Nortel 4050 Configuration

Part No. NN47230-501 (324108-A)
Document Version: 01.01
July 16, 2007
Document status: Standard

600 Technology Park Drive
Billerica, MA 01821-4130

Nortel Secure Network Access
Switch 4050 Configuration –
Using TunnelGuard System
Agent

Release 3.5

2

NN47230-501 (324108-A)

Copyright © 2007 Nortel Networks. All rights reserved.

The information in this document is subject to change without notice. The statements, configurations, technical data, and
recommendations in this document are believed to be accurate and reliable, but are presented without express or implied
warranty. Users must take full responsibility for their applications of any products specified in this document. The
information in this document is proprietary to Nortel Networks.

The software described in this document is furnished under a license agreement and may be used only in accordance
with the terms of that license. The software license agreement is included in this document.

Trademarks

Nortel, Nortel Networks, the Nortel Networks logo, and the Globemark are trademarks of Nortel Networks.
Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated.
Java is trademark of Sun Microsystems.
Microsoft Windows is trademark of Microsoft Corporation.
All other trademarks and registered trademarks are the property of their respective owners.
The asterisk after a name denotes a trademarked item.

Restricted rights legend

Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.

Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software,
the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the
Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

Statement of conditions

In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the
right to make changes to the products described in this document without notice.

Nortel Networks does not assume any liability that may occur due to the use or application of the product(s) or circuit
layout(s) described herein.

Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All
rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the
above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising
materials, and other materials related to such distribution and use acknowledge that such portions of the software were
developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote
products derived from such portions of the software without specific prior written permission.

SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains
restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third
parties).

3

Nortel Secure Network Access Switch 4050 Configuration – Using TunnelGuard System Agent

Nortel Networks software license agreement

This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel
Networks Corporation and its subsidiaries and affiliates (“Nortel Networks”). PLEASE READ THE FOLLOWING
CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE
SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE
AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping
container, within 30 days of purchase to obtain a credit for the full purchase price.

“Software” is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted
and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content
(such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel
Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no
rights other than those granted to you under this License Agreement. You are responsible for the selection of the
Software and for the installation of, use of, and results obtained from the Software.

1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software
on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable.
To the extent Software is furnished for use with designated hardware or Customer furnished equipment (“CFE”),
Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software
contains trade secrets and Customer agrees to treat Software as confidential information using the same care and
discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate.
Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement.
Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse
assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or
modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property
to Nortel Networks are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the
event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel Networks
or certify its destruction. Nortel Networks may audit by remote polling or other reasonable means to determine
Customer’s Software activation or usage levels. If suppliers of third party software included in Software require Nortel
Networks to include additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks
with respect to such third party software.

2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer,
Software is provided “AS IS” without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS
ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING,
BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to
provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in
such event, the above exclusions may not apply.

3. Limitation of Remedies. IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE
LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF,
OR DAMAGE TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL,
INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS),
WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR
USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN
ADVISED OF THEIR POSSIBILITY. The forgoing limitations of remedies also apply to any developer and/or supplier
of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not
allow these limitations or exclusions and, in such event, they may not apply.

4. General

a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks

Software available under this License Agreement is commercial computer software and commercial computer
software documentation and, in the event Software is licensed for or on behalf of the United States

4

NN47230-501 (324108-A)

Government, the respective rights to the software and software documentation are governed by Nortel
Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections

12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).

b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails

to comply with the terms and conditions of this license. In either event, upon termination, Customer must
either return the Software to Nortel Networks or certify its destruction.

c. Customer is responsible for payment of any taxes, including personal property taxes, resulting from

Customer’s use of the Software. Customer agrees to comply with all applicable laws including all applicable
export and import laws and regulations.

d. Neither party may bring an action, regardless of form, more than two years after the cause of the action arose.

e. The terms and conditions of this License Agreement form the complete and exclusive agreement between

Customer and Nortel Networks.

f. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If

the Software is acquired in the United States, then this License Agreement is governed by the laws of the state
of New York.

Third Party Licenses

Copyright (c) 2000 - 2007 The Legion Of The Bouncy Castle (http://www.bouncycastle.org)
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated

documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to
whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Contents 5

Nortel Secure Network Access Switch 4050 Configuration – Using TunnelGuard System Agent

Contents

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Text conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9

Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

How to get Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Finding the latest updates on the Nortel Web site . . . . . . . . . . . . . . . . . . . . . . . . . 10

Getting help from the Nortel Web site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Getting help over the phone from a Nortel Solutions Center . . . . . . . . . . . . . . . . . 11

Getting help from a specialist by using an Express Routing Code . . . . . . . . . . . . 11

Getting help through a Nortel distributor or reseller . . . . . . . . . . . . . . . . . . . . . . . . 12

TunnelGuard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

TunnelGuard agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

TunnelGuard icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Supported platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Installing the TunnelGuard agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Java Runtime Environment (JRE) Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Installation kits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Command line and silent installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Custom installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Custom install options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

TunnelGuard system tray icon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

TunnelGuard logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

No or limited pop-up messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Clickable link in TunnelGuard agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Recovery from initial check failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

TunnelGuard banner support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Configuring TunnelGuard agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Navigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Logging on to NSNA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Managing profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

6 Contents

NN47230-501 (324108-A)

Managing user profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

System Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Managing global user profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Configuring the TunnelGuard agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Certificate Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Viewing the TunnelGuard agent status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

7

Nortel Secure Network Access Switch 4050 Configuration – Using TunnelGuard System Agent

Preface

This guide introduces the installation procedures for the Nortel Secure Network
Access Switch (SNAS) TunnelGuard System agent. Topics include:

• Installing the TunnelGuard agent

• Configuring the TunnelGuard agent

This guide is intended for network managers who are setting up Installable
TunnelGuard agent software. This guide assumes that you have experience with
windowing systems or Graphical User Interfaces (GUIs) and familiarity with
network management.

