ViPNet Coordinator Monitor 4.3. Administrator's Guide



Infotecs Americas. All rights reserved. Version: ENU
This document is included in the software distribution kit and is subject to the same terms and conditions as the software itself. No part of this publication may be reproduced, published, stored in an electronic database, or transmitted, in any form or by any means electronic, mechanical, recording, or otherwise for any purpose, without the prior written consent of Infotecs Americas Inc.
ViPNet is a registered trademark of Infotecs Americas Inc., New York, USA. All brands and product names that are trademarks or registered trademarks are the property of their owners.
Global contacts page

Contents

Introduction: About This Document; Audience; Document Conventions; About ViPNet Coordinator Monitor; ViPNet Coordinator Purpose and Scope; ViPNet Coordinator Components; ViPNet Driver; ViPNet Monitor; ViPNet MFTP; ViPNet Application Control; ViPNet CSP; ViPNet Update System; What's New in Version; System Requirements; Distribution Kit; Feedback; Finding Additional Information; Contacting Infotecs; Errata

Chapter 1. General Information: Protected ViPNet Network; Principle of the ViPNet Driver Operation; ViPNet Coordinator's Features; IP Addresses Server; VPN Packets Router; Firewall; VPN Gateway; Transport Server; Open Internet Server; TCP Tunnel Usage Peculiarities

Chapter 2. Installing, Upgrading, and Uninstalling ViPNet Coordinator (page 35): ViPNet Coordinator Setup; Installing ViPNet Coordinator in the Silent Mode; Additional Setup Options in the Silent Mode; Upgrading ViPNet Coordinator; Receiving Upgrades from ViPNet Network Control Center or ViPNet Network Manager; Receiving Upgrades with Group Policies; Receiving Upgrades in Windows Update Center; Upgrading and Restoring Using the Setup File; Adding, Removing, and Repairing ViPNet Coordinator Components; Uninstalling ViPNet Coordinator; Moving a ViPNet Host to Another Computer

Chapter 3. Installing and Updating Keys and Host Links: Installing Keys and Host Links; Installing Keys and Host Links for One User; Installing Keys and Host Links for Several Users on One Host; Advanced Mode of Keys and Host Links Installation; Installing Keys and Host Links on a Host Where Several ViPNet Programs Are Installed; Installing Keys and Host Links in the Silent Mode; Recurrent Installation of Keys and Host Links after a Program Failure; Using Keys and Host Links Installed Previously; Updating Keys, Host Links, and Security Policies; Receiving Updates; Updating Keys and Host Links with a Key Set; Uninstalling Keys and Host Links; What Should I Do at Key Compromise?

Chapter 4. Getting Started with ViPNet Coordinator: Starting ViPNet Monitor; Starting ViPNet Coordinator on Terminal Servers in Console and Remote Sessions; User Logon Modes; Password Only; Password on Device; PIN and Device; Logging On As Another User; Finishing the Work with ViPNet Monitor; ViPNet Monitor Interface (page 72); Working with the List of ViPNet Hosts; Using ViPNet Monitor with Restricted Interface

Chapter 5. ViPNet Update System: About ViPNet Update System; Automatic Updating; Installing Updates Manually; Viewing the Installed Updates Log

Chapter 6. Connecting to a Protected ViPNet Network: ViPNet Network Connection Protocols; Principles of Establishing Connections on a ViPNet Network; Connecting without a Firewall; About Connecting without a Firewall; Configuring Connection without a Firewall; Connecting via a Coordinator; About Connecting via a Coordinator; Configuring a Connection; Connecting via a Firewall with Dynamic NAT; About Connecting via a Firewall with Dynamic Address Translation; Configuring a Connection; Connecting via a Firewall with Static NAT; About Connecting via a Firewall with Static NAT; Configuring a Connection; Using an External IP Address to Access a Host via a Firewall

Chapter 7. Configuring Access to the Hosts of Your ViPNet Network: Virtual IP Addresses; About Virtual IP Addresses; General Principles of Assigning Virtual IP Addresses; Configuring Access to ViPNet Hosts; Configuring Access to ViPNet Hosts Tunneled by Another Coordinator; Configuring Access IP Addresses Priority for a Coordinator; Configuring a TCP Tunnel; Using Aliases for ViPNet Hosts; Viewing Information about a ViPNet Host

Chapter 8. Configuring and Using DNS and WINS Services in ViPNet Networks: DNS and WINS Services; DNS; WINS; DNS and WINS Services in a ViPNet Network; Protected or Tunneled DNS or WINS Server; Usage Peculiarities; Configuration Best Practices; Unprotected DNS or WINS Server; Configuration Best Practices; Using a Protected DNS Server to Work with Corporate Resources Remotely; Automatic DNS (WINS) Servers Registration; Configuring a DNS or WINS Servers List Manually; Corporate DNS or WINS Server Is Installed Right on the ViPNet Host; Corporate DNS or WINS Server Is Tunneled by a Coordinator; An Example of the DNS.TXT File; Using DNS Servers on Domain Controllers

Chapter 9. Configuring the Integrated Firewall: General Principles of Traffic Filtering; Network Filters Overview; Using Object Groups; Built-in Object Groups; User-Defined Object Groups Set by Default; Creating and Editing Object Groups; Adding ViPNet Hosts; Adding IP Addresses and DNS Names; Adding Protocols; Adding Schedules; Object Groups Nesting; Creating Network Filters; Creating Private Network Filters; Creating Filters for Tunneled Hosts; Creating Forward Public Network Filters; Creating Local Public Network Filters; Restoring Pre-defined Filters and Object Groups; The Example of Object Groups and Network Filters Usage; Anti-spoofing; Blocking IP Traffic; Disabling Traffic Protection

Chapter 10. Application Protocols Processing: Application Protocols Overview; Application Protocols Description; Application Protocols Options

Chapter 11. Configuring Network Address Translation (NAT): Why Do You Need NAT?; NAT in the ViPNet Technology; Destination IP Address Translation; Source IP Address Translation; Creating Network Address Translation Rules

Chapter 12. Encrypting Traffic of Unprotected Hosts (Tunneling): Overview; How Tunneling Protects Traffic; Configuring Tunneling; Specifying Hosts to Be Tunneled; Settings Required on Tunneled Hosts; Configuring Access to Tunneled Hosts from an External Network

Chapter 13. Configuring the Open Internet Server: Open Internet Technology Overview; Configuring the Open Internet; Configuring the Coordinator Functioning as the Open Internet Server

Chapter 14. ViPNet Coordinator User Scenarios: Using a DHCP Server on a ViPNet Network; Variants of DHCP Server Deployment; Deploying a DHCP Server and Clients in Different Subnetworks; Deploying a DMZ; The Purpose of a DMZ; Configuring ViPNet Coordinator; Configuring Forward Filters; Configuring NAT Rules; Access Protocols and Ports for Various Server Types

Chapter 15. Integrated Communication Tools: Overview (Integrated Tools); Encrypted Instant Messaging; Interface of the Encrypted Instant Messaging Program; Sending Messages; Receiving Messages; Stop Exchanging Instant Messages; File Exchange; File Exchange Program Interface; Sending a File from the ViPNet Monitor Program; Sending a File from the Windows Context Menu; Files Exchange in the Instant Messaging Session; Receiving Files; External Programs; Viewing Web Resources of a ViPNet Host; Shared Host Resources Overview; Checking Connection to a ViPNet Host

Chapter 16. ViPNet Hosts Management: Working with the IP Packets Log; Configuring IP Packets Search Options; Viewing Search Results; Viewing the IP Packets Log in Your Web Browser or Microsoft Excel; Choosing IP Packets to View; Calculating Traffic Volume; Best Practices of Encrypted and Unencrypted Connections Analysis; Creating a Network Filter When Viewing the IP Packets Log; Viewing the IP Packets Log Archive; Viewing the IP Packets Log of Another Host; Configuring IP Packets Logging; Viewing IP Packets Filtering Statistics; Viewing Information about the Coordinator, Its Working Time, and the Number of Connections; Managing ViPNet Monitor Configurations; Scheduling Configuration Change; Starting a Remote Access Program; Installing Third-Party Software for Remote Management; Configuring a Terminal Server for Remote Management; Configuring Autologon for the Operating System and ViPNet Monitor; Configuring Autologon for the Windows OS; Working in the ViPNet Host Administrator Mode; ViPNet Monitor Advanced Settings; Restricting User Interface; Program Startup Options; Computer Locking Settings; Traffic Protection Options; Advanced Security Settings; Setting the User Logon Mode; Viewing the Event Log; Start and Abnormal Termination Options

Chapter 17. Security Service Settings: Changing a User Password; Setting a User-Defined Password; Setting a Random Password; Setting a Random Numeric Password; Configuring Encryption; Managing External Storage Devices; External Device Initialization; Changing a Device PIN; Configuring the ViPNet CSP Program

Chapter 18. Working with Certificates and Keys: Viewing Certificates in the Certificate Manager Window; Viewing Personal Certificates; Viewing Trusted Root Certificates; Viewing Issued Certificates; Viewing the Certification Path; Viewing Certificate Fields and Printing a Certificate; Managing Certificates; Installing Certificates in a Store; Installing Certificates in a Store Automatically; Installing Certificates in a Store Manually; Installing RSA Certificates; Choosing Certificates for Current Usage; Renewing a Private Key and a Certificate; Configuring Notification That a Private Key and a Certificate Have Expired; Procedure of Renewing a Private Key and a Certificate; Installing Certificates in Containers; Installing a Certificate Automatically; Installing a Certificate Manually; Working with Certificate Requests; Viewing a Certificate Request; Deleting a Certificate Request; Exporting a Certificate; Certificate Export Formats; Working with a Key Container; Changing the Container Password; Deleting a Password to a Key Container, If the Password Is Stored on a Computer; Verifying a Key Container; Installing a New Key Container and Changing the Key Container with the Current Certificate; Moving a Key Container

Appendix A. Troubleshooting: Collecting Information for Troubleshooting; Common Issues; Cannot Validate the Setup File's Signing Certificate; Cannot Install ViPNet Coordinator in the Silent Mode; Cannot Start the Program; Incorrect Password or User Keys Not Found; Cannot Log On with a Certificate; Cannot Save the Password; Cannot Connect to the Internet; Cannot Connect to a ViPNet Host; Cannot Address a Domain Host by Its DNS Name; Cannot Connect to an Unprotected Host on a Local Network; Cannot Establish Connection over the SSL Protocol; Cannot Establish Connection over the PPPoE Protocol; Traffic from Tunneled Hosts Can't Pass through a Coordinator; There Is a Host Registered on the Network with the Identifier that Coincides with Your Host's Identifier; Conflicting IP Addresses or DNS Names; Cannot Start the MSSQLSERVER Service; Cannot Change Settings of the ViPNet Monitor Program; Cannot Use a Hardware Random Numbers Generator; Failures in the Work of Third-Party Programs; Checking the Status of Accepted Updates; Unable to Apply the Software Update Received from the Network Control Center; Security Service Alerts; Password Expired; Current Certificate Is Invalid or Not Found; Current Private Key or the Corresponding Certificate Validity Period Is Going to Expire; Current Private Key Expired; Valid Certificate Revocation List Not Found; Certificate Issued on the Administrator's Initiative Has Been Installed

Appendix B. Keys and Certificates: Cryptography Overview; Symmetric Encryption; Asymmetric Encryption; Combining Symmetric and Asymmetric Encryption; Combining a Hash Function and an Asymmetric Algorithm of a Digital Signature; Public Key Certificates Overview; Definition and Scope; Structure; PKI in Public Key Cryptography; Encrypting Documents Using Certificates; Encrypting; Decrypting; Signing Digital Documents Using Certificates; Signing; Verifying a Digital Signature; Signing and Encrypting Digital Documents Using Certificates; Signing and Encrypting; Decrypting and Verifying; Keys in ViPNet Software; Symmetric Keys in ViPNet Software

Appendix C. Events Tracked by the ViPNet Software: Blocked IP Packets; Service Events and Allowed IP Packets Events

Appendix D. External Storage Devices: Overview; Supported External Storage Devices

Appendix E. Recommendations on Providing Compatibility of the ViPNet Coordinator Software with Third-Party Programs: Compatibility of the ViPNet Software and the Hyper-V Technology

Appendix F. Version History: What's New in Version; What's New in Version; What's New in Version; What's New in Version; What's New in Version; What's New in Version; What's New in Version; What's New in Version; What's New in Version; What's New in Version; What's New in Version

Appendix G. Glossary

Appendix H. Index

Introduction
About This Document 14
About ViPNet Coordinator Monitor 16
What's New in Version
System Requirements 20
Distribution Kit 21
Feedback 22

About This Document
This document describes the main ViPNet Coordinator component, namely ViPNet Monitor, its purpose and scope. It also contains information on how to configure and use the ViPNet Coordinator software.
Note: In this document, ViPNet Monitor functionality is described given that a user has maximum permissions. If any program features or settings are not available, contact your ViPNet network administrator.
Before you start reading this document, we recommend that you have a look at the ViPNet network deployment guide, which provides a general concept of networking based on the ViPNet technology, describes the purpose of all ViPNet host types, and contains recommendations on deploying a ViPNet network, together with a brief step-by-step deployment scenario.
Audience
This document is intended for system administrators who are responsible for installing, configuring, and using the ViPNet Coordinator software. It is supposed that the administrator is experienced in networking well enough to deploy a local network, to set up server operating systems, and to configure firewalls.
Document Conventions
This document uses the following conventions:
Table 1. Document conventions
Icon: Description
Warning: Indicates an obligatory action or information that may be critical for continuing user operations.
Note: Indicates a non-obligatory, but desirable action or information that may be helpful for users.
Tip: Contains additional information.

Table 2. Conventions for highlighted information
Icon: Description
Name: The name of an interface element. For instance, the name of a window, a box, a button, or a key.
Key+Key: Shortcut keys. To use the shortcut keys, press and hold the first key and press other keys.
Menu > Submenu > Command: A hierarchical sequence of elements. For instance, menu items or sections in the navigation pane.
Code: A file name, path, text file (code) fragment or a command executed from the command line.

About ViPNet Coordinator Monitor
ViPNet Coordinator Purpose and Scope
The ViPNet Coordinator software is intended for use in ViPNet networks managed with the ViPNet Administrator software or the ViPNet Network Manager program. ViPNet Coordinator is installed on the computers that function as servers on a protected ViPNet network (see ViPNet Coordinator's Features on page 27). ViPNet Coordinator functionality is comprised of its components' features.
ViPNet Coordinator Components
The ViPNet Coordinator software has the following components:
The ViPNet driver, which is a network protection kernel-level driver.
The ViPNet MFTP transport module.
The ViPNet Monitor program, which is a graphical interface for controlling the ViPNet driver, event logging, and working with a set of communication and other functions.
The ViPNet Application Control software (when used in ViPNet networks managed with ViPNet Administrator, if you have a license).
The cryptographic service provider ViPNet CSP.
ViPNet Update System.
Note: The ViPNet Coordinator software does not include the ViPNet Business Mail program.
ViPNet Driver
The ViPNet driver (see Principle of the ViPNet Driver Operation on page 25) is a network protection low-level driver that encrypts and filters the IP traffic. The ViPNet driver interacts directly with the drivers of your computer's network interfaces (either physical or emulated), which ensures that the ViPNet driver is completely independent of the operating system and its undocumented features. The ViPNet driver intercepts and controls the whole IP traffic, whether it is inbound or outbound.
One of the most important features of the ViPNet driver is its efficient control of IP traffic on the system startup. The Windows OS uses only one service at its startup. The ViPNet driver and encryption keys are initialized before you access the system, in other words, before other OS services and drivers are started. As a result, the ViPNet driver is the first to get control over the TCP/IP stack. By the moment the network adapters' drivers are initialized, the ViPNet driver is ready to encrypt and filter traffic. Thus, the ViPNet driver provides a secure connection to the domain controller and the control of applications' network activity, and blocks packets received from unprotected hosts. On the OS startup, the ViPNet Monitor software verifies its own checksums, warranting the integrity of the software, keys, host links and the list of applications that are allowed to access the network.
ViPNet Monitor
The main feature of the ViPNet Monitor program is configuring the ViPNet driver (see Principle of the ViPNet Driver Operation on page 25) parameters and logging events associated with traffic processing by the driver in the IP packets registration log. If you exit ViPNet Monitor, the ViPNet driver will continue protecting the IP traffic of the host, but in this case the information about IP packets processed by the ViPNet driver may fail to be saved to the IP packets registration log (the ViPNet driver can store no more than 10,000 log entries in its memory).
The ViPNet Monitor program:
Allows you to configure the parameters of the integrated firewall (see Configuring the Integrated Firewall on page 126).
Allows you to manage the parameters of processing the application protocols FTP, HTTP, SIP.
Provides a set of integrated features for protected exchange of messages, conferencing, file exchange, and more.
ViPNet MFTP
As a part of the ViPNet Coordinator software, the ViPNet MFTP transport module functions as the mail envelopes transport server, ensuring exchange of control packets, keys, and host links with ViPNet Administrator Network Control Center or ViPNet Network Manager. For more information about the transport module, see the document ViPNet MFTP. Administrator's Guide.
ViPNet Application Control
ViPNet Application Control is an optional component of the ViPNet Coordinator software. To control the network activity of applications on each host, you need to have a special entry in the ViPNet registration file. ViPNet Application Control allows you to:
Obtain information about all the applications attempting to access the Internet.
Limit, allow or block access to the Internet for an application.
View the events log to get information about applications' network activity.
For more information about the program, see the document ViPNet Application Control. User's Guide.

ViPNet CSP
The ViPNet CSP program is a cryptographic service provider calling cryptographic functions via the Microsoft CryptoAPI 2.0 interface. Thus cryptographic functions implemented in accordance with Russian standards can be used in different programs, for example, Microsoft Office. ViPNet CSP allows you to:
Create and verify a digital signature.
Encrypt the data including messages.
Perform authentication and protect connections over the TLS/SSL protocol.
Warning: When installing ViPNet CSP included in ViPNet Coordinator, the TLS/SSL support is disabled by default. To enable the TLS/SSL support, run the ViPNet CSP setup program and add the component TLS/SSL protocol support.
For more information about the ViPNet CSP cryptographic service provider, see the document ViPNet CSP. User's Guide.
ViPNet Update System
ViPNet Update System is responsible for receiving and installing software, keys, and host links updates in ViPNet Coordinator, as well as for updating security policies that were sent from ViPNet Policy Manager. For more information, see the section ViPNet Update System.

What's New in Version
This section contains a brief description of changes made in ViPNet Coordinator and its new features. For the history of changes made in previous versions, see Version History (on page 352).
RSA certificates
In version 4.3.1, you can install and use RSA certificates in ViPNet Coordinator.
Limited functionality of ViPNet CSP when using the default installation settings
When installing ViPNet CSP included in ViPNet Coordinator 4.3.1, the TLS/SSL support is disabled by default. You can enable the TLS/SSL support by running the ViPNet CSP installation file and adding the corresponding component.

System Requirements
The minimum system requirements for your computer to run ViPNet Coordinator are as follows:
Processor: Intel Core 2 Duo or any other x86-compatible processor of similar characteristics with two or more cores.
RAM: depends on the number of clients registered at the coordinator (see the table below):
Number of clients: RAM
Up to 1,000: Not less than 1 GB
Up to 5,000: Not less than 2 GB
Free disk space: 1 GB.
A network interface or a modem. The number of network interfaces required depends on the coordinator functionality requirements.
Operating system: Microsoft Windows XP (32 bit), Windows Server 2003 (32 bit), Windows Vista (32/64 bit), Windows Server 2008 (32/64 bit), Windows Server 2008 R2 (64 bit), Windows 7 (32/64 bit), Windows 8 (32/64 bit), Windows 8.1 (32/64 bit), Windows Server 2012 (64 bit), Windows Server 2012 R2 (64 bit). You must install the latest service pack for your version of Windows. If your operating system is other than Windows 8 or Windows Server 2012, the update rollup for time zones KB must be installed on your computer.
Internet Explorer 6.0 or later.
Note: No other firewalls or NAT devices should be installed on the computer that you plan to use as ViPNet Coordinator.

Distribution Kit
The ViPNet Coordinator distribution kit includes:
A program installation file.
Documentation in the PDF format:
ViPNet Coordinator Monitor. Administrator's Guide.
ViPNet Coordinator. Quick Start.
ViPNet MFTP. Administrator's Guide.
ViPNet Application Control. User's Guide.
ViPNet CSP. User's Guide.
ViPNet Network Deployment. Administrator's Guide.
ViPNet Permissions Classification. Supplement to ViPNet Documentation.
What's New in ViPNet Client and ViPNet Coordinator version 4.x. Supplement to ViPNet Documentation.
Glossary. Supplement to ViPNet Documentation.
ViPNet Client/Coordinator. Information about Third-Party Software Components.
ViPNet CSP. Information about Third-Party Software Components.

Feedback
Finding Additional Information
For more information about Infotecs products and technologies, see the following resources:
ViPNet documentation web portal
Information about current Infotecs products
Information about Infotecs solutions
Contacting Infotecs
We value any feedback from you. If you have any questions concerning Infotecs products and solutions, any suggestions, complaints or other feedback, feel free to contact us by means of the following:
Global contacts page
Telephone (Germany): +49 (0)
Telephone (USA): +1 (646)
Errata
Infotecs makes every effort to ensure that there are no errors or misprints in the text of all documents supplied with ViPNet software. However, no one is perfect, and mistakes do occur. If you find an error in one of our documents, like a spelling mistake or some inaccuracy in describing user scenarios or system features, we would be very grateful for your feedback. By sending in errata you may save other readers hours of frustration, and at the same time you will be helping us provide documentation of even higher quality.

Chapter 1. General Information
Protected ViPNet Network 24
Principle of the ViPNet Driver Operation 25
ViPNet Coordinator's Features 27

Protected ViPNet Network
The ViPNet software suites are universal tools for the deployment of virtual protected networks (VPNs) of any configuration. They ensure transparent communication between computers connected to a ViPNet network, regardless of the connection type and computer location. Advanced security is provided by the ViPNet software installed on each of the corporate network computers. After that, the data the network users exchange becomes inaccessible for other users not participating in this exchange. The information stored locally on ViPNet network computers is securely protected against unauthorized access both from corporate network computers and from computers outside the ViPNet network.
When you deploy a virtual ViPNet network, you install the following ViPNet software on computers (hosts): the ViPNet Client software is installed on computers that are called clients, and the ViPNet Coordinator software is installed on private network servers that are called coordinators. You install ViPNet Client to include separate computers in a VPN and ensure network protection on them. You install ViPNet Coordinator on computers on the edge of local area networks and LAN segments. ViPNet Coordinator ensures:
connecting unprotected and protected computers in LANs into a corporate network regardless of the host connection method and IP address type;
network segmentation;
notifying clients about the statuses of other ViPNet hosts they have links with.
You can manage your ViPNet network by means of the following software:
ViPNet Administrator software consisting of the following two components: Network Control Center and Key and Certification Authority. For more details, see the document ViPNet Network Deployment. Administrator's Guide.
ViPNet Network Manager program. For more details, see the document ViPNet VPN. User's Guide.

Principle of the ViPNet Driver Operation
The ViPNet driver is the core of the ViPNet software. Its main functions are filtering, encryption and decryption of incoming and outgoing IP packets.
Each outgoing IP packet is processed by the ViPNet driver in one of the following ways:
is encrypted and sent;
is sent as is (unencrypted);
is blocked (according to the network filters).
Each incoming IP packet is processed in one of the following ways:
is allowed (if the packet is unencrypted and the filters allow unencrypted traffic);
is decrypted (if the packet was encrypted);
is blocked (according to the network filters).
The ViPNet driver works between the data link and network layers of the OSI model, which allows processing IP packets before they reach the TCP/IP stack and, eventually, the application layer. Thus, the ViPNet driver protects IP traffic of all applications without affecting your usual workflow.
Figure 1. The ViPNet driver in the OSI model

Due to this approach, introduction of the ViPNet technology does not require any changes in well-established business processes, and the ViPNet network deployment costs are not high.
Note: For the sake of simplicity, in the figure above:
The transport and session layers are combined into the transport layer.
The application and presentation layers are combined into the application layer.
The figure below demonstrates how the ViPNet driver participates in processing a request for viewing a web page. The web page is hosted by an IIS server installed on computer B.
Figure 2. TCP/IP network protected with the ViPNet software
Computer A requests computer B to display the web page over the HTTP protocol. This request is transferred to lower layers of the TCP/IP stack, and service information is added to this request in each of the layers. Then the ViPNet driver on computer A receives the request and encrypts it by adding its own information to the request. The ViPNet driver on computer B receives the request and removes service information from it. Then the ViPNet driver decrypts the request and sends it to the application layer via the TCP/IP stack for processing.

ViPNet Coordinator's Features
On a ViPNet network, a coordinator functions as a VPN server. Depending on the tasks that should be performed on your corporate ViPNet network, on the network structure, and on other conditions, a ViPNet coordinator may perform one or several of the following functions:
A VPN server (see IP Addresses Server on page 27), which gathers ViPNet hosts' (see ViPNet host on page 387) status information and notifies its clients about other hosts' statuses and access parameters of other clients (also called an IP addresses server).
A VPN router (see VPN Packets Router on page 28), which ensures routing of unencrypted traffic passing through the coordinator to other protected hosts (so-called forward unencrypted traffic).
A stateful firewall (see Firewall on page 29), which tracks the state of network connections and is able to hold significant attributes of each connection in memory, from start to finish. It performs network address translation (NAT) for forward unencrypted traffic as well.
A VPN gateway (tunneling server) (see VPN Gateway on page 30). You can use a coordinator to ensure traffic encryption for unprotected hosts (see Unprotected host on page 386) within potentially insecure network segments.
A transport server (see Transport Server on page 31), which ensures the delivery of keys and host links updates created in ViPNet Administrator Network Control Center or ViPNet Network Manager to ViPNet hosts, as well as the possibility to send ViPNet software upgrades centrally from ViPNet Administrator Network Control Center or ViPNet Network Manager.
An Open Internet server (see Open Internet Server on page 32), which is used for establishment of secure connections between corporate network computers and the Internet.
The ViPNet Coordinator program may be installed on a host if, in ViPNet Administrator Network Control Center or ViPNet Network Manager, this host is registered as a coordinator and the VPN server role is assigned to it.
IP Addresses Server
When a host with the ViPNet Client (see Client (ViPNet client) on page 380) software installed connects to the protected network or changes its connection properties, it reports its status and connection parameters to the coordinator that functions as an IP addresses server for this client. In return, the IP addresses server informs the client about statuses and connection parameters of the ViPNet hosts this client is linked with. Thus, an IP addresses server performs the following tasks:
collects information about ViPNet hosts;
informs each client that uses this IP addresses server about access parameters of the ViPNet hosts this client is linked with.

Figure 3. A VPN server in a ViPNet network
In ViPNet Monitor, in the Private Network section, you may see the list of ViPNet hosts that have links with this client. A ViPNet client connected to the private network confirms its status by sending messages to its IP addresses server at certain time intervals (5 minutes by default). If the IP addresses server does not receive such messages, it changes the client's status to Unreachable.
Coordinators inform each other about their access parameters in the same manner. A coordinator periodically (every 15 minutes, by default) confirms its status to the other coordinators it has links with. Besides, coordinators that perform the IP addresses server function exchange information about their clients.
An IP addresses server functions as follows:
When your coordinator receives some new data about its client (a client that uses this coordinator as an IP addresses server), it forwards this data to its other clients and to the coordinators it is linked with.
When your coordinator receives new data about clients of other coordinators, it forwards this data to its clients that are connected with the other coordinators' clients.
If the IP addresses server does not receive any data about its client at the end of the polling period, it considers this client to be unreachable and sends this information to other hosts.
If a coordinator on your ViPNet network communicates with another ViPNet network, it informs the gateway coordinator of that network about the state of all your ViPNet hosts linked with the other network's hosts. The gateway coordinator receives this information and forwards it to all coordinators on that ViPNet network and to its clients that have links with your network's hosts.
In ViPNet Administrator Network Control Center or ViPNet Network Manager, every client is registered on a coordinator that functions as its transport server. By default, this coordinator also functions as the client's IP addresses server. You cannot change the IP addresses server for a client in ViPNet Monitor, but you may select any coordinator linked with this client to be used as its IP addresses server.
VPN Packets Router
A coordinator routes forward encrypted traffic, transferring it to other protected hosts. The routing is performed within a ViPNet network, as well as when interacting with other ViPNet networks.

Figure 4. A coordinator routing encrypted traffic on a ViPNet network
Encrypted traffic is routed based on the ViPNet host identifiers specified in the unencrypted part of IP packets, which is protected against falsification. The routing is performed over a proprietary protocol designed for secure dynamic routing of traffic.
Along with the routing, network address translation (NAT) (see Network addresses translation (NAT) on page 382) is performed for encrypted traffic. All forward encrypted packets that are received by a coordinator are sent to other hosts with the coordinator's IP address as their source IP address. NAT for encrypted traffic is performed automatically, according to parameters that you cannot change.
If a third-party device filtering and translating the passing traffic is deployed on the edge of a ViPNet network, the coordinator can function as a connection server. Clients establish communication with each other via a connection server only if they cannot establish a direct connection. You can specify different connection servers for different clients. By default, a client's connection server is the same as its IP addresses server.
Figure 5. Establishing connection between ViPNet hosts
Firewall
The coordinator can filter any IP packets on each network interface by addresses, protocols, and ports in accordance with the network filters (see General Principles of Traffic Filtering on page 127). With network filters, you can block unwanted connections as well as allow connections with unprotected hosts located outside of the ViPNet network.
Along with the user-defined network filters, ViPNet Monitor offers an anti-spoofing system (see Anti-spoofing on page 159). This system protects your computer from a common network attack.

Figure 6. A coordinator functioning as a firewall

A coordinator may be located on the edge of a local network and function as a firewall for protected and unprotected hosts, as well as translate network addresses for unencrypted traffic that passes through the coordinator. The NAT for unencrypted traffic feature allows you to configure rules for two main purposes:
- To connect a local network to the Internet when the number of local hosts is greater than the number of public IP addresses allocated by the Internet provider. NAT allows hosts that have private IP addresses to access the Internet using the coordinator's public IP address. This is possible due to source address translation.
- To provide public network hosts with access to private network hosts. As a result of using NAT, Internet users can access local network hosts by public IP addresses, even though private addresses are used in the local network. This is possible due to destination address translation.

For more details about NAT for unencrypted traffic, see Configuring Network Address Translation (NAT) (on page 169).

Note: NAT for encrypted traffic is performed automatically (see VPN Packets Router on page 28).

VPN Gateway

The VPN gateway feature allows you to include unprotected hosts in a protected ViPNet network without installing ViPNet software on those hosts. You can also protect connections with unprotected hosts when data is transferred via the Internet or other public networks. This is possible due to the tunneling technology (see Encrypting Traffic of Unprotected Hosts (Tunneling) on page 178). Tunneling consists in encrypting the unprotected hosts' traffic, which is carried out by the coordinator functioning as the host's VPN gateway. With tunneling, you can establish a protected connection between an unprotected host and a protected ViPNet host, or between two unprotected hosts that are tunneled by two different coordinators.

The tunneling technology allows you to protect the traffic between hosts on which you cannot install the ViPNet Client or ViPNet Coordinator software (for example, a server, a network printer, a network-attached storage, and so on). When tunneled, the unprotected host's traffic is protected in the following way:
- Unprotected IP packets are transferred from the tunneled host to a coordinator. On the coordinator, the IP packets are processed by network filters, encrypted, and transferred to the protected host to which these packets are addressed, or to a different coordinator.
- If a coordinator receives encrypted IP packets addressed to a tunneled host, these packets are processed by network filters, decrypted, and transferred to the destination host.

Figure 7. Tunneling on a ViPNet network

To enable the tunneling feature on a coordinator, the ViPNet network administrator, in ViPNet Administrator Network Control Center or ViPNet Network Manager, should set the maximum number of connections that may be tunneled by the coordinator at the same time. The IP addresses of tunneled hosts should also be specified in ViPNet Administrator Network Control Center or ViPNet Network Manager (see Configuring Tunneling on page 181).

Transport Server

In ViPNet Administrator Network Control Center or ViPNet Network Manager, every newly created host is assigned to some coordinator, and this coordinator becomes the client's transport server. A ViPNet host user cannot change the specified transport server to another one. A transport server ensures the delivery of control messages, key set updates, and software upgrades from ViPNet Administrator Network Control Center or ViPNet Network Manager to hosts, and the exchange of application and transport envelopes between hosts (see Transport envelope on page 386). Application and control envelopes are routed by the ViPNet MFTP transport module, which operates on the application layer. On a coordinator, the transport module receives envelopes from other ViPNet hosts and forwards them to the destination host.

Figure 8. A transport server on a ViPNet network

For more information about the transport module, see ViPNet MFTP. Administrator's Guide.

Open Internet Server

The Open Internet technology (see Configuring the Open Internet Server on page 186) allows you to configure access from protected hosts to the Internet and to ViPNet hosts separately. This makes access to the Internet as safe as possible without disconnecting a computer from its corporate network.

Figure 9. An Open Internet server on a ViPNet network

The clients linked to an Open Internet server can work only in one of two modes:
- Working on the Internet. The corporate protected network resources are inaccessible, though the computer is not physically disconnected from the network.
- Working on the local network. Access to the Internet is fully blocked, though the computer is not physically disconnected from the public network.

These two modes do not overlap, thus eliminating any real-time attacks on the corporate network computers via the computers accessing the Internet. If some malicious software gets onto a computer with access to the Internet, a special ViPNet software component that controls ViPNet applications (see ViPNet Application Control on page 17) will detect the malware and block its access to the corporate network.

To start using the Open Internet technology on a coordinator, in the ViPNet Network Control Center program, turn on the Open Internet server feature for this coordinator.

TCP Tunnel

On a coordinator, you can configure a TCP tunnel for communication between clients on external networks and other ViPNet clients in case the UDP protocol is blocked by the ISP when clients connect from external networks.

Figure 10. TCP tunnel

If a remote client cannot connect to other hosts over UDP and a TCP tunnel is configured on its connection server, it will establish connections to hosts over the TCP tunnel of the connection server. On the connection server, the received IP packets are retrieved from the TCP tunnel and transferred to the destination hosts over UDP.

Usage Peculiarities

Often you may need to access a coordinator with a dynamic external access address (for example, a coordinator connected to the network via a DSL modem) from other ViPNet hosts. You can solve this task by publishing this address on a public DNS server deployed on the Internet and specifying the coordinator's DNS name in the ViPNet Monitor program on the other ViPNet hosts. On a corporate network, you may need to use a public DNS server in other cases, too.

Public DNS servers may be exposed to various network attacks in which the IP address of the destination network host is substituted ("spoofed") so that the source protected host addresses the attacker's computer. If such an attack is successful, the network host that addresses the protected host by its DNS name establishes an unencrypted connection to the attacking computer, because the attacker's computer IP address is unknown to the ViPNet driver. As a result, the malicious user may obtain confidential information from the protected computer.

Figure 11. Attacking an unprotected DNS server

To prevent such attacks, on your ViPNet host, in the ViPNet Monitor settings, specify DNS names for all protected application servers that are registered on the public DNS server and accessible from your ViPNet host (see Configuring Access to ViPNet Hosts on page 102). Attacks are then prevented as follows: the ViPNet driver addresses the server by a DNS name, and the address in the DNS response may be spoofed by the malicious user; but when the ViPNet driver receives the response to the DNS request, it substitutes the address with the host's visibility IP address (real or virtual) that corresponds to the DNS name you specified in ViPNet Monitor.

2 Installing, Upgrading, and Uninstalling ViPNet Coordinator

ViPNet Coordinator Setup 36
Installing ViPNet Coordinator in the Silent Mode 38
Upgrading ViPNet Coordinator 40
Adding, Removing, and Repairing ViPNet Coordinator Components 43
Uninstalling ViPNet Coordinator 45
Moving a ViPNet Host to Another Computer 46

ViPNet Coordinator Setup

Warning: Before installing the ViPNet Coordinator software, make sure that no third-party firewalls or applications performing network address translation (NAT) are installed on your computer. Using ViPNet Coordinator and another firewall simultaneously may lead to conflicts between the programs and problems with network access.

Before you install ViPNet Coordinator, make sure that the network settings on your computer are standard and that the time zone, date, and time are specified correctly. You must have Windows OS administrator rights to install the program.

To install ViPNet Coordinator, you need:
- The setup file.
- A key set for the host (a *.dst file) (see Key set on page 382). If several users are going to work on the host, an individual key set is required for each user.
- The ViPNet host user password or an external storage device (see External Storage Devices on page 347).

The ViPNet network administrator provides you with the key set and user password (or an external device).

To install the ViPNet Coordinator software:
1 Click the setup file. Wait until the preparation for installation is finished.
Note: After you start the setup program, you may be warned that the setup file's signing certificate cannot be verified. In this case, see Cannot Validate the Setup File's Signing Certificate (on page 303).
2 Read the terms and conditions of the license agreement. If you accept the terms and conditions, select the corresponding check box. Then click Continue.
3 If you want the computer to be restarted automatically after the software is installed, select the corresponding check box.
4 If you want to adjust the installation parameters, click Customize and specify:
- The ViPNet Coordinator components you are going to install.
- The path to the ViPNet Coordinator components installation folder.
- The user name and organization.
- The name of the ViPNet Coordinator folder on the Start menu.

To start the ViPNet Coordinator installation, click Install now.
Note: You can install ViPNet Coordinator in the silent mode (see Installing ViPNet Coordinator in the Silent Mode on page 38). In this mode, the installation process will not be displayed on the screen.
5 Depending on whether keys and host links were installed earlier on this computer, do one of the following:
- If no keys and host links have been installed, install them (see Installing Keys and Host Links on page 49).
- If ViPNet software has already been installed on this computer and keys and host links have been deployed for it, then, on ViPNet Monitor startup, specify the paths to the user keys and host keys folders (see Using Keys and Host Links Installed Previously on page 56).
Warning: In the latter case, we strongly recommend that you do not obtain a new key set from the ViPNet network administrator and do not install new keys for the ViPNet Coordinator software, because it may lead to ViPNet software malfunction.

At the first start of the ViPNet Monitor program, the standard Windows firewall will be disabled automatically. To eliminate possible conflicts, do not enable the Windows firewall while you are working with ViPNet Coordinator.

Installing ViPNet Coordinator in the Silent Mode

If you install ViPNet Coordinator in the silent mode, the user interface of the installation program is not displayed on the computer screen. You should use the Windows command line to start the installation and set the same parameters as those set by the user when installing the program in the regular mode. When you use the silent mode, you can install the program remotely or create a program that will call the Windows command line and automatically start the program installation with the preset parameters. For example, you may write a logon script that will start the program installation automatically at system startup. You may find information about writing logon scripts on the Microsoft web page.

To start the ViPNet Coordinator setup program in the silent mode, in the Windows command line, execute one of the following commands:
- <setup file name> /qn for silent mode installation without displaying the process on the screen;
- <setup file name> /qb for silent mode installation displaying the progress bar.

If necessary, you may specify additional ViPNet Coordinator setup options in the command line. After the installation process is started, you cannot change the setup parameters.

Note: Wait for several minutes after you start setup in the silent mode. If it seems that the installation has completed unsuccessfully (no shortcut appears on the desktop, the computer is not restarted), see Cannot Install ViPNet Coordinator in the Silent Mode (on page 303).

In the silent mode, ViPNet Coordinator is installed in the following folders:
- If you install ViPNet Coordinator on this computer for the first time, it is installed in:
  - The folder C:\Program Files\infotecs\ViPNet Coordinator for the 32-bit Windows OS.
  - The folder C:\Program Files (x86)\infotecs\vipnet Coordinator for the 64-bit Windows OS.
- The current installation folder, if ViPNet Coordinator has already been installed on this computer.
Additional Setup Options in the Silent Mode

If necessary, in the command line, specify additional setup options:
- If you want to install only some of the ViPNet Coordinator components, list them in the command line. To do this, use the following parameter:

ADDLOCAL="<list of the components>"
The ViPNet Coordinator components are as follows:
  - Core is the base software component.
  - Monitor is the ViPNet Monitor program.
  - RF is the ViPNet Application Control program. This component can be installed only if the ViPNet Monitor component is also installed.
Warning: The Core component is mandatory for the installation.
If you do not specify the software components using the ADDLOCAL parameter, all of them will be installed.
- If you want desktop shortcuts to be created for the installed components, set CREATESHORTCUT_DESKTOP="Yes"
- In the command line, you may also specify the computer restart options after the installation process is completed:
  - /forcerestart to force a computer restart after the installation has been completed (set by default in the silent mode);
  - /norestart to disable the forced computer restart after the installation.

Suppose you want to install ViPNet Coordinator in the silent mode under the following conditions: your computer must not restart after the installation, the ViPNet Application Control component must not be installed, and desktop shortcuts must be created for the installed components. To do this, execute the following command:
<setup file name> /qn /norestart ADDLOCAL="Core,Monitor" CREATESHORTCUT_DESKTOP="Yes"
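The PowerShell wrapper below is an added example and not part of this guide or of Infotecs' tooling. It builds the silent command line from the options documented above, but first checks the preconditions the guide states (administrator rights, no third-party firewall, a setup file whose signing certificate verifies) and validates the ADDLOCAL list against the documented component rules. The Security Center firewall query and the Windows Installer exit-code convention are assumptions.

```powershell
# Added example, not part of the ViPNet guide: silent installation wrapper built
# from the /qn, /norestart, /forcerestart, ADDLOCAL and CREATESHORTCUT_DESKTOP
# options documented above.
# Assumptions: the setup file is an Authenticode-signed executable and it follows
# the Windows Installer exit-code convention (0 = success, 3010 = restart needed).
param(
    [Parameter(Mandatory = $true)][string]$SetupFile,   # path to the ViPNet Coordinator setup file
    [string]$Components = 'Core,Monitor',              # Core is mandatory; RF requires Monitor
    [switch]$NoRestart                                 # pass /norestart instead of the default /forcerestart
)

$ErrorActionPreference = 'Stop'

# 0. The guide requires Windows administrator rights for the installation.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (administrator) PowerShell session.'
}

# 1. Refuse an installer whose signature does not verify. The interactive setup
#    may warn about an unverifiable signing certificate; in a silent install nobody
#    sees that warning, so fail closed instead of proceeding.
$sig = Get-AuthenticodeSignature -FilePath $SetupFile
if ($sig.Status -ne 'Valid') {
    throw "Refusing to install: signature status for '$SetupFile' is $($sig.Status)"
}
Write-Host "Setup file signed by: $($sig.SignerCertificate.Subject)"

# 2. The guide requires that no third-party firewall or NAT software be present.
#    On client Windows editions, registered firewall products are listed in the
#    Security Center WMI namespace (assumed check; the namespace is absent on
#    Server editions, in which case nothing is returned and the check passes).
$products   = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName FirewallProduct -ErrorAction SilentlyContinue
$thirdParty = @($products | Where-Object { $_.displayName -notmatch 'Windows' })
if ($thirdParty.Count -gt 0) {
    throw "Refusing to install: third-party firewall present: $($thirdParty.displayName -join ', ')"
}

# 3. Validate the component list against the rules documented above.
$known     = @('Core', 'Monitor', 'RF')
$requested = @($Components -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
$unknown   = @($requested | Where-Object { $known -notcontains $_ })
if ($unknown.Count -gt 0) { throw "Unknown component(s): $($unknown -join ', ')" }
if ($requested -notcontains 'Core') { throw 'Core is mandatory and must be listed in ADDLOCAL.' }
if ($requested -contains 'RF' -and $requested -notcontains 'Monitor') {
    throw 'RF (ViPNet Application Control) can only be installed together with Monitor.'
}

# 4. Build the documented command line, for example:
#    <setup> /qn /norestart ADDLOCAL="Core,Monitor" CREATESHORTCUT_DESKTOP="Yes"
$setupArgs = @('/qn', "ADDLOCAL=`"$($requested -join ',')`"", 'CREATESHORTCUT_DESKTOP="Yes"')
if ($NoRestart) { $setupArgs += '/norestart' } else { $setupArgs += '/forcerestart' }

Write-Host "Running: $SetupFile $($setupArgs -join ' ')"
$proc = Start-Process -FilePath $SetupFile -ArgumentList $setupArgs -Wait -PassThru

# 5. Interpret the exit code (Windows Installer convention, assumed for this setup file).
switch ($proc.ExitCode) {
    0       { Write-Host 'Installation finished successfully.' }
    3010    { Write-Host 'Installation finished; a restart is still required (/norestart was used).' }
    default { throw "Setup exited with code $($proc.ExitCode); see 'Cannot Install ViPNet Coordinator in the Silent Mode'." }
}
```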

Upgrading ViPNet Coordinator

If a new version of the ViPNet Coordinator software has been released, you can upgrade this software on your computer.

Warning: You can upgrade your software to the 4.x version only if you have version 3.2.x or later installed. If the version of your software is earlier, first upgrade it to version 3.2.x, and then to version 4.x. Otherwise, the upgrade to version 4.x will fail.

Before you start upgrading, exit the program. If you start upgrading while the program is running, the settings made before the upgrade may be missing in the new version. For example, private network settings may be unapplied.

Before the upgrade, your license is verified. If the upgrade version is later than the one permitted by your license, the software will not be upgraded. In this case, to restore the host's operability, uninstall the new software version and reinstall the version permitted by your license.

You can upgrade the software in several ways:
- You can accept the upgrade on your host that was sent centrally by the ViPNet network administrator using ViPNet Administrator Network Control Center or ViPNet Network Manager. Such upgrades are accepted automatically (see Receiving Upgrades from ViPNet Network Control Center or ViPNet Network Manager on page 40).
- You can upgrade ViPNet Coordinator by accepting a Windows group policy (see Receiving Upgrades with Group Policies on page 41) or by accepting updates in the Windows Update Center (see Receiving Upgrades in Windows Update Center on page 41). Such updates are sent centrally by the ViPNet network administrator using the Windows means of creating group policies.
- You can upgrade the program manually with a new setup file.

Note: On a computer running Windows XP or Windows Vista, after you start the upgrading process, you may be warned that the setup file's signing certificate cannot be verified. In this case, see Cannot Validate the Setup File's Signing Certificate (on page 303).
Receiving Upgrades from ViPNet Network Control Center or ViPNet Network Manager

If a ViPNet Coordinator upgrade was sent from ViPNet Administrator or ViPNet Network Manager, you may accept it on your ViPNet host in the ViPNet Update System (see About ViPNet Update System on page 78). Depending on the ViPNet Update System settings, you will receive ViPNet Coordinator upgrades automatically or you will be prompted to install the upgrades manually (see Installing Updates Manually on page 80).

Receiving Upgrades with Group Policies

The ViPNet network administrator can send the ViPNet Coordinator software upgrades to your network host as a group policy using the means of managing group policies. Such upgrades are installed together with group policies on your network and do not require any action from you. For information about group policies and how to use them, go to the Microsoft web page.

Receiving Upgrades in Windows Update Center

The ViPNet network administrator can send the ViPNet Coordinator upgrades to your network host using the means of managing updates (for example, Microsoft System Center Essentials). Such upgrades will be installed on your computer from the Windows Update Center.

Warning: During the upgrading process, it is verified whether the license allows you to install this upgrade. If the upgrade version is later than the one allowed by the license, the software will not be upgraded.

To install the received upgrades:
1 On the Start menu, choose All Programs > Windows Update.
2 In the Windows Update window, check for upgrades. If there are any upgrades, the Install Updates button will be available.
3 To upgrade ViPNet Coordinator, choose ViPNet Coordinator and ViPNet CSP for upgrading. Then click Install Updates.
4 Wait until the upgrading process is completed. If necessary, restart your computer.

Upgrading and Restoring Using the Setup File

Get the setup file of the new software version. Then:
1 Run the setup file. Wait until the preparation for the ViPNet Coordinator installation is finished.
2 In the ViPNet Update ViPNet Coordinator window, specify the upgrade options.

- If the version number of the ViPNet CSP program installed on your computer is the same as the version number specified in the setup file, the Restore ViPNet CSP check box will be displayed in this window. Select this check box if you want to reinstall ViPNet CSP during the upgrade.
Tip: If ViPNet CSP functions well on this computer, you may leave the check box clear. In this case, ViPNet Coordinator will be upgraded faster.
If the ViPNet CSP version running on the host is not the same as the version in the setup file, the check box will be unavailable and the ViPNet CSP program will be reinstalled automatically.
- If you want the computer to be restarted automatically after the ViPNet Coordinator upgrade, select the corresponding check box.
Figure 12. ViPNet Coordinator upgrade options
3 Click Start update.
4 If some ViPNet programs are still running, you may be notified that they cannot be upgraded. In this case, exit the ViPNet programs and continue.
5 Wait until the upgrade process is completed. If you have chosen to restart the computer automatically, your computer will be restarted after the upgrade is completed. Otherwise, in the last setup window, click Close and restart your computer manually.

Adding, Removing, and Repairing ViPNet Coordinator Components

If necessary, you can install or uninstall ViPNet Coordinator components or repair the software. To perform these operations, you need a ViPNet Coordinator setup file of the required version.

Note: If you uninstall any ViPNet Coordinator components, the user data (ViPNet keys and host links, settings, and other data) is saved and may be used after reinstallation of the software.

To add or remove a component or to repair ViPNet Coordinator, do the following:
1 Run the setup file. Wait until the preparation for the components' installation is finished.
2 In the Reinstall or remove your ViPNet software window, click the required option: to add or remove a component, click Add or remove components; to repair the software, click Reinstall.
Figure 13. Modifying installed components
Then, click Continue.
3 If you install or uninstall any ViPNet software components, make the necessary changes in the Choose components window. Then, click Continue.

4 Wait for the operation to be completed. Then, click Close.

Uninstalling ViPNet Coordinator

If necessary, you can uninstall the ViPNet Coordinator program and all its components from your computer. When you uninstall the ViPNet Coordinator program, you can save the data generated and used in your workflow: ViPNet keys and host links, program settings, and other data.

To delete ViPNet Coordinator from your computer:
1 Run the setup file. Wait until the preparation for uninstallation is finished.
2 On the components page, select Remove All Components. If you want the computer to be restarted automatically after the software is uninstalled, select the corresponding check box.
3 Click Continue.
4 Depending on whether you want to save the user data or not, select or clear the Delete all user data check box.
5 To continue, click Uninstall.
6 Wait until the software is uninstalled. If you have chosen to restart the computer automatically, your computer will be restarted after the software is uninstalled. If you have chosen not to restart the computer automatically, in the software uninstalling complete window, click Finish, and then restart the computer manually.

Tip: You can also completely uninstall ViPNet Coordinator by choosing Install ViPNet Coordinator in the Start menu or Start screen. The user data will be saved.

Moving a ViPNet Host to Another Computer

You can move a functioning host from one computer to another (for example, when replacing a computer with a new one) and save the current settings of the ViPNet Monitor software. To do that, you should copy the keys and host links and other data from the ViPNet Coordinator folder to your new computer. Backups of keys and host links will also allow you to restore the ViPNet host after you reinstall the operating system.

Warning: You cannot use the instructions in this section to move your ViPNet host from a 32-bit Windows OS to a 64-bit one and vice versa, because it may lead to ViPNet software malfunction. If you still need to, you can move your ViPNet host correctly only by installing the keys and host links on the new computer using the key set.

After moving the keys and host links, you should delete the original ones. You cannot install the same keys on several computers.

To move the keys and host links:
1 Copy the following folders and files from the ViPNet Coordinator installation folder to an external device or another safe location:
- \d_station;
- \databases;
- \Protocol (if you need to copy the protocols of protected instant messaging);
- \TaskDir (if you need to copy files received via File Exchange);
- the user keys folders, usually \user_aaaa (where AAAA is a hexadecimal identifier of a ViPNet user without the network number). In some cases, the ViPNet Coordinator installation folder may function as the user keys folder; then you should copy the \key_disk folder;
- \out;
- NMATRIX.DAT;
- NODEXXXX.MAP (where XXXX is a hexadecimal identifier of the ViPNet host without the network number);
- the AP*.TXT files: APAXXXX.TXT, APCXXXX.TXT, APIXXXX.TXT, APLXXXX.TXT, APNXXXX.CRC, APNXXXX.CRG, APNXXXX.TXT, APSXXXX.TXT, APUXXXX.TXT (where XXXX is a hexadecimal identifier of a ViPNet host without the network number);
- infotecs.re;

- iplir.cfg, iplirmain.cfg;
- ipliradr.d$;
- linkxxxx.txt, nodexxxx.tun (where XXXX is a hexadecimal identifier of a ViPNet host without the network number);
- mftp.ini.
Note: By default, ViPNet Coordinator is installed in the C:\Program Files\infotecs\ViPNet Coordinator folder on 32-bit Windows versions and in the C:\Program Files (x86)\infotecs\vipnet Coordinator folder on 64-bit versions. Some of the files and folders mentioned above may be missing from the ViPNet Coordinator program folder.
2 Before you move the keys and host links to a new computer, install ViPNet Coordinator on this computer, but do not install keys and host links.
3 When you move the copied keys and host links to a computer with ViPNet Coordinator, make sure that no keys and host links of any other host are installed on that computer. If the keys and host links of some other host are already installed, remove them as described in the Uninstalling Keys and Host Links (on page 60) section, or delete the following folders and files:
- The user keys folders \user_bbbb (where BBBB is a hexadecimal identifier of a ViPNet user without the network number).
- The files AP*.TXT, APNYYYY.CRC, APNYYYY.CRG (where YYYY is a hexadecimal identifier of a ViPNet host without the network number).
4 Store the keys and host links copied in step 1 in the new installation folder of ViPNet Coordinator (move and replace).
5 If necessary, in the mftp.ini file, replace the path to the old ViPNet Coordinator installation folder with the path to the new folder for all the parameters concerned.
6 Delete the certlist.sst file located in the \d_station\abn_aaaa subfolder (where AAAA is a hexadecimal identifier of a ViPNet user without the network number).
7 Start ViPNet Monitor. In the logon window, to the right of the Setup button, click and choose User Keys Folder. Specify the path to the user keys folder.
8 Log on to ViPNet Monitor.
9 Install the key container (see Installing a New Key Container and Changing the Key Container with the Current Certificate on page 299).
10 On the computer you moved the host from, delete the original keys and host links (see Uninstalling Keys and Host Links on page 60).
Now you can work with the ViPNet Coordinator software.
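The PowerShell script below is an added example, not a tool shipped with ViPNet: it copies the items listed in step 1 to a backup folder and, on the new computer, performs steps 3 to 6 of the procedure above. The wildcard patterns stand for the per-host (XXXX) and per-user (aaaa) names, the default installation folder is the 32-bit path from the note, and the access-control restriction on the backup folder is my addition, because the backup holds the host's key material.

```powershell
# Added example, not part of the ViPNet guide: back up and restore the keys, host
# links and other files from the "Moving a ViPNet Host to Another Computer" list.
# Assumptions: default 32-bit installation folder; wildcards stand for the
# hexadecimal host (XXXX) and user (aaaa) identifiers.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Backup', 'Restore')][string]$Mode,
    [Parameter(Mandatory = $true)][string]$BackupFolder,
    [string]$InstallFolder = 'C:\Program Files\infotecs\ViPNet Coordinator',
    [string]$OldInstallFolder = ''   # Restore only: the installation path recorded in mftp.ini on the old computer
)

$ErrorActionPreference = 'Stop'

# Items from step 1 of the procedure.
$Folders = @('d_station', 'databases', 'Protocol', 'TaskDir', 'user_*', 'key_disk', 'out')
$Files   = @('NMATRIX.DAT', 'NODE*.MAP', 'AP*.TXT', 'APN*.CRC', 'APN*.CRG', 'infotecs.re',
             'iplir.cfg', 'iplirmain.cfg', 'ipliradr.d$', 'link*.txt', 'node*.tun', 'mftp.ini')

function Backup-ViPNetHost {
    New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
    $missing = @()
    foreach ($pattern in ($Folders + $Files)) {
        $found = @(Get-ChildItem -Path $InstallFolder -Filter $pattern -Force -ErrorAction SilentlyContinue)
        if ($found.Count -eq 0) { $missing += $pattern; continue }   # the guide says some items may be absent
        foreach ($item in $found) {
            Copy-Item -Path $item.FullName -Destination $BackupFolder -Recurse -Force
        }
    }
    # Restrict the backup to the current account: it contains key material.
    icacls $BackupFolder /inheritance:r /grant:r "$($env:USERNAME):(OI)(CI)F" | Out-Null
    if ($missing.Count -gt 0) { Write-Host "Not found in $InstallFolder (may be normal): $($missing -join ', ')" }
    Write-Host "Backup written to $BackupFolder. Remember step 10: delete the originals once the move is done."
}

function Restore-ViPNetHost {
    # Step 3: refuse to mix in the keys and host links of some other host.
    $existing = @(Get-ChildItem -Path $InstallFolder -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'user_*' -or $_.Name -like 'AP*.TXT' -or $_.Name -like 'APN*.CR?' })
    if ($existing.Count -gt 0) {
        throw "Keys of another host are present in $InstallFolder ($($existing.Name -join ', ')); remove them first (see page 60)."
    }
    # Step 4: move and replace.
    Copy-Item -Path (Join-Path $BackupFolder '*') -Destination $InstallFolder -Recurse -Force
    # Step 5: point mftp.ini at the new installation folder (plain, case-sensitive string replacement).
    $ini = Join-Path $InstallFolder 'mftp.ini'
    if ($OldInstallFolder -and (Test-Path $ini) -and ($OldInstallFolder -ne $InstallFolder)) {
        $lines = Get-Content -Path $ini
        $lines | ForEach-Object { $_.Replace($OldInstallFolder, $InstallFolder) } | Set-Content -Path $ini
    }
    # Step 6: delete certlist.sst under d_station\abn_aaaa for every user present.
    $dStation = Join-Path $InstallFolder 'd_station'
    Get-ChildItem -Path $dStation -Directory -Filter 'abn_*' -ErrorAction SilentlyContinue |
        ForEach-Object { Remove-Item -Path (Join-Path $_.FullName 'certlist.sst') -Force -ErrorAction SilentlyContinue }
    Write-Host 'Restored. Continue with steps 7 to 10: set the User Keys Folder in ViPNet Monitor, log on,'
    Write-Host 'install the key container, then delete the original keys on the old computer.'
}

switch ($Mode) {
    'Backup'  { Backup-ViPNetHost }
    'Restore' { Restore-ViPNetHost }
}
```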

3 Installing and Updating Keys and Host Links

Installing Keys and Host Links 49
Using Keys and Host Links Installed Previously 56
Updating Keys, Host Links, and Security Policies 57
Uninstalling Keys and Host Links 60
What Should I Do at Key Compromise? 61

Installing Keys and Host Links

You should install keys and host links when you deploy ViPNet software on your network host, when you add new ViPNet users to your host, and in some other cases when the keys and host links installed on your host have been damaged or are outdated.

If you want to install keys and host links for the first time and for one user, follow the instructions in the section Installing Keys and Host Links for One User (on page 50). In the cases mentioned below, you should read the corresponding sections before installing keys and host links:
- If you want more than one user to work on a host, or you are going to add a new user to a host with users already working on it, see the section Installing Keys and Host Links for Several Users on One Host (on page 51).
- If you want to set folders for storing the keys and host links, see the section Advanced Mode of Keys and Host Links Installation (on page 52).
- If there are several ViPNet programs on a ViPNet host, but no keys and host links are installed for any of the programs, see the section Using Keys and Host Links Installed Previously (on page 56).
Note: If the host has keys and host links installed for any ViPNet program, follow the guidelines of the section Using Keys and Host Links Installed Previously (on page 56).
- If you want to install the keys by using the Windows command line, see the section Installing Keys and Host Links in the Silent Mode (on page 54).
- If the key set contains an RSA certificate, follow the instructions in the section Installing RSA Certificates (on page 278).
- If, due to a program or system failure, you cannot log on to the ViPNet Monitor program and as a result have to perform a recurrent installation of keys and host links, see the section Recurrent Installation of Keys and Host Links after a Program Failure (on page 55).

In a ViPNet network managed with the ViPNet Administrator software, a backup set of personal keys (on page 379) is transferred to each user in a key set.
The file containing a backup set of personal keys is AAAA.pk (where AAAA is a ViPNet user identifier). When keys and host links are installed, it is stored in the user keys folder (on page 386). For security purposes, after the first installation of keys and host links, we recommend that you move the backup set of personal keys from the user keys folder to an external storage device and keep it in a safe place with restricted access (for example, a safe). After you receive a backup set of personal keys, you are personally liable for its safety.

Warning: If someone got access to your backup set of personal keys, or you suppose it might have happened, follow the instructions in What Should I Do at Key Compromise? (on page 61).

Installing Keys and Host Links for One User

To install keys and host links:
1 Get a key set (on page 382) from the ViPNet network administrator.
2 Exit all the ViPNet Coordinator components (see Finishing the Work with ViPNet Monitor on page 71).
3 Start the key setup program in one of the following ways:
- Double-click the key set file.
- Start ViPNet Monitor. Then, in the logon window, to the right of the Setup button, click and, on the menu, click Install keys.
Figure 14. Keys installation
4 If there are ViPNet programs running on your computer, you will be prompted to exit them. Exit the programs and click Retry.
5 If, on the Specify a key set file page, the file location is not displayed, specify it by using the Browse button.
6 Make sure that you have chosen the key set intended for your host. The host and user names are displayed below the path to the key set. If necessary, specify another key set.

Figure 15. Choosing a key set file
By default, keys and host links are installed in the ViPNet Coordinator installation folder. If necessary, you can specify other folders for installing them (see Advanced Mode of Keys and Host Links Installation on page 52).
7 Click Install keys.
Note: The Install keys button may be disabled if more than one ViPNet program is installed on the host (see Installing Keys and Host Links on a Host Where Several ViPNet Programs Are Installed on page 54).
8 If the keys installation is completed successfully, the corresponding message will be displayed.
9 To view information about the keys installation, click the Details about actions made link. To finish the keys installation, click Close.
If the keys installation has failed, read the error message and contact the ViPNet network administrator.

Upon successful keys installation, you can start ViPNet Coordinator.

Installing Keys and Host Links for Several Users on One Host

If more than one user is going to work on a host, install keys for each user.

If some user already works on this ViPNet host and you want to add new users, you need to install the keys only for the new users.

Note: You cannot install the keys and host links for several users belonging to different ViPNet networks on one computer.

To install keys and host links for several users on one computer:
1 Get a key set for each new user from the ViPNet network administrator.
2 Install keys and host links (see Installing Keys and Host Links for One User on page 50) by using the key set of each new user, one by one.
As a result, in the logon window, in the list of users, you will find all the users whose keys and host links you have installed on this host.

Advanced Mode of Keys and Host Links Installation

By default, keys and host links are installed in the program installation folder. If necessary, you may install keys and host links in the advanced mode, which enables you to select the folders for installing them. You may need that in case:
- You want to store your keys and host links on a special removable drive for security reasons.
- You do not have rights to edit or save files in the folder C:\Program Files\ or C:\Program Files (x86)\ (including the program installation folder).

The folders you specify manually in the advanced mode should meet the following requirements:
- The folders do not contain the keys and host links of any other ViPNet program.
- You have the rights to edit and save files in these folders.
- Protection of the information contained in these folders is implemented in accordance with your company's security requirements.
- The ViPNet Coordinator software has constant access to these folders.

Warning: If you specify the folders incorrectly, the installation process may fail. We do not recommend that you use the advanced mode if you do not really need to.

To install keys in the advanced mode:
1 Get a new key set from the ViPNet network administrator.
2 Follow the instructions in the section Installing Keys and Host Links for One User (on page 50).

On the Specify a key set file page (see figure 15 on page 51), select the Advanced mode (for ViPNet administrators only) check box and click Next.

3 On the next page:

- In the Folder for ViPNet host keys box, specify the folder where the keys and host links of the ViPNet host will be installed.
- In the Folder for ViPNet user keys (see User keys folder on page 386) box, specify the folder where the keys and host links of the ViPNet user will be installed.

Figure 16. Specifying installation folders for ViPNet host keys and for user keys in the advanced mode

4 To start the installation, click Update keys.

5 If the keys installation has been completed successfully, the corresponding message will be displayed. To view information about the keys installation, click the Details about actions made link. To finish the keys installation, click Close. If the keys installation has failed, read the error message and contact the ViPNet network administrator.

6 At the first startup of ViPNet Coordinator, select the folders where you installed the host keys and the user keys. To do this:

- In the logon window, to the right of the Setup button, click the icon and choose ViPNet Host Keys Folder. In the Browse window, specify the path to the required folder.
- Again, to the right of the Setup button, click the icon and choose User Keys Folder. Specify the path to the user keys folder.

Installing Keys and Host Links on a Host Where Several ViPNet Programs Are Installed

If, apart from your ViPNet program, other ViPNet programs are also installed on the host, but keys and host links have not been installed for any of them, then you should choose the program whose installation folder will be used for storing keys and host links.

Warning: If keys and host links are already installed for some of the ViPNet programs on your host, do not install new keys and host links. In this case, follow the guidelines in the section Using Keys and Host Links Installed Previously (on page 56).

To install keys and host links:

1 Start installing keys and host links (see Installing Keys and Host Links for One User on page 50). After specifying the key set file, click Next.

2 In the ViPNet program selection window, select ViPNet Coordinator. As a result, the keys and host links will be installed in the ViPNet Coordinator installation folder.

Note: In the advanced mode of keys installation (see Advanced Mode of Keys and Host Links Installation on page 52), this window is not displayed.

3 If the keys installation has been completed successfully, the corresponding message will be displayed. To view information about the keys installation, click the Details about actions made link. To finish the keys installation, click Close. If the keys installation has failed, read the error message and contact the ViPNet network administrator.

4 At the first start of the other ViPNet programs installed on the host, when you are prompted to select the host keys folder, select the ViPNet Coordinator installation folder.

Upon successful keys installation, start the ViPNet Coordinator program.

Installing Keys and Host Links in the Silent Mode

If you install ViPNet Coordinator in the silent mode, the user interface of the installation program is not displayed on the computer screen. You may start the installation in this mode from the Windows Command Line.

The parameters that you normally set when installing the program in the regular mode (see Installing Keys and Host Links for One User on page 50) should be set on the Windows Command Line when installing in the silent mode. When you use the silent mode, you can install keys and host links remotely or create a program that will call the Windows Command Line and automatically start the keys and host links installation with the preset parameters.

For example, you may write a logon script that will start the keys and host links installation automatically at system startup. You may find information about writing logon scripts on the Microsoft web page.

To start the keys and host links setup program in the silent mode, on the Windows Command Line, execute the command:

keysetup <*.dst file> /td <path to the keys and host links folder> /term /check

For example:

"C:\Program Files (x86)\infotecs\vipnet Coordinator\keysetup" "C:\keys\abn_0002.dst" /td "C:\Program Files (x86)\infotecs\vipnet Coordinator" /term /check

Warning: You can specify only an existing folder as the keys and host links installation folder. If you specify a folder that does not exist, the keys will not be installed.

After the operation is successfully completed, start ViPNet Coordinator.

Tip: To learn more about the Windows Command Line options for keys and host links installation, execute the command:

keysetup /?

Recurrent Installation of Keys and Host Links after a Program Failure

It may happen that you cannot log on to the ViPNet Monitor program because of a system or software failure. In this case, you should contact technical support to restore access to the program. The ViPNet network administrator will provide you with a new key set, and you will need to install the new keys and host links.

Warning: We strongly recommend that you do not perform a recurrent keys installation unless it is really necessary, because it may lead to a failure of the connection between the hosts registered on the coordinator.

To perform a recurrent installation of keys and host links on a network host:

1 Get a new key set from the ViPNet network administrator.

2 Install keys and host links (see Installing Keys and Host Links for One User on page 50) with the use of this key set.

Using Keys and Host Links Installed Previously

When you install ViPNet Coordinator, there may be other ViPNet programs present on the computer that require keys and host links and the MFTP transport module for proper operation. In this case, in ViPNet Coordinator, specify the ViPNet host keys folder that is used by the previously installed programs.

Note: If no keys or host links are installed on your host for any ViPNet program, follow the instructions in Installing Keys and Host Links on a Host Where Several ViPNet Programs Are Installed (on page 54).

To specify a host keys folder for a ViPNet host:

1 Start ViPNet Monitor.

2 In the logon window, to the right of the Setup button, click the icon and choose ViPNet Host Keys Folder.

3 In the Browse window, specify the path to the required folder.

Note: By default, the ViPNet installation folder serves as the ViPNet host keys folder.

After you specify the network host keys folder, you can start working with ViPNet Coordinator.

Updating Keys, Host Links, and Security Policies

You should update the keys, host links, and security policies of a ViPNet host on a regular basis to keep the host working properly.

If a ViPNet network administrator modifies the network structure or edits certain ViPNet hosts' parameters, for example, creates new links between ViPNet hosts, then the keys and host links on the ViPNet hosts are automatically updated. Key and host links updates are created by the ViPNet network administrator in ViPNet Administrator or ViPNet Network Manager.

If your corporate security policy changes, you should renew the security policies in ViPNet Policy Manager and send the updates to the ViPNet hosts in your network. A security policy received by a managed ViPNet host from the ViPNet Policy Manager host defines the current security policy of the managed host. Network filters set on this host affect the current security policy, too (see Network Filters Overview on page 130). The current security policy for this host is applied to all users registered on the ViPNet host and to all ViPNet Monitor configurations. When you add new users or configurations on the host, the current policy is applied to them, too.

You can receive keys, host links, and security policies updates on a ViPNet host with ViPNet Update System (see About ViPNet Update System on page 78). If for any reason an update cannot be received via ViPNet Update System, you may install it manually with a key set (see Updating Keys and Host Links with a Key Set on page 57).

Receiving Updates

The ViPNet network administrator sends keys and host links updates to hosts from ViPNet Administrator or ViPNet Network Manager, while security policies updates are sent from ViPNet Policy Manager. You can receive keys, host links, and security policies updates on a ViPNet host with ViPNet Update System (see About ViPNet Update System on page 78). Depending on the ViPNet Update System settings, the received updates can be installed automatically or manually.

Updating Keys and Host Links with a Key Set

If for some reason a keys and host links update cannot be received via the network (see Receiving Updates on page 57), you can update them manually by using a key set. To do this:

1 Get a new key set from the ViPNet network administrator. Follow the instructions in the Installing Keys and Host Links for One User (on page 50) section by using the new key set.

When you specify the key set (see figure 15 on page 51), the key setup program automatically checks whether the previously installed keys correspond to the new ones (for example, whether these keys are intended for the same ViPNet host).

Warning: When keys are installed in the advanced mode (see Advanced Mode of Keys and Host Links Installation on page 52), this check is not performed.

2 To install keys and host links, click Install keys (see figure 15 on page 51). If the button is unavailable, inconsistencies between the current and the new keys have been detected. For more information on the inconsistencies, click Next. Depending on the inconsistency type, the corresponding message will be displayed:

- If the key set contains keys of another ViPNet host, or if the keys have a different format, and in some other cases, a message will be displayed providing details about the inconsistency.

Figure 17. Inconsistencies between the key set and the current keys on the host are detected

To refuse from installing the keys, click Cancel, and then, in the confirmation window, click Yes.

Warning: If you want to proceed with the installation, read the information about the possible consequences and contact your ViPNet network administrator. Before you proceed with the installation, we recommend that you close the key setup program and decrypt your Business Mail messages. Then, start the key setup program again.

To continue the installation, select the I have read and agreed to the consequences which this installation may result in check box and click Next.

- If the chosen key set cannot be installed (for example, if it is intended for another ViPNet program), an error message will be displayed and further installation will be impossible. Read the information about the inconsistency and click Close. If you cannot install the keys because of an inconsistency, contact your ViPNet network administrator.

3 Finish the installation process by following the instructions in Installing Keys and Host Links for One User (on page 50).

Upon successful keys updating, start the ViPNet software.

Uninstalling Keys and Host Links

You may need to remove old keys and host links when you move a ViPNet host to another computer (see Moving a ViPNet Host to Another Computer on page 46).

To uninstall keys and host links, finish working with ViPNet Monitor (see Finishing the Work with ViPNet Monitor on page 71) and then, on the Windows Command Line, execute the command:

keysetup /clean /td <keys and host links folder>

For example:

"C:\Program Files (x86)\infotecs\vipnet Coordinator\keysetup" /clean /td "C:\Program Files (x86)\infotecs\vipnet Coordinator"

As a result, all keys and host links will be removed from the specified folder.

If you want to uninstall the keys of a specific ViPNet user so that the other users can continue working on this ViPNet host, specify this user's keys folder. For example:

"C:\Program Files (x86)\infotecs\vipnet Coordinator\keysetup" /clean /td "C:\Program Files (x86)\infotecs\vipnet Coordinator\user_0003"
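The silent installation command (Installing Keys and Host Links in the Silent Mode) and the /clean removal command above are both plain keysetup invocations, and the guide warns that keysetup silently does nothing when the target folder does not exist. The following PowerShell script is an added example, not ViPNet's own tooling, that wraps both calls with the pre-flight checks an administrator would want before running them from a logon script: the key set file and target folder exist, the folder is writable, ViPNet Monitor is not running before a removal, and the exit code is logged. Only the switches shown on this page (/td, /term, /check, /clean) are used; the keysetup.exe location, the log path, the process name "monitor" and the convention that exit code 0 means success are assumptions and are marked as such in the code.

```powershell
# Added example (not from the ViPNet documentation): a wrapper around keysetup
# for unattended key installation and removal.
# Assumptions (not documented on this page): keysetup.exe location, log path,
# exit code 0 = success, and "monitor" as the ViPNet Monitor process name.

$KeySetupExe = 'C:\Program Files (x86)\infotecs\vipnet Coordinator\keysetup.exe'  # assumed location
$LogFile     = 'C:\ProgramData\ViPNet\keysetup-wrapper.log'                         # assumed log path

function Write-WrapperLog {
    param([string]$Message)
    New-Item -ItemType Directory -Force -Path (Split-Path $LogFile) | Out-Null
    $line = '{0:s} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

function Invoke-KeySetup {
    # Runs keysetup with the given arguments, waits for it and returns the exit code.
    param([string[]]$ArgumentList)
    if (-not (Test-Path -LiteralPath $KeySetupExe -PathType Leaf)) {
        throw "keysetup not found at '$KeySetupExe'"
    }
    Write-WrapperLog ('Running keysetup ' + ($ArgumentList -join ' '))
    $proc = Start-Process -FilePath $KeySetupExe -ArgumentList $ArgumentList -Wait -PassThru -NoNewWindow
    Write-WrapperLog "keysetup exited with code $($proc.ExitCode)"
    return $proc.ExitCode
}

function Install-ViPNetKeys {
    # Silent installation: keysetup <dst> /td <folder> /term /check
    param(
        [Parameter(Mandatory)][string]$KeySetFile,
        [Parameter(Mandatory)][string]$TargetFolder
    )
    # Pre-flight checks. The guide states that a non-existent target folder makes
    # the installation fail, so refuse early instead of discovering it afterwards.
    if (-not (Test-Path -LiteralPath $KeySetFile -PathType Leaf)) {
        throw "Key set file '$KeySetFile' does not exist"
    }
    if ([IO.Path]::GetExtension($KeySetFile) -ne '.dst') {
        throw "Key set file '$KeySetFile' is not a .dst file"
    }
    if (-not (Test-Path -LiteralPath $TargetFolder -PathType Container)) {
        throw "Target folder '$TargetFolder' does not exist; keysetup would not install the keys"
    }
    # The account running the script must be able to write to the keys folder
    # (one of the folder requirements listed in the advanced mode section).
    $probe = Join-Path $TargetFolder ('.write-probe-' + [guid]::NewGuid())
    try { New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null; Remove-Item $probe }
    catch { throw "No write access to '$TargetFolder'" }

    $argList = @("`"$KeySetFile`"", '/td', "`"$TargetFolder`"", '/term', '/check')
    $code = Invoke-KeySetup -ArgumentList $argList
    if ($code -ne 0) { throw "Key installation failed (exit code $code), see $LogFile" }
    Write-WrapperLog "Keys from '$KeySetFile' installed into '$TargetFolder'"
}

function Remove-ViPNetKeys {
    # Removal: keysetup /clean /td <folder>. Pass a user keys folder (for example
    # ...\user_0003) to remove one user's keys only, or the installation folder to
    # remove everything. ViPNet Monitor must be closed first, as the guide requires.
    param([Parameter(Mandatory)][string]$KeysFolder)
    if (-not (Test-Path -LiteralPath $KeysFolder -PathType Container)) {
        throw "Keys folder '$KeysFolder' does not exist"
    }
    if (Get-Process -Name 'monitor' -ErrorAction SilentlyContinue) {   # assumed process name
        throw 'Close ViPNet Monitor before removing keys'
    }
    $code = Invoke-KeySetup -ArgumentList @('/clean', '/td', "`"$KeysFolder`"")
    if ($code -ne 0) { throw "Key removal failed (exit code $code), see $LogFile" }
    Write-WrapperLog "Keys removed from '$KeysFolder'"
}

# Usage (the paths are constructed examples matching the ones used on this page):
# Install-ViPNetKeys -KeySetFile 'C:\keys\abn_0002.dst' -TargetFolder 'C:\Program Files (x86)\infotecs\vipnet Coordinator'
# Remove-ViPNetKeys  -KeysFolder 'C:\Program Files (x86)\infotecs\vipnet Coordinator\user_0003'
```

Because every run is written to the log with its arguments and exit code, a failed unattended installation on a remote host can be diagnosed without reproducing it interactively. Run the script under an account that has the rights to the keys folder, as the folder requirements above demand.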

What Should I Do at Key Compromise?

Key compromise is the loss of trust in the quality of information security provided by the keys you use (integrity, confidentiality, non-repudiation, and authenticity).

Key compromise can be explicit and implicit:

- Explicit key compromise is revealed while the key is valid.
- The fact of implicit compromise is not known to the users of the key. Implicit compromise is the most threatening.

The main events leading to key compromise are as follows:

1 A key set file might have become available to unauthorized persons.
2 An external device with user keys might have become available to unauthorized persons.
3 The user password or access to your computer might have become available to unauthorized persons.
4 Unauthorized persons might have gotten uncontrolled physical access to keys stored on the computer.
5 The ViPNet Monitor software is not installed on a computer connected to a network, or traffic protection is disabled. At the same time, there might be unauthorized persons in the local network, or there is no firewall on the edge of the local network, or the firewall is disabled.
6 An employee having access to the keys was fired.
7 An incoming document is signed by using a certificate specified in the CRL.
8 You do not know for sure what has happened to external devices containing keys (for example, a device with keys fails to work and it is possible that the device has been damaged by a malicious user).

A suspicion that there was an information leakage or that the information was modified requires an investigation of whether a compromise took place.

If any of the above-mentioned events took place:

- Stop working on your host and inform your ViPNet network administrator about the key compromise (or a supposed key compromise).
- If only the signature keys have been compromised, then stop using those keys for signing documents and inform your ViPNet network administrator about that.
- If you suppose that some unauthorized persons may know the ViPNet user password, but those persons do not have access to your computer, then change your password and continue working. If unauthorized persons can get access to your computer, then the keys are considered to be compromised.

In a ViPNet network managed with the ViPNet Administrator software, your keys can be updated remotely by using a backup set of personal keys. A backup set of personal keys file (AAAA.pk, where AAAA is a ViPNet user identifier) is included in a key set and is stored in the user keys folder (see Installing Keys and Host Links on page 49) when you install the keys. If your current personal key is compromised, the Key and Certification Authority administrator sends you the new keys, which are protected by using another variant of a personal key. The administrator does not need to transfer this personal key via the network because it is already included in the backup set of personal keys. If the backup set of personal keys is not found during updating, specify the path to this file. If the backup set of personal keys is missing or the password is incorrect, contact your Key and Certification Authority administrator to get a copy of the backup set of personal keys.

4 Getting Started with ViPNet Coordinator

Starting ViPNet Monitor 64
Finishing the Work with ViPNet Monitor 71
ViPNet Monitor Interface 72

Starting ViPNet Monitor

By default, the ViPNet driver activates traffic protection at Windows operating system startup.

Warning: Before the user logs on, the ViPNet driver works according to the default protected network filters and the public network filters used in the previous session.

Before Windows OS is completely loaded, the ViPNet Monitor logon window will be displayed. Log on to ViPNet Monitor by entering your password or with an authentication device (see User Logon Modes on page 66). To refuse from starting ViPNet Monitor, click Cancel. In this case, traffic protection will be disabled.

Note: To log on to ViPNet Monitor during Windows loading, you can use the on-screen keyboard. To do this, click the icon and, on the menu, click On-Screen Keyboard.

If you have closed the program (see Finishing the Work with ViPNet Monitor on page 71) or refused from authentication at Windows startup, then, to start ViPNet Monitor, you should:

1 Do one of the following:

- If you use Windows 7, Windows Server 2008 R2 or an earlier version of the Microsoft Windows operating system, on the Start menu, select All Programs > ViPNet > ViPNet Coordinator > Monitor.
- If you use the Windows 8 or Windows Server 2012 operating system, on the Start screen, open the Apps list and select ViPNet > Monitor.

Note: The program location on the Start menu might have been changed at installation.

- On the desktop, double-click the program shortcut (this shortcut is displayed only if the corresponding option has been selected during the installation).

The logon window will be displayed.

Figure 18. Logging on to the program

2 Choose the logon mode (see User Logon Modes on page 66) and, depending on your choice, type the user password or connect your external storage device and type the PIN. If several ViPNet Coordinator users work on your computer and you use a logon mode that requires a password, then, in the Name list, select your user name.

Figure 19. Choosing the user

After you enter all the required data, click OK. The main ViPNet Monitor window (see ViPNet Monitor Interface on page 72) will be displayed.

Starting ViPNet Coordinator on Terminal Servers in Console and Remote Sessions

Terminal servers (for example, Windows Server 2008) allow running several user sessions at once. For security and fail-safety purposes, ViPNet Monitor allows starting only one program instance. That is why a successful ViPNet Monitor start in one terminal session will automatically block its start in any other terminal session.

To start ViPNet Monitor in a remote session, make sure that remote program start is allowed:

1 Log on to the program in the administrator mode (see Working in the ViPNet Host Administrator Mode on page 247).

2 In the Administrator section, make sure that the Let Monitor start in remote session check box is selected.

User Logon Modes

There are three logon modes that you can use in ViPNet Monitor:

- Password only (on page 67). To log on to the program, type your user password. Each time you type the password, a password key is generated that is used to access your personal key.

- Password on device (on page 68). To log on to the program, connect your external storage device and type the PIN. As a rule, it is supposed that, if you use this logon mode, your password is stored on the device and you do not know it. However, if you do know your user password, you can also log on to the program in the Password only logon mode. Thus, in case your device breaks down, you still can log on to the program. If you do not know your password, you can ask your ViPNet network administrator for it.

Warning: The Password on device logon mode does not meet all security requirements and has been retained only to provide compatibility with earlier versions of ViPNet software. Due to this, if you upgraded ViPNet Coordinator to 4.x and this logon mode is used, we recommend that you change this logon mode to Password only or PIN and device.

- PIN and device. To log on to the program, connect your external storage device and type the PIN (and the password in some cases).

By default, the Password only logon mode is set. In the administrator mode, you can change the logon mode (see Setting the User Logon Mode on page 252).

If the Password on device or PIN and device logon mode is set, you should use an external storage device to log on (see Supported External Storage Devices on page 348). To use an external device for user authentication, install the drivers for the device on your computer and then write keys on this device. You can write keys on an external device when you change the logon mode or in the ViPNet Key and Certification Authority program when you create the key set (you cannot work with external storage devices in ViPNet Network Manager).

Warning: If you use the Password on device or PIN and device logon modes and your external device is disconnected, the computer will be blocked automatically according to the settings configured by the ViPNet host administrator (see ViPNet Monitor Advanced Settings on page 248). To continue working, you should connect this device.

In the scheme below, the relation between authentication factors and device types is shown.

Figure 20. The scheme of interdependence between authentication factors and logon modes

Password Only

To log on to the ViPNet Monitor program by using only a password, in the logon window, do the following:

1 In the Logon Mode list, select Password only.

Figure 21. Choosing the Password only logon mode

2 If necessary, in the Name list, choose your ViPNet user name.

Note: This list displays the names of all users that have their keys installed on the host (see Installing Keys and Host Links on page 49). If no keys have been installed on the host, the list will be empty.

3 In the Password box, type your password. If you need to save the password in the registry and the program settings (see Advanced Security Settings on page 251) allow it, select the corresponding check box.

4 Click OK.

Password on Device

Warning: To prevent failures in ViPNet software operation, do not use the Password on device logon mode. If you have used this logon mode, we recommend that you change it to Password only or PIN and device.

To log on to ViPNet Monitor with a password on a device, in the logon window, do the following:

1 In the Logon Mode list, select Password on device.

Figure 22. PIN and Device logon mode

2 Connect the device where your password is stored.

3 In the Device list, choose the required external device.

4 Type the PIN if necessary. Whether you need to type the PIN or not depends on the type of your external device (see figure 20 on page 67). To save the PIN, select the corresponding check box. As a result, you will not need to type the PIN every time you use the device.

5 Click OK.

PIN and Device

To log on to the ViPNet Monitor program using the device, in the logon window, do the following:

1 In the Logon Mode list, select PIN and device.

Figure 23. PIN and Device logon mode

2 Connect the external device.

3 If necessary, choose your user name from the list below and, in the Password box, type your password. Whether you need to type the password or not depends on the type of your external device (see figure 20 on page 67).

4 In the Choose device list, choose the external device where your personal key or the private key certificate is stored.

5 Type the PIN if necessary. Whether you need to type the PIN or not depends on the type of your external device. To save the PIN, select the corresponding check box. As a result, you will not need to type the PIN every time you use the device.

6 In the To authenticate use list, choose:

- Certificate if you want to log on using your certificate stored on your device. In the list of certificates found on your device, choose the required one. If you encounter any difficulties while using the certificate for authentication, see Cannot Log On with a Certificate (on page 304).

Note: The following requirements should be met if you want to log on using the certificate:

- Your external device should support the PKCS#11 standard.
- Your certificate conforms to the RSA standard.
- The certificate is valid (its validity period has not expired).
- The certificate has not been revoked.
- The certificate is intended for client authentication. The certificate's purpose is displayed in the Certificate window, on the Details tab, in the Enhanced Key Usage field.
- The issuer's certificate is installed in the system store Trusted Root Certification Authorities.
- The key container on the device contains the private key corresponding to the certificate.

- Personal key if you want to log on using your personal key included in the user keys and stored on your device.

7 Click OK.

Logging On As Another User

If several users are registered on a ViPNet host, you can change the user without exiting ViPNet Monitor. To do this:

1 On the main menu, select File > Change User. The logon window will be displayed.

2 Choose the logon mode (see User Logon Modes on page 66) and, depending on your choice, type the user password or connect your external storage device and type the PIN. If several ViPNet Coordinator users work on your computer and you use a logon mode that requires a password, then, in the Name list, select your user name.

Note: The keys and host links of the user (see Installing Keys and Host Links on page 49) whose credentials are used to log on to the program should be installed on the host.

3 Click OK.
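The certificate requirements listed in the note above (RSA key, validity period, not revoked, Client Authentication in Enhanced Key Usage, issuer in Trusted Root Certification Authorities, private key present) can be checked before attempting a certificate logon, which is faster than working backwards from a failed logon. The PowerShell function below is an added example, not part of the ViPNet documentation or software: it evaluates each certificate in the current user's Personal store against those requirements using the .NET X509 classes and reports every unmet one. It inspects the Windows certificate store, not the PKCS#11 device itself, so the PKCS#11 support requirement still has to be verified separately.

```powershell
# Added example (not from the ViPNet documentation): pre-flight check of a
# certificate against the logon requirements listed on this page.

function Test-ViPNetLogonCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $problems = New-Object System.Collections.Generic.List[string]
    $now = Get-Date

    # 1. The certificate must use an RSA key.
    $alg = $Certificate.PublicKey.Oid.FriendlyName
    if ($alg -ne 'RSA') {
        $problems.Add("public key algorithm is '$alg', not RSA")
    }

    # 2. The certificate must be within its validity period.
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems.Add("outside validity period ($($Certificate.NotBefore) to $($Certificate.NotAfter))")
    }

    # 3. Enhanced Key Usage must include Client Authentication (OID 1.3.6.1.5.5.7.3.2).
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $clientAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
    if (-not $clientAuth) {
        $problems.Add('Enhanced Key Usage does not include Client Authentication')
    }

    # 4. A private key must be associated with the certificate.
    if (-not $Certificate.HasPrivateKey) {
        $problems.Add('no private key is associated with the certificate')
    }

    # 5. The chain must end in a trusted root and no certificate in it may be
    #    revoked; revocation is checked online (CRL/OCSP, whichever is available).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if (-not $chain.Build($Certificate)) {
        foreach ($status in $chain.ChainStatus) {
            # Status values include UntrustedRoot, Revoked, NotTimeValid, RevocationStatusUnknown.
            $problems.Add("chain: $($status.Status) - $($status.StatusInformation.Trim())")
        }
    }

    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        Usable     = ($problems.Count -eq 0)
        Problems   = $problems.ToArray()
    }
}

# Evaluate every certificate in the current user's Personal store and show which
# ones would be rejected for logon and why.
Get-ChildItem -Path Cert:\CurrentUser\My |
    ForEach-Object { Test-ViPNetLogonCertificate -Certificate $_ } |
    Format-List Subject, Usable, Problems
```

A certificate whose chain reports RevocationStatusUnknown is not proven revoked, but it is also not proven valid; treat it as unusable until the CRL distribution point is reachable from the host, since the requirements above call for a positive "not revoked" result.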

Finishing the Work with ViPNet Monitor

There are several ways to finish the work with ViPNet Coordinator:

1 To minimize the main program window, do one of the following:

- Click Close at the top right corner of the window.
- Press Alt+F4.

To maximize the window, click the icon in the notification area.

2 To close the program, in the menu bar, click File > Exit or, in the notification area, right-click the ViPNet Client icon and, on the context menu, choose Exit. To confirm the operation, click Yes.

Note: After you finish working with ViPNet Coordinator, the ViPNet driver continues functioning. The ViPNet driver filters IP traffic according to the filters defined in the integrated firewall settings.

ViPNet Monitor Interface

The main ViPNet Monitor window is shown in the figure below:

Figure 24. The main window of ViPNet Coordinator Monitor

The following elements are marked with numbers in the figure:

1 The menu bar.

2 The toolbar. To show or hide the toolbar, on the View menu, click Toolbar. Also, you can add or remove toolbar buttons with the corresponding button. To change the order of the toolbar buttons, use drag-and-drop while pressing and holding Alt.

3 The navigation pane. Contains the list of sections where you can configure different program settings:

- The Private Network section (selected by default) contains the list of ViPNet hosts that were linked with the current host in ViPNet Administrator Network Control Center or ViPNet Network Manager. For more details, see Working with the List of ViPNet Hosts (on page 74).
- The Network Filters section. Contains subsections with IP traffic filters:

  - In the Private Network Filters subsection, you can configure filtering rules for encrypted traffic (see Creating Private Network Filters on page 147).
  - In the Tunneled Hosts Filters subsection, you can configure tunneled IP addresses and the corresponding filters (see Encrypting Traffic of Unprotected Hosts (Tunneling) on page 178).
  - In the Forward Public Network Filters subsection, you can configure forward unencrypted traffic filters (see Creating Forward Public Network Filters on page 151).
  - In the Local Public Network Filters subsection, you can configure local unencrypted traffic filters.
  - In the NAT subsection, you can configure translation rules for unprotected hosts' IP addresses (see Configuring Network Address Translation (NAT) on page 169).
- The Object Groups section contains lists of objects that may be used when creating network filters: ViPNet host groups, IP address groups, and others (see Using Object Groups on page 133).
- The Network Interfaces section contains a list of the network interfaces present on the host.
- Statistics and Event Logs. Contains subsections:
  - In the IP Packets Log section, you can search for entries in the IP packets log (see Working with the IP Packets Log on page 222).
  - In the Statistics section, you can view statistical information about IP packets filtering (see Viewing IP Packets Filtering Statistics on page 234).
- In the Configurations section, you can manage ViPNet Monitor configurations (see Managing ViPNet Monitor Configurations on page 236).
- The Administrator section is displayed only if you are logged on in the administrator mode. In this section, you can perform advanced configuration of the program (see Working in the ViPNet Host Administrator Mode on page 247).

Note: The number and order of sections displayed in the navigation pane depend on the permissions level defined for your host in ViPNet Administrator Network Control Center or ViPNet Network Manager (see Using ViPNet Monitor with Restricted Interface on page 75).

4 The view pane. Displays the section selected in the navigation pane (3).

5 The search box. It is displayed in the Private Network, Network Filters, and Object Groups sections. To search for information within a section, in the search box, type several characters of a host's IP address, name, or some other parameter. In the Private Network section, you can search by the following parameters:

- ViPNet host name (displayed in the Private Network section and in the ViPNet Host Properties dialog box, on the Common tab).
- Computer name (the ViPNet Host Properties dialog box, the Common tab).

- Host alias (the ViPNet Host Properties dialog box, the Common tab).
- Real or virtual IP addresses (the ViPNet Host Properties dialog box, the IP addresses tab, the IP addresses list).
- DNS name (the ViPNet Host Properties dialog box, the IP addresses tab, the DNS name list).
- Host ID (the ViPNet Host Properties dialog box, the Common tab).

To clear the search box, click Show all.

6 The status bar. Displays the number of your ViPNet network, the IP addresses assigned to the host, and the current configuration of the program. When you change network filters or object groups, the status bar displays a message that the network filters or object groups have been modified but the changes have not been applied yet.

7 To show or hide the status bar, on the View menu, click Status bar. The status bar is always displayed when network filters or object groups have been modified, even if you previously hid it.

Working with the List of ViPNet Hosts

The Private Network section (see ViPNet Monitor Interface on page 72) contains the list of ViPNet hosts linked with the current host in ViPNet Administrator Network Control Center or ViPNet Network Manager. The color of the host name and the icon next to it indicate the host type and its current status:

Table 3. ViPNet host status indication

Icon     | Host name color       | ViPNet host status
(image)  | Grey                  | The client is offline or its status is unknown
(image)  | Violet                | The client is online
(image)  | Grey or violet, bold  | A new client that has recently been linked with the current host
(image)  | Grey or violet, bold  | A new coordinator that has recently been linked with the current host
(image)  | Grey                  | The coordinator is offline or its status is unknown
(image)  | Violet                | The coordinator is online

Note: To configure the appearance of the Private Network section, in the main ViPNet Monitor window, on the Service menu, click Options and then go to the General section.

To view the list and search for ViPNet hosts more easily, you can group hosts in folders in the Private Network section:

- To create a new folder, in the main ViPNet Monitor window, in the navigation pane or in the view pane, right-click Private Network and, on the context menu, choose Create Folder. The new folder will appear in the navigation pane and in the Private Network section.
- To move hosts to a folder, in the Private Network section, select one or several hosts and drag them to the required folder.
- To rename a folder, right-click it and, on the context menu, select Rename.
- To delete folders:
  - Make sure that the folders you need to remove do not contain any hosts. Otherwise, move the hosts to other folders.
  - In the main ViPNet Monitor window, in the navigation pane or in the Private Network section, select one or several folders.
  - Press Delete or, on the context menu, click Delete.

To search for information within a section, in the search box (see ViPNet Monitor Interface on page 72), type several characters of a host IP address, name, or some other parameter.

To view a host's properties, double-click its name. The ViPNet Host Properties dialog box will be displayed, where you can view general information about the ViPNet host and configure access to the host (see Configuring Access to the Hosts of Your ViPNet Network on page 99).

To check the connection to another ViPNet host, to send a Business Mail or chat message to one or several hosts, or to use some other features integrated in ViPNet Monitor (see Integrated Communication Tools on page 201), do one of the following:

- In the ViPNet hosts list, select the required host and click the corresponding button on the toolbox.
- On the ViPNet host context menu, select the corresponding menu item.

Using ViPNet Monitor with Restricted Interface

The ViPNet network administrator can restrict the ViPNet Monitor program functionality and its settings on certain ViPNet hosts and set the user permissions level for each ViPNet host in ViPNet Administrator Network Control Center or ViPNet Network Manager. What is more, you can restrict the ViPNet Monitor interface (see ViPNet Monitor Advanced Settings on page 248) when logged on in the ViPNet host administrator mode.

User interface restriction means that certain user interface elements of the ViPNet Monitor program become unavailable, and most settings, network filters, and other parameters cannot be edited. When you log on as the ViPNet host administrator, all restrictions are removed.

In this document, ViPNet Monitor functionality is described given that a user has maximum permissions. If any program features or settings are not available, contact your ViPNet network administrator. For more information on user permissions, see the document ViPNet Authorities Classification. Supplement to ViPNet Documentation.

5 ViPNet Update System
About ViPNet Update System 78
Automatic Updating 79
Installing Updates Manually 80
Viewing the Installed Updates Log 82

About ViPNet Update System
ViPNet Update System helps you to receive and install updates of the following types:
ViPNet Coordinator upgrades from ViPNet Administrator or ViPNet Network Manager;
keys and host links updates from ViPNet Administrator or ViPNet Network Manager;
security policy updates from ViPNet Policy Manager.
You can choose to install the updates automatically or manually (see Installing Updates Manually on page 80). If you configure updates to be accepted and installed manually on a host, information about it is displayed in the notification area when updates are received on the host.
Figure 25. Displaying updates in the notification area
The ViPNet Update System icon in the notification area indicates one of the following states: there is no information on new updates; new updates have arrived; the updates have been successfully installed; the updates have been successfully installed and you need to restart your computer.
If you configure updates to be accepted and installed automatically, ViPNet Update System performs updating quietly, without notifications about updating. The ViPNet Update System icon will not be displayed in the notification area either.

Automatic Updating
If you want the updates to be installed automatically on your host, do the following:
1 Log on as an OS administrator. If you do not have the administrator rights, you cannot change the ViPNet Update System settings.
2 Do one of the following: If you use Windows 7, Windows Server 2008 R2 or an earlier version of the Microsoft Windows operating system, on the Start menu, click All Programs > ViPNet > ViPNet Update System. If you use Windows 8 or Windows Server 2012 operating system, on the Start screen, open the Apps list and choose ViPNet > ViPNet Update System.
3 In the displayed window, on the Options tab, select the Install updates automatically check box.
4 If you want the computer to be restarted automatically upon the updating, when necessary, then select the corresponding check box.
5 To save the rule, click OK.
Figure 26. Install updates automatically

Installing Updates Manually
If you need to install updates on your ViPNet host manually, you can disable autoupdating. To do this (see figure 26 on page 79):
1 Log on as an OS administrator. If you do not have the administrator rights, you cannot change the ViPNet Update System settings.
2 Do one of the following: If you use Windows 7, Windows Server 2008 R2 or an earlier version of the Microsoft Windows operating system, on the Start menu, choose All Programs > ViPNet > ViPNet Update System. If you use Windows 8 or Windows Server 2012 operating system, on the Start screen, open the Apps list and choose ViPNet > ViPNet Update System.
3 In the ViPNet Update System window, on the Options tab, clear the Install updates automatically check box.
4 If you want the computer to be restarted automatically upon the updating, when necessary, then select the corresponding check box.
5 To save your changes, click OK.
If autoupdating is disabled, then, after you receive updates, install them manually:
1 In the notification area, right-click the ViPNet Update System icon and, on the context menu, choose Available Updates.
2 In the displayed window, check the list of updates (the ones that will be installed have their check boxes selected). If you do not need an update, clear the associated check box.
Figure 27. Viewing the received updates
3 Click Install updates.
4 If any ViPNet programs are running on your computer, you will be prompted to exit them to continue the update process. Click Continue. The running ViPNet programs will be automatically closed, and the updating process will be continued. After you run the setup program, the ViPNet Monitor program is unloaded from the computer's memory and the updating process starts. In the notification area, the corresponding information is displayed.
Figure 28. Displaying the new updates installing in the notification area
Warning: Upgrading the software may take a long time. Do not disturb the process and do not restart the computer before the upgrading process is completed.
5 If necessary, after the upgrade is completed, restart your computer. The corresponding information is displayed in the notification area.

Viewing the Installed Updates Log
The installed updates are displayed in the update log. To view the update log, do the following:
1 Do one of the following: If you use Windows 7, Windows Server 2008 R2 or an earlier version of the Microsoft Windows operating system, on the Start menu, select All programs > ViPNet > ViPNet Update System. If you use Windows 8 or Windows Server 2012 operating system, on the Start screen, open the Apps list and select ViPNet > Update System.
2 Click the Update log tab.
Figure 29. Update log

6 Connecting to a Protected ViPNet Network
ViPNet Network Connection Protocols 84
Principles of Establishing Connections on a ViPNet Network 86
Connecting without a Firewall 89
Connecting via a Coordinator 91
Connecting via a Firewall with Dynamic NAT 93
Connecting via a Firewall with Static NAT 96

ViPNet Network Connection Protocols
ViPNet hosts can be located inside any network that supports the IP protocol. The means of connection can be different: Ethernet, PPPoE via xDSL, PPP via dial-up or ISDN, mobile access such as GPRS or UMTS, Wi-Fi devices, MPLS, or VLAN. The ViPNet software supports various protocols in the link layer.
IP protocols of three types (IP/241, UDP, and TCP) are used to create VPN tunnels between ViPNet hosts and encapsulate traffic transferred over other IP protocols.
The IP/241 protocol is used when ViPNet hosts communicate with each other in the same LAN segment and when these hosts are accessible by broadcast addresses. The IP/241 protocol is more efficient because it does not have an 8-byte UDP header. When the original packet is encrypted, it is encapsulated into an IP packet with the 241 protocol number.
Figure 30. ViPNet hosts are in the same LAN segment
If the ViPNet hosts are in different network segments, the UDP protocol is chosen automatically, which allows IP packets to pass through firewalls. Upon encryption, the original packet is encapsulated in a UDP packet.
Figure 31. ViPNet hosts connection with a firewall
If there is a NAT device on the IP packet's route, dynamic or static address translation rules should be configured on this device. These rules allow UDP traffic exchange with ViPNet hosts. If you configure static NAT rules, you should specify the ViPNet host's port. The default port is 55777, but you can specify any other port if necessary. If packets pass directly through a coordinator, the port number of the hosts located behind this coordinator is of no importance. As they pass through a coordinator, packets acquire the coordinator's IP address and port number.
In some cases your ISP may have blocked UDP traffic and the ViPNet hosts cannot communicate over the UDP protocol. For example, this may happen if you are connecting to a ViPNet VPN from a hotel or some other public place. Then you can redirect the whole IP traffic via a TCP tunnel, which has been configured on the connection coordinator of the host that initiates the connection. You may specify any port when configuring a TCP tunnel on a connection server. By default, port 443 is used.
Figure 32. ViPNet hosts connect via a firewall (translating TCP traffic)
On the connection server, the received IP packets are retrieved from the TCP tunnel and forwarded to the destination host over UDP.

Principles of Establishing Connections on a ViPNet Network
ViPNet clients can automatically establish connections to other ViPNet hosts over the shortest accessible routes. They use connection servers to establish communication. Clients receive information about other hosts, their access parameters, and status from their IP addresses servers (see IP address server on page 382). By default, the IP addresses server and connection server features are performed by one coordinator. If necessary, you can set another coordinator as the IP addresses server for your client. Clients detect connection parameters automatically by using connection servers. Each coordinator receives information about other hosts from the other coordinators it is linked with.
Coordinators may connect to an external network in one of the following ways:
Connecting to an external network directly (see Connecting without a Firewall on page 89). In this case, you need to disable the firewall.
Connecting a coordinator through another coordinator (see About Connecting via a Coordinator on page 91).
Connecting via a firewall with dynamic NAT (see About Connecting via a Firewall with Dynamic Address Translation on page 93).
Connecting via a firewall with static NAT (see About Connecting via a Firewall with Static NAT on page 96).
Tip: We recommend you to specify connection parameters for coordinators centrally in the ViPNet Administrator Network Control Center or ViPNet Network Manager program.
Client-to-client connections are established in the following way:
Before a client initiates a connection to another host, it should detect the access channel to its connection server. If the client communicates through a NAT device, it maintains the channel with the connection server by periodically sending IP packets to it. By default, IP packets are sent every 25 seconds. With most NAT devices, this is usually sufficient to stay connected to the connection server. If necessary, you can modify the frequency.
After the connection between the client and its connection server is established, the client initiates a connection to another host. It starts transferring test IP packets to the remote host via the connection server. At the same time, the client sends test IP packets to the connection server of the remote host and directly to the remote host. If the test IP packets are received on the remote host, the remote host registers the connection and begins to transfer response IP traffic directly. The client receives the response IP traffic from the remote host and begins to transfer its IP traffic to the remote host directly, too.
If the test IP packets pass only as far as the remote host's connection server, the connection server registers this connection and sends the response IP packets of the remote host to the client directly. In other words, the client establishes either a direct connection with the remote host, or a connection via the remote host's connection server. If the client receives no response IP packets from the remote host or its connection server, communication goes on through the client's connection server.
Figure 33. Communication between ViPNet hosts
Thus, the ability to communicate over the shortest routes without the coordinators' participation increases the encrypted IP traffic exchange rate and reduces the load on coordinators.
Note: The described workflow is applicable only if ViPNet software version not earlier than 4.2.x is installed on all hosts communicating with each other.
Moreover, ViPNet connections have the following peculiarities:
If routing is configured for hosts, then the connection between clients will be established in compliance with the routes through the gateways, but not coordinators.
If the remote host does not use a NAT device, the client's connection server remembers that the connection can be established directly. So, next time, if the remote host's location has not changed, test IP packets will not be sent, and the IP traffic exchange is performed directly at once.
If clients are located behind devices with dynamic NAT, they can communicate directly. This is possible due to the ability of connection servers to inform clients about the IP addresses and ports by which they can access other hosts via NAT devices. The servers detect this data from the IP packets received from clients. Taking this information into account, clients send test IP packets to each other using the registered IP addresses and ports. If at least one side receives the test IP packets, the clients begin to exchange all their traffic directly. In other words, a direct connection will be established if at least one NAT device allocates one port for a host each time this host sends IP packets to different IP addresses.
Direct communication between clients is impossible if their NAT devices allocate ports randomly each time IP packets are sent to new IP addresses. That is how the so-called symmetric NAT works. In this case, the connection between such clients will be established through one of their connection servers.
Direct connection to a remote client located behind a device with dynamic NAT is possible within 75 seconds (three timeouts or periods of IP packets sending) since the last connection was broken.
If a client is behind a static NAT device, you need to fix the required UDP packets encapsulation port in the program options. Otherwise, the port will be changed, preventing the client from connecting to other hosts.
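The path selection described in this section, modeled as an added Python example (not ViPNet code). The hosts, the NAT observations and the "cone"/"symmetric" labels are constructed for illustration; the 25-second keepalive and the 75-second window are the values given in the guide.

```python
"""Model of how a ViPNet client picks a path to a remote host.

Added example, not ViPNet code. It follows the rules of this section:
 - a client behind NAT keeps its mapping alive by sending packets every 25 s;
 - after a break, a dynamic-NAT mapping is assumed usable for 3 periods (75 s);
 - a NAT that reuses one external port for every destination lets test packets
   through; a symmetric NAT (a new port per destination) does not;
 - if at least one side receives the test packets, traffic goes direct;
   otherwise it goes via the remote host's connection server, and if that
   server cannot be reached, via the client's own connection server.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

KEEPALIVE_INTERVAL = 25                   # seconds, guide default
DIRECT_WINDOW = 3 * KEEPALIVE_INTERVAL    # 75 s after the last connection broke


@dataclass
class Mapping:
    """One observation a connection server made about a client behind NAT."""
    dst: Tuple[str, int]   # destination the client sent a packet to
    ext: Tuple[str, int]   # external address:port the NAT used for that packet


@dataclass
class Host:
    name: str
    behind_nat: bool = False
    server_reachable: bool = True      # its connection server has a public address
    mappings: List[Mapping] = field(default_factory=list)


def nat_type(host: Host) -> str:
    """Classify the NAT in front of a host from the connection servers' observations.

    Returns 'none' (public host), 'cone' (the NAT allocated the same external
    port for packets to different destinations), 'symmetric' (a new port per
    destination) or 'unknown' (fewer than two destinations observed so far).
    """
    if not host.behind_nat:
        return "none"
    port_by_dst = {m.dst: m.ext[1] for m in host.mappings}
    if len(port_by_dst) < 2:
        return "unknown"
    return "cone" if len(set(port_by_dst.values())) == 1 else "symmetric"


def directly_reachable(host: Host, seconds_since_break: float) -> bool:
    """Would test packets sent straight to this host be received?"""
    kind = nat_type(host)
    if kind == "none":
        return True                                   # public address
    if kind == "cone":
        return seconds_since_break <= DIRECT_WINDOW   # mapping still alive
    return False                                      # symmetric or not yet characterised


def connection_path(client: Host, remote: Host, seconds_since_break: float = 0.0) -> str:
    """Path the client ends up using for its encrypted traffic to `remote`."""
    if (directly_reachable(remote, seconds_since_break)
            or directly_reachable(client, seconds_since_break)):
        return "direct"
    if remote.server_reachable:
        return "via remote connection server"
    return "via client connection server"


# Constructed sample hosts; the addresses are documentation ranges, not real ones.
OFFICE = Host("office", behind_nat=False)
HOME = Host("home", behind_nat=True, mappings=[
    Mapping(dst=("198.51.100.10", 55777), ext=("203.0.113.7", 40001)),
    Mapping(dst=("198.51.100.20", 55777), ext=("203.0.113.7", 40001)),  # same port reused
])
HOTEL = Host("hotel", behind_nat=True, mappings=[
    Mapping(dst=("198.51.100.10", 55777), ext=("192.0.2.9", 51200)),
    Mapping(dst=("198.51.100.20", 55777), ext=("192.0.2.9", 51377)),    # new port per destination
])

if __name__ == "__main__":
    for a, b in [(HOME, HOTEL), (HOTEL, HOME), (HOTEL, OFFICE)]:
        print(f"{a.name} -> {b.name}: {connection_path(a, b)}")
    print(f"home -> hotel two minutes after a break: {connection_path(HOME, HOTEL, 120)}")
```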

Connecting without a Firewall
About Connecting without a Firewall
If none of the coordinator's interfaces is behind a NAT device, in other words, if the coordinator is accessible from the routed network, choose this connection type on the coordinator. If the coordinator must be accessible for hosts on external networks, one of its network interfaces must have a public IP address.
Figure 34. Connecting a coordinator without a firewall
Configuring Connection without a Firewall
To configure connection without a firewall:
1 In the main ViPNet Monitor window, on the Service menu, click Options.
2 In the Options dialog box, click Private Network.
Figure 35. Connecting a coordinator without a firewall
3 Clear the Use external firewall check box and then click OK.

Connecting via a Coordinator
About Connecting via a Coordinator
To protect the traffic of a particular LAN segment with a ViPNet coordinator installed on its edge, which functions as a firewall for the ViPNet clients of this local network, you can install a second ViPNet coordinator on the edge of such a segment.
Figure 36. Using a coordinator as a firewall
In this case, the coordinator (see the figure above) should be selected as a firewall for the coordinator. There should be no NAT devices between these two coordinators. This type of connection between coordinators is called a cascade connection. As a result, for these coordinators, encrypted traffic from the internal network segment will be routed automatically to both local and global networks.
Note: You may involve any number of coordinators in a cascade.
Configuring a Connection
To configure a coordinator's connection via another coordinator:
1 In the main ViPNet Monitor window, on the Service menu, click Options.
2 In the Options dialog box, select Private Network.
Figure 37. Connecting a coordinator through another coordinator
3 Select the Use external firewall check box.
4 In the Network adapter, behind which the firewall is located list, select the IP address of the network interface that is connected to the coordinator functioning as a firewall.
5 In the Firewall type list, select Coordinator.
6 In the Coordinator list, select the coordinator that will function as a firewall.
7 Click OK.

Connecting via a Firewall with Dynamic NAT
About Connecting via a Firewall with Dynamic Address Translation
If there is a firewall on the edge of the local network, and it is difficult to configure static translation rules on this firewall, you can protect IP traffic on the LAN, including connections initiated from external networks, by deploying a coordinator with the dynamic NAT firewall type. A coordinator with this connection type must have a connection server located in an external network. The connection server must be a ViPNet coordinator that is always accessible.
Figure 38. Connecting via a firewall with dynamic NAT
The connection server must be accessible from an external network by a public IP address. The local network coordinator and remote hosts will be connected through this coordinator until a direct connection is established.
Configuring a Connection
To connect via a firewall with dynamic NAT:
1 In the main ViPNet Client window, on the Service menu, click Options.
2 In the Options dialog box, in the navigation pane, click Private Network.
3 Select the Use external firewall check box.
4 In the Firewall type list, select With dynamic NAT.
Figure 39. Connecting a coordinator via a firewall with dynamic NAT
5 In the Coordinator to manage connections with external hosts list, select the inbound connections coordinator. This coordinator should be accessible either directly or through a firewall with static address translation.
6 To keep the connection active, the client periodically sends UDP packets to its inbound connections coordinator. By default, the sending interval is 25 seconds. If necessary, you can change this value in the Allowed time interval of IP traffic absence box. The poll period should not exceed the session timeout for the dynamic rule on the NAT device.
7 If you want all inbound and outbound traffic to be routed through the inbound connections coordinator, select the Direct all traffic with external hosts through the coordinator check box.
Note: If you select this check box, all the inbound and outbound traffic will be routed through the inbound connections coordinator. This can result in a substantial decrease of the data exchange rate.
8 To save the settings, click Apply.
If you work with a DSL modem and large packets cannot be transferred, you can decrease the maximum segment size (MSS) value in the Options window, in the Private Network > Additional parameters section.
Figure 40: Advanced options

Connecting via a Firewall with Static NAT
About Connecting via a Firewall with Static NAT
If there is a firewall performing static NAT on the edge of the local network, you should deploy a coordinator between this firewall and the hosts on the LAN. In this case, you should set the connection to be established via the firewall with static NAT. Use this coordinator as the connection server for the clients on the LAN.
Figure 41. Connecting a coordinator via a firewall with static NAT
Configuring a Connection
To ensure a correct connection with static NAT, the firewall address should be specified as the default gateway in the network settings of the operating system. On the firewall, you should configure the following static address translation rules:
Allow outgoing UDP packets from the coordinator to the external network.
Allow and forward incoming UDP packets with the destination port specified in your coordinator settings.
To configure the connection of a coordinator via a firewall with static NAT:
1 In the main ViPNet Monitor window, on the Service menu, click Options.
2 In the Options dialog box, select Private Network.
Figure 42. Connecting a client via a firewall with static NAT
3 Select the Use external firewall check box.
4 In the Network adapter, behind which the firewall is located list, select the IP address of the network interface that is connected to the firewall.
5 In the Firewall type list, select With static NAT.
6 If necessary, in the UDP packets encapsulation port box, change the port number value. By default, the port number is set. You should change the port number if you have several coordinators using the same firewall. Each of the coordinators should have its own port number.
7 If necessary, select the Use the following external IP address for access through the firewall check box and, in the External IP address list, select the required IP address. We recommend you to use this option only if the firewall has several external IP addresses assigned to it, and you need to route incoming packets through a certain address regardless of the source address (see Using an External IP Address to Access a Host via a Firewall on page 97).
8 To save the settings, click Apply.
Using an External IP Address to Access a Host via a Firewall
If an external IP address is not specified, it is defined according to the IP packet attributes; in other words, external hosts will send response IP packets to the IP address they have received the source packet from. If the Use the following external IP address for access through the firewall check box is selected, external hosts will send response packets to the address specified for this host, regardless of other parameters of the packet. In other words, the source IP address will be ignored and replaced with the fixed access IP address. You should manually configure NAT rules on your firewall to route response IP packets to their destination.
Warning: We recommend you to fix the external access IP address only if the firewall has several external IP addresses and, for some reason, you need to route all incoming packets through a certain firewall address.
Consider the following scenario. An IP packet has the following parameters:
Source IP address:
Destination IP address:
When going through a firewall, the source IP address will be translated to a public IP address of the firewall, for example:
If you clear the Use the following external IP address for access through the firewall check box, the response IP packet will have the following parameters:
Source IP address:
Destination IP address:
When the firewall receives the response packet, the destination address will be translated into
If you select the Use the following external IP address for access through the firewall check box and type in the External IP address box, the response IP packet will have the following parameters:
Source IP address:
Destination IP address:
On the firewall, you should configure NAT rules to route such response IP packets to the destination host's local address ( ).

7 Configuring Access to the Hosts of Your ViPNet Network
Virtual IP Addresses 100
Configuring Access to ViPNet Hosts 102
Configuring Access to ViPNet Hosts Tunneled by Another Coordinator 105
Configuring Access IP Addresses Priority for a Coordinator 107
Configuring a TCP Tunnel 110
Using Aliases for ViPNet Hosts 112
Viewing Information about a ViPNet Host 113

Virtual IP Addresses
About Virtual IP Addresses
Different local and ISPs' networks often have IP address conflicts. The virtual addresses technology allows you to solve this problem effectively when you configure protected connections. You can use virtual IP addresses to set access rules based on virtual IP addresses. Why do you need it? It is common knowledge that, if an IP address is used to identify a user, you should be cautious, because the IP address might be faked, which will threaten the security of the connection. However, it is impossible to fake an IP address in a ViPNet network. When the ViPNet driver receives a packet, it substitutes the real source address with the respective virtual address, and then forwards it to an application. However, this happens only if the packet is successfully decrypted using the sender's private keys, in other words, after the sender's successful identification. This ensures that the recipient's IP address is not faked and access to resources is strictly delimited.
Each ViPNet host automatically creates one or more virtual IP addresses for every ViPNet host and tunneled host it is linked with. Each real address corresponds to a virtual IP address. Thus, the number of virtual IP addresses depends on the number of real IP addresses and the number of tunneled IP addresses. Each host has its own list of virtual IP addresses for other hosts. All programs running on the network may use these addresses to connect to the corresponding hosts. The ViPNet driver translates the addresses when sending or receiving IP packets (including the packets of DNS, WINS, NetBIOS, SCCP, SIP, and other services).
By default, a ViPNet host automatically uses virtual addresses to connect to other ViPNet hosts if they are inaccessible by broadcast IP addresses. For tunneled hosts, real IP addresses are used by default. If necessary, you can force your ViPNet host to see any other ViPNet hosts by real or virtual addresses.
General Principles of Assigning Virtual IP Addresses
By default, the initial address for the virtual addresses generator is (subnet mask: ). You can change the initial address in the Options dialog box, in Private Network > Additional parameters. Virtual IP addresses are assigned to ViPNet network hosts and single tunneled hosts automatically, starting from the specified initial IP address. By default, for tunneled IP address ranges the initial virtual IP address is
It can also be the IP address whose first octet is incremented by 1 in comparison to the IP address specified as the initial IP address for the virtual IP addresses generator.
Note: A single tunneled IP address is an address explicitly defined in the ViPNet host tunneling settings.
You should take into account that one of the Internet address ranges is used for generating virtual addresses by default. That's why an address conflict may appear during the communication of a ViPNet host and an unprotected web resource if the resource's IP address coincides with a used virtual address. You will not be able to connect to such a web resource. To access the resource, you should either change the range of the assigned virtual addresses or work with the resource via a proxy server.
You can find the generated virtual IP addresses of ViPNet hosts in the ViPNet Host Properties dialog box, on the IP addresses tab. Virtual IP addresses of the tunneled hosts are displayed in the ViPNet Host Properties dialog box on the Tunnel tab of the coordinator functioning as a tunneling server for these tunneled hosts.
Virtual IP addresses of ViPNet hosts do not depend on real IP addresses. They are bound to the unique identifiers allocated to ViPNet hosts in ViPNet Administrator Network Control Center or ViPNet Network Manager. Virtual IP addresses for single tunneled hosts are bound to each real IP address of a tunneled host. Virtual IP addresses stay assigned to ViPNet hosts and single tunneled hosts until the network hosts or tunneled hosts are deleted.
Warning: To avoid errors when specifying initial virtual IP addresses, you should take into account the following requirements:
The value of the first octet should range from 1 to 254.
The value of the fourth octet should range from 1 to 239.
The value of the second and third octets should range from 0 to 255.
When you update host links, change the real IP addresses of any host, or add an IP address of a single tunneled host, the virtual IP addresses already generated will not be changed. Newly added real IP addresses and IP addresses of tunneled hosts, as well as newly added ViPNet hosts, get new unused virtual addresses. You can change the virtual addresses intended for ranges of tunneled addresses when adding new ranges of tunneled addresses.
If you change the initial IP address for the virtual IP addresses generator, all virtual IP addresses will be created anew.
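The assignment rules of this section (octet limits for the initial address, stable addresses for existing hosts, new unused addresses for new ones, a full regeneration when the initial address changes, and conflict checking against an unprotected resource's IP), modeled as an added Python example that is not ViPNet code. The sequential allocation order, the keys used for hosts, and the initial address 11.0.0.1 are assumptions constructed for the example.

```python
"""Added example (not ViPNet code) modeling the virtual IP address rules above.

Assumptions made here that the guide does not state: addresses are handed out
sequentially from the initial address, ViPNet hosts are keyed by their network
identifier, single tunneled hosts by (coordinator, real IP), and an assignment
is never reused for another key while it exists.
"""
import ipaddress
from typing import Dict, Hashable, List


def validate_initial_address(addr: str) -> List[str]:
    """Check an initial generator address against the guide's octet limits.

    Returns the list of violated requirements; an empty list means the
    address is acceptable.
    """
    try:
        octets = [int(x) for x in addr.split(".")]
    except ValueError:
        return ["not a dotted-quad IPv4 address"]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        return ["not a dotted-quad IPv4 address"]
    problems = []
    if not 1 <= octets[0] <= 254:
        problems.append("first octet must be 1-254")
    if not 1 <= octets[3] <= 239:
        problems.append("fourth octet must be 1-239")
    return problems


def tunneled_range_start(initial: str) -> str:
    """Alternative default start for tunneled address ranges: first octet + 1."""
    octets = [int(x) for x in initial.split(".")]
    octets[0] += 1
    return ".".join(str(o) for o in octets)


class VirtualAddressTable:
    """Virtual addresses one ViPNet host keeps for the hosts it is linked with."""

    def __init__(self, initial: str) -> None:
        self.assignments: Dict[Hashable, str] = {}
        self.reset(initial)

    def reset(self, initial: str) -> None:
        """Change the initial address: every virtual address is created anew."""
        problems = validate_initial_address(initial)
        if problems:
            raise ValueError("; ".join(problems))
        self.initial = initial
        self._next = ipaddress.IPv4Address(initial)
        keys = list(self.assignments)   # existing hosts keep their order, get new addresses
        self.assignments = {}
        for key in keys:
            self.assign(key)

    def assign(self, key: Hashable) -> str:
        """Return the key's virtual address, allocating the next unused one if new."""
        if key not in self.assignments:
            self.assignments[key] = str(self._next)
            self._next += 1
        return self.assignments[key]

    def remove(self, key: Hashable) -> None:
        """A deleted host or tunneled address releases its virtual address."""
        self.assignments.pop(key, None)

    def conflicts_with(self, external_ip: str) -> List[Hashable]:
        """Keys whose virtual address collides with an unprotected resource's IP."""
        return [k for k, v in self.assignments.items() if v == external_ip]


if __name__ == "__main__":
    # Constructed sample: two ViPNet hosts and one single tunneled address.
    table = VirtualAddressTable("11.0.0.1")
    for key in ("host-A", ("coord-1", "192.168.10.5"), "host-B"):
        print(key, "->", table.assign(key))
    print("conflict with 11.0.0.2:", table.conflicts_with("11.0.0.2"))
    table.reset("12.0.0.1")
    print("after changing the initial address:", table.assignments)
```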

Configuring Access to ViPNet Hosts
To link two coordinators, on each of them, specify an IP address or a DNS name of the other coordinator. If you have configured the needed IP addresses and coordinators interconnection parameters in ViPNet Administrator or ViPNet Network Manager, then you do not need to change any settings on a host in ViPNet Monitor. If no parameters were preset, then, on your ViPNet host, manually configure the access to the other coordinator. To do this:
1 In the navigation pane of the main ViPNet Monitor window, select Private Network.
2 In the Private Network section, double-click the host you are going to connect to.
3 In the ViPNet Host Properties dialog box, on the IP addresses tab, add the real IP address of the ViPNet host to the list. A virtual IP address (see Virtual IP Addresses on page 100) will be automatically assigned to this new address. If you do not know the host's IP address, you can resolve it by the computer's name. To do this, click Resolve Host Name/IP Address and, in the displayed window, search for the required IP address by the specified name.
If the hosts are set to be visible by their real addresses, then, when you add an IP address, it is automatically checked for conflicts with other IP addresses on the list or IP addresses of another host (including tunneled ones). This check helps you to avoid specifying the same IP address twice. If an IP address conflict is found as a result of the check, you will be notified about it. Resolve the IP addresses conflict (see Conflicting IP Addresses or DNS Names on page 308). You may check for IP addresses conflicts manually, too. To do this, click Check conflicts.
Figure 43. Specifying IP addresses for a ViPNet host
4 In the ViPNet host's visibility IP addresses list, specify the type of addresses that will be used by your host to access this host. By default, visibility IP addresses are chosen automatically. If a conflict between the real IP addresses and other hosts' addresses on the network is possible, in the list, you should select Virtual IP addresses. When you change the visibility IP addresses in the coordinator properties, you will be prompted to set the same visibility IP addresses for all ViPNet hosts using this coordinator as their connection server.
5 If you need to use a DNS name to access a ViPNet host, select the Use DNS name check box and add the host's DNS name to the list. When you add a DNS name, a check will be performed for conflicts with DNS names already specified in the program. If a conflict is detected, resolve it (see Conflicting IP Addresses or DNS Names on page 308). You may also click Check conflicts to check the DNS names. You may specify several DNS names for a host. When configuring access parameters for a coordinator, on the IP Addresses tab, you should add the DNS names of the hosts tunneled by this coordinator to the DNS names list (see Configuring Access to ViPNet Hosts Tunneled by Another Coordinator on page 105). For a client, the order of the DNS names in the list does not matter. For a coordinator, you should specify its DNS name on top of the list, before the DNS names of the tunneled hosts. For more information on using the DNS service in a ViPNet network, see Configuring and Using DNS and WINS Services in ViPNet Networks (on page 114).
6 If a firewall is used, on the Firewall tab, specify the firewall's IP address. If necessary, add more firewall IP addresses. If several IP addresses for access via a firewall are specified, you can set the addresses priority by using metrics (see Configuring Access IP Addresses Priority for a Coordinator on page 107). In the UDP port box, specify the port number to access the coordinator via a firewall.
Figure 44. Configuring access to a host via a firewall
7 When configuring access to a coordinator, on the Firewall tab, in the Access port for TCP tunnel box, you can specify the port for connecting your host with the coordinator over TCP (via a TCP tunnel). We recommend you to specify the port if it is not specified in the coordinator's properties, but the TCP tunnel is established on the coordinator. As a rule, the information about the TCP access port number is received on the host automatically, as soon as the TCP tunnel is established on the coordinator. That's why, if the TCP access port is specified in the coordinator's properties, you should not change it.
8 To save the settings, click Apply.

Configuring Access to ViPNet Hosts Tunneled by Another Coordinator

If a ViPNet coordinator should establish connections to hosts tunneled by another coordinator, you should configure the access parameters in ViPNet Monitor. If the tunneling parameters have been configured for all coordinators in ViPNet Administrator or ViPNet Network Manager, you do not need to make any additional settings: the other coordinators' tunneled hosts become automatically accessible for your host.

If you want to manually configure your host's connection with another coordinator's tunneled hosts, do the following:

1 In the navigation pane of the main ViPNet Monitor window, select Private Network.

2 In the Private Network section, double-click the coordinator that tunnels the unprotected host you want to connect to.

3 In the ViPNet Host Properties dialog box, on the Tunnel tab, select the Use IP addresses for tunneling check box and form a list of the tunneled hosts' IP addresses by using the corresponding buttons. A virtual IP address (on page 389) will be automatically allocated to every newly specified address. If you do not know the host's IP address, you can resolve it by the computer's name. To do this, click Resolve Host Name/IP Address and, in the displayed window, search for the required IP address by the specified name.

Note: If you need to specify a DNS name of a tunneled host, add the DNS name to the DNS names list of the tunneling coordinator (see Configuring Access to ViPNet Hosts on page 102). Keep in mind that the coordinator name registered on the DNS server should be on top of the list.

When you add an IP address, it is automatically checked whether this address coincides with another IP address on the list or with an address of another host (including tunneled ones). This check helps you avoid specifying the same IP address twice. If a coinciding IP address is found, you will be notified about it. Resolve the IP address conflict (see Conflicting IP Addresses or DNS Names on page 308). You may also check for IP address conflicts manually. To do this, click Check conflicts.

Figure 45. Tunneled hosts' addresses

4 If there may be an IP address conflict in the subnetworks, select the Use virtual IP addresses check box.

5 If a tunneled host is in the same subnetwork as your ViPNet host and the routing is not specially configured, make sure that the Do not tunnel the IP addresses of your computer's subnetwork check box is selected. Otherwise, you will not be able to connect to the tunneled host.

6 If you do not need the connection to some tunneled hosts to be protected, select the Do not tunnel the following IP addresses check box and add the IP addresses of those hosts to the list below.

7 To save the settings, click Apply.

The settings described in this section should be made on your ViPNet host for all coordinators that tunnel the hosts you need to connect to.

Configuring Access IP Addresses Priority for a Coordinator

If a coordinator has several access IP addresses (for example, one for each communications channel), then, on another ViPNet host, you can configure priorities for the channels used to connect to this coordinator. If the channel with the highest priority is unavailable, the communications channel is selected according to the priorities specified for the other channels. When the highest-priority channel becomes available again, the connection is re-established via this channel.

Note: This is effective only if the host connects to the coordinator via different channels, for example, across the Internet and a dedicated network (in other words, when the connection is routed via different gateways).

The priority of channels is defined by specifying a metric for each access IP address of the coordinator. By default, metrics are assigned automatically. When assigning metrics, stick to the following rules:

An IP address metric defines a delay (in milliseconds) before sending test IP packets to detect the IP address's accessibility. The connection is established using the first address that turns out to be accessible during the poll. The polling is performed in the following cases:
At ViPNet Monitor startup.
When you check the connection to the host manually.
Periodically. You can specify the polling interval on the coordinator in the Options dialog box, in the Private Network > Additional Parameters section. By default, the interval at which a coordinator polls other coordinators is 15 minutes; the interval at which a client polls its coordinator is 5 minutes.

The IP address with the least metric has the highest priority. This address is always used to establish connections if it is available.

If the metrics for all access IP addresses are assigned automatically, the value of all metrics is 0.

If the metrics for some IP addresses are assigned manually and for others automatically, the value of the automatic metrics is always 100 milliseconds greater than the maximum manually assigned metric.

The greater the difference between the least metric and the other metrics, the lower the chance that the connection will be established via a low-priority channel in case of a short-time failure. If the connection is established via a low-priority channel, the host will be able to switch to the highest-priority channel quicker when it becomes available.

If all metrics are equal, the first channel via which your host connects to the coordinator is selected. Once the channel has been selected, the availability of the other communications channels is checked only when the connection via the current channel is lost. The same mechanism is used if the connection is established via the highest-priority channel.

If at least one IP address metric is assigned manually and its value is not the highest one, the availability of the other communications channels, including the one with the highest priority, is checked as well.

When ViPNet Monitor starts and when the connection with the coordinator is checked (see Checking Connection to a ViPNet Host on page 217), the availability of all communications channels is always checked in order to select the channel with the least metric.

When a channel is selected, the current access IP address is displayed in the coordinator's properties window, on top of the list on the Firewall tab.

To specify metrics for the access IP addresses of a coordinator:

1 In the navigation pane of the main ViPNet Monitor window, select Private Network.

2 In the Private Network section, double-click the coordinator you are going to specify the access IP addresses priority for.

3 In the ViPNet Host Properties dialog box, click the Firewall tab.

4 If necessary, configure the firewall parameters for the coordinator (see Configuring Access to ViPNet Hosts on page 102).

5 To specify a metric for an IP address, select the address from the list and click Edit.

Figure 46. Specifying a metric

6 In the displayed window, select the Set metrics check box and, in the corresponding box, enter the metric value in milliseconds (valid values range from 1 to 9999). Then click OK.

Consider the following scenario. Suppose a coordinator has four IP addresses allowing you to access it via channels A, B, C, and D, and you need to specify metrics for these channels. Let the channels have the following priority:

1 A is the fastest and the most secure channel. It should be used in the first place.

2 C and D are secure but slower channels. They should be used if channel A is unavailable.

3 B is a less secure channel. It should be used last of all.

To set the highest priority level for channel A, specify the minimum metric value for it, for example, 1. Specify the maximum metric value (9999) for channel B, because using this channel is undesirable. Specify equal metrics for channels C and D so that they do not differ much from the channel A metric, for example, 500.

With such metric values, channel A will always be used if it is available. If channel A becomes unavailable or its traffic rate decreases, the connection to the coordinator will be established via channel C or channel D. In case of emergency, when channels A, C, and D are all unavailable, channel B will be used. If the connection is established via channel B, C, or D, your host will try to establish the connection via channel A when the polling period ends, on ViPNet Monitor startup, or when the connection to the coordinator is checked. The shorter the polling period, the faster the channel will be switched in case of a failure and will then revert to a channel with a higher priority.
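The metric rules above (lowest metric wins, automatic metrics are 0 when nothing is set manually and otherwise the highest manual metric plus 100, manual values 1 to 9999) can be modelled to check a planned scheme before it is entered in ViPNet Monitor. The following is an added example, not code from the guide or the ViPNet product; channel names, the availability sets and the scenario metrics are constructed from the A/B/C/D example.

```python
"""Model of the access-address priority rules for a coordinator.

Added example, not part of ViPNet Coordinator Monitor. It encodes the rules
the guide states for metrics and channel selection so a metric scheme can be
checked offline. Channel names and availability sets are constructed data.
"""
from typing import Dict, Iterable, Optional

AUTO_OFFSET_MS = 100            # automatic metric = highest manual metric + 100
MIN_METRIC, MAX_METRIC = 1, 9999  # valid range for a manually set metric


def effective_metrics(manual: Dict[str, Optional[int]]) -> Dict[str, int]:
    """Return the metric used for every access address (channel).

    `manual` maps a channel to its manually set metric, or None when the
    metric is left to automatic assignment.
    """
    for ch, m in manual.items():
        if m is not None and not MIN_METRIC <= m <= MAX_METRIC:
            raise ValueError(f"{ch}: metric {m} outside {MIN_METRIC}..{MAX_METRIC}")
    set_manually = [m for m in manual.values() if m is not None]
    # All automatic: every metric is 0, so all channels are equal.
    auto_value = 0 if not set_manually else max(set_manually) + AUTO_OFFSET_MS
    return {ch: (m if m is not None else auto_value) for ch, m in manual.items()}


def select_channel(manual: Dict[str, Optional[int]],
                   available: Iterable[str]) -> Optional[str]:
    """Pick the access address a full poll (startup or manual check) ends on.

    The metric is a delay before probing an address, so the available address
    with the lowest metric answers first. Among equal metrics the configured
    order decides, which models 'the first channel via which your host
    connects' for equal metrics.
    """
    metrics = effective_metrics(manual)
    avail = set(available)
    candidates = [ch for ch in metrics if ch in avail]
    if not candidates:
        return None
    return min(candidates, key=lambda ch: metrics[ch])  # min() keeps first of ties


# Scenario from the guide: A fastest and most secure, C and D fallbacks, B last.
SCENARIO = {"A": 1, "B": 9999, "C": 500, "D": 500}

if __name__ == "__main__":
    print(effective_metrics(SCENARIO))
    print("all up:", select_channel(SCENARIO, ["A", "B", "C", "D"]))
    print("A down:", select_channel(SCENARIO, ["B", "C", "D"]))
    print("only B:", select_channel(SCENARIO, ["B"]))
```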

Configuring a TCP Tunnel

When clients connect to a ViPNet network remotely, a problem with transferring IP packets over UDP may arise, because this protocol is blocked by some ISPs. To solve such a problem, you can set the clients to communicate over TCP by configuring a TCP tunnel on the connection servers of these clients.

Note: You can configure a TCP tunnel only on a coordinator that is not behind a firewall or is behind a firewall with static NAT (see Connecting to a Protected ViPNet Network on page 83).

To configure a TCP tunnel on a coordinator:

1 In the main ViPNet Monitor window, on the Service menu, click Options.

2 In the Options dialog box, in the navigation pane, click Private Network.

Figure 47. Establishing a TCP tunnel

3 Select the Establish TCP tunnel check box.

4 In the Access port for TCP tunnel box, specify the port number for TCP packets coming from ViPNet hosts.

5 To save the settings, click Apply.

The TCP tunnel is configured on the coordinator. The information that the TCP tunnel has been set up, including the port number for transferring TCP packets, is sent from the connection server to all its ViPNet hosts. Later, if a remote client cannot connect to other ViPNet hosts over UDP, it will automatically establish the connection over the TCP tunnel configured on its connection server. On the connection server, IP packets are retrieved from the TCP tunnel and transferred to the destination hosts over UDP.

Using Aliases for ViPNet Hosts

For convenience, you can specify an alias for any ViPNet host in the Private Network section. This alias will be displayed in the Private Network section instead of the host name. To find the host in the list, you can type the host alias, as well as its name, in the search box.

To specify an alias for a ViPNet host:

1 In the main ViPNet Monitor window, in the navigation pane, click Private Network and select the host you are going to specify an alias for.

2 In the ViPNet Host Properties dialog box, on the Common tab, in the Alias box, type the name to be assigned to the host.

3 Click OK.

4 Add aliases to other ViPNet hosts if necessary.

Note: If you have added an alias but the name of the host is still shown in the list, enable the alias display option. To do this: in the main ViPNet Monitor window, on the Service menu, click Options. In the Options dialog box, in the General section, select the Show aliases for ViPNet users check box.

Viewing Information about a ViPNet Host

In some cases, for example, when organizing access to a ViPNet host or when there are problems with access to a host, the ViPNet network administrator or technical support service may ask you for specific information about the host.

To view the information about a host of another ViPNet user:

1 In the main ViPNet Monitor window, in the navigation pane, select Private Network. In the view pane, double-click the required ViPNet host.

2 In the ViPNet Host Properties dialog box, view the Common tab contents.

3 If necessary, copy the required text to provide the administrator or technical support service with the information.

Note: You can use the above-described method to view the service information of a ViPNet host only if it is not your own host. To view the service information of your ViPNet host, in the main window, in the navigation pane, select ViPNet Coordinator.

To view the information about your ViPNet host, in the main ViPNet Monitor window, on the File menu, click My ViPNet Host Properties.

8 Configuring and Using DNS and WINS Services in ViPNet Networks

DNS and WINS Services 115
DNS and WINS Services in a ViPNet Network 117
Protected or Tunneled DNS or WINS Server 118
Unprotected DNS or WINS Server 120
Using a Protected DNS Server to Work with Corporate Resources Remotely 121
Using DNS Servers on Domain Controllers 125

DNS and WINS Services

Addresses consisting of digits are not quite friendly to deal with. Sensible names that correspond to computers' functions and location are more convenient: for people, it is easier to remember a sensible name than a sequence of digits. Local networks and the Internet link a large number of computers, thus special name services have been introduced to map numeric IP addresses to human-readable names. At present, there are two main name services used in computer networks: DNS and WINS.

DNS

In TCP/IP networks, the Domain Name System (DNS) is used to translate domain names meaningful to humans into numeric identifiers associated with network equipment, for the purpose of locating and addressing these devices worldwide. For example, it translates a computer's domain name into its IP address. The figure below illustrates how DNS works (it shows how an IP address can be resolved using an alphabetic domain name).

Figure 48. The general principle of the DNS service operation

A client requests a DNS server to find out the IP address of the computer which has a given domain name. If the DNS server finds a match in its local database, it retrieves all the required information about the host found. The retrieved information includes the IP address of the computer with that domain name. This example illustrates a simple client-to-server request. In practice, the process of resolving an IP address from a DNS name may require several DNS servers, complex requests, and other steps not outlined in the figure above.

DNS uses a hierarchical naming system. A domain name consists of one or more parts, technically called labels, that are conventionally concatenated and delimited by dots. The highest-level domain name (the first part) is fixed and assigned by the Network Information Center (NIC). Domain names for the other levels are assigned on domain name servers arbitrarily.

WINS

WINS (Windows Internet Name Service) translates a computer's IP address to a NetBIOS name, and vice versa. For example, an IP address will be translated to the name HOST-A. WINS is the most convenient means of NetBIOS name resolution in routed networks that use NetBIOS over TCP/IP.

Note: NetBIOS (Network Basic Input Output System) is a session layer protocol allowing you to work in local networks and providing your host with access to local resources as well as to the resources of remote computers. NetBIOS sends broadcast packets, thus it does not support transferring information via routers. On the other hand, improvements in NetBIOS allow this system to operate over routing protocols, such as IP and IPX.

The WINS service simplifies NetBIOS name resolution in routed networks that use NetBIOS over TCP/IP. The following figure illustrates a typical situation involving WINS clients and servers.

Figure 49. The general principle of the WINS service operation

In this example, the following events take place:

A WINS client, HOST-A, registers any of its local NetBIOS names with WINS-A, its configured WINS server. If the HOST-A client does not have access to the IP address of its WINS server, the client broadcasts its NetBIOS name, announcing its availability in the network. When such an event occurs, the local WINS server receives this broadcast message and registers the name and the corresponding IP address contained therein in its database.

Another WINS client, HOST-B, queries WINS-A to locate the IP address for HOST-A on the network.

WINS-A replies with the IP address for HOST-A.

WINS and DNS are both name resolution services for TCP/IP networks. While WINS resolves names in the NetBIOS namespace, DNS resolves names in the DNS domain namespace. DNS uses a hierarchical naming system; WINS, on the contrary, uses a flat (peer) naming system. WINS primarily supports clients that run earlier versions of Windows and applications that use NetBIOS. In environments where some computers use NetBIOS names and other computers use domain names, it is recommended to use both the WINS and DNS services.

DNS and WINS Services in a ViPNet Network

In a ViPNet network, applications may use virtual IP addresses (on page 100) that do not really exist in the network and are unique for each host, which helps to avoid address conflicts. To provide DNS and WINS service operation in a ViPNet network where virtual IP addresses are used, the ViPNet software automatically processes the IP packets of these services in a special way. Such processing is required in order to provide applications that request information from DNS and WINS with the correct information about the IP addresses of protected hosts (whether these addresses are real or virtual).

If the ViPNet software is installed on a DNS (WINS) server, or the server is tunneled by a coordinator, you do not need to make advanced settings in the ViPNet software, provided that you follow certain rules (see Protected or Tunneled DNS or WINS Server on page 118).

You may specify DNS names for ViPNet hosts manually, in ViPNet Monitor on your computer or in ViPNet Administrator Network Control Center or ViPNet Network Manager. In this case, you gain the following advantages in using the DNS service:

Programs can securely communicate with remote ViPNet hosts via DNS names when you use unprotected (public) DNS servers (see Unprotected DNS or WINS Server on page 120).

The ViPNet host can connect to its coordinator by the coordinator's DNS name. For this, an IP address that does not belong to the coordinator (for example, the address by which the coordinator is accessible through a NAT device) is published on a DNS server.

If a coordinator's access address is published on a public DNS server automatically (by using the dynamic DNS, or DynDNS, technology), you can organize secure access to a coordinator whose access address is a dynamic IP address.

Protected or Tunneled DNS or WINS Server

Usage Peculiarities

Using a DNS or WINS server installed on a protected or tunneled host has the following peculiarities:

You do not need to make any additional settings in your ViPNet software to provide operability of the DNS or WINS services.

If the DNS (NetBIOS) names and corresponding IP addresses of protected and tunneled hosts are automatically registered on your DNS (WINS) server, the ViPNet technology ensures automatic publication of the required real or virtual IP addresses of ViPNet and tunneled hosts. The ViPNet driver on the DNS (WINS) server (or on the coordinator that tunnels this server) substitutes the address in the IP packet with a virtual or a real one.

If a protected or a tunneled host addresses a DNS (WINS) server, a ViPNet host identifier is added to the response packet (the identifier of the destination protected host or of the tunneled host's tunneling coordinator). The ViPNet software on the source ViPNet host (or on the source tunneled host's tunneling coordinator) detects whether the destination host's access address is a real or a virtual one.

If an unprotected host addresses a protected DNS (WINS) server, the ViPNet software installed on the DNS (WINS) server or on its tunneling coordinator processes the response packet so that the unprotected host learns the real IP addresses of protected and tunneled hosts, even if virtual IP addresses have been published for them.

Figure 50. Protected or tunneled DNS server

Configuration Best Practices

If you use a DNS (WINS) server installed on a ViPNet or tunneled host and you need to publish virtual IP addresses, follow these recommendations:

If you manually register ViPNet and tunneled hosts' IP addresses on a DNS (WINS) server, specify their virtual or real addresses depending on which type of address is displayed in bold in the ViPNet Monitor program installed on the DNS (WINS) server or on the coordinator tunneling this server.

If a DNS (WINS) server is installed on a ViPNet host, do not place any tunneled hosts that would communicate with the server by DNS names in this server's subnet. If the server is installed on a coordinator, this requirement applies to the tunneled hosts of other coordinators.

If a DNS (WINS) server is tunneled by a coordinator, do not deploy any tunneled hosts that would communicate with the server by DNS names in this server's subnet.

If you need to deploy any hosts in violation of these recommendations, on the ViPNet hosts, clear the Do not tunnel the IP addresses of your computer's subnetwork check box, and on each of the tunneled hosts, add static routes to the ViPNet hosts through the tunneling coordinator.

Unprotected DNS or WINS Server

Configuration Best Practices

If you use an unprotected DNS server, follow these recommendations:

If the external IP address used for accessing the coordinator from this server may change, and you need the DNS server to access this coordinator by its DNS name registered on the unprotected DNS server, then on the ViPNet hosts, in the ViPNet Monitor settings, specify the DNS name for this coordinator.

If other ViPNet hosts are accessible from your ViPNet host by virtual IP addresses, and you need to access these hosts by DNS names registered on the unprotected DNS server, then specify these DNS names on your ViPNet host, in the ViPNet Monitor settings. Any IP address (a real or a virtual one) can be registered on the unprotected DNS server. The ViPNet technology ensures establishing and maintaining an encrypted connection by the host's virtual visibility address (see Visibility addresses on page 389) regardless of the published address's type. As mentioned earlier, even if the unprotected DNS server accesses ViPNet hosts by their real IP addresses, for security purposes it is important that you specify their DNS names on these hosts in ViPNet Monitor.

In all the described cases, you may specify the ViPNet hosts' DNS names on each host manually (see Configuring Access to ViPNet Hosts on page 102), but we recommend that you specify the DNS names for all hosts in ViPNet Administrator Network Control Center or ViPNet Network Manager.

Using a Protected DNS Server to Work with Corporate Resources Remotely

Let's assume that you are a remote user and you connect to a ViPNet network via the Internet. You may work at home, in an Internet cafe, at a hotel, or in other places where IP addresses and DNS or NetBIOS names are defined by an Internet provider. However, to work with many corporate business applications, you need to use the DNS (WINS) server of the corporate network. By using the corporate DNS (WINS) server, you can refer to the servers and other hosts of the corporate network by their names (not IP addresses). Translation of DNS (NetBIOS) names into IP addresses is performed for the addresses of both the corporate network and the Internet.

Automatic DNS (WINS) servers registration

The following requirements should be met to access corporate resources remotely:

In the hosts system file that maps IP addresses to host names, there must be no entries about hosts of your corporate network. The path to the file is %systemroot%\system32\drivers\etc\ (by default, it is C:\Windows\System32\drivers\etc\).

The corporate DNS (WINS) server's IP address should be specified in the OS network settings.

Warning: If the ViPNet host is registered on both corporate and public DNS servers, you may encounter problems accessing it. To solve this problem, specify its DNS name in the host's properties, on the IP address tab.

You may set the address of the corporate DNS server manually in the connection settings. However, we recommend that you specify the addresses of the corporate DNS servers centrally. To do this, the ViPNet network administrator needs to list the hosts or tunneled resources with the DNS servers in the ViPNet Administrator Network Control Center or ViPNet Network Manager software. In this case, the list of the corporate DNS servers will be transferred to the ViPNet hosts as a part of their key sets. On the hosts, the ViPNet Monitor program will determine the current visibility IP addresses of the corporate DNS servers (either real or virtual) and will automatically change the DNS servers' addresses in the settings of the computer's network interfaces.

Consider the following scenario. You are working in the main office on a laptop with the ViPNet Client software installed and connect to a protected corporate DNS server by its IP address. You take your laptop to another office, and the DNS server of your main office becomes accessible by another IP address. You need to connect to the corporate resources of the main office via the Internet.

When you register the DNS or WINS server, you have to change the Windows network settings on the laptop. This is inconvenient because you will have to restore the settings when you return to the main office. If the ViPNet hosts with the DNS servers are specified in ViPNet Administrator Network Control Center or ViPNet Network Manager, you do not need to change the connection settings manually. If, for whatever reason, the corporate DNS servers' addresses are not specified in the ViPNet Administrator Network Control Center or ViPNet Network Manager program, you can set the list of the protected DNS servers manually on the host, following the guidelines below.

Configuring a DNS or WINS Servers List Manually

If the list of the corporate DNS (WINS) servers was not specified centrally in the ViPNet Administrator Network Control Center or ViPNet Network Manager (see Automatic DNS (WINS) servers registration on page 121), you can create such a list manually on your host. In this case, the ViPNet Monitor program will also determine the current visibility IP addresses of the corporate DNS servers and will automatically change the settings of your computer's network interfaces.

To register a corporate DNS (WINS) server manually, perform the following actions:

1 In any text editor (preferably Notepad), create a blank text file DNS.TXT.

2 Add an entry about the corporate DNS or WINS server to the file. You can learn how to specify the information about the server in the later sections of this chapter. The format of the entries in the DNS.TXT file differs depending on whether the corporate DNS or WINS server is installed on a protected host or is tunneled by a coordinator.

3 Save the file to the \DATABASES\DNSWINSLIST subfolder of the ViPNet software installation folder (if there is no such subfolder, create it).

Note: To create and edit the DNS.TXT file, you do not need to close the ViPNet Monitor program.

You may register multiple DNS (WINS) servers in the DNS.TXT file at once. In this case, on all the laptop's network interfaces, the DNS or WINS servers' IP address lists will be supplemented with the IP addresses by which these servers are currently accessible. At the same time, in the network interface settings, the IP addresses obtained via DHCP or specified on the network interfaces manually will be kept if these IP addresses do not belong to the servers specified in the DNS.TXT file.

Note: If the DNS or WINS servers in use are listed in the DNS.TXT file, you do not need to specify the servers' addresses in the Windows network settings.

Corporate DNS or WINS Server Is Installed Right on the ViPNet Host

If your corporate DNS (WINS) server is installed on a ViPNet host, then in the DNS.TXT file, add the following information:

For a DNS server:
[DNSLIST]
ID00=<identifier>;

For a WINS server:
[WINSLIST]
ID00=<identifier>;

where <identifier> is the hexadecimal identifier of the ViPNet host with the DNS or WINS server installed, plus the network number.

Note: To learn the host identifier, in the main ViPNet Monitor window, in the Private Network section, double-click the ViPNet host with the DNS or WINS server installed. The ViPNet Host Properties dialog box will be displayed. On the Common tab, in the first line, you will find the ViPNet host identifier.

ID00 is the line (entry) number identifier. Any digits are valid after ID.

In the following section, you will find an example of the DNS.TXT file (on page 124).

Corporate DNS or WINS Server Is Tunneled by a Coordinator

If your corporate DNS (WINS) server is tunneled by a coordinator, then in the DNS.TXT file, add the following information:

For a DNS server:
[DNSLIST]
ID00=<identifier>-<IP address>;

For a WINS server:
[WINSLIST]
ID00=<identifier>-<IP address>;

where <identifier> is the hexadecimal identifier of the coordinator tunneling the DNS or WINS server, plus the network number.

Note: To learn the tunneling coordinator's identifier, in the main ViPNet Monitor window, in the Private Network section, double-click the coordinator. The ViPNet Host Properties dialog box will be displayed. On the Common tab, in the first line, you will find the ViPNet host identifier.

ID00 is the line (entry) number identifier. Any digits are valid after ID.

In such a case (when the DNS or WINS server is not installed on a ViPNet host), you need to add the tunneling coordinator's ViPNet host identifier, then a dash, and then the DNS or WINS server's IP address. If there are several DNS (WINS) servers tunneled by the same coordinator, you can list their IP addresses after the coordinator's identifier, within the same line, separating them with a semicolon and no spaces: ID00=<identifier>-<IP address 1>;<IP address 2>. Make sure that these IP addresses are also specified in the tunneled addresses list of this coordinator.

In the following section, you will find an example of the DNS.TXT file (on page 124).

An Example of the DNS.TXT File

The DNS.TXT file may have the following format:

[DNSLIST]
ID00=000100CA ;
ID01= b;
ID02=000110bc ;
[WINSLIST]
ID00= b;
ID01=000101fa ;

Note that one DNS.TXT file may contain entries for DNS or WINS servers installed on ViPNet hosts as well as for DNS or WINS servers tunneled by a coordinator. The number of entries is not limited.
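Because a malformed DNS.TXT entry or a tunneled server IP that is missing from the coordinator's tunneled-address list silently breaks name resolution on the host, it is useful to validate the file before placing it in \DATABASES\DNSWINSLIST. The following parser is an added example, not code from the guide or the ViPNet product; the sample file content, the identifier 000101ab and all IP addresses are constructed, and the tunneled-address list is assumed to be supplied by the administrator as a plain mapping.

```python
"""Parser and consistency checker for the DNS.TXT format described above.

Added example, not part of ViPNet Coordinator Monitor. It reads the [DNSLIST]
and [WINSLIST] sections with their IDnn=<identifier>[-<ip>;<ip>...]; entries,
tells servers installed on a ViPNet host from servers tunneled by a
coordinator, and checks tunneled IPs against the coordinator's tunneled list,
which the guide requires to contain them. Sample values are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List

# IDnn=<hex identifier> optionally followed by -<ip>[;<ip>...] (';' terminator removed)
ENTRY_RE = re.compile(r"^ID(\d+)=([0-9A-Fa-f]+)(?:-(.*))?$")
SECTIONS = ("DNSLIST", "WINSLIST")


@dataclass
class ServerEntry:
    host_id: str                       # hex ViPNet host or coordinator identifier
    tunneled_ips: List[str] = field(default_factory=list)

    @property
    def tunneled(self) -> bool:
        # No dash/IP part means the server runs on the ViPNet host itself.
        return bool(self.tunneled_ips)


def parse_dns_txt(text: str) -> Dict[str, List[ServerEntry]]:
    """Parse DNS.TXT content into {"DNSLIST": [...], "WINSLIST": [...]}."""
    result: Dict[str, List[ServerEntry]] = {s: [] for s in SECTIONS}
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
            if section not in SECTIONS:
                raise ValueError(f"line {lineno}: unknown section [{section}]")
            continue
        if section is None:
            raise ValueError(f"line {lineno}: entry before any section header")
        # Each entry ends with ';'; inside the IP list ';' is the separator.
        body = line[:-1] if line.endswith(";") else line
        m = ENTRY_RE.match(body)
        if not m:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        _, host_id, ip_part = m.groups()
        ips: List[str] = []
        if ip_part is not None:
            for ip in ip_part.split(";"):
                if not ip:
                    raise ValueError(f"line {lineno}: empty IP address field")
                ips.append(str(ipaddress.IPv4Address(ip)))  # raises on a bad address
        result[section].append(ServerEntry(host_id.upper(), ips))
    return result


def missing_tunnel_entries(parsed: Dict[str, List[ServerEntry]],
                           tunneled_by: Dict[str, List[str]]) -> List[str]:
    """Return 'id:ip' for tunneled server IPs absent from that coordinator's list."""
    missing = []
    for entries in parsed.values():
        for e in entries:
            known = set(tunneled_by.get(e.host_id, []))
            missing += [f"{e.host_id}:{ip}" for ip in e.tunneled_ips if ip not in known]
    return missing


# Constructed sample file: a DNS server on a ViPNet host (identifier taken from
# the guide's example), two DNS servers and one WINS server tunneled by a
# coordinator with the constructed identifier 000101ab.
SAMPLE_DNS_TXT = """
[DNSLIST]
ID00=000100CA;
ID01=000101ab-192.0.2.10;192.0.2.11;

[WINSLIST]
ID00=000101ab-192.0.2.20;
"""

# Constructed tunneled-address list of coordinator 000101AB; 192.0.2.11 is absent.
SAMPLE_TUNNELED = {"000101AB": ["192.0.2.10", "192.0.2.20"]}

if __name__ == "__main__":
    parsed = parse_dns_txt(SAMPLE_DNS_TXT)
    for name, entries in parsed.items():
        for e in entries:
            kind = "tunneled by" if e.tunneled else "installed on"
            print(f"{name}: server {kind} {e.host_id} {e.tunneled_ips}")
    print("not in tunneled list:", missing_tunnel_entries(parsed, SAMPLE_TUNNELED))
```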

Using DNS Servers on Domain Controllers

If your organization uses the Active Directory service in the ViPNet network, if there are DNS servers installed on ViPNet hosts, and if these servers synchronize with each other, then addressing the domain's hosts by DNS names may work incorrectly. To avoid such problems, for each host, you should register the same address on all redundant (backup) DNS servers. Follow one of these methods:

Place the unprotected DNS servers behind a separate network interface of the coordinator and configure tunneling of these servers by this coordinator (see Corporate DNS or WINS Server Is Tunneled by a Coordinator on page 123). Other (both protected and unprotected) hosts that address the DNS servers must not be behind the same interface of the coordinator, to avoid conflicts. If the hosts' IP addresses are registered on the protected DNS servers automatically, the IP addresses that correspond to the hosts' visibility addresses on this coordinator will be registered. If you register the hosts' IP addresses on the protected DNS servers manually, on each DNS server, register the hosts' visibility addresses (virtual or real) displayed in ViPNet Monitor on this coordinator. The unprotected hosts that address a DNS server to request a ViPNet host's IP address through the tunneling coordinator will receive the host's real IP address.

If you cannot place all DNS servers behind the same coordinator, or if the DNS servers have ViPNet Client installed on them, then either on the coordinators behind which the DNS servers are placed or in ViPNet Client on the servers, set the hosts (tunneled hosts, clients, and coordinators) registered on these DNS servers to be visible by their real IP addresses. To change the type of visibility addresses of all clients behind the coordinator, it is enough to change the visibility addresses on one of these clients in ViPNet Monitor. As a result, you will be prompted to apply this setting to all other clients behind this coordinator automatically.

9 Configuring the Integrated Firewall

General Principles of Traffic Filtering 127
Network Filters Overview 130
Using Object Groups 133
Creating Network Filters 146
Restoring Pre-defined Filters and Object Groups 155
The Example of Object Groups and Network Filters Usage 156
Anti-spoofing 159
Blocking IP Traffic 161
Disabling Traffic Protection 162

General Principles of Traffic Filtering

All IP traffic passing through ViPNet hosts is filtered. It can be divided into:
unencrypted traffic;
encrypted traffic (before encryption and after decryption);
tunneled traffic (before encryption and after decryption).

Figure 51. IP traffic types to which the filtering rules are applied

IP traffic from unprotected hosts is more likely to be hazardous to security, because in case of an attack it is difficult to detect its source and take measures to stop the attack.

Both encrypted and unencrypted traffic can be local or broadcast. Local IP traffic is the inbound or outbound traffic of a certain host (this host is the destination or the source of the IP packets). Broadcast IP traffic is the exchange of IP packets whose destination IP or MAC address is a broadcast one (the IP packets are addressed to all hosts of a certain network segment). Moreover, forward traffic may pass through a coordinator. A coordinator is neither the sender nor the receiver of forward IP packets, which pass through the coordinator to other hosts.

Figure 52. Types of encrypted and unencrypted IP traffic

To configure filtering rules correctly, you should be aware of the main principles of IP traffic filtering. All incoming and outgoing IP packets, both encrypted and unencrypted, are filtered in the following sequence:

1 Verification according to the anti-spoofing rules (see Anti-spoofing on page 159).

Note: This verification is applied only during the filtering of unencrypted IP traffic, including traffic between the tunneled hosts and the coordinator.

If an IP packet has an IP address allowed by the anti-spoofing rule, the packet passes this check. Otherwise, the packet is blocked.

2 Verification according to the network filters (see Network Filters Overview on page 130). If the IP packet meets the conditions specified in a network filter, this IP packet is allowed or blocked depending on the filter action. If the IP packet does not correspond to any of the filters, it is blocked.

IP packet filtering is illustrated by the scheme below:

Figure 53. Traffic filtering levels

Such a filtering method ensures high-level protection and allows connections only to the required hosts over the protocols and ports you specify. An IP packet is processed using network filters until it is allowed or blocked by one of them. As soon as the IP packet is allowed or blocked, no further filters are applied to it. If the IP packet is not processed by any of the filters, it is blocked. Network filters are applied to encrypted IP packets only after they are successfully decrypted and their source host is identified. In this case, the IP addresses of the ViPNet hosts do not have any impact.

Note: In ViPNet Coordinator version 3.2 and earlier, the filtering method is defined by the security level you choose.
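The two-step sequence above (anti-spoofing check on unencrypted traffic only, then network filters in priority order with first match winning and a blocking default) can be modeled in a few dozen lines. The following is an added example written for this guide; it is not ViPNet code and does not reproduce the product's data structures. The anti-spoofing table (networks expected behind each interface), the category ranks, the filter list and the sample packets are all constructed assumptions. Private network filters in the real product match on the identified ViPNet host rather than on IP addresses, which this model does not reproduce; the `encrypted` flag only controls whether the anti-spoofing check is skipped.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed rank per filter category; the guide states the order
# policy filters -> pre-defined/user-defined filters -> default filter.
CATEGORY_RANK = {"policy": 0, "user": 1, "default": 2}


@dataclass
class Packet:
    src: str          # source IP address
    dst: str          # destination IP address
    proto: str        # "tcp", "udp", "icmp", ...
    dport: int        # destination port (0 when not applicable)
    encrypted: bool   # True for ViPNet traffic already decrypted, False for public traffic
    iface: str        # interface the packet arrived on


@dataclass
class Filter:
    name: str
    action: str                         # "allow" or "block"
    category: str                       # "policy", "user" or "default"
    enabled: bool = True
    src: Optional[str] = None           # CIDR, None means any source
    dst: Optional[str] = None           # CIDR, None means any destination
    protos: frozenset = frozenset()     # empty means any protocol
    dports: frozenset = frozenset()     # empty means any destination port

    def matches(self, p: Packet) -> bool:
        """A disabled filter never matches; every specified parameter must match."""
        if not self.enabled:
            return False
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.protos and p.proto not in self.protos:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        return True


# Constructed anti-spoofing table (assumed shape): the networks that are
# legitimately located behind each interface of the coordinator.
ANTISPOOF = {
    "lan": [ipaddress.ip_network("10.0.0.0/8")],
    "wan": [ipaddress.ip_network("203.0.113.0/24")],
}


def passes_antispoof(p: Packet) -> bool:
    """Step 1: applied to unencrypted traffic only. A source address that
    belongs to a network behind interface X may only arrive on X."""
    if p.encrypted:
        return True
    addr = ipaddress.ip_address(p.src)
    for iface, nets in ANTISPOOF.items():
        if iface != p.iface and any(addr in net for net in nets):
            return False
    return True


def by_priority(filters):
    """Policy filters first, then pre-defined/user-defined, then the default
    filter. sorted() is stable, so list order is kept within a category."""
    return sorted(filters, key=lambda f: CATEGORY_RANK[f.category])


def decide(p: Packet, filters) -> tuple:
    """Step 2: return (action, reason). The first matching filter wins and
    later filters are not consulted; with no match at all the packet is blocked."""
    if not passes_antispoof(p):
        return ("block", "anti-spoofing")
    for f in by_priority(filters):
        if f.matches(p):
            return (f.action, f.name)
    return ("block", "no matching filter")


# Constructed filter list, in the order an administrator might have created it.
# The policy filter is listed second but is evaluated first because of its category.
FILTERS = [
    Filter("Allow LAN to web server", "allow", "user",
           src="10.0.0.0/8", dst="10.0.1.10/32", protos=frozenset({"tcp"})),
    Filter("Block telnet (policy)", "block", "policy",
           protos=frozenset({"tcp"}), dports=frozenset({23})),
    Filter("Default block", "block", "default"),
]

if __name__ == "__main__":
    for pkt in (Packet("10.0.0.5", "10.0.1.10", "tcp", 443, False, "lan"),
                Packet("10.0.0.5", "10.0.1.10", "tcp", 23, False, "lan"),
                Packet("10.0.0.5", "10.0.1.10", "tcp", 443, False, "wan")):
        print(pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, decide(pkt, FILTERS))
```

The third sample packet carries a LAN source address but arrives on the WAN interface, so it is dropped by the anti-spoofing step before any network filter is consulted; the telnet packet is blocked by the policy filter even though an allow filter precedes it in the list, which is the priority behaviour the guide describes.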

Network Filters Overview

Separate network filters are created for private network, public network, and tunneled hosts traffic. They function as follows:

- On a ViPNet host, public network filters allow or block IP packets from unprotected hosts. They may be created separately for the local and for the forward traffic.

Note: Unprotected hosts are computers where ViPNet software with the traffic encryption function is not installed. Computers with the ViPNet CryptoService and ViPNet Registration Point software installed are also considered unprotected hosts.

- Private network filters allow you to limit IP traffic exchange with the ViPNet hosts your host is linked with.
- Tunneled hosts filters define the rules for IP packets transferred between tunneled hosts and the ViPNet hosts this coordinator is linked with.

All network filters are divided into the following categories:

- Filters accepted with security policies (see Security policy on page 385) from the ViPNet Policy Manager program. In the administrator mode, there is an option to exclude such filters from the network filters lists (see ViPNet Monitor Advanced Settings on page 248).
- Pre-defined and user-defined filters. If you upgraded ViPNet Monitor from 3.x to 4.x, you do not have pre-defined filters. Only the filters that had been configured before the upgrade are present in the network filters lists (in the converted format).
- Default filters.

Filters that have been accepted from ViPNet Policy Manager have a higher priority than the rest of the filters and are applied first. Pre-defined and user-defined filters of the ViPNet Monitor program have lower priority. With proper permissions, you can edit or delete them at any time. Default filters are applied at the end of packet processing. This category includes only one network filter: a blocking filter that is not one of the filters from the above-mentioned categories.

Network filters are applied in the order shown in the scheme:

Figure 54. The priority of applying network filters

You can view the lists of network filters in the view pane of the ViPNet Coordinator Monitor window, in the Private Network Filters, Tunneled Hosts Filters, Forward Public Network Filters, and Local Public Network Filters sections.

Figure 55. Private network filters

Network filters have the following peculiarities:

- In filters, the following parameters are specified:
  - Action applied to IP packets. Filters can allow or block IP packets that correspond to the specified parameters.

  - IP packets' source and destination the filter is applied to.
  - Protocols over which the IP packets are transferred.
  - Schedule of applying a filter.
  To specify the filter parameters, you can use object groups (see Using Object Groups on page 133).
- User-defined filters affect both new and earlier-created connections. Thus, if a filter blocking the traffic of a certain connection is added after this connection has been established, this connection will be broken.
- Filters are applied to IP packets in the same order as they are on the list. If an IP packet is allowed or blocked by the first filter that specifies its parameters, the rest of the filters do not affect this IP packet.
- In the ViPNet Monitor program, the filters of different categories are displayed in the lists of the corresponding groups. Their order corresponds to their priority (see the previous scheme). You cannot change the order of the filters received from ViPNet Policy Manager or of the default filters. You can change the order of the pre-defined filters and the user-defined filters with the buttons for moving a filter up or down the list.
- The filters you cannot edit or delete are marked with a special icon.
- To change the filter action, double-click the filter and, in its properties window, in the General Options section, select the required action.
- To enable or disable a filter, select or clear the check box near the filter's name.
- When network filters are edited or new filters are created, the status bar displays a message that the filters have been modified but have not been applied yet. To apply the edited or created filters, click Apply all and, within 30 seconds, confirm saving the changes. If you do not want to save the changes, click Cancel. In this case, the previous filter settings will be restored.
- If necessary, you may discard all changes and restore the pre-defined filters (see Restoring Predefined Filters and Object Groups on page 155).

Using Object Groups

Object groups make it easier to create network filters and NAT rules in ViPNet Monitor. They unite several values of the same type. You may use an object group instead of separate objects when you configure a filter or a rule. Object groups can be of several types:

Figure 56. Types of object groups

- Built-in object groups contain default objects with unchangeable names, which you may use in user-defined object groups and in the network filters you create to specify IP packets' source and destination. Built-in object groups are not displayed in group lists. You cannot edit or delete them. For a list of built-in object groups, see Built-in Object Groups (on page 134).
- Object groups created in the ViPNet Policy Manager program and distributed with security policies. They are not available for editing or for use in the network filters you create, NAT rules, or user-defined object groups. In ViPNet Monitor, you can only view the contents of these groups.
- User-defined object groups are created in the ViPNet Monitor program by a ViPNet user. They also include some default groups. For more information on default groups, see User-Defined Object Groups Set by Default (on page 135).

Object groups vary in their contents, and you may specify exceptions from each group's contents. A group's contents and exceptions may include other object groups of the same category or some built-in object groups. You can work with such groups in the ViPNet Coordinator Monitor window, Object Groups section.

Figure 57. Working with user-defined object groups

User-defined object groups are of the following types:

- ViPNet Hosts, which is a group of hosts in a private network. You can use it in private network filters and tunneled hosts filters.
- IP Addresses, which may include single IP addresses, IP address ranges, and DNS names. You can use it in NAT rules and network filters (except for private network filters).
- Interfaces, which may include network interfaces and their IP addresses. You can use it in network filters only on a coordinator (except for private network filters).
- Protocols, which may include protocols and ports. You can use it in any filters and NAT rules.
- Schedules, which may include timing conditions for network filter application by time and day of the week. You can use it in any filters.

You may create an object group of any category. It is rational to group the sets of objects you often use. For more information about group creation, see Creating and Editing Object Groups (on page 136).

Built-in Object Groups

The table contains a list of built-in object groups with their values.

Table 4. Built-in object groups

Object group name | Value
All clients | All clients from the host links of the host.
All coordinators | All coordinators from the host links of the host.
All objects | A collection of all objects belonging to a certain type in a group. You can specify it only as a part of another group of objects. It allows you to create groups including all objects but some exceptions.
Broadcast IP addresses | All broadcast addresses. Used for creating broadcast filters.
My ViPNet host | Your ViPNet host. You may specify it only as a source of IP packets for outbound connections or as a destination for inbound connections.
Other hosts | Any ViPNet hosts except for your host. You may specify it only as a source of IP packets for inbound connections or as a destination for outbound connections.
Tunneled IP addresses | All IP addresses tunneled by this coordinator.
Group IP addresses | The IP address range for group distribution. You may specify it only as a destination for a local public connection.

User-Defined Object Groups Set by Default

In ViPNet Coordinator, there are some preset object groups.

Default IP addresses groups:
- Public IP Addresses. This group contains all IP addresses except for private IP addresses.
- Private IP Addresses. This group contains all IP addresses of local networks.

Default protocol groups:
- ViPNet Cluster is a group where the UDP protocol with the source and destination ports 2060 is specified in the contents. It is used in the Service ViPNet packets private network filter for ViPNet Cluster. This protocol group and this filter are displayed only if the ViPNet Cluster software is installed on your host.
- ViPNet Service is a group where the UDP protocol with the source and destination ports 2046, 2048 and 2050 is specified in the contents. It is used in the Service ViPNet packets private network filter.

- NetBIOS and WINS Service is a group where the UDP protocol with the source and destination ports 137 and the UDP protocol with the source and destination ports 138 are specified in the contents. It is used in the Allow NetBIOS and WINS private network and public network filters.
- DHCP Service is a group where two UDP protocols are specified in the contents. One of them has the source port 67 and the destination port 68. The other one has the source port 68 and the destination port 67. It is used in the Allow DHCP private network and public network filters.

Default schedules groups:
- Weekend days is a group with a schedule where weekends (Saturday and Sunday) are specified.
- Work week is a group with a schedule where working days (from Monday to Friday) are specified.

Creating and Editing Object Groups

To create a new object group:

1 In the main ViPNet Monitor window, in the navigation pane, select Object Groups.
2 In the view pane, click the link corresponding to the type of the object group you are creating, or, in the navigation pane, go to the corresponding subsection.
3 In the view pane, click Create. The object group properties dialog box will be displayed. Specify the new group's parameters.
4 In the General Options section, specify the name of the new object group. A group name must be unique.
5 In the Contents section, specify the contents of the group you are creating. When you are creating a group of the following type:
- ViPNet Hosts, specify the ViPNet hosts that should be included in this group. For more information, see Adding ViPNet Hosts (on page 140). You may also include the built-in object groups All coordinators and All clients (see Built-in Object Groups on page 134) in the ViPNet Hosts group.

Figure 58. Creating ViPNet hosts group contents

- IP Addresses, specify separate IP addresses, an IP address range or subnetwork, or DNS names. For more information, see Adding IP Addresses and DNS Names (on page 141).

Figure 59. Creating IP addresses group contents

- Interfaces, specify an IP address of an interface or a group of interfaces. For more information about adding network interfaces' IP addresses, see Adding IP Addresses and DNS Names (on page 141). You may also include your host's available interfaces in a group of interfaces. In this case, you do not have to specify their IP addresses; just select them on the Add menu.

Figure 60. Creating interface group contents

- Protocols, specify protocols and, if necessary, port numbers. For more information, see Adding Protocols (on page 142).

Figure 61. Creating protocols group contents

- Schedules, compose a schedule of days of the week or time ranges. You may use such schedules later to limit the period during which a network filter is in effect. For more information, see Adding Schedules (on page 143).

Figure 62. Creating schedules group contents

Note: Each object group may include subgroups of objects of the same type; in other words, you may nest groups of the same type (see Object Groups Nesting on page 144). Moreover, you may add the All objects system group to any object group, for example, when you need to create a group including all objects but some exceptions.

6 In the Exceptions section, specify exceptions from the object group contents, in other words, the objects that should not be present in the object group. For example, to create a group of protected hosts consisting of all coordinators except for one, add the built-in group All coordinators to the contents, and then specify that coordinator as an exception. You may specify another object group of the same type as an exception, too. Exceptions are created in the same way as object groups' contents.

Note: You do not need to edit the Usage section. A list of filters using this object group is displayed there. When you are creating a new object group, this section is empty.

7 Click OK to complete the task. As a result, the newly created group will be displayed in the list of object groups of the selected type.

If you create an object group and do not specify its contents, such a group is considered empty. We do not recommend using empty groups in network filters, because filters that use them will not be applied.

To edit group properties, select this group in the corresponding object group subsection and double-click it or click Properties. After you edit the general properties of the group or the items included in it, in the group properties dialog box, click OK.

To delete an object group, select it in the corresponding subsection and click Delete. Confirm group deletion. If the object group you are deleting is used by any network filters or NAT rules, or if it is nested in another object group, you will be prompted about it and it will not be deleted. In this case, in the

message window, click Show Details and view in which objects this group is used, then remove the group from these objects and repeat the deletion.

Figure 63. An object group cannot be deleted

To enable the created or modified object groups, in the Object Groups section, click Apply all. In the displayed window, within 30 seconds, confirm saving the changes. If you do not want to save the changes, click Cancel.

Adding ViPNet Hosts

You may add ViPNet hosts to host groups' contents and exceptions or choose them as the source and destination when creating private network filters and tunneled hosts filters. To do this:

- When creating a hosts group or a network filter, you may add a chosen set of ViPNet hosts. To do this, in the hosts group properties dialog box or network filter properties dialog box, in the corresponding section, click Add and, on the menu, click ViPNet host. In the new window, in the list, select a host or multiple hosts and click OK.

Figure 64. Choosing ViPNet hosts

As a result, the selected ViPNet hosts will be added to the group or filter.

- When creating a hosts group, you may add a set of hosts of a certain ViPNet network. To do this, in the corresponding sections of the group properties dialog box, click Add and, on the menu, click ViPNet network number. Type the number of the corresponding network. As a result, all hosts of the selected network will be added.
- When creating a hosts group, you may add a set of hosts whose names match a mask you specify. To do this, in the corresponding sections of the group properties dialog box, click Add and, on the menu, click ViPNet host name template. Set a mask for a host name. You may set a mask in the standard way by using an asterisk (*) and a question mark (?). As a result, all hosts whose names match the mask will be added.

Adding IP Addresses and DNS Names

You may add IP addresses or DNS names to the contents and exceptions of IP addresses groups or specify them when defining the source and destination in network filters (except for private network filters) and NAT rules. You may add IP addresses to interface groups' contents and exceptions, too. In this case, you add the IP addresses of network interfaces.

To add IP addresses in one of the mentioned cases:

1 In the IP addresses group, network filter or NAT rule properties, in the corresponding section, click Add and, on the menu, click IP Address or Range; or, in the interfaces group, filter or rule properties, when defining network interfaces, click Interface with IP address.
2 In the displayed window, do the following:
- To add a certain IP address you know, click IP Address and, in the corresponding box, type this IP address.
- To add IP addresses within a subnet, click Subnet and, in the corresponding boxes, type this subnet's address and mask.
- To set an IP addresses range, click IP addresses range and, in the corresponding boxes, specify the beginning and the ending addresses of the range.

Figure 65. Adding IP addresses

After you type the required data, click OK. As a result, the specified IP address or IP addresses will be added.

To add a DNS name, in the IP addresses group properties or network filter properties, in the corresponding section, click Add and, on the menu, click DNS name. Type the DNS name and click OK. As a result, the DNS name will be added.

Adding Protocols

You may add protocols to the contents of protocol groups and their exceptions or specify them when creating any network filter or NAT rule. To add protocols in one of the mentioned cases, in the protocols group, network filter, or NAT rule, in the corresponding section, click Add and, on the menu, click:

- TCP/UDP Protocol to add the TCP or UDP protocol with the source and destination port numbers. In the displayed window, do the following:
  - Depending on the protocol you want to add, under Protocol, choose the corresponding option.
  - If necessary, specify source port numbers. To do this, select:
    - All ports to specify all ports, which may be useful when, for example, you do not know the required port number.
    - Port number to specify a certain port number. In the corresponding list, select the required number.
    - Range to specify a port number range. In the corresponding boxes, specify the start and the end numbers of the range.
  - If necessary, set the destination port in the same way.

Figure 66. Adding the TCP or UDP protocol

After you type the required data, click OK.

- ICMP message to add the ICMP protocol. In the displayed window, select the ICMP protocol type and code (if necessary) and click OK.
- IP protocol to add other protocols. In the list, select the required protocol or type the protocol code (if you know it) and click OK.

Adding Schedules

You may add network filter schedules to the contents and exceptions of schedule groups or set them when configuring any network filter (if you want the filter to be enabled at a certain time or in certain time ranges). To add a schedule in one of the mentioned cases:

1 In the schedules group properties or network filter properties, in the corresponding section, click Add and, on the menu, click Time range.
2 In the displayed window, configure the schedule:
- Under Date when the filter will be enabled, set the time range when the network filter will be enabled. Click one of the following options:
  - Daily to enable the network filter every day at the specified time. If you need the filter to be enabled for a certain time period (for example, for two weeks), select the corresponding check box and set the required date range.
  - Weekly to enable the network filter on certain days of the week. Select the corresponding check boxes.

Figure 67. Adding a schedule

3 After you type the required data, click OK. As a result, a schedule with the specified parameters will be added.
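The two schedule kinds described above (Daily with an optional date period, Weekly by days of the week) decide whether a filter is in effect at a given moment, and schedule groups with contents and exceptions combine them. The following added example, written for this guide and not taken from the ViPNet product, evaluates such schedules against a timestamp. Everything in it is an assumption about how the settings compose: the half-open time range, a range whose end precedes its start wrapping past midnight, equal start and end meaning the whole day, and an exception schedule overriding the contents, as well as the constructed groups that mirror the default Work week and Weekend days groups.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, time
from typing import Optional, Tuple


def in_time_range(t: time, start: time, end: time) -> bool:
    """Half-open range [start, end). A range that ends before it starts
    (22:00-06:00) is assumed to wrap past midnight; start == end is taken
    as 'the whole day' (both are assumptions of this model)."""
    if start == end:
        return True
    if start < end:
        return start <= t < end
    return t >= start or t < end


@dataclass
class DailySchedule:
    """Daily: active every day within the time range; an optional date
    period (for example two weeks) limits the days on which it applies."""
    start: time
    end: time
    period: Optional[Tuple[date, date]] = None

    def active(self, at: datetime) -> bool:
        if self.period and not (self.period[0] <= at.date() <= self.period[1]):
            return False
        return in_time_range(at.time(), self.start, self.end)


@dataclass
class WeeklySchedule:
    """Weekly: active on the selected days of the week (0 = Monday ... 6 = Sunday)."""
    weekdays: frozenset
    start: time = time(0, 0)
    end: time = time(0, 0)      # equal to start: the whole selected day

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.weekdays and in_time_range(at.time(), self.start, self.end)


@dataclass
class ScheduleGroup:
    """Schedules object group: active when any content schedule is active
    and no exception schedule is active. Groups may nest other groups."""
    name: str
    contents: list = field(default_factory=list)
    exceptions: list = field(default_factory=list)

    def active(self, at: datetime) -> bool:
        if any(s.active(at) for s in self.exceptions):
            return False
        return any(s.active(at) for s in self.contents)


def filter_enabled(schedule, at: datetime) -> bool:
    """A filter without a schedule is always enabled; otherwise it is
    enabled only while its schedule is active."""
    return schedule is None or schedule.active(at)


# Constructed groups mirroring the default Work week and Weekend days groups.
WORK_WEEK = ScheduleGroup("Work week", [WeeklySchedule(frozenset(range(0, 5)))])
WEEKEND_DAYS = ScheduleGroup("Weekend days", [WeeklySchedule(frozenset({5, 6}))])
# Business hours only, and only during an assumed two-week maintenance window.
MAINTENANCE = DailySchedule(time(9, 0), time(18, 0), (date(2024, 3, 4), date(2024, 3, 17)))
# Work week, except while the maintenance window is active.
WORK_WEEK_NO_MAINT = ScheduleGroup("Work week outside maintenance", [WORK_WEEK], [MAINTENANCE])

if __name__ == "__main__":
    for when in (datetime(2024, 3, 9, 12, 0), datetime(2024, 3, 11, 10, 0), datetime(2024, 3, 11, 19, 0)):
        print(when, "work week:", WORK_WEEK.active(when),
              "work week outside maintenance:", WORK_WEEK_NO_MAINT.active(when))
```

The nested group shows why the exception slot matters for a filter schedule: an allow filter bound to WORK_WEEK_NO_MAINT silently stops matching during the maintenance window and the default blocking filter takes over, which is the behaviour to verify with a few timestamps before applying the change.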

Object Groups Nesting

Each object group may include subgroups of objects of the same type; in other words, you may nest groups of the same type. Let's see in what cases you may need this feature.

Suppose there is an organization uniting several departments: the finance department, the sales department, and the IT department. Each department has a certain number of employees and ViPNet hosts. You need to perform the following tasks:

1 Allow any connections to and from the IT department.
2 Allow all staff of your organization to access the Internet.
3 Allow the finance department staff to access the CRM system server, which is located in a separate network segment.

In all three cases, you should configure local public network filters. When creating network filters, you must specify the IP packets' source and destination IP addresses. If you need to create more than one filter for the same set of IP addresses, you may add the IP addresses one by one or as an IP address range. But we recommend that you join the frequently used IP address sets into groups, which you can add as sources or destinations for as many network filters as needed. We recommend that you group IP addresses in the following way:

1 For every department, create an IP addresses group that includes the IP addresses of the department's hosts.
2 Create a common group that will include the departments' addresses groups.
3 By using the IP addresses groups for the IT department and the finance department, create filters for solving tasks 1 and 3. By using the common IP addresses group, create a forward public network filter and a source NAT rule for solving task 2 (see Deploying a DMZ on page 197).

Figure 68. Nested IP address groups

Similarly, you can use the nested hierarchy when grouping objects of other types. For example, if the staff of different departments have to access different types of public resources (web servers, FTP servers, mail servers, IP telephony), you may use protocol groups:

1 Create a protocol group for each type of public resource.
2 For every department, create a protocols group which includes the protocol groups for the resources that have to be accessible to the department's staff.

3 Use the departments' protocol groups for creating local public network filters and NAT rules that will allow the department's staff to access the Internet.

Figure 69. Nested protocol groups

Nested object groups are convenient because, when the network structure or security policy changes, you will need to make only minimal changes in the existing network filters and object groups. For example, when a department engages new employees, you will need just to add the IP addresses of their computers to the department's IP addresses group. As a result, the new employees will be able to establish network connections according to the specified network filters.
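The department example above, together with the exceptions mechanism and the All objects group from Creating and Editing Object Groups, amounts to a small membership algebra: a group's contents minus its exceptions, evaluated recursively through nested groups. The following added example, written for this guide and not part of the ViPNet product, implements that resolution for IP addresses groups so that an administrator can check which addresses a nested group actually covers before binding it to a filter. The department address ranges, the excluded host and the sentinel used for All objects are constructed assumptions; the cycle check is an addition of this model, since the guide does not say how the product treats a group nested in itself.

```python
import ipaddress
from dataclasses import dataclass, field

# Stands in for the built-in "All objects" group, which the guide says may
# only be used as part of another group (assumption: modeled as a sentinel).
ALL_OBJECTS = object()


@dataclass
class IPGroup:
    """An IP addresses object group. contents and exceptions may hold CIDR
    strings or single addresses, nested IPGroup instances, or ALL_OBJECTS."""
    name: str
    contents: list = field(default_factory=list)
    exceptions: list = field(default_factory=list)

    def is_empty(self) -> bool:
        """A group without contents is considered empty; filters that use it
        are not applied, so this is worth checking before saving a filter."""
        return not self.contents

    def contains(self, ip, _seen=frozenset()) -> bool:
        """True if ip is covered by the contents and not by the exceptions.
        Nested groups are evaluated recursively; a cycle raises ValueError."""
        if self.name in _seen:
            raise ValueError(f"cyclic nesting at group {self.name!r}")
        seen = _seen | {self.name}
        if isinstance(ip, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
            addr = ip
        else:
            addr = ipaddress.ip_address(ip)

        def hit(items) -> bool:
            for item in items:
                if item is ALL_OBJECTS:
                    return True
                if isinstance(item, IPGroup):
                    if item.contains(addr, seen):
                        return True
                elif addr in ipaddress.ip_network(item):
                    return True
            return False

        # Exceptions win over contents, as with "all coordinators except one".
        return not hit(self.exceptions) and hit(self.contents)


def is_well_formed(group: IPGroup, _seen=frozenset()) -> bool:
    """False when a group is nested, directly or indirectly, inside itself."""
    if group.name in _seen:
        return False
    seen = _seen | {group.name}
    for item in group.contents + group.exceptions:
        if isinstance(item, IPGroup) and not is_well_formed(item, seen):
            return False
    return True


# Constructed department groups following the guide's example; the address
# ranges and the excluded host are assumptions.
FINANCE = IPGroup("Finance", ["10.1.0.0/24"])
SALES = IPGroup("Sales", ["10.2.0.0/24"])
IT = IPGroup("IT", ["10.3.0.0/24"], exceptions=["10.3.0.250"])   # one IT host excluded
ALL_DEPARTMENTS = IPGroup("All departments", [FINANCE, SALES, IT])
# "Everything except Finance", built with All objects plus an exception.
NOT_FINANCE = IPGroup("Not Finance", [ALL_OBJECTS], exceptions=[FINANCE])

if __name__ == "__main__":
    for ip in ("10.1.0.7", "10.3.0.250", "192.0.2.9"):
        print(ip, "all departments:", ALL_DEPARTMENTS.contains(ip),
              "not finance:", NOT_FINANCE.contains(ip))
```

Note that the host excluded from the IT group stays excluded when the IT group is nested in the common group, because the nested group is evaluated with its own exceptions; if the common group were meant to include that host, it would have to list it directly.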

Creating Network Filters

In the ViPNet Coordinator program, you can create the following filters:
- private network filters,
- tunneled hosts filters,
- forward public network filters,
- local public network filters.

To create any of these filters:

1 In the navigation pane of the main ViPNet Monitor window, select Network Filters and then click the type of filters you are going to create.
2 In the view pane, click Create. The network filter properties dialog box will be displayed. Specify the new filter's parameters.
3 In the General Options section, do the following:
- In the corresponding box, type the filter's name.
- Specify the new filter's action (block or allow traffic) by clicking the corresponding option under Action. The default filter action is Block IP traffic.

Figure 70. Specifying general parameters of a filter

4 In the Sources section, specify the IP packets' source the filter action will be applied to.
5 In the Destination section, specify the IP packets' destination the filter action will be applied to.
6 In the Protocols section, specify the protocol you want to filter with. In this case, only the IP packets sent over this protocol will be processed with this filter.

Figure 71. Adding protocols while creating a filter

7 In the Schedule section, specify the filter schedule.

Figure 72. Adding a schedule while creating a filter

8 To save the new filter's parameters, click OK. As a result, the newly created filter will be displayed in the view pane. The created filter will be enabled if you have not cleared the corresponding check box when specifying the filter's general parameters. To disable a network filter, clear the check box associated with the filter's name. Network filters are applied in the same order as they are on the list.
9 To set the priority of the created filter, change its position on the list with the buttons for moving a filter up or down.
10 To apply the created filter, click Apply all after you configure it. In the displayed window, within 30 seconds, confirm saving the changes.

For more information about creating filters of various types, see the corresponding sections later in this document.

Creating Private Network Filters

To create a filter for encrypted traffic (see Network Filters Overview on page 130):

1 In the navigation pane of the main ViPNet Monitor window, select Network Filters > Private Network Filters.

2 In the view pane, click Create and, in the displayed window, configure the new filter for encrypted traffic.
3 In the General Options section, specify the filter name and action: block or allow IP traffic.
4 In the Sources section, specify the source of encrypted IP packets. To do this, add:
- One or several ViPNet hosts at once (see Adding ViPNet Hosts on page 140).
- One or several ViPNet host groups, if you have created them (see Creating and Editing Object Groups on page 136).
- The built-in object group My ViPNet host. In this case, the filter will be applied to outbound connections of your ViPNet host.
- The built-in object group Other hosts. In this case, the filter will be applied to inbound connections of your ViPNet host.
- The built-in object groups All coordinators and All clients (see Built-in Object Groups on page 134).
If you do not specify a source, the filter will be applied to all IP packets sent by any protected host and by your host as well.

Figure 73. Specifying encrypted IP packets source

5 In the Destination section, specify the destination of the protected IP packets. To do this, add:
- One or several ViPNet hosts at once (see Adding ViPNet Hosts on page 140).
- One or several ViPNet host groups, if you have created them (see Creating and Editing Object Groups on page 136).
- The built-in object group My ViPNet host. In this case, the filter will be applied to inbound connections of your ViPNet host.
- The built-in object group Other hosts. In this case, the filter will be applied to outbound connections of your ViPNet host.
- The built-in object groups All coordinators and All clients (see Built-in Object Groups on page 134).
- The built-in object group Broadcast. In this case, the filter will be applied to broadcast packets.

If you specify Broadcast as a destination and My ViPNet host or Other hosts as a source (see earlier in this section), filters will be created for outgoing or incoming broadcast IP packets respectively. If you do not specify the destination, the filter will be applied to all IP packets sent to any ViPNet host and to your host as well.

Figure 74. Specifying encrypted IP packets destination

6 In the Protocols section, specify the protocol you want to filter with.
7 In the Schedules section, specify the filter schedule if necessary.
8 Click OK. As a result, the newly created filter will be displayed in the view pane.

Creating Filters for Tunneled Hosts

To create a filter for traffic passed between the coordinator's tunneled hosts and ViPNet hosts (see Network Filters Overview on page 130):

1 In the main ViPNet Monitor window, in the navigation pane, select Network Filters > Tunneled Hosts Filters.
2 In the view pane, click Create and, in the displayed window, configure the new tunneled hosts' traffic filter.
3 In the General Options section, specify the filter name and action: block or allow IP traffic.
4 In the Sources section, specify the tunneled traffic source. If the source is a tunneled host, add:
- The host's IP address or the address range, if there are several hosts (see Adding IP Addresses and DNS Names on page 141).
- A tunneled IP addresses group, if created earlier (see Creating and Editing Object Groups on page 136).
- The Tunneled IP addresses built-in object group (see Built-in Object Groups on page 134).
If the source is a ViPNet host, add:

- One or several ViPNet hosts at once (see Adding ViPNet Hosts on page 140).
- One or several ViPNet host groups, if created earlier (see Creating and Editing Object Groups on page 136).
- The built-in object groups All coordinators and All clients.

Note: If the source is a tunneled host, you may choose only a ViPNet host or ViPNet hosts as the destination, and vice versa.

If you do not specify a source host, the filter will be applied to IP packets sent by any tunneled host or any ViPNet host, depending on the specified destination hosts.

Figure 75. Setting the IP packets source

5 You may specify an additional network interface that will receive tunneled IP packets from the specified sources. To do this, select the Network adapter check box and add:
- An IP address or an IP addresses range of the interfaces (see Adding IP Addresses and DNS Names on page 141).
- One of the host's available interfaces.
- A group of interfaces, if you have created any (see Creating and Editing Object Groups on page 136).
6 In the Destination section, specify the destination of tunneled IP packets. If the source is a tunneled host, you may choose only a ViPNet host or ViPNet hosts as the destination. If the source is a ViPNet host or a ViPNet host group, you may choose only a tunneled host as the destination. You can add the destination in the same way as you add the source. If you do not specify a destination host, the filter will be applied to IP packets sent to any tunneled host or any ViPNet host, depending on the specified source hosts.
7 You may specify an additional network interface that will send tunneled IP packets to the specified hosts.

Figure 76. Setting the connection destination when creating a tunneled hosts filter

8 In the Protocols section, specify the protocol you want to filter with (see figure 71 on page 147). You may add the required protocols (see Adding Protocols on page 142) or protocol groups, if you have created any (see Creating and Editing Object Groups on page 136).
9 In the Schedules section, specify the filter schedule (see figure 72 on page 147). You may add a new schedule (see Adding Schedules on page 143) or a schedule group, if you have created any (see Creating and Editing Object Groups on page 136).
10 Click OK. As a result, the newly created filter will be displayed in the view pane.

Creating Forward Public Network Filters

With forward filters, you can create filtering rules for forward unencrypted IP packets passing through a coordinator (in other words, for the packets whose source and destination addresses do not match any of the coordinator's addresses). To create a filter for forward unencrypted traffic:

1 In the navigation pane of the main ViPNet Monitor window, select Network Filters > Forward Public Network Filters.
2 In the view pane, click Create and, in the displayed window, configure the new forward public network filter.
3 In the General Options section, specify the filter name and action: block or allow IP traffic.
4 In the Sources section, specify the source of forward IP packets. To do this, add:
- A source IP address, a DNS name, or an IP addresses range if there are several IP addresses (see Adding IP Addresses and DNS Names on page 141).
- Source IP addresses groups, if you have created any (see Creating and Editing Object Groups on page 136).
If you do not specify a source, the filter will be applied to forward IP packets sent to any unprotected hosts via the coordinator.

Figure 77. Setting the forward IP packets source

5 You may specify a network interface that will receive forward IP packets from the specified sources. To do this, select the Network adapter check box and add:
- An IP address or an IP addresses range of the interfaces (see Adding IP Addresses and DNS Names on page 141).
- One of the host's available interfaces.
- A group of interfaces, if you have created any (see Creating and Editing Object Groups on page 136).
6 In the Destination section, similarly, set the destination of the forward IP packets and, if needed, specify a network interface that will send forward IP packets to the specified hosts. If you do not specify a destination, the filter will be applied to all forward IP packets sent to any unprotected host via the coordinator.
7 In the Protocols section, specify the protocol you want to filter with (see figure 71 on page 147). You may add the required protocols (see Adding Protocols on page 142) or protocol groups, if you have created any (see Creating and Editing Object Groups on page 136).
8 In the Schedules section, specify the filter schedule (see figure 72 on page 147). You may add a new schedule (see Adding Schedules on page 143) or a schedule group, if you have created any (see Creating and Editing Object Groups on page 136).
9 Click OK. As a result, the newly created filter will be displayed in the view pane.

For an example of forward traffic filters, see Deploying a DMZ (on page 197).

Creating Local Public Network Filters

To create a filter for local unencrypted traffic (see Network Filters Overview on page 130):

1 In the navigation pane of the main ViPNet Monitor window, select Network Filters > Local Public Network Filters.
2 In the view pane, click Create and, in the displayed window, configure the new filter for unencrypted traffic.

3 In the General Options section, specify the filter name and action: block or allow IP traffic.

4 In the Sources section, specify the source of unencrypted IP packets. To do this, add:
- A source IP address, a DNS name, or an IP addresses range if there are several IP addresses (see Adding IP Addresses and DNS Names on page 141).
- Source IP addresses groups (if you have created any) (see Creating and Editing Object Groups on page 136).
- The built-in object group My ViPNet host. In this case, the filter will be applied to outbound unprotected connections of your host.
- The built-in object group Other hosts. In this case, the filter will be applied to inbound unprotected connections of your host.
If you do not specify a source, then the filter will be applied to all IP packets sent by any unprotected hosts and by your host as well.

Figure 78. Setting the unencrypted IP packets source

5 You may specify a network interface that will receive unencrypted IP packets from the specified sources or send the unencrypted packets (if the source is My ViPNet host). To do this, select the Network adapter check box and add:
- An IP address or an IP addresses range of the interfaces (see Adding IP Addresses and DNS Names on page 141).
- One of the available host's interfaces.
- A group of interfaces, if you have created any (see Creating and Editing Object Groups on page 136).

6 In the Destination section, specify the destination of unencrypted IP packets. To do this, add:
- A destination IP address, a DNS name, or an IP addresses range if there are several IP addresses.
- Destination IP addresses groups, if you have created any.
- The built-in object group My ViPNet host. In this case, the filter will be applied to inbound unprotected connections of your host.
- The built-in object group Other hosts. In this case, the filter will be applied to outgoing unprotected connections of your host.

- The Broadcast IP addresses built-in object group, if you want to add broadcast addresses. In this case, the filter will be applied to broadcast packets.
- The Group IP addresses built-in object group. In this case, the filter will be applied to the packets sent via group distribution.
If you do not specify a destination, then the filter will be applied to all IP packets sent to any unprotected host.

Figure 79. Specifying the IP packets destination in the public network

7 You may specify a network interface that will send IP packets to the specified hosts.

8 In the Protocols section, specify the protocol you want to filter with (see figure 71 on page 147). You may add the required protocols (see Adding Protocols on page 142) or protocol groups if you have created any (see Creating and Editing Object Groups on page 136).

9 In the Schedules section, specify the filter schedule (see figure 72 on page 147). You may add a new schedule (see Adding Schedules on page 143) or a schedule group if you have created any (see Creating and Editing Object Groups on page 136).

10 Click OK. As a result, the newly created filter will be displayed in the view pane.

Restoring Pre-defined Filters and Object Groups

If you are not going to use the list of network filters you have created, you can roll back to the pre-defined filters. In this case, all lists of user-defined filters will be overwritten by the pre-defined ones. Pre-defined object groups will be restored too.

To restore pre-defined filters and object groups:

1 In the navigation pane of the main ViPNet Monitor window, select Network Filters.

2 In the view pane, click Restore Network Filters.

3 In the Delete Filters window, confirm the operation by clicking Yes.

As a result, in all network filters sections of the program, under Custom Filters, you will see only pre-defined filters. In the Object Groups subsections, only pre-defined groups will be displayed.

The Example of Object Groups and Network Filters Usage

Let's describe a typical object groups and network filters use case. Suppose there is a corporate mail server with ViPNet Monitor installed. It is required that this mail server:
- Exchanges information with external mail servers.
- Lets the employees who work remotely receive and send messages through the Internet.

External mail servers and users send messages to your mail server over SMTP. Users receive the messages over POP3 and IMAP.

To organize message exchange with external mail servers and users and provide the users with access to their mail through the Internet, on a protected mail server, create a network filter that allows receiving and sending IP packets using port 25 for the TCP protocol (the standard port for the SMTP protocol), and ports 110 and 143 for the POP3 and IMAP protocols respectively.

You can create a protocol group including all the mentioned protocols. You can use this group when you create a network filter. Besides, you can use it again when you create additional filters for your mail server if necessary.

To create a protocol group:

1 In the main ViPNet Monitor window, in the navigation pane, select Object Groups > Protocols.

2 In the view pane, click Create and, in the group options window, in the Contents section, add all the required protocols.

3 To add the SMTP protocol, click Add and choose TCP/UDP, and then, in the TCP/UDP Protocol window, specify: protocol TCP; source port All ports; destination port 25-smtp.

Figure 80. An example of an allowing rule for SMTP

4 In the same way, add the POP3 and IMAP protocols, specifying ports 110 and 143 as the destination port respectively.

5 When you have added the protocols, in the group options window, click OK.

As a result, the protocol group will be created. You can use this group when you create a filter.

Figure 81. The protocols group for your mail server

To create a network filter allowing you to exchange messages with external servers and users, on the protected server, do the following:

1 In the navigation pane of the main ViPNet Monitor window, select Network Filters > Local Public Network Filters.

2 In the Local Public Network Filters section, create a network filter for all IP addresses, because you cannot find out the IP addresses of external mail servers in advance and this filter should be applied to the IP addresses of all users. To do that, in the view pane, click Create and, in the filter options window, specify its parameters.

3 In the General Options section, in the Action list, click Allow IP traffic.

4 For the filter to be applied to all IP addresses, in the Sources and Destination sections, do not specify any parameters.

5 In the Protocols section, click Add and choose Protocol group. Then, in the options window, choose the protocol group created in advance.

6 You do not need to create a schedule for this filter.

7 Click OK. The network filter will be created.

Thus, on a protected mail server, message exchange with external mail servers and employees will be allowed. The employees will have access to their mail through the Internet.

Figure 82. Allowing filter for the SMTP, POP3, and IMAP protocols

Anti-spoofing

ViPNet Coordinator has an anti-spoofing feature; in other words, it blocks incoming IP packets whose source IP addresses are invalid according to the settings of the network interface that receives them. Anti-spoofing works only for unencrypted traffic, because the source IP address does not have any meaning for encrypted traffic. Unencrypted IP packets are first verified by the anti-spoofing system, and then they are processed by network filters (see General Principles of Traffic Filtering on page 127).

For each network interface, anti-spoofing rules define ranges of IP addresses from which incoming IP packets are not allowed. IP packets delivered from IP addresses in this range will be blocked.

As the name implies, the main task of anti-spoofing is to protect you from IP address spoofing, which is a widely used type of network attack. When performing a spoofing attack, a malicious user sends an IP packet to the attacked computer. The real source address of this IP packet has been replaced with the IP address of a host whose communication with this coordinator is allowed. For example, by using this kind of attack, a malicious user can send an unencrypted IP packet from the Internet through your coordinator, having given the packet an IP address of the coordinator's private network as its source address. Using anti-spoofing rules allows you to prevent such a situation.

We recommend that you enable anti-spoofing rules on your coordinator to ensure a higher level of security for your ViPNet network.

By default, anti-spoofing is disabled. To enable anti-spoofing:

1 In the ViPNet Monitor main window, on the Service menu, click Options.

2 In the Options dialog box, in the Manage IP Traffic section, select the Anti-spoofing check box.

3 Click Apply.

Anti-spoofing rules are created automatically, based on the ViPNet host's routing table. If you use complex routing schemes (that include route metrics or asymmetric routes), the anti-spoofing feature may function incorrectly and should then be disabled.
Anti-spoofing rules are formed only for unencrypted traffic, in the following way:
- For all interfaces except for the default interface, source IP addresses are blocked if they are not registered as the allowed routes of the interface that receives them.
- For the default interface, source IP addresses are blocked if they are registered as the allowed routes of other interfaces.

Suppose that a host is using the following routing table:

Table 5. A sample of a routing table

Network address    Network mask    Gateway address    Interface    Metrics
                                   On-link
                                   On-link
                                   On-link
                                   On-link
                                   On-link
                                   On-link
                                   On-link
                                   On-link
                                   On-link
                                   On-link
                                   On-link
                                   On-link
                                   On-link
                                   On-link
                                   On-link
                                   On-link
                                   On-link
                                   On-link
                                   On-link
                                   On-link
                                   On-link

In our example, the ViPNet host has four network interfaces. The network interface with the IP address is a loopback interface and should not be taken into account. As a result, on the basis of the routing table given earlier, the following anti-spoofing rules set is generated:
- On the network interface with the address , the only incoming IP packets allowed are from /24 and .
- On the network interface with the address , the only incoming IP packets allowed are from /24.
- On the network interface with the address , all incoming IP packets are allowed except for those from the /24, , and /24 IP addresses.
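The following is an added example, not ViPNet code: a small Python model of the unencrypted-traffic path this chapter describes (the anti-spoofing check first, then the network filters in order), with the rule derivation from the routing table given above and the mail-server protocol group from the earlier example. The interface names, the routing table and all addresses are constructed for the example, and treating a packet that matches no filter as blocked is an assumption of this model, not a documented ViPNet default.

```python
"""Added example, not ViPNet code: anti-spoofing rules derived from a routing
table, followed by network filters built from a protocol group. Routes,
interface names and addresses are constructed; the "no matching filter means
block" default is an assumption of this model."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    network: str   # destination network in CIDR form
    iface: str     # interface the route leaves through


# Constructed routing table: a default route on "ext", three real interfaces, loopback.
ROUTES = [
    Route("0.0.0.0/0", "ext"),        # default route, so "ext" is the default interface
    Route("203.0.113.0/24", "ext"),
    Route("192.168.10.0/24", "lan"),
    Route("10.10.0.0/16", "lan"),     # reached through a router inside the LAN
    Route("172.16.5.0/24", "dmz"),
    Route("127.0.0.0/8", "lo"),       # loopback: ignored when deriving rules
]


def anti_spoofing_rules(routes, loopback="lo"):
    """Derive per-interface rules the way the guide describes: a non-default
    interface accepts only sources it has routes for; the default interface
    rejects sources that other interfaces have routes for.
    Returns {iface: (mode, networks)} with mode "allow_only" or "block"."""
    default_iface = next(r.iface for r in routes if r.network == "0.0.0.0/0")
    per_iface = {default_iface: []}
    for r in routes:
        if r.iface != loopback and r.network != "0.0.0.0/0":
            per_iface.setdefault(r.iface, []).append(ip_network(r.network))
    rules = {}
    for iface, nets in per_iface.items():
        if iface == default_iface:
            others = [n for i, ns in per_iface.items() if i != iface for n in ns]
            rules[iface] = ("block", others)
        else:
            rules[iface] = ("allow_only", nets)
    return rules


def is_spoofed(rules, iface, src):
    """True if a packet with source `src` arriving on `iface` violates the rules."""
    mode, nets = rules[iface]
    inside = any(ip_address(src) in n for n in nets)
    return (not inside) if mode == "allow_only" else inside


@dataclass(frozen=True)
class Packet:
    iface: str      # receiving interface
    src: str
    dst: str
    proto: str      # "tcp", "udp", ...
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Proto:
    name: str
    dports: frozenset = frozenset()   # empty set means all destination ports


# Protocol group from the mail-server example: TCP to 25 (SMTP), 110 (POP3), 143 (IMAP).
MAIL_GROUP = [Proto("tcp", frozenset({25})), Proto("tcp", frozenset({110})),
              Proto("tcp", frozenset({143}))]


@dataclass
class Filter:
    name: str
    action: str                  # "allow" or "block"
    protocols: list
    sources: list = field(default_factory=list)        # CIDR strings; empty = any
    destinations: list = field(default_factory=list)   # CIDR strings; empty = any

    def matches(self, pkt):
        def in_any(addr, nets):
            return not nets or any(ip_address(addr) in ip_network(n) for n in nets)
        return (in_any(pkt.src, self.sources) and in_any(pkt.dst, self.destinations)
                and any(p.name == pkt.proto and (not p.dports or pkt.dport in p.dports)
                        for p in self.protocols))


# The allowing filter from the example: no sources, no destination, the mail group.
FILTERS = [Filter("Mail services", "allow", MAIL_GROUP)]


def process(pkt, rules=None, filters=FILTERS):
    """Run one unencrypted packet through anti-spoofing, then the filters in order."""
    rules = rules if rules is not None else anti_spoofing_rules(ROUTES)
    if is_spoofed(rules, pkt.iface, pkt.src):
        return "blocked by anti-spoofing"
    for f in filters:
        if f.matches(pkt):
            return "%s (%s)" % (f.action, f.name)
    return "block (no matching filter)"    # assumed default for this model
```

Running `process(Packet("ext", "192.168.10.5", "203.0.113.10", "tcp", 40000, 25))` returns "blocked by anti-spoofing" even though the mail filter would allow the port: a packet carrying a LAN source address arrives on the default interface, which is exactly the case the chapter describes, and the filters never see it. The same packet from a public source is allowed by the mail filter, while one to TCP port 22 reaches the end of the list.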

Blocking IP Traffic

In the ViPNet Monitor program, you can block your computer's IP traffic. In this case, you will not be able to connect to any protected or unprotected hosts.

To block your IP traffic:

1 In the ViPNet Monitor program, enable traffic blocking in one of the following ways:
- On the ViPNet Coordinator menu, choose Configurations > Block IP Traffic.
- In the notification area, right-click the program icon and choose Block IP Traffic from the menu.

2 If you want traffic to be unblocked automatically when a certain condition is met, then, in the Block IP traffic window:
- Select the Automatically allow IP traffic check box.
- Choose the condition from the list below the selected check box: after the computer restart or in a certain period of time.

Figure 83. Blocking IP traffic

3 Click Block IP Traffic. All encrypted and unencrypted traffic of your computer will be blocked, and the ViPNet Monitor icon in the notification area will change.

4 To enable traffic protection, on the ViPNet Coordinator menu, choose Configurations > Allow IP traffic.

Disabling Traffic Protection

If necessary, you can disable IP traffic protection in the ViPNet Coordinator program. In this case, traffic processing and logging will be disabled. You will not be able to connect to ViPNet hosts.

Warning: We strongly recommend that you do not work on a host where traffic protection is disabled, because such a host is not protected against unauthorized access from the network.

If you want to disable traffic protection:

1 In the ViPNet Monitor program, on the File menu, select Configurations > Disable Protection.

2 If you want traffic protection to be enabled automatically when a certain condition is met, then, in the Disable Protection window:
- Select the Automatically enable IP traffic protection check box.
- Choose the condition from the list below the selected check box: after the computer restart or in a certain period of time.

Figure 84. Disabling traffic protection

3 Click Disable protection. Traffic protection will be disabled, and the ViPNet Monitor icon in the notification area will change.

4 To enable traffic protection, on the File menu, select Configurations > Enable protection.

10 Application Protocols Processing

Application Protocols Overview 164
Application Protocols Description 166
Application Protocols Options 167

Application Protocols Overview

Functioning of network services, such as IP telephony, DNS, FTP and others, is provided by special application protocols. When you use application protocols, IP addresses are often transferred in the body of an IP packet. Such behavior may lead to service inoperability on protected hosts in case of using virtual IP addresses or NAT technologies. Besides, to transfer data, some protocols may create additional communication channels (additional to the main channel) on a randomly chosen port. It is impossible to create an allowing rule for IP packets whose destination port is not known beforehand, thus the connection will be blocked.

Application protocols processing solves these problems and ensures:
- The substitution of the virtual IP address in the IP packet's body with a real IP address, if the virtual IP addresses technology is implemented.
- The substitution of the protected host's IP address in an application protocol with a translated IP address, in case of using the NAT technology.
- Enabling an allowing network filter for connecting to a random port opened by the application protocol.

Note: In ViPNet Monitor, you can configure application protocols processing options for any kind of traffic: unencrypted, encrypted, or tunneled. Take into account that application protocols processing does not automatically allow establishing the control connection to unprotected hosts. The control connection to unprotected hosts is established in accordance with the specified network filters.

Let's explain how an application protocol is processed using the FTP protocol as an example. When you transfer a file from an FTP client to an FTP server, two TCP connections are required according to the protocol: a control connection that is established to send commands to the FTP server and receive response packets, and an additional connection for data transfer. Connection between a client and a server can be established in one of two modes: active and passive. In the active mode, the client initiates a control connection from a port to port 21 on the server. The server connects to the client using the port number the connection was initiated on and establishes a connection for data transfer. On the server, port 20 is used. In the passive mode, after the control connection has been established, the server informs the client about the port number ( ) that the client can use to establish the connection. Thus, in the active mode, the client should accept the connection for data transfer from the server, while in the passive mode, the connection for data transfer is always initiated by the client.

To establish the control and additional connections, in both active and passive FTP modes, you should configure ViPNet Monitor as follows:
- Create a public network filter (see Creating Local Public Network Filters on page 152) that allows outbound connections over the TCP protocol to port 21 of the FTP server.

- To allow the additional connection in the active mode, enable FTP processing, which means that the required traffic filtering will be enabled. Make sure that FTP processing is enabled. You do not need to make any special settings to allow the additional connection in the passive mode.

Let's give one more example of protocol processing, considering the SIP protocol. The SIP protocol is used for organizing, modifying, and terminating connection sessions, such as multimedia conferences, phone connections, and streaming multimedia distribution. The initiating SIP client sends a request (for example, an invitation to join a connection session, response confirmation, connection session termination) to the receiving SIP client, addressing it by its SIP identifier. Depending on the connection establishment type, the request is either directed to the receiving client, or transferred via a SIP proxy server or a redirect server. The receiving client, depending on the received request type, sends a response (for example, information about a request processing error, request received and being processed, request denied) to the client that initiated the connection.

To establish a connection session over the SIP protocol, you should establish TCP and UDP connections between SIP clients using the SIP port. To establish a connection between SIP clients, make sure that SIP protocol processing is enabled, and create a public network filter allowing inbound and outbound connections via the TCP and UDP protocols on the SIP port.
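To make the FTP example concrete, here is an added Python model (not ViPNet code) of what an application-protocol handler has to do with the addresses and ports that FTP carries inside packet bodies: decode the PORT command (active mode) or the 227 reply (passive mode), rewrite the embedded address when the sender sits behind NAT or uses a virtual address, and derive the one-off allowing rule for the data connection whose port is not known in advance. The PORT and 227 formats follow RFC 959; the `translate` map, the `DataChannel` record and the dictionary shape of the temporary filter are this model's own assumptions.

```python
"""Added example, not ViPNet code: an FTP application-protocol handler for the
control channel. It parses PORT commands and 227 replies (RFC 959), rewrites
the address they carry, and reports the data connection that must be allowed.
The translation map and the filter representation are this model's own."""
import re
from dataclasses import dataclass

# h1,h2,h3,h4,p1,p2 inside a PORT command and inside a 227 (passive) reply
PORT_RE = re.compile(r"^(PORT )(\d+(?:,\d+){5})(\s*)$")
PASV_RE = re.compile(r"^(227 [^(]*\()(\d+(?:,\d+){5})(\).*)$", re.S)


def decode_hostport(text):
    """'h1,h2,h3,h4,p1,p2' -> (ip, port); rejects out-of-range fields instead of guessing."""
    v = [int(x) for x in text.split(",")]
    if len(v) != 6 or any(x > 255 for x in v):
        raise ValueError("malformed host-port field: %r" % text)
    return ".".join(map(str, v[:4])), v[4] * 256 + v[5]


def encode_hostport(ip, port):
    """(ip, port) -> 'h1,h2,h3,h4,p1,p2'."""
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


@dataclass(frozen=True)
class DataChannel:
    mode: str     # "active": server connects to the client; "passive": client connects to server
    ip: str       # data-channel endpoint as the peer must see it, after translation
    port: int
    line: str     # control-channel line with the embedded address rewritten


def process_control_line(line, translate=None):
    """Parse one control-channel line. `translate` maps an address as written by
    the sender to the address the peer must use (the NAT or virtual-address
    substitution the guide describes). Returns a DataChannel for PORT and 227
    lines and None for lines that carry no address."""
    translate = translate or {}
    for regex, mode in ((PORT_RE, "active"), (PASV_RE, "passive")):
        m = regex.match(line)
        if m:
            ip, port = decode_hostport(m.group(2))
            ip = translate.get(ip, ip)
            return DataChannel(mode, ip, port,
                               m.group(1) + encode_hostport(ip, port) + m.group(3))
    return None


def temporary_filter(ch):
    """The one-off allowing rule the handler needs for the data connection. In the
    active mode the server connects in from port 20 to the client's announced
    port, which no static filter could allow in advance; in the passive mode the
    client connects out to the port the server announced."""
    if ch.mode == "active":
        return {"action": "allow", "proto": "tcp", "direction": "inbound",
                "sport": 20, "dst": ch.ip, "dport": ch.port}
    return {"action": "allow", "proto": "tcp", "direction": "outbound",
            "dst": ch.ip, "dport": ch.port}
```

With a client at 192.168.10.5 that the coordinator presents to the outside as 203.0.113.10, `process_control_line("PORT 192,168,10,5,4,1\r\n", {"192.168.10.5": "203.0.113.10"})` yields the rewritten command `PORT 203,0,113,10,4,1` and an inbound allow for TCP port 1025 on the translated address; a 227 reply yields the outbound endpoint and its line unchanged when no translation applies.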

Application Protocols Description

Note: In ViPNet Coordinator version 3.2 and later, there is no web filtering and HTTP application protocol processing.

In the ViPNet Monitor program, you can configure processing parameters for the following application protocols:
- The FTP protocol ensures file exchange between an FTP client and an FTP server.
- DNS (Domain Name System) provides translation of DNS names into IP addresses.
- The H.323 protocol allows using programs for multimedia conferencing in IP networks, including the Internet.
- SCCP (Skinny Client Control Protocol) ensures message exchange between Skinny clients (wired and wireless Cisco IP telephones) and the Cisco Unity voice mail server and Cisco CallManager.
- SIP (Session Initiation Protocol) allows establishing sessions to transfer voice and video calls, as well as multimedia information.

Note: The list of application protocols supported by the ViPNet Monitor program is set by default; you cannot add or remove protocols from the list.

Application Protocols Options

Warning: You should disable the DPI (deep packet inspection) function on network equipment (routers, gateways) in networks where application protocols are processed using ViPNet. The use of DPI may lead to malfunction of the applications using the FTP, DNS, H.323, SCCP, and SIP protocols.

To configure the parameters of processing application protocols for unencrypted and encrypted traffic:

1 In the ViPNet Monitor main window, on the Service menu, click Options.

2 In the Options dialog box, in the navigation pane, click Application Protocols.

Figure 85. Application protocols section

In the Application protocols section, the supported application protocols (see Application Protocols Description on page 166) are listed.

Note: By default, the most commonly used network protocols and ports are specified for all application protocols. The list of application protocols supported by the ViPNet Monitor program is set by default; you cannot add or remove protocols from the list.

3 In the Application Protocols section, click the protocol whose settings you want to change and click Edit.

4 If necessary, in the Configuring Application Protocol: <name of the selected protocol> window (the window name depends on the application protocol chosen):
- To enable a network protocol, select the corresponding check box and specify ports.

Note: The application protocols processing settings must correspond to the settings specified in applications such as a web browser, an FTP client, a SIP client, and others. When you enter port numbers and number ranges, you should separate them with commas.

- To disable a network protocol, clear the corresponding check box.
- To disable processing of an application protocol, disable all network protocols and confirm the operation by clicking OK.

Figure 86. Configuring application protocols processing

Upon finishing, click OK.

Warning: We do not recommend that you disable application protocols processing, because it may interfere with the operation of applications.

5 To save the settings, in the Application Protocols section, click Apply.

6 To restore the default settings, in the Application Protocols section, click By default.

11 Configuring Network Address Translation (NAT)

Why Do You Need NAT? 170
NAT in the ViPNet Technology 171
Creating Network Address Translation Rules 174

Why Do You Need NAT?

Network address translation (NAT) is a technology of modifying network address information for the purpose of remapping a given address space to another. The NAT technology regulations are described in RFC.

Usually, NAT is used to solve the following two problems:
- When you need to connect a local network to the Internet, while the number of local network hosts exceeds the number of public IP addresses (see Public address on page 384) allocated by the Internet provider. In this case, NAT ensures that local networks using private addresses (see Private address on page 383) can access the Internet. This is achieved by source IP address translation (on page 172).
- To provide access to private network resources for public network hosts. As a result of using the NAT technology, Internet users can access local networks with private address spaces by public IP addresses. This is achieved by destination IP address translation (on page 171).

You can configure NAT rules on a firewall, a computer standing on the border of a LAN (internal network) and a global (external) network, for example, the Internet. A firewall must have at least two network interfaces:
- An external interface with a public IP address that provides access to the Internet.
- An internal interface with a private IP address.

NAT is performed for the IP packets passing through the firewall from the internal to the external network and back.

NAT in the ViPNet Technology

Warning: The network address translation (NAT) rules described in this section apply only to unencrypted traffic. Encrypted traffic is processed by automatic translation mechanisms with parameters that cannot be changed.

A coordinator may perform NAT (see Network addresses translation (NAT) on page 382) if the corresponding rules are configured (see Creating Network Address Translation Rules on page 174). On a coordinator, you may configure NAT rules of the following types:
- Destination address translation sets a correspondence between public IP addresses or ports and private IP addresses or ports of the internal network. This kind of NAT is used when one or more internal hosts must be accessible from the external network by a static IP address (for instance, web servers).
- Source address translation (masquerading) sets a correspondence between several private IP addresses of an internal network and one public address of their firewall. This type of NAT is performed to provide access to the Internet for local network computers with private IP addresses through a firewall with only one public IP address. Thus, several local network computers can use one public IP address simultaneously.
- Simultaneous source and destination IP address translation. This type of NAT provides data transfer between two segments of a network, so that hosts of one segment are available to hosts of the other segment via the coordinator's IP address (as in destination address translation), while the packets received on hosts of each segment have the coordinator's corresponding network interface as their source address (as in source address translation). Thus, for each segment, the other segment's hosts' IP addresses will be invisible. To create a rule for simultaneous translation of source and destination addresses, in the Network Address Translation (NAT) section, select both the Translate source IP address to and Translate destination IP address to check boxes, and then specify the required parameters (see Creating Network Address Translation Rules on page 174).

For some application protocols (such as FTP, SIP) to perform correctly when a client-to-server connection is established with NAT, the ViPNet Coordinator program performs additional processing of traffic. The additional processing is required for translating the IP addresses that are transferred by some application protocols within the body of the IP packets (see Application Protocols Processing on page 163).

Destination IP Address Translation

Destination address translation provides access from the Internet to internal servers located in your protected network, which do not have a public IP address. A destination IP address translation rule sets a correspondence between private IP addresses of local hosts and the coordinator's public IP address. According to the translation rule, in IP packets' headers, public IP addresses (or IP addresses and ports)

are substituted with LAN private addresses. Therefore, external users can get access to LAN resources by a public IP address.

Figure 87. Access to internal resources using destination NAT

If there is a destination IP address translation rule configured for the external IP address of a coordinator, and an IP packet reaches this address, the following occurs:
- In a packet incoming from an external host, the coordinator translates the destination public IP address (the coordinator's public IP address) into a local address, according to the configured rule. Then, via the internal network interface, the IP packet is sent to its destination host.
- When, within the same session, response packets pass through the coordinator, it translates the addresses back. The packet's source address (the local host's IP address) is translated into the public IP address of the coordinator's external interface. Then the IP packets are sent to their destination host on the Internet. Thus, when a packet is transferred to the Internet, it looks like both its source and destination have public IP addresses.

Warning: If you use destination NAT, only an external host can initiate a connection to a local host. For your local host to access the Internet, bidirectional NAT should be performed; in other words, in addition to the destination NAT rule, you should configure a source NAT rule.

Source IP Address Translation

Source network address translation in ViPNet ensures access to the Internet for local network computers. A source IP address translation rule sets a correspondence between private IP addresses of local hosts and the coordinator's public IP address. According to a translation rule, in IP packets' headers, LAN private addresses are substituted by the public IP address. Therefore, hosts in a local network may connect with hosts on the Internet by using their coordinator's public IP address.

Figure 88. Using source NAT to organize access to the Internet

If there is a source IP address translation rule set for the internal IP address of a coordinator, forward IP packets from the internal network that pass through the coordinator are processed in the following way:
- When you send an IP packet from your local network to the Internet, ViPNet Coordinator intercepts it and, for the TCP and UDP protocols, translates its source IP address and (or) port. If this packet is sent over the ICMP protocol, the source IP address is translated and other parameters are cached. During the translation process, the source private IP address is translated to the public IP address of the coordinator's external network interface, which provides access to the global network. On the Internet, this packet is transferred with a public source address. Source port numbers (for TCP and UDP) and cached packet attributes (for ICMP) have unique values for all outbound IP connections of the coordinator's external network interface. Upon translation, the IP packet is sent to its destination host on the Internet.
- When response IP packets arrive, the coordinator translates back the specified parameters. In other words, when a response IP packet arrives, the coordinator translates the specified destination address into the private address of the destination local network host. Translation is performed based on the unique port numbers assigned to outgoing packets (for TCP and UDP) and the cached attributes of outgoing packets (for ICMP). For the TCP and UDP protocols, port numbers are also translated to their true values. Then, the response packets are transferred through the internal network interface to their destination host in the local network.

Note: For all protocols except for TCP, UDP, and ICMP, only IP addresses are translated. For the protocols with partial translation, source IP address translation will not work if more than one LAN host simultaneously initiates a connection with the same public IP address.
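As an added example (not ViPNet code), the following Python model traces the destination and source translation behaviour described in the two sections above: outbound connections get a unique public port per connection and are reversed on the reply; an inbound packet is matched first against an existing session and then against a destination NAT rule; replies to a destination-translated connection leave with the public address, but a local host cannot initiate a connection when only a destination rule exists; and for protocols without ports only the address is translated, so a second LAN host talking to the same peer cannot be told apart. The addresses, the public port pool and the session tables are constructed for the example; a real coordinator keeps this state in the driver and the table layout here is an assumption of the model.

```python
"""Added example, not ViPNet code: a model of source (masquerading) and
destination translation on a coordinator's external interface. Addresses, the
port pool and the session tables are constructed for the example."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp", "icmp" or another IP protocol name
    src: str
    dst: str
    sport: int = 0  # for icmp this field stands in for the cached echo identifier
    dport: int = 0


PORT_PROTOS = ("tcp", "udp", "icmp")   # full translation; others get address-only


class Coordinator:
    def __init__(self, public_ip, snat=True, dnat_rules=None, port_pool=range(40000, 40010)):
        self.public_ip = public_ip
        self.snat_enabled = snat
        self.dnat = dict(dnat_rules or {})   # (proto, public_port) -> (inner_ip, inner_port)
        self.pool = iter(port_pool)          # unique public ports, one per outbound connection
        self.out_sessions = {}               # (proto, inner_ip, inner_port) -> public_port
        self.in_sessions = {}                # (proto, public_port) -> (inner_ip, inner_port)
        self.partial = {}                    # (proto, peer_ip) -> inner_ip, protocols without ports

    def _bind(self, proto, inner_ip, inner_port, public_port):
        self.out_sessions[(proto, inner_ip, inner_port)] = public_port
        self.in_sessions[(proto, public_port)] = (inner_ip, inner_port)

    def outbound(self, pkt):
        """LAN -> Internet. Returns the translated packet, or None if it cannot be sent."""
        if pkt.proto in PORT_PROTOS:
            key = (pkt.proto, pkt.src, pkt.sport)
            if key not in self.out_sessions:
                if not self.snat_enabled:
                    return None              # destination NAT alone: locals cannot initiate
                self._bind(pkt.proto, pkt.src, pkt.sport, next(self.pool))
            return replace(pkt, src=self.public_ip, sport=self.out_sessions[key])
        # Partial translation: only the address changes, so nothing distinguishes
        # two LAN hosts once both talk to the same peer; the second one is refused.
        owner = self.partial.setdefault((pkt.proto, pkt.dst), pkt.src)
        return replace(pkt, src=self.public_ip) if owner == pkt.src else None

    def inbound(self, pkt):
        """Internet -> LAN. Existing sessions are reversed first, then DNAT rules apply."""
        if pkt.proto in PORT_PROTOS:
            public_port = pkt.sport if pkt.proto == "icmp" else pkt.dport   # icmp: identifier
            sess = self.in_sessions.get((pkt.proto, public_port))
            if sess is None:
                rule = self.dnat.get((pkt.proto, public_port))
                if rule is None:
                    return None              # no session and no rule: the packet is dropped
                self._bind(pkt.proto, rule[0], rule[1], public_port)   # lets the reply leave
                sess = rule
            inner_ip, inner_port = sess
            if pkt.proto == "icmp":
                return replace(pkt, dst=inner_ip, sport=inner_port)
            return replace(pkt, dst=inner_ip, dport=inner_port)
        owner = self.partial.get((pkt.proto, pkt.src))
        return replace(pkt, dst=owner) if owner else None
```

Two LAN hosts that both use local port 51000 towards the same web server leave as 203.0.113.10:40000 and 203.0.113.10:40001, and the reply to port 40001 is delivered back to the second host on port 51000. With a rule mapping public TCP 443 to 192.168.10.20:8443, an unsolicited packet to port 443 is forwarded and the server's reply leaves as 203.0.113.10:443; with that rule alone (`snat=False`) the server's own outbound connections are refused, which is the situation the warning under Destination IP Address Translation describes.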

Creating Network Address Translation Rules

To create a NAT rule:

1 In the navigation pane of the main ViPNet Monitor window, select Network Filters > NAT.

2 In the view pane, click Create. The NAT rule properties dialog box will be displayed. Specify the new rule's parameters.

3 In the General Options section, specify the name of the new rule.

Figure 89. Setting the name of a NAT rule

4 In the Sources section, set the source of the IP packets whose addresses you want to be translated. To do this, add:
- A source IP address, a DNS name, or an IP addresses range if there are several IP addresses. For more information, see Adding IP Addresses and DNS Names (on page 141).
- Source IP addresses groups (if you have created any) (see Creating and Editing Object Groups on page 136).

Figure 90. Setting the IP packets source

5 In the Destination section, set the destination of the IP packets whose addresses should be translated. You can add the destination in the same way as you add the source (see the previous step).

Figure 91. Setting the IP packets destination

6 In the Protocols section, specify the protocol for translation. In this case, IP addresses will be translated only for the IP packets sent over this protocol. You may add the required protocols (see Adding Protocols on page 142) or protocol groups if you have created any (see Creating and Editing Object Groups on page 136).

Figure 92. Adding a protocol when creating a translation rule

7 In the Network Address Translation (NAT) section, set the parameters of source and destination IP address translation.

If you want to translate source IP addresses for outgoing IP packets, do the following (see Source IP Address Translation on page 172):
- Under Source translation, select the Translate source IP address to check box.
- If you want the source IP address to be translated into the coordinator's external interface IP address, which is determined automatically, select IP address of the interface, which sends IP packets (defined automatically).
- If you want to set a different IP address that will replace the source IP address of the outgoing packets, select Other IP address and, in the associated box, type the IP address.

If you want to translate destination IP addresses for outgoing IP packets, do the following (see Destination IP Address Translation on page 171):
- Under Destination translation, select the Translate destination IP address to check box and, in the associated box, type the local destination host's IP address that will be attributed to the IP packets received on the coordinator.
- If you want to change a port, select the Translate destination port to check box and, in the associated list, select the port that will be attributed to the IP packets received on the coordinator. The destination port will be translated only for the TCP and UDP protocols.

Figure 93. Configuring network addresses translation

8 To save the new translation rule's parameters, click OK. As a result, the newly created translation rule will be displayed in the corresponding filters list. The created rule will be enabled if you have not cleared the corresponding check box when specifying the filter's general parameters. To disable a translation rule, clear the check box associated with the filter's name.

9 To set a rule's priority, change its position in the list using the buttons.

10 To apply the created rule, click Apply all after you configure it. In the displayed window, within 30 seconds, confirm saving the changes.

For an example of translation rules usage, see Deploying a DMZ (on page 197).

12 Encrypting Traffic of Unprotected Hosts (Tunneling)

Overview 179
Configuring Tunneling 181
Configuring Access to Tunneled Hosts from an External Network 184

Overview

In corporate networks, there is often a need to protect data exchanged via insecure public networks. You may also need to provide communication between ViPNet hosts and unprotected hosts on which the ViPNet software cannot be installed. For example, it is impossible to install the software on some devices, such as VoIP hardphones and printers, and it may be undesirable to install ViPNet software on servers, such as SQL or DHCP servers.

Figure 94. Secure access to a server

In the described cases, you should use tunnels. In ViPNet networks, tunneling is performed by coordinators. IP traffic of a tunneled host is routed through a coordinator that filters and encrypts or decrypts IP packets and sends them to the destination host.

From this section, you will learn how to configure a tunneling coordinator. For information about configuring ViPNet hosts that should establish connections to tunneled hosts, see Configuring Access to ViPNet Hosts Tunneled by Another Coordinator (on page 105).

How Tunneling Protects Traffic
When an unprotected host is tunneled by a coordinator, its traffic is protected in the following way:
- The unprotected host sends unencrypted IP packets to the tunneling coordinator.
- The coordinator filters and encrypts the IP packets from the tunneled host, and then routes the encrypted packets to the destination host.
- The coordinator that tunnels the destination host decrypts the IP packets and passes them to the host.
Figure 95. Types of tunnels in a ViPNet network
In terms of the ViPNet technology, the route from host 1 to host 2 is called a half-tunnel, and the route from host 1 to host 3 is called a complete tunnel.

Configuring Tunneling
To configure tunneling of unprotected hosts by a coordinator, do the following:
1 In the ViPNet Administrator Network Control Center or ViPNet Network Manager, for this coordinator, specify the maximal number of simultaneously tunneled connections.
2 Specify IP addresses of the unprotected hosts you are going to tunnel.
3 Configure the corresponding network filters, if you need to limit access to tunneled hosts. You can configure the new filters directly on the coordinator (see Creating Filters for Tunneled Hosts on page 149) or send them to the coordinator in a corresponding security policy from the ViPNet Policy Manager program.
There are two ways to specify IP addresses of tunneled hosts:
- In the ViPNet Administrator Network Control Center or ViPNet Network Manager program. In this case, after the new host links are delivered to hosts, the tunneled hosts' addresses will be transmitted both to the tunneling coordinator and to all clients connected with it. This method has the advantage of specifying IP addresses for tunneling centrally. We recommend that you use this method. You can use the second method if you need to configure access to tunneled hosts just for a few clients.
- In ViPNet Monitor. In this case, the tunneled hosts' IP addresses have to be specified both on the tunneling coordinator (see Specifying Hosts to Be Tunneled on page 181) and on each host that you are planning to give access to the tunneled hosts (see Configuring Access to ViPNet Hosts Tunneled by Another Coordinator on page 105). If you do not specify the tunneled hosts' addresses on a host, it will have no access to the tunneled hosts.
Warning: We strongly recommend that you choose one method to configure tunneling and adhere to it later, when reconfiguring the network. If you switch between methods, the changes you apply to tunneling settings in ViPNet Administrator Network Control Center or ViPNet Network Manager override your manual settings on coordinators and clients.
Specifying Hosts to Be Tunneled
To specify IP addresses of unprotected hosts you want to be tunneled, on the tunneling coordinator, do the following:
1 In the main ViPNet Monitor window, on the Service menu, click Options.
2 In the Options dialog box, select Tunneling.

Figure 96. Adding IP addresses for tunneling in ViPNet Coordinator
3 Create a list of tunneled hosts' IP addresses by using the corresponding buttons.
Note: If the IP addresses of concurrently tunneled hosts field has the value 0, you cannot edit the list of tunneled addresses. Also, you can specify the number of concurrently tunneled addresses for a coordinator in ViPNet Administrator Network Control Center or ViPNet Network Manager.
If you do not know the host's IP address, you can resolve it by the computer's name. To do this, click Resolve Host Name/IP Address and, in the displayed window, search for the required IP address by the specified name.
When you add an IP address, it is automatically checked whether this address coincides with another IP address on the list or with the address of another host. This check helps you to avoid specifying the same IP address twice. If the check shows that IP addresses intersect, you will be notified about it. Resolve the IP addresses intersection (see Conflicting IP Addresses or DNS Names on page 308). You may check for IP addresses intersection manually, too. To do this, click Check conflicts.
4 Click OK.
After you specify tunneled IP addresses on the coordinator, you can create network filters to limit access to the tunneled hosts by certain parameters. To allow access to the tunneled hosts for other ViPNet hosts on the network, specify the tunneled IP addresses on each of the ViPNet hosts. For more information about configuring access on a client, see the document ViPNet Client Monitor. User's Guide, the Configuring Access to Tunneled Hosts chapter.

Settings Required on Tunneled Hosts
Note: We recommend that you place hosts that should be tunneled by a coordinator behind a different network interface of the coordinator or behind a different coordinator. This will make your network more secure and easier to manage.
To ensure correct traffic routing between tunneled hosts and ViPNet hosts:
- Tunneled hosts should be placed in the same routed network as the tunneling coordinator.
- The IP packets you send from tunneled hosts to ViPNet hosts should be passed through the tunneling coordinator. To do this, do one of the following:
  - On the tunneled hosts, specify the tunneling coordinator as the default gateway.
  - On the tunneled hosts, specify static routes for ViPNet hosts through the tunneling coordinator.

Configuring Access to Tunneled Hosts from an External Network
Using the ViPNet technology, you can easily perform a common task of providing public network hosts with access to tunneled hosts.
Warning: The technology described is related only to the connections initiated by public network hosts to tunneled ones. Thus, when a tunneled host initiates a connection to a public network host, this method cannot be applied.
Figure 97. Configuring access to tunneled hosts from an external network
Consider that you need to organize the access of branch office staff and remote users to tunneled servers located in headquarters. When you organize access to tunneled hosts from an external network, you would otherwise need to create a great number of routing rules for the remote hosts' visibility addresses in the network segment between a coordinator and tunneled hosts. To avoid this, you should add a NAT rule to translate the public network IP address of the source to the tunneling coordinator's address.
According to the scheme above, to enable access to tunneled hosts, you should create a NAT rule to translate the source IP address (see Destination IP Address Translation on page 171) of hosts 2 and 3 to the internal coordinator interface 1.
To configure the source IP address translation, do the following:
1 On coordinator 1, in the main ViPNet Monitor window, in the navigation pane, select Network Filters > NAT.
2 In the view pane, click Create.

3 In the NAT rule properties window, in the Sources section, specify visibility addresses (on page 389) or their ranges for hosts 2 and 3.
4 In the Network Address Translation (NAT) section, select the Translate source IP address to check box and choose Other IP address. Then specify the IP address of the coordinator's internal network interface that faces the tunneled host.
5 Click OK.
After you have configured the NAT rule, make sure the remote hosts can access the tunneled hosts.

13 Configuring the Open Internet Server
Open Internet Technology Overview 187
Configuring the Open Internet 190
Configuring the Coordinator Functioning as the Open Internet Server 191

Open Internet Technology Overview
To ensure high-level web access security, we recommend that you use the Open Internet technology. This technology allows you to disconnect a user's computer from the corporate network and to provide the user with secure access to web resources.
The Open Internet technology is implemented in the following way: you isolate a virtual network segment, which will be linked both with the coordinator functioning as an Open Internet server and with other hosts in the LAN. The access to the Internet is controlled by a proxy server, which may be located either on the Open Internet server or on a specially allocated computer.
Warning: For security reasons, we do not recommend that you install the proxy server and the Open Internet coordinator on the same computer. A configuration where the proxy server is installed on an unprotected host and is tunneled by the Open Internet coordinator is more secure.
Figure 98. The Open Internet technology with a dedicated proxy server
Clients connected with an Open Internet server can work only in one of the two modes:
- Working on the Internet. If you want to access the Internet from a host, in the ViPNet Monitor program on the host, select the Open Internet configuration. In this configuration, connections with any protected hosts will be blocked, except for the Open Internet coordinator.

Figure 99. A scheme of work in the Open Internet configuration
- Working with hosts of your protected network. If you want to access hosts of your LAN from your host, in the host's ViPNet Monitor program select any other configuration, except for the Open Internet configuration. In other configurations, connections with the Open Internet coordinator will be blocked, and the Internet will be inaccessible.
Figure 100. A scheme of work in the Main configuration (within a local network)
The Open Internet technology allows you to solve several problems at once:
- you can provide the users of your LAN with simple and secure access to the Internet from their work computers without extra efforts;

- there is no need to create a special fixed network for the users of your LAN to access the Internet.

Configuring the Open Internet
To organize secure web access with the Open Internet technology:
1 On a dedicated server, install the ViPNet Coordinator program.
2 After the installation is complete, deploy the coordinator key set with the Open Internet function enabled.
3 Either on the same server where ViPNet Coordinator is installed, or on a special server, install software that will function as a proxy server at the application layer.
Warning: The ViPNet software may work incorrectly if it is installed on a computer with application-layer proxy servers that additionally perform the network address translation (NAT) and firewall functions. A coordinator may also be used as a firewall and for NAT, and then it will conflict with such a proxy server. If your coordinator also has a proxy server installed, you must disable this proxy server's NAT and firewall services. For example, when you install the WinGate software on a computer with ViPNet Coordinator installed, we do not recommend that you install the ENS (Extended Network Services) driver that enables WinGate to perform NAT, routing and firewall functions.
4 On the proxy server, configure the clients' access to the Internet.
5 If the proxy server is installed on a separate computer, add it to the list of tunneled hosts of the Open Internet coordinator (see Configuring Tunneling on page 181).
6 On your coordinator, configure the set of network filters that provide safe access of hosts to the Internet (see Configuring the Coordinator Functioning as the Open Internet Server on page 191).
7 Configure the hosts that are allowed to access the Internet (see ViPNet Client Monitor. User's Guide).
Warning: The coordinator functioning as an Open Internet server should be linked only to the ViPNet hosts that are allowed to access the Internet. The ViPNet network administrator sets the connections of the hosts in ViPNet Network Control Center.

Configuring the Coordinator Functioning as the Open Internet Server
A coordinator working as an Open Internet server has to have network filters configured that provide safe access of hosts to the Internet. To do this, we recommend that you delete all filters that are present on the coordinator and create the new filters listed below (see Creating Network Filters on page 146). You can also send the new filters to the coordinator in a corresponding security policy by using the ViPNet Policy Manager program.
On the Open Internet server, configure the following network filters:
If a proxy server is installed directly on the coordinator, create the following network filters in the order given in the table.
Table 6. Network filters you should set when the proxy server is installed on a coordinator
Filter description | Source | Destination | Protocols | Action
In the Private Network Filters section:
Allow the service ViPNet packets | All | All | UDP: from 2046 to 2046; TCP: from 2047 to 2047; ICMP 8 | Allow
Allow incoming connections with proxy server | Other hosts | All | TCP: <port of access to proxy server> | Allow
Block other protected connections | All | All | All | Block
In the Local Public Network Filters subsection:
Block open connections outgoing from the internal network | <internal interface>:All | All | All | Block
Allow DHCP | All | All | DHCP Service | Allow
Allow NetBIOS and WINS | All | All | NetBIOS and WINS Service | Allow

Table 6 (continued)
Filter description | Source | Destination | Protocols | Action
Allow outgoing connections with hosts in the Internet | <external interface>:My ViPNet host | All | All | Allow
In the Forward Public Network Filters subsection:
Block the forward connections | All | All | All | Block
If a proxy server is installed on a computer other than the coordinator and is tunneled by the coordinator, create the following network filters in the order given in the table.
Table 7. Network filters you should set when the proxy server is installed on a separate computer
Filter description | Source | Destination | Protocols | Action
In the Private Network Filters section:
Allow the service ViPNet packets | All | All | UDP: from 2046 to 2046; TCP: from 2047 to 2047; ICMP 8 | Allow
Block other protected connections | All | All | All | Block
In the Local Public Network Filters subsection:
Block open connections outgoing from the internal network | <internal interface>:All | All | All | Block
Allow DHCP | All | All | DHCP Service | Allow
Allow NetBIOS and WINS | All | All | NetBIOS and WINS Service | Allow
In the Tunneled Hosts Filters section:
Allow clients' connections with proxy server | <clients> | <proxy server> | All | Allow
Note: Here, the term internal interface means the network interface of a coordinator which is connected to the local network with clients. The term external interface means the network interface of a coordinator which is connected to the Internet.

14 ViPNet Coordinator User Scenarios
Using a DHCP Server on a ViPNet Network 194
Deploying a DMZ 197

Using a DHCP Server on a ViPNet Network
Variants of DHCP Server Deployment
The DHCP protocol ensures that computers receive IP addresses and other network parameters from a DHCP server automatically. When ViPNet hosts use a DHCP server, the network may have the following features:
The DHCP server and the protected hosts may be located:
- In the same subnetwork.
- In different subnetworks separated by a firewall. Suppose that a coordinator is used as a firewall. In this case, you should make some advanced settings (see Deploying a DHCP Server and Clients in Different Subnetworks on page 196) on the coordinator.
The DHCP server may be:
- A protected host (with the ViPNet Client or ViPNet Coordinator software installed on it).
- A tunneled host (see Encrypting Traffic of Unprotected Hosts (Tunneling) on page 178).
- An unprotected host.
Any of the above-listed DHCP server deployment variants allows ViPNet hosts to use the server for receiving their network parameters automatically.
To establish a connection between protected hosts and a DHCP server, make sure that on your coordinator host (in the ViPNet Coordinator program) and on the clients (in the ViPNet Client program) the following options are configured:
- In the Private Network Filters section, the filter allowing the DHCP traffic has to be turned on.
- In the Local Public Network Filters section, the filter allowing the DHCP traffic has to be turned on, too.
If the protected hosts and the DHCP server are deployed in different subnetworks, then on the coordinator functioning as a firewall, you should make some advanced settings.

Figure 101. A DHCP server for forward traffic
In the Forward Public Network Filters section, create a filter with the following parameters:
Table 8. Forward Filter for a DHCP server
Description | Source | Destination | Protocols | Action
Allow DHCP | All | All | UDP: from 67 to 68; UDP: from 68 to 67 | Allow
On a coordinator, you need to configure the Windows operating system so that the DHCP messages could be transferred between the two networks (see Deploying a DHCP Server and Clients in Different Subnetworks on page 196). These settings affect the ViPNet software.
If the DHCP server is tunneled by a coordinator, filters have to be enabled that allow connections between protected and tunneled hosts.
Figure 102. A tunneled DHCP server

Deploying a DHCP Server and Clients in Different Subnetworks
If a DHCP server and its clients are deployed in different subnetworks:
1 If you need to tunnel the DHCP server, specify the DHCP server IP address to tunnel.
Note: Tunneling of a DHCP server ensures that the clients that get their IP addresses from this server connect to it via an encrypted channel.
2 On the coordinator, install and configure the DHCP Relay Agent. For the information on configuring the DHCP Relay Agent, go to the Microsoft web site.
Warning: A DHCP Relay Agent is used in Windows Server 2003 and Windows Server 2008 operating systems.
To deploy a DHCP Relay Agent, on the coordinator do the following (using standard Windows means):
1 Run the Routing and Remote Access Service (RRAS).
2 Install a DHCP Relay Agent.
3 Configure the DHCP Relay Agent.

Deploying a DMZ
The Purpose of a DMZ
In a basic scheme of a DMZ (demilitarized zone) (on page 381) with one firewall, the network is divided into two segments:
- The protected segment. Hosts from this segment are allowed to establish outbound connections with hosts on the Internet and in the DMZ, but are forbidden to accept inbound connections from the Internet and from the DMZ.
- The DMZ segment. Hosts from this segment are allowed to establish both inbound and outbound connections with hosts on the Internet. From the protected segment, only the inbound connections are allowed.
In a DMZ, servers and services accessible to external users (Internet users) are usually deployed. Network segmentation prevents access from an external network to the hosts of the internal network that are not intended to be public servers; thus, the DMZ scheme ensures a higher security level in your LAN.
Figure 103. Traffic flow in a DMZ scheme
Above, you can see a DMZ deployment scheme. Here, a coordinator functions as a firewall with the NAT function and has at least three network interfaces:
1 A local interface connected to the protected network segment.
2 A local interface connected to the DMZ segment.
3 An external interface (one or more) connected to the Internet.
Outbound connections may be established in the following directions:
- from the protected segment to the DMZ.
- from the protected segment to the Internet.
- from the Internet to the DMZ and back.

The network segmentation and traffic limitation allow you to organize external access to public servers and services in your LAN, keeping the other hosts of the LAN protected against attacks from the outside. Even if a malicious user gets control over the DMZ segment, he or she will not be able to access the other LAN segment.
Configuring ViPNet Coordinator
Configuring the ViPNet Coordinator software to function as a firewall on the DMZ edge includes:
- Creating forward filters for all the allowed traffic directions.
- Configuring IP address translation rules to organize the access of local hosts to the Internet and of external hosts to the public segment.
- Enabling the Block all connections except allowed filter on the coordinator. By default, this filter is enabled.
Configuring Forward Filters
To configure filtering rules which allow the traffic between LAN segments and the Internet in specified directions, do the following:
1 In the navigation pane of the main ViPNet Monitor window, select Network Filters > Forward Public Network Filters.
2 On the view pane, create the following network filters (see Creating Network Filters on page 146):
- A filter allowing the outbound connections from the protected segment to the DMZ.
- A filter allowing the outbound connections from the protected segment to the Internet.
- A filter allowing the connections between the DMZ and the Internet in both directions.
The parameters for the forward filters that you need to create are listed in the table below. Network interface numbers are given in accordance with the scheme (see figure 103 on page 197) presented above.
Table 9. Forward filters for making a DMZ
Filter description | Source | Destination | Protocols | Action
Allow connections from the protected segment with the DMZ | <internal interface (1)> | <DMZ segment addresses> | <protocols of connection with the DMZ servers> | Allow
Allow connections from the protected segment with the Internet | <internal interface (1)> | <external interface (3)> | TCP: 80, TCP: 443, and so on | Allow

Table 9 (continued)
Filter description | Source | Destination | Protocols | Action
Allow connections from the DMZ with the Internet | <DMZ segment addresses> | <external interface (3)> | TCP: 80, TCP: 443, and so on | Allow
Allow connections from the Internet with the DMZ | <external interface (3)> | <DMZ segment addresses> | <protocols of connection with the DMZ servers> | Allow
Tip: If needed, you can schedule filters' actions. For example, you can permit your employees to access the Internet from 9:00 to 18:00 on weekdays.
Configuring NAT Rules
To organize access to the Internet for local network hosts and access to the DMZ segment from the Internet, on the coordinator, configure network address translation rules (see Configuring Network Address Translation (NAT) on page 169). To do this:
1 In the navigation pane of the main ViPNet Monitor window, select Network Filters > NAT.
2 In the NAT section, create a source IP address translation rule (see Source IP Address Translation on page 172) which allows local hosts to access the Internet. In the Options for Network Address Translation (NAT) Rule window, configure the following parameters:
- In the Destination section, set the pool of public IP addresses (see Public address on page 384) by selecting the Public IP addresses group. This is a ViPNet Monitor default group.
- In the Network Address Translation (NAT) section, select the Translate source IP address to check box and then select IP address of the interface, which sends IP packets (defined automatically).
- In the Sources and Protocols sections there is no need to set any parameters.
3 Create destination IP address translation rules (see Destination IP Address Translation on page 171), which provide the access of external hosts to the servers located in the DMZ. For every server, configure a separate rule by setting the following parameters in the Options for Network Address Translation (NAT) Rule window:
- In the Sources section, set the pool of public IP addresses by selecting the Public IP addresses group. This is a ViPNet Monitor default group.
- In the Destination section, set the external IP address of a coordinator, which will accept requests to servers located in the DMZ segment.
- In the Protocols section, set the protocols and the ports for the access to the server.
- In the Network Address Translation (NAT) section, select Translate destination IP address to and in the text box type the private IP address of a server located in the DMZ, to which you want the requests to be forwarded.
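The DMZ procedure above (the Table 9 forward filters, the default block filter, the source translation rule toward the Public IP addresses group and one destination translation rule for a DMZ server), worked through in Python as an added example that is not part of the guide or of ViPNet. The segment addresses, the DMZ server set, the translation-then-filter order and first-match filter evaluation are assumptions made for the example, not statements from the guide.

```python
# Model of the DMZ scheme: forward filters from Table 9, the implicit
# "Block all connections except allowed" behaviour, one source translation
# rule and one destination translation rule, applied to constructed packets.
# Added example, not ViPNet code; addresses and evaluation order are assumed.
from dataclasses import dataclass, replace as dc_replace
from ipaddress import ip_address, ip_network

# Constructed segment layout (assumed for the example).
PROTECTED = ip_network("10.1.0.0/24")   # behind internal interface (1)
DMZ = ip_network("10.2.0.0/24")         # behind DMZ interface (2)
COORD_EXTERNAL = "203.0.113.1"          # coordinator's address on external interface (3)
WEB_SERVER = "10.2.0.10"                # a web server in the DMZ


def zone(ip: str) -> str:
    """Return the interface number (1, 2 or 3) through which an address is reached."""
    addr = ip_address(ip)
    if addr in PROTECTED:
        return "1"
    if addr in DMZ:
        return "2"
    return "3"  # anything else is the Internet, reached via the external interface


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class ForwardFilter:
    name: str
    src_zone: str
    dst_zone: str
    protos: frozenset  # set of (proto, port) pairs; empty means any protocol
    allow: bool

    def matches(self, p: Packet) -> bool:
        return (zone(p.src) == self.src_zone
                and zone(p.dst) == self.dst_zone
                and (not self.protos or (p.proto, p.dport) in self.protos))


WEB = frozenset({("tcp", 80), ("tcp", 443)})  # "TCP: 80, TCP: 443, and so on"
DMZ_SERVICES = frozenset({("tcp", 80), ("tcp", 443), ("tcp", 25)})  # constructed server set

# Table 9, in the order the guide lists the filters; first match wins (assumed).
FORWARD_FILTERS = [
    ForwardFilter("protected -> DMZ", "1", "2", DMZ_SERVICES, True),
    ForwardFilter("protected -> Internet", "1", "3", WEB, True),
    ForwardFilter("DMZ -> Internet", "2", "3", WEB, True),
    ForwardFilter("Internet -> DMZ", "3", "2", DMZ_SERVICES, True),
]


def forward_decision(p: Packet) -> str:
    """Name of the first matching allow filter, or 'blocked' when only the
    default 'Block all connections except allowed' filter applies."""
    for f in FORWARD_FILTERS:
        if f.matches(p):
            return f.name if f.allow else "blocked"
    return "blocked"


# Destination translation rules: (external address, proto, port) -> DMZ server.
DNAT_RULES = {(COORD_EXTERNAL, "tcp", 80): WEB_SERVER}


def apply_dnat(p: Packet) -> Packet:
    """Forward requests from public sources that hit the coordinator's
    external address on a published port to the DMZ server behind it."""
    target = DNAT_RULES.get((p.dst, p.proto, p.dport))
    if target is not None and zone(p.src) == "3":
        return dc_replace(p, dst=target)
    return p


def apply_snat(p: Packet) -> Packet:
    """Source translation rule: traffic leaving for public addresses gets the
    sending interface's address (the external address) as its source."""
    if zone(p.dst) == "3" and zone(p.src) != "3":
        return dc_replace(p, src=COORD_EXTERNAL)
    return p


def process(p: Packet) -> tuple:
    """Assumed pipeline: destination translation, forward filtering, then
    source translation. Returns (verdict, packet as it leaves the coordinator)."""
    p = apply_dnat(p)
    verdict = forward_decision(p)
    if verdict == "blocked":
        return ("blocked", p)
    return (verdict, apply_snat(p))


if __name__ == "__main__":
    # Constructed sample traffic: public client 198.51.100.7, protected host 10.1.0.5.
    for pkt in (Packet("10.1.0.5", "198.51.100.7", "tcp", 443),    # allowed, source translated
                Packet("198.51.100.7", COORD_EXTERNAL, "tcp", 80),  # forwarded to the web server
                Packet("198.51.100.7", "10.1.0.5", "tcp", 445),     # Internet -> protected: blocked
                Packet(WEB_SERVER, "10.1.0.5", "tcp", 80)):         # DMZ -> protected: blocked
        print(process(pkt))
```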

Access Protocols and Ports for Various Server Types
To access a web server, allow the following protocols and ports:
- TCP 80 (HTTP);
- TCP 443 (HTTPS).
To access a mail server, allow the following protocols and ports:
- TCP 25 (SMTP) for sending messages;
- TCP 110 (POP3) for receiving messages.
To access an FTP server, allow the TCP protocol, port 21.

15 Integrated Communication Tools
Overview (Integrated Tools) 202
Encrypted Instant Messaging 203
File Exchange 208
External Programs 214
Viewing Web Resources of a ViPNet Host 215
Shared Host Resources Overview 216
Checking Connection to a ViPNet Host 217

Overview (Integrated Tools)
The ViPNet Monitor software includes the following set of additional tools to facilitate a rapid and secure data transfer:
- Exchanging encrypted chat and conference messages.
- File Exchange.
- Starting external programs.
- Opening a web resource on this ViPNet host.
- Viewing shared network resources.
- Checking connection to another ViPNet host.

Encrypted Instant Messaging
ViPNet network users can chat with other ViPNet users or take part in a conference with several users:
- You can start a chat with one or many users simultaneously. Note that other counterparts will receive your messages, but will not receive each other's messages. To start a chat, in ViPNet Monitor, in the navigation pane, select Private Network. Then, in the view pane, choose one or several hosts. On the hosts' context menu, click Chat or, on the toolbar, click Chat.
- You can start a conference with more than one user, so that all the counterparts would receive each other's messages and respond to them. This is the essential difference between the chat and the conference. To start a conference, in ViPNet Monitor, in the navigation pane, choose Private Network. Then, in the view pane, select several hosts. On the hosts' context menu, click Organize Conference or, on the toolbar, click Conference (by default, this button is hidden).
You can exchange instant messages in several messaging sessions at the same time. If you receive a message which does not belong to any messaging session, a new session is created. All messages in a session, incoming and outgoing, are written to the session log. If you send a message in a certain session, the response message you receive will belong to the same session and will be saved to the same log. If necessary, you can save the session log as a text file.
During a chat session, you can send files and messages to other ViPNet users.
Note: If Encrypted Instant Messaging is unavailable on your ViPNet host, ask your ViPNet network administrator to allow you to use this component.
Interface of the Encrypted Instant Messaging Program
In the Encrypted Instant Messaging program, you receive and send messages in the Encrypted Instant Messaging window shown in the figure below:

Figure 104. The main window of the Encrypted Instant Messaging program
The following elements are marked with numbers in the figure:
1 The menu bar.
2 The toolbar. To add or remove buttons displayed on the toolbar, on the View menu, click Customize Toolbar.
3 The Send message to pane. Contains the list of recipients the current messaging session is established with. After sending a message, the status of the message with each recipient is displayed using the following character symbols:
- S: the message has been sent, but not delivered.
- D: the message has been delivered, and a notification is displayed on the recipient's screen.
- R: the message has been read by the recipient.
- T: the message has been read and the recipient is going to answer.
Sent messages are numbered in the order of their sending. The columns with message statuses are displayed in the reverse order (this means that the first character symbol from the left identifies the status of the most recent message). Messages are only sent to the selected participants.
4 The search box. Type a name or several characters in the search box to filter the list of recipients in the Sessions pane or to find a message by a certain word in the Session log pane. The lines containing the symbols you enter will be highlighted with the yellow color.

5 The Message pane. Use this pane to type new messages.
6 The Session log pane. Displays the message history (log) of the current session.
7 The Sessions pane. Contains a list of active sessions and buttons for switching between them. The following table explains the purpose of the Sessions pane columns:
Column | Description
(status icon) | The session status:
  - The column is blank: the session is open and all messages have been processed.
  - (icon) The session is open and there are new messages.
  - (icon) The session has been closed by the initiator, but there are unread messages (you will see this icon only if the other user initiated the closed session).
  - (icon) The session has been closed by the initiator (you will see this icon only if another user initiated the closed session).
# | The session number.
Participants | The names of the session participants.
New | The number of new (unprocessed) messages. The field is blank if there are no new messages.
Not read | The number of unread messages. The field is blank if there are no unread messages. If there are unread messages among the new messages, items in the list for that session appear in bold.
Date of the last chat message | The date and time of the latest session message.
Below the active sessions list, you can see two navigation buttons. Use them to switch between the listed sessions. The viewing session history remembers the 10 last sessions that have been viewed longer than 5 seconds.
Sending Messages
To send instant messages:
1 If the Encrypted Instant Messaging window is closed, open it by clicking Applications > Chat. In the Encrypted Instant Messaging window, all the earlier messaging sessions will be opened.
2 To start a new chat or a conference, in the Encrypted Instant Messaging window, do the following:
- On the Session menu, select New, then click Chat or Conference.

- In the Choose ViPNet Host window, select the hosts with whose users you want to chat or to start a conference. Then, click Select. A new messaging session will open. If you specify only one ViPNet host, with which a messaging session has already been started, this session will be opened instead of a new one.
Note: To start a new chat or a conference, you can also select the hosts in the Private Network section and, on the hosts' context menu, click the corresponding option (see Encrypted Instant Messaging on page 203).
3 In the Encrypted Instant Messaging window, select the session to which you want to send new messages.
4 On the Message pane, enter the text of the message.
5 Click Send or press F5.
Tip: You can configure the action that occurs upon pressing Enter in the Message pane: sending a message or just creating a new line. To do this, in ViPNet Monitor, on the Session menu, click Options. The Options dialog box will be displayed. In the Chat section, under Shortcut Keys, choose Ctrl+Enter: Send Message, Enter: Carriage Return or the opposite option.
Receiving Messages
By default, when a message is received, the icon is displayed in the notification area, and the text of the message is displayed in the pop-up window above the icon. To read new messages, do one of the following:
- Click the icon in the notification area.
- In the Encrypted Instant Messaging window, on the toolbar, click Read new.
You can change the way you get notified of a new message. To do this:
1 In the main ViPNet Monitor window, on the Service menu, click Options.
2 In the Options dialog box, in the Chat section, select or clear the following check boxes:
- Display new message notification always on top.
- Notify about a new message using a flashing icon in the notification area.
- Show new messages in a separate window.
If the Show new messages in a separate window check box is selected, then, upon receiving new messages, the New Messages window will be displayed.

Figure 105. New messages are displayed in a separate window
In the New Messages window, the list of the new messages in the order of their delivery is displayed. By using the keys on the right of the window, you can accept a message (then it will be saved in the session log), reply to a message, or delete it.
Stop Exchanging Instant Messages
To close an instant messaging session:
1 In the Encrypted Instant Messaging window, in the Sessions pane, select the session you are going to close.
2 If you want to save the session log as a text file, right-click the session and, on the context menu, select Save As and specify the file for saving the log.
3 Do one of the following:
- On the Session menu, click Close.
- Press F8.
- On the toolbar, click Close.
4 After you close the session, it will not be displayed in the Sessions pane.
To close the Encrypted Instant Messaging program, do one of the following:
- On the Session menu, click Close.
- Click Close.
Note: Later, when you reopen the Encrypted Instant Messaging window, all current sessions will be restored.

File Exchange
With File Exchange, ViPNet network users can send each other files over a protected VPN channel. There are no restrictions on the size and type of the files you exchange. The integrity of these files is provided. If a file was corrupted in the exchange process, it will be automatically deleted.
Note: For the files received from the computers where earlier versions of the ViPNet software are installed, no integrity check is performed. In the File Exchange window (see figure 106 on page 209), the Integrity not verified status is displayed for such files. You should decide whether you want to use such a file.
You can start the File Exchange program from the ViPNet Monitor interface, from the Windows context menu, or from the Encrypted Instant Messaging program.
Note: If File Exchange is unavailable on your ViPNet host, ask your ViPNet network administrator to allow you File Exchange.
File Exchange Program Interface
To view the files sent and received by file exchange, open the File Exchange program window. To do this, in the main ViPNet Monitor window, on the Applications menu, click File Exchange. The File Exchange program window is displayed every time you send or receive files. The File Exchange program window is shown in the figure below.

Figure 106. The File Exchange window

The following elements are marked with numbers in the figure:
1 The menu bar.
2 The toolbar. The toolbar allows you to send a new file, to view the received files, or to delete a file from the list. To add or remove buttons displayed on the toolbar, on the View menu, click Customize Toolbar.
3 Filtering the file list. There are three modes of viewing the list of files:
- All files.
- Received files.
- Sent files.
4 The Received Files group. In this group, the files received from other ViPNet hosts are displayed.
5 The Sent files group. In this group, the files sent to other ViPNet hosts are displayed.
6 A link to the folder where the file is stored.

Sending a File from the ViPNet Monitor Program

To send a file using the ViPNet Monitor program:
1 In the navigation pane of the main ViPNet Monitor window, select Private Network.

2 In the Private Network section, select the ViPNet host you are going to send a file to. To select several hosts, hold the Ctrl key while clicking the required host names one by one. To narrow the list of network hosts, in the Private Network section, in the search box, start typing the name of the host you are searching for.
3 Do one of the following:
- On the toolbar, click Send.
- Right-click the host and, on the context menu, select Send File.
4 In the Open window, specify the files or folders you are going to send and click Open. The chosen files will be sent to the destination host.

Warning: The name length of the file you are sending (including the path) should not exceed 130 characters. When you send a folder: the folder name (including the path) length should not exceed 31 characters and cannot contain the exclamation mark; the length of the embedded folders' and files' names should not exceed 31 characters. If the above-described restrictions are violated, an error message will be displayed, and the files and folders will not be sent.

5 The File Exchange window (see figure 106 on page 209) displaying information about the files you have sent and their state will be displayed.
6 As soon as the files you have sent are delivered to the recipient, you receive a delivery notification. To disable notification, in the message box, select the Do not show me this message again check box.

Note: To configure notification, in the main ViPNet Monitor window, on the Service menu, click Options, and then select the File Exchange section.

Sending a File from the Windows Context Menu

To send a file to a ViPNet user:
1 In Windows Explorer, choose the file you are going to send. To select several files, hold the Ctrl key while clicking the required files one by one.
2 Right-click one of the chosen files and, on the context menu, select Send file to ViPNet user.

Warning: The name length of the file you are sending (including the path) should not exceed 130 characters. When you send a folder: the folder name (including the path) length should not exceed 31 characters and cannot contain the exclamation mark; the length of the embedded folders' and files' names should not exceed 31 characters. If the above-described restrictions are violated, an error message will be displayed, and the files and folders will not be sent.

3 In the File Exchange: Choose ViPNet Host window, select one or several recipients. Use the search bar to narrow the hosts list.

Figure 107. Choosing the recipients

4 When you have selected the recipients, click Select. The files will be sent to the selected hosts.
5 The File Exchange window (see figure 106 on page 209) displaying information about the files you have sent and their state will be displayed.
6 As soon as the files you have sent are delivered to the recipient, you receive a delivery notification. To disable notification, in the message box, select the Do not show me this message again check box.

Note: To configure notification, in the main ViPNet Monitor window, on the Service menu, click Options, and then select the File Exchange section.

File Exchange in the Instant Messaging Session

To send files from the Encrypted Instant Messaging program:
1 In the Encrypted Instant Messaging window, in the Sessions pane, select the session whose participants should receive your file.
2 In the Send message to pane, select the participants and, on the toolbar, click File.
3 In the displayed window, specify the files you are going to send and click Open. The chosen files will be sent to the session participants.

Warning: The name length of the file you are sending (including the path) cannot exceed 130 characters. If this restriction is violated, an error message will be displayed, and the files will not be sent.

4 The File Exchange window (see figure 106 on page 209) displaying information about the files you have sent and their status will be displayed.
5 As soon as the files you have sent are delivered to the recipients, you receive a delivery notification. To disable notification, in the message box, select the Do not show me this message again check box.

Note: To configure notification, in the main ViPNet Monitor window, on the Service menu, click Options, and then select the File Exchange section.

Receiving Files

When you receive a file from another ViPNet user:
1 The notification and the program icon are displayed in the Windows notification area.

Figure 108. Notification about received files

Note: To configure notification, in the main ViPNet Monitor window, on the Service menu, click Options, and then select the File Exchange section. Alternatively, in the File Exchange window, on the File menu, click Options.

2 To view the received files, in the Windows notification area, click the File Exchange program icon. The File Exchange window (see figure 106 on page 209) will be displayed.
3 In the File Exchange window, in the Received files list, choose the required file and do one of the following:
- In the File Name column, click the file name.
- On the toolbar, click Received.
A folder containing the file you have selected will be opened in a new window.

To view the files received from a certain ViPNet host:
1 In the main ViPNet Monitor window, in the navigation pane, select Private Network.
2 In the Private Network section, select the ViPNet host you received the files from and, on the toolbar, click Received. A folder containing the files from the ViPNet host you have selected will be opened in a new window.

Note: If, in the Protected Network section, you have selected more than one ViPNet host and clicked Received, a folder containing subfolders with the files received from the selected ViPNet hosts will open.

External Programs

ViPNet Client and ViPNet Coordinator software allows launching external programs, such as:
- Microsoft Portrait.
- VNC Viewer.
- Remote Desktop Connection.
- Radmin Viewer.

For more details on working with Radmin Viewer, VNC Viewer and Remote Desktop Connection, see Starting a Remote Access Program (on page 240).

By means of external programs you can use different services on the Internet, for example, remote access to your computer desktop. All the traffic of external programs in the ViPNet network is securely encrypted.

To interact with another ViPNet host using an external program:
1 In the main ViPNet Monitor window, in the navigation pane, select Private Network.
2 In the Private Network section, right-click the required host and, on the context menu, choose External programs, and then select the required program.

The selected external program will be launched automatically in a secure mode. The user of the selected host will be prompted to confirm the start of the program on the computer.

Viewing Web Resources of a ViPNet Host

If any web server or web application is installed on the same computer as ViPNet Client or ViPNet Coordinator, other ViPNet users can establish a protected (encrypted) connection to this computer. Only those ViPNet hosts that are allowed to connect to the host with the server installed will be able to access this web server.

This feature allows you to implement the protected Internet portal idea. In this portal, you can integrate various applications: CRM, CMS, database-driven applications, and many more.

To establish such a connection:
1 In the main ViPNet Monitor window, in the navigation pane, select Private Network.
2 In the Private Network section, select the host with the protected Internet portal and do one of the following:
- On the toolbar, click Web.
- Right-click the selected host and, on the context menu, click Open Web Resource on this ViPNet host.

Shared Host Resources Overview

The Explore shared network place service allows you to access shared network resources from your ViPNet host. A secure connection is established.

To view a shared resource:
1 In the main ViPNet Monitor window, in the navigation pane, select Private Network.
2 In the Private Network section, select the required host and either:
- on the toolbar, click Explore, or
- right-click the selected host and, on the context menu, select Explore Shared Network Place.

As a result, the network resources available on the selected host will be displayed in a new Windows Explorer window. You can view the shared network resources of only one ViPNet host at a time.

Checking Connection to a ViPNet Host

In the ViPNet Monitor program, you can check the current status (accessible, unreachable, activity) of the ViPNet hosts in the Private Network section. To check connection to a host, you should use the ViPNet software version or later.

To check connection to one or several ViPNet hosts and get information about their status:
1 In the navigation pane of the main ViPNet Monitor window, select Private Network.
2 In the Private Network section, select the ViPNet host you need to check connection to. To select several hosts, hold the Ctrl key while clicking the required host names one by one.
3 Do one of the following:
- On the toolbar, click Connection.
- Press F5.
- Right-click one of the selected hosts and, on the context menu, select Check Connection.

The Check Connection window containing information about the selected hosts will be displayed. The Check Connection window is shown in the figure below:

Figure 109. Check connection window

The following elements are marked with numbers in the figure:
1 The menu bar.
2 The toolbar. To add or remove buttons displayed on the toolbar, on the View menu, click Customize Toolbar.
3 The main pane. Contains the list of hosts you have selected to check connection to. The color and the background of a ViPNet host name correspond to its current status:

Host name color: ViPNet host status
- Violet: The host is available, but it has been inactive within the last 15 minutes.
- Black with a green background: The host is available and has been active within the last 15 minutes.
- Black: The host is not connected to the network at the moment.

To view more detailed information about the host status in a separate window, do one of the following:
- Double-click the required host.
- Select the host from the list and, on the toolbar, click Status.
- Select the host from the list and press F3.
The ViPNet host properties window will be displayed.

Figure 110. Detailed information about the selected host status

In the Check Connection window, you can send a Business Mail or chat message to one or several hosts or perform some other action available in the Private Network section. To do that, right-click the required host and, on the context menu, click the corresponding command.

4 The main pane columns. In the Status column, the host network status is indicated. You can see the possible statuses in the following table.

Status: Description
- Accessible: There is a full-fledged connection to the host.
- ViPNet connection established but ViPNet [Monitor] is inaccessible: ViPNet Monitor is not active on the host, but the host itself is available via a protected channel. In this case, the integrated communication tools (such as Encrypted Instant Messaging, File Exchange and others) will be unavailable, but you will be able to view the shared resources and web resources of the host, as well as connect to the host via the remote desktop.
- Unreachable: There is no connection with this host.

In the Last time of user activity column, you can see the time of the last host activity. To sort the list by a particular column, click the column heading. You can also add or remove columns using the context menu.

5 The search box. Allows you to filter the hosts list in the main pane (3).

6 The host properties pane. Contains detailed information about the host chosen from the main pane (3).
7 The status bar.

Note: By default, the toolbar (2), search box (5), host properties pane (6), and status bar (7) are not displayed in the Check Connection window. For these interface elements to be displayed, on the View menu, select the corresponding check boxes.

16 ViPNet Hosts Management

Working with the IP Packets Log 222
Viewing IP Packets Filtering Statistics 234
Viewing Information about the Coordinator, Its Working Time, and the Number of Connections 235
Managing ViPNet Monitor Configurations 236
Starting a Remote Access Program 240
Working in the ViPNet Host Administrator Mode 247
Start and Abnormal Termination Options 256

Working with the IP Packets Log

In the IP Packets Log section, you can generate an IP packets registration log according to various search options. This feature allows you to monitor all the inbound and outbound connections of a certain host.

Configuring IP Packets Search Options

To view the IP packets log:
1 In the main ViPNet Monitor window, in the navigation pane, expand Statistics and Events Logs and select IP Packets Log.

Figure 111. Configuring the IP packets log search options

2 In the IP Packets Log section, specify the following search options:
- When the IP packets were registered (within the last 24 hours, within the last hour, or a specified time interval).

- The number of log entries displayed. By default, the Show no more than check box is selected and the number of displayed entries is 100. If you clear the check box, all entries that match the search criteria will be displayed.
- In the Network interface list, select the coordinator interface through which the searched IP packets passed.
- In the IP traffic type list, choose:
  All IP traffic to view all entries about all IP packets.
  Tunneled to view entries about the IP packets registered in tunneled connections.
  Protected forwarded to view entries about the encrypted IP packets that passed through the coordinator performing as a router. The source and destination are ViPNet hosts. In this case, the coordinator itself is neither a source nor a destination of the packets.
  Open forwarded is similar to the Protected forwarded option, but in this case the source and destination are unprotected hosts (hosts that do not have ViPNet software installed and at the same time are not tunneled by a coordinator).
  Protected local to view entries about the encrypted IP packets for which the selected network interface of your coordinator is a source or a destination.
  Open local to view entries about the unencrypted IP packets for which the selected network interface of your coordinator is a source or a destination.
- In the Event list, specify a certain event type or group of event types that ViPNet Monitor assigns to each IP packet (see Events Tracked by the ViPNet Software on page 340).
- Under Host <1>, specify the IP address (or IP address range) of the computer or the name of the ViPNet host that is the first party to the connection (the IP packets' source or destination).
- Under Host <2>, specify the IP address (or IP address range) of the computer or the name of the ViPNet host that is the other party to the connection.

Note: It is useful to specify both values (IP address and ViPNet host) if the other host has several IP addresses and you need to get information only about connections with a certain IP address of the chosen host.

- In the Protocol list, choose the protocol used to transfer the IP packets you need to view. If the required protocol is not on the list, click the Browse button and, in the Protocol List window, select the required protocol.
- Under IP packet parameters:
  In the Direction list, choose the direction of transferring the IP packets you need to view (All, Incoming, Outgoing).
  In the Address type list, specify to what kind of addresses the IP packets were sent (Any, Unicast, Broadcast, Multicast).
  In the Source list, select the connection party that is the IP packets' source.

- In the Translation list, specify whether to display entries about IP packets processed according to the NAT rules set on the coordinator.

To restore the default search options, click Parameters by default.

3 To apply the search criteria, click Search.

Note: If you search for the packets by using the default criteria, no more than 100 entries about the IP packets registered within the last hour will be displayed.

Viewing Search Results

When, in the IP Packets Log section, you click Search, the search for the packets matching the specified criteria is performed. The search results are displayed in the Viewing IP Packets Registration Log window.

Figure 112. Viewing the IP packets log (Coordinator)

The following is marked with numbers in the figure:
1 The menu bar.
2 The toolbar. To add or remove buttons displayed on the toolbar, on the View menu, click Customize Toolbar.
3 The main pane. Contains the list of log entries corresponding to the specified search criteria. To view more detailed information about the chosen IP packet in a separate window, in the Viewing IP Packets Registration Log window, on the toolbar, click Info. To find the name of the sender or recipient of the chosen IP packet, on the toolbar, click Name, or right-click the entry and, on the context menu, click Resolve Name.
4 The main pane columns.

To sort the list by a particular column, click the column heading. You can also add or remove columns using the context menu. See the detailed description of the columns in the table below:

Column name: Description
- Event type: Event types are indicated with the following icons: (icon) means that the IP packets are blocked; (icon) means that the IP packets are allowed; (icon) means that a service event type has been assigned to these IP packets.
- Packet type: Packet types are indicated with the following icons: (icon) means a forward IP packet; (icon) means a local IP packet; (icon) means a tunneled IP packet.
- Packet Attributes: IP packet properties are indicated with the following icons: (icon) means unencrypted incoming IP packets; (icon) means unencrypted outgoing IP packets; (icon) means encrypted incoming IP packets; (icon) means encrypted outgoing IP packets.
- Start time: Date and time when the entry for a group of one-type packets was created (when the first packet in the group was registered). For more information about logging one-type packet events registered within a specified time interval, see Configuring the IP Packets Log.
- End time: The end of the time interval within which IP packets of the same type were registered. If the interval has not elapsed yet, this column indicates the time when the latest IP packet of the type was registered; if more IP packets of the type are registered, the value will change.
- Source: ViPNet host name (for ViPNet hosts) or IP address and computer name (for open hosts) of the packet source.
- Source ID: ViPNet host name of the IP packet source (only for encrypted packets). If the packet is unencrypted, this column is blank.
- Source IP address: IP address and computer name of the IP packet source.
- Source port: IP packet source port number.
- Destination: ViPNet host name (for ViPNet hosts) or IP address and computer name (for unprotected hosts) of the IP packet recipient.
- Destination ID: ViPNet host name of the IP packet recipient (only for encrypted packets). If the IP packet is addressed to an unprotected host, this column is blank.
- Destination IP address: IP address and computer name of the IP packet recipient.
- Destination port (ICMP Type/Code): IP packet destination port number.
- Protocol: Protocol used to establish the connection.
- Event: The event corresponding to this entry. You can find the events' description in the Events Tracked by the ViPNet Software appendix (on page 340).
- Counter: The number of one-type IP packets grouped in one entry within a certain period of time.
- Size: The size (in bytes) of all IP packets grouped in one entry.

5 The IP packets properties pane. Contains detailed information about the entry chosen in the main pane (3).
6 The status bar. Displays the IP packet or IP packets group size (in bytes), the entry number, and the total number of log entries. If, in the main pane (3), several entries are chosen, the total size of all IP packets associated with those entries will be displayed on the status bar.

Tip: You can find out the total size of IP traffic processed by your ViPNet host by choosing to display all entries in the IP packets registration log. In the Viewing IP Packets Registration Log window, press Ctrl+A to select all entries. On the status bar, the total size of all the IP packets found will be displayed.

Viewing the IP Packets Log in Your Web Browser or Microsoft Excel

To export the generated IP packets log, in the Viewing IP Packets Registration Log window, on the File menu, click one of the following:
- View as HTML document. Your IP packets log will be opened in your default browser. In the address bar, you can see the full path to the file.
- View as XLS document. Your IP packets log will be opened in Microsoft Excel (the program should be installed on your computer). In Microsoft Excel, use Save as to save the log file as a table.

Choosing IP Packets to View

In the IP packets registration log, you can highlight the following types of packets:
- broadcast IP packets;
- IP packets associated with service events;
- IP packets within the same session, which started when the connection between the two hosts was established;

- IP packets sent to or received from the same IP addresses regardless of the IP traffic direction and connection port.

Note: A session is all IP packets transferred between host 1 and host 2. If the connection is established over TCP or UDP, then the ports are taken into account as well. For example, all IP packets sent from host 1 to host 2 over HTTP (IIS is installed on host 2, and host 1 opens a web page from this IIS) are considered to be within the same session. However, if host 1 tries to download a file from host 2 via FTP (in other words, download a file from the FTP server installed on host 2), the IP packets related to this communication will be considered to belong to another session.

To highlight IP packets:
1 In the Viewing IP Packets Registration Log window, right-click a log entry.
2 On the context menu, click:
- Highlight IP Packets with the Same IP Addresses to select all IP packet entries containing the same IP addresses as the IP packet you right-clicked.
- Highlight IP Packets within the Same Session to select all IP packet entries of the same session as the IP packet you right-clicked.
- Highlight Broadcast IP Packets to select all broadcast IP packet entries.
- Highlight Service IP Packets to select all IP packet entries associated with service events.
3 To cancel the selection, on the context menu, click Remove Selection.

Calculating Traffic Volume

You can use the IP packets log to calculate the total size of the IP packets that match your search criteria. To do this:
1 In the Viewing IP Packets Registration Log window, select the required log entries. You can select all entries at once by pressing Ctrl+A.
2 On the status bar, the total size of all the IP packets found will be displayed.

Best Practices of Encrypted and Unencrypted Connections Analysis

For convenient analysis of unprotected connections in the IP packets log, we recommend that you set the following parameters:
1 In the Viewing IP Packets Registration Log window, right-click any of the column headings.
2 On the context menu, click Select Columns.
3 To analyze:
- unencrypted traffic:

  In the Select Columns window, choose the following columns to be displayed in the log: Source IP address, Destination IP address.
  In the Select Columns window, hide the following columns: Source, Source ID, Destination, and Destination ID.
- encrypted connections:
  In the Select Columns window, choose the following columns to be displayed in the log: Source ID, Destination ID.
  In the Select Columns window, hide the following columns: Source IP address, Destination IP address.
4 To save the settings and close the window, click OK. To discard the changes and close the window, click Cancel.

Creating a Network Filter When Viewing the IP Packets Log

If you need to allow some IP packets from blocked connections or block some IP packets from allowed connections, you should configure a special network filter for such IP packets while viewing the connections in the IP packets log. To do this:
1 In the Viewing IP Packets Registration Log window, right-click the entry about the blocked connection you want to allow or the allowed connection you want to block.
2 On the context menu, click Create Filter. Depending on the selected connection's type, one of the following windows will be displayed:
- with options for creating a public network filter, if unencrypted IP packets were transferred within the connection;
- with options for creating a private network filter, if encrypted IP packets were transferred within the connection;
- with options for creating a public forward network filter, if forward IP packets were transferred within the connection;
- with options for creating a tunneled hosts filter, if tunneled IP packets were transferred between the coordinator's tunneled hosts and protected hosts within the connection.
3 In the window's sections, you can see automatically defined network filter parameters, which have been taken from the corresponding connection's log entry. If necessary, reconfigure the search options (see Creating Local Public Network Filters on page 152).
4 In the network filter's properties window, click OK.

As a result, the filter you created will be displayed in the network filters list.

Viewing the IP Packets Log Archive

The IP packets log can be archived to optimize the IP packets search and use disk space efficiently. A new archive is created when the size of the current IP packets log exceeds the value of the Maximum IP packets log size option. If the value is set to 0, the IP packets log is not archived.

To view the IP packets log archive:
1 In the main ViPNet Monitor window, in the IP Packets Log section, choose IP Packets Log Archive and select the archive belonging to the required period of time.

Note: If the IP Packets Log Archive subsection is not displayed, then no archive has been created by the system.

2 Set the search criteria for the log archive (see Configuring IP Packets Search Options on page 222).
3 The search results will be displayed in the Viewing IP Packets Registration Log window.

Tip: To delete an archive, in the IP Packets Log Archive subsection, select one or several archives and press Delete or click Delete on the context menu.

Viewing the IP Packets Log of Another Host

If you work in the host administrator's mode, you can view the IP packets registration log of another ViPNet host you have a link with. To do this:
1 Log on to ViPNet Monitor in the ViPNet host administrator mode (see Working in the ViPNet Host Administrator Mode on page 247).
2 In the main ViPNet Monitor window, in the navigation pane, select IP Packets Log.
3 In the ViPNet host list, choose the host whose log you are going to view. If the required host is not on the list, click the Browse button and, in the Choose ViPNet Host window, select the required host.
4 After you choose the host whose log you need to view, a connection to this host is established. If the connection is established successfully, the name of the selected host is displayed in the ViPNet host list. To cancel the connection, click Cancel.

Note: If the ViPNet host you are requesting the IP packets log from has ViPNet software of a version earlier than 3.0 installed, your search options will be significantly limited. This happens because the IP packets log format changed in version 3.0. If the search options are limited, you are informed about that with a corresponding message.

Keep in mind that if you view the IP packets log of another ViPNet host, the search options will be the same as those used on that host. This means that if you work on a coordinator and decide to view the IP packets log of a client, you will be able to define only the search options available for clients.

5 Set the search criteria (see Configuring IP Packets Search Options on page 222) and click Search.

Configuring IP Packets Logging

To configure the IP packets log settings:
1 In the ViPNet Monitor main window, on the Service menu, click Options.
2 In the Options dialog box, in the navigation pane, click IP Packets Log.

Figure 113. Configuring the IP packets log

3 Specify values for the following parameters:
- In the Maximum IP packets log size box, type or select the maximum log file size (1 MB by default). If your current IP packets log file size exceeds the value specified, the log entries are moved to the log archive in chronological order. To disable logging, set the value to 0. Entries about newly registered IP packets will not be added to the log; however, the entries created before the value was set to 0 will be kept.

The first time the log is archived, in the main ViPNet Monitor window, in the navigation pane, the Archive section is created.

Figure 114. Viewing the IP packets log archive

- In the Maximum IP packets archive log size box, type or select the maximum size of the archive (10 MB by default). If the log archive size exceeds the specified value, older entries will be deleted from the archive. To disable archiving, set the value to 0; the data archived before the value was set to 0 will be kept.
- In the Log list, choose which IP packets should be logged: All IP packets or blocked IP packets only.
- In the Log IP packets of the same type in the same log entry every box, specify the time interval in minutes. When the specified time interval is over, a new entry for a certain type of IP packets will be created in the log.

The underlying mechanism is as follows: when a packet with certain attributes (IP address, protocol, port, and so on) is registered, a new entry is created for it. Within the specified time interval, IP packets with the same IP address, port, protocol, and other attributes are registered, but new log entries are not created for them. You can see the number of such packets in the Counter column of the Viewing IP Packets Registration Log window. When the specified time expires, a new entry will be created for the next IP packet even if its attributes match the already created entry. If you receive a packet of another type, a new entry is created for this packet in the log. After a new entry is created, the time count starts again for the IP packets with the same attributes. This mechanism is the same for all IP packets being registered. The Start time and End time columns display the moment when the registration of one-type IP packets in one entry began or ended, respectively.

This mechanism allows you to decrease the IP packets log size significantly while maintaining its information value. The longer the time interval you specify, the smaller the IP packets log is. However, the accuracy of the log decreases proportionally (you cannot define the time of IP packets registration precisely).

If you set the value of the packets registration interval parameter to 0, an entry will be created for each registered IP packet. However, as a result, the log size may grow significantly. We recommend that you set the value 0 only for a short period of time and only for testing purposes. The ViPNet driver can store no more than 10,000 log entries. When the log size reaches this limit, older entries are overwritten with newer ones. If your IP traffic exchange is intensive, you may lose some information. Besides, traffic processing may slow down, because ViPNet Monitor increases the load on the CPU.

- Select the Log broadcast IP packets check box for the broadcast IP packets to be registered in your IP packets log.
- Make sure that the For TCP connections log only remote server port check box is selected. In this case, the TCP protocol IP packets will be grouped according to the server port regardless of the client port.
4 To save the settings, click Apply.
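The grouping mechanism described above (one entry per set of packet attributes until the interval elapses, the 0 setting, the 10,000-entry driver limit, the TCP server-port option) and the session definition behind Highlight IP Packets within the Same Session (page 228) can be modelled as follows. This Python is an added example, not ViPNet's own code: the Packet record, the Entry fields, and the assumption about which TCP port is the client port are constructed here, since the driver's log format is not published.

```python
"""Model of the ViPNet IP packets log grouping described in the guide.

Added example, not ViPNet code: the driver's record format is not public, so
Packet, Entry and the helper names below are constructed assumptions.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One registered IP packet (constructed record, not the driver's format)."""
    time: int        # registration time, seconds
    direction: str   # "in" or "out" relative to this host
    protocol: str    # "TCP", "UDP", "ICMP", ...
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    event: str       # event type assigned by ViPNet Monitor
    size: int        # bytes


@dataclass
class Entry:
    """One log entry: a group of one-type packets (Counter and Size columns)."""
    key: tuple
    start_time: int  # Start time column: first packet of the group
    end_time: int    # End time column: latest packet of the group so far
    size: int
    counter: int = 1


def group_key(p: Packet, tcp_server_port_only: bool) -> tuple:
    """Attributes that make two packets 'one-type' for the log.

    With 'For TCP connections log only remote server port' on, the client-side
    TCP port is ignored. Assumption: the client port is the source port of an
    outgoing packet and the destination port of an incoming one.
    """
    src_port, dst_port = p.src_port, p.dst_port
    if tcp_server_port_only and p.protocol == "TCP":
        if p.direction == "out":
            src_port = 0
        else:
            dst_port = 0
    return (p.direction, p.protocol, p.src_ip, src_port, p.dst_ip, dst_port, p.event)


class PacketLog:
    """Groups one-type packets into one entry for `interval_minutes`.

    interval_minutes == 0 gives one entry per packet. The driver keeps at most
    `max_entries` entries and overwrites older ones, modelled by a bounded deque.
    """

    def __init__(self, interval_minutes: int, tcp_server_port_only: bool = True,
                 max_entries: int = 10_000) -> None:
        self.interval = interval_minutes * 60
        self.tcp_server_port_only = tcp_server_port_only
        self.entries: deque[Entry] = deque(maxlen=max_entries)
        self._open: dict[tuple, Entry] = {}  # latest entry per key

    def register(self, p: Packet) -> Entry:
        key = group_key(p, self.tcp_server_port_only)
        cur = self._open.get(key)
        # Same-type packet inside the interval: extend the existing entry.
        if cur is not None and self.interval > 0 and p.time - cur.start_time < self.interval:
            cur.end_time = p.time
            cur.counter += 1
            cur.size += p.size
            return cur
        # Interval elapsed (or interval is 0): new entry, the time count restarts.
        if len(self.entries) == self.entries.maxlen:
            oldest = self.entries[0]  # about to be overwritten by the driver
            if self._open.get(oldest.key) is oldest:
                del self._open[oldest.key]
        cur = Entry(key=key, start_time=p.time, end_time=p.time, size=p.size)
        self._open[key] = cur
        self.entries.append(cur)
        return cur


def address_pair(e: Entry) -> frozenset:
    """Key for 'Highlight IP Packets with the Same IP Addresses': the two IP
    addresses regardless of traffic direction and port."""
    _, _, src_ip, _, dst_ip, _, _ = e.key
    return frozenset({src_ip, dst_ip})


def session_key(e: Entry) -> tuple:
    """Key for 'Highlight IP Packets within the Same Session': all packets between
    host 1 and host 2; over TCP or UDP the ports are taken into account as well."""
    _, proto, src_ip, src_port, dst_ip, dst_port, _ = e.key
    if proto in ("TCP", "UDP"):
        return (proto, frozenset({(src_ip, src_port), (dst_ip, dst_port)}))
    return (proto, frozenset({src_ip, dst_ip}))


def demo() -> list[Entry]:
    """Constructed sample: three HTTP requests to 192.0.2.20 (two inside the
    5-minute interval, one after it), one FTP packet, and one HTTP reply."""
    log = PacketLog(interval_minutes=5)
    for p in (
        Packet(0, "out", "TCP", "192.0.2.10", 51000, "192.0.2.20", 80, "allowed", 60),
        Packet(120, "out", "TCP", "192.0.2.10", 51001, "192.0.2.20", 80, "allowed", 60),
        Packet(400, "out", "TCP", "192.0.2.10", 51002, "192.0.2.20", 80, "allowed", 60),
        Packet(410, "out", "TCP", "192.0.2.10", 51003, "192.0.2.20", 21, "allowed", 48),
        Packet(420, "in", "TCP", "192.0.2.20", 80, "192.0.2.10", 51002, "allowed", 1500),
    ):
        log.register(p)
    return list(log.entries)
```

Running demo() yields four entries: the first two HTTP requests share one entry (Counter 2, End time 120) because the client ports differ but the server port is the same, the third request opens a new entry once the 5-minute interval has elapsed, and the FTP packet lands in a different session from the HTTP packets while sharing their IP address pair.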

Viewing IP Packets Filtering Statistics

To view IP packets statistics, in the main ViPNet Monitor window, in the navigation pane, click Statistics and Event Logs > Statistics. In the Statistics section, you can find information about the number of incoming and outgoing IP packets that have been allowed or blocked in accordance with the specified traffic filters. This information may be useful when you configure ViPNet Monitor for the first time. To reset the IP packets statistics, click Clear. To view the IP packets statistics on one of the coordinator's interfaces, in the Network adapter list, choose the required interface.

Figure 115. Viewing IP packets statistics

Viewing Information about the Coordinator, Its Working Time, and the Number of Connections

To get information about the ViPNet network your coordinator belongs to, about the user who logged on, about connections, and more, in the main ViPNet Monitor window, select ViPNet Coordinator.

Figure 116. Viewing additional information about a coordinator

Managing ViPNet Monitor Configurations

A configuration is a combination of all ViPNet Monitor program settings. In the Configurations section, you can create several additional configurations and enable the required one at any moment.

Using several configurations can be useful in the following case. Suppose that according to the company's security policy you cannot work with local resources and the Internet at the same time. Then you need to create two configurations: one configuration should allow you to work on the Internet and block access to the local network, and the second configuration should allow you to work on the local network and block access to the Internet.

Another case is regular reconfiguring of the private network connection. Here it is convenient to create a few configurations with different private network connection parameters, so that you do not need to change the settings every time: choosing the required configuration is enough.

On the first program startup, the Main configuration is created. It contains default settings. You cannot rename or delete this configuration.

In ViPNet Monitor, you can manage configurations in the following ways:

1 To add a new configuration, in the main ViPNet Monitor window, in the navigation pane, right-click Configurations and, on the context menu, click Create Configuration.

Figure 117. Creating a new configuration

The New configuration element will be displayed in the configurations list.

Note: In the administrator mode, you can create a program configuration for any of the users registered on this host. In this mode, you can see all the configurations created in the process of work with the program, and the configurations are grouped by user names.

2 To rename the configuration, right-click its name and, on the context menu, click Rename.

3 To enable a configuration, right-click its name and, on the context menu, click Load This Configuration.

Note: You can load the required configuration either from the main ViPNet Coordinator menu File > Configurations, or from the context menu of the program icon in the notification area.

4 If you change any settings in the current configuration (for example, create new network filters or change some program settings), you can save these changes in any other existing configuration, except for the main configuration. To do this, right-click that configuration and, on the menu, select Save Current Configuration. Confirm saving your changes by clicking Yes. In the current configuration, all changes are saved automatically.

If you have created multiple configurations and the Choose configuration on every startup check box is selected in the program settings, then the configurations list window will be displayed at ViPNet Monitor startup.

Figure 118. Choosing one of the configurations at the program startup

To load one of the configurations, choose it from the list and click OK. If the window is displayed but no configuration is chosen within 30 seconds, the main configuration is chosen automatically.

If you have multiple configurations, which are used at different periods of time, for your convenience, you may schedule switching between these configurations automatically (see Scheduling Configuration Change on page 237).

Scheduling Configuration Change

If you work with multiple configurations in ViPNet Monitor, and each configuration must be loaded at a certain time, you may configure switching between the configurations automatically. For example, this is convenient if you regularly need to switch to a configuration for working on the Internet at the same time of day. In other cases we recommend that you switch configurations manually.

You can schedule configuration change only if there are more than two configurations created. The main configuration does not count and you cannot schedule it. The main configuration is loaded automatically: it is enabled when other configurations are not.

Warning: When your schedules coincide, we do not guarantee that your configurations can be switched automatically. We recommend that you be careful when scheduling configuration change and make sure that the schedules do not coincide.

To schedule switching configurations:

1 In the main ViPNet Monitor window, in the navigation pane, right-click Configurations or a certain created configuration and, on the context menu, click Configure Schedule.

2 In the Configure Scheduled Configuration Change window, select the Use schedule to load configurations check box and add the required configurations to the list. When you are adding a configuration, in the Schedule Options window, specify the following options:
in the Effective from list, the time when the configuration will be loaded;
in the Duration list, the time period during which the configuration will be enabled after loading (the number of hours);
under Recurrence, the week days when the configuration will be loaded.

Figure 119. Setting a schedule for changing configurations

3 Click OK.

As a result, configuration change will be scheduled.

Figure 120. Scheduled configurations

To stop automatic switching of configurations, in the Configure Scheduled Configuration Change window, clear the corresponding check box.

To configure notification before every scheduled configuration change, in the program options, in the General > Warnings section, select the Notify before performing scheduled configuration change check box.
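The schedule entries above (Effective from, Duration in hours, Recurrence by weekday) can be checked for the coinciding schedules the warning refers to before they are entered into the program. The following is an added example, not ViPNet code: it maps each schedule onto minute offsets within a week, reports every pair of configurations whose intervals overlap (including an interval that runs past Sunday midnight into Monday), and tells which configuration would be loaded at a given moment, with the main configuration filling the gaps as the text describes. The configuration names and times are constructed.

```python
"""Added example (not ViPNet code): checks a set of scheduled configuration
changes for coinciding schedules and reports which configuration is active
at a given moment. Schedule names and times are constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Tuple

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
MINUTES_PER_WEEK = 7 * 24 * 60


@dataclass(frozen=True)
class Schedule:
    configuration: str          # configuration to load
    effective_from: time        # "Effective from"
    duration_hours: int         # "Duration" (hours the configuration stays loaded)
    weekdays: FrozenSet[str]    # "Recurrence"


def week_intervals(s: Schedule) -> List[Tuple[int, int]]:
    """Half-open [start, end) minute offsets from Monday 00:00 for one schedule.
    An interval running past Sunday midnight is split so it wraps into Monday."""
    out = []
    for day in s.weekdays:
        start = WEEKDAYS.index(day) * 1440 + s.effective_from.hour * 60 + s.effective_from.minute
        end = start + s.duration_hours * 60
        if end <= MINUTES_PER_WEEK:
            out.append((start, end))
        else:
            out.append((start, MINUTES_PER_WEEK))
            out.append((0, end - MINUTES_PER_WEEK))
    return out


def find_overlaps(schedules: List[Schedule]) -> List[Tuple[str, str]]:
    """Pairs of configurations whose schedules coincide at some moment."""
    conflicts = set()
    for i, a in enumerate(schedules):
        for b in schedules[i + 1:]:
            for s1, e1 in week_intervals(a):
                for s2, e2 in week_intervals(b):
                    if s1 < e2 and s2 < e1:
                        conflicts.add((a.configuration, b.configuration))
    return sorted(conflicts)


def active_configuration(schedules: List[Schedule], at: datetime,
                         main: str = "Main configuration") -> str:
    """Configuration loaded at `at`; the main configuration fills the gaps.
    Raises if more than one schedule claims the moment, because the program
    does not guarantee the switch in that case."""
    offset = at.weekday() * 1440 + at.hour * 60 + at.minute
    active = [s.configuration for s in schedules
              if any(st <= offset < en for st, en in week_intervals(s))]
    if len(active) > 1:
        raise ValueError(f"schedules coincide at {at}: {active}")
    return active[0] if active else main


WORKDAYS = frozenset(["Mon", "Tue", "Wed", "Thu", "Fri"])
SAMPLE = [  # constructed schedules
    Schedule("Internet", time(9, 0), 2, WORKDAYS),
    Schedule("Local network", time(11, 0), 6, WORKDAYS),
    Schedule("Maintenance", time(22, 0), 4, frozenset(["Sun"])),  # wraps into Monday
]
CONFLICTING = SAMPLE + [Schedule("VPN test", time(10, 0), 3, frozenset(["Wed"]))]

if __name__ == "__main__":
    print("overlaps:", find_overlaps(CONFLICTING))
    print("Wed 10:30 ->", active_configuration(SAMPLE, datetime(2024, 1, 3, 10, 30)))
```

Intervals are half-open, so a configuration whose Duration ends at 11:00 does not collide with one that becomes effective at 11:00; only a genuine overlap such as the constructed "VPN test" entry is reported.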

Starting a Remote Access Program

ViPNet Monitor allows you to get access to a remote ViPNet host using external programs like Remote Administrator (Radmin), VNC or Remote Desktop Connection. A ViPNet host administrator may need remote access to a ViPNet host if it is hard to access the computer physically. A user may need remote access to a ViPNet host deployed on a computer in the office to work on it from home.

To start a remote access program:

1 In the main ViPNet Monitor window, in the navigation pane, select Private Network.

2 Right-click the remote host you need to get access to and, on the context menu, click External Programs, then choose the program you need to start.

Figure 121. Starting an external program

On the External Programs menu, you can select only a program installed on your computer (see Installing Third-Party Software for Remote Management on page 241). Moreover, the selected host should have a non-zero IP address and it should have the corresponding server software installed, configured, and running (for example, Radmin Server, VNC Server).

Note: If you use the Remote Desktop program, you do not need to install the server software. Remote Desktop allows you to access any ViPNet host with Windows OS remotely.

If all the requirements are satisfied, the connection window is displayed. If the connection is established, you will be prompted to enter the password to get access to the selected host. After you successfully enter the password, a window showing you the remote host's desktop will be displayed.

Note: Keep in mind that in order to establish a connection to a ViPNet host, you should configure the remote access software correctly. For example, if you use the Remote Desktop program, on the host you are connecting to, adjust the following settings:
In the system properties, allow remote access to the computer.
Add the external user account to the list of remote users.

Installing Third-Party Software for Remote Management

If you want to connect to ViPNet hosts remotely with a third-party program, such as Remote Administrator (Radmin), VNC, or Remote Desktop Connection, make sure that this program is installed on your computer. You can download these programs' distribution kits from the following web pages:
Remote Administrator from the Radmin web page. The Remote Administrator package includes client and server components.
VNC from the RealVNC web page. The VNC package includes client and server components.
Remote Desktop Connection from the Microsoft web page. The Remote Desktop Connection program is installed by default in the following operating systems: Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows 8. You can establish connections from computers running any version of these operating systems, but you can access only computers running Corporate, Professional, and Ultimate versions. For more information, see the Microsoft web page.

Configuring a Terminal Server for Remote Management

Working in a terminal session (for example, when connecting to a server via Remote Desktop Connection), you may come across a problem: upon closing the terminal session, the ViPNet Monitor application is automatically unloaded from the remote server's cache and IP traffic protection is disabled. On coordinators, such behavior may result in connection failures for all ViPNet hosts using this coordinator as a firewall or an IP addresses server. The problem occurs if the terminal server is configured to unload all user applications when the terminal session is closed.

The figure below displays the options configured in the Terminal Services Configuration snap-in resulting in unwanted ViPNet Monitor unloading.

Figure 122. A terminal server is configured incorrectly

To solve the problem, set all the values to default by clearing all the Override user settings check boxes.

Figure 123. A terminal server is configured correctly

Note: In Windows Server 2008 R2, terminal services are called Remote Desktop Services.

Configuring Autologon for the Operating System and ViPNet Monitor

When you administer remote computers or computers with restricted physical access, after a restart, you often need to perform automatic logon to the operating system and start ViPNet Monitor automatically. This might be problematic, as the ViPNet user password is required before the operating system and ViPNet driver startup.

To configure the autologon feature for the system and automatic start for ViPNet Monitor:

1 Configure the autologon settings for the Windows operating system (see Configuring Autologon for the Windows OS on page 244).

2 In ViPNet Monitor:
Set the program to use the saved password when logging on. To do that, log on to ViPNet Monitor in the ViPNet host administrator mode (see Working in the ViPNet Host Administrator Mode on page 247). On the Service menu, click Security Service Settings. In the Security Service Settings dialog box, click the Administrator tab and select the Allow password saving in registry check box (see Advanced Security Settings on page 251).

Note: On a remote host, the Password only logon mode should be used (see User Logon Modes on page 66).

Enable desktop locking at ViPNet Monitor startup (see Start and Abnormal Termination Options on page 256) in order to prevent an unauthorized user from working on the computer.

Warning: You must have Windows OS administrator rights to configure these settings. If necessary, you can configure the settings remotely.

As a result, the operating system and ViPNet driver will be started automatically.

Configuring Autologon for the Windows OS

To configure the autologon feature for the Windows OS:

1 Press Win+R. If you are using the Windows XP or Server 2003 operating system, on the Start menu, select Run.

2 In the Run window, in the Open box, type the control userpasswords2 command and click OK. If you are using the Windows Vista, Server 2008 or Windows 7 operating system, you can also execute the netplwiz command.

3 In the User Accounts dialog box:
On the Users tab, in the list, choose the user whose credentials you are going to use to log on to the operating system and clear the Users must enter a user name and password to use this computer check box. The chosen user should belong to the Administrators group (should be registered as a computer administrator).

Figure 124. Configuring automatic logon for the Windows operating system

On the Advanced tab, clear the Require users to press Ctrl+Alt+Delete check box.

Figure 125. Advanced configuring of automatic logon for the Windows operating system

Note: If your computer belongs to a domain, this option may be unavailable because of the group security policy. In this case, to configure automatic logon to the operating system, you will need to edit the registry manually. Editing registry entries incorrectly can lead to problems in operating system performance. Thus, to ensure security, create a backup copy of the registry. This will allow you to restore the registry in case of a failure.

If the Users must enter a user name and password to use this computer check box is missing or unavailable, then, in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon section, specify the following parameter values:
AutoAdminLogon: 1 (true). This parameter is required to enable autologon for the operating system. If the parameter is set to 0, autologon is disabled.
DefaultDomainName: the name of the domain your computer belongs to.
DefaultUserName: the name of the user whose credentials you are going to use to log on to the system automatically.
DefaultPassword: the user password. If you do not assign any value to this parameter, the AutoAdminLogon parameter value is automatically set to 0 (false), disabling the autologon feature.
If the specified parameters are missing, create them manually using a string value (REG_SZ).

If the Require users to press Ctrl+Alt+Delete check box is missing or unavailable, browse to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. Then set the DisableCAD parameter to 1 (true). If the specified parameter is missing, create it manually using the DWORD type.

Click Apply.

4 In the Automatically Log On window, type the password and click OK.

Figure 126. The system autologon window

As a result, at the next computer startup, the user account you have chosen will be used to log on to the operating system automatically (you will not need to type the password and press Ctrl+Alt+Delete).
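Because the Winlogon values above are set by hand, it is worth being able to audit them afterwards. The following is an added example, not ViPNet or Microsoft code: it parses a Regedit export (.reg) of the two keys named in the text and reports whether autologon is effective (AutoAdminLogon is 1 and DefaultPassword is non-empty, since an empty DefaultPassword turns AutoAdminLogon back to 0), which account is used, whether DisableCAD is set, and that DefaultPassword sits in the registry as a cleartext REG_SZ string, which is why the text pairs autologon with desktop locking at ViPNet Monitor startup. The export text and the account name are constructed; the password value is a placeholder.

```python
"""Added example (not ViPNet or Microsoft code): audits a Regedit export
(.reg) for the Winlogon and Policies\\System autologon values.
The export text is constructed; the password value is a placeholder."""
import re
from typing import Dict, List, Union

Value = Union[str, int]
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICIES_SYSTEM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultDomainName"="EXAMPLE"
"DefaultUserName"="vipnet-host"
"DefaultPassword"="placeholder-not-a-real-password"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCAD"=dword:00000001
"""


def parse_reg(text: str) -> Dict[str, Dict[str, Value]]:
    """Minimal .reg parser: REG_SZ ("...") and dword: values only."""
    keys: Dict[str, Dict[str, Value]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            name, val = m.group(1), m.group(2)
            if val.startswith("dword:"):
                keys[current][name] = int(val[len("dword:"):], 16)
            elif len(val) >= 2 and val.startswith('"') and val.endswith('"'):
                # .reg files escape backslash and double quote inside string values
                keys[current][name] = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            else:
                keys[current][name] = val
    return keys


def audit_autologon(keys: Dict[str, Dict[str, Value]]) -> Dict[str, object]:
    wl = keys.get(WINLOGON, {})
    pol = keys.get(POLICIES_SYSTEM, {})
    password = str(wl.get("DefaultPassword", ""))
    # An empty DefaultPassword makes Windows reset AutoAdminLogon to 0,
    # so autologon is effective only when both values are set.
    enabled = str(wl.get("AutoAdminLogon", "0")) == "1" and password != ""
    cad_required = pol.get("DisableCAD", 0) != 1
    findings: List[str] = []
    if password:
        findings.append("DefaultPassword is stored as cleartext REG_SZ; anyone who can read "
                        "HKLM recovers it. Enable Lock desktop at ViPNet Monitor startup.")
    if enabled and cad_required:
        findings.append("Autologon set but Ctrl+Alt+Delete still required; set DisableCAD=1 (DWORD).")
    account = f'{wl.get("DefaultDomainName", "")}\\{wl.get("DefaultUserName", "")}' if enabled else None
    return {"autologon_enabled": enabled, "account": account,
            "cleartext_password_in_registry": password != "",
            "ctrl_alt_del_required": cad_required, "findings": findings}


if __name__ == "__main__":
    for k, v in audit_autologon(parse_reg(SAMPLE_REG)).items():
        print(f"{k}: {v}")
```

Run it against an export made with Regedit (File > Export) of the two keys; the parser deliberately handles only the REG_SZ and DWORD value types the text uses.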

Working in the ViPNet Host Administrator Mode

You can log on to ViPNet Monitor in the ViPNet host administrator mode. In this mode, you will get access to the following features and settings:
The Administrator section, displayed in the navigation pane of the main window, that allows you to configure advanced parameters on the host (see ViPNet Monitor Advanced Settings on page 248).
The event log containing entries about security level changes and other activities of the user and administrator (see Viewing the Event Log on page 253).
An opportunity to view the IP packets log of a certain ViPNet host (see Viewing the IP Packets Log of Another Host on page 230).
An opportunity to view and edit the ViPNet Monitor program configurations (see Managing ViPNet Monitor Configurations on page 236) created by all users on the host.

If you log on as an administrator, all restrictions preconditioned by your permissions level will be ignored.

To log on as an administrator:

1 Do one of the following:
In the ViPNet Monitor main window, on the File menu, click Log in as Administrator.
In the main ViPNet Client window, on the Service menu, click Security Service Settings. In the Security Service Settings dialog box, on the Administrator tab, click Administrator logon.

2 In the Administrator Logon window, type your ViPNet host administrator password.

Figure 127. Typing the ViPNet host administrator password

3 Click OK.

If the password you have typed is correct, the program will restart and all additional settings will become available.

Warning: In a ViPNet network managed with the ViPNet Administrator software, the host administrator password is defined in the ViPNet Administrator Key and Certification Authority program. In a ViPNet network managed with the ViPNet Network Manager program, the host administrator password is stored in the ViPNet_a.txt file located in the folder in which the key sets are stored.

ViPNet Monitor Advanced Settings

When you log on to ViPNet Monitor in the ViPNet host administrator mode, the Administrator section becomes accessible in the main window, in the navigation pane. In this section, you can configure a number of advanced program settings.

To configure the advanced settings:

1 Log on to the program in the ViPNet host administrator mode (see Working in the ViPNet Host Administrator Mode on page 247).

2 In the navigation pane of the main ViPNet Monitor window, select Administrator.

Figure 128. Configuring advanced program settings when you work with the program as an administrator

3 To change the ViPNet Monitor program settings, follow the guidelines of these sections:

Restricting User Interface (on page 249)
Program Startup Options (on page 249)
Computer Locking Settings (on page 250)
Traffic Protection Options (on page 251)

4 To save the settings, click Apply. To discard changes, click Cancel.

Restricting User Interface

If you want to restrict the user's ability to modify the ViPNet Monitor parameters and to hide the navigation pane, in the Administrator section (see ViPNet Monitor Advanced Settings on page 248), select the Restrict user interface check box.

Note: If the special permissions level 3 is specified for the host, then this check box is selected by default, and you cannot clear it.

If this check box is selected, then the following restrictions are enabled in the ViPNet Monitor program:
In the main ViPNet Monitor window, only the view pane with the ViPNet hosts list is available.
On the File menu, the Configurations and Change User commands are unavailable, while the Change User Password and Change Logon Mode commands are available. You may change a password only to a random password based on a passphrase.
The Service menu is unavailable. Because of that, you cannot edit, save, and restore ViPNet Monitor settings and Security Service settings.
You cannot start the transport module ViPNet MFTP by using the Applications menu.

Program Startup Options

If you want to configure additional parameters of the ViPNet Monitor program startup, in the Administrator section (see ViPNet Monitor Advanced Settings on page 248), do the following:

If you do not want ViPNet software to protect traffic after the Windows OS startup, select the Do not secure IP traffic before Windows logon check box. In this case, on Windows OS startup, ViPNet user authentication or ViPNet Monitor automatic startup is not performed. Thus, this computer will be unprotected. To enable traffic protection, you can manually start the ViPNet Monitor program.

Note: We do not recommend that you select this check box on any coordinators, on the clients with a dynamic IP address, or on the clients that connect to the hosts with a dynamic IP address.

If you want to prevent other users (having accounts on the computer) from starting ViPNet Monitor when they access this computer remotely (for example, using Remote Desktop), clear the Allow Monitor to be started in the remote session check box. By default, the check box is selected. This check box is available only if the software for remote sessions is installed on this computer.

Note: Only one ViPNet Monitor instance can be started on the computer. If the program has been started in another user's session, in Windows Task Manager, end the Monitor.exe process and then start the ViPNet Monitor program.

If you want the traffic protection to be enabled, but the ViPNet Monitor program not to start at Windows OS startup, select the Do not launch Monitor after Windows logon check box. This means that after the Windows OS startup only the ViPNet driver will be launched and this computer will be protected from network attacks.

If you want to restrict the user from starting Windows OS without loading ViPNet Monitor, select the Require ViPNet login before Windows logon check box. In this case, in the ViPNet Monitor logon window, the Cancel button will be unavailable.

Note: If the Do not secure IP traffic before Windows logon check box is selected, the Require ViPNet login before Windows logon check box is ignored.

Computer Locking Settings

If needed, in the Administrator section (see ViPNet Monitor Advanced Settings on page 248), in the Lock this Computer group, you can change the computer locking settings.

By default, in the ViPNet Monitor program, automatic locking of an idle computer is enabled. If you do not use your mouse or keyboard for the specified time, the current locking mode is applied automatically. If needed, in the When your computer is idle for box, set the time of automatic locking (by default, it is set to 15 minutes). To disable automatic computer locking, set the value in this box to 0.

In the ViPNet Monitor program, automatic computer locking upon detaching the user authentication device is enabled by default. If you want to disable it, clear the When you disconnect your authentication device check box. The computer is locked upon detaching the user authentication device only when you use the Password on Device or PIN and device logon mode (see User Logon Modes on page 66). If you use a Smartcard Athena device (see External Storage Devices on page 347), automatic locking will not work.

To continue working after your computer has been automatically locked, you need to connect the device, type the Windows user password, and type the PIN and password (if necessary) without changing the logon mode.

Warning: To unlock your computer, connect the exact device that you used previously to log on to the program and use the same logon mode. If you connect another device or choose another logon mode, you will not be able to unlock your computer.

Traffic Protection Options

If needed, in the Administrator section (see ViPNet Monitor Advanced Settings on page 248), you can specify additional IP traffic protection options.

ViPNet software automatically blocks incoming IP packets if the difference between their sending and receiving time exceeds a specified interval. This option affects the hosts linked with your computer (these hosts are displayed in the Private Network section). If needed, in the Maximum time period between sending and receiving an IP packet box, set the proper time interval in minutes (120 minutes by default).

Warning: As a result, IP packets from hosts whose system time is set incorrectly may be blocked.

If needed, you can cancel the effect of the security policies received from the ViPNet Policy Manager program. To do this, in the Security policy group, clear the Apply security policies received from ViPNet Policy Manager check box. For instance, you can cancel security policies to temporarily disable invalid network filters sent to the host by mistake. If you clear the Apply security policies received from ViPNet Policy Manager check box, the action of accepted security policies is canceled (network filters received with the security policies are hidden and their action is canceled), and your host notifies the host with ViPNet Policy Manager that it will not accept any new security policies. If you select the Apply security policies check box again, the previously applied security policies are reapplied and your host starts receiving new security policies from ViPNet Policy Manager.

Advanced Security Settings

After you log on in the ViPNet host administrator mode (see Working in the ViPNet Host Administrator Mode on page 247), you can configure advanced settings in the Administrator section as well as the following parameters in the Security Service Settings dialog box, on the Administrator tab:

Allow password saving in registry, in other words, allow the ViPNet host user to select the Save password check box when logging on to ViPNet Monitor. If this check box is selected, your user password is stored in the Windows registry and will be entered automatically next time you run ViPNet Coordinator.

Note: This parameter is set by the ViPNet network administrator in ViPNet Network Manager or ViPNet Administrator. This parameter is transferred to a host within a key set or a keys and host links update. The host administrator may select or clear the Allow password saving in registry check box, and this change will be effective until the next keys and host links update. Next time you update keys and host links, the check box will be cleared or selected as set by the ViPNet network administrator in the network management software.

Automatically log on to ViPNet allows you to log on to ViPNet Monitor without confirming your ViPNet user password in the logon window. If this check box is selected, at the program startup, on the current host, the logon window will not be displayed and you will log on to ViPNet Monitor automatically. This happens in the following cases:
when you use the Password only logon mode, if the password has been saved to the registry, in other words, if the Allow password saving in registry check box has been selected and, in the logon window, the correct user password has been entered and the Save password check box has been selected;
when you use the Password and device or PIN and device logon mode, if the authentication device has been attached to your computer and, in the logon window, the correct PIN has been entered and the Save PIN check box has been selected.

Enable external certificates. This feature allows you to use certificates not only from your personal store (or ViPNet internal store), but also from the system store. This may be required if you use a cryptographic service provider of another vendor (for example, CryptoPro) together with the ViPNet software, as well as certificates issued by external Certification Authorities (outside a ViPNet network).

Trust only ViPNet CA administrators' certificates.
If you clear this check box, at certificate validation, the program will search for the root certificate not only in the ViPNet internal store, but also in the Trusted Root Certification Authorities and Intermediate Certification Authorities system stores.

Ignore the absence of Certificate Revocation Lists (CRLs). We recommend that you select this check box if you use certificates issued by external certification authorities (not belonging to the ViPNet network), because those certificates may contain no CRL data.

Setting the User Logon Mode

The logon mode defines which credentials you need to use to log on to ViPNet Monitor. To change the logon mode:

1 Log on to the program in the ViPNet host administrator mode (see Working in the ViPNet Host Administrator Mode on page 247).

2 In the Security Service Settings dialog box, click the Keys tab, and then click Change.

3 In the Logon Mode window, choose a suitable logon mode. To find out more about the available logon modes, see User Logon Modes (on page 66).

Note: The Password on Device mode is unavailable, because it no longer meets up-to-date security requirements.

If you choose authentication by a certificate, connect the external device to the computer and select the proper certificate in the list of certificates found on the device. If you encounter any difficulties while using the certificate for authentication, see Cannot Log On with a Certificate (on page 304).

If you choose authentication by a personal key, connect the external device to the computer in order to save your personal key (see Keys in ViPNet Software on page 338) on the device. When saving the personal key (the protection key (on page 384)) on an external storage device, mind the following. If you use digital signing and encryption in third-party applications (for example, in Microsoft Office), we strongly recommend that you save the key container (on page 382) to the same device. Otherwise, digital signing and encryption in third-party applications will be impossible because there will be no access to the protection key. You can move the key container from the current folder to another folder on a disk, but you will have to enter your password every time you perform digital signing and (or) encryption in a third-party application.

Warning: If you work in the PIN and device logon mode and the external device is disconnected, your computer may be locked automatically, depending on the settings made in the ViPNet host administrator mode (see ViPNet Monitor Advanced Settings on page 248). To continue working, you should connect this device. If necessary, you can change the parameters of automatic computer locking and IP traffic blocking.

4 Click OK.

On the Keys tab, under Logon, the values of the Logon mode and Storage type boxes will change according to the logon mode you have selected.

On a ViPNet network managed with the ViPNet Administrator software, a logon mode can also be set by the ViPNet network administrator in the ViPNet Key and Certification Authority program. If the administrator sets that the user should use a certificate for authentication, then the user has to give an external device with a certificate and a private key to the administrator for registering. At the same time, the conditions given in the note in the Device section have to be met. After the new authentication mode has been assigned to a user, the administrator sends a host keys update to the user's host. After accepting this update, the user will be able to authenticate using only the selected mode.

Viewing the Event Log

In the event log, the following changes in ViPNet Monitor settings are logged:
Changing network filters.
User logon and logout.

Administrator logon.
Loading another configuration.
Other events.

This information allows the administrator to control security.

To view the event log:

1 Log on to the program in the ViPNet host administrator mode (see Working in the ViPNet Host Administrator Mode on page 247).

2 In the navigation pane of the main ViPNet Monitor window, select Administrator.

3 In the Administrator section, click Event log.

Figure 129. Viewing the event log

4 To view the event log in the HTML or XLS format, in the Event log window, right-click any entry and, on the context menu, click View as HTML document or View as XLS document. Note that, to view XLS files, you should have the Microsoft Excel program installed on your computer.

Information about the logged events is presented in the table below:

Column: Date and time. Description: Time of the event.

Column: User name. Description: The event initiator.

Column: Event. Description: Possible events:
User login.
User logout.
Administrator mode (logon in the ViPNet host administrator mode).
User login denied (user name is not identified): displayed when a user password has been typed incorrectly three times.
Administrator login denied (user name is not identified): displayed when an administrator password has been typed incorrectly three times.
Tech restart. The program restarts after updates are accepted.
Tech restart. The program restarts after abnormal termination.
Change user. Another user registered on this ViPNet host logs on to the program.
Change configuration. In the Configurations section, another configuration is chosen.
Change filter. A network filter has been created, edited or deleted.
Switching the Block all protocols except IP, ARP function on and off. You can select or clear the Block all protocols except IP, ARP check box in the Options dialog box, in the General section.
Switching the Lock Desktop on startup function on and off. You can select or clear the Lock Desktop on startup check box in the Options dialog box, in the Start and abnormal termination section.
Change NAT rule. A network address translation rule has been created, edited or deleted.
Change NAT rule order. NAT rules priority has been changed.
Enabling or disabling of anti-spoofing.
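Since the event log is meant to let the administrator control security, the entries above are worth running through a few detection rules rather than only reading by eye. The following is an added example, not ViPNet code: it parses a small constructed log in a semicolon-separated layout (the real log is viewed in the program or exported as HTML or XLS, and its exact export format is not shown on this page), then flags the three-failed-password denials, the switching off of anti-spoofing and of the Block all protocols except IP, ARP function, and filter or NAT changes outside a working-hours window; the event wording is modelled on the table above and the working hours are an assumption of the example.

```python
"""Added example (not ViPNet code): runs detection rules over event log
entries of the kind listed in the event table. The log lines, their
semicolon-separated layout and the working-hours window are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

SAMPLE_EVENTS = """\
2024-03-11 08:55:12;ivanov;User login
2024-03-11 09:02:40;ivanov;Change filter
2024-03-11 09:03:01;ivanov;Change NAT rule
2024-03-11 21:14:05;;User login denied (user name is not identified)
2024-03-11 21:16:30;;Administrator login denied (user name is not identified)
2024-03-11 21:18:02;petrov;Administrator mode
2024-03-11 21:18:40;petrov;Disabling of anti-spoofing
2024-03-11 21:19:10;petrov;Switching the Block all protocols except IP, ARP function off
2024-03-11 21:20:15;petrov;Change filter
2024-03-12 07:30:00;;Tech restart. The program restarts after abnormal termination
"""


@dataclass
class Event:
    time: datetime   # "Date and time" column
    user: str        # "User name" column
    event: str       # "Event" column


@dataclass
class Finding:
    severity: str
    event: Event
    reason: str


def parse_events(text: str) -> List[Event]:
    """Parse 'timestamp;user;event' lines; an empty user means not identified."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, event = line.split(";", 2)
        events.append(Event(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                            user or "(not identified)", event))
    return events


def analyze(events: List[Event], work_hours: Tuple[int, int] = (8, 18)) -> List[Finding]:
    """Rules: failed logons (three wrong passwords each), protection features
    switched off, and filter/NAT changes outside work_hours."""
    findings = []
    for ev in events:
        text = ev.event
        lowered = text.lower()
        in_hours = work_hours[0] <= ev.time.hour < work_hours[1]
        if text.startswith("Administrator login denied"):
            findings.append(Finding("high", ev, "three wrong administrator passwords"))
        elif text.startswith("User login denied"):
            findings.append(Finding("medium", ev, "three wrong user passwords"))
        elif "anti-spoofing" in lowered and "disabl" in lowered:
            findings.append(Finding("high", ev, "anti-spoofing switched off"))
        elif "block all protocols except ip, arp" in lowered and lowered.endswith("off"):
            findings.append(Finding("high", ev, "non-IP protocols no longer blocked"))
        elif text.startswith(("Change filter", "Change NAT rule")) and not in_hours:
            findings.append(Finding("medium", ev, "filter or NAT change outside working hours"))
    return findings


def summary(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(parse_events(SAMPLE_EVENTS)):
        print(f"{f.severity:6} {f.event.time} {f.event.user:16} {f.reason}")
```

On the constructed log the rules surface an evening sequence of failed user and administrator logons followed by an administrator-mode session that turns off anti-spoofing and the non-IP protocol block and edits a filter, which is the kind of pattern the log exists to make visible.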

Start and Abnormal Termination Options

To configure ViPNet Monitor start and abnormal termination:

1 In the ViPNet Monitor main window, on the Service menu, click Options.

2 In the Options dialog box, in the navigation pane, select General > Start and abnormal termination.

3 If you do not want the configuration selection dialog box (see Managing ViPNet Monitor Configurations on page 236) to appear on every startup, clear the Choose configuration on every startup check box. When ViPNet Monitor starts, the last used configuration will be loaded. If ViPNet Monitor has only one configuration, the configuration dialog box will not be shown even if the Choose configuration on every startup check box is selected.

4 If you want to lock your computer when ViPNet Monitor starts, select the Lock desktop check box. To unlock the computer after the program starts, enter the ViPNet host user password. This feature helps to prevent unauthorized access to the computer if its operating system is restarted and the user password is saved in the registry. ViPNet Monitor will take all the actions required to protect your computer.

5 If you do not want ViPNet Monitor to restart automatically after abnormal termination, clear the Restart Monitor application after abnormal termination check box (it is selected by default).

6 If you want Windows to restart automatically after system failures, select the Use WatchDog check box, and then, in the Restart after box, specify the time interval (in seconds). The WatchDog service tracks ViPNet Monitor operability. If the program's operability decreases due to a system failure, WatchDog will restart the OS. We recommend that you use this service on remote computers, which are difficult to access.

Note: The WatchDog feature is not supported in 64-bit operating systems.

Security Service Settings

The operations described in this section can be performed in the Security Service Settings dialog box. To open this dialog box, on the Service menu, click Security Service Settings.

Changing a User Password

We recommend changing a user password every 3 months. Most organizations have a security policy that prescribes how often the password should be changed. You should change your user password in the following cases:

- The validity period of your password has expired (if this period is limited).
- On your ViPNet host, you receive a keys update containing a new user password from ViPNet Key and Certification Authority or ViPNet Network Manager. In this case, the message "It is recommended to change your password" is displayed; however, the password is not changed automatically, so you need to change it manually.
- If a key container is protected not with a password but with a personal user key, the password to the key container is identical to the user password. That is why, if you need to change a key container password (see Changing the Container Password on page 296), you should change the user password.

Moreover, we recommend changing the user password right after the keys and host links installation, when you first log on to the ViPNet program. This increases the security of your password, as the new password is unknown to the ViPNet network administrator.

To change your user password:

1 In the Security Service Settings dialog box, click the Password tab.

Figure 130. Changing the current user password

2 Under Password Type, choose the type of your new password:

- User-defined is a password you create yourself (see Setting a User-Defined Password on page 258);
- Random password, based on a passphrase is a password generated automatically from a phrase according to the specified parameters (see Setting a Random Password on page 258);
- Random numeric is a password generated automatically from the specified number of digits (see Setting a Random Numeric Password on page 259).

3 Click Change password. Your further actions depend on the password type you have chosen and are described in the corresponding sections.

4 If you need to limit the password validity period, select the Enable password expiry check box and specify the desired period in days.

5 Click OK.

Setting a User-Defined Password

To change your current user password to a user-defined one:

1 On the Password tab (see figure 130 on page 257), choose User-Defined.

2 Click Change password.

3 In the Change Password window, type your new password (no shorter than 6 characters) and confirm it. Pay attention to the case and keyboard layout.

Warning: Your password must not contain more than 31 symbols. A longer password cannot be used in current versions of ViPNet software. This limitation is due to the existing algorithm of transferring your password to the cryptographic service provider: the password length cannot exceed 31 symbols.

4 Click OK. Next time you start ViPNet Monitor, you need to type your new password.

Setting a Random Password

To change the current password into a random password based on a passphrase:

1 On the Password tab (see figure 130 on page 257), choose Random password, based on a passphrase and specify the new password parameters:

- In the Dictionary list, select a language for the passphrase.
- In the Words in a passphrase list, select the desired number of words (3, 4, 6 or 8) in the passphrase. The more words you choose, the longer and more secure the password will be.

- In the Symbols from a word list, select the number of characters (3 or 4) that will be taken from the beginning of each word in the passphrase to form the new password.
- In the Password length field, the number of characters in the user password is displayed automatically on the basis of the specified parameters.

Warning: Your password must not contain more than 31 symbols. A longer password cannot be used in current versions of ViPNet software. This limitation is due to the existing algorithm of transferring your password to the cryptographic service provider: the password length cannot exceed 31 symbols. Note that the combination of 8 words with 4 symbols from each word gives 32 characters and therefore exceeds the limit.

2 Click Change password.

3 Follow the instructions in the Digital Roulette window.

Note: If, within the current session, the digital roulette has already been launched once, the window will not be displayed.

Figure 131. Digital Roulette

4 Remember the password and (or) the passphrase displayed in the Change Password window. If necessary, choose another password and passphrase according to the parameters specified: to do that, click Next Password. Click OK.

Now, at ViPNet Monitor startup, you should type the specified number of initial characters from each word in the passphrase, without spaces, using the Latin keyboard layout. For example, if the passphrase is "sailor conceals sorcerer" and 3 initial characters of each word are used, then the password is "saiconsor".

Setting a Random Numeric Password

To change your current user password into a random numeric password:

1 On the Password tab (see figure 130 on page 257), choose Random numeric and, in the Number of digits box, specify the password length.

Warning: Your password must not contain more than 31 symbols. A longer password cannot be used in current versions of ViPNet software. This limitation is due to the existing algorithm of transferring your password to the cryptographic service provider: the password length cannot exceed 31 symbols.

2 Click Change password.

3 To continue, follow the instructions in the Digital Roulette window (see figure 131 on page 259).

Note: If, within the current session, the digital roulette has already been launched once, the window will not be displayed.

4 Remember the PIN displayed in the Change Password window. If necessary, replace this PIN with another PIN of the specified number of digits: to do that, click Next PIN code. Click OK.

When you start ViPNet Monitor next time as this user, you should enter the PIN.
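The three password types above follow simple rules: a user-defined password is 6 to 31 characters, a passphrase-based password is the first 3 or 4 Latin letters of each of 3, 4, 6 or 8 dictionary words concatenated without spaces, and a numeric password is a PIN of the chosen number of digits, all limited to 31 symbols. The Python below is an added example (not code from the guide or from the ViPNet software) that reproduces the passphrase derivation, enforces the 31-symbol limit, and generates passphrases and PINs. It assumes a small constructed dictionary and uses the operating system CSPRNG (the `secrets` module) instead of the Digital Roulette; the function names are this example's own. It also goes one step beyond the text: because only a prefix of each word is used, two dictionary words sharing a prefix collapse into the same password fragment, so the effective entropy of the password is counted over distinct prefixes, not over dictionary words.

```python
"""Password derivation and checks for the ViPNet user password types described above.
Added example; function names, the toy dictionary and the use of `secrets` are assumptions."""
import math
import secrets

MAX_PASSWORD_LEN = 31         # limit stated in the guide's warnings
MIN_USER_PASSWORD_LEN = 6     # "no shorter than 6 characters"
WORDS_CHOICES = (3, 4, 6, 8)  # values offered in the Words in a passphrase list
SYMBOLS_CHOICES = (3, 4)      # values offered in the Symbols from a word list

# Constructed toy dictionary (the real ViPNet dictionaries are not on the page).
# "sailor" and "saint" share their first three letters on purpose.
DICTIONARY = ("sailor", "saint", "conceals", "sorcerer", "harbor", "lantern",
              "meadow", "pillar", "quartz", "ribbon", "timber", "velvet",
              "walnut", "yonder", "zephyr", "candle")


def password_from_passphrase(passphrase, symbols_per_word):
    """Derive the logon password as the guide describes: the first symbols_per_word
    letters of every word, concatenated without spaces."""
    words = passphrase.split()
    if not words or any(len(w) < symbols_per_word for w in words):
        raise ValueError("every word must have at least symbols_per_word letters")
    return "".join(w[:symbols_per_word] for w in words)


def check_length(password, minimum=1):
    """True if the password fits within the limits the guide gives."""
    return minimum <= len(password) <= MAX_PASSWORD_LEN


def validate_user_defined(password):
    """User-defined password: at least 6 and at most 31 symbols."""
    return check_length(password, MIN_USER_PASSWORD_LEN)


def generate_passphrase_password(words, symbols_per_word, dictionary=DICTIONARY):
    """Return (passphrase, password) for the 'Random password, based on a passphrase' type.
    Rejects parameter combinations whose derived password would exceed 31 symbols."""
    if words not in WORDS_CHOICES or symbols_per_word not in SYMBOLS_CHOICES:
        raise ValueError("unsupported words/symbols combination")
    length = words * symbols_per_word            # what the Password length field shows
    if length > MAX_PASSWORD_LEN:                # 8 words x 4 symbols = 32 > 31
        raise ValueError(f"{words} words x {symbols_per_word} symbols = {length} "
                         f"exceeds {MAX_PASSWORD_LEN}")
    passphrase = " ".join(secrets.choice(dictionary) for _ in range(words))
    return passphrase, password_from_passphrase(passphrase, symbols_per_word)


def generate_numeric_pin(digits):
    """Random numeric password (PIN) of the requested number of digits."""
    if not 1 <= digits <= MAX_PASSWORD_LEN:
        raise ValueError(f"digits must be between 1 and {MAX_PASSWORD_LEN}")
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def effective_entropy_bits(words, symbols_per_word, dictionary=DICTIONARY):
    """Entropy of the derived password rather than of the passphrase: dictionary words
    that share the first symbols_per_word letters yield the same password fragment."""
    distinct_prefixes = {w[:symbols_per_word] for w in dictionary}
    return words * math.log2(len(distinct_prefixes))


if __name__ == "__main__":
    print(password_from_passphrase("sailor conceals sorcerer", 3))  # saiconsor
    phrase, pw = generate_passphrase_password(6, 4)
    print(phrase, "->", pw, f"({effective_entropy_bits(6, 4):.1f} bits)")
    print(generate_numeric_pin(6))
```

With the toy dictionary, 3 words with 4 symbols each give exactly 12 bits (16 distinct prefixes), while 3 symbols give slightly less because "sailor" and "saint" both contribute "sai"; with a real dictionary the effect is larger, so count prefixes, not words, when judging how strong a passphrase-based password is.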

Configuring Encryption

You can configure encryption for outbound traffic. To do this:

1 In the Security Service Settings dialog box, click the Encryption tab.

Figure 132. Configuring encryption

2 In the Encryption algorithm list, choose the algorithm that will be used to encrypt outgoing messages. Outbound traffic will be encrypted with the chosen algorithm. If you manage your ViPNet network in ViPNet Network Manager version 4.3 or later or ViPNet Administrator version or later, the ViPNet network administrator can select another encryption algorithm centrally. The newly selected algorithm is applied on hosts after the keys and host links are updated on them.

3 Click OK.

Note: In this window, you may also specify the keys that should be used for encrypting the service data transferred via integrated ViPNet tools. By choosing encryption keys, you restrict access to the encrypted service information for other users who work on the same host. You can use this feature only if one of the roles VPN client, Business mail, CryptoService, or ViPNet SDK is assigned to the host.

Managing External Storage Devices

External storage devices can be used in ViPNet Monitor for authentication (in the Password and device and PIN and device logon modes) and for key container storage (see Working with a Key Container on page 294).

To manage external devices:

1 Click the Devices tab.

Figure 133. Managing external storage devices

2 Connect the device to your computer.

Note: To use an external device, you need to connect it and install the required drivers. You can find the list of compatible storage devices and basic information on how to use them in Supported External Storage Devices (on page 348).

The names of the currently connected devices are displayed in the Connected devices list, and the names of the key containers stored on the selected device are displayed in the Key containers found on the device list.

Note: Containers created in ViPNet Key and Certification Authority are named sgn_cont. When user keys arrive on your ViPNet host, a new container is named sgn_cont<sequence number of the previous container + 1> (for example, sgn_cont1, sgn_cont2, and so on).

3 Click Device types to specify the types of devices that are scanned for key containers. In the Configuring the Devices List window, select the device types and click OK.

Note: By default, all check boxes in the Configuring the Devices List window are selected. Clearing the check boxes for the devices you do not need speeds up the program slightly. For example, if a card reader that is not required by the ViPNet software is attached to your computer, clearing the corresponding check box disables polling of this device and speeds up the digital signature functions.

4 If necessary, initialize the selected device (see External Device Initialization on page 263).

5 If necessary, change the user PIN or administrator PIN for the selected device (see Changing a Device PIN on page 264).

6 If necessary, click View to view and (or) edit the properties of the key container stored on the connected device (see Working with a Key Container on page 294).

7 If you do not want to use a container stored on the device to log on to the ViPNet software, select the container in the list and click Delete.

External Device Initialization

External device initialization is required when you need to erase all data on the device. To initialize the connected device:

1 Make sure that the device you are going to initialize does not contain any important information. If necessary, copy the information from the external device to another device or hard disk.

2 On the Devices tab (see figure 133 on page 262), in the Connected devices list, select the required device.

3 Click Initialize.

4 In the message window warning you about deleting all data from the device, click Yes.

5 In the Initialization window, type the device administrator PIN.

6 If necessary, change the user PIN. To do that, type a new PIN and confirm it in the corresponding boxes.

7 Click OK.

Figure 134. External device initialization

Now the connected device is initialized.

Changing a Device PIN

A device PIN change may be required when the PIN expires according to the corporate security policy or for other regulated reasons. To change the user PIN or administrator PIN (depending on the permissions level) for the connected device:

1 Click Change PIN.

2 In the Change PIN window, select the PIN you need to change.

3 In the Type old PIN box, type the current PIN. In the other two boxes, type your new PIN and confirm it, and then click OK.

Figure 135. Changing a PIN for a device

Now you need to use the new PIN to access the device.

Configuring the ViPNet CSP Program

The ViPNet CSP program is a part of the ViPNet Coordinator software. ViPNet CSP is a cryptographic service provider that makes its cryptographic functions available to applications through the Microsoft CryptoAPI 2.0 interface. This allows you to perform cryptographic operations in Microsoft applications and other programs that use Microsoft CryptoAPI. The ViPNet CSP program allows you to work with key containers (see Key container on page 382) and external storage devices (on page 347).

To configure ViPNet CSP or specify the settings for automatic installation of certificates in the system store, do the following:

1 In the Security Service Settings dialog box, click the Cryptoprovider tab.

Figure 136. Configuring cryptographic service provider parameters

2 To configure ViPNet CSP, click Configure CSP. The ViPNet CSP Settings window will be displayed, in which you can do the following:
- configure the cryptoprovider's parameters;
- operate on key containers;
- configure parameters for working with external devices: set the types of devices that will be searched for key containers, initialize a device or change its PIN code.

For more information about configuring and using ViPNet CSP, see the document "ViPNet CSP. User's Guide".

3 If necessary, specify the certificates and CRLs that should be installed in the system store automatically (see Installing Certificates in a Store Automatically on page 274) by selecting the corresponding check boxes:
- current user certificate, to install the current certificate into the Windows system store;
- ViPNet Certification Authority certificates, to install into the system store the issuers' certificates (root certificates) received with keys updates from ViPNet Key and Certification Authority or ViPNet Network Manager;
- ViPNet Certificate Revocation Lists, to install into the system store the certificate revocation lists received with keys updates from ViPNet Key and Certification Authority or ViPNet Network Manager.

4 To save the settings, click OK.

17 Working with Certificates and Keys

Viewing Certificates in the Certificate Manager Window 269
Managing Certificates 273
Working with a Key Container 294

Viewing Certificates in the Certificate Manager Window

This feature is helpful when you need detailed information about a certificate: its purpose, issuer, fields, invalidity reason, and more. In ViPNet Coordinator, you can view the following certificate types: current user certificates and personal user certificates (see Viewing Personal Certificates on page 270), trusted root certificates (see Viewing Trusted Root Certificates on page 271), and issued certificates (see Viewing Issued Certificates on page 271).

You can see the main information about a certificate in the Certificate dialog box, on the General tab:
- the certificate purpose or (for invalid certificates) the reason for the certificate invalidity;
- the certificate subject (the public key owner) name;
- the certificate issuer's name;
- the certificate validity period;
- the validity period of the private key corresponding to the certificate;
- information about certificate policies, displayed when you click Issuer Statement.

Note: In ViPNet networks managed with the ViPNet Administrator software, the Issuer Statement button is available only if usage policies were assigned to the certificate when it was issued in the ViPNet Administrator KCA software.

Figure 137. Viewing general information about a certificate

Viewing Personal Certificates

To view your personal certificates:

1 In the Security Service Settings dialog box, click the Signature tab and click Certificates. The Certificate Manager window will be displayed, so that you can view information about all your personal certificates and the certificates installed in the operating system certificate store. All of these certificates are already installed.

Note: The certificates installed in the operating system certificate store are displayed only if, in the Security Service Settings dialog box, on the Administrator tab, you select the Enable external certificates check box (see Advanced Security Settings on page 251).

2 If you need more detailed information about any of the certificates, select the certificate name and click Properties, or double-click the name of the certificate. The Certificate dialog box will be displayed, allowing you to view information about the chosen personal certificate.

Viewing Trusted Root Certificates

To view trusted root certificates:

1 In the Security Service Settings dialog box, click the Signature tab and click Certificates.

2 In the Certificate Manager dialog box, click the Trusted Root Certificates tab.

3 If you need more detailed information about any of the certificates, select the certificate name and click Properties, or double-click the name of the certificate. The Certificate dialog box will be displayed, allowing you to view information about the chosen root certificate.

Viewing Issued Certificates

To view issued certificates:

1 In the Security Service Settings dialog box, click the Signature tab and click Issued Certificates. The Certificate Manager window will be displayed, allowing you to view information about the certificates issued in ViPNet Key and Certification Authority. These certificates are issued on the basis of renewal requests or on the initiative of the ViPNet Key and Certification Authority administrator, but have not been installed yet.

2 If you need more detailed information about any of the certificates, select the certificate name and click Properties, or double-click the name of the certificate. The Certificate dialog box will be displayed, allowing you to view information about the chosen issued certificate.

Viewing the Certification Path

To view the chain of certification authorities (see Certification path on page 379) through which a certificate is trusted:

1 Open the Certificate dialog box for the certificate whose trust chain you need to view.

2 Click the Certification Path tab. On this tab, you can see the certificates representing the hierarchy of certification authorities that issued the certificate for which you opened the Certificate dialog box. You can also view the status of those certificates.

3 If you need more detailed information about any of the certificates, select the certificate name and click Properties, or double-click the name of the certificate. The Certificate dialog box will be displayed, allowing you to view information about the chosen certificate.

Viewing Certificate Fields and Printing a Certificate

To view the fields of a certificate:

1 Open the Certificate dialog box for the certificate whose fields you want to view.

2 Click the Details tab. By default, the list of all the certificate fields is displayed on this tab.

3 To limit the number of fields you are viewing, choose the field group in the Show list:
- Version 1 Fields Only, to view all the fields except for extensions;
- Extensions Only, to view the additional fields of a certificate that conforms to the X.509 standard, version 3;
- Critical Extensions Only, to view only those extensions that are marked as critical by the issuer;
- Properties Only, to view the parameters that are not certificate fields. Such parameters are assigned to a certificate when it is kept in the system store of a host.

Note: The Private key validity period field is displayed if the certificate validity period is longer than one year. If the certificate validity period is more than a year, then the private key validity period is exactly one year.

4 Choose the required field and view its value in the lower part of the dialog box. To send the certificate to the default printer on your host, click Print.
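The note above gives the rule that ties the private key validity period to the certificate validity period. Together with the renewal conditions described in Renewing a Private Key and a Certificate (page 282), the 15-day default notification lead time (page 283), and the restriction that no renewal request can be created for RSA certificates (page 279), it can be written as a small decision function. The Python below is an added example, not part of the guide or of the ViPNet software: the status names, the `is_rsa` and `have_private_key` parameters and the use of a 365-day year are assumptions of this example; the actual software may count calendar years and may expose different states.

```python
"""Certificate and private key lifecycle checks following the rules stated in this guide.
Added example; status names, parameter names and the 365-day year are assumptions."""
from datetime import datetime, timedelta, timezone

ONE_YEAR = timedelta(days=365)                  # assumption: a year is 365 days here
MAX_CERT_VALIDITY = 5 * ONE_YEAR                # "certificate validity period may be up to 5 years"
DEFAULT_NOTIFY_BEFORE = timedelta(days=15)      # default notification lead time in the guide


def utc(year, month, day):
    """Helper to build timezone-aware UTC timestamps for the examples below."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def private_key_not_after(cert_not_before, cert_not_after):
    """End of the private key validity period.

    Guide's rule: the key is valid for exactly one year if the certificate is valid
    for more than a year, otherwise for the whole certificate validity period.
    """
    validity = cert_not_after - cert_not_before
    if validity <= timedelta(0) or validity > MAX_CERT_VALIDITY:
        raise ValueError("certificate validity must be positive and at most 5 years")
    if validity > ONE_YEAR:
        return cert_not_before + ONE_YEAR
    return cert_not_after


def lifecycle_status(cert_not_before, cert_not_after, now,
                     is_rsa=False, have_private_key=True,
                     notify_before=DEFAULT_NOTIFY_BEFORE):
    """Classify a certificate/key pair the way an administrator reasons about it
    from the guide: what can still be requested, and whether to warn the user."""
    if not have_private_key:
        return "no_private_key_no_request"        # without a key no request can be made
    if is_rsa:
        return "rsa_no_renewal_request"           # renewal requests not supported for RSA
    key_not_after = private_key_not_after(cert_not_before, cert_not_after)
    if now >= cert_not_after:
        # The key never outlives the certificate, so both have expired: only the
        # ViPNet KCA administrator can issue a new certificate.
        return "both_expired_admin_reissue_only"
    if now >= key_not_after:
        # Expired key, valid certificate: a renewal request can be created, but its
        # signature protects only the request's integrity; the CA must verify the
        # origin of the request by its own regulations.
        return "key_expired_request_integrity_only"
    if now >= min(cert_not_after, key_not_after) - notify_before:
        return "expiring_soon_notify"             # within the notification window
    return "valid"


if __name__ == "__main__":
    nb, na = utc(2024, 1, 1), utc(2026, 1, 1)     # constructed two-year certificate
    print("key valid until", private_key_not_after(nb, na).date())
    for when in (utc(2024, 6, 1), utc(2024, 12, 20), utc(2025, 3, 1), utc(2026, 2, 1)):
        print(when.date(), lifecycle_status(nb, na, when))
```

Run on a two-year certificate issued on 2024-01-01, the function reports the key as valid until 2024-12-31, starts warning on 2024-12-16, reports the integrity-only request state from 2025-01-01 and the administrator-only state once the certificate itself has expired.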

Managing Certificates

The certificate management functionality of ViPNet Coordinator, presented in the Security Service Settings dialog box, is described in the table below.

Functionality | Reference
Installing certificates in a store. You can install certificates in a store manually, or it can be done automatically. | Installing Certificates in a Store Automatically (on page 274); Installing Certificates in a Store Manually (on page 275)
Changing the current certificate. You can choose another certificate (from the user's valid personal certificates) as the current one. | Changing the Current Certificate (see Choosing Certificates for Current Usage on page 281)
Private key and certificate renewal. You can configure the parameters of notification about the validity period of the current certificate and the corresponding private key. You can also generate a request to renew this certificate and the corresponding private key, if necessary. | Configuring Notification That a Private Key and a Certificate Have Expired (on page 283); Procedure of Renewing a Private Key and a Certificate (on page 284)
Installing a certificate. To start using a certificate that arrived on your ViPNet host, you should install it first. You can configure the parameters of automatic certificate installation or install certificates manually. | Choosing Certificates for Current Usage (see Installing Certificates in Containers on page 289); Installing a Certificate Automatically (on page 289); Installing a Certificate Manually (on page 289); Installing RSA Certificates (on page 278)
Working with certificate requests. You can view the current state of certificate requests created by the current user, as well as delete unnecessary requests. | Working with Certificate Requests (on page 290); Viewing a Certificate Request (on page 290); Deleting a Certificate Request (on page 291)
Exporting a certificate. Depending on the purpose of using a certificate outside your ViPNet host, you can export the certificate to various file formats. | Exporting a Certificate (on page 291)

Installing Certificates in a Store

Installing certificates in a store allows you to use these certificates in external applications such as Windows Live Mail, Microsoft Outlook, Microsoft Word, and so on. You can install a certificate into the system store or into the ViPNet Coordinator store (the D_STATION subfolder of the transport folder). You can install certificates automatically or manually.

Warning: To install a certificate in the Windows Vista or Windows Server 2008 OS store, you should start ViPNet Coordinator as a system administrator. To do that, on the context menu, choose Run as Administrator.

Installing Certificates in a Store Automatically

The installation of certificates starts automatically if two conditions are met:
- the certificates (the current certificate of a user, a root certificate and certificate revocation lists) are absent from the store;
- in the Security Service Settings dialog box, on the Cryptoprovider tab, in the Automatically install into the system store section, all the check boxes are selected.

Note: In the automatic mode, the certificates are installed into the store of the current user.

Keep in mind that automatic installation of the root certificate may take considerable time, depending on the ViPNet program you use:
- ViPNet Monitor polls for parameters five minutes after it starts and, after that, every two hours. While the Security Service Settings dialog box is open, the polling interval is 10 to 15 minutes.
- ViPNet Business Mail and ViPNet CryptoService poll for parameters every 30 to 60 minutes.

You do not need to do anything when the current certificate and a CRL are installed automatically (if the above conditions are met). When a root certificate is installed automatically:

1 In the Installing Root Certificate window:

Note: The Installing Root Certificate window is displayed only when no root certificate is found in the Windows certificate store. This happens in the following cases:
- when the ViPNet software starts for the first time after the ViPNet host configuration setup;
- when you receive a renewed current certificate containing a new root certificate.

- to install the certificate automatically, click OK;
- to cancel the automatic installation of the root certificate and other certificates, select the Disable automatic installation of certificates check box, and then click OK.

Note: In the Security Service Settings dialog box, on the Cryptoprovider tab, in the Automatically install into system store section, the check boxes will be cleared as well.

Figure 138. Installing a root certificate

2 If automatic installation of certificates has not been canceled, in the window allowing you to add a certificate to a store, validate the certificate and click Yes. A root certificate is a trust anchor, so before clicking Yes compare the thumbprint shown in the window with the value obtained from your ViPNet network administrator through an independent channel.

Figure 139. Validating a root certificate

As a result, the root certificate will be installed in the certificate store of the current user.

Installing Certificates in a Store Manually

To work with protected documents, you need a private key and the corresponding certificate. You can install the key and certificate as a single container, or as a certificate and a key container separately. If you have a private key and you need to generate a certificate based on this key (or renew an existing certificate), make a certificate request to the Certification Authority.

Warning: To work with protected documents, you need to install, in addition to the user certificate, the root certificate and the CRL into the system certificate store.

You can install a certificate separately and associate it with a private key. To install a certificate into a user's store:

1 Open the Certificate dialog box for the certificate you are going to install into the store (see Viewing Certificates in the Certificate Manager Window on page 269).

2 Click Install Certificate.

3 In the certificate installation wizard, on the start page, click Next.

4 On the Choose the certificate store page, specify the store to install your certificate in and click Next.

Figure 140. Choosing a certificate store

Note: We recommend installing a certificate into the store of the current user in order to encrypt, decrypt, and sign files, as well as to get access to protected resources using a web browser. In the local computer's store, install the certificates that will be used by services on this computer. If you use ViPNet CSP on a web server to get access to protected resources, you need to install the certificate into the local computer's store. If you cannot install a certificate into the store, log on to the system as an administrator.

5 On the Ready to install this certificate page, check whether the parameters have been configured correctly. If necessary, click Back to return to the previous page of the wizard and configure the parameters differently.

Figure 141. The certificate is ready for installation

If the certificate is stored in a file separately from the private key, select the Choose container with your private key check box.

Note: The Choose container with your private key check box is optional. If you do not select it, you will need to specify the private key container location after the wizard completes the operation.

Click Next.

6 If the Choose container with your private key check box is selected and the container is not found or is unavailable, then, in the ViPNet CSP Key Container Initialization window, specify the key container location:
- a folder on a disk;
- a device (you will need to specify its parameters and a PIN).

Note: To use an external device, you need to connect it and install the required drivers. You can find the list of compatible storage devices and basic information on how to use them in Supported External Storage Devices (on page 348).

Then click OK.

7 In the "Do you want to store both the certificate and the private key in the same container?" message window, click Yes to store the certificate in the key container, or No to keep the certificate as a separate file.

Tip: It is convenient to store a certificate in a key container if you are going to export and install the container on another computer.

8 If the Choose container with your private key check box is selected and the container is available, in the ViPNet CSP Key Container Password window, in the Password box, type the password to access the container and click OK.

Note: The ViPNet CSP Key Container Password window is not displayed if you have previously saved the password and selected the Do not show this window again check box.

9 On the Completing the Certificate Installation Wizard page, click Finish.

As a result, the certificate is installed into the selected certificate store. If no private key was found when installing the certificate, you should install the key container corresponding to this certificate (see Installing a New Key Container and Changing the Key Container with the Current Certificate on page 299).

Installing RSA Certificates

In ViPNet networks, RSA certificates are distributed in PFX containers and are installed in a special way. If you want to use an RSA certificate in ViPNet Coordinator, your ViPNet network administrator should send you a *.pfx file with the RSA certificate. The administrator can either send this file to your host with key set updates or provide you with a key set that includes the *.pfx file.

Warning: You will not be able to create certificate renewal requests for RSA certificates in ViPNet Coordinator.

Within several minutes after your ViPNet host receives the key set updates, or after you manually install the new key set (*.dst file), a window prompting you to install the new certificate will be displayed.

Figure 142. Installing an RSA public key certificate

To install the certificate, do the following:

1 In the displayed Security Service Alert window, select Install certificate and click OK.

2 In the displayed window, enter the password that was set for your ViPNet host in ViPNet Administrator Key and Certification Authority, and click OK.

Figure 143. Entering a password to install an RSA public key certificate

If the entered password is correct, your certificate will be installed in ViPNet Coordinator. The issuer certificate and the CRL will also be installed from the PFX container.

If the password that you have entered is not the password that was set for your ViPNet host in ViPNet Administrator Key and Certification Authority, the certificate will not be installed, and the *.pfx file will be automatically copied to the ViPNet Coordinator installation folder, to the user keys subfolder \user_AAAA\key_disk\dm (where AAAA is the hexadecimal identifier of the ViPNet user without the network number). In this case, you will be able to install the certificate manually, using the *.pfx file. Keep in mind that the *.pfx file contains the private key protected only by that password, so remove it from the folder once the manual installation has succeeded.

Note: For ViPNet Coordinator to be able to import an RSA certificate from the operating system certificate store, in the Security Service Settings window, on the Administrator tab, the Enable certificates from the storage of your operating system check box should be selected.

To manually import the certificate to ViPNet Coordinator from the *.pfx file, do the following:

1 In Windows Explorer, open the folder containing the *.pfx file.

2 Start the Certificate Import Wizard by double-clicking the *.pfx file and follow the instructions in the wizard.

Figure 144. Starting the certificate import wizard

3 When the wizard prompts you to enter the password for the private key, enter the password that was set for your ViPNet host in ViPNet Administrator Key and Certification Authority.

4 On the last page of the wizard, click Finish to import the certificate to your operating system certificate store.

5 In ViPNet Coordinator, select Service > Security Service Settings.

Figure 145. Installing a certificate

6 In the opened window, on the Signature tab, click Change and select the certificate that you want to use. If you want to view information about the certificate before installation, click Properties.

Figure 146. Selecting a certificate

7 Click OK to install the certificate in ViPNet Coordinator.

Choosing Certificates for Current Usage

If you have one or more valid personal certificates, you can use one of them as the current one.

Warning: You need to choose a certificate as the current one when you receive a new certificate together with user keys. If you received a renewed certificate issued on a user request as part of user keys, you should select it as the current one to start using it.

To choose a valid personal certificate as the current one:

1 In the Security Service Settings dialog box, on the Signature tab, click Change. If you have at least one valid certificate, the Select Certificate window will be displayed, so that you can view information about all your personal certificates and the certificates installed in the system certificate store.

Note: The certificates installed in the operating system certificate store are displayed only if, in the Security Service Settings dialog box, on the Administrator tab, you select the Enable external certificates check box (see Advanced Security Settings on page 251).

If you have no valid personal certificate, the "You have no valid certificates with a valid private key" message box is displayed.

2 In the Select Certificate window, select the required certificate and click Properties if you need to view information about this certificate. Then click OK.

Note: Only a valid personal certificate that has been installed successfully can be used as the current certificate. If a personal certificate has been published but not installed, install it first (see Installing Certificates in Containers on page 289) and then set it as the current certificate.

If all the described operations are completed successfully, the certificate is set as the current one. On the Keys tab (see figure 156 on page 295), in the Signature group box, the data of the key container containing the selected certificate is updated.

Renewing a Private Key and a Certificate

The validity period of a public key certificate and of its private key is limited, so you should renew them on a regular basis. When you renew a certificate, the corresponding private key is renewed as well.

You should renew a certificate and the corresponding private key in the following cases:
- The public key certificate has expired. The certificate validity period may be up to 5 years.
- The private key has expired. The private key validity period is 1 year (if the corresponding certificate validity period is more than 1 year) or equal to the certificate validity period (if the certificate validity period is less than 1 year).

You need to receive a certificate with modified subject data (title, department, and so on) or with additional attributes or extensions. For example, to use a certificate in a digital document workflow, you may need to add specific usage policies to it.
Therefore, you should renew your public key certificate and private key at least yearly.
You can renew a certificate and a private key not only from ViPNet Coordinator (the Security Service Settings dialog box), but also from its component, the ViPNet CSP program (see the document ViPNet CSP. User's Guide).
Note: If the private key has expired but the corresponding public key certificate is still valid, you can still create a certificate renewal request. The request is signed with the expired private key, so its signature is not considered valid: it is not used for authentication, only for checking the integrity of the request. In this case, you will need to verify the request integrity according to the regulations of your Certification Authority. If both the private key and the certificate have expired, you cannot create a renewal request; a new certificate can then be issued only on the initiative of the ViPNet Key and Certification Authority administrator. If you do not have a private key at all, you cannot create a certificate request.

Configuring Notification That a Private Key and a Certificate Have Expired
By default, ViPNet Coordinator starts notifying you 15 days before a certificate or a private key expires. To change the notification settings:
1 In the Security Service Settings dialog box, click the Signature tab. In the Current certificate box, you can see the certificate validity period.

Figure 147. Viewing information about the current certificate and configuring notification about private key and certificate expiration
2 Select or clear the Notify the user when the certificate is going to expire (1-30 days) check box. If you select the check box, in the box on the right, type or select the number of days (from 1 to 30).

Procedure of Renewing a Private Key and a Certificate
Several days before a certificate or a private key expires, do the following:
If notification about certificate and private key expiration is enabled: when the specified number of days is left before the expiration, the corresponding message is displayed.
Figure 148. A certificate and private key expiration message

In the window informing you about the certificate expiration, choose Send certificate renewal request and click OK. The Certificate Renewal Wizard window is displayed.
Note: You can also open the Signature tab and send a certificate renewal request later.
If the private key expires, in the message window, select Open signature settings and click OK. Then, in the Security Service Settings dialog box, on the Signature tab, click Renew Certificate.
If notification about certificate and private key expiration is disabled: in the Security Service Settings dialog box, go to the Signature tab (see figure 147 on page 284) and click Renew Certificate. The Certificate Renewal Wizard window is displayed.
To generate and send a renewal request:
1 On the start page of the Certificate Renewal Wizard, click Next.
Figure 149. The start page of the Certificate Renewal Wizard
2 On the Public key page:
2.1 Specify the key and certificate purpose: if you are going to use the certificate only for signing, select Signature; if you are going to use it both for signing and encryption, select Signature and encryption.
2.2 Specify the public key parameters according to the table below:

Figure 150. Selecting public key parameters
2.3 Click Next.
3 On the Private Key Container page, specify the location where the private key container will be stored: a folder on a disk, or a device (you will need to specify its parameters and a PIN). A container in a folder on the disk is protected only by the container password and by the file system permissions of that folder; a hardware device keeps the private key off the disk and makes it usable only while the device is connected.
Note: To use an external device, you need to connect it and install the required drivers. You can find the list of compatible storage devices and basic information on how to use them in Supported External Storage Devices (on page 348).
Then click Next.
Figure 151. Specifying the key container location

4 On the Certificate Validity Period page, specify the required certificate validity period in any of the ways suggested and click Next.
Figure 152. Specifying the certificate validity period
5 On the Ready to Create Certificate Request page, make sure that the parameters you configured on the previous pages are correct. If you need to change any of them, click Back to return to the required page. If you need a printed copy of the request, make sure that the Print request information check box is selected; the request is printed on the default printer. Otherwise, clear the check box. Then click Next.
6 If the digital roulette window is displayed, follow the instructions.
Note: If the digital roulette has already been run once within the current session, the window is not displayed.
7 On the Completing the Certificate Renewal Wizard page, click Finish.
As a result, the certificate renewal request is sent to ViPNet Key and Certification Authority.

Note: The ViPNet Key and Certification Authority request timeout may vary significantly depending on the program options set. If Key and Certification Authority is configured to process certificate requests automatically, the timeout does not exceed 5 minutes. If the administrator processes requests manually, there is no specific timeout. For more information, see ViPNet Key and Certification Authority. Administrator's Guide.
If the certificate renewal request is satisfied in ViPNet Key and Certification Authority, a new certificate arrives on the host. The issued certificate is installed automatically and set as the currently used certificate immediately after it is received if both of the following conditions are met:
In the Security Service Settings dialog box, on the Signature tab, the Automatically install certificates issued on the initiative of Key and Certification Authority administrator check box is selected.
The key container with the private key corresponding to the certificate is available.
Warning: If the private key container is stored in a folder on the hard drive, it is always available. If the container is stored on a removable drive, it is available provided that the drive is connected and its PIN is saved.
In the Certificate Manager dialog box, the status of your request changes to certificate installed (see Viewing a Certificate Request on page 290).
Figure 153. The request status in case the certificate has been installed
If the certificate has arrived but has not been installed automatically, the status of your request is approved. In this case, install the certificate manually (see Installing a Certificate Manually on page 289).
If the certificate renewal request is declined in ViPNet Key and Certification Authority, a new certificate is not issued and the status of your request changes to rejected. In that case, contact your ViPNet Key and Certification Authority administrator for details.

Installing Certificates in Containers
To start using a certificate you received together with updates from ViPNet Key and Certification Authority, you should install the certificate into the container where the corresponding private key is stored.

Installing a Certificate Automatically
To install certificates received from ViPNet Key and Certification Authority automatically, make sure that in the Security Service Settings dialog box, on the Signature tab, the Automatically install certificates issued by user's request and Automatically install certificates issued on the initiative of Key and Certification Authority administrator check boxes are selected. If these check boxes are selected, certificates are installed automatically within an hour of being received.
A certificate issued on your request can be installed automatically only if the corresponding key container is available. Otherwise, it can be installed only manually (see Installing a Certificate Manually on page 289).
Warning: If a key container is stored in a folder on your hard drive, it is always available. If the container is stored on a removable drive, it is available provided that the drive is connected and its PIN is saved.
When a certificate issued on the initiative of the ViPNet Key and Certification Authority administrator is being installed, the Security Service Alert window with the corresponding notification is displayed (see Certificate Issued on the Administrator's Initiative Has Been Installed on page 318).

Installing a Certificate Manually
You should install the certificates you receive from ViPNet Key and Certification Authority manually in the following cases:
If the check boxes allowing automatic certificate installation are cleared.
If the corresponding key container was unavailable during the attempt to install the certificate automatically.
To install a received certificate manually:
1 In the Security Service Settings dialog box, click the Signature tab and click Issued Certificates.
2 In the Certificate Manager dialog box, on the Issued Certificates tab, select the received certificate you need to install and click Install.
As a result, the installed certificate is displayed in the Certificate Manager dialog box, on the Personal Certificates tab. If you are going to use the certificate for digital signing, set it as the current one (see Choosing Certificates for Current Usage on page 281).

Working with Certificate Requests
You can work with certificate requests in the Certificate Manager, on the Certificate Requests tab. To open the Certificate Manager window:
1 In the Security Service Settings dialog box, click the Signature tab.
2 Click Certificate Requests.

Viewing a Certificate Request
To view detailed information about a certificate request:
1 In the Certificate Manager dialog box, on the Certificate Requests tab, select the required request and click Properties, or double-click the request.
2 In the Certificate Request window, look through the detailed information on the tabs with the corresponding names. If necessary, click Print to print the request (on the host's default printer). To save the request as a file with the *.txt extension, click Copy to file.
Figure 154. Viewing detailed information about a certificate request

Deleting a Certificate Request
To delete a certificate request:
1 In the Certificate Manager dialog box, on the Certificate Requests tab, select the required request (or several requests, holding the Ctrl key) and click Delete.
2 Confirm the operation by clicking Yes.
Information about the request is deleted, and the deleted request is no longer displayed on the Certificate Requests tab.

Exporting a Certificate
In the ViPNet software, you can export a user certificate into various formats. Which export format you should choose depends on the export purpose. You may need to export a certificate for the following purposes:
creating a backup copy of the certificate;
copying the certificate to use it on another computer;
sending the certificate to another user to establish encrypted messaging;
printing the certificate.
None of the export formats listed below contains the private key: the private key stays in the key container (see Working with a Key Container on page 294), so an exported certificate file can be handed to other users, but it is not a backup of your signing capability.
To export a certificate into a file of a certain format:
1 Open the Certificate dialog box for the certificate you are going to export (see Viewing Certificates in the Certificate Manager Window on page 269).
2 Go to the Details tab and click Copy to File.
3 On the start page of the Certificate Export Wizard, click Next.
Tip: If you want the wizard to skip the first page next time, select the Do not show this page again check box on this page.
4 On the Export file format page, choose one of the formats suggested (see Certificate Export Formats on page 292), and then click Next.

Figure 155. Choosing the file format
5 On the Export file name page, specify the full path to the file you are creating, and then click Next.
6 On the Completing the Certificate Export Wizard page, make sure that you have configured the export parameters correctly, and then click Finish.
7 In the The export has been completed successfully message, click OK.

Certificate Export Formats
When you choose the file format you want to use to store the exported certificate, keep in mind the following:
When you export certificates on a Windows computer, PKCS #7 is preferable, primarily because this format preserves the chain of certification authorities (the certification path).
Some applications require the DER Encoded Binary format or the Base64 Encoded format. That is why you should take into account the requirements of the environment (application or operating system) into which you are importing the certificate.
A certificate can be viewed and printed in the text and HTML formats.
Below you can find details on each of the certificate export formats supported by the ViPNet software:
The Cryptographic Message Syntax Standard (PKCS #7). The PKCS #7 format allows you to move a certificate or the whole certification chain from one computer to another or from a computer to an external device. PKCS #7 files usually have the .p7b extension, and they are compatible with the ITU-T X.509 standard. The attributes allowed in the PKCS #7 format include countersignatures to be associated with a signature. PKCS #7 also allows arbitrary attributes, such as the signing time, to be authenticated along with the content of a message. For details on PKCS #7, see the RSA Labs web page.
DER Encoded Binary X.509. DER (Distinguished Encoding Rules) for ASN.1, defined in ITU-T Recommendation X.690 (originally in X.509), is a subset of the Basic Encoding Rules (BER) for ASN.1. Both BER and DER provide a platform-independent method for encoding such objects as certificates and messages for transfer between devices and applications. Most applications use DER to encode a certificate, as the certificate (the certificate request information) must be DER-encoded before it is digitally signed. DER certificate files have the .cer extension. For more information, see the ITU-T Recommendation X.509, Information Technology, Open Systems Interconnection, The Directory: Authentication Framework document on the International Telecommunication Union (ITU) web site.
Base64 Encoded X.509. This is an encoding method developed for use with Secure/Multipurpose Internet Mail Extensions (S/MIME), a popular standard method for transferring binary attachments over the Internet. Base64 encodes files into ASCII text format, making corruption less likely as the files are sent through Internet gateways, while S/MIME provides cryptographic security services for electronic messaging applications, including non-repudiation of origin using digital signatures, privacy and data security using encryption, authentication, and message integrity. MIME (Multipurpose Internet Mail Extensions, specification RFC 1341 and successors) defines a mechanism for encoding arbitrary binary information for transmission by e-mail. For more information, see RFC 2633, S/MIME Version 3 Message Specification, 1999, on the Internet Engineering Task Force (IETF) web site.
HTML. You can view and print these files in any web browser, Microsoft Office applications, and other programs supporting HTML (hypertext markup language).
Text files. ANSI-encoded files that you can view and print in any text editor.

Working with a Key Container
A key container contains a private key (on page 383) and the certificate (see Public key certificate on page 384) corresponding to that private key. In ViPNet Coordinator, you can perform the following operations with a key container:
Installation (see Installing a New Key Container and Changing the Key Container with the Current Certificate on page 299). You may need to install a new key container or change the key container that contains the current certificate in the following cases:
If the certificate does not correspond to the private key stored in the container (for instance, because the certificate is stored apart from the private key). A key container can be installed together with the certificate (see Installing Certificates in a Store on page 274) or separately (see Installing a New Key Container and Changing the Key Container with the Current Certificate on page 299), for example, when the private key is stored in the container and the certificate has been created in ViPNet Administrator Key and Certification Authority based on the user request.
If the key container was created in a third-party application or moved from another computer.
Changing and deleting the container password (see Changing the Container Password on page 296). We recommend that you use the same password for a key container for no longer than one year. When this period expires, you should set a new container password. You may need to delete the saved password of a key container if the password storage conditions and (or) your corporate security regulations have changed so that you may no longer store the password on your computer.
Deleting the private key stored in the container. You may need to delete a private key from a key container in the following cases: you no longer need this private key, for example, because its validity period has expired; the certificate corresponding to this private key is compromised or revoked.
Changing the location of the container (see Moving a Key Container on page 300).
You may need to move the current key container to another location in the following cases:
The container location has to be changed, for example, because it is no longer safe to keep the key container in the former location.
When you change the logon mode to PIN and device (see Setting the User Logon Mode on page 252), if you use third-party applications for digital signing and encryption and the key container is not currently stored on an external authentication device.

Warning: If you work in a ViPNet network managed with the ViPNet Administrator software, you can perform these operations only if you have permission to use a signature. Your ViPNet network administrator assigns this permission to your host in the ViPNet Administrator Network Control Center software.
To work with a key container (on page 382):
1 Go to the Keys tab.
Figure 156. Transferring the key container
2 Under Signature, click one of the following buttons:
View, to look through detailed information about the container you use and to change the container properties: changing a password (see Changing the Container Password on page 296); deleting a password (see Deleting a Password to a Key Container, If the Password Is Stored on a Computer on page 298); verifying that the private key corresponds to the certificate (see Verifying a Key Container on page 298); deleting a private key.
Install container, to install a new container or change the currently used container (see Installing a New Key Container and Changing the Key Container with the Current Certificate on page 299).
Transfer, to change the path to the container (see Moving a Key Container on page 300).

Note: In the Signature group box, information about the private key corresponding to the current certificate is displayed. When a new key container is installed (see Installing a New Key Container and Changing the Key Container with the Current Certificate on page 299), the information about the current certificate displayed on the Signature tab is updated automatically.

Changing the Container Password
We recommend that you use the same password for a key container for no longer than one year. When this period expires, you should set a new password.
To change the key container password:
1 In the Security Service Settings dialog box, click the Keys tab (see figure 156 on page 295), and then click View.
2 In the Container Properties window, click Change Password.
Figure 157. Container properties window
3 If the message Password for this container can only be changed on the Password tab in the Security Service Settings is displayed, click OK, close the Container Properties window, and change the user password instead (see Changing a User Password on page 257).

Figure 158. A message informing that you cannot change the password of the container
Note: This message is displayed when the key container is protected with a personal user key rather than a password. In that case, you can change the container password only by changing the user password.
4 If the user key container was created in the ViPNet Registration Point program or transferred (see Moving a Key Container on page 300) from the user keys folder (by default, C:\Program Files (x86)\Infotecs\<ViPNet program name>\user_<user_id>\key_disk\dom) to a different folder, then, after you click Change Password, the Change password dialog box appears. In the Change password dialog box, type the current container password, then click OK.
Note: If you have previously selected the Save password check box, the Change password window is not displayed.
5 In the ViPNet CSP Key Container Password window, type the new password and confirm it. Click OK.
Figure 159. Changing the container password
Warning: Your password must not contain more than 31 characters. Passwords longer than 31 characters cannot be used in the current versions of the ViPNet applications. This limitation is due to the existing algorithm for passing the password to the cryptographic provider.
The container password is changed.

Deleting a Password to a Key Container, If the Password Is Stored on a Computer
You may need to delete the saved password of a key container if the password storage conditions and (or) your corporate security regulations have changed so that you may no longer store the password on your computer.
To remove the previously saved password:
1 In the Security Service Settings dialog box, click the Keys tab (see figure 156 on page 295), and click View.
2 In the Container Properties window (see figure 157 on page 296), click Delete Saved Password.
The previously saved password is removed. From then on, you have to enter the password every time you access the key container.

Verifying a Key Container
You can verify a key container to make sure that the container file has not been modified, that the certificate and the private key in the container correspond to each other, and that you can use them to work with protected documents.
To verify a container:
1 In the Security Service Settings dialog box, on the Keys tab (see figure 156 on page 295), click View.
2 In the Container Properties window, click Check.
3 In the ViPNet CSP Key Container Password window, type the password to access the container and click OK. If you want to save the password in order to access the container without typing it every time, select the Save password check box.
Figure 160. Typing the container password

4 A data fragment is then signed with the private key, and the resulting digital signature is verified with the public key certificate. This confirms that the private key is usable and that it matches the certificate stored in the container.
Note: You can verify a key container only if it contains a certificate corresponding to the private key. A certificate may be missing from a key container when it is stored separately. A certificate is stored separately from a key container if the certificate renewal request was generated in the ViPNet CSP software; if the renewal request was generated in another program, the certificate is saved automatically to the corresponding key container. When the private key is verified, the certificate validity (its validity period, presence in a CRL, and so on) is not checked.

Installing a New Key Container and Changing the Key Container with the Current Certificate
You may need to install a new key container or change the key container that contains the current certificate in the following cases:
if, while installing the certificate into the system store or the ViPNet Coordinator store (see Installing Certificates in a Store on page 274), no corresponding private key was found (for instance, because the certificate is stored as a file separate from the private key, that is, not in the key container);
if the container was generated in another application or moved from another computer.
Note: You can install or change only a container with keys generated in ViPNet software of version 3.2.x or later.
To install a new key container or change the currently used container:
1 In the Security Service Settings dialog box, click the Keys tab (see figure 156 on page 295), and then click Install container.
2 In the ViPNet CSP Key Container Initialization window, specify the key container location: a folder on a disk, or a device (you will need to specify its parameters and a PIN).

Figure 161. Key container initialization from an external device
Click OK.
3 In the Select Certificate window, click OK.
As a result, the private key and the certificate stored in the selected container are set as current. Information about the certificate stored in the installed container is displayed on the Signature tab.

Moving a Key Container
You may need to move the current key container if you need to change the path to the container, for example, if it is considered insecure to continue storing the keys in the previous location.
Note: You can move only a container with keys generated in ViPNet software of version 3.2.x or later. You cannot move a key container to a device that performs hardware encryption.
To change your key container location:
1 In the Security Service Settings dialog box, click the Keys tab (see figure 156 on page 295), and click Transfer.
2 In the ViPNet CSP Key Container Initialization window, specify the new key container location: a folder on a disk, or a device (you will need to specify its parameters and a PIN).
Note: To use an external device, you need to connect it and install the required drivers. You can find the list of compatible storage devices and basic information on how to use them in Supported External Storage Devices (on page 348).
As a result, the key container is moved to the specified location.

Appendix A. Troubleshooting

Collecting Information for Troubleshooting
When you contact our technical support service about a problem, you usually need to provide specific information about the computer where your ViPNet software is installed. Based on this information, technical support staff can find out the source of your problem and how to solve it.
You can gather the information about your computer with the lumpdiag utility, which is part of the ViPNet Coordinator software. To work with the utility, you need OS administrator rights on your computer. The utility gathers information about your computer (for example, about the operating system, the cryptographic environment, and so on) regardless of whether ViPNet Coordinator is functional.
Note: No personal information is gathered by the utility. Infotecs protects your confidential information, takes all measures to prevent unauthorized access to it, and does not divulge your personal data.
With this utility, you can collect the required information into one archive or save it to the \SysEnv folder, which is created automatically in the ViPNet Coordinator installation folder.
To get help on using the utility, in the Windows command line, type lumpdiag -h, where -h is the option that calls Help.
To collect information, in the command line, type:
lumpdiag -a [<archive file>]
where:
-a launches the process of collecting information on your computer;
<archive file> is the path to a file where the information collected by the utility will be archived.
If you do not specify the <archive file> parameter, the collected information is stored in the \SysEnv subfolder of the ViPNet Coordinator installation folder (by default, C:\Program Files\Infotecs\<ViPNet program name> or C:\Program Files (x86)\Infotecs\<ViPNet program name>). If the \SysEnv folder already exists, you are prompted to allow its contents to be overwritten. Review the archive before sending it: it describes your operating system and cryptographic environment, so treat it as internal information.

Common Issues

Cannot Validate the Setup File's Signing Certificate
On a computer running Windows XP or Windows Vista, when you are installing ViPNet Coordinator, a security service alarm may be displayed informing you that the certificate with which the setup file has been signed cannot be validated.
Figure 162. Cannot validate a certificate
This may happen if the root certificate or any certificate in the certification path is absent or invalid. You may solve this problem in one of the following ways:
Click Do not Install to cancel the setup, then install the operating system update KB (or install all updates for the current version of your operating system). As a result, the certification path is updated and you will be able to verify the certificate with which the setup file has been signed. After you complete the update, start ViPNet Coordinator setup again.
If necessary, you may install the program without updating your operating system. In this case, in the security service alarm window, click Install. Keep in mind that the signature on the setup file has then not been verified, so do this only if you obtained the setup file from a trusted source.

Cannot Install ViPNet Coordinator in the Silent Mode
If you install the program in the silent mode on a computer running Windows XP or Windows Vista, you may see that the installation is not proceeding, for example, no program shortcut appears on your desktop even a few minutes after you start the installation. The reason may be that the setup file's signing certificate cannot be validated or that the root certificate or any certificate in the certification path is absent or invalid. To solve the problem, install the operating system update KB (or just install all available updates for the current version of your OS). As a result, the certification path is updated and you will be able to validate the signing certificate for the setup file. After you complete the update, start the installation again.

Cannot Start the Program
The ViPNet Monitor program may have been uninstalled manually or removed from the computer. Make sure that ViPNet Monitor is installed. If necessary, reinstall the program or contact your ViPNet network administrator.

Incorrect Password or User Keys Not Found
In this case, the following message is displayed:
Figure 163. Wrong password message
If you get this message:
Check that Caps Lock is not accidentally enabled.
Check that the input language is chosen correctly. The indicator in the logon window shows the currently selected language. If you need to type a randomly generated password, select the English input language.
The user keys might be installed in a folder different from the default user keys folder. In this case, in the logon window, to the right of the Setup button, click Keys Folder, choose ViPNet Host, and then specify the path to your user keys folder. If the operating system has not been loaded yet, in the logon window, click Cancel. After the operating system is loaded, start ViPNet Monitor and specify the path to the user keys folder.

Cannot Log On with a Certificate
If you cannot log on to ViPNet Coordinator using the certificate and its corresponding private key stored on an external device, this may be caused by the following:
The certificate does not support the RSA standard (its key is not an RSA key).
The external device does not support the PKCS #11 standard. You can check whether your device supports this standard in External Storage Devices (on page 347).

305 The selected certificate is utdated. If yu select an utdated certificate, a crrespnding message is displayed. In this case, deliver yur certificate t the administratr f yur certificatin authrity fr renewal. The selected certificate is present in the certificate revcatin list, which is installed in the hst's strage. If yu select an utdated certificate, a crrespnding message is displayed. In this case, cntact yur certificatin authrity administratr. The certificate des nt have the client authenticatin purpse. The certificate's purpse is displayed in the Certificate dialg bx, n the Details tab, in the Enhanced Key Usage field. In this case, ask that yur certificatin authrity administratr issues a new certificate fr yu. The issuer's certificate is nt installed in the system stre Trusted Rt Certificatin Authrities. In this case, get the issuer's certificate frm yur certificatin authrity administratr and install it t the crrespnding system strage. T d this, duble-click the certificate and fllw the instructins f the certificate installatin wizard. Cannt Save the Passwrd If yu want t allw the saving f the passwrd, lg n t ViPNet Mnitr in the ViPNet hst administratr mde (see Wrking in the ViPNet Hst Administratr Mde n page 247). Cannt Cnnect t the Internet Yur cnnectin t the Internet may be blcked by public netwrk filters r the hst's traffic may be blcked. Make sure that netwrk filters allwing cnnectins with addresses required are cnfigured prperly and that the hst's IP traffic is nt blcked (check that n the File > Cnfiguratins menu, the Blck IP Traffic cmmand is displayed). Cannt Cnnect t a ViPNet Hst Pssible reasns are: The cmputer is switched ff r ViPNet Mnitr is nt running n the hst. There are n keys required t establish cnnectin t the hst. Cntact yur ViPNet netwrk administratr. Yur cmputer is nt physically cnnected t the netwrk r has n access t the Internet. ViPNet Crdinatr Mnitr 4.3. Administratr's Guide 305

Cannot Address a Domain Host by Its DNS Name

If your organization uses the Active Directory service in its ViPNet network, and protected domain controllers with synchronized DNS servers are deployed on different ViPNet hosts or tunneled by different coordinators, other ViPNet hosts that address these DCs may experience problems with IP address resolution. In this case, follow the instructions in Using DNS Servers on Domain Controllers (on page 125).

Cannot Connect to an Unprotected Host on a Local Network

Possible reasons are:
The IP address of the unprotected host is included in the protected hosts' addresses list. In such a case, the ViPNet driver tries to send an encrypted IP packet to an unprotected host, and the connection fails. To eliminate this problem, delete the IP address of the unprotected host from the protected hosts' addresses list.
The filters for working in the public network are configured incorrectly. To work in Microsoft networks correctly, make sure that the required public network filters are enabled and properly configured.

Cannot Establish a Connection over the SSL Protocol

Probably, the failure of one of the ViPNet Coordinator components led to the connection problem. To solve this problem, follow the instructions described in Cannot Start the MSSQLSERVER Service (on page 309).

Cannot Establish a Connection over the PPPoE Protocol

A connection over the PPPoE protocol may be blocked by the ViPNet Monitor program. To solve this problem:
1 In the ViPNet Monitor main window, on the Service menu, click Options.
2 In the Options dialog box, in the navigation pane, click Manage IP Traffic.
3 Clear the Block all protocols except IP, ARP check box.

4 Click OK.

Traffic from Tunneled Hosts Can't Pass through a Coordinator

You may have such a problem when the tunneled hosts are in the same local subnet as the coordinator and a default gateway is specified on the coordinator's network interface behind which the tunneled hosts are placed. When traffic from the tunneled hosts addressed to remote ViPNet hosts reaches the coordinator, the coordinator sends ICMP type 5 (redirect) messages to the tunneled hosts (over TCP/IP), informing them that they should send the traffic directly to the gateway specified on the coordinator. As a result, the tunneled hosts stop sending the traffic to the coordinator and start sending it directly to the default gateway.

Figure 164. Blocking ICMP 5 traffic for tunneled traffic to pass

To solve this problem, on the coordinator, block outbound ICMP 5 traffic. To do this, in ViPNet Coordinator Monitor, create public network filters blocking such traffic. We also recommend that you create similar private network filters.

Note: If you have installed ViPNet Coordinator on the computer for the first time (and not upgraded the program from an earlier version), these filters are already created by default as pre-defined private and public network filters (see Network Filters Overview on page 130).

There Is a Host Registered on the Network with an Identifier That Coincides with Your Host's Identifier

In this case:
In the events log, event 95 (see Blocked IP Packets on page 341) is registered.
All IP traffic is blocked.
In ViPNet Monitor, the following notification is displayed:

Figure 165. Notifying that there is a host on the network with the identifier that coincides with the one of your host

To solve this problem, you will need to delete your host's duplicate from the ViPNet network (delete its current keys from it or install new keys on it). Then restart your computer.

Conflicting IP Addresses or DNS Names

When you add an IP address or a DNS name in order to configure access to a ViPNet host or a tunneled host, the new address may occasionally coincide with a previously specified IP address or DNS name of another host. Then the following message is displayed:

Figure 166. A conflict of IP addresses or DNS names has been detected

A conflict of IP addresses or DNS names may also be detected during the check that you start by clicking Check conflicts. In this case, the following message is displayed:

Figure 167. A conflict of IP addresses or DNS names has been detected after a check

You may resolve a conflict by doing one of the following:
remove the duplicate IP address or DNS name from the other host's parameters;
cancel adding the IP address or DNS name (in the first case) or remove it from the current host's list (in the second case).
You may also ignore the conflict: in the first case, the specified IP address or DNS name will be added; in the second case, you may stop checking for conflicts.

Cannot Start the MSSQLSERVER Service

Probably, the failure of one of the ViPNet Coordinator components led to the connection problem. To solve this problem:
1 Use the command line to execute the following command: regsvr32 /u C:\Windows\System32\itcssp.dll
2 Rename the itcssp.dll file located in the C:\Windows\System32 folder as you like. If the ViPNet CSP program compatible with 64-bit operating systems has been installed on your computer, the C:\Windows\SysWOW64 folder contains the itcssp.dll file as well, and you should rename it, too.
3 Restart your computer.

Cannot Change Settings of the ViPNet Monitor Program

You may be unable to change ViPNet Monitor settings for one of the following reasons:
The permissions level restricts your activity on the host. Only a user with the maximum permissions level may change ViPNet Monitor settings. Contact your ViPNet network administrator to raise your permissions level in the ViPNet Administrator Network Control Center or ViPNet Network Manager program.

The user interface has been restricted (see Working in the ViPNet Host Administrator Mode on page 247) after logging on in the ViPNet host administrator mode. Ask the administrator to disable the user interface restriction.

Cannot Use a Hardware Random Numbers Generator

If you need to use a hardware random numbers generator in the ViPNet software:
1 On the computer where you will use the hardware random numbers generator, depending on its operating system, do one of the following:
In Windows Vista and later versions of Windows, create the following folder: C:\ProgramData\infotecs\ViPNet CSP.
In Windows XP or Windows Server 2003, create the following folder: C:\Documents and Settings\All Users\Application Data\infotecs\ViPNet CSP.
2 In this folder, create a text file containing the following lines:
[Common]
EnableCspSupport=Yes
[Devices]
RandomNumberGeneratorType=<generator type>
3 Specify the random numbers generator type you are going to use as the value of the RandomNumberGeneratorType parameter. The possible values are:
bio means the digital roulette (used in the ViPNet software by default).
tokenjava means eToken PRO (Java).
4 Save the file and rename it to csp_config.ini.
At the next random numbers generator startup, the specified generator will be used.

Failures in the Work of Third-Party Programs

Peculiarities of the ViPNet software operation may affect the operability of some third-party programs. To eliminate a conflict between the ViPNet software and third-party programs, apply some changes to the Windows system registry:
1 Press the key combination Win+R.
2 In the Run window, type regedit and click OK.

Warning: Do not change any parameters in the system registry except for Flags. Any undesired change may lead to a malfunction of your computer.

3 In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\infotecs\PatchEngine, set the Flags parameter value to 0.
4 Restart your computer.
If the problem has not been solved, contact Infotecs technical support.

Checking the Status of Accepted Updates

If you are not sure whether the required updates have been accepted on a coordinator and what their progress is, you can use a file where all updating events are logged. To do this:
1 In the ViPNet Coordinator installation folder (by default, C:\Program Files\infotecs\ViPNet Coordinator\), find the \CCC\log\update.log file.
2 Open the file in a text editor and find the entries about the required updates.
Here is an example of the update.log file:
Now is Tue Sep 01 14:19:
Key upgrade done.
Updated files
C:\Program Files\infotecs\ViPNet Coordinator\ccc\key\abn_06f2\353a5237\ABN_06F2.KE
Update time
Update type is keys updating.
Status successful.
Now is Mon Oct 02 13:33:
Address book upgrade done.
Updated files
C:\Program Files\infotecs\ViPNet Coordinator\EXTNET.DOC
C:\Program Files\infotecs\ViPNet Coordinator\IPLIRADR.DOC
Update type is host links updating.
Status successful.

Unable to Apply the Software Update Received from the Network Control Center

One of the possible causes is that the installation program was unable to shut down some ViPNet components (for example, some of them are running in another user session). In this case, do the following:
1 Reboot the computer that was unable to upgrade.

2 Resend the update from ViPNet Administrator Network Control Center or ViPNet Network Manager and accept it on the host.

Security Service Alerts

Security service alerts are intended to inform you in time about the validity periods of your password, current certificate and certificate revocation list, and about the installation of a certificate issued on the Certification Authority administrator's initiative. The password, current certificate and private key statuses are verified every 5 minutes.

Password Expired

A message informing you about user password expiration is displayed in the following cases:
If, in the Security Service Settings dialog box, on the Password tab (see figure 130 on page 257), the Enable password expiry check box is selected and the validity period is specified. If the message is displayed, the specified validity period is over.
If new user keys with a new user password have been received from ViPNet Key and Certification Authority. In such a case, the password is not changed automatically. You need to change it manually (see Changing a User Password on page 257).

Figure 168. The user password expiration message

If such a message is displayed:
1 Choose one of the suggested actions:
Change password to specify a new password according to the settings on the Password tab (see figure 130 on page 257) of the Security Service Settings dialog box;
Open password settings to open the Password tab (see figure 130 on page 257) of the Security Service Settings dialog box, where you can set password parameters and then change the password;

Notify me again in for the message to be displayed again after a specified time period (10 minutes, 1 hour, 6 hours, 1 day, 1 week);
Remind me at next ViPNet user logon for the message to be displayed again at the next ViPNet Coordinator startup.
2 Click OK.

Current Certificate Is Invalid or Not Found

A message informing you that the current certificate is not found or is invalid is displayed in the following cases:
If the current certificate is not found or is invalid, but other valid personal certificates have been found. In such a case, you can set one of the certificates as the current one by selecting Choose another certificate as your current one.
If no valid personal certificate is found. In this case, contact your Certification Authority administrator to get a new certificate.

Warning: You cannot sign digital documents until the new certificate is received and installed.

Figure 169. A message informing you that the current certificate is invalid

If such a message is displayed:
1 Choose one of the following:
Choose another certificate as your current one to set another valid personal certificate as the current one in the Select certificate window.

Note: This option is available if other valid personal certificates are found in the user's certificate store.

Change your options on the Signature tab to open the Signature tab of the Security Service Settings dialog box, where you can manage certificates.
Notify me again in for the message to be displayed again after a specified time period (10 minutes, 1 hour, 6 hours, 1 day, or 1 week).
Remind me at next ViPNet user logon for the message to be displayed again at the next ViPNet Coordinator startup.
2 Click OK.

Current Private Key or the Corresponding Certificate Validity Period Is Going to Expire

A message informing you that the validity period of the private key or its corresponding certificate is about to expire is displayed in the following cases:
If the private key or its corresponding certificate is going to expire, and no current certificate renewal requests have been found (or the last renewal request has been approved, but the certificate cannot be set as the current one). In this case, you can create a certificate renewal request (see Procedure of Renewing a Private Key and a Certificate on page 284). To do this: if the certificate expires, select Send certificate renew request; if the private key expires, select Change your options on the Signature tab, and then, in the Security Service Settings dialog box, on the Signature tab, click Renew Certificate.
If the private key or its corresponding certificate is going to expire and the last certificate renewal request has been rejected or is being processed by the ViPNet Key and Certification Authority. In this case, contact your ViPNet network administrator and, if necessary, create another renewal request for the current certificate.

Figure 170. A certificate and private key expiration message

If such a message is displayed:
1 Depending on the message type, choose one of the following:
Choose another certificate as your current one to set another valid personal certificate as the current one in the Select certificate window.
Send certificate renew request to create a request for renewing your certificate with the certificate renewal wizard (see Procedure of Renewing a Private Key and a Certificate on page 284).
Change your options on the Signature tab to open the Signature tab of the Security Service Settings window, where you can manage certificates.
Notify me again in for the message to be displayed again after a specified time period (10 minutes, 1 hour, 6 hours, 1 day, or 1 week).
Remind me at next ViPNet user logon for the message to be displayed again at the next ViPNet Coordinator startup.
2 Click OK.

Current Private Key Expired

A message informing you about the private key validity period expiration is displayed:
If the private key is going to expire, and no current certificate renewal requests have been found (or the last renewal request has been approved, but the certificate cannot be set as the current one). In this case, you can select Open security settings to open the Security Service Settings dialog box on the Signature tab. On the Signature tab, click the corresponding button to renew the current certificate (see Procedure of Renewing a Private Key and a Certificate on page 284). Remember that in ViPNet Key and Certification Authority such a request will not be processed automatically, but will be kept until the administrator processes it.

Warning: The created request is signed with the private key corresponding to the current certificate. However, this signature is not used to prove authenticity, but only to verify integrity. Such requests have the Not signed status (see Viewing a Certificate Request on page 290).

If the private key validity period has expired and the last certificate renewal request has been rejected or is being processed by the ViPNet Coordinator. In this case, contact your ViPNet network administrator and, if necessary, create another renewal request for the current certificate.

Figure 171. The private key expiration message

If such a message is displayed:
1 Choose one of the following:
Change your options on the Signature tab to open the Signature tab of the Security Service Settings dialog box, where you can manage certificates.
Notify me again for the message to be displayed again after a specified time period (10 minutes, 1 hour, 6 hours, 1 day, or 1 week).
Remind me at next ViPNet user logon for the message to be displayed again at the next ViPNet Coordinator startup.
2 Click OK.

Valid Certificate Revocation List Not Found

A message informing you that no valid certificate revocation list is found is displayed in the following cases:
if no CRL is found in the user store or the CRL has expired;

if, in the Security Service Settings dialog box, on the Administrator tab, the Ignore the absence of the Certificate Revocation Lists (CRLs) check box (see Advanced Security Settings on page 251) is cleared.

Figure 172. A valid certificate revocation list is not found

If such a message is displayed:
Contact your ViPNet network administrator to get a new certificate revocation list.
Select one of the options:
Notify me again in for the message to be displayed again after a specified time period (10 minutes, 1 hour, 6 hours, 1 day, 1 week).
Remind me at next ViPNet user logon for the message to be displayed again at the next ViPNet Coordinator startup.
Then click OK.

Certificate Issued on the Administrator's Initiative Has Been Installed

A message notifying you that a certificate issued on the ViPNet Key and Certification Authority administrator's initiative has been installed is displayed under the following conditions:
In the Security Service Settings dialog box, on the Signature tab (see figure 147 on page 284), the Automatically install certificates issued on the initiative of Key and Certification Authority administrator check box is selected.
You have not requested a certificate renewal, but you receive updates generated by the ViPNet Key and Certification Authority administrator containing a new user certificate and a private key.
When this message is displayed:
1 Select one of the options:

Change your options on the Signature tab to open the Security Service Settings dialog box on the Signature tab (see figure 147 on page 284), where you can view the current certificate details or manage certificates.
Send certificate renew request to enroll for renewing the current certificate using the certificate renewal wizard (see Procedure of Renewing a Private Key and a Certificate on page 284). You should request a certificate renewal only if your corporate security policy prohibits the use of a private key that was generated not personally by you, but on the administrator's workstation. As a result, you will receive a certificate corresponding to a private key generated on your computer.
2 Click OK.

B Keys and Certificates

Cryptography Overview

Cryptography allows you to solve three main tasks:
ensuring data confidentiality;
data integrity control;
ensuring data authenticity (non-repudiation).
The first task is solved by means of symmetric encryption algorithms. To solve the second and third tasks, you need to use asymmetric encryption algorithms and a digital signature.
In this section, you will find a brief description of encryption algorithms based on symmetric and asymmetric keys, and of the digital signature. You will also find some examples of how these algorithms are used in information systems (the examples are not based on the ViPNet technology).

Symmetric Encryption

In symmetric encryption and decryption algorithms, the same cryptographic key is used. For both the recipient and the sender to be able to read the source data (or data of another type), they both need to know the algorithm key. The scheme below shows the process of symmetric encryption and decryption.

Figure 173. Encryption and decryption using a symmetric key

Because one key is used for both encryption and decryption, symmetric encryption algorithms can process a significant amount of data in a short period of time. Moreover, symmetric encryption algorithms are simpler in comparison to asymmetric ones. Thus, symmetric algorithms are used to encrypt large data arrays.

To encrypt data using a symmetric algorithm, a cryptographic system uses a symmetric key. The key length (usually in bits) depends on the encryption algorithm and the program that uses this algorithm. Using a symmetric key, a source (open) text is transformed into an encrypted (closed) text. Then, the encrypted text is transferred to its recipient. If the recipient knows the symmetric key used to encrypt the text, the recipient can transform the encrypted text back into the source text.

Note: In practice, a symmetric key should be transferred to its recipient in a secure way. Usually a symmetric pair-wise key is created, which is then delivered to the recipient in person. Then, random (session) symmetric keys are used for encryption. They are encrypted using the pair-wise key and transferred together with the encrypted text via different communication channels. Information security can be threatened if the symmetric pair-wise key is intercepted. In such a case, malicious users can decrypt all the information encrypted using this key.

Asymmetric Encryption

Asymmetric encryption algorithms use two mathematically associated keys: a public key and a private key. The public key is used for encryption, the private key is used for decryption. A public key can be distributed freely. A private key is owned only by the user who creates the asymmetric key pair. A private key must be kept secret to eliminate its interception. Encryption based on asymmetric keys is much slower than encryption based on symmetric keys, because two different keys are used for encryption and decryption and the encryption algorithm is more complex. Any user can transfer information encrypted with a public key to the recipient owning the private key. Only the recipient of the encrypted information owns both keys. Thus, only the recipient has access to the private key required to decrypt the information.

Figure 174. Encryption and decryption using an asymmetric key

Note: It is very rare that only an asymmetric encryption algorithm is used. Typically, the data are encrypted using a symmetric algorithm, and then only the symmetric key is encrypted using the asymmetric encryption algorithm. Such a combination of cryptographic algorithms is considered further in this chapter (see Combining Symmetric and Asymmetric Encryption on page 323).

Combining Symmetric and Asymmetric Encryption

In most programs, symmetric and asymmetric encryption algorithms are combined to take advantage of each method's strengths. When symmetric and asymmetric encryption algorithms are combined:
The source text is encrypted using a symmetric encryption algorithm. The advantage of a symmetric algorithm is its high encryption rate.
The symmetric key (used to encrypt the source text) is encrypted using an asymmetric encryption algorithm. Then it is transferred to the recipient. The asymmetric algorithm ensures that only the intended recipient who owns the private key can decrypt the symmetric key.
The figure below shows the encryption process when symmetric and asymmetric encryption algorithms are combined.

Figure 175. Encryption using a combined algorithm

1 The sender retrieves the recipient's public key from a trusted repository.
2 The sender generates a symmetric key and uses this key to encrypt the source data.
3 The symmetric key is encrypted using the recipient's public key to prevent the symmetric key from being intercepted during transmission.
4 The encrypted symmetric key and the encrypted data are transferred to the intended recipient.
5 The recipient uses his or her private key to decrypt the encrypted symmetric key.
6 The recipient decrypts the encrypted data with the symmetric key and gets the source data.

Combining a Hash Function and an Asymmetric Algorithm of a Digital Signature

A digital signature protects data in the following way:
The data is signed using a hash function that computes the hash sum of the source data. Using a hash sum allows you to determine whether the source data have been modified in any way.
The hash sum is signed digitally so that the user who has signed it can be identified. Moreover, the digital signature ensures non-repudiation, because only one user can own the private key corresponding to the digital signature used. Non-repudiation means that the author cannot deny the fact that he or she has signed the document.

Most applications that support digital signing use a combination of an asymmetric signing algorithm and a hash function. A hash function provides a mechanism to determine whether the source data have been modified in any way, whereas a digital signature ensures that the resulting hash value is not modified and allows you to identify the data sender. The scheme below illustrates the usage of a hash function and an asymmetric algorithm for digital signing.

Figure 176. The usage of a hash function and an asymmetric algorithm for digital signing

1 The sender creates a file with a source message.
2 The sender's software calculates the hash sum of the source message.
3 The hash sum is encrypted using the sender's private key.
4 The source message and the encrypted hash sum are transferred to the recipient.

Note: If you sign the source message digitally, this message is not encrypted. The message can be modified, but any changes will make the hash sum transferred together with it invalid.

5 The recipient decrypts the hash sum of the message using the sender's public key. The public key can be transferred with the message or retrieved from a secure repository.
6 The recipient uses the same hash function as the sender to calculate the hash sum of the message.
7 The calculated hash sum is compared to the hash sum received from the sender. If the hash sums are different, this means that the message or the hash sum has been modified during transmission.
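The two procedures above, the combined (hybrid) encryption of Figure 175 (steps 1 to 6) and the hash-then-sign scheme of Figure 176 (steps 1 to 7), carried through in plain Python as an added example; this is not ViPNet code or the code of any program the guide describes. It uses textbook RSA on freshly generated random primes and a SHA-256 keystream as the stand-in symmetric cipher so that it runs with no third-party library; the party names and the message are constructed.

```python
"""Hybrid encryption (Figure 175) and hash-then-sign (Figure 176), teaching version.

Added example, not ViPNet code. Textbook RSA without padding and a SHA-256
keystream stand in for real primitives so the message flow is visible; a
production system would use RSA-OAEP / RSA-PSS (or a KEM) and an authenticated
cipher such as AES-GCM.
"""
import hashlib
import secrets

E = 65537  # common RSA public exponent


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is composite
    return True


def random_prime(bits: int) -> int:
    """Random prime of exactly `bits` bits with gcd(E, p - 1) == 1."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if cand % E != 1 and is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 1024):
    """Returns ((e, n), (d, n)): one party's public and private key."""
    p, q = random_prime(bits // 2), random_prime(bits // 2)
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse (Python 3.8+)
    return (E, n), (d, n)


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream (same call decrypts)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


def hybrid_encrypt(recipient_pub, plaintext: bytes):
    """Figure 175, steps 2-4: fresh session key, symmetric encryption, key wrapped with RSA."""
    e, n = recipient_pub
    session_key = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    ciphertext = stream_xor(session_key, nonce, plaintext)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)  # textbook RSA, no padding
    return wrapped_key, nonce, ciphertext


def hybrid_decrypt(recipient_priv, envelope):
    """Figure 175, steps 5-6: unwrap the session key with the private key, then decrypt."""
    d, n = recipient_priv
    wrapped_key, nonce, ciphertext = envelope
    session_key = pow(wrapped_key, d, n).to_bytes(16, "big")
    return stream_xor(session_key, nonce, ciphertext)


def sign(sender_priv, message: bytes) -> int:
    """Figure 176, steps 2-3: hash the message, 'encrypt' the hash with the private key."""
    d, n = sender_priv
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, d, n)


def verify(sender_pub, message: bytes, signature: int) -> bool:
    """Figure 176, steps 5-7: recover the hash with the public key, compare with a fresh hash."""
    e, n = sender_pub
    expected = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == expected


def demo():
    """Alice (constructed) signs a message and sends it hybrid-encrypted to Bob (constructed)."""
    alice_pub, alice_priv = generate_keypair()
    bob_pub, bob_priv = generate_keypair()
    message = b"constructed sample: quarterly key rotation approved"
    signature = sign(alice_priv, message)           # Alice signs the plaintext
    envelope = hybrid_encrypt(bob_pub, message)     # then encrypts it for Bob
    recovered = hybrid_decrypt(bob_priv, envelope)  # Bob decrypts ...
    ok = verify(alice_pub, recovered, signature)    # ... and checks Alice's signature
    tampered = verify(alice_pub, recovered + b"!", signature)  # any change breaks it
    return recovered, ok, tampered


if __name__ == "__main__":
    print(demo())
```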

Public Key Certificates Overview

Definition and Scope

A public key certificate is used in public key cryptography, where different keys are used for the direct and reverse conversion:
A private key is used to generate a digital signature (see Digital signature on page 380) and to decrypt a message. A private key is kept secret; it is not distributed.
A public key is used to verify a digital signature and to encrypt a message. A public key is known to all parties of the data exchange process and may be distributed via unprotected communication channels.
Thus, public key cryptography ensures the following operations:
Signing a message: generating a digital signature, attaching it to a message, and verification of the digital signature by the message recipient;
Encryption: encrypting a document so that only the recipient can decrypt it.
The public and private keys complement each other, as only the private key owner can sign the data, as well as decrypt the data encrypted with the public key corresponding to the owner's private key. This system works quite similarly to a mailbox on the corner of a street: everyone can put a letter in the box (in other words, encrypt), but only a person with the private key can retrieve letters (in other words, decrypt).
As a public key is freely distributed, there is a risk that a malicious user substitutes the public key of one of the users and claims his or her identity. To ensure trust in public keys, special certification authorities are established. A certification authority functions as a third party trusted by both parties and verifies the public key of each user with its own digital signature. In other words, a certification authority certifies public keys. A public key certificate (further, a certificate) is a digital document verified with the digital signature of a certification authority and used to confirm that a certain public key belongs to a certain user.

Note: In spite of the fact that messages are protected with a public key, specialists use such expressions as "sign using a certificate" and "encrypt using a certificate".

A certificate contains a public key and a list of optional fields of the user (the certificate owner). The optional fields include: certificate owner's and issuer's names, certificate number, certificate validity period, public key purpose (digital signature, encryption), and so on. Certificate structure and protocols of use are regulated by international standards (see Structure on page 328).
There are the following types of certificates:
A user certificate. It is used for encryption of outgoing messages and verification of a digital signature by the recipient.

An issuer's certificate. The current user certificate is issued based on the issuer's certificate. Besides the common functions of a user certificate, an issuer's certificate allows you to verify all the certificates signed using the private key corresponding to this certificate.
A root certificate. It is a self-signed issuer's certificate, the top one in a certificate chain (see Certification path on page 379). There is no certificate you can verify a root certificate with, which is why you should absolutely trust the source of this certificate.
A cross certificate. It is a certificate of a certification authority administrator issued by another certification authority administrator. Thus, the Issuer and Subject values are different and relate to different certification authorities. Cross certificates are used to establish trust relationships between certification authorities. Depending on the trust model established between the certification authorities (see PKI in Public Key Cryptography on page 330), a cross certificate can be used either as an issuer's certificate (in a hierarchical model), or to verify certificates of other network users (in a distributed model).

Figure 177. Types of certificates

Using the corresponding root certificate, each user can verify a certificate issued by a certification authority and use its contents. If certificate verification using a certificate trust chain that starts with the root certificate confirms that the certificate is legal, functional, has not expired and has not been revoked, this certificate is considered valid. The documents that are signed with a valid certificate and have not been changed since the moment of signing are considered valid as well. Thus, public key cryptography and public key infrastructure (see PKI in Public Key Cryptography on page 330) ensure encryption and digital signing of messages.

By means of encryption, confidential information can be transferred via unencrypted communication channels. A digital signature ensures:
Authenticity, meaning that you can unambiguously identify the sender. In comparison to paper workflow, a digital signature is analogous to the sender's handwritten signature.
Integrity, meaning that information is protected from unauthorized modification both when being stored and during transfer.
Non-repudiation, meaning that the sender cannot deny an action he or she committed. In comparison to paper workflow, this is analogous to showing a passport before performing an action.

Structure

For a digital certificate to be useful, it has to be structured in an understandable and reliable way so that the information within the certificate can be easily retrieved and understood. For example, passports follow a similar structure, allowing people to easily understand the information in a type of passport that they may never have seen before. In the same way, as long as digital certificates are standardized, they can be read and understood regardless of who issued the certificate.
One of the public key certificate formats is defined by the International Telecommunications Union (ITU) recommendation X.509 (ISO/IEC ), and in the RFC 3280 Certificate & CRL Profile document by the Internet Engineering Task Force (IETF). At present, version 3 of X.509 is the most used one; it allows you to specify certificate extensions so that you can add some information to the certificate (about security policy, key usage, compatibility, and so on).
A certificate contains data elements accompanied by the digital signature of the certificate issuer. A certificate contains mandatory and optional fields. Mandatory fields include: version of the X.509 standard, certificate serial number, algorithm identifier of the issuer's signature, algorithm identifier of the owner's signature, issuer's name, validity period, owner's public key, certificate owner's name.

Note: The owner of a certificate is an entity that controls the private key corresponding to a certain public key. An end user or a certification authority can be the owner of a certificate.

Optional fields include: issuer's unique identifier, owner's unique identifier, certificate extensions.

Figure 178. The structure of a certificate that meets the requirements of the X.509 standard, versions 1, 2, and 3

Figure 179. An example of a certificate that meets the requirements of the X.509 standard, version 3

PKI in Public Key Cryptography

Certificates require a functioning infrastructure to manage the certificates in the environment they are going to be used in. It allows you to verify the authenticity of the document digital signature. PKI manages the certificate lifecycle. It is responsible for issuing and storing certificates, creating their backup copies, printing certificates, cross-certification, providing certificate revocation lists, and automatic certificate renewal when the validity period is over.

The PKI technology is based on the concept of a trust relationship. The main PKI management component is a certification authority (CA). A certification authority serves to register users, issue certificates, store them, issue CRLs and maintain them. In a ViPNet network, a certification authority issues certificates generated by user requests in a special program (for example, ViPNet CSP or ViPNet Client) or automatically (in the process of creating a ViPNet user). If the number of users in a network is great, several certification authorities will be created. Trust relationship between the certification authorities can be based on the distributed or hierarchical model.

In a hierarchical model of trust relationship, certification authorities are organized in a tree-like structure, at the root of which lies the root certification authority. The root certification authority issues the cross-certificates to its subordinate certification authorities, providing that the public keys issued by subordinate certification authorities are trusted. Every superior certification authority delegates the right to issue certificates to its subordinate certification authorities in the same way. As a result, trust to a public key certificate of every certification authority is based on its verification using the key of a superior certification authority. The certificate of a root certification authority (see Root certificate on page 384) is self-signed.

Administrators of other certification authorities do not have root certificates of their own. To establish trust relationships, they create cross-certificate requests to their superior certification authorities.

Figure 180. The hierarchical model of trust relationship

In a cross-certified mesh, all certification authorities are equal: every certification authority administrator has his own root (self-signed) certificate. In this model, trust relationship between certification authorities is established by means of mutual cross-certification, which means that both certification authorities issue cross-certificates for each other. Mutual cross-certification is performed between all the certification authorities pairwise. As a result, in each certification authority, cross-certificates issued for administrators of other certification authorities are added to the root certificate. To sign user certificates, each certification authority continues to use its root certificate, while to verify certificates of other network users, it uses an issued cross-certificate of another certification authority. This is possible because a cross-certificate for a trusted certification authority is issued with the use of its root certificate and contains data about its public key. That is why there is no need to re-issue user certificates in the network from which the request was sent.
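The certificate structure and the two trust models described above, as an added example that is not part of the ViPNet documentation and uses no ViPNet code: the Go standard library's crypto/x509 package creates self-signed root certificates, issues user certificates, and shows that a cross-certificate issued by CA A for CA B's public key lets a host trusting A verify B's users without B re-issuing their certificates, while a certificate from a CA with no trust relationship is rejected. The CA names, serial numbers, one-day validity period and ECDSA P-256 keys are constructed values; the certificate profiles the ViPNet products actually use are not on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; key generation and certificate encoding only fail on a broken environment.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// authority is a certification authority: its key pair and the certificate carrying its public key.
type authority struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// template fills the mandatory X.509 fields the text lists that the issuer does not supply (serial
// number, owner name, validity period); version, issuer name, signature algorithm and the owner's
// public key are written by x509.CreateCertificate. The v3 extensions say whether the owner may sign
// certificates itself. All values here are constructed.
func template(owner string, serial int64, isCA bool) *x509.Certificate {
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage = x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: owner},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              usage,
	}
}

// issue signs tmpl (which carries pub) with the issuer's private key; parent == tmpl gives a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// newRoot creates a certification authority whose root certificate is self-signed.
func newRoot(name string, serial int64) *authority {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := template(name, serial, true)
	return &authority{key, issue(tmpl, tmpl, &key.PublicKey, key)}
}

// trusted reports whether a user certificate chains to one of the verifier's root certificates,
// using the cross-certificates it holds as intermediate links.
func trusted(user *x509.Certificate, roots, cross []*x509.Certificate) bool {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range cross {
		opts.Intermediates.AddCert(c)
	}
	_, err := user.Verify(opts)
	return err == nil
}

// Outcome records the checks Demo makes from the point of view of a host that trusts CA A.
type Outcome struct {
	Version       int  // X.509 version of a user certificate (3, because extensions are present)
	OwnUser       bool // certificate issued by CA A itself
	CrossUser     bool // certificate issued by CA B, accepted through A's cross-certificate for B
	NoCrossUser   bool // the same CA B certificate when no cross-certificate is held
	UnknownCAUser bool // certificate issued by a CA that A has no trust relationship with
}

func Demo() Outcome {
	caA, caB, caC := newRoot("CA A", 1), newRoot("CA B", 2), newRoot("CA C", 3)
	userKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	userA := issue(template("user of A", 10, false), caA.cert, &userKey.PublicKey, caA.key)
	userB := issue(template("user of B", 11, false), caB.cert, &userKey.PublicKey, caB.key)
	userC := issue(template("user of C", 12, false), caC.cert, &userKey.PublicKey, caC.key)
	// Cross-certification: A signs a certificate for B's public key under B's own name.
	// B keeps signing with its root key, and B's users need no new certificates.
	crossAB := issue(template("CA B", 100, true), caA.cert, &caB.key.PublicKey, caA.key)
	rootsA := []*x509.Certificate{caA.cert}
	return Outcome{
		Version:       userA.Version,
		OwnUser:       trusted(userA, rootsA, nil),
		CrossUser:     trusted(userB, rootsA, []*x509.Certificate{crossAB}),
		NoCrossUser:   trusted(userB, rootsA, nil),
		UnknownCAUser: trusted(userC, rootsA, []*x509.Certificate{crossAB}),
	}
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

The cross-certificate carries CA B's public key under CA B's name and is signed by CA A, so a verifier that trusts only A's root can complete the chain user of B, cross-certificate, root A. Without the cross-certificate the same user certificate is rejected, as is anything issued by CA C.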

Figure 181. The cross-certified mesh

If you know the hierarchical structure and type of trust relationship between certification authorities, you can definitely learn whether a user is the owner of this public key.

Encrypting Documents Using Certificates

The sender can encrypt a document using the recipient's public key, so the document can be decrypted only by the recipient. In this case, the recipient's certificate is used to encrypt a document.

Encrypting
1 A document is created.
2 A public key is retrieved from the recipient's certificate.
3 A one-time symmetric session key (on page 385) is generated.
4 The signed document is encrypted using the session key.
5 The session key is encrypted using a key that has been generated over the Diffie-Hellman protocol (on page 380) using the recipient's public key.
6 The encrypted session key is appended to the encrypted document.
7 The document is sent.

Figure 182. The process of encrypting a message

Decrypting
1 A document is received.
2 Encrypted contents and an encrypted session key are retrieved from the document.
3 The recipient's private key is retrieved from the key container.
4 The session key is decrypted using the recipient's private key.
5 The document is decrypted with the decrypted session key.
6 The unencrypted document is available to the recipient.

Figure 183. The process of decrypting a message

Signing Digital Documents Using Certificates

The sender uses a private key to sign a document; this private key corresponds to a certain public key specified in a certificate. The recipient verifies the digital signature (on page 380) appended to the document and retrieves the public key from the sender's certificate.

Signing
1 A document is created.
2 The hash value of the document is calculated. The hash function of the document is used when a digital signature is being generated on the sender's side, as well as when the digital signature is being verified on the recipient's side.
3 The sender's private key is retrieved from the sender's key container.
4 A digital signature is generated based on the hash value using the sender's private key.
5 The digital signature is appended to the document.
6 The encrypted document is sent.

Figure 184. The process of signing a document

Verifying a Digital Signature
1 A document is received.
2 A digital signature containing an encrypted hash value is retrieved from the document.
3 The hash value of the document is calculated.

4 The sender's public key is retrieved from the sender's certificate.
5 The digital signature is decrypted using the sender's public key.
6 The decrypted hash value of the digital signature is compared with the hash value of the document calculated on receipt.
7 If the values match, the document digital signature is valid. If the values do not match (in other words, the received document has been changed since the moment of signing), the document digital signature is invalid. Also, a digital signature is considered invalid when the sender's certificate is expired, revoked, corrupted or signed by a certification authority you do not trust.

Figure 185. The process of signature verification

Signing and Encrypting Digital Documents Using Certificates

Signing and Encrypting
1 A document is created.
2 The hash value of the document is calculated.
3 The sender's private key is retrieved from the sender's key container.
4 The recipient's public key is retrieved from the recipient's certificate.
5 A digital signature is generated based on the hash value using the sender's private key.

6 The digital signature is appended to the document.
7 A one-time symmetric session key (on page 385) is generated.
8 The signed document is encrypted using the session key.
9 The session key is encrypted using a key that has been generated over the Diffie-Hellman protocol (on page 380) using the recipient's public key.
10 The encrypted session key is appended to the encrypted message.
11 The document is sent.

Figure 186. The process of signing and encrypting a document

Decrypting and Verifying
1 A document is received.
2 Encrypted contents and an encrypted session key are retrieved from the document.
3 The recipient's private key is retrieved from the key container.
4 The session key is decrypted using the recipient's private key.
5 The document is decrypted with the decrypted session key.
6 A digital signature containing an encrypted hash value is retrieved from the document.
7 The hash value of the document is calculated.
8 The sender's public key is retrieved from the sender's certificate.
9 The digital signature is decrypted using the sender's public key.
10 The decrypted hash value of the digital signature is compared with the hash value of the document calculated on receipt.
11 If the values match, the document digital signature is valid.

If the values do not match (in other words, the received document has been changed since the moment of signing), the document digital signature is invalid. Also, a digital signature is considered invalid when the sender's certificate is expired, revoked, corrupted or signed by a certification authority you do not trust.
12 The unencrypted document is available to the recipient.

Figure 187. The process of decrypting and validating a document
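The encrypting, signing, and combined signing-and-encrypting procedures above, as an added example in Go that is not ViPNet code: ECDSA over a SHA-256 hash provides the signature, AES-256-GCM encrypts the signed document under a one-time session key, and the session key is encrypted under a key derived from a Diffie-Hellman (ECDH) exchange against the recipient's public key. The one-time sender-side DH key, the SHA-256 key derivation, the length-prefixed way the signature is appended, and the sample document are all constructed choices; the page does not say which algorithms or framing ViPNet uses, and public keys are passed in directly rather than read from certificates.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"io"
)

// Envelope is what travels in steps 10 and 11: the encrypted session key and the encrypted, signed document.
type Envelope struct {
	SenderDHPub []byte // sender's one-time ECDH public key (a constructed choice, see the lead-in)
	WrappedKey  []byte // session key encrypted under the Diffie-Hellman derived key
	Ciphertext  []byte // signed document encrypted under the session key
}

// must panics on error; it is used where failure means a broken environment (no randomness, bad key).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// aead returns AES-256-GCM for a 32-byte key; every key in this example is 32 bytes.
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal encrypts and authenticates plaintext, prefixing a fresh 12-byte random nonce to the output;
// open reverses it and rejects any modified ciphertext.
func seal(key, plaintext []byte) []byte {
	nonce := make([]byte, 12)
	must(io.ReadFull(rand.Reader, nonce))
	return aead(key).Seal(nonce, nonce, plaintext, nil)
}

func open(key, data []byte) ([]byte, error) {
	if len(data) < 12 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead(key).Open(nil, data[:12], data[12:], nil)
}

// deriveKEK turns the ECDH shared secret into the key that protects the session key (step 9);
// a plain SHA-256 stands in for a real key derivation function in this constructed example.
func deriveKEK(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) []byte {
	kek := sha256.Sum256(append(must(priv.ECDH(peer)), "session-key-wrap"...))
	return kek[:]
}

// SignAndEncrypt carries out steps 1 to 11 of "Signing and Encrypting".
func SignAndEncrypt(doc []byte, senderKey *ecdsa.PrivateKey, recipientPub *ecdh.PublicKey) *Envelope {
	hash := sha256.Sum256(doc)                                     // step 2: hash the document
	sig := must(ecdsa.SignASN1(rand.Reader, senderKey, hash[:]))   // steps 3 and 5: sign the hash
	signed := binary.BigEndian.AppendUint16(nil, uint16(len(sig))) // step 6: length-prefixed signature
	signed = append(append(signed, sig...), doc...)
	sessionKey := make([]byte, 32) // step 7: one-time symmetric session key
	must(io.ReadFull(rand.Reader, sessionKey))
	dhPriv := must(ecdh.P256().GenerateKey(rand.Reader)) // step 9: Diffie-Hellman with the recipient's public key
	kek := deriveKEK(dhPriv, recipientPub)
	// steps 8 and 10: encrypt the signed document with the session key, then wrap the session key
	return &Envelope{dhPriv.PublicKey().Bytes(), seal(kek, sessionKey), seal(sessionKey, signed)}
}

// Decrypt performs steps 2 to 5 of "Decrypting and Verifying" and returns the still-signed document.
func Decrypt(env *Envelope, recipientKey *ecdh.PrivateKey) ([]byte, error) {
	senderPub, err := ecdh.P256().NewPublicKey(env.SenderDHPub)
	if err != nil {
		return nil, err
	}
	sessionKey, err := open(deriveKEK(recipientKey, senderPub), env.WrappedKey) // steps 3 and 4
	if err != nil {
		return nil, err
	}
	return open(sessionKey, env.Ciphertext) // step 5
}

// Verify performs steps 6 to 11: split off the signature, hash the received document again
// and check the signature with the sender's public key.
func Verify(signed []byte, senderPub *ecdsa.PublicKey) ([]byte, bool) {
	if len(signed) < 2 || len(signed) < 2+int(binary.BigEndian.Uint16(signed)) {
		return nil, false // no complete signature present
	}
	n := 2 + int(binary.BigEndian.Uint16(signed))
	hash := sha256.Sum256(signed[n:])
	return signed[n:], ecdsa.VerifyASN1(senderPub, hash[:], signed[2:n])
}

const sampleDoc = "Constructed sample document: approve order 42" // constructed input

// Demo runs the exchange end to end, then changes one byte of the decrypted document to show
// that the signature no longer verifies. It returns the recovered text and both verdicts.
func Demo() (string, bool, bool) {
	senderKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	recipientKey := must(ecdh.P256().GenerateKey(rand.Reader))
	env := SignAndEncrypt([]byte(sampleDoc), senderKey, recipientKey.PublicKey())
	signed := must(Decrypt(env, recipientKey))
	doc, ok := Verify(signed, &senderKey.PublicKey)
	text := string(doc) // copy before altering: doc aliases signed
	signed[len(signed)-1] ^= 0x01
	_, okAltered := Verify(signed, &senderKey.PublicKey)
	return text, ok, okAltered
}

func main() { fmt.Println(Demo()) }
```

Two separate checks reject tampering here: a modified ciphertext fails GCM authentication inside Decrypt, and a document modified after decryption fails the signature check in Verify, which is the case the procedure's step 11 describes.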

Keys in ViPNet Software

In the ViPNet technology, a combination of symmetric and asymmetric encryption algorithms is implemented.

Table 10. Cryptographic algorithms used by the ViPNet software
Using symmetric keys | IP traffic encryption; Business Mail messages encryption; application and service envelopes encryption
Using asymmetric keys | Creation and verification of digital signatures; encryption in third-party applications using the ViPNet cryptographic service provider

Symmetric Keys in ViPNet Software

Symmetric algorithms are used to encrypt information and control its integrity. A symmetric key is created for each pair of ViPNet hosts in the ViPNet Key and Certification Authority or ViPNet Network Manager software. This allows those hosts to exchange encrypted data with each other. Thus, a matrix of symmetric keys is created. This matrix contains data on all the symmetric keys created for all ViPNet hosts. The matrix is encrypted so that only the ViPNet Key and Certification Authority or ViPNet Network Manager software has access to it.

Transfer symmetric keys only over secure channels (the key sets for host configuration setup must be delivered by hand). If malicious users obtain the symmetric keys, the entire security system will be compromised.

Symmetric exchange keys are used to encrypt IP traffic, Business Mail messages, application and service envelopes.

Figure 188. Exchange keys usage

To provide higher security and protection for the exchange keys, the following mechanism is used:
exchange keys are encrypted using protection keys;

protection keys are encrypted using personal keys;
personal keys are encrypted using password keys.

Figure 189. Protection of exchange keys on a ViPNet host

When creating a ViPNet network structure, in ViPNet Administrator or ViPNet Network Manager, the ViPNet network administrator creates a key set file (*.dst) for each ViPNet host user. A key set file is required for installing keys and host links on hosts. Key set files contain user keys (a personal key and digital signature keys), keys allowing to exchange information with other hosts (exchange keys), host links required to establish connection to other hosts, and the infotecs.re registration file. ViPNet keys update is performed by your ViPNet network administrator.

Note: You can send a request for renewing a digital signature certificate. To do that, in the Security Service Settings dialog box, go to the Signature tab and click Renew Certificate.

C. Events Tracked by the ViPNet Software

All the events are divided into groups and subgroups. The hierarchical scheme of the groups is presented on the following figure:

Figure 190. Events grouping in the IP packets registration log

Blocked IP Packets

Table 11. The events of the All IP packets/Blocked IP packets/IP packets blocked by Private Network filters group

Event number | Event name | Event description
1 | the key for the ViPNet host not found | There is no key to establish connection with the user whose identifier is specified in the IP packet.
2 | message authentication code is incorrect | The protected data or unencrypted information of the cryptographic system has been modified.
3 | IP packet blocked by Private Network filter | According to the filtering settings, an incoming encrypted packet or an outgoing unencrypted packet intended for encrypting is blocked.
4 | significant time difference | The time difference between the moment of sending and the moment of receiving an IP packet is more than the time period specified in the settings.
7 | unknown encryption method | The encryption method whose code is specified in the incoming packet is not supported.
8 | corrupted IPLIR header | Attributes of an unencrypted packet are not valid.
9 | unknown ViPNet host identifier | The identifier of the packet source is unknown.
13 | IP packet TTL (time-to-live) expired | A packet is deleted because the limit for its presence in the network has been exceeded.
14 | received IP packet is intended for another ViPNet host | An IP packet addressed to another host is received.
15 | too many IP packet fragments | More than the possible number of fragmented IP packets is being processed at the same time.
16 | your license for tunnel IP addresses has been exceeded | This event is logged only on a tunneling coordinator. The coordinator received IP packets from more hosts than it is allowed by the license.
17 | invalid IP address | An IP packet with an incorrect or unknown IP address has been received. The most likely reason this event appears is that an encrypted IP packet has arrived at the coordinator. This packet is intended for a tunneled host registered on this coordinator, but the IP address of the recipient host is missing from the tunneled hosts addresses list.
18 | unknown destination IP address | The packet's destination IP address is missing or unknown.

19 | ViPNet hosts addresses conflict detected | The host specified as the packet's source is not its real source.
70 | forwarded IP packet blocked by protected network filter | This event may take place only on a coordinator with the Linux OS installed. The IP packet is blocked by the filtering rule for forward unencrypted traffic.

Table 12. The events of the All IP packets/Blocked IP packets/IP packets blocked by public network filters group

Event number | Event name | Event description
22 | non-encrypted IP packet from network node | An unencrypted IP packet is received from a protected source host.
23 | non-encrypted broadcast IP packet from network node | An unencrypted broadcast IP packet is received from a protected source host.
24 | unregistered IP packet | ViPNet service traffic is unencrypted.
30 | local IP packet blocked by Public Network filter | The packet is blocked by a local public network filter or no filter can be applied to the packet.
31 | forwarded IP packet blocked by Public Network filter | This event is logged only on a coordinator. The packet is blocked by a forward public network filter or no filter can be applied to the packet.
32 | broadcast IP packet blocked by Local Public Network filter | The packet is blocked by a local public network filter for broadcast traffic or no filter can be applied to the packet.
33 | IP packet blocked by antispoofing filter | This event is logged only on a coordinator. A corresponding filter is found in the anti-spoofing table.
37 | IP packet is blocked by tunnel filter | This event is logged only on a coordinator. The packet is blocked by the filter for tunneled hosts or no filter can be applied to the packet.
39 | IP packet is blocked by default filters when launching operating system | At the system startup, the IP packet has been blocked by the default filters.

Table 13. The events of the All IP packets/Blocked IP packets/IP packets blocked by other reasons group

Event number | Event name | Event description
80 | IP packet's header too short | The size of the IP packet is less than the minimal possible one.
81 | invalid IP protocol version | Only version 4 of the IP protocol is supported.
82 | incorrect IP header length | The length of the IP packet header is less than the minimal valid one.

83 | incorrect IP packet length | The length of the IP packet is less than the one specified in the IP protocol header.
84 | IP packet checksum incorrect | The checksum value of the IP packet is not the same as the one specified in the packet.
85 | TCP header too short | The length of the TCP header is less than the minimal valid one.
86 | UDP header too short | The length of the UDP header is less than the minimal valid one.
87 | defragmentation process failed | An error occurred at the incoming IP packet defragmentation attempt.
88 | the source address cannot be a broadcast address | A broadcast address of the sender is specified in the packet.
89 | defragmentation process failed | An error occurred at the incoming IP packet defragmentation attempt.
90 | not enough resources for crypto-processing | A key for encrypting or decrypting a packet cannot be created because there are not enough resources for the cryptographic service provider. If the error repeats, contact Infotecs technical support. Probably, you will need to update the driver version so that it requires fewer hardware resources, or use a more powerful computer.
91 | IP packet acquired during the ViPNet driver initialization | All IP packets were blocked during the driver initialization.
92 | IP packet size too large | The size of an IP packet is limited to 48 KB.
93 | IP packet defragmentation timed out | Not all IP packet fragments were received within a certain time period.
95 | duplicate ViPNet host identifier found | On the network, there is a host with the identifier that coincides with the one of your host, but with a different IP address.
97 | IP packet blocked by SQL filter | The connection is blocked by the Microsoft SQL filter.
101 | route for forwarded IP packet not found | This event is logged only on a coordinator. There is no rule for a forward IP packet in the routing table.
103 | maximal number of connections is exceeded | The number of connections established exceeds the maximal valid number according to coordinator settings.
104 | connection already exists | If the attributes of outgoing IP packets for the connection you are establishing are similar to already existing ones, the connection is blocked.
105 | can not allocate dynamic port for addresses translation rule | This event is logged only on a coordinator. No port can perform dynamic address translation (for example, there are no ports in the pool).

111 | exchange key not found | There is no key for connection with the recipient's host.
112 | message authentication code of non-encrypted IP packets version 4.2 corrupted | The message authentication code value for forwarded unencrypted traffic is incorrect.
113 | unknown source ID | The identifier of the forwarded unencrypted traffic source host is not known.
115 | failed to find the route for IP packet | For some reason, the route cannot be found in the routing table.
116 | network adapter not found | The IP packet cannot be sent, because the network adapter is not found.
117 | failed to resolve MAC address using IP address | The recipient's MAC address cannot be resolved using the IP address.
118 | failed to encrypt IP packet | An error occurred while encrypting an outgoing IP packet addressed to a protected host.
119 | incorrect IPLIR header format | An encrypted IP packet of unknown format is received.
120 | inconsistent information about ViPNet host access parameters | An error occurred while sending an IP packet to a protected host.
121 | ViPNet cluster error | This event may take place only on a ViPNet cluster. An internal error on a cluster.
122 | unknown data-link protocol | An IP packet, sent via an unknown protocol, is received.

Note: In Windows Server 2003 and later versions of Windows, the events 82 and 89 are not logged in the IP packets log, because the OS blocks the corresponding IP packets automatically.

Service Events and Allowed IP Packets Events

Table 14. Events of the All IP packets/All allowed IP packets/Allowed encrypted IP packets group

Event number | Event name | Event description
40 | encrypted IP packet allowed | An encrypted IP packet has been allowed.
41 | encrypted broadcast IP packet allowed | An encrypted broadcast IP packet has been allowed.
44 | encrypted forwarded IP packet routed and its IP address changed | This event is logged only on a coordinator. An IP packet is directed to another host by means of changing its recipient's address.
45 | encrypted (decrypted) packet from tunneled host | This event is logged only on a coordinator. An IP packet addressed to a tunneled host has been encrypted or decrypted.

Table 15. Events of the All IP packets/All allowed IP packets/Allowed non-encrypted IP packets group

Event number | Event name | Event description
60 | non-encrypted IP packet allowed | A local IP packet is allowed by a public network filter.
61 | non-encrypted broadcast IP packet allowed | A broadcast IP packet is allowed by a public network filter.
62 | non-encrypted forwarded IP packet allowed | This event is logged only on a coordinator. A forward IP packet is allowed by a public network filter.
63 | IP packet is allowed by tunnel filter | This event is logged only on a coordinator. An IP packet from a tunneled host is allowed by a filter.
64 | IP packet is allowed by default filters when launching operating system | At the system startup, the IP packet has been allowed by the default filters.

Table 16. Events of the All IP packets/Service events group (additional information for IP packets registered in the log)

Event number | Event name | Event description
42 | IP address of the ViPNet host changed | The ViPNet driver detected that the IP address of a host or its access parameters had changed, so the driver updated the host's routing tables. If access parameters are changed, the event is registered only for the hosts that do not work via a firewall with static or dynamic NAT.
46 | ViPNet host access parameters changed | The ViPNet driver detected that the parameters for accessing the host from an external network had changed, so the driver updated the host's routing tables. The event is registered for the hosts that work via a firewall with static or dynamic NAT. To register IP addresses and ports, the attributes of the IP packet (before they were modified by the ViPNet driver) are used.
48 | ViPNet host's IP address is registered from broadcast IP packet | The host sends broadcast IP packets.
49 | ViPNet host parameters controlling access to this host from external network changed | Information that access parameters to your host via a public network have been changed. To register IP addresses and ports, information about recipient and source hosts is used.
110 | new ViPNet host IP address is registered on the DNS server | A message from a DNS server is received informing that an IP address (specified in the sender's IP address field) is registered for the host whose name is specified in the source field.
114 | the name is not registered on DNS (WINS) server | A message from a DNS server is received informing that the DNS name of the protected host is not registered on this DNS server.
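A defender's use of the event tables above, as an added example that is not part of the ViPNet documentation: a Go program groups IP packet log events by the subgroups of Figure 190 and Tables 11 to 16 and flags the entries that point at a key or address problem (event 2, message authentication code is incorrect, repeated from one source; and any event 19, 33 or 95). The line format "event=<n> src=<ip> dst=<ip>" and the sample lines are constructed; the real ViPNet log layout is not given on this page, so the parser would have to be adapted to it.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// groupOf maps an event number to its subgroup in Figure 190, using the numbers listed in Tables 11 to 16.
var groupOf = map[int]string{}

func init() {
	add := func(group string, ids ...int) {
		for _, id := range ids {
			groupOf[id] = group
		}
	}
	add("blocked/private network filters", 1, 2, 3, 4, 7, 8, 9, 13, 14, 15, 16, 17, 18, 19, 70)
	add("blocked/public network filters", 22, 23, 24, 30, 31, 32, 33, 37, 39)
	add("blocked/other reasons", 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 95, 97,
		101, 103, 104, 105, 111, 112, 113, 115, 116, 117, 118, 119, 120, 121, 122)
	add("allowed/encrypted", 40, 41, 44, 45)
	add("allowed/non-encrypted", 60, 61, 62, 63, 64)
	add("service", 42, 46, 48, 49, 110, 114)
}

// attention names the single events from the tables that point at a key or address problem.
var attention = map[int]string{
	19: "ViPNet hosts addresses conflict detected",
	33: "IP packet blocked by antispoofing filter",
	95: "duplicate ViPNet host identifier found",
}

// Record is one parsed line of the constructed format "event=<n> src=<ip> dst=<ip>".
type Record struct {
	Event    int
	Src, Dst string
}

// Parse reads lines in the constructed format; lines without a numeric event, src and dst are skipped and counted.
func Parse(lines []string) (recs []Record, skipped int) {
	for _, line := range lines {
		kv := map[string]string{}
		for _, f := range strings.Fields(line) {
			if k, v, ok := strings.Cut(f, "="); ok {
				kv[k] = v
			}
		}
		ev, err := strconv.Atoi(kv["event"])
		if err != nil || kv["src"] == "" || kv["dst"] == "" {
			skipped++
			continue
		}
		recs = append(recs, Record{ev, kv["src"], kv["dst"]})
	}
	return recs, skipped
}

// Summary holds the per-group counts and the findings worth an analyst's attention.
type Summary struct {
	ByGroup map[string]int
	Flags   []string
}

// Triage groups the records and flags two patterns: any event in attention, and event 2
// (message authentication code is incorrect) seen macThreshold or more times from one source,
// which is what a modified or wrongly keyed stream of packets from that source looks like.
func Triage(recs []Record, macThreshold int) Summary {
	s := Summary{ByGroup: map[string]int{}}
	macBySrc := map[string]int{}
	for _, r := range recs {
		g, ok := groupOf[r.Event]
		if !ok {
			g = "unknown" // event number not in Tables 11 to 16
		}
		s.ByGroup[g]++
		if r.Event == 2 {
			macBySrc[r.Src]++
		} else if name, ok := attention[r.Event]; ok {
			s.Flags = append(s.Flags, fmt.Sprintf("event %d from %s: %s", r.Event, r.Src, name))
		}
	}
	srcs := make([]string, 0, len(macBySrc))
	for src := range macBySrc {
		srcs = append(srcs, src)
	}
	sort.Strings(srcs) // deterministic report order
	for _, src := range srcs {
		if n := macBySrc[src]; n >= macThreshold {
			s.Flags = append(s.Flags, fmt.Sprintf("source %s: %d packets with incorrect message authentication code (event 2)", src, n))
		}
	}
	return s
}

// sampleLog is constructed input; the real ViPNet log layout is not given on this page.
var sampleLog = []string{
	"event=40 src=10.1.0.5 dst=10.1.0.1",
	"event=2 src=10.1.0.7 dst=10.1.0.1",
	"event=2 src=10.1.0.7 dst=10.1.0.1",
	"event=2 src=10.1.0.7 dst=10.1.0.1",
	"event=33 src=192.0.2.9 dst=10.1.0.1",
	"event=95 src=10.1.0.8 dst=10.1.0.1",
	"event=60 src=10.1.0.5 dst=10.1.0.2",
	"event=42 src=10.1.0.5 dst=10.1.0.1",
	"this line is not in the expected format",
	"event=999 src=10.1.0.5 dst=10.1.0.1",
}

func main() {
	recs, skipped := Parse(sampleLog)
	s := Triage(recs, 3)
	fmt.Println("skipped lines:", skipped, "groups:", s.ByGroup)
	for _, f := range s.Flags {
		fmt.Println("ATTENTION:", f)
	}
}
```

Event numbers that are not in the tables land in an "unknown" group rather than being dropped, so a newer driver version that adds events still shows up in the counts; the threshold for repeated event 2 is a parameter because a single incorrect message authentication code can be a stale key after an update, while many from one source within a short window are worth a look.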

D. External Storage Devices

Overview

External storage devices are designed for storing key containers (see Key container on page 382) that you can use for authentication, digital signing (see Digital signature on page 380), or other purposes. On an external device, you can store keys created using different encryption algorithms in ViPNet software or third-party programs. The maximum number of key containers stored on a device depends on the device's memory space.

ViPNet software supports two authentication methods involving external storage devices (see User Logon Modes on page 66):
ViPNet user's personal key stored on an external device, with the following limitations:
Each external storage device can be used for authentication of only one ViPNet user.
Each external storage device can be used for authentication of one ViPNet user on several ViPNet hosts.
If you use this authentication method, then store your digital signature keys (created in a certification authority using ViPNet software) and the personal key on one external storage device.
Certificate with its private key stored on an external device. You can request the certificate in a Windows domain and store the corresponding key container on your external storage device that supports PKCS#11.

You can perform all the required configuring concerning key containers and external storage devices in the ViPNet CSP program. Make sure that you have installed the drivers required for your external device. Before you store keys on your device, make sure that the device is formatted.

Supported External Storage Devices

In the table below, you can find the list of devices supported by the ViPNet software. For each external device, the table contains the description, conditions, operation specifics, and information on PKCS#11 standard support.

Note: PKCS#11 (also known as Cryptoki) is one of the PKCS standards (Public Key Cryptography Standards, cryptographic standards of public keys) developed by the RSA Laboratories company. The standard defines a platform-independent API intended for working with cryptographic devices for identification and data storage.

Table 17. Supported external devices

Device name in ViPNet CSP | Device name and type | Requirements | PKCS#11 support
eToken | Aladdin eToken PRO (Java), eToken PRO electronic keys, eToken PRO (Java), eToken PRO smart cards by Aladdin Company. Note: You can use eToken PRO SmartCard with any standard PC/SC-compatible USB card reader. | The PKI Client software of the 5.1 version or later should be installed on the computer. | Yes
iButton | Aladdin iButton (Dallas) electronic keys of the DS1993, DS1994, DS1995, and DS1996 types | A reader device must be connected to the computer. The 1-Wire Drivers software version 3.20 or 4.0.3, which ensures data exchange with iButton, should be installed on the computer. | No
Smartcard | Athena Smartcards with memory of the I2C (ASE M4) type, synchro cards with a 2/3 bus and protected memory meeting the requirements of the ISO (ASE MP42) standard | The ASEDrive III PRO-S reader by Athena company is used to process data on a smart card. Drivers of the 2.6 version should be installed on the computer. | No
Siemens CardOS | CardOS/M4.01a, CardOS V4.3B, CardOS V4.2B, CardOS V4.2B DI, CardOS V4.2C, and CardOS V4.4 smart cards by Atos (Siemens) | Siemens CardOS API V5.0 and later should be installed on the computer. | Yes

Note: For each device, the list of supported operating systems is available on the manufacturer's official web page.

E. Recommendations on Providing Compatibility of the ViPNet Coordinator Software with Third-Party Programs

Compatibility of the ViPNet Software and the Hyper-V Technology

Hyper-V is a virtualization system implemented in Microsoft Windows Server 2008 (64 bit). Hyper-V has a peculiarity: to provide access of virtual machines to an external network, you should allocate one of the physical network interfaces on the computer for this purpose. This interface will be connected to the virtual Hyper-V switch. In the host's operating system, a virtual interface with the same properties will be created instead of this interface. For the virtual network interfaces (and interfaces in the host's operating system) to be connected correctly to the external network, on the physical interface used for this connection, you should disable all the services and protocols, except for the Virtual Network Switch protocol.

When ViPNet Monitor is installed on a computer with a 64-bit operating system, the Iplir lightweight Filter (x64 edition) service (in other words, the ViPNet network driver) is started on all the network interfaces of the computer. This driver encrypts, decrypts and filters the incoming and outgoing IP packets on the network interface and may have a negative effect on the performance of the Hyper-V virtual network. To ensure that the virtual network and the ViPNet software in the host's operating system are functioning correctly, you should disable the Iplir lightweight Filter (x64 edition) service in the settings of the physical network interface connected to the virtual Hyper-V network.

Figure 191. Configuring a physical interface connected to a virtual Hyper-V network

F. Version History

This chapter describes new functionality of the ViPNet Coordinator software.

What's New in Version 4.3

This section contains a brief description of changes made to ViPNet Coordinator 4.3 and its new features. For details, see New Features in ViPNet Client and ViPNet Coordinator 4.x. Supplement to ViPNet Documentation.

Restoring pre-defined filters and object groups
In version 4.3, you can restore the pre-defined network filters. Thus, you can discard all user-defined filters and roll back to the initial state. Pre-defined object groups will be restored too.

Centralized management of encryption algorithms and saving a password to the registry
In version 4.3, the password saving feature and an encryption algorithm are set according to the settings received within the keys and host links update. Such updates are created in network management software (ViPNet Network Manager or ViPNet Administrator) that supports centralized management of those parameters. A user or a host administrator can still change the settings, but this change will be effective until the next update is installed.

What's New in Version 4.2

This section contains a brief description of changes made to ViPNet Coordinator 4.1 and its new features. For details, see New Features in ViPNet Client and ViPNet Coordinator 4.x. Supplement to ViPNet Documentation.

Configuring a TCP tunnel

In ViPNet Coordinator 4.x, you can configure a TCP tunnel for communication between ViPNet clients on external networks with other ViPNet clients in case the UDP protocol is blocked by the ISP when you try to connect to external networks.

Figure 192. Configuring a TCP tunnel in ViPNet Coordinator

The information about the created TCP tunnel and the configured port number is sent out to all the clients for which this coordinator is a connection server. Later, if the remote client cannot connect to other ViPNet hosts over UDP, it will automatically establish connection to the hosts over the TCP tunnel configured on its connection server. On the connection server, IP packets are retrieved from the TCP tunnel and transferred to destination hosts over UDP. Note that you can configure a TCP tunnel only on a coordinator that is not behind a firewall or is behind a firewall with static NAT.

Changes in the certificate renewal wizard
The method of transferring a certificate renewal request in a file became unnecessary. The corresponding option has been removed from the certificate renewal wizard. In ViPNet Key and Certification Authority 4.x, *.sk files received directly from a user cannot be processed. Now you can transfer a generated certificate renewal request to ViPNet Key and Certification Authority only via the ViPNet MFTP transport module. Moreover, the option of choosing the mode of waiting for the renewed certificate from ViPNet Key and Certification Authority in real time has been abandoned, as well as the option of installing the renewed certificate immediately upon receiving it. Both abandoned options could cause errors in the process of a renewed certificate's installation in some cases. Now the certificate can be installed without such errors. It is installed automatically if, in the Security Service Settings dialog box, on the Signature tab, you select the Automatically install certificates, issued by user's request check box.

Changes in ViPNet Update System notifications
In version 4.2, if automatic installation of updates is chosen, then ViPNet Update System operates silently, without displaying notifications. If manual installation of updates is chosen, then the corresponding information is displayed in the notification area when updates arrive on the host.

In the earlier versions, the ViPNet Update System icon is always displayed in the notification area. In version 4.2, the icon is displayed only when you are required to perform some actions, for example, to restart the computer after updates were installed or to accept updates if manual installation of updates has been chosen. Also, in version 4.2, you can call the ViPNet Update System window from the Start menu.

Safer start of ViPNet SafeDisk-V
To increase the sensitive information protection, the start of the ViPNet SafeDisk-V program is performed differently. Now, if IP traffic protection is disabled in ViPNet Monitor, ViPNet SafeDisk-V will not start. Conversely, when ViPNet SafeDisk-V is running, you cannot disable the traffic protection.

New options for Encrypted Instant Messaging
In Encrypted Instant Messaging 4.2, new features have been added. Now you can:
search for the required session among all active sessions by a certain word or a part of the word;
easily switch between the sessions;
view the date and time of the latest message from a session participant;
send files within a chat session;
check connection with the selected user.

Figure 193. New instant messaging features on a coordinator

Also, in version 4.x, when you exit the Encrypted Instant Messaging, all open sessions are saved. When you start the program next time, they are restored. In earlier versions, when you exit the program, all the current messaging sessions are closed without automatic saving.

Notifying about changes in object groups, network filters, or NAT rules
In version 4.2, when you add or edit an object group, a network filter, or a NAT rule, in the main window, in the status bar, a notification is displayed prompting that the group, filter, or rule has been edited, but the changes have not been applied yet. The message will be displayed in the status bar until you click Apply and confirm the changes within 30 seconds.

Figure 194. Notification about changing object groups and network filters

What's New in Version 4.1
This section contains a brief description of changes made to ViPNet Coordinator 4.1 and its new features.

Disabling the Windows firewall on the first ViPNet Coordinator startup
When you install ViPNet Coordinator 4.1, the standard Windows firewall remains enabled. It is disabled automatically only when you run the program for the first time. This ensures uninterrupted protection of your computer during network deployment. You will not be notified about the firewall being disabled. In 3.2.x versions, the firewall was disabled right after ViPNet Coordinator was installed.

New signature algorithms
In ViPNet Monitor 4.1, more algorithms are supported for generating signing keys.

On-screen keyboard for logon
In version 4.1, you may log on to ViPNet Monitor during Windows startup by using the on-screen keyboard. To do this, click the corresponding button and, on the menu, click On-Screen Keyboard.

An easier way to configure the connection between a coordinator and an external network via a firewall with NAT (network address translation)
In ViPNet Coordinator Monitor 3.2.x, when you configured the connection between a ViPNet coordinator and an external network via a firewall with static or dynamic NAT, you had to specify the network interface through which the connection would be established (in the Network adapter, behind which the firewall is located list). In ViPNet Coordinator Monitor 4.1, you need to specify the interface only if you want all response packets from external network hosts to be sent to a specific firewall address (the Use the following external IP address for access through the firewall check box). If the firewall performs dynamic NAT, or static NAT without a fixed IP address, you no longer have to configure this parameter.

Figure 195. Specifying an adapter for the firewall in version 4.x

What's New in Version 4.0
This section contains a brief description of changes made to ViPNet Coordinator 4.0 and its new features. For details, see New Features in ViPNet Client and ViPNet Coordinator 4.x. Supplement to ViPNet Documentation.

Centralized management of ViPNet hosts' security policies is supported
In ViPNet Monitor, you can apply network filters and IP address translation rules created in ViPNet Policy Manager.

A new format of network filters and IP address translation rules
In version 4.0, a new format of network filters and IP address translation rules is used (see Configuring the Integrated Firewall on page 126), which allows you to apply security policies created in ViPNet Policy Manager. When the program is upgraded to the new version, existing filters and rules are converted automatically; no additional user action is needed.

Figure 196. Viewing network filters in ViPNet Coordinator Monitor

Security levels concept dropped
In version 4.0, security levels are no longer used. To obtain the required level of protection, create network filters or assign the corresponding permissions level to a user.

ViPNet software installation uses MSI technology
For ViPNet Monitor 4.0, an MSI installation package has been developed, which allows you to install the program by using Microsoft System Center or from the command line.

ViPNet CSP setup
The ViPNet CSP program may be installed from a separate installation file or together with the ViPNet Client and ViPNet Coordinator programs version 4.0. In either case, ViPNet CSP is installed as a separate application, which makes upgrading it simple and independent of upgrading ViPNet Client and ViPNet Coordinator. The cryptographic service provider can now be configured only in the ViPNet CSP program. In ViPNet Monitor, on the Cryptoprovider tab, you can only open the ViPNet CSP settings window.

Figure 197. Configuring the cryptographic service provider

The ViPNet KeySetup program
In version 4.0, the configuration setup program is no longer used. The KeySetup program covers all scenarios of installing and updating keys on a ViPNet host (see Installing Keys and Host Links on page 49).

User logon modes
In ViPNet Monitor version 4.0, when an external device is used for authentication (the PIN and device mode), you can be authenticated either by your personal key (as in version 3.2.x) or by your certificate (see User Logon Modes on page 66).

Figure 198. Using a device for user authentication

The Password on device mode will not be supported in later versions. In version 4.0, we recommend choosing other logon modes (see Setting the User Logon Mode on page 252). If users are authenticated by passwords, then, for another user to log on, he or she only needs to select the proper username from a list, without specifying the user keys folder.

Figure 199. Authenticating a user by a password

ViPNet Update System
In ViPNet Monitor version 4.0, all updates (software, host links, key updates, and security policy updates created in ViPNet Policy Manager) are received and installed by the ViPNet Update System, which provides a graphical interface for working with received updates.

Figure 200. The list of updates received

When you receive updates, you are informed about them.

Figure 201. Displaying new updates in the notification area

Creating IP packet filters
In ViPNet Monitor version 4.0, you can create both allowing and blocking filters right in the IP packets log. Therefore, the Blocked IP Packets section has been removed from the interface; all actions with IP packets are now performed in the IP Packets Log section.

Switching configurations automatically
In ViPNet Monitor version 4.x, you can switch between program configurations automatically. If you work with several program configurations and switch between them at certain times, you may schedule the configuration change.

Restricted user interface
In ViPNet Monitor version 4.0, you can restrict the user interface (see ViPNet Monitor Advanced Settings on page 248), which is equivalent to assigning permissions level 3 to the host. Consequently, if the host already has permissions level 3, the check box for restricting the interface is unavailable.

Desktop locking and IP traffic blocking
In ViPNet Monitor 4.0, you lock the computer by standard Windows means. You can also block all IP traffic (all connections with protected and unprotected hosts are blocked) and disable traffic protection (which stops traffic processing and IP packet logging and disables the intrusion detection system).

Figure 202. Restricting the user interface and special permissions level 3

Anti-spoofing
In ViPNet Coordinator 3.2.x, anti-spoofing had to be configured manually to protect your ViPNet network. In version 4.0, you only need to enable anti-spoofing (on page 159); no further configuration is required. When you enable anti-spoofing, the corresponding filters are created automatically based on the host's routing table.

Creating filters for tunneled hosts
In ViPNet Monitor 3.2.x, you configured IP addresses for tunneling in the Tunneled Hosts section by clicking IP addresses and adding the addresses. In version 4.x, you add tunneled hosts' IP addresses in the Tunneling section of the coordinator properties dialog box. This section also displays the allowed number of simultaneously tunneled hosts.

Configuring network interfaces
In ViPNet Monitor version 4.0, the Network Interfaces section only lists the network interfaces present on the host. To set the required level of protection, create the corresponding filters and specify the required interfaces in their settings. In version 4.0, you do not need to configure anti-spoofing here.

Integration with the ViPNet SafeDisk-V program
When you start ViPNet SafeDisk-V 4.2, ViPNet Client is restarted and many options become unavailable for editing. For security reasons, you also cannot log on as another user or exit ViPNet Client.

Changes in terminology and interface

Table 18. Main changes in terminology and interface

Terms
  Version 3.2.x: Traffic Filtering Rules; Export Settings, Import Settings
  Version 4.0: Network Filters; Save Settings, Restore Settings
Menu bar
  Version 4.0: Revised
Starting the Business Mail, Application Control, File Exchange, and MFTP software components
  Version 3.2.x: Started by clicking the corresponding buttons in the main ViPNet Monitor window
  Version 4.0: Started from the Applications menu
Network Filters
  Version 4.0: Filters are now displayed in the same way in ViPNet Monitor and ViPNet Policy Manager
Managing IP traffic
  Version 3.2.x: General and Intrusion Detection sections of the Options dialog box
  Version 4.0: IP traffic is managed in a separate Manage IP Traffic section of the Options dialog box
Locking your computer
  Version 3.2.x: A button in the main window of the program
  Version 4.0: The button has been removed

Documentation and Help update
Documentation and Help shipped with the ViPNet Coordinator software have been updated to reflect the changes in program features.

What's New in Version
This section contains a brief description of changes made to ViPNet Monitor and its new features.

Notification of blocked IP packets
In ViPNet Monitor, you can receive notifications about IP packets blocked by the integrated firewall. To enable the notification, in the Options dialog box, in the General > Warnings section, select the Notify about blocked IP packets check box.

Fixed errors in the ViPNet Coordinator program
- The error that caused Windows XP SP3 to crash is fixed.
- The failure to check the connection to a host running an earlier version of ViPNet software is fixed.

Changes in working with public key certificates
- Outdated algorithms for creating and verifying digital signatures are no longer supported.
- The errors in polling the certificate revocation list distribution points are fixed.
- The qualified certificate request errors are fixed.

Fixed errors in the ViPNet Cluster software
- The error that caused cluster elements to switch roles arbitrarily is fixed.
- The number of broadcast IP packets sent by cluster elements has been reduced.

What's New in Version
This section contains a brief description of changes made to ViPNet Monitor and its new features. For details, see New Features in ViPNet Client and ViPNet Coordinator 3.2. Supplement to ViPNet Documentation.

A new view of information about blocked IP packets
You can no longer configure receiving notifications about IP packet blocking, nor specify a time period within which IP packets were blocked. The list of blocked IP packets now displays the IP packets blocked since program startup or since the list was last cleared.

Figure 203. Viewing blocked IP packets in ViPNet Coordinator

The ViPNet Cluster program has been improved
Time on ViPNet Cluster nodes is now synchronized differently. Unlike previous versions, all cluster nodes now synchronize the system time with the delegate node rather than the master node. Thanks to this, the time on a ViPNet Cluster host can now be synchronized with an external source, such as an NTP server.

Documentation and Help update
Documentation and Help shipped with the ViPNet Coordinator software have been updated to reflect the changes in program functionality.
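The anti-spoofing item under version 4.0 above says that, once the feature is enabled, the filters are derived from the host's routing table. The following Python script is an added example, not ViPNet code and not a description of ViPNet's filter format; it shows the reverse-path principle such filters rest on: a packet is spoofed when it arrives on an interface other than the one the host would use to reach the packet's source address, and a per-interface allow/block list can be generated from the routing table alone. The routing table and the interface names lan and wan are constructed for the example.

```python
"""Anti-spoofing (reverse-path) filters derived from a routing table.

Added example. The routing table, the interface names and the rule
format are constructed; they are not ViPNet's own.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    prefix: str       # destination prefix; "0.0.0.0/0" is the default route
    interface: str    # interface the prefix is reached through


class Rule(NamedTuple):
    interface: str    # interface the inbound rule is attached to
    action: str       # "allow" or "block"
    source: str       # source prefix the rule matches


def _specific_routes(routes: List[Route]) -> List[Tuple]:
    """Non-default routes, most specific prefix first (longest match wins).
    The default route is dropped: it says nothing about where a source lives."""
    parsed = [(ipaddress.ip_network(r.prefix, strict=False), r.interface) for r in routes]
    parsed = [(net, iface) for net, iface in parsed if net.prefixlen > 0]
    return sorted(parsed, key=lambda item: item[0].prefixlen, reverse=True)


def expected_interface(routes: List[Route], src_ip: str) -> Optional[str]:
    """Interface the host would reply to src_ip through, or None when only the
    default route covers it (then the source cannot be verified)."""
    addr = ipaddress.ip_address(src_ip)
    for net, iface in _specific_routes(routes):
        if addr in net:
            return iface
    return None


def is_spoofed(routes: List[Route], arrival_iface: str, src_ip: str) -> bool:
    """True when the source is known to live behind a different interface."""
    expected = expected_interface(routes, src_ip)
    return expected is not None and expected != arrival_iface


def build_antispoof_rules(routes: List[Route]) -> List[Rule]:
    """Materialise the check as an ordered inbound rule list per interface:
    allow sources reachable through this interface, block sources reachable
    through any other one. Most specific prefixes come first so that a /16
    behind one interface overrides a covering /8 behind another."""
    rules: List[Rule] = []
    for iface in sorted({r.interface for r in routes}):
        for net, via in _specific_routes(routes):
            rules.append(Rule(iface, "allow" if via == iface else "block", str(net)))
    return rules


def evaluate(rules: List[Rule], arrival_iface: str, src_ip: str) -> str:
    """First-match evaluation of the generated list. A source no rule covers is
    allowed, because nothing in the routing table contradicts it."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.interface == arrival_iface and addr in ipaddress.ip_network(rule.source):
            return rule.action
    return "allow"


# Constructed routing table: a LAN-facing and a WAN-facing interface. One
# /16 carved out of 10/8 is deliberately placed behind the WAN.
ROUTES = [
    Route("192.168.1.0/24", "lan"),
    Route("10.0.0.0/8", "lan"),
    Route("10.1.0.0/16", "wan"),
    Route("203.0.113.0/24", "wan"),
    Route("0.0.0.0/0", "wan"),
]

if __name__ == "__main__":
    for rule in build_antispoof_rules(ROUTES):
        print(f"{rule.interface:>4} in: {rule.action:5} src {rule.source}")
    for iface, src in [("wan", "192.168.1.50"), ("lan", "10.1.2.3"), ("wan", "198.51.100.7")]:
        print(iface, src, "spoofed" if is_spoofed(ROUTES, iface, src) else "ok")
```

Two details matter in practice. The default route must be excluded, otherwise every source would count as "expected" on the WAN and the check would never block anything there; and the most specific prefix must be evaluated first, which is why the rule list is ordered by prefix length. Because generated filters are only as good as the routing table they were built from, review them after you change interfaces or static routes.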

What's New in Version
This section contains a brief description of changes made to ViPNet Monitor and its new features. For details, see New Features in ViPNet Client and ViPNet Coordinator 3.2. Supplement to ViPNet Documentation.

Compatibility with third-party software
Full compatibility of ViPNet software with Lumension Device Control, Cisco Security Agent, Kaspersky Administration Kit, and MSDE 2000 has been implemented.

Improved multicore processor support
Parallel IP packet processing on multicore systems has been optimized. Because IP packets are now processed promptly and the received data is delivered in the right order, multimedia streaming rate and quality have improved.

Automatic traffic routing if your ViPNet host has several network interfaces or you use several communication channels
IP traffic routing no longer depends on hosts' visibility addresses. As a result, the route for an IP packet on a ViPNet host with several network interfaces, as well as the channel used to transfer the packet (if several communication channels are used), is determined automatically.

More application protocols can be processed in ViPNet Monitor
More application protocols can now be processed in ViPNet Monitor with the specified parameters.

Information about IP packets blocked within a specified time period is displayed
You can now choose whether to display information about IP packets blocked within the last hour, the last 24 hours, or within a specified time period.

Private network filters display and encrypted traffic filtering rules configuration have been changed
Information about all filters is now in the main window, in the Network Filters section.

Figure 204. Navigation pane sections in ViPNet Coordinator Monitor versions 3.1 and 3.2

The visual appearance of private and public network filters has been unified, as have the actions you can perform on the filters.

Figure 205. The visual appearance of private and public network filters in ViPNet Monitor 3.2 and possible actions with the filters

Automatic logon to ViPNet Coordinator
Logon without having to confirm the ViPNet user password in the logon window has been implemented. You can configure autologon only in administrator mode, on the Administrator tab of the Security Service Settings dialog box. If the Automatically log on to ViPNet check box is selected, the logon window is not displayed at ViPNet Monitor startup on the current host and you are logged on to ViPNet Coordinator automatically. Autologon removes the password prompt, so anyone who can reach the host's Windows session can use its ViPNet keys; enable it only on coordinators whose physical and OS-level access is restricted.

Figure 206. Configuring autologon in ViPNet Coordinator

Certificates are automatically received and installed if they have been issued by the administrator without a user request
You can automatically receive and install certificates issued by the administrator in ViPNet Key and Certification Authority without a user request. If this option is enabled, receiving and installing such certificates requires no user action. After such a certificate has been installed, you are notified about it (see Certificate Issued on the Administrator's Initiative Has Been Installed on page 318).

Figure 207. Certificates issued by the administrator without a user request are installed automatically

New key setup program has been developed
The new key setup program is intended for working with key sets created in ViPNet Administrator Key and Certification Authority versions 2.8 and 3.x, and in ViPNet Network Manager versions 2.x and 3.0. The new setup program offers enhanced functionality and a user-friendly interface.

Warning: For ViPNet networks managed with the ViPNet Administrator software, we do not recommend using the ViPNet KeySetup program on hosts where several ViPNet users have been registered or several programs using ViPNet keys have been installed.

Figure 208. The new ViPNet KeySetup program

Cryptographic service provider ViPNet CSP has been improved
The following features of ViPNet CSP have been improved:
- TLS support in Windows 7;
- compatibility with 64-bit operating systems;
- encryption and digital signature in Microsoft Office.

ViPNet Application Control has been improved
The following features have been introduced in ViPNet Application Control:
- compatibility with 64-bit operating systems;
- work in several sessions.

To provide a better user experience, some terms and graphical user interface element labels containing those terms have been changed

Change object / Before the change, in versions 3.1.x / After the change, in version 3.2

Section name in the main ViPNet Coordinator Monitor window
  3.1.x: Tunneled Hosts
  3.2: Tunneled Hosts Filters
Section in the main ViPNet Coordinator Monitor window
  3.1.x: Autocomplete
  3.2: No section
Dialog box name
  3.1.x: Access Rule (a dialog box called from the Private Network section)
  3.2: ViPNet Host Properties
Terms
  3.1.x: Access rule; Protocol filter
  3.2: Rule; Filter
One of the Service menu items
  3.1.x: Application Protocols Settings
  3.2: No menu item
Interface used to configure application protocols
  3.1.x: The Application Protocols Settings dialog box
  3.2: The Application Protocols section in the Options dialog box
Context menu of items in the Blocked IP Packets section of the main window
  3.1.x: The same as the context menu of items in the Private Network and Public Network sections
  3.2: Another context menu
The Blocked IP Packets section of the Options dialog box
  3.1.x: Options used for setting up notifications about blocked IP packets
  3.2: Options used for setting a time period within which the IP packets you search for were blocked

Documentation and Help update
Documentation and Help shipped with the ViPNet Coordinator software have been updated to reflect the changes in program functionality.

What's New in Version
This section contains a brief description of changes made to ViPNet Monitor and its new features.

Control over ViPNet Cluster applications health has been implemented
You can now monitor the operability of applications installed on a ViPNet cluster and specially configured to run on it. This ensures high fail-safety and availability of the applications while they are running. You can adjust the application monitoring settings in the ViPNet Cluster Monitor program. For more information, see ViPNet Cluster. Administrator's Guide.

Figure 209. Configuring application operability monitoring in ViPNet Cluster Monitor

Some terms and graphical user interface element labels containing those terms have been changed
Old term / New term
  Signature keys container, private key container, public key container / Key container
  Distribution key set / Key set
  Key disk / User keys

The graphical user interface of ViPNet Client and ViPNet Coordinator, as well as the documentation and help files for all products, have been updated to reflect the changes in terminology.

ViPNet Coordinator documentation has been complemented
A user workflow on ViPNet Coordinator backup and disaster recovery has been added to the ViPNet Coordinator Monitor administrator's guide.

Documentation and Help in other localizations
The German, Spanish, and French localizations have been reviewed for consistency with the current Russian version. English documentation and Help files have been updated.

What's New in Version
This section contains a brief description of changes made to ViPNet Monitor and its new features.

Lock computer feature modification
The Lock computer feature has changed: the standard Windows functionality is now used.

Automatic host protection when you detach a user authentication device
User authentication device control has been implemented. When the authentication device is disconnected, your computer is locked and IP traffic is blocked automatically. You can change the blocking options to block only IP traffic or only lock your desktop, or you can disable this feature.

Figure 210. Options for locking when you disconnect your authentication device

Restriction on the number of log entries about blocked IP packets
Control over the number of blocked IP packet entries has been implemented. The number of log entries about blocked IP packets is limited to 300 IP addresses and not more than 30 entries for each port of each IP address. The information displayed in the blocked IP packets section is updated every time you open or refresh the section. As soon as a limit is exceeded, the oldest entries are overwritten with newer ones.

The IP packets log exported to other applications is more detailed
The list of IP packet attributes included in the exported IP packets log has been extended. All IP packet attributes are now available when you view the IP packets log in a web browser or Microsoft Excel.

Detailed information about the number of items in Business Mail folders
The number of items in Business Mail folders is displayed differently now. When you select a folder in the folders pane of the main Business Mail window, the total number of items in that folder and its subfolders is displayed. In addition, for the Inbox folder, the number of unread messages is displayed; for the Sent Items folder, the number of undelivered e-mails is displayed.

A previously selected item in a Business Mail folder is shown when you return to the folder
When you navigate from one Business Mail folder to another, the item selection is remembered and restored when you return to the folder. For example, if you select an item in the Inbox folder in the e-mails pane and then navigate to some other folder, the same item will be displayed (regardless of its position in the messages list) and selected when you return to the Inbox folder.

Improved search in Business Mail
E-mail search in the search window of the ViPNet Business Mail program has been improved. When you open the Find window, the focus is moved to the Archive list, and, in the Search in box, the currently opened folder is set by default.

Improved incoming e-mail autoprocessing
The following changes have been introduced to incoming e-mail autoprocessing in this version:
- If a list of senders is specified in a rule, incoming e-mails whose sender is in the list are processed using this rule.
- If a list of users whose digital signatures should be verified is specified in a rule, incoming e-mails whose attachments are signed by a user in the list are processed using this rule (if the signature is valid).
- Blank incoming e-mails are not copied to disk (the blank.txt file is not created when there is no text in an e-mail body).
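The limits on the blocked-packet log stated above (300 source addresses, at most 30 entries per port of each address, oldest entries overwritten) bound what a flood of blocked packets can make the log consume. The following Python class is an added example, not ViPNet code, that implements a bounded log with exactly those limits and keeps counters of what was evicted, so an operator can tell that the log has rolled over. The order in which addresses are evicted (first seen, first evicted) is an assumption, as is the reason text; the flood fed in at the bottom is constructed.

```python
"""Bounded log of blocked IP packets.

Added example. The limits are the ones quoted in the release notes; the
first-seen eviction order, the entry layout and the sample flood are
assumptions made for the example.
"""
from collections import OrderedDict, deque
from typing import Deque, Dict, List, NamedTuple

MAX_ADDRESSES = 300          # distinct source addresses kept
MAX_ENTRIES_PER_PORT = 30    # entries kept per (source address, destination port)


class Entry(NamedTuple):
    seq: int          # monotonically increasing packet counter
    src_ip: str
    dst_port: int
    reason: str       # which rule blocked the packet (constructed text here)


class BlockedPacketLog:
    def __init__(self, max_addresses: int = MAX_ADDRESSES,
                 max_per_port: int = MAX_ENTRIES_PER_PORT) -> None:
        self.max_addresses = max_addresses
        self.max_per_port = max_per_port
        # src_ip -> dst_port -> bounded deque of entries. The insertion order
        # of the outer dict doubles as the eviction order for addresses.
        self._log: "OrderedDict[str, Dict[int, Deque[Entry]]]" = OrderedDict()
        self.evicted_addresses = 0   # rollover counters an operator can alert on
        self.dropped_entries = 0

    def record(self, entry: Entry) -> None:
        ports = self._log.get(entry.src_ip)
        if ports is None:
            if len(self._log) >= self.max_addresses:
                # Evict the oldest address together with all of its ports.
                self._log.popitem(last=False)
                self.evicted_addresses += 1
            ports = self._log[entry.src_ip] = {}
        bucket = ports.get(entry.dst_port)
        if bucket is None:
            bucket = ports[entry.dst_port] = deque(maxlen=self.max_per_port)
        if len(bucket) == self.max_per_port:
            self.dropped_entries += 1      # the deque discards its oldest entry
        bucket.append(entry)

    def address_count(self) -> int:
        return len(self._log)

    def entries(self, src_ip: str, dst_port: int) -> List[Entry]:
        return list(self._log.get(src_ip, {}).get(dst_port, ()))

    def total_entries(self) -> int:
        return sum(len(b) for ports in self._log.values() for b in ports.values())


def flood(log: BlockedPacketLog, n_sources: int, per_source: int,
          dst_port: int = 22) -> BlockedPacketLog:
    """Constructed flood: n_sources distinct (spoofed) sources, each hitting
    dst_port per_source times. Returns the log so results can be inspected."""
    seq = 0
    for i in range(n_sources):
        src = f"10.0.{i // 256}.{i % 256}"
        for _ in range(per_source):
            log.record(Entry(seq, src, dst_port, "no allowing filter matched"))
            seq += 1
    return log


if __name__ == "__main__":
    log = flood(BlockedPacketLog(), 301, 1)
    print(log.address_count(), "addresses kept,", log.evicted_addresses, "evicted")
    log = BlockedPacketLog()
    for seq in range(35):
        log.record(Entry(seq, "203.0.113.9", 443, "no allowing filter matched"))
    kept = log.entries("203.0.113.9", 443)
    print(len(kept), "entries kept for 203.0.113.9:443, first seq", kept[0].seq)
```

The bound cuts both ways: memory is capped however many spoofed sources an attacker uses, but the same flood pushes earlier, possibly more interesting, entries out of the log. Note also that the stated limits cap entries per port, not ports per address, so one source hitting many ports still grows the log. If blocked-packet history matters for investigation, export the log (as described for the IP packets log) before it rolls over, and treat a rising eviction counter as a signal in its own right.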
GUI implementation of enabling and disabling the cryptographic service provider ViPNet CSP has changed
In the Security Service Settings dialog box, on the Cryptoprovider tab, the Enable/Disable ViPNet CSP check box has been replaced with the Enable/Disable button, and a message is displayed if the user has insufficient permissions.

Figure 211. ViPNet CSP enable and disable button

ViPNet Monitor is now compatible with Network Logon 5.1
Compatibility of ViPNet Monitor with eToken Network Logon 5.1 has been implemented. You can log on to ViPNet Monitor when eToken Network Logon 5.1 is used.

Improved Help
The Help interface has been modified, and the reference information is presented more clearly.

Documentation and Help in other localizations
The Spanish documentation and Help localization has been released. The German and French documentation and Help localizations have been updated to match the Russian version. English documentation and Help files have been updated.

What's New in Version
This section contains a brief description of changes made to ViPNet Monitor and its new features.

No restrictions on remote ViPNet software startup
The default value of the Let Monitor start in remote session option has been changed. By default, you are now allowed to start ViPNet Monitor remotely.

Service messaging and IP address announcements between hosts have been optimized
The number of service messages and IP address announcements between hosts has decreased drastically. Information about host statuses and parameters is now sent only to those ViPNet hosts that actually need it. To reduce the number of messages, they are aggregated over a specified time period.

Support for DHCP when you work using the Open Internet configuration
The technology used when a ViPNet host connects to the Internet, that is, a public open network, has changed. Now, when you work in the Open Internet configuration, the protected DHCP server can assign IP addresses to hosts.

Support for a cluster on 64-bit operating systems
The ViPNet Cluster software is now supported on coordinators running 64-bit operating systems.

Extended support for the centralized monitoring system ViPNet StateWatcher
A monitoring agent has been implemented that collects more detailed information about ViPNet host statuses. You can now analyze ViPNet MFTP and ViPNet Business Mail performance, the number and total size of queued envelopes, the list of addresses tunneled by the coordinator, total incoming and outgoing traffic on each network interface, CPU usage, memory and disk space usage, and event entries from the Windows system log and application log.

Improved protection against incorrect key installation or update on ViPNet hosts
A check that the key set (*.dst file) matches the host type (client or coordinator) has been implemented. You can now install or update only a key set created for the same application (ViPNet Client or ViPNet Coordinator) that is installed on your computer.

Documentation and Help in other localizations
German and French documentation and Help localizations have been released.

What's New in Version
This section contains a brief description of changes made to ViPNet Monitor and its new features.

More comprehensible logon mode names
The user logon modes have been renamed to:
- Password only;
- Password on device;
- PIN and device.

Figure 212. Logon modes renamed

Options location has been optimized

The program options previously located in the navigation pane have been combined with the other settings.

Figure 213. Private network options location change

All options are now collected in one dialog box, displayed by Service > Options.

Figure 214. Private network options in version 3.1.x

A supplementary way of checking the connection to a ViPNet host
You can now check the connection to a ViPNet host right in the encrypted messaging session with that host. Right-click the host and, on the context menu, click Check Connection.

An easier way of viewing status information for several ViPNet hosts at a time
When you check the connection to several ViPNet hosts at a time, a single window containing the status information for the required hosts is displayed instead of several separate windows.

Figure 215. Checking the connection to several ViPNet hosts at once

Detailed information about host accessibility
The messages displayed when you check the connection to a host now also include a special message shown when the host is reachable on the network but the ViPNet software installed on it is disabled.

Easier file sending


ACTIVITY MONITOR Real Time Monitor Employee Activity Monitor ACTIVITY MONITOR Real Time Mnitr Emplyee Activity Mnitr This pwerful tl allws yu t track any LAN, giving yu the mst detailed infrmatin n what, hw and when yur netwrk users perfrmed. Whether it is a library

More information

Table of Contents. About... 18

Table of Contents. About... 18 Table f Cntents Abut...3 System Requirements...3 Hw it Wrks...4 Abut... 4 Hw SFA Admin Prtects Data... 4 Hw SFA User Wrks with Prtected Data... 4 Sandbxed Sessin Restrictins... 4 Secure File Access User

More information

CallRex 4.2 Installation Guide

CallRex 4.2 Installation Guide CallRex 4.2 Installatin Guide This dcument describes hw t install CallRex 4.2. It cvers the fllwing: CallRex 4.2 Cmpnents. Server Prerequisites. Perfrming the Installatin. Changing the Accunt Used by CallRex

More information

Outlook Web Access Training Light Version: Using a browser other than Internet Explorer 6.0 or later. A NWOCA Training Session

Outlook Web Access Training Light Version: Using a browser other than Internet Explorer 6.0 or later. A NWOCA Training Session Outlk Web Access Training Light Versin: Using a brwser ther than Internet Explrer 6.0 r later A NWOCA Training Sessin 1 Lg On T Lg On t yur OutLk Web Access accunt, either: G t this URL: https://dwa.nwca.rg

More information

Configuring SSL and TLS Decryption in ngeniusone

Configuring SSL and TLS Decryption in ngeniusone Cnfiguring SSL and TLS Decryptin in ngeniusone The cnfigure SSL Decryptin feature supprts real-time capture f ASI and ASR traffic flws as well as decding f Secure Scket Link (SSL) and Transprt Layer Security

More information

ROSS RepliWeb Operations Suite for SharePoint. SSL User Guide

ROSS RepliWeb Operations Suite for SharePoint. SSL User Guide ROSS RepliWeb Operatins Suite fr SharePint SSL User Guide Sftware Versin 2.5 March 18, 2010 RepliWeb, Inc., 6441 Lyns Rad, Ccnut Creek, FL 33073 Tel: (954) 946-2274, Fax: (954) 337-6424 E-mail: inf@repliweb.cm,

More information

Instructions for Configuring a SAFARI Montage Managed Home Access Expansion Server

Instructions for Configuring a SAFARI Montage Managed Home Access Expansion Server Instructins fr Cnfiguring a SAFARI Mntage Managed Hme Access Expansin Server ~ Please read these instructins in their entirety befre yu begin. ~ These instructins explain hw t add a SAFARI Mntage Managed

More information

Firewall/Proxy Server Settings to Access Hosted Environment. For Access Control Method (also known as access lists and usually used on routers)

Firewall/Proxy Server Settings to Access Hosted Environment. For Access Control Method (also known as access lists and usually used on routers) Firewall/Prxy Server Settings t Access Hsted Envirnment Client firewall settings in mst cases depend n whether the firewall slutin uses a Stateful Inspectin prcess r ne that is cmmnly referred t as an

More information

TaskCentre v4.5 Send Message (SMTP) Tool White Paper

TaskCentre v4.5 Send Message (SMTP) Tool White Paper TaskCentre v4.5 Send Message (SMTP) Tl White Paper Dcument Number: PD500-03-17-1_0-WP Orbis Sftware Limited 2010 Table f Cntents COPYRIGHT 1 TRADEMARKS 1 INTRODUCTION 2 Overview 2 FEATURES 2 GLOBAL CONFIGURATION

More information

Blue Link Solutions Terminal Server Configuration How to Install Blue Link Solutions in a Terminal Server Environment

Blue Link Solutions Terminal Server Configuration How to Install Blue Link Solutions in a Terminal Server Environment Blue Link Slutins Terminal Server Cnfiguratin Hw t Install Blue Link Slutins in a Terminal Server Envirnment Prepared by: Darren Myher April 9, 2002 Table f Cntents Backgrund... 2 Applicatin Server mde

More information

ScaleIO Security Configuration Guide

ScaleIO Security Configuration Guide ScaleIO Security Cnfiguratin Guide 1 Intrductin This sectin prvides an verview f the settings available in ScaleIO t ensure secure peratin f the prduct: Security settings are divided int the fllwing categries:

More information

2. When logging is used, which severity level indicates that a device is unusable?

2. When logging is used, which severity level indicates that a device is unusable? Last updated by Admin at March 3, 2015. 1. What are the mst cmmn syslg messages? thse that ccur when a packet matches a parameter cnditin in an access cntrl list link up and link dwn messages utput messages

More information

Client Application Installation Guide

Client Application Installation Guide Remte Check Depsit Client Applicatin Installatin Guide Client Applicatin Installatin Guide Table f Cntents Minimum Client PC Requirements... 2 Install Prerequisites... 4 Establish a Trust t the Web Server...

More information

How To Install An Orin Failver Engine On A Network With A Network Card (Orin) On A 2Gigbook (Orion) On An Ipad (Orina) Orin (Ornet) Ornet (Orn

How To Install An Orin Failver Engine On A Network With A Network Card (Orin) On A 2Gigbook (Orion) On An Ipad (Orina) Orin (Ornet) Ornet (Orn SlarWinds Technical Reference Preparing an Orin Failver Engine Installatin Intrductin t the Orin Failver Engine... 1 General... 1 Netwrk Architecture Optins and... 3 Server Architecture Optins and... 4

More information

ReCrystallize.com cviewserver Crystal Reports Scheduler Top Issues and Solutions Page 1

ReCrystallize.com cviewserver Crystal Reports Scheduler Top Issues and Solutions Page 1 ReCrystallize.cm cviewserver Crystal Reprts Scheduler Tp Issues and Slutins Page 1 Remember that there are tw applicatins cviewserver which is the Windws Service running in the backgrund n the server and

More information

STIOffice Integration Installation, FAQ and Troubleshooting

STIOffice Integration Installation, FAQ and Troubleshooting STIOffice Integratin Installatin, FAQ and Trubleshting Installatin Steps G t the wrkstatin/server n which yu have the STIDistrict Net applicatin installed. On the STI Supprt page at http://supprt.sti-k12.cm/,

More information

SMART Active Directory Migrator 9.0.2. Requirements

SMART Active Directory Migrator 9.0.2. Requirements SMART Active Directry Migratr 9.0.2 January 2016 Table f Cntents... 3 SMART Active Directry Migratr Basic Installatin... 3 Wrkstatin and Member Server System... 5 Netwrking... 5 SSL Certificate... 6 Service

More information

GETTING STARTED With the Control Panel Table of Contents

GETTING STARTED With the Control Panel Table of Contents With the Cntrl Panel Table f Cntents Cntrl Panel Desktp... 2 Left Menu... 3 Infrmatin... 3 Plan Change... 3 Dmains... 3 Statistics... 4 Ttal Traffic... 4 Disk Quta... 4 Quick Access Desktp... 4 MAIN...

More information

Microsoft Certified Database Administrator (MCDBA)

Microsoft Certified Database Administrator (MCDBA) Micrsft Certified Database Administratr (MCDBA) 460 hurs Curse Overview/Descriptin The MCDBA prgram and credential is designed fr individuals wh want t demnstrate that they have the necessary skills t

More information

A Beginner s Guide to Building Virtual Web Servers

A Beginner s Guide to Building Virtual Web Servers A Beginner s Guide t Building Virtual Web Servers Cntents Intrductin... 1 Why set up a web server?... 2 Installing Ubuntu 13.04... 2 Netwrk Set Up... 3 Installing Guest Additins... 4 Updating and Upgrading

More information

AvePoint Privacy Impact Assessment 1

AvePoint Privacy Impact Assessment 1 AvePint Privacy Impact Assessment 1 User Guide Cumulative Update 2 Revisin E Issued February 2015 Table f Cntents Table f Cntents... 2 Abut AvePint Privacy Impact Assessment... 5 Submitting Dcumentatin

More information

Click Studios. Passwordstate. RSA SecurID Configuration

Click Studios. Passwordstate. RSA SecurID Configuration Passwrdstate RSA SecurID Cnfiguratin This dcument and the infrmatin cntrlled therein is the prperty f Click Studis. It must nt be reprduced in whle/part, r therwise disclsed, withut prir cnsent in writing

More information

Pexip Infinity and Cisco UCM Deployment Guide

Pexip Infinity and Cisco UCM Deployment Guide Intrductin Pexip Infinity and Cisc UCM Deplyment Guide The Cisc Unified Cmmunicatins Manager (CUCM) is a SIP registrar and call cntrl device. This guide describes hw t integrate a single Pexip Infinity

More information

CNS-205: Citrix NetScaler 11 Essentials and Networking

CNS-205: Citrix NetScaler 11 Essentials and Networking CNS-205: Citrix NetScaler 11 Essentials and Netwrking Overview The bjective f the Citrix NetScaler 11 Essentials and Netwrking curse is t prvide the fundatinal cncepts and skills necessary t implement,

More information

Ten Steps for an Easy Install of the eg Enterprise Suite

Ten Steps for an Easy Install of the eg Enterprise Suite Ten Steps fr an Easy Install f the eg Enterprise Suite (Acquire, Evaluate, and be mre Efficient!) Step 1: Dwnlad the eg Sftware; verify hardware and perating system pre-requisites Step 2: Obtain a valid

More information

BackupAssist SQL Add-on

BackupAssist SQL Add-on WHITEPAPER BackupAssist Versin 6 www.backupassist.cm 2 Cntents 1. Requirements... 3 1.1 Remte SQL backup requirements:... 3 2. Intrductin... 4 3. SQL backups within BackupAssist... 5 3.1 Backing up system

More information

Connector for Microsoft Dynamics Installation Guide

Connector for Microsoft Dynamics Installation Guide Micrsft Dynamics Cnnectr fr Micrsft Dynamics Installatin Guide June 2014 Find updates t this dcumentatin at the fllwing lcatin: http://g.micrsft.cm/fwlink/?linkid=235139 Micrsft Dynamics is a line f integrated,

More information

PBX Remote Line Extension using Mediatrix 4104 and 1204 June 22, 2011

PBX Remote Line Extension using Mediatrix 4104 and 1204 June 22, 2011 PBX Remte Line Extensin using Mediatrix 4104 and 1204 June 22, 2011 Prprietary 2011 Media5 Crpratin Table f Cntents Intrductin... 3 Applicatin Scenari... 3 Running the Unit Manager Netwrk Sftware... 4

More information

WatchDox Server. Administrator's Guide. Version 3.8.5

WatchDox Server. Administrator's Guide. Version 3.8.5 WatchDx Server Administratr's Guide Versin 3.8.5 Cnfidentiality This dcument cntains cnfidential material that is prprietary WatchDx. The infrmatin and ideas herein may nt be disclsed t any unauthrized

More information

Release Notes. Dell SonicWALL Email Security 8.0 firmware is supported on the following appliances: Dell SonicWALL Email Security 200

Release Notes. Dell SonicWALL Email Security 8.0 firmware is supported on the following appliances: Dell SonicWALL Email Security 200 Email Security Dell SnicWALL Email Security 8.0 SnicOS Cntents System Cmpatibility... 1 Enhancements in Email Security 8.0... 3 Knwn Issues... 13 Reslved Issues... 13 Upgrading t Email Security 8.0...

More information

System Business Continuity Classification

System Business Continuity Classification System Business Cntinuity Classificatin Business Cntinuity Prcedures Infrmatin System Cntingency Plan (ISCP) Business Impact Analysis (BIA) System Recvery Prcedures (SRP) Cre Infrastructure Criticality

More information

Mobile Deployment Guide For Apple ios

Mobile Deployment Guide For Apple ios Fr Apple ios Cpyright This dcument is prtected by the United States cpyright laws, and is prprietary t Zscaler Inc. Cpying, reprducing, integrating, translating, mdifying, enhancing, recrding by any infrmatin

More information

Exercise 5 Server Configuration, Web and FTP Instructions and preparatory questions Administration of Computer Systems, Fall 2008

Exercise 5 Server Configuration, Web and FTP Instructions and preparatory questions Administration of Computer Systems, Fall 2008 Exercise 5 Server Cnfiguratin, Web and FTP Instructins and preparatry questins Administratin f Cmputer Systems, Fall 2008 This dcument is available nline at: http://www.hh.se/te2003 Exercise 5 Server Cnfiguratin,

More information

CSC IT practix Recommendations

CSC IT practix Recommendations CSC IT practix Recmmendatins CSC Healthcare 28th January 2014 Versin 3 www.csc.cm/glbalhealthcare Cntents 1 Imprtant infrmatin 3 2 IT Specificatins 4 2.1 Wrkstatins... 4 2.2 Minimum Server with 1-5 wrkstatins

More information

ACTIVITY MONITOR. Live view of remote desktops. You may easily have a look at any user s desktop.

ACTIVITY MONITOR. Live view of remote desktops. You may easily have a look at any user s desktop. Web Develpment Offshre Develpment Outsurcing SEO ACTIVITY MONITOR This pwerful tl allws yu t track any LAN, giving yu the mst detailed infrmatin n what, hw and when yur netwrk users perfrmed. Whether it

More information

ABELMed Platform Setup Conventions

ABELMed Platform Setup Conventions ABELMed Platfrm Setup Cnventins 1 Intrductin 1.1 Purpse f this dcument The purpse f this dcument is t prvide prspective ABELMed licensees and their hardware vendrs with the infrmatin that they will require

More information

User Manual Brainloop Outlook Add-In. Version 3.4

User Manual Brainloop Outlook Add-In. Version 3.4 User Manual Brainlp Outlk Add-In Versin 3.4 Cntent 1. Summary... 3 2. Release Ntes... 3 2.1 Prerequisites... 3 2.2 Knwn Restrictins... 4 3. Installatin and Cnfiguratin... 4 3.1 The installatin prgram...

More information

Configuring an Email Client for your Hosting Support POP/IMAP mailbox

Configuring an Email Client for your Hosting Support POP/IMAP mailbox Cnfiguring an Email Client fr yur Hsting Supprt POP/IMAP mailbx This article lists the email settings and prt numbers fr pp and imap cnfiguratins, as well as fr SSL. It cntains instructins fr setting up

More information

Uninstalling and Reinstalling on a Server Computer. Medical Director / PracSoft

Uninstalling and Reinstalling on a Server Computer. Medical Director / PracSoft Uninstalling and Reinstalling n a Server Cmputer Medical Directr / PracSft This guide describes the prcess fr uninstalling and then reinstalling Medical Directr, PracSft, and/r SQL Instances n a cmputer

More information

Exercise 5 Server Configuration, Web and FTP Instructions and preparatory questions Administration of Computer Systems, Fall 2008

Exercise 5 Server Configuration, Web and FTP Instructions and preparatory questions Administration of Computer Systems, Fall 2008 Exercise 5 Server Cnfiguratin, Web and FTP Instructins and preparatry questins Administratin f Cmputer Systems, Fall 2008 This dcument is available nline at: http://www.hh.se/te2003 Exercise 5 Server Cnfiguratin,

More information

Adobe Sign. Enabling Single Sign-On with SAML Reference Guide

Adobe Sign. Enabling Single Sign-On with SAML Reference Guide Enabling Single Sign-On with SAML Reference Guide 2016 Adbe Systems Incrprated. All Rights Reserved. Prducts mentined in this dcument, such as the services f identity prviders Micrsft Active Directry Federatin,

More information

Information Services Hosting Arrangements

Information Services Hosting Arrangements Infrmatin Services Hsting Arrangements Purpse The purpse f this service is t prvide secure, supprted, and reasnably accessible cmputing envirnments fr departments at DePaul that are in need f server-based

More information

Configuring BMC AREA LDAP Using AD domain credentials for the BMC Windows User Tool

Configuring BMC AREA LDAP Using AD domain credentials for the BMC Windows User Tool Cnfiguring BMC AREA LDAP Using AD dmain credentials fr the BMC Windws User Tl Versin 1.0 Cnfiguring the BMC AREA LDAP Plugin fr Dmain Username and Passwrds Intrductin...3 LDAP Basics...4 What is LDAP and

More information

SPECIFICATION. Hospital Report Manager Connectivity Requirements. Electronic Medical Records DRAFT. OntarioMD Inc. Date: September 30, 2010

SPECIFICATION. Hospital Report Manager Connectivity Requirements. Electronic Medical Records DRAFT. OntarioMD Inc. Date: September 30, 2010 OntariMD Inc. Electrnic Medical Recrds SPECIFICATION Hspital Reprt Manager Cnnectivity Requirements DRAFT Date: September 30, 2010 Versin: 1.0 2007-2010 OntariMD Inc. All rights reserved HRM EMR Cnnectivity

More information

TECHNICAL BULLETIN. Title: Remote Access Via Internet Date: 12/21/2011 Version: 1.1 Product: Hikvision DVR Action Required: Information Only

TECHNICAL BULLETIN. Title: Remote Access Via Internet Date: 12/21/2011 Version: 1.1 Product: Hikvision DVR Action Required: Information Only Title: Remte Access Via Internet Date: 12/21/2011 Versin: 1.1 Prduct: Hikvisin DVR Actin Required: Infrmatin Only The fllwing steps will guide yu thrugh the steps necessary t access yur Hikvisin DVR remtely

More information

HarePoint HelpDesk for SharePoint. For SharePoint Server 2010, SharePoint Foundation 2010. User Guide

HarePoint HelpDesk for SharePoint. For SharePoint Server 2010, SharePoint Foundation 2010. User Guide HarePint HelpDesk fr SharePint Fr SharePint Server 2010, SharePint Fundatin 2010 User Guide Prduct versin: 14.1.0 04/10/2013 2 Intrductin HarePint.Cm (This Page Intentinally Left Blank ) Table f Cntents

More information

Webalo Pro Appliance Setup

Webalo Pro Appliance Setup Webal Pr Appliance Setup 1. Dwnlad the Webal virtual appliance apprpriate fr yur virtualizatin infrastructure, using the link yu were emailed. The virtual appliance is delivered as a.zip file that is n

More information

Cloud Services Frequently Asked Questions FAQ

Cloud Services Frequently Asked Questions FAQ Clud Services Frequently Asked Questins FAQ Revisin 1.0 6/05/2015 List f Questins Intrductin What is the Caradigm Intelligence Platfrm (CIP) clud? What experience des Caradigm have hsting prducts like

More information

In addition to assisting with the disaster planning process, it is hoped this document will also::

In addition to assisting with the disaster planning process, it is hoped this document will also:: First Step f a Disaster Recver Analysis: Knwing What Yu Have and Hw t Get t it Ntes abut using this dcument: This free tl is ffered as a guide and starting pint. It is des nt cver all pssible business

More information

Readme File. Purpose. Introduction to Data Integration Management. Oracle s Hyperion Data Integration Management Release 9.2.

Readme File. Purpose. Introduction to Data Integration Management. Oracle s Hyperion Data Integration Management Release 9.2. Oracle s Hyperin Data Integratin Management Release 9.2.1 Readme Readme File This file cntains the fllwing sectins: Purpse... 1 Intrductin t Data Integratin Management... 1 Data Integratin Management Adapters...

More information

CenterPoint Accounting for Agriculture Network (Domain) Installation Instructions

CenterPoint Accounting for Agriculture Network (Domain) Installation Instructions CenterPint Accunting fr Agriculture Netwrk (Dmain) Installatin Instructins Dcument # Prduct Mdule Categry 2257 CenterPint CenterPint Installatin This dcument describes the dmain netwrk installatin prcess

More information

Licensing Windows Server 2012 for use with virtualization technologies

Licensing Windows Server 2012 for use with virtualization technologies Vlume Licensing brief Licensing Windws Server 2012 fr use with virtualizatin technlgies (VMware ESX/ESXi, Micrsft System Center 2012 Virtual Machine Manager, and Parallels Virtuzz) Table f Cntents This

More information

Password Reset for Remote Users

Password Reset for Remote Users 1 Passwrd Reset fr Remte Users Curin prvides a cmpnent fr the PasswrdCurier Passwrd Prvisining System that manages the lcal passwrd cache in cnjunctin with self-service passwrd reset activities. The slutin

More information

Introduction to Mindjet MindManager Server

Introduction to Mindjet MindManager Server Intrductin t Mindjet MindManager Server Mindjet Crpratin Tll Free: 877-Mindjet 1160 Battery Street East San Francisc CA 94111 USA Phne: 415-229-4200 Fax: 415-229-4201 mindjet.cm 2013 Mindjet. All Rights

More information

Instant Chime for IBM Sametime Quick Start Guide

Instant Chime for IBM Sametime Quick Start Guide Instant Chime fr IBM Sametime Quick Start Guide Fall 2014 Cpyright 2014 Instant Technlgies. All rights reserved. Cpyright and Disclaimer This dcument, as well as the sftware described in it, is furnished

More information

Aras Innovator Internet Explorer Client Configuration

Aras Innovator Internet Explorer Client Configuration Aras Innvatr Internet Explrer Client Cnfiguratin Aras Innvatr 9.3 Dcument #: 9.3.012282009 Last Mdified: 6/10/2011 Aras Crpratin ARAS CORPORATION Cpyright 2011 All rights reserved Aras Crpratin 300 Brickstne

More information

Connecting to Email: Live@edu

Connecting to Email: Live@edu Cnnecting t Email: Live@edu Minimum Requirements fr Yur Cmputer We strngly recmmend yu upgrade t Office 2010 (Service Pack 1) befre the upgrade. This versin is knwn t prvide a better service and t eliminate

More information

FUJITSU Software ServerView Suite ServerView PrimeCollect

FUJITSU Software ServerView Suite ServerView PrimeCollect User Guide - English FUJITSU Sftware ServerView Suite ServerView PrimeCllect Editin February 2015 Cmments Suggestins Crrectins The User Dcumentatin Department wuld like t knw yur pinin f this manual. Yur

More information

Implementing SQL Manage Quick Guide

Implementing SQL Manage Quick Guide Implementing SQL Manage Quick Guide The purpse f this dcument is t guide yu thrugh the quick prcess f implementing SQL Manage n SQL Server databases. SQL Manage is a ttal management slutin fr Micrsft SQL

More information

AvePoint Perimeter 1.6. Administrator Guide

AvePoint Perimeter 1.6. Administrator Guide AvePint Perimeter 1.6 Administratr Guide Issued May 2016 Table f Cntents What s New in this Guide... 10 Abut AvePint Perimeter... 11 AvePint Perimeter Pr Features... 11 Licensing AvePint Perimeter... 11

More information

Release Notes. Dell SonicWALL Email Security 7.4.3 firmware is supported on the following appliances: Dell SonicWALL Email Security 200

Release Notes. Dell SonicWALL Email Security 7.4.3 firmware is supported on the following appliances: Dell SonicWALL Email Security 200 Release Ntes Email Security Dell SnicWALL Email Security 7.4.3 SnicOS Cntents System Cmpatibility... 1 Enhancements in Email Security 7.4.3... 2 Knwn Issues... 3 Upgrading t Email Security 7.4.3... 4 Related

More information

User Guide. Sysgem SysMan Remote Control. By Sysgem AG

User Guide. Sysgem SysMan Remote Control. By Sysgem AG Sysgem SysMan Remte Cntrl User Guide By Sysgem AG Sysgem is a registered trademark f Sysgem AG. Other brands and prducts are registered trademarks f their respective hlders. 2012 Sysgem AG, Lavaterstrasse

More information

Ensuring end-to-end protection of video integrity

Ensuring end-to-end protection of video integrity White paper Ensuring end-t-end prtectin f vide integrity Prepared by: Jhn Rasmussen, Senir Technical Prduct Manager, Crprate Business Unit, Milestne Systems Date: May 22, 2015 Milestne Systems Ensuring

More information

Licensing Windows Server 2012 R2 for use with virtualization technologies

Licensing Windows Server 2012 R2 for use with virtualization technologies Vlume Licensing brief Licensing Windws Server 2012 R2 fr use with virtualizatin technlgies (VMware ESX/ESXi, Micrsft System Center 2012 R2 Virtual Machine Manager, and Parallels Virtuzz) Table f Cntents

More information

The Relativity Appliance Installation Guide

The Relativity Appliance Installation Guide The Relativity Appliance Installatin Guide February 4, 2016 - Versin 9 & 9.1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

More information

FOCUS Service Management Software Version 8.5 for Passport Business Solutions Installation Instructions

FOCUS Service Management Software Version 8.5 for Passport Business Solutions Installation Instructions FOCUS Service Management Sftware fr Passprt Business Slutins Installatin Instructins Thank yu fr purchasing Fcus Service Management Sftware frm RTM Cmputer Slutins. This bklet f installatin instructins

More information

E-Biz Web Hosting Control Panel

E-Biz Web Hosting Control Panel 1 f 38 E-Biz Web Hsting Cntrl Panel This dcument has been created t give yu a useful insight in t the Hsting Cntrl Panel available with E-Biz hsting services. Please nte: Optins available are dependent

More information

How to put together a Workforce Development Fund (WDF) claim 2015/16

How to put together a Workforce Development Fund (WDF) claim 2015/16 Index Page 2 Hw t put tgether a Wrkfrce Develpment Fund (WDF) claim 2015/16 Intrductin What eligibility criteria d my establishment/s need t meet? Natinal Minimum Data Set fr Scial Care (NMDS-SC) and WDF

More information

How To Install Fcus Service Management Software On A Pc Or Macbook

How To Install Fcus Service Management Software On A Pc Or Macbook FOCUS Service Management Sftware Versin 8.4 fr Passprt Business Slutins Installatin Instructins Thank yu fr purchasing Fcus Service Management Sftware frm RTM Cmputer Slutins. This bklet f installatin

More information

Remote Setup and Configuration of the Outlook Email Program Information Technology Group

Remote Setup and Configuration of the Outlook Email Program Information Technology Group Remte Setup and Cnfiguratin f the Outlk Email Prgram Infrmatin Technlgy Grup The fllwing instructins will help guide yu in the prper set up f yur Outlk Email Accunt. Please nte that these instructins are

More information

Aras Innovator Internet Explorer Client Configuration

Aras Innovator Internet Explorer Client Configuration Aras Innvatr Internet Explrer Client Cnfiguratin Aras Innvatr 9.1 Dcument #: 9.1.009032008 Last Mdified: 3/17/2009 Aras Crpratin ARAS CORPORATION Cpyright 2009 All rights reserved Aras Crpratin 300 Brickstne

More information

LogMeIn Rescue Web SSO via SAML 2.0 Configuration Guide

LogMeIn Rescue Web SSO via SAML 2.0 Configuration Guide LgMeIn Rescue Web SSO via SAML 2.0 LgMeIn Rescue Web SSO via SAML 2.0 Cnfiguratin Guide 02-19-2014 Cpyright 2015 LgMeIn, Inc. 1 LgMeIn Rescue Web SSO via SAML 2.0 Cntents 1 Intrductin... 3 1.1 Dcument

More information

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Versin: Mdified By: Date: Apprved By: Date: 1.0 Michael Hawkins Octber 29, 2013 Dan Bwden Nvember 2013 Rule 4-004J Payment Card Industry (PCI) Patch Management (prpsed) 01.1 Purpse The purpse f the Patch

More information

Integrating With incontact dbprovider & Screen Pops

Integrating With incontact dbprovider & Screen Pops Integrating With incntact dbprvider & Screen Pps incntact has tw primary pints f integratin. The first pint is between the incntact IVR (script) platfrm and the custmer s crprate database. The secnd pint

More information

Systems Support - Extended

Systems Support - Extended 1 General Overview This is a Service Level Agreement ( SLA ) between and the Enterprise Windws Services t dcument: The technlgy services the Enterprise Windws Services prvides t the custmer. The targets

More information

Hardware Requirements

Hardware Requirements Pre-Installatin Checklist Management Cnsle Prir t Installatin: Verify hardware meets requirements Install prerequisite sftware and verify functinality Hardware Requirements CPU: 2.0 GHz r higher; Dual

More information