Table Of Contents
Cisco Secure Telnet
System Design
Remote Access Methodology
Firewall Protection
Cisco Secure Telnet Design
Cisco Secure Telnet Structure
Cisco Secure Telnet Components
The Relay Server
Telnet Client
Telnet Server
Cisco Secure Telnet Applications
Cisco Secure Telnet Executables
Telnet Proxy
Command Line Syntax for tndconnect
Display All Options
Telnet Connector Program Structure
Terminate a Cisco Secure Telnet Session
Connect with the Telnet Daemon
Plan for a Windows NT Telnet Daemon
Cisco Secure Telnet Usage Scenario
Cisco Secure Telnet
This chapter provides a description and overview of Cisco Secure Telnet and contains the following topics:
•System Design
•Remote Access Methodology
•Firewall Protection
•Cisco Secure Telnet Design
•Cisco Secure Telnet Structure
•Cisco Secure Telnet Usage Scenario
Cisco Secure Telnet offers Cisco Service Engineers (CSE) transparent firewall access to Cisco CallManager servers on your site.
Cisco Secure Telnet works by enabling a Telnet client inside the Cisco Systems firewall to connect to a Telnet daemon behind your firewall. This secure connection allows remote monitoring and maintenance of your Cisco CallManager servers without requiring firewall modifications.
Note Cisco accesses your network only with your permission. You must provide a network administrator at your site to help initiate the process.
System Design
The Cisco Secure Telnet system design provides the basis for communication with any Cisco CallManager installations on your site.
These paragraphs describe each component and application, along with a scenario outlining how you can use them.
Remote Access Methodology
CSEs can use techniques other than Cisco Secure Telnet to provide remote connectivity to a customer site, but using other methods may impose unacceptable conditions.
Dial-in access requires installation of a dedicated phone line and modem at your site, so dial-in access may be impractical. Using Telnet directly can establish a TCP/IP connection, but it requires opening your firewall, which can compromise security and cause delays in service.
Firewall Protection
Virtually all internal networks use firewall applications to restrict outside access to internal host systems. These applications protect your network by restricting IP connections between the network and the public internet.
Firewalls work by automatically blocking TCP/IP connections initiated from the outside, unless the software is reconfigured to allow such access.
Corporate networks normally permit communication with the public Internet, but only if connections directed to outside hosts originate from inside the firewall.
Cisco Secure Telnet Design
Cisco Secure Telnet takes advantage of the fact that Telnet connections can easily be initiated from behind a firewall. Using an external proxy machine, the system relays TCP/IP communications from behind your firewall to a host behind another firewall at the Cisco Technical Assistance Center (TAC).
Using this relay server maintains the integrity of both firewalls while supporting secure communication between the shielded remote systems. (See Figure 6-1.)
Figure 6-1 Cisco Secure Telnet System
Cisco Secure Telnet Structure
The external relay server establishes the connection between your network and Cisco Systems by building a Telnet tunnel. This enables you to transmit the IP address and password identifier of your Cisco CallManager server to your CSE.
Note The password comprises a text string mutually agreed upon by your administrator and the CSE.
Your administrator starts the process by initiating the Telnet tunnel, which establishes a TCP connection from inside your firewall out to the relay server on the public Internet. The Telnet tunnel then establishes another connection to your local Telnet server, creating a two-way link between the entities.
Note The Telnet client at the Cisco TAC runs in compliance with systems running on Windows NT and Windows 2000, or with UNIX operating systems.
Once the Cisco CallManager at your site accepts the password, the Telnet client running at the Cisco TAC connects to the Telnet daemon running behind your firewall. The resulting transparent connection allows the same access as if the machine were being used locally.
Once the Telnet connection is stable, the CSE can implement all remote serviceability functionality to perform maintenance, diagnostic, and troubleshooting tasks on your Cisco CallManager server.
You can view the commands sent by the CSE and the responses issued by your Cisco CallManager server, but the commands and responses may not always be completely formatted. See the "Telnet Server" section for more information.
Cisco Secure Telnet Components
The following sections describe the Cisco Secure Telnet components.
The Relay Server
The Cisco relay server runs on the Windows NT platform. Because it is a node on the public Internet that is configured as a multiuser system, any Cisco customer using the Cisco Secure Telnet service can access it freely.