Before you begin

The minimum PC requirements for running the Nortel SNAS Installable
TunnelGuard Agent are:

• Windows 2000, XP, and Vista

• Windows Server 2003

• 200 MHz Pentium

• 64 MB memory

• 10 MB free hard disk space

• Java Virtual Machine (JVM)1.4.2_05 or later if you have the install kit
without the JVM

8 Preface

NN47230-501 (324108-A)

Text conventions

This guide uses the following text conventions:

angle brackets (< >) Indicate that you choose the text to enter based on the

description inside the brackets. Do not type the
brackets when entering the command.

Example: If the command syntax is

ping <ip_address>, you enter
ping 192.32.10.12

bold Courier text

Indicates command names and options and text that
you need to enter.

Example: Use the

show health command.

Example: Enter

terminal paging {off | on}.

braces ({}) Indicate required elements in syntax descriptions where

there is more than one option. You must choose only
one of the options. Do not type the braces when
entering the command.

Example: If the command syntax is

ldap-server

source {external | internal}

, you must enter

either

ldap-server source external or

ldap-server source internal

, but not both.

brackets ([ ]) Indicate optional elements in syntax descriptions. Do

not type the brackets when entering the command.
Example: If the command syntax is

show ntp [associations], you can enter

either

show ntp or show ntp associations.

Example: If the command syntax is default rsvp

[token-bucket

{depth | rate}], you can enter

default rsvp, default rsvp token-bucket
depth, or default rsvp token-bucket rate.

ellipsis points (. . . ) Indicate that you repeat the last element of the

command as needed.
Example: If the command syntax is

more diskn:<directory>/...<file_name>,

you enter

more and the fully qualified name of the file.

Preface 9

Nortel Secure Network Access Switch 4050 Configuration – Using TunnelGuard System Agent

Acronyms

This guide uses the following acronyms:

Related publications

For more information about SNAS refer to the following publications:

• Nortel Secure Network Access Solution Guide

• Nortel Secure Network Access Switch 4050 Installation Guide

italic text Indicates new terms, book titles, and variables in

command syntax descriptions. Where a variable is two
or more words, the words are connected by an
underscore.

Example: If the command syntax is

ping <ip_address>, ip_address is one variable

and you substitute one value for it.

plain Courier
text

Indicates system output, for example, prompts and
system messages.

Example:

File not found.

separator ( > ) Shows menu paths.

Example: Choose Status > Health Check.

vertical line (

| ) Separates choices for command keywords and

arguments. Enter only one of the choices. Do not type
the vertical line when entering the command.

Example: If the command syntax is

terminal paging {off | on}, you enter either
terminal paging off or terminal paging on,

but not both.

SRS Software Requirement Set

LDAP Lightweight Directory Access Protocol

TG TunnelGuard

SNAS Secure Networks Access Switch

10 Preface

NN47230-501 (324108-A)

• Nortel Secure Network Access Switch 4050 User Guide for the CLI

• Nortel Secure Network Access Switch 4050 User Guide for the SREM

• Installing and Using the Security and Routing Element Manager

• Release Notes for Nortel Ethernet Routing Switch 5500 Series, Software
Release 5.0.1

• Release Notes for the Ethernet Routing Switch 8300, Software Release 2.2.8

• Release Notes for the Nortel Secure Network Access Solution, Software
Release 1.6.1

• Release Notes for Enterprise Switch Manager, Software Release 5.2

• Using Enterprise Switch Manager Release 5.1

To print selected technical manuals and release notes for free, go to

www.nortel.com/documentation, find the product for which you need

documentation, then locate the specific category and model or version for your
hardware or software product. Use Adobe* Reader* to open the manuals and
release notes, search for the sections you need, and print them on most standard
printers. Go to the Adobe website at www.adobe.com to download a free copy of
the Adobe Reader.

How to get Help

This section explains how to get help for Nortel products and services.

Finding the latest updates on the Nortel Web site

The content of this documentation was current at the time the product was
released. To check for updates to the latest documentation and software for VPN
TunnelGuard, click one of the following links:

Link Takes you directly to the

Latest software Nortel page for VPN TunnelGuard software.

Latest documentation Nortel page for VPN TunnelGuard documentation.

Preface 11

Nortel Secure Network Access Switch 4050 Configuration – Using TunnelGuard System Agent

Getting help from the Nortel Web site

The best way to get technical support for Nortel products is from the Nortel
Technical Support Web site:

www.nortel.com/support

This site provides quick access to software, documentation, bulletins, and tools to
address issues with Nortel products. From this site, you can:

• download software, documentation, and product bulletins

• search the Technical Support Web site and the Nortel Knowledge Base for
answers to technical issues

• sign up for automatic notification of new software and documentation for
Nortel equipment

• open and manage technical support cases

Getting help over the phone from a Nortel Solutions Center

If you do not find the information you require on the Nortel Technical Support
Web site, and you have a Nortel support contract, you can also get help over the
phone from a Nortel Solutions Center.

