Galileo International. Firewall & Proxy Specifications



Similar documents
Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

Chapter 12 Supporting Network Address Translation (NAT)

Howto: How to configure static port mapping in the corporate router/firewall for Panda GateDefender Integra VPN networks

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC

Firewall Defaults and Some Basic Rules

GPRS / 3G Services: VPN solutions supported

Galileo SSL Installation Guide Galileo SSL Client v

21.4 Network Address Translation (NAT) NAT concept

Connecting Remote Users to Your Network with Windows Server 2003

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation

UIP1868P User Interface Guide

Virtual Private Networks Solutions for Secure Remote Access. White Paper

SIP Trunking Configuration with

GPRS and 3G Services: Connectivity Options

Configuring Network Address Translation (NAT)

Placing the BlackBerry Enterprise Server for Microsoft Exchange in a demilitarized zone

Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab

LinkProof And VPN Load Balancing

Source-Connect Network Configuration Last updated May 2009

Guideline for setting up a functional VPN

Pre-lab and In-class Laboratory Exercise 10 (L10)

Configuration Example

Windows XP VPN Client Example

AS/400e. TCP/IP routing and workload balancing

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Galileo Print Manager

Using Remote Desktop Software with the LAN-Cell

VPN. VPN For BIPAC 741/743GE

Creating a VPN with overlapping subnets

HOWTO: How to configure IPSEC gateway (office) to gateway

NETWORK SECURITY (W/LAB) Course Syllabus

Basic Network Configuration

Chapter 32 Internet Security

Table of Contents. Cisco Cisco VPN Client FAQ

Protecting the Home Network (Firewall)

Firewalls and Virtual Private Networks

Ford ANX Troubleshooting Procedure for use by Trading Partners

IP Router QUICK START GUIDE

Application Note Configuring the Synapse SB67070 SIP Gateway for Broadvox GO! SIP Trunking

VMware vcloud Air Networking Guide

Fireware Essentials Exam Study Guide

Virtual Private Networks

WAN Failover Scenarios Using Digi Wireless WAN Routers

Apliware firewall. TheGreenBow IPSec VPN Client. Configuration Guide.

Step By Step Guide: Demonstrate DirectAccess in a Test Lab

Firewall Firewall August, 2003

Creating a VPN Using Windows 2003 Server and XP Professional

Virtual Private Network and Remote Access Setup

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Understanding Windows Server 2003 Networking p. 1 The OSI Model p. 2 Protocol Stacks p. 4 Communication between Stacks p. 13 Microsoft's Network

Innominate mguard Version 6

User Manual. Page 2 of 38

FortiVoice. Version 7.00 VoIP Configuration Guide

Virtual Private Networks

About Firewall Protection

VPN. Date: 4/15/2004 By: Heena Patel

Overview - Using ADAMS With a Firewall

Controlling Ashly Products From a Remote PC Location

Implementing and Managing Security for Network Communications

Configuring a BANDIT Product for Virtual Private Networks

Overview - Using ADAMS With a Firewall

Remote Connectivity for mysap.com Solutions over the Internet Technical Specification

Using IPsec VPN to provide communication between offices

Cisco Which VPN Solution is Right for You?

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Configuring an IPSec Tunnel between a Firebox & a Check Point FireWall-1

Technical White Paper

DATA SECURITY 1/12. Copyright Nokia Corporation All rights reserved. Ver. 1.0

The BANDIT Device in the Network

z/os Firewall Technology Overview

IP Security. IPSec, PPTP, OpenVPN. Pawel Cieplinski, AkademiaWIFI.pl. MUM Wroclaw

Lecture Objectives. Lecture 6 Mobile Networks: Nomadic Services, DHCP, NAT, and VPNs. Agenda. Nomadic Services. Agenda. Nomadic Services Functions

Netopia TheGreenBow IPSec VPN Client. Configuration Guide.

