Enterasys Networks Network Card Network Card User Manual
Contents
1. 60 Configuring RIP for the Interface 62 Configuring OSPF on an Interface sse 64 Creating Static Routes sepe retener erento derent ae tsini 65 Adding a Remote Server a E nennen nennen 68 Changing Server and Tunnel Properties sss 71 iv RiverMaster Administrator s Guide Table of Contents Chapter 4 Setting Up Aurorean Services hicbonmbu e M 75 Authorization Plug in Options ssssssssssseseeeeeeneerete nennen 76 RADIUS Authentication SeryvetS isi iiir isinira eee 76 Plagin Plan ing eene eene t ER Gee red eerie er Eo ed 77 Threads remercie eere tnde end 77 Private Public Keys for IPSec Authentication sssssseeeeeene 78 ProblemiINOBBCAtIOD iioi gta OE Od P Eq eps 78 Arace L6yelscz cato ee i aie RR esi E E R E 79 Adding an Authorization Plug In s sse eene 80 Enterasys Authentication sssssssssssesseeeenenetetrene tenente nnne nennt 81 RADIUS Authorization ementi eie oH up eta eei 83 SecurID Authorization eet tertie tat eeepc eire trn i e eoe eon 87 Generating Private Public Keys nennen 91 Using the Notification Service to Send E Mail sssssssssssseeeeneen 93 Creating a Mailing List eiee om oor EUR ERREUR O HERI ER 93 Adding an Address to a Mailing List sss 95 Setting Trace LEVE lS hisini ianei ake o eH e ere Se tege arte2. X NOTE V Do not remove the Enterasys Authentication plug in or convert it into a RADIUS or SecurID plug in Without a plug in of this type you will not be able to log into RiverMaster Enterasys Authentication To modify the Enterasys Authentication plug in perform the following steps 1 Open the Configuration pullout 2 Inthe list of Aurorean devices expand the tree list by clicking the symbol under the name of your APS and expand it again under Auth Service Figure 44 shows the Configuration pullout Click here to view Configure pull down box options Indus Airer Aether I iorri Pimat nber of Threat Li i Piigin Tze EDI BIER Click here to open the Click here to add a new Authorization Plug in or here to expand the tree list and select or create a plug in Hotrication Serwine Sires Rater al Gare Click here to access the APS configuration windows Configuration pullout Click here to configure the plug in Figure 44 Configure Authorization Plug ins Window RiverMaster Administrator s Guide 81 Adding an Authorization Plug In Chapter 4 Setting Up Aurorean Services 82 3 5 From the list of Plug ins select Enterasys Authentication Click Properties The Properties for Plug in Enterasys Authentication window will appear as shown in Figure 45 Uy pom Plug ri fom A x pe Click here to update the plug in F
3. Figure 18 General Aurorean Network Gateway Settings If you plan to change the Aurorean Network Gateway s IP address in the future enter the new address in the Future IP Address field otherwise leave this field blank and continue with the next step When you build a custom Aurorean Client installation kit for your remote users as described in Chapter 6 the ANG s IP address is saved as part of the kit Aurorean Client needs this address to locate the ANG across the Internet and create a tunnel If you enter an IP address in the Future IP Address field the kit will contain both IP addresses that appear on this pullout If Aurorean Client cannot locate a ANG by first using the standard IP address it will automatically use the future IP address If connecting to this address is unsuccessful a user can enter an IP address in the Alternate Tunnel Server IP address field in Aurorean Client Refer to the Aurorean Client User s Guide for more information RiverMaster Administrator s Guide Chapter 3 General Aurorean Network Gateway Settings Configuring an ANG 3000 7000 6 To allow remote users to browse the Internet directly while they are tunneled into the corporate network place a check next to Enable Intelligent Client Routing on the General page For more information on Aurorean Virtual Network s Intelligent Client Routing feature refer to Intelligent Client Routing on page 31 vA NOTE The Reset button returns any altered valu
4. Peer 22 5111 Tul Pharee 671 26 E10D H ap trots After you add bub suat tamire f an ISP it appears here Figure 60 ISP Profiles 4 Click on the ISP Profiles tab and then click Add 108 RiverMaster Administrator s Guide Chapter 5 Adding Corporate ISPs Controlling Remote User Dialing amp Access 5 Type a name for the new ISP in the field next to the Name menu This name will appear on the Aurorean Client interface exactly as you typed it If you are describing a corporate dial up server enter a name that identifies your company and the particular server If you are describing an actual ISD enter the business name of the ISP 6 Inthe Address City State and Zip fields type the ISP mailing address The city and state information will appear on the Aurorean Client interface exactly as you typed it the remainder of the information is for your reference only 7 Fromthe Country list choose the country where the ISP is located 8 Type the ISP s Web site URL in the Web Site field This Web site information will appear on the Aurorean Client interface exactly as you typed it 9 Inthe Backbone field specify the ATM or Frame Relay backbone that serves this ISP optional This information is for your reference only and is not displayed for Aurorean users 10 In the Customer Support area type the E mail address in the E mail field This E mail address will appear on the Aurorean Client i
5. To set RIP parameters choose RIP from the Routing Protocols menu and click Properties refer to the next section Setting RIP Properties for additional instructions To set OSPF parameters choose OSPF from the Routing Protocols menu and click Properties refer to Setting OSPF Properties on page 57 for additional instructions Setting RIP Properties To configure RIP properties for the ANG perform the following steps 1 Perform the steps in the previous section to access RIP properties The RIP Configuration window should appear as shown in Figure 31 RiverMaster Administrator s Guide 55 Routing Chapter 3 Configuring an ANG 3000 7000 If this list is blank the Aurorean Network Gateway accepts RIP updates from all A Bp Congres routers on the subnet You can limit the amount of updates that the Aurorean Network Gateway will accept pee yere by specifying individual routers in this list rianta iai Figure 31 RIP Routing Protocol Configuration 2 Toturn on RIP for IPX packets click Enable under IPX RIP Enable otherwise continue with the next step 3 Doone ofthe following Toallow the ANG to accept RIP updates from all routers on the same subnet no further work is required Skip to Step 6 To configure trusted individual routers to supply RIP updates to the ANG click Add and continue with the next step The Add A Trusted Gateway window appears as shown in Figure 32
6. A CAUTION In order for Windows NT logon scripts to run automatically upon connection with Aurorean Client the following conditions must be met If all three of the conditions are not complied with the logon script will not run when a user logs in with Aurorean Client A client computer must be registered on the domain But a user need not log into that domain when logging into NT a user can log in locally to the computer The name of a user logged into NT must match that user s domain login name The user s password on NT must match that user s domain password che Mew Scrip Files Click here to browse the network for the script file Click here to upload the file to the APS Figure 62 Select New Script Files Window RiverMaster Administrator s Guide Chapter 5 Adding Corporate ISPs Controlling Remote User Dialing amp Access 23 Choose the dial up protocols supported by the ISP from the Frame Protocols menu Nearly all ISPs and dial up Remote Access Service RAS servers support the default Point to Point Protocol PPP If the dial up server at the ISP supports other protocols such as Serial Line Interface Protocol SLIP you may choose another protocol from the menu 24 Select the Network Protocols to use over the dial up connection as follows To enable TCP IP protocol over the dial up connection place a check next to TCP HP This protocol is required for Internet access
7. Ramones heap barre E ipie I 35 gd d Dela sab Luar Maree nerfed mE oo Figure 121 Add Remote ANG Window NOTE Unless you are configuring a tunnel from the ANG APS pair to a Remote ANG you only need to enter the Remote Gateway Name and IP Address Enter a Remote Gateway Name and IP address in the fields provided Type a User Name User Password and confirm the password This User Name and Password must also be registered in the authentication database in the ANG at the remote site by adding the user to a group Refer to Chapter 6 for more information Choose the tunneling protocol IPSec or PPTP Click Add The Remote ANG is added to the configuration on your local ANG A message displays stating the Remote ANG was successfully added Because the preceding configuration information is not immediately written to a floppy disk we strongly recommend you repeat this procedure for all Remote ANGs you plan to add RiverMaster Administrator s Guide Configuring ANG IP Addresses Appendix B ANG 3000 7000 Preconfiguration Stored on a Floppy Disk Configuring ANG IP Addresses This section describes how to configure the ANG s name and Domain names IP addresses and subnets and Intelligent Client Routing This action marks the actual start of the process to write information to the floppy disk Ap NOTE If the Remote Gateway configuration procedure is canceled at any po
8. Click here to choose a Destination Figure 117 Export Window 2 Select a program file Format to export the report in by clicking the arrow under the Format field You may convert the report to a file in one of the following formats Comma separated values CSV Character separated values Crystal Reports RPT Data Exchange Format DIF Microsoft Excel XLS Hyper Text Markup Language HTML Lotus 1 2 3 WK1 WK2 WKS Open Database Connectivity ODBC Paginated Text TXT Record Style REC Rich Text Format RTF Tab separated text TTX Tab separated values TSV Text TXT and Word for Windows DOC 3 Select Microsoft Mail MAPI in the Destination field and click OK The window that appears will depend on your selected format Go to the Exporting Reports to a Disk File section and find the starting step for the format you selected When you complete the next step or two the Choose Profile window will appear for all formats selected as shown in Figure 118 RiverMaster Administrator s Guide 207 Downloading Viewing and Exporting Reports Chapter 8 Generating Reports Choose Profile Microsoft Outlook Wptions gt gt Figure 118 Choose Profile Window 4 Select a Profile Name by clicking the arrow next to the field and click OK You can also create a new profile or configure two options The Send Mail window appears as shown in Figure 119 Send bail Figure 119 Send Mail Window 5 Fil
9. If Stopped The Aurorean Policy Server will accept configuration changes and the Aurorean Network Gateway will accept tunnel connection attempts However the messages generated by these actions are not stored in a log file on the Aurorean Policy Server and cannot be viewed as they occur from the RiverMaster Reports will also be inaccurate Authentication 20 Provides the mechanism for authenticating remote users against user databases located on either the Aurorean Policy Server or an external authentication server such as a RADIUS device Authentication also serves another security role by enforcing a strict ring level hierarchy for Delivery messages to prevent unauthorized access to sensitive information Configuration changes sent by the RiverMaster to the Aurorean Policy Server are rejected because the Aurorean Policy Server cannot authenticate them Also the Aurorean Network Gateway will not accept new tunnel connection attempts because the remote user cannot be authenticated The Aurorean Policy Server reboots approximately 3 minutes after this service stops The memory and hard disk usage meters in the Aurorean Policy Server statistics area show how much server resources are being consumed to manage the Aurorean Virtual Network High memory usage normally reflects alarge number of authorization messages for both remote user authentication and server to server traffic generating reports and Aurore
10. To enable Microsoft s NetBEUI protocol over the dial up connection please a check next to NetBEUI NetBEUI provides fast network browsing in small networks that are primarily Microsoft based To enable IPX and SPX protocols over the dial up connection place a check next to IPX SPX These protocols are normally required for access to Novell NetWare servers Ap NOTE NetBEUI is not a routable protocol You should select at least one other protocol to allow packets to be routed through the Internet or corporate network 25 Do one of the following RiverMaster Administrator s Guide Click Update to save the new ISP information Click Cancel to clear the ISP information without saving your changes 113 Chapter 5 Adding POPs for Corporate ISPs Controlling Remote User Dialing amp Access Adding POPs for Corporate ISPs 3 To add a new POP phone number for a corporate ISP perform the following steps ths 1 Open the Configuration pullout 2 Click on the down arrow next to the Configure menu item at the top left edge of the pullout The Configure menu items display appears similar to the one shown in Figure 63 ay 3 Choose ISP POP from the menu 4 Choose Add Modify POP from the menu The Corporate POP Profiles display appears similar to the one shown in Figure 63 Click here to display menu options Click hereto E Es Corperate Dos Prufila B select the POP men Re
11. Type plug in name and identifier here Click here to create the plug in Click here to enter SecurlD Plug in values Figure 47 SecurlD Plug in Window 3 In the Name field type in a name to describe the plug in This name later appears in the plug in tree list For example if you are adding a plug in for a SecurID server you can type SecurID as the name If you plan to authenticate against more than one SecurID server you can enter a specific server name in this field 88 RiverMaster Administrator s Guide Chapter 4 Adding an Authorization Plug In Setting Up Aurorean Services 4 Inthe Identifier field type a name that remote users will use to select this plug in Aurorean users can include this identifier as part of their VPN user names to override the default authorization plug in For example if you enter ACE as the identifier for this plug in Aurorean users can specify a user name such as Bob ACE to authenticate against the ACE Server instead of the default plug in 5 Optionally specify a value in the Num Threads field This function allows the specified number of users to simultaneously log in without delay The range of threads that can be set is 1 to 100 with a default value set to 10 6 To make this plug in the default authorization method place a check next to Default Plug In 7 Click on SecurlD Plug in 8 Optionally you can change the values for Timeout and Retry from the default values displayed T
12. You can assign a specific address to each remote user or allow users to dynamically draw addresses from a pool Address pools are created by defining virtual subnets as described in Chapter 3 Configure the Aurorean Network Gateway to route packets from remote users through the corporate network The Aurorean Network Gateway supports RIP OSPF and static routes to forward packets to their destination to configure these routing protocols refer to the instructions in Chapter 3 Determine how remote Aurorean Client Software users will be authenticated To authenticate against a database residing on the Aurorean Policy Server you must use the Authorization service as described in Chapter 4 To authenticate against an external RADIUS server you must configure an authorization plug in as described in Chapter 4 To authenticate against an external SecurID server you must configure an authorization plug in as described in Chapter 4 RiverMaster Administrator s Guide 21 Setting Up a Aurorean Virtual Network the First Time Chapter 2 Getting Started with RiverMaster 22 6 10 11 Create mailing lists so that the Aurorean Policy Server sends you E mail when alarm alert or notification messages are generated optional E mail messages are generated by the Notification service as described in Chapter 4 Reboot the Aurorean Network Gateway to put the networking changes into effect Create POP packages of selected
13. 7 Doone of the following Click Apply to start retrieving messages from the Aurorean Policy Server Click Close to close the Message Viewer window without retrieving messages When you click Apply RiverMaster sends a query to the Aurorean Policy Server for the messages that fall within your parameters This query may take several seconds you can halt the query at any time by clicking Cancel Figure 87 shows an example of the results from a message trace of all login and logout activity for a user over a two week period RiverMaster Administrator s Guide 167 Monitoring System Activity Chapter 7 Viewing Server Activity amp Statistics 168 Click here to start a new trace Double click on a message to view a detailed description TGA wl ele B rir En i Ere berti prat ii D 1959 11814 ai CDA KT ress 12 04 1399 L4 E rr e419899 DID deer CELE xrCheme noc IAAT be 12 D0 1959 13 21 04 dini char XiChamzpnec 1I DA LI bac iZ DA 1999 13 22 17 dimh rhantl23 CDRxTrAacA LIAA P4 EIS Loe PIE tient TZ client 2 CDATracm LETALA L Paes DEF CPAs T rc 1204 71359 14 2 Lis Lebar desiti cheil xc berti prac iiaia r4 imi i INTAI IRIT diit chard CDAaTrecs LALO 14 32 ED 13 27 15 det Ld chentl13 CDRExTTA amp cR LADRATA L4 13 RAG L1 2 B dissii chanel C RT LATALI 4 DA TIM beh dissii chert ST Chente pro 12 1399 de 12 0 1999 ieee Glens centi E no EPA iT rds 12 0
14. Clients will read the notice in a pop up Message of the Day box visible for 30 seconds upon connecting and the same text will display in their Prescriber pullout as well as their Prescriber log if it is enabled The notice remains in the Group Notice window until its expiration date For directions on configuring Group Notices refer to Setting Up Group Notices on page 152 Creating a New Group Vil When you first log into RiverMaster you will observe that one group already exists in the Aurorean Policy Server database Admin which is the only group that has administrative privileges to log into RiverMaster This group contains the default login user account netadmin For administration security Enterasys Networks recommends that you add a new login account to the Admin group and then remove the Enterasys user account AA EATON Do not remove the Admin group from the APS database To log into RiverMaster you must enter the user name and password of a member of that group If you remove the group you will be unable to use RiverMaster in the future To create a new group perform the following steps ine 1 Open the Manage Users and Groups pullout When you open this pullout the Group view is automatically displayed as shown in Figure 68 RiverMaster Administrator s Guide 127 Creating a New Group Chapter 6 Managing Users amp Groups Use the tab pages to assign policies to each group Ti aan
15. Gateway Regional Office B Headquarters Aurorean a Network J n s Gateway Ss Aurorean Server 1 Policy 8 os Server e e e e Remote access tunnel m mm om Site to Site tunnel Figure 16 Site to Site Configuration 34 RiverMaster Administrator s Guide Chapter 3 Before You Begin Configuring an ANG 3000 7000 When corporate networks are linked via one or more tunnels users can utilize applications over these LANs simply by choosing a network supported program or by using Windows Explorer to find a destination server Using Aurorean Client to dial up a remote connection is not required Remote Aurorean site to site connections are set up by first adding a remote ANG to an existing ANG configuration then adding the tunnel itself This is done by configuring a user on that server with the following values an IP address or Fully Qualified Domain Name FODN for the server a user name and password and a tunnel protocol either IPSec or PPTP These are all the values required to make the connection We recommend that you enable Intelligent Client Routing on both Aurorean Virtual Network Network Gateways so clients accessing the tunnel remotely or locally can access clients on the far end of the network NOTE Enable at least one routing protocol RIPv1 RIPv2 or OSPF on the ANG Refer to Chapter 3 for instructions Refer to Adding a Remote Server on page 68 to configure a site to site tunnel AutoLink R
16. Prescriber A feature of Enterasys Networks products that diagnoses why a tunnel connection failed and attempts to correct the problem either on its own or with user assistance On Enterasys Networks Aurorean Client the Prescriptive Diagnostics Engine performs a step by step check of each tunnel connection element including the COM port or serial driver used modem or terminal adapter line to a PBX or the telephone network local or long RiverMaster Administrator s Guide 213 Appendix A Glossary distance phone service connection to the ISP POP ISP authentication settings and so forth On the Enterasys Networks Aurorean Policy Server the Prescriptive Diagnostics Engine uses the call home feature to provide an alternate route that tests end to end operation and isolates tunnel problems and also allows the remote user to download missing or updated files Remote Client User RiverMaster Routers Thread 214 A computer user who wants to access data on a corporate network from a remote location such as a field office home office or temporary lodging Remote users working from a fixed location are often referred to as telecommuters or day extenders if they access the network after regular work hours Remote users who travel frequently and attempt to access the network from different locations are often called mobile users A management application running on a Windows NT 4 0 Workstation 2000 Professional computer which co
17. Table 9 System Activity Display Continued Heading Meaning App ID The IR service or software component that generated the message possible values include ACCESS for messages from the Aurorean Policy Server ADMIN for messages generated by the IR Admin service AUTH for messages produced by the IR Authorization service CLIENT for messages produced by Aurorean Client software and sent over the tunnel NOTIFICATION for messages by the IR Notification service OVERLORD for messages sent by the IR Overlord Service TUNNEL for messages generated by the Aurorean Network Gateway Msg ID Message ID that is unique for each message refer to Table 10 on page 161 for a list of some message IDs Date Sent The time and date the originator sent the message based on the originating server or remote PC s clock 4 To view a detailed description of a particular message highlight the message in the display and examine the contents of the Message Description area Use the scroll bar in this area to view the entire description or click the maximize button to expand the area A sampling of messages that appear in this area are listed in alphabetical order by Message ID in Table 10 NOTE The Me Description area displays information for up to 2000 messages After that threshold is reached no information for highlighted messages is displayed in the Message Description area You can still view the con
18. These events are sorted by the remote client s user name and then listed according to the time they were sent Table 15 lists the column headings and values that appear in a Client Anomaly Report A text area under each message also provides a detailed description of the cause of the condition Table 15 Client Anomaly Report Values Heading Explanation TIMESENT The time the event occurred according to the remote client PC s clock in Hour Minute Second military format MSGTYPE Category of the anomaly message possible values are Alarms for Aurorean Client Software alarm conditions Alerts for alert conditions that may lead to an alarm state Problem for problem notification messages MSGID An ID number useful for Enterasys Networks Customer Support personnel to isolate the problem HOSTNAME The computer name assigned to the remote client s computer DOMAIN The APS Domain name given this Aurorean Virtual Network BUILDREV Version of Aurorean Client Software installed and running on the remote client in the format Release Build where Release indicates the functionality release e g 3 0 and Build indicates an internal software version number S W Software component that reported the anomaly Possible values COMPONENT include Authorize Aurorean Client Figure 95 displays a typical Client Anomaly Report 182 RiverMaster Administrator s Guide Chapter 8 Report Contents Generating Repor
19. and manually dial the POP using a telephone RiverMaster Administrator s Guide 129 Creating a New Group Chapter 6 Managing Users amp Groups Allow ISP Selection Table 5 Dial Policies Explanation When enabled Aurorean users can decide whether or not to disable an ISP so that it is not used for dialing When an ISP is disabled its associated POP phone numbers do not appear in the dial list This policy is enabled by default Allow POP Ordering When enabled Aurorean users can change the dialing sequence for POPs to match their personal preferences This policy provides the flexibility of mixing POPs of different ISPs as well as moving 800 number POPs ahead of local POP phone numbers This policy is disabled by default Allow Dial String Editing When enabled Aurorean users can edit the digit string dialed by their modem to include any special prefix numbers or other digits required by the telephone equipment at that site This policy is disabled by default Allow Manual Dialing When enabled Aurorean users can choose to manually dial a POP phone number using a telephone With manual dialing the user s modem does not send any digits the user must lift the receiver of a telephone and dial the POP number using the telephone s keypad This policy is disabled by default Allow 800 Number Dialing When enabled Aurorean users can dial a nationwide POP phone number 800 888 or 877 number instea
20. 97 appears substantially the same E dandus Aie Meta gt Fire entes r rA Broad Only a a List Fisa ed Typi Eee Com lt Figure 110 Select Workbook Window 14 Type an ODBC database name in the field provided and click OK The Exporting Records window appears as shown in Figure 105 Return to Step 4 to continue RiverMaster Administrator s Guide 201 Chapter 8 Generating Reports 15 If you chose the Paginated Text format you are prompted to set the number of lines per page or keep the default of 60 lines and click OK The Lines Per Page dialog box appears as shown in Figure 111 The Choose Export File window follows as shown in Figure 104 Return to Step 4 to continue Downloading Viewing and Exporting Reports Inpa the Himba of Lines Pee Page Figure 111 Lines Per Page Dialog Box 16 If you chose the Excel 5 0 Tabular format you are prompted to set column headings Check the box or leave it blank and click OK The Format Options dialog box appears as shown in Figure 112 The Choose Export File window follows as shown in Figure 104 Return to Step 4 to continue Figure 112 Format Options Dialog Box 202 RiverMaster Administrator s Guide Chapter 8 Downloading Viewing and Exporting Reports Generating Reports Exporting Reports to a Microsoft Exchange Folder To export reports to a Microsoft Exchange folder perform the following steps i 1 Click the Export button along the top edge of t
21. B Backbone field 109 backing up the Aurorean Policy Server database 98 100 Backup Database option 99 BorderManager Authentication Services 76 browsing the Internet 31 39 bytes received sent 175 C calling cards 132 City field 115 Client Anomaly Report 182 Client Report 183 client synchronization datasync 146 definition 124 210 disabling 146 enabling 146 enabling data or software sync 129 FTP service 19 green D and S definition 146 managing updates 145 overview of process 124 126 patch package alternative 126 policy changes conveyed automatically 137 red D and S definition 146 restart after disconnection 126 software sync 146 compression 48 49 175 226 227 core files building new files 147 149 definition 122 synchronizing 125 Corporate Dial Up Number fields 115 corporate ISP adding 108 113 definition 103 uploading login scripts 116 Corporate ISP Namelist 115 corporate POP adding 114 117 definition 103 cost OSPF 57 Cost Index field 111 116 Country Code field 109 115 Credit Card Dialing policy 132 Credit Card PIN policy 132 credit card policies 121 Customer Support E mail address 254 E mail address field 109 phone number 254 D data synchronization 124 146 RiverMaster Administrator s Guide default authorization plug in 77 default gateway 30 Default Gateway field 110 defaultlogin 7 13 Delivery service 8 18 Delivery See Delivery service DES 47 48 225 226 DES See also Triple DES dial p
22. Build Core Data Files Display 4 From the Group menu choose the group you want to receive the new set of core data files 5 Click Build As the core files are built status messages appear in the lower left corner of the pullout and in the Build Status area 148 RiverMaster Administrator s Guide Chapter 6 Controlling Client Synchronization Managing Users amp Groups 6 Ifyou have not previously built core files for this group a Directory Not Found window appears asking you to create a new directory for the core files click Yes to create the directory If you installed RiverMaster in the default location on your computer the new core files are stored in C Program Files Indus River NetworksNRiverMasterNMDataFilesNMRiverPilotN GroupName where GroupName is a subdirectory that matches the group name The new core files are also maintained on the APS If client synchronization is enabled for the group members of the group automatically receive the updated files during synchronization To manually distribute the new core files to users who cannot connect copy the contents of the directory created in Step 6 onto a floppy disk or other distributable media Aurorean users must copy these IRX files into the Data directory on their computers by default C NProgram Files Indus River Networks NRiverPilot Data NOTE After Aurorean users copy the new core files onto their computers they must re enter their VPN and IS
23. Guide Chapter 6 Before You Begin Managing Users amp Groups Group Policies To manage the remote users that will tunnel into your corporate network you should organize users that share similar access and security needs into groups For each group you assign a set of policies that determine the Aurorean Client features and functions that members of that group can use Aurorean Virtual Network policies fall into four categories CJ Dial policies determine the remote user s control over the POP phone numbers dialed by Aurorean Client These policies include whether the user can Change the default order in which POP phone numbers are dialed Edit the phone number digit string before it is dialed to add special dialing codes or change the digits Manually dial the POP phone number using a telephone instead of relying on the modem to generate the digits Diala nationwide phone number such as an 800 888 or 877 number instead of a local phone number O Password policies indicate whether members of this group can save their ISP corporate ISP and VPN passwords on their Aurorean Client computers so that they do not need to enter these passwords each time they connect CJ Credit card policies specify if users can bill international calls against a calling card and save personal calling card numbers on their Aurorean Client computers so that they do not need to enter these numbers each time they connect O Tunnel policie
24. IETF RFC 2138 RiverMaster Administrator s Guide Chapter 4 Adding an Authorization Plug In Setting Up Aurorean Services 14 If you want the APS to apply an MD4 hash to the key returned by the RADIUS server place a check next to the Apply Hash field Place a check in this field only if all of the following statements are true remote users will authenticate against a Steel Belted RADIUS 2 1 or earlier server the tunnel protocol negotiated for all connections by these users will be PPTP and 128 bit encryption is enabled on the Aurorean Network Gateway 15 Do one of the following Click Commit to save the new plug in Click Cancel to clear the fields without saving the plug in 16 If you click Commit you are prompted to re type the Shared Secret 17 Reboot the APS to enable the authorization changes SecurlD Authorization To configure the APS to forward authentication requests to a SecurID server perform the following steps o 1 Open the Configuration pullout I 2 Choose Authorization Plug ins from the Configure pull down box in e the top left corner of the pullout Or in the list of Aurorean devices expand the tree list under the name of your APS by clicking the symbol expand it again under Auth Service and click Make New Plug in The Create New Plug in window will appear as shown in Figure 47 RiverMaster Administrator s Guide 87 Adding an Authorization Plug In Chapter 4 Setting Up Aurorean Services
25. Internet Service Providers ISPs from the list of those available in the master TollSaver database as described in Chapter 5 By limiting the ISPs available for use by remote users and grouping them in POP packages you can minimize the size of the database of Point of Presence POP phone numbers distributed to your Aurorean Client Software users In addition to POP phone numbers you can add corporate direct dial phone numbers to this database Define groups for remote Aurorean Client Software users as described in Chapter 6 For each group you can assign a range of IP addresses to allocate to Aurorean Client Software users when they connect using the virtual subnets you defined in Step 3 You can also grant policies to each group that determine the Aurorean Client Software features and functions that can be used by members of that group Add user accounts to each group as described in Chapter 6 If you plan to authenticate all remote users against an external RADIUS or SecurID server you can skip this step For each user account you must enter a specific IP address or indicate that the Aurorean Network Gateway must allocate the user an address from the group s virtual subnet Generate a customized Aurorean Client Software installation kit for distribution to members of each group as described in Chapter 6 This installation kit contains the Aurorean Client Software application group policy settings destinations and a TollSaver dat
26. Make New Plug in The Create New Plug in window will appear as shown in Figure 46 but without default or configured values RiverMaster Administrator s Guide 83 Adding an Authorization Plug In Chapter 4 Setting Up Aurorean Services Type plug in name JA Properes For Fhage RADIIS Farthenkecotinn x and identifier here Mame steal Belted RADIIS Craabk ser cancel Mum Threads i iU Default Plugin l Click here to create the Barorean Plug in plug in RADIUS Plug in Server Address ESR yourcompany com Shared seret Auth Port 105 fhoont Porti 166 Click here to enter Timeout secs 20 Retry secs 2 rt Plug in Ik Group ate Apply Hah F Tenacat secs I Retry su Figure 46 Sample RADIUS Authorization P lug In Settings 3 Inthe Name field type in a name to describe the plug in This name later appears in the plug in tree list For example if you are adding a plug in for a Steel Belted RADIUS server you can type Steel Belted RADIUS as the name If you plan to authenticate against more than one RADIUS server you can enter a specific server name in this field 4 Inthe Identifier field type a name that remote users will use to select this plug in Aurorean users can include this identifier as part of their VPN user names to override the default authorization plug in For example if you enter RADIUS as the identifi
27. Networks License Agreement eee 249 License Gram oot edDeec do EE 249 Watranity 250 Infringement Indemnification sssssssssseseeeenneeeneee tenen 251 Limitation of Liability retener nennt teniente beet entend ets 251 TerMminatiOn 252 International Provisions tereti teet tht eee anne ane nee die roro dala 252 Applicable Leaw e P 252 U S Government Commercial Computer Software sss 253 Technical Soup Pore erensia r E A E AAE Es 254 Support from Authorized Resellers sss 254 Support from Enterasys Networks sss 254 On lIMe SOL VICES P 254 Phone SUpport se on eedem eren pred edat eiat 254 Index viii RiverMaster Administrator s Guide About This Guide This guide describes how to use Version 3 1 of the RiverMaster management application to set up and monitor Aurorean Virtual Network systems While written primarily to describe how to configure a Aurorean Virtual Network solution for the first time this guide also addresses how to track usage and troubleshoot end to end VPN connectivity problems The guide is designed for network administrators who are responsible for installing and managing local and wide area networking equipment The guide assumes you have experience working with LAN devices such as firewalls routers hubs and file server
28. POP package to associate with the selected group Click Update If you have not already built a POP package refer to Chapter 5 Creating POP Packages for instructions aj 4 Click the Build Custom Installation kit button 5 When the Build Client Install Kit window appears use the Output Directory field to specify where the resulting installation kit file should be stored on your computer A sample window is shown in Figure 74 The default destination for Aurorean installation kit files is C Program Files Indus River Networks RiverMaster RiverPilot_Packages To change the output directory click the button to the right of the field and use the Open window to select or create another directory Click here to start the build Specify where you want the resulting installation kit file stored on your b Bibl Cusipim Aus vetuit Chers atatia ue computer here F Wh sinin p oT nn ERE n bed wi eia Mme i iTr Calltone Wernher sias ret quacfiad HET inna f enaa viene Usera mho install this Kit will connect tec Dieetratin AE FIL Ind Tig rave Serrar diet Pit imlusehu ero ois E adini 115 145 718 4 Juzeis ev bie unir PPTP Tha Palluming Policies are ALLOWED j DID Furmnksr Dislirg ALLOW Leave this box checked eu M 15e ordena eed to receive progress OF jbeedalahies Wome 2h Deui PoP cedernpg ALLOW n d save ESP F rd ALLOW messages as the kit fein eran ad Gave Carparata Faseward
29. POP phone number data files and indicate whether you want the data files preserved or deleted after the kit is built POP data files for each area code are created on the APS and then copied to the RiverMaster computer You can choose to delete these files once they are included in the installation kit or preserve the files for future kits allowing you to select the Use Existing Data Files kitting option In the Zip Files area specify the destination directory and file name for the Zip file used in the self extracting archive and indicate whether you want the Zip file preserved or deleted after the kit is built RiverMaster Administrator s Guide Chapter 6 Creating an Aurorean Client Installation Kit Managing Users amp Groups 12 In the Aurorean Client Kits area specify the source directory of the Aurorean application you want to distribute By default Aurorean is copied into C Program Files Indus River Networks MRiverMasterN RiverPilotKits when you install RiverMaster Aurorean Client files are stored in directories named after the software s version number for example the Version 3 directory contains Aurorean Software Release 3 0 software If you are maintaining different releases of Aurorean among your users indicate which version you want to distribute by selecting the appropriate directory 13 Click OK to close the Advanced Options window and save your changes 14 On the Build Client Install Kit window click Build to
30. Recovery which employs automatic fail over to a backup Aurorean Virtual Network system To access RiverMaster you must enter a user name and password that the Aurorean Policy Server can authorize from its internal database The default login account is netadmin with the password netadmin fal Riverklacter Logan xx Auroran PI neum PET TEST wine E EX eaw f cwes Figure 6 RiverMaster Login Window Log into RiverMaster by typing a user name and password in the fields provided and choosing the Aurorean VPN name associated with the Primary Aurorean Policy Server Click OK RiverMaster Administrator s Guide 13 Logging into RiverMaster Chapter 2 Getting Started with RiverMaster NOTE To prevent unauthorized RiverMaster access Enterasys Networks recommends that you immediately create a new administrator login account in the IRAdmin group and delete the default login account Refer to Chapter 6 for more on adding and deleting user accounts If you have configured a connection to a second Aurorean Policy Server the Select APS window appears as shown in Figure 7 Select the Aurorean Policy Server you want to manage and click OK The RiverMaster Login window then appears as shown in Figure 6 allowing you to log into the selected Aurorean Policy Server EILEEN un Mi E3 Sele the APS you mart bo manage C Seconde 2053 5 112 203 Cancel Figure 7 Select APS Window J CAUTION If
31. RiverMaster Administrator s Guide 177 Report Contents Chapter 8 Generating Reports Rx Table 13 Server Anomaly Report Values Heading Explanation TIMESENT Time the message was sent according to the server s clock MSGTYPE Category of the anomaly message possible values are Alarms for server alarm conditions Alerts for alert conditions that may lead to an alarm state Problem for problem notification messages MSGID An ID number useful for Enterasys Networks Customer Support personnel to isolate the problem DOMAIN The Aurorean Policy Server Domain name assigned to servers within this Aurorean Virtual Network BUILDREV Version of Aurorean system software installed and running on the server in the format Release Build where Heleases indicates the functionality release such as 3 0 and Build indicates an Enterasys Networks internal software version number S W Software component that reported the anomaly Possible values COMPONENT include Authorize Notification Service Aurorean Client Software APS Log Service APS Overlord Service ANG Overlord Service TUNNEL USERNAME Name of the remote user experiencing the problem If the problem was not caused by Aurorean Client Software connection this field contains N A Figure 92 displays a typical Server Anomaly Report 178 RiverMaster Administrator s Guide Chapter 8 Report Contents Generating Reports SERVER AR
