Nortel Networks NORTEL 3050 User Manual

Nortel Networks
VPN Gateway 3050
RSA SecurID Ready Implementation Guide

Partner Information

Last Modified: March 14, 2008
Product Information

Partner Name:
Web Site: www.nortelnetworks.com
Product Name:
Version & Platform: 7.0.1.0
Product Description: The Nortel Networks VPN Gateway 3050 is a remote access security solution that extends the reach of enterprise applications and resources to remote users. The gateway performs on-the-fly content transformation to instantly convert most intranet resources into externally-viewable, secure HTML pages and employs an advanced network address and port translation (NAPT) utility to build SSL-secured VPN tunnels for client/server communications.
Product Category: Perimeter Defense (VPN, Firewalls & Intrusion Detection)

Solution Summary

The Nortel Networks VPN Gateway 3050 is a remote access security solution that extends the reach of enterprise applications and resources to remote employees, partners, and customers. By using the native capability of widely deployed Web browsers, the SSL VPN Gateway offers a convenient clientless alternative for securely provisioning resources for remote users, without the need to install and manage client tunneling software on their PCs.
Because this solution is clientless, strong two-factor authentication is essential to ensure the identity of users connecting to your enterprise from the Internet. For this reason, the Nortel Networks VPN Gateway 3050 supports the RSA Authentication Manager as a method of strong authentication for users using RSA SecurID Authentication.
For enterprises maintaining IPsec VPN environments, the Nortel VPN Gateway 3050 provides a new level of deployment flexibility and end-user support by incorporating IPsec VPN client termination to remove the network administrator's challenge of managing multiple devices to deliver both types of remote access service.
Partner Integration Overview

Authentication Methods Supported: Native RSA SecurID Authentication, RADIUS
List Library Version Used: 5.0.3
RSA Authentication Manager Replica Support *: Full Replica Support
Secondary RADIUS Server Support: Yes, support for 2 Secondary Servers
RSA Authentication Agent Host Type: Communication Server
RSA SecurID User Specification: Designated Users
RSA SecurID Protection of Administrative Users: Yes via RADIUS. See Known issues.
RSA Software Token and RSA SecurID 800 Automation: No

Product Requirements

Partner Product Requirements: Nortel VPN Gateway 3050
Firmware Version: 7.0.1.0

Hardware Platform
Platform: VPN 3050, ASA 310, ASA 410, ASA 310 FIPS
Required Patches: N/A

Additional Software Requirements
Application: Internet Explorer 5.0, 5.5 and 6.0
Additional Patches:

RSA SecurID files

RSA SecurID Authentication Files

File: Location
sdconf.rec: In Memory
Node Secret: In Memory
sdstatus.12: In Memory
sdopts.rec: Not implemented
Go to the appendix of this document to get detailed information regarding these files.

Agent Host Configuration

Important: “Agent Host” and “Authentication Agent” are synonymous. “Agent Host” is a term used with the RSA Authentication Manager 6.x servers and below. RSA Authentication Manager 7.1 uses the term “Authentication Agent”.
Important: All “Authentication Agent” types for 7.1 should be set to “Standard Agent”.
To facilitate communication between the Nortel VPN Gateway and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database and the RADIUS server database if using RADIUS. The Agent Host record identifies the VPN Gateway within its database and contains information about communication and encryption.
To create the Agent Host record, you will need the following information.
Hostname
IP Addresses for all network interfaces
When adding the Agent Host Record, you should configure the Nortel VPN Gateway as Communication Server. This setting is used by the RSA Authentication Manager to determine how communication with the Nortel VPN Gateway will occur.
To create the RADIUS client record, you will need the following information.
Hostname
IP Addresses for all network interfaces
RADIUS Secret
Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.
Please refer to the appropriate RSA Security documentation for additional information about Creating, Modifying and Managing Agent Host records.
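The following pre-flight check is an added example, not part of the Nortel or RSA documentation: it validates the information gathered for an Agent Host record before it is entered, flagging a hostname that does not resolve or that resolves to an address missing from the listed interface IPs. The record field names, the hostname, the addresses and the sample secret are constructed assumptions.

```python
import ipaddress
import socket

def resolve_ipv4(hostname):
    """Default resolver: the IPv4 addresses the local resolver returns."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})

def check_agent_host(record, resolver=resolve_ipv4, use_radius=False,
                     expected_type="Communication Server"):
    """Return problems in a planned Agent Host record ("Standard Agent" for AM 7.1)."""
    problems = []
    declared = set()
    for text in record.get("interface_ips", []):
        try:
            declared.add(ipaddress.ip_address(text))
        except ValueError:
            problems.append(f"not an IP address: {text!r}")
    if not declared:
        problems.append("no interface IP addresses listed")
    try:
        resolved = {ipaddress.ip_address(a) for a in resolver(record["hostname"])}
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        resolved = set()
        problems.append(f"hostname does not resolve: {exc}")
    stray = resolved - declared
    if stray:
        problems.append("hostname resolves to undeclared address(es): "
                        + ", ".join(sorted(map(str, stray))))
    if record.get("agent_type") != expected_type:
        problems.append(f"agent type should be {expected_type}")
    if use_radius and not record.get("radius_secret"):
        problems.append("RADIUS in use but no RADIUS secret supplied")
    return problems

# Constructed sample data: hypothetical hostname, documentation-range addresses.
SAMPLE_DNS = {"vpngw.example.test": ["192.0.2.10"]}

def sample_resolver(hostname):
    if hostname not in SAMPLE_DNS:
        raise socket.gaierror(f"unknown host {hostname}")
    return SAMPLE_DNS[hostname]

GOOD = {"hostname": "vpngw.example.test", "agent_type": "Communication Server",
        "interface_ips": ["192.0.2.10", "198.51.100.10"], "radius_secret": "sample"}
BAD = {"hostname": "vpngw.example.test", "interface_ips": ["198.51.100.10"]}

if __name__ == "__main__":
    print(check_agent_host(BAD, sample_resolver, use_radius=True))
```

Called without a `resolver` argument, the check uses the system resolver, so it should be run from a host that sees the same name resolution as the RSA Authentication Manager.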

Partner Authentication Agent Configuration

Before You Begin

This section provides instructions for integrating the partner's product with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations.
It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.
All vendor products/components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Nortel VPN Gateway 3050 Agent configuration

Administrative tasks can be performed in the Command Line Interface (CLI) as well as the Web Administration GUI. All configuration steps and screenshots in this guide will refer to GUI administration. Please refer to Nortel Administrative documentation for more complete details on CLI and GUI Administration tasks.

RSA SecurID Authentication Configuration Overview

1. Create a User Group
2. Configure the RSA Server record
3. Configuring the RSA SecurID Authentication Servers

RADIUS Authentication Configuration Overview

1. Create a User Group
2. Configuring the RADIUS Authentication Servers