CVI SCAP Migration Guide
Uploaded by
scribd1408CVI SCAP Migration Guide
Uploaded by
scribd1408Page
Eurex Repo / SecLend
CVI to SCAP Migration Guide
SWX-XRS-MAN-20100216/E, 16.02.2010 This manual provides a technical overview on how to migrate the VPN infrastructure from the CVI to the SCAP environment.
Unrestricted Documentation marked 'Confidential' is intended only for the parties on the distribution list and may not be supplied or made available to third parties without the express consent of SIX Group Ltd or the companies associated with SIX Group Ltd (referred to below as SIX Group Ltd). The information contained in this document is given without warranty, implies no obligation of any kind on the part of SIX Group Ltd and may be altered by SIX Group Ltd at any time without further notice. To the extent permitted by law, SIX Group Ltd accepts no liability whatsoever for any errors contained in this document. SIX Group Ltd is under no obligation whatsoever to draw attention to such errors. Technical documentation must be used only in conjunction with the correct software version and may be used and copied only in accordance with the terms of the licence. All software described in the technical documentation is supplied on the basis of a licence agreement and may be used or copied only in accordance with the terms of the said licence agreement. Copyright SIX Group Ltd, 06.2009. All rights reserved. All trademarks observed.
Eurex Repo / SecLend CVI to SCAP Migration Guide Introduction
Page iii SWX-XRS-MAN-20100216/E 16.02.2010
Table of Contents
1 Introduction......................................................................................................................................................... 1 1.1 1.2 1.3 1.4 1.5 1.6 2 Purpose & Scope ................................................................................................................................. 1 Definitions & Abbreviations .................................................................................................................. 1 References........................................................................................................................................... 1 Outstanding Issues .............................................................................................................................. 2 Timescales........................................................................................................................................... 2 Contact................................................................................................................................................. 2
Technical Requirements ..................................................................................................................................... 3 2.1 Cisco VPN Clients................................................................................................................................ 3 2.1.1 Supported Cisco VPN Software Clients ..............................................................................3 2.1.2 Supported Cisco VPN Hardware Clients .............................................................................3
3 4
Connectivity Options........................................................................................................................................... 3 Network & Firewall Considerations ..................................................................................................................... 4 4.1 4.2 4.3 4.4 4.5 4.6 4.7 SIX IPSec Endpoints for IPSec Hardware and Software Clients.......................................................... 4 DNS Servers without IPSec Tunnel Connection .................................................................................. 4 DNS Servers with IPSec Tunnel Connection ....................................................................................... 5 NTP Server for Hardware and Software Clients................................................................................... 5 Web Servers ........................................................................................................................................ 5 Eurex Repo / SecLend Application Servers ......................................................................................... 6 HTTP Proxy Server Exceptions ........................................................................................................... 6
Migration in 3 Steps ............................................................................................................................................ 6 5.1 5.2 5.3 Step 1 Get Old VPN Certificate Information ...................................................................................... 7 Step 2 Contact Technical Helpdesk .................................................................................................. 7 Step 3 Set up New VPN Connection to the SCAP Environment ....................................................... 8 5.3.1 Cisco VPN Software Client.................................................................................................. 8 5.3.2 Cisco VPN 3002 Hardware Client ....................................................................................... 8 5.3.3 Cisco ASA 5505 Hardware Client ....................................................................................... 8
Connecting Eurex Repo / SecLend Application via New VPN Infrastructure ...................................................... 9 6.1 6.2 Adapt TradingClientGUI.config ............................................................................................................ 9 Update USP Proxy Configuration......................................................................................................... 9
Appendix A Connectivity Options.............................................................................................................................. 11 A.1 Connectivity Options ............................................................................................................................... 11 A.1.1 Internet Connectivity ................................................................................................................. 11 A.1.2 Managed IP Services................................................................................................................ 12 Appendix B How to Access the CVI Web.................................................................................................................. 12 B.1 Eurex Repo Sealed Envelope ................................................................................................................. 12 B.2 Accessing the CVI Public Web................................................................................................................ 13 B.3 Accessing the CVI Private Web .............................................................................................................. 13
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Introduction
Page iv SWX-XRS-MAN-20100216/E 16.02.2010
Appendix C Network Setup ....................................................................................................................................... 15 C.1 Network Setup with a Hardware or Software Client ................................................................................ 15 C.1.1 Ports Used for IP Traffic to Hardware or Software Clients........................................................ 16 C.1.2 SIX Swiss Exchange IPSec endpoints for IPSec Hardware and Software Clients ................... 16 C.2 NTP Server for Hardware and Software Clients ..................................................................................... 17 Appendix D Installation: Cisco VPN Software Client................................................................................................. 17 D.1 Installation Checklist ............................................................................................................................... 17 D.2 Basic Setup............................................................................................................................................. 18 D.2.1 Cisco VPN Software Client Installation..................................................................................... 18 D.2.1.1 Download Cisco VPN Software and Connection Entries ...................................... 18 D.2.1.2 Install Cisco VPN Client Software.........................................................................18 D.2.1.3 Import CA Root Certificate.................................................................................... 18 D.2.1.4 Reinstall the Cisco VPN Software Client .............................................................. 19 D.3 IPSec Tunnel Setup................................................................................................................................ 19 D.3.1 Obtain Personal Certificate....................................................................................................... 19 D.3.2 Import Connection Entry........................................................................................................... 20 D.3.3 Import Personal Certificate ....................................................................................................... 21 D.3.4 Assign Certificate to Connection Entry ..................................................................................... 21 D.3.5 Check IPSec Tunnel................................................................................................................. 21 Appendix E Installation: Cisco VPN 3002 Hardware Client....................................................................................... 22 E.1 Installation Checklist ............................................................................................................................... 22 E.2 Basic Setup............................................................................................................................................. 23 E.2.1 IPSec Tunnel Setup.................................................................................................................. 23 E.2.2 Check Software Version ........................................................................................................... 23 E.2.3 Configure Group Authentication ............................................................................................... 23 E.2.4 Establish VPN Connection........................................................................................................ 24 E.2.5 Download and Install CA Root Certificate................................................................................. 24 E.2.6 Generate and Send Certificate Enrolment Request.................................................................. 24 E.2.7 Install Certificate and Check IPSec Tunnel............................................................................... 25 E.2.8 Continuing Application Installation ............................................................................................ 26 E.2.8.1 DNS Configuration on Application PC................................................................... 26 Appendix F Installation: Cisco ASA 5505 Hardware Client ....................................................................................... 27 F.1 Installation Checklist ............................................................................................................................... 27 F.2 Basic Setup ............................................................................................................................................. 27 F.2.1 Cisco ASDM Setup ................................................................................................................... 28 F.2.2 Check Software Version of ASDM ............................................................................................ 28 F.2.3 Cisco ASDM Installation on the ASA 5505 ............................................................................... 28 F.2.4 Cisco ASDM Installation on the PC........................................................................................... 29 F.2.5 IPSec Tunnel Setup .................................................................................................................. 30 F.2.6 Check Software Version of ASA 5505 ...................................................................................... 30 F.2.7 Configure Group Authentication................................................................................................ 30 F.2.8 Configure DNS.......................................................................................................................... 31 F.2.9 Download and Install CA Root Certificate ................................................................................. 32 F.2.10 Generate and Send Certificate Enrolment Request ................................................................ 33 F.2.11 Install Certificate and Check IPSec Tunnel............................................................................. 35 F.2.12 Continuing Application Installation .......................................................................................... 37 F.2.12.1 DNS Configuration on Application PC................................................................. 37
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Introduction
Page v SWX-XRS-MAN-20100216/E 16.02.2010
Appendix G Infrastructure Service Provider (ISP) Contacts...................................................................................... 38 G.1 Internet Connectivity............................................................................................................................... 38 G.2 Managed IP Services ............................................................................................................................. 38
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Introduction
Page 1 SWX-XRS-MAN-20100216/E 16.02.2010
Introduction
SIX Swiss Exchange will replace the current VPN infrastructure called Common VPN Infrastructure (CVI). This manual describes the steps needed to migrate from the Common VPN Infrastructure (CVI) to the SIX Common Access Portal (SCAP) infrastructure. Please note that the SIX Common Access Portal (SCAP) is based on CVI v4 and v5. Therefore the name CVI is sometimes used in relation with both, the old and the new environment.
