN. Table 150...
  • Page 384 Remote host. Sets the IP address or host name of the remote terminal server. Remote port. Sets the application-specific port number of the service, i.e. 23 (Telnet) or 22 (SSH).
  • Page 385 Both the external and internal link types are designed to direct the remote user to a web page. The difference between an external and an internal link is that the internal link is secured by the VPN Gateway, i.e. the internal link directs the HTTP/HTTPS request to the VPN Gateway, where the NVG rewrite prefix (boldface) is added to the link.
  • Page 386 - Set internal host path - Set path on internal server proxy - Use this as a proxy link Method. HTTP or HTTPS. Host. Web server by IP address or host name, e.g. inside.example.com.
  • Page 387 SSL connection. This feature is useful when a web server requires user authentication, such as a web server providing Outlook Web Access. The iauto link directs the HTTP request to the VPN Gateway where the rewrite prefix (boldface) is added to the link. See example below: https://portal.example.com/https/inside.example.com/login/login.asp The VPN Gateway manages authentication to the backend server.
  • Page 388 Login URL. Enter the URL to the password-protected web page, e.g. https://inside.example.com/login/login.asp. Values for input fields found on the form. Specify which values to insert in the fields when the remote user clicks the iauto link.
  • Page 389 For more information about the HTTP Proxy applet (when invoked through the proxy link), see <id> Link Configuration” (page …). <id> /aaa/auth <id> Authentication Method Configuration” (page 177)) will automatically be included in the iauto link.
  • Page 390 - Delete a value by number add - Add a new value insert - Insert a new value move - Move a value by number
  • Page 391 Represents an input field (= input name) on the form, e.g. user. value. Tells the VPN Gateway what value to insert in the field, for example a macro, a specific text string or a combination of both. The <var:user> and <var:password> macros expand to the logged in Portal user’s credentials.
  • Page 392 Lets you move an entry up or down in the list. To view all entries, use the list command. key. Enter the key here, for example icaClientCode. value. Enter the value here, e.g. 1.
  • Page 393 "Net Direct" and "Transparent Mode" chapters respectively in the Application Guide for VPN. Table 157 SSL VPN Client Menu Options (/cfg/vpn/sslclient) Command Syntax and Usage netdirect on|group|off
  • Page 394 The default value is off. ndbanner <banner text> on: Net Direct is enabled. For the user to be able to download the Net Direct client, a Net Direct link must also be created on the Portal’s Home tab.
  • Page 395 Having entered/pasted the text, press ENTER and type three periods (...). Finally press ENTER once again. Note: A license text from Nortel is supplied by default. By entering a new license text, you will replace the default license text. If desired, you can copy and save the default license text before replacing it.
  • Page 396 Lets you configure UDP ports to be used by the Net Direct client. The Net Direct client will use the configured ports for sending encrypted UDP packets to the VPN Gateway. If this fails (due to, for example, firewalls between the client and the ), the fallback is to use TCP.
  • Page 397 Sets the maximum lifetime of the single session key. The setting controls how often new session keys are exchanged between the Net Direct client and the VPN Gateway. Limiting the lifetime of a single key used to encrypt data is a way of increasing session security.
  • Page 398 VPN Gateway or directly to the Internet. on: The NVG clamps the MSS (maximum segment size) of a TCP SYN packet to the MSS of the real interface. This way packet fragmentation does not occur for TCP traffic, which optimizes performance.
  • Page 399 Remote users are allowed to connect to the VPN Gateway using the TDI client. When set to on, the tdioslist and tdivsn commands become visible (see below). off: Remote users are not allowed to connect to the VPN Gateway using the TDI client.
  • Page 400 The default value is all. tdivsn <client version number> all: All TDI client connections are allowed, irrespective of which OS the client runs on. unknown: TDI clients running on an OS that cannot be identified (for example new OS versions) are allowed to connect.
