    Provisioning

    Provisioning is only supported for oMG devices. For ALEOS and MG devices use the Configuration Template functionality.

    The Provisioning menu allows for the configuration of VPNs and management tunnels on either a single gateway or groups of gateways. This mechanism is also used by fleet operators to implement PSK rotation for VPNs. On oMM 2.14.x, this feature is supported for oMG versions 3.8 through 3.14. On oMM 2.15 and above, this feature is supported for oMG versions 3.14.1 and above.

    Note: if an oMM running version 2.14 detects an oMG with a version greater than 3.14, assistance from Support will be required for provisioning. In this case the system will display a message indicating this condition when provisioning is attempted. 1

    This provisioning system uses a hierarchy of configuration settings whereby settings can be defined per group and either inherited or overridden by subgroups and/or individual gateways within those groups.

    Note: top level groups don’t inherit any settings since there are no parent groups to inherit from.

    Provisioning provides fleet operators with the flexibility to provision a fleet of gateways while retaining the ability to provide unique configuration settings for specific gateways or groups of gateways.

    1. [All customers should upgrade to the latest version of the AMM as soon as possible.]

    Provisioning VPNs

    VPN configurations are provisioned using the Config > Provisioning > VPNs menu.

    Note: this functionality is for oMGs only.

    In addition, fleet managers who use PSK rotation for VPNs (i.e. regularly change the PSK for VPN access to increase security) can use this provisioning feature to update gateways or groups of gateways with the new PSK credentials.

    The VPN provisioning screen lists all VPN configurations for the currently selected item(s) in the Gateway Tree:

    VPN Provisioning Listing Screen - Listing for a Selected Group

    VPN Provisioning Listing Screen - Listing for a Selected Gateway

    Note: A software version check is performed at the group level and any differences are highlighted as shown in the first figure above.

    The list contains the following columns:

    • Friendly Name: the name assigned to the VPN configuration.
    • Conformance (shown when a group is selected in the Gateway Tree): visually indicates if the configuration assigned to sub groups and gateways under the selected group conforms to the configuration assigned to the selected group:
      • All gateway(s) in the group inherit the configuration.
      • Some gateway(s) in the group inherit the configuration.
      • No gateway(s) in the group inherit the configuration.

    Note: at the group level, hovering the mouse over the conformance bar provides details as to which gateways within the group are not inheriting the VPN.

    • Inherits From Group (shown when a gateway is selected in the Gateway Tree): provides the two subfields listed below for inheritance:

      • Enabled/Disabled Dropdown: when set to Enabled, the gateway will inherit the configuration from the parent group. When set to Disabled, the gateway will have its own configuration that does not inherit from that of the parent group (note though that the parent configuration will be used to create the initial configuration for the gateway). Note that this field is blank (i.e. doesn’t say enabled or disabled) when the VPN does not exist at group level and only exists at the gateway.
      • Conformance Bar: visually indicates if the configuration assigned to the selected gateway conforms to the group from which it inherits.
        • Fully inherited from the parent group.
        • Partially inherited from the parent group.
        • Not inherited from the parent group.

    Adding and Editing VPN Configurations

    Adding a VPN

    To add a VPN configuration to a group or gateway:

    1. Ensure the template configuration has been assigned to the group as described above in Setting the Template Configuration.

    2. Select the group or gateway in the Gateway Tree.

    3. Select the Config > Provisioning > VPNs menu.

    4. Click Add.

    5. Enter the required configuration fields:

    • Label: the name of the VPN configuration. The default label is automatically generated by the system. Note that this field cannot be changed once the VPN is created.
    • Server: the IP address of the VPN server.
    • Enterprise Network Subnets: a comma-delimited list of enterprise subnets in CIDR notation to include.

    6. (Optional) Click Show Advanced Config to display and edit additional VPN configuration fields. Defaults are provided for each advanced field.

    7. (Optional) Override any settings specific to the selected item as described below in Overriding VPN Settings. Note that required settings vary between the group level and individual gateway level (e.g., interfaces and PSK). Certain fields may be optional at the group level but may be required at the gateway level for deployment.

    Note: at the group level, only links and monitors that are common in all gateways within the group will be displayed as options.

    8. (Optional) Click Attach a CSV file for importing. This allows for PSK credential information stored in a .csv file to be used for configuring one or more gateways in a group that require different PSKs. Using a .csv file allows these different PSKs to be defined in one file. Note that this option is not available when setting a configuration for a single gateway, nor does it apply settings at the group level.

    If provided, the values defined in the file will override the value in the Pre-shared Key field for each gateway listed in the .csv file. The Attach CSV dialog provides the following fields:

    • Template (top right corner): generates a blank CSV file which can be populated with VPN PSK information (see VPN CSV).
    • Select a CSV file: allows for a populated CSV file to be selected and attached to the configuration. The values in this .csv file will override those on the configuration screen. Once selected, a list of gateways will be displayed indicating which gateways will be affected and excluded by the settings being imported. Click on ‘oMG(s) will be updated’ and ‘oMG(s) excluded’ to display the respective list:
    An Attached CSV for Import.

    These lists provide a summary of which gateways the CSV file contains a configuration for.

    • Attach: attaches the selected .csv file to the configuration.

    9. Verify the deploy state by hovering the mouse over the box in the top left corner of the title. This will display a popup indicating if deployment can take place:

    Popup Indicating if Deployment can Take Place.

    Clicking Detail displays additional information about issues impacting deployment.

    10. Click Save to save the configuration to the group or gateway. The new VPN will be listed on the VPN provisioning listing screen. If a configuration conflict exists (e.g., due to a configuration version mismatch), the Deploy screen will be displayed which can be used to rectify the problem (e.g., to update gateways with the latest configuration files). For more information see Deployment.

    Note: when ‘Save’ is clicked at the group level, all changes on the group are applied to gateways within the group as long as the fields modified are not overridden at the gateway.

    Note that info bubbles are provided beside each field which can be clicked on to display popup help about the respective field:

    VPN Info Bubbles.
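
    The per-gateway PSK file from step 8, as an added example that is not part of the original documentation or the AMM: it fills a template header with one freshly generated PSK per gateway, checks that a rotation really changed every key, and writes the file with owner-only permissions. The column names gateway and psk and the gateway IDs are hypothetical; take the real header row from the file that the Template button generates.

```python
import csv
import io
import os
import secrets

# Hypothetical column names: take the real ones from the blank file that the
# Template button in the Attach CSV dialog generates.
ID_COL, PSK_COL = "gateway", "psk"


def fill_template(template_text, gateway_ids, id_col=ID_COL, psk_col=PSK_COL):
    """Return CSV text: the template's header plus one fresh PSK per gateway."""
    header = next(csv.reader(io.StringIO(template_text)))
    for col in (id_col, psk_col):
        if col not in header:
            raise ValueError(f"template has no {col!r} column")
    if len(set(gateway_ids)) != len(gateway_ids):
        raise ValueError("duplicate gateway id")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=header, restval="",
                            lineterminator="\n")
    writer.writeheader()
    for gw in gateway_ids:
        # 32 bytes from the OS CSPRNG; URL-safe alphabet needs no CSV quoting.
        writer.writerow({id_col: gw, psk_col: secrets.token_urlsafe(32)})
    return out.getvalue()


def unrotated(old_text, new_text, id_col=ID_COL, psk_col=PSK_COL):
    """Gateway IDs whose PSK is unchanged from the previous file or shared."""
    old = {r[id_col]: r[psk_col] for r in csv.DictReader(io.StringIO(old_text))}
    rows = list(csv.DictReader(io.StringIO(new_text)))
    psks = [r[psk_col] for r in rows]
    return [r[id_col] for r in rows
            if old.get(r[id_col]) == r[psk_col] or psks.count(r[psk_col]) > 1]


def write_private(path, text):
    """Create the file readable by its owner only; never overwrite."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", newline="") as fh:
        fh.write(text)


if __name__ == "__main__":
    template = "gateway,psk\n"                 # constructed template header
    fleet = ["GW-0001", "GW-0002", "GW-0003"]  # constructed gateway IDs
    write_private("vpn_psk_rotation.csv", fill_template(template, fleet))
```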

    Editing an existing VPN

    To edit an existing VPN configuration, select the group or gateway whose configuration is to be edited, select Config > Provisioning > VPNs, click on the name of the VPN under the Friendly Name column and edit the fields as described above for adding a VPN.

    Overriding VPN settings

    When editing a specific gateway, the left hand column of the configuration editing screen indicates if each value inherits from or overrides the setting from the parent group’s configuration:

    Example of Inheritance Indicators on Configuration fields.

    To change whether a setting inherits or overrides from the parent group, click on the indicator and select the respective option:

    Specifying Whether or not to Inherit or Override Settings from a Parent Group.

    • Inherit value from parent group: specifies that the setting from the parent group’s configuration should be used.
    • Assign a custom value and override parent group: specifies that the parent group’s configuration setting should be overridden. Selecting this option allows the input field to be modified for some settings, while other settings will be taken from the configuration stored on the selected gateway.

    Note: syntax checking is performed by the AMM on most fields before a configuration can be saved.

    To obtain contextual information about the meaning of the various field labels, click the diagram icon on the top left corner to display a network diagram:

    Button to Obtain Contextual Information.

    Once all settings have been made, click Deploy configuration to gateways if the changes should be deployed, and then click Save to save and deploy the changes.
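
    How inheritance and per-field overrides decide whether a group-level change, such as a rotated PSK, reaches a gateway, as an added example that is not AMM code. The data model, the field names (server, psk) and the mapping of overrides to the full/partial/not conformance states are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None
    settings: dict = field(default_factory=dict)   # values defined at this level


@dataclass
class Gateway:
    name: str
    group: Group
    inherit: bool = True                            # "Inherits From Group"
    overrides: dict = field(default_factory=dict)   # custom per-field values


def group_settings(group):
    """Merge settings from the top-level group down; the nearest level wins."""
    chain = []
    while group is not None:
        chain.append(group)
        group = group.parent
    merged = {}
    for level in reversed(chain):
        merged.update(level.settings)
    return merged


def effective(gw):
    """Settings in force on a gateway after inheritance and overrides."""
    if not gw.inherit:          # Disabled: the gateway keeps its own copy
        return dict(gw.overrides)
    return {**group_settings(gw.group), **gw.overrides}


def conformance(gw):
    """Assumed mapping to the conformance bar: full, partial or not."""
    if not gw.inherit:
        return "not"
    return "partial" if gw.overrides else "full"


def missed_by_group_change(gateways, field_name):
    """Gateways that a group-level change to field_name will not reach."""
    return [g.name for g in gateways
            if not g.inherit or field_name in g.overrides]
```

    Running missed_by_group_change(gateways, "psk") before a group-level PSK rotation lists the gateways that would keep their old key and need the new PSK set individually.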

    Multi-VPN Provisioning Restrictions and Behaviours

    oMG 3.14 and up allows for the configuration of multiple VPNs per WAN link. The AMM will only allow provisioning of multiple VPNs on oMGs running 3.14 and higher and will enforce the following rules when provisioning VPNs:

    1. If a VPN is added/edited at the gateway level on a gateway older than 3.14, and if the WAN link already has an IPsec VPN, then the VPN configuration cannot be saved.
    2. If a VPN is added/edited at the group level, some gateways in the group are older than 3.14, and if the WAN link on those gateways already has an IPsec VPN, then the VPN configuration will not be saved on those gateways.
    3. Copying a configuration from one gateway to another is not restricted or monitored. This means for example, if a 3.14 VPN configuration (which may or may not have multi-VPN) is copied to a 3.13 gateway, then the VPN behavior on the 3.13 gateway will be undefined/unknown.
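
    A pre-flight check for the three rules above, as an added example that is not AMM code: it compares versions numerically (as strings, 3.9 sorts after 3.14) and flags the copies that rule 3 says the AMM does not restrict. The inventory layout and gateway names are constructed for illustration, and only the add case of rules 1 and 2 is modelled.

```python
import re

MULTI_VPN_MIN = (3, 14)   # first oMG release with multiple VPNs per WAN link


def parse_version(text):
    """'3.14.1' -> (3, 14, 1), so that 3.9 sorts before 3.14."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def supports_multi_vpn(version):
    return parse_version(version) >= MULTI_VPN_MIN


def can_add_vpn(gw, wan_link):
    """Rule 1: an older gateway cannot take a second IPsec VPN on a link."""
    already = gw["ipsec_vpns"].get(wan_link, 0)
    return supports_multi_vpn(gw["version"]) or already == 0


def group_add(gateways, wan_link):
    """Rule 2: names of gateways where a group-level add is saved / not saved."""
    saved, skipped = [], []
    for gw in gateways:
        (saved if can_add_vpn(gw, wan_link) else skipped).append(gw["name"])
    return saved, skipped


def risky_copies(copies, versions):
    """Rule 3: (source, target) copies of a 3.14+ config onto an older gateway."""
    return [(src, dst) for src, dst in copies
            if supports_multi_vpn(versions[src])
            and not supports_multi_vpn(versions[dst])]


# Constructed inventory: name, oMG version, IPsec VPN count per WAN link.
FLEET = [
    {"name": "gw-a", "version": "3.14.1", "ipsec_vpns": {"wan1": 1}},
    {"name": "gw-b", "version": "3.13", "ipsec_vpns": {"wan1": 1}},
    {"name": "gw-c", "version": "3.9", "ipsec_vpns": {}},
]
```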

    Provisioning Management Tunnels

    Management Tunnel configurations are provisioned using the Config > Provisioning > Management Tunnel menu. This allows fleet operators to assign Management Tunnel settings to either a single gateway or group of gateways.

    Note: this functionality is for oMGs only.

    To edit a Management Tunnel configuration for a group or gateway:

    1. Ensure the template configuration has been assigned to the group as described above in Setting the Template Configuration.
    2. Select the group or gateway in the Gateway Tree.
    3. Select the Config > Provisioning > Management Tunnel menu.
    4. Edit the Server field to specify the fully qualified domain name of the Management Tunnel server.
    5. (Optional) Click Show Advanced Config to display and edit the AMM Tunnel IP field.
    6. (Optional) Override any settings specific to the selected item as described below in Overriding Management Tunnel Settings.
    7. Click Save to save the configuration to the group and deploy it to the selected gateway(s). If a configuration conflict exists (e.g., due to a configuration version mismatch), the Deploy screen will be displayed which can be used to rectify the problem (e.g., to update gateways with the latest configuration files). For more information see Deployment.

    Note: syntax checking is performed by the AMM on most fields before a configuration can be saved.

    Overriding Management Tunnel Settings

    When editing a specific gateway, the left hand column of the configuration editing screen indicates if each value inherits from or overrides the setting from the parent group’s configuration:

    • Inherit value from parent group: specifies that the setting from the parent group’s configuration should be used.
    • Assign a custom value and override parent group: specifies that the parent group’s configuration setting should be overridden. Selecting this option allows the input field to be modified for some settings, while other settings will be taken from the configuration stored on the selected gateway.

    Once all settings have been made, click Deploy configuration to gateways if the changes should be deployed, and then click Save to save and deploy the changes.

    Note that info bubbles are provided beside each field which can be clicked on to display popup help about the respective field:

    Management Tunnel Info Bubble.

    Controlling Configurations when Moving Gateways between Groups

    When moving a Gateway to a group, the following options are provided to control how the configuration of the group is applied to the new gateway:

    • Inherit: the configuration is copied from the group to the gateway.
    • Retain: no change is made to the gateway’s configuration.
