nokia secure access system getting started guide · “nokia secure access system requirements”...

Part No. N450867005 Rev A

Published July 2005

Nokia Secure Access SystemGetting Started Guide

Version 3.2

COPYRIGHT©2005 Nokia. All rights reserved.Rights reserved under the copyright laws of the United States.

RESTRICTED RIGHTS LEGENDUse, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.

Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

IMPORTANT NOTE TO USERS This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage.

Nokia reserves the right to make changes without further notice to any products herein.

TRADEMARKS Nokia is a registered trademark of Nokia Corporation. Other products mentioned in this document are trademarks or registered trademarks of their respective holders.

050110

2 Nokia Secure Access System Getting Started Guide

CreditsThis product includes software developed by the Apache Software Foundation (http://www.apache.org/).

This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation. For more information on the Apache Software Foundation, please see .

Portions of this software are based upon public domain software originally written at the National Center for Supercomputing Applications, University of Illinois, Urbana-Champaign.

This product includes software developed by Ralf S. Engelschall . Redistributions of any form whatsoever must retain the following acknowledgement: “This product includes software developed by Ralf S. Engelschall”.

This product includes software developed by Ralf S. Engelschall for use in the mod_ssl project (http://www.modssl.org/).

This product includes software developed by Computing Services at Carnegie Mellon University (http://www.cmu.edu/computing/).

This product contains ICU; International Components for Unicode library developed by International Business Machines Corporation.

This product contains the SpiderMonkey (JavaScript-C) Engine from mozilla.org (http://www.mozilla.org/js/spidermonkey/) and is licensed under the Mozilla Public License. See http://www.mozilla.org/MPL for the latest version of the license.

This product includes ssldump, developed by Eric Rescorla for RTFM, Inc.

This product contains the zlib library, written by Jean-loup Gailly and Mark Adler

This product includes cryptographic software written by Tim Hudson ([email protected]).

This product includes cryptographic software written by Eric Young ([email protected]).

This product includes psapi.dll copyright Microsoft Corporation 1981-1996. Please see PSAPI-LICENSE.txt in the Legal directory for license terms.

This product contains software written by ImageMagick Studio LLC, a non-profit organization dedicated to making software imaging solutions freely available. Copyright 1999-2005 ImageMagick Studio LLC

This software is based in part on the work of the Independent JPEG Group.

This product includes software developed by Greg Roelofs and contributors for the book, “PNG: The definitive Guide”, published by O'Reilly and Associates.

Nokia Secure Access System Getting Started Guide 3

Nokia Contact InformationCorporate Headquarters

Regional Contact Information

Nokia Customer Support

Web Site http://www.nokia.com

Telephone 1-888-477-4566 or 1-650-625-2000

Fax 1-650-691-2170

Mail Address

Nokia Inc.313 Fairchild DriveMountain View, California94043-2215 USA

Americas Nokia Inc.313 Fairchild DriveMountain View, CA 94043-2215USA

Tel: 1-877-997-9199Outside USA and Canada: +1 512-437-7089email: [email protected]

Europe, Middle East, and Africa

Nokia House, Summit AvenueSouthwood, FarnboroughHampshire GU14 ONG UK

Tel: UK: +44 161 601 8908Tel: France: +33 170 708 166email: [email protected]

Asia-Pacific 438B Alexandra Road#07-00 Alexandra TechnoparkSingapore 119968

Tel: +65 6588 3364email: [email protected]

Web Site: https://support.nokia.com/

Email: [email protected]

Americas Europe

Voice: 1-888-361-5030 or 1-613-271-6721

Voice: +44 (0) 125-286-8900

Fax: 1-613-271-8782 Fax: +44 (0) 125-286-5666

Asia-Pacific

Voice: +65-67232999

Fax: +65-67232897

050602


http://www.nokia.commailto:[email protected]:[email protected]:[email protected]://support.nokia.com/mailto:[email protected]

Contents

About this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Intended Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Organization of Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Conventions This Guide Uses. . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Web User Interface Conventions . . . . . . . . . . . . . . . . . . . . . . . . 9

Related Documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Nokia Secure Access System Documentation . . . . . . . . . . . . . 10Supporting Documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

1 Welcome to Nokia Secure Access System . . . . . . . . . . . . . . . . 11Appliance Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

About Nokia Security Platform . . . . . . . . . . . . . . . . . . . . . . . . . . 12About Nokia IPSO Operating System . . . . . . . . . . . . . . . . . . . . . 12About Nokia Secure Access System Application . . . . . . . . . . . . 13

Nokia Secure Access System Requirements. . . . . . . . . . . . . . . . . 13Security Platform Requirements. . . . . . . . . . . . . . . . . . . . . . . . 13Client Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Nokia Network Voyager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16Nokia Secure Access System Gateway Manager . . . . . . . . . . . . . 17

Before You Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

2 Setting Up a Nokia Secure Access System . . . . . . . . . . . . . . . 21Preparing to Activate Nokia SAS Application . . . . . . . . . . . . . . . . . 22Activating Nokia Secure Access System Application . . . . . . . . . . . 24Performing Gateway Manager Configuration Tasks . . . . . . . . . . . 27


Signing On to Gateway as Administrator . . . . . . . . . . . . . . . . . . 27Installing Nokia Secure Access System License. . . . . . . . . . . . . 31Configuring HTTPS Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Additional Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

A Installing or Upgrading Gateway Software . . . . . . . . . . . . . . . . 43Determining If Current Package Is Already Installed . . . . . . . . . . . 44Obtaining the Current Package . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Installing the Package with Nokia Network Voyager . . . . . . . . . . . 45