VOIP NETWORK CONFIGURATION GUIDE RELEASE 6.10

ERserver. iseries. TCP/IP routing and workload balancing

Protocol Security Where?

What communication protocols are used to discover Tesira servers on a network?

SSL VPN. Virtual Private Networks based on Secure Socket Layer. Mario Baldi. Politecnico di Torino. Dipartimento di Automatica e Informatica

TheGreenBow IPsec VPN Client. Configuration Guide Cisco RV325 v1. Website: Contact:

TALKSWITCH VOIP NETWORK TROUBLESHOOTING GUIDE

Networking Security IP packet security

Lab Configuring Access Policies and DMZ Settings

Terminal Server Router QUICK START GUIDE

Security Technology: Firewalls and VPNs

Firewall VPN Router. Quick Installation Guide M73-APO09-380

IPv6 Fundamentals: A Straightforward Approach

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

Accessing Remote Devices via the LAN-Cell 2

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

Networking TCP/IP routing and workload balancing

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

GregSowell.com. Mikrotik Security

Understanding the Cisco VPN Client

This chapter describes how to set up and manage VPN service in Mac OS X Server.

Transcription:

Galileo International Technical Support Documentation Firewall & Proxy Specifications For Focalpoint, Viewpoint & Focalpoint Print Manager (GALILEO and APOLLO PRODUCTION SYSTEMS)

Copyright Copyright 2001 Galileo International. All rights reserved. Information in this document is subject to change without notice. The information described in this document is furnished to Galileo International subscribers, or their representatives, and is provided as is under a license agreement or nondisclosure agreement. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the subscriber s personal use without the written permission of Galileo International. Trademarks Apollo, Galileo, the Globe Device, Focalpoint Print Manager and Viewpoint are registered trademarks, trademarks or service marks of Galileo International in the United States and/or other countries. Galileo International may have patents or pending patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. The furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property rights except as expressly provided in any written license agreement from Galileo.

Introduction This document will outline the typical configurations required by a firewall administrator to properly open ports for the Focalpoint, Viewpoint and Focalpoint Print Manager applications to talk to the computer reservation system (CRS). Galileo International provides this information as a guide for the end user. Configurations indicated in this document are the configurations for the subscriber s firewall ( inbound indicates traffic passing into the subscriber s network from the reservation system. Outbound indicates traffic passing out of the subscriber s network to the reservation system). Configuration of a firewall being placed between a subscriber location and the Galileo or Apollo systems is the responsibility of the subscriber to install and configure such device. It is strongly recommended that the subscriber or firewall administrator contact their respective firewall providers prior to making changes to support Galileo International products. Galileo International does not provide technical or help desk support in these types of configurations. To identify which reservation system you will be accessing, please contact your Travel Management Company or refer to your system access contract. In general Galileo International subscribers outside North America access the Galileo reservation system while North American subscribers access the Apollo reservation system. What is Focalpoint and Viewpoint? Interaction with the Galileo and Apollo systems are provided through two applications installed at the end user s workstation. Focalpoint is Galileo s proprietary terminal emulation program allowing the user to input cryptic formats to the host system to complete a travel reservation. Viewpoint provides a Graphical User Interface (GUI) to allow users to build a travel reservation in a simplified, Microsoft Windows based, point and click environment. When either form of user access to the CRS host is used, the requirements for customer firewalls are the same. What is Focalpoint Print Manager? Focalpoint Print Manager, commonly referred to as FPM or Print Manager, is a Windows based software product that manages host-printing functions (Ticket Printer, Invoice Printer and Back Office Interface (MIR). The PC that runs this software may be dedicated to this function or be installed on a workstation running Galileo s Focalpoint or Viewpoint reservation products. After a determined amount of time, the Focalpoint Print Manager will enter a sleep mode until a print image is sent and a wake-up established. For wake-up to successfully occur, the PC running the Print Manager software must have a static IP address and be mapped in the firewall. The Config Server will try to establish a successful TCP handshake with the TCP/IP address of Print Manager. If successful, a wake-up message will be sent and print documents will generate. Not all Galileo or Apollo subscribers use Focalpoint Print Manager. Firewall Administrators should check with their Travel Management Company to determine if this application will be used. Firewall & Proxy Specifications (rev. 02/28/02 APTS) 3

