NetPolicy Provisioner

User Guide
P/N D351008 R2

Important Notice

Important Notice
Allot Communications Ltd. ("Allot") is not a party to the purchase agreement under which NetEnforcer was purchased, and will not be liable for any damages of any kind whatsoever caused to the end users using this manual, regardless of the form of action, whether in contract, tort (including negligence), strict liability or otherwise. SPECIFICATIONS AND INFORMATION CONTAINED IN THIS MANUAL ARE FURNISHED FOR INFORMATIONAL USE ONLY, AND ARE SUBJECT TO CHANGE AT ANY TIME WITHOUT NOTICE, AND SHOULD NOT BE CONSTRUED AS A COMMITMENT BY ALLOT OR ANY OF ITS SUBSIDIARIES. ALLOT ASSUMES NO RESPONSIBILITY OR LIABILITY FOR ANY ERRORS OR INACCURACIES THAT MAY APPEAR IN THIS MANUAL, INCLUDING THE PRODUCTS AND SOFTWARE DESCRIBED IN IT. Please read the End User License Agreement and Warranty Certificate provided with this product before using the product. Please note that using the products indicates that you accept the terms of the End User License Agreement and Warranty Certificate. WITHOUT DEROGATING IN ANY WAY FROM THE AFORESAID, ALLOT WILL NOT BE LIABLE FOR ANY SPECIAL, EXEMPLARY, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND, REGARDLESS OF THE FORM OF ACTION WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, INCLUDING, BUT NOT LIMITED TO, LOSS OF REVENUE OR ANTICIPATED PROFITS, OR LOST BUSINESS, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Copyright
Copyright 1997-2010 Allot Communications. All rights reserved. No part of this document may be reproduced, photocopied, stored on a retrieval system, transmitted, or translated into any other language without a written permission and specific authorization from Allot Communications Ltd.

Trademarks
Products and corporate names appearing in this manual may or may not be registered trademarks or copyrights of their respective companies, and are used only for identification or explanation and to the owners' benefit, without intent to infringe. Allot and the Allot Communications logo are registered trademarks of Allot Communications Ltd. NOTE: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense. Changes or modifications not expressly approved by Allot Communication Ltd. could void the user's authority to operate the equipment.

NPP User Guide

iii

Important Notice

Version History
Doc Version
v2b1

Product
NPP

Date
26.04.10

iv

NPP User Guide

Table of Contents
Important Notice .......................................................................................................................... iii Table of Contents ........................................................................................................................... v Table of Figures .............................................................................................................................vi

CHAPTER 1: INTRODUCTION ......................................................................... 1-1

NetPolicy Provisioner................................................................................................................. 1-1 Deploying NPP ............................................................................................................................ 1-2 Enabling NPP ............................................................................................................................. 1-3

CHAPTER 2: NPP AND NETXPLORER........................................................... 2-1

Configuring Accounts in NetXplorer ....................................................................................... 2-1 Customizing the Header ............................................................................................................ 2-4

CHAPTER 3: NPP AND THE END USER ........................................................ 3-1

Logging in to NPP ...................................................................................................................... 3-1 Pipes and Virtual Channels....................................................................................................... 3-2 VCs in NPP ................................................................................................................................. 3-2 Adding and Defining Hosts........................................................................................................ 3-4 Deleting Hosts and VCs ............................................................................................................. 3-5 User Statistics and Graphs ........................................................................................................ 3-6

NPP User Guide

Table of Figures
Figure 1-1: Network Diagram ...................................................................................................... 1-2 Figure 1-2: NetXplorer Application Server Registration Dialog ................................................. 1-3 Figure 2-1: NetXplorer Navigation Pane NPP Accounts .......................................................... 2-1 Figure 2-2: Account Properties New Account, General tab ...................................................... 2-2 Figure 2-3: Account Properties New Account Dialog, Pipes Tab............................................. 2-2 Figure 2-4: Account Properties New Account Dialog, Users Tab ............................................ 2-3 Figure 2-5: Add User dialog......................................................................................................... 2-3 Figure 2-6: Account Properties New Account Dialog, Environment Tab ................................ 2-4 Figure 2-7: Account Properties dialog box .................................................................................. 2-5 Figure 3-1: NPP Login Screen ..................................................................................................... 3-1 Figure 3-2: NPP Account Pipes Page ........................................................................................... 3-2 Figure 3-3: NPP Virtual Channels in Pipe Page........................................................................... 3-3 Figure 3-4: NPP Insert Virtual Channels Page ............................................................................. 3-3 Figure 3-5: NPP Add Hosts Page ................................................................................................. 3-5 Figure 3-6: Delete Hosts Page ...................................................................................................... 3-5 Figure 3-7: Delete Virtual Channel Dialog .................................................................................. 3-5 Figure 3-8: NPP Main Screen ...................................................................................................... 3-6 Figure 3-9: NPP VC Statistics Graph ........................................................................................... 3-7