In North America, call 1-800-4NORTEL (1-800-466-7835).

Outside North America, go to the following web site to obtain the phone number
for your region:

www.nortel.com/callus

Getting help from a specialist by using an Express Routing
Code

To access some Nortel Technical Solutions Centers, you can use an Express
Routing Code (ERC) to quickly route your call to a specialist in your Nortel
product or service. To locate the ERC for your product or service, go to:

www.nortel.com/erc

12 Preface

NN47230-501 (324108-A)

Getting help through a Nortel distributor or reseller

If you purchased a service contract for your Nortel product from a distributor or
authorized reseller, contact the technical support staff for that distributor or
reseller.

13

Nortel Secure Network Access Switch 4050 Configuration – Using TunnelGuard System Agent

Chapter 1
TunnelGuard

TunnelGuard enables you to impose a security policy on the client PC when it is
connected to the corporate network through the Nortel Secure Network Access
Switch (SNAS). This policy defines the firewall and security software, or
Software Requirement Set (SRS), that must be installed and activated on the client
PC while the PC is connected to the gateway.

TunnelGuard is comprised of the following components:

• TunnelGuard agent — is the desktop application running on client desktop
PCs that connect to Secure Network. This application monitors the state of
rules on desktops that are enforced by TunnelGuard daemon and reports their
status back to Secure Network.
The installable TunnelGuard agent is installed on the end user's system as a
Windows System Service. The TunnelGuard agent provides single sign-on
and machine authentication functions.

• Software Requirement Set (SRS) builder — provides an interface for
administrators to create and modify Software Requirement Sets (SRS) and
rules. These requirements and rules are assigned to groups of users and
enforced on client PCs connecting to either VPN Router or SNAS.

TunnelGuard agent

The TunnelGuard agent runs on the client desktop PC and is responsible for
processing and checking the SRS rules. For example, the TunnelGuard agent
checks that the required components (executable files, DLLs, configuration files)
necessary to comprise a personal firewall are installed and active. Because it is
completely provisioned from the gateway, the TunnelGuard agent is invisible to
the end user.

The TunnelGuard agent features are:

14 Chapter 1 TunnelGuard

NN47230-501 (324108-A)

1 starts at bootup

2 remains inactive in a listening state until a connection is established

3 returns to the listening state once a connection is torn down

Nortel SNAS supports the following TunnelGuard agents:

• Nortel TunnelGuard System Agent - This agent contains two individual
entities that are, a system service and the user interface application that are
accessible through Windows system tray. It is installed as Windows system
service.
The advantages of using the Nortel TunnelGuard System Agent are system
and user authentication, and single sign-on in Microsoft and Novell
environments.

• Nortel TunnelGuard Desktop Agent - This agent is installed through the
SNAS captive portal as a JAVA Webstart application on the Windows
platform and runs as Windows system tray application.
The advantages of using the Nortel TunnelGuard Desktop Agent are user
authentication and device compliance checking.

• Nortel TunnelGuard Browser Applet - This applet is a JAVA applet in the
web browser that runs on Windows and non-Windows operating systems.

TunnelGuard icons

There is an icon defined for each of the three TunnelGuard states. Table 1 shows
the color and state of each icon.

Table 1 TunnelGuard icons

Color State

Gray There is no connection to the server. TunnelGuard is in an idle

state.

Green TunnelGuard is connected to the server and compliant to policies.

Red Compliance has failed and a new error is reported.

Blue The system session is logged on to SNAS and the system policies

are compliant.

Blue with
red color X

The system session is logged on and the system policies have
failed.

Chapter 1 TunnelGuard 15

Nortel Secure Network Access Switch 4050 Configuration – Using TunnelGuard System Agent

Supported platforms

TunnelGuard is supported on the following operating system platforms:

• Windows 2000

• XP Professional

• Windows 2003 Server

•Windows Vista

Installing the TunnelGuard agent

TunnelGuard installation kits are provided on the Nortel SNAS portal/
TunnelGuard CD in the TunnelGuard directory.

Java Runtime Environment (JRE) Selection

There are two installation kits provided, one with the Java virtual machine (VM)
(1.6.0_01) bundled, one without VM bundled. NoVM installation kit is provided
to minimize the size of the kit for downloading.

JRE 1.4.2_05 (or later versions) is required for TunnelGuard installation. The VM
version of TunnelGuard installation allows you to install bundled VM (which is

1.6.0_01) with TunnelGuard. The VM is installed under the <TG install dir>\jre

directory. This JRE is local to the TunnelGuard and is only used by TunnelGuard.
Web browsers are not affected by it.

The “Select JVM" dialog box allows users to select:

• bundled JVM (not available for NoVM kit)

• JVM installed on local machine (with version greater than or equal to

1.4.2_05)

Attention: You require administrative rights to install the TunnelGuard
agent.

16 Chapter 1 TunnelGuard

NN47230-501 (324108-A)

If you select a bundled JVM, a jre directory is installed under the installation
directory and is used to launch the TunnelGuard application.

If you select JVM installed on the local machine, the jre directory is not installed.
The selected local JVM is used.

Installation kits

Two sets of kits are provided for TunnelGuard installation: a customizable
installation kit and a standard installation kit. Each kit has two versions.

