Secure Computing SafeNet user manual

A good user manual

Regulations oblige the seller to provide the buyer with the Secure Computing SafeNet user manual along with the goods. A missing manual or incorrect information supplied to the consumer is grounds for a complaint that the device does not conform to the contract. Under the law, the manual may be provided in a form other than paper, which has often been done recently, by including a graphic or electronic form of the Secure Computing SafeNet manual or instructional videos for users. The condition is that it be legible and understandable.

What is a user manual?

The word comes from the Latin "Instructio", meaning to organize. Thus, the Secure Computing SafeNet user manual describes the steps of the procedure. The purpose of the user manual is to instruct and to make it easier to start up and use the equipment or to carry out specific actions. The user manual is a collection of information about the object/service, a pointer.

Unfortunately, few users take the time to read the user manual, yet a good manual not only lets you get to know a number of additional features of the purchased device, but also helps you avoid most failures.

So what should the perfect manual contain?

First of all, the Secure Computing SafeNet user manual should contain:
- information on the technical specifications of the Secure Computing SafeNet device
- the manufacturer's name and the year of manufacture of the Secure Computing SafeNet
- instructions for using, adjusting and maintaining the Secure Computing SafeNet equipment
- safety markings and certificates confirming compliance with the relevant standards

Why don't we read user manuals?

Usually this is due to a lack of time and of certainty about the specific functionality of the purchased equipment. Unfortunately, connecting and starting up the Secure Computing SafeNet is not enough. The user manual contains a number of guidelines on specific features, safety, maintenance methods (even the products that should be used), possible Secure Computing SafeNet faults, and ways to solve common problems during use. Finally, the manual contains the contact details of Secure Computing service for cases where the proposed solutions do not work. Currently, user manuals in the form of interesting animations and instructional videos, which are better than a brochure, are very popular. This type of manual lets the user watch the whole instructional video without skipping the complicated Secure Computing SafeNet technical specifications and descriptions, as happens with the paper version.

Why read the user manual?

First of all, it contains the answers about the structure and capabilities of the Secure Computing SafeNet device, the use of various accessories, and a range of information for taking full advantage of all the features and conveniences.

After a successful purchase of the equipment/device, take a moment to familiarize yourself with every part of the Secure Computing SafeNet user manual. Nowadays, they are carefully prepared and translated so that they are not only understandable to users, but also fulfil their basic function of providing information and help.

Table of contents of the user manual

  • Page 1

    VPN Administration Guide Revision A SafeNet/Soft-PK Version 5.1.3 Build 4 Sidewinder Version 5.1.0.02[...]

  • Page 2

    [...]

  • Page 3

    i Copyright Notice This document and the software described in it are copyrighted. Under the copyright laws, neither this document nor this software may be copied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior written authorization of Secure Computing Corporation. Copyrig[...]

  • Page 4

    ii SECURE COMPUTING’S AND ITS LICENSORS ENTIRE LIABILITY UNDER, FOR BREACH OF, OR ARISING OUT OF THIS AGREEMENT, IS LIMITED TO A REFUND OF THE PURCHASE PRICE OF THE PRODUCT OR SERVICE THAT GAVE RISE TO THE CLAIM. IN NO EVENT SHALL SECURE COMPUTING OR ITS LICENSORS BE LIABLE FOR YOUR COST OF PROCURING SUBSTITUTE GOODS. IN NO EVENT[...]

  • Page 5

    Table of Contents iii TABLE OF CONTENTS Preface: About this Guide (v); Who should read this guide? (v); How this guide is organized (vi); Where to find additional information[...]

  • Page 6

    iv Table of Contents Defining remote client identities in Sidewinder (3-13); Managing pre-shared keys (passwords) (3-14); Configuring the VPN on the Sidewinder (3-15); Chapter 4: Installing and Working with Soft-PK (4-1); Soft-PK i[...]

  • Page 7

    P Preface: About this Guide v PREFACE About this Guide This guide provides the information needed to set up connections between remote systems running SafeNet/Soft-PK™ VPN client software and systems on a network protected by Secure Computing’s Sidewinder firewall. SafeNet/Soft-PK is a Windows-compatible progra[...]

  • Page 8

    P How this guide is organized vi Preface: About this Guide How this guide is organized This guide contains the following chapters. Finding information This guide is in Acrobat (softcopy) format only and does not contain an index. However, you can use Acrobat’s Find feature to search for every instance of any word or ph[...]