How do I determine my access type to Apollo/Galileo? Access to the CRS systems is provided via a dedicated TCP/IP circuit or via the Internet when using either the Nortel Extranet IPSec client or Microsoft PPTP VPN Protocol. This document will describe the firewall configuration for the following types of connection: TCP/IP Frame Relay: Galileo installs a dedicated TCP/IP Frame Relay or point-to-point circuit. Galileo will install and configure a site premise router to connect either to the Local Area Network or connected directly to a subscriber provided router. Internet/VPN: With a Internet Service Provider (ISP) connection to the Internet, a VPN tunnel is created using either the Nortel Extranet client or Microsoft PPTP VPN protocol. Galileo allows split tunneling in this configuration, which will allow the user to access the reservation service and Internet simultaneously. Customers using Galileo s FocalpointNet product will use this type of connection. Before proceeding with configuring your firewall, identify which connection type you will be using to access the Galileo or Apollo reservation system. Follow the configuration specifications on the following pages that apply to your connection type. What Galileo devices will you need to reach? Configuration Servers: (All Subscribers) Purpose: The Configuration Servers, referred to as Config Servers, authenticate the user by validating their access is via a known communication path as well as assigns the access to the Galileo or Apollo reservation system. Protocol Used: UDP (User Datagram Protocol / Protocol 17) / TCP/IP (Transmission Control Protocol/Internet Protocol / Protocols 4 & 6) IP Concentrators: (All Subscribers) Purpose: The IP Concentrators, referred to as IPCs, translate the TCP/IP packet into a format accepted by the Galileo or Apollo reservation system. Protocol Used: TCP/IP (Transmission Control Protocol/Internet Protocol / Protocols 4 & 6) VPN Switch: (Internet/VPN Subscribers Only) Purpose: The VPN Switch authenticates the VPN client, either Nortel Extranet or Microsoft PPTP, onto the Galileo or Apollo reservation system. Protocol Used: Based on the VPN client being used. Microsoft PPTP = GRE (General Routing Encapsulation / Protocol 47) Extranet IPSec = ESP (Encapsulation Security Payload / Protocol 50) and AH (Authentication Header / Protocol 51) Firewall & Proxy Specifications (rev. 02/28/02 APTS) 4

Configuring a Firewall for a dedicated TCP/IP circuit NOTE: This configuration should only be used when access to the reservation system is via a dedicated communication line provided by Galileo. If you are accessing the reservation system via the Internet, please refer to the instructions on page 6 Configuring a Firewall for access via the Internet/VPN. PROTOCOLS: TCP/IP (Protocols 6 & 4) UDP (Protocol 17) PORTS: (PAT-Port Address Translation is NOT permitted) Config Servers: 5067 / UDP Traffic / Outbound Only 5068 / UDP Traffic / Inbound Only 5069 / TCP Traffic / Inbound Only (FPM Requirement) Print Manager will receive all wake-up messages from the Galileo Config Server TCP/IP addresses: 57.8.81.13 or 57.8.81.113 IP Concentrators: 2748 / TCP Traffic / Outbound Only (Apollo system only) 2749 / TCP Traffic / Outbound Only (Galileo system only) 2750 / TCP Traffic / Outbound Only (VTF-IP Concentrators) IP FILTERING: Galileo International recommends filtering to the entire IP Subnet versus specific addresses. Galileo System: 57.8.81.0 Mask 255.255.255.0 Apollo System: 198.177.164.128 Mask 255.255.255.224 57.8.81.0 Mask 255.255.255.0 Specific IP Addresses: These addresses are subject to change without notice! Galileo System & Device Apollo in Canada Apollo System USA Config Servers 57.8.81.13 198.177.164.151 57.8.81.113 198.177.164.152 57.8.81.13 57.8.81.113 IP Concentrators 57.8.81.11 198.177.164.131 57.8.81.111 198.177.164.132 198.177.164.133 198.177.164.134 198.177.164.145 198.177.164.146 198.177.164.147 198.177.164.148 57.8.81.11 57.8.81.111 NOTE: Focalpoint Print Manager MUST be assigned a static IP address for the wake-up process to work properly. Firewall & Proxy Specifications (rev. 02/28/02 APTS) 5

