Chapter 7 Configuring Centralized Management Groups

This chapter describes how to configure centralized management groups (CMG) using the administration GUI. Centralized management enables you to administer configurations on a group of Screens remotely.

The following information describes how to use the administration GUI. For an example of a CMG setup, see the SunScreen 3.2 Configuration Examples manual.

The following table lists the procedures in this chapter.

Table 7-1 Procedures for Centralized Management

"To Generate an IKE or SKIP Certificate on the Primary Screen"

"To Associate the IKE or SKIP Primary Screen's Certificate with the Primary Screen Object"

"To Put the IKE or SKIP Primary Screen's Certificate on the Secondary Screen"

"To Add the IKE or SKIP Primary Screen Object to the Secondary Screen"

"To Generate an IKE or SKIP Certificate for the Secondary Screen"

"To Modify the IKE or SKIP Secondary Screen Object"

"To Configure the Secondary Screen for Management by the Primary Screen"

"To Add the Secondary Screen's Certificate ID to the Primary Screen"

"To Add a Secondary Screen Object to the Primary Screen"

"To Define the Secondary Screen's Interfaces on the Primary Screen"

"To Add a New Address Group to the Primary Screen"

"To Configure the Primary Screen to Manage the Secondary Screens"

CMG Overview

A centralized management group is comprised of a primary Screen and a number of secondary Screens. The primary Screen, where all configuration objects reside, manages both itself and the centralized management group's secondary Screens. The primary Screen's function is to push policy configurations to the secondary Screens in the CMG. This capability enables you to manage many Screens effectively from one location.

To configure a centralized management group, you have to exchange certificate information between the CMG primary and secondary Screens, then add these certificates, along with the Admin IP address information and encryption algorithms for the respective Screens, to the Screen objects.

On the CMG primary Screen, you need to specify each interface present on any secondary Screen. These interface definitions should include the related Screen object to make them Screen-specific.

Finally, you must add packet filtering rules to both the primary and secondary Screens so the primary Screen can push its policy to the secondary Screens.

CMG Requirements

Many configurations require cluster members to pass through a firewall in order to communicate with the primary Screen. In these configurations, any firewall being traversed must contain packet filtering rules that allow certain traffic from the primary Screen to pass through its interfaces to the secondary Screen or Screens. These rules must include the following services:

• SKIP

• Certificate Discovery Protocol

• IPsec/IKE

---

Note -

Although SKIP and IPsec are different protocols and cannot interoperate (SKIP can communicate with any release of SKIP, but not with IPsec.) , you can have SKIP rules and IPsec rules on both machines as long as there is no host overlap. That is, you may set the secondary Screen up to use SKIP to encrypt all traffic between A and B and IPsec to encrypt all traffic between A and C. For this type of setup, the CMG primary Screen should have as its ADMIN_CERTIFICATE a certificate group containing one SKIP and one IKE certificate. Each secondary Screen will have as its ADMIN_CERTIFICATE either a SKIP or an IKE certificate and the appropriate encryption parameters.

---

CMG Configuration Tasks

The following steps outline the workflow in setting up a centralized management group (CMG). Detailed steps for each task are provided in the following sections.

1. Generate a certificate for the primary Screen (if needed.)

2. On the primary Screen, associate this Certificate with the primary Screen object.

3. Add the primary Screen certificate to the secondary Screen.

4. Add a Screen object for the primary Screen to the secondary Screen.

5. Generate a certificate for the secondary Screen (if needed.)

6. On the secondary Screen, modify the secondary Screen object.

7. Add new rules on the secondary Screen allowing it to be managed by the primary Screen, and activate the policy.

8. Add the secondary Screen certificate to the primary Screen.

9. Add a Screen object for the secondary Screen to the primary Screen.

10. Add a new address group on the primary Screen.

11. Define the secondary Screen's interfaces on the primary Screen.

12. Add new rules on the primary Screen allowing it to manage the secondary Screen.

13. On the primary Screen, activate the policy for the CMG.

Basic Centralized Management Procedure

1. Choose a policy in the Policies List page.

   

2. Click the Edit button.

   The Policy Rules page appears.

