This publication contains the procedures for configuring the Cisco Content Transformation Engine 1400 Series (CTE).
For information on installing the CTE, refer to the Cisco CTE 1400 Hardware Installation Guide.
Note Throughout this publication, the Cisco CTE 1400 Series is referred to as the CTE.
This publication consists of these sections:
Improper configuration of the CTE can result in a security risk. Before you deploy the CTE, verify that the CTE does not have access to protected intranet sites.
By default, the CTE proxies only the web pages that it has identified (transcoded in Design Studio) to prevent access to protected servers that are on the same subnet as the CTE. If you choose to override that default, do not put the CTE on the same subnet as the protected servers.
Note If you configure the CTE to proxy all web pages, the CTE provides access to computers on the same subnet as the web servers that are configured to work with the CTE. For example, suppose a CTE has an external IP address of 24.221.1.1 and an internal IP address of 192.168.1.31. On the same subnet, you have an intranet server, protected from outside access, with an IP address of 192.168.1.20. It is possible to access all ports on the protected intranet server through the CTE by using the URL http://24.221.1.1/http://192.168.1.20.
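The following is an added example, not Cisco code, that models the policy the note above describes: a request path of the form /http://host/... carries the origin the proxy will fetch, and a literal address inside the CTE's own internal subnet must be refused regardless of whether proxy-all is enabled. The internal subnet and the allowlist of transcoded hosts are constructed values.

```python
"""Reverse-proxy target policy check (added example, not Cisco code).

The CTE encodes the origin it should fetch as the request path:
/http://host[:port]/path.  A CTE set to proxy every URL would therefore
fetch intranet hosts on behalf of outside clients.  The decision function
below refuses any literal address in the internal subnet and, unless
proxy-all is enabled, anything outside the transcoded allowlist.
"""
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed values mirroring the note: the internal NIC sits on 192.168.1.0/24.
CTE_INTERNAL_SUBNET = ip_network("192.168.1.0/24")
# Constructed allowlist: the only origin the transcoding rules identify.
TRANSCODED_HOSTS = {"www.example.com"}


def embedded_target(request_path):
    """Return the origin URL embedded in a proxied request path, or None."""
    path = request_path.lstrip("/")
    if not (path.startswith("http://") or path.startswith("https://")):
        return None
    return urlsplit(path)


def proxy_decision(request_path, proxy_all=False):
    """Return 'allow', 'deny-internal' or 'deny-unlisted' for one request."""
    target = embedded_target(request_path)
    if target is None or not target.hostname:
        return "deny-unlisted"
    host = target.hostname
    # Refuse any literal address in the CTE's own internal subnet, whatever the
    # proxy-all setting: this is the exposure the note describes.
    try:
        if ip_address(host) in CTE_INTERNAL_SUBNET:
            return "deny-internal"
    except ValueError:
        pass  # a hostname rather than a literal address
    if proxy_all or host in TRANSCODED_HOSTS:
        return "allow"
    return "deny-unlisted"
```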
The CTE transforms and delivers back-end website content to a variety of mobile devices, including Wireless Application Protocol (WAP) phones, Personal Digital Assistants (PDAs), and the Cisco IP phone. The CTE is a 1U device that installs into any network infrastructure without requiring changes to the existing hardware or back-end software. The CTE sits in front of content servers and works with other networking products such as server load balancers, cache engines, web servers, firewalls, Virtual Private Network (VPN) solutions, routers, and IEEE 802.11 broadband wireless devices.
Design Studio is a PC-based application that you can use to create transformation rules for a set of content and to upload the rules to a CTE. Services Manager, a centralized configuration management tool, assists in managing the configuration files exchanged between Design Studio and a CTE.
These sections describe the CTE:
Table 1 summarizes the features of the CTE.
1 WML = Wireless Markup Language.
2 RIM = Research in Motion.
3 cHTML = Compact HTML.
4 XSL = Extensible Stylesheet Language.
5 For more information, see the "Security" section.
6 PEM = Privacy Enhanced Mail.
The CTE supports FlexLM licensing.
You can upload a new license through the CTE Administration Interface. For more information, see the "Uploads Screen" section.
Internet, extranet, and intranet sites require different levels of security, all supported by the CTE. As shown in Figure 1, those sites have the following characteristics:
The CTE terminates Secure Sockets Layer (SSL) sessions to provide an endpoint for a secure link. Some PDAs support SSL connections from the device to the CTE. However, WAP phones and the Palm 7 device do not support SSL. WAP phones use Wireless Transport Layer Security (WTLS) and Palm 7 devices use Elliptic Curve Cryptography (ECC). Carrier gateways usually convert WTLS and ECC to SSL; during the conversion, the text is in the clear and is not secure.
When a new device user makes a first request through the CTE, the CTE creates a new session for that user. In previous releases, the CTE did not store any session data. Consequently, the CTE could support 10,000 concurrent user sessions. With the introduction of JavaScript, the CTE must store data for each session. Therefore, the number of active sessions is limited by memory.
The CTE supports two configuration options to control the cache that stores session data: maximum and minimum session timeout thresholds. Both of these settings (Session Timeout and Minimum Session Timeout) can be set through the Advanced > General screen in the CTE Administration screens. For more information, see the "General Screen" section.
When the maximum session timeout is set and a session has not been active for the specified time period, the CTE terminates the session and clears the data from the cache. Any session that has been inactive longer than the maximum session timeout can be removed. Data from a terminated session, which includes authentication information and other sensitive data, is physically removed from memory, preventing unauthorized access.
The minimum session timeout determines the minimum time between two requests that a session is guaranteed to be active. For example, if the minimum session timeout is set for 5 minutes, and a user requests information through the CTE every 4 minutes and 59 seconds, that session will remain active indefinitely. If the user waits more than 5 minutes between requests, the session becomes unprotected and can be replaced by a new session.
If the minimum session timeout is not set, the CTE can support 10,000 sessions. However, not setting a minimum session timeout creates an environment in which each request initiates a new session and there is no guaranteed stability for any session during busy periods.
The only way to increase the number of active sessions is to increase memory (RAM and/or disk) or to lower the amount of memory allocated to each user. If the memory is lowered, however, performance can suffer because the CTE must retrieve and process the data again.
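The following is an added example, not CTE code, that models the two thresholds described above: a session idle longer than the maximum timeout is terminated and its data wiped, a session whose last request falls within the minimum timeout is guaranteed to survive, and only sessions outside that window may be replaced when the cache is full. The capacity and timestamps are constructed values.

```python
"""Session cache with maximum and minimum session timeouts (added example,
not CTE code).  Times are plain numbers of seconds so the behaviour can be
stepped through deterministically.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    last_request: float
    data: dict = field(default_factory=dict)  # per-session state (auth, etc.)


class SessionCache:
    def __init__(self, capacity, max_timeout, min_timeout=None):
        self.capacity = capacity          # constructed limit standing in for memory
        self.max_timeout = max_timeout    # Session Timeout
        self.min_timeout = min_timeout    # Minimum Session Timeout (None = unset)
        self.sessions = {}

    def expire(self, now):
        """Maximum timeout: terminate sessions idle longer than max_timeout."""
        for user, s in list(self.sessions.items()):
            if now - s.last_request > self.max_timeout:
                s.data.clear()            # sensitive session data is discarded
                del self.sessions[user]

    def protected(self, s, now):
        """Minimum timeout: a session is guaranteed while inside the window."""
        return self.min_timeout is not None and now - s.last_request <= self.min_timeout

    def request(self, user, now):
        """Return the session serving this request, or None if none can be allocated."""
        self.expire(now)
        s = self.sessions.get(user)
        if s is not None:
            s.last_request = now          # activity keeps the session alive
            return s
        if len(self.sessions) >= self.capacity:
            # Replace the least recently used unprotected session, if there is one.
            victims = [v for v in self.sessions.values() if not self.protected(v, now)]
            if not victims:
                return None               # every session is inside its guaranteed window
            victim = min(victims, key=lambda v: v.last_request)
            victim.data.clear()
            del self.sessions[victim.user]
        s = Session(user, now)
        self.sessions[user] = s
        return s
```

With no minimum timeout every session is a replacement candidate, which is the "each request initiates a new session" behaviour the text warns about during busy periods.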
Another variable that can affect CTE performance is the number of simultaneous connections. A connection is used for each request. A session can use several simultaneous connections. For example, when a user requests a web page and that page contains images, frames, and other elements, the user's browser makes one request for each element. If a page has ten elements, the initial request makes one connection to retrieve the main page and the browser makes ten connections to retrieve the ten elements.
The CTE uses rules supplied by Design Studio to fulfill requests for wireless content. A CTE is typically installed behind a server load balancer. When a wireless device requests a web page, the CTE accepts the request from the wireless device and requests the content from the back-end servers. Functioning as a reverse-proxy, the CTE acts like a web server to the client device and acts like a client device to the web servers.
Figure 2 shows the path that a wireless user request for a web page takes when the CTE is connected to a server load balancer. This configuration is recommended for sites where most of the network traffic intercepted by the CTE uses content supplied by the servers directly connected to the server load balancer.
Note The numbers in Figure 2 refer to the following process.
The path the wireless user request takes is as follows:
1. A wireless user requests a URL. A wireless carrier transmits the request to a communications tower, through the WAP carrier gateway, and to the Internet.
2. The server load balancer that receives the request evaluates the request header. The server load balancer directs HTML/XML requests to the web server farm and directs requests from wireless devices to the CTE.
3. The CTE terminates the request and then, acting as a proxy, sends a request to the server load balancer for the HTML/XML page.
4. When the CTE receives the page, it uses the rules in the configuration file to transform the content.
5. The CTE sends the transformed page to the server load balancer for forwarding to the wireless device.
A variation of the preceding configuration is to direct requests from the CTE through a router that sits in front of the server load balancer, as shown in Figure 3. This configuration is recommended for sites where most of the network traffic intercepted by the CTE uses content supplied by servers at other locations. For example, a results page served by a search engine portal contains links to content that resides outside of the domain of the search site.
You can connect a CTE to a web server that routes traffic to the CTE or to web servers based on browser detection, as shown in Figure 4.
You can also connect a CTE directly to a web server, as shown in Figure 5. In this case, all web traffic goes through the CTE, which passes HTML/XML requests to the web server and handles requests from wireless devices. This configuration is recommended when you designate specific IP addresses for wireless traffic.
Figure 6 and the following procedure describe how URL requests from a wireless device are handled by the CTE and connected devices.
Note The numbers in Figure 6 refer to the steps in the following procedure.
When a wireless device sends a URL to a web server, the traffic flow is as follows:
Step 2 The server load balancer that receives the request looks at the header.
Step 3 The server load balancer directs HTML/XML requests to the web server farm.
Step 4 The server load balancer directs requests from wireless devices to the CTE.
Step 5 The CTE, acting as a proxy, sends a new request to the server load balancer for the HTML/XML content. The server load balancer obtains the content from a web server and sends it to the CTE.
Step 6 The CTE uses the rules created by Design Studio to transform the content and then sends the transformed content to the server load balancer. The server load balancer forwards the content to the wireless device.
As shown in Figure 7, you can also route requests based on a URL so that requests from designated URLs (such as mobile.site.com) are passed directly to the CTE.
Input encoding, the character encoding in which content arriving at the CTE is written, is configurable through the Administration Interface. By default, input encoding is set to Western European (ISO-8859-1, Latin-1, ASCII). Only one input encoding format can be active at a time. Other input encoding schemes are listed in Table 10.
Output encoding, the character encoding in which content sent from the CTE is written, is specified in the DDF file of each device driver. Each device driver also has a hard-coded default output encoding that is used if its DDF file contains an error. Formats supported for output encoding are listed in Table 2.
Table 2 Output Encoding Formats
The configuration instructions in this publication assume the following setup:
The "Operation Modes" section covers typical network configurations for the CTE. Use Table 3 as a guide to determine the best location for a CTE, based on network topology and website characteristics.
Table 3 CTE Network Location Guidelines
The general process for configuring a CTE and connected devices is as follows:
1. Draw a diagram of the data flow for the CTE, including all IP addresses and VLAN numbers.
2. Physically connect the CTE to the network.
Depending on your network topology, you may need to use one or both of the CTE ports (NICs).
3. Verify that the server load balancer can ping the CTE.
4. If configuring multiple CTEs, associate the various CTE network connections with a CTE server farm.
5. Configure the server load balancer so that the CTE can access web content on the web servers.
6. Configure the server load balancer so that the CTE is accessible by clients requesting web content.
7. Verify that the data flow of the CTE is as planned.
8. If a client does not require in-line data transformation by the CTE, direct its traffic to the web servers if possible.
These sections describe how to configure the CTE and connected devices:
Note Before you deploy the CTE, verify that port 9001 is not accessible from outside of your firewall. The CTE communicates with Design Studio through port 9001 using clear-text transmissions. Only ports 80 and 443 should be visible from outside of your firewall. Most firewalls allow administrators to deny external IP addresses access to specific ports that are set up internally. See your firewall administrator guide for information on setting up rules to block specific ports.
To connect the CTE to a network, you need two network cables. Only one cable may be necessary if you connect the CTE directly to one web server. Before configuring the CTE and connected devices, plan the network information that you want to use for the following, as appropriate:
Note The CTE does not work with Dynamic Host Configuration Protocol (DHCP). You must use static IP addresses for the CTE.
The CTE console provides initial access to the CTE, letting you set up the CTE for use. From the console, you can configure network parameters, configure SNMP, set the gateways, manage users, and restart or shut down the CTE.
If you completed the installation procedures described in the Cisco CTE 1400 Hardware Installation Guide, you already have a CTE console open on a computer that has a serial connection to the CTE. If the CTE console has been closed, reopen the connection to the CTE console as follows.
To open a CTE console, perform these steps:
Step 2 Log on to the CTE console as root. You will be prompted to choose a password.
Step 3 Enter a new root password. You will be prompted to reenter the password for verification.
Step 4 The CTE prompts you for the following:
Step 5 Enter the IP address and netmask of the eth0 port and the IP address of the default gateway.
Step 6 The CTE will ask you to commit the changes. Type yes to commit them, and the Main menu of the CTE console appears. If you do not want to commit the changes, type no, and then type 0 (Express Setup) to reenter the settings.
Step 7 If the CTE console does not open, check the following:
You can connect a CTE directly to a web server if your site has only one web server and you want all traffic destined for the web server to pass through the CTE. The CTE determines how to handle requests for web content based on the request header, which indicates the type of device making the request. The CTE intercepts requests from supported mobile devices and passes through other requests.
Connecting a CTE directly to a web server does not require any changes to the web server configuration.
The following sections describe how to connect a CTE to a web server and configure the CTE to work with the web server:
Connecting a CTE to a web server requires either one or two network cables as follows:
Figure 8 shows how to connect a CTE to a web server.
Note The IP addresses used throughout this publication are example addresses, not actual ones.
Use the CTE console and the CTE Administration menus to display and configure parameters for the CTE.
When the CTE console first appears, the console displays the Main menu:
To display current network parameters, perform these steps:
Step 2 Type 6 (Display Configuration), and the console displays all set parameters:
To configure network parameters, perform these steps:
Step 2 From the Network Settings menu, type 0 (Configure Interface 0) and press Enter. The following menu appears:
Step 3 Type 0 to set the IP address for Interface 0, and enter the address at the following prompt:
Press Enter to retain the same value, type 0 to clear the value, or enter a new IP address and press Enter.
Step 4 Type 1 to set the netmask for Interface 0, and enter the netmask at the following prompt:
Press Enter to retain the same value, type 0 to clear the value, or enter a new netmask and press Enter.
Step 5 Type 2 to set duplex mode, and the following menu appears:
Type 0, 1, or 2 depending on the transmission mode you want to specify.
Step 6 Type 3 to set the MTU (maximum transmission unit), and enter a value at the following prompt, or press Enter to retain the default value of 1500.
Step 7 To display the current settings for both Interfaces 0 and 1, type 4, and the console displays the following:
Step 8 To return to the Network Settings menu, type 5.
Note When changes are pending, the Network Settings menu contains two additional options: [7] Commit Changes and [8] Cancel Changes. These options are only present on the menu when changes are pending but not yet saved.
Step 9 After you have made any changes, you will need to commit them. To commit your changes, type 7 (Commit Changes) on the Network Settings menu. You can also choose to cancel any changes by typing 8 (Cancel Changes).
Step 10 To configure Interface 1 from the Network Settings menu, type 1 (Configure Interface 1) and press Enter. Perform steps 2 through 9 as described for Interface 0.
Step 11 From the Network Settings menu, type 2 (Set DNS) and press Enter.
Step 12 Answer the prompts as follows:
Step 13 Type 3 (Set Gateway) and press Enter to define the IP address of the default gateway address.
Step 14 Type 4 (Set Gateway Device) and press Enter to define the default gateway device.
This display (from the configuration shown in Figure 8) shows different subnets and contains the following network parameters:
Step 15 To commit your changes, type 7 (Commit Changes) on the Network Settings menu. You can also choose to cancel any changes by typing 8 (Cancel Changes).
Step 16 After your changes are saved, type 7 to return to the Main menu.
To continue configuring the CTE, perform these steps:
https://<IP-address>:<administration-port>
Step 2 Click Yes if a Security Information dialog box appears.
Step 3 Log in as root, and enter your root password.
Note You can create additional administrative usernames and passwords from the CTE console. For more information, see the description of [2] Manage Administrative Users in Table 4.
Step 4 On the Interfaces screen of the Network tab, define the Masquerade Hosts for Interface 0 and Interface 1. The masquerade host is an IP address that can be used for Network Address Translation (NAT).
NAT makes all requests appear to originate from the same client, so that the CTE sends its response to the request back on the correct network connection. If the NAT IP address is not defined, the CTE sends responses out through the NIC where the gateway is identified.
Step 5 On the General screen of the Advanced tab, define a default URL that the CTE will request if you attempt to access the CTE directly (for example, http://cte_name). Defining this field allows administrators to configure a default web page to proxy.
Step 6 Click the Submit button at the bottom of the window to save your changes.
To configure additional CTEs, repeat the above procedure for each CTE.
You can connect a CTE to a server load balancer such as the Cisco Content Services Switch (CSS) 11000 or the Catalyst 6000 family Content Switching Module (CSM). Characteristics of this configuration include the following:
If multiple CTEs are in use, each CTE has a different masquerade host IP address. In addition, the CTE modifies all URLs embedded within a page to include the masquerade host IP address. This use of the masquerade host IP address ensures that the redirected client returns to the CTE it first encountered, providing session stickiness. The association between a particular request and the CTE is broken only when the client makes a new connection on port 80.
The CTE farm and the web server farm are directly accessible through load-balanced virtual IP (VIP) addresses. This configuration enables you to direct traffic that originates from a wireless device to the CTE farm VIP address.
The procedures in this section are specific to the CSS, although the CSM setup is similar. Figure 9 shows a CSM setup in which CTE requests go to the server load balancer, rather than the router.
This section uses the example configuration shown in Figure 10.
The following sections describe how to configure a CTE with a server load balancer:
To establish the physical connection, do the following:
Use the CTE console and the CTE Administration tools to display and configure parameters for the CTE.
When the CTE console first appears, the console displays the Main menu:
To display current network parameters, perform these steps:
Step 2 Type 6 (Display Configuration), and the console displays all set parameters:
To configure network parameters, perform these steps:
Step 2 From the Network Settings menu, type 0 (Configure Interface 0) and press Enter. The following menu appears:
Step 3 Type 0 to set the IP address for Interface 0, and enter the address at the following prompt:
Press Enter to retain the same value, type 0 to clear the value, or enter a new IP address and press Enter.
Step 4 Type 1 to set the netmask for Interface 0, and enter the netmask at the following prompt:
Press Enter to retain the same value, type 0 to clear the value, or enter a new netmask and press Enter.
Step 5 Type 2 to set duplex mode, and the following menu appears:
Type 0, 1, or 2 depending on the transmission mode that you want to specify.
Step 6 Type 3 to set the MTU (maximum transmission unit), and enter a value at the following prompt, or press Enter to retain the default value of 1500.
Step 7 To display the current settings for both Interfaces 0 and 1, type 4, and the console displays the following:
Step 8 To return to the Network Settings menu, type 5.
Note When changes are pending, the Network Settings menu contains two additional options: [7] Commit Changes and [8] Cancel Changes. These options are only present on the menu when changes are pending but not yet saved.
Step 9 After you have made any changes, you will need to commit them. To commit your changes, type 7 (Commit Changes) on the Network Settings menu. You can also choose to cancel any changes by typing 8 (Cancel Changes).
Step 10 To configure Interface 1 from the Network Settings menu, type 1 (Configure Interface 1) and press Enter. Perform Steps 2 through 9 as described for Interface 0.
Step 11 From the Network Settings menu, type 2 (Set DNS) and press Enter.
Step 12 Answer the prompts as follows:
Step 13 Type 3 (Set Gateway) and press Enter to define the IP address of the default gateway address.
Step 14 Type 4 (Set Gateway Device) and press Enter to define the default gateway device.
For Figure 10, the network parameters for CTE are as follows:
Step 15 To commit your changes, type 7 (Commit Changes) on the Network Settings menu. You can also choose to cancel any changes by typing 8 (Cancel Changes).
Step 16 After your changes are saved, type 7 to return to the Main menu.
To continue configuring the CTE, go to the CTE Administration Interface, and perform these steps:
Step 2 From any browser, enter the following URL:
https://<IP-address>:<administration-port>
Step 3 Click Yes if a Security Information dialog box appears.
Step 4 Log in as root, and enter your root password.
Note You can create additional administrative usernames and passwords from the CTE console. For more information, see the description of [2] Manage Administrative Users in Table 4.
Step 5 On the Interfaces screen of the Network tab, define the Masquerade Hosts for Interface 0 and Interface 1. The masquerade host is an IP address that can be used for NAT.
NAT makes all requests appear to originate from the same client, so that the CTE sends its response to the request back on the correct network connection. If the NAT IP address is not defined, the CTE sends responses out through the NIC where the gateway is identified.
Step 6 On the General screen of the Advanced tab, define a default URL that the CTE will request if you attempt to access the CTE directly (for example, http://cte_name). Defining this field allows administrators to configure a default web page to proxy.
Step 7 Click the Submit button at the bottom of the window to save your changes.
To configure additional CTEs, repeat the above procedure for each CTE.
The basic process for configuring a server load balancer, such as the CSS, is as follows:
1. Establish a console port connection to the server load balancer.
2. Define the interfaces to the VLANs.
4. Define services, owners, and content rules.
5. Check network connectivity.
This section describes the general steps for configuring the CSS, based on the example configuration shown in Figure 10. For the CLI commands needed to complete this configuration, see the "Configuration Example" section.
To configure a server load balancer for operation with a CTE, perform these steps:
Step 2 Create links between the CTE ports and the server load balancer by adding the client-side and server-side VLANs and defining the interfaces to the VLANs.
In the example configuration in Figure 10, the e1 and e2 ports are the interfaces for VLAN2; e3 and e4 are the interfaces for VLAN3.
Step 3 Specify the IP addresses for the VLAN circuits.
In the sample configuration, the IP address for the VLAN2 circuit is 192.168.2.254. The IP address for the VLAN3 circuit is 192.168.3.254.
Step 4 Create services to identify the two CTEs.
In the sample configuration, the IP address for the CTE1 service is 192.168.2.1 and the IP address for the CTE2 service is 192.168.2.2.
Step 5 Create an owner so that you can define content rules for the CTE1 and CTE2 services.
Step 6 Create a Layer 3 content rule for the services.
In the sample configuration, the content rule is configured with the virtual IP address 192.168.3.252 and is added to the CTE1 and CTE2 services.
Step 7 Check network connectivity.
The CTE Console menu and Administration Interface allow you to set up and administer your CTE. This section describes both tools:
The CTE Console menu lets you set up the CTE initially. From this menu, you can perform the tasks described in Table 4.
The CTE Administration Interface lets you monitor and maintain the activity on your CTE from any browser on the Internet. Through this interface, you can specify or display information in the following four categories:
To access the CTE Administration Interface, perform these steps:
Step 2 From any browser, enter the URL:
https://<IP-address>:<administration-port>
Step 3 Click Yes on the Security Information dialog box.
The CTE Administration Interface login dialog, shown in Figure 11, appears.
Step 4 Log in as root, and enter your root password.
Note You can create additional administrative usernames and passwords from the CTE console. For more information, see the description of [2] Manage Administrative Users in Table 4.
The initial CTE Administration screen appears. These screens are described in the following sections.
The first tab on the Administration screen, Network, is divided into the following screens:
When you first open the CTE Administration screen, it appears as shown in Figure 12.
The CTE Administration screen has four tabs across the top representing the four areas of information that you can display and define. When the initial screen appears, the Network tab is displayed. There are five different Network administration screens, which are listed in the left column. The Interfaces screen is in view initially. To move between screens, click a screen name in the left column and the screen display will change to reflect your choice.
To save changes you make on any of the Administration screens, click the Submit button at the bottom of each screen.
From the Interfaces screen, you can view and set the values shown in Table 5.
Table 5 Interfaces Screen Settings
Click the Submit button to save your changes.
When you choose Ports in the left column of the Network screen, the information shown in Figure 13 appears:
Values for many of these items are already defined and displayed on the screen. You can change them to reflect changes in your configuration.
From the Ports screen, you can view and set values for each item on the screen, as shown in Table 6.
Click the Submit button to save your changes.
When you choose DNS in the left column of the Network screen, the information shown in Figure 14 appears.
From the DNS screen, you can view and set values for each item on the screen, as shown in Table 7.
Click the Submit button to save your changes.
When you choose Routes in the left column of the Network screen, the information shown in Figure 15 appears.
From the Routes screen, you can view and set values for each item on the screen, as shown in Table 8.
Table 8 Routes Screen Settings
When you have defined the route, click the Add Static Route button to save your changes.
When you choose Proxy in the left column of the Network screen, the information shown in Figure 16 appears.
From the Proxy screen, you can view and set values for each item on the screen, as shown in Table 9.
Click the Submit button to save your changes.
The second tab on the Administration screen, Advanced, is divided into the following screens:
When you choose General in the left column of the Advanced screen, the information shown in Figure 17 appears.
From the General screen, you can view and set values for each item on the screen, as shown in Table 10.
Table 10 General Screen Settings
Click the Submit button to save your changes.
When you choose IP Phone in the left column of the Advanced screen, the information shown in Figure 18 appears.
From the IP Phone screen, you can define a default IP phone username and password, as shown in Table 11.
Table 11 IP Phone Screen Settings
Click the Submit button to save your changes.
The third tab on the Administration screen, Logging, is divided into the following screens:
The logging features allow you to enable or disable the logging of system performance information and view the information collected during the logging. By reviewing the information provided, you can track unusual changes that can affect the stability and performance of the CTE.
The Configure screen lets you define SNMP settings and enable all logging methods.
When you choose Configure in the left column of the Logging screen, the information shown in Figure 19 appears.
From the Configure screen, you can view and set values for each item on the screen, as shown in Table 12.
Table 12 Configure Screen Settings
Click the Submit button to save your changes.
Note Before you can view the System Log, make sure that you have enabled the logging of system messages on the Configure screen of the Logging tab.
When you choose System Log in the left column of the Advanced screen, you can view a log of system messages, as shown in Figure 20.
Note Before you can view health data, make sure that you have enabled the Health Log setting on the Configure screen of the Logging tab.
When you choose Health Log in the left column of the Advanced screen, the administration interface displays two types of information:
The fields in this portion of the screen display the number of requests received from each listed device.
The fields in this portion of the screen display:
Note Before you can view the SNMP Log, make sure that you have enabled the logging of SNMP messages on the Configure screen of the Logging tab.
When you choose SNMP in the left column of the Advanced screen, you can view a log of SNMP messages.
The fourth tab on the Administration screen, Administration, is divided into the following screens:
When you choose Users in the left column of the Administration screen, the information shown in Figure 23 appears.
From the Users screen, you can create new Design Studio users, delete users, and change user passwords. The fields for Username and Password are shown in Table 13.
Table 13 Users Screen Settings
Use the buttons on the Users screen as follows:
When you choose Uploads in the left column of the Administration screen, the information shown in Figure 24 appears.
From the Uploads screen, you can view and set values for each item on the screen, as shown in Table 14.
Table 14 Uploads Screen Settings
Click the Submit button to save your changes.
This section contains the CTE console/administration and CLI commands needed to configure two CTEs with a Cisco CSS 11000, as shown in Figure 25.
To configure network parameters for CTE1, perform these steps from the CTE console and CTE Administration Interface:
To configure network parameters for additional CTEs, perform the same steps as you did for CTE1, specifying the following unique information for each CTE:
To configure the server load balancer, perform these steps from a computer that is connected to the console port of the server load balancer and logged into the CSS:
Note The following steps are representative of what is required to configure a server load balancer. The specific commands that you need to use are based on your network topology.
Upon startup, Design Studio prompts for a username, password, CTE IP address, and server upload port. The username and password are created through the CTE Administration screens.
To create a login for a Design Studio user, perform these steps:
Step 2 Click Users in the left column.
Step 3 In the Username field, type a username of at least six characters.
Step 4 In the Password field, type a password of at least eight characters.
Step 5 Click the Add User button.
Always use the CTE console to shut down the CTE. Never shut down the CTE by powering off the CTE.
To shut down the CTE server software, perform these steps:
Step 2 Type 1 or S and press Enter.
To restart the CTE server software, perform these steps:
Step 2 Type 0 or R and press Enter.
The CTE Design Studio accepts by default a Privacy Enhanced Mail (PEM) format certificate file for upload to the CTE. PEM is a text format that is the Base 64 encoding of the Distinguished Encoding Rules (DER) binary format. The PEM format specifies the use of text BEGIN and END lines that indicate the type of content that is being encoded.
The certificate must have the following characteristics:
If the private key is encrypted, you must use the CTE console to start the CTE each time the appliance powers up.
This section describes how to perform the tasks associated with uploading a secure certificate:
To generate a certificate signing request (CSR), perform these steps:
Step 2 Follow the instructions to create your request, naming the CSR file and specifying where it will reside.
The program will create two files:
Step 3 Submit your CSR to the Certificate Authority (CA), as instructed by the CertMaker program.
The CA will return a Signed Certificate to you by e-mail within several days.
To unencrypt the private key, perform these steps:
If you enter this command without arguments, you will be prompted as follows:
Step 2 Enter the name of the password to be encrypted.
You can enter the openssl rsa command with arguments if you know the name of the private key and the unencrypted PEM file.
In the following example, if the private key filename is cte_keytag_key.pvk, and the unencrypted filename is keyout.pem, you would enter the openssl rsa -in cte_keytag_key.pvk -out keyout.pem command.
For more information, refer to the following URL:
http://www.openssl.org/docs/apps/rsa.html#EXAMPLES
For information on downloading OpenSSL for Windows, refer to the following URL:
http://sourceforge.net/project/showfiles.php?group_id=23617&release_id=48801
When you have received the Signed Certificate from the CA, before you can upload it to the CTE, you must combine it with the Private Key. To do this, perform these steps:
Step 2 Save and name the PEM file. For example, you can name the file CTE.pem.
Step 3 In the CTE Administration interface, go to the Network tab, and from the Interfaces screen, set the value for Interface 0 Masq Host to the DNS name for which the certificate was registered.
Step 4 In the CTE Administration interface, go to the Administration tab, click the Uploads screen, and choose Upload Certificate.
Step 5 Browse to the certificate file and select it.
Step 6 Click the Submit button.
Caution Any certificate that has more than one level must include all intermediate certificates, or the system may become unusable.
To see if your certificate has more than one level, and if it does, to handle the intermediate certificates properly, perform these steps:
Step 2 Open Internet Explorer, and access a page through the CTE. For example, enter a URL similar to the following:
https://<IP_address>:<http_port>//www.google.com
Step 3 Double-click the Lock symbol in the bottom right corner of the browser.
Step 4 Switch to the Certificate Path window pane at the top of the screen.
Step 5 Double-click the first path level to bring up the Certificate information for the first level and go to the Details screen.
Step 6 Click the Copy to File button at the bottom. A Certificate Export Wizard appears. Click Next.
Step 7 Make sure that the format selected is: "DER encoding binary X.509(.CER)"
Step 8 Click Next.
Step 9 Enter a filename. For example, you can enter G:\tmp\root.cer.
Step 10 Review the information and note the complete filename. Click Finish.
Step 11 Click OK to close the Certificate information window for the first level.
Step 12 Repeat Steps 5-11 for all levels except the last level.
Step 13 Insert all certificates into one file, and make sure that any intermediate certificates are part of any certificate file you upload.
The format of the uploaded file should be the following:
private key
Server Certificate
Intermediate Certificate 0
Intermediate Certificate 1
Intermediate Certificate 2
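The following checker, added here as an example and not part of the CTE software, verifies that a combined file has the PEM structure described above (BEGIN/END labels that match, a Base64 body that decodes to DER), that the private key comes first and is not encrypted (an encrypted key forces a console start on every power-up), and that only certificate blocks follow it. The sample blocks it builds are constructed placeholders, not real keys or certificates; it checks layout, not cryptographic validity.

```python
"""Check that a combined PEM file has the layout the CTE upload expects:
private key first, then the server certificate, then any intermediates.
Added example, not CTE code; checks PEM layout and encoding only."""
import base64
import re

# One PEM block: BEGIN line, optional "Key: value" headers, Base64 body, matching END line.
_BLOCK = re.compile(r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P<end>[A-Z ]+)-----", re.S)

def parse_pem(text):
    """Return [(label, headers, der_bytes), ...]; raise ValueError on a malformed block."""
    blocks = []
    for m in _BLOCK.finditer(text):
        if m.group("label") != m.group("end"):
            raise ValueError("BEGIN/END label mismatch: %s / %s" % (m.group("label"), m.group("end")))
        headers, b64 = {}, []
        for line in m.group("body").splitlines():
            if ":" in line and not b64:  # legacy encrypted keys carry Proc-Type/DEK-Info headers
                key, value = line.split(":", 1)
                headers[key.strip()] = value.strip()
            elif line.strip():
                b64.append(line.strip())
        try:
            der = base64.b64decode("".join(b64), validate=True)  # binascii.Error is a ValueError
        except ValueError as exc:
            raise ValueError("%s block is not valid Base64: %s" % (m.group("label"), exc))
        blocks.append((m.group("label"), headers, der))
    return blocks

def check_cte_bundle(text):
    """Return a list of problems; an empty list means the layout matches the guide."""
    try:
        blocks = parse_pem(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not blocks or not blocks[0][0].endswith("PRIVATE KEY"):
        problems.append("first block must be the private key")
    elif blocks[0][0].startswith("ENCRYPTED") or "ENCRYPTED" in blocks[0][1].get("Proc-Type", ""):
        problems.append("private key is encrypted; the CTE must then be started from the console")
    certs = [b for b in blocks[1:] if b[0] == "CERTIFICATE"]
    if blocks and len(certs) != len(blocks) - 1:
        problems.append("only CERTIFICATE blocks may follow the private key")
    if not certs:
        problems.append("server certificate is missing")
    return problems

def _pem(label, payload, headers=()):
    """Build a constructed PEM block from placeholder bytes (not a real key or certificate)."""
    body = base64.b64encode(payload).decode()
    lines = ["-----BEGIN %s-----" % label, *headers] + ([""] if headers else [])
    lines += [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join(lines + ["-----END %s-----" % label]) + "\n"

# Constructed bundles in the guide's order: private key, server certificate, intermediate 0.
GOOD_BUNDLE = (_pem("RSA PRIVATE KEY", b"placeholder key") + _pem("CERTIFICATE", b"placeholder server cert")
               + _pem("CERTIFICATE", b"placeholder intermediate 0"))
ENCRYPTED_BUNDLE = (_pem("RSA PRIVATE KEY", b"placeholder key", ("Proc-Type: 4,ENCRYPTED", "DEK-Info: DES-EDE3-CBC,00"))
                    + _pem("CERTIFICATE", b"placeholder server cert"))
```

Run check_cte_bundle on the file you intend to upload; any non-empty result should be fixed before the upload, since a missing intermediate can leave the system unusable.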
The CTE and Design Studio each have proxy settings that you will want to set if your network does not allow your computer access to HTTP or HTTPS traffic.
You will need to set up proxy settings in the following circumstances:
When setting up communication with another host or network, you will sometimes need to create a static route from the CTE to the new destination. Static routes are set up on the CTE port not being used by the default gateway. To create a static route, use the Set Routes option on the CTE console.
To create a static route, perform these steps:
Step 2 Enter the IP address of the destination LAN.
Step 3 Enter the subnet mask for the gateway device. The default is 255.255.255.0.
Step 4 Enter the IP address for the default gateway.
Step 5 Enter the gateway device when prompted: eth0 or eth1 (eth0 is the default).
Step 6 Click the Add Static Route button.
Step 7 From the CTE console, select [1] Configure Network Interfaces.
Step 8 Select [5] Ping.
Step 9 Enter the host IP address for the device you want to ping, and press Enter.
If you are successfully communicating with the other machine, messages will appear saying that the same number of packets were transmitted and received, and zero packets were lost. If you are not communicating with the other machine, these status messages will indicate that zero packets were received and all the packets were lost.
If you are not communicating with the other machine, return to step 1 and create the static route again.
If you are communicating with the other machine, the route was created successfully.
When the CTE receives a request for an IP address to which it currently has no path, a static route provides the path to that destination.
Suppose that the IP address of the eth0 port on your CTE is 10.0.16.20 and there has been a request to access information at 129.6.0.20 to which you currently have no path. You can create a static route through the Ethernet port that is not set as your CTE's default gateway and out to the requested network address, as shown in Figure 26.
In Figure 26, you can see the following connections:
To set up this static route you need to establish the path between the eth1 port and IP address 129.6.0.20.
To set up the static route, perform these steps:
Step 2 Define the IP address of the destination LAN as 129.6.0.0.
Step 3 Define the subnet mask for the gateway device as the default value, 255.255.255.0.
Step 4 Define the IP address of the default gateway as 192.168.0.1.
Step 5 Define the gateway device as eth1.
Step 6 Click the Add Static Route button.
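To show why the entry above sends 129.6.0.20 out eth1 while everything else still leaves through the default gateway, here is an added example (not CTE software) that validates a Set Routes entry the way the guide describes, rejecting a route placed on the default-gateway port or a gateway that is not on the chosen port's subnet, and then resolves destinations by longest-prefix match. The eth0 address 10.0.16.20 and the route values are from the guide; the eth1 address 192.168.0.2/24 and the eth0 default gateway 10.0.16.1 are assumed placeholders.

```python
"""Validate a CTE static route and resolve which port and gateway a destination uses.
Added example, not CTE code. eth1's address and the eth0 default gateway are assumed."""
import ipaddress

# eth0 is from the guide's example; eth1 is an assumed placeholder address.
INTERFACES = {
    "eth0": ipaddress.ip_interface("10.0.16.20/24"),
    "eth1": ipaddress.ip_interface("192.168.0.2/24"),
}
DEFAULT_GATEWAY = ("eth0", ipaddress.ip_address("10.0.16.1"))  # assumed default gateway

def static_route(destination, mask, gateway, device):
    """Return (network, gateway, device) or raise ValueError for an entry the guide would reject."""
    net = ipaddress.ip_network("%s/%s" % (destination, mask), strict=True)
    gw = ipaddress.ip_address(gateway)
    if device == DEFAULT_GATEWAY[0]:
        raise ValueError("static routes go on the port not used by the default gateway")
    if gw not in INTERFACES[device].network:
        raise ValueError("gateway %s is not on the %s subnet %s" % (gw, device, INTERFACES[device].network))
    return (net, gw, device)

def resolve(host, routes):
    """Longest-prefix match over the static routes, falling back to the default gateway."""
    addr = ipaddress.ip_address(host)
    best = None
    for net, gw, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is not None:
        return (best[2], str(best[1]))
    return (DEFAULT_GATEWAY[0], str(DEFAULT_GATEWAY[1]))

# The route from the guide: destination LAN 129.6.0.0, mask 255.255.255.0, gateway 192.168.0.1, eth1.
ROUTES = [static_route("129.6.0.0", "255.255.255.0", "192.168.0.1", "eth1")]
```

After adding the route on the console, the Ping step in the procedure above is the live confirmation of what resolve() predicts.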
If the CTE device fails, follow the instructions in the CTE Hardware Installation Guide for diagnosing and recovering from a hardware failure. Once the hardware is operational, reinstall the CTE from the CD provided with the device.
To reinstall the CTE, perform these steps:
Step 2 When the installation completes, power off the CTE.
Step 3 Power on the CTE. As the device starts, eject the CD.
The CTE console menu displays a message informing you whether the installation was successful.
The following information explains how to deal with problems you might encounter when setting up and using the CTE.
Verify that the following are correctly set up:
Verify that the following are correctly set up:
If you are sure that the rules are correctly created and applied in Design Studio and that they have been uploaded to the CTE, verify the CTE configuration as follows:
The reboot function on the CTE is disabled. You must use the CTE console to start and stop the device.
By default, the CTE redirects traffic from HTTP to HTTPS. European-made phones do not support those secure redirects, so if you are using this type of phone you must disable secure redirects for the CTE. To do that, go to the CTE Administration interface, and under the General screen on the Advanced tab, set the Security field to No HTTPS, and click the Submit button to commit the change. (Be aware that no HTTPS sites can be proxied when you set this field to No HTTPS.)
If intermediate (multi-level) certificates are part of your secure certificate upload, you need to make sure that the intermediate certificates are part of the certificate file that you are uploading. Any certificate that has more than one level must include all intermediate certificates, or the system may become unusable. For information about how to add intermediate certificates to the uploaded certificate file, see the "Uploading a Secure Certificate to the CTE" section.
Because SSLv2 does not support certificate chaining, a multi-level certificate cannot be used to support SSLv2 sessions.
For more information about the CTE, refer to the following publications:
For information about using Design Studio, see the Cisco CTE Design Studio User Guide.
The following sections explain how to obtain documentation from Cisco Systems.
You can access the most current Cisco documentation on the World Wide Web at the following URL:
Translated documentation is available at the following URL:
http://www.cisco.com/public/countries_languages.shtml
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.
Cisco documentation is available in the following ways:
http://www.cisco.com/cgi-bin/order/order_root.pl
http://www.cisco.com/go/subscription
If you are reading Cisco product documentation on Cisco.com, you can submit technical comments electronically. Click the Fax or Email option under the "Leave Feedback" section at the bottom of the Cisco Documentation home page. After you complete the form, print it out and fax it to Cisco at 408 527-0730.
You can e-mail your comments to bug-doc@cisco.com.
To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:
Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you to:
You can self-register on Cisco.com to obtain customized information and service. To access Cisco.com, go to the following URL:
The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two types of support are available through the Cisco TAC: the Cisco TAC Web Site and the Cisco TAC Escalation Center.
Inquiries to Cisco TAC are categorized according to the urgency of the issue:
Which Cisco TAC resource you choose is based on the priority of the problem and the conditions of service contracts, when applicable.
The Cisco TAC Web Site allows you to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to the following URL:
All customers, partners, and resellers who have a valid Cisco services contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to the following URL to register:
http://www.cisco.com/register/
If you cannot resolve your technical issues by using the Cisco TAC Web Site, and you are a Cisco.com registered user, you can open a case online by using the TAC Case Open tool at the following URL:
http://www.cisco.com/tac/caseopen
If you have Internet access, it is recommended that you open P3 and P4 cases through the Cisco TAC Web Site.
The Cisco TAC Escalation Center addresses issues that are classified as priority level 1 or priority level 2; these classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer will automatically open a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to the following URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled; for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). In addition, please have available your service agreement number and your product serial number.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Copyright © 2001 - 2002 Cisco Systems, Inc.
All rights reserved. Printed in USA.
Posted: Mon Aug 18 16:29:04 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.