Advertising

Advertising

IP40 Security Platform
User's Guide
Version 1.1
N450916002 Rev A
June 2004

Advertising

   Also See for Nokia IP40

   Summary of Contents for Nokia IP40

  • Page 1

    IP40 Security Platform User’s Guide Version 1.1 N450916002 Rev A June 2004...

  • Page 2

    IMPORTANT NOTE TO USERS This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services;...

  • Page 3

    Singapore 119968 Nokia Customer Support Web Site: https://support.nokia.com/ Email: tac.support@nokia.com Americas Europe Voice: 1-888-361-5030 or Voice: +44 (0) 125-286-8900 1-613-271-6721 Fax: 1-613-271-8782 Fax: +44 (0) 125-286-5666 Asia-Pacific Voice: +65-67232999 Fax: +65-67232897 040113 Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 4

    Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 5: Table Of Contents

    Nokia IP40 Satellite 16, Satellite 32, Satellite Unlimited ....20 Nokia IP40 Security Platform Features ....... . . 20 Connectivity .

  • Page 6: Table Of Contents

    Logging Off from Nokia IP40 Security Platform ......51 Understanding the Nokia IP40 Web GUI ....... . 52 Using the Nokia IP40 Security Platform Web-based User Interface .

  • Page 7: Table Of Contents

    Using Static Routes ..........91 Setting Up the Nokia IP40 Security Platform Security Policy ....95 Setting the Firewall Security Level .

  • Page 8: Table Of Contents

    High- Availability Solution with a Single Nokia IP40 Security Platform ..135 High Availability Solution with Dual Nokia IP40 ......136...

  • Page 9: Table Of Contents

    Setting Up Nokia IP40 as a VPN Server ....... .

  • Page 10: Table Of Contents

    Setting Up Nokia IP40 Satellite X ........

  • Page 11: Table Of Contents

    Checking for Software Updates When Remotely Managed ....210 Managing with Nokia Horizon Manager ....... . . 211 Check Point SmartCenter LSM .

  • Page 12: Table Of Contents

    FCC Notice (US) ..........236 Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 13: In This Guide

    Security Platform. This guide provides information about the new features incorporated into the Nokia IP40. This version of Nokia IP40 uses the SofaWare VPN-1 Embedded NG. For a quick reference on how to configure features in Nokia IP40, see the Nokia IP40 Security Platform Quick Start Guide and Nokia IP40 Security Platform Online Help, part of the graphical user interface (GUI) in the appliance.

  • Page 14: Conventions This Guide Uses

    Availability feature. Chapter 11, “Configuring Nokia IP40 Through Out-of-Band Management,” explains the method to configure the Nokia IP40 through Out of Band Management. Chapter 12, “Configuring Device Functions,” discusses how to configure device functions such as setting date and time, loading factory defaults and performing firmware upgrade.

  • Page 15: Command-line Conventions

    Notes provide information of special interest or recommendations. Command-Line Conventions This section defines the elements of commands that are available in Nokia products. You might encounter one or more of the following elements on a command-line path. Table 1 Command-Line Conventions...

  • Page 16: Text Conventions

    • Emphasizes a point or denotes new terms at the place where Italics they are defined in the text. • Indicates an external book title reference. • Indicates a variable in a command: if_name delete interface Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 17: Menu Items

    Nokia IP40 menu items in procedures are separated by the greater than sign (>). For example, Start > Programs > Nokia > Security indicates that you first click Start, then choose the Programs menu command, then choose Nokia, and finally choose Security.

  • Page 18

    Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 19: Introduction

    WAN connection to headquarters, and dual homing with BGP to route return traffic securely, over VPN. The Nokia IP40 Security Platform can be integrated with an overall enterprise security policy for maximum security. The IP40 facilitates centralized management and automatic deployment with the security management architecture of Check Point, and Nokia Horizon Manager.

  • Page 20: Nokia Ip40 Tele 8

    IP40 Tele 8 can act as a VPN server, which allows a single user to securely access resources protected by the appliance from home or while travelling.

  • Page 21

    Nokia IP40 Security Platform Table 3 Nokia IP40 Security Platform Connectivity Nokia IP40 Satellite Feature Nokia IP40 Tele 8 16/32/Unlimited Users (nodes) 16, 32, unlimited PPPoE client PPTP client DHCP client DHCP server Static IP MAC cloning Backup Internet connection, static NAT,...

  • Page 22: Firewall

    Introduction Firewall Table 4 Firewall Connectivity provides details about the IP40 Security Platform v1.1 firewall connectivity. Table 4 Firewall Connectivity Nokia IP40 Satellite Feature Nokia IP40 Tele 8 (16/32/Unlimited) Firewall Type Check Point Firewall-1 Check Point Firewall-1 Embedded NG Embedded NG...

  • Page 23: Vpn Connectivity

    Feature Nokia IP40 Tele 8 (16/32/Unlimited) Exposed host DMZ network VPN Connectivity Table 5 VPN Connectivity provides details about IP40 Security Platform v1.1 VPN connectivity. Table 5 VPN Connectivity Nokia IP40 Satellite Feature Nokia IP40 Tele8 16/32/Unlimited IPSEC VPN remote...

  • Page 24

    SecuRemote server RADIUS Client DAIP with VPN certificates Back up VPN gateways SmartCenter Connector (SSC) NG AI support Bypass NAT Route all traffic Route Based VPN and failover Multiple PPP connections Active tunnels Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 25: Management

    Nokia IP40 Security Platform Management Table 6 Management provides details about the IP40 Security Platform v1.1 management: Table 6 Management Nokia IP40 Satellite Feature Nokia IP40 Tele 8 (16/32/Unlimited) Web-based management Access to IP40 through OOB, SSH and SNMP Telnet access...

  • Page 26: Security Services

    Point Smart Update) Check Point Smart LSM Check Point Provider-1 Security Services Table 7 Security Services provides details about IP40 Security Platform v1.1 security services: Table 7 Security Services Nokia IP40 Satellite Feature Nokia IP40 Tele 8 (16/32/Unlimited) Firewall security...

  • Page 27: Diagnostics And Maintenance

    Protocol support for TCP/IP, ICMP, GRE, ESP and UDP Diagnostics and Maintenance Table 8 Diagnostics and Maintenance provides details about IP40 v1.1 diagnostics and maintenance: Table 8 Diagnostics and Maintenance Nokia IP40 Satellite Feature Nokia IP40 Tele 8 (16/32/Unlimited)

  • Page 28: Nokia Ip40 Security Platform Package Contents

    A country-specific power cord for universal power supply An Ethernet-crossover cable, labeled Crossover An RS-232 console (null modem) cable The IP40 CD. The IP40 CD includes the following documents needed to set up and use the device: Nokia IP40 Security Platform Quick Start Guide Nokia IP40 Security Platform User’s Guide Version 1.1 (this document)

  • Page 29: Appliance Overview

    The following sections provide an overview of Nokia IP40 Security Platform rear and front panels. Nokia IP40 Security Platform Rear Panel All physical connections (network and power) to the IP40 are made through the rear panel. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 30

    Connect the power adapter to this jack. The device connects to the power source. The auxiliary port or dial-in port is a 9-pin male connector. This port is used to dial in to IP40 through a modem when the IP40 is unreachable through other ports.

  • Page 31

    Appliance Overview Table 9 explains the items on the rear panel of the Nokia IP40. Table 9 Rear Panel of IP40 Label Description Console The console port is a 9-pin male connector that can be connected to the serial (COM) port of your computer.

  • Page 32: Nokia Ip40 Security Platform Front Panel

    You can monitor the IP40 operations by viewing the LEDs on the front panel. Figure 2 Front Panel of Nokia IP40 Security platform. The items on the front panel of the Nokia IP40 Security Platform are explained in Table 10 page 32.