1.1
Purpose & Scope
SIX Swiss Exchange aims for a standardisation of VPN access to its different services. Benefits of this standardisation for Participants are: Higher number of carriers who offer lines to our systems. Support of new VPN hardware client: ASA 5505 Client. A high number of CVI certificates expire in February 2010 and have to be renewed. Since CVI v4 has different root certificates, a migration is required anyway. Higher flexibility to increase/decrease bandwidth in a shorter time period.
1.2
Definitions & Abbreviations
Term/Abbreviation CVI SCAP SIX SSL SWXess SWX VPN Explanation Common VPN Infrastructure SWX Common Access Portal SIX Swiss Exchange Secure Socket Layer SIX Swiss Exchange Trading Platform SWX Swiss Exchange. Former name of SIX Swiss Exchange Virtual Private Network
1.3
References
This document relates to the following documents:
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Introduction
Page 2 SWX-XRS-MAN-20100216/E 16.02.2010
Reference & Document Title 1 SCAP - SIX Connectivity Guide 2 Hardware and Software Requirements
Applicable Reference and Version SWX-SCAP-CNTY-GUID700/E SWX-XRS-HWSW-REQ107/E
Location & Link
https://www.swx.com/members/cvi/scap.html http://www.eurexrepo.com/publications/
1.4
Outstanding Issues
Routers can not be used for connections to Eurex Repo / SecLend. SWXess connectivity options like Ethernet Service, Optical Link and Proximity Service can not be used for connections to Eurex Repo / SecLend. Lines connected to SWXess can not be used for connecting to Eurex Repo / SecLend. Tunnels established for SWXess can not be used for Eurex Repo / SecLend.
1.5
Timescales
The migration period will run for 3 months. After that, only connections to the SCAP environment will be accepted. Please refer to the corresponding MSC Messages for specific dates. MSC Messages are published here: http://www.eurexrepo.com/support/news.html A high number of CVI certificates expire in February 2010 and have to be renewed. SIX Swiss Exchange highly recommends to migrate before the expiry of the old certificate.
1.6
Contact
For further information about specific issues, please contact your Eurex Repo Technical Helpdesk:
Geneva: London: Zurich: +41 58 854 2028 +44 20 7864 4334 +41 58 854 2488
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Technical Requirements
Page 3 SWX-XRS-MAN-20100216/E 16.02.2010
Technical Requirements
This chapter will give an overview of the requirements for the old CVI Infrastructure and the new SCAP infrastructure. Please note that SIX Swiss Exchange does not provide any hardware equipment, only a software client kit and accompanying software for participants using the Cisco VPN 3002 or Cisco ASA 5505 Hardware Client.
2.1
Cisco VPN Clients
The following tables give an overview of the supported Cisco VPN Clients for the old CVI infrastructure and the new SCAP infrastructure.
2.1.1
Supported Cisco VPN Software Clients
Cisco VPN Software Client Type Cisco VPN Software Client V5.0.03.0560 Cisco VPN Software Client V4.8.02.0010 Cisco VPN Software Client V4.6.02.0011 Old (CVI) New (SCAP)
2.1.2
Supported Cisco VPN Hardware Clients
Cisco VPN Hardware Client Type Cisco ASA 5505 Hardware Client V8.0(4)28, ASDM 6.2.3 Cisco VPN 3002 Hardware Client V4.7.2.P Cisco VPN 3002 Hardware Client V4.7.2.x Cisco VPN 3002 Hardware Client V4.1.7.J Old (CVI) New (SCAP)
Connectivity Options
For an overview and details of the different connectivity options, see A.1 Connectivity Options If you have a Managed IP Service connection to Eurex Repo / SecLend, please contact your Infrastructure Service Provider (ISP) to determine the measures needed. You can find a list of contacts in Appendix G Infrastructure Service Provider (ISP) Contacts.
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Network & Firewall Considerations
Page 4 SWX-XRS-MAN-20100216/E 16.02.2010
Network & Firewall Considerations
4.1
SIX IPSec Endpoints for IPSec Hardware and Software Clients
The table below gives the FQDN and IP addresses of the SIX Swiss Exchange IPSec endpoints for hardware and software clients for the old CVI infrastructure and the new SCAP infrastructure.
Old (CVI) Membertest Data Center A Production Data Center A Data Center B vpnprod.swx.com 146.109.129.10 146.109.128.10 (virtual IP addresses) vpntest.swx.com 146.109.129.40 (virtual IP address) vpntest1.swx.com 146.109.129.41 vpntest2.swx.com 146.109.129.42 vpnprodsn.swx.com 146.109.129.10 (virtual IP address) vpnprodsn1.swx.com 146.109.129.11 vpnprodsn2.swx.com 146.109.129.12 vpnprodht.swx.com 146.109.128.10 (virtual IP address) vpnprodht1.swx.com 146.109.128.11 vpnprodht2.swx.com 146.109.128.12 New (SCAP) Membertest and Production Data Center A Data Center B
vpn.swx.com 146.109.0.10 146.109.64.10 (virtual IP addresses) vpnzs.swx.com 146.109.0.10 (virtual IP address) vpnzs01.swx.com 146.109.0.11 vpnzs02.swx.com 146.109.0.12 vpnzh.swx.com 146.109.64.10 (virtual IP address) vpnzh01.swx.com 146.109.64.11 vpnzh02.swx.com 146.109.64.12
4.2
DNS Servers without IPSec Tunnel Connection
The following table gives an overview of the DNS servers without IPSec connection of the old CVI infrastructure and the new SCAP infrastructure. These DNS servers resolve VPN Endpoints.
Data Center Data Center A Data Center A Data Center B Data Center B Old (CVI) 146.109.128.244 146.109.129.244 146.109.129.241 146.109.129.242 New (SCAP) 146.109.66.249 146.109.66.250 146.109.2.249 146.109.2.250
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Network & Firewall Considerations
Page 5 SWX-XRS-MAN-20100216/E 16.02.2010
4.3
DNS Servers with IPSec Tunnel Connection
The following table gives an overview of the DNS servers in IPSec connection tunnels in the old CVI infrastructure and the new SCAP infrastructure. These DNS servers resolve Eurex Repo / SecLend application servers.
