Enterasys Network Card User Manual

Summary of Contents for Enterasys Network Card

  • Page 1 Aurorean™ Virtual Network RiverMaster Administrator’s Guide Version 3.1...
  • Page 2 ©2001 Enterasys Networks. All rights reserved. This publication contains information that is the property of Enterasys Networks. No part of this publication may be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine readable form without prior written consent of Enterasys Networks. Information in this publication is subject to change without notice.
  • Page 3: Table Of Contents

    About This Guide Contents of the Guide ... ix Conventions Used in this Guide... xi Related Documents... xi Chapter 1 – Installing RiverMaster Software System Requirements ...1 Hardware Requirements...1 Software Requirements...2 Installing the Application ...2 Upgrading a Previous Release...2 Installation Steps...2 Starting the Application for the First Time ...4 Removing RiverMaster Files ...9 Chapter 2 –...
  • Page 4 Chapter 3 – Configuring an ANG-3000/7000 Before You Begin ... 26 Allocating IP/IPX Addresses to Remote Clients... 27 Virtual Subnets for Site-to-Site and Remote Access Tunnel Servers... 30 Intelligent Client Routing ... 31 NAT Server... 33 Site-to-Site Tunnels ... 34 AutoLink Recovery...
  • Page 5 Chapter 4 – Setting Up Aurorean Services Before You Begin ...75 Authorization Plug-in Options ...76 RADIUS Authentication Servers ... 76 Plug-in Planning ... 77 Threads... 77 Private/Public Keys for IPSec Authentication ...78 Problem Notification ...78 Trace Levels...79 Adding an Authorization Plug-In ...80 Enterasys Authentication ...81 RADIUS Authorization...83 SecurID Authorization ...87...
  • Page 6 Adding POPs for Corporate ISPs...114 Chapter 6 – Managing Users & Groups Before You Begin ... 120 Group Policies ... 121 Aurorean Client Installation Kits... 122 Client Synchronization... 124 Group Notices... 127 Creating a New Group ... 127 Adding Users to a Group...
  • Page 7 Chapter 8 – Generating Reports Report Contents...177 Server Anomaly Report ...177 Network Gateway Report...179 Client Anomaly Report ...182 Client Report...183 Accounting Report...187 Downloading, Viewing and Exporting Reports ...190 Printing Reports ...193 Exporting Reports...194 Exporting Reports to a Disk File ... 194 Exporting Reports to a Microsoft Exchange Folder...
  • Page 8 Creating Static Routes ... 239 Creating Remote Connections... 242 Loading the Floppy Disk... 247 Chapter 9 – License Agreement & Support Enterasys Networks License Agreement ... 249 License Grant ... 249 Warranty... 250 Infringement Indemnification... 251 Limitation of Liability... 251 Termination ...
  • Page 9: About This Guide

    This guide describes how to use Version 3.1 of the RiverMaster management application to set up and monitor Aurorean Virtual Network systems. While written primarily to describe how to configure an Aurorean Virtual Network solution for the first time, this guide also addresses how to track usage and troubleshoot end-to-end VPN connectivity problems.
  • Page 10 Appendix C, License Agreement & Support describes the agreement that governs the use and distribution of RiverMaster software and provides information for contacting Enterasys Networks for technical support. RiverMaster Administrator’s Guide...
  • Page 11: Conventions Used In This Guide

    The following conventions are used in this guide: NOTE, CAUTION, WARNING, Bold, Italics, SMALL CAPS, Courier font. Related Documents: The following publications are also supplied with Aurorean VN systems: • RiverMaster Quick Reference Card that contains shortcuts and tips for installing and using the RiverMaster application.
  • Page 12 later), you can view these manuals on-line or print additional copies. Acrobat Reader can be downloaded from the Adobe web site (www.adobe.com).
  • Page 13: Chapter 1 - Installing Rivermaster Software

    This chapter provides the system requirements and step-by-step instructions for installing RiverMaster software on your computer. If you have not already done so, Enterasys Networks recommends that you mount and connect your Aurorean Policy Server and Aurorean Network Gateway before performing these steps.
  • Page 14: Software Requirements

    The following operating systems, applications, and protocols should be installed and configured before you install RiverMaster: • Windows NT 4.0 Workstation upgraded with Service Pack 4 (SP4) or later version or Windows 2000 Professional • TCP/IP protocol • To use Aurorean Policy Manager: Internet Explorer 5 or Netscape 4. Installing the Application: Before installing RiverMaster, close any applications you have running.
  • Page 15 If a warning message appears stating that Microsoft ODBC is not present on your computer, click OK to install Microsoft ODBC. If this message does not appear, continue with the next step. The Microsoft ODBC text driver must be installed on your computer in order for RiverMaster to generate reports.
  • Page 16: Starting The Application For The First Time

    10. When the Setup Complete window appears, do one of the following: – – 11. At the second Setup Complete window, choose Yes to restart your computer and click Finish. When the reboot completes, RiverMaster is installed and ready to manage your Aurorean Virtual Network.
  • Page 17 To start RiverMaster, perform the following steps: On the main Windows NT/2000 desktop, double-click the RiverMaster icon. Alternatively, you can click the Start button, point to Programs, point to Indus River Networks, and then click RiverMaster. In the RiverMaster program group, click RiverMaster to launch the application.
  • Page 18 Do one of the following: – – This IP address is set using the Aurorean configuration wizard program; refer to the instructions supplied with this program for more information. RiverMaster needs this IP address to locate and synchronize with the Aurorean Policy Server.
  • Page 19 RiverMaster Login window in Figure 3. When the RiverMaster application starts, the main interface appears as shown in Figure 4. To prevent unauthorized RiverMaster access, Enterasys Networks recommends that you immediately create a new administrator account in the Admin group and delete the default login account. Refer to Chapter 6 for instructions on adding and deleting user accounts.
  • Page 20 Using the Delivery service running on all Aurorean components, RiverMaster establishes a Delivery session with each server. The Aurorean Policy Server reports service status, memory/hard disk usage, and a summary of alarms, alerts, and problem notification messages. The Aurorean Network Gateway reports an aggregated total of bytes sent and received over all tunnels, as well as memory/hard disk usage.
  • Page 21: Removing Rivermaster Files

    RiverMaster can be uninstalled from your computer using the standard Add/Remove Programs tool provided with Windows. After RiverMaster files are removed from your computer, you should restart the computer to clean up any files that were in use during the uninstall. To remove RiverMaster files from your computer, perform the following steps: On your desktop computer, click the Start button, point to Settings,...
  • Page 22 10. Locate the RiverMaster program folder. The default location for this folder is C:\Program Files\Indus River Networks. 11. Delete the RiverMaster folder. 12. Restart your computer.
  • Page 23: Chapter 2 - Getting Started With Rivermaster

    This chapter introduces the essential functions of RiverMaster, describes Aurorean Virtual Network system status information displayed on the main interface, and summarizes the steps required to use RiverMaster to configure your Aurorean Virtual Network for the first time. RiverMaster Overview When RiverMaster is installed on your PC, the computer becomes a “management station”...
  • Page 24 (Figure labels: Aurorean Policy Server; Updated configurations; Requests for logs.) Using the RiverMaster management application you can: • Quickly check a server’s operational status by determining if all services are running, reviewing alarm and alert messages that have accumulated, and displaying current tunnel activity (the number of users logged in and the amount of data passing over all tunnels).
  • Page 25: Logging Into Rivermaster

    • Organize users with groups and assign each group policies that govern the features available in Aurorean Client Software. • Create customized Aurorean Client Software installation kits to distribute to your remote users that contain the Aurorean Client Software application, POP packages, group policies, and destination IP addresses.
  • Page 26 To prevent unauthorized RiverMaster access, Enterasys Networks recommends that you immediately create a new administrator login account in the IRAdmin group and delete the default login account. Refer to Chapter 6 for more on adding and deleting user accounts.
  • Page 27: Checking Server Status

    RiverMaster’s main interface is designed to quickly show the Aurorean Virtual Network’s “health” when you start the application. The health conditions are organized into three categories: • Problem summary and users logged in • Aurorean Network Gateway statistics • Aurorean Policy Server statistics Problem Summary &...
  • Page 28: Aurorean Network Gateway Statistics

    (Figure callouts: Indicates current alarms, alerts, and informational messages that appear in the System Activity window (refer to Chapter 7 for more information); Total number of remote users authenticated and connected to the corporate network via the Aurorean Network Gateway.) Aurorean Network Gateway Statistics: Figure 9 shows the statistics information RiverMaster displays for the Aurorean Network Gateway.
  • Page 29: Chapter 2 Getting Started With Rivermaster

    (Figure callouts: Aggregated number of bytes received and sent over all tunnels processed by the Aurorean Network Gateway; Memory usage; Hard disk usage.) The memory and hard disk usage meters show how many system resources are being consumed supporting tunnel connections. You can use these values for capacity planning to determine when the number of concurrent tunnels is approaching the server’s limit.
  • Page 30 (Figure callouts: Status of services running or stopped on the Aurorean Policy Server; Memory usage; Hard disk usage.) Table 1 Aurorean Policy Server Services (Service: Function). Overlord: Monitors the condition of all other Aurorean services and restarts a service if it fails to initialize properly or ceases to operate at any point.
  • Page 31 Table 1 Aurorean Policy Server Services (Service: Function). Notification: Reports alarm, alert, and problem notification messages using E-mail. Provides the mechanism for transferring files between Aurorean Virtual Network servers and RiverMaster. FTP also allows Aurorean Client Software computers to synchronize group policy settings, TollSaver POP phone numbers,...
  • Page 32 Table 1 Aurorean Policy Server Services (Service: Function). Maintains a running record of system events and messages received by each Aurorean Virtual Network component. The RiverMaster application displays these logs and extracts information from them to produce daily reports. Authentication: Provides the mechanism for authenticating remote users against user...
  • Page 33: Setting Up A Aurorean Virtual Network The First Time

