Message Networking 5.2 Administration print guide

Transcription

1 Page 1 of 421 Administration print guide This print guide is a collection of system topics provided in an easy-to-print format for your convenience. Please note that the links shown in this document do not work online, and that some of the topics link to tasks that are not included in the PDF file. The online system contains all Message Networking documentation and is your primary source of information. This printable guide contains the following topics: Topic Page Number Message Networking initial administration checklist 2 Accessing the system 4 Verifying customer options 36 Performing voice system administration 39 Setting system parameters 46 Administering TCP/IP LAN connectivity 59 Administering remote machines 64 Administering Message Networking as a remote machine 266 Administering the Message Networking switch connection 267 Administering subscribers 277 Administering Enterprise Lists 312 Administering Call Detail Recording 367 Using the File Transfer Protocol 374 Administering SNMP 382 Administering SAL 400 Administering alarm management 401 Administering the system to send logging messages to an external server 404 Performing a secure file upload of administration scripts 405 Performing a secure file download of reports 406

2 Page 2 of 421 Message Networking initial administration checklist This topic provides a checklist that contains the tasks you must complete during initial Message Networking system administration. Administration procedures are provided in the online help and in the Administration print guide. Notes: Administration checklists are also provided for adding each remote machine type. Some tasks in the Message Networking administration checklists are also included in the remote machine checklists. If you did not complete configure network addressing during system installation, complete it now. The following table lists the procedures required for initial administration. The procedures are listed in the sequence in which they are performed. Task Description 1. Verify feature options for the Message Networking system 2. Administer analog support if system must support analog protocols: Administer the voice system Administer the switch connected to the Message Networking system 3. Administer remote access to allow a remote service center to connect to the Message Networking system remotely for troubleshooting or system maintenance 4. Administer the system parameters on the Message Networking system 5. Administer remote machines: Add remote machines Administer the Dial Plan Mapping for each remote machine Administer SMTP/MIME security Administer remote machine Directory Views View the Remote Machines List View the Remote Machines Dial Plan List Administer the Message Networking as a remote machine on each remote machine 6. Administer subscribers 7. Administer Enterprise Lists 8. Change the default passwords if you have not changed them during installation. Caution! It is critical that you change the sa password from the default to avoid unauthorized access to the system. 9. Administer the Access Security Gateway (ASG) (optional) 10. Configure the system for login authentication by an AAA server (optional)

3 Page 3 of Administer the system to send logging messages to an external server (optional) 12. Administer alarm management 13. Perform acceptance testing: Testing voice ports Calling Message Networking ports Testing remote machine connectivity between the Message Networking system and remote machines Sending a test message to a remote subscriber 14. Perform an attended backup

4 Page 4 of 421 Accessing the system This topic provides the following information: Logging In to Message Networking Logging out of Message Networking Administering passwords Managing local administration accounts Role-Based Access Control Managing administrative roles Changing the security warning Administering the ASG gateway Setting up remote access

5 Page 5 of 421 Logging in to the Message Networking system This topic provides information on logging in to the Message Networking system. You log in to the system using sa or another administrative login. For more information about administrative logins and when you would use a particular login, see Administering passwords. You can use two different methods to access the system: The console connected to the Message Networking system The Web browser from a separate system on the customer LAN The pages that display might be slightly different depending on your method of login. Caution! Your service technician installs your system with default passwords. You should immediately change these passwords after the installation is complete. After familiarizing yourself with the basic operations of the Message Networking system detailed in the next few sections, set new passwords. Logging from a console Use the following procedure to log in to Message Networking from the console connected to the system: To log in to the Message Networking system from the console: 1. Turn on the monitor. The system displays the following message: console login: 2. Type sa (or another appropriate login), and press Enter. The system is case sensitive, so use lowercase letters. The system displays the following message: password: 3. Enter the password for your login. The system displays the following message: terminal type: 4. Enter one of the following: linux for the console monitor 4410 for Terranova or PROCOMM PLUS 4410 emulation 4425 for a 4425 terminal 715 for a 715 terminal vt100 for a vt100 or vt131 terminal Note: Additional terminal types can be used and might work with no noticeable difference in functionality. However, inconsistency in the appearance of function keys and displays might result when using some terminals or emulators. The system displays an alert to add the certificate as an exception for the browser. 5. In the Alert dialog box, click Ok. 6. In the Secure Connection Failed dialog box, click Or you can add an exception... link 7. Click Add Exception In the Add Security Exception dialog box, click Get Certificate. 9. Click Confirm Security Exception. The system displays the Message Networking Web administration page. 10. In the Message Networking Web administration page, select items from the menu by clicking them.

