ViPNet Coordinator HW/VA 3.3. Administrator's Guide


© Infotecs. All rights reserved. Version: ENU

This document is included in the software distribution kit and is subject to the same terms and conditions as the software itself. No part of this publication may be reproduced, published, stored in an electronic database, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, for any purpose, without the prior written consent of Infotecs JSC.

ViPNet is a registered trademark of Infotecs JSC, Moscow, Russia. All brands and product names that are trademarks or registered trademarks are the property of their owners.

Global contacts page

Contents

Introduction
  About This Document
    Audience
    Document Conventions
  Quick Reference
  About ViPNet Coordinator HW/VA
    Supported Coordinator HW/VA Platforms
      ViPNet Coordinator HW100 hardware appliances
      ViPNet Coordinator HW1000 hardware appliance
      ViPNet Coordinator VA virtual appliances
    Core Features
    Distribution Kit
    System Requirements
  What's New in Version 3.3
  Feedback
Chapter 1. General Information
  ViPNet Coordinator HW/VA Purpose and Scope
  Components
  Protected ViPNet Network
    Coordinator's Role on a ViPNet Network
    Security Levels
Chapter 2. ViPNet Coordinator HW/VA Setup
  Checklist: ViPNet Coordinator HW/VA Setup
  Upgrading the software on a ViPNet Coordinator HW/VA appliance
    Remote Upgrading
    Automatic Local Upgrading
    Manual Local Upgrading
  Configuring ViPNet Coordinator HW/VA in ViPNet Network Manager
  Installing a Key Set
    Automatic Key Set Installation
    Manual Key Set Installation
  Deleting Keys from ViPNet Coordinator HW/VA
  Restoring ViPNet Coordinator HW/VA to the Factory State
Chapter 3. Accessing ViPNet Coordinator HW/VA
  Access Modes and Permissions
  Managing a ViPNet Coordinator HW/VA Host
    Logging On to the Web Interface
    Managing ViPNet Coordinator HW/VA via the Web Interface
Chapter 4. Configuring System Settings
  Configuring Date and Time
  Configuring the Swap File
  Configuring Event Log Settings
  Viewing the System Info
Chapter 5. Connecting ViPNet Coordinator HW/VA to a Network
  About Configuring Network Settings
  Configuring ViPNet Coordinator HW/VA Network Settings in ViPNet Network Manager
    Connecting to an Ethernet Network with ViPNet Network Manager
    Configuring Tunneling on a ViPNet Coordinator HW/VA
  Configuring ViPNet Coordinator HW/VA Network Settings via the Web Interface
    Connecting to an Ethernet Network
    Connecting to a Wi-Fi Network
    Connecting to a 3G/LTE Mobile Network
    Assigning IP Address Aliases
    Modifying the Routing Table
  Connecting to an Ethernet Network by Using the Command Line Interface
Chapter 6. Configuring Integrated Services
  Configuring Network Services
    Configuring a Wi-Fi Access Point
    Configuring a DHCP Server
    Configuring a DNS Server
    Configuring an NTP Server
  Configuring the Proxy Server
    Configuring Proxy General Settings
    Configuring Content Control
    Configuring the Anti-Virus
  Configuring the VoIP Server
    Configuring VoIP Server General Settings
    Managing User Accounts
    Configuring VoIP Trunks
  Configuring an IPsec Gateway
Chapter 7. Configuring the Integrated Firewall
  About the Integrated Firewall
  Changing the Security Level on a Network Interface
  Configuring Unencrypted Traffic Processing Rules
    Traffic Filtering Rules
    Network Address Translation Rules
  IP Packets Logging
    Configuring IP Packets Logging
    Viewing the IP Packets Log
Chapter 8. Providing Reliable Access to Network Resources by Using Alternate Traffic Channels
  About Using Alternate Traffic Channels
  Configuring the Loadbalancer Service for the Redundant Channel Mode
  Configuring the Loadbalancer Service for the Traffic Load Balancing Mode
  Alternate Channels' Events Log
Chapter 9. Failover System
  Failover System Purpose
  Services Unavailable in the Cluster Mode
  Operation of the Failover System in the Single Mode
  Managing the Failover System
Chapter 10. ViPNet Coordinator HW/VA Deployment Scenarios
  Protecting a Local Network with ViPNet Coordinator HW/VA
    Checklist: Deploying a Local Network
    Deploying a DMZ Segment
    Providing Access to a ViPNet Coordinator HW/VA Host by Assigning IP Address Aliases
  Using a Centralized Proxy Server
  Providing Secure Access to Resources on a Corporate LAN from Remote Hosts (Client-to-Site Connection)
    Access from a Remote ViPNet Host
    Access from Remote Hosts without Installed ViPNet Software over a ViPNet Channel
  Providing Secure Access to a Corporate LAN from Mobile Devices over an IPsec Channel
    Connecting Apple Mobile Devices
    Connecting Android Mobile Devices
    Providing Mobile Devices with Access to the Internet during IPsec Sessions
  Providing Secure Access to Resources on a Corporate LAN from Other LANs (Site-to-Site Connection)
    Connecting over a Protected ViPNet Channel
    Connecting over a Protected IPsec Channel
Appendix A. Configuring the Integrated Firewall Manually for Hosts' Access to the Internet from a LAN
Appendix B. Information about Third-Party Software Components
  Apache, Busybox, Editline Library (libedit), ICU, IPsec-Tools, Libclamav, libxml, MD, Nano, STLport, SQLite, Squid, sysklogd, UCD-SNMP, Xerces-c, zlib
Appendix C. Version History
  What's New in Version …
  What's New in Version …
  What's New in Version …
  What's New in Version …
Appendix D. Glossary
Appendix E. Index

Introduction

About This Document (page 9)
About ViPNet Coordinator HW/VA (page 12)
What's New in Version 3.3 (page 18)
Feedback (page 19)

About This Document

Audience

This document is intended for ViPNet VPN network administrators performing ViPNet Coordinator HW/VA setup. It contains a general description of the ViPNet Coordinator HW/VA appliance and brief instructions on installing and configuring ViPNet Coordinator HW/VA, as well as the most common use cases. To use this document effectively, you should be familiar with network technologies and with the ViPNet technology in particular. For more information on ViPNet networks, see the document ViPNet VPN. User's Guide.

Document Conventions

This document uses the following conventions:

Table 1: Document conventions

  Warning: Indicates an obligatory action or information which may be critical for continuing user operations.
  Note: Indicates a non-obligatory, but desirable action or information which may be helpful for users.
  Tip: Contains additional information.

Table 2: Conventions for highlighted information

  Name                       The name of an interface element. For instance, the name of a window, a box, a button or a key.
  Key+Key                    Shortcut keys. To use the shortcut keys, press and hold the first key and press the other keys.
  Menu > Submenu > Command   A hierarchical sequence of elements. For instance, menu items or sections in the navigation pane.
  Code                       A file name, path, text file (code) fragment or a command executed from the command line.

The following conventions are used in this document for command descriptions:

- Commands that you can execute only in the administrator mode are highlighted. For example: command
- Parameters that must be specified by the user are enclosed in angle brackets. For example: command <parameter>
- Optional parameters are enclosed in square brackets. For example: command <mandatory parameter> [optional parameter]
- If you can specify one of several parameters when typing a command, the available variants are enclosed in curly brackets and separated by a vertical bar. For example: command {variant-1 | variant-2}

Quick Reference

Table 3: Quick reference to the document's sections

Getting started
  ViPNet Coordinator HW/VA Setup (on page 27)
  Accessing ViPNet Coordinator HW/VA (on page 42)
  Configuring System Settings (on page 50)

Configuring the host
  Connecting ViPNet Coordinator HW/VA to a Network (on page 56)
  Providing Reliable Access to Network Resources by Using Alternate Traffic Channels (on page 111)
  Failover System (on page 118)

Configuring the integrated services
  Configuring Network Services
    Configuring a Wi-Fi Access Point (on page 77)
    Configuring a DHCP Server (on page 78)
    Configuring a DNS Server (on page 80)
    Configuring an NTP Server (on page 81)
  Configuring the Proxy Server (on page 83)
  Configuring the VoIP Server (on page 91)
  Configuring an IPsec Gateway (on page 96)
  Configuring the Integrated Firewall (on page 98)

Deployment scenarios
  Protecting a Local Network with ViPNet Coordinator HW/VA (on page 124)
  Using a Centralized Proxy Server (on page 131)
  Providing Secure Access to Resources on a Corporate LAN from Remote Hosts (Client-to-Site Connection) (on page 133)
  Providing Secure Access to a Corporate LAN from Mobile Devices over an IPsec Channel (on page 137)
  Providing Secure Access to Resources on a Corporate LAN from Other LANs (Site-to-Site Connection) (on page 143)

About ViPNet Coordinator HW/VA

ViPNet Coordinator HW/VA is a system based on an adapted Linux OS version, which functions as a server in a protected ViPNet VPN network (coordinator) (see Coordinator's Role on a ViPNet Network on page 25). ViPNet Coordinator HW/VA supports a variety of platforms with different available features.

Supported Coordinator HW/VA Platforms

ViPNet Coordinator HW/VA supports the following platforms:

- ViPNet Coordinator HW hardware appliances:
  - HW100 series: compact appliances for serving office VPNs of moderate size, deployed as stand-alone computers in common-use office rooms.
  - HW1000 series: appliances for serving large and ultra-large corporate VPNs, deployed in server racks in specialized server rooms.
- ViPNet Coordinator VA virtual appliances for deployment in a virtual environment. The capacities of a virtual appliance are limited by its license. Virtual appliance licenses for VA100, VA1000, and VA2000 enable features similar to those of the corresponding hardware appliances HW100, HW1000, and HW2000.

Note: Some minor capacities may differ between a hardware appliance and the corresponding virtual appliance. For the license limitation details, see the sections below.

ViPNet Coordinator HW100 hardware appliances

Table 4: ViPNet Coordinator HW modifications

  Parameter                    HW 100 X1             HW 100 X2             HW 100 X4             HW 100 X5             HW 100 X6
  Physical parameters
  Form factor                  standalone computer   standalone computer   standalone computer   standalone computer   standalone computer

  Size, mm (L x W x H)         130 x 187 x …         … x 187 x …           … x 135 x …           … x 135 x …           … x 135 x 30
  Weight, kg                   …                     …                     …                     …                     …
  Power supply                 60 W                  60 W                  30 W                  30 W                  30 W
  General capacities
  Processor                    Intel Atom, 2 core    Intel Atom, 2 core    Intel Atom, 4 core    Intel Atom, 4 core    Intel Atom, 4 core
  RAM (min), GB                …                     …                     …                     …                     …
  Hard disk space (min), GB    …                     …                     …                     …                     …
  USB ports                    …                     …                     …                     …                     …
  Other ports                  VGA                   VGA                   HDMI, COM             HDMI, COM             HDMI, COM
  Network interfaces
  Ethernet                     4x 1 Gbps             4x 1 Gbps             3x 1 Gbps             3x 1 Gbps             3x 1 Gbps
  Wi-Fi                        none                  none                  none                  integrated            none
  3G/LTE modem                 external USB device (not included in the distribution kit)                               3G

Note: ViPNet Coordinator HW modifications HW 100 X1/X4/X5/X6 do not support the following features:

- Adding VPN clients. On a VPN, these appliances can only tunnel connections with unprotected hosts.
- Proxy server functions (see Configuring the Proxy Server on page 83), including anti-virus and content filtering.
- Memory expansion by swapping (see Configuring the Swap File on page 52).

The Failover system in cluster mode (see Failover System on page 118) is not available for Coordinator HW modifications.

ViPNet Coordinator HW1000 hardware appliance

Table 5: ViPNet Coordinator HW1000 D1 modification

  Physical parameters
  Form factor             rack-mount server
  Size, mm (L x W x H)    434 x … x 42.4
  Weight, kg              …
  Power supply            250 W
  General capacities
  Processor               Intel Xeon E… v3
  RAM, GB                 8
  Hard disk space         2x 300 GB
  USB ports               2x USB 2.0, 2x USB 3.0
  Other ports             VGA, COM
  Network interfaces
  Ethernet                2x 1 Gbps
  Wi-Fi                   none

ViPNet Coordinator VA virtual appliances

Table 6: ViPNet Coordinator VA modifications

  Parameter                                      VA 100    VA 1000   VA 2000
  Number of traffic-processing kernel threads    …         …         …
  Network interfaces
  Ethernet                                       4 ports   4 ports   4 ports
  Wi-Fi, 3G/LTE modem                            none      none      none

Core Features

ViPNet Coordinator HW/VA core features are listed in the table below.

Note: Some features are available only for particular supported platforms (see Supported Coordinator HW/VA Platforms on page 12).

Table 7: ViPNet Coordinator HW/VA features

Network
  Connectivity                       Ethernet, Wi-Fi, 3G/LTE
  Wi-Fi access point                 Supported
  VPN                                ViPNet VPN: advanced point-to-multipoint VPN technology. IPsec: IKEv1, site-to-site and client-to-site.
  Static routing                     Supported
  Stateful firewall                  Supported
  NAT                                Supported
  Using alternate traffic channels   Two modes: redundant channel, traffic load balancing

Services
  DHCP                               Client, server
  DNS                                Server
  NTP                                Server
  Proxy server                       HTTP, HTTPS
  Proxy content control              Supported
  Proxy anti-virus filtering         ClamAV
  VoIP                               SIP server
  Failover system                    Supported (on Coordinator VA platforms)

Managing ViPNet Coordinator HW/VA
  Configuring                        Via the web interface; via the command line interface; in the ViPNet Network Manager program
  SSH                                Server
  Remote software upgrade            Supported
  Backup                             Backing up and restoring configurations by using a USB drive

  Logging                            Syslog, rsyslog (remote syslog)
  SNMP monitoring                    Supported

Note: ViPNet Coordinator HW modifications HW 100 X1/X4/X5/X6 do not support the following features:

- Adding VPN clients. On a VPN, these appliances can only tunnel connections with unprotected hosts.
- Proxy server functions (see Configuring the Proxy Server on page 83), including anti-virus and content filtering.
- Memory expansion by swapping (see Configuring the Swap File on page 52).

The Failover system in cluster mode (see Failover System on page 118) is available only for Coordinator VA modifications (see Supported Coordinator HW/VA Platforms on page 12).

Distribution Kit

A ViPNet Coordinator HW/VA distribution kit includes:

- Depending on the appliance's form factor:
  - for the ViPNet Coordinator HW appliance modifications, the ViPNet Coordinator HW appliance;
  - for the ViPNet Coordinator VA modifications, the virtual appliance deployment file (coordinatorhw_vipnet_x.x-xxx.ova). The same file is used for the deployment of ViPNet Coordinator VA of any modification (see Supported Coordinator HW/VA Platforms on page 12).
- The ViPNet software upgrade files:
  - The software upgrade package file coordinatorhw_vipnet_driv_x.x-xxx.lzh, which you will need to upgrade an earlier version of ViPNet Coordinator HW/VA to the current version (3.3).
  - The software upgrade configuration file hwinit-x.x-xxx_upgrade.xml.
- Documentation in PDF format, including:
  - ViPNet Coordinator HW/VA. Administrator's Guide.
  - ViPNet Coordinator HW/VA. Failover System.
  - ViPNet Coordinator HW/VA. Reference Guide.

System Requirements

The minimum requirements to run ViPNet Coordinator HW/VA are as follows:

- For local access to a hardware appliance (see Managing a ViPNet Coordinator HW/VA Host on page 45), use the following devices: monitor, USB keyboard.
- The following virtual environments are supported for deploying a virtual appliance: VMware Workstation, VMware vSphere, Oracle VirtualBox.
- Your ViPNet Network Manager program must be version 4.2 or later.
- Supported 3G/LTE USB modems: 3G Huawei K3772 (Vodafone), 3G Huawei E303 (Vodafone), LTE Huawei E398 (Deutsche Telekom Speedstick LTE III).

What's New in Version 3.3

In version 3.3, the ViPNet Coordinator HW1000 D1 hardware platform was added and some minor bugs were fixed.

Feedback

Finding Additional Information

For more information about Infotecs products and technologies, see the following resources:

- ViPNet documentation web portal
- Information about current Infotecs products
- Information about Infotecs solutions
- Frequently asked questions

Contacting Infotecs

We value any feedback from you. If you have any questions concerning Infotecs products and solutions, any suggestions, complaints or other feedback, feel free to contact us by means of the following:

- Global contacts page
- Telephone (Germany): +49 (0) …
- Telephone (USA): +1 (646) …

Errata

Infotecs makes every effort to ensure that there are no errors or misprints in the text of all documents supplied with ViPNet software. However, no one is perfect, and mistakes do occur. If you find an error in one of our documents, like a spelling mistake or some inaccuracy in describing user scenarios or system features, we would be very grateful for your feedback. By sending in errata you may save other readers hours of frustration, and at the same time you will be helping us provide documentation of even higher quality.

1 General Information

ViPNet Coordinator HW/VA Purpose and Scope (page 21)
Components (page 23)
Protected ViPNet Network (page 24)

ViPNet Coordinator HW/VA Purpose and Scope

The ViPNet Coordinator HW/VA appliance is implemented as a part of the ViPNet VPN software suite designed for deploying and managing virtual private networks (see Virtual protected network (VPN) on page 233). This is an integrated solution that provides connectivity to corporate networks, remote and mobile users, branch offices, and business partners on a wide range of open platforms and security appliances. ViPNet Coordinator HW/VA integrates access control, authentication, and encryption to guarantee the security of network connections over a public network, for example, the Internet.

ViPNet Coordinator HW/VA is a system based on an adapted Linux OS version, intended to support ViPNet services. It can function as:

- A VPN server, which concentrates the inbound VPN connections (a VPN concentrator). ViPNet Coordinator HW/VA supports secure connections over the ViPNet technology, which enables peer-to-peer connections (see Protected ViPNet Network on page 24), and over IPsec (see IPsec protocol on page 230). You can also use ViPNet Coordinator HW/VA to establish a secure communications channel (a bridge) between ViPNet networks and IPsec networks, the site-to-site VPN (see Providing Secure Access to Resources on a Corporate LAN from Other LANs (Site-to-Site Connection) on page 143).
- A stateful firewall (on page 229) that tracks the state and the significant attributes of each network connection throughout the corresponding session. With ViPNet Coordinator HW/VA, you can configure traffic filtering rules (see Traffic Filtering Rules on page 104) for each network interface based on protocols, IP addresses, and ports. You can also configure ViPNet Coordinator HW/VA to perform network address translation (NAT) (see Network Address Translation Rules on page 106).
- A VPN gateway (tunneling server) protecting remote access to tunneled corporate resources (see Providing Secure Access to Resources on a Corporate LAN from Remote Hosts (Client-to-Site Connection) on page 133).

ViPNet Coordinator HW/VA may also function as:

- a DHCP, DNS, or NTP server (see Configuring Network Services on page 77);
- a proxy server (see Configuring the Proxy Server on page 83) with web content filtering and anti-virus services;
- a VoIP server (see Configuring the VoIP Server on page 91), which allows you to implement an office IP telephony system.

To learn about deploying ViPNet Coordinator HW/VA for performing various tasks in a corporate network, see the section ViPNet Coordinator HW/VA Deployment Scenarios (on page 123).

Components

The ViPNet Coordinator HW/VA appliance includes the following components:

- The kernel-level network protection driver (ViPNet driver), which interacts with the network card drivers directly and controls all traffic exchange between the computer and an external network.
- The control daemon, which loads the necessary parameters to the iplir driver, sends and receives data on the clients' IP addresses, logs traffic and performs a variety of other tasks. We recommend that you keep this program always running. But even if it stops, the ViPNet driver will continue to work and the traffic exchange will remain uninterrupted.
- A cryptographic driver, which manages cryptographic operations when requested by the iplir driver.
- The failover system, consisting of a driver and a special daemon. The driver works at the kernel level and in most cases remains functional even when the system does not respond to external events.
- The MFTP transport module, which provides transport envelope exchange between ViPNet hosts.
- A command line interface, which is used to administer ViPNet Coordinator HW/VA.
- A DHCP server, which is used to assign dynamic IP addresses to DHCP clients.
- A DNS server, which resolves domain names into IP addresses.
- An NTP server, which ensures time synchronization.
- A proxy server with optional web content filtering and anti-virus services.
- A VoIP server, which allows you to implement an office IP telephony system.

Protected ViPNet Network

The ViPNet Coordinator HW/VA appliance is designed to be used on a protected ViPNet network, which is deployed on the basis of the ViPNet VPN software suite. A ViPNet network is a virtual protected network (see Virtual protected network (VPN) on page 233), which can be deployed over local or global networks of any physical topology. The ViPNet technology ensures encrypted communication between ViPNet hosts (see ViPNet host on page 232) over a peer-to-peer scheme, a feature that is lacking in many popular VPN solutions.

Information transferred over a ViPNet network is protected with special ViPNet software, whose main features are:

- Traffic filtering for all ViPNet hosts. The traffic is filtered according to preset security levels (on page 26) and user-defined filtering rules.
- Encryption of traffic between ViPNet hosts. The traffic is encrypted and decrypted by using symmetric keys (see Symmetric key on page 231), which are generated and distributed centrally from the ViPNet network administrator's workstation.

You can administer a ViPNet network by using the ViPNet Network Manager program (see ViPNet Network Manager on page 233). With ViPNet Network Manager, you can create and configure hosts on your ViPNet network, manage links between them, create and centrally distribute their key sets, and centrally upgrade ViPNet hosts' software.

There are two types of ViPNet hosts:

- Client (ViPNet client) (on page 228): a ViPNet user's workstation. On each client, the ViPNet Client software must be installed.
- Coordinator (ViPNet coordinator) (on page 228): a ViPNet network server (see Coordinator's Role on a ViPNet Network on page 25). A ViPNet Coordinator HW/VA appliance is a coordinator.

A ViPNet network may also involve:

- Local network computers that don't have ViPNet software installed, but that are protected by the tunneling technology (see Tunneling on page 232). These hosts are called 'tunneled hosts' and are tunneled by the ViPNet coordinators, which connect them to other networks (for example, to the Internet).
- Mobile devices connected to a ViPNet network over the IPsec protocol (see Providing Secure Access to a Corporate LAN from Mobile Devices over an IPsec Channel on page 137).

Coordinator's Role on a ViPNet Network

A VPN server in a ViPNet network is called a coordinator (ViPNet coordinator) (on page 228). Depending on the tasks in your ViPNet network, a coordinator can function as:

- A VPN server, which gathers ViPNet hosts' status information and notifies its clients about other hosts' statuses. Each client (ViPNet client) (on page 228) regularly sends messages about its state to its VPN server. VPN servers then exchange the information received from their clients. As a result, all ViPNet clients receive data on the state and availability of the ViPNet hosts linked to them from their VPN servers.
- A firewall. A coordinator filters unencrypted, encrypted, and tunneled IP packets on each network interface based on their IP addresses, protocols, and ports. Unencrypted and tunneled traffic is filtered according to the preset rules and security levels (on page 26). A coordinator may also translate IP addresses (perform NAT) for both encrypted and unencrypted traffic (see Network address translation (NAT) on page 230). NAT for encrypted traffic is performed according to pre-set parameters that you can't change. NAT for unencrypted traffic allows you to configure rules for both static and dynamic address translation, for two main purposes:
  - Connecting a local network to the Internet when the number of local hosts exceeds the number of public IP addresses issued by the Internet service provider.
  - Accessing the local network hosts from the Internet.
- A VPN gateway (tunneling server). You can use a coordinator to encrypt the traffic from an unprotected host (on page 232) when it passes over potentially insecure network segments. A coordinator receives traffic from a tunneled host (on page 232) unencrypted, encrypts the traffic, and forwards it to the destination address or to another coordinator. When a coordinator receives encrypted traffic to be forwarded to a tunneled host, it decrypts the traffic and forwards it to the tunneled host unencrypted.
- A transport server, which ensures the delivery of keys and software upgrades from ViPNet Network Manager to ViPNet hosts, as well as the exchange of transport envelopes (see Transport envelope on page 231) between ViPNet hosts.

The application and control envelopes are routed using the ViPNet MFTP transport module. It receives the envelopes from ViPNet hosts and then forwards them to their destination host or to another transport server.

Security Levels

ViPNet Coordinator HW/VA has four pre-set policies of unencrypted traffic filtering, which are called security levels:

1 Block IP packets of all connections. Only connections to protected ViPNet hosts (see Protected host on page 231) are allowed; all connections to unprotected hosts (including tunneled ones) are blocked.

2 Block all connections except for the allowed ones. Connections to ViPNet hosts are allowed. Connections to unprotected hosts can be established only if they are explicitly permitted by the traffic filtering rules. The second security level is recommended and is set by default for all network interfaces of the coordinator.

3 Allow all outbound connections except for the prohibited ones. Connections to protected ViPNet hosts are allowed. Outbound connections to unprotected hosts can be established unless they are explicitly prohibited by the traffic filtering rules. Inbound connections from unprotected hosts are possible only if they are explicitly permitted by the traffic filtering rules.

4 Allow all connections. Connections to protected ViPNet hosts are allowed. Any connections to unprotected hosts can be established regardless of the configured traffic filtering rules.

Warning: We don't recommend using the fourth security level on the coordinator's network interfaces, because at that level the coordinator is unprotected from any unauthorized access. Use this security level only for the reserve channel in a failover cluster (see Failover System Purpose on page 119) or for testing during a short period of time.
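The decision logic of the four security levels, as an added illustration that is not part of this guide and not the coordinator's own filtering code: a connection is described by whether the peer is a protected ViPNet host, its direction from the coordinator's point of view, and the explicit traffic filtering rule that matches it, if any. The Connection and allowed names are this example's own, and the model deliberately shows the two points a practitioner tends to miss: level 3 is asymmetric (outbound is allow-unless-denied, inbound is deny-unless-allowed), and level 4 ignores even an explicit deny rule.

```python
"""Model of the four ViPNet Coordinator HW/VA security levels for unencrypted
traffic, as described in the Security Levels section. Illustration only; the
names below are this example's own, not the appliance's configuration syntax."""
from dataclasses import dataclass
from typing import Optional

RECOMMENDED_LEVEL = 2   # the default on every coordinator interface


@dataclass(frozen=True)
class Connection:
    """One connection as seen on a coordinator interface."""
    peer_protected: bool          # True for a protected ViPNet host; False for an
                                  # unprotected host (tunneled hosts included)
    direction: str                # "inbound" or "outbound" from the coordinator's view
    rule: Optional[str] = None    # explicit filtering rule that matches it:
                                  # "allow", "deny", or None when no rule matches


def allowed(level: int, conn: Connection) -> bool:
    """Return True if the connection may be established at the given security level."""
    if level not in (1, 2, 3, 4):
        raise ValueError(f"unknown security level {level}")
    if conn.direction not in ("inbound", "outbound"):
        raise ValueError(f"unknown direction {conn.direction!r}")

    # Every level lets protected ViPNet hosts through; the levels only differ
    # in how unprotected (and tunneled) hosts are treated.
    if conn.peer_protected:
        return True
    if level == 1:                       # block IP packets of all connections
        return False
    if level == 2:                       # block all except explicitly allowed
        return conn.rule == "allow"
    if level == 3:                       # outbound: allow unless denied;
        if conn.direction == "outbound": # inbound: deny unless allowed
            return conn.rule != "deny"
        return conn.rule == "allow"
    return True                          # level 4: the rules are not consulted at all


def level4_ignores_deny(rule: str = "deny") -> bool:
    """Why level 4 is the warning case: an explicit deny rule is bypassed there,
    while the recommended level 2 honours it."""
    c = Connection(peer_protected=False, direction="inbound", rule=rule)
    return allowed(4, c) and not allowed(2, c)


def matrix():
    """Outcome for the interesting unprotected-host cases at levels 1..4,
    keyed by (direction, rule) -> [level1, level2, level3, level4]."""
    cases = [("outbound", None), ("inbound", None), ("outbound", "deny"), ("inbound", "allow")]
    return {case: [allowed(lv, Connection(False, *case)) for lv in (1, 2, 3, 4)]
            for case in cases}


if __name__ == "__main__":
    print("direction rule   L1    L2    L3    L4")
    for (direction, rule), outcome in matrix().items():
        cells = " ".join(f"{'allow' if a else 'block':5}" for a in outcome)
        print(f"{direction:8} {str(rule):6} {cells}")
```

Running the block prints the decision matrix; the row for an inbound connection with no matching rule is blocked at levels 1 to 3 and allowed only at level 4, which is the behaviour the warning above is about.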

2 ViPNet Coordinator HW/VA Setup

Checklist: ViPNet Coordinator HW/VA Setup (page 28)
Upgrading the software on a ViPNet Coordinator HW/VA appliance (page 29)
Configuring ViPNet Coordinator HW/VA in ViPNet Network Manager (page 32)
Installing a Key Set (page 36)
Deleting Keys from ViPNet Coordinator HW/VA (page 40)
Restoring ViPNet Coordinator HW/VA to the Factory State (page 41)

Checklist: ViPNet Coordinator HW/VA Setup

If you use an earlier version of ViPNet Coordinator HW/VA, you can upgrade it to the current version (see Upgrading the software on a ViPNet Coordinator HW/VA appliance on page 29). If you want to deploy ViPNet Coordinator HW/VA anew, complete the following steps:

Table 8: ViPNet Coordinator HW/VA setup checklist

  Task                                                                                          Reference
  Purchase or upgrade your ViPNet VPN license (see ViPNet network license on page 232)          Contact a representative of Infotecs.
  so that it allows you to use a ViPNet Coordinator HW/VA.
  If you are deploying a ViPNet Coordinator VA, deploy the virtual appliance image file         Follow the virtual environment software guidelines.
  *.ova in your virtual environment.
  In ViPNet Network Manager, create and configure a new coordinator. Create a key set           Configuring ViPNet Coordinator HW/VA in ViPNet Network Manager (on page 32)
  for the coordinator.
  On the ViPNet Coordinator HW/VA host, install the corresponding key set.                      Installing a Key Set (on page 36)
  Connect the ViPNet Coordinator HW/VA host to an Ethernet network.
  Configure the ViPNet Coordinator HW/VA date and time.                                         Configuring Date and Time (on page 51)
  To verify that ViPNet Coordinator HW/VA operates correctly, check the connection              Viewing the System Info (on page 54)
  between ViPNet hosts or tunneled hosts.

Warning: If you are planning to deploy a failover cluster (see Failover System Purpose on page 119), it is crucial that you follow the guidelines given in the document ViPNet Coordinator HW/VA. Failover System, the chapter Deploying and Upgrading a Failover Cluster.

Upgrading the software on a ViPNet Coordinator HW/VA appliance

If a new version of the ViPNet Coordinator HW/VA software is released, it is recommended that you upgrade the software on your host. This ensures the reliability of the software and enables its new features. For upgrading, you need the upgrade package files, which are included in the distribution kit and which may also be obtained from a representative of Infotecs.

Warning: To roll back to an earlier version, install the upgrade package file of that version. However, you can't roll back to version 3.1 or earlier.

There are several ways you can upgrade the software on your ViPNet Coordinator HW/VA appliance:

- Remote upgrading from ViPNet Network Manager. This allows you to upgrade the ViPNet Coordinator HW/VA software on many hosts in a centralized way and without handing the software upgrade files to host users. Remote upgrading is also the easiest way to upgrade the software of a failover cluster (see Failover System Purpose on page 119), because all necessary actions are performed automatically.
- Local upgrading by using a USB drive. You can upgrade locally if the ViPNet Coordinator HW/VA is offline and cannot receive upgrade files from the ViPNet Network Manager host. You will need a software upgrade package file, which you can obtain from a representative of Infotecs.
  - You can perform local upgrading automatically, without any additional configuring afterwards. For automatic upgrading, you will need to copy the software upgrade package and the upgrade configuration file hwinit-x.x-xxx_upgrade.xml to the root folder of the USB drive. Make sure that these two files are the only files of their type in the root folder of the USB drive.
  - You can also perform local upgrading manually by using an interactive wizard. This might be useful if you don't want to place the software upgrade package file in the root folder of the USB drive.

Remote Upgrading

Use the ViPNet Network Manager program to upgrade the ViPNet Coordinator HW/VA software remotely, both on a single ViPNet Coordinator HW/VA host and on a failover cluster (see Failover System Purpose on page 119). To upgrade the software remotely, do the following:

1 Obtain the software upgrade package file from the distributor.
2 On the host with the ViPNet Network Manager software installed, on the main menu of ViPNet Network Manager, click Tools > Update ViPNet Software.
3 Follow the guidelines of the Update ViPNet Software wizard.

For more information about remote software upgrading, see the document ViPNet VPN. User's Guide, the chapter Managing a ViPNet Network.

Automatic Local Upgrading

To upgrade the ViPNet Coordinator HW/VA software automatically, do the following:

1 Copy the software upgrade package file coordinator_driv_x.x-xxx.lzh and the upgrade configuration file hwinit-x.x-xxx_upgrade.xml to the root folder of a removable USB drive. The upgrade configuration file is a part of the distribution kit (on page 16).
2 If the ViPNet Coordinator HW/VA appliance is turned off, turn it on.
3 Connect the USB drive to the appliance.
4 Reboot the appliance by executing the machine reboot command. Upon rebooting, the ViPNet Coordinator HW/VA software will detect the software upgrade files on the USB drive. The software upgrade will be installed automatically.
5 After the installation process is complete, a message will be displayed prompting you to remove the USB drive. Remove it and press Enter. After the appliance reboots, upgrading is completed.
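A pre-flight check for the USB drive used in automatic local upgrading, as an added example that is not part of this guide or of the ViPNet software: it enforces the constraint from step 1 above that the root folder holds exactly one software upgrade package (*.lzh) and exactly one hwinit-x.x-xxx_upgrade.xml configuration file, so that the appliance cannot pick up a stale or ambiguous package on reboot. The function names, the file names used in the sample run (constructed), and the extra check that the x.x-xxx version tag in the two file names agrees, are this example's own assumptions, not requirements stated by the guide.

```python
"""Pre-flight check of the USB drive root for automatic local upgrading.
Added example; not part of the guide or the ViPNet software. It checks the
constraint stated in the guide (exactly one upgrade package and exactly one
hwinit-x.x-xxx_upgrade.xml in the root folder) plus one assumption of this
example: that the x.x-xxx version tag in both file names should agree."""
import re
from pathlib import Path
from typing import Iterable, List

PACKAGE_RE = re.compile(r"^.*\.lzh$", re.IGNORECASE)
CONFIG_RE = re.compile(r"^hwinit-.*_upgrade\.xml$", re.IGNORECASE)
VERSION_RE = re.compile(r"(\d+\.\d+-\d+)")   # the x.x-xxx tag; its exact shape is assumed


def check_upgrade_names(names: Iterable[str]) -> List[str]:
    """Return the list of problems for the given root-folder file names.
    An empty list means the drive satisfies the guide's constraint."""
    names = list(names)
    packages = [n for n in names if PACKAGE_RE.match(n)]
    configs = [n for n in names if CONFIG_RE.match(n)]
    problems: List[str] = []
    if len(packages) != 1:
        problems.append(f"expected exactly one .lzh upgrade package in the root "
                        f"folder, found {len(packages)}: {packages}")
    if len(configs) != 1:
        problems.append(f"expected exactly one hwinit-*_upgrade.xml configuration "
                        f"file in the root folder, found {len(configs)}: {configs}")
    if len(packages) == 1 and len(configs) == 1:
        # Assumption of this example: both names carry the same x.x-xxx tag.
        pv = VERSION_RE.search(packages[0])
        cv = VERSION_RE.search(configs[0])
        if pv and cv and pv.group(1) != cv.group(1):
            problems.append(f"version tag mismatch: package {pv.group(1)} vs "
                            f"configuration {cv.group(1)}")
    return problems


def check_upgrade_drive(root: str) -> List[str]:
    """Run the check against a mounted USB drive. Only the root folder is inspected,
    because that is where the appliance looks for the files on reboot."""
    names = [p.name for p in Path(root).iterdir() if p.is_file()]
    return check_upgrade_names(names)


if __name__ == "__main__":
    import sys
    issues = check_upgrade_drive(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("OK: drive is ready for automatic upgrading" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

Run it against the mount point of the USB drive before connecting the drive to the appliance; a non-zero exit means the root folder would be ambiguous for the upgrade procedure.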

Manual Local Upgrading

Warning: If you want to upgrade the software of a failover cluster manually, it is crucial that you follow the guidelines given in the document ViPNet Coordinator HW/VA. Failover System, the chapter Deploying and Upgrading a Failover Cluster.

To upgrade the ViPNet Coordinator HW/VA software manually, do the following:

1 Copy the software upgrade package file coordinator_driv_x.x-xxx.lzh to a removable USB drive (placing it in the root directory is not required).
2 If the ViPNet Coordinator HW/VA appliance is turned off, turn it on.
3 Log on as an administrator by executing the enable command.
4 To start upgrading, execute the admin upgrade software usb command. You will be prompted to connect the USB drive.
5 Connect the USB drive to the appliance and then press Enter. The USB drive will be scanned for software upgrade package files, and a numbered list of the available files will be displayed.
6 Type the file number and then press Enter. Wait until the upgrading process is finished. This may take several minutes. You will know that upgrading is finished when the command line interface becomes accessible again.
7 Reboot the appliance by executing the machine reboot command. After the reboot, the software upgrade is completed.

Configuring ViPNet Coordinator HW/VA in ViPNet Network Manager

A ViPNet Coordinator HW/VA appliance functions as a coordinator (ViPNet coordinator) (on page 228) on a ViPNet network. Before you start working with ViPNet Coordinator HW/VA, in ViPNet Network Manager, add a new coordinator (or configure an existing coordinator as required) and create a new key set for it. After this, install this key set on the ViPNet Coordinator HW/VA host (see Manual Key Set Installation on page 37).

Note: Below you will find the guidelines for configuring the host in ViPNet Network Manager version 4.1 or later. In earlier versions, some of the settings described may be unavailable, and you will need to make them later over the web interface or the command line interface (see Managing a ViPNet Coordinator HW/VA Host on page 45).

To create and configure a ViPNet Coordinator HW/VA coordinator, in the main window of ViPNet Network Manager, do the following:
1 In the navigation pane, right-click My network and, on the context menu, click Add Coordinator HW/VA. Give the new coordinator a name.
Note: The Add Coordinator HW/VA variants will be available only if your ViPNet VPN network license permits the use of ViPNet Coordinator HW/VA. Otherwise, contact a representative of Infotecs.
2 If necessary, add clients to the coordinator.
3 In the navigation pane, select the new coordinator.

Figure 1: Configuring a ViPNet Coordinator HW/VA host in ViPNet Network Manager
4 If you want to set your own ViPNet Coordinator HW/VA user password, click Change password. In the User Password window, select User-defined, type and confirm the new password, and then click OK.
5 If you are deploying a failover cluster, select the Enable ViPNet Failover check box.
Note: The Enable ViPNet Failover check box will be available only if your ViPNet VPN network license permits the use of a ViPNet failover cluster.
6 On the Network options tab, set the parameters of the network adapters:
- Configure the Ethernet adapters, including the way their IP addresses are assigned.
- Configure the Wi-Fi adapters.
Note: When you create ViPNet host keys for a failover cluster (see Failover System on page 118) in the ViPNet Network Manager program, you don't need to make any settings on the Network options tab. If you do, they will be ignored by the cluster. You will configure the interfaces on a cluster locally (see the document ViPNet Coordinator HW/VA. Failover System. Administrator's Guide).

7 If you are planning to add any VPN clients to the coordinator, on the Access IP addresses tab, specify the coordinator's IP addresses or DNS names via which the other hosts on the VPN will access it:
- If the coordinator will have static IP addresses, you can specify them in the IP addresses box.
- If the coordinator will have dynamic IP addresses, in the DNS names box, you can set its DNS names registered with a dynamic DNS service (for example, DynDNS).
Tip: If you don't know the access addresses at the moment, you may specify them later, after you finish the coordinator setup. If you are going to use the coordinator only for tunneling, there is no need to specify access addresses.
Note: ViPNet Coordinator HW modifications HW 100 X1/X4/X5/X6 do not support adding VPN clients.
8 On the Firewall tab, set the parameters for connecting to the external network (for example, to the Internet):
- If the coordinator is directly connected to the external network, clear the Use the firewall check box.
- If the coordinator is connected to the external network via a firewall, select the Use the firewall check box and, in the Firewall type list, set the other connection parameters.
9 If you are planning for the coordinator to tunnel unprotected hosts' traffic, then, on the Tunnel tab, in the IP addresses of tunneled connections list, add the IP addresses of the unprotected hosts to be tunneled by ViPNet Coordinator HW/VA.
10 If you want to use your ViPNet Coordinator HW/VA host as an IPsec gateway, on the IPsec connection tab, configure the necessary settings. For more information, see the section Configuring an IPsec Gateway (on page 96).
Warning: If you want to install the key set for your ViPNet Coordinator HW/VA host automatically (see Automatic Key Set Installation on page 37), don't configure the IPsec connection settings before you install the key set. After the key set installation, configure the IPsec connection in ViPNet Network Manager and then send the keys to the ViPNet Coordinator HW/VA. After the keys are accepted on the host, the new settings will be applied.

11 After setting all necessary parameters, on the Keys tab, click Save keys and specify the folder to save the keys to. In the specified folder, a folder named ViPNet_NNNN_keys will be created, where NNNN is the number of your ViPNet network. In this folder you will find:
- A subfolder containing the key set for the ViPNet Coordinator HW/VA host (the *.dst file) and the hwinit_set.xml file, which is required for the automatic key set installation (on page 37).
- The text file ViPNet.txt, containing the user passwords for the hosts. Treat this file and the key set folder as sensitive material: the passwords are stored in it as readable text, and anyone holding the *.dst file and the password can install the host's identity.
12 Install this key set on the ViPNet Coordinator HW/VA appliance (see Installing a Key Set on page 36).
Note: If some of the above-mentioned parameters for the coordinator were not set, we recommend that you set them later in ViPNet Network Manager. In this case, upon a keys update, the hosts linked to the coordinator will receive the coordinator's addresses, the tunneled hosts' addresses and other parameters from ViPNet Network Manager.
13 Transfer their passwords to the hosts' users.
For more information about host parameter configuration in ViPNet Network Manager, see the document ViPNet VPN. User's Guide.

Installing a Key Set

To start working with a ViPNet Coordinator HW/VA host, install a key set on it. To install a key set, you will need to configure the ViPNet Coordinator HW/VA host in ViPNet Network Manager, save its key set (see Configuring ViPNet Coordinator HW/VA in ViPNet Network Manager on page 32), and then transfer it to the corresponding host either on a USB drive or on a CD/DVD.

There are two ways you can install a key set on a ViPNet Coordinator HW/VA host:
- You can install the key set automatically from a USB drive. Automatic installation is easier, and is especially recommended when the host does not have a monitor and a keyboard, because at automatic installation you don't need to make any configurations on the host. For automatic installation, on the ViPNet Network Manager host, copy the key set and the configuration file hwinit_set.xml (see Configuring ViPNet Coordinator HW/VA in ViPNet Network Manager on page 32) to the root folder of the USB drive. When you install the key set on the host, make sure that the proper key set is the only key set in the root folder of the USB drive.
- You can install the key set manually from a USB drive or a CD/DVD by using an interactive wizard. Manual installation allows you to have many key sets on the drive, which don't need to be located in its root and may be located in separate folders. This may be convenient if you are planning to copy many key sets to a single drive and then use it for key set installation on several hosts. Installing manually, you will be able to specify the proper key set on each host. For manual installation, you only need to copy the key sets to the drive. There is no need to copy the hwinit_set.xml configuration file.

Warning: If you are deploying a failover cluster (see Failover System Purpose on page 119), it is crucial that you follow the guidelines given in the document ViPNet Coordinator HW/VA. Failover Cluster, the chapter Deploying and Upgrading a Failover Cluster.

Automatic Key Set Installation

To install a key set automatically:
1 Connect the USB drive containing the key set and the configuration file (see Installing a Key Set on page 36) to the ViPNet Coordinator HW/VA host.
2 Turn on the appliance. The ViPNet Coordinator HW/VA software will detect the USB drive with the key set and start the automatic installation. When the key set installation is completed, the ViPNet Coordinator HW/VA daemons will start automatically.
3 If necessary, configure ViPNet Coordinator HW/VA (see Quick Reference on page 10).

Manual Key Set Installation

To install a key set on a ViPNet Coordinator HW/VA host manually, you will need a USB drive or a CD/DVD containing the proper key set (see Installing a Key Set on page 36). A special wizard will guide you through the installation and will also allow you to configure the main ViPNet Coordinator HW/VA parameters.

To install the key set:
1 Turn on the appliance and wait for the ViPNet software to load.
2 When prompted to enter the user login, type user and press Enter.
3 When prompted to enter the user password, also type user and press Enter. Upon successful logon, the ViPNet Coordinator HW/VA setup program will be started. Select one of the two modes of the setup program:
- 1 starts the command line interface. In this case you will make the configurations by typing from the keyboard.
- 2 starts the interactive wizard. In this case you will make the configurations by selecting the proper options with your keyboard.
Both modes offer the same set of steps for preconfiguring ViPNet Coordinator HW/VA. Further in this section, we describe your actions in the command line interface mode. If you are going to use the interactive wizard, take the similar steps.
4 Select the command line interface setup program operating mode by typing 1 and pressing Enter.
5 When prompted to start key set installation (Would you like to start installing keys or restoring configuration?), type y and press Enter.
6 Select the key set installation mode (Would you like installing keys from TFTP, USB or CD storage device?):

- To select installation from a USB drive, type u and press Enter.
- To select installation from a CD, type c and press Enter.
7 When prompted to connect the drive with your key set (Insert USB storage device (or CD disk) with DST or VBE file and press Enter), connect the drive with the key set to the appliance and press Enter.
8 If there are several key sets on the drive, a list of available key sets will be displayed and you will be prompted to select the required one (Choose file by number or press Enter for next page). Type the required key set's number and press Enter.
9 When prompted to enter the host user password, type the coordinator's user password and press Enter. You will be notified about successful logon.
10 Specify parameters for each of the coordinator's network interfaces:
- When prompted to enable a network interface (Activate interface ethN?), type one of the following:
  y to enable the interface.
  n to disable the interface.
  x to apply the configuration that was made for this interface in the ViPNet Network Manager program (Network options tab) (see Configuring ViPNet Coordinator HW/VA in ViPNet Network Manager on page 32). This option is available only if the ViPNet network administrator has made configurations for the interface in ViPNet Network Manager.
  Then press Enter.
- If you have selected to enable the interface (the y option), you will be prompted to allow a DHCP server to assign network parameters to the interface (Use dhcp on the interface ethN?). Type y for the server to assign the parameters dynamically or n to configure static settings later. Then press Enter.
Note: If you choose to configure the network parameters for all interfaces later, you will be prompted to optionally specify DNS and NTP server addresses in the following steps (when setting the system time on the appliance).
11 Set the time zone and the system time of the appliance. You will be prompted to define your location:
- When prompted to select a continent from the list (Please select a continent or ocean), type the number of the continent and press Enter.

- When prompted to select a country from the list (Please select a country), type the number of the country and press Enter.
- When prompted to select a time zone of the country (Please select one of the following time zone regions), type the required number and press Enter.
The time zone will be defined according to the selected location and displayed on the screen. To accept the set location, type 1 (Yes). To define another location, type 2 (No). Then press Enter.
After you define the time zone, the current system time will be displayed on the screen. To accept the displayed time, press Enter. To change the system time, type the date and time in the format YYYY-MM-DD hh:mm:ss, then press Enter.
12 Upon completing the setup process, you will be prompted to start the ViPNet Coordinator HW/VA command line interface (Do you want to start the command shell now?). To do this, type y. To cancel the operation, type n. Then press Enter.
13 If necessary, upon key set installation, you can configure the host (see Quick Reference on page 10).

Deleting Keys from ViPNet Coordinator HW/VA

Sometimes you may need to delete keys from your ViPNet Coordinator HW/VA. For example, you may have a ViPNet Coordinator HW/VA host that works as a coordinator on your network, and you want to deploy it as a new coordinator in a different network location. In such a case, you will need to install a new key set on the host. Before this, you must delete the current keys from the host. To do this:
1 In the command line interface (see Managing a ViPNet Coordinator HW/VA Host on page 45), log on as an administrator by executing the enable command.
2 Execute the admin remove keys command.
3 Confirm that you want to delete the keys by typing Yes and pressing Enter.
4 Wait until the keys are deleted. After that, you can install a new key set (see Installing a Key Set on page 36).

Restoring ViPNet Coordinator HW/VA to the Factory State

When you restore your ViPNet Coordinator HW/VA appliance to the factory state, all its user-defined settings, keys, and logs are discarded, and the software returns to the state in which it was immediately after its installation. You may need to reset the appliance in the following cases:
- You want to transfer a ViPNet Coordinator HW/VA host to other users, and you want the host's keys, logs, and any other information about its previous state to be unavailable to the new users.
- Due to a software failure, you can't access the user interface.

To restore to the factory state, use a removable USB drive containing the special configuration file hwinit_reset.xml. This file is automatically created on the ViPNet Network Manager host, in the ViPNet_NNNN_keys folder (where NNNN is the number of your ViPNet network), when you save keys for the ViPNet Coordinator HW/VA host (see Configuring ViPNet Coordinator HW/VA in ViPNet Network Manager on page 32). Like the other USB-driven operations, the reset requires no logon on the appliance (see Access Modes and Permissions on page 43), so the drive carrying this file should be prepared only when you intend to reset, and not left connected to an appliance that is in service.

To restore the ViPNet Coordinator HW/VA to the factory state:
1 In ViPNet Network Manager, save keys for the ViPNet Coordinator HW/VA host. The hwinit_reset.xml file will be created automatically.
2 Copy the hwinit_reset.xml file from the ViPNet_NNNN_keys folder to the root folder of a removable USB drive.
3 If the ViPNet Coordinator HW/VA appliance is turned on, turn it off.
4 Connect the USB drive to the appliance.
5 Turn on the appliance. The ViPNet Coordinator HW/VA software will detect the USB drive with the hwinit_reset.xml file. Then the ViPNet keys will be removed, and the software settings will be cleared automatically. The appliance will reboot.
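The three unattended USB operations described in this chapter (automatic upgrading, automatic key set installation and restoring to the factory state) are all triggered by what the appliance finds in the root folder of the drive at boot, so a drive prepared for one of them must not carry the trigger file of another. The following script is an added example and is not Infotecs software; it checks the root folder of a drive before you connect it. The file names are the ones quoted in this guide; the regular expressions standing in for the "x.x-xxx" version placeholder, the rule that both upgrade files carry the same version string, and the rule that a reset drive should not carry key sets are this example's own assumptions.

```python
"""Pre-flight check for a USB drive prepared for a ViPNet Coordinator HW/VA appliance.

Added example for this guide, not part of the ViPNet software. The file names are
the ones the guide quotes; the version pattern, the version-match rule and the
"no keys on a reset drive" rule are assumptions made by this script.
"""
import os
import re

KEYSET_CONFIG = "hwinit_set.xml"    # triggers automatic key set installation
RESET_CONFIG = "hwinit_reset.xml"   # triggers restoring to the factory state
# Assumed expansion of the "x.x-xxx" placeholder used in the guide.
UPGRADE_CONFIG = re.compile(r"^hwinit-(\d+\.\d+-\d+)_upgrade\.xml$")
UPGRADE_PACKAGE = re.compile(r"^coordinator_driv_(\d+\.\d+-\d+)\.lzh$")

ACTIONS = ("install-keys", "upgrade", "reset")


def check_names(names, intended):
    """Return the problems found in a list of root-folder file names.

    intended is one of ACTIONS. An empty list means the root holds exactly what
    that unattended action needs and nothing that could start a different one.
    """
    if intended not in ACTIONS:
        raise ValueError(f"unknown action {intended!r}")
    dst = [n for n in names if n.lower().endswith(".dst")]
    upgrade_cfg = [n for n in names if UPGRADE_CONFIG.match(n)]
    upgrade_pkg = [n for n in names if UPGRADE_PACKAGE.match(n)]
    has_set = KEYSET_CONFIG in names
    has_reset = RESET_CONFIG in names
    problems = []

    # hwinit_reset.xml wipes keys, settings and logs on the next boot, so it
    # must never ride along on a drive meant for anything else.
    if has_reset and intended != "reset":
        problems.append(f"{RESET_CONFIG} present: the appliance would be reset to the factory state")

    if intended == "install-keys":
        if not has_set:
            problems.append(f"{KEYSET_CONFIG} missing: automatic installation will not start")
        if len(dst) != 1:
            problems.append(f"exactly one .dst key set expected in the root, found {len(dst)}")
        if upgrade_cfg or upgrade_pkg:
            problems.append("upgrade files present: keep software upgrades on a separate drive")
    elif intended == "upgrade":
        if len(upgrade_cfg) != 1 or len(upgrade_pkg) != 1:
            problems.append("exactly one hwinit-x.x-xxx_upgrade.xml and one "
                            "coordinator_driv_x.x-xxx.lzh expected in the root")
        else:
            cfg_ver = UPGRADE_CONFIG.match(upgrade_cfg[0]).group(1)
            pkg_ver = UPGRADE_PACKAGE.match(upgrade_pkg[0]).group(1)
            if cfg_ver != pkg_ver:  # assumption: both files of one upgrade share a version
                problems.append(f"version mismatch: config {cfg_ver}, package {pkg_ver}")
        if has_set or dst:
            problems.append("key set files present: the boot action would be ambiguous")
    else:  # reset
        if not has_reset:
            problems.append(f"{RESET_CONFIG} missing: the reset will not start")
        if has_set or dst:
            problems.append("key set files present: a reset drive should not carry keys")
    return problems


def check_drive_root(root, intended):
    """Run check_names on the regular files found directly in a mounted drive's root."""
    names = [n for n in os.listdir(root) if os.path.isfile(os.path.join(root, n))]
    return check_names(names, intended)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        found = check_drive_root(sys.argv[1], sys.argv[2])
    else:
        # Constructed sample: a key set drive with a stray reset file in its root.
        found = check_names(["hwinit_set.xml", "abcd0001.dst", "hwinit_reset.xml"], "install-keys")
    for problem in found:
        print("PROBLEM:", problem)
    print("ok" if not found else f"{len(found)} problem(s) found")
```

Run it as `python3 usbcheck.py /media/usb install-keys` (or `upgrade`, `reset`) against the mounted drive; a non-empty problem list means the drive should be fixed before it is plugged into the appliance.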

3 Accessing ViPNet Coordinator HW/VA
Access Modes and Permissions 43
Managing a ViPNet Coordinator HW/VA Host 45

Access Modes and Permissions

Deployment and maintenance of a ViPNet Coordinator HW/VA host is performed in one of the following access modes:
- the no authentication mode;
- the host user mode;
- the host administrator mode;
- the network administrator mode.
Accessing the host may require authentication with passwords.

Table 9: Main actions available in the four access modes

Access mode       | No authentication        | Host user                                                                   | Host administrator                                                          | Network administrator
Access interface  | USB drive (local access) | web interface (remote access), command line interface (local/remote access) | web interface (remote access), command line interface (local/remote access) | the ViPNet Network Manager program (remote access)
Authentication    | no                       | user password                                                               | user password, ViPNet hosts' administrator password                         | ViPNet Network Manager user password

Setup
Installing the ViPNet software                | yes | yes | yes | no
Installing a key set                          | yes | yes | yes | no
Upgrading the ViPNet software                 | yes | yes | yes | yes

Maintenance
Monitoring and diagnostics                    | no  | yes | yes | no
Making system settings                        | no  | no  | yes | no
Configuring network interfaces                | no  | no  | yes | yes
Configuring the integrated firewall           | no  | no  | yes | no
Starting and stopping the integrated services | no  | yes | yes | no
Configuring the integrated services           | no  | no  | yes | no
Configuring ViPNet and IPsec VPN              | no  | no  | yes | yes

For more information about obtaining the host user's and the hosts' administrator's passwords, see the document ViPNet VPN. User's Guide, the chapter Managing a ViPNet Network.

Managing a ViPNet Coordinator HW/VA Host

You can manage a ViPNet Coordinator HW/VA by one of the following means:
- Locally, by using a USB drive to install a key set (see Installing a Key Set on page 36) or to upgrade the ViPNet Coordinator HW/VA software (see Upgrading the software on a ViPNet Coordinator HW/VA appliance on page 29) without a user logon.
- From ViPNet Network Manager. This allows ViPNet network administrators to configure network settings, external firewall parameters, and other settings. These settings are applied on the ViPNet Coordinator HW/VA host when you install a key set (see Installing a Key Set on page 36) or when the host keys sent from ViPNet Network Manager via your ViPNet network are received on the ViPNet Coordinator HW/VA. Although you can configure these parameters by other means, we strongly recommend that you set the network parameters (network interfaces, the default gateway, routes), external firewall parameters, and tunneled hosts' addresses in ViPNet Network Manager. We also recommend that you specify the IP addresses and DNS names in ViPNet Network Manager, too, because this makes network administration easier and the corresponding changes in other hosts' settings are made centrally by sending out host key updates to them. To find out more about working with ViPNet Network Manager, see the document ViPNet VPN. User's Guide.
Note: If you are using ViPNet Network Manager version 4.0 or earlier, you will not have access to the ViPNet Coordinator HW/VA hosts' network settings.
- Via the web interface. This allows you to configure the host's network settings, system parameters, and integrated services. The web interface runs on a web server integrated in the ViPNet Coordinator HW/VA appliance. The web interface is a convenient way to configure a ViPNet Coordinator HW/VA from any ViPNet host that has a link with it in the ViPNet network or from any computer located on the same local network. To access the web interface, in the address bar of a web browser, type the IP address of the ViPNet Coordinator HW/VA host (see Logging On to the Web Interface on page 46). To log on, use the ViPNet host user's password.

- Via the command line interface. This allows you to configure all of the host's parameters. Some settings can be made only by using the command line, including the parameters of the integrated firewall. You can use the command line interface in the following ways:
  - locally, by connecting a monitor and a keyboard to the appliance;
  - remotely, over the SSH protocol.
The command line interface becomes available upon the ViPNet Coordinator HW/VA user's logon. To log on to ViPNet Coordinator HW/VA, enter the login user and your user password. The command line interface may function in one of the following two access modes (see Access Modes and Permissions on page 43):
  - The host user mode (the default mode), with a limited set of commands available. In this mode, the '>' symbol is used as the command prompt.
  - The host administrator mode, which provides access to all available commands. In this mode, the '#' symbol is used as the command prompt.
To switch to the administrator mode, execute the enable command and enter the ViPNet host's administrator password. To exit the administrator mode, execute the exit command.
For the conventions used to describe the commands in the command line interface, see Document Conventions (on page 9). For a detailed description of the ViPNet Coordinator HW/VA commands, see the document ViPNet Coordinator HW/VA. Reference Guide.
Note: You may access the ViPNet Coordinator HW/VA host from other ViPNet hosts over the web and command line interfaces without any additional configuration. If you need to access the host from a host without ViPNet software, set the filters on the ViPNet Coordinator HW/VA to allow the inbound HTTP or SSH connection with this host, respectively (see Traffic Filtering Rules on page 104). Such a connection from a host without ViPNet software is not protected by the ViPNet network, so allow it only for the specific management host you need rather than for the whole local network.

Logging On to the Web Interface

Using the ViPNet Coordinator HW/VA web interface is an easy way to configure the network connection, system settings, and integrated services of a ViPNet Coordinator HW/VA host.

After a ViPNet Coordinator HW/VA is deployed, including the installation of a key set (see Installing a Key Set on page 36), you can remotely access the ViPNet Coordinator HW/VA via its web interface. To do this, on a protected host that has a link with the ViPNet Coordinator HW/VA, do one of the following:
- In the ViPNet Monitor program:
  - Open the Private Network section.
  - In the view pane, select the ViPNet Coordinator HW/VA host.
  - On the toolbar, click Web. The logon page will open in your default web browser.
- Access the ViPNet Coordinator HW/VA logon page in your web browser by typing its IP address.
Note: In this way, you can access the ViPNet Coordinator HW/VA from any host located with it in the same local network, provided that the filters on the ViPNet Coordinator HW/VA allow the inbound HTTP connection with this host (see Traffic Filtering Rules on page 104).

On the logon page, do the following:
1 In the corresponding box, type the host user's password.
2 Click Log on. The home page will open. After you log on as a user, you can view the ViPNet Coordinator HW/VA settings, but you can't modify any settings.
3 To configure the ViPNet Coordinator HW/VA settings, enter the administrator password. To log on as an administrator:
3.1 Click Log on as an administrator in the top right corner of the web page.
3.2 In the Log on as an administrator window, enter the hosts' administrator's password.
Several user sessions may be running at a time, but there may be only one administrator session. If another administrator logs on while your administrator session is active, you will be disconnected. Note that, if you are logged on as a user, the ViPNet Coordinator HW/VA settings may be modified by an administrator in another session. In this case, you will not be able to see the new settings until you refresh the page in your web browser.

Note: To refresh the information displayed in the ViPNet Coordinator HW/VA web interface, press F5.
4 To exit the ViPNet Coordinator HW/VA web interface, click Log out in the top right corner of the web page. Note that you will be logged out automatically if you stay inactive for 15 minutes.

Managing ViPNet Coordinator HW/VA via the Web Interface

With the web interface, you can access the following parameters:
Figure 2: Web interface home page
1 Logon mode (see Access Modes and Permissions on page 43):
- In the host user mode, you can view system and network settings, turn the integrated services on and off, and view their settings.
- In the host administrator mode, you can also modify the host's settings.

2 Network settings (see Configuring ViPNet Coordinator HW/VA Network Settings via the Web Interface on page 65):
- Connecting to an Ethernet network.
- Connecting to a Wi-Fi network.
- Modifying the routing table.
3 Proxy server components (see Configuring the Proxy Server on page 83):
- Proxy server general settings.
- Content filter.
- Anti-virus.
4 Network services:
- DHCP server (see Configuring a DHCP Server on page 78).
- NTP server (see Configuring an NTP Server on page 81).
- DNS server (see Configuring a DNS Server on page 80).
5 VIP server (see Configuring the VIP Server on page 91).
6 System settings (see Configuring System Settings on page 50).

4 Configuring System Settings
Configuring Date and Time 51
Configuring the Swap File 52
Configuring Event Log Settings 53
Viewing the System Info 54

Configuring Date and Time

For a ViPNet Coordinator HW/VA appliance to communicate with other ViPNet hosts correctly, you should configure the system date and time as described below.
Warning: If the system date and time have been specified incorrectly, encrypted connections with other ViPNet hosts may be blocked.
To configure the system date and time:
1 Log on to the ViPNet Coordinator HW/VA web interface as an administrator (see Logging On to the Web Interface on page 46).
2 On the home page, click System Settings.
3 At the top of the page, click Date and time settings.
Figure 3: Changing date and time settings
4 To change the time zone:
4.1 In the Time zone box, select the geographical area where the ViPNet Coordinator HW/VA host is located.
4.2 Click Save the time zone. The current time in the box below will be updated automatically.
5 To change the current date and time:
5.1 Click the icon next to the Date box, and then select the current date by using the calendar.
5.2 In the Time box, type the current time in the 24-hour HH:MM format.
5.3 Click Save the date and time.

Configuring the Swap File

A swap file provides additional virtual memory, which may be used by the software running on your appliance. You can configure the swap file by using the command line interface (see Managing a ViPNet Coordinator HW/VA Host on page 45).
Note: ViPNet Coordinator HW modifications HW 100 X1/X4/X5/X6 do not support expanding virtual memory by swapping.
To configure the swap file:
- To specify the maximum swap file size, execute this command:
  machine swap set <size in megabytes>
  If you specify a swap file size that exceeds the available free disk space, a corresponding message will be displayed.
  Warning: After you specify the maximum swap file size, at least 256 MB of free disk space should remain.
- To enable swapping, execute this command:
  machine swap mode on
- To view information about memory and swap file usage, execute this command:
  machine show memory
- To disable swapping, execute the following command:
  machine swap mode off
  After you execute this command, the swap file will be deleted.

Configuring Event Log Settings

The event log contains information on the events that have occurred during ViPNet Coordinator HW/VA operation. The event log may be stored on a local disk or on another, specially configured host. To work with the event log, use the following commands:
- To specify a host to store the event log on, or to disable event logging, execute the command:
  machine set loghost {local | <IP address> | null}
  To specify the host, choose one of the following values:
  local: the ViPNet Coordinator HW/VA's local disk;
  <IP address>: the IP address of the host to which the system event information will be sent;
  Note: If this is not a protected host, configure a firewall rule (see Configuring Unencrypted Traffic Processing Rules on page 102) that will allow the traffic directed to this host over UDP to port 514.
  null: don't log events.
- If the event log is stored on a local disk, to view the log, execute this command:
  machine show logs
- You can export the event log stored on a local disk to a removable USB drive with the FAT32 or ext2 file system. To do this, connect the USB drive to the appliance and execute this command:
  admin export logs usb
- To delete the event log stored on a local disk, execute this command:
  admin remove logs
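When the event log is sent to another host, it leaves the appliance over UDP port 514 (the traffic the note above asks you to allow), so the receiving host needs a collector and, because UDP carries no sender authentication, should accept datagrams only from the coordinator's own address. The following collector is an added example and is not Infotecs software. It assumes the appliance emits standard BSD syslog (RFC 3164) datagrams, which the guide does not state; the sample datagram, host name and message text are constructed for the example and do not reproduce the appliance's actual log lines.

```python
"""Minimal UDP syslog collector for a ViPNet Coordinator HW/VA event log host.

Added example for this guide, not Infotecs software. It assumes the appliance
sends BSD syslog (RFC 3164) datagrams to UDP port 514; the sample datagram
below is constructed and does not reproduce the appliance's real log format.
"""
import re
import socket

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.S)
# RFC 3164 header: "Mmm dd hh:mm:ss hostname message" (day may be space padded).
HEADER_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

# Constructed sample datagram; PRI 38 = facility 4 (auth), severity 6 (info).
SAMPLE = b"<38>Jan  5 12:34:56 hw1000 sshd: Accepted password for user from 10.0.0.7"


def parse_syslog(datagram):
    """Decode one RFC 3164 datagram into facility, severity, timestamp, host and message."""
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    rest = m.group(2).decode("utf-8", errors="replace")
    h = HEADER_RE.match(rest)
    if h:
        timestamp, host, message = h.groups()
    else:  # some senders omit the header; keep the raw text as the message
        timestamp, host, message = None, None, rest
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "timestamp": timestamp,
        "host": host,
        "message": message.rstrip("\r\n"),
    }


def accept(source_ip, allowed_sources):
    """UDP syslog has no sender authentication: trust only the coordinator's address."""
    return source_ip in allowed_sources


def collect(allowed_sources, bind_addr="0.0.0.0", port=514, max_events=None):
    """Receive datagrams, drop unexpected senders, and yield parsed events."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    seen = 0
    try:
        while max_events is None or seen < max_events:
            data, (src, _port) = sock.recvfrom(65535)
            if not accept(src, allowed_sources):
                continue  # silently drop spoofable traffic from unknown hosts
            try:
                event = parse_syslog(data)
            except ValueError as exc:
                event = {"facility": None, "severity": None, "timestamp": None,
                         "host": None, "message": f"unparseable datagram: {exc}"}
            event["source_ip"] = src
            seen += 1
            yield event
    finally:
        sock.close()


if __name__ == "__main__":
    print(parse_syslog(SAMPLE))  # offline demonstration on the constructed sample
    # For a live run (binding port 514 needs root), put the coordinator's address
    # in the set, for example: for e in collect({"192.0.2.10"}): print(e)
```

The allowed-source check is the important part: a host that accepts syslog from anywhere lets any machine on the path inject fake appliance events into your records, so pair the collector with the firewall rule on the coordinator side and a matching inbound filter on the log host.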

Viewing the System Info

To get information about CPU and memory usage and view the status of the ViPNet Coordinator HW/VA software components:
1 Log on to the ViPNet Coordinator HW/VA web interface (see Logging On to the Web Interface on page 46).
2 On the home page, click System Settings.
3 At the top of the page, click System state. The ViPNet identifier of your host, the statuses of the software components, memory information, and CPU and memory usage time diagrams will be displayed.
Figure 4: Viewing the system status
4 To view detailed information on the versions of the ViPNet Coordinator HW/VA components, at the bottom of the page, click About ViPNet Coordinator HW/VA.

To obtain additional information on the state of the ViPNet Coordinator HW/VA components or to view logs, you may use the following commands of the command line interface (see Managing a ViPNet Coordinator HW/VA Host on page 45):
- To check the connection with an unprotected or tunneled host:
  inet ping <IP address>
- To check the connection with a ViPNet host:
  iplir ping <ViPNet host identifier>
  When you type an identifier, autocomplete and prompting features work. The data for prompting is taken from the list of the ViPNet Coordinator HW/VA host's links.
- To view the firewall configuration file (see Configuring the Integrated Firewall on page 98):
  iplir show config firewall
- To view the IP packets log (see Viewing the IP Packets Log on page 109):
  iplir view
- To view the event log (see Configuring Event Log Settings on page 53):
  machine show logs

5 Connecting ViPNet Coordinator HW/VA to a Network
About Configuring Network Settings 57
Configuring ViPNet Coordinator HW/VA Network Settings in ViPNet Network Manager 58
Configuring ViPNet Coordinator HW/VA Network Settings via the Web Interface 65
Connecting to an Ethernet Network by Using the Command Line Interface 74

About Configuring Network Settings

You can configure ViPNet Coordinator HW/VA network settings in one of the following ways:
- Remotely, from the VPN administrator's workplace (see Configuring ViPNet Coordinator HW/VA Network Settings in ViPNet Network Manager on page 58).
- Remotely, from other ViPNet hosts linked with it on the VPN, via the web interface (see Configuring ViPNet Coordinator HW/VA Network Settings via the Web Interface on page 65). This can be done only when the ViPNet Coordinator HW/VA host is on the network.
- In the command line interface, locally or remotely over the SSH protocol (see Connecting to an Ethernet Network by Using the Command Line Interface on page 74). We recommend that you use it in the following cases:
  - If a ViPNet Coordinator HW/VA host disconnects from the network and becomes inaccessible from other hosts. After you restore access to the host from other computers, you will be able to make the rest of the necessary network settings in ViPNet Network Manager or via the web interface.
  - If you are configuring the network settings of a failover cluster (see Failover System Purpose on page 119).
Warning: The command line interface is the only correct way to configure network interfaces on a failover cluster. The settings that you make on the administrator's workplace (in ViPNet Network Manager) or via the web interface will not be applied on the cluster or will cause conflicts in its configuration.

Configuring ViPNet Coordinator HW/VA Network Settings in ViPNet Network Manager

Warning: If you are working with a failover cluster, do not configure its network settings in ViPNet Network Manager, because the settings you make will not be applied on the cluster or will disturb its configuration. To configure the network settings of the cluster, use the command line interface (see Connecting to an Ethernet Network by Using the Command Line Interface on page 74).

Configure the ViPNet Coordinator HW/VA network settings in ViPNet Network Manager in the following way:
1 Configure connecting to an Ethernet network (see Connecting to an Ethernet Network with ViPNet Network Manager on page 59).
2 If necessary, configure tunneling (see Configuring Tunneling on a ViPNet Coordinator HW/VA on page 63).
3 Do one of the following:
- If you are performing the ViPNet Coordinator HW/VA setup and you have not yet installed a key set on it:
  - In ViPNet Network Manager, create a key set.
  - Install the key set on the ViPNet Coordinator HW/VA host.
  Warning: Do not reinstall a key set on a host with a key set installed earlier. This may cause conflicts on the VPN.
- If the key set is already installed on the ViPNet Coordinator HW/VA host, in ViPNet Network Manager, send host keys to the host.
For more information about creating key sets and sending keys to hosts, see the document ViPNet VPN. User's Guide.

4 If you assigned static IP addresses when connecting to a network, then, on the ViPNet Coordinator HW/VA host, manually specify the IP addresses of the DNS servers (see Configuring a DNS Server on page 80) and NTP servers (see Configuring an NTP Server on page 81) that you would like to use. If you selected dynamic IP addresses, the DNS and NTP servers may have been obtained automatically from the DHCP server. Check this by viewing the list of available DNS servers (see Configuring a DNS Server on page 80) and NTP servers (see Configuring an NTP Server on page 81). If the addresses have not been obtained automatically, specify them manually, following the guidelines in the specified sections.

Connecting to an Ethernet Network with ViPNet Network Manager

Perform the steps given in this section on the host with ViPNet Network Manager.
Note: You will be able to go through the steps given below only if you have ViPNet Network Manager version 4.1 or later. Otherwise, configure the connection by using the web interface (see Connecting to an Ethernet Network on page 65) or the command line interface (see Connecting to an Ethernet Network by Using the Command Line Interface on page 74).
To connect your ViPNet Coordinator HW/VA to an Ethernet network, do the following:
1 In the main window of the ViPNet Network Manager program, in the navigation pane, in the hosts list, select the ViPNet Coordinator HW/VA host.
2 In the view pane, select the Network Options tab.
3 Configure each interface of the host in the following way:

60 3.1 By clicking Add r Edit belw the Netwrk Interfaces list, create a new r edit an existing netwrk interface. Figure 5: Adding a new netwrk interface 3.2 In the Netwrk Interface windw, in the Interface name bx, select the netwrk interface yu want t cnfigure. Ethernet interfaces installed in the perating system get the names eth0, eth1, and s n (accrding t the number f the interfaces in the system). 3.3 Make sure that the Enable the interface at the startup f the appliance check bx is selected. 3.4 Cnfigure the IP address f the interface: If yu want t assign a static IP address, select Use Static IP address and set the IP address and the mask. If yu want the IP address t be btained autmatically frm the DHCP server, select Autmatically (via DHCP). If necessary, set the default gateway IP address t be btained frm a DHCP server by selecting the crrespnding check bx. ViPNet Crdinatr HW/VA 3.3. Administratr's Guide 60

61 If required, assign IP address aliases t the netwrk interface (see Prviding Access t a ViPNet Crdinatr HW/VA Hst by Assigning IP Address Aliases n page 128). T d this, click Add and set the alias. Figure 6: Cnfiguring a netwrk interface 3.5 T save the changes, click OK. 4 In the Default gateway bx, type the IP address f the default gateway. Figure 7: Setting the default gateway ViPNet Crdinatr HW/VA 3.3. Administratr's Guide 61

62 5 If required, cnfigure the static rutes f the hst. By clicking Add r Edit belw the Static rutes list, create a new r edit an existing static rute. Figure 8: Adding a new static rute In the Static Rute windw, set the needed parameters, and then click OK. 6 In the view pane, select the Firewall tab. Make the fllwing settings: If the hst will access the netwrk by using an external firewall, select the Use firewall check bx. Select the type f the firewall and make the rest settings. If the hst will access the netwrk directly, withut using an external firewall, clear the Use firewall check bx. ViPNet Crdinatr HW/VA 3.3. Administratr's Guide 62

63 Figure 9: Cnfiguring access t the netwrk thrugh an external firewall Cnfiguring Tunneling n a ViPNet Crdinatr HW/VA Perfrm the steps given in this sectin n the hst with ViPNet Netwrk Manager. T cnfigure tunneling n a ViPNet Crdinatr HW/VA, d the fllwing: 1 In the main windw f the ViPNet Netwrk Manager prgram, in the navigatin pane, in the hsts list, select the ViPNet Crdinatr HW/VA hst that will perfrm the tunneling. 2 In the view pane, select the Tunneling tab. 3 By clicking Add r Edit, add a new r edit a selected IP address r addresses range fr tunneling. Figure 10: Adding a tunneled IP address ViPNet Crdinatr HW/VA 3.3. Administratr's Guide 63

64 4 In the IP Address r Range windw, specify the address r the range f addresses that will be tunneled, then click OK. Figure 11: Setting a tunneled IP addresses range ViPNet Crdinatr HW/VA 3.3. Administratr's Guide 64

Configuring ViPNet Coordinator HW/VA Network Settings via the Web Interface

Warning: If you are working with a failover cluster, do not configure its network settings via the web interface, because the settings you make will either not be applied on the cluster or will disturb its configuration. To configure the network settings of a cluster, use the command line interface (see Connecting to an Ethernet Network by Using the Command Line Interface on page 74).

Connecting to an Ethernet Network

To configure a connection to an Ethernet network via the web interface:
1 Log on to the ViPNet Coordinator HW/VA web interface as an administrator (see Logging On to the Web Interface on page 46).
2 On the home page, click Network Settings.
3 On the Network Interfaces page, in the left pane, select the network interface you want to configure. The Ethernet interfaces installed in the operating system take the names eth0, eth1, and so on (according to the number of interfaces in the system).
Figure 12: Ethernet interface settings
4 Make sure that the network interface is enabled. Otherwise, click the switch at the top of the page. The status of the network interface is displayed next to the switch.
5 Select how you would like to configure the connection:
- Automatically: obtain the connection settings from a DHCP server.
- Manually: assign a static IP address to the interface.
6 If you have decided to configure the connection manually:
- In the corresponding boxes, specify an IP address and a network mask for the interface, then click Save.
- Specify the IP addresses of the DNS servers (see Configuring a DNS Server on page 80) and NTP servers (see Configuring an NTP Server on page 81) that you will use.
Note: If you select automatic configuration, the IP addresses of DNS and NTP servers may be obtained from a DHCP server.
7 If required, modify the routing table of the host (see Modifying the Routing Table on page 72).
8 If required, assign IP address aliases to the network interface (see Assigning IP Address Aliases on page 71).

Connecting to a Wi-Fi Network

If your ViPNet Coordinator HW/VA appliance has a Wi-Fi adapter, you can connect to a wireless network.

Note: A ViPNet Coordinator HW/VA host may also function as an access point (see Configuring a Wi-Fi Access Point on page 77). Functioning as a client and an access point at the same time is not supported in ViPNet Coordinator HW/VA.

To configure a connection to a Wi-Fi network as a client:
1 Log on to the ViPNet Coordinator HW/VA web interface as an administrator (see Logging On to the Web Interface on page 46).
2 On the home page, click Network Settings.
3 On the Network interfaces page, in the left pane, select the Wi-Fi network interface. The Wi-Fi interface installed in the operating system is assigned the name wlan0.
Figure 13: Connecting to a Wi-Fi network
4 Make sure that the Wi-Fi interface is enabled. Otherwise, click the switch at the top of the page. The status of the network interface is displayed next to the switch.
5 In the Wi-Fi mode box, select Client. A list of available Wi-Fi networks will be displayed. Protected networks, and networks with unsupported authentication types, are each marked with their own icon. To refresh the list of available networks, click Refresh.
6 In the list of available Wi-Fi networks, select the network you want to connect to, and then click Connect.
7 If the network is protected, in the Connect to <network name> window, type the network password, and then click Connect.
If you want to connect to a hidden Wi-Fi network, and you know the name of this network and the security key, do the following:
1 On the Wi-Fi configuration page, select the client connection mode (see earlier in this section).
2 Click Connect to a hidden network.
3 In the Connect to a Hidden Network window, specify the name, encryption type, and password of the network you want to connect to.
Figure 14: Connecting to a hidden network
4 Click Connect.

Connecting to a 3G/LTE Mobile Network

ViPNet Coordinator HW/VA can connect to the Internet over 3G/LTE by using a USB modem. In the operating system, a 3G/LTE modem is displayed as a network interface named pppx.
To connect to the Internet, you can use the services of any mobile operator. To do this, buy a SIM card and enable the required services (if necessary). For more information on the terms of connecting to the mobile Internet, contact your mobile provider.

Warning: An appliance that is configured to access the Internet via a 3G/LTE modem cannot simultaneously connect to the Internet via any other interface (Ethernet or Wi-Fi).

To connect to a mobile network, do the following:
1 Log on to the ViPNet Coordinator HW/VA web interface as an administrator (see Logging On to the Web Interface on page 46).
2 Check that default gateways are not assigned to any of the appliance's network interfaces (manually or over DHCP):
2.1 On the home page, click Network Settings.
2.2 On the Network Interfaces page, in the left pane, select each interface one by one and check whether its connection is configured automatically (via DHCP).
Figure 15: Checking interface parameters
If it is configured automatically (for Configure connection, the option Automatically is selected), do one of the following:
- disable the interface by clicking the switch at the top of the page;
- for Configure connection, select the option Manually and click Save.
2.3 On the Static Routes page, click the Refresh button.
2.4 Check whether any default gateway records are present in the table. If they are, delete them from the table by clicking the icon, and then OK. A default gateway record can be recognized by its Destination address and Subnet mask values.
Figure 16: Default gateway displayed in the static routes table
2.5 Return to the home page by clicking the icon at the top left.
3 Enable the modem:
3.1 Connect the 3G/LTE modem to your appliance's USB port.
3.2 On the home page, click Network Settings.
3.3 On the Network Interfaces page, in the left pane, select the modem interface that you want to configure.
3.4 In the Mobile operator box, select your mobile operator.
Figure 17: Configuring the 3G/LTE modem
3.5 If your SIM card is PIN-protected, in the PIN box, type your PIN code.
3.6 To save the settings, click Save.
3.7 Enable the modem by clicking the switch at the top of the page.
3.8 Return to the home page by clicking the icon at the top left.
4 Configure the integrated firewall to allow hosts on the LAN behind the coordinator to access the Internet via the 3G/LTE connection. If your Coordinator HW platform supports the proxy server functions (see ViPNet Coordinator HW hardware appliances on page 12), you can configure the proxy server (see Configuring Proxy General Settings on page 84), and the firewall will be configured automatically. Otherwise, you will need to configure the integrated firewall manually (see Configuring the Integrated Firewall Manually for Hosts' Access to the Internet from a LAN on page 150).
5 On the computers accessing the Internet through the appliance, make the following settings:
- If you have enabled the transparent proxy server mode, set the appliance as the computer's default gateway.
- If you have not enabled the transparent mode, then, in the web browser, set the appliance as the proxy server. Use the appliance's IP address and the port it listens on in the corresponding network.

Note: To optimize your 3G/LTE mobile network connection and to reduce the possibility of errors, we recommend that you configure a daily automatic reboot of your appliance. You can schedule it for a non-critical time (for example, during the night). For more information, see the document ViPNet Coordinator HW/VA. Reference Guide, section Connecting to a 3G/LTE Mobile Network.

Assigning IP Address Aliases

Assigning IP address aliases to network interfaces is useful for implementing a variety of network topologies (see Providing Access to a ViPNet Coordinator HW/VA Host by Assigning IP Address Aliases on page 128).

To assign IP address aliases on a network interface, do the following:
1 Log on to the ViPNet Coordinator HW/VA web interface as an administrator (see Logging On to the Web Interface on page 46).
2 On the home page, click Network Settings.
3 On the Network interfaces page, in the left pane, select the network interface you want to configure.
4 To add an IP address alias to the network interface:
4.1 Under Aliases for eth, click Add.
4.2 In the new row, specify the IP address and network mask you want to assign to the network interface. Then click Save.
Figure 18: IP address aliases
5 To modify an IP address alias:
5.1 Double-click the entry of the alias you want to modify.
5.2 Edit the IP address and network mask, then click Save.
6 To delete an IP address alias:
6.1 In the entry of the alias you want to delete, click the icon.
6.2 In the message box, click OK. The alias will be deleted.

Modifying the Routing Table

If required, you can modify the routing table of a ViPNet Coordinator HW/VA host. To do this:
1 Log on to the ViPNet Coordinator HW/VA web interface as an administrator (see Logging On to the Web Interface on page 46).
2 On the home page, click Network Settings.
3 At the top of the page, click Routing. The routing table will be displayed, containing the following routes:
Figure 19: The routing table
1. The default gateway.
2. The user-defined routes.
3. The routes added automatically for each network interface and its aliases. They are derived from the interfaces' IP addresses and cannot be modified or deleted. In the example given above, the interfaces have the following IP addresses:
eth0:
eth0 alias:
eth1:
Note: If no routes are displayed in the table, refresh it by clicking Refresh.
4 To add or modify the default gateway, in the corresponding box, type its IP address and click Save. The default gateway entry in the routing table will be updated.
5 To add a new route: Click Add. For the new route, specify the destination IP address, the gateway used to reach the destination, and the subnet mask. The network interface will be determined automatically. Click Save.
6 To modify a route: Double-click the route entry you want to modify. Edit the route properties, then click Save.
7 To delete a route: In the route entry you want to delete, click the icon. In the message box, click OK. The route will be removed.
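The routing table described above is made up of three kinds of entries: the default gateway, the user-defined static routes, and the routes the appliance derives from each interface address and alias. The following Python model is an added example, not code from the ViPNet guide; it builds such a table from constructed sample addresses (the guide's own figure values are not reproduced), picks the egress interface for a static route the way the text says the appliance does (automatically, from the connected network that contains the gateway), and resolves destinations by longest prefix match.

```python
"""Routing-table model: default gateway, static routes and connected routes
(derived from interface addresses and aliases) with longest-prefix lookup.

Added example, not code from the ViPNet documentation.  All interface
addresses, aliases, static routes and gateways are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means directly connected
    interface: str
    kind: str  # "default", "static" or "connected"


def connected_routes(interfaces: Dict[str, List[str]]) -> List[Route]:
    """Routes the appliance adds for every interface address and alias.

    `interfaces` maps an interface name to "address/prefix" strings; the
    first is the primary address, the rest are its aliases.  Because these
    routes follow from the addresses, they are not edited directly.
    """
    routes = []
    for name, cidrs in interfaces.items():
        for cidr in cidrs:
            iface = ipaddress.ip_interface(cidr)
            routes.append(Route(iface.network, None, name, "connected"))
    return routes


def interface_for_gateway(connected: List[Route],
                          gateway: ipaddress.IPv4Address) -> str:
    """Egress interface chosen automatically: the interface whose directly
    connected network contains the gateway address."""
    for route in connected:
        if gateway in route.network:
            return route.interface
    raise ValueError(f"gateway {gateway} is not on any directly connected network")


def build_table(interfaces: Dict[str, List[str]],
                static_routes: List[Tuple[str, str]],
                default_gateway: Optional[str]) -> List[Route]:
    """Assemble the full table and order it for longest-prefix matching."""
    connected = connected_routes(interfaces)
    table = list(connected)
    for destination, gateway in static_routes:
        gw = ipaddress.ip_address(gateway)
        table.append(Route(ipaddress.ip_network(destination), gw,
                           interface_for_gateway(connected, gw), "static"))
    if default_gateway is not None:
        gw = ipaddress.ip_address(default_gateway)
        table.append(Route(ipaddress.ip_network("0.0.0.0/0"), gw,
                           interface_for_gateway(connected, gw), "default"))
    # Most specific prefix first, so the first match in lookup() wins.
    table.sort(key=lambda r: r.network.prefixlen, reverse=True)
    return table


def lookup(table: List[Route], destination: str) -> Optional[Route]:
    """Most specific route for `destination`; None when nothing matches
    (for example, no default gateway is set)."""
    dst = ipaddress.ip_address(destination)
    for route in table:
        if dst in route.network:
            return route
    return None


# Constructed sample topology: eth0 with one alias, eth1 on a private LAN.
SAMPLE_INTERFACES = {"eth0": ["192.0.2.10/24", "198.51.100.10/24"],
                     "eth1": ["10.0.0.1/8"]}
SAMPLE_STATIC = [("172.16.0.0/16", "10.0.0.254")]
SAMPLE_DEFAULT_GW = "192.0.2.1"


if __name__ == "__main__":
    table = build_table(SAMPLE_INTERFACES, SAMPLE_STATIC, SAMPLE_DEFAULT_GW)
    for route in table:
        via = f"via {route.gateway}" if route.gateway else "directly connected"
        print(f"{str(route.network):18} {via:24} {route.interface} ({route.kind})")
    for dst in ("172.16.5.5", "198.51.100.77", "8.8.8.8"):
        print(dst, "->", lookup(table, dst))
```

A static route whose gateway is not on any connected network is rejected, which is the same condition under which the appliance cannot pick an interface for it; the alias on eth0 shows why an alias adds its own connected route.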

Connecting to an Ethernet Network by Using the Command Line Interface

If your ViPNet Coordinator HW/VA host is inaccessible from the network, you may need to configure the host's connection locally by using the command line interface.

Tip: You need to configure only one network interface locally. Once this is done, the host will be on the network, and you will be able to configure the rest of its parameters remotely via the user-friendly web interface (see Configuring ViPNet Coordinator HW/VA Network Settings via the Web Interface on page 65).

When configuring an Ethernet interface, you will be using its name. The Ethernet interfaces take the names eth0, eth1, and so on.

To configure a network interface, do the following:
1 In the command line interface, switch to the administrator mode by executing the enable command.
2 Enable the interface by executing the command
inet ifconfig <interface name> up
3 Select one of the following:
- If you want the connection settings to be obtained from a DHCP server, execute the command
inet ifconfig <interface name> dhcp
- If you want to make the connection settings manually:
specify the interface's IP address and network mask by executing the command
inet ifconfig <interface name> address <IP address> netmask <network mask>
specify the interface's default gateway by executing the command
inet route add default gw <gateway IP address>
Example of the commands' usage:
inet ifconfig eth0 up
inet ifconfig eth0 address netmask
inet route add default gw

For more information about local configuration of network interfaces, see the document ViPNet Coordinator HW/VA. Reference Guide.

Chapter 6. Configuring Integrated Services
Configuring Network Services 77
Configuring the Proxy Server 83
Configuring the VIP Server 91
Configuring an IPsec Gateway 96

Configuring Network Services

A ViPNet Coordinator HW/VA appliance can provide various network services to hosts on a local network, making it easy to deploy a small office network.

Configuring a Wi-Fi Access Point

If your appliance has a Wi-Fi adapter, you may use ViPNet Coordinator HW/VA as a Wi-Fi access point.

Note: A ViPNet Coordinator HW/VA host may also function as a Wi-Fi client (see Connecting to a Wi-Fi Network on page 67). Functioning as a client and an access point at the same time is not supported in ViPNet Coordinator HW/VA.

If the Wi-Fi access point is enabled, an IP address is automatically assigned to the Wi-Fi network interface, and a DHCP server is started on this interface. The DHCP server has the following fixed parameters, which you can't edit:
- The range of allocated IP addresses:
- DNS and NTP servers' address: (the address of the wlan0 network interface).

To configure ViPNet Coordinator HW/VA as a Wi-Fi access point:
1 Log on to the ViPNet Coordinator HW/VA web interface as an administrator (see Logging On to the Web Interface on page 46).
2 On the home page, click Network Settings.
3 On the Network interfaces page, in the left pane, select the Wi-Fi network interface. The Wi-Fi interface installed in the operating system is assigned the name wlan0.
4 Make sure that the Wi-Fi interface is enabled. Otherwise, click the switch at the top of the page. The status of the network interface is displayed next to the switch.
5 In the Wi-Fi mode list, select Access point.
Figure 20: Configuring a Wi-Fi access point
6 In the Network name box, specify the name of your Wi-Fi network.
7 In the Channel list, select the number of the Wi-Fi channel to be used by your access point.
8 Under Wi-Fi standard, select a wireless connection standard for your Wi-Fi network. The following standards are supported:
- b (IEEE 802.11b): 2.4 GHz, connection speed up to 11 Mbps.
- g (IEEE 802.11g): 2.4 GHz, connection speed up to 54 Mbps.
9 In the Encryption type list, select the encryption type for users' authentication:
- If you select No encryption, users will be able to connect to the network without entering a password.
- If you select WPA or WPA2, in the Network security key box, type a password for users' authentication. You should give this password to the users connecting to your Wi-Fi network.
10 To save the settings, click Save.
11 To enable connections between devices on the Wi-Fi network and computers on your Ethernet network, on the ViPNet Coordinator HW/VA host, in the firewall configuration file, configure forward rules allowing IP packets to be transferred between these networks (see Configuring Unencrypted Traffic Processing Rules on page 102).

Configuring a DHCP Server

ViPNet Coordinator HW/VA may function as a DHCP server on a LAN (see DHCP server on page 228). If the ViPNet Coordinator HW/VA host is used as a Wi-Fi access point (see Configuring a Wi-Fi Access Point on page 77), then, on the corresponding network interface, the DHCP server is started automatically, and you can't change its parameters.

To run the DHCP server on an Ethernet network interface, you should configure the server manually. To do this:
1 Log on to the ViPNet Coordinator HW/VA web interface as an administrator (see Logging On to the Web Interface on page 46).
2 On the home page, click Network Services.
3 At the top of the page, click DHCP server.
Figure 21: Configuring DHCP server settings
4 In the Network interface list, select the Ethernet network interface the DHCP server will run on.
Note: You can use the DHCP server only on an interface with an IP address from the private network range: /8, /12 or /16.
5 In the IP address scope boxes, specify the start and end IP addresses of the range that should be assigned to DHCP clients.
6 In the Gateway box, type the IP address of the default gateway that DHCP clients should obtain from the server.
7 Under IP address lease time, specify the time interval for which the IP address assignment is valid:
- Select the units to specify the lease time: days or hours.

- Type or select the time interval length in days or hours.
8 To save the settings, click Save.
9 To start the DHCP server, click the switch at the top of the page. The DHCP server's status is displayed next to the switch.

Configuring a DNS Server

ViPNet Coordinator HW/VA may function as a DNS server on a LAN (see DNS server on page 229). The DNS server integrated into ViPNet Coordinator HW/VA forwards incoming DNS requests to upstream DNS servers and returns the received responses to its own clients. By default, client requests are forwarded to the root DNS servers. You can specify a custom list of DNS servers that the DNS requests should be forwarded to. The ViPNet Coordinator HW/VA host sends its own DNS requests to the servers from this list, even when the integrated DNS server is disabled.

To configure the DNS server:
1 Log on to the ViPNet Coordinator HW/VA web interface as an administrator (see Logging On to the Web Interface on page 46).
2 On the home page, click Network Services.
3 At the top of the page, click DNS server. The list of DNS servers displayed on the DNS server page may contain user-defined server IP addresses, as well as IP addresses obtained automatically from a DHCP server. The type of each DNS server is shown in the Type column. You can't modify or delete server IP addresses obtained automatically.
Figure 22: Configuring DNS settings
4 To start or stop the integrated DNS server, click the switch at the top of the page. The DNS server's status is displayed next to the switch.
5 To add a DNS server's IP address to the list: Click Add. In the new row, specify the IP address of the DNS server you want to add. Then press Enter.
6 To edit a DNS server's IP address: Click the IP address you want to change. Edit the address, then press Enter.
7 To delete a DNS server's IP address from the list: In the entry of the DNS server's address you want to delete, click the icon. In the message box, click OK. The DNS server's address will be deleted.

Configuring an NTP Server

ViPNet Coordinator HW/VA may function as an NTP server on a LAN (see NTP server on page 231). To give its clients the correct time, the integrated NTP server automatically synchronizes the system clock with universal time. By default, the server pool.ntp.org is used for the synchronization. You can specify a custom list of NTP servers to synchronize the ViPNet Coordinator HW/VA system clock with. The synchronization is performed even when the integrated NTP server is disabled.

To configure the NTP server:
1 Log on to the ViPNet Coordinator HW/VA web interface as an administrator (see Logging On to the Web Interface on page 46).
2 On the home page, click Network Services.
3 At the top of the page, click NTP server. The list of NTP servers displayed on the NTP server page may contain user-defined servers, as well as servers obtained automatically from a DHCP server. The type of each NTP server is shown in the Type column. You can't modify or delete servers obtained automatically.
Note: The default server pool.ntp.org is not displayed in the list.
Figure 23: Configuring NTP settings
4 To start or stop the integrated NTP server, click the switch at the top of the page. If the server fails to synchronize with any of the specified servers and with the default server, the NTP server will stop automatically. The NTP server's status is displayed next to the switch.
Warning: The default server and any servers in the table specified by their DNS names will be accessible only if the DNS server is started (see Configuring a DNS Server on page 80).
5 To add an NTP server to the list: Click Add. In the new row, specify the IP address or DNS name of the NTP server you want to add. Then press Enter.
6 To modify an NTP server's IP address or DNS name: Click the entry of the NTP server you want to modify. Edit the IP address or DNS name, then press Enter.
7 To delete an NTP server from the list: In the entry of the NTP server you want to delete, click the icon. In the message box, click OK. The NTP server will be removed.
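The DHCP server section above constrains the server to an interface with a private address and asks for a scope, a gateway and a lease time; the NTP section notes that entries given as DNS names (and the implicit default pool.ntp.org) are reachable only while the integrated DNS server is running, and that entries obtained from DHCP cannot be deleted. The following Python checks are an added example, not ViPNet code: the private blocks are the RFC 1918 ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 (a standards fact, not a value taken from the guide), and the checks go slightly beyond the text by also requiring the scope and gateway to lie inside the interface's subnet and by refusing a scope that would hand out the appliance's or the gateway's own address. All interface, scope and server values used are constructed samples.

```python
"""Sanity checks for DHCP scope settings and for the NTP server list.

Added example, not ViPNet code.  RFC 1918 ranges are a standards fact; the
interface, scope, gateway and server values below are constructed samples.
"""
import ipaddress
from typing import List, Tuple

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in block for block in RFC1918)


def validate_dhcp_scope(interface_cidr: str, scope_start: str, scope_end: str,
                        gateway: str, lease: int, unit: str) -> List[str]:
    """Return the problems found; an empty list means the scope is sound."""
    problems = []
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    start = ipaddress.ip_address(scope_start)
    end = ipaddress.ip_address(scope_end)
    gw = ipaddress.ip_address(gateway)

    if not is_private(iface.ip):
        problems.append(f"interface address {iface.ip} is not in an RFC 1918 range")
    if start > end:
        problems.append(f"scope start {start} is after scope end {end}")
    for label, addr in (("scope start", start), ("scope end", end), ("gateway", gw)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside the interface subnet {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address")
    # Addresses the scope must never hand out to a client.
    reserved = [("the appliance's own address", iface.ip)]
    if gw != iface.ip:
        reserved.append(("the gateway", gw))
    for label, addr in reserved:
        if start <= addr <= end:
            problems.append(f"scope includes {label} {addr}; a client could be given it")
    if unit not in ("days", "hours") or lease <= 0:
        problems.append("lease time must be a positive number of days or hours")
    return problems


def ntp_servers_usable_now(entries: List[Tuple[str, str]],
                           dns_server_running: bool) -> Tuple[List[str], List[str]]:
    """Split the NTP list into servers usable now and servers waiting for DNS.

    `entries` are (value, source) pairs with source "manual" or "dhcp".  The
    implicit default pool.ntp.org is appended; DNS names are usable only while
    the integrated DNS server runs, IP literals always.
    """
    usable, waiting = [], []
    for value, _source in entries + [("pool.ntp.org", "default")]:
        try:
            ipaddress.ip_address(value)
            usable.append(value)
        except ValueError:  # not an IP literal, so it is a DNS name
            (usable if dns_server_running else waiting).append(value)
    return usable, waiting


def delete_server(entries: List[Tuple[str, str]], value: str) -> List[Tuple[str, str]]:
    """Remove a user-defined entry; entries obtained from DHCP are read-only."""
    for entry in entries:
        if entry[0] == value:
            if entry[1] == "dhcp":
                raise PermissionError(f"{value} was obtained from DHCP and cannot be deleted")
            return [e for e in entries if e is not entry]
    raise KeyError(value)


if __name__ == "__main__":
    print(validate_dhcp_scope("192.168.1.1/24", "192.168.1.100",
                              "192.168.1.200", "192.168.1.1", 1, "days"))
    print(validate_dhcp_scope("203.0.113.1/24", "203.0.113.10",
                              "203.0.113.20", "203.0.113.1", 12, "hours"))
    print(ntp_servers_usable_now([("192.0.2.123", "manual"),
                                  ("time.example.net", "manual")], False))
```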

Configuring the Proxy Server

A proxy server facilitates secure work of corporate network users on the Internet by controlling their access to web resources. If a user requests a web resource over the HTTP or FTP protocol, the user's request is processed by the proxy server, which can either download the requested data and transfer it to the user, or deny access to the resource.

ViPNet Coordinator HW/VA has an integrated proxy server with the following features:
- Data caching to speed up user access to commonly used resources.
- A transparent proxy mode, which intercepts web communication without requiring any special client configuration.
- Web content control (see Configuring Content Control on page 87).
- Virus checking of the web content (see Configuring the Anti-Virus on page 89).

Note: The ViPNet Coordinator HW modifications HW100 X1/X4/X5/X6 do not support the proxy server, including the anti-virus and content control filtering.

The scheme below shows how the proxy server processes a user request.
Figure 24: A proxy server with content control and virus check

As soon as a user requests a web resource, the request is processed as follows:
1 The request is sent to the proxy server.
2 If content control is enabled, the proxy server checks whether the resource's URL matches any pattern in the database of URL patterns to be banned.
3 If the requested URL is acceptable, the proxy server fetches the requested content.
4 If the integrated anti-virus has been enabled, the fetched content is checked for viruses.
5 Upon a successful check, the content is transferred to the user.
If access to the content is denied at any of the steps above, the user is informed about this.

If a corporate network comprises several local networks, all of them can be served by a central proxy server based on ViPNet Coordinator HW/VA. In this case, the ViPNet Coordinator HW/VA servers deployed in the local networks forward user requests to the central proxy server for processing. For more information, see Using a Centralized Proxy Server (on page 131).

Configuring Proxy General Settings

If you want to enable the integrated proxy server in order to secure Internet access for your local users, you should configure the general parameters of the proxy server first (see Configuring Proxy General Settings on page 84). Optionally, you can enable content filtering and antivirus protection. For more information, see Configuring Content Control (on page 87) and Configuring the Anti-Virus (on page 89).

Configuring the basic parameters means specifying the external network interface of the server, the listening IP addresses, and the IP addresses of the local networks that are allowed to use the proxy server. You may also enable the transparent proxy server mode.

When the proxy server functions as a non-transparent proxy (the transparent mode is disabled), you should specify the proxy server's IP address and port in user programs such as a web browser. When the proxy server functions in the transparent mode, no additional configuration of the programs is required, and the users are forced to use the proxy server. On the users' computers, specify the IP address of the proxy server (the ViPNet Coordinator HW/VA host) as the default gateway.

Note: When you configure the proxy server parameters, the required traffic filtering and NAT rules are created automatically in the firewall configuration file (see Configuring Unencrypted Traffic Processing Rules on page 102).

To configure the general parameters of the proxy server:
1 Log on to the ViPNet Coordinator HW/VA web interface as an administrator (see Logging On to the Web Interface on page 46).
2 On the home page, click Proxy Server.
3 At the top of the page displayed, click Proxy Server again.
4 On the Proxy Server page, click the General tab and specify the following parameters:
- In the External network interface list, select the network interface connected to the Internet.
- In the Cache size box, specify the proxy server's cache size. The available disk space is shown next to the box.
- If you want the proxy server to function in the transparent mode, select the Transparent proxy server mode check box.
- Click Save.
Figure 25: Proxy server's general settings
5 On the Addresses the proxy server listens to tab, specify the IP addresses and ports of the proxy server that should be used to receive user requests:
- To add an IP address and a port to the list: Click Add. In the new row, select the IP address and type the port number to listen on. Then click Save.
Figure 26: The list of IP addresses to listen to
- To modify an IP address and a port: Double-click the entry of the IP address you want to modify. Edit the IP address and port, then click Save.
- To delete an IP address and a port: In the entry of the IP address you want to delete, click the icon. In the message box, click OK. The IP address and the port will be deleted.
Warning: We recommend that you listen on network interfaces with static IP addresses. When the network interfaces' IP addresses change, you should stop the proxy server, then specify the current IP addresses for the interfaces used to accept connections, and then start the proxy server again.
6 On the Networks tab, specify the list of local networks that are allowed to use the proxy server:
- To add a network's IP address: Click Add. In the new row, specify the IP address of the network in CIDR notation. For example, /24. Then press Enter.
Figure 27: The list of networks allowed to use the proxy server
- To modify a network IP address: Click the entry of the IP address you want to modify. Edit the address, and then press Enter.
- To delete an IP address from the networks list: In the entry of the IP address you want to delete, click the icon. In the message box, click OK. The IP address will be deleted.
7 To start the proxy server, on the General tab, click the switch at the top of the page. The proxy server's status is displayed next to the switch.
Note: Before you start the proxy server, you should specify an IP address and port to listen on, as well as the ViPNet Coordinator HW/VA's external network interface.
8 If you want to provide access to the Internet via the proxy server for unprotected hosts, you should configure the proper traffic processing rules (see Configuring Unencrypted Traffic Processing Rules on page 102).

Configuring Content Control

Content control allows you to block unwanted web resources. A database of URL addresses is used for web content filtering. You can fetch this database from the Internet or from another ViPNet Coordinator HW/VA host that is used as a URL database server. URLs in the database are divided into broad classes of content, such as gambling, online shopping, social networking, and so on. The web filter can block these classes of content independently of each other. If a user requests a URL that matches a blocked URL pattern, the request is rejected and the user is informed that the web page can't be displayed.

Content control is enabled automatically when you enable the proxy server (see Configuring Proxy General Settings on page 84).

To configure content control parameters:
1 Log on to the ViPNet Coordinator HW/VA web interface as an administrator (see Logging On to the Web Interface on page 46).
2 On the home page, click Proxy Server.
3 At the top of the page displayed, click Content Filter.
4 On the Content Filter page, click the General tab. A list of filtering categories and the URL database update settings will be displayed.

Figure 28: Content filter general settings
5 If you are configuring the content filter for the first time, you should download the URL database first. Specify the source you want to download the database from. In the Update source list, select one of the following options:
- Internet: download the database updates from the Internet.
- Another Coordinator: download the database updates from another ViPNet Coordinator HW/VA host linked with the host you are currently configuring. If you select Another Coordinator, in the Host name in the ViPNet network list, select the host to download updates from.
If you want the URL database to be updated automatically, in the Update the database automatically list, select the required update frequency. If you select don't update, the automatic update will be disabled.
To download a URL database update immediately, click Update now.
6 Select the filtering categories that should be blocked by the content filter:
- To block certain categories, select them in the All list and either drag them to the Blocked list or click the corresponding button.
- To remove certain categories from the ban list, select them in the Blocked list and either drag them to the All list or click the corresponding button.
7 To save the general settings, click Save.
8 If necessary, on the Exceptions tab, configure a list of exceptions: the local hosts for which web content will not be filtered.
Figure 29: A list of content filter exceptions
- To add an IP address to the exceptions list: Click Add. In the new row, specify the exception IP address. Then press Enter.
- To modify an exception IP address: Click the entry of the IP address you want to modify. Edit the address, then press Enter.
- To delete an IP address from the exceptions list: In the entry of the IP address you want to delete, click the icon. In the message box, click OK. The IP address will be deleted.

Configuring the Anti-Virus

If you use ViPNet Coordinator HW/VA as a proxy server, you can enable antivirus scanning of all HTTP traffic passing through the proxy server in both directions: from the Internet to the user and from the user to the Internet (for example, when you are adding an attachment to an e-mail message via a web interface). Antivirus protection is performed by Clam AntiVirus, which is free open source software developed by Sourcefire.
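The proxy sections above describe three decisions that precede a fetch: whether the client's network is on the Networks list (CIDR entries), whether the client is on the content filter's exceptions list, and whether the requested URL falls into a blocked category of the URL database. The Python model below is an added example, not the ViPNet proxy's code; it ties those decisions together in the order the request-processing list gives, leaves out the anti-virus step, and uses a constructed URL category database, allowed networks, exceptions and URLs. Category patterns in this model are of the form "host" (matching the host and its subdomains) or "host/path" (matching that path and everything below it), which is an assumption about pattern shape, not something the guide specifies.

```python
"""Request-processing model for the integrated proxy: network ACL, content
control with exceptions, then fetch.  The anti-virus step is not modelled.

Added example, not the ViPNet proxy's code.  The URL database, allowed
networks, exceptions and URLs are constructed samples; the pattern shapes
("host" and "host/path") are an assumption of this model.
"""
import ipaddress
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit


class ProxyPolicy:
    def __init__(self, allowed_networks: Iterable[str],
                 blocked_categories: Iterable[str],
                 exceptions: Iterable[str], url_db: Dict[str, str]) -> None:
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.blocked = set(blocked_categories)
        self.exceptions = {ipaddress.ip_address(a) for a in exceptions}
        self.url_db = url_db  # pattern -> category

    def client_allowed(self, client_ip: str) -> bool:
        """Networks tab: only listed local networks may use the proxy."""
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.allowed)

    def categorize(self, url: str) -> Optional[str]:
        """Category of the most specific matching pattern, or None."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        path = parts.path or "/"
        best = None
        for pattern, category in self.url_db.items():
            p_host, _, p_path = pattern.lower().partition("/")
            host_ok = host == p_host or host.endswith("." + p_host)
            path_ok = (not p_path or path == "/" + p_path
                       or path.startswith("/" + p_path + "/"))
            if host_ok and path_ok:
                score = len(p_host) + len(p_path)  # longer pattern = more specific
                if best is None or score > best[0]:
                    best = (score, category)
        return best[1] if best else None

    def decide(self, client_ip: str, url: str) -> Tuple[str, str]:
        """Return ("allow" | "deny", reason) for one request, in the order
        the request-processing steps are listed above."""
        if urlsplit(url).scheme not in ("http", "ftp"):
            return "deny", "only HTTP and FTP requests are proxied"
        if not self.client_allowed(client_ip):
            return "deny", "client network is not allowed to use the proxy"
        if ipaddress.ip_address(client_ip) in self.exceptions:
            return "allow", "client is on the content filter exceptions list"
        category = self.categorize(url)
        if category in self.blocked:
            return "deny", f"URL category '{category}' is blocked"
        return "allow", f"category '{category or 'uncategorized'}' is not blocked"


# Constructed sample policy.
SAMPLE_POLICY = ProxyPolicy(
    allowed_networks=["192.168.10.0/24"],
    blocked_categories=["gambling", "social networking"],
    exceptions=["192.168.10.5"],
    url_db={"casino.example": "gambling",
            "social.example": "social networking",
            "news.example": "news",
            "example.net/games": "gambling"},
)


if __name__ == "__main__":
    for client, url in (("192.168.10.20", "http://www.casino.example/play"),
                        ("192.168.10.5", "http://www.casino.example/play"),
                        ("10.1.1.1", "http://news.example/"),
                        ("192.168.10.20", "http://example.net/about")):
        print(client, url, "->", SAMPLE_POLICY.decide(client, url))
```

Most-specific-pattern matching is what lets a single path on an otherwise acceptable host be placed in a blocked category while the rest of the host stays reachable.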

To configure antivirus protection:
1 Log on to the ViPNet Coordinator HW/VA web interface as an administrator (see Logging On to the Web Interface on page 46).
2 On the home page, click Proxy Server.
3 At the top of the page displayed, click Anti-Virus.

Figure 30: Anti-virus settings

4 If you are configuring the anti-virus for the first time, you should download the antivirus database first. To do this, click Update now.
5 If you want the antivirus database to be updated automatically every day, select the Update the database automatically check box and click Save.
6 To enable the anti-virus, click the switch at the top of the page. The anti-virus's status is displayed next to the switch.

Configuring the VIP Server

The VIP server implemented as a component of the ViPNet Coordinator HW/VA appliance allows you to build a corporate IP telephony system. If you want to organize protected voice communication between several offices, deploy a VIP server based on ViPNet Coordinator HW/VA in each office and set up trunks (see Trunk on page 231) connecting the servers to each other. Trunks allow users of different VIP servers to call each other.

The integrated VIP server supports the SIP protocol. Users can connect to the server by means of any software SIP client or hardware SIP phone. SIP clients should be installed according to the following rules:
- Software SIP clients should be installed on protected ViPNet hosts or tunneled hosts. In the SIP client software, specify the ViPNet Coordinator HW/VA visibility address as the SIP server address.
- Hardware SIP phones should be tunneled by ViPNet Coordinator HW/VA. Specify the IP address of the external interface of ViPNet Coordinator HW/VA as the SIP server address.

To ensure proper operation of SIP clients tunneled by ViPNet Coordinator HW/VA, configure filtering rules for unprotected traffic (see Traffic Filtering Rules on page 104) that allow inbound local connections of tunneled clients with ViPNet Coordinator HW/VA over TCP and UDP to port

If you are connecting mobile devices to the ViPNet Coordinator HW/VA over the IPsec channel (see Providing Secure Access to a Corporate LAN from Mobile Devices over an IPsec Channel on page 137), in ViPNet Network Manager, configure the ViPNet Coordinator HW/VA host to tunnel them. For this, select the ViPNet Coordinator HW/VA host and, on the Tunneling tab, specify the IP address range distributed among IPsec devices to be tunneled. The range is

Figure 31: Using the integrated proxy server

Configuring VIP Server General Settings

To enable or disable the integrated VIP server and configure its general settings:
1 Log on to the ViPNet Coordinator HW/VA web interface as an administrator (see Logging On to the Web Interface on page 46).
2 On the home page, click VIP Server.
3 At the top of the page displayed, click General.

Figure 32: VIP server's general settings

4 In the External interface list, select the network interface of the ViPNet Coordinator HW/VA for establishing connections with remote VIP servers (see Configuring VIP Trunks on page 94).
5 In the Internal interface list, select the network interface which should be used by your VIP clients to connect to the server.

6 To save the settings, click Save.
7 To start the VIP server, click the switch at the top of the page. The status of the VIP server is displayed next to the switch.

Managing User Accounts

To manage user accounts registered on your VIP server:
1 Log on to the ViPNet Coordinator HW/VA web interface as an administrator (see Logging On to the Web Interface on page 46).
2 On the home page, click VIP Server.
3 At the top of the page displayed, click Accounts. A list of user accounts will be displayed.

Figure 33: User accounts list

4 To add a new VIP user account: click Add. In the new row, specify a 4-digit telephone number, type the user's name, and specify a password for the account. Then click Save.
5 To modify a user account: double-click the entry of the account you want to modify. Edit the account properties, then click Save.
6 To delete a user account: in the entry of the account you want to delete, click the icon. In the message box, click OK. The account will be deleted.
7 Phone numbers of the users currently connected to the server are marked as active. To view detailed information on an active user, click the user's phone number.

Figure 34: Detailed user information

Configuring VIP Trunks

In order to enable VIP communication with users from remote networks, you can configure VIP trunks connecting the integrated VIP server of your ViPNet Coordinator HW/VA host to remote VIP servers (see figure on page 92).

To manage VIP trunks:
1 Log on to the ViPNet Coordinator HW/VA web interface as an administrator (see Logging On to the Web Interface on page 46).
2 On the home page, click VIP Server.
3 At the top of the page displayed, click Trunks. A list of VIP trunks will be displayed.

Figure 35: Trunks list

4 To add a new VIP trunk:
4.1 Click Add.
4.2 In the new row, specify the properties of the new trunk:
- In the Gateway name column, specify a unique name for the new trunk.
- In the Gateway IP address column, type the IP address of the remote VIP server.
- In the Local number pattern column, specify the pattern of your local telephone numbers that should communicate with remote numbers. The pattern should contain the first digit of a local number followed by the xxx symbols, for example 3xxx.
- In the Remote number pattern column, specify the pattern of remote telephone numbers that should communicate with your local numbers. For example, 2xxx.
4.3 Click Save.
5 To modify a VIP trunk:
5.1 Double-click the entry of the trunk you want to modify.
5.2 Edit the trunk properties, then click Save.
6 To delete a VIP trunk:
6.1 In the entry of the trunk you want to delete, click the icon.
6.2 In the message box, click OK. The trunk will be deleted.

Configuring an IPsec Gateway

In corporate networks, you often need to protect connections with remote networks or hosts. For example, you may have a corporate application server that should be accessible from the Internet via a protected channel. Sometimes you can't solve this problem using ViPNet technology; for example, it is impossible to install ViPNet software on mobile devices. With ViPNet Coordinator HW/VA, you can protect traffic using encryption over the IPsec protocol. In this case, ViPNet Coordinator HW/VA functions as a ViPNet IPsec gateway.

ViPNet Coordinator HW/VA supports two types of IPsec connection: site-to-site (see Connecting over a Protected IPsec Channel on page 145) and client-to-site (see Providing Secure Access to a Corporate LAN from Mobile Devices over an IPsec Channel on page 137). For either of them, ViPNet Coordinator HW/VA supports authentication by a pre-shared key (PSK) or by a certificate (RSA). ViPNet Coordinator HW/VA supports up to 40 concurrent client-to-site IPsec connections.

Warning: When you use a ViPNet Coordinator HW/VA as an IPsec gateway, it needs to have a public static IP address. Therefore, you cannot deploy a ViPNet Coordinator HW/VA as an IPsec gateway if it is located behind a NAT.

Depending on the authentication type, select the way that will be most convenient for you to configure the service on your ViPNet Coordinator HW/VA host:
- If you want to use PSK authentication, it is easier to configure the IPsec connection in the ViPNet Network Manager software. To configure an IPsec connection in ViPNet Network Manager, in the hosts list, select the host, and then, on the IPsec connection tab, configure the necessary settings. After the keys are sent from ViPNet Network Manager and applied on the host, the settings will be applied as well. For more information about working with ViPNet Network Manager and sending the keys, see the document ViPNet VPN. User's Guide.
- If you want to use RSA authentication, configure it by using the command line interface. You cannot configure RSA authentication in ViPNet Network Manager or via the web interface.

Warning: If you configure the client-to-site or site-to-site IPsec connection by using the command line interface, never change the corresponding IPsec settings for your ViPNet Coordinator HW/VA host in ViPNet Network Manager. Otherwise, the settings that you made by using the command line interface will be lost after you send keys to the ViPNet Coordinator HW/VA host. However, you can safely configure the site-to-site connection via ViPNet Network Manager and the client-to-site connection via the command line interface, or vice versa.

To ensure that the settings will not be accidentally changed later, in ViPNet Network Manager, in its main window, in the view pane, on the IPsec connection tab, clear the following check box:
- If you are configuring the site-to-site connection, clear the Use the coordinator to establish protected IPsec connections with other networks check box.
- If you are configuring the client-to-site connection, clear the Use the coordinator as an IPsec gateway for connecting smartphone clients check box.

To find out more about configuring the IPsec connection on a ViPNet Coordinator HW/VA by using the command line interface, see the following sections:
- about configuring a site-to-site connection, see Connecting over a Protected IPsec Channel (on page 145).
- about configuring a client-to-site connection, see Providing Access to Corporate Resources for Mobile Devices over a Protected IPsec Channel (see Providing Secure Access to a Corporate LAN from Mobile Devices over an IPsec Channel on page 137).

7 Configuring the Integrated Firewall

About the Integrated Firewall 99
Changing the Security Level on a Network Interface 101
Configuring Unencrypted Traffic Processing Rules 102
IP Packets Logging 108

About the Integrated Firewall

As a coordinator, a ViPNet Coordinator HW/VA host has an integrated firewall for processing the IP traffic transferred through it:
- IP packet filtering according to the packets' parameters, such as source and destination IP addresses, interfaces, ports, and so on. You can configure separate filtering rules for the following types of traffic:
  - Encrypted traffic passed between ViPNet hosts through the coordinator.
  - Tunneled traffic (the traffic of hosts tunneled by the coordinator).
  - Unencrypted traffic addressed from an unprotected host (a host without ViPNet software installed) to the coordinator.
  - Forwarded traffic passed through the coordinator (for example, when a host on your LAN tries to access the Internet through the coordinator as its default gateway).
  By default, the traffic between ViPNet hosts and tunneled hosts is allowed by the firewall. Each ViPNet host can exchange IP traffic with the following hosts: other ViPNet hosts linked with it on the VPN; hosts tunneled by coordinators linked with it on the VPN.
  By default, the forwarded and the inbound unencrypted traffic is blocked on a coordinator. You can allow it by changing security levels and configuring traffic processing rules on the coordinator's interfaces.
  Tip: For example, if you want a ViPNet Coordinator HW/VA host to be accessible via the web interface (see Managing a ViPNet Coordinator HW/VA Host on page 45) from an unprotected host on your LAN, you will need to explicitly allow the inbound unencrypted traffic from the unprotected host's IP address to the ViPNet Coordinator HW/VA host through the corresponding network interface.
- NAT for unencrypted traffic.
- Anti-spoofing, a technology aiming to block IP packets with fake source addresses. For the IP packets received on a coordinator's network interface, you expect the source IP address to belong to a certain address range. For example, on an interface connected to a LAN, you are not expecting to receive IP packets with a public source address.

Anti-spoofing is based on a set of formalized rules describing the source IP addresses expected on each network interface. The packets not compliant with this set of rules are blocked. For more details on using and configuring anti-spoofing, see the document ViPNet Coordinator HW/VA. Reference Guide.

Changing the Security Level on a Network Interface

A security level (see Security Levels on page 26) on a network interface defines the filtering policy for unencrypted traffic passing through this interface. Each network interface's parameters are written to its own configuration file, where you can change the security level with the mode parameter.

Note: By default, the second security level is set on all network interfaces of a ViPNet Coordinator HW/VA host. We don't recommend using the fourth security level other than for testing purposes, for a short period of time.

To change the security level on a network interface:
1 In the command line interface, switch to the administrator mode by executing the enable command.
2 Stop the ViPNet driver with the iplir stop command.
3 To edit the network interface's configuration file, execute the following command:
iplir config <interface name>
Note: To view the list of network interfaces, execute the inet show interface command.
4 Specify the required security level number as the value of the mode parameter:
- 1: block IP packets of all connections.
- 2: block all connections except for allowed ones.
- 3: allow all outbound connections except for prohibited ones.
- 4: allow all connections.
5 To save the configuration file, press Ctrl+O, and then press Enter.
6 To close the file, press Ctrl+X.
7 Start the ViPNet driver by executing the iplir start command.

Configuring Unencrypted Traffic Processing Rules

ViPNet Coordinator HW/VA can filter and translate addresses for unencrypted IP traffic. Unencrypted IP packet processing rules are listed in the firewall configuration file. To configure the rules, edit the firewall configuration file by using the command line interface. To edit the firewall configuration file, execute the iplir config firewall command.

The firewall configuration file consists of several sections. Unencrypted traffic processing rules appear in the following sections:
- [local] contains filtering rules for local IP packets, in other words, the packets whose source or destination is this ViPNet Coordinator HW/VA host.
- [broadcast] contains broadcast IP packet filtering rules.
- [forward] contains filtering rules for forwarded IP packets, in other words, the packets that pass through this ViPNet Coordinator HW/VA host on the way from source to destination, while this host is neither the packets' source nor destination.
- [tunnel] contains filtering rules for tunneled hosts' IP packets, in other words, the packets that are transferred between ViPNet Coordinator HW/VA's tunneled hosts and either ViPNet hosts or hosts tunneled by other ViPNet coordinators.
- [nat] contains network address translation rules. ViPNet Coordinator HW/VA supports two types of address translation:
  - Source address translation, also called dynamic address translation (dynamic NAT). This type of NAT is used to provide computers that have private IP addresses with access to the Internet. If an IP packet is transferred from a host on the LAN to a public network, ViPNet Coordinator HW/VA substitutes the source address of this packet with its own public address. In response IP packets, the destination address (the above-mentioned ViPNet Coordinator HW/VA's public address) is substituted with the private address of the host in the LAN.
  - Destination address translation, also called static address translation (static NAT). This type of NAT is used to provide public network hosts (hosts in the Internet) with access to a host in the LAN. If an IP packet is received on a specific port of ViPNet Coordinator HW/VA's public address, the destination address of this packet is substituted with a specified address on the LAN. In response IP packets, the source address is substituted.

Each of the above-described sections may contain one or several rules of unencrypted IP packet processing. Each rule is described with the rule parameter, whose value consists of the following components:
rule= <control component> <action> <condition>

Note: For a traffic filtering rule, you can also specify rule scheduling. In this document, we don't describe schedule configuration.

Each rule component may contain several tokens. The control component describes the rule conditions not related directly to packet processing. The control component should always be specified at the beginning of the rule. The condition defines the packets' parameters to apply the rule to. The specified action is applied to the packets fitting the rule's condition.

The control components of all traffic processing rules are similar to each other, while the action and condition vary for traffic filtering (see Traffic Filtering Rules on page 104) and address translation rules (see Network Address Translation Rules on page 106). The control component may contain the following optional tokens:
- num <number> is a token defining the rule's priority in the section. The number may take values from 0 to
  The rules are applied to an IP packet according to their priority. If no number is specified, the rule's priority will be defined automatically, according to the rules' order in the section.
- disable is a token used to disable a rule temporarily. After you delete the disable token, the rule is enabled.

For information on configuring the condition and action for traffic filtering and address translation rules, see the corresponding sections.

When specifying IP address ranges, you may use the composite range token internet that stands for the anyip range, excluding the three private IP address ranges:

Traffic Filtering Rules

Unencrypted packet filtering rules are specified in the [local], [broadcast], [tunnel] and [forward] sections of the firewall configuration file. By default, the following rules are specified:
- In the [local] and [broadcast] sections, a number of rules allowing IP packets used by the DHCP, DNS, and NTP services.
- In the [tunnel] section, a rule allowing connections between all hosts tunneled by ViPNet Coordinator HW/VA and all the ViPNet hosts linked with the ViPNet Coordinator HW/VA host. In most cases, you don't need to configure any additional rules in this section.

Each rule is described with the rule parameter. Its value consists of the following components:
rule= <control component> <action> <condition>

The control component is described in Configuring Unencrypted Traffic Processing Rules (on page 102).

The action defines what should be done to an IP packet whose parameters fit the rule's condition (see below). The action is specified by one of the following parameters:
- pass to allow the IP packet.
- drop to block the IP packet.

A rule is defined by conditions. If a packet matches all conditions, the action is applied to it. Conditions can have the following parameters:
- proto <protocol> is a mandatory parameter, specifying the transport-layer protocol the packet should belong to. As a protocol, you may specify:
  - tcp, udp or icmp.
  - Any IP protocol's number.
  - any meaning any protocol.
  If one and the same rule should process packets of different protocols, list them separated by commas.
  Note: For the rules in the [broadcast] section you can specify only the udp and icmp values.
- from <addresses list> is a mandatory parameter, defining the packet's source IP address and port. You should separate the address and port with a colon, for example: :22. If you don't specify any port, the condition is applied to all ports.
  Note: You can't specify port numbers if the proto parameter value is icmp or any.
  Besides single IP addresses and ports, you may specify address or port ranges, or address masks. You may also list several addresses, separated by commas. For example: : /24: :22, :25
  Instead of addresses and address ranges, you may use the following keywords:
  - anyip for all addresses (in the range of ).
  - broadcast for the address
- to <addresses list> is a mandatory parameter, defining the packet's destination address and port. Addresses and ports are specified similarly to the from parameter. In the [broadcast] section, you can specify the following IP addresses in the to parameter:
  - broadcast for the address
  - directed-broadcast for the broadcast addresses of all the subnetworks connected to this host's network interfaces.
  - Specific broadcast addresses of the subnetworks connected to this host's network interfaces.

- in or out is an optional parameter, defining the direction of the established connection (inbound or outbound). When you edit this parameter, be careful not to confuse the direction of connection establishment with the direction of transferring a single IP packet. If you don't specify the connection establishment direction, connections established in both directions will match the condition. Connections over the TCP protocol are always identified. In some cases, the direction of connection may be identified for the UDP protocol.
  Note: For the rules in the [forward] and [tunnel] sections, you can't specify the connection establishment direction.

Here are some examples of IP packet filtering rules:
rule= num 15 pass proto any from anyip to :22 in
rule= pass proto tcp,udp from anyip:53 to /16, /24

Network Address Translation Rules

Network address translation (NAT) rules for unencrypted IP packets are configured in the [nat] section of the firewall configuration file. Each address translation rule is defined by a rule parameter and has the following form:
rule= <control component> <action> <condition>

The control component is described in Configuring Unencrypted Traffic Processing Rules (on page 102).

The action is defined by the change token with a parameter specifying the addresses to be substituted and the addresses to be used. Depending on the translation type, the action may be as follows:
- For translating a source IP address:
  change src= {<address>:dynamic | eth<x> | modem}
  The source IP address will be replaced according to the expression that you specify:
  - The <address> string defines that the packet's source address will be replaced with a particular IP address. This can be the public IP address of your ViPNet Coordinator HW/VA, when it is static, or an alias of this interface.
  - The eth<x> string defines that the packet's source IP address will be replaced with the current IP address of the interface X.

  For example, if the public IP address of your ViPNet Coordinator HW/VA is dynamic, you do not need to update the NAT rule each time the IP address changes. The eth<x> string in the rule updates automatically after an IP address change.
  - The modem string defines that the packet's source IP address will be replaced with the IP address assigned to the host's 3G/LTE modem.
  Examples:
  change src= :dynamic
  change src=eth1
- For translating a destination IP address:
  change dst= <address>:<port>
  where <address> and <port> are the address and the port of the computer on your LAN to which the packet will be forwarded.
  Example:
  change dst= :8080

The condition for the address translation rules has almost the same syntax as for filtering rules, but with some specific characteristics:
- For source address translation (dynamic address translation), specify any for the proto token and anyip for the to token.
- For source address translation, the from token specifies a set of local network addresses to be translated, and you may specify only addresses, ranges, masks and their lists in the from token. You should not specify ports or port ranges there.
- For destination address translation (static address translation), the from token should take the anyip value, and the to token should specify the coordinator's external address and port, where the packets will arrive for forwarding. In this case, you may specify only the address or the address list, as well as the port or the port range, in the to token. You can't specify address ranges, address masks, and port ranges.

Here are some examples of address translation rules:
- For source address translation:
  rule= num 10 change src= :dynamic proto any from /24 to anyip
- For destination address translation:
  rule= num 100 change dst= :8080 proto tcp from anyip to :80
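The rule syntax described in Configuring Unencrypted Traffic Processing Rules, Traffic Filtering Rules and Network Address Translation Rules (control component, the pass/drop filtering action, the change src/change dst translation action, and the proto/from/to/in/out condition) can be checked offline before the live firewall file is edited. The following Python script is an added example, not code from the ViPNet product or its documentation: it parses rule= lines of a filtering section and of the [nat] section, orders them by priority and reports which rule a constructed packet hits, or applies the matching translation. Everything the guide leaves open is an assumption here: the internet keyword is taken to exclude the RFC 1918 private ranges, broadcast is taken to be 255.255.255.255, an unnumbered rule gets its position in the section as its priority, port ranges and address ranges other than masks are not parsed, and a packet that matches no filtering rule is dropped, which corresponds to the second security level. All addresses in the samples are documentation ranges.

```python
"""Offline checker for ViPNet-style unencrypted traffic rules (added example, not product code).
Parses rule= <control component> <action> <condition> lines of a filtering section or [nat]."""
import ipaddress
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

# Assumption: the three private ranges excluded by the 'internet' keyword are the RFC 1918 ones.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
Packet = namedtuple("Packet", "proto src sport dst dport direction", defaults=(None,))
Rule = namedtuple("Rule", "num disabled action change protos src dst direction text")
AddrSpec = namedtuple("AddrSpec", "net keyword port")  # one item of a 'from'/'to' list

def parse_addr_spec(item: str) -> AddrSpec:
    addr, _, port = item.strip().partition(":")   # '<address>:<port>', port optional
    port_no = int(port) if port else None
    if addr in ("anyip", "broadcast", "internet"):
        return AddrSpec(None, addr, port_no)
    return AddrSpec(ipaddress.ip_network(addr, strict=False), None, port_no)

def spec_matches(spec: AddrSpec, ip: ipaddress.IPv4Address, port: Optional[int]) -> bool:
    if spec.port is not None and port != spec.port:
        return False
    if spec.keyword == "internet":
        return not any(ip in n for n in PRIVATE)
    if spec.keyword == "broadcast":                 # assumption: the limited broadcast address
        return ip == ipaddress.IPv4Address("255.255.255.255")
    return spec.keyword == "anyip" or ip in spec.net

def parse_rule(line: str, position: int) -> Rule:
    t = line.split("=", 1)[1].split()              # tokens after the 'rule=' prefix
    i, num, disabled = 0, None, False
    while t[i] in ("num", "disable"):               # control component: optional num / disable
        if t[i] == "num":
            num, i = int(t[i + 1]), i + 2
        else:
            disabled, i = True, i + 1
    action, change, i = t[i], None, i + 1
    if action == "change":                          # NAT action: change src=... or change dst=...
        change, i = tuple(t[i].split("=", 1)), i + 1
    if action not in ("pass", "drop", "change") or t[i] != "proto":
        raise ValueError("bad action or missing proto: " + line)
    protos, i = t[i + 1].split(","), i + 2
    lists = {}
    for keyword in ("from", "to"):                  # lists may be written with spaces: 'a, b'
        if t[i] != keyword:
            raise ValueError(keyword + " is mandatory: " + line)
        start = i = i + 1
        while i < len(t) and t[i] not in ("to", "in", "out"):
            i += 1
        lists[keyword] = [parse_addr_spec(p) for p in "".join(t[start:i]).split(",") if p]
    direction = t[i] if i < len(t) and t[i] in ("in", "out") else None
    # Assumption: an unnumbered rule takes its position in the section as its priority.
    return Rule(position if num is None else num, disabled, action, change, protos,
                lists["from"], lists["to"], direction, line.strip())

def load_section(text: str) -> List[Rule]:
    """Parse the rule= lines of one section and order them by priority (stable sort)."""
    lines = [l for l in text.splitlines() if l.strip().startswith("rule=")]
    return sorted((parse_rule(l, n) for n, l in enumerate(lines)), key=lambda r: r.num)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.disabled or ("any" not in rule.protos and pkt.proto not in rule.protos):
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    s, d = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    return (any(spec_matches(a, s, pkt.sport) for a in rule.src)
            and any(spec_matches(a, d, pkt.dport) for a in rule.dst))

def filter_decision(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First matching pass/drop rule wins; no match means drop (default deny, security level 2)."""
    for r in rules:
        if r.action != "change" and rule_matches(r, pkt):
            return r.action, r.text
    return "drop", None

def apply_nat(rules: List[Rule], pkt: Packet, iface_addrs: Dict[str, str]) -> Packet:
    """Apply the first matching [nat] rule; iface_addrs maps eth<x>/modem to a current address."""
    for r in rules:
        if r.action == "change" and rule_matches(r, pkt):
            field, target = r.change
            if field == "src":                      # '<address>:dynamic', 'eth<x>' or 'modem'
                addr = target.split(":")[0]
                return pkt._replace(src=iface_addrs.get(addr, addr))
            addr, port = target.split(":")          # static NAT: '<address>:<port>' on the LAN
            return pkt._replace(dst=addr, dport=int(port))
    return pkt

# Constructed sample sections using documentation address ranges, not real hosts.
SAMPLE_LOCAL = """rule= num 5 disable drop proto tcp from internet to 192.0.2.10:22
rule= num 15 pass proto tcp from 198.51.100.0/24 to 192.0.2.10:22 in
rule= num 20 drop proto tcp from internet to 192.0.2.10:22
rule= pass proto tcp,udp from anyip:53 to 10.0.0.0/16, 192.0.2.0/24"""
SAMPLE_NAT = """rule= num 10 change src=eth1 proto any from 10.0.0.0/24 to anyip
rule= num 100 change dst=10.0.0.5:8080 proto tcp from anyip to 192.0.2.10:80"""
IFACE_ADDRS = {"eth1": "192.0.2.10"}  # constructed: current address of the eth1 interface
```

Checking a candidate rule set this way catches two common mistakes before they reach the appliance: a broad drop rule numbered below the allow rule that was meant to take precedence, and an allow rule restricted with the in token that never matches connections established in the other direction. On the appliance itself the authoritative answer remains the IP packets log (see IP Packets Logging on page 108).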

IP Packets Logging

The IP packets log contains information on encrypted and unencrypted IP packets that have been processed by the ViPNet driver of the ViPNet Coordinator HW/VA software. The data is collected on all the appliance's network interfaces, and you can configure logging settings for each network interface separately (see Configuring IP Packets Logging on page 108). If needed, you can search for records in the IP packets log by different IP packet parameters (see Viewing the IP Packets Log on page 109).

Configuring IP Packets Logging

Information about the events related to processing IP packets on ViPNet Coordinator HW/VA's network interfaces is written to the IP packets log (see Viewing the IP Packets Log on page 109). You can specify the level of entry detail and the maximum log size for each of your ViPNet Coordinator HW/VA's network interfaces.

To configure logging parameters for the IP packets passing through a certain network interface:
1 In the command line interface, switch to the administrator mode by executing the enable command.
2 To start editing the configuration file of a network interface:
iplir config <network interface name>
Note: To view a list of network interfaces, execute the inet show interface command.
3 In the [db] section, specify the required values of the following parameters:
- maxsize is the maximum size of the log in megabytes. As soon as the log reaches the maximum size, the oldest entries get overwritten with newer ones. If this parameter's value is null, logging is disabled on this network interface.
- timediff is a time period (in seconds) within which events with similar characteristics are united into one log entry. The default value is 60 seconds. For example, information about allowed encrypted IP packets with the same source address and port and the same destination address and port will be united within one log entry. If this parameter's value is null, each IP packet will have a separate log entry.
- registerall allows you to enable and disable IP packets logging. This parameter may take the following values:
  - on: log any IP packet.
  - off (the default value): log only blocked IP packets and the events related to changing ViPNet hosts' IP addresses.
- registerbroadcast allows you to enable or disable broadcast IP packets logging. This parameter may take the following values:
  - on: log broadcast IP packets.
  - off (the default value): don't log broadcast IP packets.
- registertcpserverport allows you to enable or disable source port logging for TCP packets. This parameter may take the following values:
  - on: don't log the source port. In this case, log entries will be sorted by destination port.
  - off (the default value): log the source port.
4 To save the configuration file, press Ctrl+O, then press Enter.
5 To close the file, press Ctrl+X.

Viewing the IP Packets Log

To track certain kinds of traffic of the ViPNet Coordinator HW/VA host, you can use the information from the IP packets log. To view the IP packets log:
1 In the command line interface, execute the iplir view command.
2 In the Set search parameters window, specify IP packet search criteria, such as: a time interval the packets were logged within, network interfaces the packets were logged on, connection parameters (direction, source and destination IP addresses and ports), the type of IP packets the required events are associated with, and some other parameters. By default, the search result contains all entries within the last three hours.

Figure 36: Defining search criteria in the IP packets log

3 Click Find. The search results will be displayed in the View results window.
4 To view detailed information about an event, highlight the required list entry and press Enter.

For more information about viewing the IP packets log, see the document ViPNet Coordinator HW/VA. Reference Guide.
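The [db] parameters described above determine what the IP packets log on an interface contains and how much of it is kept. The following Python model is an added example, not product code: it applies maxsize, registerall, registerbroadcast, registertcpserverport and timediff to a constructed set of packet events and produces the log entries an administrator would later search with iplir view. Two points are assumptions: the timediff window is measured from the first event of an entry, and registertcpserverport=on is modelled by leaving the source port out of the entry key, so that entries group and sort by destination port.

```python
"""Model of the per-interface IP packets log settings from the [db] section (added example,
not product code). Assumptions: the timediff window is measured from the first event of an
entry, and registertcpserverport=on is modelled by leaving the source port out of the key."""
from collections import namedtuple
from dataclasses import dataclass
from typing import List

# One packet event as the driver would see it (constructed fields, not the product's record format).
Event = namedtuple("Event", "ts iface proto src sport dst dport blocked broadcast", defaults=(False,))


@dataclass
class DbSettings:                        # parameters of the interface file's [db] section
    maxsize: int = 10                    # log size in MB; null (0) disables logging on the interface
    timediff: int = 60                   # seconds; null (0) gives every packet its own entry
    registerall: bool = False            # off: only blocked packets (and address-change events)
    registerbroadcast: bool = False      # off: broadcast packets are not logged
    registertcpserverport: bool = False  # on: source port not logged, entries sorted by destination port


@dataclass
class LogEntry:
    key: tuple
    first_ts: int
    last_ts: int
    count: int = 1


def should_log(ev: Event, cfg: DbSettings) -> bool:
    if cfg.maxsize == 0 or (ev.broadcast and not cfg.registerbroadcast):
        return False
    return cfg.registerall or ev.blocked


def entry_key(ev: Event, cfg: DbSettings) -> tuple:
    sport = None if cfg.registertcpserverport and ev.proto == "tcp" else ev.sport
    return (ev.iface, ev.proto, ev.src, sport, ev.dst, ev.dport, ev.blocked)


def aggregate(events: List[Event], cfg: DbSettings) -> List[LogEntry]:
    """Fold events into log entries: an event joins the open entry with the same key if it
    arrived within timediff seconds of that entry's first event, otherwise it opens a new one."""
    entries, open_by_key = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        if not should_log(ev, cfg):
            continue
        key = entry_key(ev, cfg)
        cur = open_by_key.get(key)
        if cur is not None and cfg.timediff > 0 and ev.ts - cur.first_ts <= cfg.timediff:
            cur.count += 1
            cur.last_ts = ev.ts
        else:
            cur = LogEntry(key, ev.ts, ev.ts)
            entries.append(cur)
            open_by_key[key] = cur
    if cfg.registertcpserverport:        # the guide: entries are then sorted by destination port
        entries.sort(key=lambda e: (e.key[5] or 0, e.first_ts))
    return entries


# Constructed events: one client retrying SSH from five source ports (blocked), an allowed DNS
# reply, a blocked DHCP broadcast, and a later SSH retry that falls outside the 60-second window.
SAMPLE_EVENTS = [Event(100 + i, "eth0", "tcp", "203.0.113.9", 40000 + i, "192.0.2.10", 22, True)
                 for i in range(5)] + [
    Event(103, "eth0", "udp", "198.51.100.1", 53, "192.0.2.10", 41000, False),
    Event(105, "eth1", "udp", "10.0.0.5", 68, "255.255.255.255", 67, True, True),
    Event(200, "eth0", "tcp", "203.0.113.9", 40000, "192.0.2.10", 22, True),
]
```

Run against the constructed events, the default settings give one entry per blocked source port, while registertcpserverport=on folds the five blocked attempts from one client into a single entry with count 5; the later attempt at t=200 starts a new entry because it falls outside the 60-second window. That is the trade-off the parameter encodes: far fewer entries when a client retries from many ports, at the cost of the source port no longer being available when an entry is investigated.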

8 Providing Reliable Access to Network Resources by Using Alternate Traffic Channels

About Using Alternate Traffic Channels 112
Configuring the Loadbalancer Service for the Redundant Channel Mode 113
Configuring the Loadbalancer Service for the Traffic Load Balancing Mode 115
Alternate Channels' Events Log 117

About Using Alternate Traffic Channels

If you need to stabilize access to a network or to a web resource, you can use two independent channels, which will either duplicate each other in case of a channel's failure or have the traffic balanced between them. For example, to avoid connection jams and failures, you may access the Internet via two providers, which allows you to distribute your traffic and to have a backup Internet connection channel. The use of alternate channels is controlled by the loadbalancer service.

Note: You can use alternate channels only for unencrypted (non-VPN) connections. Currently the service supports two alternate channels of the Ethernet type.

You can enable the usage of alternate channels in the following modes:
- The redundant channel mode. In this case, you set one of the two channels as the primary channel. If it fails, the traffic will be transferred via the alternate channel. The connection through the primary channel will be periodically checked, and if it recovers, the traffic will be redirected back to it.
- The traffic load balancing mode. In this case, the traffic is balanced between the two channels with the priority that you specify. For example, you can set one channel to transfer 80% of your traffic, and the other one to transfer the rest. If either of the channels fails, 100% of the traffic will be transferred via the operable channel until the failed channel recovers.

When the alternate channels usage is enabled, the loadbalancer service periodically checks the two channels' availability by attempting to access the connection test IP address. The service tries to access the test IP address by an ICMP request via each of the channels, in turn. The address' availability via a channel means that the channel is active, and its unavailability means that the channel has failed. If both channels fail, the service keeps checking them, and when either of them recovers, the traffic is automatically redirected to it.

When you configure the loadbalancer service, you will need to select a test IP address that is accessible via both channels when they are available.

Configuring the Loadbalancer Service for the Redundant Channel Mode

To configure the redundant channel mode on your ViPNet Coordinator HW/VA host, do the following:
1 In the command line interface, enable the administrator mode by executing the enable command.
2 Stop the loadbalancer service by executing the service loadbalancer stop command.
3 Set the redundant channel mode by executing the service loadbalancer set mode failover command.
4 Add and configure the two channels:
4.1 Set the name of the first channel by executing the service loadbalancer add provider <name> command.
4.2 Set the default gateway of the first channel by executing the service loadbalancer set provider <name> gateway <ip_address> command.
4.3 Set the host's network adapter facing the first channel by executing the service loadbalancer set provider <name> interface <interface> command.
4.4 Repeat the same steps to configure the second channel.
5 Set the default channel by executing the service loadbalancer set provider <name> default command. When this channel is available, all the traffic will be passed over it.
6 Set the test IP address (see About Using Alternate Traffic Channels on page 112), which will be used for the channels' availability check, by executing the service loadbalancer set testip <ip_address> command.
7 Set the test IP address poll time (from 10 to 600 seconds) by executing the service loadbalancer set polltime <time> command. The default poll time is 10 seconds.
8 If you need ViPNet Coordinator HW/VA to perform source NAT for an internal network, enable this by using the service loadbalancer nat add localnet <network> command. <network> is a network IP address in the CIDR format, for example, /24.

Warning: For NAT to be performed correctly, also make the corresponding firewall settings (see Configuring the Integrated Firewall on page 98). You can do it after you finish configuring the loadbalancer service.

9 Enable the automatic start of the loadbalancer service at the host's start by using the service loadbalancer mode on command.
10 To start the loadbalancer service at once (without rebooting the appliance), execute the service loadbalancer start command.

For more information about working with the loadbalancer service and creating, editing, and deleting channels, see the document ViPNet Coordinator HW/VA. Reference Guide.

Configuring the Loadbalancer Service for the Traffic Load Balancing Mode

To configure the traffic load balancing mode on your ViPNet Coordinator HW/VA, do the following:

1 In the command line interface, switch to the administrator mode by executing the enable command.
2 Stop the loadbalancer service by executing the service loadbalancer stop command.
3 Set the load balancing mode by executing the service loadbalancer set mode balancing command.
4 Add and configure the two channels:
4.1 Set the name of the first channel by executing the service loadbalancer add provider <name> command.
4.2 Set the default gateway of the first channel by executing the service loadbalancer set provider <name> gateway <ip_address> command.
4.3 Set the host's network adapter facing the first channel by executing the service loadbalancer set provider <name> interface <interface> command.
4.4 Set the first channel's priority, which determines its share in the traffic, by executing the service loadbalancer set provider <name> weight <weight> command. Set the priority by using an integer from 1 to 10. The ratio of the priorities of the two channels determines their share in the traffic. For example, if you assign priorities 2 and 4 to your channels, one third of the traffic will pass via the first channel, and the rest, via the other channel. If you set priorities 3 and 6, the traffic share will be the same: one third to two thirds.
4.5 Complete the same steps to add and configure the second channel.
5 Set the test IP address, which is used for the channels' availability check (see About Using Alternate Traffic Channels on page 112), by executing the service loadbalancer set testip <ip_address> command.
6 Set the test IP address poll time (from 10 to 600 seconds) by executing the service loadbalancer set polltime <time> command. The default poll time is 10 seconds.

7 If you need ViPNet Coordinator HW/VA to perform source NAT for an internal network, enable this by using the service loadbalancer nat add localnet <network> command. <network> is a network IP address in the CIDR format, for example, /24.

Warning: For NAT to be performed correctly, also make the corresponding firewall settings (see Configuring the Integrated Firewall on page 98). You can do it after you finish configuring the loadbalancer service.

8 Enable the automatic start of the loadbalancer service at the host's start by using the service loadbalancer mode on command.
9 To start the loadbalancer service at once (without rebooting the appliance), execute the service loadbalancer start command.

For more information about working with the loadbalancer service and creating, editing, and deleting channels, see the document ViPNet Coordinator HW/VA. Reference Guide.
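The following Python script is an added example, not part of the guide or of the ViPNet product, that turns the two loadbalancer procedures above into a checked command plan: it validates the weight (1 to 10) and poll time (10 to 600 seconds) ranges stated in the steps, computes the traffic share that a pair of weights produces, and assembles the CLI commands in the order the steps prescribe. The provider names, gateway addresses, interface names and networks used in the test are constructed; the script only builds the command list and does not talk to an appliance.

```python
from fractions import Fraction

# Parameter ranges as stated in the guide for the loadbalancer service.
WEIGHT_MIN, WEIGHT_MAX = 1, 10          # provider weight, balancing mode only
POLLTIME_MIN, POLLTIME_MAX = 10, 600    # test IP address poll time, seconds
POLLTIME_DEFAULT = 10
MODES = ("failover", "balancing")


def is_valid_weight(weight):
    """True for an integer from 1 to 10 (bool is rejected even though it is an int)."""
    return (isinstance(weight, int) and not isinstance(weight, bool)
            and WEIGHT_MIN <= weight <= WEIGHT_MAX)


def is_valid_polltime(polltime):
    """True for an integer number of seconds from 10 to 600."""
    return (isinstance(polltime, int) and not isinstance(polltime, bool)
            and POLLTIME_MIN <= polltime <= POLLTIME_MAX)


def traffic_shares(weights):
    """Map provider name -> exact share of traffic given by the ratio of the weights."""
    for name, w in weights.items():
        if not is_valid_weight(w):
            raise ValueError(f"weight {w!r} of provider {name} is outside {WEIGHT_MIN}..{WEIGHT_MAX}")
    total = sum(weights.values())
    return {name: Fraction(w, total) for name, w in weights.items()}


def loadbalancer_commands(mode, providers, testip, polltime=POLLTIME_DEFAULT,
                          default=None, localnets=()):
    """Assemble the CLI commands of the procedure, in order, after checking the inputs.

    providers maps a channel name to {"gateway": ip, "interface": ifname[, "weight": int]};
    weight is required in balancing mode, default names the preferred channel in failover mode.
    """
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}")
    if len(providers) != 2:
        raise ValueError("the procedure configures exactly two channels")
    if mode == "failover" and default not in providers:
        raise ValueError("failover mode needs a default channel chosen from the providers")
    if not is_valid_polltime(polltime):
        raise ValueError(f"polltime {polltime!r} is outside {POLLTIME_MIN}..{POLLTIME_MAX} seconds")
    if mode == "balancing":
        traffic_shares({n: p.get("weight") for n, p in providers.items()})  # validates weights

    cmds = ["enable",                                   # step 1: administrator mode
            "service loadbalancer stop",                # step 2
            f"service loadbalancer set mode {mode}"]    # step 3
    for name, p in providers.items():                   # step 4: both channels
        cmds.append(f"service loadbalancer add provider {name}")
        cmds.append(f"service loadbalancer set provider {name} gateway {p['gateway']}")
        cmds.append(f"service loadbalancer set provider {name} interface {p['interface']}")
        if mode == "balancing":
            cmds.append(f"service loadbalancer set provider {name} weight {p['weight']}")
    if mode == "failover":                              # step 5 of the redundant channel procedure
        cmds.append(f"service loadbalancer set provider {default} default")
    cmds.append(f"service loadbalancer set testip {testip}")
    cmds.append(f"service loadbalancer set polltime {polltime}")
    for net in localnets:                               # optional source NAT for internal networks
        cmds.append(f"service loadbalancer nat add localnet {net}")
    cmds.append("service loadbalancer mode on")         # start at boot
    cmds.append("service loadbalancer start")           # start now
    return cmds
```

Printing the returned list gives a runbook that can be pasted into the appliance's command line interface one command at a time; the NAT warning in the procedure still applies, so the firewall settings have to be made separately.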

Alternate Channels' Events Log

The events concerning the usage of the alternate traffic channels are written to the system log everything.log. The following events are logged:
a channel's failure;
a channel's recovery;
switching between channels.
You can view the log by executing the machine show logs command.

9 Failover System
Failover System Purpose 119
Services Unavailable in the Cluster Mode 120
Operation of the Failover System in the Single Mode 121
Managing the Failover System 122

Failover System Purpose

The failover system is designed to provide a failsafe solution based on ViPNet Coordinator HW/VA. This system can function in two modes:
1 Single mode (the mode of a standalone server). Working in the single mode, the failover system ensures reliability and failsafe operability of the main ViPNet services:
permanent monitoring of the services' status and logging of the system resources usage;
service failure detection and an unlimited number of subsequent attempts to recover the failed service;
preventing internal failures in the failover system itself;
rebooting the system in case of a VPN network protection driver failure.
2 Cluster mode (the failover cluster mode). A failover cluster consists of two hosts, the cluster nodes, which are connected with each other and duplicate each other's functions. One of the nodes in a cluster is active and functions as a coordinator (see ViPNet coordinator on page 228). The other one is passive and is in the standby mode. If the active node fails, it becomes passive, while the other node becomes active, taking over the functions of the failed node. When the failover system is working in the cluster mode, it also ensures reliability of the main ViPNet services in the same way as it does in the single mode.

Note: The failover system in the cluster mode (see Failover System on page 118) is available only for Coordinator VA modifications (see Supported Coordinator HW/VA Platforms on page 12).

Below, you will find the guidelines for configuring the server in the single mode. For information about working in the cluster mode, see the document ViPNet Coordinator HW/VA. Failover System. Administrator's Guide.

Note: In the cluster mode, some services of ViPNet Coordinator HW/VA are unavailable (see Services Unavailable in the Cluster Mode on page 120).

Services Unavailable in the Cluster Mode

In the cluster mode, the following features of ViPNet Coordinator HW/VA (see Core Features on page 14) are unavailable:
Network features:
Wi-Fi access point.
3G/LTE modem.
Services:
DHCP.
HTTP/HTTPS/FTP proxy server, including the web content filtering and anti-virus services.
IPsec server.
VIP server.
Monitoring a ViPNet Coordinator HW/VA:
SNMP.
If the failover system is working in the single mode and any of these services or features are enabled, it cannot be switched to the cluster mode until these services or features are disabled. When you are enabling the cluster mode, you are asked whether these services and features should be automatically disabled.

Operation of the Failover System in the Single Mode

In the single mode, the failover system ensures operability of ViPNet Coordinator HW/VA by monitoring:
the system health. This is performed at the kernel level and, in most cases, even if the system fails to respond to any external events. The system health continues to be monitored even when you disable the failover system.
the operability of the ViPNet control daemon (iplircfg) and the MFTP transport module (mftpd). If these services fail, the failover system initiates the application recovery procedure.
The failover system may be configured to reboot the appliance (see Managing the Failover System on page 122) in case of its own or its tracked applications' repeated failures.
For more information about the operation of the failover system, see the document ViPNet Coordinator HW/VA. Failover System.

Managing the Failover System

In the single mode (see Operation of the Failover System in the Single Mode on page 121), you can manage the failover system in the following way:
To start the failover system, execute the failover start command.
To stop the failover system, execute the failover stop command.
To configure the failover system, edit the failover system configuration file. To open the file for editing, execute the failover config edit command.
In the [misc] section, you can configure the reboot parameter that enables (yes) or disables (no) the automatic reboot in case of the failover system failure (see Operation of the Failover System in the Single Mode on page 121).
In the [debug] section, you can configure the following parameters:
debuglevel, which defines the logging level. The parameter can take the value -1 or an integer from 1 up to 5. If the parameter value is -1, logging is disabled. The default parameter value is 3.
debuglogfile, which is the log storage file specified in the syslog:<facility.level> format. The default parameter value is syslog:daemon.debug.

Warning: If the failover system has been stopped, and you start it manually on a ViPNet Coordinator HW/VA by executing the failover start command, the monitored applications (the ViPNet control daemon and the MFTP transport module) are not restarted automatically. You will need to start them manually by executing the iplir start and mftp start commands.

To view the status of the failover system, do one of the following:
Access the host via the web interface (see Logging On to the Web Interface on page 46) and select System Settings.
Access the host via the command line interface and execute the failover show info command.
For more information about working with the failover system and about configuring a failover cluster (see Failover System Purpose on page 119), see the document ViPNet Coordinator HW/VA. Failover System.
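Added example (not part of the guide or of the product): a Python checker for a failover configuration file with the [misc] and [debug] parameters described above. It reads a constructed sample of the file and reports values outside the ranges given here, including the debuglevel value 0, which is neither -1 nor in 1..5. It assumes the file is INI-style, as the section names suggest, and that the syslog facility and severity names the appliance accepts are the standard ones; both are assumptions, not statements from the guide.

```python
import configparser
import re

# Allowed values from the guide: reboot is yes/no; debuglevel is -1 (logging off) or 1..5;
# debuglogfile is written as syslog:<facility.level>.
DEBUGLEVEL_DEFAULT = 3
DEBUGLOGFILE_DEFAULT = "syslog:daemon.debug"
# Standard syslog facility and severity names (assumption: the appliance accepts exactly these).
SYSLOG_FACILITIES = {"kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                     "uucp", "cron", "authpriv", "ftp"} | {f"local{i}" for i in range(8)}
SYSLOG_LEVELS = {"emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"}
_LOGFILE_RE = re.compile(r"^syslog:(?P<facility>[a-z0-9]+)\.(?P<level>[a-z]+)$")

# Constructed sample of the failover configuration file (not copied from an appliance).
SAMPLE_CONFIG = """\
[misc]
reboot=yes

[debug]
debuglevel=3
debuglogfile=syslog:daemon.debug
"""


def parse_failover_config(text):
    """Parse the INI-style text (assumed layout) into a ConfigParser."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def validate_failover_config(text):
    """Return a list of problems; an empty list means every checked parameter is acceptable."""
    problems = []
    cp = parse_failover_config(text)

    reboot = cp.get("misc", "reboot", fallback=None)
    if reboot is None:
        problems.append("[misc] reboot is missing")
    elif reboot.strip().lower() not in ("yes", "no"):
        problems.append(f"[misc] reboot must be yes or no, got {reboot!r}")

    # A missing debuglevel keeps the documented default of 3.
    level = cp.get("debug", "debuglevel", fallback=str(DEBUGLEVEL_DEFAULT))
    try:
        n = int(level)
    except ValueError:
        n = None
    if n is None or not (n == -1 or 1 <= n <= 5):
        problems.append(f"[debug] debuglevel must be -1 or 1..5, got {level!r}")

    logfile = cp.get("debug", "debuglogfile", fallback=DEBUGLOGFILE_DEFAULT)
    m = _LOGFILE_RE.match(logfile.strip())
    if not m:
        problems.append(f"[debug] debuglogfile must look like syslog:<facility.level>, got {logfile!r}")
    else:
        if m["facility"] not in SYSLOG_FACILITIES:
            problems.append(f"[debug] unknown syslog facility {m['facility']!r}")
        if m["level"] not in SYSLOG_LEVELS:
            problems.append(f"[debug] unknown syslog level {m['level']!r}")
    return problems


def logging_enabled(text):
    """True unless debuglevel is -1, the value the guide says disables logging."""
    cp = parse_failover_config(text)
    return cp.getint("debug", "debuglevel", fallback=DEBUGLEVEL_DEFAULT) != -1
```

Running validate_failover_config on the text of a file before saving it from the failover config edit session catches the two mistakes that silently change behaviour: a reboot value that is neither yes nor no, and a debuglevel outside the documented set.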

10 ViPNet Coordinator HW/VA Deployment Scenarios
Protecting a Local Network with ViPNet Coordinator HW/VA 124
Using a Centralized Proxy Server 131
Providing Secure Access to Resources on a Corporate LAN from Remote Hosts (Client-to-Site Connection) 133
Providing Secure Access to a Corporate LAN from Mobile Devices over an IPsec Channel 137
Providing Secure Access to Resources on a Corporate LAN from Other LANs (Site-to-Site Connection) 143

Protecting a Local Network with ViPNet Coordinator HW/VA

With ViPNet Coordinator HW/VA, you can easily deploy a small protected corporate LAN. For example, you have a ViPNet network deployed in your head office, and you are planning to deploy a LAN in your new branch office. The computers on the LAN need to have access to the Internet, and several computers also need to have secure access to the head office VPN.
To arrange this topology, on the edge of the branch office LAN, deploy a ViPNet Coordinator HW/VA host. Connect one of the host's Ethernet interfaces to the Internet, and the other, to the LAN.

Figure 37: Deploying a local network using ViPNet Coordinator HW/VA

As a coordinator (VPN server and gateway), the host will provide the tunneling of certain hosts on the LAN (the tunneled hosts), which will allow them to access corporate resources on the head office VPN (see Connecting over a Protected ViPNet Channel on page 143). If the LAN also contains other ViPNet hosts (for example, ViPNet Client hosts), they will also be able to access the head office VPN.
In addition to being a VPN server and gateway, a ViPNet Coordinator HW/VA host may function on a branch office LAN as:
A router providing data exchange between the LAN and the Internet.
A Wi-Fi access point.

A firewall with network address translation (NAT). You may configure the firewall to allow or block the access to the Internet of the hosts on the LAN.

Note: Hosts on the LAN will be able to access the Internet if you additionally configure the coordinator's interface that faces the public network. For this, do one of the following:
change the security level of the interface from second (the default level) to third (see Changing the Security Level on a Network Interface on page 101);
configure the firewall rules to allow the traffic from the hosts on the LAN to the Internet (see Configuring the Integrated Firewall Manually for Hosts' Access to the Internet from a LAN on page 150).

A DHCP, DNS, and NTP server for hosts on the LAN.
A proxy server with optional web content filtering and anti-virus services that protect local users from unwanted connections.
A VIP server with SIP protocol support. It allows you to build a protected corporate IP telephony system over several local offices.
In the section Deploying a DMZ Segment (on page 126), you may find an example of splitting a LAN into logical segments with ViPNet Coordinator HW/VA.

Checklist: Deploying a Local Network

To deploy a LAN using ViPNet Coordinator HW/VA, follow the checklist below.

Table 10: Deploying a LAN
Task: Deploy a ViPNet Coordinator HW/VA host on the edge of the LAN.
Reference: Checklist: ViPNet Coordinator HW/VA Setup (on page 28)
Task: If necessary, configure the ViPNet Coordinator HW/VA host as a Wi-Fi access point.
Reference: Configuring a Wi-Fi Access Point (on page 77)
Task: Configure the integrated DHCP, DNS, and NTP servers for the Ethernet network.
Reference: Configuring a DHCP Server (on page 78); Configuring a DNS Server (on page 80); Configuring an NTP Server (on page 81)

Task: If you want to provide users with secure Internet access, configure the integrated proxy server.
Reference: Configuring the Proxy Server (on page 83)
Task: If you want to build an office IP telephony system, configure the integrated VIP server.
Reference: Configuring the VIP Server (on page 91)
Task: If necessary, configure advanced rules for public network traffic filtering.
Reference: Configuring Unencrypted Traffic Processing Rules (on page 102)

Tip: We recommend that you print this checklist and select the check boxes as you advance through the tasks outlined in it.

Deploying a DMZ Segment

When you provide public services for external users (e-mail, web, and so on), your public servers are the weak points on your LAN. When successfully attacked, they put the security of the whole LAN at risk. A good solution is to deploy the public servers in a separate logical segment of your LAN (a DMZ) and to control the data exchange between the DMZ and the rest of your LAN.
By configuring a firewall (on page 229) on a ViPNet Coordinator HW/VA host, you can split your corporate LAN into logical segments with separately configured access policies, without the need to install any ViPNet software on the LAN hosts themselves. For example, you may split your LAN into the following two segments:
A protected segment, with hosts allowed to establish outbound connections to external hosts on the Internet and on the DMZ, but inaccessible from the Internet and from the DMZ (inbound connections are prohibited). These hosts are protected against unauthorized access from outside the segment.
A DMZ segment (see DMZ (demilitarized zone) on page 229), with hosts accessible from the Internet and from the protected segment over certain protocols and ports.
Consider the following example:
You need to split your LAN into two segments: the protected segment and the DMZ.
You need to make a server on the DMZ accessible from the Internet (IP address , port 80).
The protected segment hosts' IP addresses are from the address pool /24.

The external network interface of the coordinator has the IP address .

Figure 38: Using ViPNet Coordinator HW/VA for segmenting a local network

You can provide the described LAN segmentation and connectivity by configuring forward traffic filtering rules and NAT rules on the coordinator:
1 Deploy a ViPNet Coordinator HW/VA host (see Checklist: ViPNet Coordinator HW/VA Setup on page 28) on the edge of the LAN.
2 Access the ViPNet Coordinator HW/VA via the command line interface (see Managing a ViPNet Coordinator HW/VA Host on page 45).
3 Stop the control daemon by executing the iplir stop command.
4 Log on as an administrator by executing the enable command.
5 Open the firewall configuration file for editing by executing the iplir config firewall command.
6 In the [forward] section, add the following lines that contain filtering rules for forward IP packets:
The rule allowing outbound connections from the protected segment to any IP addresses over any protocol:
rule= num 1 proto any from /24 to anyip pass
The rule allowing HTTP connections from the Internet and the protected segment to the server in the DMZ segment over port 80:
rule= num 2 proto tcp from anyip to :80 pass

The num parameter sets a rule's priority in the section.

Note: The traffic that is not explicitly allowed is blocked. Therefore, there is no need for any rules that would block the inbound traffic on the edge of the protected segment.

7 In the [nat] section, add the following NAT rules:
The rule for organizing access from the protected segment to the Internet:
rule= change src= :dynamic proto any from /24 to anyip
The rule for organizing access from the Internet to the DMZ segment:
rule= change dst= :80 proto tcp from anyip to :80
8 To save the configuration file, press Ctrl+O, then press Enter.
9 To close the file, press Ctrl+X.
10 Start the control daemon by executing the iplir start command.
11 Make sure that the appropriate connections are available, and the unwanted connections are not, according to the desired LAN topology (see figure on page 127).

Providing Access to a ViPNet Coordinator HW/VA Host by Assigning IP Address Aliases

If required, you can assign IP address aliases to Ethernet network interfaces of a ViPNet Coordinator HW/VA host. An Ethernet interface is accessible via its IP address (assigned automatically by the DHCP server or manually). If you assign IP aliases to an interface, it will also be accessible via these aliases.
Assigning IP aliases allows you to implement a variety of useful schemes of access to the ViPNet Coordinator HW/VA host, for example:
For managing a ViPNet Coordinator HW/VA host remotely via the command line interface or the web interface (see Managing a ViPNet Coordinator HW/VA Host on page 45), you need to access it by its IP address. But if the coordinator receives its IP address from a DHCP server, that address will not be constant. By assigning an alias to an interface that receives its IP address from a DHCP server, you provide access to the host by a static IP address.

When you are implementing a LAN segmentation scheme, you need a ViPNet Coordinator HW/VA host to face the LAN segments and the Internet with its different Ethernet interfaces. For example, in the sample DMZ scheme (see figure on page 127), the host needs to have addresses , , and assigned to its interfaces. However, you can implement this scheme even if your ViPNet Coordinator HW/VA host has only one Ethernet interface. You just need to ensure that each of the three addresses is either the interface's alias or its main IP address.
Consider the following example:
A small office LAN includes several computers that access the Internet via a router with the DHCP function: they receive their IP addresses from the router. The assigned addresses belong to the /24 address pool.
Several hosts and devices on the LAN need to be connected to protected resources on a remote ViPNet VPN.
You have a ViPNet Coordinator HW/VA host on your LAN, and you are planning to configure it for tunneling the connections of the hosts and devices with the remote VPN (see Connecting over a Protected ViPNet Channel on page 143).
The ViPNet Coordinator HW/VA host has only one Ethernet interface.
You are planning to configure the ViPNet Coordinator HW/VA host remotely via the command line or web interface.

Figure 39: Using an IP address alias

To implement the described scheme, do the following:
1 Configure the Ethernet network interface of the ViPNet Coordinator HW/VA host to obtain the IP address from the DHCP server (see Connecting to an Ethernet Network on page 65). On the scheme above, the coordinator has received the address from the DHCP server.
2 Create a separate subnet ( /24) for the hosts on the LAN that you wish to connect to the VPN:
2.1 Assign IP addresses from the /24 subnet to the tunneled hosts.
2.2 On the tunneled hosts, specify the coordinator's IP address alias as the default gateway (you will assign this alias to the coordinator's interface in later steps).
3 In ViPNet Network Manager, configure tunneling:
3.1 On the coordinator's network interface, add the IP address alias (see Connecting to an Ethernet Network with ViPNet Network Manager on page 59).
3.2 Add the IP addresses of the coordinator's tunneled hosts to the list of tunneled IP addresses (see Configuring Tunneling on a ViPNet Coordinator HW/VA on page 63).
3.3 Send keys to the coordinator.
4 Enable remote configuration of the ViPNet Coordinator HW/VA host via the web interface or the command line interface from a host on the LAN:
Assign a static IP address to the host you want to use for remote configuration.
On the ViPNet Coordinator HW/VA host, configure an unprotected traffic filtering rule (see Traffic Filtering Rules on page 104) that will allow inbound connections over the HTTP protocol (TCP port 80) and the SSH protocol (TCP port 22) from the host you want to use for remote configuration. For example:
rule= pass proto tcp from to :22
rule= pass proto tcp from to :80
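The following Python model is an added example, not code from the guide or from the ViPNet product, for reading rule lines of the kind used in the [forward] and [nat] sections of the DMZ procedure and in the management access rules of step 4 above, and for checking what such a rule set does before it is applied. It evaluates filtering rules with the default-deny behaviour the Note describes (traffic not explicitly allowed is blocked), applies change src and change dst NAT rules, and also accepts the any:(ports) form used for the transparent proxy redirect later in this chapter. The addresses are constructed stand-ins for the ones elided on the page; the assumptions that a smaller num means higher priority and that NAT is applied before forward filtering are marked in the code.

```python
import ipaddress
import re

# Constructed sample addresses standing in for the guide's (private and documentation ranges).
PROTECTED_NET = "192.168.10.0/24"   # protected segment address pool
DMZ_SERVER = "192.168.20.10"        # public web server in the DMZ
EXTERNAL_IP = "203.0.113.5"         # coordinator's external interface
ADMIN_HOST = "192.168.10.50"        # static address of the remote-management host
ALIAS_IP = "192.168.10.1"           # coordinator's IP address alias facing the LAN

# [forward] rules of the DMZ example, with the sample addresses filled in.
FORWARD_RULES = [
    f"rule= num 1 proto any from {PROTECTED_NET} to anyip pass",
    f"rule= num 2 proto tcp from anyip to {DMZ_SERVER}:80 pass",
]
# [nat] rules of the DMZ example.
NAT_RULES = [
    f"rule= change src={EXTERNAL_IP}:dynamic proto any from {PROTECTED_NET} to anyip",
    f"rule= change dst={DMZ_SERVER}:80 proto tcp from anyip to {EXTERNAL_IP}:80",
]
# Unprotected-traffic rules admitting SSH and HTTP from the management host only.
MGMT_RULES = [
    f"rule= pass proto tcp from {ADMIN_HOST} to {ALIAS_IP}:22",
    f"rule= pass proto tcp from {ADMIN_HOST} to {ALIAS_IP}:80",
]


def parse_endpoint(text):
    """'anyip' | 'any:(21,80)' | '10.0.0.0/24' | '10.0.0.1:80' -> (network or None, port set or None)."""
    host, _, ports = text.partition(":")      # IPv4 only; IPv6 literals are not handled
    net = None if host in ("anyip", "any") else ipaddress.ip_network(host, strict=False)
    if ports in ("", "dynamic"):
        return net, None
    return net, {int(p) for p in ports.strip("()").split(",")}


def parse_rule(line):
    """Parse one 'rule=' line into a dict with num, proto, src, dst, action and change fields."""
    if not line.startswith("rule="):
        raise ValueError(f"not a rule line: {line!r}")
    body = re.sub(r"\s+(?=[^()]*\))", "", line[len("rule="):])   # drop blanks inside (21, 80)
    tokens = body.split()
    rule = {"num": None, "proto": "any", "src": (None, None), "dst": (None, None),
            "action": None, "change": None}
    i = 0
    while i < len(tokens):
        t = tokens[i]
        if t == "pass":
            rule["action"] = "pass"
            i += 1
        elif t == "change":                       # change src=IP:port|dynamic / change dst=IP:port
            field, value = tokens[i + 1].split("=", 1)
            rule["action"], rule["change"] = "change", (field, value)
            i += 2
        elif t in ("num", "proto", "from", "to"):
            arg = tokens[i + 1]
            if t == "num":
                rule["num"] = int(arg)
            elif t == "proto":
                rule["proto"] = arg
            elif t == "from":
                rule["src"] = parse_endpoint(arg)
            else:
                rule["dst"] = parse_endpoint(arg)
            i += 2
        else:
            raise ValueError(f"unknown token {t!r} in {line!r}")
    if rule["action"] is None:
        raise ValueError(f"rule has neither pass nor change: {line!r}")
    return rule


def _endpoint_matches(endpoint, ip, port):
    net, ports = endpoint
    if net is not None and ipaddress.ip_address(ip) not in net:
        return False
    return ports is None or port in ports


def rule_matches(rule, packet):
    """packet = (proto, src_ip, src_port, dst_ip, dst_port)."""
    proto, src, sport, dst, dport = packet
    if rule["proto"] not in ("any", proto):
        return False
    return _endpoint_matches(rule["src"], src, sport) and _endpoint_matches(rule["dst"], dst, dport)


def filter_verdict(rules, packet):
    """Default deny: ('pass', num) for the first matching pass rule, else ('block', None).

    Assumption: a smaller num means higher priority; rules without num keep their listed
    order after the numbered ones (the sort is stable).
    """
    parsed = [parse_rule(r) for r in rules]
    parsed.sort(key=lambda r: (r["num"] is None, r["num"] if r["num"] is not None else 0))
    for rule in parsed:
        if rule["action"] == "pass" and rule_matches(rule, packet):
            return "pass", rule["num"]
    return "block", None


def apply_nat(rules, packet):
    """Rewrite the packet with the first matching change rule; unchanged if none matches."""
    proto, src, sport, dst, dport = packet
    for rule in map(parse_rule, rules):
        if rule["action"] != "change" or not rule_matches(rule, packet):
            continue
        field, value = rule["change"]
        ip, _, port = value.partition(":")
        if field == "src":
            # 'dynamic' means the appliance picks the source port; the original port is kept here.
            return proto, ip, (sport if port == "dynamic" else int(port)), dst, dport
        if field == "dst":
            return proto, src, sport, ip, (int(port) if port else dport)
    return packet
```

For the DMZ example, an inbound packet to the external address on port 80 is first rewritten by the change dst rule and then matched by forward rule 2, while a packet from the Internet to a host in the protected segment matches nothing and is blocked; modelling NAT ahead of forward filtering is the assumption under which the two rule sets on the page fit together.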

Using a Centralized Proxy Server

Computers on a LAN usually require the protection of their access to the Internet with a proxy server. When you manage several LANs, you can protect them with separate proxy servers. However, their maintenance will take a lot of effort. To reduce maintenance costs, you can use a centralized proxy server that will protect the LANs collectively:
1 On the LANs, deploy ViPNet Coordinator HW/VA hosts that will redirect user requests to the centralized proxy server over a protected ViPNet tunnel (perform the tunneling of the requests).
2 Deploy a ViPNet Coordinator HW/VA coordinator and use its built-in proxy server service for the LANs' centralized protection.
All the load of request processing and virus checking lies upon the centralized proxy server and requires substantial computational power. Therefore, if you are planning to use a coordinator as a centralized proxy server, select a powerful ViPNet Coordinator HW/VA platform (see Supported Coordinator HW/VA Platforms on page 12).
The proposed scheme supports the transparent proxy server mode.

Figure 40: A scheme with a central proxy server

To deploy this scheme:
1 On the host that will be the centralized proxy server:
Deploy the ViPNet Coordinator HW/VA appliance (see Checklist: ViPNet Coordinator HW/VA Setup on page 28).
Specify parameters of the integrated proxy server (see Configuring Proxy General Settings on page 84).
If necessary, configure content control (see Configuring Content Control on page 87) and the anti-virus (see Configuring the Anti-Virus on page 89).
2 In ViPNet Network Manager, configure tunneling (see Configuring Tunneling on a ViPNet Coordinator HW/VA on page 63) of hosts on the LANs by their ViPNet Coordinator HW/VA hosts.
3 Make the following settings on the hosts on the LANs:
To use the proxy server in the 'non-transparent' mode, on the LANs' hosts (both tunneled hosts and ViPNet hosts), in user applications (for example, in a web browser), specify the centralized proxy server's IP address and port.
To use the proxy server in the 'transparent' mode, on each LAN's ViPNet Coordinator HW/VA coordinator, configure a static NAT rule (see Network Address Translation Rules on page 106) as follows:
rule= proto tcp from <local IP addresses> to any:<web resources' ports> change dst=<centralized proxy's IP address>:<centralized proxy's port>
where:
local IP addresses are the LAN hosts' IP addresses;
web resources' ports are the ports used by the protocols that access web resources;
centralized proxy's IP address is the visibility IP address (see Visibility addresses on page 233) of the centralized proxy server host on the given LAN's coordinator;
centralized proxy's port is the centralized proxy server's listening port.
A rule sample:
rule= proto tcp from /24 to any:(21,80, 443, 8080) change dst= :3128

Warning: You cannot access the Internet from a ViPNet host on a LAN over a centralized proxy server if you enable the transparent mode. To get access, configure the non-transparent mode on the proxy server.

Providing Secure Access to Resources on a Corporate LAN from Remote Hosts (Client-to-Site Connection)

There may be hosts on your corporate LAN that do not (or cannot) have any ViPNet software installed, like servers, network printers, mobile devices, point-of-sale terminals, and so on (later in this document, these hosts are referred to as "unprotected hosts"). Despite that, you can protect the connections to these hosts by using the tunneling technology (see Tunneling on page 232).
The tunneling can be performed by a ViPNet Coordinator HW/VA host or another ViPNet coordinator. It allows for an encrypted connection of a tunneled host on your corporate LAN:
with ViPNet hosts on and outside your LAN;
with unprotected hosts of other LANs tunneled by other coordinators.
The tunneled host sends IP packets to ViPNet Coordinator HW/VA unencrypted. ViPNet Coordinator HW/VA encrypts these IP packets and forwards them to a ViPNet host or a remote ViPNet coordinator that will decrypt the packets and forward them to another tunneled host.
ViPNet Coordinator HW/VA can tunnel unprotected hosts connected to it via the following interfaces:
Ethernet.
Wi-Fi, if the ViPNet Coordinator HW/VA host is configured as a Wi-Fi access point (see Configuring a Wi-Fi Access Point on page 77).

Tip: As an encryption/decryption process, traffic tunneling requires a considerable amount of computing capacity. If you expect the tunneled hosts to be frequently accessed, provide the required computing capacity by selecting the appropriate modification of the ViPNet Coordinator HW/VA appliance (see Supported Coordinator HW/VA Platforms on page 12).

Access from a Remote ViPNet Host

Assume that there are several servers on your corporate LAN without installed ViPNet software. You need to provide protected access to the servers for ViPNet network users that work on the LAN or remotely.

Figure 41: Tunneling unprotected hosts with ViPNet Coordinator HW/VA

To tunnel the servers with ViPNet Coordinator HW/VA:
1 Deploy a ViPNet Coordinator HW/VA host on the edge of the LAN (see Edge of a local network on page 229).
2 In ViPNet Network Manager, configure ViPNet Coordinator HW/VA (see Configuring ViPNet Coordinator HW/VA Network Settings in ViPNet Network Manager on page 58). When you do this, on the Tunnel tab, in the IP addresses of tunneled connections list, add the addresses of the unprotected servers to be tunneled.
3 In ViPNet Network Manager, create keys and send them to ViPNet hosts.
4 On tunneled hosts, do one of the following:
Set ViPNet Coordinator HW/VA as the default gateway.
Configure a static route for forwarding the traffic addressed to ViPNet hosts via ViPNet Coordinator HW/VA. For example, on a tunneled host with Windows OS, in the command line interface, execute the following command:
route add <destination IP address> mask <subnet mask> <ViPNet Coordinator HW/VA's IP address> -p
5 Check that the tunneling is performed correctly by establishing a connection between a ViPNet host and the tunneled host.

Access from Remote Hosts without Installed ViPNet Software over a ViPNet Channel

Assume there is a cloud-based application server on your corporate LAN protected by a ViPNet coordinator. You need to secure access to the application server for the users of the hosts and devices tunneled by another ViPNet coordinator. You may use ViPNet Coordinator HW/VA hosts as the two tunneling coordinators. In the example below, we describe how to configure two ViPNet Coordinator HW/VA coordinators for tunneling the application server and the unprotected hosts.

Figure 42: Protecting a connection between unprotected hosts

Configure the ViPNet Coordinator HW/VA host that will function as a tunneling coordinator for the application server (further "ViPNet Coordinator HW/VA #2"):
1 Deploy a ViPNet Coordinator HW/VA #2 host on the edge of the LAN with the application server (see Edge of a local network on page 229). Provide its accessibility from the public network by a static address or a fixed DNS name.
2 In ViPNet Network Manager, configure the coordinator to tunnel the application server. When you do this, on the Tunnel tab, in the IP addresses of tunneled connections list, add the address range of the unprotected application server to be tunneled.
3 On the tunneled application server, do one of the following:
Set ViPNet Coordinator HW/VA #2 as the default gateway.
Configure a static route to forward the unprotected hosts' traffic through ViPNet Coordinator HW/VA #2. For example, on a tunneled server running Windows, in the command line interface, execute the following command:
route add <destination IP address> mask <subnet mask> <ViPNet Coordinator HW/VA #2's IP address> -p
where <destination IP address> is the virtual address range on ViPNet Coordinator HW/VA #2.

Configure the ViPNet Coordinator HW/VA host that will tunnel the unprotected hosts accessing the application server (further "ViPNet Coordinator HW/VA #1"):
1 Deploy a ViPNet Coordinator HW/VA #1 host on the edge of the LAN with the hosts accessing the application server.
2 In ViPNet Network Manager, configure ViPNet Coordinator HW/VA #1. Set the following parameters:
On the Firewall tab, configure the firewall connection mode with dynamic address translation. As an inbound connections coordinator, select ViPNet Coordinator HW/VA #2.
On the Tunnel tab, in the IP addresses of tunneled connections list, add the addresses of the unprotected hosts to be tunneled:
For devices connected over Wi-Fi (see Configuring a Wi-Fi Access Point on page 77), add addresses from the range, one by one.
For devices connected over Ethernet, you can add any other addresses or ranges.
Link ViPNet Coordinator HW/VA #1 with ViPNet Coordinator HW/VA #2.
3 On the tunneled hosts connected to ViPNet Coordinator HW/VA #1 over Ethernet, do one of the following:
Set ViPNet Coordinator HW/VA #1 as the default gateway.
If the tunneled host is connected to ViPNet Coordinator HW/VA #1 over Ethernet, configure a static route to forward the traffic addressed to the application server through ViPNet Coordinator HW/VA #1. For example, on a tunneled server running Windows, in the command line interface, execute the following command:
route add <destination IP address> mask <subnet mask> <ViPNet Coordinator HW/VA #1's IP address> -p
After you complete the configuration, check that the tunneling is performed correctly by establishing a connection between the application server and the unprotected hosts.

Providing Secure Access to a Corporate LAN from Mobile Devices over an IPsec Channel

Modern business processes require efficient use of mobile devices. With mobile devices, you can use corporate e-mail, IP telephony, and other corporate network resources, even when you are far away from the office. To implement protected access to corporate resources located on a ViPNet network, users may use various smartphones and tablets. In this case, traffic is protected by a combination of the IPsec and ViPNet technologies.

Figure 43: Apple mobile device connecting to ViPNet Coordinator HW/VA

A ViPNet Coordinator HW/VA host functions as an IPsec ViPNet gateway providing access to tunneled and protected ViPNet hosts for mobile devices. A mobile device establishes a connection to a ViPNet Coordinator HW/VA host over the IPsec protocol. A protected client-to-site IPsec channel is created, and an IP address from the address pool /24 is automatically assigned to the mobile device. The mobile device's traffic is decrypted by the ViPNet Coordinator HW/VA host. Then, the unencrypted traffic is either forwarded to an unprotected host behind the ViPNet Coordinator HW/VA host, or the traffic is encrypted by using ViPNet keys and transferred to a protected ViPNet host. The hosts located on the network protected by ViPNet Coordinator HW/VA are accessible from mobile devices by IP addresses.
The mobile devices connected to your ViPNet Coordinator HW/VA over the IPsec protocol have the coordinator set as their default gateway. Without proper configuration, these devices can access the resources of your corporate network, but cannot access the Internet. If you want to provide the mobile IPsec clients with access to the Internet, use the integrated proxy server or configure NAT rules on your ViPNet Coordinator HW/VA host (see Providing Mobile Devices with Access to the Internet during IPsec Sessions on page 142).
ViPNet Coordinator HW/VA supports up to 40 concurrent client-to-site IPsec connections. Additionally, the number of mobile clients on your ViPNet network may be limited by your ViPNet VPN license.
The basic settings you should make in ViPNet Network Manager are common for Apple and Android devices (see Connecting Apple Mobile Devices on page 138). The difference is that ViPNet Network Manager provides an easy way to configure IPsec settings on iPad and iPhone automatically, while Android devices should be configured manually (see Connecting Android Mobile Devices on page 141).

Connecting Apple Mobile Devices

To access protected corporate resources with an Apple mobile device, configure the IPsec connection properties in ViPNet Network Manager. To do this:
1 In ViPNet Network Manager, in the navigation pane, select the ViPNet Coordinator HW/VA host that will function as an IPsec gateway.

Warning: If you have not installed a key set on your ViPNet Coordinator HW/VA host yet and you want to install the keys automatically (see Automatic Key Set Installation on page 37), you should configure the IPsec connection settings only after you install the key set.

2 If you have not configured ViPNet Coordinator HW/VA to be used as an IPsec gateway previously, on the IPsec connection tab, do the following:
2.1 In the Network interface name box, select the network interface of the ViPNet Coordinator HW/VA host that is accessible from the Internet.
2.2 Select the Use coordinator as an IPsec gateway for connecting your smartphone clients check box.
2.3 In the Gateway's IP address or DNS name box, type the public IP address or the DNS name that is used to access ViPNet Coordinator HW/VA from the Internet.
2.4 In the Pre-shared key box, type a symbol string (8 to 63 characters) that will be used as the password for connection authentication.

Figure 44: Configuring IPsec connection properties for Apple mobile devices

3 If you want Apple mobile devices to access ViPNet hosts, click the Tunnel tab and add the network IP address /24 to the IP addresses of tunneled connections list. By default, IP addresses from this network are assigned to mobile devices when they connect to the ViPNet Coordinator HW/VA over the IPsec protocol.
4 On the toolbar, click Add client, and then, on the menu, click Client iOS IPsec.
5 If necessary, rename the new client. To do this, right-click the mobile client and, on the context menu, click Rename.
6 In the navigation pane, select the new mobile client. Its parameters will be displayed in the view pane.

Figure 45: Configuring mobile client's settings

7 To set the user password that will be used to connect to the IPsec gateway, click Change password. Then, in the User password window, set the required password.

Warning: The user password should not contain the following characters: the question mark (?), the backslash (\), and the single quote (').

8 In the User's e-mail box, type the e-mail address that can be used to send the IPsec connection settings to the mobile device.
9 Click Send profile. The mail program you use by default will be started. A new message addressed to the mobile device user will be automatically created in the mail program. The IPsec profile containing the IPsec connection parameters will be attached to the message.
10 Send the message. Upon receiving the message, the user of the mobile device should apply the IPsec profile. For more information, see the document ViPNet VPN. User's Guide.

11 In the navigation pane, select the ViPNet Coordinator HW/VA host that will function as an IPsec gateway. In the view pane, on the Keys tab, click Send Keys to transfer the IPsec connection settings to the ViPNet Coordinator HW/VA host. If you have not installed a key set on the ViPNet Coordinator HW/VA host yet, click Save Keys to save the *.dst file. Then install the key set on the host (see Installing a Key Set on page 36).

Connecting Android Mobile Devices

To access protected corporate resources with an Android mobile device, configure the IPsec connection properties in ViPNet Network Manager in the same way as for Apple devices. The difference is that you can't send an IPsec profile to an Android device. You will need to configure the device manually.

To connect an Android device to protected corporate resources:
1 Follow steps 1 through 7 described in the section Connecting Apple Mobile Devices (on page 138).
2 Send keys to the ViPNet Coordinator HW/VA host used as an IPsec gateway to transfer the IPsec connection settings.
3 On your Android device, add an IPsec profile:
3.1 Open the Settings application and tap Wireless & Networking > VPN.
3.2 Add a new VPN profile.
3.3 Specify the connection type L2TP/IPSec PSK.
3.4 To specify the server address, type the IP address or DNS name of the ViPNet Coordinator HW/VA host you specified in ViPNet Network Manager, on the IPsec connection tab (see figure on page 139).
3.5 To specify the IPsec pre-shared key, type the pre-shared key you specified on the IPsec connection tab.
3.6 Save the VPN profile.
4 Tap the created VPN profile. User credentials will be requested:
4.1 Type the user name you specified in ViPNet Network Manager, on the mobile client's properties tab (see figure on page 140).
4.2 Type the password you specified on the mobile client's properties tab.
4.3 Tap Connect.

Note: On your Android device, the names and positions of the options described in this section may be different. For more information, refer to your device's user guides.

Providing Mobile Devices with Access to the Internet during IPsec Sessions

The easiest way to provide the mobile IPsec clients with access to the Internet is to use the ViPNet Coordinator HW/VA integrated proxy server in the transparent mode (see Configuring the Proxy Server on page 83). To do this:
1 Log on to the ViPNet Coordinator HW/VA web interface as an administrator and go to the proxy server configuration page (see Configuring Proxy General Settings on page 84).
2 On the General tab:
- In the External network interface list, select the network interface connected to the Internet.
- Select the Transparent proxy server mode check box.
- Click Save.
3 On the Listening IP addresses tab, add to the list any local IP address of the ViPNet Coordinator HW/VA host (except ).
4 On the Networks tab, add the network IP address /24 to the list. IP addresses from this network are assigned to mobile devices when they connect to the ViPNet Coordinator HW/VA over the IPsec protocol.
5 On the General tab, start the proxy server.

Instead of using the proxy server, you may configure traffic processing rules that will allow the mobile IPsec clients to connect to the Internet:
- A forward rule (see Traffic Filtering Rules on page 104) allowing outbound traffic from the /24 network to the Internet.
- A source address translation rule (see Network Address Translation Rules on page 106) translating the IP addresses from the /24 network to the public IP address of the ViPNet Coordinator HW/VA host.

Providing Secure Access to Resources on a Corporate LAN from Other LANs (Site-to-Site Connection)

With ViPNet Coordinator HW/VA, you can connect your LAN with other LANs over a protected channel (for example, connect a branch office LAN to the head office VPN):
- If the other LAN is protected with ViPNet technology, you may connect to it over a ViPNet channel (see Connecting over a Protected ViPNet Channel on page 143).
- If the other LAN is protected with IPsec technology, you may connect to it over an IPsec channel (see Connecting over a Protected IPsec Channel on page 145). In this case, ViPNet Coordinator HW/VA functions as a ViPNet IPsec gateway.

Connecting over a Protected ViPNet Channel

Assume that there is a ViPNet VPN network deployed in the head office. We need to establish an encrypted connection between the head office and the branch office. The branch office has both protected ViPNet hosts and tunneled hosts. To establish such a connection:
- In the head office, there needs to be a coordinator accessible from the Internet by a static IP address or a fixed DNS name.
- You need to deploy a ViPNet Coordinator HW/VA host on the edge of the branch office LAN. It will function as a firewall for ViPNet hosts and tunnel the unprotected hosts on the LAN. The coordinator must be connected to the Internet to be able to access the head office VPN, but doesn't itself need to be accessible from the head office (for example, it may have a dynamic IP address).

Although the term site-to-site connection in its general use corresponds to tunneling of connections between hosts on the LAN and the head office VPN, your branch office LAN may also contain ViPNet clients, which will be able to connect to the head office VPN, too. In the example below, the branch office LAN will include both tunneled hosts and ViPNet clients.

Figure 46: Using ViPNet Coordinator HW/VA for establishing a connection between two offices

To establish an encrypted connection with the branch office over a protected tunnel:
1 Deploy a ViPNet Coordinator HW/VA host on the branch office LAN (see Checklist: ViPNet Coordinator HW/VA Setup on page 28). When doing this:
1.1 Make sure that the head office coordinator is accessible from the branch office coordinator over the Internet by its IP addresses and DNS names.
1.2 When configuring the ViPNet Coordinator HW/VA host in ViPNet Network Manager (see Configuring ViPNet Coordinator HW/VA Network Settings in ViPNet Network Manager on page 58), do the following:
- Add branch office ViPNet clients to the new coordinator.
- On the IP addresses tab, specify the ViPNet Coordinator HW/VA's IP addresses.
- Depending on the ViPNet Coordinator HW/VA's Internet connection type, on the Firewall tab, specify the firewall parameters.
Note: In most cases, access to the Internet is available if With dynamic address translation is selected as the firewall type. In this case, as the Coordinator for incoming traffic, select the head office coordinator.
- On the Client firewall tab, specify the ViPNet Coordinator HW/VA host as the firewall for clients.
- If the ViPNet Coordinator HW/VA host should tunnel the unprotected hosts located in the branch office, on the Tunnel tab, configure the required parameters (see Configuring Tunneling on a ViPNet Coordinator HW/VA on page 63).
2 If you are planning to have any ViPNet clients on the branch LAN, deploy them. When doing this, in ViPNet Network Manager, for each client, verify the following:

- the ViPNet Coordinator HW/VA coordinator is set as an IP addresses server (a VPN server),
- client firewall options are specified properly.
For more information, see the document ViPNet VPN. User's Guide.
3 If there are any tunneled hosts in the branch office, on these hosts, do one of the following:
- Set ViPNet Coordinator HW/VA as the default gateway.
- Configure a static route to forward the traffic addressed to ViPNet hosts through ViPNet Coordinator HW/VA. For example, on a tunneled host with Windows OS, in the command line interface, enter:
route add <destination IP address> mask <subnet mask> <ViPNet Coordinator HW/VA's IP address> -p
4 Upon successful configuration, a protected connection will be established between the two offices. To check this, try to connect to a host on the head office VPN from a host on the branch office LAN.

Connecting over a Protected IPsec Channel

Assume that your corporate network is protected with a ViPNet VPN. You need to create a protected communications channel with your partner company, but they don't use the ViPNet technology. In this case, you may establish a tunnel between the two corporate networks over the IPsec protocol. An IPsec tunnel is an encrypted traffic channel established between the two IPsec gateways deployed in each of the two networks. There is a variety of IPsec gateway software servers and appliances (Cisco appliances, servers running Linux, FreeBSD, Windows Server, and others). You may use a ViPNet Coordinator HW/VA host as your network's IPsec gateway.

Warning: You can't create a protected IPsec channel between two ViPNet Coordinator HW/VA hosts that belong to the same ViPNet network. However, you may do it for hosts belonging to your partner networks (for more information, see the document ViPNet VPN. User's Guide, the chapter Connecting to a Partner Network).

Consider the following example:

Figure 47: Connecting over the IPsec protocol

A host on the remote network with the IP address establishes a connection to a ViPNet host with the IP address . IP packets from the host are transferred unencrypted to the remote IPsec gateway device. On the device, the IP packets are encrypted and the source address is substituted with the device's public address . Then, ViPNet Coordinator HW/VA performs decryption and forwards the packets to the host in their original state.

When configuring the IPsec connection on the remote IPsec gateway and on the ViPNet Coordinator HW/VA host, make sure that the IP address spaces of the communicating networks, the devices' real addresses, the encryption protocol, and the authentication method match on both sides.

In ViPNet Network Manager, you can configure an IPsec connection with authentication by a pre-shared key (PSK). If you want to use certificate authentication, see the document ViPNet Coordinator HW/VA. Reference Guide.

To configure a site-to-site IPsec connection, in ViPNet Network Manager, do the following:
1 In the navigation pane, select the ViPNet Coordinator HW/VA host that will function as an IPsec gateway.

Warning: If you have not installed a key set on your ViPNet Coordinator HW/VA host yet and you want to install the keys automatically (see Automatic Key Set Installation on page 37), configure the IPsec connection settings only after you install the key set.

2 In the view pane, click the IPsec connection tab.
3 If you have not previously configured the ViPNet Coordinator HW/VA to be used as an IPsec gateway, do the following:
3.1 In the Network interface name list, select the network interface of the ViPNet Coordinator HW/VA host that faces the Internet.
3.2 Select the Use coordinator to establish protected IPsec connection for other networks check box.

Figure 48: Adding an IPsec channel to another network

4 To configure a new IPsec connection to a remote network, click Add. The IPsec Gateway New window will be displayed.
5 On the Connection tab, in the Remote gateway name box, specify a unique name for the remote network connection.

Figure 49: Specifying remote IPsec gateway properties

6 In the Remote gateway IP address box, type the access IP address of the remote IPsec gateway.
7 Click Add and then, in the Local and Remote Network Addresses window, specify the IP addresses of the two networks that will be connected over the IPsec channel. The network addresses should be specified in the CIDR notation, for example: /24.

Figure 50: Specifying local and remote networks

If necessary, repeat this step to add more pairs of local and remote networks.
8 Click the Encryption tab and specify the connection encryption parameters:
- In the Pre-shared Key box, type a string (8 to 63 characters) that will be used as the password for connection authentication.
Warning: The pre-shared key should not contain the following characters: the question mark (?), the backslash (\), and the single quote (').
- If necessary, in other boxes, specify encryption and hashing algorithms, the Diffie-Hellman parameter value, and key lifetime.

Figure 51: Specifying encryption parameters

Warning: Inform the administrator of the remote network that the same encryption parameters should be specified on the remote gateway.

9 In the view pane, on the Keys tab, click Send Keys to transfer the IPsec connection settings to the ViPNet Coordinator HW/VA host. If you have not installed a key set on the ViPNet Coordinator HW/VA host yet, click Save Keys to save a *.dst file. Then install the key set on the host (see Installing a Key Set on page 36).
10 On the ViPNet Coordinator HW/VA host, configure a forward rule (see Traffic Filtering Rules on page 104) allowing traffic between the remote network and the local network you specified in ViPNet Network Manager.

Note: If you want computers from the remote network to access ViPNet hosts on your local network, configure firewall rules on your local hosts to allow inbound traffic from the remote hosts.
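The requirement above that the address spaces of the two networks agree is easy to get wrong once several local/remote pairs are entered in step 7. The following check, an added example rather than ViPNet's own code, validates a list of such pairs in CIDR notation and reports overlaps between a local and a remote network (within a pair and across pairs), which an IPsec gateway cannot route unambiguously; all addresses in it are constructed sample values.

```python
"""Sanity check for site-to-site IPsec network pairs.

Added example, not part of ViPNet Coordinator HW/VA. It checks the
local/remote network pairs that are entered in CIDR notation for
an IPsec channel: every address must be a valid network (no host bits
set), a local network must not overlap its remote network, and no
local network of one pair may overlap the remote network of another
pair. All sample addresses below are constructed.
"""
import ipaddress
from typing import Iterable, List, Tuple


def check_ipsec_pairs(pairs: Iterable[Tuple[str, str]]) -> List[str]:
    """Return human-readable problems; an empty list means the pairs are consistent."""
    problems: List[str] = []
    parsed = []  # (pair index, local network, remote network)
    for idx, (local, remote) in enumerate(pairs, start=1):
        try:
            # strict=True rejects values such as 10.1.2.3/24 (host bits set),
            # which is not a network address in CIDR notation.
            lnet = ipaddress.ip_network(local, strict=True)
            rnet = ipaddress.ip_network(remote, strict=True)
        except ValueError as exc:
            problems.append(f"pair {idx}: invalid CIDR ({local}, {remote}): {exc}")
            continue
        if lnet.version != rnet.version:
            problems.append(f"pair {idx}: {lnet} and {rnet} are different IP versions")
            continue
        if lnet.overlaps(rnet):
            # Traffic for the remote side would also match the local side.
            problems.append(f"pair {idx}: local {lnet} overlaps remote {rnet}")
        parsed.append((idx, lnet, rnet))

    # Cross-pair check: each local network must stay disjoint from every
    # remote network of the other pairs (the same local network paired with
    # two different remote networks is fine and is not reported).
    for i, (idx1, l1, r1) in enumerate(parsed):
        for idx2, l2, r2 in parsed[i + 1:]:
            if l1.version == r2.version and l1.overlaps(r2):
                problems.append(f"pair {idx1}: local {l1} overlaps remote {r2} of pair {idx2}")
            if l2.version == r1.version and l2.overlaps(r1):
                problems.append(f"pair {idx2}: local {l2} overlaps remote {r1} of pair {idx1}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the second pair reuses the first pair's local
    # network as its remote network, which the check reports.
    sample = [("10.10.0.0/24", "10.20.0.0/24"), ("10.30.0.0/24", "10.10.0.0/24")]
    for problem in check_ipsec_pairs(sample) or ["no problems found"]:
        print(problem)
```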

A Configuring the Integrated Firewall Manually for Hosts' Access to the Internet from a LAN

When you are configuring the 3G/LTE Internet access through the appliance, you need to configure the integrated firewall (see Configuring the Integrated Firewall on page 98) to allow the hosts behind the coordinator to access the Internet. If your Coordinator HW platform doesn't support proxy server functions, you will need to configure the firewall manually by using the command line interface (see Managing a ViPNet Coordinator HW/VA Host on page 45). Do the following:
1 In the command line interface, switch to the administrator mode by executing the enable command.
2 Stop the ViPNet driver by executing the iplir stop command.
3 Open the firewall configuration file by executing the iplir config firewall command.
4 In the [nat] section, add a NAT rule for connections of local hosts with the Internet. For example, if the local network address is /24, then add the rule
rule = num <X> proto any from /24 to internet change src=<interface>:dynamic

where <interface> may take one of the following values:
- if you are configuring a 3G/LTE connection: modem
- if you are configuring a Wi-Fi connection: wlan0
- if you are configuring an Ethernet connection: eth<X> (the interface that faces the public network).
5 In the [forward] section, add a rule that will allow the connection of local hosts to the Internet. For example,
rule = num <X> proto any from /24 to anyip pass
6 Save and exit by pressing Ctrl+X.
7 Start the ViPNet driver by executing the iplir start command.
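Because the driver is stopped while the file is edited, a mistake in either rule is only noticed after iplir start when hosts still cannot reach the Internet. The script below is an added example, not ViPNet's own code: it reads only the rule = num ... lines of the [nat] and [forward] sections in the format shown in steps 4 and 5 (everything else in the file is ignored, an assumption about the file layout), and reports whether a given LAN has the pass rule, the NAT rule with change src=<interface>:dynamic on one of the interface names listed above, and no duplicate rule numbers. The two configurations embedded in it are constructed samples.

```python
"""Consistency check for the [nat] and [forward] rules of the integrated firewall.

Added example, not part of ViPNet Coordinator HW/VA. Assumption: the
firewall file uses [section] headers and 'rule = num <X> proto <P>
from <SRC> to <DST> <action>' lines as shown in this appendix; any
other line is ignored. Sample configurations below are constructed.
"""
import re
from typing import Dict, List

RULE_RE = re.compile(
    r"^rule\s*=\s*num\s+(?P<num>\d+)\s+proto\s+(?P<proto>\S+)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s+(?P<action>.+?)\s*$"
)
# Interface names this appendix allows for the public side.
PUBLIC_IFACE_RE = re.compile(r"^(modem|wlan0|eth\d+)$")
NAT_ACTION_RE = re.compile(r"^change\s+src=(?P<iface>[^:\s]+):dynamic$")


def parse_firewall(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Return {section name: [rule fields, ...]} for the 'rule =' lines of each section."""
    sections: Dict[str, List[Dict[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
            continue
        match = RULE_RE.match(line)
        if match and current is not None:
            sections[current].append(match.groupdict())
    return sections


def check_lan_internet_access(text: str, lan: str) -> List[str]:
    """Report what is missing or wrong for hosts on `lan` to reach the Internet."""
    problems: List[str] = []
    sections = parse_firewall(text)

    # Step 5: a forward rule letting the LAN out to any address.
    forward = [r for r in sections.get("forward", [])
               if r["src"] == lan and r["dst"] == "anyip" and r["action"] == "pass"]
    if not forward:
        problems.append(f"[forward]: no 'from {lan} to anyip pass' rule")

    # Step 4: a NAT rule rewriting the LAN's source address on the public interface.
    nat = [r for r in sections.get("nat", []) if r["src"] == lan and r["dst"] == "internet"]
    if not nat:
        problems.append(f"[nat]: no 'from {lan} to internet' rule")
    for rule in nat:
        action = NAT_ACTION_RE.match(rule["action"])
        if not action:
            problems.append(f"[nat] rule {rule['num']}: expected "
                            f"'change src=<interface>:dynamic', got '{rule['action']}'")
        elif not PUBLIC_IFACE_RE.match(action["iface"]):
            problems.append(f"[nat] rule {rule['num']}: interface '{action['iface']}' "
                            f"is not modem, wlan0 or eth<X>")

    # Two rules with the same number in one section are a sign of a copy-paste slip.
    for name, rules in sections.items():
        nums = [r["num"] for r in rules]
        dupes = sorted({n for n in nums if nums.count(n) > 1})
        if dupes:
            problems.append(f"[{name}]: duplicate rule numbers {', '.join(dupes)}")
    return problems


# Constructed sample: both rules present, 3G/LTE modem as the public interface.
SAMPLE_OK = """
[nat]
rule = num 10 proto any from 192.168.10.0/24 to internet change src=modem:dynamic

[forward]
rule = num 10 proto any from 192.168.10.0/24 to anyip pass
"""

# Constructed sample with three slips: 'eth' without a number, a reused
# rule number in [nat], and no pass rule for 192.168.10.0/24.
SAMPLE_BAD = """
[nat]
rule = num 10 proto any from 192.168.10.0/24 to internet change src=eth:dynamic
rule = num 10 proto any from 192.168.20.0/24 to internet change src=eth0:dynamic

[forward]
rule = num 10 proto any from 192.168.20.0/24 to anyip pass
"""

if __name__ == "__main__":
    for label, cfg in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_lan_internet_access(cfg, "192.168.10.0/24") or ["no problems found"])
```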

B Information about Third-Party Software Components

Third-party software components were used during the application development. Use and distribution of those components are regulated by the terms of the corresponding license agreements. The texts of the license agreements are presented below.

Further, for at least three years from the date of distribution of the applicable product or software, we will give to anyone who contacts us, for a charge of no more than our cost of physically performing source code distribution, a complete machine-readable copy of the complete corresponding source code for the version of the programs that we distributed to you if we are in possession of such.

Apache

Copyright 2012 The Apache Software Foundation, Licensed under the Apache License, Version 2.0. Apache and the Apache feather logo are trademarks of The Apache Software Foundation.

Apache License, Version 2.0

Apache License Version 2.0, January

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.

"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

3. Grant of Patent License.
Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:

- You must give any other recipients of the Work or Derivative Works a copy of this License; and
- You must cause any modified files to carry prominent notices stating that You changed the files; and
- You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that don't pertain to any part of the Derivative Works; and
- If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that don't pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and don't modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices can't be construed as modifying the License.

You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

APPENDIX: How to apply the Apache License to your work

To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets [] replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives.

Copyright [yyyy] [name of copyright owner]

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

BusyBox

Copyright Erik Andersen

Mail all comments, insults, suggestions and bribes to Denys Vlasenko vda.linux@googlemail.com

BusyBox is licensed under the GNU General Public License version 2, which is often abbreviated as GPLv2.

GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin Street, Fifth Floor, Boston, MA, USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if

you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.

TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an

appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, don't apply to those sections when you distribute them as separate works.
But when yu distribute the same sectins as part f a whle which is a wrk based n the Prgram, the distributin f the whle must be n the terms f this License, whse permissins fr ther licensees extend t the entire whle, and thus t each and every part regardless f wh wrte it. Thus, it is nt the intent f this sectin t claim rights r cntest yur rights t wrk written entirely by yu; rather, the intent is t exercise the right t cntrl the distributin f derivative r cllective wrks based n the Prgram. In additin, mere aggregatin f anther wrk nt based n the Prgram with the Prgram (r with a wrk based n the Prgram) n a vlume f a strage r distributin medium des nt bring the ther wrk under the scpe f this License. 3. Yu may cpy and distribute the Prgram (r a wrk based n it, under Sectin 2) in bject cde r executable frm under the terms f Sectins 1 and 2 abve prvided that yu als d ne f the fllwing: ViPNet Crdinatr HW/VA 3.3. Administratr's Guide 159

160 a) Accmpany it with the cmplete crrespnding machine-readable surce cde, which must be distributed under the terms f Sectins 1 and 2 abve n a medium custmarily used fr sftware interchange; r, b) Accmpany it with a written ffer, valid fr at least three years, t give any third party, fr a charge n mre than yur cst f physically perfrming surce distributin, a cmplete machine-readable cpy f the crrespnding surce cde, t be distributed under the terms f Sectins 1 and 2 abve n a medium custmarily used fr sftware interchange; r, c) Accmpany it with the infrmatin yu received as t the ffer t distribute crrespnding surce cde. (This alternative is allwed nly fr nncmmercial distributin and nly if yu received the prgram in bject cde r executable frm with such an ffer, in accrd with Subsectin b abve.) The surce cde fr a wrk means the preferred frm f the wrk fr making mdificatins t it. Fr an executable wrk, cmplete surce cde means all the surce cde fr all mdules it cntains, plus any assciated interface definitin files, plus the scripts used t cntrl cmpilatin and installatin f the executable. Hwever, as a special exceptin, the surce cde distributed need nt include anything that is nrmally distributed (in either surce r binary frm) with the majr cmpnents (cmpiler, kernel, and s n) f the perating system n which the executable runs, unless that cmpnent itself accmpanies the executable. If distributin f executable r bject cde is made by ffering access t cpy frm a designated place, then ffering equivalent access t cpy the surce cde frm the same place cunts as distributin f the surce cde, even thugh third parties are nt cmpelled t cpy the surce alng with the bject cde. 4. Yu may nt cpy, mdify, sublicense, r distribute the Prgram except as expressly prvided under this License. Any attempt therwise t cpy, mdify, sublicense r distribute the Prgram is vid, and will autmatically terminate yur rights under this License. 
Hwever, parties wh have received cpies, r rights, frm yu under this License will nt have their licenses terminated s lng as such parties remain in full cmpliance. 5. Yu are nt required t accept this License, since yu have nt signed it. Hwever, nthing else grants yu permissin t mdify r distribute the Prgram r its derivative wrks. These actins are prhibited by law if yu dn't accept this License. Therefre, by mdifying r distributing the Prgram (r any wrk based n the Prgram), yu indicate yur acceptance f this License t d s, and all its terms and cnditins fr cpying, distributing r mdifying the Prgram r wrks based n it. 6. Each time yu redistribute the Prgram (r any wrk based n the Prgram), the recipient autmatically receives a license frm the riginal licensr t cpy, distribute r mdify the Prgram subject t these terms and cnditins. Yu may nt impse any further restrictins n the recipients' exercise f the rights granted herein. Yu are nt respnsible fr enfrcing cmpliance by third parties t this License. ViPNet Crdinatr HW/VA 3.3. Administratr's Guide 160

161 7. If, as a cnsequence f a curt judgment r allegatin f patent infringement r fr any ther reasn (nt limited t patent issues), cnditins are impsed n yu (whether by curt rder, agreement r therwise) that cntradict the cnditins f this License, they dn't excuse yu frm the cnditins f this License. If yu can't distribute s as t satisfy simultaneusly yur bligatins under this License and any ther pertinent bligatins, then as a cnsequence yu may nt distribute the Prgram at all. Fr example, if a patent license wuld nt permit ryaltyfree redistributin f the Prgram by all thse wh receive cpies directly r indirectly thrugh yu, then the nly way yu culd satisfy bth it and this License wuld be t refrain entirely frm distributin f the Prgram. If any prtin f this sectin is held invalid r unenfrceable under any particular circumstance, the balance f the sectin is intended t apply and the sectin as a whle is intended t apply in ther circumstances. It is nt the purpse f this sectin t induce yu t infringe any patents r ther prperty right claims r t cntest validity f any such claims; this sectin has the sle purpse f prtecting the integrity f the free sftware distributin system, which is implemented by public license practices. Many peple have made generus cntributins t the wide range f sftware distributed thrugh that system in reliance n cnsistent applicatin f that system; it is up t the authr/dnr t decide if he r she is willing t distribute sftware thrugh any ther system and a licensee can't impse that chice. This sectin is intended t make thrughly clear what is believed t be a cnsequence f the rest f this License. 8. If the distributin and/r use f the Prgram is restricted in certain cuntries either by patents r by cpyrighted interfaces, the riginal cpyright hlder wh places the Prgram under this License may add an explicit gegraphical distributin limitatin excluding thse cuntries, s that distributin is permitted nly in r amng cuntries nt thus excluded. 
In such case, this License incrprates the limitatin as if written in the bdy f this License. 9. The Free Sftware Fundatin may publish revised and/r new versins f the General Public License frm time t time. Such new versins will be similar in spirit t the present versin, but may differ in detail t address new prblems r cncerns. Each versin is given a distinguishing versin number. If the Prgram specifies a versin number f this License which applies t it and any later versin, yu have the ptin f fllwing the terms and cnditins either f that versin r f any later versin published by the Free Sftware Fundatin. If the Prgram des nt specify a versin number f this License, yu may chse any versin ever published by the Free Sftware Fundatin. 10. If yu wish t incrprate parts f the Prgram int ther free prgrams whse distributin cnditins are different, write t the authr t ask fr permissin. Fr sftware which is cpyrighted by the Free Sftware Fundatin, write t the Free Sftware Fundatin; we smetimes make exceptins fr this. Our decisin will be guided by the tw gals f preserving ViPNet Crdinatr HW/VA 3.3. Administratr's Guide 161

162 the free status f all derivatives f ur free sftware and f prmting the sharing and reuse f sftware generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS Hw t Apply These Terms t Yur New Prgrams If yu develp a new prgram, and yu want it t be f the greatest pssible use t the public, the best way t achieve this is t make it free sftware which everyne can redistribute and change under these terms. T d s, attach the fllwing ntices t the prgram. It is safest t attach them t the start f each surce file t mst effectively cnvey the exclusin f warranty; and each file shuld have at least the cpyright line and a pinter t where the full ntice is fund. ne line t give the prgram's name and an idea f what it des. Cpyright (C) yyyy name f authr ViPNet Crdinatr HW/VA 3.3. Administratr's Guide 162

163 This prgram is free sftware; yu can redistribute it and/r mdify it under the terms f the GNU General Public License as published by the Free Sftware Fundatin; either versin 2 f the License, r (at yur ptin) any later versin. This prgram is distributed in the hpe that it will be useful, but WITHOUT ANY WARRANTY; withut even the implied warranty f MERCHANTABILITY r FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License fr mre details. Yu shuld have received a cpy f the GNU General Public License alng with this prgram; if nt, write t the Free Sftware Fundatin, Inc., 51 Franklin Street, Fifth Flr, Bstn, MA , USA. Als add infrmatin n hw t cntact yu by electrnic and paper mail. If the prgram is interactive, make it utput a shrt ntice like this when it starts in an interactive mde: Gnmvisin versin 69, Cpyright (C) year name f authr Gnmvisin cmes with ABSOLUTELY NO WARRANTY; fr details type 'shw w'. This is free sftware, and yu are welcme t redistribute it under certain cnditins; type 'shw c' fr details. The hypthetical cmmands 'shw w' and 'shw c' shuld shw the apprpriate parts f the General Public License. Of curse, the cmmands yu use may be called smething ther than 'shw w' and 'shw c'; they culd even be muse-clicks r menu items--whatever suits yur prgram. Yu shuld als get yur emplyer (if yu wrk as a prgrammer) r yur schl, if any, t sign a cpyright disclaimer fr the prgram, if necessary. Here is a sample; alter the names: Yydyne, Inc., hereby disclaims all cpyright interest in the prgram `Gnmvisin' (which makes passes at cmpilers) written by James Hacker. signature f Ty Cn, 1 April 1989 Ty Cn, President f Vice This General Public License des nt permit incrprating yur prgram int prprietary prgrams. If yur prgram is a subrutine library, yu may cnsider it mre useful t permit linking prprietary applicatins with the library. If this is what yu want t d, use the GNU ViPNet Crdinatr HW/VA 3.3. Administratr's Guide 163

164 Lesser General Public License instead f this License. ViPNet Crdinatr HW/VA 3.3. Administratr's Guide 164

Editline Library (libedit)

Some files are:

Copyright (c) 1992, 1993 The Regents of the University of California. All rights reserved.

This code is derived from software contributed to Berkeley by Christos Zoulas of Cornell University.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Some files are:

Copyright (c) 2001 The NetBSD Foundation, Inc. All rights reserved.

This code is derived from software contributed to The NetBSD Foundation by Anthony Mallet.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Some files are:

Copyright (c) 1997 The NetBSD Foundation, Inc. All rights reserved.

This code is derived from software contributed to The NetBSD Foundation by Jaromir Dolecek.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Some files are:

Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>

Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED AS IS AND TODD C. MILLER DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TODD C. MILLER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

ICU

ICU License - ICU and later

COPYRIGHT AND PERMISSION NOTICE

Copyright (c) International Business Machines Corporation and others
All rights reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the Software), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, provided that the above copyright notice(s) and this permission notice appear in all copies of the Software and that both the above copyright notice(s) and this permission notice appear in supporting documentation.

THE SOFTWARE IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR HOLDERS INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.

All trademarks and registered trademarks mentioned herein are the property of their respective owners.

IPsec-Tools

Copyright (C) 1995, 1996, 1997, 1998, 1999, 2000, 2001, and 2002 WIDE Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. Neither the name of the project nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

170 Libclamav Libclamav is licensed under the GNU General Public License versin 2, which is ften abbreviated as GPLv2. GNU GENERAL PUBLIC LICENSE Versin 2, June 1991 Cpyright (C) 1989, 1991 Free Sftware Fundatin, Inc. 51 Franklin Street, Fifth Flr, Bstn, MA , USA Everyne is permitted t cpy and distribute verbatim cpies f this license dcument, but changing it is nt allwed. Preamble The licenses fr mst sftware are designed t take away yur freedm t share and change it. By cntrast, the GNU General Public License is intended t guarantee yur freedm t share and change free sftware--t make sure the sftware is free fr all its users. This General Public License applies t mst f the Free Sftware Fundatin's sftware and t any ther prgram whse authrs cmmit t using it. (Sme ther Free Sftware Fundatin sftware is cvered by the GNU Lesser General Public License instead.) Yu can apply it t yur prgrams, t. When we speak f free sftware, we are referring t freedm, nt price. Our General Public Licenses are designed t make sure that yu have the freedm t distribute cpies f free sftware (and charge fr this service if yu wish), that yu receive surce cde r can get it if yu want it, that yu can change the sftware r use pieces f it in new free prgrams; and that yu knw yu can d these things. T prtect yur rights, we need t make restrictins that frbid anyne t deny yu these rights r t ask yu t surrender the rights. These restrictins translate t certain respnsibilities fr yu if yu distribute cpies f the sftware, r if yu mdify it. Fr example, if yu distribute cpies f such a prgram, whether gratis r fr a fee, yu must give the recipients all the rights that yu have. Yu must make sure that they, t, receive r can get the surce cde. And yu must shw them these terms s they knw their rights. ViPNet Crdinatr HW/VA 3.3. Administratr's Guide 170

171 We prtect yur rights with tw steps: (1) cpyright the sftware, and (2) ffer yu this license which gives yu legal permissin t cpy, distribute and/r mdify the sftware. Als, fr each authr's prtectin and urs, we want t make certain that everyne understands that there is n warranty fr this free sftware. If the sftware is mdified by smene else and passed n, we want its recipients t knw that what they have is nt the riginal, s that any prblems intrduced by thers will nt reflect n the riginal authrs' reputatins. Finally, any free prgram is threatened cnstantly by sftware patents. We wish t avid the danger that redistributrs f a free prgram will individually btain patent licenses, in effect making the prgram prprietary. T prevent this, we have made it clear that any patent must be licensed fr everyne's free use r nt licensed at all. The precise terms and cnditins fr cpying, distributin and mdificatin fllw. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies t any prgram r ther wrk which cntains a ntice placed by the cpyright hlder saying it may be distributed under the terms f this General Public License. The Prgram, belw, refers t any such prgram r wrk, and a wrk based n the Prgram means either the Prgram r any derivative wrk under cpyright law: that is t say, a wrk cntaining the Prgram r a prtin f it, either verbatim r with mdificatins and/r translated int anther language. (Hereinafter, translatin is included withut limitatin in the term mdificatin.) Each licensee is addressed as yu. Activities ther than cpying, distributin and mdificatin are nt cvered by this License; they are utside its scpe. The act f running the Prgram is nt restricted, and the utput frm the Prgram is cvered nly if its cntents cnstitute a wrk based n the Prgram (independent f having been made by running the Prgram). Whether that is true depends n what the Prgram des. 1. 
Yu may cpy and distribute verbatim cpies f the Prgram's surce cde as yu receive it, in any medium, prvided that yu cnspicuusly and apprpriately publish n each cpy an apprpriate cpyright ntice and disclaimer f warranty; keep intact all the ntices that refer t this License and t the absence f any warranty; and give any ther recipients f the Prgram a cpy f this License alng with the Prgram. Yu may charge a fee fr the physical act f transferring a cpy, and yu may at yur ptin ffer warranty prtectin in exchange fr a fee. 2. Yu may mdify yur cpy r cpies f the Prgram r any prtin f it, thus frming a wrk based n the Prgram, and cpy and distribute such mdificatins r wrk under the terms f Sectin 1 abve, prvided that yu als meet all f these cnditins: ViPNet Crdinatr HW/VA 3.3. Administratr's Guide 171

172 a) Yu must cause the mdified files t carry prminent ntices stating that yu changed the files and the date f any change. b) Yu must cause any wrk that yu distribute r publish, that in whle r in part cntains r is derived frm the Prgram r any part theref, t be licensed as a whle at n charge t all third parties under the terms f this License. c) If the mdified prgram nrmally reads cmmands interactively when run, yu must cause it, when started running fr such interactive use in the mst rdinary way, t print r display an annuncement including an apprpriate cpyright ntice and a ntice that there is n warranty (r else, saying that yu prvide a warranty) and that users may redistribute the prgram under these cnditins, and telling the user hw t view a cpy f this License. (Exceptin: if the Prgram itself is interactive but des nt nrmally print such an annuncement, yur wrk based n the Prgram is nt required t print an annuncement.) These requirements apply t the mdified wrk as a whle. If identifiable sectins f that wrk are nt derived frm the Prgram, and can be reasnably cnsidered independent and separate wrks in themselves, then this License, and its terms, dn't apply t thse sectins when yu distribute them as separate wrks. But when yu distribute the same sectins as part f a whle which is a wrk based n the Prgram, the distributin f the whle must be n the terms f this License, whse permissins fr ther licensees extend t the entire whle, and thus t each and every part regardless f wh wrte it. Thus, it is nt the intent f this sectin t claim rights r cntest yur rights t wrk written entirely by yu; rather, the intent is t exercise the right t cntrl the distributin f derivative r cllective wrks based n the Prgram. In additin, mere aggregatin f anther wrk nt based n the Prgram with the Prgram (r with a wrk based n the Prgram) n a vlume f a strage r distributin medium des nt bring the ther wrk under the scpe f this License. 3. 
Yu may cpy and distribute the Prgram (r a wrk based n it, under Sectin 2) in bject cde r executable frm under the terms f Sectins 1 and 2 abve prvided that yu als d ne f the fllwing: a) Accmpany it with the cmplete crrespnding machine-readable surce cde, which must be distributed under the terms f Sectins 1 and 2 abve n a medium custmarily used fr sftware interchange; r, b) Accmpany it with a written ffer, valid fr at least three years, t give any third party, fr a charge n mre than yur cst f physically perfrming surce distributin, a cmplete machine-readable cpy f the crrespnding surce cde, t be distributed under the terms f Sectins 1 and 2 abve n a medium custmarily used fr sftware interchange; r, ViPNet Crdinatr HW/VA 3.3. Administratr's Guide 172

173 c) Accmpany it with the infrmatin yu received as t the ffer t distribute crrespnding surce cde. (This alternative is allwed nly fr nncmmercial distributin and nly if yu received the prgram in bject cde r executable frm with such an ffer, in accrd with Subsectin b abve.) The surce cde fr a wrk means the preferred frm f the wrk fr making mdificatins t it. Fr an executable wrk, cmplete surce cde means all the surce cde fr all mdules it cntains, plus any assciated interface definitin files, plus the scripts used t cntrl cmpilatin and installatin f the executable. Hwever, as a special exceptin, the surce cde distributed need nt include anything that is nrmally distributed (in either surce r binary frm) with the majr cmpnents (cmpiler, kernel, and s n) f the perating system n which the executable runs, unless that cmpnent itself accmpanies the executable. If distributin f executable r bject cde is made by ffering access t cpy frm a designated place, then ffering equivalent access t cpy the surce cde frm the same place cunts as distributin f the surce cde, even thugh third parties are nt cmpelled t cpy the surce alng with the bject cde. 4. Yu may nt cpy, mdify, sublicense, r distribute the Prgram except as expressly prvided under this License. Any attempt therwise t cpy, mdify, sublicense r distribute the Prgram is vid, and will autmatically terminate yur rights under this License. Hwever, parties wh have received cpies, r rights, frm yu under this License will nt have their licenses terminated s lng as such parties remain in full cmpliance. 5. Yu are nt required t accept this License, since yu have nt signed it. Hwever, nthing else grants yu permissin t mdify r distribute the Prgram r its derivative wrks. These actins are prhibited by law if yu dn't accept this License. 
Therefre, by mdifying r distributing the Prgram (r any wrk based n the Prgram), yu indicate yur acceptance f this License t d s, and all its terms and cnditins fr cpying, distributing r mdifying the Prgram r wrks based n it. 6. Each time yu redistribute the Prgram (r any wrk based n the Prgram), the recipient autmatically receives a license frm the riginal licensr t cpy, distribute r mdify the Prgram subject t these terms and cnditins. Yu may nt impse any further restrictins n the recipients' exercise f the rights granted herein. Yu are nt respnsible fr enfrcing cmpliance by third parties t this License. 7. If, as a cnsequence f a curt judgment r allegatin f patent infringement r fr any ther reasn (nt limited t patent issues), cnditins are impsed n yu (whether by curt rder, agreement r therwise) that cntradict the cnditins f this License, they dn't excuse yu frm the cnditins f this License. If yu can't distribute s as t satisfy simultaneusly yur bligatins under this License and any ther pertinent bligatins, then as a cnsequence yu may nt distribute the Prgram at all. Fr example, if a patent license wuld nt permit ryaltyfree redistributin f the Prgram by all thse wh receive cpies directly r indirectly thrugh ViPNet Crdinatr HW/VA 3.3. Administratr's Guide 173

174 yu, then the nly way yu culd satisfy bth it and this License wuld be t refrain entirely frm distributin f the Prgram. If any prtin f this sectin is held invalid r unenfrceable under any particular circumstance, the balance f the sectin is intended t apply and the sectin as a whle is intended t apply in ther circumstances. It is nt the purpse f this sectin t induce yu t infringe any patents r ther prperty right claims r t cntest validity f any such claims; this sectin has the sle purpse f prtecting the integrity f the free sftware distributin system, which is implemented by public license practices. Many peple have made generus cntributins t the wide range f sftware distributed thrugh that system in reliance n cnsistent applicatin f that system; it is up t the authr/dnr t decide if he r she is willing t distribute sftware thrugh any ther system and a licensee can't impse that chice. This sectin is intended t make thrughly clear what is believed t be a cnsequence f the rest f this License. 8. If the distributin and/r use f the Prgram is restricted in certain cuntries either by patents r by cpyrighted interfaces, the riginal cpyright hlder wh places the Prgram under this License may add an explicit gegraphical distributin limitatin excluding thse cuntries, s that distributin is permitted nly in r amng cuntries nt thus excluded. In such case, this License incrprates the limitatin as if written in the bdy f this License. 9. The Free Sftware Fundatin may publish revised and/r new versins f the General Public License frm time t time. Such new versins will be similar in spirit t the present versin, but may differ in detail t address new prblems r cncerns. Each versin is given a distinguishing versin number. If the Prgram specifies a versin number f this License which applies t it and any later versin, yu have the ptin f fllwing the terms and cnditins either f that versin r f any later versin published by the Free Sftware Fundatin. 
If the Prgram des nt specify a versin number f this License, yu may chse any versin ever published by the Free Sftware Fundatin. 10. If yu wish t incrprate parts f the Prgram int ther free prgrams whse distributin cnditins are different, write t the authr t ask fr permissin. Fr sftware which is cpyrighted by the Free Sftware Fundatin, write t the Free Sftware Fundatin; we smetimes make exceptins fr this. Our decisin will be guided by the tw gals f preserving the free status f all derivatives f ur free sftware and f prmting the sharing and reuse f sftware generally. NO WARRANTY ViPNet Crdinatr HW/VA 3.3. Administratr's Guide 174

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the copyright line and a pointer to where the full notice is found.

one line to give the program's name and an idea of what it does.
Copyright (C) yyyy name of author

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA, USA.

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type 'show w'.
This is free software, and you are welcome to redistribute it under certain conditions; type 'show c' for details.

The hypothetical commands 'show w' and 'show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than 'show w' and 'show c'; they could even be mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a copyright disclaimer for the program, if necessary. Here is a sample; alter the names:

Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker.

signature of Ty Coon, 1 April 1989
Ty Coon, President of Vice

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License.

libxml2

Some files are: Copyright (C) 1998 Bjorn Reese and Daniel Stenberg.

Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THIS SOFTWARE IS PROVIDED ''AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE AUTHORS AND CONTRIBUTORS ACCEPT NO RESPONSIBILITY IN ANY CONCEIVABLE MANNER.

Some files are: Copyright (C) Daniel Veillard. All Rights Reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the Software), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE DANIEL VEILLARD BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Except as contained in this notice, the name of Daniel Veillard shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization from him.

Some files are: Copyright (C) 2000 Bjorn Reese and Daniel Veillard.

Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THIS SOFTWARE IS PROVIDED ''AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE AUTHORS AND CONTRIBUTORS ACCEPT NO RESPONSIBILITY IN ANY CONCEIVABLE MANNER.

Author: breese@users.sourceforge.net

Some files are: Copyright (C) 2000 Gary Pennington and Daniel Veillard.

Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THIS SOFTWARE IS PROVIDED ''AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE AUTHORS AND CONTRIBUTORS ACCEPT NO RESPONSIBILITY IN ANY CONCEIVABLE MANNER.

Author: Gary.Pennington@uk.sun.com

MD5

MD5.H Copyright (C) 1999, Aladdin Enterprises
MD5.H Copyright (C) 1990, RSA Data Security, Inc

License to copy and use this software is granted provided that it is identified as the RSA Data Security, Inc. MD5 Message-Digest Algorithm in all material mentioning or referencing this software or this function.

License is also granted to make and use derivative works provided that such works are identified as derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm in all material mentioning or referencing the derived work.

RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided as is without express or implied warranty of any kind.

These notices must be retained in any copies of any part of this documentation and/or software.

MD5-CC 1.02
Copyright (C) , RSA Data Security, Inc
Copyright (C) 1995, Mordechai T. Abzug

This software contains a C++/object oriented translation and modification of MD5 (version 1.02) by Mordechai T. Abzug. Translation and modification (c) 1995 by Mordechai T. Abzug

Copyright RSA Data Security, Inc.

The MD5 algorithm is defined in RFC. This implementation is derived from the reference C code in RFC 1321 which is covered by the following copyright statement:

Copyright (C) , RSA Data Security, Inc. Created All rights reserved.

License to copy and use this software is granted provided that it is identified as the RSA Data Security, Inc. MD5 Message-Digest Algorithm in all material mentioning or referencing this software or this function.

License is also granted to make and use derivative works provided that such works are identified as derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm in all material mentioning or referencing the derived work.

RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided as is without express or implied warranty of any kind.

These notices must be retained in any copies of any part of this documentation and/or software.

Nano

Copyright (C) Chris Allegretta

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Nano is licensed under the GNU General Public License version 2, which is often abbreviated as GPLv2.

GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin Street, Fifth Floor, Boston, MA, USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.

TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The Program, below, refers to any such program or work, and a work based on the Program means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term modification.) Each licensee is addressed as you.

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, don't apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you don't accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they don't excuse you from the conditions of this License. If you can't distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee can't impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and any later version, you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the copyright line and a pointer to where the full notice is found.

one line to give the program's name and an idea of what it does.
Copyright (C) yyyy name of author

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA, USA.

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type 'show w'.
This is free software, and you are welcome to redistribute it under certain conditions; type 'show c' for details.

The hypothetical commands 'show w' and 'show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than 'show w' and 'show c'; they could even be mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a copyright disclaimer for the program, if necessary. Here is a sample; alter the names:

Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker.

signature of Ty Coon, 1 April 1989
Ty Coon, President of Vice

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License.

STLport License Agreement

Boris Fomitchev grants Licensee a non-exclusive, non-transferable, royalty-free license to use STLport and its documentation without fee.

By downloading, using, or copying STLport or any portion thereof, Licensee agrees to abide by the intellectual property laws and all other applicable laws of the United States of America, and to all of the terms and conditions of this Agreement.

Licensee shall maintain the following copyright and permission notices on STLport sources and its documentation unchanged:

Copyright 1999,2000 Boris Fomitchev

This material is provided as is, with absolutely no warranty expressed or implied. Any use is at your own risk.

Permission to use or copy this software for any purpose is hereby granted without fee, provided the above notices are retained on all copies. Permission to modify the code and to distribute modified code is granted, provided the above notices are retained, and a notice that the code was modified is included with the above copyright notice.

The Licensee may distribute binaries compiled with STLport (whether original or modified) without any royalties or restrictions.

The Licensee may distribute original or modified STLport sources, provided that:

The conditions indicated in the above permission notice are met;

The following copyright notices are retained when present, and conditions provided in accompanying permission notices are met:

Copyright 1994 Hewlett-Packard Company
Copyright 1996,97 Silicon Graphics Computer Systems, Inc.
Copyright 1997 Moscow Center for SPARC Technology.

Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Hewlett-Packard Company makes no representations about the suitability of this software for any purpose. It is provided as is without express or implied warranty.

Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Silicon Graphics makes no representations about the suitability of this software for any purpose. It is provided as is without express or implied warranty.

Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Moscow Center for SPARC Technology makes no representations about the suitability of this software for any purpose. It is provided as is without express or implied warranty.

SQLite

SQLite Copyright

SQLite is in the Public Domain

All of the deliverable code in SQLite has been dedicated to the public domain by the authors. All code authors, and representatives of the companies they work for, have signed affidavits dedicating their contributions to the public domain and originals of those signed affidavits are stored in a firesafe at the main offices of Hwaci. Anyone is free to copy, modify, publish, use, compile, sell, or distribute the original SQLite code, either in source code form or as a compiled binary, for any purpose, commercial or non-commercial, and by any means.

The previous paragraph applies to the deliverable code in SQLite - those parts of the SQLite library that you actually bundle and ship with a larger application. Portions of the documentation and some code used as part of the build process might fall under other licenses. The details here are unclear. We don't worry about the licensing of the documentation and build code so much because none of these things are part of the core deliverable SQLite library.

All of the deliverable code in SQLite has been written from scratch. No code has been taken from other projects or from the open internet. Every line of code can be traced back to its original author, and all of those authors have public domain dedications on file. So the SQLite code base is clean and is uncontaminated with licensed code from other projects.

Obtaining An Explicit License To Use SQLite

Even though SQLite is in the public domain and does not require a license, some users want to obtain a license anyway. Some reasons for obtaining a license include:

You are using SQLite in a jurisdiction that does not recognize the public domain.
You are using SQLite in a jurisdiction that does not recognize the right of an author to dedicate their work to the public domain.
You want to hold a tangible legal document as evidence that you have the legal right to use and distribute SQLite.
Your legal department tells you that you have to purchase a license.

If you feel like you really have to purchase a license for SQLite, Hwaci, the company that employs the architect and principal developers of SQLite, will sell you one.

Contributed Code

In order to keep SQLite completely free and unencumbered by copyright, all new contributors to the SQLite code base are asked to dedicate their contributions to the public domain. If you want to send a patch or enhancement for possible inclusion in the SQLite source tree, please accompany the patch with the following statement:

The author or authors of this code dedicate any and all copyright interest in this code to the public domain. We make this dedication for the benefit of the public at large and to the detriment of our heirs and successors. We intend this dedication to be an overt act of relinquishment in perpetuity of all present and future rights to this code under copyright law.

We are not able to accept patches or changes to SQLite that are not accompanied by a statement such as the above.

In addition, if you make changes or enhancements as an employee, then a simple statement such as the above is insufficient. You must also send by surface mail a copyright release signed by a company officer. A signed original of the copyright release should be mailed to:

Hwaci
6200 Maple Cove Lane
Charlotte, NC USA

A template copyright release is available in PDF or HTML. You can use this release to make future changes.

Squid

Squid is copyrighted (C) 2001 by the Regents of the University of California, with all rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License (version 2) as published by the Free Software Foundation. It is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Squid is licensed under the GNU General Public License version 2, which is often abbreviated as GPLv2.

GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin Street, Fifth Floor, Boston, MA, USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.

TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, don't apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you don't accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they don't excuse you from the conditions of this License. If you can't distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee can't impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.

one line to give the program's name and an idea of what it does.
Copyright (C) yyyy name of author

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA, USA.

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type 'show w'.
This is free software, and you are welcome to redistribute it under certain conditions; type 'show c' for details.

The hypothetical commands 'show w' and 'show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than 'show w' and 'show c'; they could even be mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:

Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker.

signature of Ty Coon, 1 April 1989
Ty Coon, President of Vice

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License.

sysklogd

Copyright (c) 1995 Dr. G.W. Wettstein

This file is part of the sysklogd package, a kernel and system log daemon.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Sysklogd is licensed under the GNU General Public License version 2, which is often abbreviated as GPLv2.

GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin Street, Fifth Floor, Boston, MA, USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.

TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, don't apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you don't accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they don't excuse you from the conditions of this License. If you can't distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee can't impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.

one line to give the program's name and an idea of what it does.
Copyright (C) yyyy name of author

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA, USA.

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type 'show w'.
This is free software, and you are welcome to redistribute it under certain conditions; type 'show c' for details.

The hypothetical commands 'show w' and 'show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than 'show w' and 'show c'; they could even be mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:

Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker.

signature of Ty Coon, 1 April 1989
Ty Coon, President of Vice

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License.

UCD-SNMP License

Various copyrights apply to this package, listed in various separate parts below. Please make sure that you read all the parts.

Part 1: CMU/UCD copyright notice: (BSD like)

Copyright 1989, 1991, 1992 by Carnegie Mellon University
Derivative Work , Copyright 1996, The Regents of the University of California
All Rights Reserved

Permission to use, copy, modify and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU and The Regents of the University of California not be used in advertising or publicity pertaining to distribution of the software without specific written permission.

CMU AND THE REGENTS OF THE UNIVERSITY OF CALIFORNIA DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL CMU OR THE REGENTS OF THE UNIVERSITY OF CALIFORNIA BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM THE LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Part 2: Networks Associates Technology, Inc copyright notice (BSD)

Copyright (c) , Networks Associates Technology, Inc
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of the Networks Associates Technology, Inc nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Part 3: Cambridge Broadband Ltd. copyright notice (BSD)

Portions of this code are copyright (c) , Cambridge Broadband Ltd.
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* The name of Cambridge Broadband Ltd. may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Part 4: Sun Microsystems, Inc. copyright notice (BSD)

Copyright 2003 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved.

Use is subject to license terms below.

This distribution may include materials developed by third parties.

Sun, Sun Microsystems, the Sun logo and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of the Sun Microsystems, Inc. nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Part 5: Sparta, Inc copyright notice (BSD)

Copyright (c) , Sparta, Inc
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of Sparta, Inc nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Part 6: Cisco/BUPTNIC copyright notice (BSD)

Copyright (c) 2004, Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications.
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of Cisco, Inc, Beijing University of Posts and Telecommunications, nor the names of their contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Part 7: Fabasoft R&D Software GmbH & Co KG copyright notice (BSD)

Copyright (c) Fabasoft R&D Software GmbH & Co KG, 2003
oss@fabasoft.com
Author: Bernhard Penz

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* The name of Fabasoft R&D Software GmbH & Co KG or any of its subsidiaries, brand or product names may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Part 8: Apple Inc. copyright notice (BSD)

Copyright (c) 2007 Apple Inc. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of Apple Inc. (Apple) nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Part 9: ScienceLogic, LLC copyright notice (BSD)

Copyright (c) 2009, ScienceLogic, LLC
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of ScienceLogic, LLC nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Xerces-c

Copyright 2012 The Apache Software Foundation, Licensed under the Apache License, Version 2.0. Apache and the Apache feather logo are trademarks of The Apache Software Foundation.

Apache License, Version 2.0

Apache License
Version 2.0, January

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

License shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.

Licensor shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

Legal Entity shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, control means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

You (or Your) shall mean an individual or Legal Entity exercising permissions granted by this License.

Source form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.

Object form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

Work shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

Derivative Works shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

Contribution shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, submitted means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as Not a Contribution.

Contributor shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:
* You must give any other recipients of the Work or Derivative Works a copy of this License; and
* You must cause any modified files to carry prominent notices stating that You changed the files; and
* You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that don't pertain to any part of the Derivative Works; and
* If the Work includes a NOTICE text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that don't pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and don't modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices can't be construed as modifying the License.

You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an AS IS BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

APPENDIX: How to apply the Apache License to your work

To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets [] replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same printed page as the copyright notice for easier identification within third-party archives.

Copyright [yyyy] [name of copyright owner]

Licensed under the Apache License, Version 2.0 (the License); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an AS IS BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

zlib License

/* zlib.h -- interface of the 'zlib' general purpose compression library
version 1.2.6, January 29th, 2012

Copyright (C) Jean-loup Gailly and Mark Adler

This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.

Jean-loup Gailly
Mark Adler

C Version History

This chapter describes new functionality of the ViPNet Coordinator HW/VA software.

What's New in Version 3.2

This section contains a brief description of changes made to ViPNet Coordinator HW/VA 3.2 and its new features:

Failover system

On Coordinator VA platforms, you can deploy a cluster that will function as a standalone server on the network but will be more robust to failures. A failover cluster consists of two ViPNet Coordinator HW/VA appliances, which duplicate each other's functions. The cluster will operate as long as at least one of these hosts is working. Work with the failover system is described in detail in a separate document, ViPNet Coordinator HW/VA. Failover System, which is a part of the distribution kit (on page 16).

More stable access to a network resource by using alternate channels

You can provide your ViPNet Coordinator HW/VA with continuous access to a network resource (for example, to the Internet) by connecting to it via two channels. You can balance the traffic load between the two channels or enable the channel-switching mode, so that your traffic will be transferred via the other channel in case of a channel's failure.

Configuring ViPNet Coordinator HW/VA network parameters in the ViPNet Network Manager software

Now you can configure the network parameters of ViPNet Coordinator HW/VA in the ViPNet Network Manager software, including the settings of the network interfaces and routing.

Figure 52: Configuring network parameters in ViPNet Network Manager

3G/LTE modem configuration in the web interface

Now you can configure and enable a 3G/LTE modem connection via the appliance's web interface. The following 3G/LTE USB modems are supported: 3G Huawei K3772 (Vodafone), 3G Huawei E303 (Vodafone), LTE Huawei E398 (Deutsche Telekom Speedstick LTE III).

ViPNet Coordinator VA supports additional disk space

Now a virtual appliance can utilize an additional 80 GB disk. This allows the appliance to serve larger networks.

Firewall configuration is more flexible and simple