    When you start RiverMaster for the first time, you need to perform several basic configuration steps to put your Aurorean Virtual Network into operation. These basic steps are outlined below, with references to the detailed instructions provided throughout this manual.
  • Page 34 Create mailing lists so that the Aurorean Policy Server sends you E-mail when alarm, alert, or notification messages are generated (optional). E-mail messages are generated by the Notification service as described in Chapter 4. Reboot the Aurorean Network Gateway to put the networking changes into effect.
  • Page 35 Once remote users begin tunneling into the corporate network using Aurorean Client Software, you can view this activity using the Tunnel Statistics window described in Chapter 7. You can also produce detailed daily usage reports as described in Chapter 8. Authentication requests and other user activity messages are also displayed in the System Activity window described in Chapter 7.
  • Page 37: Chapter 3 - Configuring An Ang-3000/7000

    This chapter describes how to configure network settings for your local Aurorean Network Gateway (ANG-3000/7000). Local ANGs have an accompanying Aurorean Policy Server and are configured using RiverMaster. Remote ANGs are stand-alone systems configured by using the Web-based Aurorean Policy Manager utility.
  • Page 38: Before You Begin

    These functions are grouped on the Configuration pullout as shown in Figure 11. (Figure 11 callouts: Select the Network Gateway from the list of servers; Click here to access the Network Gateway configuration windows.) Before performing the steps in this chapter, you should familiarize yourself with the following Aurorean Virtual Network concepts: • Methods available for allocating IP addresses and IPX network numbers to remote clients when they connect.
  • Page 39: Allocating Ip/Ipx Addresses To Remote Clients

    When remote clients tunnel into the corporate network, they must be able to access devices on the network just as if they were locally connected. To serve this need, the ANG acts as a router, forwarding packets between devices on the corporate network and remote clients.
  • Page 40: Chapter 3 Configuring An Ang-3000/7000

    Virtual subnets can use both legitimate IP addresses (unique addresses purchased and registered by your company) and non-routable address ranges reserved for private network use only. These reserved address ranges include: • 10.0.0.0 to 10.255.255.254 on a Class A network • 172.16.0.0 to 172.30.255.254 on a Class B network.
  • Page 41 Figure 12 shows a sample corporate network that employs two virtual subnets. Each virtual subnet provides up to 255 client IP addresses depending upon the subnet mask used. By assigning different virtual subnets to each group, you can control what devices members of the group can access once they are connected.
  • Page 42: Virtual Subnets For Site-To-Site And Remote Access Tunnel Servers

    • Using RiverMaster, adding a static route for all addresses in the Virtual Subnet #1 range with the router’s IP address as the default gateway. • On the router, create a static route to forward all packets addressed with IP addresses in the Virtual Subnet #1 range to the IP address of the ANG Trusted interface.
  • Page 43: Intelligent Client Routing

    “Virtual Subnetting” on page 50. Intelligent Client Routing Enterasys Networks’ Intelligent Client Routing feature provides you with a measure of control over an Aurorean Client user’s access to the Internet. When enabled (this feature is enabled by default), Intelligent Client Routing allows remote clients to browse the Internet directly, outside of the tunnel.
  • Page 44 Packets that are addressed with non-routable addresses are typically blocked by firewalls and Internet gateways and will be dropped by any Internet router. The only exceptions to this rule are devices such as “proxy” servers that perform a network address translation (NAT) to dynamically re-address packets as they leave the corporate network.
  • Page 45: Nat Server

    RiverMaster’s NAT server feature provides support for security-conscious administrators who want to conceal the physical IP address of their system (ANG or another Gateway) without affecting Aurorean service. By configuring a NAT Server with an alias IP address for the ANG (refer to page 41 for instructions), the real IP address of the ANG will remain hidden and any IP address received by the NAT Server will be translated to the real IP address of the destination for all incoming clients.
  • Page 46: Site-To-Site Tunnels

    Aurorean’s NAT Server implementation cannot be employed as a client NAT where, for example, it operates within a cable modem/ISP topology. Aurorean’s NAT Server implementation is server-centric. Site-to-Site Tunnels Aurorean site-to-site tunnels optimize service between remote offices and their remotely linked corporate LANs.
  • Page 47: Autolink Recovery

    When corporate networks are linked via one or more tunnels, users can utilize applications over these LANs simply by choosing a network-supported program or by using Windows Explorer to find a destination server. Using Aurorean Client to dial up a remote connection is not required. Remote Aurorean site-to-site connections are set up by first adding a remote ANG to an existing ANG configuration, then adding the tunnel itself.
  • Page 48 (Figure labels: Primary Aurorean System; Aurorean Network Gateway; Aurorean Policy Server; Primary & Secondary RiverMaster.) If the primary Aurorean Virtual Network system fails or is unreachable due to Internet congestion, corporate ISP outage, or router malfunction, the secondary Aurorean Virtual Network system provides continued VPN service to remote users and branch offices.
  • Page 49: General Aurorean Network Gateway Settings

    General network settings for the ANG include: • The current and possible future IP addresses for the server. • Enabling Aurorean Virtual Network’s Intelligent Client Routing feature which provides you with a measure of control over an Aurorean Client’s access to the Internet.
  • Page 50 If you plan to change the Aurorean Network Gateway’s IP address in the future, enter the new address in the Future IP Address field; otherwise, leave this field blank and continue with the next step. When you build a custom Aurorean Client installation kit for your remote users (as described in Chapter 6), the ANG’s IP address is saved as part of the kit.
  • Page 51 To allow remote users to browse the Internet directly while they are tunneled into the corporate network, place a check next to Enable Intelligent Client Routing on the General page. For more information on Aurorean Virtual Network’s Intelligent Client Routing feature, refer to “Intelligent Client Routing”...
  • Page 52 In the Primary DNS and Secondary DNS fields, enter the IP addresses of DNS servers on your network. You must identify a primary DNS server; the secondary DNS server is optional. The primary and secondary labels indicate the search order (primary first and then secondary).
  • Page 53 10. In the Primary WINS and Secondary WINS fields, enter the IP addresses of WINS servers on your network. If your remote clients use standard Microsoft Dial-Up Networking (DUN) on the corporate network, you must complete these fields to enable browsing and communication with other devices in the Network Neighborhood.
  • Page 54: Viewing Aurorean Alternate Address Information

    You must configure an IP address on your NAT Server that correlates with the alias IP address you set here. 13. Click Apply to save your changes. To return the parameters to their original settings without saving your changes, click Reset.
  • Page 55: Tunnel Protocols

    (Figure callout: Click here to open the Alt Addresses window.) If you want to change either the ANG or APS Alternate IP address, click Modify, enter a value and click Update. Tunnel Protocols The ANG supports two tunnel protocols: • Point-to-Point Tunneling Protocol (PPTP) developed by Microsoft, 3Com and others that uses Point-to-Point (PPP) protocol and Generic Routing Encapsulation (GRE) to route packets through the Internet.
  • Page 56 Open the Configuration pullout. In the list of Aurorean devices, expand the tree list under Servers (click the + symbol). Expand the tree list under the name of your ANG. Click on Tunnel Protocols to display PPTP and IPSec protocol tab pages.
  • Page 57 Click the Authentication tab. Figure 24 shows the authentication parameters available for each tunnel protocol. Do one of the following: – – Choose IPSec from the Protocol pull down menu. - Use the information in Table 2 to select the IPSec Signature Algorithm that determines how IPSec packets exchanged between the ANG and Aurorean users are signed and verified.
  • Page 58 Click the Encryption tab. Do one of the following: – – Table 2 IPSec Authentication Parameters. Parameters: None, HMAC-SHA, HMAC-MD5, Time Period, Data Transferred. Explanations: None: Disables the Signature Algorithm for IPSec packets; individual packets are no longer signed and verified during transmission. HMAC-SHA: Enables hashing message authentication codes (HMAC) that are generated using the SHA cryptographic hashing function.
  • Page 59 ARCFOUR is a public domain algorithm designed to work with RC4. DES is a government standard block cipher that uses a 56-bit key. Triple-DES uses three keys to achieve the equivalent of 112-bit encryption. Figure 25 Tunnel Protocol Encryption Settings...
  • Page 60 10. Click the Compression tab. Table 3 Encryption Parameters (Tunnel Protocol: Parameters). IPSec: None, ARCFOUR 40 bit, ARCFOUR 128 bit, Triple-DES. PPTP: MPPE (40 bit), MPPE (128 bit). Explanation for None: Disables encryption on the tunnel; because this results in a less secure connection, this setting is not recommended.
  • Page 61 11. Enable or disable MPPC as required. For both IPSec and PPTP protocols, Microsoft Point-to-Point Compression (MPPC) is currently the only compression technique supported by the ANG. By default MPPC compression is enabled for both protocols. Compression settings are applied automatically to both tunnel protocols.
  • Page 62: Virtual Subnetting

    13. Do one of the following: – – Virtual Subnetting Virtual subnets fall into two categories: • IP subnets that serve as IP address pools for allocation to remote clients when they connect. • An IPX network number that is shared by all remote clients when they connect and use IPX protocol to access Novell NetWare servers.
  • Page 63 (Figure callout: Click here to access the Gateway configuration windows.) Click Remove to delete any configured virtual subnets. Click Add. The Add An IP Virtual Subnet window appears as seen in Figure 28. Figure 27 IP Subnet Configuration for Remote Clients. Figure 28 Adding An IP Virtual Subnet...
  • Page 64: Ipx Virtual Networks

    Enter the starting address of the subnet in the Address fields. You can use actual IP addresses from your network or non-routable IP address ranges (such as 192.168.x.x for a Class C network). Enter a subnet mask to define the subnet range in the Mask field. Do one of the following: –...
  • Page 65 (Figure callout: Click here to access the Gateway configuration windows.) In the IPX Virtual Network Number field, enter an IPX network number to be used by all remote clients. This number must be unique. The network number must be between 1 and 8 hexadecimal digits (1 to FFFFFFFD).
  • Page 66: Routing

    Do one of the following: – – Routing Configuring the routing behavior of the ANG consists of two general steps: • Setting parameters for the two routing protocols supported, RIP and OSPF. • Selecting routing protocols for each ANG Ethernet interface. Click here to access the Gateway...
  • Page 67: Setting Routing Protocol Parameters

    To access RIP and OSPF parameters for the ANG, perform the following steps: Open the Configuration pullout. In the list of Aurorean devices, expand the tree list under Servers (click the + symbol). Expand the tree list under the name of your ANG.
  • Page 68 If this list is blank, the Aurorean Network Gateway accepts RIP updates from all routers on the subnet. You can limit the number of updates that the Aurorean Network Gateway will accept by specifying individual routers in this list. To turn on RIP for IPX packets, click Enable under IPX RIP Enable;...
  • Page 69: Setting Ospf Properties