32. a new SDCONF rec becomes available select the SecurID plug in from the Auth Service list click Properties and Update Configuration File and repeat Step 10 RiverMaster Administrator s Guide Chapter 4 Generating Private Public Keys Setting Up Aurorean Services Generating Private Public Keys A unique El Gamal private public key pair is produced on all APSs In most cases these keys do not need to change However if you believe the keys have been compromised and your network security is subject to risk you can generate a new El Gamal private public key pair by performing the following steps NOTE When you regenerate the El Gamal private public keys Aurorean users who employ IPSec protocol cannot tunnel into the corporate network until a set of core files containing the new public key are distributed To build core files that contain the new key refer to the instructions in Chapter 6 1 Open the Configuration pullout i 2 Click on the Activity icon in the lower left corner of the pullout to E switch to the Active Tunnel Service List view 3 Expand the tree list under Active Service List click the symbol 4 Click on Enterasys Authentication The Service Control display for the Authentication Service appears as shown in Figure 49 RiverMaster Administrator s Guide 91 Generating Private Public Keys Chapter 4 Setting Up Aurorean Services Canina Click here to inci fier
33. aE n W amp Copper bn Time Jks db oes er oen Ika DH me ee eme Co Fhsbier of Lagtr T Timpa i CERTE Jul TM 1a E x mr 1 Mizi of Lager T Thregigat iniaa mur Tr AT Iz n Logged ie Tie Mke DP peine dil pend Coni os UT wirst T gere oem Figure 98 Accounting Summary Report Double clicking on the client user name line above with the magnifier icon produces a drill down Accounting Detail Report similar to Figure 99 below TIME TIME FROTO VIRTUAL FHYU CAL TEN VEN I it PETS PRI Tn oT COL IF IF KEYTES KBYTEB EBYTES KBYTES WT In ANNATE ATE 85 BUT 1M au Im PU On as Pee eo 1 FFTF PHAR APALEN iii 5 ae by w Trairan kri SP mia H eer mim Feel bema Uer Pogam DNS I oe a BPTP ion Sea Der 53 EE I Dass Sen Tia 1 hrs Sb ia 81 56i eius Eri Remo Vert Req DPR ST e 3 1 PFIP llM2I2IS eal E 55 AND iH EX HE Thararken 1 kr Ti mles 81 a Section Feed Eskari Meer Rega 199 2M 06 20 25 185204 DOP DO 1L 1 FIT Fue ae mi pri qns mig NES ee Dania 2 kr di mia 12 aca Dnia a bawan User TSP RAM 1999002008 Le PPTF Hary SALE ion a MEI in E a Tursin 2 kra MB adn Vi aera Sears Emil Races Weer equi Jemnimq30 3i 18995200 30073 prte ge EIL mum m n Li mi n Dewar Fore mia 57 er Seorien Esi brm per Regum Figure 99 Drill down Accounting Detail Report RiverMaster Administrator s Guide 189 Downloading Viewing and Exporting Reports Chapter 8 Generating Report
34. and C to ANG just as it will propagate knowledge of ANG2 s associated networks X Y and Z to ANGI Then if the virtual subnet 10 10 10 0 is created on ANG2 for use by ANGI site to site clients and is shared with remote Aurorean clients the Aurorean users cannot access networks A B and C on ANG1 because they have no knowledge of those networks To remedy this situation create virtual subnet 187 14 57 0 on ANG2 for Aurorean users RIP will broadcast knowledge of this route to ANG2 enabling Aurorean users to dial into ANGI as well as ANG2 30 RiverMaster Administrator s Guide Chapter 3 Before You Begin Configuring an ANG 3000 7000 Aurorean TT ae lt Routes i J X Y Z Ns Virtual t Network A 10 10 10 3 EZ 1025100 udi i Network B ANG1 ANG2 T Network X E mre TE e 5 Network C 10 10 10 2 Learned Network Y m f Routes x e Site to Site Tunnel A B C Network Z Figure 13 Virtual Subnets for Site to Site and Remote Access Tunnels For instructions on creating virtual subnets for IP address and IPX network number allocation refer to Virtual Subnetting on page 50 Intelligent Client Routing Enterasys Networks Intelligent Client Routing feature provides you with a measure of control over a Aurorean Client user s access to the Internet When enabled this feature is enabled by default Intelligent Client Routing allows remote clients to browse the Internet directly outside of the tunnel For example if a remote cl
35. and indicate how effective compression is on this connection Very low numbers indicate that compression was not negotiated for this connection or that the data passing over the tunnel is not compressible 4 Using the controls shown in Figure 91 control the graph display as follows To start and stop the display use the Play and Stop buttons To temporarily freeze the display to examine activity at a specific point in time use the Pause button To clear the display and restart the graph use the Reset button To adjust the scale to closely examine an individual graph or pull back to view all graphs use the Zoom In and Zoom Out buttons To view the graphs as 3 dimensional objects rather than simply 2 dimensional lines place a check next to 3D RiverMaster Administrator s Guide 175 Using SNMP to Gather Statistics Chapter 7 Viewing Server Activity amp Statistics NOTE You can disconnect an active user by selecting a user from the Active Users list and clicking the Disconnect User button as shown in Figure 90 Play Pause Stop Resets the graph s Adjusts the Changes the scale to the graph s scale graph from default setting zoom in and 2 dimensional zoomout to 3 dimensional Figure 91 Protocol Statistics Display Controls To gain additional details about the user such as how the user was authenticated use the System Activity pullout as described in Monitoring Syst
36. and personnel only with the rights set forth in this license The use of the Licensed Software by the Government constitutes acknowledgment of Enterasys proprietary rights in the Licensed Software The manufacturer is Enterasys Networks 35 Industrial Way Rochester New Hampshire 03866 The licensee or user of this product agrees not to remove any of the RESTRICTED RIGHTS legends and markings included in this software and associated documentation RiverMaster Administrator s Guide 253 Technical Support AppendixC Technical Support Enterasys Networks provides easy access to technical support information through a variety of services Support from Authorized Resellers If you purchased your Aurorean Virtual Network server or software from an authorized Enterasys Networks reseller contact the reseller for technical assistance Most authorized resellers are qualified to provide a variety of services including network planning installation maintenance training and customer support If you unable to contact your reseller contact Enterasys Networks directly as described below Support from Enterasys Networks Enterasys Networks offers two ways of contacting customer support personnel On line Services To receive answers to technical questions on Aurorean Virtual Network products send E mail to support enterasys com Please include your name title company and phone number in all correspondence Phone Support Enterasy
37. as you typed them in the Password field 9 Inthe First Name M I and Last Name fields type the user s first and last name and middle initial optional This information is used for reference only and has no effect on authentication 10 Inthe Job Title and Department fields type information to describe the user s position in the company optional The Department field automatically defaults to the group name 11 Do one of the following Click Commit to store the new user account on the Aurorean Policy Server Click Cancel to cancel the operation 136 RiverMaster Administrator s Guide Chapter 6 Creating a New Group Managing Users amp Groups Modifying User amp Group Information After a user or group has been created you can modify any setting associated with the user or group name including group policies IP address allocation methods and user passwords Although you cannot rename a user or group you can accomplish the same goal by removing the user or group and then reentering the information using a new name To modify user or group information perform the following steps i 1 Open the Manage Users and Groups pullout 2 Click on the appropriate icon in the lower left corner of the pullout to select the Group or User view 3 Select the user or group name from the list of Current Users or Current Groups 4 Click Modify 5 Change the settings for the user or group as required 6 Doone ofthe followi
38. client To cause the ANG to advertise its known routes place a check next to Enable Export This setting is required to allow the ANG to advertise the reachability of virtual subnets to other devices on the network 7 Doone of the following Click Apply to save the RIP configuration changes Click Cancel to close the window without saving your changes Click Reset to the return the interface s protocol configuration to its original setting RiverMaster Administrator s Guide 63 Routing Chapter 3 Configuring an ANG 3000 7000 Configuring OSPF on an Interface To enable OSPF on an interface perform the following steps 1 Add OSPF as described in Adding or Removing a Routing Protocol for an Interface on page 60 or select OSPF from the Routing Protocols list and click Properties The OSPF Interface Configuration window appears as shown in Figure 37 Ie DSPE nimiace Coed rpaatien CEP Wikis feed Tohii mesures l Figure 37 Routing Interfaces Configuration OSPF 2 Type the OSPF password used by routers on your network in the Authentication Password field OSPF authentication passwords are used by routers to determine if they should accept updated routing information sent from another router If your routers do not authenticate updates leave this field blank X NOTE Passwords are limited to 8 characters or less 3 Type the same password in the Re Type Authentication Password field exac
39. dial up access to the corporate network O Add or modify POP information for direct dial up connections NOTE Destinations POP Packages and POP phone numbers are included in the Aurorean Client installation kit that you distribute to your remote users You must perform the steps in this chapter before you can build the custom Aurorean Client installation kit as described in Chapter 6 Before You Begin Before performing the steps in this chapter you should familiarize yourself with the following Aurorean Virtual Network concepts CJ TollSaver database O Corporate dial up access O Problem Notification RiverMaster Administrator s Guide 101 Before You Begin Chapter 5 Controlling Remote User Dialing amp Access 102 TollSaver Database The TollSaver database contains an extensive list of Point of Presence POP phone numbers for many Internet Service Providers ISPs throughout North America A master TollSaver database is maintained on the Aurorean Policy Server To customize this database for your remote users you simply select the ISPs they are permitted to use from a list and create a POP package When you later build a Aurorean Client installation kit the APS uses your selections to extract POP phone numbers from the master TollSaver database to build a POP package that is stored on the APS This custom database is copied onto the remote user s computer when the Aurorean Client installation kit is in
40. dialing list The POP phone number with the lowest weight is dialed first if the POP fails to answer the call for example if the line is busy Aurorean Client automatically dials the next POP phone number By assigning corporate POPs greater weights than standard Internet POPs you can prevent these direct dial up connections from being used until all other options are exhausted Once you create a corporate ISP it appears in the list of available ISPs You then choose the corporate ISP when you select all the ISPs that you want to be part of a POP package For instructions on defining a corporate ISP for dial up access refer to Adding Corporate ISPs on page 108 After you define the ISP you can add individual dial up POP phone numbers as described in Adding POPs for Corporate ISPs on page 114 or if you wish to gather selected ISPs in a group you can create a POP package as described in Creating POP Packages on page 105 RiverMaster Administrator s Guide 103 Before You Begin Chapter 5 Controlling Remote User Dialing amp Access Problem Notification Each Aurorean Policy Server is able to accept reported problems from Aurorean users when they cannot tunnel into the corporate network The Aurorean Client application issues a Problem Notification when it is unable to build a tunnel while dialing the list of POP phone numbers Aurorean Client uses RAS to transfer a Prescriber session report detailing the problem to the APS T
41. ends abruptly O User Error the Aurorean Network Gateway and Aurorean Client were unable to successfully negotiate a tunnel connection In addition to the data described below throughput login and session totals are reported for each client as well as the reason for why the session ended This report also offers a drill down view in a subsequent display Table 17 lists the column headings and values that appear in an Accounting Report Heading Explanation Table 17 Accounting Report Values TIME IN Time the tunnel session started according to the ANG s clock in the format Year Month Day Time where Time is shown in military time TIME OUT Time the tunnel session ended according to the ANG s clock in the format Year Month Day Time where Time is shown in military time PROTOCOL Tunnel protocol negotiated for the session IPSec or PPTP VIRTUAL IP IP address allocated from a virtual subnet to the remote client ADDRESS during the session PHYSICAL IP IP address of the Ethernet port on the ANG that accepted the ADDRESS tunnel session typically the External port RiverMaster Administrator s Guide 187 Report Contents Chapter 8 Generating Reports 188 Heading VPN KBYTES OUT Table 17 Accounting Report Values Explanation Total bytes of data sent end to end over the tunnel from the corporate network to the Aurorean user during the session VPN KBYTES IN Total bytes of data sent end to en
42. i crea ceedesoeanaetee 97 Backing Up the Database eerte entere rene tentent btt esee ro reet 98 Chapter 5 Controlling Remote User Dialing amp Access Before You Begin eee tee teet e arb oaen aiee Sarlin sevheravecsenteseaes 101 TollS verDatabdse scoop cora uim emu oT C E 102 Corporate Dial Up Access sse nennen nnne 103 Problem Notification sai e enne eitis ter itl b nee deor eie eons 104 Creating POP Packages oie eere titre eter Hed reden teres ipee open EROR 105 Adding Corporate ISPs irite eenn eE anA aT EE E E E E nennen 108 RiverMaster Administrator s Guide V Table of Contents Adding POPs for Corporate ISPs nennen nenne 114 Chapter 6 Managing Users amp Groups Before You Begin deeem tte ELA UR RE PEE ECHO HH LEE HS ENS EHE ER EERH S MERE EIE 120 Group Policies te re eere eee HE en ete a desegnesesedseseesxeesteteees 121 Aurorean Client Installation Kits sess 122 Client Sytichronization entes ett rei Pe Hee eee E ESEE e eek He REI HERE 124 emu ais 127 Creating a New Group sse nennen isita espasi tenent 127 Adding Users to a Group enne nennen 134 Modifying User amp Group Information sse 137 Removing Users amp Groups sse entente tenente nnne 138 Creating an Aurorean Client Installation Kit sss 139 Controlling Client Synchronization essere eren 145 Viewing Gro
43. interface and summarizes the steps required to use RiverMaster to configure your Aurorean Virtual Network for the first time RiverMaster Overview When RiverMaster is installed on your PC the computer becomes a management station for the Aurorean Virtual Network receiving dynamic updates from Aurorean Virtual Network systems and making immediate configuration changes All data displayed by RiverMaster is retrieved from databases residing on the Aurorean Policy Server or from incoming messages from either the Aurorean Policy Server or Aurorean Network Gateway no data is stored locally on your PC s hard disk Figure 5 illustrates the interaction between the Aurorean Policy Server Aurorean Network Gateway and RiverMaster PC RiverMaster Administrator s Guide 11 RiverMaster Overview Chapter 2 Getting Started with RiverMaster Aurorean Aurorean Policy Network Server Updated configurations Backup configuration i Gateway go EM Requests for logs Log files n eee Figure 5 Aurorean Virtual Network Communication Flow Using the RiverMaster management application you can CJ Quickly check a server s operational status by determining if all services are running reviewing alarm and alert messages that have accumulated and displaying current tunnel activity the number of users logged in and the amount of data passing over all tunnels O Define virtual subnets to provide IP addresses to remote Aurorean Cl
44. itmpt dr E istmpzd die BJ ere ld iam 4 du Fie game Tuwemuisscs See ii TE o Figure 104 Choose Export File Window RiverMaster Administrator s Guide Chapter 8 Downloading Viewing and Exporting Reports Generating Reports 5 Select the directory to store the report and click Save Optionally you may also rename the file or save it in a different format The Exporting Records window appears as shown in Figure 105 This window is a running tally of the number of records exported and percentage of the job completed Optionally you may click Cancel Exporting if necessary When the Complete percentage reaches 100 the export is completed Optionally you can click Cancel Exporting Exporting Records Figure 105 Exporting Records Window RiverMaster Administrator s Guide 197 Downloading Viewing and Exporting Reports Chapter 8 Generating Reports 6 If you selected HTML versions 3 0 3 2 Extended or 3 2 Standard you are prompted to specify the name of a directory where the report titled default htm will be written The Export To Directory window appears as shown in Figure 106 Export To Directory x Enter the directory name in which to save the HTML pages and images for this report Directory Name Cancel E c E Program Files Note HTML Exporting can produce z Indus River Netwe multiple output files The directory E RiverMaster name eren is NOT used to name an output
45. later Only one user name is required for site to site users to access the connection 244 RiverMaster Administrator s Guide Appendix B Creating Remote Connections ANG 3000 7000 Preconfiguration Stored on a Floppy Disk NOTE A User specified here also must be added to the connecting Local ANG User al Groups for instructions Also be aware that you cannot use this floppy configuration utility to add Users and Groups to standalone ANGs which terminate tunnels Only the Aurorean Policy Manager can perform this task Refer to Chapter 3 Configuring the ANG with Aurorean Policy Manager in the Aurorean Installation amp Service Guide for instructions Group database Refer to Chapter 6 Managing Users and Enter a Password and Confirm Password for this user in the fields provided Select a tunnel Protocol IPSec or PPTP from the pull down list Between any two connecting ANGs in a fully meshed network you can select different tunnel protocols Select the Initial State you want this ANG to default to upon startup If your Local ANG is up and running the Remote ANG will be connected immediately with the default Initial State set to Enabled Click Add The new Remote ANG appears in the Remote Connection Configuration window as shown in Figure 141 RiverMaster Administrator s Guide 245 Creating Remote Connections Appendix B ANG 3000 7000 Preconfiguration Stored on a Floppy Disk 1 ti3 i
46. nY Alive acter Figure 59 Build Completed Window L NOTE Creating a POP package is important to enable any Aurorean Client Installation Kit you create later described in Chapter 6 to dial and allow any users in associated groups also described in Chapter 6 to synchronize POPs RiverMaster Administrator s Guide 107 Adding Corporate ISPs Chapter 5 Controlling Remote User Dialing amp Access Adding Corporate ISPs amp To add a new corporate ISP profile perform the following steps ty 1 Open the Configuration pullout ay 2 Click on the down arrow next to the Configure menu item at the top left edge of the pullout and select POP ISP from the drop down menu 3 Choose Add Modify ISP from the menu The ISP Profiles and Properties display appears similar to the one shown in Figure 60 X NOTE You can modify information about any ISP corporate or otherwise within the ISP Profile display Click here to display menu options Click here to T open the ick here to LEE Configuration display the naira amp ISP Profiles And Properties pullout Corporate ISP SAT AN Fok ET Rd Py menu IS Profiles r IEP Properties Haga acme Camara acme Carper lld sa 55 rs Road Ce oa E nfl Derision ED STATES Enter the ISP s ACHEUFR rs name here T d rar Pacheges QA ace iF Click here to add the ISP Emal oop ctor i
47. number of remote clients You can modify the subnet mask for an existing virtual subnet to provide additional addresses or create entire new virtual subnets RiverMaster Administrator s Guide Chapter 3 Before You Begin Configuring an ANG 3000 7000 Figure 12 shows a sample corporate network that employs two virtual subnets Each virtual subnet provides up to 255 client IP addresses depending upon the subnet mask used By assigning different virtual subnets to each group you can control what devices members of the group can access once they are connected Aurorean Remote Clients Ey Aurorean n Qe T pu ts Firewall Network zi I Gateway E s S 200 100 200 0 E ate ae Router ZA Server 1 200 100 201 0 Server 2 J Figure 12 Remote Client Virtual Subnet Usage For example because Server 1 resides on the same network segment as the ANG all remote clients can access this server regardless of the virtual subnet that provided their address If you enable RIP or OSPF on the ANG Trusted interface the router in this diagram will learn about both virtual subnets However if you enable only static routing on the ANG Trusted interface you can limit access to the 200 100 201 0 subnet to users that receive address from Virtual Subnet 1 To accomplish this you must create two static routes RiverMaster Administrator s Guide 29 Before You Begin Chapter 3 Configuring an ANG 300
48. or demands to the extent that they are based upon i the combination of Licensed Software with any items not supplied by Enterasys ii any modification or change to the Licensed Software by Customer or iii any failure by Customer to implement modifications or replacements distributed by Enterasys that address any alleged infringement This Section states the entire liability of Enterasys with respect to indemnification or liability for infringement or misappropriation of patents copyrights trademarks trade secrets or other proprietary rights by Enterasys or the Licensed Software or any part thereof or by their use or Operation Limitation of Liability ENTERASYS AND ITS LICENSORS TOTAL LIABILITY FOR ANY CAUSE OF ACTION ARISING IN CONNECTION WITH THIS AGREEMENT AND REGARDLESS OF THE FORM OF ACTION WHETHER IN CONTRACT OR IN TORT INCLUDING NEGLIGENCE SHALL BE LIMITED TO THE ACTUAL DOLLAR AMOUNT ENTERASYS RECEIVED HEREUNDER RiverMaster Administrator s Guide 251 Enterasys Networks License Agreement AppendixC FROM CUSTOMER FOR THE PARTICULAR PRODUCTS WHICH ARE THE SUBJECT MATTER OF THE CAUSE OF ACTION IN NO EVENT SHALL ENTERASYS BE LIABLE FOR ANY LOST OR ANTICIPATED PROFITS OR SAVINGS OR ANY INCIDENTAL EXEMPLARY PUNITIVE SPECIAL OR CONSEQUENTIAL DAMAGES REGARDLESS OF THE FORM OF ACTION WHETHER IN CONTRACT OR IN TORT INCLUDING NEGLIGENCE AND WHETHER OR NOT ENTERASYS WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES SOME STATE
49. or remove a routing protocol from an interface continue floppy disk configuration with the following steps 1 Click the Interfaces tab in the Routing Configuration window The Interfaces tab in the Routing Configuration window appears as shown in Figure 133 234 RiverMaster Administrator s Guide Appendix B Configuring Routing Interfaces ANG 3000 7000 Preconfiguration Stored on a Floppy Disk I EH H EH E dps Reports tee andusrreer com mas indusrisdr cnm Remb Gates g Configure Remote Gateway Destinations POP Packages RSS ATES ISP Figure 133 Interfaces Tab in the Routing Configuration Window 2 Selectthe interface Trusted or External from the list under Network Interfaces The protocols already enabled for this interface appear in the Routing Protocols list Do one of the following Toadda protocol to the trusted interface click Add and continue with the next step To remove a protocol select the po from the Routing Protocols list and click Remove Skip to Step 5 When the Add an Interface Routing Protocol window appears as shown in Figure 134 select a routing protocol and click Add RiverMaster Administrator s Guide 235 Configuring Routing Interfaces Appendix B ANG 3000 7000 Preconfiguration Stored on a Floppy Disk CIFT Bmuimg Probes Etahic Ariea Gare Figure 134 Adding a Routing Protocol NOTE For the External interface a can only add or remove static
50. packets dropped during the session due to flow control or checksum errors User of logins Number of logins by the specified user Total time Total interval of time the specified user was logged in Average login time Average session time of specified user RiverMaster Administrator s Guide 185 Report Contents Chapter 8 Generating Reports Figure 96 displays a typical Client Session Summary Report I mr mr TT my FETA eS DTG Gr mnt Lowi Lu m mT m LORDEBTRIC Meeker Tipp ronde rias DR m 4 i 3 E pikie Till ei Tamure rmm im lF m P 1 E RETE VLERAFET duis of Lage i n he Laie i Bee 7 s Tir diu per Tp UODTTNTRIC Beebe of Lege Teppa rasis tm F E m 1 a Lager unm E n E ea Pimrajapi rmm ln LF a a i i i p INI D a a VLERAPRT id mia 8 Tim a rns ria DR a r Logs m remind LIF T Timur sesempea Lin Bi iii aas 1 s i ee ee a Li Toni Bain ci iL Tipai a em am lt b i Lappin me j a On Tem rcrum om F z F Legri ee Ci dan De pam HT aen Figure 96 Client Session Summary Report Double clicking on the user name line above with the magnifier icon produces a drill down view similar to Figure 97 CLIENT SESSION DETAIL REPORT TIME TIME HOST PROT OCOL POP FROM CONN CONN ISP ISP IN OUT NAME PHONE PHONE TYPE SPEED KBYTES KBYTES K OUT kp aradis Pre existing Connection 2001 0
51. reconfigure the Remote Server Click Cancel to close the window without saving your changes Click Delete to remove the Remote Server configuration RiverMaster Administrator s Guide 71 Adding a Remote Server Chapter 3 Configuring an ANG 3000 7000 To change properties for the Remote Tunnel perform the following steps 1 Select your Remote Tunnel from the tree list under Remote Servers 4 and click Properties in the display The Remote Tunnel Properties window appears as shown in Figure 42 Papatet ol amnis Tunnel x Click here to X IE mm update the tunnel J Click here to refresh the values for the Current state and Last try result attributes shown in the Tunnel Protocols window Figure 42 Remote Tunnel Properties Window 2 Change any information If the Remote Tunnel is enabled select Disabled in the Enabled State field and do one of the following Click Update to reconfigure the Remote Tunnel Click Cancel to close the window without saving your changes Click Delete to remove the Remote Tunnel configuration If you clicked Update a window pops up asking if you want to save the modified tunnel Click Yes or No 72 RiverMaster Administrator s Guide Chapter 3 Adding a Remote Server Configuring an ANG 3000 7000 3 Re open the Remote Tunnel Properties window and select Enabled in the Enabled State field if you want to create the tunnel immediately with the reconfigured properties If you clicked U
52. routing Because the External interface is optimized for tunnel protocols only you cannot use RIP or OSPF on this interface 5 Doone ofthe following Ifyou are adding RIP to the interface perform the steps in Configuring RIP for the Interface on page 236 Ifyou are adding OSPF to the interface perform the steps in aoni uane OSPF on an Interface on page 238 Ifyou are adding a static route to the interface perform the steps in Creating Static Routes on page 239 Configuring RIP for the Interface To configure RIP on an interface continue floppy disk configuration with the following steps 1 Inthe RIP Interface window shown in Figure 135 choose the version of RIP to use on this interface RIP Version 1 uses IP broadcast packets for periodic announcements of reachable subnets RIP Version 2 is an enhanced version of RIP that uses IP multicast packets for announcements 236 RiverMaster Administrator s Guide Appendix B Configuring Routing Interfaces ANG 3000 7000 Preconfiguration Stored on a Floppy Disk LA DIETER A VIP letertece Saniga Cw Inbeifaeze hiara ued These values are used to authenticate RIP updates from routers on the network BiP orare T Yemin d 5 Warupn 2 BiP aum emos amim x Password fait pom Eaeari BiP Agai jajn Epit F Enable mipart Fe tnab spest 1 apa T cm neice Figure 135 Routing Interfaces
53. the printing options and click OK Pritt Printer System Printer Cancel Copies 1 Iv Collate Copies From 10D Figure 102 Report Print Window L NOTE If you do not have at least one printer driver installed on n computer the printer button is disabled To install a printer follow the instructions provided in Windows on line Help RiverMaster Administrator s Guide 193 Downloading Viewing and Exporting Reports Chapter 8 Generating Reports Exporting Reports dozen formats to either a file on disk a Microsoft Exchange folder or your mail server via the Microsoft Application Programming Interface MAPI program This feature differs from the export option offered in the report display windows which dumps raw data into a file in ASCII format i Aurorean Virtual Network supports the exporting of reports in more than a Exporting Reports to a Disk File To export reports to a disk file perform the following steps e 1 Click the Export button along the top edge of the report display The Export window appears as shown in Figure 103 Click here to choose a file Format Lomma separnabed value CS Click here to choose a Destination Figure 103 Export Window 2 Select Disk file in the Destination field You may also export the report to a file in a Microsoft Exchange folder or to your mail server using MAPI Refer to Exporting Reports to a Microsoft Exchange Folder on pa
54. to Internet congestion corporate ISP outage or router malfunction the secondary Aurorean Virtual Network system provides continued VPN service to remote users and branch offices From the standpoint of network topology both Aurorean Virtual Network systems share the same Management domain name although they are physically discrete Also a RiverMaster management application serving each Aurorean Virtual Network system is accessible at and operates from a single Windows NT 2000 computer The Aurorean Virtual Network system pairs can handle authentication through a shared database if an external service such as RADIUS or SecurID is used ALR also supports Enterasys authentication via the APS database although this requires that user information be manually replicated in each Aurorean Virtual Network system For more detailed information refer to the AutoLink Recovery Application Note 36 RiverMaster Administrator s Guide Chapter 3 General Aurorean Network Gateway Settings Configuring an ANG 3000 7000 General Aurorean Network Gateway Settings ed General network settings for the ANG include o6 m O The current and possible future IP addresses for the server O Enabling Aurorean Virtual Network s Intelligent Client Routing feature which provides you with a measure of control over a Aurorean Client s access to the Internet Addresses for the Domain Name System DNS Windows Internet Name Service WINS and Network Addre
55. to clients See also IP addresses and IPX ATM backbone name 109 Aurorean Alternate Address Information 42 Aurorean Client installation kits 102 Software Alternate Tunnel Server IP Address field 38 Aurorean Client Software application executable files 125 connection problems 182 creating an installation kit 139 144 Data File Directory field 142 Install Kit Options 141 installation kit components 122 installation kits 38 122 ISPs 109 Kit Directory field 144 Kit Filename field 141 Output Directory field 140 specifying the source directory 143 Zip File Directory field 142 Aurorean Network Gateway 79 all tunnel session counters 187 auto recovery 35 changing IP addresses 38 definition 209 memory and disk usage 8 routing 54 67 234241 statistics 7 16 successful tunnel session counters 183 throughput performance reports 179 tunnel protocols 43 50 221 227 virtual subnets 50 54 228 229 255 Index Aurorean Policy Server 79 backing up the database 98 memory and disk usage 8 RX TOC TXT file 151 statistics 7 17 uploading login scripts 111 116 Aurorean Software Update Service 102 149 Aurorean VPN Name field 5 authentication plug in options 76 tunnel protocols 45 46 221 224 viewing messages 166 Authentication service 20 76 92 Authentication See Authentication service Authorization plug ins 76 Enterasys 81 83 RADIUS 83 87 Auto Link Recovery description 210 logging into RiverMaster 13 AutoLink Recovery 35 36
56. to the Internet 9 Inthe Reachable Subnet fields type a starting IP address and subnet mask to define a subnet Packets received by the ANG are statically routed to the gateway you specified To forward all packets to the gateway when there is no other reachable next hop address for a packet enter an address of 0 0 0 0 and a subnet mask of 0 0 0 0 A CAUTION Configuring a default static route 0 0 0 0 0 0 0 0 on the Trusted interface of the ANG disables Intelligent Client Routing Refer to Intelligent Client Routing on page 31 for more information 66 RiverMaster Administrator s Guide Chapter 3 Routing Configuring an ANG 3000 7000 10 Click Add The static route you configured appears in the Internal Static Routes display 11 Do one of the following Click Apply to create the static route Click Reset to the return the interface s protocol properties to their default settings Click Cancel to close the window without saving your changes RiverMaster Administrator s Guide 67 Adding a Remote Server Chapter 3 Configuring an ANG 3000 7000 Adding a Remote Server 68 An ANG can be added at a remote location in a Site to Site configuration This section describes how to set up an initiating Network Gateway to connect to a Local or terminating ANG APS pair L NOTE Local ANGs use an accompanying APS remote ANGs are stand alone These instructions cannot be used
57. you want to configure a connection to a second Aurorean Policy Server after having already configured a connection to only one server you must first delete the config irxfilein the C Program Files Indus River Networks RiverMaster directory on the RiverMaster computer Then when you click on the RiverMaster desktop icon the Identify your Aurorean Environment window will appear as described in Chapter 1 14 RiverMaster Administrator s Guide Chapter 2 Checking Server Status Getting Started with RiverMaster Checking Server Status RiverMaster s main interface is designed to quickly show the Aurorean Virtual Network s health when you start the application The health conditions are organized into three categories O Problem summary and users logged in O Aurorean Network Gateway statistics CJ Aurorean Policy Server statistics Problem Summary amp Users Logged In As shown in Figure 8 counters at the top and bottom of the interface track both error conditions and successful tunnel login attempts The Problem Summary counters are updated whenever RiverMaster receives one of three types of messages O Alarms notify you when a significant error occurs with a service running on a Aurorean Virtual Network system or a general server problem that is preventing the server from operating normally O Alerts occur when an error count threshold has been crossed and an alarm condition is imminent O Problem Notification messages typic
58. 0 7000 O Using RiverMaster adding a static route for all addresses in the Virtual Subnet 1 range with the router s IP address as the default gateway O On the router create a static route to forward all packets addressed with IP addresses in the Virtual Subnet 1 range to the IP address of the ANG Trusted interface With this arrangement remote clients that receive addresses from Virtual Subnet 1 will be able to access Server 2 Without a static route remote clients that receive addresses from Virtual Subnet 2 will be unable to access Server 2 or any other device on the 200 100 201 0 segment Virtual Subnets for Site to Site and Remote Access Tunnel Servers When you set up a site to site tunnel in conjunction with remote access service we recommend creating separate groups and assigning separate virtual subnets for all your site to site and remote access users This is necessary because RIP does not forward knowledge of a route over the interface from which it learned of that route So if a remote client and a site to site tunnel obtain their virtual IP addresses from the same virtual subnet on the terminating ANG then that remote access client will not be able to learn the routes that are known to the initiator of the site to site tunnel This condition does not apply to a terminating ANG though As shown in Figure 13 if ANGI initiates a tunnel connection to ANG2 RIP will broadcast knowledge of ANG1 s associated networks A B
59. 1 165 32 46 34 z Server 2 165 32 46 115 ANG 165 32 46 98 Aurorean 5 TEA Network pr Gateway Server 1 200 57 115 15 dii 200 57 115 18 Aurorean Policy i Server Figure 15 Aurorean Virtual Network s NAT Server Feature RiverMaster Administrator s Guide 33 Before You Begin Chapter 3 Configuring an ANG 3000 7000 NOTE Aurorean s NAT Server implementation cannot be employed as a client NAT where for example it operates within a cable modem ISP topology Aurorean s NAT Server implementation is server centric Site to Site Tunnels Aurorean site to site tunnels optimize service between remote offices and their remotely linked corporate LANs This configuration is similar to a remote access Aurorean connection in the sense that both configurations originate tunnels from an ANG and terminate the tunnel at a remote site The site to site tunnel configuration differs from the typical ANG model in the sense that the remote server and tunnel must be configured with several network values which identify the remote server to the local ANG Figure 16 displays two site to site configurations of Regional Offices A and B connected to a local ANG and both remote offices connected together as well as a remote access connection into Corporate Headquarters Aurorean Client Aurorean Regional Office A 1 Network Gateway Aurorean Network Corporate
60. 1 19 10 42 51 2001 01 19 10 42 53 kparadis IPSEC N A 9991234567 Tunnel N A 0 0 Duration 0 hrs 00 mins 02 secs 2001 01 19 10 45 24 kparadis IPSEC HTTPS N A 9991234567 Tunnel N A 0 0 2001 01 19 12 05 58 2001 01 19 12 06 31 kparadis IPSEC HTTPS N A 9991234567 Tunnel N A 0 0 Duration 0 hrs 00 mins 33 secs 2001 01 19 12 10 16 2001 01 19 12 10 40 kparadis IPSEC HTTPS N A 9991234567 Tunnel N A 0 0 Duration 0 hrs 00 mins 24 secs 2001 01 19 12 17 04 2001 01 19 12 17 10 kparadis IPSEC NA 9991234567 Tunnel N A 0 0 Duration 0 hrs 00 mins 06 secs 2001 01 19 12 18 30 2001 01 19 12 20 55 kparadis IPSEC N A 9991234567 Tunnel N A 0 0 Figure 97 Client Session Details Report 186 RiverMaster Administrator s Guide Chapter 8 Generating Reports Report Contents Accounting Report This report lists all tunnel sessions that occurred during the selected period sorted by user name In addition to a wide range of tunnel performance statistics for each session this report indicates the virtual subnet IP address allocated to the remote client the duration of each session and the reason the session ended Possible reasons the session ended include O User Request the Aurorean user pressed Disconnect to disconnect the tunnel this is the most common reason for a session to end CJ Lost Service the tunnel was disconnected unexpectedly such as when the Aurorean PC reboots without warning or when the dial up connection between Aurorean and the ISP POP
61. 36 colors or better at 1024 x 768 resolution RiverMaster Administrator s Guide 1 Installing the Application Chapter 1 Installing RiverMaster Software Software Requirements The following operating systems applications and protocols should be installed and configured before you install RiverMaster O Windows NT 4 0 Workstation upgraded with Service Pack 4 SP4 or later version or Windows 2000 Professional O TCP IP protocol O To use Aurorean Policy Manager Internet Explorer 5 or Netscape 4 Installing the Application Before installing RiverMaster close any applications you have running Once the installation is complete you must restart the computer before you can use RiverMaster to manage your Aurorean Virtual Network NOTE You must log into your Windows NT Workstation 2000 computer using an account with administrator privileges before installing RiverMaster Without administrator privileges some files may not install properly and you may be prevented from using some RiverMaster features Upgrading a Previous Release The following instructions assume you are installing RiverMaster on your computer for the first time Do not re install RiverMaster over a previous version Remove the older version of RiverMaster as described in Removing RiverMaster Files on page 9 and then install the new version as described in the following section Installation Steps To install RiverMaster on your compu
62. 5 1399 14 16 LVM Lhd dey cho a 11 195 p4 36r EZ DA 1999 13 11 18 dete choral 20 CORT he 12 DA I9 9 Las eT LEIA 13 11 38 deet chilis wYChant amp yncc IAA L4 disini nl a ante ee ouo 3m Iv Clentsynzcpmpleta TECE Remo af LDA LOF Du a 48 Prom clianti25 Appbeabankanma Hage Test Clent Data Syn comets Liar Marie lr 24 Access Sync Versione Figure 87 Advanced Message Viewer Results Example To view a detailed description of a message double click on the message Figure 87 shows the details of a Connection Start message that reveals information on how the Aurorean Client connected a client named Paul RiverMaster Administrator s Guide Chapter 7 Monitoring System Activity Viewing Server Activity amp Statistics 9 Doone of the following S To retrieve another set of messages click the Search Messages icon and return to Step 3 3 To open or close the window pane that displays detailed description for each message click the Enable Preview Pane icon Toggling this button enables and disables the Print icon Ll To save the query result to a file click the Save Messages As icon The results can be saved as a text only OUT file or formatted as a Aurorean Virtual Network report For more information on report formats refer to Chapter 8 amp To print the query results click the Print icon A Print window appears as shown in Figure 88 set the printing options and click OK Pint Printer System P