Transferring the Package to the Appliance . . . . . . . . . . . . . . . . . 46Installing or Upgrading the Package . . . . . . . . . . . . . . . . . . . . . . 47

Installing the Package From the Command Line Interface . . . . . . 52newpkg Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

B Using DHCP for Network Configuration . . . . . . . . . . . . . . . . . . 57Configuring the DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Running the DHCP Client on the Nokia Appliance . . . . . . . . . . . . 59Correcting an Accidental DHCP Network Configuration . . . . . . . . 60


About this Guide

Nokia Secure Access System enables enterprises to securely extend enterprise network resources to users outside the intranet. Users can access enterprise resources from any Web-capable platform and location. The Nokia Secure Access System gateway consists of:

A Nokia SSL VPN applianceThe Nokia IPSO operating systemThe Nokia Secure Access System application

Intended AudienceThis guide is intended for the system administrator who installs and configures the SSL VPN gateway. The procedures in this guide describe basic installation and configuration tasks necessary to activate the gateway. Procedures for creating a working configuration are outlined in “Additional Configuration Tasks” on page 40 and described in detail in the documents listed in “Related Documentation” on page 10.

NoteAdministrators who want to create a high-availability configuration can configure the individual gateways with the instructions provided in this guide, then go to the Nokia Secure Access System New Features Guide Version 3.2 for information on creating a high-availability configuration.


About this Guide

Organization of GuideThis Getting Started Guide focuses on two chapters and two appendices:

Chapter 1, Overview of the Nokia Secure Access System appliance, System requirements, information on Nokia Network Voyager and Nokia Secure Access System gateway manager.Chapter 2, Setup, configuration and activation of the Nokia Secure Access System application. Appendix A, Installing or Upgrading Gateway SoftwareAppendix B, Using the built-in dynamic host configuration protocol (DHCP) client to configure your Nokia appliance instead of using a console (direct serial) connection.


Conventions This Guide UsesThis document uses the following conventions.

Notices

NoteNotes provide information of special interest or recommendations.

Web User Interface ConventionsThroughout this guide, a greater than sign (>), is used to indicate navigation through the Web user interface menu by clicking menu options and links. For example, to configure a new user group, choose User Configuration > User Groups > New User Group.

NoteThe globe icon indicates that the adjacent field (in yellow) supports Unicode encoding.

NoteWhen you provide information in the Nokia Secure Access System configuration fields, click Save Settings before you select tabs or buttons to ensure that your changes are saved before you go to a new configuration page.


About this Guide

Related DocumentationCheck the CD-ROM supplied with Nokia Secure Access System for the following documents:

Nokia Secure Access System DocumentationNokia Secure Access System Release Notes v3.2Provides a brief description of the current release as well as recent information that is not contained in other documents.Nokia Secure Access System v3.2 New Features Guide Provides a detailed descriptions of new features in the current v3.2 release, as well as features added in release v3.1.Nokia Secure Access System User Guide v3.2Provides end user instructions for accessing resources through the gateway.Nokia Secure Access System Technology Overview v3.0Provides an overview of the technologies that the Nokia Secure Access System uses.Nokia Secure Access System Configuration Guide v3.0Provides detailed gateway and configuration information.

Supporting DocumentationGetting Started Guide and Release Notes for Nokia IPSO 3.8.1 Nokia Network Voyager for IPSO 3.8.1 Reference GuideThe hardware installation guide for your security platform. The installation guides for the Nokia 50s, Nokia 60s, Nokia 100s, and Nokia 500s are available on the CD-ROM supplied with Nokia Secure Access System. The installation guides for other supported platforms can be downloaded from the Nokia Support site.


1 Welcome to Nokia Secure Access System

Nokia Secure Access System enables enterprises to securely extend enterprise network resources to users outside the intranet. Users can access enterprise resources from any Web-capable platform and location. This chapter details the following elements of the Nokia Secure Access System:

“Appliance Overview” on page 11“Nokia Secure Access System Requirements” on page 13“Nokia Network Voyager” on page 16“Nokia Secure Access System Gateway Manager” on page 17

Appliance OverviewThe Nokia Secure Access System consists of three components shipped as an integrated appliance for easy configuration and management:The Nokia Secure Access System gateway consists of:

A Nokia SSL VPN applianceThe Nokia IPSO operating systemThe Nokia Secure Access System application

The next sub-sections describe each of these components.



About Nokia Security PlatformNokia Secure Access System is currently available as an integrated appliance on four different hardware platforms to support a wide range of user load and high availability requirements:

Nokia 50sNokia 60sNokia 100sNokia 500s

Nokia Secure Access System automatically uses any hardware encryption accelerator available on the platform or uses software encryption if no accelerator hardware is available. No user configuration is required.Users that want to use an IP security platform they already own as a Nokia Secure Access System gateway should contact their Nokia service provider for information on the platforms supported and the operating system requirements. These issues are not covered in this document.

NoteNo other application should be hosted on the platform running Nokia Secure Access System. Specifically, you cannot run a Check Point firewall on the same platform as Nokia Secure Access System.

About Nokia IPSO Operating SystemNokia IP security platforms run the Nokia IPSO operating system. The Nokia Secure Access System software is installed as a package on Nokia IPSO. A small number of network and system-related management tasks are performed using Nokia Network Voyager, the Nokia IPSO management interface. For more information about the Network Voyager, see “Nokia Network Voyager” on page 16. For more information about configuring Nokia IPSO, see the Nokia Network Voyager Reference Guide.


