However, information is subject to change. Warranty Avaya Inc. provides a limited warranty on this product. Refer to your sales agreement to establish the terms of the limited warranty. In addition, Avaya’s standard warranty language as well as information...
United States FCC Part 68 Supplier’s Declaration of Conformity (SDoC) Avaya Inc. in the United States of America hereby certifies that the equipment described in this document and bearing a TIA TSB-168 label identification number complies with the FCC’s Rules and Regulations 47 CFR Part 68, and the Administrative Council on Terminal Attachments (ACTA) adopted technical criteria.
VPNs. What Products are Covered Avaya’s solution is a line of three products that are used for managing Virtual Private Networks. Each one, listed below, has been designed to meet the needs and requirements of either a small, medium, or large network.
VPNmanager software provides global-level, VPN-level, group-level, client-level and equipment-level monitoring and control capabilities, and automates the task of managing configurations across multiple security gateways and Avaya VPNremote® Clients. Extensive alarm-reporting and statistics-gathering capabilities allow network managers to respond in real time to hardware, network, and security problems, and to plan the efficient growth and evolution of their networks.
VPNremote client software for distribution to end users via the web, or on portable storage media such as a CD or floppy disk. You can download these documents from www.avaya.com. Click on Product Documentation, select VPN and Security. How This Book Is Organized With this release of VPNmanager, the administrator’s guide was redesigned to present...
(SSL) with the Directory Server. Appendix B: Firewall rules included in the VPNmanager.
18 Avaya VPNmanager Configuration Guide Release 3.7
implementation, provides an overview of how to use VPNmanager for network, explains how to create a domain and create and configure a...
Contacting Technical Support
Technical Support is available to support contract holders of Avaya VPN products.
Domestic support: Toll-free telephone support: (866) 462-8292 (24x7). Email: vpnsupport@avaya.com. Web: http://www.support.avaya.com
International support: For regional support telephone numbers, go to http:www.avayanetwork.com/site/GSO/default.htm
VPNmanager. Components of the Avaya security solution
The Avaya security solution consists of the following:
- Avaya VPNmanager™
- Avaya™ SG security gateways and VPN Service Units (VSU)
Note: Beginning with VPNmanager 3.4, this configuration guide uses “security gateway” to refer to both the security gateway and the VSU. The VPNmanager application uses the word “Device”...
VPNremote Clients. VPNmanager Service Provider. Use this version to manage an unlimited number of devices and VPNremote Clients. The Service Provider also supports multiple VPN domains, which meets the needs of ISPs.
VPNmanager Enterprise Client. Use the Enterprise Client version for managing an unlimited number of security gateways and VPNremote Clients. VPNmanager Service Provider Client. Use the Service Provider Client version to manage an unlimited number of security gateways and VPNremote Clients. The Service Provider also supports multiple VPN domains.
Public zone. Public zone provides connection to the Internet, usually by way of a wide area network (WAN). Private zone. Private zone is used to provide connection to your private local area network (LAN) or to your corporate LAN. (Table 1). Ethernet0 and...
Public-backup zone. Public-backup zone is the backup interface to the primary public interface for use when Failover is configured. Semiprivate zone. Semiprivate zone is used for media such as wireless LAN, where the network is considered part of the protected network, but the media may be vulnerable to attack.
A VPN object is the method used to link security gateways, remote terminals, and LAN terminals in a fully configured virtual private network. Creating a VPN involves naming each VPN, adding users and user groups, and adjusting the IKE and IPSec security protocols for VPN traffic.
Security policies
VPNmanager security policy management provides the following security features that can be configured:
- Firewall rules
- Denial of Service (DoS) categories
- Quality of Service (QoS) rules
- Bandwidth management
In addition, encryption security options include Internet Key Exchange (IKE) with the IP Security protocol (IPSec).
The security gateway can be configured to protect and enable the communication of VoIP telephones either within a VPN or firewall. The security gateway can be configured to secure Avaya Multivantage™ and IP Office™ VoIP solutions as follows: Secure site-to-site voice trunks such as between headquarters and branch offices or between main offices and home offices using VPNs.
Optimize bandwidth for VoIP traffic using the security gateway’s Quality of Service (QoS) policies. In order to successfully use VoIP it is important to thoroughly plan the implementation of the feature. Avaya suggests that you read the Avaya IP Telephony Implementation Guide before implementing VoIP. Additional features The following is a list of some of the features that can be configured, depending on your VPN networking requirements.
6. Associate IP groups with the security gateway
7. Associate IP groups with the VPN
8. Create new users
9. Associate users with VPNs
10. Create a VPNremote Client address pool on the gateway
Sequence to configure your VPN
11. Configure firewall rules
12. Associate firewall rules with the correct gateway and security zone
13. Configure other features such as QoS, VoIP gateway, DHCP, NAT, routing, etc.
Issue 4 May 2005
Chapter 2: Using VPNmanager With Avaya VPNmanager you can define, configure, and manage VPNs and firewall policies, upgrade firmware, and manage remote user access policies. The VPNmanager graphical interface is modularized by functions and tasks to make configuring a VPN fast and easy.
6. For the privacy settings, the only available value is DES_CBC (56-bit DES is the only privacy cipher offered for SNMPv3 here). Enter the privacy password. 7. When finished, click Save. When you configure SNMPv3 for a device, the admin name is listed.
Log into the VPNmanager console You log in to the VPNmanager from your computer’s Start menu, Programs>Avaya> VPNmanager>Console. You use the super user name and password that were configured when the VPNmanager software was installed. Figure 2: VPNmanager login screen The first time you log in to the VPNmanager Console, you log in as the super user and add the policy server address or the name associated with the address.
No Domain Open. When you open a domain, the title bar shows the name of the domain that is opened. The main window includes a menu bar, a toolbar, the view VPN pane, and the alarms monitoring pane.
Figure 3: VPNmanager console main window (header with domain name)
The menu bar on the main VPNmanager screen includes the following commands: File, Edit, View, Tools, and Help. File menu. The File menu includes the following commands: Domain. You can create a new domain; open, close, or delete an existing domain; and select from a list of recently accessed domains.
Table 2 describes the new objects that can be configured.
Table 2: New object
Object: Device. Description: You create a new security gateway within a domain and configure the port interfaces.
Object: IPGroup. Description: You configure new IP groups to assign workstations and servers.
Other objects in Table 2: User, Service, User Group, RADIUS/ACE Services, Device Group, Admin, Failover, Converged Network Analyzer (CNA) Test Plug.
Edit menu
From Edit, you can choose one of the following commands: Delete Object. Select an object from the VPN diagram and then select Edit>Delete Object.
Update Devices. Update Devices is used to update the security gateway configuration with the configuration currently in the Directory Server database. Show Trace Console. Trace Console is used to log some debugging information. This information is used by Avaya support to diagnose and troubleshoot any problems that may occur. Help menu From Help, you can access the VPNmanager Help, and About VPNmanager.
Figure 5: Icons on toolbar (Services, Firewall, Device, Users, IP Group)
Table 3: Toolbar commands
Toolbar command: New Object. Description: The New Object button is a shortcut to the File>New Object command to create new objects within any of the categories listed in Table 2. A dialog or a wizard is opened to configure the information.
VPN are displayed in a circular pattern around the Internet cloud which appears in the center. The security gateways are displayed graphically along with a device status icon directly over the security gateway graphic.
Figure 6: VPNmanager Network Diagram View Tiled View When six or more security gateways are present in the selected VPN, the presentation automatically switches from the diagram view to the tiled view. Figure 7: VPNmanager, Tiled View Tree View An alternative presentation style to the diagram and tiled views, the tree view mimics the Windows-style vertical directory presentation.
Console window. From this window you configure and modify the VPN network configuration. The Configuration Console window includes a menu bar, toolbars, a contents pane and a details pane. See Monitoring alarms on page 268.
Figure 9: Configuration console window
Configuration Console Menu bar
The menu bar on the Configuration Console window includes the following commands: File, Edit, View, Tools, and Help. File menu. The File menu includes the following commands: New Object. You can create new objects within any of the categories listed in Table 2: New object. Save Changes.
Only policies that can be configured are displayed. Table 4 lists the policies that could be configured.
Table 4: Policy Services
- Client IP Configuration
- My Certificates
- Issuer Certificates
- Syslog*
- NAT*
- IKE
- Certificate Usage
- RADIUS/ACE
a. Policies that can be configured for security gateways with VPNos 4.x. Beginning with VPNos 4.31, the Firewall configuration is not part of Policy Manager.
See Update Devices on page 47.
Toolbar
The toolbar includes the following shortcut buttons. New Object.
General tab The Preferences General tab is used to set how you want to save changes on the VPNmanager. You can choose either “Save configuration changes automatically”, or “Alert me before saving configuration changes”.
Figure 10: Preferences, General Tab
Save configuration changes automatically - When this radio button is active, any changes made to an object are automatically saved upon moving to another object. Alert me before saving configuration changes - When this radio button is active, any change made to an object triggers a Save prompt upon attempting to move to another object.
RADIUS, or LDAP. Whichever method is selected is global (across the entire VPN). Selection is made by clicking on the desired radio button. See Configuring a remote user object on page 118 for details about configuring Dyna-Policy.
Figure 12: Preferences, Dyna-Policy Authentication Tab
Advanced The Advanced tab is used to either hide or display the LDAP directory context field that appears in a number of places throughout the VPNmanager Console. Users familiar with the LDAP directory structure may prefer having this field displayed. Figure 13: Preferences, Advanced Tab Remote Client The Remote Client tab is used to establish a path (tunnel) to a secure DNS server to resolve...
The Tunnel End Point (TEP) Policy tab lets you control the security policy applied to the traffic that flows between the end points of a tunnel. The default is off, that is, the configured VPN policies are not applied to TEP traffic. See TEP Policy on page 209.
Figure 16: Tunnel End Point Policy
Chapter 3: Setting up the network
This chapter describes the following features that are configured for the domain and the security gateway:
- New VPN domain
- Security gateway, including:
  - Domain name system resolution
  - Zone interfaces
  - NAT policies
  - Static route table
  - Routing information protocol (RIP)
New VPN Domain
A domain can be created to meet the networking needs of an entire organization, or a domain can be created to meet the needs of specific departments of an organization.
The name of your new VPN domain appears in the title bar of the VPNmanager Console main window. The domain is open and ready to be configured. Level of security The high security template enforces...
Configuring a security gateway
The New Object>Device function is used to create security gateways and VPN Service Units (VSU) in a VPN environment. The security gateway acts as the end point of VPN tunnels.
Note: Beginning with VPNmanager 3.4, this configuration guide uses the term “security gateway”...
12. Click Next. Select either to Setup Now or to Setup Later. Set up later sends the configuration information to the directory server, but not to the security gateway. DNS tab on page...
13. Click Finish to save the configuration information to the directory server, to poll the security gateway, and to exit the Setup Wizard. When you want to send configurations to one or more security gateways, click Update Devices from the Configuration Console window or use the Action tab to send the configuration to the security gateway.
Contents list. From the General tab you can change the IP address VPNmanager uses to communicate with the security gateway. All other information that is displayed is view only.
Using Device tabs to configure the security gateway
Figure 17: Device General tab
Directory Name - The directory name is the location of the security gateway in the directory tree structure. The security gateway name is unique within the VPN domain to which it is assigned.
To create a memo: 1. From the Contents column, select the security gateway you want to configure. 2. Click the Memo tab to bring it to the front.
3. In the Memo text box, type in any information about the security gateway. 4. When finished, click Save. DNS tab Use the DNS tab to define where to forward the Domain Name System (DNS) name resolution requests from the IP devices on the private side of the security gateway. Figure 18: DNS tab Configuring the DNS tab for security gateways at 4.3 or later The security gateway includes a DNS name server, and accepts DNS queries from devices on...
2. In the DNS Relay Configuration area, click Add. 3. Enter the Domain name and the Primary IP address of the DNS server. The secondary IP address is optional. Figure 19: Add DNS relay configuration 4. Click OK.
To add a static DNS server 1. From the Configuration Console Contents column, select the security gateway to be configured. Click the DNS tab to bring it to the front. 2. In the Static DNS Servers area, click Add. Enter the IP address of the DNS server and enable the back-up link, if required.
- The status. Status identifies if the physical link is up or down, and if the interface is being used by network applications.
- The IP address
- The mask
- The default route, if relevant
- The MAC address
Figure 20: Interface tab
Config Media interfaces can be assigned to one of six different network uses, called zones. The number of zones that can be configured depends on the security gateway model. Ethernet0 and Ethernet1 are present in all models and are assigned to the public and the private zones.
If the idle timer is enabled, select Ignore Non-VPN Traffic if you do not want non-VPN traffic to reset the idle timer. Only one public-backup zone can be configured on the security gateway.
To set the amount of time delay to switch from a secondary interface to the primary interface once the primary link has been detected, configure the Hold Down Timer. This delay provides the necessary time for the primary interface to stabilize. The Hold Down Timer applies to failover conditions occurring due to a link-level failure on the public primary interface only.
Network, Mask, Route
DHCP addressing. Use DHCP addressing if the gateway obtains its IP address dynamically from the Internet service provider (ISP). This can be configured for public-backup.
Private, Public-backup, Semi-private. Description: The public IP address that is assigned...
Point-to-Point Protocol Over Ethernet (PPPoE) Client
Use PPPoE Client addressing as a convenient way to connect the public or public-backup zone of the security gateway to the Internet, if your ISP supports PPPoE addressing. PPPoE Client addressing requires user authentication. To configure PPPoE addressing, complete the following information: Field: PPPoE User...
Note: with the security gateway. IP telephone configuration - If you are using the security gateway with the Avaya Definity® series of IP Telephones, you must configure the TFTP server IP, the TFTP file path, the Definity Clan IP and the Definity Clan port (See the Definity documentation for further information).
DHCP Relay
This functionality allows the DHCP Relay agent to bind to the device’s private and semi-private interface zones and forward only DHCP requests from the network behind the device to the DHCP server(s) on the public network. The DHCP server can reside on the private, semiprivate, or public zone, or on another remote network.
2. Click IP Devices. The IP Device Configuration dialog is displayed. 3. Enter the following information The MAC address of the IP device. If the device is an Avaya IP telephone, the MAC address is on the back of the telephone.
The IP address. This IP address must be within the same subnet as the DHCP server. Avaya recommends that you use an IP address for the device that falls into the DHCP subnet, but not in the DHCP range. 4. Click Add, and then click OK.
IP Address subnet. The domain name is provided and the WINS server can be configured. When deploying the security gateway, you need a unique DHCP range for each security gateway on the VPN.
Figure 23: IP Device Configuration with VPNos 4.2 or VPNos 4.3 IP Device MAC Address. - Enter the MAC address of the IP device. If the device is an Avaya IP telephone, the MAC address can be found on the back of the phone.
The Avaya DEFINITY® series of IP telephones require entries for all four fields (refer to your Definity documentation for further information). Non-Avaya IP telephones require, at a minimum, the TFTP server IP address.
Note: The following IP telephone DHCP options are supported: Option 150: Proprietary to Avaya IP telephones.
Note: When the security gateway is acting as a DHCP Relay, the security gateway cannot be a DHCP server at the same time. DHCP Relay and DHCP Server services are mutually exclusive. When the DHCP Relay agent receives DHCP client requests from the private port, the relay agent creates new DHCP messages and forwards them to the DHCP server(s) on the public network.
By default, the network object includes the IP address and mask that have been configured for the corresponding zone. Besides this address, you can add additional addresses.
Select a network object and click Add to configure additional IP addresses and masks.
Figure 25: Device Network Objects tab
Routing
Routing is specified when more than one router exists on a network to which the security gateway must forward either VPN or non-VPN traffic.
11. In the Network field, type in the network address for the LAN that is beyond the next hop router. 12. In the Mask text boxes, type in the subnet mask for the network address.
13. Click Add to List to put the address/mask pair into the Current Network/Mask Pairs for this Hop list box, which also associates the pair with the IP address of the next hop router. 14. Click Finished to return to the Static Route tab. 15. ...
9. Click OK to exit the RIP Advanced Settings window. 10. Click Save. 11. When you want to send the configuration to one or more VSUs, click Update Devices. See Client IP address pool configuration on page 120.
Policies tab, NAT services Network Address Translation (NAT) is an Internet standard that allows private (nonroutable) networks to connect to public (routable) networks. To connect private networks and public networks, address mapping is performed on a security gateway that is located between the private network and the public network.
Note: If your network contains any nonroutable addresses, Avaya recommends that you enable the Share public address to reach the internet feature. Firewall rules that are in use are applied to translated traffic as well and can block it.
Priority of NAT types
NAT is a rule-based policy, where the priority is based on the NAT type and then the order in which the NAT types appear in the NAT list.
To add a NAT rule (VPNos 4.31) 1. From the Configuration Console Contents column, select the Policy tab to bring it to the front. Select NAT from the list. 2. Click GO. The NAT Rules dialog is displayed and the selected device’s name should be visible in the Object Names list.
Set up VPNs that include overlapping private addresses. Address mapping allows network administrators to set up VPNs between two sites that use the same private network addresses. For example, both sites may be using 10.0.0.0 private network addresses.
Provide support for multi-gateway network configurations. Address mapping can be used to ensure that request and reply packets enter and exit the network through the same security gateway. Accessing the Internet from private networks Figure 28 shows an example of using NAT to allow hosts on a private non-routable or non-registered network to access the Internet.
LA_VSU. Since the packet is leaving the SF_VSU through the Sales_VPN tunnel, the SF_VSU applies the tunnel NAT rule to the packet’s source address, changing it from 10.1.1.17 to 172.16.0.17. At this point, the packet’s source and destination addresses are: 172.16.0.17 -> 172.16.1.20. The packet is then tunneled across the public network to LA_VSU. Since the packet enters LA_VSU through a tunnel, the NAT rule on the tunnel interface is applied to the packet, changing its destination address from 172.16.1.20 to 10.1.2.20, which is the IP address of the LA_Sales_Group server.
Figure 28, when client 10.1.2.101 initially sends a packet to a host on .0/24 address pool.
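The translation sequence above, run as an added Python example. This is not Avaya code and not a VPNos feature; it is a small simulation of the rule walk. It assumes two NAT type names, "static" (one-to-one, translation mask equal to the original mask) and "dynamic" (many-to-one, the Share public address case), and assumes static rules are evaluated before dynamic ones; the guide states only that priority is by NAT type and then by NAT-list order. The private and tunnel addresses are the guide's own 10.1.1.x, 10.1.2.x and 172.16.x.x values; the public-side addresses are documentation prefixes chosen for the example.

```python
"""Rule-based NAT walk-through: type priority, then NAT-list order, and the
site-to-site tunnel translation from the SF_VSU/LA_VSU example.

Added example, not Avaya code. Assumptions: NAT types are named "static"
(one-to-one, mask copied from the original) and "dynamic" (many-to-one),
and a static rule outranks a dynamic one; the guide only states that
priority is by type and then by list position.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network
Packet = Tuple[IPv4, IPv4]  # (source, destination)

TYPE_PRIORITY = {"static": 0, "dynamic": 1}  # assumed: lower is checked first


@dataclass(frozen=True)
class NatRule:
    nat_type: str     # "static" or "dynamic"
    interface: str    # interface the translation is applied on: "public" or "tunnel"
    original: Net     # Original Address/Mask (private side)
    translated: Net   # Translation address; same mask as original for static NAT


def by_priority(rules: List[NatRule]) -> List[NatRule]:
    """Type priority first; sorted() is stable, so list order breaks ties."""
    return sorted(rules, key=lambda r: TYPE_PRIORITY[r.nat_type])


def map_address(addr: IPv4, from_net: Net, to_net: Net, nat_type: str) -> IPv4:
    """Move addr from from_net into to_net."""
    if nat_type == "static":
        host = int(addr) & int(from_net.hostmask)          # keep the host bits
        return IPv4(int(to_net.network_address) | host)     # swap the network bits
    return to_net.network_address                           # many-to-one: one shared address


def apply_nat(pkt: Packet, interface: str, direction: str, rules: List[NatRule]) -> Packet:
    """Outbound traffic gets its source translated; inbound traffic gets its
    destination translated back. Only static rules are reversed here, because a
    many-to-one mapping has no unique reverse without connection state."""
    src, dst = pkt
    for rule in by_priority(rules):
        if rule.interface != interface:
            continue
        if direction == "out" and src in rule.original:
            return map_address(src, rule.original, rule.translated, rule.nat_type), dst
        if direction == "in" and rule.nat_type == "static" and dst in rule.translated:
            return src, map_address(dst, rule.translated, rule.original, "static")
    return pkt  # no rule matched: the packet passes untranslated


def sales_vpn_example() -> Tuple[Packet, Packet]:
    """The guide's SF_VSU -> LA_VSU case: 10.1.1.17 talks to the server the
    tunnel knows as 172.16.1.20, which is really 10.1.2.20 behind LA_VSU."""
    sf_rules = [NatRule("static", "tunnel", Net("10.1.1.0/24"), Net("172.16.0.0/24"))]
    la_rules = [NatRule("static", "tunnel", Net("10.1.2.0/24"), Net("172.16.1.0/24"))]
    client_pkt = (IPv4("10.1.1.17"), IPv4("172.16.1.20"))
    on_wire = apply_nat(client_pkt, "tunnel", "out", sf_rules)    # leaving SF_VSU
    delivered = apply_nat(on_wire, "tunnel", "in", la_rules)       # entering LA_VSU
    return on_wire, delivered


def priority_example() -> Packet:
    """A dynamic "share public address" rule listed first still loses to a
    static rule for the same interface, because type outranks list order."""
    rules = [
        NatRule("dynamic", "public", Net("10.1.1.0/24"), Net("203.0.113.5/32")),
        NatRule("static", "public", Net("10.1.1.0/24"), Net("198.51.100.0/24")),
    ]
    return apply_nat((IPv4("10.1.1.17"), IPv4("192.0.2.9")), "public", "out", rules)


if __name__ == "__main__":
    print(sales_vpn_example())   # (172.16.0.17 -> 172.16.1.20), then (172.16.0.17 -> 10.1.2.20)
    print(priority_example())    # 198.51.100.17 -> 192.0.2.9
```

The same mapping also covers the overlapping-address case from the previous section: give both sites 10.1.1.0/24 with distinct translated networks, and only the translated addresses ever appear inside the tunnel, so the two identical private ranges never meet.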
Using NAT to Support Multiple Gateways
which sends packets destined for the X
.X) before sending the packet out the private interface.
.X) back to the original address (X
is to add a static route to the default router
.0/24 network through security gateway-B.
Figure 30: Using NAT to Support Multiple Gateways
Interface for VPNos 4.2
The following three interface choices are available for devices with VPNos 4.2: Public – Primarily used to allow clients on a private network to access hosts on the Internet and for transport mode VPNs.
1. From the Configuration Console>Device Contents pane, select the Policy tab to bring it to the front. Select NAT from the list. Click GO. The NAT Rules dialog is displayed. 2. Click Add to open the Add NAT Rule dialog box.
3. From the Translation Type list, select a translation type. 4. From the Translation will be applied on list, select which interface needs the NAT rule. 5. In the Original Address and Original Mask text boxes, type in the original address and mask.
6. In the Translation area, enter the translation IP address. Note: If Static NAT is selected, the subnet mask is automatically populated and is the same as the original subnet mask. 7. Click OK, and then click Save.
Chapter 4: Configuring IP Groups An IP Group is composed of a set of hosts (workstations and servers) that are located behind a common security gateway. The hosts are defined by their IP address and mask. The security gateway must exist prior to creating IP Groups. Virtual private networks (VPNs) are made up of IP Groups at multiple locations linked across a public IP network.
The General tab is used to manage your IP Groups. In addition to displaying a list of all existing IP Groups, it also provides a means of adding new IP Groups and linking the IP Group to a specific device.
The IKE Identifier box is also activated when Extranet device is selected. Zones. - This is the zone that is used. The default is public. For Avaya SG203 and SG208 security gateways, if the semi-private zone is configured, it can be selected.
Table 8: Deriving the Group Mask
To specify a contiguous range of this many addresses | Start from an IP address that meets these specifications
1 | ###.###.###.### (any IP address)
2 | ###.###.###.n (n = multiple of 2); e.g., 130.57.4.2 or 130.57.4.4
... | ...
1024, 2048, 4096, 8192, 16384, 32768, 65536, etc. | (start address must be a multiple of the range size)
Configuring an IP Group
To configure an IP Group that communicates within its own VPN domain:
1.
2. From the Contents column, select the IP Group to be configured. Click the General tab to bring it to the front. 3. Click Add. The Add IP Group dialog is displayed. Exporting a VPN object to an...
4. Configure the address/mask pair. New IP Network. Type in the network address for a LAN. New IP Mask. Type in a mask to define the range of addresses that will become members of the IP Group. The longer the mask (the more 1 bits it has), the smaller and more focused the address range will be.
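Table 8's rule and the address/mask step above, as an added Python example (not from the guide). It generalises the table to any power-of-two range size: it derives the New IP Mask from the number of addresses, checks that the start address is aligned to that size before the pair is accepted, and shows the mask-length/range-size relationship the step describes. The function names are the example's own.

```python
"""Derive an IP Group mask from the size of a contiguous address range and
check the start address is aligned, as Table 8 requires.

Added example, not from the guide. Generalises the table: any power-of-two
count, not only the rows printed there.
"""
import ipaddress

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


def group_mask(count: int) -> Addr:
    """Mask for `count` contiguous addresses: 1 -> /32, 256 -> /24, 65536 -> /16."""
    if count < 1 or count & (count - 1):
        raise ValueError("an IP Group covers a power-of-two number of addresses")
    host_bits = count.bit_length() - 1
    return Addr((0xFFFFFFFF << host_bits) & 0xFFFFFFFF)


def is_aligned(start: str, count: int) -> bool:
    """Table 8 rule: the start address must be a multiple of the range size
    (for 2 addresses an even last octet, for 256 a last octet of 0, and so on)."""
    return int(Addr(start)) % count == 0


def ip_group(start: str, count: int) -> Net:
    """The New IP Network / New IP Mask pair as a network object. A misaligned
    start is refused rather than silently snapped to the block below it."""
    if not is_aligned(start, count):
        aligned = Addr(int(Addr(start)) - int(Addr(start)) % count)
        raise ValueError(f"{start} is not aligned to {count} addresses; nearest start is {aligned}")
    return Net(f"{start}/{group_mask(count)}")


def range_size(mask: str) -> int:
    """The longer the mask, the smaller the range: 255.255.255.0 -> 256 addresses."""
    return (0xFFFFFFFF ^ int(Addr(mask))) + 1


if __name__ == "__main__":
    print(group_mask(2), ip_group("130.57.4.2", 2))   # 255.255.255.254 130.57.4.2/31
    print(range_size("255.255.0.0"))                   # 65536
```

Running the misaligned case from the table (start 130.57.4.3 with a range of 2) raises, naming 130.57.4.2 as the nearest valid start; that is the check a practitioner wants before the pair is saved, because the gateway's mask arithmetic would otherwise match 130.57.4.2 rather than the intended host.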
Memo can be used to record notes about the IP Group, such as change history, where the group is located, etc. Information entered here is associated only with the security gateway in focus. This information is stored only in the database and not downloaded to the security gateway.
Chapter 5: Configuring remote access users VPNremote™ Client users who log in to the VPN through the security gateway must have their user authentication configured on the security gateway. User objects are used for creating remote users. Those remote users connect to the VPN through an ISP (Internet Service Provider).
Whether or not the file is password protected, the file is encrypted using DES (Data Encryption Standard). The user then runs VPNremote Client to install the dyna-policy file. The RSA SecurID New PIN and Next Token CCD modes are supported.
Figure 32: User Dyna-Policy tab
Configuring a global dyna-policy
You configure the global CCD from the Preferences property sheet. You should set up the default global CCD before you configure user objects. The parameters can be changed at any time. You configure the following Preferences property tabs to create a global dyna-policy:
- Dyna-Policy Defaults (User)
- Dyna-Policy Defaults (Global)
- Dyna-Policy Authentication...
The Preferences Dyna-Policy Defaults (Global) tab is used to define the dyna-policy defaults for the number of times a user can enter an incorrect password before log on fails and the number of minutes that a user is locked out after the password fails.
Configuring a global dyna-policy Figure 34: Preferences, Dyna-Policy (Global) tab Dyna-Policy Authentication tab The Preferences Dyna-Policy Authentication tab is used to define how user authentication and Client Configuration Download (CCD) are performed. Choices are Local (security gateway-based), RADIUS, or LDAP. Whichever method you selected becomes the global used across the entire VPN.
Depending on your security policy, you may wish to have the VPN session client configuration download file (CCD, part of dyna-policy) reside in the security gateway while remote client authentication occurs via the RADIUS database.
Note: The remote Client must be running a version of VPNremote Client software which supports Client DNS Resolution Redirection. Check with Avaya Technologies for version support information. You can enable Client DNS Resolution Redirection and enter up to three subdomain names along with the IP address of the DNS server that will resolve DNS requests for the corresponding subdomain name.
Send Syslog messages to receiving hosts after VPN session is inactive for XX minutes enables you to set the session inactivity time before issuing a Syslog message. The default time is 10 minutes.
Configure a default CCD with global dyna-policy
The following procedure describes how to configure default dyna-policy parameters. These commands control how CCD automatically delivers dyna-policies to VPNremote Clients. By default, all users adopt these settings, but they can be overridden and custom configured from the Dyna-Policy tab of a specific user.
DNS server to resolve client DNS names and to set the remote client idle time-out period. Check Enable Redirection Support if remote clients use private domain names, such as accounting.avaya.com, for navigating their VPN. Then enter the Domain and Protected DNS server address. Enter the number of minutes of inactivity before sessions time out.
Default user The Default User feature is normally used in conjunction with the default dyna-policy to establish a common template by which a desired VPN policy type is delivered to the remote clients in the domain. Multiple default users can exist in a domain, but only one default user can exist per VPN in a domain.
The Dyna-Policy tab is used to define an individual remote user’s dyna-policy to specify the security options for how the VPN configuration information is handled on the user’s computer. See Dyna-Policy Defaults (User) tab on page 107 for how to configure.
Actions tab The User Actions tab is used for non-dyna-policy alternatives. Figure 38: User’s Action tab Export My Configuration. - Exports your dyna-policy to a file for conveyance to the remote user’s machine. Enter a password and retype the password. Note: If Default User is configured, this button is disabled.
4. (Optional) Click the Memo tab to bring it to the front, then in the Memo text box, type in some information about the user. For example, where the user will be dialing from or the location of their headquarters.
5. Click the Dyna Policy tab to bring it to the front. If you do not want the default Dyna-Policy settings, select Do Not Use Default Dyna-Policy. Then configure a customized method for storing the VPN configuration for the user. Select None to store the VPN session parameters locally on the remote user’s computer.
ACD is a problem for VPNremote Client users. The addresses which ISPs dynamically assign to VPNremote Clients are naturally blocked because it is impossible to know ahead of time which address is assigned. The security gateway solves this problem by using Client IP Address Pools.
A Client IP Address Pool is a range of source IP addresses that is recognized by an ACD. The pool is stored in the security gateway, so when it recognizes an inbound packet from a VPNremote Client, it swaps the source address with one from the pool. When the security gateway recognizes an outbound packet having a pooled address, it changes the destination address to the remote client’s address.
This message can be configured so that remote users are required to accept the message before the log in is complete.
However, in order for this feature to work correctly the brand name must be specified in VPNmanager and in the Avaya VPNremote Client. To customize the Avaya Remote Client, contact your sales representative.
# - Rank in group of this particular RADIUS server.
IP Address - IP Address of the RADIUS server.
UDP Port - UDP port of the RADIUS server. The default value is 1645.
Settings
RADIUS attempts before assuming failure - Integer from 1 to 10 indicating the number of attempts the security gateway makes before timing out with a failure. The default is 3.
RADIUS time-out before assuming failure - Time in seconds from 10 to 500. This value is the total number of seconds that the security gateway waits for a response from any specified RADIUS server before timing out with a failure.
IP Address - Enter the IP address of the RADIUS/ACE server.
UDP Port - Enter the UDP port of the server. The default value is 1645. Check your RADIUS server documentation to verify the value for this field.
Use this as my: - Select the role you wish this server to perform: Primary Server, Secondary Server, or Tertiary Server.
To add a RADIUS server:
1. From the Contents column, select the security gateway you want to configure.
2. Click the Policies tab to bring it to the front.
3.
15 characters in length.
15. Click Close to return to the Configuration Console window.
16. Click Save.
17. When you want to send the configuration to the security gateway, click Update Devices.
Chapter 6: Configuring user groups
The User Group function is used to set up and maintain logical groups in which the individual VPN users reside. User groups have a single-level hierarchy - you cannot have a user group within another user group.
Memo can be used to record notes about the User Group, such as change history, function of this group (such as all administrators, etc.). Information entered here is associated only with this User Group. This information is stored only in the database and not downloaded to the security gateways.
User Group - Actions tab
The Actions tab is used to control authentication for specific user groups.
Figure 44: User Group, Actions Tab
User/Manager authentication - Rekey is used to change the key of the highlighted user group. You should change the key regularly to ensure maximum security. Only SKIP and Preshared Secret IKE VPNs can be manually rekeyed.
Click Move Left to move your selected users to the Current Users column.
5. (Optional) Click the Memo tab to bring it to the front, then type in a message about the group, such as its purpose, or who it serves.
6. Click Save.
Chapter 7: Configuring VPN objects
A VPN object is the method used for linking security gateways, remote terminals, and LAN terminals in a fully configured virtual private network. To create a VPN, you name the VPN, select a key management method, and optionally, designate it as the Default VPN. After that you can configure the VPN using VPNmanager, using the tabs associated with the created VPN.
In tunnel mode (security gateways and VPNremote Client only), IP packets between members are secured by encrypting and authenticating the entire packet, including the addressing header. The encrypted and authenticated packet is then used as the payload of a new packet with a new addressing header.
7. Update this configuration to the security gateway(s). The security gateway(s) should now have a default VPN in its configuration.
8. On the RADIUS server, add a user. Enter the user credentials.
9. On the LDAP server, a local server or an external server with a different context, add a user. Enter the user credentials.
10. Log in to the security gateway through the VPNremote client using the credentials entered in the RADIUS/LDAP server. The user should be authenticated successfully by the RADIUS/LDAP server.
Preshared Secret. - Preshared Secret authentication is the simplest key management method used to construct a VPN. Authentication key exchanges between security gateways in the VPN are based on a single pre-shared secret known to all security gateways in the VPN.
Enable VPN. - When this box is checked and the security gateway has been updated, the VPN is active. Unchecking the box disables the VPN and is typically used during the troubleshooting process.
Default VPN. - When this box is checked, this VPN is the default VPN for the domain. Only one VPN can be the default VPN in a domain.
Members list while all available IP Groups appear in the Available list. Use the right and left arrows to move the IP Groups to the desired column.
Using the VPN tabs
Figure 47: VPN, Members [IP Groups] Tab
Security (IKE) tab
The Security (IKE) tab is used for configuring the encryption and authentication algorithms used at the end-points of a VPN tunnel. The configuration procedure involves setting a lifetime for public-keys, and a specific Diffie-Hellman Group for automatically generating keys of a specific strength.
DES. A common encryption algorithm that is not subject to export regulations.
3DES. A robust encryption algorithm. 3DES is subject to government regulation. Contact Avaya for a current list of controlled and uncontrolled applications and territories.
Any. Accepts any encryption proposal that is made by the device on the other side.
Lifetime - Payload key lifetime defines the extent to which a single set of cryptographic keys is used when applying VPN services to IP packets. Lifetimes are either time based or based on throughput. Time-based lifetimes are based on the amount of time that the keys are used without a key change.
Figure 48: VPN, Security (IPSec) Tab
In the IPSec area you set up the IPSec protocol information that you want the VPN to use.
LZS. - This refers to the Lempel-Ziv-Stac hardware data compression technique used prior to encryption. Yes/No enables or disables its use.
AH/ESP. - This is the Authentication Header (AH)/Encapsulation Security Payload (ESP). IKE VPNs authenticate IP packets using either an ESP trailer as defined in RFC2406, IP Protocol 51, or AH as defined in RFC2402, IP Protocol 52.
VPN services to IP packets and the order this proposal is in the list.
The proposal fields are Encryption, Authentication, and Compression.
Encryption - Select one of the following types:
DES. A common encryption algorithm not subject to export regulation.
Lifetime - Payload key lifetime defines the extent to which a single set of cryptographic keys is used when applying VPN services to IP packets. Lifetimes are either time based or based on throughput. Time-based lifetimes are based on the amount of time that the keys are used without a key change.
Exports the VPN to another VPN domain without the keys. Typically used to create an extranet. Creating an extranet of Avaya VPN devices is a cooperative effort between system administrators running independent copies of VPNmanager and involves the same steps as creating any other VPN: create the device, then the groups and users, and finally the VPN.
Rekey site-to-site VPN
Rekey - Used to change the preshared secret key of a site-to-site VPN. This should be done regularly to ensure maximum security. Only SKIP and Preshared Secret IKE VPNs can be manually rekeyed. In the case of SKIP, rekeying generates and distributes a new master key to all security gateways associated with the VPN.
Note: If you plan on defining the VPN Object with IP Group Objects, Transport mode must be used.
6. (Optional) Click the Memo tab to bring it to the front, then type in a note about this specific VPN Object.
7. If you want to add User Objects or User Group Objects as members of this VPN Object, do the following. Click the Members-Users tab to bring it to the front. From the Available list, select specific User Objects and User Group Objects. User Group Objects are always located at the bottom of the list.
Select Any if you want the security gateways to automatically negotiate which algorithm to use. Select DES to divide VPN traffic into 64 bit blocks and encrypt each block with a 56-bit key.
Select 3DES to divide VPN traffic into 64 bit blocks and encrypt each block three times with three different keys. 12. Use the Authentication Algorithm list to select a specific type of algorithm that each security gateway must use to authenticate each other. Select Any if you want the security gateways to automatically negotiate which algorithm to use.
3DES. Triple DES encryption is applied to the payload.
AES-128. AES-128 advanced encryption is applied to the payload.
RC5. Applies RC5 encryption.
Any. Let the security gateways negotiate which encryption method to use.
From the Authentication drop-down list, select the type of authentication to use. None. Packets are not authenticated. HMAC-MD5. Packets are authenticated using the Hash-based Message Authentication Code (HMAC) coupled with the Message Digest 5 (MD5) hash function. HMAC-SHA. Packets are authenticated using the Hash-based Message Authentication Code (HMAC) coupled with the Secure Hash Algorithm (SHA).
10. Add a certificate dn header to the crl.ldif file. Use the following dn header format:
dn: cacertificate=IssuerCRL, ou=VPN Domain, o=DNS Domain
objectclass: certificationAuthority
Note: dn specifies where the CRL file is filed.
11. Import the crl.ldif file by opening the Netscape Console login dialog box. Solaris OS: In the server root, enter ./startconsole. Windows NT: From the windows Taskbar, click Start/Programs/Netscape Server Family/Netscape Console. 12. In the User ID text box, type in the Administrative ID string used during the server installation procedure.
9. Clear the CRL checking box.
10. Click Update Devices.
Exporting a VPN object to an extranet
Exporting a VPN object is a feature used for interconnecting VPN domains. Each domain views other domains as extranets.
Figure 51: Exporting a VPN Object to an Extranet (diagram labels: Domain, VPN Object, IP Group Object, Extranet, Device Object)
7. In the Password text box, type in a password to protect the exported data.
8. From 1 to 16 characters can be used.
9. In the Retype text box, type in your password to confirm it.
10. Click OK to open the Save dialog. 11. Use the controls in the Save dialog to select a location for the VPN Object data file. 12. In the File name text box, type in a name for the file, and use VPN as the file name extension.
5. Click Rekey to create the new key and open the Rekey message box.
6. Click OK to return to the Configuration Console window.
7. Click Update security gateways to send the key to all security gateways in the VPN.
Chapter 8: Establishing security
This chapter describes the VPNmanager security measures you can configure to establish a secure domain. Included in this chapter is how to set up the following:
Firewall rules set up
Denial of Service (4.X)
Services
Voice Over IP controls (4.X only)
QoS policy and QoS mapping (4.31)
Packet Filtering (3.x only)
Firewall rules set up
If no matching rule is found, the default action is to permit the packet.
Domain level firewall rules
Domain, or global, level firewall rules apply to all devices, to device groups, and specific devices within the domain.
You select View>Firewall to add domain firewall rules. You can apply common rules to all or some of the devices within the domain when firewall rules are added at the domain level. When firewall rules are applied at the domain level, they can be applied to several devices at the same time which can reduce the complexity of defining security for each device.
10. In the Direction list, select In or Out. The direction is in respect to the security gateway.
11. If you want this rule to be logged, select Enable Log. If you do not select Enable Log, this rule does not appear in the Monitor>Firewall Log display.
12. If the filter rule set for the intended traffic is also to be applied to the reply packets, select Keep State. This function can be applied to TCP, UDP, and ICMP packets. 13. If you want to change the default time-out settings for the TCP state, UDP state, or ICMP state, click Advanced.
If network address translation or filter rules are applied to other zone interfaces on the SG that are the source or destination of the FTP traffic, these rules can impact the ability of the proxy to function.
FTP-Proxy does have some issues when operating within a NAT gateway. A protected FTP server must have a routable address, and the router on the unprotected side of the gateway must have a static route to it, with the security gateway interface address as the route. Because this is a proxy application, FTP (TCP) packets destined for external FTP servers or clients will typically have as source address the address of the interface to which the FTP-Proxy rule was applied.
2. From the Objects column, select Firewall Template.
3. Click New Object to start the New Firewall Template wizard.
4. In the Name text box, type in a name for your new firewall template.
5. Select Template, Device, or None.
6. Click Apply.
7. To create a user-defined firewall template, type in a name for your new firewall template, otherwise click Cancel.
8. Confirm that the correct user-defined firewall template is selected in the Contents column.
9.
Figure 54: Services property
The VPNmanager provides predefined services. The supported predefined services are listed in the Contents column of the Services object.
The predefined services can be used as a general service set or as a starting point for creating a customized service, or user-defined service, that is required for use in the firewall definition. The service types IP, TCP, UDP, and ICMP are provided and parameters for each of these types can be specified in the user-defined service.
This attack attempts to flood the network by exhausting the available network bandwidth.
Note: When you enable Flood Attack, you must also enable the Keep State feature in the Firewall Rules Setup in the Security tab.
WinNuke Attack. - This attack attempts to completely disable networking on computers that are running Windows 95 or Windows NT. This attack can be swift and crippling because it uses common Microsoft NetBIOS services. WinNuke attacks ports 135 to port 139 on platforms that are based on Windows 95 and Windows NT.
3. Select Enable to enable the VoIP Rule configuration.
4. In the Name field, enter a descriptive, unique name to identify the IP trunk.
5. In the Call Model field, select IP Trunking from the drop-down menu.
6. Select LRQ Required to enable the location request. When location request (LRQ) is enabled, the voice packets are routed using domain names. The security gateway uses LRQ to locate the destination and returns the appropriate IP address to route the voice packet to the correct destination.
Gatekeeper is known to IP endpoints wanting to register with that Gatekeeper. If the Gatekeeper IP address is not being NATed by the SG, the Proxy IP and Proxy Port do not need to be configured.
Add gatekeeper settings When you add a gatekeeper, you include the gatekeeper name or IP address, the location of the gatekeeper with respect to the firewall, the registration, authentication, status protocol, and time-out. Click Add to configure gatekeeper settings for the VoIP configuration. Only one gatekeeper can be configured for a device.
QoS policy should be 1 to 98%. The remaining 2% is internally allocated by default to ICMP, IGMP, and RSVP. The excess bandwidth not specified in the sum of allocations of the policy is reserved for all other traffic not defined in the classes.
Therefore, it is not necessary to create a class for all other traffic. If 0% is allocated, the class is removed from the existing configuration.
Note: When the media interface is configured, the total upstream bandwidth can be specified in Media Settings and this setting is partitioned to the specified classes.
Whether Burst is enabled.
2. In the QoS Policy Name text box, enter a unique QoS policy name. Click Apply. Click Close to go to the QoS General tab.
3. Next configure each class setting with associated values. Click the row for the type to be configured. The Class Based Queuing dialog appears.
Figure 59: Modify QoS bandwidth, burst and DSCP value screen
4. Configure bandwidth, burst and DSCP values. Enter the percentage of bandwidth to be allocated for this type. When classes are configured, it is recommended that the sum total allocation of all the classes be less than 98% and allow bursting to take advantage of the unused bandwidth.
Policies are semi-automatically created (one at a time) by using the Packet Filtering Policy Wizard. As an auxiliary method, policies can also be created at the VSU Console (not explained in this guide).
What can be filtered
Table 10 lists the specific types of traffic that can be filtered.
Table 10: Traffic types that can be filtered
User-defined TCP, User-defined IP, User-defined UDP, AURP, Bootpc, Bootps, Bordergw, Chargen, Chargen/UDP, Discard, Domain, Domain/TCP, Discard/UDP, Dynamic/TCP, Dynamic/UDP, Echo...
Deny all non-VPN traffic - When checked, all non-VPN traffic is prevented from passing through the VSU. This mode blocks non-IP traffic and non-VPN traffic including broadcast traffic, IP-multicast traffic and other traffic containing routing information.
Note: This mode should be used when the VSU is dedicated to VPN traffic and is in parallel with another device (such as a router or firewall) that can resolve ARPs from the private network to the Internet gateway. This mode should not be used when the VSU is the only path between network devices and a router with which those devices need to communicate.
1024 to 1250 and select = as the comparator value.
From/Where Type. Choices are Network/Mask Pair or Any.
IP Network Mask Pair. Identify the source IP address to which the filter rule applies.
To Where Type. Network/Mask Pair or Any.
IP Network Mask Pair. Identify the source IP address to which the filter rule applies.
The Filtering Policy in progress
This area presents a dynamically updated summary of the filter parameters based on the current selections.
A VSU starts from the top of the ACL when it begins to filter a specific packet. Keep the first policy you want to apply to the packet first at the top of the list.
Figure 60...
Note: A packet is filtered against the ACL policies defined in the ACL list in the list order. The packet is matched against policy number 1 first, then policy number 2, then policy number 3, and so on until the packet finds a match or it exhausts the list.
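The top-down, first-match evaluation described above, including Keep State handling of reply packets and the default-permit fallback when the list is exhausted, as an added example written for this guide rather than Avaya's own code. The Rule and Packet fields, the comparator handling and the sample addresses are constructed assumptions; the example also shows why a trailing deny rule matters when the default is permit.

```python
"""First-match ACL evaluator mirroring the packet-filter semantics in this
guide: rules are tried top-down, the first match decides, and a packet that
matches no rule is permitted by default.  Constructed example, not product code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                    # "Permit" or "Deny"
    direction: str                 # "In" or "Out", relative to the gateway
    proto: str                     # "TCP", "UDP", "ICMP" or "IP" (any protocol)
    src: str = "Any"               # "Any" or a network/mask pair such as "10.1.0.0/16"
    dst: str = "Any"
    dport: Optional[tuple] = None  # (comparator, low, high), e.g. ("=", 1024, 1250)
    keep_state: bool = False       # also permit the reply packets of a permitted flow
    log: bool = False


@dataclass
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _addr_match(spec: str, ip: str) -> bool:
    if spec == "Any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port: int) -> bool:
    if spec is None:
        return True
    cmp, lo, hi = spec
    if cmp == "=":      # "=" over a From/To pair means "within the range"
        return lo <= port <= hi
    if cmp == ">":
        return port > lo
    if cmp == "<":
        return port < lo
    raise ValueError(f"unknown comparator {cmp!r}")


class Acl:
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()  # flows permitted by a Keep State rule

    def evaluate(self, pkt: Packet):
        """Return (action, matched) where matched is the 1-based rule number,
        "state" for a reply matched by a state entry, or None for the default."""
        # A reply has addresses and ports swapped relative to the stored flow.
        reply_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_key in self.state:
            return "Permit", "state"
        for number, r in enumerate(self.rules, start=1):
            if r.direction != pkt.direction:
                continue
            if r.proto != "IP" and r.proto != pkt.proto:
                continue
            if not (_addr_match(r.src, pkt.src) and _addr_match(r.dst, pkt.dst)):
                continue
            if not _port_match(r.dport, pkt.dport):
                continue
            if r.action == "Permit" and r.keep_state:
                # A state entry is created only for permitted packets.
                self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return r.action, number
        return "Permit", None  # list exhausted: default action is permit


def demo():
    """Permit inbound TCP 1024-1250 to 10.1.0.0/16 with Keep State, deny other
    inbound TCP to that network; UDP is covered by no rule at all."""
    acl = Acl([
        Rule("Permit", "In", "TCP", dst="10.1.0.0/16",
             dport=("=", 1024, 1250), keep_state=True, log=True),
        Rule("Deny", "In", "TCP", dst="10.1.0.0/16"),
    ])
    inbound = Packet("In", "TCP", "203.0.113.5", "10.1.2.3", 40000, 1100)
    reply = Packet("Out", "TCP", "10.1.2.3", "203.0.113.5", 1100, 40000)
    ssh = Packet("In", "TCP", "203.0.113.5", "10.1.2.3", 40001, 22)
    dns = Packet("In", "UDP", "203.0.113.5", "10.1.2.3", 5000, 53)
    return {
        "in_range": acl.evaluate(inbound),    # ("Permit", 1)
        "reply": acl.evaluate(reply),         # ("Permit", "state")
        "other_port": acl.evaluate(ssh),      # ("Deny", 2)
        "udp_unmatched": acl.evaluate(dns),   # ("Permit", None): default permit
    }
```

Reversing the two rules makes the broad deny match first and the range permit unreachable, which is the ordering point the note above makes.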
Marking packets for differentiated services (QoS)
If your network is running Differentiated Services, a VSU can be configured to mark specific IP packets for specific types of services.
Select this button to permit all non-VPN packets.
About Differentiated Services IP packets move from router to router by using Routing and Packet Forwarding processes. The routing process involves building and maintaining a routing table. The packet forwarding process involves comparing the destination address of a packet with entries in a routing table to determine where to send the packet.
4. From the Type of Policy drop-down list, select Packet Filtering to view the Policy Manager for Packet Filtering.
5. Click the Add button to start the Packet Filtering Policy Wizard.
Identify which user defined marks are being read by your routers.
6. From the Action drop-down list, select Permit to activate the QoS Mark drop-down list.
Note: As you build your Packet Marking Rule, its parameters populate the “Filtering Policy in Progress” text box, which is located at the bottom of the wizard.
7.
If no matching rule is found, the default action is to permit the packet.
Figure 61: Policy Manager for firewalls
Use the To Where controls to configure which destination address the rule must contain.
To use the firewall policy management:
1. Move to the Configuration Console window.
2. From the Contents column, select the security gateway to which the policy is applied.
3. Click the Policies tab to bring it to the front.
4. Select Firewall from the Policies drop-down list.
5.
A state entry is not created for packets that are denied.
19. Click Advanced to change the default keep state values for TCP, UDP, or ICMP.
20. Click Finish to return to the Policy Manager for Firewall.
Chapter 9: Using advanced features
This chapter explains about the advanced functions of VPNmanager. The following tabs can be used to configure advanced functions for domains and for security gateways:
Device Advanced
TEP Policy
Servers
Resilient Tunnel
Failover TEP
Advanced Action
High Availability
Failover
Converged Network Analyzer Test Plug...
Traps sent to a VPNmanager console residing on the public side of the VSU
Also in the default mode, all packets originating from the VSU destined for the private network use the private port’s MAC address as the packets’ source address.
Examples of traffic destined for the private network are:
Decapsulated IPSec packets destined for the private network.
SNMP Get Responses being sent to a VPNmanager console residing on the private side of the VSU
Traps sent to a VPNmanager console residing on the private side of the VSU
Note: It is important to remember that ARP often works in conjunction with the...
When the timeout expires, the SG will attempt to send the maximum configured packet size. The default value is 1000. The timeout value 0 means that the path MTU will never time out.
NAT traversal is enabled. You can do the following:
Disable NAT traversal. Avaya recommends that you do not disable NAT traversal even if a NAT device does not exist in the network path of two VPNs.
Set the value for KeepAlive. The time configured here is used when the security gateway is in the private network of a NAT device.
VSU (having a single address). VPNmanager Console-to-VSU communication then has to be routed to the public port of the VSU, which may not be a direct path. The direct path would be to the private port.
A typical use of the private IP address is when the VSU’s private side IP network is a different network (different network number and/or mask) from the VSU’s public side IP network. For example, when you deploy the VSU in parallel with a firewall or other access device. If you are using the VSU’s primary IP address as the management IP address, use caution when changing it from the VPNmanager.
Before re-attempting to connect, the VPNmanager must set VSU/Advanced/SuperUser Password back to ON, or only a single connection is authenticated, and with SuperUser password left in the OFF position, the VSU only allows LDAP authentication on the next attempt.
Note: The VSU determines what type of authentication it permits, but this is dependent upon the authentication policy last downloaded from VPNmanager (SuperUser Password OFF or ON). Remember that if you set the SuperUser Password to OFF you are no longer able to connect to the VSU using the SuperUser account. The only way to recover SuperUser authentication is to change the setting back to ON, then do one of the following:
1.
Figure 64: Remote User Tunnel Persistence (diagram labels: VPN, SG, Remote User; modifications in one VPN and SG interrupt tunnel persistence)
TEP Policy
The Tunnel End Point (TEP) Policy tab provides control of the security policy applied to the traffic that flows between the end points of a tunnel. The default is off, or Do not apply configured VPN policies to TEP traffic.
Figure 65: Tunnel End Point Policy
Enabling apply configured VPN policies to TEP traffic encrypts the traffic destined to and from tunnel end points when the following conditions are met:...
Brings up a dialog box to add additional servers. Enter the new server’s IP address or DNS Name. The Locate This Server box contains three radio buttons used to place the new server:
Beginning of List
End of List (default)
After Selected Item
To create a backup server: 1. Move to the Configuration Console window. 2. From the Device>Contents column, select the security gateway that needs to have the backup server. 3. Click the Directory Servers tab to bring it to the front. 4.
Once the VSU is back in service, VPN traffic then switches to the primary tunnel. The switching is controlled by VSU
Use this command to edit the server with the Add Directory Server dialog box.
Figure 67: Primary and Resilient Tunnels (diagram label: Tokyo LAN)
Resilient Tunnels are used for backing-up Primary Tunnels. Should a Primary Tunnel go out of service, the Resilient Tunnel will automatically be used for VPN traffic.
Tunnel Switching
The switching mechanism involves time and a packet called a Heartbeat. how tunnels are switched.
Therefore, the interval is much longer than a normal heartbeat request interval.
, the resilient tunnel is used for VPN traffic. continues to request a heartbeat from VSU...
Add resilient tunnel
There are four parameters associated with Resilient Tunnel automatic backup mode. They are:
Heartbeat Interval - The time, in seconds, between heartbeat request attempts made by the remote security gateway to the primary security gateway. Default is 10 seconds.
Heartbeat Retry Limit - The number of times a heartbeat request is sent by the remote security gateway before the primary security gateway is declared inactive.
2. From the Device>Contents column, select the security gateway that acts as the primary end-point for a tunnel.
3. Click the Resilient Tunnel tab to bring it to the front.
4. From the Resilient Tunnel List, select a specific secondary end-point.
5. You can edit, move up, move down or delete.
6. When finished, click Save to save your work.
Stopping and starting resilient tunnel services
Resilient tunnel services for a specific primary end-point or secondary end-point can be stopped or started at any time.
Primary end-point service
To stop or start resilient tunnel services for a primary end-point:
1.
VSUs with a similar Failover TEP configuration, see page 212.
Note: Beginning with VPNmanager 3.6, Failover TEP is configurable on security gateways running VPNos 4.5.
Figure 70: The Failover TEP tab for a security gateway object
Configuring failover TEP
Failover TEP is configured from the Failover TEP tab. To configure failover TEP:
1. Move to the Configuration Console window. The Device tabs are displayed.
2. From the Device>Contents column, select the device that is operating as the head-end device.
This key is used to turn Federal Information Processing Standards (FIPS) mode off. FIPS indicates whether the VSU is running in the normal or FIPS level 2 mode. Avaya recommends that this mode be used only if an organization’s policy requires FIPS 140-1 level 2 certification for cryptographic devices.
High Availability
This tab provides access to the High Availability (HA) functions for the security gateway including enabling high availability, setting the public and private virtual addresses, adding security gateway members to the HA group, viewing the status of the HA group, converting a passive member to an active member, configuring member VSUs, the VRRP advertisement interval, version number, third party reference points for the public and private interfaces, and minimum connectivity to reference hosts.
The passive member must receive at least one advertisement from the active member within the configured number of advertisement intervals. If the passive member does not receive an advertisement in that time, it assumes that the active member is down and forces an election to become the active member. The value for missed advertisements ranges from 3 to 16.
Group ID. - The Group ID allows configuration of a unique identifier for the HA group. By using the Group ID, the HA group avoids conflicts with other VRRP implementations on the network.
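The following simulation is an added example, not Avaya code, showing how the passive member's decision above plays out: it declares the active member down after the configured number of missed advertisements and ignores advertisements carrying a different Group ID. The timer arithmetic (missed count times advertisement interval, interval in seconds) and all names are this example's assumptions; only the 3 to 16 range comes from the guide.

```python
"""Added example (not Avaya code): simulate the HA passive member's decision to
take over. Assumptions: advertisements arrive every `advertisement_interval`
seconds and the passive member declares the active member down after
`missed_advertisements` intervals without one (the 3..16 range is from the guide;
the timer arithmetic is this example's)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MISSED_MIN, MISSED_MAX = 3, 16  # allowed missed-advertisement counts per the guide


@dataclass
class PassiveMember:
    advertisement_interval: float  # seconds (assumed unit)
    missed_advertisements: int
    group_id: int                  # VRRP Group ID; advertisements for other groups are ignored
    last_seen: float = 0.0
    active: bool = False
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not MISSED_MIN <= self.missed_advertisements <= MISSED_MAX:
            raise ValueError("missed advertisements must be between 3 and 16")
        if self.advertisement_interval <= 0:
            raise ValueError("advertisement interval must be positive")

    @property
    def master_down_interval(self) -> float:
        """Silence this long means the active member is presumed dead."""
        return self.missed_advertisements * self.advertisement_interval

    def on_advertisement(self, now: float, group_id: int) -> None:
        if group_id != self.group_id:
            # Another VRRP group on the same LAN: not our active member.
            self.log.append(f"{now:.1f}s: ignored advertisement for group {group_id}")
            return
        self.last_seen = now

    def tick(self, now: float) -> bool:
        """Re-evaluate at time `now`; return True once this member is active."""
        if not self.active and now - self.last_seen >= self.master_down_interval:
            self.active = True
            self.log.append(f"{now:.1f}s: no advertisement for "
                            f"{self.master_down_interval:.1f}s, forcing election")
        return self.active


def run_scenario(events: List[Tuple[float, str, int]], interval: float,
                 missed: int, group_id: int) -> Tuple[Optional[float], List[str]]:
    """Replay (time, 'adv'|'tick', group_id) events in order. Returns the time the
    passive member became active (None if it never did) and its log."""
    member = PassiveMember(interval, missed, group_id)
    for now, kind, gid in events:
        if kind == "adv":
            member.on_advertisement(now, gid)
        if member.tick(now):
            return now, member.log
    return None, member.log


if __name__ == "__main__":
    # Constructed scenario: the active member (group 7) goes quiet after t=2s while
    # an unrelated VRRP group 9 keeps advertising on the same LAN.
    events = [(0, "adv", 7), (1, "adv", 7), (2, "adv", 7), (3, "adv", 9),
              (4, "tick", 0), (5, "tick", 0), (6, "tick", 0)]
    took_over_at, log = run_scenario(events, interval=1.0, missed=3, group_id=7)
    print(took_over_at, *log, sep="\n")
```

With a 1 second interval and 3 missed advertisements the passive member takes over 3 seconds after the last advertisement it accepted; the group 9 advertisement at t=3 is logged and ignored, which is the conflict the Group ID setting prevents.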
5. Enter the Virtual Addresses for the public and the private interfaces. Configuring the virtual addresses in this manner ensures that every member in the HA group has the same configuration.
Note: Virtual Addresses must be valid routable addresses.
6. Click the Add button to add members to the HA group.
7. Enter the private IP addresses of the Active security gateway.
8. The private IP address may have been entered during the initial creation of the security gateway object.
If the configured idle time elapses, the public-backup interface is taken down. The security gateway then tries to reestablish network connectivity through the primary network path.
Note: If the public-backup interface idle timer is disabled, the security gateway continues to use the alternate network interface.
Network path failure is defined as the configured number of consecutive connectivity checks without a response from the configured number of hosts that must fail. The following is an example of network path failure criteria.
Restore primary RTEP
In the event of tunnel failover, restore the original, primary remote tunnel endpoint in effect following a system reboot. In previous releases of VPNos 4.x, a system reboot would not restore the original RTEP.
10. In the Hosts field, click Add, to enter the network host or hosts for which you want to monitor connectivity. You can define up to five DNS names or IP addresses. These hosts can be either within the VPN or outside the VPN. If the host is within the VPN, the host information is encapsulated in the associated VPN policy.
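The following is an added example, not Avaya code, that evaluates the network path failure criteria described above against a probe history: each monitored host keeps a count of consecutive unanswered checks, and the path is declared failed once at least the configured number of hosts have each missed the configured number of consecutive checks. The class and parameter names are this example's, the five-host limit is from the guide, and the probe results are constructed.

```python
"""Added example (not Avaya code): evaluate network path failure criteria. Per-host
consecutive misses are tracked; the path is failed when at least `hosts_to_fail`
monitored hosts have each missed `consecutive_checks` probes in a row. Names are
this example's, not VPNmanager's; the probe results below are constructed."""
from typing import Dict, Iterable, List, Optional

MAX_HOSTS = 5  # the guide allows up to five DNS names or IP addresses


class PathMonitor:
    def __init__(self, hosts: Iterable[str], consecutive_checks: int, hosts_to_fail: int) -> None:
        self.hosts = list(hosts)
        if not 1 <= len(self.hosts) <= MAX_HOSTS:
            raise ValueError(f"monitor between 1 and {MAX_HOSTS} hosts")
        if consecutive_checks < 1 or not 1 <= hosts_to_fail <= len(self.hosts):
            raise ValueError("bad failure criteria")
        self.consecutive_checks = consecutive_checks
        self.hosts_to_fail = hosts_to_fail
        self.misses: Dict[str, int] = {h: 0 for h in self.hosts}

    def record(self, results: Dict[str, bool]) -> bool:
        """Feed one round of probe results (True = reply). A host absent from the
        dict is treated as unanswered. Returns True if the path is now failed."""
        for host in self.hosts:
            # A single reply resets the streak: failures must be consecutive.
            self.misses[host] = 0 if results.get(host, False) else self.misses[host] + 1
        return self.path_failed()

    def failed_hosts(self) -> List[str]:
        return [h for h in self.hosts if self.misses[h] >= self.consecutive_checks]

    def path_failed(self) -> bool:
        return len(self.failed_hosts()) >= self.hosts_to_fail


def first_failure_round(rounds: List[Dict[str, bool]], hosts: Iterable[str],
                        consecutive_checks: int, hosts_to_fail: int) -> Optional[int]:
    """Replay probe rounds; return the 1-based round in which failover to the
    public-backup interface would be triggered, or None if it never would."""
    mon = PathMonitor(hosts, consecutive_checks, hosts_to_fail)
    for i, results in enumerate(rounds, start=1):
        if mon.record(results):
            return i
    return None


# Constructed probe history for three hosts: "b" is down throughout, "c" answers
# once in round 2 (which resets its streak), "a" fails from round 3 on.
ROUNDS = [
    {"a": True,  "b": False, "c": False},
    {"a": True,  "b": False, "c": True},
    {"a": False, "b": False, "c": False},
    {"a": False, "b": False, "c": False},
    {"a": False, "b": False, "c": False},
]

if __name__ == "__main__":
    print(first_failure_round(ROUNDS, ["a", "b", "c"], consecutive_checks=3, hosts_to_fail=2))
```

With 3 consecutive checks and 2 hosts required, the constructed history triggers failover in round 5, not round 3: only host b has missed three in a row by then, and host c's single reply in round 2 restarted its count. Requiring only one host moves the trigger to round 3, which is why the hosts-to-fail setting is what keeps a single flaky reference host from flipping the gateway onto the backup path.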
If potential network problems are detected, they are escalated using standards-based alarms and notification. This feature includes enabling CNA, setting the test plug services, configuring the RTP test port and CNA unit port, and adding CNA units for registration.
Typically, one CNA unit is configured in the network operations center, and another CNA unit is configured in the corporate network. The CNA unit in the network operations center (NOC) is used to set up network topologies, configure network tests, and schedule network tests. Multiple CNA units can be configured in the network to monitor network topology and test results.
Keep alive packets can be sent to configured hosts in both protected and unprotected networks; therefore, these packets can be encrypted or clear traffic, depending on the VPN policy on the device.
Figure 74: Keep alive tab
To configure keep alive:
1. From the Configuration Console window, select New Object>Keep Alive. The Keep Alive dialog is displayed.
2. In the Keep Alive name text box, enter a unique name. Click Apply. Click Close to go to the Keep Alive tab.
Note: The default certificate has a six year period of validity, which starts at the factory when it is put into the VSU. Reprogramming the flash is the only way to change the default certificate.
IKE Certificate Usage on page 240
Issuer certificates on page 238
about installing...
Up to eight certificates can be stored in a VSU. During IKE negotiation, a VSU sends a specified certificate to its target; the other VSUs and clients it negotiates with are called targets. Likewise, the target that received a certificate must send its own certificate back to the sender to complete the exchange.
Currently a VSU accepts the certificate delivery formats of PEM, DER, Base64 X.509, and PKCS#7. Figure 77 shows what a PEM format certificate looks like (its body has been shortened for the example and is a placeholder, not real Base64 data).
Figure 77: An Example of a Signed Certificate
-----BEGIN CERTIFICATE-----
nfi897rho987fb+mht>,oi$s25hgj98iJop)kjh
GrDfgyui987jg55dJ99KJY6%$3@@Sd5()~
43dbi0oMl=_+;mhjuuhJ8*&tfeEckiooplkjghf
hkjhyytuUTffRgYyYUy^6676%$$RgLo0l0LI
-----END CERTIFICATE-----
11. Cut the signed certificate from whatever file the PKI System sent it in, then paste it into the file you created in Step 6. Include the header and footer.
Note: The alignment of the right side of the certificate must be even (justified), so if the...
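Before pasting a certificate into the VSU file, it is worth checking that the cut-and-paste did not damage it. The following is an added example, not Avaya code: it classifies a blob as one of the delivery formats listed above (PEM, DER, bare Base64 X.509, PKCS#7), verifies that the Base64 decodes and that the outer DER length matches what was supplied, and re-wraps DER as 64-column PEM, which gives the even right edge the note asks for. It checks only the DER framing, not the X.509 contents, and the sample blobs are constructed stand-ins rather than real certificates.

```python
"""Added example (not Avaya code): sanity-check a certificate file before pasting it
into the VSU and classify it as PEM, DER, bare Base64 or PKCS#7. Only the outer DER
framing is checked, not the X.509 contents; the sample blobs are constructed."""
import base64
import re
from typing import Tuple

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# OID 1.2.840.113549.1.7.2 (PKCS#7 signedData) in DER, as found near the start of a .p7b.
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")


def der_outer_length(der: bytes) -> int:
    """Total length claimed by the outermost DER SEQUENCE (tag 0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def detect_format(blob: bytes) -> Tuple[str, bytes]:
    """Return (format, der_bytes). Raises ValueError for a truncated or corrupted
    certificate, e.g. one pasted without its full body."""
    # DER is 0x30 then a length byte; in a real certificate that byte is 0x82, which
    # is not printable, whereas Base64/PEM text is all printable ASCII.
    if blob[:1] == b"\x30" and any(b < 0x20 or b > 0x7E for b in blob[:4]):
        der = blob
        kind = "pkcs7" if SIGNED_DATA_OID in blob[:32] else "der"
    else:
        text = blob.decode("ascii")  # non-ASCII bytes are neither PEM nor Base64
        match = PEM_RE.search(text)
        body = match.group(2) if match else text
        kind = "pem" if match else "base64"
        der = base64.b64decode("".join(body.split()), validate=True)
        if match and match.group(1) == "PKCS7":
            kind = "pkcs7"
    claimed = der_outer_length(der)
    if claimed != len(der):
        raise ValueError(f"DER claims {claimed} bytes but {len(der)} were supplied")
    return kind, der


def to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Re-wrap DER as PEM with 64-column lines (the even right edge the note asks for)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed stand-in for a certificate: a DER SEQUENCE holding INTEGER 5.
TOY_DER = b"\x30\x03\x02\x01\x05"

if __name__ == "__main__":
    pem = to_pem(TOY_DER)
    print(pem, detect_format(pem.encode()), detect_format(TOY_DER), sep="\n")
```

Run against the body shown in Figure 77 the check fails on the first non-Base64 character, which is the expected result for a placeholder; a real certificate whose paste lost a line fails the length comparison instead.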
The Issuer Certificate must be from the same PKI System, because the Signed Certificate was signed by the issuer's private key.
... certificate exchange.
... 240), the VPNmanager Console can still use it. Figure 78 illustrates how Issuer Certificates fit in the scheme of signed...
Figure 78: Issuer Certificates
Explanation for Figure:
1. A Certificate Request from VSU
2. The PKI uses the Certificate Request to create a Signed Certificate specifically for VSU. The Signed Certificate is then stored on VSU.
3. Every target of VSU
Note: The target uses an Issuer Certificate to authenticate VSU...
VSUs from the My Certificates policies (see Manager - My Certificates on page 234). The IKE Certificate Usage policies are the mechanism used for exchanging certificates in a VPN.
Header...
About Certificate Usage (Exchange)
Every certificate identifies its owner and contains the owner's public key. The concept of certificate usage is based on Owners and Targets. An owner sends its certificate to a target, which uses the public key in it to authenticate the owner and to protect any information it sends to the owner. Owners and targets can be a VSU, a Remote Client, or any device that can use the Internet Key Exchange (IKE) protocol to exchange certificates.
Type of Policy drop-down list, select My Certificates.
6. In the Description text box, type in information about the target. If the target is a VSU, typing in its name could be useful.
Select a specific VPN to be a target for the certificate. This applies only to Avaya Inc. VSUs of Version 3.0 and higher.
FQDN. - Select to show the Enter Target Information text box. Type in the Fully Qualified Domain Name (FQDN) to identify the target by its absolute name.
Chapter 10: Monitoring your network
This chapter describes the real-time monitoring facilities that the VPNmanager application provides. This includes the following:
Using SNMP to monitor the device
Syslog Services
Using Monitor
Monitoring alarms
Report Wizard

Using SNMP to monitor the device
The VPNmanager uses the SNMP protocol to monitor the security gateway.
5. Click Close to return to the SNMP tab, or Apply to add another address.
6. When finished, click Save.
7. When you want to send the configuration to one or more security gateways, click Update Devices.
Adding Admin Users for SNMPv3 on page 247.
To add an SNMP Trap Target for security gateways running versions prior to VPNos 4.2, do the following:
1. From the Contents column, select the security gateway you want to configure.
2. Click the SNMP tab to bring it to the front.
3.
Host Name or IP Address. - The domain name or IP address of the target logging archive machine.
Type. - UDP.
Port. - The port number of the Syslog host.
Send From. - Public, private, any.
Add Syslog Policy
The Add Syslog Policy screen allows you to designate the host to which syslog messages are sent by the selected security gateway or by all devices. It also enables syslog messages to be sent to the VPNmanager through a designated UDP port.
Hosts to receive log messages.
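The host named in a Syslog Policy has to receive and parse what the gateway sends. The following is an added example, not Avaya code: a minimal UDP syslog collector for the designated port together with the BSD syslog (RFC 3164) header parser it needs, which splits the PRI value into facility and severity and pulls out the timestamp and host name when present. The sample lines are constructed in that general shape; the security gateway's actual message formats are not on this page.

```python
"""Added example (not Avaya code): a minimal UDP syslog receiver for the host named
in a Syslog Policy, plus the BSD syslog (RFC 3164) header parser it needs. The
sample lines are constructed; the gateway's real message formats are not on this page."""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Optional

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI> then, optionally, "Mmm dd hh:mm:ss HOSTNAME " and then the message body.
LINE_RE = re.compile(
    r"^<(\d{1,3})>(?:([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) )?(.*)$", re.S)


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    timestamp: Optional[str]
    host: Optional[str]
    text: str


def parse_line(line: str) -> SyslogMessage:
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    if facility >= len(FACILITIES):
        raise ValueError(f"PRI {pri} out of range")
    return SyslogMessage(FACILITIES[facility], SEVERITIES[severity],
                         m.group(2), m.group(3), m.group(4))


def at_least(msg: SyslogMessage, severity: str) -> bool:
    """True if msg is as severe as `severity` or worse (lower index = more severe)."""
    return SEVERITIES.index(msg.severity) <= SEVERITIES.index(severity)


def serve(port: int = 514, bind: str = "0.0.0.0",
          handler: Callable[[str, SyslogMessage], None] = lambda peer, m: print(peer, m)) -> None:
    """Receive datagrams on the Syslog Policy port (514 needs root on Unix) and hand each
    parsed message to `handler`. UDP syslog is unauthenticated and trivially spoofed, so
    a real collector should accept datagrams only from the gateways' Send From addresses."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, (peer, _) = sock.recvfrom(8192)
            try:
                handler(peer, parse_line(data.decode("utf-8", "replace")))
            except ValueError as exc:
                print(f"dropped datagram from {peer}: {exc}")


# Constructed sample lines in the shape a gateway would send to the Syslog host.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 vsu-hq ike: phase 1 negotiation with 203.0.113.7 failed",
    "<14>Oct 11 22:14:16 vsu-hq login: session opened for user monitor",
    "<13>no timestamp, relay must add one",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        msg = parse_line(line)
        print(f"{msg.facility}.{msg.severity} {msg.host or '-'}: {msg.text}",
              "(alert)" if at_least(msg, "err") else "")
```

PRI 34 decodes to auth.crit and PRI 14 to user.info, so a collector can raise an alarm on the first and merely archive the second; a line with no timestamp is still accepted, but its host name is unknown until the relay adds one.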
The first Monitoring wizard dialog allows you to perform a high-level selection of the domain and VPN(s), then to choose specific network devices within the VPN. You can also select a monitoring group, which is a predefined suite of VPN parameters to monitor.
Device List For VPN Domain. - This drop-down menu allows you to select a specific domain, or all domains, to monitor.
Select Device(s). - A list of all network objects available for monitoring. You can select a single device, or select all devices displayed.
Select Monitoring Group.
Packet Header (Hex)
Table 19: System Group Parameters
Parameter - Description
CPU Utilization
An integer identifying this row in the Log table.
sysUpTime value when this attack occurred.
Indicates the reason that the packet was registered in the attack log.
Table 20: ActiveSessions Parameters
Parameter - Description
ActiveSessions Name - A VPNremote client name or a security gateway name as defined in VPNmanager.
Length - Length of this session in seconds.
Original IP - VPNremote client's originating IP address or remote security gateway IP address.
Xlated IP - VPNremote client's assigned address from the Client IP Address pool, if configured.
Table 22: ipRouteTable (RouteTable) Parameters
Parameter - Description
Destination IP
Interface Index - The interface on which this entry's equivalence is effective. The interface identified by a particular value of this index is the same interface as identified by the same value of ifIndex.
Metric 1
Metric 2
Table 22: ipRouteTable Parameters (continued)
Parameter - Description
Metric 3 - An alternate routing metric for this route. The semantics of this metric are determined by the routing protocol specified in the route's ipRouteProto value. If this metric is not used, its value should be set to -1.
Metric 4 - An alternate routing metric for this route.
Table 22: ipRouteTable Parameters (continued)
Parameter - Description
Route Proto - The routing mechanism via which this route was learned. Inclusion of values for gateway routing protocols is not intended to imply that hosts should support those protocols.
Route Age
Route Mask
Table 22: ipRouteTable Parameters (continued)
Parameter - Description
Metric 5 - An alternate routing metric for this route. The semantics of this metric are determined by the routing protocol specified in the route's ipRouteProto value. If this metric is not used, its value should be set to -1.
Route Info - A reference to MIB definitions specific to the particular routing protocol which is responsible...
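The tables above are MIB-II objects that any SNMP client can read directly from the gateway, which is useful when checking what VPNmanager's monitor shows. The following is an added example, not Avaya code: it builds an SNMPv2c GetRequest by hand, using only the small subset of BER that SNMP needs, and decodes the GetResponse, demonstrated offline on a response the same code constructs. The OIDs are the standard RFC 1213 ones (ipRouteIfIndex is the Interface Index column of Table 22); the host, community string and request id are placeholders.

```python
"""Added example, not Avaya code: hand-built SNMPv2c GetRequest/Response encoding,
enough to poll ipRouteTable columns such as those in Table 22. Only the BER subset
SNMP uses is implemented; OIDs are standard MIB-II (RFC 1213). Placeholders: host,
community string, request id."""
import socket
from typing import Any, Dict, List, Tuple

NULL = b"\x05\x00"
IP_ROUTE_IF_INDEX = "1.3.6.1.2.1.4.21.1.2"  # ipRouteIfIndex column (Interface Index)
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"

def _length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body

def encode_int(value: int) -> bytes:
    size = (value.bit_length() + 8) // 8  # one extra bit of room for the sign
    return tlv(0x02, value.to_bytes(size, "big", signed=True))

def encode_oid(dotted: str) -> bytes:
    ids = [int(x) for x in dotted.strip(".").split(".")]
    if len(ids) < 2 or ids[0] > 2 or (ids[0] < 2 and ids[1] > 39):
        raise ValueError(f"invalid OID {dotted}")
    body = bytearray([40 * ids[0] + ids[1]])  # first two arcs share one byte
    for sub in ids[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:  # remaining arcs are base-128, high bit = "more follows"
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def build_message(pdu_tag: int, community: str, request_id: int,
                  varbinds: List[Tuple[str, bytes]], version: int = 1) -> bytes:
    """version 1 is SNMPv2c; varbinds pair an OID with an already-encoded value."""
    vbl = b"".join(tlv(0x30, encode_oid(oid) + val) for oid, val in varbinds)
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, vbl))
    return tlv(0x30, encode_int(version) + tlv(0x04, community.encode()) + pdu)

def build_get(community: str, oids: List[str], request_id: int = 1) -> bytes:
    return build_message(0xA0, community, request_id, [(o, NULL) for o in oids])

def _decode_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:  # long-form length
        n = first & 0x7F
        first, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + first], pos + first

def _decode_oid(body: bytes) -> str:
    ids, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            ids.append(cur)
            cur = 0
    return ".".join(map(str, ids))

def _decode_value(tag: int, body: bytes) -> Any:
    if tag in (0x02, 0x41, 0x42, 0x43):  # INTEGER, Counter32, Gauge32, TimeTicks
        return int.from_bytes(body, "big", signed=(tag == 0x02))
    if tag == 0x06:
        return _decode_oid(body)
    return None if tag == 0x05 else body  # NULL; OCTET STRING and the rest stay raw

def parse_message(raw: bytes) -> Dict[str, Any]:
    _, msg, _ = _decode_tlv(raw, 0)
    _, ver, p = _decode_tlv(msg, 0)
    _, community, p = _decode_tlv(msg, p)
    pdu_tag, pdu, _ = _decode_tlv(msg, p)
    _, rid, p = _decode_tlv(pdu, 0)
    _, err, p = _decode_tlv(pdu, p)
    _, _, p = _decode_tlv(pdu, p)  # error-index
    _, vbl, _ = _decode_tlv(pdu, p)
    varbinds, p = [], 0
    while p < len(vbl):
        _, vb, p = _decode_tlv(vbl, p)
        _, oid_body, q = _decode_tlv(vb, 0)
        vtag, vbody, _ = _decode_tlv(vb, q)
        varbinds.append((_decode_oid(oid_body), _decode_value(vtag, vbody)))
    return {"version": _decode_value(0x02, ver), "community": community.decode("ascii", "replace"),
            "pdu": pdu_tag, "request_id": _decode_value(0x02, rid),
            "error_status": _decode_value(0x02, err), "varbinds": varbinds}

def snmp_get(host: str, community: str, oids: List[str], timeout: float = 2.0) -> Dict[str, Any]:
    """One GetRequest to UDP/161. The community string crosses the wire in clear text,
    so treat it as a password and prefer SNMPv3 admin users where the gateway supports them."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get(community, oids, request_id=0x1234), (host, 161))
        return parse_message(sock.recv(65535))

if __name__ == "__main__":
    # Offline demo: decode a GetResponse built here (sysUpTime = 123456 ticks).
    reply = build_message(0xA2, "public", 0x1234, [(SYS_UPTIME, tlv(0x43, b"\x01\xe2\x40"))])
    print(parse_message(reply))
```

Against a live gateway, snmp_get("192.0.2.10", "public", [SYS_UPTIME, IP_ROUTE_IF_INDEX + ".0.0.0.0"]) returns the uptime and the interface index of the default route (the row index is the destination address). Note that the GetRequest PDU tag is 0xA0 and the GetResponse tag is 0xA2, and that a version 1 message with a community string is SNMPv2c: the community is the only credential, so it should only ever be sent over a management path that is itself protected.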
Table 23: FilterStats Parameters
Parameter - Description
Pass Log Out
Block Log In
Block Log Out
No Match Log In
No Match Log Out - Number of outbound packets that did not match any rule. This count includes all non-rule-matching packets, regardless of whether the packets were ultimately passed or blocked per the default rule.
Table 23: FilterStats Parameters (continued)
Parameter - Description
Packets Logged In - Total number of inbound packets that should have been logged. This number includes packets that matched filtering rules declared using either the 'log option' or the 'log action'.
Packets Logged Out - Total number of outbound packets that should have been logged.
Table 23: FilterStats Parameters (continued)
Parameter - Description
New Frag Alloc
Unneeded Frag Alloc In
Unneeded Frag Alloc Out
Number of failed attempts to allocate a Fragment table entry for outbound packets. This occurs when a filter rule is declared using the 'keep frag'...
Table 23: FilterStats Parameters (continued)
Parameter - Description
Bad State Alloc - Number of failed attempts to allocate State table entries for inbound packets. This occurs when a filter rule is declared using the 'keep state' option. Packets that match the rule cause a State table entry to be allocated.
Table 23: FilterStats Parameters (continued)
Parameter - Description
Good Pullup
Bad Pullup In
Bad Pullup Out
No Match Pass
Number of cache hits for inbound packets on this interface. Each outbound packet is examined to see if a packet with identical characteristics exists in the outbound cache for this interface.
Table 23: FilterStats Parameters (continued)
Parameter - Description
No Match Pass - Number of outbound packets for a given interface which did not match any filtering rule and were ultimately allowed to pass per the interface's default rule.
No Match Block - Number of inbound packets for a given interface which did not match any filtering rule and were ultimately blocked per the interface's default rule.
Traffic Rate Table Parameters
Parameter - Description
Traffic Port
Interface Index
Summary Interval
Packets From Port
Packets To Port
The number of active ports on this security gateway.
Traffic Rate Table Parameters on page 264.
Overview Statistics Table Parameters on page 265.
Table 26: Traffic Rate Table Parameters (continued)
Parameter - Description
KBits From Port - The average rate (in KBits per second) at which packets have been transmitted from this port over the last <Summary Interval> seconds.
KBits To Port - The average rate (in KBits per second) at which packets have been received on this port over the last <Summary Interval>...
Parameter - Description
Buffers
No-Receive-Buffer Errors
Missed Frames
The number of packets dropped on this port because of an invalid IP header length.
The number of packets dropped because of IP Address Map errors.
Table 28: Ethernet Statistics Table Parameters (continued)
Parameter
CRC Errors
Frame Errors
Overflow Errors
No-Xmit-Buffer Errors
Lost Carrier Errors
Xmit Collisions
Time Underflow Errors
Timeout Errors
Retry Overflow Errors
Miscellaneous Errors

Define Custom
The Define Custom screen allows you to define a custom monitoring group that only collects the data you specify.
Two buttons appear at the bottom of the pane: Properties, and Delete. By default, all device alarms are displayed; however, alarms from a specific security gateway can also be shown. All alarm information is stored locally on the VPNmanager Console.
This window provides detailed information about the alarm including a time stamp, the security gateway generating the alarm, alarm definition, first and last occurrence. This window appears even if it does not contain any content. The most recent entry is at the top of the list. Properties.
VPN, its components, and how they are performing. This is especially useful in the configuration debugging process, and as an audit trail to document the overall VPN configuration. (For accounting, see SYSLOG.)
Description - Indicates that a packet for which one of the...
The first Report wizard screen allows you to specify the objects you wish to include in the report. The available objects include:
IP Group
User
User Group
Device (security gateway)
To create a report using the report wizard:
1. Move to the Main Console.
2.
The report window appears after a short pause. If a hardcopy is desired, save the report as a PDF or HTML file, then print from Acrobat or a browser, respectively.
Figure 84: Report Sample
Device diagnostics
Beginning with VPNmanager 3.7, device specific diagnostic reports can be retrieved from a security gateway running VPNos 4.6 or higher. The device diagnostic capability allows the network administrator to run any of the available diagnostic reports from a central network management location.
Flush Configuration
Reset Configuration to Factory Defaults
Description:
Shows information about each firewall rule configured in the security gateway.
Shows firewall timer information for the various IP protocols.
Shows information about all user processes that are currently running in the security gateway.
Chapter 11: Device management
From the VPNmanager Console, you can manage and check the status of the security gateways. This chapter describes:
Using the Management tab
Telnet to connect to a security gateway
Using the Connectivity tab
Using the Device Actions tab configuration
Importing and exporting VPN configurations to a device
Exporting RADIUS...
VPNmanager is used to make configuration changes on the security gateway. For centralized management, the security gateway must have the Permit Centralized Management feature enabled. See the VPNos Configuration Guide for details.
Appendix B: Firewall rules template on page 297.
Root is the login name for the security gateway administrator. The root administrator has full privileges to configure and maintain a specific security gateway network and user configuration. Monitor is the login name for an administrator who can view the Inspect properties and monitor sub functions of the security gateway’s interface software.
A result of "<IP address of security gateway> is alive" indicates a reply was received from the IP address of this security gateway. A result of "security gateway unreachable" indicates no reply was received.
To directly ping a specific security gateway: 1. Move to the Configuration Console window. 2. From the Contents column, select the security gateway that you want to ping. 3. Click the Connectivity tab to bring it to the front. 4. Click Ping This Device to start the ping. 5.
The time for the reboot process to complete varies with each security gateway series; the VSU-1200/7500 series takes up to approximately two minutes, during which VPN connections through this security gateway are down. For this reason, perform security gateway reboots during scheduled maintenance whenever possible.
Re-setup Device Allows a complete re-setup of the security gateway. This is normally done when the security gateway created did not exist in the network, or when the security gateway has been replaced with a new unit. Import Device Configuration You can use the Import Device Configuration feature in VPNmanager to import configuration data from security gateways running VPNos 4.31, for use in VPNmanager.
1000 Mbps, Half Duplex. - This option allows the VPNmanager to configure the security gateway's Ethernet port speed to 1000 Mbps in half duplex mode. In half duplex mode, the Ethernet port is capable of either sending or receiving packets over the network at 1000 Mbps.
100 Mbps, Full Duplex. - This option allows the VPNmanager to configure the security gateway’s Ethernet port speed to 100 Mbps in full duplex mode. In full duplex mode, the Ethernet port is capable of sending and receiving packets simultaneously over the network at 100 Mbps.
The exporting administrator then creates the security gateways, groups, users, and VPNs required, with the exception of the security gateways under management control of importing administrators. The VPN name must be unique to both the exporting and importing administrators' VPNmanager databases.
When creating an “alien Group,” which is a group that includes IP address/mask pairs residing within an importing administrator’s network, the exporting administrator associates each alien Group with an extranet device. In the Group configuration, the IP address of the importing administrator’s security gateway must be specified if any tunnel mode VPNs include this security gateway.
This completes the process for configuring RADIUS support. If any Clients are rekeyed, they must be re-exported to the RADIUS server to reflect the new key.
Note: Telnet sends traffic, including the login password, in the clear. Remember to disable telnet after you use it.
Read the latest security gateway product readme file before beginning the upgrade. For the latest version of the file for all security gateways, go to the VPN and Security page of the Avaya Support Technical Database Web site at http://support.avaya.com, select the security gateway type to be downloaded, and follow the links to the Readme file.
The Upgrade tab provides access to security gateway upgrade facilities, including firmware upgrades and optional feature activation. For devices with firmware version 4.2 or later, license files can be uploaded from the Upgrade tab.
Use the License button to upload the licenses from the VPNmanager Console. Once you have received the license file from your sales representative, upload the license file to the security gateway as follows: 1. Save the license file to a directory on the computer. 2.
Appendix A: Using SSL with Directory Server As an added benefit, all communications with the Directory Server can be secured by SSL (Secure Sockets Layer). In order to enable SSL, a Public Key Infrastructure (PKI) is used for creating a signed certificate and an issuer’s certificate.
Windows NT and Windows 2000 Computers
To install a certificate in VPNmanager Console:
1. Copy the certificate to the C:\Program Files\Avaya\VPNmanager\Console directory.
2. From the task bar, click Start >Run to open the Run dialog box.
3. In the Open text box, type the following command line to install the certificate. The filename is the name of the certificate file, and aliasname is the alias you choose for the certificate file.
Solaris OS Computers
To install a certificate in VPNmanager Console:
1. Copy the certificate to the /opt/Avaya/VPNmanager/Console directory.
2. Open a Console window.
3. Move to the /opt/Avaya/VPNmanager/Console directory.
4. Type in the following command to install the certificate. The filename is the name of the certificate file, and aliasname is the alias you choose for the certificate file.
VPN. They are only for securing the communications between the VPNmanager Console, Directory Server, and the device. For information about certificate based VPNs, see Chapter 7: Configuring VPN objects.
Appendix B: Firewall rules template General The security gateway contains a powerful multi-layer inspection engine to provide extensive filtering capabilities, essential for a full-time connection to the Internet. You can configure your own rules, but, as a convenience in setting up the Firewall on the security gateway, predefined general firewall rules (templates) can be selected to protect the public, private, semi-private, DMZ, and maintenance zones.
Publicly accessible DMZ services allowed include ping, FTP, SSH, Telnet, HTTP, HTTPS, POP3, IMAP, SMTP, NNTP and DNS. All other incoming traffic is blocked.
Outgoing traffic from the public zone allowed includes:
Outgoing VPN traffic
ICMP unreachable
Ping from any IP to any
Any incoming traffic from the private zone is allowed except traffic that is destined to the management zone. For outgoing traffic to the private zone, traffic initiated from the DMZ is strictly denied. All other traffic is allowed.
Public-IP IKE-IN IKE-AVAYA-IN
Public-IP ICMPDESTUNREACHAB ICMPTIMEEXCEEDED
Public-IP ICMPDESTUNREACHAB...
Table 36: Private low security firewall rules
Rule Name - Action - Source
InBoundPrivateDenyAcc - Deny
InBoundPrivatePermitAll - Permit
OutBoundPrivateDenyAcc - Deny - DMZNet
OutBoundPrivateDenyAll - Permit

Semi-private zone firewall templates
A semi-private network interface provides connection to a network whose equipment can be made physically secure, but whose medium is vulnerable to attack (such as a wireless network used within a corporation's private network infrastructure).
Table 40: Semi-private VPN-only security firewall rules (continued)
Rule Name - Action
InBoundSemiPrivateAccessICM - Permit
OutBoundSemiPrivateAccessI - Permit
InBoundSemiPrivateBlockAll - Block
OutBoundSemiPrivateBlockAll - Block

DMZ zone firewall templates
The Demilitarized Zone (DMZ) network interface is typically used to allow Internet users access to some corporate services without compromising the private network where sensitive information is stored.
Management zone security Management interface connection can be configured to simplify network deployments to eliminate enterprise network dependencies on switches or routers. The Management zone is a trusted network similar to the Private zone. Outgoing traffic is allowed, but incoming traffic is restricted. Only traffic initiated by the security gateway is allowed. High, medium and low security rules are the same.
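The templates above are ordered rule lists evaluated first-match, which means a permit-all rule placed before a specific deny silently cancels the deny. The following is an added example, not Avaya code: a small first-match evaluator loaded with the private zone rules from Table 36 and with rules for the publicly accessible DMZ services listed earlier, used to show which packets each template admits and what happens when the private rules are reversed. The DMZ rule names, the service-to-port mapping, the zone labels and the "deny" default are this example's assumptions, not names or behaviour taken from the guide.

```python
"""Added example (not Avaya code): a first-match evaluator over rule lists shaped like
the zone templates, to show why rule order matters in them. The private-zone rules
follow Table 36; the DMZ rule names, port mapping and zone labels are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "permit" or "deny"
    src_zone: Optional[str] = None   # None means any
    dst_zone: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == got for want, got in (
            (self.src_zone, p.src_zone), (self.dst_zone, p.dst_zone),
            (self.proto, p.proto), (self.dport, p.dport)))


def evaluate(rules: List[Rule], p: Packet, default: str = "deny") -> Tuple[str, str]:
    """First matching rule decides; unmatched packets get the interface default rule."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.name
    return default, "<interface default>"


# Table 36, private zone (low security): traffic from the private zone is allowed except
# to the management zone; traffic into the private zone is allowed except from the DMZ.
PRIVATE_LOW_RULES = [
    Rule("InBoundPrivateDenyAcc", "deny", src_zone="private", dst_zone="management"),
    Rule("InBoundPrivatePermitAll", "permit", src_zone="private"),
    Rule("OutBoundPrivateDenyAcc", "deny", src_zone="dmz", dst_zone="private"),
    Rule("OutBoundPrivateDenyAll", "permit", dst_zone="private"),  # action is Permit in Table 36
]

# Publicly reachable DMZ services named for the DMZ template; ports are assumptions.
DMZ_SERVICES = {"ping": ("icmp", None), "ftp": ("tcp", 21), "ssh": ("tcp", 22),
                "telnet": ("tcp", 23), "http": ("tcp", 80), "https": ("tcp", 443),
                "pop3": ("tcp", 110), "imap": ("tcp", 143), "smtp": ("tcp", 25),
                "nntp": ("tcp", 119), "dns": ("udp", 53)}
DMZ_PUBLIC_RULES = [Rule(f"InBoundDMZPermit{svc.upper()}", "permit", src_zone="public",
                         dst_zone="dmz", proto=proto, dport=port)
                    for svc, (proto, port) in DMZ_SERVICES.items()]
DMZ_PUBLIC_RULES.append(Rule("InBoundDMZBlockAll", "deny", src_zone="public", dst_zone="dmz"))


if __name__ == "__main__":
    for pkt in (Packet("dmz", "private", "tcp", 445), Packet("private", "management", "tcp", 22),
                Packet("private", "dmz", "tcp", 80), Packet("public", "dmz", "tcp", 443),
                Packet("public", "dmz", "tcp", 3389)):
        print(pkt, "->", evaluate(PRIVATE_LOW_RULES + DMZ_PUBLIC_RULES, pkt))
    # Reversing the private rules turns the DMZ-to-private deny into a permit.
    print(evaluate(list(reversed(PRIVATE_LOW_RULES)), Packet("dmz", "private", "tcp", 445)))
```

With the rules in the order Table 36 gives them, a DMZ host reaching into the private zone is denied by OutBoundPrivateDenyAcc and a private host reaching the management zone is denied by InBoundPrivateDenyAcc, while everything else from the private zone is permitted. Reverse the list and the final permit matches first, so the DMZ deny never fires; when editing a template rather than selecting it as shipped, re-check order as well as content.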
Glossary
Aggressive mode - An IKE mechanism used in the first phase of establishing a security association. Aggressive mode accomplishes the same authentication negotiating goal between clients as Main mode but faster (three packets versus six).
AH/ESP - In an IPSec packet, the Authentication Header (AH) and Encapsulating Security Payload (ESP) header.
CRL (Certificate Revocation List) checking - A method used by Certificate Authorities (CAs) to validate a new certificate by searching a list of digital certificates that are no longer valid.
DCI - Direct Configuration Interface is an Avaya Inc. proprietary protocol developed to facilitate passing setup and configuration data between the VPNmanager console and the security gateway. DCI traffic can pass in the clear if the LAN on which they both reside is behind a firewall, or over SSL if not.
LDAP or RADIUS.
Dyna Policy - An Avaya VPN term relating to a dynamic configuration download of VPN session security parameters to the remote client computer upon connection to a security gateway. This technique assures maximum security in a VPN session.
MIB-II (Non-Enterprise) - The non-enterprise specific Management Information Base in the Avaya Inc. security gateways. The MIB-II allows the administrator to obtain basic monitoring information such as device Ethernet information, routing and ARP tables, SNMP traps, packet statistics, and other general information regarding the security gateway using third party software.
Oakley - A key exchange protocol used in IPSec as part of the Internet Key Exchange protocol.
Packet Filter - Hardware or software mechanism used in firewalls to discard packets based on the contents of the packet headers.
Perfect Forward Secrecy - Perfect Forward Secrecy defines a parameter of ISAKMP in which disclosure of long-term secret keying material does not compromise the secrecy of the keys exchanged in previous communications.
User Groups have a single-level hierarchy. Users can belong to more than one User Group.
Virtual Private Network (VPN) - A VPN allows the sending of sensitive, secured data through an unsecure network like the Internet by using dynamically created connections between members of the VPN.