63. 6 Aurorean Network Gateway 44 Aurorean VN Servers 37 50 52 55 60 65 262 Triple DES 47 48 225 226 Trusted interface 59 234 tunnel policies 121 Tunnel Protocol policy 133 tunnel statistics 173 176 Compression checkbox 174 display controls 176 GRE checkbox 174 protocol statistics definition 174 175 setting the Tunnel Stats Interval 171 tunneled access 103 111 tunneling 215 type OSPF 57 U UDP port numbers for RADIUS 85 UninstallShield program 9 updates building core data files 147 managing 145 151 uploading software sync files 149 149 151 viewing group policies 146 upgrading a previous release 2 users adding to groups 134 136 Confirm Password field 136 Corporate User Name field 135 how to disconnect an active user 176 Job Title and Department fields 136 Name fields 136 Password field 136 symbols disallowed in fields 136 User IP Address fields 135 V Virtual Private Network VPN 215 RiverMaster Administrator s Guide virtual subnets advantages 28 assigning to groups 129 135 defined as address pools 27 defining IP subnets 50 52 228 229 example 29 scaling 28 support by RIP and OSPF 27 VPN Password policy 131 VPN passwords 131 VPN user name 4 135 VPN See Virtual Private Network VPN W warranty 250 Web Site field 109 weight definition 103 entered for Cost Index 111 116 entered for Performance Index 111 Windows Internet Name Service WINS servers 41 IP addresses 110 RiverMaster Admini
64. 72 30 255 254 on a Class B network Although 172 31 0 0 to 172 31 255 254 is also a reserved range you cannot define virtual subnets within this range because addresses in that range may be taken by the ANG for internal use 192 168 0 0 to 192 168 255 254 on a Class C network These addresses are not routable outside your corporate network By using these addresses for remote clients you can preserve the routable IP addresses for LAN devices NOTE If you allocate addresses from one of these non routable ranges and you want remote clients to be able to browse the Internet while connected you must enable the Intelligent Client Routing described on page 31 or use network address translation There are several advantages to using virtual subnets over other IP address allocation techniques o The ANG can advertise the virtual subnets before remote clients connect Using the other techniques the ANG would only create a host route when the client connected Because routing protocols may take as long as 30 seconds per router to propagate a host route the client may remain unreachable for a period of time Creating individual host routes for each remote client as they connect may overload the network s routers Because ANG 5000s support 5000 tunnels ANG 3000s support 500 tunnels each router may become burdened with 5000 routes in its route table Virtual subnets can be quickly and easily scaled up to accommodate large
65. 90 lucidum 193 Exporting Reports ccccccccssseeescscsesesesesssesescecssscsesescecasscsescseecesassescecessnssseeescenanaeeees 194 Exporting Reports to a Disk File sss 194 Exporting Reports to a Microsoft Exchange Folder ss 203 Exporting Reports Using MAPI s sssrsssresisrssirriissrrsssreissoriessstersrissisicsesastsdiserdstsa 207 Appendix A Glossary Appendix B ANG 3000 7000 Preconfiguration Stored on a Floppy Disk Adding Remote Gateways eene tenete tenentes 218 Configuring ANG IP Addresses sse tenentes 220 Configuring Tunnel Protocols sse eene nennen 221 Configuring Virtual Subnet sssssssssssseesseeeeeeereneneete tenentes 228 Configuring Routing Protocols ccccccescceesssesesnseseseecesescscseseseseecenescsesnasnesesesnensneses 230 OSPF Properties 232 RiverMaster Administrator s Guide vii Table of Contents Configuring Routing Interfaces sssssssssssesseeeeeenenenenerete nennen nennen 234 Configuring RIP for the Interface eet 236 Configuring OSPF on an Interface sssssssesseeseeenennererne tenente 238 Creating Static Routes esee remet tet I HR ete e ei TL Ee EHE Ie eot Eain 239 Creating Remote Connections entente nennt nennen 242 Loading the Floppy Disk nennen 247 Chapter 9 License Agreement amp Support Enterasys
66. ALLOW is built Tdi amena Save VPN Paspeont ALLOW U laka Use Calmi Candi Avr IM l 1 The Fallawing Policies are SOT ALLEISSE D Leima thi faalag bur un uniri Marya iting Ds Ala O i an 1 Dead Strong Exin His Aio se pieni zug Cabe Card FIM DISALLOW They mill be using POPs fram the talliriy DTE Toca Progress messages appear here as the kit is built Figure 74 Build Client Install Kit Window 140 RiverMaster Administrator s Guide Chapter 6 Creating an Aurorean Client Installation Kit Managing Users amp Groups 6 Inthe Kit Filename field specify a name for the self extracting Aurorean installation kit file The default Aurorean installation kit file name is RP Group Releasett EXE where Group indicates which group policies are applied to the Aurorean application and Release specifies the version of Aurorean included in the kit for example V3 indicates Aurorean Release 3 0 You can modify the file name to suit your needs but do not change the EXE file extension 7 Setthe Install Kit Options as follows The first time you build a kit the only option available will be Use datafiles from the APS This choice retrieves POP phone numbers from the APS After you have built your first kit choosing this option is useful if you have added more ISPs or POP phone numbers to your POP package and want to update your configuration To generate a revised TollSaver database from files on the APS the slowest kit b
67. ATS Orid CoU open the uinea Turca Configuration blaragerar iaa T 5 pullout Select the Authenticatio Service Click here to generate new keys Click here to view the list of services Figure 49 Generating El Gamal Private P ublic Keys 5 Click Start to begin generating a new private public key pair A NOTE This display can also be used to start and stop the Authentication Service Because terminating this service can prevent remote clients from connecting to the Aurorean Network Gateway stopping this service should be done only when recommended by Enterasys Networks Customer Support personnel 92 RiverMaster Administrator s Guide Chapter 4 Using the Notification Service to Send E Mail Setting Up Aurorean Services Using the Notification Service to Send E Mail EN There are two stages to setting up the Notification service O Creating a mailing list O Adding addresses to a list Creating a Mailing List The RiverMaster installation process creates an initial mailing list called DEFAULT To create your own custom mailing list perform the following steps ty 1 Open the Configuration pullout i 2 Choose Notifications from the Configure pull down box in the top left E corner of the pullout Figure 50 shows the Configuration pullout with the Notification Service Mailing Lists display selected Click here to view Configure pull down box options Click here to cm open the AMATA Co
68. Apply to create the static route click Cancel to close the window and click Next to continue configuration The Remote Connections Configuration window appears Click Reset to return the interface s protocol properties to their default settings Click Cancel to close the window without saving your changes RiverMaster Administrator s Guide 241 Creating Remote Connections Appendix B ANG 3000 7000 Preconfiguration Stored on a Floppy Disk Creating Remote Connections This section describes how to configure the connections between your ANGs Connection and User names are employed to identify the ANGs at both ends of the tunnel connection See Figure 138 for a graphical representation of an Aurorean Virtual Network meshed network Remote ANG Connections Connection Name New York Chicago User Name Chicago n Group Branch Sales Deam User Names Boston Denver Remote ANG Connections Connection Name New York User Name Denver Remote ANG Connections Connection Name New York User Name Boston Connection Name Chicago Connection Name Chicago User Name Denver User Name Boston I LEER Denver Remote ANG Connections Connection Name destination name ENIRO a e User Name designation of ANG n EI TUM aun a Ch D tunnel to terminating ANG New York Ser Mame SOSON Scapa MEIST Figure 138 Aurorean Virtual Network Meshed Network Topology To connect your configured ANG continue fl
69. Aurorean Virtual Network RiverMaster Administrator s Guide Version 3 1 ENTERASYS NETWORKS 2001 Enterasys Networks All rights reserved This publication contains information that is the property of Enterasys Networks No part of this publication may be copied photocopied reproduced translated or reduced to any electronic medium or machine readable form without prior written consent of Enterasys Networks Information in this publication is subject to change without notice Enterasys Networks assumes no responsibility for errors or omissions in this publication or for the use of this material Part Number AVN RMAG R31 Released March 2001 Printed in the USA For more information on Enterasys Networks products refer to the following table Address 35 Industrial Way Rochester NH 03866 Phone 1 877 641 7400 Fax 603 337 2211 Internet http Awww enterasys com Sales 1 877 641 7400 www enterasys com Support Call the Enterasys GTAC at 1 800 872 8440 or email us at support enterasys com The Enterasys Networks logo Aurorean Prescriptive Diagnostic Engine RiverMaster Intelligent Client Routing and TollSaver and TurboTunnel are trademarks of Enterasys Networks Microsoft MS and MS DOS are registered trademarks and Windows Windows 95 Windows 98 Windows NT Windows 2000 Professional and Windows Millennium are trademarks of Microsoft Corporation in the USA and other countries Virtual N
70. Configuration RIP 2 Inthe RIP Authentication fields choose the algorithm simple or none used by routers on your network If the routers on your network do not require passwords to accept RIP updates set the algorithm to None and skip to Step 6 L NOTE RIP update authentication is only supported by RIP Version 2 If the routers on your network only support RIP Version 1 you cannot enter values in the RIP Authentication fields 3 Type the RIP authentication password used by routers on your network in the Password field RIP authentication passwords are used by routers to determine if they should accept updated routing information sent from another router If your routers do not authenticate updates leave this field blank and skip to Step 6 4 Type the same password in the Re Type Password field exactly as you entered it in Step 3 RiverMaster Administrator s Guide 237 Configuring Routing Interfaces Appendix B ANG 3000 7000 Preconfiguration Stored on a Floppy Disk 5 Set the RIP Route Importing Exporting options as follows 6 To allow the Aurorean Network Gateway interface to learn new routes place a check next to Enable Import If you enabled the Intelligent Client Routing feature you should turn on Enable Import to allow the ANG to pass known reachable addresses to the remote client To cause the ANG to advertise its known routes place a check next to Enable Export This setting is required to allow th
71. DOMALY REPORT FOR 11 TIMESEMT MSGTYFE MS DOMAIN BUILDREY BW COMPONENT USERNAME Mae 2003 robin EI FS ATS Ib Bab i Hetiiewion Serien HA Ho SMTP sewer nbg 104213 Alm a Fe RTS Ib Bab 5i ETS Dibri Service HA ChuLODS i up lcs 3 Fobken Ms KAS RTS 1B Bab 3I TUHHEL HIR LEPESANT Bessel Pisteasl Rejed packet fer RL Can 13212205174 mn ag Tehk mn Tu FETE JP Pob T TUHHEL Hi LCE E2205074 Read Protosci Beject packet for fd Call H 123014 105333 Fre 105 RMSE RTSE 1B Bau 531 TUHHEL HA LCE L2435554 Timeout sending Confip Requests Call H EM 1n 5233 Fiha Ins KMS RIS 1P Baii TUHHEL HA LOPS Timeout sending Config Requeste Call h L2435554 Lieb Probie los RMSE RTSE 1B Bax 537 TUHHEL HA LOPS Ukr Poio Option 19 Call He 15205457 ELANI Pika I EMI ET AD baii li TUHHEL HI LERES EN Uakrom Prosagmi Cptien 12 Cal 213305157 Lela Fria ius RMSE RTSE Ib Baiil TUHHEL Hin LOPS alacer Pood Option 17 Cll 337 13306857 Ir1431 This Ius TR FT 1D Bod I TUHHEL Ho LOPS Deke Frotaamd Option 17 Call He 13206457 EHI Troes IE EME RISE 1B Baud 537 Tie innagemest Sten HA Generic problem aotziamion gvessape Emo 12 00 99 L22 35 Error witing pet state menage bo epa peer IHH Frika 14 EMA RIS 1B Bad 207 Toss higen 5h HA Damai picblen facian epe Ern 12 08 00 122455 The Epi wi nct mpila wih thia EPA Figure 92 Server Anomaly Report Network Gateway Report This report reveals the Aurorean Network Gateway s throughput performa
72. Enterprise Edition documentation for more information RiverMaster Administrator s Guide Chapter 4 Before You Begin Setting Up Aurorean Services NOTE Enterasys Networks continually tests interoperability with other RADIUS server vendors Contact Enterasys Networks Customer Support for an up to date list of approved RADIUS servers Plug in Planning You can add multiple plug ins for RADIUS or SecurID authentication Typically you add one plug in for each RADIUS or SecurID authentication server on your network and preserve the Enterasys Authentication plug in for RiverMaster logins One plug in must be designated as the default plug in When you set up your Aurorean Virtual Network for the first time the default plug in is Enterasys Authentication When Aurorean users attempt to tunnel into the corporate network they must present a VPN user name and password for authentication If the Aurorean Client user presents a simple user name such as BSmith the user is authenticated against the default plug in Aurorean users have the ability to override the default and select another plug in by adding an symbol and the identifier for the plug in For example if you add a RADIUS plug in with the identifier RADIUS1 a Aurorean Client user can select this plug in by entering a VPN user name such as BSmith RADIUS1 Threads You can accelerate the authentication of multiple users logging in at the same time by increa
73. Figure 23 Click here to access the Gateway configuration windows Figure 23 Tunnel Protocol General Settings 5 Ifyou want to prevent remote clients from using one of the tunnel protocols select the protocol and click Remove By default PPTP and IPSec are both enabled for client use You normally control protocol usage on a per group basis by selecting the protocol when you assign group policies refer to Chapter 6 for instructions If you want to globally disable a protocol you can remove it from this list If you have removed a protocol and want to reinstall it click Add once and when the highlighted tunnel protocol pops up click Add again You are not required to click Apply RiverMaster Administrator s Guide Chapter 3 Tunnel Protocols Configuring an ANG 3000 7000 6 Click the Authentication tab Figure 24 shows the authentication parameters available for each tunnel protocol 7 Doone of the following Choose IPSec from the Protocol pull down menu Use the information in Table 2 to select the IPSec Signature Algorithm that determines how IPSec packets exchanged between the ANG and Aurorean users are signed and verified Set the Key Lifetimes Time Period and Data Transferred value The default values are 60 minutes for Time Period and Disabled for Data Transferred Refer to Table 2 to select the Time Period and Data Transferred values which set how long the key lifetime should last in terms of time elapsed or k
74. Guide Chapter 3 Tunnel Protocols Configuring an ANG 3000 7000 Click here to Click here to selectthe Alt Address option open the Alt Addresses window Click here to open the Configuration pullout POP Packages RMS8 RTS8 ISP Figure 22 Aurorean Alternate Address Info Window 5 If you want to change either the ANG or APS Alternate IP address click Modify enter a value and click Update Tunnel Protocols ed The ANG supports two tunnel protocols O Point to Point Tunneling Protocol PPTP developed by Microsoft 3Com and others that uses Point to Point PPP protocol and Generic Routing Encapsulation GRE to route packets through the Internet O IP Security IPSec protocol developed by the Internet Engineering Task Force IETF that adds security extensions for encryption and message authentication to IP protocol For each tunnel protocol you can configure authentication encryption and compression parameters To set tunnel protocol parameters perform the following steps RiverMaster Administrator s Guide 43 Tunnel Protocols Chapter 3 Configuring an ANG 3000 7000 44 1 Open the Configuration pullout 2 Inthe list of Aurorean devices expand the tree list under Servers click the symbol amp 3 Expand the tree list under the name of your ANG 4 Click on Tunnel Protocols to display PPTP and IPSec protocol tab pages The Tunnel Protocols window appears as shown in
75. IP Virtual Subnet Popup Window 2 Enter the starting address of the subnet in the Address fields You can use actual IP addresses from your network or non routable IP address ranges such as 192 168 x x for a Class C network 3 Enter a subnet mask to define the subnet range in the Mask field 4 Doone ofthe following Click Add to add the new virtual subnet Click Cancel to close the window without saving your changes 5 Repeat previous steps for each virtual subnet you require 6 Click Add to save your changes and Next to bring up the Routing Configuration window as shown in Figure 129 To return the parameters to their original settings without saving your changes click Reset RiverMaster Administrator s Guide 229 Configuring Routing Protocols Appendix B ANG 3000 7000 Preconfiguration Stored on a Floppy Disk Configuring Routing Protocols Configuring the routing behavior of the Aurorean Network Gateway consists of two general steps CJ Setting parameters for the two routing protocols supported RIP and OSPF O Selecting routing protocols for each Aurorean Network Gateway Ethernet interface E B Systems m tzH nduzrreer com m mzs amp indusriv amp r corn B Remote Gateways L Configures Remote Gateway IH Destinations HH POP Packages EH RMS amp BTS ISP Fd Reports Figure 129 Protocols Tab of Routing Configuration Window To access RIP and OSPF parameters for the Aurorean Network Gateway
76. P user names and passwords Any From locations they added are preserved and do not need to be reentered Uploading Software Synchronization Files New Prescriber remedies and updated Aurorean Client application files are distributed as part of Enterasys Network s Aurorean Software Update Service In order for Aurorean clients to receive this information a set of files containing the scripts and application executables as well as a table of contents file rx toc txt must be uploaded to the APS Once the files are uploaded Aurorean clients automatically receive the new Prescriber remedies and revised Aurorean Client program files through the software synchronization process RiverMaster Administrator s Guide 149 Controlling Client Synchronization Chapter 6 Managing Users amp Groups A NOTE You must enable software synchronization for each group in order for Aurorean users to automatically receive new Prescriber and Aurorean Client application files Refer to page 146 for directions to enable software synchronization IY To upload new software synchronization files perform the following steps 1 Open the Configuration pullout 2 Click the Update tab 3 Expand the list under Global Area 4 Click the Upload icon The Upload Software Synchronization Files to APS display appears as shown in Figure 80 u a R Click here to view the Upload software Click here to browse for the software synchronization fil
77. Problem Notification Tunnel ID D stopped at TIME TYConfiguration UpdateNfy Tunnel Activity Trace Tunnel service has updated its configuration with a result code TYTunnelSvcStart Success Tunnel Activity Trace Tunnel service has started successfully TYTunnelTrace Tunnel Activity Trace TRACE_MESSAGE Call ID TUNNEL_ID XYBuildClientData SetCompleted Access Activity Trace Client dataset build completed with RESULT at STOPDATE XY BuildClientData SetStarted Access Activity Trace Client dataset build began at STARTDATE XYBuildlspPackage Completed Access Activity Trace ISP package build ended with RESULT at STOPDATE XYBuildlspPackage Started Access Activity Trace ISP package build began at STARTDATE XYClientSyncComplete P P E ge SS e opoje o Access Activity Trace RiverMaster Administrator s Guide Client synchronization completed for user 163 Monitoring System Activity Chapter 7 Viewing Server Activity amp Statistics 164 v amp Advanced Message Viewer While the standard message viewer displays current message activity the advanced message viewer allows you to access messages that were sent on previous days or locate current messages buried in a large output of generated messages Using the advanced message viewer you can specify a period of time for example the previous week and set message filter options for various ty
78. S DO NOT PERMIT DISCLAIMERS OF IMPLIED WARRANTIES OR OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE ABOVE DISCLAIMERS MAY NOT APPLY TO YOU Termination Enterasys may terminate this license agreement and Licensee s right to use the Licensed Software if Licensee materially breaches the terms of this Agreement or fails to pay the licensee fee when due and fails to cure such breach within thirty days of notice thereof by Enterasys International Provisions Licensee agrees that it shall not directly or indirectly export the Licensed Software individually or as part of a system without first obtaining a license from the U S Department of Commerce or any other appropriate agency of the U S Government as required Diversion of products contrary to U S law is prohibited Applicable Law The parties agree that this license shall be governed by the substantive laws of the State of New Hampshire and the United States The exclusive jurisdiction for any dispute regarding this Agreement shall be in the United States of America or for Licensees located in Europe London England The parties expressly disclaim the applicability of the U N Convention on the Sales of Goods RiverMaster Administrator s Guide Appendix C Enterasys Networks License Agreement U S Government Commercial Computer Software This Licensed Software is Commercial Computer Software as provided in 48 CFR 2 101 and is licensed to U S Government agencies
79. SI P D H 158 ee Bri ae yy BETHI E recti e ni o rem 1 M n LES NET s rbuidckaniDataSet onpated THEE Received at 12 05 2089 10 5302 From ACCESS acres iant Muisana Tail Raden chen dataset budil has comelmbed resut I Complutien Time t Click here to a Se rs Reden l open the View System Click here to open the advanced Message Viewer to display messages for other days Activity pullout Figure 85 Message Activity Window 2 Select the types of messages you want to view by choosing one of the following All Messages to view messages of all types generated by the APS and ANG and Aurorean Client Login Logout Activity to limit the display to accounting billing and authorization messages produced when remote clients log in and out Trace to examine activity trace messages that contain details on tunnel protocol negotiation and remote client session reports sent in by Aurorean software Alarms Alerts Notifications to check for alarm alert and problem notification messages that indicate problems at the Aurorean Network Gateway or Aurorean Policy Server or a remote client 158 RiverMaster Administrator s Guide Chapter 7 Monitoring System Activity Viewing Server Activity amp Statistics 3 Use the play and pause buttons in the upper left corner to start and pause the message display During peak periods of activity messages may scroll at a high rate To pause the display to allow you to select a parti
80. Screen 7 Write your notice in the text box The message you write is limited to 256 characters See Figure 82 8 Click Apply to set the Notice for members of the selected Group or Apply to All to set the Notice for members of all groups If you made an error or want to change the selected date or group before applying the notice edit the text and click Apply See Figure 84 Clicking Reset retrieves the last screen saved RiverMaster Administrator s Guide 155 7 Viewing Server Activity amp Statistics This chapter describes how to check activity on Aurorean Virtual Network systems by O Monitoring system activity such as the messages exchanged between Aurorean Virtual Network servers and the RiverMaster O Viewing statistics information on active tunnel connections including GRE packet and compression performance O Using SNMP to gather network statistics Monitoring System Activity Using the Delivery service Virtual Network systems and connected Aurorean Client Software clients exchange detailed messages with one another RiverMaster captures this message activity as it occurs and displays the current messages in a viewer window Messages are also stored in daily log files and can be later retrieved using an advanced message viewer Current Message Activity Using the RiverMaster message viewer you can view all messages as they are sent or filter messages based on three categories O Remote user login and logout ac
81. Server or instruct the Aurorean Policy Server to authenticate remote users against an external authentication server such as a RADIUS or SecurID server When the network administrator changes tunnel connection parameters the Aurorean Policy Server provide updated configuration files to Aurorean Network Gateways on request RiverMaster Administrator s Guide 209 Appendix A Glossary AutoLink Recovery An extension of the fault recovery capabilities of the Aurorean Client which includes automatic fail over to a backup Aurorean Client system in the event of a service outage or VPN hardware failure AutoLink Recovery ALR is implemented with the installation of a second Aurorean Client system consisting of a pair of Aurorean Policy Servers and Aurorean Network Gateways The secondary Aurorean Client system operates in parallel with but independently of the primary Aurorean Client system Each system must be located on the same corporate network but can be physically situated at different sites for disaster recovery For more information about ALR refer to the ALR Application Note Client Synchronization A two part process which automatically upgrades Aurorean Client firmware and settings by downloading updated files from the Aurorean Policy Server During client synchronization a portion of the tunnel is utilized as a management channel between the Aurorean Client computer and the Aurorean Policy Server operating in the background of th
82. Show Logon screens for all information services Figure 114 Choose Profile Window 204 RiverMaster Administrator s Guide Chapter 8 Downloading Viewing and Exporting Reports Generating Reports 4 Select a Profile Name by clicking the arrow next to the field and click OK You can also create a new profile or configure two options The Select a folder window appears as shown in Figure 115 Select a Folder Figure 115 Selecta Folder Window RiverMaster Administrator s Guide 205 Chapter 8 Generating Reports 5 Click on a folder to store the report and click OK The Exporting Records window appears as shown in Figure 116 This window is a running tally of the number of records exported and percentage of the job completed Optionally you may click Cancel Exporting if necessary Downloading Viewing and Exporting Reports When the Complete percentage reaches 100 the export is completed Optionally you can click Cancel Exporting Exporting Records Ea Eee nes E aes fp Za Low A Figure 116 Exporting Records Window 206 RiverMaster Administrator s Guide Chapter 8 Downloading Viewing and Exporting Reports Generating Reports Exporting Reports Using MAPI To export reports to your mail server using MAPI perform the following steps c 1 Click the Export button along the top edge of the report display The Export window appears as shown in Figure 117 Click here to choose a file Format
83. Trace Level here Configuration pullout p Bacco Lares Lii pria is Ms Dicit A irie Nes Pets Click here to Mpa expand the kreias Pim Fig tree list isbn Bier Acom keka Aie Log incus ice Aathertoeton indus Fear T3 Chandar raie Fives ATS Turned Fgeagenent Let Selectthe Click here to service configure the trace level Click here to view the list of services Start or stop the trace service by clicking here Figure 53 ANG Tunnel Management Service Window RiverMaster Administrator s Guide 97 Backing Up the Database Chapter 4 Setting Up Aurorean Services 5 Click the arrow in the Trace Level field and select None Low Medium or High Medium and High trace levels are recommended only for diagnostic purposes and with the supervision of Enterasys Customer Support personnel 6 Click Set to enable the Trace Level RiverMaster now begins tracing messages at the level you set X NOTE If you want to terminate a particular running service click Stop To start up a terminated service click Start Backing Up the Database 98 The Management database management db is a 1Mb file residing on the APS which contains a list of selected ISPs as well as configuration data for both the tunnel and management servers To avoid the possibility of down time should the database become corrupted it is advisable to back it up Consult Enterasys Customer Support for directions to reinstall the database Two options
84. Un Enable Data or Software Sync or both forthe group After you create a group it appears here Assign a pool of IP addresses for all members of this group or indicate that you will individually specify addresses for each user Group view button POP package with this group Figure 68 Manage Users and Groups Pullout Group View 2 Under the list of Current Groups click Add 3 In the Group Name field enter a name for that group For example if you are structuring groups by department you can create groups named Sales Marketing and so forth There is no character limit to Group names and they may contain letters numbers and most symbols The name you enter appears in the Current Groups list after the group is successfully created A NOTE The E symbols are not permitted in the Group Name or Description fields single and double quote space apostrophe tilde percent sign 7o ampersand amp exclamation point backslash forward slash at sign and asterisk 128 RiverMaster Administrator s Guide Chapter 6 Creating a New Group Managing Users amp Groups 4 Inthe Description field enter information that describes the members of the group There is no character limit to descriptions and they may contain letters numbers and most symbols This field is provided for information purposes only and does not affect authentication Only the first 24 characters are s
85. a code RiverMaster Administrator s Guide 115 Adding POPs for Corporate ISPs Chapter 5 Controlling Remote User Dialing amp Access 116 10 11 12 13 In the Cost Index field enter a number between 0 and 999 to indicate the relative cost of using this POP This number is factored into the Weight value that appears on the Aurorean Client interface and affects how POP phone numbers are ordered for dialing High cost POPs appear at the bottom of the list and therefore are dialed last In the Performance Index field enter a number between 0 and 999 to indicate the performance history of this POP This field is currently not implemented In the Modem Type field enter maximum speed of the modem in bits per second located at the POP or in the corporate dial up server For example if the POP offers 56K modem access type 56000 in this field The modem type will appear on the Aurorean Client interface exactly as you typed it In the optional Login Script field type the full path or just the name of a script file for RiverMaster to locate optionally using the browse button to search for the directory on your computer where it is stored Some corporate ISPs use scripts to enable client login After you download the script file to your computer RiverMaster uploads it to the IndusRiver Database PopScripts directory on your APS Later when you create an installation kit the login script is incorporated into the management d
86. abase with POP phone numbers for the ISPs assigned to the group RiverMaster Administrator s Guide Chapter 2 Setting Up a Aurorean Virtual Network the First Time Getting Started with RiverMaster Once remote users begin tunneling into the corporate network using Aurorean Client Software software you can view this activity using the Tunnel Statistics window described in Chapter 7 You can also produce detailed daily usage reports as described in Chapter 8 Authentication requests and other user activity messages are also displayed in the System Activity window described in Chapter 7 This window also displays alarm and alert messages that warn you when server errors occur RiverMaster Administrator s Guide 23 3 Configuring an ANG 3000 7000 This chapter describes how to configure network settings for your local Aurorean Network Gateway ANG 3000 7000 Local ANGs have an accompanying Aurorean Policy Server and are configured using RiverMaster Remote ANGs are stand alone systems configured by using the Web based Aurorean Policy Manager utility The ANG 1000 is configured using its Web based configuration utility only Network settings for the ANG fall into these categories O General settings such as the DNS WINS and NAT servers that remote clients require for name resolution or authentication O Tunnel protocol PPTP or IPSec parameters for authentication encryption and compression CJ Virtual subnets containing po
87. achable subnets RIP Version 2 is an enhanced version of RIP that uses IP multicast packets for announcements 3 Inthe RIP Authentication fields choose the algorithm used by routers on your network If the routers on your network do not require passwords to accept RIP updates set the algorithm to None and skip to Step 7 62 RiverMaster Administrator s Guide Chapter 3 Routing Configuring an ANG 3000 7000 NOTE RIP update authentication is only supported by RIP Version 2 If the routers on your network only support RIP Version 1 you cannot enter values in the RIP Authentication fields Refer to Configuring RIP for the Interface on page 62 for instructions on selecting the version of RIP used on your network 4 Type the RIP authentication password used by routers on your network in the Password field RIP authentication passwords are used by routers to determine if they should accept updated routing information sent from another router If your routers do not authenticate updates leave this field blank and skip to Step 2 5 Type the same password in the Re Type Password field exactly as you entered it in Step 4 6 Setthe RIP Route Importing Exporting options as follows To allow the ANG interface to learn new routes place a check next to Enable Import If you enabled the Intelligent Client Routing feature you should turn on Enable Import to allow the ANG to pass known reachable addresses to the remote
88. ally indicate an error at the Aurorean Network Gateway or a remote client connection problem which Aurorean Client Software s Prescriber feature diagnosed and reported Prescriber is a Aurorean Virtual Network feature which diagnoses why a tunnel connection failed and attempts to correct the problem RiverMaster Administrator s Guide 15 Checking Server Status Chapter 2 Getting Started with RiverMaster Indicates current alarms alerts and informational messages that appear in Pi Click here to view the System Activity window more details about refer to Chapter 7 for more logged in users information Total number of remote users authenticated and connected to the corporate network via the Aurorean Network Gateway Running Petree ni Running Deer Bunn Nori catis hun ng Figure 8 Aurorean Network Gateway Status Information Aurorean Network Gateway Statistics Figure 9 shows the statistics information RiverMaster displays for the Aurorean Network Gateway The graph indicates total amount of bytes sent and received over all tunnels processed by the Aurorean Network Gateway to view the traffic passing over a single tunnel click the button at the top right corner of the graph 16 RiverMaster Administrator s Guide Chapter 2 Checking Server Status Getting Started with RiverMaster Aggregated number of bytes ANG Statistics g received and sent over all tunnels processed by the mEn LEM Aurorea
89. ame Protocols list X NOTE Direct access does not support Data Software Synchronization 21 Ifyou are adding a corporate ISP because it does not appear in the TollSaver database select Tunnel Aurorean users will dial into a POP for this ISP and then negotiate a tunnel into the corporate network In the optional Login Script field type the full path of a script file for RiverMaster to locate optionally using the browse button to search for the directory on your computer where it is stored Some ISPs use scripts to enable client login These scripts are provided by the ISPs often on their Websites After you download the script file to your computer RiverMaster uploads it to the IndusRiver Database PopScripts directory on your APS Later when you create an installation kit the login script is incorporated into the management database and built into Aurorean NOTE Script files are not uploaded without the SCP extension RiverMaster Administrator s Guide 111 Adding Corporate ISPs Chapter 5 Controlling Remote User Dialing amp Access Select the script file to upload here Type the full path or justthe name of the script file here 112 22 When the Select New Script Files window appears click the browse button in the Look in field and find the script you wrote or obtained from your ISP When finished click Open The Script window appears as shown in Figure 62
90. an Client Software installation kits can also consume Aurorean Policy Server memory High disk space usage is normally a result of many large log and report files accumulating on the hard disk NOTE When 85 of the Aurorean Policy Server drive capacity is full the server automatically begins deleting logs and reports older than 90 days Log and report deletions are not configurable at this time RiverMaster Administrator s Guide Chapter 2 Setting Up a Aurorean Virtual Network the First Time Getting Started with RiverMaster Setting Up a Aurorean Virtual Network the First Time When you start RiverMaster for the first time you need to perform several basic configuration steps to put your Aurorean Virtual Network into operation These basic steps are outlined below with references to the detailed instructions provided throughout this manual 1 Enter the Aurorean VPN name for your Aurorean Virtual Network equipment and enter the IP address es of the Aurorean Policy Server s You are prompted to enter these values the first time you start the RiverMaster application After you login with the default user name and password set the authentication encryption and compression options used during tunnel connections These options are set separately for each tunnel protocol PPTP or IPSec as described in Chapter 3 Allocate IP addresses for remote users to use when they tunnel into the corporate network
91. appears as shown in Figure 127 To return the parameters to their original settings without saving your changes click Cancel RiverMaster Administrator s Guide 227 Configuring Virtual Subnets Appendix B ANG 3000 7000 Preconfiguration Stored on a Floppy Disk Configuring Virtual Subnets This optional section describes how to create virtual subnets that serve as IP address pools for allocation to remote clients when they connect aA NOTE Virtual subnets are configured for terminating ANGs only If you are configuring an initiating ANG skip to Configuring Routing Protocols on page 230 EA ps8 nTSB Bi sritems Bk ts amp indusriear com H mig indus river cwm iE Remote Gateways Configure Remate Gateway EH Destinations FHG POP Packages AMSA ATEB ISP F Reports Figure 127 Subnet Configuration Window To set up virtual subnets of IP addresses to allocate to remote users continue floppy disk configuration with the following steps 228 RiverMaster Administrator s Guide Appendix B Configuring Virtual Subnets ANG 3000 7000 Preconfiguration Stored on a Floppy Disk 1 Click Add The Add an IP Virtual Subnet popup window appears as shown in Figure 128 AJ Aili An WP m Silin dh Add An IP Virtual Subnet Address ee TTT E Warning Virtual Subnsts are NOT ALLOWED to gwarlap the IP Addresses assigned to thee physical interfaces of the Mebwork Gateway Figure 128 Add an
92. are available for saving the database You can simply copy the file into a default directory on the APS or copy it a second time into a directory of your choice on your management device a remote network site or to a ZIP device To back up the Management database on the APS perform the following steps 1 Open the Configuration pullout 2 Click on the Activity icon in the lower left corner of the pullout to switch to the Active Tunnel Service List view 3 Expand the tree list under Active Service List click the symbol RiverMaster Administrator s Guide Chapter 4 Backing Up the Database Setting Up Aurorean Services 4 Click on Indus River Access The Service Control display for the Access Service appears as shown in Figure 54 trader Fire AS Dewiced Viae Pieni Fired Trias Faces Hansa iraia Fever Pip Hinata RES i dE 4 Click here to irait F re ATS DI eri yaka Ae open the Midas Ries ATS T used d i Selectthe Hanged Sani xil i ae Access P Service Click here to start the backup Click here to view i Click here to download the database f the list of services to the directory of your choice Figure 54 Starting a Database Backup 5 Click Start on Backup Database A window pops up stating the database and the auth1oc files were copied to the C IndusRiver Database Backup directory Click OK Auth1loc contains a copy of the El Gamal key A CAUTION This display can also be used to star
93. aster Administrator s Guide On the main Windows NT 2000 desktop double click the RiverMaster icon Alternatively you can click the Start button point to Programs point to Indus River Networks and then click RiverMaster In the RiverMaster program group click RiverMaster to launch the application After a few seconds the Identify Your Aurorean Environment window appears as shown in Figure 1 Lx iderdily your urnrean Erwronment A Figure 1 First Time Setup Information In the Aurorean VPN Name field type a collective name that will be shared by all Aurorean devices on your corporate network This name is set using the APS Quick Configuration wizard program refer to the Aurorean Installation amp Service Guide for more information Installing the Application Chapter 1 Installing RiverMaster Software 3 Doone ofthe following Ifyou are configuring only one Aurorean Policy Server enter the IP address assigned to it in the Primary fields and click OK The RiverMaster Login window will appear as shown in Figure 3 with the Aurorean VN Name APS name and IP address displayed as you specified earlier Skip to Step 5 If in addition to configuring a Primary APS you have installed a backup APS to use with the Auto Link Recovery feature supply this IP address in the Alternate fields after entering an IP address of the Primary APS in the fields provided Click OK The Select APS window will appear as shown in Figure 2 Thi