  • Page 401 Command Syntax and Usage Lets you specify the minimum version of TDI clients that are allowed to connect to the VPN Gateway. When the TDI client tries to connect, it sends its version number to the NVG. Syntax example: 7.0.0.0 In the preceding example, TDI clients with version 7.0.0.0 or higher...
  • Page 402 <client version number> Lets you specify the minimum version of LSP clients that are allowed to connect to the VPN Gateway. When the LSP client tries to connect, it sends its version number to the NVG. Syntax example: 7.0.0.0 In the preceding example, LSP clients with version 7.0.0.0 or higher...
  • Page 403 SSL VPN client (not the Net Direct client), for example which domains and IP addresses should be routed through the VPN Gateway when the remote user tries to access a resource. To produce a configuration file, install the SSL VPN client, make the desired settings in the SSL VPN client and export the configuration file.
  • Page 404 - Add a new value The Split Nets menu is used to configure the network ranges or IP addresses to which traffic should be tunneled through the VPN Gateway. Enable/disable mobility per VPN or per group.
  • Page 405 /cfg/vpn <id> /sslclient/mobility/roamnets Roaming networks configuration [Roamnets menu] list - List all values add - Add a new value del - Delete a value by number
  • Page 406 /cfg/vpn <id> /sslclient/failover Client fail over configuration [Fail Over Menu] list - Lists all values add - Add a new value delete - Delete a value by number
  • Page 407 VPN to a specific VPN customer’s network, specifying the VPN customer’s DNS server, allocating licenses to the VPN and setting the rights for VPN administration. /cfg/vpn <id> /adv Advanced VPN Configuration - Set backend interface used by VPN...
  • Page 408 Secure Service Partitioning feature. This interface should be configured to process traffic relating to a specific VPN customer’s private network. For example, it has its own default gateway routing the customer’s backend traffic. To configure the interface, use the /cfg/sys/host #/interface command (see Configuration”...
  • Page 409 Allocation Configuration” (page …). Note: The license command is only available if the Secure Service Partitioning license is loaded. /cfg/vpn <id> /adv Advanced VPN Configuration. on: Sets the NVG to use the default routing for accounting services.
  • Page 410 The default value is false. Note: The vpnadmin command is only available if the Secure Service Partitioning license is loaded. all: Logs all following options, i.e. login, http, portal, reject, and socks. login: Logs Portal logins and logouts.
  • Page 411 VPN. If a Secure Service Partitioning license has been loaded, you can also specify local DNS servers to be used by the VPN. /cfg/vpn <id> /adv/dns DNS Settings Configuration. strict: When set to strict mode, the session information is recorded in the master-master database.
  • Page 412 The DNS servers menu is used to configure one or more DNS servers for the current VPN. This possibility is used together with the Secure Service Partitioning feature, to enable name resolution queries against the end-customers’ private DNS servers.
  • Page 413 Moves a DNS server up or down in the list of configured servers. The index numbers you specify must be in use. To view all DNS servers currently added to the VPN, use the list command.
  • Page 414 Authentication will then fail until the Node secret created check box is unchecked in the Edit Agent Host window on the RSA server. Deletes the current RSA server information.
  • Page 415 SSL and IPsec users to the currently selected VPN. A license is valid for a certain number of concurrent users, for example 1000. The license can be loaded to any master VPN Gateway in the cluster but is valid for the whole cluster.
  • Page 416 If a user logs in through IPsec and there is no IPsec user license available, an SSL user license will instead be used (if available). Note: This command is not available if the VPN Gateway software is run on the ASA 310 or ASA 410 hardware platforms.
  • Page 417 A TunnelGuard check is run and a portal matching the selected extended profiles is displayed. Table 168 Virtual desktop menu options (/cfg/vpn/<id>/vdesktop) Command Syntax and Usage /cfg/vpn <id> /vdesktop Virtual desktop configuration
  • Page 418 When set to on, save files and map drives through Windows SMB. cryptlevel Sets the encryption level for vdesktop. timeout Sets the inactivity timeout for vdesktop. The time should be entered in minutes.
  • Page 419: Cfg/ Vpn #/Syslog Syslog Vpn Configuration

