HP VPN Server Appliance SA3110/SA3150/SA3400/SA3450 Installation Guide

Hewlett-Packard Company
HP: 5971-0872
P/N: A52437-001
March 2001

Disclaimer

Information in this document is provided in connection with Hewlett-Packard Company products. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted by this document. Except as provided in Hewlett-Packard Company’s Terms and Conditions of Sale for such products, Hewlett-Packard Company assumes no liability whatsoever, and Hewlett-Packard Company disclaims any express or implied warranty, relating to sale and/or use of Hewlett-Packard Company products including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any patent, copyright or other intellectual property right. Hewlett-Packard Company products are not intended for use in medical, life saving, or life sustaining applications.
Hewlett-Packard Company may make changes to specifications and product descriptions at any time, without notice.
This Hewlett-Packard VPN Server Appliance SA3110/SA3150/SA3400/SA3450 Installation Guide, as well as the software described in it, is furnished under license and may only be used or copied in accordance with the terms of the license. The information in this manual is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Hewlett-Packard Company. Hewlett-Packard Company assumes no responsibility or liability for any errors or inaccuracies that may appear in this document or any software that may be provided in association with this document.
Except as permitted by such license, no part of this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means without the express written consent of Hewlett-Packard Company.
Copyright © Hewlett-Packard Company 2001.

Statement of Compliance for the HP VPN Server Appliance SA3110

This product follows the provisions of the European Directive 1999/5/EC.

Contents

Disclaimer
Statement of Compliance for the HP VPN Server Appliance SA3110

Getting Started
  Getting Started
  Required Components of a VPN Device

Before You Install
  Hardware and Software Requirements
  Installation Overview
  Installation Preparation Checklist

Performing the Initial Hardware Setup
  Performing the Initial Hardware Setup
  Preparing to Configure a New VPN Device
  Setting Up a Basic Routing Mode Configuration on a New Device
  Using Bridge Mode With the VPN Device
  Connecting the Device to the Network
  Configuring Syslog for Troubleshooting

Installing HP SA3000 Series VPN Manager
  Overview to Installing HP SA3000 Series VPN Manager
  Installing VPN Manager
  Adding a VPN Device With VPN Manager
  Saving New Device Information to a Configuration File

Installing HP SA3000 Series VPN Client
  Overview to Installing HP SA3000 Series VPN Client
  Installing VPN Client
  Configuring the VPN Client for a Basic Tunnel

Supplementary Procedures
  Supplementary Procedures
  Installing or Replacing the X.21 or V.35 Serial Card in the VPN Device
  Using the Copy Command (TFTP)
  Capturing a Terminal Emulation Session as Text
  Viewing a Terminal Emulation Session
  Deleting the Current VPN Device Configuration
  Restoring the VPN Device Configuration
  Viewing the IP Configuration
  Using Telnet

Appendix — Network Infrastructure Checklists
  Appendix — Network Infrastructure Checklists
  Router Checklists
  Firewall Checklists
  Using An Existing Firewall
  Internal Network Checklists
  Authentication Checklists
  Port Combinations Table

Index

1 Getting Started

Purpose

The purpose of this Installation Guide is to provide you with installation instructions for Release 6.8.2 of the HP VPN Server Appliance SA3110/SA3150/SA3400/SA3450. The term VPN device is used in this document to refer to all of these devices.

Overview

This manual contains six chapters and one appendix that tell you:
System hardware and software requirements for your VPN device
The function of each required component of your VPN device
Installation instructions for each of the components of the VPN device
Upgrade instructions for your VPN device
Supplementary procedures for the VPN device

Chapter and Appendix Contents

The following list describes the contents and purpose of each chapter, and the appendix.

1. Getting Started
This chapter gives an overview of the structure of this manual and explains the function of each installation component.

2. Before You Install
This chapter lists the system hardware and software requirements for installing the VPN device and gives an overview of installation prerequisites and steps.

3. Performing the Initial Hardware Setup
This chapter tells you how to perform the initial hardware setup, connect your VPN device to the network, and set up a basic routing mode or bridge mode configuration on a new VPN device.

4. Installing HP SA3000 Series VPN Manager
This chapter tells you how to install the VPN Manager software on your PC, create a device list with entries for your VPN device, add your VPN device (meaning that the VPN Manager software "sees" the device, and knows it is accessible), and save your VPN device list and configuration information to a file.

5. Installing HP SA3000 Series VPN Client
This chapter tells you how to install the VPN Client software on your PC.

6. Supplementary Procedures
This chapter gives instructions for the following procedures:
Installing or Replacing the X.21 or V.35 Serial Card in the VPN device
Using the copy command
Capturing a terminal emulation session as text
Viewing a terminal emulation session
Deleting the current VPN device configuration
Reconfiguring the VPN device
Viewing the IP configuration
Using Telnet

7. Appendix — Network Infrastructure Checklists
This appendix provides checklist tables to complete, to help you gather all your network information together, before you install your VPN device.

Required Components of a VPN Device

There are three primary required components for a new VPN device:
VPN device
VPN Manager
VPN Client
This section explains the functions of each of these three primary components.

Functions of the VPN Device

The VPN device is a hardware/software security system that processes data packets as they pass between the public side and the private side of a network.
The device can be added to your network as the primary firewall, work in conjunction with an existing firewall, function as a bridge, or work in conjunction with routers. More than one VPN device can be used together for load balancing and redundancy for VPN Client connections.
The VPN device performs three major functions:
At the communications level, the VPN device can act either as an IP router or as an IP bridge; that is, it operates at layer 3, not layer 2.
As a packet encryptor, the VPN device can selectively encrypt and decrypt data based on source and destination addresses and ports. This provides the flexibility of sending both encrypted and clear data using the same infrastructure, without compromising your centrally managed security policy.
As a firewall, the VPN device can be used as a packet filter and a stateful inspection proxy. The VPN device goes further than traditional firewalls, however, by adding authentication to the creation of tunnels, which allows the creation of truly secure virtual private networks for VPN tunnels that terminate outside the firewall.

Functions of VPN Manager

VPN Manager is a graphical tool, based in any Win32 operating system, including Windows 9x, Windows NT, or Windows 2000, that lets you configure the VPN device. It enables administrators to centrally manage multiple VPN devices across multiple sites within a network.
VPN Manager also works with the external authentication servers that define and grant access to VPN Client users.

Functions of VPN Client

VPN Client is a software-based package that allows for encryption in cooperation with the Windows 95, Windows 98, Windows 2000, or Windows NT TCP/IP stack. This configuration permits true virtual private networking and allows you to form encrypted tunnels to other VPN device series products. This provides desktop-to-gateway security within a local area network or across any wide area network.
Because all HP VPN products operate at the network layer, the VPN Client is completely transparent to users and works with most applications. Users can dial in to any Internet service provider (ISP) and use the VPN Client to create a secure channel back to your network, which eliminates the need for expensive dial-in equipment and toll-charges.
The VPN Client allows you to create and configure tunnels through which encrypted data can travel safely without risk of tampering. After connecting to your local ISP or company LAN, only the IP traffic that the VPN Client is configured to process passes down the tunnel to the opposing VPN device. All other IP activities, such as Web browsing, cannot pass down the tunnel unless the VPN Client determines otherwise.

2 Before You Install

Hardware and Software Requirements

This section lists the system hardware and software requirements for installing each of the following:
VPN device
HP SA3000 Series VPN Manager, Release 6.8.2
HP SA3000 Series VPN Client, Release 6.8.2

VPN Manager Requirements

The hardware and software requirements for VPN Manager Release 6.8.2 include:
PC or PC-compatible desktop computer
Windows 95 (B) or OSR2, Windows 98, Windows NT 4.0, or Windows 2000 (Workstation or Server version with Service Pack 4, minimum, for year-2000 capability) running on:
— Intel Pentium® 100 MHz (minimum) processor performance level or better
— At least 5 MB of free disk space
— At least 32 MB of RAM
— Support for Winsock 2.0

VPN Client Requirements

The hardware and software requirements for HP SA3000 Series VPN Client Release 6.8.2 include:
PC or PC-compatible desktop computer
Windows 95 (B) or OSR2 or Windows 98 running on:
— Intel Pentium 90 MHz (minimum) processor or better
— At least 5 MB of free disk space
— At least 32 MB of RAM
— Dial-Up Networking Release 1.3 or later
— Support for Winsock 2.0 (required for protocol 99 and IPSec features)
Windows NT 4.0 (Service Pack 4 or later) running on:
— Intel Pentium 90 MHz (minimum) processor or better
— At least 5 MB of free disk space
— At least 32 MB of RAM
Windows 2000 Professional running on:
— Intel Pentium 133 MHz (minimum) processor or better
— 2 GB hard drive with 650 MB minimum free disk space
— 64 MB minimum RAM

Installation Overview

The following flowchart provides an overview of the installation process for your VPN device:
1. Complete preinstallation requirements. Refer to the Installation Preparation Checklist in Chapter 2.
2. Perform the initial hardware setup. Refer to Chapter 3.
3. Set up a basic routing mode configuration and connect the device to the network. Refer to Chapter 3.
4. Install and configure the VPN Manager software. Refer to Chapter 4.
5. Install and configure the VPN Client software. Refer to Chapter 5.

Related Info: Installation Preparation Checklist (page 2-4)

Installation Preparation Checklist

Before you install the VPN device, complete the following tasks:

___Map out your current network topology, and determine IP addresses and default gateways. Having the IP address scheme already decided helps you configure the unit.
Refer to the Appendix, "Network Infrastructure Checklists," for checklists to complete on your network’s infrastructure. The checklists can help you gather the network information you need to complete the VPN device installation.
The VPN devices can be integrated into your existing network in a variety of configurations. However, when these devices are added to an existing network, 80 percent of network administrators use one of the following configurations:
One-Armed Router Configuration
In-Line Router Configuration
In-Parallel Configuration
For more complete information on these configurations, see the Network Layout Reference Guide.

___Before you perform the initial hardware setup, you must have the following information and terminal emulation program available:
Serial communication port number on your computer to which the console cable is connected and the IP address of the device
IP and subnet mask addresses for the two Ethernet interfaces
Default gateway IP address for the device
Terminal emulation program such as HyperTerminal to communicate with a VPN device when the device is in a factory-default state

___If the VPN device is behind your firewall, provide UDP 2233, for IPSec, or protocol 99, for access to the device from the Internet and, if you use certificate authentication, provide UDP 10027 for the X.509 certificate authority through your firewall. For information on how to configure your firewall, please contact the manufacturer.

___If you use a different subnet when creating site-to-site tunnels, make the proper routing changes for your organization. For example, if your internal network is 10.0.0.0 and you assign an incoming address from 192.168.x.x, all internal routers must be configured to send all 192.168.0.0 traffic to the VPN device.
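
The addressing items in this checklist can be checked for consistency before they are typed into the setup script. The following sketch is an added example, not part of the HP guide or its software. It assumes that in routing mode E0 and E1 are on different subnets, that the default gateway is on the subnet of one of the two interfaces, and that internal routers use the E0 address as next hop; the function name, the sample addresses and the /8 and /16 masks are constructed for illustration.

```python
import ipaddress


def _host_problem(label, iface):
    """Return a finding if the address is the network or broadcast address."""
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        return f"{label}: {iface.ip} is the network or broadcast address of {net}"
    return None


def check_plan(e0, e1, gateway, internal_nets, tunnel_pool=None):
    """Validate a routing-mode address plan before typing it into the setup script.

    e0, e1        -- "address/mask" for the red (private) and black (public) interfaces
    gateway       -- default gateway IP address
    internal_nets -- networks already routed inside the organization
    tunnel_pool   -- optional subnet assigned to incoming site-to-site tunnel traffic
    Returns (findings, routes): problems found, and static routes that internal
    routers need so tunnel traffic is sent to the VPN device.
    """
    findings, routes = [], []
    red = ipaddress.ip_interface(e0)      # accepts 10.0.0.1/255.0.0.0 or 10.0.0.1/8
    black = ipaddress.ip_interface(e1)
    gw = ipaddress.ip_address(gateway)

    for label, iface in (("E0 (red)", red), ("E1 (black)", black)):
        problem = _host_problem(label, iface)
        if problem:
            findings.append(problem)

    # Assumption: in routing mode the two interfaces sit on different subnets.
    if red.network.overlaps(black.network):
        findings.append(f"E0 {red.network} and E1 {black.network} overlap")

    # A default gateway has to be directly reachable from one of the interfaces.
    if gw in (red.ip, black.ip):
        findings.append(f"default gateway {gw} is the device's own address")
    elif gw not in red.network and gw not in black.network:
        findings.append(f"default gateway {gw} is not on the E0 or E1 subnet")

    if tunnel_pool is not None:
        pool = ipaddress.ip_network(tunnel_pool)
        used = [ipaddress.ip_network(n) for n in internal_nets]
        used += [red.network, black.network]
        clashes = [n for n in dict.fromkeys(used) if pool.overlaps(n)]
        for net in clashes:
            findings.append(f"tunnel subnet {pool} overlaps {net}")
        if not clashes:
            # Internal routers need a static route to the tunnel subnet.
            # Assumption: they reach the device through its E0 (red) address.
            routes.append(f"{pool} via {red.ip}")
    return findings, routes


# Constructed sample plans; 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges.
GOOD_PLAN = dict(e0="10.0.0.1/255.0.0.0", e1="203.0.113.2/255.255.255.0",
                 gateway="203.0.113.1", internal_nets=["10.0.0.0/8"],
                 tunnel_pool="192.168.0.0/16")
BAD_PLAN = dict(e0="10.0.0.1/255.0.0.0", e1="10.1.0.1/255.255.0.0",
                gateway="192.0.2.1", internal_nets=["10.0.0.0/8"],
                tunnel_pool="10.2.0.0/16")

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        findings, routes = check_plan(**plan)
        print(name, "plan")
        for f in findings:
            print("  PROBLEM:", f)
        for r in routes:
            print("  static route on internal routers:", r)
```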

3 Performing the Initial Hardware Setup

In this chapter, you complete the following tasks:
1. Physically connect the supplied DB-9 cable to your VPN device and your PC.
2. Check power supply voltage setting.
3. Turn on the VPN device.
4. Create a console window with your terminal emulation program.
5. Establish an initial session between your PC and your VPN device.
6. Run your setup script.
7. Configure Syslog for troubleshooting.
8. Connect your device to the network.

Next Step: Preparing to Configure a New VPN Device (page 3-2)

Preparing to Configure a New VPN Device

A set of keys is packed in the shipping container. These are universal keys that fit any HP VPN device. Keep the keys in a safe place. It is not necessary to lock the device.
In preparation for configuring your new VPN device, you must complete the following tasks:
1. Insert the flash card into the device.
2. Connect the supplied DB-9 cable to your device.
3. Set power supply voltage.
4. Turn on the device.
5. Create a console window with your terminal emulation program.
When the VPN device is in a factory-default state, the only way to communicate with it is through the console cable. You run the console cable between the serial port on the device and the serial port on the computer on which you want to have the console window.
After you make the physical connection, you open a console window so you can run the setup script to configure the new device.

Inserting the Flash Card

Packed inside the shipping container is a flash card. To insert the flash card into the VPN device:
1. Unwrap the flash card.
2. Open the front panel of the device by twisting the lock mechanism clockwise.
The front panel drops down.
3. Insert the flash card vertically in the flash card receptacle.
4. Close the front panel.
5. Secure the front panel by twisting the lock mechanism counterclockwise.

Connecting the Cable and Powering On the Device

To connect the cable and turn on the device:
1. Connect the supplied DB-9 console cable to the console port of the VPN device and to the COM port on your PC. Make a note of the communication port number on your PC.
2. Ensure that the voltage switch is set to the proper voltage used in your environment.
3. Plug in the power cable.
4. Turn on the VPN device by setting the power switch to the 1 (one) position.

Creating a Console Window

To create a Console window:
1. In the Start menu:
For NT systems, select Programs, then Accessories, then HyperTerminal.
For Windows 98 systems, select Programs, then Accessories, then Communications, then HyperTerminal.
The HyperTerminal window appears.
2. In the File menu, select New Connection. The Connection Description window appears.
3. In the Name field, enter a name for the session. The Hewlett-Packard Company recommends that you call the session Console.
4. In the Icon list box, select an icon to represent the session on your desktop.
5. Click OK. The Phone Number window appears.
6. In the Connect drop-down menu, select Direct to ComN, where N is the number of the serial port to which you connected the console cable.
7. Click OK. The COMN Properties window appears.
8. In the Bits per second drop-down menu, select 9600.
9. In the Flow control drop-down menu, select None.
10. Click OK. You return to the terminal emulation program window, where the cursor is blinking in an otherwise blank white screen. You now have an active console session and can communicate from your computer to the device.

Next Step: Setting Up a Basic Routing Mode Configuration on a New Device (page 3-4)

Setting Up a Basic Routing Mode Configuration on a New Device

In this section, to set up a basic routing mode configuration, you complete the following tasks:
Establish an initial session between your PC and your VPN device.
Run your setup script.

Prerequisites

Before you set up a basic routing mode configuration you must have gathered the following information and completed the following tasks:
You must have created a console window before setting up the device. See the previous section, "Preparing to Configure a New VPN device."
You must know the IP address and subnet mask for the red Ethernet interface E0 and for the black Ethernet interface E1 and the IP address for the default gateway.
You want the device to be in normal mode before you start configuring it through the setup script. Allow the device 60 seconds to boot through safe mode into normal mode. After 60 seconds, enter the command enable.

Establishing an Initial Session

To set up the basic configuration of the VPN device, first establish a session between your PC and the device:
1. Ensure that the power switch on the device is in the 1 (one) position.
2. At your desktop, open the Console window. This window is empty.
3. To capture the session to a file, select Transfer, then select Capture Text.
4. In the File menu, select Save. The Save window appears.
5. In the Save in field, select the folder in which you want to keep the session file.
6. In the File name field, select the file name you want to give the session file.
7. Click Save.
You return to the HyperTerminal window.
8. Press Enter three times.
The license agreement appears in the Console window.
9. Press the space bar or press Enter to scroll through the license agreement.
10. To accept the license agreement terms, press Y.
This creates a file called license.txt that tells the operating system to forego displaying the license agreement the next time that the VPN device starts.
Next, a name-and-state prompt similar to this one appears on the screen:
hostname:SAFE>
11. Wait 60 seconds.
The device changes from safe mode to normal mode. The device must be in normal mode before you run the setup script for it.
12. At the name-and-state prompt, enter enable.
A password prompt appears on the screen.
13. At the password prompt, enter admin.
The default password from the factory is admin in all lowercase letters.
Note: Passwords are case sensitive.
Note: As you enter the password, a row of asterisks (*) appears.
When the VPN device accepts the password, the word Passed appears on the screen. Then the name-and-state prompt appears again:
hostname:NORMAL#
Running the
Running the
Running the Running the Setup Script
Setup Script
Setup ScriptSetup Script
Setting Up a Basic Ro uting Mode Configuration on a New Device
You run the setup script to configure your new VPN device.
Notes:
1. You cannot communicate with a device from VPN Manager until you run the setup script.
2. Do not run the setup script on a device that has already been configured.
3. Words shown in square brackets provide examples of the required information. They are not defaults.
4. Every time you run the setup script, you must complete each of the following steps 1-14.
To run the setup script:
1. To get into setup mode, at the name-and-state prompt, enter:
    setup
The prompt changes to the following:
    hostname (setup) #
Note: The word "setup" in parentheses means that you are in setup mode.
2. To set the host name of the device, at the prompt, enter the name you want to call the device. For example, if you want to call the device vpn1, enter vpn1 at the following prompt:
    Enter Hostname [hostname]:
Hostnames are case sensitive. The following message appears:
    Bridge Mode On (Y/N)
3. Enter N to disable bridge mode and set the device to routing mode.
4. At the prompt, enter the IP address for the red (private) Ethernet interface E0.
5. At the prompt, enter the subnet mask for the red (private) Ethernet interface E0.
6. At the prompt, enter the IP address for the black (public) Ethernet interface E1.
7. At the prompt, enter the subnet mask for the black (public) Ethernet interface E1.
8. At the prompt, enter the IP address for the default gateway. The default gateway is the gateway that provides a route to the Internet. The VPN Gateway does not support Routing Information Protocol (RIP) or any other form of dynamic routing table updates. All other routing information must be configured statically using the command shell (through the console window) or VPN Manager.
9. To set the Manager Password, enter:
    password
Note: Only the VPN Manager uses this password. It is not used for Telnet, nor is it the console password; it is used as an encryption key to encrypt communications between the VPN Manager and the device. The factory-default manager user name is admin.
Note: Passwords are case sensitive.
10. To set the time zone of the device, enter the time zone with respect to Greenwich Mean Time. For example, to set the time zone for Boston, enter:
    timezone est 5 edt
11. To set the VPN device’s clock, enter the year, month, day, hour (in 24-hour format), minute, and second. For example, to set the system clock to December 31, 2000, at 2:18 p.m., enter the following responses for year, month, day, hour, minute, and second:
    00 12 31 14 18 00
The device now asks you if you want to save the setup entries.
12. At the prompt, enter Y.
13. Test the interfaces using ping. At the prompt, enter ping and the full IP address of the E0 interface:
    ping 10.1.1.2 255.255.255.0
The device informs you of the success of the ping.
Note: The initial ping has a success rate of 80 percent as the device must use the Address Resolution Protocol (ARP) to resolve the physical address of the destination IP address.
14. At the prompt, enter ping and the full IP address of the E1 interface:
    ping 10.1.2.2 255.255.0
The device informs you of the success of the ping.
The setup script is now complete. The initial configuration is set on the new VPN device.
Next Step: Using Bridge Mode With the VPN Device
Using Bridge Mode With the VPN Device
The VPN device has two basic operating modes:
• router
• bridge
VPN devices are usually deployed as routers, which is the default configuration. In certain network topologies, however, it is advantageous to configure a VPN device in bridge mode. The difference between router and bridge mode is how the VPN device is assigned IP addresses and how the VPN device handles Address Resolution Protocol (ARP) requests that it picks up on the network.
Note: Switching from bridge mode to router mode or from router mode to bridge mode requires you to reboot the VPN device.
Router Mode Address Assignment
In router mode, each physical interface on the VPN device must be assigned an address from a different subnet. For example, Ethernet 0 could be assigned 192.168.1.1 and Ethernet 1 could be assigned 172.16.1.1.
Use the interface command when you assign addresses to a VPN device that operates in router mode. To assign the addresses from the command line, use the following format:
    hostname: NORMAL# config
    hostname [config]: NORMAL# interface e 0
    hostname [config] [int e 0]: NORMAL# ip address 192.168.1.1 255.255.255.0
    hostname [config] [int e 0]: NORMAL# interface e 1
    hostname [config] [int e 1]: NORMAL# ip address 172.16.1.1 255.255.255.0
    hostname [config] [int e 1]: NORMAL# end
    hostname: NORMAL# write
IP Bridge Mode Address Assignment
In IP bridge mode, all physical interfaces on the VPN device are assigned the same IP address. Use the bridge command when you assign an address to a VPN device that operates in bridge mode. To assign IP address 10.1.1.1 mask 255.255.255.0 from the command line, use the following format:
    hostname: NORMAL# config
    hostname [config]: NORMAL# bridge 10.1.1.1 255.255.255.0
    hostname [config]: NORMAL# end
    hostname: NORMAL# write
Configuring IP Bridge Mode
To configure IP bridge mode from VPN Manager, in the Configure Device window for the VPN device, on the Interfaces tab, select Bridge Mode in the Interface drop-down menu, and select the Enable Bridging Mode check box. Bridge mode command overrides the interface command.
To disable bridge mode from VPN Manager, in the Configure Devices window for the VPN device, on the Interfaces tab, clear the Enable Bridging Mode check box. The VPN device reverts to router mode, using the IP addresses assigned in the interface commands.
Note: Using the interface command to assign the same address to more than one physical interface on a VPN device causes severe network congestion on your network.
ARP Request Handling
When a VPN device picks up an ARP request packet on one of its interfaces, it handles the request in one of several ways, depending on the mode of operation.
As a router, the VPN device ARP responds under the following conditions:
1. The ARP request is for an address that has been assigned to an interface on the VPN device.
2. The ARP request is for an address that has been assigned to a remote user tunnel as a client IP.
In router mode, the VPN device does not retransmit broadcast traffic from one interface to another interface.
As a bridge, the VPN device ARP responds under the following conditions:
1. The ARP request is for an address that has been assigned to an interface on the VPN device.
2. The ARP request is for an address that has been assigned to a remote user tunnel as a client IP.
3. The ARP request is for an address that is currently in the VPN device’s ARP cache for an interface other than the interface where the ARP request was picked up.
4. If the ARP request is for an address that is not in the VPN device’s ARP cache for any of its interfaces, then the VPN device broadcasts a new ARP request out of all interfaces except for the interface where the original ARP request was picked up. If a device responds to the VPN device, the VPN device creates a new entry in its ARP cache and behaves as in condition 3 in the preceding paragraph.
Note: ARP requests and responses can become a significant percentage of your network traffic if the devices on your network are misconfigured.
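The router-mode and bridge-mode ARP rules above, together with the address-assignment rule for each mode, as a small Python model. This is an added example, not HP firmware or VPN Manager code: the class and method names are hypothetical, the addresses are constructed, and the silence for a host cached on the requesting interface is inferred from condition 3 rather than stated in the guide.

```python
"""ARP reply rules from the guide, modelled for router and bridge mode.

Added illustration, not HP firmware or VPN Manager code. Class, method and
field names are hypothetical; every address below is a constructed sample.
"""
from ipaddress import IPv4Address, IPv4Interface
from itertools import combinations
from typing import NamedTuple


class ArpDecision(NamedTuple):
    reply: bool            # the device answers the ARP request itself
    rebroadcast_on: tuple  # interfaces a new ARP request was sent out of
    rule: str              # which rule applied


class VpnDevice:
    def __init__(self, mode, interfaces, tunnel_client_ips=()):
        if mode not in ("router", "bridge"):
            raise ValueError("mode must be 'router' or 'bridge'")
        self.mode = mode
        self.ifaces = {n: IPv4Interface(a) for n, a in interfaces.items()}
        self.tunnel_ips = {IPv4Address(ip) for ip in tunnel_client_ips}
        self.arp_cache = {}  # learned host address -> interface it sits behind
        self._check_address_plan()

    def _check_address_plan(self):
        if self.mode == "router":
            # Router mode: every interface needs an address from a different subnet.
            for (n1, i1), (n2, i2) in combinations(self.ifaces.items(), 2):
                if i1.network.overlaps(i2.network):
                    raise ValueError(f"router mode: {n1} and {n2} share a subnet")
        elif len(set(self.ifaces.values())) != 1:
            # Bridge mode: one address and mask for all interfaces.
            raise ValueError("bridge mode: all interfaces take the same address")

    def handle_arp_request(self, target, in_iface, live_hosts=None):
        """Decide what to do with an ARP request for `target` seen on `in_iface`.

        `live_hosts` maps address -> interface and stands in for the hosts that
        would answer if the device re-broadcast the request (sample input only).
        """
        target = IPv4Address(target)
        hosts = {IPv4Address(ip): ifc for ip, ifc in (live_hosts or {}).items()}
        # Conditions 1 and 2 are the same in both modes.
        if any(target == i.ip for i in self.ifaces.values()):
            return ArpDecision(True, (), "1: address of a device interface")
        if target in self.tunnel_ips:
            return ArpDecision(True, (), "2: client IP of a remote user tunnel")
        if self.mode == "router":
            # A router answers nothing else and does not pass broadcasts on.
            return ArpDecision(False, (), "router: no reply, no rebroadcast")
        cached = self.arp_cache.get(target)
        if cached is not None:
            if cached != in_iface:
                return ArpDecision(True, (), "3: cached on another interface")
            # Inference from condition 3: the host is on the asking segment
            # and answers for itself, so the bridge stays silent.
            return ArpDecision(False, (), "cached on the requesting interface")
        # Condition 4: ask on every interface except the one the request came in on.
        out = tuple(n for n in self.ifaces if n != in_iface)
        found = hosts.get(target)
        if found in out:
            self.arp_cache[target] = found
            return ArpDecision(True, out, "4: learned by rebroadcast, then as 3")
        return ArpDecision(False, out, "4: rebroadcast, nobody answered")


if __name__ == "__main__":
    bridge = VpnDevice("bridge", {"e0": "10.1.1.1/24", "e1": "10.1.1.1/24"})
    hosts = {"10.1.1.20": "e1"}  # constructed: one host behind e1
    for ip, ifc in [("10.1.1.1", "e0"), ("10.1.1.20", "e0"),
                    ("10.1.1.20", "e0"), ("10.1.1.20", "e1"), ("10.1.1.99", "e0")]:
        print(ip, ifc, bridge.handle_arp_request(ip, ifc, hosts))
```

Each unknown address a bridge sees costs one extra broadcast per remaining interface, which is the traffic the note above refers to.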
When Bridge Mode Should Be Used
A VPN device should be configured as a bridge if you were going to connect two physically separate network segments that contain devices in the same logical subnet. This is often the case when the VPN device is going to be connected between an existing firewall and a corporate network (referred to as inline configuration in the Hewlett-Packard VPN Server Appliance SA3110/SA3150/SA3400/SA3450 Network Layout Reference Guide).
Note: The mode of operation of the VPN device does not affect the firewall or tunneling functionality of the VPN device. The physical interfaces of the VPN device can still be designated as black and red, and firewall rules can still be defined to allow or disallow IP traffic.
Next Step: Connecting the Device to the Network
Connecting the Device to the Network
In this section, you connect your VPN device to the network behind your firewall.
Steps
To connect the VPN device to the network:
1. Turn the device off before connecting network cables.
2. Connect the supplied Ethernet cables to the Ethernet interfaces.
3. Connect your Ethernet LAN cables to the shielded cables.
4. Turn the device on.
Once you have connected your VPN device to the network behind your firewall, configure the device using VPN Manager included on the CD-ROM. Follow the instructions in the next chapter, "Installing VPN Manager."
Next Step: Configuring Syslog for Troubleshooting
Configuring Syslog for Troubleshooting
Syslog is a utility you can activate through the console window or VPN Manager to help troubleshoot problems when running your VPN device.
This section explains how to use Syslog to view debugging messages.
Checking Syslog Level
Syslog’s levels of logging problems run from 0 (the factory default) to 7, with 0 being most basic (emergency messages only) and 7 being the most specific. You can select the level of debugging messages you want to use.
To check which level of specificity Syslog is set to on your device, enter show syslog at the console window prompt. One of the lines of text returned by factory-default-mode Syslog is:
    syslog priority all 0
To set Syslog to level 7, in the console window (or, through a Telnet session, see "Using Telnet" in Chapter 7):
1. At the VPN prompt, enter:
    config
2. At the VPN prompt, enter:
    syslog priority all 7
3. At the VPN prompt, enter:
    end
4. At the VPN prompt, enter:
    write
Activating or Deactivating Syslog Messages
To start displaying Syslog debugging messages, at the VPN shell enable prompt, enter:
    debug all
To stop displaying Syslog debugging messages, at the VPN shell enable prompt, enter:
    debug all delete
Syslog Online Help
For more extensive information on customizing your use of Syslog, consult the section in the VPN Manager online Help entitled "Configuring Syslog." Some examples of customized Syslog usage are:
• Setting Syslog to display tunnel messages by entering:
    syslog priority tunnel 7
• Setting Syslog to display certificate messages by entering:
    syslog priority certificate 7
Next Step: Installing VPN Manager
Chapter 4: Installing HP SA3000 Series VPN Manager
• Overview to Installing HP SA3000 Series VPN Manager
• Installing VPN Manager
• Adding a VPN Device With VPN Manager
• Saving New Device Information to a Configuration File
Overview to Installing HP SA3000 Series VPN Manager
In this chapter, you complete the following tasks:
1. Install the HP SA3000 Series VPN Manager software.
2. Add your VPN device (meaning that the VPN Manager "sees" the device and knows it is accessible).
3. Create a device list.
4. Save the device list.
5. Save your VPN device configuration information to a file.
Next Step: Installing VPN Manager
Installing VPN Manager
In this section, you install VPN Manager on your PC.
Steps
To install VPN Manager on your PC:
1. Place the VPN Manager CD-ROM into the CD-ROM drive bay. The VPN Manager CD-ROM menu appears.
Note: If the VPN Manager CD-ROM menu does not automatically appear, use your file browser to locate the installation files on the VPN Manager CD-ROM. Double-click the setup.exe program to begin the installation procedure.
2. In the VPN Manager CD-ROM menu, select Install VPN Manager.
The Installation Wizard begins.
3. To advance to the licensing information screens, click Next.
4. To continue the installation, click Yes. A window prompts you for your user information.
5. Enter your user name and company name, then click Next. The next installation window displays the default directory for the program files.
6. To accept the default directory, click Next. Setup adds an icon to the Program Folder.
7. To accept the Hewlett-Packard Company VPN folder name, click Next.
The software begins to install. Then a window asks you if you would like to have a shortcut created on your desktop.
8. To create a shortcut, click Yes.
9. To complete the installation, click Finish.
Files are stored in the default directory. You can modify the directory name during installation (refer to step 6 in the preceding list of steps). This directory contains the executable file and an encrypted binary file that stores the names and IP addresses of all the VPN devices on your network. Be sure to back up this file on a regular basis.
When you double-click the VPN Manager icon on your desktop, the VPN Manager application starts, and you are prompted for a password when opening the encrypted device list file.
Next Step: Adding a VPN Device With VPN Manager
Adding a VPN Device With VPN Manager
In this section, you add your VPN device, so that VPN Manager knows the device is accessible.
Steps
To add your device:
1. Open the VPN Manager software.
2. In the File Menu, select Add Device. The Add Device window appears.
3. Enter the IP address of the device.
Note: Because a VPN device can have many IP addresses, you must enter an IP address on the same local network as VPN Manager, that is, a reachable address.
4. In the Host Name field, enter the Host Name of the device. By default, VPN Manager reads the host name that you already configured on the device through the console window. If you do not want to change the host name, leave this field blank. If you do change the host name, click Commit to update the configuration.
5. In the Folder field, select the device list/network layout in which you want the device information to reside.
If you select All Devices, the device is placed in the All Devices folder.
Note: After you add a device, you can create a new device list/network layout folder by selecting Add Folder in the File menu.
6. In the User Name field, enter admin. This is the default user name from the setup script, and is required. Note that it is case sensitive.
Note: You can change the default user name by creating other Manager user names in the General tab.
7. In the Password field, enter password. This is the same administrator password that you set when you ran the setup script in the basic routing mode configuration. (See "Setting Up a Basic Routing Mode Configuration on a New Device" in Chapter 3 of this document.)
8. In the Reenter to confirm field, enter the password again.
9. Click Add. The VPN Manager now displays the device in the color red.
When the device appears in green, the device is in normal mode, and you can configure it.
10. Double-click the device to configure it. The Configure Device window appears, displaying tabs. If the device does not open, see Checking Setup in the online Help.
11. In the Device Details list box, select the device.
12. In the File menu, select Save As. The Save As window appears.
13. In the File name field, enter a name for the file. The VPN Manager attaches a .imn extension to the file name that you specify.
14. Click Save.
15. Click Add. You return to the VPN Manager main window.
16. In the Configure menu, select Login Password. The Set Login password appears.
17. In the New Password field, enter your Manager Password.
18. In the Reenter to confirm field, reenter your password.
19. Click Okay. You return to the VPN Manager main window.
Note: You must create a password for VPN Manager if the following message appears:
    This network layout has no password. Please enter one in the Configure Manager dialog box.
See "Adding a Device" in VPN Manager’s online Help.
Next Step: Saving New Device Information to a Configuration File
Saving New Device Information to a Configuration File
In this section, you save the configuration information you entered in the preceding section, "Adding a VPN Device With VPN Manager," to a file.
Steps
To save your configuration information to a file:
1. In the Configure menu, select Manager, then select Password.
The VPN Manager window appears.
2. Enter and reenter the password to confirm it.
Note: This password is for the device list only and is not related to the password you entered when you initially ran the Setup Script (Chapter 3, "Setting Up a Basic Routing Mode Configuration on a New Device").
It is also unrelated to the password you entered in the preceding section, "Adding a VPN Device With VPN Manager," when you created a .imn extension file.
For more complete information about the passwords used with your VPN device, see VPN Manager online Help, under "passwords: about passwords."
3. Click OK. You return to the VPN Manager main window.
4. In the File menu, select Save As. The Save As window appears.
5. Enter a file name.
6. Click Save. The file is available immediately for use.
Next Step: Overview to Installing HP SA3000 Series VPN Client
Chapter 5: Installing HP SA3000 Series VPN Client
• Overview to Installing HP SA3000 Series VPN Client
• Installing VPN Client
• Configuring the VPN Client for a Basic Tunnel
Overview to Installing HP SA3000 Series VPN Client
In this chapter, you complete the following tasks:
• Install the HP SA3000 Series VPN Client
• Configure the VPN Client software for a basic tunnel
Prerequisites
Using Windows 95 (Gold or A) Versions
Because Windows 95 Gold and Windows 95A use DUN 1.0, these releases do not support data transfer over tunnels established over PPP dial-up connections. Windows 95B (OSR2) or Windows 95C (OSR3) releases work successfully. To view your Windows 95 version, select System Properties.
If you use Windows 95 Gold or Windows 95A, follow these steps to upgrade to DUN 1.3 before you install the VPN Client:
1. Install the Windows 95 Dial-Up Networking (DUN) 1.3 upgrade. To obtain this upgrade, using your browser, go to URL http://support.microsoft.com/support/downloads/dp3267.asp. Click the upgrade file, msdun13.exe, then follow the instructions on your screen to download the file.
2. Install the upgrade, then reboot your PC.
Required Information
Installing and configuring the VPN Client software for the first time requires that you have account information from your network administrator.
Depending on how your network administrator has configured your network, only some of the following information may be required:
• User name
• Certificate name
• Certificate challenge phrase
• Certificate authority name
• Certificate authority IP address
• Peer host name
• Peer IP address
• Peer challenge phrase
• Target network IP address and subnet mask
• An account configured on a RADIUS server, if necessary
• An account configured with SecurID or SecureID Software Token’s ACE/Server, if necessary
• An account configured for Entrust, if necessary
Software Version Compatibility
The Hewlett-Packard Company strongly recommends that you use Release 6.8.2 of all VPN software.
Before installing the VPN Client, you may want to read some background information to become familiar with firewalls and encryption terminology that you are likely to encounter when using this product. Refer to the Hewlett-Packard Company Virtual Private Networking Concepts Guide, on the software CD-ROM.
Next Step: Installing VPN Client
Installing VPN Client
In this section, you install VPN Client on your PC.
Note: All network adapters to be secured using the VPN Client must have TCP/IP bound to them before installation.
Steps
To install VPN Client on your PC:
1. Quit all applications.
2. Place the CD-ROM into your computer’s CD-ROM drive.
3. In the Start menu, select Run.
4. In the Run window, select Browse and select your computer’s CD-ROM drive (for example, E:\ ).
5. Select setup.exe and click OK.
6. In the Run window, click OK.
7. Select Yes to accept the displayed License Agreement. The User Information Window appears.
8. Enter your name and the name of your company. Select Next to continue.
The Choose Destination Location window appears.
9. Enter the location where you want VPN Client to be installed or select Next to accept and use the default folder location.
The Select Program Folder window appears.
10. Enter the name you want to have appear under the desktop icon and in the program folders list, or select Next to accept and use the default name.
The User Configuration Disk pop-up window appears with the following question:
    Have you been provided with a User Configuration disk?
11. Unless your system administrator gave you a disk with the VPN Client configuration on it, select No.
12. In the Maximum number of WINS capable tunnels field, select the maximum number of concurrent Windows Internet Working Services (WINS) enabled tunnels you want the VPN Client to make available by accepting the default value of 2 or entering another number of tunnels you want.
The maximum number of tunnels is four.
13. Select Next to continue. The User Configuration Files window appears.
14. Specify the location where you want to save future User Configuration files. Click Browse to select an alternate location.
15. Select Next to continue. The VPN Client software is installed on your computer. After the VPN Client is installed, the following question appears:
    Do you want the VPN Client to start automatically every time Windows restarts (recommended)?
16. Select Yes to have the VPN Client start each time you reboot Windows or select No to have manual control over starting the VPN Client.
Note: You cannot undo this option once the VPN Client is installed. To undo this operation, you must reinstall the VPN Client. Reinstalling the VPN Client does not remove any configuration parameters you have saved to file.
You are asked whether you want a shortcut for the VPN Client placed on the desktop.
17. Select Yes to create a shortcut or select No to continue without creating a shortcut. Follow the directions in the window to complete the installation.
Note: You must restart your computer after you install the VPN Client. If you do not restart your computer, you cannot use the VPN Client as the virtual network interface card.
Next Step: Configuring the VPN Client Software for a Basic Tunnel
Configuring the VPN Client for a Basic Tunnel
In this section, you configure the VPN Client software for a basic tunnel.
Steps
To configure a basic tunnel:
1. In the Start menu, select Programs, then HP SA3000 VPN Software, then VPN Client.
The VPN Client Logon window appears. The first time you run VPN Client after installing it on your computer, you are prompted for a user name and password.
2. Enter your user name and password in the window that appears.
Note: The password is one that you make up, and is used only for the purpose of running the VPN Client the first time.
3. In the Tunnels menu, select New. The General Tab appears.
Note: Set up your authentication method now, unless you are using a SecurID or RADIUS authenticated security profile.
4. Enter the tunnel name. This name is a unique descriptor that you choose. For example, QA Lab Tunnel.
5. Enter a group name, if necessary. This group name is provided by your network administrator.
6. Select the adapter (Dial-up networking, Ethernet, and so on) that you want the tunnel to apply to.
7. Select the type of tunnel you want to use. You can choose from a Shiva Smart Tunnel (SST) or an IPSec tunnel.
8. Click Add to add a VPN device/Tunnel Server name and IP address.
9. Enter Peer IP and Peer Name in the corresponding fields and click OK.
10. Select Enable WINS/DNS via VPN device and click OK. You now have created a basic VPN tunnel.
For more information on configuring advanced features of the VPN Client, see the online Help file within the VPN Client software.
6 Supplementary Procedures
This chapter contains supplementary procedures, which are done occasionally, as required. This chapter gives instructions for the following supplementary procedures:
• Installing or replacing the X.21 or V.35 serial card in the VPN device
• Using the copy command (TFTP)
• Capturing a terminal emulation session as text
• Viewing a terminal emulation session
• Deleting the current VPN device configuration
• Reconfiguring the VPN device
• Viewing the IP configuration
• Using Telnet
Installing or Replacing the X.21 or V.35 Serial Card in the VPN Device
This section explains how to install or replace the X.21 or V.35 serial card in your HP VPN Server Appliance SA3400/SA3450, and covers the following topics:
• Hardware requirements
• Safety precautions
• Backing up your configuration file
• Removing the cover of the VPN device
• Installing/replacing the X.21 or V.35 serial card
• Closing and securing the cover of the VPN device
• Reconfiguring the VPN device
• Restoring the configuration

Hardware requirements
This section lists the hardware requirements for installing the X.21 or V.35 serial card into your HP VPN Server Appliance SA3400/SA3450.
You need the following hardware to install the X.21 or V.35 serial card into your VPN device:
• VPN device
• X.21 or V.35 serial card
• Phillips screwdriver
• Disposable grounding wrist strap

Safety Precautions
WARNING: Turn the power off, disconnect the power cable, and disconnect all other cables before you perform this procedure. Do not reattach any cables until you replace the cover of the unit chassis and tighten the cover screws on the chassis.
CAUTION: Attach the disposable grounding wrist strap to your wrist and an exposed portion of the chassis, as indicated in the instructions on the wrist strap packaging.
Note: Refer to the Regulatory Statements document included with your serial card for detailed information on installing the serial card.

Backing Up Your Configuration File
When you modify the VPN device’s internal hardware by installing or replacing the X.21 or V.35 serial card, you lose your device’s existing configuration file (ISBR.cfg).
The Hewlett-Packard Company recommends that before you modify the VPN device’s internal hardware, you back up the ISBR.cfg file. You can use the VPN Manager or the TFTP Copy command to back up the ISBR.cfg file.
After you install or replace the X.21 or V.35 serial card, you can preserve all the advanced settings in your old ISBR.cfg file by combining it with the new ISBR.cfg file. See the final topic in this section, "Restoring the Configuration," for complete instructions on restoring your original configuration’s settings.

Removing the Cover of the VPN Device
To remove the cover of the VPN device:
1. Loosen and remove the six cover screws located on the sides and rear of the unit chassis.
2. Remove the top cover of the VPN device.

Installing or Replacing the X.21 or V.35 Serial Card
To install or replace the X.21 or V.35 serial card:
1. Remove the screw that holds the Ethernet card in place in the slot labeled E1.
2. Push the X.21 or V.35 serial card into the connector, and ensure that it is firmly seated.
3. Replace and tighten the screw back into place, so that it firmly holds the X.21 or V.35 serial card.

Closing and Securing the Cover of the VPN Device
To replace the cover of the VPN device:
1. Lower the top cover of the chassis, then slide it forward.
2. Replace and tighten the two rear screws first, to ensure proper alignment.
3. Replace and tighten the remaining four screws on the sides of the unit chassis.
4. Reconnect all the cables, including the power cable, to the unit chassis.

Reconfiguring the VPN Device
To reconfigure your VPN device:
1. Configure and run your terminal emulation program (such as HyperTerminal) to create an active console session.
The VPN device recognizes a changed configuration and prompts you to reboot the device.
2. Press Enter to reboot the device. The VPN device reboots and displays its Manufacturing Mode Main menu:
   1. Configuration
   2. Self-diagnostics test
   3. User-diagnostics test
   4. Burn-in traffic tests
   5. Final Assembly and Serializations
3. In the Main menu, select Configuration. A new menu appears with two options: LAN and WAN.
4. In the menu, select WAN.
5. In the Main Menu, select Final Assembly and Serializations.
The device asks:
Is there an Access Pro Installed? Please confirm (y/n)
6. Enter n. The device prompts:
Enter the serial no:
7. Enter the serial number of your device (located on the rear side of the chassis directly beneath the handle).
The device prompts:
Please confirm (y/n)
8. Enter y. The device prompts:
Do you want to reboot...
9. Enter y. The device prompts:
Please confirm (y/n)
10. Enter y. The VPN device reboots into production mode, whereby the License Agreement appears. Follow the instructions in this Hewlett-Packard VPN Server Appliance SA3110/SA3150/SA3400/SA3450 Installation Guide.

Restoring the Configuration
After you install or replace the X.21 or V.35 serial card in your VPN device, you need to again create the basic configuration file of the device.
To restore your advanced configuration settings that you saved in your existing ISBR.cfg file, you need to open your old ISBR.cfg file and copy and paste the sections you want to retain into your newly created configuration in your Console window.
To create the new configuration file and restore the advanced settings of your saved ISBR.cfg file:
1. Follow the instructions in this Hewlett-Packard VPN Server Appliance SA3110/SA3150/SA3400/SA3450 Installation Guide in Chapter 3 in the section entitled "Setting Up a Basic Routing Mode Configuration on a New Device." Begin with the subsection entitled "Establishing an Initial Session."
2. Follow the instructions in the subsection entitled "Running the Setup Script."
3. Using a text editor such as Microsoft Notepad, open your previously saved ISBR.cfg file.
4. Copy and paste the sections of your old ISBR.cfg file that you want to retain into your Console window.
This combines the advanced configuration settings of your previous ISBR.cfg file with your newly created configuration file.

Using the Copy Command (TFTP)
The TFTP (Trivial File Transfer Protocol) copy command transfers a file to or from a TFTP server. The copy command can be used to upgrade firmware. Also, the copy command can be used to back up or restore configuration files.
This transfer retains passwords and displays them in clear text. This section tells you how to copy new or modified configuration files from the computer running the TFTP server to the VPN device.
Steps
To use the TFTP copy command:
1. Write or edit the isbr.exe and lrvg.exe files in a plain text editor, such as Notepad.
2. Ensure the source computer has a TFTP daemon running.
3. Install the isbr.exe and lrvg.exe files on your TFTP server.
4. Open the Console window. See "Preparing to Configure a New VPN device" in Chapter 3.
5. In the Console window, enter:
copy from <ip address of the source computer with the TFTP daemon running> isbr.exe
The isbr.exe file is transferred immediately from the computer to the VPN device.
Note: If you copy a new version of an existing file to a VPN device, the device overwrites the existing file without any warning prompt.
6. In the Console window, enter:
copy from <ip address of the source computer with the TFTP daemon running> lrvg.exe
The lrvg.exe file is transferred immediately from the computer to the VPN device.
7. From the Console window or the VPN Manager window, issue a reboot command to the device, then press Enter.
You are prompted to confirm your reboot command.
8. To confirm your reboot command, enter Y.
The device reboots and the new settings take effect upon restart.
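The clear-text behaviour noted in this section, as an added example that is not part of HP's guide: a decoder for TFTP packets as laid out in RFC 1350, run over a constructed capture of a configuration backup. It shows that a request carries only a file name and a mode, with no credential field, and that anyone who can see the packets can rebuild the file. The sample configuration lines and the keyword list are assumptions, since the guide does not show the ISBR.cfg syntax.

```python
"""Decode TFTP (RFC 1350) packets as a passive listener on the path would see them."""
import re
import struct

BLOCK = 512  # RFC 1350 fixed data block size; a shorter block ends the transfer
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
# Assumed keywords; the guide does not show the real ISBR.cfg syntax.
SECRET_HINT = re.compile(rb"(?i)password|passwd|secret")


def parse_tftp(packet: bytes) -> dict:
    """Decode one TFTP message (the UDP payload) into its fields."""
    if len(packet) < 4:
        raise ValueError("shorter than the smallest TFTP message")
    opcode = struct.unpack("!H", packet[:2])[0]
    kind = OPCODES.get(opcode)
    if kind is None:
        raise ValueError(f"unknown opcode {opcode}")
    if kind in ("RRQ", "WRQ"):
        # Entire request: filename NUL mode NUL [option NUL value NUL ...].
        # No user name, password or integrity field exists in the format.
        parts = packet[2:].split(b"\x00")
        if len(parts) < 3 or parts[-1] != b"" or len(parts) % 2 == 0:
            raise ValueError("malformed request")
        fields = [p.decode("ascii", "replace") for p in parts[:-1]]
        return {"type": kind, "filename": fields[0], "mode": fields[1].lower(),
                "options": dict(zip(fields[2::2], fields[3::2]))}
    number = struct.unpack("!H", packet[2:4])[0]
    if kind == "DATA":
        if len(packet) - 4 > BLOCK:
            raise ValueError("data block larger than 512 bytes")
        return {"type": kind, "block": number, "payload": packet[4:]}
    if kind == "ACK":
        if len(packet) != 4:
            raise ValueError("malformed ACK")
        return {"type": kind, "block": number}
    message = packet[4:].split(b"\x00")[0].decode("ascii", "replace")
    return {"type": kind, "code": number, "message": message}


def observe(packets) -> dict:
    """Rebuild what a listener learns from one captured transfer.

    Block-number wraparound (files over 32 MB) is not handled here.
    """
    files, blocks = [], {}
    for raw in packets:
        msg = parse_tftp(raw)
        if msg["type"] in ("RRQ", "WRQ"):
            files.append((msg["type"], msg["filename"]))
        elif msg["type"] == "DATA":
            blocks.setdefault(msg["block"], msg["payload"])  # ignore retransmits
    order = sorted(blocks)
    content = b"".join(blocks[n] for n in order)
    complete = (bool(order) and order == list(range(1, order[-1] + 1))
                and len(blocks[order[-1]]) < BLOCK)
    exposed = [line.decode("ascii", "replace")
               for line in content.splitlines() if SECRET_HINT.search(line)]
    return {"files": files, "bytes": len(content),
            "complete": complete, "exposed": exposed}


def build_sample_capture():
    """Constructed capture: a made-up config file sized to span two data blocks."""
    config = (
        b"# constructed sample, not real ISBR.cfg syntax\n"
        + b"# filler line to push the file past one block\n" * 10
        + b"enable password Example-Only-123\n"
        + b"interface E0 address 192.0.2.10 mask 255.255.255.0\n"
    )
    packets = [struct.pack("!H", 1) + b"isbr.cfg\x00octet\x00"]  # read request
    for n, off in enumerate(range(0, len(config) + 1, BLOCK), start=1):
        packets.append(struct.pack("!HH", 3, n) + config[off:off + BLOCK])
        packets.append(struct.pack("!HH", 4, n))  # receiver's acknowledgement
    return config, packets


if __name__ == "__main__":
    _, capture = build_sample_capture()
    print(parse_tftp(capture[0]))
    print(observe(capture))
```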

Capturing a Terminal Emulation Session as Text
This section tells you how to use a terminal emulation program such as HyperTerminal to capture a console session with a VPN device as a text file.
Prerequisite
You must have configured a console window before using it for text capture. See "Preparing to Configure a VPN device" in Chapter 3.
Steps
To capture a console session as a text file for later review:
1. At your desktop, double-click the Console icon. The Console-HyperTerminal window appears.
2. In the Transfer menu, select Capture Text. The Capture Text window appears.
3. Accept the default folder location and file name, or browse to select a new location and enter a new file name in the File field.
4. To start capturing the session, click Start. You return to the Console-HyperTerminal window.
5. To minimize the HyperTerminal screen and leave the program running, click the Minimize icon.
You return to your desktop.
6. To close the program, in the File menu, select Exit.

Viewing a Terminal Emulation Session
This section tells you how to view a previously recorded terminal emulation session.
Steps
To view a previously recorded terminal emulation session:
1. Open Notepad (or similar text editor).
2. In the Start menu, select Programs, then Accessories, then Notepad.
3. In the File menu, select Open. The Open window appears.
4. In the list box, select the desired session.
5. Click Open. You return to the Notepad window. The selected HyperTerminal session appears.

Deleting the Current VPN Device Configuration
This section tells you how to delete the current VPN device configuration and restore the factory defaults.
Steps
To delete the current VPN device configuration:
1. At your desktop, double-click the HyperTerminal icon. The Console HyperTerminal window appears.
2. Press Enter three times. This causes HyperTerminal to send a handshake to the VPN device attached to COM port N on your PC.
When you receive a response from the device, a name-and-state prompt similar to the following example appears on the screen:
namevpn:NORMAL>
3. At the name-and-state prompt, enter enable. A password prompt appears.
4. At the password prompt, enter your VPN device password. As you hit Enter, a row of stars appears. When the VPN device accepts the password, the word Passed appears on the screen.
5. The name-and-state prompt appears again:
namevpn:NORMAL#
6. At the name-and-state prompt, enter show dir. A directory listing for the VPN device appears.

Restoring the VPN Device Configuration
This section tells you how to restore the VPN device configuration to near-factory default condition, by deleting these four files:
• isbr.cfg
• safe.cfg
• lrvg.acl
• safe.acl
Steps
To delete these four files, and restore the VPN device configuration to near-factory default condition:
1. At the name-and-state prompt, enter del filename, where filename equals the filename.extension of the first file to be deleted.
The specified file is deleted immediately. The name-and-state prompt reappears.
2. Repeat the previous step to delete the remaining three files.
3. At the name-and-state prompt, enter show dir. A refreshed directory listing for the VPN device appears.
Ensure that the deleted files no longer appear in the list.
4. Leave the terminal emulation program by entering exit.
The VPN device is restored to near-factory default condition while retaining the existing passwords.

Viewing the IP Configuration
This section tells you how to use your computer’s operating system to identify the IP address of your computer’s interfaces.
Steps
To view your IP configuration:
1. In the Start menu, select Programs, then the MS-DOS prompt.
The MS-DOS prompt appears.
2. At the C:\ prompt, enter one of the following:
• winipcfg for Windows 95/Windows 98 (GUI)
• ipconfig for Windows NT/Windows 2000 (text only)
• either winipcfg or ipconfig for Windows 98
The basic IP Configuration window appears.
3. Accept the default adapter that appears, or in the Ethernet Adapter drop-down menu, select another one.
4. Click More Info>>. The expanded IP Configuration window appears. A description follows.

IP Configuration Window
The IP Configuration window has three parts:
• Host Information
• Ethernet Adapter Information
• Command buttons

Host Information
The Host Information area displays the following information for review only:
• Host Name, showing the name of your host computer, that is, the computer at which you are working
• DNS (Domain Name Service) Servers, showing the IP address of the DNS server on your network; to step through the DNS servers available on your network, click on the Lookup icon to the right of the DNS servers text
• Node Type, showing the node type of your host computer, for example, hybrid
• NetBIOS Scope Id, showing the identification of the NetBIOS (Network Basic Input/Output System) scope, if any
• IP Routing Enabled, showing IP routing is enabled when checked; disabled when clear
• WINS Proxy Enabled, showing WINS (Windows Internet Naming Service) proxy routing is enabled when checked; disabled when clear
• NetBIOS Resolution Uses DNS, showing the NetBIOS resolution uses the DNS when checked; does not use it when clear

Ethernet Adapter Information
The Ethernet Adapter Information area allows you to select installed Ethernet adapters in the Ethernet Adapter drop-down menu. The information in the text boxes changes to reflect this selection. Information appears for review only:
• Adapter Address, showing the hardware address of the adapter card; six two-digit hexadecimal characters separated by hyphens
• IP Address, showing the IP address of the adapter
• Subnet Mask, showing the subnet mask of the adapter
• Default Gateway, showing the IP address of the default gateway of the adapter
• DHCP Server, showing the IP address of the DHCP (Dynamic Host Configuration Protocol) server for the adapter
• Primary WINS Server, showing the IP address of the primary WINS (Windows Internet Naming Service) server for the adapter
• Secondary WINS Server, showing the IP address of the secondary WINS (Windows Internet Naming Service) server for the adapter
• Lease Obtained, showing the date and time the lease began for the temporary IP address issued from the pool (this lease actually is measured in seconds, but appears in larger units of time)
• Lease Expires, showing the date and time the lease ends for the temporary IP address issued from the pool

Command Buttons
The IP Configuration window has the following command buttons:
Button | Function
OK | Lets you close the window and apply the configuration parameters shown
Release | Releases the current TCP/IP bindings for the displayed adapter only so that a new stack can be created
Renew | Renews the current TCP/IP binding for the displayed adapter only
Release All | Releases the current TCP/IP bindings for all adapters so that a new stack can be created
Renew All | Renews the current TCP/IP binding for all adapters

Using Telnet
This section tells you how to specify a remote connection using Telnet.
One of the TCP/IP suite of protocols, Telnet provides virtual emulation across the Internet. Using IP as its transport mechanism, Telnet is received on application port number 23. Telnet provides a way to check device configuration in addition to using VPN Manager.
Note: Telnet is supported only on red (private) interfaces.
Steps
To specify a remote connection using Telnet:
1. In the Start menu, select Run. The Run window appears.
2. In the Open field, enter telnet, then the IP address of the red (private) interface of the VPN device.
The Telnet window appears.
3. In the Connect menu, select Remote System. The Connect window appears.
4. In the Host Name drop-down menu, select a previously used host name, or enter the name or IP address of the VPN device to which you want to telnet in the Host Name field.
5. In the Port field, accept the default display of telnet, or in the Port drop-down menu, select another connection port.
6. In the TermType field, accept the default display of vt100, or in the TermType drop-down menu, select another terminal, then press Enter.
7. To open Telnet, from the Start menu, select Run, then Telnet. The Run window appears.
8. In the Open field, enter mstelnet.exe.
9. Click OK. The Telnet window appears.
10. In the Terminal menu, select Preferences. The Preferences window appears.
11. Select the VT 100 arrows check box, then click OK. You return to the Connect window.
12. Click Connect. A Password prompt appears on the screen.
13. Enter the enable password. A row of asterisks (*) appears as you enter your password. The status Passed appears.
Information concerning the device to which you are connected appears.
You are provided with the command line prompt of the destination host.

7 Appendix — Network Infrastructure Checklists
This appendix provides:
• Checklist tables for you to complete, to gather network information that you need, before you install your VPN device
• A Port Combinations table to provide the ports you must use through any firewall that is in front of a VPN device, depending upon which protocols you support on your corporate network
Complete the following checklists before you install the VPN device.
Checklist | Task
Router Checklists | You provide each router’s manufacturer, model, operating system, IP address, and subnet mask.
Firewall Checklists | You provide the firewall’s manufacturer, type, and version. Also specify the IP addresses.
Internal Network Checklists | You provide the IP addresses, subnet masks, and protocols on your internal network.
Authentication Checklists | You provide authentication method and IP address of authentication server.
The Port Combinations table at the end of this appendix provides the ports you use, depending upon which protocols you support on your corporate network.

Router Checklists
The router checklists ask for information about the external router that connects your network to the Internet.
Complete the following router checklists:
• Router classification
• External router IP address and subnet mask
• Filter information
• VPN device address and subnet mask

Router Classification
If you are using an external router, specify the following information.
Router Manufacturer | Router Model | Operating System and Version Currently Used

External Router IP Address and Subnet Mask
Specify your router’s IP addresses and subnet masks.
Interface | IP Address | Subnet Mask
Internal | |
External | |
Additional Interface 1 | |
Additional Interface 2 | |

Filters
Determine if your existing router has filters. Do you plan to apply the filters to the incoming and outgoing traffic in the VPN device?
Yes / No

VPN Device IP Address and Subnet Mask
Assign the IP addresses and subnet masks to the VPN device that you plan to use as a router. If you plan to use the VPN device for a bridge, assign the same IP address and subnet mask to both interfaces.
Interface | IP Address | Subnet Mask
E0 | |
E1 | |
S0 | |
S1 | |

Firewall Checklists
Firewall rules determine:
• Who can communicate from the corporate network to the Internet, and who can communicate from the Internet to the corporate network (by their IP addresses and subnet masks)
• What specific applications any individual user may access
With unrestricted access, a user’s IP address and subnet mask is 0.0.0.0, and the user can gain access to any application (http, ftp, and so on). The outbound and inbound firewall checklists ask for IP addresses, subnet masks, and the applications each user can access.
Complete the following outbound and inbound firewall access rights checklists:

Outbound Firewall Access Rights
Outbound Users | IP Address | Subnet Mask | Accessible Applications

Inbound Firewall Access Rights
Inbound Users | IP Address | Subnet Mask | Accessible Applications

Using An Existing Firewall
If you are using an existing firewall, you need to ensure that you do not duplicate any of its IP addresses with those that you provide to your new VPN device.

Existing Firewall Information
Provide the manufacturer, type, and version of your existing firewall in the following table.
Firewall Manufacturer | Firewall Type | Firewall Version | Can Firewall Pass UDP Traffic? Yes/No

Firewall Interface Addresses
Provide the IP addresses of the interfaces on your existing firewall.
Interface | IP Address
Internal |
External |
Additional 1 |
Additional 2 |
Internal Network Checklists
The internal network checklists pertain to how traffic is routed through your internal network.

Internal Default Router
Determine if your current network topology includes an internal default router. If yes, provide the IP address and subnet mask.

IP Address | Subnet Mask

LAN Cables and Connectors
The VPN device includes two RJ-45 UTP female connections. Provide the physical type of your LAN: _______________________________________________________
Provide the types of cables and connectors it requires in the following table.

Connectors or Cables | Required? (Yes/No)
10BaseT/UTP |
100BaseTX/UTP |
10Base2/thin Ethernet (transceiver required for interface) |
10Base5/thick Ethernet (transceiver required for interface) |

WAN Cables and Connectors
Provide the physical type of your WAN: _______________________________________________________
Page 84
Appendix — Network Infrastructure Checklists
Provide the types of cables and connectors it requires in the following table.

Connectors or Cables | Required? (Yes/No)
V.35 serial interface for Frame Relay |
X.21 serial interface for dedicated leased lines |
DTE or DCE adapter cable |

Note: To select the correct adapter cable, you must know whether the VPN device is being connected to a DTE or DCE device (see next section).

Adapter Cable
Devices that communicate over serial devices are either Data Terminal Equipment (DTE) or Data Communications Equipment (DCE) devices. DCE devices supply the clock signal to pace the communications.
The VPN device is itself a DTE device. Follow these rules to choose which type of adapter cable to use, and see the following illustration:
If connecting the VPN device to a Data Service Unit/Channel Service Unit (DSU/CSU) device with a DCE interface, use a DTE adapter cable.
If connecting the VPN device to a DSU/CSU device with a DTE interface, use a DCE adapter cable.
If you connect the VPN device in frame relay bridge mode, it connects a frame relay device (having a DTE interface) with a DSU/CSU (having a DCE interface).
Page 85
[Illustration: adapter cable connections. Labels: VPN Device (DTE), DTE Adapter Cable, DCE Adapter Cable, DSU/CSU, Frame Relay Device]
This allows the VPN device to encrypt frame relay traffic before it is sent out on the frame relay network.
In this configuration, you connect the VPN device to one port of the serial card with a DCE cable, and you connect the other serial card port to the DSU/CSU with a DTE cable.
Provide the type of adapter cable required (DTE or DCE): _______________________________________________________

Internal Network IP Addresses and Subnet Masks
Provide the IP addresses and subnet masks of your internal network in the following table:

IP Addresses | Subnet Masks
Page 86
IP Addresses | Subnet Masks

Network Protocols
Provide the protocols you run on your network in the following table:

Protocols | Yes | No
TCP/IP | |
IPX/SPX | |
NETBEUI | |
AppleTalk | |
Other_________________ | |
Page 87
Authentication Checklists
To set up authentication for the VPN device, complete the following checklists:
Authentication types
IP address and port for certificate authority (if applicable)

Authentication Types
Determine which authentication methods to use, and provide this information in the following table. You may use a combination of authentication applications for remote users and site-to-site connections. If you use a third-party authentication method, specify the version number.

Security Type | Version | Remote Users | Site-to-Site
Certificate Authority | N/A | |
Challenge Phrases | N/A | |
SecurID | | |
RADIUS | | |
NT Domain | | |
Other 1 | | |
Other 2 | | |
Page 88
Port Combinations Table
The following protocol and port combinations must be opened through any firewall that is in front of a VPN device.

Protocol | Destination Port | Source Port | Actions
UDP | In: 2233 / Out: 2233 | All / All | These data packets are encrypted. They must be allowed through the firewall and should be directed to the device and no other destination address.
UDP | In: 10025 / Out: 10025 | All / All | These packets are encrypted management packets between the HP SA3000 Series VPN Manager and the VPN device. You should not open this firewall rule unless the VPN Manager is running outside the firewall.
Page 89
Protocol | Destination Port | Source Port | Actions
UDP | In: 10026 / Out: 10026 | All / All | These are encrypted statistics packets bound for the VPN Manager. You should not open this firewall rule unless the VPN Manager is running outside the firewall.
UDP | In: 10027 / Out: 10027 | All / All | These packets are certificate requests between the certificate authority server and a VPN device or HP client.
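
The port table's conditions can be checked mechanically against a firewall's inbound rule list. The following is an added example, not part of the HP guide: the rule format, the function name audit_inbound, and the 192.0.2.10 device address are constructed for illustration, and only the inbound direction is checked.

```python
"""Added example: audit inbound UDP allow rules against the port table."""
# Rule format, addresses and names below are constructed for illustration.
VPN_DATA = 2233  # encrypted data packets
MANAGER_ONLY = {10025: "management", 10026: "statistics"}
CERT_REQUESTS = 10027  # certificate requests


def audit_inbound(rules, vpn_device_ip, manager_outside):
    """Return a sorted list of findings for the given inbound rules."""
    findings = []
    by_port = {}
    for r in rules:
        if r["proto"] == "udp" and r["action"] == "allow":
            by_port.setdefault(r["dst_port"], []).append(r)

    # 2233 must be open, and directed to the VPN device and nowhere else.
    data_rules = by_port.get(VPN_DATA, [])
    if not any(r["dst_ip"] == vpn_device_ip for r in data_rules):
        findings.append(f"udp/{VPN_DATA}: no rule delivers data packets to {vpn_device_ip}")
    for r in data_rules:
        if r["dst_ip"] != vpn_device_ip:
            findings.append(f"udp/{VPN_DATA}: allowed to {r['dst_ip']}, not only the VPN device")

    # 10025/10026 belong open only when the VPN Manager is outside the firewall.
    for port, kind in MANAGER_ONLY.items():
        present = port in by_port
        if present and not manager_outside:
            findings.append(f"udp/{port}: {kind} port open but VPN Manager is inside")
        elif manager_outside and not present:
            findings.append(f"udp/{port}: {kind} port closed but VPN Manager is outside")

    # The table attaches no condition to 10027, so only its presence is checked.
    if CERT_REQUESTS not in by_port:
        findings.append(f"udp/{CERT_REQUESTS}: certificate request port not open")
    return sorted(findings)


# Constructed sample rule set (documentation addresses, not from the guide).
SAMPLE_RULES = [
    {"proto": "udp", "dst_port": 2233, "dst_ip": "192.0.2.10", "action": "allow"},
    {"proto": "udp", "dst_port": 2233, "dst_ip": "any", "action": "allow"},
    {"proto": "udp", "dst_port": 10025, "dst_ip": "192.0.2.10", "action": "allow"},
    {"proto": "udp", "dst_port": 10027, "dst_ip": "192.0.2.10", "action": "allow"},
]

if __name__ == "__main__":
    for line in audit_inbound(SAMPLE_RULES, "192.0.2.10", manager_outside=False):
        print(line)
```

With the VPN Manager inside the firewall, the sample rule set yields two findings: the management port is open unnecessarily, and UDP 2233 is allowed to a destination other than the VPN device.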