  • Page 33: Installing Nokia Ip40 Security Platform

    Installing Nokia IP40 Security Platform Installing Nokia IP40 Security Platform This chapter describes how to set up and install the Nokia IP40 Security Platform in a networking environment. The chapter covers the following topics: Before You Install Nokia IP40 Security Platform...

  • Page 34

    In the Network window, check if TCP/IP appears in the network components list and if it is already configured with the Ethernet card installed on your computer. If TCP/IP is already installed and configured on your computer, skip the following procedure about how to install TCP/IP. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 35

    If you are prompted for original Windows installation files, provide the installation CD and relevant path, D:\win98, D:\win95, and so on. 5. Restart your computer if prompted. If you are connecting the IP40 to an existing LAN, consult your network manager/system administrator for the correct configuration. To make TCP/IP settings 1.

  • Page 36

    2. Click the Gateway tab and remove any installed gateways. 3. Click the DNS Configuration tab and click Disable DNS. 4. Click the IP Address tab, and click Obtain an IP address automatically. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 37: Microsoft Windows Xp And 2000 Operating Systems

    Before You Install Nokia IP40 Security Platform Note Nokia recommends that you use DHCP to assign IP addresses instead of assigning a static IP address to your computer. To assign a static IP address, click Specify an IP address and enter an IP address in the range of 192.168.10.129 to 254.

  • Page 38

    2. Double-click the Network and Dial-up Connections icon (in Windows XP double-click the Network Connections icon). The Network and Dial-up Connections window appears. 3. Right-click the Local Area Connection icon and select Properties from the drop-down list. The Local Area Connection Properties window appears. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 39

    Before You Install Nokia IP40 Security Platform 4. Check for TCP/IP in the Component list and whether it is configured with the Ethernet card installed on your computer. If TCP/IP does not appear in the Components list, install it as described in the section “To...

  • Page 40

    TCP/IP protocol is installed on your computer. To make TCP/IP settings 1. In the Local Area Connection Properties window, double-click Internet Protocol (TCP/IP) and click Properties. The Internet Protocol (TCP/IP) Properties window opens. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 41: Setting Up Nokia Ip40 Security Platform With An Apple Computer

    2. Click Obtain an IP address automatically. Note Nokia recommends that you use DHCP to assign IP addresses instead of assigning a static IP address to your computer. To assign a static IP address, select Specify an IP address and enter an IP address in the range of 192.168.10.129 to 254. Enter 255.255.255.0 as the subnet mask.

  • Page 42: Connecting Nokia Ip40 Security Platform To The Network

    The following topology examples illustrate proper network cabling. Figure 3 IP40 Topologies Installing Your Network Plan your network and the location of the IP40, then install your network. To install the network 1. Connect the LAN cable: a. Connect one end of the Ethernet cable to the LAN port at the back of the appliance.

  • Page 43: Getting Started

    213 in this document. Note The IP40 ships without a password defined. If you are logging in for the first time, you are prompted to define the password by entering it twice. If you already logged in before, enter the username and password you previously defined.

  • Page 44: Configuring Nokia Ip40 Security Platform For Internet Connection

    Configuring Nokia IP40 Security Platform for Internet Connection This section provides information about how to make the initial settings for your Nokia IP40 Security Platform by using the Setup wizard and connecting to the Internet. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 45: Making Initial Nokia Ip40 Security Platform Settings

    This section provides the information about how to use the Setup wizard to set the device time, and to make the initial Nokia IP40 Security Platform settings. Setting Nokia IP40 Security Platform Time Use the following procedure to set the time of Nokia IP40 Security Platform. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 46

    Getting Started To set the IP40 Security Platform time 1. When the IP40 Set Time wizard dialog box appears, click the appropriate setting, for the time settings you want to make. If you click the computer’s clock, the IP40 is automatically updated with the time settings of your computer.

  • Page 47: Registering With The Nokia Support Site

    3. Specify the IP addresses of the Primary and Secondary servers, to use as NTP time servers. Select your time zone from the Time Zone drop down list. 4. Click Next. The IP40 Set Time Wizard dialog box appears, indicating that time settings are changed successfully. 5. Click Finish to exit the Set Time wizard.

  • Page 48: Connecting To A Central Management Server

    When you are registered for support, the Subscription Services window appears. This window allows you to define the central management server that the IP40 connects to. The IP40 can connect to a central management server to allow central management of the firewall and VPN policies.

  • Page 49: Logging On To Nokia Ip40 Security Platform

    Making Initial Nokia IP40 Security Platform Settings If your IP40 is centrally managed by any of these servers, check I wish to connect to a service center and enter the IP address of the central management server in the Specified IP text box, then click Next.

  • Page 50: Accessing Nokia Ip40 Securely

    Getting Started Note The default user name for all Nokia IP40 licenses is admin. For the IP40 Satellite X licenses, you can define additional users. These additional users have separate usernames and passwords. For the IP40 Tele 8 license, you can only log on with the username admin.

  • Page 51: Logging Off From Nokia Ip40 Security Platform

    IP40 is not yet known to the browser, so a security alert appears. 2. Click Yes to install the security certificate of the IP40 that you are trying to access. If you are using Internet Explorer 5.0 or later, do the following: a.

  • Page 52: Understanding The Nokia Ip40 Web Gui

    52. Understanding the Nokia IP40 Web GUI When you log on to Nokia IP40 security platform by using HTTP or HTTPS, you can configure the device by using the following methods: Quick Setup Wizard—configures the most common settings required for the IP40 to be up and running.

  • Page 53: Using The Nokia Ip40 Security Platform Web-based User Interface

    Figure 4 Main Components of the Nokia IP40 Security Platform GUI Note The Tele 8 license of IP40 does not support all of the features mentioned in the table 12 below. For information on features supported by the Tele configuration, see “Nokia IP40...

  • Page 54

    Getting Started Table 12 gives the name and functionality of each element in the Nokia IP40 GUI. Table 12 Names and Functions of the Nokia IP40 GUI Elements Main Tab Secondary Tabs Description Welcome Displays Welcome and configuration information. Reports...

  • Page 55

    Understanding the Nokia IP40 Web GUI Table 12 Names and Functions of the Nokia IP40 GUI Elements Main Tab Secondary Tabs Description Tools Comprises several tools to effectively manage your IP40. Users Internal Users Allows you to view, add, edit, and delete list of IP40 users.

  • Page 56

    Your Internet connection status. You have different fields under Internet status. They are: Connected: your IP40 device is connected to the Internet Not Connected: your IP40 device is not connected to the Internet Establishing Connection: your IP40 device is connecting to the Internet.

  • Page 57: Accessing Nokia Ip40 Security Platform

    Typically the WAN port for your device is connected to your Internet service provider (ISP), while the LAN port is connected to your computer, or to a hub, if you are using IP40 between your computer network and the outside world. You can connect your computer to the console port of your IP40 to manage the device by using the command-line interface (CLI).

  • Page 58: Configuration Methods

    Connecting Nokia IP40 Security Platform to a Computer by Using the Console Port Your Nokia IP40 Security Platform has a console serial port. Connect the RS-232 cable (that is shipped along with the appliance) from the serial port of your computer to the console port of IP40.

  • Page 59

    Select the following port settings: Bits per second: 9600 Data bits: 8 Parity: None Stop bits: 1 Flow control: None 5. Click Ok to continue. 6. The login prompt is displayed by default. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 60: Using Telnet To Connect To Nokia Ip40 Security Platform

    Accessing Nokia IP40 Security Platform The IP40 ships without a password defined. If you are logging in for the first time,you are prompted to define the password by entering it twice. If you logged in before, enter the username and password you previously defined.

  • Page 61: Enabling And Disabling Telnet Access To Nokia Ip40

    4. Enter your username and password.You can now, manage your IP40 Security Platform by using simple commands. 5. Press the tab key to view a list of useful, simple commands to start managing your IP40. For more information, see Nokia IP40 Security Platform CLI Reference Guide Version 1.1.

