
July 02, Using the Contivity Branch Access Management Software


Contents

1. Using the Contivity Branch Access Management Software, Version 7.20 (document 313371-A), page 146, Chapter 4, Internet activity logging.
   Stats toolbar buttons. When the Stats window is active, you can select any of the following options on the toolbar:
   - Disable / Enable: This button disables the Contivity Branch Access interface selected in the list box below the graph. To re-enable the unit, click the Enable toolbar button. Caution: If you are using a dynamic IP address and a different IP address is accessed when the dial-up connection reestablishes, users may be disconnected from the selected Contivity unit.
   - Line: This button displays the connection status and is available for the following connections:
     - Between the phone line and the Internet. If the line is active, it shows a green arrow pointing up; if the line is inactive, it shows a red arrow pointing down. To activate or deactivate a line, click the corresponding button.
     - Between the ends of a VPN tunnel. This button appears for a VPN tunnel only if you are monitoring an IPsec interface. Use it to test situations where you want to force the tunnel to be inactive. To make a VPN tunnel connection inactive, click the down arrow button.
   Stats menu. The Stats menu contains options for the Stats toolbar buttons as well as the following options:
   - Forget password: If you select the Remember Password option when you are promp
2. Contents (continued; page numbers refer to the manual):
   (entry title unreadable) ... 334
   Tracing the route to a host ... 336
   Testing the echo port of a host ... 338
   Setting host connection test options ... 341
   Appendix A, Troubleshooting and error messages ... 343
   Viewing a Contivity unit's serial number ... 343
   Viewing system logs and entries ... 344
   Viewing system files in Setup ... 344
   Viewing unit log information ... 344
   Viewing a unit's users ... 344
   Viewing a unit's update history ... 345
   Managing system files through a Web browser ... 345
   Connecting to the Contivity unit using a Web browser ... 345
   Viewing a unit's log files ... 347
   Viewing a unit's update history ... 347
   Changing a unit's system settings file ... 347
   Changing a unit's port mappings ... 348
   Changing a unit's hosts ... 348
   IP workstation error messages ... 348
   Common questions and answers ... 349
   (entry title unreadable) ... 351
   Index
3. Page 179, Chapter 5, Proxy services. This chapter describes how to use Setup to configure the Contivity unit as a Web, DNS, or SOCKS proxy server, and provides additional information on SOCKS configuration.
   Understanding proxy servers. A proxy server makes the connection to the application server on behalf of the client and relays data between the client and the application server. From the application server's perspective, the proxy server is the client. When a client wants to make a connection to an application server, the client connects to the proxy server. The application server's address and port number are passed to the proxy server via a proxy protocol. The proxy server then connects to the application server. After the connection to the application server is established, the proxy server relays data between the client and the application server.
   You can use the Contivity unit as a:
   - Web (HTTP) proxy server
   - DNS proxy server
   - SOCKS proxy server
   Using Setup. Setup is the utility you use to create and configure servers and services for the Contivity unit. When you install the Contivity Branch Access management software, you create and configure general servers and services.
   To start Setup:
   1. From the Instant Internet program group or menu (depending on your operating system), select Setup.
4. Page 220, Chapter 6, Advanced IP configuration. Using the DHCP/BootP relay agent feature. A DHCP server can provide IP addresses to workstations on remote subnets if a DHCP/BootP relay agent exists on each workstation network. A relay agent routes the workstation requests to the actual DHCP server. The DHCP/BootP relay agent functionality can be provided by any RFC 1542 compliant router. If you do not have such a router, you can enable the relay agent feature on the Contivity unit if it is configured to be the DHCP server for your network.
   Note: If you choose to use your Contivity unit as a DHCP/BootP relay agent, none of the other configuration parameters for the Contivity DHCP server have any meaning. As a DHCP server, the Contivity unit does not directly provide configuration information to workstations but merely acts as a gateway for communication between DHCP workstations and the DHCP server.
   Note: Additional BootP configuration options are available through the command line interface (CLI). For details, refer to Reference for the Contivity Branch Access Command Line Interface Version 7.20.
   To use the relay agent feature:
   1. Start Setup and, if prompted, select a unit to configure.
   2. Choose Support > Services. The Services dialog box opens (Figure 102).
   Page 221. Figure 102, Services dialog box. Se
5. Page 150, Chapter 4, Internet activity logging. Table 19, Sort options in the Users window (continued):
   Item | Description
   Apps | Sorts the list numerically by number of applications used.
   First access time | Sorts the list chronologically by the time each user first accessed the Contivity unit.
   Reverse sort | Reverses the sort order currently displayed.
   Viewing Web site access. You can view a record of each Internet Web site that a user accesses. Note: Monitor maintains logging information for each user for whom you enabled logging. For details, refer to Enabling logging for a user on page 101.
   To view a list of Web sites the user accessed: Click the Log toolbar button. The Log window opens. Figure 71 shows a sample Log window.
   Figure 71, Sample Log window (IIUNIT 1 log; columns Time, Name, Event). Times run from 04/26/1999 09:38:49 to 04/26/1999 09:39:23; the recoverable Name and Event entries are:
   RLEWIS | Proxy Connect 0 | us.yimg.com
   RLEWIS | Proxy Connect 0 | 216.32.5.210
   RLEWIS | Proxy Connect 0 | us.yimg.com
   RALLEN | Proxy Connect 0 | adforce.imgis.com
   GGALLEGOS | Proxy Connect 0 | imageserv1.imgis.com
   GGALLEGOS | Proxy Connect 0 | www.scuba
6. Note: Using the install.cfg file for automatic workstation installation is described in more detail in Installing the Contivity Branch Access Management Software Version 7.20. There you can find detailed descriptions of the options for install.cfg, including the use of the asterisk. For details on how to use the unit line, refer to Configuring fault tolerance and automatic user load balancing on page 308.
   Page 310, Chapter 9, IPX configuration and support.
   Example: Sales. In this example, this set of defaults is called Sales:
     SALES
       description  Sales
       type         private
       directory    c:\instinet
       unit         iibox1 iibox2 backupii
       choice
       admin
   The software installs to a private directory, c:\instinet, but the user is not prompted to supply the directory name (refer to Installing the Contivity Branch Access Management Software Version 7.20). The first default unit is iibox1, the second default unit is iibox2, and the third default is backupii. The administrative utilities are not installed, and you are not prompted to install them.
   Example: Accounting. In this example, this set of defaults is called Accounting:
     ACCOUNTING
       description  Accounting
       type         private
       directory    c:\instinet
       unit         iibox2 iibox1 backupii
       choice
       admin
   The software installs to a private directory, and you are prompted with c:\instinet as a default location. The first default
7. Table 26 describes the SYSLOG messages for DHCP events.
   Table 26, SYSLOG messages for DHCP events:
   Priority | Message | Meaning
   Critical | rogue DHCP server discovered <ip_address_of_rogue> | Another DHCP server is conflicting with this one, probably due to connecting a router device to the network.
   Error | conflict <ip_address> | The IP address to be assigned by the DHCP server is already in use, probably because the address has been assigned as a static address from the DHCP scope.
   Error | declined <ip_address> <hostname> <mac_address> | A DHCP client has requested an IP address that is not allowed, for example 255.255.255.255.
   Page 167, Chapter 4, Internet activity logging. Table 26, SYSLOG messages for DHCP events (continued):
   Warning | deny <ip_address> <hostname> <mac_address> | A DHCP client has requested an address that does not belong to this DHCP server, probably because a portable computer from another network was attached to this network and made the request.
   Warning | scope <name> is full | All of the addresses in the DHCP scope have been assigned; no more clients can be supported without reconfiguring with a larger scope.
   Information | assign <ip_address> <hostname> <mac_address> | A DHCP client has been assigned an address.
   Infor
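The rows of Table 26 are the kind of thing a SOC would want to pull out of the unit's SYSLOG feed automatically, because a "rogue DHCP server discovered" message is an early sign of a misplaced router or a hostile DHCP responder on the LAN. The following Python is an added example and not code from the manual or from Nortel; it maps lines to the six message shapes in Table 26 and summarizes rogue-server addresses and the MAC addresses of clients that were denied. The syslog prefix on the sample lines, the exact spacing of the placeholders, and the sample values themselves are constructed assumptions; check them against real unit output before relying on the patterns.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Regex fragments for the manual's placeholders (<ip_address>, <hostname>,
# <mac_address>, <name>). The on-the-wire spacing is this example's assumption.
IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
HOST = r"(?P<host>\S+)"
MAC = r"(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})"

# (priority, kind, pattern), one entry per row of Table 26, in the table's order.
PATTERNS = [
    ("critical", "rogue", re.compile(rf"rogue DHCP server discovered {IPV4}")),
    ("error", "conflict", re.compile(rf"\bconflict {IPV4}")),
    ("error", "declined", re.compile(rf"\bdeclined {IPV4} {HOST} {MAC}")),
    ("warning", "deny", re.compile(rf"\bdeny {IPV4} {HOST} {MAC}")),
    ("warning", "scope_full", re.compile(r"\bscope (?P<scope>\S+) is full")),
    ("information", "assign", re.compile(rf"\bassign {IPV4} {HOST} {MAC}")),
]


@dataclass(frozen=True)
class DhcpEvent:
    priority: str
    kind: str
    ip: Optional[str] = None
    host: Optional[str] = None
    mac: Optional[str] = None
    scope: Optional[str] = None


def classify(line: str) -> Optional[DhcpEvent]:
    """Map one syslog line to a Table 26 event, or None if it is not a DHCP event."""
    for priority, kind, pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            g = m.groupdict()
            return DhcpEvent(priority, kind, g.get("ip"), g.get("host"),
                             g.get("mac"), g.get("scope"))
    return None


def triage(lines):
    """Return (counts by kind, rogue DHCP server IPs, MACs of denied foreign clients)."""
    counts = Counter()
    rogues = set()
    foreign_macs = set()
    for line in lines:
        ev = classify(line)
        if ev is None:
            continue  # not a DHCP event (e.g. a linestate message)
        counts[ev.kind] += 1
        if ev.kind == "rogue":
            rogues.add(ev.ip)
        elif ev.kind == "deny":
            foreign_macs.add(ev.mac)
    return counts, rogues, foreign_macs


# Constructed sample lines, not real unit output; the "host dhcp:" prefix is illustrative.
SAMPLE_LOG = [
    "Apr 26 09:38:49 iibox1 dhcp: assign 192.168.1.50 rlewis-pc 00:a0:c9:12:34:56",
    "Apr 26 09:39:00 iibox1 dhcp: deny 10.1.5.20 laptop7 00:e0:18:aa:bb:cc",
    "Apr 26 09:39:18 iibox1 dhcp: rogue DHCP server discovered 192.168.1.77",
    "Apr 26 09:39:20 iibox1 dhcp: conflict 192.168.1.60",
    "Apr 26 09:39:21 iibox1 dhcp: declined 255.255.255.255 badhost 00:11:22:33:44:55",
    "Apr 26 09:39:22 iibox1 dhcp: scope lan1 is full",
    "Apr 26 09:39:23 iibox1 dhcp: rogue DHCP server discovered 192.168.1.77",
    "Apr 26 09:39:30 iibox1 linestate: dialing Eth2",
]

if __name__ == "__main__":
    counts, rogues, foreign = triage(SAMPLE_LOG)
    print(dict(counts))
    print("rogue DHCP servers:", sorted(rogues))
    print("denied foreign clients:", sorted(foreign))
```

Anything classified as critical or error is worth an alert on its own; repeated "deny" messages from the same MAC are the pattern the manual attributes to a portable computer brought in from another network, which is usually benign but still worth a look.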
8. Page 234, Chapter 6, Advanced IP configuration. Figure 112, Enter IP Information for Interface dialog box (Enter IP Information for Eth2): "Enter a numeric IP address from the pool of addresses on your LAN to be used by the Instant Internet unit. The subnet mask is automatically generated and normally does not require changing." OK, Cancel.
   Assign the Contivity unit an IP address within the DMZ subnet. Enter a subnet mask; the default is 255.255.255.0.
   6. Click OK.
   Publishing a server. To make a server in the DMZ publicly accessible, use server publication. Publishing the server(s) protects the DMZ by limiting traffic to only the published services. For details, refer to Configuring Contivity Branch Access to publish a private server on page 205.
   Deciding whether to enable IP forwarding for your DMZ. When IP forwarding is not enabled, clients on the private LAN are restricted to public access of the servers on the DMZ. To allow unrestricted access between your LAN clients and the server(s) on the DMZ subnet, you must enable IP forwarding. For details, refer to Enabling IP forwarding on page 199.
   Page 235. Example: Using a DMZ to publish a Web server. In this example, you are publishing a Web server with a public IP address of 134.177.3.28. Your LAN uses private a
9. Figures (continued; page numbers refer to the manual):
   (entry title unreadable) ... 295
   Windows 95 Run dialog box ... 300
   Instant Internet Units dialog box ... 300
   Select IPX Frame Types dialog box ... 301
   Restarting Instant Internet dialog box ... 313
   (entry title unreadable) ... 314
   iiLogin Connected as username dialog box ... 314
   Instant Internet Units dialog box ... 315
   Figures 135 through 156:
   Enter Unit's IP Address dialog box ... 316
   Backup Setup Configuration dialog box ... 317
   Restore Setup Configuration dialog box ... 318
   Prompt to restore users and groups ... 319
   Dialup Configuration dialog box ... 321
   ISDN Configuration dialog box ... 322
   Registration Information dialog box ... 323
   Change Password dialog box ... 324
   Unit Name dialog box ... 325
   Unit Time dialog box ... 326
   Time zone dialog box ... 327
10. Note: You will see only users and groups that have had access controls defined for that unit. If a group has certain Internet access permissions, you will see the group in Admin, but you will not necessarily see the users in that group unless they have some unique privilege defined.
    Page 136, Chapter 3, User access administration. Using the Control program to control Internet access times. The Control program is a console (DOS-based) program that allows you to manage a group of interfaces using a batch file. You can use four operation commands to control an interface:
    - down: Manually takes the connection down. Internet traffic automatically brings the connection back up.
    - up: Manually brings the connection up if it is down.
    - disable: Disables the interface and does not permit Internet traffic. Use this command if you want to prohibit Internet access until you manually re-enable the interface.
    - enable: Manually enables the interface.
    Using Control, you can regulate the hours that users can access the Internet by disabling all relevant interfaces for a specific period of time. Control provides a means for automating this process using a third-party Windows scheduler.
    Note: The Control program is available for workstations running Windows 95 and later. It is not available for workstations running Windows 3.1 or Windows for Workgroups.
11. 4. Select the destination user.
    Page 96, Chapter 3, User access administration.
    5. On the toolbar, click Paste. A confirmation message box opens (Figure 34, Copy user confirmation message box: "Instant Internet Admin: Copy user Robin").
    6. Click Yes to copy the user.
    To copy the Internet access settings of one group to another group:
    1. On the toolbar, click Groups.
    2. Select the group that has the access settings you want to copy.
    3. Do one of the following:
       - On the toolbar, click Copy.
       - Choose Groups > Copy a Group.
    4. Select the destination group.
    5. On the toolbar, click Paste. A confirmation message box opens (Figure 35, Copy group confirmation message box: "Instant Internet Admin: Copy group Texas").
    6. Click Yes to copy the group.
    Page 97. Viewing effective user access. Because Contivity Branch Access enables you to configure the Internet access of individual users as well as groups, a particular user may have Internet access designated through several groups, and access might vary from group to group. Contivity Branch Access provides the View Effective User Access option so that you can view the user's effective (actual) Internet access.
    To view a user's effective user access, do one of the following:
    - On the toolbar, click Effect.
    - Choose Users
12. Overview of configuring Internet access on page 105.
    Page 104, Chapter 3, User access administration. Defining controlled Internet access. The Internet Access button in the Change Settings of User dialog box (Figure 37) enables you to define the access the user or group has to the Internet for those times you have defined user access as controlled (blue). You can specify IP addresses, domain names, and port numbers that give users Internet access, thus providing total Internet access control. You can define Internet access only if you have defined the user or group access to Controlled. For details, refer to Configuring Internet access on page 102. Before you continue, familiarize yourself with the basic concepts of Internet addressing protocols.
    Three kinds of Internet addressing. There are three kinds of Internet addressing:
    - IP addresses are direct communications over the Internet to the appropriate destinations. All connections on the Internet are made using IP addresses. Each IP address consists of an actual IP address and a port number. The format is nnn.nnn.nnn.nnn; you can use one to three digits between each decimal point in the address, such as 206.210.192.99. IP addresses and port numbers are separated by a colon, for example 198.67.8.99:80.
    - Host names are human-readable versions of IP addresses, such as nortelnetworks.com or inst
13. on page 314.
    To set user name order:
    1. Choose View > Set User Name Order. The Set User Name Order dialog box opens (Figure 27, Set User Name Order dialog box, listing NT, NDS, and Bindery, with a Cancel button).
    2. Select the option you want to move.
    3. Do one of the following:
       - Click the Up arrow to move the option to a higher priority. If you choose the first option, you cannot move it higher.
       - Click the Down arrow to move the option to a lower priority. If you choose the last option, you cannot move it lower.
    Page 85, Chapter 3, User access administration. Migrating your database to use unique users and groups by server. You can migrate your database to use unique users and groups by server. This feature is useful if you currently have bindery users and groups configured and then select the Unique users and groups by server check box. Selecting this option copies the access of all the configured users and groups to the matching users and groups of the server you are currently viewing. The copied users and groups are then deleted.
    Note: You must be running NetWare and have the option Unique users and groups by server selected in order to use this option. For details, refer to Setting the NetWare preferred server on page 88.
    To migrate your database to use unique users and groups by server: Click View > Move to Server. A checkmark next to the menu item indicates that the
14. (Services dialog box check boxes: Chargen, DHCP, Discard, DNS Proxy, Echo, Ident, SNMP, SOCKS, Telnet, WEB Proxy, WEB Configuration; Configure button.)
    3. Select the DHCP check box.
    4. Click Configure. The DHCP Configuration dialog box opens (Figure 105).
    Page 224, Chapter 6, Advanced IP configuration. Figure 105, DHCP Configuration dialog box (shown for the unit address 192.168.1.1).
    5. In the Scopes area, click Add. The Scope Configuration dialog box opens (Figure 106), where you can add a range of addresses for the Contivity unit to use. You can also specify any addresses within that range that you want to exclude.
    Page 225. Figure 106, Scope Configuration dialog box: IP Addresses (Start address, End address, Subnet mask, Router address); Excluded Addresses (Start Address, End Address; Add, Remove, Configure); OK, Cancel.
    6. In the IP Addresses area, specify the following:
       - Start Address: The first address of the range of addresses you want the Contivity unit to use.
       - End Address: The last address of the range of addresses you want the Contivity unit to use.
       - Subnet Mask: This is entered automatically after you enter the Start Address and move the cursor out of the Start Address box.
       - Router Address: Enter the IP address of the router you want the workstations to
15. Configuring a workstation to use a Contivity unit as a Web proxy server on page 184.
    Click OK. You return to the Services dialog box (Figure 84 on page 181). Click OK. In the main Setup window, click Save and Exit. You can now use your Web browser to configure Web caching and set other parameters. For details, refer to Chapter 7, Web cache configuration, on page 237.
    Using a commercial proxy server. You can use a commercial proxy server for services such as kid-safe Internet service. To do so, enable the transparent proxy server option for the Contivity unit (see Configuring a Contivity unit as a Web proxy server on page 180). Then use a Web browser to configure the Contivity Branch Access proxy to cascade to the proxy that you want to use. For details, refer to Chapter 7, Web cache configuration, on page 237. Be sure to enter the proxy server's IP address in the Proxy through HTTP address box.
    Page 183, Chapter 5, Proxy services. Enabling Web configuration. When you enable Web configuration, you can use a Web browser to:
    - Edit Contivity Branch Access configuration files and view log files (refer to Changing a unit's system files on page 194 and Viewing system logs and entries on page 344).
    - Configure Web cache settings (refer to Chapter 7, Web cache configuration, on page 237).
    To enable Web configuration:
    1. Start Setup and, if prompted, select a unit to conf
16. Filter lists are executed sequentially from the top down. This concept is important: perhaps the most common cause of malfunctioning filter lists is putting the individual filtering lines in the wrong sequence.
    To configure an IP filter:
    1. Start Setup and, if prompted, select a unit to configure.
    2. In the Interfaces area, select an interface and then click Filters. The <interface name> Filter Configuration dialog box opens (Figure 98, Interface Filter Configuration dialog box, shown for Eth2: a Filters list with Add, Remove, and Configure buttons).
    3. Click Add. The Filter Configuration dialog box opens (Figure 99).
    Page 214, Chapter 6, Advanced IP configuration. Figure 99, Filter Configuration dialog box.
    4. In the Filter Name box, enter a name for the filter.
    5. Click Add. The Rule Configuration dialog box opens (Figure 100).
    Page 215. Figure 100, Rule Configuration dialog box: Action (Allow, Deny, L4switch, NAT); Protocol (IP, TCP, UDP, ICMP); Established; Source Address and Port, with Ending Port; Destination Address and Port, with Ending Port.
    6. Select the Action for any packet matching the filter rule:
       - Allow: Allows the packet.
       - Deny
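The warning that filter lists run top-down and that wrong ordering is the most common cause of a broken list is easiest to see with a first-match evaluator. The Python below is an added example written for this page; it is not the unit's filter engine and not code from the manual. It models a rule on the fields of the Rule Configuration dialog (Action, Protocol, source and destination address, destination port and ending port, Established), keeps only the Allow and Deny actions, and applies a deny-by-default policy when nothing matches (that default is an assumption of the example, not something the manual states). The addresses and the two rule sets are constructed; 134.177.3.28 is the Web server address the manual uses in its DMZ example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One line of a filter list, modelled on the Rule Configuration dialog fields."""
    action: str                              # "allow" or "deny" (L4switch and NAT are not modelled)
    protocol: str = "ip"                     # "ip" matches any protocol; or "tcp", "udp", "icmp"
    src: str = "0.0.0.0/0"                   # Source Address, as a CIDR prefix
    dst: str = "0.0.0.0/0"                   # Destination Address, as a CIDR prefix
    dst_ports: Tuple[int, int] = (0, 65535)  # Destination Port .. Ending Port (TCP/UDP only)
    established: bool = False                # match only packets of an established TCP connection


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: int = 0
    established: bool = False


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if pkt.protocol in ("tcp", "udp"):
        lo, hi = rule.dst_ports
        if not lo <= pkt.dst_port <= hi:
            return False
    if rule.established and not (pkt.protocol == "tcp" and pkt.established):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, Optional[int]]:
    """Walk the list top-down; the first matching rule decides.
    `default` is applied when no rule matches (deny-by-default is this example's assumption)."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, i
    return default, None


# Intent: keep one LAN host off the Web while the rest of 192.168.1.0/24 may reach port 80.
BLOCKED_HOST = "192.168.1.50"                       # constructed address
DENY_HOST = Rule("deny", src=f"{BLOCKED_HOST}/32")
ALLOW_WEB = Rule("allow", protocol="tcp", src="192.168.1.0/24", dst_ports=(80, 80))

CORRECT_ORDER = [DENY_HOST, ALLOW_WEB]   # the specific deny sits above the general allow
WRONG_ORDER = [ALLOW_WEB, DENY_HOST]     # the general allow matches first and the deny never runs


def blocked_host_web_request() -> Packet:
    return Packet("tcp", BLOCKED_HOST, "134.177.3.28", 80)


def other_host_web_request() -> Packet:
    return Packet("tcp", "192.168.1.51", "134.177.3.28", 80)


if __name__ == "__main__":
    for name, rules in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(name, "blocked host:", evaluate(rules, blocked_host_web_request()),
              "other host:", evaluate(rules, other_host_web_request()))
```

With the rules in the wrong order the blocked host's request is allowed by rule 0 and the deny line is never consulted, which is exactly the silent failure the manual warns about; the fix is ordering, not adding more lines.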
17. Table 27, SYSLOG messages for IPsec events (continued):
    Priority | Message | Meaning
    Notice | tunnel established <local> <destination> | Valid tunnel constructed between endpoints.
    Information | initiating phase 1 to <destination> | SA being established.
    Information | initiating quick mode | Phase 2 connection is starting.
    Information | need tunnel <local> | Received request for a tunnel.
    Information | new message ID from <destination> | Received request for a tunnel, or received an information or error message.
    Information | notify received from <destination> | Received information message.
    Information | receive from <destination> | Received control message.
    Information | responding to aggressive mode from <destination> | Received an aggressive mode tunnel request and is responding to the request.
    Information | responding to main mode from <destination> | Received a main mode tunnel request and is responding to the request.
    Information | send to <destination> | Control message sent.
    Page 170, Chapter 4, Internet activity logging. Table 28 describes the SYSLOG messages for linestate events.
    Table 28, SYSLOG messages for linestate events:
    Priority | Message | Meaning
    Notice | answering <interface> | Answering a call from a remote end.
    Notice | connected <interface> | Connecting to a remote end.
    Notice | dialing <interface> | Dialing a remote end.
    Notice | negoti
18. - Select or clear the Display most recent access and activity notices for each site check box.
    - Enter the Number of entries to display per page.
    Click Help for more information about each field on any page.
    Bypassing the cache for a Web site. Occasionally you may need to bypass the cache altogether for a particular Web site. For example, some sites require special authentication, send Web content obtained from a secure server, or use a non-standard protocol. In this case, making adjustments to the site's individual cache settings may not correct the problem; you may need to bypass the cache for that site.
    Page 268, Chapter 7, Web cache configuration. The reasons why you would bypass the cache are very similar to the reasons why you need to enable cookies:
    - When a Web site requires a user ID and password, the Web site prompts the user to sign on again after the user signs on the first time, or the initial login fails.
    - When a Web site offers online shopping, the user adds an item to an order but does not see it in their shopping cart.
    For example, when a user cannot access a particular Web site because the site uses a non-standard protocol, you must first determine which site is the problem site. As in the case of Web sites that require cookies, the most efficient way to do this is to sort the Web site list by most recent access (refer to Sorti
19. Phase 1 main mode states (continued):
    No. | Meaning | Reason
    10 | Waiting for Security Association | Phase 1 did not receive main or aggressive mode; Contivity unit did not choose any of the remote end's proposals; invalid aggressive mode user name.
    11 | Sent Security Association, waiting for Security Association | Remote end did not choose any of the Contivity unit's proposals.
    12 | Sent Security Association, waiting for Key Exchange |
    13 | Sent Security Association, waiting for Key Exchange |
    14 | Sent Key Exchange, waiting for Identification | Pre-shared keys did not agree.
    15 | Sent Key Exchange, waiting for Identification | Pre-shared keys did not agree.
    16 | Phase 1 complete |
    17 | Phase 1 complete |
    Table 3, Phase 1 aggressive mode states:
    No. | Meaning | Reason
    21 | Sent Security Association, waiting for Security Association | Remote end did not accept aggressive mode; remote end did not choose any of the Contivity unit's proposals; invalid user name.
    22 | Sent Security Association, waiting for Hash | Pre-shared keys did not agree.
    23 | Phase 1 complete |
    24 | Phase 1 complete |
    25 | Phase 1 received invalid hash | Pre-shared keys did not agree.
    Page 78, Chapter 2, IP security and VPN. Table 4, Phase 2 main mode states:
    No. | Meaning | Reason
    31 | Waiting for phase 1 completion to initiate phase 2 | Phase 1 did not complete because of error.
    32 | Waiting for Security Association | Phase 2 did not receive quick mode or inform mode I
20. Because only the Contivity unit is aware of the ISP's DNS server configuration, changes such as adding or removing additional DNS servers do not require changes to each IP workstation.
    - Performance: The DNS proxy service provides local caching of DNS information, which is then shared by all users. This keeps most DNS queries on the local LAN.
    By default, the Contivity unit is configured to be a DNS proxy server.
    To disable or re-enable the DNS Proxy option:
    1. Start Setup and, if prompted, select a unit to configure.
    2. Choose Support > Services. The Services dialog box opens (Figure 87).
    Page 186, Chapter 5, Proxy services. Figure 87, Services dialog box: check boxes for Chargen, DHCP, Discard, DNS Proxy, Echo, Ident, SNMP, SOCKS, Telnet, WEB Proxy, and WEB Configuration; Configure and Cancel buttons.
    3. Select or clear the DNS Proxy check box. A check mark indicates that the option is enabled.
    4. Click OK.
    Configuring a Contivity unit as a SOCKS proxy server. A SOCKS proxy server provides a firewall for a network, allowing a secure connection to the Internet. When you configure the Contivity unit as a Web proxy server, it provides only HTTP proxy support. Configuring the unit as a SOCKS proxy server provides a simple firewall for other TCP traffic, such as FTP requests. If you have IP workstations alre
21. Bypass the cache for the problem Web site. For details, refer to Bypassing the cache for a Web site on page 267. If bypassing the cache does not solve the problem, the originating Web server may be down or not responding. Be sure to re-enable the cache for the problem Web site.
    I blocked a site, but it still opens in a user's Web browser.
    Problem: The user may have the local cache enabled on the user's workstation, and the content requested from the blocked site may still be in the local cache and is being displayed. For more information on the local cache, refer to How Web caching works with a user's local cache on page 239.
    Solution 1: Purge the user's local cache. For details, refer to your Web browser's documentation.
    Page 273, Chapter 7, Web cache configuration. I requested a Web page, but the content looks outdated.
    Problem: The Web content is being retrieved from the user's local cache and is stale. For more information on the local cache, refer to How Web caching works with a user's local cache on page 239.
    Solution 1: Purge the user's local cache. For details, refer to your Web browser's documentation.
    Solution 2: Force the Web entries to bypass the cache. In Netscape Navigator, press the Shift key while clicking the Reload toolbar button.
    Problem: The expiration settings for the cache level are set too aggressively.
    Solution 1: Force the Web entries to bypass the cache. In
22. If you have an IP network or a network with more than one Contivity unit, the Instant Internet Units dialog box opens.
    2. Select the unit you want and then click OK. If you do not see the Contivity unit in the list, refer to Adding a Contivity unit to the selection list on page 315.
    Configuring a Contivity unit as a Web proxy server. You can configure the Contivity unit to function as a Web (HTTP) proxy server, which enables you to direct all workstations to a remote proxy. You can also configure the Contivity unit as a Web cache, in addition to or instead of the cache on an individual workstation. Web caching is available only for Contivity 400 units.
    The benefits of using the Contivity unit as a Web (HTTP) proxy server include:
    - Enabling it to direct Contivity Branch Access workstation access through a remote proxy.
    - Enabling Web caching in the Contivity unit in addition to the individual workstations.
    You can also use a Web browser to configure cache and system settings. For details, refer to Chapter 7, Web cache configuration, on page 237.
    Before you can use the Contivity unit as a Web proxy server, you must enable both the Web Proxy and Web Configuration options. When you first install the Contivity Branch Access management software, these features are enabled by default. If you disabled these options, you must re-enable them.
    To configure the Contivity unit as a Web (HTTP) proxy server:
    1. Start Setup and, if prom
23. When you select a user, all groups to which the user belongs display as folders in the Groups the User Is In area. All groups to which the user does not belong display as folders in the Groups the User Is Not In area.
    To display all groups, either click the Groups toolbar button or choose Groups > View Groups List from the menu bar. The Admin window displays the following information:
    - List of Groups
    - Users In the Group
    - Users Not In the Group
    When you select a group, all users in the group are displayed as figures in the Users In the Group area. All users who do not belong are displayed as figures in the Users Not In the Group area.
    Note: If you want to be able to view user names rather than IP addresses in all logs, you must force all workstations to run iiLogin (refer to Identifying the login workstation on page 314). If you disable access for the Default user and allow access for the Everyone group, only users running iiLogin are allowed Internet access.
    Copying user and group Internet access settings. To simplify the process of adding users or modifying existing users, you can copy the Internet access settings from one user or group and paste them to another user or group.
    To copy the Internet access settings of one user to another user:
    1. On the toolbar, click Users.
    2. Select the user with the access settings you want to copy.
    3. Do one of the following:
       - On the toolbar, click Copy.
       - Choose Users > Copy a User.
24. access to the Internet and to specific sites, including news groups, incoming ports, and RAW sockets. When you install the Contivity Branch Access management software, all network users are automatically set up to use the default Contivity Branch Access user profile, giving them full Internet access. If this suits your environment, you do not need to further configure Contivity Branch Access. However, if you want some users to have restricted access to the Internet, or if you want to log the activity of a particular user, you can configure group and user access to Internet resources.
    You can create users in two ways:
    - Adopt your users and groups from your network directory services. For details, refer to Managing directory service users and groups on page 82.
    - Create new users and groups for Contivity Branch Access. For details, refer to Creating and removing users and groups on page 89.
    Page 80, Chapter 3, User access administration. Starting Admin.
    To start Admin: From the Instant Internet program group or menu (depending on your operating system), select Admin. If you have an IP network or a network with more than one Contivity unit, the Instant Internet Units dialog box opens. Select the unit you want and then click OK. If you do not see the Contivity unit in the list, refer to Adding a Contivity unit to the selection list on page 315.
25. ...check box.

(Chapter 3, User access administration, page 101)

Ignoring group settings option

The Ignore group settings option is available only for users. When you choose this option, Contivity Branch Access ignores the Internet access settings of the groups that this user belongs to and uses only the user's own Internet access settings. For example, if you choose Ignore group settings for one user in a particular group, Contivity Branch Access applies that user's individual Internet access options only and ignores the settings for that group.

To ignore group settings for a user: in the Change Settings of User dialog box (Figure 37), select the Ignore group settings check box.

Enabling logging for a user

The Enable Logging option keeps a record of each Internet site, IP address and port number that a user accesses. Refer to Viewing a unit's users on page 344. This log is separate from the User Log, which is a continuous running total and summary kept for each user until the log is cleared. The Automatic Logging utility (refer to Automatic logging on page 159) collects this data and writes it to a file. The User Log is maintained regardless of this setting; the Enable Logging option controls only the detailed connection log.

Note: The log file generated by logging can grow rapidly, so the amount of logging information a Contivity unit can store depends on the load. The M
26. ...installed between the servers you want to be public (for example, Web servers or mail servers) and the Internet, then you must provide additional information. For details, refer to Publishing a private server on page 204.

Disabling address translation

When you install the Contivity Branch Access management software, output NAT is enabled by default. However, if you are using IP forwarding, you should disable address translation. For more information on IP forwarding, refer to Configuring IP forwarding on page 199.

To disable address translation:
1. Start Setup and, if prompted, select a unit to configure.
2. In the Interfaces area, select your WAN interface in the list and then click Configure. The <interface name> Configuration dialog box opens. The dialog box in Figure 92 is an example; the dialog box appears different depending on the interface you select.

(Chapter 6, Advanced IP configuration, page 204)

Figure 92 Interface Configuration dialog box (Eth Configuration: IP address 192.168.1.1; Subnet mask 255.255.255.0; Address translation check box; OK, Cancel)

3. Clear the Address translation check box.
4. Click OK.

Publishing a private server

Server publication is accomplished using static network address translation (NAT), which allows you to publish privately addressed servers to the Internet while keeping the firewall in
27. ...over copper wires.

DSU (Digital Service Unit): A device connecting data terminal equipment (DTE) to digital communication lines; it ensures that data to be transmitted across the network is formatted correctly.

E1: European format for digital transmission at 2.048 Mb/s, the European counterpart of the DS-1 (T1) signal.

Echo: A service used for troubleshooting that sends back any message or packet sent to it.

ESF: Extended Superframe.

Ethernet: A widely used LAN technology defined by the Ethernet and IEEE 802.3 specifications.

encryption: A way to achieve data security by translating data into a secret code. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. When configuring IPsec for a VPN, you can choose from DES, 3DES and null. The null option performs no encryption, so the tunnel payload travels in cleartext.

FAS (Frame Alignment Signal): A distinctive signal inserted within a frame that helps maintain synchronization.

(Glossary, page 356)

filtering: The process of examining a data packet on the network and determining the destination of the data, to decide whether the packet should be passed along on the local LAN, copied to another LAN, or dropped.

FQDN (Fully Qualified Domain Name): The complete combination of the host name, domain name and top-level domain. For example, www.nortelnetworks.com.

frame: A unit of data transmission in a local area network, usually Ethernet or token
28. ...'s pool or scope, the server grants permission to use that IP address for a given amount of time, called a lease. Before the lease expires, the workstation asks the server to extend the lease, so the lease remains in effect until some time after the workstation computer is turned off.

In fairly static network environments, where computers are not frequently moved in and out of the network, long-term leases (days, or even weeks or months) are sometimes used. The advantage of long leases is that the DHCP server may be down for maintenance or repairs for a long period before DHCP workstations lose their leases on their addresses and must stop using the network. The disadvantage of long leases is that the IP address used by a computer that is removed from the network is not available to another computer until the lease expires. Thus, where visitors commonly bring their portable computers into the office and connect to the network, or where the pool of available addresses is very small, shorter leases may be desirable. The overhead of renewing a lease is negligible and need not be a concern when selecting a lease period; leases as short as 20 minutes are perfectly practical.

Note: Additional scope-specific configuration options are available through the command line interface (CLI). For details, refer to Reference for the Contivity Branch Access Command Line Interface, Version 7.20.
29. ...which provides features required by certain diagnostics, such as ping and trace route. These programs require special low-level control of the IP packets, so some administrators may want to restrict user access to these diagnostics.

relaying: The process of moving data along a path determined by a routing process. The data is relayed between a source and a destination.

(Glossary, page 364)

remote device: Any network device that is accessible only by means of communication over a digital or analog dial-up network.

RFC (Request for Comments): These documents are the standards for the IP protocol suite.

RIP (Routing Information Protocol): A distance-vector protocol, used by the IP and IPX network layer protocols, that enables routers in the same autonomous system to exchange routing information by means of periodic updates.

ROM: Read-Only Memory.

router: A device that forwards traffic between networks based on network layer information and routing tables. A router decides which path network traffic follows, using routing protocols to gain information about the network and algorithms to choose the best route based on a routing metric.

SA (Security Association): See tunnel.

SHA (Secure Hash Algorithm): An authentication algorithm built on a cryptographic hash function.

SMTP (Simple Mail Transfer Protocol): A service designed specifically for electronic
30. ...you must either use a proper subnet or use a different valid network number for the client-side interface. The Contivity unit routes between the two interfaces.

(Chapter 6, Advanced IP configuration, page 202)

3. Enable IP Forwarding. Refer to Enabling IP forwarding for a Contivity unit on page 200.
4. In the main Setup window, click Save and Exit. You must allow the changes to take effect immediately before IP forwarding is enabled.
5. Ensure that any computer on your network running TCP/IP that you want to have Internet access through the Contivity unit has its default gateway configured to be the IP address of the client-side interface. The subnet mask should match the subnet mask that you entered for the client-side interface.

Using network address translation (NAT)

Network address translation (NAT) provides a secure method of using a single network for both public Internet and private LAN communications. NAT uses one set of IP addresses for internal communication and a completely different set of IP addresses for external communications, thereby keeping the public from learning the private IP addresses. Contivity Branch Access supports both input and output NAT. When input NAT is specified, Contivity Branch Access translates packets as soon as they are received; when output NAT is specified, it translates a packet when it is sent.
31. ... 179
[entry unrecoverable] 179
Configuring a Contivity unit as a Web proxy server 180
Using a commercial proxy server 182
Enabling Web configuration 183
Configuring a workstation to use a Contivity unit as a Web proxy server 184
Configuring a Contivity unit as a DNS proxy server 185
Configuring a Contivity unit as a SOCKS proxy server 186
Using SOCKS workstations with the Admin program 187
Admin options that do not apply to SOCKS workstations 188
Host name access controls and SOCKS 188
Configuring socksified applications 189
Configuring common SOCKS-enabled software 189
Third-party socksifying software 191
Additional SOCKS information 191
Chapter 6 Advanced IP configuration 193
Using Setup 193
Changing a unit's system files 194
Changing a unit's system settings 194
Changing a unit's port mappings 195
Changing a unit's support hosts ...
32. (Chapter 3, User access administration)

2. Use the information in Table 11 to choose the report options you want.

Table 11 Report options
Item | Description
Selected | If you choose this option, you can choose the reports you want.
All | When you choose this option, the Users area becomes active.
Users | Configured Access: reports on the access defined for each user. Effective Access: reports on the effective access for each user, that is, the result after group membership and the Default user are taken into account.
Groups | Configured Access: reports on the access defined for each group.

3. Click OK.
4. Enter the drive and directory where you want the reports to be saved.

Common user and group access examples

The following examples represent the most common ways of creating users and groups in Admin. This section gives general instructions on:
• Setting unlimited access (next)
• Restricting access to a few sites (page 132)
• Allowing access to a few sites (page 132)

Allowing unlimited access for everyone

To allow unlimited access for everyone in a group:
1. Set the Everyone group's access to Full access. Refer to Configuring Internet access on page 102 for more information. The Change User Access dialog box opens (Figure 63).

(Chapter 3, User access administration, page 131)

Figure 63 Change User Access dialog box (Change User Access of Everyone; the remainder of the figure is not recoverable)

2. Configure News Group access to allow access to all news groups. Refer to Man
33. ... 343
server: caching proxy 237; DNS proxy 58, 185; HTTP proxy 180; mail 207, 208; NetWare preferred 88; network layer cache 237; network time protocol (NTP) 326; SMTP 207, 208; SOCKS proxy 186; third-party proxy 182; transparent proxy 182, 237; Web cache 237; Web proxy 180
server publication: Web server 208
(Index, page 376)
services, IP: configuring 193; diagnostic tools 329; DNS proxy server 185; IP forwarding 199; network address translation (NAT) 203; SOCKS proxy server 186, 187; Web proxy server 180
Setup program: overview 179; starting 180
shopping cart 261, 268, 274
single hit statistics 252
SMTP server 207, 208
SOCKS proxy server 186
socksified applications, configuring 189
special Web request: about 248, 255; CGI 255; enabling 257; no cache 256; not sent from the cache 252; options, setting 255; query 255
split tunneling 41
static address translation 204
static routes 196
statistics: active refresh 271; and bandwidth savings 251; hit rate 252; single hit 252; using to fine-tune cache settings 251; viewing 251; Web cache 254
support, Nortel Networks 29

T
T1 connection, communication settings 290
TCP/IP: advanced settings 194; IP forwarding 199; IPX requirements 297; SOCKS 191; using IP forwarding 199, 201, 202
technical publications 28
technical support 29
text conventions 26
text Web entry 246
time: changing 325; expiration for a Web entry 238, 247; no time stamp for a Web e
34. ...Access supports the SOCKS Version 4 User ID method as well as the Version 5 Username/Password method. GSSAPI and Challenge Handshake Authentication Protocol (CHAP) are not currently supported. Neither supported method protects the credential on the wire: the Version 4 user ID is an unauthenticated label chosen by the workstation, and the Version 5 username and password are sent in cleartext, so they identify users on the LAN rather than prove identity across untrusted networks.
• Remote or local address resolution: If SOCKS Version 5 is supported, you may have the option of selecting remote or local address resolution. Remote resolution is preferred because it reduces traffic between the Contivity unit and the SOCKS workstation.

Note: Microsoft Internet Explorer is not natively SOCKS-enabled for Macintosh computers and is not available for OS/2 workstations. Netscape Communicator works on all platforms.

Configuring common SOCKS-enabled software

IP workstations configured to use the Contivity unit as the gateway and DNS server can access the Internet without modifying their browser applications. If you choose to use SOCKS, you must configure the browser applications as follows.

(Chapter 5, Proxy services, page 190)

To configure Netscape Communicator for the PC:
1. Start Netscape Communicator.
2. Choose Edit > Preferences. The Preferences dialog box opens.
3. In the Category area, double-click Advanced.
4. Select Proxies. The Proxies dialog box opens.
5. Select the Manual proxy configuration option.
6. In the SOCKS Host box, enter the IP address of the Contivity unit's LAN-side interface.
7. In the Port box, enter 1080.
8. Click OK through all dia
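The exchange a SOCKS workstation has with the unit, written out byte by byte as an added example (not code from the manual or the product). It builds the SOCKS4 CONNECT with its user ID, the SOCKS5 greeting, the RFC 1929 username/password sub-negotiation the manual calls the Version 5 Username/Password method, and the CONNECT request in both forms the text contrasts: remote resolution (the host name is sent and the unit looks it up) and local resolution (the workstation already resolved the name and sends the address). The host names, addresses and credentials are constructed; port 1080 is the one the procedure above has you enter.

```python
"""SOCKS handshake messages from the workstation side, built by hand from
RFC 1928 (SOCKS5), RFC 1929 (username/password) and the SOCKS4 protocol.
Added example, not product code; all names, addresses and credentials are
constructed."""
import ipaddress
import struct
from typing import Optional, Tuple

SOCKS_PORT = 1080               # the port the manual has you enter in the browser
METHOD_NO_AUTH = 0x00
METHOD_USERPASS = 0x02          # the "Version 5 Username/Password method"
METHOD_NONE_ACCEPTABLE = 0xFF
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def socks4_connect(dst_ip: str, dst_port: int, user_id: str) -> bytes:
    """SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL.
    The user ID is a bare label the workstation chooses; nothing proves it."""
    return (struct.pack("!BBH4s", 4, 1, dst_port, ipaddress.IPv4Address(dst_ip).packed)
            + user_id.encode("ascii") + b"\x00")


def socks5_greeting(offer_userpass: bool) -> bytes:
    """Client hello: VER, NMETHODS, METHODS. GSSAPI (0x01) is left out because
    the manual says the unit does not support it."""
    methods = [METHOD_NO_AUTH] + ([METHOD_USERPASS] if offer_userpass else [])
    return bytes([5, len(methods), *methods])


def parse_method_select(reply: bytes) -> int:
    """Server's VER, METHOD answer to the greeting."""
    if len(reply) != 2 or reply[0] != 5:
        raise ValueError("not a SOCKS5 method-select reply")
    if reply[1] == METHOD_NONE_ACCEPTABLE:
        raise ConnectionError("server accepted none of the offered methods")
    return reply[1]


def socks5_userpass(username: str, password: str) -> bytes:
    """RFC 1929 sub-negotiation: VER=1, ULEN, UNAME, PLEN, PASSWD.
    Both fields travel in cleartext, which is why this belongs on the LAN side."""
    u, p = username.encode("utf-8"), password.encode("utf-8")
    if not 1 <= len(u) <= 255 or not 1 <= len(p) <= 255:
        raise ValueError("username and password must be 1..255 bytes")
    return bytes([1, len(u)]) + u + bytes([len(p)]) + p


def userpass_accepted(reply: bytes) -> bool:
    """Server's VER=1, STATUS reply; STATUS 0 means the credential was accepted."""
    return len(reply) == 2 and reply[0] == 1 and reply[1] == 0


def socks5_connect(host: str, port: int, resolved_ip: Optional[str] = None) -> bytes:
    """CONNECT request. Remote resolution sends the host name (ATYP 0x03) and
    the unit does the DNS lookup; local resolution sends the address the
    workstation already resolved (ATYP 0x01)."""
    header = bytes([5, 1, 0])   # VER, CMD=CONNECT, RSV
    if resolved_ip is None:
        name = host.encode("idna")
        return header + bytes([ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)
    return header + bytes([ATYP_IPV4]) + ipaddress.IPv4Address(resolved_ip).packed + struct.pack("!H", port)


def parse_connect_reply(reply: bytes) -> Tuple[int, str, int]:
    """Server reply: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT. REP 0 = succeeded."""
    if len(reply) < 4 or reply[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = reply[1], reply[3]
    if atyp == ATYP_IPV4:
        addr, rest = str(ipaddress.IPv4Address(reply[4:8])), reply[8:]
    elif atyp == ATYP_DOMAIN:
        n = reply[4]
        addr, rest = reply[5:5 + n].decode("idna"), reply[5 + n:]
    elif atyp == ATYP_IPV6:
        addr, rest = str(ipaddress.IPv6Address(reply[4:20])), reply[20:]
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    return rep, addr, struct.unpack("!H", rest[:2])[0]
```

Printing `socks5_userpass("jdoe", "s3cret").hex()` shows the password sitting in the frame unchanged, which is the concrete reason the manual's SOCKS host is the unit's LAN-side interface and not something reachable from the Internet.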
35. Administration program icons

In Admin, the color of the symbol reflects the user's type of directory service:
• Light blue identifies a Contivity Branch Access user.
• Gold identifies Contivity Branch Access groups.
• Red identifies Novell Bindery or NetWare NDS users and groups.
• Dark blue identifies NT users and groups.

The icon itself denotes the type of access granted to the user. Table 6 describes the user icons in Admin.

Table 6 Admin user icons (the icon images are not reproduced here)
• User has no specific Internet access control, so Contivity Branch Access assigns the Default user settings.
• User's Internet access Disable option is activated and the user has no access to Internet resources.
• User's Enable Logging option is activated.
• User has no specific Internet access control but is inheriting access control from a group or groups.

(Chapter 3, User access administration, page 81)

Table 6 Admin user icons (continued)
• User has specific Internet access.
• User's Ignore Group Settings option is activated, so the user's group settings do not apply.

Default user and Everyone group

When you install the Contivity Branch Access management software, a Default user and the Everyone group are automatically set up for you. These provide a baseline for setting up and establishing your users and groups.

Restoring the Default user

When you create a new
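How the pieces above combine into the effective access a workstation actually gets (the Default user, the Everyone group, inherited group settings, the Ignore group settings option, and the iiLogin note earlier in this chapter), as an added example that is not the Admin program's code. It assumes three things the page does not state: a user's own settings and its groups' settings combine by union, every user is implicitly a member of Everyone, and a workstation that never ran iiLogin is known only by its IP address and is therefore treated as the Default user. Settings are modelled as a set of reachable resources with "*" standing for Full access.

```python
"""Effective Internet access resolution modelled on the manual's rules for
users, groups, the Default user and the Everyone group. Added example, not
product code. Assumptions (not on the page): union of user and group settings,
implicit Everyone membership, IP-only workstations map to the Default user."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

FULL = "*"   # stands for the manual's "Full access"


@dataclass
class Group:
    name: str
    settings: FrozenSet[str] = frozenset()       # resources the group may reach


@dataclass
class User:
    name: str
    settings: Optional[FrozenSet[str]] = None    # None = "no specific Internet access control"
    disabled: bool = False                       # the Internet access Disable option
    ignore_group: bool = False                   # the Ignore group settings option
    groups: Tuple[str, ...] = ()


@dataclass
class Directory:
    users: Dict[str, User]
    groups: Dict[str, Group]
    default_user: User     # applied when a user has no control of its own and inherits nothing
    everyone: Group        # implicit membership for every user (assumption)

    def effective_access(self, user: User) -> FrozenSet[str]:
        if user.disabled:                         # Disable wins over everything
            return frozenset()
        if user.ignore_group:                     # the user's own settings only
            return user.settings or frozenset()
        member_of = [self.groups[g] for g in user.groups] + [self.everyone]
        inherited = frozenset().union(*(g.settings for g in member_of))
        if user.settings is None and not inherited:   # nothing of its own, nothing inherited
            d = self.default_user
            return frozenset() if d.disabled else (d.settings or frozenset())
        return (user.settings or frozenset()) | inherited

    def workstation_access(self, identity: str) -> FrozenSet[str]:
        """identity is the iiLogin user name, or the bare IP address when the
        workstation never ran iiLogin (the logs then show the address too)."""
        user = self.users.get(identity, self.default_user)
        return self.effective_access(user)


def may_reach(access: FrozenSet[str], resource: str) -> bool:
    return FULL in access or resource in access


# Constructed directory reproducing the manual's note: Default user disabled,
# Everyone allowed, so only workstations that ran iiLogin get through.
LOCKED_DOWN = Directory(
    users={
        "jdoe": User("jdoe"),                                            # inherits Everyone
        "temp": User("temp", disabled=True),                             # explicitly disabled
        "pat": User("pat", settings=frozenset({"news.example.com"}),
                    ignore_group=True, groups=("staff",)),               # own settings only
    },
    groups={"staff": Group("staff", frozenset({"intranet.example.com"}))},
    default_user=User("Default", settings=frozenset(), disabled=True),
    everyone=Group("Everyone", frozenset({FULL})),
)
```

Running the effective access report from Table 11 is the product's way of checking the same thing; the resolver makes the order of precedence explicit: Disable, then Ignore group settings, then own plus inherited settings, then the Default user.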
36. ...Branch Access is a powerful system that enables you to customize settings and services specifically for your organization. Following are some suggestions for getting started:
• To use the Contivity unit in a virtual private network (VPN), refer to Chapter 2, IP security and VPN, on page 37.
• To establish and maintain control over the Internet sites your users and groups of users access (for example, to block access to Web sites, newsgroups and incoming ports), refer to Chapter 3, User access administration, on page 79.
• To log and view the Internet sites your users are accessing, refer to Chapter 4, Internet activity logging, on page 141.
• To configure alarms for system log (SYSLOG) and SNMP trap events, refer to Chapter 4, Internet activity logging, on page 141.
• To use the Contivity unit as a Web, DNS or SOCKS proxy server, refer to Chapter 5, Proxy services, on page 179.
• To adjust the default IP services or configure the IP services, refer to Chapter 6, Advanced IP configuration, on page 193.
• To speed up Internet response time even more by caching sites that are accessed on a regular basis, refer to Chapter 7, Web cache configuration, on page 237.

Chapter 2 IP security and VPN (page 37)

This chapter explains how to configure IP security (IPsec) to set up a virtual private network (VPN) between a Contivity Branch Access unit and a Contivity VPN Switch (CVS), or bet
37. • Change the cache level from Moderate to Aggressive. For details, refer to Increasing efficiency on page 243.
• Set how the Contivity unit responds to CGI, query and no-cache requests. For details, refer to Setting options for special Web requests on page 255.
• Restrict Web servers from setting cookies on client workstations. Doing so increases efficiency and also helps you protect your corporate online privacy. For details, refer to Managing cookies on page 259.
• To reduce employee recreation on company time, restrict access to certain Web sites. For details, refer to Managing Web site access on page 264.
• To keep the most frequently requested Web entries fresh, enable the active refresh option. For details, refer to Refreshing cache entries on page 270.

Increasing efficiency

Bandwidth is a measure of the capacity of a network connection or device to carry data, in this case your Internet connection. The amount of data that can be transmitted in a fixed amount of time depends on the bandwidth of your connection. The more efficiently you cache Web entries, the less bandwidth is required and the lighter the network load. The Contivity unit helps save bandwidth by caching frequently requested Web entries, thereby reducing traffic, decreasing the load on your Internet connection and improving response time for your users. For example, users accessing the Internet through a 56K modem connection
38. (Chapter 10, Contivity unit configuration, support and diagnostics)

2. Set any of the following options:
• Ping
  Number of pings: the number of pings you want the ping test to complete.
  Length of ping data: the size of the data sent.
  Timeout in seconds: the number of seconds allowed before the test fails.
• Trace
  Maximum hops: the maximum number of hops per trace.
  Lookup names: if selected, looks up and displays host names.
  Timeout in seconds: the number of seconds allowed before a hop is considered unreachable.
• Stress
  Repeat count: the number of times the stress test is performed.
  Block size: the size of the data packet sent or received, not including the headers.
  Send/Receive (echo): when selected, data is both sent and received.
  Send only (discard): when selected, data is sent only.
  Receive only (chargen): when selected, data is received only.
  Non-blocking: determines how the Winsock receives data.
3. Click OK.

Appendix A Troubleshooting and error messages (page 343)

This appendix describes some methods for troubleshooting the Contivity unit and describes error messages.

Viewing a Contivity unit's serial number

To view the serial number through the Contivity Branch Access Setup program:
1. Start the Setup program. For details, see Using Setup on page 193.
39. ...Configure. The Web Cache Configuration page opens. In the Web Cache Space Options area, enter the maximum size of an entry to cache, in kilobytes. Click Help for more information about each field on any page.

(Chapter 7, Web cache configuration, page 255)

Setting options for special Web requests

Special Web requests contain more than HTML-based Web content. These requests usually require user interaction or input and could contain private or personalized information. The Contivity unit has several options for maximizing Web content cacheability while minimizing the return of sensitive information. There are three types of special Web requests: CGI, query and no-cache requests. Statistics are available on the Web Cache Statistics page to help you decide whether to enable caching for these requests.

CGI requests

A CGI (Common Gateway Interface) program is an application that runs on the originating Web server and is designed to accept input from and return data to a user. An example of this type of request is one where you enter information in a form and receive other information in return. You can select whether to retrieve repeated CGI requests from the cache or from the originating Web server. If you select the cache, and two users use a CGI program to request the same information from the same Web server and the results are the same, the results are sent from the cache rather than the originating server. Enable this only for CGI programs whose output does not depend on who is asking; a response personalized for the first user would otherwise be handed to the second.
40. ...Configuring Contivity Branch Access as a branch office VPN tunnel on page 64.

Example: Configuring a branch office connection on the CVS

This procedure provides an example of configuring a branch office connection on the CVS for tunneling. For detailed information, refer to your product documentation.

To configure a branch office connection on the CVS:
1. In the CVS main window, choose Profiles > Networks.
2. Enter a network name and then click Create.
3. In the New Subnet area, do one of the following:
• If you are using split tunneling, specify the IP addresses and masks of all local subnets that will participate in the VPN.
• If you are using non-split tunneling, specify an IP address of 0.0.0.0 and a mask of 0.0.0.0.
For more information on split and non-split tunneling, refer to Managing local and remote IP addresses on page 41.

(Chapter 2, IP security and VPN, page 63)

4. Click Add to create the new network.
5. Click Close.
6. In the CVS main window, choose Profiles > Branch Office.
7. Select the user involved in the tunnel and then click Edit.
8. If you are using CVS version 4.0 or later, in the Connection Type list do one of the following:
• Select Peer to Peer for a main mode connection (static IP address).
• Select Responder for an aggressive mode connection (dynamic IP address).
9. If you are configuring a main mode (Peer to Peer) connection, in the Configuration
41. • Deny: denies the packet.
• L4switch: sends the packet to the Web (HTTP) proxy.
• NAT: sends the packet for address translation.

7. Select the Protocol to which you want to apply the rule. IP is the default. If you select TCP, the Established check box becomes available; select it to match TCP packets that belong to established connections. This is typically used to allow packets for sessions that workstations opened while preventing outside access to servers.

(Chapter 6, Advanced IP configuration, page 216)

8. In the Source area, enter the following information:
• Address: the IP address of the source. You can use any valid IP address or host name. If you do not specify a source, the default is any source address.
• Bits: the number of bits in the network portion of the source address. The default is 32, which matches a single host.
• Port: if you are specifying a range of ports, this is the beginning port number. It is meaningful only for TCP or UDP filter rules and specifies the port of the data packet.
• Ending Port: if you are specifying a range of ports, this is the ending port number in the range. It is meaningful only for TCP or UDP filter rules. The ending port must be greater than the beginning port.

9. In the Destination area, enter the following information:
• Address: the IP address of the destination. You can use any valid IP address or host name. The default is any destination
42. IP forwarding enables the Contivity unit to act as a router in some specialized applications. Use this feature with caution, to ensure that the Contivity unit firewall is maintained at all times. For example, if you have IP Forwarding enabled, you should have filters in place to protect your network from various attacks, including Smurf. To block Smurf, you must deny any packet addressed to the broadcast address of any inside network. Before you enable IP forwarding, check with your ISP to ensure that you have a LAN account that provides you with a range of IP addresses.

Note: The Enable IP Forwarding option is available only if you configured two interfaces for the unit.

Enabling IP forwarding for a Contivity unit

To enable IP forwarding:
1. Start Setup and, if prompted, select a unit to configure.
2. Choose Support > Other Settings. The Other Settings dialog box opens (Figure 91).

Figure 91 Other Settings dialog box (options shown: Enable IP forwarding; Enable Token Ring source routing; Disable Eth interface at: Disable time, Enable time; Notify DNS server of Eth interface address change: DNS address; OK, Cancel)

3. Select the Enable IP Forwarding check box. The software now allows IP forwarding for the Contivity unit.

(Chapter 6, Advanced IP configuration, page 201)

Enabling IP forwarding for two interfaces

To enable IP forwardi
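The filter-rule fields from the procedure on page 216 (protocol, source and destination address with network bits, port ranges, the TCP Established option, and the Deny, L4switch and NAT actions) and the Smurf check this section requires, put together in a small evaluator. This is an added example, not the Contivity unit's filter engine, and it assumes four things the manual does not state: a "permit" action alongside the three listed, first-match evaluation, a default of deny when nothing matches, and "established" meaning the ACK or RST flag is set. The inside network and the packets are constructed.

```python
"""Filter-rule evaluator with the fields listed in the Advanced IP configuration
chapter plus the Smurf rules the IP forwarding section requires. Added example,
not product code. Assumed: a 'permit' action, first-match order, default deny,
and 'established' = ACK or RST set."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass
class Rule:
    action: str                      # "deny", "L4switch", "NAT" (from the manual) or "permit" (assumed)
    protocol: str = "ip"             # "ip" matches any protocol; otherwise "tcp", "udp", "icmp"
    src: Optional[str] = None        # None = any source address (the manual's default)
    src_bits: int = 32               # network bits of src; 32 = a single host (the manual's default)
    sport: Optional[int] = None      # beginning port, TCP/UDP only
    sport_end: Optional[int] = None  # ending port; must be greater than the beginning port
    dst: Optional[str] = None
    dst_bits: int = 32
    dport: Optional[int] = None
    dport_end: Optional[int] = None
    established: bool = False        # TCP only: packets of already-established connections

    def __post_init__(self) -> None:
        if self.established and self.protocol != "tcp":
            raise ValueError("Established applies to TCP rules only")
        if self.protocol not in ("tcp", "udp") and (self.sport is not None or self.dport is not None):
            raise ValueError("ports are meaningful only for TCP or UDP rules")
        for lo, hi in ((self.sport, self.sport_end), (self.dport, self.dport_end)):
            if hi is not None and (lo is None or hi <= lo):
                raise ValueError("ending port must be greater than beginning port")


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    tcp_flags: FrozenSet[str] = frozenset()


def _addr_match(addr: str, rule_addr: Optional[str], bits: int) -> bool:
    return rule_addr is None or ip_address(addr) in ip_network(f"{rule_addr}/{bits}", strict=False)


def _port_match(port: int, lo: Optional[int], hi: Optional[int]) -> bool:
    return lo is None or lo <= port <= (hi if hi is not None else lo)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if not (_addr_match(pkt.src, rule.src, rule.src_bits) and _addr_match(pkt.dst, rule.dst, rule.dst_bits)):
        return False
    if rule.protocol in ("tcp", "udp") and not (_port_match(pkt.sport, rule.sport, rule.sport_end)
                                               and _port_match(pkt.dport, rule.dport, rule.dport_end)):
        return False
    if rule.established and not (pkt.tcp_flags & {"ACK", "RST"}):
        return False
    return True


def smurf_rules(inside_networks: List[str]) -> List[Rule]:
    """Deny any packet addressed to the broadcast address of an inside network
    (the check the manual requires before enabling IP forwarding), plus the
    limited broadcast address."""
    rules = [Rule("deny", dst=str(IPv4Network(n).broadcast_address)) for n in inside_networks]
    rules.append(Rule("deny", dst="255.255.255.255"))
    return rules


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """The first matching rule decides; nothing matching falls to the default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


INSIDE = ["192.168.1.0/24"]   # constructed inside network
POLICY = smurf_rules(INSIDE) + [
    Rule("permit", "tcp", established=True),                                # replies to sessions workstations opened
    Rule("L4switch", "tcp", src="192.168.1.0", src_bits=24, dport=80),      # inside Web traffic goes to the HTTP proxy
    Rule("NAT", "ip", src="192.168.1.0", src_bits=24),                      # anything else from inside is translated
]
```

The order matters: the Smurf denies sit first so that a broadcast-addressed packet with ACK set cannot slip through on the Established rule, and a new SYN from the Internet to an inside host matches nothing and takes the default.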
43. Manually size each window to suit your needs. Figure 75 shows a sample Monitor window with multiple Contivity units.

(Chapter 4, Internet activity logging, page 158)

Figure 75 Multiple Contivity units window (Monitor, menus File, View, Stats, Window, Help). The GS ISDN stats window shows: Server GS ISDN; IP Addr 192.0.4.1; Apps 0; Firmware 6.00; Speed 100000 Kb; Up 0 days 0 hrs 13 mins 56 secs; Show: Sends, Recvs, Both; Interface In Bytes 3,701,325, Out Bytes 1,058,463; Last call; Status. The GS ISDN diag window shows: Interface Trace; Server GS ISDN; IP Addr 192.0.4.1; Interface ISDN; NetMask 255.255.255.255; MTU size 1500; HW Addr; Output queue 0; Flags Demand, Default, MP; Encapsulation PPP; In/Out: Bytes 2,624 / 6,730, Discards 7 / 0, Errors 0 / 0. For Help, press F1.

(Chapter 4, Internet activity logging, page 159)

Automatic logging

The automatic logging (AutoLog) feature lets you save selected connection and user log files from the Contivity unit to a disk file at specified intervals. To use the automatic logging feature, enable it at a workstation on your LAN. The AutoLog program must remain running for the duration of the log: if you close the task on the workstation that initiated the autolog while it is running, automatic logging stops and the interval's records are not collected. AutoLog can run
44. ...Networks, Inc. Nortel Networks grants the end user of the Software ("Licensee") a personal, nonexclusive, nontransferable license (a) to use the Software either on a single computer or, if applicable, on a single authorized device identified by host ID for which it was originally acquired; (b) to copy the Software solely for backup purposes in support of authorized use of the Software; and (c) to use and copy the associated user manual solely in support of authorized use of the Software by Licensee. This license applies to the Software only and does not extend to Nortel Networks Agent software or other Nortel Networks software products. Nortel Networks Agent software or other Nortel Networks software products are licensed for use under the terms of the applicable Nortel Networks, Inc. Software License Agreement that accompanies such software and upon payment by the end user of the applicable license fees for such software.

2. Restrictions on use; reservation of rights. The Software and user manuals are protected under copyright laws. Nortel Networks and/or its licensors retain all title and ownership in both the Software and user manuals, including any revisions made by Nortel Networks or its licensors. The copyright notice must be reproduced and included with any copy of any portion of the Software or user manuals. Licensee may not modify, translate, decompile, disassemble, use for any competitive analysis, reverse engineer, distribute, or create der
45. (Figure: Users window, sample rows)
User      | Sent    | Received   | Time on     | Last accessed
RALLEN    | 168,942 | 1,449,532  | 00:00:00:52 | 04/26/1999 09:47:21
KRILEY    | 2,669   | 60,248     | 00:00:00:06 | 04/26/1999 09:38:51
GGALLEGOS | 512,969 | 3,504,036  | 00:00:05:33 | 04/26/1999 12:15:06
NSMITH    | 45,073  | 1,597,939  | 00:00:05:15 | 04/26/1999 11:35:04
GCONRAD   | 186,774 | 1,686,501  | 00:00:01:52 | 04/26/1999 12:11:20
RKERRY    | 270,241 | 2,183,730  | 00:00:02:25 | 04/26/1999 10:36:52
SBRAND    | 326,287 | 12,926,875 | 00:00:07:41 | 04/26/1999 11:16:02
PEVANS    | 107,256 | 2,656,640  | 00:00:02:23 | 04/26/1999 11:49:42
MVALDEZ   | 549,442 | 6,366,794  | 00:00:10:08 | 04/26/1999 12:15:15
LMEDINA   | 64,435  | 1,115,305  | 00:00:01:25 | 04/26/1999 10:55:26

Table 17 lists the information shown in the Users window.

Table 17 Users window statistics
Item | Description
User | User name
Sent | Amount of data the user sent
Received | Amount of data the user received
Time on | Amount of time the user has been logged in to the Contivity unit
Last accessed | Time the user last accessed the Contivity unit
Apps | Number of applications being used to access the Internet. Contivity Branch Access supports an unlimited number of IP workstation application instances.

Users toolbar buttons

When the Users window is active, the options in Table 18 are available on the toolbar.

(Chapter 4, Internet activity logging, page 149)

Table 18 Monitor main window toolbar buttons
Button | Description
Refresh | Refreshes the display to view up-to-the-minute user information, including t
46. ...Web entry and then does one of two things:
• If the entry is not already in the cache, the cache server retrieves the entry from the originating Web server, caches it, and then sends the entry to the user.
• If the entry is in the cache, the cache server evaluates the date and time of the entry and then does one of the following:
  If the entry in the cache is still fresh, the cache server sends the cached entry to the user.
  If the entry in the cache has expired, the cache server sends a conditional request to the originating Web server. If the data on the server has changed, it replaces the cached entry with the new entry from the originating Web server and then sends the new entry to the user.

How Web caching works with a user's local cache

As a downstream caching proxy server, the Contivity unit is located between a user's workstation on the network and the Internet. If you disable the local cache on a user's Web browser, the Contivity unit is the user's primary cache and all requests for Web content go directly to the cache server. If you enable the local cache, the cache server is a secondary cache: requests for Web content are directed first to the user's local cache and then to the Contivity unit.

Although using the Contivity unit as the only cache slightly increases traffic on your local network, doing so provides several advantages. This setup:
• Frees up hard disk space on each user's workstation by elim
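The decision sequence just described (miss, fresh hit, expired entry revalidated with a conditional request, changed entry replaced), together with the CGI, query and no-cache handling from Setting options for special Web requests, as one added example. It is not the Contivity unit's code: the originating Web server is a constructed in-memory stand-in, timestamps are plain integers, and freshness is modelled as a fixed time-to-live, which is an assumption about how the unit judges "the date and time of the entry".

```python
"""Caching-proxy decision logic as the Web cache chapter describes it. Added
example with a constructed origin server, not product code. Freshness is a
fixed TTL (assumption); the cgi/query/no-cache switches model the special
Web request options."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


class Origin:
    """Constructed stand-in for the originating Web server: url -> (body, last_modified)."""
    def __init__(self, pages: Dict[str, Tuple[bytes, int]]):
        self.pages = dict(pages)
        self.requests: List[Tuple[str, Optional[int]]] = []   # every request the cache made

    def get(self, url: str, if_modified_since: Optional[int] = None):
        body, last_modified = self.pages[url]
        self.requests.append((url, if_modified_since))
        if if_modified_since is not None and last_modified <= if_modified_since:
            return 304, None, last_modified       # unchanged: the conditional request says so
        return 200, body, last_modified


@dataclass
class Entry:
    body: bytes
    last_modified: int
    fetched_at: int

    def is_fresh(self, now: int, ttl: int) -> bool:
        return now - self.fetched_at < ttl


class CacheServer:
    def __init__(self, origin: Origin, ttl: int = 60, cache_cgi: bool = False,
                 cache_query: bool = False, honor_no_cache: bool = True):
        self.origin, self.ttl = origin, ttl
        self.cache_cgi, self.cache_query, self.honor_no_cache = cache_cgi, cache_query, honor_no_cache
        self.store: Dict[str, Entry] = {}

    @staticmethod
    def request_kind(url: str) -> str:
        """Classify a URL as the manual's 'cgi', 'query' or a plain request."""
        parts = urlsplit(url)
        if "/cgi-bin/" in parts.path or parts.path.endswith(".cgi"):
            return "cgi"
        if parts.query:
            return "query"
        return "plain"

    def get(self, url: str, now: int, client_no_cache: bool = False) -> Tuple[bytes, str]:
        """Returns (body, how), where how is 'cache', 'origin' or 'revalidated'."""
        kind = self.request_kind(url)
        cacheable = {"cgi": self.cache_cgi, "query": self.cache_query, "plain": True}[kind]
        if client_no_cache and self.honor_no_cache:
            cacheable = False                     # a no-cache request is never served from the cache
        entry = self.store.get(url) if cacheable else None
        if entry is None:                         # not in the cache: fetch, store, serve
            _, body, lm = self.origin.get(url)
            if cacheable:
                self.store[url] = Entry(body, lm, now)
            return body, "origin"
        if entry.is_fresh(now, self.ttl):         # still fresh: serve the cached entry
            return entry.body, "cache"
        status, body, lm = self.origin.get(url, if_modified_since=entry.last_modified)
        if status == 304:                         # expired but unchanged on the server
            entry.fetched_at = now
            return entry.body, "revalidated"
        self.store[url] = Entry(body, lm, now)    # changed: replace the entry, send the new one
        return body, "origin"
```

With `cache_cgi=True` the second user's request for the same CGI URL is answered from the cache without the origin ever seeing it, which is exactly the behaviour the special-requests section asks you to weigh against the risk of serving one user's personalized output to another.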
47. ...Web site. The cache settings page for the individual Web site opens. In the Site Specific Options area, select the Block access to this server check box. Click Help for more information about each field on any page.

Setting Web site activity display options

On the Web Sites page, you can view activity details for each Web site, including:
• Whether a Web site is serving cookies and whether clients are returning them
• Whether access to a site is restricted
• Whether the cache has been bypassed for a site
• The date and time of the most recent access to the Web site
• The number of times an entry has been requested from the Web site

(Chapter 7, Web cache configuration, page 267)

Configuring Web site display options

On the Default Web Site Options page, you can choose not to view the access activity details in the Web sites list. You can also specify the number of Web site records that are displayed on a single page of Web sites. The default is 10, the minimum is 1 and the maximum is 100. If more than the specified number of records is available, click Next or Prev to advance to the next or previous page of the Web sites list.

To set the Web site access activity detail option:
1. On the Home page, click Web Cache. The Web Cache page opens.
2. On the Web Cache page, click Web Sites. The Web Sites page opens.
3. Click Default Options. The Default Web Sites Options page opens.
4. In the Display Options area, do any of the following:
48. ...Windows will open it for you.

(Figure: Run dialog box with Open field, OK, Cancel and Browse buttons)

2. Enter d:\instinet\install.exe select, where d is the letter of the network drive or the CD-ROM drive.
3. Click OK. The update process begins. If you have only one unit, the update process completes and the name is updated. If you have more than one unit, the Instant Internet Units dialog box opens (Figure 129).

Figure 129 Instant Internet Units dialog box (columns Unit, Serial Number; example units MIT G2 and SYL G3, serial number 100000300; prompt: Select an Instant Internet unit for your Internet applications to use; OK)

4. Select the new Contivity unit name and then click OK.

(Chapter 9, IPX configuration and support, page 301)

Configuring IPX frame types

By default, Contivity Branch Access enables support for all IPX frame types. You can, however, enhance performance slightly by turning off frame types that you know are not used.

To select the frame types you want the Contivity unit to support:
1. Start Setup and, if prompted, select a unit to configure.
2. Choose Support > IPX Frame Type. The Select IPX Frame Types dialog box opens (Figure 130).

Figure 130 Select IPX Frame Types dialog box (Interface; frame type check boxes: Ethernet II, 802.3, 802.2, SNAP)

3. Do the following:
• Select the check boxes of the frame types you want the Contivity unit to use.
• Clear the check boxes of the frame types you do not want the unit to use.
4. Click OK.
49. Winsocks. All 16-bit Winsock applications use the winsock.dll file. When you start a 16-bit application, it searches for the DLL file in the following order:
    - Memory
    - Its own application directory
    - The windows\system directory
    - The search path
    - All mapped drives
    If another application has already loaded a winsock.dll file, the new application uses the loaded version; otherwise it looks in its application directory.

    32-bit Winsocks

    All 32-bit Winsock applications (those specifically designed for Windows 95, Windows 98, Windows Me, and Windows NT) use the wsock32.dll file. When you start a 32-bit application, it searches for the DLL file in the following order:
    - Its own application directory (it does not look in memory)
    - The windows\system directory
    - The search path
    - All mapped drives
    Not every application follows the rules listed above. Some 32-bit applications look only in the windows\system directory. Keep this in mind when you decide how to use multiple versions of Winsock.

    Note: The Contivity Branch Access 32-bit Winsock 2.0 is named ws2pt.dll.

    Winsock 1.1 and Winsock 2.0

    The Install program always installs the Winsock 2.0 client software on Windows 98, Windows Me, and Windows NT workstations. On a Windows 95 workstation, the Install program auto-detects which Winsock standard is installed on the workstation. If for some
50. You can enable address translation in the Setup utility. When enabled, address translation reflects the most logical form of NAT: if the interface is an internal LAN interface, input NAT is enabled; if the interface is used as the default route or is a WAN interface, output NAT is enabled.

    Note: You can override the NAT direction. If you set the NAT direction, the check box displayed by the Setup utility is dimmed, and you must change it in Advanced TCP/IP settings or through the command line interface. For more information, see Reference for the Contivity Branch Access Command Line Interface Version 7.20.

    Configuring NAT

    Address translation allows the Contivity unit to route traffic that has private or reserved IP addresses to and from the Internet. Contivity Branch Access can isolate your LAN from the Internet by performing address translation on routed packets, which enables it to translate workstation addresses into legal IP addresses. IP address translations are totally transparent to workstations on the LAN. Some of the benefits of using Contivity Branch Access as an address translator include:
    - Translating addresses transparently
    - Simplifying the administrator's task by allowing existing private addressing schemes to be used while still allowing Internet access
    - Acting as a firewall
    If the Contivity unit is currently running address translation and is logically
51. a non-Contivity client, or with CVS version 4.0 or later, branch office connections are supported in aggressive mode.
    - Static IP address: When your Contivity Branch Access unit receives a static IP address from your ISP, the tunnel uses main mode. If a unit that uses static IP addresses establishes a tunnel with a CVS, the CVS regards the Contivity Branch Access unit as a branch office. This type of tunneling is called branch-to-branch tunneling.

    VPN configuration guidelines

    Contivity Branch Access supports both the CVS branch-to-branch office mode and non-Contivity client modes. Following are some general guidelines to keep in mind before you begin configuring a VPN.

    Branch-to-branch mode: If you are using CVS software earlier than version 4.0, at least one public static IP address must be available both at the location of the CVS and at that of the Contivity Branch Access unit. A static IP address is not required for CVS software version 4.0 or later.

    Note: Only the CVS branch office routing type of static is supported. RIP mode works only between CVSs.

    Client mode:
    - Because all traffic must be translated to the static address assigned to the Contivity Branch Access unit, the static address must exist on the Contivity Branch Access unit. Often the static address is the same as the Contivity Branch Access unit's private LAN address. If the address is not
52. add. You can enter an unlimited number of SNMP hosts. In the Community box, enter the community string that identifies the Contivity unit as the source of the SNMP trap. The community string is a unique identifier for the Contivity unit; it does not have to match the community string of the SNMP host. The default string is public. Click OK. In the main Setup window, click Save and Exit.

    Example: Capturing SNMP traps

    In this example, an SNMP host is running on a workstation with an IP address of 198.168.1.15 and has the community string network. The Contivity unit has the community string ContivityUnit.

    To configure SNMP alarms for trap events:
    1. Start Setup and, if prompted, select a unit to configure.
    2. Choose Support > Alarms.
    3. In the Alarms dialog box (Figure 82 on page 175), in the SNMP Hosts area, click Add.
    4. In the Enter SNMP Host dialog box (Figure 83 on page 175), in the SNMP Host box, enter 198.168.1.15 (the IP address of the SNMP host), and then click OK.
    5. In the Alarms dialog box (Figure 82 on page 175), in the Community box, enter ContivityUnit.
    6. Click OK.
    7. In the main Setup window, click Save and Exit.
    After the unit restarts, verify that your SNMP host captured and displayed the Cold Start trap.
53. address.

    Note: Contivity Branch Access removes the IP options field from received packets, including the source routing option. This prevents the Contivity unit from forwarding source-routed packets under any circumstances, and it generally processes such packets as if they were addressed to the unit itself.

    - Bits: The number of bits in the network portion of the destination address. The default is 32.
    - Port: If you are specifying a range of ports, this is the beginning port number. This is meaningful only for TCP or UDP filter rules and specifies the port of the data packet.
    - Ending Port: If you are specifying a range of ports, this is the ending port number in the range. This is meaningful only for TCP or UDP filter rules. The ending port must be greater than the beginning port.
    10. Click OK. You return to the Filter Configuration dialog box (Figure 99 on page 214), and the filter you just configured appears in the list. If you define more than one filter, you can change the order in which the filters are executed by selecting a filter and using the arrows to the left of the list to move the filter up or down in the list.
    11. Click OK. The <interface> Filter Configuration dialog box opens (Figure 98).
    12. Apply the filter to the interface (see Applying a filter to an interface, next).

    Applying a filter to an interface

    After you create a filter, you can appl
54. and diagnostics  313
    Restarting a Contivity unit  313
    Identifying the login workstation  314
    Adding a Contivity unit to the selection list  315
    Understanding the name server list order  316
    Saving and restoring unit configurations  317
    Backing up a unit configuration to disk  317
    Restoring a unit configuration from disk  318
    Changing the unit configuration  319
    Changing registration information  322
    Changing a unit's password  323
    Changing a unit's time, date, or time zone  325
    Selecting additional support options  328
    Enabling diagnostic IP tools  329
    Defining the SNMP community string for get requests  331
    Testing the connection to the Internet  332
    Testing the connection to a host  333
    Testing the response time of a host
55. and later includes support for non-Contivity clients. Contivity Branch Access can send identification information when a connection is made using aggressive mode; therefore, the CVS allows the Contivity Branch Access unit to have a dynamic IP address. However, the CVS never initiates an aggressive mode connection; all such connections must be initiated from the opposite end of the tunnel.

    Configuring a VPN between a Contivity Branch Access unit and the CVS, when the Contivity Branch Access unit acts as a non-Contivity client, is a two-step process. You will:
    - Configure the non-Contivity client connection on the CVS (next).
    - Configure the Contivity Branch Access unit as an aggressive mode VPN tunnel (refer to Configuring Contivity Branch Access as a branch office VPN tunnel on page 64).

    Example: Configuring a non-Contivity client connection on the CVS

    This procedure provides an example of configuring a non-Contivity client connection on the CVS for tunneling. For detailed information, refer to your product documentation.

    To configure the non-Contivity client connection on the CVS:
    1. In the CVS main window, choose Profiles > Networks.
    2. Enter a network name, and then click Create.
    3. In the New Subnet area, do one of the following: If you are using split tunneling, specify the IP addresses and masks of a
56. and the second called backupii. To allow load balancing across multiple Contivity units, see the following example. The brackets define the set of units to which a user is randomly connected:
    unit instant1 salesii iibox2
    In the following example, the user connects randomly to iia or iib. If one fails, the unit tries the other; if both fail, it connects to iibackup:
    unit iia iib iibackup
    In the next example, the user connects randomly to iia or iib. If the connection to one of these units fails, the other is not tried; iibackup is tried instead:
    unit iia iib iibackup

    Configuring multiple default sets

    In a multiple-unit installation, you can create a default menu that prompts users to make choices. You do this by making multiple default entries in the install.cfg file. For example:
    - The available Contivity units are iibox1, iibox2, and backupii.
    - The select statement parameter builds a menu, displayed at the individual workstation installation, from which the user selects a workgroup.
    The Default section at the beginning of the install.cfg file must contain:
    DEFAULT select Sales Accounting Marketing IS Normal
    This entry creates the menu the user sees at the individual workstation installation. The workgroups are Sales, Accounting, Marketing, IS, and Normal. You can further configure the default installation for the various workgroups
57. Viewing diagnostic information  152
    Monitoring multiple Contivity units  157
    Automatic logging  159
    Configuring automatic logging  161
    Editing an automatic logging configuration  163
    Deleting a log from the automatic logging configuration  163
    Managing SYSLOG alarms  165
    SYSLOG message formats  165
    Event priorities and messages  166
    Configuring SYSLOG alarms  170
    Managing SNMP alarms  174
    SNMP message formats and trap events  174
    Configuring SNMP alarms for trap events  174
    Chapter 5 Proxy servers  179
    Understanding proxy servers
58. bosco
    Bring interface up: iictl cbaunit isdn up bosco
    Disable interface: iictl cbaunit isdn disable bosco
    Enable interface: iictl cbaunit isdn enable bosco
    View unit information (all units): iictl
    View unit information (specific unit): iictl cbaunit
    View specific interface (all units): iictl isdn
    View interface information (specific interface): iictl cbaunit isdn
    Write unit information to a file (specific unit): iictl cbaunit > isdninfo
    Write unit information to a file (all units): iictl > allunits

    Table 13 shows the Control commands available for each type of interface.

    Table 13: Interface commands available
    Interface type | Up  | Down | Enable | Disable
    Alias (1)      | -   | -    | -      | -
    Dial-up (2)    | yes | yes  | yes    | yes
    Dual analog    | yes | yes  | yes    | yes
    E1             | yes | yes  | -      | -
    Ethernet (1)   | -   | -    | -      | -
    IPsec          | -   | yes  | -      | -
    ISDN (3)       | yes | yes  | yes    | yes
    Serial         | yes | yes  | -      | -
    T1             | yes | yes  | -      | -
    1. You cannot use the Control program to control access for an Ethernet or alias interface.
    2. You can control access for each dial-up interface individually by specifying the interface name (dialup1, dialup2), or specify dialup to control access for both interfaces at the same time.
    3. You can control access for each ISDN interface individually by specifying the interface name (isdn b1, isdn b2), or specify isdn to control access for both interfaces at the same time.

    Example: Configuring a t
59. box: Enter SYSLOG Host.
    4. In the SYSLOG Host box, enter the IP address or host name of a SYSLOG host, and then click OK. You return to the Alarms dialog box (Figure 79).
    - To delete a SYSLOG host, select it in the list and then click Remove.
    - To change the name of a SYSLOG host, select it in the list and then click Configure.
    5. Repeat steps 3 and 4 for each SYSLOG host you want to add. You can enter an unlimited number of SYSLOG hosts.
    6. Enter the following information:
    - Facility: Select a name that identifies the Contivity unit as the originator of the SYSLOG message. The facility should not conflict with the facility of another message originator (for example, a print server).
    - Priority: Select the lowest priority level of messages to be logged. To log all messages, select the Debug priority.
    Note: You must configure the SYSLOG daemon to display at least the priority you select in Contivity Branch Access. For example, if you set the priority on the SYSLOG daemon to Critical and the priority in Contivity Branch Access to Debug, only Emergency, Alert, and Critical priority messages are logged by the daemon, even though Contivity Branch Access is sending SYSLOG messages of all priorities.
    7. Click OK.
    8. In the main Setup window, click Save and Exit.

    Example: Capturing SYSLOG messages

    In th
60. checksum (check box; OK, Cancel buttons).
    4. Configure any of the following:
    - Starting Channel: An E1 line has 32 channels (1 to 32). When you order a fractional E1 service, only part of the channels are available for data transmission. In some cases the Contivity unit may need to send data on a block of channels that does not start on channel 1, so you must change the starting channel.
    - Clock: If the network provides the clock for the E1 line, select External. If the Contivity unit provides the clock, select Internal. In almost all cases, the network provides the clock.
    - Auto loopback: Auto loopback is used for diagnostics and allows the network to force the Contivity unit into loopback. Leave this check box selected unless directed otherwise by a technical support representative.
    - CRC4 checksum: Allows you to enable or disable the CRC4 checksum bits.
    - Backup interface: An ISDN connection is available for use as a backup connection to the Internet should your E1 connection become unavailable.

    Configuring advanced communication settings for a PPPoE connection

    If you have a PPP over Ethernet (PPPoE) connection, you can configure dial-on-demand settings to establish a connection to the Internet as needed.

    To configure dial-on-demand settings:
    1. Start Setup and, if prompted, select a un
61. different location. When you establish a VPN between two Contivity Branch Access units, you can decide what types of connection you want to allow to the unit. This option provides another means of selecting the level of security necessary. You can specify whether to allow only incoming or only outgoing connections to establish a tunnel, or to allow both incoming and outgoing connections to establish a tunnel.

    Allowing only incoming connections

    When connecting with a remote site that has a dynamic IP address or is a third-party IPsec client, configure Contivity Branch Access to allow only incoming connections.

    To allow only incoming connections to establish a tunnel:
    1. Start Setup and, if prompted, select a unit to configure.
    2. In the main Setup dialog box, click Add. The Select Connection Type dialog box opens (Figure 6).

    Figure 6: Select Connection Type dialog box. Select the connection type: Dialup is for connections using the built-in modem; Network is for a connection to a LAN; Alias is for multiple IP addresses on the same interface; IPsec is for establishing an IPsec tunnel to another device. (Buttons: Network, Alias, IPsec.)

    3. Click IPsec. The Select Connection Device dialog box opens (Figure 7).

    Figure 7: Select Connection Device dialo
62. does not necessarily mean it has Web entries in the cache. All configured Web sites are maintained in the list of Web sites indefinitely. However, unconfigured Web sites can expire from the list through attrition.

    Note: When you bypass a site, Web entries from that site are not cached. However, the Web site remains in the list of Web sites because it is a configured Web site.

    Tracking active Web entries is especially useful if there is a problem with a particular site. For example, if cookies are turned off and the site requires cookies, you have a record of the request. The most efficient way to determine which site requires cookies is to sort the Web site list by most recent access and look for Web servers that are serving cookies and have a Web site name related to the problem site. Click the entry to view the cache settings page for the Web site, and then enable cookies for that site.

    Note: Be aware that often the site you cannot access is not the site that is serving cookies. Because there may be links to other sites for personalized information, the cookie could be coming from a seemingly unrelated site.

    To view the Web sites list:
    1. On the Home page, click Web Cache. The Web Cache page opens.
    2. On the Web Cache page, click Web Sites. The Web Sites page opens. Click Help for more information about each f
63.   243
    Fine-tuning cache settings  244
    Increasing response times  244
    Increasing bandwidth savings  244
    Deciding how long to run an experiment  245
    Selecting a cache level  245
    How cache levels are defined  246
    Expiration percent  246
    Minimum expiration time  247
    Special Web requests  248
    Error message  248
    Predefined cache levels (default values)  249
    Creating a custom cache level  250
    Interpreting statistics  251
    Using statistics to fine-tune cache settings  251
    Viewing why requests are not sent from the cache  252
    Limiting the size of a cached entity  254
    Setting options for special Web requests  255
    CGI requests  255
    Query requests  255
    No-cache requests  256
    Setting the action th
64. environment.

    Using Contivity as an IPX-to-IP gateway

    Contivity Branch Access supports IPX networks by serving as an IPX-to-IP gateway. In an IPX network you do not need to load TCP/IP on every workstation, because there is no IP traffic.

    Security considerations

    In dial-up mode, Contivity Branch Access fully satisfies the design requirements for secure PC LAN access to the Internet. Contivity Branch Access is not a firewall or a filter, but a point where the Internet stops. With the IPX configuration of the Contivity unit, you do not need to load TCP/IP anywhere on the LAN, not on any workstation nor on any server. All Internet packets stop at the unit: Internet users cannot see LAN resources, and hackers cannot get in.

    To achieve the same level of security using Contivity Branch Access with a router as with a dial-up connection, use the dual Ethernet option. Ensure that the router resides on a LAN segment that is separate from all other LAN servers and resources. This configuration completely isolates IP traffic from the local LAN and provides the same hardware firewall as a Contivity unit with a dial-up connection.

    Note: Contivity Branch Access cannot prevent individual LAN users from transferring sensitive information over the Internet via e-mail or fax.

    Performance considerations

    The Internet is
65. for VPN tunneling in Contivity Branch Access.
    DHCP: Dynamic Host Configuration Protocol. DHCP is an industry standard intended to ease the burden of configuring TCP/IP computers by providing a mechanism for allocating network addresses.
    dial-up connection: A temporary (as opposed to dedicated) connection between computers, established over an analog or digital phone line.
    DIP: Dual In-line Pins.
    Directory Service: A network service that maintains user account information such as user information, security access rights, and group membership. Examples of directory services include NetWare NDS and NT Domain Users and Groups.
    Discard: A service used for troubleshooting that discards any message or packet sent to it.
    DLL: Dynamic Link Library.
    DMZ: Demilitarized Zone. A less secure, publicly accessible network segment that sits between the Internet and your internal network.
    DNS: Domain Name Server or Domain Name Service. An addressing system that incorporates the domain name into the IP address.
    domain name: Used to organize Internet names into manageable groups, such as nortelnetworks.com or instant.net.
    DOVBS: Data over Voice. A technology used to transmit data and voice simultaneously over twisted-pair copper wiring.
    DSL: digital subscriber lines. A type of high-speed communications technology that supports connections from a telephone switching station to a home or office
66. gif that has a last-modified date and time of 365 days ago, at noon on 7/4/1999. With the Aggressive non-text expiration set to 200, the bard.gif file will expire 730 days into the future, at noon on 7/4/2002. In this case the cached entry is sent to the user.

    Minimum expiration time

    The minimum expiration time, entered in minutes, specifies how the Contivity unit extends the freshness time of a text or non-text entry after it is downloaded and cached. You can set a minimum time extension so that, regardless of the result of the expiration percent calculation, the Contivity unit uses the following formula: minimum expiration time = minimum number of minutes after an entry expires before it is checked against the originating Web server. Set this value lower if users consistently request information that changes often (for example, stock quotes). Set it higher if users request information that does not change often (for example, Shakespeare's sonnets). If the calculated time is less than the minimum value, the minimum value is used (Example one on page 247). If the calculated time is more than the minimum value, the calculated time is used (Example two on page 247).

    Example one

    You request a Web page of stock quotes called quotes.html at noon on 7/4/2000. The page contains a picture of the most requested stock of the
67. > View Effective User Access. The Effective Settings of User dialog box opens (Figure 36).

    Figure 36: Effective Settings of User dialog box (Effective Settings of User: Sally)

    You can view User Access (the time and days a user may access the Internet), Internet Access (the IP addresses and ports to which a user has access), News Groups (the news groups to which a user has access), and Incoming Ports (the incoming ports that users may access). You can view, but not edit, this information with this feature. For instructions on editing these configuration settings, refer to Configuring Internet access on page 102, Defining controlled Internet access on page 104, Managing news group access on page 114, and Managing incoming port access on page 120.

    Defining user and group access

    When you assign Internet access to users or groups of users, use these guidelines:
    - To simplify administration, set the Internet access control for groups rather than for individual users whenever possible.
    - After you set group access to a set of Internet resources, access for every user in the group changes simultaneously when Internet access changes for the group. A user can belong to several groups, each with different Internet access settings. When this happens, Contivity Branch Access assigns the user the most restrictiv
68. hour, called hotstock.gif, that has a last-modified date and time of five minutes ago, at 11:55 AM on 7/4/2000. With the Aggressive non-text expiration set to 200, the hotstock.gif file should expire at 12:05 PM, but because the Aggressive non-text minimum expiration time is set to 60 minutes, the calculated time (10 minutes) is less than the minimum value (60 minutes), so the minimum value is used and the hotstock.gif file will expire at 1:00 PM. In this case the cached entry is sent to the user.

    Example two

    You request a Web page of stock quotes at noon on 7/4/2000. The Web page calls a list of the previous day's top eight most requested stocks, called 8stocks.html, that has a last-modified date and time of seven hours ago, at 5:00 AM on 7/4/2000. With the Aggressive text minimum expiration time set to 30 minutes, the 8stocks.html page should expire at 5:30 AM. Because the Aggressive text expiration is set to 200, the calculated time (14 hours) is more than the minimum value (30 minutes), so the calculated value is used and the 8stocks.html file will expire 14 hours into the future, at 6:00 PM. In this case the cached entry is sent to the user.

    Special Web requests

    Special Web requests include CGI requests, query requests, and no-cache requests. For details, refer to Setting options for special Web requests on page 255.

    Error message

    You can select whether a user receives an error message or receives a cached entr
69. of <Everyone> (Allow; columns: Type, IP Address, Port, Host Name; rows: All / All; 192.0.4.1 www.dontlookhere.com; 192.0.45.23 www.weatherisus.com; 192.0.58.96 www.noxratedsites.com; buttons: Add, Delete, Change, Cancel, Clear, Lookup).
    4. Configure Incoming Ports to allow access to all ports and Both (TCP and UDP). Refer to Managing incoming port access on page 120 for more information.
    After you have completed these steps, all users follow the Everyone Group access settings.

    Note: If a user's individual access settings are more restrictive than the Everyone Group settings, Contivity Branch Access uses the more restrictive access settings.

    Allowing access to a few sites

    Some major Web sites, such as www.microsoft.com and www.cnn.com, have more than one IP address. For very large sites, you must allow access to all IP addresses for the site.

    To allow a few sites for everyone in a group:
    1. Set the Everyone Group's access to Controlled access. Refer to Configuring Internet access on page 102 for more information.
    2. Configure Internet Access for the Everyone Group by allowing access to www.nortelnetworks.com. Refer to Defining controlled Internet access on page 104 for more information.
    3. Repeat step 2 to allow access to the site www.cnn.com. You should now see a list of site
70. of this Agreement shall remain in full force and effect. This Agreement will be governed by the laws of the state of California. Should you have any questions concerning this Agreement, contact Nortel Networks Inc., 2375 N. Glenville Dr., Richardson, TX 75082.

    LICENSEE ACKNOWLEDGES THAT LICENSEE HAS READ THIS AGREEMENT, UNDERSTANDS IT, AND AGREES TO BE BOUND BY ITS TERMS AND CONDITIONS. LICENSEE FURTHER AGREES THAT THIS AGREEMENT IS THE ENTIRE AND EXCLUSIVE AGREEMENT BETWEEN NORTEL NETWORKS AND LICENSEE, WHICH SUPERSEDES ALL PRIOR ORAL AND WRITTEN AGREEMENTS AND COMMUNICATIONS BETWEEN THE PARTIES PERTAINING TO THE SUBJECT MATTER OF THIS AGREEMENT. NO DIFFERENT OR ADDITIONAL TERMS WILL BE ENFORCEABLE AGAINST NORTEL NETWORKS UNLESS NORTEL NETWORKS GIVES ITS EXPRESS WRITTEN CONSENT, INCLUDING AN EXPRESS WAIVER OF THE TERMS OF THIS AGREEMENT.

    Contents
    Preface  25
    Text conventions  26
    Related publications  27
    Chapter 1 Introduction  31
    Flexible Business Solution  31
    High-performance throughput
71. option is enabled.

    Managing domain users and groups

    In the Admin window, Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, and domain users are displayed as dark blue figure icons, and groups are displayed as dark blue folders. In the Windows 95, Windows 98, Windows Me, Windows NT, and Windows 2000 domain environments, Contivity Branch Access uses the Windows domain user and group names. To change group membership, modify users, and so forth, you must use the Windows administration utilities. For more information on managing users and groups, refer to Managing users and groups on page 94.

    Viewing Users and Groups

    To view Windows 95, Windows 98, Windows Me, Windows NT, or Windows 2000 users and groups:
    > Choose View > View NT Users and Groups.

    Managing NetWare NDS users and groups

    Contivity displays NDS users as red figure icons and groups as red folders in the Admin window. In the Novell environment, Contivity Branch Access uses the NDS user names and groups. To change group membership, modify users, and so forth, you must use the NDS administration utilities (refer to the Admin online Help for more information). For more information on managing users and groups, refer to Managing users and groups on page 94.

    Note: In a Novell environment, if a user is logged in to the NetWare Dir
72. originating Web server. To determine whether you may need to enable CGI requests, look at the statistic for CGI request in the Why requests are not served from the cache area. If this number is high (over 10), you should enable the option to retrieve CGI requests from the cache. This option is enabled by default for the Moderate and Aggressive cache levels.

    Query requests

    You can select whether to retrieve the same query requests (for example, to a search engine) from the cache or from the originating Web server. For example, if you select to retrieve the same query requests from the cache, and two users perform a search for Shakespeare's sonnets using the same search engine and the results are the same, the results are sent from the cache rather than from the originating Web server.

    To determine whether you need to enable query requests, look at the statistic for Query request in the Why requests are not served from the cache area. If this number is high (over 10), you should enable the option to retrieve query requests from the cache. This option is enabled by default for the Moderate and Aggressive cache levels.

    Note: CGI and query requests are used to generate an answer based on the input passed within the URL. The Contivity unit searches the URL for an indication that the request may contain a C
73. problem Web site. For details, refer to "Managing cookies for a particular Web site" on page 262.
Problem: The cache server is incompatible with the originating Web server.
Solution: Bypass the cache for the problem Web site. For details, refer to "Bypassing the cache for a Web site" on page 267.

I logged on to a Web site but am prompted to log on again.
Problem: The Web site requires cookies, and cookies are blocked.
Solution: Enable cookies for the problem Web site. For details, refer to "Managing cookies for a particular Web site" on page 262.
Problem: The cache server is incompatible with the originating Web server.
Solution: Bypass the cache for the problem Web site. For details, refer to "Bypassing the cache for a Web site" on page 267.

I added an item to my online shopping cart, but it's still empty.
Problem: The Web site requires cookies, and cookies are blocked.
Solution: Enable cookies for the problem Web site. For details, refer to "Managing cookies for a particular Web site" on page 262.
Problem: The cache server is incompatible with the originating Web server.
Solution: Bypass the cache for the problem Web site. For details, refer to "Bypassing the cache for a Web site" on page 267.

Chapter
74. reason this does not happen during installation, you can force the Install program to install the Winsock 2.0-compliant Winsocks with the install.exe /ws2 switch. When you install Contivity Branch Access, you must close all applications, including virus protection programs, that may be using the Winsock.

Using multiple versions of Winsock
You have two options for resolving a Winsock conflict. You can install TCP/IP (refer to Installing the Contivity Branch Access Management Software Version 7.20), or you can use multiple versions of Winsock.

Using multiple 16-bit Winsocks
Using multiple versions of Winsock in a 16-bit environment can be frustrating because an application looks for the Winsock in memory first, which requires the user to close each application before opening another. If you decide to use a 16-bit Winsock, do the following:
1. Place the appropriate winsock.dll in each application directory. For example, for Netscape, place the winsock.dll that has a Contivity Branch Access version number as the time stamp in the same directory as the netscape.exe file, and leave your other winsock.dll in the Windows directory (or wherever it previously resided).
2. Close each application before you open another.

Using multiple 32-bit Winsocks
Using multiple versions of Winsock in a 32-bit environment allows you to have more
75. ring.
frame relay: A high-speed packet-switching WAN protocol designed to provide efficient, high-speed frame or packet transmission with minimum delay. Frame relay uses minimal error detection and relies on higher-level protocols for error control.
FTP (File Transfer Protocol): Protocol that allows a user on one host to access and transfer files to and from another host over a network. On the Internet, a tool for accessing linked files.
GMT: Greenwich Mean Time.
HDB3 (High Density Bipolar 3): A signal encoding scheme in which a 1 is represented alternately as positive and negative voltage, but a maximum of 3 consecutive 0s can occur.
host name: A readable name that uniquely identifies a device on the Internet and is associated with a corresponding IP address. If the IP address is dynamically assigned by the ISP, the host name can also be dynamically assigned based on the actual port accessed each time you make a connection.
host name access control: The host name access control is used to restrict users from contacting specified hosts by host name. Wildcards may be used to restrict access to hosts matching general patterns.
HTTP (HyperText Transfer Protocol): A client/server protocol for linking text files to one another in order to share information on the Internet and the World Wide Web (WWW).
HTTP proxy or Web proxy: Acts as a go-between between the requester of pag
76. sourced from independent clocks with different frequencies and phase relationships. Start and stop bits may be added to coordinate character transfer.
AUI (Attachment or Attached Unit Interface): A connector on the network adapter used to connect cables to fiber optic, coaxial, or 10BASE-T transceivers.
authentication: The process of identifying an individual (usually by username and password) or system by an authentication algorithm. When you configure IPsec for a VPN, you can choose from MD5, SHA, and null.
B8ZS: Bipolar with 8 Zero Substitution.
baud: The signaling rate of a line; the number of voltage or frequency transitions per second.
Bindery: In Novell NetWare products, this is a database that contains information about all the users, workstations, servers, and other objects recognized by the server. Contivity Branch Access adopts the information about the users.
BNC connector: A small coaxial connector with a half-twist locking shell.
BootP (bootstrap protocol): A protocol that allows a diskless workstation to boot and obtain necessary information, such as an IP address.
CAS: Channel Associated Signaling.
CCS: Common Channel Signaling.
CGI: Common Gateway Interface.
CHAP (Challenge Handshake Authentication Protocol): A method of establishing security on PPP links where the peers must sha
77. string defined in the SNMP host does not match the unit's community string, Contivity Branch Access sends an SNMP trap. For more information about SNMP traps, refer to "Managing SNMP alarms" on page 174.
Authorized SNMP management systems requesting an SNMP get receive the standard Management Information Base II (MIB-II) variables:
• system
• interfaces
• at
• ip
• icmp
• tcp
• udp
• transmission (frame relay, T1/E1, VPN tunnel)
• snmp

To set the community string for get requests:
1. In the Services dialog box (Figure 147 on page 330), select the SNMP check box, and then click Configure. The SNMP Configuration dialog box opens (Figure 148).
Figure 148 SNMP Configuration dialog box
2. In the Community box, enter the community string. This string must match the community string of the SNMP host. The default string is public.
3. Click OK until you return to the Setup main window.
4. Click Save and Exit.

Testing connections
If you are having trouble accessing the Internet or a particular host, you can use several diagnostic tools to test these connections.

Testing the connection to the Internet
You can run a test sequence to verify that the Contivity unit can connect to the Internet. The connection test calls each of the domain name server
78. than one loaded into memory at a time. If you want to use the Microsoft wsock32.dll file for some applications and the Contivity Branch Access file for others, then you need to make sure that the appropriate wsock32.dll file is in the appropriate application directory. If you have many applications that use the Microsoft wsock32.dll file and only a few that use the Contivity Branch Access file, you should leave the Microsoft file in the windows\system directory and relocate the Contivity Branch Access wsock32.dll file. If the opposite is true, then leave the Contivity Branch Access file in the windows\system directory and move the Microsoft file.
Note: Some proprietary applications look in the windows\system directory first rather than in their own application directory.

Winsock files installed
The following sections describe the Winsock files that are installed for Contivity Branch Access.

Windows 3.x
The following files are copied on a Windows 3.x workstation (16-bit only):
c:\windows\winsock.ini
c:\windows\winsock.dll (renames existing file and replaces)
c:\windows\ptnetwrk.dll

Windows 95, Windows 98, and Windows Me
The following files are copied on a Windows 95, Windows Me, or Windows 98 workstation for Winsock 1.1 (16-bit and 32-bit):
c:\windows\winsock.ini
c:\windows\winsock.dll (renames existing file and replaces)
c:\windows\ptnetwrk.dll
c:\windows\ptnetwrk
79. Resolving Winsock conflicts
When you install the IPX version of the Contivity Branch Access workstation software, some of the Winsocks on the workstation are replaced with the Contivity Branch Access version. These Winsocks enable Contivity Branch Access to use the IPX protocol for Internet access. During installation, you have the opportunity to rename any existing Winsocks. The Contivity Branch Access IPX workstation software supports most Winsock 1.1 or Winsock 2.0 compliant applications.
There are three ways to reconcile Winsock compatibility issues. You can:
• Migrate the workstation operating system to the Winsock 2.0 standard.
• Use multiple versions of Winsock, which is discussed in the following sections. To use this effectively, it is important to understand how Winsocks work and some limitations of using multiple Winsocks.
• Install TCP/IP on the workstations that are having Winsock conflicts (refer to Installing the Contivity Branch Access Management Software Version 7.20) and configure them to use the Contivity unit as an IP-to-IP gateway. As an IPX client, the client applications share the Contivity Branch Access TCP/IP stack, whereas when a workstation has its own TCP/IP stack, all applications use the standard TCP/IP protocol and Microsoft Winsocks for access, and most compatibility concerns can be avoided.
16-bit
80. When the ping test completes, the percentage of lost packets and the average number of milliseconds per trial are displayed at the bottom of the statistics area of the window (Figure 150).
Figure 150 Ping test
[Figure: Tools window showing a ping test of host www.nortelnetworks.com with ten replies between 69 ms and 75 ms; Lost packets 0.00; An average of 71 milliseconds per ping.]

Tracing the route to a host
You can use the trace tool to find the route used to get to a specific host. This troubleshooting tool allows you to view all sites in the route for a specific trace to pinpoint any problems in data communication. The trace tool shows the path taken to get to a specified host. For instance, if you perform a trace on the host name www.baynetworks.com, you will see a list of the locations (hops) used to get to www.baynetworks.com.
Using the trace tool, you can:
• View the number of hops needed to reach a particular host.
• Find the last reached hop before the desired
81. the blocked site may still be in the local cache and may be displayed. Eventually, the Web entries in the local cache will expire. For more information on a user's local cache, refer to "How Web caching works with a user's local cache" on page 239.

Blocking access to all unconfigured Web sites
When you block access to all unconfigured Web sites, you restrict access to all new and previously unconfigured Web sites accessed through the Contivity unit.
To block access to all unconfigured Web sites:
1. On the Home page, click Web Cache. The Web Cache page opens.
2. On the Web Cache page, click Web Sites. The Web Sites page opens.
3. Click Default Options. The Default Web Site Options page opens.
4. In the Options For All Unconfigured Web Sites area, select the Block access to server check box.
Click Help for more information about each field on any page.

Blocking access to a particular Web site
To block access to a particular Web site, it must be in the list of Web sites. If the Web site to which you want to block access is not in the list, you must first browse to that Web site.
To block access to a particular Web site:
1. On the Home page, click Web Cache. The Web Cache page opens.
2. On the Web Cache page, click Web Sites. The Web Sites page opens.
3. Click the IP address or host name for the individual
82. the connection. When you need access again, Contivity Branch Access automatically reestablishes a connection within a few seconds.
To configure the inactivity timeout for a dial-up connection:
> In the Inactivity timeout box, enter the new setting, and then click OK.

Configuring the modem speaker
To configure the modem speaker:
1. Click Advanced. The Dialup Configuration advanced dialog box opens (Figure 121).
Figure 121 Dialup Configuration advanced dialog box
2. Set the Modem Speaker to On or Off.
3. Set the Speaker Volume.
4. Click OK.

Configuring a modem script
If your ISP uses special logging conventions, you might need to enter a modem script. For example, a modem script that specifies a connection protocol may look similar to the following:
    dial
    wait 30000 ogin
    send $u\r
    wait 20000 assword
    send $p\r
    wait 3000 rotocol
    send PPP\r
    wait 150
To configure a modem script:
1. Click Advanced. The Dialup Configuration advanced dialog box opens (Figure 121 on page 287).
2. Select the Use script commands check box.
3. Enter the script commands.
4. Click OK.

Configuring dual analog modem settings
There are two additional advanced settings you
83. unit is iibox2. The second default is iibox1. The third default is backupii. The administrative utilities are not installed, and you are not prompted to install them.

Example: Marketing
In this example, this set of defaults is called Marketing:
    MARKETING
    description Marketing
    type private
    directory c:\instinet
    unit iibox1 iibox2 backupii
    choice
    admin
The software installs to a private directory, c:\instinet, but you are not prompted to supply the directory name (refer to Installing the Contivity Branch Access Management Software Version 7.20). The user is connected randomly to either iibox1, iibox2, or backupii (page 308). The administrative utilities are not installed, and you are not prompted to install them.

Example: IS
In this example, this set of defaults is called IS:
    IS
    description IS
    type network
    directory f:\instinet
    unit iibox1 iibox2 backupii
    choice
    admin
The software installs to a network directory, and you are prompted with f:\instinet as the default location of the software on the network. The first default unit is iibox1. The second default is iibox2. The third default is backupii. The administrative utilities are installed.

Example: Normal
In this example, this set of defaults is called Normal:
    NOR
84. use. This should be the IP address of the Contivity unit.
To exclude any addresses in the range you specified above:
a. In the Excluded Addresses section, click Add. The Enter Excluded Addresses dialog box opens (Figure 107).
Figure 107 Enter Excluded Addresses dialog box
[Figure: dialog prompting "Enter a start and end IP address to specify a range of IP addresses to be excluded from the scope."]
This feature allows you to have more control over how IP addresses are assigned to users and groups.
b. Specify the following:
• Start Address: The first address of the range of addresses you want to exclude.
• End Address: The last address of the range of addresses you want to exclude.
Note: Be sure to exclude the IP address of the Contivity unit.
c. Click OK. You return to the Scope Configuration dialog box (Figure 106 on page 225).
Click OK.
In the DHCP Configuration dialog box (Figure 105), in the DNS Servers area, click Add. The Enter Server Address dialog box opens (Figure 108).
Figure 108 Enter Server Address dialog box
[Figure: dialog prompting "Enter the numeric IP address of the server."]
Specify the DNS servers for the workstations to use. You should enter the IP
85. user, Contivity Branch Access uses the Default user as a template. The new user has all the settings and attributes of the Default user. You can then change the settings for the new user to be whatever you would like them to be. You can also change the settings of the Default user to the settings that you want all new users to have.
To restore the Default user:
1. On the toolbar, click Users.
2. Choose Users > Create the Default User. A new user icon labeled <default> is added to the List of Users (Figure 25).
Figure 25 Default User icon

Restoring the Everyone group
When you first set up the Contivity unit, the Everyone group is automatically set up for you. All users automatically belong to the Everyone group. You can then create new groups and move users into those groups so that you can administer a group of people with little effort, and you can assign different access rights to different groups. The Everyone group is helpful if you need to assign the same user access to everyone on your network.
Note: It is possible to delete the Everyone group. However, if you delete it and choose to restore it, the restored group does not have the same properties as the original.
To restore the Everyone group:
1. On the toolbar, click Groups.
2. From the menu bar, choose Groups > Create the Everyone Group. A ne
86. vxd
c:\windows\system\wsock32.dll (renames existing file and replaces)
c:\windows\system\ptnet32.dll

Windows 95
The following files are copied on a Windows 95 workstation for Winsock 2.0 when you use the install.exe /ws2 installation switch (16-bit and 32-bit):
c:\windows\winsock.ini
c:\windows\winsock.dll (renames existing file and replaces)
c:\windows\ptnetwrk.dll
c:\windows\ptnetwrk.vxd
c:\windows\system\ws2pt.dll
c:\windows\system\ptnet32.dll

Windows NT 4.0
The following files are copied on a Windows NT 4.0 workstation (16-bit and 32-bit):
\winnt\winsock.ini
\winnt\system32\drivers\pti.sys
\winnt\system32\oemnxpii.inf
\winnt\system32\ptnetwrk.dll
\winnt\system32\ptnet32.dll
\winnt\system32\ws2pt.dll
\winnt\system32\winsock.dll (renames existing file and replaces)

Resolving Winsock conflicts during installation
When you install a local or network copy of the Contivity Branch Access management software, certain computer-specific files, such as .dll and .ini files, are copied transparently to the appropriate directories. If Contivity Branch Access finds other winsock.dll or wsock32.dll files during installation, one of the following messages is displayed:
Found winsock.dll in <drive:directory>
Found wsock32.dll in <drive:directory>
87. 2. Choose Help > About II Setup. The About Contivity Setup dialog box opens, and the serial number is displayed in the Serial Number box (Figure 154).
Figure 154 About Instant Internet Setup dialog box (Serial Number box)
[Figure: About Instant Internet Setup dialog showing Instant Internet Setup 7.20, Copyright 1995-2001 Nortel Networks Corporation, and the Serial Number, System Memory, Applications, Expires, and Firmware Version 7.20 fields.]

Viewing system logs and entries
Log settings and entries are typically used by technical support representatives for troubleshooting. You can view the Contivity unit's log, users, and update history using the Setup program or a Web browser. You can also change a unit's system TCP/IP settings, port mappings, and support hosts. For details, refer to "Changing a unit's system files" on page 194.

Viewing system files in Setup
Viewing unit log information
The unit log details a unit's activity since it was last restarted.
To view the unit log:
1. Choose View > Unit Log.
2. Review the file as needed. To print the file, choose File > Print.
3. To close the file, choose File > Close.

Viewing a unit's users
A list of users currently connected to a specific unit is available for viewing purposes only.
To view the list of users, c
88. [Figure: trace results file listing PPPoE send/receive PPP IP packet lines (length, id, ttl, protocol, checksum, source > destination); truncated.]
7. To close the trace results file, choose File > Exit.

Monitoring multiple Contivity units
Monitor enables you to view multiple units by selecting the units to view and then specifying Tile or Cascade. Cascading the view places one Contivity unit view in front of the other (stacks them on the screen). Tiling the view shows multiple unit views side by side and above and below one another on the screen.
To monitor multiple Contivity units simultaneously:
1. In Monitor, click the appropriate toolbar button.
2. From the list, select the Contivity unit to monitor, and then click OK. The monitoring window for the selected unit opens.
3. Repeat steps 1 and 2 for each unit you want to monitor.
4. To arrange the windows, do one of the following:
• Choose Window > Tile
• Choose Window > Cascade
5.
89. Figures
Figure 1 Connecting the Contivity unit in a network 32
Figure 2 IPsec Configuration dialog box 40
Figure 3 Enter IP Address dialog box 42
Figure 4 Ping dialog box 45
Figure 5 Ping Configuration dialog box 46
Figure 6 Select Connection Type dialog box 48
Figure 7 Select Connection Device dialog box 48
Figure 8 Select Type of Connections dialog box 49
Figure 9 IPsec Configuration dialog box 49
Figure 10 IPsec Configuration dialog box 51
Figure 11 Monitor Connection dialog box
Figure 12 Enter Monitor Control Connection Information dialog box 52
Figure 13 IPsec Configuration dialog box 54
Figure 14 Monitor Connection dialog box 55
Figure 15 Enter Monitor Control Connection Information dialog box 55
Figure 16 Select Connection Type dialog box 64
Figure 17 Select Connection Device dialog box 65
Figure 18 Select Type of Connection dialog b
90. 8 Advanced communications configuration
This chapter describes how to configure advanced communication settings for a dial-up, ISDN, T1/E1, or PPPoE connection. The T1/E1, V.35, and X.21 interfaces allow you to configure a backup ISDN connection to the Internet in case your primary connection fails.

Configuring advanced communication settings for an ISDN connection
If you have an ISDN interface on the Contivity unit, you can configure a backup connection phone number, ISP connection settings, bandwidth-on-demand settings, inbound voice and outbound priority, and the inactivity timeout. You configure these settings through the ISDN Configuration dialog box.
To open the ISDN Configuration dialog box:
1. Start Setup and, if prompted, select a unit to configure.
2. In the Interfaces area, select the ISDN interface, and then click Configure. The ISDN Configuration dialog box opens (Figure 117).
Figure 117 ISDN Configuration dialog box
[Figure: ISDN Configuration dialog box with Phone, Backups, Switch type, Speed, Voice, "Do not disable second channel on PPP negotiation failure", "Obtain an IP address from ISP", "Specify an IP address", Address translation, Inactivity timeout (mins, secs), and Advanced controls.]
3. If you have an ISDN connection and your interface is disabled because yo
91. [Sample SYSLOG entries, truncated: Telnet login and DHCPD Renew events recorded for 222.68.1.18.]

Event priorities and messages
The SYSLOG records all significant system events. These events are available to the SYSLOG daemon according to priority. When you select a priority in Contivity Branch Access, all priorities higher than the selected priority are also logged. For example, the Critical priority also logs Alert and Emergency priorities. Table 25 describes the SYSLOG priority levels.

Table 25 SYSLOG priority levels
Priority      SYSLOG Code   Meaning
Emergency     Emerg         System is unusable. Take action immediately.
Alert         Alert         System may become unusable. Take action immediately.
Critical      Crit          System is in critical condition. Take action immediately.
Error         Err           System produced an error condition. Take action as soon as possible.
Warning       Warn          System produced a warning condition. Take action as soon as possible.
Notice        Notice        System produced a normal but significant condition. Not an error condition, but take action as soon as possible.
Information   Info          Information only. No action required.
Debug         Debug         Debug message used only when debugging the software. No action required.
92. Figure 67 shows the Control help screen.
Figure 67 Control help screen
    IICTL                                     Get this help screen
    IICTL name interface operation password   Perform the operation on the specified unit
      name        Name of the Contivity Branch Access unit
      interface   Name of the interface
      operation   up        Bring up the interface
                  down      Take down the interface
                  enable    Administratively enable the interface
                  disable   Administratively disable the interface
    IICTL interface                           Show information on the interface for a unit or all units
    Information for a unit is in the following format:
      name MACaddress version interface IPaddress inbytes outbytes state lastcall status
    C:\INSTINET>

Using the Control commands
You can type any Control command from a DOS prompt or enter the command with the full path into a scheduling application.

Sample Control commands
Table 12 shows sample commands for the ISDN interface on a Contivity unit. The name of the unit is CBAUnit, and it is protected by the privileged password bosco.
Note: If you are entering the command in a third-party scheduling application, you must precede the command with c:\instinet.

Table 12 Sample Control commands
Operation             Sample Command
Take interface down   iictl cbaunit isdn down
93. For details on enabling No RAW Sockets, refer to "Managing RAW sockets" on page 127.
To start Tools:
> In the Contivity Branch Access program group or menu (depending on your operating system), select Tools. The Tools main window opens (Figure 149).
Figure 149 Tools main window
[Figure: Tools main window showing Host 192.168.1.1; Description "Microsoft wsock32.dll ver2.2 32bit of Apr 22 1999 at 20:29:32"; System status On Win95; Maximum sockets 32767.]
The troubleshooting tools include:
• Ping: Finds a host and determines the response time for that host.
• Trace: Finds the route used to get to a specific host.
• Stress: Tests the echo port of a selected host.

Testing the response time of a host
The ping tool finds a host and determines the response time for that host. Ping tests the connection to a specified host by sending data to the specified host and waiting for the packet to be returned. When a host is successfully pinged, the data packet is returned to the requester. If the ping is unsuccessful, then there is a problem with the connection or with the route used to connect to the host.
Using the p
94. GI request or a query request. For example, a dictionary Web site may receive a query request that contains the word to be defined in the URL. In most cases, the results of these types of requests are cached. However, if an originating Web server uses CGI or query requests to generate a response that contains a user's private or personalized data (for example, a stock portfolio), you may need to disable caching of these types of requests. Note that when you disable CGI or query requests, you disable them for all Web sites. If you do not want to do this, you can bypass caching of the problem sites and continue to cache CGI and queries for all other sites. For details on bypassing a Web site, refer to "Bypassing the cache for a Web site" on page 267.
CGI and query requests are enabled for the Moderate and Aggressive cache levels. If your users access Web sites that do not permit CGI and query requests to be cached, but you do not want to use the Conservative expiration settings, create a Custom cache level and disable CGI and query requests. For details, refer to "Creating a custom cache level" on page 250.

No-cache requests
A no-cache request is a request that forces an entry to be sent from the originating Web server rather than from the cache. No-cache requests can be initiated in the entry by the originator or by the user who requests the entry. Some originators explicitly place no-cache headers into their ent
95. HCP server 222
Using a Contivity unit as a DHCP workstation 228
Configuring the routing information protocol (RIP) 228
Configuring an alias for an interface 230
Using a demilitarized zone (DMZ) 232
Configuring a Contivity unit to support a DMZ 233
Configuring the interface to support the DMZ 233
Publishing a server 234
Deciding whether to enable IP forwarding for your DMZ 234
Chapter 7 Web cache configuration 237
Introduction to Web caching 237
How the Contivity unit functions as a proxy server 237
How the Contivity unit functions as a caching proxy server 238
How Web caching works 238
How the Contivity unit expires entries 238
How Web caching works with a user's local cache 239
Connecting to the Contivity unit using a Web browser 240
Viewing the Contivity unit system status 241
Getting started with the Web cache 242
Increasing efficiency
96. "Increasing efficiency" on page 243.
• System Administration (click Admin): View the Contivity unit's log, update history, system settings, port mappings, and hosts. For more information on system administration, refer to "Managing system files through a Web browser" on page 345.

To view the Web Cache page:
> On the Home page, click Web Cache. The Web Cache page opens (Figure 116).
Figure 116 Web Cache page
[Figure: Instant Internet Web Cache page with Statistics, Configure, Admin, Home, and Help links; the Status area shows Cache level, Active, Refresh, Hit rate, Port number, and Proxy through HTTP address (None).]

Getting started with the Web cache
The Contivity unit is easy to install and easy to use. In fact, after you configure the Contivity unit as a Web proxy server, it immediately begins caching Web entries. Cache statistics are available, but you do not have to monitor the cache server or change settings unless you want to.
The Web cache is configured with some default settings that help you start caching Web content and saving bandwidth immediately. However, if you want to fine-tune the Contivity unit settings to take advantage of added features, start with the following:
• To increase cache performance and efficiency
97. MAL description Normal No defaults here All questions asked

The in front of the last line indicates that it is a comment line only. For the Normal workgroup there are no defaults, and all installation prompts are displayed.

Installing multiple Contivity units
You can increase user capacity and access speed by installing multiple Contivity units on a single LAN. The automatic load balancing feature among the units in an IPX environment enhances overall performance by distributing Contivity Branch Access requests to each unit rather than by distributing all requests to one unit. Installing more than one unit also provides fault tolerance, allowing users to restart an Internet application quickly in the rare event that one unit fails.

Tips for installing multiple Contivity units
If you are installing multiple units, be sure to install each unit individually: plug in one unit, configure it, and then complete the installation before plugging in the next unit. This practice maintains the simplicity of installing multiple units and avoids any confusion about which unit is currently being configured.

You can save any administrative user information and restore the information to multiple units. When you install the components of the Contivity Branch Access management software, select a Contivity unit for the Internet applications to use from the list of units.

Chapter 10 Contivity unit configuration, supp
98. (Index, continued)
users: NT domain 85; Bindery users 87; copying 95; deleting 93; displaying groups user is in 95; displaying groups user is not in 95; ignore group settings 101; Internet access 99; managing 94; Monitor 147; name order 84; NDS users 86; not using iiLogin 88; reports 129; wildcard 88
user name: not required 345; set order for domain 84

V
virtual private network (VPN): about 37; branch to branch 62; branch to branch mode 57; client mode 57; configuration guidelines 57; Contivity unit to Contivity unit 47; Contivity unit to CVS 56; Contivity VPN Switch (CVS) 56; default network 40; disconnecting 146; DNS proxy server 58; fully qualified domain name (FQDN) 51; incoming connection 48; Internet Key Exchange (IKE) 38; Internet Security Association and Key Management Protocol (ISAKMP) 38; IP address, local 41; IP address, remote 41; IPsec 37; key 38; Message Digest 5 (MD5) 38; monitoring 145; network address translation (NAT) 62; non-Contivity client 39, 69; non-split tunneling 41; outgoing and incoming connections 53; outgoing connection 50; password 38; perfect forward secrecy (PFS) 39; ping 42; Secure Hash Algorithm (SHA) 38; Security Association (SA) 38; split tunneling 41; statistics 145; troubleshooting 75; tunnel 56; tunnel mode 38
VPN: See virtual private network (VPN)

W
Web browser: and cookie management 259; local cache 239
Web cache: introduction 237
Web cache server
99. Netscape Navigator: press the Shift key while clicking the Reload toolbar button.

Solution 2: Change the cache level. For details, refer to Selecting a cache level on page 245.

Problem: The Web server is down or is not responding, and the Contivity unit is configured to return expired Web entries when a Web server error occurs.
Solution: Create a custom cache level and disable the option to return expired Web entries when a Web server error occurs. For details, refer to Creating a custom cache level on page 250 and Setting the action the cache performs when a Web server error occurs on page 258.

requested a Web page and the originating Web server takes a long time to respond
Problem: The Web server is down or is not responding, and the Contivity unit is configured to return expired Web entries on a server error.
Solution: Create a custom cache level and disable the option to return expired Web entries on a server error. For details, refer to Selecting a cache level on page 245.

Problem: The Internet is slow, your Internet Service Provider has a bottleneck, or the originating Web server is down.
Solution: Send a request to the Web site again later.

I am not able to configure a personalized Web page
Problem: The Web site requires cookies, and cookies are blocked.
Solution: Enable cookies for the
100. No Cache Requests | Disabled | Disabled | Disabled | Enabled | Enabled | Enabled

No cache requests are not enabled for any predefined cache level. If you want to enable no cache requests, you must create a Custom cache level.

Creating a custom cache level
If one of the predefined cache levels does not meet your needs, you can create a Custom cache level and enter your own expiration and custom Web content request settings. Before you begin tuning these settings, be sure you understand how they work.

Typically, you will create a Custom level if you want to keep longer timeout values (Moderate or Aggressive level) but want to disable CGI and query requests (Conservative level). When you create a Custom cache level, start with one of the predefined settings and then fine-tune the individual settings you want (Table 31). For example, if the Aggressive level expiration settings work for you but you want to disable CGI and query requests, select the Aggressive level and then disable those two options.

Note: If you enter 0 as the expiration percent, the entry is automatically considered to be expired and the minimum expiration time is used. If you set the minimum expiration time to 0, the calculated value is used.

To create a Custom cache level
1 On the Home page, click Web Cache. The Web Cache page opens.
2 O
101. OG alarms
The system log (SYSLOG) alarms feature enables third-party SYSLOG daemons or hosts to receive notification of pre-defined significant events. The SYSLOG service handles the message and provides a log and user notification.

Note: Contivity Branch Access is not a SYSLOG host and does not compile system messages or maintain a log file. It simply forwards system messages to a SYSLOG daemon. You must supply the SYSLOG daemon software.

The SYSLOG alarms feature is especially useful for centralized management of several remote Contivity units. For example, an ISP can run a SYSLOG daemon at a central location and configure the remote Contivity units to automatically send system messages to the daemon. To capture and view SYSLOG messages, you must set up a SYSLOG daemon on a server on your network.

SYSLOG message formats
The format of the SYSLOG message depends on the third-party SYSLOG daemon receiving the message. A typical SYSLOG daemon usually provides the date and time stamp, message priority, name of the host forwarding the message, and text of the system message. Figure 78 shows an example of SYSLOG output.

Figure 78 Sample SYSLOG output [columns: Priority, Hostname, Message; the sample rows show priorities such as Syslog.Debug, Local2.Info and Local2.Notice, the forwarding host 222.68.1.18, and messages including "Generic er1 Authentication Failure" and "DHCPD Renew 192.168.1.11 KIMNT"]
102. Other Settings dialog box 328
Services dialog box 330
SNMP Configuration dialog box 332
[figure title illegible] 334
[figure title illegible] 336
[figure title illegible] 338
[figure title illegible] 340
Options dialog box in Tools 341
About Instant Internet Setup dialog box, Serial Number box 343
Instant Internet home page 346
Instant Internet System Administration page 346

Tables
Table 1 Services Contivity Branch Access provides 35
Table 2 Phase 1 main mode states 77
Table 3 Phase 1 aggressive mode states [page number illegible]
Table 4 Phase 2 main mode states 78
Table 5 [title illegible] 78
Table 6 Admin User [title illegible] 80
Table 7 Designating Internet access 106
Table 8 Sample Internet access control list 106
Table 9 Add Internet Access dialog box items 110
Table 10 A
103. How a tunnel is initiated
Neither the Contivity Branch Access unit nor the Contivity VPN Switch (CVS) can manually initiate a branch office connection. To initiate a VPN tunnel, some activity must be performed, such as using a ping or browsing to a site that uses the tunnel. For example, a host on one LAN could ping a host on another LAN, where the packet is expected to travel through a configured VPN tunnel.

Tunnel validity
The IPsec protocol does not provide a keep-alive mechanism as part of its standard. If one endpoint of a tunnel disconnects without the knowledge of the other (for example, if the server on one end is rebooted), the remaining live endpoint still attempts to send traffic through the tunnel. In this situation the tunnel status may appear to be valid to the live endpoint, but communications are not possible. However, after the disconnected endpoint (the end that was rebooted) initiates a new tunnel as warranted by traffic, the tunnel is reestablished and operates properly.

Contivity Branch Access provides a ping utility as a keep-alive mechanism in order to circumvent the problems associated with losing one end of a tunnel. For more information, refer to Using pings on page 42.

Dial-up environments and tunnel validity
In a dial-up or equivalent (analog, ISDN, PPPoE) environment, the Internet connection may not exist at all times, which can cause a problem when a tunnel is no longer valid. A t
104. Part No. 313371-A
July 2001
4401 Great America Parkway, Santa Clara, CA 95054

Using the Contivity Branch Access Management Software Version 7.20
NORTEL NETWORKS

Copyright 2001 Nortel Networks. All rights reserved. July 2001.

The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks Inc.

The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license. The software license agreement is included in this document.

Trademarks
Nortel Networks, the Nortel Networks logo, the Globemark, Instant Internet, and Contivity are trademarks of Nortel Networks. Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated. AniTa Terminal Emulator is a trademark of April System Design AB. Ethernet is a trademark of Xerox Corporation. Macintosh is a trademark of Apple Computer, Inc. Microsoft, MSN, NetMeeting, Windows, and Windows NT are trademarks of Microsoft Corporation. Netscape Communicator is a trademark of Netscape Communications Corporation. NetWare is a trademark of Novell, Inc. OS/2 i
105. RANTIES AND LIMITATIONS ARE EXCLUSIVE REMEDIES AND ARE IN LIEU OF ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Licensee is responsible for the security of its own data and information and for maintaining adequate procedures apart from the Software to reconstruct lost or altered files, data, or programs.

4. Limitation of liability. IN NO EVENT WILL NORTEL NETWORKS OR ITS LICENSORS BE LIABLE FOR ANY COST OF SUBSTITUTE PROCUREMENT; SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES; OR ANY DAMAGES RESULTING FROM INACCURATE OR LOST DATA OR LOSS OF USE OR PROFITS ARISING OUT OF OR IN CONNECTION WITH THE PERFORMANCE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL THE LIABILITY OF NORTEL NETWORKS RELATING TO THE SOFTWARE OR THIS AGREEMENT EXCEED THE PRICE PAID TO NORTEL NETWORKS FOR THE SOFTWARE LICENSE.

5. Government licensees. This provision applies to all Software and documentation acquired directly or indirectly by or on behalf of the United States Government. The Software and documentation are commercial products, licensed on the open market at market prices, and were developed entirely at private expense and without the use of any U.S. Government funds. The license to the U.S. Government is granted only with restricted ri
106. S VPN works 56
VPN configuration guidelines 57
How a tunnel is initiated 59
Tunnel validity 60
Tunneling to a CVS using a branch to branch connection 62
Tunneling to the CVS when the Contivity Branch Access unit acts as a non-Contivity client 69
Troubleshooting a VPN tunnel connection 75
Viewing a Contivity unit's IPsec log 76
IPsec connection state information 76
Chapter 3 User access administration 79
Admin program overview 79
[entry illegible] 80
Administration program icons 80
Default user and Everyone group 81
Restoring the Default User 81
Restoring the Everyone group 82
Managing directory service users and groups 82
Setting the [entry illegible] 83
Setting user name order 84
Migrating your database to use unique users and groups by server 85
Managing dom
107. The Enter IP Address dialog box opens (Figure 3).

Figure 3 Enter IP Address dialog box [screenshot not reproduced; the dialog has Address and Bits boxes and OK and Cancel buttons]

2 In the Address box, enter the IP address of a local or remote network that is to be allowed to participate in the tunnel.
3 In the Bits box, enter the number of bits.
4 Click OK.

Removing a local or remote IP address
To remove a local or remote IP address
1 In the IPsec Configuration dialog box, in the Local Addresses or Remote Addresses area, select the address and then click Remove.
2 In the confirmation dialog box, click Yes.

Using pings
Contivity Branch Access provides a background ping facility that you can use to control or monitor the connection state of a VPN and serve as a keep-alive for the tunnel. There are two types of pings:
• Control: Use a control ping when you want to maintain a permanent tunnel connection.
• Monitor: Use a monitor ping when you do not want to keep the connection active but you still want to check the status of a tunnel. This type of ping is typically used with a dial-up connection.

The following capabilities are available for a ping:
• All modes: For all modes of ping, you can specify the destination address, packet length, interval, and timeout. The destination should be some device th
108. The ISDN Configuration advanced dialog box opens (Figure 118 on page 281).

In the Outbound priority area, select one of the following:
• Data: Specifies that data gets first priority for control of the line when you are attempting a voice call. If you try to make a voice call and all channels are busy, you hear a busy signal.
• POTS: Specifies that voice gets first priority for control of the line when you are making a voice call. If you make a voice call and all channels are busy, one of the data channels is dropped to allow the voice call to continue.

In the Inbound Voice area, select one of the following:
• POTS: Specifies that an inbound call marked as voice is sent to the telephone line.
• DOVBS: Specifies that an inbound call marked as voice is sent to the B channel of the ISDN line. The inbound call is treated as a data call, and then the incoming call option in the following section applies.

Configuring incoming data call options
You can set the way the ISDN interface handles incoming ISDN data calls.

To configure the incoming data call option
1 Click Advanced. The ISDN Configuration advanced dialog box opens (Figure 118 on page 281).
2 In the Incoming Calls area, select one of the following:
• No incoming calls allowed: The Contivity unit rejects all incoming calls. This is the system default.
• Call ISP after receiving incoming call: W
109. The Port Mappings page opens. Make any changes to the port mappings and then click Submit.

When you click Submit, the changes take effect immediately. If you make changes and then decide that you do not want to submit them, click Reset to restore the settings to the previous selections. You cannot reset settings after you submit them.

To view or change a unit's port mappings using Setup
1 Start Setup and, if prompted, select a unit to configure.
2 Choose Support > Port Mappings.
3 Change the file as needed and then choose File > Save.
• To close the file without saving your changes, choose File > Close.
• To print the file, choose File > Print.

Changing a unit's support hosts
To view or change a unit's support hosts using Web configuration
1 Connect to the unit using a Web browser. For details, refer to Connecting to the Contivity unit using a Web browser on page 240.
2 On the Home page, click Admin.
3 On the System Administration page, click Hosts. The Hosts page opens.
4 Make any changes to the hosts information and then click Submit.

When you click Submit, the changes take effect immediately. If you make changes and then decide that you do not want to submit them, click Reset to restore the settings to the previous selections. You cannot reset settings after you submit them.

To vi
110. To determine the total percentage of requests that are not sent from

Limiting the size of a cached entry
You can specify the maximum size of an entry that can be cached. Limiting the size of an entry helps protect the cache from being filled up by extremely large entries, for example, streaming data. You need to adjust the maximum size of a Web entry and then look at two statistics to help determine the new value.

To determine whether you need to adjust the maximum size of a Web entry, look at the statistic for Data exceeded max size in the Why requests are not served from the cache area. If this number is high (over 10), you should probably increase the maximum entry size.

In the Cache entries area, look at the statistics for the Average entry size. This statistic displays the average size of each entry stored in the cache. If the average entry size is small, you can set the maximum size entry lower. If it is large, set it higher.

To review the statistics
• On the Home page, click Web Cache. The Web Cache page opens.
• On the Web Cache page, click Statistics. The Web Cache Statistics page opens.
• Click Help for more information about each field on any page.

To adjust the maximum entry size
1 On the Home page, click Web Cache. The Web Cache page opens.
2 On the Web Cache page, click
111. Users.
In the List of Users area, select the icon of the user.
In the Groups the User Is Not In area, select the group folder to which you want to add the user.
Drag the folder to Groups the User Is In.

Note: You cannot use dragging to move users who have been adopted from directory services.

To add a user to a group using the Move toolbar button
1 On the toolbar, click Users.
2 Select the group folder to which you want to move the user.
3 Select the user you want to move.
4 On the toolbar, click Move.

To remove a user from a group by dragging
1 On the toolbar, click Users.
2 In the List of Users area, select the icon of the user.
3 In the Groups the User Is In area, select the group folder from which you want to remove the user.
4 Drag the folder to Groups the User Is Not In.

Note: You cannot use dragging functions to move users who have been adopted from directory services.

To remove a user from a group using the Move toolbar button
1 On the toolbar, click Users.
2 Select the group folder from which you want to remove the user.
3 Select the user you want to move.
4 On the toolbar, click Move.

Deleting users and groups
Only those users and groups that were created within the Admin utility may be deleted by the Admin utility. When a user name is deleted, Contivity Branch Access uses the Default User access setting to
112. a name for the file that you can easily remember or associate with this file.
Click Save. The Save As dialog box opens.
Navigate to the place on your local machine where you would like to save the Web site configuration file.
Click Save.

To restore a Web site configuration
1 On the Home page, click Web Cache. The Web Cache page opens.
2 On the Web Cache page, click Web Sites.
3 Click Restore.
4 Click Browse and locate the wcb file that was previously saved.
5 Select the wcb file.
6 Click Open.
7 Click Submit.

Web site configurations may be restored to any computer that uses the Web cache feature Contivity Branch Access provides.

Refreshing cache entries
To increase response times for Web entries, enable active refresh. This option attempts to keep the most frequently requested Web entries available in the cache by refreshing them from the Internet. Rather than wait for a request for Web content, the Contivity unit actively evaluates the entries in the cache, tests them, and reloads them if necessary before they expire. Actively refreshing Web entries helps to save bandwidth overall, but creates a slight increase in bandwidth because the cache server functions as another user requesting Web content.

Setting active refresh options
Nortel Networks recommends that you set active refresh to operate
113. a unit's time, date, or time zone.

To change the time, date, or time zone for a Contivity unit
1 Start Setup and, if prompted, select a unit to configure.
2 Choose Setup > Time. The Unit Time dialog box opens (Figure 144), showing the current date and time.

Figure 144 Unit Time dialog box [screenshot not reproduced]

3 Select one of the following options:
• Enter the date and time manually. Continue with step 4.
• Set the date and time to that of the workstation. Continue with step 5.
• Use a network time protocol (NTP) server for the date and time. Continue with step 6.
4 Enter the new date and time in the appropriate boxes and then click Set New Date/Time. Continue with step 7.
5 Click Set to Workstation Date/Time. Continue with step 7.
6 To use an NTP server for the date and time, select the Enable NTP check box and then do one of the following:
• To set the time using an NTP server, click Add. Enter the domain name or IP address of the NTP server and then click OK.
• To change from one NTP server to another, select the server to be changed and then click Change. Enter the IP address or domain name of the new NTP server and then click OK.
• To remove an NTP server, select the server to be re
114. a world-wide network in which millions of participating members, including host computers and users, change constantly. Because there are many factors, both single and combined, that influence your Internet access, it is impossible to discuss performance in terms of precise numbers. Additionally, the speed of the user's workstation and available memory size affect performance. The following information provides some broad guidelines.

Normal delays
Some delays you might experience while accessing the Internet are normal. For example, delays can happen if a computer to which you are trying to connect is down or simply busy, if the path is congested, or if there is a temporary Internet circuit failure anywhere along the line. These types of delays are beyond the control of Contivity Branch Access. By the very nature of the Internet's structure, any operation is prone to delays.

Number of simultaneous connections
Contivity Branch Access is limited to 250 simultaneous IPX applications, which can be 250 users each running a single application. Windows users running multiple Internet applications at the same time can occupy the equivalent number of user positions. Total available bandwidth is shared among concurrent users. Depending on the applications in use at the same time and their respective socket requirements, the number of simultaneous connections can vary. Operations that produce heavier loads include simultaneous FTP downloading, file tr
115. address of the Contivity unit. Click OK. You return to the DHCP Configuration dialog box (Figure 105 on page 224).
In the WINS Servers area, click Add. The Enter Server Address dialog box opens (Figure 108 on page 227).
Specify WINS servers for the workstations to use. Click OK. You return to the DHCP Configuration dialog box (Figure 105 on page 224).
In the WINS Servers area, specify the Node Type for the WINS servers to use:
• B: Uses IP broadcast messages.
• P: Uses point-to-point communications.
• M: Tries a broadcast (B) first and, if that fails, tries point-to-point (P).
• H: Tries point-to-point (P) first and, if that fails, tries broadcast (B).
In the Lease area, specify the number of days, hours, and minutes for IP addresses to be leased (or assigned) to LAN workstations. Click OK.

Using a Contivity unit as a DHCP workstation
You can configure your Contivity unit to be used as a DHCP workstation. However, this functionality is intended to support modems that use the DHCP protocol to assign dynamic IP addresses. Do not allow the Contivity unit to receive an IP address from an existing DHCP server on the network interface, because the client workstations must be configured to use the Contivity unit as a gateway and DNS server.

Configuring the routing information protocol (RIP)
Routing information proto
116. ady configured as SOCKS workstations, you can use the Contivity unit to connect them to the Internet. For details on configuring SOCKS workstations, refer to Configuring common SOCKS-enabled software on page 189.

To configure the Contivity unit as a SOCKS proxy server
1 Start Setup and, if prompted, select a unit to configure.
2 Choose Support > Services. The Services dialog box opens (Figure 88).

Figure 88 Services dialog box [screenshot not reproduced; the dialog lists check boxes for Chargen, DHCP, Discard, DNS Proxy, Echo, Ident, SNMP, SOCKS, Telnet, WEB Proxy, and WEB Configuration, with Configure and Cancel buttons]

3 Select the SOCKS check box.
4 Click OK.

Using SOCKS workstations with the Admin program
If you have IP workstations already configured as SOCKS workstations, you can use the Contivity unit as a SOCKS proxy server to connect them to the Internet. For details, refer to Configuring a Contivity unit as a SOCKS proxy server on page 186.

If you are using SOCKS workstations, there are some things you need to be aware of when using the Admin program to control Internet access. For details on using the Admin program, refer to Admin program overview on page 79.

Admin options that do not apply to SOCKS workstations
When you configure the Contivity unit as a SOCKS pr
117. aging news group access on page 114 for more information.
3 Configure Incoming Ports to allow access to all ports and Both (TCP and UDP). Refer to Managing incoming port access on page 120 for more information.

After you complete the previous steps, all users follow the Everyone Group access settings.

Note: If a user's individual access settings are more restrictive than the Everyone Group settings, Contivity Branch Access uses the more restrictive access settings.

Restricting access to a few sites for everyone
To restrict a few sites for everyone
1 Set the Everyone Group's access to Controlled access. Refer to Configuring Internet access on page 102 for more information.
2 Configure Internet Access for the Everyone Group by restricting access to a site. Figure 64 shows an example. Refer to Defining controlled Internet access on page 104 for more information.

Figure 64 Change Internet access to deny access to a site (example) [screenshot of the Change Internet Access dialog box not reproduced]

3 Repeat step 2 for each site for which you want to restrict access. You should now see a list of sites restricted to all users within the Everyone Group, similar to that in Figure 65.

Figure 65 Restrict Internet access (example) [screenshot of the Change Internet Access dialog box not reproduced]
118. ain users and groups 85
Viewing users and groups 86
Managing NetWare NDS users and groups 86
Setting the context for NDS 87
Managing Novell Bindery users and groups 87
Setting the NetWare preferred server 88
Setting up IP users not using iiLogin 88
Creating and removing users and groups 89
Creating a new user or group 89
[entry illegible] 90
Creating a group 91
Adding a user to a group 92
Deleting users and groups 93
Deleting a user 93
Deleting a group 94
Managing users and groups 94
Copying user and group Internet access settings 95
Viewing effective user access 97
Defining user and group access 98
Disabling user or group access 100
igno
119. Priority | Message | Meaning
Warning | [message text cut off] | An invalid or duplicate message was received from <destination>
Warning | invalid ISAKMP header from <destination> | An invalid or unsupported format was received
Warning | invalid main mode message from <destination> | An invalid or duplicate message was received, or a key is incorrect
Warning | invalid payload format | An invalid or duplicate message was received, or a key is incorrect
Warning | invalid quick mode message from <destination> | An invalid or unsupported format was received
Warning | IP address changed | The interface on which a message was received has changed its IP address. The tunnel is dropped and can be re-established by normal activity.

Table 27 SYSLOG messages for IPsec events (continued)
Priority | Message | Meaning
Warning | receive bad sequence <destination> <number> <number> | Packets were received out of order, or old packets were resent
Warning | retransmitting to <destination> | Resending request to remote end after receiving no response
Warning | timeout | Session has timed out waiting for response from remote end
Notice | deleting connection to <destination> | Phase 1 connection is being dropped
Notice | deleting tunnel <local> <remote> | Tunnel is being dropped
Notice | phase 1 completed with <destination> | SA completed without error
120. all share the total bandwidth of 56 Kb/s. As more users log on to the Internet, the bandwidth available to each user declines. The cache helps to save bandwidth by reducing Internet traffic, and as a result each user experiences faster response times.

The idea that your LAN bandwidth and your Internet connection bandwidth are usually different is important as related to caching. Cache minimizes bandwidth requirements of the server-side connection and improves efficiency by increasing the number of requests that are serviced in the higher-bandwidth portion of a network.

Fine-tuning cache settings
The Contivity unit is designed to save bandwidth and speed access times for shared Web content. To get the best performance from the cache server, you can fine-tune individual cache settings to meet the needs of your Internet users. If you decide you want to fine-tune the Contivity unit's cache settings, consider the following:

Increasing response times
To ensure that users always experience the fastest response times for frequently requested Web entries, enable active refresh. This option attempts to keep the most frequently requested Web entries available in the cache by refreshing them from the Internet. For details, refer to Refreshing cache entries on page 270.

Increasing bandwidth savings
You have several options for i
121. alled PAT, for Port Address Translation.
NDS  NetWare Directory Services. A global naming service used in NetWare 4.x.
NetBIOS  Network Basic Input/Output System. An interface and upper-level protocol developed by IBM for use with a proprietary adapter for its PC network product. NetBIOS provides a standard interface to the lower networking layers; essentially, the protocol gives higher-level programs access to the network.
NFAS  Not Frame Alignment Signal.
NT1  Network Terminator 1.
NTP  Network Time Protocol.
NUI  Network User Identification.
ODI  Open Datalink Interface.
OS  Operating System.
packet  A group of bits, including data and control signals, arranged in a specific format and transmitted as a whole.
PAP  Password Authentication Protocol. A method of establishing security on PPP links where the caller must provide a password in order to establish the link. PAP sends the password in clear text; CHAP, which sends only a hash of a challenge and the secret, is preferable where the peer supports it.
PBX  Private Branch Exchange.
PING  Packet Internet Groper. A program in the Tools application that is useful for testing and debugging networks. PING sends an echo packet to the specified host, waits for a response, and reports success or failure and statistics about its operation.
PFS  Perfect Forward Secrecy. A property of a key agreement in which each session key comes from a fresh, independent key exchange, so that compromise of one key exposes only the data protected by that key and not the keys of earlier or later sessions.
POP  Point of Presence. The local or long-distance carrier's switching central offi
122. anch Access Management Software Version 7.20, page 28, Preface
• Setting Up the Contivity 400 Unit (part number 313370-A): Provides instructions on installing and administering the Contivity 400 unit hardware.
• Using the Contivity Branch Access Management Software Version 7.20 (part number 313371-A): Provides an introduction to the Contivity Branch Access management software, instructions for administering the product, and procedures for using Contivity features.
• Reference for the Contivity Branch Access Command Line Interface Version 7.20 (part number 313372-A): Provides instructions and CLI commands for remotely accessing the Contivity unit and for administering the unit using out-of-band management.
• Contivity Branch Access Software and Documentation Version 7.20 CD (part number 313374-A): Provides manuals for using and installing the Contivity Branch Access management software and third-party applications. The CD contains the following documents: Installing the Contivity Branch Access Management Software Version 7.20; Setting Up the Contivity 100 Unit; Setting Up the Contivity 400 Unit; Using the Contivity Branch Access Management Software Version 7.20; Reference for the Contivity Branch Access Command Line Interface Version 7.20.
You can print selected technical manuals and release notes free, directly from the Internet. Go to the www.nortelnetworks.com/documentation URL. Find the product for which you nee
123. anch Access to set up and maintain the Internet access settings for these users; they do not appear in your network directory services.

Creating a new user or group
Contivity Branch Access provides two methods for adding new users and groups:
• Using a template. The new user or group inherits all template attributes. This feature is useful when you add multiple users or groups that require the same Internet access.
• Creating each user or group individually. You must create and configure each new user or group individually.
Contivity Branch Access provides a default user facility specifying attributes that it uses for individual users. If you add a user and do not set specific Internet access settings, that user is considered a default user.

Creating a user
To create a new user:
1 Do one of the following:
• On the toolbar, click Users.
• Choose Users > View User List.
2 Select the icon of the user you want to use as a template. If you do not want to use a template, you do not need to select a user.
3 On the toolbar, click Create. If you selected a user in step 2, you are prompted to verify that the user's profile is to serve as a template (Figure 28).
Figure 28 Prompt to use selected user as a template (Instant Internet Admin: "Create new user using <Default> as a template?" Yes / No / Ca
124. and must be renegotiated before any phase 2 SAs can be re-keyed. Note that when the CVS initiates a phase 1 SA, it does not specify a timeout.
Note: If this behavior is undesirable, use the Forced Logoff parameter in the CVS to apply the specified timeout to the phase 1 SA. For details, refer to your CVS documentation.

Tunneling to a CVS using a branch-to-branch connection
When a tunnel is established between a CVS and a Contivity Branch Access unit that routes a complete subnet, the tunnel is called a branch-to-branch tunnel. A CVS earlier than version 4.0 requires that the Contivity Branch Access unit have a static public IP address. A CVS version 4.0 or later allows a branch-to-branch connection in aggressive mode with a Contivity Branch Access unit that has a dynamic IP address. When you configure a branch-to-branch VPN tunnel between a Contivity Branch Access unit and a CVS, network address translation (NAT) is typically not performed through the tunnel.
Configuring a VPN between a Contivity Branch Access unit and a CVS is a two-step process:
• Configure the branch office connection in the CVS (next).
• Configure the Contivity Branch Access unit as a branch office VPN tunnel. You will configure a main mode tunnel if a static IP address is used, or an aggressive mode tunnel if a dynamic IP address is used (refer to
125. ansfers, downloading large graphics and, in some cases, intensive Web browsing.

When to consider a higher-speed connection
You may want to use a higher-speed digital connection if:
• Performance is slow
• Your LAN has a large number of users
• Demand for Internet access is heavy
• Internet access is critical to your business
Contact your Nortel Networks sales representative to discuss your environment and possible upgrade solutions.

Configuring IPX workstations to use a new unit name
When you change the name of your Contivity unit, you must individually configure each IPX workstation to use the new name. For details on changing a unit's name, refer to Changing a unit's name on page 325. You can configure IPX workstations using the workstation software you copied to a network drive or the Contivity Branch Access Software and Documentation Version 7.20 CD.
To configure an IPX workstation to use a new unit name:
1 Do one of the following:
• If you are using Windows 95, Windows 98, Windows Me or Windows NT, from the Windows Start menu choose Run.
• If you are using Windows 3.x, choose File > Run.
The Run dialog box opens (Figure 128).
Figure 128 Windows 95 Run dialog box ("Type the name of a program, folder or document and
126. ant.net. The list of allowed/denied host names controls only the ability to look up the IP address associated with a host name.
Note: If you allow access based on host names, you must also allow access to their associated IP addresses. To allow access to one Web site and disallow access to all others, allow all IP addresses but deny access based on host name.
For example, if you open a browser and type in www.xyz.com, the browser first asks the DNS proxy to look up the address of that name. Contivity Branch Access then checks the access controls having to do with host names and decides whether or not the site is allowable. The access controls therefore determine whether or not a name can be resolved into an address. Because a host-name rule is enforced only at name resolution, it does not by itself stop a user who already knows a site's IP address and connects to it directly; only the IP address rules control the connection itself.
• Port numbers can be any number from 0 to 65535, where the first 1024 are well-known port numbers that define specific tasks. For example, Web browsing occurs on port number 80, file transfer protocol (FTP) uses ports 20 and 21, and simple mail transfer protocol (SMTP) uses port 25.
Note: You can think of the IP address or domain name as the address of an apartment building, with the port number functioning as an apartment within the building. Access to ports can be connectionless (UDP) or connection-oriented (TCP).

Overview of configuring Internet access
When a user attempts Internet access, Contivity Branch Access checks the access list for tha
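To make the two-stage check concrete, here is a Python model of it, added as an example and not taken from the Nortel software: host-name rules are consulted only when the DNS proxy is asked to resolve a name, and IP/port/protocol rules are consulted when the connection is made. The manual does not state the rule-evaluation order, so the model assumes first match wins and that a name or connection matching no rule is denied; the wildcard forms "*" and "*.example.com", the rule set, the resolver results and the addresses are constructed for the example.

```python
"""Model of Contivity Branch Access host-name vs IP/port access checks.
Added example, not Nortel code.  Assumptions: first matching rule wins, no
match means deny, "Both" covers TCP and UDP, and "*" / "*.suffix" wildcards
are allowed in host-name rules."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    allow: bool
    host: Optional[str] = None      # host-name rule, enforced at DNS lookup only
    network: Optional[str] = None   # IP address or CIDR, enforced at connect time
    proto: str = "Both"             # "TCP", "UDP" or "Both"
    port: Optional[int] = None      # None = any port

    def matches_name(self, name: str) -> bool:
        if self.host is None:
            return False
        if self.host == "*":
            return True
        if self.host.startswith("*."):
            return name == self.host[2:] or name.endswith(self.host[1:])
        return name == self.host

    def matches_conn(self, ip: str, port: int, proto: str) -> bool:
        if self.network is None:
            return False
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(self.network, strict=False):
            return False
        if self.proto != "Both" and self.proto != proto:
            return False
        return self.port is None or self.port == port


def may_resolve(name: str, rules) -> bool:
    """DNS proxy stage: only host-name rules are consulted."""
    for r in rules:
        if r.matches_name(name):
            return r.allow
    return False


def may_connect(ip: str, port: int, proto: str, rules) -> bool:
    """Connection stage: only IP/port/protocol rules are consulted."""
    for r in rules:
        if r.matches_conn(ip, port, proto):
            return r.allow
    return False


def browse(name, ip, port, rules, proto="TCP"):
    """A browser request: resolve the name, then connect to the address."""
    if not may_resolve(name, rules):
        return "denied at DNS lookup"
    if not may_connect(ip, port, proto, rules):
        return "resolved, denied at connect"
    return "allowed"


# Constructed policy following the manual's advice: allow all IP addresses (here on
# TCP port 80 only), allow one site by name, deny every other name.
POLICY = [
    Rule(allow=True, host="www.xyz.com"),
    Rule(allow=False, host="*"),
    Rule(allow=True, network="0.0.0.0/0", proto="TCP", port=80),
]
# Constructed resolver results (no real lookups are made).
DNS = {"www.xyz.com": "203.0.113.10", "www.other.example": "203.0.113.99"}

if __name__ == "__main__":
    for site in DNS:
        print(site, "->", browse(site, DNS[site], 80, POLICY))
    # The caveat: a host-name deny does not stop a connection made directly by IP.
    print("direct to 203.0.113.99:80 ->", may_connect("203.0.113.99", 80, "TCP", POLICY))
    # And a name that is allowed without a matching IP rule resolves but cannot connect.
    print("www.xyz.com on port 443 ->", browse("www.xyz.com", "203.0.113.10", 443, POLICY))
```

The run shows both halves of the note above: www.other.example is stopped at the DNS proxy, yet a direct connection to its address on port 80 is still allowed by the IP rule, and www.xyz.com on port 443 resolves but is refused because no IP rule covers that port.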
127. area, enter the Contivity Branch Access unit's public IP address in the Remote Endpoint Address box; otherwise, skip this step.
In the Configure Routing area, click IP.
In the Routing area, select the Static option.
In the Local Accessible Networks area, select the network you created in step 2.
In the Remote Accessible Networks area, click Add.
In the New Subnet Details area, enter the following information and then click OK:
• IP Address: Enter the Contivity Branch Access unit's LAN-side IP address.
• Mask: Enter the Contivity Branch Access unit's LAN-side subnet mask.
Click OK.
If you are using CVS version 4.0 or later, in the IPsec Authentication area do one of the following:
• If you are using a main mode (Peer to Peer) connection, select a pre-shared key option (Text or Hex), and then enter and confirm the pre-shared key.
• If you are using an aggressive mode (Responder) connection, enter an Initiator ID that will uniquely identify this branch office. Enter a corresponding pre-shared key option (Text or Hex), and then confirm the pre-shared key.
In either case, use a long, randomly generated pre-shared key rather than a word or phrase: in aggressive mode the identity and the hash derived from the pre-shared key are exchanged before encryption starts, so a captured exchange can be used to guess a weak key offline.
17 Click OK.

Configuring Contivity Branch Access as a branch office VPN tunnel
If your ISP provides you with a static IP address, you must configure a main mode connection (Peer to Peer). If your ISP provides you with a dynamic IP address, you must configure a
129. ase. Example: Use the winipcfg command.
italic text  Indicates file and directory names, new terms, book titles, and variables in command syntax descriptions. Where a variable is two or more words, the words are connected by an underscore. Example: If the command syntax is dns <name_server>, <name_server> is one variable and you substitute one value for it.
screen text  Indicates command syntax and system output, for example prompts and system messages. Example: Waiting for Contivity to restart
separator (>)  Shows menu paths. Example: From the Windows Start menu, choose Settings > Control Panel.

Related publications
For more information about using Contivity Branch Access, refer to the following publications:
• Important Notice for the Contivity Branch Access Software Version 7.20 (part number 313368-A): Provides instructions for viewing documentation and installing the Contivity Branch Access management software and third-party applications (Adobe Acrobat Reader, Netscape Communicator and AniTa Terminal Emulator).
• Installing the Contivity Branch Access Management Software Version 7.20 (part number 313367-A): Provides instructions for installing the Contivity Branch Access management software.
• Setting Up the Contivity 100 Unit (part number 313369-A): Provides instructions on installing and administering the Contivity 100 unit hardware.
Using the Contivity Br
130. ask in the Windows task scheduler. In this example, you disable the ISDN interface on your Contivity unit at 10:00 PM every night and enable it at 6:00 AM every morning. The name of the unit is CBAUnit and it is protected by the privileged password bosco.
To configure a task using the Windows task scheduler:
1 Choose Start > Programs > Accessories > System Tools > Scheduled Tasks.
2 Double-click Add Scheduled Task. The Scheduled Task Wizard dialog box opens.
3 Click Next. A list of applications is displayed.
4 Click Browse.
5 In the File name box, enter c:\instinet\iictl and then click Open.
6 Click Next.
7 Enter a name for the scheduled task, for example ISDN Disable.
8 Choose the frequency. For this example, choose Daily.
9 Click Next.
10 Enter the start time and start date. For this example, enter 10:00 PM and accept the default date.
11 Click Next.
12 Select the Open advanced properties for this task when I click Finish check box.
13 Click Finish.
14 On the Task tab, in the Run box, enter the following command: c:\instinet\iictl cbaunit isdn disable bosco
15 Repeat this procedure to enable the interface at 6:00 AM every morning. Name the task ISDN Enable. The command is: c:\instinet\iictl cbaunit isdn enable bosco
Note that the privileged password appears in clear text in the task's command line, where anyone who can open the scheduled task or list running processes on that PC can read it. Create the tasks on a workstation that only administrators can log on to, and change the password if that workstation is ever shared or compromised.
131. at is reachable and for which a response is representative of the desired connectivity. For example, if the purpose of the ping is to validate a VPN connection, it is best to choose a destination that is reached through the VPN tunnel, such as the private address of the remote Contivity Branch Access unit or the CVS.
• Monitor mode. The monitor mode does not initiate a connection and is not considered to be activity against a dial-up interface's idle timeout. This mode does not keep a connection active.
Note: A monitor ping is considered to be activity on the CVS but is not considered to be activity against the Contivity Branch Access unit's dial-up timeout; therefore Contivity Branch Access is free to drop the line. After the line is dropped, the monitor ping disables the connection. The CVS's idle timeout disables the other end of the connection.
In monitor mode, if the specified interface is not active, the ping does not occur. Also, in the case of an IPsec interface, if the interface used to reach the corresponding remote gateway is not active, the ping does not occur. If an IPsec interface is specified and no response is received for three consecutive pings, the tunnel is dropped and is re-established as required by normal VPN activity. If the ping fails three consecutive times, the interface is brought down but is not disabled from further activity. This is normally used for IPsec interfaces because the ping failu
132. at will accept the update, typically the primary authority for the zone.

Configuring Contivity Branch Access to publish a private server
To configure Contivity Branch Access to publish a private server, regardless of whether you have a static or a dynamic IP address from your ISP, you need the following information:
• Public Address: The public IP address that will reach the Contivity unit, or the name of the interface that connects your Contivity unit to the Internet.
• Public Port: The port number or name that a remote end uses to reach your server.
• Private Address: The IP address of the server on your network.
• Private Port: The port number or name of the server on your network. Usually the public port and the private port are the same.
To configure Contivity Branch Access to publish a private server:
1 Start Setup and, if prompted, select a unit to configure.
2 Choose Support > Server Publication. The Server Publication dialog box opens (Figure 93).
Figure 93 Server Publication dialog box
3 Click Add. The Server Publication Configuration dialog box opens (Figure 94).
Figure 94 Server Publication Configuration dialog box
4 Enter the public IP address or interface and private ad
133. ating <interface>: Negotiating with a remote end.
Notice  no protocol <interface>: Did not receive expected protocol, for example PPP or LCP.
Notice  terminating <interface>: Terminating a connection with a remote end.
Notice  up <interface>: Interface is up.
Table 29 describes the SYSLOG messages for other types of events.
Table 29 SYSLOG messages for other events
Priority  Message: Meaning
Alert  Kernel restarting unit: Unit was restarted.
Notice  Ping <interface_name> down: Control ping dropped line; exceeded failure limit.
Notice  PPP chap inbound call failed: Received an invalid user ID or password (authentication).
Notice  PPP pap inbound call failed: Received an invalid user ID or password (authentication).
Notice  Telnet failed login from <ip_address>: User attempted to log in from the indicated IP address but did not succeed.
Notice  Telnet login from <ip_address>: User at the indicated IP address successfully logged in to a Telnet session.

Configuring SYSLOG alarms
To configure SYSLOG alarms:
1 Start Setup and, if prompted, select a unit to configure.
2 Choose Support > Alarms. The Alarms dialog box opens (Figure 79).
Figure 79 Alarms dialog box
3 In the SYSLOG Hosts area, click Add. The Enter SYSLOG Host dialog box opens (Figure 80).
Figure 80 Enter SYSLOG Host dialog
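The tables list messages by syslog priority, not by operational importance: the failed Telnet logins and PPP authentication failures that reveal password guessing are logged at Notice, below Warning, so a SYSLOG host that keeps only Warning and higher discards exactly the events worth watching. The following Python script, an added example that is not part of the Nortel software or of this manual, parses syslog lines for the messages in Tables 27 and 29 (both tables above) and raises alerts for repeated Telnet failures from one address, repeated invalid IKE messages from one peer, replayed or out-of-order IPsec packets and unit restarts. It assumes the unit emits standard BSD-format lines (<PRI>timestamp host message); the manual does not show the exact wire format, and the sample lines are constructed.

```python
"""Classify Contivity SYSLOG messages (Tables 27 and 29) and raise alerts.
Added example, not Nortel code.  Assumption: lines arrive in BSD syslog
form "<PRI>Mon dd hh:mm:ss host message"; the sample lines are constructed."""
import re
from collections import Counter

# Syslog severity codes (low three bits of PRI) for the priorities the tables use.
SEVERITY = {1: "Alert", 4: "Warning", 5: "Notice"}

# Message patterns from the tables; <placeholders> become named groups.  The manual
# does not say what the two numbers in "receive bad sequence" mean, so they are
# captured as one field.
PATTERNS = [
    (r"invalid ISAKMP header from (?P<destination>\S+)$", "ike_invalid"),
    (r"invalid main mode message from (?P<destination>\S+)$", "ike_invalid"),
    (r"invalid payload format$", "ike_invalid"),
    (r"invalid quick mode message from (?P<destination>\S+)$", "ike_invalid"),
    (r"IP address changed$", "ike_drop"),
    (r"receive bad sequence (?P<destination>\S+) (?P<numbers>\d+ \d+)$", "replay"),
    (r"retransmitting to (?P<destination>\S+)$", "ike_retry"),
    (r"timeout$", "ike_retry"),
    (r"deleting (?:connection to|tunnel) (?P<destination>.+)$", "ike_drop"),
    (r"phase 1 completed with (?P<destination>\S+)$", "ike_ok"),
    (r"Kernel restarting unit$", "restart"),
    (r"Ping (?P<interface_name>\S+) down$", "link_down"),
    (r"PPP (?:chap|pap) inbound call failed$", "auth_fail"),
    (r"Telnet failed login from (?P<ip_address>\S+)$", "auth_fail"),
    (r"Telnet login from (?P<ip_address>\S+)$", "auth_ok"),
]
COMPILED = [(re.compile(p), cat) for p, cat in PATTERNS]
LINE_RE = re.compile(
    r"<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)")


def parse_line(line):
    """Return an event dict for one syslog line, or None if it is not syslog-shaped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {
        "severity": SEVERITY.get(int(m.group("pri")) & 7, "Other"),
        "host": m.group("host"),
        "message": m.group("msg"),
        "category": "unknown",
        "fields": {},
    }
    for rx, cat in COMPILED:
        hit = rx.match(event["message"])
        if hit:
            event["category"], event["fields"] = cat, hit.groupdict()
            break
    return event


def analyse(lines, telnet_threshold=3, ike_threshold=2):
    """Classify every line; return (events, alerts)."""
    events = [e for e in map(parse_line, lines) if e]
    telnet_fail = Counter(e["fields"]["ip_address"] for e in events
                          if e["category"] == "auth_fail" and "ip_address" in e["fields"])
    ike_bad = Counter(e["fields"].get("destination", "unknown peer")
                      for e in events if e["category"] == "ike_invalid")
    alerts = [f"{n} failed Telnet logins from {ip}"
              for ip, n in telnet_fail.items() if n >= telnet_threshold]
    alerts += [f"{n} invalid IKE messages from {peer} (wrong key or probe)"
               for peer, n in ike_bad.items() if n >= ike_threshold]
    for e in events:
        if e["category"] == "restart":
            alerts.append(f"{e['host']} restarted")
        elif e["category"] == "replay":
            alerts.append(f"out-of-order or replayed IPsec packets from {e['fields']['destination']}")
    return events, alerts


# Constructed sample input; not captured from a real unit.
SAMPLE = """\
<13>Jan  5 22:01:03 cbaunit Telnet failed login from 203.0.113.7
<13>Jan  5 22:01:09 cbaunit Telnet failed login from 203.0.113.7
<13>Jan  5 22:01:15 cbaunit Telnet failed login from 203.0.113.7
<13>Jan  5 22:01:40 cbaunit Telnet login from 192.168.1.20
<12>Jan  5 22:02:02 cbaunit invalid main mode message from 198.51.100.9
<12>Jan  5 22:02:05 cbaunit invalid payload format
<12>Jan  5 22:02:08 cbaunit invalid main mode message from 198.51.100.9
<13>Jan  5 22:03:00 cbaunit phase 1 completed with 198.51.100.44
<12>Jan  5 22:03:30 cbaunit receive bad sequence 198.51.100.44 1042 1040
<9>Jan  5 22:04:00 cbaunit Kernel restarting unit
"""

if __name__ == "__main__":
    events, alerts = analyse(SAMPLE.splitlines())
    for e in events:
        print(f"{e['severity']:8} {e['category']:12} {e['message']}")
    print("alerts:", *alerts, sep="\n  ")
```

Because "invalid payload format" carries no peer address, it is counted separately as "unknown peer" rather than being attributed to the last peer seen; when adapting this for a real collector, forward all priorities from Notice upward to the SYSLOG host you configure in the procedure above, and keep the thresholds low for a small branch unit that should see very few Telnet logins at all.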
134. ation.
• Aggressive mode. In an aggressive mode connection, the name of the tunnel interface is sent as the source ID in the initial proposal. This allows the remote gateway to identify the incoming connection by name rather than by IP address, and it can therefore be used with dynamic IP addresses. The CVS software has implemented aggressive mode for non-Contivity clients to support more client implementations. Contivity Branch Access leverages this capability to act as a single-user client on behalf of the network (many-to-one NAT).

Using perfect forward secrecy (PFS)
Perfect forward secrecy (PFS) means that the compromise of a single key permits access only to data protected by that key. The PFS setting between the Contivity Branch Access unit and the CVS must match. The Contivity Branch Access unit responds to a phase 2 key exchange performed by the destination regardless of this setting. Note that PFS also incurs significant additional computational overhead, which you may want to avoid unless you understand the security implications and PFS is required: without PFS, anyone who obtains the phase 1 keying material can derive every phase 2 key negotiated under it, so weigh that exposure against the overhead before turning PFS off.
The default setting for PFS depends on whether you add an IPsec tunnel for another Contivity Branch Access unit or for a CVS. When connecting to another Contivity Branch Access unit, the default is off; when connecting to a CVS, the default is on.
To enable PFS:
1 Start Setup and, if prompted, select a unit to configure.
2 In th
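The point about PFS is easier to see in code. The following Python model, an added example that is not Nortel code, derives phase 2 keying material the way RFC 2409 section 5.5 describes it, once without and once with the extra quick-mode Diffie-Hellman exchange that PFS adds, and then shows what an attacker who has obtained SKEYID_d (the phase 1 derivation key) can recover from a captured exchange. The Diffie-Hellman group, the HMAC-SHA-256 pseudo-random function, and the fixed private values and nonces are simplifications chosen so the run is reproducible; a real implementation uses a large group, the negotiated hash and random values. It also models the behaviour noted above: the responder performs the quick-mode exchange whenever the initiator includes one, regardless of its own setting.

```python
"""Phase 2 keying material with and without PFS (after RFC 2409 section 5.5).
Added example, not Nortel code.  Simplifications: a toy DH group, HMAC-SHA-256
as the prf, fixed private values and nonces.  The responder follows the
initiator: if a KE payload arrives it does the extra DH, whatever its own setting."""
import hashlib
import hmac

P = 2**127 - 1          # toy prime modulus; real IKE groups are 1024 bits or more
G = 5
ESP = b"\x03"           # IPsec DOI protocol ID for ESP


def prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def dh_public(priv: int) -> int:
    return pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    return pow(peer_pub, priv, P)


def phase1_skeyid_d(psk, ni, nr, shared, cky_i, cky_r):
    """SKEYID = prf(psk, Ni|Nr); SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)."""
    skeyid = prf(psk, ni, nr)
    return prf(skeyid, to_bytes(shared), cky_i, cky_r, b"\x00")


def phase2_keymat(skeyid_d, spi, ni, nr, qm_shared=None):
    """Without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b).
    With PFS the fresh quick-mode secret g(qm)^xy is prepended."""
    head = to_bytes(qm_shared) if qm_shared is not None else b""
    return prf(skeyid_d, head, ESP, spi, ni, nr)


def quick_mode(skeyid_d, spi, ni, nr, pfs, x=None, y=None):
    """One phase 2 exchange.  Returns (initiator_key, responder_key, transcript),
    where the transcript is what a passive attacker can capture: SPI, nonces
    and, with PFS, the two public DH values carried in KE payloads."""
    transcript = {"spi": spi, "ni": ni, "nr": nr, "ke": None}
    if not pfs:
        k = phase2_keymat(skeyid_d, spi, ni, nr)
        return k, k, transcript
    ke_i, ke_r = dh_public(x), dh_public(y)
    transcript["ke"] = (ke_i, ke_r)
    k_i = phase2_keymat(skeyid_d, spi, ni, nr, dh_shared(x, ke_r))
    k_r = phase2_keymat(skeyid_d, spi, ni, nr, dh_shared(y, ke_i))
    return k_i, k_r, transcript


def attacker_recovers(skeyid_d, transcript):
    """Attacker holding SKEYID_d (for example from a compromised phase 1 state)
    plus the captured transcript.  Without KE payloads the key follows directly;
    with them, g(qm)^xy is only obtainable by solving a discrete logarithm, so the
    attacker has nothing to compute with and returns None."""
    if transcript["ke"] is not None:
        return None
    return phase2_keymat(skeyid_d, transcript["spi"], transcript["ni"], transcript["nr"])


def demo():
    """Two phase 2 SAs under one phase 1 SA: the first without PFS, the second with."""
    skeyid_d = phase1_skeyid_d(b"branch-psk", b"Ni", b"Nr",
                               dh_shared(11, dh_public(23)), b"\x01" * 8, b"\x02" * 8)
    sa1 = quick_mode(skeyid_d, b"\x00\x00\x10\x01", b"qNi1", b"qNr1", pfs=False)
    sa2 = quick_mode(skeyid_d, b"\x00\x00\x10\x02", b"qNi2", b"qNr2", pfs=True, x=101, y=77)
    return {
        "sa1_peers_agree": sa1[0] == sa1[1],
        "sa1_recovered": attacker_recovers(skeyid_d, sa1[2]) == sa1[0],
        "sa2_peers_agree": sa2[0] == sa2[1],
        "sa2_recovered": attacker_recovers(skeyid_d, sa2[2]) == sa2[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The extra modular exponentiations in quick_mode are the computational overhead the text refers to; what they buy is visible in the last line of the result, where the attacker holding SKEYID_d recovers the first SA's key and not the second's.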
135. ation request and response settings, and why requests are not sent from the cache. Experiment with the various expiration options and monitor the Web Cache Statistics page to determine the best settings for your organization's Web usage.
When you evaluate the cache statistics, consider the following:
• Hit Rate Statistics. The hit rate displays the number of times the Contivity unit returned information from the cache rather than from a Web server. Expect a hit rate of between 25% and 45%. A high percentage indicates that information is being sent from the cache and the Contivity unit is operating efficiently. If the hit rate is lower, do any of the following:
  Move up one cache level (for example, from Moderate to Aggressive) and see if the change increases the hit rate.
  Review the statistics for Why requests are not served from the cache and adjust the settings to increase the number of hits.
• Single Hit Statistics. If the statistic for a single hit is high (the 1 request statistic in the Cache entry request count area), the Web entries are being requested only once, which decreases the cache statistics. Web caching is most effective when multiple users request the same Web content. Typically, when the statistics for entries with a single hit are 70% or less, the cache statistics are higher (40% to 50% hit ra
136. c IP Address box. This address must be usable on the CVS's private network, but there are no restrictions in terms of whether the address is public, private, or even a native part of the CVS's private network. This address should be the same as the static address in the Contivity Branch Access setup. Do not add a subnet mask.
b In the User Account area, assign a user ID and password in the appropriate IPsec boxes. The user ID and password must match the ones given on the other end of the tunnel.
c Click OK.
11 Ensure that another router on the CVS's private network has a static route for the client address with a destination of the CVS's private address. You can also use proxy ARP, or use the client address redistribution (CAR) feature on the CVS (version 3.60 or later), to announce the client route to another router.

Configuring the Contivity Branch Access unit as a non-Contivity client
To configure the Contivity Branch Access unit as a non-Contivity client:
1 Start Setup and, if prompted, select a unit to configure.
2 In the main Setup window, click Add.
3 In the Select Connection Type dialog box (Figure 16 on page 64), click IPsec.
4 In the Select Connection Device dialog box (Figure 17 on page 65), click Contivity.
5 In the Select Type of Connection dialog box (Figure 17 on page 65), click Client. The IPsec Configuratio
137. can configure, if your unit has a dual analog modem, the number of lines and bandwidth-on-demand settings.

Setting the number of lines
If your unit has a dual analog modem, you can specify how many lines to use. Typically, you should leave the default setting of two. However, if your ISP does not support the PPP Multilink Protocol (MP) over analog lines, only one modem line is used and you must change the default hardware setting from two lines to one line.
To set the number of lines for a dual analog modem: In the Dialup Configuration dialog box (Figure 120 on page 285), select 1 or 2 from the Number of lines list, and then click OK.

Enabling bandwidth on demand
You can set the dial and hang-up thresholds and the demand timeout for the dial-up connection. This option is available only if you set the number of lines to 2.
To enable bandwidth on demand:
1 Click Advanced. The Dialup Configuration advanced dialog box opens (Figure 121 on page 287).
2 Select the Dial on demand check box.
3 Enter the following information:
• Dial threshold: Enter the percentage of bandwidth that must be in use before an additional interface can dial.
• Hangup threshold: Enter the percentage of bandwidth below which an interface hangs up.
• Timeout: Enter the number of minutes or seconds of inactivity over the dial-up connection after which Contivity Branch Access terminates
139. ce. For an Internet Service Provider (ISP), a POP is a local number that a user can call to connect to the ISP.
POP3  The most recent version of the Post Office Protocol, which provides clients access to e-mail.
port  A 16-bit identifier that transport protocols use to distinguish between multiple destinations within a given host computer (endpoint).
POTS  Plain Old Telephone Service. The standard phone service that most homes use.
PPP  Point-to-Point Protocol. Protocol between the terminal and the router; a communications protocol that provides dial-up access to the Internet.
PPPoE  Point-to-Point Protocol over Ethernet. A type of Internet connection that enables you to select from a variety of different Internet service providers in Ethernet-like environments, for example a cable modem, xDSL or wireless environment.
proxy server  A server that acts on behalf of another.
protocol  A formal set of rules, developed by international standards bodies, LAN equipment vendors or groups, governing the format, control and timing of network communications.
provider  An Internet Service Provider that offers Internet access and services to its customers. Access can be provided through dial-up, ISDN or leased lines (T1, E1, DDS, V.35 or X.21). Services include mail, newsreader servers, and FTP and Web servers maintained on behalf of clients.
raw socket  A type of socket distinct from TCP or UDP
141. ching server access (transparent). Contivity Branch Access functions as a Layer 4 (L4) switch to transparently accommodate an external Web caching device.
Figure 1 provides an example of how you can connect your Contivity unit in your network.
Figure 1 Connecting the Contivity unit in a network (cable/DSL modem)

Advanced routing
Advanced routing features can create multiple subnets per interface and integrate smoothly with the Layer 2 (L2) switch to:
• Add more demilitarized zone (DMZ) type functions to the existing DMZ Ethernet interface through the 10/100 seven-port Ethernet switch
• Integrate with Routing Information Protocol (RIP and RIP2)
• Update the system time with Network Time Protocol (NTP) services
• Provide Dynamic Host Configuration Protocol (DHCP) services through internal DHCP servers as well as via DHCP relay to central office DHCP servers, Domain Name Service (DNS) proxy caching, and many others

High-performance throughput
As a high-performance solution, Contivity Branch Access keeps up with any proposed broadband and routing requirement, with in excess of 200 Mb/s full-duplex routing throughput, capable of saturating the Fast Ethernet links provided by all Ethernet ports on the unit.

Virtual private network (VPN)
t
142. col (RIP) allows a router to select the best path for sending packets, to help speed up data transfer. Every 30 seconds, all routers configured to use RIP broadcast a message that contains their own destination network addresses and the number of hops it takes to get to them (hop count), as well as the destination network addresses and associated hop count of any neighboring routers that they have been in contact with. The routers then use the information gathered from these broadcasts to determine whether or not a network is reachable and how far away it is, and so to determine the best route on which to send a packet.
RIP version 1 has no authentication, and the dialog below offers none for version 2 either, so any host on an interface from which announcements are accepted can advertise a short path and redirect the unit's traffic through itself. Accept announcements only on interfaces where every router is under your control, and not on the interface facing the ISP.
To configure RIP:
1 Start Setup and, if prompted, select a unit to configure.
2 Choose Support > RIP's. The RIP's dialog box opens (Figure 109).
Figure 109 RIP's dialog box (check box Accept announcements from other Routers; interface list dialup, eth, pppoe2; Version options V1, V2 Broadcast, V2 Multicast)
3 In the Accept Announcements from other Routers check box, do one of the following:
• Clear the check box to ignore announcements from other routers.
• Place a check mark in the check box to accept announcements from another router.
Note: Accepting announcements applies to all forms of RIP (V1, V2 Broadcast or V2 Multicast).
4 To specify the interface(s) from which you want to accept announcements, select the Announce check box and then do the foll
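The following Python model of the RIP update rule, added here as an example and not code from the Nortel product, shows why the per-interface acceptance setting matters: the unit installs whichever announced path has the lowest hop count, so a rogue host on an interface from which announcements are accepted can pull traffic to itself with a single short announcement, while the same announcement on an interface that is not accepted changes nothing. The routing table, interface names, neighbour addresses and prefixes are constructed; hop count 16 denotes unreachable as in RIP, and split horizon is applied when advertising.

```python
"""Distance-vector (RIP) route update with per-interface acceptance of
announcements.  Added example, not Nortel code.  Interfaces, neighbours and
prefixes are constructed; the unit's real RIP implementation is not shown."""
INFINITY = 16   # RIP hop count meaning "unreachable"


class RipTable:
    def __init__(self, accept_from):
        self.accept_from = set(accept_from)   # interfaces whose announcements are accepted
        self.routes = {}                      # prefix -> (hops, next_hop, interface)

    def add_connected(self, prefix, interface):
        self.routes[prefix] = (0, None, interface)

    def receive(self, interface, neighbour, announcements):
        """Process one announcement (list of (prefix, hops)) from a neighbour.
        Returns the prefixes whose entry changed."""
        if interface not in self.accept_from:
            return []                       # announcements on this interface are ignored
        changed = []
        for prefix, hops in announcements:
            metric = min(hops + 1, INFINITY)
            current = self.routes.get(prefix)
            if current is None:
                if metric < INFINITY:       # new reachable prefix
                    self.routes[prefix] = (metric, neighbour, interface)
                    changed.append(prefix)
            elif metric < current[0] or (current[1] == neighbour and metric != current[0]):
                # better path, or the current next hop reports a changed (even worse) metric
                self.routes[prefix] = (metric, neighbour, interface)
                changed.append(prefix)
        return changed

    def advertise(self, interface):
        """Routes to announce on an interface, with split horizon: routes learned
        on that interface are not announced back out of it."""
        return [(p, h) for p, (h, _, i) in self.routes.items() if i != interface]

    def next_hop(self, prefix):
        entry = self.routes.get(prefix)
        return entry[1] if entry else None


def demo(accept_from):
    """The LAN router announces 10.0.0.0/8; a rogue host on the ISP-facing interface
    then announces the same prefix (and the LAN itself) with a better hop count."""
    t = RipTable(accept_from)
    t.add_connected("192.168.1.0/24", "eth")
    t.receive("eth", "192.168.1.254", [("10.0.0.0/8", 1)])
    t.receive("pppoe2", "198.51.100.66", [("10.0.0.0/8", 0), ("192.168.1.0/24", 0)])
    return t


if __name__ == "__main__":
    for accept in ({"eth", "pppoe2"}, {"eth"}):
        t = demo(accept)
        print(sorted(accept), "-> 10.0.0.0/8 via", t.next_hop("10.0.0.0/8"),
              "| 192.168.1.0/24 via", t.next_hop("192.168.1.0/24"))
```

With announcements accepted on pppoe2 the route to 10.0.0.0/8 moves to the rogue next hop; the directly connected LAN prefix survives only because a connected route has hop count 0 and nothing announced can beat it. With acceptance limited to eth the rogue announcement is discarded before it is evaluated.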
143. configured the ISDN connection. If you select this option, enter the local phone numbers for the two B channels. Click OK.

Configuring advanced communication settings for a dial-up connection
If you have an analog or dual analog modem interface on the Contivity unit, you can configure a backup connection phone number, inactivity timeout, modem speaker settings, bandwidth-on-demand settings (dual analog only), and number of lines (dual analog only). You configure these settings through the Dialup Configuration dialog box.
To open the Dialup Configuration dialog box:
1 Start Setup and, if prompted, select a unit to configure.
2 In the Interfaces area, select the dial-up interface and then click Configure. The Dialup Configuration dialog box opens. If you have a single analog modem, the dialog box looks like the one in Figure 119. If you have a dual analog modem, the dialog box looks like the one in Figure 120.
Figure 119 Dialup Configuration dialog box (options: Obtain an IP address from ISP / Specify an IP address; Address translation; Inactivity timeout mins/secs; Advanced; Cancel)
Figure 120 Dialup Configuration (dual analog) dialog box (fields: Backup Phone, User ID, Password, Obta
144. control list for the group or user.
Figure 40 Change Internet Access dialog box (title: Change Internet Access of Robin)
4 Click Add. The Add Internet Access dialog box opens (Figure 41).
Figure 41 Add Internet Access dialog box
Table 9 describes the items in the Add Internet Access dialog box.
Table 9 Add Internet Access dialog box items
Item: Description
Allow: Allows access.
Do not allow: Denies access.
Host Name: Enter a host name for which you are defining access.
Lookup IP Address: If you do not know the IP address of a host name, you can enter the host name and then click Lookup IP Address. Contivity Branch Access looks up the IP address of the specified host name.
Type: TCP (connection-oriented), UDP (connectionless), or Both (TCP and UDP).
IP Address: Enter the IP address of the host name. If you do not know the IP address, you can enter the host name and select the Lookup IP Address button. Contivity Branch Access looks up the IP address of the specified host name.
Port: Select a port number.
Note: You can define access to a host name without specifying its corresponding IP address or addresses. Some sites change their IP addresses regularly, so t
145. …control that user's Internet access.

Deleting a user

To delete a user:
1. From the List of Users, select the user you want to delete.
2. On the toolbar, click Delete. A confirmation message box opens (Figure 32).

Figure 32: Delete user confirmation message box ("Delete user Robin?" with Yes/No buttons)

3. Click Yes to verify the deletion.

Deleting a group

To delete a group:
1. From the List of Groups, select the group folder.
2. On the toolbar, click Delete. A confirmation message box opens (Figure 33).

Figure 33: Delete group confirmation message box ("Delete group Texas?" with Yes/No buttons)

3. Click Yes to confirm the deletion.

Managing users and groups

You can view a list of all users and groups in the Admin window. Icons displaying a figure represent a user; those displaying a folder represent a group of users.

Note: The procedures and instructions in this section also apply to the users and groups adopted from the directory services of your network.

To display all users, either click the Users toolbar button or choose Users > View User List from the menu bar. The Admin main window displays the following information:
- List of Users
- Groups the User Is In
- Groups the User Is Not In
146. …d documentation. Then locate the specific category and model or version for your hardware or software product. Use Adobe Acrobat Reader to open the manuals and release notes, search for the sections you need, and print them on most standard printers. Go to Adobe Systems at the www.adobe.com URL to download a free copy of the Adobe Acrobat Reader. You can purchase selected documentation sets, CDs, and technical publications through the Internet at the www1.fatbrain.com/documentation/nortel URL.

How to get help

If you purchased a service contract for your Nortel Networks product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance. If you purchased a Nortel Networks service program, contact one of the following Nortel Networks Technical Solutions Centers:

Technical Solutions Center: Telephone
EMEA: (33) (4) 92-966-968
North America: (800) 4NORTEL or (800) 466-7835
Asia Pacific: (61) (2) 9927-8800
China: (800) 810-5000

An Express Routing Code (ERC) is available for many Nortel Networks products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate an ERC for your product or service, go to the www.nortelnetworks.com/servsup URL. Click the Tools menu item and then click Express Routing Codes under the Ot…
147. …d mode is a standard ping with no other special provisions. This mode sends a ping to the specified destination, which initiates a connection if required, and is considered to be activity. The receipt of a response, or the lack of one, has no effect on system operation.

To configure a ping:
1. Start Setup and, if prompted, select a unit to configure.
2. Choose Support > Pings. The Pings dialog box opens (Figure 4).

Figure 4: Pings dialog box

3. Click Add. The Ping Configuration dialog box opens (Figure 5).

Figure 5: Ping Configuration dialog box (fields: Length, Interval, Timeout, Type: Monitor / Control / Background)

4. Enter the following information:
- IP address/host: Enter the IP address or host name of the remote end you want to ping. When using ping from one Contivity Branch Access unit to another Contivity Branch Access unit, it is best to select the private address of the remote Contivity Branch Access unit to ping. When using ping from a Contivity Branch Access unit to a CVS, it is best to select the private address of the CVS to ping.
- Length: Enter the length of the data packet. This box is normally left blank so that the shortest possible packet is used.
- Interval: Enter the number of…
149. …ddress of the specified interface whenever it changes. For more information on using Dynamic DNS, refer to "Using Dynamic DNS" on page 204.

Enabling diagnostic IP tools

Contivity Branch Access has several diagnostic tools available. These tools are automatically set up during installation. Typically you will use these diagnostic tools for troubleshooting at the direction of technical support personnel.
- Chargen: A diagnostic service that generates a test pattern (characters) at the maximum possible rate. The default is to leave this option turned off.
- Discard: A diagnostic service that discards any message or packet sent to it. The default is to leave this option turned off.
- Echo: A diagnostic service that returns any message or packet sent to it. The default is to leave this option turned off.
- Ident: A service that validates the sender of a message or packet. This service allows a server to which the workstation is already connected to identify the true user name of the internal device. The default is to leave this option turned on.
- SNMP: A service that permits authorized SNMP management systems requesting an SNMP get to receive the standard Management Information Base II (MIB-II) variables. For details, refer to "Defining the SNMP community string for get request…
150. …ddresses, and you are using the seven-port Ethernet switch: Eth1 for your LAN and Eth2 for your DMZ.

To configure the interface for the DMZ:
1. Start Setup and, if prompted, select a unit to configure.
2. Click Add.
3. Click Network. The Enter IP Information for Interface dialog box opens (Figure 113).

Figure 113: Enter IP Information for Interface dialog box (Enter IP Information for Eth2: "Enter a numeric IP address from the pool of addresses on your LAN to be used by the Instant Internet unit. The subnet mask is automatically generated and normally does not require changing.")

4. In the IP Address box, enter 134.177.3.1 as the IP address for the Contivity unit on the DMZ subnet.
5. Click the Subnet Mask box. A default subnet mask of 255.255.255.0 is entered.
6. Click OK.

To publish the server:
1. In the Setup main window, choose Support > Server Publication. The Server Publication dialog box opens (Figure 93 on page 206).
2. Click Add. The Server Publication Configuration dialog box opens (Figure 94 on page 206).
3. Enter the following information:
- Protocol: Choose TCP.
- Public Address: Enter 134.177.3.28.
- Public Port: Choose www (80).
- Private Address: Enter 134.177.3.28.
- Private Port: Choose www (80).
4. Click OK. You return to the Server Publication dialog b…
151. …determine which Web site requires cookies and then enable cookies for that Web site.

When a user has trouble accessing a particular Web site because cookies are required, you must first determine which site requires cookies. The most efficient way to do this is to sort the Web site list by most recent access (refer to "Sorting the Web sites list" on page 263) and look for Web servers that are serving cookies and have a Web site name related to the problem site. Sorting by most recent access is helpful because the actual Web site serving cookies is often not the Web site name. For example, a user trying to access the Web site www.abcnews.com may receive a message that cookies are required, but the actual site that requires the cookie may be www.my.myabc.com. When you identify the site, click the site name in the list to configure site-specific options for that Web site to enable cookies (refer to "Enabling cookies for a particular Web site" on page 262), and then have the user try to access the Web site again. If the user is still unable to access the site, you may need to bypass the cache for that Web site. For details, refer to "Bypassing the cache for a Web site" on page 267.

Enabling cookies for a particular Web site

If you block cookies for all unconfigured Web sites, you can later enable a particular Web site to set cookies on client workstations and enable clients to return cookies to the site.
152. …diving.com
GGALLEGOS  Start Node  206.210.192.143
GCONRAD  Proxy Connect  0  www.cnnfn.com
RKERRY  Proxy Connect  0  ph-ad21.focalink.com
SBRAND  Proxy Connect  0  www.cnnfn.com
LMEDINA  Proxy Connect  0  images.cnnfn.com
LMEDINA  Proxy Connect  0  www.cnnfn.com
LMEDINA  Proxy Connect  0  adforce.imgis.com

Table 20 describes the information available in the Log window for each selected Contivity unit.

Table 20: Log statistics
Item: Information
Time: Shows the time and date of the activity.
Name: Shows the name of the user. When a user starts a task before you enable the monitoring feature, the IP address is displayed here.
Event: The type of event.

Log toolbar buttons

When the Log window is active, you can select any of the toolbar buttons described in Table 21.

Table 21: Log window toolbar buttons
Button: Description
Refresh: Refreshes the display to view up-to-the-minute information for the selected Contivity unit.
Clear: Clears all data from the log. After you select Clear, there is no user activity shown in this log until the next access.
Export: Exports data to a specified file for use at a later date. This option is useful before clearing the connection log.

Log menu

The Log menu contains options for the Log toolbar buttons as well as the following options:
- Lookup Addresses: Changes the IP addresses to their ho…
153. …dress. For examples, refer to "Example: Publishing an SMTP server when the Contivity unit has a static IP address" on page 207, "Example: Publishing a Web server when the Contivity unit has a dynamic IP address" on page 208, and "Example: Publishing a server for NetMeeting" on page 210.
5. Click OK.

Example: Publishing an SMTP server when the Contivity unit has a static IP address

In this example, you are setting up a server that has a static IP address to be reachable from the Internet. Contivity Branch Access has set up the IP network, and the LAN addresses have IP addresses such as 192.168.1.nnn, where nnn is a number between 0 and 255. The Contivity unit's client-side IP address is 192.168.1.1. The SMTP server is on the LAN and has the address 192.168.1.10. The Contivity unit's public address is 134.177.3.28, provided by an ISP.

To publish the server, you assign the Contivity unit's public address (134.177.3.28) as the public address and smtp (25) as the port to the list of server publications. The server's private address is 192.168.1.10, port smtp (25). The published server information should look similar to that in Figure 95 for this example.

Figure 95: Example: Publishing an SMTP server (Server Publication dialog box columns: Protocol, Public IP Address, Port, Private IP Addre…
154. …dress: The IP address of another router, reachable on the specified interface, to which packets to the destination should be forwarded.
Metric: The order used when there are multiple paths. A lower number gets higher precedence. The default is 1. If you do not specify a gateway address, it is assumed that the destination is directly reachable on the specified interface, in which case the metric defaults to 0.
5. In the main Setup window, click Save and Exit.

Configuring IP forwarding

IP forwarding allows the Contivity unit to route IP addresses without modification. Enabling IP forwarding allows all routable IP traffic through with no filtering unless filters are defined. By default, IP forwarding is disabled. If you want to configure IP security (IPsec) for a virtual private network (VPN), IP forwarding must be enabled.

Note: IP forwarding can compromise your network's security. If you decide that IP forwarding is necessary to meet your needs, be aware of the security risks to any computer with a real TCP/IP stack that has an Internet-routable IP address.

Enabling IP forwarding

If you have a network interface, you can enable IP forwarding. By default, if two TCP/IP interfaces are configured on the Contivity unit, IP traffic cannot pass between them. The two interfaces are totally independent IP networks.
155. …during your company's normal business hours. For example, if your company's business hours are Monday through Friday from 8 AM to 5 PM, select each weekday and set the start time to 8:00 AM and the duration to 9 hours and 00 minutes. The same time is used for each selected day.

Note: Disable active refresh, or limit its use, if you pay Internet access fees based on usage time.

To enable active refresh and set refresh options:
1. On the Home page, click Web Cache. The Web Cache page opens.
2. On the Web Cache page, click Configure. The Web Cache Configuration page opens.
3. In the Active Refresh area, click Options. The Active Refresh Options page opens.
4. Select the Enable Active Refresh check box and then configure active refresh settings. Click Help for more information about each field on any page.

Interpreting active refresh statistics

The active refresh statistics display the number of Web entries the cache server actively retrieved from originating Web servers so that the entries were available in the cache when a user requested them. The percent displays the percentage of active refresh entries that have been accessed by users since the entries were refreshed. Users would have to wait to retrieve the entries if active refresh is disabled. Expect a hit rate of between 40 and 60 percent, but the percentage will vary based on usage. A high percentage indicates that users a…
156. …dynamic or fixed IP-addressed accounts and with any alternative connectivity.

IPX networks

An IPX network is automatically secure because there is no IP traffic on the network. In this type of network, the Contivity Branch Access management software provides quick and easy access to the Internet. For IPX networks with IPX workstations, Contivity Branch Access supports up to 250 application sessions. This means that IPX workstations can access the Contivity unit using up to 250 application instances.

Services Contivity Branch Access provides

Table 1 describes the services that Contivity Branch Access provides for IP networks.

Table 1: Services Contivity Branch Access provides
Service: Features
Address Translation: The address translation service enables the Contivity unit to act like a standard router by routing IP information from one location to another. This service enables the Contivity unit to go beyond the simple routing role by translating illegal (reserved, private) LAN workstation IP addresses into legal IP addresses. Address translation supports the IPsec Encapsulating Security Payload (ESP) protocol.
Alarms: System log (SYSLOG) messages and Simple Network Management Protocol (SNMP) traps broadcast alarms to third-party daemons for real-time system updates.
Client Login: Contivity Branch Access provides for user identification with your existing LAN directory to annotate logging a…
158. …e Internet access. For example, Peter is a member of the group New Hires, which has access to the Internet on Monday through Friday from 10 a.m. to 2 p.m. Peter is also a member of the group Development, which has unlimited access to the Internet. With Admin, Peter has Internet access on Monday through Friday from 10 a.m. to 2 p.m. only, because that is the most restrictive. You can view the access effectively applied to the user's access to the Internet. Refer to "Viewing effective user access" on page 97.

When a user accesses Contivity Branch Access, the software searches the user database in this sequence:
1. The software determines if the user has a Contivity Branch Access user profile.
2. The software determines if the user's groups are configured as Contivity Branch Access groups. If the user has a Contivity Branch Access user profile or is a member of one or more Contivity Branch Access groups, the software uses the most restrictive access attributes.
3. If the software finds no Contivity Branch Access group or user profile for the user, it designates the default Contivity Branch Access user profile settings as the user's Internet access settings.

Note: Any users not assigned specifically to a group, or who do not have a Contivity Branch Access user profile, automatically assume the default Contivity Branch Access user profile and are identified by their IP addre…
159. …e Contivity unit as the DNS proxy server be used by all SOCKS workstations. In this case, requests to resolve restricted host names are refused, preventing the workstation from making the connection. Since the DNS proxy is typically used in conjunction with the SOCKS server to provide complete isolation of the local network from the Internet, few problems should occur.

Configuring socksified applications

Contivity Branch Access supports applications configured to use SOCKS (SOCKS-enabled, or "socksified", applications). Configuring workstation software varies for each application. See your software documentation for specific instructions on configuring workstation software. You typically need to provide the following information:
- IP address of the SOCKS server: The IP address is shown in the Interfaces list box and is associated with the LAN router interface.
- Domain name: You need to set up the Contivity unit as a DNS proxy server in order to keep access control for host names.
- SOCKS proxy port: This port is currently required to be 1080, which is the well-known port for SOCKS servers.
- SOCKS protocol version: Contivity Branch Access supports both SOCKS versions 4 and 5. If SOCKS is required, select the latest version supported by your application.
- Authentication method: If SOCKS Version 5 is supported, you may have the option of selecting authentication methods. Contivity Branch…
160. …e IP address and mask, such as 192.168.1.1/24. You can add an alias interface to Eth to provide an additional address and mask so that two different IP networks are operating on the same physical interface. This is desirable in some cases where public and private addresses are used on a single LAN and an additional LAN segment is not available, such as with a Contivity 100 unit.

To add an alias to your Contivity unit:
1. Start Setup and, if prompted, select a unit to configure.
2. Click Add.
3. Click Alias. The Enter Alias Name and IP Address and Select Interface dialog box opens (Figure 110).

Figure 110: Enter Alias Name and IP Address and Select Interface dialog box (fields: IP address, Subnet mask; "Enter the name of the alias and select the interface. Enter a numeric IP address from the pool of addresses on your LAN to be used by the Instant Internet unit. The subnet mask is automatically generated and normally does not require changing.")

4. Enter the following information:
- Name: Enter a unique name for the interface.
- Interface: Select the interface to which the alias will be added.
- IP Address: Enter the alias IP address for the interface.
- Subnet Mask: Enter the alias subnet mask for the interface. The default is 255.255.255.255.
5. Click OK. You return to…
161. …(dialog box residue: Enable IP forwarding; Enable Token Ring source routing; Disable Eth1 interface at: Disable time / Enable time; Notify DNS server of Eth interface address change: Name / DNS address)

3. Do any of the following:
- Enable IP Forwarding: Select this check box to enable IP forwarding for the interface.
- Enable Token Ring Source Routing: Select this check box to enable source routing for the interface. This option is available only for a token ring interface.
- Disable <interface> interface at: Specify the time that Internet access is not available. This option is useful if you do not want to permit Internet access during certain times of the day. Enter a time for the interface to be disabled (Disable time) and a time for it to be enabled (Enable time).
- Notify DNS server of <interface> address change: Specify the following:
  Name: Enter a fully qualified domain name (FQDN) for your Contivity unit. When a user connects to your unit, for example to access public servers or a VPN tunnel, the user enters this name and is directed to your unit. This name should be non-obvious, for example www.n4o5r6t7e81.com.
  DNS address: Enter the IP address of the Dynamic DNS server. When you enter this information, Contivity Branch Access notifies the DNS server with the IP a…
162. …e Interfaces area, select the IPsec interface for which you want to modify the PFS.
3. Click Configure. The IPsec Configuration dialog box opens (Figure 2).

Figure 2: IPsec Configuration dialog box (fields: Key, Destination, Mode: Main / Aggressive, NAT-T, PFS, Timeout (minutes), Source IP address, Local Addresses, Remote Addresses, Encryption: DES / null, Authentication: MD5 / SHA / null, Default Network, Connection: Monitor / Control)

4. Select the PFS check box to enable perfect forward secrecy. To disable PFS, clear the check box.
5. Click OK.

Using the default network specification

Contivity Branch Access has an IPsec form of default network. This default network is used to select the Contivity Branch Access unit's source address for a packet whose destination is at the other end of an IPsec tunnel. This feature allows Contivity Branch Access to participate in its own IPsec tunnels for its own services, such as DNS and proxies. You can also combine the default network command with NAT so that all addresses can be translated to a single source address that is also a valid source address in an IPsec tun…
166. …e one used on the other end of the tunnel.
- Key: Enter a key for the tunnel. The key is the password for the tunnel and must be mutually agreed upon by both Contivity Branch Access units. A key cannot begin with a backslash.
- Destination: Enter the remote Contivity Branch Access unit's public address or fully qualified domain name (FQDN). If you specify an FQDN, it is resolved each time a connection is initiated.

In the Local Addresses area, click Add to enter the IP addresses of a local network allowed to participate in the tunnel. For details, refer to "Managing local and remote IP addresses" on page 41. You can specify an address here to force a packet to go through the tunnel. The default local address is that of your LAN.

In the Remote Addresses area, click Add to enter the IP addresses of the remote site that are allowed to participate in the tunnel. For details, refer to "Adding a local or remote IP address" on page 41.

Click OK. The Monitor Connection dialog box opens (Figure 14).

Figure 14: Monitor Connection dialog box

10. Do one of the following:
- If you do not want to monitor or control the connection, click No. Skip to step 13.
- If you want to monitor or control the connection, click Yes. The Enter Monitor/Control Connection Information dialog box opens (Figure 15). Continue with step 11.

Figure 15: Enter Monitor/Con…
167. …e types of users are identified in Admin by their IP address. Users that do not have the iiLogin workstation identification use the Internet access settings for the Default user. However, if you want to control their access, you can create a wildcard user with a name that reflects the IP address of these users. For instructions on how to create a new user, refer to "Creating a new user or group" on page 89.

For example, you may assign the IP addresses 192.0.0.130, 192.0.0.131, and 192.0.0.132 to guest workstations. Using the IP address 192.0.0.* (* is the wildcard character) for your wildcard user will allow you to control these accesses as a group. Only users identified in Admin by an IP address that falls in that range are affected by the access controls you place on this wildcard user. All other users are affected by either the Default User's access controls or other access controls you may have set for them, even if their IP address falls in the range of the wildcard user.

Creating and removing users and groups

Contivity Branch Access provides the ability to create and maintain users and groups within Contivity Branch Access that are distinct and separate from your network. This option is helpful if you want to add users or remove users on the basis of Internet access but do not want to make changes to the existing network directory service. When you use Contivity Br…
168. …ectory Services (NDS), by default Contivity Branch Access uses the NDS user name and groups for access control. If you have both NDS and Bindery users on your network, you may want to force the use of the Bindery user name and groups. Refer to "Setting user name order" on page 84.

To view or not view NDS users and groups:
Choose View > View NDS Users and Groups.

Setting the context for NDS

In NetWare Directory Services (NDS), context refers to the location of an object in the directory tree. The context is necessary for NDS to locate specific network resources.

Note: You must use the Novell NetWare client to set the context.

To edit the context for the selected user or group:
1. Choose View > Set Context.
2. Edit the context and save the new configuration.

Managing Novell Bindery users and groups

Contivity Branch Access displays Bindery users as red figure icons and groups as red folders in the Admin window. For more information on managing users and groups, refer to "Managing users and groups" on page 94.

To view or not view Bindery users and groups:
Choose View > View Bindery Users and Groups.

Note: In a Novell environment, when a user is logged into the NetWare Directory Services (NDS), Contivity Branch Access by default uses the NDS user name and groups for access control. If you have both NDS and Bindery users on your net…
... 271
Troubleshooting the Web cache ... 272
I requested a Web site but there was no response ... 272
I blocked a site but it still opens in a user's Web browser ... 272
I requested a Web page but the content looks outdated ... 273
I requested a Web page and the originating Web server takes a long time to respond ... 273
I am not able to configure a personalized Web page ... 274
I logged on to a Web site but am prompted to log on again ... 274
I added an item to my online shopping cart but it's still empty ... 274
Chapter 8 Advanced communications configuration ... 277
Configuring advanced communication settings for an ISDN connection ... 277
Adding a backup phone number ... 278
Changing ISP connection settings ... 279
Setting the inactivity timeout ... 280
Configuring advanced ISDN features ... 280
Enabling bandwidth on demand ... 281
Configuring voice call options ... 282
Configuring incoming data call options ... 283
Configuring advanced communication settings for a dial-up connection ... 284
Adding a backup phone number ...
... 285
Changing IP address settings ... 286
Setting the inactivity timeout ... 286
Configuring the modem speaker ... 286
Configuring a modem script ... 288
Configuring dual analog modem settings ... 288
Setting the number of lines ... 288
Enabling bandwidth on demand ... 289
Configuring advanced communication settings for a T1 connection ... 290
Configuring advanced communication settings for an E1 connection ... 292
Configuring advanced communication settings for a PPPoE connection ... 294
Chapter 9 IPX configuration and support ... 297
Using Contivity as an IPX to IP gateway ... 297
Security considerations ... 297
Performance considerations ... 298
(illegible entry) ... 298
Number of simultaneous connections ... 298
When to consider a higher speed connection ... 299
Configuring IPX workstations to use a new unit name ... 299
Configuring IPX frame types ... 301
Resolving Winsock conflicts ...
en frees the token after the data has made a complete circuit of the electrical ring.

token ring source routing: This option is available only on token ring units and enables the use of the token ring source routing protocol. This protocol is required for operation through certain types of token ring bridges.

transceiver: See MAU.

tunnel: In a virtual private network (VPN), a special connection established between two sites. Tunnels allow private IP traffic to flow across the Internet encapsulated within IP packets. Through the tunnel, all IP-based resources and applications on the remote LAN become available to the local site.

UCT: Universal Coordinated Time.

UTP: Unshielded Twisted Pair.

VPN (virtual private network): A special type of network connection that permits remote users or LANs to communicate with another LAN over a public network such as the Internet.

WAN: Wide Area Network.

Web cache: A server or collection of servers that stores copies of Internet content. The Web cache server can either be located on the LAN on which the clients it will serve are also located, or it can be embedded within the enterprise WAN or at the client's Internet service provider.

Web configuration: Allows you to configure the Contivity unit using a Web browser.

Web proxy (or HTTP proxy): Acts as a go-between between the requester of pages from an HTTP server and the Internet.

Winsock: A s
ent is for an aggressive mode, single address connection as a non-Contivity client (Branch Initiator Client).

7. Do one of the following:
- To configure a main mode connection (static IP address), click Branch Peer to Peer.
- To configure an aggressive mode connection (dynamic IP address), click Branch Initiator.
The IPsec Configuration dialog box opens (Figure 19).

Figure 19 IPsec Configuration dialog box (fields shown: Destination, Local Addresses, Remote Addresses; buttons: Add, Remove, Cancel)

Enter the following information:
- Name: Do one of the following:
  - For a main mode connection (Peer to Peer), accept the suggested default name or enter a unique name for the tunnel. This name should be one that you can associate easily with this particular tunnel. This name does not have to match the one used at the other end of the tunnel.
  - For an aggressive mode connection (Initiator), enter a unique name for the tunnel. This name must match the initiator ID you configured for this connection on the CVS.
- Key: The key is the password for the tunnel and must match the pre-shared key you configured on the CVS. A key cannot begin with a backslash.
- Destination: Specify the public IP address of the CVS.
In the Local Add
er. For details, refer to "Configuring a Contivity unit as a Web proxy server" on page 180.

To connect to the Contivity unit:
1. In the Address or Location box of your Web browser, type the IP address of the Contivity unit. If the unit is password protected, the Username and Password Required dialog box opens. A user name is not required.
2. Enter the password for the unit. The Home page opens (Figure 115).

Figure 115 Instant Internet home page (Instant Internet Home by Nortel Networks; Admin and Web Cache links; serial number and Version 7.20 displayed)

To browse to the Home page:
➤ On any page, click Home.

Viewing the Contivity unit system status

On the Web Cache page (Figure 116) you can view a brief status of the cache server, including whether caching is enabled, the current cache level, whether active refresh is enabled, the hit rate, and proxy information. From this page you have direct access to the following pages and information:
- Web Cache Statistics: click Statistics. For more information on interpreting statistics, refer to "Increasing efficiency" on page 243.
- Web Sites: click Web Sites. For more information on managing Web sites, refer to "Managing cookies" on page 259 and "Managing Web site access" on page 264.
- Web Cache Configuration: click Configure. For more information on configuring the cache server, refer to
er, a person on the same network as the Contivity unit can initiate a call to the Messenger service. Contivity Branch Access automatically configures itself for holding a NetMeeting with external computers. However, you must configure Contivity Branch Access to route incoming NetMeeting data to a particular workstation.

In this example, the Contivity unit's public address is 134.177.3.28, provided by an ISP. The IP address of the workstation that is set to accept an incoming NetMeeting call is 190.210.35.6. To set up the NetMeeting, select the WAN interface as the public entries with ports 1720 and 1731 in the list of server publications. You add the workstation's IP address of 190.210.35.6 and ports 1720 and 1731 as the private entries. The published server information should look similar to that in Figure 97 for this example.

Figure 97 Example: Publishing a server for NetMeeting (Server Publication dialog box)

Protocol | Public IP Address | Port | Private IP Address | Port
         |                   | 1720 | 190.210.35.6       | 1720
         |                   | 1731 | 190.210.35.6       | 1731

After you set up the workstation to accept incoming NetMeeting calls, remote users can call a workstation on your network using the IP address or the FQDN of the Contivity unit.

Note: If your Contivity unit uses a dynamic IP address, you can use Dynamic DNS so that users can enter the FQDN of the Contivi
er to "Defining controlled Internet access" on page 104.
- None: Absolutely no Internet access is permitted.
- Not Set: For advanced administration only. When a user is a member of one or more groups, this option allows you to control the access of the user during specified times and leave the remaining time not set, so that other group settings will take effect.

To set all days and hours for a specific button, double-click one of the access buttons and then proceed with step 7.

Position the mouse pointer over the graph. Drag to select the access hours for each day. As you drag, the color of the graph in the area you are dragging changes to the color designated by the button you selected. Release the mouse button when you complete your selection. You can designate as many areas this way as you choose. Note that the graph is divided into half-hour increments and that one square on the graph can have two colors in it.

Select the days of the week and hours of each day for which Internet access is to be allowed, and then click OK. Internet access is available for the specified days and times only.

Click OK. After you make changes to User Access, an asterisk appears to the left of the option, indicating that specific Internet User Access settings have been defined.

For those times that you mark Controlled, you can allow or prohibit specific IP addresses, host names and port numbers for the group or user. Refer to
erforms 258
Everyone group 82
expiration percent
  about 246
  automatically expiring 250
  example 247
  setting to zero 250
expiration time
  example 248
  setting to zero 250
  Web entry 247

F
fault tolerance 308
filter. See IP filter
fully qualified domain name (FQDN) 51, 204

G
group
  adding a user to 92
  adopting NT domain 85
  Bindery groups 87
  copying 95, 96
  deleting 93
  displaying 94, 95
  displaying users in group 95
  displaying users not in group 95
  Internet access 99
  managing 94
  NDS groups 86
  reports 129

H
hit rate
  active refresh 271
  increasing 252
  statistics 252
home page 240
host connection troubleshooting 333
host route tracing 336
host echo port 338
HTTP proxy server
  configuring 180
  configuring a client to use 184
  transparent 182

I
icon
  iiLogin 88, 314
  in Admin 80
ignore group settings 101
iiLogin
  client not using 88
  identifying an IP client 314
  IP client 88
  workstation error message 348
increased response times
  and active refresh 270
  enabling 244
install.cfg, customizing 307, 308
Instant Internet unit. See Contivity unit
interface
  alias 230
  disabling 329
Internet access
  configuration example 130
  configuring 105
  control list 106
  Control program 136
  defining 99
  denied message 265
  disabling 100
  effective user access 97
  errors 349
  group
    day and time 102
    defining 99
    disabling 100
    ignore group set
es from an HTTP server and the Internet.

hub: A physical layer device connected to other devices that restores a signal's amplitude and timing for transfer across a network. Known as a repeater in most IEEE 802.3 standards and also called a concentrator.

IAC: Internet Access Control.

IANA (Internet Assigned Numbers Authority): An organization responsible for assigning Internet-wide IP addresses.

icon: A graphic symbol on a user interface.

Ident: A service used for troubleshooting; validates the sender of a message or packet.

indirect host name access control: When IP requests are subjected to host name access controls when the DNS Proxy forwards the query.

IKE (Internet Key Exchange): A key exchange and security negotiation protocol.

Internet Protocol: Part of the TCP/IP suite of protocols. Describes the software responsible for routing packets and addressing devices.

IP address (Internet Protocol address): A means of communication that allows communication over the Internet to be directed to the appropriate destination. Every computer on the Internet must have a unique IP address. IP addresses are allocated by an ISP in the following format: nnn.nnn.nnn.nnn, where nnn is a numeric value from 0 to 255. IP addressing might be referred to as being static (fixed) or dynamic.

IP address access control: The IP Address Access Control is used
ess, News Groups and Incoming Ports.
Clear the Disable, Ignore Group Settings, No Raw Sockets and No Messages check boxes.
7. Click OK.
When you clear the View NT Users and Groups check box, the users are deleted.

Glossary

3DES (Triple Data Encryption Standard): A 168-bit encryption standard used for VPN tunneling in Contivity Branch Access. The export of 3DES encryption outside the U.S. is regulated by the U.S. Government. If you require 3DES encryption, you must purchase the 3DES Encryption Module (part number DM0010001).

ACL (Access Control List): The usual means by which access to, and denial of, network services is controlled by network security systems. It is a list of the available services and the hosts permitted to use each service.

address: A unique identifier assigned to networks and stations that allows each device individually to receive and reply to messages.

AMI (Alternate Mark Inversion): A signal encoding scheme in which a 1 is represented alternately as positive and negative voltage. AMI does not use translation coding but can detect noise-induced errors at the hardware level.

ANSI: American National Standards Institute.

asynchronous: A method of transmission in which the time intervals between characters are not required to be equal and signals are
essages displayed on workstations running third-party applications that access the Internet. IP workstations must be running iiLogin in order for these error messages to be shown. In addition, the administrator must decide whether or not the workstations should be shown these error messages. Refer to "Specifying the message a user sees upon an error" on page 129.

"Your administrator has restricted access to this site."
The user has attempted to access a site (either by IP address or host name), an incoming port, or a news group that has been restricted either in the user access time of day/day of week settings or in the Internet access controls. You may also get an access control violation error message if No RAW Sockets has been specified and you have attempted to ping, trace or otherwise use ICMP to access a site.

Common questions and answers

Question: I moved my Contivity unit from a Windows NT domain to a peer-to-peer Windows 95 or Windows 98, Windows Me or Windows 2000 network. Now the Admin utility will not let me delete the old domain users. How can I delete the old users?

Answer: You must set the access for the old users to the default user. Use the following procedure:
1. Start the Admin utility.
2. Select the users that you want to delete, and then click Change.
3. Select User Access.
4. Click Clear, and then click OK.
5. Repeat steps 1 to 4 for Internet Acc
... 32
How the Contivity unit can function in your network ... 33
(illegible entry) ... 33
Virtual private networks ... 34
(illegible entry) ... 34
Services Contivity Branch Access provides ... 35
Deciding what to (illegible) ... 36
Chapter 2 IP security and VPNs ... 37
Understanding virtual private networking ... 37
Understanding (illegible) ... 38
Using perfect forward secrecy (PFS) ... 39
Using the default network specification ... 40
Managing local and remote IP addresses ... 41
Adding a local or remote IP address ... 41
Removing a local or remote IP address ... 42
(illegible entry) ... 42
Understanding how a Contivity unit to Contivity unit VPN works ... 47
Allowing only incoming connections ... 48
Allowing only outgoing connections ... 50
Allowing both outgoing and incoming connections ... 53
Understanding how a Contivity Branch Access unit to CV
ew or change a unit's support hosts using Setup:
1. Start Setup and, if prompted, select a unit to configure.
2. Choose Support > Hosts.
3. Change the file as needed and then choose File > Save.
- To close the file without saving your changes, choose File > Close.
- To print the file, choose File > Print.

Configuring a static route

In its role as a conventional IP router, Contivity Branch Access maintains a routing table to determine where to transmit packets. Routes are specified using the address/bits method. For example, the IP address 1.2.3.0 with the submask 255.255.255.0 is identical to the static route 1.2.3.0/24. The 24 bits entry indicates that the first 24 bits of the address specify the network portion, with the remaining 8 bits specifying the host address.

In many cases the route to an IP network may not be automatically derived from the interface address and submask information. This occurs any time another router must be used to reach a particular network. The most common example is the default route, which is used to reach any network not specified by any other route. Typically the default route refers to the Internet, but in certain situations it may refer to another router which in turn can reach both other internal networks as well as the Internet. When direct Internet connectivity is available, the default route always specifies the route to
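The address/bits notation and the routing decision described above (a specific route for a network reached through another router, the default route for everything else), as an added example that is not Contivity Branch Access code. The gateway addresses and the routing table are constructed sample values.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example (not Contivity Branch Access code). Converts the
# "address + submask" form into the address/bits form the routing table
# uses, and resolves a destination against a static routing table the way a
# conventional IP router does: the most specific matching route wins, and
# 0.0.0.0/0 (the default route) catches everything no other route covers.
# Gateway addresses below are constructed sample values.

ALL_ONES = 0xFFFFFFFF


def is_valid_submask(submask: str) -> bool:
    """A submask must be a run of 1 bits followed by 0 bits: 255.255.255.0
    is valid, 255.0.255.0 is not."""
    value = int(ipaddress.IPv4Address(submask))
    bits = bin(value).count("1")
    return value == (ALL_ONES << (32 - bits)) & ALL_ONES


def mask_to_bits(submask: str) -> int:
    """255.255.255.0 -> 24: the number of leading 1 bits, i.e. the size of
    the network portion of the address."""
    if not is_valid_submask(submask):
        raise ValueError(f"non-contiguous submask {submask}")
    return bin(int(ipaddress.IPv4Address(submask))).count("1")


def to_address_bits(address: str, submask: str) -> str:
    """('1.2.3.0', '255.255.255.0') -> '1.2.3.0/24'. Host bits in the address
    are cleared, so ('1.2.3.5', '255.255.255.0') yields the same route."""
    net = ipaddress.IPv4Network((address, mask_to_bits(submask)), strict=False)
    return str(net)


Route = Tuple[str, str]  # (network in address/bits form, next-hop gateway)


def lookup(routes: List[Route], destination: str) -> Optional[str]:
    """Return the gateway for destination using longest-prefix match, or
    None when no route (not even a default route) covers it."""
    dst = ipaddress.IPv4Address(destination)
    best_len, best_gw = -1, None
    for network, gateway in routes:
        net = ipaddress.IPv4Network(network)
        if dst in net and net.prefixlen > best_len:
            best_len, best_gw = net.prefixlen, gateway
    return best_gw


# Constructed table: one internal network reached through another router,
# plus the default route pointing at the Internet gateway.
ROUTES: List[Route] = [
    (to_address_bits("1.2.3.0", "255.255.255.0"), "10.0.0.2"),  # internal router
    ("0.0.0.0/0", "10.0.0.1"),                                 # default route
]


if __name__ == "__main__":
    print(to_address_bits("1.2.3.0", "255.255.255.0"))  # 1.2.3.0/24
    print(lookup(ROUTES, "1.2.3.77"))                   # 10.0.0.2 (specific route)
    print(lookup(ROUTES, "198.51.100.9"))               # 10.0.0.1 (default route)
```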
fic sites, including news groups, incoming ports and RAW sockets.

ISDN (Integrated Services Digital Network): An international telecommunications standard for voice, data and signaling over digital connections.

ISP: Internet service provider.

ITU: International Telecommunications Union.

LAN: Local Area Network.

Lease (DHCP): When DHCP allocates an IP address, it rents the address to the requesting client for a period of time called a lease. The lease may be as short as a few minutes or as long as forever. The client can renew the lease or let it expire.

leased line: A private transmission line (T1, E1, DDS, V.35 or X.21) reserved for the leasing customer's sole use.

LED: Light Emitting Diode.

LMI: Local Management Interface.

MAC (Media Access Control): A physical address that is the portion of the data link layer in 802.x networks that controls addressing information of the packet and enables data to be sent and received across a local area network.

MAU (Media or medium attachment unit): In token ring networks, a device defined by the IEEE 802.5 standard that supplies a physical connection to the network cabling medium and includes circuitry to convert signals between a form suitable for the network and a form suitable for the station.

MD5 (Message Digest 5): An authentication algorithm used to create a digital signature
figured, refer to "How a tunnel is initiated" on page 59.

Note: Setup also creates an alias interface.

Troubleshooting a VPN tunnel connection

If you have trouble establishing a VPN tunnel connection, check both ends of the tunnel to make sure that the tunnel configuration matches. Some common areas that may cause problems include, but are not limited to:
- PFS settings
- Default network settings
- IP addresses

Contivity provides several methods for testing and troubleshooting IPsec:
- Use the ipsec CLI command to view a list of active tunnels. For details, refer to Reference for the Contivity Branch Access Command Line Interface Version 7.20.
- View the Contivity Branch Access unit's IPsec log for information about IPsec negotiations. For details, refer to "Viewing a Contivity unit's IPsec log" on page 76.
- Use the Monitor program to monitor and control the status of individual tunnels. The interface list contains the IPsec tunnel names. When you select an IPsec interface, Monitor displays its status. You can bring the tunnel down using the line control button on the toolbar. For details on using Monitor, refer to "Monitor program overview" on page 141.
- Use system logging (SYSLOG) to view messages about significant IPsec system events. For details, refer to "Managing SYSLOG alarms" on page 165.
- Use CVS session statistics to view VPN co
g Web site access" on page 264.

How the Contivity unit functions as a proxy server

When configured as a Web proxy server, the Contivity unit is a demand-side (downstream) caching proxy server that helps reduce bandwidth consumption and improve request and response times. Depending on how you configure the Contivity unit, it can operate as a network layer cache server or as a true proxy server. A network layer cache server, often called a transparent cache server, operates by intercepting HTTP requests transparently to the Web browser and effectively shortening the Web entry retrieval process if the entry is in the cache.

How the Contivity unit functions as a caching proxy server

In its capacity as a downstream caching proxy server that stores copies of Internet content (Web entries), the Contivity unit manages traffic to and from the Internet. Web content requested from the Internet is cached in a common pool of Web entries in the cache. When another user requests the same Web content, the entry is sent from the cache rather than from the originating Web server. This process improves response times and saves bandwidth.

As a proxy server, the Contivity unit functions as both a server and a client. When connected to a remote server on the Internet, it functions as a client requesting Web content. When a user requests Web conte
g box.

Figure: Select Connection Device dialog box (Contivity is for connections with a Contivity VPN Switch; Instant Internet is for connections with an Instant Internet unit; options: Contivity, Instant Internet, Other)

4. Click Instant Internet. The Select Type of Connections dialog box opens (Figure 8).

Figure 8 Select Type of Connections dialog box

5. Click Responder. The IPsec Configuration dialog box opens (Figure 9).

Figure 9 IPsec Configuration dialog box

6. In the Name box, enter a name for the tunnel. This name must match the one used on the other end of the tunnel.
7. In the Key box, enter a key for the tunnel. The key is the password for the tunnel and must be mutually agreed upon by both Contivity Branch Access units. A key cannot begin with a backslash.
8. The Local Addresses area displays the IP addresses of local networks that are permitted to participate in the tunnel. The default local address 0.0.0.0/0 allows all IP addresses on your LAN to be reached through the tunnel; however, this provides no security in terms of the peer's selection of local networks.
- To specify the addresses allowed in the tunnel, click Add. For more i
ghts, and use, duplication or disclosure by the U.S. Government is subject to the restrictions set forth in subparagraph (c)(1) of the Commercial Computer Software Restricted Rights clause of FAR 52.227-19 and the limitations set out in this license for civilian agencies, and subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause of DFARS 252.227-7013, for agencies of the Department of Defense or their successors, whichever is applicable.

6. Use of software in the European Community. This provision applies to all Software acquired for use within the European Community. If Licensee uses the Software within a country in the European Community, the Software Directive enacted by the Council of European Communities Directive dated 14 May 1991 will apply to the examination of the Software to facilitate interoperability. Licensee agrees to notify Nortel Networks of any such intended examination of the Software and may procure support and assistance from Nortel Networks.

7. Term and termination. This license is effective until terminated; however, all of the restrictions with respect to Nortel Networks' copyright in the Software and user manuals will cease being effective at the date of expiration of the Nortel Networks copyright; those restrictions relating to use and disclosure of Nortel Networks' confidential information shall continue in effect. Licensee may terminate this license at any time. The license will automatically
gs for an ISDN connection:
- Bandwidth on demand
- Inbound voice and outbound priority
- Incoming call settings

To configure advanced ISDN features:
➤ Click Advanced. The ISDN Configuration advanced dialog box opens (Figure 118).

Figure 118 ISDN Configuration advanced dialog box

Enabling bandwidth on demand

You can set the dial and hang-up thresholds and the demand timeout for the ISDN interface.

To enable bandwidth on demand:
1. Click Advanced. The ISDN Configuration advanced dialog box opens (Figure 118).
2. Select the Dial on demand check box.
3. Change any of the following information:
- Dial threshold: Enter the percentage of bandwidth that must be in use before an additional interface can dial.
- Hangup threshold: Enter the percentage of bandwidth below which an interface hangs up.
- Timeout: Enter the number of minutes or seconds of inactivity over the ISDN connection after which Contivity Branch Access terminates the connection. A value of 0 prevents the interface from timing out.
4. Click OK.

Configuring voice call options

You can set the way the ISDN interface handles incoming and outgoing ISDN voice calls.

To configure voice call options:
1. Click Advanced
he configuration.

To enable cookies for a particular Web site:
1. On the Home page, click Web Cache. The Web Cache page opens.
2. On the Web Cache page, click Web Sites. The Web Sites page opens.
3. Click the IP address or host name for the individual Web site. The individual Web site's access information and settings page opens.
4. In the Site Specific Options area, do any of the following:
- To enable the Web site to set cookies on client workstations, select the "Allow this server to set cookies in clients" check box.
- To enable clients to return cookies to the Web site, select the "Allow clients to return cookies to this server" check box.
Click Help for more information about each field on any page.

Sorting the Web sites list

On the Web Sites page you can view a list of all recently requested Web sites. Each record displays the IP address or host name of the requested site, the date and time of its most recent access, and the number of times an entry has been requested from the Web site. You can sort the list by name, access time and number of requests.

The Contivity unit records the IP address or host name of each requested Web site. Each time a user requests Web content and the originating Web server returns a response to that request, the response is stored in the cache as a Web entry. If an entry exists in the cache, its associated IP address or host name appears in the Web sites list. The fact that a Web site is in the list
he unit. For details, refer to Setting Up the Contivity 100 Unit or Setting Up the Contivity 400 Unit, depending on the type of Contivity unit you have.

To change a unit's password:
1. Start Setup and, if prompted, select a unit to configure.
2. Do one of the following:
- To change the user password, choose Setup > Change User Password.
- To change the privileged password, choose Setup > Change Privileged Password.
The Change Password dialog box opens (Figure 142).

Figure 142 Change Password dialog box (Enter new password)

3. Enter the new password and then click OK. The password is case sensitive; therefore "password" is not the same as "PASSWORD" or "Password".
4. At the prompt to re-enter the password, enter the password again and then click OK.
5. In the main Setup window, click Save and Exit.

Changing a unit's name

If you have more than one Contivity unit, it is very important that you give each unit a unique name.

To change the name of the Contivity unit:
1. Start Setup and, if prompted, select a unit to configure.
2. Choose Setup > Change Name. The Unit Name dialog box opens (Figure 143).

Figure 143 Unit Name dialog box (Enter unit name)

3. Enter the new unit name. You can enter up to 13 letters, digits and symbols, with no spaces.
4. Click OK.
5. Click Save and Exit.

Changing
hed. You can enable this option automatically when you set the cache level to Moderate or Aggressive (refer to "Selecting a cache level" on page 245), or you can create a Custom cache level and enable the option individually (refer to "Setting options for special Web requests" on page 255).
- If the statistics show that requests are not returned from the cache because the request contained a CGI (Common Gateway Interface) request, enable CGI requests to be cached. You can enable this option automatically when you set the cache level to Moderate or Aggressive (refer to "Selecting a cache level" on page 245), or you can create a Custom cache level and enable the option individually (refer to "Setting options for special Web requests" on page 255).
- If the statistics show that requests are not returned from the cache because a no-cache header was embedded in the request or the response, enable no-cache responses to be cached. For details, refer to "Setting options for special Web requests" on page 255.
- If the statistics show that requests are not returned from the cache because there were cookies in the response, restrict servers from setting cookies on client workstations. For details, refer to "Managing cookies" on page 259.

the cache but could be, total the numbers or percentages for the aforementioned statistics. If the total percentage is over 10%, tuning these settings could increase the hit rate.

Note:
hen the Contivity unit detects an incoming call, it rejects the call and then initiates a call to the ISP. The Contivity unit essentially interprets the incoming call as a request to bring up the line. Select this option if your ISDN line is configured to disconnect after a period of inactivity but you need to allow traffic from the Internet to establish a connection. This option may require additional arrangements with your ISP.

- Allow incoming calls: The Contivity unit answers all incoming calls and places calls as necessary. For the unit to answer the call, the remote site must supply the same user ID and password you entered when you configured the ISDN connection. If you select this option, enter the local phone numbers for the two B channels.
- Call ISP, disconnect, wait for call back: Contivity Branch Access initiates a call to your ISP. When the ISP answers the call, it validates your account, disconnects, and then calls the Contivity unit. Select this option if you are charged by the minute for placing calls but your ISP is not. This option may not be available in all areas and will require additional arrangements with your ISP. If you select this option, enter the local phone numbers for the two B channels.
- Only incoming calls, no outgoing: Contivity Branch Access answers all incoming calls but does not place any calls. For the unit to answer the call, the remote site must supply the same user ID and password you entered when you
her heading.

Chapter 1 Introduction

This chapter provides information about the types of network environments in which the Contivity unit works, as well as the services that the Contivity Branch Access management software provides for your network.

Flexible Business Solution

Contivity Branch Access provides small and medium size businesses and business branches with secure and managed Internet access, as well as an extensive set of services that matches the needs of today's business activity. This flexible hardware and software solution simplifies Internet access while significantly lowering costs and providing higher reliability and easier manageability of networked users.

Contivity Branch Access contains multiple Ethernet interfaces for single or redundant external broadband cable and xDSL modems, as well as single and dual analog modems, ISDN connections, and even T1 or E1 connections with CSU/DSU. Any combination of interfaces can serve as primary or automatically switched backup (redundant) links for 100% uptime service for critical business needs.

Contivity Branch Access also allows for the transparent use of an external Web caching server. Normally, external Web caching servers require that each workstation either be configured for proxy mode or be installed along with an external switching device to make the ca
193. host was recognized as unreachable.
To perform a trace test:
1. Select the Host you want to trace. If the host you want to trace is not in the list, type the host name or IP address in the Host box.
2. Click Trace. The trace test begins and you can watch its progress. If you want to stop the trace test before it is complete, click Stop. This can be useful if you see the problem before the test completes.
You can set options for the trace test, such as the number of hops per trace. See Setting host connection test options on page 341 for more information.
A trace test returns the following information:
• The selected host address with the maximum number of hops
• The host addresses traced
• The percentage of lost packets (the number of packets not received divided by the total number of packets sent)
• The average number of milliseconds per hop
In Figure 151, a trace was performed on the host name www.nortelnetworks.com. The window is divided into two areas. The top area shows a graphic representation of how long it took each trace trial to complete. The bottom area shows the statistics of the trace test. In the bottom area of the window, the first column displays the sequence of hops, the second column describes the number of milliseconds per test that it took to get to the specified host, and the third column shows the host address traced.
194. Throughput approaches Ethernet wire speeds with the Contivity 100 unit and substantially exceeds that throughput with the Contivity 400 unit, even while operating Triple Data Encryption Standard (3DES) encryption and either Secure Hash Algorithm (SHA) or Message Digest 5 (MD5) authentication. VPN tunnels through broadband could saturate any existing and proposed links, even with full encryption.
How the Contivity unit can function in your network
Before you install the Contivity unit, you should understand your network environment and how the unit functions in the network. The Contivity unit can function in your network in three ways. It can:
• Provide security. You can isolate your network from the Internet to help ensure network security. You do this for three reasons: to prevent Internet users outside your organization from seeing internal IP addresses; to protect your network from being accessed by intruders or hackers; and to permit remote LANs to communicate with your LAN over a virtual private network (VPN) using IP security (IPsec).
• Control Internet access. You can restrict your users' access by date and time, and you can restrict access to certain sites or newsgroups.
• Ease administration. The Contivity Branch Access management software allows you to adopt existing users and groups from your directory services.
IP networks
For security purposes on an IP network, you may want to isolate your network fr
195. ied an X is displayed. You can add, delete, or change news groups to which the selected user has access.
Adding news group access
To add a news group to group or user access:
1. In the Admin window, select a group folder or user icon.
2. On the toolbar, click Change. The Change Settings of User dialog box opens (Figure 47).
Figure 47 Change Settings of User dialog box (Change Settings of User: Robin)
3. Click News Groups. The Change News Groups dialog box opens (Figure 48).
Figure 48 Change News Groups dialog box (Change News Groups of Robin)
4. Click Add. The Add News Group dialog box opens (Figure 49).
Figure 49 Add News Group dialog box
The following information is displayed:
• Allow: Allows access.
• Do not allow: Denies access.
• News Groups: Enter the name of the news group for which you are defining access.
5. Do one of the following:
• To allow access to the news group, click Allow.
• To deny access to the news group, click Do not allow.
6. Enter the name of the news group for which you are defining access.
Note: You can also allow or deny access to an entire section of news groups by placing an asterisk af
196. ield on any page.
Managing Web site access
Establishing a Web site access policy helps you determine how to configure Web sites. Your Web site access policy will be the result of experimentation. When you establish your policy, consider the following:
• If you block access to all unconfigured Web sites, users will not have access to any Web site on the Internet, and you must permit access to each site individually. For details, refer to Blocking access to all unconfigured Web sites on page 265. This is the default-deny posture: a new or unknown site is unreachable until an administrator allows it.
• If you permit access to all unconfigured Web sites, users have access to any and all Web sites on the Internet, and you must block access to inappropriate or unauthorized Web sites individually. For details, refer to Blocking access to a particular Web site on page 266. This is a blocklist, and it only covers sites you already know about.
Blocking Web site access
You can block access to particular Web sites on an individual basis or for all unconfigured Web sites (for a definition of unconfigured Web site, refer to the note on page 260). When a user requests access to the restricted Web server, the following message is displayed, indicating that access is denied:
Access to this Web site has been blocked. Contact your system administrator for more information.
Note: After you block a Web site, that site's entries are no longer sent from the Contivity unit. However, if a user has the local cache enabled, the content requested from
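The two policy shapes described above (news group lists where a trailing asterisk covers a whole section, and Web site access with unconfigured sites either all blocked or all permitted) as a small allow/deny evaluator. This is an added example, not Contivity code: the AccessPolicy class, the rule-precedence choice and every sample rule are assumptions made for illustration, and the manual does not say how the unit orders overlapping rules.

```python
"""Allow/deny access-policy evaluator, added here as an illustration.
It is not Contivity code: the AccessPolicy class, the rule precedence and
all sample rules are assumptions made for this example.  It models the two
policy shapes the manual describes: news group lists where a trailing
asterisk covers a whole section, and Web site access with either all
unconfigured sites blocked (default deny) or all permitted (default allow).
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Text shown to the user when a blocked site is requested (from the manual).
BLOCKED_MESSAGE = ("Access to this Web site has been blocked. "
                   "Contact your system administrator for more information.")


@dataclass
class AccessPolicy:
    """Rules are (glob pattern, allow?) pairs; default applies to unconfigured names."""
    default_allow: bool
    rules: list = field(default_factory=list)

    def add(self, pattern: str, allow: bool) -> "AccessPolicy":
        self.rules.append((pattern.lower(), allow))
        return self

    def decide(self, name: str) -> bool:
        """Return True if `name` may be accessed.

        Precedence is an assumption of this example, not the manual's rule:
        the most specific matching pattern (most literal characters) wins,
        and a tie between an allow and a deny rule resolves to deny.
        """
        name = name.lower()
        hits = [(len(pat.replace("*", "")), allow)
                for pat, allow in self.rules if fnmatchcase(name, pat)]
        if not hits:
            return self.default_allow          # unconfigured name
        best = max(score for score, _ in hits)
        return all(allow for score, allow in hits if score == best)


def newsgroup_policy() -> AccessPolicy:
    """Constructed sample: default deny, allow comp.* except comp.binaries.*."""
    return (AccessPolicy(default_allow=False)
            .add("comp.*", True)
            .add("comp.binaries.*", False))


def website_policy(block_unconfigured: bool) -> AccessPolicy:
    """Constructed sample Web site policy with one allowed and one blocked site."""
    policy = AccessPolicy(default_allow=not block_unconfigured)
    policy.add("www.nortelnetworks.com", True)   # host used in the manual's examples
    policy.add("*.example.net", False)           # constructed blocked site
    return policy


def web_response(policy: AccessPolicy, host: str) -> str:
    """What the proxy would return for a request to `host`."""
    return "200 OK" if policy.decide(host) else BLOCKED_MESSAGE


if __name__ == "__main__":
    ng = newsgroup_policy()
    for group in ("comp.lang.python", "comp.binaries.warez", "alt.rec.cycling"):
        print(f"{group:24} -> {'allow' if ng.decide(group) else 'deny'}")
    for block_all in (True, False):
        web = website_policy(block_all)
        print(f"block unconfigured={block_all}: "
              f"www.unknown-site.test -> {web_response(web, 'www.unknown-site.test')}")
```

Running it shows the practical difference between the two Web site policies: with unconfigured sites blocked, an unknown host gets the denial message until someone adds an allow rule; with them permitted, the same host is reachable and only the explicitly blocked pattern is denied.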
197. might differ depending on whether your installation uses nonstandard subnets. With Contivity, you do not change a subnet mask unless you are familiar with IP addressing practices.
synchronous: Signals that are sourced from the same timing reference. Synchronous operation causes the interval between successive bits, characters, or events to remain constant or locked in to a specific clock frequency.
T1: A North American telecommunications term for a digital carrier facility used to transmit a DS-1 formatted signal at 1.544 Mb/s.
TCP: Transmission Control Protocol. The major transport protocol in the Internet suite of protocols, providing reliable, connection-oriented, full-duplex streams.
TCP/IP: Transmission Control Protocol/Internet Protocol. A set of networking protocols designed to link computers from multiple vendors.
Telnet: A service that provides terminal emulation capabilities for logging into the Contivity unit from a remote location. For more information about how to use this service with your Contivity unit, refer to Reference for the Contivity Branch Access Command Line Interface Version 7.20.
token ring: A network topology and data signaling scheme in which a special data packet called a token is passed from one station to another along an electrical ring. A transmitting station takes possession of the token, transmits the data, th
198. igure. Choose Support > Services. The Services dialog box opens (Figure 84 on page 181). Select the WEB Configuration check box and then click Configure. The WEB Server Configuration dialog box opens (Figure 86).
Figure 86 WEB Server Configuration dialog box (fields: Port; OK; Cancel)
Enter the Port number for the Web proxy server. The default is 80. Click OK. You return to the Services dialog box (Figure 84 on page 181). Click OK. In the main Setup window, click Save and Exit.
Configuring a workstation to use a Contivity unit as a Web proxy server
If you run the Web proxy server transparently, you do not need to change the browser configuration for each workstation. If you do not run the Web proxy server transparently, you must configure your workstations to use a Web (HTTP) proxy server.
To configure Netscape Communicator for the PC:
1. Start Netscape Communicator.
2. Choose Edit > Preferences. The Preferences dialog box opens.
3. In the Category area, double-click Advanced.
4. Select Proxies. The Proxies dialog box opens.
5. Select the Manual proxy configuration option.
6. In the HTTP Proxy box, enter the IP address of the Contivity unit's LAN-side interface.
7. In the Port box, enter the port you selected when you enabled the Web proxy service (typically 8080).
8. Click OK through a
199. in Serial Number IS00E07BF23FAC, Version 7.20.
3. On the Home page, click Admin. The System Administration page opens (Figure 156).
Figure 156 Instant Internet System Administration page. The page carries Instant Internet, Admin, Web Cache, System Administration, and Help links. Unit Information: Serial Number I500E07BF23FAC; System Memory 12 MB; Version 7.20; System Started Sat Jun 9 18:20:13 2001; Current Time Wed Jun 13 18:33:50 2001; Up time 96:13:37. Log Files: System Log, PPPOE Log, DIALUP Log.
Viewing a unit's log files
Several log files are generated to help troubleshoot a connection. The log files generated depend on your system configuration.
To view a unit's log files:
> On the Home page, click Admin. The System Administration page opens and the available logs are listed in the Log Files area (Figure 156 on page 346).
Viewing a unit's update history
Each Contivity unit maintains a record of the software versions that have been installed and upgraded.
To view a unit's update history:
> On the System Administration page (Figure 156 on page 346), click Update History. The Update History page opens.
Changing a unit's system settings file
To view or change a unit's system settings file:
1. On the System Administration page (Figure 156 on page 346), click Config. The System Settings page opens.
2. Make any changes to the system settings and then click Subm
200. in an IP address from ISP; Specify an IP address; Address translation [checked]; Number of lines: 2; Inactivity timeout: mins / secs; Advanced; Cancel.)
Adding a backup phone number
Contivity Branch Access dials the primary phone number first after each successful connection. However, for those times when the primary dial-up phone number is busy or fails, you can designate a backup phone number. When Contivity Branch Access detects a busy signal or a problem in dialing the main phone number, it automatically dials the backup phone number to make a connection.
To add or change a backup phone number for a dial-up connection:
> In the Backup box, enter the backup phone number and then click OK.
Changing IP address settings
To change IP address settings:
1. Do one of the following:
• Obtain an IP address from ISP: Select this option if your ISP assigns dynamic IP addresses.
• Specify an IP address: Select this option if your ISP assigns you a static IP address, and then enter the static IP address.
2. Click OK.
Setting the inactivity timeout
The inactivity timeout saves connect-time charges during times when no one is requesting Internet access. It specifies the number of minutes or seconds of inactivity over the dial-up connection after which Contivity Branch Access terminates
201. in the background with no effect on the user's workstation activities.
To activate automatic logging:
> Do one of the following:
• In Windows 3.x, select the AutoLog icon in the Instant Internet program group.
• In Windows 95, Windows 98, Windows Me, Windows NT, or Windows 2000, choose Start > Instant Internet > AutoLog.
The AutoLog window opens (Figure 76).
Figure 76 AutoLog window
AutoLog toolbar buttons
The AutoLog toolbar buttons (Table 24) provide shortcut keys to the menu bar options.
Table 24 AutoLog toolbar buttons (Button / Description)
• Starts saving all configured log information. You can also choose File > Run from the AutoLog menu.
• Stops logging. You can also choose File > Stop from the AutoLog menu.
• Activates online Help. When you click this button, the mouse pointer changes to the symbol on the button. Move the pointer to the option for which you require help and then click it. Context-sensitive online Help is displayed.
Enabling Auto Run
When you enable the Auto Run option, the AutoLog program automatically activates when the Event Activity Information log runs.
To enable the Auto Run option:
> In the AutoLog window, choose Options > Auto Run. A chec
202. inating the need to reserve space for caching.
• Increases the number of entries in the cache that are available to all users.
• Increases cache statistics, because all requests for Web content pass through the Contivity unit, which gives the truest measure of the efficiency of the cache.
• Decreases the amount of inappropriate or unauthorized content on a user's workstation. When you block access to a Web site, a message appears notifying the user that access has been blocked (refer to Blocking Web site access on page 265). However, if the user's local cache was enabled when the user accessed the Web site the first time, the Web entries are still in the local cache and the user can view them. If the user's local cache was disabled when the user accessed the site, the message is displayed immediately.
Connecting to the Contivity unit using a Web browser
Using Netscape Navigator or Microsoft Internet Explorer, you can configure and manage all Web proxy and caching functions for the Contivity unit.
Note: Web caching is supported only on Contivity 400 units.
Before you can use a Web browser to manage Web cache options or configure system files, you must enable the Contivity unit as a Web proxy and enable Web configuration. You must also configure each workstation to use the Contivity unit as the Web proxy serv
203. ing 260; recommended 260
cookies: and bandwidth savings 244; and online shopping cart 261; and prompt to log on again 261; blocking for unconfigured Web sites 261; cache action if blocked 261; defined 259; enabling for a particular Web site 262; establishing a management policy 260; managing 259; required 261; viewing for a Web site 266
Custom cache level: available options 249; creating 250
customer support 29
D
date: changing 325; expiration for a Web entry 238, 246
Default user 81
demilitarized zone (DMZ): adding a Web server 233; configuring 233; example, publishing a Web server 235; overview 232
DES encryption 38
DHCP client 228
DHCP server: configuring 218; Contivity unit 222; leases 219; relay agent 220; scopes 219
diagnostic tool: chargen service 329; discard service 329; echo service 329; ident service 330; SNMP service 330; Telnet service 330
dial-up connection: backup phone number 285; bandwidth on demand 289; communication settings 284; inactivity timeout 286; modem script 288; modem speaker 286; statistics 145
DMZ. See demilitarized zone (DMZ)
DNS proxy server 185
domain, set for NT users and groups 83
dual analog modem 284: bandwidth on demand 289; number of lines 288
Dynamic DNS 204
E
E1 connection, communication settings 292
encryption: 3DES 38; 56-bit 38; DES 38
error messages: IP client 348; RAW socket 349; Web cache server 248
error, setting the action the cache server p
204. Using the ping tool, you can:
• Determine if a host is accessible
• View a host's response or lag time
• View the packet loss for a host
To perform a ping test:
1. Select the Host you want to ping. If the host you want to ping is not in the list, type the host name or IP address in the Host box.
2. Click Ping. The ping test begins and you can watch its progress. If you want to stop the ping test before it is complete, click Stop. This can be useful if you see the problem before the test completes.
You can set options for the ping test, such as the number of pings. See Setting host connection test options on page 341 for more information.
The ping test returns the following information:
• The host address with the number of data bytes and the timeout length
• The milliseconds per ping
• The percentage of lost packets (the number of packets not received divided by the total number of packets sent)
• The average number of milliseconds per ping
In Figure 150, a ping test was performed on the host name www.nortelnetworks.com. The window is divided into two areas. The top area shows a graphic representation of how long it took each ping trial to complete. The bottom area shows the statistics of the ping test. In the bottom area of the window, the first column of data displays the sequence of trials, the second column describes the number of milliseconds it took to complete each trial, and the third column shows the address pinged.
205. instances.
Firmware: The version of the firmware running on the Contivity unit.
Speed: The speed, in kilobits, at which data is being sent and received. To calculate the speed in kilobytes, divide by 8. If the selected interface is communicating outside the LAN, External is displayed.
Up: The number of days, hours, minutes, and seconds the Contivity unit has been up since the last reset.
Table 15 Stats window statistics (continued) (Item / Description)
Show: • Sends: Select this option to view only sent data. • Recvs: Select this option to view only received data. • Both: Select this option to view both sent and received data. Sent data is displayed in blue; received data is displayed in red.
In Bytes / Out Bytes: The data sent and received since the last reset, in kilobytes. To calculate this amount in kilobits, multiply the kilobytes by 8.
Interface: If you have more than one interface, you can choose the interface you want to monitor, including the VPN tunnel you want to monitor.
Table 16 lists additional statistics that are displayed for a dial-up or ISDN interface or a VPN tunnel.
Table 16 Stats window statistics for a dial-up or ISDN interface or a VPN tunnel (Item / Description)
Last call: Day, date, time, and year of the last Internet connection, as well as a description of the connection.
Status: Whether the interface connectio
206. In this example, your SYSLOG daemon is running on a workstation with the IP address 198.168.1.12, and you have configured it to report only Error messages, which reports Contivity Branch Access messages with Emergency, Alert, Critical, and Error priority. The Contivity unit has the facility identifier of Local2.
To capture SYSLOG messages:
1. Start Setup and, if prompted, select a unit to configure.
2. Choose Support > Alarms.
3. In the Alarms dialog box (Figure 79 on page 171), in the SYSLOG Hosts area, click Add.
4. In the Enter SYSLOG Host dialog box (Figure 80 on page 171), in the SYSLOG Host box, enter 198.168.1.12 (the IP address of the SYSLOG daemon) and then click OK.
5. In the Alarms dialog box (Figure 79 on page 171), enter the following information:
• Facility: Select Local2.
• Priority: Select Error.
6. Click OK.
7. In the main Setup window, click Save and Exit.
Example: Testing the SYSLOG daemon
You can immediately test the system logging using Telnet. Any Telnet connection, attempted or successful, forwards a Notification-priority message, so you must set the priority to at least Notify in both the SYSLOG daemon software and in Contivity Branch Access. With the Error threshold configured above, the Telnet test message is filtered out on both sides; lower the priority for the test and restore it afterwards.
To test system logging using Telnet:
1. Start the SYSLOG daemon.
2. Use a Telnet application to connect to the Contivity unit.
Figure 81 shows an example of the SYSLOG output. In this example, a workstation with a LAN
207. ise by a technical support representative.
• Backup interface: An ISDN connection is available for use as a backup connection to the Internet should your T1 connection become unavailable.
Configuring advanced communication settings for an E1 connection
If you have an E1 interface on the Contivity unit, you can configure the starting channel, clock, auto loopback setting, CRC4 checksum, and a backup interface.
To configure advanced communication settings for an E1 interface:
1. Start Setup and, if prompted, select a unit to configure.
2. In the Interfaces area, select the E1 interface and then click Configure. The E1 Configuration dialog box opens (Figure 124).
Figure 124 E1 Configuration dialog box (fields: Framing format CCS / CAS; Line encoding HDB3 / AMI; Line speed 1984 Kbps (64 x 31); Type PPP / Frame Relay; LMI type Annex D / Annex A; IP address 192.168.1.1; Subnet mask 255.255.255.0; Router address; Address translation [checked]; Advanced; OK; Cancel)
3. Click Advanced. The E1 Advanced Configuration dialog box opens (Figure 125).
Figure 125 E1 Advanced Configuration dialog box (fields: Starting channel; Clock External / Internal; Auto loopback [checked]; CRC4
208. Submit. When you click Submit, the changes take effect immediately. If you make changes and then decide that you do not want to submit them, click Reset to restore the settings to the previous selections. You cannot reset settings after you submit them.
Changing a unit's port mappings
To view or change a unit's port mappings:
1. On the System Administration page (Figure 156 on page 346), click Port Mappings. The Port Mappings page opens.
2. Make any changes to the port mappings and then click Submit. When you click Submit, the changes take effect immediately. If you make changes and then decide that you do not want to submit them, click Reset to restore the settings to the previous selections. You cannot reset settings after you submit them.
Changing a unit's hosts
To view or change a unit's hosts:
1. On the System Administration page (Figure 156 on page 346), click Hosts. The Hosts page opens.
2. Make any changes to the hosts information and then click Submit. When you click Submit, the changes take effect immediately. If you make changes and then decide that you do not want to submit them, click Reset to restore the settings to the previous selections. You cannot reset settings after you submit them.
IP workstation error messages
This information assists you in interpreting and troubleshooting error m
209. it
• Using built-in tools to test a connection to the Internet and to a host
• Supporting IP
Before you use this manual, you need to do two things. First, write down the model number and serial number of the Contivity unit. This information will be required if you need to call Nortel Networks Technical Support. These numbers are located on the back of the Contivity unit. You can also view the serial number using the Setup utility. For more information, see Viewing a Contivity unit's serial number on page 343.
Model: Example CQ1001104 or DM1401E67
Serial: Example 10300004F or 14000181CC404F
Second, review the basic installation process in Installing the Contivity Branch Access Management Software Version 7.20 and determine how you want Contivity Branch Access to function in your network.
Note: All references to Contivity unit and unit also apply to the Instant Internet unit.
Text conventions
This manual uses the following text conventions:
angle brackets (< >): Indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command. Example: If the command syntax is ping <ip_address>, you enter ping 192.32.10.12.
bold courier text: Indicates text that you need to enter, and command names and options. Example: Enter ipconfig rele
210. it encryption (3DES) as an add-on feature.
Note: The export of 3DES encryption outside North America is regulated by the U.S. Government. If you require 3DES encryption, you must purchase the 3DES Encryption Module, part number DM0010001. Contact your Nortel Networks sales representative for more information.
For authentication, Contivity Branch Access supports:
• MD5 (Message Digest 5)
• SHA (Secure Hash Algorithm)
Of the two, SHA is the stronger choice; MD5 is no longer considered a sound hash function and should be selected only where the remote end cannot offer SHA.
Understanding modes
When you configure a tunnel between two Contivity Branch Access units, or between a Contivity Branch Access unit and a CVS, the Setup program determines what mode needs to be used. After you add a VPN, you can change the mode to be used in the tunnel.
Internet Security Association and Key Management Protocol (ISAKMP) negotiations proceed in two phases. During phase 1, two ISAKMP peers establish a secure, authenticated channel with which to communicate; this ISAKMP security association is used to protect further negotiation traffic. During phase 2, other Security Associations (SAs) are negotiated on behalf of IPsec. The key is the pre-shared password for the tunnel and must be mutually agreed upon by both ends.
Internet Key Exchange (IKE) defines two basic methods used to accomplish a phase 1 authenticated key exchange:
• Main mode: A main mode connection provides identity protection because the identities of the endpoints (peers) are exchanged in encrypted messages after the Diffie-Hellman key exchange. The IP address is used for identific
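The phase 1 exchange described above, simulated for both modes so the identity-protection difference is visible in the transcript. This is an added example, not Contivity code or a real IKE implementation: it uses a toy Diffie-Hellman prime rather than an IKE MODP group, HMAC-SHA256 as the pseudo-random function, a SHA-256 keystream in place of the negotiated cipher, shortened HASH_I/HASH_R inputs, and no ISAKMP payload encoding; the peer names and pre-shared key are constructed. The offline_psk_guess function goes beyond the manual's text: it demonstrates the general IKEv1 property that an aggressive-mode exchange, because it carries HASH_R and all of its inputs except the pre-shared key in the clear, lets a passive observer test PSK guesses offline, which is the practical reason to prefer main mode with pre-shared keys.

```python
"""IKEv1 phase 1, main mode versus aggressive mode with pre-shared-key
authentication, added here as an illustration.  This is not Contivity code
and it simplifies the protocol: a toy 127-bit prime instead of an IKE MODP
group, HMAC-SHA256 as the prf, a SHA-256 keystream standing in for the
negotiated cipher, shortened HASH_I/HASH_R inputs, and no ISAKMP payload
encoding (RFC 2408/2409).  Peer names and the PSK are constructed.
"""
import hashlib
import hmac
import secrets

P = 2 ** 127 - 1      # toy prime: NOT a real IKE Diffie-Hellman group
G = 3


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes(16, "big")


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (XOR with a SHA-256 keystream); stands in for 3DES."""
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


class Peer:
    def __init__(self, identity: bytes, psk: bytes):
        self.id, self.psk = identity, psk
        self.x = secrets.randbelow(P - 2) + 1      # private DH exponent
        self.gx = pow(G, self.x, P)                 # public value g^x
        self.nonce = secrets.token_bytes(16)

    def skeyid(self, ni: bytes, nr: bytes) -> bytes:
        return prf(self.psk, ni + nr)               # RFC 2409, PSK case


def hash_payload(skeyid: bytes, gx_i: int, gx_r: int, identity: bytes) -> bytes:
    """Simplified HASH_I / HASH_R = prf(SKEYID, g^xi | g^xr | ID)."""
    return prf(skeyid, i2b(gx_i) + i2b(gx_r) + identity)


def run_phase1(mode: str, i: Peer, r: Peer) -> list:
    """Return the transcript as (sender, payloads, encrypted?) tuples."""
    gxy = pow(r.gx, i.x, P)                         # shared secret g^xy
    sk_i, sk_r = i.skeyid(i.nonce, r.nonce), r.skeyid(i.nonce, r.nonce)
    skeyid_e = prf(sk_i, i2b(gxy) + b"\x02")        # simplified SKEYID_e
    hash_i = hash_payload(sk_i, i.gx, r.gx, i.id)
    hash_r = hash_payload(sk_r, i.gx, r.gx, r.id)
    sa = "3DES-SHA-PSK"
    if mode == "main":                              # six messages
        return [("I", {"SA": sa}, False),
                ("R", {"SA": sa}, False),
                ("I", {"KE": i.gx, "Ni": i.nonce}, False),
                ("R", {"KE": r.gx, "Nr": r.nonce}, False),
                ("I", {"enc": stream_xor(skeyid_e, i.id + hash_i)}, True),
                ("R", {"enc": stream_xor(skeyid_e, r.id + hash_r)}, True)]
    if mode == "aggressive":                        # three messages, IDs in clear
        return [("I", {"SA": sa, "KE": i.gx, "Ni": i.nonce, "IDi": i.id}, False),
                ("R", {"SA": sa, "KE": r.gx, "Nr": r.nonce, "IDr": r.id,
                       "HASH_R": hash_r}, False),
                ("I", {"HASH_I": hash_i}, False)]
    raise ValueError(f"unknown mode {mode!r}")


def cleartext_identities(transcript: list) -> set:
    """Identities a passive observer can read from the exchange."""
    return {v for _, payloads, enc in transcript if not enc
            for k, v in payloads.items() if k in ("IDi", "IDr")}


def offline_psk_guess(transcript: list, candidates: list):
    """Aggressive mode: HASH_R and all of its inputs except the PSK are in the
    clear, so a captured exchange lets an attacker test PSK guesses offline.
    This is a general property of IKEv1 aggressive mode with PSKs."""
    m1, m2 = transcript[0][1], transcript[1][1]
    if "HASH_R" not in m2:
        return None                                 # main mode: hash travels encrypted
    for guess in candidates:
        sk = prf(guess, m1["Ni"] + m2["Nr"])
        if hash_payload(sk, m1["KE"], m2["KE"], m2["IDr"]) == m2["HASH_R"]:
            return guess
    return None


if __name__ == "__main__":
    branch, hq = Peer(b"branch.example", b"s3cret"), Peer(b"hq.example", b"s3cret")
    print("main mode, IDs in clear:", cleartext_identities(run_phase1("main", branch, hq)))
    agg = run_phase1("aggressive", branch, hq)
    print("aggressive, IDs in clear:", cleartext_identities(agg))
    print("PSK recovered from capture:", offline_psk_guess(agg, [b"password", b"s3cret"]))
```

In the main-mode transcript the fifth and sixth messages are the only ones carrying identities, and they are encrypted under a key that already depends on the Diffie-Hellman secret; in the aggressive-mode transcript both identities and the responder's hash are readable in the first two messages.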
211. it to configure.
2. In the Interfaces area, select the PPPoE interface and then click Configure. The PPPoE Configuration dialog box opens (Figure 126).
Figure 126 PPPoE Configuration dialog box (fields: Obtain an IP address from ISP (DHCP); Specify an IP address; Obtain an IP address from ISP (PPPoE); Address translation [checked]; Advanced; OK; Cancel)
3. Click Advanced. The PPPoE Configuration advanced dialog box opens (Figure 127).
Figure 127 PPPoE Configuration advanced dialog box (fields: Demand mode [checked]; Timeout 10 mins / secs; OK; Cancel)
4. Enter the following information:
• Demand mode: Select this check box to enable dial-on-demand. When you clear this check box, the Contivity unit establishes and maintains a connection indefinitely.
• Timeout: Enter the number of minutes or seconds of inactivity over the PPPoE connection after which Contivity Branch Access terminates the connection. A value of 0 prevents the interface from timing out.
5. Click OK.
Chapter 9 IPX configuration and support
This chapter describes how to use your Contivity unit in an IPX environment.
Note: Contivity Branch Access does not support IPX in a Windows 2000
212. it to configure.
2. Choose Setup > Registration. The Registration Information dialog box opens (Figure 141).
Figure 141 Registration Information dialog box (areas: Customer Information with Phone, Purchased from, and Phone fields; LAN Information with Network, Version, and number of Workstations fields; OK)
3. Change the information as needed and then click OK.
Changing a unit's password
There are two levels of passwords for a Contivity unit: user and privileged. The password determines the type of access granted to the unit. The Contivity Branch Access administrative utilities require the privileged password. The Monitor program requires the privileged password for those functions now protected by the administrator password; Monitor displays statistic and diagnostic information without requiring any password. Unconfigured units and units without a password are automatically granted privileged access, so set the privileged password before the unit is reachable from any network you do not fully trust; until you do, anyone who can reach the unit has full configuration access. Be sure to remember your privileged password. You must enter it to make any configuration changes to the unit.
If you forget your password and need to configure the Contivity unit, you can do so by resetting the Configuration switches on the back of the unit. Because those switches clear the password, physical access to the unit amounts to privileged access, so keep the unit in a secured location. The procedure continues: t
213. derivative works from the Software or user manuals, or any copy, in whole or in part. Except as expressly provided in this Agreement, Licensee may not copy or transfer the Software or user manuals, in whole or in part. The Software and user manuals embody Nortel Networks' and its licensors' confidential and proprietary intellectual property. Licensee shall not sublicense, assign, or otherwise disclose to any third party the Software, or any information about the operation, design, performance, or implementation of the Software and user manuals that is confidential to Nortel Networks and its licensors; however, Licensee may grant permission to its consultants, subcontractors, and agents to use the Software at Licensee's facility, provided they have agreed to use the Software only in accordance with the terms of this license.
3. Limited warranty. Nortel Networks warrants each item of Software, as delivered by Nortel Networks and properly installed and operated on Nortel Networks hardware or other equipment it is originally licensed for, to function substantially as described in its accompanying user manual during its warranty period, which begins on the date Software is first shipped to Licensee. If any item of Software fails to so function during its warranty period, as the sole remedy Nortel Networks will at its discretion provide a suitable fix, patch, or workaround for the problem that may be included in a future Software release. Nortel Networks further wa
214. individual server connected to a port on the seven-port Ethernet switch (Eth1) on the front of the Contivity unit. The primary benefit of using the Ethernet switch for your DMZ is to isolate data traffic from one server to another and to eliminate the need for a separate hub.
To add a server to the DMZ:
1. Determine an appropriate IP address range for the DMZ subnet and assign the server an IP address on the DMZ subnet.
2. Connect the server to the DMZ:
• Use a crossover cable to connect an Ethernet connector (Eth2 or Eth3) on the rear of the Contivity unit directly to a single machine on the DMZ.
• Use a straight-through cable to connect an Ethernet connector on the rear of the Contivity unit (Eth2 or Eth3) to a hub or switch, to connect multiple machines to the DMZ.
• Use either a straight-through or crossover cable to connect the Ethernet switch (Eth1) on the front of the Contivity unit to a single machine on the DMZ or to a hub or switch.
Configuring a Contivity unit to support a DMZ
After you connect a DMZ to your Contivity unit, you configure Contivity Branch Access to support the DMZ. You must:
• Configure the interface
• Publish the server
• Decide whether to enable IP forwarding
Configuring the interface to support the DMZ
To configure the interface to support the DMZ:
1. Start Setup and, if prompted, select a unit to configure.
2. Click Add.
3. Click Network. The Enter IP Information for Interface dialog box opens (Figure 112).
215. Table 27 SYSLOG messages for IPsec events (continued) (Priority / Message / Meaning)
Error / no proposal chosen / One end did not choose any of the other end's proposals. 1. Check the encryption types on both ends to ensure they match. 2. Enable all required authentication types. 3. Configure both ends to use the same routing type. 4. Configure both ends to have matching local and remote network definitions. 5. Ensure the PFS settings on both ends match: either enable PFS on the remote end or disable PFS on the local end.
Error / quick mode no subnet / A message was received with an incorrect subnet. Check the tunnel configuration.
Error / receive bad authorize from <destination> / A received packet was corrupted.
Error / receive bad decrypt from <destination> / A received packet was corrupted.
Error / receive bad trailer from <destination> / A received packet was corrupted.
Error / receive no subnet / A message was received without a subnet. Check the tunnel configuration.
Error / tunnel limit exceeded / The maximum number of tunnels are in use.
Error / unexpected message type from <destination> / An unsupported message type was received.
Warning / invalid aggressive mode message from <destination> / An invalid or duplicate message was received.
Warning / invalid decrypt or payloads / An inv
Note that the "bad authorize" and "bad decrypt" messages are produced by any packet that fails integrity checking, which is also what tampered or replayed packets look like; a burst of them from a source that is not a configured peer is worth investigating rather than dismissing as line noise.
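The SYSLOG configuration example (facility Local2, priority Error, Notify needed for the Telnet test) and the IPsec messages in Table 27 above, worked through with a small receiver-side filter. This is an added example, not Contivity code: it decodes the BSD syslog <PRI> field (8 times the facility code plus the severity code) and applies the threshold rule the manual describes. The sample lines are constructed; their message texts reuse wording from Table 27, while the timestamps, host names and 203.0.113.0/24 addresses are made up.

```python
"""BSD syslog (RFC 3164) priority decoding and threshold filtering, added
here as an illustration of the facility/priority settings the manual
describes.  It is not Contivity code, and the sample lines are constructed:
the message texts reuse wording from Table 27; the timestamps, host names
and 203.0.113.0/24 addresses are made up.
"""
import re
from typing import List, NamedTuple

# RFC 3164 severity codes 0..7, using the manual's names where it has them.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notify", "informational", "debug"]
FACILITIES = {0: "kern", 1: "user", 3: "daemon", 4: "auth", 5: "syslog"}
FACILITIES.update({16 + n: f"local{n}" for n in range(8)})   # local0..local7

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


class SyslogMessage(NamedTuple):
    facility: str
    severity: str
    text: str


def parse(line: str) -> SyslogMessage:
    """Split '<PRI>text' into facility, severity and text (PRI = 8*facility + severity)."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m.group(1))
    return SyslogMessage(FACILITIES.get(pri // 8, f"facility{pri // 8}"),
                         SEVERITIES[pri % 8], m.group(2).strip())


def passes(msg: SyslogMessage, facility: str, threshold: str) -> bool:
    """True if msg comes from `facility` and is at least as severe as `threshold`.
    Lower severity codes are more severe, so 'error' (3) admits codes 0..3."""
    return (msg.facility == facility and
            SEVERITIES.index(msg.severity) <= SEVERITIES.index(threshold))


def filter_lines(lines: List[str], facility: str = "local2",
                 threshold: str = "error") -> List[SyslogMessage]:
    return [m for m in map(parse, lines) if passes(m, facility, threshold)]


# Constructed sample: Local2 is the facility the manual's example selects.
SAMPLE_LINES = [
    "<147>Jun 13 18:33:50 contivity ipsec: no proposal chosen",                  # local2.error
    "<148>Jun 13 18:33:51 contivity ipsec: invalid aggressive mode message "
    "from 203.0.113.7",                                                           # local2.warning
    "<149>Jun 13 18:33:52 contivity telnetd: connection from 203.0.113.12",       # local2.notify
    "<150>Jun 13 18:33:53 contivity pppoe: link up",                              # local2.informational
    "<27>Jun 13 18:33:54 otherhost cron: job failed",                             # daemon.error
]


if __name__ == "__main__":
    for threshold in ("error", "notify"):
        kept = filter_lines(SAMPLE_LINES, "local2", threshold)
        print(f"threshold={threshold}: {len(kept)} of {len(SAMPLE_LINES)} lines kept")
        for m in kept:
            print(f"  {m.facility}.{m.severity}: {m.text}")
```

With the threshold at error only the "no proposal chosen" line survives; the Telnet connection notice that the manual uses to test logging is dropped until the threshold is lowered to notify, and the daemon-facility line from another host is never admitted to the Local2 view regardless of threshold.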
216. After the trace completes, the percentage of lost packets and the average number of milliseconds per hop are displayed at the bottom of the statistics area of the window.
Figure 151 Trace test (IITools window; menus File, Edit, Action, View, Help; Stop button)
Hop 1: 0 ms, 47.100.60.1 (ttxsrO.us.nortel.com)
Hop 2: 0 ms, 206.210.194.4 (corwanvpn.perftech.com)
Hop 3: 22 ms, 47.230.0.6 (erchg4e1.us.nortel.com)
Hop 4: 21 ms, 47.103.242.1 (trchr32.us.nortel.com)
Hop 5: 23 ms, 47.101.0.211 (tngbre1.us.nortel.com)
Hop 6: 62 ms, 47.255.2.53 (tbrwrc1.ca.nortel.com)
Hop 7: 64 ms, 47.255.252.6
Hop 8: 75 ms, 47.249.2.12 (etcfc2e2.ca.nortel.com)
Hop 9: 76 ms, 47.249.32.64 (www.nortelnetworks.com)
Lost packets 0.00%. An average of 49 milliseconds per hop. Done.
Testing the echo port of a host
You can use the stress tool to test the echo port of a selected host. An echo port is a well-known port that returns any data sent to it. The stress test generates a load on the system to see what the throughput is to a host. Using the stress tool, you can:
• Load a host for testing
• Measure the throughput of a host
To test the echo port of a host:
1. Choose the Host you want to test. If the host you want to stress is not in the list, type the host name or IP address in the Host box.
2. Click Stress. The stress test begins and y
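The statistics the trace test (Figure 151 above) and the ping test report, computed from text in the layout of the trace window. This is an added example, not Contivity code: it parses one line per hop of the form "<ms> ms <address> [<name>]", treats "*" as a probe that got no reply, and computes lost packets as probes unanswered over probes sent, which is the manual's ping definition; the same functions apply to a list of ping probes. The sample trace is constructed from documentation addresses and is not the Figure 151 data.

```python
"""Computes the statistics the trace and ping tests report (percentage of
lost packets, average milliseconds per hop or probe, whether the target
answered) from text in the layout of the Figure 151 window: one line per
hop, '<ms> ms <address> [<name>]', with '*' for a probe that got no reply.
Added here as an illustration; it is not Contivity code and the sample
output below is constructed (documentation addresses, not real hops).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(
    r"^\s*(?:(?P<ms>\d+(?:\.\d+)?)\s*ms|(?P<lost>\*))"
    r"(?:\s+(?P<addr>\S+))?(?:\s+(?P<name>\S+))?\s*$")


@dataclass
class Hop:
    seq: int
    ms: Optional[float]        # None when the probe timed out
    addr: Optional[str]
    name: Optional[str]


def parse_trace(text: str) -> List[Hop]:
    hops = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised trace line {n}: {line!r}")
        ms = None if m["lost"] else float(m["ms"])
        hops.append(Hop(n, ms, m["addr"], m["name"]))
    return hops


def lost_percent(hops: List[Hop]) -> float:
    """Lost packets = probes with no reply / probes sent (the manual's ping
    definition; 'received / sent' would be the delivery rate instead)."""
    if not hops:
        return 0.0
    return 100.0 * sum(1 for h in hops if h.ms is None) / len(hops)


def avg_ms_per_hop(hops: List[Hop]) -> Optional[float]:
    answered = [h.ms for h in hops if h.ms is not None]
    return sum(answered) / len(answered) if answered else None


def reached(hops: List[Hop], target: str) -> bool:
    """True when the last hop that answered is the target address or name."""
    last = next((h for h in reversed(hops) if h.ms is not None), None)
    return last is not None and target in (last.addr, last.name)


# Constructed sample in the style of Figure 151; the probe at hop 3 timed out.
SAMPLE_TRACE = """\
 0 ms 192.0.2.1 gw.branch.example
22 ms 198.51.100.6 edge.isp.example
*
62 ms 203.0.113.53 core.isp.example
76 ms 203.0.113.64 www.nortelnetworks.com
"""


if __name__ == "__main__":
    hops = parse_trace(SAMPLE_TRACE)
    for h in hops:
        rtt = "*" if h.ms is None else f"{h.ms:.0f} ms"
        print(f"{h.seq:>2} {rtt:>6} {h.addr or ''} {h.name or ''}")
    print(f"Lost packets {lost_percent(hops):.2f}%")
    print(f"An average of {avg_ms_per_hop(hops):.0f} milliseconds per hop")
    print("target reached:", reached(hops, "www.nortelnetworks.com"))
```

A probe that times out counts toward the loss percentage but not toward the average, so a trace with a silent intermediate hop still reports a meaningful per-hop latency; the reached check looks at the last answering hop rather than the last line, which is how a "host recognized as unreachable" result differs from a trace that merely crossed a router that drops probes.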
217. k mark next to the menu item indicates that it is enabled.
Configuring automatic logging
The AutoLog window displays the following information:
• Log Type: Shows whether the type of log is a User log or a Connection log.
• Server Name: Shows the name of the selected Contivity unit.
• Frequency: Shows how often the logs are automatically saved.
When you activate AutoLog for the first time, the AutoLog window columns are blank. You must configure the log types, server names, and frequency of auto-saves.
To configure log types, server names, and the frequency of auto-saves:
1. In the AutoLog window, click Add. The Event Information dialog box opens (Figure 77).
Figure 77 Event Information dialog box (Server to log; Log Type: User or Connection; Lookup Addresses check box; Logging interval: Create new log file Every time, Daily, Weekly, or Monthly; Log file directory; Log file name)
2. In the Server to log list, select a Contivity unit for automatic logging.
3. In the Log Type area, select whether the log is a User log or a Connection log.
4. To have Contivity Branch Access look up addresses, select the Lookup Addresses check box. If you enable this option, Contivity Branch Access automatically turns numeric addresses i
218. l Auto loopback (dialog box residue: Auto loopback check box, Backup interface <none>, Cancel)
4. Configure any of the following:
• Starting Channel: A T1 line has 24 channels (1 to 24). When you order a fractional T1 service, only part of the channels are available for data transmission. In some cases the Contivity unit may need to send data on a block of channels that do not start on Channel 1, so you must change the starting channel.
• Channels are: Depending on what your T1 service provider assigns you, you will select Consecutive (every one) or Alternating (every other one). In some rare cases you may have a block of channels available but may be able to send data only on every other channel. In this case, select Alternating.
• Line style: The T1 bandwidth is used to carry T1 performance data and commands such as loopback. This data may follow one of two standards: ANSI T1.403 or AT&T 54016. This value should be supplied by your T1 service provider. If this value is set incorrectly, the performance data may not be available and a loopback request may not be recognized.
• Clock: If the network provides the clock for the T1 line, select External. If the Contivity unit provides the clock, select Internal. In almost all cases the network provides the clock.
• Auto loopback: Auto loopback is used for diagnostics and allows the network to force the Contivity unit into loopback. Leave this check box selected unless directed otherw
219. l cookies for all unconfigured Web sites and permit cookies only for individual Web sites that require them.
In this manual, the term "unconfigured Web site" is used to refer to any Web site that is accessed for the first time through the Contivity unit, as well as any Web site that does not have site-specific settings. The term "configured Web site" refers to any Web site that has site-specific settings configured on its cache settings page.
For example, if you cache entries from www.abcnews.com and then set the default Web site option to block cookies for all Web servers, the Contivity unit no longer accepts cookies from www.abcnews.com, because it is an unconfigured Web site that complies with the default Web site options. However, if you set the site-specific option for www.abcnews.com to allow the Web server to set cookies, it is a configured Web site. Setting the default Web site option to block cookies to all servers has no effect on www.abcnews.com; you can still view entries with cookies for that site.
If a Web site requires cookies but they are blocked, any of the following may occur:
• The originating Web server returns a message indicating that cookies are required.
• When a Web site requires a user ID and password, the Web site prompts the user to sign on again after the user signs on the first time.
• When a Web site offers online shopping, the user adds an item
220. lity to provide fault tolerance, automatic user load balancing, and modified user access to individual units. You can set specific defaults in the install.cfg file before installing the individual workstation software; then you can use these defaults to assign specific users to specific Contivity units during automatic workstation installation.
For details on using the install.cfg file, refer to Installing the Contivity Branch Access Management Software Version 7.20.
Note: When you install multiple Contivity units, be sure to install each unit individually; that is, plug in one unit, configure the unit, and complete the installation before plugging in the next unit. This practice maintains the simplicity of installing multiple units and avoids any confusion regarding which unit is currently being configured.
Configuring fault tolerance and automatic user load balancing
With multiple Contivity units, you achieve fault tolerance and automatic user load balancing with the unit line parameter in the install.cfg file:
unit iibox1
If you want to connect to a particular unit and use a second unit as backup in the event that the first unit is down or busy or has reached its simultaneous application limit, the install.cfg entry looks like this:
unit iibox1 backupii
where you have two Contivity units, one called iibox1
221. ll local subnets that will participate in the VPN. If you are using non-split tunneling, specify an IP address of 0.0.0.0 and a mask of 0.0.0.0. For more information on split and non-split tunneling, refer to "Managing local and remote IP addresses" on page 41.
Click Add to create the new network. Click Close.
7. In the CVS main window, choose Profiles > Groups. Either add a group or select an existing group that will use the VPN, and configure the group with the following information:
a. In the Connectivity area, click Configure.
b. In the Idle Timeout box, configure the timeout for 1 minute, and then click OK.
c. In the IPsec area, click Configure, and then do the following: In the Split Tunnel Networks box, specify the network you created in step 2. In the Client Selection area, configure the CVS to allow non-Contivity clients for the selected group. Click OK.
8. In the CVS main window, choose Profiles > Users.
9. Either add a user or select an existing user from the group that you configured in step 7, and configure the user with the following information.
Note: You must configure the user as a local user in the LDAP database (internal or external); you cannot use RADIUS authentication for this type of connection.
10. Edit the new or selected user with the following information:
a. In the General area, assign an IP address to the remote user in the Stati
222. ll dialog boxes to save your changes. Netscape Communicator now uses the HTTP Web proxy when it connects to any non-local host.
To configure Internet Explorer for the PC:
1. Start Internet Explorer.
2. Choose Tools > Internet Options. The Internet Options dialog box opens.
3. Click the Connections tab.
4. In the Local Area Network (LAN) settings area, click LAN Settings. The Local Area Network (LAN) Settings dialog box opens.
5. In the Proxy server area, click the Use a proxy server check box.
6. Click Advanced. The Proxy Settings dialog box opens.
7. In the HTTP Proxy address to use box, enter the IP address of the Contivity unit's LAN-side interface.
8. In the Port box, enter the port you selected when you enabled the Web proxy service (typically 8080).
9. Click OK through all dialog boxes to save your changes.
Internet Explorer now uses the HTTP Web proxy when it connects to any non-local host.
Configuring a Contivity unit as a DNS proxy server
A Domain Name Service (DNS) server translates host names into IP addresses. Your ISP usually provides this service. Contivity Branch Access provides a DNS proxy service through which your IP workstations can access your ISP's server. There are several advantages to using this service:
• Access control: By setting up the Contivity unit as a DNS proxy server, you can apply host name access controls to your IP workstations.
• Maintenance
223. log boxes to save your changes. Netscape Communicator now uses the SOCKS server when connecting to any non-local host.
To configure Internet Explorer for the PC:
1. Start Internet Explorer.
2. Choose Tools > Internet Options. The Internet Options dialog box opens.
3. Click the Connections tab.
4. In the Local Area Network (LAN) settings area, click LAN Settings. The Local Area Network (LAN) Settings dialog box opens.
5. In the Proxy server area, click the Use a proxy server check box.
6. Click Advanced. The Proxy Settings dialog box opens.
7. In the Socks Proxy address to use box, enter the IP address of the Contivity unit's LAN-side interface.
8. In the Port box, enter 1080.
9. Click OK through all dialog boxes to save your changes.
Internet Explorer now uses the SOCKS server when connecting to any non-local host.
Third-party socksifying software
Although SOCKS is supported directly by some common applications, many older applications that are not SOCKS-enabled can be "socksified". Socksifying allows these applications to use the SOCKS server transparently. SOCKS workstation software, which performs this transparent socksification of non-SOCKS-enabled software, is often called a socksifying layer because it acts as an invisible layer between the application and the platform's native TCP/IP software. For the PC platform, several third-party socksifying layers are available, both commercially a
224. mail that functions as a unified post office for addressing mail to all users on all nodes of wide area and local area networks.
SNMP: Simple Network Management Protocol. A standard for network management that permits authorized SNMP management systems requesting an SNMP "get" to receive the standard Management Information Base II (MIB II) variables.
SNMP trap: A message sent to an SNMP host when the community string of the SNMP host does not match the community string of the Contivity unit.
SOCKS: An Internet protocol that lets IP client applications connect to the Internet through a firewall.
SPID: Service Profile Identifier. Used only in North America. SPID numbers are unique identifier numbers provided by your local telephone company when you install an ISDN line. Usually two SPID numbers are provided, but sometimes one and even none is provided. In many cases both SPID numbers are required if you want to connect at a speed greater than 64 Kb/s. A SPID number is typically 14 digits long and consists of the 10-digit telephone number (area code plus phone number) followed by the digits 0101. Other variations of this number are possible, and your telephone company can provide you with the correct information for your ISDN line.
STP: Shielded Twisted Pair.
subnet mask: A value used to route packets on TCP/IP networks. The subnet mask is automatically computed based on the IP address and m
225. mation | release <ip_address> <hostname> <mac_address> | A DHCP client has released its address.
Information | renew <ip_address> | A DHCP client has renewed its address.
Table 27 describes the SYSLOG messages for IPsec events.
Table 27 SYSLOG messages for IPsec events
Priority | Message | Meaning
Critical | bind failed | Critical code fault. Contact Nortel Networks Technical Support immediately.
Critical | socket error <error> from <ip_address> | Critical code fault. Contact Nortel Networks Technical Support immediately.
Critical | transmit encrypt failed | Critical code fault. Contact Nortel Networks Technical Support immediately.
Error | ESP no tunnel | A message has been received that does not match any current tunnel.
Error | invalid hash value from <destination> | A message has been received with an invalid authorization or key. Check the tunnel configuration.
Error | invalid inform message from <destination> | An invalid or unsupported request was received.
Error | invalid SA format | An invalid format was received.
Error | invalid user name | User name is incorrect. Check the tunnel configuration.
Error | ISAKMP from unexpected address <ip_address> | A message was received from an unconfigured address. Check the tunnel configuration.
Error | new message without ISAKMP SA from <destination> | A message did not follow the IPsec message sequence protocol.
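The Table 27 message texts (both halves of the table) lend themselves to automated review of a unit's syslog feed. The following is an added example, not code from the Nortel manual: it matches message text against the table's templates, turning the manual's angle-bracket placeholders into captured fields, and flags a peer that repeatedly produces authorization or decryption failures, which the table says to answer by checking the tunnel configuration. The syslog line layout ("<month> <day> <time> <unit> <message>") and the sample lines are constructed assumptions.

```python
"""Classify Contivity Branch Access SYSLOG messages for IPsec events (Table 27)
and flag peers that repeatedly fail authorization or decryption.
Added example, not part of the manual; line layout and sample lines are constructed."""
import re
from collections import Counter, defaultdict

# (priority, message template, meaning) rows transcribed from Table 27.
# Angle-bracket tokens are the manual's placeholders and become capture groups.
TABLE_27 = [
    ("Critical", "bind failed", "Critical code fault; contact technical support."),
    ("Critical", "socket error <error> from <ip_address>", "Critical code fault; contact technical support."),
    ("Critical", "transmit encrypt failed", "Critical code fault; contact technical support."),
    ("Error", "ESP no tunnel", "Message does not match any current tunnel."),
    ("Error", "invalid hash value from <destination>", "Invalid authorization or key; check the tunnel configuration."),
    ("Error", "invalid inform message from <destination>", "Invalid or unsupported request."),
    ("Error", "invalid SA format", "Invalid format received."),
    ("Error", "invalid user name", "User name is incorrect; check the tunnel configuration."),
    ("Error", "ISAKMP from unexpected address <ip_address>", "Message from an unconfigured address; check the tunnel configuration."),
    ("Error", "new message without ISAKMP SA from <destination>", "Message did not follow the IPsec message sequence."),
    ("Error", "no proposal chosen", "Proposal mismatch; compare encryption, authentication, routing type, network definitions and PFS on both ends."),
    ("Error", "quick mode no subnet", "Incorrect subnet; check the tunnel configuration."),
    ("Error", "receive bad authorize from <destination>", "Received packet was corrupted."),
    ("Error", "receive bad decrypt from <destination>", "Received packet was corrupted."),
    ("Error", "receive bad trailer from <destination>", "Received packet was corrupted."),
    ("Error", "receive no subnet", "Message without a subnet; check the tunnel configuration."),
    ("Error", "tunnel limit exceeded", "Maximum number of tunnels in use."),
    ("Error", "unexpected message type from <destination>", "Unsupported message type received."),
    ("Warning", "invalid aggressive mode message from <destination>", "Invalid or duplicate message received."),
]

# Messages whose repetition from one peer points at a key mismatch or tampering.
PEER_INTEGRITY_EVENTS = {
    "invalid hash value from <destination>",
    "receive bad authorize from <destination>",
    "receive bad decrypt from <destination>",
    "receive bad trailer from <destination>",
}


def _compile(template):
    """Turn 'receive bad decrypt from <destination>' into an anchored regex."""
    parts = re.split(r"(<\w+>)", template)
    regex = "".join(
        "(?P<%s>.+?)" % p[1:-1] if p.startswith("<") else re.escape(p)
        for p in parts
    )
    return re.compile("^" + regex + "$")


_PATTERNS = [(prio, tmpl, meaning, _compile(tmpl)) for prio, tmpl, meaning in TABLE_27]


def classify(message):
    """Match one syslog message text against Table 27; None if it is not an IPsec event."""
    for prio, tmpl, meaning, rx in _PATTERNS:
        m = rx.match(message.strip())
        if m:
            return {"priority": prio, "template": tmpl, "meaning": meaning,
                    "fields": m.groupdict()}
    return None


def summarize(lines, threshold=3):
    """Count events by priority and list peers with at least `threshold` integrity failures.

    Each line is assumed to look like '<month> <day> <time> <unit> <message>' (constructed)."""
    by_priority = Counter()
    per_peer = defaultdict(int)
    unknown = []
    for line in lines:
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue
        hit = classify(fields[4])
        if hit is None:
            unknown.append(fields[4])
            continue
        by_priority[hit["priority"]] += 1
        if hit["template"] in PEER_INTEGRITY_EVENTS:
            per_peer[hit["fields"]["destination"]] += 1
    flagged = sorted(p for p, n in per_peer.items() if n >= threshold)
    return {"by_priority": dict(by_priority), "per_peer": dict(per_peer),
            "flagged_peers": flagged, "unknown": unknown}


# Constructed sample log lines (RFC 5737 documentation addresses, unit name from the manual).
SAMPLE_LINES = [
    "Jul 02 10:00:01 iibox1 invalid hash value from 203.0.113.7",
    "Jul 02 10:00:03 iibox1 receive bad decrypt from 203.0.113.7",
    "Jul 02 10:00:05 iibox1 receive bad decrypt from 203.0.113.7",
    "Jul 02 10:00:09 iibox1 no proposal chosen",
    "Jul 02 10:00:12 iibox1 ISAKMP from unexpected address 198.51.100.9",
    "Jul 02 10:00:15 iibox1 socket error 10054 from 198.51.100.2",
    "Jul 02 10:00:20 iibox1 invalid aggressive mode message from 203.0.113.8",
    "Jul 02 10:00:25 iibox1 line 2 of 2 active",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for peer in report["flagged_peers"]:
        print("peer %s: %d integrity failures; check the pre-shared key and tunnel configuration"
              % (peer, report["per_peer"][peer]))
    print(report)
```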
226. meden  196
Configuring a static route  196
CONN P IWAN  199
Enabling IP forwarding  199
Enabling IP forwarding for a Contivity unit  200
Enabling IP forwarding for two interfaces  201
Enabling IP forwarding for two Ethernet interfaces  201
Using network address translation (NAT)  202
Configuring NAT  203
Disabling address translation  203
Publishing a private server  204
Using Dynamic DNS  204
Configuring Contivity Branch Access to publish a private server  205
Configuring an IP filter  211
Processing a packet through an IP filter  212
Applying a filter to an interface  217
Enabling a Contivity unit as a DHCP server  218
Scopes and leases  219
Using the DHCP/BootP relay agent feature  220
Configuring a Contivity unit as a D
227. mote Contivity Branch Access unit's public address or fully qualified domain name (FQDN). If you specify an FQDN, it is resolved each time a connection is initiated.
In the Local Addresses area, click Add to enter the IP addresses of a local network allowed to participate in the tunnel. For more information, refer to "Managing local and remote IP addresses" on page 41. The default local address is that of your LAN.
In the Remote Addresses area, click Add to enter the IP addresses of the remote site that is accessed through the tunnel. For details, refer to "Adding a local or remote IP address" on page 41.
Click OK. The Monitor Connection dialog box opens (Figure 11).
Figure 11 Monitor Connection dialog box
10. Do one of the following:
• If you do not want to monitor or control the connection, click No. Skip to step 13.
• If you want to monitor or control the connection, click Yes. The Enter Monitor/Control Connection Information dialog box opens (Figure 12). Continue with step 11.
Figure 12 Enter Monitor/Control Connection Information dialog box
11. Enter the following information:
• Connection: Choose whether you want to monitor or control the connection. For more inf
228. moved. Click Remove and then click Yes.
When you use an NTP server for the time and date, the Contivity unit checks that server every 12 hours for the correct time. If you have a dial-up connection, this check occurs only when a line is up. You can view the NTP log provided in Setup to verify that the correct server supplied the time and any adjustments.
7. Click Time Zone. The Time Zone dialog box opens (Figure 145).
Figure 145 Time Zone dialog box (list of GMT offsets and the "Automatically adjust clock for daylight saving changes" check box)
8. Select the time zone. To automatically adjust the unit's clock for daylight savings time, select the check box.
9. Click OK through all dialog boxes.
10. In the main Setup window, click Save and Exit.
Selecting additional support options
To view and select additional support options:
1. Start Setup and, if prompted, select a unit to configure.
2. Choose Support > Other Settings. The Other Settings dialog box opens (Figure 146).
Figure 146 Other Settings dialog box
Enabl
229. n aggressive mode connection (Initiator).
To configure Contivity Branch Access as a branch office VPN tunnel:
1. Start Setup and, if prompted, select a unit to configure.
2. In the main Setup window, click Add.
3. The Select Connection Type dialog box opens (Figure 16).
Figure 16 Select Connection Type dialog box (Dialup is for connections using the built-in modem; Network is for a connection to a LAN; Alias is for multiple IP addresses on the same interface; IPsec is for establishing an IPsec tunnel to another device)
4. Click IPsec. The Select Connection Device dialog box opens (Figure 17).
Figure 17 Select Connection Device dialog box (Contivity is for connections with a Contivity VPN Switch; Instant Internet is for connections with an Instant Internet unit; Other)
6. Click Contivity. The Select Type of Connection dialog box opens (Figure 18).
Figure 18 Select Type of Connection dialog box (Branch Peer-to-Peer is for a main mode branch connection and requires a static public IP address; Branch Initiator is to initiate an aggressive mode branch connection and requires CVS version 4.0 or later; Cli
230. n dialog box opens (Figure 23).
Figure 23 IPsec Configuration dialog box (Name, Key, Destination; Using Client Address Redistribution (CAR) or Static Address; Remote Addresses: Add, Remove)
6. Enter the following information:
• Name: Enter a name for the tunnel. This name is the local user you configured on the CVS.
• Key: The key is the password for the tunnel and must match the pre-shared key you configured on the CVS. A key cannot begin with a backslash.
• Destination: Specify the public IP address of the CVS.
7. Select whether the client initiates a tunnel:
• Using Client Address Redistribution (CAR): When a client initiates a tunnel, the CVS assigns an inner address to the client. If the address does not belong to any of the locally attached CVS networks, you must enable CAR to ensure that these addresses are advertised in the dynamic route updates sent by the CVS.
• Static Address: Select the interface that was assigned to the local user on the CVS. The interface is often the same as the Contivity Branch Access unit's private LAN interface. If the address is not the same, Setup creates an alias interface for the Contivity Branch Access unit and assigns it a static address.
8. Click Add to enter the remote IP addresses allowed to participate in the tunnel.
Note: These addres
231. n ew ead eeee CHEE oR Aka OWS  302
16-bit Winsocks  302
MOONE WINSDEKS  303
Winsock 1.1 and Winsock 2.0  303
Using multiple versions of Winsock  303
Using multiple 16-bit Winsocks  304
Using multiple 32-bit Winsocks  304
Winsock files installed  305
WORUOWS OO  305
Windows 95, Windows 98, and Windows Me  305
MOA BEF  306
Waona NTAD  306
Resolving Winsock conflicts during installation  306
IP filters and Winsock compatibility  307
Configuring the Contivity unit in a multiple unit environment  307
Configuring fault tolerance and automatic user load balancing  308
Configuring multiple default sets  309
Installing multiple Contivity units  312
Tips for installing multiple Contivity units  312
Chapter 10 Contivity unit configuration, support
232. n is up or down and the number of hours and minutes up or down. For a VPN tunnel, it shows the authentication and encryption types for a connection.
For ISDN, the status field always has the form: up/down, n/m active, dialing x, no MP, y disabled.
• up/down: The status of the interface. This status depends on whether the interface is fully activated and IPCP negotiation is complete.
• n/m active: Where n is the number of individual B channels active and m is the number of available B channels in the bundle (normally 2).
• dialing x: Appears only if one or more of the B channels are attempting to connect; x is the number of channels dialing.
• no MP: Appears only if a Multilink connection is attempted but the ISP does not allow MP or the ISP rejects the MP request.
• y disabled: Appears only if one or more individual B channel interfaces are disabled; y indicates the number of disabled interfaces.
Timeout: The current timeout value is displayed in 0:00/0:00 format. The first value shows how much time has elapsed with no activity. The second value shows the inactivity timeout value. For a VPN tunnel, it shows the SA lifetime timeout.
Connects: The number of successful connections, the number of connection attempts, and the percentage of successful connections.
Disconnects: The number of lines dropped from the user's end of the connection, the number of total line drops, and the percentage of connections dropped from the user's end
233. n the Add Incoming Port dialog box.
Table 10 Add Incoming Port dialog box items
Item | Description
Allow | Allows access.
Do not allow | Denies access.
Type | TCP (connection-oriented); UDP (connectionless); Both (TCP and UDP).
IP Address | Enter the IP address of the host. If you do not know the IP address, you can enter the host name and select the Lookup IP Address button. Contivity Branch Access looks up the IP address of the specified host name.
Port | Select a port number. If you are specifying a range of ports, this is the beginning port number.
Ending Port | To enter a range of ports, select an ending port number.
5. Do one of the following:
• To allow access to the incoming port, click Allow.
• To deny access to the incoming port, click Do not allow.
6. Select a Type.
7. Specify an IP Address.
8. Specify an Incoming Port.
9. Specify an Ending port.
10. Click OK.
Removing incoming port access
To remove an incoming port from the list:
1. In the Admin window, select a group folder or user icon.
2. On the toolbar, click Change. The Change Settings of User dialog box opens (Figure 57).
Figure 57 Change Settings of User dialog box (Change Settings of User: Robin)
3. Click Incoming Ports.
4. In the Change Incoming Ports dialog box, select the i
234. n the Web Cache page, click Configure. The unit Configuration page opens.
3. In the unit Level area, click Customize. The Custom Cache Level page opens.
4. Configure the Custom cache level options. Click Help for more information about each field on any page.
Interpreting statistics
On the Web Cache Statistics page, you can view statistical information about the Contivity unit's Web cache. The data available on this page can help you understand how your organization uses the cache. You can use these statistics to assess the effectiveness of the Web cache and to fine-tune options to enjoy the greatest bandwidth savings.
Note: Some of the statistics on the Web Cache Statistics page are for your information only; you cannot fine-tune them. More information about these fixed statistics is available on the Statistics Help page. This chapter focuses on the statistics you can manipulate when you fine-tune your cache settings.
To view Web cache statistics:
1. On the Home page, click Web Cache. The Web Cache page opens.
2. On the Web Cache page, click Statistics. The Web Cache Statistics page opens. Click Help for more information about each field on any page.
Using statistics to fine-tune cache settings
On the Web Cache Statistics page, you can view information on the response rate, maximum and average entry size, entry expiration settings, entry request counts, cache utiliz
235. ncel. The Create a User dialog box opens (Figure 29).
Figure 29 Create a User dialog box
4. Enter the new user name. User names can be up to 255 characters in length and must be unique.
5. Click OK.
Creating a group
To create a new group:
1. Do one of the following:
• On the toolbar, click Groups.
• Choose Groups > View Group List.
2. Select the icon of the group you want to use as a template. If you do not want to use a template, you do not have to select a group.
3. On the toolbar, click Create. If you selected a group in step 2, you are prompted to verify that the group's profile is to serve as a template (Figure 30).
Figure 30 Prompt to use selected group as a template ("Create new group using <Everyone> as a template?")
The Create a Group dialog box opens (Figure 31).
Figure 31 Create a Group dialog box (Group name)
4. Enter the new group name. Group names can be up to 255 characters in length and must be unique.
5. Click OK.
Adding a user to a group
When you add a user to a group, the user inherits the group's characteristics. You can add a user to or remove it from a group.
To add a user to a group by dragging:
1. On the toolbar, click
236. ncoming port to which the group or user is to be denied access.
5. Click Delete. A confirmation message box opens (Figure 58).
Figure 58 Delete incoming port confirmation message box ("Delete the selected incoming port?")
6. Confirm the deletion when prompted. The incoming port is deleted from the group's or user's access list, and the user no longer has access to that incoming port.
Changing incoming port access
To change group or user access of current incoming ports:
1. In the Admin window, select a group folder or user icon.
2. On the toolbar, click Change. The Change Settings of User dialog box opens (Figure 59).
Figure 59 Change Settings of User dialog box (Change Settings of User: Robin)
3. Click Incoming Ports.
4. In the Change Incoming Ports dialog box, select the incoming port for which the group or user access is to be changed.
5. Click Change. The Change Incoming Port dialog box opens (Figure 60).
Figure 60 Change Incoming Port dialog box (Allow or Do not allow; Type: TCP, UDP, Both; IP Address 192.168.1.15)
6. Change the information.
7. Click OK. When
237. ncreasing efficiency and saving bandwidth. You can:
• Change the cache level. The Contivity unit is shipped with three predefined cache levels and an additional custom level that sets expiration and certain special Web request options for the Contivity unit. The first thing you can do to increase efficiency is change from the default Moderate cache level to the Aggressive level. For details, refer to "Selecting a cache level" on page 245.
• Restrict Web servers from setting cookies on client workstations. Restricting cookies enables the cache server to cache Web entries it may otherwise be unable to cache. For details, refer to "Managing cookies" on page 259.
• Restrict user access to certain Web sites. Frequent or recreational access to unacceptable Web sites can fill up the cache and unnecessarily increase bandwidth consumption. For details, refer to "Managing Web site access" on page 264.
• Review the cache statistics and make adjustments based on individual statistics. Fine-tuning cache settings can increase bandwidth savings. For details, refer to "Using statistics to fine-tune cache settings" on page 251.
When you first install the Contivity unit, you should run it with the default settings until the cache entries fill up to 100% (the "Cache entries full" statistic on the Web Cache Statistics page) to establish a benchmark against which you can measure future changes. Af
238. nd establish access control policies. Contivity Branch Access also provides graphic views of branch throughputs, both for Internet access and VPN tunnels.
DHCP Server: Using the Contivity unit as a DHCP server allows you to configure a single option on each workstation and then configure the Contivity unit once. When you install the Contivity Branch Access management software, the Install program determines whether or not you are running DHCP on your network. If not, the software configures itself as a DHCP server. If the software does not configure itself as a DHCP server and you want to use this service, you must enable it.
DNS Proxy Server: The Contivity unit acts as a Domain Name Service (DNS) proxy server by translating host names into numerical IP addresses.
IP Routing: The Contivity unit provides access to the Internet through IP routing. It maintains routing tables that help it determine the destination of data packets. This enables non-Windows workstations (Macintosh, UNIX, and OS/2) to access the Internet through the Contivity unit as IP workstations.
Remote Configuration: You can use a Telnet application and CLI commands to configure the Contivity unit from a remote location. Additionally, you can use a terminal emulation application with the CLI commands to configure the unit (out-of-band management). Remote configuration also supports remote recovery, which limits on-site visits by technical support personnel. For de
239. nd publicly. See your software product documentation for setup information.
Additional SOCKS information
More information on socksifying software packages can be found on the following Web sites:
• www.socks.nec.com: NEC produces several public domain socksifying layers for various platforms, including Windows 3.x, Windows 95, Windows 98, Windows Me, Windows NT, and several UNIX operating systems.
• www.hummingbird.com: Hummingbird produces a freely downloadable socksifying layer for Windows NT 4.0. Its technology was used by Microsoft for Internet Explorer's SOCKS support.
Note: The Contivity unit as a SOCKS server has been tested with NEC's SocksCap32 workstation software.
Chapter 6 Advanced IP configuration
When you initially install and configure Contivity Branch Access, it uses a set of default services that most network administrators will prefer to use. If you want Contivity Branch Access to use IP services that are different than the defaults, you need to use Setup to configure the IP services that you want it to use. This chapter provides information on configuring IP services for Contivity Branch Access. For more information about these services, refer to Reference for the Contivity Branch Access Command Line Interface Version 7.20.
Using Setup
Setup is the utility yo
240. nd trace receive errors if No RAW Sockets is enabled.
Specifying the message a user sees upon an error
The No Messages option in the Change Settings for User dialog box allows you to control what users see when they attempt to access restricted Contivity Branch Access sites. When messages are enabled, a message is displayed with an explanation of why the user's attempted access failed. For example, if the user tried to access www.xrated.com, which has been disallowed, the message "Host name restricted" is displayed. However, if you select No Messages, the user sees only the application's error message, such as "Host name does not appear in the DNS table" or a similar message that does not reveal why the access failed.
Creating reports
The Reports option lets you select user and group Internet access reports and save them to disk for use with other applications. You can select specific user and group reports, or you can save all reports to the specified drive and directory.
To create a report:
1. Choose File > Reports. The Select Reports dialog box opens (Figure 62).
Figure 62 Select Reports dialog box (Users: Configured Access, Effective Access; Groups: Configured Access; All; OK, Cancel)
241. nection to the Internet. If you have a leased line or router connection, you generally do not have to reconfigure the unit if you change ISPs. To change your ISP information:
1. Start Setup and, if prompted, select a unit to configure.
2. In the Interfaces area, select the dial-up or ISDN interface.
3. Click Configure. One of two things happens:
• If you selected a dial-up interface, the Dialup Configuration dialog box opens (Figure 139). If your unit does not have a dual analog modem, the Number of lines selection list is not displayed.
Figure 139: Dialup Configuration dialog box.
• If you selected an ISDN interface, the ISDN Configuration dialog box opens (Figure 140).
Figure 140: ISDN Configuration dialog box (switch type North American National ISDN-1; 128 Kbps, 64 x 2; Voice).
4. Change the ISP information and then click OK.
Changing registration information. You should review and update your registration information periodically so that you can receive the latest product news and information on upgrades through e-mail from Nortel Networks. To review or update your registration information:
1. Start Setup and, if prompted, select a un
242. nel.
To modify your default network setting:
1. Start Setup and, if prompted, select a unit to configure.
2. Select the IPsec interface for which you want to modify the default network setting.
3. Click Configure. The IPsec Configuration dialog box opens (Figure 2 on page 40).
4. In the Default Network area, select an interface from the list. Click OK.
Managing local and remote IP addresses. You can add or remove local and remote IP addresses for a VPN tunnel. Adding a remote address of 0.0.0.0/0 designates non-split tunneling, while specifying the actual remote subnet designates split tunneling.
• Non-split tunneling: When you configure a VPN with non-split tunneling, Contivity Branch Access sends all packets over the IPsec tunnel.
• Split tunneling: When you configure a VPN with split tunneling, Contivity Branch Access sends the packets destined for the Internet outside of the IPsec tunnel, directly to the Internet, and sends only the packets destined for the VPN over the IPsec tunnel. The benefit of a split tunnel configuration is that each site's Internet traffic does not traverse the IPsec tunnel, and the home office does not have to provide Internet connectivity for all of the branch offices.
Adding a local or remote IP address. To add a local or remote IP address:
1. In the IPsec Configuration dialog box, in the Local Addresses or Remote Addresses area, click Add
243. nform or Delete.
• The Contivity unit did not choose any of the remote end's proposals.
• The remote end's subnets did not agree with the Contivity unit's local and remote configuration.
33. Sent Security Association, waiting for Security Association. Reasons:
• Remote end did not choose any of the Contivity unit's proposals.
• Contivity unit's subnets did not agree with the remote end's local and remote configuration.
• Perfect Forward Secrecy (PFS) is not configured and remote end requires it.
• Perfect Forward Secrecy (PFS) sent but not received.
34. Sent Security Association, waiting for Hash.
35. Phase 2 complete.
36. Phase 2 complete.
39. Sent Delete. Reason: Contivity unit's subnets did not agree with the remote end's local and remote configuration.
Table 5: Other state (No. / Meaning / Reason).
99. Received error Notification. Reason: Contivity unit's subnets did not agree with the remote end's local and remote configuration.
Chapter 3. User access administration. This chapter introduces the Contivity Branch Access Administration (Admin) program and provides instructions on how to use Admin to set Internet access rights for users and groups.
Admin program overview. The Administration program (Admin) is the utility you use to establish and set Internet access rights for users and groups within the Contivity Branch Access management software. Access rights control the times and days that users have
244. nformation, refer to "Adding a local or remote IP address" on page 41. When you are finished entering information, click OK. In the main Setup window, click Save and Exit.
Allowing only outgoing connections. Configure Contivity Branch Access to allow only outgoing connections when a Contivity Branch Access unit is initiating a connection but is not receiving incoming connections, such as when the unit has a dynamic IP address. To allow only outgoing connections to establish a tunnel:
1. Start Setup and, if prompted, select a unit to configure.
2. Click Add.
3. In the Select Connection Type dialog box (Figure 6 on page 48), click IPsec.
4. In the Select Connection Device dialog box (Figure 7 on page 48), click Instant Internet.
5. In the Select Type of Connections dialog box (Figure 8 on page 49), click Initiator. The IPsec Configuration dialog box opens (Figure 10).
Figure 10: IPsec Configuration dialog box (Destination; Add and Remove buttons; OK, Cancel).
6. Enter the following information:
• Name: Enter a name for the tunnel. This name must match the one used on the other end of the tunnel.
• Key: Enter a key for the tunnel. The key is the password for the tunnel and must be mutually agreed upon by both Contivity Branch Access units. A key cannot begin with a backslash.
• Destination: Enter the re
245. ng (dialog box: Disable Dialup interface at Disable time / Enable time; Notify DNS server of Dialup interface address change; DNS address; OK, Cancel).
6. In the Notify DNS Server of dial-up interface address change area, enter the FQDN of the Web server in the Name box. In this example, use the name iibox.dynamic.myzone.com.
7. In the DNS address box, enter the IP address of the Dynamic DNS server. In this example, use the address 192.122.98.75. Click OK. In the main Setup window, click Save and Exit.
The reference to the fully qualified domain name (FQDN) now reflects the current address of the dial-up interface.
Note: The time to live, or the amount of time that the results of the DNS query can be cached before a new lookup is performed, is kept very small so that changes to the interface's address are reflected in the DNS relatively quickly.
Example: Publishing a server for NetMeeting. You can use Microsoft's NetMeeting version 3.01 or later to conference two or more individuals together over the Internet. NetMeeting allows you to talk to one another, view presentations together or work on a whiteboard together, regardless of your location.
Note: Connecting to a directory server or Microsoft's MSN Messenger service works only for outgoing calls. Howev
246. ng for a dial-up, ISDN or leased-line interface and a LAN interface:
1. Enable IP forwarding for the unit. Refer to "Enabling IP forwarding for a Contivity unit" on page 200.
2. In the main Setup window, click Save and Exit. You must allow the changes to take effect immediately before IP forwarding is enabled.
3. Ensure that any computer on your network running TCP/IP that you want to have access to the Internet using the Contivity unit has the default gateway configured to be the IP address of the Contivity unit's client-side interface. The subnet mask should match the subnet mask that you entered for the Network Interface.
You can also enable IP forwarding with two Ethernet interfaces. Before enabling IP forwarding, check with your ISP to ensure that you have a LAN account that provides you with a range of IP addresses.
Enabling IP forwarding for two Ethernet interfaces. To enable IP forwarding with two Ethernet interfaces:
1. Configure your router to route the additional networks through the Contivity unit's router interface connected to the router (Eth1, Eth2).
If the client-side interface does not have an IP address, add one:
a. Start Setup and, if prompted, select a unit to configure.
b. Click Add.
c. Assign an appropriate IP address and subnet mask. The IP address must be on a different subnet than the router-side interface. If you are already using a legal ISP-assigned address between the router and the Contivity unit
247. ng the Web sites list" on page 263, and look for Web servers that have site names related to the problem site. Before you bypass the cache, be sure to eliminate the possibility that the site requires cookies or that there is a problem with the originating Web server.
Note: When you bypass the cache for a particular Web site, no Web entries are cached for that site, which can affect the cache statistics.
To bypass the cache for a particular Web site:
1. On the Home page, click Web Cache. The Web Cache page opens.
2. On the Web Cache page, click Web Sites. The Web Sites page opens.
3. Click the IP address or host name for the individual Web site. The cache settings page for the individual Web site opens.
4. In the Site Specific Options area, select the "Bypass the Web Proxy Cache when accessing this server" check box. Click Help for more information about each field on any page.
Saving and restoring Web site configuration. Contivity Branch Access provides you with a way to save and restore your Web site configuration. This tool is useful when you need to return the unit for repair. However, the tool is also useful for sharing cookie lists with other Contivity Branch Access users. To save a Web site configuration:
1. On the Home page, click Web Cache. The Web Cache page opens.
2. On the Web Cache page, click Web Sites.
3. Click Backup.
4. In the Filename box, enter
248. ngs (dialog box options: Enable logging; Internet; News Groups; Incoming Ports; No RAW Sockets; No Messages).
3. Click News Groups. In the Change News Groups dialog box, select the news group for which the group or user access is to be changed.
4. Click Change. The Change News Group dialog box opens (Figure 53).
Figure 53: Change News Group dialog box (Allow / Do not allow; News Group).
Change the information. Click OK. When you make changes to news group access, an asterisk is displayed to the left of the option, indicating that specific news group access control settings have been defined.
Managing incoming port access. The Incoming Ports button on the Change Settings for User dialog box (Figure 54) enables you to designate incoming ports to which each user or group is allowed access. An incoming port is the port number that outside workstations can access. Incoming ports allow a user to run server applications on a local computer. For example, if a user has incoming port access to port 80, the user can start a Web server on a local computer. To run the server's FTP applications on a local computer, select incoming port 21. Incoming port access is designated by a check mark next to the name of the port within the Incoming Ports access option. If access to an incoming p
249. nnection information. For more information, refer to your Contivity VPN Switch documentation. You can diagnose most IPsec connectivity problems using a combination of the Contivity Branch Access IPsec log and the CVS session statistics.
Viewing a Contivity unit's IPsec log. The IPsec log details low-level protocol information regarding IPsec negotiations for a virtual private network (VPN) tunnel. You must first activate this log each time you want to view it in Setup, using the ipsec log CLI command. For details, refer to Reference for the Contivity Branch Access Command Line Interface Version 7.20. To view a Contivity Branch Access unit's IPsec log:
1. Start Setup and, if prompted, select a unit to configure.
2. Choose View > Ipsec Log.
3. Review the file as needed. To print the file, choose File > Print.
4. To close the file, choose File > Close.
IPsec connection state information. Table 2, Table 3, Table 4 and Table 5 display state information for an IPsec connection, available in the IPsec log. An even-numbered state indicates that the remote gateway (CVS or Contivity Branch Access unit) initiated the transaction. An odd-numbered state indicates that the selected Contivity unit initiated the transaction.
Table 2: Phase 1 (main mode) states (No. / Meaning / Reason).
250. nnel: disabling 278; secondary phone number 279; statistics 145; voice calls 282. ISP: changing 320.
L. leases: DHCP server 219, 227. load balance 308. local cache 239. log file: connection 101, 161, 164; exporting 164; IPsec 76; network time protocol (NTP) 327; unit 344; user 161, 164. logging: See AutoLog.
MAC address 154, 164. Macintosh workstation 35, 88. mail server 207, 208. message: Internet access denied 265; restricted Internet access 129. Message Digest 5 (MD5) 38. minimum expiration time: example 248; setting to zero 250. modem: analog 284; dual analog 284; dual analog, number of lines 288; script 288; speaker 286. Monitor program: overview 141; starting 141; statistics 146; trace 154; users 150. monitoring, real time 141. move to server, Bindery users and groups 85. MSN Messenger Service 210.
N. name order, user 84. name server list: order 316; overview 316. NAT: See network address translation (NAT). NDS users and groups: set context 87; viewing 86. NetMeeting 210. Netscape: configuring to use SOCKS 190; configuring to use Web (HTTP) proxy server 184. NetWare preferred server 88. network: and Contivity Branch Access 33; IP 33, 180, 193; IPX 34. network address translation (NAT): configuring 203; overview 202; server publications 204. network directory service 82, 85. network layer cache server 237. network time protocol (NTP) 326. news group 114. no cach
251. nt, the Contivity unit delivers the request from the user to the Internet as if it is the client (user). When accepting requests from users on your network, the Contivity unit functions as a server and returns requested Web content from the Internet to the user as if it was the originating Web server.
How Web caching works. Each time a user requests Web content and the originating Web server returns a response to that request, the response is stored in the cache as an entry. An entry is generated for every element of a requested Web page, including graphics, text and interactive items. If a page containing 10 graphics is viewed by a user, 11 entries are cached: one for the page itself and one for each graphic.
Note: If a need arises to clear the Web cache, restart the unit. Carefully consider the consequences of this action before doing so.
How the Contivity unit expires entries. The Web entry originator can stamp the entry with an expiration date and time. When an entry has an expiration date and time, the Contivity unit honors the expiration stamp and expires the entry accordingly. If there is no expiration date and time stamp, the Contivity unit calculates an internal expiration time based on the cache level. For details, refer to "Predefined cache levels (default values)" on page 249.
Before the Contivity unit sends requested Web content to the user, it evaluates each
252. nto readable names. In the Log File directory box, specify the name of the directory where you want Contivity to store the AutoLog files. Contivity Branch Access assigns log file names in the following manner:
• U: Specifies the file is a User log file.
• C: Specifies the file is a Connection log file.
• y: Specifies the last digit of the current year.
• ddd: Specifies the day of the year that the file is created (for example, 140th, 300th).
• ccc: Specifies a count to keep each file unique.
In the Logging Interval area, specify a logging interval. You can enter and select increments of a number of minutes, hours or days.
7. In the Create new log file area, select how often Contivity Branch Access should create a new log file. Each time a new file is saved, AutoLog assigns a new count number to the log file name to keep each file unique. You can choose:
• Every time: Creates a new log file each time a scheduled save is performed.
• Daily: Creates a new log file every day.
• Weekly: Creates a new log file once a week.
• Monthly: Creates a new log file once a month.
• Never: Never creates a new log file; Contivity Branch Access repeatedly adds the selected log information to the same file name.
8. Click OK.
Editing an automatic logging configuration. To edit the automatic logging configuration:
1. In the AutoLog window, select the log configuration you wan
253. ntry 246. time zone: changing 325. timeout: inactivity 145; setting in Stats 145. token ring source routing 329. Tools: options 341; ping 334; program overview 333; starting 333; stress 338; trace 336. trace: host echo port 338; host route 336. transparent cache server 237. transparent proxy server 237. troubleshooting: blocked site opens in Web browser 272; cannot configure a personalized Web page 274; empty shopping cart 274; host connection 333; no response 272; outdated Web content 273; prompt to log on again 274; slow response 273; stale Web content 273. tunnel: about 37; branch to branch 56; disconnecting 146; dynamic IP address 56; initiating 59; Internet Key Exchange (IKE) 60; monitoring 145; non-split 41; phase negotiation 60; phase 2 negotiation 60; Secure Association (SA) 60; split 41; static IP address 56; statistics 145; timeout 60; troubleshooting 75; validity 59; validity, dial-up connection 59. tunnel mode: aggressive 39; determining 38; main 38.
U. UDP: protocol 188; selecting connection type 110, 123. unconfigured Web site: access blocking 265; cookies blocking 261; defined 260. unit configuration: backup 317; restore 318. unit information: date 325; hosts 196; ISP 320; name 325; password 324; port mappings 195; registration 322; TCP/IP settings 194; time 325; time zone 325. unit log 344. update history 345, 347. users 344. UNIX workstation 35, 88. user: adding to a group 92; adopting
254. o an interface" on page 217.
Processing a packet through an IP filter. When a packet is dropped into the top of the stack of filters, the matching criteria at each filter is applied. If a match occurs, the specified permit or deny action is executed. If a match does not occur, the packet drops down to the next filter in the stack and the matching process is applied again. If a packet drops through all the filters and a match never occurs, Contivity Branch Access must be configured with a default action to handle the packet. The default action could be either to permit all packets that do not match or to deny them. The default action in Contivity Branch Access is to deny these types of packets: any packet that is referred to a filter list but does not find a match is automatically dropped. This last default filter is called an implicit "deny any" filter. As the name implies, the line does not show up in any filter list you build; it is simply a default action, and it exists at the end of any and all filter lists. You can, however, override this implicit deny filter by making the last line of the list an explicit "permit any" filter. Packets dropping through all the other filters will match the explicit "permit any" filter before they get to the default implicit "deny any" filter. Therefore, all packets not matching anything else are permitted, and nothing ever reaches the implicit deny.
255. o avoid editing the access list often, you can specify the host name without the IP address. Remember, however, that you must also allow host names for any IP addresses that you allow.
Click Allow. Enter the Host Name. If you want to specify an IP address but do not know what it is, click Lookup IP Address.
7. Select a Type.
8. Enter the IP Address (optional).
9. Enter the Port number.
10. Click OK.
Removing Internet access. To remove Internet access from a group or user:
1. In the Admin window, select a group folder or user icon.
2. On the toolbar, click Change. The Change Settings of User dialog box opens (Figure 42).
Figure 42: Change Settings of User dialog box (Change Settings of User: Robin).
3. Click Internet Access. The Change Internet Access dialog box opens (Figure 43) and displays the current access control list for the group or user.
Figure 43: Change Internet Access dialog box (Change Internet Access of Robin).
4. Select the Internet address for which the group or user is to be denied access.
5. Click Delete. A confirmation message box opens (Figure 44).
Figure 44: Delete access confirmation message box.
6. Click Yes to confirm the deletion. The IP address is deleted from the group's or use
256. of type (file dialog box: Drives; Admin Files). Navigate to the drive and directory of the backup configuration file.
4. Select the File Name of the backup configuration file. Click OK. You are prompted to restore the users and groups (Figure 138).
Figure 138: Prompt to restore users and groups (Instant Internet Setup: "Would you also like to restore the Users and Groups?").
6. If you want to restore the user and group configurations in Admin, click Yes; otherwise, click No.
7. In the Setup main window, click Save and Exit.
Changing the unit configuration. Before you change the Contivity unit's configuration, you should back up the current configuration. If the changes you make cause problems, you can restore the original configuration using this backup file. Refer to "Saving and restoring unit configurations" on page 317. To change the Contivity unit's configuration:
➤ Start Setup and, if prompted, select a unit to configure. The Setup program first ensures that the unit is functioning properly and then displays the main Setup window.
Note: If you forget your password and need to configure the unit, you can do so by resetting the DIP switches on the back of the unit. For details, refer to the hardware manual for your Contivity unit.
Refer to the appropriate sections that follow for instructions on changing
257. oftware layer that isolates the network transport protocol from the client application requesting a network service. Winsock runs only on Microsoft Windows operating systems and environments.
WWW: World Wide Web.
xDSL: See DSL.
Index. Numbers: 3DES encryption 38.
A. active refresh: about 270; and bandwidth savings 270; and increased response times 244; recommended times 270; statistics 271. Admin: Default user 81; Everyone group 82; icons 80; network directory service 82; program overview 79; SOCKS proxy server 187; starting 80. alias interface 230. analog modem 284. AutoLog: auto run option 161; configuring 161; deleting a log 163; program overview 159; starting 159. automatic logging: See AutoLog.
B. back up unit configuration 317. bandwidth: about 243; and active refresh 270; saving 238; saving with Web cache 243; savings, increasing 244. bandwidth savings: and active refresh 270; and cache levels 244; and cache settings 244; and user access 244; increasing 244. benchmark, establishing for statistics 245. Bindery users and groups: move to server 85; viewing 87. blocked Web site: and the local cache 265; troubleshooting 272. BootP server 220.
C. cache: bypassing for a Web site 267; clearing 258; efficiency, increasing 243; filling up 245; increasing response times 244, 270; performance, increasing 243; reasons to bypa
258. ogging. This chapter offers information on advanced Contivity Branch Access features that enable experienced network supervisors to monitor and log Internet activity using the Monitor program, the AutoLog program, SYSLOG messages and SNMP traps.
Monitor program overview. The Contivity Branch Access Monitor program is a utility that monitors individual Contivity units in real time. It provides a dynamic display of the performance and load of a specific Contivity unit, or of multiple units, on bar graphs and histograms. With Monitor you can display and monitor statistics, logs and diagnostics of one or more Contivity units. Because it provides a multi-document interface (MDI), you can use Monitor to view an individual Contivity unit or several units simultaneously. Monitor displays statistic and diagnostic information without requiring any password. However, if you protected your unit with a password, you must enter the privileged password to perform any administrative functions. For more information about the privileged password, refer to "Changing a unit's password" on page 323. To start the Monitor program:
1. Locate the Instant Internet menu or program group, depending on your operating system.
2. Select Monitor.
3. If prompted, select a Contivity unit to monitor. If the Contivity unit is not in the list of unit
259. om the Internet. You can do this by configuring the network workstations to pass through a router before accessing the Internet. However, using a router to isolate the LAN can be time-consuming to set up and maintain, because each LAN user must have a legal IP address and be protected from hackers. Contivity Branch Access, on the other hand, makes it easy to isolate your IP network from the Internet by using address translation to translate illegal (reserved, private) LAN workstation IP addresses into legal IP addresses. On IP networks with IP workstations, there is essentially no limit to the number of application sessions (instances) that can access the Contivity unit.
Virtual private networks. You can use IP security (IPsec) to create a virtual private network (VPN). A VPN is a special type of connection that permits remote users or LANs to communicate with another user or LAN over a public network such as the Internet. When you set up a VPN, you are essentially using a public network as your own private, secure network. Contivity Branch Access includes a portfolio of VPN options that accept highly variable ISP environments at branch offices while maintaining critical service levels for real business needs. You can install and configure a VPN branch anywhere Internet access is available, through any network or ISP connectivity, with
260. on and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission. SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).
Nortel Networks Inc. software license agreement. NOTICE: Please carefully read this license agreement before copying or using the accompanying software or installing the hardware unit with pre-enabled software (each of which is referred to as "Software" in this Agreement). BY COPYING OR USING THE SOFTWARE, YOU ACCEPT ALL OF THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT. THE TERMS EXPRESSED IN THIS AGREEMENT ARE THE ONLY TERMS UNDER WHICH NORTEL NETWORKS WILL PERMIT YOU TO USE THE SOFTWARE. If you do not accept these terms and conditions, return the product unused and in the original shipping container within 30 days of purchase to obtain a credit for the full purchase price.
1. License grant. Nortel
261. onitoring program can collect the logging data on a different computer running Windows. You can display or save this data to a common file format so that you can manipulate the data into the format you want with an external program such as Excel. Refer to "Monitor program overview" on page 141.
To enable logging for a user:
➤ In the Change Settings of User dialog box (Figure 37), select the Enable logging check box.
Configuring Internet access. The User Access button in the Change Settings of User dialog box lets you specify days of the week and times during the day when users may access the Internet. The User Access option defines the settings for days of week and hours of day. To configure user access for a specific day of week and time of day:
1. In the Change Settings of User dialog box (Figure 37), click User Access. The Change User Access dialog box opens (Figure 38), showing the days of week and hours in a day.
Figure 38: Change User Access dialog box (grid of days of the week by hours of the day; OK, Cancel, Clear).
2. To select user access, click the appropriate button:
• Full: Total, uncontrolled Internet access.
• Controlled: Internet access is limited to specified IP addresses and ports. Ref
262. ore cache usage, at the risk that the cache may return a stale or outdated entry. Setting the percentage low ensures that the entry is more current, at the risk of less cache usage. The degree of staleness is not how long an entry has been in the cache but how long since the cached copy was synchronized with the originating Web server's copy. Only you can decide what degree of staleness is acceptable. A copy of one of Shakespeare's plays that is one year old is probably acceptable to most users, but a stock quote that is ten minutes old might be worthless.
If you use the Aggressive level with a text expiration of 100%, the Contivity unit subtracts the text entry's last-modified date and time (which is always stamped on the entry) from the current date and time. If a request for that entry comes within 100% of the time before the calculated expiration time, the cached entry is sent to the user.
Example one: A user requests a Web page of Shakespeare's sonnets, called sonnets.html, at noon on 7/4/2000; the page has a last-modified date and time of 48 hours ago, at noon on 7/2/2000. With the Aggressive text expiration set to 100%, the sonnets.html page will expire 48 hours into the future, at noon on 7/6/2000. In this case, the cached entry is sent to the user.
Example two: The sonnets.html Web page that a user requested at noon on 7/4/2000 contains a picture of William Shakespeare called bard
263. ormation, refer to "Using pings" on page 42.
• IP Address: Enter the IP address of a device that is reachable through the tunnel and represents the desired connectivity, usually the private address of the remote unit.
• Source: Select the source interface of the connection being monitored or controlled.
12. Click OK.
13. In the main Setup window, click Save and Exit.
Allowing both outgoing and incoming connections. Configure Contivity Branch Access to allow both incoming and outgoing connections to establish a tunnel only if your environment does not require high security. To allow both incoming and outgoing connections to establish a tunnel:
1. Start Setup and, if prompted, select a unit to configure.
2. Click Add.
3. In the Select Connection Type dialog box (Figure 6 on page 48), click IPsec.
4. In the Select Connection Device dialog box (Figure 7 on page 48), click Instant Internet.
5. In the Select Type of Connections dialog box (Figure 8 on page 49), click Peer to Peer. The IPsec Configuration dialog box opens (Figure 13).
Figure 13: IPsec Configuration dialog box (Destination; Local Addresses; Remote Addresses; Add and Remove buttons; OK, Cancel).
Enter the following information:
• Name: Enter a name for the tunnel. This name must match th
264. ort and diagnostics. This chapter describes how to view and change the Contivity unit configuration.
Restarting a Contivity unit. To restart the Contivity unit:
1. Start Setup and, if prompted, select a unit to restart.
2. Choose File > Restart Unit. The Restarting Instant Internet dialog box opens (Figure 131).
Figure 131: Restarting Instant Internet dialog box ("Waiting for Instant Internet to restart").
Identifying the login workstation. When the Contivity Branch Access management software is installed on an IP workstation running Windows 95, Windows 98, Windows Me, Windows NT or Windows 2000, the iiLogin icon (Figure 132) appears in the system tray.
Figure 132: iiLogin icon.
You can view the user name, user type, unit IP address and the name order of directory services. For more information, refer to "Identifying IP Workstations" of Installing the Contivity Branch Access Management Software Version 7.20. To identify the Login workstation:
➤ Double-click the iiLogin icon. The iiLogin Connected as username dialog box opens (Figure 133).
Figure 133: iiLogin Connected as username dialog box (iiLogin Connected as Default; Instant Internet Client Login 7.20; Copyright 1998-2001 Nortel Networks; Username: Default User).
...ort is denied, an X is displayed next to the name of the port. You can add, delete or change the incoming ports to which the selected user has access.

Port numbers 0, 25, 50, 79, 106, 109, 110 and the range 5001 to 65535 are open by default. You can take total control of port access by configuring incoming ports individually for any particular group or user. Because the whole high range is open by default, review it for users and groups that have no reason to accept inbound connections.

Adding incoming port access

To add an incoming port to group or user access:
1. In the Admin window, select a group folder or user icon.
2. On the toolbar, click Change. The Change Settings of User dialog box opens (Figure 54). For the user Robin it shows the options Disable, Ignore group settings, Enable logging, Internet, News Groups, Incoming Ports, No RAW Sockets and No Messages.
3. Click Incoming Ports. The Change Incoming Ports dialog box opens (Figure 55).
4. Click Add. The Add Incoming Port dialog box opens (Figure 56).

Table 10 describes the items i
...otocol, with the keys exchanged across the secure phase 1 tunnel. These SAs refer to specific network pairs. It is important to understand that there is a separate SA for each possible combination of subnets. For example, if the Contivity Branch Access unit's IPsec configuration has two local subnets and four remote subnets, a total of eight separate SAs exists if all subnets are communicating with each other. In this case the CVS has four subnets listed in the Local Accessible Networks and two subnets listed in the Remote Accessible Networks for the branch office connection.

Note: When troubleshooting a VPN tunnel, remember that each of these SAs is established as needed and each is subject to its own possible success or failure during negotiation.

Either gateway can establish communications; for example, an SA can be initiated by either the Contivity Branch Access unit or by the CVS. However, the initiator of an SA determines the timeout for that SA. For example, if the CVS initiates a tunnel and has a timeout value of 15 and the Contivity Branch Access unit accepts the tunnel but has a timeout of 18, the timeout value for the tunnel is 15 because the CVS initiated the tunnel.

When the Contivity Branch Access unit initiates a phase 1 connection, it sets the timeout to be the same as that used for the phase 2 SAs. This approximates the effect of perfect forward secrecy (PFS) because the phase 1 SA expires after the specified timeout. It is only an approximation: true PFS requires a fresh Diffie-Hellman exchange for every phase 2 SA, whereas here the phase 2 keys are still derived from the phase 1 SA until it expires.
...you can watch its progress. If you want to stop the stress test before it is complete, click Stop. This can be useful if you see the problem before the test completes. You can set options for the stress test, such as the number of times the test is performed. See Setting host connection test options on page 341 for more information.

A stress test returns the following information:
- the milliseconds per transmission block
- the size of the transmission block
- the number of bytes per second
- the total number of bytes and seconds
- the average number of bytes per second

In Figure 152 a stress test was performed on the host name www.instant.net. The window is divided into two areas. The top area shows a graphic representation of how long each stress trial took to complete. The bottom area shows the statistics of the stress test: the first column shows the number of transmits performed, the second column the number of milliseconds per test that it took to reach the specified site or host, the third column the number of bytes sent and received, and the fourth column the number of bytes sent per second. After the stress test completes, the total number of bytes sent and the average number of bytes per second are displayed at the bottom of the statistics area of the window.
...group's specific network directory service, not in Contivity Branch Access.

Setting the domain

You can choose the domain of the users and groups you want to view.

To set the domain:
1. Choose View > Set Domain. The Set Domain dialog box opens (Figure 26) and lists the available domains (in the example: Arkansas, California, Colorado, Delaware, Georgia, Kansas, New York and Texas).
2. Select the domain you want to view and then click OK.

Setting user name order

If you are using multiple networks in your environment, you can specify the order that Contivity Branch Access uses to identify users and groups. The order is determined by user type: NT, NDS or Bindery. For example, if Jane has a logon of JANE under the NT domain and another logon for a Novell server with NDS as JDOE, you can use this option to determine which user identification Contivity Branch Access uses to identify Jane. If Set User Name Order has NDS first, Contivity Branch Access identifies Jane as JDOE. This does not affect how the Novell server identifies her. Because access controls are attached to the identified user or group, a change in this order changes which access list applies to a person who has accounts in more than one directory; check it on every unit.

IP workstations running Windows 95, Windows 98, Windows Me, Windows NT or Windows 2000 can check how they are identified by clicking the iiLogin icon in the status area of the taskbar. Refer to Identifying the login workstation
...owing:
- Routes: Select the interfaces that should announce routing information. RIP announcements reach every listener on the segment, so announce only on interfaces where the neighbouring routers are trusted.
- Version: Select the version of RIP you want to use.
  - V1: Sends RIP messages to all known routers without subnet information.
  - V2 Broadcast: Sends RIP messages to all known routers, including subnet masks. This option is included only for backward compatibility with older versions of the Contivity VPN Switch software; use V2 Multicast for all other purposes.
  - V2 Multicast: Sends RIP messages to all known routers, including subnet masks, but minimizes the load on other computers because RIP messages are sent to and received only by computers with V2 Multicast enabled.
5. Click OK.
6. In the main Setup window, click Save and Exit.

Configuring an alias for an interface

Your Contivity unit can support multiple IP addresses and subnets on one physical interface. Each IP address has a name that helps distinguish what it is used for; the name given to an additional IP address is its alias. Combined with static NAT, an alias is useful when publishing additional public addresses for Web and mail servers that exist in the privately addressed local network.

Example: Configuring an alias

The Eth (seven port Ethernet switch) interface may already have a privat
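The version choice above decides what a RIP message carries and where it is sent. The following is an added example, not code from the Nortel manual or the Contivity software: it builds and parses RIP response packets with the field layout of RFC 1058 (version 1) and RFC 2453 (version 2), so you can see that a v1 packet has no room for a subnet mask and a receiver must fall back to the classful mask. The destination addresses for the three options and the classful fallback are standard RIP behaviour; the sample routes are constructed.

```python
"""Added example, not code from the manual: build and parse RIP response
packets to show what the version choice changes on the wire. Field layout
follows RFC 1058 (v1) and RFC 2453 (v2); the destination-address selection
mirrors the three options in the Routes dialog box."""
import socket
import struct

RIP_PORT = 520
RIPV2_MULTICAST = "224.0.0.9"
LIMITED_BROADCAST = "255.255.255.255"
CMD_RESPONSE = 2
AF_INET = 2


def destination_for(mode: str) -> str:
    """Where a response is sent for each option in the Routes dialog box."""
    return {"V1": LIMITED_BROADCAST,
            "V2 Broadcast": LIMITED_BROADCAST,
            "V2 Multicast": RIPV2_MULTICAST}[mode]


def build_response(version: int, routes) -> bytes:
    """routes: iterable of (network, mask, metric). In a v1 packet the route
    tag, subnet mask and next hop fields must be zero, so the mask is lost."""
    if version not in (1, 2):
        raise ValueError("RIP version must be 1 or 2")
    pkt = struct.pack("!BBH", CMD_RESPONSE, version, 0)
    for network, mask, metric in routes:
        mask_field = socket.inet_aton(mask) if version == 2 else b"\x00" * 4
        pkt += (struct.pack("!HH", AF_INET, 0)      # address family, route tag
                + socket.inet_aton(network)
                + mask_field
                + b"\x00" * 4                       # next hop 0.0.0.0: use the sender
                + struct.pack("!I", metric))
    return pkt


def classful_mask(network: str) -> str:
    """The mask a v1 receiver has to assume, since none is carried."""
    first = int(network.split(".")[0])
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    return "255.255.255.0"


def parse_response(pkt: bytes):
    """Return (version, routes); the mask comes from the packet only for v2."""
    cmd, version, _ = struct.unpack("!BBH", pkt[:4])
    if cmd != CMD_RESPONSE:
        raise ValueError("not a RIP response")
    routes = []
    for off in range(4, len(pkt), 20):
        afi, tag, net, mask, nexthop, metric = struct.unpack("!HH4s4s4sI", pkt[off:off + 20])
        network = socket.inet_ntoa(net)
        routes.append({
            "network": network,
            "mask": socket.inet_ntoa(mask) if version == 2 else classful_mask(network),
            "metric": metric,
        })
    return version, routes
```

Advertise 10.1.2.0/24 through `build_response(1, ...)` and the receiver sees 10.0.0.0/8: that is the "without subnet information" of option V1 in concrete terms, and why the manual steers you to V2 Multicast.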
... dialog box 65
Figure 19 IPsec Configuration dialog box 66
Figure 20 Monitor Connection dialog box 67
Figure 21 Enter Monitor Control Connection Information dialog box 67
Figure 22 IPsec Configuration dialog box 68
Figure 23 IPsec Configuration dialog box 72
Figure 24 Enter Monitor Control Connection Information dialog box 74
Figure 25 (title illegible in source) 81
Figure 26 Set Domain dialog box 83
Figure 27 Set User Name Order dialog box 84
Figure 28 Prompt to use selected user as a template 90
Figure 29 Create a User dialog box 90
Figure 30 Prompt to use selected group as a template 91
Figure 31 Create a Group dialog box 91
Figure 32 Dele
...box (Figure 114), and the server publication information is displayed.

Figure 114 Server Publication dialog box
Protocol | Public IP Address | Port | Private IP Address | Port
(example) | 134.177.3.28 | 80 | 134.177.3.28 | 80
Buttons: Remove, Change, OK, Cancel

5. Click OK.

You now have a Web server on a secure LAN that can be accessed from the Internet. Your LAN clients can also access the Web server through this server publication, but if IP forwarding is disabled they can access it only in the same way that external clients access it from the Internet. If IP forwarding is enabled, unrestricted access is allowed between the private LAN and the DMZ. Enabling IP forwarding therefore removes the separation between the LAN and the DMZ that the publication preserves; leave it disabled unless direct LAN-to-DMZ traffic is required.

Chapter 7 Web cache configuration

This chapter introduces Web caching and describes how to administer the Contivity unit's Web cache.

Introduction to Web caching

When you configure the Contivity unit as a Web proxy server, it functions as a proxy server for Web requests and as a repository for Web content. When you use the unit as a Web cache you can:
- Reduce access time and save bandwidth by serving shared entries from the cache. For details, refer to Increasing efficiency on page 243.
- Maintain corporate privacy and increase cache performance by blocking cookies. For details, refer to Managing cookies on page 259.
- Reduce employee recreation on company time by blocking access to certain sites. For details, refer to Managin
...oxy server, the following Admin options do not apply to SOCKS workstations:
- Incoming ports access control. SOCKS does not allow any incoming connections except after an outgoing connection is made to an allowed host.
- RAW sockets access control. SOCKS does not provide proxy services for protocols other than TCP and UDP; that traffic is prohibited.
- No message option. The application and the SOCKS workstation software are responsible for presenting and interpreting error messages from the SOCKS server.

Note: The No message option does apply to workstations using the workstation login.

Host name access controls and SOCKS

SOCKS requires that the workstation software specify a destination when making a request to the SOCKS server. It allows the workstation to specify the destination either by IP address or by host name. To enable access control by host name, the Contivity unit must be allowed to resolve host names to IP addresses. There are two ways to enforce host name access controls:
- Directly. Direct host name access control is easy to enforce but requires a SOCKS version 5 workstation or shim that supports remote host name resolution. NEC SocksCap32 supports this feature. Unfortunately, only a limited number of workstations provide it; most are limited to SOCKS version 4, which does not support it.
- Indirectly. Indirect host name access control requires that th
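Whether the unit can apply a host-name access control "directly" comes down to what the workstation put in its CONNECT request. The following added example (mine, not code from the manual or the Contivity software) encodes the three request forms a SOCKS client can send, parses them as a server would, and answers the question the text raises: is the host name present at all? SOCKS4 carries only an IP address; SOCKS4a and SOCKS5 address type 3 carry the name. Whether the Contivity unit accepts SOCKS4a is not stated on the page; all hosts, ports and the user id are constructed.

```python
"""Added example, not from the manual: the three ways a SOCKS workstation can
name its destination, and the server-side check of whether a host-name access
control can be applied to the request. Formats follow the SOCKS4/4a and
SOCKS5 (RFC 1928) specifications."""
import socket
import struct
from typing import Any, Dict


def socks4_connect(ip: str, port: int, userid: bytes = b"user") -> bytes:
    return struct.pack("!BBH", 4, 1, port) + socket.inet_aton(ip) + userid + b"\x00"


def socks4a_connect(hostname: str, port: int, userid: bytes = b"user") -> bytes:
    # An address of 0.0.0.x with x != 0 tells the server a host name follows the user id.
    return (struct.pack("!BBH", 4, 1, port) + b"\x00\x00\x00\x01"
            + userid + b"\x00" + hostname.encode() + b"\x00")


def socks5_connect(target: str, port: int) -> bytes:
    """CONNECT with ATYP 1 (IPv4) if target parses as an address, else ATYP 3 (domain)."""
    try:
        addr = b"\x01" + socket.inet_aton(target)
    except OSError:
        name = target.encode()
        addr = b"\x03" + bytes([len(name)]) + name
    return struct.pack("!BBB", 5, 1, 0) + addr + struct.pack("!H", port)


def parse_connect(data: bytes) -> Dict[str, Any]:
    """Server side: recover the destination exactly as the client expressed it."""
    version = data[0]
    if version == 4:
        _cmd, port = struct.unpack("!BH", data[1:4])
        ip = data[4:8]
        _userid, _, tail = data[8:].partition(b"\x00")
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0 and tail:
            return {"version": "4a", "port": port, "hostname": tail.rstrip(b"\x00").decode()}
        return {"version": "4", "port": port, "ip": socket.inet_ntoa(ip)}
    if version == 5:
        atyp = data[3]
        if atyp == 1:
            return {"version": "5", "ip": socket.inet_ntoa(data[4:8]),
                    "port": struct.unpack("!H", data[8:10])[0]}
        if atyp == 3:
            n = data[4]
            return {"version": "5", "hostname": data[5:5 + n].decode(),
                    "port": struct.unpack("!H", data[5 + n:7 + n])[0]}
    raise ValueError("unsupported SOCKS request")


def hostname_acl_enforceable(request: Dict[str, Any]) -> bool:
    """Direct host-name access control needs the name in the request itself;
    with only an IP address the unit is left with the indirect method."""
    return "hostname" in request
```

Run `parse_connect` over the three encoders and only the SOCKS4a and SOCKS5 domain requests return a `hostname` key; a plain SOCKS4 client resolved the name itself and handed the proxy an address, which is exactly why the text says most version 4 workstations cannot be controlled by host name directly.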
...p and, if prompted, select a unit to configure.
2. Choose File > Backup to Disk. The Backup Setup Configuration dialog box opens (Figure 136), a standard file dialog with File name, Save file as type, Folders and Network controls.
3. Navigate to the drive and directory to which you want to save the configuration. If you want to save the configuration to a floppy disk, insert a disk in the floppy drive.
4. Enter a name in the File Name box.
5. In the Save File as Type box, select iis.
6. Click OK.

The backup file holds the complete unit configuration, so store it with the same care as the unit itself.

Restoring a unit configuration from disk

When you restore a Contivity unit's configuration, you restore and overwrite all configuration settings.

Note: Configuration changes do not take place until you click Save and Exit. If you restored a configuration in error, click Cancel changes.

To restore a configuration from disk:
1. Start Setup and, if prompted, select a unit to configure.
2. Choose File > Restore from Disk. The Restore Setup Configuration dialog box opens (Figure 137), a standard file dialog with File name, Folders, Network and List files controls.
...pe Configuration dialog box 225
Enter Excluded Addresses dialog box 226
Enter Server Address dialog box 227
(title illegible in source) 229
Enter Alias Name and IP Address and Select Interface dialog box 231
Interface Configuration dialog box 232
Enter IP Information for Interface dialog box 234
Enter IP Information for Interface dialog box 235
Server Publication dialog box 236
Instant Internet home page 241
Web Cache page 242
ISDN Configuration dialog box 278
ISDN Configuration advanced dialog box 281
Dialup Configuration dialog box 284
Dialup Configuration dual analog dialog box 285
Dialup Configuration advanced dialog box 287
T1 Configuration dialog box 290
T1 Advanced Configuration dialog box 291
E1 Configuration dialog box 292
E1 Advanced Configuration dialog box 293
PPPoE Configuration dialog box 294
PPPoE Configuration advanced dialog box
...pecifies access to all ports at all IP addresses beginning with 198.
(check) TCP only, port 80: Specifies IP access only to port 80 at all connection-oriented IP addresses.
X TCP only, port 21: Specifies no FTP access from any address.

When you click Internet Access in the Change Settings of User dialog box, the Internet Access dialog box opens with the group's or user's current Internet access control list in the format: access symbol, type, IP address, port number and host name. Internet accessibility is listed from the most specific to the least specific. Table 8 shows a sample Internet access control list.

Table 8 Sample Internet access control list
Allow | Type | Address | Port | Explanation
(check) | TCP and UDP | | | User has unlimited Internet access
X | TCP | 198.67.8.99 | 80 | User may not browse this IP address
(check) | TCP and UDP | 198.67.8.99 | | IP address has unlimited access; user can access any port for the specified IP address
(check) | TCP only | | 80 | User may browse only
X | TCP and UDP | | 25 | User may not access SMTP
X | TCP and UDP | | | User has no Internet access

You can redefine a group's or user's access control list from the Internet Access dialog box. You can add, delete or change the IP addresses, host names and port numbers to which the specified group or user has access.

If a user or group access is set to Full, refer to Config
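The rule that decides what an entry like the X for 198.67.8.99:80 does in the presence of the (check) for 198.67.8.99 is "most specific first". The following added example, written for this page and not taken from the manual or the Contivity software, models that evaluation over the rows of Table 8 and the "browse only" pattern, and also wraps the default incoming-port list given earlier in this chapter. The specificity score and the deny-when-nothing-matches fallback are my assumptions; the manual only says entries are matched from the most specific to the least specific.

```python
"""Added example, not code from the Nortel manual: a model of the per-user
Internet access control list, plus the incoming-port defaults listed earlier
in this chapter. The specificity score and the default-deny when nothing
matches are assumptions; the manual only says entries are matched from the
most specific to the least specific."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Incoming ports open before any per-user change, as listed in the manual.
DEFAULT_OPEN_INCOMING = {0, 25, 50, 79, 106, 109, 110}
DEFAULT_OPEN_INCOMING_RANGE = range(5001, 65536)


def incoming_port_open_by_default(port: int) -> bool:
    """True if the default incoming-port policy already accepts this port."""
    return port in DEFAULT_OPEN_INCOMING or port in DEFAULT_OPEN_INCOMING_RANGE


def _address_matches(pattern: str, ip: str) -> bool:
    """'' matches any host, '198.' matches a prefix, '198.67.8.99' a single host."""
    if not pattern:
        return True
    pattern = pattern if pattern.endswith(".") else pattern + "."
    return (ip + ".").startswith(pattern)


@dataclass(frozen=True)
class AclEntry:
    allow: bool                     # check mark (True) or X (False)
    types: Tuple[str, ...]          # ("TCP", "UDP") or ("TCP",)
    address: str = ""               # "" = any address
    port: Optional[int] = None      # None = any port

    def specificity(self) -> Tuple[int, int]:
        # Assumption: more address octets and an explicit port rank as more specific.
        octets = len([o for o in self.address.split(".") if o]) if self.address else 0
        return (octets, 1 if self.port is not None else 0)

    def matches(self, proto: str, ip: str, port: int) -> bool:
        return (proto in self.types
                and _address_matches(self.address, ip)
                and (self.port is None or self.port == port))


def evaluate(acl: List[AclEntry], proto: str, ip: str, port: int) -> Tuple[bool, Optional[AclEntry]]:
    """First matching entry wins after sorting most-specific first.
    No matching entry means deny (assumption)."""
    for entry in sorted(acl, key=AclEntry.specificity, reverse=True):
        if entry.matches(proto, ip, port):
            return entry.allow, entry
    return False, None


# Constructed from the rows of Table 8: unlimited access, except no browsing
# of one host on port 80 (other ports on that host stay open) and no SMTP.
SAMPLE_ACL = [
    AclEntry(True, ("TCP", "UDP")),
    AclEntry(False, ("TCP",), "198.67.8.99", 80),
    AclEntry(True, ("TCP", "UDP"), "198.67.8.99"),
    AclEntry(False, ("TCP", "UDP"), port=25),
]

# The "user may browse only" pattern: allow TCP/80 everywhere, deny the rest.
BROWSE_ONLY_ACL = [
    AclEntry(True, ("TCP",), port=80),
    AclEntry(False, ("TCP", "UDP")),
]
```

One consequence worth checking before relying on a list like SAMPLE_ACL: the host-wide (check) for 198.67.8.99 is more specific than the port-only X for SMTP, so under this ordering that host's port 25 is allowed even though SMTP is denied everywhere else. If that is not what you intend, add an explicit X entry for the host and port.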
...possible only when the dial-up connection can exist at all times. One way to maintain traffic is to send a ping command back and forth from one gateway's network to the other.
- Reduce the VPN connection timeout. By using shorter timeouts, you can bound the maximum amount of time required for the system to recover. Before you implement this solution, consider that the more frequent renegotiations require substantial computational overhead.

Note: The phase 1 negotiation timeout is controlled on the CVS with the Forced Logoff parameter, whereas a subnet tunnel is controlled by the re-key timeout.

- Use a ping to monitor or control the tunnel. Refer to Using pings on page 42.

Tunnel timeouts

The Contivity Branch Access unit's IPsec feature performs all communications across a Security Association (SA), also referred to as a tunnel. An SA is negotiated using the Internet Key Exchange (IKE) standard, which has two main types of negotiation, phase 1 and phase 2. A timeout, specified by time or by amount of data, is associated with each SA. When this timeout expires, the SA is no longer valid and a new one must be negotiated if needed.

The phase 1 negotiation authenticates the gateways (the Contivity Branch Access unit and the CVS) and establishes secure communications between them, but does not refer to any specific tunnel. When phase 1 is complete, additional SAs are negotiated using the phase 2 pr
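The points that matter when troubleshooting, one SA per local/remote subnet pair, negotiated on demand, with the lifetime taken from whichever gateway initiated it and each pair able to fail on its own, are easier to see in a small model than in prose. The following is an added example, not code from the manual or the Contivity software. Gateways, subnets, the traffic and the set of pairs whose phase 2 negotiation fails are constructed; lifetimes use the same unitless numbers as the manual's 15 and 18 example.

```python
"""Added example, not from the manual: a model of the phase 2 SA table. One SA
per (local subnet, remote subnet) pair, negotiated on demand, lifetime taken
from the initiating gateway. Topology, traffic and failing pairs are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Gateway:
    name: str
    timeout: int            # SA lifetime this gateway imposes when it initiates
    subnets: List[str]      # networks behind this gateway


@dataclass
class SecurityAssociation:
    pair: Tuple[str, str]
    initiator: str
    lifetime: int
    established_at: int

    def valid_at(self, t: int) -> bool:
        return t < self.established_at + self.lifetime


def sa_pairs(branch: Gateway, cvs: Gateway) -> List[Tuple[str, str]]:
    """Every local/remote subnet combination needs its own SA."""
    return [(local, remote) for local in branch.subnets for remote in cvs.subnets]


def negotiated_lifetime(initiator: Gateway, responder: Gateway) -> int:
    """The initiator's timeout wins (the manual's CVS=15 versus branch=18 example)."""
    return initiator.timeout


@dataclass
class TunnelTable:
    branch: Gateway
    cvs: Gateway
    failing_pairs: frozenset = frozenset()     # constructed: pairs whose phase 2 fails
    sas: Dict[Tuple[str, str], SecurityAssociation] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def pair_for(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        for local, remote in sa_pairs(self.branch, self.cvs):
            if ip_address(src) in ip_network(local) and ip_address(dst) in ip_network(remote):
                return (local, remote)
        return None

    def send(self, src: str, dst: str, t: int, initiator: Optional[Gateway] = None) -> str:
        """Deliver one packet at time t, negotiating the pair's SA if none is valid."""
        initiator = initiator or self.branch
        pair = self.pair_for(src, dst)
        if pair is None:
            return "not a tunnel destination"
        sa = self.sas.get(pair)
        if sa is not None and sa.valid_at(t):
            return "sent"
        if pair in self.failing_pairs:
            self.log.append(f"t={t} {pair}: phase 2 negotiation failed, packet dropped")
            return "dropped"
        responder = self.cvs if initiator is self.branch else self.branch
        sa = SecurityAssociation(pair, initiator.name, negotiated_lifetime(initiator, responder), t)
        self.sas[pair] = sa
        self.log.append(f"t={t} {pair}: negotiated by {initiator.name}, lifetime {sa.lifetime}")
        return "sent"


# Constructed topology from the text: two local subnets, four remote, eight SAs.
BRANCH = Gateway("branch", 18, ["192.168.1.0/24", "192.168.2.0/24"])
CVS = Gateway("cvs", 15, ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24"])
```

Reading `table.log` after a run shows which pairs were negotiated, by whom and with what lifetime, and which pair dropped traffic while its neighbours kept working; that is the per-SA view the note above asks you to keep in mind when a tunnel "half works".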
...pted, select a unit to configure.
2. Choose Support > Services. The Services dialog box opens (Figure 84). It lists Chargen, DHCP, Discard, DNS Proxy, Echo, Ident, SNMP, SOCKS, Telnet, WEB Proxy and WEB Configuration, each with a check box and a Configure button.
3. Select the Web Proxy check box.
4. Click Configure. The WEB Proxy Configuration dialog box opens (Figure 85).
5. Do one of the following:
- If you want the Web proxy server to run transparently, select the Run transparently check box and then choose the interface on which you want the Web proxy to run transparently. With this option you do not need to configure the Web browser on each workstation; the browsers automatically use the Contivity unit as the Web proxy server. The Web proxy must run transparently if you want to control user access effectively, because a browser that is merely configured to use the proxy can be reconfigured to bypass it.
- If you do not want the Web proxy server to run transparently, enter the Port (usually 8080) on which you want the Web proxy server to run. In this case you must configure the Web browsers on all workstations to use the Contivity unit as the Web proxy server. For details, refer to
...r's access control list, and the user no longer has access to that Internet address.

Changing Internet access

To change the Internet access of a user or group:
1. In the Admin window, select a group folder or user icon.
2. On the toolbar, click Change. The Change Settings of User dialog box opens (Figure 45).
3. Click Internet Access. The Change Internet Access dialog box opens (Figure 46) and displays the current access control list for the group or user. The columns are Allow, Type, IP Address, Port and Host Name; the example entry is TCP, 47.249.32.64, All ports, www.nortelnetworks.com, and the buttons are Delete, Change, Clear, Lookup, OK and Cancel.
4. Select the Internet address for which the group or user access is to be changed.
5. Click Change. In the Change Internet Access dialog box, change the information.
6. Click OK.

Managing news group access

The News Group button on the Change Settings of User dialog box (Figure 47) enables you to designate specific news groups to which each user or group may gain or be denied access. News group access is designated when a check mark is displayed next to the name of the news group. If access is den
Figure 54 Change Settings of User dialog box 121
Figure 55 Change Incoming Ports dialog box 122
Figure 56 Add Incoming Port dialog box 122
Figure 57 Change Settings of User dialog box 124
Figure 58 Delete incoming port confirmation message box 125
Figure 59 Change Settings of User dialog box 126
Figure 60 Change Incoming Port dialog box 127
Figure 61 Change Settings of User dialog box 128
Figure 62 Select Reports dialog box 129
Figure 63 Change User Access dialog box 131
Figure 64 Change Internet access to deny access to a site example 132
Figure 65 Restrict Internet access example 133
Figure 66 Allow Internet access example 134
Figure 67 Control help screen 137
Figure 68 Monitor main window 142
Figure 69 Sample Stats window 144
Figure 70 Sampl
...r the Contivity Branch Access Command Line Interface Version 7.20.

To view or change a unit's system settings using Web configuration:
1. Connect to the unit using a Web browser. For details, refer to Connecting to the Contivity unit using a Web browser on page 240.
2. On the Home page, click Admin.
3. On the System Administration page, click Config. The System Settings page opens.
4. Make any changes to the system settings and then click Submit.

When you click Submit, the changes take effect immediately. If you make changes and then decide that you do not want to submit them, click Reset to restore the settings to the previous selections. You cannot reset settings after you submit them.

To view or change a unit's system settings using Setup:
1. Start Setup and, if prompted, select a unit to configure.
2. Choose Support > Advanced TCP/IP Settings.
3. Change the file as needed and then choose File > Save.
- To close the file without saving your changes, choose File > Close.
- To print the file, choose File > Print.

Changing a unit's port mappings

To view or change a unit's port mappings using Web configuration:
1. Connect to the unit using a Web browser. For details, refer to Connecting to the Contivity unit using a Web browser on page 240.
2. On the Home page, click Admin.
3. On the System Administration page, click Port Mappings
...re a plain text secret. The caller sends a challenge message to its receiving peer, and the receiver responds with a value it calculates based on the secret. The first peer then compares the response with its own calculation of what the response should be. If the values match, the link is established. Because the calculation needs the secret itself, both ends store it in clear text; protect the configuration that holds it.

Chargen: A service, used for troubleshooting, that generates a test pattern of characters at the maximum possible rate.

client: A computer system or process that requests a service of another computer system or process. A workstation requesting the contents of a file from a file server is a client of the file server.

cookie: Information saved on your computer's hard disk that tracks your activity at a particular Web site and provides information to the server about your identity and browsing habits.

CRC: Cyclic Redundancy Check. A method for detecting data transmission errors.

CSU: Channel Service Unit. A device that terminates a T1 digital circuit to perform certain line conditioning functions and ensure network compliance.

CVS: Contivity VPN Switch.

day time access control: The Day Time Access Control restricts user access to the Internet on specified days of the week and/or hours of the day.

DDNS: Dynamic Domain Name Server or Dynamic Domain Name Service.

DES: Data Encryption Standard. A 56-bit encryption standard used
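The CHAP entry describes the exchange without showing the calculation. As an added example, not code from the manual or the Contivity software, the following computes it the way RFC 1994 specifies (Response = MD5(Identifier || secret || Challenge)), runs both sides of the handshake, and rejects a replayed or wrong response. The peer names, secrets and the fixed identifiers in the test are constructed; the authenticator keeps secrets in clear text because, as the glossary says, the calculation needs them.

```python
"""Added example, not from the manual: the CHAP exchange the glossary
describes, computed per RFC 1994 section 2.2. Names, secrets and identifiers
used in the exchange are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """What the peer returns for a challenge: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    def __init__(self, secrets: Dict[str, bytes]):
        self.secrets = secrets                     # name -> plain text shared secret
        self.pending: Dict[int, bytes] = {}        # identifier -> outstanding challenge

    def challenge(self, identifier: Optional[int] = None) -> Tuple[int, bytes]:
        """Issue a fresh random challenge; the identifier ties the response to it."""
        if identifier is None:
            identifier = os.urandom(1)[0]
        value = os.urandom(16)
        self.pending[identifier] = value
        return identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Compare the peer's response with our own calculation. A challenge can
        be answered once, so a replayed response is rejected."""
        value = self.pending.pop(identifier, None)
        secret = self.secrets.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)


def run_exchange(auth: ChapAuthenticator, name: str, peer_secret: bytes, identifier: int = 1) -> bool:
    """Both sides of the handshake in one place: challenge, response, check."""
    ident, value = auth.challenge(identifier)
    return auth.verify(ident, name, chap_response(ident, peer_secret, value))
```

The randomness of the challenge is what keeps a captured response from being replayed; the secret never crosses the link, but anyone holding the configuration file has it.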
...re indicates that the IPsec tunnel is no longer operating properly. If this happens, any active IPsec tunnels are dropped and are re-established as required by normal activity.
- Control mode. The control mode is useful for maintaining permanent connections, for switching to a backup interface when a primary interface becomes unavailable and the primary interface has no reliable indication of its own availability, or both.

For example, in xDSL and cable modem environments the Contivity Branch Access interface that connects to the Internet is usually an Ethernet interface, and that interface is always active as long as the link exists between Contivity Branch Access and the xDSL or cable modem; the link being up says nothing about whether the path beyond the modem works. A ping in control mode always attempts to use the specified interface, even if it is considered inactive for normal use. If three consecutive responses are not received, the interface is made inactive (if an IPsec interface is used, any associated tunnels are dropped). The ping continues to transmit on the interface even while it is unavailable for normal traffic. After a response is received, the interface is made available again.

Note: The control mode initiates a connection and is considered to be activity. A control mode ping attempts to keep the path to the destination active at all times.

Background mode

Backgroun
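The control-mode rule above is a small state machine: three consecutive missed replies take the interface down, the next reply brings it back, and the ping keeps running while the interface is down. The following added example (mine, not code from the manual or the Contivity software) implements exactly that rule so the failure and recovery sequence can be checked against a constructed series of ping results; the tunnel-drop side effect on an IPsec interface is recorded only as a log entry.

```python
"""Added example, not from the manual: the control-mode ping decision rule as
a state machine. Reply sequences fed to it are constructed."""
from typing import List


class ControlPing:
    MISSES_TO_DEACTIVATE = 3

    def __init__(self, interface: str, ipsec: bool = False):
        self.interface = interface
        self.ipsec = ipsec            # IPsec interface: deactivation also drops its tunnels
        self.active = True
        self.consecutive_misses = 0
        self.events: List[str] = []

    def observe(self, reply_received: bool) -> bool:
        """Feed one ping result; return whether the interface is usable for normal traffic."""
        if reply_received:
            self.consecutive_misses = 0
            if not self.active:
                self.active = True
                self.events.append(f"{self.interface}: reply received, interface made available")
        else:
            self.consecutive_misses += 1
            if self.active and self.consecutive_misses >= self.MISSES_TO_DEACTIVATE:
                self.active = False
                msg = f"{self.interface}: 3 consecutive misses, interface made inactive"
                if self.ipsec:
                    msg += "; associated IPsec tunnels dropped"
                self.events.append(msg)
        # The ping itself keeps being sent on this interface whether it is active or not.
        return self.active

    def run(self, replies: List[bool]) -> List[bool]:
        """Return the interface state after each reply in the sequence."""
        return [self.observe(r) for r in replies]
```

Two misses followed by a reply leave the interface up, which is the behaviour you want on a lossy link; only the third consecutive miss changes state, and a single reply is enough to recover.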
...re requesting actively refreshed entries. A lower percentage (10 to 15) indicates that active refresh is not providing much benefit, and you may want to disable this option to save bandwidth.

To view active refresh statistics:
1. On the Home page, click Web Cache. The Web Cache page opens.
2. On the Web Cache page, click Statistics. The Web Cache Statistics page opens.
3. View the statistics in the Active Refresh area. Click Help for more information about each field on the page.

Troubleshooting the Web cache

Following are some common problems you may encounter when using the Contivity unit as a Web proxy, and what you can do to resolve them.

I requested a Web site but there was no response

Problem: The Web site requires cookies and cookies are blocked.
Solution: Enable cookies for the problem Web site. For details, refer to Managing cookies for a particular Web site on page 262.

Problem: The Web site uses a protocol that is not compatible with proxy servers.
Solution: Bypass the cache for the problem Web site. For details, refer to Bypassing the cache for a Web site on page 267.

Problem: The originating Web server could be down or not responding.
Solution: Send a request to the Web site again later.

Problem: The Contivity unit is unable to communicate with the particular Web server.
Solution:
...resses area, click Add to enter the local IP addresses allowed to participate in the tunnel. For more information, refer to Adding a local or remote IP address on page 41. The information in this box should coincide with the network you configured on the CVS. The default local address is that of your LAN.
10. In the Remote Addresses area, click Add to enter the IP addresses of a remote site allowed to participate in the tunnel. For more information, refer to Adding a local or remote IP address on page 41. Keep both lists to the networks that actually need to reach each other: every local/remote combination becomes its own SA, and a broader list widens what the remote site can reach through the tunnel.
11. Click OK. The Monitor Connection dialog box opens (Figure 20).
12. Do one of the following:
- If you do not want to monitor or control the connection, click No and skip to step 15.
- If you want to monitor or control the connection, click Yes. The Enter Monitor Control Connection Information dialog box opens (Figure 21). Continue with step 13.
13. Enter the following information:
- Connection: Choose whether you want to monitor or control the connection. For more information, refer to Using pings on page 42.
- IP Address: Enter the IP address of a device that i
...ries to discourage caching. And some Web browsers insert a no-cache header in the request when a user forces a request (pressing the Shift key while clicking the browser's Reload toolbar button). If you select the option to retrieve no-cache requests from the cache, a forced request of this kind is not honored and is fulfilled from the cache.

To determine whether you need to enable no-cache requests, look at the no-cache request statistic in the Why requests are not served from the cache area. When you enable the option to retrieve no-cache requests from the cache, you increase the possibility of stale data. Nortel Networks recommends that you do not enable this option.

Note: The option to retrieve no-cache requests from the cache is not enabled for any predefined cache level. If you want to enable no-cache requests, you must create a Custom cache level. For details, refer to Creating a custom cache level on page 250.

To set options for special Web requests:
1. On the Home page, click Web Cache. The Web Cache page opens.
2. On the Web Cache page, click Configure. The unit Configuration page opens.
3. In the Web Cache Level area, click Customize. The Custom Cache Level page opens.
4. In the Request Response Options area, configure the special Web request settings. Click Help for more information abou
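What the "retrieve no-cache requests from the cache" option changes is a single decision in the request path. The following added example, written for this page and not taken from the manual or the Contivity software, parses the request headers, detects the no-cache directive a browser sends on a forced reload (Pragma: no-cache and Cache-Control: no-cache, the standard ones), and returns the cached body or a signal to go to the origin depending on the option. The cache contents and the two requests are constructed; the cache layout and the policy flag are my assumptions about how the option is represented.

```python
"""Added example, not from the manual: the serve-from-cache decision for a
request carrying a no-cache directive, under both settings of the option.
Cache entries and requests are constructed."""
from typing import Dict, Optional


def parse_headers(raw: str) -> Dict[str, str]:
    """Minimal HTTP/1.x header parse: names lower-cased, repeated fields joined."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = (headers[key] + ", " + value) if key in headers else value
    return headers


def client_wants_fresh(headers: Dict[str, str]) -> bool:
    """True when the request carries a no-cache directive (a forced reload)."""
    if "no-cache" in headers.get("pragma", "").lower():
        return True
    directives = [d.strip().lower() for d in headers.get("cache-control", "").split(",")]
    return "no-cache" in directives


def request_target(raw: str) -> str:
    return raw.split("\r\n", 1)[0].split(" ")[1]


def serve(raw_request: str, cache: Dict[str, str], retrieve_nocache_from_cache: bool) -> Optional[str]:
    """Return the cached body, or None meaning 'fetch from the origin server'."""
    url = request_target(raw_request)
    if url not in cache:
        return None
    if client_wants_fresh(parse_headers(raw_request)) and not retrieve_nocache_from_cache:
        return None
    # With the option on, the forced reload is not honored and the stale copy goes out.
    return cache[url]


# Constructed cache and requests.
CACHE = {"http://www.example.com/": "<html>cached copy</html>"}
NORMAL_REQUEST = "GET http://www.example.com/ HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
FORCED_RELOAD = ("GET http://www.example.com/ HTTP/1.0\r\nHost: www.example.com\r\n"
                 "Pragma: no-cache\r\nCache-Control: no-cache\r\n\r\n")
```

With the option off, `serve(FORCED_RELOAD, CACHE, False)` goes to the origin and the user gets a fresh page; with it on, the same request is answered from the cache, which is the stale-data risk the recommendation above is about.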
Ignoring group settings option 101
Enabling logging for a user 101
Configuring Internet access 102
Defining controlled Internet access 104
Overview of configuring Internet access 105
Adding Internet access 107
Removing Internet access 111
Changing Internet access 113
Managing news group access 114
Adding news group access 115
Removing news group access 117
Changing news group access 119
Managing incoming port access 120
Adding incoming port access 121
Removing incoming port access 123
Changing incoming port access 125
Managing RAW sockets 127
Specifying the message a user sees upon an error 129
Reports 129
Common user and group access examples 130
Allowing unlimited access for everyon
...rrants to Licensee that the media on which the Software is provided will be free from defects in materials and workmanship under normal use for a period of 90 days from the date Software is first shipped to Licensee. Nortel Networks will replace defective media at no charge if it is returned to Nortel Networks during the warranty period along with proof of the date of shipment. This warranty does not apply if the media has been damaged as a result of accident, misuse or abuse. The Licensee assumes all responsibility for selection of the Software to achieve Licensee's intended results and for the installation, use and results obtained from the Software. Nortel Networks does not warrant (a) that the functions contained in the software will meet the Licensee's requirements, (b) that the Software will operate in the hardware or software combinations that the Licensee may select, (c) that the operation of the Software will be uninterrupted or error free, or (d) that all defects in the operation of the Software will be corrected. Nortel Networks is not obligated to remedy any Software defect that cannot be reproduced with the latest Software release. These warranties do not apply to the Software if it has been (i) altered, except by Nortel Networks or in accordance with its instructions, (ii) used in conjunction with another vendor's product, resulting in the defect, or (iii) damaged by improper environment, abuse, misuse, accident or negligence. THE FOREGOING WAR
...rvices dialog box, which lists Chargen, DHCP, Discard, DNS Proxy, Echo, Ident, SNMP, SOCKS, Telnet, WEB Proxy and WEB Configuration.
3. Select the DHCP check box.
4. Click Configure. The DHCP Configuration dialog box opens (Figure 103). It contains a Scopes list (Name, Start Address, End Address) with Add, Remove and Configure buttons, DNS Servers and WINS Servers lists (in the example, 192.168.1.1) with Add and Remove buttons, a Node type selection, a Lease duration (in the example, 3 days 9 hours 0 mins) and a Relay Agent area with an Address box.
5. In the Relay Agent area, click the check box to enable the relay agent.
6. In the Address box, enter the IP address of the DHCP server to be used by the Contivity unit.
7. Click OK.

Configuring a Contivity unit as a DHCP server

If a DHCP server was already running when you first set up the Contivity unit, the unit did not configure itself as a DHCP server. You can, however, later configure the Contivity unit as the DHCP server for your network.

To configure your Contivity unit as a DHCP server:
1. Start Setup and, if prompted, select a unit to configure.
2. Choose Support > Services. The Services dialog box opens (Figure 104).

Figure 104 Services dialog box
Services
289. s on page 331.
• Telnet: A service that provides terminal emulation capabilities for logging on to the Contivity unit from a remote location. The default is to leave this option turned on. For more information about how to use this service with the Contivity unit, refer to Reference for the Contivity Branch Access Command Line Interface Version 7.20.
To enable diagnostic IP tools:
1 Start Setup and, if prompted, select a unit to configure.
2 Choose Support > Services. The Services dialog box opens (Figure 147).
Figure 147 Services dialog box
3 Select the check box of each diagnostic IP tool you want to enable.
4 Click OK.
Defining the SNMP community string for get requests
The SNMP protocol uses a community string to identify requesting and responding agents for information retrieval and traps. When you enable this service, you configure a community string for an SNMP get request. This string serves as an authentication scheme or password and must match the string of the SNMP host. Contivity Branch Access responds only to get requests from an SNMP host with a matching community string. If the Contivity unit receives an SNMP get request but the community
290. s not delete cached entries; it clears past results so that the statistics reflect cache usage with the current settings. To delete all entries in the cache, restart the Contivity unit. For details, refer to Restarting a Contivity unit on page 313.
To reset cache statistics:
1 On the Home page, click Web Cache. The Web Cache page opens.
2 On the Web Cache page, click Statistics. The Web Cache Statistics page opens.
3 Click Reset Statistics. When you reset cache statistics, all calculated values are reset to zero.
Managing cookies
Web sites can collect and store information about the users who browse their site with a function known as a cookie. A cookie is information saved on your computer's hard drive that sends information back to the originating Web server, which uses that information to track your identity and browsing habits. Cookies enable the Web site to personalize your browsing session according to your past preferences and generally make navigating the Web site or purchasing items easier. A Web site is said to be serving cookies if it places a cookie file on your computer's hard drive. When you browse through the site, the cookie is returned with the information about your movements to the Web server; in this case, the workstation is said to be returning cookies. The way cookies are managed on your hard drive depends on the Web browser you
291. s provided by your local telephone company.
Speed: Select the connection speed from the Speed list. Multilink PPP is required to support 112K or 128K multilink capabilities. Your ISP might not offer multilink PPP; if not, the connection is made using one channel (56K or 64K). Synchronous PPP is required for 56K or 64K.
Voice: If you set the speed to 56K or 112K, select whether to place the call as a voice call.
Obtain an IP address from ISP: Select this option if your ISP assigns dynamic IP addresses.
Specify an IP address: Select this option if your ISP assigns you a static IP address, and then enter the static IP address.
Click OK.
Setting the inactivity timeout
The inactivity timeout saves connect-time charges during times when no one is requesting Internet access. It specifies the number of minutes or seconds of inactivity over the ISDN connection after which Contivity Branch Access terminates the connection. When you need access again, Contivity Branch Access automatically reestablishes a connection within a few seconds.
To configure the inactivity timeout for an ISDN connection:
1 In the Inactivity timeout boxes, enter the new timeout setting. If you have a dedicated ISDN connection, enter 0.
2 Click OK.
Configuring advanced ISDN features
You can configure the following advanced settin
292. s a trademark of IBM Corporation. UNIX is a trademark of X/Open Company Limited. The asterisk after a name denotes a trademarked item.
Restricted rights legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013. Notwithstanding any other license agreement that may pertain to or accompany the delivery of this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.
Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the right to make changes to the products described in this document without notice. Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein. Portions of the code in this software product may be Copyright 1988 Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distributi
293. s allowed to all users within the Everyone Group, similar to that in Figure 66.
Figure 66 Allow Internet access example (Change Internet Access of <Everyone>: Allow All, Type All; 134.177.3.28 www.baynetworks.com; 207.25.71.26 www.cnn.com)
4 Configure Incoming Ports to allow access to all ports and Both (TCP and UDP). Refer to Managing incoming port access on page 120 for more information. All users now have access to only the sites on the list.
Note: If a user's individual access settings are more restrictive than the Everyone Group settings, Contivity Branch Access uses the more restrictive access settings.
Managing a remote Contivity unit
Admin cannot manage the remote users and groups unless the LANs are linked together such that the administrator at the main site's workstation has access to the group. The complete LAN directory is known when the workstation client runs Admin. The workstation client, rather than the Contivity unit, obtains user or group information from the NT domain controller or NetWare server. To use the remote site's groups and users rather than the local groups and users, create an additional icon in the Contivity Branch Access section of the Start menu called Admin Remote, which runs Admin with the remote command
294. s listed to confirm that the server exists and is in fact a domain name server. Test Connection also does a forward and reverse DNS lookup for the Contivity unit's IP address on the default interface.
To test the connection to the Internet:
1 Start Setup and, if prompted, select a unit to test.
2 Choose Setup > Test Connection. A dialog box opens indicating the test results and any subsequent actions to take.
Testing the connection to a host
Contivity Branch Access is shipped with a set of utilities to assist you with testing and troubleshooting host connection problems. iiLogin allows you to determine how an IP workstation is identified and to which Contivity unit the workstation is connected. Tools allows you to view host connections through various features such as ping, trace, and stress. It also allows you to troubleshoot problems that might occur. Tools provides a user-friendly screen to assist you in quickly finding an answer to host connection problems. From this screen you can ping a host, trace a host connection, and stress test the host connection.
Note: Many sites will not allow you to use these tools to test against them. You may get errors if you try to test against a site that does not want you testing. Also, ping and trace will get errors if the No RAW Sockets option is enabled for the user logged on to that workstation.
295. s reachable through the tunnel and represents the desired connectivity, usually the private address of the remote unit.
• Source: Select the source interface of the connection being monitored or controlled.
14 Click OK.
15 In the main Setup window, select the VPN tunnel and then click Configure. The IPsec Configuration dialog box opens (Figure 22).
Figure 22 IPsec Configuration dialog box
16 Clear the PFS check box if PFS is disabled on the CVS.
• NAT is optional. For more information on NAT, refer to Configuring NAT on page 203.
17 In the Default Network area, select your router connection from the list.
18 Click OK.
19 In the main Setup window, click Save and Exit. The tunnel is configured. For more information on how to initiate a tunnel after it has been configured, refer to How a tunnel is initiated on page 59.
Tunneling to the CVS when the Contivity Branch Access unit acts as a non-Contivity client
When a tunnel is established between the CVS and a Contivity Branch Access unit that uses a single IP address through the tunnel, the CVS is configured to accept the connection from a non-Contivity client. This type of connection allows a dynamic IP address from the ISP, and an aggressive mode tunnel is used. CVS version 2.6
296. s to choose from, you can add it. Refer to Adding a Contivity unit to the selection list on page 315. The Monitor main window opens (Figure 68).
Figure 68 Monitor main window
Monitor toolbar buttons
Table 14 describes the toolbar buttons in the Monitor main window.
Table 14 Monitor main window toolbar buttons
Button   Description
Stats    Opens a window that shows you statistics about the Contivity unit.
Users    Opens a window that shows which users are currently using the Contivity unit.
Log      Opens a window that shows the logging activity of the Contivity unit.
Diag     Opens a window that shows diagnostic information about the connections to the Contivity unit.
The toolbar in the Monitor main window changes depending on the type of information you are monitoring. For example, the buttons available for Stats are different from the buttons available for Users. To see this, practice clicking the Stats, Users, Log, and Diag buttons to see how the toolbar changes.
Monitoring a Contivity unit
To monitor a Contivity unit:
1 In the Monitor main window, click the toolbar button (Table 14) for the information you want to view.
2 When prompted, select the Contivity unit you want to monitor. The information for the selected unit is displayed. If
297. seconds between ping attempts. The default is 1 second.
Timeout: Enter the number of seconds to wait for a ping response. The default is 5 seconds.
5 Select the type of ping to run:
• Monitor: Used for IPsec, a monitor ping checks the validity of a tunnel. After a series of failed pings, this option ends the tunnel. This type of ping does not initiate a dial-up connection or cause a dial-up connection to be kept active. The ping monitors the validity of the tunnel.
• Control: A control ping manages the operating status of an interface. This type of ping can be used to force a connection to be kept active at all times.
• Background: Runs the ping in the background. A background ping can be used to keep a dial-up connection active.
6 If you selected Monitor or Control, select the interface to monitor or control from the Interface list; otherwise, skip this step.
7 Select the interface used to initiate the ping from the Source list. The default source is the IP address of the interface that is closest to the destination.
8 Click OK to close the Ping configuration dialog box.
9 Click OK to close the Pings dialog box.
10 In the Setup main window, click Save and Exit.
Understanding how a Contivity unit to Contivity unit VPN works
The Contivity Branch Access unit's VPN capabilities are designed to establish a secure tunnel with another Contivity Branch Access unit at a
298. sent and received.
Bytes: The data sent and received since the last reset is displayed in kilobytes. To calculate this amount in kilobits, multiply the kilobytes by 8.
Discards: The number of packets discarded.
Errors: The number of errors sent and received on the server selected for monitoring.
Last call: This shows the time of the last call; used only for dial-up interface information.
Last successful call: The time of the last successful call; used only for dial-up interface information.
Line state: Shows whether a connection is up, down, or disabled.
Trace state: This troubleshooting option shows what options you have selected on a trace. The following options are available for trace status: In (Input), Out (Output), NonIP (Non-IP messages), and NoBC (Suppress broadcasts). This information is used by Nortel Networks technical support personnel for troubleshooting.
Bundle wanted: In multiple dial-out interfaces, such as ISDN bundled into one interface, this shows the bundle wanted.
Bundle in: In multiple dial-out interfaces, this shows the actual bundle, which may be different than the Bundle wanted.
Performing a Trace
You can use the trace function to diagnose problems with a workstation, a Contivity unit on the network, a VPN tunnel, or a connection with your ISP. Also, when you contact Nortel Networks Technical Support, a support representative may request that you run a trace on a partic
299. ses must match the addresses of the networks you set up in the CVS. For more information on adding IP addresses, refer to Adding a local or remote IP address on page 41.
9 Click OK to close the IPsec Configuration dialog box. The Enter Monitor/Control Connection Information dialog box opens (Figure 24).
Figure 24 Enter Monitor/Control Connection Information dialog box (dialog text: Select control to automatically re-establish an IPsec connection, and select monitor to detect a connection failure. Enter a numeric IP address to monitor the connection with. You can optionally select an interface to use as the source address.)
10 Enter the following information:
• Connection: Choose whether you want to monitor or control the connection. For more information, refer to Using pings on page 42.
• IP Address: Enter the IP address of any device that is reachable through the tunnel. You might want to use the IP address of the main router at the home office.
• Source: Select the source interface of the connection being monitored or controlled.
11 Click OK.
12 In the main Setup window, click Save and Exit. The tunnel is configured. For more information on how to initiate a tunnel after it has been con
300. side IP address of 192.168.1.11 initiated a Telnet session with a Contivity unit with the IP address 222.68.1.18.
Figure 81 Sample SYSLOG Output
Priority       Hostname     Message
Local2.Notice  222.68.1.18  Telnet login from 192.168.1.11
Managing SNMP alarms
Simple Network Management Protocol (SNMP) is a service that provides communications at the applications network layer. The SNMP trap alarms feature enables third-party SNMP network manager software or hosts to receive notification of pre-defined significant events. The SNMP host handles the message and provides a log and user notification.
Note: Contivity Branch Access forwards SNMP traps to an SNMP host. To capture and view SNMP traps, you must set up a third-party SNMP application on your network.
SNMP message formats and trap events
The format of the SNMP message depends on the third-party SNMP daemon receiving the message. A typical SNMP daemon usually provides the date and time stamp, identifier of the device forwarding the message, community string, and text of the trap message. Contivity Branch Access supports SNMP traps for two events (Table 30).
Table 30 SNMP trap events
Trap                    Description
Cold start              Unit has restarted due to power up or restart.
Authentication failure  Unit has received an SNMP get request but the comm
301. ss. Refer to Setting up IP users not using iiLogin on page 88.
Use the Change option to limit or expand user and group Internet access. It is most common to change Internet access for a group rather than for an individual user, unless a particular user has unique Internet access requirements. Changing access for a group simultaneously changes the access of each user in the group.
To change user or group access:
1 Select the icon of the user or group you want to change.
2 On the toolbar, click Change. The Change Settings of User dialog box opens (Figure 37).
Figure 37 Change Settings of User dialog box (Change Settings of User: Sally)
The options and buttons on this dialog box are explained in more detail in the following sections.
Disabling user or group access
The disable option has a different meaning for users than it does for groups. If you disable access for a user, that user is denied access to the Internet. If you disable access for a group, access settings that have been defined for that group are ignored, and individual settings are used to determine access for each member of the group. Disabling access is most useful when dealing with groups you adopted from a directory service.
To disable user or group access:
> In the Change Settings of User dialog box (Figure 37), select the Disable
302. ss 268
cache level
  Aggressive 249
  and bandwidth savings 244
  Conservative 249
  default values 249
  defined 246
  Moderate 249
  predefined 245
  selecting 245
  settings 249
cache server
  network layer 237
  transparent 237
cache settings
  and bandwidth savings 244
  experimenting 245
  fine-tuning 244
caching proxy server 237
CGI request 255
client
  DHCP, Contivity unit as 228
  identifying 88, 314
  iiLogin 88, 314
  IP 84, 88, 127, 147, 185, 189, 314
  IPX 299
  SOCKS 186
client address redistribution (CAR) 71
communication settings
  dial-up 284
  E1 292
  ISDN 277
  PPPoE 294
  T1 290
configured Web site, defined 260
connection log 101, 161, 164
connections, simultaneous 298
context, set for NDS users and groups 87
Contivity unit
  adding to selection list 315
  configuration
    backup 317
    changing 313, 319
    restoring 318
  DHCP client 228
  hosts 196
  ISP, changing 320
  managing with Control 135
  multiple units 307
  name 325
  name server list 316
  not in selection list 315
  password 324
  port mappings 195
  registration, changing 322
  removing from selection list 316
  restarting 313
  restoring configuration 318
  serial number 343
  TCP/IP settings 194
  time 325
  time zone 325
  update history 345, 347
  user information 344
Contivity VPN Switch (CVS) 37
Control
  Internet access 136
  program overview 136
conventions, text 26
cookie management policy
  benefits 261
  establish
303. ss           Port
134.177.3.28  25
192.168.1.1   25
Example: Publishing a Web server when the Contivity unit has a dynamic IP address
In this example, you are setting up a Web server when your ISP assigns the Contivity unit a dynamic IP address. Contivity Branch Access has set up the local IP network, and the DHCP server has assigned IP addresses. The Contivity unit has a dial-up connection to the Internet and an Ethernet connection to the LAN. The Web server is called iibox.dynamic.myzone.com and has the IP address 192.168.1.10. The Dynamic DNS name server for dynamic.myzone.com has the IP address 192.122.98.75.
To publish a Web server when you have a dynamic IP address from your ISP:
1 Enter the public address and port. In this example, select the dial-up interface from the list as the public address and www (80) as the port.
2 Enter the private address and port. In this example, specify 192.168.1.10 as the private address and www (80) as the port.
3 Click OK. The Server Publication configuration dialog box closes, and you return to the Server Publication dialog box (Figure 93 on page 206).
4 Click OK.
Choose Support > Other Settings. The Other Settings dialog box opens (Figure 96).
Figure 96 Other Settings dialog box
Enable IP forwarding
Enable Token Ring source routi
304. ss unit by default. PFS incurs significant additional computational overhead that you may want to avoid unless you understand the security implications and PFS is absolutely required.
• Contivity Branch Access does not support 40-bit Data Encryption Standard (DES). Contivity Branch Access does support 56-bit encryption (DES) for VPN tunneling as a standard feature and supports 168-bit encryption (3DES) as an add-on feature.
• During phase 1 negotiations, the CVS requires single DES. If you want to use 3DES, you must also select single DES for encryption type. Contivity Branch Access uses 3DES for the actual tunneled data if it is configured as higher priority than DES.
• Contivity Branch Access does not support compression; however, this does not affect compression on the CVS. You can enable compression on the CVS.
DNS proxy server
If you enable the Contivity Branch Access unit as a DNS proxy server, the DNS addresses configured in Contivity Branch Access must be able to resolve all desired host names, whether part of the public Internet, the private network, or otherwise. As an alternative, if you configure Contivity Branch Access clients to use a DNS proxy server other than the Contivity Branch Access unit, they follow the rules for Microsoft networking, which allows more flexibility in determining name resolution. For more information, refer to your Microsoft networking documentation.
305. st names.
Note: If you leave Lookup Addresses enabled, it takes a while for the initial Log window to open, especially if there are a lot of entries.
• Forget password: If you select the Remember Password option when you are prompted for a password for a Contivity unit, this option cancels that selection.
• Forget all passwords: If you select the Remember Password option when you are prompted for a password for a Contivity unit, this option cancels that selection for all Contivity units.
Log Sort menu
Table 22 describes the sort options when the Log window is open.
Table 22 Sort options in the Log window
Item          Description
ID            Sorts the log alphabetically by user ID.
Time          Sorts the log chronologically by date and time of event.
Reverse sort  Reverses the current sort order.
Viewing diagnostic information
You can view diagnostic information for a particular Contivity unit.
To view diagnostic information:
> Click the Diag toolbar button. The Diag window opens. Figure 72 shows a sample Diag window.
Figure 72 Sample Diag window (sample values shown: Interface TEST; Server TEST; IP Addr 47.100.61.116; Net Mask 255.255.254.0; MTU size 1500; HW Addr 00A0CC 758386; Output queue 0; Flags Defaul
306. t; Encapsulation Ethernet; Bytes In 273,966,658, Out 3,829,434; Discards 0, 0; Errors 0, 0; Line state Up)
Note: The information in the Diag window is not automatically refreshed.
Table 23 lists the statistics displayed in the Diag window.
Table 23 Diag window statistics
Item           Description
Interface      If the Contivity unit has more than one interface, you can choose the interface you want to monitor, including a VPN tunnel.
MTU size       The Maximum Transmission Unit size.
Output queue   The output packet queue size, or the number of packets in the output queue.
Flags          The flags set: demand dialing, default, MP, single.
Encapsulation  The protocol used by the interface, for example PPP or Frame Relay.
Server         The name of the Contivity unit selected for monitoring.
IP Addr        The IP address of the Contivity unit interface being monitored, or the destination IP address of the VPN tunnel being monitored.
Net Mask       This shows the network mask address for the selected interface.
HW Addr        The MAC address of the Contivity unit interface being monitored.
Last time      The last day, date, time, and year that data was
307. If you try to stress a site that does not permit such connections, you may receive an error message, for example "Error connecting socket 10060" or "Error connection refused by host".
Figure 152 Stress test (sample Tools output shown: trials 92 through 100 of 2920 bytes each, 165 to 196 ms per trial, 14897.96 to 17914.11 bytes per second; total of 292000 bytes in 19.339 seconds, an average of 15099.02 bytes per second)
Setting host connection test options
You can customize how Tools performs a ping, a trace, and a stress.
To set options for a test:
1 Click Options. The Options dialog box opens (Figure 153).
Figure 153 Options dialog box in Tools
308. t each field on any page. For details on setting a custom cache level, refer to Creating a custom cache level on page 250.
Setting the action the cache performs when a Web server error occurs
Originating Web servers sometimes send errors to users. Typically, this happens when a user requests Web content from an originating Web server that is down or is not responding. In this situation, you can select one of two responses the Contivity unit makes:
• Send the Web entry it has stored in the cache if the Contivity unit fails to connect to the originating Web server, even if the cache entry is expired.
• Return the connection failure error message to the user.
To set the action the cache performs in response to an originating Web server error:
1 On the Home page, click Web Cache. The Web Cache page opens.
2 On the Web Cache page, click Configure. The unit Configuration page opens.
3 In the Web Cache Level area, click Customize. The Custom Cache Level page opens.
4 In the Request/Response Options area, select or clear the Return expired cache entry on server error check box. Click Help for more information about each field on any page.
Resetting cache statistics
When you change configuration options, you may want to reset the statistics to measure how the new configuration affects cache usage. Resetting statistics doe
309. t to edited.
2 Click Edit. The Event Information dialog box opens (Figure 77 on page 162).
3 Make the required changes to the configuration.
4 Click OK.
Deleting a log from the automatic logging configuration
To delete a log that currently runs automatically:
1 In the AutoLog window, select the log configuration you want to delete.
2 Click Delete.
Exporting log files
When a User log file or Connection log file is exported to a spreadsheet file, you will see additional information that is not shown when you view the files in Monitor. All information is exported with each field separated by a comma (comma-delimited format) so that any spreadsheet can easily read the file. Access time information in both the User log and Connection log files is exported in seconds so that any spreadsheet can easily convert the seconds into an hours:minutes:seconds format.
Exported user log files include the following information:
• User Name
• MAC address or IP address
• First access time
• Last access time
• Time on, in seconds
• Bytes sent
• Bytes received
• Applications in use
Exported connection log files include the following information:
• Time of event
• Connection ID
• User Name
• Event
• MAC address or IP address (only for Event start)
Managing SYSL
310. t user and determines whether to permit access to that address. Contivity Branch Access sorts all access controls by:
• Day of week and time of day
• Fully specified addresses
• Partially specified addresses using wildcards
The Internet Access option lets you allow or deny Internet access for a user or group. You can specify the message type (TCP or UDP), IP address(es), and port(s).
Note: You must set the Day of Week and the Time of Day access to controlled (blue) for these entries to be enforced. Refer to Configuring Internet access on page 102.
You can designate Internet addresses as IP addresses or host names, and you can select port numbers from the access list provided or enter them numerically. Table 7 shows how you can specify Internet access. Note the following:
• An asterisk (*), the wildcard symbol, is all-encompassing, whether designating full access, no access, or specific addresses or ports.
• A check mark designates that user access is permitted to the specified address or port; an X designates that no access is permitted.
Table 7 Designating Internet access
Allow  Type         Address         Port  Explanation
✓      TCP and UDP  *               *     Specifies total Internet access.
✓      TCP and UDP  206.210.192.99  *     Specifies access to all ports at this specific IP address only.
✓      TCP and UDP  198 S
311. tact. Even if you do not have a static IP address, Contivity Branch Access provides you with the ability to publish a server as a fully qualified domain name (FQDN). When you define the address translation for the server, you specify the WAN interface name rather than its current IP address.
Using Dynamic DNS
The Dynamic DNS performs a DNS update when the address of an interface changes. Carefully consider the implications of using Dynamic DNS before you implement this feature for anything other than forming a virtual private network (VPN). There is generally no security with respect to the modification of an entry. In private environments such as a VPN, the lack of security is not as much of an issue because:
• The host name can be non-obvious, because the host name itself becomes a form of a password.
• In a private environment, you can configure the Dynamic DNS to accept updates only from certain ISP address ranges.
• Even if another host name is discovered or its address is compromised, IPsec contains its own security measures, such as the pre-shared key and the particular address ranges to be exchanged.
You can configure Contivity Branch Access so that a DNS update is performed each time the address of an interface changes. You must provide the following information:
• The fully qualified domain name (FQDN) to be updated
• The IP address or FQDN for the DNS server th
312. tails, refer to Reference for the Contivity Branch Access Command Line Interface Version 7.20.
SOCKS Proxy Server: You can configure the Contivity unit as a SOCKS proxy server to handle TCP traffic for SOCKS clients. If you have IP workstations already configured as SOCKS workstations, you can use the unit to connect them to the Internet. For details, refer to Configuring a Contivity unit as a SOCKS proxy server on page 186.
Table 1 Services Contivity Branch Access provides (continued)
Service                  Features
VPN Tunnel               You can configure IP security (IPsec) to establish a virtual private network (VPN) tunnel between a Contivity unit and a Contivity VPN Switch (CVS), between a Contivity unit and a BayRS, or between two Contivity units. For details, refer to Chapter 2, IP security and VPN.
Web Configuration        This feature allows you to access and edit the Contivity Branch Access configuration files using a Web browser. For details, refer to Changing a unit's system files on page 194.
Web (HTTP) Proxy Server  Enabling the Contivity unit as a Web (HTTP) proxy server provides:
                         • A single point of contact for LAN workstations
                         • A single point for LAN workstations to obtain access to other proxies
                         • Web caching to the network in addition to individual workstations
Deciding what to do next
Contivity
313. tamp.

Note: The Contivity unit always uses the actual expiration date and time if the originator of a Web entry has set them for an entry.

Changing the cache level is the first and easiest change you can make when you want to increase bandwidth savings.

How cache levels are defined

Each predefined cache level sets:
• Default settings for an expiration percent and minimum expiration time for text and non-text entries
• Whether certain types of Web content requests (CGI, query, and no-cache) are retrieved from the cache or from the originating Web server
• Whether the user receives a cached entry or a message when an error occurs

Note: Text entries refer to text stored in ASCII code, such as words, sentences, and paragraphs. Non-text or binary entries refer to any entries other than text, for example, graphics files, program code, or executable files.

Expiration percent

The expiration percent specifies the percentage of the current date the Contivity unit should use when calculating a text or non-text entry's expiration. When an entry stored in the cache has no expiration date and time stamp, the Contivity unit calculates the expiration time based on the following formula: expiration percent of (current date and time minus the entry's last modified date and time). Setting the percentage high allows for m
314. te user confirmation message box ... 93
Delete group confirmation message box ... 94
Copy user confirmation message box ... 96
Copy group confirmation message box ... 96
Effective Settings of User dialog box ... 97
Change Settings of User dialog box ... 100
Change User Access dialog box ... 102
Change Settings of User dialog box ... 108
Change Internet Access dialog box ... 109
Add Internet Access dialog box ... 109
Change Settings of User dialog box ... 111
Change Internet Access dialog box ... 112
Delete access confirmation message box ... 112
Change Settings of User dialog box ... 113
Change Internet Access dialog box ... 114
Change Settings of User dialog box ... 115
Change News Groups dialog box ... 116
Add News Group dialog box ... 116
Change Settings of User dialog box ... 118
Delete news group confirmation message box ... 118
Change Settings of User dialog box ... 119
Change News Group dialog box ... 120
Change Settings of Use
315. ted for a password for a specific Contivity unit, this option cancels that selection.
• Forget all passwords: If you select the Remember Password option when you are prompted for a password for a Contivity unit, this option cancels that selection for all Contivity units.

Note: Monitor shows all of the configured tunnels, including orphan tunnels. If you want to view only active tunnels, use the ipsec CLI command. For details, refer to Reference for the Contivity Branch Access Command Line Interface Version 7.20.

Viewing users

You can view a list of all users connected to the Contivity unit. The user name that appears in the log is controlled by the Set User Name Order you configure in the Admin program. Refer to Setting user name order on page 84. IP workstations not logged in with the Contivity Branch Access workstation login are identified in the log by their IP address.

To view a list of users connected to a Contivity unit:
➤ Click the Users toolbar button. The Users window opens. Figure 70 shows a sample Users window.

Figure 70 Sample Users window (columns: User, Sent, Received, Time On, Last accessed, Apps)
316. ter the news group address. For example, alt.binaries.pictures selects all the sub-news groups within the alt.binaries.pictures news group.
7 Click OK.

Removing news group access

To remove a news group from the list:
1 In the Admin window, select a group folder or user icon.
2 On the toolbar, click Change. The Change Settings of User dialog box opens (Figure 50).
Figure 50 Change Settings of User dialog box
3 Click News Groups. In the Change News Groups dialog box, select the news group to which the group or user is to be denied access.
4 Click Delete. A confirmation message box opens (Figure 51).
Figure 51 Delete news group confirmation message box
5 Click Yes to confirm the deletion. The news group is deleted from the group's or user's access list, and the user no longer has access to that news group.

Changing news group access

To change group or user access to current news groups:
1 In the Admin window, select a group folder or user icon.
2 On the toolbar, click Change. The Change Settings of User dialog box opens (Figure 52).
Figure 52 Change Settings of User dialog box (fields: Disable, Ignore group setti
317. ter you review the statistics and understand the savings you gained with the default settings, fine-tune the cache settings and begin your experiments.

Note: Be sure to adjust only one or two settings at a time to make it easier to measure the results of your changes.

Deciding how long to run an experiment

When you experiment with the available cache settings, you should let the cache entries fill up to 100% after each adjustment. First, monitor how much time elapses before the cache is filled with the current settings. Then, when you know that length of time, run the experiment for twice that long to get meaningful data. For example, if the cache fills up in 2 days, run your experiment for twice the amount of time (4 days) to see the effects of your changes on the cache statistics. Running the experiment for the same amount of time as it takes the cache to fill up may not provide accurate statistics.

Note: To ensure that the statistics are accurate with your new settings, reset the cache statistics before you begin each experiment. For details, refer to Resetting cache statistics on page 258.

Selecting a cache level

The Contivity unit is shipped with three predefined cache levels (Conservative, Moderate, and Aggressive) and an additional Custom level for which you can define your own settings. Each cache level sets expiration options that are applied to entries in the cache that do not have an expiration date and time s
318. terminate if Licensee fails to comply with any of the terms and conditions of the license. Upon termination for any reason, Licensee will immediately destroy or return to Nortel Networks the Software, user manuals, and all copies. Nortel Networks is not liable to Licensee for damages in any form solely by reason of the termination of this license.

8. Export and re-export. Licensee agrees not to export, directly or indirectly, the Software or related technical data or information without first obtaining any required export licenses or other governmental approvals. Without limiting the foregoing, Licensee, on behalf of itself and its subsidiaries and affiliates, agrees that it will not, without first obtaining all export licenses and approvals required by the U.S. Government, (i) export, re-export, transfer, or divert any such Software or technical data, or any direct product thereof, to any country to which such exports or re-exports are restricted or embargoed under United States export control laws and regulations, or to any national or resident of such restricted or embargoed countries; or (ii) provide the Software or related technical data or information to any military end user or for any military end use, including the design, development, or production of any chemical, nuclear, or biological weapons.

9. General. If any provision of this Agreement is held to be invalid or unenforceable by a court of competent jurisdiction, the remainder of the provisions
319. that uses hash security to convert a message into a fixed string of digits.
MDI: Multiple Document Interface. Allows an application to have a main window and any number of child windows.
Medium Dependent Interface: The interface changes depending upon the medium used.
Management Information Base II: A standardized database of objects that allows an SNMP host to monitor a device defined by the MIB.
modem (from modulation/demodulation): A device that transmits signals over telephone lines. It converts binary electrical signals into acoustic signals and vice versa.
multilink PPP: An extension to the PPP protocol that enables you to group a set of links into a bundle for more bandwidth. The links in the bundle can operate at different speeds. Typical links can be ISDN B channels, dial-up connections, and leased lines.
name server: A means of translating readable host computer names into actual IP addresses so that you don't have to remember long numbers to access other computers and destinations on the Internet. Also called DNS.
NAT: Network Address Translation. The modifying of IP addresses and/or port numbers as they pass through a router or other such device. There are various types and implementations of NAT, but Contivity Branch Access provides a many-to-one NAT, whereby many internal IP addresses are represented as a single IP address to the outside world. This method is also sometimes c
320. the Contivity unit's configuration. Change the information as your ISP or a Nortel Networks support representative advises. After each change, click Save and Exit. The following prompt is displayed:

Do you want the changes to take effect immediately?

If you respond No, the software writes the new configuration data to the unit, but the new configuration does not take effect until you restart the Contivity unit. If you respond Yes, the software writes the new configuration data to the unit, disconnects all users, and restarts with the new configuration. During the few moments of configuration, the unit does not respond on the network, but screen messages inform you of actions taking place. Contivity Branch Access displays the message:

Do you want to test the connection?

If you respond Yes, Contivity Branch Access tests the Internet connection and advises you of the results and any actions to take. If you respond No, you may choose to test now or anytime later by selecting either option from the Setup menu.

Changing your ISP

If you change ISPs, or any information about your connection changes (user name, password, connection phone number), you must reconfigure the Contivity unit with the new information.

Note: You must change your ISP information only if you have a dial-up or ISDN con
321. the connection. A value of 0 prevents the interface from timing out.
4 Click OK.

Configuring advanced communication settings for a T1 connection

If you have a T1 interface on the Contivity unit, you can configure the starting channel, line style, clock, auto loopback settings, and a backup interface.

To configure advanced communication settings for a T1 interface:
1 Start Setup and, if prompted, select a unit to configure.
2 In the Interfaces area, select the T1 interface and then click Configure. The T1 Configuration dialog box opens (Figure 122).
Figure 122 T1 Configuration dialog box (fields: Framing format ESF/D4; Line encoding B8ZS/AMI; Data Normal/Inverted; Line build out; Rate multiplier 64K/56K; Line speed 1536 Kbps (64 x 24); Type PPP/Frame Relay; LMI type Annex D/Annex A; IP address; Subnet mask; Router address; Address translation; Advanced)
3 Click Advanced. The T1 Advanced Configuration dialog box opens (Figure 123).
Figure 123 T1 Advanced Configuration dialog box (fields: Starting channel; Channels are Consecutive/Alternating; Line style ANSI T1.403/AT&T 54016; Clock External/Interna
322. the same, create an alias interface for the Contivity Branch Access unit and assign the static address to that alias. For more information on aliases, refer to Configuring an alias for an interface on page 230.
• Set the default network to the interface that has the static address and enable output NAT on the IPsec interface. This translates all packets leaving the IPsec interface, before they are encrypted and encapsulated, to have that interface's address as a source. Alternatively, you can configure input NAT on the private LAN interface.
• Another router bordering the CVS must provide a route to the Contivity Branch Access unit's public address. You can use proxy ARP if the Contivity Branch Access unit's default network address is valid on the CVS private network.
• There are no restrictions on the connection medium used by the Contivity Branch Access unit. The unit supports IPsec on any type of available interface, including a LAN connection to another router.
• Contivity Branch Access does not support certificates for authentication; only pre-shared keys are used. The name of the IPsec interface created for the Contivity Branch Access unit must match the user ID that was created for the CVS.
• When you use Setup to configure a connection to the CVS, perfect forward secrecy (PFS) is enabled on the Contivity Branch Acce
323. the Internet. If more than one network is using the Contivity unit, you can specify static routes so that the networks can communicate with each other through the unit. You can configure a static route for multiple networks or for a single network that has subnetworks. Static routes are essentially manually specified route entries that must be explicitly entered and maintained for accuracy. Static routes leave little ambiguity in terms of the routing that the Contivity unit uses.

To add a static route:
1 Start Setup and, if prompted, select a unit to configure.
2 Choose Support > Static Routes. The Static Routes dialog box opens (Figure 89).
Figure 89 Static Routes dialog box
3 Click Add. The Static Route Configuration dialog box opens (Figure 90).
Figure 90 Static Route Configuration dialog box
4 Enter the following information:
Destination Address: The IP address of the network to which you are routing.
Bits: The number of bits for the network portion of the address, for example, 24. If you do not specify the number of bits (32), an individual host is assumed.
Interface: The name of the IP interface on which to transmit packets intended for this destination.
Gateway Ad
324. the main Setup window.

To turn on address translation for this alias:
1 Select the alias interface in the Interfaces list and then click Configure. The <interface> Configuration dialog box opens (Figure 111).
Figure 111 Interface Configuration dialog box (fields: Interface; IP address; Subnet mask; Address translation)
2 Select the Address Translation check box to enable NAT. For more information on NAT, refer to Configuring NAT on page 203.
3 Click OK.
4 In the main Setup window, click Save and Exit.

Using a demilitarized zone (DMZ)

A demilitarized zone (DMZ) is a network segment that is separate from your internal network and usually contains publicly accessible servers. The devices on a DMZ often have publicly announced IP addresses and require less security than your internal network. Segmenting your Web, FTP, e-mail, or DNS servers in a DMZ allows you to host your own Internet services but keep your internal network secure.

You can use the Contivity unit for a DMZ in one of two ways:
• With a single server or a hub connected to an additional Ethernet connector, such as the second Ethernet connector (Eth2) on the back of the Contivity unit
• With each ind
325. tings 101; incoming port 120; logging 101; logging, See AutoLog; news group 114; overview 104; report 129; restricted access message 129; user day and time 102; defining 99; disabling 100
Internet addressing, types of 104
Internet connection, testing 332
Internet Key Exchange (IKE) 38, 60
Internet Security Association and Key Management Protocol (ISAKMP) 38
IP address: types of 104; virtual private network (VPN) 41
IP client: accessing a DNS proxy server 185; configuring for Internet access 189; error messages 348; identification 84; identifying 147; identifying the login workstation 314; iiLogin icon 88; using RAW sockets 127
IP filter: applying to an interface 217; configuring 211; overview 212; Winsock 307
IP forwarding: dial-up, ISDN, and leased line 201; Ethernet interfaces 201; TCP/IP 199
IP network 33, 180, 193
IP security (IPsec) 37
IP services: alias 230; configuring 193; DHCP server 218; diagnostic tools 329; DNS proxy server 185; IP filter 211; IP forwarding 199; network address translation (NAT) 203; routing information protocol (RIP) 228; SOCKS proxy server 186; static routes 196; Web proxy server 180
IPsec: log 76; troubleshooting 75; virtual private network (VPN) 37
IPX: client 299; frame type 301; network 34; security 297; simultaneous connections 298
ISDN connection: backup phone number 278; bandwidth on demand 281; communication settings 277; data calls 283; inactivity timeout 280; second cha
326. tio. If the statistics for single-hit entries are above 80%, the cache statistics are lower (20 to 30% hit ratio). These statistics can vary depending on cache usage.

Viewing why requests are not sent from the cache

When a user requests Web content, the request passes through the cache and is evaluated. The requested entries are sent from the cache whenever possible. When a request is not fulfilled from the cache, it is typically because the entry has expired. In this case, the request is fulfilled from the originating Web server. In addition to expiring, there are other reasons that entries are not sent from the cache. The Contivity unit tracks and records statistics about these entries that are not sent from the cache. You can improve some of these statistics by tuning the Contivity unit to enable certain types of special Web requests to be sent from the cache.

To increase the number of entries sent from the cache, review the following statistics for why requests are not sent from the cache and then fine-tune the cache settings accordingly:
• If the statistics show that requests are not returned from the cache because the entry exceeded the maximum size, adjust the maximum entry size. For details, refer to Limiting the size of a cached entry on page 254.
• If the statistics show that requests are not returned because the request contained a query, enable query results to be cac
327. Table 30 SNMP WED OVENS ... 174
Table 31 Cache level default expiration settings for text and non-text entries ... 249

Preface

The Contivity Branch Access hardware and software solution is a managed and secure gateway that connects any type of LAN to the Internet through a single IP address. It connects directly to a network and lets all LAN users access the Internet simultaneously. Contivity Branch Access, along with your service provider, can allow all network users to enjoy the broad information services available on the Internet automatically. Within minutes, you can browse the World Wide Web, retrieve files, search for information, participate in news groups, and send and receive e-mail.

Before you begin

This manual is intended for network administrators and contains information for performing the following functions:
• Administering the Contivity unit
• Configuring IP security (IPsec) for a virtual private network (VPN)
• Administering user and group Internet access
• Monitoring the Contivity unit
• Configuring the Contivity unit as a DNS, Web, or SOCKS proxy server
• Configuring the IP services that the Contivity unit will use
• Using Web cache configuration to administer and configure the Contivity unit's Web cache settings
• Using support and diagnostic functions for the Contivity un
328. to an order but does not see the item in the shopping cart. A user's personalized settings for a Web site are not remembered on subsequent visits to the site.

Establishing a policy to block cookies for all unconfigured Web sites provides two benefits:
• Allows more entries to be cached. By default, the Contivity unit does not cache text requests that contain cookies.
• Protects your organization's online privacy by preventing cookies from being set and returned to anonymous Web servers.

Managing cookies for all unconfigured Web sites

You can restrict unconfigured Web sites from setting cookies on client workstations, as well as restrict clients from returning cookies to unconfigured Web sites. All new and previously unconfigured Web sites accessed through the Contivity unit will use these default settings.

To block cookies for all unconfigured Web sites:
1 On the Home page, click Web Cache. The Web Cache page opens.
2 On the Web Cache page, click Web Sites. The Web Sites page opens.
3 Click Default Options. The Default Web Site Options page opens.
4 In the Options For All Unconfigured Web Sites area, configure the settings. Click Help for more information about each field on any page.

Managing cookies for a particular Web site

After you determine that the user does need access to the Web site, you must first
329. to restrict users from contacting specified hosts by IP address. Wildcards may be used to restrict ranges of addresses.
IPX: Internet Packet Exchange. The Novell NetWare protocol that provides datagram delivery of messages. IPX facilitates communications between end stations on geographically dispersed LANs, supporting a large range of applications, and provides the network layer functions of addressing and routing to facilitate communications between a client and a NetWare server.
IPsec: IP security. A method of authenticating encrypted sessions by negotiating an encryption algorithm and key.
ISAKMP: Internet Security Association and Key Management Protocol.
inactivity timeout: A Contivity Branch Access parameter that specifies the number of minutes of inactivity over the dial-up connection after which the Contivity unit terminates the connection and hangs up the phone. When you need a new connection, Contivity Branch Access dials the ISP and re-establishes a connection, which takes about 30 seconds.
interface: A set of instructions that allows one device or protocol to send and receive data. In the case of Contivity Branch Access, an interface represents the protocol used to connect to the Internet and might be described as either dial-up or router.
Internet Access Control (IAC): The function that Contivity Branch Access uses to control the times and days users have access to the Internet and to speci
330. to the selection list and then click OK. The Contivity unit is now displayed in the selection list.

To remove a unit from the selection list:
➤ Click Remove.

Note: You can remove only a unit that you added to the list.

Understanding the name server list order

Name servers translate readable host computer names into numeric IP addresses. Your ISP supplies you with one or more name server addresses and also creates and maintains the name servers. If you enter more than one name server, Contivity Branch Access tries to connect to the first name server and, if it fails, continues down the list until a successful connection is made. The server that responds is then moved to the top of the list.

Saving and restoring unit configurations

Using Setup, you can back up configuration settings to a disk file so that you can restore the configuration when you exchange or upgrade the unit or when you make extensive changes to the unit's configuration. For example, if you want to make changes to the Advanced TCP/IP Settings in the Contivity Branch Access management software, it is a good idea to make a backup of the unit's current configuration before making any changes. You can then restore the original configuration if the changes you make cause problems.

Backing up a unit configuration to disk

To back up the configuration to disk:
1 Start Setu
331. trol Connection Information dialog box.
11 Enter the following information:
• Connection: Choose whether you want to monitor or control the connection. For more information, refer to Using pings on page 42.
• IP Address: Enter the IP address of a device that is reachable through the tunnel and represents the desired connectivity, usually the private address of the remote unit.
• Source: Select the source interface of the connection being monitored or controlled.
12 Click OK.
13 In the main Setup window, click Save and Exit.

Understanding how a Contivity Branch Access unit to CVS VPN works

The Contivity Branch Access unit's VPN capabilities are designed to establish a tunnel with a Contivity VPN Switch (CVS) at another location. You can configure a Contivity Branch Access unit to CVS VPN regardless of whether your unit receives a static IP address or a dynamic IP address from your ISP. The type of connection that should be configured depends on the type of IP address the unit receives:
• Dynamic IP address: When your Contivity Branch Access unit receives a dynamic IP address from your ISP, the tunnel uses aggressive mode. When a unit that uses dynamic IP addresses establishes a tunnel with a CVS, the CVS considers the Contivity Branch Access unit to be
332. ty unit that you have registered in the Dynamic DNS.

Configuring an IP filter

An IP filter permits or denies access of packets into, out of, or through Contivity Branch Access. An IP filter is a powerful tool for controlling the behavior of packets and frames. Filters protect the integrity of the Contivity unit and the networks to which it is passing traffic. Typically, a filter permits the passage of a few well-understood packets and denies the passage of everything else.

Each filter has a logical name and contains a list of rules. You can apply filters to any interface on either input or output processing, or both. Filter rules are processed in the order specified, and there is an implicit deny-all filter at the end of the list. When you do not specify a filter for an interface, all traffic is allowed.

You can create filters that form templates for performing a particular type of filtering. The reason for creating filters and then applying them to an interface, instead of just applying them directly to an interface, is that this method provides inherent consistency and allows you to apply the same list of rules to multiple interfaces without having to ensure consistency individually for each interface. After you create a filter, you can apply it as an input filter or an output filter. For details, refer to Applying a filter t
333. type Other; Unit 192.168.1.1; Name Order NT, Bindery, NDS; Status Connected as Default

Adding a Contivity unit to the selection list

In a multi-unit installation, you are prompted to choose a unit to administer when you start any of the administration utilities. Because of the nature of IP, all available Contivity units may not appear in the selection list. If you do not see the unit you want, you can add the unit to the list of available units.

Note: You cannot use this procedure to install a new Contivity unit. This procedure merely locates an existing unit.

To add a Contivity unit to the list of available units:
1 Start any administration utility. The Instant Internet Units dialog box opens (Figure 134).
Figure 134 Instant Internet Units dialog box (columns: Unit Serial Number, IP Address; buttons: Add, Remove, Cancel)
2 Click Add. The Enter Unit's IP Address dialog box opens (Figure 135).
Figure 135 Enter Unit's IP Address dialog box (prompt: Enter the numeric IP address of the Instant Internet unit)
3 Enter the IP address of the Contivity unit you want to add
334. u use to create and configure servers and services for the Contivity unit. When you install the Contivity Branch Access management software, you create and configure general servers and services. You can change these settings using Setup.

To start Setup:
1 From the Instant Internet program group or menu (depending on your operating system), select Setup.
2 If you have an IP network or a network with more than one Contivity unit, the Instant Internet Units dialog box opens. Select the unit you want and then click OK. If you do not see the Contivity unit in the list, refer to Adding a Contivity unit to the selection list on page 315.

Note: Before you begin, back up the Contivity unit's configuration. For details, refer to Backing up a unit configuration to disk on page 317.

Changing a unit's system files

System files are typically used for advanced configuration and troubleshooting. You can change a unit's system TCP/IP settings, port mappings, and support hosts using the Setup program or a Web browser. You can also view the Contivity unit's log, users, and update history. For details, refer to Viewing system logs and entries on page 344.

Changing a unit's system settings

You must use CLI commands to change a unit's system advanced TCP/IP settings. For details, refer to Reference fo
335. ular interface (for example, Eth1 or dial-up) and then ask you to export the results to a file in a certain format. You can then e-mail the trace results file to the Nortel Networks Technical Support representative for analysis.

To perform a trace:
1 In the Diag window, select an interface. For an ISDN interface, select one of the channels, such as ISDN B1.
2 Click Trace. A Trace dialog opens (Figure 73).
Figure 73 Trace dialog box
3 Select the appropriate options for running the trace based on what the Nortel Networks Technical Support representative tells you.
4 Click Start to begin the trace. The trace information is displayed in the bottom half of the dialog box.
5 Click Stop to end the trace.

Caution: Do not leave a trace running for a long period of time. A large trace results file can consume system resources and affect network performance.

6 To view the results of a trace, click View. The trace results file window opens. Figure 74 shows a sample trace results file window.
Figure 74 Sample trace results file (pppoe2.log opened in Notepad)
336. unity string on the remote end does not match the Contivity unit's community string. For details, refer to Defining the SNMP community string for get requests on page 331.

Configuring SNMP alarms for trap events

When you configure SNMP alarms, you define a community string for the Contivity unit and identify an SNMP host to receive SNMP traps. The community string acts as a unique identifier for the Contivity unit as the originator of an SNMP trap message.

To configure SNMP alarms for trap events:
1 Start Setup and, if prompted, select a unit to configure.
2 Choose Support > Alarms. The Alarms dialog box opens (Figure 82).
Figure 82 Alarms dialog box
3 In the SNMP Hosts area, click Add. The Enter SNMP Host dialog box opens (Figure 83).
Figure 83 Enter SNMP Host dialog box
4 In the SNMP Host box, enter the IP address or hostname of the server that is running the SNMP application and then click OK. You return to the Alarms dialog box (Figure 79 on page 171).
• To delete an SNMP host, select it in the list and then click Remove.
• To change the name or IP address of an SNMP host, select it in the list and then click Configure.
Repeat steps 3 and 4 for each SNMP host you want to
…unnel connection is completely independent of the dial-up connection to the Internet and remains valid (and expires as configured) regardless of whether the dial-up connection is active. When static IP addressing is used for a VPN, this is of little consequence, because as soon as the connection is reestablished the tunnel traffic can continue. When the Contivity Branch Access unit's Internet connection is re-established, if the public IP address assigned by the ISP differs from the previous one used to establish the tunnel, Contivity Branch Access deletes the tunnel immediately. Further traffic or a control ping re-establishes the tunnel.

If, however, the dial-up connection is interrupted, inadvertently or intentionally due to an idle timeout, and the gateway at one endpoint of the tunnel informs the other endpoint that the tunnel is to be deleted, this information cannot reach the remote gateway, and it will not know that the tunnel is no longer valid. After the dial-up connection is re-established, it continues to attempt to use this now-invalid tunnel, as described above regarding one endpoint disconnecting. This situation occurs due to a limitation of the IPsec protocol; however, there are three ways you can work around this limitation:

- Maintain traffic over the tunnel in both directions on a relatively constant basis. This option is…
…upport

To run Internet applications properly, Contivity Branch Access requires the Winsock that comes with this product. If it finds another Winsock, you must either delete the preexisting Winsock file or rename it.

Caution: If you choose to continue installing the Contivity Branch Access management software while allowing multiple versions of winsock.dll to run, you risk improper operation of Contivity Branch Access with Internet applications.

IP filters and Winsock compatibility

Filters apply to the Winsock server's packets, although input filters would not apply, since these packets are always generated internally and never come from an external source. If you do not want the Winsock to be constrained by the output filters for an interface, simply allow all traffic from the Contivity unit's IP address. For example:

    ip filter winsock allow source x.x.x.x
    ifconfig network outfilter winsock

The designation x.x.x.x is the IP address assigned to the network interface. This address works because internally generated packets destined for hosts on the network connected to the network interface always have a source IP address of the network interface. Refer to "Configuring an IP filter" on page 211 for more information on IP filtering.

Configuring the Contivity unit in a multiple-unit environment

When you use multiple Contivity units in an IPX network, you have several additional options. Among these options are the abi…
…ur ISP uses multiple devices on the same phone number but does not support the PPP Multilink Protocol across the devices, select the "Do not disable second channel on PPP negotiation failure" check box.

Adding a backup phone number

Contivity Branch Access dials the primary phone number first after each successful connection. However, for those times when the primary ISDN phone number is busy or fails, you can designate a backup phone number. When Contivity Branch Access detects a busy signal or a problem in dialing the main phone number, it automatically dials the backup phone number to make a connection.

To add or change a backup phone number for an ISDN connection:

1. In the Backup box, enter the backup phone number. If your second channel (B channel) dials a different phone number, you can enter a secondary phone number. Use a slash to separate the two numbers. If the exchange (first three digits) is the same for both numbers, you may enter only the last digits of the secondary phone number. Example: 555-1212/555-1213 or 555-1212/1213.
2. Click OK.

Changing ISP connection settings

To change IP address settings:

1. Do one of the following:
   - Switch Type: Select the switch type from the list. Depending on the switch type you select, one, both, or none of the SPID number boxes becomes active.
   - SPID: If a SPID number box is active, enter the SPID number…
…ur Contivity unit can function as a DHCP server on your network and assign IP addresses to workstations and other IP devices dynamically. Using the Contivity unit as a DHCP server is the recommended configuration for the unit. You may want to use this feature if you do not want to administer static IP addresses for every workstation on your network. For a discussion of using the Contivity unit as a DHCP server, refer to Installing the Contivity Branch Access Management Software Version 7.20.

Additional DHCP configuration options are available through the command line interface (CLI). For details, refer to Reference for the Contivity Branch Access Command Line Interface Version 7.20.

Scopes and leases

A DHCP scope is a pool of IP addresses together with a subnet mask and default gateway. Each subnet can have only one scope, with a single contiguous range of IP addresses. You can create the effect of several ranges, if necessary, by creating a scope that encompasses all the desired ranges and then excluding the addresses that fall between the desired ranges. You can establish multiple leases to support multiple subnets, such as an Ethernet subnet and a token ring subnet.

When a computer using DHCP for its configuration (a DHCP workstation) is turned on, it requests an IP address and other configuration information from the DHCP server. If there is an available address in the DHCP server…
…uring Internet access" on page 102), that user has access to everything on the Internet. However, if you add one restriction to the Internet access list, the user has no Internet access at all. Therefore, if you want to restrict access to only a few sites, you must first allow access to everything. You can allow access to all IP addresses, ports, and host names and then disallow access one by one as desired. Or you can disallow access to all IP addresses, ports, and host names and then allow access one by one as desired.

The reverse is true if you have the user or group access set to Controlled. In this case, the user has no Internet access, and you must specifically allow Internet access to IP addresses, ports, and host names.

When you make changes to Internet Access, an asterisk appears to the left of the option, indicating that specific Internet access control settings have been defined.

Adding Internet access

To add Internet access to a user or group:

1. In the Admin window, select a group folder or user icon.
2. On the toolbar, click Change. The Change Settings of User dialog box opens (Figure 39).
   Figure 39: Change Settings of User dialog box (shown for the user "Robin")
3. Click Internet Access. The Change Internet Access dialog box opens (Figure 40) and displays the current access…
…urrently connected to a specific Contivity unit:

1. Choose View > Users.
2. To view up-to-the-minute changes in users for the unit, click Refresh.
3. To return to the main Setup window, click Cancel.

Viewing a unit's update history

Each Contivity unit maintains a record of the versions that have been installed and upgraded. This is the update history log.

To view an update history log for a unit:

1. Choose View > Update History.
2. Review the file as needed. To print the file, choose File > Print.
3. To close the file, choose File > Close.

Managing system files through a Web browser

Before you can use a Web browser to manage system files, you must enable Web configuration. For details, refer to "Enabling Web configuration" on page 183.

Connecting to the Contivity unit using a Web browser

To connect to the Contivity unit using a Web browser:

1. In the Address or Location box of your Web browser, type the IP address of the Contivity unit. If the unit is password protected, the Username and Password Required dialog box opens. A user name is not required.
2. Enter the password for the unit. The Home page opens (Figure 155).
   Figure 155: Instant Internet home page ("Instant Internet Home by Nortel Networks"), Adm…
- Refresh: …us users added.
- Clear: Clears all columns for all users. The displayed information is cumulative since the log was last reset. When you select Clear, the user's Sent, Received, Time, and Last columns are reset to zero. After you select Clear, users are added to the log as they access the Contivity unit.
- Exports user data to a specified file for use at a later date. This option is useful before clearing the User log.

Users menu

The Users menu contains options for the above buttons, and it also contains the following options:

- Forget password: If you select the Remember Password option when you are prompted for a password for a specific Contivity unit, this option cancels that selection.
- Forget all passwords: If you select the Remember Password option when you are prompted for a password for a Contivity unit, this option cancels that selection for all Contivity units.

Users Sort menu

Table 19 describes the options on the Sort menu when the Users window is open.

Table 19: Sort options in the Users window

Item              Description
Users             Sorts the list by user name.
Bytes sent        Sorts the list numerically by bytes sent.
Bytes received    Sorts the list numerically by bytes received.
Time on           Sorts the list numerically by the amount of time the user has been logged on.
Last access date  Sorts the list chronologically by the date the user last accessed the selected Contivity unit.
…use. For example, Netscape Navigator uses a single cookie file (cookie.txt) that is modified when a cookie is set. Microsoft Internet Explorer manages individual cookie files in a directory. Cookies cannot read anything from a computer's hard drive and cannot perform any functions that compromise a user's computer. You can usually block cookies to improve cache efficiency and privacy without affecting Web site access.

Establishing a cookie management policy

Your cookie management policy will be the result of experimentation. Usually you can view a Web site without having to return cookies, so you can block the return of cookies and still cache the entry without affecting the data. But some Web sites, for example sites that use shopping carts or that allow you to manage an investment account, require that clients return cookies to pass personal settings or information. If a Web site requires cookies and you block cookies from that site, the user may receive an error message indicating that cookies are required. In this case, you can enable cookies only for that site.

Statistically, 20 to 25 percent of Web content contains cookies. When you block cookies, the Contivity unit caches Web entries it may not ordinarily cache if they contained cookies. To take full advantage of the Contivity unit, Nortel Networks recommends that you block al…
…w group folder labeled Everyone is added to the List of Groups. All the users on your network are automatically added to the folder.

3. If you want all your users to be able to use Internet Explorer, set the Internet Access to allow 127. Refer to "Defining controlled Internet access" on page 104.

Managing directory service users and groups

Contivity Branch Access allows you to use the user groups that you already have set up in your network directory services. This eases the administration setup process. The directory services that Contivity Branch Access adopts automatically are:

- Windows 95, Windows 98, Windows Me, Windows NT, and Windows 2000 domain users and groups (refer to "Managing domain users and groups" on page 85)
- NetWare NDS users and groups (refer to "Managing NetWare NDS users and groups" on page 86)
- Novell Bindery users and groups (refer to "Managing Novell Bindery users and groups" on page 87)

Adopting existing users and groups is convenient because you do not have to create each new user or group or manage a duplicate database. Instead, Contivity Branch Access finds the users and groups for you and maintains their Internet access settings.

Note: You cannot administer network directory users from Contivity Branch Access. If you want to make changes to users or groups and their members, you must make the changes in the user or gr…
…ween two Contivity Branch Access units.

Understanding virtual private networking

Contivity Branch Access includes IP security (IPsec) virtual private networking (VPN) capabilities designed to establish a tunnel with a Contivity VPN Switch (CVS), another Contivity Branch Access unit at a different location, or other IPsec-compliant devices.

A VPN is a special type of connection that permits remote users or LANs to communicate with another LAN over a public network such as the Internet. When you set up a VPN, you are essentially using a public network as your own private, secure network. When users connect through the VPN, you incur only the local toll charges to your ISP.

To create a VPN, a special connection called a tunnel is first established between the two sites. Tunnels allow private IP traffic to flow across the Internet, including NetBIOS information for Windows networking, encapsulated within IP packets. Through the tunnel, all IP-based resources and applications on the remote LAN become available to the local site.

User data sessions through tunnels can specify DES encryption to assure privacy, authentication (which proves that the data was not intercepted and modified), or both. Contivity Branch Access supports 56-bit encryption (DES) for VPN tunneling as a standard feature. Contivity Branch Access also supports 168-b…
…work, you may want to force the use of the Bindery user name and groups. Refer to "Setting user name order" on page 84.

Setting the NetWare preferred server

Contivity Branch Access provides the ability to set the NetWare server of the users and groups you want to view. When a preferred server is set, it becomes the one that is displayed first.

Note: You must be running a NetWare client to use this feature.

To set the NetWare preferred server:

1. Choose View > Set Preferred Server.
2. Select the preferred server and then click OK.

To assign different access settings for the same bindery user or group on different servers, select Unique users and groups by server.

Setting up IP users not using iiLogin

When Contivity Branch Access is installed on an IP workstation running Windows 95, Windows 98, Windows Me, Windows NT, or Windows 2000, a Contivity Branch Access icon (iiLogin) appears in your system tray. You can double-click the icon to find out how that workstation is logged on. For more information, refer to Installing the Contivity Branch Access Management Software Version 7.20.

UNIX and Macintosh workstations cannot use the iiLogin workstation identification. Others, such as guests or temporary employees who use your network occasionally, also may not have an iiLogin workstation identification. Thes…
…y if the originating Web server sends an error. For details, refer to "Setting options for special Web requests" on page 255.

Predefined cache levels (default values)

You can choose from the following predefined cache levels:

- Conservative: This level reduces Internet traffic and decreases the possibility of the cache returning stale information, but it also minimizes the effectiveness of the cache. Select this option only if your users are having problems receiving fresh data.
- Moderate: This level extends entry expiration times to further reduce Internet traffic and allows cached responses to CGI and query requests. This is the system default.
- Aggressive: This level further extends expiration times and allows cached responses to CGI and query requests. This level provides the most bandwidth savings.

Table 31 shows the default expiration settings for text and non-text entries, and the request and response settings, for each predefined cache level.

Table 31: Cache level default expiration settings for text and non-text entries

                                            Conservative       Moderate           Aggressive
                                            Text   Non-Text    Text   Non-Text    Text   Non-Text
Expiration Percent                          10     20          20     40          100    200
Minimum Expiration Time (in minutes)        5      10          10     20          30     60
CGI Requests                                Disabled           Enabled            Enabled
Query Requests                              Disabled           Enabled            Enabled
Return Expired Cache Entry on Server Error
…y it to the interface as an input filter or an output filter.

A common question is: When do you use an input filter versus an output filter? In many cases it does not make a difference. In complex configurations with multiple interfaces, however, there is a benefit of one over the other. For example, if you have a network with a host to which no one should be allowed to Telnet, you can apply an output filter to the interface to which the host is connected that blocks Telnet packets from being transmitted to that host. Then there is no need to apply this filter to the input of all other interfaces.

To apply a filter to an interface:

1. Start Setup and, if prompted, select a unit to configure.
2. In the Interfaces area, select an interface and then click Filters. The <interface name> Filter Configuration dialog box opens (Figure 101).
   Figure 101: Interface Filter Configuration dialog box (shown as "Eth2 Filter Configuration", with In filter and Out filter selections, a Filters list, and Add, Configure, and Cancel buttons)
3. Select the filters you want to apply to the interface:
   - In filter: Applies the filter to incoming packets as they are received.
   - Out filter: Applies the filter to packets just before they are transmitted by the interface.
4. Click OK.

Enabling a Contivity unit as a DHCP server

Yo…
…you do not see the Contivity unit you want to monitor, refer to "Adding a Contivity unit to the selection list" on page 315.

Viewing statistics

The Stats window displays the statistical information available for the selected Contivity unit, including a real-time graph that shows the data being either sent or received in kilobits per second.

To view statistics for a unit:

1. Click the Stats toolbar button. The Stats window opens (Figure 69).
   Figure 69: Sample Stats window (fields shown: Server, IP Addr, Apps, Firmware, Speed, Up time, Interface, Last call, Status, Timeout, Connects, Disconnects, In Bytes, Out Bytes; a Kb/sec graph with Show Sends, Recvs, or Both)
2. In the Interfaces statistics area, select the interface for which you want to view statistics. Table 15 lists the statistics displayed in the Stats window.

Table 15: Stats window statistics

Item      Description
Server    The name of the Contivity unit selected for monitoring.
IP Addr   The IP address of the selected interface or the destination IP address of the selected VPN tunnel.
Apps      The number of applications currently accessing the unit. Contivity can support an unlimited number of IP workstation application…
…you make changes to an incoming port's access, an asterisk appears to the left of the option, indicating that specific incoming ports access control settings have been defined.

Managing RAW sockets

The No RAW Sockets option on the Change Settings for User dialog box (Figure 61) applies to IP workstations when address translation is enabled for the client-side interface. Some Internet applications, typically diagnostics such as ping, use a protocol of RAW sockets for communication. Because these sockets require special low-level control of the IP packets, some administrators may want to restrict user access to these diagnostics. This type of connection is not blocked by restricting the IP address in the access control list.

To prohibit the use of RAW sockets:

1. In the Admin window, select a group folder or user icon.
2. On the toolbar, click Change. The Change Settings of User dialog box opens (Figure 61).
   Figure 61: Change Settings of User dialog box (shown for the user "Robin")
3. Select the No RAW Sockets check box. This prohibits the use of RAW sockets. The error message that the Internet user will see when the No RAW Sockets option is selected is "Error 10044 WSAESOCKTNOSUPPORT". If messages are allowed, IP workstations will receive an ICMP restricted message panel.

Note: In Tools ping a…