vi

NPP User Guide

Chapter 1: Introduction
NetPolicy Provisioner
NetPolicy Provisioner (NPP) enables ISPs to quickly and easily define Accounts that enable their customers (the end users) to monitor and provision their traffic and their network's current behavior. Typically, when ISP customers (the end users) acquire bandwidth from ISPs, the bandwidth allocation is represented in the NetEnforcer/NetXplorer of the ISP as a Pipe or Virtual Channel. When customers want to monitor the traffic passing through their Pipe or Virtual Channel, NPP enables them to do this. Using the NPP interface, the service provider defines a view, which allows the monitoring and management of the traffic on Pipe or Virtual Channel. When defining an end users level of access, the NetXplorer administrator selects the view relevant to that customer, and then the end user will be given access to this data only. Using the NPP interface, the user defines a view, which allows monitoring and managing the traffic on his Pipe or Virtual Channel. When defining a view, the NetXplorer administrator selects the Pipe or Virtual Channel per user, and then the end user will be given access to this data. End users can access the view (or views) assigned to them by browsing to a unique URL. This URL is automatically created by NPP and designates an HTML index file from which a customer can access his views. After entering a user name and password, customers can also view the monitoring graphs of their Pipe or Virtual Channel, and obtain relevant and current traffic usage data. Allots NPP provides separate interfaces to manage the following aspects of Network management: ISP Administrator functions in the NetXplorer GUI End user Web interface and features

NPP User Guide

1-1

Figure 1-1: Network Diagram Wholesale bandwidth providers are interested in providing visibility and control for their own end-user/customers. Wholesale customers are interested to provide the following capabilities for their customers: Monitor and generate reports about their bandwidth usage Add and manage Virtual Channels inside their Pipe

Such services may be used as a differentiator and be provided free of charge to End Users or be charged as extra payment.

Deploying NPP
NPP may be deployed on the same server as NetXplorer or on a dedicated server. NPP is installed by default along with NetXplorer on the same server, but its functionality will not be enabled without the appropriate License key. Once installed and activated (by License key), a URL is automatically created by the NPP (http://<NPP-IP>/npp) and an HTML index file is created from which the end user can access their views. After logging in by entering a user name and password, end-users/customers with accounts properly configured by their ISP can view the monitoring graphs of their Pipe or Virtual Channel, and obtain relevant and current traffic usage data.
NOTE For information concerning installing NPP on a Windows or Linux Server, see the NetXplorer Installation Guide.

1-2

NPP User Guide

Enabling NPP
In order to be used, the NPP functionality must be enabled by entering the appropriate key in NetXplorer. This key may be entered at installation or at any time following. For more information concerning the NetXplorer Server contact Allot Customer Support at support@allot.com.
NOTE For information concerning installing NPP on a Windows or Linux Server, see the NetXplorer Installation Guide.

To enable NPP:
1.

Select Tools > NetXplorer Application Server Registration from the NetXplorer Menu bar. The NetXplorer Application Server Registration dialog box appears.

Figure 1-2: NetXplorer Application Server Registration Dialog

NPP User Guide

1-3

2. Enter the Registration Key and Serial Number which includes NPP

functionality provided by Allot to enable the NPP.

3. An Expiration Date will be generated automatically after clicking

Save.
4. Confirm that NPP is now listed as Enabled. The maximum number

of NPP Accounts is listed in the Server Registration.

1-4

NPP User Guide

Chapter 2: NPP and NetXplorer

Configuring Accounts in NetXplorer
Before using NPP, Accounts must be configured and individual users must be created and assigned to these Accounts. These users may then access their Accounts (on the NPP) using any web browser. To add an account:
1.

In the lower portion of the Navigation pane, click NPP Accounts.

Figure 2-1: NetXplorer Navigation Pane NPP Accounts

2.

In the Navigation pane, right-click the Accounts icon in the Navigation tree and select New Account from the popup menu. OR Select the Accounts icon in the Navigation tree and then select New Account from the Actions menu. OR Double-click the Accounts icon in the Navigation tree to open the Accounts Catalog. Right-click in the Accounts Catalog and select New Account from the popup menu. The Account Properties - New Account dialog is displayed.

NPP User Guide

2-1

Figure 2-2: Account Properties New Account, General tab

3.

In the General tab, make sure that the Enabled check box is selected to activate the account. Enter a name, description and email address for the account.