Data Center Data Center A Data Center A Data Center B Data Center B Old (CVI) 172.31.5.157 172.31.4.157 172.29.0.140 172.29.0.139 New (SCAP) 146.109.55.251 146.109.55.252 146.109.39.251 146.109.39.252
4.4
NTP Server for Hardware and Software Clients
Please refer to C.2 NTP Server for Hardware and Software Clients
4.5
Web Servers
To access the SCAP public and private websites you need to have access to the following URLs:
Old (CVI) CVI Public Web login page: https://www.six-swiss-exchange.com/members/cvi/software_en.html
CVI Private Web via enrolment tunnel: http://www.mbt.cvi.swx.ch/prvweb/login (Membertest) http://www.prd.cvi.swx.ch/prvweb/login (Production) New (SCAP) SCAP Public Web login page (SSL): https://www.six-swiss-exchange.com/members/cvi/scap.html
SCAP Private Web (SSL): https://vpn.swx.com
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Migration in 3 Steps
Page 6 SWX-XRS-MAN-20100216/E 16.02.2010
4.6
Eurex Repo / SecLend Application Servers
The table below gives the FQDN and IP addresses of the Eurex Repo / SecLend application servers for the old CVI infrastructure and the new SCAP infrastructure.
Environment Membertest Old (CVI) www.mbt.erm.swx.ch rmtws.mbt.erm.swx.ch www1.mbt.erm.swx.ch rmtws1.mbt.erm.swx.ch www2.mbt.erm.swx.ch rmtws2.mbt.erm.swx.ch Production www.prd.erm.swx.ch rprws.prd.erm.swx.ch www1.prd.erm.swx.ch rprws1.prd.erm.swx.ch www2.prd.erm.swx.ch rprws2.prd.erm.swx.ch IP Address 172.29.1.61 172.29.1.62 172.29.1.62 172.29.1.61 172.31.4.180 172.31.5.180 172.31.5.180 172.31.4.180 New (SCAP) rmtws.pn.swx rmtws1.pn.swx rmtws2.pn.swx rprws.pn.swx rprws1.pn.swx rprws2.pn.swx IP Address 146.109.49.254 146.109.33.254 146.109.49.254 146.109.33.254 146.109.48.254 146.109.32.254 146.109.48.254 146.109.32.254
4.7
HTTP Proxy Server Exceptions
Access to the various online features provided by Eurex Repo / SecLend like: Member Page with Newsboard, Online Help and Statistics. (Membertest / Production) is not possible via a web-proxy server, due to the use of Cisco VPN Client. Therefore, for these specific websites, you need to ensure that you have disabled any potential HTTP proxy server on the client PC. The following HTTP proxy server exceptions have to be set in your webbrowser:
Old (CVI) *.swx.ch New (SCAP) *.pn.swx *.ps.swx (for application servers) (for SCAP Private Web)
Migration in 3 Steps
For the migration period you can run VPN connections to the old CVI environment and to the new SCAP environment in parallel. This allows you to set up the new VPN connections while the traders still connect via the old CVI environment. You do not have to inform us about your migration.
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Migration in 3 Steps
Page 7 SWX-XRS-MAN-20100216/E 16.02.2010
5.1
Step 1 Get Old VPN Certificate Information
The sealed envelope containing the CVI Personal Certificate Download Information is still valid for your SCAP credentials. SIX Swiss Exchange will not send out the sealed envelopes again. The credentials for your current CVI certificates will automatically be renamed and migrated to SCAP. VPN Entrypoint ID and Username will change to a higher number, as illustrated below:
Old CVI Credentials in Sealed Envelope CVI Personal Certificate Download Information Environment: Participant Name: Membertest / Production Participant Full Name New SCAP Credentials The information from your sealed envelope is still valid. Only the VPN Entrypoint ID and the Username will change. You will get an e-mail from the technical helpdesk with these updates. See: 5.2 Step 2 Contact Technical Helpdesk
CVI Group Authentication Name: cvienvusr CVI Group Authentication Password:enrlpasswd VPN Entrypoint ID: Certificate Type: Username: Password: 123 0 ERMM01123 cvipassword
VPN Entrypoint ID: Certificate Type: Username: Password:
789 0 ERMM016789 cvipassword
Environment Membertest Production
Old CVI Certificate Name ERMM01abcd ERMP01abcd
IP Address 172.x.x.x 172.x.x.x
New SCAP Certificate Name ERMM01efgh ERMP01efgh
IP Address 10.x.x.x 10.x.x.x
Your current certificates will be renamed to a higher number and will get a different IP address (10.x.x.x) assigned. The certificate with the lowest number in the old CVI name will correspond to the one with the lowest number in the new SCAP name. Passwords will remain the same for the new certificates as for the corresponding old ones (see sealed envelope).
5.2
Step 2 Contact Technical Helpdesk
As soon as you have assembled all the VPN Entrypoint information, please contact the Eurex Repo Technical Helpdesk to get an e-mail with a list of your current and your new certificates (without passwords). If you do not remember your passwords you can request new sealed envelopes with the technical helpdesk.
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Migration in 3 Steps
Page 8 SWX-XRS-MAN-20100216/E 16.02.2010
5.3
Step 3 Set up New VPN Connection to the SCAP Environment
You have to do a full enrolment process for each certificate to establish a connection to the new SCAP environment.
5.3.1
Cisco VPN Software Client To establish a Cisco VPN Software Client connection please refer to Appendix D Installation: Cisco VPN Software Client
5.3.2
Cisco VPN 3002 Hardware Client To establish a Cisco VPN 3002 Hardware Client connection please refer to Appendix E Installation: Cisco VPN 3002 Hardware Client
5.3.3
Cisco ASA 5505 Hardware Client To establish a Cisco ASA 5505 Hardware Client connection please refer to Appendix F Installation: Cisco ASA 5505 Hardware Client
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 9 SWX-XRS-MAN-20100216/E 16.02.2010
Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
As soon as you have set up the new VPN connections you can connect your Eurex Repo / SecLend trading applications via the new infrastructure. You only have to adapt either the TradingClientGUI.config file or the USP Proxy (Concentrator) registry files, depending on how you connect.
6.1
Adapt TradingClientGUI.config
To connect a Eurex Repo / SecLend Trading Client GUI directly via the new SCAP infrastructure, you have to adapt the TradingClientGUI.config file with the new Eurex Repo / SecLend application servers. Please note that you have to logon as a member of the administrator group to adapt the settings in the .TradingClientGUI.config file. In the TradingClientGUI.config file (by default located C:\Program Files\SWX Swiss Exchange\Eurex Repo Trading GUI [environment]) change the following parameter: For the Membertest environment: swx.ric.IPaddress For the Production environment: swx.ric.IPaddress
= rmtws.pn.swx = rprws.pn.swx
6.2
Update USP Proxy Configuration
If you connect your Trading Client GUI through a USP Proxy (Concentrator), you do not have to change the GUI settings but update the registry entries of the USP Proxy with the new Eurex Repo / SecLend application servers. In our download section we will provide new registry files to configure your USP Proxy. Download the new registry files and execute the appropriate one (Membertest or Production). Please note that you have to logon as a member of the administrator group to update the registry files. SCAP_M01_USP_Proxy_config.reg (Configuration for Membertest M01 environment) SCAP_M02_USP_Proxy_config.reg (Configuration for Membertest M02 environment) SCAP_P01_USP_Proxy_config.reg (Configuration for Production P01 environment)
To connect the USP Proxy to the appropriate environment, proceed as follows:
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 10 SWX-XRS-MAN-20100216/E 16.02.2010
1. Stop both USP processes (USP-RPC and USP-BCT), by closing the DOS windows. 2. Execute the appropriate registry file for the Membertest or the Production environment. This will update the system registry. 3. Restart both USP processes using the desktop icons or restart the PC to automatically start the processes. 4. To reconnect the USP Proxy to the other environment, proceed as above in steps 1 - 3.