You can make the relay server a dedicated device, or during a pilot period, you may attach it on an as-needed basis.
The relay server resides outside the Cisco Systems firewall, but it comprises a secure and controlled system that Cisco Systems owns, manages, and operates.
Note If easy access to the Internet is not available to access the relay server, use a dial-in connection to an ISP that allows direct Internet access to its devices.
Telnet Client
The Telnet client runs at the Cisco site on a UNIX host or Windows NT system. It provides terminal emulation over TCP/IP, providing a remote shell allowing entry into the server at your site.
The Telnet client provides command line access to the Cisco CallManager host through the Cisco relay server.
Telnet Server
The Telnet server resides on your network and runs on the Cisco CallManager server. The Windows 2000 operating system runs on the Cisco CallManager server and supports execution of the text-based commands used on the local system.
The Telnet proxy, tndconnect, runs on the Cisco CallManager server and links your Telnet server to the Cisco relay server.
Note The tndconnect window running on the Windows 2000 system will display the commands and responses being issued between the Cisco TAC and your Cisco CallManager system. However, depending on its terminal type support, the Windows 2000 Telnet daemon may eliminate spaces between the elements.
Cisco Secure Telnet Applications
The Cisco Secure Telnet system comprises four software components.
1. The Telnet Daemon Connect (tndconnect) program runs on a Cisco CallManager server at your site.
2. The relay application (relayapp) program runs on the Cisco relay or "connect" server.
3. The Windows 2000 Telnet Daemon comprises Microsoft software that runs on the Cisco CallManager server at your site.
4. The standard Telnet client runs behind the firewall at the Cisco TAC.
Cisco Secure Telnet Executables
Invoke the tndconnect program command-line executable from a Windows 2000 command prompt window.
Remote serviceability users invoke the tndconnect program from a command window on the Cisco CallManager server. This program contacts the relayapp application on the relay server, which resides on the Internet.
After you invoke tndconnect at your site, the CSE uses Telnet to reach relayapp to gain access to your system. Logging into that system maps the Telnet sessions together, allowing technical support access to your site.
Each executable includes command line parameters, such as passwords and TCP ports, that control the operating characteristics of each program.
Telnet Proxy
The tndconnect program acts as a proxy that provides the connection from your site to an external application residing on the relay server.
If you use this connector program, you must specify certain command line parameters; some of these parameters are optional.
Command Line Syntax for tndconnect
The tndconnect program resides on your Cisco CallManager server at C:\Program Files\Cisco\Bin. Invoke it on a command line; for example:
tndconnect -host relayservername -password cisco -file connect.log -port 80
-verbose -noecho
Note You can terminate tndconnect by entering Control-C in the window.
The following list defines each of these parameters:
You must use the host argument because it defines the Domain Name System (DNS) name of target relay server. The CSE supplies you with that host name during the initial call.
-password <any 4+ character string>
You must use the password argument because it allows access to the relay server. CSE gives the password during the initial call.
All Telnet exchanges generate logs, allowing for later review. The -file parameter provides an opportunity to name the log files that provide an audit trail of startup and console activity. The system logs all activity to the command window.
If the -file argument is not used, the filename defaults to tndconnect.log.
-port <optional port number>
The port argument allows selection of a port on the relay server other than Telnet port 23, which is the default. You need this option in case the firewall at your site has blocked the Telnet port. For example, some servers might allow only HTTP transmissions through the firewall, in which case -port 80 could be used.
Use the verbose option if connectivity problems are anticipated. This parameter logs debug messages and program trace details to the log file as well as to the console window.
-target <optional DNS name of Cisco CallManager system>
Use this parameter only if tndconnect resides on a system other than the Cisco CallManager server; for example, a Telnet server at your site.
In this case, you would have to specify the DNS name of the Cisco CallManager system. If you do not use this argument, its value defaults to localhost.
Disable the echo of the relayed data to the console.
Display All Options
Invoke the tndconnect program with the /? argument on a command line to give information on the entire system.
tndconnect /?
This command returns information on all the command line options.
