VPN 3000 Series Concentrator Reference Volume I: Configuration, Release 4.7
Interfaces

Table Of Contents

Interfaces

Configuration | Interfaces

Screen Elements

Power

Screen Elements

Ethernet

Using the Tabs

Ethernet | General Tab    

Screen Elements

Ethernet | RIP Tab

Screen Elements

Ethernet | OSPF Tab

Screen Elements

Ethernet | Bandwidth Tab

Screen Elements

Ethernet | WebVPN Tab    

Screen Elements


Interfaces


The Interfaces section of the VPN 3000 Concentrator Series Manager applies primarily to Ethernet network interfaces. In this section, you configure functions that are interface-specific, rather than system-wide. There is also a screen to configure power-supply and voltage-sensor alarms.

Typically, you configure at least two network interfaces for the VPN Concentrator to operate as a VPN device: usually the Ethernet 1 (Private) and the Ethernet 2 (Public) interfaces. If you used Quick Configuration as described in the VPN 3000 Series Concentrator Getting Started manual, the system supplied many default parameters for the interfaces. In the Interfaces section, you can customize the configuration.

The VPN Concentrator uses filters to control, or govern, data traffic passing through the system (see Policy Management | Traffic Management). You apply filters both to interfaces and to groups and users. Group and user filters govern tunneled group and user data traffic; interface filters govern all data traffic.

Network interfaces usually connect to a router that routes data traffic to other networks. The VPN Concentrator includes IP routing functions: static routes, RIP (Routing Information Protocol), and OSPF (Open Shortest Path First). You configure RIP and interface-specific OSPF in the Interfaces section. You configure static routes, the default gateway, and system-wide OSPF in the IP Router section (see the Configuration | System | IP Routing screens).

RIP and OSPF are routing protocols that routers use to send messages to other routers to determine network connectivity, status, and optimum paths for sending data traffic. The VPN Concentrator supports RIP versions 1 and 2, and OSPF version 2. You can enable both RIP and OSPF on an interface.

Filter settings override RIP and OSPF settings on an interface; therefore, be sure settings in filter rules are consistent with RIP and OSPF use. For example, if you intend to use RIP, be sure you apply a filter rule that forwards UDP packets on the RIP port (UDP port 520 by default). Likewise, an interface filter that drops OSPF (IP protocol 89) silently prevents adjacencies from forming even if OSPF is enabled on the tab.

Configuration | Interfaces

This section lets you configure the three VPN Concentrator Ethernet interface modules. You can also configure alarm thresholds for the power-supply modules.

Model 3005 comes with two Ethernet interfaces. Models 3015 through 3080 come with three Ethernet interfaces.

Ethernet 1 (Private) is the interface to your private network (internal LAN).

Ethernet 2 (Public) is the interface to the public network.

Ethernet 3 (External) is the interface to an additional LAN (Models 3015 through 3080 only).

Configuring an Ethernet interface includes supplying an IP address, applying a traffic-management filter, setting the speed and transmission modes, and configuring RIP and OSPF routing protocols.


Note Interface settings take effect as soon as you apply them. If the system is in active use, changes might affect tunnel traffic.


The table shows all installed interfaces and their status.

Figure 3-1 Configuration | Interfaces Screen (Model 3005)


Figure 3-2 Configuration | Interfaces Screen (Models 3015 through 3080)

To configure a module, either click the appropriate link in the status table; or use the mouse pointer to select the module on the back-panel image, and click anywhere in the highlighted area.

Screen Elements

Refresh — To update the screen contents, click the Refresh button. The date and time shown at the top of the screen indicate when the contents were last updated.

Interface — The VPN Concentrator interface installed in the system. To configure an interface, click the appropriate link.

Ethernet 1 (Private), Ethernet 2 (Public), Ethernet 3 (External) — To configure Ethernet interface parameters, click the appropriate highlighted link in the table or click in a highlighted module on the back-panel image. See Interfaces | Ethernet.

[Renew | Release] — This field appears under Ethernet 1, 2, or 3 if DHCP Client is enabled for that interface.

Renew: Renews the DHCP client lease for the interface.

Release: Releases the DHCP client lease for the interface.

DNS Server(s) — This field displays the IP addresses of up to three configured DNS servers.

To view or edit DNS server information, click DNS Server. The System | Servers | DNS window appears.

DNS Domain Name — The registered domain in which the VPN Concentrator is located, for example: cisco.com.

To view or edit DNS Domain Name information, click DNS Domain Name. The System | Servers | DNS window appears.

Status — The operational status of this interface.

Up (Green): Configured, enabled, and operational; ready to pass data traffic.

Down (Red): Configured but disabled or disconnected.

Testing: In test mode; no regular data traffic can pass.

Dormant (Red): Configured and enabled but waiting for an external action, such as an incoming connection.

Not Present (Red): Missing hardware components.

Lower Layer Down (Red): Not operational because a lower-layer interface is down.

Unknown (Red): Not configured or not able to determine status.

Not Configured: Present but not configured.

Waiting for DHCP: DHCP is enabled, but the VPN Concentrator has not received an IP address.

Lease expires in... (hh:mm:ss): If DHCP Client is enabled on any interface, the amount of time remaining on the lease appears here. You can also view this information on the Interfaces | Ethernet screens.

IP Address — The IP address configured on this interface.

Subnet Mask — The subnet mask configured on this interface.

MAC Address — The unique hardware MAC (Medium Access Control) address for this interface, displayed in 6-byte hexadecimal notation.

Default Gateway — This field displays the IP address of the default gateway for the subnet associated with this interface.

To view or edit default gateway information, click Default Gateway. The System | IP Routing | Default Gateways window displays.

When you are not using DHCP to obtain a default gateway, you configure a default gateway manually. If DHCP client on the Ethernet 2 (Public) interface is enabled, the default gateway is automatically entered in the routing table, and not in the System | IP Routing | Default Gateways screen.

When you configure a default gateway manually, the system automatically removes the DHCP-obtained default gateway from the routing table. To reverse this operation, renew the DHCP lease for the Ethernet 2 (Public) interface.

Power Supplies — To configure alarm thresholds on system power supplies, click the appropriate highlighted link or click in a highlighted power-supply module in the back-panel image and see Interfaces | Power.

Back-Panel Image

You can configure Ethernet interface parameters or alarm thresholds on system power supplies by clicking the appropriate highlighted module in the back-panel image instead of the text in the table. See Interfaces | Ethernet and Interfaces | Power.

Power

This screen lets you configure alarm thresholds for voltages in the system power supplies, CPU, and main circuit board. You set high and low thresholds for the voltages. (For recommended thresholds, see Table 3-1.) When the system detects a voltage outside a threshold value, it generates a HARDWAREMON (hardware monitoring) event. (See Configuration | System | Events.) If a power supply is faulty, the appropriate Power Supply LED on the front panel is amber.

Table 3-1 Recommended Power Thresholds

Threshold Monitor      Minimum-Maximum Range (in centivolts)   Tolerance
1.9V CPU               180-201 cV                              ±10 cV
2.5V CPU               241-260 cV                              ±10 cV
3.3V power supply      321-389 cV                              ±10% (+25 cV if redundant power supply)
5.0V power supply      471-577 cV                              ±10% (+25 cV if redundant power supply)
3.3V board             314-346 cV                              ±5%
5.0V board             474-524 cV                              ±5%



Warning If a voltage generates an alarm, shut down the system in an orderly way and contact Cisco support. Operating the system with out-of-range voltages, especially if they exceed the high threshold, might cause permanent damage.


You can view system voltages and status on the Monitoring | System Status | Power screen.

Figure 3-3 Configuration | Interfaces | Power screen (Model 3005)

Figure 3-4 Configuration | Interfaces | Power screen (Model 3015 through 3080)

Screen Elements

Alarm Thresholds — The fields show default values for alarm thresholds in centivolts, for example, 361 = 3.61 volts. Enter or edit these values as desired.

The hardware sets voltage thresholds in increments that might not match an entered value. The fields show the actual thresholds, and the values might differ from your entries.

CPU — High and low thresholds for the voltage sensors on the CPU chip. The value is system dependent, either 2.5 or 1.9 volts.

Power Supply A, B — High and low thresholds for the 3.3- and 5-volt outputs from the power supplies. You can enter values for the second power supply on Models 3015-3080 even if it is not installed.

Board — High and low thresholds for the 3.3- and 5-volt sensors on the main circuit board.

Reminder:

After you apply changes, the Manager returns to the Configuration | Interfaces screen. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Ethernet

This screen lets you configure parameters for the Ethernet interface you selected. It displays the current parameters, if any.

Configuring an Ethernet interface includes supplying an IP address, identifying it as a public interface, applying a traffic-management filter, setting speed and transmission mode, configuring RIP and OSPF routing protocols, and setting WebVPN parameters.

To apply a custom filter, you must configure the filter first; see Policy Management | Traffic Management.


Caution If you modify any parameters of the interface that you are currently using to connect to the VPN Concentrator, you will break the connection, and you will have to restart the Manager from the login screen.

Using the Tabs

This screen includes several tabbed sections. Click each tab to display its parameters. As you move from tab to tab, the Manager retains your settings. When you have finished setting parameters on all tabbed sections, click Apply or Cancel.

Ethernet | General Tab    

This tab lets you configure general interface parameters: DHCP client, IP address, subnet mask, public interface status, filter, speed, transmission mode, maximum transmission unit, and IPSec fragmentation policy.

Figure 3-5 Configuration | Interfaces | Ethernet 1 2 3 Screen, General Tab

Screen Elements

Disabled — To take the interface offline, click the Disabled radio button. This state lets you retain or change its configuration parameters.

If the interface is configured but disabled (offline), the appropriate Ethernet Link Status LED blinks green on the VPN Concentrator front panel.

DHCP Client — Click this radio button if you want to obtain the IP address, the subnet mask, and the default gateway for this interface via DHCP. If you click this button, you cannot make entries in the IP address and subnet mask fields that follow.


Note Because some Internet service providers require that the host name be specified in DHCP requests, you might have to specify the system name when running the DHCP Client on the VPN Concentrator public interface. (Specify the system name on the System | General | Identification screen.) The VPN Concentrator uses the system name as the host name in DHCP requests.


Static IP Addressing — Click this radio button to manually configure the interface IP address and subnet mask.

IP Address — If you want to set a static IP address for this interface, enter the IP address here. Be sure no other device is using this address on the network.

Subnet Mask — Enter the subnet mask for this interface. The Manager automatically supplies a standard subnet mask appropriate for the IP address you just entered. For example, the IP address 192.168.12.34 is a Class C address, and the standard subnet mask is 255.255.255.0. You can accept this entry or change it.

Public Interface — To make this interface a public interface, check the Public Interface check box. A public interface is an interface to a public network, such as the Internet. You must configure a public interface before you can configure NAT and IPSec LAN-to-LAN, for example. You should designate only one VPN Concentrator interface as a public interface.

MAC Address — This is the unique hardware MAC (Medium Access Control) address for this interface, displayed in 6-byte hexadecimal notation. You cannot change this address.

Filter — The filter governs the handling of data packets through this interface: whether to forward or drop, in accordance with configured criteria. Cisco supplies the default filters listed below, which you can modify and use with the VPN Concentrator. You can configure filters on the Policy Management | Traffic Management screens.

Click the drop-down menu button and choose the filter to apply to this interface:

1. Private (Default): Allow all packets except source-routed IP packets. Cisco supplies this default filter for Ethernet 1, but it is not selected by default.

2. Public (Default): Allow inbound and outbound tunneling protocols plus ICMP and VRRP. Allow fragmented IP packets. Drop everything else, including source-routed packets. Cisco supplies this default filter for Ethernet 2, and it is selected by default for Ethernet 2.

3. External (Default): No rules applied to this filter. Drop all packets. Cisco supplies this default filter for Ethernet 3, but it is not selected by default.

4. Firewall Filter for VPN Client (Default): Allow outbound packets only. Cisco supplies this default filter for the VPN Client, when using Policy Pushed firewall configuration.

None: No filter applied to the interface, which means there are no restrictions on data packets. This is the default selection for Ethernet 1 and 3.

Other filters that you have configured also appear in this menu.

Speed — Click the Speed drop-down menu button and choose the interface speed:

10 Mbps: Fix the speed at 10 megabits per second (10Base-T networks).

100 Mbps: Fix the speed at 100 megabits per second (100Base-T networks).

10/100 auto: Let the VPN Concentrator automatically detect and set the appropriate speed, either 10 or 100 Mbps (default). Be sure that the port on the active network device (hub, switch, router, etc.) to which you connect this interface is also set to automatically negotiate the speed. Otherwise, choose the appropriate fixed speed.

Duplex — Click the Duplex drop-down menu button and choose the interface transmission mode:

Auto: Let the VPN Concentrator automatically detect and set the appropriate transmission mode, either full or half duplex (default). Be sure that the port on the active network device (hub, switch, router, etc.) to which you connect this interface is also set to automatically negotiate the transmission mode. Otherwise, choose the appropriate fixed mode.

Full-Duplex: Fix the transmission mode as full duplex: transmission in both directions at the same time.

Half-Duplex: Fix the transmission mode as half duplex: transmission in only one direction at a time.

MTU — The MTU value specifies the maximum transmission unit (packet size) in bytes for the interface. Valid values range from 68 through 1500. The default value, 1500, is the MTU for IP.

Change this value only on an interface that terminates a VPN tunnel, typically a public or external interface.

Change this value only when the VPN Concentrator is dropping large packets because of the additional 8 bytes that a PPPoE header adds, or when other intermediate devices drop large, fragmentable packets without issuing an ICMP message. In these cases, determine the largest packet size that can pass without being dropped, and set the MTU to that value. The object is to reduce overhead on the system by sending packets that are as large as possible, but that are not so large as to require fragmentation and reassembly.

A good way to find out the largest packet size that can be passed is to use the PING utility with the Don't Fragment bit set. The syntax below is for the Windows ping command (on Linux the equivalent is ping -M do -s <size> <destination>):

ping -f -l <payload size in bytes> <destination IP address>, where

f = do not fragment

l = payload length.

For example: ping -f -l 1400 10.10.32.4

Increase the size until the ping fails with a "needs to be fragmented" error or receives no reply; the last size that succeeds is the largest payload the path accepts.


Note The value you use when pinging is the ICMP payload only. It does not include the 20-byte IP header and the 8-byte ICMP header, which total 28 bytes. Add these 28 bytes when you set the MTU value for the interface: for example, if 1400 is the largest payload that passes, set the MTU to 1428. The 14-byte Ethernet header is not part of the MTU and is not added.


If the interface is receiving large packets that require fragmentation, and the DF (Don't Fragment) bit is set, use the third option in the IPSec Fragmentation Policy field below. You can find out if the DF bit is set by using a traffic analyzer, or you may receive this ICMP message: "Fragmentation required but the DF bit is set."
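The probing procedure above can be automated as a binary search over the payload size. The following is an added example (not code from the manual or from Cisco): it wraps the system ping command with DF set, searches for the largest payload that passes, and converts it to an interface MTU by adding the 28 bytes of IP and ICMP headers. The ping command lines for Windows and Linux iputils, and the simulated path used when no destination is given, are assumptions made for the example.

```python
"""Path-MTU probe helper: added example, not part of the VPN 3000 documentation."""
import platform
import subprocess

IP_HEADER = 20    # bytes, IPv4 header without options
ICMP_HEADER = 8   # bytes, ICMP echo header


def mtu_from_payload(payload: int) -> int:
    """Interface MTU is the IP datagram size: ICMP payload plus IP and ICMP headers.
    The 14-byte Ethernet header is not counted in the MTU."""
    return payload + IP_HEADER + ICMP_HEADER


def ping_df(dest: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one ICMP echo with the DF bit set; True if a reply came back.
    Assumed command syntax: Windows ping (-f -l) and Linux iputils ping (-M do -s)."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload),
               "-w", str(timeout_s * 1000), dest]
    else:
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload),
               "-W", str(timeout_s), dest]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def largest_payload(probe, lo: int = 0, hi: int = 1472):
    """Binary search for the largest payload that probe(payload) accepts.
    hi = 1472 is the biggest payload that fits a 1500-byte IP packet (1500 - 28).
    Assumes the path is monotone: if size n passes, every smaller size passes."""
    if not probe(lo):
        return None            # even the smallest probe fails: host unreachable / DF rejected
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid           # mid fits, look higher
        else:
            hi = mid - 1       # mid is too big
    return lo


def recommend_mtu(probe):
    """MTU value to enter on the Ethernet | General tab, or None if nothing passed."""
    payload = largest_payload(probe)
    return None if payload is None else mtu_from_payload(payload)


def simulated_path(path_mtu: int):
    """Constructed stand-in for a real network (no packets are sent):
    a probe succeeds when the whole IP datagram fits the path MTU."""
    return lambda payload: mtu_from_payload(payload) <= path_mtu


if __name__ == "__main__":
    import sys
    # With a destination argument the real ping command is used; without one,
    # a constructed PPPoE-sized path (1500 - 8 = 1492) is simulated.
    dest = sys.argv[1] if len(sys.argv) > 1 else None
    probe = (lambda p: ping_df(dest, p)) if dest else simulated_path(1492)
    print("recommended MTU:", recommend_mtu(probe))
```

Run it against a host on the far side of the suspect link; on the simulated PPPoE path the search stops at a 1464-byte payload and recommends an MTU of 1492, which is exactly the 8-byte reduction the PPPoE note above describes.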


Note Changing the MTU or the fragmentation option on any interface tears down all existing connections. For example, if 100 active tunnels terminate on the public interface, and you change the MTU or the fragmentation on the external interface, all of the active tunnels on the public interface are dropped.


Public Interface IPSec Fragmentation Policy — Refer to the section that follows.

IPSec Fragmentation

The IPSec fragmentation policy specifies how to treat packets that exceed the MTU setting when tunneling traffic through the public interface. This feature provides a way to handle cases where a router or NAT device between the VPN Concentrator and the client rejects or drops IP fragments. For example, suppose a client wants to use FTP get from an FTP server behind a VPN Concentrator. The FTP server transmits packets that when encapsulated would exceed the VPN Concentrator's MTU size on the public interface. The following options determine how the VPN Concentrator processes these packets.

The fragmentation policy you set here applies to all traffic travelling out the VPN Concentrator public interface to clients running version 3.6 or later software. The second and third options described below may affect performance.


Note The setting you configure applies to IPSec clients running software version 3.6 or later only. For clients running earlier software, for L2TP over IPSec clients, and for protocols other than IPSec, the VPN Concentrator ignores this setting and always applies the first option, "Do not fragment prior to IPSec encapsulation; fragment prior to interface transmission."


Do not fragment prior to IPSec encapsulation; fragment prior to interface transmission — The VPN Concentrator encapsulates all tunneled packets. After encapsulation, the VPN Concentrator fragments packets that exceed the MTU setting before transmitting them through the public interface. This is the default policy for the VPN Concentrator. This option works for situations where fragmented packets are allowed through the tunnel without hindrance. For the FTP example, large packets are encapsulated and then fragmented at the IP layer. Intermediate devices may drop fragments or just out-of-order fragments. Load-balancing devices can introduce out-of-order fragments.

Fragment prior to IPSec encapsulation with Path MTU Discovery (ICMP) — The VPN Concentrator fragments tunneled packets that would exceed the MTU setting during encapsulation. For this option, the VPN Concentrator drops large packets that have the Don't Fragment (DF) bit set, and sends an ICMP message "Packet needs to be fragmented but DF is set" to the packet's initiator. The ICMP message includes the maximum MTU size allowed. Path MTU Discovery means that an intermediate device (in this case the VPN Concentrator) informs the source of the MTU permitted to reach the destination.

If a large packet does not have the DF bit set, the VPN Concentrator fragments it prior to encapsulating, thus creating two independent non-fragmented IP packets, and transmits them out the public interface. This is the default policy for the VPN 3002 hardware client.

For this example, the FTP server may use Path MTU Discovery to adjust the size of the packets it transmits to this destination.

Fragment prior to IPSec encapsulation without Path MTU Discovery (Clear DF bit) — The VPN Concentrator fragments tunneled packets that exceed the MTU setting before encapsulating them. If the DF bit on these packets is set, the VPN Concentrator clears the DF bit, fragments the packets, and then encapsulates them. Each fragment becomes a complete, independent IP packet leaving the public interface, so no IP fragments cross the path and the original packet is reassembled at the peer site. In our example, the VPN Concentrator overrides the sender's DF bit and allows fragmentation. Because this option silently overrides the sender's Path MTU Discovery, use it only when the second option is not workable, for example when intermediate devices also drop the ICMP "needs fragmentation" messages.
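The three policies differ only in where the fragmentation happens and how the DF bit is treated. The following is an added example (not Cisco code) that models the decision for a single cleartext packet and shows what leaves the public interface under each policy. The ESP tunnel-mode overhead of 60 bytes is a constructed upper bound; the real figure depends on the transform set negotiated.

```python
"""Model of the three IPSec fragmentation policies: added example, not Cisco code."""

IP_HDR = 20
# Assumed tunnel-mode ESP overhead: outer IP header, ESP header and IV, padding,
# trailer and ICV. 60 bytes is a constructed upper bound, not a measured value.
ESP_OVERHEAD = 60


def ip_fragment(size: int, mtu: int) -> list:
    """Split an IP datagram of `size` bytes into fragments that each fit `mtu`.
    Fragment payloads except the last are multiples of 8 bytes (RFC 791)."""
    if size <= mtu:
        return [size]
    per_frag = ((mtu - IP_HDR) // 8) * 8
    if per_frag <= 0:
        raise ValueError("MTU too small to carry any fragment")
    payload = size - IP_HDR
    frags = []
    while payload > per_frag:
        frags.append(per_frag + IP_HDR)
        payload -= per_frag
    frags.append(payload + IP_HDR)
    return frags


def apply_policy(policy: int, size: int, df: bool, mtu: int):
    """What leaves the public interface for one cleartext packet of `size` bytes.

    Returns ("sent", [outgoing packet sizes], outer_fragments) where
    outer_fragments is True when the ESP packet itself was fragmented (policy 1),
    or ("dropped", next_hop_mtu) when policy 2 rejects a DF packet and sends
    ICMP "fragmentation needed" carrying the MTU the sender may use."""
    encapsulated = size + ESP_OVERHEAD
    if policy == 1:
        # Encapsulate first, then fragment the ESP packet at the IP layer.
        # A NAT or filter that drops IP fragments drops the tail here.
        frags = ip_fragment(encapsulated, mtu)
        return ("sent", frags, len(frags) > 1)

    inner_mtu = mtu - ESP_OVERHEAD   # largest cleartext packet that fits after encapsulation
    if encapsulated <= mtu:
        return ("sent", [encapsulated], False)
    if policy == 2 and df:
        # Honour DF: drop and report the usable MTU so the sender can adjust (PMTUD).
        return ("dropped", inner_mtu)
    # Policy 3 (or policy 2 with DF clear): fragment the cleartext before
    # encapsulation, so each fragment becomes a complete, independent ESP packet.
    inner = ip_fragment(size, inner_mtu)
    return ("sent", [f + ESP_OVERHEAD for f in inner], False)


if __name__ == "__main__":
    # Constructed case from the text: a full-size 1500-byte FTP data packet with
    # DF set, leaving a public interface whose MTU is 1500.
    for policy in (1, 2, 3):
        print(policy, apply_policy(policy, size=1500, df=True, mtu=1500))
```

With the 1500-byte DF packet, policy 1 emits a 1500-byte ESP fragment followed by an 80-byte fragment (the ones a NAT device may discard), policy 2 drops the packet and reports an MTU of 1440 to the sender, and policy 3 clears DF and emits two whole ESP packets of 1496 and 144 bytes.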

Ethernet | RIP Tab

RIP is a routing protocol that routers use for messages to other routers, to determine network connectivity, status, and optimum paths for sending data traffic. RIP uses distance-vector routing algorithms, and it is an older protocol that generates more network traffic than OSPF. The VPN Concentrator includes IP routing functions that support RIP versions 1 and 2. Many private networks with simple topologies still use RIPv1, although it has no authentication, so any host on the segment can inject routes. RIPv2 is generally considered the preferred version; it includes functions for authenticating other routers, for example. Leave Inbound RIP disabled on the public interface unless you control every router on that segment.

To use the Network Autodiscovery feature in IPSec LAN-to-LAN configuration, or to use the automatic list generation feature in Network Lists, you must enable Inbound RIPv2/v1 on Ethernet 1. (It is enabled by default.)

Figure 3-6 Configuration | Interfaces | Ethernet 1 2 3 screen, RIP Tab

Screen Elements

Inbound RIP — This parameter applies to RIP messages coming into the VPN Concentrator. It configures the system to listen for RIP messages on this interface.

Click the Inbound RIP drop-down menu button and choose the inbound RIP function:

Disabled: No inbound RIP functions. The system does not listen for any RIP messages on this interface (default for Ethernet 2 and 3).

RIPv1 Only: Listen for and interpret only RIPv1 messages on this interface.

RIPv2 Only: Listen for and interpret only RIPv2 messages on this interface.

RIPv2/v1: Listen for and interpret either RIPv1 or RIPv2 messages on this interface (default for Ethernet 1).

Outbound RIP — This parameter applies to RIP messages going out of the VPN Concentrator; that is, it configures the system to send RIP messages on this interface.

Click the Outbound RIP drop-down menu button and choose the outbound RIP function:

Disabled: No outbound RIP functions. The system does not send any RIP messages on this interface (default).

RIPv1 Only: Send only RIPv1 messages on this interface.

RIPv2 Only: Send only RIPv2 messages on this interface.

RIPv2/v1 compatible: Send RIPv2 messages that are compatible with RIPv1 on this interface.

Ethernet | OSPF Tab

OSPF is a routing protocol that routers use for messages to other routers, to determine network connectivity, status, and optimum paths for sending data traffic. OSPF uses link-state routing algorithms, and it is a newer protocol than RIP. It generates less network traffic and generally provides faster routing updates, but it requires more processing power than RIP. The VPN Concentrator includes IP routing functions that support OSPF version 2 (RFC 2328).

OSPF involves interface-specific parameters that you configure here, and system-wide parameters that you configure on the Configuration | System | IP Routing screens.

Figure 3-7 Configuration | Interfaces | Ethernet 1 2 3 Screen, OSPF Tab

Screen Elements

OSPF Enabled — Check this box to enable OSPF routing on this interface. (By default it is unchecked.)

To activate the OSPF system, you must also configure and enable OSPF on the System | IP Routing | OSPF screen.

OSPF Area ID — The area ID identifies the subnet area within the OSPF Autonomous System or domain. Routers within an area have identical link-state databases. While its format is that of a dotted decimal IP address, the ID is only an identifier and not an address.

The 0.0.0.0 area ID identifies a special area, the backbone, that contains all area border routers, which are the routers connected to multiple areas.

Enter the area ID in the field, using IP address format. The default entry is 0.0.0.0, the backbone. Your entry also appears in the OSPF Area list on the System | IP Routing | OSPF Areas screen.

OSPF Priority — This entry assigns a priority to the OSPF router on this interface. OSPF routers on a network elect one to be the Designated Router, which has the master routing database and performs other administrative functions. The router with the highest priority number becomes the Designated Router; if priorities tie, the router with the highest Router ID wins. A 0 entry means this router is ineligible to become the Designated Router.

Enter the priority as a number from 0 to 255. The default is 1.

OSPF Metric — This entry is the metric, or cost, of the OSPF router on this interface. The cost determines preferred routing through the network, with the lowest cost being the most desirable.

Enter the metric as a number from 1 to 65535. The default is 1.

OSPF Retransmit Interval — This entry is the number of seconds the router waits before retransmitting a Link State Advertisement (LSA) on this interface when a neighbor has not acknowledged it. LSAs are the messages that describe the router's current state.

Enter the interval as a number from 0 to 3600 seconds. The default is 5 seconds, which is a typical value for LANs.

OSPF Hello Interval — This entry is the number of seconds between Hello packets that the router sends to announce its presence, join the OSPF routing area, and maintain neighbor relationships. This interval must be the same for all routers on a common network.

Enter the interval as a number from 1 to 65535 seconds. The default is 10 seconds, which is a typical value for LANs.

OSPF Dead Interval — This entry is the number of seconds for the OSPF router to wait before it declares that a neighboring router is out of service, after the router no longer sees the neighbor's Hello packets. This interval should be some multiple of the Hello Interval, and it must be the same for all routers on a common network.

Enter the interval as a number from 0 to 65535 seconds. The default is 40 seconds, which is a typical value for LANs.

OSPF Transit Delay — This entry is the estimated number of seconds it takes to transmit a link state update packet over this interface, and it should include both the transmission and propagation delays of the interface. This delay must be the same for all routers on a common network.

Enter the delay as a number from 0 to 3600 seconds. The default is 1 second, which is a typical value for LANs.

OSPF Authentication — This parameter sets the authentication method for OSPF protocol messages. OSPF messages can be authenticated so that only trusted routers can route messages within the domain. This authentication method must be the same for all routers on a common network.

Click the OSPF Authentication drop-down menu button and choose the authentication method:

None: No authentication. OSPF messages are not authenticated (default).

Simple Password: Use a clear-text password for authentication. This password must be the same for all routers on a common network. If you choose this method, enter the password in the OSPF Password field that follows. The password is carried unencrypted in every OSPF packet, so anyone who can capture traffic on the segment can read it and forge routing updates.

MD5: Use the MD5 hashing algorithm with a shared key to compute a message digest over each OSPF packet; the key itself is never sent, and a sequence number in the packet provides replay protection. This key must be the same for all routers on a common network. If you choose this method, enter the key in the OSPF Password field that follows.

OSPF MD5 Authentication Key ID — If you chose MD5 for OSPF Authentication, type the number of the MD5 key to use in this field.

OSPF Password — If you chose Simple Password or MD5 for OSPF Authentication, enter the appropriate password or key in this field. Otherwise, leave the field blank.

For Simple Password authentication, enter the common password. The maximum password length is 8 characters. The Manager displays your entry in clear text.

For MD5 authentication, enter the shared key. The maximum shared key length is 8 characters. The Manager displays your entry in clear text.
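To make the difference between the two authentication methods concrete, the following added example (not Cisco code) builds OSPFv2 headers for both. With Simple Password the password sits in the 8-byte Authentication field of every packet; with MD5 the field carries only a key ID, digest length and sequence number, and a 16-byte MD5 digest of the packet plus the zero-padded key is appended after the packet, following RFC 2328 Appendix D. The packet body, router ID and keys are constructed values; key padding to 16 bytes and the zero checksum for MD5-authenticated packets follow RFC 2328.

```python
"""OSPFv2 packet authentication, simple password versus MD5 (RFC 2328 Appendix D).
Added example, not Cisco code."""
import hashlib
import hmac
import struct

AUTH_NONE, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2
HDR_LEN = 24          # fixed OSPFv2 header, including the 8-byte Authentication field
OSPF_HELLO = 1


def ip_checksum(data: bytes) -> int:
    """Standard Internet checksum (RFC 1071); odd-length data is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _header(pkt_type, router_id, area_id, length, checksum, auth_type, auth_field):
    assert len(auth_field) == 8
    return struct.pack("!BBHIIHH", 2, pkt_type, length, router_id, area_id,
                       checksum, auth_type) + auth_field


def _pad_key(key: str, size: int) -> bytes:
    return key.encode().ljust(size, b"\x00")[:size]


def build_simple(pkt_type, router_id, area_id, body: bytes, password: str) -> bytes:
    """Auth type 1: the password itself travels in the Authentication field."""
    length = HDR_LEN + len(body)
    # The checksum covers the header and body but not the 8-byte auth field.
    unchecked = _header(pkt_type, router_id, area_id, length, 0, AUTH_SIMPLE, b"\x00" * 8)
    csum = ip_checksum(unchecked[:16] + body)
    return _header(pkt_type, router_id, area_id, length, csum, AUTH_SIMPLE,
                   _pad_key(password, 8)) + body


def password_on_wire(packet: bytes) -> str:
    """What a sniffer sees in a simple-password packet: the password in clear text."""
    return packet[16:24].rstrip(b"\x00").decode()


def build_md5(pkt_type, router_id, area_id, body: bytes, key_id: int, key: str, seq: int) -> bytes:
    """Auth type 2: auth field = (0, key id, digest length 16, sequence number);
    checksum field is 0; MD5(packet || key padded to 16 bytes) is appended."""
    length = HDR_LEN + len(body)          # length excludes the trailing digest
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    packet = _header(pkt_type, router_id, area_id, length, 0, AUTH_MD5, auth) + body
    digest = hashlib.md5(packet + _pad_key(key, 16)).digest()
    return packet + digest


def verify_md5(wire: bytes, key: str, last_seq: int = -1) -> bool:
    """Recompute the digest with the local key and check the sequence number
    is not older than the last one accepted from this neighbor (replay check)."""
    length = struct.unpack("!H", wire[2:4])[0]
    packet, digest = wire[:length], wire[length:length + 16]
    seq = struct.unpack("!I", wire[20:24])[0]
    expected = hashlib.md5(packet + _pad_key(key, 16)).digest()
    return hmac.compare_digest(digest, expected) and seq >= last_seq


# Constructed sample: a short Hello body, a router ID of 192.168.1.1, backbone area.
HELLO_BODY = bytes.fromhex("ffffff00000a0001000000280000000000000000")
ROUTER_ID = 0xC0A80101
AREA_0 = 0

if __name__ == "__main__":
    simple = build_simple(OSPF_HELLO, ROUTER_ID, AREA_0, HELLO_BODY, "pa55word")
    print("simple password visible on the wire:", password_on_wire(simple))
    signed = build_md5(OSPF_HELLO, ROUTER_ID, AREA_0, HELLO_BODY, key_id=1, key="s3cret", seq=17)
    print("md5 verifies with right key:", verify_md5(signed, "s3cret"))
    print("md5 verifies with wrong key:", verify_md5(signed, "guess"))
```

The MD5 scheme here is keyed hashing, not encryption: the packet is still readable by anyone on the segment, but it cannot be altered or forged without the key, and the sequence number lets a receiver reject replayed packets. Note that MD5 is retained in OSPFv2 for interoperability; where both peers support it, stronger keyed digests are preferable, but this Concentrator release offers only the two methods listed above.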

Ethernet | Bandwidth Tab

The Bandwidth Parameters Tab lets you enable bandwidth management on the selected interface, define the link rate for the interface and assign a bandwidth management policy to be used on the interface. Before you do these steps, you must have already created a bandwidth management policy. To create a bandwidth management policy, use the Policy Management | Traffic Management | Bandwidth Policies | Add or Modify screen.

For detailed information on the Bandwidth Management feature, see the Policy Management | Traffic Management | Bandwidth Policies | Add or Modify section.

Figure 3-8 Configuration | Interfaces | Ethernet 1 2 3 Screen, Bandwidth Tab

Screen Elements

Bandwidth Management — To enable bandwidth management on this interface, check this box.

Link Rate — The link rate is the speed of the network connection through the Internet.


Note The defined link rate is the available Internet bandwidth, not the physical LAN connection rate. If the router in front of the VPN Concentrator has a T1 connection to the Internet, set the link rate to 1544 kbps.


Enter a value for the speed of the network connection for this interface, and select a unit of measurement.

bps—bits per second

kbps—one thousand bits per second

Mbps—one million bits per second

The default link rate is 1544 kbps.

Bandwidth Policy — Select a policy from the drop-down list. If there are no policies in this list, you must go to Policy Management | Traffic Management | Bandwidth Policies and define one or more policies.

The policy you apply here is a default bandwidth policy for all users on this interface. This policy is applied to users who do not have a bandwidth management policy applied to their group.

Ethernet | WebVPN Tab    

This screen lets you configure interface-specific parameters for WebVPN. On any interface, you can configure these features either singly or in combination. To use the following features on an interface, you must enable them here:

WebVPN (HTTPS) connections.

POP3S, IMAP4S, and SMTPS for e-mail proxy sessions.

HTTPS Management sessions.


Note To define e-mail servers, ports, and protocols for e-mail proxy support, go to Tunneling and Security | WebVPN | E-Mail Proxy.
For guidance on configuring user e-mail accounts, see Appendix B, "Configuring the VPN Concentrator for WebVPN," and Appendix C, "WebVPN End User Set-up."


Figure 3-9 Configuration | Interfaces | Ethernet 1 2 3 Screen, WebVPN Tab

Screen Elements

Allow Management HTTPS sessions — To allow HTTPS management sessions (access to the Manager) on this interface, check this box, which is the default. Disabling HTTPS on the interface you are using to manage the Concentrator ends the management session abruptly and displays a warning message.

Figure 3-10 HTTPS Error Message Screen

Allow WebVPN HTTPS sessions — To enable WebVPN sessions on this interface, check this box, which is the default. When this parameter is enabled the VPN Concentrator Login screen includes a WebVPN Login link.

By default, HTTPS traffic enters the VPN Concentrator through port 443. To change the port or edit other HTTPS parameters, go to Tunneling and Security | SSL | HTTPS.

Redirect HTTP to HTTPS — Check to force any incoming HTTP connections to be redirected to HTTPS. When checked, HTTP connections are no longer permitted on the interface.

Allow POP3S sessions — To enable e-mail programs that use the POP3S protocol to run on this interface using the e-mail proxy feature, check this box. By default the box is unchecked. Also by default, POP3S traffic enters the VPN Concentrator through port 995. To change the port or edit other e-mail parameters, go to Tunneling and Security | WebVPN | E-Mail Proxy.

Allow IMAP4S sessions — To enable e-mail programs that use the IMAP4S protocol to run on this interface using the e-mail proxy feature, check this box. By default the box is unchecked. Also by default, IMAP4S traffic enters the VPN Concentrator through port 993. To change the port or edit other e-mail parameters, go to Tunneling and Security | WebVPN | E-Mail Proxy.

Allow SMTPS sessions — To enable e-mail programs that use the SMTPS protocol to run on this interface using the e-mail proxy feature, check this box. By default the box is unchecked. Also by default, SMTPS traffic enters the VPN Concentrator through port 988. To change the port or edit other e-mail parameters, go to Tunneling and Security | WebVPN | E-Mail Proxy.

Reminder:

After you apply changes, the Manager returns to the Configuration | Interfaces screen. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.