If download time (size of the kit) is not a concern, administrators can deploy the
VM version of TunnelGuard. The VM version of TunnelGuard gives users the
option of installing the bundled JVM or using one already installed on the
machine (if it is JRE 1.4.2_05 or a later version).

If users have an older version of JRE installed and want to keep that version (for
example, JRE 1.3.1) to be used by browsers, they can install the bundled JVM and
limit the use of that JVM to TunnelGuard.

The NoVM version has no bundled JVM, thus the kit is smaller and downloads
faster. In this case, users must have the right version of JRE (1.4.2_05) installed
on the machine.

Customizable installation kit

Customizable VM kit

The customizable VM TunnelGuard installation kit is bundled with JRE 1.6.0_01.

Launch TgVm_3_5.exe if there is no correct version of Windows MSI service on
the target machine (such as a Windows 98 machine). After you install MSI
service, TgVm_3_5.msi is automatically launched.

TgVm_3_5.msi can be launched directly if there is a correct version of Windows

MSI on the machine. It can be customized using tools such as ORCA. See

“Custom installation” on page 18 for more information.

Chapter 1 TunnelGuard 17

Nortel Secure Network Access Switch 4050 Configuration – Using TunnelGuard System Agent

Customizable NoVM kit

The customizable NoVM TunnelGuard installation kit does not have JRE
bundled.

Launch TgNoVm_3_5.exe if there is no correct version of Windows MSI service
on the machine. After you install MSI service, TgNoVm_3_5.msi is automatically
launched.

Launch TgNoVm_3_5.msi directly if there is a correct version of Windows MSI
on the machine. It can be customized using tools such as ORCA. See “Custom

installation” on page 18 for more information.

Standard installation kit

Standard VM kit

TgVm_3_5.exe is a single file installer. It installs MSI if it is not on the machine.

JRE 1.6.0_01 is included.

Standard NoVM kit

TgNoVm_3_5.exe is a single file installer. It installs MSI if it is not on the

machine. No JRE is included.

18 Chapter 1 TunnelGuard

NN47230-501 (324108-A)

Command line and silent installation

Msiexec.exe can be used for installation from the command line. The command
line switch /qn is used to indicate a silent install.

For silent installation, the reboot dialog box is not necessary as a reboot is
performed automatically.

The property NN_CVC701PATH can be set as an installation parameter. For
example:

Msiexec NN_CVC701FORCEREBOOT=1 /I tgExeVM.msi /qn

More examples:

Msiexec /I tgExeVM.msi /qn
Msiexec /I tgExeNoVM.msi /qn

Other switches include:

/I - install
/X - uninstall

Custom installation

TunnelGuard installation uses Microsoft Installer, in MSI file format. A number
of tools are available to modify the MSI database, such as ORCA. With an MSI
installation file, you can customize installation by changing the title, changing the
icon, or changing the files to be installed.

Here are examples of how to make some of these changes using ORCA:

Attention: All commands are case sensitive.

Chapter 1 TunnelGuard 19

Nortel Secure Network Access Switch 4050 Configuration – Using TunnelGuard System Agent

Modify installation properties

Change default folder

Table: Directory

Row(s): Directory = NEW_DIRECTORY2 and its parent directories

Modify: DefaultDir field; replace "Nortel Networks" with your default folder.

Change default Program menu folder

Table: Directory

Row(s): Directory = nortel_1_nortel_networks

Modify: DefaultDir field; replace "Nortel Networks TunnelGuard" with your
default folder name.

Change shortcut icon

Table: Icon

Row: Add new row

Modify: Name = MyCustomIcon.ico

Data: upload your icon file: MyCustomIcon.ico

Table: Shortcut

Rows: Shortcut = NewShortcut1 and Shortcut = NewShortcut3

Modify: Icon_ = MyCustomIcon.ico

IconIndex = 0

20 Chapter 1 TunnelGuard

NN47230-501 (324108-A)

Change deafult JRE

Property NN_JREPATH can be used to set the JRE path. If NN_JREPATH is set,
the "Select JVM" dialog box is not shown. JVM represented by NN_JREPATH is
used.

In silent mode, if NN_JREPATH is provided, the corresponding JRE is used. If
NN_JREPATH is not provided for a VM kit, the default bundled JRE is installed
and used. If NN_JREPATH is not provided for a NoVM kit in silent mode, the
installation fails.

Change TunnelGuard icon

The TunnelGuard agent displays an icon in the Windows system tray. The icon
indicates TunnelGuard status. This icon also appears in the About dialog box of
the TunnelGuard agent.

To change the icons for the TunnelGuard agent,

• Modify the MSI files to replace the files under
[INSTALLDIR]\resources\*.ico with these icon files. [*]

To change the icons for the TunnelGuard agent, use the following naming
conventions:

• iconGray.ico: TunnelGuard inactive; normally gray

• iconNormal.ico: TunnelGuard user compliant; normally green

• iconError.ico: TunnelGuard user compliant; normally red

• iconActive.ico: TunnelGuard system compliant; normally blue

• iconWarning.ico: TunnelGuard system compliant; normally blue with red X

Modify Agent.properties

The Agent.properties file has settings for how the TunnelGuard agent runs.
Administrators can customize it and include it in the custom installation.