Nokia Secure Access System Requirements

About Nokia Secure Access System ApplicationThe Nokia Secure Access System application offers a wide spectrum of services such as reverse-proxy, application translation, HTTP proxy, port-forwarding, and email access. Nokia Secure Access System can also provide network extension services like those traditionally implemented through an IPSec VPN. You can rapidly deploy Nokia Secure Access System without installing new software on each client computer.Nokia Secure Access System features are administered through a gateway manager application that becomes available after the package is activated. For more information on the gateway manager, see “Nokia Secure Access System Gateway Manager” on page 17.

Nokia Secure Access System RequirementsThis section describes hardware requirements and supported software necessary to run Nokia Secure Access System, including security platforms, client operating systems, Web browsers and email clients.

Security Platform RequirementsNokia Secure Access System ships pre-installed along with Nokia IPSO on the following Nokia SSL VPN appliances:

Nokia 50sNokia 60sNokia 100sNokia 500s

NoteAll s-series platforms require Nokia IPSO 3.8.1 Build 29 or higher.



Client RequirementsThe following software is supported for client systems connecting to the gateway.

Supported Operating Systems

The following client operating systems are supported:Microsoft Windows operating systems:

XP Professional with SP1XP Professional with SP2 + HotfixXP Home with SP2 + HotfixWindows 2000 SP4

Red Hat Enterprise Linux v.3 and v.44Fedora Core 3MAC OS X

Supported Web Browsers

Most SSL-capable Web browsers can be used to access the Nokia Secure Access System gateway. The following browsers are compatibility tested:

Microsoft Internet Explorer v5.5, v6.0, and laterNetscape v8.0 and later (not supported for the gateway manager)Mozilla v1.7.2 and laterFirefox v1.0.1 and laterApple OS X Safari (not supported for the gateway manager)Opera 7.x and later (not supported for the gateway manager)

Supported Email Clients

The following email clients have been verified for use through the Nokia Secure Access System gateway:

Microsoft Outlook 2000, 2002, 2003Outlook Express 6.0


Nokia Secure Access System Requirements

Lotus Notes client 5.011, 6.0.2, 6.5.xEudora 6.0Netscape 6.0Mozilla Thunderbird v1.0

Other clients may work, but have not been tested.



Nokia Network VoyagerNokia Network Voyager is an SSL-capable, Web-based element management interface to Nokia security platforms. Network Voyager is installed on your platform along with Nokia IPSO.

Use Nokia Network Voyager to configure and monitor your appliance. These functions include:

Network interface configuration.Routing configuration.Configuration of network services such as VRRP (Virtual Router Redundancy Protocol) and NTP (Network Time Protocol).


Nokia Secure Access System Gateway Manager

Configuration of DNS (Domain Name System) servers used by the gateway.Upgrades of the Nokia Secure Access System software application.Upgrades of the Nokia IPSO operating system.Backup and restore of the operating system.

The majority of the day-to-day gateway management tasks are performed in the Nokia Secure Access System gateway manager.

Nokia Secure Access System Gateway ManagerAfter you install the Nokia Secure Access System, the gateway manager application is available to manage the users, resources, and access control policies of the gateway.



The left side of the main window displays a menu with the settings that you can configure, as described in Table 1.

Table 1 Nokia Secure Access System Configuration Menu

Menu Item Description

General View and configure general gateway settings including a status overview, gateway monitoring, gateway logging, exporting and importing gateway configurations, entering and updating server licenses, and enabling configuration sharing.

Appearance Customize the appearance of the user portal including managing graphics elements as well as customizing the user sign-on page, the user portal, and various messages displayed to users.

Global Properties Configure network settings, access control, Nokia Secure Workspace, Nokia Secure Connector, SNMP, variables, enable language packs, and determine the method for downloading the JRE plugin to client systems.

End-Point Security Configure Secure Connector security scans and client integrity scanning.

Certificates Configure gateway server certificates and back-end trusted CA certificates, including generating a new server certificate, importing an existing certificate, and configuring certificate revocation lists.

User Configuration Configure users, user groups, and authentication.

Resources Define the resources available to the user through the portal including: Web resources (HTTP and HTTPS servers), File resources (FTP, Windows, and NFS file servers) Email resources (POP, IMAP, and SMTP servers) and Port-forwarding resources (tunneled TCP and UDP traffic).

System Access Nokia Network Voyager to perform operating system related management tasks.


Nokia Secure Access System Gateway Manager

Before You StartTo perform the procedures in this document, you need the following items:

Rack screws and an appropriate screwdriver to mount the hardware.Hostname assigned to the gateway. Initial password for the administrator account. IP address and mask length of Ethernet1 (ETH1), IP address of default route or internal address of firewall for Ethernet1 (ETH1), for one network interface you can use to continue the configuration process with Network VoyagerThe default route (gateway) address.Domain Name where SSL VPN appliance resides, IP address of primary DNS (Domain Name Server), IP address of Secondary and Tertiary DNS (optional)The License Authorization Code (LAC) supplied with the appliance.


2 Setting Up a Nokia Secure Access System

This chapter describes how to set up your Nokia Secure Access System and activate the Nokia Secure Access System application.See the following sections for details on setup, activation and configuration:

“Preparing to Activate Nokia SAS Application” on page 22“Activating Nokia Secure Access System Application” on page 24“Performing Gateway Manager Configuration Tasks” on page 27“Additional Configuration Tasks” on page 40

Your Nokia appliance ships with the Nokia IPSO operating system and Nokia Secure Access System software application installed. If you need to install or update the Nokia Secure Access System software application, see Appendix A, “Installing or Upgrading Gateway Software.” If you need to install or update the IPSO operating system, see the IPSO Getting Started and Release Notes on the distribution CD.