  • Page 62: Using Secure Shell To Connect To Nokia Ip40 Security Platform

    Accessing Nokia IP40 Security Platform Using Secure Shell to Connect to Nokia IP40 Security Platform You can use Secure Shell (SSH) to access your IP40 Security Platform, securely. SSH is an application protocol and software suite that allows secure network services over an insecure network such as the Internet.

  • Page 63: Deploying Nokia Ip40 Security Platform With Nokia Horizon Manager

    You can use Nokia Horizon Manager to perform software inventory, configuration, and image management operations. Note You can manage the IP40 Security Platform by using Nokia Horizon Manager v1.3.1 and later. Deploying Nokia IP40 Security Platform with Check Point SmartCenter Large Scale Manager The Check Point SmartCenter Large Scale Manager (LSM) allows you to manage many Check Point Remote Office/Branch Office (ROBO) gateways from a single SmartCenter Server.

  • Page 64

    Accessing Nokia IP40 Security Platform Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 65: Connecting To The Internet With Nokia Ip40 Security Platform

    You must configure the Internet connection on initial operation, and reset to defaults operations. Using the Setup Wizard You can use the Setup Wizard to configure the Internet connection for Nokia IP40 Security Platform through graphical user interface (GUI). The Setup Wizard guides you through the configuration process, step by step.

  • Page 66

    Connecting to the Internet with Nokia IP40 Security Platform PPTP or PPPoE dialer Dial-up Internet access by using V90 or ISDN T/A modems To configure the Internet connection by using the Setup wizard 1. Click Network from the main menu.

  • Page 67

    When you are connected, the wizard prompts you to register your details and set up your subscription options, which vary from product to product. For information about configuring device time, registering with Nokia Support Center and subscribing to additional services with the Setup wizard, see Chapter 3, “Getting Started”...

  • Page 68: Cable Modem Connection Settings

    Connecting to the Internet with Nokia IP40 Security Platform 2. Follow the instructions until the wizard is done, and then click Finish. You are now connected to the Internet through a direct LAN connection. Cable Modem Connection Settings If you selected cable modem connection through the procedure “To configure the Internet...

  • Page 69: Cloning A Mac Address

    Configuring Internet Connection The Nokia IP40 takes the place of the computer behind the cable modem and you can use MAC cloning to enter the original computer MAC address without contacting the ISP to change that information. To configure for cable modem connection 1.

  • Page 70: Dsl Connection Settings

    Connecting to the Internet with Nokia IP40 Security Platform 3. Do one of the following: a. Click This Computer to automatically clone the MAC address of your computer to the IP40. b. If the ISP requires authentication by using the MAC address of a different computer, enter the MAC address in the MAC cloning field.

  • Page 71

    3. Follow the instructions until the wizard is finished, and then click Finish. To connect by using the PPTP connection method Select PPTP in the . The PPTP configuration window appears. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 72

    Connecting to the Internet with Nokia IP40 Security Platform 1. Enter the following information: Username and Password, and confirm the password. Service name. IP address of the DSL modem in the Server IP field. Internal IP address (The IP address required to access the DSL modem).

  • Page 73: Manually Configuring The Internet Setting

    Manually Configuring the Internet Setting Manually Configuring the Internet Setting You can configure the Internet settings for your IP40 manually also. To configure the Internet connection 1. Proceed as per steps 1 and 2 in “Using the Setup Wizard” on page 65 to connect using DHCP, PPTP and PPPoE 2.

  • Page 74

    This field is optional. If a service center requires it, the Host Name is provided by them. 3. Enter the maximum transmission unit (MTU-1500) 4. If you do not want the IP40 to obtain an IP address automatically by using DHCP, do the following: a.

  • Page 75

    If you choose PPPoE type Internet connection in procedure as described in “Manually Configuring the Internet Setting” on page 73, the following window appears: 1. Enter the following information: Enter your Username and Password and confirm the Password. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 76

    If your service center did not provide you with a service name, leave this text box empty. You can set the maximum transmission unit size (MTU). Nokia recommends that you leave this field empty. However, to modify the default MTU, consult with your service provider.

  • Page 77: Direct Dial-up Ppp

    3. Click Apply. Direct Dial-Up PPP You can connect the Nokia IP40 Security Platform to the Internet by using a dial-up connection. The device can establish a PPP connection to an ISP by using an external modem connected to an auxiliary port. The modem can be an analog modem or an ISDN terminal adapter.

  • Page 78: Configuring Dial-up With The Gui

    Connecting to the Internet with Nokia IP40 Security Platform Configuring Dial-Up with the GUI The following sections give details about how to configure dial-up and direct dial-up connections on the Nokia IP40 Security Platform: Dial-up—when enabled, the WAN connection is established only when interesting traffic enters the network.

  • Page 79: Configuring Dial-up With The Cli

    Use the following command to configure dial-up by using the CLI wizard: wizard dialup For more information about how to use other dialup commands, see the Nokia IP40 Security Platform CLI Reference Guide, Version 1.1. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 80: Multiple Dial-up Profiles

    The Internet connection retains its connected or not connected status until Nokia IP40 is rebooted. The IP40 then connects to the Internet if the connection is enabled. For information on how to enable the Internet connection, see the section on “Enabling or Disabling the Internet...

  • Page 81: Configuring A Backup Internet Connection

    IP40 remains connected to the Internet. You can configure different DNS servers for the two connections. The IP40 device acts as a DNS relay and routes requests from computers within the network to the appropriate DNS server for the active Internet connection.

  • Page 82

    Connecting to the Internet with Nokia IP40 Security Platform Table 14 Internet Connection Information Field Description Status Indicates the connection status. Duration Indicates the connection duration, if active. The duration is given in the format hh:mm:ss, where: hh = hours...

  • Page 83: Managing Your Local Area Network

    IP40 to its factory settings. To reset the Nokia IP40 Security Platform to its factory default settings, choose Setup > Firmware > Tools > Factory Settings. You can also press the Reset button at the rear panel of the device.

  • Page 84: Enabling And Disabling The Dhcp Server

    IP addresses in your network by using the IP40 Satellite X licenses. You might want to do this if, for example, you are adding the IP40 to a large existing network and do not want the network IP address range to change, or if you are using a DHCP server other than the IP40, that assigns addresses within a different range.

  • Page 85: Enabling Or Disabling Hide Nat

    Network Address Translation (NAT) enables you to share a single IP address among several computers. Note NAT is enabled by default. NAT can only be disabled in IP40 Satellite X licenses. If NAT is disabled, you need to buy an IP address range. To enable NAT 1.

  • Page 86: Configuring A Dmz Network

    3. Go to the DMZ Network Settings area. 4. If desired, enable or disable Hide NAT. 5. In the IP40 DMZ IP text box, enter the IP address of the DMZ network default gateway. Note The DMZ network must not overlap the LAN network.

  • Page 87: Using Static Nat

    IP40 supports Proxy Address Resolution Protocol (ARP). When an external source attempts to communicate with a computer that has static NAT enabled, the IP40 automatically replies to ARP queries with its own MAC address, thereby enabling communication. As a result, the static NAT Internet IP addresses appear to external sources to be real computers connected to the WAN interface.

  • Page 88

    The Static NAT wizard opens, with the Static NAT Mapping dialog box displayed. 3. Complete the fields using the information given in the Table 15 on page 90 4. Click Next The Static NAT Mapping Updated dialog box appears. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 89

    Using Static NAT 5. Click Finish. If you added a new mapping, it appears in the static NAT page. To edit an existing static NAT mapping, click Edit tab. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 90: Viewing And Deleting Static Nat Mappings

    The following procedures explain how to view and delete static NAT mappings. To view static NAT mappings 1. Click Network in the main menu. 2. Click the Static NAT tab. The Static NAT page appears with a list of existing static NAT mappings. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 91: Using Static Routes

    To add a static route 1. Click Network in the main menu, and click the Static Routes tab. The Static Routes page appears, with a listing of existing static routes. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 92

    4. Click Apply. The new static route is saved. Table 16 Edit Route Page Fields Field Action Destination Type the network address of the destination network. Network Subnet Mask Select the subnet mask. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 93

    The Static Routes page appears, with a listing of existing static routes. 2. In the desired route row, click the Erase tab. A confirmation message appears. 3. Click OK. The route is deleted. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 94

    Managing Your Local Area Network Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 95: Setting Up The Nokia Ip40 Security Platform Security Policy

    Setting Up the Nokia IP40 Security Platform Security Policy This chapter describes how to set up the Nokia IP40 security policy. It includes the following topics: Setting the Firewall Security Level Configuring Virtual Servers Creating Firewall Rules Allow and Block Rules...