94. ata Encryption Standard DES a block cipher method that uses 56 bit keys Using DES data is encrypted in fixed size blocks and packets are padded to become a multiple of the block size Triple DES Enables a version of DES described above that employs a DES encryption with one key a decryption with a second key and then another encryption with a third key The result is equivalent to DES with a 112 bit key MPPE 40 bit Enables 40 bit key Microsoft Point to Point Encryption MPPE which generates a key based on a hash of the user s password and invokes RC4 encryption This type of encryption is supported by Windows 95 98 NT 2000 ME computers without any additional software MPPE 128 bit Enables 128 bit key MPPE on the tunnel To support 128 bit keys the Aurorean computer must receive a 128 bit encryption upgrade available from Microsoft This upgrade may not be available to users outside the U S 10 Click the Compression tab 48 RiverMaster Administrator s Guide Chapter 3 Tunnel Protocols Configuring an ANG 3000 7000 11 Enable or disable MPPC as required For both IPSec and PPTP protocols Microsoft Point to Point Compression MPPC is currently the only compression technique supported by the ANG By default MPPC compression is enabled for both protocols X NOTE Compression settings are applied automatically to both tunnel protocols That is disabling compression on IPSec also disables com
95. atabase and built into Aurorean Client X NOTE Script files are not uploaded without the SCP extension RiverMaster Administrator s Guide Chapter 5 Adding POPs for Corporate ISPs Controlling Remote User Dialing amp Access 14 When the Select New Script Files window appears click the browse button in the Look in field and find the script you wrote or obtained from the ISP When finished click Open The Script window appears as shown in Figure 65 Sec Heus Scis files Click here to browse the network for the Select the script file script file to upload here Click here to upload Type the full path or the file to the APS justthe name of the script file here Figure 65 Select New Script Files Window 15 Doone of the following Click Commit to save the new POP information Click Cancel to clear the POP information without saving your changes RiverMaster Administrator s Guide 117 6 Managing Users amp Groups This chapter describes how to O Add modify and remove groups from a database residing on the Aurorean Policy Server Group settings include policies that determine the Aurorean Client features and functions that your remote users are allowed to use O Add modify and remove individual user accounts that are used to authenticate remote users via the Enterasys Authorization service C Create a customized Aurorean Client installation kit to distribute to your r
96. ated to the client for the duration of the connection To receive an IP address in this manner the remote client must authenticate against the Enterasys authorization plug in as described in Chapter 4 O Authenticate remote clients against an external authentication server such as a RADIUS server and have that server allocate IP addresses To receive an IP address in this manner the remote client must authenticate against a RADIUS plug in as described in Chapter 4 O Define one or more virtual subnets that act as address pools Virtual subnets are linked to groups when a member of a group connects an address from within the virtual subnet is allocated to that user for the duration of the connection To support virtual subnets the ANG must learn the topology of the corporate network and advertise to other devices that remote clients on the virtual subnet are reachable To do this the ANG supports Routing Information Protocol RIP and Open Shortest Path First OSPF routing protocols The ANG supports both RIP Version 1 and Version 2 RiverMaster Administrator s Guide 27 Before You Begin Chapter 3 Configuring an ANG 3000 7000 28 Virtual subnets can use both legitimate IP addresses unique addresses purchased and registered by your company and non routable address ranges reserved for private network use only These reserved address ranges include og o o 10 0 0 0 to 10 255 255 254 on a Class A network 172 16 0 0 to 1
97. ay also force a total server reboot if necessary If Stopped The Aurorean Policy Server automatically reboots itself approximately 20 seconds after the Overlord service stops Retrieval Retrieves statistics and messages from both the Aurorean Network Gateway and Policy Server to generate activity and anomaly reports You cannot download and view reports using RiverMaster Delivery 18 Carries messages between all Aurorean Virtual Network components including servers Aurorean Client Software clients and the RiverMaster management application Delivery is a critical service that must be operational for Aurorean Virtual Network components to initialize properly and synchronize with one another The Aurorean Policy Server cannot communicate with the RiverMaster application and remote users are unable to authenticate and establish a tunnel connection with the Aurorean Network Gateway The Aurorean Policy Server automatically reboots itself approximately 3 minutes after the Delivery service stops RiverMaster Administrator s Guide Chapter 2 Getting Started with RiverMaster Checking Server Status Service Notification Table 1 Aurorean Policy Server Services Function Reports alarm alert and problem notification messages using E mail If Stopped The Aurorean Policy Server and Network Gateway can operate normally but E mail messages are no longer sent when alarms alerts prob
98. cause source data roe in each daily report is not collected by the APS until the end of the day you cannot generate a report for the current day 5 Doone of the following Click Get Report to start generating the report RiverMaster sends the report request to the APS which FTPs the file to the RiverMaster computer To vary the width of the report select a value in the percentage field After the report appears you can Q double click the magnifier icon on a user s name to focus on user specific data Click Export Data if you want to simply export the data in flat ASCII text without viewing the report A Save As window appears prompting you to select the directory to store this file X NOTE Depending upon the level of activity and interval queried iin may need to wait a while for a report viewing window to appear as shown in Figure 101 For example an Accounting Report for 1000 sessions may take 10 minutes or more to download For reports which cover hundreds of logins or many weeks of heavy activity the report viewing window E dae blank and the hourglass which usually indicates activity also isappears while data is being compiled A CAUTION If you run two sessions of RiverMaster do not generate the same type of report on both sessions at the same time If you require the same report from both RiverMasters wait until one report is finished compiling before starting the second r
99. cols such as TCP IP IPX and NetBEUI and uses encryption to secure the data sent over the Internet PPTP was developed jointly by Microsoft and U S Robotics 3Com Policy A set of rules that governs how remote users log onto the corporate network Corporate policies are defined by the network administrator and maintained on the Aurorean Policy Server Policies fall into two general categories Internet access and user group administration For Internet access the network administrator determines which ISPs and telephone carriers the remote user can select what rates are acceptable for phone calls and Internet connection periods and which regions of the country the remote user may connect from These policies are reflected in the customized TollSaver database that is distributed as part of the Aurorean Client For user group administration the network administrator establishes the log in methods for both ISP access and corporate network access specifies the use of protocols encryption and compression and determines the user s right to change his or her username or password POP Package A set of ISPs that can be assigned to one or more client groups RiverMaster creates a POP package as the first most time consuming step of the Aurorean Client Installation Kit build when the TollSaver database is generated The second step of the kit build incorporates configuration values for the system with the POP package and its associated ISPs
100. continue floppy disk configuration with the following steps 230 RiverMaster Administrator s Guide Appendix B Configuring Routing Protocols ANG 3000 7000 Preconfiguration Stored on a Floppy Disk 1 Doone ofthe following To set RIP parameters choose RIP from the Routing Protocols menu and click Properties continue with Step 2 The RIP Configuration popup window appears as shown in Figure 130 To set OSPF parameters choose OSPF from the Routing Protocols menu and click Properties skip to OSPF Properties on page 232 ADT Conliquestion Rin Configuration IP RIP Enable E C Disable Figure 130 RIP Configuration Popup Window 2 Inthe RIP Configuration popup window if you want to turn on RIP for IPX packets click Enable under IPX RIP Enable otherwise continue with the next step RiverMaster Administrator s Guide 231 Configuring Routing Protocols Appendix B ANG 3000 7000 Preconfiguration Stored on a Floppy Disk 3 Doone ofthe following Toallow the Aurorean Network Gateway to accept RIP updates from all routers on the same subnet no further work is required Skip to OSPF Properties To configure trusted individual routers to supply RIP updates to the Aurorean Network Gateway click Add and continue with the next step The Add A Trusted Gateway window appears as shown in Figure 131 APTENT Errrr Hui Addaia if the rud Garissa In adi EC ES 11711 BED Figure 131 Adding A Tru
101. counters 5 Click OK to save Performance Option changes or Cancel to exit the window without changing the values 172 RiverMaster Administrator s Guide Chapter 7 Viewing Tunnel Activity Viewing Server Activity amp Statistics Viewing Tunnel Activity The Tunnel Statistics window displays counters in graphic and column form The graphical window can be configured to display any Generic Routing Encapsulation GRE or compression counters you select in the available checkboxes The Active Users boxes show the User Name Login Time and Tunnel ID for users logged in and log in or session time for users who are currently logging in or out To view data for a user currently tunneled into the network do the following v 1 Onthe main RiverMaster interface click the Aurorean Network Gateway Details button A Tunnel Statistics window appears similar to Figure 90 Control the frequency that IP address user tunnel data derived from the are displayed by virtual subnet or adjusting the static address Tunnel Stats given to the Interval with the N iar client for the RiverMaster a fa ik PA duration of the Options button TT ee ibi abe mes connection Use these buttons to control the tunnel statistics graph Selectthe statistics you wantto graph here Users in the process of Connected users logging in or out appear here appear here Disconnect active user here Figure 90 Tunnel Statistics Window RiverMaster A
102. cular message to examine in detail click the pause button When the display is paused the number of messages waiting to be shown appears in parentheses above the button For example if RiverMaster received five messages since you paused the display 5 appears above the button Table 9 System Activity Display Heading Meaning Message type possible values are amp Authorization message resulting from a remote client s attempt to authenticate Accounting and billing message indicating a remote client logging into or out of the VPN Problem notification message signaling a connection problem at the Aurorean Network Gateway or the remote client Activity trace message providing details on tunnel protocol negotiation and showing remote client session reports sent in by Aurorean Client software o Message from the Tunnel or Aurorean Policy Server indicating an alarm condition has occurred such as a server reboot or El Gamal key pair reissuance Date The time and date RiverMaster received the message based on the Received RiverMaster PC s clock Originator The source of the message Messages originating from the Tunnel or Aurorean Policy Server display the originator as N A If the message was generated by Aurorean Client software the remote client s user name appears in this column RiverMaster Administrator s Guide 159 Monitoring System Activity Chapter 7 Viewing Server Activity amp Statistics 160
103. d Enterasys Enterasys reserves any rights not expressly granted to you You own the media on which the software is originally or subsequently recorded or fixed but Enterasys retains ownership of all copies of the software itself License Grant Enterasys Networks 35 Industrial Way Rochester New Hampshire 03866 hereby grants to Licensee a personal nonexclusive non transferable license to use the Licensed Software on the servers on which the Software is first installed Licensed Servers and on an unlimited number of client processors subject to the limit on simultaneous users as specified by the RiverMaster Administrator s Guide 249 Enterasys Networks License Agreement AppendixC 250 scope of the license that Licensee has purchased from Enterasys Should one or more the above Licensed Servers be upgraded and or replaced by other Enterasys servers purchased by Customer pursuant to Enterasys s then current upgrade policy the license may be transferred and the Software may be used on the replacement server s This License shall commence upon the receipt by Licensee of the Licensed Software and shall continue until Licensee discontinues use or this Agreement is terminated No ownership of the Licensed Software or any of its parts is transferred to Licensee Licensee may make copies of the Licensed Software in object code form for archival and backup purposes only All copies including copies of the documentation must bear the copyri
104. d of a local phone number Because ISPs often charge a premium for this type of access your may want to restrict users from dialing these numbers This policy is disabled by default 9 Click the Password tab and set the group s password policies as described in Table 6 and shown in Figure 69 130 RiverMaster Administrator s Guide Chapter 6 Creating a New Group Managing Users amp Groups Table 6 Password Policies Explanation Save VPN When enabled Aurorean users can save their VPN password This Password password is used while creating the tunnel to authenticate the user against the APS user database or an external RADIUS server When this policy is disabled users must retype this information each time they try to tunnel into the corporate network This policy is disabled by default Save When enabled Aurorean users can save the password they use for direct Corporate corporate network access When this policy is disabled users must Password retype this information each time they try to log into the corporate network This policy is enabled by default Save ISP When enabled Aurorean users can enter and save their password for Passwords each ISP they plan to use The ISP password is used to log the user into the ISP and gain access the Internet When this policy is disabled users must retype this information each time they try to log into an ISP This policy is enabled by default Faszmord Save Policy for gro
105. d over the tunnel from the Aurorean user to the corporate network during the session ISP KBYTES OUT Total bytes of data sent from the ISP POP to the Aurorean user during the session ISP KBYTES IN Total bytes of data sent from the Aurorean user to the ISP POP during the session PKTS OUT Total number of packets transmitted over all tunnels from the ANG Packets are shown in terms of total counts and packets per second throughput PKTS IN Total number of packets received over all tunnels by the ANG Packets are shown in terms of total counts and packets per second throughput PKTS RETRNS Total number of packets retransmitted because they were received out of order DUP PKTS Total number of packets received which were duplicates of previously received packets LOST PKTS Number of packets dropped during the session due to flow control or checksum errors User of logins Number of logins by the specified user Total time Total interval of time the specified user was logged in Average login time Average session time of specified user Figure 98 displays a typical Accounting Summary Report RiverMaster Administrator s Guide Chapter 8 Report Contents Generating Reports VEN YI I ise FETS FE EFYTES EAYTER ENYTES EAYTER OUT TH aur mt our IN Herei of Leger 4 Tion izis mE Ims Wr Tu H El Lagu Tre dum 2A wma jen Cire bus 2 mum jer jrg Hir Lapar LO
106. dministrator s Guide Chapter 5 Before You Begin Controlling Remote User Dialing amp Access Corporate Dial Up Access Within RiverMaster the terms corporate ISP and corporate POPs are used to describe two types of connections O Direct dial up remote access to equipment on your corporate network such as a Windows NT Server equipped with modems and running remote access service RAS O Tunneled access through an ISP that is not included in the TollSaver database such as a small regional ISP that provides your Internet connectivity You can integrate phone numbers for these connections into the TollSaver database as corporate POPs Aurorean Client treats these corporate POP phone numbers no differently from actual POP phone numbers When the Aurorean Client user enters a From location that is within the local calling area of the direct dial up equipment or the regional ISP the corporate POP appears in the list of available POP phone numbers To integrate corporate POP phone numbers into the TollSaver database you first define one or more corporate ISPs Defining an ISP involves describing its location entering support contact phone numbers and corporate network information You must then add individual corporate POP phone numbers to each corporate ISP In addition to the phone number you can choose cost and performance indicators that factor into the weight assigned to this method This weight determines the POPs placement in the
107. dministrator s Guide 173 Viewing Tunnel Activity Chapter 7 Viewing Server Activity amp Statistics GRE Generic Routing Encapsulation 174 2 From the Active Users list click on a user name 3 Using the GRE and Compression checkboxes choose the types of statistics you want to graph for the selected user Table 12 describes the types of statistics you can choose Flow Pkts Table 12 Protocol Statistics Meaning The number of GRE packets dropped by the Aurorean Network Gateway due to flow control and full receive buffers Trends to Look For This value usually indicates congestion at the Aurorean Network Gateway caused by a large number of users logged in and or a high volume of data being transferred Sudden spikes in this graph occur when the Aurorean Network Gateway is unable to keep pace with incoming tunnel packets Pkts Lost The number of GRE packets lost by the Aurorean Network Gateway This value indicates checksum failures corrupted packet headers or flow control problems the Flow Pkts count is included in this value Sudden spikes in this graph occur when the Aurorean Network Gateway is unable to keep pace with incoming tunnel packets Acks Recvd The number of GRE acknowledgment packets received by the Aurorean Network Gateway Acks Sent The number of GRE acknowledgment packets sent to the remote client These values result from overhead traffic betw
108. e Chapter 4 Using the Notification Service to Send E Mail Setting Up Aurorean Services Adding an Address to a Mailing List To add E mail addresses to a mailing list perform the following steps ity 1 Open the Configuration pullout 2 Choose Notifications from the Configure pull down box in the top left p corner of the pullout Figure 51 shows the Configuration pullout with the Notification display selected Click here to view Configure Choose the mailing list that you want pull down box options to add the new address to here Ennigas Et piPicetian Servior Maing Liste Click here to select Notifications Renae Click here Mam toopen the Fram Agire Configuration T Fi pullout Berets Servers Add Berea Heie Adi Ferais Tusreal ra Click here to ti add an zi f pesiraticnn address to a ACPHE V FT mailing d or Packages address list Haka liar artan Figure 51 Detailed Notification Service Mailing List Window 3 Selecta mailing list from those shown in the Mailing Lists list box and click Modify the Modify button to the right of Mailing Lists 4 Click Add the Add button below the Recipients list An Add a Notification E Mail Address window appears similar to the one shown in Figure 52 RiverMaster Administrator s Guide 95 Using the Notification Service to Send E Mail Chapter 4 Setting Up Aurorean Services Figure 52 Add a Notification E Mail Addr
109. e t decries in uberes r com Configuration F Farce Geaen pullout Click here to op nesu ancra Brang Pertecdlsi access the BOW ron Fecages WI Buster Gateway kCMEVRH SF Sti c guber configuration oap taies windows A j SENATE j montw Figure 34 Aurorean Network Gateway Routing Interface Configuration Adding or Removing a Routing Protocol for an Interface To add or remove a routing protocol from an interface perform the following steps os 1 Open the Configuration pullout 2 Inthe list of Aurorean devices expand the tree list under Servers click the symbol ed 3 Expand the tree list under the name of your ANG 4 Click on Routing to display the routing parameter tab pages 5 Click on the Interfaces tab to display the configuration for each ANG network interface 60 RiverMaster Administrator s Guide Chapter 3 Routing Configuring an ANG 3000 7000 6 Select the interface Trusted or External from the list under Network Interfaces The protocols already enabled for this interface appear in the Routing Protocols list 7 Doone ofthe following To add a protocol to the trusted interface click Add and continue with the next step To remove a protocol select the protocol from the Routing Protocols list and click Remove Skip to Step 10 8 When the Add an Interface Routing Protocol window appears as shown in Figure 35 select a routing protocol and click Add Ve spi An Inseslece Hite Piese OP A
110. e ANG to advertise the reachability of virtual subnets to other devices on the network Do one of the following Click Apply to save the RIP configuration changes click Cancel to close the window and click Next to continue configuration Click Cancel to close the window without saving your changes Click Reset to the return the interface s protocol configuration to its original setting Configuring OSPF on an Interface To enable OSPF on an interface perform the following steps 1 In the OSPF Interface window shown in Figure 136 Type the OSPF password used by routers on your network in the Authentication Password field OSPF authentication passwords are used by routers to determine if they should accept updated routing information sent from another router If your routers do not authenticate updates leave this field blank A NOTE Passwords are limited to 8 characters or less 238 RiverMaster Administrator s Guide Appendix B Configuring Routing Interfaces ANG 3000 7000 Preconfiguration Stored on a Floppy Disk COP inigriacm Cum gun o Kies hm jip Fes lee ae Pe cene Mote Passed aes inta Dci LI wah RC UN TAE Figure 136 Routing Interfaces Configuration OSPF 2 Type the same password in the Re Type Authentication Password field exactly as you entered it in Step 2 3 Do one of the following Click Apply to save the OSPF parameter changes click Cancel to close the wind
111. e client connection without any visible effect on performance Data Synchronization acquires revised POP ISP policy and other configuration data while Software Synchronization acquires new Prescriber remedies and updated Aurorean Client program files Firewall A combination of hardware and software which limits the exposure of a corporate network to outside attack by enforcing a boundary between the network and the Internet Firewalls normally fall into one of two categories application level or network level often referred to as a packet filter An application level firewall examines traffic at the application level and only passes packets that are sent by approved applications such as FTP E mail or Telnet This type of firewall often readdresses outgoing traffic so that it appears to have originated at the firewall rather than an internal host thereby concealing the address of the internal host A network level firewall examines traffic at the network packet level and filters packets based on the destination and or source address The Aurorean Network Gateway offers Firewall NAT Traversal as a policy option to Aurorean Client users such as contractors visitors and others who are connected temporarily on internal networks 210 RiverMaster Administrator s Guide Appendix A Glossary permitting them to dial out of the network across the firewall to their own corporate network and returning to their computer Aurorean Client uses thi
112. e magnifier icon 186 189 printing 193 selecting date options 190 Server Anomaly 177 setting default intervals 190 supported export formats 195 Tunnel Server 179 using the magnifier icon 191 Retrievalservice 18 Retrieval See Retrieval service Retry field 89 RIP configuring for the interface 62 236 effect on virtual subnets 27 29 general properties 55 route updates 56 232 RIP Authentication fields 62 237 RiverMaster closing the application 8 configuring dual logins 4 7 deleting the RiverMaster folder 10 display settings 1 dual logins 13 files location 3 first time setup 21 22 installing 2 4 installing Microsoft ODBC 3 logging in 13 overview 11 13 removing 9 removing shared files 9 reviewing the README file 4 setting up group notices 152 155 SETUP EXE file 2 Software License Agreement 3 starting the application 4 5 system requirements 1 upgrading 2 upgrading a previous release 2 using the options button 170 RiverMaster Administrator s Guide Index RiverMaster Options button 170 Rivest MD5 message digest 46 224 routers 30 RSA Security 76 rx toc txt file 151 S Save Corporate Password policy 131 Save ISP Passwords policy 131 scripts uploading login scripts 111 116 SDCONF REKC file 90 Secondary DNS field 40 110 Secondary WINS field 41 110 SecurID Authorization 87 90 sdconf rec file 90 Security Dynamics ACE Client 76 Server Anomaly Report 177 services Delivery 8 status 17 setting trace levels 79 Set
113. ecovery Auto LinkRecovery ALR extends the fault isolation and recovery capabilities of the Aurorean Client to include automatic fail over to a backup Aurorean Virtual Network system in the event of a service outage or VPN hardware failure To support ALR a second Aurorean Virtual Network system APS ANG and RiverMaster management application is required The secondary Aurorean Virtual Network system operates in parallel but independently of the primary Aurorean Virtual Network system Each system must be located on the same corporate network but can be physically situated at different sites to support disaster recovery as shown in Figure 17 For more detailed information refer to Viewing Aurorean Alternate Address Information on page 42 RiverMaster Administrator s Guide 35 Before You Begin Chapter 3 Configuring an ANG 3000 7000 Aurorean Client Primary Secondary Aurorean Aurorean System System Aurorean INTERNET Aurorean Network Gateway Network Gateway Trusted network I z FP mE NEM NEM NEM NEED ESO NO DO D DO ND pus LE t ma M F i i HERR B Aurorean Aurorean Policy External Policy Sever _ Authorization Server Primary amp Secondary Server RiverMaster Primary RM session Secondary RM session Figure 17 Auto Link Recovery Architecture If the primary Aurorean Virtual Network system fails or is unreachable due
114. ed Used when exporting a non OSPF route from the ANG s routing table into OSPF as an autonomous system AS Type Indicates which type of autonomous systems Type 1 AS that routes exported from the ANG s routing table become AS Export Specifies how often autonomous system link Once per second Interval advertisements are generated and exported RiverMaster Administrator s Guide 57 Routing Chapter 3 Configuring an ANG 3000 7000 Table4 Fixed OSPF Parameters Parameter Meaning Fixed Value AS Export Specifies how many autonomous systems are 100 Limit generated and exported each time Interface Determines the ANG s priority for becoming 0 the ANG cannot Priority the designated router in the area be the designated router To configure OSPF properties for the ANG perform the following steps 1 Perform the steps in Setting Routing Protocol Parameters on page 55 to access OSPF properties The OSPF Configuration window appears as shown in Figure 33 DIEGCITTO HEN Ae DSPF Area RENE EN NR DEFT Route E LITE OSPF Suiwericah digii Figure 33 OSPF Routing Protocol Configuration 2 Type the area ID shared by the ANG and routers within the subnet in the OSPF Area ID fields 3 Type the IP address for the Trusted interface in the OSPF Router ID fields 58 RiverMaster Administrator s Guide Chapter 3 Routing Configuring an ANG 3000 7000 4 From the OSPF Au
115. een the Aurorean Network Gateway and the remote client packets which did not contain actual user data Sudden spikes usually occur when a connection begins as the Aurorean Network Gateway and remote client negotiate authentication encryption and compression options to use on the connection RiverMaster Administrator s Guide Chapter 7 Viewing Server Activity amp Statistics Viewing Tunnel Activity GRE Generic Routing Encapsulation Table 12 Protocol Statistics Continued Bytes Rcvd Meaning The total number of GRE bytes received by the Aurorean Network Gateway over the tunnel Bytes Sent The total number of GRE bytes sent to the remote client over the tunnel Trends to Look For These values describe the actual payload data without packet headers sent and received over the tunnel Sudden spikes usually occur when a remote client starts to download or upload a large file Compression Comp Bytes In The total number of compressed bytes received by the Aurorean Network Gateway over the tunnel Comp Bytes Out The total number of compressed bytes sent to the remote user over the tunnel Uncomp Bytes In The total number of uncompressed bytes received by the Aurorean Network Gateway over the tunnel Uncomp Bytes Out The total number of uncompressed bytes sent to the remote user over the tunnel The values show the level of activity on the tunnel
116. em Activity on page 157 Using SNMP to Gather Statistics Aurorean Virtual Network software supports two private MIBs as well as standard SNMP MIBs for statistical analysis by any common network management tool The proprietary MIBs etsys aps MIB and etsys ang MIB are stored on the Aurorean System Software CD ROM and are read only 176 RiverMaster Administrator s Guide 8 Generating Reports This chapter describes the contents of the customized reports available from RiverMaster and describes how to download view export and print these reports Report Contents Each initial Preview Aurorean report shows all activity for the selected i period Subsequent drill down displays categorize activity into user specific data for Accounting and Client reports Additionally the Network Gateway Report displays a bar graph The following reports are available O Server Anomaly Report Network Gateway Report Client Anomaly Report Client Report naana Accounting Report Server Anomaly Report This report lists the alarm alert and problem notification messages produced by the Aurorean Policy Server and Aurorean Network Gateway for that period The messages are ordered by server name and then listed according to the time they were received Table 13 lists the column headings and values that appear in a Server Anomaly Report A text area under each message also provides a detailed description of the cause of the condition
117. emote users This kit contains the Aurorean Client application group policies Tollsaver POP phone numbers and destination information O Manage the client synchronization process that automatically updates remote users with policy changes new POP phone numbers additional Prescriber remedies and Aurorean Client application updates each time they connect O Write messages to Aurorean users that they will read when they log in The user group management functions and Aurorean Client installation kit building controls are located on the Manage Users and Groups pullout as shown in Figure 66 RiverMaster Administrator s Guide 119 Before You Begin Click here to add and modify groups Chapter 6 Managing Users amp Groups Click here to open the Manage Users and Groups pullout Click here to add After you create a group assign users and modify individual and a POP package to that group click user accounts here to create a custom Aurorean installation kit for members of that group Figure 66 Manage Users amp Groups Pullout Before You Begin 120 Before performing the steps in this chapter you should familiarize yourself with the following Aurorean Virtual Network concepts O Group policies C Aurorean Client installation kits O Client synchronization of the TollSaver database policy settings Prescriber remedies and Aurorean Client application updates O Group Notices RiverMaster Administrator s
118. enig Running Deier Running Luang View System Activity pullout When service status appears RiverMaster has detected and synchronized with the Aurorean Policy Server Figure 4 RiverMaster Main Interface To learn more about the server status data displayed on the RiverMaster interface refer to Chapter 2 To exit the RiverMaster application at any time click the close X button in the upper right corner of the main interface NOTE If you have used RiverMaster extensively to generate reports and view messages during a period of peak activity the application may require a few moments to close 8 RiverMaster Administrator s Guide Chapter 1 Removing RiverMaster Files Installing RiverMaster Software Removing RiverMaster Files RiverMaster can be uninstalled from your computer using the standard Add Remove Programs tool provided with Windows After RiverMaster files are removed from your computer you should restart the computer to clean up any files that were in use during the uninstall To remove RiverMaster files from your computer perform the following steps 1 On your desktop computer click the Start button point to Settings ELI then click Control Panel Double click on Add Remove Programs to launch the utility E 3 Onthe Install Uninstall tab page select RiverMaster from the list of programs and click Add Remove 4 When the Confirm File Deletion window appears click Yes to confirm
119. ents Enterasys warranty obligations shall be void if the Licensed Software is modified without the written consent of Enterasys RiverMaster Administrator s Guide Appendix C Enterasys Networks License Agreement EXCEPT AS SPECIFICALLY PROVIDED HEREIN THERE ARE NO WARRANTIES EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTY OF MERCHANTABILITY OR ANY IMPLIED WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE Infringement Indemnification Enterasys shall indemnify defend and hold Customer harmless from and against any claims actions or demands alleging that the Licensed Software directly infringes any United States patent trademark or copyright or misappropriates any trade secret right of any third party provided that Customer promptly notifies Enterasys of any such claim allows Enterasys to control the defense and provides reasonable information and assistance to Enterasys at Enterasys expense in the defense of the claim Customer shall permit Enterasys to replace or modify any affected Licensed Software to avoid infringement or to procure for Customer the right to continue to use such Licensed Software If neither of such alternatives is reasonably possible Enterasys may require Customer to return the affected Licensed Software to Enterasys and Enterasys sole liability in regard to such return shall be to refund the purchase price paid by Customer Enterasys shall have no obligation with respect to claims actions
120. eport 6 Ifyou chose Export Data you may keep the default file name or type a new name select the directory and click Save Optionally you can select another file type by clicking the Save as type down arrow RiverMaster Administrator s Guide 191 Downloading Viewing and Exporting Reports Chapter 8 Generating Reports Use the arrows to page Click here to automatically print the report Click here to vary the displayed through the report to your computer s default printer Size of the report Click here to Click here to export the report resetthe display to the aep n a ep e P review gt STESA Fii H windo Click these buttons to toggle between views Hester of Lagar Double click Logged in Tam Der dd onim d ace iiiad A ber Li ranr dbz reum here to view user details biii ol Lag Ting pei tote aT Ei a Logeli Tue 2 kae pis JE aen Lara dae TS ee 2 oen gel birer olapar 14 Logged T does 2E anm m oa id ear LO in 38 cm verd Werke of Legian 1 14 a Logged Toe 0 fee Ot gra H secar rta boo 13 te asm avers Figure 101 Report Viewing Window 192 RiverMaster Administrator s Guide Chapter 8 Downloading Viewing and Exporting Reports Generating Reports Printing Reports To print reports you must have a default printer defined for your computer Click the printer button along the top edge of the report display A Print window appears as shown in Figure 102 set
121. er for this plug in Aurorean users can specify a user name such as Bob RADIUS to authenticate against the RADIUS server instead of the default plug in 84 RiverMaster Administrator s Guide Chapter 4 Adding an Authorization Plug In Setting Up Aurorean Services 5 Optionally specify a value in the Num Threads field This function allows the specified number of users to simultaneously log in without delay The range of threads that can be set is 1 to 100 with a default value set to 10 NOTE Do not set Num Threads to a 0 zero value for a RADIUS plug in This will cause user login problems You may set the value to zero for the Enterasys Authentication plug in 10 To make this plug in the default authorization method place a check next to Default Plug In Click on Radius Plug In In the Server Address field enter the IP address or DNS name of the RADIUS server In the Shared Secret field type the same shared secret password you entered on the RADIUS server For more information on shared secrets refer to the documentation supplied with your RADIUS server Leave the Authentication Port and Accounting Port fields set to their default values These values specify UDP port numbers and match industry standards for RADIUS RiverMaster Administrator s Guide 85 Adding an Authorization Plug In Chapter 4 Setting Up Aurorean Services 86 11 12 13 In the Timeout field enter the nu
122. ernal IP address of the ANG RiverMaster Administrator s Guide 41 Viewing Aurorean Alternate Address Information Chapter 3 Configuring an ANG 3000 7000 NOTE You must configure an IP address on your NAT Server that correlates with the alias IP address you set here 13 Click Apply to save your changes To return the parameters to their original settings without saving your changes click Reset 14 Do one of the following Ifyou are setting up your Aurorean Virtual Network for the first time continue with the next subsection to configure additional ANG network settings Ifyou are finished with the ANG network configuration and you want to put the new network settings into effect no additional work is required Viewing Aurorean Alternate Address Information 3 The Aurorean Alternate Address Info window displays IP addresses of the alternate APS and ANG systems as well as those of the primary system To invoke the display perform the following steps es 1 Open the Configuration pullout i 2 Click the arrow on the Configure toolbar item at the top left edge of the pullout 3 Choose Alt IP Addresses as shown in Figure 22 i The Aurorean Alternate Address Info window appears as shown in Figure 22 4 View the ANG and APS Primary and Secondary if previously configured IP addresses NOTE Primary addresses cannot be modified in this window 42 RiverMaster Administrator s
123. es to APS display synchronization file rx toc txt file Green D data or S software indicates what type of sync is enabled Red D data or S software shows Een te the type of sync Configuration disabled pullout Click here to view the client i A Click here to copy the rx toc txt file to the APS Figure 80 Upload Software Synchronization Files Display 150 RiverMaster Administrator s Guide Chapter 6 Managing Users amp Groups Controlling Client Synchronization x Select the directory where the new software sync files reside by clicking the browser In addition to Software Synchronization files Prescriber remedies and Aurorean Client executables a table of contents file rx toc txt is transferred to the APS This text file lists all the synchronization files contained in the ZIP file and is used during client synchronization to determine if the Aurorean user requires new software files Click Upload to copy the file you chose onto the APS The Software Synchronization files are copied into the C x Program Files Indus River MScripts Java directory on the APS Software Synchronization and rx toc txt files must be located in the same directory for successful uploading During client synchronization Aurorean Client compares its rx toc txt file against the version you uploaded If new software files are available the APS downloads them over the management channel When the Aurorean user start
124. es to their earlier setting pLMMM 3 7 Click the DNS tab The DNS server addresses tab page appears as shown in Figure 19 Click here to open the Configuration i pullout E POP Packages iM ace GF Figure 19 DNS Server Addresses RiverMaster Administrator s Guide 39 General Aurorean Network Gateway Settings Chapter 3 Configuring an ANG 3000 7000 8 Inthe Primary DNS and Secondary DNS fields enter the IP addresses of DNS servers on your network You must identify a primary DNS server the secondary DNS server is optional The primary and secondary labels indicate the search order primary first and then secondary Select DNS servers that can resolve the names of network devices that remote clients must access Ai CAUTION Not specifying a value for both primary and secondary DNS and WINS servers may cause connection problems on networks with Windows NT clients To avoid this possibility enter the IP address used on your primary DNS server in all DNS WINS fields even if you do not have a secondary DNS or primary or secondary WINS server installed on your network 9 Click the WINS tab The tab page for Windows Internet Name Service WINS server addresses appears as shown in Figure 19 Congas Geseral cum WING nas 3 NP ren Bu art PAI TESTATE himii Tunna Proto ral lt d d is 4 j Li Click here to Routing ope
