CS-2001 UTM Content Security Gateway User’s Manual

Summary of Contents for CS-2001

Page 1: ...CS 2001 UTM Content Security Gateway User s Manual 0 UTM Content Security Gateway CS 2001 User s Manual ...

Page 2: ...ither implied or expressed with respect to the quality performance merchantability or fitness for a particular purpose PLANET has made every effort to ensure that this User s Manual is accurate PLANET disclaims liability for any inaccuracies or omissions that may have occurred Information in this User s Manual is subject to change without notice and does not represent a commitment on the part of P...

Page 3: ...interference and 2 this Device must accept any interference received including interference that may cause undesired operation R TTE Compliance Statement This equipment complies with all the requirements of DIRECTIVE 1999 5 EC OF THE EUROPEAN PARLIAMENT AND THE COUNCIL OF 9 March 1999 on radio equipment and telecommunication terminal Equipment and the mutual recognition of their conformity R TTE T...

Page 4: ...rity Gateway serial number and MAC address Any error messages that displayed when the problem occurred Any software running when the problem occurred Steps you took to resolve the problem on your own Revision User s Manual for PLANET UTM Content Security Gateway Model CS 2001 Rev 1 0 Dec 2010 PartNo EM CS2001v1 ...

Page 5: ... 2 Date Time 52 2 3 Multiple Subnet 53 2 4 Route Table 67 2 5 DHCP 71 2 6 DDNS 76 2 7 Host Table 78 2 8 SNMP 79 2 9 Language 81 Interface 82 Chapter 3 Interface 83 3 1 Example 91 Policy Object 130 Chapter 4 Address 131 4 1 Example 134 Chapter 5 Service 142 5 1 Example of Pre defined 144 5 2 Example of Service Group 148 Chapter 6 Schedule 152 6 1 Example 154 Chapter 7 QoS 156 7 1 Example 158 Chapte...

Page 6: ...il Notice 446 12 5 Queued Mail 449 12 6 Mail Signatures 451 Chapter 13 Anti Spam 453 13 1 Example 464 Chapter 14 Anti Virus 533 14 1 Example 536 Chapter 15 Mail Reports 557 15 1 Statistics 566 15 2 Logs 567 Web Filter 569 Chapter 16 Configuration 570 16 1 Example 577 Chapter 17 Reports 594 17 1 Statistics 599 17 2 Logs 603 IDP 604 Chapter 18 Configuration 605 Chapter 19 Signatures 610 19 1 Example...

Page 7: ...7 Logs 751 27 1 Traffic 759 27 2 Event 763 27 3 Connection 765 27 4 Viruses 767 27 5 Application Blocking 771 27 6 Concurrent Sessions 773 27 7 Quota 776 27 8 Log Backup 779 Chapter 28 Accounting Reports 782 28 1 Flow Analysis 788 28 2 Today s Top Chart 789 28 3 Historical Top Chart 796 Chapter 29 Traffic Grapher 797 29 1 WAN Traffic 799 29 2 Policy Based Traffic 803 Chapter 30 Diagnostic Tools 80...

Page 8: ...7 32 1 Interface 817 32 2 System Info 819 32 3 Authentication 821 32 4 ARP Table 822 32 5 Sessions Info 825 32 6 DHCP Clients 827 ...

Page 9: ...8 Quick Installation Guide ...

Page 10: ...s serial port for checking network interface setting and can reset to factory setting Ethernet Port 1 2 3 4 can be set as a LAN Port Connects to the Intranet WAN Port Connects to the perimeter router DMZ Port The demilitarized zone (DMZ) is a physical subnet for securing the Local Area Network It allows external users to access the company’s external network Power Indicator HDD Indicator Consol...

Page 11: ...onnected to other network device Blinks to indicate there is traffic on the port LED2 Orange Steady on indicates the port is connected at 1000Mbps speed Green Steady on indicates the port is connected at 100Mbps speed Off The LED is off to indicate the port is connected at 10Mbps speed ...

Page 12: ...11 CS 2001 Topology Figure2 Topology of the CS 2001 ...

Page 13: ...witch and launch a browser (e.g. IE or Firefox) to access the management interface address, which is set to http://192.168.1.1 by default Step 2 You will be prompted for user name and password when accessing the management interface; both user name and password are admin by default Figure 3 Typing the User Name and Password ...

Page 14: ...Overview of Functions Configuration Panel Displays the data or configurable settings of the corresponding item selected on the Menu Panel Figure 4 The CS-2001 User Interface Note 1 For your reference you may configure your management address based on the available subnet ranges below: 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255 ...

Page 15: ...rd will appear to guide you through setting some of the basic settings required System Configuration Installation Wizard Figure5 The Install Wizard Step 5 Select the language for the user interface and the default character encoding Figure6 Selecting the Language and Default Character Encoding ...

Page 16: ...r if the LAN interface was changed to 172.16.0.1 (subnet mask 255.255.255.0) the IT administrator must configure each PC in the subnet using an available IP address from this subnet Setting Select Port1 LAN1 Interface Select LAN LAN Interface Mode Select NAT Routing Mode Fill in the IP Address and Netmask fields Figure 7 Interface Settings Important 1 Note Once the LAN interface is changed please ente...

Page 17: ...onfigure the WAN Interface please refer to your ISP for the settings Setting Select Port2 WAN1 Interface Select WAN Connection Mode Select the required mode Configure the remaining settings Figure 8 The WAN Settings ...

Page 18: ...17 Step 8 Tick the Synchronize to an NTP Server box to ensure the system is provided with the accurate time Figure9 Time Settings Step 9 Enable Outgoing Figure10 Enabling an Outgoing Policy ...

Page 19: ...figure all LAN PC addresses within the same domain as the LAN interface address which is also the default gateway address for the LAN Or simply by using the DHCP to enable LAN PCs to obtain IP addresses users may have Internet access right after configuring DHCP To configure any network policies please go to Policy Object and Policy Step 10 Provide the following CS 2001 interface information to LA...

Page 20: ...19 Step 11 Settings complete Figure13 Installation Wizard Completed ...

Page 21: ...cations configuring the Syslog settings configuring the Web management port configuring the Proxy settings configuring the max number of items shown per page etc Chapter 2 Date Time Synchronizes the time between the system and the device Multiple Subnets For Adding the multiple subnets to facilitate the internal network s distribution Routing Table Assigns a gateway for packets going to specific d...

Page 22: ...bject Address LAN Groups LAN IPs WAN IPs and DMZ IPs Chapter 4 LAN Group WAN WAN Group DMZ DMZ Group Service Pre defined Defines and classifies services Chapter 5 Custom Group Schedule Settings Schedules the network s usage Chapter 6 QoS Settings Allocates downstream upstream bandwidth for each WAN Chapter 7 Authentication Settings Authenticates internal users using RADIUS POP3 or LDAP or local au...

Page 23: ... Configures the max virus spam mail scanning size tags for unscanned mail IP address or domain name for Web mail notice storage time of quarantined logs etc Chapter 12 Mail Domains Filtering emails from different domain names and identifying the direction Account Manager Manages the user accounts and enables them to access the Personal Email Viewer Mail Relay Sends the scanned emails to the design...

Page 24: ...rom accessing specific URLs via HTTP MIME Script and blocks the transferring of specific file extension via FTP or HTTP Blacklist Category File Extension MIME Script Group Reports Settings Provides the statistics in the form of logs and charts The statistics can be sent to the designated recipient periodically Chapter 17 Statistics Logs IDP Configuration Settings Updating the signature definitions...

Page 25: ...pplication blocking etc Chapter 22 Incoming WAN to DMZ LAN to DMZ DMZ to WAN DMZ to LAN LAN to LAN DMZ to DMZ Anomaly Flow IP Settings Configuring the traffic threshold per IP enabling the anomaly flow IP blocking e mail alert notification core switch port blocking anomaly traffic user warning message detection excluded IP etc Chapter 23 Virus infected IP Displays a list of IP addresses detected a...

Page 26: ...on Blocking For checking the application blocking log Concurrent Sessions For checking the concurrent sessions log Quota For checking the quota log Accounting Reports Settings Monitors web site access service traffic etc statistics of internal and external users Chapter 28 Flow Analysis Today s Top Chart Historical Top Chart Traffic Grapher WAN Traffic Displays the usage statistics from the WAN in...

Page 27: ...plays the auth user list ARP Table Displays a list of all current IP and MAC addresses that have accessed the network Sessions Info Displays outbound sessions established from internal users DHCP Clients Displays a list of all current users who have obtained their IP address via DHCP ...

Page 28: ...27 System ...

Page 29: ...01 It covers the subjects of Admin Permitted IPs Software Update and Logout The complete administrative authority lies in the hands of the IT administrator Other than the IT administrator any other administrator also known as sub administrator is only granted with the permission to monitor the system status ...

Page 30: ...vilege of reading writing and viewing That means the main IT administrator is able to view and change the system configuration logs and accounts The sub administrator is granted with view and read write privileges They are permitted to view and read system configuration sometimes even report and logs Password New Password Confirm Password Add or modify the password of main administrator or sub adm...

Page 31: ... a new sub administrator Enter the Sub Admin Name and Password Enter the password again in the Confirm Password field Click OK Figure 1 1 Adding New Sub Admin Note 1 The newly created administrator will be a main administrator if the Permit write access and Permit view access to logs reports have been enabled Otherwise they will be a sub administrator ...

Page 32: ...as below Figure 1 2 Click the Modify button of the admin you want to modify Enter the original password in the Password field and then enter the new password in the New Password field Enter the new password again in the Confirm Password field Click OK Figure 1 2 Modifying Admin Password ...

Page 33: ...the IP address Enter the netmask (255.255.255.255 indicates one IP Address) Select Ping HTTP and HTTPS for Service Click OK Figure 1-3 Adding New Permitted IPs Important 1 For Permitted IPs to be effective the IT administrator must cancel the Ping HTTP and HTTPS selections under Network Interface 2 Configure the Permitted IPs before the cancellation of HTTP and HTTPS otherwise the management interfa...

Page 34: ... Logout 1 3 1 Logging out the System Step 1 Click Logout to protect the system from any unauthorized modification while being away Figure 1 4 1 5 Figure 1 4 The Logout Screen Figure 1 5 Confirming to Log Out ...

Page 35: ...34 Step 2 Click OK and then the logout message appears Figure 1 6 Figure 1 6 The Logout Message ...

Page 36: ...o update the software Figure 1 7 Figure 1 7 Updating the Software Important 1 It takes about 3 minutes to run through the update process and will reboot after the update During the update please do not turn off the power disconnect the Internet or close the management interface due to the possibility of causing system errors It is strongly recommended to run the update from within the internal net...

Page 37: ...36 Chapter 2 Configuration Configuration includes the following system settings System Settings Date Time Multiple Subnets Route Table DHCP Dynamic DNS Host Table SNMP and Language ...

Page 38: ... Any of the setting files saved on the device may be exported to a local computer Hard Disk Formatting The IT administrator may format the built in hard disk Name Settings Type your company name and name the device in the corresponding fields Email Notification Settings Any alerts or notifications from the device can be emailed to the designated recipient Syslog Message Settings Sends monitoring l...

Page 39: ...38 device can block their IP address for the specified amount of time This helps to prevent any unauthorized tampering of the device ...

Page 40: ... displays per page Configures the default character encoding Terms in Date Time Synchronization Settings The date and time settings can be configured by either synchronizing to an Internet Network Time Server NTP or synchronizing to the local computer GMT Greenwich Mean Time GMT is the international standard time Daylight Saving Time Setting If applicable in your region the device s system clock c...

