Datasheet
INTC-7816-01 02/2008 Page 11 of 18
Certain firewall platforms allow e-mails and/or SNMP traps to be generated and sent from the device
when certain firewall-related events occur. By following the standard change request procedure, the
Customer may request that IBM configure the firewall platform to deliver e-mails to a designated address,
or generate SNMP traps.
Such a configuration is subject to approval by IBM, which will not be unreasonably withheld. However,
among other reasons, a request will be denied if the configuration will have an adverse impact on the
ability of the platform to protect the network environment. As with other device configurations, changes to
the platform notification and alerting settings will be considered a policy change request.
2.3.3 VPN Support
The terms and conditions set forth in this section entitled “VPN Support” will apply only to Customers who
have contracted for the MSS for UTM Protection package.
The VPN feature allows supported server-based or client-based VPNs to be connected to the Agent and
helps to enable secure transmission of data across untrusted networks, via site-to-site communication.
The default configuration of this feature activates this capability on the managed Agent and includes the
initial configuration of up to two remote sites. After the initial configuration, each setup of a site-to-site
VPN is considered a policy change.
IBM will support static authentication methods for both site-to-site and client VPN configurations. Static
authentication also includes the use of the Customer’s existing RADIUS authentication server
implementation. Certificate-based authentication is not currently supported as a part of the VPN service
configuration.
Site-to-Site VPNs
A site-to-site VPN is defined as a VPN created between the Agent and another supported encryption
device. Site-to-site VPNs help to provide secure connectivity for entire networks by building a tunnel
between the managed firewall platform and another compatible VPN endpoint. Site-to-site VPNs can be
established between:
● two IBM-managed VPN-capable Agents, or
● an IBM-managed endpoint and a non-IBM-managed endpoint. A one-time fee will be charged for
the initial configuration of a managed to unmanaged endpoint.
In the event problems with the VPN tunnel arise after setup, IBM will work with the Customer and vendor
contacts to identify, diagnose, and resolve performance and IBM-related issues.
Client VPNs
Client VPNs help to provide secure connectivity into a protected network, from a single workstation with
the appropriate client VPN software and access credentials. Client VPNs help to enable remote workers
to access internal network resources without the risk of eavesdropping or data compromise. For MSS for
UTM Customers, the allowed number of simultaneous client VPN connections is as follows:
● Standard level – up to 20
● Select level – up to 50
● Premium level – unlimited (within platform constraints)
IBM supports client VPN implementations through an enablement model. IBM will work with the
Customer to configure and test the first five client VPN users. Following successful connectivity for these
five users, it will be the Customer’s responsibility to perform user administration for individuals requiring a
client VPN connection. IBM will provide the Customer with a demonstration of the user management
capabilities of the deployed firewall platform (if applicable), and help to provide the appropriate access
levels and software required to complete the setup.
Client VPN solutions typically require the installation of a client VPN application onto the specific
workstations participating in the secured tunnel. The deployed Agent is designed to determine the
specific client VPN applications to be supported. Some client VPN applications may be available through
their respective vendors at no additional cost, while others are licensed per seat. The Customer is solely
responsible for the acquisition, installation, and associated costs therein of any required client VPN
software.
SSL VPNs
SSL VPNs are a type of client VPN, and each SSL VPN counts towards the client VPN allotment.