mGuard device manager User`s Manual

8. The installer can optionally add shortcuts to the Start menu. If this is desired, choose the folder to which the shortcuts are added (Setup dialog "Select Start Menu Folder": Where should Setup place the program's shortcuts?).

9. Click on the Install button. The "Ready to Install" page summarises the settings: Setup is now ready to begin installing mGuard Device Manager on your computer; click Install to continue with the installation, or click Back if you want to review or change any settings. Destination location: C:\Program Files\mGuard Device Manager. Components: mdm Server and mdm Client (mandatory), Java Runtime Environment (JRE), Database (PostgreSQL), mdm Service Launcher, Apache Web Server, mdm Certification Authority (optional).

The mdm components will be installed on the system. After the installation has finished, the locations served through the Apache web server are reported. mdm is now ready to be used.

If you use the installer program, the following chapters describing the manual installation procedure do not apply. You can skip to Chapter 2.9.

2.4 Manual installation of the mdm client, the mdm server and the database

Client-server communication
Communication between mdm and mGuard

This section describes how to install mGuard device manager manually. Prior to the installation
  The format of this keystore (JKS) has to be configured in the ca-preferences.xml file in the node certificateFactory/keyStoreType. The password to access the private key (default: the environment variable PASSWORD_CA) has to be configured in the ca-preferences.xml file in the node certificateFactory/keyPassword. The alias of the key (default: ca) has to be configured in the ca-preferences.xml file in the node certificateFactory/keyAlias.

- https-keystore.jks: A keystore containing the certificate and private key used by the https server. The full pathname of this keystore has to be configured in the ca-preferences.xml file in the node httpServer/https/keyStore. The format of this keystore (JKS) has to be configured in the ca-preferences.xml file in the node httpServer/https/keyStoreType. The password to access the keystore (default: the environment variable PASSWORD_SSL) has to be configured in the ca-preferences.xml file in the node httpServer/https/keyStorePassword.

- https-truststore.jks: A keystore containing the certificate(s) the https server trusts. The filename including the path of this keystore has to be configured in the ca-preferences.xml file in the node httpServer/https/trustStore. The format of this keystore (JKS) has to be configured in the ca-preferences.xml file in the node httpServer/https/trustStoreType. The password to access the keystore (default: the environment variable PASSWORD_SSL) has to be configured in the ca-preferences.xml file in the node httpServer/https/trustStorePassword.

- database-truststore.jks: A keystore containing the CA certificate of the database. The location
(Figure 34: Definition of a CIDR pool. Dialog with the buttons Add network and Copy network; Network List: 10.12.0.0/16, 192.168.128.0/19; Network Mask: 24.)

The CIDR pool in the example contains all addresses defined in the table Network List. The field Network Mask defines the size of the single values to be taken out of the pool, i.e. when this pool is used in a variable, mdm automatically assigns an IP address range with a mask of /24 out of the available source networks to that variable. E.g. if the pool is used for the template variable Remote network in a VPN connection, then mdm automatically assigns a value to the variable Remote network of all devices using the respective template. The pool overview table in the main window shows how many values have been taken out of the pool (Use count) and how many values are still available in the pool (Available count).

Please note that once defined, it is not possible to change or delete the source address ranges and the network mask of the pool any more; e.g. it is not possible to decrease the network range 10.12.0.0/16 to 10.12.0.0/19 in the example above. It is only possible to add further ranges to the pool, i.e. to increase the pool value range. Please carefully plan the definition of the pool ranges in advance.

Pool values can only be used in templates. For certain variables you can choose the pool you would like to use from the drop-down box; e.g. in Figure 35 a number of pools (London,
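The allocation rule described above (fixed-size blocks handed out in order from the source networks, a Use count and an Available count, source ranges that may be added but never shrunk) can be reproduced with plain shell arithmetic. The script below is an added example and not part of mdm: the pool definition is the one from Figure 34, the use count of 3 is a constructed value, and the function names are the author's own.

```shell
#!/bin/sh
# Added example (not mdm code): how a CIDR pool hands out /MASK blocks from its
# source networks, and why a source range can be added but not shrunk.
set -eu

# Dotted-quad <-> 32-bit integer, without external tools.
ip2int() {
  a=${1%%.*}; r=${1#*.}; b=${r%%.*}; r=${r#*.}; c=${r%%.*}; d=${r#*.}
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Number of /MASK blocks contained in one source network (0 if it is smaller than a block).
blocks_in() { # net/prefix mask
  prefix=${1#*/}
  [ "$prefix" -le "$2" ] && echo $(( 1 << ($2 - prefix) )) || echo 0
}

# Total number of blocks the pool can ever hand out (Use count + Available count).
pool_capacity() { # mask net...
  mask=$1; shift; total=0
  for net in "$@"; do total=$(( total + $(blocks_in "$net" "$mask") )); done
  echo "$total"
}

# The block with index N (0 = first): what the pool assigns when the Use count is N.
# Blocks are taken from the source networks in the order they are listed.
pool_nth() { # mask n net...
  mask=$1; n=$2; shift 2
  for net in "$@"; do
    count=$(blocks_in "$net" "$mask")
    if [ "$n" -lt "$count" ]; then
      base=$(ip2int "${net%/*}")
      echo "$(int2ip $(( base + (n << (32 - mask)) )))/$mask"
      return 0
    fi
    n=$(( n - count ))
  done
  echo "pool exhausted" >&2
  return 1
}

# The manual's rule: source ranges may only be added, never changed or removed.
# Accept a new definition only if every old range is still present verbatim.
pool_can_replace() { # "old ranges" "new ranges"
  for old in $1; do
    found=0
    for new in $2; do [ "$old" = "$new" ] && found=1; done
    [ "$found" = 1 ] || return 1
  done
  return 0
}

POOL_MASK=24
POOL_NETS="10.12.0.0/16 192.168.128.0/19"   # the pool of Figure 34
USED=3                                       # constructed Use count
echo "capacity:  $(pool_capacity $POOL_MASK $POOL_NETS)"
echo "available: $(( $(pool_capacity $POOL_MASK $POOL_NETS) - USED ))"
echo "next block: $(pool_nth $POOL_MASK $USED $POOL_NETS)"
```

With the Figure 34 pool the capacity is 256 + 32 = 288 blocks of /24; block 256 is the first one taken from 192.168.128.0/19, and shrinking 10.12.0.0/16 to 10.12.0.0/19 is rejected by pool_can_replace because the old range is no longer listed.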
The mdm client is made available to other hosts through the web server. Such hosts need to have a Java runtime environment installed. To run the client, download the ZIP file from the web server, unpack it and start the mdm-client-1.6.x.jar file.

4. Provide a license file for the mdm server (Setup dialog: mGuard Device Manager requires a valid license file. Please select now the license file that you received from your system partner. License file: ...).

5. The installer program creates a self-signed X.509 certificate and matching private key to be used by the https web server. Enter the attributes to be used for the certificate (Setup dialog "Apache Web Server Certificate and Private Key": The Apache Web Server requires an X.509 certificate and corresponding private key). A self-signed certificate is only as trustworthy as its out-of-band distribution: either import it into the trust store of the hosts that download the client from this server, or replace it with a certificate issued by a CA those hosts already trust.

6. Access to the directories served by the web server can optionally be protected with a user name and password. Choose whether you want this protection and, if so, enter a user name and password.

7. The following applies only if the mdm CA is installed. The installer program creates a CA certificate and matching private key. Enter the attributes to be used for the certificate.
3.11.4 User authentication ... 75
3.12 Managing firmware upgrades with mdm ... 75
3.13 Hardware flavors
4 Template, device, pool and VPN group configuration ... 78
4.1 General remarks ... 78
4.2 The Template Properties Dialog ... 85
4.2.1 Template configuration ... 87
4.3 The Device Properties Dialog ... 88
4.4 The Pool Properties Dialog ... 91
4.5 VPN configuration ... 93
4.6 Managing X.509 certificates ... 95
4.6.1 Machine certificates ... 95
4.6.2 CA certificates (mGuard firmware 5.0 or newer) ... 97
4.6.3 Remote certificates (mGuard firmware 5.0 or newer) ... 97
4.6.4 Connection certificates ... 98
4.7 Using X.509 certificates (mGuard firmware 5.0 or newer) ... 98
4.8 The VPN G
- No override
- May append (tables only)
- No value defined (None), i.e. the value has to be set in the Device Properties Dialog or in one of the intermediate templates

Working with templates

The following figures illustrate the inheritance mechanism. Figure 38 shows the settings for the DHCP server options in the parent template.

(Figure 38: Settings in the parent template. Dialog "Edit Template Production Tokyo", node Network > DHCP > Internal DHCP > Server options: Enable dynamic IP address pool; DHCP lease time: Inherited (14400), No override; DHCP range start: Local; DHCP range end: Local; Local netmask: Inherited (255.255.255.0); Broadcast address: Inherited (192.168.1.255), No override; Default gateway: 192.168.1.1, May override; DNS server: 192.168.1.1; WINS server: None, May override; Static mapping: May append.)

Figure 39 shows the settings in the device configuration (child). They are the
(Figure 32: The mdm Device Properties Dialog. Dialog "Edit Device Gateway Berlin", node General settings: Management ID: Gateway Berlin; Firmware Version: mGuard 6.0 (6.0.2, default); Template: Gateway; Accessible via: 10.226.26.150; Pull filename: 00000004.atv; Serial Number: 15X22024; Flash ID: 00040005413fdf2b; Comment; Additional ATV include.)

Similar to the Template Properties Dialog (see Chapter 4.2), the Device Properties Dialog contains a navigation tree on the left side that resembles the menu structure of the mGuard Web GUI. The navigation tree allows you to conveniently navigate to each mGuard variable.

General settings

The Device Properties Dialog contains the entry General settings for the configuration of additional parameters related to mdm. The following parameters can be set in the General settings:

Management ID: This ID is used to identify the device within mdm. The Management ID must be unique.

Firmware Version: Since different releases of the mGuard software have different sets of variables, the firmware version corresponding to the installed firmware on the mGuard has to be selected here. Note: It is not possible to downgrade to an older release, so please be very careful when changing the firmware version. See Chapter 5.2.2 for more details. For more information on how to manage firmware upgrades of your devices with mdm, please refer to Chapter 3.12.

Firmware Versi
- ca-keystore.jks: This is the keystore for your CA, containing the certificate chain and the private CA key. Please copy the keystore to its final destination. The filename including the absolute or relative path of this keystore has to be configured in the ca-preferences.xml file in the node certificateFactory/keyStore. The password to access the keystore (in the example caPW) has to be configured in the ca-preferences.xml file in the node certificateFactory/keyStorePassword. The format of this keystore (JKS) has to be configured in the ca-preferences.xml file in the node certificateFactory/keyStoreType. The password to access the private key (in the example caPW) has to be configured in the ca-preferences.xml file in the node certificateFactory/keyPassword. The alias of the key (ca) has to be configured in the ca-preferences.xml file in the node certificateFactory/keyAlias.

The file caCertWithChain.pem is not needed any more and should be deleted.

7.2.3 Requirements for certificates

For proper function of the VPN certificates, also with future versions of the mGuard firmware and the mdm, the certificates have to satisfy the following requirements:

- The private key should have a length of at least 1024 bits. Innominate recommends a key length of 2048 bits for long-term security. (1024-bit RSA has been disallowed by NIST since the end of 2013 and is rejected or warned about by current verifiers; treat 2048 bits as the minimum.)
- Any certificate must conform to RFC 3280 (obsoleted by RFC 5280, which is what current verifiers implement; a certificate valid under RFC 5280 satisfies this requirement).
- Any CA certificate mus
(Figure 11: The mdm main window with template table. Client window "mGuard device manager Client (admin)" with the menus File, Edit, New, Upload, Extras, Options, Help and the tabs Devices, Templates, Pools, VPN Groups. Template table columns: Name, Templates, Version, Comment, Use count; entries such as Gateway (mGuard 6.1), Production (mGuard 6.1), Production Berlin (mGuard 7.6), Production London (mGuard 7.1), Production New York (mGuard 6.1), Production Paris (mGuard 7.4), Production San Francisco (mGuard 7.6), Production Tokyo (mGuard 7.1), Production Vienna (mGuard 7.4). Logged Events: 2013-09-05 14:26:25 mdm version mdm 1.5.0 (build 6821ea6); mdm client initialized; 14:26:29 admin: Connected to mdm server localhost/127.0.0.1:7001 (mdm 1.5.0, build 6821ea6) as admin from 127.0.0.1.)

Template table

The template overview table contains the following columns. Note: The column width can be changed by placing the cursor on the header of the table at the border of two columns and dragging the border to the desired location. The order of the columns can be changed by dragging the column header to a different location.

Status: The status icon shows whether the template is currently locked.

Name: The name assigned to the template. The name can be set in the General Settings of the T
(Figure 36: Automatic configuration of VPN peer. Dialog "Configuration of peer device": Peer device: Gateway Paris; Enabled: Yes; Gateway address of peer: Inherited (Any gateway); Connection startup: Inherited (Wait).)

In many typical usage scenarios the local and the remote machine certificate are known to mdm, e.g. when the VPN configuration for the peer device is generated by mdm. mdm can make use of this information to set the Local VPN Identifier and the Remote VPN Identifier variables automatically, i.e. derive the identifiers from the known certificates. It is necessary to set these variables when CA certificates are used to authenticate VPN connections. To make use of this feature, open the node IPsec VPN > Connections > <Connection Name> > Authentication > VPN Identifiers and set the variable "Set VPN Identifiers automatically" to yes. In this mode the Local VPN Identifier and the Remote VPN Identifier variables are ignored; the identifiers are derived from the certificates.

Hints for VPN configurations

Copying firewall rules

The firewall tables within VPN connections contain a "Copy from Main" button. Clicking this button copies the content of the corresponding firewall table for non-VPN traffic, i.e.
C = DE
O = Innominate Security Technologies AG
OU = Research & Development
CN = Test Root CA

Please note also the root_ext section of the configuration file, which is important for the proper generation of the root certificate (please refer to the section "Certificate extensions" for an explanation):

[ root_ext ]
keyUsage = cRLSign, keyCertSign
basicConstraints = critical, CA:true, pathlen:1

Generate the private key

The CA root key (CArootKey) has to be created first using the following command:

openssl genrsa -des3 -passout pass:rootPW -out rootKey.pem 2048

Explanation of the arguments:

genrsa: instructs OpenSSL to generate an RSA key.
-des3: Use 3DES to encrypt the key. (3DES is a legacy choice; current OpenSSL versions accept -aes256 in its place.)
-passout pass:<password>: The password used to encrypt the private key, in the example rootPW. rootPW is just an example and should be replaced by a secure password.
-out <filename>: Name of the file containing CArootKey, in the example rootKey.pem.
2048: The length of the key in bits.

The command above generates one output file:

- rootKey.pem: This file contains CArootKey in PEM format. The key is encrypted with the 3DES algorithm. To access the key you have to know the passphrase specified above (in the example rootPW). Please use your own secure password to encrypt the private key.

Generate the root certificate

The OpenSSL command used to generate the root certificate (CArootCert) is:

openssl req -batch -new -config rootCert.conf -x509 -key root
MM is the month of the year (between 01 and 12) and DD is the day of the month (between 01 and 31), optionally followed by an ISO time hh:mm:ss, where hh is the hour according to the 24-hour timekeeping system, mm is the minute and ss is the second. For example, a quarter past 4 p.m. and 20 seconds on December 22nd, 2010 would be written as 2010-12-22 16:15:20. Alternatively, click on the calendar icon to select the date from a calendar.

Last Entries: Loads the latest, i.e. newest, entries. The number of entries must be specified.

Configuration history table

The configuration history table contains the following columns. Note: The column width can be changed by placing the cursor on the header of the table at the border of two columns and dragging the border to the desired location. The order of the columns can be changed by dragging the column header to a different location.

Selection (A, B): The checkboxes in the A and B columns are used to activate either one or two history entries. The activated history entries are used when an action is performed; please refer to the sections below for more details.
- Check the checkboxes A and B in the same row to activate the corresponding history entry.
- Check the checkboxes A and B in different rows to activate two history entries. When two different history entries are activated, the entry checked in the A column is always older than the entry checked in the B column.
Whenever a checkbox
  Scripts to generate the mdm server certificates.
- gen_ssl_postgres.bat / gen_ssl_postgres.sh: Scripts to generate the certificates for the PostgreSQL database.

Adapting the scripts

The scripts have to be adapted to your environment.

Default passwords: The passwords in the scripts set_env.bat / set_env.sh have to be changed:
PASSWORD_ROOT=geheimRoot
PASSWORD_CA=geheimCa
PASSWORD_SSL=geheimSSL
Please use your own secure passwords. These defaults are shipped in the scripts and are therefore known to anyone who has the installation archive; a CA or server key still protected by one of them must be regarded as unprotected.

Location of OpenSSL: If you are using Windows, you might have to adapt the installation path for openssl.exe in the file set_env.bat to your environment.

OpenSSL configuration files: For further information on certificate extensions and on the Subject Distinguished Name, please refer to Chapter 7.2. In all three configuration files (caCert.conf, rootCert.conf, templateCert.conf) the section which determines the Subject Distinguished Name has to be adapted to your environment:
C = DE
O = Innominate Security Technologies AG
OU = Research & Development
CN = Test Root CA
Furthermore, in the extension section of the files caCert.conf and templateCert.conf the entries crlDistributionPoints and authorityInfoAccess have to be adapted to your environment:
crlDistributionPoints = URI:http://ca.example/ca/crl
authorityInfoAccess = OCSP;URI:http://ca.example/ocsp/ca

Running the scripts

The gen_all scripts require as argument the
Name: The name assigned to the pool.
Comment: Optional comment.
Reference count: This column shows how many variables reference this pool (see Chapter 4.4).
Use count: This column shows how many values have been used from the pool (see Chapter 4.4).
Available count: This number shows how many values are still available in the pool (see Chapter 4.4).

Filtering and sorting the table

The header of the table can be used to sort the table entries. A click on the header of a column activates the primary sort based on this column. This is indicated by the arrow in the column header. A second click on the same header reverses the sort order. Clicking on another column header activates the sort based on this new column; the previously activated column is used as secondary sorting criterion.

The first row of the table accepts the input of regular expressions (please refer to Chapter 8, Regular expressions), which can be used to efficiently filter the table entries. Filtering based on regular expressions is not used for the column that does not contain text, i.e. the status column S. The filter criterion for the three count columns is not interpreted as a regular expression but as a comma-separated list of numbers or number ranges, e.g. 0,2-3. The filter history is saved for the current user and can be accessed using the drop-down functionality of the

Creating pools
Editing pools
Deleting pools
- If a permission is changed from "May override" to "No override", the value of the variable is discarded in all inheriting templates and devices.
- Templates that are still assigned to devices or other templates cannot be deleted.

This chapter gives more detailed information on the template mechanism.

5.1 Inheritance

Templates are the means to efficiently configure a large number of devices. Templates contain the common aspects of a group of devices or a group of child templates. By assigning a template to a child (this may be a device or another template), the child inherits the parent template's settings and may optionally override some of the settings if the permission in the parent template allows this. Any change made to the parent template will potentially have an impact on all inheriting templates and devices, depending on the setting of the value and permission in the parent template. The permission setting in a template limits the choices in inheriting templates and devices.

Whether or not a child inherits settings from an ancestor template is indicated by an icon in front of the variable name in the Properties Dialog. If no icon is shown, then either there is no template assigned or the variable has the value Inherited in all ancestor templates, i.e. no restrictions are defined for this variable. According to the permissions listed in Chapter 4.2.1, the following icons are shown in front of the variable name:
- May override
  -out templateCert.pem -outdir .

Explanation of the arguments:

ca: The ca command is a minimal CA application. It can be used to sign certificate requests and generate CRLs.
-batch: Non-interactive mode.
-config <filename>: The name and the location of the OpenSSL configuration file, in the example templateCert.conf.
-days 1826: The period (in days) for which the certificate will be valid.
-in <filename>: The name of the file containing the certificate request, in the example templateCertReq.pem.
-cert <filename>: The name of the file containing the certificate of the issuing CA, in the example caCert.pem (the CA certificate issued by the root CA, not the root certificate itself).
-keyfile <filename>: The name of the file containing the key used to sign the certificate request, in the example caKey.pem.
-passin pass:<password>: Password required to decrypt the private key, in the example caPW.
-md sha256: Use the SHA-256 algorithm to create the message digest for the signature (recommended).
-notext: openssl has an option to include human-readable explanatory text in the certificate file. This would create problems later in the process when creating the keystores; therefore do not include any text in the certificate.
-outdir <directoryName>: The output directory, in the example the current working directory.

The command above generates one output file:

- templateCert.pem: This file contains the template certificate (CAtemplateCert). The file should be copied to its final destination, the location
  table (e.g. mGuard 6.1). The Template Name must either be the name of an existing template, which is then assigned to the new device, or empty, in which case no template is assigned. Scalar variables, i.e. variables that store a single value and are not contained in a table, can be set with an assignment of the form <VARIABLE_NAME>=<VALUE>.

Example record:
My Device mGuard 6.1 192.168.2.3 17X46201 ROUTERMODE=router MY_LOCAL_IP=192.168.2.3

Please note that the record must be contained in a single line. If a record is not valid, it is skipped and an error message is logged.

Import X.509 Certificates: Imports certificates created during the manual certificate enrollment process. Please refer to Chapter 4.6.1 for more detailed information.

3.8.2 Upload

For an overview of the configuration upload process and the different upload methods, please refer to Chapter 3.9.
Selected: Uploads configurations to the devices currently selected in the device table.
Changed: Uploads configurations to the devices with a configuration status of "out of date".
All: Uploads configurations to all devices.

Licenses, Users, Options

Licenses: Please refer to Chapter 3.10 for information on how to manage licenses and vouchers.
Change Own Password: Opens a dialog that enables the current user to change the password.
Manage Users And Roles: Please refer to Chapter 3.11 for details on how to manage
  to every other member device. A device can be a member of multiple VPN groups. If this results in multiple VPN connections between the same two devices, mdm generates only one such connection. VPN groups are not available for firmware versions earlier than 6.0.

The VPN Group Properties Dialog allows you to configure common variables used in all VPN connections within the group. For information on how to create, delete or edit VPN groups and how to add or remove member devices, please refer to Chapter 3.6.

(Figure 37: The mdm VPN Group Properties Dialog. Dialog "Edit VPN Group Europe Mesh"; tree: General settings, mGuard configuration > General, Authentication, IKE Options. Name: Europe Mesh; Firmware Version: mGuard 6.0; Member devices: Production 5397, Production 5398, Production 5399; Comment.)

Similar to the Device and Template Properties Dialogs, the VPN Group Properties Dialog contains a navigation tree on the left side. It allows you to conveniently navigate to each variable.

VPN group General settings

The VPN Group Properties Dialog contains the entry General settings for the configuration of additional parameters related to mdm. The following parameters can be set in the General settings:

Name: The name is used to identify the VPN group within mdm. It must be unique.

Firmware
(Figure: the mdm main window with device table. Columns include status, Management ID, template, firmware version, accessible-via address, pull filename and serial number; rows such as Production 4075 (Production London Prod, mGuard 7.1.1, default, 10.148.206.215, 00000007.atv, London UK default), Production 4076 (10.148.206.164, 00000015.atv) and Production 4077 (10.148.206.112, 00000016.atv), several Production New York devices (mGuard 6.1.5, 10.154.162.111, 10.154.162.70, 10.154.162.217), Production Vienna devices (mGuard 7.4.1, 10.134.195.76, 10.134.195.217) and serial numbers such as 17X08387, 16X07061, 16X16362, 15X13293, 16X23173, 16X25326, 17X02233, 16X16319, 15X22142. Logged Events, 2013-08-20 13:14:30, admin: mdm version mdm 1.5.1 (build bb354ff); mdm client initialized; mdm server 1.5.1 (build bb354ff) on dirac/127.0.1.1 alive and kicking; Connected to mdm server localhost/127.0.0.1:7001 (mdm 1.5.1, build bb354ff) as admin from 127.0.0.1:52626, session 0; The mdm instance ... Licensee: Innominate Security Technologies AG, Internal Development, Expires: 2013-10-01.)
For detailed information on the template and inheritance concept, please refer to Chapter 5. The VPN group configuration is described in Chapter 4.8.

On the left side of the dialog you can find the navigation tree, which resembles the menu structure of the mGuard Web GUI. Compared to the mGuard GUI, the navigation tree contains an additional entry General Settings, which contains template and device parameters only used in mdm. For more information on the General Settings, please refer to the following chapters.

The navigation tree also has a context menu, which can be opened by clicking on the tree with the right mouse button. The context menu contains various entries to fold and unfold parts of the tree. Furthermore, the context menu shows the key shortcuts to access the menu entries.

The navigation tree allows you to navigate conveniently to the mGuard variables. If you click on a leaf of the tree, the corresponding mGuard variables and the associated settings are shown in the right area of the Properties Dialog. Depending on the variable, different value types can be selected (shown exemplarily for the Device Properties Dialog).

(Figure 18: Value types of an mGuard variable with a fixed value set. Hostname mode: Inherited / User defined (from field below). Hostname: Inherited (mguard) / prod2975. Incoming rules: Add rule.)
- Move range up (Alt+Up)
- Move range down (Alt+Down)
- Select All (Ctrl+A)
Figure 28: Context menu

Modifying complex table variables

For the definition of a complex table variable, please refer to the section "mGuard configuration" above. Basically the previous section also applies to complex table variables. However, there are some differences that the user should be aware of. The following figure shows an example of a complex table variable (VPN connections).

(Figure: Dialog "Edit Device Gateway London", node IPsec VPN > Connections. The connection table contains all VPN connections that have been set up for this device. To create a new connection, please add an entry to the connection table. To edit an existing connection, please open the respective sub-node under Connections in the menu on the left. Please note that the VPN configuration of the remote device (if the remote device is an mGuard) can be generated automatically. Automatically generated connections show up as read-only in the connection table and cannot be deleted. You can activate or deactivate each individual connection. To enable or disable VPN connections from remote, connect to the mGuard using the f...)

Applying changes to the configuration
  CA. The root CA will in return issue the CA certificate. First, the configuration file has to be adapted to your needs as described in the previous section.

Adapt the OpenSSL configuration file and the environment

Please copy the file caCert.conf contained in the installation archive mdm-ca-1.6.x.zip to your working directory. Adapt the ca_dn section of the file, which contains the Subject Distinguished Name of the CA certificate to be issued (not of the root CA):

[ ca_dn ]
C = DE
O = Innominate Security Technologies AG
OU = Research & Development
CN = Test CA

Please adapt also the entries crlDistributionPoints and authorityInfoAccess of the ca_ext section of the configuration file (please refer to the section "Certificate extensions" for an explanation):

[ ca_ext ]
crlDistributionPoints = URI:http://ca.example.com/ca/ca.crl
authorityInfoAccess = OCSP;URI:http://ca.example.com/ocsp/ca

The configuration file contains some parameters which cannot be entered on the command line. The entries specify files that have to be present in the file system. Therefore the files have to be created manually first; the filenames are also used in the configuration file caCert.conf, therefore please use exactly the file names as stated below.

- Create a subdirectory archive in your working directory (Linux: mkdir archive).
- Create a file named serial containing a valid serial number for the certificate in the subdirectory archive (Linux: echo 1234 > archive/serial).
- Create an empty file to
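The root key and root certificate, the CA certificate issued by the root, the template certificate signed with openssl ca, and the archive directory, serial file and empty database file that openssl ca expects (all described in Chapter 7 above) are collected here into one script that builds the whole hierarchy in a scratch directory and verifies the result. It is an added example, not the package's gen_all scripts or its rootCert.conf, caCert.conf and templateCert.conf: the single configuration file it writes is a minimal stand-in for those three files, the passwords rootPW, caPW and templatePW and the ca.example.com URIs are placeholders to be replaced, the key-encryption cipher is AES-256 instead of the manual's 3DES, the CA certificate carries pathlen:0 and the template certificate carries digitalSignature/keyEncipherment (both the author's choices, not stated in the manual), and the function names are the author's own. The PKCS#12 file written at the end is the input that a keytool -importkeystore call (not run here) converts into the ca-keystore.jks of Chapter 7.2.

```shell
#!/bin/sh
# Added example, not part of the mdm package: root CA -> CA -> template certificate
# with OpenSSL only. Config below is a stand-in for rootCert.conf/caCert.conf/
# templateCert.conf; passwords, DNs and URIs are placeholders.
set -eu

ROOT_PW="${ROOT_PW:-rootPW}"; CA_PW="${CA_PW:-caPW}"; TPL_PW="${TPL_PW:-templatePW}"
DN_BASE="/C=DE/O=Innominate Security Technologies AG/OU=Research & Development"

# One config serving both 'req' and 'ca'. root_ext follows the manual (pathlen:1);
# ca_ext adds pathlen:0 and the CRL/OCSP pointers; template_ext is an end-entity profile.
write_config() {
  cat > ca.conf <<'EOF'
[ ca ]
default_ca = mdm_ca
[ mdm_ca ]
dir = ./archive
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
default_md = sha256
unique_subject = no
policy = policy_any
[ policy_any ]
countryName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ req ]
prompt = no
string_mask = utf8only
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
[ root_ext ]
subjectKeyIdentifier = hash
keyUsage = cRLSign, keyCertSign
basicConstraints = critical, CA:true, pathlen:1
[ ca_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = cRLSign, keyCertSign
basicConstraints = critical, CA:true, pathlen:0
crlDistributionPoints = URI:http://ca.example.com/ca/ca.crl
authorityInfoAccess = OCSP;URI:http://ca.example.com/ocsp/ca
[ template_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = critical, digitalSignature, keyEncipherment
basicConstraints = CA:FALSE
crlDistributionPoints = URI:http://ca.example.com/ca/ca.crl
authorityInfoAccess = OCSP;URI:http://ca.example.com/ocsp/ca
EOF
}

# Encrypted 2048-bit RSA key (AES-256 here instead of the manual's -des3).
gen_key() { openssl genrsa -aes256 -passout "pass:$2" -out "$1" 2048; }

# Mirrors the manual's 'openssl ca' call: request, issuer cert/key/password, ext section, days, out.
sign_req() {
  openssl ca -batch -config ca.conf -extensions "$5" -days "$6" -in "$1" \
    -cert "$2" -keyfile "$3" -passin "pass:$4" -md sha256 -notext -out "$7" -outdir archive
}

build_chain() { # $1 = working directory
  ( cd "$1"
    write_config
    mkdir -p archive
    echo 1234 > archive/serial          # serial number file required by 'openssl ca'
    : > archive/index.txt               # empty certificate database
    gen_key rootKey.pem "$ROOT_PW"      # 1. self-signed root, pathlen 1
    openssl req -batch -new -x509 -config ca.conf -extensions root_ext -days 7305 \
      -key rootKey.pem -passin "pass:$ROOT_PW" -subj "$DN_BASE/CN=Test Root CA" -sha256 -out rootCert.pem
    gen_key caKey.pem "$CA_PW"          # 2. CA request, issued by the root
    openssl req -batch -new -config ca.conf -key caKey.pem -passin "pass:$CA_PW" \
      -subj "$DN_BASE/CN=Test CA" -out caCertReq.pem
    sign_req caCertReq.pem rootCert.pem rootKey.pem "$ROOT_PW" ca_ext 5479 caCert.pem
    gen_key templateKey.pem "$TPL_PW"   # 3. template request, issued by the CA (1826 days)
    openssl req -batch -new -config ca.conf -key templateKey.pem -passin "pass:$TPL_PW" \
      -subj "$DN_BASE/CN=Test Template" -out templateCertReq.pem
    sign_req templateCertReq.pem caCert.pem caKey.pem "$CA_PW" template_ext 1826 templateCert.pem
    # Hand-off for ca-keystore.jks: CA key + chain under alias 'ca' (convert with keytool -importkeystore).
    openssl pkcs12 -export -name ca -inkey caKey.pem -passin "pass:$CA_PW" -in caCert.pem \
      -certfile rootCert.pem -passout "pass:$CA_PW" -out ca-keystore.p12
  )
}

# 0 when the template certificate chains through the CA to the root.
verify_chain() { openssl verify -CAfile "$1/rootCert.pem" -untrusted "$1/caCert.pem" "$1/templateCert.pem" >/dev/null 2>&1; }
# 0 when the root carries the pathlen:1 constraint the manual requires.
root_has_pathlen1() { openssl x509 -in "$1/rootCert.pem" -noout -text | grep -q 'pathlen:1'; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"
if command -v openssl >/dev/null 2>&1; then
  build_chain "$WORKDIR"
  if verify_chain "$WORKDIR" && root_has_pathlen1 "$WORKDIR"; then echo "chain OK in $WORKDIR"
  else echo "chain verification failed in $WORKDIR" >&2; exit 1; fi
else
  echo "openssl not found, nothing generated" >&2
fi
```

The verify step is the check worth keeping in your own scripts: it fails if the CA certificate lacks keyCertSign, if the root's pathlen would not allow the CA, or if the template's authorityKeyIdentifier does not match the CA's subjectKeyIdentifier, all of which the manual's requirements in Chapter 7.2.3 are meant to prevent.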
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<Service name>, e.g. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mdm Server 1.6

Create a new key called Parameters. Beneath Parameters, create the following three REG_SZ entries: Application, AppDirectory, AppParameters. Assign the following values to the entries:

Application: <Full path to java.exe>, e.g. C:\Program Files\Java\jre7\bin\java.exe
AppDirectory: <Path in which mdm-server-1.6.x.jar is located>, e.g. C:\Program Files\Innominate\mdm Server
AppParameters: <application arguments>, e.g. -Xmx1024m -jar "C:\Program Files\Innominate\mdm Server\mdm-server-1.6.x.jar" start -c <path to the mdm preferences.xml file>

To start the service from the command line, execute net start <Service name>, e.g. net start "mdm Server 1.6".

The service appears to be running as soon as the wrapper service srvany has been started successfully. It is therefore possible that the mdm server has not been started even though the service is reported as running; check the mdm server log or the listening port (e.g. with netstat -an) rather than relying on the service status alone. Note also that a service created with instsrv runs as LocalSystem unless its account is changed; run the mdm server under a dedicated, unprivileged service account.

To stop the service from the command line, execute net stop <Service name>, e.g. net stop "mdm Server 1.6".

To remove the service, execute instsrv <Service name> remove, e.g. instsrv "mdm Server 1.6" remove.

If you would like to run the server as an application but start it automatically with the login, add the following REG_SZ value to the HKEY_LOCA
New York, Paris etc.) are available to be used for the variable "IP of external interface". Only pools that match the variable type (e.g. a CIDR pool for a variable of type IP address) are shown in the drop-down box. If a pool is used in a template, no value is assigned to the respective variable; the pool is only referenced at this point. Therefore the Reference count in the pool table is increased by one. If a value is assigned to a variable, which happens on device level, not on template level, the Use count is increased by one. This assignment happens automatically, either when the Device Properties Dialog for the respective device is opened or when the configuration for the device is uploaded to the mGuard.

(Figure 35: Dialog "Edit Template Production London", node Network > Interfaces > External networks. IP of external interface: Inherited (10.0.0.152), with a drop-down box offering the pools New York, Paris, San Francisco ...; Netmask of external network; Obtain external configuration via DHCP: No, May override; Stealth configuration: Local, May override; Static Stealth configuration: None; Use VLAN; VLAN ID: Inherited (1).)
Users > Manage Users and Roles menu entry.

[Figure 17: The Users and Roles Dialog. Screenshot showing the Users Panel (users admin, audit and root), the Roles Panel (roles admin and audit) and the Permissions Panel (Read Devices, Write Devices, Read Configuration History, Read Event Log, Read Pools, Write Pools, Read Templates, Write Templates, ...).]

The dialog consists of three panels: the Users Panel, the Roles Panel and the Permissions Panel. The Users Panel does not appear if RADIUS authentication is used; please refer to Chapter 3.11.4 for more details. The buttons to modify users or roles do not appear if the user who opened the Users and Roles Dialog does not have the permission to modify users and roles.

Managing users: Users are managed in the Users Panel of the Users and Roles Dialog. They can be added with the Add button, deleted with the Delete button and edited with the Edit button or by double-clicking on the user in the table. The following data must be specified when adding or editing a user:

- The username which the user uses to log into the mdm client. Usernames mu
VPN group table when the dialog was opened. Likewise, click on the Detach Selected Devices button to revoke the membership of the selected devices in the selected VPN groups. A device can only be a member of a VPN group if the device's firmware version is equal to or newer than the firmware version of the VPN group. Any attempt to add a device to a VPN group of which it is already a member, or to remove a device from a VPN group of which it is not a member, is ignored. Devices are added to or removed from VPN groups in the background; the dialog can be closed while the operation is still being performed.

3.7 Log window

The log window shows various events, including the following:

- Upload results
- Creation, deletion or modification of a device, template, pool, VPN group, user or role
- Connect or disconnect of the client

For each event the severity, the date and time, the username and a message are logged. If an event is not the result of a user action, [...] is logged instead of the username. Double-clicking on a log entry opens a window with detailed information.

Sorting the table: The header of the table can be used to sort the table entries. A click on the header of a column activates the primary sort based on this column; this is indicated by the arrow in the column header. A second click on the same header reverses the sort order. Clicking on another column header activates the sort based on thi
be used as the OpenSSL database. Linux: touch archive/index.txt; Windows: copy NUL archive\index.txt

Generate a private key

The private key CAkey has to be created first using the following command:

openssl genrsa -des3 -passout pass:caPW -out caKey.pem 2048

Explanation of the arguments:

- genrsa: instructs OpenSSL to generate an RSA key
- -des3: use 3DES to encrypt the key
- -passout pass:<password>: the password used to encrypt the private key, in the example caPW. caPW is just an example and must be replaced by a secure password.
- -out <filename>: name of the file containing the private key, in the example caKey.pem
- 2048: the length of the key in bits

This command creates one output file:

- caKey.pem: contains CAkey in PEM format. The key is encrypted with the 3DES algorithm. To access the key you have to know the passphrase specified above (in the example caPW). Please use your own secure password to encrypt the private key.

Two practical remarks on this command: current OpenSSL releases still accept -des3, but AES (-aes256) is the better choice for a new key; and a passphrase given as pass:<password> on the command line is visible in the process list and in the shell history, so in practice prefer the env:<variable> or file:<path> passphrase sources that OpenSSL offers.

Generate a certificate request

To create a certificate request enter the following command (in a single line):

openssl req -batch -new -config caCert.conf -key caKey.pem -keyform PEM -passin pass:caPW -sha256 -out caCertReq.pem -outform PEM

Explanation of the arguments:

- req: instructs OpenSSL to generate a certificate request (default) or a certificate
- -batch: non-interactive mode
- -new: create a new request
- -config <filename>: the name and th
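The two steps above as one runnable script. This is an added example, not a script from the manual: it creates the archive/index.txt database, the encrypted CAkey and the request caCertReq.pem. The contents of caCert.conf (not shown on this page), the directory name and the use of the CA_PASSWORD environment variable are assumptions. It differs from the manual's commands in two points: the key is encrypted with AES-256 instead of 3DES, and the passphrase is read with env: instead of pass: so that it never appears in the process list or the shell history.

```sh
#!/bin/sh
# Added example (not part of the mGuard manual): CA working directory,
# OpenSSL database, encrypted CA key and certificate request.
# Assumptions: CA_DIR is the working directory, CA_PASSWORD holds the
# passphrase, caCert.conf is the minimal config written below.
set -eu

CA_DIR=${CA_DIR:-./demoCA}
CA_PASSWORD=${CA_PASSWORD:-caPW}   # example value only, use a strong passphrase
export CA_PASSWORD                 # openssl reads it through -passin/-passout env:

write_ca_config() {
    # Assumed caCert.conf: subject for -batch mode plus CA extensions.
    cat > "$CA_DIR/caCert.conf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = ca_ext
[ req_dn ]
C  = DE
O  = Example mdm installation
CN = mdm Root CA
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

init_ca_dir() {
    mkdir -p "$CA_DIR/archive"
    : > "$CA_DIR/archive/index.txt"   # empty OpenSSL database (the manual's touch)
    write_ca_config
}

create_ca_key() {
    # Manual: -des3. AES-256 is the current choice; the file is owner-readable only.
    openssl genrsa -aes256 -passout env:CA_PASSWORD -out "$CA_DIR/caKey.pem" 2048 2>/dev/null
    chmod 600 "$CA_DIR/caKey.pem"
}

create_ca_request() {
    openssl req -batch -new -config "$CA_DIR/caCert.conf" \
        -key "$CA_DIR/caKey.pem" -keyform PEM -passin env:CA_PASSWORD \
        -sha256 -out "$CA_DIR/caCertReq.pem" -outform PEM 2>/dev/null
}

key_is_encrypted() {
    # Both the legacy "Proc-Type: 4,ENCRYPTED" header and the PKCS#8
    # "ENCRYPTED PRIVATE KEY" marker contain this word.
    grep -q ENCRYPTED "$1"
}

verify_ca_key() {
    # Fails unless the passphrase in CA_PASSWORD unlocks the key.
    openssl rsa -check -noout -in "$CA_DIR/caKey.pem" -passin env:CA_PASSWORD >/dev/null 2>&1
}

verify_ca_request() {
    # Checks the self-signature of the request.
    openssl req -noout -verify -in "$CA_DIR/caCertReq.pem" >/dev/null 2>&1
}

if [ "${1:-}" = demo ]; then
    init_ca_dir && create_ca_key && create_ca_request \
        && verify_ca_key && verify_ca_request \
        && echo "CA key and request created in $CA_DIR"
fi
```

Run it as `CA_DIR=/path/to/security CA_PASSWORD='...' sh ca-setup.sh demo` (the file name is arbitrary). The verify functions are the checks worth keeping around: they tell you whether the passphrase you recorded actually opens caKey.pem before you depend on it for signing.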
certificate of the CA; private key of the CA (important: this is not the key used to sign certificate requests); mdm server certificate; private key of the mdm server; DB server certificate; private key of the DB server.

Figure 7: Communication paths between mdm components

2.11.1 Create the private key and the keystore for each component

It is recommended to create a working directory (e.g. named security) in your mdm installation directory where all keys, certificates and keystores are located.

PostgreSQL

The PostgreSQL database does not need a keystore; the key and the certificate are located in the filesystem.

1. First create a self-signed certificate DBcert and an unencrypted private key DBkey for the database server as described in Chapter 7.1. Please do not encrypt DBkey (see Chapter 7.1 for details): the PostgreSQL server reads the key at startup and cannot ask for a passphrase.
2. The database server looks for the certificate and the private key in the PostgreSQL data directory, i.e. the subdirectory of the PostgreSQL directory usually named pgdata; therefore copy the files server.crt (DBcert) and server.key (DBkey) to this directory. PostgreSQL refuses to use a server.key that is group- or world-readable, so give it mode 0600 and make sure it is owned by the PostgreSQL user.
3. Edit the PostgreSQL configuration file postgresql.conf so that it contains the following line: ssl = on
4. Restart the PostgreSQL server.

mdm server / mdm CA

1. First create the private key ISkey as described in Chapter 7.1:

openssl genrsa -des3 -passout pass:yourSSLPW -out mdm-https-client.key
certificates issued by a CA are to be used, but requesting them online from the mdm CA or via SCEP is not an option, mdm supports manual certificate enrollment. Any CA software or service can be used. Follow these steps to enrol certificates manually for a number of devices:

1. Select one or more devices in the device overview table and select Certificate Handling > Issue and Export Certificate Requests from the context menu.
2. A file selection dialog opens. Select a directory and click on the Choose button.
3. mdm generates private keys and certificate requests for the devices. The private keys are invisibly associated with the respective devices. The certificate requests are stored in the selected directory as PEM-encoded files, one request per device.
4. Import the certificate requests into the CA and let the CA issue certificates. Please consult the documentation of your CA software or service for details on how to do this.
5. Select New > Import X.509 Certificates from the main menu.
6. A file selection dialog opens. Select the certificate files issued by the CA.
7. Select from the Import Settings whether to add the certificates or to replace any certificate that may already exist in a device. Click on the Choose button.
8. mdm automatically associates the certificates with the correct devices and stores them in the machine certificate tables.

Only one pending certificate request per device is stored. If the Certificate Ha
connection certificates. The connection certificate can only be imported in a VPN connection. To import the certificate, navigate to IPsec VPN > Connections > <Connection Name> > Authentication. Select Custom as value for Remote X.509 certificate and click on the icon next to the field. Select the file containing the certificate and click on Open; subsequently the content of the file is shown in the certificate field. The validity of the data is checked when the configuration is uploaded to the mGuard.

4.7 Using X.509 certificates (mGuard firmware 5.0 or newer)

The certificates which are managed in the tables discussed in Chapter 4.6 can be used for the configuration of SSH and HTTPS authentication. The usage is explained here using SSH authentication as the example. Please navigate in the Device Properties Dialog to Management > System settings > Shell access > X.509 authentication. To use a certificate (e.g. a CA certificate), select Custom for the CA certificate table and then click on Add certificate. Enter the short name of the certificate as specified in the CA certificate table in Authentication > Certificates > CA Certificates. mdm does not check whether the short name of the certificate exists, so enter it exactly as it appears in the CA certificate table.

4.8 The VPN Group Properties Dialog

Meshed VPN networks: The member devices of a VPN group form a meshed VPN network. For each member device mdm generates a VPN connection, referred to as a VPN group connection,
editing the rows does not change the rows in the template. You may also add new rows to the table.

Please note that it is possible to switch between Custom and the other value types without losing any data. But if you switch from Custom to e.g. Inherited and then apply your settings and leave the dialog, all custom rows you entered will be lost.

- Custom (Locally appendable) (Device Properties Dialog only): Basically the same as Custom, but this option allows the user netadmin on the mGuard to add further rows. The rows defined in mdm cannot be edited or deleted by the user netadmin on the mGuard.

Complex table variables (e.g. VPN connections)

Contrary to normal table variables, adding a row to or deleting a row from a complex table variable additionally adds or deletes a node in the navigation tree. An example of a complex table variable are the VPN connections: a VPN connection is represented by a table row in the overview table and by an additional node in the navigation tree in which the settings for the connection are made. Please note that the table cells of complex tables are not editable, i.e. all settings have to be made in the leaves of the navigation tree node. Complex table variables allow the following choices (for more information on tables please see the Chapter "Modifying mGuard table variables" below):

- Inherited: The behaviour is b
encryption. Configuration profiles exported by the mdm server can optionally be encrypted with a device-specific key. The mdm server downloads the key from the Innominate license server. Only the public encryption key is known to Innominate; the corresponding private decryption key is stored within the mGuard in a special hardware module and cannot be extracted. Profile encryption can only be used with mGuard hardware that supports this feature; firmware version 7.6.0 or newer is required. Since profiles are encrypted with a device-specific key, only the mGuard for which the profile has been encrypted can read it.

Follow these steps to encrypt profiles:

- Obtain a username and password to download profile keys from Innominate support.
- Configure the mdm server to use the username and password (see Chapter 2.6, nodes license.licenseServer.reqUsername and license.licenseServer.reqPassword).
- Select the devices for which to encrypt profiles in the device overview table.
- Select the menu entry Get Profile Key in the context menu to download the keys to the mdm server. The serial numbers and flash IDs of the devices are used to identify them to the license server and must therefore be known to mdm; set them if necessary.
- Select the menu entry Enable/Disable profile encryption in the context menu to enable profile encryption.

Performing an upload: You have the following options to initiate an u
field must exactly match the string shown in the icon in the upper left corner of the mGuard's web interface, e.g. 6.1.0.default. There are two ways to schedule a firmware upgrade:

- Explicitly specify the target firmware. To do so, navigate in the Device Properties Dialog to Management > Firmware upgrade > Schedule firmware upgrade (for 4.2 devices) or to Management > Update > Firmware upgrade > Schedule firmware upgrade (for 5.0 or newer devices). Enter the name of the package in the field Package set name and set Install package set to Yes.
- Perform an automated upgrade. If you wish to use the automatic upgrade, navigate in the Device Properties Dialog to Management > Firmware upgrade > Schedule firmware upgrade (for 4.2 devices) or to Management > Update > Firmware upgrade > Schedule firmware upgrade (for 5.0 or newer devices). Select one of the following options in Automatic upgrade:
  - Install latest patches: upgrades the device to the latest available patch release, e.g. from release 4.2.1 to release 4.2.3.
  - Install latest minor release: upgrades the device to the latest available minor release, e.g. from release 5.0.1 to release 5.1.0.
  - Install next major version: upgrades to the next major release, e.g. from release 4.2.3 to release 5.1.0.

Please make sure that the major upgrade licenses for the devices are present in mdm (see Chapter 3.10) prior to initiating a majo
filter fields.

There are several ways to create new pools:

1. Open the context menu by clicking on the pool table with the right mouse button. To open the Pool Properties Dialog for a new pool, select Add in the context menu.
2. Select the Pool tab and click on the corresponding icon in the menu bar to open the Pool Properties Dialog for a new pool.
3. Select New > Pool in the main menu to open the Pool Properties Dialog for a new pool.

There are several ways to edit a pool:

1. Double-click with the left mouse button on the pool in the table to open the Pool Properties Dialog.
2. Select the pool with the left mouse button and open the context menu by pressing the right mouse button. Then select Edit to open the Pool Properties Dialog.
3. Select the pool to be modified in the pool table. Select Edit > Edit Item in the main menu to open the Pool Properties Dialog.

The Edit entry in the context menu and the Edit button in the toolbar are only enabled if exactly one pool is selected in the pool table.

There are several methods to delete pools:

1. Select the pool(s) and open the context menu by clicking with the right mouse button. To delete the pools, select Delete in the context menu.
2. Select the pools to be deleted in the pool table and click on the x icon in the menu bar.

Please note that pools that are still referenced by variables cannot be deleted.

3.5.1 The pool context menu

Add, Edit, Delete, Select
it is possible to:

- manage multiple machine certificates (prior to release 5.0 only one machine certificate was supported)
- manage CA certificates (prior to release 5.0 CA certificates were not supported)
- manage connection certificates at a central location (prior to 5.0 the connection certificate was part of the VPN connection only; beginning with 5.0 the connection certificates can be managed centrally and then be referenced for SSH or HTTPS authentication)
- manage CRLs (prior to release 5.0 CA CRLs were not supported)

You can export certificates, e.g. if you would like to use the machine certificate as connection certificate for a VPN connection. To export a certificate, navigate to the respective certificate table (see below for more information) and click on the Export button. You can export the certificate to a folder of your choice.

4.6.1 Machine certificates

You can either import a machine certificate (PEM or PKCS#12 file), request a certificate from the mdm CA, request a certificate from any CA supporting the Simple Certificate Enrollment Protocol (SCEP), or manually enrol certificates.

In a template it is not possible to request or import a machine certificate. It is only possible to import the connection certificate of the peer.

The file to be imported can be in PEM format, containing the unencrypted private key and the certificate, or in PKCS#12 format, protected by a password. A PEM file of this kind holds the device's private key in the clear, so keep it readable only to the operator importing it and delete it once the import is done. The file type is automatically d
mdm-client-1.6.x.zip into that directory.

2.4.2 Installation on Linux

Required components: For a full installation of mdm you need the following files and components:

- Java Runtime Environment (JRE) SE 7
- PostgreSQL installation files (postgresql-9.1.9.zip)
- mdm server (mdm-server-1.6.x.zip)
- mdm client (mdm-client-1.6.x.zip)
- License file (mdm_license.dat)
- mdm CA (mdm-ca-1.6.x.zip, optional)
- OpenSSL (optional)

Except for the license file, these components are contained on the mdm CD-ROM.

Database installation: Please install the PostgreSQL database first. Choose the installation method that is suitable for your distribution, e.g. for Debian use aptitude or Synaptic. You will also find installation packages for Fedora and Red Hat on www.postgresql.org.

PostgreSQL initialization: After the installation of PostgreSQL the mdm database has to be created and initialized.

1. If the mdm server and the database will not be installed on the same computer, add the following line to the configuration file pg_hba.conf in the PostgreSQL directory (e.g. for Debian /etc/postgresql/9.0/main):

host your_database_name your_user 0.0.0.0/0 md5

Please make sure that the values your_database_name and your_user are identical to the values specified in the preferences file of the mdm server (see Chapter 2.6). The address 0.0.0.0/0 accepts connections for this user from any host; restrict it to the address of the mdm server (e.g. 192.0.2.10/32), and once the SSL setup of Chapter 2.11 is in place use hostssl instead of host so that only SSL connections match the rule.

2. Restart the PostgreSQL service: /etc/init.d/postgresql restart
3. Enter the follo
3.9 Uploading configurations to the mGuards

Upload methods: mdm offers several methods to upload the configuration files to the mGuards.

SSH push: The mdm server accesses the mGuards using the SSH protocol. Subsequently the configuration file is copied to the device and put into operation. Any failures during the upload process are shown in the log window. To use this method the following requirements have to be met:

- In the General Settings of the Device Properties Dialog an IP address or a hostname has to be set for the field Accessible via.
- The mGuard has to be accessible from the mdm server using the Accessible via address, i.e. a firewall must not block the traffic and a NAT device in the communication path has to be configured appropriately to allow the communication between the mdm server and the mGuard.
- In case the mGuard is accessed on the untrusted interface, SSH remote access from the mdm server has to be enabled on the mGuard. Allow it only for the address of the mdm server rather than for any source.
- The passwords to access the device have to be set correctly. For uploading the device configuration to the mGuard, mdm logs in as user admin. In case of a password change there are two passwords involved: the old password, which is used to access the device, and the new password, which is set after logging in. Therefore mdm automatically keeps track of the active password to be used to access the device and does not use the password configured in the Device P
is the second. For example, a quarter past 4 p.m. and 20 seconds on December 22nd 2010 would be written as 2010-12-22 16:15:20. Alternatively click on the calendar icon to select the date from a calendar.

Last Entries: Loads the latest, i.e. newest, entries. The number of entries must be specified.

3.7.2 Logging events via syslog

The same events logged in the persistent event log (cf. Chapter 3.7.1), or a subset selected by severity, can be sent to a syslog server. Please refer to Chapter 2.6 for more details.

3.8 The mdm main menu and tool bar

3.8.1 The mdm main menu

File
- Connect to Server / Disconnect from Server: Connects to or disconnects from the server.
- Exit: Exits the client.

Edit
- Edit Item: Opens the Properties Dialog of the currently selected item (device, template, pool or VPN group) in the overview table.
- Web Configure: Opens the Web GUI for the selected devices in the device table. Only active if at least one device in the device table is selected. The Accessible via address is required for this option; it can be configured in the General settings of the Device Properties Dialog (see Chapter 4.3).
- Cut: Cuts the marked text in the currently active table filter field to the clipboard.
- Copy: Copies the marked text in the currently active table filter field to the clipboard.
- Paste: Pastes the clipboard contents into the currently active table filter field.
- Select All: Se
of this keystore has to be configured in the ca-preferences.xml file in the node certificateFactory.storage.database.security.trustStore.
  - The format of this keystore (JKS) has to be configured in the ca-preferences.xml file in the node certificateFactory.storage.database.security.trustStoreType.
  - The password to access the keystore (default ENV:PASSWORD_SSL) has to be configured in the ca-preferences.xml file in the node certificateFactory.storage.database.security.trustStorePassword.
- templateCert.pem: This file contains CAtemplCert. The location of this file has to be configured in the ca-preferences.xml file in the node certificateFactory.certTemplate.

Subdirectory mdm_server

- keystore.jks: A keystore containing IScert and ISkey.
  - The location of this keystore has to be configured in the preferences.xml file of the mdm server in the node service.security.keyStore.
  - The format of this keystore (JKS) has to be configured in the preferences.xml file of the mdm server in the node service.security.keyStoreType.
  - The password to access the keystore (default ENV:PASSWORD_SSL) has to be configured in the preferences.xml file of the mdm server in the node service.security.keyStorePassword.
- truststore.jks: A keystore containing DBcert and ICcert.
  - The location of this keystore has to be configured in the preferences.xml file of the mdm serve
or a NAT device.

2.11 Securing the communication between mdm components

Since critical information is exchanged between the mdm components, it is highly recommended to secure the communication paths. This chapter describes the required steps to manually create the keys and certificates required for SSL. If you prefer to use the demoCA scripts instead of manually creating and installing the required components, you can skip this chapter and read Chapter 2.8.3 instead. If you are not familiar with OpenSSL, it is highly recommended to read Chapter 7 first, which introduces some basic concepts and the usage of the OpenSSL command line tool.

Figure 7 shows an overview of the mdm components and their communication paths. Please note that the truststore and the keystore of the CA shown in Figure 7 are used for SSL communication only; the certificates and keys used to issue certificates are stored in a different keystore.

[Figure 7 (diagram): the PostgreSQL DB (SSL server) with DBkey and DBcert in the PostgreSQL data directory; the mdm server (SSL client) with a keystore holding IScert and ISkey and a truststore holding DBcert and ICcert; the mdm CA with a keystore holding ICcert and ICkey and two truststores holding IScert and DBcert respectively. Legend: CA certificate (important: this is not the root
please make sure that the respective environment variables are initialized before starting the server. The entries in the preferences file are:

Key expertMode: If set to true, some unsupported configuration variables which are normally hidden are made available in the Device and Template Properties Dialog (default false). Additionally, the mGuards are configured such that unsupported configuration variables become visible in their web interfaces. Please do not change this value.

Key defaultAdminPassword: The password of the admin user on newly created mGuards (default mGuard). The default value corresponds to the mGuard factory default. If mGuard devices are pre-configured before they are used with mdm, a different default admin password can be set.

Key defaultRootPassword: The password of the root user on newly created mGuards (default root). The default value corresponds to the mGuard factory default. If mGuard devices are pre-configured before they are used with mdm, a different default root password can be set.

Since the last two keys are credentials for the managed devices, the preferences file should be readable only by the account that runs the mdm server.

Node license
Key file: Name and path of the license file.

Node device

Node licenseServer
Key proto: The protocol to be used to access the license server (default http). Please do not change this value.
Key address: The address of the license server (default online.license.innominate.com). Please do not change this value.
Key port: The port to be used to access the licen
[Figure 6: PostgreSQL installation, dialog "Configure the new database" (screenshot; fields Comment, TEMP, CONNECT WITH GRANT OPTION, buttons Help, OK, Cancel).]

Securing the communication with the database: If you install the database and the mdm server or the mdm CA on different computers, it is highly recommended to encrypt the communication between the components. Please refer to Chapter 2.11 on how to set up a secure connection to the database server.

Server installation: Create a directory Innominate in your standard software installation directory (e.g. C:\Program Files\Innominate) and unpack the file mdm-server-1.6.x.zip into that directory. Complete the server installation by configuring the server (Chapter 2.6) and by creating entries in the registry if you would like to start the server automatically (Chapter 2.7). Finally initialize the database. Make sure that the preferences file matches the values you used when installing the database. To initialize the database you have to start the mdm server with the init option:

java -Xmx512m -jar mdm-server-1.6.x.jar init preferences.xml

Remarks:
- You have to add the full path for mdm-server-1.6.x.jar and preferences.xml.
- Make sure that the environment variables containing passwords are initialized (see Chapter 2.6).

Client installation: Create a directory Innominate in your standard software installation directory (e.g. C:\Program Files\Innominate) and unpack the file
should be specified.

Key revocationDirectory: The path within the URL the mdm server uses for certificate revocation requests (default revoke). When using the mdm CA, revoke must be used. Not applicable when SCEP is used.

Key rsaKeySize: The size in bits of the RSA modulus the mdm server uses to generate RSA key pairs (default 2048).

Node SCEP
Key name: The instance name used in SCEP requests (default mdm). Please note that some CAs ignore the instance name but still require a non-empty value.

2.7 Start the mdm server and the mdm client

To configure the mdm server a preferences file is required. A standard preferences file preferences.xml is contained in the mdm-server-1.6.x.zip file. Please unpack the ZIP file to get access to the preferences.xml file.

In general the server is started with the following command (in a single line):

java -Xmx1024m -jar mdm-server-1.6.x.jar start preferences.xml

Remarks:
- You have to add the full path for mdm-server-1.6.x.jar and preferences.xml.
- Make sure that the environment variables containing passwords are initialized (see Chapter 2.6).

Memory allocation: You should also specify the size of the memory allocation pool using the -Xmx and -Xms options.

Initial size of the memory allocation pool: Use the option -Xms to specify the initial size (in bytes) of the memory allocation pool. This value must be a multiple of 1024. Append the letter k o
target directory, e.g. gen-all <my directory incl. full path>. If a target directory is omitted, a subdirectory named security is automatically created in the mdm installation directory. All generated scripts and certificates are created in subdirectories of the target directory. The gen-all script creates all required files in the target directory; the location of the files has to be manually configured in the preferences file of the respective mdm component. The names used for certificates and keys in the following sections refer to the names introduced in Figure 7 and in Chapter 7.2.1.

The preferences files support the construct ENV:MY_PASSWORD for passwords, i.e. the password is read from the environment variable MY_PASSWORD (the name of the environment variable is just an example and can be changed if desired).

Subdirectory mdm_ca

- ca-keystore.jks: A keystore in JKS format containing the certificate chain up to the root certificate (CAcert, CArootCert) and CAkey.
  - The filename of this keystore, including the absolute or relative path, has to be configured in the ca-preferences.xml file in the node certificateFactory.keyStore.
  - The password to access the keystore (default ENV:PASSWORD_CA) has to be configured in the ca-preferences.xml file in the node certificateFactory.keyStorePassword.
  - The format of this keystore (JKS) has to be configured in the ca-preferences.xml file in the node certificateFactory
the Import button is only enabled if Custom or Custom (Locally appendable) is selected as value for the machine certificate table. Select the file containing the machine certificate and click on Open. The machine certificate is subsequently shown in the table if the import was successful; otherwise an error message is displayed.

To delete a machine certificate, navigate to Authentication > Certificates > Machine Certificates, select the certificate in the certificate table and click on the Delete certificate button. Deleting a certificate does not automatically revoke it; a deleted but unrevoked certificate remains valid until it expires.

To revoke a machine certificate, navigate to Authentication > Certificates > Machine Certificates, select the certificate and click on the button Revoke certificate. This button is enabled only if exactly one machine certificate is selected. After revoking a certificate the text REVOKED is automatically shown in the corresponding info field of the table. Any time a certificate is revoked, the mdm CA exports a new file containing all revoked certificates of this issuer. For more information on the export of CRL files please refer to Chapter 2.8.5. SCEP does not support revoking certificates. CRLs are only supported by mGuard firmware 5.0 and newer. Revoking a certificate does not delete the certificate from the table.

Manual certificate enrollment

If
the device table. Select Edit > Edit Item in the main menu to open the VPN Group Properties Dialog.

The Edit entry in the context menu and the Edit button in the toolbar are only enabled if exactly one VPN group is selected in the VPN group table.

There are several methods to delete VPN groups:

1. Select the VPN group(s) in the VPN group table and open the context menu by clicking with the right mouse button. To delete the VPN groups, select Delete in the context menu.
2. Select the VPN groups to be deleted in the table and click on the x icon in the menu bar.

Please note that VPN groups that still have member devices cannot be deleted.

3.6.1 The VPN group context menu

The following entries are available in the context menu of the VPN group overview table:

- Add: Create a new VPN group and open the VPN Group Properties Dialog of the new VPN group.
- Edit: Edit the selected VPN group (only active if exactly one VPN group is selected in the overview table).
- Duplicate: To create a duplicate of a VPN group, open the context menu by clicking with the right mouse button on the VPN group in the VPN group table and select Duplicate. mdm creates a copy of the VPN group and appends the string copy<n> (<n> is a number) to the name of the new VPN group. Please note that the Duplicate menu entry is only enabled if exactly one VPN group is selected in the VPN group table.
the role in the table. Each role has a name which must be unique.

Assigning permissions to roles: If one or more roles in the Roles Panel and one or more permissions in the Permissions Panel are selected, the permissions can be assigned to the roles by clicking the Grant Permission button or removed by clicking the Revoke Permission button. All of the selected permissions are assigned to or removed from all of the selected roles.

Initial roles: Two roles exist in a fresh mdm installation: admin and audit. The admin role has all permissions except modification of users and roles. The audit role has read permissions but no modification permissions.

3.11.3 Permissions

The permissions table in the Permissions Panel of the Users and Roles Dialog lists all available permissions. The permissions grant the following actions:

Permission: Read Devices
Granted actions: View the list of devices, device configurations, device licenses and license vouchers.

Permission: Write Devices
Granted actions: Edit, add, remove or duplicate device configurations; add or remove device licenses; add license vouchers. If the user has the Read Configuration History permission in addition to this permission: reconstruct devices from device configuration history entries.

Permission: Upload Device Configuration
Granted actions: Initiate the upload of configurations to devices or the export of pull configuration files.

Permission: Read Configuration History
Granted actions: View and compare device config
to an icon indicating that a firmware upgrade is ongoing on the device (the icon is only shown when performing a push upload). mdm polls the device periodically to get feedback on the result of the firmware upgrade, which is finally shown in the Version on Device field and in the U column of the device overview table. The Version on Device field should now indicate a firmware mismatch, since the device has been upgraded to 5.1.0 but the mdm configuration for the device is still set to version 4.2. Therefore you should change the firmware version for the device to match the currently installed firmware. This has to be performed after the firmware upgrade on the device has taken place. You can change the firmware version in the field Firmware Version on Device in the Device Properties Dialog or using the context menu of the device overview table. You can now start to configure features introduced with the new firmware version. The firmware upgrade progress and the result are indicated by the icon in the column Version on device in the device overview table; please refer to Chapter 3.3 for more information.

3.13 Hardware flavors

Most mGuard devices support the same configuration variables irrespective of their hardware. However, the mGuard rs2000 (rs2000 3G) supports only a limited set of variables. rs2000 devices can be managed with mdm through its hardware flavor mechanism. A device can be set to one of two hardware fl
...to start the mdm server with the init option. Enter the following command in a single line:

  java -Xmx512m -jar mdm-server-1.6.x.jar init preferences.xml

Remarks:
- You have to add the full path for mdm-server-1.6.x.jar and preferences.xml.
- Make sure that the environment variables containing passwords are initialized with the correct values (see Chapter 2.6).

18 of 130 Installation

Client installation
Unpack the file mdm-client-1.6.x.zip into your home directory.

2.5 Installation of the license
Copy the license file to a folder of your choice and configure the path in the preferences.xml file (see next chapter). If you do not specify a path for the license file in the preferences.xml file, mdm assumes the license file to be in the same directory as the mdm server. Install the license file prior to the start of the server.

2.6 mdm server configuration
In order to operate properly, the server requires an XML preferences file as a configuration file, which can be specified during server start-up (see Chapter 2.7). A default configuration file preferences.xml is contained in the mdm-server-1.6.x.zip file. Please unpack the ZIP file to get access to the preferences.xml file.

There are several passwords to be configured in the preferences.xml file. The respective keys accept the ENV VARNAME pattern as value to take the password from the environment variable with name VARNAME. If you decide to use this pattern
...to the documentation of your CA server for details on how to obtain these certificate(s). For example, if the CA server uses a root certificate scep-ca-cert.pem and an intermediate certificate scep-intermediate-cert.pem:

  java -cp ImportKey -alias scep -storetype JKS -file scep-ca-cert.pem -storepass pass:yourSSLPW -keystore mdm-truststore.jks
  java -cp ImportKey -alias scep1 -storetype JKS -file scep-intermediate-cert.pem -storepass pass:yourSSLPW -keystore mdm-truststore.jks

4. Copy the truststore to its final location and configure the preferences file (preferences.xml) of the mdm server:
- The location of the truststore has to be configured in the preferences.xml file of the mdm server in the node service/security, key trustStore.
42 of 130 Installation
- The format of the truststore (JKS) has to be configured in the preferences.xml file of the mdm server in the node service/security, key trustStoreType.
- The password to access the truststore (in the example yourSSLPW) has to be configured in the preferences.xml file of the mdm server in the node service/security, key trustStorePassword.

mdm CA
The certificates of the database and the mdm server are stored in different truststores.
1. Create the database truststore and add the database certificate (DB) as described in Chapter "Import a certificate" on page 114:

  java -cp ImportKey -alias postgres -storetype JKS -file serverCert.pem -storepass pass:yourSSLPW -keystor
...unchanged (default: nas identifier example).

Nodes 0, 1, ... up to the number of RADIUS servers minus one
Each numbered node identifies a single RADIUS server.
  Key host: The hostname or IP address of the RADIUS server (default: localhost).
  Key port: The port on which the RADIUS server listens for incoming requests (default: 1812).
  Key sharedSecret: The shared secret used to authenticate the RADIUS request. The same shared secret must be configured in the RADIUS server (default: secret).

Node locale
Country and language specific settings. Please leave the defaults, since these settings are not fully supported yet.

Node logging
Node syslog
  Key numReceivers: Set this to the number of syslog receivers to which mdm sends log messages. If set to 0, logging via syslog is disabled.
  Key logLevel: The minimum severity of the messages to log via syslog. Messages with a severity lower than the specified one are suppressed (default: INFO).
24 of 130 Installation
  The following severities can be used: SEVERE (highest severity), WARNING, INFO, CONFIG, FINE, FINER, FINEST (lowest severity).

Nodes 0, 1, ... up to the number of syslog servers minus one
Each numbered node identifies a single syslog server.
  Key host: The hostname or IP address of the syslog server (default: localhost).
  Key port: The port on which the syslog server listens for incoming log messages (default: 574).

Node configuratio
...users and roles.

Default Browser: Please specify a command line to be used to start the browser. The command line should start with the full path and the name of the binary. Append the string "url", which will be replaced with the URL of the mGuard; e.g. on Windows enter: C:\Program Files\Firefox\Firefox.exe url
Default Firmware Version: This is the firmware version that will be used when creating a new device or template.
Filter: The filter in the device, template, pool and VPN group table can be switched on and off using this option.

Tool bar
The tool bar offers shortcuts to some of the functions in the main menu or the context menu:
- No connection to server; if clicked, connect to server.
- Connection established; if clicked, disconnect from server.
- Edit the selected entry (device, template, pool or VPN group).
- Upload the configuration to the selected devices.
- Open the Web GUI of the selected devices in the device table.
- Add an entry (device, template, pool or VPN group) and open its Properties Dialog.
- Delete the currently selected entries.
- Open a dialog to generate / request licenses from the Innominate license server for the selected devices.
- Filter of the current overview table (device, template, pool or VPN group) is active; if clicked, deactivate the filter.
- Filter of the current overview table (device, template, pool or VPN group) is inactive; if clicked, activate the filter.
Figure 40: The configuration history dialog (screenshot listing history entries with date, firmware version and user, and the Compare and Close buttons)

Range selection
Since a device may have a large number of history entries, not all entries are automatically loaded from the mdm server when the dialog is opened. By changing the criteria in the Range Selection field and clicking the Apply button, the history entries matching the specified criteria can be loaded. By default, the latest (i.e. newest) 100 entries are loaded.

All Entries: Loads all history entries associated with the device. If the number of entries is large (i.e. thousands or more), loading all entries may incur a significant delay.
Time Range: Loads all entries which have been created during a time range. The time range must be specified:
- If a lower bound but not an upper bound is specified, all entries newer than the lower bound are loaded.
- If an upper bound but not a lower bound is specified, all entries older than the upper bound are loaded.
- If both a lower and an upper bound are specified, all entries created during the time interval given by the bounds are loaded.
105 of 130 Configuration history
Times are specified as an ISO date (YYYY-MM-DD), where YYYY is the year
Figure 9: The mdm main window (screenshot showing the overview tables and the log window with entries such as "Maximum allowed number of devices: unlimited")

The mdm main window is divided into a tab area for the device, template, pool and VPN group overview tables and a log window. It also contains a tool bar and the main menu. The different sections and their functionality are explained in the following chapters.

3.3 Device overview table
Device table columns
Please select the Device tab to access the device overview table. The device overview table contains the following columns. The column width can be changed by placing the cursor on the header of the table at the border of two columns and dragging the border to the desired location. The order of the columns can be changed by dragging the column header to a different location.

Status (C)
The column labeled with C shows the configuration status of the device, which indicates whether the configuration on the Innominate mGuard differs from the configuration of the device in mdm. The configuration status can take the following values:
- Unknown: mdm is not able to determine whether the configuration of your Innominate mGuard is up to date.
- OK: The configuration in mdm is identical to the current configuration of your mGuard.
- Changed: The configuration in mdm is different
The following entries are available in the context menu of the pool overview table:
- Create a new pool and open the Pool Properties Dialog of the new pool.
- Edit the selected pool (only active if exactly one pool is selected in the overview table).
- Delete the selected pools.
- Select all pools not excluded by the table filter.
58 of 130 mdm client overview

3.6 VPN group overview table
Please select the VPN Groups tab to access the VPN group overview table. A VPN group is used to group devices into a meshed VPN network. For detailed information on VPN groups and their usage, please refer to Chapter 4.8.

Figure 13: The mdm main window with VPN group table (screenshot of the VPN Groups tab with the columns Name, Members, Version, Comment, Member Count and Id, and the Logged Events log window showing entries such as "Updated VPN group North America Mesh" and "Added devices ... to VPN group Europe Mesh")

VPN group table
The VPN group overview table contains t
If this is selected, the mGuard will generate SSH and HTTPS keys on the next configuration upload or pull. It is recommended to generate new keys if 1024-bit keys are still in use.

Device Replacement: Resets all settings specific to a device to default values. This can be used if a defective device has been replaced. The following settings are reset:
- Firmware Version on Device
- Serial Number
- Flash ID
- SSH Hostkey
- Profile Encryption Key
- Licenses associated with the device
Set Redundancy Mode: Open a dialog in which redundancy mode can be enabled or disabled for the selected devices.
Generate Redundancy Passphrases: Set the redundancy passphrase variables in the device configuration to random values.
Generate License: Please refer to Chapter 3.10 for details regarding the license management.
Refresh License: Please refer to Chapter 3.10 for details regarding the license management.
Get Profile Key: Obtain a profile key from the Innominate license server. Please refer to section "Profile encryption" on page 68 for details.
Enable / Disable profile encryption: Enable or disable encryption of configuration profiles for the selected devices. Please refer to section "Profile encryption" on page 68 for details.
Firmware Upgrade > Schedule upgrade to latest patches: Schedule a firmware upgrade to the latest available patches. Please refer to Chapter 3.12 for more details.
Firmware Upgrade > Schedule upgrade to latest mi
In cases where the variable value cannot be displayed (e.g. password variables), the text Custom is used instead. If the single value Custom is displayed for a password variable, this indicates that the password has not changed. However, if the value Custom is displayed twice, the password has changed between the older and the newer configuration.

If a table variable has changed, the change is indicated by the background color of the changed row(s) and by a character in the first column:
- Insertion indicator (green background): The row has been inserted, i.e. it exists in the newer but not in the older configuration.
- Deletion indicator (red background): The row has been deleted, i.e. it exists in the older but not in the newer configuration.
- M indicator (blue background): The row has changed between the older and newer configuration. This indicator is only used for complex table variables (e.g. VPN connections); otherwise a changed row is treated as a deletion of the row with the old contents followed by an insertion of a row with the new contents.

In addition to the variable value or Custom, two special values are used:
- Local indicates that the variable has no value known to mdm. The value is set by the user netadmin on the mGuard.
- Custom (Locally appendable) is only applicable to table variables. It
108 of 130 Configuration history
indicates that the user netadmin on the mGuard has the permission to append r
...JKS) has to be configured in the ca-preferences.xml file of the mdm server in the node httpServer/https, key keyStoreType.
- The password to access the keystore (in the example yourSSLPW) has to be configured in the ca-preferences.xml file of the mdm server in the node httpServer/https, key keyStorePassword.

To enable the SSL communication to the mdm server and to the database, the following keys of the ca-preferences.xml file have to be configured:
- certificateFactory/storage/database/ssl = true
- httpServer/protocol = https
To enable client authentication, the following key has to be set to true:
- httpServer/https/clientAuth = true

2.11.2 Create the truststores
mdm server
Each component except for the database has a truststore containing the certificates of the trusted peers.
1. Create the truststore and add the database certificate (DB) as described in Chapter "Import a certificate" on page 114:

  java -cp ImportKey -alias postgres -storetype JKS -file serverCert.pem -storepass pass:yourSSLPW -keystore mdm-truststore.jks

2. Add the CA certificate as described in Chapter "Import a certificate" on page 114 to the truststore:

  java -cp ImportKey -alias ca -storetype JKS -file ca-https-client-cert.pem -storepass pass:yourSSLPW -keystore mdm-truststore.jks

3. If SCEP is used, the root certificate and any intermediate certificates the CA server uses to authenticate its reply must be imported into the truststore. Please refer
...Key.pem -keyform PEM -passin pass:rootPW -sha256 -days 5479 -outform PEM -out rootCert.pem

Explanation of the arguments:
- req: instructs OpenSSL to generate a certificate request (default) or a certificate.
- -batch: Non-interactive mode.
- -new: Create a new request or a new certificate.
- -config filename: The name and the location of the OpenSSL configuration file (in the example rootCert.conf).
- -x509: Create a self-signed certificate instead of a certificate request.
- -key filename: The corresponding private key (in the example rootKey.pem).
- -keyform PEM: The private key is in PEM format.
- -passin pass:password: Password required to decrypt the private key (in the example rootPW).
- -sha256: Use the SHA-256 algorithm to create the message digest for the signature (recommended).
119 of 130 Creating and managing certificates / Create the CA certificate
- -days 5479: The period (in days) for which the certificate will be valid.
- -outform PEM: The format of the output file is PEM.
- -out filename: The name of the output file, i.e. the certificate (in the example rootCert.pem).

The command above generates one output file:
- rootCert.pem: This file contains the self-signed root certificate (CA rootCert).

The intermediate CA certificate (CA cert) is not self-signed but will be issued (signed) by the root CA. Therefore you first have to create a private key and a corresponding certificate request and then send this certificate request to the root
...L_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run folder of your registry (name: mdm Server; value: full_path\java.exe -Xmx1024m -jar full_path\mdm-server-1.6.x.jar start full_path\preferences.xml), e.g.
27 of 130 Installation

  "C:\Program Files\Java\jre7\bin\java.exe" -Xmx1024m -jar "C:\Program Files\Innominate\mdm-server-1.6.x.jar" start "C:\Program Files\Innominate\preferences.xml"

Client: You can start the client either with the command line

  full_path\java -Xmx384m -jar mdm-client-1.6.x.jar

or with a double click on mdm-client-1.6.x.jar in the Explorer window.

Linux
Server: The server can be started manually with the command (in a single line):

  full_path/java -Xmx1024m -jar full_path/mdm-server-1.6.x.jar start full_path/preferences.xml

Client: You can start the client by entering the command

  full_path/java -Xmx384m -jar mdm-client-1.6.x.jar

2.8 mdm Certification Authority (CA) installation
mdm provides its own Certification Authority (CA). The mdm CA is a separate server instance. The CA is used to issue machine certificates for the mGuards, e.g. if you would like to use X.509 authentication for your VPN tunnels. Please refer to Chapter 4.5 on how to request certificates for an mGuard using the CA. If you are not going to configure VPN tunnels with mdm, or if you would like to use your own CA or pre-shared keys (PSK), the installation of the mdm CA is not required.

2.8.1 Overview
The purpos
Figure 31: Template configuration (screenshot of the template navigation tree with the nodes Management, Blade Control, Network, CA, Interfaces, Serial port and Hardware, and variables such as Network Mode, Netmask of internal network and VLAN ID with the permission settings May override and Inherited)

Compared to the Device Properties Dialog, there are additional settings in the template configuration, which are explained in the following sections. For detailed information on the template and inheritance concept, please refer to Chapter 5.
87 of 130 Template, device, pool and VPN group configuration

None value type
Permission setting
In the template, None can be selected as value, as you can see in the variable IP of internal interface in Figure 31. This means that the template designer does not want to define a value in the template but wants to make sure the value is overridden in an inheriting template or devi
Node feedback
  Key port: The mGuards can pull their configurations from an HTTPS server. Since the HTTPS server is a separate application, mdm does not get any direct feedback about the result of a configuration pull. To enable the feedback mechanism, mdm has to be configured as a syslog server in the HTTPS server settings. mdm will then receive and analyze the HTTPS server
23 of 130 Installation
Node service
  syslog messages and display the result of configuration pulls in the client. It is recommended to use an unprivileged port above 1024 so that the server can be run without administrator / root privileges (default: 7514).

Node radius
  Key numServers: Set this to the number of RADIUS servers to enable RADIUS authentication. Please refer to Chapter 3.11.4 for more detailed information. If set to 0, RADIUS authentication is disabled (default: 0).
  Key timeout: The number of seconds that the mdm server waits for a reply from a RADIUS server. Only used if RADIUS authentication is enabled (default: 5).
  Key retries: The number of times that the mdm server sends requests to the RADIUS servers. If no reply is received within timeout seconds for retries times, the authentication request is considered failed. Only used if RADIUS authentication is enabled (default: 3).
  Key nasIdentifier: The NAS-Identifier included in RADIUS requests sent by the mdm server. Some RADIUS servers ignore this, in which case the default value can be left
To add, change or delete VPN connections, please open the node IPsec VPN > Connections. To create a new connection, create a new table row (see Chapter 4.1, Modifying table entries). As soon as you create a connection, it appears as a node in the navigation tree. To edit the connection, open its node in the navigation tree and navigate to the desired settings. The structure of the connection node resembles the menu structure on the mGuard. The connection table is read-only, i.e. you have to navigate to the respective node to make changes to the connection (e.g. change the name of the connection or disable a connection).

Please note that the permission setting of the connection table in a template applies to the table only and not to the contents of the connections. If you set the table to No override, the settings of the VPN connection can still be modified on a device which uses this template, but the user on the device level is not allowed to add further connections to the table.
93 of 130 Template, device, pool and VPN group configuration

Automatic configuration of the VPN peer
Setting VPN identifiers automatically
You can automatically generate the VPN configuration for the peer device (see Figure 36). Place the cursor in the field Peer device and press the Cursor Down key. A list of available devices appears. You can limit the number of devices in the list by entering the first characters of the Manage
Version: Since different releases of the mGuard software have different sets of variables, the firmware version corresponding to the installed firmware on the mGuard has to be selected here. It is not possible to downgrade to an older release, so please be very careful when changing the firmware version. See Chapter 5.2.2 for more details. Only devices with a firmware version equal to or newer than the firmware version of the VPN group can become its members.
Member devices (read-only): The devices which are currently members of the VPN group.
Comment: An optional comment.

When generating VPN group connections, mdm combines the variables in the VPN group with additional variables in the device. While the variables in the VPN group are common to all connections in this group, the additional variables in the device are specific to the device but common to all VPN group connections of the device.

The VPN group contains the following variables:
- General VPN settings
- Protocol settings
- Authentication settings (IKE options)

Devices and templates contain variables under the IPsec VPN > VPN Group Configuration node, which are used when mdm adds VPN group connections to a device:
- Tunnel settings
- NAT settings
- Firewall settings

The local VPN network
The local VPN network to be used in VPN group connections can either be specified in the template or device (IPsec VPN > VPN Group Configuration > Tunne
...abase. The command line tools pg_dump or pg_dumpall (part of the PostgreSQL distribution), the graphical front end pgAdmin III or another mechanism can be used for this. See the PostgreSQL documentation for details.
3. If the mdm CA is used, dump the content of the CA database. It is strongly advised to keep a copy of the database dumps as a backup.
4. Install the mdm 1.6 server. Since the server configuration file preferences.xml has been extended, it is recommended to use and customize the file provided with mdm 1.6. By default, the passwords for the Java trust
7 of 130 Installation
store, Java key store and database connection are read from environment variables; set these environment variables accordingly. Note that the CA type IDM CA has been renamed to mdm CA. It is necessary to adapt the CA type key (com innominate innomms is CA type) in preferences.xml accordingly, or communication with the mdm CA will fail.
5. mdm 1.6 requires the Java SE 7 Runtime Environment (JRE). Make sure the java command refers to a JRE of this version, or use an appropriate pathname to run a Java SE 7 JRE.
6. Invoke the server with the following command:

  java -Xmx1024m -jar mdm-server-1.6.x.jar update preferences.xml

The server will connect to the PostgreSQL database, upgrade it and terminate. After this step the database is ready to be used by mdm 1.6, i.e. the mdm 1.6 server can now be started.

2.3 Installation on a Micr
...al configuration upload above for a description of how to export configuration and license files. Additionally, the following requirements have to be met:
- An HTTPS configuration pull server has to be configured (see Chapter 2.10).
- The configuration pull has to be configured on the mGuards; please refer to the Reference Manual mGuard Firmware. Additionally, the mGuards have to be configured with the 2 following commands to pull their configuration according to the mdm file name convention:

  gaiconfig --set GAI_PULL_HTTPS_DIR <your_directory>
  gaiconfig --set GAI_PULL_HTTPS_FILE <identifier>.atv

- In case the mdm server and the configuration server are installed on different machines, you have to make sure that the mdm export files are synced to the file system of the configuration server.
- Additional steps are necessary if you would like to get feedback on whether or not the configuration pull was successful. mdm is able to receive syslog messages on port UDP 7514 in order to detect the configuration status of a device, if mdm is configured as syslog server in the configuration server settings.

Remark: The pull request contains information about the current configuration status of the mGuard. This information will be sent as a syslog message from the configuration server to mdm. The port on which mdm listens for syslog messages can be configured in the preferences file of the mdm server (see Chapter 2.6).

Profile
...ame spaces, it is required to create a different database (schema / user) for the CA, e.g. mdmca. Create the database (schema) from scratch analogous to the mdm server, but instead of initializing the database using the init option of the mdm server, use the script mdmca.sql from the archive mdm-ca-1.6.x.zip (see below). For Windows, please refer to the section Database installation in Chapter 2.4.1. For Linux, refer to the section Database installation in Chapter 2.4.2.

To initialize the database schema on Linux, please enter the following command in a single line and enter the password when prompted:

  psql -h 127.0.0.1 -f mdmca.sql your_database_name your_CA_user

To initialize the database schema on Windows, please start pgAdmin III as described in Chapter 2.4.1. Select the database (schema) you just created in the previous steps and click on the query icon; select File > Open in the menu of the query window, select the mdm initialization script mdmca.sql in the file chooser, and finally start the query by clicking on the execute icon in the query window. The database is initialized now.

Adapt the database node of the ca-preferences.xml file (see Chapter 2.8.5) to your environment. Either create the required keys and certificates automatically using the demoCA scripts (see Chapter 2.8.3) or follow the instructions in Chapter 2.8.4 (manual creation). After this step the keys, certificates and keystores should be located in your file system. If required, change furth
...than crlUpdatePeriodMinutes, but note that crlUpdatePeriodMinutes is specified in minutes while nextUpdatePeriodDays is specified in days.

Node storage
Node database
  Key host: The IP address or host name the mdm CA should connect to to get access to the PostgreSQL database (default: 127.0.0.1).
  Key port: The port that the mdm CA should use to connect to the database (default: 5432).
  Key name: The name of the database (default: mdmca).
  Key user: The user of the database (default: mdmca).
  Key password: The password to be used to connect to the database. The default value ENV PASSWORD_DB will cause the mdm CA server to read this password upon startup from the environment variable named PASSWORD_DB (the name PASSWORD_DB is just an example and can be changed if desired). Please make sure that the values for port, name, user and password match the values you specified during the database initialization.
  Key ssl: Enable / disable secure connection between the mdm CA and the PostgreSQL server. Use the value true to enable secure connections (see Chapter 2.11.1).
  Key loglevel: Internal use only. Please do not change (default: 0).
Node security
  Key trustStore: Name and path of the truststore file containing the trusted certificate of the database server.
35 of 130 Installation
  Key trustStoreType: Format of the truststore, either JKS (Java JRE keytool, default) or PKCS12 (OpenSSL).
  Key trustStorePassword: Password for
...and Windows (e.g. as stand-alone binary or as part of the cygwin package). The tools to create the certificates, keys and keystores need not be installed on the mdm CA target system.

The use of OpenSSL 0.9.8zc, 1.0.0o or 1.0.1 or newer is recommended due to the support of SHA-256 and several important security fixes.
28 of 130 Installation

Certificate Revocation Lists (CRLs) are not supported by mGuard 4.2, but are supported with mGuard firmware 5.0 and newer. If using mGuard 4.2, it is recommended to include the CRL distribution points (CDP) information already in the certificates when rolling out a PKI, since then an exchange of the certificates will not be required when updating to a newer mGuard firmware.

Chapter 2.8.2 contains an overview of the installation procedure. Chapter 2.8.3 describes how to use the demoCA scripts contained in the installation archive mdm-ca-1.6.x.zip to create the required keys and certificates. Chapter 2.8.4 provides detailed information on how to manually create and install the keys and certificates.

2.8.2 Installation procedure
1. Create an OS user for the mdm CA server. The user for the mdm server could be reused, though that is not recommended (isolation).
2. Unpack mdm-ca-1.6.x.zip into that user's home directory.
3. Make sure the PostgreSQL database 9.0 is installed (see Chapter 2.4). The mdm CA can use the same database instance as the mdm server, but for separation of n
...basically the same as described for the normal table variables above. Inherited rows from a template, which also appear as navigation tree nodes, are all set to read-only if Inherited is selected for the complex table variable. The usage of templates and inherited values is further explained in Chapter 4.2 and Chapter 5.
- Custom: If you select Custom, the table and its associated menu elements become enabled. Contrary to normal table variables, the inherited table rows are not copied from the template to the device when switching to Custom. Inherited rows cannot be deleted but can be edited if Custom is selected. Please note that changing or editing the rows does not change the rows in the template. You may also add new rows (nodes) to the table.

Please note that it is possible to switch between Custom and Inherited without losing any data while the Properties Dialog is open. But if you switch from Custom to Inherited, apply your settings and then leave the dialog, all custom rows you entered will be lost.

Additional variables in the template
In the Template Properties Dialog you can find additional settings for the configuration. These settings are explained in Chapter 4.2.
80 of 130 Template, device, pool and VPN group configuration

Indication of invalid input
Invalid input will be immediately indicated by a red variable name and by an error indication.

Figure: Edit Device dialog (Gateway London, mGuard configuration, node General)
...ate parent template.
61 of 130 mdm client overview
Version: The firmware version of the VPN group.
VPN Groups: A comma-separated list of VPN groups that the device is currently a member of.

Filtering and sorting the table
The header of the table can be used to sort the table entries. A click on a header of a column will activate the primary sort based on this column. This is indicated by the arrow in the column header. A second click on the same header will reverse the sort order. Clicking on another column header activates the sort based on this new column; the previously activated column will be used as secondary sorting criterion. The first row of the table accepts the input of regular expressions (please refer to Chapter 8, Regular expressions), which can be used to efficiently filter the table entries. Filtering based on regular expressions is not used for the columns that do not contain text, i.e. columns I and V.

Selecting devices
Select the device(s) for which to modify the VPN group membership:
- Click on a device to select it.
- Click on a device, then hold down the Shift key and click on a second device to select a range of devices.
- Click on a device while holding down the Ctrl key to toggle its selection state.

Assigning or removing VPN group membership
Click on the Attach Selected Devices button to make the selected devices members of the selected VPN groups, i.e. the VPN groups that were selected in the
...have been successfully exported to the file system.
Pull feedback received: The mdm server has received a configuration pull feedback from the HTTPS server, but it could not be determined whether the configuration on the device is now up to date. This status indicates that the device has pulled a configuration file but has not yet applied it, or that the configuration is outdated because it has been changed in mdm after the export to the HTTPS server.
SSH hostkey reset: Indicates that an SSH host key reset was performed.
Configuration invalid: mdm indicates that the current configuration is invalid, e.g. a None value (see Chapter 4.2.1) in the template has not been overridden in the device.
Upload or export error: A permanent error has occurred and mdm could not recover from the error, or the maximum number of retries for the SSH configuration push has been reached without accessing the mGuard. The cause of the error is displayed in the log window.
46 of 130 mdm client overview
Host authentication failed: This error indicates that the SSH host authentication failed. This can be an indicator of an attack, but most likely it is due to the fact that a failing device was replaced. Before you continue, please make sure that the device in question was indeed replaced. To continue, remove the device's active SSH hostkey with the option Set Current Device Credentials in the context menu of the device overview table, select the Res
…avors: default or rs2000. Setting it to rs2000 has the effect that variables not supported by this platform are omitted. Templates have no hardware flavor; they always contain all the variables corresponding to the default flavor. If variables not supported by a device set to the rs2000 flavor are inherited from a template, such variables are ignored. Some variables are supported on rs2000 devices but have only a limited range of supported values. If such a variable is inherited by a device set to the rs2000 flavor and the inherited value is not supported, the variable becomes invalid and must be corrected in the configuration dialog before the device can be uploaded. mdm 1.6 does not support mGuard rs2000 3G devices as a separate hardware flavor; the hardware flavor rs2000 with network mode Router should be used instead.

4 Template, device, pool and VPN group configuration

4.1 General remarks

Navigation tree, mGuard configuration: The Device Properties Dialog, the Template Properties Dialog, the Pool Value Properties Dialog and the VPN Group Properties Dialog are used to configure devices, templates, pools or VPN groups respectively. The device and template dialogs are very similar; therefore the common parts are described in this chapter. Chapter 4.2 and Chapter 4.3 discuss the differences between the two dialogs. The pool configuration is explained in Chapter 4
…be assigned in the device configuration. This is indicated by the icon in front of the variable name and the blue colored label. If a device for which None values have not been assigned is uploaded, an error occurs.
Static mapping: In the template, the table Static mapping is set to Custom and its permission is set to May append. As Figure 39 shows, rows can be added to the table in the device configuration after switching the table variable to Custom. Rows inherited from the template cannot be changed.

5.2 Miscellaneous

5.2.1 Complex table variables and permissions

The permission setting for complex table variables (see Chapter 4.1) in the parent template applies to the table itself, but not to the contents of the rows. If the table is set to No override, it is not possible to add or delete rows in the child configuration, but it might still be possible to change the value of variables in the inherited rows in the child. Each variable of a row node has a separate permission setting in the parent template that determines whether the variable can be overridden in the child. The permission setting of the table and the permission setting of a single variable within the table are completely independent. In practice this means that locking a firewall table with No override does not by itself lock the individual fields of its rows; check the row variables' permissions as well.

5.2.2 Firmware release settings and inheritance

Certain restrictions apply to the Firmware Version setting in the General Settings of the child and the parent template:
- A child cannot inherit from a parent template that has a newer firmware
…cate:

    openssl req -batch -new -x509 -key privkey.pem -keyform PEM -passin pass:yourSSLPW -sha256 -outform PEM -out serverCert.pem

Explanation of the arguments:
req: Instructs OpenSSL to generate a certificate request (default) or a certificate.
-batch: Non-interactive mode.
-new: Create a new request or a new certificate.
-x509: Create a self-signed certificate instead of a certificate request.
-key filename: The corresponding private key, in the example privkey.pem.
-keyform PEM: The private key is in PEM format.
-passin pass:password: Password required to decrypt the private key, in the example yourSSLPW.
-sha256: Use the SHA-256 algorithm to create the message digest for the signature (recommended).
-outform PEM: The format of the output file is PEM.
-out filename: The name of the output file, i.e. the certificate, in the example serverCert.pem.
The command above generates one output file:
- serverCert.pem: This file contains the self-signed certificate ET1cert.
Create a keystore: The keys and certificates have to be included in keystores. The installation archive mdm-ca-1.6.x.zip contains the proprietary Java tool ImportKey in the demoCA directory, which can be used to create and manage keystores. Please copy the file ImportKey.class to your working directory. First ET1key has to be converted to PKCS#8 format, and both ET1key and ET1cert have to be included in a k
…ce. Any attempt to upload a device in which a None value has not been overridden, or has been overridden with a Local value, results in an error.
In Figure 31 the variable Netmask of internal network has an additional permission setting. The permission controls whether and how an inheriting device or template can override the setting. The permission settings can be assigned on a per-variable basis. Please note that the permission combo box is not visible if Inherited or None is selected as value. The following permissions can be selected:
May override: The value can be changed (overridden) in an inheriting template or device.
No override: The value cannot be changed in an inheriting template or device.
May append: This setting is only available for tables, e.g. firewall rules. If a table variable is set to May append, additional table rows can be appended in an inheriting device or template, but the inherited rows cannot be changed or removed. If Local is selected as value and May append as permission, new entries can be added in an inheriting device or template as well as on the mGuard by the netadmin user.

4.3 The Device Properties Dialog

The Device Properties Dialog allows to configure the mGuard variables and their associated settings for a device. For information on how to create, delete or edit devices please refer to Chapter 3, Edit Device
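What the three permissions mean for a device's effective configuration, and why a None value blocks an upload, is easiest to see in code. The following model is an added example and not mdm code: it resolves a device's settings through its template chain as the text describes (Inherited, None, May override, No override, May append) and then runs the None-value check that mdm performs at upload time. Node names, variable names and values are constructed; that a level which only appends rows cannot loosen May append for its own children is an assumption.

```python
"""Added example (not mdm code): a minimal model of mdm's template inheritance
and per-variable permissions, plus the upload-time check for None values."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Permission values, named as in the dialog.
MAY_OVERRIDE = "May override"
NO_OVERRIDE = "No override"
MAY_APPEND = "May append"

# Sentinels for the two special values a variable can hold in a dialog.
NONE_VALUE = "<None>"        # must be overridden further down before an upload
INHERITED = "<Inherited>"    # take value and permission from the parent


@dataclass
class Setting:
    value: object = INHERITED   # INHERITED, NONE_VALUE, a scalar, or a list of table rows
    permission: str = MAY_OVERRIDE


@dataclass
class Node:
    """A template or a device; a device is simply a leaf node."""
    name: str
    settings: Dict[str, Setting] = field(default_factory=dict)
    parent: Optional["Node"] = None


class InheritanceError(Exception):
    """Raised when a child violates a permission set by an ancestor."""


def resolve(node: Node) -> Tuple[Dict[str, object], Dict[str, str]]:
    """Return (effective values, effective permissions) for node, walking root -> leaf."""
    chain: List[Node] = []
    n: Optional[Node] = node
    while n is not None:
        chain.append(n)
        n = n.parent
    chain.reverse()
    values: Dict[str, object] = {}
    perms: Dict[str, str] = {}
    for level in chain:
        for var, s in level.settings.items():
            if s.value == INHERITED:
                continue                                  # nothing set at this level
            perm_above = perms.get(var, MAY_OVERRIDE)      # root level is unrestricted
            if perm_above == NO_OVERRIDE:
                raise InheritanceError(f"{level.name}: '{var}' is No override in an ancestor")
            if perm_above == MAY_APPEND:
                # Inherited rows stay untouched; only the child's own rows are appended.
                if not isinstance(s.value, list):
                    raise InheritanceError(f"{level.name}: '{var}' may only be appended to")
                base = values.get(var)
                values[var] = (list(base) if isinstance(base, list) else []) + list(s.value)
                perms[var] = MAY_APPEND                   # assumption: cannot be loosened below
            else:
                values[var] = s.value
                perms[var] = s.permission
    return values, perms


def upload_errors(device: Node) -> List[str]:
    """The checks mdm performs before an upload: permissions honoured, no None left."""
    try:
        values, _ = resolve(device)
    except InheritanceError as e:
        return [str(e)]
    return [f"variable '{v}' still has a None value" for v, val in values.items() if val == NONE_VALUE]


# Constructed sample hierarchy: one site template under a production template.
BASE = Node("Production", {
    "firewall_rules": Setting(["allow tcp/22 from 10.0.0.0/8"], MAY_APPEND),
    "internal_netmask": Setting(NONE_VALUE),          # every device must fill this in
    "mtu": Setting(1500, NO_OVERRIDE),
})
BERLIN = Node("Berlin", {"internal_netmask": Setting("255.255.255.0")}, parent=BASE)
DEV_OK = Node("prod-5397", {"firewall_rules": Setting(["allow tcp/443 from 10.6.0.0/16"])}, parent=BERLIN)
DEV_MISSING = Node("prod-5398", {}, parent=BASE)        # never overrides the None value
DEV_BAD = Node("prod-5399", {"mtu": Setting(9000)}, parent=BERLIN)   # violates No override

if __name__ == "__main__":
    print(resolve(DEV_OK)[0])
    print(upload_errors(DEV_MISSING))
    print(upload_errors(DEV_BAD))
```

The appended rule list for prod-5397 keeps the inherited row first, which is the behaviour the dialog shows for May append tables; the two failing devices return the same kind of message mdm writes to the log window.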
…scheduleDelay: Interval in seconds between two attempts to obtain the result of a firmware upgrade from the device. Default: 300.
Node ssh
Key connectTimeout: Timeout for the initial SSH connect to a device. Default: 60.
Key socketTimeout: Timeout for the SSH connection's TCP/IP socket, e.g. on a lost connection. Default: 720.
Key deadPeerDetectionTimeout: This timeout is activated if a device did not answer a command started on the device. Default: 720.
Node pull
Node export
Key directory: The export base directory on the server where the configuration files are exported to, e.g. for the configuration pull. Please note that the configuration files are always exported by the server and not by the client, i.e. the client does not have any access to the files. The specified directory pathname should have the appropriate format of the respective OS. Default: the default temporary directory of your installation, e.g. /tmp for Linux. Note that /tmp is world-readable on a typical Linux system, so use a dedicated directory with restrictive permissions for production exports.
Key filenames: A comma-separated list of naming schemes for pull configuration exports:
- dbid: A unique, automatically assigned ID is used as filename and the files are written to the export base directory.
- serial: The serial number is used as filename and the files are written to the serial subdirectory of the export base directory.
- mgntid: The Management ID is used as filename and the files are written to the mgntid subdirectory of the export base directory.
Default: dbid,serial,mgntid.
Delete: Delete the selected VPN groups.
Set Firmware Version: Upgrade the firmware version to a new version. Please refer to Chapter 3.12 for more details.
Assign/Remove Member Devices: Edit the member devices of one or more VPN groups. Please refer to Chapter 3.6.2 for more details.
Select All: Select all VPN groups not excluded by the table filter.

3.6.2 Editing device membership in VPN groups

When Assign/Remove Member Devices in the VPN group context menu is activated, a dialog opens to edit the device membership of the selected VPN groups.

Figure 14: The dialog to edit device membership in VPN groups. (The screenshot shows the table Members of Selected VPN Group with the columns I, V, Management ID, Templates, Version and VPN Groups; the sample rows are Production and Gateway devices in Tokyo, Vienna, New York, London, Paris, Berlin and San Francisco with firmware versions mGuard 4.2 to 6.0 and the VPN groups Production, Europe Mesh and North America Mesh.)

VPN group table columns: The VPN group membership table contains the following columns. The column width can be changed by placing the cursor on the header of the table at the border of two columns and dragging the border to the desired location. The order of the columns can be changed by dragging a column header to a different location.
Status I: The I status icon indicates whether a device is a member of none, some or all of the selected VPN groups. Click on the icon to open a dialog which explains the available icons and their meanings.
Status V: The V status icon shows whether the firmware version of the device is compatible with (i.e. equal to or newer than) the firmware version of the selected VPN groups.
Management ID: The Management ID of the device.
Templates: A comma-separated list of the device's ancestor templates. The first item in the list is the immedi
…d. It is recommended to renew 1024-bit keys; see Set Current Device Credentials on page 52 for more details.
The header of the table can be used to sort the table entries. A click on the header of a column activates the primary sort based on this column; this is indicated by the arrow in the column header. A second click on the same header reverses the sort order. Clicking on another column header activates the sort based on this new column; the previously activated column is used as secondary sorting criterion.
The first row of the table accepts regular expressions (please refer to Chapter 8, Regular expressions), which can be used to efficiently filter the table entries. Filtering based on regular expressions is not used for columns that do not contain text (columns C, U, V or F). The filter history is saved for the current user and can be accessed using the drop-down functionality of the filter fields.
Creating devices: There are several ways to create new devices:
1. Open the context menu by clicking on the device table with the right mouse button. To open the Device Properties Dialog for a new mGuard, select Add in the context menu.
2. Select the Device tab and click on the icon in the menu bar to open the Device Properties Dialog for a new mGuard.
3. Select New Device in the main menu to open the Device Pro
…d required to decrypt the contents of the keystore, in the example yourSSLPW.
-keypass pass:password: Additional password required to decrypt the private key in the keystore.
-chain filename: The certificate, in the example serverCert.pem.
The command above creates one output file:
- serverKeyStore.jks: This is the keystore containing the certificate and the private key.
Import a certificate: After creating the keystore it is sometimes necessary to import additional certificates into the keystore. This can be accomplished with the following command:

    java -cp . ImportKey -alias yourAlias -storetype JKS -file additionalCertificate.pem -storepass pass:yourSSLPW -keystore serverKeyStore.jks

Explanation of the ImportKey arguments:
-alias name: A keystore can contain multiple entries. The alias identifies the entry and therefore has to be unique in the keystore. Aliases are case insensitive.
-keystore filename: The file containing the keystore, in the example serverKeyStore.jks.
-storetype JKS: The format of the keystore.
-storepass pass:password: Password required to decrypt the contents of the keystore, in the example yourSSLPW.
-file filename: The certificate to be imported, in the example additionalCertificate.pem.

7.2 Certificates and keys for a PKI

When rolling out a Public Key Infrastructure (PKI), which is basically your intent when using the mdm CA, there are more requirements to be taken into account than me
…dard extensions (X.509 version 3) are defined in RFC 3280, Internet X.509 Public Key Infrastructure Certificate and CRL Profile (since superseded by RFC 5280, which keeps the extensions described here). Here is a short description of the extensions that are important for the mdm CA.
Critical bit: The critical bit is not an extension itself but is used to force the evaluation of an extension in the certificate. The critical bit can be set for any extension in the certificate. Applications verifying a certificate must be able to interpret an extension marked critical; if the application is not able to interpret the extension, it must reject the certificate.
Basic Constraints: The Basic Constraints extension is used to indicate whether the certificate is a CA certificate or not. Basic Constraints consists of two fields: cA, of type BOOLEAN, and pathLenConstraint (optional), of type INTEGER. For CA certificates the cA field must be set to true. pathLenConstraint is only used if the cA field is set to true and specifies the number of CA levels allowed below this certificate. Basic Constraints should always be marked critical. Please refer to Chapter 7.2.3 for requirements regarding the Basic Constraints extension.
Key Usage: Key Usage controls the intended use of the certificate's corresponding key. A key can e.g. be used to sign Certificate Revocation Lists (CRLs), to encrypt data or to sign certificates. Please refer to Chapter 7.2.3 for requirements regarding t
…dows Server 2003 or later, or Linux; Java Runtime Environment (JRE) SE 7; PostgreSQL version 9.0 or later.
The product has been renamed from Innominate Device Manager (IDM) to mdm (mGuard device manager). File and directory names have been changed accordingly. Please note that external scripts etc. relying on file or directory names need to be adapted.
The PostgreSQL database does not support the FAT32 file system. If you would like to install the PostgreSQL database on a system with a FAT32 file system, it is strongly recommended to convert the file system to NTFS with the convert.exe command before installing PostgreSQL. For more information on the convert tool, enter help convert on the command line.
Contact the Innominate Sales Department for information on how to obtain the software and a license. Please visit the web site http://www.innominate.com and click on Contacts / Inquiries.

2.2 Upgrading from an earlier version

Since mdm 1.5 and later no longer support firmware versions 4.2.x, all devices and templates must be set to at least firmware version 5.0 before installing mdm 1.6. To upgrade from an earlier version to mdm 1.6 it is necessary to make irreversible changes to the backing PostgreSQL database. Once these changes have been made, the database can no longer be accessed with an earlier version.
1. Stop the mdm (formerly IDM) server if it is running.
2. Dump the content of the mdm/IDM dat
…dresses or networks. If a Combine field is set to No, the corresponding address or network is used in the VPN group connection without modification. If a Combine field is set to Yes, the address or network entered in the table is combined with the local or remote VPN network to calculate the network used in the VPN group connection:
- In the incoming firewall rules, the From IP field is combined with the remote VPN network and the To IP field is combined with the local VPN network.
- In the outgoing firewall rules, the From IP field is combined with the local VPN network and the To IP field is combined with the remote VPN network.
The value of the From IP or To IP field is combined with the VPN network by adding the addresses octet-wise, i.e. each octet is added individually. If the result of adding two octets overflows, i.e. if it is greater than 255, the value 256 is subtracted, i.e. the addition wraps around. The network mask of the value of the From IP or To IP field (or /32 if the field does not contain a network mask) is applied to the result.
Examples:
- If the From IP or To IP field has the value 0.0.78.0/24 and the VPN network is 10.6.0.0/16, the combined value is 10.6.78.0/24.
- If the From IP or To IP field has the value 0.1.78.0/24 and the VPN network is 10.6.0.0/16, the combined value is 10.7.78.0/24.

4.9 Rollback support

Configuration rollback is supported on devices with firmware version 5.0 or newer. A rollback is pe
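The octet-wise combination is easy to get wrong at the wrap-around and at the mask step, so here is the rule as runnable code. This is an added example and not part of mdm; the function names combine and vpn_group_rule and the sample networks are constructed for illustration. Besides the two examples above it also covers a field without a mask (treated as /32) and an overflowing octet, and it applies the incoming/outgoing mapping of the two bullet points.

```python
"""Added example (not mdm code): the Combine rule for VPN group firewall rules."""
import ipaddress
from typing import Tuple


def combine(field: str, vpn_network: str) -> str:
    """Combine a From IP / To IP field with a VPN network as the manual describes:
    add the addresses octet by octet (wrapping at 256), then apply the field's own
    network mask, or /32 if the field has none."""
    if "/" in field:
        addr_text, prefix_text = field.split("/", 1)
        prefix = int(prefix_text)
    else:
        addr_text, prefix = field, 32
    field_octets = ipaddress.IPv4Address(addr_text).packed
    vpn_octets = ipaddress.IPv4Address(vpn_network.split("/", 1)[0]).packed
    # Octet-wise addition; % 256 is the "subtract 256 on overflow" wrap-around.
    summed = bytes((a + b) % 256 for a, b in zip(field_octets, vpn_octets))
    # strict=False applies the mask to the result instead of rejecting host bits.
    network = ipaddress.IPv4Network((int.from_bytes(summed, "big"), prefix), strict=False)
    return str(network)


def vpn_group_rule(direction: str, from_ip: str, to_ip: str, combine_from: bool,
                   combine_to: bool, local_net: str, remote_net: str) -> Tuple[str, str]:
    """Return the (From, To) networks actually used in a VPN group rule.
    Incoming: From is combined with the remote, To with the local VPN network.
    Outgoing: From is combined with the local, To with the remote VPN network."""
    if direction == "incoming":
        from_base, to_base = remote_net, local_net
    elif direction == "outgoing":
        from_base, to_base = local_net, remote_net
    else:
        raise ValueError(f"unknown direction {direction!r}")
    src = combine(from_ip, from_base) if combine_from else from_ip
    dst = combine(to_ip, to_base) if combine_to else to_ip
    return src, dst


if __name__ == "__main__":
    print(combine("0.0.78.0/24", "10.6.0.0/16"))     # 10.6.78.0/24, as in the manual
    print(combine("0.250.0.0/16", "10.6.0.0/16"))    # second octet wraps: 10.0.0.0/16
    print(vpn_group_rule("incoming", "0.0.78.0/24", "0.0.1.0/24", True, True,
                         "10.6.0.0/16", "10.7.0.0/16"))
```

The wrap-around case is worth noticing in operations: a field value like 0.250.0.0/16 silently lands in a different /16 than the VPN network, which is rarely what the rule author intended, so validate Combine fields against the VPN network ranges before uploading.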
…e. Please copy the file templateCert.conf contained in the installation archive mdm-ca-1.6.x.zip to your working directory. Adapt the entries crlDistributionPoints and authorityInfoAccess of the [template_ext] section of the configuration file (please refer to the section Certificate extensions for an explanation); the hostnames and paths below are placeholders to be replaced by those of your CA:

    [template_ext]
    crlDistributionPoints = URI:http://ca.example.com/ca-ee.crl
    authorityInfoAccess = OCSP;URI:http://ca.example.com/ocsp-ca-ee

Please note that the configuration file templateCert.conf expects files to exist that have to be created manually (see the previous section, Create the CA certificate, subsection Adapt the OpenSSL configuration file and the environment).
Generate a private key: The private key has to be created first using the following command:

    openssl genrsa -des3 -passout pass:caPW -out templateKey.pem 2048

Explanation of the arguments:
genrsa: Instructs OpenSSL to generate an RSA key.
-des3: Use 3DES to encrypt the key. 3DES is a legacy cipher; current OpenSSL versions also accept -aes256, which is preferable for new keys.
-passout pass:password: The password used to encrypt the private key, in the example caPW. caPW is just an example and should be replaced by a secure password.
-out filename: Name of the file containing the private key, in the example templateKey.pem.
2048: The length of the key in bits.
This command creates one output file: templateKey.pem, which contains the encrypted private key.
Generate a certificate request: To create a certificate request, enter the fol
Figure 4: PostgreSQL installation, configure the new login role. (The screenshot shows the Properties tab of the pgAdmin New Login Role dialog with the fields Account expires, Connection Limit and the option WITH ADMIN OPTION.)
6. Create a database by selecting New database in the context menu.
Figure 5: PostgreSQL installation, create a new database. (The screenshot shows the pgAdmin III object browser with the server PostgreSQL 9.0 (localhost:5432) and the context menu of its Databases node.)
7. Enter your_user as owner and your_database_name as name, set the Encoding to UTF-8, grant all privileges and close the dialog by clicking on OK. Make sure that the values your_user and your_database_name are identical to the values specified in the preference file of the mdm server (see Chapter 2.6).
(Screenshot: the pgAdmin New Database dialog with the tabs Properties, Variables, Privileges and SQL; the example shows Name innomms_development, Owner innomms, Encoding UTF8, default tablespace, and the Privileges tab for the role public with CREATE and GRANT OPTION.)
…e. If possible, all mandatory arguments for the example commands below are explicitly stated, i.e. if you use the commands as described below, the important information is taken from the command line and not from the configuration file. If the configuration file is required for the respective command, it is explicitly mentioned in the text. For further information about the syntax and content of the configuration files please refer to OpenSSL's documentation, particularly to the manual pages genrsa(1ssl), req(1ssl), ca(1ssl) and openssl(1ssl).

7.1 Certificates and keys for SSL

To set up a secure connection between entities, e.g. ET1 and ET2, usually the following components are required:
- a private key for each entity participating in the communication (ET1key and ET2key). The term private key already implies that it is important to keep these keys private and store them at a location only accessible to the administrator;
- and the corresponding certificates (ET1cert and ET2cert). The certificates contain, among other information, the public key of the entity, information about the entity (e.g. the name and/or the IP address) and further information about the certificate (e.g. the intended usage). The certificate is either digitally signed with the private key of the respective entity (self-signed) or with a CA key. The certificates are public and can be distributed to anyone participating in th
…e communication. ET1 uses the public key contained in ET2cert to protect the data sent to ET2; in practice TLS uses the certified key to authenticate a key exchange rather than to encrypt the payload directly, but the effect is the same: only ET2 is able to decrypt the data. If ET2cert is self-signed, the signature only shows that the public key contained in ET2cert corresponds to ET2key; it says nothing about who ET2 is, which is why a self-signed certificate has to be placed in the peer's truststore by hand. If ET2cert is signed by a CA, it is assured that the public key contained in ET2cert really belongs to ET2 (authentication).
Create the private key: ET1key has to be created first using the following command:

    openssl genrsa -des3 -passout pass:yourSSLPW -out privkey.pem 2048

Explanation of the arguments:
genrsa: Instructs OpenSSL to generate an RSA key.
-des3: Use 3DES to encrypt the key.
-passout pass:password: The password used to encrypt the private key, in the example yourSSLPW. yourSSLPW is just an example and should be replaced by a secure password.
-out filename: Name of the file containing ET1key, in the example privkey.pem.
2048: The length of the key in bits.
The command above generates one output file:
- privkey.pem: This file contains ET1key in PEM format. The key is encrypted with the 3DES algorithm. To access the key you have to know the passphrase specified above, in the example yourSSLPW. Please use your own secure password to encrypt the private key.
Sometimes it is necessary to create an unencrypted key. In this case just omit the -des3 and the -passout options in the command above. An unencrypted key file is then protected by file system permissions alone, so restrict it to the account that needs it.
Create the certificate: The certificate is created with the following command:
…e environment variable named PASSWORD_DB (the name PASSWORD_DB is just an example and can be changed if desired). Please make sure that the values for port, name, user and password match the values you specified during the PostgreSQL installation.
Key ssl: Enable/disable the secure connection between the mdm server and the PostgreSQL server. Please note that enabling this option requires additional installation steps (see Chapter 2.11). Default: false. Without it the database credentials and the stored device configurations travel in clear text between the two servers, so leave it disabled only when both run on the same host.
Node update
Node scheduler
Key tries: Maximum number of attempts for an upload or export of a device configuration. If this maximum is reached, mdm stops trying to upload a configuration to the device. Default: 5.
Key timeout: Maximum number of seconds until an upload of the device configuration is cancelled. After the timeout is reached, mdm stops trying to upload a configuration to the device. Default: 600.
Key rescheduleDelay: Number of seconds between upload attempts. Default: 45.
Node firmwareUpgradeScheduler
Key tries: Maximum number of connections mdm should attempt to get feedback from the device on the result of the firmware upgrade. If this maximum is reached, mdm stops trying to contact the device. Default: 5.
Key timeout: Maximum number of seconds until mdm stops contacting a device for the result of a firmware upgrade. After the timeout is reached, mdm indicates that the firmware upgrade failed. Default: 3600.
Key res
…e account needs read permissions on all directories leading up to the service directory. It needs write permissions on the data directory only. Specifically, it should not be granted anything other than read permissions on the directories containing binary files; a service account that can write its own binaries can be used to run arbitrary code with the service's privileges. All directories below the installation directory are set by the installer, so unless you change something there should be no problem with this. PostgreSQL also needs read permissions on system DLL files like kernel32.dll and user32.dll, among others, which is normally granted by default, and on the CMD.EXE binary, which may in some scenarios be locked down and need opening.
PostgreSQL initialization: After the installation the database has to be created and initialized.
1. To initialize the database, start pgAdmin III (All programs > PostgreSQL 9.0 > pgAdmin III), which has been installed with PostgreSQL.
2. Connect to the database by opening the context menu in the menu tree on the left and by selecting Connect.
Figure 1: Co… (The screenshot shows the pgAdmin III object browser with the server PostgreSQL 9.0 (localhost:5432), maintenance database postgres, username postgres and Store password: No.)
…e ca-database-truststore.jks.
2. Copy the truststore to its final location and configure the preferences file ca-preferences.xml of the mdm CA:
- The location of the truststore has to be configured in the ca-preferences.xml file in the node certificateFactory/storage/database/security/trustStore.
- The format of the truststore (JKS) has to be configured in the ca-preferences.xml file in the node certificateFactory/storage/database/security/trustStoreType.
- The password to access the truststore (in the example yourSSLPW) has to be configured in the ca-preferences.xml file in the node certificateFactory/storage/database/security/trustStorePassword.
3. Create the mdm server truststore and add IScert as described in Chapter Import a certificate on page 114:

    java -cp . ImportKey -alias mdm -storetype JKS -file mdm-https-client-cert.pem -storepass pass:yourSSLPW -keystore ca-mdm-truststore.jks

4. Copy the truststore to its final location and configure the preferences file ca-preferences.xml of the mdm CA:
- The name including the path of the truststore has to be configured in the ca-preferences.xml file in the node httpServer/https/trustStore.
- The format of the truststore (JKS) has to be configured in the ca-preferences.xml file in the node httpServer/https/trustStoreType.
- The password to access the truststore (in the example yourSSLPW) has to be configured in the ca-p
…e export directory can be configured in the preferences file of the server (see Chapter 2.6). The filename for each configuration file is shown in the General settings of the Device Properties Dialog and in the device table. In case the files cannot be written to the file system (no permission, disk capacity exceeded, export directory not existent etc.), mdm displays an error in the log and the upload status is set to error.
Auto: Depending on whether or not Accessible via in General settings is set, mdm either performs an SSH upload or an export of the configuration to the file system.
Upload time: The time when the upload should be performed. Times are specified as an ISO date YYYY-MM-DD, where YYYY is the year, MM is the month of the year (between 01 and 12) and DD is the day of the month (between 01 and 31), optionally followed by an ISO time hh:mm:ss, where hh is the hour according to the 24-hour clock, mm is the minute and ss is the second. For example, a quarter past 4 p.m. and 20 seconds on December 22nd, 2010 would be written as 2010-12-22 16:15:20. Alternatively, click on the calendar icon to select the date from a calendar. If the current time (which is the default value) or a time in the past is specified, the upload is performed as soon as possible.
Upload within minutes after: This field is used to specify an upper bound on the time frame in which mdm will attempt t
…e is used. The following variables may be set to different values for the two physical devices:
- the hostname;
- the SNMP system name, location and contact;
- the MTU settings;
- the HTTP(S) proxy settings;
- the passwords of the mGuard users;
- the Quality of Service settings;
- the redundancy priority;
- the redundancy connectivity check settings;
- the remote logging settings.
When an upload to a redundant device pair is initiated, the two configurations are uploaded to the physical devices. The two uploads to the mGuards forming a redundant pair are never performed simultaneously, but may be performed simultaneously with uploads to other devices. An upload to a redundant pair is considered successful once the upload to both physical devices has succeeded. A pull configuration export for a redundant device pair creates two configuration profiles; the filename of the profile for the second device has _2 appended to the base name.

5 Working with templates

Changes made to a template can potentially affect a large number of devices or other templates. Therefore please keep the following rules in mind when working with templates:
- Before making changes to a variable in a template, make sure that the effect on inheriting templates or devices is really desired. In particular, changes to a variable permission can have an irreversible effect on inheriting templates or devices, e.g.
…e location of the openssl configuration file, in the example caCert.conf.
-key filename: The corresponding private key, in the example caKey.pem.
-keyform PEM: The private key is in PEM format.
-passin pass:password: Password required to decrypt the private key, in the example caPW.
-sha256: Use the SHA-256 algorithm to create the message digest for the signature (recommended).
-outform PEM: The format of the output file is PEM.
-out filename: The name of the output file, i.e. the certificate request, in the example caCertReq.pem.
The command above generates one output file: caCertReq.pem, which contains the certificate request.
Request the CA certificate: The request has to be sent to the root CA. Since in the example the root CA is under your own control, you can issue the certificate yourself with the following command:

    openssl ca -batch -config caCert.conf -days 3653 -in caCertReq.pem -cert rootCert.pem -keyfile rootKey.pem -passin pass:rootPW -md sha256 -notext -out caCert.pem -outdir

Explanation of the arguments:
ca: The ca command is a minimal CA application. It can be used to sign certificate requests and generate CRLs.
-batch: Non-interactive mode.
-config filename: The name and the location of the openssl configuration file, in the example caCert.conf.
-days 3653: The period in days for which the certificate will be valid.
-in filename: The name of the file containing the certificate reques
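The extensions described under Certificate extensions above (critical bit, Basic Constraints, Key Usage) and the signing step just shown come together in the following script. It is an added example and not part of the mdm distribution: it drives the OpenSSL command line from Python to build a root CA, an mdm-style sub-CA with pathlen:0 and a machine certificate, verifies the chain, and then shows what the extensions enforce by trying to use the machine certificate as an issuer. All names, passwords, validity periods and file names are invented; the script needs an openssl binary on the path and returns None if there is none.

```python
"""Added example, not mdm code: a two-level PKI built with the openssl CLI,
with the X.509v3 extensions the manual discusses and a negative test."""
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# [dn] is a placeholder overridden by -subj; the other sections are the extension
# profiles per certificate type, each marked critical as the manual recommends.
PKI_CONF = """[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[root_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[sub_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[machine]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
"""


def openssl(args: List[str], cwd: str) -> subprocess.CompletedProcess:
    """Run one openssl command in cwd without raising on failure."""
    return subprocess.run(["openssl", *args], cwd=cwd, capture_output=True, text=True)


def must(args: List[str], cwd: str) -> str:
    """Run one openssl command and raise if it fails."""
    result = openssl(args, cwd)
    if result.returncode != 0:
        raise RuntimeError(f"openssl {' '.join(args)}: {result.stderr.strip()}")
    return result.stdout


def issue(cwd: str, name: str, key_pass: Optional[str], issuer: str,
          issuer_pass: Optional[str], section: str, days: int) -> None:
    """Create a CSR for <name>.key and sign it with <issuer>.pem/<issuer>.key,
    attaching the extensions of [section] from pki.cnf."""
    req = ["req", "-new", "-key", f"{name}.key", "-config", "pki.cnf",
           "-subj", f"/CN={name}", "-out", f"{name}.csr"]
    if key_pass:
        req += ["-passin", f"pass:{key_pass}"]
    must(req, cwd)
    sign = ["x509", "-req", "-in", f"{name}.csr", "-CA", f"{issuer}.pem",
            "-CAkey", f"{issuer}.key", "-CAcreateserial", "-days", str(days), "-sha256",
            "-extfile", "pki.cnf", "-extensions", section, "-out", f"{name}.pem"]
    if issuer_pass:
        sign += ["-passin", f"pass:{issuer_pass}"]
    must(sign, cwd)


def build_pki(cwd: str) -> Dict[str, bool]:
    """Build root -> mdm CA -> machine certificate and return verification results."""
    Path(cwd, "pki.cnf").write_text(PKI_CONF)
    # Root CA: passphrase-protected key (as in the manual) and a self-signed CA certificate.
    must(["genrsa", "-aes256", "-passout", "pass:rootPW", "-out", "root.key", "2048"], cwd)
    must(["req", "-new", "-x509", "-key", "root.key", "-passin", "pass:rootPW", "-sha256",
          "-days", "3653", "-subj", "/CN=Example Root CA", "-config", "pki.cnf",
          "-extensions", "root_ca", "-out", "root.pem"], cwd)
    # mdm CA: a sub-CA with pathlen:0, so it may issue end-entity certificates only.
    must(["genrsa", "-aes256", "-passout", "pass:caPW", "-out", "mdmca.key", "2048"], cwd)
    issue(cwd, "mdmca", "caPW", "root", "rootPW", "sub_ca", 1826)
    # Machine certificate for one mGuard, issued by the mdm CA.
    must(["genrsa", "-out", "mguard-5397.key", "2048"], cwd)
    issue(cwd, "mguard-5397", None, "mdmca", "caPW", "machine", 730)
    chain_ok = openssl(["verify", "-CAfile", "root.pem", "-untrusted", "mdmca.pem",
                        "mguard-5397.pem"], cwd).returncode == 0
    text = must(["x509", "-in", "mguard-5397.pem", "-noout", "-text"], cwd)
    end_entity = "X509v3 Basic Constraints: critical" in text and "CA:FALSE" in text
    # Negative case: use the machine certificate as an issuer. Either signing or the
    # chain verification must fail because of CA:FALSE and the missing keyCertSign bit.
    must(["genrsa", "-out", "rogue.key", "2048"], cwd)
    try:
        issue(cwd, "rogue", None, "mguard-5397", None, "machine", 730)
        Path(cwd, "chain.pem").write_text(Path(cwd, "mdmca.pem").read_text()
                                          + Path(cwd, "mguard-5397.pem").read_text())
        rogue_rejected = openssl(["verify", "-CAfile", "root.pem", "-untrusted", "chain.pem",
                                  "rogue.pem"], cwd).returncode != 0
    except RuntimeError:
        rogue_rejected = True
    return {"machine_chain_valid": chain_ok, "machine_is_end_entity": end_entity,
            "machine_as_issuer_rejected": rogue_rejected}


def demo() -> Optional[Dict[str, bool]]:
    """Run the whole build in a temporary directory; None if openssl is not installed."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as workdir:
        return build_pki(workdir)


if __name__ == "__main__":
    print(demo())
```

The same mechanism rejects a further CA level under the mdm CA: with pathlen:0 in its Basic Constraints, a certificate issued by any sub-sub-CA fails chain verification, which is the property Chapter 7.2.3 relies on when the mdm CA is restricted to issuing machine certificates.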
…e mGuard. This requires that mdm can log into the mGuard with the SSH protocol (the Accessible via address must be set).
Import into <A> / <B>: If the device is in redundancy mode (see Chapter 4.10 for more details), the profile can be imported into the configuration variables for the first or the second physical device.
A few configuration variables cannot be imported and must be set manually if necessary: the passwords of the root and admin users, the passwords of the user firewall users, and certificate revocation lists (CRLs). ATV profiles downloaded from an mGuard either do not contain these variables at all or contain them in encrypted/hashed form. Please note that mdm does import the password of the netadmin user if it is found in the ATV profile, but a profile downloaded from an mGuard does not contain it.
Web Configure: Open the Web GUI of the device if the device is accessible (see also Accessible via address in Chapter 4.3). Any change made with the Web GUI will be overwritten by the next mdm configuration upload, except for changes made as netadmin to local variables.
Export: Generate a CSV file containing the basic properties (but not the configurations) of the selected devices. The file is suitable to be imported into mdm again (see Chapter 3.8.1, Device Import).
Delete: Delete the selected devices.
Set Firmware Version: Upgrade the firmware version to a new version. Plea
The purpose of the mdm CA is to issue certificates which are requested by the mdm server, to be used as machine certificates for mGuards. The mdm CA is implemented as a stand-alone server. Its interface to the mdm server is a servlet-driven web server (HTTP) which can be secured with SSL (HTTPS) and which can enforce client authentication. Especially in production environments Innominate highly recommends using HTTPS with client authentication, because only then is it assured that the mdm CA issues certificates to authenticated clients only; with plain HTTP or without client authentication, any host that can reach the CA port can obtain a valid machine certificate.

The configuration file of the mdm CA server allows configuring different keystores (isolation) for the generation of certificates (CA keystore) and for the SSL authentication (SSL keystore, SSL truststore). This assures that the CA private key intended for issuing machine certificates is not accidentally used for SSL authentication.

The mdm CA stores all required information in a PostgreSQL database. The communication between the mdm CA and the database should also be secured using SSL.

All the required keys and certificates to secure the communication between the mdm CA, the mdm server and the database have to be generated, installed in the file system and configured in the ca-preferences.xml file of the CA component and also in the preferences.xml file of the mdm server. There are many tools to create and manage keys and certificates. This document describes the usage of the OpenSSL tools, which are available for Linux
...please refer to Chapter 8, Regular expressions), which can be used to efficiently filter the table entries. Filtering based on regular expressions is not used for the column that does not contain text, i.e. column S. The filter criterion for the Member Count column is not interpreted as a regular expression but as a comma-separated list of numbers or number ranges, e.g. 0, 2-3. The filter history is saved for the current user and can be accessed using the drop-down functionality of the filter fields.

Creating VPN groups

There are several ways to create new VPN groups:
1. Open the context menu by clicking on the VPN group table with the right mouse button. To open the VPN Group Properties Dialog for a new VPN group, select Add in the context menu.
2. Select the VPN Group tab and click on the icon in the menu bar to open the VPN Group Properties Dialog for a new VPN group.
3. Select New VPN Group in the main menu to open the VPN Group Properties Dialog for a new VPN group.

Editing VPN groups

There are several ways to edit a VPN group:
1. Double-click with the left mouse button on the VPN group in the table to open the VPN Group Properties Dialog.
2. Select the VPN group with the left mouse button and open the context menu by pressing the right mouse button. Then select Edit to open the VPN Group Properties Dialog.
3. Select the VPN group to be modified in
...mechanism to conveniently configure and manage a large number of devices. By assigning a template to a device (cf. Chapter 4.3), the device inherits the template settings and will use the values that are defined in the template. Depending on the permission settings, the template settings might be overridden in the device configuration. Please read this chapter for an introduction to the template concept and refer to Chapter 5 for detailed information on templates and inheritance. For information on how to create, delete or edit templates please refer to Chapter 3.2.

The following screenshot shows the Template Properties Dialog.

(Figure 30: The mdm Template Properties Dialog. Shown is the dialog "Edit Template Production Berlin" with the mGuard configuration tree: General settings, Management, Blade Control, Network, Authentication, Network security, Virus Protection, IPsec VPN, Quality of Service, Redundancy, Logging; the General settings panel shows Name "Production Berlin", Firmware version "mGuard 6.0", Template "Production", Accessible via "Inherited / Not online manageable" and Default Permission "May override".)

General settings

Similar to the Device Properties Dialog (see Chapter 4.3), the Template Properties Dialog contains a menu corresponding to the mGuard's Web GUI structure on the left side of the window. Additionally, the Template Properties Dialog contains the entry General settings.
...issued by the mdm CA shall be valid, i.e. each certificate will be valid for the specified number of days starting from the time of its issuance.

Key certTemplate: Name and path of a certificate file to be used as template for new VPN certificates issued by the mdm CA.

Key keyStore: Name and path of the keystore file (see Chapter 2.11.1 and Chapter 2.8).

Key keyStoreType: Format of the keystore, either JKS (Java JRE keytool default) or PKCS12 (OpenSSL).

Key keyStorePassword: Password for the keystore file (see Chapter 2.11.1 and Chapter 2.8). The special value ENV PASSWORD_CA will cause the mdm server to read this password upon startup from the environment variable named PASSWORD_CA (the name PASSWORD_CA is just an example and can be changed if desired). The password then never appears in the configuration file, but the variable must be present in the environment of the process that starts the CA server.

Key keyAlias: Name of the entry within the keystore where the private key and the associated public-key certificate can be found (the keystore may contain more than one entry); the default matches the one from the example scripts described in Chapter 2.8.3. To find out the alias names in a PKCS#12 file, use the command openssl pkcs12 -in <filename>.p12 -nodes; the alias is shown as "Friendly Name" in the output. To find out the alias names in a JKS file, use the command keytool -list -keystore <filename>.

Key keyPassword: Password to decrypt the RSA private key contained within the keystore (see entry keyAlias). The special value ENV PASSWORD_CA will cause the mdm CA server to read this password
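The following is an added example, written for this page and not part of mdm, of how a loader for these keys can resolve the ENV-style password references at startup and apply the keystore-isolation rule described above. The XML element names, the "ENV:" spelling of the special value (the manual's punctuation is not legible in this copy) and the file paths are assumptions; a real ca-preferences.xml may be laid out differently.

```python
"""Added example (not mdm code): read keystore settings from a ca-preferences.xml
style file, resolve ENV-style password references and check basic consistency."""
import os
import xml.etree.ElementTree as ET

ENV_PREFIX = "ENV:"   # assumed spelling of the special value "ENV PASSWORD_CA"

# Constructed sample configuration for the example; the element names are an assumption.
SAMPLE_PREFS = """<preferences>
  <certificateFactory>
    <keyStore>/opt/mdm-ca/ca-keystore.p12</keyStore>
    <keyStoreType>PKCS12</keyStoreType>
    <keyStorePassword>ENV:PASSWORD_CA</keyStorePassword>
    <keyAlias>ca</keyAlias>
    <keyPassword>ENV:PASSWORD_CA</keyPassword>
  </certificateFactory>
  <httpServer>
    <https>
      <keyStore>/opt/mdm-ca/https-keystore.jks</keyStore>
      <keyStoreType>JKS</keyStoreType>
      <keyStorePassword>ENV:PASSWORD_SSL</keyStorePassword>
      <trustStore>/opt/mdm-ca/https-truststore.jks</trustStore>
      <trustStoreType>JKS</trustStoreType>
      <trustStorePassword>plaintext-in-file</trustStorePassword>
    </https>
  </httpServer>
</preferences>"""


class ConfigError(ValueError):
    pass


def resolve_secret(value, environ=os.environ):
    """Return the secret for a config value. An ENV: reference is looked up in the
    environment; a missing variable is a hard error so the server never starts with
    an empty password. Any other value is used literally."""
    if value is None:
        raise ConfigError("missing password entry")
    if value.startswith(ENV_PREFIX):
        name = value[len(ENV_PREFIX):]
        if name not in environ:
            raise ConfigError(f"environment variable {name} is not set")
        return environ[name]
    return value


def load_keystore_settings(xml_text, environ=os.environ):
    """Parse the CA keystore and the HTTPS keystore/truststore nodes, resolve their
    passwords and return them together with a list of warnings (literal passwords in
    the file, file extension not matching the declared store type)."""
    root = ET.fromstring(xml_text)
    warnings = []

    def store(node, path_tag, type_tag, pw_tag, label):
        if node is None:
            raise ConfigError(f"{label}: node missing")
        path = node.findtext(path_tag)
        stype = node.findtext(type_tag)
        raw_pw = node.findtext(pw_tag)
        if stype not in ("JKS", "PKCS12"):
            raise ConfigError(f"{label}: store type must be JKS or PKCS12, got {stype!r}")
        if raw_pw and not raw_pw.startswith(ENV_PREFIX):
            warnings.append(f"{label}: password stored literally in the preferences file")
        expected_ext = ".jks" if stype == "JKS" else ".p12"
        if path and not path.endswith(expected_ext):
            warnings.append(f"{label}: {path} does not look like a {stype} file")
        return {"path": path, "type": stype, "password": resolve_secret(raw_pw, environ)}

    cf = root.find("certificateFactory")
    ca = store(cf, "keyStore", "keyStoreType", "keyStorePassword", "CA keystore")
    ca["alias"] = cf.findtext("keyAlias") or "ca"
    ca["key_password"] = resolve_secret(cf.findtext("keyPassword"), environ)
    https = root.find("httpServer/https")
    ks = store(https, "keyStore", "keyStoreType", "keyStorePassword", "HTTPS keystore")
    ts = store(https, "trustStore", "trustStoreType", "trustStorePassword", "HTTPS truststore")
    # Isolation rule from the manual: the CA signing key must not double as the SSL key.
    if ca["path"] == ks["path"]:
        raise ConfigError("CA keystore and HTTPS keystore must be different files")
    return {"ca": ca, "https_keystore": ks, "https_truststore": ts, "warnings": warnings}


if __name__ == "__main__":
    env = {"PASSWORD_CA": "s3cret-ca", "PASSWORD_SSL": "s3cret-ssl"}
    cfg = load_keystore_settings(SAMPLE_PREFS, env)
    print(cfg["ca"]["alias"], cfg["warnings"])
```

Treating a missing environment variable as a startup failure rather than an empty password is deliberate: a CA that comes up with an unset password would either fail later in a less obvious place or, worse, open an unprotected keystore.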
The included configuration will be appended to the generated mdm settings, and therefore settings for the same variable in the include field will override settings generated by mdm.

4.4 The Pool Properties Dialog

The Pool Properties Dialog allows defining value pools which can be used to automatically configure certain variables, e.g. the virtual address for VPNs. Currently mdm allows defining address range pools (CIDR notation; see below for an example).

(Figure 33: The mdm Pool Properties Dialog, "Edit Pool Berlin", with Pool type "IP Networks in CIDR Notation".)

General settings

The entry General settings contains the following parameters for the pool:

Name: A name for the pool. This name will be used when referencing the pool in a variable (see the section Pool values usage in variables below).

Pool type: Currently only the pool type IP Networks in CIDR Notation is available.

Comment: A comment (optional).

Pool definition

The entry Pool Definition allows defining the value range of the pool and the address range of the values to be taken out of the pool. The following figure contains an example of a pool definition.

(Figure: "Edit Pool Berlin", Pool Definition with the settings Network Mask w.x.y.z/24 and Network List.)
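As an added illustration of the pool concept (this is example code written for this page, not part of mdm), the following implements a pool of IP networks in CIDR notation: a Network List of address ranges is split into sub-networks of the configured Network Mask, and each device referencing the pool receives the next free one. That a device gets exactly one value, that an assignment is sticky across re-evaluation, and the 10.73.0.0/22 sample range are assumptions made here.

```python
"""Added example (not mdm code): an address-range pool in CIDR notation that hands
out one sub-network per device, with exhaustion handling and stable assignments."""
import ipaddress


class PoolExhausted(RuntimeError):
    pass


class NetworkPool:
    def __init__(self, name, network_list, mask):
        # network_list: the pool's Network List, e.g. ["10.73.0.0/22"] (constructed sample)
        # mask: the Network Mask of the values taken out of the pool, e.g. 24
        self.name = name
        self.mask = mask
        self._free = []
        seen = []
        for cidr in network_list:
            net = ipaddress.ip_network(cidr, strict=True)
            if net.prefixlen > mask:
                raise ValueError(f"{cidr} is smaller than a /{mask}")
            if any(net.overlaps(other) for other in seen):
                raise ValueError(f"{cidr} overlaps another entry of the network list")
            seen.append(net)
            self._free.extend(net.subnets(new_prefix=mask))
        self._assigned = {}   # management ID -> allocated network

    def allocate(self, management_id):
        """Return the network assigned to a device; a device keeps its network
        on repeated calls, so re-uploading a configuration does not renumber it."""
        if management_id in self._assigned:
            return self._assigned[management_id]
        if not self._free:
            raise PoolExhausted(f"pool {self.name} has no free /{self.mask} left")
        net = self._free.pop(0)
        self._assigned[management_id] = net
        return net

    def release(self, management_id):
        """Give a device's network back to the pool, e.g. when the device is deleted."""
        self._free.append(self._assigned.pop(management_id))

    def remaining(self):
        return len(self._free)


def render_variable(pool, management_id, host_index=1):
    """Value a pool-backed variable would receive: the n-th usable host address of
    the device's network, used here as the device's virtual VPN address."""
    net = pool.allocate(management_id)
    return str(list(net.hosts())[host_index - 1])


if __name__ == "__main__":
    pool = NetworkPool("Berlin", ["10.73.0.0/22"], 24)
    for dev in ("dev-1", "dev-2"):
        print(dev, pool.allocate(dev), render_variable(pool, dev))
```

Raising on an exhausted pool instead of silently reusing a network matters for VPNs: two devices sharing a virtual address range would produce overlapping routes on every peer.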
2.8.1 Overview
2.8.2 Installation procedure
2.8.3 Creation of the keys and certificates using the demoCA scripts
2.8.4 Manual creation of the CA keys and certificates
2.8.5 Configuration of the mdm CA
2.8.6 Starting the CA
2.9 Pre-configuration of the mGuards
2.10 Installation of an HTTPS configuration pull server
2.11 Securing the communication between mdm components
2.11.1 Create the private key and the keystore for each component
2.11.2 Create the truststores
3 mdm client overview
3.2 The mdm main window
3.3 Device overview table
3.3.1 The device context menu
3.4 Template overview table
3.4.1 The template context menu
Management ID: The management ID of the device.

Templates: A comma-separated list of the device's ancestor templates. The first item in the list is the immediate parent template.

Status V (VPN group status): one of three icons: not a member of a VPN group; member of exactly one VPN group; member of more than one VPN group. Hovering over one of the latter two icons with the mouse cursor displays a tooltip listing the VPN group(s) in which the device is a member.

Version: The firmware version currently selected in mdm for this device.

Status F (firmware status):
- Unknown
- OK: the firmware upgrade was successful and the firmware version configured in mdm corresponds to the firmware version on the device.
- Upgrade scheduled
- Upgrade running
- Version mismatch: the firmware version configured in mdm and the firmware version on the device do not match.
- Error: an error occurred during the firmware upgrade.

Version on device: The firmware version currently installed on the device. Please refer to Chapter 4.3 for more information. If the device is in redundancy mode (see Chapter 4.10 for more details), the firmware versions of both devices, separated by a comma, are shown.

Accessible via: The IP address or host name which is used by mdm to access the device. This address can be configured in the General settings of the Device Properties Dialog (see Chapter 4.3). Without an Accessible via address it is not possible to
...Template Properties Dialog (see Chapter 4.2).

Templates: A comma-separated list of the template's ancestor templates. The first item in the list is the immediate parent template.

Version: The mGuard firmware version that is used for the template.

Comment: Optional comment. The comment can be set in the General Settings of the Template Properties Dialog (see Chapter 4.2).

Use count: This column shows the number of devices or other templates using this template.

Filtering and sorting the table: The header of the table can be used to sort the table entries. A click on a header of a column activates the primary sort based on this column; this is indicated by the arrow in the column header. A second click on the same header reverses the sort order. Clicking on another column header activates the sort based on this new column; the previously activated column is used as secondary sorting criterion. The first row of the table accepts the input of regular expressions (please refer to Chapter 8, Regular expressions), which can be used to efficiently filter the table entries. Filtering based on regular expressions is not used for the column that does not contain text, i.e. column S. The filter criterion for the Use count column is not interpreted as a regular expression but as a comma-separated list of numbers or number ran
...mentioned here:

- Certificates and private keys: Certificates are the means in a PKI to assure authentication. The identity of the certificate owner is approved by a CA by signing the certificate request of the respective owner. The public and private keys are used to encrypt and decrypt data and therefore assure data confidentiality. (In practice, as in IPsec, the asymmetric key pair authenticates the peers and protects the key agreement; the traffic itself is encrypted with symmetric session keys derived from that exchange.)

- Certification Authority (CA): A Certification Authority is a component in a PKI which assures authenticity of the participating entities by signing certificate requests, i.e. issuing certificates. Usually there are multiple CAs in a PKI, organized in a hierarchical structure with one root CA at the top.

- CRL Distribution Points (CDP): See the following section, Certificate extensions.

- Entities communicating with each other: The entities using a PKI use certificates to authenticate themselves and use the public/private key pairs to encrypt and decrypt the exchanged data. The entities request certificates from the CA. Usually a Registration Authority (RA) is also part of a PKI. The RA is responsible for the initial registration of entities that would like to use the PKI. An RA is not required in the mdm usage scenario.

Contents of a certificate

As mentioned in the previous chapter, a certificate contains the following information:
- the public key of the entity;
- information about the entity, e.g. the name and/or the IP address;
- further information, e.g. about the certificate and the infrastructure.

The following sections
Accept the default settings in the following windows and start the installation process.

Here are some common recommendations in case you encounter problems during the installation. They were copied from the "Running & Installing PostgreSQL On Native Windows" FAQ, which can be found at http://wiki.postgresql.org/wiki/Running_%26_Installing_PostgreSQL_On_Native_Windows. In case the following hints cannot solve your problems, please check the FAQ for more detailed information.

- If you cannot install PostgreSQL using mstsc, use mstsc /console. You cannot use a Terminal Server console to install PostgreSQL, but only a local console.

- If you decide to create the user account to run the PostgreSQL service manually, make sure that the account has "Log on as a service" and "Log on locally" rights. The "Log on locally" right is only required for the install part and can be removed once the installation is completed, if security policies require it. Rights are granted and revoked using the Local Security Policy MMC snap-in. "Log on locally" is default, and "Log on as a service" will normally be granted automatically by the installer. Note that if your computer is a member of a domain, the settings of the security policies may be controlled at the domain level using Group Policy.

- Make sure that the specific postgres account has the correct access rights for the PostgreSQL installation directory. The PostgreSQL servic
...the other keys of the ca-preferences.xml file not mentioned in the previous step (for an explanation of all keys refer to Chapter 2.8.5).

Start the CA server (see Chapter 2.8.6).

2.8.3 Creation of the keys and certificates using the demoCA scripts

Instead of manually creating the keys and certificates, you can also use the scripts provided in the installation archive mdm-ca-1.6.x.zip. This chapter describes how to adapt the scripts and configuration files to meet your requirements. If you prefer to create the certificates and keys manually, you can skip this chapter and continue with Chapter 2.8.4. However, if you are interested in detailed information about creating keys and certificates, please refer to Chapter 7.

The scripts generate all required keys, keystores and certificates, including the CA certificates and the SSL certificates, i.e. after following the steps described in this chapter the communication paths between the mdm components are already secured (see Chapter 2.11).

If you would like to use an OpenSSL version older than 0.9.8, you have to change the digest algorithm in the scripts to an algorithm supported by your OpenSSL version. The digest algorithm is configured in the files set-env.bat / set-env.sh. Be aware that the digests available in such old releases (MD5, SHA-1) are no longer considered secure for certificate signatures; upgrading OpenSSL is the better option than downgrading the digest.

Installation

The demoCA directory contains scripts to be used with Linux and with Windows. The names of the scripts for the different OS are alike; just the extension differs (.sh for Linux a
...refer to www.regular-expressions.info.

Template: A set of mGuard variables and the corresponding values and permissions. The template can be used, i.e. inherited from, by a device or another template. A change in the template applies to all inheriting devices and templates, depending on the access privilege settings. The template is used in mdm only, not on the mGuard. See also Inherited value and Permissions.

X.509 certificates: Digital certificates have been specified in the standard X.509 issued by the ITU-T. A profile of that standard is published as RFC 3280 (since superseded by RFC 5280). Such certificates certify the identity of an entity. The certificate includes the entity's public key and an electronic signature from the Certification Authority (CA). X.509 certificates are organized hierarchically. A root CA creates a self-signed trust anchor, which needs to be configured as such for applications verifying digital signatures or certificates. The identity and trustworthiness of the intermediate CAs is certified with a CA certificate issued by the root CA or the upstream intermediate CA, respectively. The identity of the end entities is certified with a certificate issued by the lowest CA. Each certificate can contain extensions for the inclusion of arbitrary additional information. mdm supports the creation of end-entity certificates for VPN connection end points and the optional inclusion of the CDP and AIA extensions. For detailed information on digital certificates plea
(Figure: Device Properties Dialog. Navigation tree: General settings; Management; Blade Control; Network: Interfaces (General, Network Mode, Stealth configuration, Static Stealth configuration, External networks, Internal networks, PPPoE settings, PPTP settings, Modem settings, Ethernet, Serial port, Hardware), DNS, DHCP, Proxy settings; Authentication; Network security; Virus Protection; IPsec VPN; Quality of Service; Redundancy; Logging. Panel "External networks": Obtain external configuration via DHCP; IP of external interface 10.73.127.256; Netmask of external network 255.255.255.0; Default gateway 10.73.127.254; Use VLAN; "inherited" marker; External aliases table with the columns IP address, Netmask, Use VLAN.)

...icons in the navigation tree, as shown in the following figure for the external IP.

Figure 22: Input verification (invalid input)

Indication of changed values

(Figure: "Edit Device Gateway London". Navigation tree: General settings; Management; Blade Control; Network: Interfaces (General, Network Mode, Stealth configuration, Static Stealth configuration, External networks, Internal networks, PPPoE settings, PPTP settings, Modem settings, Ethernet, Serial port, Hardware), DNS, DHCP, Proxy settings; Authentication; Network security; Virus P...)
The entry General settings is for the configuration of parameters related to mdm.

Name: The name of the template.

Firmware version: Since different firmware versions of the mGuard have different sets of variables, the firmware version (or variable set) the template should use has to be selected here. It is not possible to downgrade to an older release, so please be very careful when changing the firmware version. See Chapter 5.2.2 for more details. For more information on how to manage firmware upgrades of your devices with mdm, please refer to Chapter 3.12.

Template: The parent template of this template.

Accessible via: This is the address used by the mdm server to access the mGuard for an SSH push of the configuration or to open the web interface. Please refer to Chapter 3.9 for more information on the upload procedure. The following values are available for Accessible via:
- Not online manageable: the device is not managed via SSH push.
- Internal interface in auto stealth mode (1.1.1.1): mdm accesses the mGuard using the address 1.1.1.1 (address of the internal interface in automatic stealth mode).
- Stealth management address: mdm accesses the external or internal interface of the mGuard in stealth mode.
- First external IP address: mdm accesses the external interface of the mGuard in router mode.
- First internal IP address: mdm accesses the internal interface of the mGua
...Karsten Lentzsch. All rights reserved. TinyRadius Copyright 2005-2010 Matthias Wuttke. See the license texts included in the software distribution for the copying terms applying to these software components. The source code for these software components is contained on the mGuard device manager CD.

Innominate Document Number UG301602914 055

Contents

1 Introduction
2 Installation
2.1 System requirements
2.2 Upgrading from an earlier version
2.3 Installation on a Microsoft Windows server
2.4 Manual installation of the mdm client, the mdm server and the database
2.4.1 Installation on Windows
2.4.2 Installation on Linux
2.5 Installation of the license
2.6 mdm server configuration
2.7 Start the mdm server and the mdm client
2.8 mdm Certification Authority (CA) installation
...SSH Host Key checkbox. The new SSH host key will be set with the next SSH connection. Before doing so, verify the new key's fingerprint out of band (e.g. on the device's console): accepting an unexpected host key change without checking removes the only protection SSH offers against a man-in-the-middle between mdm and the device.

User authentication failed: This error indicates that the user credentials (username admin and the password stored in the device's active password) were not accepted. It can also indicate that the SSH authentication method "password" was not accepted by the mGuard.

I/O failed / Upload failed: This error indicates that an input/output (I/O) failure has occurred. In the case of SSH uploads this is probably a transient error and a retry should be scheduled. In the case of filesystem output (pull config) the failure is probably not transient and the cause should be examined by the user.

Concurrent configuration upload: This indicates that another upload is currently active for the same device. An example is an SSH upload that detects a running pull config script. The usual way to handle this is to reschedule this update.

Configuration rejected: This indicates that the device has rejected the configuration as invalid.

Upload timeout: This indicates that the SSH connection to the device has timed out, i.e. the device has not reacted to the commands initiated by mdm within a given (configurable) time frame. If the configuration contains a large number of VPN connections, it might be necessary to increase the timeout (see Chapter 2.6, node service/storage/update/ssh/deadPeerDetectionTimeout).

License could not be installed: This indicate
...detected. When importing a PKCS#12 file, a dialog asking for the password is displayed.

You can convert a PKCS#12 file to PEM using the command:

openssl pkcs12 -in inputfile.p12 -nodes -out outputfile.pem

Note that -nodes writes the private key unencrypted into outputfile.pem; restrict the file's permissions and delete it once the import is done.

When SCEP is used, the CA server must be configured to issue certificates immediately. Pending requests are not supported.

Requesting a machine certificate

In order to request a certificate from the mdm CA, the CA component has to be installed (see Chapter 2.8). Prior to requesting a certificate, make sure that the certificate attribute fields contain the desired values: for mGuard firmware 4.2 navigate to IPsec VPN > Global > Machine certificate > Certificate attributes; for mGuard firmware 5.0 or newer navigate to Authentication > Certificates > Certificate settings and Certificate attributes.

To request a certificate, select one or more devices in the device overview table and select Certificate Handling > Request Additional Certificate or Certificate Handling > Request Replacement Certificate from the context menu. The difference is that Request Additional Certificate will append the new certificate to the list of existing certificates, while Request Rep
...between 01 and 31, optionally followed by an ISO time hh:mm:ss, where hh is the hour according to the 24-hour timekeeping system, mm is the minute and ss is the second. For example, a quarter past 4 p.m. and 20 seconds on December 22nd, 2010 would be written as 2010-12-22 16:15:20. Alternatively, click on the calendar icon to select the date from a calendar.

Device configuration must have been uploaded or exported: The criterion can be combined with the others. If the checkbox is checked, only history entries pertaining to configurations which have been uploaded to an mGuard or exported for pull configuration are considered.

Generating the report: The report consists of an HTML file which can be viewed with any web browser. The name of the file to which to write the report is specified in the Report field. If the Open finished Report in Browser checkbox is checked, mdm automatically opens a web browser and loads the report.

7 Creating and managing certificates

It is assumed that the reader has a basic knowledge of certificates and public key encryption. This chapter explains the usage of OpenSSL to create certificates. It is important to note that mdm requires two different types of certificates and keys:
- certificates and keys used to secure the communication between the mdm components;
- certificates and keys used for the PKI
...explain the contents in more detail.

The Subject Distinguished Name

The Subject Distinguished Name is a unique identifier of the certificate and its owner. It is composed of several components:

Abbreviation | Name                | Explanation
CN           | Common Name         | Identifies the person or object owning the certificate, for example CN=server1
E            | E-mail Address      | Identifies the e-mail address of the owner
OU           | Organizational Unit | Identifies a unit within the organization, for example OU=Research & Development
O            | Organization        | Identifies the organization, for example O=Innominate
L            | Locality            | Identifies the place where the entity resides; the locality can e.g. be a city, L=Berlin
ST           | State               | Identifies the state, for example ST=Berlin
C            | Country             | Two-letter code identifying the country, for example C=DE for Germany

Depending on your policy, not all of the components are mandatory, but if the extension Subject Alternative Name is not included in the certificate, at least one component that can be used as identifier has to be included; typically this is the Common Name (CN). Please note that currently the mdm CA cannot handle certificates with Subject Alternative Name extensions, so for certificates issued by it the Subject must carry the identifier.

Certificate extensions

Information about the certificate or the infrastructure is contained in the so-called certificate extensions. Basically anyone can define their own extensions, but the stan
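The following added example (written for this page; not mdm or OpenSSL code) parses a Subject Distinguished Name given in the comma-separated form of the table above, enforces the constraint just stated (an identifying component, normally CN, is required because the mdm CA does not support Subject Alternative Name) and renders the result in the slash-separated form that openssl req -subj accepts. Backslash escaping of separators follows RFC 4514; the sample DNs are constructed.

```python
"""Added example (not mdm code): parse and validate a Subject Distinguished Name
and render it for 'openssl req -subj'."""

KNOWN = {"CN": "Common Name", "E": "E-mail Address", "OU": "Organizational Unit",
         "O": "Organization", "L": "Locality", "ST": "State", "C": "Country"}
ALIASES = {"EMAILADDRESS": "E", "S": "ST"}          # spellings seen in other tools
OPENSSL_NAMES = {"E": "emailAddress"}               # openssl -subj spelling for E


def parse_dn(dn):
    """Split 'CN=server1, OU=Research \\& Development, O=Innominate' into a list of
    (type, value) pairs. A backslash escapes the following character, so commas
    and equals signs inside values survive; the order of components is kept."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("dangling escape character at end of DN")
    parts.append("".join(buf))

    components = []
    for part in parts:
        part = part.strip()
        if not part:
            continue                      # tolerate a trailing comma
        if "=" not in part:
            raise ValueError(f"component without '=': {part!r}")
        key, value = part.split("=", 1)
        key = key.strip().upper()
        key = ALIASES.get(key, key)
        if key not in KNOWN:
            raise ValueError(f"unknown attribute type {key!r}")
        value = value.strip()
        if not value:
            raise ValueError(f"empty value for {key}")
        components.append((key, value))
    return components


def check_subject(dn):
    """Return (components, errors) for a DN intended for the mdm CA: CN must be
    present since the CA cannot fall back to a SAN extension, and C must be a
    two-letter code."""
    components = parse_dn(dn)
    errors = []
    types = {k: v for k, v in components}
    if "CN" not in types:
        errors.append("CN missing: the mdm CA needs an identifier in the Subject, "
                      "because Subject Alternative Name is not supported")
    if "C" in types and len(types["C"]) != 2:
        errors.append("C must be a two-letter country code")
    return components, errors


def to_openssl_subj(components):
    """Render components in the '/TYPE=value' form accepted by 'openssl req -subj';
    a literal '/' inside a value is escaped so it is not read as a separator."""
    return "".join(f"/{OPENSSL_NAMES.get(k, k)}={v.replace('/', chr(92) + '/')}"
                   for k, v in components)


if __name__ == "__main__":
    comps, errs = check_subject("CN=server1, OU=Research \\& Development, O=Innominate, "
                                "L=Berlin, ST=Berlin, C=DE")
    print(to_openssl_subj(comps), errs)
```

Rejecting unknown attribute types rather than passing them through is a deliberate choice for a CA front end: a typo such as "CN =" or "Cn" should fail loudly before a request is signed, not produce a certificate with an empty or misnamed identifier.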
...keystore. In the example the Java keystore format (JKS) is used. This can be accomplished with the tool ImportKey. ImportKey accepts the unencrypted key on standard input only; therefore the output of the pkcs8 command has to be piped as follows:

openssl pkcs8 -topk8 -in privkey.pem -passin pass:yourSSLPW -inform PEM -nocrypt -outform DER | java -cp . ImportKey -alias yourAlias -storetype JKS -keystore serverKeystore.jks -storepass pass:yourSSLPW -keypass pass:yourSSLPW -chain serverCert.pem

Because of -nocrypt the private key leaves openssl unencrypted, but only into the pipe, never into a file; keep it that way rather than writing an intermediate DER file to disk.

Explanation of the openssl arguments:
- pkcs8: the pkcs8 command is used to process private keys in PKCS#8 format.
- -topk8: use a traditional-format private key as input and write a key in PKCS#8 format.
- -in filename: the name and the location of the input file (in the example privkey.pem).
- -passin pass:password: the password required to decrypt the input (in the example yourSSLPW).
- -inform PEM: the input format of the key is PEM.
- -nocrypt: the output key is not encrypted.
- -outform DER: the output format is DER.

Explanation of the ImportKey arguments:
- -alias name: a keystore can contain multiple entries. The alias identifies the entry and therefore has to be unique in the keystore. Aliases are case-insensitive.
- -keystore filename: the file containing the keystore (in the example serverKeystore.jks).
- -storetype JKS: use JKS as format for the keystore.
- -storepass pass:password: Passwor
...defined as local variable by selecting Local as value.

Inherited value: Devices or templates using a parent template inherit the values defined in the parent template. Depending on the permission setting, the inherited value can or cannot be overridden in the inheriting devices and templates.

Management ID: A unique logical identifier, independent of the physical hardware, that identifies each device (as opposed to an identifier of the physical device, e.g. the serial number).

OCSP: The Online Certificate Status Protocol (OCSP) specifies the message format for a service responding with current revocation status information on individual certificates upon request. Such a service is conventionally embedded within an HTTP server; thus most OCSP servers use HTTP as transport layer for the OCSP messages. Such an OCSP server is operated by some Certification Authorities as alternative to or replacement for CRLs. For detailed information on OCSP please refer to RFC 2560 (since superseded by RFC 6960).

Permissions: The permissions in a template determine whether the user configuring an inheriting device or template can override (modify) the settings of the parent template.

Regular expressions: Regular expressions are text strings to match portions of a field using characters, numbers, wildcards and metacharacters. Regular expressions can be used in mdm to filter the device, template or pool table. For detailed information on regular expressions please ref
...for the issuer of the certificate in which the extension appears. Such an extension is used to identify the OCSP server which provides current revocation status information for that certificate. mdm supports the inclusion of an AIA extension containing the URL of a single OCSP server. For detailed information on the AIA extension please refer to RFC 3280 (since superseded by RFC 5280).

CDP: The certificate extension called CRL Distribution Points (CDP) identifies how CRL information is obtained for the certificate the extension is included in. mdm supports the creation of certificates containing the CDP extension with a single http URL enclosed therein. The URL specifies the download location of the actual CRL. For more detailed information on CRL Distribution Points please refer to RFC 3280.

CRL: A Certificate Revocation List (CRL) is issued regularly by a Certification Authority (CA) to provide public access to the revocation status of the certificates it issued. A CRL is a list of revoked certificates identified by serial number. Once a certificate is revoked it is considered to be invalid. A revocation becomes necessary in particular if the associated private key material has been compromised. For more detailed information on CRLs please refer to RFC 3280.

Local mGuard variables: Local mGuard variables are not managed by mdm but only by the netadmin locally on the mGuard. Within mdm, in the Template Properties Dialog or the Device Properties Dialog, each variable can be de
...ranges, e.g. 0, 2-3. The filter history is saved for the current user and can be accessed using the drop-down functionality of the filter fields.

Creating templates

There are several ways to create new templates:
1. Open the context menu by clicking on the template table with the right mouse button. To open the Template Properties Dialog for a new template, select Add in the context menu.
2. Select the Template tab and click on the icon in the menu bar to open the Template Properties Dialog for a new template.
3. Select New Template in the main menu to open the Template Properties Dialog for a new template.

Editing templates

There are several ways to edit a template:
1. Double-click with the left mouse button on the template in the table to open the Template Properties Dialog.
2. Select the template with the left mouse button and open the context menu by pressing the right mouse button. Then select Edit to open the Template Properties Dialog.
3. Select the template to be modified in the template table. Select Edit > Edit Item in the main menu to open the Template Properties Dialog.

The Edit entry in the context menu and the Edit button in the toolbar are only enabled if exactly one template is selected in the template table.

Deleting templates

There are several methods to delete templates:
1. Select the template(s) and open the context menu by clicking with the right mouse button. To delete the templates, select Delete in the context menu.
2. Select the temp
119. he Key Usage extension.

Subject Alternative Name: The extension Subject Alternative Name can be used to add more identifiers to the certificate. Subject Alternative Name can contain e.g. e-mail addresses, domain names etc. It can be used as a substitute for the Subject as well, which must be empty in this case. Please note that the mdm CA is currently not able to handle Subject Alternative Name extensions.

CRL Distribution Points (CDP): Certificates can be revoked, e.g. if a private key was compromised or if it is no longer valid. Usually an application has to check whether a certificate is still valid by checking the validity period and/or by retrieving revocation information from a CRL distribution point (CDP). To retrieve the information, either Certificate Revocation Lists (CRL) can be used or a dedicated protocol like OCSP. However, the certificate should contain the information which CDP should be contacted.

Authority Information Access: Authority Information Access is not an X.509 standard extension but an extension defined by the PKIX working group (http://www.ietf.org/html.charters/pkix-charter.html). Authority Information Access contains information about the issuing CA, e.g. policies, further root certificates, or where to retrieve the higher certificates in the chain if the complete chain is not contained in the certificate.

Depending on the settings of these extensions, the receiver (not the owner) of a certificate accepts or denies
120. he following columns:

Note: The column width can be changed by placing the cursor on the header of the table at the border of two columns and dragging the border to the desired location. The order of the columns can be changed by dragging the column header to a different location.

Status: The status icon shows whether the VPN group is currently locked.
Name: The name assigned to the VPN group. The name can be set in the General Settings of the VPN Group Properties Dialog (see Chapter 4.8).
Members: A comma-separated list of the devices which are members of the VPN group, i.e. which are a part of the meshed VPN network defined by the VPN group.
Version: The mGuard firmware version that is used for the VPN group.
Comment: Optional comment. The comment can be set in the General Settings of the VPN Group Properties Dialog (see Chapter 4.8).
Member Count: This column shows the number of devices which are members of the VPN group.

Filtering and sorting the table: The header of the table can be used to sort the table entries. A click on the header of a column will activate the primary sort based on this column. This is indicated by the arrow in the column header. A second click on the same header will reverse the sort order. Clicking on another column header activates the sort based on this new column; the previously activated column will be used as secondary sorting criterion. The first row of the table accepts the input of regular expressions, pl
121. he mdm installs the configuration files on the mGuards using SSH. Therefore SSH access has to be permitted on the mGuards if mdm is using the external (untrusted) interface to upload the configuration. Select Management > System settings > Shell access in the menu of the Web user interface and enable SSH remote access. For more detailed information on SSH remote access, please consult the mGuard Reference Manuals.

Note: If you enable remote SSH access, make sure that you change the default admin and root passwords to secure passwords.

Note: mdm is using the admin password to log into the Innominate mGuard. If the password was changed locally on the device, please change the password setting in mdm accordingly using the Set Current Device Passwords option in the context menu of the device overview table. Otherwise mdm is not able to log into the device. The current root password is part of the configuration file. If the password was changed locally on the device, please change the password setting in mdm accordingly. Otherwise the mGuard will reject the configuration.

2.10 Installation of an HTTPS configuration pull server

To transmit information on the configuration status of an mGuard, the HTTPS pull server has to send SYSLOG messages to the mdm server (pull feedback). Please make sure that neither the communication between the HTTPS server and the mdm server nor the communication between the HTTPS pull server and the mGuards is blocked by a firewall.
122. his password upon startup from the environment variable named PASSWORD_SSL (the name PASSWORD_SSL is just an example and can be changed if desired).

Node session
Key maxInactiveInterval: The maximum time interval of inactivity, in seconds, that the server will keep a session open between client accesses. A negative or zero time (default) indicates that a session should never time out.
Note: Please note that this timeout will be reset only if there is an interaction between client and server. Actions that are local to the client, i.e. scrolling in a table or changing between the device, template, pool or VPN group tab, will not reset the inactivity timeout.
Key maxConcurrentSessions: The maximum number of concurrent sessions (connected clients). A negative or zero count (default) indicates that the upper limit of the number of concurrent sessions is defined by the license.

Node storage
Node database
Key host: The IP address or host name mdm should connect to to get access to the PostgreSQL database (default 127.0.0.1).
Key port: The port that mdm should use to connect to the database (default 5432).
Key name: The name of the database (default innomms).
Key user: The user of the database (default innomms).
Key password: The password to be used to connect to the database (default ENV:PASSWORD_DB). The special value ENV:PASSWORD_DB will cause the mdm server to read this password upon startup from th
123. ice Licenses and Licenses > Manage License Vouchers, which are explained in detail in the following sections.

Managing License Vouchers
Requesting (generating) licenses
Managing Device Licenses

To open the Voucher Management Window, please select Licenses > Manage License Vouchers from the main menu.

[Figure 15: The Voucher Management Window. Voucher types listed: Upgrade professional > enterprise, Anti-Virus 1 Year subscription, Anti-Virus 1 Month subscription, Upgrade base > enterprise, Upgrade industrial enterprise FW > industrial, Anti-Virus ClamAV unlimited, Upgrade VPN 10, Upgrade VPN 250, Upgrade FW Redundancy, Major Release Upgrade, Major Release Upgrade VPN 250, Major Release Upgrade FW Redundancy, Upgrade VPN TunnelGroup; columns Voucher Type and Availability; controls Choose File and Import.]

The window shows the available number of vouchers per voucher type. To import vouchers, either paste the voucher information into the import field or select a file that contains the voucher data, and then click on Import. Only CSV is supported as import format, i.e. each line of the import data has to contain the following information: <serial number> <voucher key>.

At least one voucher of the corresponding type (major release upgrade, VPN etc.) has to be imported into mdm before requesting a device license. Furthermore, the flash ID and the serial number are requi
124. if the current firewall table is for incoming traffic, the incoming firewall table for non-VPN traffic is copied; likewise for outgoing traffic. A separate background color is used to indicate which firewall rules have been copied. The background color is cleared once a different navigation tree node is opened.

These hints are useful if the tunnel group feature is not used and the VPN connections are explicitly defined.

Note: In 1:N VPN configurations it is recommended to define the VPN connection in a template and select the central device in the Peer device field (see section Automatic configuration of peer above). If you assign this template to the devices, mdm will automatically generate the N connection configurations for the central device. In a 1:N VPN configuration it is required for the configuration of the peer to specify the gateway address of the current device (see Figure 36, Configuration of peer device > Gateway address of peer). If certificates are used, any (as shown in Figure 36) can be used as address in the template, but if PSK authentication is used, any is not allowed. If PSK authentication is used, the external address (if no NAT is used) has to be entered into the field Configuration of peer device > Gateway address of peer for each device.

4.6 Managing X.509 certificates

Exporting Certificates: The functionality of the certificate management depends on the mGuard release. Beginning with mGuard firmware release 5.0
125. ighly recommended to change the default passwords after installation; please refer to Chapter 3.11, subsection Changing user settings, for more information.

Multiple mdm clients using an mdm server instance concurrently are fully supported only by the mdm 1.6 Unlimited Edition. All other available editions still have the limitation to two concurrent clients.

Entities are locked if this is necessary to prevent two users from editing the same variable simultaneously. This includes inheritance hierarchies, where a user could edit a variable that a descendant template or device inherits, but not synthesized VPN connections, which are read-only in the receiving device. If another user tries to open the device or the template, an error message will be displayed. If a client opens a Template Properties Dialog, then the template and all devices referencing this template will be locked and cannot be opened by another user. The same is true for pools and VPN groups.

In case the connection between a client and a server is interrupted and cannot be terminated gracefully, the device/template/pool/VPN group that was locked by that client will get released after an inactivity timeout (can be configured in the server configuration, see Chapter 2.6, key maxInactiveInterval), i.e. it could happen that certain settings cannot be accessed until the inactivity timeout is reached.

3.2 The mdm main window

The following screensh
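The locking rules above (a template lock covers every device and template below it, another client's open attempt fails with an error, and a silent client's locks are released once the inactivity timeout has elapsed) can be modelled compactly. The following is an added illustrative example, not mdm's own implementation: the class and exception names, the parent/child map, and the injected clock are assumptions made for this example.

```python
"""Model of mdm-style entity locking (added example, not mdm code).

Assumptions: entities form a tree (each template or device names its parent
template or None); opening an entity locks it and all of its descendants;
a client's locks expire when the client has not interacted with the server
for longer than max_inactive_interval seconds (0 or less: never expire)."""
import time
from collections import defaultdict


class EntityLocked(Exception):
    """Raised when another client already holds a lock on the entity."""


class LockManager:
    def __init__(self, parent_of, max_inactive_interval, clock=time.monotonic):
        self.parent_of = dict(parent_of)        # entity -> parent template or None
        self.timeout = max_inactive_interval    # seconds, like maxInactiveInterval
        self.clock = clock                      # injectable for deterministic tests
        self.locks = {}                         # entity -> client holding it
        self.last_seen = {}                     # client -> time of last interaction
        self.children = defaultdict(set)
        for child, parent in self.parent_of.items():
            if parent is not None:
                self.children[parent].add(child)

    def _descendants(self, entity):
        """All templates and devices that inherit (directly or not) from entity."""
        stack, found = [entity], set()
        while stack:
            for child in self.children.get(stack.pop(), ()):
                if child not in found:
                    found.add(child)
                    stack.append(child)
        return found

    def _expire_stale(self):
        """Release locks of clients whose last interaction is older than the timeout."""
        if self.timeout <= 0:
            return
        now = self.clock()
        for client, seen in list(self.last_seen.items()):
            if now - seen > self.timeout:
                self.release_all(client)

    def touch(self, client):
        """Record a client/server interaction; purely client-local actions never call this."""
        self.last_seen[client] = self.clock()

    def open_entity(self, client, entity):
        """Open an entity for editing; returns the sorted list of entities now locked."""
        self._expire_stale()
        self.touch(client)
        wanted = {entity} | self._descendants(entity)
        others = {self.locks[e] for e in wanted if e in self.locks} - {client}
        if others:
            raise EntityLocked(f"{entity} or a descendant is locked by {sorted(others)}")
        for e in wanted:
            self.locks[e] = client
        return sorted(wanted)

    def close_entity(self, client, entity):
        """Release the locks that opening entity acquired for this client."""
        self.touch(client)
        for e in {entity} | self._descendants(entity):
            if self.locks.get(e) == client:
                del self.locks[e]

    def release_all(self, client):
        """Drop every lock of a client, e.g. after its session was lost."""
        for e in [e for e, c in self.locks.items() if c == client]:
            del self.locks[e]
        self.last_seen.pop(client, None)

    def holder(self, entity):
        return self.locks.get(entity)
```

The point to notice is that a client which only scrolls or switches tabs never calls `touch`, so its locks eventually expire even though its window is still open, which is exactly the situation the manual warns about.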
126. ique ID, which is automatically assigned and cannot be changed, is used as the name for the configuration file. The filename is shown in this field. Optionally, additional export files following a different naming scheme can be generated; please refer to Chapter 2.6 for more information.

Serial number: The serial number of the device. The serial number is required for the license handling. It can be manually set but is overridden with the value found on the device every time a push upload is performed or a pull feedback is received. If no push upload is ever performed and no pull feedback is ever received (e.g. in a usage scenario where the exported configuration profiles are installed manually on the devices), the serial number has to be entered here if you would like to create pull configuration filenames containing the serial number.

Flash ID: The flash ID of the device. The flash ID is required for the license handling. This field can be manually set but is overridden with the value found on the device every time a push upload is performed or a pull feedback is received.

Comment: An optional comment.

Additional ATV include: This is a text field for additional settings that should be included in the configuration file of the mGuard. The input has to adhere to the mGuard configuration file conventions. You can also import the contents of a text file into the field by selecting a file with the File Chooser icon.

Note: Please note that the includ
127. is checked, mdm automatically removes some checkboxes so that it is not possible to reverse the order. Activating two different entries is easiest when the table is sorted by creation date.

Status U: The U column shows the upload status if the configuration corresponding to the history entry has been uploaded to an mGuard or exported for pull config. Please refer to Chapter 3.3 for a list of available upload statuses and their meanings. One additional upload status is available in the configuration history dialog:
- Not uploaded (x): The configuration corresponding to the history entry has not been uploaded to an mGuard or exported for pull config.
If the same configuration is uploaded or exported two or more times, the latest configuration history entry is duplicated so that one entry exists for every successful or unsuccessful upload attempt.

Status V: The V status indicates whether or not the configuration corresponding to the history entry is valid. A configuration is not valid if a None value in a template has not been overridden, so that the configuration cannot be uploaded to an mGuard. Please refer to Chapter 4.1 for more information. A history entry corresponding to an invalid configuration cannot be activated.

Creation Date: The date and time when the configuration history entry was created.

Version: The firmware version that was set for the device when the configuration history Creat
128. is product includes the following software:
- PostgreSQL JDBC driver: Copyright 1997-2010 PostgreSQL Global Development Group
- Jetty: Copyright 1995-2007 Mort Bay Consulting Pty Ltd; Copyright 1999 Jason Gilbert; Copyright 1999-2005 Sun Microsystems, Inc. All rights reserved; Copyright 2002 International Business Machines Corporation; Copyright 2004-2006 The Apache Software Foundation; Copyright 2006 Tim Vernum; Copyright 2007 CSC Scientific Computing Ltd
- Commons DBCP: Copyright 1999-2007 The Apache Software Foundation
- Commons Pool: Copyright 1999-2004 The Apache Software Foundation
- Commons Codec: Copyright 2001-2004 The Apache Software Foundation
- Commons HttpClient: Copyright 1999-2007 The Apache Software Foundation
- Commons Logging: Copyright 2003-2007 The Apache Software Foundation
- Tar library from Ant: Copyright 1999-2006 The Apache Software Foundation
- Bouncy Castle Provider and CMS: Copyright 2000-2010 The Legion Of The Bouncy Castle (http://www.bouncycastle.org)
- jSCEP: Copyright 2009-2010 David Grant; Copyright 2010 ThruPoint Ltd
- JSch and JZlib: Copyright 1995-1998 Jean-loup Gailly and Mark Adler; Copyright 2000-2009 Atsuhiko Yamanaka, JCraft, Inc. All rights reserved
- JGoodies Common library from JGoodies: Copyright 2009-2011 JGoodies Karsten Lentzsch. All rights reserved
- JGoodies Looks library from JGoodies: Copyright 2001-2011 JGoodi
129. l Settings > Local, or, if the device is operated in router mode, it can be automatically derived. If the IPsec VPN > VPN Group Configuration > Tunnel Settings > Use first internal address as local VPN network in router mode variable is set to Yes, mdm uses the first internal address and associated netmask, so that the corresponding local network is visible through the VPN tunnel. The setting has no effect in stealth mode, i.e. if the device is operated in stealth mode, the local VPN network must always be specified.

Local 1:1 NAT: VPN group connections can be configured to perform 1:1 NAT on local addresses. None of the other NAT mechanisms for VPN connections are available in VPN group connections. Local 1:1 NAT is enabled by setting the IPsec VPN > VPN Group Configuration > NAT > Enable 1:1 NAT of local addresses variable to Yes. The local network within the tunnel must be specified. Please note that the network within the tunnel (i.e. the network addresses as seen by the peer) is specified in the 1:1 NAT settings. This is different from the mGuard Web GUI, where the network outside of the tunnel (i.e. the network addresses as seen from the local network) is specified in the 1:1 NAT settings.

Extended firewall rules: The firewall rules under the IPsec VPN > VPN Group Configuration node contain additional Combine fields associated with the From IP and To IP ad
130. l configuration upload: In case there are only a few devices to be configured and the devices cannot be accessed by mdm, it is possible to export the configuration files to the file system and upload them manually to each device using the Web GUI of the respective device. Each device is identified by a unique identifier which is automatically assigned by mdm. This identifier (an 8-digit hex string with lower-case characters) is used as the file name for the export. The convention for the exported configuration file is <identifier>.atv. The filename for each configuration file is shown in the General settings of the Device Properties Dialog and in the device table.

To export configuration files, the following requirements have to be met:
- An export directory has to be configured in the preferences file of the mdm server (see Chapter 2.6). Please note that it is not possible to export the files locally on the client side. The files are always exported on the server side to the export directory configured in the server preferences file.
- The export directory has to be accessible and writeable from the server.
- There has to be enough disk space to export the files.

Configuration pull: The mGuards are able to pull configuration files from an HTTPS server. mGuards running firmware version 5.0 or newer can additionally pull license files. To use the configuration pull feature, please refer to the section Manu
131. l pkcs8 -topk8 -in caKey.pem -passin pass:caPW -inform PEM -nocrypt -outform DER | java -cp . ImportKey -alias ca -keystore ca-keystore.jks -storetype JKS -storepass pass:caPW -keypass pass:caPW -chain caCertWithChain.pem

Explanation of the openssl arguments:
pkcs8: The pkcs8 command is used to process private keys in PKCS#8 format.
-topk8: Use a traditional format private key as input and write a key in PKCS#8 format.
-in filename: The name and the location of the input key file (in the example caKey.pem).
-passin pass:password: Password required to decrypt the input (in the example caPW).
-inform PEM: The input format of the key is PEM.
-nocrypt: The output (the key) is not encrypted.
-outform DER: The output format is DER.

Explanation of the ImportKey arguments:
-alias name: A keystore can contain multiple entries. The alias identifies the entry and therefore has to be unique in the keystore. Aliases are case-insensitive.
-keystore filename: The file containing the keystore (in the example ca-keystore.jks).
-storetype JKS: Use JKS as the format for the keystore.
-storepass pass:password: Password required to decrypt the contents of the keystore (in the example caPW).
-keypass pass:password: Additional password required to decrypt the private key in the keystore.
-chain filename: The certificate chain including the root certificate.

The command above creates one output file
132. lacement Certificate will replace the existing certificates with the new one, so that the device ends up with a single machine certificate. The mdm server will request certificate(s) from the CA and will assign them to the device(s).

SCEP requires that a one-time challenge password is entered for each certificate request. Therefore certificate requests can only be performed for a single device if SCEP is used. The mdm client will open a dialog window in which to enter the challenge password; please consult the documentation of your CA server on how to obtain the password.

OCSP and CRLs are not supported by mGuard 4.2. Nevertheless, if you would like to use firmware releases newer than 4.2 with CRL/OCSP support, you should configure values for these attributes.

To import a certificate, navigate to IPsec VPN > Global > Machine certificate > Machine certificates and click on the Import button (the Import button is only enabled if Custom or Custom (Locally appendable) is selected as the value for the machine certificate table). Select the file containing the machine certificate and click on Open. The machine certificate is subsequently shown in the table if the import was successful; otherwise an error message will be displayed. Only the first entry of the machine certificate table is used as the machine certificate.

To import a certificate, navigate to Authentication > Certificates > Machine Certificates and click on the Import button
133. lates to be deleted in the template table and click on the x icon in the menu bar.

Please note that templates that are still assigned to devices or other templates cannot be deleted.

3.4.1 The template context menu

The following entries are available in the context menu of the template overview table:
Add: Create a new template and open the Template Properties Dialog of the new template.
Edit: Edit the selected template (only active if exactly one template is selected in the overview table).
Duplicate: To create a duplicate of a template, please open the context menu by clicking with the right mouse button on the template in the template table. Select Duplicate in the context menu. mdm will create a copy of the template and append the string _copy<n> (<n> is a number) to the name of the new template. Please note that the Duplicate menu entry is only enabled if exactly one template is selected in the template table.
Import ATV Profile: Import an ATV profile into the selected template(s). This works analogously to the ATV profile import into devices; please refer to Chapter 3.3.1 for details.
Delete: Delete the selected templates.
Set Firmware Version: Upgrade the firmware version to a new version. Please refer to Chapter 3.12 for more details.
Assign Template: Open the Assign template dialog and assign a parent template to the selected templates.
Set Redundancy Mode: Open a dial
134. le value allow the following choices:
- Inherited: See above.
- Local: See above.
- Custom: If you select the Custom value entry, the combo box becomes editable and you can enter a specific value for the variable (e.g. prod2975 in the example in Figure 19). The value you entered is subsequently shown as an available selection in the combo box.

Table variables (e.g. incoming firewall rules): Table variables allow the following choices (for more information on tables, please see below in the Chapter Modifying mGuard table variables):
- Inherited: Set the variable to the default rows or to the rows defined in an assigned template, if applicable. The inherited rows are shown at the beginning of the table in a different color and are not editable or selectable. The usage of templates and inherited values is further explained in Chapter 4.2 and Chapter 5.
- Local: See above. If you set a table variable to Local and mdm shows an error, please check whether May append is set as the permission in the template (if any). If May append is selected as the permission for the table in the template, it is only allowed to append rows in the Device Properties Dialog; therefore the selection of Local results in an error.
- Custom: If you select Custom, the table and its associated menu elements become enabled. Table rows defined in a template are copied from the template to the device and can be deleted or edited in the Device Properties Dialog (please note that deleting or
135. lects all entries in the currently active overview table.

New > Device: Creates a new device and opens the Device Properties Dialog.
New > Template: Creates a new template and opens the Template Properties Dialog.
New > Pool: Creates a new pool and opens the Pool Properties Dialog.
New > VPN Group: Creates a new VPN group and opens the VPN Group Properties Dialog.
Device Import: Opens a window that allows you to select an import file. With the device import option you can import an automatically (e.g. with a script) generated file of devices. This can be used to create a large number of devices in mdm without going through the process of creating them manually. The import file must be comma-separated value (CSV) formatted. Either a comma or a semicolon can be used as the field separator. Each record (line) in the file describes a single device and consists of the following fields:

Field   Description
0       Management ID
1       Firmware Version
2       Template Name
3       Reachable via address
4       Serial Number
5       Flash ID
6..n    Variable assignments

The Management ID and Firmware Version fields (0 and 1) are mandatory; all other fields are optional. If a field is empty or non-existent, the corresponding attribute is not set. The Firmware Version field must be a supported firmware version without patchlevel, as it would appear in the Version column of the device overview
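A script that generates such an import file should be validated against the rules just stated before it is fed to mdm: separator detection (comma or semicolon), the two mandatory fields, optional fields that may be empty or missing, and the version-without-patchlevel requirement. The following parser is an added example and not mdm's own import code; the `key=value` form of a variable assignment, the set of supported firmware versions, and the sample records are assumptions constructed for this example.

```python
"""Validate and parse an mdm-style device import file (added example, not mdm code).

Assumptions: field order 0..5 as in the manual's table, variable assignments from
field 6 on written as KEY=VALUE, and a constructed list of supported versions."""
import csv
import io
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed for this example; mdm uses its own list of supported versions.
SUPPORTED_VERSIONS = {"4.2", "5.0", "5.1"}
VERSION_WITHOUT_PATCHLEVEL = re.compile(r"^\d+\.\d+$")
OPTIONAL_FIELDS = ("template_name", "reachable_via", "serial_number", "flash_id")


class DeviceImportError(ValueError):
    """Raised for a record that violates the import format."""


@dataclass
class DeviceRecord:
    management_id: str
    firmware_version: str
    template_name: Optional[str] = None
    reachable_via: Optional[str] = None
    serial_number: Optional[str] = None
    flash_id: Optional[str] = None
    variables: dict = field(default_factory=dict)


def detect_delimiter(text):
    """Pick comma or semicolon based on the first non-empty line."""
    for line in text.splitlines():
        if line.strip():
            return ";" if line.count(";") > line.count(",") else ","
    return ","


def parse_device_import(text):
    """Return one DeviceRecord per non-empty line, or raise DeviceImportError."""
    records = []
    reader = csv.reader(io.StringIO(text), delimiter=detect_delimiter(text))
    for lineno, row in enumerate(reader, start=1):
        cells = [c.strip() for c in row]
        if not any(cells):
            continue                                  # blank line
        cells += [""] * (6 - len(cells))              # missing fields count as empty
        mgmt_id, version = cells[0], cells[1]
        if not mgmt_id or not version:
            raise DeviceImportError(f"line {lineno}: Management ID and Firmware Version are mandatory")
        if not VERSION_WITHOUT_PATCHLEVEL.match(version):
            raise DeviceImportError(f"line {lineno}: version {version!r} must not carry a patchlevel")
        if version not in SUPPORTED_VERSIONS:
            raise DeviceImportError(f"line {lineno}: unsupported firmware version {version!r}")
        rec = DeviceRecord(management_id=mgmt_id, firmware_version=version)
        for name, value in zip(OPTIONAL_FIELDS, cells[2:6]):
            if value:                                 # empty -> attribute stays unset
                setattr(rec, name, value)
        for assignment in cells[6:]:
            if not assignment:
                continue
            key, sep, value = assignment.partition("=")
            if not sep or not key.strip():
                raise DeviceImportError(f"line {lineno}: bad variable assignment {assignment!r}")
            rec.variables[key.strip()] = value.strip()
        records.append(rec)
    return records


# Constructed sample input (not from the manual); semicolon-separated.
SAMPLE_IMPORT = """\
gw-london;5.0;Production Paris;10.73.127.218;;
gw-berlin;5.0;;;SN12345;0123abcd;EXAMPLE_VAR_A=1;EXAMPLE_VAR_B=off
"""

if __name__ == "__main__":
    for rec in parse_device_import(SAMPLE_IMPORT):
        print(rec)
```

Rejecting a record early, with the line number, is cheaper than discovering after a bulk import that half the devices were created with an unset template or an unsupported version.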
136. lowing command:

openssl req -new -batch -config templateCert.conf -key templateKey.pem -keyform PEM -passin pass:caPW -sha256 -outform PEM -out templateCertReq.pem

Explanation of the arguments:
req: req instructs OpenSSL to generate a certificate request (default) or a certificate.
-batch: Non-interactive mode.
-new: Create a new request or a new certificate.
-config filename: The name and the location of the openssl configuration file (in the example templateCert.conf).
-key filename: The corresponding private key (in the example templateKey.pem).
-keyform PEM: The private key is in PEM format.
-passin pass:password: Password required to decrypt the private key (in the example caPW).
-sha256: Use the SHA256 algorithm to create the message digest for the signature (recommended).
-outform PEM: The format of the output file is PEM.
-out filename: The name of the output file, i.e. the certificate request (in the example templateCertReq.pem).

The command above generates one output file, templateCertReq.pem. This file contains the certificate request.

Request the template certificate: The request has to be sent to the intermediate CA. You can sign the certificate request (issue the certificate) with the following command:

openssl ca -batch -config templateCert.conf -days 1826 -md sha256 -in templateCertReq.pem -keyfile caKey.pem -cert caCert.pem -passin pass:caPW -notext
137. ment ID of the desired device. If you select a device, the VPN configuration for this device will be automatically generated. Not all settings of the peer can be automatically generated; therefore you have to enter parts of the configuration manually. Please check the sub-nodes of the VPN connection for those settings; they are in the relevant sub-nodes, separated from the other settings by the text Configuration of peer device (for an example see Figure 36).

Note: The automatically generated VPN connections show up as read-only in the peer connection table, i.e. you cannot change the configuration on the peer side. If the VPN gateways have different firmware versions, the configuration of a peer is only possible in the Properties Dialog of the device with the older firmware version. If you configure the peer in the Properties Dialog of the device with the newer firmware, the connection will not be generated in the device with the older firmware. There will be no error or warning displayed.

The automatically generated VPN connections can be used as an alternative to the mGuard Tunnel Group feature (mGuard 5.0 or newer); see the comments in section Hints for VPN configurations below.

[Screenshot: Edit Template "Production Paris", Connections VPN01 and VPN02, with the fields Connection name (VPN02), Enabled (Yes, May override), Gateway address (Inherited, Any gateway) and Connection startup (Initiate on traffic).]
138. must be configured in ca-preferences.xml in the node certificateFactory > certTemplate.

Note: The files templateCertReq.pem and templateKey.pem are not needed any more and should be deleted.

7.2.2 Create the keystores

After following the steps described in Chapter 7.2.1, you should find the following files in your working directory:
- templateCert.pem: This file contains CA_templCert, signed with CA_key.
- caCert.pem: This file contains CA_cert, signed with CA_rootKey.
- caKey.pem: This file contains CA_key.
- rootCert.pem: This file contains the self-signed root certificate CA_rootCert.
- rootKey.pem: This file contains the encrypted private root key CA_rootKey.

Some of those files have to be included in keystores. The installation archive mdm-ca-1.6.x.zip contains the proprietary Java tool ImportKey in the demoCA directory, which can be used to create and manage keystores. Please copy the file ImportKey.class to your working directory.

First, the intermediate CA certificate and the root certificate have to be merged into one file (create a certificate chain):

cat caCert.pem rootCert.pem > caCertWithChain.pem

Then the key caKey.pem has to be converted to PKCS#8 format, and both CA_key and the certificate chain have to be included in a PKCS#12 keystore. This can be accomplished with the tool ImportKey. ImportKey accepts the unencrypted key on standard input only; therefore the output of the pkcs8 command has to be piped as follows:

openss
139. [Screenshot: External networks page of the device configuration (Obtain external configuration via DHCP; IP of external interface 10.73.127.218; Netmask of external network 255.255.255.0; Default gateway 10.73.127.254; Inherited marker; alias table with Add alias / Copy alias / Delete alias buttons and the columns IP address, Netmask, Use VLAN; Cancel button).]

Figure 24: Indication of applied changes

The icon in the leafs of the navigation tree (see the following figure) indicates that a None value, which has not been overridden (set) in the template hierarchy yet, is selected in one of the ancestor templates.

[Screenshot: Edit Device "Gateway London". Navigation tree of the mGuard configuration: General settings, Management, Blade Control, Network (Interfaces: General, Network Mode, Stealth configuration, Static Stealth configuration, External networks, Internal networks, PPPoE settings, PPTP settings, Modem settings, Ethernet, Serial port, Hardware), DHCP, Proxy settings, Authentication, Network security, Virus Protection, IPsec VPN, Quality of Service, Redundancy, Logging. The External networks page is open (Obtain external configuration via DHCP, IP of external interface, Netmask of external network, Default gateway).]
140. n Location: Where should mGuard Device Manager be installed? Setup will install mGuard Device Manager into the following folder. To continue, click Next. If you would like to select a different folder, click Browse. C:\Program Files\mGuard Device Manager. At least 132.0 MB of free disk space is required.]

The default location usually need not be modified.

3. Choose which mdm components to install.

[Screenshot: Select Components dialog. "Which components should be installed? Select the components you want to install; clear the components you do not want to install. Click Next when you are ready to continue." Minimal installation: mdm Server and mdm Client, Java Runtime, PostgreSQL Server, mdm Service Launcher, Apache Web Server (40.8 MB), mdm Certification Authority (optional, 4.1 MB), Config Pull Server (optional, 2.0 MB), Firmware Upgrade Server (optional, 2.0 MB). Current selection requires at least 132.0 MB of disk space.]

The mdm server, Java runtime environment, PostgreSQL server, mdm service launcher (used to run the mdm server as a service) and Apache web server are always installed, while the mdm CA is optional. The Apache web server can also optionally be set up as a configuration pull server and a firmware upgrade server.
141. n, please make sure that your system fulfills the system requirements (see Chapter 2.1).

mdm is a client-server application, i.e. the communication path between the client and the server must not be blocked by a firewall or a NAT device. In case you are using a NAT router in your environment, configure your environment in a way that the communication between client and server can proceed. The service port configured in the login window of the client (please refer to Chapter 3.1 and Chapter 2.6) is used to communicate with the mdm server. In a NAT scenario you have to make sure that this port on the server is accessible from the client. The communication between client and server is encrypted using the SSL protocol.

The configuration is uploaded from the mdm server to the device using SSH or pulled by the mGuard using HTTPS. Please make sure that the communication between the server and the mGuard is not blocked by a firewall or a NAT device.

2.4.1 Installation on Windows

Required components: For a full installation of mdm you need the following files and components:
- Java Runtime Environment (JRE) SE 7
- PostgreSQL installation files (postgresql-9.1.9.zip)
- mdm server (mdm-server-1.6.x.zip)
- mdm client (mdm-client-1.6.x.zip)
- License file (mdm_license.dat)
- mdm CA (mdm-ca-1.6.x.zip, optional)
- OpenSSL (optional)
Except for the license file, these components are contained on the mdm CD-ROM.

Da
nHistory

Key expireAfterDays: Configuration history entries older than the specified number of days are automatically expired, i.e. removed from the history. If the value 0 is used, configuration history entries are never expired (default: 74). Please refer to Chapter 6 for more detailed information on configuration history entries.

Node CA: These settings are required only if a CA is used.

Key type: The type of CA to use. Valid values are mdm CA (to use the mdm CA) or SCEP (to communicate with a CA via SCEP); default: mdm CA. Please refer to Chapter 4.6.1 for more detailed information on SCEP.

Key protocol: The protocol to be used to connect to the mdm CA. Valid values are http or https (default: https). When using the mdm CA, only https should be used, since the mdm CA relies on transport layer security for authentication purposes. SCEP includes application layer authentication mechanisms, so http is usually used with SCEP.

Key host: The hostname or IP address of the CA server (default: localhost).

Key port: The port on which the CA server listens for incoming requests (default: 7070). If 0 is specified, the https or http default port is used.

Key requestDirectory: The path within the URL the mdm server uses for certification requests (default: request). When using the mdm CA, request must be used. When using SCEP, consult the documentation of the CA server; if e.g. the Microsoft Windows Server 2008 CA is used: CertSrv/mscep/mscep.dll
nd .bat for Windows. The Linux scripts must be made executable before they can be invoked. Change into the demoCA directory and type the following command: chmod +x *.sh

Contents of the demoCA directory: The following files are contained in the demoCA directory.

Tools
- ImportKey.class, ImportKey.java: Java tool to create and manage keystores.

General purpose scripts
- gen-all.bat, gen-all.sh: These scripts generate all required keys and certificates.
- gen-dirs.bat, gen-dirs.sh: These scripts create the sub-directories in your target directory (see section Running the scripts below) in which the certificates and keys are stored.
- set-env.bat, set-env.sh: These scripts contain the initialization of the environment variables that are used in the subsequent scripts.

Scripts to generate the CA certificates
- gen-template.bat, gen-template.sh: Scripts to generate the template certificate.
- gen-ca.bat, gen-ca.sh: Scripts to generate the intermediate CA certificate and keys.
- gen-root.bat, gen-root.sh: Scripts to generate the root CA certificate and keys.

OpenSSL configuration files to be used for the generation of the CA certificates
- caCert.conf
- rootCert.conf
- templateCert.conf

Scripts to generate the SSL certificates
- gen-ssl.bat, gen-ssl.sh: Scripts to generate all required SSL certificates.
- gen-ssl-mdm-ca.bat, gen-ssl-mdm-ca.sh: Scripts to generate the mdm CA certificates.
- gen-ssl-mdm-server.bat, gen-ssl-mdm-server.sh
nd append the string _copy<n> (<n> is a number) to the Management ID of the new device. Please note that the Duplicate menu entry is only enabled if exactly one device is selected in the device table.

Import ATV Profile: Import ATV profiles into the selected device(s). [Figure 10: ATV import (the Importing ATV Profile dialog with the profile import options and a file chooser showing example files such as Gateway Berlin.atv and Gateway San Francisco.atv)] The following options are available when importing a profile:

Select Inherited where possible: If this option is selected, variables for which the imported value (i.e. the value in the ATV profile) is the same as the inherited value are set to Inherited. Otherwise all variables contained in the profile are set to Custom, regardless of their value.

Ignore table rows added by the netadmin user: Table rows that were created by the local netadmin user on the mGuard are not imported.

Select from File/Device: If File is selected, the ATV profile to import is uploaded as a file. This option is only available if an ATV import into a single device is performed. If Device is selected, mdm downloads the ATV profile from th
ndling > Issue and Export Certificate Requests action is invoked more than once without importing the resulting certificates, only the certificates from the last invocation can be imported.

4.6.2 CA certificates (mGuard firmware 5.0 or newer)

Importing CA certificates: Beginning with mGuard release 5.0, CA certificates (root or intermediate) are supported. To import a CA certificate, navigate to Authentication > Certificates > CA Certificates and click on the Import button (the Import button is only enabled if Custom or Custom, Locally appendable is selected as value for the CA certificate table). Select the file containing the CA certificate and click on Open. The CA certificate is subsequently shown in the table if the import was successful; otherwise an error message will be displayed.

4.6.3 Remote certificates (mGuard firmware 5.0 or newer)

Importing remote certificates: To import a remote certificate, navigate to Authentication > Certificates > Remote Certificates and click on the Import button (the Import button is only enabled if Custom or Custom, Locally appendable is selected as value for the remote certificate table). Select the file containing the remote certificate and click on Open. The remote certificate is subsequently shown in the table if the import was successful; otherwise an error message will be displayed.

4.6.4 Connection certificates

Importing
[Figure 25: Indication of None value (alias table with the columns IP address, Netmask and VLAN ID, example row 255.255.255.0 / 10.73.127.254, and the buttons Add alias, Copy alias, Delete alias)]

Modifying table variables: The following figure shows an example of a table variable (incoming firewall rules). [Figure 26: Modifying table variables (Edit Device dialog for Gateway London, node Network security > Packet filter > Incoming rules set to Custom, with the buttons Add rule, Copy rule, Delete rule)]

Add, delete, copy or move rows: To add, delete, copy or move rows, please use the respective buttons. If none of the rows is selected, then a click on the Add button will add the row at the beginning of the table. If one or more rows are selected, a new row will be added after the last selected row. The Delete button is enabled only if at least one row is selected; it deletes the selected rows. The Copy button is enabled only if at least one row is selected; it copies the selected ro
mGuard device manager Reference Manual, mdm Version 1.6, Document Rev. 02

Innominate Security Technologies AG, Rudower Chaussee 13, 12489 Berlin, Germany. Tel. +49 30 921028-0, contact@innominate.com, http://www.innominate.com

Copyright 2006-2014 Innominate Security Technologies AG, November 2014. Innominate and mGuard are registered trade names of Innominate Security Technologies AG. The mGuard technology is protected by the German patents 10138865 and 10305413. Further national and international patent applications are pending. This document may not be copied or transferred in whole or in part without prior written approval. Innominate reserves the right to modify this document at any time without notice. Innominate provides no warranty for the contents of this document. This disclaimer shall also apply to any implicit warranty of marketability or suitability for a specific purpose. Furthermore, Innominate assumes no liability for errors in this manual or for accidental or consequential damages in connection with the delivery, performance or utilization of this document. This manual may not be photocopied, duplicated or translated into another language in whole or in part without the prior written approval of Innominate Security Technologies AG. SSH and SSH Secure Shell are trademarks of SSH Communications Security. Windows, Windows NT and Windows Server are trademarks of Microsoft Corporation. Th
nnecting to the PostgreSQL database with pgAdmin III

3. Enter your login data. [Figure 2: Login to the PostgreSQL database with pgAdmin III (Connect to Server dialog asking for the password of user postgres on server PostgreSQL 9.0 (localhost), with the option Store password)]

4. Create a new login role by selecting New Login Role from the context menu. Please make sure that the values your_user and your_password are identical to the values specified in the preference file of the mdm server (see Chapter 2.6):
- User: your_user
- Password: your_password
[Figure 3: PostgreSQL initialization, create a new login role (pgAdmin III object browser for server PostgreSQL 9.0 (localhost:5432) with the context menu of Login Roles)]

5. Select the rights Inherits rights in the tab Properties and select the option With admin option in the tab Role memberships. [Login role dialog with the tabs Properties, Role privileges, Role membership, Variables and SQL: Role name, Can login, Password, Password again]
nor release: Schedule a firmware upgrade to the latest available minor release. Please refer to Chapter 3.12 for more details.

Firmware Upgrade > Schedule upgrade to next major version: Schedule a firmware upgrade to the next major version. Please refer to Chapter 3.12 for more details.

Firmware Upgrade > Unschedule upgrade: Unschedule a firmware upgrade.

Certificate Handling > Request additional certificate: Request a machine certificate for the device and append it to the list of existing machine certificates. Please refer to Chapter 4.6.1 for more details.

Certificate Handling > Request replacement certificate: Request a machine certificate for the device and replace any existing machine certificates with the new one. Please refer to Chapter 4.6.1 for more details. Please note: All existing machine certificates in the device are deleted, even if they have been imported manually. As a result, the device has a single machine certificate, the newly requested one. This function is therefore most useful for devices which contain a single machine certificate.

Certificate Handling > Issue and Export Certificate Requests: Generate certificate requests for manual certificate enrollment. Please refer to Chapter 4.6.1 for more detailed information.

Select All: Select all devices not excluded by the table filter.

3.4 Template overview table

Please select the Template tab to access the template overview table.
[Figure 16: The License Management Window (license table with the columns Voucher, License Date, Flash Id, Device, Max version, Expiry Date and License Type, listing example Maintenance Contract, Major Release Upgrade and feature upgrade licenses; Choose File and Import buttons; note: Import is performed instantly)]

A double click on a license row in the table opens the Device Properties Dialog of the corresponding device (if any). All licenses managed by mdm will be installed on the devices with every upload. The licenses are automatically assigned to the devices by using the flash ID contained in the license, i.e. without a flash ID in the General settings of the device an assignment of the licenses is not pos
ntioned in the previous chapter. This chapter first describes some of the PKI basics and then the usage of OpenSSL to roll out a PKI. Please note that the certificates described in this section are not used for SSL. Please note that the certificates and keys described in this section are not stored in the SSL keystore of the mdm CA, but in the CA keystore.

PKI basics: Among others, the main reasons for using a PKI are:
- Authentication: When communicating using data networks it is in most cases not possible to see the entity on the remote side (exception: video telephony), i.e. one cannot be sure that the entity on the remote side is the one it claims to be. The usage of a PKI assures the authenticity of the entities communicating with each other.
- Data confidentiality: This is the reason VPNs are used to exchange data. The data packets are sent over the public Internet, but unauthorized entities are prevented from accessing the information contained in the packets.
- Data integrity: The assurance that the information received is identical to the information sent by the other entity. This prevents information from being altered by an entity in the middle which is not authorized to participate in the communication.
It is beyond the scope of this document to describe all components and their interactions involved in a complete PKI; therefore only the most important are m
o perform the upload. If it does not succeed within the specified time, mdm will perform no more upload attempts and consider the upload failed.

Temporary Upload Password: If a password is entered into this field and a push upload is performed, mdm uses this password when logging into the mGuard via SSH. The password is used for all devices. If the field is left empty (default), mdm uses the known admin password of each device. The feature is useful if the mGuard does not use the configured admin password to authenticate the login request, e.g. if the mGuard uses RADIUS authentication. When a temporary upload password is used, mdm can use a username other than admin to log into the mGuard. This username can be configured in the Device Properties Dialog or the Template Properties Dialog; please open the Authentication > Local Users > Temporary Upload User node in the navigation tree.

Upload history: Shows the upload history. The upload history contains details on the last upload actions and their results for each device. To review the upload history for a device, please select the mGuard in the device overview table and open the context menu with a click with the right mouse button. Select Upload History to open a window with the upload history.

3.10 Managing license vouchers and device licenses

mdm enables you to centrally manage your license vouchers and device licenses. The main menu contains two entries: Licenses > Manage Dev
of row: Inherited rows from an ancestor template are colored red, green or grey. [Figure 27: Table row colors (Edit Device dialog for Gateway London with the navigation tree of the mGuard configuration and the Incoming rules table with the columns Protocol, From IP, From port, Comment)] A green row indicates that the row is editable, a red row indicates that the row cannot be edited or deleted, and a grey row indicates that this is an inherited default row which can be changed. To change a green or grey row it is necessary to switch the value of the table from Inherited to Custom.

Context menu: Tables can also be edited using the context menu. Please click on the table with the right mouse button. The following menu will appear: Add (Ctrl+N), Copy (Ctrl+C), Delete (Ctrl+Delete), Move range up
og in which redundancy mode can be enabled or disabled for the selected templates.

Select All: Select all templates not excluded by the table filter.

3.5 Pool value overview table

Please select the Pool tab to access the pool overview table. A pool defines a range of network addresses which can be automatically assigned to variables. For detailed information on pools and their usage, please refer to Chapter 4.4. [Figure 12: The mdm main window with pool table (tabs Devices, Templates, Pools, VPN Groups; pool table with the columns Name and Comment listing New York, Paris, Tokyo, Vienna and San Francisco; Logged Events panel showing the mdm version, the client initialization and the connection to the mdm server at localhost (127.0.0.1):7001 as admin)]

Pool table columns: The pool overview table contains the following columns. Please note: The column width can be changed by placing the cursor on the header of the table at the border of two columns and dragging the border to the desired location. The order of the columns can be changed by dragging the column header to a different location.

Status: The status icon shows whether the pool definition is valid.

Name
og is opened where the directory in which to store the ECS files can be selected. The prerequisites for creating encrypted ECS files are the same as for encrypted profiles; see Profile encryption on page 68.

Show Device Configuration History: Open the configuration history dialog. Please refer to Chapter 6.1 for more detailed information.

Generate Report of Changes to Device Configuration: Open a dialog to generate a report of changes to device configurations. Please refer to Chapter 6.5 for more detailed information.

Upload History: Display an overview of the last upload actions.

Set Current Device Credentials: Open a dialog in which the device credentials can be set. The following attributes can be set:
- Active root and admin passwords: The active passwords are the passwords that are currently in effect on the device. They may differ from the configured passwords when the current configuration has not yet been uploaded to or been pulled from the mGuard. mdm keeps track of the active passwords, since the root password is needed to set a new root password and the admin password is needed to log into the mGuard.
- Reset SSH Host Key: mdm stores the SSH key of an mGuard after the initial contact. In case an mGuard has been replaced, the SSH keys do not match and mdm will refuse any connection to the replaced device. This function can be used to reset the SSH key.
- Renew Secure Key Length
[Figure 29: Modifying complex table variables (Edit Device dialog with the navigation tree nodes L2TP over IPsec, Quality of Service, Redundancy, Logging and IPsec Connections; the IPsec Connections table is set to Custom and shows the buttons Add connection, Copy connection, Delete connection and a row with the columns Enabled and Name; the node shows the VPN URL syntax https://login:passwort@host/nph-vpn.cgi?name=connection&cmd=up|down with the example https://admin:mGuard@192.168.1.1/nph-vpn.cgi?name=paris&cmd=up)]

A complex table does not allow moving rows (the respective buttons are missing). Furthermore, the cells of complex tables cannot be edited. Adding a row to a complex table also results in adding a node to the navigation tree (see Figure 29). The Add, Copy and Delete buttons are enabled only if Custom or Custom, Locally appendable is selected. Please refer to the section mGuard configuration above. Changes made to the configuration are permanently stored with the Apply button at the bottom of the dialog. If you make any changes without applying them, you can discard your changes by closing the dialog with the Cancel button. You can also apply your changes by closing the dialog with the OK button. Please note that the configuration is not automatically transferred to the mGuard after applying a change. To transfer the configuration to an mGuard you have to upload the configuration file (please refer to Chapter 3.9) to the mGuard.

4.2 The Template Properties Dialog

Templates offer a powerful m
ome but not all of the selected users; the permission is granted to all of the selected users. Likewise, the same icons are used in the R column to express whether the permission is assigned to none, some or all of the selected roles.

3.11.4 User authentication

mdm database authentication, RADIUS authentication: mdm supports two mechanisms to authenticate users logging into the mdm client: the mdm database and RADIUS. Authentication against the mdm database is the default mechanism. It uses the usernames and passwords stored in the mdm database and configured in the Users Panel of the Users and Roles Dialog to authenticate users. Please refer to Chapter 3.11.1 for more details. Remote Authentication Dial-In User Service (RADIUS) is a network protocol that provides a remote authentication service. If the mdm server is configured to use RADIUS authentication, the users stored in the mdm database are ignored. When a user attempts to log into the mdm client, the mdm server performs a request to one or more RADIUS servers to authenticate the user. The RADIUS reply must contain one or more Filter-Id attributes, which the mdm server interprets as role names. If the login attempt is successful, the user is assigned to the roles specified in the Filter-Id attributes. If RADIUS authentication is used, mdm does not use the concept of a superuser; the username root is not treated specially in any way. Please refer to Chapter 2.6 for more informa
on history

6.3 Comparison of historic configurations

When two history entries are activated in the configuration history dialog, the Compare button is enabled. Clicking on this button opens the History Comparison Dialog, which shows a comparison of the two historic configurations. Although the History Comparison Dialog looks similar to the Device Properties Dialog, the type of information that is visualized is different: history entries contain configurations as they are uploaded to the mGuards; variable permissions and template inheritance relations are not part of the history.

Navigation tree: Different icons and colors in the navigation tree are used to visualize where and how the older and newer configuration differ:
- Unchanged (black label): The older and newer configuration are identical in the subtree below the node.
- Modified (blue label): Variables have changed between the older and newer configuration in the subtree below the node.
- Added (green label): The subtree has been added, i.e. it exists in the newer but not in the older configuration.
- Removed (red label): The subtree has been removed, i.e. it exists in the older but not in the newer configuration.

Configuration variables: If a variable has not changed between the older and newer configuration, its single value is displayed. Otherwise, if a simple variable has changed, its old value is displayed above its new value.

Special values:
on on Device: This field represents the firmware version currently installed on the device. It can be manually set, but is overridden with the value found on the device every time a push upload is performed or a pull feedback is received.

Template: The parent template of the device.

Accessible via: This is the address used by the mdm server to access the mGuard for an SSH push of the configuration or to open the web interface. Please refer to Chapter 3.9 for more information on the upload procedure. The following values are available for Accessible via:
- Not online manageable: The device is not managed via SSH push.
- Internal interface in auto stealth mode (1.1.1.1): mdm accesses the mGuard using the address 1.1.1.1 (address of the internal interface in automatic stealth mode).
- Stealth management address: mdm accesses the external or internal interface of the mGuard in stealth mode.
- First external IP address: mdm accesses the external interface of the mGuard in router mode.
- First internal IP address: mdm accesses the internal interface of the mGuard in router mode.
- Custom value: A custom value might be required to access the mGuard in NAT scenarios. If necessary, you can additionally specify a port number: <IP address>:<port number> or <hostname>:<port number>.

Pull filename (read-only): If the configuration is exported to the file system, a un
or entry was created: The username of the user who made the change to a device, template or VPN group configuration that caused the configuration history entry to be created.

Upload Date: The date and time when the configuration corresponding to the history entry was uploaded to an mGuard or exported for pull config. Empty if the configuration has not been uploaded or exported.

Uploader: The username of the user who initiated the upload or export. Empty if the configuration has not been uploaded or exported.

Target:
- If the configuration has been uploaded, the address to which it has been uploaded.
- If the configuration is exported, the name of the file to which it has been exported.
- Otherwise empty.

Filtering and sorting the table: The header of the table can be used to sort the table entries. A click on a header of a column will activate the primary sort based on this column. This is indicated by the arrow in the column header. A second click on the same header will reverse the sort order. Clicking on another column header activates the sort based on this new column; the previously activated column will be used as secondary sorting criterion. The first row of the table accepts the input of regular expressions (please refer to Chapter 8, Regular expressions), which can be used to efficiently filter the table entries. Filtering based on regular expressions is not used for columns that do not contain tex

Detail information:
ort of changes makes it possible to obtain an overview of how multiple devices have changed between two points in time. Select one or more devices in the device overview table and activate the Generate Report of Changes to Device Configuration option in the context menu. This opens the history reporting dialog. [Figure 41: The dialog to generate a report of changes to device configurations (Generate report of changes to 5 device configurations; Older Revision: Oldest, Newer Revision: Newest, each with the option Device configuration must have been uploaded or exported; Report: /tmp/Report_of_Changes_to_Device_Configurations.html; option Open finished Report in Browser)]

The two historic configurations to compare are selected by applying two selection criteria, one to select the older revision and one to select the newer revision, to each selected device individually. The following criteria can be chosen:

Oldest: The oldest device configuration.

Newest: The newest device configuration.

Newest Before: The newest device configuration prior to a date and time. The date and time is specified as an ISO date (YYYY-MM-DD, where YYYY is the year, MM is the month of the year between 01 and 12 and DD is the day of the month b
osoft Windows server

Supported Microsoft Windows versions, mdm installation: If you plan to run the mdm server, the PostgreSQL database server and the CA server (if applicable) on a single Microsoft Windows server, an automatic installer program can be used. The installer program can additionally set the server up as a configuration pull server (see Chapter 3.9) or as a firmware upgrade server (see Chapter 3.12). The following versions of Microsoft Windows are supported by the installer:
- Windows Server 2012 (64 Bit)
- Windows Server 2008 R2 SP1 Enterprise Edition (64 Bit)
- Windows Server 2008 SP1 Enterprise Edition (64 Bit)
- Windows Server 2008 SP1 Enterprise Edition (32 Bit)
- Windows Server 2003 SP2 Enterprise Edition (64 Bit)
- Windows Server 2003 SP2 Standard Edition (64 Bit)
- Windows Server 2003 SP2 Standard Edition (32 Bit)
Since the installer program sets up a PostgreSQL database server and an https web server, it will fail if a PostgreSQL server or an https server is already running on the system. A running web server is fine as long as it does not serve the https default TCP port 443.

Follow these steps to install mdm:

1. Insert the mdm CD and run the installer program with administrator rights. Click the Next button on the greeting screen and accept the mdm and third party software licenses on the following two screens.

2. Select a location where to install mdm. [Installer dialog: Setup mGuard Device Manager, Select Destinatio
ot shows the mdm main window. [The mdm main window (logged in as admin): menu bar File, Edit, New, Upload, Extras, Options, Help; tabs Devices, Templates, Pools, VPN Groups; device table with the columns Management ID, Templates, Version, Version on Device, Accessible via, Upload s…, Serial numb…, Pull Config Fi…, Location and Hardware, listing example devices such as Gateway Berlin, Gateway London, Gateway New York, Gateway Paris, Gateway San Francisco, Gateway Tokyo, Gateway Vienna and Production Vienna with their template, firmware version, address and location]
[Figure 20: Value types of an mGuard table variable (incoming rule row with the columns Protocol, From IP, From port, To IP, To port, Action, Comment, Log)] [Figure 21: Value types of a complex mGuard table variable (IPsec Connections table with the value set to Custom, alternative Custom, Locally appendable, and the Add connection button)]

Variables with a fixed value set: Variables with a fixed value set allow the following choices:
- Inherited: Set the variable to the default value or to the value defined in an assigned template, if applicable. The usage of templates and inherited values is further explained in Chapter 4.2 and Chapter 5.
- Local: The mGuard supports, among others, two roles: the admin, who is able to change all mGuard variables, and the netadmin, who is able to change only local variables. The Local value determines whether a variable is local, i.e. whether or not it can be managed by the netadmin on the mGuard. If a variable is local, it will not be managed by mdm anymore, in order to avoid conflicts between mdm and the netadmin.
- Fixed values: A number of fixed values which can be selected for this variable. The selectable values depend on the variable. In the example above (Figure 18) the fixed values are Provider defined and User defined for the variable Hostname mode.

Variables with an editable value: Variables with an editab
ow, click on the Security tab. If this tab is not present, then you have to disable simple file sharing:
a. Click Start and then click My Computer.
b. On the Tools menu, click Folder Options and then click the View tab.
c. In the Advanced Settings section, clear the Use simple file sharing (Recommended) check box.

4. Select the Users group or the user from the list. The current access rights for the Users group or the user will be displayed in the bottom half of the dialog box. If the Users group is not listed, click on the Add button to add it.

5. Make any necessary changes, then click Apply.

Use the following options for the installation:
- If you would like to get error and system messages in a language other than English, please select National Language Support in the Installation Options as an additional package to be installed.
- In the Service configuration, please enter the login information of the account to be used for PostgreSQL. If you have not yet created an account and you would not like to use an existing account, the installer can also create an account for you.
- Please confirm to grant the permission Log in as a service.
- If the mdm server and PostgreSQL are to be installed on different computers, please select the option Accept connections on all addresses, not just localhost in Initialize database cluster.
- Please enter a password for the internal database superuser to prevent unauthorized access to the database. Acc
166. ow to create certificates and keys to be used for the SSL communication is explained in Chapter 7.1. The certificates and keys used in a PKI are described in Chapter 7.2. Please note that the process described in this section to create certificates is just one example of the usage of OpenSSL. There are also alternative ways to create your certificates. If you are not familiar with OpenSSL, you should exactly follow the instructions below. The use of OpenSSL 0.9.8zc, 1.0.0o or 1.0.1j or newer is recommended due to the support of SHA-256 and several important security fixes. If you would like to use an OpenSSL version older than version 0.9.8, you have to use a digest algorithm supported by your version in the commands. Certificates and keys are stored in databases called keystores. A keystore is a file containing the certificates and keys in encrypted form. To access the information in a keystore, a passphrase is required. Keystores can have different formats; common formats are e.g. PKCS#12 or the proprietary Java Keystore format (JKS). The encryption algorithm can usually be selected when creating the keystore; 3DES is recommended. OpenSSL uses default values specified in the configuration file openssl.cnf (the directory where this file is located depends on your distribution, e.g. check in the directory /usr/ssl or /usr/lib/ssl). If you omit mandatory arguments of a command, OpenSSL uses the default settings defined in the configuration fil
167. ows to the table. 6.4 Reconstructing a device from a historic configuration. Template assignment. When a single history entry is activated in the configuration history dialog by checking the checkboxes in both the A and the B column, the Reconstruct Device button is enabled. Clicking on this button creates a new device in which all variables are set according to the historic configuration and opens the Device Properties Dialog for the reconstructed device. Once created, the new device is no longer linked to the device from which it has been reconstructed. It is an independent device with an independent device history. If the device was assigned to a template when the history entry was created, and if that template still exists, and if the firmware version the device had when the history entry was created is equal to or newer than the current firmware version of the template, the template can be assigned to the reconstructed device (dialog "Assign template": "Assign template Gateway to the reconstructed device?" with the buttons Yes, No and Cancel). If the template is assigned to the device, variables in the device are set to Inherited if their value in the historic configuration matches the value in the template in its current state. If the template uses the No override or May append permission, it may not be possible to reproduce the historic configuration exactly. 6.5 Report of changes. Selection criteria. Oldest. The rep
168. pem 2048

2. Create the self-signed certificate IS_cert as described in Chapter 7.1:

openssl req -batch -new -x509 -key mdm-https-client-key.pem -keyform PEM -passin pass:yourSSLPW -sha256 -outform PEM -out mdm-https-client-cert.pem

3. Create the keystore as described in Chapter 7.1:

openssl pkcs8 -topk8 -in mdm-https-client-key.pem -passin pass:yourSSLPW -inform PEM -nocrypt -outform DER | java -cp . ImportKey -alias mdm -storetype JKS -keystore mdm-keystore.jks -storepass pass:yourSSLPW -keypass pass:yourSSLPW -chain mdm-https-client-cert.pem

There should be 3 additional files in your directory:
- mdm-https-client-key.pem
- mdm-https-client-cert.pem
- mdm-keystore.jks

Please store the key and the certificate at a secure location. Only the keystore is used by the mdm server, therefore copy it to its final destination. Then the preferences file of the mdm server has to be configured:
- The location of the keystore has to be configured in the preferences.xml file of the mdm server in the node service/security/keyStore.
- The format of the keystore (JKS) has to be configured in the preferences.xml file of the mdm server in the node service/security/keyStoreType.
- The password to access the keystore (in the example yourSSLPW) has to be configured in the preferences.xml file of the mdm server in the node service/security/keyStorePassword.

To enable the SSL communication to the mdm CA and to
169. perties Dialog for a new mGuard. 4. Select New Device > Import in the main menu to import new devices.

There are several ways to edit a device: 1. Double-click with the left mouse button on the device in the table to open the Device Properties Dialog. 2. Select the device with the left mouse button and open the context menu by pressing the right mouse button. Then select Edit to open the Device Properties Dialog. 3. Select the device to be modified in the device table. Select Edit > Edit Item in the main menu to open the Device Properties Dialog. The Edit entry in the context menu and the Edit button in the toolbar are only enabled if exactly one device is selected in the device table.

There are several methods to delete devices: 1. Select the device(s) in the device table and open the context menu by clicking with the right mouse button. To delete the devices, please select Delete in the context menu. 2. Select the devices to be deleted in the table and click on the icon in the menu bar.

3.3.1 The device context menu. Add: Create a new device and open the Device Properties Dialog of the new device. Edit: Edit the selected device (only active if exactly one device is selected in the overview table). Duplicate: To create a duplicate of a device, please open the context menu by clicking with the right mouse button on the device in the device table. Select Duplicate in the context menu. mdm will create a copy of the device a
170. pload of the configuration to the upload devices:
- Open the menu Upload in the main menu (Chapter 3.8.1) and select which devices should be uploaded: All, Selected or Changed (i.e. all devices with a configuration status of "out of date").
- Select the entry Upload in the context menu (right click on the device table). This will schedule all currently selected devices in the device table for upload.
- Click on the upload icon in the tool bar to initiate an upload for the currently selected devices in the device table.

After initiating the upload, please specify which upload method you prefer. Push upload via SSH: mdm tries to upload all scheduled devices using SSH push. For SSH upload, there has to be an IP address or a hostname specified in the field Accessible via in the General settings of the Device Properties Dialog (see Chapter 4.3). If this is not the case, an error will be displayed in the log window and the upload status will be set to error. If mdm cannot log in to the device due to wrong SSH authentication information, an error will be displayed in the log window and the upload status will be set to error. If the mGuard is not accessible, mdm will retry to upload the configuration. After the maximum retry count is reached, an error message will be displayed in the log window and the upload status will be set to error. Prepare pull configuration: The configuration of all scheduled devices will be exported to the file system. Th
171. r K to indicate kilobytes, or m or M to indicate megabytes. The default value is 2 MB. Examples: -Xms33554432, -Xms32768k, -Xms32m. Maximum size of the memory allocation pool: Use the option -Xmx to specify the maximum size, in bytes, of the memory allocation pool. This value must be a multiple of 1024. Append the letter k or K to indicate kilobytes, or m or M to indicate megabytes. The default value is 64 MB. Examples: -Xmx268435456, -Xmx262144k, -Xmx256m. For the client, a value of 512 MB (-Xmx512m) is recommended, especially if mdm is used to configure VPN connections. The server should generally have as much memory as possible so that it can make efficient use of its caching mechanisms, but not so much that the machine starts swapping. Recommended is a value between 50 and 75 % of the physical RAM size, depending on which other applications are running on the same machine.

Windows Server: In case you would like to start the server as a service, two tools from the Windows Resource Kit (which can be downloaded from www.microsoft.com) are required: srvany.exe and instsrv.exe. Please download and install the Windows Resource Kit. The required installation steps for running the mdm Server as a Windows service are: 1. Execute the command instsrv <Service name> <Path to srvany.exe>, e.g. instsrv "mdm Server 1.6" c:\ntreskit\srvany.exe. 2. Open the registry editor and navigate to the key
172. r in the node service/security/trustStore. The format of this keystore (JKS) has to be configured in the preferences.xml file of the mdm server in the node service/security/trustStoreType. The password to access the keystore (default ENV PASSWORD_SSL) has to be configured in the preferences.xml file of the mdm server in the node service/security/trustStorePassword.

Subdirectory postgres/server: server.crt and server.key. These are the files containing DB_cert and DB_key. The files have to be copied to the PostgreSQL data directory, i.e. the subdirectory of the PostgreSQL directory usually named pgdata.

Subdirectory archive: This directory contains certificates and keys that were created during the process but are not required for the installation. Please do not delete this directory, since it contains e.g. the root key, which might be required when signing further intermediate CA certificate requests.

Further keys in the configuration files: To enable the SSL communication, the following keys of the configuration files have to be configured as well:
- ca-preferences.xml: certificateFactory/storage/database/ssl = true; httpServer/protocol = https; httpServer/https/clientAuth = true
- preferences.xml: server/storage/database/ssl = true; ca/protocol = https

2.8.4 Manual creation of the CA keys and certificates. This section explains how to manually create and install the key
173. r release upgrade. Alternatively, you can schedule the automatic firmware upgrade for one or more devices using the context menu of the device overview table. Please open the context menu by right-clicking on the device table, then select the desired upgrade option. To finally initiate the firmware upgrade, the configuration has to be uploaded to the devices after performing the steps above. You can unschedule a scheduled firmware upgrade with the option Unschedule upgrade in the context menu of the device overview table. When performing an upgrade, it is important to follow the correct order of the steps. Let us assume you would like to upgrade a device from release 4.2.3 to 5.1.0. The current firmware version configured in the field Firmware Version in the Device Properties Dialog in mdm is 4.2, corresponding to the firmware version on the device, which is also a 4.2 version. This should be indicated in the Version on Device field in the device overview table (see Chapter 3.3). Make sure that all required prerequisites (see section Prerequisites above) are fulfilled and start a configuration upload for the device (see section Scheduling a firmware upgrade above). Monitoring the firmware upgrade. First the icon in the Version on Device column will change, indicating that a firmware upgrade has been scheduled with the next upload. As soon as the configuration upload is started, the icon changes
174. rd in router mode. Custom value: A custom value might be required to access the mGuard in NAT scenarios. If necessary, you can additionally specify a port number: <IP address>:<port number> or <hostname>:<port number>.

Default Permission: The permission mdm uses for variables set to Inherited when a device or template inherits from this template. The following permissions can be set:
- May override: Variables set to Inherited have May override permission, i.e. they can be set in the inheriting device or template.
- May append: Table variables set to Inherited have May append permission, i.e. rows can be appended in the inheriting device or template, but existing rows cannot be changed. Other variables set to Inherited have May override permission, i.e. they can be set in the inheriting device or template.
- No override: Variables set to Inherited have No override permission, i.e. they cannot be set in the inheriting device or template.

Comment: An additional, optional comment, which is also shown in the template table of the main window.

4.2.1 Template configuration. As explained above, the navigation tree on the left side of the Template Properties Dialog resembles the mGuard menu structure. Figure 31 shows an example of the configuration for the external interface. (Screenshot residue: Edit Template dialog for the template "Production Berlin", node Internal networks under mGuard configuration > General settings, variable IP of internal interface set to None.)
175. red for the license request, i.e. the numbers have to be supplied in the General Settings of the device. These identification numbers may be entered manually or are automatically requested from the device during the push or pull upload procedure. To request licenses, select the devices in the device overview table and either press the icon in the tool bar or select Generate License from the context menu. The generated licenses are subsequently shown in the License Management Window and on the Management > Licensing page in the Device Properties Dialog, and will be installed on the device with the next upload. The result of the license request is also shown in the log window. mdm has to be able to connect to the Innominate license server in order to generate (request) licenses. To open the License Management Window, please select Licenses > Manage Device Licenses from the main menu. All licenses managed by mdm and their license details are shown in the License Management Window. In addition to licenses requested (generated) by the procedure described in the previous section, existing licenses can be imported. To import licenses, either type or paste the filenames of the license files (one filename per line) into the import field and click on Import subsequently, or click on the Choose File button and select one or more files in the dialog. (Screenshot residue: Device License table with the columns License Id, Lice
176. references.xml file in the node httpServer/https/trustStorePassword.

3 mdm client overview. 3.1 Login. Using multiple clients. The mdm client is the graphical front end to access all features of mdm. It allows to create and manage devices, templates, pools and VPN groups, initiates the upload of configurations to devices or initiates the export of configuration files to the file system. For information on how to start and stop the client, please refer to Chapter 2.7. Before connecting to the server, you have to authenticate yourself in the login window. Furthermore, the server IP/hostname and the server port to be used can be set in the login window. The following screenshot shows the login dialog. (Screenshot residue: "Connect to server" dialog with the fields Hostname localhost, Port 7001, Username admin, Password, and the buttons OK and Cancel.) Figure 8: The mdm client login window. There are three predefined user accounts: root, admin and audit. root can access all settings; admin can by default modify all configuration settings and read user management settings, whereas audit has read-only permission by default, i.e. the audit user cannot change any settings except for his password. The permissions for the users can be changed if desired (see Chapter 3.11). The default password for user admin is admin, the default password for user audit is audit, the default password for root is root. It is h
177. result of values and permissions inherited from the parent template and modifications made in the device. (Screenshot residue: Edit Device dialog for the device "Production 7248", node Network > Interfaces > DHCP > Internal DHCP > Server options, showing the DHCP server variables Enable dynamic IP address pool, DHCP lease time, DHCP range start, DHCP range end, Local netmask, Broadcast address, Default gateway, DNS server, WINS server and Static mapping with their Inherited, Local and Custom values.) Figure 39: Settings in the inheriting device. Enable dynamic IP address pool: This variable is set to Yes in the template and the permission is set to No override. Therefore the value of the variable cannot be changed in the device configuration. This is indicated by the disabled controls and by the icon in front of the variable name in the Device Properties Dialog. DHCP range start, DHCP range end: These variables are se
178. rformed by the device if it cannot access the configuration pull server after applying a pull configuration (this is interpreted by the device as a misconfiguration). To enable rollback for a device, please navigate in the Properties Dialog to Management > Configuration Pull and set the option Rollback misconfigurations to Yes.

4.10 Redundancy mode. Separate settings. If a device or template is in redundancy mode, it represents a pair of redundant mGuards, i.e. two physical devices. Settings and configuration variables which must or may be different for the two physical devices of a redundant pair can be set separately. Additional navigation tree nodes and variables are visible in the Device and Template Properties Dialog in redundancy mode. Nodes and variables prefixed with "Device 2" are used for the second device, while those without prefix are used for the first device. The following settings exist separately for the physical devices, but are not normally set by the user:
- Firmware Version on Device
- Pull filename
- Serial Number
- Flash ID

The following variables must be set to different values for the physical devices:
- The external and internal network settings in router mode
- The stealth management address settings in stealth mode
- Upload / Pull export
- The IP settings for the dedicated redundancy state synchronization interface, if this interfac
179. roperties Dialog for this purpose. If you would like to manually change the active password, you can use the option Set Current Device Password in the context menu of the device table. If a device is not accessible, mdm will retry the connection after a waiting time. As soon as the maximum count of retries is reached, mdm will stop trying to upload the configuration and will show an error in the log. If a configuration change causes the mGuard to reboot (e.g. when switching from stealth to router mode), mdm is not immediately informed whether the configuration has been successfully applied. It will therefore reaccess the device after a waiting time. Adapt the Accessible via setting after the initial upload if necessary. Alternatively, the configuration state can be set manually with the option Set Upload State in the context menu of the device overview table. If you change the password in the Device Properties Dialog and a subsequent upload of the device configuration fails, it may happen that the password change was applied on the mGuard but mdm was not able to keep track of the successful change. In this case you have to manually set the active password in mdm using the option Set Current Device Password in the context menu of the device overview table; otherwise mdm will not be able to log in for the next upload. Due to this potential issue, it is recommended to apply upload password changes separately from extensive configuration changes. Manua
180. (Screenshot residue: External networks settings of a device; Obtain external configuration via DHCP = Yes, IP of external interface 10.73.127.218, Netmask of external network 255.255.255.0, Default gateway 10.73.127.254, Use VLAN = No, VLAN ID Inherited, External aliases table with the columns IP address, Use VLAN and VLAN ID.) The icon in the leafs of the navigation tree (see the following figure) indicates that a change has been made to a variable in the leaf but has not been applied yet. Figure 23: Indication of non-applied changes. Indication of None value. The icon in the leafs of the navigation tree (see the following figure) indicates that settings have been changed in the respective leaf and have been applied. (Screenshot residue: Edit Device dialog for the device "Gateway London" showing the navigation tree from mGuard configuration and General settings down through Management, Network, Interfaces, DNS, DHCP, Proxy settings, Authentication, Network security and Virus Protection.)
181. roup Properties Dialog
Meshed VPN networks 98
4.9 Rollback support 100
4.10 Redundancy mode 100
5 Working with templates 102
5.1 Inheritance 102
5.2 Miscellaneous 104
5.2.1 Complex table variables and permissions 104
5.2.2 Firmware release settings and inheritance 104
6 Configuration history 105
6.1 The configuration history dialog 105
6.2 Viewing historic configurations 107
6.3 Comparison of historic configurations 108
6.4 Reconstructing a device from a historic configuration 109
6.5 Report of changes 109
7 Creating and Managing Certificates 111
7.1 Certificates and keys for SSL 111
7.2 Certificates and keys for a PKI
182. (Screenshot residue: navigation tree with the nodes DNS, DHCP, Proxy settings, Authentication, Network security, Virus Protection, IPsec VPN, Quality of Service, Redundancy and Logging; External aliases table set to Inherited, with the columns IP address, Use VLAN and VLAN ID.) Figure 35: Usage of pool values.

The following should be kept in mind when working with pools:
- In a variable that requires an IP address (not an IP network), only pools with a network mask of 32 can be referenced.
- If you decide to override a pool value in a device, the assigned pool value is not returned to the pool (i.e. the use count is not decreased) but remains assigned in the background, in case you decide to use the inherited value again.
- Pools must be large enough to provide a value for every device that inherits from the template in which the pool is referenced, even if some of the devices override their respective pool value (see above).

4.5 VPN configuration. Adding and editing VPN connections. With mdm you can easily generate the configuration for a large number of VPN tunnels. In general, the information contained in Chapter 4.1, Chapter 4.2, Chapter 4.3 and Chapter 5 applies also to the VPN configuration. But VPNs require some special settings to be taken into consideration, which are explained in this chapter, e.g. the automatic configuration of the VPN peer. You can find the VPN configuration in the node IPsec VPN of the navigation tree
183. s and certificates required for the CA. If you are not familiar with OpenSSL, it is highly recommended to read Chapter 7 first, which introduces some of the basic concepts and explains the process in detail. The requirements for the certificates are summarized in Chapter 7.2.3. Follow these steps to manually create the mdm CA keys and certificates:
1. Generate CA_rootCert and a matching private key CA_rootKey as described in chapter "Create the root certificate" on page 118.
2. Generate the CA certificate CA_cert and the corresponding private key CA_key as described in chapter "Create the CA certificate" on page 120.
3. Generate the template certificate CA_templCert as described in chapter "Create a certificate template" on page 123. The template certificate is used by the CA as template for creating the mGuard certificates.
4. Create the CA keystore and configure the preferences file of the mdm CA as described in chapter "Create the keystores" on page 125.
5. Secure your communication paths and configure the preferences files of the mdm components as described in Chapter 2.11.

2.8.5 Configuration of the mdm CA. This chapter describes the contents of the configuration file ca-preferences.xml contained in the installation archive mdm-ca-1.6.x.zip. Please adapt ca-preferences.xml according to your environment. Node certificateFactory. Key validityPeriodDays: Number of days certificates issu
184. s new column, the previously activated column will be used as secondary sorting criterion.

The context menu. The context menu is opened by clicking on the log window with the right mouse button. The following actions can be performed:
- Show Persistent Event Log: Opens the Persistent Event Log Window. Please refer to Chapter 3.7.1 for more details.
- Clear: Deletes the log entries. This applies to the current mdm client only, i.e. other clients are not affected.
- Export: Opens a file chooser window and exports the log entries to an XML file.
- Filter Log Entries: Enables or disables the filter for the log entry table. If the filter is enabled, the first row of the table accepts the input of regular expressions (please refer to Chapter 8, Regular expressions), which can be used to efficiently filter the table entries.
- Increase Verbosity: Enables or disables verbose logging. If verbose logging is enabled, some events which are not normally useful and may be confusing are logged.

Auto scrolling: If a new event is logged, the log window is automatically scrolled so that the new entry is visible (by default). The auto scrolling mechanism can be disabled and re-enabled by clicking on the icon in the upper right corner of the log window.

3.7.1 The persistent event log. The Persistent Event Log Window shows selected events from the last 200 days in the same manner as the log window. Unlike the entries in the log
185. s that an mGuard license file could not be installed on the device.
- Pull configuration rolled back: This indicates that a configuration pulled by the device was rolled back.
- Pull configuration blocked due to previous rollback: This indicates that configuration is blocked due to a previous rollback.
- Saving configuration for rollback failed: This indicates that saving the rollback configuration failed; the configuration was not applied.
- Pulled configuration invalid: This indicates the device detected an invalid pull configuration and therefore the configuration was not applied.
- Firmware upgrade failed: The scheduled firmware upgrade failed.
- Queued for upload or export: The device is currently in the upload queue. Depending on the settings for the configuration push retries and the waiting time between retries, the device might stay in the queue for a while.
- Upload or export running: The device has been accessed and the configuration file is currently being uploaded.
- Requeued for upload or export: If the device is not accessible, then it will be requeued and, after the waiting time between retries, the upload will start again. If after the configuration push retries the device has not been accessed, an error is shown. This icon is also shown during an ongoing firmware upgrade, since mdm will periodically poll the device for the result of the firmware upgrade.

Management ID: The Manag
186. 56
3.5 Pool value overview table 57
3.5.1 The pool context menu 58
3.6 VPN group overview table 59
3.6.1 The VPN group context menu 60
3.6.2 Editing device membership in VPN groups 61
3.7 Log window 62
3.7.1 The persistent event log 63
3.7.2 Logging events via syslog 64
3.8 The mdm main menu and tool bar 64
3.8.1 The mdm main menu 64
3.8.2 The mdm tool bar 66
3.9 Uploading configurations to the mGuards 67
3.10 Managing license vouchers and device licenses 70
3.11 Managing users, roles and permissions 72
3.11.1 Managing users 73
3.11.2 Managing roles 74
3.11.3 Permissions 74
187. se refer to Chapter 3.12 for more details.
- Set Hardware Flavor: Set the hardware flavor. Please refer to Chapter 3.13 for more details.
- Assign Template: Open the Assign template dialog and assign a template to the selected devices.
- Add to VPN Group: Opens a dialog to add the selected devices to a VPN group.
- Remove from VPN Group: Opens a dialog to remove the selected devices from a VPN group.
- Upload: Open the Upload dialog. Please refer to Chapter 3.9 for more details.
- Cancel Upload: Cancel the scheduled upload for the selected devices.
- Set Upload State: The upload status will never be set to "successfully uploaded" automatically if no push upload is performed and no pull feedback from the configuration server is received, e.g. in a usage scenario where the exported configuration profiles are installed manually on the devices. You can use this option to set the upload state to "successfully uploaded" manually. Please select the device in the device table, open the context menu with a right click and then select Set upload state. If a device is in a state in which an upload would fail (e.g. if a None value has not been overridden, cf. Chapter 4.2.1), it is not possible to set the upload state to "successfully uploaded".
- Export ECS Files: Download encrypted ECS files for the selected devices. ECS files can be used to configure mGuard devices that support this mechanism through SD cards; please refer to the mGuard manual for more details. A dial
188. se refer to RFC 3280.
189. se server (default 80). Please do not change this value.
- Key reqPage: The CGI script to be called when requesting licenses (default cgi-bin/autoreq.cgi). Please do not change this value.
- Key refPage: The CGI script to be called when refreshing licenses (default cgi-bin/autorefresh.cgi). Please do not change this value.
- Key reqProfKey: The CGI script to be called when requesting profile keys (default cgi-bin/autodevcert.cgi). Please do not change this value.
- Key reqUsername: The username needed to request profile keys. Please contact Innominate support to obtain a username.
- Key reqPassword: The password needed to request profile keys. Please contact Innominate support to obtain a username.
- Key retries: The number of retries to contact the license server (default 3). Please do not change this value.
- Key timeout: The timeout in seconds when contacting the license server (default 60). Please do not change this value.

Node connection.
- Key useProxy: Here you can configure whether a proxy should be used to contact the license server (default false).
- Key proxyAddress: The address of the proxy to contact the license server (default 127.0.0.1).
- Key proxyPort: The port of the proxy to be used to access the license server (default 3128).
- Key proxyRequiresAuthentication: Boolean defining whether the proxy requires authentication (default false).
- Key proxyAuthenticationUsername, Key proxyAuthenticationPassword, Key proxyAuthen
...sible.

Refreshing licenses: To refresh all licenses in mdm for a device, select the option Refresh Licenses in the context menu of the device overview table. mdm contacts the Innominate license server and retrieves all licenses that were bought for this device. The licenses are installed with the next configuration upload. Use this option if you accidentally deleted licenses in mdm, or if you would like to manage an mGuard that already has licenses installed but is not yet managed by mdm.

3.11 Managing users, roles and permissions

The permission to log into the mdm client and the permission to perform certain operations once logged in are controlled through users and roles. A user corresponds to a person logging into the mdm client. Each user has one or more associated roles, and each role has an associated set of permissions. The union of all permissions associated with a user's roles determines the permissions granted to that user.

Permissions are granted when a user logs in and remain valid until the user logs out. Modifications to the user, role or permission configuration therefore have no immediate effect on logged-in users: to take a permission away from somebody who is currently logged in, that session has to end first.

3.11.1 Assigning roles to users

(This section also covers the superuser root, the initial users and resetting the root password.)

Users, roles and permissions are managed in the Users and Roles Dialog, which is opened through the
[Figure 42: mdm CA certificate hierarchy. CA_rootCert is self-signed with CA_rootKey; CA_cert is signed with CA_rootKey; the mGuard certificates, issued according to CA_templCert, are signed with CA_key.]

In the following it is assumed that there is no other root CA in place and that the mdm CA is used as root CA.

Important: Keep the private key(s) at a secure location. In particular this is required for the root CA's private key.

It is recommended to create a working directory, e.g. called security, in the mdm installation directory, where all the certificates and keys created during the following process are located.

The following OpenSSL commands require input from the OpenSSL configuration file openssl.cnf; the directory where this file is located depends on your distribution (e.g. check /usr/ssl or /usr/lib/ssl). Instead of changing the standard configuration file of your OpenSSL installation, it is recommended to use the example configuration files provided in the mdm CA installation archive mdm-ca-1.6.x.zip and adapt those files to your needs. You can instruct OpenSSL to use the provided configuration files instead of the standard configuration file (option -config).

Adapt the OpenSSL configuration file: Copy the file rootCert.conf provided in the installation archive mdm-ca-1.6.x.zip to your working directory. Adapt the root_dn section of the file, which contains the Subject Distinguished Name of your root CA certificate:

    [ root_dn ]
    C = DE
    O
...st. If a configuration is uploaded to a device, mdm generates a configuration file which is transferred via SSH to the device and subsequently taken into operation. Furthermore, mdm can generate configuration files to be used for the configuration pull feature of the Innominate mGuard. Additionally, mdm can trigger firmware upgrades and deploy device licenses.

Supported devices: mdm 1.6 supports Innominate mGuard firmware 5.0.x to 8.1.x. Detailed information on limitations and known issues can be found in the document mdm Release Notes Version 1.6.x at www.innominate.com.

Related documentation: Detailed information on the Innominate mGuard can be found in the following documents at www.innominate.com:
- Reference Manual mGuard Firmware
- Reference Manual mGuard Appliances
- Application note Rollout support

2 Installation

2.1 System requirements

mdm Client
  Hardware: a minimum of 512 MB RAM, 500 MB free hard disk space, colour monitor with at least 1280 x 1024 resolution
  Software: Windows 2000 SP2, XP or later, Windows Server 2003 or later, or Linux; Java Runtime Environment (JRE) SE 7

mdm Server
  Hardware: a minimum of 4 GB RAM, 100 GB free hard disk space
  Software: Windows 2000 SP2, XP or later, Windows Server 2003 or later, or Linux; Java Runtime Environment (JRE) SE 7; PostgreSQL version 9.0 or later

mdm CA
  Hardware: a minimum of 512 MB RAM, 5 GB free hard disk space
  Software: Windows 2000 SP2, XP or later, Win

Note that Windows 2000/XP and Java SE 7 no longer receive security updates.
...st be unique.
- The real name: It has no technical effect; its purpose is to make it easier to associate a user with a real person.
- The password: The user must provide the correct password to log into the mdm client.

If one or more users in the Users Panel and one or more roles in the Roles Panel are selected, the roles can be assigned to the users by clicking the Assign Role button, or removed by clicking the Remove Role button. All of the selected roles are assigned to or removed from all of the selected users.

The superuser root: A superuser with the username root always exists. Although it has no associated roles, it has all permissions, i.e. it is treated specially by mdm. The superuser cannot be deleted, nor can permissions be revoked from the superuser.

Initial users: Three users exist in a fresh mdm installation: root, admin and audit. The initial password of each of these users is identical to the respective username. Change all three passwords before the service port is reachable by anyone but the installer; until then, anyone who can reach it can log in as root.

Resetting the root password: If the password for the superuser root is lost, it can be reset to root with the following psql command, to be executed while the mdm server is not running:

    UPDATE mgnt_system_users SET password = 'WNd6PePC4Q0rGiz2zeKv6bQ' WHERE username = 'root';

Since the reset restores the well-known default, change the password again at the next login.

3.11.2 Managing roles

Roles are managed in the Roles Panel of the Users and Roles Dialog. They can be added with the Add button, deleted with the Delete button and edited with the Edit button or by double clicking on
...t columns U or V. Since the A and B columns do not contain information but are used to activate history entries, they cannot be used for filtering or sorting.

Double clicking on a row in the configuration history dialog opens a dialog which displays detailed information about the configuration history entry. In particular, if the configuration has been uploaded, the messages received from the mGuard while applying the configuration are shown.

6.2 Viewing historic configurations

When a single history entry is activated in the configuration history dialog, the View button is enabled. Clicking on this button opens the History View Dialog, which shows the historic configuration. Although the History View Dialog looks similar to the Device Properties Dialog, the type of information that is visualized is different: history entries contain configurations as they were uploaded to the mGuards; variable permissions and template inheritance relations are not part of the history.

Special values: In addition to the variable value (or Custom if the variable value cannot be displayed, e.g. for password variables), two special values are used:
- Local indicates that the variable has no value known to mdm. The value is set by the user netadmin on the mGuard.
- Custom (Locally appendable) is only applicable to table variables. It indicates that the user netadmin on the mGuard has the permission to append rows to the table.
...t (in the example caCertReq.pem).
- -cert filename: The name of the file containing the root certificate (in the example rootCert.pem).
- -keyfile filename: The name of the file containing the key used to sign the certificate request (in the example rootKey.pem).
- -passin pass:password: Password required to decrypt the private key (in the example rootPW). A password given as pass:... is visible to other users in the process list while the command runs; OpenSSL also accepts env:VARIABLE and file:pathname here, which avoids that.
- -md sha256: Use the SHA-256 algorithm to create the message digest for the signature (recommended).
- -notext: By default openssl ca writes a human-readable text dump of the certificate in front of the PEM block. This would create problems later in the process when creating the keystores, therefore do not include any text in the certificate.
- -outdir directoryName: The output directory (in the example the current working directory).

The command above generates one output file:
- caCert.pem: This file contains CA_cert.

The file caCertReq.pem is not required any more and should be deleted.

Create a certificate: The purpose of the CA is to issue certificates. To do so, the CA needs instructions (a template) describing how the certificates to be issued should look, e.g. which extensions should be included. This is accomplished by providing the CA with a certificate template CA_templCert.

[Figure: CA_templCert serves as the template for each certificate issued by the CA.]

To issue a certificate you first have to adapt an OpenSSL configuration file again.

Adapt the OpenSSL configuration fil
...t contain a Basic Constraints extension marked as critical and with the boolean cA field set to true.

Innominate strongly recommends including the pathLenConstraint field in any CA certificate's Basic Constraints extension. It has to be set to the number of CA certificates that may follow below it in the chain (this is the RFC 5280 meaning of the field), which is one less than the number of certificates below it when the end-entity certificate is counted as well. So for a typical scenario where a certification chain is made up of one root CA certificate, a single intermediate CA certificate and an end-entity certificate (a VPN certificate in this case), the pathLenConstraint must be one (1) for the root CA certificate and zero (0) for the intermediate CA certificate.

The template VPN certificate must have a Basic Constraints extension marked as critical, with the boolean cA field set to false and without a pathLenConstraint field.

Any CA certificate must contain a Key Usage extension marked as critical with the bit keyCertSign set. It is recommended to have the bit cRLSign set as well. The template VPN certificate does not need to contain any Key Usage extension.

Any intermediate CA certificate must contain one or both of the extensions CRL Distribution Points and Authority Information Access if it is planned to distribute revocation information online with a future release of mdm and the mGuard firmware. The extensions must be marked as non-critical. The former extension is required if it is intended to use Certificate Revocation Lists (CRLs) in the future. The latter extension is required if i
...t is intended to use the Online Certificate Status Protocol (OCSP, see RFC 2560) in the future. Any of the extensions must contain HTTP URLs only.

The template VPN certificate should contain one or both of the extensions CRL Distribution Points and Authority Information Access described above if it is planned to distribute revocation information online in the future. Alternatively, the mdm server can be instructed to include them within the certification request sent to the mdm CA. The latter is more flexible, because this way the location of the revocation information (CRL) or of the information service (OCSP) can be set for groups of devices or even for individual devices.

Please note: If the template VPN certificate already includes any of these extensions and mdm is instructed to include it within the certification request as well, the extension from the request overrides the one found in the template. The issued certificate will contain the extension copied from the request. Since a requester can thereby decide where revocation information for the issued certificate is looked up, the mdm CA must only be reachable by the mdm server (cf. the host and https settings in ca-preferences.xml).

The keystore containing the certificates has to contain the complete certificate chain up to and including the root certificate.

8 Glossary

admin, netadmin: On the mGuard, the user admin (mGuard user) can change all settings of the mGuard, whereas the user netadmin can change only local variables.

AIA: The certificate extension called Authority Information Access (AIA) indicates how to access CA information and services
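The requirements listed in 7.2.3 translate directly into the x509v3 extension lines of the OpenSSL configuration files that Chapter 7.2.1 asks you to adapt. The script below is an added example, not code from the mdm CA archive or from Innominate; it generates those sections from a description of the chain so that the pathLenConstraint, criticality and HTTP-only rules do not have to be applied by hand. The section names, the chain names and the URLs are assumptions chosen for illustration; the pathLenConstraint rule implemented is the RFC 5280 one (number of CA certificates that may still follow), which yields the root = 1, intermediate = 0 values given above.

```python
# Added example: derive the OpenSSL x509v3 extension sections for a chain that
# follows the mdm CA requirements (Basic Constraints critical, pathlen, Key Usage,
# non-critical CRL/AIA pointers with http:// URLs only). Not part of mdm.
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def path_len_for(position: int, n_ca_certs: int) -> int:
    """pathLenConstraint for the CA at `position` (0 = root) in a chain with
    n_ca_certs CA certificates. Per RFC 5280 it bounds the number of further
    CA certificates in a valid path, i.e. it equals the number of CA certificates
    below this one: root -> intermediate -> end entity gives 1 and 0."""
    if not 0 <= position < n_ca_certs:
        raise ValueError("position outside the CA part of the chain")
    return n_ca_certs - 1 - position


def url_is_acceptable(url: str) -> bool:
    """The manual allows plain HTTP URLs only in CRL Distribution Points and AIA."""
    parts = urlsplit(url)
    return parts.scheme == "http" and bool(parts.netloc)


def _revocation_lines(crl_url: Optional[str], ocsp_url: Optional[str]) -> List[str]:
    """Lines for the CRL/OCSP pointers; OpenSSL emits both non-critical by default,
    which is what the requirements ask for."""
    lines: List[str] = []
    if crl_url is not None:
        if not url_is_acceptable(crl_url):
            raise ValueError(f"CRL distribution point must be an http:// URL: {crl_url}")
        lines.append(f"crlDistributionPoints = URI:{crl_url}")
    if ocsp_url is not None:
        if not url_is_acceptable(ocsp_url):
            raise ValueError(f"OCSP responder must be an http:// URL: {ocsp_url}")
        lines.append(f"authorityInfoAccess = OCSP;URI:{ocsp_url}")
    return lines


def build_v3_sections(chain: List[str], crl_url: Optional[str] = None,
                      ocsp_url: Optional[str] = None,
                      revocation_in_template: bool = True) -> Dict[str, List[str]]:
    """`chain` names the CA certificates root first; the last name is the
    end-entity (VPN) template certificate. Returns {section name: config lines}."""
    if len(chain) < 2:
        raise ValueError("need at least one CA certificate and the end-entity template")
    ca_names, template = chain[:-1], chain[-1]
    sections: Dict[str, List[str]] = {}
    for pos, name in enumerate(ca_names):
        lines = [
            f"basicConstraints = critical, CA:TRUE, pathlen:{path_len_for(pos, len(ca_names))}",
            "keyUsage = critical, keyCertSign, cRLSign",   # keyCertSign required, cRLSign recommended
        ]
        if pos > 0:  # only intermediate CA certificates must carry the revocation pointers
            lines += _revocation_lines(crl_url, ocsp_url)
        sections[name] = lines
    # The template: CA:FALSE, no pathlen, no Key Usage needed; CRL/AIA optional here
    # because mdm can also put them into the certification request.
    lines = ["basicConstraints = critical, CA:FALSE"]
    if revocation_in_template:
        lines += _revocation_lines(crl_url, ocsp_url)
    sections[template] = lines
    return sections


def render(sections: Dict[str, List[str]]) -> str:
    """Serialise as [section] blocks that an `x509_extensions = <section>` line can reference."""
    out: List[str] = []
    for name, lines in sections.items():
        out.append(f"[ {name} ]")
        out.extend(lines)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    # assumed section names and URLs for the demo
    demo = build_v3_sections(["root_ca_ext", "intermediate_ca_ext", "vpn_template_ext"],
                             crl_url="http://crl.example.net/mdm-ca.crl",
                             ocsp_url="http://ocsp.example.net/")
    print(render(demo))
```

Paste the rendered sections into the .conf files copied from mdm-ca-1.6.x.zip and reference them with x509_extensions; after signing, `openssl x509 -in cert.pem -noout -text` shows whether Basic Constraints and Key Usage came out critical and with the expected pathlen.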
...t to Local and the permission is set to No override, i.e. the Local setting cannot be changed in the device configuration. These values have to be set by the netadmin of the mGuard and are not managed by mdm.

- Local netmask, Broadcast address: There are no restrictions for these variables defined in the template, indicated by the missing icon in front of the variable name in the Device Properties Dialog. In the example, the device configurator decided to use a custom value for Broadcast address and the inherited default value for Local netmask.
- Default gateway: The value of this variable is set in the template and the permission is set to May override. Therefore the value of the variable can be changed in the device configuration. This is indicated by the enabled controls and by the icon in front of the variable name. In the example, the value from the template is overridden with a custom value.
- DNS server: The value of this variable is set in the template and the permission is set to May override. Therefore the value of the variable can be changed in the device configuration. This is indicated by the enabled controls and by the icon in front of the variable name. In this example, the value from the template is overridden in the device configuration with a custom value.
- WINS server: The value of this variable is set to None in the template. Therefore a value for this variable has to
...tabase. Install the PostgreSQL database first. PostgreSQL is distributed with an installer for Windows; please follow the instructions of the PostgreSQL installer. The mdm server and the database can be installed on different computers.

PostgreSQL can only be installed using an account with administrative privileges, but the PostgreSQL service has to run with non-administrative privileges. For this purpose, create an appropriate account, use one of the existing accounts, or let the PostgreSQL installer create an account for you (install option). During the installation this account is granted the "Log on as a service" permission.

If the access rights of the drive onto which you are planning to install or upgrade the PostgreSQL database are limited to special groups only, ensure that the Windows Users group also has the following access rights to this drive:
- Read
- Read & Execute
- List Folder Contents

These access rights are only required temporarily during the installation process and can be removed once the installation has been completed. If they are not set prior to installation, the installation process fails with the error message "Failed to run initdb: 1".

To check or set access rights for a drive or folder:
1. In Windows Explorer, right click on the drive you are checking.
2. Select Properties from the right-click menu.
3. In the Properties wind
... 114
7.2.1 Create the CA's certificates ... 117
7.2.2 Create the keystores ... 125
7.2.3 Requirements for certificates ... 127
8 Glossary ... 128

1 Introduction

Thank you for choosing mGuard device manager. Please read this document for information on
- the installation of mGuard device manager,
- how to efficiently generate configurations for your Innominate mGuards, and
- how to upload configurations to your Innominate mGuards.

Overview: mGuard device manager enables the convenient management of Innominate mGuard security appliances. The tool offers a template mechanism that allows you to centrally configure and manage thousands of Innominate mGuard devices. With a click of your mouse you can generate the desired firewall rules, NAT settings etc. and upload the generated configurations to the devices in the network, deploying your desired device configurations in an instant.

mdm is a client-server application: the client offers full control of all mdm features; the server stores the configuration in a database, generates configuration files and uploads those files to the devices upon reque
...the communication with the peer, thus preventing any misuse of certificates and creating a higher level of security.

7.2.1 Create the CA certificates

Depending on your existing infrastructure, the mdm CA needs the following certificates:
- A self-signed root certificate CA_rootCert and the matching private key CA_rootKey. If you have another upstream root CA in place, there is no need to generate the root certificate and the matching private key. The self-signed root certificate is distributed to all entities participating in the communication. It is used by the entities to verify the authenticity of the communication peer and of any intermediate CAs in the certificate chain. The private key CA_rootKey is used to sign the self-signed root certificate.
- A CA certificate CA_cert and the matching private key CA_key. This is the certificate used by the CA to authenticate itself to other entities. This certificate has to be signed with the root private key, i.e. either with CA_rootKey or with the key of your existing root CA. The private key CA_key is used to sign the certificate requests sent by the mdm server, i.e. it is used to issue certificates for the mGuards.
- A template certificate CA_templCert, which is used by the CA as a template when issuing end-entity mGuard certificates.

Create the root certificate: Figure 42 shows the certificate hierarchy: CA_rootCert, a self
...the database, the following keys of the preferences.xml file have to be configured:
- node server > storage > database, key ssl: true
- node ca, key protocol: https

1. First create the private key IC_key, protected with the password yourSSLPW, as described in Chapter 7.1:

    openssl genrsa -des3 -passout pass:yourSSLPW -out ca-https-client-key.pem 2048

2. Create the self-signed certificate IC_cert as described in Chapter 7.1:

    openssl req -batch -new -x509 -key ca-https-client-key.pem -keyform PEM -passin pass:yourSSLPW -sha256 -outform PEM -out ca-https-client-cert.pem

3. Create the keystore as described in Chapter 7.1. The command is one line; the unencrypted PKCS#8 form of the key produced by -nocrypt is piped straight into ImportKey and is never written to disk:

    openssl pkcs8 -topk8 -in ca-https-client-key.pem -passin pass:yourSSLPW -inform PEM -nocrypt -outform DER | java -cp . ImportKey -alias ca -storetype JKS -keystore ca-keystore.jks -storepass pass:yourSSLPW -keypass pass:yourSSLPW -chain ca-https-client-cert.pem

There should now be three additional files in your directory:
- ca-https-client-key.pem
- ca-https-client-cert.pem
- ca-keystore.jks

Store the key and the certificate at a secure location. Only the keystore is used by the CA server, therefore copy it to its final destination. Then configure the preferences file of the CA server:
- The location of the keystore has to be configured in the ca-preferences.xml file in the node httpServer > https, key keyStore. The format of the keystore J
...the file name may be used with a relative or absolute path name. The suffix <n>.log is appended to the base name, with n being a non-negative integer.
- Key limit: Maximum number of bytes a log file of the mdm CA can reach; when it grows beyond this number it is rotated.
- Key count: Maximum number of rotated log files the mdm CA keeps.
- Key level: Granularity of the logging messages the mdm CA produces. Acceptable values are OFF, SEVERE (highest value), WARNING, INFO, CONFIG, FINE, FINER, FINEST (lowest value) and ALL.

2.8.6 Starting the CA

Start the CA with the following command, in a single line (note that the CA has its own preferences file ca-preferences.xml, as described above):

    java -Xmx384m -jar full_path/mdm-ca-1.6.x.jar full_path/ca-preferences.xml

Prior to starting the CA, set the environment variables that contain the passwords:

    PASSWORD_CA: your CA password
    PASSWORD_SSL: your SSL password
    PASSWORD_DB: your DB password

Depending on your settings for the keys in ca-preferences.xml, environment variable names other than the examples above may have to be used. Set the variables in the environment of the process that launches the CA (e.g. from a start script readable only by that account) rather than in an interactive shell whose history is written to disk.

2.9 Pre-configuration of the mGuards

Follow the steps described in the Reference Manual mGuard Appliances for starting up and configuring the device (IP addresses of the interfaces etc.).

Enable SSH access: T
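Exporting the three passwords in an interactive shell leaves them in the shell history and in any terminal log. A start script that reads them from a file only the CA account can read and hands them to the JVM through the environment is the usual alternative. The script below is an added example and not part of the mdm distribution: the install paths, the secrets-file format (one NAME=value per line) and the use of the three variable names from the example above are assumptions; the names must match the ENV references in your ca-preferences.xml.

```python
# Added example (not part of mdm): start the mdm CA with its password environment
# variables loaded from a mode-0600 secrets file. Paths and file format are assumed.
import os
import stat
import sys
from typing import Dict, Iterable

REQUIRED = ("PASSWORD_CA", "PASSWORD_SSL", "PASSWORD_DB")   # names used in the manual's example
CA_JAR = "/opt/mdm/mdm-ca-1.6.x.jar"                        # assumed install location
CA_PREFS = "/opt/mdm/ca-preferences.xml"                    # assumed install location


def parse_secrets(text: str) -> Dict[str, str]:
    """Parse NAME=value lines. Blank lines and lines starting with # are ignored.
    The value is taken verbatim (no shell quoting), so '#' or '=' inside a
    password survive and nothing in the file is ever executed."""
    out: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected NAME=value")
        name, value = line.split("=", 1)
        name = name.strip()
        if not name.isidentifier():
            raise ValueError(f"line {lineno}: bad variable name {name!r}")
        out[name] = value
    return out


def check_secrets_file(path: str) -> None:
    """Refuse files that other users could read or swap out."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: must not be group/world accessible (chmod 600)")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path}: must be owned by the account starting the CA")


def load_secrets(path: str, required: Iterable[str] = REQUIRED) -> Dict[str, str]:
    """Validate the file, parse it and make sure every required name has a value."""
    check_secrets_file(path)
    with open(path, encoding="utf-8") as fh:
        secrets = parse_secrets(fh.read())
    missing = [name for name in required if not secrets.get(name)]
    if missing:
        raise ValueError("missing or empty: " + ", ".join(missing))
    return secrets


def start_ca(secrets_path: str) -> None:
    """Replace this process with the CA JVM. The passwords travel only in the
    environment, never on the command line, so `ps` run by other users does not
    show them."""
    env = dict(os.environ)
    env.update(load_secrets(secrets_path))
    os.execvpe("java", ["java", "-Xmx384m", "-jar", CA_JAR, CA_PREFS], env)


if __name__ == "__main__":
    start_ca(sys.argv[1] if len(sys.argv) > 1 else "/etc/mdm/ca-secrets")  # assumed path
```

The owner check uses the effective uid, so the script must run as the account that owns the CA installation; running it through sudo from another account fails closed instead of silently reading a file that account cannot otherwise see.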
...the truststore file (see Chapter 2.11.2 and Chapter 2.8). The special value ENV PASSWORD_SSL causes the mdm server to read this password upon startup from the environment variable named PASSWORD_SSL (the name PASSWORD_SSL is just an example and can be changed if desired).

Node certificationRequestHandler
- Key maxRequestLength: Maximum number of bytes a PKCS#10 certification request may have; longer requests are rejected to defend against simple DoS attacks (default: 102400).

Node revocationRequestHandler
- Key maxRequestLength: Maximum number of bytes a revocation request may have; longer requests are rejected to defend against simple DoS attacks (default: 10240).

Node httpServer
- Key host: IP address or host name of the interface on which the mdm CA's servlet interface listens. The value 0.0.0.0 means listening on all interfaces (default: 127.0.0.1). Keep the default unless the mdm server runs on another host, and in that case bind to the interface facing it rather than to 0.0.0.0.
- Key port: Port number the server listens on for incoming connections (default: 7070).
- Key minThreads: Minimum number of instantiated HTTP server threads the mdm CA maintains in its pool (default: 2).
- Key lowThreads: Internal use only. Please do not change.
- Key maxThreads: Maximum number of instantiated HTTP server threads the mdm CA keeps in its pool (default: 5).
- Key protocol: The protocol the mdm CA's servlet interface uses, either http or https. To enable secure communication, https has to be used; with http, the requests and responses exchanged between the mdm server and the CA are neither encrypted nor authenticated.

Node https
The configuration in this node is used onl
...ticationRealm: The credentials to be used if the proxy requires authentication (default: empty).

Node service
- Key address: The IP address designating the network interface on which the server listens for client connections. If you specify 0.0.0.0, the server listens on all interfaces (default: 127.0.0.1). If the clients run on other machines, bind to the interface facing them and rely on the keystore and truststore configured in the security node to protect those connections.
- Key port: The port number on which the server listens for client connections (default: 7001).
- Key backlog: Number of log entries to be stored (default: 50).
- Key storage: The storage to be used (default: database).

Node security
- Key keyStore: Name and path of the keystore file (see Chapter 2.11.1 and Chapter 2.8).
- Key keyStoreType: Format of the keystore, either JKS (Java JRE keytool, default) or PKCS12 (OpenSSL).
- Key keyStorePassword: Password for the keystore file (see Chapter 2.11.1 and Chapter 2.8). The special value ENV PASSWORD_SSL causes the mdm server to read this password upon startup from the environment variable named PASSWORD_SSL (the name PASSWORD_SSL is just an example and can be changed if desired).
- Key trustStore: Name and path of the truststore file (see Chapter 2.11.2 and Chapter 2.8).
- Key trustStoreType: Format of the truststore, either JKS (Java JRE keytool, default) or PKCS12 (OpenSSL).
- Key trustStorePassword: Password for the truststore file (see Chapter 2.11.2 and Chapter 2.8). The special value ENV PASSWORD_SSL causes the mdm server to read t
...tion on how to configure the mdm server to use RADIUS authentication.

3.12 Managing firmware upgrades with mdm

Prerequisites: mdm supports the management of the firmware of your mGuards. The firmware itself is not uploaded to the device by mdm; mdm instructs the device during the configuration upload to download a firmware upgrade package from an upgrade server and apply it.
- An upgrade server has to be set up and the required update packages etc. have to be put on the server. The upgrade server has to be accessible from the devices, not necessarily from mdm. Because the devices fetch the packages from it, the upgrade server is part of the trust boundary: restrict who can write to it.
- The server has to be configured in the device configuration or in the template configuration. For 4.2 devices, navigate in the Properties Dialog to Management > Firmware upgrade > Upgrade servers; for 5.0 devices or newer, navigate to Management > Update > Firmware upgrade > Upgrade servers to add your upgrade server to the configuration.
- If you use the automatic firmware upgrade (see the section below) together with a pull upload, make sure that the field Firmware Version on Device (see Chapter 4.3) has a valid value. The value can either be entered manually, or mdm fills in this information automatically after the initial push upload or pull configuration feedback. If entered manually, the Firmware Version on Device

(The following subsections cover scheduling a firmware upgrade, canceling the scheduled firmware upgrade and the upgrade process.)
...to the current configuration of your mGuard, i.e. the changes made with mdm have not yet been uploaded to the device.
- Locked: The configuration is locked by another user. This can happen if another user opens the Device Properties Dialog or the Template Properties Dialog of an assigned template.

Please note that configuration changes performed by other means than mdm cannot be detected, i.e. the configuration status is displayed correctly only if the mGuard configuration is changed locally on the device by the netadmin user alone. If a template is changed, the configuration status of all mGuards using this template is set to "out of date", no matter whether the template change affected the device configuration or not. Please refer to Chapter 3.8.1 if you would like to manually reset the configuration status to "up to date".

Upload status: The column labelled U shows the upload status of the device, which indicates the status of a pending upload or the result of the last upload. Please refer to Chapter 3.9 on how to upload configurations to the devices. The upload status can take the following values:
- Unknown: mdm could not determine the status yet, since no upload has taken place.
- Up to date: The configuration on the device has not changed because it already was up to date.
- Updated: The configuration on the device has been updated.
- Configuration exported: The configuration files h
...upon startup from the environment variable named PASSWORD_CA (the name PASSWORD_CA is just an example and can be changed if desired).
- Key crlExportDirectory: The path to the directory used by the mdm CA to export the files containing the CRLs (Certificate Revocation Lists). Each file contains a PEM-encoded X.509 CRL of revoked certificates from a single issuer. The filename of each CRL file is composed of the hash value of the issuer with a .crl extension, e.g. 5E84D566026616ED32169580A913661499FA6B03.crl. Make sure that the files contained in this directory are accessible from the mGuards. To configure the CRL URL on the mGuards, navigate to Authentication > Certificates > CRLs in the Device or Template Properties Dialog (mGuard 5.0 or newer only) and add the correct URL to the CRL table. Please refer to Chapter 4.6.1 for more details on certificate revocation (default: security/crl).
- Key crlUpdatePeriodMinutes: The time interval in minutes at which CRLs are exported to the crlExportDirectory. When a certificate is revoked, a CRL is exported immediately. Additionally, CRLs are exported periodically according to the specified time interval.
- Key nextUpdatePeriodDays: The number of days into the future written into the Next Update field of exported CRLs. The field is a hint for the mGuard downloading the CRL as to when it is to be considered obsolete. It should therefore be significantly larger th
...uration history entries. If the user has the Write Devices permission in addition to this permission: reconstruct devices from device configuration history entries.

Permission: Granted actions
- Read Templates: View the list of templates and template configurations.
- Write Templates: Edit, add, remove or duplicate template configurations.
- Read Pools: View the list of pools and pool configurations.
- Write Pools: Edit, add or remove pool configurations.
- Read VPN Groups: View the list of VPN groups and VPN group configurations.
- Write VPN Groups: Edit, add, remove or duplicate VPN group configurations.
- Read Users and Roles: View users, roles and permissions.
- Write Users and Roles: Manage users, roles and permissions, including the permission to set other users' passwords. This is effectively an administrative permission, since its holder can take over any other account by setting its password.
- Read Event Log: View the persistent event log.

Minimal permission set: The permissions Read Devices, Read Templates, Read Pools and Read VPN Groups form the minimal permission set. These permissions cannot be revoked from a role.

Filtering the permission table: The columns U and R show how each permission relates to the currently selected users and roles. They can be used to filter the permission table. The following icons can appear in the U column:
- The permission is not granted to any of the selected users.
- The permission is granted to s
...ush configurations to the device or open the Web GUI of the device. Please note that this address might not correspond to the internal or external address of the mGuard if NAT is involved. If the device is in redundancy mode (see Chapter 4.10 for more details), the Accessible via addresses of both devices, separated by a comma, are shown.
- Upload scheduled at: The date and time the next configuration upload is scheduled for this device.
- Serial number: The serial number of this device. Please refer to Chapter 4.3. If the device is in redundancy mode (see Chapter 4.10 for more details), the serial numbers of both devices, separated by a comma, are shown.
- Pull config filename: If the configuration is exported to the file system, a unique ID is used as the name of the configuration file. The filename of the configuration file is shown in this column.
- Location: In this column the value of the SNMP Location variable (SYS_LOCATION) is shown. If the location is empty, a placeholder character is displayed. If the device is in redundancy mode (see Chapter 4.10 for more details) and different locations are set for each physical device, the locations of both devices, separated by a comma, are shown.
- Hardware: The hardware flavor of the device. See Chapter 3.13 for more details.
- Status K: The size of the ssh and https cryptographic keys on the mGuard: Unknown, 1024 bits or 2048 bits. 1024-bit RSA keys are below current minimum recommendations; devices showing 1024 bits should have their keys renewed.
- Key renewal schedule

Filtering and sorting the table
...version than the child itself.
- It is possible to change the firmware version of a parent template to a newer version only if all children inheriting from the parent template are already set to the new firmware version.

6 Configuration history

mdm keeps track of mGuard device configurations in the configuration history. Whenever a change is made to a device, template or VPN group configuration, a new history entry is automatically created for each device that changes as a result. Each device has its own independent history. When a device is deleted, its associated history is deleted as well. The history stores configurations as they are uploaded to the mGuards; variable permissions and template inheritance relations are not part of the history.

6.1 The configuration history dialog

To access a device's configuration history, select the device in the device overview table and activate the Show Device Configuration History option in the context menu. This opens the configuration history dialog, which contains a list of history entries for the selected device.

[Screenshot: Device Configuration History dialog for the device "Gateway San Francisco". Range Selection: Last Entries, Show last 100 entries, Currently effective, Last 100 entries. Columns: Creation Date, Firmware, Variant, Creator, Upload Date, Uploader, Target; the example entry is dated 2011-08-09.]
...window, the entries in the Persistent Event Log Window are stored persistently in the mdm database, i.e. they are retained even if the mdm server is restarted.

Range selection: Since there can be a large number of persistent log entries, not all entries are automatically loaded from the mdm server when the dialog is opened. By changing the criteria in the Range Selection field and clicking the Apply button, the entries matching the specified criteria can be loaded. By default the latest (i.e. newest) 100 entries are loaded.
- All Entries: Loads all log entries. If the number of entries is large (i.e. thousands or more), loading all entries may incur a significant delay.
- Time Range: Loads all entries which have been created during a time range. The time range must be specified:
  - If a lower bound but not an upper bound is specified, all entries newer than the lower bound are loaded.
  - If an upper bound but not a lower bound is specified, all entries older than the upper bound are loaded.
  - If both a lower and an upper bound are specified, all entries created during the time interval given by the bounds are loaded.
  Times are specified as an ISO date YYYY-MM-DD, where YYYY is the year, MM is the month of the year (between 01 and 12) and DD is the day of the month (between 01 and 31), optionally followed by an ISO time hh:mm:ss, where hh is the hour according to the 24-hour timekeeping system, mm is the minute and ss is the second.
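As an added example that is not part of mdm, the following filter applies the Range Selection rules just described to a list of persistent event log entries, so that the semantics of a lower-only, upper-only or two-sided range can be checked against constructed sample data. Bounds are treated as inclusive and a date without a time as 00:00:00 of that day; both are assumptions, as is accepting a "T" between date and time in addition to a space.

```python
# Added example (not code from mdm): parse the ISO date/time bounds of the
# Persistent Event Log "Time Range" selection and apply them to log entries.
from datetime import datetime
from typing import Iterable, List, Optional, Tuple

Entry = Tuple[datetime, str]   # (creation time, message)

# Constructed sample entries; the device name is the one used in the manual's screenshot.
SAMPLE_LOG: List[Entry] = [
    (datetime(2011, 8, 9, 10, 15, 0), "upload to Gateway San Francisco finished"),
    (datetime(2011, 8, 9, 11, 0, 0), "user audit logged in"),
    (datetime(2011, 8, 10, 9, 30, 0), "template Branch Office changed"),
    (datetime(2011, 8, 12, 8, 0, 0), "license refresh for device 0815"),
]


def parse_bound(text: str) -> datetime:
    """'YYYY-MM-DD' optionally followed by 'hh:mm:ss' (24-hour clock).
    A date without a time is taken as 00:00:00 of that day (assumption)."""
    text = text.strip()
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%dT%H:%M:%S", "%Y-%m-%d"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"not an ISO date[ time]: {text!r}")


def select_range(entries: Iterable[Entry], lower: Optional[str] = None,
                 upper: Optional[str] = None) -> List[Entry]:
    """lower only: entries newer than lower; upper only: entries older than upper;
    both: entries inside the interval; neither: everything. Bounds are inclusive."""
    lo = parse_bound(lower) if lower else None
    hi = parse_bound(upper) if upper else None
    if lo is not None and hi is not None and lo > hi:
        raise ValueError("lower bound is after upper bound")
    return [e for e in entries
            if (lo is None or e[0] >= lo) and (hi is None or e[0] <= hi)]


def latest(entries: Iterable[Entry], n: int = 100) -> List[Entry]:
    """The default selection: the n newest entries, newest first."""
    return sorted(entries, key=lambda e: e[0], reverse=True)[:n]


if __name__ == "__main__":
    for when, msg in select_range(SAMPLE_LOG, lower="2011-08-09 10:30:00", upper="2011-08-11"):
        print(when.isoformat(sep=" "), msg)
```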
wing commands, in a single line each, as superuser. Make sure that the values your_user, your_database_name and your_password are identical to the values specified in the preference file of the mdm server (see Chapter 2.6).

    su postgres
    createdb your_database_name
    createuser --no-adduser --no-createdb your_user
    echo "ALTER USER your_user WITH PASSWORD 'your_password'" | psql your_database_name
    echo "GRANT ALL ON DATABASE your_database_name TO your_user" | psql your_database_name

Securing the communication with the database

If you install the database and the mdm server (or the mdm CA) on different computers, it is highly recommended to encrypt the communication between the components. Please refer to Chapter 2.11 on how to set up a secure connection to the database server.

Server installation

First create a new user, e.g. mdm. Unpack the mdm server 1.6.x zip file into the home directory of the user mdm. If you would like to start the server when the system is started, please include a script in the /etc/init.d directory. It is also necessary to create symbolic links in system-specific directories; please consult the documentation of your Linux distribution for details. The SQL database and the mdm server can be installed on different computers.

Finally, initialize the database. Make sure that the preferences file matches the values you used when installing the database. To initialize the database you have
ws and inserts them after the last selected row. The Move buttons are enabled only if at least one row is selected. To move the current selection up one row, press the up button; to move it down, press the down button.

Note: The Add, Delete, Copy and Move buttons are enabled only if either Custom or Custom (locally appendable) is selected. Please refer to the Section mGuard configuration above.

Selecting table rows

By clicking on a table row with the left mouse button you select it. Multiple rows can be selected as a contiguous block of rows by first selecting the upper or lower row of the block and then selecting the opposite row with a left click while holding the <Shift> key. Rows can be added to the selection or removed from the selection by clicking with the left mouse button on the row while pressing the <Ctrl> key.

Changing a table cell

To edit a table cell, please double-click on the cell with the left mouse button. A single click selects the table row.

Invalid values in tables

An invalid value in a table will not be indicated in the navigation tree, but the cell will be marked red. If you enter an invalid value in a table cell and leave the cell (e.g. by clicking on another navigation tree node), the last applied valid value will replace the invalid input.

Row colors

The rows of a table may have different colors depending on the type
y if protocol in node httpServer is https.

Key keyStore: Name and path of the keystore file.

Key keyStoreType: Format of the keystore, either JKS (Java JRE keytool, default) or PKCS12 (OpenSSL).

Key keyStorePassword: Password for the keystore file. The special value ENV PASSWORD_SSL will cause the mdm server to read this password upon startup from the environment variable named PASSWORD_SSL (the name PASSWORD_SSL is just an example and can be changed if desired).

Key keyPassword: The password required to decrypt the SSL private key contained in the keystore for the HTTPS server.

Key clientAuth: Boolean value. true means clients need to authenticate via SSL too, not just the server; false means clients do not need to authenticate. This value should be set to true.

Key trustStore: Name and path of the truststore file containing the trusted certificates for the SSL connection from the clients.

Key trustStoreType: Format of the truststore, either JKS (Java JRE keytool, default) or PKCS12 (OpenSSL).

Key trustStorePassword: Password for the truststore file (see Chapter 2.11.2 and Chapter 2.8). The special value ENV PASSWORD_SSL will cause the mdm server to read this password upon startup from the environment variable named PASSWORD_SSL (the name PASSWORD_SSL is just an example and can be changed if desired).

Node logging

Key file: The base name of the rotated log file the mdm CA will produce
