Nortel SMC 2450 Implementation Manual

Nortel SMC 2450 Secure Multimedia Controller: Implementation Guide
Title page
Secure Multimedia Controller
Implementation Guide
Document Number: 553-3001-225
Document Release: Standard 1.00
Date: May 2006
Copyright © 2006 Nortel Networks. All rights reserved.
Produced in Canada
The information in this document is subject to change without notice. The statements, configurations, technical
data, and recommendations in this document are believed to be accurate and reliable, but are presented
without express or implied warranty. Users must take full responsibility for their applications of any products
specified in this document. The information in this document is proprietary to Nortel Networks.
Nortel, Nortel (Logo), the Globemark, SL-1, Meridian 1, and Succession are trademarks of Nortel Networks.


Summary of Contents for Nortel SMC 2450

  • Page 3: Revision History

    Revision history: May 2006, Standard 1.00. This document is a new NTP. It was created to support the Secure Multimedia Controller 2450. Secure Multimedia Controller Page 3 of 260 Implementation Guide...
  • Page 5: Table Of Contents

    How to get help; Getting help from the Nortel web site.
  • Pages 6 to 10 Contents (continued): Traffic protection; Secure UNIStim proxy; Introduction; Management tools; Format; Log message table.
  • Page 11: List Of Procedures

    Procedure 10 Starting the Web UI ... 91
  • Page 12 Procedure 11 Creating a configuration ... 94; Procedure 12 Viewing pending changes.
  • Page 13 Viewing the security keys ... 137; Procedure 37 Verifying the IP phone connection ... 137
  • Page 14 Procedure 38 Configuring the IP Phone 2001, IP Phone 2002, or IP Phone 2004 for security ... 141; Procedure 39 Configuring the IP Phone 1140e and IP Phone 1120e for security.
  • Page 15 Enabling SSH using the CLI ... 187; Procedure 52 Configuring the SMC for RADIUS support ... 194
  • Page 17: About This Document

    About this document This document is a global document. Contact your system supplier or your Nortel representative to verify that the hardware and software described are supported in your area. Subject This document describes Secure Multimedia Controller (SMC) 2450 system architecture, software and hardware requirements, components, and network connections.
  • Page 18: Intended Audience

    Related documents (continued): Communication Server 1000E: Upgrade Procedures (553-3041-258). Intended audience: This document is intended for individuals responsible for installation, configuration, administration, and maintenance of the SMC 2450. Conventions and terminology: In this document, the following systems are referred to generically as “system”: ...
  • Page 19: Related Information

    • Secure Multimedia Controller: Command reference (NN10300-091) Online To access Nortel documentation online, click the Technical Documentation link under Support & Training on the Nortel home page: www.nortel.com CD-ROM To obtain Nortel documentation on CD-ROM, contact your Nortel customer representative.
  • Page 21: How To Get Help

    How to get help This chapter explains how to get help for Nortel products and services. Getting help from the Nortel web site The best way to get technical support for Nortel products is from the Nortel Technical Support web site: www.nortel.com/support This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products.
  • Page 22: Getting Help From A Specialist By Using An Express Routing Code

    To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to: www.nortel.com/erc...
  • Page 23: Description

    Introduction: Multimedia infrastructure components are currently deployed in enterprise networks with desktop access to data and Voice over IP (VoIP)/Multimedia Virtual LANs (VLAN). Desktop accessibility increases the vulnerability of...
  • Page 24: Release Notes

    To provide adequate service availability, VoIP and other multimedia systems must be protected from internal threats. The SMC 2450 is a security system that consists of a PC-based hardware platform with SMC software. As shown in Figure 3 on page 34, the SMC creates a Secure Multimedia Zone (SMZ) between the enterprise Local Area Network (LAN)/Wide Area Network (WAN) and the call servers.
  • Page 25: Security Zones

    All traffic into and out of the zones flows through the multimedia controller. The SMC has six ports and supports up to four secure multimedia zones. The two remaining ports are used for management and intranet/untrusted traffic.
  • Page 26 • SLAN subnet: The Server LAN (SLAN), which serves the CS 1000, is the location of Call Pilot, Symposium, and Optivity Telephony Manager. • MCS LAN subnet: The Multimedia Communication Server LAN (MCS LAN) subnet is the location of the MCS suite of servers. Note: You can substitute the optional networks with user-defined networks.
  • Page 27 Figure 1 Basic subnet mappings.
  • Page 28 Management subnet: The management subnet is required on all SMC installations. It is a separate protected network that handles management, cluster, and synchronization traffic. Management subnet configuration requires the following items: • dedicated ethernet port on the SMC •...
  • Page 29 Automatic rule generation: The SMC can automatically generate rules to protect traffic flowing into the SMZs from the intranet. Rule sets are supported for the following subnets:...
  • Page 30 See the release notes for recommendations for how to allocate the subnets to specific Nortel products. For release notes, click the Technical Documentation link under Support & Training on the Nortel home page: www.nortel.com External routing updates The SMC, a Layer-3 device, must be installed within the path of all traffic between the intranet and the SMZs for both the CS 1000 and MCS configurations.
  • Page 31 In VLAN networks, multiple devices are connected across routes but are part of the same subnet. Update these networks to identify the switch as the primary interface through the SMC.
  • Page 32: Ip Connectivity

    In a standard CS 1000 installation, the SMC is in the path of traffic between the Intranet and the protected subnets so that all traffic flows through the SMC. IP connectivity, LAN ports: The SMC supports six 10/100/1000 Base-TX (copper) ports. Each port must be on a separate subnet, and the management and intranet networks must always be present.
  • Page 33: Smc Configurations

    Each of the SMZ networks requires a unique port on the SMC device and an IP address. Figure 3 on page 34 illustrates a typical CS 1000 topology.
  • Page 34 Figure 3 Stand-alone configuration. The management network needs two IP addresses in the stand-alone configuration. The first address is the host IP address, which is the IP address for the SMC. The second IP address is the cluster Management IP (MIP) address.
  • Page 35 ...IP addressing so the existing SMC interface IP addresses are used as the Virtual IP addresses when the HA config is implemented.” Figure 4 on page 36 illustrates a High Availability configuration.
  • Page 36 Figure 4 High Availability configuration. VRRP IP addressing: A high availability cluster consists of two SMC devices: one SMC acts as the active device and the other acts as the backup device. In this scenario, only one SMC processes traffic.
  • Page 37 In all routing tables on external devices, use the floating IP address to route packets. The floating IP address is always available even when one SMC in the cluster fails. VRRP requires three IP addresses for each...
  • Page 38: Traffic Protection

    State synchronization: To allow for faster connection re-establishment during a failover, the Secure UNIStim proxy master key is synchronized across both SMCs in the HA configuration. Master keys are also persistently stored on disk. Because the master key crosses the cluster synchronization path and rests on disk, the management subnet that carries that traffic (page 28) and physical access to the unit need the same protection as the key itself. Traffic protection: The SMZ provides stateful filtering and Denial of Service (DoS) attack protection on all packets that flow through it.
  • Page 39: Secure Unistim Proxy

    UNIStim servers in a protected fashion, with encryption terminated at the SMC before the unencrypted traffic is passed to the back-end server. Nortel recommends that you install the SMC in close proximity to the server to minimize the exposure of insecure traffic.
  • Page 40 Figure 6 Secure UNIStim proxy. UNIStim security enhances the basic UNIStim protocol by providing Advanced Encryption Standard (AES) 128-bit encryption for confidentiality and an AES-based Message Authentication Code for authentication and integrity. Transparent proxy support: Because the SMC is a transparent proxy, the clients address the UNIStim signaling servers directly; the SMC intercepts and secures the traffic in path rather than being addressed as a separate endpoint.
  • Page 41 During the Secure UNIStim handshake, the key fingerprint stored on the IP phone is compared against the SMC public key to ensure a match. Page 42 identifies the three RSA key types.
  • Page 42 The key fingerprint is unique to the public key, and the public key to key fingerprint match authenticates the SMC to the IP phone. Public key fingerprints are currently exported as both 16- and 32-character hexadecimal strings; however, only the 16-character string is currently employed to configure the IP phones.
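The fingerprint check described above, as an added example that is not Nortel's code: the phone compares the fingerprint it was provisioned with against one derived from the public key the SMC presents, and the comparison is done in constant time. The guide does not say which digest the SMC uses or how the 16-character form relates to the 32-character form, so SHA-256 and prefix truncation are assumptions here, and the public key byte strings are constructed placeholders rather than real RSA keys. The 16-character form carries 64 bits of the digest and the 32-character form 128 bits, so the value loaded onto a phone must itself come from a trusted source: a matching fingerprint only authenticates the SMC if the fingerprint was not tampered with on the way to the phone.

```python
import hashlib
import hmac

# Constructed placeholders standing in for the exported SMC public key and
# for a different key an impostor might present. Real values would be the
# encoded RSA public key; these bytes exist only for the example.
SAMPLE_PUBLIC_KEY = b"constructed SMC public key placeholder"
OTHER_PUBLIC_KEY = b"constructed impostor public key placeholder"

HEX = "0123456789abcdef"


def fingerprint_hex(public_key: bytes, chars: int = 32) -> str:
    """Derive a fingerprint in one of the SMC's two exported lengths (16 or
    32 hex characters). Assumptions, since the guide does not say: SHA-256
    is the digest and the 16-character form is a prefix of the 32-character
    form."""
    if chars not in (16, 32):
        raise ValueError("the SMC exports only 16- or 32-character fingerprints")
    return hashlib.sha256(public_key).hexdigest()[:chars]


def normalize(fingerprint: str) -> str:
    """Accept the value as an administrator would type it on the phone:
    case-insensitive, with colon or space separators removed. Anything that
    is not hex after that is treated as no fingerprint at all."""
    cleaned = fingerprint.lower().replace(":", "").replace(" ", "")
    if any(ch not in HEX for ch in cleaned):
        return ""
    return cleaned


def fingerprint_bits(fingerprint: str) -> int:
    """Strength of a provisioned fingerprint: 4 bits per hex character."""
    return 4 * len(normalize(fingerprint))


def phone_accepts_key(stored_fingerprint: str, presented_public_key: bytes) -> bool:
    """Emulate the handshake check: derive a fingerprint of the stored
    value's length from the key the SMC presents and compare in constant
    time. A stored value of the wrong length can never match."""
    stored = normalize(stored_fingerprint)
    if len(stored) not in (16, 32):
        return False
    derived = fingerprint_hex(presented_public_key, len(stored))
    return hmac.compare_digest(stored.encode(), derived.encode())
```

The length of the comparison is taken from the stored value, so a phone provisioned with the 16-character form compares 64 bits and one provisioned with the 32-character form compares 128; fingerprint_bits() makes that difference visible when auditing what was loaded onto the phones.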
  • Page 43 Because session keys are used for every packet sent, Nortel recommends you regenerate the session keys periodically. Dynamic Host Configuration Protocol: The IP phones can use a static IP address or use full or partial Dynamic Host Configuration Protocol (DHCP) to acquire their own IP address and the IP address of the Terminal Proxy Server (TPS) in CS 1000 setups.
  • Page 44: Administrative Tools

    Web UI is the preferred administration tool. Web User Interface (UI): SMC 2450 supports Web UI, a web-based graphical user interface (GUI) that offers an alternative to the command line interface (CLI).
  • Page 45 Traditional command line interface (CLI) SMC 2450 supports traditional CLIs. See “The Command Line Interface (CLI)” on page 183. Other supported administrative tools and features SMC 2450 supports the following administrative tools and features: •...
  • Page 46: Resiliency

    Port bypass H.225 sessions can take many minutes to re-establish when an SMC failover occurs. Due to the stateful firewall and long timeout of the clients, Nortel recommends that you create a port bypass for H.225 traffic. The Port Bypass feature allows all traffic destined to, or originating from, a particular port to flow through the SMC but bypass the stateful firewall.
  • Page 47 In an intranet phone to intranet phone call, the media does not cross the SMC. The phone attempts to re-establish signaling communication with the signaling server. During this time, the call is dropped. The phone creates a new secure signaling channel.
  • Page 48 The existing media channel between the IP phones continues. The IP phone reboots and re-registers with the signaling server. Intranet phone to TDM phone or phone in the SMZ: During a call from an intranet phone to a TDM phone or a phone in the SMZ, media traverses the SMC.
  • Page 49 The SMC is a Layer-3 device. The failure of a single SMC that is not part of a high availability configuration drops all packets directed to it, thereby effectively blocking connectivity. Nortel recommends that you install a high-availability cluster in all critical SMC installations.
  • Page 50: Campus Redundancy

    Campus redundancy: The Nortel Communications Server (CS) 1000E system is a highly scalable and robust IP PBX that offers support of IP-based applications using industry-standard interfaces, while providing an industry-leading set of telephony features and applications.
  • Page 51 Figure 7 SMC campus redundancy.
  • Page 52: Geographic Redundancy

    Requirements and recommendations: No special configuration is required on the SMC to support campus redundancy; however, additional system-wide configuration changes are required to deploy the SMC system into the campus redundant environment: • To avoid potential routing problems, IP addresses from the same subnet must be assigned to the SMCs connected to the two different TLAN switches.
  • Page 53 SMC clusters must be defined appropriately. If the IP phones support two fingerprints, the two SMCs can have different private fingerprints; however, automatically generating two private...
  • Page 54: Engineering Impact And Limitations

    Note: Nortel recommends that both SMC clusters share the same private key, and hence fingerprint, in a geographically redundant configuration. Sharing one private key means the key must be copied between sites over a protected channel and that a compromise of either cluster exposes both; that is the price of provisioning a single fingerprint on every phone. Engineering impact and limitations...
  • Page 55: Product Compliance

    Port recommendations: Nortel recommends that port 1 be used for the management subnet, port 2 for the intranet subnet, and ports 3 through 6 for the secure multimedia zones. Product compliance: For a complete list of supported products, Nortel recommends that you refer to the release notes posted on the Nortel Web site.
  • Page 57: Overview Of The Deployment Process

    This chapter contains the high-level information required to deploy a new system or a system upgrade. Deploying a new system: Nortel recommends that you install a new SMC deployment through the following primary steps: Install the SMC hardware (see “Hardware installation”). Install and configure the SMC software.
  • Page 58 Incorporate the SMC into the network with the firewall unhooked (disabled) and UNIStim security turned off. All traffic passes through the box unhindered so that you can verify network connectivity. See “Firewall deployment”...
  • Page 59: Hardware Installation

    Troubleshooting installation. Installation package contents: Table 2 lists the contents of the SMC 2450 installation package. Table 2...
  • Page 60: Smc Physical Features

    Console cable; bezel adapter kit with (2) brackets and (4) rubber feet; set of (4) mounting screws; Secure Multimedia Controller: Implementation guide (553-3001-225). SMC physical features: The SMC front panel has buttons and indicators for normal operation. The front panel bezel is removable for access to the CD drive. The SMC rear panel has port and power supply access.
  • Page 61 Front panel controls and indicators (table on page 61): an indicator for ... CPU, or device temperature problems; the hard disk LED blinks during hard disk drive activity; the reset button reboots the SMC; the front power switch turns SMC power on or off; the system power LED shows green when power is on.
  • Page 62 Remove the bezel from the faceplate. Figure 10 Bezel removal. Figure 11 shows the front panel without the bezel. Figure 11 Front panel view without bezel. End of Procedure.
  • Page 63: Attaching The Front Panel Bezel

    With the release flap open, engage the bezel onto the track and slide it to the left until it locks into place (Figure 12). Close the release flap. Figure 12 Bezel attachment. End of Procedure.
  • Page 64: Rear Panel

    LAN ports All ports are Gigabit 10/100/1000 LAN ports. Ports 1 and 2 are on-board ports. Ports 3 through 6 are NIC (Network Interface Controller) ports. Nortel recommends that port 1 be used for the management subnet, port 2 for the intranet subnet, and ports 3 through 6 for the secure multimedia zones.
  • Page 65 When the LEDs are flashing, the port is sending or receiving network data. ...One or more of the above conditions is not met.
  • Page 66 Table 6 explains the LED status indicators for ports 3 through 6: the left and right LED colour by port speed (10 Mb/s, 100 Mb/s, 1000 Mb/s, all speeds).
  • Page 67: Installation

    CAUTION — Service Interruption: This device is a Class A product. In a domestic environment, this device can cause radio interference, in which case the user may be required to take appropriate measures.
  • Page 68 ...ambient temperature of the room. Take appropriate steps to ensure that the device does not overheat. For proper air circulation, the vents on the front and back of the device must not be blocked or obstructed by cables, panels, rack frames, or other materials.
  • Page 69: Installing The Smc In A Rack

    Installing the SMC in a rack: Install the SMC in a rack using the four supplied rack mount screws. For rack installation, Nortel ships the SMC with the mounting brackets attached to the front of the unit. Procedure 2 Installing the SMC in a rack. Follow these steps to install the unit in a rack: Identify a rack location and hole spacing alignment.
  • Page 70: Supplying Power To The Smc

    Result: You can now connect the power supply. See “Connecting the power supply” on page 71. Supplying power to the SMC: Supply power after installing the unit in a rack or on a flat surface. Use of both the rear and front power switches is required for full SMC operation.
  • Page 71: Setting Up Terminal Access To The Smc

    For instructions on viewing and configuring system settings using either a console connection or a network connection (via Telnet or SSH), see “Installation and configuration” on page 77. Telnet carries the login credentials and every command in clear text; for network access use SSH (see “Enabling SSH using the CLI” on page 187). End of Procedure.
  • Page 72 Console configuration parameters: Baud rate 9600; Data bits 8; Parity None; Stop bits 1; Flow control None (the 9600-8-N-1 setting also given on page 82). A console cable, male to female, with DB-9 connectors and a straight cable as shipped with the SMC 2450.
  • Page 73: Establishing A Console Connection

    Using the supplied console cable, connect the terminal to the console port. Power on the terminal and the SMC. The table on page 73 lists the console connector signals: shell, data carrier detect, received data, transmitted data, data terminal ready, ...
  • Page 74: Troubleshooting Installation

    See “Hardware and power supply specifications”. WARNING: If you change the default password, Nortel strongly recommends that you record the new password. Passwords are not recoverable; if a password is lost, you must reinstall the SMC. Leaving the default password in place is not a safe alternative: change it at first login and keep the new value in a controlled record. End of Procedure.
  • Page 75 Make sure you connected the console cable supplied with the SMC system. If the system display does not function after checking these items, contact Nortel Technical Support at www.nortel.com/support.
  • Page 77: Installation And Configuration

    The management network needs two IP addresses in the stand-alone configuration. The first address is the host IP address, which is the IP address for the SMC. The second IP address is the cluster Management IP (MIP) address.
  • Page 78 The host IP address and the cluster MIP address must reside in the same subnet. In a stand-alone configuration, the equipment residing on the SMZs uses the SMC interface IP addresses as their gateway address. For example, a CSE-1000 Signaling Server TLAN gateway address is the SMC TLAN IP address. High Availability (HA) configuration...
  • Page 79 ...Intranet Virtual IP address. The SMC network engineering worksheet on page 79 lists, per port and zone, the IP address and mask and, for High Availability, the VRRP virtual router gateway and Virtual IP (see note). Page 80 provides the worksheet for the second SMC.
  • Page 80 Table 10 SMC network engineering worksheet for the second SMC in a HA configuration: port, zone (management, intranet, ...), management address. Table 11 provides a worksheet to identify other important IP addresses. Table 11 Other important addresses and networks: item, IP address; SMC Admin PC/Subnet...
  • Page 81 SMC port mappings (Port 1 through Port 6). Port recommendations: Nortel recommends that port 1 be used for the management subnet, port 2 for the intranet subnet, and ports 3 through 6 for the secure multimedia zones.
  • Page 82: Configuring The Initial Smc

    Connect the console cable to the SMC. Connect the console cable from the serial port on the SMC to the serial port of a computer that runs terminal emulation software. Nortel recommends that you use VT100 for emulation and 9600-8-N-1 for the communication port speed on the terminal connection.
  • Page 83 Enter no to indicate you do not want to enable Web administration. 11 Initialize the intranet subnet. Enter the port number for the intranet subnet. Enter the IP address for the intranet subnet.
  • Page 84 12 Configure the cluster settings. Note: Nortel recommends that you generate a new SSH key to maintain a high level of security when connecting to the SMC using an SSH client. After regenerating it, record the new host key fingerprint and update it on every administrator's SSH client, so that a later unexpected key change is noticed rather than accepted. For more information about SSH, see “Using Secure Shell (SSH)”.
  • Page 85 18 Choose one of the following: • Enter yes to indicate you have an MCS setup. Enter the port number for the intranet subnet. Enter the IP address for the intranet subnet.
  • Page 86: Accessing The Smc Through The Web Ui

    • CS 1000 Result: The system initializes and rules generate for the ELAN subnet, TLAN subnet, and Server LAN subnet. The system logs you out and you must log on again to continue management on the SMC. MCS Result: The MCS filters are configured.
  • Page 87 ...SMC. For example, if the SMC intranet interface address was 10.1.1.2, you would browse to http://10.1.1.2. On a HA system, browse to the VRRP address shared on the intranet interfaces. A plain http:// session carries the administrator credentials in clear text across the intranet; generate the SSL server certificate (page 88) and populate the access list (page 89) before relying on remote Web administration.
  • Page 88: Enabling The Web Ui

    For a list of country codes, refer to the International Organization for Standardization (ISO) website for the ISO 3166 standard for two-letter country codes. For example: >> SSL configuration# certs/serv/gen Nortel US 1024. Enter Y to verify that you want to generate a self-signed certificate with the generated key. The trailing 1024 is the key length in bits; 1024-bit keys are below the 2048-bit minimum that current guidance sets for RSA, so use the largest length the SMC accepts. Because the certificate is self-signed, browsers have nothing to verify it against; record its fingerprint and check it on first connection. See page 184.
  • Page 89 By default, the access list is empty, meaning that all remote management access is initially blocked. Nortel recommends that you add trusted management clients to the access list when initially enabling any remote management feature. It is also vital that you review the access list regularly and keep it up to date.
  • Page 90: Adding Items To The Access List

    Adding items to the access list. Procedure 9 Adding items to the access list: Start a console terminal. Press <Enter> on the console terminal to establish the connection. The SMC login prompt appears. Enter admin for the login name.
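The default-deny behaviour described on page 89 and maintained by the procedure above, as an added example that is not Nortel's code: the SMC's access list itself is edited through the CLI, but this hypothetical ManagementAccessList class (with constructed addresses) models the same semantics so the policy can be reasoned about and audited off the box. An empty list refuses every remote client, entries may be single hosts or subnets of either IP version, a source address that does not parse is refused rather than allowed through, and review() reports entries present on the device that are missing from the documented set of trusted management clients, which is the periodic check the guide asks for.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class ManagementAccessList:
    """Default-deny allowlist of remote management clients (hypothetical
    class, not the SMC CLI). With no entries every remote client is refused,
    which is the SMC's initial state; entries are hosts or subnets."""

    def __init__(self, entries: Iterable[str] = ()) -> None:
        self._entries: List[Network] = []
        for entry in entries:
            self.add(entry)

    def add(self, entry: str) -> None:
        # strict=False so "10.1.1.5/24" is accepted as the 10.1.1.0/24 subnet
        # rather than raising; a bare address becomes a /32 or /128.
        self._entries.append(ipaddress.ip_network(entry, strict=False))

    def remove(self, entry: str) -> None:
        self._entries.remove(ipaddress.ip_network(entry, strict=False))

    def permits(self, client_ip: str) -> bool:
        """True only if the client falls inside some entry. Anything that is
        not a valid address is refused: there is no implicit allow, and an
        IPv4 client never matches an IPv6 entry or vice versa."""
        try:
            addr = ipaddress.ip_address(client_ip)
        except ValueError:
            return False
        return any(addr in net for net in self._entries)

    def review(self, documented: Iterable[str]) -> List[str]:
        """The periodic review the guide asks for: entries present on the
        device that are not in the documented set of trusted clients."""
        expected = {ipaddress.ip_network(e, strict=False) for e in documented}
        return [str(net) for net in self._entries if net not in expected]

    def entries(self) -> List[str]:
        return [str(net) for net in self._entries]
```

Keep the documented list of trusted clients outside the device and diff the device's list against it with review(); an entry that nobody can account for is exactly the kind of stale access the guide's "keep it up to date" warning is about.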
  • Page 91: Starting The Web Ui

    ...IP address as a name, provided that the IP address is assigned a name on the local domain name server; • cluster MIP address; • virtual IP address. The SMC login window appears.
  • Page 92 Figure 15 SMC Web UI login page. To log on, enter the account name and password for the system administrator or operator account. For more login and password information, see “Users and passwords”. Note: Expect a delay of a few seconds while the default page collects data from all of the cluster components.
  • Page 93 • logging out. Figure 16 identifies the location of the global command buttons. Figure 16 SMC Web UI components (global command buttons).
  • Page 94: Creating A Configuration

    Web UI task summary: In general, you would perform Web UI tasks in the following order: Create a configuration (see Procedure 11). View pending changes (see Procedure 12). (Optional) Clear pending changes (see Procedure 13). Submit changes.
  • Page 95: Saving And Restoring The Smc Configuration

    Click Submit. Saving and restoring the SMC configuration: Periodically, it is necessary to upgrade or reinstall the SMC software. Before doing so, Nortel recommends that you save the existing configuration using either the Web UI or the CLI. Procedure 15 Saving the current configuration using the Web UI: Using a Web browser, enter the URL to the Web management interface.
  • Page 96: Enabling Tftp

    Enter a password to be used to encrypt sensitive data in the configuration file. You will need this password to be able to restore the configuration later. Note: Nortel recommends that you record the password used to encrypt sections of the configuration file. Click Export.
  • Page 97: Restoring The Current Configuration Using The Web Ui

    Click Ok. The Web session is logged off and you are returned to the logon page. 10 Log on to the SMC again. End of Procedure.
  • Page 98: Installing The Redundant Smc

    Result: The restored/imported configuration is now active. Procedure 19 Restoring the current configuration using the CLI: In the CLI, enter /cfg/gtcfg to start the restore (get) configuration wizard. Select the protocol when prompted. The default is TFTP. The protocol options are: TFTP, FTP, SCP, or SFTP. TFTP and FTP move the file unauthenticated and in clear text, and only the sections protected by the export password (page 96) are encrypted, so prefer SCP or SFTP and keep the transfer on the management subnet.
  • Page 99: Preconfiguring The First Smc

    ...SMC prior to adding the second to the cluster. Preconfiguration allows the second SMC to immediately set the IP addresses after the two SMCs join and limits the number of error messages generated when the device starts up.
  • Page 100 In a HA configuration, three IP addresses are used for each cluster interface. One IP address per interface is defined for each SMC device in the cluster, and a third is a floating Virtual IP used by the routers for directing traffic. You can specify these values and apply them prior to actually joining the second device to the cluster.
  • Page 101: Joining The Second Smc

    Turn on High Availability. • CLI: /cfg/net/vrrp/ha y • Web UI: Network > VRRP > High Availability. Apply the changes: • CLI: Enter apply • Web UI: Click apply. End of Procedure.
  • Page 102 Validate that the cluster is running VRRP. Result: The SMC cluster is now in High Availability Mode. All packets are now directed to the Virtual IP addresses. To continue the deployment process, continue to “Firewall deployment” on page 103.
  • Page 103: Firewall Deployment

    ...1000 and MCS multimedia equipment resides. The SMC supports six subnets: two mandatory subnets (management and intranet) and up to four optional subnets used for the SMZs. See page 78 to review the configuration.
  • Page 104: Unhooking The Firewall

    Figure 17 on page 104 illustrates the devices that require routing updates. Figure 17 Routing updates. Unhooking the firewall: Prior to placing the SMC into full service, disable (or unhook) the firewall and allow all traffic to flow through the SMC. Nortel recommends that the...
  • Page 105: Unhooking The Firewall

    ...When IP phones are communicating through a proxied server, current UNIStim sessions are disrupted. UNIStim communication re-establishes and all existing calls drop. Insecure sessions (sessions that are not currently running through the Secure UNIStim proxy) are not affected. End of Procedure.
  • Page 106: Hooking The Firewall

    ...SMC as they did prior to SMC integration. Procedure 25 Hooking the firewall: Nortel strongly recommends that you hook the firewall during a maintenance window. Log on to the Web UI. Note: This procedure cannot be performed using the CLI.
  • Page 107 After you hook the firewall, any problems, such as services no longer working, are generally caused by the firewall blocking traffic that should be allowed through. These problems are likely due to missing firewall policies. End of Procedure.
  • Page 108 You can troubleshoot the firewall policies by first determining what traffic is denied and then adding an appropriate policy for the relevant SMZ. Figure 18 shows HTTPS and UNIStim traffic flowing correctly through the SMC.
  • Page 109: Allowing Ping

    Result: You can ping the server through the SMC. If you allowed pinging, and the SMC is still blocking the traffic, verify connectivity between the client and the SMC, and the SMC and the server. Nortel recommends that you disable the ICMP rule when not in use.
  • Page 110: Viewing Firewall Logs

    Firewall logs: Using the Web UI, you can view firewall logs by stepping through the logs in chronological order, or view a specific log by specifying an appropriate search string, such as the IP address of the problem machine. Viewing the firewall logs is the best method to troubleshoot packets that are not traversing the SMC.
  • Page 111: Enabling Unavailable Policy Logging

    Mar 1 13:01:37 127.0.0.1 id=firewall time="2006-03-01 13:01:37" fw=a10-10-10-10 pri=4 proto=6(tcp) src=2.2.2.100 : 32802 dst=3.3.3.200 : 22 mid=2076 mtp=10 msg="Access Policy not found, dropping packet from ext n/ w" agent=Firewall End of Procedure
  • Page 112 Mapping rule IDs in the firewall log: Log messages are assigned a rule ID, which represents the dynamic identifier of this rule entry within the running firewall. You can use rule IDs to determine the exact rule that mapped the dropped packet. To generate log messages for specific firewall rules, you must enable logging for each rule, and Allow/Deny log messages must be enabled in the Multimedia Security >...
  • Page 113: Viewing Applied Rules

    Additional rules are listed for secure UNIStim server traffic and self traffic, which is traffic to and from the SMC device. The basic firewall rules do not map to the configuration rules perfectly (for example, duplicate rules are removed).
  • Page 114: Viewing The System Log

    Search for the appropriate rule ID. Determine the details of the rule. System log: To determine why particular traffic is not traversing an SMC, you can explore the current system logs to make sure there are no system-level failures affecting connectivity.
  • Page 115: Custom Firewall Rules

    Designate Service as Custom with the appropriate protocol. Select the Source and Destination for the client and server networks. Set Action to allow. Click Update. Click Apply to save the current configuration. End of Procedure
  • Page 116: Configuring Callpilot Desktop Messaging

    Result: The rule is added to the end of the current list. Turn on logging for new rules, at least until you are sure they are working appropriately. Firewall rules are evaluated in top-down fashion: the rules with lower IDs have precedence over rules with higher IDs.
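    The troubleshooting loop the guide describes on pages 108 to 116 (read the firewall log, find the flow that matched no policy, add a custom allow rule, and remember that the lowest rule ID wins) is shown below as an added example. This is not code from the Nortel guide or the SMC itself: the log-line parser handles the key=value format of the sample log on page 111, and the rule table, the `Rule` class, the wildcard conventions (`'any'`, `None`) and the second and third sample rules are assumptions made for illustration.

```python
"""Added example (not from the Nortel guide): parse SMC-style firewall log
lines and evaluate a rule list top-down, first match wins, the way the guide
describes. The Rule class, its wildcards and the sample rule set are
assumptions for illustration."""
import ipaddress
import re

# Constructed sample input: the drop line shown in the guide (page 111),
# with the extracted 'ext n/ w' spacing in msg tidied to 'ext n/w'.
SAMPLE_LOG = [
    'Mar 1 13:01:37 127.0.0.1 id=firewall time="2006-03-01 13:01:37" fw=a10-10-10-10 '
    'pri=4 proto=6(tcp) src=2.2.2.100 : 32802 dst=3.3.3.200 : 22 mid=2076 mtp=10 '
    'msg="Access Policy not found, dropping packet from ext n/w" agent=Firewall',
]

_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_fw_log(line):
    """Return the key=value fields of one log line as a dict.

    Quoted values (time=, msg=) keep their spaces. The 'src=ip : port'
    spacing seen in the extracted text is normalised to 'ip:port' first."""
    line = line.replace(' : ', ':')
    fields = {}
    for m in _KV.finditer(line):
        key, raw, quoted = m.groups()
        fields[key] = quoted if quoted is not None else raw
    for side in ('src', 'dst'):                      # split address and port
        addr, _, port = fields[side].rpartition(':')
        fields[side], fields[side + '_port'] = addr, int(port)
    num, name = re.match(r'(\d+)\((\w+)\)', fields['proto']).groups()
    fields['proto'], fields['proto_num'] = name, int(num)   # '6(tcp)' -> tcp, 6
    return fields


class Rule:
    """One firewall rule. proto 'any' and dport None are wildcards (assumed)."""

    def __init__(self, rule_id, src, dst, proto, dport, action):
        self.id = rule_id
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.proto, self.dport, self.action = proto, dport, action

    def matches(self, ev):
        return (ipaddress.ip_address(ev['src']) in self.src
                and ipaddress.ip_address(ev['dst']) in self.dst
                and self.proto in ('any', ev['proto'])
                and self.dport in (None, ev['dst_port']))


def evaluate(rules, ev):
    """Top-down evaluation: the matching rule with the lowest ID decides.
    No match reproduces the 'Access Policy not found' drop from the log."""
    for rule in sorted(rules, key=lambda r: r.id):
        if rule.matches(ev):
            return rule.action, rule.id
    return 'deny', None


def flows_without_policy(lines):
    """The flows a troubleshooter needs a new policy for: parsed events whose
    message says no access policy matched."""
    return [ev for ev in map(parse_fw_log, lines)
            if ev.get('msg', '').startswith('Access Policy not found')]


if __name__ == '__main__':
    ev = flows_without_policy(SAMPLE_LOG)[0]
    print(ev['src'], ev['src_port'], '->', ev['dst'], ev['dst_port'], ev['proto'])
    rules = [Rule(1, '2.2.2.0/24', '3.3.3.0/24', 'udp', 4100, 'allow'),  # UNIStim to the node, port 4100 (page 138)
             Rule(2, '2.2.2.0/24', '3.3.3.0/24', 'tcp', 443, 'allow')]   # HTTPS (assumed rule)
    print(evaluate(rules, ev))                       # ('deny', None): SSH has no policy
    rules.append(Rule(3, '2.2.2.0/24', '3.3.3.200/32', 'tcp', 22, 'allow'))  # custom rule, added at the end
    print(evaluate(rules, ev))                       # ('allow', 3)
    rules.insert(0, Rule(0, '2.2.2.100/32', '3.3.3.0/24', 'any', None, 'deny'))  # lower ID wins
    print(evaluate(rules, ev))                       # ('deny', 0)
```

    The last two steps are the point to keep in mind when adding a custom rule: because the new rule is appended with the highest ID, any broader deny that already sits above it still wins, so a rule that "does not work" after Apply is usually shadowed rather than wrong.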
  • Page 117: Configuring Symposium Multicast

    SWC Server. These components of Symposium can be in the same network or across multiple networks. If these components are across multiple networks, all the routers in between these individual components
  • Page 118: Configuring Symposium Multicast

    need to support multicast routing. The SMC is one of the routers that can be deployed in between these Symposium components. The ports and multicast addresses used by Symposium components are: • A configurable multicast address on SWC Servers (SWC Server to Web Clients for RTD) •...
  • Page 119: Voip_Users And Voip_Admins

    You must update this network with specific management IP addresses or subnets before any auto-generated rules containing the network will be accessible. End of Procedure
  • Page 121: Secure Unistim Deployment

    Introduction: UNIStim is a Nortel-proprietary signaling protocol used within the MCS and CS 1000 product lines. Using UNIStim, a UNIStim IP phone communicates with a UNIStim server (TPS) using the User Datagram Protocol (UDP).
  • Page 122 Note: The SMC currently supports Secure UNIStim for the CS 1000 but not for the MCS 5100. The SMC acts as a Secure UNIStim proxy; it terminates the Secure UNIStim handshake from the UNIStim client and then communicates with the back-end server using insecure UNIStim.
  • Page 123: Security Policy

    Firmware check: Enables the SMC to consult the IP Client Firmware table to confirm that the IP phones support UNIStim security for new connections. Nortel recommends firmware checking if you have a heterogeneous mix of IP phones, including IP phones that do not support security.
  • Page 124 By default, the SMC keeps all IP clients in an insecure mode. This allows the administrator to control the Secure UNIStim roll-out so that licences are not exceeded. To add enhanced security for all IP phones protected by a given policy, client security is required.
  • Page 125 Web UI, how the IP client network is tied to the policy, and Figure 23 on page 127 shows a group of IP clients that does not support secure UNIStim. Figure 21 Security policy diagram.
  • Page 126 Figure 22 Sample policy page.
  • Page 127 When an IP phone is redirected to a server that is not located in an SMZ protected by the current SMC, the Security in External Redirections feature determines how the action byte is set. If the action byte is 1 (insecure), the IP
  • Page 128 phone is redirected insecurely. If the action byte is 6 (secure), the phone is redirected securely. Table 12 identifies the default Security in External Redirection settings for a new SMC installation. Table 12 Default Security in External Redirection settings Policy nonsecure...
  • Page 129 Note: Even if both servers are protected by SMCs, the redirection may still fail if the IP phone does not have a fingerprint that matches the second server.
  • Page 130 In a Virtual Office configuration in which not all Signaling Servers are protected by an SMC, Nortel recommends that you disable the Security in External Redirections feature so that the IP phones are redirected insecurely to the CS 1000 Remote and can establish connectivity;...
  • Page 131: First-Time Deployment

    First-time deployment Nortel recommends that Secure UNIStim be enabled on a small group of target users first to ensure the process is understood. After operation has been confirmed for a couple of days, the Policies or Network definitions can be changed to include additional IP clients.
  • Page 132: Configuring Secure Unistim

    Procedure 35 Configuring Secure UNIStim: Log on to the Web UI. Navigate to the following page: Wizards > Configure > Secure UNIStim. The Secure UNIStim Wizard page is displayed. Read the Wizard instructions on the page. Select Yes to enable Secure UNIStim.
  • Page 133 Cut and paste the key into a file for storage. Maintain the private key in a safe location. It may be needed for another SMC install. 15 Click Apply. IMPORTANT!
  • Page 134 Now the SMC is ready to transparently proxy connections from a UNIStim IP phone to the primary servers entered within the wizard. It may take one minute for the SMC to start handling connections in an HA environment. If any phones on secure subnets do not explicitly support Secure UNIStim, enable Firmware Checking in the policy.
  • Page 135 This reset forces them to start from the initial primary servers, and all redirection pathways are captured by the SMC. You can monitor the server additions through the UNIStim Servers page. 19 Examine the IP Clients after priming the Secondary Servers. IMPORTANT!
  • Page 136: Viewing The Security Keys

    Each host in an HA cluster has a different MAC address. The MAC address internally maps to port 1. Obtain the license from Nortel. Paste the license into the New License window and save it. Repeat this step for each host in an HA cluster. It takes approximately 30 seconds before the license goes into effect.
  • Page 137: Troubleshooting Secure Unistim

    Administration > Monitor > UNIStim Security > Client page in the Web UI. Keys shown: Private Key, Public key, Public key fingerprint. End of Procedure
  • Page 138 The following section explains why Secure UNIStim reregistration can be delayed and how to speed the process up. When an insecure IP Client is rebooted, it goes through the following process: The phone communicates to the CSE Node IP address on port 4100. The Node TPS redirects the IP Client to either: •...
  • Page 139: Configuring The Ip Clients

    IP Phone 2004 (Phase 2), IP Phone 2007 (Phase 2), IP Phone 1120E, IP Phone 1140E, IP Softphone 2050, WLAN handset 2210. This causes insecure UNIStim
  • Page 140: Enable Security

    IP phone. This is not practical when there are many IP phones in the enterprise. In large installations, Nortel recommends the server auto-update. The following section describes the manual configuration of security.
  • Page 141: Ip Phone 2004 For Security

    If the IP client can register to an alternate server (S2 IP), change the action byte and key fingerprint as required for S2. Press the Apply and Reset button. End of Procedure
  • Page 142: Security

    For Phase 2 IP Phone 2001/IP Phone 2002/IP Phone 2004 phones, you can set the RSA public key fingerprint after the action byte is set to 6 for either the S1 or S2 servers. The key fingerprints, however, are not tied to either of the S1 or S2 servers even though it may appear this way during the configuration.
  • Page 143 Automatic fingerprint update: For IP phones running in insecure mode with default security settings, the SMC can automatically update/populate the public key fingerprint on the
  • Page 144 Nortel recommends that you export the current SMC private key to a secure location. Encrypt the key when you export it from the SMC. This private key is required for fingerprint updating of the current IP phones when the primary key changes.
  • Page 145 IP phones and therefore is limited in flexibility. DHCP recommendations Nortel recommends that you: • initially keep the action byte at 1 in DHCP and on the IP phones so that the automatic fingerprint update can work correctly and push the correct fingerprint to new IP phones.
  • Page 146: Managing The Keys

    Managing the keys: If you have already enabled Secure UNIStim and generated keys using the wizard in Procedure 6 on page 70, the keys are already generated and you do not need to perform Procedure 40 and Procedure 41.
  • Page 147: Secure Unistim Rules

    5100. In this context, a server is a combination of IP address and port. Figure 25 illustrates a standard redirection in a CS 1000 system. End of Procedure
  • Page 148 Figure 25 CS 1000 standard redirection. Configure primary server: Only the initial primary server is configured in the SMC. The two secondary servers are automatically discovered and stored persistently in the configuration as dynamic servers. This discovery occurs during the server redirection;...
  • Page 149 Secondary servers are displayed in the Web UI. You can delete secondary servers but you cannot add them. Deleting these servers is discouraged unless the server is no longer in use. IMPORTANT!
  • Page 150 If the IP phones have not been registered with the SMC, Nortel recommends that you reset the IP phones directly through the Signaling Server using its management interfaces. The reset redirects the IP client back through a primary server and the SMC captures any missed redirections and adds them to its database.
  • Page 151: Ip Client Firmware Management

    The SMC operates in a heterogeneous environment with many different phone types. Some versions of the phone images either support UNIStim security in a limited fashion or do not support UNIStim security at all. Nortel highly recommends that all phones in the SMC-protected network have appropriate Secure UNIStim images.
  • Page 152 Without firmware checking, older firmware images that support security in a limited fashion are upgraded along with phones running the officially supported phone firmware. Nortel recommends you disable firmware checking only if no legacy Secure UNIStim phones exist on the network.
  • Page 153 Using the firmware checking feature, the SMC validates that the IP client firmware accurately supports the Secure UNIStim protocol. The SMC handles new IP client requests as before the firmware check; however before Secure UNIStim deployment Secure Multimedia Controller Page 153 of 260 Implementation Guide...
  • Page 154: Private Key Updates

    upgrading the client to Secure UNIStim or turning on session caching, the SMC checks the client firmware to make sure the firmware is supported. If not, the client request proceeds without intervention by the SMC. See Figure 28.
  • Page 155: Licensing

    Because of the possibility of delayed private key updating, Nortel recommends that the primary and secondary keys co-exist for the length of time equal to the maximum session timeout plus the master key timeout.
  • Page 156: Troubleshooting

    • In the CLI, type /cfg/sys/cluster/host <n>/license, where <n> is the host number. Troubleshooting: Current servers. View the number of primary and secondary servers on the System page or at the Administration > Monitor > UNIStim Security > Servers page in the Web UI.
  • Page 157: Client Policy And Client Firmware Policy Issues

    This section provides specific examples to clarify how to apply these policies to serve your specific needs. IMPORTANT!
  • Page 158 Example 1: In this example, use the default policy to control the access so that IP phones with secure capability connect in secure mode and IP phones without secure capability connect in insecure mode. Policy setting: upgrade = y Security = n...
  • Page 159 UNIStim are present in the firmware database. The SMC assumes that if the firmware is not in the database, it does not have secure UNIStim capabilities. IMPORTANT!
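    The policy semantics scattered across pages 123, 124, 152 and 157 to 159 (upgrade moves capable clients to Secure UNIStim, security makes it mandatory, firmware checking consults the IP Client Firmware table, and an image missing from that table counts as not capable) are pulled together in the added example below. It is not code from the Nortel guide or the SMC: the firmware table contents, the client list, the name `plan_rollout`, and the choice to report a client that cannot be secured under a security-required policy as `'blocked'` are all assumptions made for illustration; the action byte values 1 and 6 are the ones the guide gives on pages 127 and 128.

```python
"""Added example (not from the Nortel guide): apply a Secure UNIStim client
policy (upgrade, security, firmware check) to a batch of registering IP
clients. The firmware table, the client list and the 'blocked' outcome are
assumptions for illustration."""

# Action byte values the guide gives for redirections: 1 insecure, 6 secure.
ACTION_BYTE = {'insecure': 1, 'secure': 6}

# Constructed IP Client Firmware table: image name -> supports Secure UNIStim.
# Images absent from the table are treated as not secure-capable (page 159).
FIRMWARE_TABLE = {
    'image-secure': True,    # assumed fully capable image
    'image-legacy': False,   # assumed image with limited security support
}

# Constructed registering clients: (name, firmware image).
CLIENTS = [('phone-a', 'image-secure'), ('phone-b', 'image-legacy'),
           ('phone-c', 'image-not-in-table')]


def client_mode(policy, firmware):
    """Return 'secure', 'insecure' or 'blocked' for one registering client.

    policy keys: upgrade (move capable clients to Secure UNIStim),
    security (Secure UNIStim required), firmware_check (consult the table).
    With firmware checking off every client is treated as capable, which is
    how older, partially capable images end up upgraded too (page 152)."""
    capable = FIRMWARE_TABLE.get(firmware, False) if policy['firmware_check'] else True
    if policy['security']:
        return 'secure' if capable else 'blocked'   # 'blocked' is an assumption
    if policy['upgrade'] and capable:
        return 'secure'
    return 'insecure'


def plan_rollout(policy, clients):
    """Apply the policy to (name, firmware) pairs. Returns the per-client
    modes and the number of Secure UNIStim sessions the policy would create,
    which the administrator compares against the licence count before
    widening the policy or network definition (pages 124 and 131)."""
    modes = {name: client_mode(policy, fw) for name, fw in clients}
    return modes, sum(1 for m in modes.values() if m == 'secure')


def action_bytes(modes):
    """Action byte per client for the modes that map to one."""
    return {name: ACTION_BYTE[m] for name, m in modes.items() if m in ACTION_BYTE}


if __name__ == '__main__':
    example1 = {'upgrade': True, 'security': False, 'firmware_check': True}
    modes, secure = plan_rollout(example1, CLIENTS)
    print(modes, secure)          # only phone-a goes secure; 1 licence used
    print(action_bytes(modes))    # {'phone-a': 6, 'phone-b': 1, 'phone-c': 1}
```

    Running the same clients through the default policy (upgrade off) yields zero secure sessions, and turning firmware checking off makes all three secure, including the legacy image, which is exactly the case the guide warns about on page 152.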
  • Page 161: Maintenance

    You can access the CLI locally at the SMC or remotely through Telnet or Secure Shell (SSH) after access is granted. See “Defining the remote access list”.
  • Page 162: Users And Passwords

    SMC. The default usernames and passwords for each access level are listed in Table 14. Usernames and passwords are case sensitive. Note: Nortel recommends that you change all the default passwords after initial configuration and as regularly as required under your network security policies.
  • Page 163 The root login is available only through a local console terminal. The root user has complete internal access to the operating system and software. Root access is NOT RECOMMENDED unless under the direction of Nortel support personnel. CAUTION — Service Interruption The root login on this system is only intended for debugging and emergency repair, typically under the direction of support personnel.
  • Page 164: Smc Software Upgrades

    This process is used to restore the SMC to the factory default state. The upgrade files are provided on the Nortel web site. The package files have a .PKG extension, and the ISO Install CD has an .ISO extension.
  • Page 165: Procedure

    Click Browse to locate the package you wish to upload to SMC. Note: The package file is already downloaded from the Nortel Web site and saved onto the PC. Package files end with the extension .PKG.
  • Page 166 A confirmation dialog appears and displays the following message: Are you sure you want to activate this image? Click Ok. The page refreshes and the package is marked as old. 10 Click Activate again. The SMC installs the package and then reboots. The reboot can take up to 5 minutes to complete.
  • Page 167: Procedure

    Enter cur to verify the current versions of the software. Choose one of the following: FTP or TFTP download, or CD-ROM download. Then enter /boot/software/download.
  • Page 168 Verify that the version you downloaded has a status of unpacked. The software versions are marked with one out of four possible status values. The meaning of each status value is described in Table 15. Table 15 Software status values Status...
  • Page 169: Activating The Software For A Stand-Alone Upgrade

    Telnet/SSH. Enter /cfg/sys/accesslist/list to verify that an access list exists that includes all addresses on the management interface. If this entry does not exist, add it. End of Procedure
  • Page 170 A reinstallation erases all configuration data, which includes installed keys, network settings, and certificates. Nortel recommends that you save all configuration data to a file on a TFTP/FTP/SCP/SFTP server using the ptcfg command.
  • Page 171: Reinstalling The Software Using The .Iso Image

    .IMG image of the software (see Procedure 47). Procedure 46 Reinstalling the software using the .ISO image: Nortel recommends this method. Copy the .ISO version of the software to a CD-ROM and boot from it. This reinstall removes the current configuration and reimages the SMC.
  • Page 172: Reinstall The Software Using The .Img Image

    Procedure 47 Reinstall the software using the .IMG image: This method installs the .IMG version of the software using TFTP or FTP. This reinstall overwrites the current configuration. In this procedure, you instruct the SMC to use a specific network interface and a specific IP address to pull the image file from the TFTP or FTP server.
  • Page 173: Resetting The Smc To Factory Defaults

    Enter f to select FTP. End of Procedure WARNING: Resetting the SMC to factory defaults halts all current operations on the SMC. Reset a standalone SMC installation to factory default. — CLI: /cfg/sys/cluster/host 1/delete
  • Page 174 — Web UI: Operation > SMC Host(s). Select the host you want to delete and then click Delete. WARNING: Deleting the host to which the Web UI is connecting causes the browser to lose connectivity. • Restart the SMCs.
  • Page 175: Vrrp Overview

    A single port pair behaving as previously described invokes the master election process behavior. Note 2: In VRRP election, the only relevant IP address is the cluster MIP address. End of Procedure IMPORTANT!
  • Page 176 The SMC that assumes the virtual router IP addresses is called the active master, and it forwards packets intended for these IP addresses. If the active master becomes unavailable, VRRP provides dynamic failover in the forwarding responsibility to a redundant VRRP router.
  • Page 177 ARP requests (one per second) to the active master virtual router IP addresses. This gives the active master ample opportunity to respond,
  • Page 178 enabling the backup virtual routers to confirm that it is down before going on to the next step: • If ARP replies from the active master are not received, failover occurs. • If ARP replies from the active master are received, no failover occurs. Note: If VRRP multicast advertisement packets are not received on any backup router, the reason might be that the traffic on the active master is too heavy for it to send advertisement packets within the advertisement...
  • Page 179 Increasing the advertisement interval lowers the chance of unnecessary disruption of packet forwarding, but increases the length of service disruption in the event that the active master fails. If the backup does
  • Page 180 Gratuitous ARP (GARP): After the backup detects a failure in the active master, the backup immediately flashes a Gratuitous ARP (GARP) message to the end-hosts on the virtual router interface. The GARP, an unsolicited ARP response, forces end-hosts to update their ARP caches with the new MAC address and IP address mapping.
  • Page 181 IP addresses must belong to the same subnet. Advanced failover check: If Advanced Failover Check (AFC) is enabled, the system sends an ARP message before initiating a failover caused by missed VRRP advertisements.
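    The backup-router behaviour described on pages 176 to 181 (missed advertisements, the one-per-second ARP probes of the Advanced Failover Check, the interval trade-off, and the Gratuitous ARP sent after takeover) is shown below as an added example. It is not code from the Nortel guide or the SMC: the guide does not state how many missed advertisements or how many unanswered ARP probes trigger failover, so `MASTER_DOWN_MULTIPLIER` and `afc_probes` are assumptions, and the virtual MAC prefix 00:00:5e:00:01 is the standard VRRP one rather than anything the guide specifies for the SMC.

```python
"""Added example (not from the Nortel guide): the backup-router side of the
VRRP failover check the guide describes, plus the Gratuitous ARP a new
master broadcasts. The master-down multiplier, probe count and addresses are
assumptions; the virtual MAC prefix 00:00:5e:00:01 is the standard VRRP one."""
import struct

MASTER_DOWN_MULTIPLIER = 3   # assumption: act after three missed advertisements


def failover_decision(advert_interval, last_advert_age, master_answers_arp,
                      afc_enabled, afc_probes=3):
    """Decide whether a backup takes over; returns (failover, reason).

    advert_interval and last_advert_age are in seconds. master_answers_arp(n)
    stands in for the active master's reply to the n-th one-per-second ARP
    probe (page 177), so a busy-but-alive master can be told from a dead one."""
    if last_advert_age < MASTER_DOWN_MULTIPLIER * advert_interval:
        return False, 'advertisements still arriving'
    if not afc_enabled:
        return True, 'missed advertisements'
    for n in range(afc_probes):                  # Advanced Failover Check
        if master_answers_arp(n):
            return False, 'master answered ARP, it is busy rather than down'
    return True, 'no ARP reply after %d probes' % afc_probes


def worst_case_detection(advert_interval, afc_enabled, afc_probes=3):
    """Seconds before a backup acts on a dead master. A longer interval means
    fewer false failovers under load but a longer outage (page 179)."""
    return MASTER_DOWN_MULTIPLIER * advert_interval + (afc_probes if afc_enabled else 0)


def gratuitous_arp(vrid, vip):
    """Build the 28-byte ARP reply body a new master broadcasts so end-hosts
    remap the virtual IP to the virtual MAC: sender IP equals target IP,
    target MAC is the broadcast address (page 180)."""
    vmac = bytes.fromhex('0000 5e00 01') + bytes([vrid])
    ip = bytes(int(octet) for octet in vip.split('.'))
    header = struct.pack('!HHBBH', 1, 0x0800, 6, 4, 2)   # Ethernet, IPv4, opcode reply
    return header + vmac + ip + b'\xff' * 6 + ip


if __name__ == '__main__':
    busy_master = lambda n: True         # alive, just late with advertisements
    dead_master = lambda n: False
    print(failover_decision(1, 3, busy_master, afc_enabled=False))   # (True, 'missed advertisements')
    print(failover_decision(1, 3, busy_master, afc_enabled=True))    # no failover: AFC saw an ARP reply
    print(failover_decision(1, 3, dead_master, afc_enabled=True))    # (True, 'no ARP reply after 3 probes')
    print(worst_case_detection(1, True), worst_case_detection(5, False))   # 6 15
    print(gratuitous_arp(1, '10.10.10.10').hex())
```

    The two `busy_master` calls are the point of AFC: without it a master that is merely too loaded to advertise on time is displaced, after which both units may answer for the virtual addresses; with it the backup only proceeds when the ARP probes also go unanswered.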
  • Page 183: The Command Line Interface (Cli)

    Introduction The Command Line Interface (CLI) is the most direct method for viewing information about the Secure Multimedia Controller (SMC). In addition, you can use the CLI for performing all levels of system configuration. You can view the text-based CLI using a basic terminal. The CLI commands are grouped into a series of menus and submenus.
  • Page 184: Accessing The Cli

    Accessing the CLI using the local serial port: Any SMC serial port provides direct local access for managing the SMC. For details on attaching a console terminal to the serial port and establishing a connection, see “Hardware installation”...
  • Page 185: Enabling Telnet Using The Cli

    Using Secure Shell (SSH): Using an SSH connection, you can manage the SMC from any workstation connected to the network. SSH access provides the same management options as those available through the local serial port. End of Procedure
  • Page 186: Enabling Telnet Or Ssh Using The Web Ui

    SSH access provides the following security benefits: • server host authentication • encryption of management messages • encryption of passwords for user authentication. By default, SSH access is disabled and all remote access is restricted. Depending on the severity of the security policy, you may enable SSH and permit remote access to one or more trusted client stations.
  • Page 187: Enabling Ssh Using The Cli

    Generate new SSH keys. During the initial setup of the SMC, Nortel recommends that you select the option to generate new SSH host keys. This is required to maintain a high level of security when connecting to the SMC using an SSH client. If you fear that the SSH host keys are compromised, or at any time the security policy dictates, you can create new host keys.
  • Page 188: Using The Cli

    Use the global revert command to clear all pending changes and then continue the configuration session. Use the global exit command to log out from the system. Closing the remote session also discards pending changes, though Nortel
  • Page 189: The Main Menu

    However, if multiple CLI or Web UI administrators apply changes to the same set of parameters concurrently, the latest applied changes take precedence.
  • Page 190 Global commands: Some basic commands are recognized throughout the entire menu hierarchy. These commands are useful for obtaining online help, navigating through menus, and for applying and saving configuration changes. Table 16 Global CLI commands Command Description...
  • Page 191 0 = Quiet: nothing appears except errors, not even prompts. 1 = Normal: prompts and requested output are shown, but no menus. 2 = Verbose: everything is shown.
  • Page 192 Command line history and editing: Using the CLI history and editing commands, you can retrieve and modify previously entered commands with just a few keystrokes. Table 17 Command Line history and editing options Command history !<n>...
  • Page 193 <Enter>. If the <Tab> key is pressed without any input on the command line, the currently active menu appears. (Table 17, continued, descriptions only: Clears the entire line. Inserts new characters at the cursor position.)
  • Page 194: Radius Authentication

    RADIUS authentication: The SMC 2450 enables you to log on using RADIUS authentication. The RADIUS client on the SMC forwards the RADIUS message to a single or multiple RADIUS servers configured for authentication. RADIUS authentication applies to both stand-alone and cluster configurations.
  • Page 195 Web UI. If failover occurs, the web session may log off and you must authenticate again. End of Procedure
  • Page 197: Web User Interface (Ui)

    • provides configuration and monitoring functions similar to those available through the Command Line Interface (CLI) • supports up to ten simultaneous Web UI sessions
  • Page 198: Basics Of The Web Ui

    Getting started: Following are the requirements to enable the Web UI: • installed SMC • PC or workstation with network access to the SMC host IP address • frame-capable web browser software, such as the following: •...
  • Page 199 The Warning display area provides important warnings for the user, such as information about CLI users logged on or the status of the GUI lock. Any user
  • Page 200 logged on as an administrator can activate the GUI lock before changing or creating a configuration. Lock the GUI before making changes. Forms display area: The Forms display area contains fields that display information or allow you to specify information for configuring the system.
  • Page 201: Basic Operation

    Click the global Revert button to cancel all pending changes. Click the global Apply button. WARNING: To prevent conflicts, any user logged on as administrator can take control of the GUI lock before changing or creating a configuration.
  • Page 202 Lost changes: Changes are lost if a new form is selected or the session is ended without submitting the information to the pending configuration. Click the Update or Submit button on the form to submit changes to the pending configuration. Pending changes are also discarded if they are not submitted before the inactivity timeout value on Web UI sessions elapses.
  • Page 203 The pending configuration changes are examined to ensure that they are complete and consistent. If problems are found, the following types of messages are displayed:
  • Page 204 — Run a Security Audit: When selected, this command lists security • Submit button: Click to perform the action selected in the Apply Changes pull-down list. • Back button: Click to return to the previously viewed form without applying changes.
  • Page 205 Select any sub-menu item to display Help for that form. • Load: Click Load to display the form referenced on the bar.
  • Page 206 • Forms area: This area displays detailed information about the selected topic. • Close button: Click Close to close the context-sensitive Help window. Task-based Help: Task-based Help directs the administrator through the steps of various common procedures.
  • Page 207: Logging

    System Log: The System Log contains general device-level status information and errors. You can view the contents of the System Log in the Web UI at the Logs > System Log page.
  • Page 208: Log Configuration

    Note: Many System Log messages have Log IDs, such as LIBADMIN_32 or USECPD_16. In the Web UI log display page, you can search on these IDs and show additional information about the log message (and possible resolutions). Security Log: The Security Log displays attack and packet-level information, including potential exploits and problem packets, logged from the SMC firewall.
  • Page 209: Security Log Rate-Limiting

    Limiting by count prevents the CPU from becoming over-used in managing log resources; however, it also provides an inaccurate report of the state of the current system because log messages beyond the limit are dropped. IMPORTANT!
  • Page 210 Limit by sampling: The SMC supports logging every nth message (for example, storing 1 out of every 10 messages). Limiting by sampling has the same problem as the previous option (not all messages are logged); however, because it uses sampling, you do not get large blocks of discarded messages.
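    The difference between the two rate-limiting options on pages 209 and 210 is easiest to see by running both over the same burst, so an added example follows. It is not code from the Nortel guide and does not reflect how the SMC implements either limiter internally: the window length, the limiter functions and the constructed burst of deny events are assumptions chosen to make the dropped-block effect visible.

```python
"""Added example (not from the Nortel guide): the two Security Log
rate-limiting strategies the guide contrasts, limit by count and limit by
sampling, run over a constructed burst so the difference in what gets
dropped is visible. Window length and message contents are assumptions."""


def limit_by_count(messages, max_per_window, window_len):
    """Keep at most max_per_window messages per window_len seconds; everything
    after the limit in a window is dropped as one contiguous block."""
    kept, window_start, count = [], None, 0
    for ts, msg in messages:
        if window_start is None or ts - window_start >= window_len:
            window_start, count = ts, 0          # new window
        if count < max_per_window:
            kept.append((ts, msg))
            count += 1
    return kept


def limit_by_sampling(messages, n):
    """Keep every n-th message (1 out of n), so the drops are spread out."""
    return [m for i, m in enumerate(messages) if i % n == 0]


def longest_gap(messages, kept):
    """Largest run of consecutive messages that never reached the log; this is
    what an analyst loses when reconstructing an incident from the log."""
    kept_set, run, worst = set(kept), 0, 0
    for m in messages:
        run = 0 if m in kept_set else run + 1
        worst = max(worst, run)
    return worst


# Constructed burst: 30 deny events within one second from a range of forged
# sources, the kind of flood a forged-packet attack on the proxy produces.
BURST = [(100.0 + i * 0.03, 'deny src=2.2.2.%d dst=3.3.3.200' % (100 + i))
         for i in range(30)]

if __name__ == '__main__':
    by_count = limit_by_count(BURST, 10, 1.0)
    by_sample = limit_by_sampling(BURST, 3)
    print(len(by_count), longest_gap(BURST, by_count))      # 10 kept, 20 dropped in a row
    print(len(by_sample), longest_gap(BURST, by_sample))    # 10 kept, at most 2 in a row
```

    Both limiters keep the same number of messages from the burst; the count limiter preserves the first ten and loses the remaining twenty as a block, while sampling keeps one in three across the whole burst, which is the trade-off the guide describes.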
  • Page 211: Security Log Details

    Note: Adding a UNIStim server adds rules to the database as well. These rules are called autogenerated rules and are displayed in green on the rule mappings page.
  • Page 213: Limits And Scaling

    Scaling beyond 5000 clients
  • Page 214: Configuration Limits

    Configuration limits (parameters listed): Secure Multimedia Zones, Networks, Services, Flows, Keys, UNIStim Policies, UNIStim Rules, UNIStim Servers, Firewall Rules. Firewall limits (parameter listed): Connections. Engineering limitations: Because the hardware is a PC platform, small packet performance can be a limitation for high-end systems.
  • Page 215: Secure Unistim Limitations

    (attacked) if packets are forged and sent at very high rates (several Mbps). Note that these rates far exceed the rates that the UNIStim proxy is required to handle in a typical deployment. To “protect” the UNIStim
  • Page 216: Scaling Beyond 5000 Clients

  • Page 216 proxy, a full variety of rate limiting settings are available under the /maint/unistim/adv/flow menu. The UNIStim proxy is not designed to accommodate tens of Mbps of UNIStim control traffic. Although not supported, the secure UNIStim proxy is tested at steady state capacities of over 12000 simultaneous secure UNIStim clients.
  • Page 217: Appendix A: Troubleshooting

    From the initial SMC, ping the gateway IP address on the intranet. From the initial SMC, ping the interface IP addresses on the second SMC. This assumes that the networks are connected through the Layer 2 device.
  • Page 218: Security Error And Fingerprint Update Issues

  • Page 218 Security error and fingerprint update issues: During the initial Secure UNIStim deployment, a common error message is seen on the client phone screen. The cause of this error is typically a mismatch of fingerprints: the currently configured client fingerprint does not match either the primary or secondary fingerprint.
  • Page 219 This ensures that clients with the old fingerprint can still register securely. Generate a new RSA key and attach it as the Primary RSA key. The SMC automatically writes the new fingerprint (FP) to all the registered IP clients.
  • Page 220: Server Unreachable Error

  • Page 220 Server Unreachable error: Unsecure clients that reside in the same subnet as Secure UNIStim clients can fail if the SMC policy requires clients from this subnet to run Secure UNIStim. The failed clients receive a message.
  • Page 221: Appendix B: Specifications

    (559 millimeters); approximately 12 kg; rack-mount hardware to allow mounting in a 19 inch standard rack; plastic front bezel with Nortel name/logo and SMC 2450 model name and number; Intel Pentium-4, 2.8 Gigahertz (GHz); 512 Megabyte (MB) DDR 200.266 MHz...
  • Page 222 Table 20 Hardware specifications (continued), characteristics listed: Drives; LAN ports; I/O expansion slot; PCI card; Console port; System management; Light-emitting diodes (LED). LAN connection speeds: Table 21 lists the LAN connection speeds accommodated by the SMC.
  • Page 223: Regulatory Specifications

    Canada: ICES-003 Class A; Australia & New Zealand: AS/NZ 3548 (standard replaced by EN55022); Europe: EN55022 (emissions) & EN55024 (immunity); Europe: CISPR-22; Japan: VCCI.
  • Page 224 Table 24 Certification marks: compliance marks listed are cULus, Gost, S-Mark and TUV-GS; countries listed are USA & Canada, Europe, Russia, Mexico, Argentina, Germany/Europe and Korea.
  • Page 225: Appendix C: Regulatory Information

    Electromagnetic compatibility. System approval: The Secure Multimedia Controller (SMC) has approvals to be sold in many global markets. The regulatory labels on the back of system equipment contain national and international regulatory information.
  • Page 226 Table 25 describes the EMC specifications for Class A devices. Table 25 EMC specification for Class A devices (Jurisdiction: Standard): United States: FCC CFR 47 Part 15; Canada: ICES-003; Europe: EN 55022/CISPR 22, EN 55024, EN 6100-3-2...
  • Page 227 Note 4: The user should not make changes or modifications not expressly approved by Nortel. Any such changes can void the user’s authority to operate the equipment. Note 5: EN 55022/CISPR 22 Statement: “Warning...
  • Page 228: Denan Regulatory Notice For Japan

    DenAn regulatory notice for Japan
  • Page 229: Appendix D: Software Licenses

    Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  • Page 230 The end-user documentation included with the redistribution, if any, must include the following acknowledgment: “This product includes software developed by the Apache Software Foundation (http://www.apache.org/).” Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear.
  • Page 231: Mod_Ssl License

    Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/).”
  • Page 232: Openssl And Ssleay Licenses

  • Page 232 THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  • Page 233 OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
  • Page 234 Original SSLeay License: Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscape’s SSL. This library is free for commercial and non-commercial use as long as the following conditions are adhered to.
  • Page 235 The licence and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]
  • Page 236: Brian Gladman's License

    Brian Gladman’s License --------------------------------------------------------------------------- Copyright (c) 2002, Dr Brian Gladman <brg@gladman.me.uk>, Worcester, UK. All rights reserved. LICENSE TERMS The free distribution and use of this software in both source and binary form is allowed (with or without changes) provided that: 1.
  • Page 237: Php License

    PHP License: The PHP License, version 2.02 Copyright (c) 1999, 2000 The PHP Group. All rights reserved.
  • Page 238 Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  • Page 239: Smtpclient License

    Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
  • Page 240: Gnu General Public License

    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License in the file COPYING along with this program; if not, write to: Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  • Page 241 To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.
  • Page 242 The precise terms and conditions for copying, distribution and modification follow. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
  • Page 243 Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
  • Page 244 You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: The source code for a work means the preferred form of the work for making modifications to it.
  • Page 245 It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims;
  • Page 246 this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system;...
  • Page 247 To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion
  • Page 248 of warranty; and each file should have at least the “copyright” line and a pointer to where the full notice is found. <one line to give the program's name and a brief idea of what it does.> Copyright (C) 19yy <name of author>...
  • Page 249 If this is what you want to do, use the GNU Library General Public License instead of this License.
  • Page 251: Smc Packet Filter Log Messages

    (WELF) for logging network activity. A sample of a log message in WELF generated by syslog is shown here. Apr 18 04:25:52 172.16.1.247 id=firewall time="2002-04-18 16:15:34" fw=DEVICE1 pri=6 proto=6(tcp) src=172.16.7.246 dst=66.218.70.149 msg=Service access request successful Src 3171 Dst 80 from EXT n/w agent=Firewall
  • Page 252 Various fields in the above sample syslog message are explained in Table 26. Table 26 Syslog message fields lists the fields Syslog header, time, proto and agent, with descriptions including “Contains the time stamp of the event.” and “Identifies the type of record.”
  • Page 253: Log Message Table

    This log message indicates that the maximum packet rate is reached and no extra packets are allowed. Apr 29 19:53:28 172.16.7.225 id=firewall time="2004-04-29 14:36:28" fw= a10-10-10-10 pri=1 mid=2102 mtp=2048 msg="Rate-Limiting: Maximum Packet Rate reached, dropping the packet from ext n/w" ruleid=23 agent=Firewall
  • Page 254 Table 27 Log messages: Maximum Connection Rate Reached; Maximum Bandwidth Reached; Deny Policies: Deny Policy Matched. This log message indicates that the maximum connection rate is reached and new connections within that rate limiting time are not formed.
  • Page 255 80 percent of its limit, and SMC activates TCP SYN Flooding protection. Apr 29 20:30:04 172.16.7.225 id=firewall time="2004-04-29 15:13:03" fw= a10-10-10-10 pri=1 proto=6(tcp) src=172.16.7.224 dst=172.16.8.226 mid=2066 mtp=1 msg="Crossed 80% of resource. Possible flooding(TCP) Src 1048 Dst 23 from corp n/w" agent=Firewall
  • Page 256 Table 27 Log messages: General attacks: LAND; Unable to Determine Route; IP-Reassembly; IP-Source Route Options. This log message is generated when the SMC detects a land attack.
  • Page 257 This log message is generated when the SMC detects an invalid TCP connection. Apr 29 21:27:55 172.16.7.225 id=firewall time="2004-04-29 16:10:55" fw= a10-10-10-10 pri=1 proto=6(tcp) src=172.16.7.224 dst=172.16.8.226 count=9 mid=2002 mtp=2048 msg="Invalid TCP Connection request Src 23 Dst 2058 from corp n/w" agent=Firewall
  • Page 258 Table 27 Log messages: IP Spoof: IP Spoof; Ping of Death: Ping of Death; IP Option Attacks: IP Option Attack. This log message is generated when the SMC detects an IP-Spoof attack.
  • Page 259 This log message is generated when a connection times out. Apr 29 20:44:40 172.16.7.225 id=firewall time="2004-04-29 15:27:40" fw= a10-10-10-10 pri=6 proto=17(udp) src=172.16.7.225 dst=172.16.7.224 mid=2088 mtp=32768 msg="Connection timed out.Bytes transferred : 6554 Src 32777 Dst 514 from self n/w" ruleid=12 agent=Firewall
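As an added example (not code from the Nortel guide), the parser below reads the syslog-relayed WELF lines quoted in this appendix, handling both the double-quoted msg= values and the unquoted, space-containing msg= of the first sample, and tallies pri=1 events per source address for review. The reading of pri=1 as attack/limit events and pri=6 as informational is inferred from the samples, and the malformed trailing line is constructed.

```python
import re
from collections import Counter

# Constructed input: the WELF samples quoted in Appendix E (copied from the page)
# plus one malformed line, so the parser's rejection path is exercised too.
SAMPLE_LOG = """\
Apr 18 04:25:52 172.16.1.247 id=firewall time="2002-04-18 16:15:34" fw=DEVICE1 pri=6 proto=6(tcp) src=172.16.7.246 dst=66.218.70.149 msg=Service access request successful Src 3171 Dst 80 from EXT n/w agent=Firewall
Apr 29 19:53:28 172.16.7.225 id=firewall time="2004-04-29 14:36:28" fw= a10-10-10-10 pri=1 mid=2102 mtp=2048 msg="Rate-Limiting: Maximum Packet Rate reached, dropping the packet from ext n/w" ruleid=23 agent=Firewall
Apr 29 20:30:04 172.16.7.225 id=firewall time="2004-04-29 15:13:03" fw= a10-10-10-10 pri=1 proto=6(tcp) src=172.16.7.224 dst=172.16.8.226 mid=2066 mtp=1 msg="Crossed 80% of resource. Possible flooding(TCP) Src 1048 Dst 23 from corp n/w" agent=Firewall
Apr 29 21:27:55 172.16.7.225 id=firewall time="2004-04-29 16:10:55" fw= a10-10-10-10 pri=1 proto=6(tcp) src=172.16.7.224 dst=172.16.8.226 count=9 mid=2002 mtp=2048 msg="Invalid TCP Connection request Src 23 Dst 2058 from corp n/w" agent=Firewall
Apr 29 20:44:40 172.16.7.225 id=firewall time="2004-04-29 15:27:40" fw= a10-10-10-10 pri=6 proto=17(udp) src=172.16.7.225 dst=172.16.7.224 mid=2088 mtp=32768 msg="Connection timed out.Bytes transferred : 6554 Src 32777 Dst 514 from self n/w" ruleid=12 agent=Firewall
this line is not WELF and must be rejected
"""

# Syslog relay header "Mon dd hh:mm:ss <relay-ip> <WELF body>", then key=value
# pairs whose value is double-quoted or runs (spaces included, as in the
# unquoted msg= of the first sample) until the next key= or end of line.
HEADER_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(\S+)\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|.*?)(?=\s+\w+=|\s*$)')
PORTS_RE = re.compile(r"\bSrc (\d+) Dst (\d+)\b")  # ports live inside msg=

def parse_welf(line):
    """Parse one syslog-relayed WELF line into a dict; None if malformed."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    event = {"syslog_time": m.group(1), "relay": m.group(2)}
    for key, value in FIELD_RE.findall(m.group(3)):
        event[key] = value.strip().strip('"')  # tolerates 'fw= a10-10-10-10'
    if "id" not in event or "agent" not in event:
        return None
    ports = PORTS_RE.search(event.get("msg", ""))
    if ports:
        event["sport"], event["dport"] = int(ports.group(1)), int(ports.group(2))
    return event

def summarize(log_text):
    """Return (events, pri1_by_src, unparsed). In the page's samples pri=1 marks
    rate-limit/attack events and pri=6 informational ones; pri=1 events are
    tallied per src= ("-" when absent, as in the rate-limiting sample)."""
    events, alerts, unparsed = [], Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_welf(line)
        if event is None:
            unparsed += 1
            continue
        events.append(event)
        if event.get("pri") == "1":
            alerts[event.get("src", "-")] += 1
    return events, alerts, unparsed
```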