Avaya 3.7 User Manual


Converged Network Analyzer Test Plug

Typically, one CNA unit is configured in the network operations center, and another CNA unit is configured in the corporate network. The CNA unit in the network operations center (NOC) is used to set up network topologies, configure network tests, and schedule network tests. Multiple CNA units can be configured in the network to monitor network topology and test results.

The following network tests are available using the CNA test plug:

Ping test

The ping test includes unary and binary tests. The ping test sends an ICMP echo message to a target IP address and reports whether or not a response was returned.

The binary test requires a pair of test plugs.

RTP test

The real-time transport protocol (RTP) test measures delay, packet loss, and jitter to another test plug by sending a simulated RTP data stream that is echoed back. The test provides data on VoIP performance over the network.
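The following is an added example, not Avaya's CNA code: it sends an RTP-style probe stream to a peer that echoes it back and computes delay, packet loss and jitter from the replies, which is the kind of measurement the RTP test above makes between two test plugs. The probe layout (sequence number plus send timestamp), the loopback echo peer, and the constructed timings in the main block are assumptions for the demonstration; the jitter estimator is the smoothed one from RFC 3550.

```python
"""Added example (not Avaya's CNA code): an echoed RTP-style probe stream
with delay, loss and jitter computed from the replies."""
import socket
import struct
import threading
import time

PROBE_FMT = "!Hd"  # 16-bit sequence number, 64-bit send timestamp (seconds)
PROBE_LEN = struct.calcsize(PROBE_FMT)


def compute_metrics(sent, replies):
    """sent maps seq -> send time; replies maps seq -> time the echo came back.
    Returns (loss_percent, mean_rtt_ms, jitter_ms). Jitter uses the RFC 3550
    smoothed estimator J = J + (|D| - J) / 16, where D is the change in
    round-trip time between consecutive echoed probes."""
    if not sent:
        raise ValueError("no probes were sent")
    echoed = sorted(seq for seq in sent if seq in replies)
    loss_percent = 100.0 * (len(sent) - len(echoed)) / len(sent)
    if not echoed:
        return loss_percent, None, None  # total loss: no delay or jitter figure
    rtts = [replies[seq] - sent[seq] for seq in echoed]
    mean_rtt_ms = 1000.0 * sum(rtts) / len(rtts)
    jitter = 0.0
    for prev, cur in zip(rtts, rtts[1:]):
        jitter += (abs(cur - prev) - jitter) / 16.0
    return loss_percent, mean_rtt_ms, 1000.0 * jitter


def _echo_peer(sock, stop):
    """Stand-in for the remote test plug: echo every datagram back unchanged."""
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, addr = sock.recvfrom(2048)
            sock.sendto(data, addr)
        except socket.timeout:
            continue
        except OSError:
            break


def run_loopback_test(count=20, interval=0.005, rtp_port=0):
    """Send `count` probes at `interval` seconds to a local echo peer and
    return (loss_percent, mean_rtt_ms, jitter_ms). rtp_port=0 lets the OS
    choose a free port; the product default for the RTP test port is 50001."""
    peer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    peer.bind(("127.0.0.1", rtp_port))
    stop = threading.Event()
    threading.Thread(target=_echo_peer, args=(peer, stop), daemon=True).start()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(0.5)
    sent, replies = {}, {}
    try:
        for seq in range(count):
            sent[seq] = time.monotonic()
            client.sendto(struct.pack(PROBE_FMT, seq, sent[seq]), peer.getsockname())
            time.sleep(interval)
        deadline = time.monotonic() + 0.5
        while len(replies) < count and time.monotonic() < deadline:
            try:
                data, _ = client.recvfrom(2048)
            except socket.timeout:
                break
            if len(data) == PROBE_LEN:
                seq, _sent_at = struct.unpack(PROBE_FMT, data)
                replies[seq] = time.monotonic()
    finally:
        stop.set()
        client.close()
        peer.close()
    return compute_metrics(sent, replies)


if __name__ == "__main__":
    loss, rtt, jitter = run_loopback_test()
    print(f"loss {loss:.1f}%  mean RTT {rtt:.3f} ms  jitter {jitter:.3f} ms")
```

On a real link the echoed probes would carry the peer's own timestamp as well, so that one-way delay could be separated from the return path; here only the round trip is available, which is still enough to see loss and jitter trends over a VPN tunnel.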

To enable the CNA test plug:

1. From the VPNmanager Console main window, select CNA as a New Object. The CNA general tab appears.

2. Select Enable to enable the CNA test plug in the network.

3. Select the CNA Test Plug Services interface.

The public interface provides the connection to the Internet, usually by way of a wide area network (WAN). By default, the DHCP client is used to configure the public IP address. Only one public zone can be configured on the security gateway.

The private interface provides the connection to the private local area network (LAN) or your corporate LAN. By default, the private network interface is configured with the DHCP server. The private interface is the default setting for CNA.

4. Enter the test request port value.

The test request port is the port on which the test plug receives test requests. A test request carries authentication and a validly formatted request from the CNA test plug scheduler. The test request port value ranges from 1 to 65535. The default value is 50000.

Important:

When the default test request port value is modified, you must create a new CNA service that uses the new test request destination port. If the security gateway is configured to allow CNA traffic, be sure to update the firewall rule to use the new CNA service.

5. Enter the RTP test port value.

The RTP test port is the port used by the real-time transport protocol (RTP) test. The RTP test port value ranges from 1 to 65535. The default value is 50001.

Issue 4 May 2005 231

Using advanced features

Important:

When the default RTP test port value is modified, you must create a new CNA service that uses the new RTP test destination port. If the security gateway is configured to allow CNA traffic, be sure to update the firewall rule to use the new CNA service.

6. In the CNA Hive(s) area, click Add to enter the CNA hive configuration information. The CNA hive information includes the following:

CNA hive name

The CNA hive name identifies the CNA hive deployment. A maximum of 25 hives can be configured, with each hive containing a maximum of 5 CNA units.

CNA unit port

The CNA unit port is the value of the CNA registration port. The CNA registration port value ranges from 1 to 65535. The default value is 50002.

7. In the CNA Unit(s) for registration area, enter the IP address of the CNA registration unit for the security gateway in the network. Use the Move To Top button to adjust the hive priority. Click OK.

The first hive configured in the CNA Unit(s) for registration area is pushed down to devices running VPNos 4.5. Adjust the CNA hive configuration priority so that the first configured hive includes the devices running VPNos 4.5.

8. In the Apply above configuration to these devices in the domain area, select the device in the list and click Add. The Select Devices window appears.

9. Confirm that the appropriate device(s) are selected to receive the CNA test plug configuration. Click OK.

10. Click Save to save this configuration.

Keep Alive

The Keep Alive feature allows the security gateway to send keep alive packets (ICMP) to each configured host at the configured interval. Keep alive hosts can be configured anywhere in the network. The feature also provides traceroute capability: when the traceroute criteria are met, a traceroute is initiated, allowing network administrators to trace network path failures.

Keep alive packets can be sent to configured hosts in both protected and unprotected networks; therefore, these packets may be encrypted or sent in the clear, depending on the VPN policy on the device.

232 Avaya VPNmanager Configuration Guide Release 3.7


Figure 74: Keep alive tab

To configure keep alive:

1. From the Configuration Console window, select New Object > Keep Alive. The Keep Alive dialog is displayed.

2. In the Keep Alive name text box, enter a unique name. Click Apply. Click Close to go to the Keep Alive tab.

3. Click Enable to enable the keep alive configuration.

4. From the Send From drop-down menu, select a network zone.

Public. The public network interface provides the connection to the Internet, usually by way of a wide area network (WAN). By default, DHCP Client is used to configure the public IP address.

Private. The private network interface usually provides the connection to your private local area network (LAN) or your corporate LAN.

5. In the Keep Alive Interval field, enter the interval in seconds at which packets are sent to the configured hosts. The default is 10 seconds.

6. In the Hosts area, click Add and enter the IP address or DNS name of the network host whose connectivity you want to monitor. You can define up to five DNS names or IP addresses. These hosts can be either within the VPN or outside the VPN. If the host is within the VPN, the keep alive traffic to it is encapsulated according to the associated VPN policy. If the host is outside the VPN, the traffic is sent in the clear.

7. In the Apply this configuration to these devices area, click Add and select the device(s) to which the configured keep alive interval will be applied. Use the left and right arrows to move the highlighted devices from one column to the other.


8. In the Traceroute Criteria area, select Initiate Traceroute when criteria are met, and complete the following:

a. In the Number of Failed Hosts field, enter the number of hosts from the configured keep alive hosts that can fail to receive keep alive responses. If multiple hosts are configured and all hosts are critical, enter 1: if any one of the configured hosts fails to respond, network path failover occurs.

b. In the Consecutive "No" Responses field, enter the number of consecutive connectivity checks without a keep alive response before traceroute is initiated. The default is 10.

c. In the Target Host area, select the host type.

First Failed Host. The network host IP address specified in the keep alive host list. Traceroute is initiated to the first failed host from the configured keep alive host list that meets the traceroute criteria.

Host IP. The network host IP address to monitor connectivity. Traceroute is initiated on the specified host IP address.

d. Click Save.
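The decision made by the Traceroute Criteria settings in step 8 (Number of Failed Hosts, Consecutive "No" Responses, and the First Failed Host or Host IP target choice) is shown below as an added example written as a small state machine over keep alive results. This is illustrative code, not Avaya's security gateway firmware; the class and method names and the sequence of probe results are assumptions constructed for the demonstration.

```python
"""Added example (not Avaya's code): the traceroute-trigger decision from the
Traceroute Criteria settings, as a state machine over keep alive results."""


class KeepAliveMonitor:
    """Tracks consecutive missed keep alive responses per host and decides
    when the traceroute criteria are met."""

    def __init__(self, hosts, failed_hosts=1, consecutive_no=10, target_host=None):
        if not 1 <= len(hosts) <= 5:
            raise ValueError("between one and five keep alive hosts are allowed")
        if not 1 <= failed_hosts <= len(hosts):
            raise ValueError("Number of Failed Hosts must be between 1 and the host count")
        self.hosts = list(hosts)
        self.failed_hosts = failed_hosts          # Number of Failed Hosts field
        self.consecutive_no = consecutive_no      # Consecutive "No" Responses field
        self.target_host = target_host            # Host IP mode; None = First Failed Host mode
        self.misses = {h: 0 for h in self.hosts}  # consecutive "No" responses per host
        self.failed_order = []                    # hosts past the threshold, oldest failure first

    def record(self, replies):
        """replies maps host -> True if an ICMP echo reply arrived in this
        interval (a host missing from the map counts as no reply). Returns
        the host to traceroute, or None if the criteria are not met."""
        for host in self.hosts:
            if replies.get(host, False):
                self.misses[host] = 0
                if host in self.failed_order:
                    self.failed_order.remove(host)  # host recovered
                continue
            self.misses[host] += 1
            if self.misses[host] >= self.consecutive_no and host not in self.failed_order:
                self.failed_order.append(host)
        if len(self.failed_order) >= self.failed_hosts:
            # Host IP mode traces the configured address; First Failed Host
            # mode traces the host that crossed the threshold first.
            return self.target_host or self.failed_order[0]
        return None


def run_scenario(monitor, intervals):
    """Feed a sequence of per-interval reply maps and return the decision
    made after each interval (None or the traceroute target)."""
    return [monitor.record(replies) for replies in intervals]


if __name__ == "__main__":
    # Constructed scenario: two hosts, trace after 3 consecutive misses on
    # any one host (Number of Failed Hosts = 1, Consecutive "No" Responses = 3).
    mon = KeepAliveMonitor(["10.1.1.1", "10.2.2.2"], failed_hosts=1, consecutive_no=3)
    up = {"10.1.1.1": True, "10.2.2.2": True}
    h2_down = {"10.1.1.1": True, "10.2.2.2": False}
    for i, decision in enumerate(run_scenario(mon, [up, h2_down, h2_down, h2_down, up]), 1):
        print(f"interval {i}: traceroute -> {decision}")
```

Setting Number of Failed Hosts to 1 with several hosts, as the text advises when every host is critical, means a single unreachable host is enough to trigger the trace; raising it to the host count means the trace only fires when the path as a whole is gone.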

Policy Manager - My Certificates

If you are creating VPNs that use certificates for authentication and security, use the Policy Manager for My Certificates to install signed certificates into a specific VSU.

After one or more certificates have been installed, see IKE Certificate Usage on page 240 for configuring a target for a signed certificate, and Issuer certificates on page 238 for installing issuer certificates on a target.

About VSU certificates

VSUs use public-key certificates based on CCITT Recommendation X.509. Within the framework of the recommendation, each certificate includes a Rivest, Shamir, and Adleman (RSA) Public-Key Cryptography Standard (PKCS) Number 10 for authentication.

A VSU can store up to nine certificates. One is a default certificate, which is used only for the SSL connection between the VSU and the VPNmanager Console. The remaining eight certificates are My Certificates and are statically stored in the flash memory of the VSU. The default certificate is issued by Avaya Inc.

Note:

The default certificate has a six year period of validity, which starts at the factory when it’s put into the VSU. Reprogramming the flash is the only way to change the default certificate.


Up to eight certificates can be stored in a VSU. During IKE negotiation, a VSU sends a specified certificate to its target; the other VSUs and clients it negotiates with are called targets. Likewise, the target that received a certificate must send its own [unique] certificate back to the sender to complete the exchange. The VSUs use the exchange to authenticate each other and to distribute their public keys. These additional certificates can be created and then installed into a VSU. Each certificate is assigned a target (see IKE Certificate Usage on page 240 for additional information about making those assignments). A VSU needs only a single certificate to distribute its public key to multiple VSUs, but additional certificates can be created for establishing secure connections with special targets. The process of getting a certificate for a specific VSU is illustrated in Figure 75.

Figure 75: Installing a Signed Certificate into a VSU

(Diagram: steps 1 to 4 shown between the LAN, the security gateway, the WAN, the PKI system, and the VPNmanager Console.)

Note: For this process to work, the security gateway must already have been configured with an IP address.

Explanation for Figure 75:

1. An administrator uses VPNmanager Console to get a Certificate Request from a specific VSU.

2. The administrator sends the Certificate Request to a Public Key Infrastructure (PKI) System.

3. The PKI System sends a Signed Certificate to the administrator.

4. The administrator uses VPNmanager Console to install the Signed Certificate into the VSU.

Creating and Installing a Signed Certificate

Figure 76 shows the Policy Manager for My Certificates. Use it to generate certificate requests, to install signed certificates in a VSU, and to select the certificate for which the VPNmanager Console is configured as the target.


Figure 76: The Policy Manager for My Certificates

To install a signed certificate into a VSU:

1. From the Device > Contents column, select the VSU that needs a Signed Certificate.

2. Click the Policies tab to bring it to the front.

3. From the drop-down list, select My Certificates, then click GO to open the Policy Manager for My Certificates.

4. Click Generate Certificate Request to open the Save as dialog box.

5. Use the Look in drop-down list to navigate to the directory where you want to save the certificate request.

6. In the File name text box, type a name for the Certificate Request, then click Save.

7. The VSU saves a Certificate Request into this new file, then updates the Maintain Certificates list with information about the new Certificate Request. The status column for the unsigned request displays Request Ready. The request is stored in Privacy-Enhanced Mail (PEM) encoding, using the PKCS #10 format.

8. Send the Certificate Request to a PKI System.

9. The PKI System must use the Distinguished Encoding Rules (DER) format for creating the Signed Certificate.

10. The PKI System creates a Signed Certificate for the VSU. Figure 77 shows what a certificate in PEM format looks like (its body has been shortened for the example). Currently a VSU accepts the certificate delivery formats PEM, DER, Base64 X.509, and PKCS#7.


Figure 77: An Example of a Signed Certificate

Header
-----BEGIN CERTIFICATE-----
nfi897rho987fb+mht>,oi$s25hgj98iJop)kjh
GrDfgyui987jg55dJ99KJY6%$3@@Sd5()~
43dbi0oMl=_+;mhjuuhJ8*&tfeEckiooplkjghf
hkjhyytuUTffRgYyYUy^6676%$$RgLo0l0LI
-----END CERTIFICATE-----
Footer

11. Cut the signed certificate from whatever file the PKI System sent it in, then paste it into the file you created in Step 6. Include the header and footer.

Note:

The right edge of the certificate must be even (justified). If the certificate was sent to you in a web page where the last line may run past the right side, place a carriage return at the appropriate point in the line to even it up. Also place a carriage return at the end of the footer line.

12. Return to the Policy Manager for My Certificates for the specific VSU.

13. From the Maintain Certificates list, select the item identifying the requested certificate.

14. Click Download Fulfilled Request to VSU to open the Open dialog box.

15. Use the Look in drop-down list to navigate to the location of the signed certificate file. The manager uses DER as the default filename extension, but TXT can be used.

16. Select the signed certificate file, then click Open to return to the Policy Manager window. After the VSU has received the signed certificate, the Status column changes from Request Ready to Cert Accepted.
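The cut-and-paste in step 11 and the note about justified lines are where a download to the VSU most often goes wrong, so the following added example (not Avaya's VPNmanager code) tidies a pasted PEM certificate into 64-column lines with a carriage return after the footer, checks that the decoded DER has not been truncated, and classifies a file as one of the delivery formats the VSU accepts (PEM, DER, Base64 X.509, PKCS#7). The sample certificate body is a constructed DER SEQUENCE, not a real X.509 certificate, and the function names are assumptions; the PEM-to-DER conversion uses the standard library's ssl.PEM_cert_to_DER_cert.

```python
"""Added example (not Avaya's code): normalising a pasted PEM certificate and
sniffing the delivery format before it is downloaded to the VSU."""
import base64
import binascii
import ssl
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
# DER encoding of the PKCS#7 signedData content type OID 1.2.840.113549.1.7.2
PKCS7_SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")


def normalize_pem(text):
    """Re-wrap a pasted PEM certificate into justified 64-column lines with
    a carriage return after the footer. Tolerates header/footer lines whose
    internal spaces were lost and a last body line that ran past the margin.
    Raises ValueError if the body is not valid base64."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if (not lines or lines[0].replace(" ", "") != PEM_HEADER.replace(" ", "")
            or lines[-1].replace(" ", "") != PEM_FOOTER.replace(" ", "")):
        raise ValueError("missing BEGIN CERTIFICATE header or END CERTIFICATE footer")
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid base64") from exc
    body = textwrap.wrap(base64.b64encode(der).decode("ascii"), 64)
    return "\n".join([PEM_HEADER, *body, PEM_FOOTER]) + "\n"


def pem_to_der(pem):
    """Standard-library conversion; requires the exact header and footer."""
    return ssl.PEM_cert_to_DER_cert(pem)


def der_is_complete(der):
    """Check that the outer SEQUENCE length matches the data length, which
    catches a certificate truncated while cutting and pasting."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        header_len, length = 2, first
    else:                                  # long-form length: N length bytes follow
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header_len, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header_len + length == len(der)


def detect_format(data):
    """Classify file contents as 'PEM', 'DER', 'Base64 X.509' (bare base64
    without armor), 'PKCS#7', or 'unknown'."""
    if data[:1] == b"\x30":
        return "PKCS#7" if PKCS7_SIGNED_DATA_OID in data[:32] else "DER"
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "unknown"
    compact = text.replace(" ", "")
    if "-----BEGINPKCS7-----" in compact:
        return "PKCS#7"
    if PEM_HEADER.replace(" ", "") in compact:
        return "PEM"
    try:
        decoded = base64.b64decode("".join(text.split()), validate=True)
    except binascii.Error:
        return "unknown"
    return "Base64 X.509" if decoded[:1] == b"\x30" else "unknown"


# Constructed stand-in for a certificate: SEQUENCE { INTEGER 5, OCTET STRING "vsu" }
SAMPLE_DER = b"\x30\x08\x02\x01\x05\x04\x03vsu"
# The same bytes as they might arrive from a web page: header without its
# space, an uneven last line, and no carriage return after the footer.
SAMPLE_PASTED = "-----BEGINCERTIFICATE-----\nMAgCAQUE\nA3ZzdQ==\n-----ENDCERTIFICATE-----"

if __name__ == "__main__":
    pem = normalize_pem(SAMPLE_PASTED)
    print(pem, end="")
    der = pem_to_der(pem)
    print("complete DER:", der_is_complete(der), "format:", detect_format(der))
```

The format check only reads the first bytes, so it tells you what kind of file you are about to download, not whether the certificate chains to an issuer the VSU trusts; that is what the Issuer Certificate installed on the target is for.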

Switching certificates used by VPNmanager Console

VPNmanager Console uses the default certificate of the VSU to establish a secure connection with the VSU. The default certificate can be used until it expires (6 years), or until the VPNmanager Console is made to use a different certificate. The VSU certificate used by VPNmanager Console can be changed at any time.

To switch certificates:

1. From the Device > Contents column, select the VSU you want to configure.

2. Click the Policies tab to bring it to the front.

3. From the drop-down list, select My Certificates, then click GO to open the Policy Manager for My Certificates.


4. From the Maintain Certificates list, select the certificate that you want the VPNmanager Console to use.

5. The default VSU certificate is identified by an asterisk in the MGR column. Although a specific certificate may have other targets, as assigned through the IKE Certificate Usage tab (see IKE Certificate Usage on page 240), the VPNmanager Console can still use it.

6. Click Use as Manager Certificate to make the VPNmanager Console a target of the certificate.

Issuer certificates

Targets use an Issuer Certificate to authenticate a Signed Certificate. VSU targets can dynamically store up to eight Issuer Certificates. Storage on VPNremote Client targets is limited only by the amount of physical memory in the computer. Issuer Certificates must be installed on targets before they are needed to authenticate a Signed Certificate. This section explains how to retrieve and install Issuer Certificates for VSU targets. For information about installing Issuer Certificates on VPNremote clients, see the VPNremote Administrator's Guide.

About Issuer Certificates

The Signed Certificates stored in VSUs are X.509 public-key certificates. They are used for distributing a VSU's public key to targets (other VSUs, VPNremote Clients, and IKE-compatible clients). Every Signed Certificate identifies which Public Key Infrastructure (PKI) System signed it. However, targets must use a method to authenticate every Signed Certificate they receive.

An Issuer Certificate may also be called a "Signing Certificate" or "Certification Authority (CA) Certificate." Targets use an Issuer Certificate to authenticate a Signed Certificate. Therefore, the Issuer Certificate must be from the same PKI System, because the Signed Certificate was signed by the issuer's private key. Figure 78 illustrates how Issuer Certificates fit into the scheme of signed certificate exchange.


Figure 78: Issuer Certificates

(Diagram: the PKI system, VSUA, the WAN, VSUB, and the target of VSUA, with steps 1 to 4 marked.)

Targets use Issuer Certificates to authenticate Signed Certificates they receive. The Issuer Certificate must be from the same PKI System that created the Signed Certificate. Issuer Certificates are stored on targets.

Explanation for Figure 78:

1. A Certificate Request from VSUA is sent to a PKI System to be signed.

2. The PKI uses the Certificate Request to create a Signed Certificate specifically for VSUA. The Signed Certificate is then stored on VSUA.

3. Every target of VSUA must have VSUA's Signed Certificate.

Note:

The target uses an Issuer Certificate to authenticate VSUA's Signed Certificate. The Issuer Certificate must be from the same PKI that created VSUA's Signed Certificate.

Installing an issuer certificate

Use the Policy Manager for installing Issuer Certificates in a specific VSU. The VSU then uses the Issuer Certificate to authenticate certificates received from other VSUs.

The process is explained in Figure 78.

To install an Issuer Certificate into a VSU (target):

1. Get an Issuer Certificate from a PKI System. Use the same PKI System that created the Signed Certificate.

2. The PKI System must use the Distinguished Encoding Rules (DER) format for creating the Issuer Certificate. Figure 79 shows what a certificate looks like (its body has been shortened for the example).


Figure 79: An Example of an Issuer Certificate

Header
-----BEGIN CERTIFICATE-----
nfi897rho987fb+mht>,oi$s25hgj98iJop)kjh
GrDfgyui987jg55dJ99KJY6%$3@@Sd5()~
43dbi0oMl=_+;mhjuuhJ8*&tfeEckiooplkjghf
hkjhyytuUTffRgYyYUy^6676%$$RgLo0l0LI
-----END CERTIFICATE-----
Footer

3. Cut the issuer certificate from whatever file the PKI system sent it in, then paste it into a text file. The file can have a DER or TXT file name extension.

Note:

The right edge of the certificate must be even (justified). If the certificate was sent to you in a web page where the last line may run past the right side, place a carriage return at the appropriate point in the line to even it up. Also place a carriage return at the end of the footer line.

4. Return to the Policy Manager for Issuer Certificates for the VSU needing the certificate.

5. Click Add to open the Open dialog box.

6. Use the Look in drop-down list to navigate to the location of the Issuer Certificate.

7. Select the Issuer Certificate, then click Open to return to the Policy Manager window.

8. After the VSU has received the Issuer Certificate, the certificate appears in the Issuer Certificates list.

IKE Certificate Usage

If you are creating VPNs that use certificates for authentication and security, use the Policy Manager for IKE Certificate Usage to configure how VSU Certificates must be used. Those certificates were created and installed in VSUs from the My Certificates policies (see Policy Manager - My Certificates on page 234). The IKE Certificate Usage policy is the mechanism used for exchanging certificates in a VPN.