    <id>/sslclient/mobility Mobility configuration [Mobility Menu] roaming - Enable mobility per VPN or per group roamtime - Mobility Roamtime per VPN or per group - List all values - Delete a value by number...
  • Page 420 Adds a roaming network. Deletes a roaming network. /cfg/vpn #/sslclient/adv Route table monitoring [Route table monitoring menu] routemon - Set the route table monitoring behavior on client.
  • Page 421 Setup" chapter in the User’s Guide. host Displays the iSD Host menu. To view menu options, see “/cfg/sys/host <id> iSD Host Configuration” (page 423). routes /cfg/sys System Configuration
  • Page 422 Trace menu (/cfg/ssl/server #/trace/ssldump|tcpdump). This command is used to improve security and cannot be reversed by other means than a boot install. “/cfg/sys/adm Administrative Applications Configuration” (page 460).
  • Page 423 The iSD Host menu is used for configuring basic TCP/IP properties for a particular VPN Gateway (iSD) in a cluster, as well as setting the VPN Gateway type to either master or slave. You can also halt, reboot or delete a VPN Gateway remotely through the iSD Host menu.
  • Page 424 Command Syntax and Usage The NVG software supports clustering over multiple subnets. If more than one VPN Gateway is required and the NVG you wish to join to the cluster is installed in a different subnet, the new VPN Gateway must be configured as a slave.
  • Page 425 IPsec (IPsec VPN client access). Available for 250, 500 and 1000 users. TPS (transactions per second). Available for 300 TPS and 1000 TPS. Required for the Nortel Application Switch 2424-SSL. Other hardware platforms: No license required. PortalGuard. Enables SSL acceleration of existing Portal (see the /cfg/vpn #/server/portal/authentica command).
  • Page 426 Stops the currently selected VPN Gateway. Always use this command before turning off the device. If the VPN Gateway you want to halt has become isolated from the cluster, you will receive an error message when performing the halt command. You can then try logging in to the VPN Gateway through a console connection (or a Telnet or SSH connection to the NVG’s individually assigned IP address) and use the...
  • Page 427 Log in as the admin user with the admin password to enter the Setup menu. Note 1: You cannot delete a VPN Gateway that is included in the cluster configuration of other NVGs if the VPN Gateway you want to delete is the only machine in the cluster with the status up.
  • Page 428 The Interface menu is used for configuring an IP interface and assigning physical ports (on the VPN Gateway) to this interface. If you add more than one port to an interface, the ports can be used in two different modes: failover or trunking.
  • Page 429 DNS servers), and only for VPNs that point to this interface (using the /cfg/vpn #/adv/interface command). If no VPN points to this interface, the gateway specified here will be ignored. When the NVG cluster is used for Secure Service Partitioning (hosting of multiple VPN customers), a default gateway should be specified here for each dedicated VPN interface.
  • Page 430 Removes the current interface from the system configuration. failover: In this mode, only one link is active at any given time. If a link is active on a port that fails, the active link is immediately switched over to one of the other configured ports.
  • Page 431 The interface ports configuration is only applied to those NVG devices in the cluster that are equipped with the physical port represented by the port number you specify.
  • Page 432 (duplex) mode are ignored. speed <port speed in Mbits per second [10|100|1000]> Sets the speed for the currently selected host and NIC port when autonegotiation is set to off.
  • Page 433 <destination IP address> <subnet mask> <gateway IP address> Adds a static route to the system configuration. Specify the destination IP address, the subnet mask, and the gateway IP address. /cfg/sys/time Date and Time Configuration [Date and Time Menu]...
  • Page 434 <IP address of NTP server> Adds an NTP server to the system configuration. The NTP server you add is used by the NTP client on the VPN Gateway to synchronize its clock. NTP should have access to a number of servers (at least three) to compensate for any discrepancies in the servers.
  • Page 435 <integer value> Sets the maximum number of times a DNS query is retransmitted. The default value is 3. ttl <integer value> /cfg/sys/dns DNS Settings Configuration...
  • Page 436 The default TTL value is 3 hours (3h). health <value in seconds> Sets the DNS server health check interval. The VPN Gateway will perform a DNS query to each of the DNS servers added to the system configuration at the specified interval to determine the health check status.
  • Page 437 /cfg/vpn #/adv/rsa command. Irrespective of where the RSA servers are configured, all configured RSA servers (both VPN-specific and global) will be available for selection using the /cfg/vpn #/aaa/auth #/rsa/rsaname command. /cfg/sys/rsa RSA Server Configuration...
  • Page 438 The Syslog Servers menu is used to configure syslog servers. The NVG software can send log messages to the specified syslog hosts. For a list of all log messages that the VPN Gateway can send to a syslog server, see Appendix C, Syslog Messages, in the User’s Guide.
  • Page 439 NVG. Otherwise the devices will not be able to communicate. This is however required only if the Access list consists of other entries, i.e. IP addresses for control of Telnet and SSH access. /cfg/sys/accesslist System Access Configuration...
  • Page 440 Adds a single machine, or a range of machines on a specific network, to the access list. Only those machines listed will be allowed to access the VPN Gateway through a Telnet or SSH connection (assuming that Telnet or SSH connections, or both, are enabled).
  • Page 441 Table 187 Administrative Applications Menu Options (/cfg/sys/adm) (cont’d.) Command Syntax and Usage Lets you enable SONMP (SynOptics Network Management Protocol) participation. SONMP is a Nortel-proprietary layer-2 protocol for discovering the topology of a network that contains SONMP-aware devices.