  • Page 9

    Where to find additional information Preface: About this Guide vii Viewing and printing this document online When you view this document online in PDF format, you may find that the screen images are blurry. If you need to see the image more clearly, you can either enlarge it (which may not eliminate the blurriness) or you c[...]

  • Page 10

    Where to find additional information viii Preface: About this Guide To contact Secure Computing directly or inquire about obtaining a support contract, refer to our Web site at www.securecomputing.com, and select “Contact Us.” Or if you prefer, send us email at support@securecomputing.com (be sure to includ[...]

  • Page 11

    1 Getting Started 1-1 1 CHAPTER 1 Getting Started About this chapter This chapter provides an overview of the Soft-PK™ and Sidewinder Virtual Private Network (VPN) environment and describes the requirements. It includes a checklist to guide you through the basic steps to setup and deploy a VPN. This chapter addres[...]

  • Page 12

    1 About Soft-PK & Sidewinder VPNs 1-2 Getting Started About Soft-PK & Sidewinder VPNs Soft-PK is security software for remote PC users. It is designed to provide data privacy between remote users and a corporate network. Industry-standard encryption and user verification routines protect the data sent over the co[...]

  • Page 13

    Requirements Getting Started 1-3 Requirements To configure VPN communication between Sidewinder and Soft-PK clients, your Sidewinder must be configured with the proper VPN parameter settings and access rules. In addition, depending on your VPN connection setup, you may also need to define the proper digital certificates. T[...]

  • Page 14

    Requirements 1-4 Getting Started Soft-PK requirements Each system on which Soft-PK will be installed must meet the requirements listed in Table 1-2. IMPORTANT: A remote system must only run one VPN client. If a VPN client program such as SecureClient was previously installed on the remote system, ensure it is properly uninstal[...]

  • Page 15

    Roadmap to deploying your VPNs Getting Started 1-5 Roadmap to deploying your VPNs Because Secure Computing products provide network security, we recommend that, as the network administrator, you carefully oversee the installation and configuration of the Soft-PK client(s). Setting up VPN connections using Soft-PK and[...]

  • Page 16

    Roadmap to deploying your VPNs 1-6 Getting Started Figure 1-2. VPN deployment overview Admin tasks performed on Sidewinder system Admin tasks performed using Soft-PK prior to deploying to end users 1 — Satisfy Sidewinder, network, & system requirements 6 — Configure the certificates and security policy(ies) for[...]

  • Page 17

    Roadmap to deploying your VPNs Getting Started 1-7 Soft-PK deployment checklist The following checklist identifies each major step involved in the setup and deployment of your Soft-PK software (as shown in Figure 1-2). You can use the checklist as a reference point and mark off each item as you complete it to ensure a[...]

  • Page 18

    Roadmap to deploying your VPNs 1-8 Getting Started ❒ ISAKMP ACL entry: At a minimum, you must define and enable an ACL entry that allows ISAKMP traffic from the Internet to the Internet burb on Sidewinder (external IP address of Sidewinder). ❒ Other ACL entries: Depending on where you terminate your VPN connections on S[...]

  • Page 19

    Roadmap to deploying your VPNs Getting Started 1-9 5 — Configure the VPN connections on the Sidewinder ❒ Use Cobra to define the VPN security association configuration. See "Configuring the VPN on the Sidewinder" on page 3-15 for details. ❒ Enable Extended Authentication. 6 — Configure the certificates and security p[...]

  • Page 20

    Roadmap to deploying your VPNs 1-10 Getting Started 8 — Troubleshoot any connection problems ❒ Use the Soft-PK Log Viewer. See "Soft-PK Log Viewer" on page A-1. ❒ Use the Soft-PK Connection Monitor. See "Soft-PK Connection Monitor" on page A-2. ❒ Use Sidewinder commands. See "Sidewinder troubleshooti[...]

  • Page 21

    2 Planning Your VPN Configuration 2-1 2 CHAPTER 2 Planning Your VPN Configuration About this chapter This chapter provides information to help you understand key concepts and options that are involved in a VPN connection. It addresses the following topics: • "Identifying basic VPN connection needs" on p[...]

  • Page 22

    2 Identifying basic VPN connection needs 2-2 Planning Your VPN Configuration Identifying basic VPN connection needs Before you actually begin configuring your Sidewinder or work with Soft-PK, ensure you have an understanding of the basic profile for your VPN connections. Begin by doing the following: • List the remote users that n[...]

