http://www.3com.com/

OfficeConnect® Internet Firewall User Guide

OfficeConnect Internet Firewall 25 3C16770
OfficeConnect Internet Firewall DMZ 3C16771
OfficeConnect Web Site Filter 3C16772

Part No. DUA1677-0AAA03
Published June 2000

Summary of Contents for 3C16772 - OfficeConnect Web Site Filter

Page 1: ... com OfficeConnect Internet Firewall User Guide OfficeConnect Internet Firewall 25 3C16770 OfficeConnect Internet Firewall DMZ 3C16771 OfficeConnect Web Site Filter 3C16772 Part No DUA1677 0AAA03 Published June 2000 ...

Page 2: ...States government agency then this documentation and the software described herein are provided to you subject to the following All technical data and computer software are commercial in nature and developed solely at private expense Software is delivered as Commercial Computer Software as defined in DFARS 252 227 7014 June 1995 or as a commercial item as defined in FAR 2 101 a and as such is prov...

Page 3: ... from the Internet 22 Automatic IP Address Sharing and Configuration 22 2 INSTALLING THE HARDWARE Important Safety Information 23 Wichtige Sicherheitshinweise 24 Consignes Importantes de Sécurité 25 Before You Start 26 Stacking the Units Together 27 Securing the Internet Firewall with the Rubber Feet 27 Stacking the Internet Firewall with the Clip 27 Positioning the Internet Firewall 28 Securing t...

Page 4: ...nternet Firewall DMZ only 58 Setting up the DHCP Server 60 Viewing the DHCP Server Status 63 Diagnostic Tools 63 DNS Name Lookup 64 Find Network Path 65 Ping 66 Packet Trace 67 Technical Support Report 68 Filter Settings 69 Restricting the Web Features Available 70 Blocking Options 71 The OfficeConnect Web Site Filter 71 Specifying When Filtering Applies 72 Update Filter 73 Keywords 75 Custom List...

Page 5: ...e of Installing a Proxy Server 112 Specifying Intranet Settings 113 Installing the Internet Firewall to Protect the Intranet 114 Configuring the Internet Firewall to Protect the Intranet 115 Intranet Window Boxes and Controls 116 Static Routes 117 Static Routes Window Boxes and Controls 117 Setting up One to One NAT 118 5 THE OFFICECONNECT WEB SITE FILTER ACTIVATION What is the Web Site Filter 121...

Page 6: ...TIONAL DIRECT CONNECTION Introduction 135 Direct Connection Instructions 135 D IP PORT NUMBERS Introduction 137 Well Known Port Numbers 137 Registered Port Numbers 137 E EXAMPLE CONFIGURATIONS Introduction 139 Protecting an Existing Network with the Internet Firewall 25 140 Increasing the number of IP addresses available using NAT 146 Setting up the Internet Firewall 25 with an OfficeConnect 56K L...

Page 7: ...ICAL SUPPORT Online Technical Services 167 World Wide Web Site 167 3Com Knowledgebase Web Services 168 3Com FTP Site 168 3Com Facts Automated Fax Service 168 Support from Your Network Supplier 168 Support from 3Com 169 Returning Products for Repair 170 INDEX 3COM CORPORATION LIMITED WARRANTY ELECTROMAGNETIC COMPATIBILITY ...

Page 9: ... OfficeConnect Internet Firewall DMZ supports up to 100 users on the LAN. In addition, the OfficeConnect Internet Firewall DMZ has a Demilitarized Zone (DMZ) port. Servers and workstations attached to this port are publicly accessible from the Internet but remain secure from Denial of Service (DoS) hacker attacks from the Internet. If an Internet Firewall feature described in this guide applies only to th...

Page 10: ...How to Use This Guide Table 1 shows where to look for specific information in this guide Table 1 Where to find specific information If you are looking for Turn to A description of the Internet Firewall s features and example applications Chapter 1 A description of the Internet Firewall s front and back panel displays and connectors and installation information Chapter 2 A quick setup guide for the...

Page 11: ...n resetting the Internet Firewall Appendix G Information about obtaining Technical Support Appendix H Table 1 Where to find specific information continued If you are looking for Turn to Table 2 Notice Icons Icon Notice Type Description Information note Information that describes important features or instructions Caution Information that alerts you to potential loss of data or potential damage to ...

Page 12: ...nts information as it appears on the screen Commands The word command means that you must enter the command exactly as shown and then press Return or Enter Commands appear in bold Example To remove the IP address enter the following command SETDefault 0 IP NETaddr 0 0 0 0 The words enter and type When you see the word enter in this guide you must type something and then press Return or Enter Do no...

Page 13: ...ss that provides Internet access to individuals or organizations. Internet Firewall: Used in this guide to refer to both the OfficeConnect Internet Firewall 25 and the OfficeConnect Internet Firewall DMZ. LAND Attack: A type of DoS attack. In a LAND attack, a packet is sent that appears to come from the same address and port that it is sent to. This can hang the machine to which it is sent. Management Sta...

Page 14: ...ions, no other clients can make genuine connections to that server. UTC stands for Universal Time Co-ordinated and is the standard time common to all places in the world. It is also commonly referred to as GMT or World Time. Web Site Filter: Abbreviation for the OfficeConnect Web Site Filter. Year 2000 Compliance: For information on Year 2000 compliance and 3Com products, visit the 3Com Year 2000 Web page...

Page 15: ...r Guide 15 Example OfficeConnect Internet Firewall User Guide Part Number DUA1677 1AAA02 Page 24 Do not use this e mail address for technical support questions For information about contacting Technical Support see Appendix H ...

Page 17: ...low a private Local Area Network (LAN) to be securely connected to the Internet. You can use the Internet Firewall to: prevent theft, destruction and modification of data; filter incoming data for unsafe or objectionable content; log events which may be important to the security of your network. The Internet Firewall has either two or three Ethernet ports, depending on the model, which are used to divide th...

Page 18: ...ted from hacker attacks. Users on the secure LAN port can also access servers on the DMZ port. Internet Firewall Security Functions: Figure 1 and Figure 2 illustrate security functions on the Internet Firewall. Users on the LAN have access to all resources on the Internet that are not blocked by any of the filters. In Figure 2, computers on the LAN also have full access to devices on the DMZ. Users on th...

Page 19: ...tures. This section lists the features of the Internet Firewall. Firewall Security: The OfficeConnect Internet Firewall is preconfigured to monitor Internet traffic, and to detect and thwart Denial of Service (DoS) hacker attacks automatically. DoS attacks include: Ping of Death, SYN Flood, LAND Attack, IP Spoofing ...

Page 20: ...et Figure 2: Internet Firewall DMZ Security Functions. The Internet Firewall uses stateful packet inspection to determine if a data packet from the Internet is allowed through to the private LAN. This is similar to algorithms implemented in more costly firewalls commonly used in large enterprises ...

Page 21: ...hackers may use the technologies to steal or damage data The Internet Firewall can block these potentially damaging applications from being downloaded from the Internet or allow them only from trusted sites See Filter Settings on page 69 for more information You can also use the optional OfficeConnect Web Site Filter to extend these filtering capabilities of your Internet Firewall It provides a li...

Page 22: ...ng and Configuration: The Internet Firewall provides sharing of a single public IP address through Network Address Translation (NAT). It also provides simplified IP address administration using the Dynamic Host Configuration Protocol (DHCP). NAT automatically translates multiple IP addresses on the small business LAN to one public address that is sent out to the Internet. It enables the Internet Firewall ...