  • Page 442 Displays the HTTPS access menu. To view menu options, see “/cfg/sys/adm/https Browser-Based Management Configuration with SSL” (page 457). sshkeys Displays the SSH Host Keys menu. To view menu options, see “/cfg/sys/adm/sshkeys SSH Host Keys Configuration” (page 457).
  • Page 443 SNMP works by sending messages, called protocol data units (PDUs), to different parts of a network. SNMP-compliant agents on the VPN Gateways store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters.
  • Page 444 Designates a contact person for the managed NVG cluster, together with information on how to contact this person. snmpEnable disabled|enabled Enables or disables generating authentication failure traps. The default value is disabled. See “/cfg/sys/adm/snmp/users <number> SNMPv3...” (page 445).
  • Page 445 - Remove SNMP User. The SNMP User menu is used for adding an SNMPv3 user to the configuration, based on the User-based Security Model (USM) for version 3 of SNMP.
  • Page 446 Sets the authentication protocol for SNMP transmissions. The default value is md5. authpasswd <password of at least 8 characters> none: SNMP access is granted without authentication. auth: Sets the SNMP user password to be verified before granting SNMP access.
  • Page 447 Command Syntax and Usage ip <SNMP manager IP address> Sets the IP address of the SNMP manager, to which trap messages are sent. port <TCP port [162]>
  • Page 448 <name of monitor> To delete a previously configured monitor, type the name of the monitor following the delmonitor command. addevent Enter help addevent for on-screen instructions. (See “/cfg/sys/adm/snmp/users <number>...” (page 445).)
  • Page 449 Audit Menu Options (/cfg/sys/adm/audit) Command Syntax and Usage servers Displays the RADIUS Audit Servers menu. To view menu options, see “/cfg/sys/adm/audit/servers RADIUS Audit Server Configuration” (page 451). vendorid /cfg/sys/adm/audit Audit Configuration... (see also “/cfg/vpn <id>/aaa/radacct”)
  • Page 450 If you want to use a standard attribute type as defined in RFC 2865, set vendorid to 0. Then configure the desired standard attribute type as the vendor type value.
  • Page 451 Removes the specified RADIUS audit server from the configuration. Use the list command to display the index numbers of all added RADIUS audit servers. add <IP address> <TCP port number> <shared secret> (see “/cfg/sys/adm/audit/servers RADIUS...” (page 451)).
  • Page 452 For backup purposes, several RADIUS audit servers can be added. The VPN Gateway will contact the server with lowest index number first. If contact could not be established, the NVG will try to contact the server with the next index number in sequence and so on.
  • Page 453 The local passwords (for example the admin password) are used as fallback if the RADIUS servers are unreachable. Note that unwanted access to a VPN Gateway through serial cable will be possible if the network cable is disconnected and the local password is known.
  • Page 454 For backup purposes, several RADIUS servers can be added. The VPN Gateway will contact the server with lowest index number first. If contact could not be established, the NVG will try to contact the server with the next index number in sequence and so on.
  • Page 455 - Enable group attribute usage dis - Disable group attribute usage The RADIUS Group Attribute menu lets you configure the VPN Gateway to authorize administrator users based on a group attribute sent by the RADIUS authentication server. When the user is successfully authenticated, the RADIUS server returns the groups to which the user belongs.
  • Page 456 RFC 2865. For example, to use the standard attribute Class, set vendorid to 0 and vendortype to 25. Enables usage of group attributes (disabled by default). Disables usage of group attributes (disabled by default). See http://www.iana.org/
  • Page 457 - Disable server The HTTPS menu is used for enabling/disabling browser-based configuration of your VPN Gateway through a secure SSL tunnel. To access the Browser-Based Management Interface (BBI), enter the Management IP address assigned to your NVG cluster in your web browser.
  • Page 458 (MIP) will always appear to an SSH client to be to the same host. After having generated new SSH host keys, activate the new keys by using the apply command. show
  • Page 459 Command Syntax and Usage list Lists the type and fingerprint of the known SSH keys for remote hosts. Deletes the desired known SSH host key by index number.
  • Page 460 (only the boot user can do this). For more information about default user accounts and related access levels, see the "Accessing the NVG" section in the "Command Line Interface" chapter in the User’s Guide.
  • Page 461 <username> Displays the User <username> menu. To view menu options, see “/cfg/sys/user/edit <username> Edit User Menu” and "groups" (page 463). /cfg/sys/user User Access Configuration...
  • Page 462 The groups menu option gives access to the Groups menu, in which the group assignment for the specified users is set. - Login password - Groups menu...
  • Page 463 Groups Menu Options (/cfg/sys/user/edit/groups) Command Syntax and Usage list Lists the current group assignment of the specified user. del <group by index number>
  • Page 464 Host Interface Routes: No items configured Interface Ports: Host Port 1: Autonegotiation = on Speed = 0 Full or half duplex mode = full
  • Page 465 When translation is done, the file can be uploaded to a TFTP/FTP/SCP/SFTP server for import to the VPN Gateway using the import command (see above). list
  • Page 466 - To display the current configuration settings. All the log messages will be stored in the internal memory. Table 207 Citrix menu (/cfg/log/in-memory) Command Syntax Usage onoff
  • Page 467 Displays the following configuration settings: the internal memory status (whether it is set to on or off); the internal memory log status; the maximum number of messages in the memory (which is 300). /cfg/log/in-memory Internal memory configuration...
  • Page 468: /boot Boot Menu