  • Page 23

    Identifying authentication requirements Planning Your VPN Configuration 2-3 Identifying authentication requirements Determine how you will identify and authenticate the partners in your VPN. Sidewinder and Soft-PK both support using digital certificates and pre-shared key VPN configurations. In addition, when you use Sidewin[...]

  • Page 24

    Identifying authentication requirements 2-4 Planning Your VPN Configuration If not already done, decide if you will use self-signed certificates generated by Sidewinder or a public/private CA server. Table 2-1. Sidewinder self-signed certificates versus CA-based certificates A closer look at self-signed certificates A VPN imple[...]

  • Page 25

    Identifying authentication requirements Planning Your VPN Configuration 2-5 A closer look at CA-based certificates A VPN implemented using CA-based certificates requires access to a private or public CA. Each end-point (client, firewall, etc.) in the VPN retains a private key file that is associated with a public certificate. In addit[...]

  • Page 26

    Identifying authentication requirements 2-6 Planning Your VPN Configuration Extended authentication In addition to the normal authentication checks inherent during the negotiation process at the start of every VPN association, Extended Authentication goes one step further by requiring the person requesting the VPN c[...]

  • Page 27

    Determining where you will terminate your VPNs Planning Your VPN Configuration 2-7 Determining where you will terminate your VPNs You can configure a VPN security association on Sidewinder to terminate in any burb. For example, Figure 2-4 shows a VPN security association terminating in the trusted burb. It allows all netw[...]

  • Page 28

    Determining where you will terminate your VPNs 2-8 Planning Your VPN Configuration More about virtual burbs and VPNs Consider a VPN association that is implemented without the use of a virtual burb. Not only will VPN traffic mix with non-VPN traffic, but there is no way to enforce a different set of rules for the VPN traffic. [...]

  • Page 29

    Understanding Sidewinder client address pools Planning Your VPN Configuration 2-9 Understanding Sidewinder client address pools You may choose to implement your VPN using Sidewinder client address pools. Client address pools are reserved virtual IP addresses, recognized as internal addresses of the trusted network. Addresses in[...]

  • Page 30

    Understanding Sidewinder client address pools 2-10 Planning Your VPN Configuration • Address of the firewall • Protected networks The client does not need to define a virtual IP for use in the VPN connection, nor do they need to concern themselves with DNS issues on the trusted network. In addition to simplifying the c[...]

  • Page 31

    3 Configuring Sidewinder for Soft-PK Clients 3-1 3 CHAPTER 3 Configuring Sidewinder for Soft-PK Clients About this chapter This chapter provides a summary of Sidewinder procedures associated with setting up and configuring Soft-PK connections in your network. IMPORTANT: Perform these procedures before you configure your Soft-PK clie[...]

  • Page 32

    3 Enabling the VPN servers 3-2 Configuring Sidewinder for Soft-PK Clients Enabling the VPN servers Before you configure a VPN association on your Sidewinder, you must first enable the Sidewinder’s EGD and CMD servers. In addition, you must enable the ISAKMP server and set it to listen on the Internet burb. Do the following f[...]

  • Page 33

    Configuring ACL & proxies entries for VPN connections Configuring Sidewinder for Soft-PK Clients 3-3 Configuring ACL & proxies entries for VPN connections Depending on where you decide to terminate your VPN tunnel, you must ensure that you have the appropriate ACL entries set up to allow ISAKMP traffic and allow/deny the appropriat[...]

  • Page 34

    Managing Sidewinder self-signed certs 3-4 Configuring Sidewinder for Soft-PK Clients Managing Sidewinder self-signed certs If you are using Sidewinder to generate certificates, use the following procedure to create and export self-signed certificates that identify the firewall and each remote client. TIP: Typically, a VPN [...]

  • Page 35

    Managing Sidewinder self-signed certs Configuring Sidewinder for Soft-PK Clients 3-5 3. Specify the following Firewall Certificate settings. 4. Click Add to add the certificate to the Certificates list. 5. Click Close to return to the Firewall Certificate window. Export the firewall certificate (for later transfer to each c[...]

  • Page 36

    Managing Sidewinder self-signed certs 3-6 Configuring Sidewinder for Soft-PK Clients Creating & exporting remote certificate(s) Use the following procedure on Sidewinder to create a self-signed certificate file (with its embedded public key) and a private key file for each of your Soft-PK clients. Once a pair of certif[...]

