Page: 1/60
Project:
Client Name: SSBS
Client Address:
Abstract:
Document Author: Noushad Thadathil, Network Engineer, +966 55 494 3953
Date:
Confidentiality Notice:
This document contains valuable trade secrets and confidential information of SSBS,
and shall not be disclosed to any person, organization, or entity unless such
disclosure is subject to the provisions of written non-disclosure and proprietary rights
agreement or intellectual property license agreement approved by SSBS.
The distribution of this document does not grant any license in or rights in whole or in
part, to the content, the product, technology, or intellectual property described herein.
Document Approval
Issue: 01
Name: Eng. Haris P Mohammed
Title: Project Manager
Initials/Sign:
Date: 3 July 09
Document Distribution
Name: Mr. Syed Tahir; Title: Infrastructure Manager; Company: SSBS
Name: Mr. Shakkeer; Title: Network Administrator; Company: SSBS
Table of Contents
1 Introduction ... 05
  a. Purpose of this Document ... 05
  b. Acknowledgment ... 05
2 Deploy Cyberoam in Gateway mode ... 05
3 Accessing the Web Admin Console ... 12
4 Upgrading Cyberoam firmware ... 14
5 Configuring Gateways ... 16
6 Integration with Active Directory ... 16
7 Import Active Directory Groups ... 21
8 Clientless Single Sign On implementation ... 25
9 Parent Proxy Deployment ... 31
10 L2TP VPN ... 34
11 Configure MS Windows XP VPN Client for L2TP connection ... 37
12 High Availability (HA) ... 44
13 Backup and Restore Cyberoam ... 48
14 Site to Site VPN ... 51
15 Bill of Quantity ... 60
16 Software Version Information ... 60
1. Introduction
1.a Purpose of this Document
This document provides the as-built documentation for the Cyberoam UTM deployment. It will help the SSBS IT team understand and administer their new infrastructure.
1.b Acknowledgment
GBS would like to thank the SSBS IT Infrastructure team for their dedication and teamwork with the GBS team, and for the facilitation, cooperation and support that enabled us to achieve a successful implementation.
2. Deploy Cyberoam in Gateway mode
Starting the Network Configuration Wizard
Click the Wizard button at the top right of the Dashboard to start the Network Configuration Wizard, then click Start.
Cyberoam takes some time to restart; wait before clicking through to the Web Admin Console.
Note:
After changing the LAN IP address, you must use the new IP address to reconnect to the Web Admin Console. You may also have to change the IP address of the management station so that it is on the same subnet as the new address.
This completes the basic configuration of Cyberoam; the appliance is now ready for use.
HTTP log in
To open the unencrypted login page, type the following in the browser's address box:
http://<IP address of Cyberoam>
Because this page is unencrypted, the administrator credentials cross the network in clear text.
Dashboard screen
Step 4. Upgrade
Once the upgrade file has been uploaded successfully, log on to the console to upgrade the version.
Log on to the Cyberoam Telnet Console.
From the Main menu, type 6 to upgrade and follow the on-screen instructions.
A success message is displayed when the upgrade completes.
Repeat the above steps if more than one upgrade is available, applying them in the same sequence as displayed on the Available Upgrades page.
5. Configuring Gateways
Basic load balancing consists of defining multiple gateways. During installation you have already configured the IP address of the default gateway. Apart from defining the gateways, the configuration also consists of:
1. Assigning a weight to each link
2. Deciding how to check for link failure
3. Deciding what action to take in case of link failure
Add Gateway
Select System > Gateway > Manage Gateway(s).
Weight: displays the weight assigned to the gateway; used for load balancing and failover.
On the ADS server:
Go to Start > Programs > Administrative Tools > Active Directory Users and Computers.
Right-click the required domain and open the Properties tab.
The Search DN is based on the FQDN. In the given example the FQDN is SSBS.LAN, so the Search DN is DC=SSBS, DC=LAN.
Specify the TCP/IP port number in the Port field. This is the port on which the ADS server listens for authentication requests. On the Cyberoam appliance the default port for ADS traffic is 389. If your AD server uses another port, specify that port number in the Port field.
If multiple custom containers have been created, repeat the entire process for each container.
Step 3: Select the groups to be imported into Cyberoam. Use <Ctrl> + Click to select multiple groups. All groups created in AD are displayed, whether or not they have already been imported into Cyberoam. An asterisk (*) beside a group name indicates that the group has already been imported.
Use the arrows to move groups between the group lists.
If a user is a member of multiple AD groups, Cyberoam decides the user's group based on the order of the groups defined in Cyberoam. Cyberoam searches the Group ordered list from top to bottom to determine the user's group membership. The first group that matches is taken as the user's group, and that group's policies are applied to the user.
Groups can be re-ordered using the Wizard to change the membership preference.
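The Search DN derivation and the ordered-list group matching described above, as an added example that is not part of this as-built document (the group and user names are constructed, and the DN is written without the space shown in the document):

```python
# Added example, not part of the as-built document: derive the Search DN that
# Cyberoam needs from the AD domain FQDN, and resolve a user's effective group
# the way the document describes (first match in the Group ordered list wins).
# Group and user names below are constructed sample data.

def search_dn_from_fqdn(fqdn: str) -> str:
    """SSBS.LAN -> DC=SSBS,DC=LAN: one DC= component per DNS label."""
    labels = [p for p in fqdn.strip().strip(".").split(".") if p]
    if not labels:
        raise ValueError("FQDN must contain at least one label")
    return ",".join(f"DC={label}" for label in labels)


def resolve_cyberoam_group(user_ad_groups, cyberoam_group_order):
    """Return the group whose policies Cyberoam applies to this user.

    cyberoam_group_order is the Group ordered list from the Cyberoam Wizard,
    top to bottom. A user who belongs to several AD groups gets the first
    entry in that list that they are a member of. AD group names are not
    case-sensitive, so the comparison is case-insensitive too.
    """
    member_of = {g.lower() for g in user_ad_groups}
    for group in cyberoam_group_order:
        if group.lower() in member_of:
            return group
    return None  # the user is in none of the imported groups


# Constructed sample: the same user evaluated against two orderings.
GROUP_ORDER = ["VPN-Users", "IT-Staff", "All-Employees"]
USER_GROUPS = ["All-Employees", "IT-Staff"]  # memberOf values from AD

if __name__ == "__main__":
    print(search_dn_from_fqdn("SSBS.LAN"))                   # DC=SSBS,DC=LAN
    print(resolve_cyberoam_group(USER_GROUPS, GROUP_ORDER))  # IT-Staff
    # Moving All-Employees above IT-Staff changes which policies apply.
    print(resolve_cyberoam_group(USER_GROUPS, GROUP_ORDER[::-1]))  # All-Employees
```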
Check for the Cyberoam Transparent Authentication Suite entry under Start > All Programs. If the installation succeeded, the Cyberoam Transparent Authentication Suite entry will have been added.
Consider the hypothetical network example below, where a single domain controller is configured, and follow the steps given to configure Cyberoam Transparent Authentication:
Configure the CTA Collector from the CTA Collector tab on the Primary Domain Controller.
If logoff detection is enabled and a firewall is configured on the workstation, allow traffic to and from the Domain Controller. If ping is blocked, Cyberoam will always detect the user as logged out.
Step 8. Configure the Agent from the CTA Agent tab on the Primary Domain Controller.
Diagram: Internet and internal network (LAN or DMZ)
Step 1. Go to System > HTTP Proxy > Configure HTTP Proxy and configure the upstream proxy IP address and communication port.
If the parent proxy is deployed in the DMZ, create DMZ to WAN and DMZ to DMZ firewall rules.
Allow Re-keying: No
Pass Data In Compressed Format: Yes
Perfect Forward Secrecy (PFS): No
Key life: 3600 secs
Action When Peer Is Not Active: Clear
Change other values as per your requirements.
Step 4. Create the L2TP connection from VPN > L2TP Connection > Create Connection with the following values:
Name: branch_1
Policy: l2tp_policy (created in step 3)
Action on Restart: Active
Authentication Type: Preshared key
Preshared key: specify as per your requirement
Local server: select the WAN IP address of Cyberoam
Local ID: specify as per your requirement
Change other values as per your requirements.
Step 5. Activate the connection from VPN > L2TP Connection > Manage Connection and click the activation icon against each connection. The icon shown under Connection Status indicates that the connection has been activated successfully. Once the connection is activated, the L2TP client can establish the connection.
The WAN IP address should be the same as specified in the Local server field under Local Network Details in the L2TP Connection.
Select Anyone's use and click Next.
7. Click Finish.
8. If the Windows dialer does not open automatically, click Connection to open the dialer.
9. Click Properties.
In the Networking tab, select L2TP IPSec VPN as the Type of VPN and click OK.
In the Security tab:
1) Select Advanced, click Settings, enable Unencrypted password (PAP) and click OK. PAP carries the password without any encryption of its own; in this setup it is protected only by the IPSec tunnel that carries the L2TP session.
2) Click IPSec Settings and enable Use pre-shared key for authentication. Specify the preshared key and click OK.
Before configuring HA
Points to be noted
DHCP & PPPoE: a High Availability (HA) cluster cannot be configured if any of the Cyberoam interfaces is dynamically configured using the DHCP or PPPoE protocols.
Cyberoam upgrade: AutoUpgrade mode is automatically disabled on both cluster appliances once the HA cluster is configured. To upgrade the HA cluster appliances, HA mode must be disabled and each appliance upgraded individually.
HA session failover: AV-scanned sessions, VPN sessions, UDP, ICMP, multicast and broadcast sessions, and proxy traffic sessions are not maintained when an HA cluster is configured.
Masqueraded connections: in case of any of the following events on either HA cluster appliance, all masqueraded connections will be dropped:
Restart Management Service (RMS)
Execution of Network Configuration
Manual Synchronization
HA load balancing: an Active-Active HA cluster does not load balance VPN sessions, UDP, ICMP, multicast and broadcast sessions. TCP traffic for the Web Admin Console or Telnet Console and VLAN traffic sessions are also not load balanced between the cluster appliances.
Restore backup: HA must be disabled to restore a backup.
The Network Configuration Wizard will not allow you to update the DMZ IP address that is configured as the dedicated HA link port.
Before attempting to configure two Cyberoam appliances as an HA pair for hardware failover, check the following requirements:
Both appliances in the HA cluster, i.e. the primary and auxiliary appliances, must have the same number of interfaces.
Both appliances in the HA cluster must have the same version installed.
You must have separate licenses for the primary and auxiliary appliances. The same subscription modules should be enabled on both appliances, otherwise those modules will not be supported in the event of a failure of the primary appliance. For example, if the IDP module is enabled on the primary appliance and not on the auxiliary appliance, then on failover, when the auxiliary appliance becomes active, IDP policies will not be applied.
The dedicated HA link port must be a DMZ zone interface and must have a unique IP address on each appliance.
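The requirements above turned into a pre-flight check, as an added example that is not part of this as-built document (the appliance records, port names and addresses are constructed, and the dictionary fields are this example's own):

```python
# Added example, not part of the as-built document: a pre-flight check of the
# HA prerequisites listed above for a candidate primary/auxiliary pair. The
# appliance records are constructed sample data and their field names are this
# example's own, not a Cyberoam interface.

def check_ha_prerequisites(primary: dict, auxiliary: dict, ha_port: str) -> list:
    """Return the reasons the pair cannot form an HA cluster; empty means OK."""
    problems = []
    if primary["interface_count"] != auxiliary["interface_count"]:
        problems.append("interface count differs")
    if primary["version"] != auxiliary["version"]:
        problems.append("firmware version differs")
    # A module enabled only on the primary is not enforced after failover
    # (the document's IDP example), so the auxiliary must have all of them.
    missing = set(primary["modules"]) - set(auxiliary["modules"])
    if missing:
        problems.append("modules not enabled on auxiliary: " + ", ".join(sorted(missing)))
    for name, appl in (("primary", primary), ("auxiliary", auxiliary)):
        if appl["dynamic_interfaces"]:  # interfaces configured by DHCP or PPPoE
            problems.append(f"{name} has DHCP/PPPoE interfaces: "
                            + ", ".join(appl["dynamic_interfaces"]))
        if appl["zone"].get(ha_port) != "DMZ":
            problems.append(f"{name}: HA link port {ha_port} is not in the DMZ zone")
    if primary["ip"].get(ha_port) == auxiliary["ip"].get(ha_port):
        problems.append(f"HA link port {ha_port} needs a unique IP on each appliance")
    return problems


# Constructed sample pair; port names and addresses are made up.
PRIMARY = {"interface_count": 4, "version": "9.5.8 build 1", "modules": ["IDP", "AV"],
           "dynamic_interfaces": [], "zone": {"PortC": "DMZ"}, "ip": {"PortC": "10.10.10.1"}}
AUXILIARY = {"interface_count": 4, "version": "9.5.8 build 1", "modules": ["IDP", "AV"],
             "dynamic_interfaces": [], "zone": {"PortC": "DMZ"}, "ip": {"PortC": "10.10.10.2"}}
# An auxiliary that must be rejected: IDP missing, PPPoE on PortB, HA IP not unique.
BAD_AUXILIARY = {"interface_count": 4, "version": "9.5.8 build 1", "modules": ["AV"],
                 "dynamic_interfaces": ["PortB"], "zone": {"PortC": "DMZ"},
                 "ip": {"PortC": "10.10.10.1"}}

if __name__ == "__main__":
    print(check_ha_prerequisites(PRIMARY, AUXILIARY, "PortC"))  # []
    for problem in check_ha_prerequisites(PRIMARY, BAD_AUXILIARY, "PortC"):
        print("-", problem)
```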
1. Select Firewall > Create Rule and create a firewall rule with the following parameters (on both appliances):
Source: DMZ/Any Host
Destination: LOCAL/Dedicated HA link port
Service: HA Service
Action: Accept
2. Select User > User > Add User and add the HA administrator.
Make sure to select User Type as Administrator when creating the HA administrator, as the audit log entries for HA events are logged under this username. HA events in the audit log can be identified by this name.
3. Select System > HA > Configure HA.
4. The appliance key is displayed as the Primary Appliance Key. The Auxiliary Appliance Key is displayed after HA is configured.
5. Select the HA mode for the cluster. When configuring a cluster, you must set all members of the HA cluster to the same HA mode.
Active-Active: select to configure a cluster for load balancing and failover HA. In active-active mode both the primary and auxiliary appliances process traffic and monitor the status of the other cluster appliance. The primary appliance controls load balancing between the two cluster appliances.
Active-Passive: select to configure a cluster for failover HA. In active-passive mode the primary appliance processes all connections. The auxiliary appliance passively monitors the cluster status and remains synchronized with the primary appliance.
6. Specify the HA link port. HA peers are physically connected through this port using a crossover cable. You must use the same port as the HA link port on the peer appliance. Cluster appliances use this link to exchange cluster information and to synchronize with each other.
The dedicated HA link port must be one of the DMZ zone interfaces.
7. Specify the HA Administrator username, as defined in step 2.
8. Specify the IP address configured on the HA link port of the peer appliance.
9. Specify the Administration Port of the peer appliance, i.e. the peer appliance port on which access is allowed for administration purposes.
10. Specify the Administration Port IP address of the peer appliance. Use this IP address to access the Web Admin Console of the peer appliance.
11. Select the ports to be monitored. Both appliances monitor their own ports; if any monitored port goes down, the appliance removes itself from the cluster and failover occurs.
12. Click Enable HA to enable HA.
Before enabling HA, make sure that the firewall rule specified in step 1 has also been created on the peer appliance. The appliance from which HA is enabled will act as the primary appliance, while the peer appliance will act as the auxiliary appliance.
If everything is cabled and configured properly and HA is enabled successfully:
Depending on the configured mode, Active will be displayed for the primary appliance and Passive or Active for the auxiliary appliance.
Both appliances will have the same configuration except for the HA link port IP address.
Higher versions cannot be restored on lower versions, i.e. a backup of version 9.5.3 build 22 cannot be restored on version 9.5.0 build 29.
A backup of a higher-end appliance cannot be restored on a lower-end appliance, i.e. from a CR1500i onto a CR500i.
Once the backup has been taken successfully, you will be prompted to download and save the backup file.
If the backup is to be restored onto another appliance, mail the saved backup file to the administrator who is going to restore it onto that appliance.
Step 2. Restore a configuration
Log on to the Web Admin Console of the appliance onto which the backup is to be restored.
Upload backup file
Upload the backup file from System > Manage Data > Restore Data and specify the name of the backup file to be uploaded, i.e. the backup file saved in step 2.
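The two restore rules stated above as a check to run before uploading a backup, added here as an example that is not part of this as-built document (the version strings follow the document's own wording; treating the number in the model name as the appliance tier is an assumption):

```python
# Added example, not part of the as-built document: applies the two restore
# rules above before a backup file is uploaded. Version strings follow the
# document's own form ("9.5.3 build 22"); treating the number in the model
# name (CR1500i vs CR500i) as the appliance tier is an assumption.
import re


def parse_version(text: str) -> tuple:
    """'9.5.3 build 22' -> (9, 5, 3, 22), which compares naturally as a tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s+build\s+(\d+)\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def model_tier(model: str) -> int:
    """'CR1500i' or 'CR-500i' -> 1500 / 500 (assumed to order the appliance range)."""
    m = re.fullmatch(r"\s*CR-?(\d+)i?\s*", model, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised appliance model: {model!r}")
    return int(m.group(1))


def can_restore(backup_version, backup_model, target_version, target_model):
    """Return (ok, reason). Only the two cases the document forbids are rejected:
    a backup from a higher version, or from a higher-end appliance."""
    if parse_version(backup_version) > parse_version(target_version):
        return False, "backup is from a higher version than the target appliance"
    if model_tier(backup_model) > model_tier(target_model):
        return False, "backup is from a higher-end appliance than the target"
    return True, "ok"


if __name__ == "__main__":
    # The document's own two examples, followed by the permitted direction.
    print(can_restore("9.5.3 build 22", "CR500i", "9.5.0 build 29", "CR500i"))
    print(can_restore("9.5.8 build 1", "CR1500i", "9.5.8 build 1", "CR500i"))
    print(can_restore("9.5.0 build 29", "CR500i", "9.5.3 build 22", "CR1500i"))
```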
We will establish the VPN connection from the Dammam branch to the Bahrain branch, therefore:
For Dammam HO:
Cyberoam is the Local server.
Cisco Router is the Remote server.
For Bahrain branch:
Cisco Router is the Local server.
Cyberoam is the Remote server.
Network Diagram
Configuration Table
Please note: the Phase 1 and Phase 2 parameters (encryption algorithm, authentication algorithm and DH/PFS group) must be the same on both peers, the Cyberoam and the Cisco Router VPN servers.
Configuration parameters: IPSec Connection (Net-to-Net)
Peers: Cyberoam, Cisco Router
Network: 192.168.110.0/24
Preshared Key: p@ssw0rd
Cyberoam Configuration
Applicable to version: 9.5.8 onwards
Task list
1. Define the VPN policy: configure the Phase 1 & Phase 2 parameters used to authenticate the remote peer and establish a secure connection.
2. Define the VPN connection parameters.
SSBS-BHA#show running-config
Building configuration...
Current configuration : 5206 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SSBS-BHA
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 errors
!
no aaa new-model
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.119
ip dhcp excluded-address 10.0.0.191 10.255.255.254
!
ip dhcp pool ssbs-bh
!
ip domain name ssbs.com.bh
ip name-server 217.17.233.101
ip name-server 193.188.97.212
!
multilink bundle-name authenticated
!
!
voice-card 0
no dspfarm
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key p@ssw0rd address 87.101.231.178
!
!
crypto ipsec transform-set SSBS esp-3des esp-md5-hmac
!
crypto map SSBS-DMM 1 ipsec-isakmp
description SSBS-DAMMAM
set peer 87.101.231.178
set transform-set SSBS
match address 190
!
log config
hidekeys
!
interface FastEthernet0/0
description $ INSIDE LAN $
ip address 10.0.0.138 255.0.0.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 77.69.141.243 255.255.255.248
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
!
interface ATM0/2/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/2/0.1 point-to-point
no snmp trap link-status
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/3/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/3/0.1 point-to-point
no snmp trap link-status
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
!
interface Dialer0
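The "same parameters on both peers" rule from the configuration table, checked mechanically against the Cisco running-config above, as an added example that is not part of this as-built document (CISCO_CONFIG repeats only the crypto lines of the excerpt; CYBEROAM_POLICY and its field names are constructed):

```python
# Added example, not part of the as-built document: read the Phase 1 (isakmp
# policy) and Phase 2 (transform-set) parameters out of a Cisco running-config
# and compare them with the Cyberoam VPN policy, i.e. the "must be the same on
# both peers" rule. CISCO_CONFIG repeats only the crypto lines of the excerpt
# above; CYBEROAM_POLICY is a constructed sample of the Cyberoam side.
import re

CISCO_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set SSBS esp-3des esp-md5-hmac
"""
CYBEROAM_POLICY = {"p1_encr": "3DES", "p1_auth": "MD5", "p1_dh": "2",
                   "p2_encr": "3DES", "p2_auth": "MD5"}

def cisco_phase_params(config: str) -> dict:
    """Return {'phase1': {...}, 'phase2': {...}} from the isakmp policy and transform-set."""
    p1, p2, in_policy = {}, {}, False
    for line in (ln.strip() for ln in config.splitlines()):
        if in_policy and (not line or line.startswith(("!", "crypto"))):
            in_policy = False           # policy block ends at '!' or the next crypto line
        if line.startswith("crypto isakmp policy"):
            in_policy = True
        elif in_policy:
            key, _, val = line.partition(" ")
            p1[key] = val               # encr, hash, authentication, group
        else:
            m = re.match(r"crypto ipsec transform-set \S+ (\S+) (\S+)", line)
            if m:
                p2 = {"esp": m.group(1), "auth": m.group(2)}
    return {"phase1": p1, "phase2": p2}

def normalize(token: str) -> str:
    """Map IOS names (esp-3des, esp-md5-hmac, sha) onto Cyberoam's spelling."""
    token = token.lower().removeprefix("esp-").removesuffix("-hmac")
    return {"3des": "3DES", "des": "DES", "md5": "MD5", "sha": "SHA1"}.get(token, token.upper())

def compare_peers(cisco: dict, cyberoam: dict) -> list:
    """Return the parameters that differ between the peers; empty means they agree."""
    p1, p2 = cisco["phase1"], cisco["phase2"]
    found = {"p1_encr": normalize(p1.get("encr", "")), "p1_auth": normalize(p1.get("hash", "")),
             "p1_dh": p1.get("group", ""), "p2_encr": normalize(p2.get("esp", "")),
             "p2_auth": normalize(p2.get("auth", ""))}
    return [f"{k}: Cisco {found[k]} vs Cyberoam {cyberoam[k]}"
            for k in cyberoam if found[k] != cyberoam[k]]

if __name__ == "__main__":
    print(compare_peers(cisco_phase_params(CISCO_CONFIG), CYBEROAM_POLICY))  # []
```

The check only confirms that the two peers agree; it says nothing about the strength of the agreed algorithms.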
CR-500i
03-CBS-BDL-0500-01
03-CFS-BDL-0500-01
03-CIP-BDL-0500-01
Description: Cyberoam UTM Device CR 500i
Serial No.: CO10001154, CO10001153
C015008850-S7DZWUWF
Antispam: C015008950-Y7H4I3AY