How it Works
Avaya
Loading...
T
U
V
W
X
Loading...
Loading...
VPNmanager
User Manual
326 pgs3.14 Mb0
Table of contents
Loading...

Avaya VPNmanager User Manual

VPNmanager® Configuration Guide
Release 3.7
670-100-600
Issue 4
May 2005
Copyright 2005, Avaya Inc. All Rights Reserved
Every effort was made to ensure that the information in this document was complete and accurate at the time of release. However, information is subject to change.
Warranty
Avaya Inc. provides a limited warranty on this product. Refer to your sales agreement to establish the terms of the limited warranty. In addition, Avaya’s standard warranty language as well as information regarding support for this product, while under warranty, is available through the following website:
http://www.avaya.com/support
Preventing Toll Fraud
“Toll fraud” is the unauthorized use of your telecommunications system by an unaut horized pa rty (for exam ple, a person who is not a corporate employee, agent, subcontractor, or is not working on your company's behalf). Be aware that there may be a risk of toll fraud associated with your system and that, if toll fraud occurs, it can result in substantial additional charges for your telecommunications services.
Avaya Fraud Intervention
If you suspect that you are being victimized by toll fraud and you need technical assistance or support, in the United States and Canada, call the Technical Service Center's Toll Fraud Intervention Hotline at 1-800-643-2353.
Disclaimer
Avaya is not responsible for any modifications, additions or deletions to the original published version of this documentation unless such modifications, additions or deletions were performed by Avaya. Customer and/or End User agree to indemnify and hold harmless Avaya. Avaya’s agents, servants and employees against all claims, lawsuits, demands and judgements arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation to the extent made by the Customer or End User.
How to Get Help
For additional support telephone numbers, go to the Avaya Web site:
http://www.avaya.com/support/. If you are:
Within the United States, click Escalation Manageme nt link. Then click the appropriate link for the type of support you need.
Outside the United States, click Escalation Management link. Then click International Services link that includes telephone numbers for the International C ent ers of Excel lenc e.
Providing Telecommunications Security
Telecommunications security (of voice, data, and/or video communications) is the prevention of any type of intrusion to (that is, either unauthorized or malicio us access to or use of) your company's telecommunications equ ipm ent by some part y.
Your company's “telecommunications equipment” includes both this Avaya product and any other voice/data/video equipment that could be accessed via this Avaya product (that is, “networked equipment”).
An “outside party” is anyone who is not a corporate employee, agent, subcontractor, or is not working on your company's behalf. Whereas, a “malicious party” is anyone (including someone who may be otherwise authorized) who accesses your telecommunications equipment with either malicious or mischievous intent.
Be aware that there may be a risk of unauthorized intrusions associated with your system and/or its networked equipment. Also realize that, if such an intrusion should occur, it could result in a variety of losses to your company (including but not limited to, human/data privacy, intellectual property, material assets, financial resources, labor costs, and/or legal costs).
Responsibility for Your Company’s Telecommunications Security
The final responsibility for securing both this system and its networked equipment rests with you - Avaya’s customer system administrator, your telecommunications peers, and your managers. Base the fulfillment of your responsibility on acquired knowledge and resources from a variety of sources including but not limited to:
Installation documents
System administration documents
Security documents
Hardware-/software-based security tools
Shared information between you and your peers
Telecommunications secu ri ty expe rts
To prevent intrusions to your telecommunications equipment, you and your peers should carefully program and configure:
Your Avaya-provided telecommunications systems and their interfaces
Your Avaya-provided software applications, as well as their underlying hardware/software platforms and interfaces
Any other equipment networked to your Avaya products.
TCP/IP Facilities
Customers may ex perien ce dif fer ences i n prod uct p erforma nce, relia bili ty and security depending upon network configurations/design and topologies, even when the product performs as warranted.
Standards Compliance
Avaya Inc. is not responsible for any radio or television interference caused by unauthorized modifications of this equipment or the substitution or attachment of connec ting cab le s and equ ipme nt oth er than those specified by Avaya Inc. The correction of interference caused by such unauthorized modifications, substitution or attachment will be the responsibility of the user. Pursuant to Part 15 of the Federal Communications Commission (FCC) Rules, the user is cautioned that changes or modifications not expressly approved by Avaya Inc. could void the user’s authority to operate this equipment.
Product Safety Standards
This product complies with and conforms to the following international Product Safety standards as applicable:
Safety of Information T echnology Equipment, IEC 60950, 3rd Edition including all relevant national deviations as listed in Compliance with IEC for Electrical Equipment (IECEE) CB-96A.
Safety of Information Technology Equipment, CAN/ CSA-C22.2 No. 60950-00 / UL 60950, 3rd Edition
Safety Requirements for Customer Equipment, ACA Technical Standard (TS) 001 - 1997
One or more of the following Mexican national standards, as applicable: NOM 001 SCFI 1993, NOM SCFI 016 1993, NOM 019 SCFI 1998
Electromagnetic Compatibility (EMC) Standards
This product complies with and conforms to the following international EMC standards and all relevant national deviations:
Limits and Methods of Measurement of Radio Interference of Information Technology Equipment, CISPR 22: 199 7 and EN5 50 22: 199 8.
Such intrusions may be either to/through synchronous (time-multiplexed and/or circuit-based) or asynchronous (character-, message-, or packet- based) equipment or interfaces for reasons of:
Utilization (of capabilities special to the accessed equipment)
Theft (such as, of intellectual property, financial assets, or toll-facility access)
Eavesdropping (priv acy invasions to humans)
Mischief (troubling, but apparently innocuous, tampering)
Harm (such as harmful tampering, data loss or alteration, regardless of motive or intent)
Information Technology Equipment – Immunity Characteristics – Limits and Methods of Measurement, CISPR 24:1997 and EN55024:1998, including:
Electrostatic Discharge (ESD) IEC 61000-4-2
Radiated Immunity IEC 61000-4-3
Electrical Fast Transient IEC 61000-4-4
Lightning Effects IEC 61000-4-5
Conducted Immunity IEC 61000-4-6
Mains Frequency Magnetic Field IEC 61000-4-8
Voltage Dips and Variations IEC 61000-4-11
Powerline Harmonics IEC 61000-3-2
Voltage Fluctuations and Flicker IEC 61000-3-3
Federal Communications Commission Statement
Part 15:
Note: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment gener ates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense.
Canadian Department of Communications (DOC) In terference Information
This Class A digital apparatus complies with Canadian ICES-003.
Cet appareil numérique de la classe A est conforme à la norme NMB-003 du Canada.
This equipment meets the applicable Industry Canada Terminal Equipment Technical Specifications. This is confirmed by the registration number. The abbreviation, IC, before the registration number signifies that registration was performed based on a Declaration of Conformity indicating that Industry Canada technical specifications were met. It does not imply that Industry Canada approved the equipment.
DECLARATIONS OF CONFORMITY United States FCC Part 68 Supplier’s Declaration of Conformity
(SDoC)
Avaya Inc. in the United States of America hereby certifies that the equipment described in this document and bearing a TIA TSB-168 label identification number complies with the FCC’s Rules and Regulations 47 CFR Part 68, and the Administrative Council on Terminal Attachments (ACTA) adopted technical criteria.
Avaya further asserts that Avaya handset-equipped terminal equipment described in this document complies with Paragraph 68.316 of the FCC Rules and Regulations defining Hearing Aid Compatibility and is deemed compatible with hearing aids.
Copies of SDoCs signed by the Responsible Party in the U. S. can be obtained by contacting your local sales representative and are available on the following Web site:
http://www.avaya.com/support
Japan
This is a Class A product based on the standard of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If this equipment is used in a domestic environment, radio disturbance may occur, in which case, the user may be required to take corrective actions.
China
BMSI (Chinese Warning Label)
Hardware, including technical data, is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countrie s. Customer agrees to comply strictly with all such regulations and acknowledges that it has the responsibility to obtain licenses to export, re-export, or import hardware.
Acknowledgments:
This product includes software developed by the Apache Software Foundation (http://www.apache.org).
Environmental Health and Safety:
!
WARNING:
Risk of explosion if battery is replaced by an incorrect type. Dispose of used batt e ries accor ding to Avaya Environmental Health and Safet y guidelines.
Documentation:
For the most current versions of documentation, go to the Avaya support Web site: http://www.avaya.com/support/
All Avaya media servers and media gateways are compliant with FCC Part 68, but many have been registered with the FCC before the SDoC process was available. A list of all Avaya registered products may be found at:
http://www.part68.org/
by conducting a search using “Avaya” as manufacturer.
European Union Declarations of Conformity
Avaya Inc. declares that the equipment specified in this document bearing the “CE” (Conformité Europeénn e) mark conforms to the European Union Radio and Telecommunications Terminal Equipment Directive (1999/5/EC), including the Electromagnetic Compatibility Directive (89/336/EEC) and Low Voltage Directive (73/23/EEC). This equipment has been certified to meet CTR3 Basic Rate Interface (BRI) and CTR4 Primary Rate Interface (PRI) and subsets thereof in CTR12 and CTR13, as applicable.
Copies of these Declarations of Conform ity (DoCs) can be obtai ne d by contacting your local sales representative and are available on the following Web site:
http://www.avaya.com/support