125. ess Window 5 Inthe E Mail Address field type the E mail address of the person you want to receive notification messages 6 Use the check boxes to select the events which will generate E mail and click OK You can select from the following events Alarms notify you when a significant error occurs with a service running on a Aurorean Virtual Network system or a general system Rem that is preventing the system from operating normally Alerts occur when an error count threshold has been crossed and an alarm condition is imminent A Problem Notification typically indicates a remote client connection problem which Aurorean Client s Prescriber feature diagnosed 7 Doone of the following Click Update to save the new address to the mailing list Click Cancel to clear the mailing list information without saving your changes 96 RiverMaster Administrator s Guide Chapter 4 Setting Trace Levels Setting Up Aurorean Services Setting Trace Levels To set the trace level for any of the ten services perform the following steps 9 1 2 Open the Configuration pullout Click on the Activity icon in the lower left corner of the pullout to view the Active Service List Figure 53 shows the Tunnel Management Service window with the full Active Service List displayed Expand the tree list under Active Service List click the symbol Select the service of your choice Click to open the Set the
126. etwork Computing is a trademark of AT amp T Laboratories Cambridge Other trademarks and trade names used in this publication belong to their respective owners Aurorean Virtual Network software includes the following third party components Gate Daemon software 1995 The Regents of the University of Michigan All rights reserved Gate Daemon was originated and developed through release 3 0 by Cornell University and its collaborators A DES implementation written by Eric Young 1995 1997 Eric Young eay cryptsoft com All rights reserved MD4 and MD5 implementation derived from the RSA Data Security Inc MD4 Message Digest Algorithm and MD5 Message Digest Algorithm 1991 2 RSA Data Security Inc Created 1991 All rights reserved ccp c PPP Compression Control Protocol 1994 The Australian National University All rights reserved chap c Cryptographic Handshake Authentication Protocol 1991 Gregory M Christy All rights reserved chap_ms c Microsoft MS CHAP compatible implementation 1995 Eric Rosenquist Strata Software Limited www strataware com All rights reserved fsm c Link IP Control Protocol Finite State Machine 1989 Carnegie Mellon University All rights reserved Routines to compress and uncompress TCP packets for transmission over low speed serial lines 1989 Regents of the University of California All rights reserved Portions of Aurorean Client Software are copyrighted to ICE Engineerin
127. f the user logged into the Aurorean Network Gateway more than once that day the sessions are listed in the order they occurred For each user the report calculates the average connection time and the total amount of time connected as well as totals the byte and packet counts for all sessions RiverMaster Administrator s Guide 183 Report Contents Chapter 8 Generating Reports The report also indicates the ISP that was used for each session or shows Pre existing Connection for non dialed LAN link or cable modem connections In addition to the data described in the following table throughput averages and sums and login session totals and average intervals are reported for each user and ISP This report also offers a drill down view in a subsequent display Table 16 lists the column headings and values that appear in a Client Report Heading TIME IN Table 16 Client Session Report Values Explanation Time the tunnel session started according to the remote client PC s clock in the format Year Month Day Time where Time is shown in military time TIME OUT HOST NAME Time the tunnel session ended according to the remote client PC s clock in the format Year Month Day Time where Time is shown in military time The computer name assigned to the remote client s computer PROTOCOL The security protocol used on the tunnel IPSEC HTTPS for an ANG that negotiated the IPSec and HTTPS protocols PPTP fo
128. fere with regular traffic between the remote user and the network Network Address Translation NAT Described by Whatis com as the translation of an Internet Protocol address used within one network to a different IP address known within another network One network is designated the inside network and the other is the outside Typically a company maps its local inside network addresses to one or more global outside IP addresses and unmaps the global IP addresses on RiverMaster Administrator s Guide 211 Appendix A Glossary incoming packets back into local IP addresses This provides security since each outgoing or incoming request must undergo a translation process that also offers the chance to qualify or authenticate the request or match it with a previous request NAT also conserves the number of global IP addresses that a company uses and permits the use of a single IP address to interface with the world RiverMaster permits the Aurorean Network Gateway to be configured as a NAT server The ANG also offers Firewall NAT Traversal as a policy option to Aurorean Client users such as contractors visitors and others who are connected temporarily on internal networks permitting them to dial out of the network across the firewall to their own network and return to their computer Aurorean Client uses this feature in conjunction with the HyperText Transfer Protocol Secure HTTP S to successfully traverse the NAT server without causing harm t
129. fi dd A Tnssted abesap Figure 32 Adding A Trusted Gateway for RIP 4 Inthe Address field type the address for the router that the ANG will accept updates from and click Add You can later modify this address or delete it using the Modify and Remove buttons 56 RiverMaster Administrator s Guide Chapter 3 Routing Configuring an ANG 3000 7000 5 Repeat Step 3 and Step 4 for each gateway required 6 Doone of the following Click Apply to save your changes Click Cancel to close the window without saving your changes Click Reset to return the RIP parameters to their default settings Setting OSPF Properties Using the RiverMaster you can define the following OSPF parameters O Area ID shared by the routers and the ANG O Router ID that identifies the ANG to other devices in the OSPF area The default value for this address is the IP address assigned to the Trusted interface on the ANG O Authentication algorithm used to accept or reject routing table updates from other routers To route packets for remote clients using OSPF the ANG also uses a set of fixed operating parameters Table 4 lists these fixed OSPF parameters which use common default values and cannot be changed Table 4 Fixed OSPF Parameters Parameter Meaning Fixed Value Preference Determines how OSPF routes compete with routes from other protocols such as RIP in the ANG s routing table The route with the lowest preference value is select
130. file but to create a E Query DIRECTORY to hold all these files Drives By default the base output file in this C directory is named default htm If this directory is accessible via your File Name Website browse this file to view the default htm report Figure 106 Export To Directory Window 7 Enter a Directory Name and click OK to export the file to the default directory shown or search the directory and Drives fields for the desired destination and click OK The Exporting Records window appears as shown in Figure 105 Return to Step 4 to continue 198 RiverMaster Administrator s Guide Chapter 8 Downloading Viewing and Exporting Reports Generating Reports 8 Ifyou chose Character separated values you are prompted to enter characters to separate and delimit the output text Accept the defaults or set new values and click OK The Character Separated Values dialog box appears as shown in Figure 107 The delimiter sets the start or end of a portion of text while the separator visually breaks those portions When finished continue with Step 9 Lharacler 5 epanaker V alaes Figure 107 Character Separated Values Dialog Box 9 Ifyou selected Character Tab or Comma separated values Data Exchange Format or Record Style you are prompted to retain the number and date formats presently in the report The Number and Date Format Dialog box appears as shown in Figure 108 Humber are Cate Format Oisi
131. finition 213 overview 121 synchronization 125 viewing a group s policies 146 POP package 102 103 105 106 107 122 123 124 140 141 creating POP packages 105 107 definition 101 POP Profiles and Properties tab Corporate Dial Up Number fields 115 Corporate ISP Name field 115 Cost Index field 116 Country Code field 115 Modem Type field 116 Performance Index field 116 POP See Point of Presence POP PPP See Point to Point Protocol PPP PPTP See Point to Point Tunneling Protocol PPTP preference OSPF 57 260 Prescriber 183 definition 213 E mail notification 78 how new scripts are downloaded 125 Problem Notification diagnosis 78 uploading new scripts 149 151 Primary DNS field 40 110 Primary WINS field 41 110 printing messages 169 printing reports 193 private keys 126 Problem Notification messages definition 15 78 E mail notification 96 viewing messages 166 public key 78 R RADIUS adding a plug in 83 87 Aurorean VN supported servers 76 general 76 group attribute 86 RC4 48 226 README file 3 regenerating private public key pairs 78 91 92 removing RiverMaster 9 10 reports Accounting Report 187 Client Anomaly 182 Client Report 183 downloading viewing printing or exporting 190 exporting reports in ASCII text 191 exporting reports to a disk file 194 202 exporting reports to a MS Exchange folder RiverMaster Administrator s Guide 203 206 exporting using MAPI 207 208 generating reports 177 189 output of th
132. g Inc and licensed through a GNU public license For more information including access to the source code visit their Web site at www ice com ii RiverMaster Administrator s Guide Table of Contents About This Guide Contents of the Guide 5 etti dave b e A ar itr et etate beet ix Conventions Used in this Guide essere nnne nnne r tenent rn nennen xi Related Documents eoi tete te te teme ce e ra t eu xi Chapter 1 Installing RiverMaster Software iM epilisiTser 1 Hardware ReguifementS senistes ienee REE aeeie EEEE nnne nennen 1 Software Requirements cccceccccccecsesssnssesesescesescscecessesesesnenessseecenesescsnasneseseseeeneseeeenes 2 Installing the Application sse EERE 2 Upgrading a Previous Release 2 Installatiot Steps iiec a tette terri tee entente aiden REEL eret EnEn a ES 2 Starting the Application for the First Time 4 Removing RiverMaster Files sss eene 9 Chapter 2 Getting Started with RiverMaster RiverMaster Overview erdeina E E E entrent 11 Logging into RiverMaster esee ies isseessenstenetos in edsin boton inane boten inen etate tor on benda 13 Checking Server Status beste inasai oka kaseiin dtu eS enese asd bes Hee a eaae 15 Problem Summary amp Users Logged In sss 15 Aurorean Network Gateway Statistics sss 16 Aurorean Policy Server Statistics sss 17 Settin
133. g Up a Aurorean Virtual Network the First Time sss 21 RiverMaster Administrator s Guide iii Table of Contents Chapter 3 Configuring an ANG 3000 7000 Before You Begiti uev erae ettet ir quei ende rd en deo erea irte ie aE 26 Allocating IP IPX Addresses to Remote Clients esses 27 Virtual Subnets for Site to Site and Remote Access Tunnel Servers 30 Intelligent Client Routing soiree tesoriere irises seeker ioeie entente tente ennt 31 NAT nc 33 Site to bite Tunnels aeter terere es een retards rigo 34 Ato Lk Recovery smear d qun died i e edu 35 General Aurorean Network Gateway Settings 37 Viewing Aurorean Alternate Address Information sss 42 Tunnel Protocols te een eter rer tete t it te e fe tbe densecssaiecoesntivtles tossed aha 43 Virtual Subnetting ueneno ente edet SEa EE EKAR ERs Er E ri arraina 50 lib id sterd 50 IPX Virtual Networks inerenti t ertet tite tete tinet tertie t tte sian 52 ROUNE 54 Setting Routing Protocol Parameters ssssssssssseeseereenee 55 Setting RIP Properties ccsccccssovscccesscsvscsccesssescscssssersenesonsesassessnccenseesseedensesnsson coed 55 Setting OSPF Properties nennen 57 Routing Interfaces reet terree reete tios iet act eee ees peek insi EESs EEEE 59 Adding or Removing a Routing Protocol for an Interface
134. ge 203 or Exporting Reports Using MAPT on page 207 for more information 194 RiverMaster Administrator s Guide Chapter 8 Downloading Viewing and Exporting Reports Generating Reports 3 Select a program file Format to export the report in and click OK Refer to the table below to begin If you want this export format Crystal Reports Excel versions 2 1 3 0 4 0 or 5 0 Lotus 1 2 3 all versions Rich Text Format Tab separated text Text Word for Windows All HTML versions Character separated values Data Exchange Format Tab separated values Record Style Comma separated values ODBC versions Account txt ClAnom txt Client txt DBASE Files Fox Pro Files PHD Files 32 bit SvrAnom txt Text Files TnlServr txt ODBC versions Excel Files MS Access 97 Database Paginated Text Excel 5 0 Tabular RiverMaster Administrator s Guide 195 Downloading Viewing and Exporting Reports Chapter 8 Generating Reports 196 If you selected one of the following formats Crystal Reports Excel versions 2 1 3 0 4 0 or 5 0 Lotus 1 2 3 Rich Text Format Tab separated text Text or Word for Windows the Choose Export File appears immediately as shown in Figure 104 Choosing other formats may bring up this window after performing the initial step Choose Export File hE Binpi da E ise 1 di inpia Eg impad E simpzBe impl da E kimpi dr E impide B spic jempl3 du D
135. ge and examining its Attributes and Values as shown in Chapter 5 This message indicates the installation kit was successfully built Figure 76 Kit Complete Message Check the output directory to view the installation kit file You must copy the file to a network file server or high capacity media such as a ZIP disk to distribute the installation kit to your users A NOTE To install the Aurorean Client installation kit refer to the Aurorean Client User s Guide Aurorean Client Quick Reference Card or Aurorean Client Release Notes SSS OOS 144 RiverMaster Administrator s Guide Chapter 6 Controlling Client Synchronization Managing Users amp Groups Controlling Client Synchronization t After you enable client synchronization for a group and distribute Aurorean l Client installation kits to its members you can manage the process of updating these clients in these ways O View a summary of each group s current policies O Build new Aurorean Client core data files that contain policy settings destination Aurorean Network Gateway IP address and other critical access information O Upload new Prescriber remedies and the updated Aurorean Client program to the APS from a Aurorean Software Update Service update CD ROM O Communicate to all Group members via Group Notice These functions are available by opening the Configuration pullout and clicking on the Update tab as shown in Figure 77 Green D data o
136. ght notice s and restricted rights legend contained in or on the original Except as expressly permitted by law without the possibility of contractual waiver Licensee agrees that it will not attempt to reverse engineer reverse compile or reverse assemble the Licensed Software or otherwise seek to gain access to source code for the Licensed Software Licensee shall take all reasonable steps to protect the Licensed Software and documentation from unauthorized copying and use Licensee shall not without the express written consent of Enterasys provide disclose transfer or otherwise make available any Licensed Software or copies thereof to any third party Warranty Enterasys warrants to Licensee that the Licensed Software will when used in the specified operating environment substantially perform in the manner described in its documentation as it exists at the date of delivery for a period of one year from the date of original delivery to the Licensee Enterasys sole obligation under this warranty shall be limited to using reasonable efforts to correct reproducible defects and distribute such corrections as part of the next scheduled maintenance release of the Software Enterasys does not warrant that i operation of any of the Licensed Software will be uninterrupted or error free or ii functions contained in the Licensed Software shall operate in the combination which may be selected for use by Licensee or meet Licensee s requirem
137. gorithm that determines how PPTP packets exchanged between ANGs are encrypted 224 RiverMaster Administrator s Guide Appendix B Configuring Tunnel Protocols ANG 3000 7000 Preconfiguration Stored on a Floppy Disk ARCFOUR is a public domain algorithm designed to work with RC4 DES is a government standard block cipher that uses a 56 bit key Triple DES uses three keys to achieve the equivalent of 112 bit encryption Figure 125 Tunnel Protocol Encryption Settings RiverMaster Administrator s Guide 225 Configuring Tunnel Protocols Appendix B ANG 3000 7000 Preconfiguration Stored on a Floppy Disk Table 19 Encryption Parameters Tunnel Protocol Parameter Explanation Disables encryption on the tunnel because this results in a less secure connection this setting is not recommended ARCFOUR 40 bit Enables a 40 bit key public domain algorithm that is designed to work with Rivest Cipher 4 RC4 a stream based cipher method that supports both 40 bit and 128 bit keys Using RC4 data packets can be encrypted as they are received instead of in blocks ARCFOUR 128 bit Enables a 128 bit key version of ARCFOUR described above DES Enables Data Encryption Standard DES a block cipher method that uses 56 bit keys Using DES data is encrypted in fixed size blocks and packets are padded to become a multiple of the block size Triple DES Enables a version of DES described above that employs a DES encryptio
138. he ANG with the floppy disk at the remote location is simple Perform the following 1 Insert the floppy disk in the Floppy Disk drive 2 Reboot the ANG RiverMaster Administrator s Guide 247 Loading the Floppy Disk Appendix B ANG 3000 7000 Preconfiguration Stored on a Floppy Disk 3 Remove the floppy disk CAUTION _ If you forget to remove the floppy disk the next time the ANG is rebooted any configuration changes you made with the APS will be replaced with the information stored on the disk The ANG is now up and the site to site connection running 248 RiverMaster Administrator s Guide C License Agreement amp Support This appendix describes the terms and conditions that govern the use of RiverMaster software including the warranties and provides contact information for obtaining technical support from Enterasys Networks Enterasys Networks License Agreement PLEASE READ THIS DOCUMENT CAREFULLY BEFORE USING ENTERASYSSOFIWARE BY USING THE SOFTWARE PRODUCT SHIPPED TO YOU BY ENTERASYS OR ITS DISTRIBUTOR LICENSED SOFTWARE YOU ACCEPT THE TERMS OF THIS SOFTWARE LICENSE AGREEMENT IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT DO NOT USE THE SOFTWARE PRODUCT YOU MAY RETURN THIS PRODUCT TO ENTERASYS FOR A FULL REFUND The Licensed Software is licensed not sold to you for use only under the terms of this license which represents the complete agreement and understanding between you an
139. he APS Log Service publishes the session report and stores a problem notification message that can be viewed in the View System Activity pullout as described in Chapter 7 and within Client Anomaly reports as described in Chapter 8 Figure 56 illustrates how the Aurorean Client issues Problem Notifications Corporate Network U am Rn 8 ge bed RAS dial up olicy to report problem Server Network Servers Sabb Aurorean Network Gateway Aurorean Client INTERNET CN RAS Server JL Figure 56 RAS Problem Notification 104 RiverMaster Administrator s Guide Chapter 5 Creating POP Packages Controlling Remote User Dialing amp Access Creating POP Packages To configure a POP package perform the following steps N CAUTION Do not build a POP package while installing or upgrading the APS software the installation will fail 2 Expand the tree list click the symbol under POP Packages The POP Packages display appears similar to the one shown in Figure 57 E 1 Open the Configuration pullout Click here to 4 add Remote Tuer open the Click here to ty best ations Configuration KCMEXPM ipee E dni menu Sf acriturn rip H erm Curparamim Ln TE Figure 57 POP Packages Display RiverMaster Administrator s Guide 105 Creating POP Packages Chapter 5 Controlling Remote User Dialing amp Access 3 Select Make New Package or you may click t
140. he arrow next to the Configure menu item at the top left edge of the pullout and select POP Packages Either option will display a window similar to the one shown in Figure 58 4 Select an ISP in the Available list and transfer it to the Selected field by clicking on the double arrow 5 Doone of the following Click Create to build the new POP Package Click Cancel to close the window without creating the POP Package Type your new POP package name here cao Moe Package E Select ISPs to include isik spa Marre in the POP package PrE F4 Click here to create the POP package Click here to transfer the chosen ISP to es the selected field Saed tha CPS ba be echided n hio POP package Gitar ot Ma UT gs nn Build Staus Figure 58 Create New Package Display 106 RiverMaster Administrator s Guide Chapter 5 Creating POP Packages Controlling Remote User Dialing amp Access A message appears indicating the build may take several hours to complete Also a trace message indicating the build has started displays in the Message Viewer and after some time a trace message indicating the build is complete You may consult the Attribute area for the selected POP package to check build status Even though the creation of POP packages can be lengthy you can go on to other configuration tasks while the build runs 6 When the POP package build is completed a window similar to Figure 59 will display
141. he report display The Export window appears as shown in Figure 103 Click here to choose a file Format Click here to choose a Destination Figure 113 Export Window 2 Select a program file Format that the report will be exported in by clicking the arrow under the Format field You may convert the report to a file in one of the following formats Comma separated values CSV Character separated values Crystal Reports RPT Data Exchange Format DIF Microsoft Excel XLS Hyper Text Markup Language HTML Lotus 1 2 3 WK1 WKS3 WKS Open Database Connectivity ODBC Paginated Text TXT Record Style REC Rich Text Format RTF Tab separated text TTX Tab separated values TSV Text TXT and Word for Windows DOC RiverMaster Administrator s Guide 203 Downloading Viewing and Exporting Reports Chapter 8 Generating Reports 3 Select Exchange Folder in the Destination field and click OK The window that appears will depend on your selected format Go to the Exporting Reports to a Disk File section and find the starting step for the format you selected When you complete the next step or two the Choose Profile window appears as shown in Figure 114 If you have not created a user profile use the Profile Wizard to do so Optionally you may export the report to your mail server using MAPI Refer to Exporting Reports Using MAPT on page 207 Choose Profile Ea Profile Name Microsoft Dutlook New
142. hown 5 Toenable client synchronization for this group begin by selecting Enable Data Synchronization When enabled Data Synchronization automatically provides members of this group with new policy settings TollSaver POP phone numbers and ISPs whenever they connect Refer to Client Synchronization on page 124 for more information 6 Complete client synchronization for this group by clicking Enable Software Synchronization When Software Synchronization is enabled any new Prescriber remedies and Aurorean application executable files are provided 7 Determine how remote users are assigned IP addresses as follows Toassign a fixed IP address to each user in this group select Use Static User IP Addresses When you add a user to this group you must assign that user a unique IP address as described in Adding Users to a Group on page 134 To dynamically allocate IP addresses from a pool of addresses choose a virtual subnet from the Use Virtual Subnet for IP Address Allocation list If this field is blank you have not defined any virtual subnets refer to Chapter 3 for instructions on creating virtual subnets 8 Click the Dial tab and set the group s dialing policies as described in Table 5 and shown in Figure 68 Dial policies affect Aurorean users that dial into ISP POPs using analog modems These policies specify whether those users can change the ISP and POP dialing order modify a POP phone number before the modem dials it
143. hronization a portion of the tunnel is taken over as a management channel between the Aurorean Client computer and the APS The management channel operates in the background of your connection without any visible effect on connection performance The following process occurs each time a Aurorean user establishes a tunnel connection when both Data and Software Synchronization are enabled 1 The APS determines if client synchronization is enabled for a user s group If data or software synchronization is disabled for that group no further action is taken If data or software synchronization is enabled for that group a message appears in the Aurorean Client Prescriber pullout indicating that synchronization has started A portion of the connection is taken over as the management channel and the process continues with the next step RiverMaster Administrator s Guide Chapter 6 Before You Begin Managing Users amp Groups 2 The APS downloads group policy settings El Gamal keys and group notices over the management channel overwriting the existing policies keys and notices on the Aurorean Client computer Policy settings are automatically updated on the Aurorean Client computer regardless of whether or not they changed since Aurorean Client was installed and whether or not Software or Data Synchronization is enabled or disabled 3 With Software Synchronization enabled Aurorean Client requests new Prescriber scripts and a new ve
144. i y y yO 0 enu Girtas IEP sara Corporebi sj Click here to open the Configuration f mu pullout Capote Diakap Humber urs dor na E of Destinator ACHEUEN ji a oor Packieges Daag Frepartian E i icunu 1B ladajn Parfarmaree teeta nef Acres Corporate i Click here to add a POP ep Deporte Click here to add or modify your POP configuration Figure 63 Corporate POP Profiles 114 RiverMaster Administrator s Guide Chapter 5 Adding POPs for Corporate ISPs Controlling Remote User Dialing amp Access 5 From the Corporate ISP Name list choose the ISP that provides the POP or corporate dial up access 6 Click Add 7 Inthe Country Code field click the arrow and scroll down the list to select the country where the POP is located The pull down options appear as shown in Figure 64 below Selectthe ISP here Click here to display Country Code options Ae eA ZAUD NXABIL EZHITH APC EIL ZWEDEMH ZMITZEFLANLD LMT BBG Click here to enable the configuration adem Tram ionin Selectthe EM ESEEUT Country here Figure 64 Country Code Pull down Options 8 Enter the POP s location in the City and State fields The city and state information will appear on the Aurorean Client interface exactly as you typed it 9 Type the POP or corporate phone number in the Corporate Dial Up Number fields You must enter a full ten digit phone number including the are
145. ield and select a group The Group pull down screen appears as shown in Figure 83 g Group Nobce Selectthe Group S thy you want to notify Group iF Adran aon Ig Admin P Expirstinn Date admin Engineering 1 HEREDES Deccupiion The Group Hoite k meen by usar belonging bo the zpecihed geoup when they connect The Mobos ic nol seen beans ee Figure 83 Group Notice Display Fields 6 Click the arrow in the Expiration Date field and set the date for this notice The Expiration Date pull down screen appears as shown in Figure 84 Note that today s date is encircled in red ink for greater legibility By clicking on the year or month additional screens pop up to let you move the interval back or ahead incrementally NOTE Notices expire on the date you set but they remain in the Group Notice text box until removed or a new notice is written 154 RiverMaster Administrator s Guide Chapter 6 Setting Up Group Notices Managing Users amp Groups Select the date you want to notify on Jonmmp DUO Move the year back or ahead by clicking on the year and opening a pop up screen here Move the month back or ahead by clicking on the month lice i U and opening a pop up MIC eee oe es een eee US HOC screen here Click here to apply Appl Apple To Al Fleet your notice to the selected group or all groups Figure 84 Expiration Date Pull Down
146. ient Software users and allow the Aurorean Network Gateway to properly route remote user packets through the corporate network O Select which Internet Service Providers ISPs your remote Aurorean Client Software users can use from the extensive TollSaver database stored on the Aurorean Policy Server O Define user accounts on the Aurorean Policy Server to locally authenticate remote users or install a plug in to authenticate users against an external RADIUS or SecureID server 12 RiverMaster Administrator s Guide Chapter 2 Logging into RiverMaster Getting Started with RiverMaster O Organize users with groups and assign each group policies that govern the features available in Aurorean Client Software O Create customized Aurorean Client Software installation kits to distribute to your remote users that contains the Aurorean Client Software application POP packages group policies and destination IP addresses Logging into RiverMaster When you start the RiverMaster application the RiverMaster Login window appears as shown in Figure 6 if you have configured a connection to one Aurorean Policy Server If you have configured a connection to a second Aurorean Policy Server the Select APS window will appear as shown in Figure 7 Version 3 0 of RiverMaster lets you start two RiverMaster sessions from one Windows NT 2000 computer to separate Aurorean Virtual Network systems This feature is especially useful when running AutoLink
147. ient computer are still current the process continues with the next step If Data Synchronization is disabled no upgrade occurs RiverMaster Administrator s Guide 125 Before You Begin Chapter 6 Managing Users amp Groups 126 5 Aurorean Client requests any remaining core and TollSaver POP files that have changed since Aurorean Client was installed or last synchronized Ifthe files are out of date the APS begins downloading individual core and TollSaver POP files over the management channel When the update is complete the process continues with the next step Tf the files on the Aurorean Client computer are still current the process continues with the next step 6 The APS relinquishes the management channel and a message appears on the Aurorean Client Prescriber pullout informing the remote user that synchronization is complete X NOTE Prescriber files and Aurorean Client executables downloaded during software synchronization are not immediately available to Aurorean Client users Users must disconnect the tunnel reboot the PC and restart the Aurorean Client application to put the update files into effect Files downloaded during data synchronization are available after closing and reopening Aurorean Client The Aurorean user can disconnect the tunnel while client synchronization is in progress without causing an error When the user connects the next time the APS automatically resume
148. ient tries to browse the Internet while tunneled into the corporate network packets bound for any destination within the Internet are sent down the tunnel into the ANG and then back out the network s Internet gateway When Intelligent Client Routing is enabled the ANG exports routes over the tunnel to the client Based on this information the client determines if the destination address can only be reached over the tunnel or can be reached directly on the Internet Figure 14 contrasts how packets that are destined for an Internet server are routed with the Intelligent Client Routing feature enabled or disabled If you allocate a non routable IP address to a remote client from a virtual subnet you may need to enable Intelligent Client Routing to allow the remote client to browse the Internet RiverMaster Administrator s Guide 31 Before You Begin Chapter 3 Configuring an ANG 3000 7000 Packets that are addressed with non routable addresses are typically blocked by firewalls and Internet gateways and will be dropped by any Internet router The only exceptions to this rule are devices such as proxy servers that perform a network address translation NAT to dynamically re address packets as they leave the corporate network If you do not have a NAT device you can enable Intelligent Client Routing so that packets sent from the Aurorean Client computer to an Internet destination are addressed with the computer s own IP address not the non rou
149. igure 25 Select the IPSec Encryption Algorithm that determines how IPSec packets exchanged between the ANG and Aurorean Client remote users are encrypted To set PPTP encryption parameters choose PPTP from the Protocol menu PPTP encryption parameters are shown in Figure 25 Select the Microsoft Point to Point Encryption MPPE algorithm that determines how PPTP packets exchanged between the ANG and Aurorean remote users are encrypted RiverMaster Administrator s Guide Chapter 3 Tunnel Protocols Configuring an ANG 3000 7000 ARCFOUR is a public domain algorithm designed to work with RC4 DES is a government standard block cipher that uses a 56 bit key Triple DES uses three keys to achieve the equivalent of 112 bit encryption Figure 25 Tunnel Protocol Encryption Settings RiverMaster Administrator s Guide 47 Tunnel Protocols Chapter 3 Configuring an ANG 3000 7000 Table3 Encryption Parameters Tunnel Protocol Parameter Explanation Disables encryption on the tunnel because this results in a less secure connection this setting is not recommended ARCFOUR 40 bit Enables a 40 bit key public domain algorithm that is designed to work with Rivest Cipher 4 RC4 a stream based cipher method that supports both 40 bit and 128 bit keys Using RC4 data packets can be encrypted as they are received instead of in blocks ARCFOUR 128 bit Enables a 128 bit key version of ARCFOUR described above DES Enables D
150. igure 45 Enterasys Authentication Plug in Window In the Identifier field type a name that remote users will use to select this plug in Aurorean users can include this identifier as part of their VPN user names to override the default authorization plug in For example if you enter Enterasys as the identifier for this plug in Aurorean users can specify a user name such as Bob Enterasys to ensure that they authenticate against the APS RiverMaster Administrator s Guide Chapter 4 Adding an Authorization Plug In Setting Up Aurorean Services 6 Optionally specify a value in the Num Threads field This function allows the specified number of users to simultaneously log in without delay The range of threads that can be set is 1 to 100 with a default value set to 10 7 If you want to make this plug in the default authorization method check the Default Plug In box 8 Doone of the following Click Update to save your changes Click Cancel to clear the fields without saving the plug in RADIUS Authorization To configure the APS to forward authentication requests to a RADIUS server perform the following steps o 1 Open the Configuration pullout 2 Choose Authorization Plug ins from the Configure pull down box in amp the top left corner of the pullout Or in the list of Aurorean Virtual Network devices expand the tree list under the name of your APS by clicking the symbol expand it again under Auth Service and click
151. ilobytes amassed Click Apply For PPTP no additional work is required Unlike IPSec PPTP does not authenticate individual packets instead PPTP relies on user authentication using MS CHAP After the remote user is authenticated all PPTP packets are allowed access IPSec PPTP Figure 24 Tunnel Protocol Authentication Settings RiverMaster Administrator s Guide 45 Tunnel Protocols Chapter 3 Configuring an ANG 3000 7000 Parameter Table2 IPSec Authentication Parameters Explanation None Disables the Signature Algorithm for IPSec packets individual packets are no longer signed and verified during transmission HMAC SHA Enables hashing message authentication codes HMAC that are generated using the SHA cryptographic hashing function HMAC SHA is generally regarded as stronger more secure cryptographic function than HMAC MD5 HMAC MD5 Enables hashing message authentication codes HMAC that are generated using the Rivest MD5 message digest algorithm hashing function While not as strong cryptographically as HMAC SHA HMAC MD5 provides better performance Time Period Interval after which a new key is generated Data Lifetime volume in kilobytes of the key after which a new key is Transferred generated 8 Click the Encryption tab 9 Doone of the following 46 To set IPSec encryption parameters choose IPSec from the Protocol menu IPSec encryption parameters are shown in F
152. imeout is the interval in seconds before another authorization attempt is made by the APS Retry is the number of authorization attempts you will permit the APS to try 9 Click Create The Specify SecurID configuration file window appears as shown in Figure 48 hs pech Sosa conhgurabian hle Plesce specfy the locaton af the SacurID Type the path of the Pe la ee irr SecurlD configuration diii z Eee file sdconf rec on the ACE Server in Click here to or locate with the download the browse button here sdconf rec file Figure 48 Specify SecurlD Configuration File Window RiverMaster Administrator s Guide 89 Adding an Authorization Plug In Chapter 4 Setting Up Aurorean Services 90 10 Type the path of the SecurlD configuration file SDCONF rec in the ACE Server and click OK or find the file on the network by clicking the browse button to the right of the field If you typed the correct path of the configuration file it is downloaded to its proper site on the APS and the plug in saved If you clicked the browse button an Open window appears prompting you to locate the file When you find and select it click Open and the Specify SecurID configuration file window will reappear Then click OK and the process is complete Optionally you can copy the file off the ACE Server to a floppy disk load the disk in the RiverMaster floppy drive and browse for the file on the a drive NOTE If
153. ing Tunnel Protocols Appendix B ANG 3000 7000 Preconfiguration Stored on a Floppy Disk Table 18 IPsec Authentication Parameters Parameter Explanation None Disables the Signature Algorithm for IPSec packets individual packets are no longer signed and verified during transmission HMAC SHA Enables hashing message authentication codes HMAC that are generated using the SHA cryptographic hashing function HMAC SHA is generally regarded as stronger more secure cryptographic function than HMAC MD5 HMAC MD5 Enables hashing message authentication codes HMAC that are generated using the Rivest MD5 message digest algorithm hashing function While not as strong cryptographically as HMAC SHA HMAC MD5 provides better performance Time Period Interval after which a new key is generated Default value 60 minutes Data Lifetime volume in kilobytes of the key after which a new key is Transferred generated Default value Disabled 4 Click the Encryption tab 5 Doone of the following To set IPSec encryption parameters choose IPSec from the Protocol menu IPSec encryption parameters are shown in Figure 125 Select the IPSec Encryption Algorithm that determines how IPSec packets exchanged between Aurorean Network Gateways are encrypted To set PPTP encryption parameters choose PPTP from the Protocol menu PPTP encryption parameters are shown in Figure 125 Select the Microsoft Point to Point Encryption MPPE al
154. int it must be restarted here EEE m To set IP Address values begin floppy disk configuration with these steps g 1 Under Remote Gateways click Configure Remote Gateway The Remote ANG Configuration screen appears as shown in Figure 122 L ES systems EX tz3 indusriver com General Tunnal Protecals Subnetting Routing 5 EA ried incasrivag com BE Remote Gateways Configure Remate Gateway B Deztnstionz A Wb POF Packages EHRM niE3 RTS3 ISF ap Reports Figure 122 Remote ANG Configuration Window 220 RiverMaster Administrator s Guide Appendix B Configuring Tunnel Protocols ANG 3000 7000 Preconfiguration Stored on a Floppy Disk 2 Enter values in the open fields as follows ANG name A designation for the gateway Domain name A Fully Qualified Domain Name FQDN Verify that the name is fully qualified not already in use within your domain before entering it in this field Domain names should follow the standard practice of period separators for example APS7000 mycompany com Trusted IP Address and Subnet Mask IP addresses and subnet of the ANG s trusted interface Trusted IP Gateway IP address of a gateway server on the trusted side of the network to which the ANG can route traffic External IP Address and Subnet Mask IP address and subnet mask of the ANG s external interface 3 Click Next The Tunnel Protocols window appears with the Genera
155. into the network For instructions on generating a new private public key pair refer to Generating Private Public Keys on page 91 Problem Notification The Notification service that runs on both the Management and Tunnel servers generate messages when the server experiences operational difficulty The events that trigger these messages fall into three categories O Alarms notify you when a significant error occurs with a service running on a Aurorean Virtual Network system or a general system problem that is preventing the server from operating normally O Alerts occur when an error count threshold has been crossed and an alarm condition is imminent O A Problem Notification typically indicates a remote client connection problem which Aurorean Client s Prescriber feature diagnosed These messages appear in the View System Activity pullout and advanced message viewer as described in Chapter 7 and can also be retrieved from system reports as described in Chapter 8 For immediate notification when one of these events occurs the APS can send E mail to one or more persons RiverMaster Administrator s Guide Chapter 4 Before You Begin Setting Up Aurorean Services that you select You must first define a mailing list and then add E mail addresses for each recipient to this list You can select which types of messages alarms alerts or problem notifications will be sent to each address For instructions on creating mailing lists f