Page 41: ...able routers and constructs a topology map of the network OSPF establishes and maintains neighbor relationships in order to exchange routing updates with other routers OSPF uses path cost as its basic routing metric Border Gateway Protocol is the core routing protocol of the Internet It maintains a table of IP networks or prefixes which designate network reachability among autonomous systems AS It...

Page 42: ...ting protocols they are also more complex more memory intensive and place a greater load on the CPU 2 Dynamic routing protocols depend on the location of the router in the Autonomous System (AS) There are two classifications IGP (Interior Gateway Protocol) Examples include RIP IGRP EIGRP OSPF and IS-IS are interior gateway protocols EGP (Exterior Gateway Protocol) Uses a simple tree topology but posses...

Page 43: ...orm x.y where x and y are 16-bit numbers Numbers of the form 0.y are exactly the old 16-bit AS numbers 1.y numbers and 65535.65535 are reserved and the remainder of the space is available for allocation Static Routing Provides a static route based on the IT administrator’s configuration or a default route Provides IPv4 or IPv6 ...

Page 44: ...ain name registered at the DDNS service provider WAN IP The real IP address that the domain name corresponds to Terms in Host Table Host Name It is a user definable setting LAN users may access the host corresponding to the host name IP Version The network protocol used by the host table namely IPv4 or IPv6 Virtual IP Address The IP addresses that host names correspond to They either reside in LAN ...

Page 45: ...ult it has not been widely accepted SNMPv3 resolved the problems associated with the previous two versions Not only does it provide encryption but also the agent is able to authenticate the NMS and provide message integrity to ensure that a packet hasn t been tampered with In addition it can provide access control based upon a permission list Security Mode SNMP defines three authentication and pri...

Page 46: ...45 Auth Password The NMS uses this password to access information from the CS 2001 Privacy Protocol Supports the cipher Data Encryption Standard DES that is based on a 56 bit Symmetric key algorithm ...

Page 47: ...46 Privacy Password The NMS uses this password to access information from the CS 2001 ...

Page 48: ... click next to Export System Settings under the System Settings section Step 2 Click Save in the File Download window and then assign a storage folder After that click Save in the Save As window to complete exporting the system settings Figure 2 1 Figure 2 1 Exporting the Configuration File ...

Page 49: ...System Settings under the System Settings section Next in the Choose File window select the configuration file and then click Open Figure 2 2 Step 2 Click OK to confirm importing the file Figure 2 3 Figure 2 2 Selecting the Configuration File to Import Figure 2 3 Confirming to Import the Configuration File ...

Page 50: ...ive Step 1 Under System Configuration Settings tick Reset to factory default settings and Format the inbuilt hard disk under the Hard Disk Formatting section Figure 2 4 Figure 2 4 Resetting the Device to Factory Default Step 2 Click OK in the lower right corner to execute the procedure ...

Page 51: ... Type the sender address Required for some ISPs SMTP Server Type the IP address of SMTP server Email Address 1 Type the email address of the first user to be notified Email Address 2 Type the email address of the second user to be notified Step 3 Click OK in the lower right corner to complete configuration Figure 2 5 Figure 2 5 Enabling the Email Alert Notification Note 1 Click the Send Now button...

Page 52: ...ration Settings Under the Device Reboot section click Reboot next to To reboot the system click Step 2 A confirmation dialogue box will appear asking Are you sure you want to reboot the system Step 3 Click OK to reboot or Cancel to cancel Figure 2 6 Figure 2 6 Rebooting the CS 2001 ...

Page 53: ... Type the IP address of Internet time server in the NTP Server IP Hostname field Set an interval time to update system clock Click OK Figure 2 7 The System Clock Settings Note 1 Click Sync next to To synchronize system clock with this computer click to synchronize the system clock with the time on the IT administrator s PC 2 Assist Me provides help setting hours offset from GMT and NTP Server IP N...

Page 54: ...y the local ISP is 162.172.50.0/24 Packets traveling to an external network via Port2 which has a private IP address of 10.10.10.1 map to the real IP address 162.172.50.1 using NAT This allows the signature definition file to be updated via the Internet Configure port 3 as WAN2 (211.22.22.22) and connect it to the ADSL Termination Unit Remote (ATUR) to access the Internet Step 1 Under System Configur...

Page 55: ... not on the same Interface You may go to Policy LAN to LAN and create a policy select Inside Any for both Source Address and Destination Address to enable LAN to LAN connection Or You may go to Policy DMZ to DMZ and create a policy select DMZ Any for both Source Address and Destination Address to enable DMZ to DMZ connection ...

Page 56: ... Figure 2-10 Click on Port 2’s Modify button For Interface Type select WAN and enter all the relevant settings provided by your ISP For WAN NAT Redirection select A designated IP and then enter 162.172.50.1 Figure 2-10 Configuring the WAN Settings ...

Page 57: ...56 Step 3 Under Policy Object Address LAN set as below Figure 2 11 Figure 2 11 Address Settings for the LAN ...

Page 58: ...Subnet1 Action Tick Port 3 WAN2 Click on Advanced Settings For Port3 WAN2 select Automatic Click on OK Figure 2 12 Click on New Entry Source Address Select the LAN subnet LAN1_Subnet2 Action Tick the required WAN port Port 2 WAN1 Select Routing Port 3 WAN2 Select Automatic Click OK Figure 2 13 2 14 Figure 2 12 The First Outgoing Policy Settings ...

Page 59: ...58 Figure 2 13 The Second Outgoing Policy Settings ...

Page 60: ...59 Figure 2 14 Policy Settings Completed ...

Page 61: ...te 1 The LAN subnet 192.168.1.x/24 is only able to gain access to the Internet via WAN2 using NAT Therefore PCs in that subnet which contain private IP addresses are unable to access the Internet via WAN1 using routing 2 The LAN subnet 162.172.50.x/24 can access the Internet via WAN 1 using routing or alternatively via WAN 2 using NAT ...

Page 62: ...onfigure Port3 as WAN2 (211.22.22.22) and connect it to the ADSL Termination Unit Remote (ATUR) to access the Internet Step 1 Go to System Configuration Multiple Subnet and set as below Click on New Entry Fill in the Name field Interface Select Port1 LAN1 IP Version Select IPv4 IP Address Type 192.168.100.1 Netmask Type 255.255.255.0 Tick the VLAN ID checkbox and type in 10 into the VLAN ID field Click...

Page 63: ...62 Figure 2 16 First Multiple Subnet Setting ...

Page 64: ...ternet or communication amongst the VLANs 2 When the PCs subnets or IP addresses are not on the same Interface You may go to Policy LAN to LAN and create a policy select Inside Any for both Source Address and Destination Address to enable LAN to LAN connection Or You may go to Policy DMZ to DMZ and create a policy select DMZ Any for both Source Address and Destination Address to enable DMZ to DMZ ...

Page 65: ...64 Step 2 Go to Policy Object Address LAN and set as below Figure 2 19 Figure 2 19 Address Settings for the LAN ...

Page 66: ... Figure 2 20 Figure 2 20 LAN Group Settings Step 4 Go to Policy Outgoing set as below Click on New Entry Source Address Select the name of the LAN addresses VLAN_Group Click OK Figure 2 21 2 22 Figure 2 21 Applying the LAN Group to the Policy Figure 2 22 Policy Completed ...

Page 67: ...66 Step 5 The internal network’s VLAN Figure 2-23 Figure 2-23 The Completed Multiple Subnet VLAN Settings ...

Page 68: ...AN has the subnet 192.168.10.x/24 connected to Router 1 (10.10.10.1) with RIPv2 The LAN interface connected to Router 1 is 192.168.1.252 Port 2 is set as WAN 1 (61.11.11.11) and is connected to the Internet via the ATUR Port 3 is set as WAN 2 (211.22.22.22) and is connected to the Internet via the ATUR Company B is using Router 2 (10.10.10.2) with RIPv2 with the subnet 192.168.20.x/24 connected to it A le...

Page 69: ...N1 Click OK Figure 2-24 Click on New Entry IP Version Select IPv4 IP Address Type 192.168.20.0 Netmask 255.255.255.0 Gateway 192.168.1.252 Interface LAN1 Click OK Figure 2-25 Click on New Entry IP Version Select IPv4 IP Address Type 10.10.10.0 Netmask 255.255.255.0 Gateway 192.168.1.252 Interface LAN1 Click OK Figure 2-26 2-27 Figure 2-24 Static Route Settings Figure 2-25 Static Route Settings ...

Page 70: ...ant 1 To enable the LAN to LAN connection go to Policy LAN to LAN and create a policy select Inside Any for both Source Address and Destination Address To enable the DMZ to DMZ connection go to Policy DMZ to DMZ and create a policy select DMZ Any for both Source Address and Destination Address ...

Page 71: ...192.168.20.x/24 and 192.168.1.x/24 can now communicate with each other In addition these subnets may also access the Internet using real IP addresses assigned from the CS-2001 device’s NAT mechanism Figure 2-28 Figure 2-28 The Routing Table ...

Page 72: ...o Internal PCs Step 1 Go to System Configuration DHCP and set as below Figure 2 29 Tick Enable DHCP Relay From DHCP Relay Interface select the interface In DHCP Server IP enter the IP address of the DHCP server Click OK to complete the settings Figure 2 29 DHCP Relay Settings ...

Page 73: ...72 Note 1 When Enable DHCP Relay Support is enabled internal PCs can obtain an IP address from the server through the specified interface WAN1 2 3 4 5 6 or VPN WAN1 2 3 4 5 6 of the CS 2001 ...

Page 74: ...erver 1 WINS Server 2 Type an IP address as WINS Server 2 Leased Time Type a lease time for the allocated IP addresses 24 hours is the default Configure the following settings for the LAN or DMZ subnet IPv4 Range 1 Type the IP address range The default range is from 192.168.1.2 to 192.168.1.254 Note The IP address range must reside in the same subnet IPv4 Range 2 Type the second IP address range N...

Page 75: ...74 Figure 2 30 DHCP Settings ...

Page 76: ...lly is intended for LAN users who access the Internet via the device’s authentication mechanism LAN users need to configure their Preferred DNS server address to be the same as the LAN interface address of the CS-2001 in Internet Protocol (TCP/IP) Properties ...

Page 77: ...ssword and Hostname accordingly Click OK Figure 2 32 Figure 2 31 Configuring the Dynamic DNS Settings Figure 2 32 Configuring the Dynamic DNS Settings Note 1 The meaning of the symbols used in DDNS are as follows Symbol Meaning Successful Connection Failed Connection Connected 2 If you do not have a DDNS account you may first select a desirable service provider from the pull down menu and then cli...

Page 78: ...77 3 You may configure the WAN IP by either ticking the Automatically checkbox or simply specifying it in the WAN IP field ...

Page 79: ... Type the virtual IP address that the host name corresponds to in the Virtual IP Address field Click OK Figure 2-33 Host Table Settings Note 1 Host Table requires LAN users to configure their Preferred DNS server in Internet Protocol (TCP/IP) Properties to be the same as the LAN or DMZ interface address This is the same IP address as the LAN user’s default ...

Page 80: ...on Type the geographic location of this device By default it is Taipei Taiwan Community Type a screen name By default it is public Contact Person Type the email address of the contact person By default it is root public Description Type a description for the device By default it is UTM Appliance Click OK Settings completed From now on the IT administrator will be kept up to date with the device s ...

Page 81: ...k Enable SNMP trap alerts SNMP Trap Recipient Address Type the IP address of the SNMP Trap recipient Port Type the port number of SNMP Trap Default value 162 Click OK The IT administrator may now install a SNMP Trap client to receive alerts from the CS 2001 Figure 2 35 SNMP Trap Settings Note 1 The IT administrator may test the SNMP trap by clicking on ...