Configuring a Firewall for Access via the Internet/VPN NOTE: This configuration should only be used when access to the reservation system is via a dial-up or dedicated Internet connection. If you are accessing the reservation system via a circuit provided by Galileo, refer to page 5 Configuring a Firewall for Dedicated TCP/IP Circuit. Follow the instructions based on the client you are using (PPTP or IPSec). PROTOCOLS: TCP/IP (Protocols 6 & 4) UDP (Protocol 17) PPTP: GRE (Protocol 47 mapped to port 1723) Microsoft PPTP VPN ONLY IPSec: ESP & AH (Protocols 50 & 51) Nortel Extranet client ONLY PORTS: (PAT-Port Address Translation is NOT permitted) PPTP Switch: IPSec Switch: Config Servers: 1723 / TCP Traffic / Outbound Only (Microsoft PPTP VPN ONLY. Not necessary for IPSec clients.) 500 / UDP Traffic / Outbound & Inbound (Nortel Extranet Client ONLY. Not necessary for PPTP clients. UDP Protocol 17 only on this port.) 5067 / UDP Traffic / Outbound Only 5068 / UDP Traffic / Inbound Only 5069 / TCP Traffic / Inbound Only (FPM Requirement) IP Concentrators: 2748 / TCP Traffic / Outbound Only (Apollo system only) 2749 / TCP Traffic / Outbound Only (Galileo system only) 2750 / TCP Traffic / Outbound Only (VTF-IP Concentrators) DNS SUPPORT: (Must be able to PING from the client workstation:) Microsoft PPTP VPN Client: PING vpn.galileo.com Nortel Extranet IPSec Client: PING fpnet.galileo.com IP FILTERING: (Must be able to ping after VPN established) Specific IP Addresses: These addresses are subject to change without notice! Device Galileo System Apollo System PPTP VPN Switch fpnetpptp.galileo.com Fpnetpptp.galileo.com 192.168.32.103 192.168.32.103 IPSec VPN Switch fpnetipsec.galileo.com fpnetipsec.galileo.com 192.168.32.105 192.168.32.105 Config Servers vpnipcs.galileo.com vpnipcs.galileo.com 172.20.200.2 172.20.200.2 IP Concentrators vpnipc.galileo.com vpnipc.galileo.com 172.20.200.1 172.20.200.1 Firewall & Proxy Specifications (rev. 02/28/02 APTS) 6