NoteBefore turning on the system, if you plan to use a dynamic host configuration protocol (DHCP) client to configure your Nokia appliance instead of using a console (direct serial) connection, see Appendix B, “Using DHCP for Network Configuration”



NoteThe procedures in this guide describe how to deploy the gateway in an enterprise DMZ using a single interface. If you plan to deploy in a different network topology, see the Nokia Secure Access System Technology Overview for additional information.

Preparing to Activate Nokia SAS ApplicationTo set up the platform:1. Unpack and install the platform.

Unpack and rack mount the platform, then connect the power and network cables. A hardware installation quick reference card for the platform you purchased is included in the box. For detailed hardware installation instructions, see the hardware installation guide for your platform available in the /doc directory of the distribution CD or from the Nokia Support site.

NoteThis guide is intended for those deploying a new Nokia Secure Access System. If you are attempting to deploy the Nokia Secure Access System software on a Nokia security platform you already own, contact your Nokia representative for assistance.

2. Perform the Initial Network Configuration.Connect to the console and perform the initial configuration. For detailed instructions, see the hardware installation guide for your platform. At this point in the initial configuration, you will enter the hostname (the name of the Nokia SSL VPN appliance) and the initial administrator password (password for use by administrators to access the SSL VPN appliance).


Preparing to Activate Nokia SAS Application

The first time you supply power to the platform, the initial configuration process begins.After you complete the initial configuration, use Nokia Network Voyager to perform operating system-related configuration tasks and to activate the Nokia Secure Access System application.

3. Perform Network Voyager Configuration TasksAfter you complete the initial configuration, access the Nokia Network Voyager using a Web browser to configure and monitor your appliance. For detailed instructions, see the hardware installation guide for your platform.These tasks include entering the gateway IP address or hostname in the Web browser address bar, authenticating to Network Voyager with the username and password you specified during the initial configuration, setting local time, setting default domain suffix, and specifying a valid DNS server so that the gateway can resolve hostnames.

4. Enable SSL Access to Nokia Network VoyagerSecure Socket Layer (SSL) provides a secure way to connect to Nokia Network Voyager. Before you activate Nokia Secure Access System, enable SSL Web access by using Network Voyager to insure secure communications. The gateway manager application uses SSL by default.The steps involved in this task include confirming that the setting for Allow Voyager Web access is Yes, entering the number of port to activate, and choosing the encryption level appropriate to your security needs.



Activating Nokia Secure Access System Application

Your Nokia appliance ships with the Nokia Secure Access System application installed. These instructions describe how to activate the pre-installed software. If you are not sure the Nokia Secure Access System application is installed, or you need to upgrade the application, see Appendix A, “Installing or Upgrading Gateway Software.”

NoteNo other application should be hosted on the platform running Nokia Secure Access System. Specifically, you cannot run a Check Point firewall on the same platform as Nokia Secure Access System.

To activate the Nokia Secure Access System application1. From the Nokia Network Voyager main page, select System

Configuration.The Configuration page opens.

2. From the Configuration page, select Manage Installed Packages (Application).


Activating Nokia Secure Access System Application

The Manage Packages page opens.

3. In the Applications group, check that the Nokia Secure Access System package is set to On.

4. Click Apply.5. Click Save. You do not need to reboot your system.

The Nokia Secure Access System package is installed, activated, and enabled.

NoteDuring the installation, Nokia Network Voyager is moved from port 80 (if used) to port 8080 or from port 443 (if used) to port 8443 so that Nokia Secure Access System can use ports 80 and 443.

6. If you are not already on the Nokia Secure Access System page (by following the link after you install the package), access this page from the



Nokia Network Voyager main page by selecting Security and Access Configuration then selecting Nokia Secure Access System.The Nokia Secure Access System page opens.

If the status is shown as enabled, use the “Click here to sign onto NSAS” to proceed. See “Signing On to Gateway as Administrator” on page 27.If the status is shown as disabled, User the “Click here” link to initialize the Nokia Secure Access System.

The resulting page advances you to the Nokia Network Voyager Web server on the new port, which is either 8080 or 8443.

7. If necessary, log on to Network Voyager again by using the username admin and the same administrator password as before.

NoteWhen cookie-based session management is enabled in Network Voyager, you can select Acquire Exclusive Configuration Lock when you log on to Network Voyager. If you acquire this lock before you install and enable the Nokia Secure Access System application, the lock does not clear when the Network Voyager Web server port switches from port 80 to 8080, or from port 443 to 8443. When you


Performing Gateway Manager Configuration Tasks

log on to Network Voyager after the port change, the error message “Could not acquire exclusive configuration lock” appears. If this occurs, override the lock by clicking Log In with Advanced Options and selecting Yes for Override Locks Acquired by Other Users.

The Nokia Secure Access System page now shows that the status is enabled. You can now sign on to the Nokia Secure Access System gateway. Continue to “Signing On to Gateway as Administrator” on page 27.


After you activate the Nokia Secure Access System application, you can sign on to the gateway manager to perform the remaining configuration tasks.

Signing On to Gateway as AdministratorTo access the gateway manager sign-on page, either enter the gateway URL into your Web browser or click the link on the Nokia Secure Access System page in Nokia Network Voyager.

To use Nokia Network Voyager to access sign-on page 1. From the Network Voyager main page, click Security and Access

Configuration.The Configuration page opens.



NoteIf Nokia Secure Access System link does not appear under the Security and Access Configuration heading, the package is not installed or activated. See “Determining If Current Package Is Already Installed” on page 44.