    Repeat Step 3 and Step 4 for each gateway required. Do one of the following: – – – Setting OSPF Properties Using RiverMaster, you can define the following OSPF parameters: • Area ID shared by the routers and the ANG. • Router ID that identifies the ANG to other devices in the OSPF area.
  • Page 70 (Table parameters: AS Export Limit; Interface Priority.) To configure OSPF properties for the ANG, perform the following steps. Perform the steps in “Setting Routing Protocol Parameters” on page 55 to access OSPF properties. The OSPF Configuration window appears as shown in Figure 33. Type the area ID shared by the ANG and routers within the subnet in the OSPF Area ID fields.
  • Page 71: Routing Interfaces

    From the OSPF Authentication Algorithm menu, choose the authentication algorithm used by routers on your network. If the routers on your network do not require passwords to accept OSPF updates, set the algorithm to None and continue with the next step.
  • Page 72: Adding Or Removing A Routing Protocol For An Interface

    (Figure callout: Click here to access the Gateway configuration windows.) Figure 34 Aurorean Network Gateway Routing Interface Configuration. To add or remove a routing protocol from an interface, perform the following steps: Open the Configuration pullout.
  • Page 73 Select the interface (Trusted or External) from the list under Network Interfaces. The protocols already enabled for this interface appear in the Routing Protocols list. Do one of the following: – – When the Add an Interface Routing Protocol window appears as shown in Figure 35, select a routing protocol and click Add.
  • Page 74: Configuring Rip For The Interface

    To configure RIP on an interface, perform the following steps: Add RIP as described in the previous section or select RIP from the Routing Protocols list and click Properties. The RIP Interface Configuration window appears as shown in Figure 36.
  • Page 75 RIP update authentication is only supported by RIP Version 2. If the routers on your network only support RIP Version 1, you cannot enter values in the RIP Authentication fields. Refer to “Configuring RIP for the Interface”...
  • Page 76: Configuring Ospf On An Interface

    To enable OSPF on an interface, perform the following steps: Add OSPF as described in “Adding or Removing a Routing Protocol for an Interface” on page 60 or select OSPF from the Routing Protocols list and click Properties. The OSPF Interface Configuration window appears as shown in Figure 37.
  • Page 77: Creating Static Routes

    Do one of the following: – – – Creating Static Routes To configure a static route between an ANG interface and another device, perform the following steps: Open the Configuration pullout. In the list of Aurorean devices, expand the tree list under Servers (click the + symbol).
  • Page 78 In the Gateway address fields, type the IP address of a gateway on this subnet. For External interfaces, enter the IP address of the router that provides access to the Internet. In the Reachable Subnet fields, type a starting IP address and subnet mask to define a subnet.
  • Page 79 10. Click Add. The static route you configured appears in the Internal Static Routes display. 11. Do one of the following: – – – Click Apply to create the static route. Click Reset to return the interface’s protocol properties to their default settings.
  • Page 80: Adding A Remote Server

    An ANG can be added at a remote location in a Site-to-Site configuration. This section describes how to set up an initiating Network Gateway to connect to a Local or terminating ANG/APS pair. Local ANGs use an accompanying APS;...
  • Page 81 Click Add Remote Server. The Add Remote Server window appears as shown in Figure 40. (Figure callouts: Type the name of the Remote Server here; Click either the IP Address or FQDN button and enter a value in the adjacent field.) Choose a name for the server in the Remote Server Name window.
  • Page 82 Choose the tunneling protocol: IPSec or PPTP. Click Add. This action adds the remote ANG to the configuration on your Local ANG. A message will display stating you have successfully added the remote server. 10. Click Add Remote Tunnel or select the Remote Server just added and click Add Tunnel.
  • Page 83: Changing Server And Tunnel Properties

    12. Click the arrow in the Remote Server Name field to bring up a pull-down list and select the Remote Server you just added. RiverMaster types the Server user name and password into the open fields.
  • Page 84 To change properties for the Remote Tunnel, perform the following steps: Select your Remote Tunnel from the tree list under Remote Servers and click Properties in the display. The Remote Tunnel Properties window appears as shown in Figure 42.
  • Page 85 Chapter 3 Configuring an ANG-3000/7000 Re-open the Remote Tunnel Properties window and select Enabled in the Enabled State field if you want to create the tunnel immediately with the reconfigured properties. If you clicked Update, a window pops up again asking if you want to save the modified tunnel.
  • Page 87: Chapter 4 - Setting Up Aurorean Services

    This chapter describes how to perform the following tasks:
    - Add an Authorization service plug-in to allow Aurorean Virtual Network systems to authenticate remote users against a local database on the Aurorean Policy Server, an external Remote Authentication Dial In User Service (RADIUS) server, or an RSA ACE/Server.
  • Page 88: Authorization Plug-In Options

    Before You Begin Authorization Plug-in Options Within an Aurorean Virtual Network, the APS coordinates remote user authentication. Using an internal software service known as Authentication and a series of “plug-ins”, the APS can authenticate remote users in three ways:
    - Using the Enterasys Authentication plug-in, remote users are authenticated against a database residing on the APS’s hard drive.
  • Page 89: Plug-In Planning

    Chapter 4 Setting Up Aurorean Services Enterasys Networks continually tests interoperability with other RADIUS server vendors. Contact Enterasys Networks Customer Support for an up-to-date list of approved RADIUS servers. Plug-in Planning You can add multiple plug-ins for RADIUS or SecurID authentication.
  • Page 90: Private/Public Keys For Ipsec Authentication

    Before You Begin Private/Public Keys for IPSec Authentication Aurorean users who tunnel into your network using the IPSec protocol also require an El Gamal public key for authentication. The key is an embedded piece of data used to encrypt and decrypt packets exchanged between Aurorean Client and the Aurorean Network Gateway.
  • Page 91: Trace Levels

    Chapter 4 Setting Up Aurorean Services that you select. You must first define a mailing list and then add E-mail addresses for each recipient to this list. You can select which types of messages (alarms, alerts, or problem notifications) will be sent to each address.
  • Page 92: Adding An Authorization Plug-In

    Adding an Authorization Plug-In For example, a low trace level set for the Tunnel Management Service will produce messages similar to those in Figure 43. Note Tunnel Trace messages sent by the tunnel server Highlighted message here is detailed in description area below See message text...
  • Page 93: Enterasys Authentication

    Chapter 4 Setting Up Aurorean Services Do not remove the Enterasys Authentication plug-in or convert it into a RADIUS or SecurID plug-in. Without a plug-in of this type, you will not be able to log into RiverMaster. Enterasys Authentication To modify the Enterasys Authentication plug-in, perform the following steps: Open the Configuration pullout.
  • Page 94 Adding an Authorization Plug-In From the list of Plug-ins, select Enterasys Authentication. Click Properties. The Properties for Plug-in - Enterasys Authentication window will appear as shown in Figure 45. In the Identifier field, type a name that remote users will use to select this plug-in.
  • Page 95: Radius Authorization

    Chapter 4 Setting Up Aurorean Services Optionally, specify a value in the Num Threads field. This function allows the specified number of users to simultaneously log in without delay. The range of threads that can be set is 1 to 100, with a default value set to 10.
  • Page 96 Adding an Authorization Plug-In [Figure callouts: Type plug-in name and identifier here; click here to enter RADIUS Plug-in values.] In the Name field, type in a name to describe the plug-in. This name later appears in the plug-in tree list. For example, if you are adding a plug-in for a Steel-Belted RADIUS server, you can type Steel-Belted RADIUS as the name.
  • Page 97 Chapter 4 Setting Up Aurorean Services Optionally, specify a value in the Num Threads field. This function allows the specified number of users to simultaneously log in without delay. The range of threads that can be set is 1 to 100, with a default value set to 10.
  • Page 98 Adding an Authorization Plug-In 11 In the Timeout field, enter the number of seconds the APS should wait before resending an authentication request. If the RADIUS server fails to respond to an authentication request within the time specified, the APS automatically resends the request. Depending upon the type of RADIUS server you use, set this field as follows: Server Type...
  • Page 99: Securid Authorization

    Chapter 4 Setting Up Aurorean Services 14 If you want the APS to apply an MD4 hash to the key returned by the RADIUS server, place a check next to the Apply Hash field. Place a check in this field only if all of the following statements are true: remote users will authenticate against a Steel-Belted RADIUS 2.1 or earlier server, the tunnel protocol negotiated for all connections by these users will be PPTP, and 128-bit encryption is enabled on the...
  • Page 100 Adding an Authorization Plug-In [Figure callouts: Type plug-in name and identifier here; click here to enter SecurID Plug-in values.] In the Name field, type in a name to describe the plug-in. This name later appears in the plug-in tree list. For example, if you are adding a plug-in for a SecurID server, you can type SecurID as the name.
  • Page 101 Chapter 4 Setting Up Aurorean Services In the Identifier field, type a name that remote users will use to select this plug-in. Aurorean users can include this identifier as part of their VPN user names to override the default authorization plug-in. For example, if you enter ACE as the identifier for this plug-in, Aurorean users can specify a user name such as Bob@ACE to authenticate against the ACE/Server instead of the default plug-in.
  • Page 102 Adding an Authorization Plug-In 10 Type the path of the SecurID configuration file ( SDCONF.rec ) in the ACE/Server and click OK or find the file on the network by clicking the browse button to the right of the field. If you typed the correct path of the configuration file, it is downloaded to its proper site on the APS and the plug-in saved.
  • Page 103: Generating Private/Public Keys

    Chapter 4 Setting Up Aurorean Services Generating Private/Public Keys A unique El Gamal private/public key pair is produced on all APSs. In most cases, these keys do not need to change. However, if you believe the keys have been compromised and your network security is subject to risk, you can generate a new El Gamal private/public key pair by performing the following steps: When you regenerate the El Gamal private/public keys, Aurorean...
  • Page 104 Generating Private/Public Keys Select the Authentication Service Click Start to begin generating a new private/public key pair. This display can also be used to start and stop the Authentication Service. Because terminating this service can prevent remote clients from connecting to the Aurorean Network Gateway, stopping this service should be done only when recommended by Enterasys Networks Customer Support personnel.
  • Page 105: Using The Notification Service To Send E-Mail

