Avaya 3.7 User Manual


Using the Device Actions tab

Re-setup Device

Allows a complete re-setup of the security gateway. This is normally done when the security gateway that was created did not yet exist in the network, or when the security gateway has been replaced with a new unit.

Import Device Configuration

You can use the Import Device Configuration feature in VPNmanager to import configuration data from security gateways running VPNos 4.31, for use in VPNmanager.

While it is feasible to configure a small number of security gateways using the VPNos Web interface or the security gateway’s CLI, it quickly becomes impractical for larger installations. When switching to VPNmanager for centralized management of devices which have already been configured, the Import Device Configuration feature allows the devices' existing configuration data to be easily migrated to VPNmanager.

When a device configuration is imported into VPNmanager, only the device-level configuration settings are imported. The domain-level settings, e.g. VPNs, Firewall templates, Users and Failover, are not imported. The configuration settings that are imported apply only to the specified device.

Note:

If VPNmanager already has any configuration data for a particular device, the retrieved data overwrites the existing data for that device.

In VPNmanager 3.4, the Import Device Configuration feature supports importing of the following configuration settings:

Interfaces

Static Routes

Network Objects

Services

VoIP

DNS

NAT

NAT Traversal

DoS

SSH/Telnet

Management Access

Issue 4 May 2005 281

Device management

To import configuration data for a device:

1. Select “Devices” on the Configuration window in VPNmanager.

2. Select the device from which configuration data will be imported. (If the device entry does not yet exist in VPNmanager, simply create a new device, specifying its IP address and selecting “Set Up Later” in the Device Setup Wizard.)

3. Select the device Actions tab.

4. Click the Import Configuration button.

Ethernet Speed

The Ethernet Speed button only appears when a VSU10000 is the selected device.

The Ethernet Speed button allows VPNmanager to configure the Ethernet speed on a per-port basis.

When the Ethernet Speed button is selected, there is a short delay in presenting the Ethernet Speed dialog box. This delay is due to VPNmanager trying to contact the security gateway to retrieve the current port speed settings. When the VPNmanager has retrieved the current speed settings, the Ethernet Speed dialog box displays the public port settings by default. The current private port settings are displayed at the top of the Ethernet Speed dialog box.

Port. - Select the public or private port to configure the port speed of the selected security gateway.

Set Speed. - Configure the Ethernet speed by selecting one of the following speed options:

Note:

When selecting the port speed, be sure to select a speed that is supported by the host PC. If the host PC does not support the selected speed, VPNmanager loses connectivity to the security gateway.

Auto Negotiate. - Auto negotiation allows the security gateway’s Ethernet port and host PC to automatically select the correct port speed and duplex mode to be used between the two ports.

1000 Mbps, Full Duplex. - This option allows the VPNmanager to configure the security gateway’s Ethernet port speed to 1000 Mbps in full duplex mode. In full duplex mode, the Ethernet port is capable of sending and receiving packets simultaneously over the network at 1000 Mbps.

1000 Mbps, Half Duplex. - This option allows the VPNmanager to configure the security gateway’s Ethernet port speed to 1000 Mbps in half duplex mode. In half duplex mode, the Ethernet port is capable of either sending or receiving packets over the network at 1000 Mbps.

282 Avaya VPNmanager Configuration Guide Release 3.7


100 Mbps, Full Duplex. - This option allows the VPNmanager to configure the security gateway’s Ethernet port speed to 100 Mbps in full duplex mode. In full duplex mode, the Ethernet port is capable of sending and receiving packets simultaneously over the network at 100 Mbps.

100 Mbps, Half Duplex. - This option allows the VPNmanager to configure the security gateway’s Ethernet port speed to 100 Mbps in half duplex mode. In half duplex mode, the Ethernet port is capable of sending or receiving packets over the network at 100 Mbps.

10 Mbps, Full Duplex. - This option allows the VPNmanager to configure the security gateway’s Ethernet port speed to 10 Mbps in full duplex mode. In full duplex mode, the Ethernet port is capable of sending and receiving packets simultaneously over the network at 10 Mbps.

10 Mbps, Half Duplex. - This option allows the VPNmanager to configure the security gateway’s Ethernet port speed to 10 Mbps in half duplex mode. In half duplex mode, the Ethernet port is capable of sending or receiving packets over the network at 10 Mbps.

Redundancy

This button only appears when a VSU-1200/7500 is the selected device.

This screen appears when the Redundancy button on the security gateway Action tab is clicked. It is used to set up specific redundancy attributes when two VSU-1200/7500s are being used to back up each other.

This function also allows you to check the status of the redundant systems in the VSU-1200/7500, and allows you to manually switch over the active Ethernet ports from the primary to secondary ports or vice versa. This switch-over function can be performed for both ports on a single card or for an individual active port.

Network Interface Status

Card 1, Card 2 - Shows the current status of the public and private Ethernet ports located on the primary and secondary Ethernet interface cards. The port names are shown next to three icons indicating the current port status. The first box indicates whether the port is on, off, or defective. The second box indicates if the port is connected and at what speed it is operating (100 or 10 megabits per second), and the last box indicates Full or Half duplex.

Fan/Power Status - Indicates the power supply fan status. The Fan/Power Status section shows the current state of the redundant cooling fans and power supply modules. If a fan or power supply module fails, a FAILED status is displayed indicating which component failed. Refer to the VSU-1200 User Guide for instructions on how to replace the failed component.


IPSec Engine Status - The IPSec Engine Status section shows the current state of the VSU-1200’s two packet processor engines (PPE). If either PPE fails, a FAILED status is displayed indicating which PPE failed. Both PPEs must be functional for the VSU-1200 to operate correctly. The PPEs and Ethernet cards are enclosed in a tamper-evident case and can only be serviced by an authorized technician. Contact your customer service representative for instructions on getting the VSU-1200 repaired.

Switching

To individually switch the active public or private ports, select which active ports to switch from and which passive ports to switch to, then click the Switch Ports button. Note that the active public and private ports can only be switched to passive ports of the same type. A public port cannot be switched to a private port or vice versa.

Importing and exporting VPN configurations to a device

A secure, inter-company extranet can be created by exporting a VPN configuration to a file that is then imported by other VPNmanager installations. Select Import VPN when you receive your exported VPN file and have it copied to a local directory. You will need the password from the exporting administrator.

Export VPN

Creating an extranet is a cooperative effort between system administrators running independent copies of VPNmanager and involves the same steps as creating any other VPN: create the VSUs, then the Groups and Clients, and finally the VPN.

The names chosen for VPN components must be synchronized within each corporation’s VPNmanager. This requires close coordination between the system administrators during the VPN component creation process and can be achieved by performing the following procedure:

The administrators at each corporation agree that all VPN components will be created by one of the administrators (the “exporting” administrator) and that the exporting administrator will create and deliver an export VPN configuration file to the other administrators (the “importing” administrators).

The exporting administrator then creates security gateways, groups, users, and VPNs required, with the exception of the security gateways under management control of importing administrators.

The VPN name must be unique to both the exporting and importing administrators’ VPNmanager databases.


When creating an “alien Group,” which is a group that includes IP address/mask pairs residing within an importing administrator’s network, the exporting administrator associates each alien Group with an extranet device.

In the Group configuration, the IP address of the importing administrator’s security gateway must be specified if any tunnel mode VPNs include this security gateway.

After creating the VPN, the exporting administrator exports the VPN configuration file and delivers it, along with the password used to protect the file, to the importing administrators.

The importing administrators import the VPN configuration file using the supplied password.

Finally, the importing administrators edit the alien Group, modifying the security gateway association appropriately.

The Export VPN screen appears allowing you to select the VPN to be exported.

Once you have entered the password, click OK. The new VPN file is decoded and entered into the VPNmanager server, and the new VPN objects appear.

If any pair in the “Current IP Network/Mask Pairs” list represents a network under your management control, associate the Group with the appropriate security gateway by modifying the “Associate this Group with security gateway” picklist.

For Groups with network/mask pairs that are not under your management control, leave the “Associate this Group with security gateway” picklist as an extranet device and confirm that the “Extranet IP Address” entry field contains the correct IP address, especially if any tunnel mode VPNs include this security gateway.

Repeat this step for all Groups in the imported VPN.

Note:

For any Certificate Based IKE extranet VPNs, verify that the proper certificates are installed on all devices.

Exporting RADIUS

The Export RADIUS function is used to export VPN information to an existing RADIUS database. This is primarily for backwards compatibility, but also useful if you wish to convert your existing VPN (using local security gateway-based user authentication) into a dynamic VPN for future scalability. It is, however, expected that LDAP will be the preferred method of building dynamic VPNs.

In this procedure, your existing client configuration information is migrated to the RADIUS database through a RADIUS-compatible export file. The Export RADIUS pane appears with a list of all users you wish to include in the export. When you click OK, VPNmanager creates a text file.

The saved text file consists of entries that must be added to the RADIUS server “users” file.


The Users file variable parameters are:

<Client_name> – The name of the Client as entered in VPNmanager. Case and spelling are significant. This parameter is written by VPNmanager.

<authentication password> – The response required from the Client to the authentication challenge sent through the security gateway by the RADIUS server. Case and spelling are significant. This field must be entered by the system administrator.

<VPN-specific algorithm and key information> – Information specific to the VPNs of which the Client is a member. There may be one or more of these entries. These parameters are written by VPNmanager.

Note:

The export RADIUS Users file created by VPNmanager contains no entries in the authentication password field. Consequently, after creating the file, you must edit it to add the authentication password field to each Client. Additionally, the security of the cryptographic keys used to secure VPNs is not compromised during the VPNmanager-to-RADIUS transfer: all VPN keys are encrypted with Triple DES encryption (56-bit DES encryption for the DES-only version of VPNmanager).

This completes the process for configuring RADIUS support. If any Clients are rekeyed, they must be re-exported to the RADIUS server to reflect the new key.
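As an added illustration (not from the manual), the script below checks an exported users file before it is merged into the RADIUS server: it reports Client entries whose authentication password is still missing or empty, and Client names that differ only in case, since the manual states that case and spelling are significant. It assumes the classic RADIUS users-file layout (client name at column 0 with check items, indented reply items) and uses placeholder X-VPN-* attribute names for the algorithm and key information, because the manual does not document the exact attributes VPNmanager writes.

```python
import re
from typing import Dict, List

# Constructed sample in the classic RADIUS "users" file layout (client name at
# column 0 with check items, indented reply items, blank line between entries).
# X-VPN-* attribute names are placeholders: the manual does not say which
# attributes VPNmanager writes for the VPN algorithm and key information.
SAMPLE_USERS_FILE = """\
alice    Cleartext-Password := "constructed-example"
         X-VPN-Algorithm = "3DES", X-VPN-Key = "ENCRYPTED-KEY-PLACEHOLDER-1"

bob
         X-VPN-Algorithm = "3DES", X-VPN-Key = "ENCRYPTED-KEY-PLACEHOLDER-2"

Alice    Cleartext-Password := ""
         X-VPN-Algorithm = "3DES", X-VPN-Key = "ENCRYPTED-KEY-PLACEHOLDER-3"
"""

PASSWORD_ITEMS = ("Cleartext-Password", "User-Password", "Password")  # may carry the password
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=~|!=|=)\s*("[^"]*"|[^,\s]+)')


def _items(fragment: str) -> Dict[str, str]:
    """Parse 'Attr op value, Attr op value' into {Attr: value} with quotes removed."""
    return {attr: val.strip('"') for attr, _op, val in ITEM_RE.findall(fragment)}


def parse_users_file(text: str) -> List[Dict]:
    """Split a users file into entries of {'name', 'check', 'reply'} dicts."""
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():  # indented line: reply items of the current entry
            if current is not None:
                current["reply"].update(_items(raw))
            continue
        parts = raw.split(None, 1)  # column 0: client name, then check items
        check = _items(parts[1]) if len(parts) > 1 else {}
        current = {"name": parts[0], "check": check, "reply": {}}
        entries.append(current)
    return entries


def audit_export(text: str) -> Dict[str, List[str]]:
    """Return {client_name: [findings]} for entries to fix before loading into RADIUS."""
    findings: Dict[str, List[str]] = {}
    seen: Dict[str, str] = {}  # lower-cased name -> first spelling seen
    for entry in parse_users_file(text):
        problems = []
        pw = next((entry["check"][k] for k in PASSWORD_ITEMS if k in entry["check"]), None)
        if pw is None:
            problems.append("no authentication password item")
        elif pw == "":
            problems.append("empty authentication password")
        first = seen.setdefault(entry["name"].lower(), entry["name"])
        if first != entry["name"]:  # per the manual, case and spelling are significant
            problems.append(f"name differs only in case from {first!r}")
        if problems:
            findings[entry["name"]] = problems
    return findings
```

Running `audit_export` on the constructed sample flags `bob` (no password item) and `Alice` (empty password, and a near-duplicate of `alice`), while `alice` passes.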

Note:

Telnet sends traffic, including the login password, in the clear. Remember to disable telnet after you use it.


Chapter 12: Upgrading firmware and licenses

You can upgrade the VPNos firmware and license from the VPNmanager and set encryption strength and remote access for VSU100s.

Centralized firmware management

The VPNmanager centralized firmware management allows you to upgrade the firmware for one or many security gateways at one time. You can quickly verify the firmware release for any security gateway or VSU model. VPNmanager validates that the firmware image is correct before upgrading the device. The available firmware images are stored in the policy server.

Before upgrading the firmware using the centralized firmware management feature, you must download the latest firmware from Avaya Inc.

The security gateway firmware download is password-protected. Contact technical support at vpnsupport@avaya.com to request a password prior to beginning the download.

Read the latest security gateway product readme file before beginning the upgrade. For the latest version of the file for all security gateways, go to the VPN and Security page on the Avaya Support Technical Database Web site at http://support.avaya.com, select the security gateway type to be downloaded, and follow the links to the Readme file.

Following are a few definitions that you should be familiar with prior to using the centralized firmware management feature:

Device Inventory

The device inventory is displayed when the Upgrade Firmware button is selected. The device inventory lists the name of the available devices to be upgraded, type of the device available for upgrade, current firmware version, and the available versions of firmware for the specific device.

Firmware Library

The firmware library lists the devices and the available firmware versions for each specific device. The firmware library is a repository that is stored and maintained on the policy server; the various versions of firmware for the different devices are stored there.

Firmware versions can be added to the firmware library. Click the Add button to browse to the firmware location and add the image to the firmware library repository on the policy server. Previous or older versions of the firmware can be deleted from the firmware library repository on the policy server.


Upgrade Options

The upgrade options are:

Skip devices that are up-to-date

This option is the default setting. Devices that are up-to-date are not displayed in the upgrade list. If a device is to be downgraded, this option must be unchecked to view all devices in the upgrade list.

Prompt for reboot

This option is not the default setting. All devices selected in the upgrade list to be upgraded will reboot when the upgrade is completed. All devices must be rebooted in order for the upgrade to take effect.

Upgrade Devices

The upgrade devices button activates the upgrade wizard. Use the upgrade wizard to walk you through the steps to upgrade using the centralized firmware management feature.

Note:

The upgrade devices wizard does not allow downgrading of devices.

To upgrade the firmware using centralized firmware management:

1. From the configuration console, click the Upgrade Firmware button.

2. The Device Inventory dialog appears.

3. Select the Upgrade Devices button to begin the upgrade devices wizard.

4. Select the device(s) to be upgraded from the Available Devices column.

5. Click the Move Left button to move the selected devices into the Device(s) to Upgrade column.

6. Click Next to review the pending device(s) upgrade.

7. Click Upgrade to complete the device(s) upgrade.

Device - Upgrade tab

The Upgrade tab provides access to security gateway upgrade facilities including firmware upgrades and optional feature activation. For devices with firmware version 4.2 or later, license files can be uploaded from the Upgrade tab.


Figure 87: Device Upgrade tab

Upgrading a security gateway’s firmware

Use the Upgrade Firmware button for upgrading the firmware of a specific security gateway. Before upgrading firmware from the VPNmanager, you must download the latest firmware from Avaya Inc.

The security gateway firmware download is password-protected. Contact technical support at vpnsupport@avaya.com to request a password prior to beginning the download.

Read the latest security gateway product readme file before beginning the upgrade. For the latest version of the file for all security gateways, go to the VPN and Security page on the Avaya Support Technical Database Web site at http://support.avaya.com, select the security gateway type to be downloaded, and follow the links to the Readme file.

Note:

Because the upgrade procedure removes the security gateway from service, firmware upgrades should be a scheduled maintenance activity.

To upgrade a security gateway’s firmware:

1. Once you have received your password, go to the Avaya Support Technical Database Web page at http://support.avaya.com, click VPN and Security and select the appropriate security gateway type to download.

2. Click Software Downloads and follow the links. Click the security gateway type link to begin the download process.

3. Select Save this file to disk. Click OK.

4. Browse to the directory where the VPNos download files should be saved. Click Save.

5. Navigate to the directory where the VPNos file was saved.


6. Double-click the firmware zip file to begin extracting the VPNos image. The Password screen appears.

7. Enter the password from technical support.

8. Go to the VPNmanager Console, then move to the Configuration Console window.

9. Click View>Device to list all the security gateways in the Contents column.

10. From the Contents column, select the security gateway to upgrade.

11. Click the Upgrade tab to bring it to the front.

12. Click Upgrade Firmware; the Open dialog box appears.

13. Navigate to the directory where the VPNos firmware image was saved.

14. Select the update.bin file.

15. Click Open to install the update.bin file.

16. When installation is complete, a message box appears asking if you want to reboot the security gateway.

If the subdirectory has an upstage2.bin file, click NO. Do not reboot the security gateway. You need to install the upstage2.bin file. Follow the instructions, starting from Step 9; in step 14, select the upstage2.bin file.

If the security gateway subdirectory does not have an upstage2.bin file, click YES. If you answered YES to rebooting the security gateway, your upgrade is complete.

17. Click OK to return to the VPNmanager Console.

18. The task summary is displayed.

19. Close the task summary window and check the security gateway status. The security gateway status should be success.

20. If you have not communicated with the target security gateway, the security gateway logon screen appears: enter your login credentials to complete the download.

21. When the download is finished, click Reboot Device to reboot the security gateway.

Note:

A security gateway takes at least two minutes to reboot.

License

Beginning with VPNos 4.2, you can obtain additional licenses to increase the number of remote users and site-to-site VPN connections that are allowed during a secure session.

When you purchase additional licenses, you receive a file with the encrypted information. This file is created based on the serial number of the security gateway and the number of licenses that are available on that security gateway. This file cannot be applied to another security gateway.