Figure 2-3: Account Properties New Account Dialog, Pipes Tab

4.

In the Pipes tab, select those Pipes that the users in this account will be able to have access to, and using the arrow keys move them from the Available Pipes list, to the Selected Pipes list. Only regular Pipes may be assigned to an NPP Account. No Pipes that were created by a Pipe Template or by a Service Plan may be managed via NPP. In addition, the following restrictions apply to VCs in Pipes assigned to an NPP Account:

No Host Catalog entry can be defined in the Internal Host field of the VC. A Host Catalog entry may be defined in the External Host field of the VC, but the end user will not be able to see or edit it. Any VC Templates or VCs with multiple rules in a Pipe will not be able to be edited by the NPP user, therefore it is recommended they not be used in Pipes assigned to NPP Accounts.

2-2

NPP User Guide

If a VC Template is assigned to the Pipe despite the fact that it cannot be edited by the end user, the number of instances should not be higher than the Maximum Allowed Number of Virtual Channels per Pipe, as defined in the Environment tab. In the Users tab, create users who will have access to the Account. Click Add to open the Add User dialog.

5.

Figure 2-4: Account Properties New Account Dialog, Users Tab

6.

Enter all information into the dialog and click OK. This will assign the new user to the Account. When this user logs into NPP from a web browser, this is the Account he will access.

Figure 2-5: Add User dialog

NPP User Guide

2-3

7.

In the Environment tab, define the maximum number of Virtual Channels that may be defined in each Pipe in this account.

Figure 2-6: Account Properties New Account Dialog, Environment Tab

8.

Click Save. The account is added to the Navigation tree and may be accessed by assigned users via NPP.
The Most Active External Hosts and Most Active Conversations graphs are only available if a Pipe is on a NetEnforcer series AC-400 or AC800.

NOTE

Customizing the Header

It is possible to set a custom header that the end user will see when they open their NPP Account.
NOTE Graphics used for the header should be stored as .jpg or .png files.

To customize the NPP Header

1.

Create a new folder under the following path on the NPP server:

NPP installed with NetXplorer (Windows)

C:\Allot\netxplorer\jboss-4.0.5\server\allot.

Remote NPP (Windows)

C:\Allot\npp\netxplorer\jboss-4.0.5\server\allot.

NPP installed with NetXplorer (Linux)

/opt/allot/netxplorer/jboss-4.0.5/server/allot.

Remote NPP (Linux)

/opt/allot/npp/netxplorer/jboss-4.0.5/server/allot.

2-4

NPP User Guide

2. 3. 4. 5.

Place the graphic file(s) you wish to use as the NPP logo that the end user sees in the new folder. Open NetXplorer and go to NPP Accounts in the Navigation Pane. Right click Accounts and select Properties from the drop down menu. The Accounts Properties dialog appears.

Figure 2-7: Account Properties dialog box

6. 7. 8.

Enter the URL you wish the header to open when clicked (optional). Enter the folder and file name for the graphics you wish to you use on the left side, center and right side of the header. Click OK to save the changes.

NPP User Guide

2-5

Chapter 3: NPP and the End User

Logging in to NPP
To login to NPP:
1. Log into NPP from any web browser at https://<IP ADDRESS>/npp, using

the IP Address you were given by your ISP.

Figure 3-1: NPP Login Screen

2. Login using your user name and password, which has already been

defined by the ISP in NetXplorer. The Account assigned to you by the ISP will open automatically.
3. After you successfully log into your Account, the main screen is

presented. The main screen presents the Pipes included in the Account, and allows you to either work with the VCs in the Pipes or generate monitoring graphs.

NPP User Guide

3-1

Figure 3-2: NPP Account Pipes Page An NPP Account user can configure and select the following items in the Accounts Pipe window: Virtual Channels Report time parameters Graph report types

Pipes and Virtual Channels

A Pipe provides a way of classifying traffic that enables you to divide the total bandwidth used by your account and then manage every Pipe as if it were an independent link. A Pipe can aggregate several Virtual Channels (VCs), acting like a container of Virtual Channels. When a new Pipe is assigned to your Account by your ISP, it always includes at least one Virtual Channel, the Fallback Virtual Channel. Individual Virtual Channels may be created in any Pipe assigned to the Account via NPP and typically are assigned to a specific Service (protocol or application), time of day, or Quality of Service.

VCs in NPP
Pipes are added to an Account by the ISP. Once your Account has been configured to access a certain Pipe, you can then create, delete and manage Virtual Channels in that Pipe.

3-2

NPP User Guide

To create and configure a New VC:

1.

After logging into NPP, click on the Virtual Channels link alongside the appropriate Account Pipe name. The Virtual Channels in Pipe screen is displayed.