    Chapter 4 Setting Up Aurorean Services Using the Notification Service to Send E-Mail There are two stages to setting up the Notification service:
    - Creating a mailing list
    - Adding addresses to a list

    Creating a Mailing List The RiverMaster installation process creates an initial mailing list called DEFAULT.
  • Page 106 Using the Notification Service to Send E-Mail Click Add (the Add button to the right of Mailing Lists). In the Name field, type a descriptive name for this mailing list. In the From Address field, enter the E-mail address that will appear as the originator for E-mails sent to members of this list.
  • Page 107: Adding An Address To A Mailing List

    Chapter 4 Setting Up Aurorean Services Adding an Address to a Mailing List To add E-mail addresses to a mailing list, perform the following steps: Open the Configuration pullout. Choose Notifications from the Configure pull-down box in the top left corner of the pullout.
  • Page 108 Using the Notification Service to Send E-Mail In the E-Mail Address field, type the E-mail address of the person you want to receive notification messages. Use the check boxes to select the events which will generate E-mail and click OK. You can select from the following events: –...
  • Page 109: Setting Trace Levels

    Chapter 4 Setting Up Aurorean Services Setting Trace Levels To set the trace level for any of the ten services, perform the following steps: Open the Configuration pullout. Click on the Activity icon in the lower left corner of the pullout to view the Active Service List.
  • Page 110: Backing Up The Database

    Backing Up the Database Click the arrow in the Trace Level field and select None, Low, Medium or High. Medium and High trace levels are recommended only for diagnostic purposes and with the supervision of Enterasys Customer Support personnel. Click Set to enable the Trace Level. RiverMaster now begins tracing messages at the level you set.
  • Page 111 This display can also be used to start and stop the Access Service. Because stopping this service can prevent remote clients from connecting to the Aurorean Network Gateway, stopping this service should only be done when recommended by Enterasys Networks Customer Support. Click...
  • Page 112 RiverMaster copies the database file to the directory of your choice. For instructions on using this file to restore your management database, contact Enterasys Networks Customer Support as described in Appendix C of this guide. Figure 55 Select a Path to Save the Database to...
  • Page 113: Before You Begin

    This chapter describes how to:
    - Create or modify a POP Package (a group of ISPs from those available in the TollSaver database) for customized dial-up connections.
    - Add or modify corporate ISP information to provide direct dial-up access to the corporate network.
    - Add or modify POP information for direct dial-up connections.
  • Page 114: Tollsaver Database

    POP package and build that group’s installation kit. Refer to Chapter 6 for more information on building Aurorean Client installation kits. Because ISPs are constantly opening new POP locations, Enterasys Networks provides a mechanism for updating the master TollSaver database on the APS with new POP phone numbers.
  • Page 115: Corporate Dial-Up Access

    Chapter 5 Controlling Remote User Dialing & Access Corporate Dial-Up Access Within RiverMaster, the terms corporate ISP and corporate POPs are used to describe two types of connections:
    - Direct dial-up remote access to equipment on your corporate network, such as a Windows NT Server equipped with modems and running remote access service (RAS).
  • Page 116: Problem Notification

    Before You Begin Problem Notification Each Aurorean Policy Server is able to accept reported problems from Aurorean users when they cannot tunnel into the corporate network. The Aurorean Client application issues a Problem Notification when it is unable to build a tunnel while dialing the list of POP phone numbers. Aurorean Client uses RAS to transfer a Prescriber session report detailing the problem to the APS.
  • Page 117: Creating Pop Packages

    Chapter 5 Controlling Remote User Dialing & Access Creating POP Packages To configure a POP package, perform the following steps: Do not build a POP package while installing or upgrading the APS software - the installation will fail. Open the Configuration pullout. Expand the tree list (click the + symbol) under POP Packages.
  • Page 118 Creating POP Packages Select Make New Package or you may click the arrow next to the Configure menu item at the top left edge of the pullout and select POP Packages. Either option will display a window similar to the one shown in Figure 58.
  • Page 119 Chapter 5 Controlling Remote User Dialing & Access A message appears indicating the build may take several hours to complete. Also, a trace message indicating the build has started displays in the Message Viewer and, after some time, a trace message indicating the build is complete.
  • Page 120: Adding Corporate Isps

    Adding Corporate ISPs To add a new corporate ISP profile, perform the following steps: Open the Configuration pullout. Click on the down arrow next to the Configure menu item at the top left edge of the pullout and select POP/ISP from the drop-down menu.
  • Page 121 Chapter 5 Controlling Remote User Dialing & Access Type a name for the new ISP in the field next to the Name menu. This name will appear on the Aurorean Client interface exactly as you typed it. If you are describing a corporate dial-up server, enter a name that identifies your company and the particular server.
  • Page 122 Adding Corporate ISPs 13 Click the ISP Properties tab. The ISP Properties display will appear as shown in Figure 61. [Figure 61 callout: View messages here.] 14 In the IP Address field, enter the IP Address of the dial-up server. If the ISP did not supply this address, you can leave this field blank. 15 In the Primary DNS and Secondary DNS fields, enter the IP addresses of DNS servers used for name resolution.
  • Page 123 Chapter 5 Controlling Remote User Dialing & Access 18 In the Cost Index field, enter a number between 0 and 999 to indicate the relative cost of using this ISP. This number is factored into the Weight value that appears on the Aurorean Client interface and affects how POP phone numbers are ordered for dialing.
  • Page 124 Adding Corporate ISPs 22 When the Select New Script Files window appears, click the browse button in the Look in field and find the script you wrote or obtained from your ISP. When finished, click Open. The Script window appears as shown in Figure 62. In order for Windows NT logon scripts to run automatically upon connection with Aurorean Client, the following conditions must be met.
  • Page 125 Chapter 5 Controlling Remote User Dialing & Access 23 Choose the dial-up protocols supported by the ISP from the Frame Protocols menu. Nearly all ISPs and dial-up Remote Access Service (RAS) servers support the default Point-to-Point Protocol (PPP). If the dial-up server at the ISP supports other protocols, such as Serial Line Interface Protocol (SLIP), you may choose another protocol from the menu.
  • Page 126: Adding Pops For Corporate Isps

    Adding POPs for Corporate ISPs To add a new POP phone number for a corporate ISP, perform the following steps: Open the Configuration pullout. Click on the down arrow next to the Configure menu item at the top left edge of the pullout.
  • Page 127 Chapter 5 Controlling Remote User Dialing & Access From the Corporate ISP Name list, choose the ISP that provides the POP or corporate dial-up access. Click Add. In the Country Code field, click the arrow and scroll down the list to select the country where the POP is located.
  • Page 128 Adding POPs for Corporate ISPs 10 In the Cost Index field, enter a number between 0 and 999 to indicate the relative cost of using this POP. This number is factored into the Weight value that appears on the Aurorean Client interface and affects how POP phone numbers are ordered for dialing.
  • Page 129 Chapter 5 Controlling Remote User Dialing & Access 14 When the Select New Script Files window appears, click the browse button in the Look in field and find the script you wrote or obtained from the ISP. When finished, click Open. The Script window appears as shown in Figure 65.
  • Page 131: Chapter 6 - Managing Users & Groups

    This chapter describes how to:
    - Add, modify, and remove groups from a database residing on the Aurorean Policy Server. Group settings include policies that determine the Aurorean Client features and functions that your remote users are allowed to use.
    - Add, modify, and remove individual user accounts that are used to authenticate remote users via the Enterasys Authorization service.
  • Page 132: Before You Begin

    Before You Begin [Figure callout: Click here to add and modify groups.] Before performing the steps in this chapter, you should familiarize yourself with the following Aurorean Virtual Network concepts:
    - Group policies
    - Aurorean Client installation kits
    - Client synchronization of the TollSaver database, policy settings, Prescriber remedies and Aurorean Client application updates
    - Group Notices

    [Figure callout: Click here to add...]
  • Page 133: Group Policies

    Chapter 6 Managing Users & Groups Group Policies To manage the remote users that will tunnel into your corporate network, you should organize users that share similar access and security needs into groups. For each group, you assign a set of policies that determine the Aurorean Client features and functions that members of that group can use.
  • Page 134: Aurorean Client Installation Kits

    Before You Begin Aurorean Client Installation Kits To reduce the challenges of remote access, Enterasys Networks designed Aurorean Client to be embedded with critical access information when it is first installed. Because this information is already present when the remote user tries to connect, the connection occurs quickly and with less chance of error.
  • Page 135 Chapter 6 Managing Users & Groups Once you create a build for one POP package’s associated client group, the kits you build for other groups can reuse this customized TollSaver database, reducing the build time. For other groups, you need to build only core files that contain group-specific information (such as policy settings).
  • Page 136: Client Synchronization

    Before You Begin Client Synchronization The Aurorean Client installation kit provides your remote users with all the information they need to tunnel into your network for the first time, including ISPs, POP phone numbers, policies, and the IP address of the destination ANG.
  • Page 137 Chapter 6 Managing Users & Groups The APS downloads group policy settings, El Gamal keys, and group notices over the management channel, overwriting the existing policies, keys and notices on the Aurorean Client computer. Policy settings are automatically updated on the Aurorean Client computer regardless of whether or not they changed since Aurorean Client was installed and whether or not Software or Data Synchronization is enabled or disabled.
  • Page 138 Before You Begin Aurorean Client requests any remaining core and TollSaver POP files that have changed since Aurorean Client was installed or last synchronized. The APS relinquishes the management channel and a message appears on the Aurorean Client Prescriber pullout informing the remote user that synchronization is complete.
  • Page 139: Group Notices