2. Click Nokia Secure Access System.The Nokia Secure Access System page opens.



3. Click the following link:Click here to sign on to the Nokia Secure Access System.This link takes you directly to the gateway manager after you sign on to the gateway, instead of to your portal page.

To authenticate at sign-on page1. Enter username admin in the Username text box.

2. Enter the administrator password in the Password text box.



NoteThe sign-on page displays in the default language, English. For information on installing language packs that allow users to view the system in other languages, see the Nokia Secure Access System Configuration Guide v3.0.

3. Click Sign In. Initially, the Nokia Secure Access System administrator account uses authentication established for the Nokia IPSO admin account during the initial network configuration. You can change the authentication method for the Nokia Secure Access System administrator account to use an authentication method defined for other gateway users or to use certificate authentication. For details, see the Nokia Secure Access System Configuration Guide v3.0.Until the Nokia Secure Access System license is installed, you will see a license warning.

4. Click the indicated link to proceed. The Nokia Secure Access System configuration page opens.



From the Nokia Secure Access System configuration pages, you can perform the remaining tasks needed to activate the gateway

Installing Nokia Secure Access System LicenseThe Nokia Secure Access System ships with no license file on the gateway. This section describes how to generate a license file and install it on the gateway. You generate a license file by contacting the Nokia License Center and providing the following information:

Host Identifier numberThe Host Identifier is the serial number of the platform. It is available from the Configure License page and on the serial number tag located on the back of the platform.



License Authorization Code (LAC)Your License Authorization Code is generally provided in a brightly colored envelope included with the platform. If you purchased your appliance through an authorized Nokia reseller, the LAC may be emailed to the email address on the purchase order and is usually received before the hardware.

You can access the Nokia License Center directly at https://support.nokia.com/license or by choosing the link supplied on the Configure License page.

To generate the license from the Nokia License Center1. From the configuration menu, choose General > License.

From the Configure License page, copy the host identifier number to a clipboard, or write it down, because you will need it later in this procedure.

NoteThe license generated with the LAC applies only to that hardware serial number and the license generated can only be used on that platform.

2. From the Configure License page, click the License Center link https://support.nokia.com/license.The Nokia License Center page opens.


https://support.nokia.com/licensehttps://support.nokia.com/licensehttps://support.nokia.com/licensehttps://support.nokia.com/license


3. Log in to the License Center:Enter your login name and password.

orClick Register if you are a first time visitor.

If you are a first time visitor, your username and password is emailed to you after you complete the new user registration process.

4. Enter the LAC supplied with your platform in the dialog box. Access this dialog box after you are logged in to the License Center with your username and password.



5. Click Generate Licenses.6. Cut and paste the host identifier into the Nokia IPSO serial number field.

You can obtain this number from the Nokia Secure Access System Configure License page.

7. Click Generate.The license is generated.

8. Enter the company name and user email address that the license is to be sent to.

9. Click Confirm.10. To save the file, do one of the following:

Click Save for File.or

Copy and paste the information between Begin License and End License.



The license is emailed to you. You might want to add the .lic extension when you name the license.

NoteNokia recommends that you save your License Authentication Code (LAC). You might need it for emergency recovery.

To import the gateway license1. From the configuration menu, choose General > License.

The Configure License page opens.



The current license information appears, including the host identifier, license file name, and features of the license. Upon initial installation of Nokia Secure Access System, no license file is present on the gateway.

2. To upload a new license, in the File Name text box enter the file name of the license file stored on your computer, or click Browse to locate the file.

3. Click Upload New License.The license is uploaded to the gateway and the Configure License page refreshes. The license feature details show the number of simultaneous users that the gateway supports, the expiration time of the license, and the



license status. The license status is authenticated when the license is valid for the platform, as identified by the Host Identifier.

Configuring HTTPS SettingsHypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL (HTTPS) is a Web protocol that encrypts and decrypts user page requests and pages that the Web server returns. HTTPS is the main protocol that the client computer uses to contact Nokia Secure Access System on the Web interface.When the gateway initially starts up, it listens on the TCP socket for connections from the client computer. By default, it listens to the standard HTTPS port, 443, and redirects requests from the standard HTTP port, 80, to 443 on all interfaces.Use the HTTPS settings page to specify HTTPS listening addresses, port settings, and settings for SSL support.

NoteThe default HTTPS settings are sufficient for most deployments. Use the procedure below if the default settings will not work for your network.

To configure HTTPS settings1. From the configuration menu, choose Global Properties > Network.

The HTTPS Settings page opens.2. Specify the interfaces on which to listen for HTTPS connections.

By default, all interfaces are checked. The gateway responds to requests from any addresses that are checked.To disable an address, uncheck the box next to the address to disable.



NoteThe gateway always listens for connections on the loopback interface 127.0.0.1. This cannot be disabled. This interface is not listed on the HTTPS Settings page.

3. Specify the External Server name.

This is the name defined in the externally visible DNS server that users should use to refer to the gateway or gateway cluster. This is also the name defined by default in the Secure Connector installer and should match the CN attribute of the server certificate. For more information about configuring Secure Connector, see the Nokia Secure Access System Configuration Guide.

4. Specify the port settings.

The gateway listens for incoming SSL Web requests on port 443 by default. Edit this value to have the gateway listen on a different port.The gateway can redirect plain text HTTP Web requests to the secure HTTPS port, if desired. This is most useful on port 80, where Web requests arrive by default. Specify the port from which to redirect. Requests are redirected to the secure port you specified.