  • Page 96: Configuring Virtual Servers

    Setting Up the Nokia IP40 Security Platform Security Policy To change the firewall security level 1. Click Security on the main menu. The Firewall page appears. 2. To set the security level, drag the slider or click on the security level that you want to select.

  • Page 97

    3. In the Allow column, check the check box of the desired service or application. If you are using IP40 Satellite X, the appropriate check box in the VPN Only column is to be enabled. 4. To allow connections made through a VPN only, select the VPN Only check box.

  • Page 98: Security Policy

    The following sections describe how to customize your security policy. Creating Firewall Rules The Nokia IP40 Security Platform checks the protocol used, the ports range, and destination IP address when deciding whether to allow or block traffic. By default, in the medium security level, the IP40 blocks all connection attempts from the Internet (WAN) to the LAN, and allows all outgoing connection attempts from the LAN to the Internet (WAN).

  • Page 99

    Customizing Nokia IP40 Security Platform Security Policy Depending on the button you select, the Allow and Forward rule, or the Allow Rules, or the Block Rules page appears. The following table gives more information about the firewall rules that you create.

  • Page 100

    Internet to a specific service in your internal network. Note In IP40 Tele 8, the Allow Rules page does not contain a VPN Only column, and the Block Rules page does not contain an Also VPN column. 4. Complete the fields using the information in Table 19 on page 101.

  • Page 101

    Customizing Nokia IP40 Security Platform Security Policy 6. Complete the fields using information from the table below The Done dialog box appears. 7. Click Finish. The new rule appears in the Firewall Rules page. Table 19 on page 101 gives more information about the firewall rule fields.

  • Page 102: Deleting Rules

    The rule is deleted. Defining an Exposed Host The Nokia IP40 Security Platform allows you to define an exposed host, which is a computer that is not protected by the firewall. This allows unlimited incoming and outgoing connections between the Internet and the exposed host computer.

  • Page 103

    Caution Entering an IP address can make the designated computer vulnerable to external attacks. Nokia recommends that you not define an exposed host unless you are fully aware of the security risks. To define a computer as an exposed host The exposed host receives all traffic that is not forwarded to another computer by using Allow and Forward rules.

  • Page 104

    Setting Up the Nokia IP40 Security Platform Security Policy Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 105: Configuring Network Access

    Access Control Changing Your Password You can change the password of your Nokia IP40 Security Platform, any time. The method for changing password varies depending on the IP40 configuration you are using. The default username and password for Nokia IP40 Tele 8 Configuration is admin.You can change the password for this user.

  • Page 106

    Use five to twenty five alphanumeric characters for the new password. 3. Click Apply. Your changes are saved. In Nokia IP40 Satellite X, you can define multiple users and perform the following tasks: Change your password Add users View and edit users...

  • Page 107: Adding Users

    4. Click Apply. Your changes are saved. Adding Users You can add users with IP40 Satellite X only. The number of IP40 users you can add is limited according to your software. To add a user 1. Click Users on the main menu.

  • Page 108: Viewing And Editing Users

    Configuring Network Access Viewing and Editing Users You can view and edit users with IP40 Satellite X only. To view or edit users 1. Click Users on the main menu. The Users page appears. 2. Click Edit against the user you want to edit.

  • Page 109: Deleting Users

    You can set up VPN access for users with IP40 Satellite X only. If you are using the IP40 as a VPN server, you can allow users to access it remotely through their VPN clients (a Check Point SecureClient, Check Point SecuRemote, IP40 Tele 8, or another IP40 Satellite X).

  • Page 110: Using Radius Authentication

    You can use RADIUS to authenticate both Nokia IP40 Security Platform users, and VPN clients trying to connect to the IP40. When a user accesses the IP40 GUI and tries to log on, the IP40 sends the entered username and password to the RADIUS server. The server then checks whether the RADIUS database contains a matching username and password pair.

  • Page 111: Access Control

    Type the shared secret to use for secure communication with the RADIUS server. Administrator Select the level of access to the IP40 portal to assign to all users Level that the RADIUS server authenticates. The levels are: No Access: The user cannot access the IP40.

  • Page 112: Telnet Access

    60 Secure Shell Nokia IP40 supports SSH 2.0. The SSH feature in IP40 provides secure remote access to the appliance. In addition, SCP is supported to enable secure upgrade of the device, downloading of public keys, HTTPS certificates, import and export features.

  • Page 113: Enabling Or Disabling Ssh Service

    IP Address Range Click Internal Network to enable only computers from your internal network to access your IP40 through SSH. Similarly, click ANY to enable any host (with any IP address) to connect to IP40 through SSH, and so on.

  • Page 114: Ssh Authentication Methods

    Using SSH Client You need an SSH client to connect to the SSH server running on IP40. Install an SSH client if you do not have one already. You can use the SSH client to connect to the IP40 by using password authentication or public key authentication.

  • Page 115: Configuring And Managing Ssh Key Pairs

    Use the following commands to show service detail configurations: show ssh server log-level Configuring and Managing SSH Key Pairs This section provides details about how to configure and manage your SSH key pairs. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 116: Managing Authorized Keys

    Enabling HTTPS Web Access You can enable HTTPS remote access, so that IP40 users can securely access the IP40 portal from the Internet, by accessing the URL https://X.X.X.X:981, where X.X.X.X is the IP40 Internet IP address.

  • Page 117: Generating A Self-signed Certificate And Private Key

    The Management page appears. 3. In the HTTPS menu, click : Internal Network— to enable only users of your internal network to access your IP40 through HTTPS. Internal Network + VPN— to enable users of your internal network and users connected to your IP40 through a VPN tunnel to access your IP40 through HTTPS.

  • Page 118: Installing A Certificate And Private Key

    <cert-file path | cert-request-file path> key-file path For more information see the Nokia IP40 Security Platform CLI Reference Guide Version 1.1. Installing a Certificate and Private Key Use the following commands to copy a certificate and its associated private key in the /var/etc/ https_ssl_cert_server.crt and /var/etc/https_ssl_server.key files.

  • Page 119: Configuring And Monitoring Snmp

    MIB-II (for more information, see RFC 1213) Host Resource MIB (for more information, see RFC 1514) SNMP Configuration from Nokia IP40 Security Platform You can use the Nokia IP40 GUI portal and the command-line interface (CLI) to set, change, and view parameters for SNMP. Security Platform...

  • Page 120: Configuring The Snmp Parameters

    IP Address Range Disabled If you select Internal Network, SNMP access to the IP40 is allowed from computers in your internal network or LAN only; if you select IP Address Range, you can specify a range of IP addresses from which SNMP access is allowed to your IP40.

  • Page 121: Configuring Snmp Parameters From The Command-line Interface

    IP address of the device from where a trap is generated. Use the command set snmp trappduAgent ip_address from the IP40 CLI for setting the trapPduAgent. You cannot set the trapPduAgent from the IP40 GUI portal. For more information, see the Nokia IP40 Security Platform CLI Reference Guide Version 1.1.