    RiverMaster. This group contains the default login user account (netadmin). For administration security, Enterasys Networks recommends that you add a new login account to the Admin group and then remove the Enterasys user account.
  • Page 140 Creating a New Group [Figure callouts: Use the tab pages to assign policies to each group; after you create a group it appears here; assign a pool of IP addresses for all members of this group or indicate that you will individually specify addresses for each user; Group view button...]
  • Page 141 Chapter 6 Managing Users & Groups In the Description field, enter information that describes the members of the group. There is no character limit to descriptions, and they may contain letters, numbers, and most symbols. This field is provided for information purposes only, and does not affect authentication.
  • Page 142 Creating a New Group Policy Allow ISP Selection Allow POP Ordering Allow Dial String Editing Allow Manual Dialing Allow 800 Number Dialing When enabled, Aurorean users can dial a nationwide POP Click the Password tab and set the group’s password policies as described in Table 6 and shown in Figure 69.
  • Page 143 Chapter 6 Managing Users & Groups Policy Save VPN Password Save Corporate Password Save ISP Passwords 10 Click the Credit Card tab and set the group’s credit card billing policies as described in Table 7 and shown in Figure 70. RiverMaster Administrator’s Guide Table 6 Password Policies Explanation...
  • Page 144 Creating a New Group Policy Enable Credit Card Dialing Save Credit Card PIN 11 Click the Tunnel tab and set the group’s tunnel policies as described in Table 8 and shown in Figure 71. Table 7 Credit Card Policies Explanation When enabled, Aurorean users can bill long distance or international dial-up connections against a calling card.
  • Page 145 Chapter 6 Managing Users & Groups Policy Explanation Allow IPX When enabled, Aurorean Client negotiates IPX protocol with the ANG and the user can access Novell NetWare servers on the network. This policy is disabled by default. Allow When enabled, Aurorean Client traverses firewalls or NAT servers to Firewall successfully connect with the ANG.
  • Page 146: Adding Users To A Group

    Creating a New Group If you allow IPX, rebuild the client kit for that group after setting this policy, then have your users uninstall their old Aurorean Client and install the new Aurorean Client. Client synchronization does not support this change. 12 Do one of the following: –...
  • Page 147 Chapter 6 Managing Users & Groups [Figure callouts: Click here to choose the group you want the user to join; use these fields to assign a static IP address to the user or dynamically allocate an IP address from the group’s virtual subnet; Individual view button...]
  • Page 148 Creating a New Group The following symbols are not permitted in the Corporate User Name field: single (‘) and double quote (“), space, apostrophe (‘), tilde (~), percent sign (%), ampersand (&), exclamation point (!), backslash (|), forward slash (/), at sign (@), and asterisk (*).
  • Page 149: Modifying User & Group Information

    Chapter 6 Managing Users & Groups Modifying User & Group Information After a user or group has been created, you can modify any setting associated with the user or group name, including group policies, IP address allocation methods, and user passwords. Although you cannot rename a user or group, you can accomplish the same goal by removing the user or group and then reentering the information using a new name.
  • Page 150: Removing Users & Groups

    Creating a New Group Removing Users & Groups Do not remove the Admin group from the APS database. To log into RiverMaster, you must enter the user name and password of a member of that group. If you remove the group, you will be unable to use RiverMaster in the future.
  • Page 151: Creating An Aurorean Client Installation Kit

    Chapter 6 Managing Users & Groups Creating an Aurorean Client Installation Kit To build an Aurorean Client installation kit for a group, perform the following steps: While the installation kit is built, client synchronization is disabled for that group. You must manually re-enable Data Synchronization after the build is complete in order for group members to receive TollSaver database or policy updates or re-enable Software Synchronization to disburse new Prescriber scripts and an updated Aurorean application.
  • Page 152 Creating an Aurorean Client Installation Kit In the field next to the Build Custom Installation kit button, click the browse arrow and choose a POP package to associate with the selected group. Click Update. If you have not already built a POP package, refer to Chapter 5, “Creating POP Packages”, for instructions.
  • Page 153 Chapter 6 Managing Users & Groups In the Kit Filename field, specify a name for the self-extracting Aurorean installation kit file. The default Aurorean installation kit file name is RP_Group_Release#.EXE where Group indicates which group policies are applied to the Aurorean application and Release# specifies the version of Aurorean included in the kit (for example, V3 indicates Aurorean Release 3.0).
  • Page 154 Creating an Aurorean Client Installation Kit 10 In the Data Files area, specify the destination directory on your computer for POP phone number data files and indicate whether you want the data files preserved or deleted after the kit is built. POP data files for each area code are created on the APS and then copied to the RiverMaster computer.
  • Page 155 Chapter 6 Managing Users & Groups 12 In the Aurorean Client Kits area, specify the source directory of the Aurorean application you want to distribute. By default, Aurorean is copied into C:\Program Files\Indus River Networks\RiverMaster\RiverPilotKits when you install RiverMaster. Aurorean Client files are stored in directories named after the software’s version number (for example, the Version 3 directory contains Aurorean Software Release 3.0 software).
  • Page 156 Creating an Aurorean Client Installation Kit 16 If you opt to keep the Build Client Install Kit window open during the build, a message appears at the bottom of the window when the build completes as shown in Figure 76; click Close to close the window. An Access message indicating the build completed also displays in the Message Viewer.
  • Page 157: Controlling Client Synchronization

    Chapter 6 Managing Users & Groups Controlling Client Synchronization After you enable client synchronization for a group and distribute Aurorean Client installation kits to its members, you can manage the process of updating these clients in these ways:
    - View a summary of each group’s current policies
    - Build new Aurorean Client core data files that contain policy settings, destination Aurorean Network Gateway IP address, and other critical access information...
  • Page 158: Viewing Group Policies

    Controlling Client Synchronization Viewing Group Policies To view a summary of each group’s policy settings, follow these steps: Open the Configuration pullout. Click the Update tab. In the Global Area, expand the tree list under Group Areas (click the + symbol). Expand the tree list under the name of the group you want to view.
  • Page 159: Building Core Data Files

    Chapter 6 Managing Users & Groups Building Core Data Files Typically, you build new sets of core data files in the following situations:
    - If you have changed the IP address for the External port on the ANG.
    - If you encounter configuration-related problems that prevent Aurorean users from connecting and receiving new policy and Prescriber updates using the normal Client Synchronization method.
  • Page 160 Controlling Client Synchronization Choose Build Patch Program from the toolbar on the top edge of the pullout. Figure 79 shows the Configuration pullout with the Build Aurorean Client Core Data Files display selected. Green (data) or (software) indicates what type of sync is enabled.
  • Page 161: Uploading Software Synchronization Files

    Chapter 6 Managing Users & Groups If you have not previously built core files for this group, a Directory Not Found window appears asking you to create a new directory for the core files; click Yes to create the directory. If you installed RiverMaster in the default location on your computer, the new core files are stored in C:\Program Files\Indus River Networks\RiverMaster\DataFiles\RiverPilot\...
  • Page 162 Controlling Client Synchronization You must enable software synchronization for each group in order for Aurorean users to automatically receive new Prescriber and Aurorean Client application files. Refer to page 146 for directions to enable software synchronization. To upload new software synchronization files, perform the following steps: Open the Configuration pullout.
  • Page 163 Chapter 6 Managing Users & Groups Select the directory where the new software sync files reside by clicking the browser. In addition to Software Synchronization files (Prescriber remedies and Aurorean Client executables), a table of contents file (rx- toc.txt) is transferred to the APS. This text file lists all the synchronization files contained in the ZIP file and is used during client synchronization to determine if the Aurorean user requires new software files.
  • Page 164: Setting Up Group Notices

    Setting Up Group Notices Group Notices can be written to notify Aurorean users in each group or all Aurorean users in a global message. The notice displays in a standard pop-up window as shown in Figure 81 below. The message disappears after 30 seconds or when the user clicks OK.
  • Page 165 Chapter 6 Managing Users & Groups [Figure 82 Group Notice Display. Callouts: Click here to expand Global Area entries; click this icon to open the Group Notice display; click here to view the client update options; choose a group; a message indicating Notice status displays here; Choose...]
  • Page 166 Setting Up Group Notices Click the arrow in the Group field and select a group. The Group pull-down screen appears as shown in Figure 83. Select the Group you want to notify Click the arrow in the Expiration Date field and set the date for this notice.
  • Page 167 Chapter 6 Managing Users & Groups Write your notice in the text box. The message you write is limited to 256 characters. See Figure 82. Click Apply to set the Notice for members of the selected Group or Apply to All to set the Notice for members of all groups. If you made an error or want to change the selected date or group before applying the notice, edit the text and click Apply.
  • Page 169: Chapter 7 - Viewing Server Activity & Statistics

    This chapter describes how to check activity on Aurorean Virtual Network systems by:
    - Monitoring system activity, such as the messages exchanged between Aurorean Virtual Network servers and the RiverMaster.
    - Viewing statistics information on active tunnel connections, including GRE packet and compression performance.
    - Using SNMP to gather network statistics.
  • Page 170 Monitoring System Activity To view message activity, perform the following steps: Open the View System Activity pullout. A sample message activity view is shown in Figure 85. Use these controls to start and pause the message display Click here to open the advanced Message Viewer to display messages for other days Select the types of messages you want to view by choosing one of the following: –...
  • Page 171 Chapter 7 Viewing Server Activity & Statistics Use the play and pause buttons in the upper left corner to start and pause the message display. During peak periods of activity, messages may scroll at a high rate. To pause the display to allow you to select a particular message to examine in detail, click the pause button.
  • Page 172 Monitoring System Activity Heading App ID Msg ID Date Sent To view a detailed description of a particular message, highlight the message in the display and examine the contents of the Message Description area. Use the scroll bar in this area to view the entire description, or click the maximize button to expand the area.
  • Page 173 Chapter 7 Viewing Server Activity & Statistics Message ID Message Type AAClientAuth AAchallenge AANewElgamalKey AAresponse ADNameChange AMInvalidElgamalKeys ANAuthFailed ANBadDomain APAuthorization Trace AYAuthSucceeded CBCconnStart CBCconnStop CDRxTrace CNRxNotify CPCallhomeProblem RiverMaster Administrator’s Guide Table 10 System Activity Messages Detailed Description Authentication The Client needs to be authorized Authorization Authentication Challenge a user...
  • Page 174 Monitoring System Activity Table 10 System Activity Messages (Continued) Message ID Message Type CPCallhomeTrace GAauthenticate GAquery GASet LMlowDiskSpaceMsg MAconfig MBUserLoggedIn MBUserLoggedOut MMolordRebooting MMolordRestartingProc MMolordRestarProc FailedMsg MMolordUpOK MNGenericProblem Msg MNntfyConfigRtrvFailed MNntfyMsgNotSent MNntfyNoSMTPsvrs MYGenericTraceMsg Detailed Description Client Problem Activity Client trace completed Trace General Authorization Authenticate a User...
  • Page 175 Chapter 7 Viewing Server Activity & Statistics Table 10 System Activity Messages (Continued). Message ID column: RYretReqDoneOKMsg, TBUserLoggedIn, TBUserLoggedOut, TNDisconnect, TNAuthFailure, TNTunnelProblem, TNTunnelStop, TYConfiguration UpdateNfy, TYTunnelSvcStart Success, TYTunnelTrace, XYBuildClientData SetCompleted, XYBuildClientData SetStarted, XYBuildIspPackage Completed, XYBuildIspPackage Started, XYClientSyncComplete. Message Type and Detailed Description columns: Retrieval Service Statistics derived from completing request...
  • Page 176: Advanced Message Viewer