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 11 SWX-XRS-MAN-20100216/E 16.02.2010
Appendix A Connectivity Options
A.1 Connectivity Options
There are two connectivity options: Internet or Managed IP Service.
A.1.1 Internet Connectivity This connectivity option offers a simple and cost-effective solution designed to meet the needs of participants with low bandwidth requirements, such as participants with a low daily trading volume. Participants order the service with an Internet Service Provider and handle all maintenance issues themselves. Please note that bandwidth availability can never be guaranteed for Internet connections Establishing multiple IPSec tunnels by deploying multiple hardware or software clients is possible.
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 12 SWX-XRS-MAN-20100216/E 16.02.2010
A.1.2 Managed IP Services This connectivity option is designed for participants who want to outsource their network activities e.g. monitoring. The monitoring is hosted by a Managed IP Service provider. However the procurement of the required hardware, setup and maintenance of the IPSec tunnel is the participants responsibility. Providers with a POP at SIX that offer Managed IP service are: BT Radianz Deutsche Brse Systemes Swisscom-Verizon
Appendix B How to Access the CVI Web
B.1 Eurex Repo Sealed Envelope
You should have received a sealed envelope containing the CVI Personal Certificate Download Information. Below is an example using fictional values:
This envelope contains important information for downloading your CVI Personal Certificate. You should have received a separate communication entitled "CVI - Common VPN Infrastructure Setup", which explains how to establish a VPN connection using the VPN details below. For further information, see the Eurex Repo Installation Guide or contact the Eurex Repo Technical Helpdesk. Eurex Repo Technical Helpdesk Zrich +41 (0)58 854 24 88 Geneva +41 (0)58 854 20 28 London +44 (0)20 7864 4334 E-Mail: [email protected] CVI Personal Certificate Download Information Environment: Participant Name: CVI Group Authentication Name: CVI Group Authentication Password: VPN Entrypoint ID: Certificate Type: Username: Password: Production Participant Full Name cvienvusr enrlpasswd 123 0 cviuser cvipassword
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 13 SWX-XRS-MAN-20100216/E 16.02.2010
B.2 Accessing the CVI Public Web
To access the CVI Public Web, proceed as follows (an Internet connection is required): 1. Start the browser and enter the following address to open the CVI Public Web login page: https://www.six-swiss-exchange.com/members/cvi/scap.html 2. Log in to the CVI Public Web with your Group Authentication Username [ ] and Password [ ] provided in the sealed envelope.
You are now logged in to the CVI Public Web (see figure below).
B.3 Accessing the CVI Private Web
To be able to access the CVI Private Web via SSL, you must be able to access the Internet. 1. Start the browser and enter the following address to open the SCAP login page: https://vpn.swx.com. 2. In the Security Alert dialog boxes, click Yes. The SCAP SWX Common Access Portal login page is displayed.
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 14 SWX-XRS-MAN-20100216/E 16.02.2010
3.
Log in to SCAP using the Username [ A ] and Password [ B ] from the Sealed Envelope. The CVI Private Web login page is displayed.
4.
Log in to the CVI Private Web with your VPN entrypoint account Username [ ] and Password [ ] provided in the sealed envelope.
You are now logged in to the CVI Private Web.
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 15 SWX-XRS-MAN-20100216/E 16.02.2010
Appendix C Network Setup
C.1 Network Setup with a Hardware or Software Client
Hardware and software clients are connected through a point-to-point connection. They do not offer OSI layer 3 network redundancies. However, it is possible to setup manual network failover on the client upstream.
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 16 SWX-XRS-MAN-20100216/E 16.02.2010
C.1.1 Ports Used for IP Traffic to Hardware or Software Clients The table below indicates what IP traffic must be permitted through which ports between the hardware or software client and the SIX IPSec endpoint.
IP Protocol No. Name Port Purpose Required for IPSec IPSec Over UDP IPSec Over TCP
17 50 17 17 6
UDP IPSec UDP UDP TCP
500 None 4500 4501 4501
IKE ESP IPSec via NAT-T IPSec via UDP IPSec via TCP
C.1.2 SIX Swiss Exchange IPSec endpoints for IPSec Hardware and Software Clients The table below gives the FQDN and IP addresses of the SIX IPSec endpoints for hardware and software clients. Connecting with url request https://vpn.swx.com will load balance to one or the other datacenter.
Data Center A vpnzh.swx.com 146.109.64.10 (virtual IP address) vpnzh01.swx.com 146.109.64.11 vpnzh02.swx.com 146.109.64.12 Data Center B vpnzs.swx.com 146.109.0.10 (virtual IP address) vpnzs01.swx.com 146.109.0.11 vpnzs02.swx.com 146.109.0.12
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 17 SWX-XRS-MAN-20100216/E 16.02.2010
C.2 NTP Server for Hardware and Software Clients
We recommend synchronizing your application system times with SIX Swiss Exchange time. Both hardware and software clients will be able to access the SIX Swiss Exchange Public NTP time server via the IPSec tunnel. The NTP server addresses are given below:
NTP Server Addresses 146.109.39.251 146.109.39.252 146.109.55.251 146.109.55.252
Appendix D Installation: Cisco VPN Software Client
This section explains how to install the Cisco VPN Software Client as well as the associated configuration files and certificates.
D.1 Installation Checklist
A summary of the required steps is given in the table below, which can be used as a checklist:
Task Basic Setup Enrolment Description How to Set up a New Software Client Download Software Download Connection Entry and Root Certificate Install Software Import Root Certificate IPSec Tunnel Setup Generate and Send Certificate Enrolment Request Download Personal Certificate Import Connection Entry Import Root & Personal Certificate Assign Certificate to Environment Connection Entry Check IPSec Tunnel Done
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 18 SWX-XRS-MAN-20100216/E 16.02.2010
D.2 Basic Setup
Please follow the official documentation from Cisco to complete the basic setup of the software client. SIX provides four public DNS servers (without an IPSec tunnel) for participants who are using Managed IP Services and do not have DNS support:
Data Center A 146.109.66.249 146.109.66.250 Data Center B 146.109.2.249 146.109.2.250
These DNS can be entered when configuring the software client, they will resolve the hostname (vpn.swx.com) used by SCAP.
D.2.1 Cisco VPN Software Client Installation
D.2.1.1 Download Cisco VPN Software and Connection Entries 1. Access the CVI Public Website, as described above. 2. Download and save the following items: Cisco VPN Tunnel Software Connection entry file (SWX_CVI.pcf) CVI Root Certificate (SWXVPNROOTCA.cer) D.2.1.2 Install Cisco VPN Client Software On your PC, you only need to install the Cisco VPN Software Client once. If the Cisco VPN software is already installed, proceed with section D.2.1.3 Import CA Root Certificate Double click the Cisco VPN Software Client file you downloaded in the previous step and follow the prompts. After the installation is finished, you may be prompted to reboot the PC. Please do so before proceeding.
D.2.1.3 Import CA Root Certificate 1. Start the Cisco VPN Client (click the Start button, then point to All Programs, Cisco Systems VPN Client and click VPN Client).
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 19 SWX-XRS-MAN-20100216/E 16.02.2010
2.
Select the Certificates tab in the VPN client, click the Import icon and click the Browse button to select the CA Root Certificate (SWXVPNROOTCA.cer) you downloaded before. Do not specify any password in the various Password fields. Click the Import button to finish importing the certificate. A dialog box confirms the success of this operation. Click the OK button. To display the CA Root Certificate in the VPN Client, select the Certificates menu and click on Show CA/RA Certificates to enable this option.