6 Page 6 of 421 Logging from a Web browser If you have configured LAN/WAN network addressing, use the following procedure to log in to Message Networking from the Web browser of a separate system on the customer LAN. To log in to the Message Networking system from the Web browser: 1. Open the Web browser of a machine connected to the customer LAN. 2. In the Web browser screen, enter the address where localhost is the name of the machine and localdomain is the name of the company's domain (for example, The system displays a page with a security notice. Message Networking requires your browser to have a security certificate, which is used to establish an encrypted, secure session with the Avaya media server. 3. You can either accept the security certificate for your current browser session or install the certificate for the current session and all future sessions. Accept the server certificate for the current session only. Avaya recommends to use this option if you are accessing Message Networking on a one-time basis (for example, from a computer or browser that you do not normally use), or if you are unable to store the certificate for future sessions. Avaya recommends to install the certificate, if you are accessing Message Networking from a computer and browser that you plan to use again. This option is not always available and might not work on all systems. Note: The steps for accepting the certificate for the current session or installing the certificate varies, as per the browser you are using. You can also install the security certificate from the Security > Avaya Root Certificate page. For more information, see the Install Avaya Root Certificate Help page. The system displays a page with a security notice. 4. Click Continue to proceed. 5. In the Username field, type sa (or another appropriate login), and click Login. The system is case sensitive, so use lowercase letters. 6. In the Password field, enter the password for your login, and click Login. The system displays the Administration menu. Select items from the menu by clicking them.

7 Page 7 of 421 Logging out of the Message Networking system To log out of the Message Networking click Log Off at the top of the Administration menu on the Web-based administration page. The system logs you out. See Logging in to the Message Networking system if you need to log back in.

8 Page 8 of 421 Administering passwords This topic provides information on administering the passwords used to control access to the system. Use the procedures in this topic to administer the password rules, to change the password for a login, or to set the interval at which the system's passwords must be changed. Overview of passwords Access to the Message Networking system is controlled by a set of passwords that provide different access levels. The following administration accounts (also called logins) are provided with the system for system installers, administrators, and support personnel: sa: The sa login is for use by the customer's system administrators either from the console or from another computer on the customer's LAN. craft: The craft login is for use by Avaya personnel performing system installation, administration, or maintenance on the customer site, either from the console or from another computer on the customer's LAN. dadmin: The dadmin login is for use by Avaya Business Partners performing administration or maintenance on the customer site, either from the console or from another computer on the customer's LAN. The customer must use the craft login to activate the dadmin login and grant permission. The dadmin login has the same permissions as the craft login. icftp: The icftp login is for use with Message Networking's FTP feature. The FTP feature enables file importing and exporting. sappp: The sappp login is for use by a system administrator performing system administration and maintenance remotely using a dial-up connection. You must set up the sappp password to allow a remote administrator to dial in to the system. craftppp: The craftppp login is for use by remote Avaya personnel performing system installation, administration, or maintenance using a dial-up connection. You must set up the craftppp password to allow Avaya personnel to dial in to the system. When your system is installed, the sa and icftp logins come with default passwords. You must change these passwords immediately to ensure system security following minimum password standards. You must also set up the system's PPP logins, to allow a remote service center to dial in to the system to perform troubleshooting or system maintenance. For information on setting up these logins, see Administering logins and passwords. In addition to the administration accounts that are available after the system is installed, you can use the sa login to create new administration accounts for logging in to the system either from the console or from another computer on the customer's LAN. The administration accounts you create can have access privileges that are the same as the sa account, or you can create administration accounts that have different access privileges. For more information, see Managing local administration accounts. To create administration accounts that have access privileges that are different from the sa account, you first have to set up one or more administrative roles. When you set up an administrative role, you specify which webadministration pages the role can access and the access type. For more information about setting up administrative roles, see Role-Based Access Control and Managing administrative roles. When you create administration accounts, you can specify whether the account is authenticated locally when a user logs in to the system. Administration accounts can also be authenticated by an Authentication, Authorization, and Accounting (AAA) server, if one has been configured. For more information, see Configuring the system for login authentication by an AAA server. Additionally, you can administer several parameters of the password aging feature that will enhance the level of security the system maintains. Note: You can administer the Access Security Gateway (ASG) on the Message Networking system to provide

