
Using Device tabs to configure the security gateway

Figure 17: Device General tab

Directory Name - The directory name is the location of the security gateway in the directory tree structure. The security gateway name is unique within the VPN domain to which it is assigned.

VPN Mode - The VPN mode can either be VPN Gateway or User VPN. In the VPN Gateway mode, the security gateway is configured in a site-to-site VPN. The VPNmanager can manage the device in the VPN Gateway mode. In the User VPN mode, the security gateway connects to the head-end device to download the VPN policies through CCD. The VPNmanager cannot manage the device in the User VPN mode.

IP Address/DNS Name - VPNmanager uses the address to communicate with the security gateway. This address does not change the security gateway’s address. You change the security gateway’s address and subnet mask from the security gateway console.

IP Default Route. - IP default route is the IP address to the gateway router on the wide area network (WAN).

IP Mask. - This is the address mask for the security gateway.

MAC Address. - Security gateway MAC Address

Device Type. - This shows the model number for the device.

Device Firmware Version. - This is the version of firmware running on the device.

Certificate Name. - Name of the certificate issuer.

Issue 4 May 2005 61

Setting up the network

Associated IP Groups area. - This area lists the names of the IP groups associated with this security gateway. You can select an IP group from the list and click Go to go to the IP Group tab to view the group information.

For VSUs running VPNos 4.0 or earlier, the following additional information is shown.

Export Type. - Export type indicates the level of encryption used.

Serial Number - A unique number assigned during manufacturing for each security gateway. The serial number can be viewed from the security gateway and modified through the VPNmanager. When replacing a security gateway in an existing VPN configuration, use the serial number edit button in the VPNmanager to modify the replacement security gateway’s serial number. Modifying the security gateway’s serial number allows the flexibility to replace devices while maintaining the configuration.

Flash Version. - Version of the currently executing NOS from one of two possible flash chips.

FIPS Mode. - Federal Information Processing Standards (FIPS) mode indicates if the security gateway is running in the normal or FIPS Level 2 mode. It is recommended that this mode be used only if an organization’s policy requires FIPS 140-1 Level 2 certification for cryptographic devices.

The following are not supported in FIPS mode:

SKIP VPNs

VPNremote Clients

Any algorithm other than DES or 3DES.

Any authentication algorithm other than SHA-1.

RAS. - For VSU-100R only. This option is used when dial-in VPNremote users are going to access a security gateway-100R. When enabled, this feature allows the security gateway-100R to support remote clients using VPNremote remote access client software as shipped from the factory. The feature is either enabled or disabled.

Memo tab

The Memo tab is used to record notes about the security gateway, such as change history, physical location, firmware version, etc. This information is stored only in the database and is not downloaded to the security gateway.

To create a memo:

1. From the Contents column, select the security gateway you want to configure.

2. Click the Memo tab to bring it to the front.

62 Avaya VPNmanager Configuration Guide Release 3.7


3. In the Memo text box, type in any information about the security gateway.

4. When finished, click Save.

DNS tab

Use the DNS tab to define where to forward the Domain Name Service (DNS) name resolution requests from the IP devices on the private side of the security gateway.

Figure 18: DNS tab

Configuring the DNS tab for security gateways at 4.3 or later

The security gateway includes a DNS name server, and accepts DNS queries from devices on the private side. DHCP devices on the private side receive access to the DNS service automatically. Non-DHCP devices must be manually configured to identify the security gateway as their DNS server. The security gateway server maintains a DNS database on all DHCP clients on the private interface. Non-DHCP clients have no DNS identity.

Note:

The security gateway performs DNS relay functionality only for the private zone.

To resolve DNS queries, the security gateway first consults its own database. If this is unsuccessful, the query is forwarded through the public interface. If DNS Relay Configuration domain entries exist, the security gateway tries to match the domain of the DNS request against the entries’ domains. If a match is found, the security gateway forwards the query only to the name servers associated with that domain. If no match occurs, the security gateway sequentially forwards the query to the specified static DNS servers. If no static DNS servers exist, queries go to Internet name servers. Note that once static DNS servers are added, Internet root name servers are no longer referenced.


When a DNS server is selected to send the DNS query, and no response is received within a short time, another DNS server is selected by continuing the process described in the previous paragraph. But if the previous server replies to the DNS query, another DNS server is not selected, regardless of whether the response is positive or negative.

By default, when a DHCP client in the private zone sends requests for an IP address and the private zone DHCP server is being used, the DHCP server on the private zone sends its interface IP address as the DNS server in the DHCP response. In this way, all of the DNS queries are automatically forwarded to the security gateway.

To add a DNS Relay

Use this procedure to set up the DNS Relay Configuration and the static DNS servers. The maximum number of DNS relay rules is 100. You cannot configure Dynamic DNS servers.

Note:

The Delete, Move Up and Move Down buttons in the DNS Relay Configuration area apply to the IP Address that is currently highlighted.

1. From the Configuration Console Contents column, select the security gateway to be configured. Click the DNS tab to bring it to the front.

2. In the DNS Relay Configuration area, click Add.

3. Enter the Domain name and the Primary IP address of the DNS server. The secondary IP address is optional.

Figure 19: Add DNS relay configuration

4. Click OK.


To add a static DNS server

1. From the Configuration Console Contents column, select the security gateway to be configured. Click the DNS tab to bring it to the front.

2. In the Static DNS Servers area, click Add. Enter the IP address of the DNS server and enable the back-up link, if required.

3. The backup link is the DNS server that is used when the backup Ethernet interface is in use. Only one of the interfaces, either public or public-backup, can be in use at the same time.

4. Click OK.

5. The maximum number of Static DNS servers is four.
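The forwarding order described above (own database, then a matching DNS Relay rule, then the static servers, otherwise the Internet root servers, stopping at the first server that answers), as an added Python model that is not Avaya's code. The DnsConfig class, the sample addresses and the canned_query responder are constructed for illustration, and the model also enforces the limits of 100 relay rules and four static servers stated in the procedures above.

```python
from dataclasses import dataclass, field

MAX_RELAY_RULES = 100        # limits stated for the DNS tab in this section
MAX_STATIC_SERVERS = 4

@dataclass
class DnsConfig:
    local_db: dict            # names the gateway learned from its private-side DHCP clients
    relay_rules: list         # [(domain, [primary_ip, secondary_ip]), ...] in Move Up/Move Down order
    static_servers: list      # static DNS servers, at most four
    root_servers: list = field(default_factory=lambda: ["root"])  # placeholder for Internet root servers

    def __post_init__(self):
        if len(self.relay_rules) > MAX_RELAY_RULES or len(self.static_servers) > MAX_STATIC_SERVERS:
            raise ValueError("at most 100 relay rules and four static DNS servers")

def _in_domain(name, domain):
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def candidate_servers(cfg, name):
    """Servers the gateway forwards `name` to, in the order it tries them."""
    for domain, servers in cfg.relay_rules:
        if _in_domain(name, domain):
            return list(servers)           # matched relay rule: only its servers are used
    if cfg.static_servers:
        return list(cfg.static_servers)    # static servers present: root servers never referenced
    return list(cfg.root_servers)

def resolve(cfg, name, query):
    """query(server, name) returns an address, 'NXDOMAIN', or None when the server times out."""
    if name in cfg.local_db:
        return ("local", cfg.local_db[name])   # the gateway's own database is consulted first
    for server in candidate_servers(cfg, name):
        reply = query(server, name)
        if reply is not None:              # any reply, positive or negative, ends the search
            return (server, reply)
    return (None, None)                    # every candidate timed out

# Constructed sample configuration and canned server behaviour (documentation addresses, not real ones).
SAMPLE = DnsConfig(local_db={"printer.lan": "10.0.0.7"},
                   relay_rules=[("corp.example", ["10.1.1.53", "10.1.2.53"])],
                   static_servers=["192.0.2.53", "192.0.2.54"])
CANNED = {("10.1.1.53", "mail.corp.example"): None,          # primary relay server times out
          ("10.1.2.53", "mail.corp.example"): "10.1.5.25",
          ("192.0.2.53", "www.other.test"): None,
          ("192.0.2.54", "www.other.test"): "NXDOMAIN"}     # negative reply still stops the search

def canned_query(server, name):
    return CANNED.get((server, name))
```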

Configuring the DNS tab for VSU at VPNos 4.2 or earlier

The VSU can resolve addressing for traffic using the Domain Name Service (DNS). However, the security gateways must know the DNS Server IP address. Up to three server addresses can be referenced by a security gateway. DNS servers can be edited or deleted.

To add a DNS server address

Use Add to enter the initial or backup DNS server(s). Enter the IP address of the DNS server in the “Resolve DNS name with this address” field so that the targeted security gateway can register itself with the DNS server. Click Apply to add the new DNS server entry.

1. From the Contents column, select the VSU you want to configure.

2. Click the DNS tab to bring it to the front.

3. Click Add to open the Add DNS Rule dialog box.

4. Type the IP address.

5. Click Apply to add the IP address to the DNS servers list.

6. Click Close to return to the DNS tab, or Apply to add another address.

7. When finished, click Save.

8. When you want to send the configuration to one or more VSUs, click Update Devices.

To edit an existing server address:

1. From the Contents column, select the security gateway you want to edit.

2. Click the DNS tab to bring it to the front.

3. From the Current DNS Servers list, select the address you want to change.

4. Click Edit to open the Add DNS Rule dialog box.

5. Change the IP address.

6. Click Apply to add the edited IP address to the DNS servers list. The Add DNS Rule dialog box automatically closes.


7. Click Close to return to the DNS tab. Clicking Close discards any changes made in the Add DNS Rule dialog box.

8. Click Save to save the change.

9. When you want to send the configuration to one or more VSUs, click Update Devices.

To delete a DNS server address:

1. From the Contents column, select the security gateway whose DNS server address you want to delete.

2. Click the DNS tab to bring it to the front.

3. From the Current DNS Servers list, select the address you want to delete.

4. Click Delete to remove the address.

5. Click Save to save the change.

6. When you want to send the configuration to one or more VSUs, click Update Devices.

Interfaces tab

For security gateways with VPNos 4.31 or later, the Interface tab is used to edit the configuration of the media interfaces on a security gateway.

When you select the Interfaces tab, the screen displays the available media interfaces, with a summary of their configuration and current status. Scroll to see all the information.

The name of the media interface

The zone that is assigned to the media interface

The IP configuration mode

The status. Status identifies if the physical link is up or down, and if the interface is being used by network applications

The IP address

The mask

The default route, if relevant

The MAC address


Figure 20: Interface tab

Media interfaces can be assigned to one of six different network uses, called zones. The number of zones that can be configured depends on the security gateway model (Table 6). Ethernet0 and Ethernet1 are present in all models and are assigned to the public and the private zones. The media interfaces that remain are unused and can be configured as required.

Table 6: Network zones

| Media type             | SG5 and SG5X | SG200   | SG203                                                        | SG208                                                        |
| Ethernet0              | Public       | Public  | Private                                                      | Private                                                      |
| Ethernet1              | Private      | Private | Public                                                       | Public                                                       |
| Ethernet2              | NA           | NA      | Unused, Public backup, Private, Semiprivate, DMZ, Management | Unused, Public backup, Private, Semiprivate, DMZ, Management |
| Ethernet3 to Ethernet5 | NA           | NA      | Unused, Public backup, Private, Semiprivate, DMZ, Management | Unused, Public backup, Private, Semiprivate, DMZ, Management |

The following section describes the six network zones.

Public. - The public network interface provides connection to the Internet, usually by way of a wide area network (WAN). When VPNmanager is used, the security gateway must be configured with a static IP address. Only one public zone is configured on the security gateway and the configuration for this zone cannot be changed from VPNmanager.

Public-backup. - The public-backup network interface is used in conjunction with the Failover function on some security gateway models, see Failover on page 226 to configure failover. If a public-backup network interface is configured, and the public primary network interface cannot reach the Internet, the failover module deactivates the public primary interface, activates the public-backup interface, and then redirects all encrypted traffic to this link. Only one public-backup zone can be configured on the security gateway.

Note:

If the public zone and the public-backup zone are both configured, only one zone can operate at a given time.

To have the interface automatically revert to public, you can configure the Idle Timer Settings. When you enable the idle timer, if no VPN or other traffic flows through the public-backup interface in the configured amount of time, the public primary interface is automatically reestablished. If the idle timer is enabled, select Ignore Non-VPN Traffic if you do not want non-VPN traffic to reset the idle timer.


To set the amount of time delay to switch from a secondary interface to the primary interface once the primary link has been detected, configure the Hold Down Timer. This delay provides the necessary time for the primary interface to stabilize. The Hold Down Timer applies to failover conditions occurring due to a link-level failure on the public primary interface only.

The Hold Down Time value is expressed in seconds. The value range is 0 to 3600 seconds. The default value is 60 seconds.

Note:

There is a scenario in which the switchover from the public backup interface to the public interface will occur before the hold down timer has expired. If the idle timer is set to a value less than that of the hold down timer, and the public primary interface link becomes available while at roughly the same time traffic ceases to flow through the public backup interface, the switchover will occur when the idle time expires rather than when the hold down timer expires.
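The interaction of the idle timer and the Hold Down Timer described above, as an added example that is not Avaya code: a one-second-step simulation of a link-level failure on the public primary interface and the switch back to it. The FailoverModel class, the scenario functions and the assumption that a revert to public requires the primary link to be up are mine, not the guide's.

```python
class FailoverModel:
    """One-second time steps; models only a link-level failure on the public primary interface."""
    def __init__(self, idle_timer=None, ignore_non_vpn=False, hold_down=60):
        if not 0 <= hold_down <= 3600:
            raise ValueError("Hold Down Time must be 0 to 3600 seconds")
        self.idle_timer = idle_timer            # seconds of silence on public-backup; None = disabled
        self.ignore_non_vpn = ignore_non_vpn    # the "Ignore Non-VPN Traffic" setting
        self.hold_down = hold_down
        self.active = "public"
        self.backup_idle_since = None           # last second traffic counted on public-backup
        self.primary_up_since = None            # second the primary link was detected up again

    def step(self, t, primary_link_up, backup_traffic):
        """backup_traffic is 'none', 'vpn' or 'other' for the traffic seen on public-backup this second."""
        if self.active == "public":
            if not primary_link_up:             # failover: deactivate primary, activate backup
                self.active = "public-backup"
                self.backup_idle_since = t
                self.primary_up_since = None
            return self.active
        # Traffic that resets the idle timer: VPN traffic always, other traffic unless ignored.
        if backup_traffic == "vpn" or (backup_traffic == "other" and not self.ignore_non_vpn):
            self.backup_idle_since = t
        if not primary_link_up:
            self.primary_up_since = None        # hold-down restarts when the link comes back
        elif self.primary_up_since is None:
            self.primary_up_since = t
        idle_expired = self.idle_timer is not None and t - self.backup_idle_since >= self.idle_timer
        hold_expired = self.primary_up_since is not None and t - self.primary_up_since >= self.hold_down
        # Assumption: a revert needs the primary link up; whichever timer expires first wins.
        if primary_link_up and (idle_expired or hold_expired):
            self.active = "public"
        return self.active

def switchback_time(model, link_up_at, traffic_at, horizon=1000):
    """Return the second at which public is re-established, or None within the horizon."""
    for t in range(horizon + 1):
        was = model.active
        if model.step(t, link_up_at(t), traffic_at(t)) == "public" and was == "public-backup":
            return t
    return None

# Constructed scenario: primary link down from t=0, back at t=100; VPN traffic on the
# backup stops at the same moment (the case described in the note above).
def link_after_100(t):
    return t >= 100

def vpn_until_100(t):
    return "vpn" if t <= 100 else "none"
```

With a 30-second idle timer and the default 60-second hold-down the switchover happens at t=130, when the idle timer expires, rather than at t=160.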

Private. - The private network interface usually provides connection to your private local area network (LAN) or your corporate LAN. The private network interface can be configured with Static, DHCP Server or DHCP Relay.

Semi-private. - The semi-private network interface provides connection to a network whose equipment can be made physically secure, but whose medium is vulnerable to attack, such as a wireless network used within a corporation’s private network infrastructure. Traffic on the semi-private interface is usually encrypted. Only one semi-private zone can be configured on the security gateway.

DMZ. - The demilitarized zone (DMZ) network interface is usually used to provide Internet users with access to some corporate services without compromising the private network where sensitive information is stored. A DMZ network contains resources such as Web servers, FTP servers, and SMTP (e-mail) servers. Because DMZ networks are vulnerable to attack (for example, denial of service), corporations usually add security devices such as intrusion detection systems, virus scanners, and so on. Only one DMZ zone can be configured on the device.

Management. - The management interface can be configured to simplify network deployments and to eliminate enterprise network dependencies on switches or routers. The management network interface is usually used as an access point for a dedicated VPNmanager management station or as a dedicated interface for sending log messages to a syslog server.


Options for IP addressing for interface zones

You can configure each zone with different addressing options, and the private port can be configured as a DHCP server, or as a DHCP relay that obtains IP addresses from a DHCP server (Table 7). This section explains the options in detail.

Table 7: Type of IP addressing available by zone

| Mode             | Public | Private | Public-backup | Semi-private | DMZ | Management |
| Address assigned |        |         |               |              |     |            |
| Static           | X      | X       | X             | X            | X   | X          |
| DHCP Client      | X      | X*      | X             |              |     |            |
| PPPoE            | X      |         | X             |              |     |            |
| Server modes     |        |         |               |              |     |            |
| Static           |        |         | X             | X            | X   | X          |
| DHCP Server      |        | X       |               | X            | X   |            |
| DHCP Relay       |        | X       |               | X            |     |            |
| H.323            | X      | X       |               | X            | X   |            |

* The DHCP Client for the private zone is for SG5/5X/200 and VSU5/5X/500 bootcode only.

Static addressing

Use static addressing if a dedicated IP address should be assigned to the public interface of the security gateway. To configure static addressing, complete the following information:

IP Address. - The public IP address that is assigned to the security gateway.

Network Mask. - The subnet mask.

Route. - The IP address of the gateway router to the Internet.

DHCP addressing

Use DHCP addressing if the gateway obtains its IP address dynamically from the Internet service provider (ISP). This can be configured for public-backup.
