VPN 3000 Series Concentrator Reference Volume I: Configuration, Release 4.7
Using the VPN Concentrator Manager

Table Of Contents

Using the VPN Concentrator Manager

Browser Requirements

JavaScript and Cookies

Navigation Toolbar

Recommended PC Monitor/Display Settings

Connecting to the VPN Concentrator Using HTTP

Installing the SSL Certificate in Your Browser

Installing the SSL Certificate with Internet Explorer

Viewing Certificates with Internet Explorer

Installing the SSL Certificate with Netscape

Reinstallation

First-time Installation

Viewing Certificates with Netscape

Connecting to the VPN Concentrator Using HTTPS

Logging into the VPN Concentrator Manager

Configuring HTTP, HTTPS, and SSL Parameters

Organization of the VPN Concentrator Manager

Navigating the VPN Concentrator Manager


Using the VPN Concentrator Manager


The VPN Concentrator Manager (also referred to as the Manager) is an HTML-based interface that lets you configure, administer, monitor, and manage the VPN 3000 Series Concentrator with a standard web browser. To use it, you need only to connect to the VPN Concentrator using a PC and browser on the same private network as the VPN Concentrator.

The Manager uses the standard web client/server protocol, HTTP, which is a cleartext protocol. However, you can also use the Manager in a secure, encrypted HTTP connection over SSL (Secure Sockets Layer) protocol, which is known as HTTPS.

To use a cleartext HTTP connection, see Connecting to the VPN Concentrator Using HTTP.

To use HTTP over SSL (HTTPS) with the Manager the first time, connect to the Manager using HTTP, and install an SSL certificate in the browser; see Installing the SSL Certificate in Your Browser.

Once the SSL certificate is installed, you can connect directly using HTTPS; see Connecting to the VPN Concentrator Using HTTPS.

Browser Requirements

The VPN Concentrator Manager requires one of the following browsers:

Microsoft Internet Explorer version 6.0 SP1 or higher (Windows) (SP2 required for Windows XP)

Netscape Navigator version 7.2 or higher (Windows, Linux, or Solaris)

Mozilla 1.73 or higher (Windows, Linux, or Solaris)

Firefox 1.0 (Windows, Macintosh, or Linux)

For best results, we recommend Internet Explorer. Whatever browser and version you use, install the latest patches and service packs for it.

JavaScript and Cookies

Be sure JavaScript and Cookies are enabled in the browser. Check these settings.

Internet Explorer 6.0

JavaScript:

1. On the Tools menu, choose Internet Options.

2. On the Security tab, click Custom Level.

3. In the Security Settings window, scroll down to Scripting.

4. Click Enable under Active scripting.

5. Click Enable under Scripting of Java applets.

Cookies:

1. On the Tools menu, choose Internet Options.

2. On the Privacy tab, set the slider at or below Medium High.

Netscape Navigator 7.2 and Mozilla 1.7

JavaScript:

1. On the Edit menu, choose Preferences.

2. Under the Advanced category, choose Scripts & Plug-ins.

3. Check the Navigator check box.

4. Check all Allow Web pages check boxes.

Cookies:

1. On the Edit menu, choose Preferences.

2. Under the Privacy & Security category, choose Cookies.

3. Choose Enable All Cookies.

Navigation Toolbar

Do not use the browser navigation toolbar buttons Back, Forward, or Refresh/Reload with the VPN Concentrator Manager unless instructed to do so. To protect access security, clicking Refresh/Reload automatically logs out the Manager session. Clicking Back or Forward might result in outdated Manager screens with incorrect data or settings being displayed.

We recommend that you hide the browser navigation toolbar to prevent mistakes from occurring during use of the VPN Concentrator Manager.

Recommended PC Monitor/Display Settings

For easiest use, we recommend that you use the following settings on your monitor or display:

Desktop area = 1024 x 768 pixels or greater. The minimum desktop area is 800 x 600 pixels.

Color palette = 256 colors or more.

Connecting to the VPN Concentrator Using HTTP

When your system administration tasks and network permit a cleartext connection between the VPN Concentrator and your browser, you can use the standard HTTP protocol to connect to the system.

Even if you plan to use HTTPS, you must first use HTTP to install an SSL certificate in your browser.


Step 1 Bring up the browser.

Step 2 In the browser Address or Location field, enter the VPN Concentrator Ethernet 1 (Private) interface IP address, for example: 10.10.99.50. The browser automatically assumes and supplies an http:// prefix.

The browser displays the VPN Concentrator Manager login screen. (See Figure 1-1.)


Figure 1-1 VPN Concentrator Manager Login Screen

To continue using HTTP for the whole session, skip to Logging into the VPN Concentrator Manager.

Installing the SSL Certificate in Your Browser

The VPN Concentrator Manager provides the option of using HTTP over SSL with the browser. SSL creates a secure session between your browser (client) and the VPN Concentrator (server). This protocol is known as HTTPS, and uses the https:// prefix to connect to the server. The browser first authenticates the server, then encrypts all data passed during the session.

HTTPS is often confused with a similar protocol, S-HTTP (Secure HTTP), which encrypts only HTTP application-level data. SSL encrypts all data between client and server at the IP socket level, and is thus more secure.

SSL uses digital certificates for authentication. The VPN Concentrator creates a self-signed SSL server certificate when it boots, and this certificate must be installed in the browser. Once the certificate is installed, you can connect using HTTPS. You need to install the certificate from a given VPN Concentrator only once.

Managing the VPN Concentrator is the same with or without SSL. Manager screens might take slightly longer to load with SSL because of encryption/decryption processing. When connected via SSL, the browser shows a locked-padlock icon on its status bar. Both Microsoft Internet Explorer and Netscape Navigator support SSL.

Follow these steps to install and use the SSL certificate for the first time. We provide separate instructions for Internet Explorer and Netscape Navigator when they diverge.


Step 1 Connect to the VPN Concentrator using HTTP as noted in the preceding text.

Step 2 On the login screen, click the Install SSL Certificate link.

The Manager displays the Install SSL Certificate screen (see Figure 1-2) and automatically begins to download and install its SSL certificate in your browser.


Figure 1-2 Install SSL Certificate Screen

At this point in the process, the installation sequence differs depending on the browser being used.

For Internet Explorer, proceed to the next section, Installing the SSL Certificate with Internet Explorer.

For Netscape Navigator, see Installing the SSL Certificate with Netscape.
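The certificate is downloaded over cleartext HTTP and then installed as a trusted root, so a saved copy of the file can be checked before it is installed. The following is an added example, not part of the Cisco documentation: it checks the two properties this page states (the certificate is self-signed and its name is the Ethernet 1 (Private) IP address) and compares the SHA-256 fingerprint with a known value. Assumptions: the openssl command-line tool is available, you already hold the fingerprint through a channel you trust, and all function and file names are hypothetical.

```shell
#!/bin/sh
# Added example: check a saved certificate file before installing it as a
# trusted root. Assumes the openssl CLI; all names here are hypothetical.

# Run "openssl x509" on a file, trying PEM encoding first and then DER.
x509() {
    f=$1; shift
    openssl x509 -in "$f" -noout "$@" 2>/dev/null ||
        openssl x509 -inform DER -in "$f" -noout "$@" 2>/dev/null
}

# Print the SHA-256 fingerprint as bare uppercase hex (no colons).
cert_fingerprint() {
    x509 "$1" -fingerprint -sha256 | sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# Normalize a fingerprint written down by hand: drop colons/spaces, uppercase.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# check_concentrator_cert FILE EXPECTED_IP EXPECTED_FINGERPRINT
# Prints a one-word verdict and returns 0 only when every check passes.
check_concentrator_cert() {
    subj=$(x509 "$1" -subject -nameopt RFC2253 | sed 's/^subject= *//')
    issr=$(x509 "$1" -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    [ -n "$subj" ] || { echo unreadable; return 1; }
    # Self-signed: subject and issuer names must match (name comparison only).
    [ "$subj" = "$issr" ] || { echo not-self-signed; return 1; }
    # The certificate name must be the Ethernet 1 (Private) IP address.
    case ",$subj," in
        *",CN=$2,"*) ;;
        *) echo wrong-name; return 1 ;;
    esac
    [ "$(cert_fingerprint "$1")" = "$(normalize_fp "$3")" ] ||
        { echo fingerprint-mismatch; return 1; }
    echo ok
}

# Constructed sample input: a throwaway self-signed certificate standing in
# for the file saved from the Install SSL Certificate screen.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    make_sample_cert 10.10.147.2 "$dir/saved.pem"
    # Stands in for the fingerprint obtained through a trusted channel.
    trusted=$(cert_fingerprint "$dir/saved.pem")
    # Same name, different key: what a substituted certificate looks like.
    make_sample_cert 10.10.147.2 "$dir/other.pem"
    check_concentrator_cert "$dir/saved.pem" 10.10.147.2 "$trusted" || true
    check_concentrator_cert "$dir/other.pem" 10.10.147.2 "$trusted" || true
    rm -rf "$dir"
}
demo
```

The name and self-signed checks alone do not distinguish the two sample certificates; only the fingerprint comparison does.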

Installing the SSL Certificate with Internet Explorer


Note This section describes SSL certificate installation using Microsoft Internet Explorer 5.0. With other versions of Internet Explorer, some dialog boxes might differ but the process is similar.


You need to install the SSL certificate from a given VPN Concentrator only once. If you do reinstall it, the browser repeats all these steps each time.

A few seconds after the VPN Concentrator Manager SSL screen appears, Internet Explorer displays a File Download dialog box that identifies the certificate filename and source, and asks whether to open or save the certificate. To immediately install the certificate in the browser, click the Open this file from its current location radio button. If you save the file, the browser prompts for a location; you must then double-click on the file to install it.

Figure 1-3 Internet Explorer File Download Dialog Box


Step 1 Click the Open this file from its current location radio button, then click OK.

The browser displays the Certificate dialog box with information about the certificate. (See Figure 1-4.) You must now install the certificate.

Figure 1-4 Internet Explorer Certificate Dialog Box

Step 2 Click Install Certificate.

The browser starts a wizard to install the certificate. (See Figure 1-5.) In Internet Explorer, these certificates are stored in the "certificates store."

Figure 1-5 Internet Explorer Certificate Manager Import Wizard Dialog Box

Step 3 Click Next to continue.

The wizard opens the next dialog box; you are asked to choose a certificate store. (See Figure 1-6.)

Figure 1-6 Internet Explorer Certificate Manager Import Wizard Dialog Box

Step 4 Click Automatically select the certificate store, then click Next.

The wizard opens a dialog box to complete the installation. (See Figure 1-7.)

Figure 1-7 Internet Explorer Certificate Manager Import Wizard Dialog Box

Step 5 Click Finish.

The wizard opens the Root Certificate Store dialog box; you are asked to confirm the installation. (See Figure 1-8.)

Figure 1-8 Internet Explorer Root Certificate Store Dialog Box

Step 6 To install the certificate, click Yes. The dialog box then closes, and a final wizard confirmation dialog box opens. (See Figure 1-9.)

Figure 1-9 Internet Explorer Certificate Manager Import Wizard Final Dialog Box

Step 7 Click OK to close this dialog box, and click OK on the Certificate dialog box to close it. (See Figure 1-4.)

You can now connect to the VPN Concentrator using HTTP over SSL (HTTPS).

Step 8 On the Manager SSL screen (see Figure 1-2), click the link that says, After installing the SSL certificate, click here to connect to the VPN 3000 Concentrator Series using SSL.

Depending on how your browser is configured, you might see a Security Alert dialog box. (See Figure 1-10.)

Figure 1-10 Internet Explorer Security Alert Dialog Box

Step 9 Click OK.

The VPN Concentrator displays the HTTPS version of the Manager login screen. (See Figure 1-11.)

Figure 1-11 VPN Concentrator Manager Login Screen Using HTTPS (Internet Explorer)

The browser maintains the HTTPS state until you close the browser or access an insecure site; in the latter case you might see a Security Alert screen.

The following section, Viewing Certificates with Internet Explorer, provides additional information about managing certificates. However, it is not a required step.

Step 10 Proceed to Logging into the VPN Concentrator Manager to log in as usual.


Viewing Certificates with Internet Explorer

Examine certificates stored in Internet Explorer using either of the following methods.


Note The VPN Concentrator SSL certificate name is its Ethernet 1 (Private) IP address.


To View Details of the Certificate in Use


Step 1 Note the padlock icon on the browser status bar (at the bottom of the browser) in Figure 1-11. Double-click on the icon.

The browser opens a Properties screen showing details of the specific certificate in use. (See Figure 1-12.)

Figure 1-12 Internet Explorer 4.0 Certificate Properties Screen

Step 2 Select any one of the Field items to see details.

Step 3 Click Close when finished.


To View All Stored Certificates (Internet Explorer 4.0 Only)


Note These steps apply only to Internet Explorer 4.0. If you are using Internet Explorer 5.0, skip to the next section.



Step 1 Click the browser View menu. Choose Internet Options.

Step 2 Click the Content tab, then click Authorities in the Certificates section.

The browser displays the Certificate Authorities screen. (See Figure 1-13.)

Figure 1-13 Internet Explorer 4.0 Certificate Authorities Screen

Step 3 Select a certificate. Click View Certificate.

The browser displays the Certificate Properties screen. (See Figure 1-12.)


To View All Stored Certificates (Internet Explorer 5.0 Only)


Note These steps apply only to Internet Explorer 5.0. If you are using an earlier version of Internet Explorer, follow the steps in the previous section.



Step 1 Click the browser Tools menu. Choose Internet Options.

The browser displays the Internet Options screen.

Step 2 Click the Content tab. In the Certificates section, click Certificates... .

The browser displays the Certificate Manager screen.

Step 3 In the Certificate Manager screen, click the Trusted Root Certification Authorities tab. Select a certificate, then click View Certificate.

The browser displays the Certificate Properties screen. (See Figure 1-12.)


Installing the SSL Certificate with Netscape

This section describes SSL certificate installation using Netscape Navigator/Communicator 4.5.

Reinstallation

You need to install the SSL certificate from a given VPN Concentrator only once. If you attempt to reinstall it, Netscape displays the note shown in Figure 1-14. Click OK, and connect to the VPN Concentrator using SSL (see Step 8 under First-time Installation).

Figure 1-14 Netscape Reinstallation Note

First-time Installation

The instructions below follow from Step 2 under Installing the SSL Certificate in Your Browser and describe first-time certificate installation.

A few seconds after the VPN Concentrator Manager SSL screen appears, Netscape displays a New Certificate Authority screen. (See Figure 1-15.)

Figure 1-15 Netscape New Certificate Authority Screen 1


Step 1 Click Next> to proceed.

Netscape displays the next New Certificate Authority screen, which further explains the process. (See Figure 1-16.)

Figure 1-16 Netscape New Certificate Authority Screen 2

Step 2 Click Next> to proceed.

Netscape displays the next New Certificate Authority screen, which lets you examine details of the VPN Concentrator SSL certificate. (See Figure 1-17.)

Figure 1-17 Netscape New Certificate Authority Screen 3

Step 3 Click Next> to proceed.

Netscape displays the next New Certificate Authority screen, with choices for using the certificate. No choices are checked by default. (See Figure 1-18.)

Figure 1-18 Netscape New Certificate Authority Screen 4

Step 4 You must check at least the first box, Accept this Certificate Authority for Certifying network sites. Click Next> to proceed.

Netscape displays the next New Certificate Authority screen, which lets you choose to have the browser warn you about sending data to the VPN Concentrator. (See Figure 1-19.)

Figure 1-19 Netscape New Certificate Authority Screen 5

Step 5 Checking the box is optional.


Note If the box is checked, you will get a warning whenever you apply settings on a Manager screen. It is probably less intrusive to manage the VPN Concentrator without those warnings.


Step 6 Click Next> to proceed.

Netscape displays the final New Certificate Authority screen, which asks you to provide a nickname for the certificate. (See Figure 1-20.)

Figure 1-20 Netscape New Certificate Authority Screen 6

Step 7 In the Nickname field, enter a descriptive name for this certificate. "Nickname" is something of a misnomer. We suggest you use a clearly descriptive name such as Cisco VPN Concentrator 10.10.147.2. This name appears in the list of installed certificates; see Viewing Certificates with Netscape.

Click Finish.

You can now connect to the VPN Concentrator using HTTP over SSL (HTTPS).

Step 8 On the Manager SSL screen (see Figure 1-2), click the link that says, After installing the SSL certificate, click here to connect to the VPN Concentrator using SSL.

Depending on how your browser is configured, you might see a Security Information Alert dialog box. (See Figure 1-21.)

Figure 1-21 Netscape Security Information Alert Dialog Box

Step 9 Click Continue.

The VPN Concentrator displays the HTTPS version of the Manager login screen. (See Figure 1-22.)

Figure 1-22 VPN Concentrator Manager Login Screen Using HTTPS (Netscape)

The browser maintains the HTTPS state until you close the browser or access an insecure site; in the latter case, you might see a Security Information Alert dialog box.

The following section, Viewing Certificates with Netscape, provides additional information about managing certificates. However, it is not a required step.

Step 10 Proceed to Logging into the VPN Concentrator Manager to log in.


Viewing Certificates with Netscape

Examine certificates stored in Netscape Navigator/Communicator 4.5 using either of the following methods.

To View Details of the Certificate in Use


Step 1 Note the locked-padlock icon on the bottom status bar. If you click the icon, Netscape opens a Security Info window. (See Figure 1-23.)


Note You can also open this window by clicking Security on the Navigator Toolbar at the top of the Netscape window.


Figure 1-23 Netscape Security Info Window

Step 2 Click the View Certificate button to see details of the specific certificate in use. The View Certificates screen opens. (See Figure 1-24.)

Figure 1-24 Netscape View Certificate Screen

Step 3 Click OK when finished.


To View All Stored Certificates


Step 1 In the Security Info window (see Figure 1-25), select Certificates, then Signers. The "nickname" you entered in Step 7 under First-time Installation identifies the VPN Concentrator SSL certificate.

Figure 1-25 Netscape Certificates Signers List

Step 2 Select a certificate, then click Edit, Verify, or Delete. Click OK when finished.


Connecting to the VPN Concentrator Using HTTPS

Once you have installed the VPN Concentrator SSL certificate in the browser, you can connect directly using HTTPS:


Step 1 Bring up the browser.

Step 2 In the browser Address or Location field, enter https:// plus the VPN Concentrator private interface IP address or hostname, plus /admin; for example, https://10.10.147.2/admin.

The browser displays the VPN Concentrator Manager HTTPS login screen. (See Figure 1-26.)

Figure 1-26 VPN Concentrator Manager HTTPS Login Screen

A locked-padlock icon on the browser status bar indicates an HTTPS session. This login screen does not include the Install SSL Certificate link.


Logging into the VPN Concentrator Manager

The procedure for logging into the VPN Concentrator Manager is the same for both types of connections, cleartext HTTP and secure HTTPS.

Entries are case-sensitive. With Microsoft Internet Explorer, you can select the Tab key to move from field to field; other browsers might work differently. If you make a mistake, click the Clear button and start over.

The following steps use the factory-supplied default entries. If you have changed them, use your entries.


Step 1 Click in the Login field and type admin. (Do not press Enter.)

Step 2 Click in the Password field and type admin. (The field shows *****.)

Step 3 Click the Login button.

The VPN Concentrator Manager displays the main welcome screen. (See Figure 1-27.)

Figure 1-27 Manager Main Welcome Screen

From here you can navigate the Manager using either the table of contents in the left frame, or the Manager toolbar in the top frame.


Configuring HTTP, HTTPS, and SSL Parameters

HTTP, HTTPS, and SSL are enabled by default on the VPN Concentrator, and they are configured with recommended parameters that should suit most administration tasks and security requirements.

To configure HTTP parameters, see the System | Management Protocols | HTTP screen.

To configure SSL and HTTPS parameters, see the Tunneling and Security | SSL screen.

For additional security, by default these parameters are accessible only from the private interface or through established VPN tunnels.

Organization of the VPN Concentrator Manager

The VPN Concentrator Manager consists of three major sections and many subsections:

Configuration: Setting all the parameters for the VPN Concentrator that govern its use and its function as a VPN device:

Interfaces: Ethernet and power-supply interface parameters.

System: Parameters for system-wide functions such as server access, address management, IP routing, built-in management servers, event handling, and system identification.

User Management: Attributes for groups and users that determine their access to and use of the VPN.

Policy Management: Policies that control access times and data traffic through the VPN via filters, rules, and IPSec Security Associations.

Tunneling and Security: Attributes for PPTP, L2TP, IPSec, SSH, SSL, and WebVPN.

Administration: Managing higher-level functions that keep the VPN Concentrator operational and secure, such as who is allowed to configure the system, what software runs on it, and managing its digital certificates.

Monitoring: Viewing routing tables, event logs, system LEDs and status, data on user sessions, and statistics for protocols and system functions.

This manual covers configuration. For information on administration or monitoring, refer to VPN 3000 Concentrator Series Reference Volume II: Administration and Monitoring. For Quick Configuration, refer to the VPN 3000 Concentrator Series Getting Started manual.

Navigating the VPN Concentrator Manager

Your primary tool for navigating the VPN Concentrator Manager is the table of contents in the left frame.