9 Page 9 of 421 additional security. The ASG provides strong authentication for the Message Networking system logins by challenging each potential dial-up session user when the authentication type for a particular login is set to ASG. To respond to the ASG challenge, the user must have a handheld device, called the ASG Key, which must be set with an ASG secret key number that matches that of the user's ASG secret key number in the Message Networking system. Guidelines for passwords To minimize the risk of unauthorized people using the Message Networking system, follow these guidelines for system passwords. Establish a new password as soon as the Message Networking system is installed. Use a password containing at least 6 alphanumeric characters. See Administering password rules. Never use obvious passwords, such as a telephone extension, room number, employee identification number, social security number, or easily guessed numeric or letter combinations. Do not post, share, print, or write down passwords. Do not put the password on a programmable function key. Change the password at least once per month. You can administer your system to age the password and notify you that a new password is required. For more information, see Setting administrator password aging. If you suspect that the security of any password has been compromised, notify your project manager or system administrator. Administering password rules Only Administrators who have access to Password Rules Administration page can administer the password rules. The ability to administer the password rules can be assigned using the Administrative Roles menu. To set the password rules, the administrator must complete the following fields: 1. In the Administration menu, under Security, click Password Rules. The system displays the Password Rules Administration page. For information about the fields on this page, click Help. 2. Complete the following fields: 1. Minimum Password Length: This ranges from 6 to 16 characters. The default minimum password length is 8 characters. 2. Number of Previous Passwords That Must Not Match: This defines the number of previous passwords that must not match. The system records the previous passwords used by each administrator. By default, this field is set to 1. If an administrator sets the value to 3, the new password must not match the previous 3 passwords including the current password. To allow users to use previously used passwords, set this value to 0. The range is Passwords Must Contain at Least this Many of the Selected Types of Characters: Specify the minimum number of character types that must be present in a password. You can select a value between one to four. This field should always be less than or equal to the number of character types selected. By default, this field is set to 2 and the character types selected are Lowercase and Numbers. Lowercase (a-z): If selected, the password must contain at least one lowercase alphabetic character from [a - z]. Uppercase (A-Z): If selected, the password must contain at least one uppercase alphabetic character from [A - Z]. Numbers (0-9): If selected, the password must contain at least one numeric value from [0-9]. Special Characters (@ % ~ - _ / + =.? [ ] { }! ^ * :,): If selected, the password must contain at least one special character. The system supports [@ % ~ - _ / + =.? [ ] { }! ^ * :

10 Page 10 of 421,] characters. 4. Number of Failed Login Attempts Before Account Lockout: You can set any value between zero and five. By default, the system sets the value to zero, which means the account does not get locked with any number of failed login attempts. If you set a value between one and five, the system keeps a track of the number of consecutive failed login attempts. The system denies access if the count of failed attempts exceed the value set by the administrator. For example, if the value is set to 4, and five consecutive login attempts fail, then the account gets locked. The system unlocks the account automatically within 10 minutes. 3. Click Save. Changing passwords You must immediately change the password for the sa, icftp, craft, and dadmin logins after your system is installed. Once a new password is established, you must also establish a regular schedule for changing the password, for example, at least monthly. Be sure to alert any other Message Networking administrators or system administrators after a password is changed. The logins for which you can change the password depend on your login. For example, when you log in using the sa login, you can change the password for the sa, icftp, and sappp logins. Every user can change the password associated with their own administration account (login). To change the password for a local administration account (login): 1. In the Administration menu, under Security, click Local Administrators. The system displays the Manage Local Administration Accounts page. For information about the fields on this page, click Help. 2. Select the login for the password you want to change. 3. Click Edit the Selected Admin. 4. In the Password field, type a new password. The new password should be as per the password rules set by the administrator in the Password Rules Administration page. If the Local Authentication Enabled? field is set to yes, a password must be entered for this local administration account. 5. In the Confirm Password field, type the new password again for verification. 6. Select the Change Password at next Logon field, to change the password when you log in to the Message Networking admin. 7. Click Save. To change the password for the icftp login: 1. In the Administration menu, under Security, click icftp Configuration. The system displays the icftp Configuration page. For information about the fields on this page, click Help. 2. In the Local Authentication Enabled? field, select yes if you want this login to be authenticated by the Message Networking system, select no if you want this login authenticated by an external AAA server. 3. In the New Password field, type a new password. The new password should be as per the password rules set by the administrator in the Password Rules Administration page. 4. In the Confirm Password field, type the new password again for verification. 5. Click Save. To change the password for your local administration account (login): 1. In the Administration menu, under Security, click Change My Password. The system displays the Change My Password page. For information about the fields on this page, click Help. 2. In the Old Password field, type your current password. 3. In the New Password field, type a new password containing. The new password should be as per the password rules set by the administrator in the Password Rules Administration page. 4. In the Confirm Password field, type the new password again for verification.