Figure 3-3: NPP Virtual Channels in Pipe Page

2.

Click Insert, and the Insert Virtual Channel screen will appear.

Figure 3-4: NPP Insert Virtual Channels Page

3. 4.

Type in the Name of the new VC. Add and apply (or Delete) Hosts to (from) the VC account. Hosts are other computers or servers, and may be machines on your network or websites. Select a Service (From the list predefined by the ISP) whose traffic will be directed to this VC. A Service may be an application, such as Facebook, or an internet protocol, such as HTTP. Select a Time (From the list predefined by the ISP) when traffic will be directed to this VC. Choose an Access option (From the list predefined by the ISP). This typically determines if traffic that goes to this VC is accepted, dropped or rejected.

5.

6. 7.

NPP User Guide

3-3

8.

Select a Quality of Service (which has been named and configured by the ISP in advance) that will be applied to traffic in this VC. QoS typically defines the priority or bandwidth allowed to the VC. You can contact your ISP and have them name and configure a QoS catalog entry so that it appears in the Insert VC page.

NOTE

The list of QoS entries includes all QoS entries that have been configured on the system for all users, not only those you have requested.

9.

After you have chosen all your VC parameters, click Save to update the NPP Account configuration with the new VC.

You may edit or delete a VC in the Account Pipe, or insert and define additional VCs using the appropriate Edit and Delete links in the Virtual Channels in Pipe page.

Adding and Defining Hosts

You may define hosts to be assigned to the VCs that you create.
NOTE Ensure that IP addresses, address ranges and/or subnets have been configured and registered by the ISP before you start defining hosts.

Although you Add or Delete hosts in the Insert Virtual Channel page accessed from the Virtual Channels in Pipe page before preparing a report, you should add and define the host(s) you wish to choose from the Host drop-down list in the Insert Virtual Channel page To add and configure a new host:
1.

After logging into NPP, click on the Virtual Channel link alongside the appropriate Account Pipe name. The Virtual Channels in Pipe is displayed. subnet), click on the Add Host link in the Insert/Edit Virtual Channels page. The Add Hosts screen is displayed.

2. To add and define host(s) or their respective IP address (range or

3. Choose the required radio button option and type in the appropriate

name or IPs.
4. Click Apply to update the Host to the VC.

3-4

NPP User Guide

Figure 3-5: NPP Add Hosts Page

5. Click Close to update the Host drop-down list available in the

Insert Virtual Channels page and close the page.

Deleting Hosts and VCs

You can delete hosts from the Virtual Channels page To delete a host:
6. Click on the Delete Host link in the Virtual Channels page. The

Delete Hosts page is displayed.

7. Select the Host you wish to delete and click Delete. The host

details will be deleted from the list.

Figure 3-6: Delete Hosts Page VCs may be deleted from a Pipe on the Virtual Channels in Pipe page. To delete a VC:
1.

Select the VC to be deleted in the Virtual Channels in Pipe page and click the Delete link. A confirmation dialog is displayed.

Figure 3-7: Delete Virtual Channel Dialog

NPP User Guide 3-5

2. Click OK and the VC details will be deleted from the page.

User Statistics and Graphs

You may generate Graphs on any of the Pipes in your Account by selecting the graph name from the drop down Graphs menu in the Account Pipes page, and on VCs from the drop down Graphs menu in the Virtual Channels page. To see Graphs on your entire Account, select the graph name from the drop down Graphs menu next to All Pipes.

Figure 3-8: NPP Main Screen The following graphs are available: Statistics - displays the bandwidth consumed by the Pipe or Virtual Channel. Virtual Channel Distribution (available on the Pipe level only) indicates how the traffic on the Pipe is split between the Virtual Channels. Most Active Virtual Channels displays those Virtual Channels that are handling the most traffic. Most Active Protocols - displays those services, applications or protocols which you are using the most. Most Active Hosts - displays those hosts which are using the most traffic. Most Active Internal Hosts displays those hosts on your own network which are using the most traffic. Most Active External Hosts - displays those hosts outside of your network which are using the most traffic (Not available to all Accounts. Contact your ISP for more information).

3-6

NPP User Guide

Most Active Conversations - displays the individual connections that are using the most bandwidth (Not available to all Accounts. Contact your ISP for more information). In Packet Statistics - displays the bandwidth consumed by incoming packets. Out Packet Statistics - displays the bandwidth consumed by outgoing packets.

You may select the time range for the graph by clicking the appropriate link in the Graphs field (Mn, Hr, Dy, Wk, Mo or 6 Mo).

Figure 3-9: NPP VC Statistics Graph

NPP User Guide

3-7