IntraPort Enterprise-8 VPN Access Server
Installation Guide

Compatible Systems Corporation
4730 Walnut Street, Suite 102
Boulder, Colorado 80301
303-444-9532
800-356-0283
http://www.compatible.
IntraPort Enterprise-8 VPN Access Server Installation Guide, Version 1
Copyright © 1999, Compatible Systems Corporation. All rights reserved.
IntraPort Enterprise, RISC Router, MicroRouter and CompatiView are trademarks of Compatible Systems Corporation. Other trademarks are the property of their respective holders.
Part number: A00-1869

FCC Notice: This product has been certified to comply with the limits for a Class A computing device, pursuant to Subpart J of Part 15 of FCC Rules.
Table of Contents

Introduction to the IntraPort Enterprise-8
    A NOTE ABOUT REMOTE CLIENT CONNECTIONS
    INTRAPORT ENTERPRISE-8 INSTALLATION OVERVIEW
    INTRAPORT ENTERPRISE-8 MANUAL OVERVIEW
Chapter 1 - Getting Started
    A FEW NOTES
        Please Read the Manuals
        Warranty and Service
        Getting Help with the IntraPort Enterprise-8
    WHAT YOU WILL NEED TO GET STARTED
        Supplied with the IntraPort Enterprise-8
        Additional Items Needed for Installation
Chapter 2 - Mounting Instructions
    PLACEMENT
Chapter 6 - Basic Configuration Guide
    ETHERNET INTERFACE CONFIGURATION
        IP Protocol
    SAVING A CONFIGURATION FILE TO FLASH ROM
Chapter 7 - Shipping Defaults
    DEFAULT PASSWORD
    ETHERNET INTERFACES
        IP Defaults
        IPX Defaults
        AppleTalk Defaults
Chapter 8 - LED Patterns and Test Switch Settings
    INTRAPORT ENTERPRISE-8 LED PATTERNS
        Over Temp
        Sys Ready
        General Indicators
        Ethernet Traffic Indicator
Appendix B - Downloading Software From Compatible Systems
Appendix C - Security Dynamics ACE/Server Information
Appendix D - Adding or Replacing RIOP Cards
Appendix E - When the “Over Temp” Light Comes On
    REPLACING OR CLEANING THE INTRAPORT ENTERPRISE-8 AIR FILTER
Appendix F - Terms and Conditions
Figure 1. Location of Voltage Switch on the Power Supply
Figure 2. Installing Mounting Ears and Handles for a Standard Equipment Rack
Figure 2.1. Installing Mounting Ears for a Telco Rack
Figure 3. Rack-Mount Brackets
Figure 4. Fastening the Right Bracket to the Rack
Figure 5. Fastening the Left Bracket to the Rack
Figure 6. Lowering the Shelf
Figure 6.1. Securing the Shelf
Figure 7. Moving the Unit into a Standard Equipment Rack
Figure 7.1. Moving the Unit into a Telco Rack
Figure 8.
Introduction to the IntraPort Enterprise-8

Congratulations on your purchase of the IntraPort Enterprise-8 VPN Access Server. The IntraPort Enterprise-8 supports up to 512 LAN-to-LAN tunnels and up to 40,000 simultaneous remote client connections. In addition, it offers DES and 3DES encryption using built-in hardware coprocessors.
IntraPort Enterprise-8 Manual Overview

The manual is divided into several sections that should provide you with the basic information you will need to use the IntraPort Enterprise-8 on your network. For the latest documentation on Compatible Systems products, including the most current version of this manual, visit the Technical Support section of our Web site.
Chapter 1 - Getting Started

A Few Notes

Please Read the Manuals

The manuals included with your IntraPort Enterprise-8 VPN Access Server contain very important information about installing and operating the IntraPort Enterprise-8. Please read this manual, and refer to the management reference guides as required. It’s worth the few minutes it will take. Also, please fill out the warranty registration card and return it to us today.
What You Will Need to Get Started

Before connecting the IntraPort Enterprise-8 VPN Access Server, please check the list below to make sure that you have received all of the items that are supplied with the shipping package(s). You should also make sure you have any additional items that are necessary to connect the server to your network.
Chapter 2 - Mounting Instructions

The IntraPort Enterprise-8 VPN Access Server is designed to be mounted in a 19-inch equipment rack or in a Telco rack. Compatible Systems provides all the parts necessary for securing the supplied mounting brackets and ears to the device; however, due to the variety of equipment racks and mounting techniques, you will need to provide your own screws or clips to secure the mounting brackets and ears to the equipment rack.
Parts and Tools

The following items are needed to install the mounting ears and handles on the IntraPort Enterprise-8 VPN Access Server.
• IntraPort Enterprise-8 unit
• Two mounting ears
• Two handles
• Two handle spacers
• 14 mounting screws (10-32 undercut flat head)
• Phillips head screwdriver

In addition to the above items, the following items are needed to install the IntraPort Enterprise-8 VPN Access Server in an equipment rack.
Installing Mounting Ears and Handles

Figure 2. Installing Mounting Ears and Handles for a Standard Equipment Rack
Figure 2.1. Installing Mounting Ears for a Telco Rack

The mounting ears should be installed on the IntraPort Enterprise-8 VPN Access Server whether you are planning to rack-mount it or not.
Rack-Mount Brackets

Figure 3. Rack-Mount Brackets

Brackets (shown in Figure 3) are provided for mounting the IntraPort Enterprise-8 in a standard 19-inch equipment rack or a Telco rack. Note that the left bracket features a fold-down shelf which maintains the proper alignment of the brackets in the rack, but does not bear the weight of the unit. The ledges at the bottom of the brackets bear the weight of the unit until it is securely attached to the equipment rack.
Right Bracket Installation

Figure 4. Fastening the Right Bracket to the Rack

1. It is recommended that you mark on the equipment rack exactly where you want the top of the two mounting brackets to go on the device in order to make sure that they are level with each other (using a level if necessary). Once you have determined the desired location, fasten the right bracket to the rack using your own screws or clips, as shown in Figure 4.
Left Bracket Installation

Figure 5. Fastening the Left Bracket to the Rack

1. It is recommended that you mark on the equipment rack exactly where you want the top of the two mounting brackets to go on the device in order to make sure that they are level with each other. Once you have determined the desired location, fasten the left bracket to the rack using your own screws or clips, as shown in Figure 5.
Securing the Shelf

Figure 6. Lowering the Shelf

1. Lower the shelf onto the tabs protruding from the right bracket as shown in Figure 6 and use the thumb screws to fasten the shelf to the bracket. The brackets and shelf should look like Figure 6.1 when fully installed.

Figure 6.1.
Moving the Unit into the Rack

Never attempt to move the server using the RIOP card handles or the filter cover opening. They will not support the weight of the device. Use the built-in side handles and either the large mounting handles, if you have installed them, or the very bottom of the chassis to move it.

Figure 7. Moving the Unit into a Standard Equipment Rack

1. Two people are needed to move the unit into the rack. Do not attempt to move the unit by yourself.
Placing the Unit in an Equipment Rack

Figure 8. Placing the Unit in a Standard Equipment Rack
Figure 8.1. Placing the Unit in a Telco Rack

1. Slide the unit back into the rack until the mounting ears are flush with the sides of the rack. Proper placement in a standard equipment rack should look like Figure 8. Proper placement in a Telco rack should look like Figure 8.1.
Securing the Unit to the Rack

Figure 9. Securing the Unit to the Rack

1. Using your own screws or clips, secure the mounting ears to the rack as shown in Figure 9, using two screws at the top of each mounting ear and two screws at the bottom of each mounting ear.
Chapter 3 - Network Installation

This section of the manual describes how to connect the IntraPort Enterprise-8 VPN Access Server to your Ethernet networks. In summary, the steps for installation are:
1. After mounting the server or placing it on a desktop, make sure it is not connected to any power source.
2. Connect the server to the Ethernet network(s).
3. Connect a management console to the server (optional).
4. Plug in the power cables and power up the server.
Figure 11. Detail of RIOP Cards

Connecting the Server to the Ethernet

The 10/100 Ethernet interfaces directly support 100BaseTx or 10BaseT twisted-pair Ethernet. The actual hardware is not numbered by slot. The slot numbers are provided in Figure 11 for your reference. Because slots 1, 3, 5 and 7 have IPSec-only interfaces (meaning they will only handle IPSec packets and will drop all other traffic), you need to pay special attention to your Ethernet connection setup.
Connecting a Management Console

If you wish to connect an out-of-band management console, use the supplied DB-25 male to DB-25 female cable and connect to the Console interface on the leftmost slot (slot 0) on the IntraPort Enterprise-8. You can use a dumb terminal or a computer equipped with VT100 terminal emulation.

Note: If you connect to the console using a slot other than slot 0, all configuration changes will be lost when the box is rebooted.
Chapter 4 - CompatiView Software Installation

All of the products in Compatible Systems’ internetworking and VPN families, including the IntraPort Enterprise-8, can be managed from a single GUI management platform called CompatiView. CompatiView for Windows is included on the CD-ROM which was shipped with your IntraPort Enterprise-8 VPN Access Server.

Note: An older version of CompatiView for Mac OS is also included on the CD-ROM shipped with your server.
Transport Protocols and CompatiView

CompatiView will be able to use the transport protocol (IP or IPX) you have selected to access Compatible Systems products anywhere on your internetwork. Depending on your security setup, you may also be able to use the IP transport option to manage devices across the Internet. The IP protocol does not provide a method for CompatiView to automatically discover the IntraPort Enterprise-8 VPN Access Server.
Chapter 5 - Command Line Management

The command line interface allows you to configure and monitor the IntraPort Enterprise-8 VPN Access Server in-band via Telnet or out-of-band with a terminal connected to the server’s Console interface.

Note: Proper syntax is vital to effective operation of command line management. Case is not significant – you may enter commands in upper case, lower case, or a combination of the two.
Setting Up Telnet Operation

Telnet is a remote terminal communications protocol based on TCP/IP. With Telnet you can log into and manage the IntraPort Enterprise-8 from anywhere on your IP internetwork, including across the Internet if your security setup allows it. To manage the server with Telnet, you must:
1. Run Telnet client software on your local computer, which will communicate with the Telnet server built into the IntraPort Enterprise-8.
2.
Chapter 6 - Basic Configuration Guide

This chapter briefly discusses the major parameters that must be set in order to use the IntraPort Enterprise-8 VPN Access Server. Detailed information on the meaning of the server’s parameters is provided in the CompatiView Management Software Reference Guide and the Text-Based Configuration and Command Line Management Reference Guide.
Use the IP Connection Dialog Box to set address parameters for Ethernet 1:0, 3:0, 5:0 and 7:0. These Ethernet interfaces do not have any other settings available because they only handle IPSec traffic and do not do routing. Use the IPSec Gateway Dialog Box (under Global/IPSec Gateway) to set the IPSec Gateway address. The IPSec Gateway must be on the same IP network as Ethernet 1:0, 3:0, 5:0 and 7:0.
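The addressing rule above can be checked on paper before the values are entered in the dialog boxes. The following Python check is an added example, not part of the original guide or of Compatible Systems’ software; the function name, the dictionary layout and the sample addresses (taken from the documentation address ranges) are assumptions made for illustration.

```python
import ipaddress

# Interface names as the guide writes them; these are the IPSec-only ports.
IPSEC_ONLY = ("Ethernet 1:0", "Ethernet 3:0", "Ethernet 5:0", "Ethernet 7:0")


def check_ipsec_plan(interfaces, gateway):
    """Return a list of problems found in a planned address assignment.

    interfaces: {name: "address/mask"} for the IPSec-only ports in use
    gateway:    the planned IPSec Gateway address, as a string
    (Hypothetical helper: the layout of the plan is an assumption.)
    """
    problems = []
    gw = ipaddress.ip_address(gateway)
    networks = set()
    for name, cidr in interfaces.items():
        if name not in IPSEC_ONLY:
            problems.append(f"{name}: not an IPSec-only interface")
            continue
        iface = ipaddress.ip_interface(cidr)  # accepts /24 or /255.255.255.0
        networks.add(iface.network)
        if gw not in iface.network:
            problems.append(f"{name}: gateway {gw} is outside {iface.network}")
    if len(networks) > 1:
        problems.append("IPSec-only interfaces are not all on one IP network")
    return problems


# Constructed sample plan: Ethernet 5:0 was given an address on another network.
SAMPLE_PLAN = {
    "Ethernet 1:0": "192.0.2.11/255.255.255.0",
    "Ethernet 3:0": "192.0.2.13/255.255.255.0",
    "Ethernet 5:0": "198.51.100.15/255.255.255.0",
}

if __name__ == "__main__":
    for line in check_ipsec_plan(SAMPLE_PLAN, "192.0.2.1") or ["plan is consistent"]:
        print(line)
```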
IPX Protocol

Required for IPX

Generally, there are no required changes from the shipping Ethernet configuration for IPX. The Ethernet interface will autoconfigure to use the two most common IPX frame types, and will automatically adapt to conditions on the Ethernet.

Suggested for IPX

You may want to set your own network numbers, rather than using the autoconfigured values. You may also want to turn off unused frame types.
Configuring the Server for IP and IPX Client Tunnels

To configure the IntraPort Enterprise-8 for IP and IPX client tunnels, each user must be entered into the VPN user database or a RADIUS server database and assigned a tunnel configuration.
Setting up RADIUS Authentication

If you are using a RADIUS server for user authentication, you must set up the IntraPort Enterprise-8 to communicate with a RADIUS server and also set some special parameters in the RADIUS server itself.

Setting the IntraPort Enterprise-8 for a RADIUS Server

Just a few basic settings are required for the IntraPort Enterprise-8 to communicate with a RADIUS server:
• Primary server IP address
• Secret
• VPN password attribute number
Setting up SecurID Authentication

If you are using Security Dynamics’ ACE/Server software for user authentication, you must set up the IntraPort Enterprise-8 to communicate with the ACE/Server. The Security Dynamics ACE/Server software performs dynamic two-factor SecurID authentication.
Saving a Configuration File to Flash ROM

Once a configuration is complete, you can save it to the server’s Flash ROM. Until saved, all changes are made in a separate buffer and the server’s interfaces continue to run as before the changes were made.

CV: Use the Save to/Device option from the File menu.
TB: Use the save command.
Chapter 7 - Shipping Defaults

Default Password
• letmein

Ethernet Interfaces

IP Defaults
• Ethernet 0:0 is on
• Address: 198.41.12.1
• Subnet mask: 255.255.255.0
• Broadcast address: 198.41.12.255
• Mode: Routed
• All other Ethernet interfaces are off

IPX Defaults
• Ethernet 0:0 is on
• Mode: Routed
• 802.3 on, autoseeding
• 802.2 on, autoseeding
• Type II off
• 802.
Chapter 8 - LED Patterns and Test Switch Settings

IntraPort Enterprise-8 LED Patterns

The IntraPort Enterprise-8 VPN Access Server uses a number of light patterns on its front LED bars to indicate operating conditions.

Note: Any continuous flashing pattern not noted in this chapter may be caused by a hardware failure. Please call Compatible Systems’ Technical Support if your server shows a hardware failure.
IntraPort Enterprise-8 Switch Settings

The switch for Ethernet 0:0 controls the entire device. For example, if you set the switch for Ethernet 0:0 to “3” and download new software to the device, the other interfaces will automatically receive the software update from Ethernet 0:0 via the backplane. In general, the only time you should use an individual RIOP card’s switch is when the card is unable to communicate with the backplane for some reason.
Appendix A - Connector and Cable Pin Outs

Pin Outs for DB-25 Male to DB-25 Female Console Cable

The cable supplied with the IntraPort Enterprise-8 is twenty-five conductors, straight through. Connections on the console interface follow the standard RS-232C pin outs.
Appendix B - Downloading Software From Compatible Systems

The latest versions of operating software for all Compatible Systems products are available at our Web site. The latest version of CompatiView management software is also available. To download software, follow the instructions below:
1. Use your browser to access http://www.compatible.com/, and find the link on our home page to “Software Downloads.”
2.
Appendix C - Security Dynamics ACE/Server Information

ACE/Server software and SecurID tokens can be purchased directly from Security Dynamics Technologies, Inc. Use the following information to contact Security Dynamics for more information:

Security Dynamics Technologies, Inc.
20 Crosby Drive
Bedford, MA 01730, U.S.A.
800-SECURID (800-732-8743 or 888-732-8743)
To telephone from outside the U.S.: 781-687-7000
E-mail: info@securitydynamics.
Appendix D - Adding or Replacing RIOP Cards

The modular design of the IntraPort Enterprise-8 VPN Access Server allows you to add, remove or replace the RIOP cards without disconnecting the device. Be sure to keep a cover plate over any empty slots to maintain proper air ventilation and minimize dust accumulation. The following instructions apply to adding or removing an RIOP card or cover plate.

Figure 13.
Appendix E - When the “Over Temp” Light Comes On

The IntraPort Enterprise-8 is designed to operate reliably in a normal computer room, and requires no special environmental control. If operating within its published temperature and humidity specifications (0° to 45° C, up to 95% relative humidity, non-condensing, at 40° C) in a normal computer room, no periodic maintenance is required.
Appendix F - Terms and Conditions

Compatible Systems Corporation (Compatible Systems) offers to sell only on the condition that Customer’s acceptance is expressly limited to Compatible Systems’ terms and conditions of sale. Compatible Systems’ acceptance of any order from Customer is expressly made conditional on assent to these terms and conditions of sale unless otherwise specifically agreed to in writing by Compatible Systems.
3. Payment Terms. Payment shall be made prior to shipment or upon delivery, unless otherwise agreed to in writing. Payment shall not constitute acceptance of the goods.
4. Force Majeure.