Contents

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
What Products are Covered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
VPNmanager Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Network-wide Visibility and Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Intranet and Extranet Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Secure VPN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
No Special Consoles Required . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Complementary to SNMP Management Tools . . . . . . . . . . . . . . . . . . . . . . . . 17
Using VPNmanager Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
How This Book Is Organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Contacting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Chapter 1: Overview of implementation . . . . . . . . . . . . . . . . . . . . . . . . . 21
Components of the Avaya security solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Security gateways. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
VPNremote Client software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
VPNmanager software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Overview of the VPN management hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Preparing to configure your network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Security gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
IP groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Remote users and user groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Security policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
VoIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Additional features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Syslog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Client IP address pooling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
SSL for Directory Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Sequence to configure your VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
Issue 4 May 2005 5
Contents
Chapter 2: Using VPNmanager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
About VPNmanager administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Role Based Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Log into the VPNmanager console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Add a policy server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Open Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Navigating the main window. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
File menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Edit menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
View menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Tools menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Help menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
VPN view pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Network Diagram View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Tiled View. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Tree View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Alarm monitoring pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Configuration Console window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Configuration Console Menu bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
File menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Edit menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
View menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Tools menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Contents pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Details pane. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Update Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
General tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Dyna Policy Defaults (User). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Dyna Policy Defaults (Global). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Dyna Policy Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Remote Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Alarm/Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
TEP Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
6 Avaya VPNmanager Configuration Guide Release 3.7
Chapter 3: Setting up the network . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
New VPN Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Configuring a security gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Creating a new security gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Using Device tabs to configure the security gateway . . . . . . . . . . . . . . . . . . . . . . . 59
General tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Memo tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
DNS tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Configuring the DNS tab for security gateways at 4.3 or later . . . . . . . . . . . . . . 63
Configuring the DNS tab for VSU at VPNos 4.2 or earlier . . . . . . . . . . . . . . . . 65
Interfaces tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Options for IP addressing for interface zones . . . . . . . . . . . . . . . . . . . . . . 70
Static addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
DHCP addressing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Point-to-Point Protocol Over Ethernet (PPPoE) Client . . . . . . . . . . . . . . . . . . 71
Local DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Static . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Changing network interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Private port tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Adding an IP Device Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
None . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Device users tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Network Object tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Default Gateway for VPN Traffic (VPNos 3.X) . . . . . . . . . . . . . . . . . . . . . . . . 83
Policies tab, NAT services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
About NAT types for VPNos 4.31 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Configuring NAT (VPNos 4.31) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
About NAT types for VPNos 3.X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
NAT applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Accessing the Internet from private networks. . . . . . . . . . . . . . . . . . . . . . . 89
Setting up VPN with overlapping private addresses . . . . . . . . . . . . . . . . . . . 90
Using NAT to support multiple gateway configurations . . . . . . . . . . . . . . . . . . 92
Interface for VPNos 4.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Add NAT Rule (VPNos 4.2 or earlier). . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Original . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Tunnel NAT rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Contents
Issue 4 May 2005 7
Contents
Chapter 4: Configuring IP Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
About IP Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Creating a New IP Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
New IP Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
IP Group - General tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Add IP Group member. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Configuring an IP Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Configuring an IP Group that connects to an extranet . . . . . . . . . . . . . . . . . . . . 102
Delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Memo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Chapter 5: Configuring remote access users . . . . . . . . . . . . . . . . . . . . . . 105
Default client configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Using dyna-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Configuring a global dyna-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Dyna-Policy Defaults (User) tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
VPN configuration files on remote user’s computer . . . . . . . . . . . . . . . . . . . 108
Disable split tunneling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Dyna-Policy Defaults (Global) tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Dyna-Policy Authentication tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Local authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
RADIUS authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
LDAP authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Dynamic VPNs (VPNos 3.x) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Remote Client tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Client DNS resolution redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Client DNS resolution redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Remote Client inactivity connection time-out (VPNos 3.x) . . . . . . . . . . . . . . . . 112
Send Syslog messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Configure a default CCD with global dyna-policy . . . . . . . . . . . . . . . . . . . . . . . . . 113
Creating new user object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Default user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
About creating individual dynamic-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
User - General tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Memo tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Dyna-Policy tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Actions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Configuring a remote user object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
8 Avaya VPNmanager Configuration Guide Release 3.7
Information for VPNremote Client users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Using local authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Using RADIUS authentication (VPNos 3.X and VPNos 4.31) . . . . . . . . . . . . . . 120
Using LDAP authentication (VPnos 3.X only). . . . . . . . . . . . . . . . . . . . . . . 120
Using Policy Manager for user configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Client IP address pool configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Add Client IP address pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Add Client DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Add Client WINS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
To configure the Client IP configuration. . . . . . . . . . . . . . . . . . . . . . . . . . 122
Configuring client attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Creating a message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Enforce brand name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
RADIUS/ACE Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Enable RADIUS/ACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
RADIUS concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
The RADIUS protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
Add (RADIUS/ACE server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Authenticating (secret) password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
RADIUS server data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
To add a RADIUS server: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Contents
Chapter 6: Configuring user groups . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
New user group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
User Group - General tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
User Group - Memo tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
User Group - Actions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Configuring a user group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Chapter 7: Configuring VPN objects . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Types of VPN objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
SKIP VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
IKE VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
VPN packet processing modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Default VPN policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Creating a new VPN object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Creating a default VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Creating a designated VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Issue 4 May 2005 9
Contents
Using the VPN tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
General tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
General tab with IKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
