CVI SCAP Migration Guide
Page 1: CVI SCAP Migration Guide

Unrestricted

Documentation marked 'Confidential' is intended only for the parties on the distribution list and may not be supplied or made available to third parties without the express consent of SIX Group Ltd or the companies associated with SIX Group Ltd (referred to below as SIX Group Ltd). The information contained in this document is given without warranty, implies no obligation of any kind on the part of SIX Group Ltd and may be altered by SIX Group Ltd at any time without further notice. To the extent permitted by law, SIX Group Ltd accepts no liability whatsoever for any errors contained in this document. SIX Group Ltd is under no obligation whatsoever to draw attention to such errors. Technical documentation must be used only in conjunction with the correct software version and may be used and copied only in accordance with the terms of the licence. All software described in the technical documentation is supplied on the basis of a licence agreement and may be used or copied only in accordance with the terms of the said licence agreement.

© Copyright SIX Group Ltd, 06.2009. All rights reserved. All trademarks observed.

Eurex Repo / SecLend

CVI to SCAP Migration Guide

SWX-XRS-MAN-20100216/E, 16.02.2010

This manual provides a technical overview on how to migrate the VPN infrastructure from the CVI to the SCAP environment.

Eurex Repo / SecLend Page iii CVI to SCAP Migration Guide SWX-XRS-MAN-20100216/E Introduction 16.02.2010

Table of Contents

1 Introduction
1.1 Purpose & Scope
1.2 Definitions & Abbreviations
1.3 References
1.4 Outstanding Issues
1.5 Timescales
1.6 Contact
2 Technical Requirements
2.1 Cisco VPN Clients
2.1.1 Supported Cisco VPN Software Clients
2.1.2 Supported Cisco VPN Hardware Clients
3 Connectivity Options
4 Network & Firewall Considerations
4.1 SIX IPSec Endpoints for IPSec Hardware and Software Clients
4.2 DNS Servers without IPSec Tunnel Connection
4.3 DNS Servers with IPSec Tunnel Connection
4.4 NTP Server for Hardware and Software Clients
4.5 Web Servers
4.6 Eurex Repo / SecLend Application Servers
4.7 HTTP Proxy Server Exceptions
5 Migration in 3 Steps
5.1 Step 1 – Get Old VPN Certificate Information
5.2 Step 2 – Contact Technical Helpdesk
5.3 Step 3 – Set up New VPN Connection to the SCAP Environment
5.3.1 Cisco VPN Software Client
5.3.2 Cisco VPN 3002 Hardware Client
5.3.3 Cisco ASA 5505 Hardware Client
6 Connecting Eurex Repo / SecLend Application via New VPN Infrastructure
6.1 Adapt TradingClientGUI.config
6.2 Update USP Proxy Configuration
Appendix A – Connectivity Options
A.1 Connectivity Options
A.1.1 Internet Connectivity
A.1.2 Managed IP Services
Appendix B – How to Access the CVI Web
B.1 Eurex Repo Sealed Envelope
B.2 Accessing the CVI Public Web
B.3 Accessing the CVI Private Web


Appendix C – Network Setup
C.1 Network Setup with a Hardware or Software Client
C.1.1 Ports Used for IP Traffic to Hardware or Software Clients
C.1.2 SIX Swiss Exchange IPSec endpoints for IPSec Hardware and Software Clients
C.2 NTP Server for Hardware and Software Clients
Appendix D – Installation: Cisco VPN Software Client
D.1 Installation Checklist
D.2 Basic Setup
D.2.1 Cisco VPN Software Client Installation
D.2.1.1 Download Cisco VPN Software and Connection Entries
D.2.1.2 Install Cisco VPN Client Software
D.2.1.3 Import CA Root Certificate
D.2.1.4 Reinstall the Cisco VPN Software Client
D.3 IPSec Tunnel Setup
D.3.1 Obtain Personal Certificate
D.3.2 Import Connection Entry
D.3.3 Import Personal Certificate
D.3.4 Assign Certificate to Connection Entry
D.3.5 Check IPSec Tunnel
Appendix E – Installation: Cisco VPN 3002 Hardware Client
E.1 Installation Checklist
E.2 Basic Setup
E.2.1 IPSec Tunnel Setup
E.2.2 Check Software Version
E.2.3 Configure Group Authentication
E.2.4 Establish VPN Connection
E.2.5 Download and Install CA Root Certificate
E.2.6 Generate and Send Certificate Enrolment Request
E.2.7 Install Certificate and Check IPSec Tunnel
E.2.8 Continuing Application Installation
E.2.8.1 DNS Configuration on Application PC
Appendix F – Installation: Cisco ASA 5505 Hardware Client
F.1 Installation Checklist
F.2 Basic Setup
F.2.1 Cisco ASDM Setup
F.2.2 Check Software Version of ASDM
F.2.3 Cisco ASDM Installation on the ASA 5505
F.2.4 Cisco ASDM Installation on the PC
F.2.5 IPSec Tunnel Setup
F.2.6 Check Software Version of ASA 5505
F.2.7 Configure Group Authentication
F.2.8 Configure DNS
F.2.9 Download and Install CA Root Certificate
F.2.10 Generate and Send Certificate Enrolment Request
F.2.11 Install Certificate and Check IPSec Tunnel
F.2.12 Continuing Application Installation
F.2.12.1 DNS Configuration on Application PC


Appendix G – Infrastructure Service Provider (ISP) Contacts
G.1 Internet Connectivity
G.2 Managed IP Services


1 Introduction

SIX Swiss Exchange will replace its current VPN infrastructure, the Common VPN Infrastructure (CVI). This manual describes the steps needed to migrate from the Common VPN Infrastructure (CVI) to the SIX Common Access Portal (SCAP) infrastructure. Please note that the SIX Common Access Portal (SCAP) is based on CVI v4 and v5; the name CVI is therefore sometimes used for both the old and the new environment.

1.1 Purpose & Scope

SIX Swiss Exchange aims to standardise VPN access to its different services. The benefits of this standardisation for Participants are:

- A higher number of carriers who offer lines to our systems.

- Support for the new VPN hardware client, the Cisco ASA 5505.

- Higher flexibility to increase or decrease bandwidth within a shorter time period.

In addition, a high number of CVI certificates expire in February 2010 and have to be renewed. Since CVI v4 uses different root certificates, a migration is required in any case.

1.2 Definitions & Abbreviations

Term/Abbreviation Explanation

CVI Common VPN Infrastructure

SCAP SWX Common Access Portal

SIX SIX Swiss Exchange

SSL Secure Sockets Layer

SWXess SIX Swiss Exchange Trading Platform

SWX SWX Swiss Exchange. Former name of SIX Swiss Exchange

VPN Virtual Private Network

1.3 References

This document relates to the following documents:


Reference | Document Title | Applicable Reference and Version | Location & Link
1 | SCAP - SIX Connectivity Guide | SWX-SCAP-CNTY-GUID700/E | https://www.swx.com/members/cvi/scap.html
2 | Hardware and Software Requirements | SWX-XRS-HWSW-REQ107/E | http://www.eurexrepo.com/publications/

1.4 Outstanding Issues

Routers cannot be used for connections to Eurex Repo / SecLend.

SWXess connectivity options such as Ethernet Service, Optical Link and Proximity Service cannot be used for connections to Eurex Repo / SecLend.

Lines connected to SWXess cannot be used for connecting to Eurex Repo / SecLend.

Tunnels established for SWXess cannot be used for Eurex Repo / SecLend.

1.5 Timescales

The migration period will run for 3 months. After that, only connections to the SCAP environment will be accepted.

Please refer to the corresponding MSC Messages for the specific dates. MSC Messages are published here: http://www.eurexrepo.com/support/news.html

A high number of CVI certificates expire in February 2010 and have to be renewed. SIX Swiss Exchange strongly recommends migrating before the old certificate expires, since an expired CVI certificate can no longer be used to establish the old tunnel.

1.6 Contact

For further information about specific issues, please contact your Eurex Repo Technical Helpdesk:

Geneva: +41 58 854 2028

London: +44 20 7864 4334

Zurich: +41 58 854 2488


2 Technical Requirements

This chapter gives an overview of the requirements for the old CVI infrastructure and the new SCAP infrastructure.

Please note that SIX Swiss Exchange does not provide any hardware equipment, only a software client kit and accompanying software for participants using the Cisco VPN 3002 or Cisco ASA 5505 Hardware Client.

2.1 Cisco VPN Clients

The following tables give an overview of the supported Cisco VPN Clients for the old CVI infrastructure and the new SCAP infrastructure.

2.1.1 Supported Cisco VPN Software Clients

Cisco VPN Software Client Type Old (CVI) New (SCAP)

Cisco VPN Software Client V5.0.03.0560

Cisco VPN Software Client V4.8.02.0010

Cisco VPN Software Client V4.6.02.0011

2.1.2 Supported Cisco VPN Hardware Clients

Cisco VPN Hardware Client Type Old (CVI) New (SCAP)

Cisco ASA 5505 Hardware Client V8.0(4)28, ASDM 6.2.3

Cisco VPN 3002 Hardware Client V4.7.2.P

Cisco VPN 3002 Hardware Client V4.7.2.x

Cisco VPN 3002 Hardware Client V4.1.7.J

3 Connectivity Options

For an overview and details of the different connectivity options, see A.1 Connectivity Options.

If you have a Managed IP Service connection to Eurex Repo / SecLend, please contact your Infrastructure Service Provider (ISP) to determine the measures needed. You can find a list of contacts in Appendix G – Infrastructure Service Provider (ISP) Contacts.


4 Network & Firewall Considerations

4.1 SIX IPSec Endpoints for IPSec Hardware and Software Clients

The table below gives the FQDN and IP addresses of the SIX Swiss Exchange IPSec endpoints for hardware and software clients for the old CVI infrastructure and the new SCAP infrastructure.

Old (CVI)

Membertest, Data Center A:
vpntest.swx.com 146.109.129.40 (virtual IP address)
vpntest1.swx.com 146.109.129.41
vpntest2.swx.com 146.109.129.42

Production, Data Center A:
vpnprodsn.swx.com 146.109.129.10 (virtual IP address)
vpnprodsn1.swx.com 146.109.129.11
vpnprodsn2.swx.com 146.109.129.12

Production, Data Center B:
vpnprodht.swx.com 146.109.128.10 (virtual IP address)
vpnprodht1.swx.com 146.109.128.11
vpnprodht2.swx.com 146.109.128.12

Production, both data centers:
vpnprod.swx.com 146.109.129.10, 146.109.128.10 (virtual IP addresses)

New (SCAP), Membertest and Production

Data Center A:
vpnzs.swx.com 146.109.0.10 (virtual IP address)
vpnzs01.swx.com 146.109.0.11
vpnzs02.swx.com 146.109.0.12

Data Center B:
vpnzh.swx.com 146.109.64.10 (virtual IP address)
vpnzh01.swx.com 146.109.64.11
vpnzh02.swx.com 146.109.64.12

Both data centers:
vpn.swx.com 146.109.0.10, 146.109.64.10 (virtual IP addresses)

4.2 DNS Servers without IPSec Tunnel Connection

The following table gives an overview of the DNS servers reachable without an IPSec connection in the old CVI infrastructure and the new SCAP infrastructure. These DNS servers resolve the VPN endpoints listed in 4.1; they must therefore be reachable before any tunnel is up.

Data Center | Old (CVI) | New (SCAP)
Data Center A | 146.109.128.244 | 146.109.66.249
Data Center A | 146.109.129.244 | 146.109.66.250
Data Center B | 146.109.129.241 | 146.109.2.249
Data Center B | 146.109.129.242 | 146.109.2.250


4.3 DNS Servers with IPSec Tunnel Connection

The following table gives an overview of the DNS servers reachable only inside the IPSec tunnel in the old CVI infrastructure and the new SCAP infrastructure. These DNS servers resolve the Eurex Repo / SecLend application servers listed in 4.6.

Data Center | Old (CVI) | New (SCAP)
Data Center A | 172.31.5.157 | 146.109.55.251
Data Center A | 172.31.4.157 | 146.109.55.252
Data Center B | 172.29.0.140 | 146.109.39.251
Data Center B | 172.29.0.139 | 146.109.39.252
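Sections 4.1 and 4.2 together define what a correct pre-migration state looks like: the SCAP DNS servers reachable without a tunnel must return, for each SCAP endpoint name, only the addresses documented above. A practitioner will want to confirm this from the participant network before the firewall allow-list is changed. The following Python script is an added example and not part of this guide or of any SIX software: it builds a raw DNS A query, sends it to one of the documented DNS servers (UDP/53), parses the answer including compressed names, and checks that every returned address is one of the documented ones. Only the endpoint and DNS server addresses are taken from the guide; the transaction id, the timeout and the build_response helper (which fabricates a response so the parser can be exercised offline) are the example's own. The same functions can be pointed at the in-tunnel DNS servers of 4.3 with the application server names of 4.6 once a tunnel is up.

```python
"""Query a documented SCAP DNS server directly and compare the answer with section 4.1."""
import socket
import struct

# Documented SCAP IPSec endpoints (section 4.1 of the guide).
SCAP_ENDPOINTS = {
    "vpn.swx.com": {"146.109.0.10", "146.109.64.10"},
    "vpnzs.swx.com": {"146.109.0.10"},
    "vpnzs01.swx.com": {"146.109.0.11"},
    "vpnzs02.swx.com": {"146.109.0.12"},
    "vpnzh.swx.com": {"146.109.64.10"},
    "vpnzh01.swx.com": {"146.109.64.11"},
    "vpnzh02.swx.com": {"146.109.64.12"},
}
# Documented SCAP DNS servers reachable without a tunnel (section 4.2).
SCAP_DNS_SERVERS = ("146.109.66.249", "146.109.66.250",
                    "146.109.2.249", "146.109.2.250")


def encode_name(name):
    """Encode a host name as length-prefixed DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid):
    """Build a standard recursive A/IN query with the given transaction id."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def read_name(msg, offset):
    """Decode a name that may use compression pointers; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("too many compression pointers")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset if end is None else end


def parse_a_records(msg, txid):
    """Return the set of IPv4 addresses in the answer section of a response."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4
    addrs = set()
    for _ in range(an):
        _, offset = read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return addrs


def check_endpoint(name, answer):
    """True when the answer is non-empty and contains only documented addresses."""
    return bool(answer) and answer <= SCAP_ENDPOINTS[name]


def query_server(server, name, txid=0x4242, timeout=3.0):
    """Ask one specific DNS server (UDP/53) for the A records of name."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_a_records(data, txid)


def build_response(query, addrs, ttl=300):
    """Constructed response for offline testing: echoes the question, answers with addrs."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
                   for a in addrs)
    return header + query[12:] + rrs


if __name__ == "__main__":
    for server in SCAP_DNS_SERVERS:
        for fqdn in sorted(SCAP_ENDPOINTS):
            try:
                answer = query_server(server, fqdn)
                status = "OK" if check_endpoint(fqdn, answer) else "MISMATCH"
            except (OSError, ValueError) as exc:
                answer, status = set(), "ERROR %s" % exc
            print("%-15s %-18s %-8s %s" % (server, fqdn, status, sorted(answer)))
```

The check accepts a subset rather than an exact match because vpn.swx.com is documented with two virtual addresses and a server may legitimately return only one. Plain UDP DNS without DNSSEC can be spoofed on the path, so a clean result confirms that the resolution path works, not that the endpoint is genuine; endpoint authenticity rests on the IPSec certificate validation done by the Cisco clients, and the firewall allow-list should be written from the documented addresses, not from whatever the resolver returned.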

4.4 NTP Server for Hardware and Software Clients

Please refer to C.2 NTP Server for Hardware and Software Clients

4.5 Web Servers

To access the SCAP public and private websites you need to have access to the following URLs:

Old (CVI)
CVI Public Web login page: https://www.six-swiss-exchange.com/members/cvi/software_en.html
CVI Private Web via enrolment tunnel: http://www.mbt.cvi.swx.ch/prvweb/login (Membertest), http://www.prd.cvi.swx.ch/prvweb/login (Production)

New (SCAP)
SCAP Public Web login page (SSL): https://www.six-swiss-exchange.com/members/cvi/scap.html
SCAP Private Web (SSL): https://vpn.swx.com


4.6 Eurex Repo / SecLend Application Servers

The table below gives the FQDN and IP addresses of the Eurex Repo / SecLend application servers for the old CVI infrastructure and the new SCAP infrastructure.

Environment | Old (CVI) | Old IP Address | New (SCAP) | New IP Address
Membertest | www.mbt.erm.swx.ch / rmtws.mbt.erm.swx.ch | 172.29.1.61, 172.29.1.62 | rmtws.pn.swx | 146.109.49.254, 146.109.33.254
Membertest | www1.mbt.erm.swx.ch / rmtws1.mbt.erm.swx.ch | 172.29.1.62 | rmtws1.pn.swx | 146.109.49.254
Membertest | www2.mbt.erm.swx.ch / rmtws2.mbt.erm.swx.ch | 172.29.1.61 | rmtws2.pn.swx | 146.109.33.254
Production | www.prd.erm.swx.ch / rprws.prd.erm.swx.ch | 172.31.4.180, 172.31.5.180 | rprws.pn.swx | 146.109.48.254, 146.109.32.254
Production | www1.prd.erm.swx.ch / rprws1.prd.erm.swx.ch | 172.31.5.180 | rprws1.pn.swx | 146.109.48.254
Production | www2.prd.erm.swx.ch / rprws2.prd.erm.swx.ch | 172.31.4.180 | rprws2.pn.swx | 146.109.32.254

4.7 HTTP Proxy Server Exceptions

Access to the various online features provided by Eurex Repo / SecLend (Member Page with Newsboard, Online Help and Statistics, for Membertest and Production) is not possible via a web proxy server, because these sites are reached through the Cisco VPN Client tunnel. For these specific hosts you therefore need to ensure that any HTTP proxy server configured on the client PC is bypassed.

The following HTTP proxy server exceptions have to be set in your web browser:

Old (CVI): *.swx.ch
New (SCAP): *.pn.swx (for application servers) and *.ps.swx (for SCAP Private Web)

5 Migration in 3 Steps

For the migration period you can run VPN connections to the old CVI environment and to the new SCAP environment in parallel. This allows you to set up the new VPN connections while the traders still connect via the old CVI environment. You do not have to inform us about your migration.


5.1 Step 1 – Get Old VPN Certificate Information

The sealed envelope containing the “CVI Personal Certificate Download Information” is still valid for your SCAP credentials. SIX Swiss Exchange will not send out the sealed envelopes again.

The credentials for your current CVI certificates will automatically be renamed and migrated to SCAP. “VPN Entrypoint ID” and “Username” will change to a higher number, as illustrated below:

Old CVI Credentials in Sealed Envelope:
CVI Personal Certificate Download Information
Environment: Membertest / Production
Participant Name: Participant Full Name
CVI Group Authentication Name: cvienvusr
CVI Group Authentication Password: enrlpasswd
VPN Entrypoint ID: 123
Certificate Type: 0
Username: ERMM01123
Password: cvipassword

New SCAP Credentials:
The information from your sealed envelope is still valid. Only the VPN Entrypoint ID and the Username will change. You will get an e-mail from the technical helpdesk with these updates. See: 5.2 Step 2 – Contact Technical Helpdesk
VPN Entrypoint ID: 789
Certificate Type: 0
Username: ERMM016789
Password: cvipassword

Environment | Old CVI Certificate Name | IP Address | New SCAP Certificate Name | IP Address
Membertest | ERMM01abcd | 172.x.x.x | ERMM01efgh | 10.x.x.x
Production | ERMP01abcd | 172.x.x.x | ERMP01efgh | 10.x.x.x

Your current certificates will be “renamed” to a higher number and will get a different IP address (10.x.x.x) assigned. The certificate with the lowest number in the old CVI name will correspond to the one with the lowest number in the new SCAP name.

Passwords will remain the same for the new certificates as for the corresponding old ones (see sealed envelope).
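The pairing rule above (within an environment, the lowest old number corresponds to the lowest new number, the new number is higher, and the sealed-envelope password carries over) is easy to get wrong by hand when a participant holds several certificates per environment. The following Python functions are an added example and not part of this guide: they implement the rule over the helpdesk list of old and new names and refuse to pair lists that do not satisfy it. The ERMM01/ERMP01 prefixes follow the naming shown in the table; the assumption that the suffix is purely numeric, and all names and passwords in the test data, are the example's own.

```python
"""Pair old CVI certificate names with their SCAP successors by the rule in section 5.1."""
import re

# Environment prefix (ERMM01 Membertest, ERMP01 Production) followed by a number,
# as in ERMM01abcd -> ERMM01efgh. A purely numeric suffix is an assumption.
CERT_NAME = re.compile(r"^(ERM[MP]01)(\d+)$")


def parse_cert_name(name):
    """Split a certificate name into (environment prefix, numeric suffix)."""
    m = CERT_NAME.match(name)
    if not m:
        raise ValueError("unexpected certificate name: %r" % name)
    return m.group(1), int(m.group(2))


def _by_environment(names):
    """Group names by environment prefix as (number, name) tuples."""
    groups = {}
    for name in names:
        env, number = parse_cert_name(name)
        groups.setdefault(env, []).append((number, name))
    return groups


def pair_certificates(old_names, new_names):
    """Return [(old_name, new_name), ...] following the lowest-to-lowest rule.

    Raises ValueError when the environments or counts differ, or when a new
    name does not carry a higher number than the old one it replaces.
    """
    old, new = _by_environment(old_names), _by_environment(new_names)
    if set(old) != set(new):
        raise ValueError("environments differ: old=%s new=%s" % (sorted(old), sorted(new)))
    pairs = []
    for env in sorted(old):
        olds, news = sorted(old[env]), sorted(new[env])
        if len(olds) != len(news):
            raise ValueError("%s: %d old but %d new certificates" % (env, len(olds), len(news)))
        for (old_num, old_name), (new_num, new_name) in zip(olds, news):
            if new_num <= old_num:
                raise ValueError("%s is not a higher number than %s" % (new_name, old_name))
            pairs.append((old_name, new_name))
    return pairs


def scap_passwords(pairs, old_passwords):
    """Carry the sealed-envelope password of each old certificate over to its new name."""
    return {new_name: old_passwords[old_name] for old_name, new_name in pairs}
```

Keep the password mapping in a credential store rather than in a script; the dictionary in scap_passwords only shows that the lookup is keyed by the old name, which is the only place the sealed envelope ties a password to.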

5.2 Step 2 – Contact Technical Helpdesk

As soon as you have assembled all the VPN Entrypoint information, please contact the Eurex Repo Technical Helpdesk to get an e-mail with a list of your current and your new certificates (without passwords).

If you do not remember your passwords you can request new sealed envelopes with the technical helpdesk.


5.3 Step 3 – Set up New VPN Connection to the SCAP Environment

You have to do a full enrolment process for each certificate to establish a connection to the new SCAP environment.

5.3.1 Cisco VPN Software Client

To establish a Cisco VPN Software Client connection please refer to Appendix D – Installation: Cisco VPN Software Client

5.3.2 Cisco VPN 3002 Hardware Client

To establish a Cisco VPN 3002 Hardware Client connection please refer to Appendix E – Installation: Cisco VPN 3002 Hardware Client

5.3.3 Cisco ASA 5505 Hardware Client

To establish a Cisco ASA 5505 Hardware Client connection please refer to Appendix F – Installation: Cisco ASA 5505 Hardware Client


6 Connecting Eurex Repo / SecLend Application via New VPN Infrastructure

As soon as you have set up the new VPN connections you can connect your Eurex Repo / SecLend trading applications via the new infrastructure. You only have to adapt either the TradingClientGUI.config file or the USP Proxy (Concentrator) registry files, depending on how you connect.

6.1 Adapt TradingClientGUI.config

To connect a Eurex Repo / SecLend Trading Client GUI directly via the new SCAP infrastructure, you have to adapt the TradingClientGUI.config file with the new Eurex Repo / SecLend application servers.

Please note that you have to log on as a member of the administrator group to adapt the settings in the TradingClientGUI.config file.

In the TradingClientGUI.config file (located by default in “C:\Program Files\SWX Swiss Exchange\Eurex Repo Trading GUI [environment]”) change the following parameter:

For the Membertest environment: swx.ric.IPaddress = rmtws.pn.swx

For the Production environment: swx.ric.IPaddress = rprws.pn.swx

6.2 Update USP Proxy Configuration

If you connect your Trading Client GUI through a USP Proxy (Concentrator), you do not have to change the GUI settings; instead, update the registry entries of the USP Proxy with the new Eurex Repo / SecLend application servers.

In our download section we will provide new registry files to configure your USP Proxy. Download the new registry files and execute the appropriate one (Membertest or Production).

Please note that you have to logon as a member of the administrator group to update the registry files.

SCAP_M01_USP_Proxy_config.reg (Configuration for Membertest M01 environment)

SCAP_M02_USP_Proxy_config.reg (Configuration for Membertest M02 environment)

SCAP_P01_USP_Proxy_config.reg (Configuration for Production P01 environment)

To connect the USP Proxy to the appropriate environment, proceed as follows:


1. Stop both USP processes (USP-RPC and USP-BCT), by closing the DOS windows.

2. Execute the appropriate registry file for the Membertest or the Production environment. This will update the system registry.

3. Restart both USP processes using the desktop icons or restart the PC to automatically start the processes.

4. To reconnect the USP Proxy to the other environment, proceed as above in steps 1 - 3.
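Step 2 executes a downloaded .reg file with administrator rights, and regedit applies whatever the file contains: it can create or overwrite values anywhere in the registry and delete whole keys. Before running it, a practitioner will want to see exactly which keys and values it touches and that all of them lie under the USP Proxy subtree. The following Python script is an added example and not part of this guide or of the SIX download: it parses .reg syntax (key sections, string/dword/hex values, value and key deletions, wrapped hex lines) and reports anything a reviewer should look at. The guide does not publish the USP Proxy registry layout, so the allowed subtree, the value names and the whole SAMPLE_REG contents are constructed assumptions; replace ALLOWED_KEY_PREFIXES with the key your installation actually uses.

```python
"""List what a .reg file would write or delete before executing it as administrator."""
import re

# Assumed subtree of the USP Proxy settings (not documented in the guide).
ALLOWED_KEY_PREFIXES = (r"HKEY_LOCAL_MACHINE\SOFTWARE\SWX\USP Proxy",)

KEY_LINE = re.compile(r"^\[(-?)(HKEY_[^\]]*)\]$")
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

# Constructed sample in regedit syntax; key and value names are assumptions.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\SWX\USP Proxy\RPC]
"RemoteHost"="rmtws.pn.swx"
"RemotePort"=dword:00001f90

[HKEY_LOCAL_MACHINE\SOFTWARE\SWX\USP Proxy\BCT]
"RemoteHost"="rmtws.pn.swx"
"Legacy"=-
"Flags"=hex:01,00,\
  00,00

[-HKEY_LOCAL_MACHINE\SOFTWARE\SWX\USP Proxy\Old]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\tools\\update.exe"
"""


def parse_reg(text):
    """Parse .reg text into [{'key', 'delete', 'values': [(name, raw, deleted)]}]."""
    entries, current = [], None
    lines = text.lstrip("\ufeff").splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or \
                line.upper().startswith(("WINDOWS REGISTRY EDITOR", "REGEDIT4")):
            continue
        m = KEY_LINE.match(line)
        if m:
            current = {"key": m.group(2), "delete": m.group(1) == "-", "values": []}
            entries.append(current)
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else \
                m.group(1).replace('\\"', '"').replace("\\\\", "\\")
            raw = m.group(2).strip()
            while raw.endswith("\\"):  # hex values wrap with a trailing backslash
                raw = raw[:-1] + lines[i].strip()
                i += 1
            current["values"].append((name, raw, raw == "-"))
            continue
        raise ValueError("unrecognised line %d: %r" % (i, line))
    return entries


def decode_value(raw):
    """Decode regedit value syntax into (type, value)."""
    if raw == "-":
        return "delete", None
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return "string", raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return "dword", int(raw[6:], 16)
    if raw.lower().startswith("hex"):
        _, _, data = raw.partition(":")
        return "binary", bytes(int(b, 16) for b in data.split(",") if b)
    raise ValueError("unsupported value syntax: %r" % raw)


def written_values(entries):
    """Map (key, value name) to the decoded value for everything the file would set."""
    out = {}
    for entry in entries:
        if entry["delete"]:
            continue
        for name, raw, deleted in entry["values"]:
            if not deleted:
                out[(entry["key"], name)] = decode_value(raw)[1]
    return out


def review(entries, allowed_prefixes=ALLOWED_KEY_PREFIXES):
    """Findings to resolve before running the file: deletions, binary blobs, foreign keys."""
    findings = []
    for entry in entries:
        key = entry["key"]
        if not any(key.lower().startswith(p.lower()) for p in allowed_prefixes):
            findings.append("writes outside the expected subtree: %s" % key)
        if entry["delete"]:
            findings.append("deletes the whole key: %s" % key)
        for name, raw, deleted in entry["values"]:
            if deleted:
                findings.append("deletes value %r under %s" % (name, key))
            elif decode_value(raw)[0] == "binary":
                findings.append("binary value %r under %s; inspect its bytes" % (name, key))
    return findings


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for (key, name), value in sorted(written_values(parsed).items()):
        print("SET  %s\\%s = %r" % (key, name, value))
    for finding in review(parsed):
        print("WARN %s" % finding)
```

Run it against the downloaded SCAP_M01/M02/P01 file instead of SAMPLE_REG (read the file with the encoding regedit wrote, usually UTF-16 for "Version 5.00" files) and resolve every WARN line with the helpdesk before step 2; a correct configuration file for the USP Proxy has no business writing under the Run key or deleting keys.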


Appendix A – Connectivity Options

A.1 Connectivity Options

There are two connectivity options: Internet or Managed IP Service.

A.1.1 Internet Connectivity

This connectivity option offers a simple and cost-effective solution designed to meet the needs of participants with low bandwidth requirements, such as participants with a low daily trading volume.

Participants order the service from an Internet Service Provider and handle all maintenance issues themselves. Please note that bandwidth availability can never be guaranteed for Internet connections.

Establishing multiple IPSec tunnels by deploying multiple hardware or software clients is possible.


A.1.2 Managed IP Services

This connectivity option is designed for participants who want to outsource their network activities, e.g. monitoring. The monitoring is hosted by a Managed IP Service provider. However, the procurement of the required hardware and the setup and maintenance of the IPSec tunnel remain the participant’s responsibility.

Providers with a POP at SIX that offer Managed IP service are:

BT Radianz

Deutsche Börse Systemes

Swisscom-Verizon

Appendix B – How to Access the CVI Web

B.1 Eurex Repo Sealed Envelope

You should have received a sealed envelope containing the “CVI Personal Certificate Download Information”. Below is an example using fictional values:

This envelope contains important information for downloading your CVI Personal Certificate. You should have received a separate communication entitled "CVI - Common VPN Infrastructure Setup", which explains how to establish a VPN connection using the VPN details below. For further information, see the Eurex Repo Installation Guide or contact the Eurex Repo Technical Helpdesk.

Eurex Repo Technical Helpdesk
Zürich   +41 (0)58 854 24 88
Geneva   +41 (0)58 854 20 28
London   +44 (0)20 7864 4334
E-Mail: [email protected]

CVI Personal Certificate Download Information
Environment:                        Production
Participant Name:                   Participant Full Name
CVI Group Authentication Name:      cvienvusr
CVI Group Authentication Password:  enrlpasswd
VPN Entrypoint ID:                  123
Certificate Type:                   0
Username:                           cviuser
Password:                           cvipassword


B.2 Accessing the CVI Public Web

To access the CVI Public Web, proceed as follows (an Internet connection is required):

1. Start the browser and enter the following address to open the CVI Public Web login page: https://www.six-swiss-exchange.com/members/cvi/scap.html

2. Log in to the CVI Public Web with your Group Authentication Username [ ] and Password [ ] provided in the sealed envelope.

You are now logged in to the CVI Public Web (see figure below).

B.3 Accessing the CVI Private Web

To be able to access the CVI Private Web via SSL, you must be able to access the Internet.

1. Start the browser and enter the following address to open the SCAP login page: https://vpn.swx.com.

2. In the Security Alert dialog boxes, click Yes.

The “SCAP – SWX Common Access Portal” login page is displayed.


3. Log in to SCAP using the Username [ A ] and Password [ B ] from the Sealed Envelope. The CVI Private Web login page is displayed.

4. Log in to the CVI Private Web with your VPN entrypoint account Username [ ] and Password [ ] provided in the sealed envelope.

You are now logged in to the CVI Private Web.


Appendix C – Network Setup

C.1 Network Setup with a Hardware or Software Client

Hardware and software clients are connected through a point-to-point connection. They do not offer OSI layer 3 network redundancy. However, it is possible to set up manual network failover upstream of the client.


C.1.1 Ports Used for IP Traffic to Hardware or Software Clients

The table below indicates what IP traffic must be permitted through which ports between the hardware or software client and the SIX IPSec endpoint. Which rows are required depends on whether IPSec over UDP or IPSec over TCP is used.

IP Protocol No.   Name    Port   Purpose
17                UDP     500    IKE
50                IPSec   None   ESP
17                UDP     4500   IPSec via NAT-T
17                UDP     4501   IPSec via UDP
6                 TCP     4501   IPSec via TCP
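As an added example, not taken from this guide, the Python script below turns the port table into a checker that reports which table entries a firewall policy still lacks for the chosen transport mode. The protocol numbers, ports and purposes are those of the table above; the mapping of rows to transport modes (the table's "Required for" column) and the sample policies are assumptions made for this example.

```python
"""Added example (not part of the CVI to SCAP Migration Guide): compare a
firewall policy against the C.1.1 port table for a given IPSec transport mode.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# IP protocol numbers as used in the guide's table (and in IANA's registry).
UDP, TCP, ESP = 17, 6, 50


@dataclass(frozen=True)
class Rule:
    proto: int            # IP protocol number
    port: Optional[int]   # destination port; None for protocols without ports (ESP)
    purpose: str


# All rows of the C.1.1 table.
PORT_TABLE = (
    Rule(UDP, 500, "IKE"),
    Rule(ESP, None, "ESP"),
    Rule(UDP, 4500, "IPSec via NAT-T"),
    Rule(UDP, 4501, "IPSec via UDP"),
    Rule(TCP, 4501, "IPSec via TCP"),
)

# ASSUMPTION for this example: with IPSec over UDP the client needs IKE, ESP and
# the two UDP encapsulation ports; with IPSec over TCP both IKE and ESP are
# carried inside TCP 4501, so only that row applies. The guide's own table
# records this in its "Required for" column.
REQUIRED = {
    "udp": [r for r in PORT_TABLE if r.purpose != "IPSec via TCP"],
    "tcp": [r for r in PORT_TABLE if r.purpose == "IPSec via TCP"],
}


def missing_rules(mode: str, permitted: Set[Tuple[int, Optional[int]]]):
    """Return the table rows for `mode` that the policy `permitted`
    (a set of (protocol number, port) pairs) does not yet allow."""
    return [r for r in REQUIRED[mode] if (r.proto, r.port) not in permitted]


def describe(rules) -> str:
    """Human-readable summary of a list of rules, one per line."""
    return "\n".join(
        f"  proto {r.proto:<3} port {str(r.port):<5} {r.purpose}" for r in rules
    )


if __name__ == "__main__":
    # Constructed sample policy: only IKE and ESP are currently permitted.
    policy = {(UDP, 500), (ESP, None)}
    for mode in ("udp", "tcp"):
        gaps = missing_rules(mode, policy)
        print(f"IPSec over {mode.upper()}: {len(gaps)} rule(s) missing")
        print(describe(gaps))
```

Run the script as-is to see the gaps for the constructed policy, or replace `policy` with the (protocol, port) pairs your firewall actually permits towards the SIX IPSec endpoint.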

C.1.2 SIX Swiss Exchange IPSec endpoints for IPSec Hardware and Software Clients

The table below gives the FQDNs and IP addresses of the SIX IPSec endpoints for hardware and software clients. Connecting to the URL https://vpn.swx.com is load-balanced to one or the other data center.

Data Center A                                      Data Center B
vpnzh.swx.com     146.109.64.10 (virtual IP address)   vpnzs.swx.com     146.109.0.10 (virtual IP address)
vpnzh01.swx.com   146.109.64.11                        vpnzs01.swx.com   146.109.0.11
vpnzh02.swx.com   146.109.64.12                        vpnzs02.swx.com   146.109.0.12


C.2 NTP Server for Hardware and Software Clients

We recommend synchronizing your application system times with SIX Swiss Exchange time. Both hardware and software clients will be able to access the SIX Swiss Exchange Public NTP time server via the IPSec tunnel. The NTP server addresses are given below:

NTP Server Addresses
146.109.39.251
146.109.39.252
146.109.55.251
146.109.55.252

Appendix D – Installation: Cisco VPN Software Client

This section explains how to install the Cisco VPN Software Client as well as the associated configuration files and certificates.

D.1 Installation Checklist

A summary of the required steps is given in the table below, which can be used as a checklist:

Task                 Description                                          Done
Basic Setup          How to Set up a New Software Client
                     Download Software
                     Download Connection Entry and Root Certificate
                     Install Software
Enrolment            Import Root Certificate
                     Generate and Send Certificate Enrolment Request
                     Download Personal Certificate
                     Import Connection Entry
                     Import Root & Personal Certificate
                     Assign Certificate to Environment Connection Entry
IPSec Tunnel Setup   Check IPSec Tunnel


D.2 Basic Setup

Please follow the official documentation from Cisco to complete the basic setup of the software client.

SIX provides four public DNS servers (without an IPSec tunnel) for participants who are using Managed IP Services and do not have DNS support:

Data Center A Data Center B

146.109.66.249 146.109.2.249

146.109.66.250 146.109.2.250

These DNS servers can be entered when configuring the software client; they resolve the hostname (vpn.swx.com) used by SCAP.

D.2.1 Cisco VPN Software Client Installation

D.2.1.1 Download Cisco VPN Software and Connection Entries

1. Access the CVI Public Website, as described above.

2. Download and save the following items:

Cisco VPN Tunnel Software

Connection entry file (SWX_CVI.pcf)

CVI Root Certificate (SWXVPNROOTCA.cer)

D.2.1.2 Install Cisco VPN Client Software

On your PC, you only need to install the Cisco VPN Software Client once. If the Cisco VPN software is already installed, proceed with section D.2.1.3 Import CA Root Certificate.

Double click the Cisco VPN Software Client file you downloaded in the previous step and follow the prompts. After the installation is finished, you may be prompted to reboot the PC. Please do so before proceeding.

D.2.1.3 Import CA Root Certificate

1. Start the Cisco VPN Client (click the Start button, then point to All Programs, Cisco Systems VPN Client and click VPN Client).


2. Select the Certificates tab in the VPN client, click the Import icon and click the Browse button to select the CA Root Certificate (SWXVPNROOTCA.cer) you downloaded before.

3. Do not specify any password in the various Password fields. Click the Import button to finish importing the certificate. A dialog box confirms the success of this operation. Click the OK button.

4. To display the CA Root Certificate in the VPN Client, select the Certificates menu and click on Show CA/RA Certificates to enable this option.

D.2.1.4 Reinstall the Cisco VPN Software Client

In case of any failures of the Cisco VPN Subsystem, it is advisable to reinstall the software.

Reinstallation is also necessary when a new NIC (network interface card) has been installed. The Cisco VPN Software Client does not automatically detect a new interface, which leaves the Cisco Virtual Adapter with an outdated, non-functional setting. This makes it mandatory to reinstall the software.

When reinstalling, please note that all settings, connection entries as well as certificates are backed up and automatically re-imported upon installation of either the same, or a newer version of the Cisco VPN Software Client. It is strongly recommended to uninstall the software and reboot the system, prior to installation.

D.3 IPSec Tunnel Setup

This section describes the steps required to establish a connection.

D.3.1 Obtain Personal Certificate

1. Select the Certificates tab in the VPN client, click the Enroll icon. In the Certificate Enrolment window select File and enter the following parameters:

Parameter       Value
File encoding   Base-64
Filename        A freely chosen filename having the .csr extension (e.g. c:\ERMP01xxxx.csr)
New Password    A freely chosen password (minimum length 6 characters)


2. Click the Next button. This will open a new Certificate Enrolment window. Enter the following parameters to generate the certificate request:

Parameter         Value
Name (CN)*        Username (provided in the sealed envelope [ ])
Department (OU)   ermp01csw (Repo Production)
                  ermm01csw (Repo Membertest)
Company (O)       Name of your company (neither umlauts nor special characters)
State (ST)        The state where your company is located (without umlaut)
Country (C)       Country two-letter abbreviation as used in the internet (neither umlauts nor special characters)
E-Mail (E)        Leave blank
IP Address        Leave blank
Domain            Leave blank

Fields marked with * should contain meaningful values. However, they are not validated.

3. Click the Enroll button to generate a certificate enrolment request. A dialog box confirms the success of this operation. Click the OK button.

4. Open the Certificate enrolment request file created in the previous step with a text editor, and copy the entire content with the delimiters to the clipboard.

5. Go to the Public CVI web as described and click the link Private CVI VPN Homepage (via SSL connection).

6. Click send request in the menu Certificate and paste the certificate into the provided form. Click Send to confirm.

7. On the next page, click download certificate in the menu Certificate, copy the generated certificate including the delimiters into a text file and save this file on the PC with a .cer extension (e.g. ERMP012345.cer).

D.3.2 Import Connection Entry

Select the Connection Entries tab in the VPN client, click the Import icon and select the connection entry file that you downloaded.


By default, the connection entry is configured to use Transparent Tunnelling (IPSec over UDP). Depending on your network, you may be required to change the Transport settings.

D.3.3 Import Personal Certificate

1. Select the Certificates tab in the VPN client, click the Import icon and click the Browse button to select the personal certificate you downloaded.

The Import Password in the upper section is the one you entered before. It is strongly recommended to enter a New Password in the fields at the bottom of the dialog - if you do not enter a New Password, it will be blank and therefore your certificate will not be protected.

2. Click the Import button to finish importing the certificate.

D.3.4 Assign Certificate to Connection Entry

3. Select the Connection Entries tab in the VPN client, select the connection entry you imported and click the Modify icon.

4. Select the Authentication tab, select Certificate Authentication and in the Name drop down list, select the certificate you imported in the previous step.

By default, the connection entry is called SWX_CVI. You may wish to give the connection entry a more meaningful name. If so, please enter a new name in the Connection Entry field on this screen.

5. Click the Save button to store your changes.

D.3.5 Check IPSec Tunnel

1. If your VPN Client is still connected, click the Disconnect button.

2. Select the Connection Entry you have just imported & configured and click the Connect button.

3. Enter the password to authenticate your certificate (this is the password that you entered in the New Password field).

If you did not enter a new password when importing the certificate, then your password is blank i.e. click the OK button without entering a password.

4. If the connection is successful, a dialog box appears with two buttons, Continue and Disconnect. Click the Continue button and the VPN Client minimises to the System Tray. You can double-click the System Tray icon to restore the application.


Appendix E – Installation: Cisco VPN 3002 Hardware Client

This section explains how to configure the Cisco VPN 3002 Hardware Client, including enrolment and installation of the certificate.

E.1 Installation Checklist

A summary of the required steps is given in the table below, which can be used as a checklist:

Task                 Description                                       Done
Basic Setup          How to setup a new hardware client
                     Configure Group Authentication
                     Establish VPN Connection
                     Download & Install SIX CA Root Certificate
                     Generate & Send Certificate Request
                     Retrieve and Install Personal Certificate
IPSec Tunnel Setup   Check IPSec Tunnel

The instructions in this section are based on using a browser to configure the hardware client. If you are using the Console Port, please see the Cisco documentation for the appropriate commands.


E.2 Basic Setup

Please follow the official documentation from Cisco to complete the basic setup of the hardware client. SIX provides four public DNS servers for participants who are using Managed IP Services and do not have DNS support:

Data Center A Data Center B

146.109.66.249 146.109.2.249

146.109.66.250 146.109.2.250

These DNS servers can be entered when configuring the hardware client; they resolve the hostname (vpn.swx.com) used by SCAP.

E.2.1 IPSec Tunnel Setup

The following section shows step-by-step instructions for the Cisco 3002 Hardware Client configuration, enrolment and certificate handling.

E.2.2 Check Software Version

Check that the software version of your Cisco 3002 meets our recommendations listed in section 2.1.2 Supported Cisco VPN Hardware Clients. If it does not, you should download the correct version from the CVI Public Web and apply it on your device.

E.2.3 Configure Group Authentication

Using a browser, connect and log on to the hardware client. From the menu, select Configuration > System > Tunneling Protocols > IPSec and enter the following parameters to enable group authentication:

Parameter                       Value
Remote Server                   vpn.swx.com
IPSec over TCP                  Choose the appropriate value for your network.
IPSec over TCP Port             4501 (if IPSec over TCP is selected)
Use Certificate                 Leave cleared
Certificate transmission        Select “Identity certificate only”
Group Name                      Username (see [ A ] - neither umlauts nor special characters)
Group Password & Group Verify   Password (see [ B ])
Username and Password           Leave both blank

E.2.4 Establish VPN Connection

Check the VPN Connection by selecting Monitoring > System Status from the menu. If the tunnel is not already connected (“No Tunnel Established” is displayed), click Connect Now. The displayed System Status should change and show that the tunnel has been established. Additionally, on the hardware client the LED labelled VPN should switch to green (via amber which shows that the connection is being initiated).

E.2.5 Download and Install CA Root Certificate

1. Access the CVI Public Website, as described above.

2. Click the link CVI Root Certificate and save the file on the PC (SWXVPNROOTCA.cer).

3. Switch back to the hardware client administration in the other browser window.

4. Upload the root certificate by selecting Administration > Certificate Management > Installation, clicking Install CA certificate, clicking Upload file from workstation and selecting the file you saved before.

5. Click Install to confirm.

E.2.6 Generate and Send Certificate Enrolment Request

1. Generate a certificate request by selecting Administration > Certificate Management > Enrolment, clicking Enroll via PKCS10 Request (Manual). Enter the following parameters to generate the certificate request:

Parameter                                    Value
Common Name (CN)                             Username (provided in the sealed envelope [ C ])
Organizational Unit (OU)                     ermp01chv (Repo Production)
                                             ermm01chv (Repo Membertest)
Organisation (O) *                           Name of your company (neither umlauts nor special characters)
Locality (L) *                               The place where your company is located (neither umlauts nor special characters)
State/Province (SP) *                        The state or province where your company is located (neither umlauts nor special characters)
Country (C)*                                 Country two-letter abbreviation as used in the internet (neither umlauts nor special characters)
Subject Alternative Name (FQDN)              Leave blank
Subject Alternative Name (E-Mail Address) *  Leave blank
Key Size                                     RSA 1024 bits

Fields marked with * should contain meaningful values. However, they are not validated.

2. Click Enroll to generate a certificate request and copy it to the clipboard.

3. Go to the Private CVI VPN Homepage (via SSL connection) as described above.

4. Click send request in the menu Certificate and paste the certificate into the provided form. Click Send to confirm.

E.2.7 Install Certificate and Check IPSec Tunnel

1. Using the PC browser, connect and logon to the hardware client.

2. Go to the Public CVI web as described before and click the link Private CVI VPN Homepage (via SSL connection).

3. Retrieve the certificate by clicking download certificate in the menu Certificate and copying the certificate with the delimiters belonging to your request.

4. Switch back to the hardware client administration in the other browser window.

5. Install the certificate by selecting Administration > Certificate Management > Installation and clicking Install certificate obtained via enrolment. Click Install for the appropriate request, choose Cut & Paste Text and paste the copied certificate with the delimiters into the provided form. Confirm by clicking Install. The Certificate Management page should now display the certificate under Identity Certificates.

Only one private certificate can be installed at a time. Make sure you delete the old one before installing a new one.

6. Switch from the pre-shared key (Group Authentication) to your installed certificate by selecting Configuration > System > Tunneling Protocols > IPSec, selecting the checkbox Use Certificate and confirming by clicking Apply. The LED labelled VPN will turn off.

7. Check the IPSec tunnel by selecting Monitoring > System Status from the menu. If the tunnel is not already connected (“No Tunnel Established” displayed), click Connect Now. The System Status displayed should change to show that the tunnel is established (“Tunnel Established to: …”).

E.2.8 Continuing Application Installation

Assuming you have successfully connected to the Cisco VPN Hardware Client as instructed in the preceding section, you have now completed the installation of the Cisco VPN Hardware Client.

However, before proceeding to install the application, one final step may be required:

E.2.8.1 DNS Configuration on Application PC

To access the application servers through the Cisco VPN Hardware Client, the client PC (which will run the application) needs to know the virtual IP address of the application servers in the tunnel. There are two different scenarios that have different requirements.

The client PC is directly attached to the Cisco VPN Hardware Client and the interface connecting the PC to the Cisco VPN Hardware Client is set to DHCP.

In this case, the Cisco Hardware Client can push the needed DNS via the DHCP protocol to the client and no further configuration is needed.

There is a device, e.g. firewall, located between the Cisco Hardware Client and the client PC or the interface connecting the PC to the Cisco VPN Hardware Client is not set to DHCP.

In this case, either the client PC or the DNS server it uses has to be configured to forward domain name requests for the application servers’ name spaces, e.g. *pn.swx, to the DNS servers in the tunnel. The tunnel DNS servers can be reached using the IP addresses shown below.

Domain Name Servers in IPSec Connection Tunnel   Data Center
146.109.39.251                                   Data Center B
146.109.39.252                                   Data Center B
146.109.55.251                                   Data Center A
146.109.55.252                                   Data Center A


Appendix F – Installation: Cisco ASA 5505 Hardware Client

This section explains how to configure the Cisco ASA 5505 Hardware Client, including enrolment and installation of the certificate.

F.1 Installation Checklist

A summary of the required steps is given in the table below, which can be used as a checklist:

Task                 Description                                       Done
Basic Setup          How to Setup a New Hardware Client
ASDM Setup           Cisco ASDM Setup
                     Configure Group Authentication
                     Establish VPN Connection
                     Download & Install SIX CA Root Certificate
                     Generate & Send Certificate Request
                     Retrieve and Install Personal Certificate
IPSec Tunnel Setup   Check IPSec Tunnel

The instructions in this section are based on using both the Cisco ASDM and the Console Port.

F.2 Basic Setup

Please follow the official documentation from Cisco to complete the basic setup of the Hardware Client.

SIX Swiss Exchange provides four public DNS servers for participants who are using Managed IP Services and do not have DNS support:

Data Center A Data Center B

146.109.66.249 146.109.2.249

146.109.66.250 146.109.2.250

These DNS servers can be entered when configuring the Hardware Client; they resolve the hostname (vpn.swx.com) used by SCAP.


F.2.1 Cisco ASDM Setup

The following section gives step-by-step instructions about installing and starting the Cisco ASDM tool.

F.2.2 Check Software Version of ASDM

Check that the software version of your Cisco ASDM meets our recommendations listed in section 2.1.2 Supported Cisco VPN Hardware Clients. If it does not you should download the correct version from the CVI Public Web and install it on the ASA 5505 as described below.

F.2.3 Cisco ASDM Installation on the ASA 5505

1. Copy the recommended ASDM version file (e.g. asdm-611.bin) to the Cisco ASA 5505. This can be done either via ASDM or via ftp, tftp,… Consult the official documentation from Cisco for the procedure.

2. Set the newly loaded ASDM file before you reboot with the following command:

   ciscoasa> enable
   ciscoasa# configure terminal
   ciscoasa(conf)# asdm image disk0:/asdm-611.bin
   ciscoasa(conf)# exit
   ciscoasa# write memory

3. Reboot the ASA 5505:

   ciscoasa> enable
   Password: ******
   ciscoasa# reload

4. Validate that the new ASDM version is working.

5. On the ASA 5505, remove any versions of the ASDM except the recommended one. The content of Disk0:/ should look like this:

   ciscoasa> enable
   Password: ******
   ciscoasa# dir
   Directory of disk0:/

    2  drwx  4096      07:56:58 May 08 2008  log
   64  -rwx  1868412   06:30:52 Sep 17 2007  securedesktop-asa-3.1.1.29-k9.pkg
   65  -rwx  398305    06:31:04 Sep 17 2007  sslclient-win-1.1.0.154.pkg
    7  drwx  4096      06:35:22 Sep 17 2007  crypto_archive
   67  -rwx  14635008  07:40:38 May 08 2008  asa803-k8.bin
   82  -rwx  7295568   08:43:16 Jun 05 2008  asdm-611.bin
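As an added example, not part of this guide, the Python script below parses a `dir` listing of disk0:/ like the one above and reports any ASDM image other than the recommended one, which is what step 5 asks you to check by eye. The sample listing is the guide's own; the second listing with a leftover older image, the parser and the recommended-version parameter are constructed for the example.

```python
"""Added example (not part of the CVI to SCAP Migration Guide): find ASDM
images on an ASA 5505 disk0:/ listing that differ from the recommended one.
"""
import re
from dataclasses import dataclass
from typing import List

# One line of ASA `dir` output: index, permissions, size, time, date, name.
_DIR_LINE = re.compile(
    r"^\s*(\d+)\s+([-drwx]+)\s+(\d+)\s+(\d\d:\d\d:\d\d)\s+(\w{3} \d\d \d{4})\s+(\S+)\s*$"
)


@dataclass(frozen=True)
class DirEntry:
    index: int
    perms: str
    size: int
    name: str


def parse_dir(listing: str) -> List[DirEntry]:
    """Parse the file rows of a `dir` listing; header and summary lines are skipped."""
    entries = []
    for line in listing.splitlines():
        m = _DIR_LINE.match(line)
        if m:
            entries.append(DirEntry(int(m[1]), m[2], int(m[3]), m[6]))
    return entries


def stale_asdm_images(listing: str, recommended: str) -> List[str]:
    """Names of asdm-*.bin files on disk0:/ that are not the recommended image."""
    return [
        e.name for e in parse_dir(listing)
        if e.name.startswith("asdm-") and e.name.endswith(".bin") and e.name != recommended
    ]


# The listing printed in the guide (step 5 of F.2.3).
SAMPLE_LISTING = """\
Directory of disk0:/
 2  drwx  4096      07:56:58 May 08 2008  log
64  -rwx  1868412   06:30:52 Sep 17 2007  securedesktop-asa-3.1.1.29-k9.pkg
65  -rwx  398305    06:31:04 Sep 17 2007  sslclient-win-1.1.0.154.pkg
 7  drwx  4096      06:35:22 Sep 17 2007  crypto_archive
67  -rwx  14635008  07:40:38 May 08 2008  asa803-k8.bin
82  -rwx  7295568   08:43:16 Jun 05 2008  asdm-611.bin
"""

# Constructed variant: the same disk with an older ASDM image left behind.
LEFTOVER_LISTING = SAMPLE_LISTING + "83  -rwx  6889764   09:12:00 Jan 10 2008  asdm-603.bin\n"

if __name__ == "__main__":
    for label, listing in (("guide listing", SAMPLE_LISTING), ("constructed listing", LEFTOVER_LISTING)):
        stale = stale_asdm_images(listing, "asdm-611.bin")
        print(f"{label}: {'nothing to remove' if not stale else 'remove ' + ', '.join(stale)}")
```

Paste the output of `ciscoasa# dir` into `listing` and pass the ASDM file name recommended in section 2.1.2 as `recommended`; every name returned is a file to delete before the reboot.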


F.2.4 Cisco ASDM Installation on the PC

1. On the PC on which the configuration of the ASA 5505 will be performed, browse to https://<ASA5505 IP Address>/ (e.g. https://192.168.1.1).

2. Proceed with the Security Alert, click Yes.

3. Click Install ASDM Launcher and Run ASDM.

4. In the login window enter User Name and Password of the ASA 5505 and click OK. (Hint: default is blank for both)

5. Click Open.

6. The Cisco ASDM Launcher installation starts. Click Next.

7. Select the default Destination Folder or click Change. Click Next.

8. Click Install to begin the installation.

9. Click Finish to exit the installation wizard.

10. Start ASDM by clicking the Cisco ASDM Launcher icon located on the desktop.

11. In the Cisco ASDM Launcher login window enter the IP Address, Username and Password of the ASA 5505 and click OK. Make sure that the Run in Demo Mode option is not selected.

12. Accept the web site’s certificate by clicking Yes and by selecting Always trust content from this publisher.


F.2.5 IPSec Tunnel Setup

The following section gives step-by-step instructions about Cisco ASA 5505 Hardware Client configuration, enrolment and certificate handling.

F.2.6 Check Software Version of ASA 5505

Check that the software version of your Cisco ASA 5505 meets our recommendations listed in section 2.1.2 Supported Cisco VPN Hardware Clients. If it does not, you must download the correct version from the CVI Public Web and apply it on your device via the ASDM tool. Before rebooting the Cisco ASA 5505, delete the file of the old version.

F.2.7 Configure Group Authentication

1. Using ASDM, connect and log on to the hardware client.

2. Go to the Configuration > Remote Access VPN > Easy VPN Remote pane.

3. Select Enable Easy VPN Remote.

4. In the Mode area, click Client mode.

5. In the Group Settings area, click Pre-shared Key and enter the following parameters:

a. In the Group Name field, enter the value of Username (see [ A ]).

b. In the Group Password and Confirm Group Password fields, enter the value of Password (see [ B ]).

6. In the Easy VPN Server To Be Added area, enter vpn.swx.com in the field Name or IP Address and click Add.


7. Click Apply.

8. Save the configuration by clicking Save.

F.2.8 Configure DNS

1. Go to the Configuration > Remote Access VPN > DNS pane.

2. In the DNS lookup area, make sure that both interfaces have the DNS Enabled parameter set to Yes. If not click Enable.

3. In the DNS Server Groups area, click Add and enter the following parameters:

a. In the Name field enter a name.

b. In the DNS Servers area, enter the IP address of the DNS Server in the field Server IP Address to Add and click Add. Perform this step for all IP Addresses listed in section 4 Network & Firewall Considerations and/or for the ones you are using.

c. Click OK.

4. Click Apply.


F.2.9 Download and Install CA Root Certificate

1. Access the CVI Public Website, as described above.

2. Click the link CVI Root Certificate and save the file on the PC (SWXVPNROOTCA.cer).

3. Using ASDM, connect and log on to the hardware client.

4. Go to the Configuration > Remote Access VPN > Certificate Management > CA Certificates pane.

5. Click Add.

6. Click Install from a file. You can either type the pathname of the file that you saved in step 2 in the box or you can click Browse and navigate to the file.


7. Click Install Certificate.

8. If the installation was successful, the following dialog box is displayed. Click OK.

F.2.10 Generate and Send Certificate Enrolment Request

1. Go to the Configuration > Remote Access VPN > Certificate Management > Identity Certificates pane.

2. Click Add.

3. Select the Add a new identity certificate option.


4. Click New.

5. Select Enter new key pair name and type SWX-SCAP-PRD-key in the box.

6. In the Size box, select 1024.

7. Select General purpose.

8. Click Generate Now.

9. Click Select.

10. In the Certificate Subject DN dialog box, enter the following X509 attributes:

Attribute                  Value
Common Name (CN)           Username (provided in the sealed envelope [ ])
Organizational Unit (OU)   ermp01chv (Repo Production)
                           ermm01chv (Repo Membertest)
Company Name (O) *         Name of your company (neither umlauts nor special characters)
Location (L) *             The place where your company is located (neither umlauts nor special characters)
State (St) *               The state or province where your company is located (neither umlauts nor special characters)
Country (C)*               Two-letter country abbreviation as used on the Internet (neither umlauts nor special characters)

To enter these attributes, proceed as follows for each attribute:

a. In the DN Attribute to be Added area, select an attribute from the Attribute pull-down menu.

b. In the Value box, type the correct value (see table above) and click Add.


11. When you have entered all attributes, click OK.

12. Click Add Certificate.

13. The Identity Certificate Request dialog box opens. You can either type the pathname of the file in the box or you can click Browse. Please note that the file extension has to be .csr.

14. Click OK.

15. Open the .csr file with your editor and copy the content to the clipboard.

16. Go to the Private CVI web as described above.

17. Click send request in the menu Certificate and paste the certificate request (the .csr content copied in step 15) into the form provided. Click Send to confirm.
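The subject DN from step 10 is the part of this procedure that is typed by hand, and a value with an umlaut, a missing mandatory attribute or a wrong OU means a rejected request and a second round trip through the CVI web. The following pre-flight check is an added example and not code from the SIX / Eurex Repo guide: it applies the constraints of the table above (ASCII only, mandatory O/L/St/C, two-letter country code, OU equal to ermp01chv for Repo Production or ermm01chv for Repo Membertest) and assembles the DN in the openssl `-subj` spelling. The username for CN comes from the sealed envelope and is not on the page, so the sample values are constructed; the function names and the exact character set accepted as "no special characters" are this example's own assumptions. It also reports the key size chosen in step 6, since 1024-bit RSA is below the 2048-bit minimum generally recommended today.

```python
"""Pre-flight check for the Certificate Subject DN entered in step 10.

Added example; not code from the SIX / Eurex Repo guide. Attribute
constraints and the OU values ermp01chv / ermm01chv come from the table
in the guide. The CN username (sealed envelope) is not on the page; the
sample values under __main__ are constructed. Function names are this
example's own.
"""
import re

# OU value -> environment, as listed in the guide's table.
OU_ENVIRONMENTS = {
    "ermp01chv": "Repo Production",
    "ermm01chv": "Repo Membertest",
}

# Assumption for "neither umlauts nor special characters": ASCII letters,
# digits, space, dot and hyphen only. Anything else (ü, é, '/', '=', ',')
# is rejected so the DN cannot be mangled or mis-parsed by the CA tooling.
_SAFE_VALUE = re.compile(r"[A-Za-z0-9 .\-]+")

# Attribute order as the guide's table lists it; openssl spells the state
# attribute ST where the guide writes St.
_ATTRIBUTE_ORDER = ("CN", "OU", "O", "L", "ST", "C")


def check_subject_dn(cn, ou, o, l, st, c):
    """Return a list of problems with the DN; an empty list means it is acceptable."""
    problems = []
    if not cn or not _SAFE_VALUE.fullmatch(cn):
        problems.append("CN must be the username from the sealed envelope, ASCII only")
    if ou not in OU_ENVIRONMENTS:
        problems.append(f"OU must be one of {sorted(OU_ENVIRONMENTS)} (got {ou!r})")
    for label, value in (("O", o), ("L", l), ("St", st)):
        if not value:
            problems.append(f"{label} is mandatory")
        elif not _SAFE_VALUE.fullmatch(value):
            problems.append(f"{label} contains umlauts or special characters: {value!r}")
    if not (len(c) == 2 and c.isascii() and c.isalpha()):
        problems.append(f"C must be a two-letter country code (got {c!r})")
    return problems


def build_subject(cn, ou, o, l, st, c):
    """Return the DN in openssl -subj form (/CN=.../OU=.../C=CH) once the
    checks pass; raise ValueError listing every problem otherwise."""
    problems = check_subject_dn(cn, ou, o, l, st, c)
    if problems:
        raise ValueError("; ".join(problems))
    values = dict(zip(_ATTRIBUTE_ORDER, (cn, ou, o, l, st, c.upper())))
    return "".join(f"/{key}={values[key]}" for key in _ATTRIBUTE_ORDER)


def key_size_warning(bits):
    """Step 6 selects a 1024-bit key as the guide requires; return a warning
    when the size is below 2048 bits, otherwise None."""
    if bits < 2048:
        return f"{bits}-bit RSA is below the 2048-bit minimum recommended today"
    return None


if __name__ == "__main__":
    # Constructed sample values; replace with the envelope username and your company data.
    print(build_subject("user-from-envelope", "ermp01chv", "Example Bank AG", "Zuerich", "ZH", "ch"))
    print(check_subject_dn("user-from-envelope", "ermp01chv", "Bank Zürich AG", "Zürich", "ZH", "CH"))
    print(key_size_warning(1024))
```

Run the check on the values you intend to type before clicking Generate Now; the list returned by `check_subject_dn` names every attribute that would have to be corrected, and the string from `build_subject` is the DN to compare against the Certificate Subject DN dialog attribute by attribute.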

F.2.11 Install Certificate and Check IPSec Tunnel

1. Go to the Public CVI web as described above.

2. Retrieve the certificate by clicking download certificate in the menu Certificate and copying the certificate belonging to your request, including its delimiters.

3. Using ASDM, connect and logon to the hardware client.

4. Go to the Configuration > Remote Access VPN > Certificate Management > Identity Certificates pane.

5. Select the Identity Certificate and click Install.

6. Select Paste the certificate data in base-64 format and paste it with the delimiters in the box.

7. Click Install Certificate.

8. If the import was successful, the following dialog box is displayed. Click OK.

9. Switch from the pre-shared key (Group Authentication) to your installed certificate. Go to the Configuration > Remote Access VPN > Easy VPN Remote pane.

10. In the Group Settings area, click X.509 Certificate and choose your certificate from the drop-down list.

11. Click Apply.

12. The LED on the hardware client labelled VPN will turn off.

13. Save the configuration by clicking Save.

14. Start the tunnel as follows:

a. Go to Monitoring > VPN > Easy VPN Client > VPN Connection Status.

b. Click Connect.

c. Confirm the security warning.

d. Click Connect Now.

e. Close the browser window (hint: click Refresh to update the status).

15. Please note that if for any reason the tunnel stops, it will not restart automatically. It has to be restarted manually as described above.

F.2.12 Continuing Application Installation

Assuming you have successfully connected to the Cisco ASA 5505 Hardware Client as instructed in the preceding chapter, you have now completed the installation of the Cisco ASA 5505 Hardware Client.

However, before proceeding to install the application, one final step may be required:

F.2.12.1 DNS Configuration on Application PC

To access the application servers through the Cisco ASA 5505 Hardware Client, the client PC (which will run the application) needs to know the virtual IP address of the application servers in the tunnel. There are two different scenarios that have different requirements.

The client PC is directly attached to the Cisco ASA 5505 Hardware Client and the interface connecting the PC to the Cisco ASA 5505 Hardware Client is set to DHCP.

In this case, the Cisco Hardware Client can push the needed DNS via the DHCP protocol to the client and no further configuration is needed.

There is a device, e.g. firewall, located between the Cisco Hardware Client and the client PC or the interface connecting the PC to the Cisco ASA 5505 Hardware Client is not set to DHCP.

In this case, either the client PC or the DNS server it uses has to be configured to forward domain name requests for the application servers' name spaces, e.g. *prd.erm.swx.ch, to the DNS in the tunnel. The tunnel DNS can be reached under the IP addresses given below.

Domain Name Servers in IPSec Connection Tunnel

IP Address        Data Center
146.109.39.251    Data Center B
146.109.39.252    Data Center B
146.109.55.251    Data Center A
146.109.55.252    Data Center A
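For the second scenario, what has to be produced is a conditional forwarder: only names below the application name space go to the tunnel DNS, everything else keeps using the normal resolver. The following is an added example, not code from the guide or from SIX. The zone prd.erm.swx.ch and the four tunnel DNS addresses are the values printed above, grouped by data center as in the table; the two output formats (dnsmasq `server=/zone/ip` lines for a resolver on the client PC, and a Windows DNS Server conditional forwarder cmdlet for a site DNS server) are assumptions about where the forwarding would be configured. The name check treats the guide's `*prd.erm.swx.ch` as the zone and every name below it, comparing whole labels so that a look-alike such as prd.erm.swx.ch.example.test is not sent into the tunnel.

```python
"""Conditional forwarding of the application name space to the tunnel DNS
(second scenario in F.2.12.1). Added example, not part of the guide.

Zone and server addresses are the values printed in the guide; output
formats (dnsmasq, Windows DNS Server) are this example's assumptions.
"""
import ipaddress

# Tunnel DNS servers from the guide's table, grouped by data center.
TUNNEL_DNS = {
    "Data Center A": ["146.109.55.251", "146.109.55.252"],
    "Data Center B": ["146.109.39.251", "146.109.39.252"],
}

# Name spaces the guide says must be resolved inside the tunnel. The guide
# writes "*prd.erm.swx.ch"; treated here as the zone and all names below it.
TUNNEL_ZONES = ["prd.erm.swx.ch"]


def uses_tunnel_dns(hostname, zones=TUNNEL_ZONES):
    """True if hostname lies inside one of the tunnel zones.

    Case-insensitive, trailing dot tolerated. The comparison is on whole
    labels, so prd.erm.swx.ch.example.test or xprd.erm.swx.ch do not match.
    """
    name = hostname.strip().rstrip(".").lower()
    for zone in zones:
        zone = zone.lower()
        if name == zone or name.endswith("." + zone):
            return True
    return False


def tunnel_servers(prefer=None):
    """Validated list of tunnel DNS addresses, optionally with one data
    center listed first so the resolver tries it before the other."""
    centers = list(TUNNEL_DNS)
    if prefer is not None:
        if prefer not in TUNNEL_DNS:
            raise ValueError(f"unknown data center {prefer!r}")
        centers.remove(prefer)
        centers.insert(0, prefer)
    ordered = []
    for center in centers:
        for ip in TUNNEL_DNS[center]:
            # IPv4Address() raises ValueError on a typo in the address table.
            ordered.append(str(ipaddress.IPv4Address(ip)))
    return ordered


def dnsmasq_lines(prefer=None):
    """server=/zone/ip lines for a dnsmasq resolver on the client PC; dnsmasq
    uses all servers given for the same zone."""
    servers = tunnel_servers(prefer)
    return [f"server=/{zone}/{ip}" for zone in TUNNEL_ZONES for ip in servers]


def windows_forwarder_cmds(prefer=None):
    """Add-DnsServerConditionalForwarderZone invocation for a Windows DNS
    Server that the client PCs already use as their resolver."""
    masters = ",".join(tunnel_servers(prefer))
    return [
        f'Add-DnsServerConditionalForwarderZone -Name "{zone}" -MasterServers {masters}'
        for zone in TUNNEL_ZONES
    ]


if __name__ == "__main__":
    for line in dnsmasq_lines(prefer="Data Center A"):
        print(line)
    print(windows_forwarder_cmds()[0])
    # Constructed sample names to show the routing decision.
    for host in ("app1.prd.erm.swx.ch", "prd.erm.swx.ch.example.test", "www.example.test"):
        print(host, "->", "tunnel DNS" if uses_tunnel_dns(host) else "normal resolver")
```

Generate the lines for whichever resolver sits between the application PC and the tunnel, then confirm with a single lookup of an application server name that the answer is the virtual IP address inside the tunnel and not a public address.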

To continue with the installation process, please refer to the application-specific installation guide.

Appendix G – Infrastructure Service Provider (ISP) Contacts

G.1 Internet Connectivity

Contact your Internet Service Provider.

G.2 Managed IP Services

Provider                  Officer             Phone No.           E-mail              Scope
BT Radianz                Harry Weder         +41 44 543 18 33    [email protected]   All countries
Deutsche Börse Systems    Tim Brackrock       +49 69 2111 1690    [email protected]   All countries
Swisscom-Verizon          Thomas Rathgeb      +41 44 294 82 88    [email protected]   All countries
Swisscom-Verizon          Andreas Ferrario    +41 79 818 14 93    [email protected]   All countries