3.
4.
D.2.1.4 Reinstall the Cisco VPN Software Client In case of any failures of the Cisco VPN Subsystem, it is advisable to reinstall the software. Reinstallation is also necessary when a new NIC (network interface card) has been installed. The Cisco VPN Software Client will not automatically detect a new interface, resulting in an old and not functional setting of the Cisco Virtual Adapter. This makes it mandatory to reinstall the software. When reinstalling, please note that all settings, connection entries as well as certificates are backed up and automatically re-imported upon installation of either the same, or a newer version of the Cisco VPN Software Client. It is strongly recommended to uninstall the software and reboot the system, prior to installation.
D.3 IPSec Tunnel Setup
This section describes the steps required to establish a connection.
D.3.1 Obtain Personal Certificate 1. Select the Certificates tab in the VPN client, click the Enroll icon. In the Certificate Enrolment window select File and enter the following parameters:
Parameter File encoding Filename New Password Value Base-64 A freely chosen filename having the .csr extension (e.g. c:\ERMP01xxxx.csr) A freely chosen password (minimum length 6 characters)
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 20 SWX-XRS-MAN-20100216/E 16.02.2010
2. Click the Next button. This will open a new Certificate Enrolment window. Enter the following parameters to generate the certificate request:
Parameter Name (CN)* Value Username (provided in the sealed envelope [ ]) ermp01csw ermm01csw Name of your company (neither umlauts nor special characters) The state where your company is located (without umlaut) Country two letter abbreviation as used in the internet (neither umlauts nor special characters) Leave blank Leave blank Leave blank
Department (OU) (Repo Production) Department (OU) (Repo Membertest) Company (O) State (ST) Country (C)
E-Mail (E) IP Address Domain
Fields marked with * should contain meaningful values. However, they are not validated. 3. Click the Enroll button to generate a certificate enrolment request. A dialog box confirms the success of this operation. Click the OK button.
4.
Open the Certificate enrolment request file created in the previous step with a text editor, and copy the entire content with the delimiters to the clipboard. Go to the Public CVI web as described and click the link Private CVI VPN Homepage (via SSL connection). Click send request in the menu Certificate and paste the certificate into the provided form. Click Send to confirm. On the next page, click download certificate in the menu Certificate, copy the generated certificate including the delimiters into a text file and save this file on the PC with a .cer extension (e.g. ERMP012345.cer).
5. 6. 7.
D.3.2 Import Connection Entry Select the Connection Entries tab in the VPN client, click the Import icon and select the connection entry file that you downloaded.
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 21 SWX-XRS-MAN-20100216/E 16.02.2010
By default, the connection entry is configured to use Transparent Tunnelling (IPSec over UDP). Depending on your network, you may be required to change the Transport settings.
D.3.3 Import Personal Certificate 1. Select the Certificates tab in the VPN client, click the Import icon and click the Browse button to select the personal certificate you downloaded. The Import Password in the upper section is the one you entered before. It is strongly recommended to enter a New Password in the fields at the bottom of the dialog - if you do not enter a New Password, it will be blank and therefore your certificate will not be protected. 2. Click the Import button to finish importing the certificate.
D.3.4 Assign Certificate to Connection Entry 3. 4. Select the Connection Entries tab in the VPN client, select the connection entry you imported and click the Modify icon. Select the Authentication tab, select Certificate Authentication and in the Name drop down list, select the certificate you imported in the previous step.
By default, the connection entry is called SWX_CVI. You may wish to give the connection entry a more meaningful name. If so, please enter a new name in the Connection Entry field on this screen. 5. D.3.5 Check IPSec Tunnel 1. If your VPN Client is still connected, click the Disconnect button. 2. 3. Select the Connection Entry you have just imported & configured and click the Connect button. Enter the password to authenticate your certificate (this is the password that you entered in the New Password field). Click the Save button to store your changes.
If you did not enter a new password when importing the certificate, then your password is blank i.e. click the OK button without entering a password. 4. If connection is successful, a dialog box appears with two buttons, Continue and Disconnect. Click the Continue button and the VPN Client minimises to the System Tray. You can double click System Tray to restore the application.
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 22 SWX-XRS-MAN-20100216/E 16.02.2010
Appendix E Installation: Cisco VPN 3002 Hardware Client
This section explains how to configure the Cisco VPN 3002 Hardware Client, including enrolment and installation of the certificate.
E.1 Installation Checklist
A summary of the required steps is given in the table below, which can be used as a checklist:
Task Basic Setup IPSec Tunnel Setup Description How to setup a new hardware client Configure Group Authentication Establish VPN Connection Download & Install SIX CA Root Certificate Generate & Send Certificate Request Retrieve and Install Personal Certificate Check IPSec Tunnel Done
The instructions in this section are based on using a browser to configure the hardware client. If you are using the Console Port, please see the Cisco documentation for the appropriate commands.
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 23 SWX-XRS-MAN-20100216/E 16.02.2010
E.2 Basic Setup
Please follow the official documentation from Cisco to complete the basic setup of the hardware client. SIX provides four public DNS for participants who are using Managed IP Services and do not have DNS support:
Data Center A 146.109.66.249 146.109.66.250 Data Center B 146.109.2.249 146.109.2.250
These DNS can be entered when configuring the hardware client, they will resolve the hostname (vpn.swx.com) used by SCAP.
E.2.1 IPSec Tunnel Setup The following section shows step-by-step instructions for the Cisco 3002 Hardware Client configuration, enrolment and certificate handling.
E.2.2 Check Software Version Check that the software version of your Cisco 3002 meets our recommendations listed in section 2.1.2 Supported Cisco VPN Hardware Clients. If it does not you should download the correct version from the CVI Public Web and apply it on your device.
E.2.3 Configure Group Authentication Using a browser, connect and logon to the hardware client. From the menu, select Configuration > System > Tunneling Protocols > IPSec and enter the following parameters to enable group authentication:
Parameter Remote Server IPSec over TCP IPSec over TCP Port Use Certificate Certificate transmission Group Name Value vpn.swx.com Choose the appropriate value for your network. 4501 (if IPSec over TCP is selected) Leave cleared Select Identity certificate only Username (see [ A ] - neither umlauts nor special characters)
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 24 SWX-XRS-MAN-20100216/E 16.02.2010
Parameter Group Password & Group Verify Username and Password
Value Password (see [ B ]) Leave both blank
E.2.4 Establish VPN Connection Check the VPN Connection by selecting Monitoring > System Status from the menu. If the tunnel is not already connected (No Tunnel Established is displayed), click Connect Now. The displayed System Status should change and show that the tunnel has been established. Additionally, on the hardware client the LED labelled VPN should switch to green (via amber which shows that the connection is being initiated).
E.2.5 Download and Install CA Root Certificate 1. Access the CVI Public Website, as described above. 2. 3. 4. Click the link CVI Root Certificate and save the file on the PC (SWXVPNROOTCA.cer). Switch back to the hardware client administration in the other browser window. Upload the root certificate by selecting Administration > Certificate Management > Installation, clicking Install CA certificate, clicking Upload file from workstation and selecting the file you saved before). Click Install to confirm.
5.