To change Agent.properties, do the following:

1 Do an installation or extract the Agent.properties from MSI.

Chapter 1 TunnelGuard 21

Nortel Secure Network Access Switch 4050 Configuration – Using TunnelGuard System Agent

2 Modify Agent.properties according to your requirements.

3 Modify MSI file to replace Agent.properties under [INSTALLDIR]\resources

with the modified file. [*]

Example of modifying TunnelGuard MSI installation file

Use the following steps to modify the MSI file, replace icon, and property files.

The Microsoft SDK tools ORCA and cabarc.exe are used to extract the cab file
and re-bundle cab files. Here are the sample steps with TgExeVm.ms:

1 Open TgExeVm.msi with ORCA. In the Cabs table, export the cab file that

contains the icon files and property file to a file such as mycab.cab.

2 At a command prompt (make sure cabarc.exe is in your path), go to the

directory where mycab.cab is saved.

3 Run command:

cabarc L mycab.cab > list.txt

4 Modify text file list.txt, so that it only contains a list of file names. It can look

like:

log4j1.2.3.jar
TunnelGuard.jar
AgentTerminator.exe
TGIconApp.EXE
TGIcon.DLL
ProcessInfoWIN.DLL
PartnerAPI.DLL
TGIconAppRC.DLL
Agent.properties
CueAgent_srv.exe
CueAgent_app.exe
curves.jar1
EccpressoCore.jar2
EccpressoJcae.jar3
license.txt
iconError.ico
iconNormal.ico

5 Run command: cabarc X mycab.cab to extract all the files from the cab

file.

6 Replace the icon files and Agent.properties file with the files you have

customized. Make sure the file names are not changed.

22 Chapter 1 TunnelGuard

NN47230-501 (324108-A)

7 Run command: cabarc n mynewcab.cab @list.txt

8 In the ORCA Cabs table, import mynewcab.cab.

TgExeVm.msi is now successfully updated with the new files.

Customizing Login dialog box image

To customize the Login dialog box Image, use the following steps:

1 Create an 100x200 BMP graphic named LoginImage.bmp.

2 Place the graphic in the directory named as %INSTALL_DIR%\resources\.

Customizing About dialog box image

To customize the About dialog box image, use the following steps:

1 Create an 170x350 BMP graphic named AboutImage.bmp.

2 Place the graphic in the directory named as %INSTALL_DIR%\resources\.

Customizing Connection dialog box icon

To customize the Connection dialog box icon, use the following steps:

1 To simulate animation you can use up to10 custom icons using this naming

convention (connect0 ..... connect9) ico. You can use up to 10, 48x48 custom

icons.

2 Place the graphic in the directory named as %INSTALL_DIR%\resources\.

System preferences

When you distribute a profile.ini with the install package, you can hide the System
Profiles and Global User Profile from the end user by editing the profile.ini
manually and adding the following section:

[ Preferences ]

HideGlobalProfiles=1

Chapter 1 TunnelGuard 23

Nortel Secure Network Access Switch 4050 Configuration – Using TunnelGuard System Agent

HideSystemProfiles=1

Custom install options

Currently TunnelGuard agent installs TunnelGuard Service as well as Desktop
Application to monitor and report SRS Rule failures as one feature. This release
separates TunnelGuard core functionality from desktop monitoring application.
Custom install options provide the end user with two features:

• TunnelGuard Core

• Desktop Monitor

This separation allows the administrator to configure MSI installer to provide
customized installer to the end user. TunnelGuard Core contains all of the
TunnelGuard functionality that includes TunnelGuard Service, but excludes the
desktop monitoring application. The Desktop Monitor application puts its icon in
the system tray and provides popups for failures and menu options.

The custom install options provide the following options to the end user:

• System tray icon

• Optional TunnelGuard logs

• No or limited popups

• Clickable link in the TunnelGuard agent

TunnelGuard system tray icon

When the TunnelGuard agent is running on a system, the TunnelGuard icon
appears in the system tray in the lower right corner of the window. This icon is
used for configuration and failure notification.

When you right-click on the TunnelGuard icon, the context menu shows these
commands:

• About — provides version and copyright information.

• Configure — enables a user to configure logging settings.

• Status — displays the TunnelGuard log.

24 Chapter 1 TunnelGuard

NN47230-501 (324108-A)

• Manage NSNA Profiles — enables a user to configure profiles.

• Login to NSNA — enables a user to log on to NSNA.

If there is a check failure, the TunnelGuard icon has a slash through it, which
indicates a failure condition. After you read the information in the Status dialog
box, the slash is cleared.

TunnelGuard logs

The TunnelGuard log file is located in the \Program
Files\Nortel\TunnelGuard\logs directory. This file contains the same alert
information as the status display, as well as some additional information.

TunnelGuard status log

The TunnelGuard agent logs are an optional feature with Windows Installer. By
default, logging is enabled for standard install. To view the TunnelGuard Status
log, right-click the TunnelGuard icon in the system tray and select the Status
menu option.

You can modify the registry settings on the desktop PC to enable or disable
TunnelGuard logging. To disable logs from being created on the desktop PC, set
DisableLogging to 1, as follows:

DisableLogging=1

No or limited pop-up messages

The TunnelGuard agent pops up a dialog window whenever there is an SRS check
failure, regardless of the policy set on the SNAS for the rule. In some installation
scenarios, this feature is not desirable. When SRS check failures are logged, the
Detail switch reveals all of the information about rule contents and exactly what is
expected on the system in order to be compliant. Some VPN administrators
choose to hide some or all of this information from end users.

