SafeConnect Layer 3 Integration

Layer 3 Integration Guide

Learn the steps required to integrate SafeConnect into a customer Layer 3 network environment and validate the integration with a test policy. Note that this page only provides the minimum requirements needed to achieve network integration.

Add a Layer 3 switch/router to SafeConnect

To access the SafeConnect UI, navigate to the link below and log in with SafeConnect Admin credentials (admin/admin is the default username and password).
https://x.x.x.x:8443/manage

SafeConnect Login

Once logged into the SafeConnect UI, the network integration options are located under Configuration Manager.

Once logged into Configuration Manager, click on Routers/Switches under Enforcement Setup in the left pane.

Configuration Manager Menu

In the right pane, click on the New Connection button.

Click on the edit button to enter a Label, Description, IP address and credentials for SafeConnect to log in to the router. For the “Enforcer” field, select your system’s IP address from the drop-down list.

CoreSwitch

Optional Fields if Full Configuration Access is Default

The Configuration Prompt fields and second set of passwords are only required if a network admin has to type “enable” and a second password to log in. If full configuration access is enabled by default with the credentials entered, then those three fields must be blank.

After the credentials have been entered, select the appropriate vendor from the Connection Type drop-down list. If an Exit Delay or Measured Commit option is available, it is recommended to select that option for optimum performance.

Leave the State as disabled and then click Save changes.

RouterSSHSession

Verify SafeConnect/Router Connection

To verify the connection, click the Verify Connectivity and Configuration button. The text box should display a successful login and the addition of a test IP to the configuration (example output below):

[Screenshot: example output of Verify Connectivity and Configuration]

If there is no output or an error message indicating “No router is open for this IP”, double-check for access-lists (including VTY ACLs), firewall rules or other issues that would prevent the SafeConnect system IP from connecting to the router. A manual connection attempt using a terminal emulator is also a valuable tool when troubleshooting issues specifically related to credentials.

After a successful test, change the connection state to Enabled and click Save changes.

Once enabled, the connection should display a green checkmark.

Connection Enabled
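
For the troubleshooting case above, where the verification returns no output or “No router is open for this IP”, the following added example (not part of SafeConnect or its documentation) separates a network block from a credentials problem by classifying a single TCP connection attempt to the router's management port. The function name, the default port 22 (SSH; use 23 for Telnet) and the 127.0.0.1 default target are assumptions made for this example.

```python
import socket
import sys

# Next step per result, following the troubleshooting order in the text above.
NEXT_STEP = {
    "open": "Port is reachable: test the credentials manually with a terminal emulator.",
    "refused": "Connection actively rejected: confirm the management service is enabled "
               "and that no ACL rejects this source IP.",
    "filtered": "No reply: look for ACLs (including VTY ACLs) or firewall rules "
                "dropping traffic from this source IP.",
    "error": "Local or routing problem: check the address and the route to the router.",
}


def probe_mgmt_port(host, port=22, timeout=3.0):
    """Return (state, detail) for one TCP connection attempt to a management port.

    state is "open", "refused", "filtered" or "error"; detail is the service
    banner for "open" (may be empty) and the error text otherwise.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError as exc:
        return "refused", str(exc)
    except socket.timeout:
        return "filtered", "no reply within %.1f s" % timeout
    except OSError as exc:  # no route, unresolvable name, ...
        return "error", str(exc)
    with sock:
        try:
            # SSH servers send an identification line first; Telnet sends options.
            banner = sock.recv(256).decode("ascii", "replace").strip()
        except OSError:  # timeout or reset while waiting for a banner
            banner = ""
    return "open", banner


if __name__ == "__main__":
    # Placeholder target: pass the router's management IP as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    state, detail = probe_mgmt_port(target)
    print("%s:22 -> %s (%s)" % (target, state, detail))
    print(NEXT_STEP[state])
```

The result only describes the path from the host that runs the probe, so run it from a host that the router's ACLs and firewall rules treat the same way as the SafeConnect system IP.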

Apply SafeConnect script to Layer 3 switch/router

Now that the Layer 3 switch/router has been added to SafeConnect and connectivity from SafeConnect to the router has been verified, a script must be applied to the switch/router to complete the integration setup.

Example scripts are provided in SafeConnect Layer 3 Network Integration Scripts. The scripts are designed to be copied and pasted. Locate the appropriate script for the make/model, fill in the variables in the script with the appropriate information and apply the script.

This concludes the steps required for Layer 3 integration. To test the integration, proceed to the Configure Identity for Unmanaged Devices section.