   

To Generate an IKE or SKIP Certificate on the Primary Screen

If you selected remote administration during SunScreen installation, a certificate was automatically generated for the Screen, using the primary Screen's hostname with a .admin suffix. You can use this certificate to configure centralized management; you do not need to generate a new certificate.

If you did not select remote administration during SunScreen installation, perform the following steps on the primary Screen to generate a new certificate:

1. Execute the steps in "Basic Centralized Management Procedure".

2. Select Certificate from the Type list.

   

3. (SKIP only) Select Generate SKIP UDH from the Add New list.

   The certificate dialog box appears with options for the type of key to generate. The default value for the type is highest available.

   

4. (SKIP only) Type the name of the CMG's primary Screen (with the suffix .admin) in the Name field of the Certificate dialog box.

   In this example, boss is the primary CMG Screen's host name.

5. (SKIP only) Click the Generate New UDH button.

   Once generated, the Certificate ID field contains the Certificate Identifier for the CMG's primary Screen. You use the name of the Certificate Object (as specified in the Name field) to configure the secondary Screen.

6. (IKE only) Select Generate IKE Certificate from the Add New list.

   The certificate dialog box appears with options for the type of key to generate. The default value for the type is highest available.

   

7. (IKE only) Type the name of the CMG's primary Screen (with the suffix .admin) in the Name field of the Certificate dialog box.

   In this example, boss is the primary CMG Screen's host name.

8. Fill in the remainder of the fields as called out in "To Generate an IKE Certificate".

9. (IKE only) Click the Generate button.

   The IKE certificate is generated. You use the name of the Certificate Object (as specified in the Name field) to configure the secondary Screen.

10. Click the OK button.

To Associate the IKE or SKIP Primary Screen's Certificate with the Primary Screen Object

Perform the following steps on the primary Screen:

1. Execute the steps in "Basic Centralized Management Procedure".

2. Select Screen from the Type list.

   

3. Click the Search button.

   The results area now contains the name of the CMG's primary Screen.

4. Select the name of the CMG's primary Screen in the Results area.

   Information about the Screen appears in the Details field

5. Click the Edit button.

   The Screen dialog box appears.

   

6. Click the Primary/Secondary tab.

   Be sure the IP address of the primary Screen appears in the Administrative IP Address field. If it is not present, provide it now.

   

7. Type the name of the CMG Primary's Certificate name (the Primary name with the suffix .admin) in the Administration Certificate field of the Primary/Secondary page.

   This action associates the certificate with the CMG's primary Screen.

8. Click the OK button.

To Put the IKE or SKIP Primary Screen's Certificate on the Secondary Screen

Perform the following steps on the secondary Screen:

1. Execute the steps in "Basic Centralized Management Procedure".

2. Select Certificate from the Type list.

   

3. (SKIP only) Select Associate SKIP Certificate from the Add New list.

   The Certificate dialog box appears.

   

4. (SKIP only) Type the primary Screen name (with .admin suffix) in the Name field.

5. (SKIP only) In the Certificate ID field, type the Certificate ID of the primary Screen.

6. (IKE only) Select Associate IKE Certificate from the Add New List.

   The certificate dialog box appears.

   

7. (IKE only) Type the primary Screen name (with .admin suffix) in the Name field.

8. (IKE only) In the Distinguished Name field, type the Distinguished Name of the primary Screen.

9. Click the OK button.

To Add the IKE or SKIP Primary Screen Object to the Secondary Screen

Perform the following steps on the secondary Screen:

1. Execute the steps in "Basic Centralized Management Procedure".

2. Select Screen from the Type list.

   

3. Click the Add New button.

   The Screen dialog box appears with the Miscellaneous tab selected.

   

4. Type the name of the CMG's primary Screen in the Name field.

5. Click the Primary/Secondary tab.

   Be sure the IP address of the primary Screen appears in the Administrative IP Address field. If it is not present, provide it now.

6. Type the name of the CMG Primary's Certificate name (the Primary name with the suffix .admin) in the IKE or SKIP Administration Certificate field of the Primary/Secondary page.