You can hide pop-up messages in the following ways:

• Install TunnelGuard without Desktop Monitor feature. This ensures no
pop-up messages are generated on the desktop PC.

Chapter 1 TunnelGuard 25

Nortel Secure Network Access Switch 4050 Configuration – Using TunnelGuard System Agent

• Install TunnelGuard with Installer property DisablePopup set to 1. This
ensures no pop-up messages are generated on the desktop PC, even when
Desktop Monitor is installed. This feature works on registry settings on
desktop PCs, so you can modify the registry settings to change the behavior.

• Install TunnelGuard with Installer property HideTaskbarIcon set to 1. This
ensures no pop-up messages are generated and no taskbar icon appears in the
system tray, even when Desktop Monitor is installed and running on the
system. This feature works on registry settings on desktop PCs, so you can
modify the registry settings to change the behavior.

Clickable link in TunnelGuard agent

The TunnelGuard agent presents an error message on desktop PCs whenever an
SRS rule fails. This error message is comprised of an SRS rule and an SRS
comment. The SRS comment has clickable links that provide rule-specific
locations to download information for compliance in cases where the user fails to
comply. Any text that begins with http:// or https:// automatically transforms to a
clickable link.

Recovery from initial check failure

Initial Failure Recovery Mode overcomes many situations that make you stay in
restricted mode of tunnel for long durations. If the TunnelGuard agent detects
SRS FAILURE/UPDATE on the first check, it goes into Failure Recovery
Mode. This mode enables a faster, more frequent SRS compliance checking by
the TunnelGuard agent. The TunnelGuard agent does not engage the SNAS until
there is a change in compliance. Once the system falls into compliance, or the
Failure Recovery Mode interval expires, TunnelGuard comes out of Failure
Recovery Mode. The default failure recovery interval is 10 seconds and is
configured using TunnelGuard properties. The duration of Failure Recovery
Mode is the length of the first intra-interval checking.

26 Chapter 1 TunnelGuard

NN47230-501 (324108-A)

TunnelGuard banner support

It is important that TunnelGuard is configured to effectively communicate
information and instructions to end users who are expected to use the
TunnelGuard agent. The TunnelGuard banner is a mechanism that is used to
communicate information to the user, including a standard banner message
informing the users that a restricted filter is in place until the SRS conditions are
met.

Build scripts and targets are provided to stamp the executable and jar file with
updated version information. The banner for the TunnelGuard agent is displayed
on the Help > About dialog box. The banner for the jar file is displayed in the Java
Console Logs.

27

Nortel Secure Network Access Switch 4050 Configuration – Using TunnelGuard System Agent

Chapter 2
Configuring TunnelGuard agent

This chapter provides information about configuring the TunnelGuard agent.

Navigation

• “Logging on to NSNA” on page 27

• “Managing profiles” on page 28

• “Configuring the TunnelGuard agent” on page 38

• “Viewing the TunnelGuard agent status” on page 40

Logging on to NSNA

The TunnelGuard agent provides the option of single sign-on log on. Every time a
user logs on to the network domain the TunnelGuard agent collects the log on
credentials of the user. The TunnelGuard agent forwards these log on credentials
to the SNAS server as a part of the logon request.

Additionally, the user can also log on using the TunnelGuard agent GUI.

Logging on to NSNA

To log on to NSNA using the TunnelGuard agent, use the following procedure:

28 Chapter 2 Configuring TunnelGuard agent

NN47230-501 (324108-A)

1 In the Windows taskbar notification area, right-click the TunnelGuard agent

icon and select Login.
The Login to NSNA dialog box appears.

2 Select the profile with which you want to log on or enter the logon credentials.

The following table describes the Login fields.

3 Click Connect.

The TunnelGuard is connected to SNAS.

Managing profiles

You can create and maintain user profiles and configure them to logon to SNAS.
You can also create and maintain system profiles to check for the credentials of
the system that connects to SNAS.

This section contains information about the following procedures:

Field Description

Profile Specifies the user profile, which is used to log on to

the TunnelGuard.

Server Specifies the SNAS IP address.

Username Specifies the user name.

Password Specifies the password.

Chapter 2 Configuring TunnelGuard agent 29

Nortel Secure Network Access Switch 4050 Configuration – Using TunnelGuard System Agent

• “Managing user profiles” on page 29

• “System Profiles” on page 32

Managing user profiles

To manage the user profiles, use the following procedures:

• “Creating a user profile” on page 29

• “Modifying a user profile” on page 31

• “Deleting a user profile” on page 31

Creating a user profile

To create a user profile, use the following procedure:

30 Chapter 2 Configuring TunnelGuard agent

NN47230-501 (324108-A)

1 In the Windows taskbar notification area, right-click the TunnelGuard icon

and select Manage NSNAProfiles.
The Manage Profiles dialog box appears.

2 Select User Profiles.

3 Click New Profile.

4 Enter the user profile details. The following table describes the User Profiles

fields.

Field Description

Profile Name Specifies the unique name assigned to the user

profile.

Use Domain User
Information

Specifies that the TunnelGuard gets the logon
credentials from the domain.

Chapter 2 Configuring TunnelGuard agent 31

Nortel Secure Network Access Switch 4050 Configuration – Using TunnelGuard System Agent

5 Click Save Profile.

6 Click Done.

Modifying a user profile

To modify a user profile, use the following procedure:

1 In the Windows taskbar notification area, right-click the TunnelGuard icon

and select Manage NSNA Profiles.
The Manage Profiles dialog box appears.