General tab with SKIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Memo tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Members-Users tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Members-IP Groups tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Security (IKE) tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Pre-Shared Secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Security (IPSec) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
IPSec Proposals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Add IPSec proposal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Actions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
VPN configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Rekey site-to-site VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Rekey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Advanced VPN tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Configuring a SKIP VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Configuring an IKE VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Enabling CRL checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Exporting a VPN object to an extranet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
VPN Object export checklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Export procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Importing a VPN object from an extranet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Rekeying a VPN object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Chapter 8: Establishing security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Firewall rules set up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Levels of firewall policy management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Firewall rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Domain level firewall rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Device level firewall rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Priority of Firewall rules versus NAT rules . . . . . . . . . . . . . . . . . . . . . . . . 167
Setting up firewall rules for FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
FTP and Firewall/NAT Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Security Gateways and FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Firewall templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Predefined templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
User defined templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
10 Avaya VPNmanager Configuration Guide Release 3.7
Contents
Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Device Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Voice Over IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Using the IP Trunking Call Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Using the LRQ Required checkbox of the IP Trunking Call Model . . . . . . . . . . . . 176
Using the Gatekeeper Routed Call Model. . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Add gatekeeper settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
QoS policy and QoS mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180
QoS Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
QoS mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Packet Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
What can be filtered. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Packet Filtering and NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Permit/Deny non-VPN traffic Radio Buttons . . . . . . . . . . . . . . . . . . . . . . . 186
Add Packet Filtering Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
From/Where. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188
To Where . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
The Filtering Policy in progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Locating this filtering policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
The filtering policy in progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Running the packet filtering policy wizard. . . . . . . . . . . . . . . . . . . . . . . . . 189
Running the Policy Manager for packet filtering . . . . . . . . . . . . . . . . . . . . . 190
Starting and stopping filtering services . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Managing the ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Configuring advanced filtering options . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Marking packets for differentiated services (QoS) . . . . . . . . . . . . . . . . . . . . . . 192
About Differentiated Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
How a VSU marks packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Types of marking rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
How to create a packet marking rule . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Packet filtering firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Add firewall policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
Chapter 9: Using advanced features . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Device Advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Path MTU Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .201
NAT Traversal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Issue 4 May 2005 11
Contents
Port for dyna-policy download. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Port for Secure Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Private IP Address (VPNos 3.x). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Send Device Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205
SuperUser Password (VPNos 3.x) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Tunnel Persistence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
TEP Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Add servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .210
Managing the server list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Resilient Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Tunnel Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Creating a resilient tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Add resilient tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Managing the resilient tunnel list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Stopping and starting resilient tunnel services . . . . . . . . . . . . . . . . . . . . . . . . 217
Primary end-point service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Secondary end-point service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Failover TEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Configuring failover TEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .219
Advanced Action. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Switch Flash. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Reset password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Disable FIPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Virtual addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Advanced parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Configuring high availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .224
Creating a High Availability Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Updating a high availability group using Update Device . . . . . . . . . . . . . . . . . 225
Deleting a high availability group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Failover reconnect. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Converged Network Analyzer Test Plug. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Keep Alive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
12 Avaya VPNmanager Configuration Guide Release 3.7
Policy Manager - My Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
About VSU certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Creating and Installing a Signed Certificate. . . . . . . . . . . . . . . . . . . . . . . . 235
Switching certificates used by VPNmanager Console . . . . . . . . . . . . . . . . . . 237
Issuer certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
About Issuer Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Installing an issuer certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
IKE Certificate Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
About Certificate Usage (Exchange) . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Assigning a Target for a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Chapter 10: Monitoring your network . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Using SNMP to monitor the device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245
Adding Admin Users for SNMPv3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
VPN active sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Syslog Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Add Syslog Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Using Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Enterprise MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Monitoring wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Define Custom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Monitoring wizard (Presentation) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Presentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .268
Monitoring alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Alarm Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269
Contents
Report Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Generating the report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Device diagnostics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Chapter 11: Device management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Using the Management tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Setting Up SSH and Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Changing device administrator’s passwords . . . . . . . . . . . . . . . . . . . . . . . . . 276
Using the Connectivity tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Check connectivity by ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .278
Check Connectivity by Proxy Ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Using the Device Actions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Update Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Reset Device Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Reboot Device. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Issue 4 May 2005 13
Contents
Re-setup Device. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Import Device Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Ethernet Speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Redundancy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Network Interface Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Importing and exporting VPN configurations to a device . . . . . . . . . . . . . . . . . . . . . 284
Export VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Exporting RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Chapter 12: Upgrading firmware and licenses . . . . . . . . . . . . . . . . . . . . . 287
Centralized firmware management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Device - Upgrade tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Upgrading a security gateway’s firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Encryption Strength . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Remote Access (VSU-100 Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Appendix A: Using SSL with Directory Server . . . . . . . . . . . . . . . . . . . . . 293
When to Configure your VPNmanager for SSL . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Installing the issuer’s certificate in the policy server and
the VPNmanager Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294
Windows NT and Windows 2000 Computers . . . . . . . . . . . . . . . . . . . . . . . . . 294
Solaris OS Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .295
Installing the Issuer’s Certificate into a security gateway . . . . . . . . . . . . . . . . . . . . . 295
Appendix B: Firewall rules template . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Public zone firewall templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Private zone firewall templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Semi-private zone firewall templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .305
DMZ zone firewall templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Management zone security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Converged Network Anaylyzer template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
14 Avaya VPNmanager Configuration Guide Release 3.7