11 Page 11 of Click Save. Setting Administrator Password Aging You can determine how often the system's passwords have to be changed by setting Password Aging parameters. The logins for which you can set Password Aging parameters depend on your login. For example, when you log in using the sa login, you can set Password Aging parameters for the sa, icftp, and sappp passwords. Avaya recommends that you set Password Aging parameters to help maintain a high level of system security. To set Password Aging parameters: 1. In the Administration menu, under Security, click Local Administrators. The system displays the Manage Local Administration Accounts page. For information about the fields on this page, click Help. 2. Select the login for which you want to set Password Aging parameters. 3. Click Edit the Selected Admin. The system displays the Edit Local Administration Accounts page. 4. Complete the following fields: 1. Password Expiration: Select Enabled or Disabled. If the Password Expiration field is set to Enabled, in the days field, type the number of days a password can be valid/active before the user is forced to change it. The default value for the Password Expiration field is Disabled. The range for the days field is 1 through The default value for the days field is Minimum Age Before Changes: Select Enabled or Disabled. If the Minimum Age Before Changes field is set to Enabled, in the days field, enter the number of days before the user can change the password. You cannot change the password until the value specified in the days field has elapsed. For example, if you enter '5' in the days field, you cannot change the password for next 5 days. If the Minimum Age Before Changes field is set to Disabled, you can change the password as frequently as desired. By default, the Minimum Age Before Changes field is set to Disabled. The range for the Minimum Age Before Changes days field is 1 through 999. Note: The value you specify for the Minimum Age Before Changes days field must be less than or equal to the value you specify for the Password Expiration, days field. 3. Expiration Warning: Select Enabled or Disabled. If the Expiration Warning field is set to Enabled, in the days field, specify the number of days prior to password expiration that the expiration warning begins to display. At login, the system then displays a warning message that the password is scheduled to expire. When this message begins to appear depends on the value entered in the Expiration Warning, days field. For example, if you enter 5 in the Expiration Warning, days field, the expiration warning message begins to appear five days before the password expires, and continues displaying until the password is changed. By default, the Expiration Warning field is set to Enabled and days field is set to 10. You can set the Expiration Warning, days field to a value from 1 through 30. If the Expiration Warning field is set to Disabled, the system does not display an expiration warning message to change the password before the password gets expired. Note: The value you specify for the Expiration Warning, days field must be less than or equal to the value specified for the Password Expiration, days field. 4. Select the Change Password at next Logon field, to change the password when you log in to the Message Networking admin. 5. Click Save.

12 Page 12 of 421 Managing local administration accounts This topic describes how to manage administration accounts (logins) on the Message Networking system using the Web-based administration pages. System administrators who log in with the sa login, or an administration account that is allowed to access the Manage Local Administration Accounts page, can add, change, or delete administration accounts. The administration accounts you create can be assigned access levels that are the same as the sa account, or you can create administrative accounts that have different access privileges. To create administration accounts that have access privileges that are different from the sa account, you first have to set up one or more administrative roles. For more information about setting up administrative roles, see Role-Based Access Control and Managing administrative roles. For information about assigning or changing passwords, see Administering passwords. Note: If you are the system administrator using the sa login and lost your sa password, contact the remote support center to establish a new password. To add an administration account: 1. On the Message Networking administration Web interface, under Security, click Local Administrators. The system displays the Manage Local Administration Accounts page. For information about the fields on this page, click Help. 2. Click Add a new Admin. 3. On the Add Local Administration Account page, complete the User Name and Role ID fields. The Role ID you choose determines the access privileges for this administration account. 4. Complete the following fields: 1. Local Authentication Enabled?: Select yes or no to specify whether local authentication is enabled for this account. If this field is set to yes, you must enter a password for this local administration account. If this field is set to no, you cannot enter a password for this local administration account. By default, the value is set to yes. Note: If this field is set to no, you cannot enter a password and the administration account must be authenticated by an external AAA server. 2. Password: Enter the password for the local administration account. The characters you type appear as asterisks (*) for security purposes. If the Local Authentication Enabled? field is set to yes, you must enter a password for this local administration account. Note: The new password should be as per the password rules set by the administrator on the Password Rules Administration page. For more information, see Administering passwords. 3. Confirm Password: Retype the same password you entered in the Password field for verification. The characters you enter appear as asterisks (*) for security purposes. 4. Change Password at next Logon: Select the check box, if you want to change the password when you log into the Message Networking admin web interface. By default, this check box is selected. 5. Check the default values for the password expiration fields and change them if necessary. 6. Click Save. To change an administration account: 1. On the Message Networking administration Web interface, under Security, click Local Administrators. The system displays the Manage Local Administration Accounts page. For information about the fields on this page, click Help. 2. Select one of the existing administration accounts and click Edit the Selected Admin. 3. On the Edit Local Administration Account page, make any necessary changes. 4. Click Save.

