Avaya 3.7 User Manual


Sequence to configure your VPN

11. Configure firewall rules

12. Associate firewall rules with the correct gateway and security zone

13. Configure other features such as QoS, VoIP gateway, DHCP, NAT, routing, etc.

Issue 4 May 2005 31

Overview of implementation

32 Avaya VPNmanager Configuration Guide Release 3.7

Chapter 2: Using VPNmanager

With Avaya VPNmanager you can define, configure, and manage VPNs and firewall policies, upgrade firmware, and manage remote user access policies. The VPNmanager graphical interface is modularized by functions and tasks to make configuring a VPN fast and easy.

This chapter describes how to:

Log in

Navigate the VPNmanager Console interface

Configure Preferences for the VPNmanager Console

Communicate with the security gateway

About VPNmanager administrators

When the VPNmanager software was installed, during the policy server login configuration, you configured the centralized management VPNmanager login ID and password.

A VPNmanager administrator can also be set up as an SNMPv3 administrator.

In previous releases of VPNmanager the super user administrator was supported. Beginning with VPNmanager 3.5, the super user administrator function has been expanded and is now included in the role based management feature.

Role Based Management

This feature allows network administrators to assign one or more management roles. Additionally, using role based access control (RBAC) in conjunction with corporate security guidelines, the network administrator can more effectively and efficiently manage the security of the corporate network.

Beginning with VPNmanager 3.5, the role based management feature will support three classes of users as follows:

1. Super User

   One super user is configurable. The super user has unlimited access control over all VPN domains, and is the user configured from the policy server.

   Only the super user can create VPN domains, create administrators, define RBACs for the administrators, and change administrator passwords.

2. Administrator with full access

   An administrator with full access can modify the configuration for VPN domains, change their password, and be part of multiple VPN domains.

   VPNmanager allows a full-access administrator to modify objects and devices that are saved by VPNmanager. RBAC full-access administrators can create or delete objects, update or upgrade devices, and modify or import configuration.

   Full-access administrators are not able to create new VPN domains, create new administrators, or change other administrators' passwords.

3. Administrator with read-only access

   An administrator with read-only access can view the configuration for VPN domains, change their password, and be part of multiple VPN domains.

   Read-only administrators cannot create, modify, or delete objects. Additionally, read-only administrators cannot update or upgrade devices, modify or import configuration, reboot or reset devices, import or apply licenses, or change other administrators' passwords.

To add an administrator

The Admin object is used to change the super user password and to create administrators.

1. Select Admin from the New Objects list. The New Admin dialog opens.

2. Enter the administrator’s name and the admin directory password.

3. Click Apply and then click Close.

To configure an administrator to be an SNMPv3 admin

1. From the Configuration Console>Admin Contents column, select the admin to be configured as an SNMPv3 admin. Select the SNMP tab to bring it to the front.

2. Check Enable.

3. For the Security Level, select either

   Authentication and Privacy

   Authentication and No Privacy

4. Based on the selection, the privacy settings are enabled or disabled.

5. In the Authentication Protocol field, select either the default, HMAC_SHA1, or HMAC_MD5 and enter a password.

6. For the privacy settings, the only available value is DES_CBC. Enter the privacy password.

7. When finished, click Save. When you configure SNMPv3 for a device, the admin name is listed.
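
What the two passwords entered in this procedure become on the wire, as an added example (not Avaya code): the standard SNMPv3 USM key derivation from RFC 3414, using the field values named above. The function names, the 8-character minimum and the sample engine ID are assumptions of the example.

```python
import hashlib

# Field values as the page names them.
AUTH_HASHES = {"HMAC_SHA1": hashlib.sha1, "HMAC_MD5": hashlib.md5}
AUTH_PRIV = "Authentication and Privacy"
AUTH_NO_PRIV = "Authentication and No Privacy"


def password_to_key(password, auth_protocol):
    """RFC 3414 A.2: hash 1,048,576 octets of the repeated password (user key Ku)."""
    # Common USM minimum, assumed here; the page states no length rule.
    if len(password) < 8:
        raise ValueError("password shorter than 8 characters")
    pw = password.encode()
    reps, rem = divmod(1048576, len(pw))
    return AUTH_HASHES[auth_protocol](pw * reps + pw[:rem]).digest()


def localize_key(ku, engine_id, auth_protocol):
    """RFC 3414 2.6: bind Ku to one SNMP engine, so a key recovered from one
    device is not valid on another: Kul = H(Ku || engineID || Ku)."""
    return AUTH_HASHES[auth_protocol](ku + engine_id + ku).digest()


def derive_usm_keys(level, auth_protocol, auth_password, engine_id,
                    priv_password=None):
    """Return the per-device keys implied by the dialog's settings."""
    if level not in (AUTH_PRIV, AUTH_NO_PRIV):
        raise ValueError("unknown security level: %r" % level)
    if auth_protocol not in AUTH_HASHES:
        raise ValueError("unknown authentication protocol: %r" % auth_protocol)
    ku = password_to_key(auth_password, auth_protocol)
    keys = {"auth_key": localize_key(ku, engine_id, auth_protocol)}
    if level == AUTH_PRIV:
        if priv_password is None:
            raise ValueError("a privacy password is required at this level")
        # The privacy key is derived with the *authentication* hash; DES_CBC
        # uses its first 8 octets as the DES key and the next 8 as the pre-IV.
        kul = localize_key(password_to_key(priv_password, auth_protocol),
                           engine_id, auth_protocol)
        keys["des_key"], keys["des_pre_iv"] = kul[:8], kul[8:16]
    return keys


if __name__ == "__main__":
    # Constructed input: the RFC 3414 A.3 test password and engine ID.
    engine = bytes.fromhex("000000000000000000000002")
    for name, key in derive_usm_keys(AUTH_PRIV, "HMAC_SHA1", "maplesyrup",
                                     engine, "maplesyrup").items():
        print(name, key.hex())
```

Because the key is localized per engine ID, the same admin password yields a different key on every security gateway.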


Log into the VPNmanager console

You log in to the VPNmanager from your computer’s Start menu, Programs>Avaya>VPNmanager>Console. You use the super user name and password that were configured when the VPNmanager software was installed.

Figure 2: VPNmanager login screen

The first time you log in to the VPNmanager Console, you log in as the super user and add the policy server address or the name associated with the address. See Add a policy server on page 35.

Administrators that the super user creates can log in.

To log in:

1. In the User Name field, type the administrator name, if it is not displayed.

2. Type the password that was configured when the VPNmanager software was installed.

3. The IP address or name of the policy server is listed in the Policy Servers list. Select the Policy Server, if it is not highlighted, and click Connect to log into the server.

Add a policy server

The policy server is installed during the installation of the VPNmanager Console. The policy server distributes configuration and security policies. The VPNmanager console is a client that communicates with the policy server to retrieve security policies. The policy server then communicates with the directory server.

You add the policy server address the first time you log in to the VPNmanager Console.

1. From the VPNmanager Login dialog, click Add.

2. Enter the name that identifies the Policy Server, if available. This is the “user friendly name”.

3. Enter the IP address of the Policy Server.

4. Enter the port. The default is 443.

5. Click OK. The name or address is displayed on the login screen. You can edit or delete the policy server information.

Open Domain

When you connect to the directory server, an Open Domain screen appears. A list of all domains is displayed, with the last-selected domain highlighted.

Note:

The Open Domain screen does not appear if you add a context and then click Connect on the first logon dialog.

At this point, the main console display screen appears and the selected VPN appears in the View VPN window.

Navigating the main window

The VPNmanager Console consists of the console main window, the Configuration Console window and dialogs to configure and monitor domains, VPNs, and the security gateway and network configurations related to them.

When you log in to VPNmanager for the first time, the main window is blank. The title bar shows No Domain Open. When you open a domain, the title bar shows the name of the domain that is opened.

The main window includes a menu bar, a toolbar, the view VPN pane, and the alarms monitoring pane.


Figure 3: VPNmanager console main window (callouts: header with domain name, menu bar, icon toolbar, View pane, Alarm pane)

The menu bar on the main VPNmanager screen includes the following commands: File, Edit, View, Tools, and Help.

File menu

The File menu includes the following commands:

Domain. You can create a new domain, open, close, or delete an existing domain, and select from a list of recent domains that were accessed.

When you select to create New, a dialog to create a new domain name is displayed. This name is the unique name assigned to an overall virtual private network. A VPN domain is a collection of VPN devices that compose a VPN network. See This chapter describes the following features that are configured for the domain and the security gateway on page 55.

When you select Delete, a list of all available domains is displayed. You can delete just the users within the domain, just the user groups within the domain, or all objects within the domain.


Note:

When you delete VPNs that include groups associated with RADIUS-enabled security gateways, the VPNremote Client configuration records should be removed from the RADIUS database. See RADIUS/ACE Services on page 124.

New Object. When New Object is selected, a list of objects that can be created is displayed. When you select one of these commands, either a dialog or a wizard is opened to configure the information. Table 2 describes the new objects that can be configured.

Logoff. Logoff closes the current directory server without exiting VPNmanager. The Login screen appears immediately after you log off.

Exit. Exit closes the VPNmanager console.

Figure 4: File Menu>New Object list

Table 2: New object

| Objects | Description |
|---|---|
| Device | You create a new security gateway within a domain and configure the port interfaces. |
| IPGroup | You configure new IP groups to assign workstations and servers. |
| User | For each remote user, you configure the name and password for authentication. |
| VPN | To create a virtual private network, you give it a name and select a key management method. |
| Service | You create services to specify different traffic types. |
| User Group | You can set up logical groups in which the individual VPN users reside. |
| Device Group | You can group devices and assign users to those specific devices. |
| QoS | You create a quality of service (QoS) policy to classify and prioritize traffic based on a DSCP value and TCP/IP services and networks. |
| Admin | You can configure VPNmanager administrators and assign administrative roles. |
| Failover | You can configure up to five IP addresses for tunnel end points (TEP) and properties for failover reconnection. |
| Converged Network Analyzer (CNA) Test Plug | You can configure the CNA test plug feature to monitor your network in real time to detect and diagnose converged-network related issues. |

Edit menu

From Edit, you can choose one of the following commands:

Delete Object. Select an object from the VPN diagram and then select Edit>Delete Object.

Modify Object. Select an object from the VPN diagram and then select Edit>Modify Object.

Preferences. Edit>Preferences brings up a window with tabs to select from. See Preferences on page 48 for a description of the tabs and how to configure VPNmanager preferences.

View menu

From View, you can select to view the Configuration, the Monitoring Screen, or the Report Wizard.

Configuration. Select View>Configuration to open the Configuration Console, or you can click the Config icon on the toolbar. From the Configuration console you can configure and modify the VPN network. See Configuration Console window on page 44.

Monitoring Screen. Select View>Monitoring Screen to open the Monitoring wizard for the domain that is opened, or you can click the Monitor icon on the toolbar. The Monitor wizard assists you in selecting the various VPN objects you wish to monitor. A number of prebuilt MIB-II and VPNet Enterprise MIB parameter groups can be selected to monitor desired VPN functions, or you can build a custom monitoring group from a comprehensive list of enterprise MIB objects. Examples of ready-to-use groups include an Attack log, Traffic log, security gateway CPU usage, and throughput. You select a type of group to monitor, or you can define a custom group to monitor. See Using Monitor on page 250.

Report Wizard. Select View>Report Wizard to open Reports, or you can click the Reports icon on the toolbar. The wizard guides you through creating various reports showing details of your network or an object in the network. See Report Wizard on page 270.

Tools menu

From Tools, you can access the following commands.

Update Devices. Update Devices is used to update the security gateway configuration with the configuration currently in the Directory Server database.

Show Trace Console. Trace Console is used to log some debugging information. This information is used by Avaya support to diagnose and troubleshoot any problems that may occur.

Help menu

From Help, you can access the VPNmanager Help, and About VPNmanager.

Note:

Many of the VPNmanager screens display a “?” icon that, when selected, opens a Help topic relevant to the screen.

Toolbar

The toolbar on the main VPNmanager screen contains buttons that are shortcuts for the tasks on the Menu bar and the Device Update button.
