
Table Of Contents

Management Protocols

Configuration | System | Management Protocols | HTTP/HTTPS

About HTTP/HTTPS

Enable HTTP

Enable HTTPS

Enable HTTPS on Public

HTTP Port

HTTPS Port

Maximum Sessions

Apply/Cancel

Configuration | System | Management Protocols | Telnet

Enable Telnet

Enable Telnet/SSL

Telnet Port

Telnet/SSL Port

Maximum Connections

Apply / Cancel

Configuration | System | Management Protocols | SNMP

Enable SNMP

SNMP Port

Maximum Queued Requests

Apply / Cancel

Configuration | System | Management Protocols | SNMP Communities

Community Strings

Add/Modify/Delete

Configuration | System | Management Protocols | SNMP Communities | Add or Modify

Community String

Add or Apply / Cancel

Configuration | System | Management Protocols | SSL

Encryption Protocols

Client Authentication

SSL Version

Generated Certificate Key Size

Apply/Cancel

Configuration | System | Management Protocols | SSH

Enable SSH

Enable SSH on Public

SSH Port

Maximum Sessions

Key Regeneration Period

Encryption Protocols

Enable SCP

Apply / Cancel

Configuration | System | Management Protocols | XML

Enable

Enable HTTPS on Public

Enable SSH on Public


Management Protocols


The VPN 3002 Hardware Client includes several built-in servers, each using a different protocol, that let you perform typical network and system management functions. This section explains how you configure and enable those servers.

This section of the Manager lets you configure and enable built-in VPN 3002 servers that provide management functions using:

HTTP/HTTPS: Hypertext Transfer Protocol, and HTTP over SSL (Secure Sockets Layer) protocol.

Telnet: terminal emulation protocol, and Telnet over SSL.

SNMP: Simple Network Management Protocol.

SNMP Community Strings: identifiers for valid SNMP clients.

SSL: Secure Sockets Layer protocol.

SSH: Secure Shell.

XML: Extensible Markup Language.

Configuration | System | Management Protocols | HTTP/HTTPS

This screen lets you configure and enable the VPN 3002 HTTP/HTTPS server: Hypertext Transfer Protocol and HTTP over SSL (Secure Sockets Layer) protocol. When the server is enabled, you can use a Web browser to communicate with the VPN 3002. HTTPS lets you use a Web browser over a secure, encrypted connection.

About HTTP/HTTPS

The Manager requires the HTTP/HTTPS server. If you click Apply, even if you have made no changes on this screen, you break your HTTP/HTTPS connection and you must restart the Manager session from the login screen.

If you disable either HTTP or HTTPS, and that is the protocol you are currently using, you can reconnect with the other protocol if it is enabled and configured.

Related information:

For information on installing the SSL digital certificate in your browser and connecting via HTTPS, see Chapter 1.

To configure SSL parameters, see the Configuration | System | Management Protocols | SSL screen.

To install, generate, view, or delete the SSL certificate on the VPN 3002, see the Administration | Certificate Management screens.

Enable HTTP

Check the box to enable the HTTP server. The box is checked by default. HTTP must be enabled to install the SSL certificate in the browser initially, so you can thereafter use HTTPS. Disabling the HTTP server provides additional security, but makes system management less convenient. See the notes above.

Enable HTTPS

Check the box to enable the HTTPS server. The box is checked by default. HTTPS, also known as HTTP over SSL, lets you use the Manager over an encrypted connection.

Enable HTTPS on Public

Check the box to enable HTTPS on the Public interface.

HTTP Port

Enter the port number that the HTTP server uses. The default is 80, which is the well-known port.

HTTPS Port

Enter the port number that the HTTPS server uses. The default is 443, which is the well-known port.

Maximum Sessions

Enter the maximum number of concurrent, combined HTTP and HTTPS sessions (users) that the server allows. Minimum is 1, default is 4, maximum is 10.

Apply/Cancel

To apply your HTTP/HTTPS server settings, to include your settings in the active configuration, and to break the current HTTP/HTTPS connection, click Apply. If HTTP or HTTPS is still enabled, the Manager returns to the main login screen. If both HTTP and HTTPS are disabled, you can no longer use the Manager, and you will have to gain access through the console or another configured connection.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen.

Configuration | System | Management Protocols | Telnet

This screen lets you configure and enable the VPN 3002 Telnet terminal emulation server, and Telnet over SSL (Secure Sockets Layer protocol). When the server is enabled, you can use a Telnet client to communicate with the VPN 3002. You can fully manage and administer the VPN 3002 using the Cisco Command Line Interface (CLI) via Telnet.

Telnet server login usernames and passwords are the same as those enabled and configured on the Administration | Access Rights | Administrators screens.

Telnet/SSL uses a secure, encrypted connection. It is enabled by default.

See the Configuration | System | Management Protocols | SSL screen to configure SSL parameters. See the Administration | Certificate Management | Certificates screen to manage the SSL digital certificate.

Enable Telnet

Check the box to enable the Telnet server. The box is checked by default. Disabling the Telnet server provides additional security, but doing so prevents using the Cisco CLI via Telnet.

Enable Telnet/SSL

Check the box to enable Telnet over SSL. The box is checked by default. Telnet/SSL uses Telnet over a secure, encrypted connection.

Telnet Port

Enter the port number that the Telnet server uses. The default is 23, which is the well-known port number.

Telnet/SSL Port

Enter the port number that Telnet over SSL uses. The default is 992, which is the well-known port number.

Maximum Connections

Enter the maximum number of concurrent, combined Telnet and Telnet/SSL connections that the server allows. Minimum is 1, default is 5, maximum is 10.

Apply / Cancel

To apply your Telnet settings, and to include the settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Management Protocols screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen.

Configuration | System | Management Protocols | SNMP

This screen lets you configure and enable the SNMP (Simple Network Management Protocol) agent. When enabled, you can use an SNMP manager to collect information from the VPN 3002 but not to configure it.

To use SNMP, you must also configure an SNMP Community on the Configuration | System | Management Protocols | SNMP Communities screen.

The settings on this screen have no effect on sending system events to SNMP trap destinations (see Configuration | System | Events | General and Trap Destinations). For those functions, the VPN 3002 acts as an SNMP client.

Enable SNMP

Check the box to enable SNMP. The box is checked by default. Disabling SNMP provides additional security.

SNMP Port

Enter the port number that SNMP uses. The default is 161, which is the well-known port number. Changing the port number provides additional security.

Maximum Queued Requests

Enter the maximum number of outstanding queued requests that the SNMP agent allows. Minimum is 1, default is 4, maximum is 200.

Apply / Cancel

To apply your SNMP settings, and to include the settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Management Protocols screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen.

Configuration | System | Management Protocols | SNMP Communities

This section of the Manager lets you configure and manage SNMP community strings, which identify valid communities from which the SNMP agent accepts requests. A community string is like a password: it validates messages between an SNMP manager and the agent.

To use the VPN 3002 SNMP agent, you must configure and add at least one community string. You can configure a maximum of 10 community strings. To protect security, the SNMP agent does not include the usual default public community string, and we recommend that you not configure it.

Community Strings

The Community Strings list shows SNMP community strings that have been configured. If no strings have been configured, the list shows --Empty--.

Add/Modify/Delete

To configure and add a new community string, click Add. The Manager opens the Configuration | System | Management Protocols | SNMP Communities | Add screen.

To modify a configured community string, select the string from the list and click Modify. The Manager opens the Configuration | System | Management Protocols | SNMP Communities | Modify screen.

To delete a configured community string, select the string from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining entries in the list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen.

Configuration | System | Management Protocols | SNMP Communities | Add or Modify

These Manager screens let you:

Add: Configure and add a new SNMP community string.

Modify: Modify a configured SNMP community string.

Community String

Enter the SNMP community string. Maximum 31 characters, case-sensitive.

Add or Apply / Cancel

To add this entry to the list of configured community strings, click Add. Or to apply your changes to this community string, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Management Protocols | SNMP Communities screen; a new entry appears at the bottom of the Community Strings list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entry or changes, click Cancel. The Manager returns to the Configuration | System | Management Protocols | SNMP Communities screen, and the Community Strings list is unchanged.

Configuration | System | Management Protocols | SSL

This screen lets you configure the VPN 3002 SSL (Secure Sockets Layer) protocol server. These settings apply to both HTTPS and Telnet over SSL. HTTPS lets you use a web browser over a secure, encrypted connection to manage the VPN 3002.

SSL creates a secure session between the client and the VPN 3002 server. The client first authenticates the server, they negotiate session security parameters, and then they encrypt all data passed during the session. If, during negotiation, the server and client cannot agree on security parameters, the session terminates.

SSL uses digital certificates for authentication. The VPN 3002 creates a self-signed SSL server certificate when it boots; or you can install in the VPN 3002 an SSL certificate that has been issued in a PKI context. This certificate must then be installed in the client (for HTTPS; Telnet does not usually require it). You need to install the certificate from a given VPN 3002 only once.

The default SSL settings should suit most administration tasks and network security requirements. We recommend that you not change them without good reason.


Note: To ensure the security of your connection to the Manager, if you click Apply on this screen, even if you have made no changes, you break your connection to the Manager and you must restart the Manager session from the login screen.


Related information:

For information on installing the SSL digital certificate in your browser and connecting via HTTPS, see Chapter 1.

To configure HTTPS parameters, see the Configuration | System | Management Protocols | HTTP/HTTPS screen.

To configure Telnet/SSL parameters, see the Configuration | System | Management Protocols | Telnet screen.

To manage SSL digital certificates, see the Administration | Certificate Management screens.

Encryption Protocols

Check the boxes for the encryption algorithms that the VPN 3002 SSL server can negotiate with a client and use for session encryption. All are checked by default. You must check at least one algorithm to enable SSL. Unchecking all algorithms disables SSL.

The algorithms are negotiated in the following order (you cannot change the order, but you can enable or disable selected algorithms):

RC4-128/MD5 = RC4 encryption with a 128-bit key and the MD5 hash function. This option is available in most SSL clients.

3DES-168/SHA = Triple-DES encryption with a 168-bit key and the SHA-1 hash function. This is the strongest (most secure) option.

DES-56/SHA = DES encryption with a 56-bit key and the SHA-1 hash function.

RC4-40/MD5 Export = RC4 encryption with a 128-bit key, 40 bits of which are private, and the MD5 hash function. This option is available in the non-U.S. versions of many SSL clients.

DES-40/SHA Export = DES encryption with a 56-bit key, 40 bits of which are private, and the SHA-1 hash function. This option is available in the non-U.S. versions of many SSL clients.

Client Authentication

This parameter applies to HTTPS only; it is ignored for Telnet/SSL.

Check the box to enable SSL client authentication. The box is not checked by default. In the most common SSL connection, the client authenticates the server, not vice-versa. Client authentication requires personal certificates installed in the browser, and trusted certificates installed in the server. Specifically, the VPN 3002 must have a root CA certificate installed; and a certificate signed by one of the VPN 3002 trusted CAs must be installed in the Web browser. See Administration | Certificate Management.

SSL Version

Click the drop-down menu button and select the SSL version to use. SSL Version 3 has more security options than Version 2, and TLS (Transport Layer Security) Version 1 has more security options than SSL Version 3. Some clients that send an SSL Version 2 "Hello" (initial negotiation) can actually use a more secure version during the session. Telnet/SSL clients usually can use only SSL Version 2.

Choices are:

Negotiate SSL V2/V3 = The server tries to use SSL Version 3 but accepts Version 2 if the client cannot use Version 3. This is the default selection. This selection works with most browsers and Telnet/SSL clients.

SSL V3 with SSL V2 Hello = The server insists on SSL Version 3 but accepts an initial Version 2 "Hello."

SSL V3 Only = The server insists on SSL Version 3 only.

SSL V2 Only = The server insists on SSL Version 2 only. This selection works with most Telnet/SSL clients.

TLS V1 Only = The server insists on TLS Version 1 only. At present, only Microsoft Internet Explorer 5.0 supports this option.

TLS V1 with SSL V2 Hello = The server insists on TLS Version 1 but accepts an initial SSL Version 2 "Hello." At present, only Microsoft Internet Explorer 5.0 supports this option.
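
The fixed cipher preference order and the SSL Version policies described above can be modelled to see what a given client would end up negotiating before you change the check boxes. The Python below is an added example, not Cisco code or part of this manual; the client description (initial Hello version, supported versions, offered cipher suites), the VERSION_POLICY table and the export-browser sample are assumptions derived from the wording of the two lists above.

```python
# Model of the VPN 3002 SSL server's documented negotiation rules (added example,
# not Cisco code). A client is described by the version of its initial Hello,
# the protocol versions it supports and the cipher suites it offers.

VERSION_RANK = {"SSLv2": 2, "SSLv3": 3, "TLSv1": 4}

# Server cipher preference, in the fixed order the page gives (not changeable).
CIPHER_ORDER = ["RC4-128/MD5", "3DES-168/SHA", "DES-56/SHA",
                "RC4-40/MD5 Export", "DES-40/SHA Export"]

# Secret key bits protecting the session; the export suites keep only 40 secret.
SECRET_BITS = {"RC4-128/MD5": 128, "3DES-168/SHA": 168, "DES-56/SHA": 56,
               "RC4-40/MD5 Export": 40, "DES-40/SHA Export": 40}

# SSL Version choice -> (versions a session may run in, Hello versions accepted).
# This table is an assumed reading of the drop-down descriptions on this screen.
VERSION_POLICY = {
    "Negotiate SSL V2/V3":      ({"SSLv2", "SSLv3"}, {"SSLv2", "SSLv3"}),
    "SSL V3 with SSL V2 Hello": ({"SSLv3"},          {"SSLv2", "SSLv3"}),
    "SSL V3 Only":              ({"SSLv3"},          {"SSLv3"}),
    "SSL V2 Only":              ({"SSLv2"},          {"SSLv2"}),
    "TLS V1 Only":              ({"TLSv1"},          {"TLSv1"}),
    "TLS V1 with SSL V2 Hello": ({"TLSv1"},          {"SSLv2", "TLSv1"}),
}


def negotiate(policy, enabled_ciphers, hello_version, client_versions, client_ciphers):
    """Return {'version', 'cipher', 'secret_bits'} or None if the session terminates."""
    if not enabled_ciphers:
        return None  # unchecking every algorithm disables SSL altogether
    session_versions, hello_versions = VERSION_POLICY[policy]
    if hello_version not in hello_versions:
        return None  # the server does not accept this form of initial Hello
    # The server takes the highest version both sides allow (V3 over V2 when negotiating).
    candidates = session_versions & set(client_versions)
    if not candidates:
        return None
    version = max(candidates, key=VERSION_RANK.__getitem__)
    # Cipher choice walks the server's fixed order, not the client's preference.
    for cipher in CIPHER_ORDER:
        if cipher in enabled_ciphers and cipher in client_ciphers:
            return {"version": version, "cipher": cipher,
                    "secret_bits": SECRET_BITS[cipher]}
    return None


def weakest_possible_session(enabled_ciphers):
    """Smallest secret key size any client could end up with under these check boxes."""
    return min(SECRET_BITS[c] for c in enabled_ciphers) if enabled_ciphers else None


if __name__ == "__main__":
    shipped = set(CIPHER_ORDER)          # all five boxes checked, the default
    hardened = {"3DES-168/SHA"}          # only the option the page calls strongest
    # Constructed client: export browser sending a V2 Hello and offering only 40-bit suites.
    export_client = ("SSLv2", {"SSLv2", "SSLv3"},
                     ["RC4-40/MD5 Export", "DES-40/SHA Export"])
    print(negotiate("Negotiate SSL V2/V3", shipped, *export_client))   # 40-bit session
    print(negotiate("Negotiate SSL V2/V3", hardened, *export_client))  # None: terminates
    print(weakest_possible_session(shipped), weakest_possible_session(hardened))
```

With the shipped defaults a client offering only export suites still gets a 40-bit session, because the server accepts any checked suite the client offers; leaving only 3DES-168/SHA checked makes that negotiation terminate instead.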

Generated Certificate Key Size

Click the drop-down menu button and select the size of the RSA key that the VPN 3002 uses in its self-signed (generated) SSL server certificate. A larger key size increases security, but it also increases the processing necessary in all transactions over SSL. The increases vary depending on the type of transaction (encryption or decryption).

Choices are:

512-bit RSA Key = This key size provides sufficient security. It is the most common, and requires the least processing.

768-bit RSA Key = This key size provides normal security and is the default selection. It requires approximately 2 to 4 times more processing than the 512-bit key.

1024-bit RSA Key = This key size provides high security. It requires approximately 4 to 8 times more processing than the 512-bit key.

Apply/Cancel

To apply your SSL settings, and to include your settings in the active configuration, click Apply. The Manager returns to the initial Login screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen.

Configuration | System | Management Protocols | SSH

This screen lets you configure the VPN 3002 SSH (Secure Shell) protocol server. SSH is a secure Telnet-like terminal emulator protocol that you can use to manage the VPN 3002, using the Command Line Interface, over a remote connection.

The SSH server supports SSH1 (protocol version 1.5), which uses two RSA keys for security. All communication over the connection is encrypted. To provide additional security, the remote client authenticates the server and the server authenticates the client.

At the start of an SSH session, the VPN 3002 sends both a host key and a server key to the client, which responds with a session key that it generates and encrypts using the host and server keys. The RSA key of the SSL certificate is used as the host key, which uniquely identifies the VPN 3002. See Configuration | System | Management Protocols | SSL.

Enable SSH

Check the box to enable the SSH server. The box is checked by default. Disabling the SSH server provides additional security by preventing SSH access.

Enable SSH on Public

Check the box to enable SSH on the Public interface.

SSH Port

Enter the port number that the SSH server uses. The default is 22, which is the well-known port.

Maximum Sessions

Enter the maximum number of concurrent SSH sessions allowed. Minimum is 1, default is 4, and maximum is 10.

Key Regeneration Period

Enter the server key regeneration period in minutes. If the server key has been used for an SSH session, the VPN 3002 regenerates the key at the end of this period. Minimum is 0 (which disables key regeneration), default is 60 minutes, and maximum is 10080 minutes (1 week).


Note: Use 0 (disable key regeneration) only for testing, since it lessens security.


Encryption Protocols

Check the boxes for the encryption algorithms that the VPN 3002 SSH server can negotiate with a client and use for session encryption. All algorithms are checked by default. You must check at least one algorithm to enable a secure session. Unchecking all algorithms disables SSH.

3DES-168 = Triple-DES encryption with a 168-bit key. This option is the most secure but requires the greatest processing overhead.

RC4-128 = RC4 encryption with a 128-bit key. This option provides adequate security and performance.

DES-56 = DES encryption with a 56-bit key. This option is least secure but provides the greatest export flexibility.

No Encryption = Connect without encryption. This option provides no security and is for testing purposes only. It is not checked by default.

Enable SCP

Check the Enable SCP check box to enable file transfers using secure copy (SCP) over SSH.

Apply / Cancel

To apply your SSH settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Management Protocols screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen.

Configuration | System | Management Protocols | XML

This screen lets you configure the VPN 3002 to support an XML-based interface. XML management is enabled by default; it allows the VPN 3002 to be managed more easily by a centralized management system. To disable the XML option, clear the check box. To re-enable it, check the box.

On this screen, you can also configure the VPN 3002 to enable HTTPS or SSH (or both) on the public interface and to lock the XML interface to a specific HTTPS or SSH IP address.

Enable

Check the Enable check box, the default, to enable the XML management capability. You must also enable HTTPS or SSH on the VPN 3002 public interface. Disabling the XML management capability is not recommended.

Enable HTTPS on Public

Check the Enable HTTPS on Public check box to allow XML management over HTTPS on the VPN 3002 public interface.

Enable SSH on Public

Check the Enable SSH on Public check box to allow XML management over Secure Shell (SSH) on the VPN 3002 public interface.
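
The limits, defaults and security notes on the HTTP/HTTPS, Telnet, SNMP, SNMP Communities, SSH and XML screens in this section can be gathered into one review of a device's management-protocol settings. The Python below is an added example, not Cisco code: the flat dictionary field names are an assumed representation of the screen fields, and the sample configuration is constructed from the documented defaults where the page states one (the 'on Public' flags and the single community string are assumed).

```python
# Review of a VPN 3002 Management Protocols configuration against the limits and
# recommendations stated on these screens (added example, not Cisco code). The flat
# dictionary layout is an assumption that mirrors the screen field names.

LIMITS = {  # field -> (minimum, maximum) as documented on each screen
    "http_max_sessions": (1, 10), "telnet_max_connections": (1, 10),
    "snmp_max_queued": (1, 200), "ssh_max_sessions": (1, 10),
    "ssh_key_regen_minutes": (0, 10080),
}


def audit(cfg):
    """Return (severity, finding) tuples: 'invalid' = outside a documented limit,
    'warn' = a setting the page says lessens security or recommends against,
    'info' = exposure worth confirming is intended."""
    out = []
    for field, (lo, hi) in LIMITS.items():
        if not lo <= cfg[field] <= hi:
            out.append(("invalid", f"{field}={cfg[field]} outside {lo}..{hi}"))
    if not cfg["http"] and not cfg["https"]:
        out.append(("warn", "HTTP and HTTPS both disabled: Manager usable only via console"))
    if cfg["http"]:
        out.append(("warn", "HTTP enabled; disable once the SSL certificate is in the browser"))
    if cfg["telnet"]:
        out.append(("warn", "Telnet enabled: cleartext CLI; disabling provides additional security"))
    if cfg["snmp"]:
        comms = cfg["snmp_communities"]
        if not comms:
            out.append(("invalid", "SNMP enabled but no community string configured"))
        if len(comms) > 10:
            out.append(("invalid", "more than 10 SNMP community strings"))
        for c in comms:
            if len(c) > 31:
                out.append(("invalid", "community string longer than 31 characters"))
            if c == "public":  # comparison is case-sensitive, as the strings are
                out.append(("warn", "default 'public' community configured; page recommends against it"))
    if cfg["ssh"]:
        if "No Encryption" in cfg["ssh_ciphers"]:
            out.append(("warn", "SSH 'No Encryption' checked: for testing only"))
        if cfg["ssh_key_regen_minutes"] == 0:
            out.append(("warn", "SSH key regeneration disabled (0 minutes): for testing only"))
    if cfg["xml"] and not (cfg["https_on_public"] or cfg["ssh_on_public"]):
        out.append(("warn", "XML enabled but neither HTTPS nor SSH is enabled on Public"))
    for proto in ("https", "ssh"):
        if cfg[f"{proto}_on_public"]:
            out.append(("info", f"{proto.upper()} management reachable on the Public interface"))
    return out


# Constructed sample using the documented defaults where the page states one; the
# two 'on Public' flags and the single community string are assumed values.
SHIPPED_DEFAULTS = {
    "http": True, "https": True, "https_on_public": False, "http_max_sessions": 4,
    "telnet": True, "telnet_ssl": True, "telnet_max_connections": 5,
    "snmp": True, "snmp_port": 161, "snmp_max_queued": 4, "snmp_communities": ["public"],
    "ssh": True, "ssh_on_public": False, "ssh_max_sessions": 4,
    "ssh_key_regen_minutes": 60, "ssh_ciphers": {"3DES-168", "RC4-128", "DES-56"},
    "xml": True,
}

if __name__ == "__main__":
    for severity, finding in audit(SHIPPED_DEFAULTS):
        print(f"[{severity}] {finding}")
```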



Posted: Tue Apr 19 12:55:09 PDT 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.