  • Page 37

    Managing Sidewinder self-signed certs Configuring Sidewinder for Soft-PK Clients 3-7 3. Specify the following Remote Certificate settings. 4. Click Add to add the certificate to the Certificates list. Field Setting Certificate Name Specify a name for the remote certificate. Distinguished Name Specify a set of data that identifies the c[...]

  • Page 38

    Managing Sidewinder self-signed certs 3-8 Configuring Sidewinder for Soft-PK Clients 5. Click Close to return to the previous window. Converting the certificate file/private key file pair to pkcs12 format 6. To start the PKCS12 utility on the Sidewinder, from the command line, enter the following command: pkcs12_util The utility w[...]

  • Page 39

    Managing CA-based certificates Configuring Sidewinder for Soft-PK Clients 3-9 Managing CA-based certificates If you are using a CA to authorize certificates, use the following procedures to define the CA, request the firewall and CA certificates, and define the remote identities of each client within Sidewinder (need[...]

  • Page 40

    Managing CA-based certificates 3-10 Configuring Sidewinder for Soft-PK Clients 6. Click Export to save the CA certificate to a file for later importation into client system(s). Each user must then use Soft-PK to import the CA certificate you obtained for them. Note: You can have the user request the CA certificate from the CA usi[...]

  • Page 41

    Managing CA-based certificates Configuring Sidewinder for Soft-PK Clients 3-11 2. Specify the firewall certificate information. 3. Click Add to send the enrollment request. IMPORTANT: After you send the enrollment request, the CA administrator must issue the certificate before you can continue. 4. On the Firewall Certificates tab, click[...]

  • Page 42

    Managing CA-based certificates 3-12 Configuring Sidewinder for Soft-PK Clients Determining identifying information for client certificates Define the identifying information that will be used for each remote client certificate. Typically, these are the values entered in the Distinguished Name (DN) fields when defining a [...]

  • Page 43

    Managing CA-based certificates Configuring Sidewinder for Soft-PK Clients 3-13 Defining remote client identities in Sidewinder When using CA-based certificates, you must define an identity "template" in Sidewinder that matches all possible client identities used by the remote entities in your VPN. To define remote [...]

  • Page 44

    Managing pre-shared keys (passwords) 3-14 Configuring Sidewinder for Soft-PK Clients Managing pre-shared keys (passwords) When using pre-shared keys (passwords), you must define an identity "template" in Sidewinder that matches all possible client identities used by the remote entities in your VPN. To define remot[...]

  • Page 45

    Configuring the VPN on the Sidewinder Configuring Sidewinder for Soft-PK Clients 3-15 Configuring the VPN on the Sidewinder Create a VPN security association for a Tunnel VPN using the newly created certificates. Do the following from the Sidewinder Cobra interface: 1. Select VPN Configuration -> Security Associations. C[...]

  • Page 46

    Configuring the VPN on the Sidewinder 3-16 Configuring Sidewinder for Soft-PK Clients Local Network/IP Specify the network names or IP addresses to use as the destination for the client(s) in the VPN. Click the New button to specify the IP Address / Hostname and Number of bits in Netmask. The value specified identifies the network portion[...]

  • Page 47

    Configuring the VPN on the Sidewinder Configuring Sidewinder for Soft-PK Clients 3-17 3. Select the Authentication tab. Choose the authentication method appropriate for your configuration. Figure 3-9. Sidewinder Security Associations Properties, Authentication tab • If you selected Single Certificate (Figure 3-10), specify[...]

  • Page 48

    Configuring the VPN on the Sidewinder 3-18 Configuring Sidewinder for Soft-PK Clients • If you selected Certificate & Certificate Authority (Figure 3-11), specify the following CA certificate options. Figure 3-11. "Certificate & Certificate Authority" options Table 3-3. Certificate + Certificate Author[...]

  • Page 49

    Configuring the VPN on the Sidewinder Configuring Sidewinder for Soft-PK Clients 3-19 • If you selected Password (Figure 3-12), specify the following password options. Figure 3-12. "Password" options Table 3-4. Password options Save your settings! 4. Click Add to save the settings. 5. Click Close. TIP: For typica[...]

  • Page 50

    Configuring the VPN on the Sidewinder 3-20 Configuring Sidewinder for Soft-PK Clients[...]

