Manage iSCSI Security
Applies To: Windows Server 2008 R2
There are several levels of iSCSI security available with Storage Manager for SANs. The basic level is based on the Challenge Handshake Authentication Protocol (CHAP). CHAP is a protocol that is used to authenticate the peer of a connection and is based upon the peers sharing a secret (a security key that is similar to a password). IP security (IPsec) is a protocol that enforces authentication and data encryption at the IP packet layer, which provides an added level of security.
This feature enables you to perform a select subset of the tasks that relate to iSCSI configuration and administration. You can also perform these and other tasks using the Microsoft iSCSI Initiator, which is included in Windows Server 2008 in Administrative Tools. Additionally, vendors of networking and storage solutions provide similar tools to perform iSCSI configuration and administration tasks. For more information about iSCSI, see http://go.microsoft.com/fwlink/?LinkId=102299.
You must choose the security level that best fits the security policies of your organization:
One-way CHAP authentication. With this level of security, only the target authenticates the initiator. The secret is set just for the target and all initiators that want to access that target need to use the same secret to start a logon session with the target.
Mutual CHAP authentication. With this level of security, the target and the initiator authenticate each other. A separate secret is set for each target and for each initiator in the storage area network (SAN).
IPsec. With this level of security, all IP packets sent during data transfers are encrypted and authenticated. A common key is set on all IP portals, allowing all peers to authenticate each other and negotiate packet encryption. For more information, see IPsec (http://go.microsoft.com/fwlink/?linkid=93520).
At a minimum, use one-way CHAP authentication between iSCSI initiators and targets.
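The two CHAP levels described above differ only in who challenges whom and which secret answers the challenge. The following is an added example (not code from Storage Manager for SANs or the Microsoft iSCSI Initiator) that models both exchanges with the CHAP response formula iSCSI uses, MD5 over the identifier, the secret and the challenge; the secret values and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (iSCSI CHAP_A=5): MD5(CHAP_I || secret || CHAP_C)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

def new_challenge() -> Tuple[int, bytes]:
    """Fresh identifier and random challenge for every login, so a captured
    response is useless against a later challenge."""
    return os.urandom(1)[0], os.urandom(16)

def verify(identifier: int, challenge: bytes, secret: bytes, response: bytes) -> bool:
    """Recompute the expected response with the locally stored secret."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)

def one_way_chap(target_secret_on_target: bytes, target_secret_on_initiator: bytes) -> bool:
    """Target authenticates the initiator: the initiator answers the target's
    challenge with the target secret it was given (Targets tab, Set Secret)."""
    ident, chal = new_challenge()                                   # target -> initiator
    resp = chap_response(ident, target_secret_on_initiator, chal)   # initiator -> target
    return verify(ident, chal, target_secret_on_target, resp)

def mutual_chap(target_secret_on_target: bytes, target_secret_on_initiator: bytes,
                initiator_secret_on_initiator: bytes,
                initiator_secret_on_target: Optional[bytes]) -> bool:
    """One-way CHAP first, then the initiator challenges the target, which must
    answer with the initiator secret. None models a target that was not selected
    when the initiator secret was applied, so it has nothing to answer with."""
    if not one_way_chap(target_secret_on_target, target_secret_on_initiator):
        return False
    if initiator_secret_on_target is None:
        return False
    ident, chal = new_challenge()                                   # initiator -> target
    resp = chap_response(ident, initiator_secret_on_target, chal)   # target -> initiator
    return verify(ident, chal, initiator_secret_on_initiator, resp)

if __name__ == "__main__":
    # Constructed sample secrets, not real credentials.
    T, I = b"target-secret-sample", b"initiator-secret-sample"
    print("one-way, shared target secret:", one_way_chap(T, T))             # True
    print("mutual, target knows init secret:", mutual_chap(T, T, I, I))     # True
    print("mutual, target lacks init secret:", mutual_chap(T, T, I, None))  # False
```

The last case is the situation step 4 of the procedure below avoids: a target that was not given the initiator secret cannot complete mutual CHAP, so the initiator refuses the logon.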
The level of security that you can set for a storage subsystem depends on the hardware manufacturer. Not all subsystems support all levels of iSCSI security. You should contact your hardware manufacturer to verify what level of security is supported.
For more information about iSCSI, see http://go.microsoft.com/fwlink/?LinkId=93543.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To manage iSCSI security
1. In the console tree, click LUN Management.
2. In the Actions pane, click Manage iSCSI Security.
3. To configure one-way CHAP authentication, in the Manage iSCSI Security dialog box, configure the following settings on the Targets tab:
    - If you want to configure different CHAP secrets for different targets, in the list of targets, select a target that you want to set the CHAP secret for, and click Set Secret.
    - To use the same CHAP secret for a group of targets, select the targets from the list and click Set Secret.
    - In the Set Secret dialog box, type and confirm the target CHAP secret.
    - Optionally, select Remember secret on local initiator if you want to automatically pass the new secret to the local initiator.
    - To set the new secret, click OK.
4. To configure mutual CHAP authentication, you must first configure one-way CHAP authentication by following step 3. Then, enter the following configuration on the Local Initiator tab:
    - Type and confirm the CHAP secret for the local initiator.
    - Under mutual CHAP authentication, the initiator will only be able to log on to targets that know the initiator secret. To share the initiator secret with the targets that the server needs to access, in the list of targets, select each target that you want to authenticate on the initiator.
    - To set the new secret for the local initiator and to share it with the selected targets, click Apply Secret.
5. To configure IPsec, in the Manage iSCSI Security dialog box, configure the following settings on the Portals tab:
    - If you want to use different IPsec keys for different portals, in the list of portals, select a portal and click Set IPsec Key.
    - To use the same IPsec key for a group of portals, select the portals from the list, and click Set IPsec Key.
    - In the Set IPsec Key dialog box, type and confirm a new IPsec key.
    - Optionally, select Remember the IPsec key on local initiator if you want to automatically pass the new key to the local initiator.
    - To set the new IPsec key, click OK.
6. When you are done configuring iSCSI security, click Close.