OmniAccess 3500 Nonstop Laptop Guardian Release 1.2 Administration Guide

OmniAccess 3500 Nonstop Laptop Guardian Release 1.2 Administration Guide

Document Version:
Part Number: Rev B
Published:

Alcatel-Lucent Proprietary

Copyright 2007 Alcatel-Lucent. All rights reserved. This document may not be reproduced in whole or in part without the express written permission of Alcatel-Lucent. Alcatel-Lucent and the Alcatel-Lucent logo are registered trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners.

Table of Contents

About This Document
  The OmniAccess 3500 NLG Library
  Contacting Technical Support
Chapter 1. OmniAccess 3500 NLG Platform Components
  OmniAccess 3500 NLG Gateway
  OmniAccess 3500 NLG Card
  Management System Software
Chapter 2. OmniAccess 3500 NLG Initialization Tasks
  Working with the Management System GUI
  Launching the Management System GUI
  Logging into the Management System GUI
  Window Navigation
  Common Operations
  Technical Support Information
  Logging Out of the Management System GUI
  Initial Configuration of Gateway Parameters
  Administrator Accounts
  Administrators
  Authentication Methods
  Remote Access Provisioning
  Connection Manager Settings
  File Upload
  License Manager
  End User Provisioning
  Users and User Groups
  OmniAccess 3500 NLG Cards
  Laptops
  Application Provisioning
  Device Management Applications
  Personal Firewall
Chapter 3. OmniAccess 3500 NLG Runtime Administration Functions
  Viewing Laptop Asset Information
  Viewing User Status Information
  Viewing the Laptop Location
  Laptop Remote Lock
  Laptop Remote Unlock
  One-Time Password Generation
  Encrypted Volume Management
  Connection Manager Show Information
  Logs and Alarms
  Log Viewer
  Log History
  Syslog
Chapter 4. OmniAccess 3500 NLG Infrastructure Maintenance
  Backing Up and Restoring the OmniAccess 3500 NLG Gateway Configuration
  Automatic Backup Configuration
  Restoration Procedure
  Upgrading the OmniAccess 3500 NLG Gateway Configuration
  Configuration Upgrade
Chapter 5. OmniAccess 3500 NLG Administrative Information Base
  Devices
  Users
  Hosts
  Services
  Policies
  Fault Manager
  License Manager
  Management Access
  Configuration Manager
  Utilities

About This Document

The OmniAccess 3500 Nonstop Laptop Guardian (NLG) administrator finds in this document general information about the OmniAccess 3500 NLG Release 1.2 (R1.2) product and detailed information on the use of the management system Graphical User Interface (GUI) and on the maintenance of the OmniAccess 3500 NLG gateway. The document is divided into the following chapters:

Chapter 1, OmniAccess 3500 NLG Platform Components, provides an overview of the components that make up the OmniAccess 3500 NLG.
Chapter 2, OmniAccess 3500 NLG Initialization Tasks, details configuration and provisioning tasks that the administrator performs on the OmniAccess 3500 NLG components prior to their deployment.
Chapter 3, OmniAccess 3500 NLG Runtime Administration Functions, describes tasks that the administrator performs at runtime on the deployed OmniAccess 3500 NLG components.
Chapter 4, OmniAccess 3500 NLG Infrastructure Maintenance, illustrates procedures for servicing and upgrading the OmniAccess 3500 NLG gateway (including the management system software that runs on it).
Chapter 5, OmniAccess 3500 NLG Administrative Information Base, contains detailed descriptions for all information objects that are accessible through the management system GUI. The OmniAccess 3500 NLG administrator should refer to this chapter to better understand the meaning and intended use of the objects that compose the information base.

The OmniAccess 3500 NLG Library

Other documents in the OmniAccess 3500 NLG library include the following:

The OmniAccess 3500 Nonstop Laptop Guardian Release 1.2 Gateway Quick Start Guide (available at: ) provides the IT administrator/technician with an overview of the OmniAccess 3500 NLG gateway and with the minimum information needed to set up the gateway and connect it to the network.
The OmniAccess 3500 Nonstop Laptop Guardian Release 1.2 Gateway Installation Guide (available at: ) provides the IT administrator/technician with detailed instructions for the installation and initial configuration of the OmniAccess 3500 NLG gateway.
The OmniAccess 3500 Nonstop Laptop Guardian Release 1.2 Application Note: Integration of PatchLink Update and Microsoft SMS (available at: ) provides the IT administrator with instructions for the integration of the OmniAccess 3500 NLG platform with the PatchLink Update and Systems Management Server (SMS) applications (PatchLink Update is a Lumension Security product; SMS is a Microsoft product).
The OmniAccess 3500 Nonstop Laptop Guardian Release 1.2 Card Quick Start Guide (available at: ) provides the end user with an overview of the OmniAccess 3500 NLG card and with the necessary information for its installation.
The OmniAccess 3500 Nonstop Laptop Guardian Release 1.2 End User Reference Guide (available at: ) provides the end user with instructions for the daily operation of the OmniAccess 3500 NLG card.
The OmniAccess 3500 Nonstop Laptop Guardian Release 1.2 Features Overview presents the feature set composition for the current release of the product.
The OmniAccess 3500 Nonstop Laptop Guardian Technical Overview presents release-independent information about the product's technology and features.

Contacting Technical Support

Alcatel-Lucent technical support is committed to resolving our customer's technical issues in a timely manner. Customers with inquiries should contact us at:

Region                 Phone Number
North America
Latin America
Europe
Asia Pacific
Other International

support@ind.alcatel.com
Internet:

Customers with Alcatel-Lucent service agreements may open cases 24 hours a day via Alcatel-Lucent's support web page at: service.esd.alcatel-lucent.com.

Chapter 1. OmniAccess 3500 NLG Platform Components

The OmniAccess 3500 NLG platform is built on the following three logical components:

OmniAccess 3500 NLG gateway: An enhanced remote access server that deploys at the edge of the enterprise network.
OmniAccess 3500 NLG card: An intelligent EV-DOrA data card that plugs into the end-user laptop and includes a processor, non-volatile memory, and independent power.
Management system software: A management platform that can be installed in any general-purpose enterprise server (including the OmniAccess 3500 NLG gateway). In the OmniAccess 3500 NLG R1.2 the management system software is always embedded in the OmniAccess 3500 NLG gateway.

Figure 1 displays the OmniAccess 3500 NLG platform components.

Figure 1 - OmniAccess 3500 NLG platform components

After receiving the box with the OmniAccess 3500 NLG card, the end user downloads the client software (a collection of Windows drivers and applications that enable the laptop for OmniAccess 3500 NLG functionality) from the OmniAccess 3500 NLG support website (the URL is printed on the end user welcome card that comes with the box). The laptop activates the client software the first time the card is plugged in.

OmniAccess 3500 NLG Gateway

The OmniAccess 3500 NLG gateway combines the following physical and functional elements:

Two network interfaces (10/100/1000 Mbps Ethernet), of which one is external (handling traffic to and from the public Internet) and one internal (facing the inner portion of the enterprise network).
A processing subsystem (CPU, OS, and management system software) that implements the OmniAccess 3500 NLG functions.

A hardware acceleration module for IPsec encryption/decryption, key management, and compression.
A hard disk for storage of local information and application caching.
A secure management interface for driving all OmniAccess 3500 NLG operation, administration, management, and provisioning (OAM&P) procedures.

The OmniAccess 3500 NLG gateway terminates the secure remote-access tunnels, manages user credentials and security policies (up to 16K users in the OmniAccess 3500 NLG R1.2), and provides storage and file transfer capabilities in support of third-party remote-access and device-management applications. The OmniAccess 3500 NLG gateway also cooperates with the OmniAccess 3500 NLG card in ensuring that vertical handovers (run-time connectivity switchovers from one laptop interface to another) are not disruptive to running network applications.

Figure 2 - Recommended placement of the OmniAccess 3500 NLG gateway within the network

The OmniAccess 3500 NLG gateway is best deployed as a stub of the enterprise firewall at the edge of the enterprise network (Figure 2): the firewall and the OmniAccess 3500 NLG gateway exchange encrypted traffic over the external interface of the gateway and decrypted traffic over its internal interface. This way the firewall can apply full protection both to the external interface of the OmniAccess 3500 NLG gateway and to the inner portion of the enterprise network. Alternative, sub-optimal arrangements can also be adopted to match topological and functional peculiarities that may be found in the pre-existing network infrastructure.

Multiple instances of the OmniAccess 3500 NLG gateway can be deployed within the same enterprise network to increase capacity and extend geographical coverage and service availability. In the OmniAccess 3500 NLG R1.2, each OmniAccess 3500 NLG gateway is installed with its own management system instance and serves its own set of OmniAccess 3500 NLG cards. The gateway's physical location can be either intra-premises or extra-premises (e.g., in a data center).

For detailed information on installing the OmniAccess 3500 NLG gateway, see the OmniAccess 3500 Nonstop Laptop Guardian Release 1.2 Gateway Installation Guide. For information on the maintenance of the OmniAccess 3500 NLG gateway software, see the chapter entitled OmniAccess 3500 Nonstop Laptop Guardian Infrastructure Maintenance in this document.

OmniAccess 3500 NLG Card

The OmniAccess 3500 NLG card is a CardBus device that can be field-installed in a laptop with a PCMCIA slot. The card contains a local processor, flash memory, and a 3G modem (EV-DO Release A), all powered by an on-card rechargeable battery. During normal operation, the card draws power from the laptop. The rechargeable battery supplies power when the laptop is in standby mode or in shutdown mode.

The OmniAccess 3500 NLG card works with Windows-based laptops with the following minimum configuration:

CPU: X86 1GHz
Memory: 512 MB
Free hard disk space: 1 GB
Operating system: Windows XP Home, Professional, or Tablet edition
One PC Cardbus slot

For information on installing the OmniAccess 3500 NLG card and the client software, see the OmniAccess 3500 Nonstop Laptop Guardian Release 1.2 Card Quick Start Guide.

Management System Software

The management system is the sole management portal to the OmniAccess 3500 NLG gateway, cards, and laptops. It is a software-only component that can be installed in any Linux server with adequate resources, including the OmniAccess 3500 NLG gateway (in the OmniAccess 3500 NLG R1.2 the gateway is actually the only option available for the installation of the management system software).

Chapter 2. OmniAccess 3500 NLG Initialization Tasks

The management system performs all OAM&P functions for the OmniAccess 3500 NLG platform. The management system GUI is the single entry point to those functions for the IT administrator. This chapter explains how to:

Launch the management system GUI, log into an administrator account, browse through the GUI sections, and log out of the administrator account.
Perform initialization tasks from the management system GUI, including the following:
  Completing the gateway installation: After installing the gateway or upgrading its software, you must configure parameters that enable the gateway interoperation with the other functional components of the corporate network.
  Configuring administrator accounts: You can add administrator accounts to the system, as well as view, edit, and delete existing administrator information (including the authentication method).
  Configuring RADIUS servers for administrator authentication: You can configure RADIUS servers for administrator accounts that do not use locally-defined credentials for authentication.
  Configuring the connection manager: You can set configuration parameters and view status information for the functional components of the OmniAccess 3500 NLG gateway that define how the remote access connections are established.
  Managing licenses: You can create, delete, and renew user licenses.
  Provisioning users: You must complete certain tasks before starting deployment of the OmniAccess 3500 NLG cards, such as configuring a user group and associating it with a personal firewall policy, and adding a new user to a user group.
  Provisioning cards: You can add and delete OmniAccess 3500 NLG card instances, or edit their configuration.
  Provisioning laptops: You can add and delete laptop instances, or edit their configuration.
  Setting up the assisted file transfer facility: You can configure your IT applications for automatic offline synchronization between laptop and enterprise folders.
  Managing policies: You can configure the personal firewall policies that are installed in the OmniAccess 3500 NLG cards.

Working with the Management System GUI

The management system GUI is a web server application that runs on the OmniAccess 3500 NLG R1.2 gateway. Every instance of the management system has exclusive control over the OmniAccess 3500 NLG gateway where it is installed.

Launching the Management System GUI

To launch the management system GUI, you must open a web browser and connect to the HTTPS URL of the target GUI instance. The procedure is the same irrespective of whether you are working from a remote terminal or at the console of the OmniAccess 3500 NLG gateway that hosts the management system.

Logging into the Management System GUI

1. After you launch the GUI, the login window appears (Figure 3).

Figure 3 - Login window

2. Enter your Administrator ID and Password.
3. Click Login.
4. A banner window appears (Figure 4).

Figure 4 - Banner window

5. Click Accept to log into the GUI.

Note: To customize your banner page, contact the OmniAccess 3500 NLG customer support.

6. Next, the Home window appears (Figure 5). This window displays system settings information. You can click Home at any time during your GUI session to return to the Home page.

Figure 5 - Home window

Note: The first time you log into the management system GUI after installing the gateway or upgrading its software, you will find most settings still undefined. Please follow the instructions in the section Initial Configuration of Gateway Parameters for completing the initialization of the OmniAccess 3500 NLG gateway before moving on to other administrative tasks.

Window Navigation

The OmniAccess 3500 NLG configurable objects are accessible by clicking on them in the menu bar on the left-hand side of the GUI window. Object windows have the following format:

First row: window name
Second row: action tabs (see the Common Operations section below for common action tabs)
Third row: field descriptions. Click on a field description to apply that field as the sorting criterion for the listed objects.

Common Operations

Most objects allow the following operations:

New: Click this button to create a new instance of the object.
Open: Click this button to view information about an object instance. Fields on the Open windows are read-only.
Edit: Click this button to modify settings for an object instance.
Delete: Click this button to remove an object instance from the system. A message will appear asking you to confirm the deletion. Click Yes to delete the object you selected.
Status: Click this button to update the status for an object instance and review it.
Configure: Click this button to perform configuration actions on an object instance.

To complete actions on a window, click one of the following buttons that appear at the bottom of the window:

After viewing information on a window, click OK.
After changing information on a window, click Save.
To exit a window without saving changes, click Cancel.

Note: Always use the GUI's interface buttons to navigate. With some browsers (e.g., Internet Explorer) using the browser's navigation buttons will result in being sent to an error window (login session expiration) and then back to the login window.

You can access online support information at any time by clicking the Support link that appears at the top right corner of every window (see the Technical Support Information section below for more details).

You can access online help information (a web reproduction of this document) at any time by clicking the Help link that appears at the top right corner of every window.

Technical Support Information

Click the Support button at the top right of any window to see technical support contact information in the Gateway Support Information window (Figure 6).

Figure 6 - Gateway Support Information

Support information can be added or edited using the following procedure:

1. Click Gateway on the main menu.
2. Click Edit Support Information. The Edit Gateway Support Information window appears (Figure 7).
3. Type support contact information into the fields or edit the existing information.
4. Click Save.

Figure 7 - Edit Gateway Support Information

Logging Out of the Management System GUI

1. To log out of the management system GUI, click the Logout link near the top of the window (see Figure 8 for the location of the Logout link).
2. Alternatively, you can exit the application by closing the web browser window.

Figure 8 - Logout button

Initial Configuration of Gateway Parameters

After physical installation of the OmniAccess 3500 NLG gateway or installation of a software upgrade, you must configure the gateway for interoperation with the other nodes of your network. This section describes the procedure for this initial configuration.

1. The first time the management system GUI is opened, the Gateway Settings window appears (Figure 9). Click New.

Figure 9 - Gateway Settings

2. The Gateway Configuration (Add) window appears (Figure 10).

Figure 10 - Gateway Configuration (Add)

3. Type the appropriate information into the fields that do not contain default values (see the Gateway portion of the Devices section in Chapter 5, OmniAccess 3500 NLG Administrative Information Base, for a detailed description of each field).
4. Click Save when you are finished entering information.
5. A window appears stating that the operation has been successful.
6. The gateway will reboot and resume operation with the last saved configuration.

Administrator Accounts

The management system admits one super administrator account (pre-configured) and multiple plain administrator accounts (configured exclusively by the super administrator). The super administrator can create, modify, and delete plain administrator accounts through the Management Access section of the management system GUI. Plain administrators cannot configure other administrator accounts. The super administrator and all plain administrators have identical administrative privileges over all configurable objects of the management system GUI. No more than one login session per administrator account can be active at any time.

The super administrator always uses locally-defined credentials to log into the management system GUI. For every plain administrator account, instead, the super administrator can choose between local and RADIUS-based authentication. RADIUS is a distributed client/server system that secures networks against unauthorized access. The OmniAccess 3500 NLG management system integrates a RADIUS client for communication with the RADIUS server(s) that may be deployed within the enterprise network. The Management Access section of the management system GUI includes facilities for configuring the RADIUS servers for RADIUS-based authentication of the plain administrators.

Administrators

The super administrator can use this GUI object to add, view, edit, and delete administrator accounts.

To add an administrator:

1. Click Administrators on the main menu.
2. On the Administrators Information window, click New. The Administrators Information (Add) window appears (Figure 11), displaying the following fields:

Login ID: The login ID for the administrator account you are creating.
Authentication Method: Select <Local> (for authentication based on locally defined username and password) or <RADIUS> (for authentication by a RADIUS server).
RADIUS Server: From the drop-down menu, select <None> (if the selected authentication method is <Local>) or the pre-populated IP address of a RADIUS server (if the selected authentication method is <RADIUS>).
First Name: The first name of the new administrator.
Last Name: The last name of the new administrator.
Password: The password of the new administrator. The value assigned to this field is relevant only if the selected authentication method is <Local>. If the selected authentication method is <RADIUS>, the password needed by the administrator for authentication is set separately through the RADIUS infrastructure.
Re-enter Password: Re-enter the password of the new administrator (relevant only if the authentication method is set to <Local>).
The address of the new administrator.
Address: The mailing address of the new administrator.
City: The city of the new administrator.
State: The state of the new administrator.
Country: The country of the new administrator.
Zip: The zip code of the new administrator.
Phone: The new administrator's office phone number.
Mobile: The new administrator's mobile phone number.

3. Click Save.

Figure 11 - Administrators Information (Add)

Authentication Methods

The OmniAccess 3500 NLG R1.2 supports the following two methods for authentication of a plain administrator:

1. Local: The management system authenticates the administrator with locally configured login ID and password (default method).
2. RADIUS: A RADIUS server installed in the network authenticates the administrator with a login ID that is configured with the administrator account and a password that is remotely assigned according to the applicable RADIUS-supported authentication method.

The super administrator can use the Authentication Methods object of the management system GUI to configure the RADIUS servers that support non-local authentication methods for the plain administrators. Each administrator is assigned to one of the available RADIUS servers. To access this object, click Authentication Methods under Management Access and then click RADIUS Server.

To add a RADIUS configuration:

1. On the RADIUS Server Configuration window, click New. The RADIUS Configurations (Add) window appears (Figure 12), displaying the following fields:

Server IP Address: IP address of the RADIUS server you are adding.
Authentication Port: UDP port for the authentication requests (default: 1812).
Accounting Port: UDP port for the accounting requests (default: 1813). Currently not used.
Timeout (seconds): Time interval (in seconds) between consecutive retransmissions of the same request from the OmniAccess 3500 NLG gateway to the RADIUS server if the gateway receives no reply from the RADIUS server (default: 30).
Shared Secret: Authentication key used for all RADIUS exchanges between the gateway and the RADIUS server. The key must match the authentication method set for the RADIUS daemon.
Authentication Method: Authentication method supported by the RADIUS server. Available options: <CHAP> (challenge-based) and <PAP> (simple password).

2. Click Save.
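
What the <PAP> and <CHAP> options place in a RADIUS Access-Request, and what the Shared Secret does in each case, shown as an added example (not part of the original guide or of the product's software). It follows the attribute encodings of RFC 2865; the secret, password, authenticator, and challenge values are constructed.

```python
import hashlib
import hmac

# Constructed sample values, for illustration only.
SECRET = b"constructed-shared-secret"
PASSWORD = b"constructed-admin-passphrase"      # 28 bytes, padded to 32 by PAP
REQUEST_AUTH = bytes(range(16))                 # 16-byte Request Authenticator
CHALLENGE = bytes(range(16, 32))                # CHAP challenge


def keystream(secret: bytes, prev: bytes) -> bytes:
    """One 16-byte pad block: MD5(shared secret + previous block)."""
    return hashlib.md5(secret + prev).digest()


def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password attribute value for <PAP> (RFC 2865, section 5.2)."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = keystream(secret, prev)
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += block
        prev = block                      # chaining: next pad depends on this block
    return hidden


def pap_reveal(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of PAP: undo the hiding with the server's copy of the secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, keystream(secret, prev)))
        prev = block
    return clear.rstrip(b"\x00")


def pap_login_ok(hidden, request_auth, server_secret, stored_password) -> bool:
    """A mismatched Shared Secret yields garbage here, so the login is rejected."""
    recovered = pap_reveal(hidden, server_secret, request_auth)
    return hmac.compare_digest(recovered, stored_password)


def chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password attribute value for <CHAP>: ident + MD5(ident + password + challenge)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()


def chap_verify(attr: bytes, stored_password: bytes, challenge: bytes) -> bool:
    """Server side of CHAP: recompute the digest from the stored password."""
    if len(attr) != 17:
        return False
    return hmac.compare_digest(attr, chap_password(attr[0], stored_password, challenge))


if __name__ == "__main__":
    hidden = pap_hide(PASSWORD, SECRET, REQUEST_AUTH)
    print("PAP  User-Password :", hidden.hex())
    print("PAP  matching secret accepted  :", pap_login_ok(hidden, REQUEST_AUTH, SECRET, PASSWORD))
    print("PAP  mismatched secret accepted:", pap_login_ok(hidden, REQUEST_AUTH, b"other", PASSWORD))
    attr = chap_password(7, PASSWORD, CHALLENGE)
    print("CHAP CHAP-Password :", attr.hex())
    print("CHAP verified      :", chap_verify(attr, PASSWORD, CHALLENGE))
```

With <PAP> the password travels in reversibly hidden form and its confidentiality rests on the Shared Secret; with <CHAP> only a digest is sent, but the RADIUS server must be able to read the stored password to recompute it.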

Figure 12 - Radius Configurations (Add)

Remote Access Provisioning

The infrastructural components needed to establish the remote access connections to the gateway, including the OmniAccess 3500 NLG licenses, are provisioned through the following sections of the management system GUI:

1. Connection Manager Settings: Configuration of address pools, server addresses, packet classification rules, and tunnel profiles, needed by the OmniAccess 3500 NLG gateway to handle the remote requests for IPsec tunnel establishment. You can create new objects by clicking the New button and entering the required information, or you can view/remove existing objects by selecting an object and clicking the Open/Delete button. Please note that to modify any parameter of a Connection Manager object, you must first delete the object and then create a new one with the desired parameter values. See the following sections for more details.
2. Gateway File Upload: Installation of the files needed by the gateway to participate in all secure transactions with its network peers (including the OmniAccess 3500 NLG cards).
3. License Manager: Installation of the service licenses that enable connectivity between the OmniAccess 3500 NLG cards and the gateway.

Connection Manager Settings

The Connection Manager Settings section of the management system GUI provides control over gateway objects that are needed for configuration of the remote access connections.

ADDRESS POOL

Address pools are sets of IP addresses from which the gateway draws the pair of VPN addresses that it assigns to the OmniAccess 3500 NLG card and associated laptop upon establishment of the IPsec tunnel. The addresses for the card and for the laptop are drawn from different, disjoint sets. Multiple sets can be assigned to the cards (Card sets) and to the laptops (Laptop sets).

To add an address pool:

1. Click Gateway on the main menu and then click Configure Advanced Settings.
2. On the Configure menu, click Address Pool.
3. Click New. A Connection Manager Address Pool (Add) window appears (Figure 13), displaying the following fields:

IP Address: The base IP address for the definition of the IP address range from which the OmniAccess 3500 NLG gateway draws the pair of VPN addresses.
Netmask (x.x.x.x): The netmask for the definition of the IP address range from which the OmniAccess 3500 NLG gateway draws the pair of VPN addresses. The Netmask value must be expressed as an IP address (e.g., < >).
Type: The platform component that will receive the VPN addresses out of this address pool. Select <Card> or <Laptop> from the drop-down menu.

4. Click Save.

Figure 13 - Connection Manager Address Pool (Add)
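
A pre-flight check for a planned set of address pools, shown as an added example (not part of the original guide or of the product's software): it accepts only netmasks written in dotted form, as the Netmask field requires, and reports Card and Laptop pools that are not disjoint. The pool values are constructed, and the per-type address count is an upper bound because the guide does not say which addresses in a range the gateway actually hands out.

```python
from ipaddress import IPv4Network, collapse_addresses
from itertools import combinations

POOL_TYPES = ("Card", "Laptop")

# Constructed sample plan: (IP Address, Netmask, Type) as entered in the GUI.
PLANNED_POOLS = [
    ("10.8.0.0", "255.255.255.0", "Card"),
    ("10.8.1.0", "255.255.255.0", "Laptop"),
    ("10.8.0.128", "255.255.255.128", "Laptop"),   # falls inside the Card pool
]


def pool_network(base_ip: str, netmask: str) -> IPv4Network:
    """Turn a base address plus dotted netmask into a network object.

    ipaddress also accepts prefix lengths ("24") and host masks ("0.0.0.255");
    both are rejected here because the field expects a netmask in x.x.x.x form.
    Non-contiguous masks such as 255.0.255.0 raise ValueError inside ipaddress.
    """
    net = IPv4Network(f"{base_ip}/{netmask}", strict=False)
    if str(net.netmask) != netmask:
        raise ValueError(f"netmask {netmask!r} is not in dotted netmask form")
    return net


def audit_pools(pools):
    """Return (overlaps, capacity) for a list of (ip, netmask, type) tuples.

    overlaps: every pair of pools sharing at least one address. A Card/Laptop
              pair violates the disjointness the guide requires; a same-type
              pair is redundant configuration.
    capacity: distinct addresses available per type after merging overlaps.
    """
    nets = []
    for ip, mask, kind in pools:
        if kind not in POOL_TYPES:
            raise ValueError(f"unknown pool type {kind!r}")
        nets.append((pool_network(ip, mask), kind))

    overlaps = [
        (str(a), kind_a, str(b), kind_b)
        for (a, kind_a), (b, kind_b) in combinations(nets, 2)
        if a.overlaps(b)
    ]
    capacity = {
        kind: sum(n.num_addresses
                  for n in collapse_addresses(net for net, k in nets if k == kind))
        for kind in POOL_TYPES
    }
    return overlaps, capacity


if __name__ == "__main__":
    found, capacity = audit_pools(PLANNED_POOLS)
    for a, kind_a, b, kind_b in found:
        print(f"overlap: {kind_a} pool {a} and {kind_b} pool {b}")
    print("addresses per type:", capacity)
```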

SERVER TABLE

The Server Table allows the configuration of the DNS, WINS, and default-gateway addresses that the gateway passes to the card and laptop together with the VPN addresses. Only one address can be set for each type of server.

To add a server table entry:

1. Click Gateway on the main menu and then click Configure Advanced Settings.
2. On the Configure menu, click Server Table.
3. Click New. A Connection Manager Server Table (Add) window appears (Figure 14), displaying the following fields:

Type: The type of server for which the address is being configured. Options (choose one): <DNS> (DNS server), <WINS> (WINS server), and <GUARD_PRIVATE_IP> (IP address of the LAN:1 virtual interface of the gateway).
Primary IP Address: IP address of the first network server being configured.
Secondary IP Address: IP address of the second network server being configured.

4. Click Save.

Figure 14 - Connection Manager Server Table (Add)

RULES

The entries of the Rule Information table define the packet classification behavior for the firewall and IPsec endpoint that are embedded in the OmniAccess 3500 NLG gateway.

The embedded firewall can be used to restrict the network traffic that the gateway exchanges over its interfaces, assuming the function of an enterprise firewall in a network where an enterprise firewall may not be already deployed. The firewall rules may or may not be associated with existing IPsec tunnels.

The embedded IPsec endpoint handles the requests to open IKEv2 and IPsec security associations that the OmniAccess 3500 NLG cards originate from their current locations. The gateway uses the IPsec endpoint rules to match incoming IKEv2 requests with sets of IKEv2/IPsec parameters (Tunnel Table entries) to be used in the configuration of the resulting security associations.

To add a packet classification rule:

1. Click Gateway on the main menu and then click Configure Advanced Settings.
2. On the Configure menu, click Rules.
3. Click New. A Connection Manager Rules (Add) window appears (Figure 15), displaying the following fields:

Precedence: Rule precedence with respect to other rules defined in the same context. The priority of the rule is higher with a higher precedence value.
Type: Rule type, to be chosen out of <Pass> (accept all packets matching the rule), <Drop> (drop all packets matching the rule), and <Reject> (drop all packets matching the rule and for each dropped packet notify the sender).
Protocol: Protocol Identifier value carried by the packets that match the rule. Options (choose one): <IP>, <TCP>, <UDP>, <ICMP>.
Source IP/[Mask]: Range of IP addresses to be checked against the source IP address field in the packet header.
Source Port Low, Source Port High: Range of port values to be checked against the source port field in the packet header.
Destination IP/[Mask]: Range of IP addresses to be checked against the destination IP address field in the packet header.
Destination Port Low, Destination Port High: Range of port values to be checked against the destination port field in the packet header.
Interface Name: Network interface on the OmniAccess 3500 NLG gateway where the packet filter rule applies. Options (choose one): <WAN> (for the WAN/public interface of the gateway), <LAN> (for the LAN/private interface of the gateway).
Local Stack Direction: Packet direction with respect to the local IP stack of the OmniAccess 3500 NLG gateway. Options (choose one): <ANY> (the rule applies to traffic in any direction), <From> (the rule only applies to traffic from the local IP stack, i.e., outgoing traffic), <To> (the rule only applies to traffic to the local IP stack, i.e., incoming traffic).
Tunnel Direction: This object enables the association of the packet classification rule with a tunnel profile. Options (choose one): <None> (no tunnel is to be associated with the rule, which is therefore strictly a packet filtering rule), <To Tunnel> (packets matching the rule are dispatched through an IPsec tunnel whose profile is identified by the <To Tunnel> value; if an existing IPsec tunnel is not found for a matching packet, it is created before the packet is delivered), <From Tunnel> (packets matching the rule are received from an IPsec tunnel whose profile is identified by the <From Tunnel> value; if a remote request to open an IPsec tunnel is received on a packet whose header matches the rule, the OmniAccess 3500 NLG gateway uses the tunnel profile specified in the <From Tunnel> value to conduct the subsequent negotiations).
To Tunnel: Name of the tunnel profile for the IPsec tunnel that dispatches the matching packet.
From Tunnel: Name of the tunnel profile for the IPsec tunnel over which the matching packet is received.

4. Click Save.

Figure 15 - Connection Manager Rules (Add)

TUNNEL TABLE

The Tunnel Table contains a list of tunnel profiles used to define the parameters of the IKE and IPsec Security Associations that are created either by the OmniAccess 3500 NLG gateway or by request of the OmniAccess 3500 NLG cards. More specifically, the configuration of the Tunnel Table entries drives the run-time selection of the hashing and encryption algorithms used for message authentication and content protection in the IKEv2 and IPsec exchanges.

To add a tunnel profile:

1. Click Gateway on the main menu and then click Configure Advanced Settings.
2. On the Configure menu, click Tunnel Table.
3. Click New. A Connection Manager Tunnel Table (Add) window appears (Figure 16), displaying the following fields:

Name: Name of the tunnel profile.
Identity Type: Type of identifier used to designate the local tunnel endpoint (residing on the OmniAccess 3500 NLG gateway) in the security association negotiations. Options (choose one): < > ( address, as in <user@domain.ext>), <FQDN> (Fully Qualified Domain Name, as in <hostname.localdomain.ext>), <DN> (Distinguished Name, used for identification of an entry in an LDAP directory, as in <dn: cn=john Doe,dc=example,dc=com>, where <cn=john Doe> is the Relative Distinguished Name of the entry and <dc=example,dc=com> is the Distinguished Name of the parent entry).
Identity: Identity value for the local tunnel endpoint, specified in the format required by the <Identity Type> value.
Algorithms to be used for IPsec Negotiations: Encryption and hashing algorithm to be used in the IPsec tunnel. Options (choose one): <3DES-SHA1>, <AES128-SHA1>, <AES192-SHA1>, <AES256-SHA1> (3DES, AES128, AES192, and AES256 are the encryption algorithms available for selection; the hashing algorithm is SHA-1 in all cases).
Algorithms to be used for IKE Negotiations: Encryption and hashing algorithm to be used for protection of the IKEv2 exchanges. Options (choose one): <3DES-SHA1>, <AES128-SHA1>, <AES192-SHA1>, <AES256-SHA1> (3DES, AES128, AES192, and AES256 are the encryption algorithms available for selection; the hashing algorithm is SHA-1 in all cases).
Lifetime of the IKE SA in seconds: Maximum duration of the IKEv2 Security Association that controls the IPsec tunnel between the OmniAccess 3500 NLG card and the OmniAccess 3500 NLG gateway.
Lifetime of the IPsec SA in seconds: Maximum duration of the IPsec Security Association that carries encrypted packets from one end of the secure remote access connection to the other (i.e., maximum lifetime of a remote-access tunnel).

4. Click Save.

Note: As the OmniAccess 3500 NLG gateway is first installed, the Rules Table contains a default set of pre-defined rules. Within the set, the rules with precedence 78, 79, and 150 must be replicated for every new tunnel profile that is added to the Tunnel Table. When the first Tunnel Table entry is created, delete the current version of each rule and replace it with a new version that includes reference to the Tunnel Table entry in the To Tunnel or From Tunnel field. For subsequent replications of the rules, simply create new rules with identical structure as the existing ones, but with reference to the appropriate Tunnel Table entry.

Figure 16 - Connection Manager Tunnel Table (Add)

To view/delete information for an address pool, a server table entry, a filter rule, or a tunnel table entry:

1. Click Gateway on the main menu and then click Configure Advanced Settings.
2. On the Configure menu, click Address Pool, Server Table, Rule, or Tunnel Table, depending on the type of information you want to view.
3. A Gateway Configure window opens, displaying your selection.
4. Click the checkbox next to an item to select it.
5. Click Open to view the object details and then OK when you want to return to the Gateway Settings window. Click Delete and then OK to remove the object and return to the Gateway Settings window.

File Upload

The following files must be installed in the gateway to enable its participation in secure transactions with other network nodes:

Keytab File: File containing the credentials of the gateway for authentication with the Active Directory Server (ADS). The file must necessarily be uploaded to the gateway before any interaction with the Active Directory (AD) infrastructure can start. This includes the case where the method used for authentication of one or more user groups changes from RADIUS to AD.
CA Certificate: Digital certificate of the Certificate Authority (CA), which includes the CA's public key and digital signature. The same CA certificate is installed in the OmniAccess 3500 NLG cards.

CA Certificate Revocation List: List of certificates issued by the Certificate Authority that have been revoked before their natural expiration.
Gateway Certificate: Certificate (public key) of the gateway, used by peer network nodes for encryption of the messages that they send to the gateway.
Gateway Private Key: Secret key used by the gateway to decrypt the messages that it receives from peer network nodes (including the OmniAccess 3500 NLG cards).

To install the security files:

1. Click Gateway on the main menu.
2. Click File Upload. The Gateway Configuration File Upload window appears (Figure 17).
3. Browse through the file system of your computer to find the appropriate files to fill out each of the following fields: Keytab File, CA Certificate, CA Certificate Revocation List, Gateway Certificate, and Gateway Private Key.
4. Click Upload Files.

Figure 17 - Gateway Configuration File Upload

License Manager

Only cards that are covered by a valid OmniAccess 3500 NLG license issued by Alcatel-Lucent can establish the VPN tunnel to the gateway. Every license is strictly associated with the service provider that offers broadband wireless access to the 3G subscriptions of the cards. The duration of a license can be 1 month, 3 months, 6 months, 1 year, 2 years, or unlimited. The number of end users in the license defines the maximum number of end users that can be provisioned in the management system at any time. If necessary, a license can be issued for a single end user. The customer enterprise specifies all license parameters upon ordering the license file.

A sample license file looks like the following:

    testlic
    100
    xyzwireless
    01/01/2007
    12/31/2007
    mgyxde0fd8xbn0eeyvukre11u319bakyiu5omfxipwajirzp//u17g==

The meaning of each line in the file is as follows:

The first line (testlic in the example) is the license identifier, unique for every license.
The second line (100 in the example) is the number of users.
The third line (xyzwireless in the example) is the service provider for which this license is valid.
The fourth line (01/01/2007 in the example) indicates the start date for the license in mm/dd/yyyy format.
The fifth line (12/31/2007 in the example) indicates the end date for the license in mm/dd/yyyy format.
The sixth and last line (mgyxde0fd8xbn0eeyvukre11u319bakyiu5omfxipwajirzp//u17g== in the example) is a digital signature of the first five license lines and of the Gateway Certificate ID that is set with the procedure described in the Initial Configuration of Gateway Parameters section above (the installation of the actual certificate is described in the File Upload section, also above).

The License Manager section of the management system GUI allows you to view/create/renew/delete your card licenses.

To add a license:

1. Click Card Licenses on the main menu.
2. On the Card Licenses window, click New. The Card License Upload window appears (Figure 18), displaying the following field:

License File: Browse through your computer's file system to find the license file previously obtained from Alcatel-Lucent and assign it to this text box.

3. Click Upload License. If this license is valid, a new entry will appear on the Card Licenses window.
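The six-line layout described above can be checked before a license file is uploaded. The following Python code is an added example, not Alcatel-Lucent code: it parses the guide's sample, enforces the user count and the mm/dd/yyyy dates, and reports the validity window. Treating the last line as base64 and both dates as inclusive are assumptions; the signature is not verified because the guide does not name the algorithm.

```python
"""Added example: structural check of an OmniAccess 3500 NLG card license file."""
import base64
import binascii
import re
from dataclasses import dataclass
from datetime import date, datetime

# Sample license as printed in the guide, one field per line.
SAMPLE_LICENSE = """testlic
100
xyzwireless
01/01/2007
12/31/2007
mgyxde0fd8xbn0eeyvukre11u319bakyiu5omfxipwajirzp//u17g==
"""

_DATE_RE = re.compile(r"\d{2}/\d{2}/\d{4}")


class LicenseFormatError(ValueError):
    """Raised when a license file does not follow the six-line layout."""


@dataclass(frozen=True)
class CardLicense:
    license_id: str
    max_users: int
    service_provider: str
    start: date
    end: date
    signature: bytes  # kept opaque: the guide does not name the algorithm

    def is_active(self, today: date) -> bool:
        # Assumption: the start date and the end date are both inclusive.
        return self.start <= today <= self.end

    def available(self, provisioned: int) -> int:
        # Mirrors the "Available" column: users that can still be provisioned.
        return max(self.max_users - provisioned, 0)


def _parse_date(text: str, label: str) -> date:
    # strptime alone accepts 1/1/2007, so require two-digit month and day first.
    if not _DATE_RE.fullmatch(text):
        raise LicenseFormatError(f"{label} is not in mm/dd/yyyy format: {text!r}")
    try:
        return datetime.strptime(text, "%m/%d/%Y").date()
    except ValueError as exc:
        raise LicenseFormatError(f"{label} is not a real date: {text!r}") from exc


def parse_license(text: str) -> CardLicense:
    """Parse the six license lines; raise LicenseFormatError on any defect."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 6:
        raise LicenseFormatError(f"expected 6 lines, found {len(lines)}")
    license_id, users, provider, start_s, end_s, sig_s = lines
    if not re.fullmatch(r"[0-9]+", users) or int(users) < 1:
        raise LicenseFormatError(f"number of users must be 1 or more: {users!r}")
    start = _parse_date(start_s, "start date")
    end = _parse_date(end_s, "end date")
    if end < start:
        raise LicenseFormatError("end date is earlier than start date")
    try:
        # Assumption: the signature line is base64 (suggested by the '==' padding).
        signature = base64.b64decode(sig_s, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise LicenseFormatError("signature line is not valid base64") from exc
    return CardLicense(license_id, int(users), provider, start, end, signature)


if __name__ == "__main__":
    lic = parse_license(SAMPLE_LICENSE)
    print(lic.license_id, lic.max_users, lic.service_provider, lic.start, lic.end)
```

A file that passes this check can still be rejected by the gateway, which validates the signature against the first five lines and the Gateway Certificate ID.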

Figure 18 - Card License Upload

To view detailed information for all your licenses:

1. On the main menu, click Card Licenses. The Card Licenses window appears (Figure 19), displaying the following fields for each entry:

Name: Unique name that identifies the license.
Service Provider: Service provider for which this license is valid.
Max. Licenses: Maximum number of users served by this license that can be provisioned in the management system at any given time.
Available: Number of users that can still be provisioned with this license.
Start Date: Start date for this license in mm/dd/yyyy format.
End Date: End date for this license in mm/dd/yyyy format.

Figure 19 - Card Licenses

The same information can be displayed for a single license by clicking the checkbox next to the license name and then clicking Open (Figure 20).

Figure 20 - Card License Information

To renew a license:

1. On the Card Licenses window, click Renew.
2. The Card License Upload window appears.
3. Follow the same procedure described above for adding a new license in order to replace the old license file with a new one.

End User Provisioning

This section explains how to provision OmniAccess 3500 NLG cards and associated laptops and users.

The following tasks must be completed on the management system GUI before starting deployment of the OmniAccess 3500 NLG cards:

1. Configure a user group.
2. Associate the user group with a personal firewall policy.

The following tasks must be completed on the management system GUI before deploying a new card:

1. Add a new user.
2. Place the new user into an existing user group.
3. Create a user license for the card.

Warning: To prevent the end user from arbitrarily removing the OmniAccess 3500 NLG client software from the laptop without losing the data it contains, the administrator must ensure that no Windows System Restore point exists in the laptop when the client software is installed.

Users and User Groups

Users can be administered either individually, or can be assigned to a user group and have administrative functions assigned to the group as a whole.

To manually add a user to the system:

1. Click Users on the main menu.
2. From the User Information menu, click New. The User Information (Add) window appears (Figure 21), displaying the following fields:

Login: The login name of the user (e.g., jdoe).
Domain: The Windows domain name for the user. If the enterprise uses a RADIUS-based method instead of an Active Directory infrastructure to authenticate the end users for network access, the Domain field should be filled with the Laptop ID as set up in the laptop configuration.
Full Name: The real name of the user (e.g., John Doe).
Base Unlock Password: Base password used to generate the One-Time Password (OTP). Do not use special characters (such as &) in this field.

Connectivity Timeout (sec): Total laptop power-on time during which the laptop is allowed to work without VPN tunnel to the OmniAccess 3500 NLG gateway. The corresponding timer is reset every time the IPsec tunnel to the gateway is established while the laptop is powered on. A warning pops up on the laptop's screen five minutes before expiration of the connectivity timeout. If the timeout expires, the laptop locks and can only be unlocked with an OTP received from the IT helpdesk.
OTP Valid Time (sec): Amount of time that the laptop will remain unlocked after the one-time password has been successfully entered. After this time interval expires, all tamper checks are enabled again.
Card ID: The Electronic Serial Number (ESN) of the card assigned to this user. One card only can be assigned to a given user.
Laptop ID: The laptop assigned to this user. One laptop only can be assigned to a given user.
User Group: The user group to which the user belongs. A given user can belong to only one user group.
Certificate ID: The identifier of the Digital Certificate that is used in the activation of the card. The identifier must be expressed in the format: <CN=value>, where CN stands for common name and value is the common name of the certificate (available in the Subject field of the certificate). Please note that this parameter is case-sensitive.
License ID: Select a license name from the pull-down menu. The user can connect to the enterprise between the start and end dates specified in the license you have selected.

3. Click Save.

Figure 21 - User Information (Add)

Once you have added users, you can add them to user groups. You can have as many user groups as you like. A given user can belong to only one user group.

To manually add a user group:

1. First you must add users to the system. Follow the instructions above to add a user.
2. Next, add the users to a user group. From the User Groups Information menu, click New. The User Group Information (Add) window appears (Figure 22), displaying the following fields:

Name: Type in a name for the new user group.
Description: An optional field into which you can type any additional information.
Radio Timeout (sec): A switch on the OmniAccess 3500 NLG card turns the 3G modem on and off. The radio timeout field indicates how long the switch can remain in the off position with the laptop powered on before the Windows Lock screen appears on the laptop's monitor. The lock screen can be unlocked using the Windows Logon credentials, but only as long as the Connectivity Timeout does not expire.
Policy: The Personal Firewall Policy that is installed in all the OmniAccess 3500 NLG cards of this user group.

3. Click Save.

Figure 22 - User Group Information (Add)

You can modify the list of users for a group by editing user groups. The same fields whose initialization is described above can be modified for an existing user group.

You can also import user and user group information automatically from your Active Directory Server (ADS), which is particularly useful when the number of OmniAccess 3500 NLG users to add or re-configure is large.

To configure a new automatic ADS import profile for a user group:

1. Click Active Directory on the main menu and then click New in the Active Directory Server Configuration window. The Active Directory Import User Information window appears (Figure 23).

Figure 23 - Active Directory Import User Information

2. Enter the necessary information for the following fields:

Server IP: IP address of the ADS to be used as the source of the user record.
Password: Password needed for access to the ADS.
Authentication: Type of authentication required for access by the ADS. The <Simple> option is typical for Active Directory.
Search Base CN: Common name; for example, Administrator, Users.
DC: Domain name (e.g., evrs.example.com).
NetBIOS: The NetBIOS name corresponding to the Domain name (e.g., evrs in the domain name evrs.example.com).
User Group: Name of the user group to be imported from the ADS.

3. Click Save.

To import user records based on a pre-configured automatic import profile:

1. Click Active Directory on the main menu, select the checkbox next to a server configuration entry in the Active Directory Server Configuration window, and then click Import.

2. The management system connects to the ADS, retrieving data for the target user group.
3. Click OK on the Active Directory User Import window.

If an automatic import profile includes users that are already present in the management system database, the execution of the automatic import transaction based on that profile does not modify the records of those users. When completed, the transaction shows a Status: Failed! message with a list of the users whose records could not be imported because they already exist in the management system database. If you wish to automatically update a user record that already exists in the management system database, you must first delete the old record and then invoke the automatic import procedure with a profile that includes the target user.

OmniAccess 3500 NLG Cards

Once users are configured, you can provision OmniAccess 3500 NLG card information. This must be done before connecting a card to the OmniAccess 3500 NLG gateway; otherwise, the card will not be recognized by the system and will be denied access to the enterprise network.

You can perform the following administrative functions for the cards:

View card information.
Add a card to the system.
Edit card information.
Delete a card.
Update and review the status of a card.

To add an OmniAccess 3500 NLG card to the system:

1. To access this function, click Cards on the main menu.
2. On the Card Information menu, click New. The Card (Add) window appears (Figure 24), displaying the following fields:

Card ID (ESN #): The Electronic Serial Number (ESN) of the card.
Service Provider: The company that is providing 3G wireless service to the card.
Description: An optional field in which you can type any additional information.
Phone # (MSID): The 10-digit telephone number associated with the OmniAccess 3500 NLG card, assigned by the service provider.

3. Click Save.
4. Repeat this procedure for each card that you want to connect to the OmniAccess 3500 NLG gateway.

Figure 24 - Card (Add)

To view information for all cards:

After you click Cards on the left-hand side of the main menu, the Card Information window appears (Figure 25). This window shows a list of cards in the OmniAccess 3500 NLG system.

Figure 25 - Card Information

To view the status of an OmniAccess 3500 NLG card:

1. From the Card Information menu, click the checkbox next to a card to select it.
2. Click Status. The Card Status window appears (Figure 26), displaying the following fields:

Card ID: The ESN (Electronic Serial Number) of the card. ESN is a unique identification number for the card provided by the manufacturer.
VPN IP Address: The VPN IP Address assigned to the card when the tunnel is established.
VPN Status: Current status of the IPsec tunnel between the OmniAccess 3500 NLG card and its target OmniAccess 3500 NLG gateway.
Last Connection Status: Indicates whether the card is plugged into the laptop or not. Possible values are <Card Inside Laptop> and <Card Outside Laptop>.
Modem Activation Time: The time when the card was activated with the Service Provider.
Last Connection Time: The last time the card connected to the OmniAccess 3500 NLG gateway.

3. Click OK.

Figure 26 - Card (Status)

Laptops

This section of the management system GUI allows you to view information for and configure laptops. Click Laptops on the main menu to access this function.

You can perform the following administrative functions for laptops:

Add a laptop.
Edit laptop information.
Delete a laptop.

To add a laptop:

1. On the Active Laptop Information menu, click New. The Laptop (Add) window appears (Figure 27), displaying the following fields:

Laptop ID: A unique name for the laptop.
Description: An optional field in which you can type any additional information.

2. Click Save.

Figure 27 - Laptop (Add)

Application Provisioning

To support certain IT applications at runtime, you must first provision the infrastructure that supports them. This section describes the provisioning tasks that prepare the OmniAccess 3500 NLG platform for support of the following IT applications:

Device management applications, such as asset inventory maintenance and patch management.
Security applications, such as management of the personal firewall that is installed in the OmniAccess 3500 NLG card.

Device Management Applications

The OmniAccess 3500 NLG R1.2 supports a proprietary application (called ASSETMGMT) for maintaining inventories of the software assets in the deployed laptops, and two third-party solutions for the management of patch downloads (PatchLink Update by Lumension Security and SMS by Microsoft). The Assisted File Transfer (AFT) facility of the OmniAccess 3500 NLG platform provides the foundation for integration of the ASSETMGMT and Microsoft SMS applications.

The first subsection that follows describes the AFT facility, its support for the ASSETMGMT and Microsoft SMS applications, and the configuration steps needed to integrate other IT applications. The second subsection that follows references the document that describes all the configuration steps needed for integration of the OmniAccess 3500 NLG R1.2 with the PatchLink Update and SMS applications, including the steps that are external to the OmniAccess 3500 NLG platform.

ASSISTED FILE TRANSFER

The Assisted File Transfer facility allows you to synchronize the contents of laptop and enterprise folders via the OmniAccess 3500 NLG card, staging information in the card when either the laptop or the OmniAccess 3500 NLG gateway is not reachable. This feature is configured per application; that is, you specify for each application the enterprise folder and the laptop folder that need to be kept in sync. The enterprise folder is a Windows share that is available for export and is mounted from the respective application server into the file system of the OmniAccess 3500 NLG gateway.

The direction of the synchronization (from the enterprise to the laptop, or vice versa) is a mandatory configuration parameter. When the direction is from the enterprise to the laptop, the enterprise folder is replicated to the specified OmniAccess 3500 NLG laptop folder. When the direction is from the laptop to the enterprise, the files in the laptop folder are copied into the enterprise folder.

It is also possible to bind application table entries with user groups, so that for every application the directory synchronization only applies to the laptops of the associated user groups. The default group called BROADCAST corresponds to all users.

To configure an application for use of the AFT facility, you must create a new entry in the Application Table associated with the AFT and set all necessary parameters.

There is one pre-configured application in the Application Table, called ASSETMGMT (Figure 28). ASSETMGMT is the OmniAccess 3500 NLG internal application that periodically transfers laptop asset information from the laptop to the gateway over the AFT facility. You can view status information for a given laptop asset (out of the following list: Programs, Services, Processes, Partitions, System Information, Operating System, Personal Firewall, TrueCrypt Encrypted Volume) by clicking the asset name on the User Configurations window (to access the User Configurations window click Users on the main menu, click the checkbox next to the desired user, and finally click Configure).

Figure 28 - Application Table Information

To add an entry to the application table for the AFT facility:

1. Click Gateway on the main menu and then click Configure Advanced Settings.
2. On the Configure menu, under Assisted File Transfer, click Application Table. The Application Table Information window (Figure 28) appears, displaying the following fields:

Application Name: Name of the application that will be configured to use the Assisted File Transfer facility (e.g., <testapp>).
Shared Path: Windows share to be mounted on the gateway file system (e.g., <//server1/testappdir>, where <server1> is the IP address or hostname of the application server and <testappdir> is the path of the directory to be synchronized).
User Name: User name with permission to mount the share.
Domain Name: Domain of the server that hosts the share.
Laptop Directory: Folder on the laptop that will be created for the application (if it does not exist already).
Laptop Directory Owner: The domain account to which the ownership of files in this laptop folder is assigned.
Direction: Replication direction (choose between <Laptop_To_Enterprise> and <Enterprise_To_Laptop>).
Max Disk Size (MB): Maximum storage space (in MB) allocated for the application (on the laptop, card, and gateway).

User Groups: Sets of users that participate in the Assisted File Transfer transactions for the application being configured.

3. Click Save.

Note: If you use the Mozilla Firefox browser to access the management system GUI and the browser is configured to remember the passwords that you enter on the management system GUI windows, a pop-up window will appear when you click the Save button, asking whether or not you want to change one of the passwords that the browser had previously saved. Either answer will not compromise the configuration of the application table entry. However, to avoid the inconvenience of dealing with the pop-up window, it is recommended to configure the browser so that it does not remember any password at the URL of the management system GUI.

INTEGRATION OF PATCHLINK UPDATE AND MICROSOFT SMS

For all information needed to configure the integration of the PatchLink Update and SMS applications with the OmniAccess 3500 NLG R1.2, please refer to the following document: OmniAccess 3500 NLG Release 1.2 Application Note: Integration of PatchLink Update and Microsoft SMS.

Personal Firewall

The Policies section of the management system GUI allows the configuration of the personal firewall policies that are installed in the OmniAccess 3500 NLG cards. A personal firewall policy regulates the network activity of the end user. The personal firewall policy has scope exclusively over the network traffic exchanged by the OmniAccess 3500 laptop and not over the traffic that terminates at the card.

The same personal firewall policy is installed in the OmniAccess 3500 NLG cards of all users in the same user group. Each user group is bound to a single personal firewall policy. Whenever the policy changes, the same modification applies to the personal firewalls of all users in the group.

A personal firewall policy consists of packet filter rules and application filter rules. A packet filter rule defines the treatment of individual packets that traverse the personal firewall in the OmniAccess 3500 NLG card. The following steps must be completed prior to the configuration of a packet filter rule:

1. Define its services (TCP/UDP port numbers) and assign them to a service group (aggregation of multiple TCP/UDP port numbers).
2. Define its hosts (sets of contiguous IP addresses) and assign them to a host group (aggregation of multiple IP address ranges).

An application filter rule decides on the opening of laptop-terminated connections for the target application whenever the application requests such an opening.

To begin configuring a personal firewall policy, first create the necessary service instances. A service is where the binding between TCP/UDP port numbers and service/application names is defined.

1. Click Services on the main menu.
2. On the Services Information menu, click New. The Service Information (Add) window appears (Figure 29), displaying the following fields:

Name: Type a name for the service you want to add.
Port: The port number of the service.

3. Click Save.

Figure 29 - Service Information (Add)

Next, create a service group, which is simply a group of previously defined services.

4. Click Service Groups on the main menu.
5. On the Service Group Information menu, click New. The Service Group Information (Add) window appears (Figure 30), displaying the following fields:

Group ID: Type a numeric user ID representing the service group you want to add.
Name: Type the name of the service group you want to add.
Services: Click on a user ID in the Available list and move it to the Selected list by clicking the appropriate arrow key. This adds services to the new service group.

6. Click Save.

Figure 30 - Service Group Information (Add)

Now create a host object. The host object designates a set of IP addresses that will later be included in a host group and thereby in a packet filter rule.

7. Click Hosts on the main menu.
8. On the Host menu, click New. The Host (Add) window appears (Figure 31), displaying the following fields:

Host Name: A name that uniquely identifies the host.
Description: Type in any descriptive text about the new host.
Host: A valid IP address in the target IP address range.
Mask (1-32): The network mask used for identification of the entire range (the integer expresses the number of right-most bits to be set at 0 in the network mask address).

9. Click Save.

Figure 31 - Host (Add)

Now create a host group. A host group contains a list of IP address ranges that are currently configured for inclusion in packet filtering rules for personal firewall policies.

10. Click Host Groups on the main menu.
11. On the Host Groups menu, click New. The Host Group (Add) window appears (Figure 32), displaying the following fields:

Host Group Name: A number that uniquely identifies the host group.
Description: Type in any descriptive text about the new host group.
Hosts: Click on a host name in the Available Hosts list and move it to the Selected Hosts list by clicking the appropriate arrow key. This adds the host to the new host group.

12. Click Save.

Figure 32 - Host Group (Add)

Next, create the packet filter rules. The default packet filter rule is the drop rule: if a packet does not match any of the packet rules specified in the personal firewall policy, the packet is dropped. The packet filter rules that are explicitly created define exceptions to the default behavior.

13. Click Personal Firewall on the main menu.
14. On the Policies Personal Firewall menu, click Packet Filter Rules. The Packet Filter Rules Definitions window appears.
15. Click New. The Packet Filter Rules (Add) window appears (Figure 33), displaying the following fields:

Rule Name: Type a name for the new rule.
Direction: Whether the direction of the packets matching the rule is inbound (to the laptop) or outbound (from the laptop).
IP Addresses: Set of IP address ranges including the address of a packet matching the packet filter rule (destination IP address for outgoing packets, source IP address for incoming packets).
Source Ports: The ports from which the network traffic is originating.
Destination Ports: The ports to which the network traffic is going.
Protocol: Select a protocol from the drop-down list (for example, UDP, TCP, ICMP, or IP).
Rule Action: Select an action to take for this rule from the drop-down list (Accept or Drop).

16. Click Save.

Figure 33 - Packet Filter Rules (Add)

Next, create the list of applications for inclusion in application groups and application filter rules.

17. Click Personal Firewall, then Applications. The Applications window appears.
18. Click New. The Applications window appears (Figure 34), displaying the following fields:

Application Name: Name of the application.
Executable File: Name of the executable file that implements the application.

19. Click Save.

Figure 34 - Applications

Next, create the list of application groups for inclusion in the application filter rules.

20. Click Personal Firewall, then Application Group. The Applications Group Information window appears.
21. Click New. The Application Group window appears (Figure 35), displaying the following fields:

Group Name: Name of the application group.
Applications: Drop-down menu with the list of applications that can be added to the application group. Once an application is selected, click Add to include it in the group list.

22. Click Save when the list of applications is complete.

Figure 35 - Application Group

Now create the personal firewall policy.

23. Click Personal Firewall, then Firewall Policy. The Firewall Policy Definitions window appears.
24. Click New. The Firewall Policy Settings (Add) window appears.

25. On the General tab (Figure 36), enter information for the following fields:

Policy Name: A unique alphanumeric identifier for the personal firewall policy.
User Control: Whether the user will have control to allow or deny network connections requested by applications. Possible values are <Allow> and <Deny>.
Hotelling Scenario Unsecured Connectivity Duration: First timeout used in the Captive Portal Management algorithm, which regulates open access to the Internet during the negotiation of local access credentials with an access point provider. The timeout, expressed in seconds, defines the extension of the time window during which the end user can negotiate the access credentials with the access point provider, in a connectivity scenario that is not secured by the inclusion of the OmniAccess 3500 NLG Gateway in the data path.
Hotelling Scenario: Re-activation Wait Period: Second timeout used in the Captive Portal Management algorithm, which regulates open access to the Internet during the negotiation of local access credentials with an access point provider. The timeout, expressed in seconds, defines the extension of the blackout interval between consecutive attempts to obtain access credentials from the access point provider. The blackout interval prevents the end user from causing continuous exposure of the laptop to external attacks with lengthy credential negotiation procedures.

26. Click Save.

Figure 36 - Firewall Policy Settings General tab

27. On the Rules tab (Figure 37), enter information for the following fields:

Rule name: A unique alphanumeric identifier for the packet filter rule to be included in the personal firewall policy.
Precedence: A priority level for designation of the order in which the packet filter rule will be executed (i.e., compared with the packet header) with respect to other rules. Higher precedence value means that the rule will be executed first. The first rule that matches the packet header determines the action on the packet.

28. Click Save.

Figure 37 - Firewall Policy Settings Rules tab

29. On the Applications tab (Figure 38), enter information for the following fields:

Applications: List of applications in the application filter table that contributes to the definition of the personal firewall policy.
Network Access: While a packet filter rule is always an allow rule (a packet matching the rule is allowed through the filter), an application filter rule can be set as either an allow rule (the application is always allowed to open a remote connection) or a deny rule (the application is never allowed to open a remote connection).

30. Click Save.

Figure 38 - Firewall Policy Settings Applications tab

31. On the Application Groups tab (Figure 39), enter information for the following fields:

Application Groups: List of application groups in the application filter table that contribute to the definition of the personal firewall policy. Application groups are used to simplify the specification of personal firewall policies, especially when a large number of applications require explicit inclusion in the application filter table.
Network Access: While a packet filter rule is always an allow rule (a packet matching the rule is allowed through the filter), an application group filter rule can be set as either an allow rule (the application group is always allowed to open a remote connection) or a deny rule (the application group is never allowed to open a remote connection).

32. Click Save.

Figure 39 - Firewall Policy Settings Application Groups tab

Now apply the firewall policy to a user group.

33. Click User Groups. The User Group Information window appears.
34. Click the checkbox next to a User Group to select it.
35. Click Edit. The User Group Information window appears (Figure 40). Select the Firewall Policy that you want to apply from the Policy drop-down list.
36. Click Save.

56 OmniAccess 3500 Nnstp Laptp Guardian Administratin Guide Figure 40 - User Grup Infrmatin (Edit) 52

Chapter 3. OmniAccess 3500 NLG Runtime Administration Functions

This chapter describes tasks that are performed during runtime, after deployment of the OmniAccess 3500 NLG cards. Runtime tasks include the following:

   Viewing laptop asset information: Display asset information for a user's laptop.
   Viewing laptop location: Display location information for a user's laptop.
   Remotely locking a laptop: Remotely lock a user's laptop for security reasons. You can later unlock the same laptop or generate a one-time password for the end user to temporarily disable all OmniAccess 3500 NLG functions in the laptop.
   Managing the encrypted volume of a laptop: Create/delete/view status for an encrypted volume, and change/remove the secret password needed for decryption of the volume contents.
   Viewing log information: View logs and alarms stored in the management system database.
   View status information for current access connections: View current settings, status variables, and traffic statistics.

Viewing Laptop Asset Information

The Asset Management function runs periodically and allows you to display information about laptop assets.

1. Click Users on the main menu.
2. Click the checkbox next to a user to select it and then click Configure. The User Configurations window appears (Figure 41).

Figure 41 - User Configurations

3. To view laptop asset information, select one of the options under the Asset Management menu, as follows:
   Programs: Applications installed in the user's laptop.
   Services: Services installed in the user's laptop.
   Processes: Processes running on the user's laptop.
   Partitions: Partition table entries.
   System Information: System-related information, such as Manufacturer, Model, CPU version, etc.
   Operating System: Operating system installed in the user's laptop.
   Personal Firewall: Applications for which the personal firewall policy has set allow/deny rules with respect to network access.
   TrueCrypt File Information: Information about the files stored in the encrypted volume of the user's laptop.
   Refresh Asset Info: Click this link to trigger a refresh of all the asset management entries.

Viewing User Status Information

The management system maintains comprehensive status information for every user and the associated laptop and card. To view a user's status information:

4. Click Users on the main menu.
5. Click the checkbox next to a user to select it and then click Status.
6. On the Status Information of User window, click User Status. The User Status Information window appears (Figure 42).
7. Click OK.

Figure 42 - User Status Information

Viewing the Laptop Location

You can view the current location of the laptop or the location where the user most recently logged into the laptop. To view a laptop's location:

1. Click Users on the main menu.
2. Click the checkbox next to a user to select it and then click Status.
3. Click one of the following:
   View Current Location to see the current location of the laptop.
   View Login Location to see the location where the user last logged into the laptop.
4. A Proprietary Information window appears (Figure 43). Type your administrator password into the text box and click Accept to proceed.

Figure 43 - Proprietary Information window

5. A map similar to the one shown in Figure 44 appears. If the laptop's location cannot be retrieved, a corresponding message will appear.

Figure 44 - Current User Location map

Laptop Remote Lock

The IT administrator can remotely lock the laptop when the end user realizes that the laptop cannot be physically protected from external intrusions (for example, if the laptop was inadvertently left unguarded in a public location). To remotely lock a laptop:

1. Click Users on the main menu.
2. Click the checkbox next to a user to select it, then click Configure.
3. On the User Configurations window, click Lock under the System Management menu.
4. Click Yes to lock the laptop.
5. A window appears on the laptop indicating that the laptop has been locked (Figure 45).

Figure 45 - Laptop locked window

Laptop Remote Unlock

The IT administrator can issue a remote unlock command through the management system to unlock a laptop that had previously been locked by issuing a remote lock command. To remotely unlock a laptop:

1. Click Users on the main menu.
2. Click the checkbox next to a user to select it and then click Configure.
3. On the User Configurations window, click Unlock under the System Management menu.
4. Click Yes to unlock the laptop.
5. A message appears stating that the laptop has been unlocked.

One-Time Password Generation

The OmniAccess 3500 NLG can lock the laptop under several circumstances, both manually (remote lock command issued by the IT administrator) and automatically (upon detection of certain events like tamper attempts, etc.). While locked, the laptop shows on the window a numeric key (the screen count) and a password prompt. To unlock the laptop, the legitimate end user must call the IT desk and read the screen count value to the IT administrator. If the end user is eligible for unlocking, the IT administrator generates a one-time password (OTP) using the screen count and communicates it to the end user. The end user enters the OTP to regain control of the laptop. The OTP expires upon its first use.

All OmniAccess 3500 NLG controls are disabled for a period of configurable duration, during which the end user is expected to remove the cause of the initial lock. Upon expiration of the controlless interval, the laptop either locks again (if the cause of the lock has not been removed) or restores all OmniAccess 3500 NLG controls (if the cause of the lock has been successfully removed).

To generate a one-time password for a locked laptop:

1. Click Users on the main menu.
2. Click the checkbox next to a user to select it, then click Configure.
3. On the User Configurations menu, click Generate One Time Password under the Tamper Proof Manager menu. The Tamper Proofing Settings Get One Time Password window appears (Figure 46), displaying the following fields:
   User ID: Type the user ID corresponding to the laptop you are locking.
   Current Date (mm/dd/yyyy): Type the date displayed on the lock screen of the laptop.
   Current Time (hh:mm:ss): Type the time of the day displayed on the lock screen of the laptop.
   Time Zone: Type the time zone displayed on the lock screen of the laptop.
   Screen Count: Type the number that appears in the upper right-hand corner of the pop-up window on the laptop screen (in Figure 45, this number is ).

Figure 46 - Tamper Proofing Settings - Get One Time Password

4. Click Get PW. A window appears displaying a new one-time password. The end user must type this password (including any hyphen it may include) into the Password field on the window on the laptop to unlock the laptop. (They must uncheck the Hide Password box if they want the password to display on the window as they are typing it.)

Encrypted Volume Management

An encrypted volume can be created in the laptop hard disk for storage of sensitive data. While the selection of the files to be included in the encrypted volume is left to the end user, the OmniAccess 3500 NLG assumes exclusive administrative control over the encrypted volume. Through the management system GUI, the administrator sets the configuration parameters of the encrypted volume (some of the parameters, such as the encryption algorithm and the hash algorithm, are set per user group, while other parameters, such as the drive identifier, the maximum size, and the secret password needed for encryption/decryption of the volume contents, are set per individual user). The end user can access neither the configuration parameters, nor the secret password, which is stored in the OmniAccess 3500 NLG card and never accessible from the laptop.

If the laptop is stolen, the contents of the encrypted volume can be protected from malicious access by remotely deleting the secret password from the card. The management system retains the last password used to encrypt the data, so that it can be utilized to retrieve the data if the laptop is ever recovered.

This section describes the configuration of the encrypted volume, the management of the secret password, and the monitoring of the volume status.

To configure common volume encryption parameters within a user group:

1. Click User Groups on the main menu.
2. Click the checkbox next to a user group to select it and then click Configure.
3. On the User Group Configurations window, click Group Volume Settings.
4. The Group TrueCrypt Settings (New) window appears (Figure 47), showing the following fields:
   Group Name: Identifier of the user group, shown to remind the IT administrator of the user group for which the encrypted volume is being configured.
   Encryption Algorithm: Algorithm used for encryption of the volume contents. Available options are: AES (default), Serpent, Twofish, AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent-Twofish-AES, Twofish-Serpent.
   Hash Algorithm: Algorithm used for random generation of the volume master key. Available options are: RIPEMD-160 (default), SHA-1, Whirlpool.
   File Format: Type of file system for the encrypted volume. Available options are: FAT (default), NTFS (this option does not work for end users that do not have administrator privileges on their laptops).
   Note: Windows XP supports NTFS. Earlier Windows versions and Linux support FAT.
5. Click Save to save the TrueCrypt settings for the user group.

Note: The values of the user group parameters for TrueCrypt are not retroactively applied. When one or more user group values change, only the encrypted volumes that are created after the change reflect the new values.

Note: Since every user group parameter for TrueCrypt has an assigned default value, the configuration of the user group parameters for TrueCrypt is only necessary when one or more of those values requires modification.

Note: If you delete your selection for the values of the user group parameters for TrueCrypt, the default values are automatically restored for those parameters.

Figure 47 - TrueCrypt User Group Settings

To create an encrypted volume:

1. Click Users on the main menu.
2. Click the checkbox next to a user to select it and then click Configure.
3. On the User Configurations window, click Volume Settings under the TrueCrypt Volume Encryption menu.
4. The TrueCrypt Settings window appears (Figure 48), with the following parameters to be configured:
   User ID: Numeric identifier of the end user (read-only field).
   Volume Path: Location of the encrypted volume in the laptop hard disk. The assigned value must be a valid, unused path and can point to a file with any type of extension.
   Mount Drive: Drive identifier assigned to the encrypted volume once mounted. The assigned value must be a valid, unused drive identifier.
   Volume Size (MB): Space allocated to the encrypted volume in the laptop hard disk. The assigned value must not exceed the space that is currently available on the laptop's hard disk.
   Volume Enabled: Flag for enabling/disabling the mounting of the encrypted volume on the laptop's file system. The flag must be checked in order for the creation of the encrypted volume to proceed the next time the laptop connects to the gateway after the volume settings are saved.
5. Click Save to save the configuration settings and enable the creation of the encrypted volume.

Figure 48 - TrueCrypt Settings

To relinquish administrative control over an existing encrypted volume:

1. Click Users on the main menu.
2. Click the checkbox next to a user to select it and then click Configure.
3. On the User Configurations window, click Delete Volume under the TrueCrypt Volume Encryption menu.
4. Click OK to issue the Delete Volume command and return to the User Information window.

The administrator should relinquish administrative control over an existing volume only after having carefully concluded that the encrypted volume will never be needed again by the end user (for example, if the end user is no longer with the company). Please note that the Delete Volume command does not remove the encrypted volume from the laptop hard disk and does not always make the contents of the encrypted volume immediately inaccessible to the end user. The administrator must resort instead to the Remove Password command in all emergency cases where access to the encrypted volume contents must be immediately denied (Remote Kill feature).

If control over the volume is erroneously relinquished and a user wants to recover data from the deleted volume, the Deleted Volume Properties feature can be used to recover the volume path and password, as in the following procedure.

To display the properties of a volume that was previously released by the administrator:

1. Click Users on the main menu.
2. Click the checkbox next to a user to select it and then click Configure.
3. On the User Configurations window, click Deleted Volume Properties under the TrueCrypt Volume Encryption menu.
4. The Deleted Volume Information window appears (Figure 49), displaying all data needed for reconfiguration of the same volume in the laptop's hard disk.
   Note: The restoration of a relinquished encrypted volume cannot be performed remotely by the administrator through the management system. Instead, the end user must enter the necessary parameters locally, through the user interface that comes with the encrypted volume software.
5. Click OK.

Only the end user can physically remove the encrypted volume from the laptop hard disk, by deleting the file corresponding to the volume path after the administrator has relinquished administrative control over it.

Figure 49 - Deleted Volume Information

To change the secret password stored in the OmniAccess 3500 NLG card:

1. Click Users on the main menu.
2. Click the checkbox next to a user to select it and then click Configure.
3. On the User Configurations window, click Volume Settings under the TrueCrypt Volume Encryption menu.
4. If the check box next to Volume Enable is currently checked, click it to uncheck it and click Save.
5. On the User Configurations window, click Change Volume Password under the TrueCrypt Volume Encryption menu.
6. Click Yes to issue the password change command and return to the User Configurations window.
7. Click Volume Status and verify the Password Change Status reported on the TrueCrypt Status Information window. Then click OK.
8. If the password change has been successful, click Volume Settings under the TrueCrypt Volume Encryption menu and click the Volume Enable checkbox on the TrueCrypt Settings (Edit) window.
9. Click Save.

To delete the secret password and immediately make the contents of the encrypted volume impossible to access (Remote Kill feature):

1. Click Users on the main menu.
2. Click the checkbox next to a user to select it and then click Configure.
3. On the User Configurations window, click Remove Volume Password under the TrueCrypt Volume Encryption menu.
4. Click Yes to issue the password deletion command and return to the User Information window.

Note: To immediately deny access to the encrypted volume contents without deleting the volume you must use the Remove Volume Password command. Other methods, such as unchecking the Volume Enabled flag, are not immediately effective and may not prevent the decryption of the volume contents.

To restore the secret password stored in the OmniAccess 3500 NLG card:

1. Click Users on the main menu.
2. Click the checkbox next to a user to select it and then click Configure.
3. On the User Configurations window, click Restore Password under the TrueCrypt Volume Encryption menu.
4. Click Yes to issue the password restore command and return to the User Information window.

To verify the status of a previously submitted volume encryption command (volume creation/deletion, password change/removal):

1. Click Users on the main menu.
2. Click the checkbox next to a user to select it and then click Configure.
3. On the User Configurations window, click Volume Status under the TrueCrypt Volume Encryption menu.
4. The TrueCrypt Status Information window appears, showing the following fields:
   User ID: Numeric identifier of the user.
   Volume Path: Location of the encrypted volume in the laptop hard disk.
   Mount Drive: Drive name assigned to the encrypted volume.
   Volume Size: Hard disk space allocated to the encrypted volume (in MB).
   Volume Status: Status of the encrypted volume (whether or not created and mounted).
   Password Change Status: Status of execution of a command previously issued to change or delete the secret password.
   Password Change Time: Time of completion of the Password Change/Delete command.
   Active Password: Last password successfully stored in the OmniAccess 3500 NLG card.
5. Click OK to return to the User Information window.

To delete TrueCrypt Volume Encryption settings from a user group:

1. Click User Groups on the main menu.
2. Click the checkbox next to a user group to select it and then click Configure.
3. On the User Group Configurations window, click Delete Group Volume.
4. A confirmation window appears, asking if you are sure you want to delete group volume settings.
5. Click Yes to delete the settings.

Connection Manager Show Information

This section of the management system GUI allows you to display status information for the remote access connections that are currently established between the OmniAccess 3500 NLG cards and the gateway. (Refer to Chapter 5, OmniAccess 3500 NLG Administrative Information Base, to see detailed field information.) Status information can be displayed for the following items:

   SA-IKE: List of the IKE Security Associations that currently exist between the OmniAccess 3500 NLG gateway and remotely connected OmniAccess 3500 NLG cards.
   SA-IPsec: List of the IPsec Security Associations that currently exist between the OmniAccess 3500 NLG gateway and remotely connected OmniAccess 3500 NLG cards.
   Flows: List of the objects that the OmniAccess 3500 NLG gateway instantiates for stateful packet inspection purposes. When a packet arrives at the firewall embedded in the OmniAccess 3500 NLG gateway, the firewall first tries to match it with a previously established flow object. If no matching flow object is found, the firewall tries to match the packet with one of its configured rules. If one or more matches are found, a new flow object is created according to the matching rule with the highest precedence. If no matching rule is found, the default rule (drop) is applied to the packet.
   Global Information: List of traffic statistics collected since the OmniAccess 3500 NLG gateway was last restarted.
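The lookup order described for Flows above (flow table first, then configured rules by precedence, then the default drop), modelled as an added Python example that is not Alcatel-Lucent code. The class and field names, the direction-independent flow key and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    name: str
    precedence: int               # higher value is evaluated first
    action: str                   # "pass" or "drop"
    src_net: str
    dst_net: str
    proto: str = "any"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


class GatewayFirewall:
    """Hypothetical model of the three-stage lookup; not the product's code."""

    def __init__(self, rules):
        # Sort once so the first match is also the highest-precedence match.
        self.rules = sorted(rules, key=lambda r: r.precedence, reverse=True)
        self.flows = {}           # flow key -> rule that created the flow

    @staticmethod
    def flow_key(p: Packet):
        # Assumption: both directions of a connection map to the same flow.
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, ends[0], ends[1])

    def process(self, p: Packet):
        key = self.flow_key(p)
        rule = self.flows.get(key)
        if rule is not None:                  # 1. established flow object
            return rule.action, "flow:" + rule.name
        for rule in self.rules:               # 2. rules, highest precedence first
            if rule.matches(p):
                self.flows[key] = rule        # new flow follows the winning rule
                return rule.action, "rule:" + rule.name
        return "drop", "default"              # 3. default rule, no flow created


# Constructed sample rules and packets.
RULES = [
    Rule("block-lan", 100, "drop", "192.0.2.0/24", "198.51.100.0/24"),
    Rule("allow-backup-ssh", 200, "pass",
         "192.0.2.1/32", "198.51.100.20/32", "tcp", 22),
]
REQUEST = Packet("192.0.2.1", 40000, "198.51.100.20", 22)
REPLY = Packet("198.51.100.20", 22, "192.0.2.1", 40000)
OTHER_PORT = Packet("192.0.2.1", 40001, "198.51.100.20", 80)
UNKNOWN_SRC = Packet("203.0.113.5", 50000, "198.51.100.20", 22)


def demo():
    fw = GatewayFirewall(RULES)
    verdicts = [fw.process(p)
                for p in (REQUEST, REPLY, OTHER_PORT, UNKNOWN_SRC)]
    return verdicts, len(fw.flows)


if __name__ == "__main__":
    for verdict in demo()[0]:
        print(verdict)
```

The reply packet matches no configured rule on its own; it passes only because the request created a flow object first, which is why the flow table is consulted before the rules.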

To view status information:

1. Click Gateway on the main menu, then click Configure Advanced Settings.
2. On the Configure menu, under Connection Manager Show Information, click SA-IKE, SA-IPsec, Flows, or Global Information, depending on the type of information you wish to view.
3. A window containing information about the OmniAccess 3500 NLG gateway you have selected appears (Figure 50 shows the Global Information window as an example).

Figure 50 - Gateway Global Information

Logs and Alarms

The Fault Manager application allows you to view system status information in different formats. In addition, you can use the Syslog function to have logs forwarded to a specific server.

Log Viewer

The Log Viewer function allows you to view the most recent logs stored in the system's database. To view all logs:

1. On the Fault Manager menu, click Log Viewer. The Server Log Viewer window appears (Figure 51), displaying the following fields:
   Local Time: The local time at which the event took place.
   IP Address: The IP address of the module on which the event took place.
   Event ID: The type of the logged event.
   Module Name: The name of the module by which the log is filtered.
   Severity: The alarm severity.
   Message: Any additional information about the event.

Figure 51 - Server Log Viewer

Log History

The Log History function provides access to an extended set of archived event logs.

1. On the Fault Manager menu, click Log History. The Server Log History window appears (Figure 52), displaying the following fields:
   Time: The local time when the log was created.
   GMT Time: The GMT time the alarm occurred.
   IP Address: The IP address of the device where the alarm occurred.
   Event ID: The identifier of the software module that triggered the alarm.
   Module Name: Name of the software module that generated the log.
   Severity: The alarm severity.
   Message: Any additional information about the event.
   Refresh (mins.): Type a number in this field to indicate how often you would like this window to refresh (default: 1 minute).

Figure 52 - Server Log History

Syslog

All log messages are sent to the management system and displayed on the GUI. The syslog function allows you to have logs also forwarded to a particular server.

1. On the Fault Manager menu, click Syslog. The Syslog Server Settings window appears (Figure 53), displaying the following fields:
   Primary Server: The first Server to which you want to forward logs.
   Secondary Server: A second Server to which you want to forward logs.
   Port: The port number to which you want to forward logs.
   Forward Logs: Click this checkbox to forward logs; leave unchecked to not forward.
2. Click Save.

Figure 53 - Syslog Server Settings

Chapter 4. OmniAccess 3500 NLG Infrastructure Maintenance

This chapter describes the procedures that are needed for maintenance of the infrastructural components of the OmniAccess 3500 NLG platform after they are installed.

Backing Up and Restoring the OmniAccess 3500 NLG Gateway Configuration

The backup-and-restore procedures described in this section should be applied to recover from the complete failure of an OmniAccess 3500 NLG gateway unit, when the failed unit is replaced with a new one. The criticality of the specific OmniAccess 3500 NLG gateway instance drives the choice for the backup frequency and for the location of the backup repository. At a minimum, it is recommended to back up the configuration data at least once a day, and to store the backup files in two geographically separated backup repository sites.

Automatic Backup Configuration

The following steps are required for configuration of the automatic backup procedure:

1. Make sure that the gateway already has all the files that it needs to establish secure connections with other network nodes:
   Keytab File: File containing the credentials of the gateway for authentication with the Active Directory Server (ADS). The file must necessarily be uploaded to the gateway before any interaction with the Active Directory (AD) infrastructure can start. This includes the case where the method used for authentication of one or more user groups changes from RADIUS to AD.
   CA Certificate: Digital certificate of the Certificate Authority (CA), which includes the CA's public key and digital signature. The same CA certificate is installed in the OmniAccess 3500 NLG cards.
   CA Certificate Revocation List: List of certificates issued by the Certificate Authority that have been revoked before their natural expiration.
   Gateway Certificate: Certificate (public key) of the gateway, used by peer network nodes for encryption of the messages they send to the gateway.
   Gateway Private Key: Secret key used by the gateway to decrypt the messages it receives from peer network nodes (including the OmniAccess 3500 NLG cards).
   In the unlikely case that the files listed have not already been uploaded, follow the procedure described in the File Upload section of this document (page 22) to install the files in the gateway.
2. Add a pass rule to the Rules table (through the [Gateway Configure Advanced Settings Rules New] command path) to allow traffic from the gateway to the designated backup server. The rule is typically set for the Ethernet interface of the gateway that faces the private portion of the enterprise network (LAN). In the example of Figure 54, < > is the IP address of the private interface (LAN) of the gateway.

Figure 54 - Connection Manager Rules (Add)

3. Set the parameters for the automatic backup procedure through the Configuration Services section of the management system GUI.

To set the configuration parameters for the automatic backup procedure:

1. Click Configuration Services on the main menu.
2. On the Configuration Manager window (Figure 55), click Gateway Public Key.

Figure 55 - Configuration Manager

3. The File Server Public Key window appears (Figure 56). The text box on this window contains the Public Key for the Backup File Server. The text is read-only and is populated by the SSH Public Key generated internally when the gateway is configured for the first time.

Figure 56 - File Server Public Key

4. Copy the contents of the text box into the <user home>/.ssh/authorized_keys file on the backup server where the backup files are to be stored.
5. Click Configuration Services on the main menu.
6. On the Configuration Manager menu, click Configuration Server Profile. The Backup Configuration window appears (Figure 57), where you can set the following parameters for the backup server:
   Backup File Name: Name assigned to the backup file, where all of the configuration settings are saved.
   Primary Server IP Address: IP address of the first server where the backup file is uploaded.
   Primary Server Username: Login account on Server 1 where the backup file is stored.
   Primary Server Path: Directory path where the backup file is stored when uploaded to Server 1.
   Secondary Server IP Address: IP address of a second server where the backup file may be uploaded.
   Secondary Server Username: Login account on Server 2 where the backup file may be stored.
   Secondary Server Path: Directory path where the backup file is stored if it is uploaded to Server 2.
   Start Time (hh:mm:ss): Reference start time for periodic backups (the mm/dd/yyyy portion, combined with the Backup Frequency value, determines the mm/dd/yyyy value for all future backups; the hh:mm:ss portion is also the hh:mm:ss value for all future backups).
   Backup Frequency: Frequency of generation and uploading of configuration backups.
7. Click Save to save the backup settings.

Figure 57 - Backup Configuration (Periodic Backup)

8. To start an immediate backup instead of waiting for a periodic one, click Configuration Services on the main menu and then click Backup Current Configuration. The Backup Configuration window appears (Figure 58), showing read-only information that you previously entered.

Figure 58 - Backup Configuration (Immediate Backup)

9. Click Start Backup to start the backup procedure immediately.

Restoration Procedure

The restoration procedure consists of the following steps:

1. Click Configuration Services on the main menu.
2. Click Restore Previous Configuration. The Configuration Restore Step 1 window appears (Figure 59).
3. From the drop-down list, select the IP address for the backup server from which to download the backed-up configuration.
   Note: The IP addresses that appear are taken from the values you entered previously in the Backup Configuration window (Figure 57).

Figure 59 - Configuration Restore - Step 1

4. Click Get Files. The Configuration Restore - Step 2 window appears (Figure 60).

Figure 60 - Configuration Restore - Step 2

5. This window displays the backup files available to restore the configuration. Select a backup file and click Start Restore Configuration. The corresponding configuration is automatically restored. Once the restore is done, refresh the page, and log in again to see the restored configuration.

Upgrading the OmniAccess 3500 NLG Gateway Configuration

The procedure in this section describes how to upgrade the software package running on your OmniAccess 3500 NLG gateway.

Configuration Upgrade

The following steps are required for upgrading the OmniAccess 3500 NLG software package that runs on the gateway appliance:

1. Click Configuration Services on the main menu.
2. Click Upgrade Server Profile. The Configure Upgrade Profile (New) window appears (Figure 61) where you can set the following configuration parameters for the gateway:
   Server Name: IP address of the Package Distribution Server where the upgrade package is stored.
   User Name: The user name used to access the Package Distribution Server.
   Package Name: The name of the package that contains all information needed for the upgrade.
   Path: The path where the package is stored in the Package Distribution Server.
3. Click Save to save the parameters.

Figure 61 - Configure Upgrade Profile (New)

4. Click Configuration Services on the main menu.
5. Click Upgrade Actions. The Upgrade Actions window appears (Figure 62), displaying information about the upgrade, as well as upgrade status information.

Figure 62 - Upgrade Actions

6. Click Start Upgrade to begin the configuration upgrade process. The Start Upgrade button appears only if an upgrade is possible (that is, if you have previously saved the configuration upgrade parameters on the Upgrade Server Profile window). Connectivity will be lost during the upgrade as all processes are temporarily shut down. After the upgrade completes, connectivity will become available again. If an error occurs during the upgrade process, the previous software package will be used.
   Note: After the upgrade starts, an Abort button appears. Click this button to stop the upgrade. To start the upgrade again, click Configuration Services on the main menu and then click Reset Upgrade Setting. This changes the upgrade status back to an idle state. The upgrade can then be re-attempted.
7. If a Failed message appears in the Upgrade Status field on the Upgrade Actions window, click Configuration Services on the main menu, then click Reset Upgrade Setting. This changes the upgrade status back to an idle state. The upgrade can then be re-attempted.

83 Chapter 5. Administrative Infrmatin Base Chapter 5. OmniAccess 3500 NLG Administrative Infrmatin Base This chapter presents the cmplete set f bjects that can be bserved and cnfigured thrugh the management system GUI. Every bject that is nt a leaf in the management system GUI infrmatin base tree is presented in the fllwing frmat: Object Name [Path], [Windw Title], [Actin(s)] Where: Object Name is the name f the bject n display. [Path] is the list f cnsecutive GUI selectins that lead t the infrmatin n display. An underlined path segment indicates that the crrespnding bject must be checked ( ) n the GUI windw befre clicking n the path segment that immediately fllws. [Windw Title] is the title shwn n the windw when the infrmatin is displayed. [Actin(s)] is the type f actin allwed n the bject being displayed. Pssible values are <r> (fr read-nly), <rw> (fr read and write), and <x> (fr execute, in the case f displayed bjects that represent functins and nt data). The bjects are presented belw in the same rder as they appear in the main menu f the management system GUI, frm tp t bttm. Devices The Devices sectin f the management system GUI prvides access t the netwrk ndes: gateways, cards, and laptps. Gateway [Gateway], [Gateway Settings], [r] In the OmniAccess 3500 NLG R1.2, each management system instance nly cntrls the OmniAccess 3500 NLG gateway where it is installed. The Gateway Settings windw lists the cnfiguratin parameters fr the gateway where the management system sftware is installed. The fllwing parameters can be edited fr the gateway upn selectin f the <Edit Gateway Settings> ptin: Gateway FQDN Fully Qualified Dmain Name (FQDN) f the gateway. WAN Interface IP IP address assigned t the WAN Ethernet interface f the gateway. The WAN interface is cnnected t a public subnet. WAN Interface Netmask Netwrk mask fr identificatin f the public subnet f attachment f the WAN gateway interface. 
WAN Interface Next-hp Ruter IP address f the next-hp-ruter within the public subnet f attachment f the WAN gateway interface. 79

LAN Interface IP: IP address assigned to the LAN Ethernet interface of the gateway. The LAN interface is connected to a private subnet of the enterprise.
LAN Interface Netmask: Network mask for identification of the private subnet of attachment of the LAN gateway interface.
LAN Interface Next-hop Router: IP address of the next-hop-router within the private subnet of attachment of the LAN gateway interface (the next-hop router, or default gateway, should not be confused with the OmniAccess 3500 NLG gateway itself).
LAN Interface Secondary IP: VPN address of the gateway, associated with the LAN:1 virtual interface. The VPN address is used by cards and laptops to communicate with the gateway (and vice versa) through the IPsec tunnel. It is included in the inner IP header of the packets exchanged by the gateway with the card and laptop over the IPsec tunnel. This entry must be filled with one IP address when the gateway is first configured. Later on, any modification of the VPN IP address of the gateway must be executed on the <GUARD_PRIVATE_IP> server type of the [Gateway Configure-> Server Table Information] window, reachable through the [Gateway Configure Advanced Settings Server Table] path.
LAN Interface Secondary Netmask: Network mask for the private subnet of attachment of the LAN:1 virtual interface of the gateway.
Root Password: Password for the root account on the OmniAccess 3500 NLG gateway.
Confirm Password: Confirmation replica of the root account password.
Active Directory Server IP: IP address of the Active Directory server used by the enterprise for authentication of the laptop users.
User Authentication Type: The method used for authentication of the end users. Possible values are <DOMAIN>, <RADIUS-LAX>, and <RADIUS-STRICT>. If <DOMAIN> is selected, all users will be authenticated using KDC. If <RADIUS-LAX> or <RADIUS-STRICT> is selected, a RADIUS server will authenticate all users. More specifically, with <RADIUS-LAX> the user's laptop obtains its network parameters before submission of the authentication credentials by the end user. With <RADIUS-STRICT>, instead, the network parameters will only be granted after success of the RADIUS authentication.
Radius IP Address: The IP address of the RADIUS server being used for authentication.
Radius Port: The destination port for authentication requests.
Radius Secret: The authentication and encryption key for all RADIUS communications between the gateway and the RADIUS server.
Kerberos Realm: KDC domain of the OmniAccess 3500 NLG gateway. The KDC domain name is the same as the enterprise domain name, but must be written in uppercase letters.
KDC FQDN: Fully Qualified Domain Name (FQDN) of the Active Directory server.

Admin Server: Administration server for the enterprise domain; in most cases the administration server coincides with the Active Directory server, except when the KDC realm administrator has not made the administration server name available through DNS.
Primary DNS: IP address of the primary DNS name server for laptop user traffic. This entry must be filled with one IP address when the gateway is first configured. Later on, any modification of the primary DNS name server address must be executed on the [Gateway Configure-> Server Table Information] window, reachable through the [Gateway Configure Advanced Settings Server Table] path.
Secondary DNS: IP address of the secondary DNS name server (optional). This entry must be filled with one IP address when the gateway is first configured. Later on, any modification of the secondary DNS name server address must be executed on the [Gateway Configure-> Server Table Information] window, reachable through the [Gateway Configure Advanced Settings Server Table] path.
Primary NTP Server: IP address of the Network Time Protocol (NTP) server used by the OmniAccess 3500 NLG gateway for time synchronization. Since the time on the OmniAccess 3500 NLG gateway is critically bound to the time on the Active Directory server, the Active Directory server typically acts as the primary NTP server for the OmniAccess 3500 NLG gateway.
Secondary NTP Server: IP address of the secondary NTP server (optional).
SMTP Access Type: Settings for the Simple Mail Transfer Protocol (SMTP) server used for the exchange of emails to and from the OmniAccess 3500 NLG gateway. The gateway uses emails (transmitted as SMS text messages over the 3G wireless network) to wake up dormant cards when urgent remote management tasks are due. The options for the SMTP Access Type are <Direct>, <Login>, and <TLS>. The <Direct> option enables access to the SMTP server without submission of a <login, password> pair. The <Login> option requires instead the submission of the <login, password> pair. The <TLS> option (for Transport Layer Security) requires the <login, password> submission and encrypts the communication between the gateway and the SMTP server.
SMTP Server: IP address of the SMTP server.
SMTP Port: Number of the port used by the mail server to listen for requests. The port number is typically <25>, but the administrator can change it for security purposes.
Mail From: Address used in the From field of the SMS messages sent to wake up the dormant cards.
Mail Domain: Domain within which all addresses used for SMS messaging are exchanged.
SMTP Login: Login name assigned to the OmniAccess 3500 NLG gateway for its account with the SMTP server.
SMTP Password: Password associated with the account of the OmniAccess 3500 NLG gateway with the SMTP server.

Confirm Password: Confirmation replica of the SMTP password.
SNMP Enable: The OmniAccess 3500 NLG gateway offers MIB-II support for its native functional components (i.e., components that are not part of the OmniAccess 3500 NLG platform). If the <SNMP Enable> option is set, it is possible to use a third-party network management system to manage and monitor the MIB-II objects of the gateway through SNMP.
Port Number: Port over which the third-party network-management system can exchange get and set SNMP messages with the OmniAccess 3500 NLG gateway for retrieving and setting the values of the MIB-II objects. The port number is typically 161, but the administrator can change it for security purposes.
Trap Port Number: Port over which the third-party network management system can receive the trap messages generated by the OmniAccess 3500 NLG gateway. The port number is typically 162, but the administrator can change it for security purposes.
Read Community: This string is used for SNMP authentication and works like a password that any remote SNMP client must use when accessing objects of the gateway MIB in read-only mode.
Confirm Read Community: Confirmation replica of the read community string.
Read-Write Community: This string is used for SNMP authentication and works like a password that any remote SNMP client must use when accessing objects of the gateway MIB in read-write mode. It is recommended to set up different values for the read community string and for the read-write community string.
Confirm Read-Write Community: Confirmation replica of the read-write community string.
HTTPS Port: The port on which you can securely access the management system GUI from a web browser. The default value is <443>, in which case you don't have to specify the port in the URL. If you set a different port, you will have to use the port number in the URL while accessing the management system. For example, if you specify the HTTPS port as <8443>, and the address of the LAN interface (accessible from within the enterprise network) is < >, then you can open the management system GUI by typing the following URL in the address box of your browser: <
Card Address Range: IP address pool for assignment to the cards when they connect to the gateway. This entry must be filled with one address range when the gateway is first configured. Later on, the editing of the initial card address range or the introduction of new address ranges must be executed on the [Gateway Configure-> Address Pool Information] window, reachable through the [Gateway Configure Advanced Settings Address Pool] path.
Card Address Mask: Network mask for identification of the card address pool set upon initial configuration of the gateway.
Laptop Address Range: IP address pool for assignment to the laptop when the corresponding Card connects to the gateway. This entry must be filled with one address range when the gateway is first configured. Later on, the editing of the initial card address range or the introduction of new address ranges must be executed on the [Gateway Configure-> Address Pool Information] window, reachable through the [Gateway Configure Advanced Settings Address Pool] path.
Laptop Address Mask: Network mask for identification of the laptop address pool set upon initial configuration of the gateway.
Gateway Certificate ID Type: Type of identifier for the digital certificate that is used by the OmniAccess 3500 NLG gateway for mutual authentication with the OmniAccess 3500 NLG cards. Options available (choose one): < >, <FQDN>, <DN>. This entry must be set when the gateway is first configured. Later on, the setting of the Gateway Certificate ID Type (possibly with a different value than the initial one) must be executed on the [Connection Manager Tunnel Table (Add)] window, reachable through the [Gateway Configure Advanced Settings Tunnel Table New] path.
Gateway Certificate ID: Identifier of the certificate that the OmniAccess 3500 NLG gateway uses for mutual authentication with the OmniAccess 3500 NLG cards. This entry must be set when the gateway is first configured. Later on, the setting of the Gateway Certificate ID (possibly with a different value than the initial one) must be executed on the [Connection Manager Tunnel Table (Add)] window, reachable through the [Gateway Configure Advanced Settings Tunnel Table New] path. Please note that this parameter is case-sensitive.

Figure 63 - Gateway Configurations (Edit)

The following gateway information objects can be accessed upon selection of the <Configure Advanced Settings> tab:

Connection Manager Settings [Gateway Configure Advanced Settings], [Configure:], [r]
Objects needed for configuration of the remote access connections.

Address Pool [Gateway Configure Advanced Settings Gateway Configure:-> Address Pool Information], [rw]
Sets of IP addresses from which the OmniAccess 3500 NLG gateway draws the pair of VPN addresses that it assigns to the OmniAccess 3500 NLG card and associated laptop upon establishment of the IPsec tunnel. The addresses for the card and for the laptop are drawn from different, disjoint sets. Multiple sets can be assigned to the cards (Card sets) and to the laptops (Laptop sets). The address sets are expressed in the format <IP address>, <Netmask>, as in < >, < >. The <IP Address> value can also be expressed as a range (as in < >) or as a host (as in < /24>). The <Netmask> value must be specified in all cases. The <Type> value designates the assignment of the IP address set to the OmniAccess 3500 NLG cards (<Card>) or to the laptops (<Laptop>).
Each address pool requires the configuration of the following set of parameters:
IP Address: The IP address from which the gateway draws the pair of VPN addresses it assigns to the card and to the laptop upon establishment of the IPsec tunnel.
Netmask(x.x.x.x): The Netmask address used to designate the IP subnet from which the gateway draws the pair of VPN addresses it assigns to the card and to the laptop upon establishment of the IPsec tunnel.
Type: Select <Card> or <Laptop> from the drop-down menu.

Figure 64 - Connection Manager Address Pool (Add)

Server Table [Gateway Configure Advanced Settings Server Table], [Gateway Configure:-> Server Table Information], [rw]
Configuration of the DNS, WINS, and default gateway addresses that the OmniAccess 3500 NLG gateway passes to the card and laptop together with the VPN addresses. Only one value can be set for each type of address.
Type: Network server for which the IP address is specified. Options (choose one): <DNS> (DNS server), <WINS> (WINS server), and <GUARD_PRIVATE_IP> (IP address of the LAN:1 virtual interface of the gateway).
Primary IP Address: IP address of the first network server being configured.
Secondary IP Address: IP address of the second network server being configured.

Figure 65 - Connection Manager Server Table (Add)

Rules [Gateway Configure Advanced Settings Rules], [Gateway Configure:-> Rule Information], [rw]
Packet classification rules for the firewall and IPsec endpoint that are embedded in the OmniAccess 3500 NLG gateway. The embedded firewall can be used to restrict the network traffic that the OmniAccess 3500 NLG gateway exchanges over its interfaces, assuming the function of an enterprise firewall in a network where an enterprise firewall is not already deployed. The firewall rules may or may not be associated with existing IPsec tunnels. The embedded IPsec endpoint handles the requests to open IKEv2 and IPsec security associations that the OmniAccess 3500 NLG cards originate from their current locations. The OmniAccess 3500 NLG gateway uses the IPsec endpoint rules to match incoming IKEv2 requests with sets of IKEv2/IPsec parameters to be used in the configuration of the security associations that may result from the negotiations.
Each rule requires the configuration of the following set of parameters:
Precedence: Rule precedence with respect to other rules defined in the same context. The priority of the rule is higher with a higher precedence value. The highest-precedence rule that matches a packet is the rule that defines how the packet is handled.
Type: Rule type, to be chosen among <Pass> (accept all packets matching the rule), <Drop> (drop all packets matching the rule), and <Reject> (drop all packets matching the rule, and for each dropped packet notify the corresponding sender).
Protocol: Protocol Identifier value carried by the packets that match the rule. Options (choose one): <ANY>, <TCP>, <UDP>, <ICMP>.
Source IP/[Mask]: Range of IP addresses to be checked against the source IP field in the packet header.
Source Port Low, Source Port High: Range of port values to be checked against the source port field in the packet header.
Destination IP/[Mask]: Range of IP addresses to be checked against the destination IP field in the packet header.
Destination Port Low, Destination Port High: Range of port values to be checked against the destination port field in the packet header.
Interface Name: Network interface on the OmniAccess 3500 NLG gateway where the packet filter rule applies. For the target interface, the name must be consistent with the interface labels on the gateway's back panel (<WAN> and <LAN>).
Local Stack Direction: Packet direction with respect to the local IP stack of the OmniAccess 3500 NLG gateway. Options (choose one): <ANY> (the rule applies to traffic in any direction), <From> (the rule only applies to traffic from the local IP stack, i.e., outgoing traffic), <To> (the rule only applies to traffic to the local IP stack, i.e., incoming traffic).
Tunnel Direction: This object enables the association of the packet classification rule with a tunnel profile. Options (choose one): <None> (no tunnel is to be associated with the rule, which is therefore strictly a packet filtering rule), <To Tunnel> (packets matching the rule are dispatched through an IPsec tunnel whose profile is identified by the <To Tunnel> value; if an existing IPsec tunnel is not found for a matching packet, the IPsec tunnel is created before the packet is delivered), <From Tunnel> (packets matching the rule are received from an IPsec tunnel whose profile is identified by the <From Tunnel> value; if a remote request to open an IPsec tunnel is received on a packet whose header matches the rule, the OmniAccess 3500 NLG gateway uses the tunnel profile specified in the <From Tunnel> value to conduct the subsequent negotiations).
To Tunnel: Name of the tunnel profile for the IPsec tunnel that dispatches the matching packet.
From Tunnel: Name of the tunnel profile for the IPsec tunnel over which the matching packet is received.

Figure 66 - Connection Manager Rules (Add)

Tunnel Table [Gateway Configure Advanced Settings Tunnel Table], [Gateway Configure:-> Tunnel Table], [rw]
List of profiles used to define the parameters of the IKE and IPsec Security Associations that are created either by the OmniAccess 3500 NLG gateway (<To Tunnel> option in the Rule definition) or by request of the OmniAccess 3500 NLG cards (<From Tunnel> option in the Rule definition).
Name: Name of the tunnel profile.
Identity Type: Type of identifier used to designate the local tunnel endpoint (residing on the OmniAccess 3500 NLG gateway) in the security association negotiations. Options (choose one): < > (address, as in <user@domain.ext>), <FQDN> (Fully Qualified Domain Name, as in <hostname.localdomain.ext.>), <DN> (Distinguished Name, used for identification of an entry in an LDAP directory, as in <dn: cn=john Doe,dc=example,dc=com>, where <cn=john Doe> is the Relative Distinguished Name of the entry and <dc=example,dc=com> is the Distinguished Name of the parent entry).
Identity: Identity value for the local tunnel endpoint, specified in the format required by the <Identity Type> value.
Algorithms to be used for IPsec Negotiations: Encryption algorithm to be used on the IPsec tunnel. Options (choose one): <3DES-SHA1>, <AES128-SHA1>, <AES192-SHA1>, <AES256-SHA1>.

Algorithms to be used for IKE Negotiations: Encryption algorithm to be used for protection of the IKEv2 exchanges. Options (choose one): <3DES-SHA1>, <AES128-SHA1>, <AES192-SHA1>, <AES256-SHA1>.
Lifetime of the IKE SA in seconds: Maximum duration of the IKEv2 Security Association that controls the IPsec tunnel between the OmniAccess 3500 NLG card and the OmniAccess 3500 NLG gateway.
Lifetime of the IPsec SA in seconds: Maximum duration of the IPsec Security Association that carries encrypted packets from one end of the secure remote access connection to the other.

Figure 67 - Connection Manager Tunnel Table (Add)

Assisted File Transfer [Gateway Configure Advanced Settings], [Configure:], [r]
Configuration of the OmniAccess 3500 NLG Assisted File Transfer facility for IT applications integrated in the OmniAccess 3500 NLG platform. The OmniAccess 3500 NLG gateway allocates a fixed amount of storage space for each application. The other configuration parameters drive the transport aspects of the file transfer transactions.

Application Table [Gateway Configure Advanced Settings Application Table], [Gateway:-> Application Table Information], [rw]
List of applications that utilize the Assisted File Transfer utility. The following information items are displayed for every application listed: Application Name, Share Path, User Name, Domain Name, Laptop Directory, Laptop Directory Owner, Direction, and Max Disk Space (MB).

Application Name: Name of the application that will use the Assisted File Transfer facility (e.g., testapp).
Application Password: Password associated with the application.
Share Path: Directory path in the application server that leads to the Windows share to be mounted (e.g., //server1/testappdir).
Share User Name: User name with permission to mount this share.
Share Password: Password corresponding to this user.
Domain Name: Domain of the application server that includes the Windows share.
Laptop Directory: Path of the laptop folder that is created for this application (if it does not already exist).
Laptop Directory Owner: The domain account to which the ownership of files in this folder should be set. (Currently unused. All files are stored and accessed using the SYSTEM account.)
Direction: Determines if the direction of the contents replication is from the laptop to the enterprise or vice versa.
Maximum Disk Size (MB): The maximum size of the folder allocated to the application.
User Groups: User Groups that the file replication is restricted to. The BROADCAST group includes all user groups.

Figure 68 - Application Table Information

Connection Manager - Show Information [Gateway Configure Advanced Settings], [Configure:], [r]
Read-only state information for a number of functional components of the OmniAccess 3500 NLG platform.

SA IKE [Gateway Configure Advanced Settings SA IKE], [Gateway:-> SA IKE Information], [r]
List of the IKE Security Associations that currently exist between the OmniAccess 3500 NLG gateway and remotely connected OmniAccess 3500 NLG cards. Each row in the table corresponds to one OmniAccess 3500 NLG card and shows the following information items:
Child SAs: Number of existing IPsec Security Associations that were established under control of this IKE Security Association.
Creation Time: Time of establishment of the IKE Security Association, in the format: <yyyymmddhhmmss>.
Local IP: IP address (outer header) of the local endpoint of the IKE Security Association (on the OmniAccess 3500 NLG gateway).
Remote IP: IP address (outer header) of the remote endpoint of the IKE Security Association (on the OmniAccess 3500 NLG card).
Local Identity: Certificate ID for the local endpoint of the IKE Security Association.
Remote Identity: Certificate ID for the remote endpoint of the IKE Security Association.
Encryption Algorithm: Algorithm used for the encryption of packets exchanged over the IKE Security Association.
Hash Algorithm: Algorithm used for the exchange of credentials over the IKE Security Association.

SA IPsec [Gateway Configure Advanced Settings SA - IPsec], [Gateway:-> SA IPsec Information], [r]
List of the IPsec Security Associations that currently exist between the OmniAccess 3500 NLG gateway and remotely connected OmniAccess 3500 NLG cards. Each row in the table corresponds to one OmniAccess 3500 NLG card (i.e., one IPsec tunnel, consisting of two IPsec security associations) and shows the following information items:
Local IP: IP address (outer header) of the local endpoint of the IPsec tunnel (on the OmniAccess 3500 NLG gateway).
Remote IP: IP address (outer header) of the remote endpoint of the IPsec tunnel (on the OmniAccess 3500 NLG card).
ESP SPI-In: Security Parameter Index (SPI) found in incoming IPsec packets with ESP protection (not available with AH protection).
ESP SPI-Out: Security Parameter Index inserted in outgoing IPsec packets with ESP protection (not available with AH protection).

AH SPI-In: Security Parameter Index found in incoming IPsec packets with AH protection (not available with ESP protection).
AH SPI-Out: Security Parameter Index inserted in outgoing IPsec packets with AH protection (not available with ESP protection).
Algorithm Cipher: Algorithm used for the encryption of packets exchanged over the IPsec tunnel.
Algorithm Hash: Algorithm used for the exchange of credentials over the IPsec tunnel.

Flows [Gateway Configure Advanced Settings Flows], [Gateway:-> Flows], [r]
List of the objects that the OmniAccess 3500 NLG gateway instantiates for stateful packet inspection purposes. When a packet arrives at the firewall embedded in the OmniAccess 3500 NLG gateway, the firewall first tries to match it with a previously established flow object. If no matching flow object is found, the firewall tries to match the packet with one of its configured rules. If one or more matches are found, a new flow object is created according to the matching rule with the highest precedence. If no matching rule is found, the default rule (drop) is applied to the packet and no new flow is created. Each row in the table corresponds to one stateful-inspection flow object and shows the following information items:
Idle Time: Time elapsed since the last packet associated with the flow was received (in seconds).
IP Protocol: IP-encapsulated protocol of the connection associated with the flow object. Some of the possible values are <TCP>, <UDP>, <ESP>, <AH>.
Source IP: Source IP Address (outer IP header) identifying the flow object.
Source Port: Source Port (if protocol is TCP or UDP) identifying the flow object.
Dest. IP: Destination IP Address (outer IP header) identifying the flow object.
Dest. Port: Destination Port (if protocol is TCP or UDP) identifying the flow object.
Rule Index: Internal identifier of the rule that originated the flow object.
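The flow-first lookup, highest-precedence-wins matching and default drop described for the Rules and Flows tables can be modelled offline to review a rule set before it is entered in the GUI. The Python below is an added example, not Alcatel-Lucent code: the class names, the `shadowed` audit helper, the exact 5-tuple flow key, the tie-break for equal precedence and the sample rules (documentation-range addresses) are assumptions, and the Local Stack Direction and tunnel fields are not modelled.

```python
import ipaddress
from dataclasses import dataclass

ANY_NET = "0.0.0.0/0"
ANY_PORTS = (0, 65535)

@dataclass(frozen=True)
class Packet:
    proto: str        # "TCP", "UDP", "ICMP", ...
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    interface: str    # "WAN" or "LAN", as labelled on the back panel

@dataclass(frozen=True)
class Rule:
    index: int        # shown as "Rule Index" in the Flows table
    precedence: int   # higher value = higher priority
    action: str       # "Pass", "Drop" or "Reject"
    proto: str = "ANY"
    src_net: str = ANY_NET
    src_ports: tuple = ANY_PORTS
    dst_net: str = ANY_NET
    dst_ports: tuple = ANY_PORTS
    interface: str = "WAN"

    def matches(self, p):
        return (self.interface == p.interface
                and self.proto in ("ANY", p.proto)
                and ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst_ip) in ipaddress.ip_network(self.dst_net)
                and self.src_ports[0] <= p.src_port <= self.src_ports[1]
                and self.dst_ports[0] <= p.dst_port <= self.dst_ports[1])

class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = {}   # 5-tuple -> Rule that originated the flow

    def classify(self, p):
        """Return (action, rule index, how the decision was reached)."""
        key = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        rule = self.flows.get(key)
        if rule is not None:                 # 1. established flow object
            return rule.action, rule.index, "flow"
        hits = [r for r in self.rules if r.matches(p)]
        if not hits:                         # 3. default rule, no flow created
            return "Drop", None, "default"
        # 2. highest precedence wins (assumption: first listed wins a tie)
        best = max(hits, key=lambda r: r.precedence)
        self.flows[key] = best
        return best.action, best.index, "rule"

def covers(hi, lo):
    """True if every packet matched by rule `lo` is also matched by `hi`."""
    net = ipaddress.ip_network
    return (hi.interface == lo.interface
            and hi.proto in ("ANY", lo.proto)
            and net(lo.src_net).subnet_of(net(hi.src_net))
            and net(lo.dst_net).subnet_of(net(hi.dst_net))
            and hi.src_ports[0] <= lo.src_ports[0] and lo.src_ports[1] <= hi.src_ports[1]
            and hi.dst_ports[0] <= lo.dst_ports[0] and lo.dst_ports[1] <= hi.dst_ports[1])

def shadowed(rules):
    """Audit: (low, high) index pairs where `low` can never take effect
    because a higher-precedence rule with a different action covers it."""
    return [(lo.index, hi.index)
            for lo in rules for hi in rules
            if hi.precedence > lo.precedence
            and hi.action != lo.action
            and covers(hi, lo)]

# Constructed sample rule set (not from the guide).
RULES = [
    Rule(1, 10, "Pass", proto="UDP", dst_net="192.0.2.10/32", dst_ports=(500, 500)),
    Rule(2, 20, "Drop", src_net="203.0.113.0/24"),
    Rule(3, 5, "Pass", proto="TCP", src_net="203.0.113.0/24",
         dst_net="192.0.2.10/32", dst_ports=(443, 443)),
]

if __name__ == "__main__":
    fw = Firewall(RULES)
    pkt = Packet("UDP", "198.51.100.7", 500, "192.0.2.10", 500, "WAN")
    print(fw.classify(pkt), fw.classify(pkt))
    print("shadowed rules:", shadowed(RULES))
```

A non-empty `shadowed` result points at a rule whose intent is silently overridden, which is worth resolving before the table goes live.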

Global Information [Gateway Configure Advanced Settings Global Information], [Gateway: -> Global Information], [r]
List of statistics collected since the OmniAccess 3500 NLG gateway was last restarted and current status indicators.
Active IKE SAs: Number of IKE Security Associations that are currently active.

Total No. of IKE neg done: Number of IKE negotiations successfully completed since the OmniAccess 3500 NLG gateway was last restarted.
Total No. of IKE neg failed: Number of IKE negotiations failed since the OmniAccess 3500 NLG gateway was last restarted.
No. of Phase-1 Initiator SA's: Number of Phase-1 negotiations initiated by the OmniAccess 3500 NLG gateway since it was last restarted.
No. of Phase-1 Responder SA's: Number of Phase-1 negotiations initiated by a remote OmniAccess 3500 NLG card since it was last restarted.
No. of Active IPsec SA's: Number of IPsec Security Associations that are currently active.
No. of Quick Mode neg done: Number of successful negotiations for the creation of an IPsec Security Association since the OmniAccess 3500 NLG gateway was last restarted.
No. of Quick Mode neg failed: Number of failed negotiations for the creation of an IPsec Security Association since the OmniAccess 3500 NLG gateway was last restarted.
No. of Bytes received: Number of bytes received by the OmniAccess 3500 NLG gateway since it was last restarted.
No. of Bytes sent: Number of bytes transmitted by the OmniAccess 3500 NLG gateway since it was last restarted.
No. of Bytes Forwarded: Number of bytes forwarded from one interface to another since the OmniAccess 3500 NLG gateway was last restarted.
No. of Packets Received: Number of packets received by the OmniAccess 3500 NLG gateway since it was last restarted.
No. of Packets Sent: Number of packets transmitted by the OmniAccess 3500 NLG gateway since it was last restarted.
No. of Packets Forwarded: Number of packets forwarded from one interface to another since the OmniAccess 3500 NLG gateway was last restarted.
No. of Packets Dropped: Number of packets dropped at the OmniAccess 3500 NLG gateway since it was last restarted.
No. of Active flows: Number of currently allocated stateful-inspection flow objects.
No. of Free flows: Number of stateful-inspection flow objects that the OmniAccess 3500 NLG gateway can still allocate.
No. of Total flows: Number of stateful-inspection flow objects allocated since the OmniAccess 3500 NLG gateway was last restarted.
No. of Active transforms: Number of IPsec transforms (either ESP or AH) currently allocated.

No. of Free transforms: Number of IPsec transforms (ESP or AH) that the OmniAccess 3500 NLG gateway can additionally allocate.
No. of Total transforms: Number of IPsec transforms (ESP or AH) allocated by the OmniAccess 3500 NLG gateway since it was last restarted.
No. of Active rules: Number of rules that are currently active.
No. of Free rules: Number of rules that the OmniAccess 3500 NLG gateway can additionally allocate.

The following fields appear upon selection of the <File upload> menu item:

Gateway Configuration File Upload [Gateway Configure Advanced Settings File Upload], [Gateway -> File Upload], [rw]
Keytab File: File containing the credentials of the gateway for authentication with the Active Directory server. The file must necessarily be uploaded to the gateway before any interaction with the Active Directory (AD) infrastructure can start. This includes the case where the method used for authentication of one or more user groups changes from RADIUS to AD.
CA Certificate: Digital certificate of the Certificate Authority (CA), which includes the CA's public key and digital signature. The same CA certificate is installed in the OmniAccess 3500 NLG cards.
CA Certificate Revocation List: List of certificates issued by the Certificate Authority that have been revoked before their natural expiration.
Gateway Certificate: Certificate (public key) of the gateway, used by peer network nodes for encryption of the messages they send to the gateway.
Gateway Private Key: Secret key used by the gateway to decrypt the messages it receives from peer network nodes (including the OmniAccess 3500 NLG cards).

Figure 69 - Gateway Configuration File Upload

The following fields appear upon selection of the <Edit Support Information> menu item:

Edit Gateway Support Information [Gateway Edit Support Information], [Edit Gateway Support Information], [rw]
Contact Person: Name of the person to contact for gateway support.
Telephone: Telephone number of the person to contact for gateway support.
Web Site URL: Web site where gateway support information can be found.
address of the person to contact for gateway support.

Figure 70 - Edit Gateway Support Information

Cards [Cards], [Card Information], [rwx]
List of the OmniAccess 3500 NLG cards that are currently under administrative control of the management system instance. Each row in the table corresponds to one OmniAccess 3500 NLG card and shows the following information items:
Card ID: Electronic Serial Number (ESN) of the OmniAccess 3500 NLG card, an 8-digit (hexadecimal) numeric identifier assigned by the card manufacturer.
Phone: The 10-digit telephone number associated with the OmniAccess 3500 NLG card, assigned by the service provider.
Description: Space for additional card information (optional).

The Card Information window offers access to functions that can be applied to individual entries in the list: <New> (creates new entry), <Edit> (modifies provisioned parameters for existing entry), <Delete> (removes existing entry from list), <Status> (updates status variables for existing entry). The following parameters are provisioned with the <New> or <Edit> functions:
Card ID (ESN #): Electronic Serial Number (ESN) of the OmniAccess 3500 NLG card, an 8-digit (hexadecimal) numeric identifier assigned by the card manufacturer.
Service Provider: The company that is providing 3G wireless service to the card.
Description: Optional field for additional card information.
Phone # (MSID): The 10-digit telephone number associated with the card.

Figure 71 - Card (Add)

The following status indicators can be observed on the target OmniAccess 3500 NLG card upon selection of the <Status> tab:
Card ID: The ESN (Electronic Serial Number) of the card. ESN is a unique identification number for the card provided by the manufacturer.
VPN IP Address: The VPN IP Address assigned to the card when the tunnel is established (no address is visible if the tunnel is down).
VPN Status: Current status of the IPsec tunnel between the OmniAccess 3500 NLG card and the OmniAccess 3500 NLG Gateway.
Last Connection Status: Indicates whether the card is plugged into the laptop or not. Possible values are <CARD_INSIDE_LAPTOP> and <CARD_OUTSIDE_LAPTOP>.
Modem Activation Time: Time when the card was activated with the Service Provider.
Last Connection Time: Time when the card was last connected to the gateway.

Figure 72 - Card (Status)

Laptops [Laptops], [Active Laptop Information], [rwx]
List of laptops associated with OmniAccess 3500 NLG cards that are currently connected to the gateway. The <New> and <Edit> tabs provide access to the following information items for the selected laptop. The <Delete> tab removes the selected entry.
Laptop ID: A unique name for the laptop.
Description: Field for additional laptop information (optional).

Figure 73 - Laptop (Add)

Users
The Users section of the management system GUI allows configuration and monitoring of users and user groups. In this section it is possible to add/edit and delete user/user group entries, check user status, and find the location of a user's laptop.

Users [Users], [User Information], [rw]
List of users that are currently configured under administrative control of the management system instance. The <Open>, <New>, and <Edit> tabs provide access to the following information items for the selected user:
Login: The login name of the user (e.g., jdoe).
Domain: The name of the Windows domain that includes the user. If the enterprise uses a RADIUS-based method instead of an Active Directory infrastructure to authenticate the end users for network access, the Domain field should be filled with the Laptop ID as set up in the laptop configuration.
Full Name: The real name of the user (e.g., John Doe).
Base Unlock Password: Base password used to generate the one-time password. Do not use special characters (such as &) in this field.
Connectivity Timeout (sec.): Total laptop power-on time during which the laptop is allowed to work without VPN tunnel to the OmniAccess 3500 NLG gateway. The corresponding timer is reset every time the IPsec tunnel to the gateway is established while the laptop is powered on. A warning pops up on the laptop's screen five minutes before expiration of the connectivity timeout. If the timeout expires, the laptop locks and can only be unlocked with an OTP received from the IT helpdesk.
OTP Valid Time (sec): Amount of time that the laptop will remain unlocked and with reduced OmniAccess 3500 NLG controls after the one-time password has been successfully entered. All tamper checks are re-enabled after expiration of this time.
Card ID: The ESN of the card assigned to this user. Only one card can be assigned to a given user.
Laptop ID: The laptop assigned to this user. Only one OmniAccess 3500 NLG-enabled laptop can be assigned to a given user.
User Group: The user group that includes this user. A given user can belong to only one User Group.
Certificate ID: The identifier of the Digital Certificate that is used in the activation of the card. The identifier must be expressed in the format: <CN=value>, where CN stands for common name and value is the common name of the certificate (available in the Subject field of the certificate). Please note that this parameter is case-sensitive.
License ID: A license name can be selected from the pull-down menu. The user can connect to the enterprise between the start and end dates specified in the license selected.

Figure 74 - User Information (Add)

The <Delete> tab removes the selected entry from the Users table.

105 Chapter 5. Administrative Infrmatin Base The <Status> tab prvides access t the fllwing ptins: <User Status>, <View Current Lcatin>, and <View Lgin Lcatin>. Clicking n <User Status> prvides visual access t the fllwing status indicatrs: User Settings Infrmatin abut the selected user. User ID Numeric identifier and full name f the user. User Status Whether r nt lgged int the laptp. Last Lgged-in Time Time f cmpletin f latest laptp lgin. Authenticatin Status Whether r nt authenticated with the enterprise netwrk. Card Settings Infrmatin abut the selected user s card. Card ID Unique numeric identifier (ESN) f the card. Last Cnnectin Status Whether r nt plugged int the laptp. VPN Status Whether r nt the IPsec tunnel between the card and the gateway is up. VPN IP Address Current VPN IP address f the card. Last Cnnectin Time Time when the current cnnectin was established. Mdem Activatin Time Time when the 3G mdem was last switched n. Laptp Settings Infrmatin abut the selected user s laptp: ID Laptp identifier. Name Laptp identifier. Status Whether r nt pwered n. IP Address Current VPN IP address f the laptp. Tamper Prfing Settings Infrmatin abut the selected user s security settings: Lck Status Whether r nt currently lcked. Last Lck Time Time when the laptp was last lcked. Last Unlck Time Time when the laptp was last unlcked. Last Remte Kill Status Status f the last remte kill cmmand issued fr the laptp. Last Remte Kill Time Time when a remte kill cmmand was last issued fr the laptp. Last Rebt Initiated Time when the laptp last started rebting. License Settings Infrmatin abut the selected user s license: License ID License identifier. 101

State: Whether the license is in a valid state.
Start Date: The start date for the license.
End Date: The end date for the license.

Figure 75 - User Status window

The <View Current Location> and <View Login Location> tabs provide geographic information about the laptop.

Clicking on <View Login Location> shows a Proprietary Information page into which an administrator password must be typed, then displays the location of the last user login to the laptop, similar to the following map:

Figure 76 - View Login Location

Clicking on <View Current Location> shows a Proprietary Information page into which an administrator password must be typed, then displays the location of the current user login to the laptop, similar to the following map:

Figure 77 - View Current Location

The <Configure> tab provides access to the following items:

Asset Management: <Laptop local time of latest asset info refresh>
[Users User Configure], [User Configurations: <User ID: User Full Name>], [r]
This function runs on demand (see the Refresh Asset Info menu option below) and allows you to view information about user assets. Menu options available are:
Programs: Applications that are currently running on the user's laptop.
Services: State of the Windows Services installed in the user's laptop.
Processes: Processes currently running on the user's laptop.
Partitions: Partition table information.
System Information: System information, such as Manufacturer, Model, CPU version, etc.
Operating System: Operating system used on the user's laptop.
Personal Firewall: Applications that are allowed network access by the application filter of the personal firewall.
Truecrypt File Information: Information about files contained in the encrypted volume in the remote laptop.
Refresh Asset Info: This command triggers a refresh of all the asset management entries.

Tamper Proof Manager
[Users User Configure], [User Configurations: <User ID: User Full Name>], [rwx]
This section of the management system GUI allows you to generate the one-time password that the end user can utilize to unlock a laptop recovered after being locked due to loss or theft.

Generate One Time Password
[Users User Configure Generate One Time Password], [Tamper Proofing Settings - Get One Time Password], [rwx]
Parameters needed for the immediate generation of a one-time password.
User ID: User ID corresponding to the laptop for which the one-time password is being generated.
Current Date (mm/dd/yyyy): Date displayed on the lock screen of the laptop.
Current Time (hh:mm:ss): Time of the day displayed on the lock screen of the laptop.
Time Zone: Time zone displayed on the lock screen of the laptop.
Screen Count: Type the number seen by the end user in the upper right-hand corner of the window that appears on the screen of the locked laptop.

Figure 78 - Tamper Proofing Settings - Get One Time Password

TrueCrypt Volume Encryption
[Users User Configure], [User Configurations: <User ID: User Full Name>], [rwx]
This section of the management system GUI allows you to configure the encrypted volume in the remote laptop and manage the secret password that the laptop needs to mount and access the encrypted volume.

Volume Settings
[Users User Configure Volume Settings], [TrueCrypt Settings], [rw]
Encrypted-volume configuration parameters that are set per user.
User ID: Numeric identifier of the end user.
Volume Path: Volume location in the laptop file system. The value can point to a file with any type of extension.
Mount Drive: Drive identifier assigned to the encrypted volume once mounted.
Volume Size (MB): Total hard disk space allocated to the encrypted volume.
Volume Enabled: Flag enabling/disabling the mounting of the encrypted volume upon authentication of the user's Windows Logon credentials.

Figure 79 - TrueCrypt Settings

Change Volume Password
[Users User Configure Change Volume Password], [Change Password Confirmation], [rwx]
Facility for changing the secret password needed by the laptop to mount the encrypted volume and encrypt/decrypt the encrypted volume contents.

Remove Volume Password
[Users User Configure Remove Volume Password], [Delete Password Confirmation], [rwx]
Facility for deleting the secret password needed by the laptop to mount the encrypted volume and encrypt/decrypt the encrypted volume contents. Without the secret password the contents of the encrypted volume become inaccessible.

Restore Password
[Users User Configure Restore Password], [Restore Password Confirmation], [rwx]
Facility for restoring a deleted secret password needed by the laptop to mount the encrypted volume and encrypt/decrypt the encrypted volume contents.

Volume Status
[Users User Configure Volume Status], [TrueCrypt Status Information], [r]
List of status indicators for the encrypted volume:
User ID: Numeric identifier of the laptop user.
Volume Path: Location of the encrypted volume in the laptop file system. The value can point to a file with any type of extension.
Mount Drive: Drive identifier assigned to the encrypted volume when mounted.
Volume Size (MB): Hard disk space allocated to the encrypted volume.
Volume Status: Current status of the encrypted volume. Possible values indicate the following states: No Volume, Volume Mounted, Volume Dismounted, TrueCrypt Not Installed, Volume Creation Failed For Lack Of Space, Volume Creation Failed For Reasons Other Than Lack Of Space, Volume Mount Failed, Volume Dismount Failed.
Password Change Status: Status of an ongoing password change or password removal procedure. Possible values indicate the following states: No Status, Password Change Successful, Password Change In Progress, Password Change Failed, Password Removal Successful, Password Removal In Progress, Password Removal Failed.
Password Change Time: Time when the password was last changed.
Active Password: Last password successfully stored in the OmniAccess 3500 NLG card.

Figure 80 - TrueCrypt Status Information

Delete Volume
[Users User Configure Delete Volume], [Delete Volume Confirmation], [rwx]
Facility for removing the encrypted volume from the laptop hard disk.

Deleted Volume Properties
[Users User Configure Deleted Volume Properties], [Deleted Volume Information], [r]
Displays information about volumes that have previously been deleted.

System Management
[Users User Information Configure], [System Management], [rw]
This set of commands allows you to lock or unlock the user's laptop.
Lock: Locks the user's laptop.
Unlock: Unlocks the user's laptop.

User Groups
[User Groups], [User Groups Information], [rwx]
List of user groups that are currently configured under administrative control of the management system instance. Each row in the table corresponds to one user group and shows the following information items: <Group ID> (unique numerical identifier), <Name> (unique alphanumeric identifier, in no mandated format), <Description> (optional additional information), <Radio Timeout> (maximum allowed time with powered-off modem before the laptop screen locks).

The <Open> tab provides read access to the following information items for the selected user:
Name: Unique alphanumeric identifier for the user group.
Description: An optional field in which you can type any additional information.
Radio Timeout (sec): A switch on the OmniAccess 3500 NLG card turns the 3G modem on and off. The radio timeout field indicates how long the switch can remain in the off position with the laptop powered on before the Windows Lock screen appears on the laptop's monitor. The lock screen can be unlocked using the Windows Logon credentials, but only as long as the Connectivity Timeout does not expire.
Policy: Personal firewall policy that applies to this user group.
Assigned Users: Users assigned to this group.

Figure 81 - User Group Information (Add)

The <New> tab allows the configuration of the above information items when a new user group is created. The <Edit> tab allows the modification of the settings for one or more of the above items for an existing User Group entry. The <Delete> tab removes the selected entry from the User Group table. The <Configure> tab provides access to the section of the management GUI that allows you to assign TrueCrypt Volume Encryption information to a user group.

Group Volume Settings
[Users User Groups Information Configure User Group Configurations], [Group TrueCrypt Settings], [rw]
Encrypted-volume configuration parameters that are set per user group.
Group Name: Identifier of the user group, shown to remind the IT administrator of the user group for which the encrypted volume is being configured.
Encryption Algorithm: Algorithm used for encryption of the volume contents. Available options are:
  AES (default)
  Serpent
  Twofish
  AES-Twofish
  AES-Twofish-Serpent
  Serpent-AES
  Serpent-Twofish-AES
  Twofish-Serpent
Hash Algorithm: Algorithm used for random generation of the volume master key. Available options are:
  RIPEMD-160 (default)
  SHA-1
  Whirlpool
File Format: Type of file system for the encrypted volume. Available options are:
  FAT (default)
  NTFS (this option does not work for end users that do not have administrator privileges on their laptops).
Note: Windows XP supports NTFS. Earlier Windows versions and Linux support FAT.

Figure 82 - Group TrueCrypt Settings (New)

Delete Group Volume
[Users User Groups Information Configure User Group Configurations], [Delete Group Volume Settings], [rw]
Click this to delete volume settings from the selected user group.

Hosts

The Hosts section of the management system GUI allows access to information and management actions that apply to the groups of IP addresses to be included in the specification of the packet filter rules for the personal firewall policies. Through the Hosts section, you can view, add, edit, and delete hosts (i.e., ranges of IP addresses) and host groups (i.e., groups of non-contiguous IP address ranges).

Hosts
[Hosts], [Hosts], [rw]
List of IP address ranges that are currently configured for inclusion in the packet filtering rules for the personal firewall policies. Each row in the table corresponds to one range of IP addresses and shows the following information items for identification purposes: <Host Name> (unique alphanumeric identifier of the IP address range, in no mandated format), <Description> (information note further describing the IP address range), <Host> (a valid address in the IP address range), <Mask> (network mask used for identification of the entire range, expressed as the number of initial invariant bits in the IP address; valid range: <1..32>).

The <Open> tab provides read access to the following information items for the selected host:
Host Name: Unique name identifying the IP address range.
Description: Descriptive text about the IP address range.
Host: A valid IP address in the IP address range.
Mask (1-32): The network mask used for identification of the entire range.

Figure 83 - Host (Add)

The <New> tab allows the configuration of the above information items when a new group of IP address ranges is created. The <Edit> tab allows the modification of the settings for one or more of the above items for an existing Host entry. The <Delete> tab removes the selected entry from the Hosts table.

Host Groups
[Host Groups], [Host Groups], [rw]
List of IP address range groups that are currently configured for inclusion in the packet filtering rules for the personal firewall policies. Each row in the table corresponds to one host group and shows the following information items for identification purposes: <Host Group Name> (unique alphanumeric identifier of the IP address range group, in no mandated format), <Description> (information note further describing the IP address range group).

The <Open> tab provides access to the following information items for the selected host group:
Host Group Name: Unique alphanumeric identifier for the group of IP address ranges.
Description: Information note detailing the nature and purpose of the group of address ranges.
Hosts: Set of IP address ranges included in the group.

Figure 84 - Host Group (Add)

The <New> tab allows the configuration of the above information items when a new group of IP address ranges is created. The <Edit> tab allows the modification of the settings for one or more of the above items for an existing Host Group entry. The <Delete> tab removes the selected entry from the Host Groups table.

Services

The Services section of the management system GUI provides access to information and management actions that apply to the groups of UDP and TCP ports to be included in the specification of the packet filter rules for the personal firewall policies. Through the Services section, you can view, add, edit, and delete services and service groups.

Services
[Services], [Services Information], [rw]
List of layer-4 ports that are configured for inclusion in service groups. The service specification does not include indication of the target layer-4 protocol. Each row in the table corresponds to one service and shows the following information items: <Name> (descriptive alphanumeric identifier of the service), <Port> (port number of the service, with <0> representing all port numbers between <1> and <65535>).

The following items are set upon creation of a new table entry through the <New> tab:
Name: Unique name for the service you want to add.
Port: The port number of the service.

Figure 85 - Service Information (Add)

The <Open>, <Edit>, and <Delete> tabs can be used to view, modify, and delete an existing entry, respectively.

Service Groups
[Service Groups], [Service Group Information], [rw]
A service group is a collection of layer-4 port numbers to be included in the specification of personal firewall policies. The service group specification does not include indication of the target layer-4 protocol. Each row in the table corresponds to one service group and shows the following information items: <Group ID> (unique numerical identifier of the service group), <Name> (descriptive alphanumeric identifier of the service group).

The <New> tab enables the configuration of the following fields upon instantiation of a new service group:
Group ID: Unique alphanumeric identifier for the group of layer-4 ports.
Name: Name identifying the service group.
Services: Set of layer-4 ports included in the group.

Figure 86 - Service Group Information (Add)

The <Open>, <Edit>, and <Delete> tabs can be used to view, modify, and delete an existing entry, respectively.

Policies

The Policies section of the management system GUI provides access to information and management actions that apply to the personal firewall policies to be installed in the OmniAccess 3500 NLG cards. A personal firewall policy has scope exclusively over the network traffic exchanged by the OmniAccess 3500 NLG laptop and not over the traffic that terminates at the OmniAccess 3500 NLG card. Through the Policies section, you can view, add, edit, and delete packet filter rules, application filter rules, and personal firewall policies.

Personal Firewall
[Personal Firewall], [Policies Personal Firewall], [rw]

Configuration of packet filter rules, application lists, and personal firewall policies.

Packet Filter Rules
[Personal Firewall Packet Filter Rules], [Packet Filter Rules Definitions], [rw]
List of packet filter rules to be included in the personal firewall policies. All packet filter rules are allow-rules: only packets that match one of the configured packet filter rules are allowed through the personal firewall. The <New> tab allows the creation of a new table entry. The <Open>, <Edit> and <Delete> tabs allow the inspection, modification, and deletion of an existing entry, respectively. Each entry in the table shows the following information items:
Rule Name: Unique alphanumeric name of the packet filter rule.
Direction: Direction of the traffic that is subject to the packet filter rule. Options (choose one): <In> (from the network to the laptop), <Out> (from the laptop to the network).
IP Addresses: Set of IP address ranges including the address of a packet matching the packet filter rule. The address must be found in the Source IP Address field in the case of a packet filter rule with <In> direction, and in the Destination IP Address field in the case of a packet filter rule with <Out> direction.
Source Ports: Set of port values including the source port number of a packet matching the packet filter rule. This field is only relevant for packet filter rules whose <Protocol> selection is either <TCP> or <UDP>.
Destination Ports: Set of port values including the destination port number of a packet matching the packet filter rule. This field is only relevant for packet filter rules whose <Protocol> selection is either <TCP> or <UDP>.
Protocol: Protocol identifier carried in the header of a packet that matches the packet filter rule. Options (choose one): <TCP>, <UDP>, <ICMP>, <IP>.
Rule Action: Select an action to take from the drop-down list (Accept or Drop).

Figure 87 - Packet Filter Rules (Add)

Applications
[Personal Firewall Applications], [Applications], [rw]
Configuration of applications to be included in the personal firewall policies. This utility enables the coupling of MS Windows executable file names (<Executable File>) with their corresponding application names (<Application Name>). A pre-populated list of common applications is available by default. The following information items are set upon instantiation of a new table entry using the <New> tab:
Application Name: Unique alphanumeric name for the new application.
Executable File: Name of the MS Windows executable file that corresponds to the Application Name.

Figure 88 - Applications

Application Group
[Personal Firewall Application Group], [Application Group Information], [rw]
Configuration of groups of applications with homogeneous treatment in the application filter. The inclusion of an application group in a personal firewall policy works the same way as the inclusion of an individual application. This utility makes the specification of Personal Firewall rules faster by avoiding the necessity of explicitly listing the required firewall behavior for every application that is relevant to the rule. The creation of an application group requires the prior insertion of its component applications in the list that maps application names onto executable file names. The following information items can be set through the <New> or <Edit> tabs:
Group Name: Unique alphanumeric name for the new application group.
Applications: Drop-down list of applications that are available for inclusion in the Application Group. Click the <Add> button to add the application to the group.

Figure 89 - Application Group

Firewall Policy
[Personal Firewall Firewall Policy], [Firewall Policy Definitions], [rw]
List of personal firewall policies. A personal firewall policy consists of a set of packet filter rules and a set of application filter rules. A packet filter rule decides on the treatment of individual packets that traverse the personal firewall on the OmniAccess 3500 NLG card. An application filter rule decides on the opening of laptop-terminated connections for the target application whenever the application requests such opening. Each user group is bound to a single personal firewall policy. Whenever the policy changes, the same modification applies to the personal firewalls of all users in the group.

Each entry in the table shows the following information items for identification purposes: <Policy Name> (unique alphanumeric identifier of the firewall policy), <User Control> (indicates whether to allow user control over the firewall policy). Clicking the <New> tab brings up several tabs which allow the creation of a new personal firewall policy with the configuration of the following objects:

General
[Personal Firewall Firewall Policy New General], [Firewall Policy Settings (Add)], [rw]
Policy Name: Unique alphanumeric identifier for the personal firewall policy.
User Control: Whether the user will have control to allow or deny applications. Possible values are Allow and Deny.

Unsecured Connectivity Duration: First timeout used in the Captive Portal Management algorithm, which regulates open access to the Internet during the negotiation of local access credentials with an access point provider. The timeout, expressed in seconds, defines the extension of the time window during which the end user can negotiate the access credentials with the access point provider, in a connectivity scenario that is not secured by the inclusion of the OmniAccess 3500 NLG Gateway in the data path.
Re-activation Wait Period: Second timeout used in the Captive Portal Management algorithm, which regulates open access to the Internet during the negotiation of local access credentials with an access point provider. The timeout, expressed in seconds, defines the extension of the blackout interval between consecutive attempts to obtain access credentials from the access point provider. The blackout interval prevents the end user from causing continuous exposure of the laptop to external attacks with lengthy credential negotiation procedures.

Figure 90 - Firewall Policy Settings General tab

Rules
[Personal Firewall Firewall Policy New Rules], [Firewall Policy Settings (Add)], [rw]
Rule name: Unique alphanumeric identifier for the packet filter rule being included in the personal firewall policy.
Precedence: The order in which the packet filter rule will be executed. Higher precedence means that the rule will be executed first.
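The matching behaviour described in the Hosts, Services and Packet Filter Rules sections, together with the Precedence field above, can be modelled as follows. This is an added example, not Alcatel-Lucent code: the class and function names and the sample addresses are constructed for illustration, and it assumes that <IP> matches every protocol and that a larger precedence number is evaluated first.

```python
import ipaddress
from dataclasses import dataclass

ANY_PORT = 0  # Services section: port 0 represents all ports 1..65535


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str      # "In" (network to laptop) or "Out" (laptop to network)
    hosts: tuple        # (host, mask) pairs as entered in the Hosts table
    protocol: str       # "TCP", "UDP", "ICMP" or "IP"
    action: str         # "Accept" or "Drop"
    precedence: int     # assumption: larger number = evaluated earlier
    src_ports: tuple = (ANY_PORT,)
    dst_ports: tuple = (ANY_PORT,)


@dataclass(frozen=True)
class Packet:
    direction: str
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: int = 0
    dst_port: int = 0


def host_range(host, mask):
    """Expand a Hosts entry: any valid address in the range plus a 1..32 mask."""
    if not 1 <= mask <= 32:
        raise ValueError(f"mask {mask} outside the valid range 1..32")
    # strict=False because <Host> may be any address inside the range.
    return ipaddress.ip_network(f"{host}/{mask}", strict=False)


def port_in(ports, port):
    """True if the port set contains the port or the 'all ports' value 0."""
    return any(p in (ANY_PORT, port) for p in ports)


def rule_matches(rule, pkt):
    if rule.direction != pkt.direction:
        return False
    # Assumption: <IP> matches every protocol carried over IP.
    if rule.protocol != "IP" and rule.protocol != pkt.protocol:
        return False
    # <In> rules test the source address, <Out> rules the destination address.
    remote = ipaddress.ip_address(
        pkt.src_ip if rule.direction == "In" else pkt.dst_ip)
    if not any(remote in host_range(h, m) for h, m in rule.hosts):
        return False
    # Port sets are only relevant when the rule's protocol is TCP or UDP.
    if rule.protocol in ("TCP", "UDP"):
        return (port_in(rule.src_ports, pkt.src_port)
                and port_in(rule.dst_ports, pkt.dst_port))
    return True


def evaluate(policy, pkt):
    """Return (action, rule name); a packet matching no rule is dropped."""
    for rule in sorted(policy, key=lambda r: r.precedence, reverse=True):
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "Drop", None


# Constructed sample policy (addresses and names are illustrative only).
POLICY = [
    Rule("drop-legacy-host", "Out", (("10.20.99.7", 32),), "TCP", "Drop", 90),
    Rule("allow-intranet-web", "Out", (("10.20.30.40", 16),), "TCP", "Accept",
         50, dst_ports=(80, 443)),
    Rule("allow-dns", "Out", (("10.20.0.53", 32),), "UDP", "Accept", 40,
         dst_ports=(53,)),
    Rule("allow-ping-in", "In", (("10.20.0.0", 16),), "ICMP", "Accept", 10),
]

if __name__ == "__main__":
    for pkt in (
        Packet("Out", "10.9.9.9", "10.20.5.5", "TCP", 50000, 443),
        Packet("Out", "10.9.9.9", "10.20.99.7", "TCP", 50000, 443),
        Packet("Out", "10.9.9.9", "192.0.2.10", "TCP", 50000, 443),
        Packet("In", "192.0.2.10", "10.9.9.9", "ICMP"),
    ):
        print(pkt, "->", evaluate(POLICY, pkt))
```

The second sample packet shows why precedence matters when reviewing a policy: the narrower Drop rule only takes effect because it is evaluated before the broader Accept rule covering the same range.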

Figure 91 - Firewall Policy Settings Rules tab

Applications
[Personal Firewall Firewall Policy New Applications], [Firewall Policy Settings (Add)], [rw]
Applications: List of applications in the application filter table that contributes to the definition of the personal firewall policy.
Network Access: An application filter rule can be set as either an allow rule (the application is always allowed to open a remote connection) or a deny rule (the application is never allowed to open a remote connection).

Figure 92 - Firewall Policy Settings Applications tab

Application Groups
[Personal Firewall Firewall Policy New Application Groups], [Firewall Policy Settings (Add)], [rw]
Application Groups: List of application groups in the application filter table that contribute to the definition of the personal firewall policy. Application groups are used to simplify the specification of personal firewall policies, especially when a large number of applications require explicit inclusion in the application filter table.
Network Access: The application filter treatment is the same for all the applications in the application group. The network access decision can be set as either an allow rule (the applications in the group are always allowed to open a remote connection) or a deny rule (the applications in the group are never allowed to open a remote connection).

The <Open>, <Edit>, and <Delete> tabs allow you to inspect, modify, or remove an existing personal firewall policy.

Figure 93 - Firewall Policy Settings Application Groups tab

Fault Manager

In the Fault Manager section of the management system GUI you can access system status information. Through the Fault Manager section, you can view logs and events and configure the interoperation of the OmniAccess 3500 NLG with a syslog server.

Log Viewer
[Log Viewer], [Server Log Viewer], [r]
Logs collected from various portions of the OmniAccess 3500 NLG system. The <Log Viewer> command brings up records containing the following information:
Local Time: Local time of generation of the log record (time zone of the source OmniAccess 3500 NLG node). Format: <yyyy-mm-dd hh:mm:ss>.
IP Address: IP address of the OmniAccess 3500 NLG node (gateway, card, laptop) that generated the log.
Event ID: The type of the logged event.
Module Name: Name of the software module that generated the log.
Severity: Severity of the event reported in the log record.
Message: Additional information describing the event.

Figure 94 - Server Log Viewer

Syslog
[Syslog], [Syslog Server Settings], [rw]
Syslog service configuration parameters.
Primary Server: First Syslog Server IP address.
Secondary Server: Second Syslog Server IP address.
Port: The port number to which you want to forward logs.
Forward Logs: Set whether or not the Syslog Logs should be forwarded.

Figure 95 - Syslog Server Settings

Log History
[Server Log History], [r]
List of archived event logs. Each entry in the list shows the following information objects:
Time: Time of generation of the log record (format: <yyyy-mm-dd hh:mm:ss>).
GMT Time: GMT time of generation of the log record (format: <yyyy-mm-dd hh:mm:ss>).
IP Address: IP address of the OmniAccess 3500 NLG node (gateway, card, laptop) that generated the event log.
Event ID: The type of the logged event.
Module Name: Name of the software module that generated the event log.
Severity: Severity of the event reported in the event log.
Message: Any additional information about the event.
Refresh (mins.): Type a number in this field to indicate how often (in minutes) you would like this window to refresh (default: 1).

Figure 96 - Server Log History

License Manager

Allows for management of user card licenses.

Card Licenses
[Card Licenses], [Card Licenses], [r]
List of currently active card licenses. Existing licenses can be inspected, renewed, and deleted using the <Open>, <Renew>, and <Delete> tabs respectively. The following information items are shown in the table for each entry:
Name: A unique name that identifies a particular license.
Service Provider: The service provider for which this license is valid.
Max. Licenses: The maximum number of users who can be provisioned into the gateway at any given time.
Available: Initially displays the same value as the Max. Licenses field. When a license is issued to a user, this field is decremented by one.
Start Date: The start date for this license in the mm/dd/yyyy format.
End Date: The end date for this license in the mm/dd/yyyy format.


More information

1 Getting and Extracting the Upgrader

1 Getting and Extracting the Upgrader Hughes BGAN-X 9202 Upgrader User Guide (PC) Rev 1.0 (23-Feb-12) This dcument explains hw t use the Hughes BGAN-X Upgrader prgram fr the 9202 User Terminal using a PC. 1 Getting and Extracting the Upgrader

More information

DocAve 6 Replicator. User Guide. Service Pack 3. Revision H Issued August DocAve 6: Replicator

DocAve 6 Replicator. User Guide. Service Pack 3. Revision H Issued August DocAve 6: Replicator DcAve 6 Replicatr User Guide Service Pack 3 Revisin H Issued August 2013 1 Table f Cntents Abut DcAve Replicatr... 5 Cmplementary Prducts... 5 Submitting Dcumentatin Feedback t AvePint... 5 Befre Yu Begin...

More information

DocAve 6 Service Pack 2 Control Panel

DocAve 6 Service Pack 2 Control Panel DcAve 6 Service Pack 2 Cntrl Panel Reference Guide Revisin D Issued February 2013 DcAve 6: Cntrl Panel 1 Table f Cntents Abut Cntrl Panel... 6 Submitting Dcumentatin Feedback t AvePint... 6 Befre Yu Begin...

More information

DocAve 6 Replicator. User Guide. Service Pack 2, Cumulative Update 2. Revision F Issued June DocAve 6: Archiver

DocAve 6 Replicator. User Guide. Service Pack 2, Cumulative Update 2. Revision F Issued June DocAve 6: Archiver DcAve 6 Replicatr User Guide Service Pack 2, Cumulative Update 2 Revisin F Issued June 2013 DcAve 6: Archiver 1 Table f Cntents Table f Cntents... 2 Abut DcAve Replicatr... 5 Cmplementary Prducts... 5

More information

Your New Service Request Process: Technical Support Reference Guide for Cisco Customer Journey Platform

Your New Service Request Process: Technical Support Reference Guide for Cisco Customer Journey Platform Supprt Guide Yur New Service Request Prcess: Technical Supprt Reference Guide fr Cisc Custmer Jurney Platfrm September 2018 2018 Cisc and/r its affiliates. All rights reserved. This dcument is Cisc Public

More information

File Share Navigator Online

File Share Navigator Online File Share Navigatr Online User Guide Service Pack 7 Issued September 2017 Table f Cntents What s New in this Guide... 4 Abut File Share Navigatr Online... 5 Cmpnents f File Share Navigatr Online... 5

More information

INSTALLING CCRQINVOICE

INSTALLING CCRQINVOICE INSTALLING CCRQINVOICE Thank yu fr selecting CCRQInvice. This dcument prvides a quick review f hw t install CCRQInvice. Detailed instructins can be fund in the prgram manual. While this may seem like a

More information

AvePoint Timeline Enterprise for Microsoft Dynamics CRM

AvePoint Timeline Enterprise for Microsoft Dynamics CRM AvePint Timeline Enterprise 1.0.2 fr Micrsft Dynamics CRM Installatin and Cnfiguratin Guide Revisin B Issued Nvember 2013 Timeline Enterprise fr Micrsft Dynamics CRM Install and Cnfig 1 Table f Cntents

More information

Element Creator for Enterprise Architect

Element Creator for Enterprise Architect Element Creatr User Guide Element Creatr fr Enterprise Architect Element Creatr fr Enterprise Architect... 1 Disclaimer... 2 Dependencies... 2 Overview... 2 Limitatins... 3 Installatin... 4 Verifying the

More information

LiveEngage and Microsoft Dynamics Integration Guide Document Version: 1.0 September 2017

LiveEngage and Microsoft Dynamics Integration Guide Document Version: 1.0 September 2017 LiveEngage and Micrsft Dynamics Integratin Guide Dcument Versin: 1.0 September 2017 Cntents Intrductin... 3 Step 1: Sign Up... 3 CRM Widget Signing Up... 3 Step 2: Cnfiguring the CRM Widget... 4 Accessing

More information

App Orchestration 2.6

App Orchestration 2.6 App Orchestratin 2.6 Terminlgy in App Orchestratin 2.6 Last Updated: July 8, 2015 Page 1 Terminlgy Cntents Elements f App Orchestratin... 3 Dmains... 3 Multi-Datacenter Deplyments... 4 Delivery Sites...

More information

Reference Guide. Service Pack 3 Cumulative Update 2. Revision J Issued October DocAve 6: Control Panel

Reference Guide. Service Pack 3 Cumulative Update 2. Revision J Issued October DocAve 6: Control Panel DcAve 6 Cntrl Panel Reference Guide Service Pack 3 Cumulative Update 2 Revisin J Issued Octber 2013 DcAve 6: Cntrl Panel 1 Table f Cntents Abut Cntrl Panel... 6 Submitting Dcumentatin Feedback t AvePint...

More information

Procurement Contract Portal. User Guide

Procurement Contract Portal. User Guide Prcurement Cntract Prtal User Guide Cntents Intrductin...2 Access the Prtal...2 Hme Page...2 End User My Cntracts...2 Buttns, Icns, and the Actin Bar...3 Create a New Cntract Request...5 Requester Infrmatin...5

More information

Release Notes. Dell SonicWALL Security firmware is supported on the following appliances: Dell SonicWALL Security 200

Release Notes. Dell SonicWALL  Security firmware is supported on the following appliances: Dell SonicWALL  Security 200 Release Ntes Email Security Dell SnicWALL Email Security 8.0.1 SnicOS Cntents System Cmpatibility... 1 Enhancements in Email Security 8.0.1... 2 Reslved Issues... 3 Upgrading t Email Security 8.0.1...

More information

Additional License Authorizations

Additional License Authorizations Additinal License Authrizatins Fr HPE CMS SIM Management sftware prducts Prducts and suites cvered PRODUCTS E-LTU OR E-MEDIA AVAILABLE * NON-PRODUCTION USE OPTION HPE Dynamic SIM Prvisining Yes Yes HPE

More information

These tasks can now be performed by a special program called FTP clients.

These tasks can now be performed by a special program called FTP clients. FTP Cmmander FAQ: Intrductin FTP (File Transfer Prtcl) was first used in Unix systems a lng time ag t cpy and mve shared files. With the develpment f the Internet, FTP became widely used t uplad and dwnlad

More information

DocAve 6 ediscovery. User Guide. Service Pack 3, Cumulative Update 1. Revision F Issued August DocAve 6: ediscovery

DocAve 6 ediscovery. User Guide. Service Pack 3, Cumulative Update 1. Revision F Issued August DocAve 6: ediscovery DcAve 6 ediscvery User Guide Service Pack 3, Cumulative Update 1 Revisin F Issued August 2013 1 Table f Cntents Abut DcAve ediscvery... 4 Cmplementary Prducts... 4 Submitting Dcumentatin Feedback t AvePint...

More information

Enterprise Installation

Enterprise Installation Enterprise Installatin Mnnit Crpratin Versin 3.6.0.0 Cntents Prerequisites... 3 Web Server... 3 SQL Server... 3 Installatin... 4 Activatin Key... 4 Dwnlad... 4 Cnfiguratin Wizard... 4 Activatin... 4 Create

More information

TRAUMACAD 2.5 PREREQUISITES

TRAUMACAD 2.5 PREREQUISITES TRAUMACAD 2.5 PREREQUISITES Befre beginning the TraumaCad Server sftware installatin, please verify all prerequisite are installed and minimum hardware and sftware requirements are met, as described belw.

More information

Employee Self Service (ESS) Quick Reference Guide ESS User

Employee Self Service (ESS) Quick Reference Guide ESS User Emplyee Self Service (ESS) Quick Reference Guide ESS User Cntents Emplyee Self Service (ESS) User Quick Reference Guide 4 Intrductin t ESS 4 Getting Started 5 Prerequisites 5 Accunt Activatin 5 Hw t activate

More information

UiPath Automation. Walkthrough. Walkthrough Calculate Client Security Hash

UiPath Automation. Walkthrough. Walkthrough Calculate Client Security Hash UiPath Autmatin Walkthrugh Walkthrugh Calculate Client Security Hash Walkthrugh Calculate Client Security Hash Start with the REFramewrk template. We start ff with a simple implementatin t demnstrate the

More information

Single File Upload Guide

Single File Upload Guide Single File Uplad Guide August 15, 2018 Versin 9.6.134.78 Single File Uplad Guide 1 Fr the mst recent versin f this dcument, visit ur dcumentatin website. Single File Uplad Guide 2 Table f Cntents 1 Single

More information

USER MANUAL. RoomWizard Administrative Console

USER MANUAL. RoomWizard Administrative Console USER MANUAL RmWizard Administrative Cnsle Cntents Welcme... 3 Administer yur RmWizards frm ne lcatin... 3 Abut This Manual... 4 Setup f the Administrative Cnsle... 4 Installatin... 4 The Cnsle Windw...

More information

IMPORTING INFOSPHERE DATA ARCHITECT MODELS INFORMATION SERVER V8.7

IMPORTING INFOSPHERE DATA ARCHITECT MODELS INFORMATION SERVER V8.7 IMPORTING INFOSPHERE DATA ARCHITECT MODELS INFORMATION SERVER V8.7 Prepared by: March Haber, march@il.ibm.cm Last Updated: January, 2012 IBM MetaData Wrkbench Enablement Series Table f Cntents: Table f

More information

Frequently Asked Questions

Frequently Asked Questions Frequently Asked Questins Versin 10-21-2016 Cpyright 2014-2016 Aviatrix Systems, Inc. All rights reserved. Aviatrix Clud Gateway What can it d fr me? Aviatrix Clud Gateway prvides an end t end secure netwrk

More information

OASIS SUBMISSIONS FOR FLORIDA: SYSTEM FUNCTIONS

OASIS SUBMISSIONS FOR FLORIDA: SYSTEM FUNCTIONS OASIS SUBMISSIONS FOR FLORIDA: SYSTEM FUNCTIONS OASIS SYSTEM FUNCTIONS... 2 ESTABLISHING THE COMMUNICATION CONNECTION... 2 ACCESSING THE OASIS SYSTEM... 3 SUBMITTING OASIS DATA FILES... 5 OASIS INITIAL

More information

1 Getting and Extracting the Upgrader

1 Getting and Extracting the Upgrader Hughes BGAN-X 9211 Upgrader User Guide (Mac) Rev 1.2 (6-Jul-17) This dcument explains hw t use the Hughes BGAN Upgrader prgram fr the 9211 User Terminal using a Mac Nte: Mac OS X Versin 10.4 r newer is

More information

Welcome to Remote Access Services (RAS) Virtual Desktop vs Extended Network. General

Welcome to Remote Access Services (RAS) Virtual Desktop vs Extended Network. General Welcme t Remte Access Services (RAS) Our gal is t prvide yu with seamless access t the TD netwrk, including the TD intranet site, yur applicatins and files, and ther imprtant wrk resurces -- whether yu

More information

Enabling Your Personal Web Page on the SacLink

Enabling Your Personal Web Page on the SacLink 53 Enabling Yur Persnal Web Page n the SacLink *Yu need t enable yur persnal web page nly ONCE. It will be available t yu until yu graduate frm CSUS. T enable yur Persnal Web Page, fllw the steps given

More information

Campuses that access the SFS nvision Windows-based client need to allow outbound traffic to:

Campuses that access the SFS nvision Windows-based client need to allow outbound traffic to: Summary This dcument is a guide intended t guide yu thrugh the prcess f installing and cnfiguring PepleTls 8.55.27 (r current versin) via Windws Remte Applicatin (App). Remte App allws the end user t run

More information

SmartPass User Guide Page 1 of 50

SmartPass User Guide Page 1 of 50 SmartPass User Guide Table f Cntents Table f Cntents... 2 1. Intrductin... 3 2. Register t SmartPass... 4 2.1 Citizen/Resident registratin... 4 2.1.1 Prerequisites fr Citizen/Resident registratin... 4

More information

DocAve 6 Deployment Manager

DocAve 6 Deployment Manager DcAve 6 Deplyment Manager User Guide Service Pack 3 Revisin I Issued August 2013 1 Table f Cntents Abut Deplyment Manager... 5 Cmplementary Prducts... 5 Submitting Dcumentatin Feedback t AvePint... 5 Befre

More information

Online Banking for Business USER GUIDE

Online Banking for Business USER GUIDE Online Banking fr Business estatements USER GUIDE Cntents Cntents... 1 Online Banking fr Business Getting Started... 2 Technical Requirements... 2 Supprted brwsers... 2 Minimum system requirements... 2

More information

Troubleshooting of network problems is find and solve with the help of hardware and software is called troubleshooting tools.

Troubleshooting of network problems is find and solve with the help of hardware and software is called troubleshooting tools. Q.1 What is Trubleshting Tls? List their types? Trubleshting f netwrk prblems is find and slve with the help f hardware and sftware is called trubleshting tls. Trubleshting Tls - Hardware Tls They are

More information

Dear Milestone Customer,

Dear Milestone Customer, Dear Milestne Custmer, With the purchase f Milestne Xprtect Transact yu have chsen a very flexible ptin t yur Milestne Xprtect Business slutin. Milestne Xprtect Transact enables yu t stre a serial data

More information

WorldShip PRE-INSTALLATION INSTRUCTIONS: INSTALLATION INSTRUCTIONS: Window (if available) Install on a Single or Workgroup Workstation

WorldShip PRE-INSTALLATION INSTRUCTIONS: INSTALLATION INSTRUCTIONS: Window (if available) Install on a Single or Workgroup Workstation PRE-INSTALLATION INSTRUCTIONS: This dcument discusses using the WrldShip DVD t install WrldShip. Yu can als install WrldShip frm the Web. G t the fllwing Web page and click the apprpriate dwnlad link:

More information

Introduction to Mindjet on-premise

Introduction to Mindjet on-premise Intrductin t Mindjet n-premise Mindjet Crpratin Tll Free: 877-Mindjet 1160 Battery Street East San Francisc CA 94111 USA Phne: 415-229-4200 Fax: 415-229-4201 www.mindjet.cm 2012 Mindjet. All Rights Reserved

More information

SMART Room System for Microsoft Lync. Software configuration guide

SMART Room System for Microsoft Lync. Software configuration guide SMART Rm System fr Micrsft Lync Sftware cnfiguratin guide Fr mdels SRS-LYNC-S, SRS-LYNC-M and SRS-LYNC-L In this guide: Fr yur recrds 1 Preparing fr yur rm system 2 Befre cnfiguring yur rm system s sftware

More information

Sircon User Guide A Guide to Using the Vertafore Sircon Self-Service Portal

Sircon User Guide A Guide to Using the Vertafore Sircon Self-Service Portal Sircn User Guide A Guide t Using the Vertafre Sircn Self-Service Prtal September 2016 Versin 16.8 Cntents Cntents Using the Vertafre Sircn Self-Service Prtal... 3 Lg In... 3 Hme Page... 4 Lg New Cases...

More information

HPE AppPulse Mobile. Software Version: 2.1. IT Operations Management Integration Guide

HPE AppPulse Mobile. Software Version: 2.1. IT Operations Management Integration Guide HPE AppPulse Mbile Sftware Versin: 2.1 IT Operatins Management Integratin Guide Dcument Release Date: Nvember 2015 Cntents Overview: The IT Operatins Management Integratin 3 System Requirements 3 Hw t

More information

Upgrade Guide. Medtech Evolution General Practice. Version 1.9 Build (March 2018)

Upgrade Guide. Medtech Evolution General Practice. Version 1.9 Build (March 2018) Upgrade Guide Medtech Evlutin General Practice Versin 1.9 Build 1.9.0.312 (March 2018) These instructins cntain imprtant infrmatin fr all Medtech Evlutin users and IT Supprt persnnel. We suggest that these

More information

DocAve 6 Control Panel

DocAve 6 Control Panel DcAve 6 Cntrl Panel DcAve 6 Cntrl Panel Reference Guide Reference Guide Service Pack 4, Cumulative Update 3 Revisin T Service Pack 4, Cumulative Update 3 Issued Nvember 2014 Revisin S Issued September

More information

CROWNPEAK DESKTOP CONNECTION (CDC) INSTALLATION GUIDE VERSION 2.0

CROWNPEAK DESKTOP CONNECTION (CDC) INSTALLATION GUIDE VERSION 2.0 TECHNICAL DOCUMENTATION CROWNPEAK DESKTOP CONNECTION (CDC) INSTALLATION GUIDE VERSION 2.0 AUGUST 2012 2012 CrwnPeak Technlgy, Inc. All rights reserved. N part f this dcument may be reprduced r transmitted

More information

1 Getting and Extracting the Upgrader

1 Getting and Extracting the Upgrader Hughes BGAN-X 9202 Upgrader User Guide (Mac) Rev 1.0 (23-Feb-12) This dcument explains hw t use the Hughes BGAN Upgrader prgram fr the 9202 User Terminal using a Mac Nte: Mac OS X Versin 10.4 r newer is

More information

NiceLabel LMS. Installation Guide for Single Server Deployment. Rev-1702 NiceLabel

NiceLabel LMS. Installation Guide for Single Server Deployment. Rev-1702 NiceLabel NiceLabel LMS Installatin Guide fr Single Server Deplyment Rev-1702 NiceLabel 2017. www.nicelabel.cm 1 Cntents 1 Cntents 2 2 Architecture 3 2.1 Server Cmpnents and Rles 3 2.2 Client Cmpnents 3 3 Prerequisites

More information

Kaltura Video Extension for SharePoint 2013 Deployment Guide for Microsoft Office 365. Version: 1.0

Kaltura Video Extension for SharePoint 2013 Deployment Guide for Microsoft Office 365. Version: 1.0 Kaltura Vide Extensin fr SharePint 2013 Deplyment Guide fr Micrsft Office 365 Versin: 1.0 Kaltura Business Headquarters 250 Park Avenue Suth, 10th Flr, New Yrk, NY 10003 Tel.: +1 800 871 5224 Cpyright

More information

Adverse Action Letters

Adverse Action Letters Adverse Actin Letters Setup and Usage Instructins The FRS Adverse Actin Letter mdule was designed t prvide yu with a very elabrate and sphisticated slutin t help autmate and handle all f yur Adverse Actin

More information

Element Creator for Enterprise Architect

Element Creator for Enterprise Architect Element Creatr User Guide Element Creatr fr Enterprise Architect Element Creatr fr Enterprise Architect... 1 Disclaimer... 2 Dependencies... 2 Overview... 2 Limitatins... 3 Installatin... 4 Verifying the

More information

WinEst 15.2 Installation Guide

WinEst 15.2 Installation Guide WinEst 15.2 Installatin Guide This installatin guide prvides yu with step-by-step instructins n hw t install r upgrade WinEst. Fr a successful installatin, ensure that all machines meet the requirements.

More information

DocAve 6 Granular Backup and Restore

DocAve 6 Granular Backup and Restore DcAve 6 Granular Backup and Restre User Guide Service Pack 4, Cumulative Update 3 Revisin P Issued September 2014 Table f Cntents Abut DcAve Granular Backup and Restre... 5 Cmplementary Prducts... 5 Submitting

More information

How to Guide. DocAve Extender for MOSS 2007 and SPS Installing DocAve Extender and Configuring a Basic SharePoint to Cloud Extension

How to Guide. DocAve Extender for MOSS 2007 and SPS Installing DocAve Extender and Configuring a Basic SharePoint to Cloud Extension Hw t Guide DcAve Extender fr MOSS 2007 and SPS 2010 Installing DcAve Extender and Cnfiguring a Basic SharePint t Clud Extensin This dcument is intended fr anyne wishing t familiarize themselves with the

More information

EView/400i Management Pack for Systems Center Operations Manager (SCOM)

EView/400i Management Pack for Systems Center Operations Manager (SCOM) EView/400i Management Pack fr Systems Center Operatins Manager (SCOM) Cncepts Guide Versin 7.0 July 2015 1 Legal Ntices Warranty EView Technlgy makes n warranty f any kind with regard t this manual, including,

More information

DocAve 6 Service Pack 1 Deployment Manager

DocAve 6 Service Pack 1 Deployment Manager DcAve 6 Service Pack 1 Deplyment Manager User Guide Revisin D Issued September 2012 1 Table f Cntents Abut Deplyment Manager... 5 Cmplementary Prducts... 5 Submitting Dcumentatin Feedback t AvePint...

More information

White Paper. Contact Details

White Paper. Contact Details White Paper Cntact Details Pan Cyber Infrmatin Technlgy PO Bx 34222 Dubai UAE Phne : 97143377033 Fax : 97143377266 Email : inf@pancyber.cm URL : www.pancyber.cm TABLE OF CONTENTS OVERVIEW...3 SYSTEM ARCHITECTURE...4

More information

Paraben s Phone Recovery Stick

Paraben s Phone Recovery Stick Paraben s Phne Recvery Stick v. 3.0 User manual Cntents Abut Phne Recvery Stick... 3 What s new!... 3 System Requirements... 3 Applicatin User Interface... 4 Understanding the User Interface... 4 Main

More information

TDR and Panda Fusion. Integration Guide

TDR and Panda Fusion. Integration Guide TDR and Panda Fusin Integratin Guide i WatchGuard Technlgies, Inc. TDR and Panda Deplyment Overview Threat Detectin and Respnse (TDR) is a cllectin f advanced malware defense tls that crrelate threat indicatrs

More information

ROCK-POND REPORTING 2.1

ROCK-POND REPORTING 2.1 ROCK-POND REPORTING 2.1 AUTO-SCHEDULER USER GUIDE Revised n 08/19/2014 OVERVIEW The purpse f this dcument is t describe the prcess in which t fllw t setup the Rck-Pnd Reprting prduct s that users can schedule

More information

TDR & Bitdefender. Integration Guide

TDR & Bitdefender. Integration Guide TDR & Bitdefender Integratin Guide TDR and Bitdefender Deplyment Overview Threat Detectin and Respnse (TDR) is a cllectin f advanced malware defense tls that crrelate threat indicatrs frm Firebxes and

More information

Upgrade Guide. Medtech Evolution Specialist. Version 1.11 Build (October 2018)

Upgrade Guide. Medtech Evolution Specialist. Version 1.11 Build (October 2018) Upgrade Guide Medtech Evlutin Specialist Versin 1.11 Build 1.11.0.4 (Octber 2018) These instructins cntain imprtant infrmatin fr all Medtech Evlutin users and IT Supprt persnnel. We suggest that these

More information

Table of Contents. WipeDrive Enterprise Logging, March Logging Settings... 3 Log Format Types Audit Log Destination Options...

Table of Contents. WipeDrive Enterprise Logging, March Logging Settings... 3 Log Format Types Audit Log Destination Options... WipeDrive Enterprise Lgging, March 2018 Table f Cntents Lgging Settings... 3 Lg Frmat Types... 4 Plain Text Lg File Optin... 4 Extensible Markup Language (XML) Lg File Optin... 6 Cmma Delimited (CSV) Lg

More information

Virtual Office

Virtual Office Virtual Office ---------------------------------------------------------------------------- ------- --------- Cpyright 2016, 8x8, Inc. All rights reserved. This dcument is prvided fr infrmatin purpses

More information

Medtech Evolution. Installation Guide

Medtech Evolution. Installation Guide Medtech Evlutin Installatin Guide Versin 10.4.2. Build 5850 August 2018 Cpyright Medtech Healthcare Pty Ltd Page 1 f 11 Table f Cntents Intrductin... 3 Installatin Pre-requisites... 4 Medtech Evlutin Server

More information

SafeDispatch SDR Gateway for MOTOROLA TETRA

SafeDispatch SDR Gateway for MOTOROLA TETRA SafeDispatch SDR Gateway fr MOTOROLA TETRA SafeMbile ffers a wrld f wireless applicatins that help rganizatins better manage their mbile assets, fleet and persnnel. Fr mre infrmatin, see www.safembile.cm.

More information

FollowMe. FollowMe. Q-Server Quick Integration Guide. Revision: 5.4 Date: 11 th June Page 1 of 26

FollowMe. FollowMe. Q-Server Quick Integration Guide. Revision: 5.4 Date: 11 th June Page 1 of 26 Q-Server Quick Integratin Guide Revisin: 5.4 Date: 11 th June 2009 Page 1 f 26 Cpyright, Disclaimer and Trademarks Cpyright Cpyright 1997-2009 Ringdale UK Ltd. All rights reserved. N part f this publicatin

More information

DocAve 6 Content Manager

DocAve 6 Content Manager DcAve 6 Cntent Manager User Guide Service Pack 4, Cumulative Update 2 Revisin N Issued July 2014 Table f Cntents Abut Cntent Manager... 5 Cmplementary Prducts... 6 Submitting Dcumentatin Feedback t AvePint...

More information

Spectrum Enterprise SIP Trunking Service Zultys MX Phone System v9.0.4 IP PBX Configuration Guide

Spectrum Enterprise SIP Trunking Service Zultys MX Phone System v9.0.4 IP PBX Configuration Guide Spectrum Enterprise SIP Trunking Service Zultys MX Phne System v9.0.4 IP PBX Cnfiguratin Guide Abut Spectrum Enterprise: Spectrum Enterprise is a divisin f Charter Cmmunicatins fllwing a merger with Time

More information

Getting started. Roles of the Wireless Palette and the Access Point Setup Utilities

Getting started. Roles of the Wireless Palette and the Access Point Setup Utilities Getting started The Wireless Palette is a sftware applicatin fr mnitring the cmmunicatin status between the Wireless LAN PC Card and the Wireless LAN Access Pint (hereinafter referred t as the Access Pint).

More information

OATS Registration and User Entitlement Guide

OATS Registration and User Entitlement Guide OATS Registratin and User Entitlement Guide The OATS Registratin and Entitlement Guide prvides the fllwing infrmatin: OATS Registratin The prcess and dcumentatin required fr a firm r Service Prvider t

More information

Customer Information. Agilent 2100 Bioanalyzer System Startup Service G2949CA - Checklist

Customer Information. Agilent 2100 Bioanalyzer System Startup Service G2949CA - Checklist This checklist is used t prvide guidance and clarificatin n aspects f the auxillary Startup Service (G2949CA) including Security Pack Installatin and Familiarizatin f yur Agilent 2100 Bianalyzer System

More information

econtrol 3.5 for Active Directory & Exchange Installation & Update Guide

econtrol 3.5 for Active Directory & Exchange Installation & Update Guide ecntrl 3.5 fr Active Directry & Exchange Installatin & Update Guide This Guide Welcme t the ecntrl 3.5 fr Active Directry Installatin and Update Guide fr Micrsft Active Directry and Exchange management.

More information

Manual for installation and usage of the module Secure-Connect

Manual for installation and usage of the module Secure-Connect Mdule Secure-Cnnect Manual fr installatin and usage f the mdule Secure-Cnnect Page 1 / 1 5 Table f Cntents 1)Cntents f the package...3 2)Features f the mdule...4 3)Installatin f the mdule...5 Step 1: Installatin

More information

Dell Chassis Management Controller (CMC) Version 1.35 for Dell PowerEdge VRTX. Release Notes

Dell Chassis Management Controller (CMC) Version 1.35 for Dell PowerEdge VRTX. Release Notes Dell Chassis Management Cntrller (CMC) Versin 1.35 fr Dell PwerEdge VRTX Release Ntes Release Type and Definitin The Dell Chassis Management Cntrller (CMC) Versin 1.35 fr Dell PwerEdge VRTX is a System

More information

HW4 Software version 3. Device Manager and Data Logging LOG-RC Series Data Loggers

HW4 Software version 3. Device Manager and Data Logging LOG-RC Series Data Loggers Page 1 f 18 HW4 Sftware versin 3 Device Manager and Data Lgging LOG-RC Series Data Lggers 2011; Page 2 f 18 Table f cntents 1 ORGANIZATION OF THE HW4 MANUALS... 3 2 OVERVIEW... 4 3 INITIAL SETUP... 4 3.1

More information

DocAve Governance Automation 2

DocAve Governance Automation 2 DcAve Gvernance Autmatin 2 Business User Guide Service Pack 2 Issued March 2018 The Enterprise-Class Management Platfrm fr SharePint Gvernance Table f Cntents What s New in this Guide... 3 Submitting Dcumentatin

More information