13 Page 13 of 421 To delete an administration account: 1. On the Message Networking administration Web interface, under Security, click Local Administrators. The system displays the Manage Local Administration Accounts page. For information about the fields on this page, click Help. 2. Select one of the existing administration accounts and click Delete the Selected Admin. The system displays a confirmation message. 3. Click OK. The system displays a message that the user was successfully deleted. 4. Click OK.

14 Page 14 of 421 Role-Based Access Control Role-Based Access Control (RBAC) gives customers the ability to create administration accounts based on customer-defined roles. Customer-defined roles can be tailored to give each administrator only the access privileges that are needed to perform that administrator's job. When you set up an administrative role, you specify which web-administration pages the role can access and the access type. The access type can be read and write or read only. Roles assigned read and write access can view and modify settings for the web-administration pages that the role is allowed to access. Roles assigned read only access can view settings for the web administration pages that the role is allowed to access, but cannot modify settings. The administrative roles you create can have access privileges that are the same as the sa (system administrator) login, or you can create administrative roles that have different access privileges. The administrative role associated with the sa login is called a fixed or pre-defined role because it is set up when the system is installed and cannot be modified (edited). However, a fixed role can be copied to create a customerdefined (custom) role and then the custom role can be modified. For more information about administrative roles, see Managing administrative roles. When a custom role is created, the role is assigned a role identifier (Role ID), which is associated with a Linux group number. To avoid conflict with Linux group numbers that may be in use in other parts of the enterprise, Linux group numbers used for RBAC are offset by a number called the profile base number. If necessary, the system administrator can change the profile base number, which changes the range of Linux group numbers associated with role identifiers and customer-defined roles. For more information, see Changing the profile base. Role identifiers are also used to assign access privileges to administration accounts on the Message Networking system. For customers who use an Authentication, Authorization, and Accounting (AAA) sever to authenticate administration accounts (logins) on the Message Networking system, the same administrative roles must be defined on the AAA server. For information about configuring the Message Networking system for login authentication by a AAA server, see Configuring the system for login authentication by a AAA server.

15 Page 15 of 421 Changing the profile base This topic describes how to change the profile base. The profile base number defines the range of Linux group numbers that are associated with role identifiers (Role IDs) for locally defined administration accounts. To change the profile base: 1. On the Message Networking administration Web interface, under Security > Administrative Roles. The system displays the Manage Administrative Roles page. For information about the fields on this page, click Help. 2. On the Manage Administrative Roles page, click Edit Profile Base. 3. On the Edit Profile Base page, in the Profile Base field, change the profile base number. 4. Click Save.

16 Page 16 of 421 Configuring the system for login authentication by an AAA server This topic provides information about configuring an Authentication, Authorization, and Accounting (AAA) sever. An AAA server is an optional, customer-provided server that can be used to authenticate administration accounts (logins) on the Message Networking system. An administrator who uses the sa login, or an administration account that has permissions to access the Configure Authentication, Authorization, and Accounting (AAA) Server page, can configure an AAA server. You can configure one or two Remote Authentication Dial-In User Service (RADIUS), Lightweight Directory Access Protocol (LDAP), or Active Directory servers. Only one type of AAA server (RADIUS, LDAP, or Active Directory) can be enabled. Administration accounts on the Message Networking system that will be authenticated by a RADIUS AAA server must be defined on the Message Networking server and the AAA server. For a RADIUS AAA server, passwords associated with administration accounts on the Message Networking server, must be changed on the AAA server. For an LDAP or Active Directory AAA server, passwords associated with administration accounts on the Message Networking server can be changed from the Message Networking server, if allowed by the AAA server. For information about changing passwords, see Managing local administration accounts. For all types of AAA servers, it may take one hour or more for a password change to take effect. To use Transport Layer Security (TLS) or Secure Sockets Layer (SSL) to encrypt the information sent to and from an AAA Server, in addition to configuring the server to use TLS or SSL (see the LDAP and Active Directory configuration procedures below), a security certificate must be installed on the Message Networking system and on the AAA server. For more information see, Managing security certificates. To configure a RADIUS server: 1. In the Administration menu, under Security, click AAA Configuration. The system displays the Configure Authentication, Authorization, and Accounting (AAA) Server page. For information about the fields on this page, click Help. 2. Select RADIUS. 3. In the Server Name field, enter the Fully Qualified Domain Name, an alias, or the IP address of the AAA server. 4. The default port number for a RADIUS server is 1812 (UDP). To use a different port number, in the Alternate Port field, type the port number you want to use. 5. In the Shared Secret field, enter the shared secret for encryption of the login credentials that are passed to the AAA server for authentication. Note: The shared secret you enter for this field must match the shared secret administered on the AAA server. 6. Click Save. To configure an LDAP server that complies with RFC 2307 (POSIX): 1. In the Administration menu, under Security, click AAA Configuration. The system displays the Configure Authentication, Authorization, and Accounting (AAA) Server page. For information about the fields on this page, click Help. 2. Select LDAP (POSIX). 3. In the Server Name field, enter the Fully Qualified Domain Name, an alias, or the IP address of the AAA server. 4. The default port number for an LDAP server is 389. To use a different port number, in the Alternate Port field, enter the port number you want to use. 5. In the Base DN field, enter the LDAP base Distinguished Name (DN). Note: This is the base DN of the LDAP directory on the AAA server where user login credentials are stored. This LDAP directory is used to authenticate user logon requests.

