Hewlett-Packard VPN Server Appliance SA3110/SA3150/SA3400/SA3450 Installation Guide
Hewlett-Packard Company
HP: 5971-0872
P/N: A52437-001
March 2001
Disclaimer

Information in this document is provided in connection with Hewlett-Packard Company products. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted by this document.
Statement of Compliance for the HP VPN Server Appliance SA3110 This product follows the provisions of the European Directive 1999/5/EC. Dette produkt er i overensstemmelse med det europæiske direktiv 1999/5/EC Dit product is in navolging van de bepalingen van Europees Directief 1999/5/EC. Tämä tuote noudattaa EU-direktiivin 1999/5/EC määräyksiä. Ce produit est conforme aux exigences de la Directive Européenne 1999/5/EC.
1 Getting Started

Purpose

The purpose of this Installation Guide is to provide you with installation instructions for Release 6.8.2 of the HP VPN Server Appliance SA3110/SA3150/SA3400/SA3450. The term VPN device is used in this document to refer to all of these devices.
VPN device, add your VPN device (meaning that the VPN Manager software "sees" the device, and knows it is accessible), and save your VPN device list and configuration information to a file.

5. Installing HP SA3000 Series VPN Client
This chapter tells you how to install the VPN Client software on your PC.

6. Supplementary Procedures
This chapter gives instructions for the following procedures:
• Installing or Replacing the X.21 or V.
Required Components of a VPN Device

There are three primary required components for a new VPN device:
• VPN device
• VPN Manager
• VPN Client

This section explains the functions of each of these three primary components.

Functions of the VPN Device

The VPN device is a hardware/software security system that processes data packets as they pass between the public side and the private side of a network.
to centrally manage multiple VPN devices across multiple sites within a network. VPN Manager also works with the external authentication servers that define and grant access to VPN Client users.

Functions of VPN Client

VPN Client is a software-based package that allows for encryption in cooperation with the Windows 95, Windows 98, Windows 2000, or Windows NT TCP/IP stack.
2 Before You Install

Hardware and Software Requirements

This section lists the system hardware and software requirements for installing each of the following:
• VPN device
• HP SA3000 Series VPN Manager, Release 6.8.2
• HP SA3000 Series VPN Client, Release 6.8.2

VPN Manager Requirements

The hardware and software requirements for VPN Manager Release 6.8.2 include:
• PC or PC-compatible desktop computer
• Windows 95 (B) or OSR2, Windows 98, Windows NT 4.
— Intel Pentium 133 MHz (minimum) processor or better
— 2 GB hard drive with 650 MB minimum free disk space
— 64 MB minimum RAM
Installation Overview

The following flowchart provides an overview of the installation process for your VPN device (each step is followed by its related information):
• Complete preinstallation requirements (refer to the Installation Preparation Checklist in Chapter 2)
• Perform the initial hardware setup (refer to Chapter 3)
• Set up a basic routing mode configuration and connect the device to the network (refer to Chapter 3)
• Install and configure the VPN Manager software (refer to Chapter 4)
• Install and configure the VPN Cl
Installation Preparation Checklist

Before you install the VPN device, complete the following tasks:

___Map out your current network topology, and determine IP addresses and default gateways. Having the IP address scheme already decided helps you configure the unit. Refer to the Appendix, "Network Infrastructure Checklists," for checklists to complete on your network’s infrastructure.
___If you use a different subnet when creating site-to-site tunnels, make the proper routing changes for your organization. For example, if your internal network is 10.0.0.0 and you assign an incoming address from 192.168.x.x, all internal routers must be configured to send all 192.168.0.0 traffic to the VPN device.
3 Performing the Initial Hardware Setup

In this chapter, you complete the following tasks:
1. Physically connect the supplied DB-9 cable to your VPN device and your PC.
2. Check power supply voltage setting.
3. Turn on the VPN device.
4. Create a console window with your terminal emulation program.
5. Establish an initial session between your PC and your VPN device.
6. Run your setup script.
7. Configure Syslog for troubleshooting.
8.
Preparing to Configure a New VPN Device

A set of keys is packed in the shipping container. These are universal keys that fit any HP VPN device. Keep the keys in a safe place. It is not necessary to lock the device.

In preparation for configuring your new VPN device, you must complete the following tasks:
1. Insert the flash card into the device.
2. Connect the supplied DB-9 cable to your device.
3. Set power supply voltage.
4. Turn on the device.
5.
Connecting the Cable and Powering On the Device

To connect the cable and turn on the device:
1. Connect the supplied DB-9 console cable to the console port of the VPN device and to the COM port on your PC. Make a note of the communication port number on your PC.
2. Ensure that the voltage switch is set to the proper voltage used in your environment.
3. Plug in the power cable.
4. Turn on the VPN device by setting the power switch to the 1 (one) position.
10. Click OK. You return to the terminal emulation program window, where the cursor is blinking in an otherwise blank white screen. You now have an active console session and can communicate from your computer to the device.
Setting Up a Basic Routing Mode Configuration on a New Device

In this section, to set up a basic routing mode configuration, you complete the following tasks:
• Establish an initial session between your PC and your VPN device.
• Run your setup script.
6. In the File name field, select the file name you want to give the session file.
7. Click Save. You return to the HyperTerminal window.
8. Press Enter three times. The license agreement appears in the Console window.
9. Press the space bar or press Enter to scroll through the license agreement.
10. To accept the license agreement terms, press Y. This creates a file called license.
Running the Setup Script

You run the setup script to configure your new VPN device.

Notes:
1. You cannot communicate with a device from VPN Manager until you run the setup script.
2. Do not run the setup script on a device that has already been configured.
3. Words shown in square brackets provide examples of the required information. They are not defaults.
4.
8. At the prompt, enter the IP address for the default gateway. The default gateway is the gateway that provides a route to the Internet. The VPN Gateway does not support Routing Information Protocol (RIP) or any other form of dynamic routing table updates. All other routing information must be configured statically using the command shell (through the console window) or VPN Manager.
9. To set the Manager Password, enter password.
    ping 10.1.2.2 255.255.0

The device informs you of the success of the ping. The setup script is now complete. The initial configuration is set on the new VPN device.
Using Bridge Mode With the VPN Device

The VPN device has two basic operating modes:
• router
• bridge

VPN devices are usually deployed as routers, which is the default configuration. In certain network topologies, however, it is advantageous to configure a VPN device in bridge mode.
IP Bridge Mode Address Assignment

In IP bridge mode, all physical interfaces on the VPN device are assigned the same IP address. Use the bridge command when you assign an address to a VPN device that operates in bridge mode. To assign IP address 10.1.1.1 mask 255.255.255.0 from the command line, use the following format:

    hostname: NORMAL# config
    hostname [config]: NORMAL# bridge 10.1.1.1 255.255.255.0
As a bridge, the VPN device responds to ARP requests under the following conditions:
1. The ARP request is for an address that has been assigned to an interface on the VPN device.
2. The ARP request is for an address that has been assigned to a remote user tunnel as a client IP.
3. The ARP request is for an address that is currently in the VPN device’s ARP cache for an interface other than the interface where the ARP request was picked up.
4.
Connecting the Device to the Network

In this section, you connect your VPN device to the network behind your firewall.

Steps

To connect the VPN device to the network:
1. Turn the device off before connecting network cables.
2. Connect the supplied Ethernet cables to the Ethernet interfaces.
3. Connect your Ethernet LAN cables to the shielded cables.
4. Turn the device on.
Configuring Syslog for Troubleshooting

Syslog is a utility you can activate through the console window or VPN Manager to help troubleshoot problems when running your VPN device. This section explains how to use Syslog to view debugging messages.

Checking Syslog Level

Syslog’s levels of logging problems run from 0 (the factory default) to 7, with 0 being most basic (emergency messages only) and 7 being the most specific.
Next Step

Installing VPN Manager (page 4-1)
4 Installing HP SA3000 Series VPN Manager

Overview to Installing HP SA3000 Series VPN Manager

In this chapter, you complete the following tasks:
1. Install the HP SA3000 Series VPN Manager software.
2. Add your VPN device (meaning that the VPN Manager "sees" the device and knows it is accessible).
3. Create a device list.
4. Save the device list.
5. Save your VPN device configuration information to a file.
Installing VPN Manager

In this section, you install VPN Manager on your PC.

Steps

To install VPN Manager on your PC:
1. Place the VPN Manager CD-ROM into the CD-ROM drive bay. The VPN Manager CD-ROM menu appears.
   Note: If the VPN Manager CD-ROM menu does not automatically appear, use your file browser to locate the installation files on the VPN Manager CD-ROM. Double-click the setup.exe program to begin the installation procedure.
2.
When you double-click the VPN Manager icon on your desktop, the VPN Manager application starts, and you are prompted for a password when opening the encrypted device list file.
Adding a VPN Device With VPN Manager

In this section, you add your VPN device, so that VPN Manager knows the device is accessible.

Steps

To add your device:
1. Open the VPN Manager software.
2. In the File Menu, select Add Device. The Add Device window appears.
3. Enter the IP address of the device.
   Note: Because a VPN device can have many IP addresses, you must enter an IP address on the same local network as VPN Manager, that is, a reachable address.
4.
Configuration on a New Device" in Chapter 3 of this document.)
8. In the Reenter to confirm field, enter the password again.
9. Click Add. The VPN Manager now displays the device in the color red. When the device appears in green, the device is in normal mode, and you can configure it.
10. Double-click the device to configure it. The Configure Device window appears, displaying tabs. If the device does not open, see Checking Setup in the online Help.
11.
Next Step

Saving New Device Information to a Configuration File (page 4-7)
Saving New Device Information to a Configuration File

In this section, you save the configuration information you entered in the preceding section, "Adding a VPN Device With VPN Manager," to a file.

Steps

To save your configuration information to a file:
1. In the Configure menu, select Manager, then select Password. The VPN Manager window appears.
2. Enter and reenter the password to confirm it.
5 Installing HP SA3000 Series VPN Client

Overview to Installing HP SA3000 Series VPN Client

In this chapter, you complete the following tasks:
• Install the HP SA3000 Series VPN Client
• Configure the VPN Client software for a basic tunnel

Prerequisites

Using Windows 95 (Gold or A) Versions

Because Windows 95 Gold and Windows 95A use DUN 1.0, these releases do not support data transfer over tunnels established over PPP dial-up connections.
• Peer challenge phrase
• Target network IP address and subnet mask
• An account configured on a RADIUS server, if necessary
• An account configured with SecurID or SecureID Software Token’s ACE/Server, if necessary
• An account configured for Entrust, if necessary

Software Version Compatibility

The Hewlett-Packard Company strongly recommends that you use Release 6.8.2 of all VPN software.
Installing VPN Client

In this section, you install VPN Client on your PC.

Note: All network adapters to be secured using the VPN Client must have TCP/IP bound to them before installation.

Steps

To install VPN Client on your PC:
1. Quit all applications.
2. Place the CD-ROM into your computer’s CD-ROM drive.
3. In the Start menu, select Run.
4. In the Run window, select Browse and select your computer’s CD-ROM drive (for example, E:\).
5. Select setup.exe and click OK.
6.
the VPN Client to make available by accepting the default value of 2 or entering another number of tunnels you want. The maximum number of tunnels is four.
13. Select Next to continue. The User Configuration Files window appears.
14. Specify the location where you want to save future User Configuration files. Click Browse to select an alternate location.
15. Select Next to continue. The VPN Client software is installed on your computer.
Configuring the VPN Client for a Basic Tunnel

In this section, you configure the VPN Client software for a basic tunnel.

Steps

To configure a basic tunnel:
1. In the Start menu, select Programs, then HP SA3000 VPN Software, then VPN Client. The VPN Client Logon window appears. The first time you run VPN Client after installing it on your computer, you are prompted for a user name and password.
2. Enter your user name and password in the window that appears.
9. Enter Peer IP and Peer Name in the corresponding fields and click OK.
10. Select Enable WINS/DNS via VPN device and click OK.

You now have created a basic VPN tunnel. For more information on configuring advanced features of the VPN Client, see the online Help file within the VPN Client software.
6 Supplementary Procedures

This chapter contains supplementary procedures, which are done occasionally, as required. This chapter gives instructions for the following supplementary procedures:
• Installing or replacing the X.21 or V.
Installing or Replacing the X.21 or V.35 Serial Card in the VPN Device

This section explains how to install or replace the X.21 or V.35 serial card in your HP VPN Server Appliance SA3400/SA3450, and covers the following topics:
• Hardware requirements
• Safety precautions
• Backing up your configuration file
• Removing the cover of the VPN device
• Installing/replacing the X.21 or V.
Backing Up Your Configuration File

When you modify the VPN device’s internal hardware by installing or replacing the X.21 or V.35 serial card, you lose your device’s existing configuration file (ISBR.cfg). The Hewlett-Packard Company recommends that before you modify the VPN device’s internal hardware, you back up the ISBR.cfg file. You can use the VPN Manager or the TFTP Copy command to back up the ISBR.cfg file.
Reconfiguring the VPN Device

To reconfigure your VPN device:
1. Configure and run your terminal emulation program (such as HyperTerminal) to create an active console session. The VPN device recognizes a changed configuration and prompts you to reboot the device.
2. Press Enter to reboot the device. The VPN device reboots and displays its Manufacturing Mode Main menu:

    1. Configuration
    2. Self-diagnostics test
    3. User-diagnostics test
    4. Burn-in traffic tests
    5.
Hewlett-Packard VPN Server Appliance SA3110/SA3150/SA3400/SA3450 Installation Guide.

Restoring the Configuration

After you install or replace the X.21 or V.35 serial card in your VPN device, you need to again create the basic configuration file of the device. To restore your advanced configuration settings that you saved in your existing ISBR.cfg file, you need to open your old ISBR.
Using the Copy Command (TFTP)

The TFTP (Trivial File Transfer Protocol) copy command transfers a file to or from a TFTP server. The copy command can be used to upgrade firmware. Also, the copy command can be used to back up or restore configuration files. This transfer retains passwords and displays them in clear text.

This section tells you how to copy new or modified configuration files from the computer running the TFTP server to the VPN device.
The device reboots and the new settings take effect upon restart.
Capturing a Terminal Emulation Session as Text

This section tells you how to use a terminal emulation program such as HyperTerminal to capture a console session with a VPN device as a text file.

Prerequisite

You must have configured a console window before using it for text capture. See "Preparing to Configure a VPN device" in Chapter 3.

Steps

To capture a console session as a text file for later review:
1. At your desktop, double-click the Console icon.
Viewing a Terminal Emulation Session

This section tells you how to view a previously recorded terminal emulation session.

Steps

To view a previously recorded terminal emulation session:
1. Open Notepad (or similar text editor).
2. In the Start menu, select Programs, then Accessories, then Notepad.
3. In the File menu, select Open. The Open window appears.
4. In the list box, select the desired session.
5. Click Open. You return to the Notepad window.
Deleting the Current VPN Device Configuration

This section tells you how to delete the current VPN device configuration and restore the factory defaults.

Steps

To delete the current VPN device configuration:
1. At your desktop, double-click the HyperTerminal icon. The Console HyperTerminal window appears.
2. Press Enter three times. This causes HyperTerminal to send a handshake to the VPN device attached to COM port N on your PC.
Restoring the VPN Device Configuration

This section tells you how to restore the VPN device configuration to near-factory default condition, by deleting these four files:
• isbr.cfg
• safe.cfg
• lrvg.acl
• safe.acl

Steps

To delete these four files, and restore the VPN device configuration to near-factory default condition:
1. At the name-and-state prompt, enter del filename where filename equals the filename.extension of the first file to be deleted.
Viewing the IP Configuration

This section tells you how to use your computer’s operating system to identify the IP address of your computer’s interfaces.

Steps

To view your IP configuration:
1. In the Start menu, select Programs, then the MS-DOS prompt. The MS-DOS prompt appears.
2.
showing the node enter of your host computer, for example, hybrid
• NetBIOS Scope Id, showing the identification of the NetBIOS (Network Basic Input/Output System) scope, if any
• IP Routing Enabled, showing IP routing is enabled when checked; disabled when clear
• WINS Proxy Enabled, showing WINS (Windows Internet Naming Service) proxy routing is enabled when checked; disabled when clear
• NetBIOS Resolution Uses DNS, showing the NetBIOS resolution uses the DNS when checked;
• Lease Expires, showing the date and time the lease ends for the temporary IP address issued from the pool

Command Buttons

The IP Configuration window has the following command buttons:

Button        Function
OK            Lets you close the window and apply the configuration parameters shown
Release       Releases the current TCP/IP binds for the displayed adapter only so that a new stack can be created
Renew         Renews the current TCP/IP binding for the displayed adapter only
Release All
Using Telnet

This section tells you how to specify a remote connection using Telnet. One of the TCP/IP suite of protocols, Telnet provides virtual emulation across the Internet. Using IP as its transport mechanism, Telnet is received on application port number 23. Telnet provides a way to check device configuration in addition to using VPN Manager.

Note: Telnet is supported only on red (private) interfaces.

Steps

To specify a remote connection using Telnet:
1. In the Start menu, select Run.
11. Select the VT 100 arrows check box, then click OK. You return to the Connect window.
12. Click Connect. A Password prompt appears on the screen.
13. Enter the enable password. A row of asterisks (*) appears as you enter your password. The status Passed appears. Information concerning the device to which you are connected appears. You are provided with the command line prompt of the destination host.
Appendix — Network Infrastructure Checklists

This appendix provides:
• Checklist tables for you to complete, to gather network information that you need, before you install your VPN device
• A Port Combinations table to provide the ports you must use through any firewall that is in front of a VPN device, depending upon which protocols you support on your corporate network

Complete the following checklists before you install the VPN device.
Router Checklists

The router checklists ask for information about the external router that connects your network to the Internet. Complete the following router checklists:
• Router classification
• External router IP address and subnet mask
• Filter information
• VPN device address and subnet mask

Router Classification

If you are using an external router, specify the following information.
Filters

Determine if your existing router has filters. Do you plan to apply the filters to the incoming and outgoing traffic in the VPN device?

Yes / No

VPN Device IP Address and Subnet Mask

Assign the IP addresses and subnet masks to the VPN device that you plan to use as a router. If you plan to use the VPN device for a bridge, assign the same IP address and subnet mask to both interfaces.
Firewall Checklists

Firewall rules determine:
• Who can communicate from the corporate network to the Internet, and who can communicate from the Internet to the corporate network (by their IP addresses and subnet masks)
• What specific applications any individual user may access

With unrestricted access, a user’s IP address and subnet mask is 0.0.0.0, and the user can gain access to any application (http, ftp, and so on).
Inbound Firewall Access Rights

Inbound Users    IP Address    Subnet Mask    Accessible Applications
Using An Existing Firewall

If you are using an existing firewall, you need to ensure that you do not duplicate any of its IP addresses with those that you provide to your new VPN device.

Existing Firewall Information

Provide the manufacturer, type, and version of your existing firewall in the following table.
Internal Network Checklists

The internal network checklists pertain to how traffic is routed through your internal network.

Internal Default Router

Determine if your current network topology includes an internal default router. If yes, provide the IP address and subnet mask.

IP Address    Subnet Mask

LAN Cables and Connectors

The VPN device includes two RJ-45 UTP female connections.
Provide the types of cables and connectors it requires in the following table.

Connectors or Cables (Required? Yes/No):
• V.35 serial interface for Frame Relay
• X.21 serial interface for dedicated leased lines
• DTE or DCE adapter cable

Note: To select the correct adapter cable, you must know whether the VPN device is being connected to a DTE or DCE device (see next section).
[Figure: VPN Device, DSU/CSU and Frame Relay Device, each with (DTE) and (DCE) labels, joined by a DTE Adapter Cable and a DCE Adapter Cable]

This allows the VPN device to encrypt frame relay traffic before it is sent out on the frame relay network. In this configuration, you connect the VPN device to one port of the serial card with a DCE cable, and you connect the other serial card port to the DSU/CSU with a DTE cable.
IP Addresses    Subnet Masks

Network Protocols

Provide the protocols you run on your network in the following table:

Protocols (Yes/No):
• TCP/IP
• IPX/SPX
• NETBEUI
• AppleTalk
• Other_________________
Authentication Checklists

To set up authentication for the VPN device, complete the following checklists:
• Authentication types
• IP address and port for certificate authority (if applicable)

Authentication Types

Determine which authentication methods to use, and provide this information in the following table. You may use a combination of authentication applications for remote users and site-to-site connections.
Port Combinations Table

The following protocol and port combinations must be opened through any firewall that is in front of a VPN device.

Protocol: UDP
Destination Port: In: 2233 / Out: 2233
Source Port: All / All
These data packets are encrypted. They must be allowed through the firewall and should be directed to the device and no other destination address.
Protocol: UDP
Destination Port: In: 10026 / Out: 10026
Source Port: All / All
These are encrypted statistics packets bound for the VPN Manager. You should not open this firewall rule unless the VPN Manager is running outside the firewall.

Protocol: UDP
Destination Port: In: 10027 / Out: 10027
Source Port: All / All
These packets are certificate requests between the certificate authority server and a VPN device or HP client.
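The following is an added example, not part of the HP guide: a Python audit of a firewall rule list against the three UDP entries visible in the table above. The rule format, the 192.0.2.10 device address and all function names are constructed for illustration, and applying the "device and no other destination" requirement to inbound rules only is an assumption.

```python
# Added example: audit firewall rules against the Port Combinations Table.
# Rule format, addresses and names are constructed; they are not HP's.
import ipaddress

VPN_DEVICE = ipaddress.ip_address("192.0.2.10")  # constructed address (TEST-NET-1)

# UDP destination ports visible in the table excerpt above.
DATA_PORT = 2233    # encrypted data packets
STATS_PORT = 10026  # encrypted statistics packets bound for VPN Manager
CERT_PORT = 10027   # certificate requests (CA server <-> device or client)


def rule(direction, dst_port, dst, action="allow", proto="udp"):
    """Build one rule in the constructed format used by this example."""
    return {"direction": direction, "proto": proto, "dst_port": dst_port,
            "dst": dst, "action": action}


def allows(r, direction, port):
    """True if rule r permits UDP traffic to `port` in `direction`."""
    return (r["action"] == "allow" and r["proto"] == "udp"
            and r["direction"] == direction and r["dst_port"] == port)


def audit(rules, device=VPN_DEVICE, manager_outside_firewall=False):
    """Return a list of findings; an empty list means the rules fit the table."""
    findings = []
    device_only = ipaddress.ip_network(f"{device}/32")
    inbound_data = [r for r in rules if allows(r, "in", DATA_PORT)]

    # 1. The encrypted data packets must be allowed through to the device.
    if not any(device in ipaddress.ip_network(r["dst"]) for r in inbound_data):
        findings.append(f"no inbound allow for udp/{DATA_PORT} to {device}")

    # 2. They should be directed to the device and no other destination.
    for r in inbound_data:
        dst = ipaddress.ip_network(r["dst"])
        if dst != device_only:
            findings.append(
                f"udp/{DATA_PORT} inbound allowed to {dst}, not only {device}")

    # 3. The statistics rule stays closed unless VPN Manager is outside.
    if not manager_outside_firewall:
        for r in rules:
            if allows(r, "in", STATS_PORT) or allows(r, "out", STATS_PORT):
                findings.append(
                    f"udp/{STATS_PORT} ({r['direction']}) is open although "
                    "VPN Manager is inside the firewall")
    return findings


# Constructed rule sets: one that follows the table, one that is too broad.
GOOD_RULES = [
    rule("in", DATA_PORT, "192.0.2.10/32"),
    rule("out", DATA_PORT, "0.0.0.0/0"),
    rule("in", CERT_PORT, "192.0.2.10/32"),
]
LOOSE_RULES = [
    rule("in", DATA_PORT, "192.0.2.0/24"),   # whole subnet, not just the device
    rule("in", STATS_PORT, "192.0.2.0/24"),  # opened with the manager inside
]

if __name__ == "__main__":
    for name, rules in (("GOOD_RULES", GOOD_RULES), ("LOOSE_RULES", LOOSE_RULES)):
        print(name, audit(rules) or "ok")
```
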