Avaya 3.7 User Manual

VPNmanager® Configuration Guide

Release 3.7

670-100-600 Issue 4 May 2005

Copyright 2005, Avaya Inc.

All Rights Reserved

Notice

Every effort was made to ensure that the information in this document was complete and accurate at the time of release. However, information is subject to change.

Warranty

Avaya Inc. provides a limited warranty on this product. Refer to your sales agreement to establish the terms of the limited warranty. In addition, Avaya’s standard warranty language as well as information regarding support for this product, while under warranty, is available through the following website:

http://www.avaya.com/support

Preventing Toll Fraud

“Toll fraud” is the unauthorized use of your telecommunications system by an unauthorized party (for example, a person who is not a corporate employee, agent, subcontractor, or is not working on your company's behalf). Be aware that there may be a risk of toll fraud associated with your system and that, if toll fraud occurs, it can result in substantial additional charges for your telecommunications services.

Avaya Fraud Intervention

If you suspect that you are being victimized by toll fraud and you need technical assistance or support, in the United States and Canada, call the Technical Service Center's Toll Fraud Intervention Hotline at 1-800-643-2353.

Disclaimer

Avaya is not responsible for any modifications, additions or deletions to the original published version of this documentation unless such modifications, additions or deletions were performed by Avaya. Customer and/or End User agree to indemnify and hold harmless Avaya, Avaya’s agents, servants and employees against all claims, lawsuits, demands and judgements arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation to the extent made by the Customer or End User.

How to Get Help

For additional support telephone numbers, go to the Avaya Web site: http://www.avaya.com/support/. If you are:

Within the United States, click the Escalation Management link. Then click the appropriate link for the type of support you need.

Outside the United States, click the Escalation Management link. Then click the International Services link, which includes telephone numbers for the International Centers of Excellence.

Providing Telecommunications Security

Telecommunications security (of voice, data, and/or video communications) is the prevention of any type of intrusion to (that is, either unauthorized or malicious access to or use of) your company's telecommunications equipment by some party.

Your company's “telecommunications equipment” includes both this Avaya product and any other voice/data/video equipment that could be accessed via this Avaya product (that is, “networked equipment”).

An “outside party” is anyone who is not a corporate employee, agent, subcontractor, or is not working on your company's behalf. Whereas, a “malicious party” is anyone (including someone who may be otherwise authorized) who accesses your telecommunications equipment with either malicious or mischievous intent.

Such intrusions may be either to/through synchronous (time-multiplexed and/or circuit-based) or asynchronous (character-, message-, or packet-based) equipment or interfaces for reasons of:

Utilization (of capabilities special to the accessed equipment)

Theft (such as, of intellectual property, financial assets, or toll-facility access)

Eavesdropping (privacy invasions to humans)

Mischief (troubling, but apparently innocuous, tampering)

Harm (such as harmful tampering, data loss or alteration, regardless of motive or intent)

Be aware that there may be a risk of unauthorized intrusions associated with your system and/or its networked equipment. Also realize that, if such an intrusion should occur, it could result in a variety of losses to your company (including but not limited to, human/data privacy, intellectual property, material assets, financial resources, labor costs, and/or legal costs).

Responsibility for Your Company’s Telecommunications Security

The final responsibility for securing both this system and its networked equipment rests with you - Avaya’s customer system administrator, your telecommunications peers, and your managers. Base the fulfillment of your responsibility on acquired knowledge and resources from a variety of sources including but not limited to:

Installation documents

System administration documents

Security documents

Hardware-/software-based security tools

Shared information between you and your peers

Telecommunications security experts

To prevent intrusions to your telecommunications equipment, you and your peers should carefully program and configure:

Your Avaya-provided telecommunications systems and their interfaces

Your Avaya-provided software applications, as well as their underlying hardware/software platforms and interfaces

Any other equipment networked to your Avaya products.

TCP/IP Facilities

Customers may experience differences in product performance, reliability and security depending upon network configurations/design and topologies, even when the product performs as warranted.

Standards Compliance

Avaya Inc. is not responsible for any radio or television interference caused by unauthorized modifications of this equipment or the substitution or attachment of connecting cables and equipment other than those specified by Avaya Inc. The correction of interference caused by such unauthorized modifications, substitution or attachment will be the responsibility of the user. Pursuant to Part 15 of the Federal Communications Commission (FCC) Rules, the user is cautioned that changes or modifications not expressly approved by Avaya Inc. could void the user’s authority to operate this equipment.

Product Safety Standards

This product complies with and conforms to the following international Product Safety standards as applicable:

Safety of Information Technology Equipment, IEC 60950, 3rd Edition including all relevant national deviations as listed in Compliance with IEC for Electrical Equipment (IECEE) CB-96A.

Safety of Information Technology Equipment, CAN/CSA-C22.2 No. 60950-00 / UL 60950, 3rd Edition

Safety Requirements for Customer Equipment, ACA Technical Standard (TS) 001 - 1997

One or more of the following Mexican national standards, as applicable: NOM 001 SCFI 1993, NOM SCFI 016 1993, NOM 019 SCFI 1998

Electromagnetic Compatibility (EMC) Standards

This product complies with and conforms to the following international EMC standards and all relevant national deviations:

Limits and Methods of Measurement of Radio Interference of Information Technology Equipment, CISPR 22:1997 and EN55022:1998.

Information Technology Equipment – Immunity Characteristics – Limits and Methods of Measurement, CISPR 24:1997 and EN55024:1998, including:

Electrostatic Discharge (ESD) IEC 61000-4-2

Radiated Immunity IEC 61000-4-3

Electrical Fast Transient IEC 61000-4-4

Lightning Effects IEC 61000-4-5

Conducted Immunity IEC 61000-4-6

Mains Frequency Magnetic Field IEC 61000-4-8

Voltage Dips and Variations IEC 61000-4-11

Powerline Harmonics IEC 61000-3-2

Voltage Fluctuations and Flicker IEC 61000-3-3

Federal Communications Commission Statement

Part 15:

Note: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense.

Canadian Department of Communications (DOC) Interference Information

This Class A digital apparatus complies with Canadian ICES-003.

This Class A digital apparatus complies with Canadian standard NMB-003.

This equipment meets the applicable Industry Canada Terminal Equipment Technical Specifications. This is confirmed by the registration number. The abbreviation, IC, before the registration number signifies that registration was performed based on a Declaration of Conformity indicating that Industry Canada technical specifications were met. It does not imply that Industry Canada approved the equipment.

DECLARATIONS OF CONFORMITY

United States FCC Part 68 Supplier’s Declaration of Conformity (SDoC)

Avaya Inc. in the United States of America hereby certifies that the equipment described in this document and bearing a TIA TSB-168 label identification number complies with the FCC’s Rules and Regulations 47 CFR Part 68, and the Administrative Council on Terminal Attachments (ACTA) adopted technical criteria.

Avaya further asserts that Avaya handset-equipped terminal equipment described in this document complies with Paragraph 68.316 of the FCC Rules and Regulations defining Hearing Aid Compatibility and is deemed compatible with hearing aids.

Copies of SDoCs signed by the Responsible Party in the U. S. can be obtained by contacting your local sales representative and are available on the following Web site:

http://www.avaya.com/support

All Avaya media servers and media gateways are compliant with FCC Part 68, but many have been registered with the FCC before the SDoC process was available. A list of all Avaya registered products may be found at:

http://www.part68.org/

by conducting a search using “Avaya” as manufacturer.

European Union Declarations of Conformity

Avaya Inc. declares that the equipment specified in this document bearing the “CE” (Conformité Européenne) mark conforms to the European Union Radio and Telecommunications Terminal Equipment Directive (1999/5/EC), including the Electromagnetic Compatibility Directive (89/336/EEC) and Low Voltage Directive (73/23/EEC). This equipment has been certified to meet CTR3 Basic Rate Interface (BRI) and CTR4 Primary Rate Interface (PRI) and subsets thereof in CTR12 and CTR13, as applicable.

Copies of these Declarations of Conformity (DoCs) can be obtained by contacting your local sales representative and are available on the following Web site:

http://www.avaya.com/support

Japan

This is a Class A product based on the standard of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If this equipment is used in a domestic environment, radio disturbance may occur, in which case, the user may be required to take corrective actions.

China

BMSI (Chinese Warning Label)

Hardware, including technical data, is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. Customer agrees to comply strictly with all such regulations and acknowledges that it has the responsibility to obtain licenses to export, re-export, or import hardware.

Acknowledgments:

This product includes software developed by the Apache Software Foundation (http://www.apache.org).

Environmental Health and Safety:

! WARNING:

Risk of explosion if battery is replaced by an incorrect type. Dispose of used batteries according to Avaya Environmental Health and Safety guidelines.

Documentation:

For the most current versions of documentation, go to the Avaya support Web site: http://www.avaya.com/support/

Contents

Preface . . . . . . . . 15
What Products are Covered . . . . . . . . 15
VPNmanager Overview . . . . . . . . 15
Network-wide Visibility and Control . . . . . . . . 16
Intranet and Extranet Support . . . . . . . . 16
Secure VPN Configuration . . . . . . . . 16
No Special Consoles Required . . . . . . . . 16
Complementary to SNMP Management Tools . . . . . . . . 17
Using VPNmanager Help . . . . . . . . 17
Related Documentation . . . . . . . . 17
How This Book Is Organized . . . . . . . . 17
Contacting Technical Support . . . . . . . . 19

Chapter 1: Overview of implementation . . . . . . . . 21
Components of the Avaya security solution . . . . . . . . 21
Security gateways . . . . . . . . 21
VPNremote Client software . . . . . . . . 22
VPNmanager software . . . . . . . . 22
Overview of the VPN management hierarchy . . . . . . . . 23
Preparing to configure your network . . . . . . . . 24
Security gateway . . . . . . . . 24
Static Routes . . . . . . . . 26
IP groups . . . . . . . . 26
Remote users and user groups . . . . . . . . 26
VPN . . . . . . . . 26
Security policies . . . . . . . . 27
Firewall policies . . . . . . . . 27
Denial of Service . . . . . . . . 27
QoS . . . . . . . . 28
VoIP . . . . . . . . 28
Additional features . . . . . . . . 29
NAT . . . . . . . . 29
SNMP . . . . . . . . 29
Syslog . . . . . . . . 30
Client IP address pooling . . . . . . . . 30
SSL for Directory Server . . . . . . . . 30
Sequence to configure your VPN . . . . . . . . 30


Chapter 2: Using VPNmanager . . . . . . . . 33
About VPNmanager administrators . . . . . . . . 33
Role Based Management . . . . . . . . 33
Log into the VPNmanager console . . . . . . . . 35
Add a policy server . . . . . . . . 35
Open Domain . . . . . . . . 36
Navigating the main window . . . . . . . . 36
File menu . . . . . . . . 37
Edit menu . . . . . . . . 39
View menu . . . . . . . . 39
Tools menu . . . . . . . . 40
Help menu . . . . . . . . 40
Toolbar . . . . . . . . 40
VPN view pane . . . . . . . . 42
Network Diagram View . . . . . . . . 42
Tiled View . . . . . . . . 43
Tree View . . . . . . . . 43
Alarm monitoring pane . . . . . . . . 44
Configuration Console window . . . . . . . . 44
Configuration Console Menu bar . . . . . . . . 45
File menu . . . . . . . . 45
Edit menu . . . . . . . . 45
View menu . . . . . . . . 46
Tools menu . . . . . . . . 46
Toolbar . . . . . . . . 47
Contents pane . . . . . . . . 47
Details pane . . . . . . . . 47
Update Devices . . . . . . . . 47
Preferences . . . . . . . . 48
General tab . . . . . . . . 48
Dyna Policy Defaults (User) . . . . . . . . 49
Dyna Policy Defaults (Global) . . . . . . . . 49
Dyna Policy Authentication . . . . . . . . 50
Advanced . . . . . . . . 51
Remote Client . . . . . . . . 51
Alarm/Monitoring . . . . . . . . 52
TEP Policy . . . . . . . . 52


Chapter 3: Setting up the network . . . . . . . . 55
New VPN Domain . . . . . . . . 55
Configuring a security gateway . . . . . . . . 57
Creating a new security gateway . . . . . . . . 57
Using Device tabs to configure the security gateway . . . . . . . . 59
General tab . . . . . . . . 60
Memo tab . . . . . . . . 62
DNS tab . . . . . . . . 63
Configuring the DNS tab for security gateways at 4.3 or later . . . . . . . . 63
Configuring the DNS tab for VSU at VPNos 4.2 or earlier . . . . . . . . 65
Interfaces tab . . . . . . . . 66
Options for IP addressing for interface zones . . . . . . . . 70
Static addressing . . . . . . . . 70
DHCP addressing . . . . . . . . 70
Point-to-Point Protocol Over Ethernet (PPPoE) Client . . . . . . . . 71
Local DHCP Server . . . . . . . . 71
DHCP Relay . . . . . . . . 73
Static . . . . . . . . 73
Changing network interfaces . . . . . . . . 73
Private port tab . . . . . . . . 76
Adding an IP Device Configuration . . . . . . . . 77
DHCP Relay . . . . . . . . 78
None . . . . . . . . 79
Device users tab . . . . . . . . 79
Network Object tab . . . . . . . . 80
Routing . . . . . . . . 81
Default Gateway for VPN Traffic (VPNos 3.X) . . . . . . . . 83
Policies tab, NAT services . . . . . . . . 85
About NAT types for VPNos 4.31 . . . . . . . . 85
Configuring NAT (VPNos 4.31) . . . . . . . . 86
About NAT types for VPNos 3.X . . . . . . . . 88
NAT applications . . . . . . . . 88
Accessing the Internet from private networks . . . . . . . . 89
Setting up VPN with overlapping private addresses . . . . . . . . 90
Using NAT to support multiple gateway configurations . . . . . . . . 92
Interface for VPNos 4.2 . . . . . . . . 93
Add NAT Rule (VPNos 4.2 or earlier) . . . . . . . . 94
Original . . . . . . . . 94
Tunnel NAT rules . . . . . . . . 95


Chapter 4: Configuring IP Groups . . . . . . . . 97
About IP Groups . . . . . . . . 97
Creating a New IP Group . . . . . . . . 97
New IP Group . . . . . . . . 98
IP Group - General tab . . . . . . . . 98
Add IP Group member . . . . . . . . 100
Configuring an IP Group . . . . . . . . 101
Configuring an IP Group that connects to an extranet . . . . . . . . 102
Delete . . . . . . . . 103
Memo . . . . . . . . 104

Chapter 5: Configuring remote access users . . . . . . . . 105
Default client configuration . . . . . . . . 105
Using dyna-policy . . . . . . . . 106
Configuring a global dyna-policy . . . . . . . . 107
Dyna-Policy Defaults (User) tab . . . . . . . . 107
VPN configuration files on remote user’s computer . . . . . . . . 108
Disable split tunneling . . . . . . . . 108
Dyna-Policy Defaults (Global) tab . . . . . . . . 108
Dyna-Policy Authentication tab . . . . . . . . 109
Local authentication . . . . . . . . 110
RADIUS authentication . . . . . . . . 110
LDAP authentication . . . . . . . . 110
Dynamic VPNs (VPNos 3.x) . . . . . . . . 110
Remote Client tab . . . . . . . . 111
Client DNS resolution redirection . . . . . . . . 111
Client DNS resolution redirection . . . . . . . . 112
Remote Client inactivity connection time-out (VPNos 3.x) . . . . . . . . 112
Send Syslog messages . . . . . . . . 112
Configure a default CCD with global dyna-policy . . . . . . . . 113
Creating new user object . . . . . . . . 114
Default user . . . . . . . . 115
About creating individual dynamic-policy . . . . . . . . 115
User - General tab . . . . . . . . 115
Memo tab . . . . . . . . 116
Dyna-Policy tab . . . . . . . . 116
Actions tab . . . . . . . . 117
Configuring a remote user object . . . . . . . . 118


Information for VPNremote Client users . . . . . . . . 119
Using local authentication . . . . . . . . 120
Using RADIUS authentication (VPNos 3.X and VPNos 4.31) . . . . . . . . 120
Using LDAP authentication (VPNos 3.X only) . . . . . . . . 120
Using Policy Manager for user configuration . . . . . . . . 120
Client IP address pool configuration . . . . . . . . 120
Add Client IP address pool . . . . . . . . 121
Add Client DNS . . . . . . . . 121
Add Client WINS . . . . . . . . 122
To configure the Client IP configuration . . . . . . . . 122
Configuring client attributes . . . . . . . . 122
Creating a message . . . . . . . . 122
Enforce brand name . . . . . . . . 123
RADIUS/ACE Services . . . . . . . . 124
Enable RADIUS/ACE . . . . . . . . 124
Settings . . . . . . . . 125
RADIUS concepts . . . . . . . . 125
The RADIUS protocol . . . . . . . . 126
Add (RADIUS/ACE server) . . . . . . . . 126
Authenticating (secret) password . . . . . . . . 126
RADIUS server data . . . . . . . . 126
To add a RADIUS server: . . . . . . . . 127

Chapter 6: Configuring user groups . . . . . . . . 129
New user group . . . . . . . . 129
User Group - General tab . . . . . . . . 130
User Group - Memo tab . . . . . . . . 130
User Group - Actions tab . . . . . . . . 131
Configuring a user group . . . . . . . . 131

Chapter 7: Configuring VPN objects . . . . . . . . 133
Types of VPN objects . . . . . . . . 133
SKIP VPNs . . . . . . . . 133
IKE VPNs . . . . . . . . 134
VPN packet processing modes . . . . . . . . 134
Default VPN policy . . . . . . . . 135
Creating a new VPN object . . . . . . . . 136
Creating a default VPN . . . . . . . . 136
Creating a designated VPN . . . . . . . . 137


Using the VPN tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
General tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
General tab with IKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
General tab with SKIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Memo tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Members-Users tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Members-IP Groups tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Security (IKE) tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Pre-Shared Secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Security (IPSec) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
IPSec Proposals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Add IPSec proposal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Actions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
VPN configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Rekey site-to-site VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Rekey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Advanced VPN tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Configuring a SKIP VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Configuring an IKE VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Enabling CRL checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Exporting a VPN object to an extranet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
VPN Object export checklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Export procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Importing a VPN object from an extranet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Rekeying a VPN object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

Chapter 8: Establishing security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Firewall rules set up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Levels of firewall policy management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Firewall rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Domain level firewall rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Device level firewall rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Priority of Firewall rules versus NAT rules . . . . . . . . . . . . . . . . . . . . . . . . 167
Setting up firewall rules for FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
FTP and Firewall/NAT Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Security Gateways and FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Firewall templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Predefined templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
User defined templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

10 Avaya VPNmanager Configuration Guide Release 3.7

Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Device Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Voice Over IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Using the IP Trunking Call Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Using the LRQ Required checkbox of the IP Trunking Call Model . . . . . . . . . . . . 176
Using the Gatekeeper Routed Call Model. . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Add gatekeeper settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
QoS policy and QoS mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
QoS Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
QoS mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Packet Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
What can be filtered. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Packet Filtering and NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Permit/Deny non-VPN traffic Radio Buttons . . . . . . . . . . . . . . . . . . . . . . . 186
Add Packet Filtering Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
From/Where. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
To Where . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
The Filtering Policy in progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Locating this filtering policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
The filtering policy in progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Running the packet filtering policy wizard. . . . . . . . . . . . . . . . . . . . . . . . . 189
Running the Policy Manager for packet filtering . . . . . . . . . . . . . . . . . . . . . 190
Starting and stopping filtering services . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Managing the ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Configuring advanced filtering options . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Marking packets for differentiated services (QoS) . . . . . . . . . . . . . . . . . . . . . . 192
About Differentiated Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
How a VSU marks packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Types of marking rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
How to create a packet marking rule . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Packet filtering firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Add firewall policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Chapter 9: Using advanced features . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Device Advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Path MTU Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
NAT Traversal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

Port for dyna-policy download. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Port for Secure Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Private IP Address (VPNos 3.x) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Send Device Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
SuperUser Password (VPNos 3.x) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Tunnel Persistence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
TEP Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Add servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Managing the server list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Resilient Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Tunnel Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Creating a resilient tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Add resilient tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Managing the resilient tunnel list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Stopping and starting resilient tunnel services . . . . . . . . . . . . . . . . . . . . . . . . 217
Primary end-point service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Secondary end-point service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Failover TEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Configuring failover TEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Advanced Action. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Switch Flash. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Reset password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Disable FIPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Virtual addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Advanced parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Configuring high availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Creating a High Availability Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Updating a high availability group using Update Device . . . . . . . . . . . . . . . . . 225
Deleting a high availability group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Failover reconnect. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Converged Network Analyzer Test Plug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Keep Alive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

Policy Manager - My Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
About VSU certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Creating and Installing a Signed Certificate. . . . . . . . . . . . . . . . . . . . . . . . 235
Switching certificates used by VPNmanager Console . . . . . . . . . . . . . . . . . . 237
Issuer certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
About Issuer Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Installing an issuer certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
IKE Certificate Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
About Certificate Usage (Exchange) . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Assigning a Target for a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

Chapter 10: Monitoring your network . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Using SNMP to monitor the device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Adding Admin Users for SNMPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
VPN active sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Syslog Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Add Syslog Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Using Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Enterprise MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Monitoring wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Define Custom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Monitoring wizard (Presentation) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Presentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Monitoring alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Alarm Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Report Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Generating the report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Device diagnostics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

Chapter 11: Device management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Using the Management tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Setting Up SSH and Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Changing device administrator’s passwords . . . . . . . . . . . . . . . . . . . . . . . . . 276
Using the Connectivity tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Check connectivity by ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Check Connectivity by Proxy Ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Using the Device Actions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Update Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Reset Device Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Reboot Device. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280

Re-setup Device. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Import Device Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Ethernet Speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Network Interface Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Importing and exporting VPN configurations to a device . . . . . . . . . . . . . . . . . . . . . 284
Export VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Exporting RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285

Chapter 12: Upgrading firmware and licenses . . . . . . . . . . . . . . . . . . . . . 287
Centralized firmware management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Device - Upgrade tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Upgrading a security gateway’s firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Encryption Strength . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Remote Access (VSU-100 Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

Appendix A: Using SSL with Directory Server . . . . . . . . . . . . . . . . . . . . . 293
When to Configure your VPNmanager for SSL . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Installing the issuer’s certificate in the policy server and the VPNmanager Console . . . . . . . . 294
Windows NT and Windows 2000 Computers . . . . . . . . . . . . . . . . . . . . . . . . . 294
Solaris OS Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Installing the Issuer’s Certificate into a security gateway . . . . . . . . . . . . . . . . . . . . . 295

Appendix B: Firewall rules template . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Public zone firewall templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Private zone firewall templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Semi-private zone firewall templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
DMZ zone firewall templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Management zone security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Converged Network Analyzer template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