17 Page 17 of To use Transport Layer Security (TLS) or Secure Sockets Layer (SSL) to encrypt the information sent to and from the AAA server, select the Use TLS/SSL check box. 7. To specify a Bind DN (also called a User DN), complete the Bind DN, Password, and Confirm Password fields. If you do not specify a Bind DN and password, an anonymous bind will be used to connect to the AAA server. 8. Click Save. To configure an Active Directory server running Services for UNIX (SFU): 1. In the Administration menu, under Security, click AAA Configuration. The system displays the Configure Authentication, Authorization, and Accounting (AAA) Server page. For information about the fields on this page, click Help. 2. Select ACTIVE DIRECTORY (SFU). 3. In the Server Name field, enter the Fully Qualified Domain Name, an alias, or the IP address of the AAA server. 4. The default port number for an LDAP server is 389. To use a different port number, in the Alternate Port field, enter the port number you want to use. 5. In the Base DN field, enter the LDAP base Distinguished Name (DN). Note: This is the base DN of the LDAP directory on the AAA server where user login credentials are stored. This LDAP directory will be used to authenticate user logon requests. 6. To use Transport Layer Security (TLS) or Secure Sockets Layer (SSL) to encrypt the information sent to and from the AAA server, select the Use TLS/SSL check box. 7. To specify a Bind DN (also called a User DN), complete the Bind DN, Password, and Confirm Password fields. If you do not specify a Bind DN and password, an anonymous bind will be used to connect to the AAA server. 8. Click Save. To configure an Active Directory server running Identity Management for UNIX (IDMU): 1. In the Administration menu, under Security, click AAA Configuration. The system displays the Configure Authentication, Authorization, and Accounting (AAA) Server page. For information about the fields on this page, click Help. 2. Select ACTIVE DIRECTORY (IDMU). 3. In the Server Name field, enter the Fully Qualified Domain Name, an alias, or the IP address of the AAA server. 4. The default port number for an LDAP server is 389. To use a different port number, in the Alternate Port field, enter the port number you want to use. 5. In the Base DN field, enter the LDAP base Distinguished Name (DN). Note: This is the base DN of the LDAP directory on the AAA server where user login credentials are stored. This LDAP directory will be used to authenticate user logon requests. 6. To use Transport Layer Security (TLS) or Secure Sockets Layer (SSL) to encrypt the information sent to and from the AAA server, select the Use TLS/SSL check box. 7. To specify a Bind DN (also called a User DN), complete the Bind DN, Password, and Confirm Password fields. If you do not specify a Bind DN and password, an anonymous bind will be used to connect to the AAA server. 8. Click Save. To disable all configured AAA servers, on the Configure Authentication, Authorization, and Accounting (AAA) Server page, select NONE. Any configured servers are disabled, but the configuration information remains, so that you can easily enable the server.

18 Page 18 of 421 Managing administrative roles This topic describes how to manage administrative roles on the Message Networking system using the Webbased administration pages. System administrators who log in with the sa login, or an administration account that is allowed to access the Manage Administrative Roles page, can add, change, copy, or delete administrative roles. To add an administrative role: 1. On the Message Networking administration Web interface, under Security, click Administrative Roles. The system displays the Manage Administrative Roles page. For information about the fields on this page, click the field names or Help. 2. Click Add a new Role. 3. On the Add Role page, enter a Role Name and select a Role ID. 4. For the Access Type field, select Read & Write or Read Only. 5. In the table at the bottom of the page, use the Allow and Deny buttons to specify which Webadministration pages this administrative role is allowed to access. 6. Click Save. The system displays a confirmation message. 7. Click OK. To view or change an administrative role: Note: Role IDs 20 through 69 can be edited. Role IDs 2 through 19 are reserved for fixed roles and can be viewed or copied, but cannot be edited. 1. On the Message Networking administration Web interface, under Security, click Administrative Roles. The system displays the Manage Administrative Roles page. For information about the fields on this page, click Help. 2. Select one of the existing administrative roles and click Edit the Selected Role. 3. On the Edit Role page, make the necessary changes. 4. Click Save. The system displays a confirmation message. 5. Click OK. To copy an administrative role: 1. On the Message Networking administration Web interface, under Security, click Administrative Roles. The system displays the Manage Administrative Roles page. For information about the fields on this page, click Help. 2. Select one of the existing administrative roles and click Copy the Selected Role. 3. On the Copy Role page, select a Copy To Role ID and enter a Copied Role Name. 4. Click Save. The system displays a confirmation message. 5. Click OK. 6. If necessary, edit the administrative role. To delete an administrative role: Note: Role IDs 20 through 69 can be deleted. 1. On the Message Networking administration Web interface, under Security, click Administrative Roles.