Page 23: ...nformationen sorgfältig durch bevor Sie das Gerät einschalten AVERTISSEMENT Veuillez lire attentivement la section Consignes importantes de sécurité avant de mettre en route See Appendix A for information about the cable specifications for the OfficeConnect Internet Firewall and Appendix B for information about technical specifications Important Safety Information WARNING Warnings contain directio...

Page 24: ...th problem solving actions in this guide contact your supplier Disconnect the power adapter before moving the unit WARNING RJ 45 ports These are shielded RJ 45 data sockets They cannot be used as telephone sockets Only connect RJ 45 data connectors to these sockets Wichtige Sicherheitshinweise WARNHINWEIS Warnhinweise enthalten Anweisungen die Sie zu Ihrer eigenen Sicherheit befolgen müssen Alle A...

Page 25: ...nschlüsse Dies sind abgeschirmte RJ 45 Datenbuchsen Sie können nicht als Telefonanschlußbuchsen verwendet werden An diesen Buchsen dürfen nur RJ 45 Datenstecker angeschlossen werden Consignes Importantes de Sécurité AVERTISSEMENT Les avertissements présentent des consignes que vous devez respecter pour garantir votre sécurité personnelle Vous devez respecter attentivement toutes les consignes Nous...

Page 26: ...areil AVERTISSEMENT Ports RJ 45 Il s agit de prises femelles blindées de données RJ 45 Vous ne pouvez pas les utiliser comme prise de téléphone Branchez uniquement des connecteurs de données RJ 45 sur ces prises femelles Before You Start Your Internet Firewall comes with the following A power adapter for use with the Internet Firewall A Product Registration card for you to fill out and return Four...

Page 27: ...n a flat surface. 2 Fit the clip across the top of the Internet Firewall as shown in Figure 3 (picture 1), making sure that the longer sections of the fastening piece are pointing downwards. 3 Align the fastening pieces over the slots found on each side of the unit. 4 Push the clip down gently to secure it, making sure that the fastening pieces snap into the slots on the unit. To fit another unit: 1 Rest ...

Page 28: ...facing upwards to prevent dust entering the cooling vents When wall mounting the Internet Firewall make sure that it is within reach of the power outlet You need two suitable screws Make sure that the wall you are going to use is smooth flat dry and sturdy Make two small diameter holes which are 142mm 5 6 in apart as a guide for the screws Fix the screws into the wall leaving their heads 3mm 0 21 ...

Page 29: ...wing LEDs Alert LED Orange alerts you to the following A failure in the self test the Internet Firewall runs when switched on Potential attacks on your network An attempt to access a restricted Web site A hacker attack or access to a restricted service On permanently indicates a problem Refer to Chapter 6 Power LED Green the unit is switched on Flashing self test is running WAN LAN and DMZ Interne...

Page 30: ... Panel The Internet Firewall 25 does not have a DMZ port The Internet Firewall rear panel contains the following Power Adapter socket Only use the power adapter supplied with the Internet Firewall Do not use any other adapter Reset Switch recessed LAN Port Use 10BASE T cable with RJ 45 connectors You can connect the Internet Firewall to any workstation or piece of equipment that has a 10BASE T por...

Page 31: ...uplink Unless you are configuring the Internet Firewall DMZ for intranet support devices on the WAN port are not directly accessible by users on the LAN Do not attach servers or any device other than the Internet access device to the WAN port Attaching the Internet Firewall to the Network Never connect two ports on the Internet Firewall to the same physical wire For example never connect the LAN a...

Page 32: ...n of its Ethernet port If it has an MDIX normal configuration then you can use a standard 10BASE T cable Otherwise you must use a crossover cable See Appendix A for more information about the cable pinouts 3 Connect the Ethernet port labeled LAN to the LAN If you are connecting the LAN port to a hub or switch using a standard 10BASE T cable make sure that the Uplink Normal switch for the LAN port ...

Page 33: ...ot, see Chapter 6 for troubleshooting information. The Internet Firewall is now attached to the network. By default, no traffic that originates from the Internet is allowed onto the LAN, and all communications from the LAN to the Internet are allowed. That is, all inbound connections are blocked and all outbound connections are allowed. You can now configure the Internet Firewall. See the following chapter...

Page 35: ...t Firewall on a label on the underside of the unit. Initial Configuration using the Internet Firewall Wizard: Please refer to the Quick Start Guide for information on how to connect to your Internet Firewall. To access the Internet Firewall Wizard, enter http://192.168.1.254 or http://my.3com.com in the address box of your Internet web browser. The default configuration of the Internet Firewall is designed...

Page 36: ... Internet Firewall Wizard You need the following information about IP addressing on your network You may be able to obtain this information from the Internet Service Provider ISP that you use to connect your network to the Internet The following illustrates where this information is used IP Address for your Internet Gateway This is the address of your Internet Gateway which attaches the LAN to the...

Page 37: ...ends on whether you have decided to use the Internet Firewall as a DHCP server or to retain an existing DHCP server If you are using the Internet Firewall as a DHCP server you will now need to set all of the PCs on your network to obtain their IP address automatically If you are using an existing DHCP server then you will need to alter the Default Gateway address in your existing DHCP server confi...

Page 38: ...uploads, for example Netscape version 4 or above, or Internet Explorer version 4 or above. If the browser does not support HTTP uploads, you cannot use certain features such as updating the software and uploading pre-configured settings. The Internet Firewall has a default IP address, 192.168.1.254 (my.3com.com), which you use to access it when you set it up initially. During this initial setup your managem...

Page 39: ... top of the browser window. The Login dialog box is displayed (Figure 7: Login dialog box). b In the User Name field, type the default user name: admin. c In the Password field, type the default password: password. d Click Login. Passwords are case sensitive. Enter the password exactly as defined. Make sure the Caps Lock key is not on. The main screen of the management interface is displayed ...

Page 40: ...MZ subnet masks from a remote DHCP server on the WAN If you use a modem to connect to the Internet you may have to use this setting because some modem ISPs implement DHCP in their service This is the default setting Choose Standard if your network does not use private IP addresses or if you have IP addresses for each machine that requires access to the Internet Choose NAT Enabled if you want to us...

Page 41: ...gs on page 50 for more information about the Network Addressing Mode. 4 Configure password settings: a From the main screen (see Figure 8), select Set Password. A window similar to the following is displayed (Figure 9: Change Administrator Password dialog box). The security of the Internet Firewall depends on the secrecy of the administrator's password; it is very important to change the password from the de...

Page 42: ...is displayed Figure 10 Set Date and Time dialog box b Type the time in 24 hour format c Click Update to send the configuration data to the Internet Firewall 6 Restart the Internet Firewall a Click Tools on the left side of the browser window b Select the Restart tab c Click Restart Internet Firewall d Click Yes to confirm the restart The Internet Firewall takes approximately 90 seconds to restart ...

Page 43: ...ystem 8 Review the status of the Internet Firewall a When the Internet Firewall has restarted log in again see step 2 using the new administrator password you set up in step 4 b From the Home screen select Unit Status A window similar to Figure 11 is displayed Figure 11 Unit Status window The Status window displays the current status of the Internet Firewall Any problems are listed in red text For...

Page 44: ... make a note of the registration code c On the main screen select Unit Status A message is displayed stating that the Internet Firewall is not registered d Type the registration code you were given into the text box next to the message and click Update The Internet Firewall is now registered You have now finished the initial setup for the Internet Firewall See Chapter 4 for further information abo...

Page 45: ...ou access these command functions using a Web browser to launch the management interface This chapter is divided into sections dedicated to the major windows and functions within the Web management interface Figure 12 illustrates the menu tree structure of the Internet Firewall Figure 12 Tree Diagram of menu structure ...

Page 46: ...all DMZ Any problems will be listed in red text For example if the Internet router was not contacted or the default password was not changed this would be listed Items listed in red require immediate corrective action General operation status messages such as enabled hacker attack protection filter list status and log settings are listed in black text To register your Internet Firewall enter your ...

Page 47: ... time common to all places in the world. It is also commonly referred to as Greenwich Mean Time or World Time. Many ISPs require firewall logs to be recorded to UTC or within a fraction of it, as tracking hackers can be very difficult if reports of times are conflicting. If you wish your Internet Firewall to get its date and time settings in this way, check the Use NTP to set time automatically box. Thi...

Page 48: ...heck the box labelled Automatically adjust clock for daylight saving changes. You can also specify that UTC is used in your logs rather than the time in your location; this may be a requirement of some ISPs. If you wish to do this, check the box labelled Display UTC in logs instead of local time. To set the time manually: 3Com recommends that you do this initially even if you have selected to set the ti...

Page 49: ... 1 In the Old Password box, type the old password. 2 In the New Password and Confirm New Password boxes, type the new password. 3 Click Update to send the configuration data to the Internet Firewall. If you are setting the password for the first time, the default password is password. The password cannot be recovered if it is lost or forgotten. If the password is lost, you must reset the Internet Firewall ...

Page 50: ... to display the Network Settings window A window similar to that in Figure 16 is displayed Figure 16 Network Settings Window Network Addressing Mode The Network Addressing Mode drop down list contains three modes Choose Standard if you have IP addresses allocated by your ISP for each machine that requires access to the Internet Choose NAT Enabled if you want to use a single IP address for accessin...

Page 51: ...t for configuration and monitoring. Choose a unique IP address from the LAN address range. LAN Subnet Mask: This value is used to determine what subnet an IP address belongs to. An IP address has two components: the network address and the host address. For example, consider the IP address 192.168.228.17. Assuming a Class C subnet mask of 255.255.255.0 is used, the first three numbers (192.168.228) represent...

Page 52: ...because all the addresses on the LAN are invisible to the outside world. In cases where a network uses invalid IP addresses, or if addresses are in short supply, NAT can be used to connect the LAN to the Internet without changing the IP addresses of computers and other devices on the LAN. Remote authenticated access is not possible with NAT enabled. When using IP addresses on a LAN which have not been ...

Page 53: ...oose a unique IP address from the LAN address range. LAN Subnet Mask: This value is used to determine what subnet an IP address belongs to. An IP address has two components: the network address and the host address. For example, consider the IP address 192.168.228.17. Assuming a Class C subnet mask of 255.255.255.0 is used, the first three numbers (192.168.228) represent the Class C network address and the ...

Page 54: ...y the DNS Servers. These servers are used by the Internet Firewall to look up the addresses of machines used to download the Web Site Filter and for the built-in DNS Lookup tool. Type the required values and click Update to send the configuration data to the Internet Firewall. You must restart the Internet Firewall for these changes to take effect. When computers on the LAN are using address ranges not...

Page 55: ...ange. LAN Subnet Mask: This value is used to determine what subnet an IP address belongs to. An IP address has two components: the network address and the host address. For example, consider the IP address 192.168.228.17. Assuming a Class C subnet mask of 255.255.255.0 is used, the first three numbers (192.168.228) represent the Class C network address and the last number (17) identifies a particular host on ...

Page 56: ...l to look up the addresses of machines used to download the Web Site Filter and for the built-in DNS Lookup tool. Type the required values and click Update to send the configuration data to the Internet Firewall. You must restart the Internet Firewall for these changes to take effect. When computers on the LAN are using address ranges not in the same subnet as the NAT Public IP Address, use the Intern...

Page 57: ...Mask: This value is used to determine what subnet an IP address belongs to. An IP address has two components: the network address and the host address. For example, consider the IP address 192.168.228.17. Assuming a Class C subnet mask of 255.255.255.0 is used, the first three numbers (192.168.228) represent the Class C network address and the last number (17) identifies a particular host on this network. For...

Page 58: ...ng DMZ Addresses (Internet Firewall DMZ only): The Internet Firewall provides security by preventing Internet users from accessing machines inside the LAN. This security, however, also prevents users from reaching servers intended for public access, such as a Web or e-mail server, which are crucial for effective Internet use. In order to allow such services, the Internet Firewall DMZ comes with a special De...

Page 59: ... addresses for the DMZ individually or as a range. Type an individual address in the From Address box. To enter a range of addresses, such as the 51 IP addresses from 199.168.23.50 to 199.168.23.100, type the starting address in the From Address box and the ending address in the To Address box. You can specify up to 64 address ranges. Click Update to send the configuration data to the Internet Firewall ...

Page 60: ...management of IP client configurations including IP addresses gateway address DNS address and more Enable DHCP Server Click this check box to enable or disable the DHCP server This is disabled by default Leave the DHCP server disabled if there already is a DHCP server on the LAN or if manual addressing is used on the LAN computers Lease Time This is the amount of time that the IP address is leased...

Page 61: ...an IP address belongs to Domain Name Type the registered domain name for the network in the Domain Name box for example 3Com com If you do not have a Domain Name leave this blank DNS Servers A DNS Server translates human readable host names into the numeric IP addresses used by computers to route information to the correct machine You can use multiple DNS servers to improve performance and reliabi...

Page 62: ...igured when they boot Dynamic BootP clients are BootP clients that do not have an IP address assigned to their MAC address They are similar to DHCP clients with the exception that leases are not supported Delete Range To remove a range of addresses from the dynamic pool select it from the scrolling list of dynamic ranges and click Delete Range Static Entries Static addresses are used by machines t...

Page 63: ...current bindings IP and MAC address of the bindings Type of binding Dynamic Dynamic BootP or Static BootP To delete a binding which frees the IP address in the DHCP server select the binding from the list and then click Delete Figure 22 DHCP Server Status Window Diagnostic Tools The Internet Firewall has several tools built in which can help you solve network problems Click Network and then select...

Page 64: ... that returns the numerical IP address of a host name Select DNS Name Lookup from the Choose a diagnostic tool menu A window similar to that in Figure 23 is displayed Type the host name to lookup in the Look up the name box and click Go The Internet Firewall then queries the DNS server and displays the result at the bottom of the screen The IP address of at least one DNS Server must be present on ...

Page 65: ...ere is a problem with the configuration of the network or intranet settings Find Network Path also shows if the target node is behind a router and the Ethernet address of the target node or router Find Network Path also shows which router a node is using which can help isolate router configuration problems Select Find Network Path from the Choose a diagnostic tool menu A window similar to that in ...

Page 66: ...he Internet back to the sender This test shows if the Internet Firewall is able to contact the remote host If users on the LAN are having problems accessing services on the Internet try pinging the DNS server or other machine at the ISP s location If this test is successful try pinging devices outside the ISP This shows if the problem lies with the ISP s connection Select Ping from the Choose a di...

Page 67: ... Packet Trace Use the Packet Trace tool to track the status of a data packet or communications stream as it moves from source to destination This is a useful tool to determine if a packet or communications stream is being stopped at the Internet Firewall or is lost on the Internet Select Packet Trace from the Choose a diagnostic tool drop down list A window similar to that in Figure 26 is displaye...

Page 68: ...e Trace on IP address box not a host name such as www 3Com com 3 Click Refresh to display the packet trace information 4 Click Stop to terminate the packet trace and Reset to clear the results Technical Support Report The Tech Support Report generates a detailed report of the Internet Firewall s configuration and status and saves it to the local hard disk You can then e mail this file to Technical...

Page 69: ... Figure 27 Tech Support Report Window Click Save Report to save the report as a text file to the local disk Filter Settings Click Filter and then select the Settings tab A window similar to that in Figure 28 is displayed ...

Page 70: ...hat you can choose to allow access to. ActiveX: ActiveX is a programming language that is used to embed small programs in Web pages. It is generally considered an insecure protocol to allow into a network, since it is possible for malicious programmers to write controls that can delete files, compromise security or cause other damage. Java: Java is also used to embed small programs, also called applets, in...

Page 71: ... on the LAN. Blocking Options: The following is a list of the blocking options. Log and Block Access: When selected, the Internet Firewall logs and blocks access to all sites on the Web Site Filter, custom and keyword lists. Log Only: When selected, the Internet Firewall logs and then allows access to all sites on the Web Site Filter, custom and keyword lists. Use this function to monitor inappropriate usage...

Page 72: ...mplete access to the Internet Similar policies could be enabled to allow employees complete access to the Internet after normal business hours Time of Day restrictions only apply to the Web Site Filter Custom Sites and Keywords Consent and Restrict Web Features such as ActiveX Java cookies and Web Proxy are not affected Always Block When selected Internet Filtering is always active and Time of Day...

Page 73: ...sses are used for all Internet filtering functions for several reasons. There are two reasons for this: Many blocked sites operate server pools, where many machines service a single host name, making it impractical and difficult to add and maintain the numerical addresses of every server in the pool. Many sites included in the Web Site Filter regularly change the IP address of the server to try to bypa...

Page 74: ...iption is required If Filter List Not Loaded There are two radio buttons that determine what happens if the Filter List expires or if a download of a Filter List fails Block traffic to all websites except for Trusted Domains Select this option if only access to Trusted Domains should be available in the event of the Filter List expiring or a download failing See Setting up Trusted and Forbidden Do...

Page 75: ...etermined by the radio buttons described above Keywords Click Filter and then select the Keywords tab A window similar to that in Figure 30 is displayed Figure 30 Keywords Window You can block Web URLs that contain specified keywords This functions as a second line of defense against objectionable material For example if you specify the keyword XXX the following URL http www new site com xxx html ...

Page 76: ...ing check box and click Update To add a keyword in the Add Keyword box type the keyword to block and click Update To remove a keyword select it from the list and click Delete Keyword Custom List This function allows you to block specific web sites or restrict access to a list of approved web sites This is in addition to the Web Site Filter Click Filter and then select the Custom List tab A window ...

Page 77: ... the Internet Firewall To block a Web site which does not appear in the Web Site Filter type its host name such as www bad site com into the Forbidden Domains box Do not use the complete URL of the site that is do not include http All subdomains are blocked For example adding 3com com also blocks www 3com com my support com shop 3com com and so forth Click Update to send the update to the Internet...

Page 78: ...to display when a site is blocked. When a user attempts to access a site that is blocked by the Web Site Filter, a message is displayed on their screen. The default message is "Web Site Blocked by 3Com OfficeConnect Internet Firewall". You can type any message, including embedded HTML, up to 255 characters long in this box. For example, if you type the following, the Internet Firewall sends a descriptive mes...

Page 79: ...tlined in an organization s Acceptable Use Policy before you allow them to browse the Web any further Click Filter and then select the Consent tab A window similar to that in Figure 32 is displayed Figure 32 Consent Window Require Consent Click this check box to enable the Consent features Maximum Web usage In an environment where there are more users than computers such as a classroom or library ...

Page 80: ... create this page in HTML. It may contain the text from, or links to, the Acceptable Use Policy (AUP). You must include in this page links to two pages contained in the Internet Firewall which, when selected, tell the Internet Firewall if the user wishes to have filtering enabled or disabled. The link for unfiltered access must be 192.168.1.254/iAccept.html. The link for filtered access must be 192.168.1.25...

Page 81: ... page contained in the Internet Firewall which, when selected, tell the Internet Firewall that the user wishes to have filtering enabled. The link must be 192.168.1.254/iAcceptFilter.html. Use the Web Address of the Internet Firewall instead of 192.168.1.254. These links are case sensitive. Type the URL of this page in the Consent page URL (Mandatory Filtering) box and click Update to send the configurati...

Page 82: ...such as an attack on a server, you can specify that this information is immediately e-mailed, either to the main e-mail address used by the log or to a different address such as a paging service. The Internet Firewall logs the following events: Unauthorized connection attempts; Blocked Web, FTP and Gopher sites, and blocked NNTP Newsgroups; Blocked ActiveX and Java; Blocked Cookies and Proxy attempts; Attac...

Page 83: ...ion and review the log with an e-mail client rather than with a Web browser. Each log entry contains the date and time of the event and a brief message describing the event. Some entries contain additional information. Much of this information refers to the Internet traffic passing through the Internet Firewall. TCP, UDP or ICMP packets dropped: These log messages describe all traffic blocked from the I...

Page 84: ...olence profanity b Partial nudity c Full nudity d Sexual acts e Gross depictions f Intolerance g Satanic cult h Drug culture i Militant extremist j Sex education k Gambling illegal l Alcohol tobacco See Chapter 5 for more information about these categories ActiveX Java or Code Archive blocked The IP addresses of the source machine and the destination server is shown When ActiveX or Java code is co...

Page 85: ...y true for SYN Flood attacks. If the log message calls the attack "possible", or it only happens on an irregular basis, then there is probably no attack in progress. If the log message calls the attack "probable", contact the ISP to see if they can track down the source of the attack. In either case, the LAN and DMZ are protected and you do not need to take further steps. Log Alert Settings: Click Log and then...

Page 86: ...le for download. See "Upgrading the Software" on page 96 for more information. If there is a new software release, an e-mail notification is sent to this address. Send Alerts To: Alerts are events, such as an attack, which may warrant immediate attention. When an event generates an alert, a message is immediately sent to an e-mail account or e-mail pager. Enter the e-mail address, for example username@3Com.com...

Page 87: ...nd then clears the log. Clear Log Now: Deletes the contents of the log. Send Log: This pop-up menu is used to configure the frequency of log messages being sent as e-mail: daily, weekly, or only when the log is full. If the weekly or the daily option is selected, specify a time of day when the e-mail is to be sent. If the weekly option is selected, then also specify which day of the week the e-mail is to be ...

Page 88: ...ocked by the Web Site Filter, by keyword, or for any other reason are generated. This is enabled by default. Blocked Java, ActiveX and Cookies: When enabled, log messages showing Java, ActiveX and Cookies which are blocked by the Internet Firewall are generated. This is enabled by default. User Activity: When enabled, log messages showing any successful or unsuccessful user logins will be generated. This is en...

Page 89: ...dow (see page 85). Attacks: When enabled, all log entries that are categorized as an Attack are generated as an alert message. This is enabled by default. System Errors: When enabled, all log entries that are categorized as a System Error are generated as an alert message. This is enabled by default. Blocked Web Sites: When enabled, all log entries that are categorized as a Blocked Web Site are generated as an...

Page 90: ...A window similar to that in Figure 35 is displayed Figure 35 Reports Window Start Data Collection By default the log analysis function is disabled Click Start Data Collection to begin log analysis When log analysis is enabled the button label changes to Stop Data Collection Reset Click Reset to clear the report statistics and begin a new sample period The sample period is also reset when data coll...

Page 91: ...Selecting Bandwidth Usage by IP Address from the Report to view drop down list displays a table showing the IP Address of the 25 top users of Internet bandwidth and the number of megabytes transmitted during the current sample period If using DHCP remember that the IP address assigned to a computer can change You may have to check the DHCP server logs to correctly identify which computer is listed...

Page 92: ...rt command to the Internet Firewall. The restart takes about 90 seconds, during which time the Internet Firewall cannot be reached from the Web browser and all network traffic through it is halted. If you have changed the IP settings of the Internet Firewall, you must alter the IP settings of the management station accordingly. You may have to restart the management station, depending on its operating s...

Page 93: ...ure 37 is displayed. Figure 37: Configuration Window. Use the Configuration tab to specify where the settings for the Internet Firewall are saved to and retrieved from for backup purposes. You can also restore the default settings from the Configuration tab. 3Com recommends that you back up the Internet Firewall settings. The Administration password is not saved in this process. ...

Page 94: ...ndow similar to that in Figure 38 is displayed. Figure 38: Export Window. Choose the location to save the settings file. This should be saved as Filename.exp. This defaults to internetfirewall.exp. The process may take up to a minute. Reloading the Settings: After exporting a settings file, you can import it back to the Internet Firewall. Click Import. A window similar to that in Figure 39 is displayed. ...

Page 95: ...or the settings to take effect (see page 92). Make sure that the Web browser supports HTTP uploads. If it does not, you cannot import the saved settings. Note that this will not change the password for the unit. Restore Factory Defaults: Click Restore to clear all configuration information and restore the Internet Firewall to its factory state. Clicking Restore does not change the Internet Firewall's Web A...

Page 96: ...he Internet Firewall's settings before uploading new software, and then import them again after the upgrade has been completed. The Internet Firewall checks to see if new software is available for download on a weekly basis. If there is a new software release, an e-mail notification is sent to the address in the Send log to box. Click Tools and then select the Upgrade tab. A window similar to that in Fi...

Page 97: ...e Send email when new firmware is available check box 2 Click Update To load the new firmware 1 Click Upload Firmware Now A window similar to that in Figure 41 is displayed Figure 41 Save Settings Window 2 Click Yes if you have saved the settings A window similar to that in Figure 42 is displayed ...

Page 98: ...rts HTTP uploads. When uploading the firmware to an Internet Firewall, it is important not to interrupt the Web browser by closing the window, clicking a link, loading a new page, or removing the power to the Internet Firewall. If the Internet Firewall is interrupted this way, it may result in the Internet Firewall not responding to attempts to log in. If your Internet Firewall does not respond, see Append...

Page 99: ...ble showing the defined Network Access Rules. Rules are sorted from the most specific at the top to the most general at the bottom. At the bottom of the table is the Default rule. The Default rule is all IP services. You can create rules to override the behavior of the Default rule. For example, the Default rule allows users on the LAN to access all Internet services, including NNTP News. However, LAN acce...

Page 100: ...ht of the check box, there is a Custom Rule in the Rules tab section that modifies the behavior of the listed Network Access Rule. The LAN In column is not displayed if NAT is enabled. DMZ In: If you are using the Internet Firewall DMZ, when this check box is cleared, access to the protocol is not permitted from the Internet to the DMZ. When the service is selected, users on the Internet can access all ho...

Page 101: ... security risks. You can increase the timeout interval if users frequently complain of dropped connections in applications such as Telnet and FTP. Click Update to send the configuration data to the Internet Firewall. You must restart the Internet Firewall for these changes to take effect. Adding a Service: If a protocol is not listed in the Services window, you can add the service. Click Policy and then ...

Page 102: ... single service Up to 128 entries are supported To add support for a well known service by name 1 Select the name of the service from the Add a known service drop down list 2 Click Add The new service appears in the list box to the right along with its numeric protocol description Note that some well known services add more than one entry to the list box To add a custom service 1 From Add a known ...

Page 103: ...on of the service. Policy Rules: Network Access Rules evaluate network traffic's source IP address, destination IP address, and IP protocol type to decide if the IP traffic is allowed to pass through the firewall. Custom rules take precedence and may override the Internet Firewall's default state packet inspection. The ability to define Network Access Rules is a very powerful tool. Using custom rules, it ...

Page 104: ...rule. The following are examples of intent for rules: "This rule will restrict all IRC access from the LAN to the Internet." "This rule will allow a remote Lotus Notes server to synchronize over the Internet to an internal Notes server." Is the intent of the rule to allow or deny traffic? What is the flow of the traffic: from the LAN to the Internet, or from the Internet to the LAN? List which IP services wil...

Page 105: ...l this rule allow Internet users access to resources on the LAN in a manner that may create an undue security vulnerability? For example, if NetBIOS ports (UDP 137, 138, 139) are allowed from the Internet to the LAN, Internet users may be able to connect to PCs with file sharing enabled. Does this rule conflict with any existing rules? Once you have answered these questions, to add rules you type the inform...

Page 106: ...t the Network Access Rule s destination port LAN WAN or DMZ if appropriate from the Ethernet menu If there are IP address restrictions on the destination of the traffic such as limiting Telnet to a remote site type the starting and ending IP addresses of the range in the Addr Range Begin and Addr Range End respectively If all IP addresses are affected type in the Addr Range Begin box Understanding...

Page 107: ...t LAN from the Source Ethernet list 4 Since all computers on the LAN are to be affected enter in the Source Addr Range Begin box 5 Select WAN from the Destination Ethernet menu 6 Since the intent is to block access to all NNTP servers enter in the Destination Addr Range Begin box 7 Click Add Rule Block Access to Specific Users This example shows how to create a rule which blocks a certain range of...

Page 108: ...net list 4 Enter the starting IP address of the ISP s network in the Source Addr Range Begin box and the network s ending IP address in the Source Addr Range Begin box 5 Select WAN from the Destination Ethernet list 6 Since the intent is to allow a ping only to the Internet Firewall enter the Internet Firewall s Web Address in the Destination Addr Range Begin box 7 Click Add Rule User Privileges T...

Page 109: ...ontains a list of all currently defined users. In addition, there is an entry at the top of the list labeled New User. To add a new user: 1. Highlight the Add New User entry. 2. In the User Name box, type the user's login name. 3. In the Password and Confirm Password boxes, enter the user's password. It is important to use a password that could not be guessed by someone else. Avoid using names of friends, famil...

Page 110: ... same as typing Password. To change a user's password or privileges: 1. Highlight the name in the scrollable box. 2. Make the changes. 3. Click Update User. To delete a user, highlight the name and click Remove User. Establishing an Authenticated Session: Authenticated Sessions allow a user on the Internet to access the LAN without restrictions, or allow a user on the LAN to access the Internet without restri...

Page 111: ...es the request to the server Returns the requested information to the user Saves it locally to fulfill future requests Because of this a proxy can improve Internet response and lessen the load on the Internet link For example suppose a school is using the Internet for a research project A student requests a certain Web page and then sometime later a second student requests the same page Instead of...

Page 112: ...ter the IP address of the proxy in the Proxy Web Server Address box and the proxy s IP port in the Proxy Web Server Port box Click Update to send the configuration data to the Internet Firewall Example of Installing a Proxy Server The following example describes how to install a proxy on the WAN port Installing a proxy on the WAN When you install a proxy server on the WAN port it is important to r...

Page 113: ...hen select the Proxy Relay tab b Configure the Web proxy relay See Automatic Proxy Forwarding on page 111 for more information Web traffic is directed to the proxy which fulfills all requests without reconfiguring all the Web browsers on the LAN Specifying Intranet Settings In some cases it is desirable to prevent access to certain resources by unauthorized users on the LAN For example a school s ...

Page 114: ...tect the intranet. Installing the Internet Firewall to Protect the Intranet: 1. Connect the Ethernet port labeled LAN on the back of the Internet Firewall to the network segment that will be protected against unauthorized access. 2. Connect the Ethernet port labeled WAN on the back of the Internet Firewall to the rest of the network. Devices connected to the WAN port do not have firewall or Web Site Fil...

Page 115: ...ines. You can do this in two ways: Inclusively, by specifying which machines are members of the segment with restricted access. Exclusively, by specifying which machines are not members of the segment with the restricted access. Using the inclusive method, you specify the IP addresses of the machines which are connected to the Internet Firewall's LAN port. Use this method in cases such as a small accounti...

Page 116: ...t Window Boxes and Controls Internet Firewall s WAN link is connected directly to the Internet router Use this setting if the Internet Firewall is protecting the entire network This is the default setting Specified address ranges are attached to the LAN link Select this when it is easier to specify which devices are on the LAN If a machine s IP address is not specified all communications through t...

Page 117: ...Window Use static routes if the LAN is segmented into subnets either for size or practical considerations For example you can create a subnet which only contains an organization s graphic design shop isolating it from traffic on the rest of the LAN Static Routes Window Boxes and Controls LAN The IP Address and Subnet on the Internet Firewall s LAN port are shown at the top of the window Configure ...

Page 118: ...lid external addresses to internal addresses hidden by NAT. Machines with an internal address may be accessed at the corresponding external valid IP address. To create this relationship between internal and external addresses, define internal and external address ranges of equal length. Once you have defined that relationship, the machine with the first internal address is accessible at the first IP ad...

Page 119: ...Address Correspondence in One-to-One NAT
LAN Address | Corresponding WAN Address | Accessed Through
192.168.1.1 | 209.19.28.16 | Inaccessible: NAT Public IP Address
192.168.1.2 | 209.19.28.17 | Accessed at 209.19.28.17
192.168.1.16 | 209.19.28.31 | Accessed at 209.19.28.31
192.168.1.33 | No corresponding valid IP address | Inaccessible except as Public LAN Server
192.168.1.255 | No corresponding valid IP address | Inacces...

Page 120: ...dress of the public address range being mapped in the Public Range Begin box. This address is assigned by the ISP. Range Length: Type the number of IP addresses for the range. The range length may not exceed the number of valid IP addresses. You can add up to 64 ranges. To map a single address, use a Range Length of 1. Click Update. Restart the Internet Firewall for changes to take effect. One-to-One NAT does...

Page 121: ...he 3Com OfficeConnect Web Site Filter is provided as a 12 month subscription and can be automatically updated weekly to ensure that the filter keeps pace with the ever changing Internet The OfficeConnect Internet Firewall 25 and Internet Firewall DMZ are provided with a one month subscription free of charge The 3Com OfficeConnect Web Site Filter uses the CyberNOT list which is licensed from The Le...

Page 122: ...ny or all portions of the human genitalia Please note The Partial Nudity and Full Nudity categories do not include sites containing nudity or partial nudity of a non prurient nature For example web sites for publications such as National Geographic or Smithsonian Magazine or sites hosted by museums such as the Guggenheim the Louvre or the Museum of Modern Art Sexual Acts Pictures descriptive text ...

Page 123: ...gal use of drugs for entertainment Includes substances used for other than their primary purpose to alter the individual s state of mind such as glue sniffing This category does not include material about the use of illegal drugs when they are legally prescribed for medicinal purposes e g drugs used to treat glaucoma or cancer Militant Extremist Pictures or text advocating extremely aggressive and...

Page 124: ... infringement computer hacking phreaking using someone s phone lines without permission and software piracy Also includes text advocating gambling relating to lotteries casinos betting numbers games on line sports or financial betting including non monetary dares and 1 900 type numbers Alcohol Tobacco Pictures or text advocating the sale consumption or production of alcoholic beverages or tobacco ...

Page 125: ... serial number 4 In the Activation Key box type the key supplied with the Web Site Filter 5 Click Activate After a short while a message confirming the subscription s activation is displayed in the Web browser window The Internet Firewall s serial number is printed on the bottom of the firewall and is also displayed at the top of the Status window in the Web management interface Each subscription ...

Page 127: ...ing Make sure that all equipment is switched on Switch off the Internet Firewall wait approximately 5 seconds and then switch it back on Wait for the Power LED to stop flashing approximately 90 seconds The contents of the log are lost when doing this Potential Problems The following is a list of problems you may experience with your OfficeConnect Internet Firewall Power LED Not Lit Check the power...

Page 128: ... on and off Make sure the wiring follows the 10BASE T specification See Pinout Diagrams on page 131 for more information Try replacing the cable with a known good cable Is it the correct cable Try using a standard 10BASE T or crossover cable instead If the problem is on the LAN or DMZ port try setting the Uplink Normal switch to the alternative position Ethernet Connection is Not Functioning If th...

Page 129: ...rity reasons, the Internet Firewall sends a slightly different Authentication page each time you log in to the management interface. If the password you use does not allow access to the Internet Firewall, it might be because the browser is displaying a cached copy of the page instead of the current page. If you cannot remember the correct password, you can reset the Internet Firewall. See Appendix G, Res...

Page 130: ...f the Internet Firewall does not save the changes that you make, make sure that you click Update before moving to another window or tab, or all changes are lost. Duplicate IP Address Errors Are Occurring: If there are duplicate IP address errors after you have installed the Internet Firewall: Try restarting the router or LAN machines. Make sure the LAN is not connected to the WAN port on the Internet Fi...

Page 131: ...he OfficeConnect Internet Firewall supports the following cable types and maximum lengths 10BASE T Twisted Pair Maximum cable length of 100 m 327 86 ft Pinout Diagrams Table 5 shows the pinouts connections for RJ 45 Figure 52 shows the pinout connections for twisted pair cable Table 5 RJ 45 Pinouts Pin Function 1 RD 2 RD 3 TD 4 5 6 TD 7 8 ...

Page 132: ...132 APPENDIX A CABLE SPECIFICATIONS AND PINOUT DIAGRAM Figure 52 Twisted Pair Pinouts ...

Page 133: ... 185 x 54 mm 9 12 x 7 3 x 2 1in Weight 870 g 1 9 lbs Standards Functional ISO 8802 3 IEEE 802 3 Safety UL 1950 EN 60950 CSA 22 2 950 IEC 950 EMC EN 55022 Class B EN 50082 1 FCC Part 15 Class B ICES 003 Class B VCCI Class B CNS 13438 Class A Environmental EN 60068 IEC 68 Category 5 screened cables must be used to ensure compliance with the Class B requirements of this standard The use of unscreened...

Page 134: ...134 APPENDIX B: TECHNICAL SPECIFICATIONS AND STANDARDS. See "Electromagnetic Compatibility" on page 182 for conditions of operation. ...

Page 135: ...d from the factory with a default password. It is critical to change this password during the initial configuration of the firewall. Unfortunately, the default password can only provide limited protection the first time the administrator's password is set. In principle, an individual inside the network could capture all network transmissions and then perform mathematical analyses to discover the new Ad...

Page 136: ... adapter other than the one supplied with the Internet Firewall. 4. Wait for the Power LED to stop flashing. This takes approximately 90 seconds. 5. Follow the initial configuration steps as described in Chapter 3. 6. Disconnect the management station from the Internet Firewall and reconnect it to the main Ethernet network. In some cases, you may have to restart the management station after reconnecting it...

Page 137: ...n only be used by system processes or by programs executed by privileged users. Many popular services, such as Web, FTP, SMTP/POP3 e-mail, DNS, and so forth operate in this range. The assigned ports use a small portion of the possible port numbers. For many years, the assigned ports were in the range 0-255. Recently, the range for the assigned ports managed by the IANA has been expanded to the range 0-1023. R...

Page 138: ...138 APPENDIX D: IP PORT NUMBERS. The Registered Ports are in the range 1024-65535. Visit http://www.normos.org/ietf/rfc/rfc1700.txt for a list of IP port numbers. ...

Page 139: ...ormation in the rest of this manual and also how some of the more advanced features can be set up and be beneficial to you The examples themselves are hypothetical and so you should not try using any of the IP addresses except the default IP addresses of the Internet Firewall and LAN Modem or phone numbers given below as they will not work However the theory behind the examples still applies when ...

Page 140: ...o activate at the same time that you set up the Internet Firewall 25. This one-year subscription is additional to the 30-day free subscription supplied with the Internet Firewall. The IP addresses are in the range 172.16.54.10 to 172.16.54.25 inclusive, and these addresses are statically assigned and not provided by DHCP. The router address for the ISP is 172.16.54.1 and the subnet mask is 255.255.255...

Page 141: ...ectly to one PC from which you intend to manage the Internet Firewall 25 (the management station). If the Internet Firewall 25 is connected directly to one PC, then this reduces the risk of another user on the network configuring the Internet Firewall 25 before you have changed the default password. 2. Assuming that you are managing the Internet Firewall 25 from the PC with address 172.16.54.15, either b...

Page 142: ...sword: password. Passwords are case sensitive. d. Click Login. 5. When you have logged in successfully, the main screen of the management interface for the Internet Firewall 25 is displayed. From here, configure the unit: a. Click Set Password. b. In the Old Password box, type password and then type the new password twice. Passwords are case sensitive and you cannot recover a lost password from the Internet Fire...

Page 143: ...a LAN subnet mask of 255.255.255.0. c. In the WAN Router Address field, type 172.16.54.1 as supplied by the ISP. d. In the DNS Server 1 field, type 172.16.54.253 and click Update. The settings are updated and the Home screen is displayed. 8. Disable access to the NNTP newsgroup and IRC (Internet Relay Chat) protocols. The Internet Firewall 25 has a default set of access rules that allow most basic Internet ac...

Page 144: ...net Firewall 25 restarts. c. Restore the IP address and subnet mask of your management station to 172.16.58.15, subnet mask 255.255.255.0, and reboot if required. 10. When the Internet Firewall 25 has restarted, make sure that you can access the Internet. Enter http://www.3Com.com/internetfirewall to see if you can access the registration site for the Internet Firewall. If this does not work, see Chapter 6 fo...

Page 145: ...the IP address of the mail server to send out logs and alerts. To find out the IP address: a. Click Network on the button bar and select the Diagnostics tab. b. From the drop-down list, select DNS Name Lookup. c. When the page has reloaded, in the text box type the address of the mail server (in this example, mail.3com.com) and click Go. d. When the IP address of the mail server is displayed, make a note of it. 14...

Page 146: ...cess is selected and click Block all categories Click Update Increasing the number of IP addresses available using NAT In this example you also have 16 IP addresses assigned statically by the ISP However the Internet access requirements for the 16 PCs are as follows 10 PCs are ordinary workstations where Internet access is only required for research e mail and the like Three PCs are Internet serve...

Page 147: ...e Internet Firewall DMZ so that the servers are accessible from the Internet but are protected from attacks. The server access can be logged and monitored. All the other PCs are on the LAN port and so cannot be accessed from the Internet unless you specifically enable this. There are no special Internet access requirements such as blocking IRC or NNTP. 1. Switch off the cable modem and connect the WAN ...

Page 148: ...uses NAT, so to make sure that the same subnet is used, change the TCP/IP settings for the network card (refer to the user guide for your operating system for further instructions on how to do this): a. For the IP address settings, for the IP address type 192.168.1.200 and for the subnet mask type 255.255.255.0. b. For the Gateway settings, delete any existing entries and then type 192.168.1.254. c. For the D...

Page 149: ...one from the drop down list at the top of the screen If you can t find your city use one with the correct offset from GMT all are covered c Here you want to use Network Time Protocol to set the Firewall time so that the date and time are set by an atomic clock and are hence highly accurate Check the box marked Use NTP to set time automatically d Type in the current date and time in 24 hour format ...

Page 150: ...istration form and make a note of the registration code that you are given on completion 11 Set up access to the server machines connected to the DMZ ports Run the Internet Firewall DMZ management interface as in step 4 a Click Network and then select the DMZ Addresses tab Make sure that the DMZ PC addresses that you use are on the same subnet as the WAN router and that you enter them into the Int...

Page 151: ...P address that you want to appear on the WAN side: 172.20.54.212. d. In the Range Length box, type 3 because there are 3 PCs that you want to be visible on the Internet. Click Update. Table 6 shows how the addresses are translated. One-to-One NAT does not change the way the firewall functions work. Access to machines on the LAN from the Internet is only allowed when you have set Network Access Rules or es...

Page 152: ...provide dial-up connectivity and an Internet Firewall 25 for security. In this example, you have an account with an ISP for the dial-up connection. This account offers one IP address, configured dynamically. You have the following information about the ISP: DNS server addresses: 10.201.80.7 and 10.201.80.8. Dial-up number: 555 987654. Account login name: myaccount. Password: mypassword. In this example you are ...

Page 153: ...res the Internet Firewall before you have changed the default password 2 Switch on the Internet Firewall 25 and check the LEDS a Wait for the Power LED to stop flashing approximately 90 seconds b Make sure that the orange Alert LED is also out when the Power LED stops flashing If the Alert LED comes on or the Power LED keeps flashing see Chapter 6 for troubleshooting information 3 Reconfigure the ...

Page 154: ...ate and time The Internet Firewall 25 relies on this for logs reports and updates to the content filter list a Click Set Date Time on the Home screen b Select your time zone from the drop down list at the top of the screen If you can t find your city use one with the correct offset from GMT all are covered c All other boxes should be unchecked this ensures that NTP does not set the firewall time h...

Page 155: ...heck box is selected, and in the Client Default Gateway box type the Web address for the Internet Firewall 25: 192.168.1.254. d. Enter the IP addresses for the DNS servers into the DNS Server 1 and DNS Server 2 boxes: 10.201.80.7, 10.201.80.8. e. Enter a range of addresses for the Internet Firewall 25 to issue to the PCs. Make sure that the range includes as many addresses as there are PCs: 192.168.1.201 th...

Page 156: ... 192.168.1.230. You do not need to change any other settings. Click Update. 12. Set up the web filtering so that users of the network can only access addresses on the domain 3Com.com: a. Click Filter and then select the Custom List tab. b. In the Trusted Domains area, Add Domain box, type 3com.com. c. Make sure that the Disable all web traffic except for Trusted Domains check box is selected, and then click Up...

Page 157: ...www.3com.com/internetfirewall. b. Complete the registration form and make a note of the registration code. c. On the Home screen, select Unit Status. A message is displayed stating that the Internet Firewall 25 is not registered. d. Type the registration code you were given into the text box next to the message and click Update. The Internet Firewall 25 is now registered. ...

Page 158: ...158 APPENDIX E EXAMPLE CONFIGURATIONS ...

Page 159: ...added to provide these services TCP stands for Transmission Control Protocol In TCP IP TCP works with IP to ensure the integrity of the data traveling over the network TCP IP is the protocol of the Internet IP Addressing To become part of an IP network a network device must have an IP address An IP address is a unique number that differentiates one device from another on the network to avoid confu...

Page 160: ...IP addressing it is necessary to always use the entire number when communicating with other devices There are three classes of IP addresses A B and C Like a main business phone number that one can call and then be transferred through interchange numbers to an individual s extension number the different classes of IP addresses provide for varying levels of interchanges or subnetworks and extensions...

Page 161: ...igns local IP address numbers Subnet Mask As mentioned in IP Address on page 160 the IP addressing system allows creation of subnetworks or interchanges and device numbers or extensions within those subnetworks These numbers are created using a mathematical device called a subnet mask A subnet mask like the IP address is a set of four numbers in dotted decimal notation Subnet masks typically take ...

Page 162: ...rty In complex networks with many subnetworks gateways keep traffic from traveling between different subnetworks unless addressed to travel there While this helps to keep overall network traffic more manageable it also introduces another level of complexity To communicate with a device on another network the message must go through a gateway that connects the two networks Therefore users need to k...

Page 163: ...ple, due to a lost password, then you must completely reset your Internet Firewall. CAUTION: The reset procedure described below not only deletes all the settings from your Internet Firewall, but also erases the current copy of the firmware from the unit. For this reason, 3Com recommends that you save your firewall settings on a regular basis and that you also have a copy of the latest firmware available...

Page 164: ...d the firmware erased. Reloading the Firmware: Even when the firmware has been erased, you can use a basic web management interface to get the Internet Firewall up and running again. The Internet Firewall reverts to its default IP address of 192.168.1.254 after a complete reset, so you must reconfigure your chosen management station to an IP address in the same subnet to access the management interface...

Page 165: ...ect a firmware file type in the full file and path name of the firmware image that you want to upload to the unit. Use the Browse button to locate the file if you are not sure of its location. 3. Once you have located the file, click Upload to upload the firmware. This process takes approximately one minute. Once complete, the firewall restarts automatically and the message shown in Figure 54 is displaye...

Page 166: ...ce you have logged into the management interface, you may upload your saved settings file as described in "Saving and Restoring Configuration Settings" on page 93. Note that the administrator password is not uploaded and is still "password" once the upload is complete. Make sure that you change this password to increase the security of the unit. If you do not have a saved settings file, you must set up the...

Page 167: ...wide product support 24 hours a day, 7 days a week, through the following online systems: World Wide Web site, 3Com Knowledgebase Web Services, 3Com FTP site, 3Com Facts℠ Automated Fax Service. World Wide Web Site: To access the latest networking information on the 3Com Corporation World Wide Web site, enter this URL into your Internet browser: http://www.3com.com/ This service provides access to online suppo...

Page 168: ... anonymous; Password: your Internet e-mail address. You do not need a user name and password with Web browser software such as Netscape Navigator and Internet Explorer. 3Com Facts Automated Fax Service: The 3Com Facts automated fax service provides technical articles, diagrams, and troubleshooting instructions on 3Com products 24 hours a day, 7 days a week. Call 3Com Facts using your Touch-Tone telephone 1...

Page 169: ...en you contact 3Com for assistance, have the following information ready: product model name, part number, and serial number; a list of system hardware and software, including revision levels; diagnostic error messages; details about recent configuration changes, if applicable. Here is a list of worldwide technical telephone support numbers: Country Telephone Number Asia Pacific Rim Australia Hong Kong India...

Page 170: ...enmark Finland France Germany Hungary Ireland Israel Italy Netherlands Norway Poland Portugal South Africa Spain Sweden Switzerland U K 0800 297468 0800 71429 800 17309 0800 113153 0800 917959 0800 1821502 00800 12813 1800 553117 1800 9453794 1678 79489 0800 0227788 800 11376 00800 3111206 0800 831416 0800 995014 900 983125 020 795482 0800 55 3072 0800 966197 Latin America Argentina Brazil Chile C...

Page 171: ...ers select option 2 and then option 2 Austria Belgium Denmark Finland France Germany Hungary Ireland Israel Italy Netherlands Norway Poland Portugal South Africa Spain Sweden Switzerland U K 0800 297468 0800 71429 800 17309 0800 113153 0800 917959 0800 1821502 00800 12813 1800553117 1800 9453794 1678 79489 0800 0227788 800 11376 00800 3111206 0800 831416 0800 995014 900 983125 020 795482 0800 55 3...

Page 173: ...rvice 91 BCIQ statement 182 blocking categories 71 84 broadband modems 22 C cable modem Internet Firewall using with cable modem 35 cable specifications 131 Categories tab 69 clock setting 47 code archive blocking 84 configuration examples 139 saving and restoring 93 Confirm New Password box 41 consent 79 URL 80 conventions notice icons About This Guide 11 cookies 21 71 CSA statement 182 current s...

Page 174: ...firmware e mail notification 97 loading 97 lost 163 reloading 164 uploading 97 forbidden domains 77 front panel 29 G gateway default 162 H hardware warranty information 179 hardware installing 27 I IANA 137 ICMP packets 83 initial configuration 38 installing hardware 27 proxy server on WAN 112 using the clip 27 using the rubber feet 27 Internet filtering 21 121 filtering overview 73 restricting ac...

Page 175: ...lic IP address 54 with DHCP Client option 40 network addressing mode 50 settings 50 network access rules 21 103 creating 104 examples 107 hierarchy 106 Network Address Translation See NAT network protocols See protocols network supplier support 168 networks introduction 159 new password setting 41 NNTP blocking access 99 notification of new firmware 97 O OfficeConnect modem 152 old password changi...

Page 176: ...y functions 18 extending 21 self diagnostic tests 33 166 services adding 101 deleting 103 setting admin password 49 clock 47 settings reloading 94 siting the Internet Firewall 28 software warranty information 179 software upgrading 96 specifications cable 131 technical 133 specified addresses attaching to the LAN 116 attaching to the WAN 116 stacking units 27 static routes LAN settings 117 specify...

Page 177: ...rs advanced 21 deleting 110 Internet 18 LAN 18 using an OfficeConnect modem 152 V VCCI statement 182 View Log tab 83 W wall mounting the Internet Firewall 28 WAN LED 30 port 17 31 warranty information 179 warranty service additional 180 obtaining 180 Web features restricting 70 web management interface access lost 163 web proxy relay configuring 113 web proxy disabling 71 Web Site Filter 121 activ...

Page 178: ...178 INDEX ...

Page 179: ...be at 3Com's option and expense, to refund the purchase price paid by Customer for any defective software product, or to replace any defective media with software which substantially conforms to applicable 3Com published specifications. Customer assumes responsibility for the selection of the appropriate applications program and associated reference materials. 3Com makes no warranty or representation ...

Page 180: ... ninety (90) day period begins on the date of Customer's product purchase. The telephone technical support is available from 3Com from 9 a.m. to 5 p.m., local time, Monday through Friday, excluding local holidays. Telephone technical support is limited to the 3Com products designated above and may include assistance with installation, product-specific configuration, and identification of equipment problems. P...

Page 181: ...NY REMEDY PROVIDED HEREIN SHALL FAIL OF ITS ESSENTIAL PURPOSE. DISCLAIMER: Some countries, states, or provinces do not allow the exclusion or limitation of implied warranties or the limitation of incidental or consequential damages for certain products supplied to consumers, or the limitation of liability for personal injury, so the above limitations and exclusions may be limited in their application to...

Page 182: ...orrect the interference by one or more of the following measures: Reorient the receiving antenna. Relocate the equipment with respect to the receiver. Move the equipment away from the receiver. Plug the equipment into a different outlet so that equipment and receiver are on different branch circuits. Consult the dealer or an experienced radio/television technician for help. BCIQ STATEMENT VCCI STATEMENT...