7. Click the OK button.

To Generate an IKE or SKIP Certificate for the Secondary Screen

---

Note -

If you selected Remote Administration during SunScreen installation, a certificate was automatically generated for the Screen. This certificate has a name containing the primary Screen's hostname with a .admin suffix. You can use this certificate to configure Centralized Management; you do not have to generate a new certificate.

---

Perform the following steps on the secondary Screen:

1. (IKE only) Follow the steps in "To Generate an IKE Certificate".

2. (SKIP only) Follow the steps in "To Generate SKIP UDHs Certificates".

To Modify the IKE or SKIP Secondary Screen Object

Perform the following steps on the secondary Screen:

1. Execute the steps in "Basic Centralized Management Procedure".

2. Select Screen from the Type list.

   

3. Click the Search button.

4. Select the name of the CMG's secondary Screen from the Results area.

5. Click the Edit button.

   The Screen dialog box appears.

6. Select the Primary/Secondary tab in the Screen dialog box.

   

7. Select Secondary from the High Availability pulldown.

   

8. If not present, type the administration IP address of the CMG's secondary Screen in the Administration IP Address field.

9. (IKE only) Type the secondary Screen certificate name in the IKE Administration Certificate field.

   In this example, the name is efs-u5.admin.

10. (SKIP only) Type the secondary Screen certificate name in the SKIP Administration Certificate field.

    In this example, the name is efs-u5.admin.

11. Click the OK button.

To Configure the Secondary Screen for Management by the Primary Screen

Perform the following steps from the CMG secondary Screen.

---

Note -

The configuration changes in this step allow the primary Screen to download a policy to the secondary Screen. Once a policy is downloaded, the changes are no longer in effect. To download additional policies, see "To Configure the Primary Screen to Manage the Secondary Screens".

---

1. Execute the steps in "Basic Centralized Management Procedure".

2. Click the Packet Filtering tab of the Policy Rules area.

   The policy rules that are currently defined for this policy are displayed.

3. Click the Add New button in the Policy Rules area.

   The Rule Definition dialog box appears.

   

4. Type 1 for the Rule Index.

   This index will make the rule the first rule that gets enforced. You must place this rule before any other rule that could conflict with it. If you do not place it first, the primary Screen may not be able to manage the secondary Screen.

5. Fill in the following fields with real values for your configuration (values are provided for this example):

   Screen

   efs-u5

   Service

   certificate discovery (SKIP only)

   Source

   boss

   Destination

   efs-u5

   Action

   ALLOW

   You can leave default values in all the other fields.

6. Click the OK button.

7. (SKIP only) Repeat Steps 2 through 6 using a Service of skip instead of certificate discovery

8. Verify that the rule definitions are correct.

   The packet filtering rules should look like those in the following figure:

   

9. Create address groups for each interface on the secondary Screen:

   1. From the Type list in the Common Objects area, select Address.

   2. Select New Group from the Add New list.

   3. Type the name of the address group that you wish to use (bos_le0 for example).

   4. Add the address objects to the Include and Exclude lists.

      ---

      Note -

      If the objects you need to make the appropriate group are not present, you may press Cancel. Follow the instructions in "To Add a Group of Addresses" to create the necessary objects, then return to this section and start again at Step a.

      ---

   5. Click the OK button.

10. Define each interface on the secondary Screen as follows:

    1. Select Interface from the Type list.

       

    2. Select New from the Add New list.

       The Interface Definition window appears.

       

    3. Fill in the Interface, Type, Address Group, and Screen fields.

    4. Click the OK button.

To Add the Secondary Screen's Certificate ID to the Primary Screen

Perform the following steps on the primary Screen:

1. Execute the steps in "Basic Centralized Management Procedure".

2. Select Certificate from the Type list.

   

3. Select Associate SKIP Certificate from the Add New list.

   The Certificate dialog box appears.

   

4. Type the secondary Screen name (with .admin suffix) in the Name field.

   

5. In the Certificate ID field, type the Certificate ID of the CMG's secondary Screen.

6. Click the OK button.

To Add a Secondary Screen Object to the Primary Screen

Although SunScreen EFS 3.0 and 3.1 primary Screens can push rules to 3.2 secondary Screens, they can only do so using the functionality of the primary Screen's software release. A SunScreen primary Screen, however, can manage SunScreen EFS Version 3.0 and 3.1 secondary Screens effectively. If in doubt, install the latest software release on the primary Screen.