19 Page 19 of 421 The system displays the Manage Administrative Roles page. For information about the fields on this page, click Help. 2. Select one of the existing administrative roles and click Delete the Selected Role. The system displays a confirmation message. 3. Click OK.

20 Page 20 of 421 Managing security certificates To use Transport Layer Security (TLS) or Secure Sockets Layer (SSL) to encrypt the information sent by the Message Networking system to and from an LDAP Server, a security certificate must be installed on the Message Networking server and on the AAA server. Use the following procedure to upload the security certificate from an LDAP AAA server and install the certificate on the Message Networking server. The Avaya Root certificate from the Message Networking server must also be installed on the LDAP AAA server. To upload a security certificate: 1. On the Message Networking administration Web interface, under Security > Certificate Management. The system displays the Manage Certificates page. For information about the fields on this page, click Help. 2. Click Upload Certificate. 3. On the Upload Certificate page, in the Certificate Name field, enter a name for the security certificate. Note: The certificate name you enter must match the server name you enter on the Configure Authentication, Authorization, and Accounting (AAA) Server page. 4. In the Path to Certificate File field, enter the path to the certificate file, or click Browse and navigate to the certificate file. 5. Click Save. To delete a security certificate: 1. On the Message Networking administration Web interface, under Security, click Certificate Management. The system displays the Manage Certificates page. For information about the fields on this page, click Help. 2. Select the security certificate you want to delete. 3. Click Delete the Selected Certificate.

21 Page 21 of 421 Changing the security warning A security warning appears on the first Web-administration page when you log in to the Message Networking system. A default security warning message is distributed with the Message Networking system. You can use the Manage Security Warning page to change or replace the text of the security warning. You can directly edit the text of the security warning or replace the entire contents of the security warning by specifying a different text file. The security warning text is limited to 1200 characters. To edit the security warning text: 1. On the Message Networking administration Web interface, under Security, click Security Warning. The system displays the Manage Security Warning page. For information about the fields on this page, click Help. 2. In the Security Warning Text text box, edit the security warning text. 3. Click Save. The system displays a confirmation message. 4. On the confirmation dialog box, click OK. To replace the security warning with a different text file: 1. On the Message Networking administration Web interface, under Security, click Security Warning. The system displays the Manage Security Warning page. For information about the fields on this page, click Help. 2. In the Path to Security Warning File field, enter the path to the security warning file, or click Browse to find the security warning file. 3. Click Save. The system displays a message asking you to confirm that you want to replace the security warning text with the file you specified. 4. To replace the current security warning text with the file you specified, click OK. To keep the current security warning text, click Cancel. To replace the current security warning text with the default security warning text: 1. On the Message Networking administration Web interface, under Security, click Security Warning. The system displays the Manage Security Warning page. For information about the fields on this page, click Help. 2. Click Delete. The system displays a confirmation message. 3. On the confirmation dialog box, click OK. 4. Click Save. The system displays a confirmation message. 5. On the confirmation dialog box, click OK.

22 Page 22 of 421 Administering the Access Security Gateway (ASG) The Access Security Gateway (ASG) provides the newest generation of strong authentication for the Message Networking system logins. ASG protects the Message Networking system by challenging each potential dial-up session user when the authentication type is set to ASG for that particular login (such as sa). The following table lists the types of authentication supported on the system and the access ID required for each authentication type. Authentication type ASG Password Blocked Access ID required ASG challenge/response System password no access allowed To respond to the ASG challenge, the user must have a handheld device, called the ASG Key. The ASG Key must be set with an ASG secret key number that matches that of the user's ASG secret key number in the Message Networking system. This topic includes the following information: Logging in with ASG Maintaining ASG login IDs Adding an ASG login Blocking or reinstating access privileges for an ASG login Changing the ASG secret key number for an ASG login Displaying ASG login information Disabling ASG authentication Setting and resolving violation warnings Setting notification limits Resolving ASG security violation warnings

