Gauntlet System
Gauntlet Dial-up Gateway
Gauntlet IP Gateway—RuggedCom Router RX1100
Gauntlet VPC Client or Virtual Polling Controller
Gauntlet CCC Server or Command and Control Center


Gauntlet System

What is Gauntlet? The Teltone Gauntlet system provides secure IP, Dial-up and Serial-over-IP access to substation IEDs and other critical cyber assets, as well as economical and efficient phone line sharing. Gauntlet is comprised of four interrelated components:

How does Gauntlet help power utilities meet NERC cyber security requirements? Gauntlet enables compliance with the latest NERC Critical Infrastructure Protection (CIP 002-009) standards by incorporating such key elements as user authorization, strong passwords, access records and logs, comprehensive reports, and electronic security perimeter access protection. To ensure compliance with future security and regulatory requirements, all Gauntlet components are remotely upgradeable. Teltone Gauntlet NERC compliance information.

Does the Gauntlet system affect routine access to substation IEDs? Is it compatible with my communications software? Gauntlet has little or no impact on IED access and communications. Authentication handshaking between a Gauntlet VPC Client and Gateway or Router may add a few seconds to the overall access time compared to accessing a device directly.

In-house and field testing with many common communications applications has demonstrated excellent compatibility; the Gauntlet VPC Client can be used without modifications to your existing software.

How does Gauntlet prevent hackers from eavesdropping on the authentication process between the Dial-up Gateway and Gauntlet VPC Client or Gauntlet CCC Server? Gauntlet employs a rolling code method (several billions of combinations) so that each authentication between the Gateway and the Gauntlet VPC Client or Gauntlet CCC Server is unique.

How does Gauntlet prevent hackers from eavesdropping or spoofing the authentication between the IP Gateway and Gauntlet VPC Client or Gauntlet CCC Server? Gauntlet utilizes SPA/Port knocking, thereby exposing no open ports to the network and preventing detection by port scanning systems. Gauntlet also employs a rolling code authentication method (several billions of combinations) so that each authentication between the Router and the Gauntlet VPC Client or Gauntlet CCC Server is unique.

What are the two-factor authentication capabilities of Gauntlet? Gauntlet uses two-factor authentication:

  • What you have (encrypted digital Security Package)
  • What you know (user name and password).
The Security Package is specific to each user and contains device authorizations for that one user. The Security Package is encrypted using AES and signed using a proprietary signature method. All Security Packages have an expiration, which is set by the CCC Server administrator.

Gauntlet supports both Windows Authentication and Gauntlet (forms-based) Authentication for Gauntlet Users. The authentication type is set on a user-by-user basis by the CCC Server administrator. Users must be set to use one method or the other – the same user cannot be configured to support both types of authentication.
  • For Windows Authentication, Gauntlet ties into Active Directory at the CCC Server as a conduit. Users must be connected to the AD Domain to be authenticated as a valid Windows user and be provided a Security Package based on the Windows credentials.
  • Once the Security Package has been obtained, the user can be disconnected (untethered) from the AD domain so long as the Security Package remains valid (e.g. unexpired, etc.).
  • To access the VPC Client, users must log into Windows, and those credentials are then used to decrypt the Security Package. The strength of the user password is controlled by the Active Directory administrator.
  • For Gauntlet Authentication, users must log in to the VPC Client directly. Users are presented with a VPC login page where they must provide a valid Gauntlet user name and password. These credentials are matched to the decrypted Security Package.
To get a new Security Package, the user enters the Gauntlet user name and password and requests a new Security Package from the CCC Server. The connection between VPC and CCC is secured using SSL/HTTPS. Once the CCC Server has authenticated the user, it provides an encrypted Security Package specific to that user.

What is a Security Package? The Security Package is a digital certificate that contains username and password, gateway properties, lifetime properties, machine ID, and authorizations. The certificate is encrypted using AES encryption and is signed.

What management features are provided by the Gauntlet system? Teltone recognizes the importance of equipping a security system with powerful, user-friendly management features. The Gauntlet system includes:

  • On-demand or scheduled collection of call logs from all Dial-up and IP Gateways.
  • On-demand or scheduled passkey updates for all Gateways.
  • On-demand updates of Gateway firmware.
  • Automatic collection of Gauntlet VPC Client user logs when Security Packages are downloaded.
  • The Gauntlet CCC Server sends an email notification to the primary administrator if Gateways cannot be accessed after a predefined number of attempts (may indicate a down connection or a non-operative Gateway).

Can Gauntlet provide security protection in the reverse direction (IED calling out to data center)? No. User authentication is performed only on calls or connections into the substation, in order to protect IEDs and other devices. (“Inbound” – towards the data center – protection is not required by the NERC CIP standard.) Note that communication originating in the substation and sent via the Gauntlet Dial-up and IP Gateways is logged and is available in Gauntlet reports.

The firewall rules of the IP Gateway can be configured to control traffic leaving the substation as shown below. However, this traffic is not controlled or authenticated by Gauntlet.

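Shorewall Policy

| Source | Destination | Policy |
|---|---|---|
| fw | all | ACCEPT |
| loc | net | ACCEPT |
| all | all | DROP |

Shorewall Rules

| Action | Source | Destination | Protocol | Port |
|---|---|---|---|---|
| ACCEPT | net | fw | udp | 20000 |
| ACCEPT | net | fw | udp | 30000 |
| Gauntlet | net | loc | all | |
| Gauntlet | net | fw | tcp | 10000 |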

Does the Dial-up Gateway have an alarm feature and how does it help to deter hacker attacks? The Dial-up Gateway Lockout feature provides protection against attacks such as repeated “brute force” attempts, dictionary attacks, DoS (Denial of Service) attacks and others.

When the Dial-up Gateway cannot authenticate successive call attempts (definable up to 10), it suspends all access to secure ports and functions for up to 60 minutes. No indication of the Lockout state is presented to the unauthorized caller. Lockout can be disabled by the Gauntlet CCC Server administrator if desired.
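The Lockout behaviour described above can be modelled as a small state machine. This is an added example, not Teltone code: the class and function names, the threshold of 3 and the log strings are assumptions; only the limits (up to 10 attempts, up to 60 minutes), the administrator's disable switch and the silent refusal come from the text above.

```python
from dataclasses import dataclass, field

MAX_THRESHOLD = 10        # page: failed-attempt limit is definable up to 10
MAX_LOCKOUT_MINUTES = 60  # page: access is suspended for up to 60 minutes


@dataclass
class LockoutGuard:
    threshold: int = 3            # assumed value chosen by the administrator
    lockout_minutes: int = 60
    enabled: bool = True          # page: Lockout can be disabled by the administrator
    failures: int = 0
    locked_until: float = 0.0     # seconds on the unit's clock; 0 means not locked
    log: list = field(default_factory=list)

    def __post_init__(self):
        if not 1 <= self.threshold <= MAX_THRESHOLD:
            raise ValueError("threshold must be between 1 and 10")
        if not 1 <= self.lockout_minutes <= MAX_LOCKOUT_MINUTES:
            raise ValueError("lockout must be between 1 and 60 minutes")

    def attempt(self, authenticated: bool, now: float) -> str:
        """Process one call to a secure port and return what the caller observes."""
        if self.enabled and now < self.locked_until:
            # During Lockout even a correct credential is refused, and the
            # caller sees the same "denied" as for any other failed attempt.
            self.log.append((now, "rejected: unit in Lockout"))
            return "denied"
        if authenticated:
            self.failures = 0     # only successive failures count
            self.log.append((now, "authenticated"))
            return "granted"
        self.failures += 1
        self.log.append((now, "not authenticated"))
        if self.enabled and self.failures >= self.threshold:
            self.locked_until = now + self.lockout_minutes * 60
            self.failures = 0
        return "denied"


def replay(guard, calls):
    """Feed (time_in_seconds, authenticated) pairs through the guard."""
    return [guard.attempt(ok, t) for t, ok in calls]


# Constructed sample: three bad calls, then a valid user calling during
# the Lockout window and again once it has expired.
SAMPLE_CALLS = [(0, False), (20, False), (40, False), (60, True), (40 + 3600, True)]

if __name__ == "__main__":
    guard = LockoutGuard(threshold=3)
    print(replay(guard, SAMPLE_CALLS))
    for entry in guard.log:
        print(entry)
```

The fourth call in the sample shows the operational cost of the feature: a legitimate user is refused while the unit is locked out, which is why the unit's log and alarm outputs need to be monitored.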

In addition, the Dial-up Gateway provides relay contact closure and a visual indication (front panel alarm LED) under the following conditions:

  • No power to unit: relay contact closure only, front panel alarm LED is off
  • Unit internal self-test failure: defective unit
  • Port privacy time-out: IED off-hook exceeding 30 seconds without dialing

Can the Gateway call out to the Gauntlet CCC Server in the event of a lockout condition? The Dial-up Gateway cannot provide direct notification in the event of a lockout. However, alarm indication is given via status LED and relay, which can be monitored remotely utilizing SCADA or other technology. Alternatively, the Gauntlet CCC Server can be set up to status check all deployed Gateways on a routine basis.

Is Gauntlet compatible with remote client applications such as Citrix or Microsoft Terminal Server? Both environments may be supported in a future version of Gauntlet which can utilize multiple modems.

Gauntlet Dial-up Gateway

How does the Gauntlet Dial-up Gateway compare to the SLSS? The Dial-up Gateway is based on the SLSS platform and preserves many of its capabilities, as shown below:

| Features | Gateway | SLSS |
|---|---|---|
| Standard (non-secured) port access | Using Polling Controller, standalone or Gauntlet VPC Client | Using Polling Controller, standalone or Gauntlet VPC Client |
| Secure port access | Passkey* protected – accessible by Gauntlet VPC Client only | Not supported |
| Remote security programming access | Passkey* protected – accessible by Gauntlet CCC Server only | Not supported |
| Remote basic programming access | Password or Passkey* protected | Password protected |
| Remote Aux Relay access | Password or Passkey* protected | Password protected |
| Daisy-chaining with multiple units | Two 8-port units for 15 ports | Two 8-port units for 15 ports or four 4-port units for 13 ports |
| Post Call Routing & Post Answer Transfer (Port Transfer) | No transfer from non-secure to secure port – for security reasons | Full support |
| Lockout feature to deter hacking | Programmable | Not supported |
| Call Logging | For upload to the Gauntlet CCC Server | Not supported |
| Clock and calendar | Synchronized with the Gauntlet CCC Server | Not supported |
| Firmware upgrade | Remotely by the Gauntlet CCC Server | Not supported |
| Built-in V.90 modem for high speed access by the Server | Yes | Not supported |
| Front-panel LED indicators | Enhanced | Standard |
| Substation-hardened design** | Yes | Yes |

* Functions that are passkey protected can only be accessed by the Server or Client
** Including powering (wide-range DC or AC), rack mounting, and IEEE C37.90 Surge Withstand Capabilities

Can any Dial-up Gateway port be protected from unauthorized access? Yes. Any port can be programmed by the Gauntlet CCC Server to require security authentication before granting access. However, it is recommended that Port 1 not be used for connection to an IED classified as a critical cyber asset. Port 1 is typically used for connection to a substation telephone and is physically cut through to the phone line by the Gateway during power loss.

What is the difference between “password” and “passkey” protection for the Dial-up Gateway?

 

| | Passkey (Gateway) | Password (Gateway & SLSS) |
|---|---|---|
| Number of digits | 12 digits | 3 to 8 digits |
| Transmission format | Hashed DTMF with randomization | Plain DTMF |
| Can be detected by eavesdropping | No | Yes |
| Can be entered manually | No – only as part of the authentication process with the Gauntlet CCC Server & Gauntlet VPC Client | Yes – using a DTMF telephone set |
| Generated & assigned by | Automatically by the Gauntlet CCC Server | Manually by User |
| Use to protect access of | Functions (Programming & Aux Relay) and Ports | Functions (Programming & Aux Relay) |

What is the difference between a “security-ready” and a “security-enabled” Gateway?

  • Security-enabled: Once configured via the Gauntlet CCC Server, a security-enabled Gateway allows authorized Gauntlet VPC Client users to access devices connected to its secured serial ports (unsecured port access is unrestricted). NOTE: As of July 1, 2007, only the Security-enabled Gateway (model -12) is available.
  • Security-ready (discontinued model): A security-ready Gateway must be upgraded to security-enabled status before it can be configured by the Gauntlet CCC Server and its ports secured. This is done by purchasing an activation code, which is then programmed into the Gateway via the Gauntlet CCC Server.

Is it possible to remotely query a Dial-up Gateway to determine security-ready or security-enabled status? Yes. While in Basic Programming mode (remotely accessed with correct password), the user issues a command, and then listens to the audio response. Refer to the Gauntlet Gateway manual for details.

Can my SLSS units be upgraded to Dial-up Gateways? Yes. Existing SLSS units can be returned to Teltone for upgrading. The upgrade (order number M-SECURE) only applies to SLSS units in working order returned to Teltone using the RMA process. Defective, out-of-warranty units will incur standard repair cost. Contact Teltone or a sales representative for ordering information.

How does Dial-up Gateway programming and configuration differ from the SLSS? In addition to supporting standard, programmable SLSS features (“Basic Programming”), the Gateway supports a new set of security features (“Security Programming”), such as setting passkeys for ports and functions. Details are listed below:

| Programming Functions | Access Methods | Access Protection | Accessible By |
|---|---|---|---|
| SLSS Basic Programming | Local | Physical and/or Password | Local Users |
| SLSS Basic Programming | Remote | Password | Remote Users |
| Gateway Basic Programming | Local | Physical and/or Password | Local Users |
| Gateway Basic Programming | Remote | Password | Remote Users |
| Gateway Basic Programming | Remote | Passkey | Gauntlet CCC Server* |
| Security Programming | Remote | Passkey | Gauntlet CCC Server |

* Supported in Gauntlet 1.1 and higher
Shaded areas apply to the Gateway only.

How does the Dial-up Gateway front panel differ from the SLSS? The Gateway adds three front panel status indicators:

  • Port LED short blink every 5 seconds: Port is secure (passkey protected) and is in idle (IED is on-hook).
  • Port LED short blink every 1.25 seconds: Lockout has been invoked.
  • Rippling through all 8 LEDs: Unit is in remote programming mode.

What call records are captured and stored in a Dial-up Gateway? The Gateway logs each call, generating a detailed call record which includes the following information:

  • Call start time: generated by the internal clock, in UTC (Coordinated Universal Time) time zone independent format.
  • Call direction: inbound (from calling users and Gauntlet CCC Server) or outbound (from substation IEDs).
  • Call status: call to/from port number (1 to 8) or to function (Programming or Aux Relay); call to non-secure port that was either answered or not; call to secure port that was either authenticated, answered, while the unit was in Lockout, or not.
  • Call duration: in minutes, up to 4 hours and 15 minutes.
  • Clock status: whether the clock has been initialized to default value or has been set by the Gauntlet CCC Server. This allows the Server to adjust the start time of those call records the Gateway gathered prior to its clock being synchronized by the Server.

How many call log records can be stored? Over 5000 call records can be stored in the Dial-up Gateway non-volatile memory. Over-limit call records will overwrite the oldest records. Following a successful upload, the Gauntlet CCC Server clears the Gateway call record memory.

Is call logging available on security-ready Dial-up Gateways? Yes. Call logging is active on security-ready units; the last 5000+ records are retained. Records can be retrieved by the Gauntlet CCC Server only after the Gateway has been upgraded to security-enabled status. (Note that the security-ready Gateway, model -02, has been discontinued.)

How does the Dial-up Gateway keep track of time for the purpose of call logging? The Gateway internal clock/calendar is protected against power loss for a minimum of 24 hours. On startup following extended power loss, the clock is initialized to a pre-defined date, time and increment from the default, until set to “real” time by the Server. Call records with “non-real” start time are flagged. This allows the Server to adjust the time by the difference between “real” time and the time read from the Gateway prior to synchronization. In this way, all calls will display accurate time.

I replaced an in-service Dial-up Gateway with a spare, but it can’t be accessed by the Gauntlet CCC Server. Why? It is likely that the replacement Gateway was once an in-service unit at another location. As such, the Gauntlet CCC Server does not have the correct passkey and/or transfer code to access this unit. In this situation, the Gateway can first be reset to default via local programming access (see Gauntlet Dial-up Gateway manual for procedure). This operation is safeguarded by the requirements of physical connection and the valid unit serial number.

Where can I find the Dial-up Gateway serial number? The serial number is printed on the product ID label attached to the unit back panel.

Gauntlet IP Gateway — RuggedCom Router RX1100

Can the Gauntlet IP Gateway or RuggedCom Router RX1100 support both secure and non-secure devices? It is inadvisable from a security standpoint, as well as a violation of NERC CIP standards, to host both secure and non-secure devices on the same network. If support for non-secure devices is required, the secure and non-secure devices should be supported by separate physical or virtual networks with no interconnections.

The RuggedCom RX1100 integrated router/firewall/VPN supports Virtual Local Area Networks (VLANs). However, the Gauntlet system defines and controls only those devices on the secure VLAN. For ultimate security, secure and non-secure devices should be supported by separate physical LANs.

Visit the RuggedCom website for more information about the RuggedCom RX1100 Router: www.ruggedcomgauntlet.com

How does the RuggedCom Router RX1100 differ from the RuggedCom RX1000 Router? The RuggedCom RX1000 integrated router/firewall/VPN is the base platform on which the RuggedCom Router RX1100 is built. The RuggedCom RX1100 uses the same hardware as the RX1000, but includes Gauntlet authentication software to provide NERC CIP compliance and integration with other Gauntlet components, as well as other software enhancements.

Visit the RuggedCom website for more information about the RuggedCom RX1000 Router: www.ruggedcomgauntlet.com

Which ports on the RuggedCom Router RX1100 are open to the Internet? The RuggedCom Router RX1100 exposes no open ports to the Internet. One port, designated by the Gauntlet CCC Server administrator, is always listening (passively) for a specially coded message and will respond to no other. Once the encoded message is received, a port is opened to complete the secure authentication with the sender.

What is the method used to secure devices behind a RuggedCom Router RX1100? The method used is a request/challenge/authentication sequence. A RuggedCom Router RX1100 will only respond to a request if a correct request is made – incorrect requests are logged and ignored. Correct requests are challenged; a valid response based on a Security Package downloaded from Gauntlet CCC Server by the Gauntlet VPC Client must be seen to gain access to a device. Invalid responses are logged and ignored.
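The request/challenge/authentication sequence above, together with the single passive listening port and the rolling code described in the earlier answers, is shown in code below. This is an added example, not Gauntlet's proprietary protocol: HMAC-SHA256, the per-user counter, the packet layout and all names are assumptions chosen to show the properties the text claims (no reply to incorrect requests, a unique exchange each time, failures logged and ignored).

```python
import hashlib
import hmac
import secrets
import struct


def _mac(key, label, *parts):
    """HMAC-SHA256 over a label and length-prefixed fields (assumed construction)."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(struct.pack(">H", len(p)) + p)
    return h.digest()


class Client:
    """Stands in for a VPC Client holding a passkey from its Security Package."""

    def __init__(self, user, passkey):
        self.user = user.encode()
        self.passkey = passkey
        self.counter = 0

    def request(self):
        # Rolling element: the counter advances on every attempt, so no two
        # request packets from this client are ever identical.
        self.counter += 1
        ctr = struct.pack(">Q", self.counter)
        return ctr + _mac(self.passkey, b"request", self.user, ctr) + self.user

    def respond(self, challenge):
        ctr = struct.pack(">Q", self.counter)
        return _mac(self.passkey, b"response", self.user, ctr, challenge)


class Gateway:
    """Stands in for the IP Gateway: silent unless the request is correct."""

    def __init__(self, passkeys):
        self.passkeys = passkeys   # user name -> passkey bytes
        self.last_counter = {}     # user -> highest counter already accepted
        self.pending = {}          # user -> (counter, challenge) awaiting response
        self.log = []

    def on_request(self, packet):
        """Return a fresh challenge for a correct request, else None (no reply)."""
        if len(packet) <= 40:      # 8-byte counter + 32-byte MAC + user name
            self.log.append("ignored: malformed request")
            return None
        ctr, mac, user = packet[:8], packet[8:40], packet[40:]
        key = self.passkeys.get(user.decode(errors="replace"))
        if key is None or not hmac.compare_digest(mac, _mac(key, b"request", user, ctr)):
            self.log.append("ignored: incorrect request")
            return None
        counter = struct.unpack(">Q", ctr)[0]
        if counter <= self.last_counter.get(user, 0):
            self.log.append("ignored: replayed request")
            return None
        self.last_counter[user] = counter
        challenge = secrets.token_bytes(16)
        self.pending[user] = (ctr, challenge)
        return challenge

    def on_response(self, user, response):
        """Return True (open the port) only for a valid answer to the live challenge."""
        u = user.encode()
        pending = self.pending.pop(u, None)    # a challenge is single-use
        if pending is None:
            self.log.append("ignored: response without challenge")
            return False
        ctr, challenge = pending
        expected = _mac(self.passkeys[user], b"response", u, ctr, challenge)
        ok = hmac.compare_digest(response, expected)
        self.log.append("access granted" if ok else "ignored: invalid response")
        return ok


def demo():
    key = secrets.token_bytes(16)              # constructed passkey
    gw = Gateway({"alice": key})
    alice = Client("alice", key)
    pkt = alice.request()
    granted = gw.on_response("alice", alice.respond(gw.on_request(pkt)))
    replayed = gw.on_request(pkt)              # captured packet sent a second time
    rogue = gw.on_request(Client("alice", b"wrong-passkey-00").request())
    return granted, replayed, rogue, gw.log


if __name__ == "__main__":
    print(demo())
```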

Does the RuggedCom Router RX1100 support concurrent connections? The IP Gateway supports concurrent connections between multiple users and one or more protected devices.

What communication logs are captured and stored in a RuggedCom Router RX1100? The IP Gateway logs each connection, generating a detailed record which includes the following information:

  • Connection start time: generated by the internal clock, in UTC (Coordinated Universal Time) time zone independent format.
  • Connection direction: inbound (from Gauntlet VPC Client users and Gauntlet CCC Server) or outbound (from substation IEDs)
  • Connection status: The device contacted (internal IP address and port), caller location (Client/Server IP address), whether the connection was successfully authenticated or blocked, whether the IED responded, etc.
  • Connection duration: in minutes, up to 4 hours and 15 minutes.
  • Clock status: whether the clock has been initialized to default value or has been set by the Gauntlet CCC Server. This allows the Gauntlet CCC Server to adjust the start time of those connection records the IP Gateway gathered prior to its clock being synchronized by the Gauntlet CCC Server.

How many log records can be stored? The RuggedCom Router RX1100 can store over 100,000 log entries under normal circumstances. Following a successful upload to the Gauntlet CCC Server, the Server clears the IP Gateway log memory.

How does the IP Gateway ensure that connections are open only as long as needed? The IP Gateway monitors each secure connection. Upon session conclusion, the Gauntlet VPC Client will send a connection termination message to the IP Gateway, and the connection will be closed. The IP Gateway and Gauntlet VPC Client also maintain a heartbeat between each other, so that in the event that one side disappears (e.g. network failure, forced disconnect, etc.) the loss will be discovered and the connection closed.

Maximum connection and maximum idle time parameters can also be set at the RuggedCom Router RX1100 to further ensure that connections are not mistakenly left open by the user.

What happens to open firewall connections in the event of power loss? All connections to secure devices through the firewall are transient. In the event that the IP Gateway loses power or is restarted, the Gateway returns to its baseline configuration as defined by the Gauntlet CCC Server administrator. All open connections are closed.

What is the difference between the RuggedCom Router RX1100 and other routers? The RuggedCom Router RX1100 is hardened for use in power utility substations, and includes security software and logging features designed to meet or exceed the NERC CIP requirements. The IP Gateway security software provides for specific access on a port-by-port basis. Access is authenticated using the Security Package provided to the authorized user, whose access to specific ports/devices is determined by the Gauntlet system administrator. Logs of all access attempts and other security related items are stored on the IP gateway until uploaded to the Gauntlet CCC Server. An authorized user may be given access to one or more IEDs (or none in some cases) on selected IP Gateways. Other routers require static rules that are not monitored and could be exploited.

What is the method used to secure ports on a RuggedCom Router RX1100? The user requires a valid Security Package downloaded from the Gauntlet CCC Server (via the Gauntlet VPC Client) in order to connect to the Gateway. The Gauntlet administrator determines which specific devices and ports he is authorized to access.

What devices can I connect to a RuggedCom Router RX1100? You can connect any network device to the IP Gateway. Gauntlet is protocol agnostic. All devices behind a RuggedCom Router RX1100 will be secured.

Can a user use dial-up to access a RuggedCom Router RX1100? Yes. Dial-up can be used to access the RuggedCom Router RX1100 in two ways:

  • The user calls in via modem to the corporate IP network using a secure connection. After authentication on the IP network, he connects to the substation RuggedCom Router RX1100, after which the IED port is opened by the Gauntlet software. He then uses the software program normally used to connect to the IED.
  • The user calls in via modem directly to the RuggedCom Router RX1100, only if the IP Gateway has been provided with option M1: V90 modem in Slot S2. This connection is intended for accessing the RuggedCom Router RX1100 to review or change settings.

Where can I purchase a RuggedCom Router RX1100? The RuggedCom Router RX1100 is available from RuggedCom Inc. For information visit www.ruggedcomgauntlet.com

What happens if a user loses connectivity to a RuggedCom Router RX1100? On loss of connectivity, the open port/s in use are closed. Communication can be reestablished after the connectivity issues are resolved.

What configurations are available for the RuggedCom Router RX1100? Several configurations in mounting, power supply, number and type of interfaces are available. Contact RuggedCom for specifics.

Can a single device use multiple ports? Yes, a single substation device can be configured to use multiple IP ports with the same IP address.

Gauntlet VPC Client or Virtual Polling Controller

What is the Gauntlet VPC Client? The Gauntlet VPC Client is a Windows service and application that resides between the communication (polling) software and a voice-capable modem and/or the network. The Gauntlet VPC Client incorporates the sophisticated security authentication required for accessing secure Gateway and Router ports. It performs user validation (user name and password) and communicates with the Gauntlet CCC Server to obtain up-to-date Security Packages to access specific secure ports of specific Gateways.

What are Gauntlet VPC Client system requirements? The Gauntlet VPC Client runs on a standard desktop or laptop PC. To use the dial-up capability, the computer must have an available serial or USB (1.1 or higher) port, or PC card slot to accommodate a voice-capable modem. The PC also requires network connectivity, either dial-up or broadband, to access secure Router ports and get updated Security Packages from the Gauntlet CCC Server. The Gauntlet VPC Client is compatible with Windows 2000, Windows XP and Windows Vista.

What is a voice-capable modem and why is it required for dial-up access? In addition to standard data mode, a voice-capable modem can operate in voice mode commonly used for answering machine and voice mail applications. In voice mode, it has the capability of receiving DTMF tones, which Gauntlet uses as part of the security authentication process.

Can any voice modem be used with the Gauntlet VPC Client? No. Not all voice modems are compatible or work well with Gauntlet (Client and Server). A current list of qualified voice modems is available in the support area.

Do I need to remove my current modem to add the voice modem? No. You may continue to use your current modem for dial-up network access if needed. Additionally, you may find it more convenient to use your current modem to access SLSS units during the Gateway migration period.

Can the Gauntlet VPC Client be used to access SLSS units? Yes. The Gauntlet VPC Client is capable of accessing SLSS ports if the SLSS is configured to use DTMF acknowledgement tones (programming command *72#2# – see Gateway manual for details).

What prevents unauthorized users from using the Gauntlet VPC Client to poll the Gateways and Routers? Only users with Gauntlet VPC Client software and valid Security Packages can access Gateway secure ports, and only after the user has been validated through the login and password process.

What are Security Packages? Security Packages are generated by the Gauntlet CCC Server and include information such as user name and password, Gateway properties, Dial-up Gateway port transfer codes and passkeys, IP Gateway addresses and passkeys, and aging properties (time until expiration). Only users with valid Security Packages can access Gateway secure ports. Note that the Security Package is encrypted.

How does the user obtain Security Packages from the Gauntlet CCC Server? The user connects to the Gauntlet CCC Server at certain intervals to obtain up-to-date Security Packages. Connection details differ with each deployment. IP connectivity to the Gauntlet CCC Server via VPN, SSL, RAS or other methods is required. Consult your IT department or Teltone representative.

How are Security Packages protected from tampering? Security Packages are encrypted utilizing SHA1 protocol whenever they are stored, and SSL during the communication process.

Can a Gauntlet VPC Client user circumvent expiration of their Security Package by tampering with the PC clock? No. Since the validation process is in part executed by the Gateway, changing the PC time setting will only let the user call out; he will not be able to connect through the Gateway. Further, this user account will be flagged as suspect and be disabled. An administrator’s clearance is required to re-enable this user.

Does the Gauntlet VPC Client keep an audit log? Yes. The Gauntlet VPC Client maintains a detailed log of the following events:

  • Successful / failed user validation: includes time, date and user name.
  • Successful / failed call attempts: includes time, date, user name, phone number and port number of the Gateway.

How is the audit log uploaded to the Gauntlet CCC Server? The log is automatically uploaded each time the user connects to the Gauntlet CCC Server to acquire a new Security Package.

How is the transfer of Security Packages and audit log between the Gauntlet VPC Client and Server protected? When the Gauntlet CCC Server is configured to require a secure connection (which may use Secure Sockets Layer protocol), the Gauntlet VPC Client then uses the secure connection to communicate with Gauntlet CCC Server for downloading Security Packages, uploading audit logs, and other purposes.

What options are available to require strong authentication or complex passwords for Gauntlet VPC Client users? Gauntlet password policies enable conformance with NERC requirements (or stricter, if desired). By default, Gauntlet password settings are slightly more stringent than NERC requirements. Specifically, Gauntlet VPC Client passwords must contain at least one alphabetical character, one numeric digit, and one punctuation symbol, and be at least eight characters long. The default password expiration is set at two weeks. All parameters are configurable by the Gauntlet system administrator via Gauntlet CCC Server.

Are multiple users supported on the same PC/laptop? Yes, each user is issued a unique and private Security Package, enabling multiple users to share the same PC. The users share a single Gauntlet VPC Client installation.

Gauntlet CCC Server or Command and Control Center

What is the Gauntlet CCC Server Command and Control Center? The Gauntlet CCC Server is a Microsoft .NET IIS Server application that operates with either an SQL 2000/2005 or MSDE/SQL Express database. Gauntlet administrators interact with the Gauntlet CCC Server via a web-based interface. The Gauntlet CCC Server performs a variety of tasks including:

  • Configure Dial-up and IP Gateways for secure operations: set secure ports with passkeys, etc.
  • Synchronize Dial-up and IP Gateway clocks for call logging
  • Upload call logs from Dial-up and IP Gateways
  • Upgrade security-ready Gateways to security-enabled
  • Upgrade Dial-up and IP Gateway firmware
  • Administer calling users equipped with Gauntlet VPC Client
  • Issue Security Packages to calling users
  • Collect Gauntlet VPC Client audit log from users

What are the Gauntlet CCC Server system requirements? The Gauntlet CCC Server runs on a standard server class PC. The computer needs to have network connectivity and, if dial-up Gateways are to be used, a minimum of two compatible, voice-capable modems. (Contact your Teltone or RuggedCom Inc. representative or sales department for a current list of approved modems.) The Gauntlet CCC Server is specifically designed to run under the Windows 2003 Server operating system – Standard or Enterprise versions.

What are the database requirements for the Gauntlet CCC Server? Two database engines are supported:

  • MSDE/SQL Express: free MS SQL server by Microsoft, included with the Gauntlet CCC Server application. Appropriate for smaller installations, it supports only backup/restore as a means for high availability.
  • SQL2000/2005: licensed version recommended for medium or large installations. Benefits include support for additional users, larger database and high availability features like replication and clustering (which requires some additional hardware and software). A license can be obtained from regular channels or Teltone Sales.

How is the Gauntlet CCC Server database protected from unauthorized access? The database is protected in the way that it’s installed and configured with the rest of the servers in the data center. Access to the PC and database is limited to authorized personnel and their activities are logged.

What are the ways to ensure high availability in the event of equipment failure? Two options are available, each with its own cost/benefit considerations:

  • Backup and restore: use any backup/restore utility compatible with MSDE or MS SQL. Upon system failure restore the latest backup to a new system. An easy and inexpensive solution to implement and the only one in this group which is compatible with MSDE. Downsides: the backup set gets stale quickly, the backup and restore processes are lengthy, and a server will need to be configured to match the one that is down.
  • Replication: a middle of the road solution. In this solution, as changes are made to the database, they are copied (replicated) to a standby server, which could also be performing other tasks. Should the main server go down, this server will have to be renamed or its IP entry in the DNS changed. This is a quick turnaround but requires human (may be remote) intervention. This solution is not supported by MSDE. A document describing how to configure this setup is available from Teltone. Note that some SQL licenses will allow for a “free” backup server. Please consult your IT department.

Do I need multiple Gauntlet CCC Server software licenses in a clustering setup using two or more servers? No. However, additional hardware and software is required per Windows & SQL requirements for clustering.

What is the scheduling mechanism for the Gauntlet CCC Server to access Dial-up and IP Gateways? Windows Scheduler is used to set up automated access to the Gateways for collecting call logs, updating passkeys, and performing firmware updates.

Our deployment includes hundreds of Gateways. How can I ensure that all Gateways are accessed by the Gauntlet CCC Server within a limited time frame? The Gauntlet CCC Server automated access engine supports the use of multiple modems. A single modem can be used to access up to sixty Gateways per hour; therefore, three modems could retrieve call records from a thousand Gateways within four hours.

What prevents someone using an unlicensed Gauntlet CCC Server installation from accessing Gateways and Routers? When the Gauntlet CCC Server initially accesses a Dial-up or IP Gateway set to factory defaults, the Gauntlet CCC Server reprograms the unit’s passkeys to randomly generated values. Without knowing these values (known only to the original installation of the Gauntlet CCC Server), a “rogue” Gauntlet CCC Server or Gauntlet VPC Client cannot access secure features on that Gateway.

Can a Security Package be moved from one machine to another and still be valid? No. The Security Package incorporates the machine ID as part of its encrypted credentials. If the Security Package is moved to another machine, the machine ID will no longer match and the Gauntlet VPC Client will be unable to decrypt the Security Package. The user must request a unique Security Package from each machine where they run the Gauntlet VPC Client.

Contact us for more info: 1-800-426-3926 or sales@teltone.com

All specifications subject to change without notice. Revised 12/7/07.

Copyright 2008 Teltone Corporation