E.2.6 Generate and Send Certificate Enrolment Request 1. Generate a certificate request by selecting Administration > Certificate Management > Enrolment, clicking Enroll via PKCS10 Request (Manual). Enter the following parameters to generate the certificate request:
Parameter Common Name (CN) Value Username (provided in the sealed envelope [ C ]) ermp01chv ermm01chv Name of your company (neither umlauts nor special characters) The place where your company is located (neither umlauts nor special characters)
Organizational Unit (OU) (Repo Production) Organizational Unit (OU) (Repo Membertest) Organisation (O) * Locality (L) *
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 25 SWX-XRS-MAN-20100216/E 16.02.2010
Parameter State/Province (SP) *
Value The state or province where your company is located (neither umlauts nor special characters) Country two letter abbreviation as used in the internet (neither umlauts nor special characters) Leave blank Leave blank RSA 1024 bits
Country (C)*
Subject Alternative Name (FQDN) Subject Alternative Name (E-Mail Address) * Key Size
Fields marked with * should contain meaningful values. However, they are not validated. 2. 3. 4. Click Enroll to generate a certificate request and copy it to the clipboard. Go to the Private CVI VPN Homepage (via SSL connection) as described above. Click send request in the menu Certificate and paste the certificate into the provided form. Click Send to confirm.
E.2.7 Install Certificate and Check IPSec Tunnel 1. Using the PC browser, connect and logon to the hardware client. 2. 3. Go to the Public CVI web as described before and click the link Private CVI VPN Homepage (via SSL connection). Retrieve the certificate by clicking download certificate in the menu Certificate and copying the certificate with the delimiters belonging to your request. Switch back to the hardware client administration in the other browser window. Install the certificate by selecting Administration > Certificate Management > Installation and clicking Install certificate obtained via enrolment. Click Install for the appropriate request, choose Cut & Paste Text and paste the copied certificate with the delimiters into the provided form. Confirm by clicking Install. The Certificate Management page should now display the certificate under Identity Certificates. One private certificate can be installed at a time only. Make sure, you delete the old one before installing a new one. 6. Switch from the pre-shared key (Group Authentication) to your installed certificate by selecting Configuration > System > Tunneling Protocols > IPSec, selecting the checkbox Use Certificate and confirming by clicking Apply. The LED labelled VPN will turn off. Check the IPSec tunnel by selecting Monitoring > System Status from the menu. If the tunnel is not already connected (No Tunnel Established displayed), click Connect Now. The System Status displayed should
4. 5.
7.
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 26 SWX-XRS-MAN-20100216/E 16.02.2010
change to show that the tunnel is established (Tunnel Established to: ). E.2.8 Continuing Application Installation Assuming you have successfully connected to the Cisco VPN Hardware Client as instructed in the preceding section, you have now completed the installation of the Cisco VPN Hardware Client. However, before proceeding to install the application, one final step may be required:
E.2.8.1 DNS Configuration on Application PC To access the application servers through the Cisco VPN Hardware Client, the client PC (which will run the application) needs to know the virtual IP address of the application servers in the tunnel. There are two different scenarios that have different requirements. The client PC is directly attached to the Cisco VPN Hardware Client and the interface connecting the PC to the Cisco VPN Hardware Client is set to DHCP.
In this case, the Cisco Hardware Client can push the needed DNS via the DHCP protocol to the client and no further configuration is needed. There is a device, e.g. firewall, located between the Cisco Hardware Client and the client PC or the interface connecting the PC to the Cisco VPN Hardware Client is not set to DHCP.
In this case, either the client PC or the respective DNS have to be configured to forward domain name requests for the application servers name spaces, e.g. *pn.swx, to the DNS in the tunnel. The tunnel DNS can be reached using the IP addresses shown below.
Domain Name Servers in IPSec Connection Tunnel 146.109.39.251 146.109.39.252 146.109.55.251 146.109.55.252 Data Center Data Center B Data Center B Data Center A Data Center A
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 27 SWX-XRS-MAN-20100216/E 16.02.2010
Appendix F Installation: Cisco ASA 5505 Hardware Client
This section explains how to configure the Cisco ASA 5505 Hardware Client, including enrolment and installation of the certificate.
F.1 Installation Checklist
A summary of the required steps is given in the table below, which can be used as a checklist:
Task Basic Setup ASDM Setup IPSec Tunnel Setup Description How to Setup a New Hardware Client Cisco ASDM Setup Configure Group Authentication Establish VPN Connection Download & Install SIX CA Root Certificate Generate & Send Certificate Request Retrieve and Install Personal Certificate Check IPSec Tunnel Done
The instructions in this section are based on using both the Cisco ASDM and the Console Port.
F.2 Basic Setup
Please follow the official documentation from Cisco to complete the basic setup of the Hardware Client. SIX Swiss Exchange provides four public DNS for participants who are using Managed IP Services and do not have DNS support:
Data Center A 146.109.66.249 146.109.66.250 Data Center B 146.109.2.249 146.109.2.250
These DNS can be entered when configuring the Hardware Client, they will resolve the hostname (vpn.swx.com) used by SCAP.
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 28 SWX-XRS-MAN-20100216/E 16.02.2010
F.2.1 Cisco ASDM Setup The following section gives step-by-step instructions about installing and starting the Cisco ASDM tool.
F.2.2 Check Software Version of ASDM Check that the software version of your Cisco ASDM meets our recommendations listed in section 2.1.2 Supported Cisco VPN Hardware Clients. If it does not you should download the correct version from the CVI Public Web and install it on the ASA 5505 as described below.
F.2.3 Cisco ASDM Installation on the ASA 5505 1. Copy the recommended ASDM version file (e.g. asdm-611.bin) to the Cisco ASA 5505. This can be done either via ASDM or via ftp, tftp, Consult the official documentation from Cisco for the procedure. 2. Set the newly loaded ASDM file before you reboot with the following command:
ciscoasa> enable ciscoasa# configure terminal ciscoasa(conf)# asdm image disk0:/asdm-611.bin ciscoasa(conf)# exit ciscoasa# write memory
3. Reboot the ASA 5505:
ciscoasa> enable Password: ****** ciscoasa# reload
4. Validate that the new ASDM version is working. 5. On the ASA 5505, remove any versions of the ASDM except the recommended one. The content of Disk0:/ should look like this:
ciscoasa> enable Password: ****** ciscoasa# dir Directory of disk0:/ 2 drwx 4096 64 -rwx 1868412 3.1.1.29-k9.pkg 65 -rwx 398305 1.1.0.154.pkg 7 drwx 4096 67 -rwx 14635008 82 -rwx 7295568 07:56:58 May 08 2008 06:30:52 Sep 17 2007 06:31:04 Sep 17 2007 06:35:22 Sep 17 2007 07:40:38 May 08 2008 08:43:16 Jun 05 2008 log securedesktop-asasslclient-wincrypto_archive asa803-k8.bin asdm-611.bin
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 29 SWX-XRS-MAN-20100216/E 16.02.2010
F.2.4 Cisco ASDM Installation on the PC 1. On the PC on which the configuration of the ASA 5505 will be performed, browse to https://<ASA5505 IP Address>/ (e.g. https://192.168.1.1). 2. 3. 4. 5. Proceed with the Security Alert, click Yes. Click Install ASDM Launcher and Run ASDM. In the login window enter User Name and Password of the ASA 5505 and click OK. (Hint: default is blank for both) Click Open.
6. The Cisco ASDM Launcher installation starts. Click Next. 7. 8. Select the default Destination Folder or click Change. Click Next. Click Install to begin the installation.
