
Table of Contents

Using the VPN 3002 Hardware Client Manager
VPN 3002 Hardware Client Browser Requirements
Connecting to the VPN 3002 Using HTTP
Installing the SSL Certificate in Your Browser
Connecting to the VPN 3002 Using HTTPS
Configuring HTTP, HTTPS, and SSL Parameters
Logging into the VPN 3002 Hardware Client Manager
Interactive Hardware Client and Individual User Authentication
Logging In With Interactive Hardware Client and Individual User Authentication
Understanding the VPN 3002 Hardware Client Manager Window
Organization of the VPN 3002 Hardware Client Manager
Navigating the VPN 3002 Hardware Client Manager

Using the VPN 3002 Hardware Client Manager


The VPN 3002 Hardware Client Manager is an HTML-based interface that lets you configure, administer, monitor, and manage the VPN 3002 with a standard web browser. To use it, you connect to the VPN 3002, using a PC and browser on the same private network with the VPN 3002.

The Manager uses the standard web client / server protocol, HTTP (Hypertext Transfer Protocol), which is a cleartext protocol. However, you can also use the Manager in a secure, encrypted HTTP connection over SSL (Secure Sockets Layer) protocol, known as HTTPS.

When the SSL certificate is installed, you can connect directly using HTTPS; see "Connecting to the VPN 3002 Using HTTPS."

VPN 3002 Hardware Client Browser Requirements

The VPN 3002 Hardware Client Manager requires either Microsoft Internet Explorer version 4.0 or higher, or Netscape Navigator version 4.5-4.7. For best results, we recommend Internet Explorer. Whatever browser and version you use, install the latest patches and service packs for it.


Note   You cannot use the Live Event Log feature with Netscape Navigator version 4.0.

JavaScript and Cookies

Be sure JavaScript and Cookies are enabled in the browser. Refer to the documentation for your browser for instructions.

Navigation Toolbar

Do not use the browser navigation toolbar buttons Back, Forward, or Refresh/Reload with the VPN 3002 Hardware Client Manager unless instructed to do so. To protect access security, clicking Refresh/Reload automatically logs out the Manager session. Clicking Back or Forward might display stale Manager screens with incorrect data or settings.

We recommend that you hide the browser navigation toolbar to prevent mistakes while using the VPN 3002 Hardware Client Manager.

Recommended PC Monitor/Display Settings

For optimal use, we recommend setting your monitor or display:

Connecting to the VPN 3002 Using HTTP

When your system administration tasks and network permit a cleartext connection between the VPN 3002 and your browser, you can use the standard HTTP protocol to connect to the system.

Even if you plan to use HTTPS, you use HTTP at first to install an SSL certificate in your browser.


Step 1   Bring up the browser.

Step 2   In the browser Address or Location field, you can just enter the VPN 3002 private interface IP address; for example, 10.10.147.2. The browser automatically assumes and supplies an http:// prefix.

The browser displays the VPN 3002 Hardware Client Manager login screen.




Figure 1-1   VPN 3002 Hardware Client Manager Login Screen


To continue using HTTP for the whole session, skip to "Logging into the VPN 3002 Hardware Client Manager."

Installing the SSL Certificate in Your Browser

The Manager provides the option of using HTTP over SSL with the browser. SSL creates a secure session between your browser (VPN 3002 hardware client) and the VPN Concentrator (server). This protocol is known as HTTPS, and uses the https:// prefix to connect to the server. The browser first authenticates the server, then encrypts all data passed during the session.

HTTPS is often confused with a similar protocol, S-HTTP (Secure HTTP), which encrypts only HTTP application-level data. SSL encrypts all data between client and server at the IP socket level, and is thus more secure.

SSL uses digital certificates for authentication. The VPN 3002 creates a self-signed SSL server certificate when it boots, and this certificate must be installed in the browser. Once the certificate is installed, you can connect using HTTPS. You need to install the certificate from a given VPN 3002 only once.

Managing the VPN 3002 is the same with or without SSL. Manager screens might take slightly longer to load with SSL because of encryption/decryption processing. When connected via SSL, the browser shows a locked-padlock icon on its status bar. Both Microsoft Internet Explorer and Netscape Navigator support SSL.

For HTTPS to work on the public interface, you must enable HTTPS on the VPN 3002 through the command-line interface or from an HTTP session on the private interface first.

Follow these steps to install and use the SSL certificate for the first time. We provide separate instructions for Internet Explorer and Netscape Navigator when they diverge.


Step 1   Connect to the VPN 3002 using HTTP as above.

Step 2   On the login screen, click the Install SSL Certificate link.

The Manager displays the Install SSL Certificate screen and automatically begins to download and install its SSL certificate in your browser.




Figure 1-2   Install SSL Certificate Screen


The installation sequence now differs depending on the browser. Continue below for Internet Explorer, or skip to "Installing the SSL Certificate with Netscape."

Installing the SSL certificate with Internet Explorer

This section describes SSL certificate installation using Microsoft Internet Explorer 5.0. (With Internet Explorer 4.0, some dialog boxes are different but the process is similar.)

You need to install the SSL certificate from a given VPN 3002 only once. If you do reinstall it, the browser repeats all these steps each time.

A few seconds after the VPN 3002 Hardware Client Manager SSL screen appears, Internet Explorer displays a File Download dialog box that identifies the certificate filename and source, and asks whether to Open or Save the certificate. To immediately install the certificate in the browser, select Open. If you Save the file, the browser prompts for a location; you must then double-click the file to install it.


Figure 1-3   Internet Explorer File Download Dialog Box



Step 1   Click the Open this file from its current location radio button, then click OK.

The browser displays the Certificate dialog box with information about the certificate. You must now install the certificate.


Figure 1-4   Internet Explorer Certificate Dialog Box


Step 2   Click Install Certificate.

The browser starts a wizard to install the certificate. The certificate store is where such certificates are stored in Internet Explorer.


Figure 1-5   Internet Explorer Certificate Manager Import Wizard Dialog Box


Step 3   Click Next to continue.

The wizard opens the next dialog box asking you to select a certificate store.


Figure 1-6   Internet Explorer Certificate Manager Import Wizard Dialog Box


Step 4   Let the wizard Automatically select the certificate store, and click Next.

The wizard opens a dialog box to complete the installation.


Figure 1-7   Internet Explorer Certificate Manager Import Wizard Dialog Box


Step 5   Click Finish.

The wizard opens the Root Certificate Store dialog box asking you to confirm the installation.


Figure 1-8   Internet Explorer Root Certificate Store Dialog Box


Step 6   To install the certificate, click Yes. This dialog box closes, and a final wizard confirmation dialog box opens.


Figure 1-9   Internet Explorer Certificate Manager Import Wizard Final Dialog Box


Step 7   Click OK to close this dialog box, and click OK on the Certificate dialog box (Figure 1-4) to close it.

You can now connect to the VPN 3002 using HTTP over SSL (HTTPS).

Step 8   On the Manager SSL screen (Figure 1-2), click the link that says After installing the SSL certificate, click here to connect to the VPN 3002 Hardware Client using SSL.

Depending on how your browser is configured, you might see a Security Alert dialog box.


Figure 1-10   Internet Explorer Security Alert Dialog Box


Step 9   Click OK.

The VPN 3002 Hardware Client displays the HTTPS version of the Manager login screen.


Figure 1-11   VPN 3002 Hardware Client Manager Login Screen Using HTTPS (Internet Explorer)


The browser maintains the HTTPS state until you close it or access an unsecured site; in the latter case you might see a Security Alert screen.

Proceed to Logging into the VPN 3002 Hardware Client Manager to log in as usual.



Viewing Certificates with Internet Explorer

There are (at least) two ways to examine certificates stored in Internet Explorer.

First, note the padlock icon on the browser status bar in Figure 1-11. If you double-click the icon, the browser opens a Certificate Properties screen showing details of the specific certificate in use.


Figure 1-12   Internet Explorer 4.0 Certificate Properties Screen


Click any of the Field items to see Details. Click Close when finished.

Second, you can view all the certificates that are stored in Internet Explorer 4.0. Click the browser View menu and select Internet Options. Click the Content tab, then click Authorities in the Certificates section.

In Internet Explorer 5.0, click the browser Tools menu and select Internet Options. Click the Content tab, then click Certificates in the Certificates section. On the Certificate Manager, click the Trusted Root Certification Authorities tab.

The VPN 3002 Hardware Client SSL certificate name is its Ethernet 1 (private) IP address.


Figure 1-13   Internet Explorer 4.0 Certificate Authorities List


Select a certificate, then click View Certificate. The browser displays the Certificate Properties screen, as in Figure 1-12 above.

Installing the SSL Certificate with Netscape

This section describes SSL certificate installation using Netscape Navigator / Communicator 4.5.

Reinstallation

You need to install the SSL certificate from a given VPN 3002 only once. If you try to reinstall it, Netscape displays the note in Figure 1-14. Click OK and just connect to the VPN 3002 using SSL (see Step 7 in this section).


Figure 1-14   Netscape Reinstallation Note


First-time Installation

The instructions below follow from Step 2 in "Installing the SSL Certificate in Your Browser," and describe first-time certificate installation.

A few seconds after the VPN 3002 Hardware Client Manager SSL screen appears, Netscape displays a New Certificate Authority screen.


Figure 1-15   Netscape New Certificate Authority Screen 1



Step 1   Click Next> to proceed.

Netscape displays the next New Certificate Authority screen, which further explains the process.


Figure 1-16   Netscape New Certificate Authority Screen 2


Step 2   Click Next> to proceed.

Netscape displays the next New Certificate Authority screen, which lets you examine details of the VPN 3002 Hardware Client SSL certificate.


Figure 1-17   Netscape New Certificate Authority Screen 3


Step 3   Click Next> to proceed.

Netscape displays the next New Certificate Authority screen, with choices for using the certificate. No choices are checked by default.


Figure 1-18   Netscape New Certificate Authority Screen 4


Step 4   You must check at least the first box, Accept this Certificate Authority for Certifying network sites. Click Next> to proceed.

Netscape displays the next New Certificate Authority screen, which lets you choose to have the browser warn you about sending data to the VPN 3002.


Figure 1-19   Netscape New Certificate Authority Screen 5


Step 5   Checking the box is optional. Doing so means that you get a warning whenever you apply settings on a Manager screen, so it is probably less intrusive to manage the VPN 3002 without those warnings. Click Next> to proceed.

Netscape displays the final New Certificate Authority screen, which asks you to name the certificate.


Figure 1-20   Netscape New Certificate Authority Screen 6


Step 6   In the Nickname field, enter a descriptive name for this certificate. "Nickname" is something of a misnomer. We suggest you use a clearly descriptive name such as Cisco VPN 3002 10.10.147.2. This name appears in the list of installed certificates; see "Viewing Certificates with Netscape," below.

Click Finish.

You can now connect to the VPN 3002 using HTTP over SSL (HTTPS).

Step 7   On the Manager SSL screen (Figure 1-2), click the link that says After installing the SSL certificate, click here to connect to the VPN 3002 Hardware Client using SSL.

Depending on how your browser is configured, you might see a Security Information Alert dialog box.


Figure 1-21   Netscape Security Information Alert Dialog Box


Step 8   Click Continue.

The VPN 3002 displays the HTTPS version of the Manager login screen.


Figure 1-22   VPN 3002 Hardware Client Manager Login Screen Using HTTPS (Netscape)

The browser maintains the HTTPS state until you close it or access an unsecured site; in the latter case, you might see a Security Information Alert dialog box.

Proceed to the section, "Logging into the VPN 3002 Hardware Client Manager," to log in as usual.



Viewing Certificates with Netscape

There are (at least) two ways to examine certificates stored in Netscape Navigator / Communicator 4.5.

First, note the locked-padlock icon on the bottom status bar in Figure 1-22. If you click the icon, Netscape opens a Security Info window. (You can also open this window by clicking Security on the Navigator Toolbar at the top of the Netscape window.)


Figure 1-23   Netscape Security Info Window


Click View Certificate to see details of the specific certificate in use.


Figure 1-24   Netscape View Certificate Screen


Click OK when finished.

Second, you can view all the certificates that are stored in Netscape. On the Security Info window, select Certificates, then Signers. The "nickname" you entered in Step 6 in the section, "First-time Installation," identifies the VPN 3002 Hardware Client SSL certificate.


Figure 1-25   Netscape Certificates Signers List


Select a certificate, then click Edit, Verify, or Delete. Click OK when finished.
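The certificate installed above is first downloaded over cleartext HTTP and then trusted by the browser, so it is worth comparing its fingerprint with one obtained over a trusted path before accepting it, and noticing if a device later presents a different certificate. The following is an added example, not part of the original Cisco documentation; the function names, the in-memory pin table, and the constructed stand-in certificate bytes are assumptions for illustration.

```python
import hashlib
import hmac
import ssl


def fingerprint(pem: str) -> str:
    """SHA-256 of the certificate's DER bytes, as colon-separated hex."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp: str) -> str:
    """Strip separators and case so differently formatted fingerprints compare."""
    return fp.replace(":", "").replace(" ", "").lower()


def verify_before_install(pem: str, trusted_fp: str) -> bool:
    """True only if the downloaded certificate matches a fingerprint that was
    obtained over a trusted path (assumption: recorded while directly attached
    to the device, not taken from the same HTTP session)."""
    return hmac.compare_digest(_normalize(fingerprint(pem)), _normalize(trusted_fp))


def check_pin(pins: dict, device_ip: str, pem: str) -> str:
    """Trust-on-first-use pin keyed by the device's private interface IP.

    Returns "first-use" when the device is new (and records it), "match" when
    the certificate is the one seen before, "changed" when it differs.
    """
    seen = _normalize(fingerprint(pem))
    known = pins.get(device_ip)
    if known is None:
        pins[device_ip] = seen
        return "first-use"
    return "match" if hmac.compare_digest(known, seen) else "changed"


def fetch_pem(device_ip: str, port: int = 443) -> str:
    """Fetch the certificate a device presents, without validating it.
    Not used in the offline demo below; a current TLS stack may refuse to
    negotiate with very old devices."""
    return ssl.get_server_certificate((device_ip, port))


# Constructed stand-ins: arbitrary bytes wrapped in PEM armor, not real
# certificates. The fingerprint is a hash of the bytes, so they are enough
# to exercise the comparison logic offline.
CONSTRUCTED_CERT_A = ssl.DER_cert_to_PEM_cert(b"constructed stand-in for device certificate A")
CONSTRUCTED_CERT_B = ssl.DER_cert_to_PEM_cert(b"constructed stand-in for a different certificate")

if __name__ == "__main__":
    trusted = fingerprint(CONSTRUCTED_CERT_A)       # pretend this came from a trusted path
    print("install A?", verify_before_install(CONSTRUCTED_CERT_A, trusted))
    print("install B?", verify_before_install(CONSTRUCTED_CERT_B, trusted))

    pins = {}
    ip = "10.10.147.2"                              # example address used on this page
    for pem in (CONSTRUCTED_CERT_A, CONSTRUCTED_CERT_A, CONSTRUCTED_CERT_B):
        print(ip, check_pin(pins, ip, pem))
```

A "changed" result does not by itself mean interception, but it should be explained before the new certificate is trusted.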

Connecting to the VPN 3002 Using HTTPS

When you have installed the SSL certificate in the browser, you can connect directly using HTTPS.


Step 1   Bring up the browser.

Step 2   In the browser Address or Location field, enter https:// plus the VPN 3002 private interface IP address; for example, https://10.10.147.2.

The browser displays the VPN 3002 Hardware Client Manager HTTPS login screen.

A locked-padlock icon on the browser status bar indicates an HTTPS session. Also, this login screen does not include the Install SSL Certificate link.



Configuring HTTP, HTTPS, and SSL Parameters

HTTP, HTTPS, and SSL are enabled by default on the VPN 3002, and they are configured with recommended parameters that should suit most administration tasks and security requirements.

To configure HTTP and HTTPS parameters, see the Configuration | System | Management Protocols | HTTP/HTTPS screen.

To configure SSL parameters, see the Configuration | System | Management Protocols | SSL screen.


Figure 1-26   VPN Hardware Client Manager HTTPS Login Screen


Logging into the VPN 3002 Hardware Client Manager

Logging into the VPN 3002 Hardware Client Manager is the same for both types of connections, cleartext HTTP or secure HTTPS.

Entries are case-sensitive. With Microsoft Internet Explorer, you can select the Tab key to move from field to field; other browsers might work differently. If you make a mistake, click the Clear button and start over.

The following entries are the factory-supplied default entries. If you have changed them, use your entries.


Step 1   Click in the Login field and type admin. (Do not press Enter.)

Step 2   Click in the Password field and type admin. (The field shows *****.)

Step 3   Click the Login button.

The Manager displays the main welcome screen (Figure 1-33).

From here you can navigate the Manager using either the table of contents in the left frame, or the Manager toolbar in the top frame.

Interactive Hardware Client and Individual User Authentication

Interactive hardware client and individual user authentication provide security by requiring manual entry of usernames and passwords prior to connection. You configure these features on the VPN Concentrator to which this VPN 3002 connects, and the VPN Concentrator pushes the policies you set to the VPN 3002. You can use interactive hardware client authentication and individual user authentication in combination or separately.

For complete configuration information refer to the section on the Hardware Client tab in the User Management chapter of the VPN 3000 Series Concentrator Reference Volume 1: Configuration.

Interactive Hardware Client Authentication

When you enable interactive hardware client authentication, the VPN 3002 does not use a saved username and password. Instead, to connect you must manually enter a valid username and password for the VPN 3002 when prompted. When the VPN 3002 initiates the tunnel, it sends the username and password to the VPN Concentrator to which it connects. The VPN Concentrator facilitates authentication, on either the internal or an external server. If the username and password are valid, the tunnel is established.

Individual User Authentication

Individual user authentication protects the central site from access by unauthorized persons on the same LAN as the VPN 3002.

When you enable individual user authentication, each user that connects through a VPN 3002 must open a web browser and manually enter a valid username and password to access the network behind the VPN Concentrator, even though the tunnel already exists.

Logging In With Interactive Hardware Client and Individual User Authentication

You access the interactive hardware client authentication and individual user authentication login screens from the VPN 3002 Hardware Client Manager login screen. The sequence in the login example that follows assumes that both interactive hardware client authentication and individual user authentication are required for this VPN 3002 to connect.


Figure 1-27   VPN 3002 Hardware Client Manager Login Screen



Step 1   Click the Connection Login Status button.

The Connection/Login Status screen displays.




Figure 1-28   Connection Login Status Screen



Step 1   Click the Connect Now button.

The VPN 3002 Interactive Authentication screen displays.




Figure 1-29   VPN 3002 Interactive Authentication Screen



Step 1   Enter the username and password for the VPN 3002.

Step 2   Click Connect.

If you have entered the valid username and password, the Connect Login Status screen displays the message that the VPN 3002 is connected. Next you authenticate the user.




Figure 1-30   Connection Login Status Screen



Step 1   To authenticate an individual user, click Log In Now.

The Individual User Authentication screen displays.




Figure 1-31   Individual User Authentication Screen



Step 1   Enter the username and password for this VPN 3002 user.

Step 2   Click Login. If the username and password you entered are valid, the Connection/Login Status window displays information about the connection.




Figure 1-32   Connection/Login Status Screen


The user behind the VPN 3002 is connected to the VPN Concentrator at the central site.

Click Go back to the VPN 3002 administrative login page to return to the VPN 3002 Hardware Client Manager login screen and access other features and functions of the VPN 3002.

Understanding the VPN 3002 Hardware Client Manager Window

The VPN 3002 Hardware Client Manager window on your browser consists of three frames—top, left, and main—and it provides helpful messages and tips as you move the mouse pointer over window items. The title bar and status bar also provide useful information.


Figure 1-33   VPN 3002 Hardware Client Manager Window

Title bar

The title bar at the top of the browser window includes the VPN 3002 device name or IP address in brackets, for example, [10.10.4.6].

Status bar

The status bar at the bottom of the browser window displays Manager activity and explanatory messages for some items.

Mouse pointer and tips

As you move the mouse pointer over an active area, the pointer changes shape and icons change color. A description also appears in the status bar area. If you momentarily rest the pointer on an icon, a descriptive tip appears for that icon.

Top frame
(Manager toolbar)

The Manager toolbar in the top frame provides quick access to Manager features. These include the following icons:


Click on the Main tab to go to the main Manager screen, and to close all subordinate sections and titles in the left frame.


Click on the Help tab to open context-sensitive online help. Help opens in a separate browser window that you can move or resize as you want. Close the help window when you are finished.


Click on the Support tab to open a Manager screen with links to Cisco support and documentation resources.


Click on the Logout tab to log out of the Manager and return to the login screen.

Logged in: [username]

The administrator username you used to log in to this Manager session.


Click on the Configuration tab to go to the main Configuration screen, to open the first level of subordinate Configuration pages in the left frame if they are not already open, and to close any open Administration or Monitoring pages in the left frame.


Click on the Administration tab to go to the main Administration screen, to open the first level of subordinate Administration pages in the left frame if they are not already open, and to close any open Configuration or Monitoring pages in the left frame.


Click on the Monitoring tab to go to the main Monitoring screen, to open the first level of subordinate Monitoring pages in the left frame if they are not already open, and to close any open Configuration or Administration pages in the left frame.

Save

Click on the Save icon to save the active configuration and make it the boot configuration. In this state, the reminder indicates that the active configuration is the same as the boot configuration, but you can save it anyway. When you change the configuration, the reminder changes to Save Needed.

Save Needed

This reminder indicates that you have changed the active configuration. Click on the Save Needed icon to save the active configuration and make it the boot configuration. As you make configuration entries, they take effect immediately and are included in the active, or running, configuration. However, if you reboot the VPN 3002 without saving the active configuration, any configuration changes are lost. Clicking on this reminder saves the active configuration as the boot configuration and restores the Save reminder.

Refresh

Click on the Refresh icon to refresh (update) the screen contents on screens where it appears (mostly in the Monitoring section). The date and time above this reminder indicate when the screen was last updated.

Reset

Click on the Reset icon to reset, or start anew, the screen contents on screens where it appears (mostly in the Monitoring section).

Restore

Click on the Restore icon to restore the screen contents to their status prior to when you last clicked the Reset icon.


Click on the Cisco Systems logo to open a browser and go to the Cisco.com web site, www.cisco.com.

Left frame
(Table of Contents)

On Manager screens, the left frame provides a table of contents. The table of contents uses the familiar Windows Explorer metaphor of collapsed and expanded entries.

Main section titles (Configuration, Administration, Monitoring)

Click on a title to open subordinate sections and titles, and to go to that Manager screen in the main frame.

Closed or collapsed

Click on the closed/collapsed icon to open subordinate sections and titles. Clicking on this icon does not change the screen in the main frame.

Open or expanded

Click on the open/expanded icon to close subordinate sections and titles. Clicking on this icon does not change the screen in the main frame.

Main frame
(Manager screen)

The main frame displays the current VPN 3002 Manager screen.

Many screens include a bullet list of links and descriptions of subordinate sections and titles. You can click on a link to go to that Manager screen, and open subordinate sections and titles in the table of contents.

Organization of the VPN 3002 Hardware Client Manager

The VPN 3002 Hardware Client Manager consists of three major sections and many subsections:

This manual covers all these topics. For Quick Configuration, refer to the VPN 3002 Hardware Client Getting Started guide.

Navigating the VPN 3002 Hardware Client Manager

Your primary tool for navigating the VPN 3002 Hardware Client Manager is the table of contents in the left frame. Figure 1-34 shows all its entries, completely expanded. (The figure shows the frame in multiple columns, but the actual frame is a single column. Use the scroll controls to move up and down the frame.)


Figure 1-34   Manager Table of Contents




Posted: Wed Feb 4 11:06:38 PST 2004
All contents are Copyright © 1992--2004 Cisco Systems, Inc. All rights reserved.