Frequently Asked Questions How do I know if my Firewall will support access to the Galileo and Apollo systems? Subscribers using a direct, dedicated connection to the Internet should not have problems providing the port and protocol settings addressed in this document can be supported. Internet/VPN access subscribers must be able to support the ports and protocols as well as support the VPN technologies of Microsoft PPTP or the Nortel Extranet IPSec client. My firewall performs port address translation. Will that be an issue? Yes, it will be an issue. The Focalpoint and Viewpoint authentication process will not function properly if Port Address Translation is used. Ether avoid performing PAT or establish another solution. My firewall performs NAT for the Local Area Network users and Internet Access is via a proxy server. Why can t I get Focalpoint or Viewpoint working correctly? The Focalpoint and Viewpoint authentication process allows for one and only one Network Address Translation mapped for both inbound and outbound traffic. Attempts have been unsuccessful with subscribers performing double-nating so Galileo strongly recommends either performing a single Address Translation or providing the user with another solution. My firewall is configured to the specifications in this document. One user can access the reservation system but subsequent users cannot. What is wrong? This is an indication that multiple users are sharing a single IP address. Access via the Galileo TCP/IP dedicated circuit is required to show a unique IP address when authenticating into the system. For this configuration, you are required to perform a onefor-one network address translation for each user. Internet/VPN subscribers are experiencing this problem due to a problem with validating multiple VPN sessions through a single address. Try assigning a one-for-one address translation for Internet access or use a proxy server to share a single Internet connection among several users. Do I have to open all the ports, protocols and IP addresses specified for my configuration? Failure to support one of the configuration requirements in this document will prevent authentication to the Galileo or Apollo reservation system. If policies or procedures prevent opening the ports, protocols or IP subnets as specified, it is recommended that another method of connection be used to access the reservation service. I have completed all the steps in configuring the firewall but still cannot get access to the reservation service. Where do I go for help? For liability reasons, Galileo International employees are not permitted to touch or configure Firewalls owned and maintain by a subscriber. The information included in this document is complete and accurate as of the date published. In the event you are still unable to access the reservation service, contact your vendor who provided the firewall or the firewall manufacture s technical support desk. Firewall & Proxy Specifications (rev. 02/28/02 APTS) 7

Why must the Focalpoint Print Manager be assigned a fixed or static IP address when installed in a dedicated TCP/IP site? The wake-up message generated from Galileo/Apollo will initiate an unsolicited IP packet to the Print Manager PC. For this to occur properly, the IP address must be fixed and identified during the initial authentication process. You indicate that the Focalpoint Print Manager requires TCP messages to be accepted on port 5069 for the wake-up to be successful. The firewall administrator must understand that the source TCP port is random, or from any to 5069. Focalpoint Print Manager must be able to receive a TCP handshake from the Galileo configuration servers and must be successful for the actual wake-up message to be sent. Since this handshake will be established on TCP port 5069t, port 5069 must be open inbound. To further secure a firewall, traffic from these messages will only be passed through the Galileo configuration servers 57.8.81.13 and 57.8.81.113. * Wake up message format is from Galileo Destination=5069 -- Source=ANY. * If your firewall application cares about inbound Source ports, select Inbound Source=ANY. Normally this is not needed. * Example Inbound Rule TCP Destination:5069 Source:Any 57.8.81.13 /113 My Travel Management Company uses a DOS based Print Server to issue travel documents. Do I need to open ports for that device too? No. The Focalpoint Print Servers use a different technology that does not require a wakeup message to be received. Standard Focalpoint or Viewpoint firewall configurations will be sufficient. The Print Manager is not waking up. What s wrong? The first test to perform is to bring the Print Manager up manually (refer to the instructions for Installing the Focalpoint Print Manager ). If documents print when the Print Manager is manually connected, then the problem most definitely is firewall or routing related. Please double check your firewall settings and make sure TCP traffic can pass inbound between 57.8.81.13 and 57.8.81.113 on TCP port 5069 to the specified Print Manager PC. If problems persist, please contact your Galileo or Apollo Account Representative to arrange for further technical assistance. Firewall & Proxy Specifications (rev. 02/28/02 APTS) 8

Special Configurations for Galileo Distribution Companies GALILEO CANADA SUBSCRIBERS ONLY LeisureLink Purpose: LeisureLink is a leisure booking product with instant access to the reservations systems of dozens of Canadian tour operators. Protocol Used: TCP/IP (Transmission Control Protocol/Internet Protocol / Protocols 4 & 6) / Standard HTML messages. Ports to be Open: 8180 / TCP Traffic / Outbound Only IP Filtering: TCP/IP Frame Relay Internet/VPN leisurelink.galileo.ca leisurelink.galileo.ca 167.125.255.210 172.20.200.28 Firewall & Proxy Specifications (rev. 02/28/02 APTS) 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information