Setting up an ASA VPN Load-Balancing cluster

In this article I want to give step-by-step instructions on how you can quickly deploy what is currently the most scalable scheme for remote-access VPN based on the AnyConnect client and Cisco ASA: a VPN Load-Balancing cluster.

Introduction: Many companies around the world are trying to move their employees to remote work because of the current COVID-19 situation. The mass shift to remote work sharply increases the load on companies' existing VPN gateways and demands the ability to scale them very quickly. On the other hand, many companies are forced to adopt the concept of remote work from scratch, in a hurry.

To help enterprises quickly deliver convenient, secure and scalable VPN access for employees, Cisco is providing 13-week licenses for the feature-rich AnyConnect SSL-VPN client. You can also obtain an ASAv for trial (the virtual ASA for VMWare/Hyper-V/KVM hypervisors and the AWS/Azure cloud platforms) from authorized partners or by contacting the Cisco representatives who work with you.

The procedure for issuing AnyConnect COVID-19 licenses is described here.

I have prepared step-by-step instructions for a simple variant of deploying a VPN Load-Balancing cluster, as the most scalable VPN technology.

The example below is very simple in terms of authentication and authorization, but it is a good option for a quick start (which many are lacking right now), with the possibility of deep customization to your needs during deployment.

Brief background: VPN Load Balancing Cluster technology is not a failover or clustering function in the usual sense; it can combine completely different ASA models (with certain restrictions) to load-balance remote-access VPN connections. There is no synchronization of sessions or configuration between the nodes of such a cluster, but VPN connections are balanced automatically and remain fault tolerant as long as at least one active node remains in the cluster. The load in the cluster is balanced automatically according to the workload of the nodes, measured by the number of VPN sessions.

For fault tolerance of specific cluster nodes you can (if needed) use failover, so that an active connection is handled by the primary node of the failover pair. Failover is not a prerequisite for fault tolerance in a Load-Balancing cluster: when a node goes down, the cluster itself moves the user session to another live node, but without preserving connection state, which is exactly what failover provides. Accordingly, the two technologies can be combined if needed.

A VPN Load-Balancing cluster can contain more than two nodes.

VPN Load-Balancing cluster is supported on the ASA 5512-X and higher.

Since each ASA in a VPN Load-Balancing cluster is an independent unit in terms of configuration, we perform all configuration steps separately on each individual device.

Details of the technology are here.

The logical topology of this example is shown in the figure.

Initial deployment:

  1. We deploy ASAv instances of the required templates (ASAv5/10/30/50) from the image.

  2. We assign the INSIDE/OUTSIDE interfaces to common VLANs (OUTSIDE in its own VLAN, INSIDE in its own, but each shared across the cluster; see the topology). It is important that interfaces of the same type sit in the same L2 segment.

  3. Licenses:

    • At deployment time the ASAv has no license and is limited to 100 kbit/s.
    • To install a license you need to create a token in your Smart-Account: https://software.cisco.com/ -> Smart Software Licensing
    • In the window that opens, click the New Token button.

    • In the window that opens, make sure the field is active and tick the checkbox Allow export-controlled functionality... Without this field active you will not be able to use strong encryption features and, accordingly, VPN. If the field is not active, contact your account team to request activation.

    • After clicking the Create Token button, a token is created that we will use to obtain licenses for the ASAv; copy it.

    • We repeat steps C, D, E for each deployed ASAv.
    • To make copying the token easier, let's temporarily enable telnet. We configure each ASA (the example below shows the ASA-1 settings). Telnet does not work on the outside interface; if you really need it there, change that interface's security level to 100 and then change it back.

    !
    ciscoasa(config)# int gi0/0
    ciscoasa(config)# nameif outside
    ciscoasa(config)# ip address 192.168.31.30 255.255.255.0
    ciscoasa(config)# no shut
    !
    ciscoasa(config)# int gi0/1
    ciscoasa(config)# nameif inside
    ciscoasa(config)# ip address 192.168.255.2 255.255.255.0
    ciscoasa(config)# no shut
    !
    ciscoasa(config)# telnet 0 0 inside
    ciscoasa(config)# username admin password cisco priv 15
    ciscoasa(config)# ena password cisco
    ciscoasa(config)# aaa authentication telnet console LOCAL
    !
    ciscoasa(config)# route outside 0 0 192.168.31.1
    !
    ciscoasa(config)# wr
    !

    • To register the token with the Smart-Account cloud you need to give the ASA Internet access; details are here.

    In short, the ASA needs:

    • Internet access over HTTPS;
    • time synchronization (preferably via NTP);
    • a configured DNS server.

    • We go to the ASA via telnet and configure it to activate the license through the Smart-Account.

    !
    ciscoasa(config)# clock set 19:21:00 Mar 18 2020
    ciscoasa(config)# clock timezone MSK 3
    ciscoasa(config)# ntp server 192.168.99.136
    !
    ciscoasa(config)# dns domain-lookup outside
    ciscoasa(config)# dns server-group DefaultDNS
    ciscoasa(config-dns-server-group)# name-server 192.168.99.132
    !
    ! Check that DNS works:
    !
    ciscoasa(config-dns-server-group)# ping ya.ru
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 87.250.250.242, timeout is 2 seconds:
    !!!!!
    !
    ! Check NTP synchronization:
    !
    ciscoasa(config)# show ntp associations 
      address         ref clock     st  when  poll reach  delay  offset    disp
    *~192.168.99.136   91.189.94.4       3    63    64    1    36.7    1.85    17.5
    * master (synced), # master (unsynced), + selected, - candidate, ~ configured
    !
    ! Set the Smart-Licensing configuration of our ASAv (according to your profile; in my case 100M, as an example)
    !
    ciscoasa(config)# license smart
    ciscoasa(config-smart-lic)# feature tier standard
    ciscoasa(config-smart-lic)# throughput level 100M
    !
    ! If needed, Internet access through a proxy can be configured with the following block of commands:
    !call-home
    !  http-proxy ip_address port port
    !
    ! Next we paste the token (<token>) copied from the Smart-Account portal and register the license
    !
    ciscoasa(config)# end
    ciscoasa# license smart register idtoken <token>

    • We check that the device has registered the license successfully and that encryption features are available.

  4. Basic SSL-VPN setup on each gateway

    • Next, we configure access via SSH and ASDM:

    ciscoasa(config)# ssh ver 2
    ciscoasa(config)# aaa authentication ssh console LOCAL
    ciscoasa(config)# aaa authentication http console LOCAL
    ciscoasa(config)# hostname vpn-demo-1
    vpn-demo-1(config)# domain-name ashes.cc
    vpn-demo-1(config)# cry key gen rsa general-keys modulus 4096 
    vpn-demo-1(config)# ssh 0 0 inside  
    vpn-demo-1(config)# http 0 0 inside
    !
    ! Bring up the HTTPS server for ASDM on port 445 so that it does not clash with the SSL-VPN portal
    !
    vpn-demo-1(config)# http server enable 445 
    !

    • For ASDM to work, you first need to download it from cisco.com; in my case it is the file shown in the screenshot.

    • For the AnyConnect client to work, you need to upload an image to each ASA for every client desktop OS you plan to use (Linux/Windows/MAC); you will need the file listed under the heading Headend Deployment Package.

    • The downloaded files can be uploaded, for example, to an FTP server and then loaded onto each individual ASA.

    • We configure a self-signed certificate for ASDM and SSL-VPN (in production, using a trusted certificate is recommended). The FQDN of the cluster's Virtual address (vpn-demo.ashes.cc), as well as each FQDN tied to the external address of each cluster node, must resolve in the external DNS zone to the IP address of the OUTSIDE interface (or, if port forwarding of udp/443 (DTLS) and tcp/443 (TLS) is used, to the mapped address). Details on the certificate requirements are given in the Certificate Validation section of the documentation.

    !
    vpn-demo-1(config)# crypto ca trustpoint SELF
    vpn-demo-1(config-ca-trustpoint)# enrollment self
    vpn-demo-1(config-ca-trustpoint)# fqdn vpn-demo.ashes.cc
    vpn-demo-1(config-ca-trustpoint)# subject-name cn=*.ashes.cc, ou=ashes-lab, o=ashes, c=ru
    vpn-demo-1(config-ca-trustpoint)# serial-number             
    vpn-demo-1(config-ca-trustpoint)# crl configure
    vpn-demo-1(config-ca-crl)# cry ca enroll SELF
    % The fully-qualified domain name in the certificate will be: vpn-demo.ashes.cc
    Generate Self-Signed Certificate? [yes/no]: yes
    vpn-demo-1(config)# 
    !
    vpn-demo-1(config)# sh cry ca certificates 
    Certificate
    Status: Available
    Certificate Serial Number: 4d43725e
    Certificate Usage: General Purpose
    Public Key Type: RSA (4096 bits)
    Signature Algorithm: SHA256 with RSA Encryption
    Issuer Name: 
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
    Subject Name:
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
    Validity Date: 
    start date: 00:16:17 MSK Mar 19 2020
    end   date: 00:16:17 MSK Mar 17 2030
    Storage: config
    Associated Trustpoints: SELF 
    
    CA Certificate
    Status: Available
    Certificate Serial Number: 0509
    Certificate Usage: General Purpose
    Public Key Type: RSA (4096 bits)
    Signature Algorithm: SHA1 with RSA Encryption
    Issuer Name: 
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
    Subject Name: 
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
    Validity Date: 
    start date: 21:27:00 MSK Nov 24 2006
    end   date: 21:23:33 MSK Nov 24 2031
    Storage: config
    Associated Trustpoints: _SmartCallHome_ServerCA               

    • When checking that ASDM works, do not forget to specify the port in the URL.

    • Let's do the basic tunnel settings:
    • We create access to the corporate network through the tunnel and let Internet traffic go directly (not the most secure approach when the connecting host has no security measures of its own: a compromised host can be used to get into the corporate network and exfiltrate data; the option split-tunnel-policy tunnelall sends all of the host's traffic into the tunnel. Nevertheless, split-tunnel offloads the VPN gateway by not processing the host's Internet traffic).
    • We issue addresses to hosts in the tunnel from the 192.168.20.0/24 subnet (the pool of addresses .10 to .30 for node 1). Each node in the cluster must have its own VPN pool.
    • We perform basic authentication with a locally created user on the ASA (this is not recommended, it is simply the easiest method); it is better to authenticate via LDAP/RADIUS, or better still, tie in Multi-Factor Authentication (MFA), for example Cisco DUO.

    !
    vpn-demo-1(config)# ip local pool vpn-pool 192.168.20.10-192.168.20.30 mask 255.255.255.0
    !
    vpn-demo-1(config)# access-list split-tunnel standard permit 192.168.0.0 255.255.0.0
    !
    vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY internal
    vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY attributes
    vpn-demo-1(config-group-policy)# vpn-tunnel-protocol ssl-client 
    vpn-demo-1(config-group-policy)# split-tunnel-policy tunnelspecified
    vpn-demo-1(config-group-policy)# split-tunnel-network-list value split-tunnel
    vpn-demo-1(config-group-policy)# dns-server value 192.168.99.132
    vpn-demo-1(config-group-policy)# default-domain value ashes.cc
    vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
    vpn-demo-1(config-tunnel-general)#  default-group-policy SSL-VPN-GROUP-POLICY
    vpn-demo-1(config-tunnel-general)#  address-pool vpn-pool
    !
    vpn-demo-1(config)# username dkazakov password cisco
    vpn-demo-1(config)# username dkazakov attributes
    vpn-demo-1(config-username)# service-type remote-access
    !
    vpn-demo-1(config)# ssl trust-point SELF
    vpn-demo-1(config)# webvpn
    vpn-demo-1(config-webvpn)#  enable outside
    vpn-demo-1(config-webvpn)#  anyconnect image disk0:/anyconnect-win-4.8.03036-webdeploy-k9.pkg
    vpn-demo-1(config-webvpn)#  anyconnect enable
    !

    • (optional): In the example above we used a local user on the firewall to authenticate remote users, which is of course of little use outside the lab. I will give an example of how to quickly adapt the setup for authentication against a RADIUS server, for example Cisco Identity Services Engine:

    vpn-demo-1(config)# aaa-server RADIUS protocol radius
    vpn-demo-1(config-aaa-server-group)# dynamic-authorization
    vpn-demo-1(config-aaa-server-group)# interim-accounting-update
    vpn-demo-1(config-aaa-server-group)# aaa-server RADIUS (outside) host 192.168.99.134
    vpn-demo-1(config-aaa-server-host)# key cisco
    vpn-demo-1(config-aaa-server-host)# exit
    vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
    vpn-demo-1(config-tunnel-general)# authentication-server-group  RADIUS 
    !
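    Because every node of the cluster is configured by hand and on its own, it is easy to leave one node behind: telnet still enabled after the licensing step, the self-signed trust-point still in use, the WebVPN tunnel-group still on LOCAL users, or two nodes handed overlapping address pools. The following audit is an added example, not code from the article or a Cisco tool; it runs over constructed config excerpts in the article's style (node 1 as configured above, node 2 with assumed trust-point and RADIUS names) and reports these four conditions per node and across nodes.

```python
"""Audit of the per-node configs of a VPN Load-Balancing cluster.

Added example, not code from the original article or a Cisco tool. Because
every node is configured on its own, the checks run over each node's saved
config text and then across nodes: telnet left enabled after the licensing
step, a self-signed SSL trust-point outside the lab, a WebVPN tunnel-group
that still authenticates against LOCAL users, and address pools that overlap
between nodes. The config excerpts are constructed in the article's style.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpts: node 1 as in the article; node 2 moved to RADIUS and a
# CA-issued trust-point (assumed names), but given a pool that overlaps node 1.
NODE_CONFIGS = {
    "vpn-demo-1": """
telnet 0 0 inside
ip local pool vpn-pool 192.168.20.10-192.168.20.30 mask 255.255.255.0
ssl trust-point SELF
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy SSL-VPN-GROUP-POLICY
 address-pool vpn-pool
""",
    "vpn-demo-2": """
ip local pool vpn-pool 192.168.20.25-192.168.20.45 mask 255.255.255.0
ssl trust-point PUBLIC-CA
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy SSL-VPN-GROUP-POLICY
 address-pool vpn-pool
 authentication-server-group RADIUS
""",
}

Pool = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+) mask", re.M)
TELNET_RE = re.compile(r"^telnet (?!timeout)\S+ \S+ \S+", re.M)   # "telnet <net> <mask> <if>"
TUNNEL_RE = re.compile(r"^tunnel-group DefaultWEBVPNGroup general-attributes\n((?: .*\n)*)", re.M)


def parse_pool(config: str) -> Optional[Pool]:
    """First and last address of the node's 'ip local pool', or None."""
    m = POOL_RE.search(config)
    if not m:
        return None
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def audit_node(config: str) -> List[str]:
    """Per-node findings, each a short sentence naming the fix."""
    findings = []
    if TELNET_RE.search(config):
        findings.append("telnet still enabled; remove it once licensing is done")
    if re.search(r"^ssl trust-point SELF\b", config, re.M):
        findings.append("self-signed SSL trust-point; use a trusted certificate in production")
    block = TUNNEL_RE.search(config)
    if block and "authentication-server-group" not in block.group(1):
        findings.append("WebVPN tunnel-group uses LOCAL users; point it at RADIUS/LDAP with MFA")
    if parse_pool(config) is None:
        findings.append("no ip local pool defined")
    return findings


def overlapping_pools(configs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of node names whose address pools share at least one address."""
    pools: Dict[str, Pool] = {}
    for name, config in configs.items():
        pool = parse_pool(config)
        if pool:
            pools[name] = pool
    names = list(pools)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (a1, a2), (b1, b2) = pools[a], pools[b]
            if a1 <= b2 and b1 <= a2:          # closed ranges intersect
                clashes.append((a, b))
    return clashes


def audit_cluster(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Per-node findings plus the cross-node pool-overlap findings."""
    report = {name: audit_node(config) for name, config in configs.items()}
    for a, b in overlapping_pools(configs):
        report[a].append(f"address pool overlaps with {b}; each node needs its own pool")
        report[b].append(f"address pool overlaps with {a}; each node needs its own pool")
    return report


if __name__ == "__main__":
    for node, findings in audit_cluster(NODE_CONFIGS).items():
        print(f"{node}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

    Run it against the output of `show running-config` saved from each node; with the constructed excerpts, node 1 gets four findings and node 2 only the pool overlap.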

    This integration makes it possible not only to quickly tie the authentication procedure to the AD directory service, but also to determine whether the connecting computer belongs to AD, to tell whether it is a corporate or a personal device, and to assess the posture of the connecting device.

    • We configure Transparent NAT so that traffic between the client and the corporate network's resources is not interfered with:

    vpn-demo-1(config)# object network vpn-users
    vpn-demo-1(config-network-object)#  subnet 192.168.20.0 255.255.255.0
    !
    vpn-demo-1(config)# nat (inside,outside) source static any any destination static vpn-users vpn-users no-proxy-arp

    • (optional): To let our clients out to the Internet through the ASA using PAT (when using the tunnelall option), and to have them exit through the same OUTSIDE interface they connected on, you need the following settings:

    vpn-demo-1(config)# nat (outside,outside) source dynamic vpn-users interface
    vpn-demo-1(config)# nat (inside,outside) source dynamic any interface
    vpn-demo-1(config)# same-security-traffic permit intra-interface 
    !

    • When using a cluster it is very important that the internal network can tell which ASA to send users' return traffic to; for this, the /32 routes to the addresses issued to clients must be redistributed.
      At this point we have not yet configured the cluster, but we already have working VPN gateways that you can connect to individually via FQDN or IP.

    We see the connected client in the routing table of the first ASA.

    So that our entire VPN cluster and the whole corporate network know the path to our client, we redistribute the client prefix into a dynamic routing protocol, for example OSPF:

    !
    vpn-demo-1(config)# access-list VPN-REDISTRIBUTE standard permit 192.168.20.0 255.255.255.0
    !
    vpn-demo-1(config)# route-map RMAP-VPN-REDISTRIBUTE permit 1
    vpn-demo-1(config-route-map)#  match ip address VPN-REDISTRIBUTE
    !
    vpn-demo-1(config)# router ospf 1
    vpn-demo-1(config-router)#  network 192.168.255.0 255.255.255.0 area 0
    vpn-demo-1(config-router)#  log-adj-changes
    vpn-demo-1(config-router)#  redistribute static metric 5000 subnets route-map RMAP-VPN-REDISTRIBUTE

    Now we have a route to the client from the second gateway, ASA-2, and users connected to different VPN gateways inside the cluster can communicate directly, for example via a corporate softphone, just as return traffic from the resources a user requested arrives at the right VPN gateway.

  5. Let's move on to setting up the Load-Balancing cluster.

    The address 192.168.31.40 is used as the Virtual IP (VIP; all VPN clients initially connect to it), and from this address the Cluster Master REDIRECTs each client to a less loaded cluster node. Do not forget to register forward and reverse DNS records both for the external address/FQDN of every cluster node and for the VIP.

    vpn-demo-1(config)# vpn load-balancing
    vpn-demo-1(config-load-balancing)# interface lbpublic outside
    vpn-demo-1(config-load-balancing)# interface lbprivate inside
    vpn-demo-1(config-load-balancing)# priority 10
    vpn-demo-1(config-load-balancing)# cluster ip address 192.168.31.40
    vpn-demo-1(config-load-balancing)# cluster port 4000
    vpn-demo-1(config-load-balancing)# redirect-fqdn enable
    vpn-demo-1(config-load-balancing)# cluster key cisco
    vpn-demo-1(config-load-balancing)# cluster encryption
    vpn-demo-1(config-load-balancing)# cluster port 9023
    vpn-demo-1(config-load-balancing)# participate
    vpn-demo-1(config-load-balancing)#
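    Two requirements from the text are easy to get wrong and only show up as failed client connections: every node FQDN and the VIP FQDN must have matching forward and reverse DNS records pointing at the expected OUTSIDE (or mapped) address, and the certificate's CN must cover each of those names (the article's certificate uses the wildcard *.ashes.cc). The check below is an added example, not code from the article or from Cisco; node 2's address and all DNS data are constructed, and the lookups are passed in as functions so it runs offline, with socket-based lookups available for a live run.

```python
"""Pre-flight check of cluster names and certificate coverage.

Added example, not code from the original article or from Cisco. It checks
what the text requires before clients are pointed at the VIP: each node FQDN
and the VIP FQDN must resolve forward and reverse to the expected OUTSIDE (or
mapped) address, and the certificate CN must cover every FQDN. Lookups are
passed in as functions, so the check runs offline against the constructed
tables below; swap in the socket-based lookups for a live check.
"""
import socket
from typing import Callable, Dict, List, Optional

# Constructed cluster table in the article's addressing scheme; node 2's
# address is assumed (the article only shows node 1).
CLUSTER = {
    "vpn-demo.ashes.cc": "192.168.31.40",    # VIP
    "vpn-demo-1.ashes.cc": "192.168.31.30",  # node 1 OUTSIDE
    "vpn-demo-2.ashes.cc": "192.168.31.31",  # node 2 OUTSIDE (assumed)
}

# Constructed DNS zone: forward records complete, PTR for node 2 missing.
FORWARD_ZONE = {
    "vpn-demo.ashes.cc": "192.168.31.40",
    "vpn-demo-1.ashes.cc": "192.168.31.30",
    "vpn-demo-2.ashes.cc": "192.168.31.31",
}
REVERSE_ZONE = {
    "192.168.31.40": "vpn-demo.ashes.cc",
    "192.168.31.30": "vpn-demo-1.ashes.cc",
}

Lookup = Callable[[str], Optional[str]]


def zone_forward(name: str) -> Optional[str]:
    return FORWARD_ZONE.get(name)


def zone_reverse(ip: str) -> Optional[str]:
    return REVERSE_ZONE.get(ip)


def live_forward(name: str) -> Optional[str]:
    """Real A-record lookup; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def live_reverse(ip: str) -> Optional[str]:
    """Real PTR lookup; None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def cn_matches(cn: str, fqdn: str) -> bool:
    """Hostname match with a single-label leftmost wildcard, as VPN clients do."""
    cn, fqdn = cn.lower().rstrip("."), fqdn.lower().rstrip(".")
    if cn.startswith("*."):
        suffix = cn[1:]                                   # ".ashes.cc"
        label = fqdn[:-len(suffix)] if fqdn.endswith(suffix) else ""
        return label != "" and "." not in label           # exactly one label replaced
    return cn == fqdn


def check_cluster(cluster: Dict[str, str], cert_cn: str,
                  forward: Lookup, reverse: Lookup) -> List[str]:
    """Return human-readable problems; an empty list means all checks passed."""
    problems = []
    for fqdn, expected_ip in cluster.items():
        ip = forward(fqdn)
        if ip != expected_ip:
            problems.append(f"{fqdn}: forward lookup gave {ip}, expected {expected_ip}")
        else:
            ptr = reverse(ip)
            if ptr != fqdn:
                problems.append(f"{fqdn}: reverse lookup of {ip} gave {ptr}")
        if not cn_matches(cert_cn, fqdn):
            problems.append(f"{fqdn}: not covered by certificate CN {cert_cn}")
    return problems


if __name__ == "__main__":
    result = check_cluster(CLUSTER, "*.ashes.cc", zone_forward, zone_reverse)
    for line in result or ["all checks passed"]:
        print(line)
```

    For a live check call `check_cluster(CLUSTER, "*.ashes.cc", live_forward, live_reverse)` from a host that uses the external resolver; with the constructed zone the only finding is the missing PTR record for node 2.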

    • We check the operation of the cluster with two connected clients.

    • Let's make the client experience more convenient with an AnyConnect profile, created via ASDM, that is downloaded automatically.

    We give the profile a convenient name and bind our group policy to it.

    On the next client connection this profile is downloaded automatically and installed in the AnyConnect client, so when you need to connect you simply select it from the list.

    Since we used ASDM, we created this profile on only one ASA; do not forget to repeat the steps on the remaining ASAs in the cluster.

Conclusion: So, we have quickly deployed a cluster of several VPN gateways with automatic load balancing. Adding new nodes to the cluster is easy, giving simple horizontal scaling by deploying new ASAv virtual machines or adding hardware ASAs. The feature-rich AnyConnect client can significantly extend secure remote-access capabilities, and it is used most effectively together with Posture (state assessment) and the centralized access control and accounting of Identity Services Engine.

Manba: www.habr.com