Preface

This Avaya VPNmanager® Configuration Guide is written for individuals who have an understanding of how computer networks are installed, configured, and managed. It provi des detailed information about using the Avaya VPNmanager solution to build small, medium, or large scale Virtual Private Networks (VPNs).
VPNmanager is a Java-based software application that brings convenience, ease of use, extended functionality, and platform independence to the management of VPNs.

What Products are Covered

Avaya’s solut ion i s a li ne of thr ee pr oduct s that ar e used for managi ng V ir tual Privat e Networks. Each one, listed below, has been designed to meet the needs and requirements of either a small, medium, or large network.
VPNmanager Service Provider
VPNmanager Enterprise

VPNmanager Overview

The VPNmanager application lets network managers def ine, configure, and manage Virtual Private Networks (VPNs) from any location equipped with a computer running Window NT, Window 2000, Windows 2003 Server, or Solaris.
Network managers can configure and check the status of Avaya security gateways and VPN Service Units (VSU), add or remove remote sites and dial-in users to a VPN, configure user authentication servers using LDAP directo ry servers or RADIUS servers, and monitor the state of all security gateways, as well as the perfor man ce of private data transmissions using Java-interface technology.
Issue 4 May 2005 15
Preface

Network-wide Visibility and Control

The logical VPNmanager representation of virtual private networks simplifies their installation and control. From a single workstation, network managers can assign users anywhere on the network to one or more logical Groups and integrate local and remote Groups into VPNs. The VPNmanager software provides global-level, VPN-level, group-level, client-level and equipment-level monitoring and control capabilities, and automates the task of managing configurations across multiple security gateways and Avaya VPNremote® Clients. Extensive alarm-reporting and statistics-gathering capabilities allow network managers to respond in real time to hardware, network, and security p roblems, and t o plan the ef ficient growth and ev olution of their networks.