    Monitoring System Activity Advanced Message Viewer While the standard message viewer displays current message activity, the advanced message viewer allows you to access messages that were sent on previous days or locate current messages buried in a large output of generated messages.
  • Page 177 Chapter 7 Viewing Server Activity & Statistics Use these fields to set the start and end range of the message trace Click here to start retrieving messages from the Aurorean Policy Server Using the Time Criteria fields, specify the period of time to display messages.
  • Page 178 Monitoring System Activity Using the Message Type check boxes, specify the types of messages you want to view. Table 11 describes the six types of messages available. To view Aurorean Virtual Network server activity, select Problem Notification, Alarm, and/or Alert messages. To view activity for an individual Aurorean user, select Activity Trace, Authentication, and/or Accounting messages.
  • Page 179 Chapter 7 Viewing Server Activity & Statistics Choose the server that you want to monitor from the Servers list. This option allows you to select either the APS or ANG and only applies when you are viewing Problem Notification, Alarm, or Alert messages.
  • Page 180 Monitoring System Activity Click here to start a new trace Double-click on a message to view a detailed description To view a detailed description of a message, double-click on the message. Figure 87 shows the details of a Connection Start message that reveals information on how the Aurorean Client connected a client named Paul.
  • Page 181 Chapter 7 Viewing Server Activity & Statistics Do one of the following: – – – – If you do not have at least one printer driver installed on your computer, the printer button is disabled. To install a printer, follow the instructions provided in Windows on-line Help.
  • Page 182: Rivermaster Options

    Monitoring System Activity RiverMaster Options The RiverMaster Options button performs the following functions: • Controls the number of messages and the frequency at which they are shown in the Message Viewer. Messages are displayed in the Tunnel Statistics window every 5 seconds (default) and are rolled over after reaching the default maximum of 2000 messages.
  • Page 183 Chapter 7 Viewing Server Activity & Statistics Enter a new value here to change the frequency that tunnel statistics are displayed in the Tunnel Statistics Window RiverMaster session start and duration times shown here In the Performance Options area, enter a value for any message interval.
  • Page 184 Monitoring System Activity If you wish to change the Max Message List Size or any of the four ListView sizes, enter a value in the provided field. Size values refer to the maximum number of messages displayed in the Message Viewer according to the message type selected. Message Types include All Messages, Login/Logout, Trace, and Alarm/Alert/Notices.
  • Page 185: Viewing Tunnel Activity

    Chapter 7 Viewing Server Activity & Statistics Viewing Tunnel Activity The Tunnel Statistics window displays counters in graphic and column form. The graphical window can be configured to display any Generic Routing Encapsulation (GRE) or compression counters you select in the available checkboxes.
  • Page 186 Viewing Tunnel Activity From the Active Users list, click on a user name. Using the GRE and Compression checkboxes, choose the types of statistics you want to graph for the selected user. Table 12 describes the types of statistics you can choose. Value GRE (Generic Flow Pkts...
  • Page 187 Chapter 7 Viewing Server Activity & Statistics Value: GRE (Generic Routing Encapsulation): Bytes Rcvd, Bytes Sent; Compression: Comp Bytes, Comp Bytes, Uncomp Bytes In, Uncomp Bytes Out. Using the controls shown in Figure 91, control the graph display as follows: –...
  • Page 188: Using Snmp To Gather Statistics

    Using SNMP to Gather Statistics You can disconnect an active user by selecting a user from the Active Users list and clicking the Disconnect User button, as shown in Figure 90. To gain additional details about the user (such as how the user was authenticated), use the System Activity pullout as described in “Monitoring System Activity”...
  • Page 189: Chapter 8 - Generating Reports

    This chapter describes the contents of the customized reports available from RiverMaster and describes how to download, view, export and print these reports. Report Contents Each initial (Preview) Aurorean report shows all activity for the selected period. Subsequent, “drill-down” displays categorize activity into user- specific data for Accounting and Client reports.
  • Page 190 Alarms for server alarm conditions. Alerts for alert conditions that may lead to an alarm state. Problem for problem notification messages. An ID number useful for Enterasys Networks Customer Support personnel to isolate the problem. The Aurorean Policy Server Domain name assigned to servers within this Aurorean Virtual Network.
  • Page 191: Network Gateway Report

    Chapter 8 Generating Reports Network Gateway Report This report reveals the Aurorean Network Gateway’s throughput performance by showing byte/packet traffic over all tunnels connected to the Aurorean Network Gateway. Separate performance statistics are shown for tunnels using GRE (PPTP) and IPSec protocols. These statistics are reported for each 1-hour period.
  • Page 192 Report Contents Headings: Max Tunnels, Bytes IN, Bytes OUT, Packets IN, Packets OUT. The first page of the Network Gateway Report is a bar graph, as shown in Figure 93, displaying the peak number of IPSec and GRE tunnels (number of remote clients) generated hourly for the selected period.
  • Page 193 Chapter 8 Generating Reports: Report Contents [Figure 93: Max Tunnels GRE/IPSEC Display] [Figure 94: Network Gateway Report]
  • Page 194: Client Anomaly Report

    Alarms for Aurorean Client Software alarm conditions. Alerts for alert conditions that may lead to an alarm state. Problem for problem notification messages. An ID number useful for Enterasys Networks Customer Support personnel to isolate the problem. The computer name assigned to the remote client’s computer.
  • Page 195: Client Report

    Chapter 8 Generating Reports In addition to the information listed in Table 15, an anomaly event may include a session report produced by Aurorean Client Software’s Prescriber feature. This session report describes the remedies that Prescriber attempted to correct the problem; for more information on Prescriber and this session report, refer to the Aurorean Client Software User’s Guide.
  • Page 196 Report Contents The report also indicates the ISP that was used for each session (or shows “Pre-existing Connection” for non-dialed LAN link or cable modem connections). In addition to the data described in the following table, throughput averages and sums, and login session totals and average intervals are reported for each user and ISP.
  • Page 197 Chapter 8 Generating Reports Heading CONN SPEED ISP KBYTES OUT ISP KBYTES IN VPN KBYTES OUT Total bytes of data sent end-to-end over the tunnel from the VPN KBYTES IN PKTS LOST User # of logins Total time Average login time RiverMaster Administrator’s Guide Table 16 Client Session Report Values Explanation...
  • Page 198 Report Contents Figure 96 displays a typical Client Session Summary Report. Double-clicking on the user name line above with the magnifier icon produces a drill-down view similar to Figure 97. [Figure 96: Client Session Summary Report] [Figure 97: Client Session Details Report]
  • Page 199: Accounting Report

    Chapter 8 Generating Reports Accounting Report This report lists all tunnel sessions that occurred during the selected period, sorted by user name. In addition to a wide range of tunnel performance statistics for each session, this report indicates the virtual subnet IP address allocated to the remote client, the duration of each session, and the reason the session ended.
  • Page 200 Report Contents Heading VPN KBYTES VPN KBYTES IN ISP KBYTES OUT ISP KBYTES IN PKTS OUT PKTS IN PKTS RETRNS DUP PKTS LOST PKTS User # of logins Total time Average login time Figure 98 displays a typical Accounting Summary Report. Table 17 Accounting Report Values Explanation Total bytes of data sent end-to-end over the tunnel from the...
  • Page 201 Chapter 8 Generating Reports Double-clicking on the client1 user name line above with the magnifier icon produces a drill-down Accounting Detail Report similar to Figure 99 below. [Figure 98: Accounting Summary Report] [Figure 99: “Drill-down” Accounting Detail Report]
  • Page 202: Downloading, Viewing And Exporting Reports

    Downloading, Viewing and Exporting Reports Downloading, Viewing and Exporting Reports To download and view, print or export a report, perform the following steps: Open the Configuration pullout. Expand the list under Reports by clicking the + symbol. Choose the type of report you want to download and view. Figure 100 shows the Accounting Report display.
  • Page 203 Chapter 8 Generating Reports Because source data appearing in each daily report is not collected by the APS until the end of the day, you cannot generate a report for the current day. Do one of the following: – – Depending upon the level of activity and interval queried, you may need to wait a while for a report viewing window to appear as shown in Figure 101.
  • Page 204 Downloading, Viewing and Exporting Reports [Figure 101: Report Viewing Window. Callouts: Use the arrows to page through the report. Click here to reset the display to the Preview window. Click these buttons to toggle between views. Double-click here to view user details. Click here to automatically print the report to your computer’s default printer. Click here to export the report.]...
  • Page 205: Printing Reports

    Chapter 8 Generating Reports Printing Reports To print reports, you must have a default printer defined for your computer. Click the printer button along the top edge of the report display. A Print window appears as shown in Figure 102; set the printing options and click If you do not have at least one printer driver installed on your computer, the printer button is disabled.
  • Page 206: Exporting Reports