2 Select User Profiles.

3 Select the profile to be modified.

4 Modify the required details.

5 Click Save Profile.

6 Click Done.

Deleting a user profile

To delete a user profile, use the following procedure:

Use Profile Defined User
Information

Specifies that the TunnelGuard agent uses the logon
credentials that are given for the current profile.

Username Specifies the username.

You can specify the Username only when the Profile
Defined User Information option is selected.

Password Specifies the password assigned to the user.

You can specify the Password only when the Profile
Defined User Information and the Save Password
options are selected.

Save Password You can only select the Save Password when the

Profile Defined User Information option is selected.

Server Specifies the name of the server.

Default Profile Specifies that the current profile is the default profile.

Field Description

32 Chapter 2 Configuring TunnelGuard agent

NN47230-501 (324108-A)

1 In the Windows taskbar notification area, right-click the TunnelGuard icon

and select Manage NSNA Profiles.
The Manage Profiles dialog box appears.

2 Select User Profiles.

3 Select the profile to be deleted.

4 Click Delete Profile. A confirmation dialog box appears.

5 Click OK to delete the user profile.

System Profiles

System profile allows you to configure the system for multiple locations with
different sets of credentials. To configure this you need to specify the server as a
hostname rather than an IP address. DNS servers resolve the hostname to a
different address. So the system profile possesses different credentials based on
the DNS query result.

E.g. For two offices at Boston and Los Angeles. The DNS server in Boston would
resolve the hostname nsna.example.com as 10.10.10.10 and the DNS server in
Los Angeles would resolve it to 20.20.20.20. So you can add two sets of
credentials.

Illustration:

SNAS Address SNAS Mask System ID Password

10.10.10.0 255.255.255.0 Boston PasswordX

20.20.20.0 255.255.255.0 LosAngeles PasswordY

With the above configuration your system, in Boston will be authenticated using
the first set of credentials.

If you do not want to use multiple system profiles, specify the SNAS Address and
Mask as 0.0.0.0.

This section contains information about the following procedures:

• “Creating a system profile” on page 33

Chapter 2 Configuring TunnelGuard agent 33

Nortel Secure Network Access Switch 4050 Configuration – Using TunnelGuard System Agent

• “Modifying a system Profile” on page 34

• “Deleting a system profile” on page 35

Creating a system profile

To create a system profile, use the following procedure:

1 In the Windows taskbar notification area, right-click the TunnelGuard icon

and select Manage NSNA Profiles.
The Manage Profiles dialog box appears.

2 Select System Profile.

3 Specify the name of the server.

34 Chapter 2 Configuring TunnelGuard agent

NN47230-501 (324108-A)

4 Click Add.

The Add New System Id dialog box appears.

5 Enter the system profile details. The following table describes the Add New

System Id fields.

6 Click OK.

7 Click Save Profile.

The system profile is added to the Credentials table.

Modifying a system Profile

To modify a system profile, use the following procedure:

1 In the Windows taskbar notification area, right-click the TunnelGuard icon

and select Manage NSNA Profiles.
The Manage Profiles dialog box appears.

2 Select System Profile.

3 Select the server for which you want to modify the details.

Field Description

SNAS Network Address Specifies the network address of SNAS.

SNAS Network Mask Specifies the network mask of SNAS.

System ID Specifies the system ID.

Password Specifies the password.

Chapter 2 Configuring TunnelGuard agent 35

Nortel Secure Network Access Switch 4050 Configuration – Using TunnelGuard System Agent

4 Click Modify.

The existing credentials are displayed.

5 Modify the details.

6 Click OK to save the changes.

7 Click Save Profile to save the changes.

Deleting a system profile

To delete the system profile, use the following procedure:

1 In the Windows taskbar notification area, right-click the TunnelGuard icon

and select Manage NSNA Profiles.
The Manage Profiles dialog box appears.

2 Select System Profiles.

3 Select the system profile that you want to delete.

4 Click Delete. A confirmation dialog box appears.

5 Click OK.

The selected system profile is deleted from the Credentials table.

Managing global user profiles

To manage the global user profiles, use the following procedures:

• “Creating a global user profile” on page 35

• “Modifying a global user profile” on page 37

• “Deleting a global user profile” on page 37

Creating a global user profile

To create a global user profile, use the following procedure:

36 Chapter 2 Configuring TunnelGuard agent

NN47230-501 (324108-A)

1 In the Windows taskbar notification area, right-click the TunnelGuard icon

and select Manage NSNAProfiles.
The Manage Profiles dialog box appears.

2 Select Global User Profiles.

3 Click New Profile.

4 Enter the global user profile details. The following table describes the Global

User Profiles fields.

Field Description

Profile Name Specifies the unique name assigned to the user

profile.

Use Domain User
Information

Specifies that the TunnelGuard gets the logon
credentials from the domain.

Chapter 2 Configuring TunnelGuard agent 37

Nortel Secure Network Access Switch 4050 Configuration – Using TunnelGuard System Agent

5 Click Save Profile.

6 Click Done.

Modifying a global user profile

To modify a global user profile, use the following procedure:

1 In the Windows taskbar notification area, right-click the TunnelGuard icon

and select Manage NSNA Profiles.
The Manage Profiles dialog box appears.