Intranet and Extranet Support

The VPNmanager software makes it easy to extend intranet servi ces to remote sites and users securely. In addition, the VPNmanager’s sophisticated import and export capabilities enable network managers from different organizations to securely link with one another into private wide-area “extranets.” Companies can quickly link and unlink to their suppliers, customers, consultants, and other business associates with flexibility and speed unmatched by tr aditional communications services.

Secure VPN Configuration

Several mechanisms are employed to insure sec uri ty when ma naging VPNs. I ndustry -st andard Secure Socket Layer (SSL) technology is used to keep confi guration traffic between the VPNmanager and VSUs private. In addition, X.509 certificates are used by both VSUs and the VPNmanager console providing an authentication capability, thus allowing only authorized administrators to configure VSUs. Once authenticated, administrators can configure, modify, restart, or upgrade any securi ty gateway in the corporate network. Finally, sensitive cryptographic keying informati on stored in the VPNmanager database is encrypted using a password key to prevent compromising secure network traffic.

No Special Consoles Required

The VPNmanager software runs on host environment s that support the Java Virtual Machine (see the VPNmanager README file for a current list of supported platforms). Expensive management consoles and proprietary management interfaces are not needed. Regardless of the host platform, the VPNmanager software presents the same appearance and user controls.
16 Avaya VPNmanager Configuration Guide Release 3.7

Complementary to SNMP Management Tools

Note:
The VPNmanager software is designed specifically for securely defining, configuring, monitoring, and upgrading VPNs. The VPNmanager software is required to configure and modify VPNs. Secure traffic running between VSUs or between VSUs and VPNremote Clients does not require an active VPNmanager . After c onfiguring the required VPNs, the VPNmanager can be shutdown if desired, or used to monitor securi ty gateway activity. In addition, standard MIBs available with the VSUs enable monitoring from standard SNMP management stations.

Using VPNmanager Help

The VPNmanager comes with a context-sensitive-Help system. Use the Help system for gett ing information about a specific command in the VPNmanager graphical user interface (GUI).

Related Documentation

Related Documentation
Be sure to read the VPNos Configur ation Gui de. I t contains important information on the proper procedure for setting up your VSUs, which is a prerequisite to setting up a Virtual Private Network.
VPNremote Client software inst al lati on an d usage inf ormation is found in the VPNremote Cl ient Administrator’s Guide. This software allows the network administrator to pre-configure the VPNremote client software for distribution to end users via the web, or on portable storage media such as a CD or floppy disk.
You can download these documents from www.avaya.com. Click on Product Documentation, select VPN and Security.

How This Book Is Organized

With this release of VPNmanager, the administrator’s guide was redesigned to present information in the order that you use VPNmanager to configure a secure network.
Note: Depending on the VPNmanager version, some features described in this guide
may not apply.
Issue 4 May 2005 17
Preface
Chapter 1: Overview of implementation, provides an overview of how to use VPNmanger for
centralized administration of your VPN and security gateway. It includes a checklist for implmeneting the network.
Chapter 2: Using VPNmanager
, explains how to log in to VPNmanager. It also explains how to use the VPNmanager interface, including the VPNmanager main console and the configuration console. The VPNmanager Preferences are described here.
Chapter 3: Setting up the network
, explains how to create a domain and creat e and configur e a security gateway. This chapter explains how to configure the Device object, including mu ltiple zones, NAT services, DNS, and Static Route.
Chapter 4: Configuring IP Groups
, describes how to configure IP Group Objects for Data Terminal Equipment (DTE) such as computers, printers, and network servers as members of your VPN.
Chapter 5: Configuring remote access users
, describes how to setup and maintain individual remote access users in the VPN. This chapter includes Dyna-Policy configuration and information about the Policies tab including Client IP configuration RADIUS/ACE services, and client attributes
Chapter 6: Configuring user groups
, describes how to setup and maintain logical groups that
the individual VPN remote users reside.
Chapter 7: Configuring VPN objects
, explains VPN Objects as the method for linking VSUs,
remote terminals, and LAN terminals in a fully configured VPN.
Chapter 8: Establishing security
, describes the levels of Firewall policy management and De nial of Service available, how to configure t he security gateway for Voice over IP and how to create and map Quality of Service (Qos) rules.
Chapter 9: Using advanced features
, describes about using certificat es, configuring the
Directory Server, resilient tunnels, and high availability groups.
Chapter 10: Monitoring your network
, describes the monitoring and reporting features of the VPNmanager software. This includes SNMP, Syslog Services, Reports, and Alarms. These features allow virtual real-time monitoring of the VPN performance and specific security gateways.
Chapter 11: Device management,
describes how to optimize the VPNmanager, check
connectivity, reset the device time, reboot, resetup a secur ity gateway and how to import a VPN.
Chapter 12: Upgrading firmware and licenses
, describes how to use the automatic upgrade feature to upgrade the firmware for a secur it y gateway or for a group of secruity gateways, and how to add new licenses to your security gateway.
Appendix A: Using SSL with Directory Server
, describes the benefit of using secure socke t layer
(SSL) with the Directory Server.
Appendix B: Firewall rules template
, describes the predefined firewall templates that are
included in the VPNmanager.
18 Avaya VPNmanager Configuration Guide Release 3.7