  • Page 51

    4 Installing and Working with Soft-PK 4-1 4 CHAPTER 4 Installing and Working with Soft-PK About this chapter This chapter includes Soft-PK installation notes. It also describes the basic Soft-PK procedures for managing certificates and creating a customized Soft-PK security policy for your remote clients. IMPORTANT: As network [...]

  • Page 52

    4 Soft-PK installation notes 4-2 Installing and Working with Soft-PK Soft-PK installation notes Note the following about installing, removing, or upgrading Soft-PK software. You can customize the UserWorksheet.doc file located on the product CD to specify detailed installation instructions to your end users. (See Chapter 5 fo[...]

  • Page 53

    Starting Soft-PK Installing and Working with Soft-PK 4-3 Starting Soft-PK Soft-PK starts automatically each time the computer on which it resides is started. It runs transparently at all times behind all other software applications including the Windows login. The Soft-PK icon in the taskbar changes color and image to indicat[...]

  • Page 54

    Starting Soft-PK 4-4 Installing and Working with Soft-PK Activating/Deactivating Soft-PK The Soft-PK user interface defines the security mode and the action Soft-PK takes when it detects packets of various protocols and various destinations. Once configured, users need to access the user interface only to view or modify t[...]

  • Page 55

    Starting Soft-PK Installing and Working with Soft-PK 4-5 About the Soft-PK program options This section provides a brief description of the Soft-PK main program options. Use Soft-PK’s comprehensive online help for detailed information. • Certificate Manager The Certificate Manager allows you to request, import [...]

  • Page 56

    Managing certificates on Soft-PK 4-6 Installing and Working with Soft-PK Managing certificates on Soft-PK If you are using digital certificate authentication in your VPN, you should provide your end users with the information and files needed to set up the necessary certificates on their Soft-PK client. This section pro[...]

  • Page 57

    Managing certificates on Soft-PK Installing and Working with Soft-PK 4-7 Setting up CA-based certificates If you are using CA-based digital certificates, as administrator, do the following. 1. If not already done, request and export the CA root certificate. See "Defining a CA to use and obtaining the CA root cert"[...]

  • Page 58

    Managing certificates on Soft-PK 4-8 Installing and Working with Soft-PK Requesting a personal certificate from a CA on user’s behalf 1. Select Start -> Programs -> SafeNet/Soft-PK -> Certificate Manager (or right click the SafeNet icon and select Certificate Manager). 2. Click the My Certificates tab. 3. Click Reque[...]

  • Page 59

    Managing certificates on Soft-PK Installing and Working with Soft-PK 4-9 TIP: You should select the new certificate and click Verify to validate it. Exporting a personal certificate 14. In the My Certificates tab, select a personal certificate. 15. Click Export. The Export Certificate and Private Key dialog box appears. 16. In the Fi[...]

  • Page 60

    Managing certificates on Soft-PK 4-10 Installing and Working with Soft-PK Figure 4-4. Soft-PK Certificate Manager: CA Certificates tab, Import CA Certificate 4. Insert the diskette containing the self-signed firewall or certificate file. 5. From the Files of type: field, select All Files (*.*) and then navigate to [...]

  • Page 61

    Managing certificates on Soft-PK Installing and Working with Soft-PK 4-11 Importing a personal certificate into Soft-PK Use the following procedure to import a personal certificate into the Soft-PK system. This procedure is done at the client system and assumes Soft-PK is already installed. Note: This procedure is summarized on t[...]

  • Page 62

    Managing certificates on Soft-PK 4-12 Installing and Working with Soft-PK Note: You must provide this password to the end user so they can later import this certificate file. 8. Click Import. A prompt appears to confirm you want to import the selected Personal Certificate. Figure 4-9. Verification window 9. Clic[...]

  • Page 63

    Configuring a security policy on the Soft-PK Installing and Working with Soft-PK 4-13 Configuring a security policy on the Soft-PK As an administrator, you can configure end user security policies on your Soft-PK system, save them to a diskette, and distribute them to your users. Your end users then simply import the se[...]

  • Page 64

    Configuring a security policy on the Soft-PK 4-14 Installing and Working with Soft-PK 4. Start defining a new policy. Select Edit -> Add -> Connection to create a new policy. Figure 4-11. Soft-PK: Security Policy Editor 5. Specify a descriptive name for the connection. (The name "SecureVPN" is used [...]

  • Page 65

    Configuring a security policy on the Soft-PK Installing and Working with Soft-PK 4-15 — Click on the Edit Name button, in the window that appears (Figure 4-12), enter the Distinguished Name information. Input all fields from the Firewall Certificate and click OK. Figure 4-12. Soft-PK: Edit Distinguished Name window to sp[...]