  • Page 122: Viewing Snmp Parameters

    - snmp Trapreceiver traps - SNMP Traps For additional and detailed information on how to use the set and show commands, see the Nokia IP40 Security Platform CLI Reference Guide Version 1.1. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 123: High Availability

    Nokia IP40 supports VRRP that caters to device failures, connects to multiple ISP supporting Demand Dialing, Internet link selection by using BGP to cater to ISP link failures, and seamless routing of encrypted traffic across multiple WAN links.

  • Page 124: Configuring Vrrp With Cli Commands

    (addressed to the Internet) to IP40 (R1), default router. VRRP specifies a mechanism that IP40 (R2) uses to start acting as the default router when IP40 (R1) fails, and the hosts in the LAN do not become isolated. As shown in the preceding figure, the branch office network uses a single virtual router ID (V1).

  • Page 125: Dual Homing

    Use the following commands to delete the VRRP configuration: delete vrrp interface <lan | dmz> virtual-router vrid <value> For more information about VRRP commands, see the Nokia IP40 Security Platform CLI Reference Guide Version 1.1. Dual Homing Nokia IP40 Security Platform supports dual homing Internet connection, which provides an uninterrupted link to the ISP.

  • Page 126: Isp Connectivity

    A simple dual home configuration is shown in the following figure. Configuring Nokia IP40 Security Platform for Dual Homing ISP Connectivity The following sections give information about how to configure the Nokia IP40 dual homing feature: Configuring primary Internet profile for DSL/ Cable/Automatic DHCP (see “Configuring...

  • Page 127: Configuring Isp Dial-up Profiles

    Use the following command to configure ISP dial-up profiles by using the CLI wizard: wizard dialup For more information about how to use other dial-up commands, see th Nokia IP40 Security Platform CLI Reference Guide, Version 1.1. Use the following commands to modify ISP dial-up profiles: set dialup profile <id>...

  • Page 128: Border Gateway Protocol

    BGP peers. The central office BGP peer advertises the CO networks to the IP40 and BGP. The traffic originating from the IP40 LAN destined to the central office network is tunneled and sent.

  • Page 129: Enabling Bgp Routing

    Route Based VPN and BGP Note You can configure BGP by using the Nokia IP40 CLI only. This feature is not supported in the IP40 GUI. Use the command-line options from a command shell (such as Hyper terminal) to configure these options. A brief list of important commands are included in this guide to provide an introduction.

  • Page 130: Viewing Debugging Information

    <on | off > Adding a BGP Peer to Nokia IP40n Security Platform Nokia IP40 Security Platform supports both internal and external BGP neighbors. Internal neighbors are in the same autonomous system; external neighbors are in different autonomous systems. Normally, external neighbors are adjacent to each other and share a subnet, while internal neighbors can be anywhere in the same autonomous system.

  • Page 131: Creating Access- Lists On Nokia Ip40 Security Platform

    Route Based VPN and BGP Creating Access- Lists on Nokia IP40 Security Platform Access lists are filters that enable you to restrict the routing information a router advertises to a neighbor. BGP uses address-based access lists. Use the following commands to configure access lists: add bgp access-list <list-name>...

  • Page 132: Configuring A Remote Bgp Peer With Md5 Authentication

    BGP peers or the connection between them is not established. The authentication feature uses the MD5 algorithm. Invocation of this feature enables Nokia IP40 to generate and check the MD5 digest of every segment sent on the TCP connection. If authentication is invoked and a segment fails authentication, a message appears on the console.

  • Page 133: Configuring A Local Loopback Interface

    Internet connection (optionally with multiple profiles). In this mode, device fails over to secondary Internet connection (dial-up) if all high priority BGP peers become unreachable. It continues to monitor the status of high priority BGP peers and falls back to primary Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 134: Configuring Criteria For Path Selection

    VPN device or a router connected to frame relay network. In this mode, IP40 uses DMZ as backup to the primary Internet connection. The traffic is tunneled as long as BGP peer is reachable over VPN through primary Internet connection.

  • Page 135: High- Availability Solution With A Single Nokia Ip40 Security Platform

    VPN. If this BGP session fails because of any service interruption, dial-up is activated. Nokia IP40 (R1) connects to RO2 and establishes a VPN connection. R1, and the BGP peer (R4) located in RO2 establish a BGP connection over VPN, and the traffic from the branch office flows through this alternative path.

  • Page 136: High Availability Solution With Dual Nokia Ip40

    RO1 by using DSL or a cable connection (preferred path). If any service interruption occurs in the R1 LAN , Nokia IP40 (R2) takes over as the default virtual router and forwards the branch office traffic on the DMZ to RO1 securely. If the IP40 (R1) device fails, R2 becomes master and dial-up is activated.

  • Page 137: Out-of-band Management

    Nokia IP40 Security Platform supports remote management by using Out-Of-Band management (OOB), where IP40 acts as a remote access server (RAS) and waits for the incoming call. To use OOB, connect a modem to the AUX port of your appliance with dial-up Internet connection.

  • Page 138: Configuring Oob From The Nokia Ip40 Security Platform Gui

    Configuring OOB from the Nokia IP40 Security Platform GUI Configure the modem settings from the IP40 GUI before you use the OOB feature. To configure the modem settings from the IP40 Security Platform GUI 1. Click Network from the main menu.

  • Page 139: Secure Shell And Https Access Through Out-of-band Dial-in

    OOB for a time period of 30 minutes, irrespective of the current firewall filters. To boot your Nokia IP40 in Remote Configuration Mode, hold the Reset button and connect the power to the device. The default username and password for OOB are admin and password respectively, if the first time password is not set.

  • Page 140

    Configuring Nokia IP40 Through Out-of-Band Management Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 141: Configuring Device Functions

    Use the following commands to view or change your platform host name: show hostname set hostname name For more information on setting the host name, see Nokia IP40 Security Platform CLI Reference Guide Version 1.1. Date and Time Configuration For information on setting the date and time, see “Setting Nokia IP40 Security Platform Time”...

  • Page 142: System Logging Configuration

    Configuring Device Functions System Logging Configuration You can configure the Nokia IP40 Security Platform to send event logs to a syslog server that resides in your internal network or on the Internet. The logs detail the date and the time each event occurred.

  • Page 143: Network Utilities

    Network Utilities For more information about how to set the syslog server, see Nokia IP40 Security Platform CLI Reference Guide, Version 1.1. Network Utilities You can use the following network utilities from the IP40 Security Platform GUI: Ping Traceroute WHOIS...

  • Page 144: Managing Configuration

    Exporting the Nokia IP40 Security Platform Configuration You can export the Nokia IP40 Security Platform configuration to a *.cfg file, and use this file to back up and restore IP40 settings, as needed.The configuration file includes all of your settings.

  • Page 145: Importing The Nokia Ip40 Security Platform Configuration

    5. Type a name for the configuration file and click Save. The *.cfg configuration file is created and saved to the specified directory. Importing the Nokia IP40 Security Platform Configuration To restore the configuration of your appliance from a configuration file, you must import the file: Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 146

    6. Click OK. The Tools page reappears. Note You can use the HTTP, TFTP, FTP, SCP protocols through the IP40 CLI for configuration export and import. For additional information, see Nokia IP40 Security Platform CLI Reference Guide, Version 1.1. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 147: Upgrading Firmware

    Upgrading Firmware Upgrading Firmware You can upgrade Nokia IP40 Security Platform to a new firmware version of the product. If you are subscribed to Software Updates, firmware updates are performed automatically. These updates include new product features and protection against new security threats.

  • Page 148

    3. Click Upgrade Product. The Setup wizard opens, with the Install Product Key dialog box displayed. 4. Select Product Key. 5. In the Product Key field, enter the new product key. 6. Click Next. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 149: Dynamic Dns

    IP address on the Internet. This is useful for Nokia Horizon Manager to locate the IP40 devices that it manages by the host names that are used at remote office and branch offices. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 150: Configuring Ddns

    Resetting Nokia IP40 Security Platform to Factory Defaults You can reset Nokia IP40 to its default settings. When you reset your IP40, it reverts to the state it was originally in when you purchased it, and your firmware reverts to the version that shipped with the device.