    Downloading, Viewing and Exporting Reports Exporting Reports Aurorean Virtual Network supports the exporting of reports in more than a dozen formats to either a file on disk, a Microsoft Exchange folder, or your mail server via the Microsoft Application Programming Interface (MAPI) program.
  • Page 207 Chapter 8 Generating Reports Select a program file Format to export the report in and click OK. Refer to the table below to begin. If you want this export format ... Crystal Reports Excel versions 2.1, 3.0, 4.0, or 5.0 Lotus 1-2-3 (all versions) Rich Text Format Tab-separated text...
  • Page 208 Downloading, Viewing and Exporting Reports If you selected one of the following formats: Crystal Reports, Excel versions 2.1, 3.0, 4.0, or 5.0, Lotus 1-2-3, Rich Text Format, Tab- separated text, Text, or Word for Windows, the Choose Export File appears immediately as shown in Figure 104. Choosing other formats may bring up this window after performing the initial step.
  • Page 209 Chapter 8 Generating Reports Select the directory to store the report and click Save. Optionally, you may also rename the file or save it in a different format. The Exporting Records window appears as shown in Figure 105. This window is a running tally of the number of records exported and percentage of the job completed.
  • Page 210 Downloading, Viewing and Exporting Reports If you selected HTML versions 3.0, 3.2 Extended or 3.2 Standard, you are prompted to specify the name of a directory where the report - titled default.htm - will be written. The Export To Directory window appears as shown in Figure 106. Enter a Directory Name and click OK to export the file to the default directory shown or search the directory and Drives fields for the desired destination and click OK.
  • Page 211 Chapter 8 Generating Reports If you chose Character-separated values, you are prompted to enter characters to separate and delimit the output text. Accept the defaults or set new values and click OK. The Character-Separated Values dialog box appears as shown in Figure 107.
  • Page 212 Downloading, Viewing and Exporting Reports 11 If you selected one of the following versions of ODBC: Account.txt, CIAnom.txt, Client.txt, DBASE Files, Fox Pro Files, PHD_Files_32 bit, SvrAnom.txt, Text Files, or TnlServr.txt, you are prompted to enter a name for the ODBC table. The Enter ODBC Table Name dialog box appears as shown in Figure 109.
  • Page 213 Chapter 8 Generating Reports 13 If you selected the Excel Files or MS Access 97 Database versions of ODBC, you are prompted to select a database name and location for the .XLS file (Excel) or .MDB file (MS Access). The Select Workbook Window (Excel) appears as shown in Figure 110.
  • Page 214 Downloading, Viewing and Exporting Reports 15 If you chose the Paginated Text format, you are prompted to set the number of lines per page or keep the default of 60 lines and click OK. The Lines Per Page dialog box appears as shown in Figure 111. The Choose Export File window follows as shown in Figure 104.
  • Page 215: Exporting Reports To A Microsoft Exchange Folder

    Chapter 8 Generating Reports Exporting Reports to a Microsoft Exchange Folder To export reports to a Microsoft Exchange folder, perform the following steps: Click the Export button along the top edge of the report display. The Export window appears as shown in Figure 103. Select a program file Format that the report will be exported in by clicking the arrow under the Format field.
  • Page 216 Downloading, Viewing and Exporting Reports Select Exchange Folder in the Destination field and click OK. The window that appears will depend on your selected format. Go to the “Exporting Reports to a Disk File” section and find the starting step for the format you selected. When you complete the next step or two, the Choose Profile window appears as shown in Figure 114.
  • Page 217 Chapter 8 Generating Reports Select a Profile Name by clicking the arrow next to the field and click OK. You can also create a new profile or configure two options. The Select a folder window appears as shown in Figure 115. RiverMaster Administrator’s Guide Downloading, Viewing and Exporting Reports Figure 115 Select a Folder Window...
  • Page 218 Downloading, Viewing and Exporting Reports Click on a folder to store the report and click OK. The Exporting Records window appears as shown in Figure 116. This window is a running tally of the number of records exported and percentage of the job completed. Optionally, you may click Cancel Exporting if necessary.
  • Page 219: Exporting Reports Using Mapi

    Chapter 8 Generating Reports Exporting Reports Using MAPI To export reports to your mail server using MAPI, perform the following steps: Click the Export button along the top edge of the report display. The Export window appears as shown in Figure 117. Select a program file Format to export the report in by clicking the arrow under the Format field.
  • Page 220 Downloading, Viewing and Exporting Reports Select a Profile Name by clicking the arrow next to the field and click OK. You can also create a new profile or configure two options. The Send Mail window appears as shown in Figure 119. Fill in the open fields as you would any mail message and click Send.
  • Page 221: Aurorean Client Software

    Aurorean Network Gateway An Enterasys Networks device that creates a secure virtual private circuit over the Internet between itself and a remote user’s computer. The Aurorean Network Gateway encapsulates data packets using to prevent third-parties from intercepting and examining it.
  • Page 222: Appendix A Glossary

    Appendix A Glossary AutoLink Recovery An extension of the fault recovery capabilities of the includes automatic fail-over to a backup event of a service outage or VPN hardware failure. (ALR) is implemented with the installation of a second Aurorean Client system consisting of a pair of Network Gateways.
  • Page 223 permitting them to dial out of the network across the firewall to their own corporate network and returning to their computer. Aurorean Client uses this feature in conjunction with the HyperText Transfer Protocol Secure (HTTP-S) to successfully traverse the firewall without causing harm to the native network.
  • Page 224: Network Administrator

    The person responsible for installing and maintaining a company’s network equipment, and also ensuring that network resources (such as servers and the applications running on them) are consistently available and performing well. In terms of Enterasys Networks products, this person physically installs Aurorean Policy Servers Aurorean Client...
  • Page 225 POP package and its associated ISPs. Prescriber A feature of Enterasys Networks products that diagnoses why a tunnel connection failed and attempts to correct the problem, either on its own or with user assistance. On Enterasys Networks...
  • Page 226 Appendix A Glossary distance phone service, connection to the settings, and so forth. On the Enterasys Networks the Prescriptive Diagnostics Engine uses the call home feature to provide an alternate route that tests end-to-end operation and isolates tunnel problems, and also allows the remote user to download missing or updated files.
  • Page 227: Virtual Private Network (Vpn)

    TollSaver Database A feature of Enterasys Networks products that provides remote users with a list of ISPs, phone numbers of available POPs, and connection rates. The master TollSaver database is maintained on the downloaded to the portion of the tunnel connection.
  • Page 229 ANG-3000/7000 Preconfiguration Stored This appendix describes how to preconfigure the Aurorean Network Gateway (ANG-3000/7000) using a floppy disk to store the configuration. This procedure is similar to configuring the ANG using the RiverMaster application.
  • Page 230: Appendix B - Ang-3000/7000 Preconfiguration Stored On A Floppy Disk

    Adding Remote Gateways Adding Remote Gateways This section describes how to add a Remote ANG including its Name, IP Address, User Name and Password and tunnel Protocol. To add a Remote ANG, perform the following steps: Open the Configuration pullout. In the list of Aurorean devices, expand the tree list under Systems (click the + symbol) and again under Remote Gateways as shown in Figure 120.
  • Page 231 Appendix B ANG-3000/7000 Preconfiguration Stored on a Floppy Disk Unless you are configuring a tunnel from the ANG/APS pair to a Remote ANG, you only need to enter the Remote Gateway Name and IP Address. Enter a Remote Gateway Name and IP address in the fields provided. Type a User Name, User Password and confirm the password.
  • Page 232: Configuring Ang Ip Addresses

    Configuring ANG IP Addresses Configuring ANG IP Addresses This section describes how to configure the ANG’s name and Domain names, IP addresses and subnets, and Intelligent Client Routing. This action marks the actual start of the process to write information to the floppy disk. If the Remote Gateway configuration procedure is canceled at any point, it must be restarted here.
  • Page 233: Configuring Tunnel Protocols

    Appendix B ANG-3000/7000 Preconfiguration Stored on a Floppy Disk Enter values in the open fields as follows: – – – – – Click Next. The Tunnel Protocols window appears with the General tab selected as shown in Figure 123. Configuring Tunnel Protocols This section describes how to configure the ANG’s two supported tunnel protocols: • Point-to-Point Tunneling Protocol (PPTP) developed by Microsoft,...
  • Page 234 Configuring Tunnel Protocols For each tunnel protocol, you can configure authentication, encryption, and compression parameters. To set tunnel protocol parameters, continue floppy disk configuration with the following steps. If you want to prevent the Remote Gateway from using one of the tunnel protocols, select the protocol and click Remove.
  • Page 235 Appendix B ANG-3000/7000 Preconfiguration Stored on a Floppy Disk Click on the Authentication tab. Figure 124 shows the authentication parameters available for each tunnel protocol. Do one of the following: – – RiverMaster Administrator’s Guide Choose IPSec from the Protocol pull down menu. - Use the information in Table 18 to select the IPSec Signature Algorithm that determines how IPSec packets exchanged between the ANG and Aurorean users are signed and...
  • Page 236 Configuring Tunnel Protocols Table 18 IPsec Authentication Parameters. Parameters: None, HMAC-SHA, HMAC-MD5, Time Period, Data Transferred. Explanation (None): Disables the Signature Algorithm for IPSec packets; individual packets are no longer signed and verified during transmission. Click the Encryption tab. Do one of the following: – –
  • Page 237 Appendix B ANG-3000/7000 Preconfiguration Stored on a Floppy Disk ARCFOUR is a public domain algorithm designed to work with RC4. DES is a government standard block cipher that uses a 56-bit key. Triple-DES uses three keys to achieve the equivalent of 112-bit encryption.
  • Page 238 Configuring Tunnel Protocols Table 19 Encryption Parameters. IPSec parameters: None, ARCFOUR 40 bit, ARCFOUR 128 bit, Triple-DES. PPTP parameters: MPPE (40 bit), MPPE (128 bit). Explanation (None): Disables encryption on the tunnel;... Click the Compression tab. The Compression properties screen appears as shown in Figure 126.
  • Page 239 Appendix B ANG-3000/7000 Preconfiguration Stored on a Floppy Disk Enable or disable MPPC as required. For both IPSec and PPTP protocols, Microsoft Point-to-Point Compression (MPPC) is currently the only compression technique which you can select via this utility on the ANG (Stac LZS is available using the Command Line Interface).
  • Page 240: Configuring Virtual Subnets

    Configuring Virtual Subnets Configuring Virtual Subnets This optional section describes how to create virtual subnets that serve as IP address pools for allocation to remote clients when they connect. Virtual subnets are configured for terminating ANGs only. If you are configuring an initiating ANG, skip to “Configuring Routing Protocols”...
  • Page 241 Appendix B ANG-3000/7000 Preconfiguration Stored on a Floppy Disk Click Add. The Add an IP Virtual Subnet popup window appears as shown in Figure 128. Enter the starting address of the subnet in the Address fields. You can use actual IP addresses from your network or non-routable IP address ranges (such as 192.168.x.x for a Class C network).
  • Page 242: Configuring Routing Protocols

