HUAWEI Agile Controller Full Product Datasheet 1 PDF
1. How to deliver a consistent experience to different user terminals regardless of their locations?
2. How to configure user privileges, security, QoS, priority, and other network policies? On a traditional network, users can be bound to physical interfaces, and the administrator manually configures policies on the network devices closest to the users. However, manual configuration cannot adapt to changes in user locations. To meet the requirements of mobile users, the network must support dynamic resource allocation and policy configuration. That is, network resources and policies must be able to migrate with users.
3. How to deploy network security policies? On traditional networks, the boundaries between enterprise networks and the Internet have security risks. Many enterprises deploy security devices such as firewalls at their network boundaries. However, with the development of mobile services and diversified network attacks, the boundaries of security protection become blurred. Services such as Wi-Fi, mobile terminals, and remote office bring a large number of new security risks and internal attacks, such as viruses, Trojan horses, and advanced persistent threats (APTs). In this case, traditional boundary protection measures become invalid.
Introduction to the Agile Controller
The Agile Controller is the core component of a next-generation network solution designed by Huawei for enterprise markets. It can be deployed on agile campus networks, agile branches, agile wide area networks (WANs), and agile data centers to control policies for access to these networks as well as for interconnection between data centers. Following the centralized control principle of software-defined networking (SDN), the Agile Controller dynamically schedules network and security resources on the entire network to allow these resources to migrate with users. With the Agile Controller, networks become more agile for services.
[Figure: Agile Controller deployment overview. Control flow and service flow between the Agile Controller, the headquarters (executive/employee/guest), a branch (executive/employee/guest), the data center (finance, sales, R&D), and the WAN/Internet.]
Product Characteristics
Experience-centric Redefined Network
The Agile Controller shifts customers' attention from technologies, equipment, and connectivity to users, services, and user experience, and frees customers from laborious manual configuration by providing natural-language network planning and automatic deployment.
• The Agile Controller applies the SDN centralized control idea to campus networks. It can dynamically schedule and adjust network and security resources on the entire campus network to meet the requirements of frequently moving users, offering free mobility.
• The Agile Controller can flexibly adjust user rights, QoS policies, and security policies on the entire network. This dynamic policy adjustment greatly reduces the service provisioning or network expansion period, allowing networks to keep pace with fast-changing services.
• Using the Agile Controller, customers no longer need to pay attention to the differences between various devices. They can use natural language to configure network policies and deliver the configurations to all network devices with one click on the Agile Controller.
• User-based QoS scheduling ensures preferential forwarding of VIP users' services when network resources are insufficient, delivering a good experience to VIP users.
The Agile Controller implements united security, replacing single-point protection with network-wide protection.
• The Agile Controller collects logs from network devices, security devices, and service systems, and employs Big Data analytics to
discover potential attacks and threats that are difficult to detect through single-point protection.
• The Agile Controller virtualizes security devices into a security resource center. Traffic of users with certain characteristics is blocked or
redirected to the security resource center to defend against attacks.
• The Agile Controller provides comprehensive terminal security and desktop management functions, and has over 5000 predefined
terminal security policies, ensuring terminal access security.
• The Agile Controller provides various northbound and southbound interfaces and open APIs to make the forwarding plane
and control plane programmable. It can interoperate with service systems of customers to improve end-to-end operation and
maintenance efficiency, shorten new service provisioning time, and give customers a platform for innovation.
• The Agile Controller is seamlessly interoperable with mainstream cloud platforms, including Huawei FusionSphere, VMware vSphere, OpenStack, and Microsoft Hyper-V. This interoperability makes the Agile Controller an elastic, open platform integrating best practices of various fields, allowing customers to flexibly define their networks based on service requirements.
• The Agile Controller can be deployed in centralized, distributed, and hierarchical modes, and is applicable to various networks.
• The Agile Controller supports various authentication modes and database backup to ensure high reliability and service continuity.
• The Agile Controller uses the Browser/Server (B/S) architecture and complies with the latest Huawei User Interface (UI) design
standards; therefore, it is easy to use.
Product Components
The Agile Controller provides multiple service components for different application scenarios to meet diversified customer
requirements.
Component Description

Access Control Manager
• Provides unified network access policies and supports multiple authentication methods such as 802.1X, Portal, MAC address, and SACG authentication. This implements unified access management on users from wired, wireless, or VPN networks.
• Supports refined authorization based on the user identity, access time, access location, device type, device source, and access mode. This ensures unified maintenance and management of all terminals that access the enterprise network in various modes.

Guest Manager
• Provides full lifecycle guest management, including guest account application, approval, distribution, authentication, auditing, and deregistration.
• Supports various account application methods, including self-service application, WeChat, and QR code. In addition, the enterprise's employees can apply for accounts for guests.
• Allows users to customize guest account application and authentication pages and flexibly pushes advertisements.

Free Mobility Manager
• Works with Huawei agile switches and NGFWs to provide security group–based policies in addition to the traditional NAC and implement unified policy deployment and automatic policy synchronization. This ensures that users can have the same service experience when they move on the network.
• Provides user group–based QoS policy configuration to ensure preferential forwarding of VIP users' data traffic when network resources are insufficient, delivering good service experience for VIP users.

Service Orchestration Manager
• Virtualizes physical security devices to shield the device models and locations, forming a security resource center.
• Directs service flows to the security resource center based on service requirements to improve use efficiency of physical resources and reduce costs.

Terminal Security Manager
• Strictly controls network access from all terminal users and enforces security policies to the users connected to the network.
• Supports terminal health check, employee behavior management and control, software distribution, patch management, and asset management to ensure that terminals connected to the network possess self-defense capabilities and comply with the enterprise's security policies.

United Security Manager
• Manages logs and security events from network, security, and IT devices on the entire network in a centralized manner.
• Uses the Big Data correlation analysis technique to evaluate network security and identify risky assets and areas on the entire network.
• Allows customers to take proactive defense measures so that they do not need to analyze or trace the attack sources and network risks.
Access Control Manager
Component Overview
With the Information and Communication Technologies (ICT) improvement, enterprise users want to access the network from every
corner in their offices. A large number of mobile staff and partners frequently use their own terminals (such as laptop computers) to
access the enterprise local area networks (LANs), which brings great challenges to the enterprise information security. Unauthorized
terminals may bring computer viruses to the enterprise networks and even obtain the enterprises' trade secrets, threatening the
network security. In addition, the maturity of WLAN technologies and popularization of intelligent terminals cause many enterprises to
allow their employees to access the enterprise intranets using intelligent BYOD terminals. The enterprises aim to improve employees'
work efficiency and reduce the cost and investment on mobile terminals. The application of WLAN technologies on enterprise networks
also brings great information security risks.
The Access Control component of the Huawei Agile Controller associates with network access control devices to control access to enterprise networks from internal and external terminals. This component provides unified access control policies and flexibly manages authentication and authorization policies to meet different service control requirements.
Component Characteristics
Comprehensive Admission Control Technologies, Applicable to Multiple Types of Networks
802.1X authentication
• The 802.1X function is enabled on a switch or an AC.
• It can implement Layer 2 isolation.
• The maintenance is complex because there are multiple authentication points.
• The switch must support 802.1X.
Application scenario: small-, medium-, and large-sized campus networks with high security requirements. The Access Control component can associate with all series of Huawei switches, routers, and WLAN devices, and with third-party standard 802.1X switches.
Hierarchical Department and User Management, Meeting the Requirements of Enterprises with Complex Organization
Seamless Interconnection with External Data Sources and Social Media Platforms
• Supports multiple authentication protocols, and connects to mainstream AD, LDAP, and RADIUS servers and dynamic token systems.
Authentication Protocol | System Built-in Account | AD  | LDAP | RADIUS Token | RADIUS Relay
PAP                     | YES                     | YES | YES  | YES          | Depending on the external system
CHAP                    | YES                     | NO  | NO   | NO           | Depending on the external system
EAP-PEAP-MSCHAPV2       | YES                     | YES | NO   | NO           | Depending on the external system
EAP-MD5                 | YES                     | NO  | NO   | NO           | Depending on the external system
EAP-TLS                 | YES                     | YES | YES  | NO           | Depending on the external system
EAP-TTLS-PAP            | YES                     | YES | YES  | YES          | Depending on the external system
EAP-PEAP-GTC            | YES                     | YES | YES  | YES          | Depending on the external system
Intelligent Terminal Identification, Authentication Page Customization, Providing Permission Control for BYOD Terminals
• Provides up to 200 types of terminal identification templates, and supports multiple terminal identification modes, such as MAC
organizationally unique identifier (OUI), Dynamic Host Configuration Protocol (DHCP) Option, Hypertext Transfer Protocol (HTTP)
User-Agent, and Simple Network Management Protocol (SNMP).
• Allocates different service policies to terminals using the same account based on the terminal type, refining user permission control.
• Pushes authentication pages based on the terminal type, ensuring fine user experience.
• Allocates different service policies based on the terminal type, such as VLANs, ACLs, and bandwidth limits.
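The terminal identification modes listed above (MAC OUI, DHCP Option, HTTP User-Agent, SNMP) can be combined into a small scoring classifier that then selects a per-terminal policy (VLAN, ACL, bandwidth limit) for one and the same account. The following Python is an added illustration, not Agile Controller code: the OUI prefixes, the DHCP Option 55 fingerprints, the policy values and VLAN numbers are constructed sample values, and the evidence weights are an assumption.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample OUI table: first three octets of the MAC -> device type.
# A real deployment would derive the type from the IEEE OUI registry; these
# prefixes are illustrative only and are not claimed to belong to any vendor.
OUI_TYPE = {
    "00:11:22": "smartphone",
    "00:33:44": "windows_laptop",
}

# Constructed DHCP Option 55 (parameter request list) fingerprints. DHCP clients
# of different operating systems request options in characteristic orders, so
# the ordered list serves as a fingerprint. Values are illustrative.
DHCP_FINGERPRINTS = {
    (1, 3, 6, 15, 119, 252): "smartphone",
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 252): "windows_laptop",
}

# HTTP User-Agent and SNMP sysDescr patterns (assumed, deliberately simplified).
UA_PATTERNS = [
    (re.compile(r"\b(iPhone|iPad|Android)\b"), "smartphone"),
    (re.compile(r"\bWindows NT\b"), "windows_laptop"),
]
SNMP_PATTERNS = [
    (re.compile(r"\bWindows\b", re.I), "windows_laptop"),
]

# Assumed weight per evidence source: DHCP and SNMP are harder to alter from
# the application layer than a User-Agent string, so they count for more.
WEIGHTS = {"oui": 1, "dhcp": 2, "ua": 1, "snmp": 2}


@dataclass
class Evidence:
    mac: str
    dhcp_param_request: tuple = ()
    user_agent: str = ""
    snmp_sysdescr: str = ""


def identify_terminal(ev: Evidence) -> tuple:
    """Return (device_type, score); "unknown" when nothing matches or sources tie."""
    votes = defaultdict(int)
    oui = ev.mac.lower().replace("-", ":")[:8]
    if oui in OUI_TYPE:
        votes[OUI_TYPE[oui]] += WEIGHTS["oui"]
    if ev.dhcp_param_request in DHCP_FINGERPRINTS:
        votes[DHCP_FINGERPRINTS[ev.dhcp_param_request]] += WEIGHTS["dhcp"]
    for pattern, dtype in UA_PATTERNS:
        if pattern.search(ev.user_agent):
            votes[dtype] += WEIGHTS["ua"]
            break
    for pattern, dtype in SNMP_PATTERNS:
        if pattern.search(ev.snmp_sysdescr):
            votes[dtype] += WEIGHTS["snmp"]
            break
    if not votes:
        return "unknown", 0
    ranked = sorted(votes.items(), key=lambda kv: kv[1], reverse=True)
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return "unknown", ranked[0][1]  # conflicting evidence: do not guess
    return ranked[0]


@dataclass(frozen=True)
class Policy:
    vlan: int
    acl: str
    bandwidth_kbps: int  # 0 means no limit


# Constructed policy table keyed by (account role, terminal type).
POLICIES = {
    ("employee", "windows_laptop"): Policy(vlan=10, acl="permit-intranet", bandwidth_kbps=0),
    ("employee", "smartphone"): Policy(vlan=20, acl="mail-and-internet", bandwidth_kbps=2000),
    ("guest", "smartphone"): Policy(vlan=30, acl="internet-only", bandwidth_kbps=1000),
}
# Anything unrecognised or unmapped lands in a restricted VLAN (fail closed).
DEFAULT_POLICY = Policy(vlan=99, acl="restricted-portal", bandwidth_kbps=512)


def authorize(role: str, ev: Evidence) -> Policy:
    """Pick the policy for this account role on this terminal type."""
    device_type, _ = identify_terminal(ev)
    return POLICIES.get((role, device_type), DEFAULT_POLICY)
```

Two design points are worth keeping from this sketch: sources that disagree evenly yield "unknown" rather than a guess, and an unknown terminal type maps to the most restrictive policy, so a terminal whose identification fails never obtains more access than a recognised one.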
Operating Environment
Configuration requirements in scenarios with no more than 2000 users are as follows.
Configuration requirements in scenarios with more than 2000 users are as follows.
Deployment Scenarios
802.1X Access Control
[Figure: 802.1X access control deployment. Recoverable labels and caption fragments: switches and routers; the SACG device is connected to the ...; Isolation domain; Area A; routing configured on the router; filtered by the SACG, the traffic ...; Service server.]
Auxiliary Devices
Ordering Information
Item Remarks
Agile Controller Access Control Function Mandatory
Agile Controller Terminals of Access Control Function, Including 200 Access Terminals License Optional
Agile Controller Terminals of Access Control Function, Including 500 Access Terminals License Optional
Agile Controller Terminals of Access Control Function, Including 1000 Access Terminals License Optional
Agile Controller Terminals of Access Control Function, Including 2000 Access Terminals License Optional
Agile Controller Terminals of Access Control Function, Including 5000 Access Terminals License Optional
Agile Controller Terminals of Access Control Function, Including 10000 Access Terminals License Optional
Agile Controller Terminals of Access Control Function, Including 50000 Access Terminals License Optional
Guest Manager
Component Overview
The maturity of WLAN technologies and the popularization of intelligent terminals lead many enterprises to open their intranets to guests and partners. In public areas (such as shopping malls, hotels, exhibition halls, chain stores, scenic spots, business halls, and airport lounges), a large number of users access the WLAN, bringing enormous advertising opportunities.
The Guest Management component of the Huawei Agile Controller provides full lifecycle guest management, including guest account
application, approval, distribution, authentication, auditing, and deregistration. The component supports various account application
methods, including self-service application, WeChat, and QR code. In addition, the enterprise's employees can apply accounts for
guests. It also allows users to customize guest account application and authentication pages and flexibly pushes advertisements.
Component Characteristics
Unified Management on Employees and Guests, Reducing Enterprises' Construction and IT O&M Costs
• The Access Control and Guest Management components can be deployed on the same server or separately.
Phase | Options
Registration | • Employee application • Self-help application
Approval | • Automatic approval • Administrator approval • Approval by the receptionist
Portal Page Customization and Flexible Portal Page Pushing, Improving Enterprise Brand Image and Promoting Products
• Allows customers to customize login and registration pages that provide personalized information about enterprises, improving the brand image of enterprises.
• Automatically redirects users to the pre-authentication page or the URL configured by the administrator after the users pass
authentication. This function is suitable for brand promotion.
• Pushes pages according to the location (SSID or associated AP), facilitating information push.
Approval by Scanning the QR Code, Zero-Input Guest Account Registration, Improving Guest Satisfaction
After the employee authorizes the guest, the guest account exists in the platform. The guest is
automatically switched to the desired page after being authenticated and can access the Internet.
• A combination of Portal and MAC address authentication is used for the first access, and MAC address authentication is used for
subsequent accesses.
Operating Environment
Configuration requirements in scenarios with no more than 2000 users are as follows.
Configuration requirements in scenarios with more than 2000 users are as follows.
Deployment Scenarios
A combination of Portal and MAC address authentication is enabled on the gateway. Terminals can use the web authentication to
access the network.
[Figure: Guest Manager deployment with a Portal switch.]
Auxiliary Devices
Ordering Information
Item Remarks
Agile Controller Guest Management Function Mandatory
Agile Controller Guest Management Function, Including 200 Guest Accounts Management License Optional
Agile Controller Guest Management Function, Including 500 Guest Accounts Management License Optional
Agile Controller Guest Management Function, Including 1000 Guest Accounts Management License Optional
Agile Controller Guest Management Function, Including 2000 Guest Accounts Management License Optional
Agile Controller Guest Management Function, Including 5000 Guest Accounts Management License Optional
Agile Controller Guest Management Function, Including 1000 Guest Accounts Management License Optional
Agile Controller Guest Management Function, Including 50000 Guest Accounts Management License Optional
Free Mobility Manager
Component Overview
With the popularization of mobile office and BYOD applications, users in the headquarters and branches and on business trips want to access the enterprise network. The physical locations of the terminals are no longer fixed, and users even process business using their private terminals. How can different terminals accessing the network from different office locations obtain the same experience?
The Free Mobility component of the Huawei Agile Controller works with Huawei agile switches and NGFWs to provide security group-
based policies in addition to the traditional NAC and implement unified policy deployment and automatic policy synchronization. This
ensures that users can have the same service experience when they move on the network. The component also provides user group–
based QoS policy configuration to ensure preferential forwarding of VIP users' data traffic when network resources are insufficient,
delivering good service experience for VIP users.
Component Characteristics
Traditional VLAN/ACL Control Replaced by Policy Control based on Security Group, Greatly Improving Configuration Efficiency
• The policies on the entire network are planned in a unified manner and deployed through one click on the Agile Controller.
• Associates with switches, firewalls, and SVNs to ensure consistent service experience when users move on the entire network.
• Manages network-wide policies in a unified manner, flexibly adjusts policies, and delivers only the newly added policies.
Permission Control for Access Between User group and Resource Group, and Between User Groups
Operating Environment
The Free Mobility component can work properly only after the Access Control component is deployed. The operating environment of
the Free Mobility component is the same as that of the Access Control component.
Deployment Scenarios
The Free Mobility component has no special networking requirements, provided that there are reachable IP routes between the Agile
Controller server and the associated network devices. Generally, the component is deployed on data centers.
[Figure: Free Mobility deployment. Labels: Branch (AR, L2 SW, Internet access); WAN/Internet; Campus egress (NGFW/SVN); Data center (Agile Controller, Server, NMS); Agile core LSW; Agile aggregation LSW; Converged access (LSW, AP).]
Auxiliary Devices
Ordering Information
Item Remarks
Agile Controller Access Control Function Mandatory
Agile Controller Free Mobility Function Mandatory
Service Orchestration Manager
Component Overview
Traditional security solutions used on enterprise campus networks and data center networks define network borders and deploy security devices such as firewall, anti-DDoS, antivirus (AV), intrusion prevention system (IPS), and data loss prevention (DLP) devices on the borders between different security levels. As the network scale expands, users connect to networks using more diversified access methods. In this circumstance, traditional security deployment results in an exponential increase in cost. In addition, many customers determine the number of security devices they need to purchase based on two to five times the peak-hour rates. However, high-performance security devices, such as firewalls, IPS, and anti-DDoS, have low resource utilization, which is a waste of resources.
The Huawei Agile Controller Service Orchestration component virtualizes physical security devices to shield the device models and
locations. All security devices form a security resource center. The component directs service flows to the security resource center based
on service needs to improve use efficiency of physical resources and reduce costs.
Component Characteristics
Resource Virtualization, Service Flow-based Resource Scheduling, Implementing In-depth Security Protection
Comprehensive Service Flow Management, Service Flow Defining Based on IP Address or 5-tuple Information of User Group
• Defines service flows based on the source and destination IP addresses, source and destination port numbers, and protocol.
• Defines service flows based on the source and destination user groups, source and destination port numbers, and protocol.
• Service devices can be defined as firewall, virus wall, or online behavior management device.
• The administrator can set up a GRE tunnel between an orchestration device (switch) and a service device to redirect service traffic to
the specified service device for security monitoring.
Service Chain Creation Based on Service Flows, Providing Differentiated Security Policies for Different Services
• Configured service chain orchestration policies are displayed on the GUI, allowing administrators to rearrange service chains by
simply dragging service devices.
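Service flow definition and service chain selection as described in the bullets above, as an added Python example (not the product's own code): a flow can be defined by 5-tuple fields or by source/destination user group, any field left empty is a wildcard, and the first matching definition yields the ordered chain of service devices that the orchestration switch redirects the traffic through. The user-group bindings, flow definitions, addresses and device names are constructed sample values; the bindings stand in for the authentication results that, per the Operating Environment note, the Access Control component supplies.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str      # "tcp", "udp", ...
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class ServiceFlow:
    """A flow definition plus the ordered chain of service devices it is redirected through.

    Any field left as None/empty is a wildcard, so a definition can be purely
    5-tuple based, purely user-group based, or a mix (an assumption of this sketch)."""
    name: str
    chain: Tuple[str, ...]
    proto: Optional[str] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    dst_ports: Tuple[int, ...] = ()
    src_group: Optional[str] = None
    dst_group: Optional[str] = None


def _in_net(ip: str, net: Optional[str]) -> bool:
    return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def _in_group(ip: str, group: Optional[str], ip_to_group: dict) -> bool:
    # An address with no authenticated user behind it has no group and never matches a group rule.
    return group is None or ip_to_group.get(ip) == group


def matches(flow: ServiceFlow, pkt: Packet, ip_to_group: dict) -> bool:
    return (
        (flow.proto is None or flow.proto == pkt.proto)
        and _in_net(pkt.src_ip, flow.src_net)
        and _in_net(pkt.dst_ip, flow.dst_net)
        and (not flow.dst_ports or pkt.dst_port in flow.dst_ports)
        and _in_group(pkt.src_ip, flow.src_group, ip_to_group)
        and _in_group(pkt.dst_ip, flow.dst_group, ip_to_group)
    )


def select_chain(pkt: Packet, flows, ip_to_group: dict) -> Tuple[str, ...]:
    """First matching flow wins, as in an ordered policy list; no match means normal forwarding."""
    for flow in flows:
        if matches(flow, pkt, ip_to_group):
            return flow.chain
    return ()


# Constructed IP -> user group bindings (in the product these come from authentication).
IP_TO_GROUP = {"10.1.1.10": "R&D", "10.1.2.20": "Guest"}

# Constructed service flows. Device names follow the three service device types
# the datasheet lists (firewall, virus wall, online behavior management).
FLOWS = [
    ServiceFlow("guest-web", ("online_behavior_management", "firewall"),
                proto="tcp", dst_ports=(80, 443), src_group="Guest"),
    ServiceFlow("rnd-to-datacenter", ("firewall", "virus_wall"),
                dst_net="10.10.0.0/16", src_group="R&D"),
    ServiceFlow("inbound-to-dmz", ("firewall",),
                proto="tcp", dst_net="192.0.2.0/24", dst_ports=(80, 443)),
]
```

The last definition is IP based and so applies at the core layer regardless of who is authenticated; the first two are user-group based and only take effect once the source address has a binding, which is the practical meaning of the dependency on the Access Control component.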
Operating Environment
The Service Orchestration component can work properly only after the Access Control component is deployed. The operating
environment of the Service Orchestration component is the same as that of the Access Control component.
Deployment Scenarios
Three hardware parts are required to provide the service orchestration function:
• Agile Controller service server: functions as the service orchestration subsystem, which completes service logic configuration of
service chains.
• Orchestration device: must be a Huawei agile switch. The switch identifies service traffic and redirects the traffic to the service
devices in the sequence specified by the service chain. There must be reachable IP routes between the orchestration device and
service devices.
• Service device: processes the service flows redirected to it. The service and orchestration devices work at Layer 3, and are connected
through GRE tunnels. Service devices can be connected to the core router or the core or aggregation switch according to the
following principles:
Core layer: define service flows based on IP information to shorten the traffic transmission path.
Aggregation layer: define service flows based on user information if the customer can accept the circuitous transmission path.
[Figure: Service orchestration deployment. Labels: Service chain 1, Service chain 2; NMS center; Data center; service devices: Firewall, Online behavior management, Antivirus; Aggregation layer; Access layer; Application layer; areas: Guest area, Dept A, Dept B, Internal public area.]
Auxiliary Devices
Ordering Information
Item Remarks
Agile Controller Access Control Function Mandatory
Agile Controller Free Mobility Function Mandatory
Agile Controller Service Orchestration Function Mandatory
Terminal Security Manager
Component Overview
Security health assessment on access terminals is a key indicator of an enterprise's security management. A large number of mobile
staff and partners frequently use their own terminals (such as laptop computers) to access the enterprise LANs, which brings great
challenges to the enterprise information security. Unauthorized terminals may bring computer viruses to the enterprise networks and
even obtain the enterprises' trade secrets, threatening the network security.
The Terminal Security Management component of the Huawei Agile Controller strictly controls network access from all terminal users
and enforces security policies to the users connected to the network. The component supports terminal health check, employee
behavior management and control, software distribution, patch management, and asset management to ensure that terminals
connected to the network possess self-defense capabilities and comply with enterprise's security policies.
Component Characteristics
Terminal Security Hardening, Ensuring that Access Terminals Meet Enterprise Requirements
• Provides more than 5000 predefined terminal security policies, including weak password check, monitoring of unauthorized external connections, web access monitoring, antivirus software monitoring, and mobile storage device monitoring.
• Provides different security rules based on user roles or departments.
Intelligent Patch Management System, Helping Terminal Users Rectify System Vulnerabilities and Improving Enterprise
Terminal Security
• Provides patches for the Microsoft Windows operating system, Microsoft SQL Server database, Microsoft Internet Explorer, and
Microsoft Office.
• Automatically downloads patches from the Microsoft website, and allows servers to connect to the Internet through an agent.
• Distributes files in any format, and automatically executes .exe or .msi files.
• Distributes software by department, operation type, IP address segment, terminal user, and time segment.
• Supports software distribution through fast downloading software to subnets.
Employee Terminal and Network Behavior Auditing, Reducing Risks of Information Leak
• Audits network behaviors, including unauthorized external connections, web access, and network traffic.
• Audits usage of peripheral devices, including USB installation and removable operations, USB file operations, and use of other
peripheral devices.
• Audits terminal files, including file creation, copying, renaming, and deletion.
• Audits terminal operations, for example, controls non-standard software, monitors programs and services, and prohibits read-only or
read-write drive.
Enterprise-level Asset Management, Preventing Employees from Changing Terminal Configurations and Reducing Risks of
Asset Loss
• Collects asset information, including the operating system, hardware and software list, hard disk serial number, and basic input
output system (BIOS) information.
• Generates asset reports and provides asset statistics and asset change analysis.
• Reports asset change alarms, and allows administrators to trace asset information continuously.
Operating Environment
The Terminal Security Management component can work properly only after the Access Control component is deployed. The operating
environment of the Terminal Security Management component is the same as that of the Access Control component.
Deployment Scenarios
The networking of the Terminal Security Management component is similar to that of the Access Control component. Customers need
to install the dedicated NAC client of the Agile Controller before they can enable the terminal security management feature.
Auxiliary Devices
Windows
• Microsoft Windows XP
• Microsoft Windows Vista
• Microsoft Windows 7
• Microsoft Windows 8
• Microsoft Windows 8.1
Ordering Information
Item Remarks
Agile Controller Access Control Function Mandatory
Agile Controller Terminal Security Management Function Mandatory
Agile Controller Terminal Security Feature, Including 200 Terminals License Optional
Agile Controller Terminal Security Feature, Including 500 Terminals License Optional
Agile Controller Terminal Security Feature, Including 1000 Terminals License Optional
Agile Controller Terminal Security Feature, Including 2000 Terminals License Optional
Agile Controller Terminal Security Feature, Including 5000 Terminals License Optional
Agile Controller Terminal Security Feature, Including 10000 Terminals License Optional
Agile Controller Terminal Security Feature, Including 50000 Terminals License Optional
United Security Manager
Component Overview
On traditional networks, the boundaries between enterprise networks and the Internet have security risks. Many enterprises deploy security devices such as firewalls at their network boundaries. However, with the development of mobile services and diversified network attacks, the boundaries of security protection become blurred. Services such as Wi-Fi, mobile terminals, and remote office bring a large number of new security risks and internal attacks, such as viruses, Trojan horses, and APTs. In this case, traditional boundary protection measures become invalid.
The United Security component of the Huawei Agile Controller manages logs and security events from network, security, and IT devices
on the entire network in a centralized manner. The component uses the Big Data correlation analysis technique to evaluate network
security, detect security problems that cannot be detected through single-point protection, and identify Top N risky assets and areas
on the entire network. It allows customers to take proactive defense measures so that they do not need to analyze or trace the attack
sources and network risks.
Component Characteristics
Unique Architectural Design, Re-defining Network Security from the Entire Network Perspective
[Figure: United Security architecture. Labels: Log collection; ② Big data correlation analysis; ③ Security situation evaluation; Security policy takes effect.]
• Provides abundant built-in correlation rules for events. The events include the password guess attack, virus spread, attack in an area,
server DDoS attack, DMZ server penetration attack, and O&M violation (traversing the bastion host).
• Allows users to customize correlation rules, including basic statistics correlation, dynamic statistics correlation, multi-rule nesting
correlation, and multi-dimensional expansion correlation.
• Divides the entire network into several areas and marks them with different colors based on the security view of the entire network.
• Identifies Top N risky assets on the entire network and evaluates the security level of the network, helping users quickly obtain the
network security status.
• Displays details of security events and suggestions, which can be referenced by administrators to address security issues.
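The password guess attack correlation rule listed among the built-in rules above, implemented as an added Python example of basic statistics correlation over constructed log lines (not the product's rule engine): N authentication failures from one source within a time window raise a medium-severity event, and a successful login from that same source inside the window escalates to a high-severity event. The log format (OpenSSH-style records with an ISO 8601 timestamp prefix), the threshold, the window and the documentation-range addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed record format: "<iso-timestamp> <host> sshd[<pid>]: Failed|Accepted password for [invalid user ]<user> from <src> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


class PasswordGuessRule:
    """Basic statistics correlation: N failures from one source within a sliding window.

    A later successful login from a source that already triggered the rule is
    escalated, because that is the case an operator must look at first."""

    def __init__(self, threshold: int = 5, window_seconds: int = 60):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.failures = defaultdict(deque)  # source IP -> timestamps of recent failures
        self.alerted = {}                   # source IP -> time the attack alert was raised

    def feed(self, line: str) -> list:
        m = LOG_RE.match(line)
        if not m:
            return []  # not an authentication record; ignore
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        events = []
        if m["result"] == "Failed":
            q = self.failures[src]
            q.append(ts)
            while q and ts - q[0] > self.window:  # drop failures outside the window
                q.popleft()
            already = src in self.alerted and ts - self.alerted[src] <= self.window
            if len(q) >= self.threshold and not already:  # alert once per window
                self.alerted[src] = ts
                events.append({"rule": "password_guess_attack", "severity": "medium",
                               "src": src, "host": m["host"], "count": len(q), "time": ts})
        elif src in self.alerted and ts - self.alerted[src] <= self.window:
            events.append({"rule": "password_guess_then_success", "severity": "high",
                           "src": src, "host": m["host"], "user": m["user"], "time": ts})
        return events


# Constructed sample log lines (RFC 5737 documentation addresses), not real telemetry.
SAMPLE_LOGS = """\
2024-01-10T09:00:01 srv1 sshd[1201]: Failed password for root from 203.0.113.7 port 51001 ssh2
2024-01-10T09:00:03 srv1 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
2024-01-10T09:00:05 srv1 sshd[1203]: Failed password for root from 203.0.113.7 port 51003 ssh2
2024-01-10T09:00:07 srv1 sshd[1204]: Failed password for alice from 203.0.113.7 port 51004 ssh2
2024-01-10T09:00:09 srv1 sshd[1205]: Failed password for alice from 203.0.113.7 port 51005 ssh2
2024-01-10T09:00:11 srv1 sshd[1206]: Failed password for alice from 203.0.113.7 port 51006 ssh2
2024-01-10T09:00:15 srv1 sshd[1208]: Accepted password for alice from 203.0.113.7 port 51007 ssh2
2024-01-10T09:30:00 srv1 sshd[1300]: Failed password for bob from 198.51.100.4 port 40001 ssh2
2024-01-10T09:30:20 srv1 sshd[1301]: Accepted password for bob from 198.51.100.4 port 40002 ssh2
"""


def run_correlation(log_text: str, rule: PasswordGuessRule = None) -> list:
    """Feed every line through the rule and collect the events it raises."""
    rule = rule or PasswordGuessRule()
    events = []
    for line in log_text.splitlines():
        events.extend(rule.feed(line))
    return events
```

On the sample input the rule fires once for 203.0.113.7 (the sixth failure is inside the same window and does not re-alert) and escalates on alice's subsequent login; bob's single failure followed by a success produces nothing, which is the false-positive case a threshold rule is meant to suppress.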
Operating Environment
Configuration requirements for a United Security server are as follows:
Database
• Mongo DB
• MySQL 5.5
Deployment Scenarios
The United Security component has no special networking requirements, provided that there are reachable IP routes between the Agile
Controller server and the associated network devices.
[Figure: United Security deployment: the Agile Controller and the United Security server connected to the network.]
Auxiliary Devices
Huawei security device
• NGFW
• DDOS
• ASG
• NIP
• SVN
Huawei network device
• Sx7 switches
• AR routers
• WLAN devices
Third-party device
Devices that support log collection through standard protocols, including the following:
• Syslog
• SNMP
• FTP/SFTP
• OPSEC
• ODBC
• Devices that support log collection through universal files and dedicated log collection interfaces.
Ordering Information
Item Remarks
Agile Controller United Security Function Mandatory
Agile Controller United Security, Including 500 EPS License Optional
Agile Controller United Security, Including 1000 EPS License Optional
Agile Controller United Security, Including 2500 EPS License Optional
Agile Controller United Security, Including 5000 EPS License Optional
EPS: short for events per second, indicating the number of log events processed per second.
More Information
For more information about the Huawei Agile Controller, visit http://enterprise.huawei.com.
Copyright © Huawei Technologies Co., Ltd. 2014. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Trademark Notice
[logo], HUAWEI, and [logo] are trademarks or registered trademarks of Huawei Technologies Co., Ltd.
Other trademarks, product, service and company names mentioned are the property of their respective owners.
General Disclaimer
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.