Page 82: ...81 2 9 Language 2 9 1 Changing the Language Step 1 Under System Configuration Language you may change the language of the user interface Figure 2 36 Figure 2 36 The Language Settings ...

Page 83: ...82 Interface ...

Page 84: ...ure the connection parameters separately for LAN WAN and DMZ interfaces as well as to assign multiple network interfaces into a group based on your topology plan In this chapter it will be covering the functionality and application of Settings Interface and Interface Group ...

Page 85: ...ds Round Robin Evenly distributes the downloading sessions to each WAN port For multiple Internet connections at the same speed By Traffic Distributes the downloading sessions by traffic By Session Distributes the outward sessions by the setting of Saturated Connections By Packet Distributes the downloading sessions by the amount of packet By Source IP For services that require using the sa...

Page 86: ...parent Routing Provides internal users with direct access to the Internet due to being in the same subnet range IPv4 Settings Internet Protocol version 4 IPv4 is the fourth revision in the development of the Internet Protocol IP and it is by far the most widely deployed Internet Layer protocol IPv4 addresses are written in dot decimal notation which consists of the four octets of the address expre...

Page 87: ...t are communicating with IPv6 over an IPv4 infrastructure When the IPv4-compatible address is used as an IPv6 destination the IPv6 traffic is automatically encapsulated with an IPv4 header and sent to the destination using the IPv4 infrastructure IPv4-mapped addresses The IPv4-mapped address 0:0:0:0:0:FFFF:w.x.y.z or ::FFFF:w.x.y.z is used to represent an IPv4-only node to an IPv6 node for example f...

Page 88: ... can be used across the Internet and have the following format 010 FP 3 bits TLA ID 13 bits Reserved 8 bits NLA ID 24 bits SLA ID 16 bits InterfaceID 64 bits Multicast address An identifier for a set of interfaces typically belonging to different nodes A packet sent to this address is delivered to all the interfaces identified by the address The multicast address types supersede the IPv4 broadcast...

Page 89: ... HTTP When ticked the management interface is available for access via HTTP protocol HTTPS When ticked the management interface is available for access via HTTPS protocol Connection Type As Interface Type set to WAN It has three connection types namely Static IP Address Leased Line User Dynamic IP Address Cable Modem User PPPoE ADSL Dial Up User Service Detection The test for the validity of Inter...

Page 90: ...tes The device may be configured to automatically disconnect when idle for a period of time upon using PPPoE connection The time unit is minute enter a number from 1 to 99 999 inclusive as the basis of disconnection or 0 to stay connected Connection Type As Interface Type set to DMZ Please refer to Connection Type As Interface Type set to LAN Saturated Connections Determines the amount of sessions...

Page 91: ...rom one another Note This requires at least a WAN port with a static IP and a LAN or DMZ running Transparent Bridging mode Allows your LAN or DMZ network traffic to be routed to an external network by modifying address contents in the IP header to be valid in the address realm into which the traffic is routed to ...

Page 92: ...ubnets one using Transparent Routing the other one using NAT Routing for the LAN users to access the Internet 107 3 1 6 Deploying the CS 2001 between the Gateway and the LAN LAN1 and DMZ1 connecting LAN1 to the user s PC using NAT Routing mode and then connecting DMZ1 to user s PC using Transparent Bridging mode 111 3 1 7 Deploying CS 2001 between the Gateway and LAN LAN1 and DMZ1 for LAN Users an...

Page 93: ...Type Select NAT Routing for Connection Type Enter the IPv4 Address and Netmask Tick Ping HTTP and HTTPS Click OK Figure 3-1 Modifying the LAN Interface Note 1 The LAN subnet is configured as 192.168.1.x/24 by default After modifying the LAN subnet LAN PCs’ subnet must be modified as well for the LAN users to access the Web UI 2 Do not disable HTTP and HTTPS before configuring the settings under Sys...

Page 94: ... the Alive Indicator Site IP Figure 3-2 If DNS is selected enter the DNS IP Address and the Domain Name Figure 3-3 Enter the Keepalive Frequency (seconds) Figure 3-2 ICMP Detection Figure 3-3 DNS Detection Important 1 Service Detection is used for detecting the WAN connection Thus the Alive Indicator Site IP the DNS IP Address and the Domain Name should be connected continuously to maintain the detect...

Page 95: ...IP Address automatically Click the Clone MAC Address button to get the MAC Address if required Enter the Username if required Enter the Domain Name if required Enter the Max Downstream Bandwidth and the Max Upstream Bandwidth Tick the Ping HTTP and HTTPS Click OK Figure 3-7 PPPoE (ADSL Dial Up User) Figure 3-8 Enter the Account Name Enter the Password IP Address Obtained from ISP Via select Dynamic E...

Page 96: ...95 Figure 3-4 Configuring the Static IP Address Figure 3-5 Setting Completed ...

Page 97: ...96 Figure 3-6 Configuring the Dynamic IP Address Figure 3-7 Setting Completed ...

Page 98: ...97 Figure 3 8 Configuring the PPPoE Figure 3 9 Setting Completed ...

Page 99: ...001 Web UI from external network The access from the external network might affect the network security thus it is suggested to disable Ping HTTP and HTTPS after the configuration If the IT administrator needs to access the Web UI from the external network he or she may configure a Permitted IP under System Administration Permitted IPs ...

Page 100: ...2.168.20.x/24 User’s PCs will connect to WAN1 (61.11.11.11) to access the Internet Configure Port3 as LAN2 (192.168.2.1, NAT Routing, IP address range 192.168.2.x/24) User’s PCs will connect to WAN1 (61.11.11.11) to access the Internet You may create the policy to establish the connection between LAN1 and LAN2 Step 1 Go to Network Interface and then set as below Figure 3-10 Click Port2’s Modify button Sel...

Page 101: ...100 Figure 3 10 Configuring the LAN Interface ...

Page 102: ...then set as below Figure 3 11 Click Port3 s Modify button Select LAN for Interface Type Select NAT Routing for Connection Type Enter the IPv4 Address and the Netmask Tick Ping HTTP and HTTPS Click OK Figure 3 11 Configuring the LAN Interface ...

Page 103: ...rs will connect to WAN1 (61.11.11.11) and use WAN1’s IP address to access the Internet You may create the policy to establish the connection between LAN1 and LAN2 Figure 3-12 Figure 3-12 The Deployment of LAN using NAT Routing Mode ...

Page 104: ...AN1 (61.11.11.11) and connect it to the ADSL Termination Unit Remote (ATUR) to access the Internet LAN users (192.168.1.100) will connect to WAN1 (61.11.11.11) and use WAN1’s IP address to access the Internet Configure Port3 as DMZ1 (Transparent Routing) to connect to the web server Using WAN1’s IP address (61.11.11.12) Step 1 Go to Network Interface and then set as below Figure 3-13 Click Port1’s Modify butt...

Page 105: ...104 Figure 3 13 Configuring the LAN Interface ...

Page 106: ...rt3's Modify button. Select DMZ for Interface Type. Select Transparent Routing for Connection Type. Tick Ping, HTTP and HTTPS. Click OK. Figure 3-14 DMZ Interface Settings. Note: 1. The WAN interface must use a static IP before Transparent Routing can be selected for the DMZ interface settings ...

Page 107: ...nnect to the web server 61 11 11 12 to access the network resource The LAN users may connect to WAN1 61 11 11 11 and use WAN1 s IP address to access the Internet Figure 3 15 Figure 3 15 The Deployment of DMZ Using Transparent Routing Mode ...

Page 108: ... 1 2 and connect it to the gateway's LAN. Specify a static route so that packets sent to 192.168.2.x/24 will be sent to WAN1. Configure Port2 as LAN1 (Transparent Routing) and connect it to the LAN PCs (IP range 192.168.1.x/24, default gateway 192.168.1.1). LAN PCs may use the original IP to access the Internet. Configure Port3 as LAN2 (192.168.2.1, NAT Routing, IP range 192.168.2.x/24) and connect it to the ...

Page 109: ...ing for Connection Type Tick Ping HTTP and HTTPS Click OK Figure 3 16 Configuring the LAN Interface Step 2 Go to Network Interface and then set as below Figure 3 17 Click Port3 s Modify button Select LAN for Interface Type Select NAT Routing for Connection Type Enter the IPv4 Address and the Netmask Tick Ping HTTP and HTTPS Click OK Figure 3 17 LAN I ...

Page 110: ...tep 3 LAN1 users 192 168 1 x 24 and LAN2 users 192 168 2 x 24 may use their original IP addresses to access the Internet via the CS 2001 You may create the policy to establish the connection between LAN1 and LAN2 Figure 3 18 ...

Page 111: ...110 Figure 3 18 The deployment of LAN Using Transparent Routing and NAT Routing ...

Page 112: ...range 172 16 x x 16 Configure Port1 as LAN1 192 168 1 1 NAT Routing IP range 192 168 1 x 24 and connect it to the user s PC default gateway 192 168 1 1 PCs will connect to WAN1 172 16 1 12 and use WAN1 s IP address to access the Internet Configure Port2 as WAN1 172 16 1 12 and connect it to gateway s LAN Configure Port3 as DMZ1 using Transparent Bridging mode and connect it to PCs IP range 172 16 ...

Page 113: ...onnection Type. Enter the IPv4 Address and the Netmask. Tick Ping, HTTP and HTTPS. Click OK. Figure 3-19 LAN Interface Settings. Step 2: Under Network > Interface, set as below (Figure 3-20): Click Port3's Modify button. Select DMZ for Interface Type. Select Transparent Bridging for Connection Type. Tick Ping, HTTP and HTTPS. Click OK. Figure 3-20 DMZ Interface Settings ...

Page 114: ...113 Step 3 Go to Network Interface Group and then set as below Figure 3 21 Configure Port2 WAN1 and Port3 WAN2 as Group1 Click OK Figure 3 21 Configuring the Interface Group ...

Page 115: ...DMZ may use the original address to access the Internet through CS 2001 PCs on LAN will connect to WAN1 172 16 1 12 and use WAN1 s IP address to access the Internet Figure 3 22 Figure 3 22 The Deployment of DMZ Using Transparent Bridging Mode ...

Page 116: ...s the Internet through CS-2001's WAN1. Configure the default gateway as CS-2001's WAN1 (172.16.1.12). Packets passing through the CS-2001 will use WAN1 (172.16.1.12) or WAN2 (211.22.22.22) to access the Internet (Load Balancing). PCs in LAN (192.168.1.x/24): Configure the default gateway as CS-2001's LAN1 (192.168.1.1). Packets passing through CS-2001 will use WAN1 (172.16.1.12) or WAN2 (211.22.22.22) to access the Internet...

Page 117: ... subnets in LAN for the PCs to access the Internet through the original firewall. PCs in DMZ may use the original IP address to access the Internet through CS-2001's WAN1 (Figure 3-24). Figure 3-24 The Deployment of DMZ Using Transparent Bridging 03 ...

Page 118: ...S 2001 and DMZ 192 168 2 1 24 and 192 168 3 1 24 Connect the two subnets to WAN1 s firewall and WAN2 s firewall individually Then the packets from the two subnets will be sent to WAN1 or WAN2 according to the default gateway settings Figure 3 25 Figure 3 25 The Deployment of DMZ Using Transparent Bridging Mode 04 ...

