Avaya 3.7 User Manual


Using Device tabs to configure the security gateway

Point-to-Point Protocol Over Ethernet (PPPoE) Client

Use PPPoE Client addressing as a convenient way to connect the public or public-backup zone of the security gateway to the Internet, if your ISP supports PPPoE addressing. PPPoE Client addressing requires user authentication. To configure PPPoE addressing, complete the following information:

PPPoE User ID. - Account user name which your ISP assigns.

Password. - Account password.

 

 

Note:

Avoid resetting the security gateway by power cycling the unit when PPPoE is configured, as this method requires a proper shutdown in order to avoid a lockout condition during reconnection. This lockout period can last for a few minutes (time varies from ISP to ISP).

Local DHCP Server

The local DHCP server private port configuration is the default configuration to support the IP devices that are connected to your LAN. In the local DHCP server mode, the protected devices are automatically provided with an IP address, a default route, a domain name (the security gateway), and WINS.

To configure the local DHCP server, complete the following information:

IP Address. - The IP address assigned. The default IP address is 192.168.1.1 for the private interface. If multiple interfaces on a security gateway have DHCP server configured, their IP addresses must be unique.

IP Range From/To. - The range of IP addresses that the DHCP server that runs on the interface assigns to DHCP clients. The default DHCP address range for the private interface is 192.168.1.32 to 192.168.1.127. Each security gateway on the VPN requires a unique DHCP range. In addition, if multiple interfaces on a security gateway have DHCP server configured, the DHCP range on each also must be unique.

Domain Name. - The domain assigned to the interface. This is only applicable to the private interface. The default for domain name is "private."

Issue 4 May 2005 71

Setting up the network

Primary WINS. - This is optional. Configure primary WINS when delivering network configuration information to DHCP clients. The security gateway will deliver the primary WINS server information before the secondary WINS server information. This order of delivery will ensure that DHCP clients will use the WINS servers in the specified configuration order.

Secondary WINS. - This is optional. Configure secondary WINS when delivering network configuration information to DHCP clients. The security gateway will deliver the secondary WINS server information after the primary WINS server information. This order of delivery will ensure that DHCP clients will use the WINS servers in the specified configuration order.

IP Device Configuration. - This is configured to add support for additional IP devices to the DHCP Server.

IP Telephony Settings. - This is optional. Configure IP Telephony when IP telephones are connected to the security gateway. See IP Telephony Configuration below.

When DHCP server is configured, you can configure the IP Device and the IP Telephony settings. Click IP Devices to display a list of all IP devices that the DHCP server currently supports. The MAC address and IP address are listed, along with information that relates to IP telephony devices.

Note:

Changing the DHCP Server IP address can result in losing current connectivity with the security gateway.

IP telephone configuration - If you are using the security gateway with the Avaya Definity® series of IP Telephones, you must configure the TFTP server IP, the TFTP file path, the Definity Clan IP and the Definity Clan port (see the Definity documentation for further information). Non-Avaya IP telephones require, at a minimum, the TFTP server IP address.

The following IP telephone DHCP options are supported:

Option 150. Proprietary to Avaya IP telephones. This option is for the TFTP server IP address.

Option 176. Proprietary to Avaya IP telephones. Definity Clan IP address and port along with optional TFTP server IP address (all four fields in the IP Telephony Configuration section must contain entries).

Option 66. The standard DHCP option for TFTP server.

Note:

When you add an IP device, you must also configure the Device Account User.

72 Avaya VPNmanager Configuration Guide Release 3.7


DHCP Relay

This functionality allows the DHCP Relay agent to bind to the device's private and semi-private interface zones and forward only DHCP requests from the network behind the device to the DHCP server(s) on the public network. The DHCP Relay server can reside on the private, semi-private, or public zones, or on another remote network.

The DHCP Relay area on the Interface Configuration dialog is used to configure the security gateway to support DHCP Relay functionality.

Note:

DHCP relay and DHCP server services are mutually exclusive. When the security gateway acts as a DHCP relay, the security gateway cannot also be a DHCP server at the same time.

When the DHCP relay agent receives DHCP client requests from the private or semi-private interface zones, the relay agent creates new DHCP messages and forwards them to the DHCP server(s) on the public, private, or semi-private zones, or on remote networks. The DHCP servers on the public network send DHCP offer messages that contain the IP addresses to the DHCP relay agent. The agent broadcasts the DHCP offer messages to the DHCP clients.

If the DHCP server resides on the remote network, the DHCP server and the DHCP clients must be part of the VPN so that the client can obtain the IP address from the DHCP server.

Static

When you select Static, the security gateway is configured with a static IP address and mask. This is the default configuration. If Static is selected and the VPNmanager is on the private side, then the IP address of the computer running VPNmanager should be statically configured, or dynamically configured through another DHCP server.

Changing network interfaces

From the VPNmanager Console Device Interfaces tab, you can modify the media settings, change the IP information, add an IP device, and configure IP telephony settings. You can configure any zone but Public.

To change the media interface configuration:

1. From the Configuration Console Contents column, select the security gateway to be configured. Click the Interfaces tab to bring it to the front.

2. Click on the media interface that you want to modify. Click Edit. The Interface Configuration dialog is displayed.


Figure 21: Media interface configuration dialog

Note:

The fields displayed in the screen are based on the type of zone selected.

3. The media option choices depend on the media type selected and the capabilities of the underlying device hardware and driver. QoS is used by the QoS module to restrict the bandwidth of the interface to the upstream limit of the network. For example, to allow QoS to limit the maximum bandwidth of a 100 Mbps interface to 25 Mbps, enter 25 Mbps.

4. In the IP Configuration area, make the required changes.

From the Zone list, select the zone. Only the zones that apply to that media interface are displayed.

From the IP Config Mode list, select the IP addressing mode. Depending on your selection, complete the required information.

If public-backup is selected, complete the Idle Timer Settings configuration if failover is enabled.

5. Click Save when you finish.

To add an IP device to the security gateway:

1. From the Configuration Console Contents column, select the security gateway to be configured. Click the Interfaces tab to bring it to the front. In the properties, select the media interface that is configured as private with DHCP Server. Click Edit. The Media Interface Configuration dialog is displayed.

2. Click IP Devices. The IP Device Configuration dialog is displayed.

3. Enter the following information:

The MAC address of the IP device. If the device is an Avaya IP telephone, the MAC address is on the back of the telephone.


The IP address. This IP address must be within the same subnet as the DHCP server. Avaya recommends that you use an IP address for the device that falls into the DHCP subnet, but not in the DHCP range.

4. Click Add, and then click OK.

To add an IP telephony device to the security gateway:

1. Click IP Telephony. The IP Telephony Settings dialog is displayed.

2. Enter the following information:

TFTP File Path Name. The TFTP file path name is used when the TFTP file path is other than the default path.

Definity CLAN Port. The port number for the Definity server. The default port is 1719. The port range is 1 to 65535.

Option 66. The standard DHCP option for TFTP server.

IP Telephony Domain. This is the domain name that the IP telephone device is assigned.

Important:

When symbolic host names are included in the TFTP server or CLAN lists, the IP telephone will append the IP Telephony Domain name (if entered) to the list entry in order to create a fully qualified domain name (FQDN). You can, however, enter host names using the FQDN form of <myhost>@<mydomain>.<toplevel domain>, in which case you should leave the IP Telephone Domain name field empty.

Also, be aware that the current version of IP telephone firmware will truncate the TFTP and CLAN lists to a maximum of 255 characters each. Thus, when using the FQDN form of host name entries, it would be possible to exceed that limitation very quickly.

TFTP Server. This is the server on which the latest version of the IP telephone firmware is maintained for upgrade purposes. A maximum of five TFTP servers with IP addresses or symbolic host names can be configured on security gateways running VPNos 4.6 and higher.

Definity CLAN List. The IP address of the Definity Clan server. A maximum of 20 CLAN IP addresses or symbolic host names can be configured on security gateways running VPNos 4.6 and higher.

3. Click OK, and then click Save.

Note:

When you configure an IP telephone, secure tunnels are created for TFTP and Definity Clan. However, if only VPN users are connected, the secure tunnels are created on demand. That is, the secure tunnels are created only when traffic exists on the associated tunnel.
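A small validator, added here as an example and not part of VPNmanager or VPNos, that checks an IP device entry and the IP Telephony settings against the constraints this section states: the device address inside the DHCP server subnet but outside the From/To range and unique, the CLAN port within 1 to 65535, at most five TFTP and twenty CLAN entries, the four fields a Definity phone needs, and the 255-character list limit after the IP Telephony Domain is appended to symbolic host names. Addresses and host names are constructed; comma separation of the lists is an assumption made only to measure their length.

```python
import ipaddress

MAX_TFTP_SERVERS = 5    # VPNos 4.6 and higher: at most five TFTP entries
MAX_CLAN_ENTRIES = 20   # VPNos 4.6 and higher: at most twenty CLAN entries
MAX_LIST_CHARS = 255    # phone firmware truncates each list to 255 characters
CLAN_PORT_DEFAULT = 1719

def is_ip(entry):
    # True for a literal IP address, False for a symbolic host name
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False

def phone_list(entries, domain):
    """The list as the phone will see it: a symbolic name gets the IP Telephony
    Domain appended (if one is entered); an IP address passes through unchanged.
    Comma separation is an assumption, used only to measure the 255-char limit."""
    return ",".join(e if is_ip(e) or not domain else f"{e}.{domain}" for e in entries)

def check_ip_device(ip, server_ip, prefix_len, range_from, range_to, used_ips=()):
    """A static IP device entry must be in the DHCP server's subnet, should sit
    outside the dynamic From/To range, and must not collide with another device."""
    problems = []
    addr = ipaddress.ip_address(ip)
    subnet = ipaddress.ip_network(f"{server_ip}/{prefix_len}", strict=False)
    if addr not in subnet:
        problems.append(f"{ip} is outside the DHCP server subnet {subnet}")
    if ipaddress.ip_address(range_from) <= addr <= ipaddress.ip_address(range_to):
        problems.append(f"{ip} lies inside the dynamic range {range_from}-{range_to}")
    if ip in used_ips:
        problems.append(f"{ip} is already assigned to another IP device")
    return problems

def check_ip_telephony(tftp, clan, clan_port=CLAN_PORT_DEFAULT, tftp_path="",
                       domain="", definity=True):
    """IP Telephony settings: CLAN port range, list sizes, the four fields a
    Definity phone needs, and each list's length after domain expansion."""
    problems = []
    if not 1 <= clan_port <= 65535:
        problems.append(f"CLAN port {clan_port} is outside 1-65535")
    if len(tftp) > MAX_TFTP_SERVERS:
        problems.append(f"{len(tftp)} TFTP servers exceeds the limit of {MAX_TFTP_SERVERS}")
    if len(clan) > MAX_CLAN_ENTRIES:
        problems.append(f"{len(clan)} CLAN entries exceeds the limit of {MAX_CLAN_ENTRIES}")
    if not tftp:
        problems.append("every IP telephone needs at least one TFTP server")
    if definity and not (tftp and tftp_path and clan):
        problems.append("Definity phones need TFTP IP, TFTP path, CLAN IP and CLAN port")
    for name, entries in (("TFTP", tftp), ("CLAN", clan)):
        seen = phone_list(entries, domain)
        if len(seen) > MAX_LIST_CHARS:
            problems.append(f"{name} list is {len(seen)} chars; firmware truncates at {MAX_LIST_CHARS}")
    return problems
```

Run the checks before saving a configuration with symbolic host names: twenty CLAN names plus a domain can pass the entry-count limit and still be silently truncated by the phone.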


Private port tab

For SGs with VPNos 4.2 or VPNos 4.3, the Private Port tab is used to configure the private IP address. In addition, you can configure the device to act as a DHCP server on the private port, or you can configure a DHCP relay.

Note:

For SGs with VPNos 4.4 and higher, configure the private port address using the Interfaces tab.

If a local DHCP server is configured, the security gateway assigns IP addresses to the computers or the IP telephones that are behind the security gateway. If your DHCP server is on the public side, a DHCP relay can be configured to obtain IP addresses from this DHCP server. If the DHCP server is unreachable, the relay can be made to fall back to the local DHCP server.

Figure 22: Private port tab with VPNos 4.2 or VPNos 4.3

If you plan to use the security gateway’s private port local DHCP server capability to support the IP devices connected to your LAN (default), be sure to complete the DHCP setup under the local DHCP Server portion of the screen.

Local DHCP Server. - This portion of the screen is used to configure the security gateway as a DHCP server on the private port. The IP Address range must be configured and should fall within the range of the private IP Address subnet. The domain name is provided and the WINS server can be configured.

When deploying the security gateway, you need a unique DHCP range for each security gateway on the VPN.


Note:

Changing the DHCP Server IP address may result in losing connectivity to the security gateway, if the VPNmanager is on the private side of the security gateway. Also all active DHCP clients may require renewal through an OS utility (e.g., using winipcfg or ipconfig in Windows), or rebooting.

Note:

When changing the DHCP IP address range, execute an ipconfig release and renew command.

IP Devices Configuration. - The table displays a list of all IP devices currently supported by the DHCP server. The device MAC Address and IP Address are listed, along with information relating to IP telephony devices, such as the Avaya Definity® IP telephone device information.

Adding an IP Device Configuration

This dialog is used to add IP devices to the virtual DHCP server. The dialog contains a group of fields for IP telephony configuration when IP telephones are connected to the security gateway.

Figure 23: IP Device Configuration with VPNos 4.2 or VPNos 4.3

IP Device MAC Address. - Enter the MAC address of the IP device. If the device is an Avaya IP telephone, the MAC address can be found on the back of the phone.

IP Device IP Address. - This IP address must be within the same subnet as the DHCP server. It is recommended that the IP device address fall in the DHCP subnet, but not in the DHCP range. Also, each IP device should have a unique IP address.

IP Telephony Configuration. - This section is used to enter configuration information for an IP telephone connected to the security gateway. This information is sent in response to the IP telephone’s DHCP request (this information can also be configured locally in the IP telephone).


The Avaya DEFINITY® series of IP telephones require entries for all four fields (refer to your Definity documentation for further information). Non-Avaya IP telephones require, at a minimum, the TFTP server IP address.

Note:

The following IP telephone DHCP options are supported:

Option 150: Proprietary to Avaya IP telephones. This option is for the TFTP server IP address.

Option 176: Proprietary to Avaya IP telephones. Definity Clan IP address and port along with optional TFTP server IP address (all four fields in the IP telephony Configuration section must contain entries).

Option 66: Standard DHCP option for TFTP server.

TFTP Server IP. - This is the address of the TFTP server on which the latest version of the IP Phone firmware is maintained for upgrade purposes.

TFTP File Path. - Used when the file path is other than the default path.

DEFINITY Clan IP. - The IP address of the DEFINITY Clan server.

DEFINITY Clan Port. - Port number for the DEFINITY server. The default port is 1719. The port range is 1 to 65535.

To add an IP Device:

1. From security gateway Objects, select the Private Port tab from the Properties pane.

2. Select the Local DHCP Server radio button.

3. Click Add.

4. Enter the required information to complete the IP Device configuration.

5. Click OK.

6. Click Save.

DHCP Relay

Select DHCP Relay to configure the security gateway to support DHCP Relay functionality. This functionality allows the DHCP Relay agent to bind to the device's private port and forward only DHCP requests from the network behind the device to the DHCP server(s) on the public network.

The IP devices are supported in the case of DHCP relay. To configure the IP devices, from the local DHCP Server configure the IP devices. Return to the DHCP Relay and save.


Note:

When the security gateway is acting as a DHCP Relay, the security gateway cannot be a DHCP server at the same time. DHCP Relay and DHCP Server services are mutually exclusive.

When the DHCP Relay agent receives DHCP client requests from the private port, the relay agent creates new DHCP messages and forwards them to the DHCP server(s) on the public network. The DHCP server(s) on the public network send DHCP offer messages that contain the IP addresses to the DHCP Relay agent. The agent broadcasts the DHCP offer messages to the DHCP clients.

Important:

The remote DHCP server(s) and the device’s private port IP addresses must be part of the VPN in order for the DHCP Relay process to begin.

The Fallback to Local DHCP Server option allows the DHCP server to revert or fallback to the Local DHCP Server if the DHCP Relay is not functioning.

Note:

In order for the security gateway to support the DHCP Relay Fallback feature, Local DHCP Server must be configured. IP Devices are not supported in Fallback mode.

None

Select None to configure the security gateway without the Local DHCP Server configuration or the DHCP Relay configuration. None is the default configuration. If None is selected and the VPNmanager is on the private side of the security gateway, then the IP address of the computer running VPNmanager should be statically or dynamically configured through other DHCP servers.

Device users tab

The Device>Device Users tab displays the device account user configuration and the VPN authentication profile associated with the device account user. The device account user acts as a proxy VPN user for all configured IP devices. You cannot delete the device account user.


Figure 24: Device Users tab

To add a device account user:

1. From the Configuration Console Contents column, select the device to be configured. Click the Device Users tab to bring it to the front.

2. Click on the Device Account User drop-down menu to select the user.

3. In the VPN Authentication Profile area, enter the following information:

VSU/SG Address. Select the primary device from the drop-down menu or enter the DNS name of the device.

(Optional) Backup VSU/SG Address. Enter a backup device address to be used, or select it from the drop-down menu.

Port. Enter the number of the port to use. The default is 1443.

Authentication. Select the authentication type to use, either Standard (CHAP) or Rechallenge (PAP).

4. Click Save to complete the configuration.

To use this configuration on another device, click the Clone To button. Select the device to configure, then click OK to clone the configuration to the selected device.

Network Object tab

The Device>Network Object tab displays the hosts or networks that are located behind the security gateway. The type of predefined network objects that are listed depends on the type of zones that are configured for the security gateway.

By default, the network object includes the IP address and mask that have been configured for the corresponding zone. Besides this address, you can add additional addresses.
