HP T5720 - Compaq Thin Client User Manual

Cisco VPN Support for HP Thin Clients and Blade PCs


Cisco VPN Support for HP Thin Clients
and Blade PCs
Introduction......................................................................................................................................... 2
The Components.................................................................................................................................. 2
HP PC Client Computing Solutions ..................................................................................................... 2
Virtual Private Networks.................................................................................................................... 3
Cisco VPN Capabilities .................................................................................................................... 3
Implementation Prerequisites ................................................................................................................. 3
The Implementation .............................................................................................................................. 4
VPN Installation ............................................................................................................................... 4
Basic VPN Configuration .................................................................................................................. 4
VPN 3000 Appliance Settings ....................................................................................................... 5
End-Point Configuration .................................................................................................................... 8
Thin Client Firewall Exceptions ....................................................................................................... 8
Identifying required firewall modifications (Ports to open) .................................................................. 8
Firewall configuration ................................................................................................................... 9
Change Commitment to Enhanced Write Filter (EWF)...................................................................... 13
SSL VPN Access............................................................................................................................. 13
Thin Client SSL Access ................................................................................................................ 13
Blade PC SSL Access .................................................................................................................. 18
IPSEC VPN Access ......................................................................................................................... 18
Software Installation ................................................................................................................... 18
Thin Client and Blade PC IPSEC Access ........................................................................................ 19
Appendix A - CISCO 3560 Switch Configuration................................................................................. 23
For more information.......................................................................................................................... 25
HP Links: ....................................................................................................................................... 25
CISCO VPN Links: ......................................................................................................................... 25
Sun Microsystems Links: .................................................................................................................. 25


Summary of Contents for HP T5720 - Compaq Thin Client

  • Page 2: Introduction

    Introduction This white paper provides a reference implementation of layered security policy enforcement created by integrating HP thin clients and Consolidated Client Infrastructure (CCI) blade PCs with SSL and IPSEC VPN solutions from Cisco. The combination of HP thin clients and Consolidated Client Infrastructure (CCI) blade PCs provides a very robust, secure, and cost-effective computing solution that can be applied to any network.
  • Page 3: Virtual Private Networks

    Virtual Private Networks Advancements in computer networking have significantly changed the way people and organizations communicate and access information. Networks have become critical resources in many organizations, providing real-time communications and access, through both the Internet and enterprise intranets. As organizations take advantage of the benefits of making information available, they increasingly turn to virtual private networks (VPNs) to protect valuable proprietary information.
  • Page 4: The Implementation

    The Implementation VPN Installation This section covers use of a CISCO VPN 3000 appliance in conjunction with a CISCO layer 3 switch to ensure that thin clients and blade PCs meet configuration policy prior to connection with the trusted network segment. The network topology used in this reference implementation is found in Figure 1 below.
  • Page 5: Vpn 3000 Appliance Settings

    Access to the VPN3000 configuration screens is possible via serial port or via a WEB interface via the private Ethernet address. Screen captures for VPN3000 setup are shown below via the WEB console, although the terminal interface (serial port) was initially used to set 10.2.2.2 as the private interface address.
  • Page 6 2. From the initial VPN 3000 setup screen, click Configuration\Interfaces in the left panel. This brings up a graphical configuration window with hyperlinks to facilitate easy setup options. 3. Access private and public interface configuration options by clicking the appropriate links in the Interface column.
  • Page 7 4. The public interface window is shown in the following illustration. Select DHCP Client or Static IP Addressing, as appropriate for the public network. NOTE: For this reference implementation, the VPN 3000 concentrator has been assigned a static address of 10.1.1.1 and is connected via port #1 of a CISCO 3560, layer 3 switch. The physical switch has an internal address of 10.1.1.2 for routing within the switch.
  • Page 8: End-Point Configuration

    End-Point Configuration Thin Client Firewall Exceptions The HP t5720 XPe-based Thin Client is configured by default with the Sygate firewall actively blocking all ports except those required for basic Web browsing and RDP connections. The HP Compaq t5720 Thin Clients used in this reference white paper also had firewall port exceptions added for RGS, which accelerates graphics in a manner superior to RDP.
  • Page 9: Firewall Configuration

    Firewall Configuration 1. Reboot the t5720 and log on using an account with administrator privileges. This ensures that the thin client is in a known, clean OS state. 2. In the System Tray, right-click the Sygate icon. 3. Select Advanced Rules. 4.
  • Page 10 8. Select a specific network interface card or the default, All network interface cards. 9. On the Applications tab, click Clear All to ensure no prior application is selected. 10. Scroll down and select Deterministic Networks. You could also click Browse and browse to c:\windows\system32\drivers\dne2000.sys to select the t5720 network driver.
  • Page 11 12. On the Ports and Protocols tab in the Protocol list, select UDP. 13. Type 8905,8906 in the Local field. 14. In the Traffic Direction list, select Both. 15. Click OK. 16. Next, let’s add a rule for VPN UDP traffic. First, in the Advanced Rules window, click Add. 17.
  • Page 12 19. In the Apply Rule to Network Interface field, ensure that the proper network interface card is selected. 20. On the Ports and Protocols tab in the Protocol list, select TCP. 21. Type 500,1562,8905,8906,62515 in the Remote field. 22. In the Traffic Direction list, select Both. 23.
  • Page 13: Change Commitment To Enhanced Write Filter (Ewf)

    24. At this point, scroll down in the Sygate Advanced Rules window to ensure that the two new VPN policies are defined and active. Change Commitment to Enhanced Write Filter (EWF) At this point the Clean Access Agent is installed on the HP t5720 Thin Client. Note, however, that these image changes are not permanent.
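    The firewall steps on pages 9 through 13 add two host-firewall exceptions: one for UDP with local ports 8905,8906 and one for TCP with remote ports 500,1562,8905,8906,62515, both applied in both traffic directions. The following Python is an added example, not part of the white paper and not Sygate's code: it models those two rules as data and evaluates sample flows against them, then reports which local ports the policy actually exposes. First-match evaluation, a default block action and the meaning of "Both" are assumptions about the firewall's semantics; the sample flows are constructed.

```python
"""Model of the host-firewall exceptions from the Firewall Configuration
steps, used to audit what the policy exposes. Rule semantics (first match
wins, default block) are assumptions, not Sygate's documented behaviour."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "block"
    protocol: str                            # "TCP" or "UDP"
    local_ports: frozenset = frozenset()     # empty means any local port
    remote_ports: frozenset = frozenset()    # empty means any remote port
    direction: str = "Both"                  # "Both", "Incoming", "Outgoing"


def ports(spec):
    """Parse the comma-separated port list typed into the rule dialog."""
    return frozenset(int(p) for p in spec.split(","))


# The two rules the procedure adds (port values taken from the page).
VPN_RULES = [
    Rule("allow", "UDP", local_ports=ports("8905,8906")),
    Rule("allow", "TCP", remote_ports=ports("500,1562,8905,8906,62515")),
]


@dataclass(frozen=True)
class Flow:
    protocol: str
    local_port: int
    remote_port: int
    direction: str                           # "Incoming" or "Outgoing"


def matches(rule, flow):
    """True when every constraint the rule carries is satisfied by the flow."""
    if rule.protocol != flow.protocol:
        return False
    if rule.direction != "Both" and rule.direction != flow.direction:
        return False
    if rule.local_ports and flow.local_port not in rule.local_ports:
        return False
    if rule.remote_ports and flow.remote_port not in rule.remote_ports:
        return False
    return True


def decide(rules, flow, default="block"):
    """First matching rule decides; otherwise the default (assumed block)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return default


def exposed_ports(rules):
    """(protocol, local port) pairs reachable inbound. An allow rule that
    restricts only the remote port leaves every local port open to a peer
    that uses one of those remote ports, reported here as '*'."""
    out = set()
    for rule in rules:
        if rule.action != "allow" or rule.direction == "Outgoing":
            continue
        if rule.local_ports:
            out.update((rule.protocol, p) for p in rule.local_ports)
        else:
            out.add((rule.protocol, "*"))
    return out


if __name__ == "__main__":
    # Constructed sample flows, not traffic captured from the reference setup.
    for flow in (Flow("UDP", 8905, 40000, "Incoming"),
                 Flow("UDP", 500, 500, "Outgoing"),
                 Flow("TCP", 3389, 62515, "Incoming")):
        print(flow, "->", decide(VPN_RULES, flow))
    print("exposed:", sorted(map(str, exposed_ports(VPN_RULES))))
```

    The audit function is the point of the model: it makes visible that the second rule, because it is keyed on remote ports only, accepts inbound TCP to any local port as long as the peer's source port is in the list, which is worth knowing before committing the rules to the write filter.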
  • Page 14 3. Log into WebVPN Services with valid VPN credentials. Valid credentials can be stored on an internal database on the VPN 3000 concentrator or on an internal user database, or they can be an external RADIUS authentication. For this reference implementation, we are using credentials stored on an internal user database on the VPN 3000 concentrator.
  • Page 15 5. Two windows are launched that allow access to Web sites and Web-enabled applications on the private interface. In this reference implementation, a few Web server URLs are pre-configured for one click access: VPN 3000 Configuration, Webmail and Benefit Access. This configuration.
  • Page 16 6. At this point, entering any allowed URL (http and/or https as configured on the VPN console via private interface) is allowed. To verify that the private network is accessible, type https://10.2.2.2 into the WebVPN Services window. This should launch the VPN 3000 manager Web page.
  • Page 17 8. JRE must be installed on the client. If it is not already configured, go to the Sun Microsystems Web site at http://www.sun.com/download/index.jsp to download the latest JRE. As of the writing of this white paper, the latest t5720-compatible JRE is the 6.2 release, as shown below. Download JRE and proceed with the installation instructions.
  • Page 18: Blade Pc Ssl Access

    Blade PC SSL Access Blade PC access from public interface to the Private network follows the same steps for thin clients. The exception is that there is no requirement to commit the write filter to ensure that JRE software is permanently added to the blade PC software image. Provided that JRE is installed with administrative privileges, the software is added to the image on the blade.
  • Page 19: Thin Client And Blade Pc Ipsec Access

    Thin Client and Blade PC IPSEC Access 1. Launch the CCA VPN client previously installed by clicking Start > All Programs > Cisco Systems VPN Client > VPN Client, as shown below. 2. Click on New icon within the VPN Client status window.
  • Page 20 3. Type a name and host IP address for this connection (MyVPN and 10.1.1.1 for this reference implementation). Select Group Authentication as configured above and type the group name/password. NOTE: while group information is entered, authentication is still required from the user. If the group information is not provided here, the user is required to enter both group name/password and user name/password.
  • Page 21 5. Enter a username and password authorized to access VPN 3000 concentrator. As in the case of WebVPN above, the user is greeted with a configurable banner screen upon successful connection. For this reference, a simple VPN Connection Ac message is used. NOTE: this message provides an excellent opportunity to list policy restrictions governing the use of VPN and to allow the user to accept or deny those policies! 6.
  • Page 22 7. At this point, the internal network is fully accessible via IP tunnel. We can validate this initially by pinging an address from the private network. For this reference implementation, there is a Cisco NAC appliance at 10.3.3.3, so let’s make sure there is connectivity by opening a command prompt and directly pinging (shown below).
  • Page 23: Appendix A - Cisco 3560 Switch Configuration

    Appendix A – CISCO 3560 Switch Configuration
    Switch#show configuration
    Using 4021 out of 524288 bytes
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname Switch
    no aaa new-model
    vtp mode transparent
    ip subnet-zero
    ip routing
    ip dhcp excluded-address 10.5.5.1 10.5.5.5
    ip dhcp excluded-address 10.6.6.1 10.6.6.5...
  • Page 24
     spanning-tree portfast
    interface FastEthernet0/10
     description **CAS CLIENT INTERFACE**
     switchport access vlan 5
     snmp trap mac-notification added
     spanning-tree portfast
    interface FastEthernet0/11
     switchport access vlan 6
     switchport mode access
     snmp trap mac-notification added
     spanning-tree portfast
    interface Vlan1
     no ip address
    interface Vlan2
     ip address 10.2.2.2 255.255.255.0
    interface Vlan3
     ip address 10.3.3.2 255.255.255.0...
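    Appendix A reproduces the running configuration of the CISCO 3560 that fronts the VPN 3000 and the NAC appliance. The following Python is an added example, not part of the white paper and not Cisco tooling: it parses an IOS-style configuration into per-interface records so that the access-VLAN, IP-address and MAC-notification settings can be checked programmatically rather than by eye. The embedded configuration is a constructed sample modelled on the Appendix A excerpt (it adds a hypothetical FastEthernet0/12 that lacks the MAC-notification trap, to give the audit something to flag); the one-space sub-command indentation is the usual IOS layout and is assumed here.

```python
"""Parser and small audit for an IOS-style switch configuration such as the
Appendix A dump. Constructed sample input; not the full reference config."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on Appendix A. FastEthernet0/12 is hypothetical,
# added so the audit below has an access port without the MAC-notification trap.
SAMPLE_CONFIG = """\
version 12.2
hostname Switch
ip dhcp excluded-address 10.5.5.1 10.5.5.5
ip dhcp excluded-address 10.6.6.1 10.6.6.5
interface FastEthernet0/10
 description **CAS CLIENT INTERFACE**
 switchport access vlan 5
 snmp trap mac-notification added
 spanning-tree portfast
interface FastEthernet0/11
 switchport access vlan 6
 switchport mode access
 snmp trap mac-notification added
 spanning-tree portfast
interface FastEthernet0/12
 switchport access vlan 6
 spanning-tree portfast
interface Vlan1
 no ip address
interface Vlan2
 ip address 10.2.2.2 255.255.255.0
interface Vlan3
 ip address 10.3.3.2 255.255.255.0
"""


@dataclass
class Interface:
    name: str
    description: str = ""
    access_vlan: Optional[int] = None
    ip_address: Optional[str] = None
    netmask: Optional[str] = None
    mac_notification: bool = False
    portfast: bool = False


@dataclass
class SwitchConfig:
    hostname: str = ""
    dhcp_excluded: List[Tuple[str, str]] = field(default_factory=list)
    interfaces: Dict[str, Interface] = field(default_factory=dict)


def parse_ios_config(text: str) -> SwitchConfig:
    """Walk the config line by line; unindented lines are global commands or
    start an interface block, indented lines belong to the current block."""
    cfg = SwitchConfig()
    current: Optional[Interface] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        indented = raw.startswith(" ")
        line = raw.strip()
        if not indented:
            current = None
            if line.startswith("interface "):
                current = Interface(name=line.split(None, 1)[1])
                cfg.interfaces[current.name] = current
            elif line.startswith("hostname "):
                cfg.hostname = line.split(None, 1)[1]
            elif line.startswith("ip dhcp excluded-address "):
                parts = line.split()
                cfg.dhcp_excluded.append((parts[3], parts[4]))
            continue
        if current is None:
            continue
        if line.startswith("description "):
            current.description = line[len("description "):]
        elif line.startswith("switchport access vlan "):
            current.access_vlan = int(line.split()[-1])
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)):
            current.ip_address, current.netmask = m.group(1), m.group(2)
        elif line == "snmp trap mac-notification added":
            current.mac_notification = True
        elif line == "spanning-tree portfast":
            current.portfast = True
    return cfg


def access_ports_without_mac_notification(cfg: SwitchConfig) -> List[str]:
    """Access ports (those with an access VLAN) that do not raise the
    MAC-notification trap the client-facing ports in Appendix A rely on."""
    return sorted(i.name for i in cfg.interfaces.values()
                  if i.access_vlan is not None and not i.mac_notification)


if __name__ == "__main__":
    parsed = parse_ios_config(SAMPLE_CONFIG)
    for name, iface in parsed.interfaces.items():
        print(name, iface.access_vlan, iface.ip_address, iface.mac_notification)
    print("missing mac-notification:", access_ports_without_mac_notification(parsed))
```

    Feeding a real `show configuration` capture to `parse_ios_config` works the same way as the sample, provided the capture keeps its line breaks; the run-together text on this page would first need to be restored to one command per line.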
  • Page 25: For More Information

    Sun Microsystems Links: http://www.sun.com/download/index.jsp • © 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
