Secure ASE Communication: Difference between revisions

From wiki.comcert.com
No edit summary
No edit summary
Line 4: Line 4:
== Solution ==
== Solution ==


 
Before secure communication can be configured, unsecure IP communication (Telnet) must be established between the ASE and TruView Central. If this is not allowed by your company's security policy, these steps must be completed in the lab.


Enabling secure communication between the ASE, PAC and TruView Central should be the same for all ASEs running firmware version 6.9 or higher. This procedure has been tested on ASE Series 1900 and Series 400.
Enabling secure communication between the ASE, PAC and TruView Central should be the same for all ASEs running firmware version 6.9 or higher. This procedure has been tested on ASE Series 1900 and Series 400.


Connect to the ASE
*Connect to the ASE  


Telnet (tcp/23) Serial port (8N1, 19200)
Telnet (tcp/23) Serial port (8N1, 19200)


Login to ASE 
*Login to ASE   


Default credentials admin/visual
Default credentials admin/visual


Before secure communication can be configured, unsecure IP communication (Telnet) must be established between the ASE and TruView Central. If this is not allowed by your company's security policy, these steps must be completed in the lab.
*Enter the security dialog and enter the settings as follows.  


Check for security command and enter the settings as follows. You can add Host Address Security at a later stage. Be prepared to set a passcode. For security reasons, this should be different from the login password.
You can add Host Address Security at a later stage. Be prepared to set a passcode. For security reasons, this should be different from the login password.
<pre>CRT-DEV-ASE007> sec
</pre>


{| border="1" cellpadding="1" cellspacing="1" style="width: 500px;"
{| border="1" cellpadding="1" cellspacing="1" style="width: 1264px;"
|-
|-
| '''Parameter'''
| style="width: 249px;" | '''Parameter'''
| '''Value'''
| style="width: 93px;" | '''Value'''
| '''Remarks'''
| style="width: 905px;" | '''Remarks'''
|-
|-
| Security Level
| style="width: 249px;" | Security Level
| Partial
| style="width: 93px;" | Partial
| -
| style="width: 905px;" | -
|-
|-
| SSL TCP Port
| style="width: 249px;" | SSL TCP Port
| 2359
| style="width: 93px;" | 2359
| -
| style="width: 905px;" | This is the port for secure communication between ASE and TruView Central with the exception of Putty. &nbsp;You may choose any port except tcp/22.
|-
|-
| Change Management Passcode
| style="width: 249px;" | Change Management Passcode
| Y
| style="width: 93px;" | Y
| -
| style="width: 905px;" | -
|-
|-
| Enter Management Passcode
| style="width: 249px;" | Enter Management Passcode
| <passcode>
| style="width: 93px;" | <passcode>
| -
| style="width: 905px;" | -
|-
|-
| Change Host Address Security Table
| style="width: 249px;" | Change Host Address Security Table
| None
| style="width: 93px;" | None
| Can be added later
| style="width: 905px;" | Can be added later
|}
|}
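Review bot: The new Remarks cell for SSL TCP Port says "You may choose any port except tcp/22" without giving the reason, and "with the exception of Putty" is hard to parse on its own. Suggest stating that tcp/22 is the SSH console port used for the Putty login later in the procedure, and removing the literal &nbsp; from the cell. The Security Level row still carries "-" as its remark, so a reader who sets Partial is not told what that level covers; a one-line remark there would help. The table width is also hard-coded to 1264px, which will overflow narrower layouts.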


Line 50: Line 52:
<pre>CRT-DEV-ASE007> sh sec
<pre>CRT-DEV-ASE007> sh sec


     Security Level:         Partial
     Security Level:           Partial
     SSL TCP Port&nbsp;:           2359
     SSL TCP Port:             2359
     Management passcode:     None
     Management passcode:     None
     Pending passcode:       Ready
     Pending passcode:         Ready
     Remote Console Protocol: SSH
     Remote Console Protocol: SSH
     Host Address Security:   Disabled
     Host Address Security:   Disabled


     Host Address Security Table: EMPTY
     Host Address Security Table: EMPTY
</pre>
</pre>


Check the setttings and notice that the field Managent Passcode reads <span style="background-color:#FFFF00;">None</span>. This is expected.
*Locate and run&nbsp;IPTool&nbsp;located on TruView Central.
 
&nbsp;


Locate and run&nbsp;IPTool&nbsp;located on TruView Central. IPTool is an unsupported utility for use by Fluke Networks&nbsp;technical support.
IPTool is an unsupported utility for use by Fluke Networks&nbsp;technical support.
<pre>C:\Program Files (x86)\Fluke Networks\Visual Performance Manager Server\iptool.exe</pre>
<pre>C:\Program Files (x86)\Fluke Networks\Visual Performance Manager Server\iptool.exe</pre>


From IPTool fetch any command for appflows or voip data by entering the passcode you have chosen in the previous step.
*From IPTool fetch any command for appflows or voip data by entering the passcode you have chosen in the previous step.  
*Click '''TFTP GET''' in the top left corner of the windows and enter the ASE's settings per this example.
 
<IPToolTFTPGet>


Click '''TFTP GET''' in the top left corner of the windows and enter the ASE's settings per this example.
Click '''Go'''. The results you get are irellevant at this time. The procedure enables secure communication on&nbsp;the ASE.


<IPToolTFTPGet>
<TFTPResponseDecode>


Click Go. The results you get are irellevant at this time. The procedure enables secure communication on&nbsp;the ASE.
At this stage, you may login to the ASE using SSH (tcp/22). Putty is located on TruView Central. For security reasons, only Putty on TruView Central can be used to connect securely to the ASE. &nbsp;In future releases this restriction will be lifted.


&nbsp;
<TVCPuttyConfiguration>


&nbsp;
<TVCPutty>
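Review bot: Two typos are carried into the revised lines and should be fixed while they are being touched: "irellevant" in the Click Go sentence and "top left corner of the windows" in the TFTP GET bullet. The bullet "From IPTool fetch any command for appflows or voip data" does not say where in IPTool the passcode is entered or which command to pick, and because this is the step that enables secure communication on the ASE it should be spelled out rather than left to the screenshot placeholder.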

Revision as of 18:07, 3 September 2017

Introduction

Solution

Before secure communication can be configured, unsecure IP communication (Telnet) must be established between the ASE and TruView Central. If this is not allowed by your company's security policy, these steps must be completed in the lab.

Enabling secure communication between the ASE, PAC and TruView Central should be the same for all ASEs running firmware version 6.9 or higher. This procedure has been tested on ASE Series 1900 and Series 400.

  • Connect to the ASE

Telnet (tcp/23) or serial port (8N1, 19200)

  • Log in to the ASE

Default credentials admin/visual

  • Enter the security dialog and enter the settings as follows.

You can add Host Address Security at a later stage. Be prepared to set a passcode. For security reasons, this should be different from the login password.

CRT-DEV-ASE007> sec

Parameter                           Value       Remarks
Security Level                      Partial     -
SSL TCP Port                        2359        This is the port for secure communication between ASE and TruView Central with the exception of Putty. You may choose any port except tcp/22.
Change Management Passcode          Y           -
Enter Management Passcode           <passcode>  -
Change Host Address Security Table  None        Can be added later

Check the settings and notice that the field Management passcode reads None. This is expected.

CRT-DEV-ASE007> sh sec

    Security Level:           Partial
    SSL TCP Port:             2359
    Management passcode:      None
    Pending passcode:         Ready
    Remote Console Protocol:  SSH
    Host Address Security:    Disabled

    Host Address Security Table: EMPTY

  • Locate and run IPTool, which is located on TruView Central.

IPTool is an unsupported utility for use by Fluke Networks technical support.

C:\Program Files (x86)\Fluke Networks\Visual Performance Manager Server\iptool.exe

  • From IPTool, fetch any command for appflows or VoIP data, entering the passcode you chose in the previous step.
  • Click TFTP GET in the top left corner of the window and enter the ASE's settings per this example.

<IPToolTFTPGet>

Click Go. The results you get are irrelevant at this time. The procedure enables secure communication on the ASE.

<TFTPResponseDecode>

At this stage, you may log in to the ASE using SSH (tcp/22). Putty is located on TruView Central. For security reasons, only Putty on TruView Central can be used to connect securely to the ASE. In future releases this restriction will be lifted.

<TVCPuttyConfiguration>

<TVCPutty>
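
A check for the `sh sec` step above, as an added example that is not part of the original page or of any Fluke Networks tooling: it parses the output shown and flags deviations from the settings table. Function and parameter names are assumptions, and only the field values printed on this page are interpreted.

```python
import re

# `sh sec` output copied from the procedure above.
SAMPLE_SH_SEC = """\
CRT-DEV-ASE007> sh sec

    Security Level:           Partial
    SSL TCP Port:             2359
    Management passcode:      None
    Pending passcode:         Ready
    Remote Console Protocol:  SSH
    Host Address Security:    Disabled

    Host Address Security Table: EMPTY
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\S.*?)\s*$")

def parse_sh_sec(text):
    """Map each 'Field: value' line to a dict; the prompt line has no colon."""
    return {m.group(1): m.group(2)
            for m in map(FIELD.match, text.splitlines()) if m}

def check_sec(fields, passcode=None, login_password="visual"):
    """Return (severity, message) findings against the settings on this page."""
    out = []
    if fields.get("Security Level") != "Partial":
        out.append(("FAIL", "Security Level is not Partial"))
    port = fields.get("SSL TCP Port", "")
    if not re.fullmatch(r"[0-9]{1,5}", port) or not 1 <= int(port) <= 65535:
        out.append(("FAIL", "SSL TCP Port missing or invalid"))
    elif int(port) == 22:
        out.append(("FAIL", "SSL TCP Port must not be tcp/22 (used by SSH)"))
    if fields.get("Remote Console Protocol") != "SSH":
        out.append(("FAIL", "Remote Console Protocol is not SSH"))
    if fields.get("Management passcode") == "None":
        if fields.get("Pending passcode") == "Ready":
            out.append(("INFO", "passcode pending; expected before the IPTool step"))
        else:
            out.append(("FAIL", "no management passcode set or pending"))
    if fields.get("Host Address Security") == "Disabled":
        out.append(("WARN", "Host Address Security disabled; add the table later"))
    # The page asks for a passcode different from the login password
    # (default login password on this page: "visual").
    if passcode is not None and passcode == login_password:
        out.append(("FAIL", "passcode equals the login password"))
    return out

if __name__ == "__main__":
    for severity, message in check_sec(parse_sh_sec(SAMPLE_SH_SEC)):
        print(f"{severity}: {message}")
```
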