    /boot Boot Menu The Boot menu is used for managing software versions, and to shutdown, reboot, or reset the configuration of a particular VPN Gateway. To use the Boot menu, you must be logged in as the Administrator user. [Boot Menu]...
  • Page 469 Log in as the admin user with the admin password to enter the Setup menu. Note 1: If you receive a warning saying that the VPN Gateway you are trying to delete has no contact with any (other) master VPN Gateway...
  • Page 470 The Software Management menu is used to show the current software status of the particular VPN Gateway to which you have connected. The menu is also used to download software upgrade packages through TFTP/FTP/SCP/SFTP, as well as activating or deleting a software upgrade package.
  • Page 471 After activating a software version indicated as either unpacked or old, that version’s status is propagated to permanent (after the VPN Gateway has performed a reboot). /boot/software/cur Current Software Status Command...
  • Page 472: /maint Maintenance Menu

    <destination file name> <collect info from all iSDs?> <FTP user name and password> Collects system log file information from the VPN Gateway you are connected to (or optionally, all NVGs in the cluster) and sends the information to a file in the gzip compressed tar format on the TFTP or FTP server you have specified.
  • Page 473 Checks if the VPN Gateway is able to contact configured gateways, routes, DNS servers and authentication servers. The command also checks if the VPN Gateway can connect to web servers specified in group links. Besides checking the connection, the method (for example ping) for checking each item is displayed.
  • Page 474 CLI, press ENTER to redisplay the CLI prompt. — ike: Logs any output that is produced by the IKE daemon, for example all messages related to actual ISAKMP negotiations between the client and the IKE daemon.
  • Page 475 SSL traffic again. For detailed information on how to perform this operation, see the section "An ASA HSM Stops Processing Traffic" in the "Troubleshooting the NVG" chapter in the User’s Guide. splitkey /maint/hsm Hardware Security Module Menu...
  • Page 476 HSM-USER is logged out from the HSM card. To resume normal operations after the HSM-SO iKey password has been changed, you will therefore be prompted to insert the HSM-USER iKey and specify the associated HSM-USER password.
  • Page 477: /maint/log Logging System Configuration