Page 119: ...ansparent mode. Configure Port1 as WAN1 (192.168.1.2) and connect it to the gateway's LAN. Configure Port2 as LAN1 (Transparent Bridging mode) and connect to the LAN PCs (IP range 192.168.1.x/24, default gateway 192.168.1.1). LAN PCs may use the original IP address to access the Internet. Configure Port3 as WAN2 (61.11.11.12) and connect to the gateway's DMZ. Configure Port4 as DMZ1 Transparent Bridging mode a...

Page 120: ...ace and then set as below Figure 3 26 Click Port1 s Modify button Select WAN for Interface Type Select the Connection Type Configure the connection settings Tick Ping HTTP and HTTPS Click OK Figure 3 26 Configuring the WAN Interface ...

Page 121: ...terface set as below Figure 3 27 Click Port2 s Modify button Select LAN for Interface Type Select Transparent Bridging for Connection Type Tick Ping HTTP and HTTPS Click OK Figure 3 27 LAN Settings Using Transparent Bridging Mode ...

Page 122: ...ace and then set as below Figure 3 28 Click Port3 s Modify button Select WAN for Interface Type Select the Connection Type Configure the connection settings Tick Ping HTTP and HTTPS Click OK Figure 3 28 Configuring the WAN Interface ...

Page 123: ... Bridging Step 5 Go to Network Interface Group and then set as below Figure 3 30 Configure Port1 WAN1 and Port2 LAN1 as Group 1 Configure Port3 WAN2 and Port4 DMZ1 as Group2 Click OK Figure 3 30 Interface Group Settings Important 1 Then the CS 2001 may operate as two individual switches Port1 WAN1 and Port2 LAN1 connect to the LAN Port3 WAN2 and Port4 DMZ1 connect to the DMZ The PCs under two diff...

Page 124: ... connecting to Port2 LAN1 will use 192 168 1 x 24 to access the Internet Users on Port4 DMZ1 will use the IP address that distributed by the ISP to access the Internet Figure 3 31 Figure 3 31 Interface Group Deployment ...

Page 125: ... access the Internet Configure Port2 as LAN1 192 168 1 1 NAT Routing IP range 192 168 1 x 24 and connect it to the PCs under sales department default gateway 192 168 1 1 PCs will connect to WAN1 61 11 11 11 and use WAN1 s IP address to access the Internet Configure Port3 as LAN2 Transparent Bridging IP range 192 168 1 x 24 and connect it to the PCs under support department default gateway 192 168 ...

Page 126: ...Interface and set as below Figure 3 32 Click Port1 s Modify button Select WAN for Interface Type Select the Connection Type Configure the connection settings Tick Ping HTTP and HTTPS Click OK Figure 3 32 WAN Interface Settings ...

Page 127: ...nection Type Enter the IPv4 Address and the Netmask Tick Ping HTTP and HTTPS Click OK Figure 3 33 LAN Interface Settings Step 3 Go to Network Interface and set as below Figure 3 34 Click Port3 s Modify button Select LAN for Interface Type Select Transparent Bridging for Connection Type Tick Ping HTTP and HTTPS Click OK Figure 3 34 LAN Interface Settings ...

Page 128: ... LAN1 and Port3 LAN2 as Group 1 Click OK Figure 3 35 Interface Group Settings Note 1 Then users on the same subnet may be divided into different interface according to their departments For example Port2 LAN1 connects to PCs under sales department and Port3 LAN2 connects to PCs under support department ...

Page 129: ...epartment LAN2 are on 192 168 1 x 24 They will connect to WAN1 and use WAN1 s IP address 61 11 11 11 to access the Internet You may create the policy to establish the connection between LAN1 and LAN2 Figure 3 36 Figure 3 36 The Deployment of LAN Using NAT Routing Mode ...

Page 131: ...130 Policy Object ...

Page 132: ... network in which an IP address resides it can be categorized into three kinds namely a LAN IP address WAN IP address or DMZ IP address Each of the three can be organized into an address group comprising several addresses Simply by applying the address group to a policy the IT administrator may easily manage a group of users with merely one policy Note 1 It is recommended to configure some desirab...

Page 133: ...255 255 to represent the single IPv4 address that you entered in IP Address. As an example, to represent the subnet from a class C IPv4 address such as 192.168.100.1, enter 255.255.255.0 into the Netmask field. Prefix Length: Enter 128 to represent a single IPv6 address. To represent an IPv6 subnet, for example 21DA:D3:0:2F3B:2AA:FF:FE28:9C5A with a prefix of 1DA:D3:0:2F3B, then Prefix length should be se...

Page 134: ...During an outward session in order to take advantage of policy based routing PBR the device will designate the most appropriate route based upon the destination address 2 To quickly create the settings under Policy Object Address LAN DMZ you may click Assist Me to automatically obtain data from Monitor Status ARP Table Sessions Info ...

Page 135: ...ple No Settings Scenario Page 4 1 1 LAN Using DHCP to Grant Only FTP Access to a LAN User with Specific IP Address 135 4 1 2 LAN WAN Group Creating a Policy for Certain Users to Connect to a Specific IP Address 138 ...

Page 136: ...ther IP Netmask or IP Range. IP Version: Select IPv4 or IPv6. Type the IP address of the user in the IP Address field (e.g., 192.168.3.2). Netmask: Type 255.255.255.255, which denotes a single IP address as specified in the IP Address field. Type the MAC address of the user in the MAC Address field (e.g., 00:B0:18:25:F5:89). Select the Interface from the Interface drop-down list. Click OK (Figure 4-2). Figure 4-1 Adding a LA...

Page 137: ...the user's MAC address. 3. To assign the IP address to the MAC, go to System > Configuration > DHCP and configure the settings under the Assign a Static IP Address section. 4. By default, three address settings, namely Inside_Any, Outside_Any and DMZ_Any, appear separately under Policy Object > Address > LAN / WAN / DMZ. Each of the settings represents all the IP addresses from its network. 5. Configuring Policy Object Ad...

Page 138: ...ep 2 Go to Policy Outgoing and configure as below Figure 4 3 Source Address Select the source address Service Select FTP Click OK Figure 4 4 Figure 4 3 The Outgoing Policy Settings Figure 4 4 Policy Completed ...

Page 139: ...8 4 1 2 Creating a Policy for Certain Users to Connect to a Specific IP Address Step 1 Create several addresses under Policy Object Address LAN Figure 4 5 Figure 4 5 The Creation of Several LAN Addresses ...

Page 140: ... for the group Select group members from the Available address column on the left and then click Add Click OK Figure 4 7 Figure 4 6 Grouping LAN Addresses Figure 4 7 An Added LAN Group Note 1 Configuring Policy Object Address WAN Group DMZ Group can be done in a similar manner to Policy Object Address LAN Group ...

Page 141: ...gure as below (Figure 4-8): Click New Entry. Name: Designate a name for the group. Address Type: Select IP Netmask. IP Version: Select IPv4. IP Address: Input the WAN IP address. Click OK (Figure 4-9). Figure 4-8 Configuring the WAN Address. Figure 4-9 Settings Completed ...

Page 142: ...ure 4 10 Source Address Select the LAN address group Destination Address Select the WAN destination address Click OK Figure 4 11 Figure 4 10 The Policy Settings Figure 4 11 The Completed Policy Settings Note 1 Address must be applied to a policy to take effect ...

Page 143: ...n TCP and UDP services. Custom: Allows customization of the port numbers and their associated TCP and UDP services. Note: 1. Policy Object > Service > Group provides a convenient means to manage a group of different services. For example, a single IP address may access five different services from a server (e.g., HTTP, FTP, SMTP, POP3 and Telnet). If the services are not grouped into one under Policy Object Service Gr...

Page 144: ...etc Services using the UDP protocol DNS IKE IMAP NFS NTP PC Anywhere RIP SNMP SYSLOG TALK TFTP UDP Any UUCP etc Name The name for the customized service Protocol The protocol used for communication between two devices TCP and UDP are the two most frequently seen protocols among others Client Port The port number of the client user s PC which is used for connecting to the CS 2001 It is recommended ...

Page 145: ...oIP Technology to Communicate with LAN Users Using VoIP Port Numbers of TCP 1720 TCP 15328 15333 and UDP 15328 15333 Step 1 Go to Policy Object Address LAN Group and configure the following settings Figure 5 1 5 2 Figure 5 1 Address Settings for the LAN Figure 5 2 An Added LAN Group ...

Page 146: ...n row number 3 select TCP for the protocol Leave the Client Port on the default setting Server Port set as 15328 15333 Click OK Figure 5 4 Figure 5 3 Adding a Custom Service Figure 5 4 The Added Custom Service Note 1 Normally the port number setting for the client port falls between 0 and 65535 It is recommended to adhere to the range mentioned above when configuring the client port number 2 Both ...

Page 147: ...Figure 5 5 Using the Pre defined Service Settings Step 4 Go to Policy Incoming and configure as below Figure 5 6 Destination Address Select the virtual server setting configured in the previous step Service Select the pre defined service Click OK Figure 5 7 Figure 5 6 Configuring an Incoming Policy Figure 5 7 The Completed Settings ...

Page 148: ...ddress Select the LAN group Service Select the custom service Action Select Port1 WAN1 Click OK Figure 5 9 Figure 5 8 The Outgoing Policy for VoIP Figure 5 9 The Completed Settings Note 1 Service needs to be applied to a Virtual Server setting and then a Policy to take effect ...

Page 149: ...in Internet Services HTTP POP3 SMTP and DNS Step 1 Go to Policy Object Service Group and set as below Figure 5 10 Group Name Type a name for the service group Select HTTP POP3 SMTP and DNS services from the Available Services column on the left and then click Add Click OK Figure 5 11 Figure 5 10 The Settings for Service Group ...

Page 150: ...149 Figure 5 11 The Added Service Group ...

Page 151: ...re only permitted to access certain services Figure 5 12 Figure 5 12 The Added LAN Group Step 3 Under Policy Outgoing set as below Figure 5 13 Select the defined LAN group for Source Address Select the defined service for Service Click OK Figure 5 14 Figure 5 13 Applying the Group Service to a Policy ...

Page 152: ...151 Figure 5 14 The Completed Policy Settings ...

Page 153: ...Schedule Schedule is used for regulating the activation time of policies With its help the IT administrator may determine a specific period of time for each policy to take effect saving time on system administration ...

Page 154: ...ule Type Two modes are provided Recurring Based upon a weekly schedule with configurable start and end periods for each of the seven days in a week One Time Provides a start and stop time for a single specific date based upon the year month day hour and minute ...

Page 155: ...Policy Object Schedule Settings set as below Figure 6 1 Type the name Mode Select either Recurring or One Time Use the drop down menus to select the required start and end time for each day of the week Click OK Figure 6 2 Figure 6 1 Schedule Settings Figure 6 2 The Completed Schedule Settings ...

Page 156: ...Step 2 Under Policy Outgoing set as below Figure 6 3 Select the pre defined schedule for Schedule Click OK Figure 6 4 Figure 6 3 Applying the Schedule to the Policy Figure 6 4 The Completed Policy Settings ...

Page 157: ... accessing the Internet via the CS 2001 When applied with a Policy it ensures users are allocated suitable amounts of bandwidth Figure 7 1 7 2 Figure 7 1 The Network with no QoS Figure 7 2 Applying QoS to the Network Max Bandwidth 400Kbps Guaranteed Bandwidth 200Kbps ...

Page 158: ...bandwidth of the total downstream bandwidth Upstream Bandwidth Determines the guaranteed bandwidth and maximum bandwidth of the total upstream bandwidth Priority Specifies the priority that upstream and downstream bandwidth gets allocated G Bandwidth Specifies the minimum guaranteed amount of bandwidth M Bandwidth Specifies the maximum amount of bandwidth ...

