Use the Campus Network Portal (CNP)
On this page:
- Overview
- Manage netblocks/VLANs, hosts, and DNS records
- Firewall management
Overview
Data Center administrators use the Campus Network Portal (CNP) to add new netblocks/VLANs, manage hosts and DNS records, and request inbound network traffic firewall exceptions.
Manage netblocks/VLANs, hosts, and DNS records
From the "Hosts" page in the CNP, you can add new netblocks/VLANs and hosts, and manage their DNS records. The "Hosts" page works only with hosts within the Data Center; hosts outside the Data Center (or its security zone) can be added when you create a new firewall policy.
- Access the "Hosts" page: In the CNP menubar (at the top), click .
- Select the appropriate managing group: You must have at least one existing ADS security group set up with members assigned (group members should not be nested within an ADS group). To manage netblocks/VLANs, hosts, host groups, or firewall policies in the CNP, you first select the ADS security group (managing group) with which they are associated:
- In the CNP menubar (at the top), select .
- On the right, near the top, under "ADS Group", click and then, select the appropriate group/entity.
- If prompted to verify your selection, click to continue.
If the "ADS Group" drop-down list does not include the proper group(s), email the Network Operations Center (NOC). The ADS groups were assigned during the VLAN/subnet creation process. A Campus Networks engineer will help you to verify that the group(s) and membership(s) are assigned properly.
- Request a new netblock/VLAN: The ADS security group you select should have an associated netblock/VLAN in the IU Bloomington or IUPUI Data Center. If you do not already have a netblock/VLAN set up in one of the Data Centers, or if you need to create another one:
- In the CNP menubar (at the top), select .
- On the "Hosts" page, click (on the right, near the top), and then select .
- In the "Request New Netblock" window:
- Under "Virtual Domain", use the drop-down list to select the proper firewall security zone for your netblock/VLAN. To learn more about IU Data Center firewall security zones, see section 7.12 of the Data Center Standards.
- In the text boxes provided, enter the number of hosts you expect to need over the next five years, and a brief description of the group and/or the purpose for the netblock/VLAN.
- Under "Public or Private Address?", use the drop-down list to specify whether the netblock/VLAN will have public or private IP addresses.
- Click .
You will receive a FootPrints notification in email verifying your request has been received; a Campus Networks engineer will complete your request.
- Add a new host and DNS registration:
Note: If you want to use a top- or second-level domain, send your request to dns-admin@iu.edu. For more, see DNS policies at IU.
On the "Hosts" page, click (on the right, near the top), and then select . Then:
- In the "Allocate new address" window, select the appropriate netblock/VLAN and IP address.
Note: IP addresses will be checked against subnets assigned to the selected ADS group. You cannot add an IP address that already exists in the system, nor add a host the selected ADS group does not manage.
- In the box provided, enter a hostname, and then use the drop-down to select a domain.
Note: If you don't see the domain you need in the pull-down menu, send your request to dns-admin@iu.edu.
- Click .
Combined, the hostname and domain create the host's fully qualified domain name (FQDN). Your IP address and DNS assignment will be active within 30 minutes. Updates to the DNS servers occur at the top (#:00) of each hour as well as the middle (#:30) of each hour.
- View host details: On the "Hosts" page, all hosts and netblocks/VLANs currently managed by the selected managing group are listed:
- If you need help finding a particular entry, in the search box (under "Filter"), enter a hostname or IP address (or some segment of either).
- To view the details of a particular host, including associated firewall policies and DNS entries, click the host's entry in the "Hosts" table to open its "Hosts Details" page.
- Remove a DNS registration (A and PTR record): Before submitting a request to remove a DNS registration, remove all associated firewall policies. Then, to send an automated request to remove the DNS records linked to a specific host:
- On the "Hosts" page, find the appropriate host, right-click its entry in the table, and then select .
- When prompted to confirm removal, type yes in the text box, and then click .
- Add a Canonical Name (CNAME) to an existing DNS record: On the "Hosts" page, find the appropriate host, and then click its entry in the table to open its "Host Details" page. Then:
- On the "Host Details" page, click (on the right, near the top), and then select .
- In the "Add a CNAME DNS Record" window:
- Under "A Record", use the drop-down menu to select the host.
- Under "Alias", in the text box provided, enter an alias for the canonical domain.
- Use the drop-down list on the right to select the domain.
- Click .
Combined, the hostname and domain create the host's fully qualified domain name (FQDN). Your IP address and DNS assignment will be active at the top of the following hour.
- Delete a CNAME: On the "Hosts" page, find the appropriate host, and then click its entry in the table to open its "Host Details" page. Then:
- On the "Host Details" page, right-click the host, and then select .
- When prompted to confirm removal, type yes in the text box, and then click .
- Delete a host: On the "Hosts" page:
- Find the host you want to delete, right-click on its entry in the table, and then select .
- When prompted to confirm removal, type yes in the text box, and then click .
Firewall management
Web proxy policies are visible within CNP but are read-only. Continue to submit new requests via the form at https://telecom.iu.edu or changes to existing policies via email to noc@iu.edu.
Following are instructions for using the Campus Network Portal (CNP) to set up and manage:
- Host groups (internal and external)
- Firewall policies (for your hosts and host groups)
For IU Data Center networking policies and standards, see the Data Center Standards. Section 7 is specific to Data Center firewall standards and guidelines.
Manage host groups
A host group is a collection of hostnames and/or IP addresses grouped together under one name. You can use host groups to simultaneously add multiple objects to a firewall policy. From the "Host Group" page in the CNP, you can create and manage internal (destination) and external (source) host groups:
- Access the "Host Group" page: In the CNP menubar (at the top), mouse over , then , and then select .
- Add internal host groups: Internal host groups comprise hosts managed by your group that reside inside the Data Center, behind the firewall. Internal host groups cannot be used as sources in UNTRUST-to-TRUST access policy rules.
To add an internal host group:
- On the "Host Group" page, click (on the right, near the top), and then select .
- In the "Host Group Details" window, enter a name for the host group. The name can have between 4 and 35 alphanumeric characters, plus hyphens and underscores, but may not include white spaces or special characters (such as !, @, #, $, %, or ?).
- To add a host to the host group, under "Look up host", enter at least four characters from the host's hostname or IP address, find the host in the list of search results (which appears as you type), and then click the desired host. Once selected, the host will appear in the "Members as Host" field. To add another host to the host group, repeat this step.
To add other groups as members, click in the "Members as Host" window and select the host group name that you wish to add. You can only select Global Groups and your groups.
- When you are finished adding hosts to the host group, click .
The CNP will save your new host group and redirect you to its "Host Group Details" page. When you return to the "Host Group" page, the new host group will be listed in the "Internal Host Groups" table.
- Add external host groups: External host groups comprise IP addresses that reside outside the Data Center firewalls. These may be free-form entries for any objects that reside either outside the Data Center firewall security zones or outside the IU network in general. External host groups cannot be used as destinations in UNTRUST-to-TRUST access policy rules.
To add an external host group:
- On the "Host Group" page, click (on the right, near the top), and then select .
- In the "External Host Group Details" window, enter a name for the host group. The name can have between 4 and 35 alphanumeric characters, plus hyphens and underscores, but may not include white spaces or special characters (such as !, @, #, $, %, or ?).
- Under "IP Addresses", enter the IP addresses (for hosts and/or subnets) you want added to the group.
- When you are finished, click .
The CNP will save your new host group and redirect you to its "Host Group Details" page. When you return to your "Host Group" page, the new host group will be listed in the "External Host Groups" table.
- View host group details: On the "Host Group" page, all internal and external host groups managed by the selected ADS group are listed in two tables:
- For help finding a particular entry, in the search box (under "Filter"), enter all or part of the host group's name, and then press Enter or Return.
- When you locate the desired host group, click its entry in the table to open its "Host Group Details" page.
- Update host groups: On the "Host Group" page, find the host group you want to update, and then click its entry in the table to open its "Host Group Details" page. Then:
- On the "Host Group Details" page, click (on the right, near the top), and then select .
- In the window that opens, add or delete host and/or host group members, and then click .
- Delete host groups: On the "Host Group" page, locate the host group you want to delete, right-click its entry in the table, and then:
- Select .
Note: Before you delete a host group, make sure you remove it from any firewall rules that reference it.
- When prompted to confirm removal, type yes in the text box, and then click .
Manage firewall policies
From the "Policy" page in the CNP, you can manage active firewall policies and create new ones:
- Access the "Policy" page: In the CNP menubar (at the top), mouse over , then , and then select .
- Add a new firewall policy: On the "Policy" page, click (on the right, near the top), and then select . Then, in the "Policy Details" window:
- Under "Destination Firewall Zone", use the drop-down list to select the firewall security zone (virtual domain) in which your host resides. (If you are uncertain, you can find this information on the host's "Host Details" page; see Viewing hosts above.)
- Under "Source Zone", use the drop-down list to choose either or . The default source zone represents all IP addresses external to your firewall security zone.
Note: By default, to permit users on the IU network to access the internet, the firewall allows all outbound TRUST-to-UNTRUST traffic. Consequently, you do not need to create policies that allow traffic from the TRUST source zone.
- Under "Destination Zone", use the drop-down list to choose either or . The default destination zone represents the hosts within your security zone (your hosts in the Data Center).
- Under "New Source Hosts", enter IP addresses for any external hosts and/or subnets to which the policy should apply:
- IP addresses must be properly formatted.
- For multiple IP addresses, enter one address per line.
- To apply the policy to all external hosts, enter 0.0.0.0.
- To indicate TRUST zone hosts to which the policy should apply, under "Look up host", enter at least four characters of a hostname or IP address to find and select a host you added previously (in the instructions above).
Note: Only hosts in the selected destination firewall zone will be available. If you cannot find a particular host, make sure the proper destination firewall zone is selected.
- Under "Source Host Groups" and "Destination Host Groups", click inside the fields to select the host group(s) to which the policy should apply. For access control policies in which the source zone is UNTRUST, you can:
- Add external host groups you created previously (using the instructions above) as source host groups.
- Add internal host groups, including global groups (such as ), as well as any you created previously (using the instructions above), as destination host groups.
- To add ports (services) to which the policy should apply:
- Under "Protocol", use the drop-down list to select the protocol you wish to add. (To allow HTTP, select .)
- Under "Source Port", keep the default value ( ) unless your service specifically calls for restricting the source port.
- Under "Destination Port", enter the destination port you want opened to your server. (To allow HTTP, enter 80.)
- Click .
Repeat this process for any additional ports (services) to which the policy should apply.
Note: To remove a port (service), click to select the table entry (to select multiple entries, use Ctrl-click in Windows or Command-click in macOS), and then click .
- When you are finished entering policy information, click . If your group uses the approval process, this will forward the request to your manager for approval.
- View policy details: On the "Policy" page, all firewall policies managed by the selected ADS group are listed in a table:
- For help finding a particular entry, in the search box (under "Filter"), enter all or part of the policy's name, and then press Enter or Return.
- To view a policy's details, click its entry in the table to open its "Policy Details" page.
Policy details available here include the policy's ID number, firewall zone (virtual domain), and source and destination zones, the action (for example, Accept, Deny, or Reject) taken on rules that match the requisite criteria, the status (whether or not the policy is enabled), and the hosts and host groups with which the policy is associated.
- Update an existing policy: On the "Policy" page, click the desired policy to open its "Policy Details" page, and then:
- Click (on the right, near the top), and then select .
- Make the desired modifications (adding or removing hosts, host groups, and ports), and then click .
- Delete a policy: On the "Policy" page:
- Find the policy you want to delete, right-click on its entry, and then select .
- When prompted to confirm removal, type yes in the text box, and then click . If your group is using the approval process, this will forward the request to your manager for approval.
- Firewall policy change request approval process: By default, all firewall policy requests require approval from the managing ADS group's designated approver(s). All of the managing group's approvers are notified anytime a firewall policy change request is submitted. Approvers can review and act on firewall policy change requests in the CNP:
- In the CNP menubar (at the top), mouse over , and then select .
- Under "Pending Policy Requests", right-click a request, and then select whether to approve or deny the policy change. (Alternatively, left-click a request to open its "Policy Details" page and view the full details of the request.)
- An approved firewall policy change request generates a FootPrints ticket for the Campus Networks firewall engineer. FootPrints will send an automatic reply to the approver, confirming the request was received.
- The firewall engineer will follow up with the submitter via the FootPrints ticket.
Approvers are assigned during the initial netblock/VLAN creation, and must be full-time faculty or staff members. To request a change to your group's firewall approver list, email the Network Operations Center (NOC).
To opt out of the firewall policy change request approval process, your director must email a request to the Network Operations Center (NOC) that specifies the managing group(s) that should be permitted to override the approval process. If you opt out, firewall policy change requests will be forwarded directly to the Campus Networks firewall engineer.
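A pre-submission check for the host group naming rule and the "New Source Hosts" rules given under "Manage host groups" and "Add a new firewall policy" above. This is an added example, not part of the CNP or the original page. CIDR notation for subnets, the /16 review threshold, and all sample values are assumptions made for the illustration.

```python
import ipaddress
import re

# Naming rule from the page: 4-35 alphanumerics, hyphens and underscores only.
GROUP_NAME_RE = re.compile(r"[A-Za-z0-9_-]{4,35}")
BROAD_PREFIX = 16  # assumed review threshold, not a CNP setting

# Constructed sample of a "New Source Hosts" entry (documentation address ranges).
SAMPLE = """192.0.2.10
198.51.100.0/24
203.0.113.5/24
10.0.0.1, 10.0.0.2
0.0.0.0
100.64.0.0/10
"""


def check_group_name(name):
    """Return True if the name satisfies the host group naming rule."""
    return GROUP_NAME_RE.fullmatch(name) is not None


def check_source_hosts(text):
    """Classify each non-empty line as 'ok', 'invalid', 'any-source' or 'broad'.

    Returns a list of (line_number, entry, verdict) tuples.
    """
    results = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=True rejects subnets with host bits set (203.0.113.5/24);
            # two addresses on one line also fail to parse.
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError:
            results.append((lineno, entry, "invalid"))
            continue
        if str(net.network_address) == "0.0.0.0" and net.prefixlen in (0, 32):
            verdict = "any-source"  # the page: 0.0.0.0 applies to all external hosts
        elif net.prefixlen < BROAD_PREFIX:
            verdict = "broad"  # wider than the assumed threshold; review first
        else:
            verdict = "ok"
        results.append((lineno, entry, verdict))
    return results
```

Entries marked `any-source` or `broad` are syntactically valid; they are surfaced so the approver sees how wide the source set is before the request is submitted.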
This is document bebg in the Knowledge Base.
Last modified on 2019-01-07 12:49:20.