Black Box ET0010A User Manual

EncrypTight Deployment Planning
EncrypTight User Guide
Connecting Multiple ETKMSs in an IP Network
Figure 10 shows two external ETKMSs located on different IP networks. Both ETKMSs are used as 
primary ETKMSs in a large, dispersed network.
When the ETKMSs are managed in-line, the communications path between the devices must pass through 
one or more PEPs and potentially one or more firewalls. By default, the Layer 3 PEPs pass all TLS 
traffic (port 443) in the clear. Be sure that the Enable passing TLS traffic in the clear feature is enabled 
for every PEP that must pass TLS traffic. Enable this feature from the ETEMS Appliance editor.
Figure 10: In-line management of ETKMSs located on different IP networks
ETKMS to ETKMS Connections in Ethernet Networks
For in-line management when the ETKMSs are on different Ethernet networks, make sure that the 
Enable passing TLS traffic in the clear feature is enabled on the Layer 2 PEPs.
If you need to pass additional traffic in the clear, such as routing protocols, you can route the 
management communications using out-of-band connections or put your management traffic on a separate 
VLAN. 
If you choose to put the management traffic on a separate VLAN, you will need to create a Layer 2 
policy to pass the VLAN tag in the clear. To prevent an interruption in management traffic, set the 
policy’s key renewal/lifetime to zero, which means “do not expire or update.”
With out-of-band management, the management traffic between the ETKMSs is routed over a separate 
network path through the ISP. When the communications path passes through any firewalls, be sure to 
configure the firewall to pass TLS traffic. 
 shows an out-of-band management scenario with the 
external ETKMS connecting to another external ETKMS, with Layer 2 PEPs encrypting Ethernet data.
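The in-line and out-of-band scenarios above each impose settings on every device in the ETKMS-to-ETKMS management path: PEPs must pass TLS in the clear, firewalls must permit port 443, and a management VLAN needs a Layer 2 clear policy whose lifetime is zero. The following audit is an added example (not code from the guide or the product); the device records, attribute names and sample path are constructed for illustration and are not the appliance's real configuration keys.

```python
"""Audit an ETKMS-to-ETKMS management path against the deployment rules above."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

TLS_PORT = 443  # the guide states PEPs pass TLS (port 443) in the clear by default


@dataclass
class Device:
    name: str
    kind: str                      # "pep_l2", "pep_l3" or "firewall" (assumed labels)
    pass_tls_clear: bool = True    # "Enable passing TLS traffic in the clear" on a PEP
    allowed_ports: Set[int] = field(default_factory=set)  # firewall: permitted TCP ports
    vlan_policy: Optional[dict] = None  # L2 PEP: {"vlan": int, "lifetime": int} if a mgmt VLAN is used


def audit_path(path: List[Device], mgmt_vlan: Optional[int] = None) -> List[str]:
    """Return one finding per setting that would interrupt ETKMS-to-ETKMS management."""
    findings = []
    for dev in path:
        # Any PEP on the path must pass TLS in the clear (in-line management)
        if dev.kind in ("pep_l2", "pep_l3") and not dev.pass_tls_clear:
            findings.append(f"{dev.name}: enable 'pass TLS traffic in the clear'")
        # Any firewall on the path (in-line or out-of-band through the ISP) must pass TLS
        if dev.kind == "firewall" and TLS_PORT not in dev.allowed_ports:
            findings.append(f"{dev.name}: firewall must permit TCP/{TLS_PORT}")
        # A management VLAN needs a Layer 2 clear policy that never expires
        if dev.kind == "pep_l2" and mgmt_vlan is not None:
            pol = dev.vlan_policy
            if pol is None or pol.get("vlan") != mgmt_vlan:
                findings.append(f"{dev.name}: no Layer 2 clear policy for VLAN {mgmt_vlan}")
            elif pol.get("lifetime", 0) != 0:
                findings.append(f"{dev.name}: VLAN {mgmt_vlan} policy lifetime must be 0 (never expire)")
    return findings


# Constructed sample path: ETKMS-A -> L3 PEP -> ISP firewall -> L2 PEP -> ETKMS-B
SAMPLE_PATH = [
    Device("pep-site-a", "pep_l3", pass_tls_clear=False),
    Device("fw-isp", "firewall", allowed_ports={22}),
    Device("pep-site-b", "pep_l2", vlan_policy={"vlan": 100, "lifetime": 3600}),
]

if __name__ == "__main__":
    for finding in audit_path(SAMPLE_PATH, mgmt_vlan=100):
        print(finding)
```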