The redirect setting is useful because it allows the gateway to handle a plain text request (perhaps accidental, for example the user forgot to add



https:// to the URL, and entered nsas.company.com) by redirecting it to the correct place, the secure port.

5. Specify the SSL settings.

The SSL protocol allows the client and the gateway to authenticate to each other and to establish a secure encrypted connection:

To enable support for the SSL protocol version 2, click Enable SSLv2 support. To specify SSL encryption strength, select an encryption strength from the drop-down list. Encryption strength refers to the size of the keys that perform the symmetric encryption and is measured in bits. The default setting is set for high (128 bits or higher), which provides maximum security. Select a low encryption strength (40, 56, or 64 bit), if the users are allowed to access the gateway using browsers with export-strength encryption.

6. Click Save Settings.

NoteAfter you save the HTTPS settings, the system automatically restarts and all users must sign on to the gateway again.



Additional Configuration TasksYou are now ready to begin your deployment. Although Nokia Secure Access System deployments at every organization are different, most installations consist of six major tasks:1. Downloading product license key (see also“Installing Nokia Secure

Access System License” on page 31)2. Applying Nokia SSL VPN license (see also“Installing Nokia Secure

Access System License” on page 31)Use the Nokia Secure Access System gateway manager configuration screen as your starting point for access to the tasks in steps 3-6.

Step 3 - Creating a New User GroupStep 4 - Creating a new User IDStep 5 - Adding a new User ID to the User GroupStep 6 - Creating Resource


Additional Configuration Tasks

3. Creating a New User GroupFlow of configuration menus for this function: Configuration System --> User Configuration --> User Groups --> New User Groups --> Enter name and user group and description.

4. Creating a New User IDFlow of configuration menus for this function: Configuration System --> User Configuration --> Users --> Manage Users --> New User --> Enter name of User ID, user name and Save Settings --> Set Local Password --> Enter and confirm user password and Save Settings.

5. Adding a new User ID to the User GroupFlow of configuration menus for this function: Configuration System --> User Configuration --> User Groups --> Manage User Groups --> Select the user group created in step 3 above --> Click on Edit List --> Select new user to be added to user group. Click on Add and Save Settings.

6. Creating Resource (for example, Outlook Web Access)Flow of configuration menus for this function: Configuration System --> User Configuration --> Resources --> Web --> New Resources --> Properties- resource name, description text, base URL of MS Exchange server, portal link. Check box for pass-through authentication. Save Settings. ---> Click on Access Control - Simple tab. Enter name and user group and description.--> Select user group created in step 3 above. Click on Add, check box “Add port link to...”. Save Settings.

Information for planning each of these tasks is available in the Nokia Secure Access System Technology Overview v3.0. Specific procedures for performing the necessary tasks is provided in the Nokia Secure Access System Configuration Guide v3.0.


A Installing or Upgrading Gateway Software

Nokia Secure Access System appliances ship with the Nokia IPSO operating system and Nokia Secure Access System software already installed. To activate such an appliance, follow the instructions provided in Chapter 2, “Setting Up a Nokia Secure Access System.”This appendix provides instructions for downloading and installing the Nokia Secure Access System software application for those who need to update the Nokia Secure Access System package currently installed on their gateway.

NoteWhen you receive the appliance, check the latest version available at https://support.nokia.com to see if an upgrade is necessary.



Determining If Current Package Is Already Installed

From Nokia Network Voyager, you can determine if the package is already installed on your appliance.

To determine if package is pre-installed1. From the Nokia Network Voyager main page, select System

Configuration.2. From the Voyager Configuration page, select Manage Installed Packages.


If the list of the installed packages includes a package named Nokia Secure Access System, activate the package. See “Activating Nokia Secure Access System Application” on page 24.


Obtaining the Current Package

If the list of installed packages does not include a package named Nokia Secure Access System, install the package. See “Installing or Upgrading the Package” on page 47.

Obtaining the Current PackageIf the Nokia Secure Access System software application is not on your appliance, you can obtain the application from the Nokia support site at https://support.nokia.com. After you download the application, you can transfer the file to the /opt/packages directory on the Nokia Secure Access System gateway.

Installing the Package with Nokia Network Voyager

This section describes how to install the Nokia Secure Access System package (application) by using Nokia Network Voyager, including what you need to know before you start the installation, using FTP to transfer the package and installing and upgrading tasks.Before you install the package with Nokia Network Voyager, do the following:

Disable any other packages, including firewall and VPN packages.Verify that Nokia IPSO v3.8.1 is installed on your appliance. If your appliance is running an earlier version of Nokia IPSO, you can upgrade to a newer version by obtaining the Nokia IPSO installation file from http://support.nokia.com First, you should check for compatibility between Nokia IPSO and Nokia Secure Access System versions at https://support.nokia.com/register/productsSupported.jsp#ems. Then, you can install this file by using Nokia Network Voyager.


https://support.nokia.comhttps://support.nokia.com


Transferring the Package to the ApplianceAfter you download the package file, use FTP to transfer the package to the appliance, then install the package.

To download the package with Nokia Network Voyager1. Download the nsas_3_2_0_.tgz package file from the Nokia

support site at https://support.nokia.com.2. If the workstation on which you stored the package file does not allow

FTP access, transfer the package file to a computer that you can access with FTP.

3. From the Nokia Network Voyager main page, select System Configuration.

4. From the Voyager Configuration page, select Manage Installed Packages.The Manage Packages page opens.

5. From the Manage Packages page, select FTP and Install Packages.The FTP Packages page opens.

6. In the text boxes, provide the hostname or IP address of the FTP server and the directory path on that server (optional). Also, provide the username and the password for your account on the FTP server.