Page 159: ...Bandwidth Step 1 Under Policy Object QoS Settings set as below Figure 7 3 Click New Entry Type the Name accordingly Configure the bandwidth of Port 2 WAN1 and Port 3 WAN2 Select the priority for this QoS setting Click OK Figure 7 4 Figure 7 3 Configuring the QoS Settings ...

Page 160: ...159 Figure 7 4 The Completed QoS Settings ...

Page 161: ...160 Step 2 Under Policy Outgoing set as below Figure 7 5 Select the pre configured QoS setting Click OK Figure 7 6 ...

Page 162: ...161 Figure 7 5 Applying QoS to a Policy ...

Page 163: ...uring QoS the available bandwidth range such as guaranteed bandwidth and maximum bandwidth is predefined under Interface WAN Thus when configuring Maximum Downstream Bandwidth and Maximum Upstream Bandwidth under Interface WAN an appropriate range needs to be set ...

Page 164: ...r 8 Authentication Authentication regulates users access to the Internet CS 2001 offers five authentication modes namely User Group RADIUS POP3 and LDAP adding flexibility to your choice of authentication method ...

Page 165: ...ord modification The authenticated users may change the password by themselves Deny multi login if auth user has login When enabled once a user has logged in with his her own authentication account no other user is permitted to log in to the same account Successful Authentication Redirect URL Authenticated user can be redirected to the designated web site by assigning its address to this field Lea...

Page 166: ...165 Figure 8 1 Authentication Management Settings ...

Page 167: ...n appears after a user attempts to access a web site Figure 8 2 Figure 8 2 The Authentication Login Screen An authenticated user will be redirected to the designated web site Figure 8 3 Figure 8 3 The User Being Redirected to a Website ...

Page 168: ...ion Confirm Password The confirmation of password Force the user to change their password at their next login The authenticated users must change their password at their next login The account s authentication is valid through The time of the account s authentication RADIUS Server Shared Secret The password used for authentication using a RADIUS server Enable 802 1x RADIUS Server Authentication Wh...

Page 169: ...require to be authenticated Figure 8 4 Figure 8 4 Authenticated Users Created Note 1 The IT administrator may export the Authentication user list for safe keeping and restore the list if needed 2 To use authentication LAN users must configure their Preferred DNS server in Internet Protocol TCP IP Properties to be the same as the LAN interface address of CS 2001 ...

Page 170: ...oup set as below Figure 8 5 Click New Entry Group Name Type a name for the group Select group members from the Available Authentication User column on the left and then click Add Settings completed Figure 8 5 Configuring the Authenticated User Group ...

Page 171: ...tgoing and configure as below Figure 8 6 Authentication Select the group name that was configured in the previous step Click OK Figure 8 7 Figure 8 6 Apply the Authentication to a Policy Figure 8 7 The Completed Policy Settings ...

Page 172: ...me and password to the corresponding fields in the login screen Figure 8 8 Figure 8 8 The Authentication Login Screen Step 5 To end an authenticated session you may click on the Login button in the window that popped up after authentication Or simply log onto http Management Address Authentication Port Number logout html to logout Figure 8 9 Figure 8 9 The Authentication Logout Screen ...

Page 173: ...The Configuration of Windows Server 2003 Built in RADIUS Server Step 1 Go to Start Settings Control Panel Add Remove Programs and then click Add Remove Windows Components on the left Step 2 In the Windows Components Wizard window select Networking Services and then double click on it Figure 8 10 Figure 8 10 The Windows Components Screen ...

Page 174: ...1 Figure 8 11 Selecting the Internet Authentication Service Step 4 Go to Start Settings Control Panel Administrative Tools Internet Authentication Service and then click it Figure 8 12 Figure 8 12 The Path of Internet Authentication Service on the Start Menu ...

Page 175: ...tep 5 Right click RADIUS Clients and then click New RADIUS Client Figure 8 13 Figure 8 13 Adding a RADIUS Client Step 6 Type a name and the client address namely the management address of CS 2001 Figure 8 14 ...

Page 176: ...175 Figure 8 14 Typing a Friendly Name and the Management Address ...

Page 177: ...e the Shared secret and Confirm shared secret the same as that of the CS-2001 under Policy Object > Authentication > RADIUS (Figure 8-15). Figure 8-15 Selecting the Client Vendor and Entering the Password. Step 8: Right-click Remote Access Policies and then click New Remote Access Policy (Figure 8-16) ...

Page 178: ...177 Figure 8 16 Adding a Remote Access Policy ...

Page 179: ...178 Step 9 Select Use the wizard to set up a typical policy for a common scenario and then type a name in the Policy name field Figure 8 17 Figure 8 17 Configuring and Naming the Policy ...

Page 180: ...179 Step 10 Select Ethernet Figure 8 18 Figure 8 18 Selecting the Access Method ...

Page 181: ...180 Step 11 Select User Figure 8 19 Figure 8 19 Selecting User or Group Access Step 12 Select MD5 Challenge from the drop down list Figure 8 20 Figure 8 20 Selecting an Authentication Method ...

Page 182: ...181 Step 13 Right click the newly added policy name and then click Properties Figure 8 21 Figure 8 21 Configuring the Properties of a Policy ...

Page 183: ...182 Step 14 Select Grant remote access permission and then remove the existing settings Next click Add Figure 8 22 Figure 8 22 Configuring the RADIUS Properties ...

Page 184: ... Select Service Type to add Figure 8 23 Figure 8 23 Select the Attribute Type Step 16 Select Authenticate Only and Framed from the Available types and then click Add Figure 8 24 Figure 8 24 Adding the Service Type ...

Page 185: ...184 Step 17 Click on the Edit Profile then click the IP tab and then tick Server settings determine IP address assignment Figure 8 25 Figure 8 25 Configuring the IP Setting ...

Page 186: ...the Authentication tab Tick Microsoft Encrypted Authentication version 2 MS CHAP v2 Microsoft Encrypted Authentication MS CHAP Encrypted authentication CHAP and Unencrypted authentication PAP SPAP Figure 8 26 Figure 8 26 Configuring the Authentication Settings ...

Page 187: ...186 Step 19 Click on the Edit Profile click the Advanced tab and then click Add Figure 8 27 Figure 8 27 Configuring the Advanced Settings ...

Page 188: ...187 Step 20 Select Framed Protocol and click Add Figure 8 28 Figure 8 28 Adding the Attribute ...

Page 189: ...rotocol select PPP from the Attribute value drop down list Figure 8 29 Figure 8 29 Attribute Setting 1 Step 22 For Service Type select Framed from the Attribute value drop down list Figure 8 30 Figure 8 30 Attribute Setting 2 ...

Page 190: ...s then select Computer Management Figure 8 31 Figure 8 31 Selecting Computer Management on the Start Menu Step 24 In the left column go to Computer Management Local System Tools Local Users and Groups Users and then right click it After that click New User Figure 8 32 ...

Page 191: ...190 Figure 8 32 Adding a User ...

Page 192: ... RADIUS server Figure 8 33 Figure 8 33 The RADIUS Server Settings Note 1 You may click Test Connection to detect the connection between CS 2001 and RADIUS server Step 27 Under Policy Object Authentication Group select RADIUS Server from the Available Authentication User column and then click Add Figure 8 34 Figure 8 34 Adding RADIUS User to an Authenticated Group ...

Page 193: ...ication to a Policy Figure 8 36 The Completed Policy Settings Step 29 The authentication login screen will appear in the web browser with which a LAN user tries to surf the Internet Internet access will be available after applying the valid user name and password to the corresponding fields in the login screen Figure 8 37 Figure 8 37 The Authentication Login Screen ...

Page 194: ...Object Authentication POP3 set as below Figure 8 38 Figure 8 38 The POP3 Server Settings Note 1 You may click Test Connection to test the connection between CS 2001 and the POP3 server Step 2 From Policy Object Authentication Group select POP3 User from the Available Addresses column and then click Add Figure 8 39 ...

Page 195: ...194 Figure 8 39 Adding POP3 User to an Authenticated Group ...

Page 196: ... in a Policy Figure 8 41 A Policy with POP3 Authentication Step 4 The authentication login screen appears in the web browser when a LAN user tries to access the Internet Internet access will be available after applying the valid user name and password to the corresponding fields in the login screen Figure 8 42 Figure 8 42 The Authentication Login Screen ...

Page 197: ...dows Server 2003 Built in LDAP Server The Configuration of the LDAP Server from Windows Server 2003 Step 1 Go to Start Settings Control Panel Administrative Tools Manage Your Server Step 2 In the Manage Your Server window click Add or remove a role Figure 8 43 Figure 8 43 Managing Your Server ...

Page 198: ... In the Preliminary Steps window click Next Figure 8 44 Figure 8 44 Preliminary Steps Step 4 In the Server Role window select Domain Controller Active Directory and click Next Figure 8 45 Figure 8 45 Server Role ...

Page 199: ...e Summary of Selections window click Next Figure 8 46 Figure 8 46 Summary of Selections Step 6 In the Active Directory Installation Wizard window click Next Figure 8 47 Figure 8 47 Active Directory Installation Wizard ...

Page 200: ... Compatibility window click Next Figure 8 48 Figure 8 48 Operating System Compatibility Step 8 In the Domain Controller Type window select Domain controller for a new domain then click Next Figure 8 49 Figure 8 49 Domain Controller Type ...

Page 201: ... select Domain in a new forest and click Next Figure 8 50 Figure 8 50 Creating a New Domain Step 10 In the New Domain Name window enter the Full DNS name for new domain and then click Next Figure 8 51 Figure 8 51 Specifying the New Domain Name ...

Page 202: ...etBIOS name and then click Next Figure 8 52 Figure 8 52 The NetBIOS Domain Name Step 12 In the Database and Log Folders window specify the pathname of the Database folder and the Log folder and then click Next Figure 8 53 Figure 8 53 The Database and Log Folders ...

Page 203: ...ion and then click Next Figure 8 54 Figure 8 54 The Shared System Volume Step 14 In the DNS Registration Diagnostics window select I will correct the problem later by configuring DNS manually Advanced and then click Next Figure 8 55 Figure 8 55 DNS Registration Diagnostics ...

Page 204: ...2003 operating systems and then click Next Figure 8 56 Figure 8 56 Permissions Step 16 In the Directory Services Restore Mode Administrator Password window enter the Restore Mode Password and Confirm password and then click Next Figure 8 57 Figure 8 57 The Directory Services Restore Mode Administrator Password ...

Page 205: ...204 Step 17 In the Summary window click Next Figure 8 58 Figure 8 58 The Summary Step 18 Settings completed Figure 8 59 Figure 8 59 Settings Completed ...

Page 206: ...tory Users and Computers Figure 8 60 Figure 8 60 Navigating to Active Directory Users and Computers on the Menu Step 20 In the Active Directory Users and Computers window right click Users and then go to New User Figure 8 61 Figure 8 61 Adding an Active Directory User ...

Page 207: ...indow apply your information to the fields and then click Next Figure 8 62 Figure 8 62 New Object User Settings Step 22 In the New Object User window enter the password and then click Next Figure 8 63 Figure 8 63 New Object User Settings ...

Page 208: ...4 Figure 8 64 User Successfully Created Step 24 Go to Policy Object Authentication LDAP and then refer to figure below to configure Figure 8 65 Figure 8 65 LDAP Server Settings Note 1 You may click Test to detect the connection between CS 2001 and LDAP server ...

Page 209: ...208 Step 25 Go to Policy Object Authentication Group then add LDAP User Figure 8 66 Figure 8 66 Adding the LDAP User ...