Contacting Technical Support

Technical Support is available to support contract holders of Avaya VPN products. Domestic support
Toll free telephone support: (866) 462-8292 (24x7)
Email: vpnsupport@avaya.com
Web: http://www.support.avaya.com
International Support
For regional support telephone numbers, go to http:www.avayanetwork.com/site/GSO/
default.htm
Contacting Technical Support
Issue 4 May 2005 19
Preface
20 Avaya VPNmanager Configuration Guide Release 3.7

Chapter 1: Overview of implementation

Note:
Note:
Planning how your virtual private network should be configured is critical to the successful deployment of a secure virtual private network.This chapter provides an overview of the major features that you will configure.
Note: This chapter does not explai n how to set up a VPN or how to dete rmine what type
of security policies are required. You should understand about networking, establishing firewall policies, and VPNs before implementing a VPN using VPNmanager.

Components of the Avaya security solution

The Avaya security solution cons ists of the following:
Avaya VPNmanager™
Avaya™ SG security gateways and VPN Service Units (VSU)
Note: Beginning with VPNmanager 3.4, this configuration guide uses “security
gateway” to refer to both the security gateway and the VSU. The VPNmanager application uses the word “Device” to refer to both of these components.
Avaya VPNremote™ Client

Security gateways

The security gateways are desi gned to provide fi rewall coverage and VPN gateway functionali ty for enterprises migrating towards conver ged network environments. The security gateway performs cryptography, authentication, and filtering tasks at the boundary of the VPN.
After the security gateway is installed and configured, the secu rity gateway is transparent to users who are logged into the VPN.
Issue 4 May 2005 21
Overview of implementation

VPNremote Client software

VPNremote Client software is a communicati ons application t hat runs on remot e computers that use dialup, DSL and cable connection supplied by Internet Service Providers (ISP), to connect to the corporate VPN. When communicating with a VPN, the software seamlessly performs authentication and cryptography tasks. To install and use the software, an account with an ISP must first be created.
The software is install ed on the remote user’s computer and then Client Configuration Download (CCD) can be used to configure the remote user’s Dyna-Policy™ for authentication to a specific VPN.
When remote users log in, they connect to the ISP and type in their user authe ntication information, if asked. Upon authent ication, an y traf fi c that use s the VPN is safel y encrypted as it is transported through the public networks.

VPNmanager software

VPNmanager software lets network managers define, configure, manage VPN and firewall policies, upgrade firmware, and manage remote user access policies from a central location.
The VPNmanager software combines two components, the VPNmanager Console and the policy server.
The VPNmanager console is a client that is used for configuring, managing, and
monitoring one or more VPNs. The consol e is a Java app licatio n that can be r un anywhere and is used as a front-end to the policy server and the directory server.
The policy server distri butes configurati on and security policies. The VPNmanager console
is a client that communicates with the policy server to retrieve security policies. The policy server then communicates with the directory server.
The VPNmanager Console and the directory server can reside on separate, dedicated servers within the network to provide better performance for updating and configuring large numbers of security gateways. You can use either an existing Sun One Server or Microsoft Active Directory Server to store the policies that are created.
VPNmanager software consists of different versions to meet the needs of various networks.
VPNmanager Small Office. Use the small office version for managing up to fi ve security
gateways and unlimited VPNremote Clients.
VPNmanager Enterprise. Use the VPNmanager Enterprise version for managing an
unlimited number of devices and VPNremote Clients.
VPNmanager Service Provider. Use this version to manage an unlimited number of
devices and VPNremote Clients. The Service Provider also supports multiple VPN domains, which meets the needs of ISPs.
22 Avaya VPNmanager Configuration Guide Release 3.7

Overview of the VPN management hierarchy

VPNmanager Enterprise Client. Use the Enterprise Client version for managing an
unlimited number of security gateways and VPNremote Clients.
VPNmanager Service Provider Client. Use the Service Provider Client version to
manage an unlimited number of security gateways and VPNremote Clients. The Service Provider also supports multiple VPN domains.
Overview of the VPN management hierarchy
With the VPNmanager software, you can configure and manage VPNs and firewalls from a central location. By focusing on secur ity policy instead of individual device management, administration of large-scale networks is simplified. Central management allows you to make configuration updates automatica lly to al l af f ecte d security gateways. This dist ribut ed approach also applies to firewall management.
The VPNmanager software is built on a policy-based architecture that allows the administrator to start at a high-lev el with a VPN domain, then move down t he hierarchy to create user gr oups, IP groups for protected resources, and security groups that define membe rship and policies of the VPN.
Figure 1: Domain hierarchy
At the peak of the hierarchy is the VPN domain. A domain is as sig ned a name to ident ify i t from other domains. Usually one domain is configured fo r an entire or ganizat ion. A domain is bui lt of one or more VPNs.
Each VPN is built of users, user groups and IP groups. VPNs are assigned names. These names can associate the VPN to a regional location or purpose.
Users are the individual remote ac cess user s who log in to the VPN thr ough a securit y gateway. The VPNremote Client software is used to connect to the VPN services.
A User Group contains or organizes user accounts. These accounts are assigned to remote VPN members who dial in to the network and run VPNremote Client software to access the VPN.
Issue 4 May 2005 23
Overview of implementation
An IP Group contains the IP addresses that belong to a specif ic LAN. Any device connected to the LAN can use these addresses. A VPN can have many IP Groups so addresses can be consolidated to meet the needs of an organization.
The security gateway is configured to provide VPN gateway functionally and firewall coverage. VPNmanager security management includes creating domain-level firewall rules and
device-level firewall rules. VPNmanager provides multiple firewall templates that can be used as a general rule set or as a starting point for creating a customized firewall template. You can apply these templates at the domain level for al l security gateways, for a specific security gateway (device-level), or for a defined device group.