7. Click Apply.The FTP Packages page refreshes. A list of packages (.tgz files) found on the FTP server appears in the Site Listing panel.

8. Select the nsas_3_2_0_.tgz file.9. Click Apply.

The package is downloaded to the appliance.10. Continue installing the Nokia Secure Access System package beginning

with step 4 of “To install or upgrade the package with Nokia Network Voyager.”


https://support.nokia.com


Installing or Upgrading the PackageThis section describes how to install the package by using Nokia Network Voyager. Each version of Nokia Secure Access System is installed in a uniquely named directory based on the version number. For example, Nokia Secure Access System 3.2 is stored at:/opt/nsas-3.2.0

The previous version, 3.1.1, is stored at:/opt/nsas-3.1.1

During the package upgrade, the new version of Nokia Secure Access System automatically imports the configuration from the previous package version. Once the package upgrade completes, the previous version of the package is deactivated but not deleted, and the new package is activated. When you upgrade the package, the old package configuration is maintained.

To install or upgrade the package with Nokia Network Voyager1. From the Nokia Network Voyager main page, select System

Configuration.2. From the Voyager Configuration page, select Manage Installed Packages.




3. From the Manage Packages page, select FTP and Install Packages.The FTP Packages page opens.



4. Select opt/packages/nsas_3_2_0_.tgz. If this option is not present in the list, see “To download the package with Nokia Network Voyager” on page 46.

5. Click Apply to unpack the package.

NoteThe package is first unpacked to the /opt/tmp directory.

This operation can take several seconds to complete. When the package is successfully unpacked, the Package Installation and Upgrade page refreshes and displays the package name, class, version, and description. On some platforms, you might see the message “Timeout waiting for response from database server” when completing this step. If this occurs, click Up to return to the Manage Packages page, then select FTP and



Install Packages. The link to install and upgrade the package will be visible on the FTP Packages page.

6. To install the unpacked package, click the following link, located at the bottom left side of the screen.

The Package Installation and Upgrade page opens.

To install the package:a. Click Yes on the Install option. b. Ensure that the Upgrade option is set to No.

To upgrade the package:a. Click Yes on the Upgrade option.b. Ensure that the Install option is set to No.c. Select the Nokia Secure Access System version to upgrade.



7. Click Apply.The screen refreshes and indicates that the operation was successful.

8. To enable the package, click the following link located in the bottom left corner of the window:Click here to finish the initial configuration.

If you are installing a package, the Nokia Secure Access System page opens and begins to generate the random number seed. If you are upgrading the package, the Nokia Secure Access System page opens.

NoteThe Nokia Secure Access System page shows that the system is creating the random number seed. The page refreshes itself when the operation is complete. If the random number was already seeded, you do not see this page.

The screen refreshes and shows package status.



If the package is enabled, select Click here to sign on to the Nokia Secure Access System.Continue to “To authenticate at sign-on page” on page 29. This link points to the gateway manager. You are taken directly to the gateway manager after you sign on to the gateway.If the package is disabled, continue to “Activating Nokia Secure Access System Application” on page 24.

Installing the Package From the Command Line Interface

Disable any other packages, including firewall and VPN packages before you install the Nokia Secure Access System package. This section describes how to install and enable the Nokia Secure Access System package from the Command Line Interface (CLI).You can install the package from the CLI by using the newpkg command. The newpkg command automatically extracts the package files into the /opt directory and activates the package. When you enter newpkg, the script



guides you through the installation process. You can also specify command options, which are listed in Table 2 on page 54.

NoteInstalling or upgrading the package by using the Nokia IPSO clish command is not supported.

To access the CLI1. Log on to the appliance by using a command-line connection (SSH,

console, or Telnet) over a TCP/IP network.For example:telnet 10.5.189.21

2. Sign on by using the username admin, and use the admin password.

To install the package from the CLI1. From the command line, enter:

newpkg -n/opt/packages/nsas_3_2_0_.tgz

The following options appear:Load new package from:

1. Install from CD-ROM.

2. Install from anonymous FTP server.

3. Install from FTP server with username and password.

4. Install from local filesystem.

5. Exit new package installation.

2. Enter 4.The following response appears:End of new package installation

cleaning up ..done



If the Network Voyager ports listed are different from 80 or 443, the Nokia Secure Access System package is installed, activated, and enabled. See “Signing On to Gateway as Administrator” on page 27.If you use the -i argument with the newpkg command, you must activate the package. See “Activating Nokia Secure Access System Application” on page 24.

newpkg OptionsTable 2 describes the options you can use with the newpkg command.The syntax of newpkg is:

newpkg [-o path] [-m media_type] [-l user_name] [-s server_ipaddrs] [-p password] [-n path]

Table 2 newpkg Options

Option Description

-d Print debug messages to the screen.

-h Display help lines for command-line parameters.

-i Install only (do not activate).

-l user_name User name for FTP.

-m media_type Media type. For example, FTP/CD-ROM/LOCAL orCDROM/AFTP/FTP/LOCAL.

-n path Full path to new package. For example, /pub/current/xxx.tgz.

-o path Full path to old package for upgrade. For example, /opt/xxx.

-p password Password for FTP.



