Table Of Contents
Managing Global Settings
Network Settings
Address Pools
Viewing Address Pools
Adding Address Pools
Adding IP Address Pool Range
Editing Address Pools
Editing IP Address Pool Range
Deleting Address Pools
DNS
Viewing Global DNS Settings
Editing Global DNS Settings
Editing General DNS Settings
Editing DNS Global Settings
Viewing VRF DNS Settings
Adding VRF DNS Settings
Editing VRF DNS Settings
Deleting VRF DNS Settings
Adding IP Hosts
Editing IP Hosts
Removing IP Hosts
Static Routes
Viewing Static Routes
Adding Static Routes
Deleting Static Routes
Interfaces
Viewing Interfaces
Adding Interfaces
Editing Interfaces
Selecting a VRF for the Interface
Deleting Interfaces
VRF Instances
Viewing VRF Instances
Adding VRF Instances
Selecting Routed Interfaces
Editing VRF Instances
Adding and Deleting Interfaces in VRF
Deleting VRF Instances
Security
AAA
Viewing AAA Settings
Editing RADIUS Global Settings
Selecting an Interface
Adding VRF Source Interfaces
Editing VRF Source Interfaces
Deleting VRF Source Interfaces
Server Groups
Viewing Server Group Settings
Adding Server Groups
Editing Server Groups
Deleting Server Groups
Adding RADIUS Servers for the Server Group
Editing RADIUS Server Settings for the Server Group
Deleting a RADIUS Server in the Server Group
Authentication Lists
Viewing Authentication Lists
Adding Authentication Lists
Selecting a Method List
Editing Authentication Lists
Deleting Authentication Lists
Network ACLs
Viewing Network ACLs
Adding ACL Rules
Editing ACL Rules
Deleting ACL Rules
Adding Extended Rule Entries
Selecting the Protocol and Service
Editing Extended Rule Entries
Cloning Extended Rule Entries
Deleting Extended Rule Entries
Adding Standard Rule Entries
Editing Standard Rule Entries
Cloning Standard Rule Entries
Deleting Standard Rule Entries
Connection Policies
TCP Policies
Viewing TCP Policies
Adding TCP Policies
Editing TCP Policies
Deleting TCP Policies
Assigning a TCP Policy to Virtual Contexts
Assigning a TCP Policy to Virtual Gateways
SSL Policies
Viewing SSL Policies
Adding SSL Policies
Editing SSL Policies
Deleting SSL Policies
Assigning an SSL Policy to Virtual Contexts
Assigning an SSL Policy to Virtual Gateways
Time Ranges
Viewing Time Ranges
Adding Time Ranges
Editing Time Ranges
Deleting Time Ranges
Adding Periodic Entries
Editing Periodic Entries
Deleting Periodic Entries
What Are Global Settings and What Are They Used for?
Managing Global Settings
The Global Settings feature allows you to configure Network Settings, Security Features, Connection Policies and Time Ranges.
Managing Global Settings contains the following sections:
• Network Settings
• Security
• Connection Policies
• Time Ranges
Network Settings
This section includes the following:
• Address Pools
• DNS
• Static Routes
• Interfaces
• VRF Instances
Address Pools
You can use this feature to configure static local IP Address Pools to be used in Tunnel Mode configuration. You can add, edit and delete Address Pools using this feature.
• Viewing Address Pools
• Adding Address Pools
• Editing Address Pools
• Deleting Address Pools
Viewing Address Pools
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane.
The Global Settings page is displayed.
Step 2
Select the object Address Pools from the Network Settings Group folder. The Address Pools page appears with the following information.
Field | Description
Pool Name | Name of the Pool.
Address Range | The IP Address range of Address Pools. You can configure multiple address ranges.
Cache Size | Cache Size for the address pool.
Group Name | Group Name for the address pool.
• Click Add to add address pools.
• Select an Address Pool and click Edit to edit address pools.
• Select an Address Pool and click Delete to delete address pools.
Adding Address Pools
Step 1
Click Add in the Address Pools page. The Add Address Pools dialog box appears with the following fields.
Field | Description
Use Pool name as default. | Specifies that default be used as the Pool Name.
Pool Name | Name of the pool.
Group Name | Group Name for the address pool.
Cache Size | Cache Size for the address pool.
IP Address Range
Start IP Address | The first IP address of an IP address range. You can configure multiple address ranges.
End IP Address | The last IP address of an IP address range. You can configure multiple address ranges.
Step 2
Enter the appropriate values and click OK to add the Address Pool.
Adding IP Address Pool Range
Step 1
Click Add in the Add Address Pool or Edit Address Pool dialog box. The Add IP Pool Address Range dialog box appears with the following information.
Field | Description
Pool Name | Name of the address pool. You cannot edit the value in this field.
Start IP Address | The first IP address of an IP address range. You can configure multiple address ranges.
End IP Address | The last IP address of an IP address range. You can configure multiple address ranges.
Step 2
Enter the appropriate values and click OK.
Editing Address Pools
Step 1
Click Edit in the Address Pools page. The Edit Address Pools dialog box appears with the following fields.
Field | Description
Pool Name | Name of the pool. You cannot edit the values in this field.
Group Name | Group Name for the address pool. You cannot edit the values in this field.
Cache Size | Cache size for the address pool.
IP Address Range
Start IP Address | The first IP address of an IP address range. You can configure multiple address ranges.
End IP Address | The last IP address of an IP address range. You can configure multiple address ranges.
Step 2
Modify the appropriate values and click OK.
Editing IP Address Pool Range
Step 1
Click Edit in the Edit Address Pool or Add Address Pool dialog box. The Edit IP Address Pool Range dialog box appears with the following information.
Field | Description
Pool Name | Name of the address pool. You cannot edit the value in this field.
Start IP Address | The first IP address of an IP address range. You can configure multiple address ranges.
End IP Address | The last IP address of an IP address range. You can configure multiple address ranges.
Step 2
Modify the appropriate values and click OK.
Deleting Address Pools
Step 1
Select an Address Pool or multiple Address Pools and click Delete in the Address Pool page. The Delete IP Pools pop-up appears.
Step 2
Click Yes. The Address Pool or multiple Address Pools will be deleted.
DNS
You can view and edit Global DNS settings and view, add, edit and delete VRF DNS settings using this feature.
• Viewing Global DNS Settings
• Editing Global DNS Settings
• Editing General DNS Settings
• Editing DNS Global Settings
• Viewing VRF DNS Settings
• Adding VRF DNS Settings
• Editing VRF DNS Settings
• Deleting VRF DNS Settings
Viewing Global DNS Settings
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane.
The Global Settings page is displayed.
Step 2
Select the object DNS Settings from the Network Settings Group folder. The DNS Settings page appears.
Step 3
Select the Global tab from the DNS page. The DNS page is displayed with the following information.
Field | Description
General
DNS Status | Whether DNS is enabled.
Round Robin Status | Whether round robin is enabled.
Timeout (secs) | Timeout for DNS queries in seconds. Range of values: 1-3600 seconds.
Retry Count | Retry count for DNS queries. Range of values: 0-100 seconds.
DNS Global
Domain Name | Defines a default domain name that the Cisco IOS software will use to complete unqualified hostnames.
Domain List | Defines a list of default domain names to complete unqualified hostnames.
Name Servers | Specifies one or more hosts that supply name information.
Hostname | Host name.
IP Addresses | IP addresses.
Editing Global DNS Settings
You can edit General DNS settings and DNS Global settings using this feature.
• Editing General DNS Settings
• Editing DNS Global Settings
Editing General DNS Settings
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane.
The Global Settings page is displayed.
Step 2
Select the object DNS Settings from the Network Settings Group folder. The DNS Settings page appears.
Step 3
Select the Global tab in the DNS page and click Edit in the General pane. The Edit DNS General dialog box appears with the following information.
Field | Description
DNS Status | Whether DNS is enabled.
Round Robin Status | Whether round robin is enabled.
Timeout(1-3600)secs | Timeout for DNS queries in seconds. Range of values: 1-3600 seconds.
Retry Count(0 - 100) | Retry count for DNS queries. Range of values: 0-100 seconds.
Step 4
Modify the appropriate values and click OK.
Editing DNS Global Settings
Step 1
Select the Global tab in the DNS page and click Edit in the DNS Global pane. The Edit Global DNS dialog box appears with the following information.
Field | Description
Domain Name | Defines a default domain name that the Cisco IOS software will use to complete unqualified hostnames.
Domain List
Domain List Entry | A default domain name entry to complete unqualified hostnames.
Name Servers
Name Server | A host that supplies name information.
IP Hosts
HostName | Host name.
IP Addresses | IP addresses.
Step 2
Modify the values as appropriate and click OK.
Viewing VRF DNS Settings
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object DNS Settings from the Network Settings Group folder. The DNS Settings page appears.
Step 3
Select the VRF tab from the DNS page. The VRF page is displayed with the following information.
Field | Description
VRF
VRF Name | Name of the VRF instance.
No. of Domain Lists | Number of domain lists for the VRF.
No of Name Servers | Number of name servers for the VRF.
No of Hostnames | Number of hostnames for the VRF.
VRF Details
VRF Name | Name of the VRF instance.
Domain Name | VRF specific domain name.
Domain Lists | VRF specific domain list.
Name Servers | VRF specific name server.
Hostname | Hostname of the VRF server.
IP Addresses | IP address of the VRF server.
• Click Add to add a VRF.
• Click Edit to edit VRF settings.
• Click Delete to delete VRF settings.
Adding VRF DNS Settings
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane.
The Global Settings page is displayed.
Step 2
Select the object DNS Settings from the Network Settings Group folder. The DNS Settings page appears.
Step 3
Select the VRF tab from the DNS page. The VRF page is displayed.
Step 4
Click Add on the VRF page. The VRF DNS dialog box appears with the following information.
Field | Description
VRF Name | Name of the VRF instance.
Domain Name | VRF specific domain name.
Domain List
Domain List Entry | VRF specific domain list entry to be added to the Domain List.
Name Servers
Name Server | VRF specific name server IP address to be added to the Name Server List.
IP Hosts
Hostname | Hostname of the IP host.
IP Addresses | IP address of the IP host.
Step 5
Click OK.
Editing VRF DNS Settings
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object DNS Settings from the Network Settings Group folder. The DNS Settings page appears.
Step 3
Select the VRF tab from the DNS page. The VRF page is displayed.
Step 4
Click Edit on the VRF page. The VRF DNS dialog box appears with the following information.
Field | Description
VRF Name | Name of the VRF instance. You cannot edit the value in this field.
Domain Name | VRF specific domain name.
Domain List
Domain List Entry | VRF specific domain list entry to be added to the Domain List.
Name Servers
Name Server | VRF specific name server IP address to be added to the Name Server List.
IP Hosts
Hostname | Hostname of the IP host.
IP Addresses | IP address of the IP host.
Step 5
Click OK.
Deleting VRF DNS Settings
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object DNS Settings from the Network Settings Group folder. The DNS Settings page appears.
Step 3
Select the VRF tab from the DNS page. The VRF page is displayed.
Step 4
Select a VRF DNS entry or multiple VRF DNS entries and click Delete in the VRF page. The Delete the DNS entries for VRF pop-up appears.
Step 5
Click Yes. The selected VRF DNS entry or entries will be deleted.
Adding IP Hosts
You can use the Add IP Host dialog box to add IP hosts and corresponding IP addresses in the Add VRF DNS, Edit VRF DNS or Edit Global DNS dialog boxes.
Step 1
Click Add in the IP hosts pane. The Add IP hosts dialog appears with the following information.
Field | Description
Hostname | Hostname of the IP host.
IP Address | IP address of the IP host.
Step 2
Enter the appropriate values and click Add.
The hostname and IP address will be added to the IP Address pane. You can add multiple IP addresses for a Hostname. Select an IP address and click Delete to delete an IP address you entered.
Step 3
Click OK.
The hostname and IP addresses will be added to the IP Hosts pane.
Editing IP Hosts
You can use the Edit IP Host dialog box to edit the corresponding IP addresses of IP hosts in the Add VRF DNS, Edit VRF DNS or Edit Global DNS dialog boxes.
Step 1
Select the IP Hostname you want to edit and click Edit in the IP Hosts pane. The Edit IP Hosts dialog appears with the following information.
Field | Description
Hostname | Hostname of the IP host. The value in this field cannot be edited.
IP Address | IP address of the IP host.
Step 2
Enter the appropriate values and click Add.
The hostname and IP address will be added to the IP Address pane. You can add multiple IP addresses for a hostname. Select an IP address and click Delete to delete an IP address you entered.
Step 3
Click OK.
The hostname and IP addresses will be added to the IP Hosts pane.
Removing IP Hosts
You can remove IP hosts and corresponding IP addresses in the Add VRF DNS, Edit VRF DNS or Edit Global DNS dialog boxes.
Step 1
Select the IP host or IP hosts and corresponding IP addresses that you want to remove and click Remove in the IP Hosts pane.
Step 2
Click OK in the dialog box. The IP host or IP hosts and corresponding IP addresses are removed from the IP Hosts pane.
Static Routes
You can view, add, and delete Static Routes using this feature.
• Viewing Static Routes
• Adding Static Routes
• Deleting Static Routes
Viewing Static Routes
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Static Routes from the Network Settings Group folder. The Static Routes page appears with the following information.
Field | Description
IP Address | IP address of static route.
Net Mask | Network mask for the IP address.
Next Hop | Next hop IP address.
Metric (1-255) | Distance metric for the static route. This is within the range 1-255.
VRF Name | VRF instance name.
• Click Add to add a Static Route.
• Click Delete to delete a Static Route.
Adding Static Routes
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane.
The Global Settings page is displayed.
Step 2
Select the object Static Routes from the Network Settings Group folder. The Static Routes page appears.
Step 3
Click Add in the Static Routes page. The Add Static Route dialog box appears with the following information.
Field | Description
IP Address | IP address of static route.
Net Mask | Network mask of static route.
Next Hop | Next hop IP address.
Metric (1-255) | Distance metric for the static route. This is within the range 1-255.
VRF Name | VRF instance name.
Step 4
Enter the appropriate values and click OK.
Deleting Static Routes
Step 1
Select a Static Route or multiple Static Routes from the Static Routes table and click Delete in the Static Routes page. The Delete Static Route pop-up appears.
Step 2
Click Yes. The selected Static Route or Static Routes will be deleted.
Interfaces
You can view, add, edit and delete interfaces using this feature.
• Viewing Interfaces
• Adding Interfaces
• Editing Interfaces
• Deleting Interfaces
Viewing Interfaces
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Interfaces from the Network Settings Group folder. The Interfaces page appears with the following information.
Field | Description
Interface Name | Name of the interface.
VLAN | VLAN identifier.
IP Address | Subinterface IP address.
Net Mask | Subinterface network mask.
VRF | Name of the VRF associated with the VLAN.
Admin Status | Administrative status of the interface, either up or down.
Operational Status | Indicates the operational status of the interface.
• A icon indicates that the interface is administratively down.
• A icon indicates that the interface is operationally down.
• A icon indicates that the interface is up.

• Click Add to add interface.
• Click Edit to edit interface.
• Click Delete to delete interfaces.
• Click Admin Status and select Up or Down to set administrative status of the interface.
For a Virtual Gateway, a non VRF-aware interface is needed in the same subnet as the Gateway. In a Virtual Context, if NAT range has been specified, you must ensure that an interface exists in the same subnet as the NAT range.
Adding Interfaces
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Interfaces from the Network Settings Group folder. The Interfaces page appears.
Step 3
Click Add in the Interfaces page. The Add interface page appears with the following information.
Field | Description
WebVPN Interface | Name of the interface.
VLAN Number | VLAN identifier.
IP address | Subinterface IP address.
Network Mask | Subinterface network mask.
VRF Name | Name of VRF associated with the VLAN.
Administrative State | Administrative status of the interface, either up or down.
Step 4
Enter the appropriate values and click OK.
Editing Interfaces
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object, Interfaces, from the Network Settings Group folder. The Interfaces page appears.
Step 3
Click Edit in the Interfaces page. The Edit interface page appears with the following information.
Field | Description
WebVPN Interface | Name of the interface. You cannot edit the value in this field.
VLAN Number | VLAN identifier.
IP address | Subinterface IP address.
Network Mask | Subinterface network mask.
VRF Name | Name of VRF associated with the VLAN.
Administrative State | Administrative status of the interface, either up or down.
Step 4
Enter the appropriate values and click OK.
Note
You cannot edit an interface used to launch CVDM.
If IP address is changed on an interface (or the interface is deleted) and:
• if that interface had associated gateways, the IP address on those gateways will be cleared.
• if that interface is the back-end interface for any virtual context NAT range, the NAT range will be rendered invalid.
• if that interface was in the same subnet as the address pool used by any group policy inside a virtual context, that group policy might become unusable.
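The interface dependencies described in this section (a Virtual Gateway needs a non VRF-aware interface in its subnet, a NAT range needs an interface in its subnet, and re-addressing or deleting an interface affects gateways, NAT ranges and address pools) can be checked before a change is made. The following Python check is an added example and is not part of CVDM; the inventory model, the object names and the sample addresses are constructed, and it assumes that a gateway, NAT range or address pool depends on an interface when its addresses fall inside that interface's subnet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


# Hypothetical inventory model for this example (not a CVDM export format).
@dataclass(frozen=True)
class Interface:
    name: str
    ip: str
    mask: str
    vrf: Optional[str] = None  # None: the interface is not VRF-aware

    @property
    def subnet(self):
        # strict=False lets a host address plus mask yield the containing network
        return ipaddress.ip_network(f"{self.ip}/{self.mask}", strict=False)


def covers(iface, start, end=None):
    """True when an address, or both ends of a range, lie in the interface subnet."""
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end) if end is not None else first
    if first > last:
        raise ValueError(f"range start {start} is above range end {end}")
    return first in iface.subnet and last in iface.subnet


def audit(interfaces, gateways, nat_ranges):
    """Report gateways and NAT ranges that lack the interface they require."""
    findings = []
    for gw, ip in gateways.items():
        # A Virtual Gateway needs a non VRF-aware interface in its subnet.
        if not any(i.vrf is None and covers(i, ip) for i in interfaces):
            findings.append(f"gateway {gw}: no non VRF-aware interface in the subnet of {ip}")
    for ctx, (start, end) in nat_ranges.items():
        # A Virtual Context NAT range needs an interface in its subnet.
        if not any(covers(i, start, end) for i in interfaces):
            findings.append(f"context {ctx}: no interface in the subnet of NAT range {start}-{end}")
    return findings


def change_impact(iface, gateways, nat_ranges, pools):
    """List the objects affected when iface is re-addressed or deleted."""
    impact = []
    if iface.vrf is None:  # gateways only sit on non VRF-aware interfaces
        for gw, ip in gateways.items():
            if covers(iface, ip):
                impact.append(f"gateway {gw}: IP address will be cleared")
    for ctx, (start, end) in nat_ranges.items():
        if covers(iface, start, end):
            impact.append(f"context {ctx}: NAT range will be rendered invalid")
    for pool, ranges in pools.items():  # a pool may hold several ranges
        if any(covers(iface, s, e) for s, e in ranges):
            impact.append(f"pool {pool}: group policies using it might become unusable")
    return impact


# Constructed sample inventory (documentation address space).
INTERFACES = [
    Interface("vlan10", "192.0.2.1", "255.255.255.0"),
    Interface("vlan20", "198.51.100.1", "255.255.255.0", vrf="blue"),
    Interface("vlan30", "203.0.113.1", "255.255.255.128"),
]
GATEWAYS = {"gw-a": "192.0.2.10", "gw-b": "198.51.100.10"}
NAT_RANGES = {
    "ctx-1": ("203.0.113.20", "203.0.113.40"),
    "ctx-2": ("203.0.113.120", "203.0.113.140"),  # crosses the /25 boundary
}
POOLS = {"pool-1": [("203.0.113.50", "203.0.113.60")]}

if __name__ == "__main__":
    for line in audit(INTERFACES, GATEWAYS, NAT_RANGES):
        print("AUDIT ", line)
    for line in change_impact(INTERFACES[2], GATEWAYS, NAT_RANGES, POOLS):
        print("IMPACT", line)
```

Run audit() against the current inventory and change_impact() for the interface you are about to edit or delete; an empty list means no dependent object was found under the stated assumption.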
Selecting a VRF for the Interface
Step 1
Click the VRF Name ellipsis selector button in the Add or Edit Interface dialogs. The Select VRF dialog box appears.
Step 2
Select a VRF Name and click OK in the Select VRF dialog box.
Step 3
Click OK in the Add or Edit Interface dialog box.
Deleting Interfaces
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object, Interfaces, from the Network Settings Group folder. The Interfaces page appears.
Step 3
Select an Interface or multiple Interfaces from the Interfaces page and click Delete in the Interfaces page. The Delete Interface pop-up appears.
Step 4
Click Yes. The selected interface or interfaces will be deleted.
Note
You cannot delete an interface used to launch CVDM.
VRF Instances
You can use a VRF instance to:
• Configure VRF-aware interfaces
• Configure a VRF-aware context (to isolate the routing lookup to different tables)
• Configure VRF-aware domain resolution
• Configure VRF-aware static routes
• Configure VRF-aware AAA and server groups
Viewing VRF Instances
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object VRF Instances from the Network Settings Group folder. The VRF Instances page appears with the following information.
Field | Description
Name | Name of the VRF.
Route Designator | VRF route designator.
Description | Brief description of the VRF.
Interfaces in VRF | List of interfaces contained in the VRF.
• Click Add to add VRF Instances.
• Click Edit to edit VRF Instances.
• Click Delete to delete VRF Instances.
Adding VRF Instances
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object VRF Instances from the Network Settings Group folder. The VRF Instances page appears.
Step 3
Click Add on the VRF instances page. The Add VRF Instances dialog box appears with the following information.
Field | Description
VRF Name | The name of the VRF instance.
Route Designator | The route designator for the VRF.
Description | Brief description of the VRF.
Interfaces in VRF | Displays the interfaces associated with the VRF. To add or delete interfaces in VRF see Adding and Deleting Interfaces in VRF.
Step 4
Enter the appropriate values and click OK.
Selecting Routed Interfaces
To select Routed Interfaces for a VRF Instance:
Step 1
Click Add in the Interfaces in VRF panel in the Add VRF or Edit VRF dialog box. The Select Routed Interfaces dialog box appears.
Step 2
Select an interface from the Routed Interfaces dialog box and click OK.
Editing VRF Instances
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object VRF Instances from the Network Settings Group folder. The VRF Instances page appears.
Step 3
Click Edit on the VRF instances page. The Edit VRF Instances dialog box appears with the following information.
Field | Description
VRF Name | The name of the VRF. You cannot edit the value in this field.
Route Designator | The route designator for the VRF.
Description | Brief description of the VRF.
Interfaces in VRF | Displays the interfaces associated with the VRF. To add or delete interfaces in VRF see Adding and Deleting Interfaces in VRF.
Step 4
Modify the appropriate values and click OK.
Adding and Deleting Interfaces in VRF
To add Interfaces in VRF:
Step 1
Click Add to add an interface in the Interfaces in VRF pane of the Add VRF or Edit VRF dialog box. The Select Routed Interfaces dialog box appears with the list of routed interfaces.
Step 2
Select a routed interface from the Select Routed Interfaces dialog box and click OK. The selected routed interface will be added to the Interfaces in VRF pane of the Add VRF or Edit VRF dialog box.
To delete interfaces in VRF:
Step 1
Select an interface name in the Interfaces in VRF pane of the Add VRF or Edit VRF dialog box.
Step 2
Click Delete in the Interfaces in VRF pane.
Step 3
Click OK in the dialog box.
Deleting VRF Instances
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object VRF Instances from the Network Settings Group folder. The VRF Instances page appears.
Step 3
Select the VRF Instance or multiple VRF Instances you want to delete and click Delete on the VRF Instances page. The Delete VRF pop-up appears.
Step 4
Click Yes. The selected VRF Instance or Instances will be deleted.
Note
If a VRF Instance is in use in a virtual context, or it has some DNS entries etc., a warning message is displayed stating that the VRF is in use by those components. The VRF instance will be deleted only if you confirm that it can be deleted.
Security
You can configure AAA, Server Groups, Authentication Lists and Network ACLs using this feature.
• AAA
• Server Groups
• Authentication Lists
• Network ACLs
AAA
With CVDM-WebVPNSM, you can implement and configure authentication on your WebVPN module.
Note
AAA will be enabled only if enable password is set on the device. If AAA is not already enabled, then the AAA screen will display a link to enable AAA. Click on the link to enable AAA. All AAA functionality can be performed only after AAA is enabled.
Viewing AAA Settings
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object AAA from the Security Group folder. The AAA page appears with the following information.
Field | Description
RADIUS Global Settings
Source Interface | IP address of the source interface.
Timeout | Number of seconds that a router should attempt to contact this server before going on to another server.
Key | Key used when contacting the RADIUS server.
VRF Source Interfaces
VRF Name | Name of the VRF instance.
Source Interface | The source interface for the VRF.
• Click Edit on the RADIUS Global Settings pane to edit RADIUS Global settings.
• Click Add on the VRF Source Interfaces pane to add Source interface for a VRF.
Editing RADIUS Global Settings
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object AAA from the Security Group folder. The AAA page appears.
Step 3
Click Edit on the Global RADIUS Settings pane.
Field | Description
Source Interface | Interface that will serve as the source interface for all AAA servers configured on the WebVPN module.
Timeout | Enter the number of seconds that the router should attempt to contact this server before going on to another server.
Key | Enter the key used when contacting the RADIUS server.
Confirm Key | Re-enter the key used when contacting the RADIUS server.
Step 4
Modify the values as appropriate and click OK.
Selecting an Interface
Step 1
Click Edit in the RADIUS Global Settings pane of the AAA page. The Edit RADIUS Setting dialog box appears.
Step 2
Click the Source Interface ellipsis button. The Select an Interface dialog box appears.
Step 3
Select an interface and click OK. The selected interface is added to the Source Interface field in the Edit RADIUS settings dialog box.
Adding VRF Source Interfaces
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object AAA from the Security Group folder. The AAA page appears.
Step 3
Click Add in the VRF Source Interfaces pane. The Add Source Interface for a VRF dialog appears with the following information.
Field | Description
VRF | VRF name.
Source Interface | The source interface for the VRF.
Step 4
Enter the appropriate values and click OK.
Editing VRF Source Interfaces
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object AAA from the Security Group folder. The AAA page appears.
Step 3
Click Edit in the VRF Source Interfaces pane. The Edit Source Interface for a VRF dialog appears with the following information.
Field | Description
VRF | VRF name. You cannot edit the value in this field.
Source Interface | The source interface for the VRF.
Step 4
Modify the appropriate values and click OK.
Deleting VRF Source Interfaces
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object AAA from the Security Group folder. The AAA page appears.
Step 3
Select a Source interface or multiple Source Interfaces and click Delete in the VRF Source Interfaces pane. The Delete Entries pop-up appears.
Step 4
Click Yes. The selected VRF Source Interface or Interfaces will be deleted.
If a VRF is deleted and:
• the VRF had some DNS entries, they become invalid.
• there were any static routes for this VRF, they get removed.
• the VRF has some associated AAA server group entries, they become invalid.
• the VRF was used by a virtual context, the context becomes operationally down.
Server Groups
You can view, add, edit and delete server groups using this feature. You can also add RADIUS servers to the server group, edit RADIUS server settings and delete RADIUS servers in the server group.
• Viewing Server Group Settings
• Adding Server Groups
• Editing Server Groups
• Deleting Server Groups
• Adding RADIUS Servers for the Server Group
• Editing RADIUS Server Settings for the Server Group
• Deleting a RADIUS Server in the Server Group
Viewing Server Group Settings
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Server Groups from the Security Group folder. The Server Groups page appears with the following information.
Fields | Description
Server Groups
Server Group Name | Name of the server group.
Servers in Group | Servers in a server group.
VRF Name | VRF Name associated with the server group.
RADIUS Servers in the Server Group
IP Address | IP address of the server.
Authentication Port | The server port used for authentication requests.
Accounting Port | The server port used for accounting requests.
Private Server | Private RADIUS server.
Key | Enter the key used when contacting the RADIUS server.
Timeout | The number of seconds that the router should attempt to contact this server before going on to the next server in the group list. The default is 5 seconds. Valid values range from 1 to 1000 seconds.
Type | RADIUS server. Only RADIUS server is supported.
Adding Server Groups
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Server Groups from the Security Group folder. The Server Groups page appears.
Step 3
Click Add. The Add AAA server group dialog box appears with the following fields.
Field | Description
Server Group Name | Name of the server group.
VRF | VRF associated with the server group.
RADIUS Server(s) in the group
IP Address | IP address of the server.
Authentication Port | The server port used for authentication requests.
Accounting Port | The server port used for accounting requests.
Private Server | Private RADIUS server.
Timeout | The number of seconds that the router should attempt to contact this server before going on to the next server in the group list. The default is 5 seconds. Valid values range from 1 to 1000 seconds.
Step 4
Enter the appropriate values and click OK.
Editing Server Groups
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Server Groups from the Security Group folder. The Server Groups page appears.
Step 3
Click Edit in the Server Groups pane. The Edit AAA server group dialog box appears with the following fields.
Field | Description
Server Group Name | Name of the server group. You cannot edit the value in this field.
VRF | VRF associated with the server group.
RADIUS Server(s) in the group
IP Address | IP address of the server.
Authentication Port | The server port used for authentication requests.
Accounting Port | The server port used for accounting requests.
Private Server | Private RADIUS server.
Timeout | The number of seconds that the router should attempt to contact this server before going on to the next server in the group list. The default is 5 seconds. Valid values range from 1 to 1000 seconds.
Step 4
Modify the values as appropriate and click OK.
Deleting Server Groups
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Server Groups from the Security Group folder. The Server Groups page appears.
Step 3
Click Delete in the Server Groups pane.
Adding RADIUS Servers for the Server Group
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Server Groups from the Security Group folder. The Server Groups page appears.
Step 3
Click Add in the RADIUS Servers in the Server group pane. The Add AAA Server dialog box appears with the following fields.
Field
|
Description
|
IP Address
|
IP address of the server.
|
Authentication Port
|
The server port used for authentication requests.
|
Accounting Port
|
The server port used for accounting requests.
|
Private Server
|
Private RADIUS server.
|
Key
|
Enter the key used when contacting the RADIUS server.
|
Timeout
|
The number of seconds that the router should attempt to contact this server before going on to the next server in the group list.
The default is 5 seconds. Valid values range from 1 to 1000 seconds.
|
Type
|
The type of server.
|
Step 4
Enter the appropriate values and click OK.
Editing RADIUS Server Settings for the Server Group
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Server Groups from the Security Group folder. The Server Groups page appears.
Step 3
Click Edit in the RADIUS Servers in the Server group pane. The Edit AAA Server dialog box appears with the following fields.
Field
|
Description
|
IP Address
|
IP address of the server.
|
Authentication Port
|
The server port used for authentication requests.
|
Accounting Port
|
The server port used for accounting requests.
|
Private Server
|
Private RADIUS server.
|
Key
|
Enter the key used when contacting the RADIUS server.
|
Timeout
|
The number of seconds that the router should attempt to contact this server before going on to the next server in the group list.
The default is 5 seconds. Valid values range from 1 to 1000 seconds.
|
Type
|
The type of server.
|
Step 4
Enter the appropriate values and click OK.
Deleting a RADIUS Server in the Server Group
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Server Groups from the Security Group folder. The Server Groups page appears.
Step 3
Click Delete in the RADIUS Servers in the Server Group pane. The Delete AAA Server pop up appears.
Step 4
Click Yes.
Authentication Lists
You can view, add, edit and delete authentication lists using this feature.
• Viewing Authentication Lists
• Adding Authentication Lists
• Editing Authentication Lists
• Deleting Authentication Lists
Viewing Authentication Lists
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Authentication Lists from the Security Group folder. The Authentication Lists page appears with the following fields.
Field
|
Description
|
Name
|
Name of the authentication list.
|
Type
|
Authorization type used by the authentication list. Only the login option is supported.
|
Method 1
Method 2
Method 3
Method 4
|
Authorization methods used by the authentication list.
The following are supported values:
• None—No authentication occurs
• Line—A line user ID and password is used for authentication
• Enable—An enable password is used for authentication
• Local—The local username database is used for authentication
• Local-case—A case-sensitive local username is used for authentication
• Group radius—A RADIUS server is used for authentication
A method is a configured server group used for authorizing users. You can configure up to four methods and specify the order in which you want the device to query them. The device attempts to communicate with the first method. If one of the servers in this method authenticates the user, then authentication is successful. If authentication fails, then the router uses the next method in the list.
|
• Click Add to add an authentication list.
• Click Edit to edit an authentication list.
• Click Delete to delete an authentication list.
Adding Authentication Lists
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Authentication Lists from the Security Group folder. The Authentication Lists page appears.
Step 3
Click Add. The Add Authentication list dialog box appears with the following fields.
Field
|
Description
|
Use Name as Default
|
Use the new authentication list as the default authentication list.
|
Name
|
The name of the new authentication list. This field is disabled if the Use name as "default" check box is selected.
|
Type
|
Authorization type used by the new authentication list. This field cannot be edited. Only the login option is supported.
|
Method1 column
Method2 column
Method3 column
Method4 column
|
Authorization methods used by the authentication list.
The following are supported values:
• None—No authentication occurs
• Line—A line user ID and password is used for authentication
• Enable—An enable password is used for authentication
• Local—The local username database is used for authentication
• Local-case—A case-sensitive local username is used for authentication
• Group radius—A RADIUS server is used for authentication
A method is a configured server group used for authorizing users. You can configure up to four methods and specify the order in which you want the device to query them. The device attempts to communicate with the first method. If one of the servers in this method authenticates the user, then authentication is successful. If authentication fails, then the router uses the next method in the list.
|
Step 4
Enter the appropriate values and click OK.
Selecting a Method List
Step 1
Click on any of the Method field buttons in the Add Authentication List dialog box. The Select a Method dialog box appears.
Step 2
Select a Method from the list of methods and click OK.
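The method order and the per-server RADIUS timeout described above decide what happens when a method cannot authenticate a user, so a list is worth reviewing before it is saved. The following check is an added example, not part of the product or of this guide; the `AuthList` and `RadiusServer` records, their field names and the sample addresses are assumptions, while the method values, the four-method limit and the timeout range are the ones stated in the field tables.

```python
from dataclasses import dataclass, field

# Method values as listed in the Method 1-4 field description (lower-cased).
SUPPORTED = ("none", "line", "enable", "local", "local-case", "group radius")
MAX_METHODS = 4
TIMEOUT_MIN, TIMEOUT_MAX, TIMEOUT_DEFAULT = 1, 1000, 5  # seconds


@dataclass
class RadiusServer:          # assumed record for one server in the group
    ip: str
    timeout: int = TIMEOUT_DEFAULT


@dataclass
class AuthList:              # assumed record for one authentication list
    name: str
    methods: list
    radius_servers: list = field(default_factory=list)


def radius_wait_before_fallback(servers):
    """Seconds spent when no server in the group answers: each server is
    tried for its own timeout before the next one in the group list."""
    return sum(s.timeout for s in servers)


def audit(auth_list):
    """Return a list of findings for one authentication list."""
    findings = []
    methods = [m.strip().lower() for m in auth_list.methods]

    if not 1 <= len(methods) <= MAX_METHODS:
        findings.append(f"{len(methods)} methods configured; expected 1 to {MAX_METHODS}")
    for pos, m in enumerate(methods, 1):
        if m not in SUPPORTED:
            findings.append(f"method {pos} '{m}' is not a supported value")
    for m in sorted(set(methods)):
        if methods.count(m) > 1:
            findings.append(f"'{m}' is listed more than once")

    if "none" in methods:
        pos = methods.index("none") + 1
        findings.append(f"method {pos} is none: no authentication occurs once the list reaches it")
        if pos < len(methods):
            findings.append(f"methods after position {pos} are never reached")

    if "group radius" in methods:
        servers = auth_list.radius_servers
        if not servers:
            findings.append("group radius is selected but the server group is empty")
        for s in servers:
            if not TIMEOUT_MIN <= s.timeout <= TIMEOUT_MAX:
                findings.append(f"server {s.ip}: timeout {s.timeout}s outside {TIMEOUT_MIN}-{TIMEOUT_MAX}")
        if methods[-1] == "group radius":
            findings.append("group radius is the last method: no fallback if every RADIUS server is unreachable")
    return findings


if __name__ == "__main__":
    # Constructed sample: addresses come from the 192.0.2.0/24 documentation range.
    sample = AuthList("console", ["Group radius", "None", "Local"],
                      [RadiusServer("192.0.2.10", 0)])
    for line in audit(sample):
        print(line)
```
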
Editing Authentication Lists
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Authentication Lists from the Security Group folder. The Authentication Lists page appears.
Step 3
Click Edit. The Edit Authentication list dialog box appears with the following fields.
Field
|
Description
|
Name
|
The name of the new authentication list. This field is disabled if the Use name as "default" check box is selected. You cannot edit the value in this field.
|
Type
|
Authorization type used by the new authentication list. You cannot edit the value in this field. Only the login option is supported.
|
Method1 column
Method2 column
Method3 column
Method4 column
|
Authorization methods used by the authentication list.
The following are supported values:
• None—No authentication occurs
• Line—A line user ID and password is used for authentication
• Enable—An enable password is used for authentication
• Local—The local username database is used for authentication
• Local-case—A case-sensitive local username is used for authentication
• Group radius—A RADIUS server is used for authentication
A method is a configured server group used for authorizing users. You can configure up to four methods and specify the order in which you want the device to query them. The device attempts to communicate with the first method. If one of the servers in this method authenticates the user, then authentication is successful. If authentication fails, then the router uses the next method in the list.
|
Step 4
Modify the values as appropriate and click OK.
Deleting Authentication Lists
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Authentication Lists from the Security Group folder. The Authentication Lists page appears.
Step 3
Select an Authentication list or multiple Authentication lists and click Delete. The Delete Authentication list pop-up appears.
Step 4
Click Yes. The selected authentication list or lists will be deleted.
Network ACLs
You can view Network ACLs, configure ACL rules, Extended Rule entries and Standard Rule entries using this feature.
• Viewing Network ACLs
• Adding ACL Rules
• Editing ACL Rules
• Deleting ACL Rules
• Adding Extended Rule Entries
• Editing Extended Rule Entries
• Cloning Extended Rule Entries
• Deleting Extended Rule Entries
• Adding Standard Rule Entries
• Editing Standard Rule Entries
• Cloning Standard Rule Entries
• Deleting Standard Rule Entries
Viewing Network ACLs
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Network ACLs from the Security Group folder. The Network ACLs page appears with the following fields.
Field
|
Description
|
Name/Number
|
Name of the access list.
|
Type
|
Standard or extended access list.
|
Description
|
Description of the ACL.
|
ACL Rule Details
|
Action
|
Indicates whether to permit or deny.
|
Source
|
IP Address Mask
|
Source IP address mask.
|
Port
|
Source port.
|
Destination
|
IP Address Mask
|
Destination IP address mask.
|
Port
|
Destination port.
|
Protocol/type
|
Whether TCP, UDP, ICMP or IP.
|
Description
|
Description of the ACL Rule.
|
Time Range
|
Time range for extended ACL only.
|
• Click Add to add an ACL Rule.
• Click Edit to edit an ACL Rule.
• Click Delete to delete an ACL Rule.
Adding ACL Rules
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Network ACLs from the Security Group folder.
Step 3
Click Add in the ACLs pane. The Add ACL rule dialog box appears with the following fields.
Field
|
Description
|
Name
|
Name of ACL rule.
|
Type
|
Type of rule, whether Extended or Standard.
|
Description
|
Description of the rule.
|
Rule Entry
|
Rule entry.
|
Step 4
Enter the appropriate values and click OK.
Editing ACL Rules
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Network ACLs from the Security Group folder.
Step 3
Click Edit in the ACLs pane. The Edit ACL Rule dialog box appears with the following fields.
Field
|
Description
|
Name
|
Name of ACL rule.
|
Type
|
Type of rule, whether Extended or Standard.
|
Description
|
Description of the rule.
|
Rule Entry
|
Rule entry.
|
Step 4
Modify the appropriate values and click OK.
Deleting ACL Rules
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Network ACLs from the Security Group folder.
Step 3
Click Delete in the ACLs pane. The Do You Want to Delete the ACL pop-up appears.
Step 4
Click Yes.
Adding Extended Rule Entries
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Network ACLs from the Security Group folder.
Step 3
Select the ACL to which you want to add an ACL Entry and click Add in the ACL Rule Details pane. The Add a Rule Entry dialog box appears with the following fields.
Field
|
Description
|
Action
|
Select an Action
|
Whether to protect the traffic or not.
|
Description
|
Description
|
Description of the Extended Rule.
|
Source Host/Network
|
Type
|
Source host/Network type.
|
Destination Host/Network
|
Type
|
Destination host/Network type.
|
Protocol and Service
|
Source Port
|
Source port of the service.
|
Destination Port
|
Destination port of the service.
|
Time Range
|
Time range for the ACL.
|
Step 4
Enter the appropriate values and click OK.
Selecting the Protocol and Service
Step 1
Select a protocol and service from the Protocol and Service pane in the Add an Extended Rule Entry dialog box.
Step 2
Click the ellipsis selector button. The Service dialog box appears.
Step 3
Select a service and click OK. The service for the protocol will be selected.
Editing Extended Rule Entries
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Network ACLs from the Security Group folder.
Step 3
Select the ACL Rule Entry which you want to edit and click Edit in the ACL Rule Details pane. The Edit a Rule Entry dialog box appears with the following fields.
Field
|
Description
|
Action
|
Select an Action
|
Whether to protect the traffic or not.
|
Description
|
Description
|
Description of the Extended Rule.
|
Source Host/Network
|
Type
|
Source host/Network type.
|
Destination Host/Network
|
Type
|
Destination host/Network type.
|
Protocol and Service
|
Source Port
|
Source port of the service.
|
Destination Port
|
Destination port of the service.
|
Time Range
|
Time range for the ACL.
|
Step 4
Modify the appropriate values and click OK.
Cloning Extended Rule Entries
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Network ACLs from the Security Group folder.
Step 3
Click Add in the ACLs pane. The Add ACL rule dialog box appears. Enter the appropriate values and add an Extended Rule Entry.
Step 4
Click Clone in the Add ACL Rule dialog box. The Clone an Extended Rule entry dialog box appears with the following information:
Field
|
Description
|
Action
|
Select an Action
|
Whether to protect the traffic or not.
|
Description
|
Description
|
Description of the Extended Rule.
|
Source Host/Network
|
Type
|
Source host/Network type.
|
Destination Host/Network
|
Type
|
Destination host/Network type.
|
Protocol and Service
|
Protocol/type
|
Whether TCP, UDP, ICMP or IP.
|
Time Range
|
Time range for extended ACL only.
|
Step 5
Enter the appropriate values and click OK.
Deleting Extended Rule Entries
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Network ACLs from the Security Group folder.
Step 3
Select the Extended Rule Entry you want to delete and click Delete in the ACL Rule Details pane. The Confirm ACL deletion pop-up appears.
Step 4
Click Yes.
Adding Standard Rule Entries
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Network ACLs from the Security Group folder.
Step 3
Select the ACL to which you want to add an ACL Entry and click Add in the ACL Rule Details pane. The Add a Standard Rule Entry dialog box appears with the following fields.
Field
|
Description
|
Action
|
Select an Action
|
Whether to protect the traffic or not.
|
Source Host/Network
|
Type
|
Source host/Network type.
|
Description
|
Description
|
Description of the Standard Rule.
|
Log matches against this entry
|
Select this check box to log matches against this entry.
|
Step 4
Enter the values as appropriate and click OK.
Editing Standard Rule Entries
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Network ACLs from the Security Group folder.
Step 3
Select the ACL Rule Entry which you want to edit and click Edit in the ACL Rule Details pane. The Edit a Rule Entry dialog box appears with the following fields.
Field
|
Description
|
Action
|
Select an Action
|
Whether to protect the traffic or not.
|
Source Host/Network
|
Type
|
Source host/Network type.
|
Description
|
Description
|
Description of the Standard Rule.
|
Log matches against this entry
|
Select this check box to log matches against this entry.
|
Step 4
Modify the values as appropriate and click OK.
Cloning Standard Rule Entries
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Network ACLs from the Security Group folder.
Step 3
Click Add in the ACLs pane. The Add ACL rule dialog box appears. Enter the appropriate values and add a Standard Rule Entry.
Step 4
Click Clone in the Add ACL Rule dialog box. The Clone a Standard Rule entry dialog box appears with the following information.
Field
|
Description
|
Action
|
Select an Action
|
Whether to protect the traffic or not.
|
Source Host/Network
|
Type
|
Source host/Network type.
|
Description
|
Description
|
Description of the Standard Rule.
|
Log matches against this entry
|
Select this check box to log matches against this entry.
|
Step 5
Enter the appropriate values and click OK.
Deleting Standard Rule Entries
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object Network ACLs from the Security Group folder.
Step 3
Select a Standard Rule Entry and click Delete in the ACL Rule Details pane. The Confirm ACL deletion pop-up appears.
Step 4
Click Yes.
Connection Policies
You can configure TCP Policies and SSL Policies using this feature. You can also assign TCP Policies and SSL Policies to Virtual Contexts and Virtual Gateways.
• Viewing TCP Policies
• Adding TCP Policies
• Editing TCP Policies
• Deleting TCP Policies
• Assigning a TCP Policy to Virtual Contexts
• Assigning a TCP Policy to Virtual Gateways
• Viewing SSL Policies
• Adding SSL Policies
• Editing SSL Policies
• Deleting SSL Policies
• Assigning an SSL Policy to Virtual Contexts
• Assigning an SSL Policy to Virtual Gateways
TCP Policies
You can view, add, edit and delete TCP policies using this feature. You can also assign a TCP Policy to Virtual Contexts and Virtual Gateways.
• Viewing TCP Policies
• Adding TCP Policies
• Editing TCP Policies
• Deleting TCP Policies
• Assigning a TCP Policy to Virtual Contexts
• Assigning a TCP Policy to Virtual Gateways
Viewing TCP Policies
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object TCP Policies from the Connection Policies Group folder. The Connection Policy page appears with the following fields.
Field
|
Description
|
TCP Policy
|
Policy Name
|
Defines TCP policy templates. All defaults are assumed unless otherwise specified.
|
MSS (bytes)
|
Configures the maximum segment size (MSS), in bytes, that the connection will identify in the SYN packet that it generates. The default is 1460 bytes. The valid range is from 256 to 2460 bytes.
|
Nagle algorithm
|
When you enable the Nagle algorithm, small amounts of data that are written by the application are queued into the connection-send queue, but are not sent until one of the following situations occurs:
• There is data pending and an ACK arrives that acknowledges the data that was previously sent.
• The application writes more data so that a full-sized segment is created and sent.
When you disable the Nagle algorithm, queueing of data does not occur. All data that is written by the application is sent immediately.
Nagle is enabled by default.
|
TOS Carryover
|
Forwards the type of service (ToS) value to all packets within a flow.
|
SYN Timeout
|
Configures the connection establishment timeout. The default is 75 seconds. The valid range is from 5 to 75 seconds.
|
Inactivity timeout
|
Configures the amount of time, in seconds, that an established connection can be inactive. The default is 600 seconds. The valid range is from 0 to 960 seconds (0 = disabled).
|
Reassembly timeout
|
Configures the amount of time, in seconds, before the reassembly queue is cleared. If the transaction is not complete within the specified time, the reassembly queue is cleared and the connection is dropped. The default is 60 seconds. The valid range is from 0 to 960 seconds (0 = disabled).
|
FIN wait timeout
|
Configures the FIN wait timeout in seconds. The default value is 600 seconds. The valid range is from 75 to 600 seconds.
|
Rx Buffer Share
|
Configures the maximum receive buffer share per connection in bytes. The default value is 32768 bytes. The valid range is from 8192 to 262144 bytes.
|
Tx Buffer Share
|
Configures the maximum transmit buffer share per connection in bytes. The default value is 32768 bytes. The valid range is from 8192 to 262144 bytes.
|
Delayed ACK Threshold
|
Specifies the number of full-sized segments that must be received before a window-update ACK is sent. Valid values for packets are 1 to 10; the default value is 2.
|
Delayed ACK Timeout
|
Specifies the amount of time before a window-update ACK is sent. The default value is 200.
|
SSL Policy
|
Policy Name
|
Defines SSL policy templates.
|
Version
|
Defines the various protocol versions supported by the proxy server.
|
Session Cache
|
Enables the session-caching feature. Session caching is enabled by default.
|
Session Timeout
|
Configures the amount of time that an entry is kept in the session cache. The valid range is from 1 to 72000 seconds.
|
Session Cache Size
|
Specifies the size of the session cache. The valid range is from 1 to 262143 entries.
|
Handshake Timeout
|
Configures how long the module keeps the connection in handshake phase. The valid range is from 0 to 65535 seconds.
|
Close Protocol
|
Configures the SSL close-protocol behavior. Close-protocol is disabled by default.
|
TLS Version Rollback
|
Specifies the version of the SSL protocol (SSL2.0, SSL3.0, TLS1.0) in the ClientHello message. TLS rollback is disabled by default.
|
Acceptable Cipher Suites
|
Configures a list of cipher-suite names acceptable to the proxy server. The cipher-suite names follow the same convention as that of existing SSL stacks.
|
Adding TCP Policies
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object TCP Policy from the Connection Policies Group folder.
Step 3
Click Add in the TCP Policies page. The Add TCP Policy dialog box appears with the following fields.
Field
|
Description
|
Policy Name
|
Defines TCP policy templates. All defaults are assumed unless otherwise specified.
|
General
|
MSS (bytes)
|
Configures the maximum segment size (MSS), in bytes, that the connection will identify in the SYN packet that it generates. The default is 1460 bytes. The valid range is from 256 to 2460 bytes.
|
Nagle algorithm
|
When you enable the Nagle algorithm, small amounts of data that are written by the application are queued into the connection-send queue, but are not sent until one of the following situations occurs:
• There is data pending and an ACK arrives that acknowledges the data that was previously sent.
• The application writes more data so that a full-sized segment is created and sent.
When you disable the Nagle algorithm, queueing of data does not occur. All data that is written by the application is sent immediately.
Nagle is enabled by default.
|
TOS Carryover
|
Forwards the type of service (ToS) value to all packets within a flow.
|
Timers
|
SYN Timeout
|
Configures the connection establishment timeout. The default is 75 seconds. The valid range is from 5 to 75 seconds.
|
Inactivity timeout
|
Configures the amount of time, in seconds, that an established connection can be inactive. The default is 600 seconds. The valid range is from 0 to 960 seconds (0 = disabled).
|
Reassembly timeout
|
Configures the amount of time, in seconds, before the reassembly queue is cleared. If the transaction is not complete within the specified time, the reassembly queue is cleared and the connection is dropped. The default is 60 seconds. The valid range is from 0 to 960 seconds (0 = disabled).
|
FIN wait timeout
|
Configures the FIN wait timeout in seconds. The default value is 600 seconds. The valid range is from 75 to 600 seconds.
|
Rx Buffer Share
|
Configures the maximum receive buffer share per connection in bytes. The default value is 32768 bytes. The valid range is from 8192 to 262144 bytes.
|
Tx Buffer Share
|
Configures the maximum transmit buffer share per connection in bytes. The default value is 32768 bytes. The valid range is from 8192 to 262144 bytes.
|
ACK
|
Delayed ACK Threshold
|
Specifies the number of full-sized segments that must be received before a window-update ACK is sent. Valid values for packets are 1 to 10; the default value is 2.
|
Delayed ACK Timeout
|
Specifies the amount of time before a window-update ACK is sent. The default value is 200.
|
Step 4
Enter the appropriate values and click OK.
Editing TCP Policies
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object TCP Policy from the Connection Policies Group folder.
Step 3
Click Edit in the TCP Policies page. The Add TCP Policy dialog box appears with the following fields.
Field
|
Description
|
Policy Name
|
Defines TCP policy templates. All defaults are assumed unless otherwise specified. You cannot edit the value in this field.
|
General
|
MSS (bytes)
|
Configures the maximum segment size (MSS), in bytes, that the connection will identify in the SYN packet that it generates. The default is 1460 bytes. The valid range is from 256 to 2460 bytes.
|
Nagle algorithm
|
When you enable the Nagle algorithm, small amounts of data that are written by the application are queued into the connection-send queue, but are not sent until one of the following situations occurs:
• There is data pending and an ACK arrives that acknowledges the data that was previously sent.
• The application writes more data so that a full-sized segment is created and sent.
When you disable the Nagle algorithm, queueing of data does not occur. All data that is written by the application is sent immediately.
Nagle is enabled by default.
|
TOS Carryover
|
Forwards the type of service (ToS) value to all packets within a flow.
|
Timers
|
SYN Timeout
|
Configures the connection establishment timeout. The default is 75 seconds. The valid range is from 5 to 75 seconds.
|
Inactivity timeout
|
Configures the amount of time, in seconds, that an established connection can be inactive. The default is 600 seconds. The valid range is from 0 to 960 seconds (0 = disabled).
|
Reassembly timeout
|
Configures the amount of time, in seconds, before the reassembly queue is cleared. If the transaction is not complete within the specified time, the reassembly queue is cleared and the connection is dropped. The default is 60 seconds. The valid range is from 0 to 960 seconds (0 = disabled).
|
FIN wait timeout
|
Configures the FIN wait timeout in seconds. The default value is 600 seconds. The valid range is from 75 to 600 seconds.
|
Rx Buffer Share
|
Configures the maximum receive buffer share per connection in bytes. The default value is 32768 bytes. The valid range is from 8192 to 262144 bytes.
|
Tx Buffer Share
|
Configures the maximum transmit buffer share per connection in bytes. The default value is 32768 bytes. The valid range is from 8192 to 262144 bytes.
|
ACK
|
Delayed ACK Threshold
|
Specifies the number of full-sized segments that must be received before a window-update ACK is sent. Valid values for packets are 1 to 10; the default value is 2.
|
Delayed ACK Timeout
|
Specifies the amount of time before a window-update ACK is sent. The default value is 200.
|
Step 4
Modify the appropriate values and click OK.
Deleting TCP Policies
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object TCP Policy from the Connection Policies Group folder.
Step 3
Select a TCP Policy and click Delete in the TCP Policies page. The Delete TCP Policy Warning pop-up appears.
Step 4
Click Yes.
Assigning a TCP Policy to Virtual Contexts
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object TCP Policy from the Connection Policies Group folder.
Step 3
Click Assign Policy and select Assign to Virtual Contexts in the TCP Policies page. The Assign TCP Policy to Virtual Contexts dialog box appears.
Step 4
Select available Virtual Contexts from the Available Virtual Contexts column and click Add to associate the Virtual Context with the TCP Policy. Select an associated Virtual Context from the Associated Virtual Contexts Column and click Remove to dissociate the Virtual Context from the TCP Policy.
Step 5
Click OK to save the settings.
Assigning a TCP Policy to Virtual Gateways
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object TCP Policy from the Connection Policies Group folder.
Step 3
Click Assign Policy and select Assign to Virtual Gateways in the TCP Policies page. The Assign TCP Policy to Virtual Gateway dialog box appears.
Step 4
Select available Virtual Gateways from the Available Virtual Gateways column and click Add to associate the Virtual Gateway with the TCP Policy. Select an associated Virtual Gateway from the Associated Virtual Gateway Column and click Remove to dissociate the Virtual Gateway from the TCP Policy.
Step 5
Click OK to save the settings.
SSL Policies
You can view, add, edit and delete SSL policies using this feature. You can also assign an SSL Policy to Virtual Contexts and Virtual Gateways.
• Viewing SSL Policies
• Adding SSL Policies
• Editing SSL Policies
• Deleting SSL Policies
• Assigning an SSL Policy to Virtual Contexts
• Assigning an SSL Policy to Virtual Gateways
Viewing SSL Policies
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object SSL Policies from the Connection Policies Group folder. The Connection Policy page appears with the following fields.
Field
|
Description
|
Policy Name
|
Defines SSL policy templates.
|
Version
|
Defines the various protocol versions supported by the proxy server.
|
Session Cache
|
Enables the session-caching feature. Session caching is enabled by default.
|
Session Timeout
|
Configures the amount of time that an entry is kept in the session cache. The valid range is from 1 to 72000 seconds.
|
Session Cache Size
|
Specifies the size of the session cache. The valid range is from 1 to 262143 entries.
|
Handshake Timeout
|
Configures how long the module keeps the connection in handshake phase. The valid range is from 0 to 65535 seconds.
|
Close Protocol
|
Configures the SSL close-protocol behavior. Close-protocol is disabled by default.
|
TLS Version Rollback
|
Specifies the version of the SSL protocol (SSL2.0, SSL3.0, TLS1.0) in the ClientHello message. TLS rollback is disabled by default.
|
Acceptable Cipher Suites
|
Configures a list of cipher-suite names acceptable to the proxy server. The cipher-suite names follow the same convention as that of existing SSL stacks.
|
Adding SSL Policies
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object SSL Policies from the Connection Policies Group folder. The Connection Policy page appears.
Step 3
Click Add in the SSL Policies page. The Add SSL Policy dialog box appears with the following fields.
Field
|
Description
|
Policy Name
|
Defines SSL policy templates.
|
Version
|
Defines the various protocol versions supported by the proxy server.
|
Session Cache
|
Enables the session-caching feature. Session caching is enabled by default.
|
Session Timeout
|
Configures the amount of time that an entry is kept in the session cache. The valid range is from 1 to 72000 seconds.
|
Session Cache Size
|
Specifies the size of the session cache. The valid range is from 1 to 262143 entries.
|
Handshake Timeout
|
Configures how long the module keeps the connection in handshake phase. The valid range is from 0 to 65535 seconds.
|
Close Protocol
|
Configures the SSL close-protocol behavior. Close-protocol is disabled by default.
|
TLS Version Rollback
|
Specifies the version of the SLL protocol (SSL2.0, SSL3.0, TLS1.0) in the ClientHello message. TLS rollback is disabled by default.
|
Acceptable Cipher Suites
|
Configures a list of cipher-suite names acceptable to the proxy server. The cipher-suite names follow the same convention as that of existing SSL stacks.
|
Step 4
Enter the appropriate values and click Yes.
Editing SSL Policies
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object SSL Policies from the Connection Policies Group folder. The Connection Policy page appears.
Step 3
Click Edit in the SSL Policies page. The Edit SSL Policy dialog box appears with the following fields.
Field | Description
Policy Name | Defines SSL policy templates. You cannot edit the value in this field.
Version | Defines the various protocol versions supported by the proxy server.
Session Cache | Enables the session-caching feature. Session caching is enabled by default.
Session Timeout | Configures the amount of time that an entry is kept in the session cache. The valid range is from 1 to 72000 seconds.
Session Cache Size | Specifies the size of the session cache. The valid range is from 1 to 262143 entries.
Handshake Timeout | Configures how long the module keeps the connection in the handshake phase. The valid range is from 0 to 65535 seconds.
Close Protocol | Configures the SSL close-protocol behavior. Close-protocol is disabled by default.
TLS Version Rollback | Specifies the version of the SSL protocol (SSL2.0, SSL3.0, TLS1.0) in the ClientHello message. TLS rollback is disabled by default.
Acceptable Cipher Suites | Configures a list of cipher-suite names acceptable to the proxy server. The cipher-suite names follow the same convention as that of existing SSL stacks.
Deleting SSL Policies
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object SSL Policies from the Connection Policies Group folder. The Connection Policy page appears.
Step 3
Select an SSL Policy and click Delete in the SSL Policies page. The Delete SSL Policy Warning appears.
Step 4
Click Yes.
Assigning an SSL Policy to Virtual Contexts
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object SSL Policy from the Connection Policies Group folder.
Step 3
Click Assign Policy and select Assign to Virtual Contexts in the SSL Policies page. The Assign SSL Policy to Virtual Contexts dialog box appears.
Step 4
Select available Virtual Contexts from the Available Virtual Contexts column and click Add to associate the Virtual Context with the SSL Policy. Select an associated Virtual Context from the Associated Virtual Contexts Column and click Remove to dissociate the Virtual Context from the SSL Policy.
Step 5
Click OK to save the settings.
Assigning an SSL Policy to Virtual Gateways
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the object SSL Policy from the Connection Policies Group folder.
Step 3
Click Assign Policy and select Assign to Virtual Gateways in the TCP Policies page. The Assign SSL Policy to Virtual Gateway dialog box appears.
Step 4
Select available Virtual Gateways from the Available Virtual Gateways column and click Add to associate the Virtual Gateway with the SSL Policy. Select an associated Virtual Gateway from the Associated Virtual Gateway Column and click Remove to dissociate the Virtual Gateway from the SSL Policy.
Step 5
Click OK to save the settings.
Time Ranges
You can view, add, edit and delete Time Ranges using this feature.
• Viewing Time Ranges
• Adding Time Ranges
• Editing Time Ranges
• Deleting Time Ranges
Viewing Time Ranges
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the Time Ranges Group folder. The Time Ranges page appears with the following fields.
Field | Description
Name | Name of the Time Range.
Start: Time | Start time of the Time Range.
Start: Date | Start date of the Time Range.
End: Time | End time of the Time Range.
End: Date | End date of the Time Range.
Used by ACLs | ACLs using this time range.
Periodic Entries: Days of the Week | Days of the week when the periodic time range is active.
Periodic Entries: Start Time | Start time of the periodic Time Range.
Periodic Entries: End Time | End time of the periodic Time Range.
Adding Time Ranges
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the Time Ranges Group folder. The Time Ranges page appears.
Step 3
Click Add in the Time Ranges pane. The Add Time Ranges Window appears with the following fields.
Field | Description
Name | Name of the time range.
Start Date/Time: Start Now | Start time range immediately.
Start Date/Time: Start At | Set time for time range to start.
End Date Time: Never End | Time range to continue indefinitely.
End Date Time: End At | Set time for time range to end.
Periodic Time Ranges: Days of the week | Days of the week when periodic time range should be active.
Periodic Time Ranges: Start Time | Start time for periodic time range.
Periodic Time Ranges: End time | End time for periodic time range.
Step 4
Enter the appropriate values and click OK.
Note
For a Time Range that uses Start Now and Never End, you must set at least one Periodic Time Range entry.
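How the fields above decide when a time-based ACL entry is in force, as an added Python example (not Cisco code and not part of the original guide). It assumes that the Start/End window bounds the range, that periodic entries must also match inside that window, and that a periodic entry whose End Time is earlier than its Start Time runs past midnight; the class and field names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set


@dataclass
class PeriodicEntry:
    days: Set[int]   # Days of the week, Monday=0 .. Sunday=6
    start: time      # Start Time
    end: time        # End Time

    def matches(self, now: datetime) -> bool:
        t, day = now.time(), now.weekday()
        if self.start <= self.end:
            return day in self.days and self.start <= t <= self.end
        # Assumed: the window crosses midnight. The late part belongs to
        # the listed day, the early part to the morning after it.
        if t >= self.start:
            return day in self.days
        return t <= self.end and (day - 1) % 7 in self.days


@dataclass
class TimeRange:
    name: str
    start_at: Optional[datetime] = None   # None models "Start Now"
    end_at: Optional[datetime] = None     # None models "Never End"
    periodic: List[PeriodicEntry] = field(default_factory=list)

    def validate(self) -> List[str]:
        """Return configuration problems; an empty list means none found."""
        problems = []
        # Rule from the Note: Start Now + Never End needs a periodic entry.
        if self.start_at is None and self.end_at is None and not self.periodic:
            problems.append("Start Now + Never End needs a periodic entry")
        if self.start_at and self.end_at and self.end_at <= self.start_at:
            problems.append("End At is not after Start At")
        return problems

    def is_active(self, now: datetime) -> bool:
        """True if an ACL entry bound to this range would apply at `now`."""
        if self.start_at and now < self.start_at:
            return False
        if self.end_at and now > self.end_at:
            return False
        # Assumed: with no periodic entries the whole window is active.
        return not self.periodic or any(p.matches(now) for p in self.periodic)
```

Running `is_active` over a week of sample timestamps for each range listed under "Used by ACLs" shows the hours in which a time-based rule does not apply.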
Editing Time Ranges
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the Time Ranges Group folder. The Time Ranges page appears.
Step 3
Click Edit in the Time Ranges pane. The Edit Time Ranges Window appears with the following fields.
Field | Description
Name | Name of the time range. You cannot edit the values in this field.
Start Date/Time: Start Now | Start time range immediately.
Start Date/Time: Start At | Set time for time range to start.
End Date Time: Never End | Time range to continue indefinitely.
End Date Time: End At | Set time for time range to end.
Periodic Time Ranges: Days of the week | Days of the week when periodic time range should be active.
Periodic Time Ranges: Start Time | Start time for periodic time range.
Periodic Time Ranges: End time | End time for periodic time range.
Step 4
Modify the appropriate values and click OK.
Deleting Time Ranges
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the Time Ranges Group folder. The Time Ranges page appears.
Step 3
Select a Time Range or multiple Time Ranges and click Delete in the Time Ranges pane. The Delete Time Range Warning pop-up appears.
Step 4
Click Yes.
Adding Periodic Entries
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the Time Ranges Group folder. The Time Ranges page appears.
Step 3
Click Add in the Periodic Entries pane. The Add Periodic Entry Window appears with the following fields.
Field | Description
Days of the week | Days of the week when periodic time range should be active.
Start Time | Start time for periodic time range.
End time | End time for periodic time range.
Step 4
Enter the appropriate values and click OK.
Editing Periodic Entries
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the Time Ranges Group folder. The Time Ranges page appears.
Step 3
Click Edit in the Periodic Entries pane. The Edit Periodic Entry Window appears with the following fields.
Field | Description
Days of the week | Days of the week when periodic time range should be active.
Start Time | Start time for periodic time range.
End time | End time for periodic time range.
Step 4
Modify the appropriate values and click OK.
Deleting Periodic Entries
Step 1
Click Setup in the taskbar and Global Settings in the left-most pane. The Global Settings page is displayed.
Step 2
Select the Time Ranges Group folder. The Time Ranges page appears.
Step 3
Select the Periodic entry or periodic entries you want to delete and click Delete in the Periodic Entries pane. The Delete Periodic Entry pop-up appears.
Step 4
Click OK.
What Are Global Settings and What Are They Used for?
Global Settings comprises:
• Network Settings
• Security
• Connection Policies
• Time Ranges
Network Settings
• Address Pools
• DNS
• Static Routes
• Interfaces
• VRF Instances
Address Pools
Address pools are used in group policy configuration to assign addresses to remote users. They are used in tunnel mode.
DNS
You can configure Global DNS and VRF-aware DNS entries for the WebVPN module using this feature.
Static Routes
You can configure Global Static Routes and VRF-aware Static Routes for the WebVPN module.
Interfaces
Interfaces are primarily used in the following areas:
Front-end interface (Gateway side): For a virtual gateway to be operational, an interface has to be created in the same subnet as this gateway. This interface must be a non-VRF interface.
Back-end interface (Server side): For a virtual context, the user specifies a NAT range. For this virtual context/NAT range to work as expected, an interface should exist in the same subnet as this NAT range.
If the virtual context is VRF-aware, then the above interface should also be in the same VRF.
VRF Instances
You can use a VRF instance to:
• Configure VRF-aware interfaces
• Configure a VRF-aware context (to isolate the routing lookup to different tables)
• Configure VRF-aware domain resolution
• Configure VRF-aware static routes
• Configure VRF-aware AAA and server groups
Security
• AAA
• Server Groups
• Authentication Lists
• Network ACLs
AAA
You can implement and configure authentication using AAA on your WebVPN module.
Server Groups
You can view, add, edit and delete server groups using this feature. You can also add RADIUS Servers to the server group, edit RADIUS server settings and delete RADIUS servers in the server group.
Authentication Lists
Authentication Lists are used in virtual context configurations to configure authentication for the virtual context. An authentication list is used by a virtual context to authenticate an end user using AAA RADIUS.
Network ACLs
Network ACLs are used in group policy configuration. ACLs are used to filter the traffic from the SSLVPN tunnel.
Connection Policies
• TCP Policies
• SSL Policies
TCP Policies
You can configure TCP policies for your WebVPN module using this feature. You can also assign a TCP policy for virtual contexts and virtual gateways.
SSL Policies
You can configure SSL policies for your WebVPN module using this feature. You can also assign an SSL policy for virtual contexts and virtual gateways.
Time Ranges
• Time Ranges
Time Ranges are used to configure time-based extended ACLs.