Telnet Connector Program Structure
The tndconnect program performs the tasks that provide the CSE with the ability to log in to your Cisco CallManager system.
Note If the Telnet daemon is not running when the program executes, tndconnect prints an error message on your console, and the command terminates.
When the tndconnect program starts, the command parser sets the values specified in the command line. If no specific parameters are set in the command line, the program uses default values, except for the -host
and -password
parameters. You must enter those values each time you start tndconnect.
When the CSE connects to the relay application, a signal instructs the tndconnect program to create TCP/IP structures and connect to the local Telnet daemon.
If the -target option is not used, tndconnect defaults to your local Telnet server.
Note You may have to add the name of the Cisco relay application server to the hosts file of the local system if DNS cannot locate it. If so, add a line with IP address and
hostname
to the file C:\WINNT\system32\drivers\etc\hosts to provide that hostname.
The tndconnect program sends the information to the Cisco relay server, where the CSE logs in. The CSE then provides the IP address and password of the Cisco CallManager and enters a return,
which prompts the appearance of a login screen. The CSE then logs in to the Cisco CallManager system using the password provided by the customer.
Terminate a Cisco Secure Telnet Session
Once a connection is established, a timer starts and eventually terminates the connection if no traffic is observed. The tunnel to your site established by tndconnect automatically terminates after 30 minutes of inactivity. If you deliberately disconnect, you must manually restart the Telnet Connector program each time you use it.
Any socket failure can also terminate the session as does closing the connection from either Cisco or the customer site. A close can occur when the CSE disconnects, the relay program ends, or if the Telnet daemon terminates. Termination may also occur if TCP detects connection failure, if either of the Telnet sessions closes, or if you terminate the tndconnect program by pressing Control-C.
When the connection terminates, the program terminates, and the program takes down the tunnel constructed between the Cisco CallManager Telnet server and the relay server.
Connect with the Telnet Daemon
Under the Cisco Secure Telnet system, the Telnet client and daemon comprise standard, unmodified components and exchange data just as they would if they connected directly.
Any system running Cisco CallManager must run the standard Windows 2000 Telnet daemon service. Because this program expects clients to connect into it, you need an additional software component, tndconnect, to both connect to the Telnet daemon and to establish a connection out of the corporate network and into the Telnet relay program. The Telnet daemon and tndconnect work together to provide an end-to-end connection through which Telnet session traffic may flow.
The Telnet server component can run as a service in the background on the Cisco CallManager Windows 2000 system. Responding to a connection request provides the primary function of the daemon. Once a Telnet session is established, you can execute command line programs.
All these considerations affect the choice of Telnet daemon software.
Plan for a Windows NT Telnet Daemon
Because both Telnet daemon and File Transfer Protocol (FTP) servers make up part of Windows 2000 standard features, you can logically use these connectivity methods for remote serviceability.
Cisco Secure Telnet Usage Scenario
You may want to activate Cisco Secure Telnet to call in problems that require diagnosis of a remote Cisco CallManager server by a CSE. The following sequence of events represents a common scenario.
Step 1 Configure the Windows 2000 Telnet daemon to allow Telnet access from UNIX hosts. You may use the Windows 2000 command tndadmn to set the operating characteristics of the Telnet daemon.
Note Make sure the local Telnet session works and that a suitable userid and password are chosen for the Cisco TAC to log in.
Step 2 The CSE gives you a one-time password and the DNS name of the Cisco relay server to use to open communications.
Step 3 If the Telnet daemon is not already running, you should start it by using the Windows 2000 System Control Panel, Services option.
Step 4 You run tndconnect to initiate a tunnel session between the Telnet Daemon and the Cisco relay server. The command-line syntax allows transmission of a one-time password, which acts as a correlator to the one supplied by the CSE upon connection to the relay server.
Note Tunnels allow secure transmission of data streams between networks, making the routing appear transparent. Create them by using software that communicates through the firewall protecting the destination network.
Step 5 After bit manipulation encrypts the one-time password for transmission, tndconnect transmits it to relayapp for identification.
When transmission is complete, your system is set up for Cisco TAC diagnostics. (You may observe the support engineer commands and responses in the tndconnect window.)
When the Cisco TAC engineer disconnects, the tndconnect program terminates.