  • Page 151: By Using The Reset Button

    Resetting Nokia IP40 Security Platform to Factory Defaults by Using the Reset Button The Restore Defaults button is inside a hole on the back panel of Nokia IP40. To press the button, use a large flat-tipped object, such as a thick paper clip. Pressing the Restore Defaults button for seven seconds restores all IP40 settings back to factory defaults.

  • Page 152

    Configuring Device Functions Note You can also reset your Nokia IP40 to factory defaults by using the GUI, or the CLI, and remote config mode. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 153: Viewing Reports

    Viewing Reports This chapter provides an overview of the reports you can view from the Nokia IP40 Security Platform GUI, and how to view them. This chapter includes the following topics: Viewing the Event Log Viewing Active Computers Viewing Active Connections...

  • Page 154: Viewing Active Computers

    IP address of the attacking computer. Nokia IP40 queries the Internet WHOIS server, and a window displays the name of the entity to whom the IP address is registered and their contact information. This information is useful in tracking down external attacks.

  • Page 155

    If you exceed the maximum number of computers allowed by your license, a warning message appears, and the computers that exceed the node limit are marked in red. These computers might not be able to access the Internet through IP40. Note To increase the number of computers that your license allows, you must upgrade your product.

  • Page 156: Viewing Active Connections

    1. Click Reports on the main menu, and then choose Active Connections. The Active Connections page appears. 2. Do the following: Click Refresh to refresh the display. To view information about the destination computer, click its IP address. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 157: Viewing Vpn Tunnels

    Viewing Reports on Nokia IP40 Security Platform The IP40 queries the Internet WHOIS server, and a window displays the name of the entity to whom the IP address is registered and their contact information. Viewing VPN Tunnels You can view a list of currently established VPN tunnels.

  • Page 158: Viewing The Diagnostics Summary

    You can refresh the table by refreshing the browser. Viewing the Diagnostics Summary You can view the diagnostics summary for your device from the IP40 GUI. The diagnostics summary provides useful information about your device, such as node limit, network status, primary network status, secondary network status, my network status, setup state, users state, security, and subscription services.

  • Page 159

    Viewing Reports on Nokia IP40 Security Platform 5. Use the scroll bar to view more information. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 160

    Viewing Reports Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 161: Working With Vpns

    The Nokia IP40 Tele 8, and Satellite 16/32/U licenses provide VPN functionality. Nokia IP40 Tele 8 contains a VPN client and can act as a VPN server. Nokia IP40 Satellite 16/32/U can act as a VPN client, a VPN server, or a VPN gateway.

  • Page 162

    Nokia IP40 Satellite (Gateway) Check Point NG AI, NG, FP3, FP2, FP1 Nokia IP40 Satellite Check Point NG AI using VPN-1 Edge/ Embedded Gateway Check Point Smart LSM using VPN-1 Edge/Embedded ROBO Gateway. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 163: Setting Up Nokia Ip40 As A Vpn Server

    VPN mode. IP40 Tele and Satellite both provide VPN functionality. Nokia IP40 Tele license contains a VPN client and can act as a VPN server. Nokia IP40 satellite can act as a VPN client, a VPN server, or a VPN gateway.

  • Page 164: Configuring Remote Access Vpns

    1. Click VPN in the main menu, and click the VPN Sites tab. 2. Click New Site at the bottom of the page. 3. The IP40 VPN site wizard appears. If you select Remote Access VPN, the VPN Network Configuration dialog box appears.

  • Page 165

    To configure the site for manual login, select Manual Login. Enter a username and password to be used for logging on to the VPN site. b. To enable the IP40 to log on to the VPN site automatically, Select Automatic Login Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 166: Configuring Site-to-site Vpn

    “Completing Site Creation” on page 169. Note The automatic login option in the GUI is supported for Nokia IP40 Satellite X and only manual login is available for Nokia IP40 Tele license. Configuring Site-to-Site VPN If you selected site-to-site VPN, the VPN Gateway Address window appears.

  • Page 167

    Check Use Shared Secret or Use Certificate, depending on the secure communication method to be used. c. If you choose Use Shared Secret, enter the Shared Secret. 6. If Specify Configuration option is selected, the following window appears: Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 168

    In the Subnet mask column, select the subnet masks for the destination network addresses. Note Obtain the destination networks and subnet masks from the VPN site system administrator. c. Click Next. The Authentication window appears. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 169: Completing Site Creation

    You can see the downloaded topology on your IP40 device from http://my.firewall/ vpntopo.html Deleting a VPN Site You can delete a VPN site from the IP40 Tele 8 and IP40 Satellite X. To delete a VPN site 1. Click VPN on the main menu.

  • Page 170: Logging To A Vpn Site

    If you chose manual login, log on to a VPN site every time you want to access the VPN site. You can log on to a VPN site either through the Nokia IP40 GUI or the my.vpn page. When you log on, a VPN tunnel is established.

  • Page 171: Logging On From The Nokia Ip40 Security Platform Gui

    If your IP40 is configured to automatically download the network configuration, the IP40 downloads the network configuration. If you specified a network configuration when you add the VPN site, the IP40 attempts to create a tunnel to the VPN site.

  • Page 172: Logging On Through My.vpn

    You do not need to know the my.firewall page administrator's password to use the my.vpn page. To log on to a VPN site through the my.vpn page 1. Go to http://my.vpn.The VPN Login window appears. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 173: Logging Off A Vpn Site

    To log off from a VPN site, in the VPN Login Status dialog box, click Close. All open tunnels from the IP40 to the VPN site are closed, and the VPN Login Status dialog box closes. Closing the browser or dismissing the VPN Login Status box also terminates the VPN session within a short time.

  • Page 174

    5. Type the pass-phrase that your received from the network administrator. 6. Click Ok. Your certificate is installed, and a success message appears. 7. Click Ok. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 175: Installing Vpn Certificates By Using Cli

    SmartCenter NG AI that uses Check Point Large Scale Manager and the dynamically configured IP40 security platform that uses the DAIP. The certificate created on the Check Point NG AI can be uploaded to the IP40 Satellite. To upload VPN certificates and to create a dynamic VPN site by using Check Point Smart LSM 1.

  • Page 176: Security Platform

    Working with VPNs 7. Click the VPN Sites tab to see the Dynamic VPN tunnel created between your Nokia IP40 and the Check Point NG AI management station. Uninstalling the Certificate from your Nokia IP40 Security Platform Follow this procedure to uninstall VPN certificate from Nokia IP40 Security Platform.

  • Page 177: Installing The Security Policy By Using Gui

    To install the security policy by using GUI 1. Click Setup on the main menu. The Firmware window appears 2. Click Firmware Update. The Firmware Update window appears. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 178: Vpn Scenarios

    Note The following sections provide only an introduction to the VPN scenarios supported by Nokia IP40 Security Platform. They DO NOT discuss the complete usage scenario. For more information about usage scenarios, contact the Nokia support site. Nokia IP40 as VPN Server Nokia IP40 as a VPN server supports the following scenario: Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 179: Setting Up Nokia Ip40 Satellite X

    SecuRemote to Nokia IP40 Satellite X (VPN Client to Gateway) This VPN topology enables Nokia IP40 Tele 8, Nokia IP40 Satellite X, Check Point SecuRemote and SecureClient VPN clients to connect to an IP40 Satellite X acting as a VPN server. Note In this configuration, the IP40 Satellite X VPN server must have a static IP address and domain name.

  • Page 180: Nokia Ip40 As Vpn Client

    If you are using the IP40 in a standalone mode, add the license manually. Adding VPN Sites by Using Nokia IP40 Tele 8 Using Nokia IP40 Tele 8 licenses, you can define only remote access VPN sites. To define site- to-site VPN gateways, you must have IP40 Satellite X license.