Page 210: ...thentication in a Policy. Figure 8-68 A Policy with LDAP Authentication. Step 27: The authentication login screen appears in the web browser when a LAN user tries to access the Internet. Internet access will be available after applying the valid user name and password to the corresponding fields in the login screen (Figure 8-69). Figure 8-69 The Authentication Login ...

Page 211: ...Blocking Application Blocking regulates the control of Instant Messenger Login File Transfer over IM Peer to Peer Sharing Multimedia Streaming Web Based Mail Online Gaming VPN Tunneling Remote Controlling and Other Applications ...

Page 212: ... Skype Google Talk Gadu Gadu Rediff WebIM and Alisoft File Transfer over IM Regulates file transfers for MSN Yahoo ICQ AIM QQ Google Talk and Gadu Gadu Peer to Peer Sharing Regulates the online usage of eDonkey eMule BitTorrent WinMX Foxy KuGoo AppleJuice AudioGalaxy DirectConnect iMesh MUTE Thunder5 GoGoBox QQDownload Ares Shareaza BearShare Morpheus Limewire and Kazaa Multimedia Streaming Regula...

Page 213: ...212 VPN Tunneling Regulates the online usage of VNN Client Ultra Surf Tor Hamachi HotSpot Shield and FreeGate Remote Controlling Regulates the online usage of TeamViewer VNC and Remote Desktop ...

Page 214: ...213 9 1 Example No Example Scenario Page 9 1 1 IM Regulating the Use of IM Software Messaging and File Transferring 214 9 1 2 P2P Regulating the Use of P2P Software Downloading and Uploading 217 ...

Page 215: ...ep 1 Go to Policy Object Application Blocking Settings and set as below Figure 9 1 Click New Entry Type a name in the Name field Select Instant Messaging Login and File Transfer over IM then tick Select All for both Click OK Figure 9 2 Figure 9 1 Regulating the Use of IM Software ...

Page 216: ...215 Figure 9 2 Settings Completed ...

Page 217: ...er Policy Outgoing set as below Figure 9 3 Application Blocking Select the name of the Application Blocking setting Click OK Figure 9 4 Figure 9 3 Applying IM Blocking to a Policy Figure 9 4 A Policy with IM Blocking ...

Page 218: ...g and Uploading Step 1 Under Policy Object Application Blocking Settings set as below Figure 9 5 Click New Entry Type a name in the Name field Select Peer to Peer Sharing and tick Select All Click OK Figure 9 6 Figure 9 5 Regulating the Use of P2P Software ...

Page 219: ...218 Figure 9 6 Settings Completed ...

Page 220: ...locking. Note: 1. P2P software occupies significant network bandwidth resources, adversely affecting other users. Policy Object > Service can block the port number that P2P software uses; however, this port number is variable and can be modified by users. Therefore, the IT administrator must use the Peer to Peer Application settings located under Policy Object > Application Blocking > Setting to successfully bloc...

Page 221: ... to one mapping to provide any service ports 0 65535 Port Mapping Uses Port Address Translation PAT to map different services ports of a real IP address to the private IP addresses of internal servers Services may also be shared amongst multiple internal servers to provide load balancing ensuring external service requests with an efficient and uninterrupted service Virtual IP Group Provides groupi...

Page 222: ...en 8080 must be appended to a web site page address such as http www yahoo com 8080 Scheduling Algorithm Round Robin In this mode sessions are allocated to the internal servers by means of a round robin cycle This improves overall efficiency and prevents the entire load being placed on just a single server Backup Mode When the main server ceases to function the sessions will then be allocated to t...

Page 223: ... 15321 15333 and UDP 15321 15333 231 10 1 4 Port Mapping Using Multiple Virtual Servers to Provide HTTP POP3 SMTP and DNS Services through the Regulation of a Policy 236 Prerequisite Setup Note IP address used as example only Apply to a local ISP for two ADSL lines with static IP addresses Configure Port1 as LAN1 192 168 1 1 NAT Routing Mode and connect to the LAN 192 168 1 x 24 Configure Port2 as...

Page 224: ...licy Object Address LAN set as below Figure 10 1 Figure 10 1 Configuring the Address Settings Step 3 Under Policy Object Virtual Server Mapped IPs set as below Click New Entry Enter a name for the Mapped IP address in the Name field WAN IP Select Port2 WAN1 then type 61 11 11 12 in the field or click Assist Me to select an IP address Mapped IPs Select Port1 LAN1 and type 192 168 1 100 in the field...

Page 225: ...r group called Mail_Service comprising the services for enabling the server to send emails Figure 10 3 Figure 10 3 Group Settings Step 5 Under Policy Incoming set as below Figure 10 4 Select the defined mapped IP for Destination IP Select Mail_Service for Service Click OK Figure 10 5 Figure 10 4 Configuring the Incoming Policy Figure 10 5 The Completed Policy Settings ...

Page 226: ...ring an Outgoing Policy Figure 10 7 The Completed Policy Settings Important 1 To enable the LAN to LAN connection go to Policy LAN to LAN and create a policy select Inside Any for both Source Address and Destination Address To enable the DMZ to DMZ connection go to Policy DMZ to DMZ and create a policy select DMZ Any for both Source Address and Destination Address ...

Page 227: ...r Providing Multiple Services Note 1 It is strongly recommended not to select ANY for Service when configuring a policy especially when using a Mapped IP This is because of the possibility of hackers being able to use some of the services as a means to hack into the server ...

Page 228: ...g Server Real IP Select Port3 WAN2 and type 211 74 99 122 into the field or click Assist Me to select an IP address Service select HTTP 80 WAN Port Change 80 into 8080 Scheduling Algorithm Select Round Robin Interface Select Port1 LAN1 IP of Virtual Server 1 Enter 192 168 1 101 or you may click on Assist Me IP of Virtual Server 2 Enter 192 168 1 102 or you may click on Assist Me IP of Virtual Serv...

Page 229: ...Figure 10 9 Setting Virtual IP Figure 10 10 The Completed Virtual IP Settings ...

Page 230: ...e the HTTP port number has been changed into 8080 in this example then 8080 must be appended to the web page address such as http www yahoo com 8080 Important 1 To enable the LAN to LAN connection go to Policy LAN to LAN and create a policy select Inside Any for both Source Address and Destination Address To enable the DMZ to DMZ connection go to Policy DMZ to DMZ and create a policy select DMZ An...

Page 231: ...Step 4 Settings completed Figure 10 13 Figure 10 13 Multiple Servers Hosting a Single Website ...

Page 232: ... UDP 15321 15333 Step 1 Configure internal VoIP user with the IP address 192 168 1 100 Step 2 Under Policy Object Address LAN set as below Figure 10 14 Figure 10 14 The Address Settings Step 3 Create a VoIP service under Policy Object Service Custom Figure 10 15 Figure 10 15 The Completed Custom Service ...

Page 233: ...e Select the custom service setting External Port No Will be automatically set to the customized service Scheduling Algorithm Select Round Robin Interface Select Port1 LAN1 IP of Virtual Server 1 Enter 192 168 1 100 or click Assist Me to select an IP address Click OK Figure 10 17 Figure 10 16 Setting Virtual IP Figure 10 17 The Completed Virtual IP Settings Note 1 The External Port No can only be...

Page 234: ...ing set as below Figure 10 18 Destination IP Select the virtual server setting Service Select the custom service setting Click OK Figure 10 19 Figure 10 18 Applying the Service to the Policy Figure 10 19 The Completed Policy Setting ...

Page 235: ...1 Figure 10 20 Setting an Outgoing Policy Figure 10 21 The Completed Settings Important 1 To enable the LAN to LAN connection go to Policy LAN to LAN and create a policy select Inside Any for both Source Address and Destination Address To enable the DMZ to DMZ connection go to Policy DMZ to DMZ and create a policy select DMZ Any for both Source Address and Destination Address ...

Page 236: ...Step 7 A VoIP session created between an internal and external user Figure 10 22 Figure 10 22 The Completed VoIP Setup ...

Page 237: ...n the LAN And then configure their preferred DNS server addresses as that of the external DNS server Step 2 Under Policy Object Address LAN LAN Group set as below Figure 10 23 10 24 Figure 10 23 Address Settings Figure 10 24 A Created Group Address Step 3 In Policy Object Service Group group the necessary services of providing HTTP POP3 SMTP and DNS services And then create a group containing the ...

Page 238: ...Figure 10 25 A Created Group Service ...

Page 239: ...t No Will be automatically set to the customized service Scheduling Algorithm Select Round Robin Interface Select Port1 LAN1 IP of Virtual Server 1 Enter 192 168 1 101 or you may click on Assist Me IP of Virtual Server 2 Enter 192 168 1 102 or you may click on Assist Me IP of Virtual Server 3 Enter 192 168 1 103 or you may click on Assist Me IP of Virtual Server 4 Enter 192 168 1 104 or you may cl...

Page 240: ... Incoming and then set as below Figure 10 28 Select the virtual server setting for Destination IP Select Main_Service for Service Click OK Figure 10 29 Figure 10 28 Configuring an Incoming Policy Figure 10 29 Policy Completed ...

Page 241: ... Figure 10 31 Figure 10 30 Configuring an Outgoing Policy Figure 10 31 Policy Completed Important 1 To enable the LAN to LAN connection go to Policy LAN to LAN and create a policy select Inside Any for both Source Address and Destination Address To enable the DMZ to DMZ connection go to Policy DMZ to DMZ and create a policy select DMZ Any for both Source Address and Destination Address ...

Page 242: ...Step 7 Settings completed Figure 10 32 Figure 10 32 Settings Completed ...

Page 243: ...rprise with an encrypted network communication method By allowing the enterprise to utilize the Internet as a means of transferring data across the network it forms one of the most effective and secure options for enterprises to adopt in comparison to other methods Note 1 To create a secure VPN connection the settings of IPSec Autokey PPTP Server or PPTP Client must be applied to the Trunk setting...

Page 244: ...ion Key Management Protocol ISAKMP provides the way to create the Security Association SA between two PCs The SA can access the encoding between two PCs and the IT administrator can assign which key size or Pre Shared Key String and algorithm to use The SA comes in many connection ways for instance use the ISAKMP SA between two PCs and assign an ENC algorithm DES triple DES 40 bit DES or not us...

Page 245: ...thentication Header guarantees connectionless integrity and data origin authentication of IP datagrams ESP Encapsulating Security Payload The Encapsulated Security Payload provides confidentiality and integrity protection to IP datagrams ...

Page 246: ...thm is an instant and convenient alternative for connection It is merely a simple replacement for ESP Encapsulating Security Payload without any cryptographic protection SHA1 Secure Hash Algorithm 1 The SHA1 is a revision of SHA Secure Hash Algorithm It has improved the shortcomings of SHA By producing summary hash values it can achieve an algorithm up to 160 bits MD5 Algorithm MD5 Message Digest Al...

Page 247: ...ct the Subnet Mask addresses Specify the IP address or domain name of the destination gateway in Remote Gateway Fixed IP or Domain Name Specify the subnet and mask addresses in the Subnet Mask fields Type a word string as Pre Shared Key String in the Pre Shared Key String field Click OK The device will automatically finish other related but necessary settings and create a corresponding policy for ...

Page 248: ...cy Note 1 One Step IPSec uses default settings listed below on most configurations to simplify the procedure of creating a VPN connection with IPSec encryption Mode Main mode Authentication Method Pre Shared Key ISAKMP Algorithm DES MD5 Group1 IPSec Algorithm DES MD5 The corresponding policies for the VPN connection will be created accordingly ...