156. istrator s Guide Chapter 6 Before You Begin Managing Users amp Groups Aurorean Application p on acsage Core Files un lt 2 Group Policies m 456 889 3435 Eur 787 322 0790 ame 617 311 3118 Archive F ile Figure 67 Contents of a Aurorean Client Installation Kit Once you create a build for one POP package s associated client group the kits you build for other groups can reuse this customized TollSaver database reducing the build time For other groups you need to build only core files that contain group specific information such as policy settings During a build POP packages and core files are generated and stored on the Aurorean Policy Server hard drive These data files are then packaged in a self extracting kit file that also contains the Aurorean Client application The kit file is copied onto your RiverMaster computer into a location of your choosing Once the file exists on your computer you are responsible for distributing the kit file to every group member For instructions on building a Aurorean Client installation kit refer to Creating an Aurorean Client Installation Kit on page 139 RiverMaster Administrator s Guide 123 Before You Begin Chapter 6 Managing Users amp Groups 124 Client Synchronization The Aurorean Client installation kit provides your remote users with all the information they need to tunnel into your network for the firs
157. ivity Highlighted message Wu Ti TiTenneT race diei see a pullout ag i nr TTenivelTraos iip ee qoin here 5 detailed n D ril 1999 hiik Wia TUMMEL TiTsrraitrars VAAL ea 10 24 71 description area ID 21 1939 Lote WA TUMMEL T TsrnalTrazE WAZA 10 28 31 below Bo WILP 12 28 25 WA TUMMEL TiTannalTracu LILLE 10 28 31 x See message text Fasten tein n a amp l here Pecurwad at 10 21 1998 in 38 25 From TUNNEL Indus Fiver ATS Tunnel Mpeg age Tart ec GARS 14 Send Cunrack ica addr 209 5 113 800 axis riaa PT M Figure 43 Trace Messages Display If you read the text for each Tunnel Trace message above you can follow the chain of protocol messages which signify the communications that occur on a packet level when a client successfully makes a connection Then if a client connection subsequently fails you could compare messages and troubleshoot the problem For instructions on setting trace levels refer to Setting Trace Levels on page 97 Adding an Authorization Plug In 80 Qu The Enterasys Authentication plug in is factory installed by Enterasys Networks and made the default plug in This plug in is used when you log into the RiverMaster application to ensure that you have administration privileges To support SecurID and RADIUS authentication you must add one or more SecurID or RADIUS plug ins RiverMaster Administrator s Guide Chapter 4 Adding an Authorization Plug In Setting Up Aurorean Services
158. ized sequentially by the following categories O Adding Remote Gateways Configuring ANG IP Address Configuring Tunnel Protocols Configuring Virtual Subnets Configuring Routing Protocols Configuring Routing Interfaces goOoagaaaqada Configuring Remote Connections O Loading the Floppy Disk Refer to Chapter 3 in the RiverMaster Administrator s Guide for more detailed information about the concepts underlying ANG configuration RiverMaster Administrator s Guide 217 Adding Remote Gateways Appendix B ANG 3000 7000 Preconfiguration Stored on a Floppy Disk Adding Remote Gateways This section describes how to add a Remote ANG including its Name IP Address User Name and Password and tunnel Protocol To add a Remote ANG perform the following steps 1 Open the Configuration pullout 2 m In the list of Aurorean devices expand the tree list under Systems click the symbol and again under Remote Gateways as shown in Figure 120 Remote Gakbonays Folder RME3 RTE3 FH ts jnidugrver com FH ed indusriver cam Remote Gateways dd Remobe Gebewarpi Add Rarnabe Tunnel Configure Remote Gateway H Destinations H POP Packages H RASI ATSA ISP Figure 120 Add Remote Gateway 3 Click Add Remote Gateway The Add Remote ANG window appears as shown in Figure 121 218 RiverMaster Administrator s Guide Appendix B ANG 3000 7000 Preconfiguration Stored on a Floppy Disk Adding Remote Gateways
159. l in the open fields as you would any mail message and click Send The export is now complete 208 RiverMaster Administrator s Guide A Glossary Aurorean Client Software Enterasys Networks client software that runs on a Windows 95 98 NT computer that allows a remote user to create a secure tunneling connection to a corporate network This application features the TollSaver database that automatically presents a list of ISP POP s to allow the user to select the lowest cost connection and the Prescriptive Diagnostics Engine that automatically diagnoses connection problems and either corrects the problem itself or directs the remote user on how to solve the problem Aurorean Network Gateway An Enterasys Networks device that creates a secure virtual private circuit over the Internet between itself and a remote user s computer The Aurorean Network Gateway encapsulates data packets using PPTP and encrypts data to prevent third parties from intercepting and examining it A Aurorean Network Gateway receive its configuration settings from a Aurorean Policy Server and passes login information to the Aurorean Policy Server when a remote user attempts to authenticate a tunnel connection Aurorean Policy Server An Enterasys Networks device that manages Aurorean Network Gateways Network administrators configure Aurorean Policy Servers from a RiverMaster computer The network administrator can create a remote user database on the Aurorean Policy
160. l tab selected as shown in Figure 123 Configuring Tunnel Protocols This section describes how to configure the ANG s two supported tunnel protocols O Point to Point Tunneling Protocol PPTP developed by Microsoft 3Com and others that uses Point to Point PPP protocol and Generic Routing Encapsulation GRE to route packets through the Internet O IP Security IPSec protocol developed by the Internet Engineering Task Force IETF that adds security extensions for encryption and message authentication to IP protocol RiverMaster Administrator s Guide 221 Configuring Tunnel Protocols Appendix B ANG 3000 7000 Preconfiguration Stored on a Floppy Disk For each tunnel protocol you can configure authentication encryption and compression parameters To set tunnel protocol parameters continue floppy disk configuration with the following steps lacere Authentication Encryprion Compression RMZ3 RTZ3 Bs Tyabb ta indusrivar cum Fiemobs AHG Tunnel Protocols o Gutemay test best com Mes driver com Remabe Gateways Configure Remate Gateviay Destinations POP Packages RME3 RTZ3 ISP ey Reports Supparbrd Tunnal Protocols DPEso Ada Barioa Figure 123 General Tab of Tunnel Protocols Window 1 If you want to prevent the Remote Gateway from using one of the tunnel protocols select the protocol and click Remove By default PPTP and IPSec are both enabled You normally control protoco
161. l usage on a per group basis by selecting the protocol when you assign group policies refer to Chapter 6 of the RiverMaster Administrator s Guide for instructions If you want to globally disable a protocol you can remove it from this list If you have removed a protocol and want to reinstall it click Add once and when the highlighted tunnel protocol pops up click Add again You are not required to click Apply 222 RiverMaster Administrator s Guide Appendix B Configuring Tunnel Protocols ANG 3000 7000 Preconfiguration Stored on a Floppy Disk 2 Click on the Authentication tab Figure 124 shows the authentication parameters available for each tunnel protocol 3 Do one of the following Choose IPSec from the Protocol pull down menu Use the information in Table 18 to select the IPSec Signature Algorithm that determines how IPSec packets exchanged between the ANG and Aurorean users are signed and verified Use Table 18 to select the Time Period and Data Transferred values which set how long the key lifetime should last in terms of time elapsed or kilobytes amassed Click Apply For PPIP no additional work is required Unlike IPSec PPTP does not authenticate individual packets instead PPTP relies on user authentication using MS CHAP After the remote user is authenticated all PPTP packets are allowed access PPTP Figure 124 Tunnel Protocol Authentication Window RiverMaster Administrator s Guide 223 Configur
162. led MMolordUpOK Admin Alarm Overlord service now running after the server rebooted MNGenericProblem Msg Admin Problem Notification Generic problem notification message TEXT MNntfyConfigRtrvFailed Admin Problem Notification Notification service Could not retrieve configuration information MNntfyMsgNotSent Admin Problem Notification Notification service Notify message not transmitted MNntfyNoSMTPsvrs Admin Problem Notification Notification service No SMTP server configured MYGenericTraceMsg 162 o o o o g a g g amp Admin Activity Trace Generic activity trace message TEXT RiverMaster Administrator s Guide Chapter 7 Viewing Server Activity amp Statistics Message ID RYretReqDoneOKMsg Message Type Retrieval Service Activity Trace Monitoring System Activity Table 10 System Activity Messages Continued Detailed Description Statistics derived from completing request TBUserLoggedIn Tunnel Accounting amp Billing E wv User DOMAIN USERNAME logged in TBUserLoggedOut Tunnel Accounting amp Billing User DOMAIN USERNAME logged out TNDisconnect Tunnel Problem Notification Tunnel disconnected TNAuthFailure Tunnel Problem Notification Authorization Failed for User NAME TNTunnelProblem Tunnel Problem Notification PROBLEM MESSAGE Call ID TUNNEL ID TNTunnelStop Tunnel
163. lems occur Provides the mechanism for transferring files between Aurorean Virtual Network servers and RiverMaster FTP also allows Aurorean Client Software computers to synchronize group policy settings TollSaver POP phone numbers Prescriber remedies and Aurorean Client Software application executables Aurorean Client Software users can connect but cannot perform client synchronization RiverMaster cannot download reports from the Aurorean Policy Server RiverMaster cannot complete database transactions and queries Access Supports the exchange of database information stored on the Aurorean Policy Server to other Aurorean Virtual Network components such as TollSaver data logs and server configuration files RiverMaster Administrator s Guide The Aurorean Policy Server cannot accept any configuration changes from the RiverMaster application and remote users are unable to authenticate and establish a tunnel connection with the Aurorean Network Gateway The Aurorean Policy Server automatically reboots approximately 3 minutes after this service stops 19 Checking Server Status Chapter 2 Getting Started with RiverMaster Service Table 1 Aurorean Policy Server Services Function Maintains a running record of system events and messages received by each Aurorean Virtual Network component The RiverMaster application displays these logs and extracts information from them to produce daily reports
164. licies 129 symbols disallowed in fields 128 H hard disk usage 17 20 hardware requirements for RiverMaster 1 HMAC MD5 46 224 HMAC SHA 46 224 identifier 77 82 84 89 257 Index Install Kit Options 141 installation kits See Aurorean Client Software installation kits Intelligent Client Routing description 32 enabling 39 interface priority OSPF 58 interfaces External 59 61 234 235 Trusted 59 61 234 235 international dial up 132 Internet Engineering Task Force IETF 43 221 Internet Service Provider ISP 102 211 IP Address field 110 IP addresses allocating to remote clients 129 assigning to users 135 changing addresses for the Aurorean Network Gateway 38 147 non routable 28 31 IP Security IPSec authentication parameters 45 223 description 43 221 Encryption Algorithm 46 224 encryption parameters 46 224 removing 44 Signature Algorithm 45 223 IPX 113 133 213 IPX network number 52 53 IPX Tunnel policy 133 IPX virtual networks 52 IRAdmin group 127 IRXfiles 149 ISP 800 phone number 109 ISP and POP selection policy 130 ISP local support phone number 109 ISP mailing address fields 109 ISP passwords 131 ISP Profiles tab Address and Zip Code fields 109 Backbone field 109 Country field 109 Customer Support fields 109 E mailfield 109 ISP Web site 109 Name field 109 Phone number field 109 Toll Phone number field 109 ISP Properties tab Cost Index field 111 Default Gateway field 110 Direct and Tun
165. mber of seconds the APS should wait before resending an authentication request If the RADIUS server fails to respond to an authentication request within the time specified the APS automatically resends the request Depending upon the type of RADIUS server you use set this field as follows Server Type Recommended Value Steel Belted RADIUS 10 seconds MS RADIUS 10 seconds SecurlD over RADIUS 30 seconds In the Retry field enter the number of times the APS should resend an authentication request For example when this field is set to 2 the APS resends an authentication request twice before declaring the RADIUS server unreachable Depending upon the type of RADIUS server you use set this field as follows Server Type Recommended Value Steel Belted RADIUS 3 retries MS RADIUS 3 retries SecurlD over RADIUS If you were unable to create an Enterasys group on your RADIUS Server and need to reuse an existing group attribute enter the attribute number in the Group Attrib field Authentication messages passed between the APS and the RADIUS server must carry a group attribute If the RADIUS server management application prevented you from creating an Enterasys group attribute you can take over a pre defined attribute and use it for VPN authentication For example the standard attribute Login LAT Group can be used by entering its number 36 in this field For a complete list of attribute numbers refer to the
166. ministrator s Guide About This Guide Conventions Used in this Guide The following conventions are used in this guide v NOTE Ares Italics SMALL CAPS Courier font Related Documents Notes supply additional helpful information point you to where you can find more information or emphasize critical issues you should consider when performing an action Cautions contain directions that can prevent you from damaging the product or losing data Warnings provide directions that you must follow to avoid harming yourself Text in boldface indicates values you e using the keyboard for example a Nsetup Default settings may also appear in bold Text in italics indicates a variable important new term or the title of a manual Text in small caps specifies keys to press on the keyboard a plus sign 4 between keys indicates that you must press the keys simultaneously for example CTRL ALT DEL Text in this font denotes a file name or directory The following publications are also supplied with Aurorean VN systems O RiverMaster Quick Reference Card that contains shortcuts and tips for installing and using the RiverMaster application O Quick Setup cards that highlight the basic steps required to install either a Aurorean Policy Server or Aurorean Network Gateway CJ Aurorean Installation amp Service Guide describes how to mount connect ower up and maintain an Aurorean Policy Server and Aurorean et
167. mmunicates with Aurorean Policy Servers and Aurorean Network Gateways Using RiverMaster a network administrator creates user databases sets policies for user groups views activity logs and generates usage reports Devices which direct network traffic among LANs or WANs until the data reaches its destination To do this routers communicate with one another using dedicated protocols such as IGRP Interior Gateway Routing Protocol and BGP Border Gateway Protocol to transfer information on network addressing status and configuration Described by Microsoft as an executable entity that belongs to a single process a thread in Aurorean Client is a login process In RiverMaster you can increase the number of threads to permit more authentications by users attempting to connect simultaneously The IR Authentication service is the only multi threaded process that can be configured as such in Aurorean Client RiverMaster Administrator s Guide Appendix A Glossary TollSaver Database A feature of Enterasys Networks products that provides remote users with a list of ISPs phone numbers of available POPs and connection rates The master TollSaver database is maintained on the Aurorean Policy Server and downloaded to the Aurorean Client over the management channel portion of the tunnel connection Tunneling Technology that lets a network transport protocol carry information for other protocols within its own packets For example by enca
168. mputer and click Finish When the reboot completes RiverMaster is installed and ready to manage your Aurorean Virtual Network X NOTE If RiverMaster is running while you upgrade your Aurorean Policy Server software RiverMaster may become confused To avoid this situation exit RiverMaster at the beginning the APS installation or exit and restart RiverMaster after the process has completed Starting the Application for the First Time When you start the RiverMaster application for the first time you are asked for the following information O The IP address es you assigned to the Aurorean Policy Server s during its installation O The Aurorean VPN you assigned to your servers when they were installed CJ A user name and password to log into RiverMaster the defaults are user netadmin and password netadmin NOTE RiverMaster lets you invoke two RiverMaster sessions from one Windows NT 2000 computer to a primary and secondary Aurorean system This feature is especially useful when running AutoLink Recovery ALR which employs automatic fail over to a backup Aurorean Virtual Network system If you wish to invoke two RiverMaster sessions you will be required to enter two IP addresses 4 RiverMaster Administrator s Guide Chapter 1 Installing the Application Installing RiverMaster Software To start RiverMaster perform the following steps c RiverMaster RiverM
169. n I Sama mumbo formats arin repo _OK Same date lormats as in iep Cancel Figure 108 Number and Date Format Dialog Box 10 Checkmark the applicable boxes if you want to keep either of these formats or leave them blank and click OK The Choose Export File window appears as shown in Figure 104 Return to Step 4 to continue RiverMaster Administrator s Guide 199 Downloading Viewing and Exporting Reports Chapter 8 Generating Reports 11 If you selected the following versions of ODBC Account txt ClAnom txt Client txt DBASE Files Fox Pro Files PHD Files 32 bit SvrAnom txt Text Files or TnlServr txt you are prompted to enter a name for the ODBC table The Enter ODBC Table Name dialog box appears as shown in Figure 109 Ember OBI Fable Mame Figure 109 Enter ODBC Table Name Dialog Box 12 Type a name for the ODBC table in the field provided and click OK The Exporting Records window appears as shown in Figure 105 Return to Step 4 to continue 200 RiverMaster Administrator s Guide Chapter 8 Downloading Viewing and Exporting Reports Generating Reports Pa EDI EULE EMI og E DI EDI EI Et I SOOT ER OO SIR GI EIST 13 If you selected the Excel Files or MS Access 97 Database versions of ODBC you are prompted to select a database name and location for the XLS file Excel or MDB file MS Access The Select Workbook Window Excel appears as shown in Figure 110 The Select Database window MS Access
170. n Kit A To build a Aurorean Client installation kit for a group perform the following steps NOTE While the installation kit is built client synchronization is disabled for that group You must manually re enable Data Synchronization after the build is complete in order for group members to receive TollSaver database or policy updates or re enable Software Synchronization to disburse new Prescriber scripts and an updated Aurorean application iz 1 Open the Manage Users and Groups pullout A sample Group view is shown in Figure 73 Select the group from here LL owe 0 cee s nans ulia Senchron ralion s maam Click here to Click here to TM open the Manage start building o e a Met meu Users and the kit F E En arcte cie non Groups pullout m E dise its Bina a Fears Airain a rect achage Click here to MS associate a Ad POP package With a kit Figure 73 Starting the Kit Building Process 2 Inthe Current Groups list select the group for which you are creating the installation kit If you will be selecting a different POP Package than is displayed in the field next to the Build Custom Installation Kit button click Modify otherwise go to Step 3 RiverMaster Administrator s Guide 139 Creating an Aurorean Client Installation Kit Chapter 6 Managing Users amp Groups 3 In the field next to the Build Custom Installation kit button click the browse arrow and choose a
171. n Network Gateway Click here to view detailed statistics for individual tunnels refer to Chapter 7 for details Memory usage M Hard disk usage Figure 9 Aurorean Network Gateway Statistics The memory and hard disk usage meters show how much system resources are being consumed supporting tunnel connections You can use these values for capacity planning to determine when the number of concurrent tunnels is approaching the server s limit Aurorean Policy Server Statistics As shown in Figure 10 RiverMaster displays the current status of services running on the Aurorean Policy Server Normally all services should appear as Running If one or more services appears as Stopped then the Aurorean Policy Server may not function correctly Table 1 briefly defines each service and describes what occurs when the service is stopped RiverMaster Administrator s Guide 17 Checking Server Status Chapter 2 Getting Started with RiverMaster Service Overlord Status of services running or stopped on the Aurorean Policy APS Statistics Senice Server Notification Running Overlord Running eireeval Running n m Memory usage p Hard disk usage Figure 10 Aurorean Network Gateway Statistics Table 1 Aurorean Policy Server Services Function Monitors the condition of all other Aurorean services and restarts a service if it fails to initialize properly or ceases to operate at any point Overlord m
172. n Subnetting to display IP and IPX subnet tab pages 5 Click the IP Subnets tab if it is not already displayed A sample IP subnet window is shown in Figure 27 50 RiverMaster Administrator s Guide Chapter 3 Virtual Subnetting Configuring an ANG 3000 7000 Click here to open the Configuration Click here to pullout access the Gateway configuration windows Figure 27 IP Subnet Configuration for Remote Clients A NOTE Click Remove to delete any configured virtual subnets 3 6 Click Add The Add An IP Virtual Subnet window appears as seen in Figure 28 Figure 28 Adding An IP Virtual Subnet RiverMaster Administrator s Guide 51 Virtual Subnetting Chapter 3 Configuring an ANG 3000 7000 7 Enter the starting address of the subnet in the Address fields You can use actual IP addresses from your network or non routable IP address ranges such as 192 168 x x for a Class C network 8 Enter a subnet mask to define the subnet range in the Mask field 9 Doone ofthe following Click Add to add the new virtual subnet Click Cancel to close the window without saving your changes 10 Repeat Step 6 through Step 9 for each virtual subnet you require 11 Click Apply to save your changes To return the parameters to their original settings without saving your changes click Reset 12 Do one of the following Ifyou are setting up your Aurorean Virtual Network for the first time continue with the next subsec
173. n reports If you select this type you must enter a Aurorean user s name in the Username field Authentication These messages provide a detailed trace of challenge and response activity during the authentication process If you select this type you must enter a Aurorean user s name in the Username field Accounting 166 These messages track the login and logout activity of individual Aurorean users including statistical data reported by the Aurorean application and other connection statistics such as the ISP name POP phone number and connection speed If you select this type you must enter a Aurorean user s name in the Username field RiverMaster Administrator s Guide Chapter 7 Monitoring System Activity Viewing Server Activity amp Statistics 5 Choose the server that you want to monitor from the Servers list This option allows you to select either the APS or ANG and only applies when you are viewing Problem Notification Alarm or Alert messages If you are viewing the other message types this field defaults to None The None selection sets no filtering of messages allowing all server activity to display 6 Toview messages that originated from a specific user enter the Aurorean Client s VPN user name in the Username field This option only applies when you are viewing Activity Trace Authentication or Accounting messages The other message types relate to Aurorean Virtual Network system activity only
174. n the T v MT Re eT COIT fecon Gary wisi d Configuration Fas etn ied pullout tT Derin adiri i PGP Fika git IAP IEE fused ip tarot Finanp congre fis Primary arci Sapanda miM geresrr so be used be Piht ipee Rerum necs Figure 20 WINS Server Addresses 40 RiverMaster Administrator s Guide Chapter 3 General Aurorean Network Gateway Settings Configuring an ANG 3000 7000 10 In the Primary WINS and Secondary WINS fields enter the IP addresses of WINS servers on your network If your remote clients use standard Microsoft Dial Up Networking DUN on the corporate network you must complete these fields to enable browsing and communication with other devices in the Network Neighborhood 11 Click the NAT tab The tab page for the Network Address Translation NAT server address appears as shown in Figure 21 neun Gee Dus os MAT 1 H iN TEST B ma zi a re EST ATi prs Tunnel Prosa ends WAT E E I Tubremng Rearing Ses niuma com IT Mee Gate e Derhzah ore r POP Pooch ades t KWCHEEWBH IGE Desmrquon dig tapos Fiume arigua Hos eer Sanden adiran Par thes tunnel garvar Click here to open the Configuration pullout Figure 21 NAT Server Address 12 In the NAT field enter the IP Address of the NAT server on your network The IP address you enter here is the address that Aurorean users will receive in the installation kit as their destination address the alias ext
175. n with one key a decryption with a second key and then another encryption with a third key The result is equivalent to DES with a 112 bit key MPPE 40 bit Enables 40 bit key Microsoft Point to Point Encryption MPPE which generates a key based on a hash of the user s password and invokes RC4 encryption MPPE 128 bit Enables 128 bit key MPPE on the tunnel 6 Click the Compression tab The Compression properties screen appears as shown in Figure 126 226 RiverMaster Administrator s Guide Appendix B Configuring Tunnel Protocols ANG 3000 7000 Preconfiguration Stored on a Floppy Disk 7 Enable or disable MPPC as required For both IPSec and PPTP protocols Microsoft Point to Point Compression MPPC is currently the only compression technique which you can select via this utility on the ANG Stac LZS is available using the Command Line Interface By default MPPC compression is enabled for both protocols X NOTE Compression settings are applied automatically to both tunnel protocols That is disabling compression on IPSec also disables compression on PPTP l araral kakantzascn brow Enmgimrsian ioe Farid iz Pori oor Tedprs PUPS Teer heel wiete i ol psa AO shui ro cesia nob BPA correc boned coniniehin on a mrdipcd by porti bmi tix ebur enam d ret Figure 126 Tunnel Protocol Compression Settings 8 Click Next to save your changes The Subnet Configuration window
176. nce by showing byte packet traffic over all tunnels connected to the Aurorean Network Gateway Separate performance statistics are shown for tunnels using GRE PPTP and IPSec protocols These statistics are reported for each 1 hour period Table 14 lists the column headings and values that appear in the Network Gateway Report RiverMaster Administrator s Guide 179 Report Contents Chapter 8 Generating Reports Heading Max Tunnels Table 14 Network Gateway Report Values Explanation Total number of remote clients that connected during the one hour period Bytes IN Bytes OUT Number of bytes received over all tunnels by the Aurorean Network Gateway during the one hour period Bytes are shown in terms of total counts in 1000 byte increments and bytes per second throughput Number of bytes transmitted over all tunnels from the Aurorean Network Gateway during the one hour period Bytes are shown in terms of total counts in 1000 byte increments and bytes per second throughput Packets IN Number of packets received over all tunnels by the Aurorean Network Gateway during the one hour period Packets are shown in terms of total counts and packets per second throughput Packets OUT Total number of packets transmitted over all tunnels from the Aurorean Network Gateway during the one hour period Packets are shown in terms of total counts and packets per second throughput The first page of the Ne
177. nd enter a value in the adjacent field Figure 40 Add Remote Server Window 5 Choose a name for the server in the Remote Server Name window 6 Click either IP Address or FQDN Fully Qualified Domain Name If you choose IP Address enter an IP address in the fields provided If you choose FQDN enter a value in the single field The FODN is the name of the Remote Server as well as its domain For example serverl argus com 7 Type a User Name and User Password and confirm the password in the fields provided This User Name and Password must later be registered in the authentication database of the Remote terminating ANG by adding the user to a group Refer to Chapter 6 for more information RiverMaster Administrator s Guide 69 Adding a Remote Server Chapter 3 Configuring an ANG 3000 7000 8 Choose the tunneling protocol IPSec or PPTP 9 Click Add This action adds the remote ANG to the configuration on your Local ANG A message will display stating you have successfully added the remote server 5 10 Click Add Remote Tunnel or select the Remote Server just added and click Add Tunnel The Add Remote Tunnel window appears as shown in Figure 41 Type the name of the Remote Tunnel here ELIT Click here to add m k the tunnel ee irl rer pidan Ba aj frstes aciveccep com x Choose the Remote Gateway name from this pull down list Figure 41 Add Remote Tunnel Window 11 Choose a name for the Remote Tu
178. ndisrivar cor Bg rii 3 anders river cam Remate Gabrways Configure Remote Gateway Destinations ER POP Packages RME3 RTE3 ISF Ri Reports Figure 141 Remote Connection Configuration Window 9 Doone ofthe following Add another Remote Connection Click Finish The Save Configuration window appears as shown in Figure 142 246 RiverMaster Administrator s Guide Appendix B Loading the Floppy Disk ANG 3000 7000 Preconfiguration Stored on a Floppy Disk Select a path bo rave the config ha File bo Tl a DFT583 Inn aimp ci lm nFiEAS mp m DFO imp emp de la nF3 D2imp wj DRE me junk la DF3eF5imp a DFAETI imp Dj veson jaj OFA m nip PST MP n OF BS mp Heampa d zip EJ Feom BE ooo Fes as yper Gorigcaation fie 1conbg i Cancel Figure 142 Save Configuration Window 10 Select a directory either on your computer the A drive or another site on the network and click Save to store the configuration NOTE When saving configuration information you cannot change its default name config irx You may choose a different drive or directory but not a file name Although you can enter a different file name and receive a message indicating RiverMaster successfully wrote the file it will always be saved as config irx This concludes floppy disk configuration on RiverMaster Continue with the next section Loading the Floppy Disk Configuring t
179. nel access methods 111 Frame Protocols options 113 IP Address field 110 Login Script field 111 116 Network Protocols options 113 Performance Index field 111 Primary DNS field 110 Primary WINS field 110 Secondary DNS field 110 Secondary WINS field 110 ISP Web site URL 109 ISP See Internet Service Provider ISP K keys for encryption 48 226 kits See Aurorean Client Software installation kits L license agreement 249 log files 20 Log service 20 Log See Log service logging into RiverMaster 7 13 Login Script field 111 116 RiverMaster Administrator s Guide M magnifier icon 186 189 191 mailing lists adding addresses 95 96 creating 93 94 Manage Users and Groups pullout 134 management channel description 124 211 dropped by Aurorean Policy Server 126 supporting TollSaver download 215 management database 98 111 116 description 98 management station 11 management workstation 212 Manual Dialing policy 130 MAPI 194 207 Mask field 52 229 MD4 87 memory usage 17 20 message viewer advanced 164 169 Advanced Message Viewer button 164 current messages 157 161 Enable Preview Pane icon 169 icons 169 Message Type check boxes 166 messages from previous days 164 169 Printicon 169 Save Messages As icon 169 Search Messages icon 169 selecting message types 158 Serverslist 167 Time Criteria fields 165 Username field 167 Microsoft Dial Up Networking 41 ODBC 3 RADIUS 76 86 service packs 2 Windows NT 4 0 Workstati
180. nfiguration ORY pullout Click here to select Notifications etd Rave Tyre E gz ene X A Cickhereto F bee mecha gee add a new m r T ape Ui scere 122 HE mailing list H iiy apri Figure 50 Notification Service Mailing List Window RiverMaster Administrator s Guide 93 Using the Notification Service to Send E Mail Chapter 4 Setting Up Aurorean Services 94 Click Add the Add button to the right of Mailing Lists In the Name field type a descriptive name for this mailing list In the From Address field enter the E mail address that will appear as the originator for E mails sent to members of this list Instead of using your E mail address or the address of another person you can create a new address for the APS such as AuroreanQ A cme com In the SMTP Server field enter the name of the SMTP server on your network Simple Mail Transfer Protocol SMTP servers typically follow the naming convention SMTP Company com where Company is the company name used throughout your network To make the new list the default mailing list place a check next to Default List Do one of the following Click Commit to save the new mailing list Click Cancel to clear the mailing list information without saving your changes NOTE When you modify Notification service settings you must restart the APS to put the changes into effect RiverMaster Administrator s Guid
181. ng Click Update to put your changes into effect Click Cancel to return the user or group information to its original state The modified information is immediately saved on the APS NOTE Any changes made to Group Policies are conveyed to users automatically through Client Synchronization regardless of whether Data or Software Synchronization are enabled or not RiverMaster Administrator s Guide 137 Creating a New Group Chapter 6 Managing Users amp Groups Removing Users amp Groups il CAUTION Do not remove the Admin group from the APS database To log into RiverMaster you must enter the user name and password of a member of that group If you remove the group you will be unable to use RiverMaster in the future To remove a user or group from the APS perform the following steps i 1 Open the Manage Users and Groups pullout 2 Click on the appropriate icon in the lower left corner of the pullout to select the Group or User view 3 Select the user or group name from the list of Current Users or Current Groups 4 Click Remove 5 When a confirmation window appears do one of the following Click OK to immediately remove the group from the APS database Click Cancel to leave the group intact on the APS 138 RiverMaster Administrator s Guide Chapter 6 Creating an Aurorean Client Installation Kit Managing Users amp Groups Creating an Aurorean Client Installatio
182. nito Phin braw Aae Figure 35 Adding a Routing Protocol NOTE For the External interface Pis can only add or remove static routing Because the External interface is optimized for tunnel protocols only you cannot use RIP or OSPF on this interface 9 Doone of the following Ifyou are adding RIP to the interface perform the steps in Configuring RIP for the Interface on page 62 Ifyouare Seine OSPF to the interface perform the steps in Configuring OSPF on an Interface on page 64 Ifyou are adding a static route to the interface perform the steps in Creating Static Routes on page 65 10 Do one of the following Click Apply to save the routing protocol configuration changes Click Reset to the return the interface s protocol configuration to its original setting RiverMaster Administrator s Guide 61 Routing Chapter 3 Configuring an ANG 3000 7000 Configuring RIP for the Interface To configure RIP on an interface perform the following steps 1 Add RIP as described in the previous section or select RIP from the Routing Protocols list and click Properties The RIP Interface Configuration window appears as shown in Figure 36 These values are used to authenticate RIP updates from routers on the network Figure 36 Routing Interfaces Configuration RIP 2 Choose the version of RIP to use on this interface RIP Version 1 uses IP broadcast packets for periodic announcements of re
183. nnel in the provided field 70 RiverMaster Administrator s Guide Chapter 3 Adding a Remote Server Configuring an ANG 3000 7000 12 Click the arrow in the Remote Server Name field to bring up a pull down list and select the Remote Server you just added RiverMaster types the Server user name and password into the open fields You may change these settings if necessary 13 Select Enabled or Disabled in the Enabled State field If you select Enabled the tunnel will be created immediately Select Disabled if you want to delay enabling the tunnel until configuration is complete at the other end of the tunnel 14 Click Add If the Enabled state was selected earlier the tunnel becomes operational in a few moments NOTE You can configure additional tunnels to the Remote Server just added by selecting the particular server in the Remote Tunnels display clicking Properties and clicking Add Tunnel in the Remote Server Properties window Changing Server and Tunnel Properties Flap The information configured for Site to Site servers and tunnels can be changed by clicking the Properties buttons on either display To change properties for the Remote Server perform the following steps 1 Select your Remote Server from the tree list under Remote Servers and click Properties in the display 2 When the Remote Server Properties window appears change any information and do one of the following Click Modify to
184. nterface exactly as you typed it 11 In the Phone number field type the ISP s 800 phone number for technical support If the ISP does not have an 800 number support line enter a local support phone number in the Toll Phone field as described in Step 12 12 In the Toll Phone field type the ISP s long distance support phone number RiverMaster Administrator s Guide 109 Adding Corporate ISPs Chapter 5 Controlling Remote User Dialing amp Access View messages here 110 13 Click the ISP Properties tab The ISP Properties display will appear as show in Figure 61 e 15 Profiles And Properties BEET Br penies ENEE car me BEBE arca ojo EENE s EE rr Eint zz see i darra nurs rcom dati ded atte or coe rere ied a And Sarees Terier Adj amate Tunnel iP Darina DOBEH Click here to browse the network for the folder where the script is stored BDP Bak aper ACMEUPN ISP done Generation H dy Reparti Type the login script full path or just the name here Figure 61 ISP Properties 14 Inthe IP Address field enter the IP Address of the dial up server If the ISP did not supply this address you can leave this field blank 15 In the Primary DNS and Secondary DNS fields enter the IP addresses of DNS servers used for name resolution ISPs normally supply both primary and secondary DNS addresses For corporate dial up connections into your network you must specif
185. o the native network Network Administrator The person responsible for installing and maintaining a company s network equipment and also insuring that network resources such as servers and the applications running on them are consistently available and performing well In terms of Enterasys Networks products this person physically installs Aurorean Policy Servers and Aurorean Network Gateways distributes Aurorean Client to remote users and runs RiverMaster software on his her computer to manage the entire VPN Point of Presence POP In Internet terms the physical site that contains an ISP s network equipment Remote users dial into the POD authenticate against the ISP s customer database and then gain access to the Internet ISPs typically have POPs scattered throughout their service area so that can customers can dial a local phone call and avoid paying long distance charges when accessing the Internet Point to Point Protocol PPP The Internet standard for sending network traffic over serial lines such as dial up phone lines Unlike its predecessor SLIP Serial Line Internet Protocol PPP provides error detection and compression capabilities 212 RiverMaster Administrator s Guide Appendix A Glossary Point to Point Tunneling Protocol PPTP A network protocol for linking remote locations over the Internet rather than over costly long distance or leased lines To accomplish this PPTP encapsulates other network proto
186. olicies 121 Dial String Editing policy 130 dial up server IP address 110 direct dial up remote access 103 111 disabling client synchronization 146 disallowed symbols 128 136 Disconnect User button 176 Domain Name System DNS IP addresses 40 110 servers 40 Download Database option 100 downloading viewing and exporting reports 190 208 E El Gamal private public keys 78 91 126 147 E mail address for Customer Support 109 E mail addresses for notification 95 E mail field 109 Enable Intelligent Client Routing checkbox 39 encryption 46 48 224 226 Ethernet 1 exporting reports 194 208 External interface 59 234 F firewall description 210 Firewall traversal 133 210 212 first time setup 21 23 flow control 174 Frame Protocols options 113 RiverMaster Administrator s Guide Index Frame Relay backbone name 109 FTPservice 19 FTP See FTP service Future IP Address field 38 G gateway address 66 241 generating reports 177 189 Generic Routing Encapsulation GRE 43 174 211 221 GRE See Generic Routing Encapsulation GRE group attributes for RADIUS 86 Group notices 152 155 description 127 Expiration Date field 154 Group Notice field 154 Group pull down screen 154 icon 152 textbox 155 textlimit 127 group policies 121 groups adding users 134 136 Description field 129 Enable Data Synchronization field 129 Enable Software Synchronization field 129 Group Name field 128 new 127 134 setting dialing po
