OmniAccess 3500 Nonstop Laptop Guardian Release 1.2 Administration Guide Document Version: 25.02 Part Number: 060228-10 Rev B Published: 12.11.
Alcatel-Lucent Proprietary Copyright © 2007 Alcatel-Lucent. All rights reserved. This document may not be reproduced in whole or in part without the express written permission of Alcatel-Lucent. Alcatel-Lucent ® and the Alcatel-Lucent logo are registered trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners.
Table of Contents
About This Document 1
The OmniAccess 3500 NLG Library 1
Contacting Technical Support 2
Chapter 1. OmniAccess 3500 NLG Platform Components 3
OmniAccess 3500 NLG Gateway
Viewing the Laptop Location 55
Laptop Remote Lock 57
Laptop Remote Unlock 57
One-Time Password Generation 58
Encrypted Volume Management
About This Document The OmniAccess 3500 Nonstop Laptop Guardian (NLG) administrator finds in this document general information about the OmniAccess 3500 NLG Release 1.2 (R1.2) product and detailed information on the use of the management system Graphical User Interface (GUI) and on the maintenance of the OmniAccess 3500 NLG gateway.
OmniAccess 3500 Nonstop Laptop Guardian Administration Guide applications (PatchLink Update is a Lumension Security product; SMS is a Microsoft product). • The OmniAccess 3500 Nonstop Laptop Guardian Release 1.2 Card Quick Start Guide (available at: http://www1.alcatellucent.com/enterprise/en/resource_library/user_manuals.html) provides the end user with an overview of the OmniAccess 3500 NLG card and with the necessary information for its installation.
Chapter 1. Platform Components Chapter 1. OmniAccess 3500 NLG Platform Components The OmniAccess 3500 NLG platform is built on the following three logical components: • OmniAccess 3500 NLG gateway — An enhanced remote access server that deploys at the edge of the enterprise network. • OmniAccess 3500 NLG card — An intelligent EV-DOrA data card that plugs into the end-user laptop and includes a processor, non-volatile memory, and independent power.
• A hardware acceleration module for IPsec encryption/decryption, key management, and compression. • A hard disk for storage of local information and application caching. • A secure management interface for driving all OmniAccess 3500 NLG operation, administration, management, and provisioning (OAM&P) procedures.
of OmniAccess 3500 NLG cards. The gateway’s physical location can be either intra-premises or extra-premises (e.g., in a data center). For detailed information on installing the OmniAccess 3500 NLG gateway, see the OmniAccess 3500 Nonstop Laptop Guardian Release 1.2 Gateway Installation Guide.
Chapter 2. OmniAccess 3500 NLG Initialization Tasks The management system performs all OAM&P functions for the OmniAccess 3500 NLG platform. The management system GUI is the single entry point to those functions for the IT administrator. This chapter explains how to: • Launch the management system GUI, log into an administrator account, browse through the GUI sections, and log out of the administrator account.
Chapter 2. Initialization Tasks Launching the Management System GUI To launch the management system GUI, you must open a web browser and connect to the HTTPS URL of the target GUI instance. The procedure is the same irrespective of whether you are working from a remote terminal or at the console of the OmniAccess 3500 NLG gateway that hosts the management system. Logging into the Management System GUI 1. After you launch the GUI, the login window appears (Figure 3). Figure 3 - Login window 2.
5. Click Accept to log into the GUI. Note: To customize your banner page, contact the OmniAccess 3500 NLG customer support. 6. Next, the Home window appears (Figure 5). This window displays system settings information. You can click Home at any time during your GUI session to return to the Home page.
Common Operations Most objects allow the following operations: • New — Click this button to create a new instance of the object. • Open — Click this button to view information about an object instance. Fields on the Open windows are read-only. • Edit — Click this button to modify settings for an object instance. • Delete — Click this button to remove an object instance from the system. A message will appear asking you to confirm the deletion.
Technical Support Information Click the Support button at the top right of any window to see technical support contact information in the Gateway Support Information window (Figure 6). Figure 6 - Gateway Support Information Support information can be added or edited using the following procedure: 1. Click Gateway on the main menu. 2. Click Edit Support Information. The Edit Gateway Support Information window appears (Figure 7). 3.
Figure 7 - Edit Gateway Support Information Logging Out of the Management System GUI 1. To log out of the management system GUI, click the Logout link near the top of the window (see Figure 8 for the location of the Logout link). 2. Alternatively, you can exit the application by closing the web browser window.
Figure 9 - Gateway Settings 2. The Gateway Configuration (Add) window appears (Figure 10).
3. Type the appropriate information into the fields that do not contain default values (see the Gateway portion of the Devices section in Chapter 5, OmniAccess 3500 NLG Administrative Information Base, for a detailed description of each field). 4. Click Save when you are finished entering information. 5. A window appears stating that the operation has been successful. 6. The gateway will reboot and resume operation with the last saved configuration.
3. o Password: The password of the new administrator. The value assigned to this field is relevant only if the selected authentication method is . If the selected authentication method is , the password needed by the administrator for authentication is set separately through the RADIUS infrastructure.
1. Local — The management system authenticates the administrator with locally configured login ID and password (default method). 2. RADIUS — A RADIUS server installed in the network authenticates the administrator with a login ID that is configured with the administrator account and a password that is remotely assigned according to the applicable RADIUS-supported authentication method.
Figure 12 - Radius Configurations (Add) Remote Access Provisioning The infrastructural components needed to establish the remote access connections to the gateway, including the OmniAccess 3500 NLG licenses, are provisioned through the following sections of the management system GUI: 1.
ADDRESS POOL Address pools are sets of IP addresses from which the gateway draws the pair of VPN addresses that it assigns to the OmniAccess 3500 NLG card and associated laptop upon establishment of the IPsec tunnel. The addresses for the card and for the laptop are drawn from different, disjoint sets. Multiple sets can be assigned to the cards (Card sets) and to the laptops (Laptop sets). To add an address pool: 1.
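The disjointness requirement stated above is easy to violate when several Card sets and Laptop sets are configured over time. The following helper, an added example that is not part of the OmniAccess 3500 NLG product, checks that no Card set overlaps any Laptop set before the pools are saved and then draws one card/laptop address pair, skipping addresses already handed out. The CIDR ranges are constructed sample values; the product's actual pool syntax is not shown on this page.

```python
"""Check and allocate from card and laptop VPN address pools (hypothetical helper)."""
import ipaddress


def parse_pools(ranges):
    """Turn CIDR strings (constructed sample values) into ip_network objects."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def overlapping_pools(card_sets, laptop_sets):
    """Return every (Card set, Laptop set) pair that shares at least one address."""
    return [(str(c), str(l))
            for c in parse_pools(card_sets)
            for l in parse_pools(laptop_sets)
            if c.overlaps(l)]


def allocate_pair(card_sets, laptop_sets, in_use):
    """Draw the first free card address and the first free laptop address.

    `in_use` is the set of addresses already assigned; it is updated in place
    so repeated calls never hand out the same address twice.
    """
    if overlapping_pools(card_sets, laptop_sets):
        raise ValueError("card and laptop address pools must be disjoint")

    def first_free(sets):
        for net in parse_pools(sets):
            for host in net.hosts():
                if str(host) not in in_use:
                    return str(host)
        raise RuntimeError("address pool exhausted")

    card = first_free(card_sets)
    laptop = first_free(laptop_sets)
    in_use.update({card, laptop})
    return card, laptop


if __name__ == "__main__":
    # Overlap that would silently hand the same address to a card and a laptop.
    print(overlapping_pools(["10.200.0.0/24"], ["10.200.0.128/25"]))
    assigned = set()
    print(allocate_pair(["10.200.1.0/30"], ["10.200.2.0/30"], assigned))
    print(allocate_pair(["10.200.1.0/30"], ["10.200.2.0/30"], assigned))
```

The overlap check is the part worth keeping: an overlapping configuration does not fail loudly on its own, and a card and a laptop sharing a VPN address would break the per-device tunnel accounting that the rest of this chapter relies on.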
SERVER TABLE The Server Table allows the configuration of the DNS, WINS, and default-gateway addresses that the gateway passes to the card and laptop together with the VPN addresses. Only one address can be set for each type of server. To add a server table entry: 1. Click Gateway on the main menu and then click Configure Advanced Settings. 2. On the Configure menu, click Server Table. 3. Click New.
The embedded firewall can be used to restrict the network traffic that the gateway exchanges over its interfaces, assuming the function of an enterprise firewall in a network where an enterprise firewall may not be already deployed. The firewall rules may or may not be associated with existing IPsec tunnels. The embedded IPsec endpoint handles the requests to open IKEv2 and IPsec security associations that the OmniAccess 3500 NLG cards originate from their current locations.
existing IPsec tunnel is not found for a matching packet, it is created before the packet is delivered), (packets matching the rule are received from an IPsec tunnel whose profile is identified by the value; if a remote request to open an IPsec tunnel is received on a packet whose header matches the rule, the OmniAccess 3500 NLG gateway uses the tunnel profile specified in the value to conduct the subsequ
3. 4. Click New. A Connection Manager Tunnel Table (Add) window appears (Figure 16), displaying the following fields: o Name: Name of the tunnel profile. o Identity Type: Type of identifier used to designate the local tunnel endpoint (residing on the OmniAccess 3500 NLG gateway) in the security association negotiations. Options (choose one): (email address, as in ), (Fully Qualified Domain Name, as in
Figure 16 - Connection Manager Tunnel Table (Add) To view/delete information for an address pool, a server table entry, a filter rule, or a tunnel table entry: 1. Click Gateway on the main menu and then click Configure Advanced Settings. 2. On the Configure menu, click Address Pool, Server Table, Rule, or Tunnel Table, depending on the type of information you want to view. 3. A Gateway Configure window opens, displaying your selection. 4.
• CA Certificate Revocation List: List of certificates issued by the Certificate Authority that have been revoked before their natural expiration. • Gateway Certificate: Certificate (public key) of the gateway, used by peer network nodes for encryption of the messages that they send to the gateway. • Gateway Private Key: Secret key used by the gateway to decrypt the messages that it receives from peer network nodes (including the OmniAccess 3500 NLG cards).
management system at any time. If necessary, a license can be issued for a single end user. The customer enterprise specifies all license parameters upon ordering the license file.
Figure 18 - Card License Upload To view detailed information for all your licenses: 1. On the main menu, click Card Licenses. The Card Licenses window appears (Figure 19), displaying the following fields for each entry: o Name: Unique name that identifies the license. o Service Provider: Service provider for which this license is valid. o Max. Licenses: Maximum number of users served by this license that can be provisioned in the management system at any given time.
Figure 19 - Card Licenses The same information can be displayed for a single license by clicking the checkbox next to the license name and then clicking Open (Figure 20).
To renew a license: 1. On the Card Licenses window, click Renew. 2. The Card License Upload window appears. 3. Follow the same procedure described above for adding a new license in order to replace the old license file with a new one. End User Provisioning This section explains how to provision OmniAccess 3500 NLG cards and associated laptops and users.
3. o Connectivity Timeout (sec): Total laptop power-on time during which the laptop is allowed to work without a VPN tunnel to the OmniAccess 3500 NLG gateway. The corresponding timer is reset every time the IPsec tunnel to the gateway is established while the laptop is powered on. A warning pops up on the laptop’s screen five minutes before expiration of the connectivity timeout.
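To see what a given Connectivity Timeout value means in practice, the following simulation, an added example and not code from the OmniAccess 3500 NLG product, models the documented behaviour: the timer counts only power-on time, is reset whenever the tunnel is established, and raises a warning five minutes before expiry. What the platform does at expiry is not stated on this page, so the model only reports the state "expired"; the tick granularity and the state names are assumptions made for the example.

```python
"""Simulation of the per-user Connectivity Timeout (hypothetical model, not product code)."""

WARNING_LEAD_SEC = 5 * 60  # the warning pops up five minutes before expiry


class ConnectivityTimer:
    def __init__(self, timeout_sec):
        self.timeout_sec = timeout_sec  # Connectivity Timeout (sec) from the user profile
        self.elapsed_sec = 0            # power-on time accumulated without a tunnel

    def remaining(self):
        return max(self.timeout_sec - self.elapsed_sec, 0)

    def tick(self, seconds, tunnel_up, powered_on=True):
        """Advance the clock by `seconds` and return the resulting state.

        States (assumed names): "off" while the laptop is powered off (no time
        counts), "connected" when the tunnel is up (timer reset), "counting",
        "warning" inside the last five minutes, and "expired" once the budget
        is used up.
        """
        if not powered_on:
            return "off"
        if tunnel_up:
            self.elapsed_sec = 0        # tunnel established: timer is reset
            return "connected"
        self.elapsed_sec += seconds
        remaining = self.remaining()
        if remaining <= 0:
            return "expired"
        if remaining <= WARNING_LEAD_SEC:
            return "warning"
        return "counting"


def simulate(timeout_sec, schedule):
    """Run a schedule of (seconds, tunnel_up, powered_on) steps; return the states."""
    timer = ConnectivityTimer(timeout_sec)
    return [timer.tick(sec, up, on) for sec, up, on in schedule]


if __name__ == "__main__":
    # A one-hour budget: 50 minutes offline, then 5 more, then the tunnel comes up.
    print(simulate(3600, [(3000, False, True), (300, False, True), (60, True, True)]))
```

A useful reading of the model: the timeout is a budget of disconnected working time, not a wall-clock deadline, so a laptop that is switched off over a weekend has not consumed any of it.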
Figure 21 - User Information (Add) Once you have added users, you can add them to user groups. You can have as many user groups as you like. A given user can belong to only one user group. To manually add a user group: 1. First you must add users to the system. Follow the instructions above to add a user. 2. Next, add the users to a user group. From the User Groups Information menu, click New.
Figure 22 - User Group Information (Add) You can modify the list of users for a group by editing user groups. The same fields whose initialization is described above can be modified for an existing user group. You can also import user and user group information automatically from your Active Directory Server (ADS), which is particularly useful when the number of OmniAccess 3500 NLG users to add or re-configure is large.
Figure 23 - Active Directory Import User Information 2. 3. Enter the necessary information for the following fields: o Server IP: IP address of the ADS to be used as the source of the user record. o Password: Password needed for access to the ADS. o Authentication: Type of authentication required for access by the ADS. The option is typical for Active Directory. o Search Base CN: Common name; for example, Administrator, Users. o DC: Domain name (e.g.
2. The management system connects to the ADS, retrieving data for the target user group. 3. Click OK on the Active Directory User Import window. If an automatic import profile includes users that are already present in the management system database, the execution of the automatic import transaction based on that profile does not modify the records of those users.
Figure 24 - Card (Add) To view information for all cards: o After you click Cards on the left-hand side of the main menu, the Card Information window appears (Figure 25). This window shows a list of cards in the OmniAccess 3500 NLG system.
Figure 25 - Card Information To view the status of an OmniAccess 3500 NLG card: 1. From the Card Information menu, click the checkbox next to a card to select it. 2. Click Status. The Card Status window appears (Figure 26), displaying the following fields: 3. o Card ID: The ESN (Electronic Serial Number) of the card. ESN is a unique identification number for the card provided by the manufacturer.
Figure 26 - Card (Status) Laptops This section of the management system GUI allows you to view information for and configure laptops. Click Laptops on the main menu to access this function. You can perform the following administrative functions for laptops: • Add a laptop. • Edit laptop information. • Delete a laptop. To add a laptop: 1. 2. On the Active Laptop Information menu, click New.
Figure 27 - Laptop (Add) Application Provisioning To support certain IT applications at runtime, you must first provision the infrastructure that supports them. This section describes the provisioning tasks that prepare the OmniAccess 3500 NLG platform for support of the following IT applications: • Device management applications, such as asset inventory maintenance and patch management.
ASSISTED FILE TRANSFER The Assisted File Transfer facility allows you to synchronize the contents of laptop and enterprise folders via the OmniAccess 3500 NLG card, staging information in the card when either the laptop or the OmniAccess 3500 NLG gateway is not reachable. This feature is configured per application; that is, you specify for each application the enterprise folder and the laptop folder that need to be kept in sync.
Figure 28 - Application Table Information To add an entry to the application table for the AFT facility: 1. Click Gateway on the main menu and then click Configure Advanced Settings. 2. On the Configure menu, under Assisted File Transfer, click Application Table.
o 3. User Groups: Sets of users that participate in the Assisted File Transfer transactions for the application being configured. Click Save.
3. o Name: Type a name for the service you want to add. o Port: The port number of the service. Click Save. Figure 29 - Service Information (Add) Next, create a service group, which is simply a group of previously defined services. 4. Click Service Groups on the main menu. 5. On the Service Group Information menu, click New. The Service Group Information (Add) window appears (Figure 30), displaying the following fields: 6.
Figure 30 - Service Group Information (Add) Now create a host object. The host object designates a set of IP addresses that will later be included in a host group and thereby in a packet filter rule. 7. Click Hosts on the main menu. 8. On the Host menu, click New. The Host (Add) window appears (Figure 31), displaying the following fields: 9. o Host Name: A name that uniquely identifies the host. o Description: Type in any descriptive text about the new host.
Figure 31 - Host (Add) Now create a host group. A host group contains a list of IP address ranges that are currently configured for inclusion in packet filtering rules for personal firewall policies. 10. Click Host Groups on the main menu. 11. On the Host Groups menu, click New. The Host Group (Add) window appears (Figure 32), displaying the following fields: o Host Group Name: A number that uniquely identifies the host group.
Figure 32 - Host Group (Add) Next, create the packet filter rules. The default packet filter rule is the “drop” rule: if a packet does not match any of the packet rules specified in the personal firewall policy, the packet is dropped. The packet filter rules that are explicitly created define exceptions to the default behavior. 13. Click Personal Firewall on the main menu. 14. On the Policies – Personal Firewall menu, click Packet Filter Rules.
16. Click Save. Figure 33 - Packet Filter Rules (Add) Next, create the list of applications for inclusion in application groups and application filter rules. 17. Click Personal Firewall, then Applications. The Applications window appears. 18. Click New. The Applications window appears (Figure 34), displaying the following fields: o Application Name: Name of the application.
Figure 34 - Applications Next, create the list of application groups for inclusion in the application filter rules. 20. Click Personal Firewall, then Application Group. The Applications Group Information window appears. 21. Click New. The Application Group window appears (Figure 35), displaying the following fields: o Group Name: Name of the application group. o Applications: Drop-down menu with the list of applications that can be added to the application group.
Figure 35 - Application Group Now create the personal firewall policy. 23. Click Personal Firewall, then Firewall Policy. The Firewall Policy Definitions window appears. 24. Click New. The Firewall Policy Settings (Add) window appears.
25. On the General tab (Figure 36), enter information for the following fields: o Policy Name: A unique alphanumeric identifier for the personal firewall policy. o User Control: Whether the user will have control to allow or deny network connections requested by applications. Possible values are and .
Figure 36 - Firewall Policy Settings General tab 27. On the Rules tab (Figure 37), enter information for the following fields: o Rule name: A unique alphanumeric identifier for the packet filter rule to be included in the personal firewall policy. o Precedence: A priority level for designation of the order in which the packet filter rule will be executed (i.e., compared with the packet header) with respect to other rules.
Figure 37 - Firewall Policy Settings Rules tab 29. On the Applications tab (Figure 38), enter information for the following fields: o Applications: List of applications in the application filter table that contribute to the definition of the personal firewall policy.
Figure 38 - Firewall Policy Settings Applications tab 31. On the Application Groups tab (Figure 39), enter information for the following fields: o Application Groups: List of application groups in the application filter table that contribute to the definition of the personal firewall policy.
Figure 39 - Firewall Policy Settings Application Groups tab Now apply the firewall policy to a user group. 33. Click User Groups. The User Group Information window appears. 34. Click the checkbox next to a User Group to select it. 35. Click Edit. The User Group Information window appears (Figure 40). Select the Firewall Policy that you want to apply from the Policy drop-down list. 36. Click Save.
Figure 40 - User Group Information (Edit)
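The procedure above builds a personal firewall policy out of layered objects: hosts (IP address ranges) collected into host groups, services (port numbers) collected into service groups, and packet filter rules with a precedence that reference those groups, on top of a default "drop" rule. The evaluator below is an added example, not the OmniAccess 3500 NLG product's own code, that models that structure so an administrator can check what a policy will do to a given packet before applying it to a user group. Assumptions made for the example: a lower precedence value is evaluated first, each rule matches on destination host group, service group and protocol, and all hosts, services and rules are constructed sample data.

```python
"""Evaluate a personal firewall policy built from hosts, host groups, services,
service groups and precedence-ordered packet filter rules (hypothetical model)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    proto: str          # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    name: str           # Rule name
    precedence: int     # lower value is evaluated first (assumption)
    host_group: str
    service_group: str
    proto: str
    action: str         # "allow" or "drop"


# Host objects: name -> IP address ranges (constructed sample data)
HOSTS = {
    "intranet-web": [ipaddress.ip_network("10.1.2.0/24")],
    "mail-server":  [ipaddress.ip_network("10.1.3.10/32")],
    "any":          [ipaddress.ip_network("0.0.0.0/0")],
}
# Host groups: name -> list of host object names
HOST_GROUPS = {
    "enterprise-servers": ["intranet-web", "mail-server"],
    "everything": ["any"],
}
# Services: name -> port; service groups: name -> list of service names
SERVICES = {"http": 80, "https": 443, "smtp": 25, "imaps": 993, "ssh": 22}
SERVICE_GROUPS = {
    "web": ["http", "https"],
    "mail": ["smtp", "imaps"],
    "admin": ["ssh"],
}

# A personal firewall policy: explicit exceptions to the default drop rule.
POLICY = [
    Rule("allow-web",  10, "enterprise-servers", "web",   "tcp", "allow"),
    Rule("allow-mail", 20, "enterprise-servers", "mail",  "tcp", "allow"),
    Rule("block-ssh",   5, "everything",         "admin", "tcp", "drop"),
]


def host_group_matches(group, ip):
    """True if `ip` falls in any address range of any host in the host group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for host in HOST_GROUPS[group] for net in HOSTS[host])


def service_group_matches(group, port):
    """True if `port` is the port of any service in the service group."""
    return any(SERVICES[s] == port for s in SERVICE_GROUPS[group])


def evaluate(policy, pkt):
    """Return (action, rule name) of the first matching rule in precedence order,
    or ("drop", "default") when no explicit rule matches."""
    for rule in sorted(policy, key=lambda r: r.precedence):
        if (rule.proto == pkt.proto
                and host_group_matches(rule.host_group, pkt.dst_ip)
                and service_group_matches(rule.service_group, pkt.dst_port)):
            return rule.action, rule.name
    return "drop", "default"


if __name__ == "__main__":
    for pkt in (Packet("10.1.2.7", 443, "tcp"), Packet("10.1.2.7", 22, "tcp"),
                Packet("192.0.2.5", 443, "tcp")):
        print(pkt, "->", evaluate(POLICY, pkt))
```

Two things the evaluator makes visible that the GUI does not: a rule with a lower precedence value wins even when it was created later, and a packet on a protocol no rule mentions falls through to the default drop, which is the behaviour to expect when a host group or service group is saved with a missing entry.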
Chapter 3. Runtime Administration Functions Chapter 3. OmniAccess 3500 NLG Runtime Administration Functions This chapter describes tasks that are performed during runtime, after deployment of the OmniAccess 3500 NLG cards. Runtime tasks include the following: • Viewing laptop asset information — Display asset information for a user’s laptop. • Viewing laptop location — Display location information for a user’s laptop. • Remotely locking a laptop — Remotely lock a user’s laptop for security reasons.
Figure 41 - User Configurations 3. To view laptop asset information, select one of the options under the Asset Management menu, as follows: • Programs: Applications installed in the user’s laptop. • Services: Services installed in the user’s laptop. • Processes: Processes running on the user’s laptop. • Partitions: Partition table entries. • System Information: System-related information, such as Manufacturer, Model, CPU version, etc.
5. Click the checkbox next to a user to select it and then click Status. 6. On the Status Information of User window, click User Status. The User Status Information window appears (Figure 42). 7. Click OK. Figure 42 - User Status Information Viewing the Laptop Location You can view the current location of the laptop or the location where the user most recently logged into the laptop. To view a laptop’s location: 1. Click Users on the main menu. 2.
Figure 43 - Proprietary Information window 5. A map similar to the one shown in Figure 44 appears. If the laptop’s location cannot be retrieved, a corresponding message will appear.
Laptop Remote Lock The IT administrator can remotely lock the laptop when the end user realizes that the laptop cannot be physically protected from external intrusions (for example, if the laptop was inadvertently left unguarded in a public location). To remotely lock a laptop: 1. Click Users on the main menu. 2. Click the checkbox next to a user to select it, then click Configure. 3.
4. Click Yes to unlock the laptop. 5. A message appears stating that the laptop has been unlocked. One-Time Password Generation The OmniAccess 3500 NLG can lock the laptop under several circumstances, both manually (remote lock command issued by the IT administrator) and automatically (upon detection of certain events like tamper attempts, etc.).
Figure 46 - Tamper Proofing Settings - Get One Time Password 4. Click Get PW. A window appears displaying a new one-time password. The end user must type this password (including any hyphen it may include) into the Password field on the window on the laptop to unlock the laptop. (They must uncheck the Hide Password box if they want the password to display on the window as they are typing it.)
To configure common volume encryption parameters within a user group: 1. Click User Groups on the main menu. 2. Click the checkbox next to a user group to select it and then click Configure. 3. On the User Group Configurations window, click Group Volume Settings. 4.
Note: If you delete your selection for the values of the user group parameters for TrueCrypt, the default values are automatically restored for those parameters. Figure 47 - TrueCrypt User Group Settings To create an encrypted volume: 1. Click Users on the main menu. 2. Click the checkbox next to a user to select it and then click Configure. 3. On the User Configurations window, click Volume Settings under the TrueCrypt Volume Encryption menu. 4.
creation of the encrypted volume to proceed the next time the laptop connects to the gateway after the volume settings are saved. 5. Click Save to save the configuration settings and enable the creation of the encrypted volume. Figure 48 - TrueCrypt Settings To relinquish administrative control over an existing encrypted volume: 1. Click Users on the main menu. 2. Click the checkbox next to a user to select it and then click Configure. 3.
To display the properties of a volume that was previously released by the administrator: 1. Click Users on the main menu. 2. Click the checkbox next to a user to select it and then click Configure. 3. On the User Configurations window, click Deleted Volume Properties under the TrueCrypt Volume Encryption menu. 4.
5. On the User Configurations window, click Change Volume Password under the TrueCrypt Volume Encryption menu. 6. Click Yes to issue the password change command and return to the User Configurations window. 7. Click Volume Status and verify the Password Change Status reported on the TrueCrypt Status Information window. Then click OK. 8.
5. o Volume Size: Hard disk space allocated to the encrypted volume (in MB). o Volume Status: Status of the encrypted volume (whether or not created and mounted). o Password Change Status: Status of execution of a command previously issued to change or delete the secret password. o Password Change Time: Time of completion of the Password Change/Delete command. o Active Password: Last password successfully stored in the OmniAccess 3500 NLG card.
To view status information: 1. Click Gateway on the main menu, then click Configure Advanced Settings. 2. On the Configure menu, under Connection Manager – Show Information, click SA-IKE, SA-IPsec, Flows, or Global Information, depending on the type of information you wish to view. 3. A window containing information about the OmniAccess 3500 NLG gateway you have selected appears (Figure 50 shows the Global Information window as an example).
o Event ID: The type of the logged event. o Module Name: The name of the module by which the log is filtered. o Severity: The alarm severity. o Message: Any additional information about the event. Figure 51 - Server Log Viewer Log History The Log History function provides access to an extended set of archived event logs. 1. On the Fault Manager menu, click Log History.
Figure 52 – Server Log History Syslog All log messages are sent to the management system and displayed on the GUI. The syslog function allows you to have logs also forwarded to a particular server. 1. On the Fault Manager menu, click Syslog. 2. The Syslog Server Settings window appears (Figure 53), displaying the following fields: o Primary Server: The first Server to which you want to forward logs.
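The Server Log Viewer fields above (Event ID, Module Name, Severity, Message) are what a syslog consumer will receive once forwarding is configured. The following forwarder is an added example, not the OmniAccess 3500 NLG product's own code: it formats events carrying those four fields as RFC 5424 syslog messages and delivers each one to the first reachable server, trying the primary first and then a secondary. Assumptions made for the example: the mapping of the GUI severity names onto syslog severity codes in SEVERITY_CODES, the local0 facility, the placeholder host name, and the two constructed sample events; transport is TCP so that an unreachable server is detected as an error.

```python
"""Forward Server Log Viewer events to a primary/secondary syslog server (hypothetical)."""
import socket
from datetime import datetime, timezone

FACILITY_LOCAL0 = 16
# Assumed mapping of the GUI's severity names onto RFC 5424 severity codes.
SEVERITY_CODES = {"critical": 2, "major": 3, "minor": 4, "warning": 4, "info": 6}

# Constructed sample events in the Server Log Viewer's field layout.
SAMPLE_EVENTS = [
    {"event_id": "CARD_TAMPER", "module": "ConnMgr", "severity": "major",
     "message": "Card tamper attempt detected"},
    {"event_id": "TUNNEL_UP", "module": "ConnMgr", "severity": "info",
     "message": "IPsec tunnel established"},
]


def format_syslog(event, hostname="nlg-gateway", ts=None):
    """Build an RFC 5424 line: <PRI>1 TIMESTAMP HOST APP-NAME PROCID MSGID - MSG.

    Module Name becomes APP-NAME and Event ID becomes MSGID; `hostname` is a
    placeholder. A fixed `ts` string may be supplied for reproducible output.
    """
    pri = FACILITY_LOCAL0 * 8 + SEVERITY_CODES[event["severity"].lower()]
    if ts is None:
        ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    msg = " ".join(event["message"].splitlines())   # one event per message
    return f"<{pri}>1 {ts} {hostname} {event['module']} - {event['event_id']} - {msg}"


def tcp_sender(timeout=2.0):
    """Real transport: one TCP connection per message; raises OSError when unreachable."""
    def send(server, line):
        with socket.create_connection(server, timeout=timeout) as conn:
            conn.sendall((line + "\n").encode("utf-8"))
    return send


def make_recording_sender(unreachable):
    """Test double for `send`: records deliveries, raises OSError for `unreachable`."""
    log = []

    def send(server, line):
        if server in unreachable:
            raise OSError("connection refused")
        log.append((server, line))
    return send, log


def forward(events, servers, send):
    """Deliver each event to the first reachable server in `servers` (primary first).

    Returns a per-server delivery count; raises RuntimeError if no server accepted
    a message, so silent loss of security events is never the default outcome.
    """
    delivered = {s: 0 for s in servers}
    for ev in events:
        line = format_syslog(ev)
        for server in servers:
            try:
                send(server, line)
                delivered[server] += 1
                break
            except OSError:
                continue
        else:
            raise RuntimeError("no syslog server reachable")
    return delivered


if __name__ == "__main__":
    primary, secondary = ("10.1.1.20", 514), ("10.1.1.21", 514)   # placeholders
    send, log = make_recording_sender({primary})
    print(forward(SAMPLE_EVENTS, [primary, secondary], send))
```

The failover loop is the point of the example: with a primary and a secondary server configured, the management system's copy of the log remains the authoritative record, but an administrator should still alert on the case where every forward attempt fails, since that is exactly when an off-box copy is most needed.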
Chapter 4. OmniAccess 3500 NLG Infrastructure Maintenance This chapter describes the procedures that are needed for maintenance of the infrastructural components of the OmniAccess 3500 NLG platform after they are installed.
Chapter 4. Infrastructure Maintenance example of Figure 54, <10.1.1.9> is the IP address of the private interface (LAN) of the gateway. Figure 54 - Connection Manager Rules (Add) 3. Set the parameters for the automatic backup procedure through the Configuration Services section of the management system GUI. To set the configuration parameters for the automatic backup procedure: 1. Click Configuration Services on the main menu. 2.
Figure 55 – Configuration Manager 3. The File Server – Public Key window appears (Figure 56). The text box on this window contains the Public Key for the Backup File Server. The text is read-only and is populated by the “SSH Public Key” generated internally when the gateway is configured for the first time.
Figure 56 - File Server Public Key 4. Copy the contents of the text box into the “/.ssh/authorized_keys” file on the backup server where the backup files are to be stored. 5. Click Configuration Services on the main menu. 6. On the Configuration Manager menu, click Configuration Server Profile.
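Step 4 above is a manual paste into the backup server's authorized_keys file, which is easy to get wrong in ways that either break the backup (wrong file permissions, a key split over two lines) or weaken it (the same key appended repeatedly, a stray blob accepted as a key). The helper below is an added example, not part of the OmniAccess 3500 NLG product: it installs the gateway's public key on the backup server with the directory and file modes OpenSSH expects, appends the key only if it is not already present, and rejects anything that is not a single public-key line. The key material in SAMPLE_PUBKEY is a constructed placeholder, not a real key, and run_demo() exercises the helper in a throwaway directory.

```python
"""Install the gateway's backup SSH public key into authorized_keys (hypothetical helper)."""
import os
import stat
import tempfile
from pathlib import Path

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Placeholder key line constructed for this example; it is not a real public key.
SAMPLE_PUBKEY = ("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC_EXAMPLE_KEY_MATERIAL_ONLY "
                 "nlg-gateway-backup")


def install_authorized_key(pubkey, home):
    """Append `pubkey` to <home>/.ssh/authorized_keys; return True if it was added.

    The comparison ignores the trailing comment, so the same key pasted twice
    with different comments is still recognised as a duplicate.
    """
    key = pubkey.strip()
    parts = key.split()
    if len(key.splitlines()) != 1 or len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("expected a single public key line: '<type> <base64> [comment]'")
    ssh_dir = Path(home) / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)                     # sshd refuses group/world-writable dirs
    auth = ssh_dir / "authorized_keys"
    existing = auth.read_text().splitlines() if auth.exists() else []
    if any(line.split()[:2] == parts[:2] for line in existing if line.strip()):
        return False
    with auth.open("a") as fh:
        fh.write(key + "\n")
    os.chmod(auth, 0o600)
    return True


def permissions_ok(home):
    """True when .ssh is 0700 and authorized_keys is 0600, as OpenSSH expects."""
    ssh_dir = Path(home) / ".ssh"
    auth = ssh_dir / "authorized_keys"
    return (stat.S_IMODE(ssh_dir.stat().st_mode) == 0o700
            and stat.S_IMODE(auth.stat().st_mode) == 0o600)


def run_demo():
    """Exercise the helper in a temporary home directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        first = install_authorized_key(SAMPLE_PUBKEY, home)
        # Same key, different comment: must be detected as already installed.
        second = install_authorized_key(SAMPLE_PUBKEY + "-copy", home)
        try:
            install_authorized_key("not a key\nsecond line", home)
            rejected = False
        except ValueError:
            rejected = True
        lines = (home / ".ssh" / "authorized_keys").read_text().splitlines()
        return {"first": first, "second": second, "rejected": rejected,
                "lines": len(lines), "perms_ok": permissions_ok(home)}


if __name__ == "__main__":
    print(run_demo())
```

Run it on the backup server under the account that receives the backup files, passing that account's home directory; the gateway's key, copied from the File Server – Public Key window, goes in place of SAMPLE_PUBKEY.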
the mm/dd/yyyy value for all future backups; the hh:mm:ss portion is also the hh:mm:ss value for all future backups). o 7. Backup Frequency: Frequency of generation and uploading of configuration backups. Click Save to save the backup settings. Figure 57 - Backup Configuration (Periodic Backup) 8.
Figure 58 - Backup Configuration (Immediate Backup) 9. Click Start Backup to start the backup procedure immediately. Restoration Procedure The restoration procedure consists of the following steps: 1. Click Configuration Services on the main menu. 2. Click Restore Previous Configuration. The Configuration Restore – Step 1 window appears (Figure 59). 3.
Figure 59 - Configuration Restore - Step 1 4. Click Get Files. The Configuration Restore - Step 2 window appears (Figure 60). Figure 60 - Configuration Restore - Step 2 5. This window displays the backup files available to restore the configuration. Select a backup file and click Start Restore Configuration. The corresponding configuration is automatically restored.
Upgrading the OmniAccess 3500 NLG Gateway Configuration
The procedure in this section describes how to upgrade the software package running on your OmniAccess 3500 NLG gateway.
Configuration Upgrade
The following steps are required for upgrading the OmniAccess 3500 NLG software package that runs on the gateway appliance:
1. Click Configuration Services on the main menu.
2. Click Upgrade Server Profile.
5. Click Upgrade Actions. The Upgrade Actions window appears (Figure 62), displaying information about the upgrade, as well as upgrade status information.
Figure 62 - Upgrade Actions
6. Click Start Upgrade to begin the configuration upgrade process. The Start Upgrade button appears only if an upgrade is possible (that is, if you have previously saved the configuration upgrade parameters on the Upgrade Server Profile window).
Chapter 5. OmniAccess 3500 NLG Administrative Information Base
This chapter presents the complete set of objects that can be observed and configured through the management system GUI. Every object that is not a leaf in the management system GUI information base tree is presented in the following format:
• Object Name — [Path], [Window Title], [Action(s)]
Where:
o Object Name is the name of the object on display.
o LAN Interface IP — IP address assigned to the LAN Ethernet interface of the gateway. The LAN interface is connected to a private subnet of the enterprise.
o LAN Interface Netmask — Network mask for identification of the private subnet of attachment of the LAN gateway interface.
o Admin Server — Administration server for the enterprise domain; in most cases the administration server coincides with the Active Directory server, except when the KDC realm administrator has not made the administration server name available through DNS.
o Primary DNS — IP address of the primary DNS name server for laptop user traffic. This entry must be filled with one IP address when the gateway is first configured.
o Confirm Password — Confirmation replica of the SMTP password.
o SNMP Enable — The OmniAccess 3500 NLG gateway offers MIB-II support for its native functional components (i.e., components that are not part of the OmniAccess 3500 NLG platform). If the option is set, it is possible to use a third-party network management system to manage and monitor the MIB-II objects of the gateway through SNMP.
address range when the gateway is first configured. Later on, the editing of the initial card address range or the introduction of new address ranges must be executed on the [Gateway Configure-> Address Pool Information] window, reachable through the [Gateway|Configure Advanced Settings|Address Pool] path.
o Laptop Address Mask — Network mask for identification of the laptop address pool set upon initial configuration of the gateway.
The following gateway information objects can be accessed upon selection of the tab:
o Connection Manager – Settings — [Gateway|Configure Advanced Settings], [Configure:], [r] Objects needed for configuration of the remote access connections.
Figure 64 - Connection Manager Address Pool (Add)
− Server Table — [Gateway|Configure Advanced Settings|Server Table], [Gateway Configure:-> Server Table Information], [rw] Configuration of the DNS, WINS, and default gateway addresses that the OmniAccess 3500 NLG gateway passes to the card and laptop together with the VPN addresses. Only one value can be set for each type of address.
Type — Network server for which the IP address is specified.
Figure 65 - Connection Manager Server Table (Add)
− Rules — [Gateway|Configure Advanced Settings|Rules], [Gateway Configure:-> Rule Information], [rw] Packet classification rules for the firewall and IPsec endpoint that are embedded in the OmniAccess 3500 NLG gateway.
(drop all packets matching the rule, and for each dropped packet notify the corresponding sender).
Protocol — Protocol Identifier value carried by the packets that match the rule. Options (choose one): , , , .
Source IP/[Mask] — Range of IP addresses to be checked against the source IP field in the packet header.
Figure 66 - Connection Manager Rules (Add)
− Tunnel Table — [Gateway|Configure Advanced Settings|Tunnel Table], [Gateway Configure:-> Tunnel Table], [rw] List of profiles used to define the parameters of the IKE and IPsec Security Associations that are created either by the OmniAccess 3500 NLG gateway ( option in the Rule definition) or by request of the OmniAccess 3500 NLG cards ( option in the Rule definition).
Algorithms to be used for IKE Negotiations — Encryption algorithm to be used for protection of the IKEv2 exchanges. Options (choose one): <3DES-SHA1>, , , .
Lifetime of the IKE SA in seconds — Maximum duration of the IKEv2 Security Association that controls the IPsec tunnel between the OmniAccess 3500 NLG card and the OmniAccess 3500 NLG gateway.
Application Name — Name of the application that will use the Assisted File Transfer facility (e.g., testapp).
Application Password — Password associated with the application.
Share Path — Directory path in the application server that leads to the Windows share to be mounted (e.g., //server1/testappdir).
Share User Name — User name with permission to mount this share.
Share Password — Password corresponding to this user.
o Connection Manager - Show Information — [Gateway|Configure Advanced Settings], [Configure:], [r] Read-only state information for a number of functional components of the OmniAccess 3500 NLG platform.
− SA – IKE — [Gateway|Configure Advanced Settings|SA — IKE], [Gateway:-> SA IKE Information], [r] List of the IKE Security Associations that currently exist between the OmniAccess 3500 NLG gateway and remotely connected OmniAccess 3500 NLG cards.
− AH SPI-In — Security Parameter Index found in incoming IPsec packets with AH protection (not available with ESP protection).
AH SPI-Out — Security Parameter Index inserted in outgoing IPsec packets with AH protection (not available with ESP protection).
Algorithm Cipher — Algorithm used for the encryption of packets exchanged over the IPsec tunnel.
Total No. of IKE nego done — Number of IKE negotiations successfully completed since the OmniAccess 3500 NLG gateway was last restarted.
Total No. of IKE nego failed — Number of IKE negotiations failed since the OmniAccess 3500 NLG gateway was last restarted.
No. of Phase-1 Initiator SA's — Number of Phase-1 negotiations initiated by the OmniAccess 3500 NLG gateway since it was last restarted.
No.
No. of Free transforms — Number of IPsec transforms (ESP or AH) that the OmniAccess 3500 NLG gateway can additionally allocate.
No. of Total transforms — Number of IPsec transforms (ESP or AH) allocated by the OmniAccess 3500 NLG gateway since it was last restarted.
No. of Active rules — Number of rules that are currently active.
No. of Free rules — Number of rules that the OmniAccess 3500 NLG gateway can additionally allocate.
Figure 69 - Gateway Configuration File Upload
The following fields appear upon selection of the menu item:
o Edit Gateway Support Information — [Gateway|Edit Support Information], [Edit Gateway Support Information], [rw]
− Contact Person — Name of the person to contact for gateway support.
− Telephone — Telephone number of the person to contact for gateway support.
Figure 70 - Edit Gateway Support Information
• Cards — [Cards], [Card Information], [rwx] List of the OmniAccess 3500 NLG cards that are currently under administrative control of the management system instance.
Figure 71 - Card (Add)
The following status indicators can be observed on the target OmniAccess 3500 NLG card upon selection of the tab:
o Card ID — The ESN (Electronic Serial Number) of the card. ESN is a unique identification number for the card provided by the manufacturer.
o VPN IP Address — The VPN IP Address assigned to the card when the tunnel is established (no address is visible if the tunnel is down).
Figure 72 - Card (Status)
• Laptops — [Laptops], [Active Laptop Information], [rwx] List of laptops associated with OmniAccess 3500 NLG cards that are currently connected to the gateway. The and tabs provide access to the following information items for the selected laptop. The tab removes the selected entry.
o Laptop ID — A unique name for the laptop.
Figure 73 - Laptop (Add)
Users
The Users section of the management system GUI allows configuration and monitoring of users and user groups. In this section it is possible to add/edit and delete user/user group entries, check user status, and find the location of a user’s laptop.
• Users — [Users], [User Information], [rw] List of users that are currently configured under administrative control of the management system instance.
the laptop’s screen five minutes before expiration of the connectivity timeout. If the timeout expires, the laptop locks and can only be unlocked with an OTP received from the IT helpdesk.
o OTP Valid Time (sec) — Amount of time that the laptop will remain unlocked and with reduced OmniAccess 3500 NLG controls after the one-time password has been successfully entered. All tamper checks are re-enabled after expiration of this time.
The tab provides access to the following options: , , and . Clicking on provides visual access to the following status indicators:
o User Settings — Information about the selected user.
− User ID — Numeric identifier and full name of the user.
− User Status — Whether or not logged into the laptop.
− Last Logged-in Time — Time of completion of latest laptop login.
− State — Whether the license is in a valid state.
− Start Date — The start date for the license.
− End Date — The end date for the license.
Figure 75 - User Status window
The and tabs provide geographic information about the laptop.
The tab provides access to the following items:
o Asset Management : — [Users|User|Configure], [User Configurations : ], [r] This function runs on demand (see the Refresh Asset Info menu option below) and allows you to view information about user assets. Menu options available are:
− Programs — Applications that are currently running on the user’s laptop.
Figure 78 - Tamper Proofing Settings - Get One Time Password
o TrueCrypt Volume Encryption — [Users|User|Configure], [User Configurations: ], [rwx] This section of the management system GUI allows you to configure the encrypted volume in the remote laptop and manage the secret password that the laptop needs to mount and access the encrypted volume.
Figure 79 - TrueCrypt Settings
− Change Volume Password — [Users|User|Configure|Change Volume Password], [Change Password Confirmation], [rwx] Facility for changing the secret password needed by the laptop to mount the encrypted volume and encrypt/decrypt the encrypted volume contents.
Mount Drive — Drive identifier assigned to the encrypted volume when mounted.
Volume Size (MB) — Hard disk space allocated to the encrypted volume.
Volume Status — Current status of the encrypted volume.
o System Management — [Users|User Information|Configure], [System Management], [rw] This set of commands allows you to lock or unlock the user’s laptop.
− Lock — Locks the user’s laptop.
− Unlock — Unlocks the user’s laptop.
• User Groups — [User Groups], [User Groups Information], [rwx] List of user groups that are currently configured under administrative control of the management system instance.
Figure 81 - User Group Information (Add)
The tab allows the configuration of the above information items when a new user group is created. The tab allows the modification of the settings for one or more of the above items for an existing User Group entry. The tab removes the selected entry from the User Group table.
− Twofish-Serpent
Hash Algorithm — Algorithm used for random generation of the volume master key. Available options are:
− RIPEMD-160 (default)
− SHA-1
− Whirlpool
File Format — Type of file system for the encrypted volume. Available options are:
− FAT (default)
− NTFS (this option does not work for end users that do not have administrator privileges on their laptops). Note: Windows XP supports NTFS.
Hosts
The Hosts section of the management system GUI allows access to information and management actions that apply to the groups of IP addresses to be included in the specification of the packet filter rules for the personal firewall policies. Through the Hosts section, you can view, add, edit, and delete hosts (i.e., ranges of IP addresses) and host groups (i.e., groups of non-contiguous IP address ranges).
The tab allows the configuration of the above information items when a new group of IP address ranges is created. The tab allows the modification of the settings for one or more of the above items for an existing Host entry. The tab removes the selected entry from the Hosts table.
Services
The Services section of the management system GUI provides access to information and management actions that apply to the groups of UDP and TCP ports to be included in the specification of the packet filter rules for the personal firewall policies. Through the Services section, you can view, add, edit, and delete services and service groups.
include indication of the target layer-4 protocol. Each row in the table corresponds to one service group and shows the following information items: (unique numerical identifier of the service group), (descriptive alphanumeric identifier of the service group).
Configuration of packet filter rules, application lists, and personal firewall policies.
o Packet Filter Rules — [Personal Firewall|Packet Filter Rules], [Packet Filter Rules Definitions], [rw] List of packet filter rules to be included in the personal firewall policies. All packet filter rules are allow-rules: only packets that match one of the configured packet filter rules are allowed through the personal firewall.
Figure 87 - Packet Filter Rules (Add)
o Applications — [Personal Firewall|Applications], [Applications], [rw] Configuration of applications to be included in the personal firewall policies. This utility enables the coupling of MS Windows executable file names () with their corresponding application names (). A pre-populated list of common applications is available by default.
Figure 88 - Applications
o Application Group — [Personal Firewall|Application Group], [Application Group Information], [rw] Configuration of groups of applications with homogeneous treatment in the application filter. The inclusion of an application group in a personal firewall policy works the same way as the inclusion of an individual application.
Figure 89 - Application Group
o Firewall Policy — [Personal Firewall|Firewall Policy], [Firewall Policy Definitions], [rw] List of personal firewall policies. A personal firewall policy consists of a set of packet filter rules and a set of application filter rules. A packet filter rule decides on the treatment of individual packets that traverse the personal firewall on the OmniAccess 3500 NLG card.
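The allow-only semantics of the Packet Filter Rules and the two-part structure of a Firewall Policy (packet filter rules plus application filter rules) can be modelled directly. The following is an added example and not code from the OmniAccess 3500 NLG product: the rule fields (protocol, source and destination host ranges, service port range, application executable names) follow the guide's descriptions, while the matching logic, the sample policy and the sample flows are constructed for illustration.

```python
"""Model of an allow-only personal firewall policy (added example, constructed)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class PacketFilterRule:
    protocol: str                # "TCP", "UDP", "ICMP" or "ANY"
    source: str                  # host range as CIDR, e.g. "10.1.0.0/16"
    destination: str             # host range as CIDR
    service: tuple = (0, 65535)  # inclusive destination port range (a "service")

    def matches(self, proto, src, dst, dport):
        if self.protocol != "ANY" and self.protocol != proto:
            return False
        if ip_address(src) not in ip_network(self.source, strict=False):
            return False
        if ip_address(dst) not in ip_network(self.destination, strict=False):
            return False
        lo, hi = self.service
        return lo <= dport <= hi


@dataclass
class FirewallPolicy:
    packet_rules: list = field(default_factory=list)
    # Application filter: executable file names allowed to generate traffic.
    applications: set = field(default_factory=set)

    def packet_allowed(self, proto, src, dst, dport=0):
        # Allow-only semantics: a packet that matches no rule is dropped.
        return any(r.matches(proto, src, dst, dport) for r in self.packet_rules)

    def application_allowed(self, exe_name):
        return exe_name.lower() in self.applications


# Constructed sample policy: laptops in a VPN pool may reach one DNS server
# and a web subnet, and only two executables may originate connections.
POLICY = FirewallPolicy(
    packet_rules=[
        PacketFilterRule("UDP", "10.1.0.0/16", "10.1.1.53/32", (53, 53)),
        PacketFilterRule("TCP", "10.1.0.0/16", "10.1.2.0/24", (80, 80)),
        PacketFilterRule("TCP", "10.1.0.0/16", "10.1.2.0/24", (443, 443)),
    ],
    applications={"iexplore.exe", "outlook.exe"},
)


def evaluate(policy, flows):
    """Return (allowed, dropped) counts for (proto, src, dst, dport, exe) flows."""
    allowed = dropped = 0
    for proto, src, dst, dport, exe in flows:
        # Both filters must accept: the packet filter on the addresses and
        # port, the application filter on the originating executable.
        if policy.packet_allowed(proto, src, dst, dport) and policy.application_allowed(exe):
            allowed += 1
        else:
            dropped += 1
    return allowed, dropped


SAMPLE_FLOWS = [  # constructed sample traffic
    ("UDP", "10.1.5.20", "10.1.1.53", 53, "iexplore.exe"),    # DNS: allowed
    ("TCP", "10.1.5.20", "10.1.2.15", 443, "iexplore.exe"),   # HTTPS: allowed
    ("TCP", "10.1.5.20", "10.1.2.15", 22, "putty.exe"),       # no rule, app not listed
    ("TCP", "10.1.5.20", "10.1.2.15", 443, "unknown.exe"),    # rule matches, app not listed
    ("TCP", "192.168.1.5", "10.1.2.15", 80, "iexplore.exe"),  # source outside range
]

if __name__ == "__main__":
    print(evaluate(POLICY, SAMPLE_FLOWS))  # (2, 3)
```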
Unsecured Connectivity Duration — First timeout used in the Captive Portal Management algorithm, which regulates open access to the Internet during the negotiation of local access credentials with an access point provider.
Figure 91 - Firewall Policy Settings Rules tab
− Applications — [Personal Firewall|Firewall Policy|New|Applications], [Firewall Policy Settings (Add)], [rw]
Applications — List of applications in the application filter table that contribute to the definition of the personal firewall policy.
Figure 92 - Firewall Policy Settings Applications tab
− Application Groups — [Personal Firewall|Firewall Policy|New|Application Groups], [Firewall Policy Settings (Add)], [rw]
Application Groups — List of application groups in the application filter table that contribute to the definition of the personal firewall policy.
Figure 93 - Firewall Policy Settings Application Groups tab
Fault Manager
In the Fault Manager section of the management system GUI you can access system status information. Through the Fault Manager section, you can view logs and events and configure the interoperation of the OmniAccess 3500 NLG with a syslog server.
• Log Viewer — [Log Viewer], [Server Log Viewer], [r] Logs collected from various portions of the OmniAccess 3500 NLG system.
Figure 94 - Server Log Viewer
• Syslog — [Syslog], [Syslog Server Settings], [rw] Syslog service configuration parameters.
o Primary Server — First Syslog Server IP address.
o Secondary Server — Second Syslog Server IP address.
o Port — The port number to which you want to forward logs.
o Forward Logs — Set whether or not the Syslog Logs should be forwarded.
Figure 95 - Syslog Server Settings
• Log History — [Server Log History], [r] List of archived event logs. Each entry in the list shows the following information objects:
o Time — Time of generation of the log record (format: ).
o GMT Time — GMT time of generation of the log record (format: ).
Figure 96 – Server Log History
License Manager
Allows for management of user card licenses.
• Card Licenses — [Card Licenses], [Card Licenses], [r] List of currently active card licenses. Existing licenses can be inspected, renewed, and deleted using the , , and tabs respectively. The following information items are shown in the table for each entry:
o Name — A unique name that identifies a particular license.
Figure 97 - Card Licenses
Upon selection of the tab, the following field appears:
o License File — Presents a text box into which the license file that has been obtained from Alcatel-Lucent can be typed. If this license is valid, a new entry will appear on the Card Licenses window after Upload License is clicked.
Upon selection of the tab, the License File window appears as described above.
o Login ID — Account name used for logging into the management system GUI.
o Authentication Method — Method used for authentication of the administrator upon login. Options (choose one): and .
o RADIUS Server — Select if RADIUS is not selected as the authentication method, or select the IP address of the preferred RADIUS server.
o First Name — First name of the account owner.
o Last Name — Last name of the account owner.
• Authentication Methods — [Authentication Methods], [Authentication Methods], [rw] Clicking on the link provides access to the configuration of RADIUS servers for the authentication of end users and management system administrators. Existing entries can be inspected, modified, and deleted using the , , and tabs respectively.
o Server IP Address — IP address of the RADIUS server.
Configuration Manager
This utility allows the administrator to run gateway maintenance tasks from the EMS GUI.
• Configuration Services — [Configuration Manager], [Configuration Services], [r] The tab brings up the File Server – Public Key window. The text box on this window contains the Public Key for the Backup File Server.
Figure 100 - Backup Configuration
− The tab brings up the Backup Configuration window, which is used to request an immediate backup. The values shown on this window are read-only and are taken from the values you entered previously in the Backup Configuration window.
− The <Restore Previous Configuration> tab brings up the Configuration Restore – Step 1 window.
Path — The path where the package is stored in the Package Distribution Server.
Figure 101 - Configure Upgrade Profile (New)
− The tab brings up the Upgrade Actions window, which shows the status of the upgrade, and allows the user to start the upgrade.
Figure 102 - Upgrade Actions
− The tab brings up the Reset Upgrade Configuration window, which initiates the command to change the upgrade status on the module back to the idle state.
Utilities
The Utilities section of the management system GUI contains utilities needed for streamlining the most time-consuming functions expected from the OmniAccess 3500 NLG administrator, such as configuring the end user records.
o NetBIOS — The NetBIOS name corresponding to the Domain name (e.g., “evros” in the domain name evros.example.com).
o Directory Name — Directory name (group to be imported from the Active Directory Server).
Figure 103 - Active Directory Import User Information
The tab removes the selected entry from the Active Directory.