Preparing to configure your network

Before you use VPNmanager to build your VPN and establish your VPN security policies, you need to know how the VPN should be implemented. This section gives a overview of what information you should know before you begin.
The following are functions or tasks that need to be addressed:
How the security gateway will be configured for your network
Which remote users will be configured on a security gateway
What IP addresses to configure and group
What type of security policies you want to implement
What VPN services to use
What advanced features, such as VoIP, Failover, or SNMP will be implemented

Security gateway

The security gateway is preconfigured with default settings for the media interface zones and Network Address Tr anslation (NAT). You may need to change default configuration for your specific network environment.
Up to six media interfaces can be configured with different zone interfaces. The number of zones that can be configured depends on the security gateway model (Table 1 Ethernet1 are present in all models and are assigned to the public and the private zones. The media interfaces that remain are unused and can be configu red as required.
). Ethernet0 and
Public zone. Public zone provides connection to the Internet, usually by way of a wide
area network (WAN).
Private zone. Private zone is used to provide connection to your private local area
network (LAN) or to your corporate LAN.
24 Avaya VPNmanager Configuration Guide Release 3.7
Preparing to configure your network
Public-backup zone. Public-backup zone is the backup interface to the primary public
interface for use when Failover is configured.
Semiprivate zone. Semiprivate zone is used for media such as wireless LAN, where the
network is considered part of the protected network, but the media may be vulnerable to attack. The semi-private zone provides the additional security measure of IPSec encryption to prevent compromise to the network, for example, VPN over wireless protection.
DMZ zone. DMZ (Demilitarized zone) is used for an area in the company network that
needs to be accessible from the public networks, for example, email, FTP, and Web servers, but the area is not considered p art of the internal private network. Serv ers in the DMZ typically have publicly rout able IP addres ses or shou ld use adva nced NAT within the security gateway.
Management zone. Management zone is used to simplify network deployments, to
eliminate enterprise network dependencies on switches or routers. The management network interface is usually used as an access poi nt for a dedicated VPNmanager management station or as a dedicated interfac e for dumping log messages to a syslog server.
Table 1: Network zones
Media type SG5 and SG5X SG200 SG203 SG208
Ethernet0 Public Public Private Private Ethernet1 Private Private Public Public Ethernet2 NA
Ethernet3 to
NA NA
Unused
Public backup
Private
Semiprivate
DMZ
Management
Unused
Unused
Public backup
Private
Semiprivate
DMZ
Management
Unused
Ethernet5
Public backup
Private
Semiprivate
DMZ
Management
Public backup
Private
Semiprivate
DMZ
Management
Issue 4 May 2005 25
Overview of implementation
St atic Routes
Static routes are specified when more than one router exists on a network to which the security gateway must forward either VPN traffic or non-VPN tr affic. You can build a static route table with up to 32 network address/mask pair s.

IP groups

Data Terminal Equipment (DTE); such as computers, print ers, and network server s, are devices that can be members of a VPN. To make these devices members, you create IP Group s. An IP Group is composed of a set of hosts (workstati ons and servers) that are located behind a common security gateway. The hosts are defined by their IP address and mask. VPNs are made up of IP groups at multiple locations linked across a public IP network (Internet). Assigning workstations and servers to different IP groups offers a powerful way to limit VPN traffic to specifically designated users.

Remote users and user groups

VPNremote Client users who log in to the VPN through the security gateway must have their user authentication configured on that security gateway.
If RADIUS is not used, you must configure the user name and the password for each remote user . With RADIUS, you can configure a remote user as a default user. When a remote user is configured as a default user, the user password is not required to log in. The user is authenticated by a third-party authentication server, such as RADIUS.
You can also change the default Internet Key Exchange (IKE) identity, the split tunneling option and the security option.
You can configure User Groups to setup and maintain logical groups of users.
VPN
A VPN object is the method used to link security gateways, remote terminals, and LAN terminals in a fully configured virtual private network. Creating a VPN involves naming each VPN, adding users and user groups, and adjusting the IKE and IPSec security protocols for VPN traffic.
26 Avaya VPNmanager Configuration Guide Release 3.7