  • Page 181

    To add a VPN site, click New Site. b. To edit a VPN site, click Edit in the desired VPN site row.: If you click the option a, the Nokia VPN Site Wizard opens, as shown in the following window: 3.

  • Page 182

    Note You can download the network configuration only if you are connecting to a Check Point VPN-1 or Nokia IP40 Satellite X VPN Gateway. To specify configuration 7. If you chose Specify Configuration in the preceding procedure, a dialog box appears.

  • Page 183

    VPN sites list. To route all traffic If you chose Route All Traffic in Adding VPN sites by using the IP40 Tele 8, the VPN Network Configuration dialog box appears with the following message: Only one VPN Profile can be configured as Route All Traffic.

  • Page 184: Nokia Ip40 Site-to-site Vpns Support

    The following sections describe about site-to-site VPNs, and the modes they support. Adding VPN Sites by Using Nokia IP40 Satellite X You can define each VPN site according to the function you want IP40 Satellite X to perform when connecting to the site: VPN Client—define the VPN site as a remote access VPN site using the following...

  • Page 185

    IP40 Satellite IP40 Tele If the VPN client is enabled, the IP40 GUI main menu includes a VPN menu option. In addition, the Reports pages include an additional VPN Tunnels submenu that allows you to view the active VPN tunnels.

  • Page 186: Setting Up Nokia Ip40 Tele 8

    FP1,FP2, FP3, NG, or NG AI You can use the IP40 Tele 8 as a VPN client to establish a Remote to Site VPN connectivity with a Check Point server by using version 4.1, FP1, FP2, FP3, NG, or NG AI.

  • Page 187

    Nokia IP40 Tele 8 to Check Point NG AI Setting Up Nokia IP40 Tele 8 To configure a VPN tunnel between Nokia IP40 Tele 8 and Check Point FP3, on IP40 Tele 8, (VPN client) add a VPN site. Setting Up Check Point NG AI Configure a VPN-1 Edge/Embedded gateway object on the Check Point Smart Dashboard.

  • Page 188

    To set up the IP40 Satellite X 1. Specify the IP address of Nokia IP40 Satellite X on the remote Nokia IP40 Satellite X. 2. Enter the shared secret (a password that is known to both the IP40 Satellite X devices).

  • Page 189: Unrestricted Mode

    Solution A: Nokia IP40 Satellite X to VPN-1 (Site-to-Site VPN) Hosts on Network 1 establish the TCP/IP connection to the external IP address of the IP40 Satellite X site-to-site VPN gateway. The IP40 Satellite X device is configured through the IP40 GUI Security page to port forward the inbound traffic to the defined host.

  • Page 190: Defining A Backup Vpn Gateway

    Check Point Multiple Entry Point document. Nokia IP40 Satellite X to VPN-1 (Site-to-Site VPN) Nokia IP40 Satellite X to VPN-1 or Check Point v4.1, FP1, FP2, FP3, NG, or NG AI configuration enables you to establish site-to-site VPN connections between an IP40 Satellite X site-to-site VPN gateway and a VPN-1 site-to-site VPN gateway.

  • Page 191

    To configure Nokia IP40 Satellite X 1. Specify the IP address of Nokia IP40 Satellite X on the VPN-1 server. 2. Enter the shared secret (a password that is known to both the IP40 Satellite X and the VPN- 1 Server).

  • Page 192

    Certificate instead of Use Shared Secret. Nokia IP40 Satellite X to Check Point SmartCenter FP3/NG AI You can use Nokia IP40 Satellite X as a VPN server to establish a VPN connectivity with SmartCenter FP3/NG AI server by using VPN-1 Edge/Embedded gateway or using VPN-1 Edge/Embedded ROBO gateway in case of Smart LSM (VPN Star Community).

  • Page 193: For Vpn Connection With Smartcenter Fp3

    To configure the IP40 Satellite X for VPN connection with SmartCenter FP3 1. Specify the IP address of Nokia IP40 Satellite X on the VPN-1 server. 2. Enter the shared secret (a password that is known to both the IP40 Satellite X and the VPN- 1 Server).

  • Page 194: Site-to-site Vpn With Windows 2000

    2. Enter the IP address of the Check Point NG AI Management station. The Connecting window appears. 3. Enter the Gateway ID and Registration Key that is used while creating the IP40 dynamic object on the LSM. 4. The Connecting window appears.

  • Page 195: Site-to-site Vpn With Nokia Cryptocluster

    For more information on how to configure the Windows 2000 server, see SofaWare’s Configuring Windows 2000/ XP IPSec to Site-to-Site VPN. Site-to-Site VPN with Nokia CryptoCluster You can configure for VPN connectivity between the Nokia IP40 Satellite X, and a Nokia VPN Gateway (CryptoCluster) for site-to-site VPN. Authentication supported: preshared secret...

  • Page 196: Vpn Routing Between Two Nokia Ip40 Security Platforms

    The Nokia IP40 Security Platform supports mesh VPN topology using Check Point where different IP40 Security Platforms are configured as site to site VPNs within a mesh topology. The limitation in this scenario is that the IP40 configured on Check Point should have a static WAN IP address.

  • Page 197: Using Managed Services

    Using Managed Services You can integrate your IP40 Security Platforms into an overall enterprise security policy, for maximum security. The Check Point Security Management Architecture (SMART) delivers a single enterprise-wide security policy that you can centrally manage and automatically deploy an unlimited number of IP40 gateways.

  • Page 198

    To specify a Service Center, do the following: Select Specified In the Specified text box, enter the IP address of the desired Service Center, as given to you by the service center. 5. Click Next. The Connecting screen appears. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 199

    Enter your gateway ID and registration key in the appropriate fields, as given to you by your service provider. b. Click Next. The Connecting window appears. The Confirmation dialog box appears with a list of services to which you are subscribed. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 200

    When the download is complete, the IP40 restarts by using the new firmware. The Welcome page appears. The services to which you are subscribed are now available on your IP40 and listed as such on the Account page. For more information, see “Viewing Service Information...

  • Page 201: Viewing Service Information From The Account

    The refresh option restarts the connection to the service center and refreshes the service settings of your device. To refresh your service center connection 1. Click Services in the main menu, and click the Account tab. The Account page appears. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 202: Configuring Your Account

    Using Managed Services 2. In the Service Account area, click Refresh. The IP40 reconnects to the Service Center. Your service settings are refreshed. Configuring Your Account You to access your service center Web site, which might offer additional configuration options for your account.

  • Page 203: Disconnecting From Your Service Center

    The following things happen: You are disconnected from the Service Center. The services to which you were subscribed are no longer available on your IP40. Sofaware Security Management Portal The SofaWare Management Center (SMC) is a Web-based application for managing, and configuring the SofaWare Security Management Portal (SMP).

  • Page 204: Web Filtering

    If you are remotely managed, contact your service center to change these settings. To enable or disable Web filtering 1. Click Services in the main menu, and click the Web Filtering tab. The Web filtering page appears. 2. Drag the On/Off lever upwards or downwards. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 205: Selecting Categories To Block

    1. Click Services in the main menu, and click the Web Filtering tab. The Web Filtering page appears. 2. Click Snooze. Web filtering is temporarily disabled for all internal network computers. Snooze changes to Resume. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 206: Virus Scanning

    Enabling or Disabling Email Antivirus This section gives you information about how to enable or disable the email antivirus option. Note If you are remotely managed, contact your service center to change these settings. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 207: Selecting Protocols For Scanning

    Email retrieving (POP3). If enabled, all incoming email in the POP3 protocol is scanned. Email sending (SMTP). If enabled, all outgoing email is scanned. Protocols marked with a check mark are scanned, while those marked with cross mark (x) are not. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 208: Temporarily Disabling Email Antivirus

    1. Click Services in the main menu, and click the Email Antivirus tab. The Email Antivirus page appears. 2. Click Snooze. Email antivirus is temporarily disabled for all internal network computers. Snooze changes to Resume. The Email Antivirus Off popup window opens. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 209: Automatic And Manual Updates

    If you are subscribed to Software Updates, you can check for new security and software updates. Checking for Software Updates when Locally Managed If your Nokia IP40 security platform is locally managed, you can set it to automatically check for software updates, or you can set it so that software updates can be checked manually.

