Black Box EncrypTight Appliance Trim Kit User Manual


 
EncrypTight Deployment Planning
30 EncrypTight User Guide
Connecting Multiple ETKMSs in an IP Network
Figure 10 shows two external ETKMSs located on different IP networks. Both ETKMSs are used as
primary ETKMSs in a large, dispersed network.
When the ETKMSs are managed in-line, the communications path between the devices must pass through
one or more PEPs and potentially one or more firewalls. By default, the Layer 3 PEPs pass all TLS
traffic (port 443) in the clear. Be sure that the “Enable passing TLS traffic in the clear” feature is
enabled for all PEPs that must pass TLS traffic. Enable this feature from the ETEMS Appliance editor.
Figure 10 In-line management of ETKMSs located on different IP networks
ETKMS to ETKMS Connections in Ethernet Networks
For in-line management when the ETKMSs are on different Ethernet networks, make sure that the
“Enable passing TLS traffic in the clear” feature is enabled on the Layer 2 PEPs.
If you need to pass additional traffic in the clear, such as routing protocols, you can route the
management communications using out-of-band connections or put your management traffic on a separate
VLAN.
If you choose to put the management traffic on a separate VLAN, you will need to create a Layer 2
policy to pass the VLAN tag in the clear. To prevent an interruption in management traffic, set the
policy’s key renewal/lifetime to zero, which means “do not expire or update.”
With out-of-band management, the management traffic between the ETKMSs is routed over a separate
network path through the ISP. When the communications path passes through any firewalls, be sure to
configure the firewall to pass TLS traffic. Figure 11 shows an out-of-band management scenario with the
external ETKMS connecting to another external ETKMS, with Layer 2 PEPs encrypting Ethernet data.
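The following planning check is an added example, not Black Box software or any EncrypTight API: it walks a constructed model of the hops between two ETKMSs and reports the conditions described above that would break in-line management (a PEP not passing TLS in the clear, a firewall blocking port 443, a management VLAN policy missing or with a non-zero key lifetime). The record fields (layer, pass_tls_in_clear, mgmt_vlan, vlan_clear_policies, allowed_tcp_ports) are assumptions made for the model.

```python
"""Planning check for an in-line ETKMS-to-ETKMS management path (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Union

TLS_PORT = 443  # ETKMS management traffic is TLS on this port


@dataclass
class Pep:
    name: str
    layer: int                       # 2 or 3
    pass_tls_in_clear: bool          # "Enable passing TLS traffic in the clear"
    mgmt_vlan: Optional[int] = None  # VLAN carrying management traffic, if separate
    # Layer 2 pass-in-the-clear policies: VLAN tag -> key renewal/lifetime (0 = never expire)
    vlan_clear_policies: Dict[int, int] = field(default_factory=dict)


@dataclass
class Firewall:
    name: str
    allowed_tcp_ports: Set[int]


def check_inline_mgmt_path(hops: List[Union[Pep, Firewall]]) -> List[str]:
    """Return every problem on the path that would interrupt ETKMS-to-ETKMS management."""
    problems = []
    for hop in hops:
        if isinstance(hop, Firewall):
            if TLS_PORT not in hop.allowed_tcp_ports:
                problems.append(f"{hop.name}: firewall does not pass TLS (TCP {TLS_PORT})")
            continue
        if not hop.pass_tls_in_clear:
            problems.append(f"{hop.name}: 'Enable passing TLS traffic in the clear' is off")
        if hop.layer == 2 and hop.mgmt_vlan is not None:
            lifetime = hop.vlan_clear_policies.get(hop.mgmt_vlan)
            if lifetime is None:
                problems.append(f"{hop.name}: no Layer 2 policy passes VLAN {hop.mgmt_vlan} in the clear")
            elif lifetime != 0:
                problems.append(f"{hop.name}: VLAN {hop.mgmt_vlan} policy lifetime is {lifetime}; "
                                "set it to 0 so management traffic is not interrupted at key renewal")
    return problems


# Constructed sample: ETKMS-A -> Layer 3 PEP -> ISP firewall -> Layer 2 PEP (mgmt on VLAN 100) -> ETKMS-B
SAMPLE_PATH = [
    Pep("pep-site-a", layer=3, pass_tls_in_clear=True),
    Firewall("fw-isp-edge", allowed_tcp_ports={22, 80}),
    Pep("pep-site-b", layer=2, pass_tls_in_clear=False, mgmt_vlan=100, vlan_clear_policies={100: 3600}),
]

if __name__ == "__main__":
    for line in check_inline_mgmt_path(SAMPLE_PATH):
        print(line)
```

Run it against your own hop list before cutover; an empty result means every hop on the path satisfies the conditions in this section.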