  • Page 66

    Configuring a security policy on the Soft-PK 4-16 Installing and Working with Soft-PK a. Select the authentication method for this connection. • If using shared password: Click Pre-Shared Key and enter the shared password. • If using digital certificates: Select the personal certificate previously imported from the drop-down lis[...]

  • Page 67

    Configuring a security policy on the Soft-PK Installing and Working with Soft-PK 4-17 12. Specify the Key Exchange settings. Select Key Exchange (Phase 2) -> Proposal 1. Figure 4-16. Soft-PK: Key Exchange (Phase 2) -> Proposal 1 fields • SA Life: Select Unspecified to default to Sidewinder settings. • Compressi[...]

  • Page 68

    Configuring a security policy on the Soft-PK 4-18 Installing and Working with Soft-PK[...]

  • Page 69

    5 Deploying Soft-PK to Your End Users 5-1 5 7 CHAPTER 5 Deploying Soft-PK to Your End Users About this chapter This chapter summarizes the final preparation steps for deploying the Soft-PK software, digital certificate files, and security policy to your end users. It is based on a worksheet that you edit and send to each [...]

  • Page 70

    5 Overview 5-2 Deploying Soft-PK to Your End Users Overview You should deploy the Soft-PK installation program with a customized security policy and the necessary digital certificates. Custom installations are designed to make it easy to manage corporate security policies for tens, hundreds, or thousands of end users. Along wit[...]

  • Page 71

    Overview Deploying Soft-PK to Your End Users 5-3 Prior to customizing the worksheet, take a few minutes to organize the files and information you need to deploy to your end users. Table 5-1. Organize the files/software for each client (end user) Copy the Soft-PK software, certificate file, personal certificate file, and[...]

  • Page 72

    Customizing the user worksheet 5-4 Deploying Soft-PK to Your End Users Customizing the user worksheet This section provides summary information about each section in the default UserWorksheet.doc file. Specifying dial-up network instructions Figure 5-2 shows the text in the initial UserWorksheet.doc file that pertains to sett[...]

  • Page 73

    Customizing the user worksheet Deploying Soft-PK to Your End Users 5-5 Specifying certificate import/request instructions Figure 5-4 shows the text in the initial UserWorksheet.doc file that pertains to digital certificates. The default text covers a basic instructions for importing certificate files from a disk you provide. [...]

  • Page 74

    Customizing the user worksheet 5-6 Deploying Soft-PK to Your End Users Specifying security policy instructions Figure 5-5 shows the text in the initial UserWorksheet.doc file that pertains to the Soft-PK security policy. The default text covers a basic instructions for importing a security policy from a disk you provide. Chang[...]

  • Page 75

    A Troubleshooting A-1 A APPENDIX A Troubleshooting About this appendix This appendix provides a summary of troubleshooting techniques available for resolving Soft-PK and Sidewinder VPN connection problems. This appendix addresses the following topics: • "Soft-PK Log Viewer" on page A-1 • "Soft-PK Connec[...]

  • Page 76

    A Soft-PK Connection Monitor A-2 Troubleshooting The following summarizes the tasks you can perform. Soft-PK Connection Monitor The Connection Monitor displays statistical and diagnostic information for each active connection in the security policy. This utility is designed to display the actual security policy settings[...]

  • Page 77

    Soft-PK Connection Monitor Troubleshooting A-3 You will see an icon to the left of the connection name: • A key indicates that the connection has a Phase 2 IPSec SA, or both a Phase 1 and Phase 2 SA. When there is a single Phase 1 SA to a gateway that is protecting multiple Phase 2 SAs, there will be a single Phase 1 connection wi[...]

  • Page 78

    Sidewinder troubleshooting commands A-4 Troubleshooting that the selected connection has established SAs. • To view Authentication (Phase 1) security associations negotiated by IKE, click the Phase 1 tab. • To view Key Exchange (Phase 2) security associations negotiated by IPSec, click the Phase 2 tab. Side[...]

  • Page 79

    [...]

  • Page 80

    Part Number: 86-0935037-A Software Version: Soft-PK 5.1.3 Build 4 and Sidewinder 5.1.0.02 Product names used within are trademarks of their respective owners. Copyright © 2001 Secure Computing Corporation. All rights reserved.[...]