    Displays the following configuration settings: the internal memory status (whether it is set to on or off); the internal memory log status; the maximum number of messages in the memory (which is 300). /maint/log/in-memory Internal memory configuration...
  • Page 479: CLI Dumps

    0.0.0.0 rport 81 type http proxy on loopback on ena enabled /cfg/ssl/server 1/trace/. /cfg/ssl/server 1/ssl/. cert 1 cachesize 4000 cachettl 5m protocol ssl3
  • Page 480 /cfg/ssl/server 1/http/dynheader/. /cfg/ssl/server 1/http/rewrite/. rewrite off ciphers HIGH:MEDIUM response iSD URI "/cgi-bin/weakcipher" /cfg/ssl/server 1/http/auth/. mode basic realm Xnet proxy off ena disabled /cfg/ssl/server 1/dns/.
  • Page 481 /cfg/dump Configuration Dump (certificate data omitted)
  • Page 482 /cfg/vpn 1/aaa/auth 1/. type local name local /cfg/vpn 1/aaa/auth 1/local/. /cfg/vpn 1/aaa/auth 1/adv/. /cfg/vpn 1/aaa/network 1/. name intranet /cfg/vpn 1/aaa/network 1/subnet 1/. net 192.168.0.0
  • Page 483 22 /cfg/vpn 1/aaa/service 10/. name ftp protocol tcp ports 20,21 /cfg/vpn 1/aaa/service 11/. name smb protocol tcp /cfg/dump Configuration Dump...
  • Page 484 0 usertype advanced idlettl 0 sessionttl 0 vpnadmin false tgsrs srs-rule-test ippool 0 /cfg/vpn 1/aaa/group 2/linkset/. /cfg/vpn 1/aaa/group 2/extend 1/. filter tg_passed
  • Page 485 5m protocol ssl3 ciphers ALL@STRENGTH verify none ena enabled /cfg/vpn 1/server/tcp/. cwrite 15m ckeep 15m skeep 2m swrite 15m /cfg/dump Configuration Dump...
  • Page 486 /cfg/vpn 1/server/portal/urlrewrite/. rewrite on jrewrite on cssrewrite on gziprewrite on ena enabled /cfg/vpn 1/server/adv/. /cfg/vpn 1/server/adv/traflog/. sysloghost 0.0.0.0 udpport 514
  • Page 487 /cfg/vpn 1/portal/colors/. color1 #58b2c9 color2 #d0e4e9 color3 #2088a2 color4 #accdd5 /cfg/vpn 1/portal/content/. ena disabled /cfg/vpn 1/portal/faccess/. /cfg/dump Configuration Dump...
  • Page 488 <p>From this page you can gain full network access. This <strong>requires</strong> that Net Direct is enabled or that you have either Nortel&#039;s IPSEC client (version 4.89 or better) and/or SSL-VPN (TDI version 1.1 or better) client installed. If the Net Direct installable client is installed it will be used if Net Direct is enabled.</p>...
  • Page 489 /cfg/sys/host 1/. type master ip 10.1.82.145 gateway 10.1.82.2 /cfg/sys/host 1/routes/. /cfg/sys/host 1/interface 1/. ip 10.1.82.145 netmask 255.255.255.0 gateway 0.0.0.0 vlanid 0 /cfg/dump Configuration Dump...
  • Page 490 /cfg/sys/adm/snmp/. ena true versions v1,v2c,v3 /cfg/sys/adm/snmp/snmpv2-mib/. snmpEnableAuthenTraps disabled /cfg/sys/adm/snmp/community/. read public trap trap /cfg/sys/adm/snmp/event/. /cfg/sys/adm/audit/. vendorid "1872 (alteon)" vendortype 2 ena false
  • Page 493 SSL server. The command is also available for portal servers (/cfg/vpn #/server/trace/tcpdump). Below is an example of TCP traffic captured for a portal server.
  • Page 494 45) 10.1.82.145.1087 > 10.1.0.10.53: [udp sum ok] 0 NS? . (17) 16:45:28.293998 IP (tos 0x0, ttl 63, id 65210, offset 0, flags [none], length:
  • Page 495: Index

    LDAP menu command 197 activesess Cluster wide IPsec stats for VPN menu command 67 IPsec statistics menu command 64 Single iSD IPsec stats for VPN menu command 75 Single iSD IPsec stats menu command 72...
  • Page 496: Command Reference

    Portal settings menu command 284 Authentication menu 177 authorder, AAA menu command 166 authpasswd, SNMP users menu command 446 authproto, SNMP users menu command 446 authserver, Client Filter menu command 234 authtype Branch office tunnel profile menu...
  • Page 497: Command Reference

    Single iSD SSL statistics server menu command 58 cachehits Cluster Wide SSL Statistics Server menu command 47, 50 Single iSD SSL statistics server menu command 58 cachemisses Cluster Wide SSL Statistics Server menu command 47, 50...
  • Page 498: Command Reference

    User tunnel profile (IPsec) menu command 304 VPN menu command 163 client authentication 269 specify CA certificate 97, 267 specify level of 98, 269 client certificate authentication 222 client certificates generate 152 list revoked 157...
  • Page 499 219 main menu 81 master 423 Network Time Protocol (NTP) 434 physical ports on interface 431 portal links 341 RADIUS accounting 259 RADIUS auditing 449, 452, 454 RADIUS authentication 181 restore from TFTP server 84...
  • Page 500: Command Reference