To upgrade the package from the CLI1. From the command line, enter one of the following commands:

newpkg -o /opt/nsas- -n /opt/packages/nsas_3_2_0_.tgz

For example:newpkg -o /opt/nsas-1.3.0 -n/opt/packages/nsas_3_0_0_2004040514.tgznewpkg -o /opt/nsas- -m ftp -l username -s ip.addr.of.ftp.server -p password -n /directory/location/nsas_3_2_0_.tgz

For example:newpkg -o /opt/nsas-1.3.1 -m ftp -l jsmith -s 10.10.22.23 -p password -n /eng/newbuilds/nsas_3_2_0_2005070514.tgz

The -o option indicates the location, such as directory, of the old installed version to upgrade.The -n option indicates the location of the new file to install from and is an actual filename.

-s server_ipaddr Server IP address if media type is FTP/AFTP.

-v Verbose FTP.

Table 2 newpkg Options

Option Description



2. The following options appear:Load new package from:

1. Install from CD-ROM.

2. Install from anonymous FTP server.

3. Install from FTP server with username and password.

4. Install from local filesystem.

5. Exit new package installation.

3. Enter 4 or your applicable path.The following response appears:Do you want to upgrade from nsas-3.1.1 to nsas-3.2.0?[y/n]

4. Enter y.The following response appears:End of new package installation

cleaning up..done


B Using DHCP for Network Configuration

You can use the built-in dynamic host configuration protocol (DHCP) client to configure your Nokia appliance instead of using a console (direct serial) connection. This feature allows a properly configured DHCP server to provide your system with a

Host nameIP addressDefault route (gateway)

You can then use Nokia Network Voyager to reconfigure any of these settings. Once you do so, Voyager keeps the modified settings. (DHCP is not used if configuration information exists.) The DHCP server automatically sets the administrative password of the Nokia system to password.To use DHCP to configure your appliance, perform the following steps‘:1. Configure the DHCP server.2. Run the DHCP client on the Nokia system.



Configuring the DHCP ServerConfigure a DHCP server with (at a minimum) mappings for

A host name for the Nokia systemThe serial number of the applianceA static IP address for the appliance

IPSO also supports MAC-address based configuration.The minimum IP address lease required is 1 year.

NoteThe DHCP server must be on the same network as the Nokia appliance or DHCP/BOOTP relay must be configured on the intermediate routers.

Following is an example of relevant DHCP configuration information:ddns-update-style none;subnet 10.1.1.0 netmask 255.255.255.0 {

# default gatewayoption routers 10.1.1.1;option subnet-mask 255.255.255.0;

option domain-name-servers 24.5.207.179;

range dynamic-bootp 10.1.1.20 10.1.1.100;

host IP1260fixed {

# serial number of the boxoption dhcp-client-identifier "123456";

fixed-address 10.1.1.11;option host-name "IP1260";

}

}


Running the DHCP Client on the Nokia Appliance

Running the DHCP Client on the Nokia Appliance

CautionDo not perform the following procedures unless you have configured an appropriate DHCP server with configuration information for your appliance.

1. Connect a NIC installed in your appliance to your network. 2. Turn the appliance on.

The DHCP client program in the system starts automatically, and the DHCP server provides the appropriate configuration information. This can require 5 to 10 minutes.

3. From a computer on the same network, ping the IP address that you configured the DHCP server to provide to the Nokia system.When you get replies from ping, you can use Nokia Network Voyager to connect to the system.

4. Connect to the system using Voyager.To connect, start a Web browser and enter the IP address or host name of the system in the address or URL field of the browser.

5. Enter the user name admin and the password password.6. Modify the configuration of the system as appropriate.

NoteNokia strongly recommends that you change the password.



Correcting an Accidental DHCP Network Configuration

If you use a console connection to configure the Nokia system, the system prompts you for the appropriate configuration settings the first time you turn it on. The first prompt asks you to supply a host name. If you wait more than approximately 30 seconds before you type a response to the host name prompt, the DHCP client program starts automatically, and the system might be provided a host name and IP address that is unknown to you. This could happen if a DHCP server on your network is configured to supply configuration information to any system that requests it.In this situation, you will not be able to connect to the Nokia system over the network (because you don’t know the system’s IP address or host name). To resolve the problem, follow these steps.1. Establish a console connection to the system.2. Enter

rm /config/active

ormv /config/active /config/active.old

3. Reboot the appliance.4. Respond to the configuration prompts in a timely manner.


Nokia Secure Access System Getting Started GuideContact InformationContentsAbout this GuideIntended AudienceOrganization of GuideConventions This Guide UsesNoticesWeb User Interface Conventions

Related DocumentationNokia Secure Access System DocumentationSupporting Documentation

1- Welcome to Nokia Secure Access SystemAppliance OverviewAbout Nokia Security PlatformAbout Nokia IPSO Operating SystemAbout Nokia Secure Access System Application

Nokia Secure Access System RequirementsSecurity Platform RequirementsClient Requirements

Nokia Network VoyagerNokia Secure Access System Gateway ManagerBefore You Start

2- Setting Up a Nokia Secure Access SystemPreparing to Activate Nokia SAS ApplicationActivating Nokia Secure Access System ApplicationPerforming Gateway Manager Configuration TasksSigning On to Gateway as AdministratorInstalling Nokia Secure Access System LicenseConfiguring HTTPS Settings

Additional Configuration Tasks

A- Installing or Upgrading Gateway SoftwareDetermining If Current Package Is Already InstalledObtaining the Current PackageInstalling the Package with Nokia Network VoyagerTransferring the Package to the ApplianceInstalling or Upgrading the Package

Installing the Package From the Command Line Interfacenewpkg Options

B- Using DHCP for Network Configuration Configuring the DHCP ServerRunning the DHCP Client on the Nokia ApplianceCorrecting an Accidental DHCP Network Configuration

nokia secure access system getting started guide · “nokia secure access system requirements”...

Documents