This document provides instructions for configuring VPN connections on an Endian UTM Appliance. It describes how to set up OpenVPN servers and clients for remote access and site-to-site VPNs. It also covers configuring IPsec VPNs, though the document recommends OpenVPN where possible. Details are provided on client and server configuration options for OpenVPN like authentication methods, network settings, and advanced options.
The endian vpn menu
The VPN Menu
Select VPN from the menu bar at the top of the screen.
Virtual private networks (VPNs) allow networks to connect directly to each other over potentially unsafe networks
such as the internet. All network traffic through the VPN connection is transmitted securely, inside an encrypted
tunnel, hidden from prying eyes. Such a configuration is called a Gateway-to-Gateway VPN. Similarly, a single computer
somewhere on the internet can use a VPN tunnel to connect to a trusted LAN. The remote computer, sometimes called
a Road Warrior, appears to be directly connected to the trusted LAN while the VPN tunnel is active.
Endian UTM Appliance can create VPNs based on the IPsec protocol supported by most operating systems and network
equipment, as well as VPNs based on the OpenVPN service.
Unfortunately, the tools needed to set up IPsec vary greatly among different systems, may be complicated to use or may
have interoperability issues. Therefore, Endian recommends OpenVPN in situations where there is no need to support an
existing IPsec infrastructure. Endian UTM Appliance includes a user friendly OpenVPN client for Microsoft Windows,
Linux and MacOS X.
Following is a list of links that appear in the submenu on the left side of the screen and that allow setting up VPNs of
any of the types mentioned:
• OpenVPN server - set up the OpenVPN server so that clients (be it Road Warriors or other Endian UTM Appliances in a Gateway-to-Gateway setup) can connect to your GREEN zone through a VPN tunnel
• OpenVPN client (Gw2Gw) - set up the client-side of a Gateway-to-Gateway setup between two or more Endian UTM Appliances
• IPsec - set up IPsec-based VPN tunnels
Each link will be explained individually in the following sections.
OpenVPN server
Select VPN from the menu bar at the top of the screen, then select OpenVPN server from the submenu on the left side of
the screen.
Server configuration
In this panel you can enable the OpenVPN server and define in which zone it should run.
OpenVPN server enabled
Click this to make sure the OpenVPN server is started.
Bridged
If you want to run the OpenVPN server in one of the existing zones, check this box.
Note
If the OpenVPN server is not bridged you must set the firewall rules in the VPN firewall to make sure clients
can access any zone - unless you do not want them to.
VPN subnet
This option is only available if you disable bridged mode, which allows you to run the OpenVPN server in its
own subnet that can be specified here.
Bridge to
If bridged mode has been selected here you can choose to which zone the OpenVPN server should be bridged.
Dynamic IP pool start address
The first possible IP address in the network of the selected zone that should be used for the OpenVPN clients.
Dynamic IP pool end address
The last possible IP address in the network of the selected zone that should be used for the OpenVPN clients.
Note
Traffic directed to this IP pool has to be filtered using the VPN firewall.
Click on Save to save the settings and start the OpenVPN service. The first time the service is started a new (self-
signed) certificate for this OpenVPN server is generated. Click on the Download CA certificate link to download it. You
will need it later when setting up the clients.
The following panel shows a list of currently connected clients, once OpenVPN is up and running. It is possible to kill
and ban connections. The difference between killing and banning is that banned users are not able to reconnect after
their connection has been killed.
Accounts
This panel contains the list of OpenVPN accounts.
Click on Add account to add an account. The following parameters can be specified for each account:
Account information
Username
user login name
Password / Verify password
specify password (twice)
Client routing
Direct all client traffic through the VPN server
if you check this, all the traffic from the connecting client (regardless of the destination) is routed through
the uplink of the Endian UTM Appliance that hosts the OpenVPN server. The default is to route traffic with
a destination that is not part of any of the internal Endian zones (such as internet hosts) through the
client’s uplink
Don’t push any routes to client
(advanced users only) normally, when a client connects, tunneled routes to networks that are accessible via
VPN are added to the client’s routing table - check this box if you do not want this to happen and are
prepared to manipulate your clients’ routing tables manually
Networks behind client
only needed if you want to use this account as client in a Gateway-to-Gateway setup: enter the networks
behind this client you would like to push to the other clients
Push only these networks
add your own network routes to be pushed to the client here (overrides all automatically pushed routes)
Custom push configuration
Static ip addresses
normally, dynamic IP addresses are assigned to clients, you can override this here and assign a static
address
Push these nameservers
assign nameservers on a per-client basis here
Push domain
assign search domains on a per-client basis here
Note
In all of these fields, addresses and networks must be given in CIDR notation (e.g. 192.168.0.0/24).
Click the Save button to save the account settings. You can at any moment disable/enable, edit or delete accounts by
clicking on the appropriate icon on the right side of the table (see the icon legend at the bottom).
If you are planning to have two or more branch offices connected through a Gateway-to-Gateway VPN it is good advice
to choose different subnets for the LANs in the different branches. For example, one branch might have a GREEN zone
with the 192.168.1.0/24 subnet while the other branch uses 192.168.2.0/24. This way, correct routes will be assigned in a
fully automatic way and you do not have to deal with pushing custom routes.
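As an added illustration (not Endian's code) of what the per-client push options and the distinct-subnet advice above amount to on a plain OpenVPN 2.x server, the functions below render the client-config-dir (ccd) directives for one account and flag overlapping branch subnets. The VPN subnet 10.8.0.0/24, "topology subnet" and all sample addresses are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Sequence


def parse_cidr(value: str) -> ipaddress.IPv4Network:
    """Accept only CIDR notation such as 192.168.0.0/24 (see the Note above)."""
    if "/" not in value:
        raise ValueError(f"{value!r} must be given in CIDR notation, e.g. 192.168.0.0/24")
    # strict=True also rejects 192.168.0.5/24, where host bits are set
    return ipaddress.IPv4Network(value, strict=True)


def overlapping_branches(zones: Dict[str, str]) -> List[str]:
    """List the pairs of branch LANs whose subnets overlap.

    Branches behind a Gateway-to-Gateway tunnel need distinct subnets for
    routes to be assigned automatically, so run this before adding
    'Networks behind client' entries for them.
    """
    names = sorted(zones)
    clashes = []
    for i, left in enumerate(names):
        for right in names[i + 1:]:
            if parse_cidr(zones[left]).overlaps(parse_cidr(zones[right])):
                clashes.append(f"{left} {zones[left]} overlaps {right} {zones[right]}")
    return clashes


def render_ccd(vpn_subnet: str = "10.8.0.0/24",          # assumed tunnel network
               static_ip: Optional[str] = None,
               networks_behind_client: Sequence[str] = (),
               push_only: Sequence[str] = (),
               nameservers: Sequence[str] = (),
               domain: Optional[str] = None) -> List[str]:
    """Return the ccd/<username> lines for one account (assumes 'topology subnet')."""
    tunnel = parse_cidr(vpn_subnet)
    lines: List[str] = []
    if static_ip:
        addr = ipaddress.IPv4Address(static_ip)
        if addr not in tunnel:
            raise ValueError(f"static address {static_ip} is outside {vpn_subnet}")
        lines.append(f"ifconfig-push {addr} {tunnel.netmask}")
    for net in map(parse_cidr, networks_behind_client):
        # iroute tells the server which client owns this LAN; the server
        # config additionally needs a matching global 'route' statement.
        lines.append(f"iroute {net.network_address} {net.netmask}")
    if push_only:
        # 'Push only these networks' overrides the automatically pushed routes
        lines.append("push-reset")
        for net in map(parse_cidr, push_only):
            lines.append(f'push "route {net.network_address} {net.netmask}"')
    for ns in nameservers:
        lines.append(f'push "dhcp-option DNS {ipaddress.IPv4Address(ns)}"')
    if domain:
        lines.append(f'push "dhcp-option DOMAIN {domain}"')
    return lines


if __name__ == "__main__":
    # constructed sample: two branches on distinct subnets, as the text advises
    print(overlapping_branches({"branch-a": "192.168.1.0/24", "branch-b": "192.168.2.0/24"}))
    print("\n".join(render_ccd(static_ip="10.8.0.50",
                               networks_behind_client=["192.168.2.0/24"])))
```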
Advanced
Use this panel to change advanced settings. Among other things, certificate-based authentication (as opposed to
password-based) can be set up in this section.
The first section has some generic settings regarding the server:
Port / Protocol
port 1194 / protocol UDP are the default OpenVPN settings. It is a good idea to keep these values as they
are - if you need to make OpenVPN accessible via other ports (possibly more than one), you can use port
forwarding (see Firewall, Port Forwarding). A use case for setting TCP as the protocol is when you want to
access the OpenVPN server through a third-party HTTP proxy.
Block DHCP responses coming from tunnel
check this if you’re getting DHCP responses from the LAN at the other side of the VPN tunnel that conflict
with your local DHCP server
Don’t block traffic between clients
the default is to isolate clients from each other; check this if you want to allow traffic between different
VPN clients
In the second section you can change the global push options.
Push these networks
if enabled, the routes to the specified networks are pushed to the connected clients
Push these nameservers
if enabled, the specified nameservers are pushed to the connected clients
Push domain
if enabled, the specified search domains are pushed to the connected clients
Note
All addresses and network addresses must be given in CIDR notation (such as 192.168.0.0/24).
The third section lets you specify the authentication method:
Endian UTM Appliance’s default method is PSK (username/password). If you want to use this method, you do not have to
change the settings here.
The Download CA certificate link lets you download the certificate for this OpenVPN server as it is needed by the clients
(this is the public certificate, which is used to verify the authenticity of the server). Furthermore, the Export CA as
PKCS#12 file link lets you download the certificate in PKCS#12 format (keep it private!), which can be imported into any
OpenVPN server that you wish to use as a fall back server.
Finally, should this system be a fallback system, you can upload the PKCS#12 file that you exported from your primary
server (leave “Challenge password” empty if the file came from an Endian UTM Appliance).
If you would rather use an X.509-certificate-based method here (either certificate only or certificate plus password),
things get a bit more complicated. It is assumed (and required) that you use an independent certificate authority (CA) for
this purpose. It is neither possible nor desired to host such a certificate authority on Endian UTM Appliance.
You need to generate and sign certificates for the server and for every client using your certificate authority. The
certificate type must be explicitly specified and be one of “server” and “client” (“netscape certificate type” field).
The server certificate file in PKCS#12 format must be uploaded in this section (specify the “Challenge password” if you
supplied one to the certificate authority before or during the creation of the certificate).
The client certificates need to have the common name fields equal to their OpenVPN user names.
Warning
If you use certificate-only authentication a client that has a valid certificate can connect even if there is no
corresponding OpenVPN user account!
You can also upload a revocation list, in case you lost a client certificate and hence have revoked it on your CA.
VPN client download
Click on the link to download the Endian VPN client for Microsoft Windows, MacOS X and Linux from Endian Network.
OpenVPN client (Gw2Gw)
Select VPN from the menu bar at the top of the screen, then select OpenVPN client (Gw2Gw) from the submenu on the
left side of the screen.
In this section you can set up the client side of a Gateway-to-Gateway VPN connection. You have two possibilities to
create OpenVPN client connections. You can either click on Add tunnel configuration to enter information about
the OpenVPN server you want to connect to (there can be more than one) or, if you have an OpenVPN Access
Server, you can import the client settings from there by clicking Import profile from OpenVPN Access Server.
Add tunnel configuration
Connection name
just a label for this connection
Connect to
the remote OpenVPN server’s fully qualified domain name and port (such as efw.example.com:port) - the
port is optional and defaults to 1194
Upload certificate
if the server is configured to use PSK authentication (password/username), you must upload the server’s
host certificate (the one you get from the Download CA certificate link at the server). Otherwise, if you use
certificate-based authentication, you must upload the server’s PKCS#12 file (you can get it from the Export
CA as PKCS#12 file link on the server (advanced section of the OpenVPN submenu).
PKCS#12 challenge password
specify the “Challenge password” if you supplied one to the certificate authority before or during the
creation of the certificate
Username / Password
if the server is configured to use PSK authentication (password/username) or certificate plus password
authentication, give the username and password of the OpenVPN server account here
Remark
your comment
Click on Advanced tunnel configuration to see more options:
Fallback VPN servers
Specify one or more (one per line) fallback OpenVPN servers in the
form efw.example.com:port:protocol (port and protocol are optional and default to 1194 and udp
respectively). If the connection to the main server fails, a fallback server will take over.
Device type
Choose here whether you want to use a TAP or a TUN device. This setting must be equal to the OpenVPN
server setting to which you want to connect.
Connection type
This field is not available if TUN has been selected as Device type; in that case the connection type is always
“routed”. Otherwise choose “routed” (the client firewall acts as a gateway to the remote LAN) or “bridged” (as if the
client firewall were part of the remote LAN). Default is “routed”.
Bridge to
This field is not available if TUN has been selected as Device type. Select the zone to which this client
connection should be bridged.
Block DHCP responses coming from tunnel
Check this if you are getting DHCP responses from the LAN at the other side of the VPN tunnel that conflict
with your local DHCP server
NAT
Check this if you want to hide the clients connected through this Endian UTM Appliance behind the firewall’s
VPN IP address. Doing so will prevent incoming connection requests to your clients.
Protocol
UDP (default) or TCP. Set to TCP if you want to use an HTTP proxy (next option).
HTTP proxy
If your Endian UTM Appliance can access the internet only through an upstream HTTP proxy it is still
possible to use it as an OpenVPN client in a Gateway-to-Gateway setup. However, you must use the TCP
protocol for OpenVPN on both sides. Fill in the HTTP proxy account information in these text fields: proxy
host (such as proxy.example.com:port, where port defaults to 8080), username and password. You can even
use a forged user agent string if you want to camouflage your Endian UTM Appliance as a regular web
browser.
Click the Save button to save the tunnel settings. You can at any moment disable/enable, edit or delete tunnels from the
list by clicking on the appropriate icon on the right side of the table (see the icon legend at the bottom).
Once you have configured your connection you will find a new section when editing the connection at the bottom of the
page. In this section called TLS authentication it is possible to add a TLS key file to be used for the connection.
TLS key file
Here you can upload the key file.
MD5
If you have uploaded a TLS key file here you will see the MD5 checksum of the file.
Direction
This field is usually set to 0 on servers and therefore to 1 on clients. Set the value to 1 unless you know
what you are doing.
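The rules stated in this tunnel form (port defaulting to 1194, protocol defaulting to udp, TCP required on every server entry behind an HTTP proxy whose port defaults to 8080, TUN implying “routed”, tls-auth direction 1 on the client) as an added, self-contained example that is not Endian's code; the host names and the ta.key file name are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class Endpoint:
    host: str
    port: int
    proto: str


def _host_port(spec: str, default_port: int) -> Tuple[str, int, List[str]]:
    """Split 'host[:port[...]]'; an empty port field falls back to the default."""
    parts = spec.strip().split(":")
    host = parts[0]
    port = int(parts[1]) if len(parts) > 1 and parts[1] else default_port
    if not host or not 1 <= port <= 65535:
        raise ValueError(f"bad host or port in {spec!r}")
    return host, port, parts[2:]


def parse_server(spec: str) -> Endpoint:
    """Parse 'host[:port[:protocol]]' as used by Connect to and Fallback VPN servers."""
    host, port, extra = _host_port(spec, 1194)
    proto = extra[0].lower() if extra else "udp"
    if len(extra) > 1 or proto not in ("udp", "tcp"):
        raise ValueError(f"bad protocol in {spec!r}")
    return Endpoint(host, port, proto)


def render_client(connect_to: str, fallbacks: Sequence[str] = (), device: str = "tun",
                  connection_type: str = "routed", http_proxy: Optional[str] = None,
                  tls_key: Optional[str] = None, direction: int = 1) -> List[str]:
    """Return OpenVPN client directives, or raise ValueError on an invalid combination."""
    device = device.lower()
    if device not in ("tun", "tap"):
        raise ValueError("Device type must be TUN or TAP")
    if device == "tun" and connection_type != "routed":
        raise ValueError("a TUN device can only be used in routed mode")
    servers = [parse_server(connect_to)] + [parse_server(s) for s in fallbacks]
    lines = ["client", f"dev {device}"]
    # OpenVPN tries 'remote' entries in order, so the fallbacks follow the main server
    for s in servers:
        lines.append(f"remote {s.host} {s.port} {s.proto}")
    if http_proxy is not None:
        if any(s.proto != "tcp" for s in servers):
            raise ValueError("an HTTP proxy requires TCP on every server entry")
        proxy_host, proxy_port, extra = _host_port(http_proxy, 8080)
        if extra:
            raise ValueError(f"unexpected trailing fields in proxy {http_proxy!r}")
        lines.append(f"http-proxy {proxy_host} {proxy_port}")
    if tls_key:
        if direction not in (0, 1):
            raise ValueError("tls-auth direction must be 0 or 1")
        # the server side of the key normally uses direction 0, the client 1
        lines.append(f"tls-auth {tls_key} {direction}")
    return lines


if __name__ == "__main__":
    # constructed sample: main server plus one fallback, reached through a proxy
    print("\n".join(render_client("efw.example.com:443:tcp", ["backup.example.com::tcp"],
                                  device="tap", connection_type="bridged",
                                  http_proxy="proxy.example.com", tls_key="ta.key")))
```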
Import profile from OpenVPN Access Server
If you want to import an OpenVPN client configuration from an OpenVPN Access Server you must provide the following
information.
Connection name
Here you set the name for the client connection.
Access Server URL
Here you specify the URL of the OpenVPN Access Server.
Note
Note that Endian UTM Appliance only supports XML-RPC configuration of the OpenVPN Access Server. Typically a URL
will therefore look like: https://<SERVERNAME>/RPC2.
Username
The username used to connect to the Access Server.
Password
The password used to connect to the Access Server.
Verify SSL certificate
If this checkbox is ticked and the server is running on an SSL encrypted connection the SSL certificate will be
checked for validity. Should the certificate not be valid the connection will be closed immediately. You might
need to disable this feature if you are using a self-signed certificate.
Remark
A comment to be able to distinguish the connection.
After clicking the Import profile button the new client configuration will be stored just like a manually created
connection.
IPsec
Select VPN from the menu bar at the top of the screen, then select IPsec from the submenu on the left side of the screen.
IPsec (IP Security) is a generic standardized VPN solution. As opposed to OpenVPN, encryption and authentication are
done at OSI layer 3 as an extension to the IP protocol. Therefore IPsec must be implemented in the IP stack,
which is part of the kernel. Since IPsec is a standardized protocol, it is compatible with most vendors that implement IPsec.
Compared to OpenVPN, IPsec’s configuration and administration is usually quite difficult due to its complexity. Because of
its design some situations are even impossible to handle, whereas they work well with OpenVPN, especially if you have to
cope with NAT. However, Endian UTM Appliance implements an easy to use administration interface that supports
different authentication methods. We strongly encourage you to use IPsec only if you need to for interoperability
reasons. Use OpenVPN wherever you can, especially if you have to work with NAT.
In the Global settings section you can set the main parameters for your IPsec configuration. The values you can set are:
Local VPN hostname/IP
Here you can enter the external IP (or a fully qualified domain name) of your IPsec host.
Enabled
By ticking this checkbox you enable IPsec.
VPN on ORANGE
If this is enabled it is possible for a user to connect to the VPN from the ORANGE zone.
VPN on BLUE
If this is enabled it is possible for a user to connect to the VPN from the BLUE zone.
Override default MTU
If you want to override the default maximum transmission unit you can specify the new value here. Usually
this is not needed.
Debug options
Ticking checkboxes in this section will increase the amount of data that is logged to /var/log/messages.
In the Connection status and control section you can see a list of accounts and their connection status. The list shows
Name, Type, Common name, Remark and Status of each connection. By clicking on the icons in the Actions column you can
perform various actions as described in the icon legend below the list. You can add a connection by clicking on the Add
button. A page will open and you can choose whether you want to add a Host-to-Net Virtual Private Network or a
Net-to-Net Virtual Private Network. Submit your choice by clicking on the Add button. On the next page you can specify
the details for this connection (you will also see this page when editing an existing connection). You can configure the
network parameters in the first section of the page:
Name
the name of this connection
Enabled
if checked, this connection is enabled
Interface
this is only available for host-to-net connections and specifies to which interface the host is connecting
Local subnet
the local subnet in CIDR notation, e.g. 192.168.15.0/24
Local ID
an ID for the local host of the connection
Remote host/IP
the IP or fully qualified domain name of the remote host
Remote subnet
this is only available for net-to-net connections and specifies the remote subnet in CIDR notation, e.g.
192.168.16.0/24
Remote ID
an ID for the remote host of this connection
Dead peer detection action
what action should be performed if a peer disconnects
Remark
a remark you can set to remember the purpose of this connection later
Edit advanced settings
tick this checkbox if you want to edit more advanced settings
In the Authentication section you can configure how authentication is handled.
Use a pre-shared key
Enter a pass phrase to be used to authenticate the other side of the tunnel. Choose this if you want a simple
Net-to-Net VPN. You can also use PSKs while experimenting with setting up a VPN. Do not use PSKs to
authenticate Host-to-Net connections.
Upload a certificate request
Some roadwarrior IPsec implementations do not have their own CA. If they wish to use IPsec’s built-in CA,
they can generate a so-called certificate request. This partial X.509 certificate must be signed by a
CA. During the certificate request upload, the request is signed and the new certificate will become available
on the VPN’s main web page.
Upload a certificate
In this case, the peer IPSec has a CA available for use. Both the peer’s CA certificate and host certificate
must be included in the uploaded file.
Upload PKCS12 file - PKCS12 file password
Choose this option to upload a PKCS12 file. If the file is secured by a password you must also enter the
password in the text field below the file selection field.
Generate a certificate
You can also create a new X.509 certificate. In this case, complete the required fields. Optional fields are
indicated by red dots. If this certificate is for a Net-to-Net connection, the User’s Full Name or System
Hostname field must contain the fully qualified domain name of the peer. The PKCS12 File Password fields ensure
that the host certificates generated cannot be intercepted and compromised while being transmitted to the
IPsec peer.
If you have chosen to edit the advanced settings of this connection, a new page will open after you hit the Save button.
In this page you can set Advanced connection settings.
Warning
Inexperienced users should not change the settings here:
IKE encryption
Here you can specify which encryption methods should be supported by IKE (Internet Key Exchange).
IKE integrity
Here you can specify which algorithms should be supported to check the integrity of packets.
IKE group type
Here you can specify the IKE group type.
IKE lifetime
Here you can specify how long IKE packets are valid.
ESP encryption
Here you can specify which encryption methods should be supported by ESP (Encapsulating Security
Payload).
ESP integrity
Here you can specify which algorithms should be supported to check the integrity of packets.
ESP group type
Here you can specify the ESP group type.
ESP key lifetime
Here you can specify how long an ESP key should be valid.
IKE aggressive mode allowed
Check this box if you want to enable IKE aggressive mode. You are encouraged NOT to do so.
Perfect Forward Secrecy
If this box is checked perfect forward secrecy is enabled.
Negotiate payload compression
Check this box, if you want to use payload compression.
Finally save the settings by clicking on the Save button.
Back on the main IPsec page you can generate new certificates and upload existing CA certificates in the Certificate
authorities section. To upload a new certificate you have to provide a name in the CA name field. Then click on browse
and select the certificate file before clicking the Upload CA certificate button. To generate new root and host
certificates just click on the Generate root/host certificates button. You will see a new page where you can enter the
required information. If you already created certificates and want to create new certificates you must click on
the Reset button. Please note that by doing this not only the certificates but also certificate based connections will be
erased.
If you want to generate new root and host certificates some information has to be entered. The fields are described
below:
Organization name
The organization name you want to use in the certificate. For example, if your VPN is tying together schools
in a school district, you may want to use something like “Some School District.”
Endian UTM Appliance hostname
This is used to identify the certificate. Use a fully qualified domain name or the firewall’s RED IP address.
Your email address
Here you can enter your email address.
Your department
Here you can enter a department name.
City
Here you can enter the name of your town or your city.
State or province
Here you can enter the name of the state or province you are living in.
Country
Choose your country here.
Subject alt name
Here you can specify an alternative hostname for identification.
The certificates are created after clicking on the Generate root/host certificates button.
If you already created certificates elsewhere earlier, you can upload a PKCS12 file in the lower section of the page
instead of generating new certificates.
Upload PKCS12 file
Open the file selection dialog and select your PKCS12 file here.
PKCS12 file password
If the file is password protected you must enter the password here.
You can upload the file by clicking on the Upload PKCS12 file button.
Creating a Net-To-Net VPN with IPsec using certificate authentication
We have two firewalls A and B, where firewall A is our certification authority.
Firewall A - RED IP: 123.123.123.123, GREEN IP: 192.168.15.1/24
Firewall B - RED IP: 124.124.124.124, GREEN IP: 192.168.16.1/24
The following steps have to be performed on firewall A:
1. In the VPN, IPsec menu enable IPsec and specify 123.123.123.123 as Local VPN hostname/IP.
2. After saving click on the Generate host/root CA certificate button (unless you already generated these certificates before) and compile the form.
3. Download the host certificate and save it as fw_a_cert.pem.
4. In the Connection status and control section click on the Add button.
5. Select Net-to-Net.
6. Enter 124.124.124.124 in the Remote host/IP field, 192.168.15.0/24 as Local subnet and 192.168.16.0/24 as Remote subnet.
7. In the Authentication section select Generate a certificate and compile the form, making sure to set a password.
8. After saving, download the PKCS12 file and save it as fw_a.p12.
The following steps have to be performed on firewall B:
1. In the VPN, IPsec menu enable IPsec and specify 124.124.124.124 as Local VPN hostname/IP.
2. After saving click on the Generate host/root CA certificate button (if you already generated them earlier you must Reset the previous certificates).
3. Do not compile anything in the first section! Instead upload the fw_a.p12 file and enter the password you set on firewall A.
4. Click on Add in the Connection status and control section.
5. Select Net-To-Net.
6. Enter 123.123.123.123 in the Remote host/IP field, 192.168.16.0/24 as Local subnet and 192.168.15.0/24 as Remote subnet.
7. Select Upload a certificate and upload the fw_a_cert.pem you have created on firewall A.