2 Select Global User Profiles.

3 Select the profile to be modified.

4 Modify the required details.

5 Click Save Profile.

6 Click Done.

Deleting a global user profile

To delete a global user profile, use the following procedure:

1 In the Windows taskbar notification area, right-click the TunnelGuard icon

and select Manage NSNA Profiles.
The Manage Profiles dialog box appears.

Use Profile Defined User
Information

Specifies that the TunnelGuard agent uses the logon
credentials that are given for the current profile.

Username Specifies the username.

You can specify the Username only when the Profile
Defined User Information option is selected.

Password Specifies the password assigned to the user.

You can specify the Password only when the Profile
Defined User Information and the Save Password
options are selected.

Save Password You can only select the Save Password when the

Profile Defined User Information option is selected.

Server Specifies the name of the server.

Field Description

38 Chapter 2 Configuring TunnelGuard agent

NN47230-501 (324108-A)

2 Select Global User Profiles.

3 Select the profile to be deleted.

4 Click Delete Profile. A confirmation dialog box appears.

5 Click OK to delete the global user profile.

Configuring the TunnelGuard agent

You can configure the TunnelGuard agent default setting. You can also configure
the single sign-on option.

Certificate Management

TunnelGuard Agent manages its individual Java based Keystore that is installed
as <installdir>/resources/keystore file. You can pre-populate this certificate store
by Installing TunnelGuard Agent on a system and while attempting a User
Session for SNAS. TunnelGuard prompts you with Certificate warning and when
"Always" option is selected, the certificate is added to the specified keystore.
This keystore can be used as pre-populated keystore and deployed with
TunnelGuard Installation, using MSI Customization.

Alternatively, you can take certificates that are already installed on your desktop
in MSCAPI Certificate stores. To use MSCAPI Certificates, TunnelGuard Agent
must be installed either with bundled JRE or with any JRE 6 or above.

If JRE 6 is used, TunnelGuard trusts all the certificates that are present in system’s
ROOT Certificate store. If Trusted Certificate is not found either in TG Keystore
or MSCAPI ROOT Truststore of machine (with JRE 6), System Profiles cannot
login to SNAS. If trusted certificate is not found in any of the truststores, User
Profiles prompts the user with a Certificate warning.

If you choose to deploy TunnelGuard with an empty keystore using JRE 5 or
below and without using MSI Customization, you must attempt a User Session to
accept SNAS Certificate with "Always" Option, before attempting system session
for the first time.

Chapter 2 Configuring TunnelGuard agent 39

Nortel Secure Network Access Switch 4050 Configuration – Using TunnelGuard System Agent

Configuring the TunnelGuard agent

To configure the TunnelGuard agent, use the following procedure:

1 In the Windows taskbar notification area, right-click the TunnelGuard icon

and select Configure.
The TunnelGuard Configuration dialog box appears.

40 Chapter 2 Configuring TunnelGuard agent

NN47230-501 (324108-A)

2 Enter the TunnelGuard agent configuration details. The following table

describes the Configuration fields.

3 Click OK to save the details.

Viewing the TunnelGuard agent status

This section provides information about viewing the current status of the
TunnelGuard agent. You can view the current IP address of the system and the log
file details such as number of checking results and TunnelGuard events.

Viewing the TunnelGuard agent status

To view the TunnelGuard status, use the following procedure:

Field Description

Default User Profile Specifies the default user profile.

Enable Single Sign-on Check to enable single sign-on for the TunnelGuard

agent.

Log All Check Results Check to register all checking results on the

TunnelGuard.

Log Tunnel Up and Down
Events

Check to log TunnelGuard up and down events.

Number of recent checking
logs shown in status dialog

Specifies the total number of checking logs that are
displayed in the TunnelGuard Status Logs dialog
box.

Java Runtime Specify the default JRE version for the

TunnelGuard agent.

Chapter 2 Configuring TunnelGuard agent 41

Nortel Secure Network Access Switch 4050 Configuration – Using TunnelGuard System Agent

1 In the Windows taskbar notification area, right-click the TunnelGuard icon

and select Status.
The TunnelGuard Status Logs dialog box appears.

2 To view the policy details, click Policy.

3 To view the SNAS status, click SNAS Status.

4 To clear the logs, click Clear Logs.

5 Click OK to close the TunnelGuard Status Logs dialog box.

42 Chapter 2 Configuring TunnelGuard agent

NN47230-501 (324108-A)

Configuration – Using TunnelGuard System Agent

Nortel Secure Network Access Switch 4050
Release 3.5

Document Number: NN47230-501

Document Status: Standard

Document Version: 01.01

Part Code: 324108-A

Release Date: July 16, 2007

Copyright © Nortel Networks Limited 2007 Alll Rights Reserved
The information in this document is subject to change without notice. The statements, configurations,
technical data, and recommendations in this document are believed to be accurate and reliable, but are
presented without express or implied warranty. Users must take full responsibility for their applications
of any products specified in this document. The information in this document is proprietary to Nortel Net­works.
Nortel, Nortel Networks, the Nortel Networks logo, and the Globemark are trademarks of Nortel Net­works.
Microsoft Windows is trademark of Microsoft Corporation.

All other trademarks and registered trademarks are the property of their respective owners.
To provide feedback, or to report a problem in this document, go to www.nortel.com/documentfeedback.