    Boot menu command 469 Host Interface menu command 429 iSD Host menu command 423 delevent, SNMP Event menu command 449 delmonitor, SNMP Event menu command 448 des_md5, IKE encryption menu command 298 des_sha, IKE encryption menu...
  • Page 501: Command Reference

    Statistics menu command 42 dump configuration on screen 85 dumplogs, Maintenance menu command 472 dumpstat, Maintenance menu command 473 dynheader, HTTP Settings menu command 103 Audit menu command 450 Automatic CRL menu command 160 HTTP menu command 457...
  • Page 502: Command Reference

    203 extend, Group menu command 238 Extended Profile menu 249 external, Link menu command 344 faccess, Portal menu command 327 facility, Traffic Log Settings menu command 129, 289 failedsess Cluster wide IPsec stats for VPN...
  • Page 503: Command Reference

    (global command) 13 hidepf WTS menu command 378 history functions, command line 16 hmac_md5, IKE encryption menu command 298 hmac_sha, IKE encryption menu command 298 hmap, Port forwarder tunnel menu command 357 host Iauto Settings menu command 389...
  • Page 504: Command Reference

    Advanced menu command 408 Interface menu 428 Interface Ports menu 431 interface, iSD Host menu command 423 internal, Link menu command 344 interval Automatic CRL menu command 160 IKE dead peer menu command 301 Load Balancing Settings menu...
  • Page 505: Command Reference

    Linksets menu 248 linktext, Portal menu command 325 linkurl, Portal menu command 325 linkwidth, Portal menu command 326 list Language support menu command 465 Local database menu command 219 Portal language menu command 335–336 Revocation menu command 157 syslog per vpn Menu 416 WTS menu command 419–420...
  • Page 506: Command Reference

    Branch office tunnel profile menu command 313 name Appspec menu command 232 Authentication menu command 177 Branch office tunnel profile menu command 311 Certificate menu command 150 Client Filter menu command 234 Cookie Settings menu command 134 Group menu command 238 IKE profile menu command 295...
  • Page 507: Command Reference

    User tunnel profile (IPsec) menu command 304 Pool Settings menu 127 poolstatus, Single iSD SSL statistics server menu command 58 port Backend Server menu command 144 HTTP menu command 457 HTTPS menu command 457 Notification Target menu command 447...
  • Page 508: Command Reference

    WholeSecurity menu command 176 WTS menu command 377, 466, 477 quick AAA setup wizard 164 quiet (screen display option) 15 radacct, AAA menu command 169 RADIUS Accounting menu 259 RADIUS Accounting Servers menu 260 RADIUS Audit Server menu 451...
  • Page 509: Command Reference

    Routes menu 433 rport Port forwarder tunnel menu command 357 Server menu command 91 Advanced menu command 409 System menu command 422 RSA SecurID menu 218 RSA servers menu 437 rsa, Authentication menu command 179...
  • Page 510: Command Reference

    18 show Certificate menu command 155 SSH Host Keys menu command 458 sign, Certificate menu command 153 Single iSD Statistics menu 56 Single iSD Statistics Server menu 57 SiteMinder Menu 207...
  • Page 511: Command Reference

    141, 148 SSL menu 86 SSL server (portal) menu 262 SSL Settings menu 96 SSL settings menu (portal server) 266 SSL VPN client, enable full access 332 ssl, License allocation menu command 415 sslaccept, Statistics menu command 43...
  • Page 512: Command Reference

    84 AAA menu command 164 Client filter menu command 234 tgsrs, Group menu command 238 theme, Portal Colors menu command 330 time Date and Time menu command 434 specify system 434 timeout...
  • Page 513: Command Reference

    Extended Profile menu command 251 Group menu command 238 utunnel, IPsec menu command 255 utunprof, IPsec menu command 293 validate, Certificate menu command 156 validatedn, Advanced menu command 226 <var clicert>, variable 22 <var domain>, variable 22 <var group>, variable 22...
  • Page 514: Command Reference

    381 WTS menu command 378 write, SNMP Community menu command 445 Link menu command 344 xfilteratt, Advanced LDAP menu command 204 xfilterval, Advanced LDAP menu command 204 xmlconfig, SSL VPN Client menu...
This manual is also suitable for:

3070 NVG, 3050 NVG, 3070 SVM, 10001000 configuration guide