Security policies

Note:
VPNmanager security policy management provides the following security features that can be configured:
Firewall rules
Denial of Service (DoS) categories
Quality of Service (QoS) rules
Bandwidth management
In addition, encryption security options include Internet Key Exchange (IKE) with IPSecuirty protocol (IPSec). It applies globally to the VPN.
Firewall policies
VPNmanager firewall policy management includes domain firewall rules, device firewall rules, and firewall templates . The VPNmanager software provi des multiple firewall templates that can be used as a general rule set or as a starting point for creating a customized firewall template. You can apply these templates at the domain level for all security gateways, for a specific gateway, or for a defined group. The integrated SMLI (Stateful Multi-Layer Inspection) Firewall supports firewall rules criteria based on the following:
Preparing to configure your network
Source/Destination IP address or range
TCP/UDP/ICMP protocol
Port or port ranges
IP protocol
Interface
Direction
A set of common network services is provided, and custom network services or objects can be easily defined for use in both firewall and QoS policies. Firewall rules can be individually enabled to track state i nformation on TCP/UDP/ICMP packet flows and can be us er-configured with advanced state timers. Logi n can also be enabl ed for each rule.
Note: Domain level rules and firewall templates are available for VPNos release 4.2
and later.
Denial of Service
The following Denial of Service (DOS) categories are enabled to protect the security gateway from attack by hackers.
Issue 4 May 2005 27
Overview of implementation
Ping of Death. - The ping of death sends packets with invalid lengths. When the receiving
system attempts to rebuil d the packets, the system crashes because the packet length exhausts the available memory.
IP Spoofing. - This attack sends an IP p acket with an invalid IP addres s. If the system accepts this IP address, the attacker appears to reside on the private side of the security gateway. The attacker is actually on the public side, and bypasses the firewall rules of the private side.
Smurf Attack. - This attack floods the system with broadcast IP packet pings. If the flood is large enough and long enough, the attacked host is unable to receive or distinguish real traffic.
Tear Drop. - This attack sends IP fragments to the system that the receiving system cannot reassemble and the system can crash.
Flood Attack. - This attack floods the system with TCP connecti on requests, which exhausts the memory and the processing resources of the firewall. Flood attacks also attack the UDP ports. This attack attempts to flood the network by exhausting the available network bandwidth.
WinNuke Attack. - This attack attempts to completel y disable networking on computers that are running Windows 95 or Windows NT. This attack can be swift and crippling because it uses common Microsoft NetBIOS services.
QoS

VoIP

Buffer Overflow. - This attack overflows the internal buf fers o f the a ppli cati on by sendi ng mor e
traffic than the buffers can process.
Quality of Service (QoS) allows you to classify and prioritize traffic based on DHCP values and TCP/IP services and networks. The bandwidt h available to a class of traffic can be allotted to a specific percentage of the total upstream bandwidth. Confi guring QoS allows VoIP traffic to receive a higher priority. If QoS is disabled, all traffic receives the same priority.
The security gateway can be configured to protect and enable the communication of VoIP telephones either within a VPN or firewall. The security gateway can be configured to secure Avaya Multivantage™ and IP Office™ VoIP solutions as follows:
Secure site-to-site voice trunks such as between headquarters and branch offices or
between main offices and home offices using VPNs.
Secure VoIP servers or endpoints (IP telephones) by providing perimeter security using
the V oIP aware firewall fi ltering that is able t o dynamically open and clos e all port s required to pass VoIP communication between servers and endpoints
28 Avaya VPNmanager Configuration Guide Release 3.7
Allow voice-secure communication wit h Avaya’s IP Softphone and IP Office Phone
Manager Pro using VPNremote Client
Enable NAT traversal of H.323 VoIP traffic
Optimize bandwidth for VoIP traffic using the security gateway’s Quality of Service (QoS)
policies
In order to successfully use VoIP it is important to thoroughly plan the implementation of the feature. Avaya suggests that you read the Avaya IP Telephony Implementation Guide before implementing VoIP.

Additional features

The following is a list of some of features that can be configured depending on your VPN networking requirements.
NAT
Preparing to configure your network
Network Address Tr anslation (NAT) is an Internet standard that allows private (nonrout able) networks to connect to public (routable) networks. To connect private networks and public networks, address mapping is performed on a security gateway that i s located between the private network and the public network.
You can set up three types of NAT mapping on the security gateway:
By default, NAT is enabled and the Share public address to reach the Internet feature is selected. NAT affects only clear traffic.
SNMP
The VPNmanager uses the SNMP protocol to monitor the security gateway. The security gateway includes a SNMP agent that supports MIB-II and a proprietary MIB. This agent is read-only and cannot be used to configure the security gateway. The agent can send traps to a list of trap agents that you configure. SNMPv1, SNMPv2c, or VNMPv3 can be selected.
Static NAT. With static NAT, addresses from one network are permanently mapped to
addresses on another network.
Port NAT. With port NA T, addresses from internal, nonroutable networks are t ransl ated to
one routable address in Port NAT.
Port Redirection. With port redirection, addresses from a specific IP address and a
specific port are redirected to another IP address and port.
Issue 4 May 2005 29
Overview of implementation
Syslog
The security gateway has a syslog messaging facility for logging system error messages. The message can be automatically sent to a destination running a Syslog server.
Client IP address pooling
Access control devices (ACD), such as firewal ls, guard networks from unauthorized users. Analyzing source addresses is one method ACDs use to decide which packets can enter a network. The addresses that ISPs dynamically assign to VPNremote Client users is naturally blocked because it is i mpossibl e to k now ahe ad of ti me whi ch addr ess is ass igne d. You need to configure the VPNremote Cli ent IP add ress po ols f eature with th e source IP addres ses that can be recognized by an ACD so that user access is not blocked.
SSL for Directory Server
As an added benefit, all communications with the direc tory server can be secured by SSL (Secure Sockets Layer).
You can configure your VPN to run SSL at any time. However it is recommended that you configure SSL before you put the VPN into service, so that the VPN services do not have to be stopped.

Sequence to configure your VPN

The suggested order to set up your VPN is as follows. Refer to the chapters in this VPNmanager Administrator’s Guide for details about how to create and configure these features.
1. Create a VPN domain
2. Create the VPN
3. Create a security gateway
4. Configure needed static routes on the gateway
5. Create IP groups
6. Associate IP groups with the security gat eway
7. Associate IP groups with the VPN
8. Create new users
9. Associate users with VPNs
10. Create a VPNremote Client address pool on the gateway
30 Avaya VPNmanager Configuration Guide Release 3.7
Loading...
+ 296 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use