While reasonable efforts have been made to ensure that the information in this document is complete and accurate at the time of printing, Avaya assumes no liability for any errors. Avaya reserves the right to make changes and corrections to the information in this document without the obligation to notify any person or organization of such changes.
Documentation disclaimer
“Documentation” means information published by Avaya in varying mediums which may include product information, operating instructions and performance specifications that Avaya generally makes available to users of its products. Documentation does not include marketing materials. Avaya shall not be responsible for any modifications, additions, or deletions to the original published version of documentation unless such modifications, additions, or deletions were performed by Avaya. End User agrees to indemnify and hold harmless Avaya, Avaya's agents, servants and employees against all claims, lawsuits, demands and judgments arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation, to the extent made by End User.
Link disclaimer
Avaya is not responsible for the contents or reliability of any linked websites referenced within this site or documentation provided by Avaya. Avaya is not responsible for the accuracy of any information, statement or content provided on these sites and does not necessarily endorse the products, services, or information described or offered within them. Avaya does not guarantee that these links will work all the time and has no control over the availability of the linked pages.
Warranty
Avaya provides a limited warranty on its hardware and Software (“Product(s)”). Refer to your sales agreement to establish the terms of the limited warranty. In addition, Avaya’s standard warranty language, as well as information regarding support for this Product while under warranty is available to Avaya customers and other parties through the Avaya Support website: http://support.avaya.com. Please note that if you acquired the Product(s) from an authorized Avaya reseller outside of the United States and Canada, the warranty is provided to you by said Avaya reseller and not by Avaya. “Software” means computer programs in object code, provided by Avaya or an Avaya Channel Partner, whether as stand-alone products or pre-installed on hardware products, and any upgrades, updates, bug fixes, or modified versions.
Licenses
THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO ARE APPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/OR INSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC., ANY AVAYA AFFILIATE, OR AN AUTHORIZED AVAYA RESELLER (AS APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITH AVAYA OR AN AUTHORIZED AVAYA RESELLER. UNLESS OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES NOT EXTEND THIS LICENSE IF THE SOFTWARE WAS OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA AFFILIATE OR AN AVAYA AUTHORIZED RESELLER; AVAYA RESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST YOU AND ANYONE ELSE USING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING, DOWNLOADING OR USING THE SOFTWARE (HEREINAFTER REFERRED TO INTERCHANGEABLY AS “YOU” AND “END USER”), AGREE TO THESE TERMS AND CONDITIONS AND CREATE A BINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THE APPLICABLE AVAYA AFFILIATE (“AVAYA”).
Avaya grants you a license within the scope of the license types described below, with the exception of Heritage Nortel Software, for which the scope of the license is detailed below. Where the order documentation does not expressly identify a license type, the applicable license will be a Designated System License. The applicable number of licenses and units of capacity for which the license is granted will be one (1), unless a different number of licenses or units of capacity is specified in the documentation or other materials available to you. “Designated Processor” means a single stand-alone computing device. “Server” means a Designated Processor that hosts a software application to be accessed by multiple users.
Licence types
Designated System(s) License (DS). End User may install and use each copy of the Software only on a number of Designated Processors up to the number indicated in the order. Avaya may require the Designated Processor(s) to be identified in the order by type, serial number, feature key, location or other specific designation, or to be provided by End User to Avaya through electronic means established by Avaya specifically for this purpose.
Concurrent User License (CU). End User may install and use the Software on multiple Designated Processors or one or more Servers, so long as only the licensed number of Units are accessing and using the Software at any given time. A “Unit” means the unit on which Avaya, at its sole discretion, bases the pricing of its licenses and can be, without limitation, an agent, port or user, an e-mail or voice mail account in the name of a person or corporate function (e.g., webmaster or helpdesk), or a directory entry in the administrative database utilized by the Software that permits one user to interface with the Software. Units may be linked to a specific, identified Server.
CPU License (CP). End User may install and use each copy of the Software on a number of Servers up to the number indicated in the order provided that the performance capacity of the Server(s) does not exceed the performance capacity specified for the Software. End User may not re-install or operate the Software on Server(s) with a larger performance capacity without Avaya’s prior consent and payment of an upgrade fee.
Named User License (NU). You may: (i) install and use the Software on a single Designated Processor or Server per authorized Named User (defined below); or (ii) install and use the Software on a Server so long as only authorized Named Users access and use the Software. “Named User” means a user or device that has been expressly authorized by Avaya to access and use the Software. At Avaya’s sole discretion, a “Named User” may be, without limitation, designated by name, corporate function (e.g., webmaster or helpdesk), an e-mail or voice mail account in the name of a person or corporate function, or a directory entry in the administrative database utilized by the Software that permits one user to interface with the Software.
Heritage Nortel Software
“Heritage Nortel Software” means the software that was acquired by Avaya as part of its purchase of the Nortel Enterprise Solutions Business in December 2009. The Heritage Nortel Software currently available for license from Avaya is the software contained within the list of Heritage Nortel Products located at http://support.avaya.com/LicenseInfo under the link “Heritage Nortel Products”. For Heritage Nortel Software, Avaya grants Customer a license to use Heritage Nortel Software provided hereunder solely to the extent of the authorized activation or authorized usage level, solely for the purpose specified in the Documentation, and solely as embedded in, for execution on, or (in the event the applicable Documentation permits installation on non-Avaya equipment) for communication with Avaya equipment. Charges for Heritage Nortel Software may be based on extent of activation or use authorized as specified in an order or invoice.
Copyright
Except where expressly stated otherwise, no use should be made of materials on this site, the Documentation, Software, or hardware provided by Avaya. All content on this site, the documentation and the Product provided by Avaya including the selection, arrangement and design of the content is owned either by Avaya or its licensors and is protected by copyright and other intellectual property laws including the sui generis rights relating to the protection of databases. You may not modify, copy, reproduce, republish, upload, post, transmit or distribute in any way any content, in whole or in part, including any code and software unless expressly authorized by Avaya. Unauthorized reproduction, transmission, dissemination, storage, and or use without the express written consent of Avaya can be a criminal, as well as a civil offense under the applicable law.
Third Party Components
“Third Party Components” mean certain software programs or portions thereof included in the Software that may contain software (including open source software) distributed under third party agreements (“Third Party Components”), which contain terms regarding the rights to use certain portions of the Software (“Third Party Terms”). Information regarding distributed Linux OS source code (for those Products that have distributed Linux OS source code) and identifying the copyright holders of the Third Party Components and the Third Party Terms that apply is available in the Documentation or on Avaya’s website at: support.avaya.com/Copyright. You agree to the Third Party Terms for any such Third Party Components.
Note to Service Provider
The Product may use Third Party Components that have Third Party Terms that do not allow hosting and may need to be independently licensed for such purpose.
Preventing Toll Fraud
“Toll Fraud” is the unauthorized use of your telecommunications system by an unauthorized party (for example, a person who is not a corporate employee, agent, subcontractor, or is not working on your company's behalf). Be aware that there can be a risk of Toll Fraud associated with your system and that, if Toll Fraud occurs, it can result in substantial additional charges for your telecommunications services.
Avaya Toll Fraud intervention
If you suspect that you are being victimized by Toll Fraud and you need technical assistance or support, call Technical Service Center Toll Fraud Intervention Hotline at +1-800-643-2353 for the United States and Canada. For additional support telephone numbers, see the Avaya Support website: http://support.avaya.com. Suspected security vulnerabilities with Avaya products should be reported to Avaya by sending mail to: securityalerts@avaya.com.
Trademarks
The trademarks, logos and service marks (“Marks”) displayed in this site, the Documentation and Product(s) provided by Avaya are the registered or unregistered Marks of Avaya, its affiliates, or other third parties. Users are not permitted to use such Marks without prior written consent from Avaya or such third party which may own the Mark. Nothing contained in this site, the Documentation and Product(s) should be construed as granting, by implication, estoppel, or otherwise, any license or right in and to the Marks without the express written permission of Avaya or the applicable third party.
Avaya is a registered trademark of Avaya Inc.
All non-Avaya trademarks are the property of their respective owners, and “Linux” is a registered trademark of Linus Torvalds.
Downloading Documentation
For the most current versions of Documentation, see the Avaya Support website: http://support.avaya.com.
Contact Avaya Support
See the Avaya Support website: http://support.avaya.com for product notices and articles, or to report a problem with your Avaya product. For a list of support telephone numbers and contact addresses, go to the Avaya Support website: http://support.avaya.com, scroll to the bottom of the page, and select Contact Avaya Support.
2 User Guide April 2013
Comments? infodev@avaya.com
Other changes
Chapter 3: Introducing the VPN Gateway
User Rights and Group Membership
Adding a New User
Adding Users through RADIUS
Changing a User's Group Assignment
Changing a User's Password
Changing Your Own Password
Changing Another User's Password
Deleting a User
Chapter 8: Certificates and Client Authentication
Generating and Submitting a CSR Using the CLI
Adding Certificates to the AVG
Chapter 10: The Command Line Interface
Connecting to the VPN Gateway
Establishing a Console Connection
Establishing a Telnet Connection
Establishing a Connection Using SSH (Secure Shell)
Accessing the AVG Cluster
CLI vs. Setup
Command Line History and Editing
The Avaya VPN Gateway User Guide describes how to perform basic configuration and maintenance of
the Avaya VPN Gateway (AVG).
Who Should Use This Book
The Avaya VPN Gateway User Guide is intended for network installers and system
administrators engaged in configuring and maintaining a network. It assumes that you are
familiar with Ethernet concepts and IP addressing.
Related documentation
For full documentation on installing and using the many features available in the VPN Gateway software, see the following manuals:
• Avaya VPN Gateway Command Reference (NN46120-103). Describes each command
in detail. The commands are listed for each menu, according to the order they appear in
the Command Line Interface (CLI).
• Avaya VPN Gateway Application Guide for SSL Acceleration (NN46120-100). Provides
examples on how to configure Secure Socket Layer (SSL) Acceleration through the
CLI.
• Avaya VPN Gateway CLI Application Guide (NN46120-101). Provides examples on how
to configure VPN deployment through the CLI.
• Avaya VPN Gateway BBI Application Guide (NN46120-102). Provides examples on how
to configure VPN deployment through the Browser-Based Interface (BBI).
• Avaya VPN Gateway User Guide (NN46120-104). Describes the initial setup procedure,
upgrades, operator user management, certificate management, troubleshooting and
other general operations that apply to both SSL Acceleration and VPN.
• Avaya VPN Gateway Administrator Guide (NN46120-105). VPN management guide
intended for end-customers in a Secure Service Partitioning configuration.
• Avaya VPN Gateway Configuration - Secure Portable Office Client (NN46120-301). Gives
the feature list and provides general information about Secure Portable Office (SPO)
based VPN client.
• Avaya VPN Gateway VMware Getting Started Guide (NN46120–302). Describes how to
install, configure, and deploy the Avaya VPN Gateway VMware appliances.
• Avaya VPN Gateway Release Notes (NN46120-400). Lists new features available in
version and provides up-to-date product information.
• Avaya VPN Gateway Troubleshooting Guide (NN46120-700). Describes the
prerequisites and various tools used to troubleshoot the Avaya VPN Gateway (AVG).
The preceding manuals are available for download (see Customer service on page 16).
Product Names
The software described in this manual runs on several different hardware models. Whenever the generic terms Avaya VPN Gateway, VPN gateway or AVG are used in the documentation, the following hardware models are implied:
• Avaya VPN Gateway 3050–VM (AVG 3050–VM)
• Avaya VPN Gateway 3070–VM (AVG 3070–VM)
• Avaya VPN Gateway 3090–VM (AVG 3090–VM)
Similarly, all references to the old product name – iSD-SSL or iSD – in commands or screen outputs should be interpreted as applying to the preceding hardware models.
Note:
Manufacturing of the Avaya SSL Accelerator (formerly Alteon SSL Accelerator) has been
discontinued.
How This Book Is Organized
The chapters in this book are organized as follows:
Users Guide
Introducing the VPN Gateway on page 21 provides an overview of the major features of the
VPN Gateway, including its physical layout and the basic concepts of its operation.
Introducing the ASA 310-FIPS on page 31 provides information about the ASA 310 equipped with HSM cards, as well as information about the available security modes and the concept of iKey authentication.
Initial Setup on page 37 describes how to install the AVG in a new cluster, and how to add an AVG to an existing cluster. The chapter also provides information about the concept of AVG clusters, as well as the usage and configuration of ports and networks within a cluster. A section describing how to reinstall the software is also included.
Upgrading the AVG Software on page 69 describes how to upgrade the AVG software for a
minor release upgrade, and a major release upgrade, as well as upgrading from software
versions earlier than 2.0.11.16 to version 3.0.7.
Managing Users and Groups on page 75 describes the management of users, groups, and
passwords. The chapter also explains how the Administrator user role can be fully separated
from the Certificate Administrator user role.
Certificates and Client Authentication on page 87 describes how to generate and prepare
keys and certificates for use with the AVG.
The Command Line Interface on page 123 describes how to connect to the AVG and access
the information and configuration menus.
Troubleshooting the AVG on page 131 provides suggestions for troubleshooting basic
problems. Information about performing system diagnostics on the AVG is also included, as
well as some operations related to the ASA 310-FIPS model.
Appendices
The appendices provide a list of ciphers supported in this product.
The SNMP Agent on page 163 provides information about the SNMP agent on the AVG, and
which MIBs (Management Information Bases) are supported.
Syslog Messages on page 171, contains a list of all syslog messages that can be sent to a
syslog server that is added to the AVG system configuration.
License Information on page 213 provides licensing information for the software used in this
product.
HSM Security Policy on page 219 provides detailed information about the security policy of
the CryptoSwift® HSM card that comes installed in the ASA 310-FIPS.
Definition of Key Codes on page 239 provides information about how to compile a keycode
definition file to be used with the Terminal applet available on the Telnet/SSH tab (located
under the Portal's Advanced tab).
SSH host keys on page 243 provides information about the purpose of SSH host keys and
how they are used to protect the connection between the SSH client and the VPN Gateway.
Adding User Preferences Attribute to Active Directory on page 245 provides step-by-step instructions on how to add the User Preferences attribute to Active Directory. This is required to support storage of Portal bookmarks in Active Directory.
Using the Port Forwarder API on page 255 provides instructions on how to perform the tasks needed when using the Port Forwarder API. The Port Forwarder API is used to provide tunnels through the Avaya VPN Gateway (AVG) without the user having to start any applets from the Portal.
Customer service
Visit the Avaya Web site to access the complete range of services and support that Avaya
provides. Go to http://www.avaya.com or go to one of the pages listed in the following
sections.
Navigation
• Getting technical documentation on page 16
• Getting product training on page 16
• Getting help from a distributor or reseller on page 16
• Getting technical support from the Avaya Web site on page 16
Getting product training
Ongoing product training is available. For more information or to register, you can access the Web site at http://www.avaya.com/support. From this Web site, you can locate the Training contacts link on the left-hand navigation pane.
Getting help from a distributor or reseller
If you purchased a service contract for your Avaya product from a distributor or authorized
reseller, contact the technical support staff for that distributor or reseller for assistance.
Getting technical documentation
To download and print selected technical publications and release notes directly from the
Internet, go to http://www.avaya.com/support.
Getting technical support from the Avaya Web site
The easiest and most effective way to get technical support for Avaya products is from the
Avaya Technical Support Web site at
http://www.avaya.com/support.
Chapter 2: New in this release
The following sections detail what’s new in the Avaya VPN Gateway User Guide (NN46120-104), Release 9.0.
Features
See the following sections for information about feature changes:
IPsec Two Factor authentication for Avaya VPN Gateway
Release 9.0 adds a two factor authentication method for authentication between servers and
clients. When assigning authentication servers, you have the option to specify a second
authentication server to use after the first one succeeds.
IPsec Two Factor authentication adds more robust security by using client certificate authentication as the first factor, representing "what the user has", and another authentication method as the second factor, representing "what the user knows".
Configuring a new certificate authentication server automatically supports IPsec Two Factor
authentication. IPsec Two Factor authentication supports only certificate authentication as
primary servers and local, RADIUS or LDAP as secondary servers.
IPsec Two Factor authentication is added to the User Authentication methods list, see User
Authentication on page 23.
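The following is an added illustration of the chain just described, written for this page and not taken from the AVG software: the primary server must be a certificate server, the secondary must be local, RADIUS or LDAP, and the secondary is only consulted after the primary succeeds. The server classes, the `TwoFactorChain` name, the credential dictionary layout and the sample certificate and user data are all constructed for the example. One check that the page does not mention but that a deployment should have is added and labelled as such: the user name presented to the second factor must match the subject of the certificate that passed the first factor, so a valid certificate cannot be paired with someone else's password.

```python
"""Model of an IPsec Two Factor authentication chain (illustrative, not AVG code)."""
from dataclasses import dataclass, field

# Server types the text allows in each position (assumption: modelled as strings).
PRIMARY_TYPES = {"cert"}
SECONDARY_TYPES = {"local", "radius", "ldap"}


@dataclass
class CertServer:
    """First factor, 'what the user has': accept a client certificate only if
    its issuer is trusted (constructed: issuers are plain strings here)."""
    trusted_issuers: set = field(default_factory=set)
    kind: str = "cert"

    def check(self, creds):
        cert = creds.get("cert") or {}
        return cert.get("issuer") in self.trusted_issuers


@dataclass
class LocalServer:
    """Second factor, 'what the user knows': constructed local user database."""
    users: dict = field(default_factory=dict)
    kind: str = "local"

    def check(self, creds):
        return self.users.get(creds.get("user")) == creds.get("password")


def config_is_valid(primary, secondary):
    """Configuration-time rule from the text: certificate first, then local/RADIUS/LDAP."""
    return primary.kind in PRIMARY_TYPES and secondary.kind in SECONDARY_TYPES


class TwoFactorChain:
    def __init__(self, primary, secondary):
        if not config_is_valid(primary, secondary):
            raise ValueError("primary must be certificate; secondary must be local, RADIUS or LDAP")
        self.primary = primary
        self.secondary = secondary

    def authenticate(self, creds):
        """Return (success, factors_tried). The second factor runs only after the first succeeds."""
        tried = [self.primary.kind]
        if not self.primary.check(creds):
            return False, tried
        # Added identity-binding check (assumption, not stated on the page): the
        # account used for the second factor must be the certificate's subject.
        if creds["cert"].get("subject") != creds.get("user"):
            return False, tried
        tried.append(self.secondary.kind)
        return self.secondary.check(creds), tried


def demo():
    """Run the chain over constructed credentials and return the outcomes."""
    chain = TwoFactorChain(CertServer(trusted_issuers={"Example VPN CA"}),
                           LocalServer(users={"alice": "correct horse"}))
    good = {"cert": {"subject": "alice", "issuer": "Example VPN CA"},
            "user": "alice", "password": "correct horse"}
    bad_cert = dict(good, cert={"subject": "alice", "issuer": "Untrusted CA"})
    bad_pw = dict(good, password="wrong")
    wrong_user = dict(good, user="bob", password="anything")
    return {"good": chain.authenticate(good),
            "bad_cert": chain.authenticate(bad_cert),
            "bad_pw": chain.authenticate(bad_pw),
            "wrong_user": chain.authenticate(wrong_user)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `factors_tried` list is what a log line for the session should carry: a failure that never reached the second factor is distinguishable from a certificate holder who then failed the password or RADIUS step, which matters when reviewing accounting records for the kind of session start/stop events this product logs.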
Android L2TP/IPsec support
Avaya VPN Gateway Release 9.0 adds support for clients connecting via L2TP/IPsec from
Android devices. Android versions 2.x, 3.x, and 4.x are supported and an additional license
key is not required.
For supported Android versions, refer to the compatibility matrix, AVG 9.0 Release Notes
(NN46120–400).
AES 256 support for IPsec
Avaya VPN Gateway Release 9.0 adds AES 256 support for IPsec.
Java RDP upgrade support
Release 9.0 upgrades the JavaRDP client for better support of the latest Windows Terminal Server. A new optional field was added for WTS links, KeyMap URL, a URL path that points to a custom key code definition file.
Net Direct Mac OS X support
Release 9.0 supports Net Direct on Mac OS X 10.7 (Lion).
Secure Portable Office (SPO) support
Release 9.0 adds Ceedo support on all Windows 64-bit platforms in virtualized mode.
Beginning with Release 9.0, you can download one of the two versions of SPO:
• Avaya Basic – contains basic software with Avaya 2050 IP Softphone and JRE 7.
• Avaya Contact Center (ACC) – contains all the applications and software of Avaya Basic with the addition of Avaya Contact Center Express Desktop 5.0 and Avaya One-X Client.
Both SPO versions (Basic and ACC) apply security restrictions in the Ceedo environment. The following host resources are blocked inside Ceedo:
• Access to network shares and drives
• Access to printing
• Drag and drop
• Clipboard access
For more information on the Release 9.0 support, refer to Avaya VPN Gateway Configuration — Secure Portable Office Client (NN46120-301).
For more information on SPO 9.0 features, refer to Secure Portable Office (SPO) client on page 29.
Other changes
See the following sections for information about changes that are not feature-related:
• Please note, while the Avaya Endpoint Access Control Agent (formerly Tunnel Guard) can
be configured through both the BBI and CLI, the CLI configuration is performed under the
former Tunnel Guard context.
Chapter 3: Introducing the VPN Gateway
The Avaya VPN Gateway (AVG) software includes two major functionality groups:
• SSL Acceleration
• VPN
These features can be used separately or be combined. The Avaya VPN Gateway User Guide covers the
basic tasks that need to be completed irrespective of which feature you wish to deploy.
SSL Acceleration
The VPN Gateway can function as a peripheral Secure Sockets Layer (SSL) offload platform that attaches to an Application Switch or a comparable switch from another vendor. (The VPN Gateway can also operate in standalone mode without being connected to a switch.)
The VPN Gateway performs a TCP three-way handshake with the client through the Application Switch and performs all the SSL encryption and decryption for the session. Combined with the load balancing features of the Application Switch, the VPN Gateway offloads SSL encryption/decryption functions from back-end servers.
VPN
For examples on how to configure the VPN Gateway for SSL Acceleration, see the Avaya
Application Guide for SSL Acceleration.
For more information about the basic operations of the VPN Gateway, see the "Public Key
Infrastructure and SSL" chapter in the Avaya Application Guide for SSL Acceleration.
The VPN feature supports remote access to intranet or extranet resources (applications, mail, files, intranet web pages) through a secure connection. What information should be accessible to the remote user after login is determined by access rules (ACLs).
The intranet's resources can be accessed in clientless mode, transparent mode or both:
• From any computer connected to the Internet (clientless mode). The remote user
connects to the VPN Gateway through a secure SSL connection through the web browser.
When successfully authenticated, the user can access services and resources on the
intranet from a Web Portal provided by the VPN Gateway. Clientless mode also enables
download of the Net Direct client, a simple and secure method for accessing intranet
resources through the remote user's native applications.
• From a computer with the Avaya VPN client (formerly Contivity VPN client) or the Avaya SSL VPN client installed (transparent mode).
For examples on how to configure the VPN Gateway for VPN deployment, see the Avaya Application Guide for VPN.
Software Features
This section describes software features in Avaya VPN Gateway.
Web Portal
• Web Portal interface for remote users accessing the VPN Gateway in clientless mode,
that is, through the browser.
• Corporate resources available to users as preconfigured group links or accessible through the Portal tabs.
• Support for native Telnet and SSH (including X11 forwarding) access to intranet servers
through terminal Java applet (available on the Portal's Advanced tab).
• Support for handling plugins, Flash and Java applets using HTTP proxy Java applet
(available on the Portal's Advanced tab).
• Support for application tunneling (port forwarding) through SOCKS encapsulated in SSL
(available on the Portal's Advanced tab).
• API provided for developing a custom application that automatically logs in the user to
the desired VPN and executes a previously configured port forwarder link
• Support for customizing the Web Portal, for example, color, logo, language and company
name.
• Three user views available (novice, medium and advanced) to limit access to Portal
tabs.
• Support for automatic redirection of requests to another URL (Portal pass-through).
• Support for Portal bookmarks.
• Ability to specify domains for which single sign-on is allowed.
• Net Direct client (SSL). VPN client temporarily downloaded from the Portal and removed
when the user exits the session. On Windows, Net Direct is also available as an installable
client (setup.exe file).
Transparent Mode Access
Access to intranet resources in transparent mode, that is, without going through the Web Portal, is accomplished using Windows VPN clients installed on the client PCs. In this mode, remote users will experience network access as if sitting within the local area network. The following VPN clients are available:
• Avaya SSL VPN client (TDI and LSP version).
• Avaya VPN client (formerly the Contivity VPN client). Not supported on the ASA 310, ASA 310-FIPS and ASA 410 hardware models.
• Net Direct installable client.
Bandwidth Management
Bandwidth Management (BWM) enables administrators to allocate a portion of the available bandwidth to specific users or groups. Each bandwidth policy has a lower and an upper bound. The lower bound (soft limit) is guaranteed; the upper bound (hard limit) is available as the traffic requires it. BWM provides bandwidth policy management for user traffic and IPsec Passthrough. For more information about configuration, see the Avaya VPN Gateway CLI Application Guide (NN46120-101).
User Authentication
User authentication is supported using the following methods:
• RADIUS (including Challenge/Response)
• LDAP (including Microsoft Active Directory)
• NTLM (Windows NT Domain, including Microsoft Active Directory)
• Secure Computing SafeWord (RADIUS)
• Netegrity SiteMinder
• RSA SecurID (native or through RADIUS)
• RSA ClearTrust
• ActivCard (RADIUS)
• Novell NDS/eDirectory (LDAP)
• Client certificate authentication
• Local database authentication
• SSL Secondary authentication
• IPsec Two Factor authentication
User Authorization
User authorization is controlled through the user's group membership. Two different
authorization profile types are supported:
• The base profile defines a group member's access rights to networks, services and
paths.
• The extended profile (optional) also defines a group member's access rights depending on conditions related to the user's connection, for example, source network, authentication method, access method, client certificate installed and/or Tunnel Guard checks passed.
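As an added example of how a base profile and conditional extended profiles combine (written for this page; not AVG code, and the profile layout, condition names and sample data are constructed), the evaluator below grants the first extended profile whose conditions all hold for the session and otherwise falls back to the base profile. "First match wins" is an assumption about precedence, not something the page states; whatever rule a real gateway uses, the point for a reviewer is that the ordering of extended profiles decides whether a session from an untrusted network with a weaker authentication method can end up with broader rights than the base profile.

```python
"""Base/extended authorization profile evaluator (illustrative, not AVG code)."""
import ipaddress


def _condition_holds(condition, session):
    """All keys of an extended-profile condition must match the session.
    'source_network' is a CIDR test; every other key is compared for equality."""
    for key, want in condition.items():
        if key == "source_network":
            if ipaddress.ip_address(session["source_ip"]) not in ipaddress.ip_network(want):
                return False
        elif session.get(key) != want:
            return False
    return True


def effective_access(group, session):
    """Return the rights for this session: first matching extended profile,
    otherwise the group's base profile (precedence rule is an assumption)."""
    for profile in group.get("extended", []):
        if _condition_holds(profile["when"], session):
            return profile["access"]
    return group["base"]


# Constructed sample group: base rights, plus two extended profiles.
ENGINEERING = {
    "base": {"networks": ["10.1.0.0/16"], "services": ["http", "https"]},
    "extended": [
        {   # Corporate source network, certificate present, endpoint check passed: wider access
            "when": {"source_network": "192.0.2.0/24", "client_cert": True, "tunnel_guard_passed": True},
            "access": {"networks": ["10.1.0.0/16", "10.2.0.0/16"], "services": ["http", "https", "ssh"]},
        },
        {   # Password-only RADIUS logins from anywhere: narrower than base
            "when": {"auth_method": "radius", "client_cert": False},
            "access": {"networks": ["10.1.0.0/16"], "services": ["https"]},
        },
    ],
}

# Constructed sample sessions
TRUSTED = {"source_ip": "192.0.2.10", "auth_method": "cert", "client_cert": True, "tunnel_guard_passed": True}
REMOTE_RADIUS = {"source_ip": "203.0.113.5", "auth_method": "radius", "client_cert": False, "tunnel_guard_passed": False}
REMOTE_LDAP = {"source_ip": "203.0.113.6", "auth_method": "ldap", "client_cert": False, "tunnel_guard_passed": True}


if __name__ == "__main__":
    for name, s in [("trusted", TRUSTED), ("remote radius", REMOTE_RADIUS), ("remote ldap", REMOTE_LDAP)]:
        print(name, effective_access(ENGINEERING, s))
```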
Client Security
• Avaya Endpoint Access Control Agent. Feature for checking the security aspects of the
remote PC client, that is, installed antivirus software, DLLs, executables and so on.
• WholeSecurity support. Lets you enable a scan of the client PC before the remote user is allowed to log in to the VPN.
• User session auto-logoff.
• Cache and browser history automatically cleared (only for Internet Explorer).
Accounting and Auditing
• Support for logging user session start and stop messages to a syslog or RADIUS
accounting server. The messages can include VPN ID, user name, gateway address,
session ID, session time and cause of termination.
• Support for logging CLI and Web User Interface operations (for example, login, logout
and executed operation) to a syslog or RADIUS accounting server.
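The session start and stop messages described above are only useful if something on the receiving end pairs them up. The following is an added example, not Avaya code and not the VPN Gateway's actual message format: the syslog lines, their key=value layout and the cause names (user-logout, idle-timeout, admin-kill) are constructed for the example. It pairs start and stop records by session ID, computes session duration, and surfaces the two conditions an auditor usually wants flagged: sessions that started but never stopped, and stop records with no matching start.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample syslog lines. The field names and layout are an assumption
# made for this example; they are not the VPN Gateway's real accounting format.
SAMPLE_LOG = """\
<134>Apr 10 09:01:02 avg1 avg: session start vpn=1 user=alice gw=10.0.0.1 sid=1001
<134>Apr 10 09:05:00 avg1 avg: session start vpn=2 user=bob gw=10.0.0.2 sid=1002
<134>Apr 10 09:06:00 avg1 avg: session stop vpn=2 user=bob gw=10.0.0.2 sid=1002 time=60 cause=idle-timeout
<134>Apr 10 09:31:02 avg1 avg: session stop vpn=1 user=alice gw=10.0.0.1 sid=1001 time=1800 cause=user-logout
<134>Apr 10 09:40:00 avg1 avg: session start vpn=1 user=carol gw=10.0.0.1 sid=1003
<134>Apr 10 09:41:00 avg1 avg: session stop vpn=1 user=dave gw=10.0.0.1 sid=1004 time=30 cause=admin-kill
"""

# <PRI>timestamp host process: session start|stop key=value ...
LINE_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: "
    r"session (?P<event>start|stop) (?P<kv>.*)$"
)


def parse_line(line: str):
    """Return (timestamp, event, fields) or None if the line is not a session record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog has no year
    return ts, m.group("event"), fields


def summarize_sessions(log_text: str):
    """Pair start/stop records by session id.

    Returns (closed, open_sids, stop_without_start):
      closed             -> {sid: {"user", "vpn", "gw", "seconds", "cause"}}
      open_sids          -> sessions that started but never reported a stop
      stop_without_start -> stop records whose start was never seen (gap in logging,
                            or a record to investigate)
    """
    starts: Dict[str, Tuple[datetime, Dict[str, str]]] = {}
    closed: Dict[str, Dict[str, object]] = {}
    stop_without_start: List[str] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, f = parsed
        sid = f["sid"]
        if event == "start":
            starts[sid] = (ts, f)
            continue
        if sid not in starts:
            stop_without_start.append(sid)
            continue
        start_ts, start_f = starts.pop(sid)
        closed[sid] = {
            "user": f.get("user", start_f.get("user")),
            "vpn": f.get("vpn", start_f.get("vpn")),
            "gw": f.get("gw", start_f.get("gw")),
            # prefer the gateway's own session time; fall back to the timestamp delta
            "seconds": int(f.get("time", (ts - start_ts).total_seconds())),
            "cause": f.get("cause", "unknown"),
        }
    return closed, sorted(starts), stop_without_start


def sessions_by_cause(closed, cause: str) -> List[str]:
    """Session ids terminated for the given cause, e.g. to review administrator kills."""
    return sorted(sid for sid, s in closed.items() if s["cause"] == cause)


if __name__ == "__main__":
    closed, open_sids, orphans = summarize_sessions(SAMPLE_LOG)
    for sid, s in closed.items():
        print(sid, s)
    print("still open:", open_sids)
    print("stop without start:", orphans)
```

Feeding the constructed log through summarize_sessions pairs sessions 1001 and 1002, reports 1003 as still open and 1004 as a stop without a start. In a real deployment the regular expression and field names must be adapted to the message format the gateway actually emits.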
Comments? infodev@avaya.com
Networking
Software Features
• Supports creating multiple interfaces within a cluster, for example, to separate client traffic
and management traffic.
• Support for clustering over multiple subnets.
• Supports assigning two physical network ports to one interface, to create a port failover
(high availability) solution where one VPN Gateway is attached to two Application
Switches.
Secure Service Partitioning
The AVG software provides the ability to partition a cluster of VPN Gateways into separate
VPNs. This gives service providers (ISPs) the possibility to host multiple VPN end-customers
on a shared Remote Access Services (RAS) platform. Requires a license.
• Supports hosting of up to 250 public termination points for end-customer SSL and IPsec
VPNs.
• Secure VPN binding. Each VPN is bound to a private IP interface. VLAN tagging can be
used when private IP address spaces overlap.
• Private network authentication. Existing authentication servers within the customer's
private network can be used.
• Access control. Unique access rules can be specified for each user group in the various
VPNs.
• Private network name resolution. If desired, private network DNS servers can be mapped
to the VPN.
• Split administration. VPN Portal management is enabled for each VPN customer through
a web interface, without exposing global administration access.
• High availability. The Secure Service Partitioning solution is compatible with the AVG
cluster's high availability solutions.
Branch Office Tunnels
The AVG software provides the ability to configure IPsec-based branch office tunnels. Several
peer-to-peer branch office tunnels can be configured for each virtual private network (VPN).
The following number of branch office tunnels can be configured per hardware model:
• AVG 3050-VM: 500
• AVG 3070-VM: 1000
• AVG 3090-VM: 3000
For example, a cluster of two AVG 3070-VMs supports 2000 branch office tunnels.
Portal Guard
Feature used to "convert" an existing HTTP site to generate HTTPS links, secure cookies and
so on. The VPN Gateway will not only handle the SSL processing but also see to it that all
existing web links are rewritten to HTTPS. This eliminates the need to rewrite each link
manually. Requires a license.
SSL Acceleration
The AVG software also includes features for SSL acceleration. Note that these features in
some cases require interoperation with an Application Switch.
• Supports accelerated SSL processing by offloading SSL encryption and decryption from
backend servers.
• Supports load balancing of encrypted and unencrypted traffic for up to 256 backend
servers, with health checking and persistent client connections.
• Ability to create multiple clusters of VPN Gateways, each capable of serving its own group
of real servers.
• Supports rewriting of client requests.
• Ability to transmit additional information to the backend servers.
• Supports end-to-end encryption.
• Compatible with all Application Switches, Avaya Web Switches and comparable switches
from other vendors.
SSL Acceleration is covered in the Avaya Application Guide for SSL Acceleration.
Scalability and Redundancy
• Support for 256 VPN Gateways per cluster
• Support for 256 virtual SSL servers
• Provides dynamic plug and play – VPN Gateways can be added to or removed from a
cluster dynamically without disrupting network traffic
• Provides a single system image (SSI) – all VPN Gateways in a given cluster are
configured as a single system
• High level of redundancy in the master/slave cluster design; even if three master VPN
Gateways in a cluster fail, the remaining slave AVGs will still be operational and can
accept configuration changes
Certificate and Key Management
• Server and client authentication
• Generation and revocation of client certificates
• Automatic retrieval of certificate revocation lists (CRLs)
• Validation of private keys and certificates
• Generation of certificate signing requests (CSRs)
• Generation of self-signed certificates
Public Key Infrastructure
• RSA pair key generation
• Server certificate enrollment
• Server key and certificate import/export
• Key and certificate renewal
Supported Key and Certificate Formats
• PEM
• DER
• NET
• PKCS12
• PKCS8
• KEY(MS IIS4.0)
Supported Handshake Protocols
• SSL versions 2.0, 3.0
• TLS version 1.0
Hash Algorithms
• Message Digest 5 (MD5)
• SHA1
Cipher Suites
All ciphers covered by SSL version 2.0, 3.0 and TLS version 1.0, except the IDEA and
FORTEZZA ciphers. Also see Supported Ciphers on page 157.
Management
• Web User Interface (HTTP or HTTPS).
• Command Line Interface (CLI) access through Telnet/SSH or serial port.
• SNMP version 1, version 2c and version 3.
• RADIUS authentication of CLI/BBI administrator users (including console access).
Statistics
• Statistics can be viewed per access method (SSL or IPsec) for the whole cluster as well
as for specific VPN Gateways, SSL servers and VPNs.
• Support for histograms, for example, to measure transactions per second (TPS) and
throughput.
Virtual Desktop
Symantec On-Demand Agent (SODA) provides a Virtual Desktop environment to secure Web-
based applications and services. Virtual Desktop is a Java application that provides protection
against loss or theft of sensitive information. Files created while in the virtual desktop are
encrypted as they are saved to a hard drive or removable media. Integrating Virtual Desktop
with AVG will provide a secure environment for end users while accessing confidential
information.
Secure Portable Office (SPO) client
The SPO client provides VPN access from portable storage such as USB flash memory and
CD-ROM.
The SPO client provides enhanced mobility, portability, and security compared to traditional
VPN access methods. You can deploy and manage the SPO client from the AVG server to
simplify SPO client maintenance and updates.
SPO Release 9.0 in virtual mode supports the following software in Windows 32 bit and 64 bit
platforms:
• Software released with Avaya Contact Center:
- Microsoft Data Access 2.8
- Jet Database Engine 4.0
- Microsoft .Net Framework 3.5
- Avaya Contact Center Express Desktop 5.0
- Avaya One-X Agent 2.0
Secure Portable Office Client Release 9.0, in virtual mode, supports the following software in
Windows 32-bit and 64-bit platforms.
• Oracle Java Runtime Environment 1.7
• Avaya 2050 IP Softphone 4.2
• Avaya customized Ceedo 4.x
• Net Direct x64 bit support for Release 9.0
• Microsoft IE9
• Mozilla Firefox 7.x
For more information about Secure Portable Office Client, see Configuration - Secure Portable Client Guide.