Nokia Secure Access System Getting Started Guide. Version 3.0




Nokia Secure Access System Getting Started Guide Version 3.0 Part No. N450867004 Rev A Published November 2004

COPYRIGHT 2004 Nokia. All rights reserved. Rights reserved under the copyright laws of the United States.

RESTRICTED RIGHTS LEGEND

Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013. Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

IMPORTANT NOTE TO USERS

This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage. Nokia reserves the right to make changes without further notice to any products herein.

TRADEMARKS

Nokia is a registered trademark of Nokia Corporation. Other products mentioned in this document are trademarks or registered trademarks of their respective holders.

Nokia Contact Information

Corporate Headquarters

Web Site: http://www.nokia.com
Telephone: 1-888-477-4566 or 1-650-625-2000
Fax: 1-650-691-2170
Mail Address: Nokia Inc., 313 Fairchild Drive, Mountain View, California 94043-2215 USA

Regional Contact Information

Americas: Nokia Inc., 313 Fairchild Drive, Mountain View, CA 94043-2215 USA. Tel: 1-877-997-9199. Outside USA and Canada: +1 512-437-7089. email: ipsecurity.na@nokia.com

Europe, Middle East, and Africa: Nokia House, Summit Avenue, Southwood, Farnborough, Hampshire GU14 ONG UK. Tel: UK: +44 161 601 8908. Tel: France: +33 170 708 166. email: ipsecurity.emea@nokia.com

Asia-Pacific: 438B Alexandra Road #07-00, Alexandra Technopark, Singapore 119968. Tel: +65 6588 3364. email: ipsecurity.apac@nokia.com

Nokia Customer Support

Web Site: https://support.nokia.com
Email: tac.support@nokia.com
Americas: Voice: 1-888-361-5030 or 1-613-271-6721. Fax: 1-613-271-8782
Europe: Voice: +44 (0) 125-286-8900. Fax: +44 (0) 125-286-5666
Asia-Pacific: Voice: +65-67232999. Fax: +65-67232897


Contents

About This Guide, page 7
Conventions This Guide Uses, page 7
Notices, page 7
Web User Interface Conventions, page 7
Related Documentation, page 8
1 Installing the Nokia Secure Access System Gateway, page 9
Nokia Secure Access System Requirements, page 9
Server Requirements, page 9
Security Platforms, page 10
Operating System, page 10
Client Operating Systems, page 10
Web Browser Requirements, page 11
Email Client Systems, page 11
Installation Tasks Overview, page 11
Installing the Hardware, page 13
Initial Configuration, page 13
About the Nokia IPSO Operating System, page 13
Performing Initial Configuration, page 13
Configuring Nokia Network Voyager Settings, page 14
Enabling Nokia Network Voyager Web Access with SSL, page 15
Installing the Nokia Secure Access Package, page 15
Determining If the Package Is Preinstalled, page 16
Initializing When the Package Is Preinstalled, page 17
Installing the Package with Nokia Network Voyager, page 17
Before you Start, page 17
Obtaining the Package, page 17
Transferring the Package with FTP, page 17
Installing or Upgrading the Package with Nokia Network Voyager, page 18
Activating the Package with Nokia Network Voyager, page 22
Installing the Package From the Command-Line Interface, page 25
newpkg Options, page 26
Signing On to the Gateway as the Administrator, page 27
Overview of the Configuration Menu, page 31
Configuring Nokia Secure Access System, page 32
Authenticating the admin User, page 32
Installing the License, page 33
Configuring a User, page 37
Configuring a Group, page 39
Adding a User to a Group, page 40
Configuring a Web Resource, page 41
Configuring Access Control Lists for a Web Resource, page 44
Specifying User Portal Settings, page 45

About This Guide

Welcome to Nokia Secure Access System. This guide is intended for the system administrator who installs and configures Nokia Secure Access System.

This guide describes how to install Nokia Secure Access System software and get started with some example configuration procedures. For detailed gateway and configuration information, see the Nokia Secure Access System Configuration Guide v3.0. For an overview of the technologies that the Nokia Secure Access System uses, see the Nokia Secure Access System Technology Overview.

Conventions This Guide Uses

This document uses the following conventions.

Notices

Note: Notes provide information of special interest or recommendations.

Web User Interface Conventions

Throughout this guide, a greater than sign (>), with spaces before and after the sign, is used to indicate navigation throughout the Web user interface menu by clicking menu options and links. For example, to configure a new user group, choose Users > User Configuration > New User Group.

Note: The globe icon indicates that the adjacent field (in yellow) supports Unicode encoding.

Note: When you provide information in the Nokia Secure Access System configuration fields, click Save Settings before you select tabs or buttons to ensure that your changes are saved before you go to a new configuration page.

Related Documentation

For supporting documentation, check the Nokia Secure Access System v3.0 CD-ROM for the following documents:

- Nokia Secure Access System Release Notes v3.0
- Nokia Secure Access System Technology Overview v3.0
- Nokia Secure Access System Configuration Guide v3.0
- Nokia Secure Access System User's Guide v3.0

1 Installing the Nokia Secure Access System Gateway

This section describes how to install the Nokia Secure Access gateway, including:

- Nokia Secure Access System Requirements
- Installation Tasks Overview
- Installing the Hardware
- Initial Configuration
- Installing the Nokia Secure Access Package
- Signing On to the Gateway as the Administrator
- Overview of the Configuration Menu
- Configuring Nokia Secure Access System

Note: Your Nokia appliance ships with the Nokia Secure Access System package installed. If the package is not installed, you can install it by using Nokia Network Voyager. For more information, see "Installing the Package with Nokia Network Voyager" on page 17.

Nokia Secure Access System Requirements

This section describes the hardware and software required to run Nokia Secure Access System, including security platforms, client operating systems, Web browsers and email client systems.

Server Requirements

This section describes the security platform and operating system requirements for the Nokia Secure Access System server.

Security Platforms

The following Nokia IP security appliances support Nokia Secure Access System v3.0:

- Nokia IP130
- Nokia IP350
- Nokia IP380
- Nokia IP1260

Note: To run Nokia Secure Access System, the appliance must have at least 256 MB of RAM installed. For optimum performance, Nokia recommends that at least 512 MB be installed.

Operating System

The following versions of Nokia IPSO-SB support Nokia Secure Access System v3.0:

- v3.7 Build 34, 39, 41
- v3.7.1 Build 7, 10, 12, 16
- v3.8 Build 31, 34, 39

Client Operating Systems

The following client operating systems are supported:

- Microsoft Windows operating systems:
  - 98 SE
  - ME and ME Pocket PC
  - NTv4, 2000 with SP4
  - XP Home and Professional, with SP1 and SP2
  - CE
- Red Hat versions 7.3, 8.0, and 9.0
- Mac OS X

Note: All operating systems must have the most current version of service packs applied to be supported.

Web Browser Requirements

Most SSL-capable Web browsers are compatible with Nokia Secure Access System, including the following:

- Microsoft Internet Explorer v5.5 and later
- Netscape v6.2 and later
- Mozilla v1.6 and later
- Firefox v0.8 and later
- Mac OS X Safari

Email Client Systems

The following is a list of supported email client systems for the Nokia Secure Access System:

- Microsoft Outlook 98, 2000, 2002, 2003
- Outlook Express
- Lotus Notes client 5.0, 6.5, 6.0.2
- Eudora
- Netscape
- Mozilla v1.6 and later

Installation Tasks Overview

Table 1 lists the common tasks and steps for installing the Nokia Secure Access System.

Table 1 Nokia Secure Access System Task Overview

| Check box | Task overview | Where to find information |
|---|---|---|
| | Install and connect the hardware | "Installing the Hardware" on page 13 of this guide. |
| | Configure the appliance: configure Nokia IPSO, perform the initial configuration, configure Nokia Network Voyager settings | "Initial Configuration" on page 13 of this guide. |
| | Install the Nokia Secure Access System package | "Installing the Nokia Secure Access Package" on page 15 of this guide. |
| | Sign on to the gateway as an administrator | "Signing On to the Gateway as the Administrator" on page 27 of this guide. |
| | Install the license | "Installing the License" on page 33 of this guide. |

Table 1 Nokia Secure Access System Task Overview (continued)

| Check box | Task overview | Where to find information |
|---|---|---|
| | Configure the server certificate | Nokia Secure Access System Configuration Guide v3.0 |
| | Configure network settings (Listen on specific interfaces, encryption levels, and so on.) | Nokia Secure Access System Configuration Guide v3.0 |
| | Configure logging (Syslog, SNMP) | Nokia Secure Access System Configuration Guide v3.0 |
| | Specify user portal settings | "Specifying User Portal Settings" on page 45 of this guide. |
| | Configure users | "Configuring a User" on page 37 of this guide. |
| | Configure groups | "Configuring a Group" on page 39 of this guide. |
| | Add a user to a group | "Adding a User to a Group" on page 40 of this guide. |
| | Configure Web resources | "Configuring a Web Resource" on page 41 of this guide. |
| | Configuring file resources | Nokia Secure Access System Configuration Guide v3.0 |
| | Configuring email resources | Nokia Secure Access System Configuration Guide v3.0 |
| | Configuring authentication methods: authenticating users at sign on, authenticating with external servers | Nokia Secure Access System Configuration Guide v3.0 |
| | Configure client integrity scanning | Nokia Secure Access System Configuration Guide v3.0 |
| | Configure advanced access control | Nokia Secure Access System Configuration Guide v3.0 |

Installing the Hardware

For information about how to install the hardware and how to physically connect your device to the network, see the documentation for your specific device. For example, if you are installing a Nokia IP350 security platform, see the installation guide included with your appliance.

Initial Configuration

This section describes how to perform initial configuration of the Nokia IP security appliance and how to configure Nokia Voyager settings.

Note: If your appliance was preconfigured, skip the following sections and proceed to "Signing On to the Gateway as the Administrator" on page 27.

About the Nokia IPSO Operating System

Nokia IP security platforms are based on the Nokia IPSO operating system. The Nokia Secure Access System software is installed as a package on the Nokia IPSO appliance. Configure your appliance before you install the Nokia Secure Access System package. For more information about configuring IPSO, see the Nokia Voyager Reference Guide.

Performing Initial Configuration

This section describes how to perform initial configuration of the Nokia IP security platform.

The first time you supply power to your Nokia appliance, the initial configuration process begins. This process enables you to configure the network settings and provides access to the admin account. You can perform the initial configuration in two ways:

- You can configure a DHCP server to provide the initial configuration information the first time the appliance is started.
- You can perform the initial configuration manually by using a console connection. Connect the supplied null-modem cable (console cable) to the DB9 port labeled Console and connect the other end of the cable to a system running a terminal-emulation program.

Specify the following information:

- Hostname of the appliance. Use a fully qualified domain name, such as gateway.example.com.
- Initial password for the administrator account. Username is admin.

- IP address and netmask bit length for at least one network interface. Set the netmask bit-length input to the number of bits in the network mask. For example, for a network mask of 255.255.255.0, enter 24.
- Default route address.

Note: For information about how to configure the initial settings, see the IP series installation guide that is included with your appliance.

Configuring Nokia Network Voyager Settings

After you complete the initial configuration, you can access the Nokia Network Voyager configuration menu by using your Web browser.

Nokia Network Voyager is an SSL-capable, Web-based element management interface to Nokia IP security platforms. Network Voyager is preinstalled on your appliance and is enabled through the Nokia IPSO operating system. With Network Voyager, you can manage, monitor, and configure the appliance from any authorized location within the network by using a Web browser.

To access Nokia Network Voyager

1. Enter the URL of the appliance into your Web browser, by using either the appliance IP address or hostname (for example, http://gateway.example.com).
2. When prompted, authenticate to Network Voyager with the username admin and the password you specified during the initial configuration.
3. Configure the following appliance settings in Network Voyager:
   a. Click the Local Time Setup link in the System Configuration section to set the local time so that time stamps on logging messages are accurate.
   b. Set the default domain suffix, such as example.com.
   c. Click the DNS link in the System Configuration section.
   d. Specify a valid DNS server so that the gateway can resolve hostnames. The gateway Network Information System (NIS) client requires that DNS be configured to operate. Click the DNS link in the System Configuration section.

Enabling Nokia Network Voyager Web Access with SSL

Secure Socket Layer (SSL) provides a secure way to connect to network appliances by using Nokia IPSO. Before you install Nokia Secure Access System, enable SSL Web access by using Network Voyager.

To enable SSL Web access with Network Voyager

1. From the Nokia Network Voyager main page, select Security and Access Configuration.
2. From the Voyager Configuration page, select Voyager Web Access.
3. In Voyager Access, check that Allow Voyager Web access is set to Yes. By default, this is set to Yes.
4. Enter the number of the port to activate in the Voyager SSL port number text box. The default is 443.
5. Click the encryption level appropriate for your security needs. For example, 128-bit key or stronger. The default is none, which disables SSL. The encryption level you select is the minimum level of encryption you require. Encryption is stronger by default if your Web browser supports it.
6. Click Apply.

   Note: Replace http:// with https:// in your browser window before you click Save because you are enabling a secured connection.

7. Click Save.

IPSO includes a default sample certificate and private key. They are for testing purposes only and do not provide a secure SSL connection. You must generate a certificate, and the private key associated with the certificate, to create a secure connection by using SSL. For more information, see the Nokia Network Voyager Reference Guide.

Installing the Nokia Secure Access Package

This section describes how to install the Nokia Secure Access System package on your appliance, including how to determine whether the package has been preinstalled, how to install the package from the command line, and how to perform initialization for both cases.

Note: If your system is preconfigured for use with Nokia Secure Access System, skip this section and continue to "Signing On to the Gateway as the Administrator" on page 27.

If you know that an earlier version of Nokia Secure Access System is installed on your appliance, see "To install or upgrade the package with Nokia Network Voyager" on page 19.

Determining If the Package Is Preinstalled

From Nokia Network Voyager, you can determine if the package is preinstalled on your appliance. If it is preinstalled, it still needs to be activated.

To determine if the package is preinstalled

1. From the Nokia Network Voyager main page, select System Configuration.
2. From the Voyager Configuration page, select Manage Installed Packages. The Manage Packages page opens.

   - If the list of the installed packages includes a package named Nokia Secure Access System, activate the package. See "Activating the Package with Nokia Network Voyager" on page 22.
   - If the list of installed packages does not include a package named Nokia Secure Access System, install the package. See "Installing or Upgrading the Package with Nokia Network Voyager" on page 18.

Initializing When the Package Is Preinstalled

If the Nokia Secure Access System package is already installed on the appliance, it must be activated (turned on) and enabled before you sign on to the Nokia Secure Access System gateway. See "Activating the Package with Nokia Network Voyager" on page 22.

Installing the Package with Nokia Network Voyager

This section describes how to install the Nokia Secure Access System package by using Nokia Network Voyager, including what you need to know before you start the installation, how to use FTP to transfer the package, and the installing and upgrading tasks.

Before you Start

Before you install the package with Nokia Network Voyager, do the following:

- Disable any other packages, including firewall and VPN packages, before you install the Nokia Secure Access System package.
- Verify that Nokia IPSO v3.7, v3.7.1, or v3.8 is installed on your appliance. If your appliance is running an earlier version of Nokia IPSO, you can upgrade to a newer version by obtaining the Nokia IPSO installation file from http://support.nokia.com. First, you should check for compatibility between Nokia IPSO and Nokia Secure Access System versions at https://support.nokia.com/register/productssupported.jsp#ems. Then, you can install this file by using Nokia Network Voyager.

Obtaining the Package

If the Nokia Secure Access System software package is not on your appliance, you can obtain the package from the Nokia support site at https://support.nokia.com. After you download the package, you can transfer the file to the opt/packages directory on the Nokia Secure Access System gateway.

Transferring the Package with FTP

After you download the nsas_3_0_0_<timestamp>.tgz package file, you can transfer the package to the appliance by using FTP, then install the package.

To download the package with Nokia Network Voyager

1. Download the nsas_3_0_0_<timestamp>.tgz package file from the Nokia support site at https://support.nokia.com.
2. If the workstation on which you stored the package file does not allow FTP access, transfer the package file to a computer that you can access with FTP.
3. From the Nokia Network Voyager main page, select System Configuration.

4. From the Voyager Configuration page, select Manage Installed Packages. The Manage Packages page opens.
5. From the Manage Packages page, select FTP and Install Packages. The FTP Packages page opens.
6. In the text boxes, provide the hostname or IP address of the FTP server and the directory path on that server (optional). Also, provide the username and the password for your account on the FTP server.
7. Click Apply. The FTP Packages page refreshes. A list of packages (.tgz files) found on the FTP server appears in the Site Listing panel.
8. Select the nsas_3_0_0_<timestamp>.tgz file.
9. Click Apply. The package is downloaded to the appliance.
10. Continue installing the Nokia Secure Access System package beginning with step 4 of "To install or upgrade the package with Nokia Network Voyager".

Installing or Upgrading the Package with Nokia Network Voyager

This section describes how to install the package by using Nokia Network Voyager. Table 2 shows, by version number, which directory the package installs to on the appliance. These are some of the previous Nokia Secure Access System versions and their corresponding directory locations.

Table 2 Package Version and Directory

| Version | Directory |
|---|---|
| 3.0 | /opt/nsas-3.0.0 |
| 2.1 | /opt/nsas-2.1.0 |
| 2.0 | /opt/nsas-2.0.0 |
| 1.2 | /opt/nsas-1.2.0 |
| 1.1 | /opt/nsas-1.1.0 |

During the package upgrade, the new version of Nokia Secure Access System automatically imports the configuration from the previous package version. Once the package upgrade completes, the previous version of the package is deactivated (but not deleted), and the new package is activated. When you upgrade the package, the old package configuration is maintained.

To install or upgrade the package with Nokia Network Voyager

1. From the Nokia Network Voyager main page, select System Configuration.
2. From the Voyager Configuration page, select Manage Installed Packages. The Manage Packages page opens.
3. From the Manage Packages page, select FTP and Install Packages. The FTP Packages page opens.

4. Select opt/packages/nsas_3_0_0_<timestamp>.tgz. If this option is not present in the list, see "To download the package with Nokia Network Voyager" on page 17.
5. Click Apply to unpack the package.

   Note: The package is first unpacked to the /opt/tmp directory. This operation can take several seconds to complete.

   When the package is successfully unpacked, the Package Installation and Upgrade page refreshes and displays the package name, class, version, and description.

   On some platforms, you might see the message "Timeout waiting for response from database server" when completing this step. If this occurs, click Up to return to the Manage Packages page, then select FTP and Install Packages. The link to install and upgrade the package will be visible on the FTP Packages page.

6. To install the unpacked package, click the following link, located at the bottom left side of the screen. The Package Installation and Upgrade page opens.

   To install the package:
   a. Click Yes on the Install option.
   b. Ensure that the Upgrade option is set to No.

   To upgrade the package:
   a. Click Yes on the Upgrade option.
   b. Ensure that the Install option is set to No.
   c. Select the Nokia Secure Access System version to upgrade.

7. Click Apply. The screen refreshes and indicates that the operation was successful.
8. To enable the package, click the following link located in the bottom left corner of the window: "Click here to finish the initial configuration."

   If you are installing a package, the Nokia Secure Access page opens and begins to generate the random number seed. If you are upgrading the package, the Nokia Secure Access page opens.

   Note: The Nokia Secure Access System page shows that the system is creating the random number seed. The page refreshes itself when the operation is complete. If the random number was already seeded, you do not see this page.

   The screen refreshes and shows package status.

If the package is enabled, select Click here to sign on to the Nokia Secure Access System. Continue to To authenticate at the Sign-on page on page 29. This link points to the gateway configuration system. You are taken directly to the gateway configuration system after you sign on to the gateway.

If the package is disabled, continue to Activating the Package with Nokia Network Voyager on page 22.

Activating the Package with Nokia Network Voyager

Disable any other packages, including firewall and VPN packages, before you activate the Nokia Secure Access System package.

This section describes how to activate the package with Nokia Network Voyager.

To activate the Nokia Secure Access System package

1. From the Nokia Network Voyager main page, select System Configuration. The Voyager Configuration page opens.
2. From the Configuration page, select Manage Installed Packages. The Manage Packages page opens.

3. In the Applications group, check that the Nokia Secure Access System package is set to On.
4. Click Apply.
5. Click Save. You do not need to reboot your system. The Nokia Secure Access System package is installed, activated, and enabled.

   Note: During the installation, Nokia Network Voyager is moved off of port 80 (or 443), so that Nokia Secure Access System can use those ports.

   If you are not already on the Nokia Secure Access page (by following the link after you install the package), access this page from the Nokia Network Voyager main page by selecting Security and Access Configuration. The Voyager Configuration page opens and from there you can select Nokia Secure Access System. The Nokia Secure Access System page opens.

   If the status is enabled, click the Click here to sign onto NSAS link and continue to To authenticate at the Sign-on page on page 29.

   If the status on this page shows as disabled, click: Click here to initialize the Nokia Secure Access System

   The resulting page advances you to the Nokia Network Voyager Web server on the new port, which is either 8080 or 8443.
6. If necessary, log on to Network Voyager again by using the username admin and the same administrator password as before.

   Note: When cookie-based session management is enabled in Network Voyager, you can select Acquire Exclusive Configuration Lock when you log on to Network Voyager. If you acquire this lock before you install and enable the Nokia Secure Access System package, the lock does not clear when the Network Voyager Web server port switches from port 80 to 8080, or from port 443 to 8443. When you log on to Network Voyager after the port change, the error message Could not acquire exclusive configuration lock appears. If this occurs, override the lock by clicking Log In with Advanced Options and selecting Yes for Override Locks Acquired by Other Users.

   The Nokia Secure Access System page now shows that the status is enabled. You can now sign on to the Nokia Secure Access System gateway. Continue to Signing On to the Gateway as the Administrator on page 27.

Installing the Package From the Command-Line Interface

Disable any other packages, including firewall and VPN packages, before you install the Nokia Secure Access System package.

This section describes how to install and enable the Nokia Secure Access System package from the Command-Line Interface (CLI).

You can install the package from the CLI by using the newpkg command. The newpkg command automatically extracts the package files into the /opt directory and activates the package. When you enter newpkg, the script guides you through the installation process. You can also specify command options, which are listed in Table 3 on page 26.

Note: Installing or upgrading the package by using the Nokia IPSO clish command is not supported.

To access the CLI

1. Log on to the appliance by using a command-line connection (SSH, console, or Telnet) over a TCP/IP network. For example:

       telnet 10.5.189.21

2. Sign on by using the username admin, and use the admin password.

To install the package from the CLI

1. From the command line, enter:

       newpkg -n/opt/packages/nsas_3_0_0_<timestamp>.tgz

   The following options appear:

       Load new package from:
       1. Install from CD-ROM.
       2. Install from anonymous FTP server.
       3. Install from FTP server with username and password.
       4. Install from local filesystem.
       5. Exit new package installation.

2. Enter 4. The following response appears:

       End of new package installation cleaning up..done

If the Network Voyager ports listed are different from 80 or 443, the Nokia Secure Access System package is installed, activated, and enabled. See Signing On to the Gateway as the Administrator on page 27.

If you use the -i argument with the newpkg command, you must activate the package. See Activating the Package with Nokia Network Voyager on page 22.

newpkg Options

Table 3 describes the options you can use with the newpkg command. The syntax of newpkg is:

    newpkg [-o path] [-m media_type] [-l user_name] [-s server_ipaddrs] [-p password] [-n path]

Table 3 newpkg Options

Option             Description
-d                 Print debug messages to the screen.
-h                 Display help lines for command-line parameters.
-i                 Install only (do not activate).
-l user_name       User name for FTP.
-m media_type      Media type. For example, FTP/CD-ROM/LOCAL or CDROM/AFTP/FTP/LOCAL.
-n path            Full path to new package. For example, /pub/current/xxx.tgz.
-o path            Full path to old package for upgrade. For example, /opt/xxx.
-p password        Password for FTP.
-s server_ipaddr   Server IP address if media type is FTP/AFTP.
-v                 Verbose FTP.

To upgrade the package from the CLI

1. From the command line, enter one of the following commands:

       newpkg -o /opt/nsas-<old-version> -n /opt/packages/nsas_3_0_0_<timestamp>.tgz

   For example:

       newpkg -o /opt/nsas-1.3.0 -n/opt/packages/nsas_3_0_0_2004040514.tgz

       newpkg -o /opt/nsas-<old-version> -m ftp -l username -s ip.addr.of.ftp.server -p password -n /directory/location/nsas_3_0_0_<timestamp>.tgz

   For example:

       newpkg -o /opt/nsas-1.3.0 -m ftp -l jsmith -s 10.10.22.23 -p password -n /eng/newbuilds/nsas_3_0_0_2004040514.tgz

   The -o option indicates the location, such as directory, of the old installed version to upgrade. The -n option indicates the location of the new file to install from and is an actual filename.
2. The following options appear:

       Load new package from:
       1. Install from CD-ROM.
       2. Install from anonymous FTP server.
       3. Install from FTP server with username and password.
       4. Install from local filesystem.
       5. Exit new package installation.

3. Enter 4 or your applicable path. The following response appears:

       Do you want to upgrade from nsas-3.0.0 to nsas3.0.0? [ y/n]

4. Enter y. The following response appears:

       End of new package installation cleaning up..done

Signing On to the Gateway as the Administrator

After you install, activate, and enable the Nokia Secure Access System package, you can sign on to the gateway as the Administrator from the Sign-on page.

To access the Sign-on page, either:
- Enter the gateway URL into your Web browser.
or
- Click the link on the Nokia Secure Access System page in Nokia Network Voyager.

To use Nokia Network Voyager to access the sign-on page

1. From the Network Voyager main page, click Security and Access Configuration. The Configuration page opens.

   Note: If Nokia Secure Access System does not appear in the links under the Security and Access Configuration heading, the package is not installed or activated. See Installing the Nokia Secure Access Package on page 15.
2. Click Nokia Secure Access System. The Nokia Secure Access System page opens.
3. Click the following link: Click here to sign on to the Nokia Secure Access System.

   This link points to the gateway configuration system. You are taken directly to the gateway configuration system after you sign on to the gateway, instead of seeing the portal page after you sign on.

To authenticate at the Sign-on page

1. Enter username admin in the Username text box. At the gateway Sign-on page, authenticate to the gateway as the administrator.
2. Enter the administrator password in the Password text box. As an administrator, sign on by using the username admin and the same password you used to access Nokia Network Voyager or the Nokia IPSO CLI.

   Note: The Sign-On page shows the currently enabled language for the user interface. By default, English is enabled. Nokia Secure Access System supports language packs that allow users to view the system in multiple languages. For more information, see the Nokia Secure Access System Configuration Guide v3.0.
3. Click Sign On.

   Note: You can sign on by using a certificate only after you configure the gateway for certificate authentication. For details, see the Nokia Secure Access System Configuration Guide v3.0.

   The Nokia Secure Access System configuration page opens. From the Nokia Secure Access System configuration pages, the administrator can manage and configure the Nokia Secure Access System gateway.

Overview of the Configuration Menu

After you install the Nokia Secure Access System on your appliance and sign on to the gateway as an Administrator, the main window opens. This section describes the Nokia Secure Access System user interface configuration menu.

The left side of the main window displays a menu with the settings that you can configure, as described in Table 4.

Table 4 Nokia Secure Access System Configuration Menu

Menu Item           Description
General             Configure general gateway settings, including gateway logging, exporting and importing the gateway configuration file, entering and updating a new server license. You can also view a summary of the gateway status, and enable configuration sharing.
Global Properties   Configure access control, network settings, the appearance of the user interface, enable language packs, configure Nokia Secure Workspace, configure Nokia Secure Connector client settings, SNMP, variables, client integrity scanning, and determine the method for downloading the JRE plugin.
Certificates        Configure gateway server certificates and backend trusted CA certificates, including generating a new server certificate and importing an existing certificate.

Table 4 Nokia Secure Access System Configuration Menu (continued)

Menu Item            Description
User Configuration   Configure users, user groups, and authentication.
Resources            Configure the resources available to the user through the gateway. Resources are divided into four types: Web (HTTP and HTTPS servers); File (FTP, Windows, and NFS file servers); Email (POP, IMAP, and SMTP servers); Port-forwarding (tunnel TCP and UDP traffic through the gateway, including support for Microsoft Exchange and other mail and groupware services).
System               Nokia Network Voyager: returns to the main Network Voyager page.

Configuring Nokia Secure Access System

This section covers all the configuration steps that you need to perform to successfully use the Nokia Secure Access System.

Authenticating the admin User

You can configure the gateway to authenticate the Nokia Secure Access System administrator either by using the same authentication scheme that the Nokia IPSO operating system for the appliance uses, or by using the gateway's configured authentication methods. For instance, the administrator can sign on to the gateway by using a client certificate, or by using a password recognized by a RADIUS or NIS server.

You can specify which scheme to use to authenticate the gateway administrator by setting the General properties on the admin user account.

To configure the admin authentication scheme

1. From the configuration menu, choose User Configuration > Users. The Manage Users page opens.
2. Click the username of the admin user. The General Properties for the admin user page opens.
3. Choose one of the options for Admin User Authentication:
   - Authenticate admin user by using the standard Nokia IPSO authentication.
   - Authenticate admin user by using the general authentication methods.

   For information about general authentication methods, see the Nokia Secure Access System Configuration Guide v3.0.

Installing the License

This section describes how to install and configure the gateway license. You can use the Configure License page to install the license, upload a new license or view the current license.

Upon initial installation of the Nokia Secure Access System, no license file is present on the gateway. If you do not have a license file, contact your Nokia sales representative or visit the Nokia License Center either at https://support.nokia.com/license or choose a link from the Configure License page.

The License Center needs the following information:
- License Authentication Code (LAC)
- Host Identifier number: appears as the Host Identifier on the Configure License page and matches the serial number located on the Nokia Secure Access gateway.

Use the LAC and Host Identifier number to generate the license from the Nokia License Center.

When you submit a purchase order to Nokia or your reseller for Nokia Secure Access System, the hardware is shipped from the factory. A License Authentication Code (LAC) is emailed to the email address on the purchase order and is usually received before the hardware.

To generate the license from the Nokia License Center

1. From the configuration menu, choose General > License. From the Configure License page, copy the host identifier number to a clipboard, or write it down, because you need it in this procedure.

   Note: The license generated with the LAC applies only to that hardware serial number and the license generated can only be used on that appliance.
2. From the Configure License page, click the License Center link https://support.nokia.com/license. The Nokia License Center page opens.

3. Log in to the License Center:
   - Enter your login name and password.
   or
   - Click Register if you are a first time visitor.

   If you are a first time visitor, your username and password is emailed to you after you complete the new user registration process.
4. Enter the LAC in the dialog box. Access this dialog box after you are logged in to the License Center with your username and password.

5. Click Generate Licenses.
6. Cut and paste the host identifier into the Nokia IPSO serial number field. You can obtain this number from the Nokia Secure Access System Configure License page.
7. Click Generate. The license is generated.
8. Enter the company name and user email address that the license is to be sent to.
9. Click Confirm.
10. To save the file, do one of the following:
    - Click Save for File.
    or
    - Copy and paste the information between Begin License and End License.

    The license is emailed to you. You might want to add the .lic extension when you name the license.

    Note: Nokia recommends that you save your License Authentication Code (LAC). You might need it for emergency recovery.

To import the gateway license

1. From the configuration menu, choose General > License. The Configure License page opens. The current license information appears, including the host identifier, license file name, and features of the license. Upon initial installation of Nokia Secure Access System, no license file is present on the gateway.
2. To upload a new license, in the File Name text box enter the file name of the license file stored on your computer, or click Browse to locate the file.
3. Click Upload New License. The license is uploaded to the gateway and the Configure License page refreshes.

The license feature details show the number of simultaneous users that the gateway supports, the expiration time of the license, and the license status. The license status is authenticated when the license is valid for the appliance, as identified by the Host Identifier.

Configuring a User

Use the User Configuration pages to add a new user to the gateway and to configure user properties. The following procedure is to add a locally defined user.

A locally defined user is identified by the specified username, with all of the user's settings stored locally in the gateway configuration. However, a locally-defined user can be authenticated by using an authorization method that communicates with external authorization servers. To configure a user that authenticates to an external server, see the Nokia Secure Access System Configuration Guide v3.0.

To add a new user

1. From the configuration menu, choose User Configuration > Users. The Manage Users page opens.
2. Click New User. The General Properties for User page opens.
3. Click Locally Defined and enter the Username. For example: jsmith

   Usernames can contain ASCII text, except: : + <space>

   Alphanumeric characters, as well as the hyphen (-) and underscore (_) characters are allowed. Unicode characters are not supported.

   For information about how to create an externally defined user and select an authentication method, see the Nokia Secure Access System Configuration Guide v3.0.

4. Enter the full name of the user. For example: John Smith
5. Click Save Settings. The new user is added to the gateway users and appears in the list on the Manage Users page. The General Properties for User page opens.
6. Under Password-Based Authentication Methods, make sure that the Allow checkbox next to Local Password is checked (default).
7. Under Identification, click Set Local Password. The Local Password page opens.
8. Enter and confirm the password for the new user. The password must contain at least eight characters. Eight characters is the default minimum, but this number is configurable. The password cannot contain spaces, colons, or control characters.

   For information about how to change the password, see the Nokia Secure Access System Configuration Guide v3.0.
9. Click Save Settings. The user is now configured to access the gateway.

Configuring a Group

Use the General Properties for User Group page to add a new user group to the gateway and associate members with that particular group. The administrator can define user groups and configure how users are assigned to those groups. Group memberships can be used to help manage access control and also determine which resource links are seen on a user's portal page.

To add a new user group

1. From the configuration menu, choose User Configuration > User Groups. The Manage User Groups page opens.
2. Click New User Group. The General Properties for User Group page opens.
3. Enter the Group Name and Description for the new group. For example: Finance in the Group Name text box and Finance Department in the Description text box.

   Group names can contain ASCII text, except: \ { } [ ] : < > & # +

   The yellow fields allow UTF-8 Unicode. UTF-8 Unicode is used for usernames, descriptions, portal link text, and portal messages. For more information about Unicode, see the Nokia Secure Access System Configuration Guide v3.0.
4. Click Save Settings.

Adding a User to a Group

Use the User Group pages to add a new user group to the gateway and associate users with that group.

To add a user to a group

1. From the configuration menu, choose User Configuration > Users. The Manage Users page opens.
2. Click the name of the user from the Username list box. For example: jsmith. The General Properties for User page opens.
3. Click Edit List in User Group Memberships. The Edit User Groups page opens.
4. Select the groups to add, then click Add. For example: Finance.
5. Click Save Settings. The new group is added to the Users General Properties page.

   Note: You can also assign users to groups from the General page for that group by editing the member list.

Configuring a Web Resource

Use the Manage Web Resources page to add a Web Resource to the user or user group portal page. By configuring Web resources and access control lists, the administrator can define exactly what Web servers a user can access.

To add a Web resource to the user portal page

1. From the configuration menu, choose Resources > Web. The Manage Web Resources page opens.
2. Click New Resource. The Properties for Web Resource page opens.
3. Enter the Identification information, including Resource Name, Description, Portal Link Text, and check the check box to specify that pass-through link credentials should be used. For example, Nokia in the Resource Name text box and Nokia Web site in the Description text box.

   Resource names can contain ASCII text, with the following exceptions: \ { } [ ] : < > & # +

   The Portal Link Text is the text for the hyperlink to the Web Resource as seen on the user portal. For example, you can configure the link text for the resource named Nokia as Go to the Nokia Web site.


4. Enter the base URL. The base URL specifies the backend Web server (or directory) that corresponds to the Web resource. The base URL must begin with either http:// or https://. The base URL specifies where the level of access starts. Include the trailing slash, as the following example shows: http://www.nokia.com/
5. Enter the portal link URL. The portal URL must be more specific than the base URL and provides the exact link that is displayed when the user clicks the portal link text. For example, if the base URL provides access to http://www.nokia.com/, the portal URL can direct them to http://www.nokia.com/welcome.html/ and display the welcome page.
6. Specify Citrix Nfuse settings:
   a. If the base URL is for a Citrix Nfuse Classic Web server, check the check box to specify that the Web resource is a Citrix Web server.
   b. Specify the access control settings:
      - Do not perform access control on connections to MetaFrame servers (default).
      - Use the Global Rules to perform access control on connections to MetaFrame servers.
7. Specify the proxy settings. You can configure Web resources to use:
   - No proxy: the gateway communicates directly with the Web server. No proxy is the default setting.
   - The default HTTP proxy: you can define the default HTTP or HTTPS proxy settings from the Resources > Web > Proxies page.
   - A specific HTTP or HTTPS proxy: if you select this option, enter the IP address and port number of the proxy server.
8. Check the check box to allow pass-through credentials for this Web Resource. This means that the user does not have to authenticate a second time to this resource if their authentication method has pass-through credentials enabled, and this resource uses the same authentication credentials.

9. Specify Client-side cookie handling. Default setting is do not allow cookie information from this resource to be sent to the browser.
10. Specify logging. Check the check box to:
    - Enable debug logging for this resource.
    - Enable auditing messages for this resource (default).
11. Click Save Settings. Additional tabs for Access Control appear. Use the Simple Access Control tab to apply rules to the new resource.

Configuring Access Control Lists for a Web Resource

Use the Simple Access Control pages to configure access control lists (ACLs) and select which user groups are allowed or denied access to the Web resource.

To configure ACLs for a Web resource

1. From the General Properties Web Resource page, click the Access Control Simple tab. The Simple Access Control page for the resource opens.
2. Specify the user groups that are allowed access to the resource by selecting the groups from the All Users Group list, then click Add to move those groups to the Allow Users Group list. For example: Finance.
3. Select the default action. The default setting of the default action is DENY.

4. To add a resource link to the portal, check Add portal link to this resource for each allowed group.
5. Click Save Settings. The ACL is saved with rules that reflect the allowed user groups for this resource.

For information about advanced access control lists, see the Nokia Secure Access System Configuration Guide v3.0.

Specifying User Portal Settings

Access the user portal pages to specify user portal properties for the Web resource. These settings determine the list of resources on the Main Page of the user portal. For instance, if you configure a Web resource in the portal settings, the user sees a link to the defined resource from the user portal page.

Note: You can also put the users in a group and configure the group portal.

To configure user portal settings

1. From the configuration menu, choose User Configuration > Users. The Manage Users page opens.
2. Click the username. For example: jsmith. The General Properties for User page opens.
3. Click the Portal tab. The Portal Properties for User page opens.

4. Check the Use combined settings of User Groups check box (default). The user's portal settings now include the portal settings of all user groups to which the user belongs. For more information about user and group settings, see the Nokia Secure Access System Configuration Guide v3.0.
5. Specify the Resource settings.
   a. To add a Web resource, click Edit List for Web Resources.
   b. Select the resource to add, then click Add. For example: Nokia.
   c. Click Save Settings.
   d. Click Return to Portal Properties.

6. Check the Enable text box for typing destination URLs (default). This action places a check box on the user portal that allows the user to enter the URL.
7. Click Save Settings. The Web Resource is added to the user portal.

You can access the gateway Web resources by clicking the Web resource links from the Resources page in the user portal. An example of the user portal page follows.

For information about how to configure file, email, or port-forwarding resources, see the Nokia Secure Access System Configuration Guide v3.0.

Note: When the administrator is viewing the Nokia Secure Access System configuration page, they can access their own portal page by clicking the Home link in the upper tool bar on the Nokia Secure Access System configuration page. In a user portal, this link is titled Main.
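The Web resource settings and Simple Access Control rules from Configuring a Web Resource and Configuring Access Control Lists for a Web Resource, modeled as an added Python example that is not Nokia code. The URL matching in in_scope(), the NO_MATCH result, the Sales group, and the request URLs are assumptions made for illustration; the guide does not document how the gateway matches URLs.

```python
"""Model of a Web resource definition and its Simple Access Control settings.

Added illustration, not NSAS code: the guide does not document how the gateway
matches URLs, so in_scope() and evaluate() are assumptions.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class WebResource:
    name: str
    base_url: str                    # where the level of access starts
    portal_url: str                  # exact link shown on the user portal
    allow_groups: set = field(default_factory=set)
    default_action: str = "DENY"     # the guide's default for the default action
    add_portal_link: bool = True     # "Add portal link to this resource"


def _origin_and_path(url):
    """Split a URL into (scheme, host, port) and path, normalising case and default ports."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return (scheme, host, parts.port or DEFAULT_PORTS.get(scheme)), parts.path or "/"


def in_scope(base_url, url):
    """True if url has the same scheme, host and port as base_url and lies under its path."""
    base_origin, base_path = _origin_and_path(base_url)
    origin, path = _origin_and_path(url)
    if origin != base_origin:
        return False
    if not base_path.endswith("/"):
        base_path += "/"
    # Compare on a path-segment boundary so /docs/ does not also cover /docsx/.
    return path.startswith(base_path) or path + "/" == base_path


def check_resource(res):
    """Return the problems found in a resource definition, using the guide's rules."""
    problems = []
    if not res.base_url.startswith(("http://", "https://")):
        problems.append("base URL must begin with http:// or https://")
    if not res.base_url.endswith("/"):
        problems.append("base URL must include the trailing slash")
    if res.portal_url == res.base_url or not in_scope(res.base_url, res.portal_url):
        problems.append("portal URL must be more specific than the base URL")
    return problems


def evaluate(res, user_groups, url):
    """Decide one request: NO_MATCH if the resource does not cover url, else ALLOW or DENY."""
    if not in_scope(res.base_url, url):
        return "NO_MATCH"            # hypothetical result: some other rule would decide
    if res.allow_groups & set(user_groups):
        return "ALLOW"
    return res.default_action


def portal_links(resources, user_groups):
    """Links a user would see: one per resource that allows one of the user's groups."""
    groups = set(user_groups)
    return [(r.name, r.portal_url) for r in resources
            if r.add_portal_link and r.allow_groups & groups]


# Constructed sample data: the resource and the Finance group follow the guide's
# examples; the Sales group and the request URLs are made up for the demonstration.
NOKIA = WebResource("Nokia", "http://www.nokia.com/",
                    "http://www.nokia.com/welcome.html/", allow_groups={"Finance"})

if __name__ == "__main__":
    print("definition problems:", check_resource(NOKIA))
    for groups, url in [({"Finance"}, "http://www.nokia.com/welcome.html/"),
                        ({"Sales"}, "http://www.nokia.com/welcome.html/"),
                        ({"Finance"}, "http://www.nokia.com.example.net/")]:
        print(sorted(groups), url, "->", evaluate(NOKIA, groups, url))
    print("portal links for Finance:", portal_links([NOKIA], {"Finance"}))
```

Comparing parsed scheme, host, port, and path segments, rather than raw string prefixes, keeps a base URL entered without its trailing slash from also covering a different host whose name merely starts with the same characters.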
