U.S. patent application number 10/721832 was filed with the patent office on 2004-10-07 for managing a virtual private network.
Invention is credited to Desroches, Melissa L., Milillo, James M., and Poisson, Matthew W.
Application Number | 20040199624 10/721832
Document ID | /
Family ID | 23094177
Filed Date | 2004-10-07
United States Patent Application | 20040199624
Kind Code | A1
Poisson, Matthew W.; et al. | October 7, 2004
Managing a virtual private network
Abstract
Managing a virtual private network includes providing a
graphical user interface for displaying one or more virtual private
network subscribers and one or more computers offering virtual
private network functions. The graphical user interface is
programmed to display tunnels associated with either the
subscribers and/or the computers offering virtual private network
functions based on user input.
Inventors: | Poisson, Matthew W. (Manchester, NH); Desroches, Melissa L. (Kingston, NH); Milillo, James M. (Manchester, NH)
Correspondence Address: | DOCKET CLERK, P.O. DRAWER 800889, DALLAS, TX 75380, US
Family ID: | 23094177
Appl. No.: | 10/721832
Filed: | November 25, 2003
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number
10721832 | Nov 25, 2003 |
09285424 | Apr 2, 1999 | 6765591
Current U.S. Class: | 709/223
Current CPC Class: | H04L 41/22 20130101; H04L 41/0213 20130101; H04L 12/4641 20130101
Class at Publication: | 709/223
International Class: | G06F 015/173
Claims
What is claimed is:
1. A method of managing a virtual private network, the method
comprising: providing a graphical user interface for displaying one
or more virtual private network subscribers and one or more
computers offering virtual private network functions, the graphical
user interface being programmed to display tunnels associated with
either the subscribers and/or the computers offering virtual
private network functions based on user input.
2. The method of claim 1, wherein the computers offering virtual
private network functions comprise extranet switches.
3. The method of claim 1, wherein the virtual private network
functions comprise tunneling.
4. The method of claim 1, wherein the virtual private network
functions comprise authentication.
5. The method of claim 1, wherein displaying subscribers and
computers comprises displaying a hierarchical tree that includes
the subscribers and the computers.
6.-15. (Canceled).
16. A method of managing a virtual private network, comprising:
providing a graphical user interface, the graphical user interface
operable for: displaying virtual private network elements, the
different elements being selectable by a user, displaying a palette
from a collection of palettes that provide virtual private network
sub-elements associated with the virtual private network elements,
the palette being displayed controlled by user selection of an
element, displaying a properties dialog from a collection of
properties dialogs that receive user input configuring the virtual
private network elements and/or sub-elements, the properties dialog
displayed being controlled by user selection of an element from the
display of virtual private network elements, and enabling a user
through the use of a wizard to configure one or more of the virtual
private network elements by interacting with a preprogrammed series
of dialogs which query the user for different sets of virtual
private network element characteristics.
17. The method of claim 16, wherein displaying virtual private
network elements comprises displaying a hierarchical tree that
displays both virtual private network elements and associated
virtual private network sub-elements.
18. The method of claim 16, wherein the virtual private network
elements comprise subscribers.
19. The method of claim 16, wherein the virtual private network
elements comprise computers offering virtual private network
functions.
20. The method of claim 19 wherein the computers comprise extranet
switches.
21. The method of claim 19, wherein the sub-elements comprise SNMP
properties.
22. The method of claim 19, wherein the sub-elements comprise an
authentication technique.
23. The method of claim 16, wherein the sub-elements comprise
tunnels.
24. The method of claim 17, further comprising modifying a virtual
private network element listed in the hierarchical tree by dragging
and dropping a virtual private network element from a displayed
palette.
25. A method of managing a virtual private network, comprising:
providing a graphical user interface, the graphical user interface
operable for: displaying a hierarchical tree that includes one or
more extranet switches, the one or more extranet switches being
selectable by a user; displaying one of a collection of palettes
that provide groupings of extranet switch attributes, the palette
displayed being controlled by user selection of one of the extranet
switches; displaying one of a collection of properties dialogs that
collect information associated with the extranet switch attributes,
the properties dialog displayed being controlled by user selection
of an element; and displaying a wizard that enables the user to
configure one or more of the extranet switches by interacting with
a preprogrammed series of dialogs which query the user for
different sets of virtual private network element characteristics.
Description
BACKGROUND
[0001] This invention relates particularly to managing a virtual
private network.
[0002] LANs (Local Area Networks), Intranets, and other private
networks interconnect user computers, file servers, e-mail servers,
databases, and other resources. Typically, organizations want to
offer remote access to private network resources to traveling
employees, employees working at home, and branch offices without
compromising the security of the private network.
[0003] Virtual private networks (a.k.a. Extranets) securely stitch
together remote private networks and remote computers using a
public network such as the Internet as a communication medium. Each
private network can connect to the public network via an extranet
switch such as the Contivity™ Extranet switch offered by
Nortel™ Networks. Extranet switches provide a variety of virtual
private network functions such as network packet tunneling and
authentication.
[0004] For configuring the functions provided by the switch,
Contivity™ switches offer a web-server and web-pages programmed
to configure the different virtual private network functions in
response to administrator interaction with the web-pages. By using
a browser to navigate to each virtual private network switch, one
after another, the administrator can configure the tunneling,
authentication, packet filtering, and other functions provided by
the switch. Management functions provided by the Contivity™
switches are described in greater detail in the New Oak™
Communications Extranet Access Switch Administrator's Guide.
SUMMARY OF THE INVENTION
[0005] In general, in one aspect, the invention features a method
of managing a virtual private network that includes providing a
graphical user interface for displaying one or more virtual private
network subscribers and one or more computers offering virtual
private network functions. The graphical user interface is
programmed to display tunnels associated with either the
subscribers and/or the computers offering virtual private network
functions based on user input.
[0006] Embodiments may include one or more of the following
features. The computers offering virtual private network functions
comprise extranet switches. The virtual private network functions
can include tunneling and/or authentication. Displaying subscribers
and computers may include displaying a hierarchical tree that
includes the subscribers and the computers.
[0007] In general, in another aspect, the invention features a
graphical user interface for use in managing a virtual private
network. The graphical user interface includes a display of virtual
private network elements, the different elements being selectable
by a user, a collection of palettes that provide virtual private
network sub-elements associated with the virtual private network
elements, and a collection of properties dialogs that collect
information associated with virtual private network elements and/or
sub-elements. The palette and/or properties dialog displayed is
controlled by user selection of an element.
[0008] Embodiments may include one or more of the following
features. The display of virtual private network elements can be a
hierarchical tree. The hierarchical tree can display virtual
private network sub-elements associated with displayed virtual
private network elements. The virtual private network elements
comprise subscribers and/or computers (e.g., extranet switches)
offering virtual private network functions. The sub-elements can
include SNMP properties and/or authentication techniques. The
graphical user interface may permit an administrator to modify a
virtual private network element listed in the hierarchical tree by
dragging and dropping a virtual private network sub-element from a
displayed palette.
[0009] In general, in another aspect, the invention features a
graphical user interface for use in managing a virtual private
network. The graphical user interface includes a hierarchical tree
that includes different extranet switches, the different extranet
switches being selectable by a user, a collection of palettes that
provide groupings of extranet switch attributes, and a collection
of properties dialogs that collect information associated with the
extranet switch attributes. The properties dialog and/or the
palette displayed can be controlled by user selection of an
element.
[0010] Advantages may include one or more of the following. The
graphical user interface enables an administrator to quickly view
and/or modify attributes of the extranet switches in a virtual
private network. The palette and properties dialogs provide
administrators with an intuitive method for configuring different
functions provided by the extranet switches. The graphical user
interface also enables an administrator to view virtual private
network information from different perspectives, for example from
the perspective of services provided to different subscribers or
from the perspective of services provided by particular extranet
switches.
[0011] Other advantages of the invention will become apparent in
view of the following description, including the figures, and the
claims.
BRIEF DESCRIPTION OF THE DRAWINGS
[0012] FIG. 1 is a diagram illustrating bulk configuration of
multiple extranet switches.
[0013] FIG. 2 is a diagram of tunnels provided by configured
extranet switches.
[0014] FIG. 3 is a flow-chart of a process for bulk configuring
multiple extranet switches.
[0015] FIG. 4 is a diagram of a switch manager exporting
configuration information to multiple extranet switches.
[0016] FIGS. 5-13 are screenshots of a wizard that guides an
administrator through a bulk configuration process.
[0017] FIG. 14 is a diagram illustrating importing information from
multiple extranet switches.
[0018] FIG. 15 is a diagram of a switch manager importing
information from an extranet switch.
[0019] FIGS. 16-20 are screenshots of extranet switch reports.
[0020] FIGS. 21-31 are screenshots of a graphical user interface
that enables an administrator to manage extranet switches in a
virtual private network.
[0021] FIG. 32 is a screenshot of a menu of links to web-pages
offered by an extranet switch.
[0022] FIGS. 33-39 are screenshots of web-pages offered by an
extranet switch.
DESCRIPTION OF THE PREFERRED EMBODIMENTS
[0023] Introduction
[0024] An extranet switch manager provides administrators with a
tool that centralizes management of different extranet switches in
a virtual private network. The manager can bulk configure multiple
extranet switches, prepare reports describing the extranet
switches, provide convenient access to individual switch
configuration mechanisms, and provide an intuitive representation
of virtual private network elements. The manager offers these
capabilities to an administrator via an easy to use graphical user
interface (GUI). After an administrator enters IP (Internet
Protocol) addresses of extranet switches in a virtual private
network, the switch manager can quickly import and export data to
both view the current configuration and activity of the switches
and quickly alter the configuration of one or more switches.
[0025] Bulk Configuration of Multiple Extranet Switches
[0026] As shown in FIG. 1, a virtual private network 102 can
include private networks 106, 110 and/or remote computers 114 that
communicate over a public network 104. Each private network 106,
110 can connect to the public network 104 via an extranet switch
100a, 100b such as a Contivity™ Extranet Switch offered by
Nortel Networks. As shown, each extranet switch 100a, 100b has a
private interface that communicates with a private network 106, 110
and a public interface that communicates with the public network
104. Extranet switches 100a, 100b handle virtual private network
functions such as network packet tunneling and authentication. The
extranet switches 100a, 100b can also enforce packet filtering
rules, enforce hours of access, and perform other functions that
maintain a secure virtual private network. Many of these functions
may be included in a firewall or router. Hence, we use the term
"extranet switch" to generically refer to a system providing these
functions. As shown in FIG. 1, switch manager instructions 116
reside on a remote computer; however, the instructions 116 could
reside on any computer able to communicate with the extranet
switches 100a, 100b.
[0027] Each switch 100a, 100b can provide different tunneling
protocols (e.g., PPTP (Point-to-Point Tunneling Protocol), L2F
(Layer 2 Forwarding), L2TP (Layer 2 Tunnel Protocol), and IPSec (IP
Secure)), different encryption schemes, different authentication
mechanisms (e.g., internal or external LDAP (Lightweight Directory
Access Protocol) and RADIUS (Remote Authentication Dial-In User
Service)), and different packet filtering schemes (e.g., filtering
based on the direction of communication, the source and/or
destination of a packet, and/or the type of TCP (Transmission
Control Protocol) connection established). As shown in FIG. 1,
switch manager instructions 116 enable an administrator to quickly
configure multiple switches 100a, 100b to share a set of common
characteristics (e.g., the same authentication scheme and the same
tunneling protocols) by transmitting the same configuration
information 118a, 118b to each switch 100a, 100b.
[0028] Referring to FIG. 2, after being configured, the virtual
private network 102 permits secure communication between private
networks 106, 110. For example, a computer 112 on a first private
network 110 can securely send network packets to a computer 108 on
a second private network 106 by tunneling 120 through the public
network 104. An extranet switch 100a receiving a packet prior to
transmission over the public network 104 can provide a tunnel 120
by encrypting and/or encapsulating the network packet. Encryption
encodes packet contents to prevent computers on the public network
from reading the original contents. Encapsulation generates a new
packet addressed to the extranet switch 100b at the end of the
tunnel 120 and includes the original packet as the contents of the
new packet. By analogy, encapsulation is like placing a mail
envelope in a bigger envelope with a different mail address.
Encapsulation prevents computers on the public network 104 from
identifying the addresses of private network 106, 110
resources.
[0029] When the extranet switch 100b at the end of the tunnel 120
receives a packet, the extranet switch 100b can decrypt and
de-encapsulate the packet for delivery to its destination 108. The
second extranet switch 100b can also authenticate information
received from the first extranet switch 100a to make sure a
would-be intruder is not masquerading as a member of the virtual
private network 102.
[0030] As shown, a switch 100a can also provide tunnels for a
remote user 114 connected to the public network 104. For example,
an employee can access private network 110 resources by connecting
to an ISP (Internet Service Provider) and establishing a tunnel 122
with an extranet switch 100a. Again, the extranet switch 100a can
authenticate the identity of the remote user 114 to prevent
unauthorized access to the private network 110.
[0031] The extranet switch 100a can also connect tunnels. For
example, if so configured, the switch could connect 124 tunnels 120
and 122 to enable the remote user 114 to also access resources on
private network 106 via tunnels 122 and 120.
[0032] Referring to FIG. 3, switch manager instructions 116 receive
126 information specifying the configuration of multiple extranet
switches. The bulk configuration information can be specified by a
user, provided by a program that automatically configures switches,
or copied from configuration information of a previously configured
switch. After receiving 126 the configuration information, the
switch manager instructions 116 transmit 128 data and/or
instructions corresponding to the received configuration
information to the extranet switches. Each extranet switch
processes 130a, 130b the transmitted information to change its
configuration in accordance with the transmitted information.
[0033] Referring to FIG. 4, an extranet switch 100a, 100b includes
software and/or firmware instructions 130a, 130b that handle switch
functions. Such functions can include authentication 132a, tunnel
management 134a, packet filtering 136a, etc. Each switch 100a, 100b
can also include a script interface 138a that processes script
commands. For example, a script command of "call omSET using
("trustedFTPenabled" "ENABLED")" configures the switch to allow
processing of FTP (File Transfer Protocol) requests from trusted
computers.
[0034] In one implementation, switch manager instructions 116
include instructions for a graphical user interface 144 (GUI), a
script interface 140, and configuration 142 instructions that model
the extranet switches and coordinate the exchange of information
between the GUI 144 and the script interface 140. When a user
specifies bulk configuration information via the GUI 144, the
script interface 140 produces a script 118a, 118b that includes
script commands for configuring the switches in accordance with the
user specified information. Appendix A includes a sample
configuring script. In the implementation described above, the
switch manager 116 can export the configuration information 118a,
118b to extranet switches by transmitting the information 118a,
118b to a pre-determined switch directory via FTP (File Transfer
Protocol). The script interface 138a, 138b on the switches 100a,
100b detects and processes the script upon its arrival.
[0035] The exporting technique described above is merely
illustrative and a wide variety of other techniques could be used
to coordinate communication between a computer executing switch
manager instructions 116 and the different extranet switches 100a,
100b. For example, the communication need not use FTP nor need the
information take the form of a script.
[0036] Referring to FIG. 5, the GUI provides a wizard (e.g., Bulk
Configure Extranet Switches) that enables an administrator to bulk
configure multiple extranet switches by interacting with a
preprogrammed series of dialogs. The dialogs query an administrator
for different sets of switch characteristics. The preprogrammed set
of dialogs reduces the chances an administrator will forget to
configure a particular set of switch characteristics.
[0037] Referring to FIG. 6, after invoking the bulk configuration
wizard, an administrator can select one or more extranet switches
to bulk configure. The manager will transmit configuration
information only to the selected switches.
[0038] Referring to FIG. 7, the wizard permits an administrator to
configure the selected switches to provide an account to a
particular administrator. Since a single administrator may be in
charge of all the switches in a virtual private network,
establishment of an identical administrator account on the
different switches enables the administrator to quickly login to
the different switches using the same id and password.
[0039] Referring to FIG. 8, each switch may be individually
configured to have a unique hostname (e.g., "NOC2000"). An
administrator can bulk configure different switches to have the
same DNS (domain name service) domain such as "myVPN.com". By
defining a common domain for multiple switches, an administrator
can thereafter refer to a particular switch by combining the domain
name and the hostname (e.g., "myVPN.com/NOC2000"). Primary and
backup DNS servers can translate the domain and hostname to a
particular IP (Internet Protocol) address. Thus, by specifying a
common domain, the administrator can identify a switch by a
memorable text entry instead of a more cryptic IP address (e.g.,
"255.255.68.28").
[0040] Referring to FIG. 9, an administrator can configure the
services offered by the switches. For example, the administrator
can enable or disable different tunnel protocols (e.g., IPSec,
PPTP, L2TP, and L2F). The GUI also gives the administrator the
ability to enable or disable tunneling sessions initiated from
within the private network served by a switch and tunneling
sessions initiated from a source outside the private network (e.g.,
"public" tunnels).
[0041] The administrator can also enable or disable different
communication protocols such as HTTP (HyperText Transfer Protocol),
SNMP (Simple Network Management Protocol), FTP (File Transfer
Protocol), and TELNET. Additionally, the manager gives the
administrator the ability to control the types of communication
allowed. For example, an administrator can enable or disable
tunnels between two extranet switches (e.g., branch to branch
communication), between two users tunneling to the same switch
(e.g., end user to end user), and between a user and a branch
office tunneling to the same switch.
[0042] Referring to FIG. 10, an administrator can bulk configure
the SNMP traps reported by the switches and the host computers that
will receive notification of the traps. SNMP traps allow an
administrator to react to events that need attention or that might
lead to problems. The switches allow the scripting of SNMP alerts
so that a combination of system variables can signal an SNMP trap.
The GUI permits the administrator to not only enable or disable
different types of traps, but also to provide the interval between
execution of the SNMP scripts.
[0043] Referring to FIG. 11, an administrator can also configure
RADIUS accounting performed by each selected switch. RADIUS is a
distributed security system that uses an authentication server to
verify dial-up connection attributes and authenticate connections.
RADIUS accounting logs sessions with records containing detailed
connection statistics. The administrator can enable and disable
RADIUS accounting, configure the switches to use internal or
external RADIUS servers, and specify how frequently RADIUS records
are stored. By configuring the switches in a virtual private
network to use the same RADIUS accounting methods, switch usage and
access can be easily compared between the different switches.
[0044] Referring to FIG. 12, if enabled, an administrator can bulk
configure the type of RADIUS authentication performed by the
switches. For example, as shown, the switches can offer AXENT
(AXENT OmniGuard/Defender), SecurID (Security Dynamics SecurID),
MS-CHAP (Microsoft Challenge Handshake Authentication Protocol
encrypted), CHAP (Challenge Handshake Authentication Protocol),
and/or PAP (Password Authentication Protocol) authentication.
[0045] The administrator can also define a primary RADIUS server
and one or more alternate servers. The primary server receives all
RADIUS authentication inquiries unless it is out of service. In the
event that the Primary Server is unreachable, the Switch will query
the alternate RADIUS servers. By bulk configuring the servers used
to provide RADIUS authentication, administrators can quickly route
all RADIUS authentication requests to the same collection of RADIUS
servers.
[0046] Referring to FIG. 13, switches may use LDAP authentication
in addition to or in lieu of RADIUS authentication. An external
LDAP Server such as the Netscape Directory Server can store remote
access profiles. The switch queries the LDAP Server for access
profile information when a user attempts to establish a tunnel
connection. The Master LDAP Server is the primary server to process
queries. Should the Master server become unavailable, the switch
attempts to initiate a connection with the Slave servers. Bulk
configuring different switches to use the same LDAP servers both
eases the burden of switch management on the administrator and
reduces the likelihood the administrator will inadvertently specify
a different LDAP hierarchy on different switches.
[0047] After completing the bulk configuration wizard, the manager
stores the specified configuration information, but does not
transmit the information until the administrator specifically
exports the configuration data. This provides administrators with a
safeguard against accidentally bulk configuring the switches with
unintended characteristics.
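As an added example (not code from the patent or from Nortel) of the switch-manager flow described in [0033]-[0034], [0039] and [0047]: the wizard's result is modelled, rendered into omSET script lines for each selected switch, and transmitted only when the administrator explicitly exports it. The only command form taken from the page is omSET with "trustedFTPenabled"; the hostname, dnsDomain and tunnel.L2TP attribute names, the second hostname "NOC2001", and the injected transport callable standing in for the page's FTP upload are assumptions.

```python
"""Bulk configuration of extranet switches, modelled on the switch-manager
description in paragraphs [0033]-[0034], [0039] and [0047] of the patent.

Added example, not the patent's or Nortel's code. The only script command
copied from the page is
    call omSET using ("trustedFTPenabled" "ENABLED")
Every other attribute name (hostname, dnsDomain, tunnel.L2TP) is a
hypothetical placeholder, and the transport is an injected callable that
stands in for the page's FTP upload to a pre-determined switch directory.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Callable, Dict, List, Optional


def om_set(attribute: str, value: str) -> str:
    """Render one omSET command in the form the page shows."""
    if '"' in attribute or '"' in value:
        raise ValueError("attribute and value must not contain quotes")
    return f'call omSET using ("{attribute}" "{value}")'


@dataclass
class BulkConfig:
    """Characteristics gathered by the wizard dialogs (FIGS. 6-13)."""
    switches: List[str]                                   # IPs chosen in FIG. 6
    common: Dict[str, str] = field(default_factory=dict)  # same on every switch
    hostnames: Dict[str, str] = field(default_factory=dict)  # per switch (FIG. 8)

    def validate(self) -> None:
        if not self.switches:
            raise ValueError("no switches selected")
        for addr in self.switches:
            ip_address(addr)  # raises ValueError on a malformed address
        if len(set(self.hostnames.values())) != len(self.hostnames):
            raise ValueError("hostnames must be unique per switch")


def build_script(config: BulkConfig, switch: str) -> str:
    """Common commands first, then the switch-specific hostname, one per line."""
    lines = [om_set(k, v) for k, v in sorted(config.common.items())]
    if switch in config.hostnames:
        lines.append(om_set("hostname", config.hostnames[switch]))  # hypothetical key
    return "\n".join(lines) + "\n"


class SwitchManager:
    """Holds the wizard result until the administrator explicitly exports it
    ([0047]); nothing reaches a switch before export()."""

    def __init__(self, transport: Callable[[str, str], None]):
        self._transport = transport  # transport(switch_ip, script_text)
        self._pending: Optional[BulkConfig] = None
        self.exported: Dict[str, str] = {}

    def complete_wizard(self, config: BulkConfig) -> None:
        config.validate()
        self._pending = config

    def has_pending(self) -> bool:
        return self._pending is not None

    def export(self) -> List[str]:
        """Transmit the stored script to the selected switches only."""
        if self._pending is None:
            raise RuntimeError("no bulk configuration to export")
        sent: List[str] = []
        for switch in self._pending.switches:
            script = build_script(self._pending, switch)
            self._transport(switch, script)
            self.exported[switch] = script
            sent.append(switch)
        self._pending = None
        return sent


def demo() -> Dict[str, str]:
    """Constructed walk-through: two switches share services and a DNS
    domain but receive distinct hostnames. Returns what the transport saw."""
    delivered: Dict[str, str] = {}
    manager = SwitchManager(lambda ip, text: delivered.__setitem__(ip, text))
    cfg = BulkConfig(
        switches=["192.0.2.10", "192.0.2.11"],          # documentation addresses
        common={"trustedFTPenabled": "ENABLED",         # command from the page
                "dnsDomain": "myVPN.com",               # hypothetical key, page's value
                "tunnel.L2TP": "ENABLED"},              # hypothetical key
        hostnames={"192.0.2.10": "NOC2000",             # hostname from the page
                   "192.0.2.11": "NOC2001"},            # constructed
    )
    manager.complete_wizard(cfg)
    assert delivered == {}  # safeguard: wizard completion sends nothing
    manager.export()
    return delivered


if __name__ == "__main__":
    for ip, script in demo().items():
        print(f"--- {ip} ---\n{script}")
```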
[0048] Reporting Capabilities
[0049] Referring to FIG. 14, in addition to configuring multiple
extranet switches 100a, 100b, switch manager instructions 116 can
also produce reports describing the extranet switches 100a, 100b in
a virtual private network 102. As shown, the extranet switches
100a, 100b can transmit configuration, capacity, and activity
information for inclusion in a report.
[0050] Referring to FIG. 15, switch manager instructions 116 can
transmit a script 152a, 152b that includes script commands
requesting current switch 100a, 100b information. For example, a
script command of "call omGET using ("security.trustedFTPenabled")"
requests information describing whether an extranet switch 100a,
100b is currently configured to accept FTP (File Transfer Protocol)
requests from a trusted computer. Appendix B includes a sample
script requesting information from a Contivity™ switch.
[0051] The switch 100a, 100b script interface 138a, 138b processes
the script commands 128 and produces a file 150a, 150b including
the requested information. The script interface 138a, 138b on the
switch 100a, 100b can store the file in a pre-determined directory.
The switch manager instructions 116 can then use FTP to retrieve
the information 150a, 150b.
[0052] Again, a wide variety of other techniques could enable the
switches 100a, 100b to communicate with the switch manager
instructions 116. Additionally, instead of the request/response
model described above, the switches 100a, 100b could schedule
periodic execution of a script and/or periodic transmission of the
switch information 150a, 150b.
[0053] Referring to FIG. 16, the switch manager GUI can provide a
menu of different reports that can be produced for selected
extranet switches. The manager prepares the report by analyzing
and/or including data imported from the different extranet
switches.
[0054] Referring to FIG. 17, a first report can display different
static attributes of the selected switches such as DNS details.
[0055] Referring to FIG. 18, a security report displays the
security configurations of the selected switches such as the
enabling/disabling of different tunneling and communication
protocols. The security report can also list changes made to the
selected switch configurations when such changes occurred (not
shown). The report can also include information summarizing failed
access attempts to the switches (not shown). This report enables an
administrator to quickly view the different security configurations
and any troublesome security statistics.
[0056] Referring to FIG. 19, a capacity report shows the current
total capacity of tunnels that selected switches can provide and
the total number of subscribers and/or users configured to use the
switch. This report provides a simple but useful gauge of tunnel
capacity. Based on the capacity report, an administrator can decide
whether to add more subscribers to an available tunnel pool or to
increase the size of tunnel pool, for example, by upgrading or
adding an extranet switch.
[0057] Referring to FIG. 20, a trending report displays the number
of tunnels for each tunnel technology provided by the different
extranet switches over a user-specified amount of time. The report
allows subscribers to select any number of currently defined
switches or services.
[0058] Custom Views
[0059] Referring to FIG. 21, the switch manager GUI eases
administration of a virtual private network extranet switches by
collecting information about the entire network in a single
display. As shown, the switch manager GUI displays configuration
information imported from one or more extranet switches (e.g., via
the import mechanism described in conjunction with FIG. 15). The
GUI uses a split screen display that includes a navigation pane 200
listing different virtual private network switches 202, subscribers
204, and other information such as periodic scheduling 206 of
management functions and scripts 208 that can perform these
functions. As shown, the listing uses a hierarchical tree to
display the virtual private network elements (e.g., an extranet
switch). Each element can be the parent of one or more sub-elements.
An administrator can view a listed element in more detail by
expanding the tree (e.g., clicking on the "-" or "+" next to an
element). The tree display enables an administrator to quickly
find, add, remove, and configure different virtual private network
extranet switches.
[0060] As shown, the display also provides a tabbed dialog control
210 that provides more information and management options for a
virtual private network element currently selected in the
navigation pane 200 (e.g. "Configuration Data" 212). The control
210 includes dialogs for adding new elements to the tree from a
palette 214, for viewing and altering properties 216 of a selected
element, for a list of wizards 218 that perform tasks frequently
used with a selected element or sub-element, and a list of network
links 222 that enable an administrator to manually configure an
individual extranet switch. By providing management options
corresponding to an element selected in the navigation pane 200,
the GUI presents only a relevant subset of a wide variety of
different management features at a given moment.
[0061] Referring to FIGS. 22-26, the GUI enables an administrator
to quickly view and modify the configuration of any particular
switch in the virtual private network from within a single
application. For example, as shown, an administrator can quickly
add a new subscriber 226 to the virtual private network. Briefly, a
subscriber is any entity that uses a virtual private network
service (e.g., a tunnel protocol). For example, service providers
typically use the same extranet switch to provide virtual private
network services to different organizations. In this case, each
organization could be considered a subscriber. Subscribers can also
be individual users.
[0062] As shown in FIG. 22, after selecting the "Configuration
Data" element 212, a palette tab presents different
elements/sub-elements that can be added to the selected virtual
private network element 212. A new subscriber 226 can be added by
dragging-and-dropping the subscriber 224 palette selection onto the
"Configuration Data" element 212. As shown in FIG. 23, the
administrator can rename the new subscriber 226. As shown in FIG.
24, by selecting the new subscriber 226, selecting the "palette"
tab 214, and dragging a "VPN Service" 228 (e.g., a tunnel) from the
palette onto the new subscriber 226, the administrator can also
configure a switch or switches to offer a particular tunneling
protocol.
[0063] As shown in FIG. 25, the administrator can name the tunnel,
define the tunneling technology used by the tunnel (e.g., L2TP),
and enter the tunnel starting and ending points which, as shown,
are extranet switches.
[0064] As shown in FIG. 26, after configuring different subscribers
and switches, the GUI provides an administrator with a variety of
different methods of looking at a virtual private network. For
example, as shown, by expanding a subscriber 232 an administrator
can quickly see shortcuts to the extranet switches 236, 238
offering tunnels for subscriber use. Alternatively, as shown in
FIG. 27, the administrator can view the tunneling technologies
offered by a particular switch 240 by using the navigation pane 200
to select the switch's tunnel element 242. The properties dialog
244 displays the configuration of the different tunneling
technologies.
[0065] The different presentations of the data (e.g., subscriber
based and switch based) described above enable the administrator to
both ensure that subscribers are adequately served and that
individual switches are configured as desired.
[0066] Referring to FIGS. 28-29, the process described above (i.e.,
selecting an element from the tree and using the tabbed dialog to
view and modify the element's characteristics) can be used to
configure a variety of virtual private network characteristics. For
example, by selecting a switch 240 from the navigation pane 200,
the administrator can view and modify the switch's 240
characteristics. As shown in FIG. 28, an administrator can add
RADIUS Authentication 244 to a switch 240 by dragging-and-dropping
the RADIUS Authentication Server palette selection 242 onto the
selected switch 240. As shown in FIG. 29, the administrator can
then set different RADIUS authentication settings for the switch
244. An administrator can use a similar technique to add and/or
configure SNMP (Simple Network Management Protocol) settings,
switch interfaces to private and/or public networks, Ethernet
settings, IPX (Internetwork Packet Exchange) settings, and other
extranet switch features displayed in the switch palette. Appendix
C includes screenshots of the different palette elements and their
properties that can be used to configure an extranet switch.
[0067] The alterations to the switches (for example, adding RADIUS
authentication to a switch), while immediately represented to the
administrator, are not exported until explicitly requested by the
administrator. Again, this gives the administrator a chance to
avoid unintended modifications.
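The two presentations of the configuration data described in [0061]-[0065] (subscriber based and switch based) and the deferred export of [0067] can be modelled as follows. This is an added example, not code from the patent or from any switch manager product; the subscriber, tunnel and switch names are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass(frozen=True)
class Tunnel:
    """A VPN service dragged onto a subscriber: a named tunnel between two extranet switches."""
    name: str
    technology: str  # tunneling technology, e.g. "L2TP"
    start: str       # starting extranet switch
    end: str         # ending extranet switch

class VpnConfigurationData:
    """In-memory 'Configuration Data' tree: subscribers and the tunnels assigned to them."""
    def __init__(self) -> None:
        self.subscribers: Dict[str, List[Tunnel]] = {}
        self.pending: List[str] = []  # edits shown to the administrator but not yet exported
    def add_subscriber(self, name: str) -> None:
        self.subscribers.setdefault(name, [])
        self.pending.append(f"add subscriber {name}")
    def add_vpn_service(self, subscriber: str, tunnel: Tunnel) -> None:
        self.subscribers[subscriber].append(tunnel)  # KeyError if the subscriber is unknown
        self.pending.append(f"add tunnel {tunnel.name} to {subscriber}")
    def switches_for_subscriber(self, subscriber: str) -> Set[str]:
        """Subscriber-based view: the switches offering tunnels for this subscriber."""
        return {sw for t in self.subscribers[subscriber] for sw in (t.start, t.end)}
    def technologies_for_switch(self, switch: str) -> Dict[str, Set[str]]:
        """Switch-based view: each tunneling technology the switch offers and who uses it."""
        view: Dict[str, Set[str]] = {}
        for sub, tunnels in self.subscribers.items():
            for t in tunnels:
                if switch in (t.start, t.end):
                    view.setdefault(t.technology, set()).add(sub)
        return view
    def export(self) -> List[str]:
        """Explicit export requested by the administrator: returns and clears the pending edits."""
        exported, self.pending = self.pending, []
        return exported

def sample_configuration() -> VpnConfigurationData:
    """Constructed sample data for this example, not taken from the document."""
    cfg = VpnConfigurationData()
    cfg.add_subscriber("Acme")
    cfg.add_subscriber("Beta")
    cfg.add_vpn_service("Acme", Tunnel("acme-hq", "L2TP", "switch-boston", "switch-dallas"))
    cfg.add_vpn_service("Beta", Tunnel("beta-1", "PPTP", "switch-dallas", "switch-denver"))
    return cfg
```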
[0068] Referring to FIGS. 30-31, beyond viewing and modifying
switch characteristics, an administrator can use the GUI to
organize information for easy access and identification of
different elements. For example, as shown in FIG. 30, an
administrator can drag a folder 250 from the palette onto an
element. The administrator can rename the dragged folder 252 (e.g.,
to "Subscribers") and drag-and-drop different subscribers into the
folder 252. As shown in FIG. 31, a similar technique enables an
administrator to organize different switches into different
groupings such as switches using LDAP 254 for authentication and
switches using RADIUS 256.
[0069] Integrated Access to a Switch's Configuration Mechanisms
[0070] As previously described, an extranet switch such as the
Contivity.TM. switch can include a web-server and different network
pages (e.g., HTML (HyperText Markup Language) documents) that
enable an administrator to individually configure an extranet
switch. By navigating to a switch web-server, an administrator can
view and/or modify a switch's configuration.
[0071] Referring to FIG. 32, the GUI can present a menu 260 of
network links (e.g., link 268) to web-pages offered by a selected
extranet switch 270. As shown, the menu 260 includes a description
of the link 272 and a corresponding URL (Universal Resource
Locator) identifying a web-page offered by a switch. As shown, the
URL includes a designation of a communication protocol (e.g., HTTP
(HyperText Transfer Protocol)) 262, an IP address 264, and the
location of a particular page at the specified IP address 268. When
a user selects a link from the menu 260, the switch manager can
transmit an HTTP request for the selected URL. Alternately, the
switch manager can instantiate or call a network browser and pass
the selected URL. The GUI prepares each URL in the menu 260 by
prepending a switch's IP address 264 to a predefined set of
web-page locations 266.
[0072] By providing the link menu in conjunction with the
navigation pane 200, administrators can quickly access a desired
page on any particular switch and can also quickly access the same
page (e.g., the users page) on a variety of different switches, one
after another. Additionally, the menu 260 obviates the need to
remember the different extranet switch URLs or expend the time
needed to navigate through any menu provided by the switch itself
which necessitates potentially long waits for information to be
transmitted to the switch manager.
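The URL preparation described in [0071] and the access to the same page on several switches in [0072] can be implemented as below. This is an added example, not the patent's or any product's code; the page locations under /manage/ are assumed placeholders, since the document names the pages but not their paths, and the switch addresses are constructed.

```python
import ipaddress
from typing import Dict, Iterable, List
from urllib.parse import quote, urlunsplit

# Predefined set of web-page locations, keyed by the description shown in the menu.
# The paths are placeholders assumed for this example.
PAGE_LOCATIONS: Dict[str, str] = {
    "Users": "/manage/users.htm",
    "Branch Offices": "/manage/branch_offices.htm",
    "Packet Filters": "/manage/packet_filters.htm",
    "Groups": "/manage/groups.htm",
    "Access Hours": "/manage/access_hours.htm",
}

def build_link_menu(switch_ip: str, scheme: str = "http") -> Dict[str, str]:
    """Build the link menu for one switch by prepending its address to each page location.

    The address must parse as a literal IP address: a hostname or a string carrying
    path or query characters is rejected rather than spliced into the URL.
    """
    if scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {scheme}")
    addr = ipaddress.ip_address(switch_ip)  # raises ValueError for anything but an IP literal
    host = f"[{addr}]" if addr.version == 6 else str(addr)
    return {desc: urlunsplit((scheme, host, quote(path), "", ""))
            for desc, path in PAGE_LOCATIONS.items()}

def same_page_on_switches(switch_ips: Iterable[str], description: str) -> List[str]:
    """The same page (e.g. the users page) on several switches, one after another."""
    return [build_link_menu(ip)[description] for ip in switch_ips]
```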
[0073] As shown, the web-pages include pages that control how a
switch handles users (FIG. 33), branch offices (FIG. 34), packet
filters (FIG. 35), groups of users (FIG. 36), access hours (FIG.
37), and other information such as a menu that tailors a web-based
configuration session (FIG. 39). The functions of these different
web-pages are described in the New Oak Communications Extranet
Access Switch Administrators Guide, pages 82-138 of which are
incorporated by reference herein.
[0074] Other Embodiments
[0075] The embodiments described above should not be considered
limiting. For example, one of skill in the art could quickly
construct a switch manager that performs the functions described
above using different GUI controls or a different arrangement of
GUI controls.
[0076] Additionally, the techniques described here are not limited
to any particular hardware or software configuration; they may find
applicability in any computing or processing environment. The
techniques may be implemented in hardware or software, or a
combination of the two. Preferably, the techniques are implemented
in computer programs executing on programmable computers that each
include a processor, a storage medium readable by the processor
(including volatile and non-volatile memory and/or storage
elements), at least one input device, and one or more output
devices. Program code is applied to data entered using the input
device to perform the functions described and to generate output
information. The output information is applied to one or more
output devices.
[0077] Each program is preferably implemented in a high level
procedural or object oriented programming language to communicate
with a computer system; however, the programs can be implemented in
assembly or machine language, if desired. In any case, the language
may be a compiled or interpreted language.
[0078] Each such computer program is preferably stored on a storage
medium or device (e.g., CD-ROM, hard disk or magnetic diskette)
that is readable by a general or special purpose programmable
computer for configuring and operating the computer when the
storage medium or device is read by the computer to perform the
procedures described in this document. The system may also be
considered to be implemented as a computer-readable storage medium,
configured with a computer program, where the storage medium so
configured causes a computer to operate in a specific and
predefined manner.
[0079] Other embodiments are within the scope of the following
claims.
* * * * *