Perform the following steps on the primary Screen:

1. Execute the steps in "Basic Centralized Management Procedure".

2. Select Screen from the Type list.

   

3. Click the New button.

   The Screen dialog box appears with the Miscellaneous tab selected.

4. Type the name of the CMG's secondary Screen in the Name field then click the Primary/Secondary tab.

   

5. Select the primary Screen object name by selecting it from the Primary Name list.

   This action tells the secondary Screen the name of its primary Screen.

6. Be sure the IP address of the secondary Screen appears in the Administrative IP Address field.

7. Type the CMG secondary certificate name (the Secondary name with the suffix .admin) in the Administration Certificate field of the Primary/Secondary page.

8. To edit either the SKIP or IKE parameters, click the appropriate Edit button.

9. Click the OK button.

To Add a New Address Group to the Primary Screen

Perform the following steps on the primary Screen:

1. Execute the steps in "Basic Centralized Management Procedure".

2. Select Address from the Type list.

   

3. Select New Group from the Add New list.

   The Address dialog box appears.

   

4. Type the name of the Address Group.

   In this example, you create the Address Group efs-u5_le0 to be used for the interface definition on the secondary Screen.

5. Select the name of the secondary Screen from the Screen list.

   In this example, the Screen name is efs-u5.

6. Click the OK button.

   Select the address objects to include and exclude from this address group. If the required object is not listed, click the Cancel button and follow the instructions in "To Add a Group of Addresses". After you create the required objects, return to this section and start again.

To Define the Secondary Screen's Interfaces on the Primary Screen

Perform the following steps on the primary Screen:

1. Execute the steps in "Basic Centralized Management Procedure".

2. Select Interface from the Type list.

   

3. Select New from the Add New list.

   The Interface Definition dialog box appears.

   

4. Define the interfaces of the secondary Screen:

   The interface definition for efs-u5_le0 is shown in this figure. You must define each of the secondary Screen's interfaces on the primary Screen as follows, and each definition must contain one of the following:

   Interface

   The actual interface name on the secondary Screen

   Type

   STEALTH, ROUTING, or ADMIN

   Screen

   Screen name as defined in the Screen object

   Address Group

   Valid addresses for this interface

   The Interface Definition dialog box is now identical on both screens.

5. Click the OK button.

To Configure the Primary Screen to Manage the Secondary Screens

Perform this task on the CMG primary Screen. It adds policy rules to allow the primary Screen to pass management traffic through the secondary Screen's interfaces.

1. Execute the steps in "Basic Centralized Management Procedure".

2. Select the Packet Filtering tab of the Policy Rules area.

   The policy rules that are currently defined for this policy are displayed.

3. Click the Add New Rule button in the Policy Rules area.

   The Rule Definition dialog box appears.

   

4. Type 1 for the Rule Index.

   ---

   Note -

   This index makes this rule the first rule that gets enforced. You must place this rule before any other rule that could conflict with it. If you do not place it first, the primary Screen may not be able to manage the secondary Screen.

   ---

5. Fill in the following fields with real values for your configuration (values are provided for this example):

   Screen

   efs-u5

   Service

   certificate discovery (SKIP only)

   Source

   boss

   Destination

   efs-u5

   Action

   ALLOW

   You can leave default values in all the other fields.

6. Click the OK button.

7. (SKIP only) Repeat Steps 1 through 5 using a service of skip instead of certificate discovery.

8. Verify that the rule definitions are correct.

   The packet filtering rules should look like the following:

   

9. Create address groups for each interface on the secondary Screen using the instructions in "To Add a New Address Group to the Primary Screen".

10. Define each of the secondary Screens's interfaces using the instructions in "To Define the Secondary Screen's Interfaces on the Primary Screen".

11. From the primary Screen, activate the policy to push it to all the CMG secondary Screens.

---

Note -

Be sure to activate the policy on the secondary Screen first so it will be able to receive the pushed policy from the primary Screen.

---