23 Page 23 of 421 Logging in with ASG When you begin a remote session with a Message Networking system that has the ASG feature activated, the system prompts you with a challenge. To log in to a system that has ASG activated for your login: 1. Enter your login ID at the login: prompt. The terminal screen displays the following message: Challenge: xxxxxxx Response: 2. Press Enter on the ASG Key to start the ASG Key. The ASG Key displays the following message: PIN: 3. On the ASG Key, type your PIN, and press Enter. 4. On the ASG Key, type the challenge number that is displayed on the terminal screen, and press Enter. The ASG Key displays the unique, 7-digit response number that corresponds to the challenge number you entered. The challenge and response numbers are valid for this session only. 5. On the terminal screen at the Response: prompt, enter the response number that is displayed on the ASG Key. If the authentication process is successful, the system displays the Administration main menu for the sa login. If the authentication process fails, the system makes an entry in the system History Log and displays the following message: INVALID LOGIN After a certain number of unsuccessful attempts, which is set in the Login Security Violation Warning Administration page, the system generates a warning alarm.

24 Page 24 of 421 Maintaining ASG login IDs Once you establish an ASG login for a Login ID, anyone with that login who attempts to access your system remotely through a protected port is prompted for the challenge response number. Maintaining ASG login IDs involves the following tasks: Adding an ASG login Blocking or reinstating access privileges for an ASG login Changing the ASG secret key number for an ASG login Displaying ASG login information Disabling ASG authentication

25 Page 25 of 421 Adding an ASG login This topic provides information on adding an ASG login to the system. Note: The default authentication type for sa is password, which requires the usual login and password. You must be logged in as sa to add an ASG login for sa. To add a new ASG login to your system: 1. On the Message Networking administration Web interface, under Security, click ASG Login Administration. The system displays the ASG Security Login Administration page. For information about the fields on this page, click Help. 2. Select the login from the Login ID drop-down menu. 3. Select ASG from the Authentication Type? drop-down menu to activate ASG authentication. Note: If you select Password from the Authentication Type? drop-down menu, the system uses regular Message Networking password protection. See Guidelines for Passwords for more information. 4. Do one of the following in the Secret Key Action field: Click System Generated Key to have the system randomly generate an ASG secret key number. Then leave the Secret Key field blank. Click User Entered Key if you want to enter the secret key that the system uses to generate ASG responses. Then type the secret key in the Secret Key field. Click Keep Previous Key if you want to use the previous value of the secret key used by the system generates ASG responses. Then leave the Secret Key field blank. Do not make a selection for the Secret Key Action field if you select Password in the Authentication Type? field. Then leave the Secret Key field blank, also. 5. Click Save to make the changes. The system displays a confirmation page with the ASG secret key number that must match the ASG Key when a user attempts to log in. The ASG secret key number must be entered into the ASG Key as Key1 or Key2.

26 Page 26 of 421 Blocking or reinstating access privileges for an ASG login You can block ASG login access temporarily if necessary. To block or reinstate access for the ASG login: 1. On the Message Networking administration Web interface, under Security, click ASG Login Administration. The system displays the ASG Security Login Administration page. For information about the fields on this page, click Help. 2. Select the Login ID (User ID) that you want to block or reinstate. You can choose only from the IDs in the list. You cannot create new IDs. 3. To block the user's access to the system, select Blocked from the Authentication Type? drop-down menu. 4. To reinstate the user's access to the system, select ASG from the Authentication Type? drop-down menu. 5. Click Save to accept the page settings. The system displays a confirmation page.

27 Page 27 of 421 Changing the ASG secret key number for an ASG login The ASG secret key number is used by the system and by the ASG Key handheld device to create challenge response pairs of numbers. If an ASG secret key number is lost or compromised, it must be changed in the system and in all associated ASG Key handheld devices. To change the ASG secret key number: 1. On the Message Networking administration Web interface, under Security, click ASG Login Administration. The system displays the ASG Security Login Administration page. For information about the fields on this page, click Help. 2. Click ASG login ID in the Login ID field. 3. In the Secret Key Action field, click one of the following: System Generated Key if you want the system to generate a unique secret key number User Entered Key if you want to enter your own secret key number. 4. Complete the Secret Key field if you selected User Entered Key from the Secret Key Action field. 5. Click Save to accept the page settings. The system displays the ASG secret key number that must be entered into the ASG Key handheld device.

28 Page 28 of 421 Displaying ASG login information You can check the status of an ASG login if necessary. To display ASG login information: On the Message Networking administration Web interface, under Security, click ASG Login Display. The system displays the Display ASG Security Login Information page.