9. Click Finish to exit the installation wizard. 10. Start ASDM by clicking the Cisco ASDM Launcher icon located on the desktop. 11. In the Cisco ASDM Launcher login window enter the IP Address, Username and Password of the ASA 5505 and click OK. Make sure that the Run in Demo Mode option is not selected.
12. Accept the web sites certificate by clicking Yes and by selecting Always trust content from this publisher.
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 30 SWX-XRS-MAN-20100216/E 16.02.2010
F.2.5 IPSec Tunnel Setup The following section gives step-by-step instructions about Cisco ASA 5505 Hardware Client configuration, enrolment and certificate handling.
F.2.6 Check Software Version of ASA 5505 Check that the software version of your Cisco ASA 5505 meets our recommendations listed in section 2.1.2 Supported Cisco VPN Hardware Clients. If it does not, you must download the correct version from the CVI Public Web and apply it on your device via the ASDM tool. Before rebooting the Cisco ASA 5505, delete the file of the old version.
F.2.7 Configure Group Authentication 1. Using ASDM, connect and logon to the hardware client. 2. 3. 4. 5. Go to the Configuration > Remote Access VPN > Easy VPN Remote pane. Select Enable Easy VPN Remote. In the Mode area, click Client mode. In the Group Settings area, click Pre-shared Key and enter the following parameters: a. b. 6. In the Group Name field, enter the value of Username (see [ A ]). In the Group Password and Confirm Group Password fields, enter the value of Password (see [ B ])
In the Easy VPN Server To Be Added area, enter vpn.swx.com in the field Name or IP Address and click Add.
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 31 SWX-XRS-MAN-20100216/E 16.02.2010
7. 8. F.2.8 Configure DNS
Click Apply. Save the configuration by clicking Save.
1. Go to the Configuration > Remote Access VPN > DNS pane. 2. 3. In the DNS lookup area, make sure that both interfaces have the DNS Enabled parameter set to Yes. If not click Enable. In the DNS Server Groups area, click Add and enter the following parameters: a. b. In the Name field enter a name. In the DNS Servers area, enter the IP address of the DNS Server in the field Server IP Address to Add and click Add. Perform this step for all IP Addresses listed in section 4 Network & Firewall Considerations and/or for the ones you are using. Click OK.
c. 4.
Click Apply.
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 32 SWX-XRS-MAN-20100216/E 16.02.2010
F.2.9 Download and Install CA Root Certificate 1. Access the CVI Public Website, as described above. 2. 3. 4. 5. 6. Click the link CVI Root Certificate and save the file on the PC (SWXVPNROOTCA.cer). Using ASDM, connect and logon to the hardware client. Go to the Configuration > Remote Access VPN > Certificate Management > CA Certificates pane. Click Add. Click Install from a file. You can either type the pathname of the file that you saved in step 2 in the box or you can click Browse and navigate to the file.
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 33 SWX-XRS-MAN-20100216/E 16.02.2010
7. 8.
Click Install Certificate. If the installation was successful, the following dialog box is displayed. Click OK.
F.2.10 Generate and Send Certificate Enrolment Request 1. Go to the Configuration > Remote Access VPN > Certificate Management > Identity Certificates pane. 2. 3. Click Add. Select the Add a new identity certificate option.
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 34 SWX-XRS-MAN-20100216/E 16.02.2010
4. 5. 6. 7.
Click New. Select Enter new key pair name and type SWX-SCAP-PRD-key in the box. In the Size box, select 1024. Select General purpose.
8. 9.
Click Generate Now. Click Select.
10. In the Certificate Subject DN dialog box, enter the following X509 attributes:
Attribute Common Name (CN) Value Username (provided in the sealed envelope [ ]) ermp01chv ermm01chv Name of your company (neither umlauts nor special characters)) The place where your company is located (neither umlauts nor special characters)) The state or province where your company is located (neither umlauts nor special characters)) Two-letter country abbreviation as used on the Internet (neither umlauts nor special characters))
Organizational Unit (OU) (Repo Production) Organizational Unit (OU) (Repo Membertest) Company Name (O) * Location (L) * State (St) *
Country (C)*
To enter these attributes, proceed as follows for each attribute: a. b. In the DN Attribute to be Added area, select an attribute from the Attribute pull-down menu. In the Value box, type the correct value (see table above) and click Add.
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 35 SWX-XRS-MAN-20100216/E 16.02.2010
11. When you have entered all attributes, click OK. 12. Click Add Certificate 13. The Identity Certificate Request dialog box opens. You can either type the pathname of the file in the box or you can click Browse. Please note that the file extension has to be .csr.
14. Click OK. 15. Open the .csr file with your editor and copy the content to the clipboard. 16. Go to the Private CVI web as described above. 17. Click send request in the menu Certificate and paste the certificate into the form provided. Click Send to confirm.
F.2.11 Install Certificate and Check IPSec Tunnel 1. Go to the Public CVI web as described above. 2. Retrieve the certificate by clicking download certificate in the menu Certificate and copying the certificate with the delimiters belonging to your request. Using ASDM, connect and logon to the hardware client. Go to the Configuration > Remote Access VPN > Certificate Management > Identity Certificates pane. Select the Identity Certificate and click Install.
3. 4. 5.
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 36 SWX-XRS-MAN-20100216/E 16.02.2010
6.
Select Paste the certificate data in base-64 format and paste it with the delimiters in the box.
7. 8. 9.
Click Install Certificate. If the import was successful, the following dialog box is displayed. Click OK. Switch from the pre-shared key (Group Authentication) to your installed certificate. Go to the Configuration > Remote Access VPN > Easy VPN Remote pane.
10. In the Group Settings area, click X.509 Certificate and choose your certificate from the drop-down list.
11. Click Apply. 12. The LED on the hardware client labelled VPN will turn off. 13. Save the configuration by clicking Save.
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 37 SWX-XRS-MAN-20100216/E 16.02.2010
14. Start the tunnel as follows: a. Go to Monitoring > VPN > Easy VPN Client > VPN Connection Status b. Click "Connect" c. Confirm Security Warning d. Click "Connect Now" e. Close Browser Window (hint: click "Refresh" to update status) 15. Please note that if for any reason the tunnel stops, it will not restart automatically. It has to be restarted manually as described above. F.2.12 Continuing Application Installation Assuming you have successfully connected to the Cisco ASA 5505 Hardware Client as instructed in the preceding chapter, you have now completed the installation of the Cisco ASA 5505 Hardware Client. However, before proceeding to install the application, one final step may be required:
F.2.12.1 DNS Configuration on Application PC To access the application servers through the Cisco ASA 5505 Hardware Client, the client PC (which will run the application) needs to know the virtual IP address of the application servers in the tunnel. There are two different scenarios that have different requirements. The client PC is directly attached to the Cisco ASA 5505 Hardware Client and the interface connecting the PC to the Cisco ASA 5505 Hardware Client is set to DHCP.
In this case, the Cisco Hardware Client can push the needed DNS via the DHCP protocol to the client and no further configuration is needed. There is a device, e.g. firewall, located between the Cisco Hardware Client and the client PC or the interface connecting the PC to the Cisco ASA 5505 Hardware Client is not set to DHCP.
In this case, either the client PC or the respective DNS have to be configured to forward domain name requests for the application servers name spaces, e.g. *prd.erm.swx.ch, to the DNS in the tunnel. The tunnel DNS can be reached under the IP addresses given below.
