Avaya VPN Gateway User Manual

User Guide

Avaya VPN Gateway
Release 9.0
NN46120-104
Issue 04.04
April 2013

Summary of Contents for Avaya VPN Gateway

  • Page 1: User Guide

    User Guide Avaya VPN Gateway Release 9.0 NN46120-104 Issue 04.04 April 2013...
  • Page 2 Units are accessing and using subsequent modifications, additions or deletions to this documentation, the Software at any given time. A “Unit” means the unit on which Avaya, to the extent made by End User.
  • Page 3: User Guide April

    Avaya or its licensors and is the Avaya Support website: http://support.avaya.com, scroll to the protected by copyright and other intellectual property laws including the bottom of the page, and select Contact Avaya Support.
  • Page 4 User Guide April 2013 Comments? infodev@avaya.com...
  • Page 5: Table Of Contents

    Getting technical support from the Avaya Web site .... 16
    Chapter 2: New in this release
    Features .... 17
    IPsec Two Factor authentication for Avaya VPN Gateway .... 17
    Android L2TP/IPsec support .... 17
    AES 256 support for IPsec .... 18
    Java RDP upgrade support .... 18
    Net Direct Mac OS X support ...
  • Page 6
    Setting Up a Two-Armed Configuration .... 44
    Complete the New Setup .... 46
    Settings Created by the VPN Quick Setup Wizard .... 49
    Joining a VPN Gateway to an Existing Cluster .... 51
    Setting up a One-Armed Configuration .... 51
    Setting up a Two-Armed Configuration .... 53
    Complete the Join Setup ...
  • Page 7
    Licensing vdesktop .... 121
    Launch Vdesktop from Portal .... 122
    Virtual Desktop Operations .... 122
    Chapter 10: The Command Line Interface
    Connecting to the VPN Gateway .... 123
    Establishing a Console Connection .... 123
    Establishing a Telnet Connection .... 124
    Establishing a Connection Using SSH (Secure Shell) .... 125
    Accessing the AVG Cluster ...
  • Page 8
    netdirect .... 150
    netdirect_packet .... 150
    User Unable to Connect to the VPN Gateway through the Net Direct Client .... 151
    Cannot download the Net Direct Zipped file from client PC .... 153
    System Diagnostics .... 153
    Installed Certificates and Virtual SSL Servers .... 153
    Network Diagnostics ...
  • Page 9
    Appendix B: The SNMP Agent
    Supported MIBs .... 163
    SNMPv2-MIB .... 164
    SNMP-MPD-MIB .... 165
    SNMP-FRAMEWORK-MIB .... 165
    The SNMP-TARGET MIB .... 165
    SNMP-NOTIFICATION-MIB .... 165
    SNMP-VIEW-BASED-ACM-MIB .... 165
    SNMP-USER-BASED-SM-MIB .... 166
    S5-ETH-MULTISEG-TOPOLOGY-MIB .... 166
    SYNOPTICS-ROOT-MIB .... 166
    S5-TCS-MIB .... 166
    S5-ROOT-MIB .... 166
    IF-MIB .... 167
    IP-MIB .... 167
    IP-FORWARD-MIB .... 167
    ENTITY-MIB .... 167
    DISMAN-EVENT-MIB ...
  • Page 10
    Example of a Key Code Definition File .... 241
    Appendix G: SSH host keys
    Methods for Protection .... 243
    The VPN Gateway .... 243
    Appendix H: Adding User Preferences Attribute to Active Directory
    Install All Administrative Tools (Windows 2000 Server) .... 245
    Register the Schema Management dll (Windows Server 2003) .... 245
    Add the Active Directory Schema Snap-in (Windows 2000 Server and Windows Server 2003) ...
  • Page 11
    Add isdUserPrefs Attribute to avayaSSLOffload Class .... 251
    Add the avayaSSLOffload Class to the User Class .... 252
    Appendix I: Using the Port Forwarder API
    General .... 255
    Creating a Port Forwarder .... 255
    Demo Application .... 256
    Creating a Port Forwarder Authenticator .... 258
    Adding a Port Forwarder Logger .... 260
    Connecting Through a Proxy ...
  • Page 13: Chapter 1: Preface

    Chapter 1: Preface The Avaya VPN Gateway User Guide describes how to perform basic configuration and maintenance of the Avaya VPN Gateway (AVG). Who Should Use This Book The Avaya VPN Gateway User Guide is intended for network installers and system administrators engaged in configuring and maintaining a network.
  • Page 14: Product Names

    Product Names The software described in this manual runs on several different hardware models. Whenever the generic terms Avaya VPN Gateway, VPN gateway or AVG are used in the documentation, the following hardware models are implied: • Avaya VPN Gateway 3050–VM (AVG 3050–VM) •...
  • Page 15: Appendices

    SSH host keys on page 243 provides information about the purpose of SSH host keys and how they are used to protect the connection between the SSH client and the VPN Gateway. Adding User Preferences Attribute to Active Directory on page 245 provides step-by-step instructions on how to add the User Preferences attribute to Active Directory.
  • Page 16: Customer Service

    Customer service Visit the Avaya Web site to access the complete range of services and support that Avaya provides. Go to http://www.avaya.com or go to one of the pages listed in the following sections. Navigation • Getting technical documentation on page 16 •...
  • Page 17: Chapter 2: New In This Release

    Chapter 2: New in this release The following sections detail what’s new in Avaya VPN Gateway User Guide, (NN46120-104) Release 9.0. Features See the following sections for information about feature changes: IPsec Two Factor authentication for Avaya VPN Gateway Release 9.0 adds a two factor authentication method for authentication between servers and clients.
  • Page 18: AES 256 Support for IPsec

    Beginning with Release 9.0, you can download one of the two versions of SPO: • Avaya Basic: contains basic software with Avaya 2050 IP Softphone and JRE 7. • Avaya Contact Center (ACC): contains all the applications and software of Avaya Basic with the addition of Avaya Contact Center Express Desktop 5.0 and Avaya One-X...
  • Page 19: Other Changes

    See the following sections for information about changes that are not feature-related: • Please note, while the Avaya Endpoint Access Control Agent (formerly Tunnel Guard) can be configured through both the BBI and CLI, the CLI configuration is performed under the former Tunnel Guard context.
  • Page 21: Chapter 3: Introducing the VPN Gateway

    The Avaya VPN Gateway (AVG) software includes two major functionality groups: • SSL Acceleration • VPN These features can be used separately or be combined. The Avaya VPN Gateway User Guide covers the basic tasks that need to be completed irrespective of which feature you wish to deploy. SSL Acceleration The VPN Gateway can function as a peripheral Secure Sockets Layer (SSL) offload platform that attaches to an Application Switch or a comparable switch from another vendor.
  • Page 22: Software Features

    Net Direct client, a simple and secure method for accessing intranet resources through the remote user's native applications. • From a computer with the Avaya VPN client (formerly Contivity VPN client) or the Avaya SSL VPN client installed (transparent mode).
  • Page 23: Transparent Mode Access

    VPN clients are available: • Avaya SSL VPN client (TDI and LSP version). • Avaya VPN client (formerly the Contivity VPN client). Not supported on the ASA 310, ASA 310-FIPS and ASA 410 hardware models. • Net Direct installable client.
  • Page 24: User Authorization

    Client Security • Avaya Endpoint Access Control Agent. Feature for checking the security aspects of the remote PC client, that is, installed antivirus software, DLLs, executables and so on. • WholeSecurity support. Lets you enable a scan of the client PC before the remote user is allowed to log in to the VPN.
  • Page 25: Networking

    • Support for clustering over multiple subnets. • Supports assigning two physical network ports to one interface, to create a port failover (high availability) solution where one VPN Gateway is attached to two Application Switches. Secure Service Partitioning The AVG software provides the ability to partition a cluster of VPN Gateways into separate VPNs.
  • Page 26: Portal Guard

    Feature used to "convert" an existing HTTP site to generate HTTPS links, secure cookies and so on. The VPN Gateway will not only handle the SSL processing but also see to it that all existing web links are rewritten to HTTPS. This eliminates the need to rewrite each link manually.
  • Page 27: Certificate And Key Management

    • Provides dynamic plug and play – VPN Gateways can be added to or removed from a cluster dynamically without disrupting network traffic • Provides a single system image (SSI) – all VPN Gateways in a given cluster are configured as a single system •...
  • Page 28: Supported Handshake Protocols

    Supported Handshake Protocols • SSL versions 2.0, 3.0 • TLS version 1.0 Hash Algorithms • Message Digest 5 (MD5) • SHA1 Cipher Suites All ciphers covered by SSL version 2.0, 3.0 and TLS version 1.0, except the IDEA and FORTEZZA ciphers. Note that SSL 2.0 and SSL 3.0 have since been prohibited and deprecated by the IETF (RFC 6176 and RFC 7568) and MD5-based suites are considered weak; a current deployment should disable them wherever the configuration allows and accept TLS only.
  • Page 29: Secure Portable Office (SPO) Client

    Secure Portable Office Client Release 9.0, in virtual mode, supports the following software on Windows 32-bit and 64-bit platforms. • Software released with Avaya Contact Center: - Microsoft Data Access 2.8 - Jet Database Engine 4.0 - Microsoft .NET Framework 3.5 - Avaya Contact Center Express Desktop 5.0...
  • Page 31: Chapter 4: Introducing the ASA 310-FIPS

    Chapter 4: Introducing the ASA 310-FIPS This section provides information about the ASA 310-FIPS model, which comes installed with the HSM (Hardware Security Module) card. The HSM card complies with all the security requirements specified by the Federal Information Processing Standard (FIPS) 140-1, Level 3 standard. Each ASA 310-FIPS device is equipped with two identical HSM cards. (FIPS 140-1 has since been superseded by FIPS 140-2 and FIPS 140-3; check the module's current validation status before relying on it for compliance.)
  • Page 32: Extended Mode vs. FIPS Mode

    (SBU) information, unless those agencies have been specifically exempted from compliance by the relevant U.S. laws referenced in the standard. For more information about the FIPS specification, visit http://csrc.nist.gov/publications/fips/index.html and scroll down to "FIPS 140-1".
  • Page 33: The Concept of iKey Authentication

    The Concept of iKey Authentication Access to sensitive data on an ASA 310-FIPS is protected by a combination of hardware tokens (called iKeys), passwords, and encryption procedures. The iKey is a cryptographic token that is used as part of the authentication process for certain operations involving the HSM cards.
  • Page 34: Available Operations and iKeys Required

    ■ password Note: To resume normal operations after having changed the HSM-SO iKey password, the HSM-USER iKey is required to re-login to the HSM card. Changing the HSM-USER iKey ■ password
  • Page 35: Additional HSM Information

    Additional HSM Information • For detailed information about installing a new ASA 310-FIPS in a new cluster or adding an ASA 310-FIPS to an existing cluster, see Installing an ASA 310-FIPS on page 56. •...
  • Page 37: Chapter 5: Initial Setup

    Chapter 5: Initial Setup This chapter covers the basic setup and initialization process for the Avaya VPN Gateway (AVG). It introduces the concept of clusters, and provides detailed instructions for reinstalling the VPN Gateway software, should it become necessary.
  • Page 38: Clustering Over Multiple Subnets

    The SSL VPN software supports clustering over multiple subnets. If more than one VPN Gateway is required and the VPN Gateway you wish to join to the cluster is installed in a different subnet, the new AVG must be configured as a slave. Master AVGs cannot exist on different intranet subnets.
  • Page 39: Portal IP Address

    Portal IP Address When the VPN Gateway is used to set up a web Portal, the Portal IP address is the address that is assigned to the VPN Gateway's portal server. To display the web Portal, the remote user should enter the Portal IP address or the corresponding domain name in the available browser.
  • Page 40: Interfaces

    Figure 1: One-Armed Configuration without Application Switch Two-Armed Configuration In a two-armed configuration, two separate interfaces are configured on the VPN Gateway. Interface 1 will handle private traffic (between the SSL VPN and the trusted intranet), that is, connecting the SSL VPN to internal resources and configuring the SSL VPN from a management station.
  • Page 41: Configuration at Boot Up

    Installing an ASA 310-FIPS on page 56, page 54 and onwards. The Setup Menu When you log in after having started the VPN Gateway the first time, you will enter the Setup menu. After selecting join...
  • Page 42: Installing an AVG in a New Cluster

    - Exit [global command, always available] Installing an AVG in a New Cluster When you are installing a VPN Gateway as the first (or only) member in a new cluster, you can either create a one-armed or a two-armed configuration.
  • Page 43 (for example, SSL VPN management and connections to intranet resources) and public traffic (for example, client connections from the Internet). 3. Specify the current host IP address of the VPN Gateway. Enter IP address for this machine (on management interface):<IP address>...
  • Page 44: Setting Up a Two-Armed Configuration

    46. Setting Up a Two-Armed Configuration In a two-armed configuration, two separate interfaces are configured on the VPN Gateway, one private interface for AVG management and intranet connections and one public interface for Internet connections. Also see figure on Two-Armed Configuration on page 40.
  • Page 45 7. Specify a host IP address on the traffic (public) interface. Enter IP address for this machine (on traffic interface):<IP address> This IP address will be assigned to Interface 2 on the VPN Gateway, that is, the public interface. 8. Enter network mask and VLAN tag ID.
  • Page 46: Complete The New Setup

    If you don't have access to the IP address of an NTP server at this point, you can configure this item after the initial setup is completed. See the "NTP Servers Configuration" section under Configuration menu>System Configuration in the Avaya Command Reference. (new setup, continued) Enter a timezone or 'select' [select]:<Press ENTER to select>...
  • Page 47 2. Generate new SSH host keys and define a password for the admin user. To maintain a high level of security when accessing the VPN Gateway through an SSH connection, it is recommended that you accept the default choice to generate new SSH host keys.
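    Generating fresh SSH host keys at setup only pays off if administrators verify the key the gateway presents on their first SSH connection (Appendix G, SSH host keys, explains what the host key protects). The following is an added example, not code from the Avaya guide: a stdlib-only Python tool that takes an ssh-keyscan / known_hosts style line for the gateway's management address and compares its OpenSSH SHA256 (or legacy MD5) fingerprint, in constant time, with the fingerprint recorded out of band, for instance over the serial console described in Chapter 10. The address 192.0.2.10 and the key blob are constructed placeholders, not a real gateway or a real key.

```python
import base64
import hashlib
import hmac


def ssh_string(data):
    """Encode one field in the OpenSSH wire format: 4-byte big-endian length + bytes."""
    return len(data).to_bytes(4, "big") + data


def make_sample_blob(key_bytes, key_type=b"ssh-ed25519"):
    """Build the base64 key blob of an ssh-keyscan line (constructed test data only)."""
    return base64.b64encode(ssh_string(key_type) + ssh_string(key_bytes)).decode()


# Constructed sample: 32 zero bytes stand in for an ed25519 host key; the address is
# from the documentation range (RFC 5737), not a real gateway.
SAMPLE_BLOB = make_sample_blob(bytes(32))
SAMPLE_KEYSCAN_LINE = f"192.0.2.10 ssh-ed25519 {SAMPLE_BLOB}"


def parse_keyscan_line(line):
    """Parse 'host keytype base64blob [comment]'; reject blobs whose inner type disagrees."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected: host keytype base64blob")
    host, key_type, blob = parts[0], parts[1], parts[2]
    raw = base64.b64decode(blob)
    n = int.from_bytes(raw[:4], "big")          # first wire field is the key type name
    if raw[4:4 + n] != key_type.encode():
        raise ValueError("key type field does not match the blob")
    return host, key_type, blob


def fingerprint_sha256(blob):
    """OpenSSH 'SHA256:' fingerprint: base64 of sha256(raw blob), '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob):
    """Legacy OpenSSH 'MD5:' fingerprint: colon-separated hex of md5(raw blob)."""
    hexdigest = hashlib.md5(base64.b64decode(blob)).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def check_host_key(line, expected):
    """True iff the key offered in `line` has the fingerprint recorded out of band."""
    _, _, blob = parse_keyscan_line(line)
    actual = fingerprint_md5(blob) if expected.startswith("MD5:") else fingerprint_sha256(blob)
    return hmac.compare_digest(actual.encode(), expected.encode())


if __name__ == "__main__":
    recorded = fingerprint_sha256(SAMPLE_BLOB)   # what you wrote down at the console
    print(recorded)
    print("pinned key matches:", check_host_key(SAMPLE_KEYSCAN_LINE, recorded))
```

    In practice feed it the output of `ssh-keyscan -t ed25519 <management IP>` (or the line from your known_hosts file) and the fingerprint you noted when the keys were generated; a mismatch after a reinstall is expected, since reinstalling regenerates the host keys, but a mismatch at any other time means the connection should not be trusted.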
  • Page 48 47). • Lower/upper IP address in pool range. Lets you specify an IP address range for use in the unencrypted connection between the VPN Gateway and the destination host. • Network mask for IP pool range. Lets you enter a custom network mask if the default network mask does not cover the pool range.
  • Page 49: Settings Created by the VPN Quick Setup Wizard

    Note: The IPsec quick setup wizard is only displayed if the VPN quick setup wizard has been run and if the VPN Gateway has a default IPsec license (not available on the ASA 310 models). 5. When the Setup utility has finished you can continue with the configuration.
  • Page 50 • https. Uses TCP port 443. • web. Uses TCP ports 20, 21, 80 and 443. • smtp. Uses TCP port 25. • pop3. Uses TCP port 110. • imap. Uses TCP port 143.
  • Page 51: Joining a VPN Gateway to an Existing Cluster

    The following applies when joining a new VPN Gateway to an existing cluster: • If the VPN Gateway you are about to join is installed on a different subnet than existing AVGs, this new device must be configured as a slave. Master AVGs cannot exist on different subnets.
  • Page 52 If you have configured port 1 as the management interface port for existing VPN Gateways, it is recommended (for consistency) that you configure port 1 for the AVG you are joining as well. 3. Enter the VPN Gateway 's host IP address. Enter IP address for this machine (on management interface):<IP address>...
  • Page 53: Setting Up a Two-Armed Configuration

    55. Setting up a Two-Armed Configuration If the currently installed VPN Gateway(s) in the cluster are set up for a two-armed configuration you probably want the new VPN Gateway to be set up like the previously installed AVG(s).
  • Page 54 The traffic interface port number will automatically be assigned to Interface 2. 7. Specify a host IP address and network mask on the traffic interface for the current VPN Gateway. Enter IP address for this machine (on traffic interface):<IP address>...
  • Page 55: Complete The Join Setup

    If needed, you can always reconfigure a VPN Gateway by changing the Type setting after the initial setup. For more information, see the type command in the "iSD Host Configuration" section under Configuration Menu>System Configuration in the Avaya Command Reference.
  • Page 56: Installing an ASA 310-FIPS

    Setup successful. login: The setup is now finished. The VPN Gateway that has been joined to the cluster will automatically pick up all configuration data from one of the already installed AVG(s) in the cluster. After a short while you will get a login prompt.
  • Page 57 >> Setup# Setup will guide you through the initial configuration of the iSD. 2. Follow the instructions for installing a VPN Gateway in a new cluster. Read the sections starting with Installing an AVG in a New Cluster on page 42.
  • Page 58 Remember to take steps to label each pair of HSM-SO and HSM-USER iKeys and the HSM card to which each set of iKeys is associated during the initialization. (newsetup, continued) Verify that HSM-SO iKey (purple) is inserted in card 1 (with flashing LED). Hit enter when done.
  • Page 59 Enter a new HSM-SO password for card 1:<define a new HSM-SO password, or use the same HSM-SO password as for card 0> Re-enter to confirm: The HSM-SO iKey has been updated. Verify that HSM-USER iKey (blue) is inserted in card 1 (with flashing LED).
  • Page 60 Enter a secret passphrase (it will be used during addition of new iSDs to the cluster): Re-enter to confirm: 9. When the Setup utility has finished, log in to the ASA 310-FIPS again and continue with the configuration. (newsetup, continued)
  • Page 61: Adding an ASA 310-FIPS to an Existing Cluster

    Initializing system..ok Setup successful. Relogin to configure. login: The setup is now finished, and after a short while you will get a login prompt. Log in as the admin user with the password you defined during the initial setup. The Main menu is then displayed.
  • Page 62 >> Setup# Setup will guide you through the initial configuration of the iSD. 2. Follow the instructions for joining a VPN Gateway to an existing cluster. Read the sections starting with Joining a VPN Gateway to an Existing Cluster on page 51. When the basic setup is completed, new prompts for configuring the ASA 310-FIPS will automatically appear (see on page 62).
  • Page 63 inserting an HSM iKey, a flashing LED will direct you to the USB port on the correct HSM card. (joinsetup, continued) Verify that HSM-SO iKey (purple) is inserted in card 0 (with flashing LED).<insert the HSM-SO iKey specific for this HSM card> Hit enter when done.
  • Page 64 310-FIPS in the cluster> Hit enter when done. Wrap key successfully combined to card 0. 6. Transfer the cluster wrap key from the CODE-SO and CODE-USER iKeys onto HSM card 1. (joinsetup, continued)
  • Page 65 Verify that CODE-SO iKey (black) is inserted in card 1 (with flashing LED).<insert the same CODE-SO iKey that you used in Step 5> Hit enter when done. Verify that HSM-USER iKey (blue) is inserted in card 1 (with flashing LED).
  • Page 66: Reinstalling The Software

    VPN Gateway. Otherwise, reinstalling the software is seldom required except in case of serious malfunction. When you log in as the boot user and perform a reinstallation of the software, the VPN Gateway is reset to its factory default configuration. All configuration data and the current software are wiped out, including old software image versions or upgrade packages that may be stored on the flash memory card or on the hard disk.
  • Page 67 Note: If the VPN Gateway has not been configured for network access previously, or if you have deleted the VPN Gateway from the cluster by using the /boot/ delete command, you must provide information about network settings such as interface port, IP address, network mask, and gateway IP address.
  • Page 68 If the FTP server does not support anonymous login, enter the required FTP user name and password. Anonymous login is the default option. 4. Log in to the VPN Gateway as the admin user, after the device has rebooted on the newly installed boot image.
  • Page 69: Chapter 6: Upgrading the AVG Software

    The Avaya VPN Gateway (AVG) software image is the executable code running on the VPN Gateway. A version of the image ships with the VPN Gateway, and comes pre-installed on the device. As new versions of the image are released, you can upgrade the software running on your VPN Gateway. Before upgrading, check the accompanying release notes for any specific actions to take for the particular software upgrade package or install image.
  • Page 70 Telnet and SSH connections, see Connecting to the VPN Gateway on page 123. When you have gained access to the VPN Gateway, use the following procedure. 1. To download the software upgrade package, enter the following command at the Main menu prompt.
  • Page 71: Activating The Software Upgrade Package

    Note: If more than one software upgrade has been performed to a cluster while a VPN Gateway has been out of operation, the VPN Gateway must be reinstalled with the software version currently in use in that cluster.
  • Page 72 This may take up to 2 minutes, depending on your type of hardware platform and whether the system reboots. 3. After having logged in again, verify the new software version:

        >> Main# boot/software/cur
        Version  Name  Status
        -------  ----  ------
        9.0.0          permanent
        5.1.5          ...
  • Page 73 In this example, version 9.0.0 is now operational and will survive a reboot of the system, while the software version previously indicated as permanent is marked as old. Note: If you encounter serious problems while running the new software version, you can revert to the previous software version (now indicated as old).
  • Page 75: Chapter 7: Managing Users and Groups

    Chapter 7: Managing Users and Groups This chapter describes the rules that govern administrator/operator user rights, how to add or delete users from the system, how to set or change group assignments, and how to change login passwords. User Rights and Group Membership Group membership dictates user rights, according to User Rights and Group Membership.
  • Page 76: Adding A New User

    The maximum length for a user name is 255 characters. No spaces are allowed. Each time the new user logs in to the AVG cluster, the user must enter the name you designate as the user name in this step.
  • Page 77 >> User# cert_admin Name of user to add: (maximum 255 characters, no spaces) 4. Assign the new user to a user group. You can only assign a user to a group in which you yourself are a member. When this criterion is met, users can be assigned to one or more of the following groups: •...
  • Page 78 User menu is hidden. Only users who are members of the certadmin group should know the export passphrase. The export passphrase can contain spaces and is case sensitive.
  • Page 79 ../caphrase >> User cert_admin# Enter new passphrase: Re-enter to confirm: Passphrase changed. 9. Remove the admin user from the certadmin group. Again, this step is only necessary if you want to fully separate the Certificate Administrator user role from the Administrator user role. Note however, once the admin user is removed from the certadmin group, only a user who is already a member of the certadmin group can grant the admin user certadmin group membership.
  • Page 80: Adding Users through RADIUS

    Adding Users through RADIUS The RADIUS system administrator can add VPN Gateway administrator users to the RADIUS configuration without being an administrator of the AVG, because the users do not need to be configured locally on the AVG. By assigning suitable administrator groups to these users in RADIUS, the users can be given the desired access rights to the CLI/BBI.
  • Page 81 list - List all users - Delete a user - Add a new user edit - Edit a user caphrase - Certadmin export passphrase 3. Assign the admin user certadmin user rights by adding the admin user to the certadmin group.
  • Page 82: Changing a User's Password

    - Certadmin export passphrase 3. Type the passwd command to change your current password. When your own password is changed, the change takes effect immediately without having to use the apply command. >> User# passwd
  • Page 83: Changing Another User's Password

    Enter cert_admin's current password:(current cert_admin user password) Enter new password:(new cert_admin user password) Re-enter to confirm:(reconfirm new cert_admin user password) Password changed. Changing Another User's Password Only the admin user can change another user's password, and only if the admin user is a member of the other user's first group, that is, the group listed first for that user by the /cfg/sys/user/edit <username>/groups/list command.
  • Page 84: Deleting A User

    1. Log in to the AVG cluster as the admin user. admin login: Password:(admin user password) 2. Access the User Menu. >> Main# /cfg/sys/user [User Menu]
  • Page 85 passwd - Change own password expire - Set password expire time interval list - List all users - Delete a user - Add a new user edit - Edit a user menu caphrase - Certadmin export passphrase 3.
  • Page 87: Chapter 8: Certificates and Client Authentication

    The certificates must conform to the X.509 standard. You can create a new certificate, or use an existing certificate. The VPN Gateway supports using up to 1500 certificates. The basic steps to create a new certificate using the command line interface of the VPN Gateway are: •...
  • Page 88 • Locality Name: The name of the city where the head office of the organization is located. • Organization Name: The registered name of the organization. This organization must own the domain name that appears in the common name of the Web server.
  • Page 89 Do not abbreviate the organization name and do not use any of the following characters: < > ~ ! @ # $ % ^ * / \ ( ) ? • Organizational Unit Name: The name of the department or group that uses the secure Web server.
  • Page 90 (encrypted) on the VPN Gateway using the specified certificate number. When you receive the certificate (containing the corresponding public key) and add it to the VPN Gateway, make sure you specify the same certificate number that is...
  • Page 91 used for storing the private key. Otherwise, the private key and the public key in the certificate will not match. Type the display command and press ENTER. Choose to encrypt the private key, and specify a password phrase.
  • Page 92: Adding Certificates to the AVG

    Using the encryption capabilities of the VPN Gateway requires adding a key and certificate that conforms to the X.509 standard to the VPN Gateway. If you have more than one VPN Gateway in a cluster, the key and certificate need only be added to one of the devices. As with configuration changes, the information is automatically propagated to all other devices in the cluster.
  • Page 93: Copy-And-Paste Certificates

    16 for contact information. When it comes to exporting certificates and keys from the VPN Gateway, you can specify to save in the PEM, NET, DER, or PKCS12 format when using the export command. If you choose to use the display command (which requires a copy-and-paste operation), you are restricted to saving certificates and keys in the PEM format only.
  • Page 94 If you have obtained a key and a certificate by other means than generating a CSR using the request command on the VPN Gateway, specify a certificate number not used by a configured certificate before pasting the certificate. If the private key and the certificate are not in the same file, use the key or import command to add the corresponding private key.
  • Page 95 >> Certificate 1# Changes applied successfully. If you have used the request command on the VPN Gateway to generate a CSR, and have specified the same certificate number as the CSR when pasting the contents of the certificate file, your certificate is now fully installed.
  • Page 96: Copy-And-Paste Private Key

    You may be prompted for a password phrase after having completed the paste operation. The password phrase you are requested to type is the one you specified when creating (or exporting) the private key. Your screen output should now resemble the following example.
  • Page 97 4. Apply your changes. >> Certificate 1# apply Changes applied successfully. Your certificate and private key are now fully installed and ready to be taken into use. If the AVG software is used for SSL acceleration purposes, the certificate should be mapped to the virtual SSL server, using the /cfg/ssl/server #/ssl/cert command.
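    Pages 90, 91, 94 and 95 stress that the certificate must be added under the same certificate number as the private key it belongs to, since otherwise the private key and the public key in the certificate will not match. The check below is an added example, not code from the Avaya guide: a stdlib-only Python tool that walks the DER encoding of a PEM certificate and of a PKCS#1 or PKCS#8 RSA private key and compares the two moduli before either is pasted into the gateway. The sample key and certificate are constructed inside the block from textbook-sized RSA numbers and are not usable for anything else; the walker handles RSA keys only, and a passphrase-protected key has to be decrypted to a temporary copy first.

```python
import base64
import re


def der_read(buf, pos=0):
    """Return (tag, value, next_pos) of the TLV at buf[pos]; definite lengths, one-byte tags."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a SEQUENCE into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def pem_to_der(pem_text):
    """Return (label, der_bytes) of the first PEM block; refuse encrypted private keys."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body:
        raise ValueError("encrypted key: decrypt a temporary copy before checking")
    lines = [ln.strip() for ln in body.splitlines() if ln.strip() and ":" not in ln]
    return label, base64.b64decode("".join(lines))


def modulus_from_cert(cert_der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo -> RSAPublicKey.modulus."""
    _, tbs, _ = der_read(der_read(cert_der)[1])
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    spki = der_children(fields[5][1])       # serial, sigAlg, issuer, validity, subject, SPKI
    _, rsa_pub, _ = der_read(spki[1][1][1:])  # BIT STRING: skip the unused-bits byte
    return int.from_bytes(der_children(rsa_pub)[0][1], "big")


def modulus_from_key(key_der):
    """PKCS#1 RSAPrivateKey {version, n, e, d, ...} or the PKCS#8 wrapper around it."""
    fields = der_children(der_read(key_der)[1])
    if fields[1][0] == 0x30:                # PKCS#8: version, AlgorithmIdentifier, OCTET STRING
        return modulus_from_key(fields[2][1])
    return int.from_bytes(fields[1][1], "big")


def cert_matches_key(cert_pem, key_pem):
    """True iff the certificate's RSA modulus equals the private key's modulus."""
    return modulus_from_cert(pem_to_der(cert_pem)[1]) == modulus_from_key(pem_to_der(key_pem)[1])


# ---- constructed sample material: toy RSA numbers, not a usable key or certificate ----

def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_int(v):                             # extra high byte keeps the INTEGER positive
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def to_pem(label, der_bytes):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der_bytes).decode()}\n-----END {label}-----\n"

RSA_ALG = der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")   # rsaEncryption, NULL

def toy_pkcs1(n, e, d, p, q):
    fields = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return der(0x30, b"".join(der_int(v) for v in fields))

def toy_pkcs8(pkcs1_der):
    return der(0x30, der_int(0) + RSA_ALG + der(0x04, pkcs1_der))

def toy_certificate(n, e):
    """Minimal v3 Certificate shape; RSA_ALG also stands in for the signature algorithm."""
    spki = der(0x30, RSA_ALG + der(0x03, b"\x00" + der(0x30, der_int(n) + der_int(e))))
    utc = der(0x17, b"130401000000Z")
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + RSA_ALG + der(0x30, b"")
              + der(0x30, utc + utc) + der(0x30, b"") + spki)
    return der(0x30, tbs + RSA_ALG + der(0x03, b"\x00" + b"\xff" * 8))   # dummy signature

# Textbook key p=61, q=53, e=17, d=2753 and an unrelated one: far too small for real use.
KEY_PEM = to_pem("RSA PRIVATE KEY", toy_pkcs1(3233, 17, 2753, 61, 53))
PKCS8_KEY_PEM = to_pem("PRIVATE KEY", toy_pkcs8(toy_pkcs1(3233, 17, 2753, 61, 53)))
OTHER_KEY_PEM = to_pem("RSA PRIVATE KEY", toy_pkcs1(3127, 3, 2011, 59, 53))
CERT_PEM = to_pem("CERTIFICATE", toy_certificate(3233, 17))

if __name__ == "__main__":
    print("matching key:", cert_matches_key(CERT_PEM, KEY_PEM))        # True
    print("other key:   ", cert_matches_key(CERT_PEM, OTHER_KEY_PEM))  # False
```

    Against real files, call `cert_matches_key(open("server.crt").read(), open("server.key").read())` before pasting. For a passphrase-protected key, decrypt a temporary copy with `openssl rsa -in server.key -out plain.key`, run the check, and delete the copy; the gateway itself still prompts for the passphrase when you paste the encrypted key, as page 96 describes.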
  • Page 98: Using TFTP/FTP/SCP/SFTP to Add Certificates and Keys

    Using TFTP/FTP/SCP/SFTP to add Certificates and Keys The following is an example of how to input a certificate into the VPN Gateway using TFTP, FTP, SCP, or SFTP. 1. Put the certificate file and key file on your TFTP/FTP/SCP/SFTP server.
  • Page 99 Log in to the FTP server with your user name and password. For anonymous mode, the following string is used as the password (for logging purposes): admin@hostname/IP.isd. You may also be prompted for a password phrase (if one was specified when creating or exporting the private key). FTP User (anonymous):<username or press ENTER for anonymous mode>...
  • Page 100: Update Existing Certificate

    >> Configuration# Enter certificate number: (1-1500) Creating Certificate 3 3. Add the new certificate according to the instructions in Adding Certificates to the AVG on page 92. 4. Map the new certificate to the desired servers.
  • Page 101: Configure A Virtual Ssl Server To Require A Client Certificate

    VPN deployment, see the "Authentication Methods" chapter in the Application Guide for VPN. As explained previously in this chapter, each virtual SSL server on the VPN Gateway should be configured to use a server certificate to authenticate itself towards the clients. In addition, the server can be configured to require client certificates to authenticate clients before granting access to the requested service.
  • Page 102 To authenticate client certificates issued within your own organization, the CA certificate used for generating the issued client certificates must be specified as a CA certificate. cacerts >> SSL Settings# "" Current value: Enter certificate numbers (separated by comma):<CA certificates by index number>
  • Page 103: Generating Client Certificates

    To view basic information about all certificates currently added to the VPN Gateway, use the /info/certs command. 4. Apply your settings. apply >> SSL Settings# Changes applied successfully. Generating client certificates Before issuing client certificates, you should establish the means of validating the identities of the users.
  • Page 104 When generating a new client certificate, the lowest available serial number is displayed in square brackets and will be used unless you specify a different number. As you generate more client certificates, the proposed serial number increments automatically.
  • Page 105 >> Certificate 1# Valid for days [365]: Key size (512/1024) [512]: Serial number of client certificate [1]: 4. Decide whether to save the client certificate and define a pass phrase for the private key. You should save the client certificate and assign a certificate index number to it. The lowest available index number is displayed in square brackets and will be used unless you specify a different number.
  • Page 106 Current value:, type the certificate index number and apply your changes. If the correct certificate index number is already listed by Current value:
  • Page 107: Export Client Certificate

    , press ENTER and answer no to the question if you want to clear the list. Export Client Certificate Before you transfer the private key and client certificate to the subject, you should save the key and the certificate to a file using the export or display command on the Certificate menu.
  • Page 108: Transmit Private Key And Certificate To User

    The certificate you specify must be a CA certificate from the same certificate authority that published the CRL you are about to add. To view basic information about available certificates, use the /info/certs command. cfg/cert >> Main# Enter certificate number: (1-) (example)
  • Page 109: Revoking Client Certificates Issued Within Your Own Organization

    revoke >> Certificate 1# 2. Download and add a CRL from a TFTP/FTP/SCP/SFTP server. Specify the host name or IP address of the TFTP/FTP/SCP/SFTP server, and provide the file name of the CRL. The CRL is retrieved and added to Certificate 1 (used as an example).
  • Page 110 For more information about how to build your own CRL, see Creating Your Own Certificate Revocation List on page 111. 3. Verify that the serial numbers of the client certificates you want to revoke have been added. list >> Revocation#
  • Page 111: Creating Your Own Certificate Revocation List

    Revoked certificates: 4. Apply your changes. apply >> Revocation# Changes applied successfully. Creating Your Own Certificate Revocation List You can easily build and manage certificate revocation lists for client certificates issued within your own organization. The CRL can then be added by using TFTP/FTP/SCP/SFTP. For more information about how to accomplish this, see Revoking Client Certificates Issued within your Own Organization...
  • Page 112: Automatic Crl Retrieval

    # Last update: 2005-02-01 HEX ASCII revocation 4. Save the file, and upload it to a TFTP/FTP/SCP/SFTP server that can be accessed from your VPN Gateway(s). Automatic CRL Retrieval Automatic CRL retrieval is used for configuring access to a server containing CRLs (certificate revocation lists), and retrieving such lists at regular intervals to automate the task of keeping the CRL up-to-date.
  • Page 113 CRL attribute specified in the URL is performed on the LDAP server. For more information about the implementation details behind these operations, see RFC 2251. 1. Specify the URL from which the CRL list should be retrieved. This step sets the complete URL for retrieving a CRL using LDAP, HTTP, or TFTP.
  • Page 114 When specifying more than one certificate, use commas to separate the corresponding index numbers. Example: 1,2,5 To clear all specified CA certificates, press ENTER when asked to enter certificate numbers, then answer yes to the question if you want to clear the list.
  • Page 115: Client Certificate Support

    cacert >> Automatic CRL# "" Current value: Enter certificate numbers (separated by comma): 6. Enable automatic retrieval of CRLs. >> Automatic CRL# When using the apply command the first time after having enabled automatic retrieval of CRLs, a first retrieval is invoked immediately. After that, retrievals will occur at the specified time interval (where the default value is once every 24 hours).
  • Page 116: Signing Csrs

    CSR (Certificate Signing Request) generated on a backend web server by using a CA certificate on the VPN Gateway. 1. Specify the CA certificate that you want to use for signing the CSR.
  • Page 117: Generate Test Certificate

    In the preceding example, the newly signed certificate is saved as certificate number 3. Use the export command to export the signed certificate to a file. The signed CSR can then be installed on the backend web server as a server certificate. 4.
  • Page 118: General Commands

    Parts of a client certificate's subject information can be used to extract the user name and password. For usage examples, see the "Client Certificate Authentication" section in the "Authentication Methods" chapter in the Avaya CLI/BBI Application Guide for VPN.
  • Page 119: Check If Key And Certificate Match

    = Avaya OU/organizationalUnitName (2.5.4.11) = Switching CN/commonName (2.5.4.3) = John emailAddress/emailAddress (1.2.840.113549.1.9.1) = john@avaya.com Check if Key and Certificate Match To check if the private key matches the public key in the selected certificate, use the following command: validate >> Certificate 1# Validate: key and certificate match.
  • Page 120 The key is protected by the iSD Cluster.
  • Page 121: Chapter 9: Virtual Desktop

    Symantec On-Demand Agent (SODA) provides a Virtual Desktop environment to secure Web-based applications and services, so that you can access confidential information in a secure environment. Running the Virtual Desktop on Client Computers The Virtual Desktop runs on computers meeting the following specifications: •...
  • Page 122: Launch Vdesktop From Portal

    The vdesktop session may be terminated when the browser session is terminated, to ensure that the Virtual Desktop session does not remain active indefinitely on halted or shared machines. Note: If you want to enable or disable some of these options, contact your system administrator.
  • Page 123: Chapter 10: The Command Line Interface

    However, when using the halt, reboot, or delete commands (available in the Boot menu), you should connect to the IP address of the particular VPN Gateway on which you want to perform these commands, or connect to that VPN Gateway through a console connection.
  • Page 124: Establishing A Telnet Connection

    IP address of the MIP. However, if you want to halt or reboot a particular VPN Gateway in a cluster, or reset all configuration to the factory default settings, you must connect to the IP address of the particular VPN Gateway. This also applies when using an SSH connection instead of a Telnet connection.
  • Page 125: Establishing A Connection Using Ssh (Secure Shell)

    Configuration" section in the same chapter. Running Telnet Once the IP parameters on the VPN Gateway are configured and Telnet access is enabled, you can access the CLI using a Telnet connection. To establish a Telnet connection with the VPN Gateway, run the Telnet program on your workstation and issue the Telnet command, followed by the VPN Gateway's IP address.
  • Page 126: Accessing The Avg Cluster

    SSH host keys. It is recommended that you do so, to maintain a high level of security when connecting to the VPN Gateway using an SSH client. If you fear that your SSH host keys have been compromised, you can create new host keys at any time by using the /cfg/sys/adm/sshkeys/generate command.
  • Page 127 Access to the AVG command line interface and settings is controlled through the use of four predefined user accounts and passwords. Once you are connected to the VPN Gateway through a console connection or remote connection (Telnet or SSH), you are prompted to enter a user account name and the corresponding password.
  • Page 128: Cli Vs. Setup

    Once the Administrator user password is verified, you are given complete access to the VPN Gateway. If the VPN Gateway is still set to its factory default configuration, the system will run Setup (see Installing an AVG in a New Cluster on page 42), a utility designed to help you through the first-time configuration process.
  • Page 129: Idle Timeout

    The VPN Gateway will disconnect your local console connection or remote connection (Telnet or SSH) after 10 minutes of inactivity. This value can be changed to a maximum value of 1 hour using the /cfg/sys/adm/clitimeout command.
  • Page 131: Chapter 11: Troubleshooting The Avg

    • User fails to connect to the VPN, see A User Fails to Connect to the VPN on page 144. • User unable to connect to the VPN Gateway through the Net Direct client, see User Unable to Connect to the VPN Gateway through the Net Direct Client on page 151.
  • Page 132: Enable Telnet Or Ssh Access

    Check the Access List If you find that Telnet or SSH access is enabled but you still can't connect to the VPN Gateway using a Telnet or SSH client, check whether any hosts have been added to the Access List.
  • Page 133: Cannot Add An Avg To A Cluster

    IP address information for all VPN Gateways in the cluster. If the IP address assigned to the VPN Gateway seems to be correct, you may have a routing problem. Try to run traceroute (a global command available at any menu prompt) or the tcpdump command (or some other network analysis tool) to locate the problem.
  • Page 134: Cannot Contact The Mip

    Management IP address (MIP). This could be the case if you are trying to join a VPN Gateway to a cluster and there are existing entries in the Access list. Typically, the Access list contains valid IP addresses for Telnet or SSH management.
  • Page 135: Add Interface 1 Ip Addresses And Mip To Access List

    66. If there is still a difference in software version after this, you need to adjust the software version on the VPN Gateway you want to add as well. After having upgraded the software version in the cluster, log in to the VPN Gateway you want to add as the Administrator user and select join from the Setup menu.
  • Page 136: Console Connection

    Gateway should continue to process SSL traffic without the need of a reboot. If the operational status of the VPN Gateway is indicated as down, try rebooting the device by typing the command /boot/reboot. You will be asked to confirm your action before the actual reboot is performed.
  • Page 137: Root User Password

    The fact that the Boot user password cannot be changed should not imply a security issue, because the Boot user can only access the VPN Gateway through a console connection using a serial cable, and the VPN Gateway presumably is set up in a server room with restricted access.
  • Page 138 HSM-USER iKey will be rendered unusable. This is due to the strict security specifications placed on the ASA 310-FIPS. 3. Verify that the alarms that caused the ASA 310-FIPS to stop processing SSL traffic have been cleared. /info/events/alarms >> # ** (alarm) Active Alarm List ***************************************
  • Page 139: Resetting Hsm Cards On The Asa 310-Fips

    The hsm_not_logged_in alarms that were triggered during the reboot should now be cleared from the active alarm list, after the successful login to both HSM cards. The ASA 310-FIPS is now ready to process SSL traffic again. Resetting HSM Cards on the ASA 310-FIPS When removing an ASA 310-FIPS device from a cluster, you have the option to reset (or de-initialize) the HSM cards.
  • Page 140 Enter the current HSM-SO password for card 1: iSD 192.168.128.185 deleted. Logging out. The ASA 310-FIPS device is now removed from the cluster and reset to its factory default settings. Both HSM cards are also reset, which means that all sensitive
  • Page 141: An Asa 310-Fips Cluster Must Be Reconstructed Onto New Devices

    cryptographic information stored on the cards is deleted. The next time a user turns on the ASA 310-FIPS device, the Setup menu will be displayed after having logged in as the admin user through a console connection. When selecting new or join in the Setup menu, you will be prompted to insert the HSM-SO iKey and HSM-USER iKey associated with each HSM card, and provide the current password stored on the respective iKey.
  • Page 142 Re-enter to confirm: 6. Wait for the initial setup of the first ASA 310-FIPS in the cluster to finish.
  • Page 143 (new setup, continued) Initializing system..ok Setup successful. Relogin to configure. login: 7. Add an additional ASA 310-FIPS to the newly created cluster by following the instructions in Adding an ASA 310-FIPS to an Existing Cluster on page 61 up to and including step 4...
  • Page 144: A User Fails To Connect To The Vpn

    There can be different reasons for why a user is having difficulty authenticating to the VPN or why a client connection cannot be established: the user name or password is wrong, the
  • Page 145: Aaa

    configured authentication server cannot be reached, the group name retrieved from the authentication server does not exist on the VPN Gateway, and so on. Note: The Disable new IPSec Logins feature may have been enabled to allow maintenance of the gateway.
  • Page 146: Dns

    VPN Gateway. Matching groups are listed in the order they are configured on the VPN Gateway. This is also the order in which the groups will be applied. <base> implies that the group's base profile will be used.
  • Page 147: Ipsec

    ipsec The ipsec tag logs any AAA-related output concerning the establishment of an IPsec tunnel. ippool The ippool tag logs messages related to the allocation of IP addresses from the IP pool (applies to Net Direct and IPsec).
  • Page 148: Ssl

    Portal bookmarks. For more information about how to enable this feature, see the section "The Tools tab, Edit Bookmarks" in the chapter "The Portal from an End-User Perspective" in the CLI/BBI Application Guide for VPN.
  • Page 149: Smb

    The smb tag shows information related to SMB (Windows file share) sessions initiated through the Portal's Files tab. The ftp tag shows information related to FTP sessions initiated through the Portal's Files tab.
  • Page 150: Netdirect

    The netdirect_packet tag logs information about packets being sent and received when the user has initiated a connection to a host. Because of the large amount of information, we recommend logging to a TFTP/FTP/SFTP server.
  • Page 151: User Unable To Connect To The Vpn Gateway Through The Net Direct Client

    Start by verifying on your own PC that Net Direct works towards the same VPN Gateway as the end-user's device. Then check the following in the specified order: 1.
  • Page 152 Notice any error message in the splash screen (progress bar) and act accordingly. 8. On Windows, is the Avaya Net Direct icon visible in the system tray (next to the clock, bottom right)? If the end user is using Windows, make sure Windows XP or Windows 2000 and Internet Explorer 5.0 or later are used.
  • Page 153: Cannot Download The Net Direct Zipped File From Client Pc

    5. Log in as root; the imported file can be found in the path /config/isd/user_content/docroot. You can access <https://vpn-ip/nortel_cacheable/NetDirect_Setup_Custom.zip>. System Diagnostics A few system diagnostics can be performed on the VPN Gateway. Installed Certificates and Virtual SSL Servers To view the currently installed certificates, type the following command: /info/certs >>...
  • Page 154: Network Diagnostics

    DNS server) and shows whether the network test was successful or not. Besides checking the connection, the method (for example, ping) used for checking each item is displayed. To check various network settings for a specific VPN Gateway, access the iSD Host menu by typing the following commands: /cfg/sys/host >>...
  • Page 155: Active Alarms And The Events Log File

    To check if the VPN Gateway(s) are receiving network traffic, type the following command: /stats/dump >> # The screen output provides information about currently active request sessions, total completed request sessions, as well as SSL statistics for configured virtual SSL servers.
  • Page 156: Error Log Files

    UNIX Syslog daemon, see the Syslog manpages under UNIX. For more information about how to configure the VPN Gateway to use a Syslog server, see the "Syslog Servers Configuration" section under Configuration Menu>System Configuration in the Avaya Command Reference.
  • Page 157: Appendix A: Supported Ciphers

    The Avaya VPN Gateway (AVG) supports SSL version 2.0, SSL version 3.0, and TLS version 1.0. All ciphers covered in these versions of SSL are supported, except the IDEA and FORTEZZA ciphers and ciphers using DH or DSS authentication.
  • Page 158: Cipher List Formats

    The default cipher list used for all virtual SSL servers on the VPN Gateway is ALL@STRENGTH. A cipher list consisting of the string...
  • Page 159: Modifying A Cipher List

    translates into a preferred list of ciphers that begins with all ciphers using RC4 as the encryption algorithm, followed by all cipher suites except the eNULL ciphers (ALL). The final string means that all cipher suites containing the DH (Diffie-Hellman) cipher are removed from the list.
  • Page 160 (Cipher String Aliases and Meaning, continued) Cipher suites using DH encryption algorithms, including anonymous DH. Cipher suites using anonymous DH encryption algorithms. Cipher suites using AES encryption algorithms. 3DES: Cipher suites using triple DES encryption algorithms.
  • Page 161 Supported Cipher Strings and Meanings (Cipher String Aliases and Meaning, continued) Cipher suites using DES encryption algorithms, but not triple DES. Cipher suites using RC4 encryption algorithms. Cipher suites using RC2 encryption algorithms. Cipher suites using MD5 encryption algorithms. SHA1, SHA: Cipher suites using SHA1 encryption algorithms.
  • Page 163: Appendix B: The Snmp Agent

    There is one SNMP agent on each Avaya VPN Gateway (AVG), and the agent listens to the IP address of that particular device. On the VPN Gateway that currently holds the cluster's Management IP address (MIP), the SNMP agent also listens to the MIP.
  • Page 164: Snmpv2-Mib

    • ALTEON-ISD-SSL-MIB • ALTEON-SSL-VPN-MIB • ALTEON-ROOT-MIB • IANAifType-MIB SNMPv2-MIB The SNMPv2-MIB is a standard MIB implemented by all agents. The following groups are implemented: • snmpGroup • snmpSetGroup • systemGroup • snmpBasicNotificationsGroup • snmpCommunityGroup
  • Page 165: Snmp-Mpd-Mib

    SNMP-MPD-MIB The following group is implemented: • snmpMPDGroup SNMP-FRAMEWORK-MIB The following group is implemented: • snmpEngineGroup SNMP-TARGET-MIB The SNMP-TARGET-MIB contains information about where to send traps. This is also configurable/viewable from the CLI, using the /cfg/sys/adm/snmp/target command. The following groups are implemented: •...
  • Page 166: Snmp-User-Based-Sm-Mib

    This MIB is used when the AVG participates in SONMP. It is required by the S5-ETH-MULTISEG-TOPOLOGY-MIB. S5-ROOT-MIB This MIB is used when the AVG participates in SONMP. It is required by the S5-ETH-MULTISEG-TOPOLOGY-MIB.
  • Page 167: If-Mib

    IF-MIB The following groups are implemented: • ifPacketGroup • ifStackGroup Limitations The agent does not implement the following objects: • ifType • ifSpeed • ifLastChange • ifInUnknownProtos • ifOutNUnicast IP-MIB The following groups are implemented: • ipGroup • icmpGroup IP-FORWARD-MIB The following group is implemented: •...
  • Page 168: Disman-Event-Mib

    The ALTEON-ISD-PLATFORM-MIB contains the following groups and objects: • isdClusterGroup • isdResourceGroup • isdAlarmGroup • isdBasicNotificatioObjectsGroup • isdEventNotificationGroup • isdAlarmNotificationGroup ALTEON-ISD-SSL-MIB The ALTEON-ISD-SSL-MIB contains objects for monitoring the SSL gateways. The following groups are implemented: • sslBasicGroup • sslEventGroup
  • Page 169: Alteon-Ssl-Vpn-Mib

    Defines the IANAifType Textual Convention, and thus the enumerated values of the ifType object defined in MIB-II's ifTable. Supported Traps The following SNMP traps are supported by the VPN Gateway: Table 7: Traps Supported by the VPN Gateway Trap Name...
  • Page 170 Trap Name Description isdDown Signifies that a VPN Gateway in the cluster is down and out of service. isdLicense Sent when the VPN Gateways in the cluster have different licenses and when a demo license has 7 days left before expiration. Defined in ALTEON-ISD-PLATFORM-MIB.
  • Page 171: Appendix C: Syslog Messages

    This appendix contains a list of the syslog messages that are sent from the Avaya VPN Gateway (AVG) to a Syslog server (when added to the system configuration). All the syslog messages follow common specifications. These messages are compliant with the SYSLOG SRD specifications. They can be stored locally on the hard disk or in a memory buffer.
  • Page 172 Loss of logs. • Root filesystem repaired - rebooting fsck found and fixed errors. Probably OK. • Config filesystem restored from backup Loss of recent configuration changes. • Rebooting to revert to permanent OS version
  • Page 173: System Control Process Messages

    Alarms are formatted according to the following pattern: Id: <alarm sequence number> Severity: <severity> Name: <name of alarm> Time: <date and time of the alarm> Sender: <sender, e.g. system or the VPN Gateway's IP address> Cause: <cause of the alarm> Extra: <additional information about the alarm>...
  • Page 174 A VPN Gateway failed to install a software release while trying to install the same version as all other VPN Gateways in the cluster. The failing VPN Gateway tries to catch up with the other cluster members as it was not up and running when the new software version was installed.
  • Page 175 Sent to indicate that a VPN Gateway is recovering from a partitioned network situation. • Name: ssi_mipishere Sender: ssi Extra: <IP> Tells that the MIP (management IP address) is now located at the VPN Gateway with the <IP> host IP address.
  • Page 176: Traffic Processing Messages

    Indicates that a VPN Gateway (<IP>) is rebooting on a new release (that is, a VPN Gateway that was not up and running during the normal installation is now catching up). • Name: license_expired Sender = <IP> Indicates that the demo license loaded at host <IP> has expired. Check the loaded licenses with /cfg/sys/cur.
  • Page 177 VBScript parsing error encountered when parsing content from <host><path>. This could be a problem in the AVG VBScript parser, but most likely a syntax error in the VBScript on that page. • jscript.encode error: <reason> Problem encountered when parsing an encoded JavaScript. It may be a problem with the JavaScript parser in the AVG or it could be a problem on the processed page.
  • Page 178 • Unable to use client certificate for <server #> Certificate for doing sslconnect is not valid. Reconfigure. • Failed to initialize SSL hardware Problem initializing SSL acceleration hardware. This will cause the VPN Gateway to run with degraded performance. • Could not find SSL hardware.
  • Page 179 Socks request of version <version> received and rejected. Most likely a non-standard socks client. • Failed to log to CLI:<reason> -- disabling CLI log Failed to send troubleshooting log to CLI. Disabling CLI troubleshooting log. • Can't bind to local address: <ip>:<port>: <reason> Problem encountered when trying to set up virtual server on <ip>:<port>.
  • Page 180 The transactions per second (TPS) limit has been exceeded. • No PortalGuard license loaded: VPN <id> *will* use portal authentication The PortalGuard license has not been loaded on the VPN Gateway but /cfg/vpn #/server/portal/authenticate is set to • No Secure Service Partitioning loaded: server <id> *will not* use interface <n>...
  • Page 181: Startup Messages

    • accept() turned off (<nr>) too many fds The VPN Gateway has temporarily stopped accepting new connections. This will happen when the VPN Gateway is overloaded. It will start accepting connections once it has finished processing its current sessions. • No cert supplied by backend server No certificate supplied by backend server when doing SSL connect.
  • Page 182: Configuration Reload Messages

    The Traffic Subsystem Configuration Reload messages only include the INFO category. INFO • reload cert config start Starting reloading of certificates. • reload cert config done Certificate reloading done. • reload configuration start
  • Page 183: Aaa Subsystem Messages

    Virtual server configuration reloading start. • reload configuration network down Accepting new sessions is temporarily put on hold. • reload configuration network up Resuming accepting new sessions after loading new configuration. • reload configuration done Virtual server configuration reloading done. AAA Subsystem Messages The AAA (Authentication, Authorization and Accounting) subsystem messages are divided into these categories:...
  • Page 184 If the log value contains socks, the following messages can be displayed: • SOCKS Vpn="<id>" User="<user>" SrcIP="<ip>" Request="<request>" This message refers to the features on the Portal's Advanced tab. If the log value contains reject
  • Page 185: Ipsec Subsystem Messages

    , the following messages can be displayed: • HTTP Rejected Vpn="<id>" Host="<host>" User="<user>" SrcIP="<ip>" Request="<method> <host> <path>" • PORTAL Rejected Vpn="<id>" User="<user>" Proto="<proto>" Host="<host>" Share="<share>" Path="<path>" • SOCKS Rejected Vpn="<id>" User="<user>" SrcIP="<ip>" Request="<request>" IPsec Subsystem Messages The IPsec subsystem messages are divided into these categories: •...
  • Page 186 Secure Service Partitioning license not loaded. • IPsec server ~s uses default interface (interface ~p not configured) This indicates possible badly configured default gateways on some Secure Service Partitioning interface. • Failed to allocate IP addr from empty pool
  • Page 187 The IP address pool is empty and a login attempt was rejected due to not being able to allocate an IP address from the pool. Note that Net Direct clients also use IPs from the IP pool. NOTICE •...
  • Page 188 A client tried to log in with a client certificate when the corresponding CA certificate was not loaded in IKE. • failed rsa private encrypt Failure to encrypt data while signing with the CA certificate.
  • Page 189: Syslog Messages In Alphabetical Order

    Traffic Processing The VPN (<nr>) too many Gateway has temporarily stopped accepting new connections. This will happen when the VPN Gateway is overloaded. It will start accepting connections once it has finished processing its current sessions. User Guide April 2013...
  • Page 190 CA certificate was not loaded in IKE. Bad CN supplied INFO Traffic Processing Malformed CN in server cert found in subject of <subject> the certificate supplied by the backend server. User Guide April 2013 Comments? infodev@avaya.com...
  • Page 191 Syslog Messages in Alphabetical Order Message Severity Type Explanation Bad IP:PORT ERROR Traffic Processing Bad ip:port found data <line> in hc in health check script script. Reconfigure the health script. This should normally be captured earlier by the CLI. Bad regexp ERROR Traffic Processing Bad regular...
  • Page 192 Traffic Processing Connect to <reason> backend server failed with <reason>. copy_software_re ALARM (CRITICAL) System Control A VPN Gateway lease_failed failed to install a software release while trying to install the same version as all other VPN Gateway(s) in the cluster. The failing...
  • Page 193 VPN Gateway tries to catch up with the other cluster members as it was not up and running when the new software version was installed. Could not find | ERROR | Traffic Processing | Failed to detect SSL hardware.
  • Page 194 DNS alarm: all dns servers are DOWN | CRITICAL | Traffic Processing | All DNS servers are down. The VPN Gateway cannot perform any DNS lookups. DNS alarm: dns server(s) are UP | INFO | Traffic Processing | At least one DNS server is now up.
  • Page 195 CA certificate. Failed to initialize SSL hardware | ERROR | Traffic Processing | Problem initializing SSL acceleration hardware. This will cause the VPN Gateway to run with degraded performance. failed to locate corresponding portal for | ERROR | Traffic Processing | Portal authentication portal has been...
  • Page 196 Host <host ip> is up: accounted for in the license pool. | INFO | A host that has been down too long is up again and is now sharing its licenses in the license pool.
  • Page 197 HSM mode: <mode> | INFO | Startup | Hardware Security Mode <mode>. hsm_not_logged_ | ALARM (CRITICAL) | System Control | After a reboot, login to the HSM card is required. hsm_tampered_w | ALARM (CRITICAL) | System Control | The HSM card has been tampered with.
  • Page 198 Ignoring unauthenticated informational message from %s | WARNING | IPsec | Dropping message without the authentication hash. ike Connected to erlang | INFO | IPsec | IKE daemon has successfully started and connected to the registry database.
  • Page 199 <id> uses default interface (interface <n> not configured) | interface is configured to be used by the IPsec server but this interface is not configured on the VPN Gateway. ISAKMP SA Established with | INFO | IPsec | ISAKMP SA Established. isd_down | ALARM (CRITICAL) | System Control...
  • Page 200 more than one VPN Gateway. javascript error: <reason> for: <host><path> | ERROR | Traffic Processing | JavaScript parsing error encountered when parsing content from <host><path>. This could be a problem in the AVG JavaScript parser, but most...
  • Page 201 <IP> has expired. Check the loaded licenses with /cfg/sys/ License expired | WARNING | Traffic Processing | The loaded (demo) license on the VPN Gateway has expired. The VPN Gateway now uses the default license. Loaded <ip>:<port> | INFO | Startup | Initializing virtual server <ip>:<port>.
  • Page 202 - reinstall required" or "Config filesystem restored from backup". No cert supplied by backend server | INFO | Traffic Processing | No certificate supplied by backend server when doing SSL connect. Session terminated to backend server.
  • Page 203 No PortalGuard license loaded: VPN <id> *will* use portal authentication | WARNING | Traffic Processing | The PortalGuard license has not been loaded on the VPN Gateway. /cfg/vpn #/server/portal/authenticate is set to No response from | INFO | IPsec | Maximum number...
  • Page 204 <id> *will not* use interface <n> | the VPN Gateway but the server is configured to use a specific interface. No TPS license limit | INFO | Startup | Unlimited TPS license used. partitioned_netwo | EVENT | System Control | Sent to indicate...
  • Page 205 Quick mode initiation to %s failed, error - %s | WARNING | IPsec | Quickmode initiation failed. Rebooting to revert to permanent OS version | ERROR | Happens after "Config filesystem re-initialized - reinstall required" or "Config filesystem restored from backup"...
  • Page 206 clicerts, force adjust totalcache size to: <size> per server that use clicerts | Generated if the size of the SSL session cache has been modified. single_master | ALARM (WARNING) | System Control | Only one master VPN Gateway in
  • Page 207 the cluster is up and running. slave_not_startin | ALARM (WARNING) | System Control | The portal handling subsystem cannot be started. socks error: <reason> | ERROR | Traffic Processing | Error encountered when parsing the socks traffic from the client.
  • Page 208 <reason>. ssl_hw_fail | ALARM (MAJOR) | System Control | The SSL hardware acceleration card could not be found or initiated. This will cause the VPN Gateway to run with degraded performance. Started ssl-proxy | INFO | Startup | Traffic subsystem started. System started [isdssl-<version>] | INFO | System Control | Sent whenever...
  • Page 209 certificate has to be changed. TPS license limit (<limit>) exceeded | WARNING | Traffic Processing | The transactions per second (TPS) limit has been exceeded. TPS license limit: <limit> | INFO | Startup | TPS limit set to <limit>...
  • Page 210 Vpn="<id>" Method=<"ssl"|"ipsec"> SrcIp="<ip>" User="<user>" Groups="<groups>" TunIP="<inner tunnel ip>" | The remote user's access method, client IP address, user name and group membership is shown as well as the IP address allocated to the connection
  • Page 211 between the VPN Gateway and the destination address (inner tunnel). VPN Logout Vpn="<id>" SrcIp="<ip>" User="<user>" | INFO | Remote user has logged out from the VPN. www_authenticate: bad credentials | ERROR | Traffic Processing | The browser sent a malformed WWW-...
  • Page 213: Appendix D: License Information

    Appendix D: License Information OpenSSL License Issues The OpenSSL toolkit stays under a dual license, that is, both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See the following for the actual license texts. Both licenses are actually BSD-style Open Source licenses.
  • Page 214 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
  • Page 215 0. This License applies to any program or other work that contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work. A "work based on the Program" means either the Program or any derivative work under copyright law: that is, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language.
  • Page 216 License be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable
  • Page 217 under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims;...
  • Page 218 Software Foundation. For more information about the Apache Software Foundation, see http://www.apache.org/. Portions of this software are based upon public domain software originally written at the National Center for Supercomputing Applications, University of Illinois, Urbana-Champaign.
  • Page 219: Appendix E: Hsm Security Policy

    Appendix E: HSM Security Policy All information in this Appendix is Copyright 2001 Rainbow Technologies. Rainbow Technologies CryptoSwift® HSM Cryptographic Accelerator FIPS 140-1 Non-Proprietary Cryptographic Module Security Policy Hardware P/N 107316 Firmware version 5.6.27 Ver 25 7/29/01 for Level 3 Overall, Level 4 for Self-Test. Validation Scope: This document describes the security policy for the HSM cryptographic accelerator.
  • Page 220: Applicable Documents

    Key-Wrapping-Key. When two or more boards contain the same Key-Wrapping-Key, they are said to be in the same family. The Key-Wrapping-Key is used to encrypt other keys. These encrypted keys can then be transmitted between boards over untrusted paths under the control
  • Page 221: Capabilities

    4.0 Capabilities of a Rainbow Technologies key management utility. This allows boards to share keys as appropriate for load distribution or redundancy needs. The key wrapping key also makes it possible for keys to be stored in encrypted form on backup tapes or hard drives for archival purposes.
  • Page 222 PCI interface. Therefore, this algorithm is not available in the FIPS 140-1 Mode. Key pairs of modulus size in the range 512 through 1024 bits, in 64 bit increments.
  • Page 223: Physical Security

    5.0 Physical Security The board is designed to detect tampering attempts and will zeroize critical security parameters under a variety of prescribed circumstances. These circumstances include penetration of the module's cryptographic envelope. The cryptographic envelope consists of an opaque tamper resistant lid and circuit board, and will provide clear visual evidence of tampering.
  • Page 224: Serial Interface

    HSM will be erased. 6.6 PCI Power Interface The PCI Power Interface will provide the power necessary to perform all other HSM functions. 7.1 Components 7.1 Bulk Crypto This component performs cryptographic hashing and symmetric cryptographic operations.
  • Page 225: Power Management And Tamper Detect

    7.2 Power Management and Tamper Detect This component monitors battery voltage and the security envelope to detect conditions that will result in the zeroization of critical security parameters. Battery voltage is also monitored to determine when it is necessary to replace the battery. 7.3 FastMap Processor This component contains a processor and internal SRAM.
  • Page 226: Programmable Logic Device (Pld)

    Generate Key service, or may be entered into the module using the Combine Key service, which combines two key shares entered through the trusted USB interface. In the non-FIPS 140-1 mode, the Key-Wrapping-Key may also be created
  • Page 227: Roles And Services

    through the Derive Key service. PRNG 3DES Key (PRNGKey) = This 3DES2Key is used for seeding the X9.17 Pseudo-random Number Generator (PRNG). The PRNG 3DES Key is generated randomly using the hardware random number generator (RNG) within the FastMap processor.
  • Page 228: Authentication

    Once the board has been initialized, the Security Officer can create a User account. Creating the User account generates a random PIN, which is stored in the User's iKey token. The SHA-1 hash of this random PIN is associated with the User account.
  • Page 229: Services

    9.5 Services The following table describes which services can be performed by which role, and the SRDI(s) which each service accesses. Service | FIPS140-1 Level 3 Mode (sub-columns: authenticated, User Role, Role) | Non-FIPS140-1 Mode (sub-columns: authenticated, User Role, Role) | SRDIs Accessed...
  • Page 230 (SPK, VPK) or (EPK, DPK). Store Public Object (Public RSA Key, user data object) | Enter and store: EPK or VPK. Store Vendor-Defined Data Object | None
  • Page 231 Store Private Object (Private RSA Key) (note 4) | Enter and Store: SPK or DPK. Get Public Object (RSA public key, or ...) | Read: SPK or DPK...
  • Page 232 Unwrap Key (note 4) | NO | KWK (use), Unwrap: SPK, DPK. Modify Object | None. RSA Sign (note 4) | SPK (use). RSA Verify | VPK (use). Generate Key (note ...) | (create). Split Key | KWK (split), PRNGKey (create, destroy), KWKShares (created
  • Page 233 and written to trusted interface). Combine Key | (created), KWKShares (read from trusted interface). Set LED State | None.
  • Page 234: Key Management

    Security Officer. The second key part is written to an iKey controlled by the User. The Security Officer must logout
  • Page 235: Key Destruction

    and the User must login before the second "Write Key Split" can be performed. The two iKey tokens used for carrying key parts are labeled with the word "CODE". The two key parts are then physically carried by separate trusted individuals to another device. If this device is also an HSM, the two parts may be loaded into it using the "Read Key Split"...
  • Page 236: Modes

    HSM commands in the non-FIPS140-1 mode. 12.0 Self-Tests The following table describes all of the cryptographic self-tests performed by the HSM module. The following abbreviation is used: KAT = Known Answer Test
  • Page 237: Conclusion

    13.0 Conclusion Self-Test | FIPS 140-1 Mode | Non-FIPS 140-1 Mode | When performed. RSA Encrypt/Decrypt and Sign/Verify KATs: Power-up, Self-Test Service (on demand). DES KAT: Power-up, Self-Test Service (on demand). 3DES KAT: Power-up, Self-Test Service (on demand). SHA-1 KAT: Power-up, Self-Test Service (on demand). DSA KAT: Power-up, Self-Test Service (on demand).
  • Page 238 performance and security include (but are not limited to) banking, telecommunications, e-commerce, and medical services. In the area of self-test, the HSM provides capabilities consistent with FIPS 140-1 Level 4.
  • Page 239: Appendix F: Definition Of Key Codes

    Appendix F: Definition of Key Codes Syntax Description When using the Telnet applet available under the Portal's Advanced tab, there is an option to specify a keymap URL that points to a key code definition file. If your application uses a different keyboard layout than the standard VT320, a key code definition file can be created and uploaded to the keymap URL.
  • Page 240: Redefinable Keys

    Key Representation | Remarks. F1-F20: The Function keys, that is, F1, F2 and so on, up to F20. PGUP: The Page Up key. PGDOWN: The Page Down key. The End key. HOME: The Home (Pos 1) key.
  • Page 241: Example Of A Key Code Definition File

    Syntax Description. Key Representation | Remarks. INSERT: The Insert key. REMOVE: The Remove key. The Cursor Up key. DOWN: The Cursor Down key. LEFT: The Cursor Left key. RIGHT: The Cursor Right key. NUMPAD0-NUMPAD9: The numbered Numeric keypad keys. ESCAPE: The Escape key. BACKSPACE: The Backspace key.
  • Page 243: Appendix G: Ssh Host Keys

    (e.g. due to the server administrator having generated new keys). The VPN Gateway can act both as SSH server (when a user connects to the CLI using an SSH client) and as SSH client (when file or data transfers are initiated from the VPN Gateway using the SCP or SFTP protocols).
  • Page 244 SSH host keys menu concerns the latter. The VPN Gateway supports the use of three different SSH host key types: SSH protocol version 1 always uses RSA keys, while for SSH protocol version 2, either RSA or DSA keys can be used. The RSA keys for version 1 differ in form from those for version 2, and are referred to as "RSA1".
  • Page 245: Appendix H: Adding User Preferences Attribute To Active Directory

    Appendix H: Adding User Preferences Attribute to Active Directory For the remote user to be able to store user preferences on the Avaya VPN Gateway (AVG), you need to add the isdUserPrefs attribute to Active Directory. This attribute will contain an opaque data structure, containing various information that the user may have saved during a Portal session.
  • Page 246: Add The Active Directory Schema Snap-In (Windows 2000 Server And Windows Server 2003)

    /a instead. Note that there is a space between mmc and /a. 3. Click OK. The Console window is displayed. 4. On the File (Console) menu, select Add/Remove Snap-in. The Add/Remove Snap-in window is displayed.
  • Page 247 5. Click Add. The Add Standalone Snap-in window is displayed.
  • Page 248: Create A Shortcut To The Console Window

    10. Save the console in the Windows\System 32 root folder. 11. As file name, enter schmmgmt.msc. 12. Click Save. Create a Shortcut to the Console Window 1. Right-click Start, and select Open all Users. 2. Double-click the Programs and Administrative Tools folders.
  • Page 249: Permit Write Operations To The Schema (Windows 2000 Server)

    3. On the File menu, point to New, and then select Shortcut. The Create Shortcut Wizard is displayed. 4. In the Type the location of the item field, type schmmgmt.msc. 5. Click Next. The Select a Title for the Program page is displayed.
  • Page 250: Create New Class

    You will now receive a warning that creating schema classes is a permanent operation and cannot be undone. 2. Click Continue. The Create New Schema Class window is displayed. 3. Create the avayaSSLOffload class as shown:
  • Page 251: Add Isduserprefs Attribute To Avayassloffload Class

    4. Click Next. 5. Click Finish. Add isdUserPrefs Attribute to avayaSSLOffload Class 1. In the Console window, on the left pane, expand Classes. 2. Select the avayaSSLOffload class. 3. Right-click and select Properties. The Properties window is displayed. 4.
  • Page 252: Add The Avayassloffload Class To The User Class

    7. Click OK. Add the avayaSSLOffload Class to the User Class 1. In the Console window, on the left pane, expand Classes and select user. 2. Right-click and select Properties.
  • Page 253 4. Next to Auxiliary Classes, click Add Class (Add). 5. Add the avayaSSLOffload class as an auxiliary class as shown: 6. Click OK. Once you have enabled the User Preferences feature on the VPN Gateway (using the CLI command /cfg/vpn #/aaa/auth #/ldap/enauserpre or the BBI
  • Page 254 setting User Preferences under VPN Gateway > VPN # > Authentication > Auth Servers # (Ldap)), the remote user should now be able to store user preferences in Active Directory.
  • Page 255: Appendix I: Using The Port Forwarder Api

    The Port Forwarder API is a collection of functions used to provide applications with the ability to send traffic through a previously defined port forwarder link. For instructions on how to configure a port forwarder link on the AVG Portal, see the chapter "Group Links" in the Avaya Application Guide for VPN.
  • Page 256: Demo Application

    The number of the link in the linkset, for example 1. When run as a regular application, the arguments are simply passed on the command line: java com.avaya.avg.demo.PortForwarderDemo -vpnurl https://vpn.example.com -linktype custom -vpn 1 -linkset 1 -link 1 For Java Web Start, parameters are passed through the jnlp file. A template jnlp file is provided along with a corresponding html file.
  • Page 257 The Custom Content concept (/cfg/vpn #/portal/content) can be used to host Java Web Start applications on the Portal. Building the demo project results in a content.zip file suitable for content area upload. A precompiled one is also provided. For the material in the content area to be cacheable by the client web browser, it has to be put in a top directory called "/nortel_cacheable".
  • Page 258: Creating A Port Forwarder Authenticator

    Creating a Port Forwarder Authenticator A Port Forwarder authenticator must implement the PortForwarderAuthenticator interface: public PortForwarderCredentials getCredentials(); public java.net.PasswordAuthentication getProxyCredentials(); Example Following is an example of the code for creating a Port Forwarder authenticator.
  • Page 260: Adding A Port Forwarder Logger

    String msg, Throwable throwable); The first function is used when the Port Forwarder logs a message in the Messages.properties file, i.e. messages of type PortForwarderConstants.LOG_LEVEL_INFO and PortForwarderConstants.LOG_LEVEL_ERROR and the second one is used for messages of
  • Page 261 type PortForwarderConstants.LOG_LEVEL_DEBUG and PortForwarderConstants.LOG_LEVEL_DEBUG_VERBOSE. The PortForwarderLogger is added to the Port Forwarder by calling the setLogger function. Example Following is an example of the code for adding a Port Forwarder logger. public class PortForwarderLoggerImpl implements PortForwarderLogger { private final ResourceBundle messages;...
  • Page 262: Connecting Through A Proxy

    The proxy username for HTTP & HTTPS accesses. com.avaya.avg.portforwarder.http.proxyPassword The proxy password for HTTP & HTTPS accesses. If the username and/or password is not set, the Port Forwarder API will call the PortForwarderAuthenticator.getProxyCredentials() function to obtain them.
  • Page 263: Monitoring The Port Forwarder

    Monitoring the Port Forwarder The Port Forwarder uses the Observer/Observable framework, meaning that anyone wanting to have information from/about the Port Forwarder can add a Listener to it. Currently, you can monitor Port Forwarder status and statistics. Note: When using these features, it is important that the Observer.update() function does not block.
  • Page 264: Statistics

    An added statistics listener will receive a PortForwarderStatistics object either when a change has occurred or at a defined interval. Following is an example of the code for monitoring Port Forwarder statistics.
  • Page 265 This will print current statistics every 3 seconds.
  • Page 267: Glossary

    IP address in the request then replies with its physical hardware address. Avaya Endpoint Access Control Agent: Avaya Endpoint Access Control Agent is an application that maintains checks that the required components (executables, DLLs, configuration files, etc.) are installed and active on the remote user's machine.
  • Page 268 CSR (Certificate Signing Request): A request for a digital certificate, sent to a CA. On the VPN Gateway, you can generate a CSR from the command line interface by using the request command. DCE (Data Communications ...): A device that communicates with a Data Terminal Equipment (DTE) in RS-232C communications.
  • Page 269 VLANs (if used). Master: A VPN Gateway in a cluster that is in control of the MIP address, or can take over the control of the MIP address should another master fail. Configuration changes in the cluster are propagated to other members through the master VPN Gateways.
  • Page 270 IP) Address are made to a virtual server IP address (VIP). RPort (Real Server Port): The real server port, which a virtual SSL server on the VPN Gateway uses when sending and receiving information to and from the real servers.
  • Page 271 The source IP address of a frame. Slave: A VPN Gateway that depends on a master device in the same cluster for proper configuration. SNMP (Simple ...): A network monitoring and control protocol. Data is passed from SNMP agents, which...
  • Page 272 VLAN to which the associated IP interface has been added. Virtual SSL Server: A virtual SSL server handles a specific service on the VPN Gateway, such as HTTPS, SMTPS, IMAPS, or POP3S. You can create an unlimited number of virtual SSL servers per AVG cluster, and each virtual SSL server is mapped to a virtual server on the Application Switch.
  • Page 273 ARP, the Layer 2 device attached to the switch will not know that the MAC address had moved in the network. For a more detailed description, refer to RFC 2338. X.509: A widely-used specification for digital certificates that has been a recommendation of the ITU since 1988.

This manual is also suitable for:

3050-vm, Avg 3050-vm, 3070-vm, Avg 3070-vm, 3090-vm, Avg 3090-vm