187. ols of IP addresses or IPX network numbers that are allocated to remote users when they tunnel into the corporate network O Routing protocol static RIP and OSPF settings for each ANG Ethernet interface CJ Site to site tunnel parameters between two Aurorean Network Gateways NOTE The ANG 3000 7000 can also be configured using a floppy disk Appendix B describes a procedure similar to configuring the ANG using the RiverMaster application Using the floppy disk method allows an administrator to centrally configure one or more gateways and conveniently distribute that configuration data on floppy disks to remote sites RiverMaster Administrator s Guide 25 Before You Begin Chapter 3 Configuring an ANG 3000 7000 These functions are grouped on the Configuration pullout as shown in Figure 11 er rehus eer pam rna andunear cpm popper aad Click here to kid Rene Serer open the Aid Harrrete Tenn Select the D pezinatios Configuration Network i Package pullout Gateway from Hesa Kiz3iz the list of T d Beppe Servers Click here to access the Network Gateway configuratio windows Figure 11 Configuration Pullout Before You Begin 26 Before performing the steps in this chapter you should familiarize yourself with the following Aurorean Virtual Network concepts O Methods available for allocating IP addresses and IPX network numbers to
188. on 2 Microsoft Point to Point Compression MPPC 49 227 Microsoft Point to Point Encryption MPPE 46 RiverMaster Administrator s Guide Index 48 224 226 Modem Type field 116 monitor 1 MPPC See Microsoft Point to Point Compression MPPC MPPE See Microsoft Point to Point Encryption MPPE MS CHAP 45 223 N NAT server configuration 41 description 33 211 NAT traversal 211 NetBEUI 113 213 Network Address Translation NAT description 211 network administrator 212 non routable IP addresses 28 31 Notification service 19 93 Notification See Notification service Novell NetWare servers accessing via IPX 27 virtual subnet type 50 Num Threads field 83 85 89 O on line services address 254 OSPF enabling for an interface 238 239 setting parameters 57 OSPF Area ID field 58 232 OSPF Authentication Menu 59 233 OSPF Router ID field 58 233 Overlord service 18 Overlord See Overlord service 64 65 232 233 259 Index P packetslost 174 password policies 121 passwords 131 136 patch packages 126 Performance Index field 111 116 Performance Options 171 Phone number field 109 plug ins 77 Enterasys Authentication 81 general 76 RADIUS 83 SecurID 87 Point of Presence POP 102 212 Point to Point Protocol PPP 113 212 Point to Point Tunneling Protocol PPTP 213 authentication parameters 45 223 compression parameters 49 227 description 43 221 encryption parameters 46 224 removing 44 policy de
189. oose the group you want the user to join 4 Underthe list of Current Users click Add 5 Inthe User IP Address fields select how the user receives an IP address when he or she connects to the network over a tunnel To allocate the user an IP address from the virtual subnet assigned to this group select Default to Group IP Pool To assign the user a specific address that is used every time the user connects select ssigned and enter an IP address and subnet mask in the fields provided 6 Inthe Corporate User Name field type a name for the user There is no character limit to User names and they may contain letters numbers and most symbols This name matches the VPN User Name that remote users must enter to use Aurorean Client RiverMaster Administrator s Guide 135 Creating a New Group Chapter 6 Managing Users amp Groups NOTE The following symbols are not permitted in the Corporate User Name field single and double quote space apostrophe tilde percent sign ampersand amp exclamation point backslash forward slash at sign and asterisk 7 Inthe Password field type a unique password Passwords are not limited in character length and may contain letters numbers or symbols 8 Inthe Confirm Password field retype the same characters you entered in the Password field Passwords are case sensitive so you must enter the characters exactly
190. oppy disk configuration with the following steps 1 Click Add in the Remote Connection Configuration window as shown in Figure 139 The Remote Connection parameters window appears as shown in Figure 140 242 RiverMaster Administrator s Guide Appendix B ANG 3000 7000 Preconfiguration Stored on a Floppy Disk B Blume Hm tzHonduzrveer com m mB anduzriver com FA Remote Gateways Configure Remote Gateersy L H Co Destination A POP Packages HM nsa ETSE ISP Creating Remote Connections Figure 139 Remote Connection Configuration Window RiverMaster Administrator s Guide 243 Creating Remote Connections Appendix B ANG 3000 7000 Preconfiguration Stored on a Floppy Disk A Remote ANG Remotes Conmechon Remote ANG Meme teusk beusk com Conmmction Name Canys Figure 140 Remote Connection Parameters Window 2 Enter a name which describes the destination ANG of this ANG Choosing a Remote ANG name that matches the name of the terminating ANG of this tunnel connection will make it easier to view system activity and statistics later Refer to Figure 138 for a graphical view of this configuration 3 Choose an ANG from the drop down list in the Connection to Gateway field If you have configured other ANGs they will appear in this list 4 Inthe Tunnel Values section enter a User Name Designating a User Name which matches the name of this ANG will make it easier to view system activity and statistics
191. or problem notification refer to Using the Notification Service to Send E Mail on page 93 Trace Levels The number of messages the Management and Tunnel servers report to RiverMaster can be set on a per service basis Because so many messages are routinely shared via control traffic between the servers and clients if a limit were not set on their collection and display they could disrupt Aurorean Virtual Network service But having the option to occasionally read these messages can help troubleshoot service problems Refer to Chapter 7 for more detailed information on the types of messages displayed RiverMaster permits you to set low medium or high trace levels for the ten available Enterasys services These levels correspond to varying numbers of messages reported to RiverMaster depending on the service you configure RiverMaster Administrator s Guide 79 Adding an Authorization Plug In Chapter 4 Setting Up Aurorean Services For example a low trace level set for the Tunnel Management Service will produce messages similar to those in Figure 43 Note Tunnel Trace messages sent by 121 1939 13 28 22 NE AW Fia E trae ven 30 28 00 Click here the tunnel server 1 21 1998 10 28 23 WA TuMMeL TrTurwrelTrace la zi pem 10 28 30 for View B 1 21 1999 13 28 23 H A TUMMEL TiTenneltrac USUAL RE 10 28 30 929 12 28 23 Ma TUMMEL Ehren nor 1 21 1 09 30 28 30 System 9 182 22 MA TUM TiTernelTrace ee a te Te Act
192. or s Guide Chapter 7 Monitoring System Activity Viewing Server Activity amp Statistics Click here to enable changes Enter a new value here to change the frequency that tunnel statistics are displayed in the Tunnel Statistics Window Enter new values in these fields B CNN rom a Click here to reduce the window size RiverMaster session start and duration times shown here Figure 89 RiverMaster Options Window i 2 Inthe Performance Options area enter a value for any message interval The Tunnel Stats Interval is the frequency with which user tunnel statistics are recorded in the Tunnel Statistics Window refer to Viewing Tunnel Activity on page 173 for more information RiverMaster Administrator s Guide 171 Monitoring System Activity Chapter 7 Viewing Server Activity amp Statistics 3 If you wish to change the Max Message List Size or any of the four ListView sizes enter a value in the provided field Size values refer to the maximum number of messages displayed in the Message Viewer according to the message type selected Message Types include All Messages Login Logout Trace and Alarm Alert Notices 4 Click More to display Message Statistics the time when this RiverMaster session began and its duration The Published and Directed messages and Handle and Message List counters are internal to RiverMaster operations Various IR Service and other messages reflect similar internal
193. ow and click Next to continue configuration Click Cancel to close the window without saving your changes Click Reset to the return the interface s protocol properties to their default settings Creating Static Routes The trusted interface should be connected to a protected network segment one behind a firewall or router that offers protection against unauthorized access If you prefer to limit the routes the ANG learns or you do not use routing protocols on your network set up a trusted Static Route CAUTION _ The ANG requires that a static route be established to the Gateway router from the External interface to enable traffic to reach the Internet The external interface may reside outside a firewall and offers unfiltered Internet access RiverMaster Administrator s Guide 239 Configuring Routing Interfaces Appendix B ANG 3000 7000 Preconfiguration Stored on a Floppy Disk NOTE de use static routes the ANG will not broadcast IP pools You must d a static route on your internal router for that subnet The internal IP address of the ANG is the gateway To configure a static route between a Aurorean Network Gateway interface and another device perform the following steps 1 Inthe Routing Configuration window with the Interfaces tab selected choose the ANG Ethernet interface to configure External or Trusted and click Add 2 Inthe Routing Protocol selection list of the Add an In
194. p Billing SESSION ID User NAME connected CBCconnStop Client Accounting amp Billing SESSION_ID User NAME disconnected CDRxTrace Client Activity Trace Rx PRESCRIBER_MESSAGE CNRxNotify Client Problem Notification Rx PRESCRIBER_MESSAGE CPCallhomeProblem eol RiverMaster Administrator s Guide Client Problem Notification Client problem reported 161 Monitoring System Activity Chapter 7 Viewing Server Activity amp Statistics Table 10 System Activity Messages Continued Message ID CPCallhomeTrace Message Type Client Problem Activity Trace Detailed Description Client trace completed GAauthenticate General Authorization Authenticate a User GAquery General Authorization Query a user GASet General Authorization Set user data LMlowDiskSpaceMsg Log Service Alarm Free disk space has fallen below 85 MAconfig Admin Authorization Configure authentication service MBUserLoggedin E oP5P5s5s Admin Accounting amp Billing Administrator NAME logged in MBUserLoggedOut Admin Accounting amp Billing Administrator NAME logged out MMolordRebooting Admin Alarm Overlord service now rebooting IR Authentication failed MMolordRestartingProc Msg Admin Alarm Authentication stopped and restarted MMolordRestarProc FailedMsg Admin Alarm Authentication stopped and restart fai
195. pdate a window pops up again asking if you want to save the modified tunnel Click Yes or No NOTE Clicking Refresh displays the status for the Current State and Last Connection Result attributes of the tunnel RiverMaster Administrator s Guide 73 4 Setting Up Aurorean Services This chapter describes how to perform the following tasks O Add an Authorization service plug in to allow Aurorean Virtual Network systems to authenticate remote users against a local database on the Aurorean Policy Server an external Remote Authentication Dial In User Service RADIUS server or an RSA ACE Server O Generate private public encryption decryption keys for use with the IPSec protocol O Prepare the Notification server on the APS to send E mail when alarm alert or notification messages are generated O Adjust trace levels for Management and Tunnel server services to generate a controlled stream of messages O Backup the Management Database to avoid operational down time Before You Begin Before performing the steps in this chapter you should familiarize yourself with the following Aurorean Virtual Network concepts O Authorization plug in options O Private public keys for IPSec authentication O Problem notification via E mail o Trace levels RiverMaster Administrator s Guide 75 Before You Begin Chapter 4 Setting Up Aurorean Services Authorization Plug in Options Within a Aurorean Virtual Net
196. pes of messages Based on this criteria RiverMaster sends a query to the Aurorean Policy Server Messages that match the criteria are extracted from log files and displayed in a separate message viewer window After the query results are displayed you can sort and print detailed descriptions for each message To open the advanced message viewer perform these two steps 1 Open the View System Activity pullout 2 Click the Advanced Message Viewer button located at the bottom right corner of the pullout The Message Viewer window appears as shown in Figure 86 This figure illustrates the settings to retrieve all login and logout activity for a single user over a two week period RiverMaster Administrator s Guide Chapter 7 Monitoring System Activity Viewing Server Activity amp Statistics Select which messages to Use these fields display using to setthe start the and end range of checkboxes the message trace To display messages for a single user Click here to start eie retrieving user s name messages from the here Aurorean Policy Server Figure 86 Advanced Message View Setup Example 3 Using the Time Criteria fields specify the period of time to display messages Use the From and To fields to specify the start date time and end date time The time can be based on when the messages were received and logged by the Aurorean Policy Server according to its system clock or by when the messages were sent based on the origina
197. pression on PPTP z acn Fani tz Pori Coon Tenireci ET Imagi demi chers or nol se ETE AODD dhis di epsa not BPO conpreasen W rol cnunimi ebis cris praca by prniocri baii t im erm rt m Figure 26 Tunnel Protocol Compression Settings 12 Click Apply to save your changes To return the parameters to their original settings without saving your changes click Reset RiverMaster Administrator s Guide 49 Virtual Subnetting Chapter 3 Configuring an ANG 3000 7000 13 Do one of the following Ifyou are setting up your Aurorean Virtual Network for the first time continue with the next subsection to configure additional ANG network settings Ifyou are finished with the ANG network configuration and you want to put the new network settings into effect no additional work is required Virtual Subnetting ed Virtual subnets fall into two categories O IP subnets that serve as IP address pools for allocation to remote clients when they connect O An IPX network number that is shared by all remote clients when they connect and use IPX protocol to access Novell NetWare servers IP Subnetting To set up virtual subnets of IP addresses to allocate to remote users perform the following steps 1 Open the Configuration pullout 2 Inthe list of Aurorean devices expand the tree list under Servers click the symbol eas 3 Expand the tree list under the name of your ANG 4 Click o
198. psulating NetBEUI packets IP can route them across the Internet which is not normally possible Virtual Private Network VPN An extension of a company s private network that uses the resources of the public Internet While most private networks use dedicated lines and equipment that are company property a virtual private network borrows resources from the Internet on an as needed basis RiverMaster Administrator s Guide 215 D ANG 3000 7000 Preconfiguration Stored on a Floppy Disk This appendix describes how to preconfigure the Aurorean Network Gateway ANG 3000 7000 using a floppy disk to store the configuration This procedure is similar to configuring the ANG using the RiverMaster application But this method allows an administrator to centrally configure one or more gateways and conveniently distribute that configuration data on floppy disks to remote sites When the floppy disk is inserted in the Remote ANG and the ANG rebooted configuration information stored in the config irx file is copied and the ANG is ready to initiate tunnels To enable the ANG to terminate tunnels please use the Aurorean Policy Manager as described in Chapter 3 of the Aurorean Installation amp Service Guide Also any initiating ANG User configured here must later be added to the User and Group database of the Local ANG Refer to Chapter 6 Managing Users and Groups of this manual for instructions ANG configuration with a floppy disk is organ
199. r S software Click here to view the Build Aurorean Client Core Data Files display indicates what type of sync is enabled Red D data or S E E software shows Tamara Omenplsan what type of sync M rau Matee Creation Dans LLL EAS Eu ta os V Chen botware ti plowed rds IOLA 3 87 is disabled for HB Gran rim IF Adrena 145 24 31 this group in denen Bg IP Misi BL 785 I Bran 5 Eriginaermg Os 5 ten ldo i arogp Pales bhem ean Chart Sanihrasiratzn Softwar zyrchrzrezahan Enabled Dana Serhan Disabled Click here to me Polly open the Al 157 Ordering Trum i Allee POP Ondaneg Trut Configuration Alpes Cit ing Editing Tris pullout ER rure Data Sone Johane Ep re z flee Marua Distag Mend Aime HDD Mumbar Enakreg Click here Beene PE rd hat view the client KawinTart Save Creparaes Pansard I S raspatp Seve SP Pesaro update options T chananTe st Ds a cedi Card e Poly ras Paes li Irabie Credit Card Drusi Sera Cruci Card Fir tampi Boley Figure 77 Client Synchronization Controls RiverMaster Administrator s Guide 145 Controlling Client Synchronization Chapter 6 Managing Users amp Groups E ges 146 Viewing Group Policies To view a summary of each group s policy settings follow these steps 1 2 Open the Configuration pullout Click the Update tab In the Global Area expand the tree list under Group Areas click the symbol Expand the
200. r an ANG that negotiated thePPTP protocol POP PHONE Phone number of the POP that Aurorean Client dialed into N A for clients using an existing Internet connection such as a cable modem or LAN link FROM PHONE The remote client s location phone number the phone number entered on the Aurorean Client From pullout CONN TYPE 184 Type of connection s used by the remote client to reach the Aurorean Network Gateway Possible values include Both for sessions involving a dial up connection into a POP and then a tunnel Tunnel for tunnels that used an existing Internet connection LAN link or cable modem RiverMaster Administrator s Guide Chapter 8 Report Contents Generating Reports Table 16 Client Session Report Values Heading Explanation CONN SPEED Connect speed of the analog modem in bits per second N A for clients using an existing Internet connection such as a cable modem or LAN link ISP KBYTES OUT Total bytes of data sent from the Aurorean user to the ISP POP during the session ISP KBYTES IN Total bytes of data sent from the ISP POP to the Aurorean user during the session VPN KBYTES OUT Total bytes of data sent end to end over the tunnel from the Aurorean user to the corporate network during the session VPN KBYTES IN Total bytes of data sent end to end over the tunnel from the corporate network to the Aurorean user during the session PKTS LOST Number of
201. r old Aurorean Client and install the new Aurorean Client Client synchronization does not support this change 12 Do one of the following Click Commit to store the new group name on the APS Click Cancel to cancel the operation d Adding Users to a Group To add a user to a group perform the following steps X NOTE You only need to add user accounts when using the Authorization service If Six disabled Authorization in favor of authenticating users against a RADIUS or SecurID server you do not need to create accounts for your remote users Refer to Chapter 4 for more information on Aurorean Virtual Network authentication techniques 2 Click on the User icon in the lower left corner of the pullout to switch to the User view A sample User view is shown in Figure 72 ff 1 Open the Manage Users and Groups pullout 134 RiverMaster Administrator s Guide Chapter 6 Managing Users amp Groups Creating a New Group Click here to choose the group you want the user to join Cerent Users im Groups oar Use these fields to assign a static IP address to the user or dynamically allocate an IP address from the a d Ram J l c m group s virtual subnet T 3 Ei Individual view ESWr T rr button _ Leer Ponds updated sgccesstuliy Se Se re eS ee ee aoa Progress messages appear here Figure 72 Manage Users and Groups Pullout User View 3 From the Group list ch
202. remote clients when they connect CJ Aurorean Virtual Network s Intelligent Client Routing feature O Aurorean Virtual Network s support for Network Address Translation NAT O Methodology of Site to Site tunnels O Aurorean Virtual Network s AutoLink Recovery feature RiverMaster Administrator s Guide Chapter 3 Before You Begin Configuring an ANG 3000 7000 Allocating IP IPX Addresses to Remote Clients When remote clients tunnel into the corporate network they must be able to access devices on the network just as if they were locally connected To serve this need the ANG acts as a router forwarding packets between devices on the corporate network and remote clients When remote clients tunnel into the ANG they must be allocated IP addresses accessible to or on the local network NOTE To access Novell NetWare servers using IPX protocol remote clients must receive an IPX network number RiverMaster allows you to specify a single IPX network number that is shared by all remote clients when they connect IPX usage is also controlled by a group policy refer to Chapter 6 for more information on group policies You can allocate IP addresses to Aurorean users in one of three ways O Assign a specific IP address to each remote client This address is saved as part of the client s user name and password account information stored on the Aurorean Policy Server Once the client authenticates the address is alloc
203. return the parameters to their original settings without saving your changes click Reset RiverMaster Administrator s Guide 53 Routing Chapter 3 Configuring an ANG 3000 7000 8 Doone ofthe following Ifyou are setting up your Aurorean Virtual Network for the first time continue with the next subsection to configure additional ANG network settings Ifno additional ANG network configuration is required and you want to put the new network settings into effect reset the ANG Routing ed Configuring the routing behavior of the ANG consists of two general steps CJ Setting parameters for the two routing protocols supported RIP and OSPF O Selecting routing protocols for each ANG Ethernet interface Click here to open the Configuration Click here to pullout access the Gateway configuration windows Figure 30 Aurorean Network Gateway Routing Configuration 54 RiverMaster Administrator s Guide Chapter 3 Routing Configuring an ANG 3000 7000 Setting Routing Protocol Parameters To access RIP and OSPF parameters for the ANG perform the following steps 1 Open the Configuration pullout 2 Inthe list of Aurorean devices expand the tree list under Servers click the symbol 3 Expand the tree list under the name of your ANG D m 4 Click on Routing to display the routing parameter tab pages 5 Click on the Protocols tab to display protocol parameters for RIP and OSPF 6 Doone of the following
204. rinter Cancel Copies 1 Iv Collate Copies Print Range a Pages From fo To Figure 88 Printing Messages NOTE If you do not have at least one printer driver installed on your computer the printer button is disabled To install a printer follow the instructions provided in Windows on line Help RiverMaster Administrator s Guide 169 Monitoring System Activity Chapter 7 Viewing Server Activity amp Statistics RiverMaster Options The RiverMaster Options button performs the following functions O Controls the number of messages and the frequency they are shown in the Message Viewer Messages are displayed in the Tunnel Statistics window every 5 seconds default and are rolled over after reaching the default maximum of 2000 messages All four ListView sizes are defaulted at 500 messages O When the window is enlarged it displays RiverMaster session and message data The start and duration of the current session is displayed at the bottom of the window Message Statistics are also displayed but only for informational purposes to be interpreted with the help of Enterasys Customer Support personnel To use RiverMaster Options perform the following steps 24 1 Atthe RiverMaster main interface click the RiverMaster Options button above the service status screen The RiverMaster Options window displays as shown in Figure 89 170 RiverMaster Administrat
205. routers on your network If the routers on your network do not require passwords to accept OSPF updates set the algorithm to None and continue with the next step 4 Doone of the following Click Apply to save your changes click Cancel to close the window and click Next to continue configuration The Interfaces tab of the Routing Configuration window appears Click Cancel to close the window without saving your changes Click Reset to the return the OSPF properties to their default settings RiverMaster Administrator s Guide 233 Configuring Routing Interfaces Appendix B ANG 3000 7000 Preconfiguration Stored on a Floppy Disk Configuring Routing Interfaces This section describes how to configure the ANG s two Ethernet interfaces O The Trusted interface should be connected to a protected network segment one behind a firewall or router that offers protection against unauthorized access Typically you should enable a routing protocol RIP OSPF or both on the Trusted interface so that the Aurorean Network Gateway can advertise to other devices that its virtual subnets are reachable to the corporate network O The External interface can be connected to a network segment that resides outside a firewall and offers unfiltered access to the Internet You must create a static route between the External interface and the router that serves as the gateway to the Internet You cannot enable RIP or OSPF on this interface To add
206. rsion of Aurorean Client from the APS if new scripts and application executable files are available Ifnew Prescriber scripts are available the APS begins downloading a self extracting file over the management channel This self extracting file is run the next time the user starts the Aurorean Client application When the download is complete the process continues with the next step Ifthe Prescriber scripts are still current the process continues with the next step If new application executable files are available the APS begins downloading individual files over the management channel When the download is complete the process continues with the next step The new software is installed the next time the user reboots if chosen when prompted by a dialog box If declined the user can manually upgrade Aurorean Client later Also Aurorean Client replaces any files that were deleted Ifthe application executable files are still current the process continues with the next step If Software Synchronization is disabled no upgrade occurs 4 With Data Synchronization enabled Aurorean Client compares the dates of its most frequently used core and TollSaver POP files against those stored on the APS Ifthe files are out of date the APS begins downloading individual core and TollSaver POP files over the management channel When the update is complete the process continues with the next step Tf the files on the Aurorean Cl
207. s Downloading Viewing and Exporting Reports To download and view print or export a report perform the following steps ts 1 Open the Configuration pullout E 2 Expand the list under Reports by clicking the symbol 3 Choose the type of report you want to download and view Figure 100 shows the Accounting Report display For a detailed description of any selected report type click Report Description Select date format here Click here to open the Choosethe 2 Accounting Report d a erat ee from this list ee rea Click here to start E pF fades Cw cnc ESSE generating FO POP Pacts the report PLANET un V Math corey v an Jp Click here to export raw data to a file Doone Prat Cher regt This message indicates data from the AP S downloaded Successfully Configure default date _ settings for week and month here Figure 100 Accounting Report Display 4 Choose from daily weekly monthly or custom options By default the previous day constitutes the One day period and Sunday marks the beginning of the week Also weeks and months commence on the first full week or month If you want to choose an irregular period click Custom Also you may set your own default periods by clicking Configure and selecting a date from the pop up window 190 RiverMaster Administrator s Guide Chapter 8 Downloading Viewing and Exporting Reports Generating Reports NOTE Be
208. s Contents of the Guide Information in this guide is arranged as follows o Chapter 1 Installing RiverMaster Software provides step by step instructions for installing the RiverMaster application on your computer and starting the application for the first time Chapter 2 The Guided Tour contains an overview of RiverMaster operation describes how to log into RiverMaster and check the status of your Aurorean Virtual Network servers and walks you through the process of setting up an Aurorean Virtual Network for the first time Chapter 3 Configuring a Aurorean Network Gatewaydescribes how to configure network settings such as IP addresses name resolution servers tunnel protocols and routing protocols using RiverMaster or Aurorean Policy Manager The chapter describes how to back up the database on the Aurorean Policy Server and details how to set up site to site tunnels from one Aurorean Network Gateway to another It also details how to view and change alternate ANG address data Chapter 4 Setting Up Aurorean VN Services discusses how to use the Authorization service to authenticate remote users prepare the Notification service to send E mail in response to Aurorean Virtual Network alarm alert or notification messages and set trace levels for system messages RiverMaster Administrator s Guide ix About This Guide O Chapter 5 Controlling Remote User Dialing amp Access describes how to define Aurorean Network Gate
209. s feature in conjunction with the HyperText Transfer Protocol Secure HTTP S to successfully traverse the firewall without causing harm to the native network Generic Routing Encapsulation GRE Tunneling protocol developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels creating a virtual point to point link over the Internet For PPTP GRE is used to encapsulate PPP data packets within an IP packet IP packet headers contain address information necessary for routing while PPP packets do not Internet Service Provider ISP A vendor who provides direct access to the Internet ISPs bill users for the amount of time they are connected and may also offer additional services such as Web site hosting E mail or news group readers Remote users reach the ISP by dialing into an ISP POP with a computer modem and phone line or over a dedicated circuit such as a cable modem connection Management Channel A portion of the tunnel connection that is used to download an updated TollSaver database from the Aurorean Policy Server to the Aurorean Client computer When a remote user establishes a tunnel connection to the corporate network Aurorean Client sends a message to the Aurorean Policy Server asking if the TollSaver database has changed If the Aurorean Client s database is out of date the Aurorean Policy Server downloads a new database during low traffic periods so that the download does not inter
210. s IP address is set using the Aurorean configuration wizard program refer to the instructions supplied with this program for more information RiverMaster needs this IP address to locate and synchronize with the Aurorean Policy Server 4 Ifyou entered both APS IP addresses select the APS you want to log into and click OK The RiverMaster Login window appears as shown in Figure 3 with the Aurorean VPN name displayed as typed in the Identify your Aurorean Environment window fg Sard APS Select the APS jou ennt bo manage ePmaeusenm C Akense 208 6 112 20 Cancel Figure 2 SelectAPS Window 6 RiverMaster Administrator s Guide Chapter 1 Installing the Application Installing RiverMaster Software 5 Type the default user name netadmin and password netadmin and click OK For example the primary APS name and its IP address is displayed in the RiverMaster Login window in Figure 3 When the RiverMaster application starts the main interface appears as shown in Figure 4 MT Riverklaster Login x Aronian YPM reams PeT TEST eem 000 0 Figure 3 RiverMaster Login Window A NOTE To prevent unauthorized RiverMaster access Enterasys Networks recommends that you immediately create a new administrator account in the Admin group and delete the default login account Refer to Chapter 6 for instructions on adding and deleting user accounts When you start RiverMaster the application immediately a
211. s Networks customer support personnel are available by calling 1 800 872 8440 When you call please call from a position where you can operate the RiverMaster management application or view the server s LEDs and make sure you have the following information ready O State of the LEDs on both the front and rear panels of the server s O A list of the error messages appearing in the RiverMaster message alarm display O Details about any recent configuration changes if applicable Enterasys Networks also recommends that you have this guide on hand when you call RiverMaster Administrator s Guide Symbols authloc file 99 Numerics 128 bit encryption 48 87 226 40 bit encryption 48 226 800 Number policy 130 A Access Method 111 Access service 19 99 Access See Access service accounting messages 166 Accounting Report 187 ACE Server RADIUS extensions 76 acknowledgment packets 174 Activity Trace messages 166 Admin group 7 advanced message viewer 164 169 Alarms definition 15 78 E mail notification 96 viewing messages 166 Alerts definition 15 78 E mail notification 96 viewing messages 166 Algorithms ARCFOUR 40 bit 48 226 IPSec Encryption 46 224 Rivest MD5 message digest 46 224 Signature 46 224 ARCFOUR 47 48 225 226 AS export interval OSPF 57 AS export limit OSPF 58 RiverMaster Administrator s Guide Index assigning IP IPX addresses to clients 27 three options available 27 assigning IP IPX addresses
212. s determine the tunneling protocol IPSec or PPTP used on all tunnels started by this group s members whether Firewall NAT traversal is allowed for Aurorean Client users to reach non native networks and whether the IPX protocol can be used over the tunnel to access Novell NetWare servers For instructions on setting group policies refer to Creating a New Group on page 127 The policy settings are packaged in the Aurorean Client installation kit that you create for each group as described in the next section You can change a group s policies after this kit is distributed and installed The modified policies can be automatically updated on the Aurorean Client computer as described in Client Synchronization on page 124 RiverMaster Administrator s Guide 121 Before You Begin Chapter 6 Managing Users amp Groups 122 Aurorean Client Installation Kits To reduce the challenges of remote access Enterasys Networks designed Aurorean Client to be embedded with critical access information when it is first installed Because this information is already present when the remote user tries to connect the connection occurs quickly and with less chance of error You are responsible for configuring this information to match your Aurorean Virtual Network requirements building Aurorean Client installation kits that contain the customized information and distributing these kits to your remote users You must build a Aurorean Clien
213. s the Aurorean Client application the next time the new software files are immediately available for use RiverMaster Administrator s Guide 151 Setting Up Group Notices Chapter 6 Managing Users amp Groups Setting Up Group Notices Group Notices can be written to notify Aurorean users in each group or all Em Aurorean users in a global message The notice displays in a standard pop up window as shown in Figure 81 below The message disappears after 30 seconds or when the user clicks OK Message ofthe Day EG Please upgrade Aurorean today Figure 81 Group Notice Display To write messages for clients in a single Group or all Group basis perform the following steps 1 Open the Configuration pullout 2 Click the Update tab 3 Expand the tree list under Global Area 4 Click on the Group Notice icon The Group Notice display appears as shown in Figure 82 gs 152 RiverMaster Administrator s Guide Chapter 6 Setting Up Group Notices Managing Users amp Groups Click here to Choose a group expand Global Area entries Choose a Date mem 0 58 Tump dy T Click this icon to open the Group Notice display Write your notice here Click here to view the client update options A message indicating Notice status displays here Figure 82 Group Notice Display RiverMaster Administrator s Guide 153 Setting Up Group Notices Chapter 6 Managing Users amp Groups 5 Click the arrow in the Group f
214. s the transfer of files at the point it was interrupted As an alternative to client synchronization you can also manually create a patch package that contains the group s core files If an Aurorean user cannot tunnel into the corporate network and you believe the problem is related to outdated group policies or an incorrect ANG destination IP address you can build and distribute this patch package to that user Also if your remote users employ IPSec tunnel protocol and you have regenerated the El Gamal private key on the ANG you can distribute the patch package to install the new key on their computers The patch package is a self extracting archive that automatically overwrites the core files on the Aurorean Client computer Refer to Building Core Data Files on page 147 for instructions on creating a patch package For more information on controlling client synchronization including building new core files and uploading Prescriber remedies refer to Controlling Client Synchronization on page 145 RiverMaster Administrator s Guide Chapter 6 Creating a New Group Managing Users amp Groups Group Notices Administrators may need to notify Aurorean clients of Group wide news an upcoming change in policy or a departmental bulletin for example and this service is supported by the Group Notice tool A Group Notice can total 256 characters and can be written for all the clients in a particular group or all members of all groups
215. sing the number of threads logins in progress the authenticating server will handle This function is useful if you discover that users are exceeding the timeout value allowed for authentication and are not being connected because too many clients are dialing in simultaneously For instructions on customizing the Enterasys Authentication plug in and adding RADIUS and SecurID plug ins refer to Adding an Authorization Plug In on page 80 RiverMaster Administrator s Guide 77 Before You Begin Chapter 4 Setting Up Aurorean Services 78 Private Public Keys for IPSec Authentication Aurorean users who tunnel into your network using the IPSec protocol also require an El Gamal public key for authentication The key is an embedded piece of data used to encrypt and decrypt packets exchanged between Aurorean Client and the Aurorean Network Gateway A pair of keys one private and one public are generated and saved on the APS The public key is included in the Aurorean Client installation kit you build and distribute for your remote users as described in Chapter 6 The exchange of keys is handled entirely by the Aurorean Client application the user does not need to know or type the public key However if the private key on the APS becomes compromised you may need to regenerate the private public key pair and distribute files with the new public key to your remote users Without the current public key IPSec users will be unable to tunnel
216. ss Translation NAT servers used by remote clients for name resolution To set general network settings for the ANG perform the following steps 1 2 Open the Configuration pullout In the list of Aurorean devices expand the tree list under Servers click the symbol Expand the tree list under the name of your ANG Click on General to display the general network settings tab pages A sample General settings window appears as shown in Figure 18 The IP Address field is read only and displays an address assigned to the ANG during installation If the ANG is equipped with a single Ethernet interface this field shows the address of the Trusted port If the ANG is equipped with dual Ethernet interfaces this field shows the address of the External port RiverMaster Administrator s Guide 37 General Aurorean Network Gateway Settings Chapter 3 Configuring an ANG 3000 7000 38 j PRT 3EXT TS ed Derverad Tas Prob cooks PCI agm s T Pel muris Feind m ues B LoL Configure emtia Cabroemy 1 i oesiranons fl The Aurorean Network Gateway IP address is set when the servers are installed and displayed here as read only NEIN UP tomlin tea Fane P Adorn m inedia riy cleri y shn Click here to allow dhe PF eddies w iha habeari Garey tz going iz be remote users to R directly browse the E J Internet while they are tunneled into the corporate network
217. stalled You can build as many POP packages as necessary If you want each group to use a different POP package you can associate one or more groups with any POP package and build that group s installation kit Refer to Chapter 6 for more information on building Aurorean Client installation kits Because ISPs are constantly opening new POP locations Enterasys Networks provides a mechanism for updating the master TollSaver database on the APS with new POP phone numbers The Aurorean Software Update Service delivers periodic TollSaver updates with new ISPs and updated POP phone numbers Aurorean software updates are normally supplied on a CD ROM which you insert into the APS NOTE For information on the contents of each Aurorean software update and instructions for installing the update refer to the documentation supplied with the Aurorean Software Update Service CD ROM If you select additional ISPs from the database after building a POP package and distributing Aurorean Client installation kits you can make these ISPs available to your remote users by performing some special steps These steps include rebuilding the POP package and then enabling client synchronization to download the new ISP POPs to users when they connect Refer to Chapter 6 for more information on client synchronization For instructions on selecting ISPs for your remote clients to use refer to Creating POP Packages on page 105 RiverMaster A