Page 249: ...d then click Next Figure 11 6 Create a policy for VPN connection Click Next when finished Figure 11 7 Create a VPN Trunk Click Next when finished Figure 11 8 Select the VPN Figure 11 9 Click Finish Figure 11 10 Setting completed Figure 11 11 11 12 Figure 11 6 Selecting a Connection Method Figure 11 7 A Policy for VPN Connection Figure 11 8 A VPN Trunk Setting ...

Page 250: ...Figure 11 9 Applying Available VPN Trunk to the Policy Figure 11 10 Setting Completed Figure 11 11 An Outgoing Policy Completed Figure 11 12 An Incoming policy Completed ...

Page 251: ...erface address of the remote gateway IPSec Algorithm It displays the algorithm that the VPN connection currently employed Configuration Click Modify to modify the setting or click Remove to remove the setting Figure 11 13 Figure 11 13 IPSec Autokey Screen Note 1 By default CS 2001 will create an IPSec VPN connection using Dead Peer Detection If Remote Gateway Fixed IP or Domain Name has been speci...

Page 252: ...logged in PPTP client user Client IP It displays the IP address of clients using PPTP connection to log in to PPTP server Uptime It displays the duration of the connection between client and server Configuration Click Modify to modify the settings or click Remove to remove the settings Figure 11 14 Figure 11 14 PPTP Server Screen Note 1 By default CS 2001 will create a PPTP VPN connection using Ec...

Page 253: ...o log in to PPTP server Encryption It determines whether to use encryption on the connection between client and server Uptime It displays the duration of the connection between client and server Configuration Click Modify to modify the setting or click Remove to remove the setting Figure 11 15 Figure 11 15 PPTP Client Screen Note 1 By default CS 2001 will create a PPTP VPN connection using Echo Re...

Page 254: ...er Source Subnet The IP address of source subnet Destination Subnet The IP address of destination subnet Tunnel It displays which tunnels the VPN trunk includes such as IPSec PPTP Server or PPTP client Configuration Click Modify to change the configuration of VPN trunk click Remove to remove the setting click Pause to suspend the setting click Enable to resume the setting Figure 11 16 Figure 11 16 VPN T...

Page 255: ...ote the name has to be exclusive from any other Group Member The groups that are subject to the VPN Trunk rule Configuration Click Modify to change the configuration of VPN trunk click Remove to remove the setting Figure 11 17 Figure 11 17 VPN Trunk Screen ...

Page 256: ...001 Devices An Aggressive Mode Example 319 11 1 4 IPSec Autokey Using Two CS 2001 Devices to Connect Outbound Load Balance with IPSec VPN Using GRE IPSec Package Algorithm 334 11 1 5 IPSec Autokey Establishing an IPSec VPN Connection by Three CS 2001 Devices 352 11 1 6 PPTP Using Two CS 2001 Devices to Establish PPTP VPN Connection Outbound Load Balancing 374 11 1 7 PPTP Using Two CS 2001 Devices ...

Page 257: ...192 168 20 1 IP address range 192 168 20 x 24 Configure Port2 as WAN1 211 22 22 22 and connect it to the ADSL Termination Unit Remote ATUR to access the Internet Multiple subnet 192 168 85 1 IP address range 192 168 85 x 24 This example uses two CS 2001 devices to establish VPN connection between A Company and B Company For A Company set as below Step 1 Go to Policy Object VPN IPSec Autokey and th...

Page 258: ...Step 3 Select Remote Gateway Static IP or Hostname for Remote Settings and enter the management address of B Company Figure 11 20 Figure 11 20 Remote Settings ...

Page 259: ...roup Figure 11 22 Figure 11 22 Encryption and Data Integrity Algorithms Settings Step 6 Select Use both algorithms below the IPSec Algorithm or tick Use authentication algorithm only If ticked Use both algorithms please select 3DES for Encryption Algorithm and MD5 for Authentication Algorithm Figure 11 23 Figure 11 23 IPSec Algorithm Settings Step 7 Select Group 1 for PFS Key Group Enter 3600 in t...

Page 260: ...Local Settings Select LAN Local IP Netmask Type 192 168 10 0 as A Company s subnet address and 255 255 255 0 as Mask Remote Settings Tick Remote IP Netmask Remote IP Netmask Type 192 168 85 0 as B Company s subnet address and 255 255 255 0 as Mask Tunnel Select IPSec tunnel and then add it to the right column Tick Enable NetBIOS Broadcast over VPN Click OK Figure 11 27 ...

Page 261: ...ttings Figure 11 27 VPN Trunk Created Step 10 Under Policy Outgoing set as below Figure 11 28 Select the defined trunk for VPN Trunk Click OK Figure 11 29 Figure 11 28 Configuring a Policy with VPN Trunk Figure 11 29 Policy Created ...

Page 262: ... Creating an Incoming Policy with VPN Trunk Figure 11 31 An Incoming Policy with VPN Trunk Note 1 Under Policy Object VPN IPSec Autokey if Remote Gateway or Client Dynamic IP is selected under Remote Settings then Aggressive mode must be selected for Mode and the MY ID field and the Peer ID field must be completed for the connection ...

Page 263: ...Autokey and then click New Entry Figure 11 33 Figure 11 33 IPSec Autokey Screen Step 3 Type IPSec_tunnel2 in the Name field and then select Port2 WAN1 for WAN Interface Figure 11 34 Figure 11 34 Name and WAN Interface Settings Step 4 Select Remote Gateway Static IP or Hostname for Remote Settings and enter the management address of A Company Figure 11 35 Figure 11 35 Remote Settings ...

Page 264: ...re 11 37 Encryption and Data Integrity Algorithms Settings Step 7 Select Use both algorithms below the IPSec Algorithm or tick Use authentication algorithm only If ticked Use both algorithms please select 3DES for Encryption Algorithm and MD5 for Authentication Algorithm Figure 11 38 Figure 11 38 IPSec Algorithm Settings Step 8 Under the Advanced Settings optional section select Group 1 for PFS Ke...

Page 265: ...Type a name Local Settings Check LAN Local IP Netmask Type 192 168 85 0 as B Company s subnet address and 255 255 255 0 as Mask Remote Settings Select Remote IP Netmask Remote IP Netmask Type 192 168 10 0 as A Company s subnet address and 255 255 255 0 as Mask Tunnel Select IPSec_tunnel2 and then add it to the right column Tick Enable NetBIOS Broadcast over VPN Click OK Figure 11 42 ...

Page 266: ...Figure 11 41 VPN Trunk Settings Figure 11 42 VPN Trunk Created ...

Page 267: ...icy Outgoing click New Entry and then set as below Figure 11 43 Select the defined Trunk for VPN Trunk Click OK Figure 11 44 Figure 11 43 Using VPN Trunk in an Outgoing Policy Figure 11 44 An Outgoing Policy with VPN Trunk ...

Page 268: ...y Incoming click New Entry and then set as below Figure 11 45 Select the defined trunk for VPN Trunk Click OK Figure 11 46 Figure 11 45 Creating an Incoming Policy with VPN Trunk Figure 11 46 An Incoming Policy with VPN Trunk ...

Page 269: ...Step 13 Settings completed Figure 11 47 Figure 11 47 Deployment of IPSec VPN ...

Page 270: ...to access the Internet B Company uses a PC running Windows 2000 IP address 211 22 22 22 This example is to establish VPN connection between A Company and B Company For A Company set as below Step 1 Under Policy Object VPN IPSec Autokey click New Entry Figure 11 48 Figure 11 48 IPSec Autokey Screen Step 2 Enter ipsec1 in the Name field and then select Port2 WAN1 for WAN Interface Figure 11 49 Figur...

Page 271: ... MD5 for Authentication Algorithm select Group 2 for Group Figure 11 52 Figure 11 52 ISAKMP Algorithm Settings Step 6 Select Use both algorithms below the IPSec Algorithm or tick Use authentication algorithm only If ticked Use both algorithms please select 3DES for Encryption Algorithm and MD5 for Authentication Algorithm Figure 11 53 Figure 11 53 IPSec Algorithm Settings Step 7 Select Group 1 for ...

Page 272: ... Under Policy Object VPN Trunk set as below Figure 11 56 Name Type a name Local Settings Select LAN Local IP Netmask Type 192 168 10 0 as A Company s subnet address and 255 255 255 0 as Mask Remote Settings Select Remote Client Tunnel Select ipsec1 and then add it to the right column Tick Enable NetBIOS Broadcast over VPN Click OK Figure 11 57 ...

Page 273: ...Figure 11 56 VPN Trunk Settings Figure 11 57 VPN Trunk Created ...

Page 274: ...3 Step 10 Under Policy Outgoing set as below Figure 11 58 Select the defined trunk for VPN Trunk Click OK Figure 11 59 Figure 11 58 Creating an Outgoing Policy with VPN Trunk Figure 11 59 Policy Completed ...

Page 275: ...4 Step 11 Under Policy Incoming set as below Figure 11 60 Select the defined trunk for VPN Trunk Click OK Figure 11 61 Figure 11 60 Creating an Incoming Policy with VPN Trunk Figure 11 61 Policy Completed ...

Page 276: ... Start Run on the Start menu in Windows 2000 Figure 11 62 Figure 11 62 Selecting Run on the Start Menu Step 2 In the Open field of the Run window type mmc Figure 11 63 Figure 11 63 Typing mmc to Launch the Microsoft Management Console Application ...

Page 277: ... Snap in Figure 11 64 Figure 11 64 Selecting Add Remove Snap in on the Console Menu Step 4 In the Add Remove Snap in window click Add Then in the Add Standalone Snap ins window select IP Security Policy Management and add it Figure 11 65 Figure 11 65 Adding the IP Security Policy Management ...

Page 278: ...Step 5 Select Local Computer and then click Finish Figure 11 66 Figure 11 66 Selecting Local Computer Step 6 Settings completed Figure 11 67 Figure 11 67 Settings Completed ...

Page 279: ...ht click the IP Security Policies on Local Machine and then click Create IP Security Policy Figure 11 68 Figure 11 68 Creating an IP Security Policy Step 8 Click Next Figure 11 69 Figure 11 69 Security Policy Wizard ...

Page 280: ...Description and then click Next Figure 11 70 Figure 11 70 Name and Description Settings Step 10 Disable Activate the default response rule and then click Next Figure 11 71 Figure 11 71 Disable the Activate the Default Response Rule ...

Page 281: ...n the IP Security Policy Wizard window tick Edit properties and click Finish Figure 11 72 Figure 11 72 Settings Completed Step 12 In the VPN_B Properties window disable Use Add Wizard and then click Add Figure 11 73 ...

Page 282: ...Figure 11 73 VPN_B Properties ...

Page 283: ...the New Rule Properties window click Add Figure 11 74 Figure 11 74 New Rule Properties Step 14 In the IP Filter List window disable Use Add Wizard Change the Name into VPN_B WAN TO LAN and then click Add Figure 11 75 ...

Page 284: ...Figure 11 75 Adding an IP Filter ...

Page 285: ...5 255 255 to the fields After that select A specific IP Subnet for Destination address and then type 192 168 10 0 as A Company s subnet address and 255 255 255 0 as subnet mask Note Do not tick Mirrored Also match packets with the exact opposite source and destination addresses Figure 11 76 Figure 11 76 Filter Properties Settings Step 16 Settings completed Figure 11 77 ...

Page 286: ...Figure 11 77 IP Filter Added ...

Page 287: ...ndow click Filter Action tab and then tick Require Security Next click Edit Figure 11 78 Figure 11 78 Selecting Filter Action Step 18 In the Require Security Properties window tick Session Key Perfect Forward Secrecy on the bottom Figure 11 79 ...

