
STEP 4. Select Remote Gateway-Fixed IP or Domain Name in the To Destination list and enter the IP address. (Figure11-22)


Figure11-22 IPSec To Destination Setting 

 

STEP 5. Select Preshare in Authentication Method and enter the Preshared Key (max: 100 bits). (Figure11-23)


Figure11-23 IPSec Authentication Method Setting 

 

STEP 6. Select ISAKMP Algorithm in the Encapsulation list and choose the algorithms to use when setting up the connection: the ENC Algorithm (3DES/DES/AES), the AUTH Algorithm (MD5/SHA1), and the Group (GROUP1, 2, 5). Both sides have to choose the same group. Here we select 3DES for ENC Algorithm, MD5 for AUTH Algorithm, and GROUP1 for Group. (Figure11-24)


Figure11-24 IPSec Encapsulation Setting
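
A pre-deployment check for the STEP 6 selections, added here as an example and not taken from the MH350 manual: it compares the ENC, AUTH and Group choices of the two gateways, since both sides have to agree, and flags any choice weaker than the strongest one the list offers. The `Phase1` class, the function names and the strength notes are assumptions of this example; only the option names come from the page.

```python
"""Pre-deployment check for the IKE (ISAKMP) choices made in STEP 6."""
from dataclasses import dataclass

# Option names are the ones in the WebUI lists quoted on this page.
# Ranks and notes are general cryptographic facts added for this example,
# not statements from the MH350 manual. Higher rank = stronger.
OPTIONS = {
    "enc": {
        "DES": (0, "56-bit key, exhaustive key search is practical"),
        "3DES": (1, "64-bit block size, deprecated for new deployments"),
        "AES": (2, ""),
    },
    "auth": {
        "MD5": (0, "MD5 is deprecated"),
        "SHA1": (1, ""),
    },
    "group": {
        "GROUP1": (0, "768-bit MODP Diffie-Hellman group"),
        "GROUP2": (1, "1024-bit MODP Diffie-Hellman group"),
        "GROUP5": (2, ""),  # 1536-bit MODP, the largest group in the list
    },
}


@dataclass(frozen=True)
class Phase1:
    """One gateway's STEP 6 selections (hypothetical container)."""
    enc: str
    auth: str
    group: str


def _norm(value: str) -> str:
    # Accept "Group 1", "group1", "3des" and similar spellings.
    return value.upper().replace(" ", "").replace("-", "")


def strongest_listed() -> Phase1:
    """Strongest combination available in the lists shown on the page."""
    return Phase1(*(max(t, key=lambda k: t[k][0]) for t in OPTIONS.values()))


def audit(site_a: Phase1, site_b: Phase1) -> list:
    """Return (kind, field, detail) findings for a pair of gateways."""
    findings = []
    best = strongest_listed()
    for field, table in OPTIONS.items():
        a, b = _norm(getattr(site_a, field)), _norm(getattr(site_b, field))
        for side, value in (("A", a), ("B", b)):
            if value not in table:
                findings.append(
                    ("UNKNOWN", field, f"site {side}: {value!r} is not offered"))
        if a != b:
            # The page requires the same group on both sides; with a single
            # proposal per gateway, ENC and AUTH must agree as well.
            findings.append(("MISMATCH", field, f"A={a} B={b}"))
        top = getattr(best, field)
        for value in sorted({a, b}):
            if value in table and value != top:
                findings.append(
                    ("WEAK", field,
                     f"{value}: {table[value][1]}; strongest listed is {top}"))
    return findings


if __name__ == "__main__":
    manual_choice = Phase1("3DES", "MD5", "GROUP1")  # the page's example
    other_side = Phase1("3des", "md5", "Group 2")    # constructed mismatch
    for kind, field, detail in audit(manual_choice, other_side):
        print(f"{kind:8} {field:5} {detail}")
    print("strongest listed:", strongest_listed())
```
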

 

 

Summary of Contents for MH350

Page 1: MH350 Multi-Homing Gateway User's Manual. 2006 AboCom Systems Inc. All rights reserved.

Page 2: ...ING 17 DATE TIME 22 MULTIPLE SUBNET 23 ROUTE TABLE 26 DDNS 32 HOST TABLE 34 LANGUAGE 35 CHAPTER 3 INTERFACE 36 LAN 41 WAN 42 DMZ 50 CHAPTER 4 ADDRESS 52 EXAMPLE 55 CHAPTER 5 SERVICE 62 CUSTOM 66 GROUP...

Page 3: ...111 CHAPTER 11 VPN 126 EXAMPLE 134 CHAPTER 12 POLICY 159 EXAMPLE 165 CHAPTER 13 ALERT SETTING 183 INTERNET ALERT 188 CHAPTER 14 ATTACK ALARM 192 INTERNAL ALARM 194 EXTERNAL ALARM 195 CHAPTER 15 LOG 1...

Page 4: ...4 CHAPTER 17 STATISTICS 227 WAN STATISTICS 229 POLICY STATISTICS 231 CHAPTER 18 STATUS 233 INTERFACE 234 AUTHENTICATION 236 ARPTABLE 237 DHCP CLIENTS 238...

Page 5: ...vileges of packets that pass through the MH350 and monitoring controls The System Administrators can manage monitor and configure MH350 settings But all configurations are read only for all users othe...

Page 6: ...strators Admin or Sub Admin The username of the main Administrator is Administrator with reading writing privilege Administrator also can change the system setting log system status and to increase or...

Page 7: ...n button to create a new Sub Administrator STEP 2 In the Add New Sub Administrator WebUI Figure 1 1 and enter the following setting Sub Admin Name sub_admin Password 12345 7 add the user or click Canc...

Page 8: ...ou want to edit and click on Modify in the Configure field STEP 2 The Modify Administrator Password WebUI will appear Enter the following information Password admin New Password 52364 Confirm Password...

Page 9: ...w permitted IPs Figure1 4 Figure1 3 Setting Permitted IPs WebUI Figure1 4 Complete Add New Permitted IPs To make Permitted IPs be effective it must cancel the Ping and WebUI selection in the WebUI of...

Page 10: ...ick Logout in System to protect the system while Administrator are away Figure1 5 Figure1 5 Confirm Logout WebUI STEP 2 Click OK and the logout message will appear in WebUI Figure1 6 Figure1 6 Logout...

Page 11: ...which manage the MH350 Click Browse and choose the latest software version file Click OK and the system will update automatically Figure1 7 Figure1 7 Software Update It takes 3 minutes to update softw...

Page 12: ...Configure Configure The Configure is according to the basic setting of the MH350 In this chapter the definition is Setting Date Time Multiple Subnet Route Table DHCP Dynamic DNS Hosts Table and Langu...

Page 13: ...rs or when emergency conditions occur It can be set from Settings Hacker Alert in System to detect Hacker Attacks Web Management WAN Interface The System Manager can change the port number used by HTT...

Page 14: ...the System Clock The administrator can configure the MH350 s date and time by either syncing to an Internet Network Time Server NTP or by syncing to your computer s clock GMT International Standard Ti...

Page 15: ...t department subnet 192 168 4 1 24 LAN 168 85 88 250 WAN 5 Accounting department subnet 192 168 5 1 24 LAN 168 85 88 249 WAN The first department R D department had set while setting interface IP the...

Page 16: ...S Domain Name The domain name that provided by DDNS WAN IP Address The WAN IP Address which the domain name corresponds to Define the required fields of Host Table Domain Name It can be set by System...

Page 17: ...em Settings to Client STEP 2 When the File Download pop up window appears choose the destination place where to save the exported file and click on Save The setting value of MH350 will copy to the app...

Page 18: ...gs from Client When the Choose File pop up window appears select the file to which contains the saved MH350 Settings then click OK Figure2 2 STEP 2 Click OK to import the file into the MH350 Figure2 3...

Page 19: ...tory Default Settings STEP 1 Select Reset Factory Settings in MH350 Configuration WebUI STEP 2 Click OK at the bottom right of the page to restore the factory settings Figure2 4 Figure2 4 Reset Factor...

Page 20: ...Enter SMTP server s IP address STEP 5 E Mail Address 1 Enter the e mail address of the first user to be notified STEP 6 E Mail Address 2 Enter the e mail address of the second user to be notified Opt...

Page 21: ...1 Reboot MH350 Click Reboot button next to Reboot MH350 Appliance STEP 2 A confirmation pop up page will appear STEP 3 Follow the confirmation pop up page click OK to restart MH350 Figure2 6 Figure2...

Page 22: ...GMT STEP 3 Enter the Server IP Name with which you want to synchronize STEP 4 Set the interval time to synchronize with outside servers Figure2 7 System Time Setting Click on the Sync button and then...

Page 23: ...NAT or Routing Mode by the IP address that set by the LAN user s network card Preparation MH350 WAN1 10 10 10 1 connect to the ISP Router 10 10 10 2 and the subnet that provided by ISP is 162 172 50 0...

Page 24: ...Alias IP of LAN Interface Enter 162 172 50 1 Netmask Enter 255 255 255 0 WAN1 Enter Interface IP 10 10 10 1 and choose Routing in Forwarding Mode WAN2 Enter Interface IP 211 22 22 22 and choose NAT in...

Page 25: ...ccess to Internet by WAN2 If by WAN1 Routing mode then it cannot access to Internet by its virtual IP 162 172 50 xx it uses Routing mode through WAN1 The Internet Server can see your IP 162 172 50 xx...

Page 26: ...connects with ATUR to Internet WAN2 211 22 22 22 connects with ATUR to Internet LAN subnet 192 168 1 1 24 The Router1 which connect with LAN 10 10 10 1 support RIPv2 its LAN subnet is 192 168 10 1 24...

Page 27: ...0 Gateway Enter 192 168 1 252 Interface Select LAN Click OK Figure 2 10 Figure2 10 Add New Static Route1 STEP 2 Enter the following settings in Route Table in System function Destination IP Enter 192...

Page 28: ...following setting in Route Table in System function Destination IP Enter 10 10 10 0 Netmask Enter 255 255 255 0 Gateway Enter 192 168 1 252 Interface Select LAN Click OK Figure 2 12 Figure2 12 Add New...

Page 29: ...4 Adding successful At this time the computer of 192 168 10 1 24 192 168 20 1 24 and 192 168 1 1 24 can connect with each other and connect to Internet by NAT Figure 2 13 Figure 2 13 Route Table Setti...

Page 30: ...Range 1 Enter the starting and the ending IP address dynamically assigning to DHCP clients The default value is 192 168 1 2 to 192 168 1 254 it must be in the same subnet Client IP Address Range 2 En...

Page 31: ...tomatically Get DNS the DNS Server will lock it as LAN Interface IP Using Occasion When the system Administrator starts Authentication the users first DNS Server must be the same as LAN Interface IP i...

Page 32: ...ers Select service providers Automatically fill in the WAN 1 2 IP Check to automatically fill in the WAN 1 2 IP User Name Enter the registered user name Password Enter the password Domain name Enter Y...

Page 33: ...Unknown error If System Administrator had not registered a DDNS account click on Sign up then can enter the website of the provider If you do not select Automatically fill in the WAN IP and then you c...

Page 34: ...omain name of the server Virtual IP Address The virtual IP address respective to Host Table Click OK to add Host Table Figure2 17 Figure2 17 Add New Host Table To use Host Table the user PC s first DN...

Page 35: ...Language Select the Language version English Version Traditional Chinese Version or Simplified Chinese Version and click OK Figure2 18 Figure2 18 Language Setting WebUI 35...

Page 36: ...the Administrator can set up the IP addresses for the office network The Administrator may configure the IP addresses of the LAN network the WAN 1 2 network and the DMZ network The Netmask and gateway...

Page 37: ...t the WAN 1 2 utility rate automatically according to the downstream upstream of WAN For users who are using various download bandwidth Round Robin The MH350 distributes the WAN 1 2 download bandwidth...

Page 38: ...o Internet or not The testing ways are as following ICMP To test if the connection is successful or not by the Ping IP you set DNS To test if the connection is successful or not by checking Domain Nam...

Page 39: ...DMZ network The DMZ includes NAT Mode In this mode the DMZ is an independent virtual subnet This virtual subnet can be set by the Administrator but cannot be the same as LAN Interface Transparent Mode...

Page 40: ...s in this chapter No Suitable Situation Example Page Ex1 LAN Modify LAN Interface Settings 41 Ex2 WAN Setting WAN Interface Address 42 Ex3 DMZ Setting DMZ Interface Address NAT Mode 50 Ex4 DMZ Setting...

Page 41: ...N Interface WebUI The default LAN IP Address is 192 168 1 1 After the Administrator setting the new LAN IP Address on the computer he she have to restart the System to make the new IP address effectiv...

Page 42: ...e and click Modify in WAN1 Interface The setting of WAN2 Interface is almost the same as WAN1 The difference is that WAN2 has a selection of Disable The System Administrator can close WAN2 Interface b...

Page 43: ...Name can select from Assist Figure3 4 Setting time of seconds between sending alive packet Figure3 3 ICMP Connection Figure 3 4 DNS Service Connection test is used for MH350 to detect if the WAN can c...

Page 44: ...nt 3 Enter Password as the password 4 Select Dynamic or Fixed in IP Address provided by ISP If you select Fixed please enter IP Address Netmask and Default Gateway 5 Enter Max Downstream Bandwidth and...

Page 45: ...tion Figure3 6 Complete PPPoE Connection Setting If the connection is PPPoE you can choose Service On Demand for WAN Interface to connect automatically when disconnect or to set up Auto Disconnect if...

Page 46: ...click on Clone MAC Address to obtain MAC IP automatically 4 Hostname Enter the hostname provided by ISP 5 Domain Name Enter the domain name provided by ISP 6 User Name and Password are the IP distrib...

Page 47: ...Figure3 7 Dynamic IP Address Connection Figure3 8 Complete Dynamic IP Connection Setting 47...

Page 48: ...ovided by ISP 3 Enter DNS Server1 and DNS Server2 In WAN2 the connecting of Static IP Address does not need to set DNS Server 4 Enter Max Downstream Bandwidth and Max Upstream Bandwidth According to t...

Page 49: ...work Interface users will be able to ping the MH350 and enter the WebUI WAN network It may influence network security The suggestion is to Cancel Ping and WebUI after all the settings have finished An...

Page 50: ...de STEP 1 Click DMZ Interface STEP 2 Select NAT Mode in DMZ Interface Select NAT in DMZ Interface Enter IP Address and Netmask STEP 3 Select Ping and HTTP STEP 4 Click OK Figure3 11 Figure3 11 Setting...

Page 51: ...Transparent Mode in DMZ Interface Select DMZ_Transparent in DMZ Interface STEP 1 Select Ping and HTTP STEP 2 Click OK Figure3 12 Figure 3 12 Setting DMZ Interface Address Transparent Mode WebUI In WA...

Page 52: ...create a control policy for packets of different IP addresses he can first add a new group in the LAN Group or the WAN Group and assign those IP addresses into the newly created group Using group addr...

Page 53: ...should be set as 255 255 255 255 When correspond to several IP of a specific Domain Take 192 168 100 1 C Class subnet as an example it should be set as 255 255 255 0 MAC Address Correspond a specific...

Page 54: ...n Example Page Ex1 LAN Under DHCP circumstances assign the specific IP to static users and restrict them to access FTP net service only through policy 55 Ex2 LAN Group WAN Set up a policy that only al...

Page 55: ...ress and enter the following settings Click New Entry button Figure4 1 Name Enter Rayearth IP Address Enter 192 168 3 2 Netmask Enter 255 255 255 255 MAC Address Enter the user s MAC Address 00 B0 18...

Page 56: ...f Restricting the Specific IP to Access to Internet STEP 3 Complete assigning the specific IP to static users in Outgoing Policy and restrict them to access FTP net service only through policy Figure4...

Page 57: ...ically In LAN of Address function the MH350 will default an Inside Any address represents the whole LAN network automatically Others like WAN DMZ also have the Outside Any and DMZ Any default address...

Page 58: ...Setup a policy that only allows partial users to connect with specific IP External Specific IP STEP 1 Setting several LAN network Address Figure4 5 Figure4 5 Setting Several LAN Network Address 58...

Page 59: ...e 4 6 Enter the Name of the group Select the users in the Available Address column and click Add Click OK Figure 4 7 Figure4 6 Add New LAN Address Group Figure4 7 Complete Adding LAN Address Group The...

Page 60: ...ollowing settings in WAN of Address function Click New Entry Figure4 8 Enter the following data Name IP Address Netmask Click OK Figure4 9 Figure4 8 Add New WAN Address Figure4 9 Complete the Setting...

Page 61: ...P 4 To exercise STEP1 3 in Policy Figre4 10 4 11 Figure4 10 To Exercise Address Setting in Policy Figure4 11 Complete the Policy Setting The Address function really take effect only if use with Policy...

Page 62: ...can be added There are three sub menus under Service which are Pre defined Custom and Group The Administrator can simply follow the instructions below to define the protocols and port numbers for net...

Page 63: ...63 it takes only one control policy to achieve the same effect as the 50 control policies...

Page 64: ...VDO Live WAIS WINFRAME X WINDOWS etc UDP Service For example IKE DNS NTP IRC RIP SNMP SYSLOG TALK TFTP UDP ANY UUCP etc ICMP Service Foe example PING TRACEROUTE etc New Service Name The System Manager...

Page 65: ...ow external user to communicate with internal user by VoIP through policy VoIP Port TCP 1720 TCP 15325 15333 UDP 15325 15333 65 Ex2 Group Setting service group and restrict the specific users only can...

Page 66: ...ernal user by VoIP through policy VoIP Port TCP 1720 TCP 15328 15333 UDP 15328 15333 STEP 1 Set LAN and LAN Group in Address function as follows Figure5 1 5 2 Figure5 1 Setting LAN Address Book WebUI...

Page 67: ...ange the Client Port and set the Server Port as 1720 1720 Protocol 2 select TCP need not to change the Client Port and set the Server Port as 15328 15333 Protocol 3 select UDP need not to change the C...

Page 68: ...gested If the port numbers that enter in the two spaces are different port number then enable the port number under the range between the two different port numbers for example 15328 15333 And if the...

Page 69: ...6 Complete the Policy for External VoIP to Connect with Internal VoIP STEP 5 In Outgoing Policy complete the setting of internal users using VoIP to connect with external network VoIP Figure5 7 Figure...

Page 70: ...urce that provided by this group through policy Group HTTP POP3 SMTP DNS STEP 1 Enter the following setting in Group of Service Click New Entry Figure 5 8 Name Enter Main_Service Select HTTP POP3 SMTP...

Page 71: ...Figure5 9 Complete the setting of Adding Service Group If you want to remove the service you choose from Selected Service choose the service you want to delete and click Remove 71...

Page 72: ...ress function Setting an Address Group that can include the service of access to Internet Figure5 10 Figure5 10 Setting Address Book Group STEP 3 Compare Service Group to Outgoing Policy Figure5 11 Fi...

Page 73: ...e Administrator can set the start time and stop time or VPN connection in Policy or VPN By using the Schedule function the Administrator can save a lot of management time and make the network system m...

Page 74: ...access to Internet in a day STEP 1 Enter the following in Schedule Click New Entry Figure6 1 Enter Schedule Name Set up the working time of Schedule for each day Click OK Figure6 2 Figure6 1 Setting...

Page 75: ...STEP 2 Compare Schedule with Outgoing Policy Figure6 3 Figure6 3 Complete the Setting of Comparing Schedule with Policy The Schedule must compare with Policy 75...

Page 76: ...tream Bandwidth To configure the Guaranteed Bandwidth and Maximum Bandwidth QoS Priority To configure the priority of distributing Upstream Downstream and unused bandwidth The MH350 configures the ban...

Page 77: ...Figure7 2 the Flow After Using QoS Max Bandwidth 400Kbps Guaranteed Bandwidth 200Kbps 77...

Page 78: ...ximum Bandwidth according to the bandwidth range you apply from ISP Priority To configure the priority of distributing Upstream Downstream and unused bandwidth Guaranteed Bandwidth The basic bandwidth...

Page 79: ...79 We set up two QoS examples in this chapter No Suitable Situation Example Page Ex1 QoS Setting a policy that can restrict the user s downstream and upstream bandwidth 79...

Page 80: ...stream bandwidth STEP 1 Enter the following settings in QoS Click New Entry Figure7 3 Name The name of the QoS you want to configure Enter the bandwidth in WAN1 WAN2 Select QoS Priority Click OK Figur...

Page 81: ...Figure7 6 Complete Policy Setting When the administrator are setting QoS the bandwidth range that can be set is the value that system administrator set in the WAN of Interface So when the System Admi...

Page 82: ...figuring the Authentication you can control the user s connection authority The user has to pass the authentication to access to Internet The MH350 configures the authentication of LAN s user by setti...

Page 83: ...ntication If idle time exceeds the time you setup the authentication will be invalid The default value is 30 minutes URL to redirect when authentication succeed The user who had passes Authentication...

Page 84: ...z When the user connect to external network by Authentication the following page will be displayed Figure8 2 Figure8 2 Authentication Login WebUI 84...

Page 85: ...sing Authentication Figure8 3 Figure8 3 Connecting to the Appointed Website After Authentication If the user ask for authentication positively can enter the LAN IP by the Authentication port number An...

Page 86: ...86 Auth User Name The user account for Authentication you want to set Password The password when setting up Authentication Confirm Password Enter the password that correspond to Password...

Page 87: ...es in this chapter No Suitable Situation Example Page Ex1 Auth User Auth Group Setting specific users to connect with external network only before passing the authentication of policy Adopt the built...

Page 88: ...ication of policy Adopt the built in Auth User and Auth Group Function STEP 1 Setup several Auth User in Authentication Figire8 4 Figure8 4 Setting Several Auth Users WebUI To use Authentication the D...

Page 89: ...ication function and enter the following settings Click New Entry Name Enter laboratory Select the Auth User you want and Add to Selected Auth User Click OK Complete the setting of Auth User Group Fig...

Page 90: ...STEP 3 Add a policy in Outgoing Policy and input the Address and Authentication of STEP 2 Figure8 6 8 7 90 Figure8 6 Auth User Policy Setting Figure8 7 Complete the Policy Setting of Auth User...

Page 91: ...to Internet Figure8 8 STEP 5 If the user does not need to access to Internet anymore and is going to logout he she can click LOGOUT Auth User to logout the system Or enter the Logout Authentication W...

Page 92: ...ey words and met character and Script Blocking The access authority of Popup ActiveX Java Cookies P2P Blocking The authority of sending files by eDonkey eMule Bit Torrent IM Blocking To restrict the a...

Page 93: ...Java Blocking Prevent Java packets Cookies Blocking Prevent Cookies packets eDonkey Blocking Prevent users to deliver files by eDonkey and eMule BitTorrent Blocking Prevent users to deliver files by B...

Page 94: ...94 Sub name file Blocking Prevent users to deliver specific sub name file by http All Type Prevent users to send the Audio Video types and sub name file etc by http protocol...

Page 95: ...trict the Internal Users to access to Script file of Website 98 Ex3 P2P Blocking Restrict the Internal Users to access to the file on Internet by P2P 100 Ex4 IM Blocking Restrict the Internal Users to...

Page 96: ...nt to open up in URL String While adding you must enter the symbol in front of the complete domain name or key word that represents to open these website to enter For example www kcg gov tw or gov 2 A...

Page 97: ...ring function Click New Entry URL String Enter yahoo and click OK Click New Entry URL String Enter google and click OK Click New Entry URL String Enter and click OK Complete setting a URL Blocking pol...

Page 98: ...icy Setting STEP 3 Complete the policy of permitting the internal users only can access to some specific website in Outgoing Policy function Figure9 3 Figure9 3 Complete Policy Settings Afterwards the...

Page 99: ...ebsite STEP 1 Select the following data in Script of Content Blocking function Select Popup Blocking Select ActiveX Blocking Select Java Blocking Select Cookies Blocking Click OK Complete the setting...

Page 100: ...mplete the policy of restricting the internal users to access to Script file of Website in Outgoing Policy Figure9 6 Figure9 6 Complete Script Blocking Policy Setting The users may not use the specifi...

Page 101: ...e on Internet by P2P STEP 1 Select the following data in P2P of Content Blocking function Select eDonkey Blocking Select BitTorrent Blocking Select WinMX Blocking Click OK Complete the setting of P2P...

Page 102: ...e on Internet by P2P in Outgoing Policy Figure9 9 Figure9 9 Complete P2P Blocking Policy Setting P2P Transfer will occupy large bandwidth so that it may influence other users And P2P Transfer can chan...

Page 103: ...d audio by Instant Messaging STEP 1 Enter as following in IM Blocking of Content Blocking function Select MSN Messenger Yahoo Messenger ICQ Messenger QQ Messenger and Skype Click OK Complete the setti...

Page 104: ...function Figire9 11 Figure9 11 Add New IM Blocking Policy STEP 3 Complete the policy of restricting the internal users to send message files audio and video by instant messaging in Outgoing Policy Fi...

Page 105: ...some specific sub name file from http or ftp protocol directly STEP 1 Enter the following settings in Download of Content Blocking function Select All Types Blocking Click OK Complete the setting of D...

Page 106: ...14 Figure9 14 Add New Download Blocking Policy Setting STEP 3 Complete the Outgoing Policy of restricting the internal users to access to video audio and some specific sub name file by http protocol...

Page 107: ...0 s Virtual Server function can solve this problem A Virtual Server has set the real IP address of the MH350 s WAN network interface to be the Virtual Server IP Through the Virtual Server function the...

Page 108: ...he external users cannot connect to its private IP Address directly The user must connect to the MH350 s WAN subnet s Real IP and then map Real IP to Private IP of LAN by the MH350 It is a one to one...

Page 109: ...rt Number The service name that provided by the Virtual Server External Service Port The WAN Service Port that provided by the virtual server If the service you choose only have one port and then you...

Page 110: ...hrough policy by Virtual Server Take Web service for example 113 Ex3 Virtual Server The external user use VoIP to connect with VoIP of LAN VoIP Port TCP 1720 TCP 15328 15333 UDP 15328 15333 116 Ex4 Vi...

Page 111: ...is External DNS Server STEP 2 Enter the following setting in LAN of Address function Figure10 1 Figure10 1 Mapped IP Settings of Server in Address STEP 3 Enter the following data in Mapped IP of Virtu...

Page 112: ...same time Figure10 3 Figure10 3 Service Setting STEP 5 Add a policy that includes settings of STEP3 4 in Incoming Policy Figure10 4 Figure10 4 Complete the Incoming Policy STEP 6 Add a policy that inc...

Page 113: ...apped IP Figure10 6 Figure10 6 A Single Server that Provides Several Services by Mapped IP Strong suggests not to choose ANY when setting Mapped IP and choosing service Otherwise the Mapped IP will be...

Page 114: ...gle service to provide service through policy by Virtual Server Take Web service for example STEP 1 Setting several servers that provide Web service in LAN network which IP Address is 192 168 1 101 19...

Page 115: ...stance Click OK Figure10 7 Figure10 7 Virtual Server Real IP Setting Click New Entry Service Select HTTP 80 External Service Port Change to 8080 Load Balance Server1 Enter 192 168 1 101 Load Balance S...

Page 116: ...Virtual Server Policy Setting In this example the external users must change its port number to 8080 before entering the Website that set by the Web server STEP 4 Complete the setting of providing a...

Page 117: ...5328 15333 STEP 1 Set up VoIP in LAN network and its IP is 192 168 1 100 STEP 2 Enter the following setting in LAN of Address function Figure10 11 Figure10 11 Setting LAN Address WebUI STEP 3 Add new...

Page 118: ...ick New Entry Service Select Custom Service VoIP_Service External Service Port From Service Custom Load Balance Server1 Enter 192 168 1 100 Click OK Complete the setting of Virtual Server Figure10 14...

Page 119: ...TEP4 Figure10 15 Figure10 15 Complete the Policy includes Virtual Server Setting STEP 6 Enter the following setting of the internal users using VoIP to connect with external network VoIP in Outgoing P...

Page 120: ...xternal internal user using specific service to communicate with each other by Virtual Server Figure10 17 Figure10 17 Complete the Setting of the External Internal User using specific service to commu...

Page 121: ...rvers that provide several services in LAN network Its network card s IP is 192 168 1 101 192 168 1 102 192 168 1 103 192 168 1 104 and the DNS setting is External DNS server STEP 2 Enter the followin...

Page 122: ...STEP 3 Group the service of server in Custom of Service Add a Service Group for server to send e mail at the same time Figure10 20 Figure10 20 Add New Service Group 122...

Page 123: ...P Enter 211 22 22 23 click Assist for assistance Click OK Figure10 21 Figure10 21 Virtual Server Real IP Setting Click New Entry Service Select Group Service Main_Service External Service Port From Se...

Page 124: ...STEP 3 Figure10 23 Figure10 23 Complete Incoming Policy Setting STEP 6 Add a new policy that includes the settings of STEP2 3 in Outgoing Policy It makes server can send e mail to external mail serve...

Page 125: ...STEP 7 Complete the setting of providing several services by Virtual Server Figure10 25 Figure10 25 Complete the Setting of Providing Several Services by Several Virtual Server 125...

Page 126: ...system manager can create a VPN connection using Autokey IKE Autokey IKE Internet Key Exchange provides a standard method to negotiate keys between two security gateways Also set up IPSec Lifetime an...

Page 127: ...stablishment of Security Associations SAs Main Mode This is another first phase of the Oakley protocol in establishing a security association but instead of using three packets like in aggressive mode...

Page 128: ...last for the next 20 to 30 years NULL Algorithm It is a fast and convenient connecting mode to make sure its privacy and authentication without encryption NULL Algorithm doesn t provide any other saf...

Page 129: ...he VPN name to identify the IPSec Autokey definition The name must be the only one and cannot be repeated Gateway IP The WAN interface IP address of the remote Gateway IPSec Algorithm To display the A...

Page 130: ...Chart Meaning Not be applied Disconnect Connecting User Name Display the PPTP Client user s name when connecting to PPTP Server Client IP Display the PPTP Client s IP address when connecting to PPTP...

Page 131: ...erver IP or Domain Name Display the PPTP Server IP addresses or Domain Name when connecting to PPTP Server Encryption Display PPTP Client and PPTP Server transmission whether opens the encryption auth...

Page 132: ...The name must be the only one and cannot be repeated Source Subnet Displays the Source Subnet Destination Subnet Displays the Destination Subnet IPSec PPTP Displays the Virtual Private Network s IPSec...

Page 133: ...e set up two VPN examples in this chapter No Suitable Situation Example Page Ex1 IPSec Autokey Setting IPSec VPN connection between two MH350 133 Ex2 PPTP Setting PPTP VPN connection between two MH350...

Page 134: ...a VPN connection with Company B 192 168 20 100 for downloading the sharing file The Default Gateway of Company A is the LAN IP of the MH350 192 168 10 1 Follow the steps below STEP 1 Enter the default...

Page 135: ...ey max 100 bits Figure11 8 Figure11 8 IPSec Authentication Method Setting STEP 5 Select ISAKMP Algorithm in Encapsulation list Choose the Algorithm when setup connection Please select ENC Algorithm 3D...

Page 136: ...make sure the encapsulation way for data transmission Figure11 10 Figure11 10 IPSec Algorithm Setting STEP 7 After selecting GROUP1 in Perfect Forward Secrecy enter 3600 seconds in ISAKMP Lifetime ent...

Page 137: ...137...

Page 138: ...e Subnet Mask Enter 192 168 10 0 255 255 255 0 To Destination Select To Destination Subnet Mask To Destination Subnet Mask Enter 192 168 20 0 255 255 255 0 IPSec PPTP Setting Select VPN_A Select Show...

Page 139: ...igure11 15 Authentication User Select All_NET Schedule Select Schedule_1 QoS Select QoS_1 Tunnel Select IPSec_VPN_Tunnel Click OK Figure11 16 Figure11 15 Setting the VPN Tunnel Outgoing Policy Figure1...

Page 140: ...Incoming Policy Figure11 17 Schedule Select Schedule_1 QoS Select QoS_1 Tunnel Select IPSec_VPN_Tunnel Click OK Figure11 18 Figure11 17 Setting the VPN Tunnel Incoming Policy Figure11 18 Complete the...

Page 141: ...of System Configure function Figure11 19 Figure11 19 Multiple Subnet Setting STEP 2 Enter the default IP of Gateway of Company B s MH350 192 168 20 1 and select IPSec Autokey in VPN Click New Entry Fi...

Page 142: ...y max 100 bits Figure11 23 Figure11 23 IPSec Authentication Method Setting STEP 6 Select ISAKMP Algorithm in Encapsulation list Choose the Algorithm when setup connection Please select ENC Algorithm 3...

Page 143: ...make sure the encapsulation way for data transmission Figure11 25 Figure11 25 IPSec Algorithm Setting STEP 8 After selecting GROUP1 in Perfect Forward Secrecy enter 3600 seconds in ISAKMP Lifetime ent...

Page 144: ...ource Subnet Mask Enter 192 168 20 0 255 255 255 0 To Destination Select To Destination Subnet Mask To Destination Subnet Mask Enter 192 168 10 0 255 255 255 0 IPSec PPTP Setting Select VPN_B Select S...

Page 145: ...cy Figure11 30 Authentication User Select All_NET Schedule Select Schedule_1 QoS Select QoS_1 Tunnel Select IPSec_VPN_Tunnel Click OK Figure11 31 Figure11 30 Setting the VPN Tunnel Outgoing Policy Fig...

Page 146: ...Incoming Policy Figure11 32 Schedule Select Schedule_1 QoS Select QoS_1 Tunnel Select IPSec_VPN_Tunnel Click OK Figure11 33 Figure11 32 Setting the VPN Tunnel Incoming Policy Figure11 33 Complete the...

Page 147: ...STEP 13 Complete IPSec VPN Connection Figure11 34 Figure 11 34 IPSec VPN Connection Deployment 147...

Page 148: ...Company A WAN IP 61 11 11 11 LAN IP 192 168 10 X Company B WAN IP 211 22 22 22 LAN IP 192 168 20 X This example takes two MH350 as flattop Suppose Company B 192 168 20 100 is going to have VPN connec...

Page 149: ...of VPN function in the MH350 of Company A Select Modify and enable PPTP Server Select Encryption Client IP Range Enter 192 44 75 1 254 Idle Time Enter 0 Figure11 35 Figure11 35 Enable PPTP VPN Server...

Page 150: ...ion in the MH350 of Company A Select New Entry Figure11 36 User Name Enter PPTP_Connection Password Enter 123456789 Client IP assigned by Select IP Range Click OK Figure11 37 Figure 11 36 PPTP VPN Ser...

Page 151: ...sk Enter 192.168.10.0 255.255.255.0 To Destination Select To Destination Subnet Mask To Destination Subnet Mask Enter 192.168.20.0 255.255.255.0 IPSec PPTP Setting Select PPTP_Server_PPTP_Connection S...

Page 152: ...igure11 40 Authentication User Select All_NET Schedule Select Schedule_1 QoS Select QoS_1 Tunnel Select PPTP_VPN_Tunnel Click OK Figure11 41 Figure11 40 Setting the VPN Tunnel Outgoing Policy Figure11...

Page 153: ...Incoming Policy Figure11 42 Schedule Select Schedule_1 QoS Select QoS_1 Tunnel Select PPTP_VPN_Tunnel Click OK Figure11 43 Figure11 42 Setting the VPN Tunnel Incoming Policy Figure11 43 Complete the V...

Page 154: ...ttings in PPTP Client of VPN function in the MH350 of Company B Click New Entry Button Figure11 44 User Name Enter PPTP_Connection Password Enter 123456789 Server IP or Domain Name Enter 61.11.11.11 Se...

Page 155: ...sk Enter 192.168.20.0 255.255.255.0 To Destination Select To Destination Subnet Mask To Destination Subnet Mask Enter 192.168.10.0 255.255.255.0 IPSec PPTP Setting Select PPTP_Client_PPTP_Connection S...

Page 156: ...igure11 48 Authentication User Select All_NET Schedule Select Schedule_1 QoS Select QoS_1 Tunnel Select PPTP_VPN_Tunnel Click OK Figure11 49 Figure11 48 Setting the VPN Tunnel Outgoing Policy Figure11...

Page 157: ...Incoming Policy Figure11 50 Schedule Select Schedule_1 QoS Select QoS_1 Tunnel Select PPTP_VPN_Tunnel Click OK Figure11 51 Figure11 50 Setting the VPN Tunnel Incoming Policy Figure11 51 Complete the V...

Page 158: ...158 STEP 5 Complete PPTP VPN Connection Figure11 52 Figure 11 52 PPTP VPN Connection Deployment...

Page 159: ...applications are able to pass through the MH350 How to use Policy The device uses policies to filter packets The policy settings are source address destination address services permission packet log p...

Page 160: ...The system manager can set all the policy rules of DMZ to LAN packets in this function 6 DMZ to WAN The source IP is in DMZ network the destination is in WAN network The system manager can set all th...

Page 161: ...Port Control actions to permit or reject packets that delivered between LAN network and WAN network when pass through MH350 See the chart and illustration below Chart Name Illustration Permit all WAN...

Page 162: ...tion User Schedule Enable the policy to automatically execute the function in a certain time Content Blocking Enable Content Blocking QoS Enable QoS Traffic Log Record all the packets that go through...

Page 163: ...plus connection cannot be set successfully QoS Setting the Guarantee Bandwidth and Maximum Bandwidth of the Policy the bandwidth is shared by the users who correspond to the Policy Move Every packet t...

Page 164: ...mple 166 Ex3 Outgoing Only allow the users who pass Authentication to access to Internet in particular time 171 Ex4 Incoming The external user control the internal PC through remote control software T...

Page 165: ...the internal users Take Logging Statistics and Alarm Threshold for example STEP 1 Enter the following setting in Outgoing Policy Click New Entry Select Logging Select Statistics Click OK Figure12 1 Fi...

Page 166: ...s and Alarm Threshold in Outgoing Policy Figure12 2 Figure12 2 Complete Policy Setting STEP 3 Obtain the information in Traffic of Log function if you want to monitor all the packets of the MH350 Figu...

Page 167: ...STEP 4 To display the traffic record that through Policy to access to Internet in Policy Statistics of Statistics function Figure12 4 Figure12 4 Statistics WebUI 167...

Page 168: ...for example STEP 1 Enter the following setting in URL Blocking Script Blocking P2P Blocking IM Blocking and Download Blocking in Content Blocking function Figure12 5 12 6 12 7 12 8 12 9 Figure12 5 URL...

Page 169: ...file of Website Java Cookies etc 3 P2P Blocking can restrict the Internal Users to access to the file on Internet by P2P eDonkey BT 4 IM Blocking can restrict the Internal Users to send message files...

Page 170: ...WAN Group of Address function Figure12 10 12 11 Figure12 10 Setting the WAN IP that going to block Figure12 11 WAN Address Group The Administrator can group the custom address in Address It is more co...

Page 171: ...e following setting in Outgoing Policy Click New Entry Destination Address Select WAN_Group that set by STEP 2 Blocking by IP Action WAN Port Select Deny Click OK Figure12 12 Figure12 12 Setting Block...

Page 172: ...ntent Blocking Policy STEP 5 Complete the setting of forbidding the users to access to specific network Figure12 14 Figure12 14 Complete Policy Setting Deny in Policy can block the packets that corres...

Page 173: ...n Schedule function Figure12 15 Figure12 15 Add New Schedule STEP 2 Enter the following in Auth User and Auth User Group in Authentication function Figure12 16 Figure12 16 Setting Auth User Group The...

Page 174: ...t laboratory Schedule Select WorkingTime Click OK Figure12 17 Figure12 17 Setting a Policy of Authentication and Schedule STEP 4 Complete the policy rule of only allows the users who pass authenticati...

Page 175: ...ftware Take pcAnywhere for example STEP 1 Set up an Internal PC controlled by external user and Internal PC's IP Address is 192.168.1.2 STEP 2 Enter the following setting in Virtual Server1 of Virtual...

Page 176: ...r1 61.11.11.12 Service Select PC Anywhere 5631 5632 Click OK Figure12 20 Figure12 20 Setting the External User Control the Internal PC Policy STEP 4 Complete the policy for the external user to contro...

Page 177: ...is 192.168.3.1/24 STEP 2 Enter the following setting in Virtual Server1 of Virtual Server function Figure12 22 Figure12 22 Setting up Virtual Server Corresponds to FTP Server When using the function o...

Page 178: ...Service Select FTP 21 QoS Select FTP_QoS MAX Concurrent Sessions Enter 100 Click OK Figure12 24 Figure12 24 Add New Policy STEP 5 Complete the policy of restricting the external users to access to in...

Page 179: ...ddress as 61.11.11.12 The DNS setting is external DNS Server STEP 2 Add the following setting in DMZ of Address function Figure12 26 Figure12 26 the Mail Server's IP Address Corresponds to Name Settin...

Page 180: ...Address Select Mail_Server Service Select E mail Click OK Figure12 28 Figure12 28 Setting a Policy to access Mail Service by WAN to DMZ STEP 5 Complete the policy to access mail service by WAN to DMZ...

Page 181: ...ddress Select Mail_Server Service Select E mail Click OK Figure12 30 Figure12 30 Setting a Policy to access Mail Service by LAN to DMZ STEP 7 Complete the policy to access mail service by LAN to DMZ F...

Page 182: ...ddress Select Mail_Server Service Select E mail Click OK Figure12 32 Figure12 32 Setting the Policy of Mail Service by DMZ to WAN STEP 9 Complete the policy access to mail service by DMZ to WAN Figure...

Page 183: ...d attacks from hackers and the internal PC sending large DDoS attacks The Internal Alert and External Alert will start on blocking these packets to maintain the whole network In this chapter we will h...

Page 184: ...ing one and then the device will determine it as an attack SYN Flood Threshold Blocking Time Per Source IP Seconds When the MH350 determines as being attacked it will block the attacking source IP add...

Page 185: ...broadcasting your network is experiencing an UDP attack UDP Flood Threshold Total Pkts Sec The System Administrator can enter the maximum number of UDP packets per second that is allow to enter the ne...

Page 186: ...on to detect the port scans hackers use to continuously scan networks on the Internet to detect computers and vulnerable ports that are opened by those computers Detect Tear Drop Attack Select this op...

Page 187: ...TCP header is marked Enable this function to detect such abnormal packets After System Manager enable External Alert if the MH350 has detected any abnormal situation the alarm message will appear in E...

Page 188: ...hreshold sessions of infected Blaster per Source IP the default value is 30 Sessions Sec Select Enable Blaster Blocking and enter the Blocking Time the default time is 60 seconds Select Enable E Mail...

Page 189: ...in the Internal Alarm in Attack Alarm or send NetBIOS Alert notification to the infected PC Administrator s PC Figure16 2 16 3 16 4 If the Administrator starts the E Mail Alert Notification in Settin...

Page 190: ...Figure16 4 NetBIOS Alert Notification to Administrator s PC 190...

Page 191: ...Figure16 5 E mail Virus Alert 191...

Page 192: ...to maintain the whole network External Alarm When MH350 detects attacks from hackers it writes attacking data in the External Alarm file and sends an e mail alert to the Administrator to take emergenc...

Page 193: ...xamples in the chapter No Suitable Situation Example Page Ex 1 Internal Alarm To record the DDoS attack alarm from internal PC 192 Ex 2 External Alarm To record the attack alarm about Hacker attacks t...

Page 194: ...rd the DDoS attack alarm from internal PC STEP 1 Select Internal Alarm in Attack Alarm when the device detects DDoS attacks and then can know which computer is being affected Figure17 1 Figure17 1 Int...

Page 195: ...arm To record the attack alarm about Hacker attacks the MH350 and Intranet STEP 1 Select the following settings in External Alert in Alert Setting function Figure17 2 Figure17 2 External Alert Setting...

Page 196: ...STEP 2 When Hacker attacks the MH350 and Intranet select External Alarm in Attack Alarm function to have detailed records about the hacker attacks Figure17 3 Figure17 3 External Alarm WebUI 196...

Page 197: ...d for each control policy Event Log record the contents of System Configurations changes made by the Administrator such as the time of change settings that change the IP address used to log in etc Con...

Page 198: ...ort that users use to access to Internet or Intranet by MH350 197 Ex 2 Event Log To record the detailed management events such as Interface and event description of MH350 of the Administrator 202 Ex 3...

Page 199: ...ss to Internet or Intranet by MH350 STEP 1 Add new policy in DMZ to WAN of Policy and select Enable Logging Figure18 1 Figure18 1 Logging Policy Setting STEP 2 Complete the Logging Setting in DMZ to W...

Page 200: ...STEP 3 Click Traffic Log It will show up the packets records that pass this policy Figure18 3 Figure18 3 Traffic Log WebUI 200...

Page 201: ...Click on a specific IP of Source IP or Destination IP in Figure18 3 it will prompt out a WebUI about Protocol and Port of the IP Figure18 4 Figure18 4 The WebUI of detecting the Traffic Log by IP Addr...

Page 202: ...ick on Download Logs and select Save in File Download WebUI And then choose the place to save in PC and click OK the records will be saved instantly Figure18 5 Figure18 5 Download Traffic Log Records...

Page 203: ...STEP 6 Click Clear Logs and click OK on the confirm WebUI the records will be deleted from the MH350 instantly Figure18 6 Figure18 6 Clearing Traffic Log Records WebUI 203...

Page 204: ...iled management events such as Interface and event description of MH350 of the Administrator STEP 1 Click Event log of LOG The management event records of the administrator will show up Figure18 7 Fig...

Page 205: ...lick on Download Logs and select Save in File Download WebUI And then choose the place to save in PC and click OK the records will be saved instantly Figure18 8 Figure18 8 Download Event Log Records W...

Page 206: ...STEP 3 Click Clear Logs and click OK on the confirm WebUI the records will be deleted from the MH350 Figure18 9 Figure18 9 Clearing Event Log Records WebUI 206...

Page 207: ...Connection Log To Detect Event Description of WAN Connection STEP 1 Click Connection in LOG It can show up WAN Connection records of the MH350 Figure18 10 Figure18 10 Connection records WebUI 207...

Page 208: ...on Download Logs and select Save in File Download WebUI And then choose the place to save in PC and click OK the records will be saved instantly Figure18 11 Figure18 11 Download Connection Log Record...

Page 209: ...STEP 3 Click Clear Logs and click OK on the confirm WebUI the records will be deleted from the MH350 instantly Figure18 12 Figure18 12 Clearing Connection Log Records WebUI 209...

Page 210: ...igure18 13 Figure18 13 E mail Setting WebUI STEP 2 Enter Log Backup in Log select Enable Log Mail Support and click OK Figure18 14 Figure18 14 Log Mail Configuration WebUI After Enable Log Mail Suppor...

Page 211: ...settings in Syslog Settings Select Enable Syslog Messages Enter the IP in Syslog Host IP Address that can receive Syslog Enter the receive port in Syslog Host Port Click OK Complete the setting Figure...

Page 212: ...Report Administrator can use this Accounting Report to inquire the LAN IP users and WAN IP users and to gather the statistics of Downstream Upstream First packet Last packet Duration and the Service...

Page 213: ...Accounting Report and Inbound Accounting Report Outbound Accounting Report It is the statistics of the downstream and upstream of the LAN WAN and all kinds of communication network services Source IP...

Page 214: ...ng report will be shown when WAN user uses MH350 to connect to LAN Service Server Source IP The IP address used by WAN users who use MH350 Destination IP The IP address used by LAN service server who...

Page 215: ...erver which uses MH350 to LAN user Upstream The percentage of upstream and the value of each LAN user who uses MH350 to WAN service server First Packet When the first packet is sent to WAN service ser...

Page 216: ...Figure19 1 Outbound Source IP Statistics Report 216...

Page 217: ...server which uses MH350 to LAN user Upstream The percentage of upstream and the value of each LAN user who uses MH350 to WAN service server First Packet When the first packet is sent from WAN service...

Page 218: ...Figure19 2 Outbound Destination IP Statistics Report 218...

Page 219: ...Downstream The percentage of downstream and the value of each WAN service server who uses MH350 to connect to LAN user Upstream The percentage of upstream and the value of each LAN user who uses MH350...

Page 220: ...Outbound Services Statistics Report Figure19 4 According to the downstream upstream report of the selected TOP numbering to draw the Protocol Distribution chart Press to return to Accounting Report w...

Page 221: ...s MH350 to LAN service server Upstream The percentage of Upstream and the value of each LAN service server who uses MH350 to WAN users First Packet When the first packet is sent from WAN users to LAN...

Page 222: ...Figure19 5 Inbound Top Users Statistics Report 222...

Page 223: ...to LAN service server Upstream The percentage of Upstream and the value of each LAN service server who uses MH350 to WAN users First Packet When the first packet is sent from WAN users to LAN service...

Page 224: ...Figure19 6 Inbound Destination IP Statistics Report 224...

Page 225: ...rver Downstream The percentage of downstream and the value of each WAN user who uses MH350 to LAN service server Upstream The percentage of upstream and the value of each LAN service server who uses M...

Page 226: ...Figure19 7 Inbound Services Statistics Report Figure19 8 According to the downstream upstream report of the selected TOP numbering to draw the Protocol Distribution chart 226...

Page 227: ...Interface Policy Statistics The statistics of Downstream Upstream packets and Downstream Upstream traffic record that pass Policy In this chapter the Administrator can inquire the MH350 for statistic...

Page 228: ...r can know which Policy is the Policy Statistics belonged to Time To detect the statistics by minutes hours days months or years Bits sec Bytes sec Utilization Total The unit that used by Y Coordinate...

Page 229: ...nction of WAN Interface When enable WAN Interface it will enable WAN Statistics too STEP 2 In the Statistics window find the network you want to check and click Minute on the right side and then you w...

Page 230: ...STEP 3 Statistics Chart Figure20 2 Y Coordinate Network Traffic Kbytes Sec X Coordinate Time Hour Minute Figure20 2 To Detect WAN Statistics 230...

Page 231: ...the Statistics in Policy first STEP 2 In the Statistics WebUI find the network you want to check and click Minute on the right side and then you will be able to check the Statistics chart every minute...

Page 232: ...STEP 3 Statistics Chart Figure20 4 Y Coordinate Network Traffic Kbytes Sec X Coordinate Time Hour Minute Day Figure20 4 To Detect Policy Statistics 232...

Page 233: ...tmask Default Gateway DNS Server Connection and its IP etc Interface Display all of the current Interface status of the MH350 Authentication The Authentication information of MH350 ARP Table Record al...

Page 234: ...f the Interface Ping WebUI To display whether the users can Ping to the MH350 from the Interface or not or enter its WebUI Forwarding Mode The connection mode of the Interface Connection Status To dis...

Page 235: ...Figure21 1 Interface Status 235...

Page 236: ...it will display the record of login status Figure21 2 IP Address The authentication user IP Auth User Name The account of the auth user to login Login Time The login time of the user Year Month Day H...

Page 237: ...Address and the Interface information which is connecting to the MH350 Figure21 3 NetBIOS Name The identified name of the network IP Address The IP Address of the network MAC Address The identified n...

Page 238: ...CP Clients that are connected to the MH350 Figure21 4 IP Address The dynamic IP that provided by DHCP Server MAC Address The IP that corresponds to the dynamic IP 238 Leased Time The valid time of the...