218. start creating the installation kit If you choose to leave this window open during the build real time messages appear at the bottom of the window indicating build status NOTE If problems are detected early in the build process for instance a POP package was not created the details screen of the Build Client Install Kit window will display the problem in red suggesting what should be fixed before proceeding with the build 15 If you are building a kit for the first time or you specified directories that do not currently exist a series of windows appear asking if you want to create each directory click Yes at each window to create the new directories After the directories are created RiverMaster copies the POP data files onto your computer and starts generating the ZIP file and overall self extracting archive file Progress messages appear on the Build Client Install Kit window if you chose to leave it open as these actions occur RiverMaster Administrator s Guide 143 Creating an Aurorean Client Installation Kit Chapter 6 Managing Users amp Groups 16 If you opt to keep the Build Client Install Kit window open during the build a message appears at the bottom of the window when the build completes as shown in Figure 76 click Close to close the window An Access message indicating the build completed also displays in the Message Viewer Additional build information is available by choosing the POP Packa
219. sted Gateway for RIP 4 Inthe Address field type the address for the router that the Aurorean Network Gateway will accept updates from and click Add You can later modify this address or delete it using the Modify and Remove buttons 5 Repeat Step 3 and Step 4 for each gateway required 6 Doone ofthe following Click Apply to save your changes and Cancel to close the window If you want to configure OSPF on the ANG continue with the next section otherwise skip to Configuring Routing Interfaces Click Cancel to close the window without saving your changes Click Reset to return the RIP parameters to their default settings OSPF Properties To enable OSPF on an interface continue floppy disk configuration with the following steps 1 With the OSPF Configuration window displayed as shown in Figure 132 type the area ID shared by the Aurorean Network Gateway and routers within the subnet in the OSPF Area ID fields 232 RiverMaster Administrator s Guide Appendix B Configuring Routing Protocols ANG 3000 7000 Preconfiguration Stored on a Floppy Disk A VETE Configuestion X IA OSPF Configuration OSPF Ares ID OSPF Router ID OSPF Authentscatian Algorithm r Apply Cancel Reset Figure 132 OSPF Routing Protocol Configuration 2 Type the IP address for the Trusted interface in the OSPF Router ID fields 3 From the OSPF Authentication Algorithm menu choose the authentication algorithm used by
220. strator s Guide Index 263
221. t RiverMaster files are stored in C Program Files Indus River Networks RiverMaster To change the destination folder click Browse to select an existing folder or create a new folder To return to the previous window to change your selections click Back this option is also available on all Setup windows that follow 7 When the Select Program Folder window appears assign a name to the RiverMaster program folder and click Next As a default the Setup program creates an Indus River Networks folder that appears in the Programs menu This folder contains shortcut icons for the RiverMaster application and a README file 8 When the Start Copying Files window appears click Next to continue the installation or click Back to change your selections 9 An Information window appears stating that to read the RiverMaster documentation you must install the Adobe Acrobat Reader program Click OK Acrobat Reader can be found in the 3rd Party Support Software directory on this CD or at the Adobe Website www adobe com RiverMaster Administrator s Guide 3 Installing the Application Chapter 1 Installing RiverMaster Software 10 When the Setup Complete window appears do one of the following To view the README file immediately leave the check box checked and click Finish To wait until later to view the README file remove the check from the check box and click Finish 11 At the second Setup Complete window choose Yes to restart your co
222. t and stop the Access Service Because stopping this service can prevent remote clients from connecting the Aurorean Network Gateway stopping this service should only be done when recommended by Enterasys Networks Customer Support m RiverMaster Administrator s Guide 99 Backing Up the Database Chapter 4 Setting Up Aurorean Services 6 Click Start for Download Database to copy the database to a directory of your choice on your computer or a system on the network A window similar to Figure 55 will appear Select the directory on eee He RiverMaster in which Lih ERE mj ene m to copy your database Optionally type a new name for the database here Map mP E rn naragerser Dcabase dil Lance j Figure 55 Selecta Path to Save the Database to 7 Keep the default name or retype the database File name select the directory and click Open RiverMaster copies the database file to the directory of your choice For instructions on using this file to restore your management database contact Enterasys Networks Customer Support as described in Appendix C of this guide 100 RiverMaster Administrator s Guide 2 Controlling Remote User Dialing amp Access This chapter describes how to O Create or modify a POP Package a group of ISPs from those available in the TollSaver database for customized dial up connections O Add or modify corporate ISP information to provide direct
223. t installation kit for each client group defined in the Aurorean Policy Server database An Aurorean Client installation kit contains the following components O The Aurorean Client application O POP packages which contain POP phone numbers for the ISPs you selected as well as any direct dial up corporate ISP phone numbers CJ Aset of core files that contain the following The policies assigned to that particular client group These policies determine which Aurorean Client features and functions users can exercise Destination IP address for the Aurorean Network Gateway you want members of that group to access The Aurorean VPN name shared by the Network Gateway and Policy servers and all Aurorean Client computers that connect to your network Figure 67 illustrates the contents of a Aurorean Client installation kit When you build your first Aurorean Client installation kit you must perform a complete build During the two step build process the Aurorean Policy Server first extracts POP phone numbers from the master TollSaver database to build a custom database for a POP package and its associated ISPs If you are using several ISPs or an ISP with POPs nationwide this POP package build may take a few hours to complete In the second step of the build process a group kit which includes core files containing tunnel destination and configuration is compiled Compiling this build does not take as long RiverMaster Admin
224. t time including ISPs POP phone numbers policies and the IP address of the destination ANG However this information may become obsolete if you select additional ISPs add POP phone numbers install Aurorean Software Update Service updates or change the ANG IP address Using a process known as client synchronization your Aurorean users can receive updated information with a minimum of effort on your part Administrator controlled client synchronization is a two part process which works by accessing data files Data Synchronization and software files Software Synchronization stored on the Aurorean Policy Server Data files are built when POP package kits or group kits are compiled while the software files consist of pre standing Aurorean Client application and subsystem executable files When policies are reconfigured fresh El Gamal keys created and new group notices issued these changes are incorporated in the data files and automatically transferred to your Aurorean users through data synchronization policies are updated every time a user connects But other new settings including new ISPs and POP packages are not transferred during data synchronization unless they have been incorporated in POP package kit and group kit compilations For those changes to take effect you must build new POP package and group installation kits for your Aurorean users Client synchronization is enabled or disabled on a per group basis During client sync
225. table address allocated from the virtual subnet Intelligent Client Routing DISABLED Cea a tea Router Firewall Aurorean Network Gateway Aurorean Client Internet Server Aurorean Client Aurorean Router Firewall Network Gateway xi Packets addressed to server on Internet Figure 14 Aurorean Virtual Network s Intelligent Client Routing Feature 32 RiverMaster Administrator s Guide Chapter 3 Before You Begin Configuring an ANG 3000 7000 NAT Server RiverMaster s NAT server feature provides support for security conscious administrators who want to conceal the physical IP address of their system ANG or another Gateway without affecting Aurorean service By configuring a NAT Server with an alias IP address for the ANG refer to page 41 for instructions the real IP address of the ANG will remain hidden and any IP address received by the NAT Server will be translated to the real IP address of the destination for all incoming clients This ensures that clients access the correct IP address and build a tunnel connection to the ANG without revealing physical addresses The process is reversed for clients on the corporate LAN seeking to dial up remote destinations In Figure 15 below the IP addresses received at the NAT Server for Servers 1 2 and the ANG are translated into the real IP addresses of the destination servers Aurorean Client c NAT Server Received IP Addresses Server Serner
226. tents of a particular message by utilizing the Advanced Viewer and setting the search criteria to zoom in on the message The results will display in the Message Viewer Refer to Advanced Message Viewer on page 164 for details RiverMaster Administrator s Guide Chapter 7 Viewing Server Activity amp Statistics Monitoring System Activity Message ID AAClientAuth Message Type Authentication Authorization Table 10 System Activity Messages Detailed Description The Client needs to be authorized AAchallenge Authentication Authorization Challenge a user AANewElgamalKey Authentication Alarm A new EI Gamal key pair was generated connections down until clients get new key AAresponse Authentication Authorization Authentication service response ADNameChange Authentication Debug Trace User old name is being authenticated as new name AMInvalidElgamalKeys Authentication Alarm Invalid El Gamal keys detected ANAuthFailed Authentication Problem Notification User NAME failed authentication CODE ANBadDomain Authentication Problem Notification User NAME issued an invalid domain name APAuthorization Trace Authorization Activity Trace Authentication service started AYAuthSucceeded Authentication Activity Trace User NAME authenticated successfully CBCconnStart amp g o amp o g S Client Accounting am
227. ter perform the following steps 1 Insert the Aurorean 3 0 System Software CD into the CD ROM drive and run the SETUP EXE program feq 2 Open Windows Explorer go to the RiverMaster directory on this CD 2 RiverMaster Administrator s Guide Chapter 1 Installing the Application Installing RiverMaster Software 3 If a warning message appears stating that Microsoft ODBC is not present on your computer click OK to install Microsoft ODBC If this message does not appear continue with the next step The Microsoft ODBC text driver must be installed on your computer in order for RiverMaster to generate reports RiverMaster Setup automatically launches the Microsoft ODBC install program follow the instructions provided on the screen When asked choose the Typical ODBC installation After ODBC is installed RiverMaster Setup automatically resumes 4 When the Welcome window appears click Next to continue To halt the installation and exit the Setup program click Cancel this option is also available on all Setup windows that follow 5 When the Software License Agreement window appears carefully read the agreement and click Yes to accept the terms To install RiverMaster you must accept the agreement If you click No to decline the agreement the Setup program will close 6 On the Choose Destination Location window select where you want RiverMaster files stored on the computer s hard disk and click Next As a defaul
228. terface Route Protocol popup window double click Static Routes and click Add in the Static Route Configuration window The Static parameter tab page is displayed as shown in Figure 137 ALTES Rosie Lonlique alin Internal Static Rai Static Routes 000000 255 285 2550 10 100 0022 TERED Add Stric Route Emmm Reachable Subnet Address Reachable Subnet m d IE E Figure 137 Static Routing Configuration Window 240 RiverMaster Administrator s Guide Appendix B Configuring Routing Interfaces ANG 3000 7000 Preconfiguration Stored on a Floppy Disk 3 In the Gateway address fields type the IP address of a gateway on this subnet For External interfaces enter the IP address of the router that provides access to the Internet In the Reachable Subnet fields type a starting IP address and subnet mask to define a subnet Packets received by the ANG are statically routed to the gateway you specified To forward all packets to the gateway when there is no other reachable next hop address for a packet enter an address of 0 0 0 0 and a subnet mask of 0 0 0 0 N CAUTION Configuring a default static route 0 0 0 0 0 0 0 0 on the Trusted interface of the ANG disables Intelligent Client Routing Refer to Intelligent Client Routing in Chapter 3 for more information Click Add The static route you set appears in the Internal Static Routes display Do one of the following Click
229. that you want to remove RiverMaster Clicking Yes launches the UnInstallShield program which manages the process of deleting RiverMaster files 5 When Remove Shared File windows appear for shared DLL and OCX files click Yes To All and click Yes again to confirm your decision 6 When the Remove Programs From Your Computer window appears with all items checked click OK 7 When a window appears indicating that RiverMaster has been removed click OK to acknowledge the message but do not restart your computer Although the Add Remove Programs utility removes most Aurorean VN files you must manually delete the contents of the RiverMaster folder within the Indus River Networks folder on your hard drive You should do this before restarting your computer 8 Close the Add Remove Programs control panel S 9 Open Windows Explorer by clicking the Start button pointing to AJ Programs and then clicking Windows Explorer RiverMaster Administrator s Guide 9 Removing RiverMaster Files Chapter 1 Installing RiverMaster Software 10 Locate the RiverMaster program folder The default location for this folder is C Program Files Indus River Networks 11 Delete the RiverMaster folder 12 Restart your computer 10 RiverMaster Administrator s Guide 2 Getting Started with RiverMaster This chapter introduces the essential functions of RiverMaster describes Aurorean Virtual Network system status information displayed on the main
230. thentication Algorithm menu choose the authentication algorithm used by routers on your network If the routers on your network do not require passwords to accept OSPF updates set the algorithm to None and continue with the next step 5 Doone of the following Click Apply to save your changes Click Cancel to close the window without saving your changes Click Reset to the return the OSPF properties to their default settings Routing Interfaces The ANG is equipped with two Ethernet interfaces O The Trusted interface should be connected to a protected network segment one behind a firewall or router that offers protection against unauthorized access Typically you should enable a routing protocol RIP OSPF or both on the Trusted interface so that the ANG can advertise to other devices that its virtual subnets are reachable to the corporate network O The External interface can be connected to a network segment that resides outside a firewall and offers unfiltered access to the Internet You must create a static route between the External interface and the router that serves as the gateway to the Internet You cannot enable RIP or OSPF on this interface RiverMaster Administrator s Guide 59 Routing Chapter 3 Configuring an ANG 3000 7000 Srtccos thier E iea Ea configure batiri Krrertacs ib lithe d f ag rer esr chara Ein med M THEMEN Garena IRI Hepi Tei Click here to asiarra open th
231. ting up Group Notices 152 SHA cryptographic hashing 46 224 shared secret for RADIUS 85 Simple Mail Transfer Protocol SMTP adding an SMTP server name 94 Site to Site tunnel server adding a remote server 68 71 description 34 Software License Agreement 3 software requirements for RiverMaster 2 software synchronization 124 146 State field 115 static route 30 59 61 65 234 236 240 statistics 173 176 Aurorean Network Gateway 16 Aurorean Policy Server 17 RiverMaster Options 170 172 tunnel protocol 173 176 Steel Belted RADIUS 706 84 86 87 261 Index subnet mask 52 66 229 241 system requirements 1 T Tables Accounting Report Values 187 188 Aurorean Policy Server Services 18 20 Client Anomaly Report Values 182 Client Session Report Values 184 185 Credit Card Policies 132 Dial Policies 130 Encryption Parameters 48 226 Fixed OSPF Parameters 57 58 IPSec Authentication Parameters 46 224 Message Types 166 Password Policies 131 Protocol Statistics 174 175 Server Anomaly Report Values 178 System Activity Display 159 System Activity Messages 161 163 Tunnel Policies 133 Tunnel Statistics Report Values 180 TCP IP 113 213 Technical support customer support phone number 254 on line services address 254 thread configuration 77 description 214 Timeout field 89 Toll Phone field 109 TollSaver database definition 215 overview 102 synchronization 126 updates 102 Trace 80 Trace levels 79 tree 55 tree list 52 68 98 14
232. tion to configure additional ANG network settings Ifyou are finished with the ANG network configuration and you want to put the new network settings into effect no additional work is required IPX Virtual Networks To set up a single IPX network number to allocate to remote users perform the following steps ths 1 Open the Configuration pullout 2 Inthe list of Aurorean devices expand the tree list under Servers click the symbol eJ 3 Expand the tree list under the name of your ANG 4 Click on Subnetting to display IP and IPX subnet tab pages 5 Click the IP Virtual Networks tab if it is not already displayed A sample IPX virtual networks window is shown in Figure 29 52 RiverMaster Administrator s Guide Chapter 3 Virtual Subnetting Configuring an ANG 3000 7000 Click here to open the Click here to Configuration access the pullout Gateway configuration windows Figure 29 IPX Subnet Configuration for Remote Clients 6 Inthe IPX Virtual Network Number field enter an IPX network number to be used by all remote clients This number must be unique The network number must be between 1 and 8 hexadecimal digits 1 to FFFFFFFD This network number will be attached to all IPX frames received from remote clients A NOTE Zero 0 and FFFFFFFF addresses are invalid due to NetWare restrictions FFFFFFFE is reserved for the default route R M M M M 7 Click Apply to save your changes To
233. tivity CJ Trace messages generated by Enterasys services such as the Authorization and Access services O Alarms alerts and problem notification messages produced by the Aurorean Policy Server or Aurorean Network Gateway RiverMaster Administrator s Guide 157 Monitoring System Activity Chapter 7 Viewing Server Activity amp Statistics To view message activity perform the following steps a 1 Open the View System Activity pullout i A sample message activity view is shown in Figure 85 Select which messages to display here wj E P Maaga T Lrgn amp Lzpast rzers Tracm T piama Arteria Dou aa ime oo aa m e TO 11 15 44 Av ACCESX KrbubdbiphsoksgeCcomplied 120011998 1 mn 3 Ln doe nETHI KrrxrbenDane OK Pg izoni eo m Maximize the de Las Lpa po z5 33 MA BETRI EYrwiRanDarnenkHFng 12 08 1593 Dr detailed E LEAL GO D 27 17 A RETRI ErrwttenDanaDk Hug Lz GB LEO DE message LOL DOT AMA RETRI EvratRanDsre kHMug LAL ood Di eH Use these 3 LA ee Os A44 ETRI Eirretfos ola res Fang indi c3 D description controls to ug LAE LE RESP mo ACCESS xrbuddCieeDataBeDuTed LALE 1I display start and Db ipie os W ROCESS WrbuldiciesiDana Set Compl 12 081 mint 11 de Lpi DOT MN BETPI ErretanDsreck Mug LEAD LES Di pause the Ps LEAL Dn 30 17 AA BETRI K rrwitanDzre0kMug 12 08 1593 Di message ue Laa e DOS A RETRI Errwite gone Ok Mag 12 0871 898 Di i display hb he ee ak ee RETRI Erreta gares Hg LLU
234. tly as you entered it in Step 2 64 RiverMaster Administrator s Guide Chapter 3 Routing Configuring an ANG 3000 7000 4 Doone ofthe following Click Apply to save the OSPF parameter changes Click Cancel to close the window without saving your changes Click Reset to the return the interface s protocol properties to their default settings Creating Static Routes To configure a static route between an ANG interface and another device perform the following steps 1 Open the Configuration pullout 2 Inthe list of Aurorean devices expand the tree list under Servers click the symbol 3 Expand the tree list under the name of your ANG o m 4 Click on Routing to display the routing parameter tab pages 5 Click on the Interface tab to display the routing protocol s selected for each interface 6 From the Interfaces menu choose the ANG Ethernet interface to configure External or Trusted 7 Inthe Routing Protocol Selection list double click Static Routes and click Add in the Static Route Configuration window The Static parameter tab page is displayed as shown in Figure 38 RiverMaster Administrator s Guide 65 Routing Chapter 3 Configuring an ANG 3000 7000 es TE st gaa Fite Coremeates 2j Figure 38 Static Routing Configuration 8 Inthe Gateway address fields type the IP address of a gateway on this subnet For External interfaces enter the IP address of the router that provides access
235. to configure a stand alone ANG connection to another stand alone ANG refer to Appendix B for more information 1 Open the Configuration pullout 2 Inthe list of Aurorean devices expand the tree list under gateways Bet To add a Remote Network Gateway perform the following steps click the symbol 3 Expand the tree list under Remote Servers The Tunnel Protocols window appears as shown in Figure 39 Click here to Toetie expand the mri onde nim cnm nm i i tree list Cietird TE Ath barare ra indames ram Lg Sarci Fae C Vit ii hotcaian Serine Rete Sarvics coveted Click here to Click here to z Dp Cannescked add the Remote Add Ramota Garver USOS Ardia ta Turnal Gateway or Tunnel E rim wi pullout rti Click here to nao Z Pa Phi ejti Paske Pisa Fack ega Concertnc sere select the created server or tunnel Click here to access the Secrecy acad harmia Sarem ret Network Gateway configuration Click here to display the configured properties of the selected device windows Figure 39 Remote Server Display RiverMaster Administrator s Guide Chapter 3 Adding a Remote Server Configuring an ANG 3000 7000 amp 4 Click Add Remote Server The Add Remote Server window appears as shown in Figure 40 Type the name of the Remote Server here ie Asked Feces AML Ey Click here to add the server Click either the IP Address or FQDN button a
236. tor s clock For best performance sort the messages based on logged time RiverMaster Administrator s Guide 165 Monitoring System Activity Chapter 7 Viewing Server Activity amp Statistics 4 Using the Message Type check boxes specify the types of messages you want to view Table 11 describes the six types of messages available To view Aurorean Virtual Network server activity select Problem Notification Alarm and or Alert messages To view activity for an individual Aurorean user select Activity Trace Authentication and or Accounting messages Message Type Problem Notification Table 11 Message Types Explanation Typically these messages indicate a remote client connection problem which Aurorean Client s Prescriber feature diagnosed and reported These messages are generated by the APS or ANG not Aurorean users These messages are generated when an error count threshold has been crossed and an alarm condition is imminent These messages are generated by the APS or ANG not Aurorean users Activity Trace These messages notify you when a significant error occurs with a service running on a Aurorean Virtual Network system or a general problem that is preventing the server from operating normally These messages are generated by the APS or ANG not Aurorean users These messages cover a wide range of Aurorean user activity including successful authentications VPN user name changes and Prescriber sessio
237. tree list under the name of the group you want to view A D next to the group name symbolizes Data Synchronization an S stands for Software Synchronization Green indicates synchronization is turned on red indicates it is turned off See Figure 77 for examples The current policy settings are displayed in the window pane to the right If data or software synchronization is enabled for that group the settings displayed are automatically overwritten on the Aurorean Client computer whenever members of that group tunnel into the corporate network To change these policy settings refer to the instructions in Modifying User amp Group Information on page 137 To refresh the policy display click the Refresh button located in the toolbar at the top edge of the pullout To enable client synchronization for a group at any time right click on the group name select Data or Software Synchronization and click Enable Data or Software Sync as shown in Figure 78 You can also enable the service on the Manage Users and Groups pullout as described in Creating a New Group on page 127 You can disable the service by right clicking on the group name clicking on Data or Software Synchronization and clicking Disable Data or Software Sync alternatively you can uncheck either of the synchronization boxes in the Manage Users and Group pullout Figure 78 Data and Software Synchronization Dialog Boxes RiverMaster Administrator s Guide Chapter 6 Con
238. trolling Client Synchronization Managing Users amp Groups Building Core Data Files Typically you build new sets of core data files in the following situations O Ifyou have changed the IP address for the External port on the ANG O If you encounter configuration related problems that prevent Aurorean users from connecting and receiving new policy and Prescriber updates using the normal Client Synchronization method O If you have regenerated the El Gamal private public keys required by IPSec clients to tunnel into the corporate network refer to Chapter 4 for more information on generating these keys To build new core data files perform the following steps ity 1 Open the Configuration pullout i 14 2 Click the Update tab RiverMaster Administrator s Guide 147 Controlling Client Synchronization Chapter 6 Managing Users amp Groups 3 Choose Build Patch Program from the toolbar on the top edge of the ut pullout Figure 79 shows the Configuration pullout with the Build Aurorean Client Core Data Files display selected Green D data or S software Click here to view the Build Aurorean Client Core Data F iles display indicates what type of sync is enabled Red D data or S software mean sync is disabled for this group d Click here to open the Configuration Click here to pullout view the client update options Click here to start the build ELLEELLE View status of build here Figure 79
239. ts EERISSUS Eun Un ee Re D E CLIENT ANOMALY REPORT FOR 1080 12 02 TMESENT MPGTVEE SSG HOSTHAME Trou HILDRE AW C ONTPO NIENTE chri Daa Prat eon ns HA EMI ETH 2i Bai d Anthertee Ter chris aed authentic sen Invalid usar name or parrea Tul Fral ea 1 MEI RE ETF 2 faM S Amihai Vaez chu Geled anhini aioi nvasd user name or password pnl EST Frika H Dot BME RT Li Pal 5H Beer lies Bx Dat Wed Des 01 12 10 20 EST 1955 Tiserzpaulj sein Campurerame D S WEsarcmrmIndus Hiver EIrbwcrks Release 20 Edd 53B DeomahlamemEME ETBSUComponmteBseerTuot OOTwpe Windows Pi 10 2222 SuccemfulcannectiozelHao Cannectioz Typem Tanne rF Modembase LT Win Modem mhMbodens i Latin SP O CENTERS 86359000 CabOnamalisnz3B355 155 LadfTusncliddrea 141565 Cosnertions attempted ISP 9 5359000 CONCENTRIC Tunnel 14 15 6 SRE KT3 Figure 95 Client Anomaly Report In addition to the information listed in Table 15 an anomaly event may include a session report produced by Aurorean Client Software s Prescriber feature This session report describes the remedies that Prescriber attempted to correct the problem for more information on Prescriber and this session report refer to the Aurorean Client Software User s Guide Client Report This report lists all successful tunnel sessions into the Aurorean Network Gateway and is useful for identifying each time a user connected during the selected period Sessions are sorted first by user name then ISP i
240. ttempts to detect and communicate with the Aurorean Policy Server and Aurorean Network Gateway located within the same corporate network Depending upon the amount of remote client activity occurring on the VPN RiverMaster may need up to a minute to detect and synchronize with both servers JN CAUTION AN If you want to configure a connection to a second APS after having already configured a connection to only one server you must first delete the config irx filein the C Program Files Indus River Networks RiverMaster directory on the RiverMaster PC Then when you click on the RiverMaster desktop icon the Identify your Aurorean VN Environment window will appear as described on page 5 RiverMaster Administrator s Guide 7 Installing the Application Chapter 1 Installing RiverMaster Software Using the Delivery service running on all Aurorean components RiverMaster establishes a Delivery session with each server The Aurorean Policy Server reports service status memory hard disk usage and a summary of alarms alerts and problem notification messages The Aurorean Network Gateway reports an aggregated total of bytes sent and received over all tunnels as well as memory hard disk usage Click here to close the application Configuration pullout When memory and disk usage appears RiverMaster has detected and synchronized with the Aurorean Network Gateway Manage Users amp Groups pullout Bur
241. twork Gateway Report is a bar graph as shown in Figure 93 displaying the peak number of IPSec and GRE tunnels number of remote clients generated hourly for the selected period The second and subsequent pages of the Network Gateway Report show the numerical information detailed in the preceding table and displayed in Figure 94 180 RiverMaster Administrator s Guide Chapter 8 Report Contents Generating Reports Max Tunnels GRE IPSEC ES MAX IPSEC TUNNELS 12 08 1882 BH MAX GRE TUNNELS 160 ELO UE Ia Number of Tunnels oo La preme e a em EN n mmm E 31 7 s IA Figure 933 Max Tunnels GRE IPSEC Display GRE Eua Pia keri Tria Maa Ta ul al 4 Set Mix Teal E tui Te Gens UU aun I TE ee Ted en uma T OH gaps 18 CUM a 1L RANT Lh HI 348 uN dAPFEO DEB 4 o TIT C a a it a Se ee ee ee ee OU i w pe a ee ee ee oi Gul 8 LM m 2M im maa Or ss ii a a L u i 230308 o 3 300 ELI jai HER m panj aoc purga i Pee lee a a a L L ipi PA m i ie PP ipa MR Ph f38 ER dci ith Tt rede jii i i ADP a FR EPA ia TUE TEH HH Ine Nm Ola a a i r Figure 94 Network Gateway Report RiverMaster Administrator s Guide 181 Report Contents Chapter 8 Generating Reports ox Client Anomaly Report This report lists Aurorean Client Software connection problems such as authentication failures and other failed tunnel attempts
242. uide Chapter 6 Creating a New Group Managing Users amp Groups Table8 Tunnel Policies Explanation Allow IPX When enabled Aurorean Client negotiates IPX protocol with the ANG and the user can access Novell NetWare servers on the network This policy is disabled by default Allow When enabled Aurorean Client traverses firewalls or NAT servers to Firewall successfully connect with the ANG This policy is disabled by default Traversal Firewall NAT traversal employs the HyperText Transfer Protocol Secure HTTPS to encapsulate the selected tunneling protocol IPSec or PPTP and thereby prevent a firewall or NAT server from blocking Aurorean Client s return connection to the computer where the application resides Tunnel Determines which tunneling protocol Point to Point Tunneling Protocol Protocol PPTP or Internet Protocol Security IPSec is used on all tunnels started by users in this group The default tunneling protocol is PPTP E Tunnel Boley for group Wr ipesec Ames EF F gt Tunnel Protocol z al 1 Dial Password Credi card Tumnel Policy settings define the behawior si 5 that are allowed an the Clents Figure 71 Tunnel Policies RiverMaster Administrator s Guide 133 Creating a New Group Chapter 6 Managing Users amp Groups NOTE If you allow IPX rebuild the client kit for that group after setting this por then have your users uninstall thei
243. uilding option select Update the POP Package This option is available only after you build your first kit To use an existing customized TollSaver database already stored on your RiverMaster computer from a previous build the fastest kit building option select Use local datafiles This option is available only after you build your first kit 8 To leave this window open on your desktop until the kit completes place a check next to Leaving this Dialog box up until the Client Kit is built While the kit is built progress messages appear at the bottom of this window 9 Doone of the following To use the default directories for storing and retrieving data ZIP and Aurorean application files on your computer recommended skip to Step 14 To modify the directories used to store and retrieve data ZIP and Aurorean Too files on your computer click Advanced and continue with the next vel Selecting this option will display a window similar to Figure 75 RiverMaster Administrator s Guide 141 Creating an Aurorean Client Installation Kit Chapter 6 Managing Users amp Groups 142 Dag Fla weis Dese T Prngrean Flesincka Fives H peaa d FS Docket Datos Fra nan iure Ul ofi piis liap E rgant arris Fives Hea Petite RP ite O Cie nF dum das rajar Fees H panah Figure 75 Advanced Kit Options Window 10 Inthe Data Files area specify the destination directory on your 11 computer for
244. up Policies ccccccsessssesescseesesescsnensseseseesessscensnssesesesneneseececesesssesneneneneens 146 Building Core Data Files sse nennen nenne 147 Uploading Software Synchronization Files sss 149 Setting Up Group Notices eene EE aE TREE a 152 Chapter 7 Viewing Server Activity amp Statistics Monitoring System Activity ssssssssssseseeeeeenereenenrenemeneennennennennenet 157 Current Message Activity ie iss isse seien nisse thiet is dnte is edebat de eee bene thee eng 157 Advanced Message Viewer cscccssccsssssesssesseesescecesescscensnssessseesesssescecenessssanananeneaes 164 RiverMaster Optoris ener eren rettet ette rete reta hee Ser EE asis been ha 170 Viewing Tunnel Activity gaseai aE EEEE ELE E ASE 173 Using SNMP to Gather Statistics sssssssssssssseseeeeeeeerenene nennen eene 176 vi RiverMaster Administrator s Guide Table of Contents Chapter 8 Generating Reports Report Contents 177 Server Anomaly Report eee teet eee teenaeeeeesenssssaseseeanceessiaeasenanetedionesenees 177 Network Gateway Report gena REEE E E E E EAEE ESER 179 Client Anomaly Report etre tete e ere ea tini eire kh iria kt eei iese 182 Client RepofFt ettet nte erreur i rette eii bes term ec ife dtiet 183 Accounting Report eres deett s ere pe tinea tine irn per eee ine eee teret beet seve 187 Downloading Viewing and Exporting Reports 1
245. up sir mec Save WPH Fassaad Save Corporate Paise rd Save ISP Passmonds XIX 0 Dial Password Policy settings define the behavior and Features that are alowed on the Aueqrean chends Figure 69 Password Policies 10 Click the Credit Card tab and set the group s credit card billing policies as described in Table 7 and shown in Figure 70 RiverMaster Administrator s Guide 131 Creating a New Group Chapter 6 Managing Users amp Groups Table7 Credit Card Policies Explanation Enable Credit Card When enabled Aurorean users can bill long distance or Dialing international dial up connections against a calling card This policy is enabled by default Save Credit Card PIN When enabled Aurorean users can save their credit card PIN this number is stored on the computer in an encrypted format Enabling this policy saves the remote user time and typing during tunnel setup but at the expense of possible credit card fraud if the user s computer is lost or stolen This policy is disabled by default Group Pedicy redit Gard Policy For group alr ipsec Enable Credit Card Dialing F Save Credit Card FIN E Dial Password Credit Card Tunnel Policy settings define the behavior and features that sre alowed on the durcmsn chez Figure 70 Credit Card Policies 11 Click the Tunnel tab and set the group s tunnel policies as described in Table 8 and shown in Figure 71 132 RiverMaster Administrator s G
246. way destinations select ISPs from the TollSaver database configure POP packages and add corporate dial up phone numbers O Chapter 6 Managing Users amp Groups addresses how to create a user database on a Aurorean Policy Server assign policies that govern user access to the network and prepare a customized Aurorean Client Software installation kit O Chapter 7 Viewing Server Activity amp Statistics shows you how to examine and interpret message traffic between Aurorean Virtual Network devices and monitor the performance of active tunnel connections Standard SNMP MIB II and two private MIBs are now available to monitor your Aurorean systems O Chapter 8 Generating Reports describes how to download and view customized reports that reveal Aurorean Virtual Network server performance and remote user activity O Appendix A Glossary contains definitions for terms used throughout this guide O Appendix B Configuring the ANG with a Floppy Disk describes a procedure similar to the steps you would take to configure the ANG by using the RiverMaster application But this method allows an administrator to centrally set up one or more gateways and distribute that information on floppy disks to remote sites O Appendix C License Agreement amp Support describes the agreement that governs the use and distribution of RiverMaster software and provides information for contacting Enterasys Networks for technical support X RiverMaster Ad
247. work the APS coordinates remote user authentication Using an internal software service known as Authentication and a series of plug ins the APS can authenticate remote users in three ways 9 o Using the Enterasys Authentication plug in remote users are authenticated against a database residing on the APS s hard drive Using the RADIUS plug in the APS acts as a RADIUS client forwarding authentication requests from Aurorean users to a RADIUS server Using the RSA Security SecurID plug in the APS acts as a native ACE Client forwarding authentication requests from Aurorean users directly to an ACE Server This plug in supports the fail over function of automatically connecting to a slave ACE Server if the master fails RADIUS Authentication Servers Aurorean Virtual Network systems support a wide range of RADIUS servers including o o o 76 Microsoft RADIUS Funk Software s Steel Belted RADIUS RSA Security ACE Server that supports RADIUS extensions This allows remote users to not only authenticate against a centralized authentication database but also to take advantage of the strong security offered by SecurID passcodes Novell s BorderManager Authentication Services BMAS running on a RADIUS server BMAS is an interface that links dial in users to the network through Novell Directory Services NDS Support for BorderManager is seamless and it requires no configuration on the APS Refer to BorderManager
248. work Gateway O ANG 1000 User s Guide details how to install and configure the small office home office Network Gateway Portable Document File PDF versions of these manuals are available on the Aurorean System Software CD ROM Using Adobe Acrobat Reader 3 0 or RiverMaster Administrator s Guide xi About This Guide later you can view these manuals on line or print additional copies Acrobat Reader can be downloaded from the Adobe web site www adobe com xii RiverMaster Administrator s Guide 1 Installing RiverMaster Software This chapter provides the system requirements and step by step instructions for installing RiverMaster software on your computer If you have not already done so Enterasys Networks recommends that you mount and connect your Aurorean Policy Server and Aurorean Network Gateway before performing these steps Refer to the Aurorean Installation amp Service Guide supplied with each server for detailed installation instructions System Requirements To run the RiverMaster application your computer must meet the following requirements Hardware Requirements RiverMaster runs on a desktop or laptop computer equipped with o uud au A 233 MHz processor or faster 64 MB RAM minimum 128 MB recommended 80 MB free space on the computer s hard drive CD ROM drive Ethernet network interface NOTE To best view the RiverMaster user interface set your monitor to display 655
249. y at least the primary DNS server s address 16 In the Primary WINS and Secondary WINS fields enter the IP addresses of WINS servers on your network ISPs do not typically use WINS for name resolution If you employ WINS on your network enter at least one WINS server address in the Primary WINS field 17 In the Default Gateway field enter the IP address of the gateway used to forward packets to other subnets or networks RiverMaster Administrator s Guide Chapter 5 Adding Corporate ISPs Controlling Remote User Dialing amp Access 18 19 In the Cost Index field enter a number between 0 and 999 to indicate the relative cost of using this ISP This number is factored into the Weight value that appears on the Aurorean Client interface and affects how POP phone numbers are ordered for dialing High cost ISPs and their associated POPs appear at the bottom of the list and therefore are dialed last In the Performance Index field enter a number between 0 and 999 to indicate the performance cost of this ISP This number is factored into the Weight value that appears on the Aurorean Client interface A high performance index increases the weight associated with the ISP moving the ISP down the list 20 Select the Access Method as follows Ifyou are creating a corporate ISP for direct dial up equipment on your network select Direct Aurorean users will directly dial into this equipment using the protocol selected from the Fr
Download Pdf Manuals
Related Search