    Configuring Routing Protocols Configuring the routing behavior of the Aurorean Network Gateway consists of two general steps: • Setting parameters for the two routing protocols supported, RIP and OSPF. • Selecting routing protocols for each Aurorean Network Gateway Ethernet interface.
  • Page 243 Appendix B ANG-3000/7000 Preconfiguration Stored on a Floppy Disk Do one of the following: – – In the RIP Configuration popup window, if you want to turn on RIP for IPX packets, click Enable under IPX RIP Enable; otherwise, continue with the next step.
  • Page 244: Ospf Properties

    Configuring Routing Protocols Do one of the following: – – The Add A Trusted Gateway window appears as shown in Figure 131. In the Address field, type the address for the router that the Aurorean Network Gateway will accept updates from and click Add. You can later modify this address or delete it using the Modify and Remove buttons.
  • Page 245 Appendix B ANG-3000/7000 Preconfiguration Stored on a Floppy Disk Type the IP address for the Trusted interface in the OSPF Router ID fields. From the OSPF Authentication Algorithm menu, choose the authentication algorithm used by routers on your network. If the routers on your network do not require passwords to accept OSPF updates, set the algorithm to None and continue with the next step.
  • Page 246: Configuring Routing Interfaces

    Configuring Routing Interfaces This section describes how to configure the ANG’s two Ethernet interfaces: • The Trusted interface should be connected to a protected network segment (one behind a firewall or router that offers protection against unauthorized access). Typically, you should enable a routing protocol (RIP, OSPF, or both) on the Trusted interface so that the Aurorean Network Gateway can advertise to other devices that its virtual subnets are reachable to the corporate network.
  • Page 247 Appendix B ANG-3000/7000 Preconfiguration Stored on a Floppy Disk Select the interface (Trusted or External) from the list under Network Interfaces. The protocols already enabled for this interface appear in the Routing Protocols list. Do one of the following: – –...
  • Page 248: Configuring Rip For The Interface

    Configuring Routing Interfaces For the External interface, you can only add or remove static routing. Because the External interface is optimized for tunnel protocols only, you cannot use RIP or OSPF on this interface. Do one of the following: – –...
  • Page 249 Appendix B ANG-3000/7000 Preconfiguration Stored on a Floppy Disk In the RIP Authentication fields, choose the algorithm (simple or none) used by routers on your network. If the routers on your network do not require passwords to accept RIP updates, set the algorithm to None and skip to Step 6. RIP update authentication is only supported by RIP Version 2.
  • Page 250: Configuring Ospf On An Interface

    Configuring Routing Interfaces Set the RIP Route Importing/Exporting options as follows: – – Do one of the following: – – – Configuring OSPF on an Interface To enable OSPF on an interface, perform the following steps: In the OSPF Interface window, shown in Figure 136, Type the OSPF password used by routers on your network in the Authentication Password field.
  • Page 251: Creating Static Routes

    Appendix B ANG-3000/7000 Preconfiguration Stored on a Floppy Disk Type the same password in the Re-Type Authentication Password field exactly as you entered it in Step 2. Do one of the following: – – – Creating Static Routes The trusted interface should be connected to a protected network segment - one behind a firewall or router that offers protection against unauthorized access.
  • Page 252 Configuring Routing Interfaces If you use static routes, the ANG will not broadcast IP pools. You must add a static route on your internal router for that subnet. The internal IP address of the ANG is the gateway. To configure a static route between an Aurorean Network Gateway interface and another device, perform the following steps: In the Routing Configuration window, with the Interfaces tab selected, choose the ANG Ethernet interface to configure (External or Trusted)
  • Page 253 Appendix B ANG-3000/7000 Preconfiguration Stored on a Floppy Disk In the Gateway address fields, type the IP address of a gateway on this subnet. For External interfaces, enter the IP address of the router that provides access to the Internet. In the Reachable Subnet fields, type a starting IP address and subnet mask to define a subnet.
  • Page 254: Creating Remote Connections

    Creating Remote Connections Creating Remote Connections This section describes how to configure the connections between your ANGs. Connection and User names are employed to identify the ANGs at both ends of the tunnel connection. See Figure 138 for a graphical representation of an Aurorean Virtual Network meshed network.
  • Page 255 Appendix B ANG-3000/7000 Preconfiguration Stored on a Floppy Disk: Creating Remote Connections [Figure 139: Remote Connection Configuration Window]
  • Page 256 Creating Remote Connections Enter a name which describes the destination ANG of this ANG. Choosing a Remote ANG name that matches the name of the terminating ANG of this tunnel connection will make it easier to view system activity and statistics later. Refer to Figure 138 for a graphical view of this configuration.
  • Page 257 Appendix B ANG-3000/7000 Preconfiguration Stored on a Floppy Disk A User specified here also must be added to the connecting Local ANG User and Group database. Refer to Chapter 6, “Managing Users and Groups,” for instructions. Also be aware that you cannot use this floppy configuration utility to add Users and Groups to standalone ANGs which terminate tunnels.
  • Page 258 Creating Remote Connections Do one of the following: – Add another Remote Connection. – Click Finish. The Save Configuration window appears as shown in Figure 142. [Figure 141: Remote Connection Configuration Window]
  • Page 259: Loading The Floppy Disk

    Appendix B ANG-3000/7000 Preconfiguration Stored on a Floppy Disk 10 Select a directory, either on your computer, the A: drive, or another site on the network and click Save to store the configuration. When saving configuration information, you cannot change its default name config.irx.
  • Page 260 Loading the Floppy Disk Remove the floppy disk. If you forget to remove the floppy disk, the next time the ANG is rebooted, any configuration changes you made with the APS will be replaced with the information stored on the disk. The ANG is now up and the site-to-site connection running.
  • Page 261: Chapter 9 - License Agreement & Support

    License Grant Enterasys Networks, 35 Industrial Way, Rochester, New Hampshire 03866 hereby grants to Licensee a personal, nonexclusive, non-transferable license to use the Licensed Software on the servers on which the Software is first installed ("Licensed Servers") and on an unlimited number of client...
  • Page 262: Warranty

    Enterasys Networks License Agreement scope of the license that Licensee has purchased from Enterasys. Should one or more of the above Licensed Servers be upgraded and/or replaced by other Enterasys servers purchased by Customer pursuant to Enterasys's then current upgrade policy, the license may be transferred and the Software may be used on the replacement server(s).
  • Page 263: Infringement Indemnification

    OF ACTION ARISING IN CONNECTION WITH THIS AGREEMENT, AND REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT OR IN TORT INCLUDING NEGLIGENCE, SHALL BE LIMITED TO THE ACTUAL DOLLAR AMOUNT ENTERASYS RECEIVED HEREUNDER RiverMaster Administrator’s Guide Enterasys Networks License Agreement...
  • Page 264: Termination

    Enterasys Networks License Agreement FROM CUSTOMER FOR THE PARTICULAR PRODUCTS WHICH ARE THE SUBJECT MATTER OF THE CAUSE OF ACTION. IN NO EVENT SHALL ENTERASYS BE LIABLE FOR ANY LOST OR ANTICIPATED PROFITS OR SAVINGS, OR ANY INCIDENTAL, EXEMPLARY, PUNITIVE, SPECIAL OR...
  • Page 265: U. S. Government - Commercial Computer Software

    The use of the Licensed Software by the Government constitutes acknowledgment of Enterasys' proprietary rights in the Licensed Software. The manufacturer is Enterasys Networks, 35 Industrial Way, Rochester, New Hampshire 03866. The licensee or user of this product agrees not to remove any of the RESTRICTED RIGHTS legends and markings included in this software and associated documentation.
  • Page 266: Technical Support

    • A list of the error messages appearing in the RiverMaster message/alarm display
    • Details about any recent configuration changes, if applicable

    Enterasys Networks also recommends that you have this guide on hand when you call.
  • Page 267: Index

    Symbols .authloc file Numerics 128-bit encryption 40-bit encryption 800 Number policy Access Method Access service Access. See Access service accounting messages Accounting Report ACE/Server RADIUS extensions acknowledgment packets Activity Trace messages Admin group advanced message viewer Alarms definition E-mail notification viewing messages Alerts definition...
  • Page 268 Index Aurorean Policy Server backing up the database memory and disk usage RX-TOC.TXT file statistics uploading login scripts Aurorean Software Update Service Aurorean VPN Name field authentication plug-in options tunnel protocols – viewing messages Authentication service Authentication. See Authentication service Authorization plug-ins Enterasys –...
  • Page 269 default authorization plug-in default gateway Default Gateway field default login Delivery service Delivery. See Delivery service DES. See also Triple-DES dial policies Dial String Editing policy dial-up server IP address direct dial-up remote access disabling client synchronization disallowed symbols Disconnect User button Domain Name System (DNS) IP addresses servers...
  • Page 270 Index Install Kit Options installation kits. See Aurorean Client Software installation kits Intelligent Client Routing description enabling interface priority (OSPF) interfaces External Trusted international dial-up Internet Engineering Task Force (IETF) Internet Service Provider (ISP) IP Address field IP addresses allocating to remote clients assigning to users changing addresses...
  • Page 271 magnifier icon mailing lists adding addresses – creating – Manage Users and Groups pullout management channel description dropped by Aurorean Policy Server supporting TollSaver download management database description management station management workstation Manual Dialing policy MAPI Mask field memory usage message viewer advanced –...
  • Page 272 Index packets lost password policies passwords patch packages Performance Index field Performance Options Phone number field plug-ins Enterasys Authentication general RADIUS SecurID Point of Presence (POP) Point-to-Point Protocol (PPP) Point-to-Point Tunneling Protocol (PPTP) authentication parameters compression parameters description encryption parameters removing policy definition...
  • Page 273 – exporting using MAPI generating reports – output of the magnifier icon printing selecting date options Server Anomaly setting default intervals supported export formats Tunnel Server using the magnifier icon Retrieval service Retrieval. See Retrieval service Retry field configuring for the interface effect on virtual subnets general properties route updates...
  • Page 274 Index subnet mask system requirements Tables Accounting Report Values Aurorean Policy Server Services Client Anomaly Report Values Client Session Report Values Credit Card Policies Dial Policies Encryption Parameters Fixed OSPF Parameters IPSec Authentication Parameters Message Types Password Policies Protocol Statistics –...
  • Page 275 virtual subnets advantages assigning to groups defined as address pools defining IP subnets – example scaling support by RIP and OSPF VPN Password policy VPN passwords VPN user name VPN. See Virtual Private Network (VPN) warranty Web Site field weight definition entered for Cost Index entered for Performance Index...