  • Page 210: Checking For Software Updates When Remotely Managed

    When the Software Updates service is set to Automatic, you can still manually check for updates. 3. To set the IP40 so that software updates must be checked for manually, drag the Automatic/ Manual level downwards. The IP40 does not check for software updates automatically.

  • Page 211: Managing With Nokia Horizon Manager

    To use Nokia Horizon Manager Interface to access and manage your IP40 Security Platform: 1. Click Devices in the main menu and choose Create Devices to create an IP40 device. 2. Click Nokia Small Office Series Platform - IP40 for device type.

  • Page 212

    Topology was loaded to the device. This should be verified from http://my.firewall/vpntopo.html. 3. You can verify that the tunnel is open by sending packets from IP40 to the VPN-1 gateway. To configure NG AI and Nokia IP40 Security Platform for site-to-site by using LSM...

  • Page 213: Troubleshooting

    The performance of the device does not get affected even if debugging is disabled. But when debugging is enabled for many features, it can affect the primary firewall and VPN task of Nokia IP40. Debugging should be enabled judiciously and for brief periods.

  • Page 214: Viewing Debugging Levels

    I cannot access the Internet. What should I do? Check for the following: Check if the PWR LED is active. If not, check the power connection to the IP40. Check if the WAN LED is on. If not check the network cable to the modem and make sure the modem is turned on.

  • Page 215

    Every time I start Internet Explorer, the application searches for an Internet connection. This is unnecessary, since I am connected through the IP40. What should I do? For Internet Explorer, versions 5 and 6, do the following: 1.

  • Page 216

    I changed the network settings to incorrect values and am unable to correct my error. What should I do? Reset the network to its default settings by using the reset button on the back of the IP40 device. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 217

    Set the router to direct all incoming connections to the external IP address of IP40. Keep in mind that if you use IP40 behind another NAT device, you might lose some of the advantages of the IP40, such as broad application support and high performance.

  • Page 218

    Check for the correct username, Authentication Failure password given for the VPN site during login. I cannot connect to IP40 Satellite VPN site by using IP40 Satellite X. What should I do? Check for the following error messages in Report->Event Log: Error Message Verify...

  • Page 219: Viewing Firmware Status

    I cannot download the certificate. What should I do? Ensure that the device date and management date matches. Viewing Firmware Status The firmware is the software program embedded in the IP40. You can view your current firmware version and additional details. To view the firmware status 1.

  • Page 220: Failsafe Mode

    Nokia IP40 Security Platform enters failsafe mode when the main kernel becomes corrupted. If the main kernel becomes corrupted, the IP40 loads a failsafe kernel to the RAM. For the device to function properly, it must be upgraded with a new firmware.

  • Page 221: Upgrading Firmware From Failsafe Kernel

    If the firmware of your device gets corrupted, and your device is not working properly, you need to reload the firmware in it. You can reload your firmware by using the Faisafe Kernel. You can use the OOB feature in the IP40 for remote HTTPS or SSH access and to perform firmware upgrades.

  • Page 222

    Troubleshooting 3. Click Diagnostics. Technical information about the IP40 appears in a new window. 4. To refresh the contents of the window, click Refresh. The contents are refreshed. 5. To close the window, click Close. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 223: A Specifications

    Read the installation and operation procedures provided in this User Guide. Failure to follow the instructions can result in damage to equipment, and or personal injuries. Before cleaning the IP40, unplug the power cord. Use only a soft cloth dampened with water for cleaning.

  • Page 224

    Specifications Do not route the cables in a walkway or in a location that will crimp the cables. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 225: B Warranty

    Software to provide managed services provided that each copy of the Software is used solely on behalf of and for the benefit of a single client on the single piece of equipment provided by Nokia. An MSP may discontinue use of the Software on behalf of one client and use the Software to provide managed services to another single client.

  • Page 226

    Software error. Furthermore, the above warranty does not apply to any portion of the product supplied by a third party. In no event does Nokia warrant that the Software is error-free or that the Customer will be able to operate it without problems or service interruptions.

  • Page 227

    Upon termination, Customer shall cease all use of the Software and shall destroy or return to Nokia the original(s) and all copies of the Software and documentation made or furnished hereunder. Customer may terminate the License at any time by destroying all copies of the Software and documentation.

  • Page 228

    US. Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 229: C End User License Agreement

    You does not come with a License Key then the Licensed Configuration shall be the minimum configuration allowed by the user manual of SofaWare S-Box, and upon which the licensing fee was based. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 230

    (or permit others to) decipher, reverse translate, decompile, disassemble or otherwise reverse engineer or attempt to reconstruct or discover any source code or underlying ideas or algorithms or file formats or programming or interoperability interfaces of Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 231

    Agreement infringes any patent, copyright, or other ownership rights of a third party. You agree to provide SofaWare with written notice of any such claim within ten (10) days of Your notice thereof and provide reasonable assistance in its defense. SofaWare has sole discretion and Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 232

    SofaWare's export regulation information page (www.sofaware.com or www.s- box.com) for specific information. You agree that You will not ship, transfer, or export the Product into any country, or make available or use the Product in any manner, prohibited by law. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 233

    Agreement, and no license to the Product is granted to any government requiring different terms. 9.4 Questions? Should You have any questions concerning this Agreement contact the manufacturer at SofaWare Technologies Ltd., 3 Hilazon St., Ramat-Gan, Israel 52522. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 234

    End User License Agreement Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 235: D Compliance Information

    “The product complies with the requirements of the Low Voltage Directive 73/23/EEC and the EMC Directive 89/ 336/EEC.” Alan Hutchinson Quality Engineer Mountain View, California European contact:Greg Shortell Nokia Telecommunications 2 Heathrow Blvd, 284 Bath Road Heathrow, Middlesex UB7 ODQ England Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 236: Compliance Statement

    Consult the dealer or an experienced radio/TV technician for help. Caution Any changes or modifications not expressly approved by the grantee of this device could void the user’s authority to operate the equipment. Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 237

    FCC Notice (US) Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 238

    Compliance Information Nokia IP40 Security Platform User’s Guide v1.1...

  • Page 239

    105 deleting users 109 border gateway protocol (BGP) 128 viewing users 108 configuring NG AI and IP40 for site-to-site using LSM profiles 211 configuring Nokia IP40 for dual homing ISP changing IP addresses in your network 85 connectivity 126...

  • Page 240

    123 downloading pre-compiles policy 176 high-availability solution DSL connection settings 70 with dual Nokia IP40 Security Platform 136 using automatic DHCP 72 with single Nokia IP40 Security Platform 135 using PPPoE 71 HTTPS access through OOB 139...

  • Page 241

    172 FP3/NG AI 192 logging on to a VPN site from GUI 171 Nokia IP40 Satellite X to VPN-1 (Site-to-Site VPN) 190 logging on to Nokia IP40 Security Platform 49 Nokia IP40 Security Platform Features 20...

  • Page 242

    142 uploading VPN certificates setting up Check Point FP3 191 by using Check Point Smart LSM 175 Setting up IP40 Satellite X for VPN connection with using managed services 197 SmartCenter FP3 193 using network utilities from IP40 GUI 143...

  • Page 243

    225 Web filtering 204 enabling Web filtering 204 selecting categories to block 205 temporarily disabling Web filtering 205 to allow or block a category 205 working with VPNs 161 Nokia IP40 Security Platform User’s Guide v1.1 Index - 243...

  • Page 244

    Index - 244 Nokia IP40 Security Platform User’s Guide v1.1...

Comments to this Manuals

Symbols: 0
Latest comments: