
Configuring a global dyna-policy

Remote Client tab

The Preferences Remote Client tab is used to establish a path (tunnel) to a secure DNS server to resolve client DNS names (as opposed to using a public DNS server) and to set the remote client idle time-out period.

Figure 36: Preferences, Remote Client Tab

Client DNS resolution redirection

By using the Client DNS Resolution Redirection feature, VPNremote Client-initiated DNS name resolution requests for specific subdomains can be directed to private DNS servers residing on a network protected by a security gateway. This allows VPNremote Clients to use host names in place of IP addresses when accessing corporate network resources without exposing corporate DNS servers and name resolution databases to the public. Thus, a VPNremote Client can use public DNS servers to resolve public resources and private DNS servers to resolve private resources.

Note:

DNS name resolution requests are redirected at the user side by VPNremote Client. The remote Client must be running a version of VPNremote Client software which supports Client DNS Resolution Redirection. Check with Avaya Technologies for version support information.

You can enable Client DNS Resolution Redirection and enter up to three subdomain names along with the IP address of the DNS server that will resolve DNS requests for the corresponding subdomain name.

Issue 4 May 2005 111

Configuring remote access users

To configure Client DNS Resolution Redirection for all VPNremote Clients:

1. Enter a subdomain name in the Domain Name field (for example, finance.mycompany.com).

2. Enter the IP address of the DNS server that will resolve DNS requests for the corresponding subdomain name in the Protected DNS Server field.

3. Repeat this procedure for up to two additional subdomains, then click Apply.

These settings apply to all Clients in all VPNs. Client DNS Resolution Redirection cannot be set uniquely for each Client.

For proper operation, a VPN protecting the specified DNS servers must be configured between the VPNremote Client and the security gateway. This VPN must contain a Group that includes the IP addresses of the DNS servers defined within the Client DNS Resolution Redirection. The VPN services of the “DNS server VPN” will be applied to any DNS requests made by the Client to the subdomains defined within the Client DNS Resolution Redirection.
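The following is an added example, not Avaya code, showing how the redirection decision described above works: a lookup is sent to the protected DNS server of the matching subdomain and everything else goes to the public resolver. The subdomain table, server addresses and host names are constructed for illustration; the placeholder public resolver is taken from the documentation address range. It also shows a check a practitioner would want: which protected DNS servers are missing from the VPN Group that must cover them.

```python
# Added example (not Avaya code): how Client DNS Resolution Redirection
# decides where a name lookup goes. The subdomain table, server addresses
# and host names below are constructed for illustration.
from typing import Dict, Optional, Set

# Constructed table: subdomain -> protected DNS server, mirroring the three
# Domain Name / Protected DNS Server field pairs on the Remote Client tab.
REDIRECT_TABLE: Dict[str, str] = {
    "finance.mycompany.com": "10.1.1.53",
    "mycompany.com": "10.1.2.53",
    "lab.mycompany.net": "10.1.3.53",
}

PUBLIC_DNS = "203.0.113.53"  # placeholder public resolver (documentation range)


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so 'Host.Example.com.' compares as 'host.example.com'."""
    return name.strip().rstrip(".").lower()


def matches_subdomain(qname: str, subdomain: str) -> bool:
    """True when qname is the subdomain itself or a host beneath it.

    The comparison is on label boundaries: 'notlab.mycompany.net' does not
    belong to 'lab.mycompany.net', so a plain suffix test would mis-route it.
    """
    q, s = normalize(qname), normalize(subdomain)
    return q == s or q.endswith("." + s)


def select_resolver(qname: str,
                    table: Dict[str, str] = REDIRECT_TABLE,
                    public: str = PUBLIC_DNS) -> str:
    """Return the DNS server address a lookup for qname should be sent to.

    The longest matching subdomain wins, so 'finance.mycompany.com' overrides
    the broader 'mycompany.com' entry. Anything unmatched goes to the public resolver.
    """
    best: Optional[str] = None
    for subdomain in table:
        if matches_subdomain(qname, subdomain):
            if best is None or len(normalize(subdomain)) > len(normalize(best)):
                best = subdomain
    return table[best] if best is not None else public


def unprotected_servers(table: Dict[str, str], vpn_group: Set[str]) -> Set[str]:
    """Protected DNS servers that are missing from the VPN's Group.

    The manual requires the VPN between the client and the gateway to contain
    a Group that includes every redirected DNS server; queries to a server
    outside that Group would not receive the VPN's protection.
    """
    return set(table.values()) - vpn_group
```

The label-boundary test in matches_subdomain is the detail worth keeping: a suffix match on the raw string would send lookups for unrelated names to the private server, and the unprotected_servers check catches the misconfiguration the manual warns about (a redirected DNS server that the VPN Group does not cover).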

Client DNS resolution redirection

Enable Client DNS Resolution Redirection and enter up to three subdomain names along with the IP address of the DNS server that will resolve DNS requests for the corresponding subdomain name.

Remote Client inactivity connection time-out (VPNos 3.x)

You can set the amount of time that a VPNremote Client can be idle before its assigned IP address is returned to the Client IP Address Pool. This is useful if you have VPNremote Client users that typically use TCP-based applications (e.g. Telnet, FTP, Web traffic) and leave those applications idle for long periods of time.

Units can be seconds or minutes. The maximum idle time is 65,535 minutes.

Send Syslog messages. . .

Send Syslog messages to receiving hosts after VPN session is inactive for XX minutes enables you to set the session inactivity time before issuing a Syslog message. The default time is 10 minutes.
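As an added example (not Avaya code), the following models the two inactivity settings on this tab together: an idle time-out after which a client's address is returned to the Client IP Address Pool, and a separate inactivity threshold after which a Syslog message is issued. The 65,535-minute maximum and the 10-minute Syslog default are taken from the manual; the pool addresses, user names and the message text are constructed.

```python
# Added example (not Avaya code): how an idle time-out returns a client's
# address to the Client IP Address Pool, and how a separate inactivity
# threshold triggers a Syslog message. The 65,535-minute maximum and the
# 10-minute Syslog default come from the manual; addresses and users are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

MAX_IDLE_MINUTES = 65_535


def idle_timeout_seconds(value: int, unit: str) -> int:
    """Convert the configured idle time-out to seconds, enforcing the stated range."""
    if unit not in ("seconds", "minutes"):
        raise ValueError("unit must be 'seconds' or 'minutes'")
    seconds = value if unit == "seconds" else value * 60
    if seconds <= 0 or seconds > MAX_IDLE_MINUTES * 60:
        raise ValueError("idle time-out out of range")
    return seconds


def valid_idle_timeout(value: int, unit: str) -> bool:
    """Validation helper for the UI-style check: True if the value can be applied."""
    try:
        idle_timeout_seconds(value, unit)
        return True
    except ValueError:
        return False


@dataclass
class ClientPool:
    free: List[str]                              # addresses available for assignment
    idle_timeout: int                            # seconds of inactivity before release
    syslog_after: int = 10 * 60                  # seconds before a Syslog message (default 10 min)
    leases: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # addr -> (user, last activity)
    syslog: List[str] = field(default_factory=list)                     # constructed message log
    _notified: Set[str] = field(default_factory=set)

    def assign(self, user: str, now: float) -> str:
        """Hand the next free pool address to a newly connected client."""
        addr = self.free.pop(0)
        self.leases[addr] = (user, now)
        return addr

    def activity(self, addr: str, now: float) -> None:
        """Any traffic over the tunnel refreshes the lease and re-arms the Syslog notice."""
        user, _ = self.leases[addr]
        self.leases[addr] = (user, now)
        self._notified.discard(addr)

    def sweep(self, now: float) -> List[str]:
        """Emit inactivity notices and release idle leases; returns released addresses."""
        released = []
        for addr, (user, last) in list(self.leases.items()):
            idle = now - last
            if idle >= self.syslog_after and addr not in self._notified:
                self.syslog.append(f"VPN session for {user} ({addr}) inactive for {int(idle // 60)} minutes")
                self._notified.add(addr)
            if idle >= self.idle_timeout:
                del self.leases[addr]
                self._notified.discard(addr)
                self.free.append(addr)
                released.append(addr)
        return released
```

The Syslog threshold is deliberately independent of the release threshold: with the defaults above an operator is notified at 10 minutes of inactivity but the address is only reclaimed at the configured idle time-out, and the notice is sent once per idle period rather than on every sweep.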

112 Avaya VPNmanager Configuration Guide Release 3.7


Configure a default CCD with global dyna-policy

The following procedure describes how to configure default dyna-policy parameters.

These settings control how CCD automatically delivers dyna-policies to VPNremote Clients. By default, all users adopt these settings, but they can be rejected and custom-configured from the Dyna-Policy tab of a specific user.

1. From the VPNmanager Console main window or from the Configuration Console window, select Edit Preferences to open the Preferences property sheet.

2. Click the Dyna-Policy Defaults (User) tab to bring it to the front. Select how the VPN session parameters are handled on the user’s computer.

Select None to store the VPN session parameters locally on the remote user’s computer. The policy is automatically downloaded to the user’s computer the first time the VPNremote Client connects. The policy is not password protected.

Select Download configuration when remote starts to automatically download the VPN session parameters at the beginning of every session. The policy is removed when VPNremote Client is disconnected. This is the most secure method.

Select Secure Dyna-Policy with a user-defined key (password) to have the VPN session parameters reside on the user’s hard disk and be activated by a password at the start of a VPN session. The user is prompted to create a password to protect the policy.

Check Disable Split Tunneling if users are not permitted to browse the Internet while they are connected to the VPN.

3. Click the Dyna-Policy Defaults (Global) tab to bring it to the front.

Enter the number of times a remote user can log in incorrectly before they are locked out. The default is 3.

Enter the number of minutes a remote user is locked out if all login attempts fail. The default is 1 minute.
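As an added example (not Avaya code), the following is a small lockout counter with the semantics of the two Global settings above: a configurable number of failed attempts, after which the account is locked for a configurable number of minutes. The defaults of 3 attempts and 1 minute are the manual's; the user names and the clock values passed in are constructed so the behaviour is deterministic.

```python
# Added example (not Avaya code): a login lockout counter with the semantics
# of the Dyna-Policy Defaults (Global) settings. The defaults of 3 attempts
# and a 1-minute lockout are taken from the manual; user names are constructed.
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class LoginLockout:
    max_failures: int = 3          # failed attempts before lockout (manual default)
    lockout_minutes: int = 1       # lockout duration in minutes (manual default)
    _failures: Dict[str, int] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        """True while the user's lockout is in force; expired lockouts are cleared."""
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[user]
            self._failures.pop(user, None)   # a fresh set of attempts after the lockout
            return False
        return True

    def record_attempt(self, user: str, credentials_ok: bool, now: float) -> str:
        """Apply one login attempt and return what happened.

        'locked'     - rejected because a lockout is in force
        'ok'         - accepted; the failure counter is reset
        'failed'     - rejected; attempts remain
        'locked_out' - rejected and this failure triggered the lockout

        A real gateway should call is_locked() before verifying the password,
        so that a locked account gives no feedback on whether a guess was right.
        """
        if self.is_locked(user, now):
            return "locked"
        if credentials_ok:
            self._failures.pop(user, None)
            return "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_failures:
            self._locked_until[user] = now + self.lockout_minutes * 60
            return "locked_out"
        return "failed"
```

Note that a correct password presented during the lockout window is still refused; that is what makes the lockout a throttle on guessing rather than only a counter, and why the counter is cleared only once the lockout has expired or a login succeeds.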

4. Click the Dyna-Policy Authentication tab to bring it to the front.

5. Before CCD begins, remote users must have a user name and password pair to authenticate themselves. From here, you configure the authentication method to use and where the authentication dyna-policy is stored.

Select Local Authentication to have the security gateway authenticate the users and to store the authentication policy on the security gateway.

Select RADIUS Authentication to use a RADIUS server to authenticate users. Select a RADIUS method to store the policy.

Select Use local database for configuration to store the Dyna-Policies on the security gateway.


Note:

This is the only choice for VPNos 4.31.

Select Use RADIUS configuration to store the Dyna-Policies on a dedicated RADIUS server.

Select Use LDAP for configuration to store the Dyna-Policies on the Directory Server.

(Only with VPNos 3.x with iPlanet Directory Server) Select LDAP Authentication to use the directory server to authenticate remote users. Select a method to store the policy.

Select Use local database for configuration to store the Dyna-Policies on VSUs.

Select Use LDAP for configuration to store the Dyna-Policies on the Directory Server.

6. Click the Remote Client tab to bring it to the front. Configure the path (tunnel) to a secure DNS server to resolve client DNS names and to set the remote client idle time-out period.

Check Enable Redirection Support if remote clients use private domain names, such as accounting.avaya.com, for navigating their VPN. Then enter the Domain and Protected DNS server address.

Enter the number of minutes of inactivity before sessions time out. Default is 4 minutes.

If Syslog services are running, enter the number of minutes the VPN session can be inactive before a Syslog message is sent. The default is 10 minutes.

7. Click OK to save your changes.

After the default parameters have been adjusted to meet your VPN’s needs, users can be created.

Creating new user object

A user object is built with either a default or a custom CCD. Using a default CCD speeds up the configuration process, but the existing default CCD might not meet all of your users’ requirements.

The New User dialog is used to enter information about a new user. Fields are included for the new user’s name, password, and confirmation of password. A default user check box is included to create a default user.


Default user

The Default User feature is normally used in conjunction with the default dyna-policy to establish a common template by which a desired VPN policy type is delivered to the remote clients in the domain. Multiple default users can exist in a domain, but only one default user can exist per VPN in a domain. When a remote user is configured as a default user, the user password is not required to log in. Note that the Default User has a unique icon.

To create a new user object:

1. From the VPNmanager Console main page, click New Object and select Users. The New User dialog is displayed.

2. In the Name text box, type the name of a remote user. Any character except a comma can be used.

Note:

If you plan on using RADIUS as an authentication method, this name must match the name used in the RADIUS server.

3. In the Password text box, type the user password for the local, RADIUS, and directory servers.

4. In the Confirm Password text box, retype the password.

5. Press Apply to save the user name.

6. You can continue to add users, or you can click Close to return to the Configuration Console window.

About creating individual dynamic-policy

You configure the individual user object from Configuration Console > User Object.

User - General tab

The User General tab displays information about the user highlighted in the Contents column, including which VPNs and User Groups the user is a member of.


Figure 37: User General tab

Directory Name. - This is the unique user name within the directory structure. It is not duplicated anywhere within the VPN domain to which it is assigned.

Current VPN Membership. - This section lists VPNs to which the currently highlighted user is assigned membership.

Current User Groups. - This displays a list of the User Groups to which the user belongs.

Memo tab

Memo can be used to record notes about the user, such as change history, specific computer type, etc. Information entered here is associated only with this user. This information is stored only in the database and not downloaded to the security gateway.

Dyna-Policy tab

The Dyna-Policy tab is used to define an individual remote user’s dyna-policy to specify the security options for how the VPN configuration information is handled on the user’s computer.

See Dyna-Policy Defaults (User) tab on page 107 for how to configure.


Actions tab

The User Actions tab is used for non-dyna-policy alternatives.

Figure 38: User’s Action tab

Export My Configuration. - Exports your dyna-policy to a file for conveyance to the remote user’s machine. Enter a password and retype the password.

Note:

If Default User is configured, this button is disabled.

Rekey User VPNs. - Clicking the Rekey button causes the preshared secret to be rekeyed for this user’s VPNs.

Reset User Directory Password. - The user’s password is reset.

Note:

If Default User is configured, this button is disabled.

Advanced tab

The Advanced tab allows you to define the type of IKE identifier associated with the user currently highlighted. Internet Key Exchange (IKE) is a protocol by which a security association (secure tunnel) is established between the security gateway and the remote client.


Figure 39: User Advanced tab

Four types of identifiers can exist in the certificate generated for the remote user.

Directory Name

IP Address

DNS Name

Email Name (RFC 822)

Configuring a remote user object

If your remote users use the default CCD, you only need to complete steps 1 through 5. If an individual dyna-policy should be created, continue with step 6.

1. From the Configuration Console window, click Users to list all User Objects in the Contents column.

2. From the Contents column, select the User Object that needs to be configured.

3. From the General tab, select the DES check box if the VPNremote Client is limited to single DES (Data Encryption Standard).

Note:

A remote user using single DES encryption can only connect to a VPN using single DES encryption.

4. (Optional) Click the Memo tab to bring it to the front, then in the Memo text box, type in some information about the user. For example, where the user will be dialing from or the location of their headquarters.


5. Click the Dyna Policy tab to bring it to the front. If you do not want the default Dyna-Policy settings, select Do Not Use Default Dyna-Policy. Then configure a customized method for storing the VPN configuration for the user.

Select None to store the VPN session parameters locally on the remote user’s computer. The policy is automatically downloaded to the user’s computer the first time the VPNremote Client connects. The policy is not password protected.

Select Download configuration when remote starts to automatically download the VPN session parameters at the beginning of every session. The policy is removed when VPNremote Client is disconnected.

Select Secure Dyna-Policy with a user-defined key (password) to have the VPN session parameters reside on the user’s hard disk and be activated by a password at the start of a VPN session. The policy is automatically downloaded. The user is prompted to create a password to protect the policy.

Check Disable Split Tunneling if users are not permitted to browse the Internet while they are connected to the VPN.

6. If Local Authentication is used as the authentication method, in the Authentication Password text box, type a password for this VPNremote Client user.

Note:

These text boxes are not available if the RADIUS or LDAP authentication is used. For more information about authentication methods, see Dyna-Policy Authentication tab on page 109.

7. If the User object can communicate with an extranet, click the Advanced tab to bring it to the front.

8. If the method used to identify a remote user is different from the one used within your VPN, use the IKE identifier options to configure a method for use in the extranet. See Exporting a VPN object to an extranet on page 158 for information about connecting to an extranet.

After configuring a User object, the user name and password pairs must be given to the VPNremote Client user.

Information for VPNremote Client users

Users who receive their Dyna-Policies by the Client Configuration Download (CCD) method must have a user name and password pair. When trying to connect, they use the pair to authenticate themselves. After passing authentication, CCD is used to send the Dyna-Policy to the VPNremote Client. Which pairs to use depends on the authentication method used.


Using local authentication

If the security gateway authenticates remote users for CCD, deliver the following pairs to the respective users.

NAME: The name created in Step 2.

PASSWORD: The password created in Step 3.

Using RADIUS authentication (VPNos 3.X and VPNos 4.31)

If a RADIUS server is used for authenticating remote users for CCD, deliver the following pairs to the respective users.

NAME: The name created in Step 2.

PASSWORD: The password stored in the user’s record of the RADIUS server.

Using LDAP authentication (VPNos 3.X only)

If the directory server is used for authenticating remote users for CCD, deliver the following pairs to the respective users.

NAME: The name created in Step 2.

PASSWORD: The password created in Step 2.

Using Policy Manager for user configuration

From the VPNmanager Policy Manager property, you can configure the client IP address pool for the remote users and define to users when they log on. You can also configure the RADIUS/ACE services (VPNos 3.x and VPNos 4.31 only).

Client IP address pool configuration

Access control devices (ACDs), such as firewalls, guard networks from unauthorized users. Analyzing source addresses is one method ACDs use to decide which packets can enter the network. This is a problem for VPNremote Client users: the addresses that ISPs dynamically assign to VPNremote Clients are naturally blocked, because it is impossible to know ahead of time which address will be assigned. The security gateway solves this problem by using Client IP Address Pools.
