Page 2
Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks. *Nortel, Nortel Networks, the Nortel logo and the Globemark are trademarks of Nortel Networks. Export This product, software and related technology is subject to U.S.
How to Get Help (page 10)
• Getting help from the Nortel Web site (page 10)
• Getting help over the phone from a Nortel Solutions Center
• Getting help from a specialist by using an Express Routing Code
• Getting help through a Nortel distributor or reseller...
VPN management guide intended for end-customers in a Secure Service Partitioning configuration. • VPN Gateway 3050/3070 Hardware Installation Guide (part number 216213-B, March 2005) Describes installation of the VPN Gateway 3050 and 3070 hardware models. • VPN Gateway 7.0 Release Notes (part number 216372-P, September 2007) Lists new features available in version 7.0 and provides up-to-date...
Preface. Product Names. The software described in this manual runs on several different hardware models. Whenever the terms Nortel VPN Gateway, VPN Gateway or NVG are used in the documentation, the following hardware models are implied: • Nortel VPN Gateway 3050 (NVG 3050) •...
This section explains how to get help for Nortel products and services. Getting help from Nortel Web site The best way to get technical support for Nortel products is from the Nortel Technical Support Web site: This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products.
Page 29
Information Menu Options (/info) (cont’d.) Command Syntax and Usage For a sample screen output, see Note: This command is not available if the VPN Gateway software runs on the ASA 310 or ASA 410 hardware platforms. botuns <VPN ID> <prefix>...
Page 30
IP, login time, user groups to which the user belongs, source IP allocated from IP pool and user profile information (access method, source IP, authentication server, client certificate present, Nortel IE cache wiper running, Tunnel Guard activated, domain). For a sample screen output, see...
Page 31
VPN Gateway to which you have connected. If you have connected to the MIP address, the information displayed relates to the VPN Gateway in the cluster that is currently in control of the MIP. If more than one network is configured in the cluster, Ethernet statistics for the respective networks are displayed.
Page 32
(NIC) on the particular VPN Gateway to which you have connected. If you have connected to the MIP address, the information displayed relates to the VPN Gateway in the cluster that is currently in control of the MIP. For each port, the link status (up/down) and the Ethernet autonegotiation setting (on/off) are shown.
Page 35
VPN Gateway and the destination host), the outer IP address (i.e. the IP address from which the remote user connects to the VPN Gateway), encrypted data in kBytes and decrypted data in kBytes. The output also shows the time the tunnel has been active (hours:minutes:seconds).
Page 37
An IP address from the IP pool is allocated as source IP address to unencrypted connections between the VPN Gateway and the requested destination when the remote user connects to the VPN Gateway through the Net Direct client or the Nortel IPsec VPN client (formerly the Contivity VPN client). info/ip Ip Command >>...
Page 38
allocated from IP pool and user profile information (access method, source IP, authentication server, client certificate present, Nortel IE cache wiper running, Tunnel Guard activated, domain). /info/sonmp Sonmp Command >> Information# sonmp Slot IP address Seg MAC address...
Page 40
VPN Gateways in the cluster. An asterisk (*) in the MIP column indicates which VPN Gateway in the cluster is currently in control of the Management IP. An asterisk (*) in the Local column indicates the particular VPN Gateway to which you have connected.
Displays the IPsec statistics menu. To view menu options, see “/stats/ipsec IPsec Statistics Menu” (page Note: This command is not available if the VPN Gateway software is run on the ASA 310 or ASA 410 hardware platforms. Displays the AAA statistics menu. To view menu options, see “/stats/aaa AAA Statistics Menu”...
Page 56
The output shows all SSL statistics per VPN Gateway, except the histograms. The statistics are presented per virtual SSL server for each VPN Gateway. The sample output above shows two virtual SSL servers. The server with number 1 is a virtual SSL server configured under /cfg/ssl.
Page 57
Displays various SSL properties for incoming client connections, as well as HTTP-related statistics. The statistics are presented for each virtual SSL server in the cluster, but where the figures relate only to the currently specified VPN Gateway. Histograms are not included in the output. /stats/sslstats/local/isdhost <number> /server <number>...
Page 58
SSL server on the currently selected VPN Gateway. The values are unique for the selected VPN Gateway, because the figures depend on the Nortel Application Switch load balancing configuration of the server group in which the VPN Gateway resides. The dump command will display all statistics available through the individual commands in the menu, except the health check status, pool status, and histograms.
Page 59
IP address specified as the Real Server IP (RIP) for the current virtual SSL server is listed under the RIP column. When using the NVG together with a Nortel Application Switch, the RIP typically corresponds to 0.0.0.0. By specifying 0.0.0.0 as the Real...
Page 62
Displays the number of failed connections to backend servers. Displays the number of SSL transactions per second as performed by the specified virtual SSL server on the currently selected VPN Gateway. tpshisto Displays histograms of the number of SSL transactions per second for the specified virtual SSL server, as performed on the currently selected VPN Gateway.
Page 70
The Local IPsec Statistics menu is used for viewing IPsec statistics per VPN Gateway (iSD), if the cluster consists of several devices. For each VPN Gateway, the statistics are shown per VPN. Using the isdhost command, you can view statistics for specific VPN Gateways in the cluster.
Page 72
- Dump all information The Single ISD IPsec Statistics menu is used for viewing IPsec statistics for a specific VPN Gateway (iSD), i.e. the statistics do not relate to the whole cluster of VPN Gateways. The statistics are shown per VPN.
Page 75
- Dump all information The Single ISD IPsec Statistics for VPN menu is used for viewing IPsec statistics for a specific VPN on the selected VPN Gateway (iSD). Table 18 Single ISD IPsec Statistics for VPN Menu Options (/stats/ipsec/local/isdh...
Page 76
Displays the number of encoded kBytes per second during the last minute, for user tunnels on the selected VPN Gateway and VPN. boenc Displays the number of encoded kBytes per second during the last minute, for branch office tunnels on the selected VPN Gateway and VPN.
Page 77
Single ISD IPsec Statistics for VPN Menu Options (/stats/ipsec/local/isdhost/vpn) (cont’d.) Command Syntax and Usage Displays the number of decoded kBytes per second during the last minute, for branch office tunnels on the selected VPN Gateway and VPN. sesshisto Displays IPsec session histograms for the selected VPN Gateway and VPN.
Page 78
- Dump all information The AAA Statistics menu is used for viewing authentication statistics related to the NVG cluster as a whole, or to one specific VPN Gateway in the cluster. The number of accepted and rejected authentication requests of VPN users are listed for each configured authentication method and authentication server.
Page 82
Name of VPN. Lets you enter a name for the VPN, for example My VPN. VPN used with Alteon switch yes/no. Choose yes if a Nortel Application Switch (formerly Alteon Application Switch) is connected to the VPN Gateway, otherwise choose no. If set to no, the portal server will be set to standalone mode.
Page 83
You can read more about IPsec in the "Transparent Mode" chapter in the Application Guide for VPN. Net Direct. Lets you configure the VPN Gateway to allow use with the Net Direct client (SSL VPN client downloadable from Portal).
Page 85
When pasted, the content is batch processed by the VPN Gateway. To view the pending configuration changes resulting from the batch processing, use the diff command. To apply the configuration changes, use the apply command.
Page 87
SSL server. When executing the test command, you are asked to specify the IP address of a virtual server (defined on the Nortel Application Switch). The virtual server you specify will then make use of the services the test SSL server provides (HTTPS offload by default).
Page 88
The real Web servers must also be configured to listen for NVG traffic on port 81. For security reasons, it is also important to define a filter on the Nortel Application Switch that blocks all incoming client traffic destined for port 81.
Page 90
"Stand-alone Web Server Accelerator" chapter in the Application Guide for SSL Acceleration. off: When set to off, the VPN Gateway is connected to a Nortel Application Switch for SSL offload purposes. The IP address set with the vips command corresponds to a virtual IP address on the Nortel Application Switch.
Page 91
(the default setting). This setting instructs the VPN Gateway to use the destination IP address found in the received packets, when initiating requests to the virtual server on the Nortel Application Switch to which the virtual SSL server has been mapped.
Page 92
Gateway ’s IP address (which is "transparent" to the real servers). To use the Transparent proxy mode, you need to make sure all client traffic is routed back to the clients through the Nortel Application Switch. The NVG real server group defined on the Nortel Application Switch must...
Page 93
VPN Gateway works in non-transparent proxy mode. When using non-transparent proxy mode, the firewall redirect hash method must not be applied to any real ports on the Nortel Application Switch. The default proxy mode value is on.
Page 94
The Trace menu is used for capturing and analyzing SSL and TCP traffic flowing between clients and the selected virtual SSL server on the VPN Gateway. The commands can be useful for debugging purposes. The ssldump command will decrypt transmitted data traffic, provided private keys and certificates have been configured properly on the selected virtual SSL server.
Page 100
The default client keep alive timeout value is 15m = 15 minutes. skeep <SSL VPN client keep alive timeout> If the SSL VPN client stops communicating with the VPN Gateway, this timeout value determines for how long the SSL VPN client should be kept alive before the remote user is logged out.
Page 104
Command Syntax and Usage
    Server: inets/2.5.3
    Location: http://www.example.com:81/login
• With redirect set to on, the VPN Gateway rewrites http:// to https:// according to the following pattern:
    HTTP/1.0 302 Moved Temporarily
    Date: Thu, 01 Oct 2005 16:27:51 GMT
    Server: inets/2.5.3
    Location: https://www.example.com/login
    HTTP/1.0 302 Moved...
Page 105
Note: When using the redirect feature, the VPN Gateway must be configured to use a DNS server, and the responding DNS server must be able to perform reverse DNS lookups. When the VPN Gateway performs a reverse DNS query of the virtual server IP address (VIP), the resolved name must match the domain name in the Host header of the client request.
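The Location rewrite and the reverse-DNS check described above, as an added example written for this page (it is not Nortel's code and does not claim to reproduce the gateway's implementation). The resolver is injected and backed by a constructed PTR table so the example runs offline; the addresses and names are invented. One assumption is this example's own: only a Location that points at the host named in the client's Host header is rewritten, and the backend port (81 by default) is dropped so the client comes back over HTTPS.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed reverse-DNS (PTR) table standing in for the DNS server the
# gateway queries; the address and name are invented for this example.
CONSTRUCTED_PTR = {"10.0.0.1": "www.example.com"}


def reverse_lookup(vip, ptr_table=CONSTRUCTED_PTR):
    """Return the PTR name for the virtual server IP, or None if there is none."""
    return ptr_table.get(vip)


def rewrite_location(location, host_header, vip, backend_port=81,
                     resolver=reverse_lookup):
    """Rewrite a backend Location header the way the redirect feature does:
    http://host:81/path becomes https://host/path.

    Before rewriting, the reverse lookup of the VIP must match the domain in
    the client's Host header (the Note above); if it does not, the gateway
    cannot redirect and this raises ValueError.  Assumption (this example's):
    a Location pointing at some other host is passed through untouched.
    """
    parts = urlsplit(location)
    if parts.scheme != "http" or not parts.hostname:
        return location                      # already https, or relative
    host = host_header.split(":", 1)[0].strip().lower()
    resolved = resolver(vip)
    if resolved is None or resolved.lower() != host:
        raise ValueError(
            f"reverse DNS for {vip} gave {resolved!r}, Host header is {host!r}")
    if parts.hostname.lower() != host:
        return location
    # Drop the backend port; the client must come back on the HTTPS port.
    netloc = host if parts.port in (None, backend_port) else f"{host}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

With redirect set to on, the response the client sees is the 302 shown above with the rewritten Location; if the PTR record for the VIP does not match the Host header, no rewrite is possible, which is why the DNS requirement in the Note is a hard one.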
Page 106
Command Syntax and Usage • on: The VPN Gateway sets the Secure attribute on the NVG session cookie and all Set-Cookie headers generated by backend servers. It directs the user agent to use only secure means to contact the origin server whenever it sends back this cookie.
Page 107
Such a decision would then override the default cipher suite setting for a virtual SSL server on the VPN Gateway. Example of an added X-SSL header: X-SSL: decrypted=true, ciphers="TLSv1/SSLv3 RC4-MD5"...
Page 108
The default value for the addxfor setting is off. Note: If there is more than one NVG in a cluster and transparent proxy is set to off, then firewall load balancing (on the Nortel Application Switch) must also be set to off for the addxfor feature to work.
Page 109
VPN Gateway. When added, the extra HTTP-X-ISD header contains information about the IP addresses of both the VPN Gateway that initiated the request and the responding backend server, the internal index number of the...
Page 111
Command Syntax and Usage Specifies how the virtual SSL server handles the optional X-Client-Cert HTTP header. When added, the VPN Gateway will insert the entire client certificate (in PEM format) as a multiline HTTP header. The backend web servers can then perform additional user authentication, based on the information in the client certificate.
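The X-SSL, X-Forwarded-For and X-Client-Cert headers described on these pages are only meaningful on the backend if the backend refuses them from anyone but the gateway: a client that can reach the real server directly (for example over port 81 without the switch filter mentioned earlier) could set the same headers itself. The following backend-side handling is an added example written for this page, not Nortel's code. The trusted gateway address, the request and the certificate bytes are constructed; the PEM body is a placeholder, not a real certificate; and the folding of the multi-line X-Client-Cert header (continuation lines starting with whitespace) is an assumption about the wire format.

```python
import base64
import hashlib

# Constructed: the address(es) the gateway connects to the backend from.
# Only requests from here may carry trusted gateway headers.
TRUSTED_GATEWAYS = {"192.0.2.10"}

# Constructed placeholder DER bytes, not a real certificate; enough to show
# how the multi-line PEM header is carried and fingerprinted.
CONSTRUCTED_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
CONSTRUCTED_PEM_LINES = [
    "-----BEGIN CERTIFICATE-----",
    base64.b64encode(CONSTRUCTED_DER).decode("ascii"),
    "-----END CERTIFICATE-----",
]
# Constructed request as the backend would see it (assumption: the multi-line
# header is folded with leading whitespace on continuation lines).
CONSTRUCTED_REQUEST = "\r\n".join([
    "GET /app HTTP/1.0",
    "Host: www.example.com",
    "X-Forwarded-For: 203.0.113.5",
    'X-SSL: decrypted=true, ciphers="TLSv1/SSLv3 RC4-MD5"',
    "X-Client-Cert: " + CONSTRUCTED_PEM_LINES[0],
    " " + CONSTRUCTED_PEM_LINES[1],
    " " + CONSTRUCTED_PEM_LINES[2],
    "", "",
])


def unfold_headers(raw):
    """Parse header lines into a lower-cased dict, joining folded
    continuation lines (leading SP/HTAB) onto the previous header."""
    headers, name = {}, None
    for line in raw.split("\r\n"):
        if not line:
            continue
        if line[0] in " \t" and name is not None:
            headers[name] += "\n" + line.strip()
            continue
        if ":" not in line:              # request line: skip
            name = None
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers[name] = value.strip()
    return headers


def parse_x_ssl(value):
    """Parse 'decrypted=true, ciphers="TLSv1/SSLv3 RC4-MD5"' into a dict."""
    out = {}
    for item in value.split(","):
        key, _, val = item.partition("=")
        if key.strip():
            out[key.strip()] = val.strip().strip('"')
    return out


def client_cert_fingerprint(pem):
    """SHA-256 over the DER inside a PEM certificate block."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        raise ValueError("X-Client-Cert is not a PEM certificate")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    return hashlib.sha256(der).hexdigest()


def authenticate_request(peer_ip, raw_request):
    """Return (client_ip, tls_info, cert_fingerprint) for a request that came
    from a trusted gateway, or None so the caller treats it as unauthenticated
    instead of trusting headers any direct client could have forged."""
    if peer_ip not in TRUSTED_GATEWAYS:
        return None
    headers = unfold_headers(raw_request)
    # The gateway's own entry is the last one it appended, so take the last.
    client_ip = headers.get("x-forwarded-for", peer_ip).split(",")[-1].strip()
    tls_info = parse_x_ssl(headers.get("x-ssl", ""))
    pem = headers.get("x-client-cert")
    fingerprint = client_cert_fingerprint(pem) if pem else None
    return client_ip, tls_info, fingerprint
```

The fingerprint is what a backend would look up in its own user mapping; with a real certificate the PEM could equally be handed to an X.509 parser for the subject fields, but the trust decision on the peer address has to come first either way.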
Page 112
Specifies how the virtual SSL server handles the Host header in an HTTP client connection request. The rhost setting is mainly used when configuring the VPN Gateway for Global Server Load Balancing in conjunction with the related Nortel Application Switch settings. Valid options for the rhost command are: •...
Page 117
Appendix A, Supported Ciphers, in the User’s Guide. response iSD|WebServer Specifies whether the iSD (VPN Gateway) or a web server should handle the response message sent back to the client. When response is set to WebServer, use the URI command to point to a resource on a web server that can provide a customized error message.
Page 120
- Set vpn defgroup - Set default group From VPN Gateway version 4.1, SOCKS support is also enabled for portal servers. The Socks Settings menu is still available for backward compatibility and for customers who want support for the SSL VPN client only (that is...
Page 125
A match of the defined string will only occur if the match string is found in one of the known methods listed below. — unknown: unknown method for the VPN Gateway. A match will only occur if a method other than the known methods is found.
Page 126
A match will only occur if the match string is found in one of the known headers. — other: unknown header field for the VPN Gateway. A match will only occur if a header other than the known headers is found. (If...
Page 127
- Disable connection pooling The Pool Settings menu is used for configuring the connection pooling settings of the VPN Gateway. Connection pooling provides for the reuse of SSL sessions to improve throughput. When the VPN Gateway load balances the backend servers, it can pool both encrypted (port 443) and unencrypted (port 81) server side connections.
Page 128
In general, it is therefore recommended that traffic logging is performed on the backend web servers instead. The traffic logging performed by backend web servers can be enhanced by configuring the VPN Gateway to add certain HTTP headers. For more information about available extra HTTP headers, see the HTTP Settings menu on /server/http HTTP Settings Configuration”...
Page 133
Sets the interval in seconds for health checks of the backend servers to occur. The default health check interval is 10 seconds. Note: Each VPN Gateway in the cluster performs its own health checking of backend servers. Therefore, if you set the health check interval to a low value, a considerable amount of network traffic may be generated.
Page 134
(i): Insert mode. When a client sends a connection request without a cookie, the backend server responds with the requested data, and the VPN Gateway inserts a cookie into the data packet. The VPN Gateway then uses this cookie on all subsequent...
Page 135
— If the backend server embeds a string of characters as the cookie value, the VPN Gateway will perform a hash on the cookie value. The VPN Gateway will then select a backend server and direct all subsequent traffic within a given session to the same backend server, based on the hashed cookie value.
Page 137
For Insert or Rewrite cookie mode, if you want the VPN Gateway to include both the IP address of the backend server and the IP address of the virtual server (the VIP on the Nortel Application Switch) in the cookie value, you must set the cookie length to 16.
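The persistence logic described on these pages, as an added example written for this page (not Nortel's code, and not a claim about the gateway's actual hash or cookie layout): passive mode hashes the backend-issued cookie value onto the pool, and Insert/Rewrite mode issues a 16-character value carrying the backend IP and the VIP. The layout chosen here (both IPv4 addresses hex-encoded, backend first) and the pool addresses are this example's assumptions. The check a practitioner would want is in route(): a decoded cookie is only honoured if it names a backend in the configured pool and this VIP, so a tampered cookie cannot steer traffic to an arbitrary address.

```python
import hashlib
import ipaddress

# Constructed backend pool and VIP; the gateway only ever persists to an
# address it was configured with.
CONSTRUCTED_BACKENDS = ["10.1.1.2", "10.1.1.3", "10.1.1.4"]
CONSTRUCTED_VIP = "192.0.2.1"


def select_backend_by_hash(cookie_value, backends):
    """Passive mode: hash the server-issued cookie value and map it onto the
    pool, so every request in the session lands on the same backend.
    (Which hash the gateway uses is not stated on this page; SHA-256 here.)"""
    digest = hashlib.sha256(cookie_value.encode("utf-8")).digest()
    return backends[int.from_bytes(digest[:4], "big") % len(backends)]


def insert_cookie_value(backend_ip, vip):
    """Insert/Rewrite mode with cookie length 16: assumed layout is both IPv4
    addresses hex-encoded, backend first (8 hex characters each)."""
    return "%08x%08x" % (int(ipaddress.IPv4Address(backend_ip)),
                         int(ipaddress.IPv4Address(vip)))


def decode_cookie_value(value):
    """Inverse of insert_cookie_value; None if the value is not one of ours."""
    if len(value) != 16:
        return None
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return None
    return (str(ipaddress.IPv4Address(raw[:4])),
            str(ipaddress.IPv4Address(raw[4:])))


def route(cookie_value, backends, vip):
    """Pick the backend for a request.  A decoded cookie is honoured only if
    it names a backend in the configured pool and our VIP; anything else
    (a tampered or foreign cookie) falls back to hash selection."""
    decoded = decode_cookie_value(cookie_value)
    if decoded and decoded[0] in backends and decoded[1] == vip:
        return decoded[0]
    return select_backend_by_hash(cookie_value, backends)
```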
Page 150
When adding a new certificate, specify an unused index number. You can add up to 1500 certificates to the VPN Gateway. Any unused index number can be assigned to a certificate, including numbers higher than 1500. To view basic information about all certificates added to the VPN Gateway, use the /info/certs command.
Page 151
When using the cert command to add a certificate to the VPN Gateway, the certificate (and key, if present) must be in the PEM format. If a certificate is already installed using the current certificate index number, that certificate will be overwritten by pasting another certificate to the same index number.
Page 152
X509v3 Basic Constraints property in the generated certificate. The properties of a certificate available on the VPN Gateway can be viewed by entering the following command: /cfg/cert #/show client: Generates a client certificate that is signed using the private key associated with the currently selected certificate.
Page 153
SSL server to perform end to end encryption, and you want to sign a CSR generated on a backend web server by using a CA certificate on the VPN Gateway. (The signed CSR can then be installed on the backend web server as a server certificate).
Page 154
MS IIS 4. Keys from Netscape Enterprise Server or iPlanet Server can also be imported, but require that you first use a conversion tool. Contact Nortel for more information about the conversion tool.
Page 156
Provides information about how the private key associated with the currently selected certificate is protected. For VPN Gateways without the HSM card, private keys are protected by the cluster. For the ASA FIPS, private keys are protected by the HSM card.
Page 162
DNS name) should be entered in the client browser’s address field. For SSL VPN client connections (SOCKS encapsulated in SSL), the portal IP address or DNS name should be configured in the Nortel SSL VPN client. For IPsec connections, the portal IP address should be configured in the Nortel IPsec VPN client (formerly Contivity).
Page 163
Portal’s Home tab. To view menu options, see <id> Linkset Configuration” (page sslclient Displays the SSL VPN Client menu used for configuring the Nortel SSL VPN client settings. To view menu options, see Net Direct and SSL VPN Client Configuration” (page Displays the Advanced menu including options to configure a backend interface and a dedicated DNS server for the current VPN.
Page 165
When closed, the user must provide his or her user name and password to log in again. This option helps prevent allocation of resources on the VPN Gateway for sessions that are no longer active. When 10% of the portal idle timeout is reached, a logout warning window is displayed.
Page 174
<value in seconds> Lets you specify the interval between connection attempts from the Tunnel Guard server (on the VPN Gateway) to the Tunnel Guard client (on the client machine). This setting only applies to clients with the Tunnel Guard application installed, not to Tunnel Guard applets downloaded from the Portal.
Page 175
<version number as N.N.N.N> Lets you enter the minimum version of the Tunnel Guard agent. Clients with an older version will not be able to connect to the VPN Gateway. This setting only applies to clients with the Tunnel Guard application installed, not to Tunnel Guard applets downloaded from the Portal.
Page 178
Lets you specify a display name for the current authentication method. The name is displayed in the Login Service list box on the Portal login page and in the Nortel SSL VPN client’s login window. The user can thus select a specific authentication server, for example for token authentication or direction to a specific Windows domain.
Page 186
0. Then configure the desired standard attribute type as the vendor type value (see next command). Note: If both Vendor-Id and Vendor-Type are set to 0, the VPN Gateway will pick up the Idle-Timeout standard attribute (if sent from the RADIUS server).
Page 188
Session Timeout Menu Options (/cfg/vpn/aaa/auth/radius/sessiontim) (cont’d.) Command Syntax and Usage Note: If both Vendor-Id and Vendor-Type are set to 0, the VPN Gateway will pick up the Session-Timeout standard attribute (if sent from the RADIUS server). If vendor-specific attributes are specified on the RADIUS server and in the CLI (using Vendor-Id and Vendor-Type), the standard attribute will be overridden.
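The attribute precedence described for the Idle Timeout and Session Timeout menus, as an added example written for this page (not Nortel's code): a RADIUS attribute parser for the standard TLVs and the Vendor-Specific (type 26) sub-attribute format of RFC 2865, and a resolver applying the rule above. The Access-Accept below is constructed, the vendor id and type are invented, and one fallback is this example's assumption rather than the page's statement: if a VSA is configured but the server did not send it, the standard attribute is used.

```python
import struct

SESSION_TIMEOUT, IDLE_TIMEOUT, VENDOR_SPECIFIC = 27, 28, 26   # RFC 2865 types


def parse_attributes(payload):
    """Parse the attribute area of a RADIUS packet into a list of
    (type, vendor_id, vendor_type, value); plain attributes carry 0/0."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length")
        value = payload[i + 2:i + length]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("short Vendor-Specific attribute")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("bad vendor attribute length")
            attrs.append((atype, vendor_id, vtype, value[6:4 + vlen]))
        else:
            attrs.append((atype, 0, 0, value))
        i += length
    return attrs


def resolve_timeout(attrs, standard_type, vendor_id, vendor_type):
    """Vendor-Id and Vendor-Type both 0: use the standard attribute.
    Otherwise a matching VSA sent by the server overrides it.  Assumption
    (this example's): a configured VSA the server did not send falls back to
    the standard attribute.  Returns seconds, or None if nothing was sent."""
    chosen = next((v for t, _, _, v in attrs if t == standard_type), None)
    if vendor_id or vendor_type:
        vsa = next((v for t, vid, vt, v in attrs
                    if t == VENDOR_SPECIFIC and vid == vendor_id and vt == vendor_type),
                   None)
        if vsa is not None:
            chosen = vsa
    if chosen is None:
        return None
    if len(chosen) != 4:
        raise ValueError("timeout attribute must be a 4-byte integer")
    return struct.unpack("!I", chosen)[0]


def build_attr(atype, value):
    """Encode one standard attribute: type, length (incl. header), value."""
    return bytes([atype, 2 + len(value)]) + value


def build_vsa(vendor_id, vtype, value):
    """Encode a Vendor-Specific attribute wrapping one vendor sub-attribute."""
    inner = bytes([vtype, 2 + len(value)]) + value
    return build_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


# Constructed Access-Accept attribute area (no real server involved):
# standard Idle-Timeout 600 s, Session-Timeout 3600 s, plus an invented
# vendor 99999 / type 7 attribute carrying 1800 s.
CONSTRUCTED_ACCEPT = (build_attr(IDLE_TIMEOUT, struct.pack("!I", 600))
                      + build_attr(SESSION_TIMEOUT, struct.pack("!I", 3600))
                      + build_vsa(99999, 7, struct.pack("!I", 1800)))
```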
Page 190
- Disable Radius Network Attribute The RADIUS Network Attributes menu is used to configure the VPN Gateway to retrieve network attributes from an external RADIUS server. The network attributes are automatically assigned to IPsec VPN client sessions once the user is successfully authenticated to the RADIUS server.
Page 194
The DN assigned here should point to a position in the DIT from where all user records can be found, using a subtree search. To be able to search the DIT, the VPN Gateway must authenticate itself towards the LDAP server, according to the settings made with the isdbinddn and isdbindpas commands.
Page 195
Thus, if userattr is defined as sAMAccountName, the user record Bill Smith will be found. To be able to search the DIT, the VPN Gateway must authenticate itself towards the LDAP server, according to the settings made with the isdbinddn and isdbindpas commands.
Page 196
Command Syntax and Usage By setting this command to true, LDAP requests between the VPN Gateway and the LDAP server will be made using a secure SSL connection, i.e. LDAPS. When applying the changes, a warning message will be displayed if the LDAP server ports are not the standard LDAPS ones (i.e.
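The user lookup described above (bind with the isdbinddn/isdbindpas credentials, then a subtree search from the configured base DN matching userattr against the login name) has one detail a practitioner must get right: the login name goes into an LDAP filter, so the characters that alter filter structure must be escaped per RFC 4515, or a name like "*)(objectClass=*" changes the query. The following is an added example written for this page, not Nortel's code; the base DN is constructed, and the port check mirrors the apply-time warning for LDAPS on a non-standard port (636 is the standard LDAPS port).

```python
import re

LDAPS_PORT = 636
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")   # LDAP attribute description


def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3):
    the characters that would let a user alter the filter structure."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_search(search_base, userattr, username):
    """Build the subtree search the gateway performs after binding:
    base DN, subtree scope and an equality filter on userattr."""
    if not _ATTR_NAME.match(userattr):
        raise ValueError(f"invalid attribute name {userattr!r}")
    if not username:
        raise ValueError("empty user name")
    return {
        "base": search_base,
        "scope": "subtree",
        "filter": f"({userattr}={escape_filter_value(username)})",
    }


def ldaps_port_warning(use_ssl, port):
    """Warning text when LDAPS is enabled on a port other than 636, else None."""
    if use_ssl and port != LDAPS_PORT:
        return f"LDAPS enabled but server port is {port}, not {LDAPS_PORT}"
    return None
```

The userattr value is configuration, not user input, but validating it as an attribute name closes the same hole from the administrator's side.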
Page 201
The group entry DN could for example be cn=Staff,ou=groups,dc=nortel,dc=com. This would however be quite a long group name to configure in the VPN. To simplify configuring group names in the VPN, enable the /cfg/vpn #/aaa/auth #/enashortgr setting (see 59 "LDAP Menu Options (/cfg/vpn/aaa/auth/ldap)"...
Page 208
Note: SiteMinder’s tools for authorization are not supported. Access is granted based on the group access rules defined on the VPN Gateway. Challenge-based authentication replies (i.e. the New PIN and Next Token modes of SecurID) from SiteMinder are not supported.
Page 209
When creating the Agent Type in SiteMinder, the Agent Type Attribute identifier must be equal to this value. For instructions on how to create an agent type in SiteMinder, see the Technical Configuration Guide Using Netegrity SiteMinder with Nortel VPN Gateway available on. The default value is 64. timeout Sets a timeout value in seconds for a connection request to a SiteMinder server.
Page 210
Note: If sso is set to true but no display name or authentication order is configured for the SiteMinder authentication method on the VPN Gateway, it will not be possible to log in to the VPN without a valid SMSESSION cookie.
Page 212
ClearTrust components (see the ClearTrust documentation) on the desired machines in your network, you should also configure the VPN Gateway to act as a ClearTrust web server agent and point out existing ClearTrust dispatcher(s) or authorization server(s). The VPN Gateway sets a ClearTrust single-sign-on cookie in the client browser.
Page 214
Command Syntax and Usage The default value is basic. connection clear|ssl_anon Sets the desired connection type for the ClearTrust web server agent (the VPN Gateway) when connecting to other RSA ClearTrust components. The default value is ssl_anon.
Page 215
Note: If sso is set to true but no display name or authentication order is configured for the ClearTrust authentication method on the VPN Gateway, it will not be possible to log in to the VPN without a valid CTSESSION cookie.
Page 219
/cfg/sys/rsa command (see Configuration” (page rsagroup Sets the user access group (as defined on the VPN Gateway) to which authenticated users will be assigned. The access rules pertaining to this group will determine the user’s access rights. /cfg/vpn <id> /aaa/auth <id> /local Local Database...
Page 220
Enter user name: john Enter passwd: [press enter to leave unchanged] * Enter group names (comma separated): staff For instructions on how to configure the VPN Gateway to perform external database authentication in conjunction with local database authorization, see the groupauth command on Settings Menu Options (/cfg/vpn/aaa/auth/adv)"...
Page 222
Values in the client certificate’s subject part, identified as user OID and group OID, will be extracted to authenticate the remote user to the VPN Gateway and assign one or several group names to the user. No password is required, which means that single sign-on to backend servers will not be possible.
Page 223
To view available OIDs and values for an existing certificate, use the /cfg/cert #/subject command. For information about how to use the VPN Gateway to generate a new client certificate and export it to a file, see the "Certificates and Client Authentication"...
Page 235
This command can be used if you wish to create an extended profile with more generous access rules for remote users who have installed the Nortel IE cache wiper on their local machines. Upon Portal login, the user is offered the Nortel IE cache wiper for download (if enabled). •...
Page 236
SSL VPN client (transparent mode). ipsec. The user authenticates to the VPN and sets up an IPsec tunnel using the Nortel IPsec VPN client (formerly Contivity). netdirect. The user authenticates to the VPN through the browser and sets up an SSL session using the Net Direct client. The Net Direct client is downloaded to the remote user’s machine for full...
Page 241
Sets the period during which a user’s VPN session can be idle before the connection is automatically closed. This option helps prevent allocation of resources on the VPN Gateway for sessions that are no longer active. When 10% of the portal idle timeout is reached, a logout warning window is displayed.
Page 245
VPN. The IP pool comes into play when a remote user tries to establish a connection using the Nortel IPsec VPN client (formerly the Contivity VPN client) or the Net Direct client. A new source IP address has to...
Page 246
To view menu options, see IPsec Group Configuration” (page Note: This command is not available if the VPN Gateway software is run on the ASA 310 or ASA 410 hardware platforms. comment Lets you enter a comment for the current group.
Page 250
(for example authentication method or source network) matches the client filter referenced in the extended profile. For example, if the remote user authenticates to the VPN Gateway through a secure method, the access rules defined in the extended profile could be more generous.
Page 252
Sets the period during which a user’s VPN session can be idle before the connection is automatically closed. This option helps prevent allocation of resources on the VPN Gateway for sessions that are no longer active. The idle timeout value can be set on VPN level as well, using the /cfg/vpn #/aaa /idlettl command.
Page 253
To view menu options, see /linkset Linkset Mapping Configuration” (page wiper on|off This command is only visible if Nortel IE cache wiper support has been delegated to group level, i.e. the /cfg/vpn #/portal/wiper command has been set to group. •...
Page 255
VPN Gateway) with group authentication. The shared secret entered here must be equal to the shared secret/password configured for group authentication in the Nortel IPsec VPN client (formerly Contivity). Note: If user name and password authentication is used (ISAKMP tunnel), a shared secret is not required. This login type however requires that the user is configured in the NVG’s local database, using the...
Page 256
The SSO (Single Sign-On) Domains menu lets you configure domains for which single-sign-on is allowed. The VPN Gateway will automatically log in remote users to hosts in the specified domains, provided the required credentials are identical with those entered at Portal login. The feature supports web servers using HTTP-based authentication (basic or NTLM), as well as FTP and SMB (Windows file share) file servers.
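Since the Portal credentials are replayed to every host "in" a configured domain, the domain test decides which servers ever see them; a suffix match on the raw string would hand them to evil-example.com as well. The following is an added example written for this page, not Nortel's code: a label-boundary match that accepts a bare host, host:port or URL, and a helper that returns the credentials only for hosts inside an SSO domain. Hosts and domains used in the test are invented.

```python
from urllib.parse import urlsplit


def extract_host(target):
    """Host name from a bare host, host:port or URL, lower-cased, no trailing dot."""
    parts = urlsplit(target if "//" in target else "//" + target)
    return (parts.hostname or "").rstrip(".")


def host_in_sso_domains(target, sso_domains):
    """True only if the host is one of the configured domains or lies below
    one on a label boundary: 'files.example.com' matches 'example.com';
    'evil-example.com' and 'example.com.attacker.net' do not."""
    host = extract_host(target)
    if not host:
        return False
    for domain in sso_domains:
        domain = domain.strip().rstrip(".").lower()
        if domain and (host == domain or host.endswith("." + domain)):
            return True
    return False


def credentials_for(target, sso_domains, portal_credentials):
    """Credentials to replay to an SSO-capable backend (HTTP basic/NTLM, FTP
    or SMB), or None so the user is prompted instead of leaking them."""
    return portal_credentials if host_in_sso_domains(target, sso_domains) else None
```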
Page 273
(see below). reset: Lets the client try to access the server again. on: The VPN Gateway sets the Secure attribute on the NVG session cookie and all Set-Cookie headers generated by backend servers. It directs the user agent to use only secure means to contact the origin server whenever it sends back this cookie.
Page 276
Specifies how the virtual SSL server handles the Via HTTP header. When added, the Via HTTP header contains information about the IP address of the virtual server on the Nortel Application Switch. Valid options for the addvia command are: •...
Page 279
No-cache/no-store headers for ICA files are not added. off: No-cache/no-store headers for ICA files are added. on: The VPN Gateway closes Windows MSIE SSL sessions with a TCP FIN but without an SSL shutdown. This circumvents the MSIE SSL session termination bug.
Page 282
Rewrite Menu Options (/cfg/vpn/server/http/rewrite) (cont’d.) Command Syntax and Usage Specifies whether the iSD (VPN Gateway) or a web server should handle the response message sent back to the client. When response is set to WebServer,use the URI command to point to a resource on a web server that can provide a customized error message.
Page 284
Command Syntax and Usage authentica on|off By setting this command to off, the VPN Gateway can make use of the VPN functionality to SSL accelerate an existing intranet web site, for example a portal. The NVG’s AAA system is then bypassed. This feature is also known as the PortalGuard.
Page 288
The traffic logging performed by backend web servers can be enhanced by configuring the VPN Gateway to add certain HTTP headers. For more information about available extra HTTP headers, see the HTTP Settings menu on “/cfg/ssl/server <id>...
Page 293
- Branch Office Tunnel Profile cacerts - Set list of accepted signers of remote end certificate cert - Set our server certificate The IPsec menu is used to configure the VPN Gateway to support IPsec-based user tunnels and branch office tunnels. Note: The IPsec menu is not available if the VPN Gateway software is run on the ASA 310 or ASA 410 hardware platforms.
Page 294
The cert command specifies which server certificate should be sent to authenticate the VPN Gateway to an IPsec VPN client (for user tunnels) or to a remote endpoint (for branch office tunnels). The server certificate must exist on the VPN Gateway. To view basic information about available certificates, use the /info/certs command.
Page 296
Lets you specify whether or not to pass a unique, vendor-defined constant to the responding side. The constant is used by the NVG to identify and recognize remote instances of a Nortel ISAKMP implementation. Reception of a familiar Vendor ID payload allows an implementation to make use of payload numbers 128-255 for vendor-specific extensions.
Page 297
Sets the maximum number of retransmissions. This is the number of times that the client retransmits a keepalive packet to the VPN Gateway to check for connectivity. replaywins: Provides a way to define the accepted range of sequence numbers.
Page 300
- Set keepalive timeout
NAT (Network Address Translation) devices on the network path between the client PC and the VPN Gateway may or may not be IPsec aware. IPsec-aware NAT devices can handle IPsec traffic, but if the NAT device is not IPsec aware, the client PC and the VPN Gateway can negotiate to encapsulate the IPsec packets within UDP (i.e.
Page 301
If no traffic is received from the client on the IPsec SA and the VPN Gateway receives no keepalive messages from the client within the dead peer detection interval (multiplied by the configured number of retransmissions), the VPN Gateway assumes that client connectivity is lost and brings the tunnel down.
Page 302
The default value is 3m20s (3 minutes and 20 seconds). retransmit: Sets the maximum number of times for the VPN Gateway to check whether a keepalive message has been received from the IPsec client. The interval between the retransmissions is set with the interval command (see above).
Page 303
Lets you set the desired split tunnel mode. Split tunneling allows client data to travel either through a tunnel to the VPN Gateway or directly to the Internet. All IPsec client traffic is tunneled through the VPN Gateway by default.
Page 304
banner: Lets you enter a text string of your own choice to customize the login banner for the Nortel IPsec VPN client (formerly Contivity). The banner appears at the top of the IPsec VPN client upon login. usebanner on|off: Enables/disables display of the banner (if any) configured with the banner command (see above).
Page 305
- Auto connect network menu
The Auto menu includes commands to configure the auto connect feature, enabling remote Nortel IPsec VPN clients to connect their IPsec tunnel sessions in a single step. Example: The remote user clicks a web link to a page on the private internal network.
Page 312
Example: To set up a branch office tunnel to a specific VPN (as defined on a Nortel VPN Gateway at the branch office) the remote IP address would be the Portal IP address of that specific VPN.
Page 313
Finally – with the remoteid command – specify a string to match the extracted value against. on: Nailed Up mode. The VPN Gateway will always try to bring up the tunnel, even though there is no traffic. If the NVG fails to bring up the tunnel it will keep on trying until the tunnel is up.
Page 317
(formerly the Contivity VPN client) or Net Direct client connection. The IP address is used as a new source IP for connections between the VPN Gateway and the destination host, once the remote user is authenticated and the VPN tunnel is set up.
Page 319
/cfg/vpn <id>/ippool <id> IP Pool Configuration
on: The VPN Gateway that handed out the pool IP address for a specific client connection will respond to ARP requests on behalf of the IPsec VPN client for return traffic. The VPN Gateway then acts as a router and forwards IP packets to the client through the existing tunnel.
Page 321
The Network attributes menu includes commands to configure, for example, primary and secondary NBNS and DNS servers. The information configured here is pushed to the Nortel IPsec VPN client (formerly the Contivity VPN client) or the Net Direct VPN client when assigned to the current IP pool.
Page 323
You can for example change the banner image, portal colors, portal language and define a company name. You can also configure automatic redirection, enable the Nortel IE cache wiper and configure URL rewrite behaviour. Table 125...
Page 324
Table 125 Portal Menu Options (/cfg/vpn/portal) (cont’d.)
Restores the default Nortel banner. banner: Displays the file name of the banner image file currently in use. redirect <URL, e.g. https://vpn.example.com/http/inside.example.com>: Sets the URL to which users are automatically redirected after having authenticated to the Portal.
Page 326
Sets your own company name. This name will be displayed instead of "Nortel" on the Portal pages. The company name is displayed as a "tool tip" when hovering the mouse pointer over the Portal banner (logo) and in the browser window’s title bar.
Page 327
“/cfg/vpn <id>/portal/content Portal Custom Content” (page 330).
on: The remote user will have the option to download the Nortel IE cache wiper when logging in to the Portal. If downloaded, the IE cache wiper will clear the cache and browser history when the Portal session is terminated or when the browser is closed.
Page 332
Net Direct VPN client is started (if enabled). For the Nortel IPsec VPN client to be able to connect to a Nortel VPN Router (formerly Contivity), the Full Access menu also lets you configure the required parameters for authentication to the Nortel VPN Router.
Page 333
<IP address>: Sets the IP address of the Nortel VPN Router. contid <group ID>: Sets the Nortel VPN Router group ID. This is only required if the IPsec VPN client uses group authentication to authenticate to the VPN Router.
Page 336
- Enable URL rewrite white-list
dis - Disable URL rewrite white-list
One of the fundamental features of the VPN Gateway product is the act of rewriting URLs to ensure that traffic is sent through a secure SSL connection, through the NVG. When the remote user enters a URL (e.g.
Page 349
When the user clicks the FTP proxy link, one or several SOCKS tunnels (encapsulated in SSL) are created between the user’s local machine and the VPN Gateway. The NVG acts as an FTP Proxy and relays data to and from the remote host by setting up sockets to a remote TCP port.
Page 352
When the user clicks a port forwarder link, one or several SOCKS tunnels (encapsulated in SSL) are created between the user’s local machine and the VPN Gateway. The NVG relays data to and from the remote host by setting up sockets to remote TCP or UDP ports.
Page 373
If the client has access to intranet DNS servers, communication will fail as well. To test DNS resolution, the VPN Gateway should be able to ping the Exchange server from the CLI, using the fully qualified domain name (FQDN).
Page 383
For detailed step-by-step instructions on how to configure the VPN Gateway for use with the Net Direct client, see the "Net Direct" chapter in the Application Guide for VPN. Table 150...
Page 385
Both the external and internal link types are designed to direct the remote user to a web page. The difference between an external and an internal link is that the internal link is secured by the VPN Gateway, i.e. the internal link directs the HTTP/HTTPS request to the VPN Gateway, where the NVG rewrite prefix (boldface) is added to the link.
Page 387
SSL connection. This feature is useful when a web server requires user authentication, such as a web server providing Outlook Web Access. The iauto link directs the HTTP request to the VPN Gateway where the rewrite prefix (boldface) is added to the link. See example below: https://portal.example.com/https/inside.example.com/login/login.asp The VPN Gateway manages authentication to the backend server.
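The rewrite-prefix scheme described above (an internal URL such as https://inside.example.com/login/login.asp becoming https://portal.example.com/https/inside.example.com/login/login.asp) can be modelled in a few lines. The following is an added example, not code from the Nortel manual or the NVG software: it builds and strips the prefix, and rewrites links inside an HTML fragment only for backend hosts on an allow-list. The portal hostname is taken from the page's example; the HTML snippet and the allow-list entries are constructed, and the allow-list semantics are an assumption about how a URL rewrite white-list would be applied, not a description of the NVG implementation.

```python
"""Added example (not from the Nortel manual): model of the NVG rewrite-prefix
scheme. The original scheme becomes the first path segment and the backend host
the second, so the browser only ever talks SSL to the Portal."""
import re
from urllib.parse import urlsplit, urlunsplit

PORTAL_HOST = "portal.example.com"  # portal hostname from the page's example


def add_rewrite_prefix(internal_url: str, portal_host: str = PORTAL_HOST) -> str:
    """Rewrite an absolute http(s) URL so that it is fetched via the Portal."""
    parts = urlsplit(internal_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {internal_url!r}")
    path = parts.path or "/"
    new_path = f"/{parts.scheme}/{parts.netloc}{path}"
    return urlunsplit(("https", portal_host, new_path, parts.query, parts.fragment))


def strip_rewrite_prefix(rewritten_url: str, portal_host: str = PORTAL_HOST) -> str:
    """Inverse: recover the backend URL the gateway fetches on the user's behalf."""
    parts = urlsplit(rewritten_url)
    if parts.scheme != "https" or parts.netloc != portal_host:
        raise ValueError("not a Portal URL")
    segments = parts.path.split("/", 3)  # ['', scheme, backend host, rest]
    if len(segments) < 3 or segments[1] not in ("http", "https") or not segments[2]:
        raise ValueError("URL lacks a rewrite prefix")
    rest = "/" + segments[3] if len(segments) == 4 else "/"
    return urlunsplit((segments[1], segments[2], rest, parts.query, parts.fragment))


# Matches absolute URLs in the attributes a portal rewriter typically touches.
_ATTR_URL = re.compile(r'(?P<attr>\b(?:href|src|action)=")(?P<url>https?://[^"]+)"', re.I)


def rewrite_html_links(html: str, allowed_hosts: set, portal_host: str = PORTAL_HOST) -> str:
    """Rewrite links to hosts on the allow-list; links to other hosts are left as-is.
    (Allow-list behaviour is an assumption for illustration, not the NVG white-list.)"""
    def _repl(match: re.Match) -> str:
        url = match.group("url")
        if urlsplit(url).hostname in allowed_hosts:
            return f'{match.group("attr")}{add_rewrite_prefix(url, portal_host)}"'
        return match.group(0)
    return _ATTR_URL.sub(_repl, html)


# Constructed sample HTML: one internal link, one public link.
SAMPLE_HTML = ('<a href="https://inside.example.com/login/login.asp">Mail</a> '
               '<a href="https://www.example.net/">Public</a>')

if __name__ == "__main__":
    print(add_rewrite_prefix("https://inside.example.com/login/login.asp"))
    print(rewrite_html_links(SAMPLE_HTML, {"inside.example.com"}))
```

The inverse function refuses anything that is not a Portal URL carrying a valid scheme segment, which is the check a gateway needs before it opens a backend connection on the user's behalf.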
Page 391
Represents an input field (= input name) on the form, e.g. user. value: Tells the VPN Gateway what value to insert in the field, for example a macro, a specific text string or a combination of both. The <var:user> and <var:password> macros expand to the logged-in Portal user’s credentials.
Page 395
Having entered/pasted the text, press ENTER and type three periods (...). Finally press ENTER once again. Note: A license text from Nortel is supplied by default. By entering a new license text, you will replace the default license text. If desired, you can copy and save the default license text before replacing it.
Page 396
Lets you configure UDP ports to be used by the Net Direct client. The Net Direct client will use the configured ports for sending encrypted UDP packets to the VPN Gateway. If this fails (for example due to firewalls between the client and the VPN Gateway), the fallback is to use TCP.
Page 397
Sets the maximum lifetime of the single session key. The setting controls how often new session keys are exchanged between the Net Direct client and the VPN Gateway. Limiting the lifetime of a single key used to encrypt data is a way of increasing session security.
Page 399
Remote users are allowed to connect to the VPN Gateway using the TDI client. When set to on, the tdioslist and tdivsn commands become visible (see below). off: Remote users are not allowed to connect to the VPN Gateway using the TDI client.
Page 401
Lets you specify the minimum version of TDI clients that are allowed to connect to the VPN Gateway. When the TDI client tries to connect, it sends its version number to the NVG. Syntax example: 7.0.0.0 In the preceding example, TDI clients with version 7.0.0.0 or higher...
Page 402
<client version number>: Lets you specify the minimum version of LSP clients that are allowed to connect to the VPN Gateway. When the LSP client tries to connect, it sends its version number to the NVG. Syntax example: 7.0.0.0 In the preceding example, LSP clients with version 7.0.0.0 or higher...
Page 403
SSL VPN client (not the Net Direct client), for example which domains and IP addresses should be routed through the VPN Gateway when the remote user tries to access a resource. To produce a configuration file, install the SSL VPN client, make the desired settings in the SSL VPN client and export the configuration file.
Page 408
Secure Service Partitioning feature. This interface should be configured to process traffic relating to a specific VPN customer’s private network. For example, it has its own default gateway routing the customer’s backend traffic. To configure the interface, use the /cfg/sys/host #/interface command (see Configuration”...
Page 415
SSL and IPsec users to the currently selected VPN. A license is valid for a certain number of concurrent users, for example 1000. The license can be loaded to any master VPN Gateway in the cluster but is valid for the whole cluster.
Page 416
If a user logs in through IPsec and there is no IPsec user license available, an SSL user license will instead be used (if available). Note: This command is not available if the VPN Gateway software is run on the ASA 310 or ASA 410 hardware platforms.
Page 423
The iSD Host menu is used for configuring basic TCP/IP properties for a particular VPN Gateway (iSD) in a cluster, as well as setting the VPN Gateway type to either master or slave. You can also halt, reboot or delete a VPN Gateway remotely through the iSD Host menu.
Page 424
The NVG software supports clustering over multiple subnets. If more than one VPN Gateway is required and the NVG you wish to join to the cluster is installed in a different subnet, the new VPN Gateway must be configured as a slave.
Page 425
IPsec (IPsec VPN client access): available for 250, 500 and 1000 users.
TPS (transactions per second): available for 300 TPS and 1000 TPS. Required for the Nortel Application Switch 2424-SSL. Other hardware platforms: no license required.
PortalGuard: enables SSL acceleration of an existing Portal (see the /cfg/vpn #/server/portal/authentica command).
Page 426
Stops the currently selected VPN Gateway. Always use this command before turning off the device. If the VPN Gateway you want to halt has become isolated from the cluster, you will receive an error message when performing the halt command. You can then try logging in to the VPN Gateway through a console connection (or a Telnet or SSH connection to the NVG’s individually assigned IP address) and use the...
Page 427
Log in as the admin user with the admin password to enter the Setup menu. Note 1: You cannot delete a VPN Gateway that is included in the cluster configuration of other NVGs if the VPN Gateway you want to delete is the only machine in the cluster with the status up.
Page 428
The Interface menu is used for configuring an IP interface and assigning physical ports (on the VPN Gateway) to this interface. If you add more than one port to an interface, the ports can be used in two different modes: failover or trunking.
Page 429
DNS servers), and only for VPNs that point to this interface (using the /cfg/vpn #/adv/interface command). If no VPN points to this interface, the gateway specified here will be ignored. When the NVG cluster is used for Secure Service Partitioning (hosting of multiple VPN customers), a default gateway should be specified here for each dedicated VPN interface.
Page 433
<destination IP address> <subnet mask> <gateway IP address>: Adds a static route to the system configuration. Specify the destination IP address, the subnet mask, and the gateway IP address.
/cfg/sys/time Date and Time Configuration [Date and Time Menu]...
Page 434
<IP address of NTP server>: Adds an NTP server to the system configuration. The NTP server you add is used by the NTP client on the VPN Gateway to synchronize its clock. NTP should have access to a number of servers (at least three) to compensate for any discrepancies between the servers.
Page 436
The default TTL value is 3 hours (3h). health <value in seconds>: Sets the DNS server health check interval. The VPN Gateway will perform a DNS query to each of the DNS servers added to the system configuration at the specified interval to determine the health check status.
Page 438
The Syslog Servers menu is used to configure syslog servers. The NVG software can send log messages to the specified syslog hosts. For a list of all log messages that the VPN Gateway can send to a syslog server, see Appendix C, Syslog Messages, in the User’s Guide.
Page 440
Adds a single machine, or a range of machines on a specific network, to the access list. Only those machines listed will be allowed to access the VPN Gateway through a Telnet or SSH connection (assuming that Telnet or SSH connections, or both, are enabled).
Page 441
Table 187 Administrative Applications Menu Options (/cfg/sys/adm) (cont’d.)
Lets you enable SONMP (SynOptics Network Management Protocol) participation. SONMP is a Nortel-proprietary layer-2 protocol for discovering the topology of a network that contains SONMP-aware devices.
Page 443
SNMP works by sending messages, called protocol data units (PDUs), to different parts of a network. SNMP-compliant agents on the VPN Gateways store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters.
Page 452
For backup purposes, several RADIUS audit servers can be added. The VPN Gateway contacts the server with the lowest index number first. If contact cannot be established, the NVG tries the server with the next index number in sequence, and so on.
Page 453
The local passwords (for example the admin password) are used as a fallback if the RADIUS servers are unreachable. Note that unwanted access to a VPN Gateway through the serial cable becomes possible if the network cable is disconnected and the local password is known.
Page 454
For backup purposes, several RADIUS servers can be added. The VPN Gateway contacts the server with the lowest index number first. If contact cannot be established, the NVG tries the server with the next index number in sequence, and so on.
Page 455
- Enable group attribute usage
dis - Disable group attribute usage
The RADIUS Group Attribute menu lets you configure the VPN Gateway to authorize administrator users based on a group attribute sent by the RADIUS authentication server. When the user is successfully authenticated, the RADIUS server returns the groups to which the user belongs.
Page 457
- Disable server
The HTTPS menu is used for enabling/disabling browser-based configuration of your VPN Gateway through a secure SSL tunnel. To access the Browser-Based Management Interface (BBI), enter the Management IP address assigned to your NVG cluster in your web browser.
/boot Boot Menu
The Boot menu is used for managing software versions, and to shut down, reboot, or reset the configuration of a particular VPN Gateway. To use the Boot menu, you must be logged in as the Administrator user. [Boot Menu]...
Page 469
Log in as the admin user with the admin password to enter the Setup menu. Note 1: If you receive a warning saying that the VPN Gateway you are trying to delete has no contact with any (other) master VPN Gateway...
Page 470
The Software Management menu is used to show the current software status of the particular VPN Gateway to which you have connected. The menu is also used to download software upgrade packages through TFTP/FTP/SCP/SFTP, as well as to activate or delete a software upgrade package.
<destination file name> <collect info from all iSDs?> <FTP user name and password>: Collects system log file information from the VPN Gateway you are connected to (or optionally, all NVGs in the cluster) and sends the information to a file in gzip-compressed tar format on the TFTP or FTP server you have specified.
Page 473
Checks if the VPN Gateway is able to contact configured gateways, routes, DNS servers and authentication servers. The command also checks if the VPN Gateway can connect to web servers specified in group links. Besides checking the connection, the method (for example ping) for checking each item is displayed.
Page 488
<p>From this page you can gain full network access. This <strong>requires</strong> that Net Direct is enabled or that you have either Nortel's IPSEC client (version 4.89 or better) and/or SSL-VPN (TDI version 1.1 or better) client installed. If the Net Direct installable client is installed it will be used if Net Direct is enabled.</p>...