Domain Name Servers in IPSec Connection Tunnel 146.109.39.251 Data Center
Data Center B
Unrestricted
Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
Page 38 SWX-XRS-MAN-20100216/E 16.02.2010
146.109.39.252 146.109.55.251 146.109.55.252
Data Center B Data Center A Data Center A
To continue with the installation process, please refer to the applicationspecific installation guide.
Appendix G Infrastructure Service Provider (ISP) Contacts
G.1 Internet Connectivity
Contact your Internet Service Provider.
G.2 Managed IP Services
Provider BT Radianz Deutsche Brse Systems SwisscomVerizon Andreas Ferrario +41 79 818 14 93 [email protected] All countries Officer Harry Weder Tim Brackrock Thomas Rathgeb Phone No. +41 44 543 18 33 +49 69 2111 1690 +41 44 294 82 88 E-mail [email protected] [email protected] [email protected] Scope All countries All countries All countries
Unrestricted
You might also like
- The Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good LifeFrom EverandThe Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good Life4/5 (6129)
- The Gifts of Imperfection: Let Go of Who You Think You're Supposed to Be and Embrace Who You AreFrom EverandThe Gifts of Imperfection: Let Go of Who You Think You're Supposed to Be and Embrace Who You Are4/5 (1148)
- Never Split the Difference: Negotiating As If Your Life Depended On ItFrom EverandNever Split the Difference: Negotiating As If Your Life Depended On It4.5/5 (933)
- The Hard Thing About Hard Things: Building a Business When There Are No Easy AnswersFrom EverandThe Hard Thing About Hard Things: Building a Business When There Are No Easy Answers4.5/5 (361)
- Hidden Figures: The American Dream and the Untold Story of the Black Women Mathematicians Who Helped Win the Space RaceFrom EverandHidden Figures: The American Dream and the Untold Story of the Black Women Mathematicians Who Helped Win the Space Race4/5 (954)
- Devil in the Grove: Thurgood Marshall, the Groveland Boys, and the Dawn of a New AmericaFrom EverandDevil in the Grove: Thurgood Marshall, the Groveland Boys, and the Dawn of a New America4.5/5 (278)
- The World Is Flat 3.0: A Brief History of the Twenty-first CenturyFrom EverandThe World Is Flat 3.0: A Brief History of the Twenty-first Century3.5/5 (2283)
- A Heartbreaking Work Of Staggering Genius: A Memoir Based on a True StoryFrom EverandA Heartbreaking Work Of Staggering Genius: A Memoir Based on a True Story3.5/5 (692)
- GMCE Firmware Release Notes: Revision HistoryNo ratings yetGMCE Firmware Release Notes: Revision History34 pages
- Toaz - Info Netnumen U31 r18 v1210040 Alarm Handling Reference PRNo ratings yetToaz - Info Netnumen U31 r18 v1210040 Alarm Handling Reference PR42 pages
- Fieldserver Fs-8700-146 KNX: Driver ManualNo ratings yetFieldserver Fs-8700-146 KNX: Driver Manual15 pages
- Hacking - How To Hack, Penetrati - Alex Wagner PDF100% (1)Hacking - How To Hack, Penetrati - Alex Wagner PDF77 pages
- C Tibco R 7. R D: Onfiguring THE Endezvous X Outing AemonNo ratings yetC Tibco R 7. R D: Onfiguring THE Endezvous X Outing Aemon4 pages
- Website: Vce To PDF Converter: Facebook: Twitter:: 350-701.vceplus - Premium.Exam.102QNo ratings yetWebsite: Vce To PDF Converter: Facebook: Twitter:: 350-701.vceplus - Premium.Exam.102Q30 pages
- SSH Password Guessing: Linux Compromise and ForensicsNo ratings yetSSH Password Guessing: Linux Compromise and Forensics6 pages
- 12RG-S8600E Series Switch RGOS Configuration Guide, Release 11.0 (4) B8 - Specifications and LimitationsNo ratings yet12RG-S8600E Series Switch RGOS Configuration Guide, Release 11.0 (4) B8 - Specifications and Limitations13 pages
- The Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good LifeFrom EverandThe Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good Life
- The Gifts of Imperfection: Let Go of Who You Think You're Supposed to Be and Embrace Who You AreFrom EverandThe Gifts of Imperfection: Let Go of Who You Think You're Supposed to Be and Embrace Who You Are
- Never Split the Difference: Negotiating As If Your Life Depended On ItFrom EverandNever Split the Difference: Negotiating As If Your Life Depended On It
- The Hard Thing About Hard Things: Building a Business When There Are No Easy AnswersFrom EverandThe Hard Thing About Hard Things: Building a Business When There Are No Easy Answers
- Hidden Figures: The American Dream and the Untold Story of the Black Women Mathematicians Who Helped Win the Space RaceFrom EverandHidden Figures: The American Dream and the Untold Story of the Black Women Mathematicians Who Helped Win the Space Race
- Elon Musk: Tesla, SpaceX, and the Quest for a Fantastic FutureFrom EverandElon Musk: Tesla, SpaceX, and the Quest for a Fantastic Future
- The Emperor of All Maladies: A Biography of CancerFrom EverandThe Emperor of All Maladies: A Biography of Cancer
- The Yellow House: A Memoir (2019 National Book Award Winner)From EverandThe Yellow House: A Memoir (2019 National Book Award Winner)
- The Little Book of Hygge: Danish Secrets to Happy LivingFrom EverandThe Little Book of Hygge: Danish Secrets to Happy Living
- Devil in the Grove: Thurgood Marshall, the Groveland Boys, and the Dawn of a New AmericaFrom EverandDevil in the Grove: Thurgood Marshall, the Groveland Boys, and the Dawn of a New America
- The World Is Flat 3.0: A Brief History of the Twenty-first CenturyFrom EverandThe World Is Flat 3.0: A Brief History of the Twenty-first Century
- The Sympathizer: A Novel (Pulitzer Prize for Fiction)From EverandThe Sympathizer: A Novel (Pulitzer Prize for Fiction)
- A Heartbreaking Work Of Staggering Genius: A Memoir Based on a True StoryFrom EverandA Heartbreaking Work Of Staggering Genius: A Memoir Based on a True Story
- Team of Rivals: The Political Genius of Abraham LincolnFrom EverandTeam of Rivals: The Political Genius of Abraham Lincoln
- On Fire: The (Burning) Case for a Green New DealFrom EverandOn Fire: The (Burning) Case for a Green New Deal
- The Unwinding: An Inner History of the New AmericaFrom EverandThe Unwinding: An Inner History of the New America
- Toaz - Info Netnumen U31 r18 v1210040 Alarm Handling Reference PRToaz - Info Netnumen U31 r18 v1210040 Alarm Handling Reference PR
- Hacking - How To Hack, Penetrati - Alex Wagner PDFHacking - How To Hack, Penetrati - Alex Wagner PDF
- C Tibco R 7. R D: Onfiguring THE Endezvous X Outing AemonC Tibco R 7. R D: Onfiguring THE Endezvous X Outing Aemon
- Website: Vce To PDF Converter: Facebook: Twitter:: 350-701.vceplus - Premium.Exam.102QWebsite: Vce To PDF Converter: Facebook: Twitter:: 350-701.vceplus - Premium.Exam.102Q
- SSH Password Guessing: Linux Compromise and ForensicsSSH Password Guessing: Linux Compromise and Forensics
- 12RG-S8600E Series Switch RGOS Configuration Guide, Release 11.0 (4) B8 - Specifications and Limitations12RG-S8600E Series Switch RGOS Configuration Guide, Release 11.0 (4) B8 - Specifications and Limitations