Page 288: ...Figure 11 79 Ticking the Session Key Perfect Forward Secrecy ...

Page 289: ... 19 Select the security method Custom None 3DES MD5 and then click Edit Figure 11 80 Figure 11 80 Selecting a Security Method to Edit Step 20 Select Custom for expert users and then click Settings Figure 11 81 ...

Page 290: ...Figure 11 81 Modifying Security Method ...

Page 291: ...on algorithm Tick Generate a new key every and enter 28800 in the seconds field and then click OK to return to the New Rule Properties window Figure 11 82 Figure 11 82 Customizing Security Method Step 22 In the New Rule Properties window click Connection Type tab and tick All network connections Figure 11 83 ...

Page 292: ...Figure 11 83 Selecting the Connection Type ...

Page 293: ...l endpoint is specified by this IP Address and then enter 61 11 11 11 as the WAN IP address of A Company Figure 11 84 Figure 11 84 Tunnel Setting Step 24 In the New Rule Properties window click Authentication Methods tab Next select the method Kerberos and then click Edit on the right Figure 11 85 ...

Page 294: ...Figure 11 85 Authentication Methods Settings ...

Page 295: ...Step 25 Select Use this string to protect the key exchange preshared key and then enter the preshared key 123456789 in the field Figure 11 86 Figure 11 86 Preshared Key Settings ...

Page 296: ...Step 26 Click Apply and then click Close to close the window Figure 11 87 Figure 11 87 Authentication Methods Settings ...

Page 297: ...Step 27 Settings completed Figure 11 88 Figure 11 88 Settings Completed ...

Page 298: ...Step 28 In the VPN_B Properties window disable Use Add Wizard click Add to create the second IP security rule Figure 11 89 Figure 11 89 VPN_B Properties Settings ...

Page 299: ...Step 29 In the New Rule Properties window click Add Figure 11 90 Figure 11 90 Clicking Add to Add an IP Filter ...

Page 300: ...Step 30 In the IP Filter List window disable Use Add Wizard Change the Name into VPN_B LAN TO WAN and then click Add Figure 11 91 Figure 11 91 Adding an IP Filter ...

Page 301: ...s and 255 255 255 0 as subnet mask After that select A specific IP Address for Destination address and then type 211 22 22 22 as B Company s WAN IP address and 255 255 255 255 as subnet mask Note Do not enable Mirrored Also match packets with the exact opposite source and destination addresses Figure 11 92 Figure 11 92 Filter Properties Settings ...

Page 302: ...Step 32 Settings completed Figure 11 93 Figure 11 93 IP Filter Added ...

Page 303: ...window click Filter Action tab tick Required Security and then click Edit Figure 11 94 Figure 11 94 Filter Action Settings Step 34 In the Require Security Properties window tick Session key Perfect Forward Secrecy on the bottom Figure 11 95 ...

Page 304: ...Figure 11 95 Ticking the Session Key Perfect Forward Secrecy ...

Page 305: ... Step 35 Select the security method Custom None 3DES MD5 and then click Edit Figure 11 96 Figure 11 96 Security Methods Settings Step 36 Select Custom for expert users and then click Settings Figure 11 97 ...

Page 306: ...Figure 11 97 Modifying Security Method ...

Page 307: ...d select MD5 for Integrity algorithm and 3DES for Encryption algorithm Tick Generate a new key every and type 28800 in the seconds field and then click OK to return to the New Rule Properties window Figure 11 98 Figure 11 98 Customizing Security Method ...

Page 308: ...Step 38 In the New Rule Properties window click Connection Type tab and tick All network connections Figure 11 99 Figure 11 99 Selecting the Connection Type ...

Page 309: ...w Rule Properties window click Tunnel Setting tab After that tick The tunnel endpoint is specified by this IP Address and then type 211 22 22 22 as the WAN IP address of B Company Figure 11 100 Figure 11 100 Tunnel Settings ...

Page 310: ...09 Step 40 In the New Rule Properties window click Authentication Methods tab Next select the method Kerberos and then click Edit on the right Figure 11 101 Figure 11 101 Authentication Methods Settings ...

Page 311: ...Step 41 Select Use this string to protect the key exchange preshared key and then enter the preshared key 123456789 in the field Figure 11 102 Figure 11 102 Preshared Key Settings ...

Page 312: ...Step 42 Click Apply and then click Close to close the window Figure 11 103 Figure 11 103 New Authentication Method Created ...

Page 313: ...Step 43 Settings completed Figure 11 104 Figure 11 104 Settings Completed ...

Page 314: ...Step 44 In the VPN_B Properties window click General tab and then click Advanced Figure 11 105 Figure 11 105 General Settings of VPN_B Properties ...

Page 315: ...click Methods Figure 11 106 Figure 11 106 Key Exchange Settings Step 46 Click Move up or Move down to arrange the order of selected item Move the item IKE 3DES MD5 to the top and then click OK Figure 11 107 Figure 11 107 Rearranging the Order of Security Methods ...

Page 316: ...ep 47 Settings completed Figure 11 108 Figure 11 108 IPSec VPN Settings Completed Step 48 Right click VPN_B and move to Assign and then click it Figure 11 109 Figure 11 109 Assigning a Security Rule to VPN_B ...

Page 317: ...anel on the Start menu and then click it Figure 11 110 Figure 11 110 Selecting Control Panel on the Start Menu Step 50 In the Control Panel window double click Administrative Tools Figure 11 111 Figure 11 111 Double Clicking Administrative Tools ...

Page 318: ...ols window double click Services Figure 11 112 Figure 11 112 The Services Window Step 52 In the Services window right click IPSec Policy Agent and move to Restart and then click it Figure 11 113 Figure 11 113 Restarting IPSec Policy Agent ...

Page 319: ...Step 53 Settings completed Figure 11 114 Figure 11 114 Deployment of IPSec VPN Using CS 2001 and Windows 2000 ...

Page 320: ...168 20 x 24 Configure Port2 as WAN1 211 22 22 22 and connect it to the ADSL Termination Unit Remote ATUR to access the Internet This example uses two CS 2001 devices to establish VPN connection between A Company and B Company using aggressive mode For A Company set as below Step 1 Go to Policy Object VPN IPSec Autokey and then click New Entry Figure 11 115 Figure 11 115 IPSec Autokey Screen Step 2...

Page 321: ...and enter the management address of B Company Figure 11 117 Figure 11 117 Remote Settings ...

Page 322: ...ct DH 2 for Key Group Figure 11 119 Figure 11 119 Encryption and Data Integrity Algorithms Settings Step 6 Select Use both algorithms below the IPSec Algorithm or tick Use authentication algorithm only If ticked Use both algorithms please select 3DES for Encryption Algorithm and MD5 for Authentication Algorithm Figure 11 120 Figure 11 120 IPSec Algorithm Settings Step 7 Select Group 1 for PFS Key ...

Page 323: ... Peer ID Settings The ID will be the same as the WAN IP if you leave the field blank MY ID and Peer ID should be different and be chosen from an IP address not currently being used by something else such as 11 11 11 11 22 22 22 22 The symbol should be added before the ID such as 123a abcd1 Step 9 Settings completed Figure 11 123 Figure 11 123 IPSec Autokey Settings Completed ...

Page 324: ...ny s subnet address and 255 255 255 0 as Mask Remote Settings Select Remote IP Netmask Remote IP Mask Type 192 168 20 0 as B Company s subnet address and 255 255 255 0 as Mask Tunnel Select ipsec1 and then add it to the right column Tick Enable NetBIOS Broadcast over VPN Click OK Figure 11 125 Figure 11 124 VPN Trunk Settings Figure 11 125 VPN Trunk Created ...

Page 325: ...ck New Entry and then set as below Figure 11 126 Select the defined trunk from the VPN Trunk drop down list Click OK Figure 11 127 Figure 11 126 Configuring an Outgoing Policy with VPN Trunk Figure 11 127 An Outgoing Policy with VPN Trunk ...

Page 326: ...ck New Entry and then set as below Figure 11 128 Select the defined trunk from the VPN Trunk drop down list Click OK Figure 11 129 Figure 11 128 Configuring an Incoming Policy with VPN Trunk Figure 11 129 An Incoming Policy with VPN Trunk ...

Page 327: ...terface Figure 11 131 Figure 11 131 Name and WAN Interface Settings Step 3 Remote Settings Select Remote Gateway Static IP or Hostname and then enter the management address of A Company Figure 11 132 Figure 11 132 Remote Settings Step 4 Select Pre Shared Key for Authentication Method and enter a Pre Shared Key String The maximum length of Pre Shared Key String is 103 characters Figure 11 133 Figur...

Page 328: ...ep 5 Below Encryption and Data Integrity Algorithms select 3DES for Encryption Algorithm select SHA1 for Authentication Algorithm select DH 2 for Key Group Figure 11 134 Figure 11 134 ISAKMP Algorithm Settings ...

Page 329: ...r PFS Key Group Enter 3600 in the ISAKMP SA Lifetime field and 28800 in the IPSec SA Lifetime field Figure 11 136 Figure 11 136 Advanced Settings of IPSec Autokey Step 8 Select Aggressive mode for Mode enter abc123 in the My ID field and then enter 11 11 11 11 in the Peer ID field Figure 11 137 Figure 11 137 Mode Settings Step 9 Settings completed Figure 11 138 Figure 11 138 IPSec Autokey Settings ...

Page 330: ...ype 192 168 20 0 as B Company s subnet address and 255 255 255 0 as Mask Remote Settings Select Remote IP Netmask Remote IP Netmask Type 192 168 10 0 as A Company s subnet address and 255 255 255 0 as Mask Tunnel Select ipsec2 and then add it to the right column Tick Enable NetBIOS Broadcast over VPN Click OK Figure 11 140 Figure 11 139 VPN Trunk Settings ...

Page 331: ...Figure 11 140 VPN Trunk Created ...

Page 332: ...Policy Outgoing click New Entry and then set as below Figure 11 141 Select the defined trunk for VPN Trunk Click OK Figure 11 142 Figure 11 141 Configuring an Outgoing Policy with VPN Trunk Figure 11 142 Policy Completed ...

Page 333: ...Policy Incoming click New Entry and then set as below Figure 11 143 Select the defined trunk for VPN Trunk Click OK Figure 11 144 Figure 11 143 Configuring an Incoming Policy with VPN Trunk Figure 11 144 Policy Completed ...

Page 334: ...Step 13 Settings completed Figure 11 145 Figure 11 145 Deployment of IPSec VPN Using Aggressive Mode ...

Page 335: ...e ATUR to access the Internet B Company Configure Port1 as LAN1 192 168 20 1 IP range 192 168 20 x 24 Configure Port2 as WAN1 211 22 22 22 and connect it to the ADSL Termination Unit Remote ATUR to access the Internet Configure Port3 as WAN2 211 33 33 33 and connect it to the ADSL Termination Unit Remote ATUR to access the Internet Two IPSec VPN connections are created between A Company s WAN port...

Page 336: ...gs Select Remote Gateway Static IP or Hostname and enter the management address of B Company WAN port 1 Figure 11 148 Figure 11 148 Remote Settings Step 4 Select Pre Shared Key for Authentication Method and enter the Pre Shared Key String Figure 11 149 Figure 11 149 Authentication Method Settings Step 5 Below Encryption and Data Integrity Algorithms select 3DES for Encryption Algorithm select MD5 ...

Page 337: ...d 28800 in the IPSec SA Lifetime field and then select Main Mode for Mode Figure 11 152 Figure 11 152 Advanced Settings of IPSec Autokey Step 8 For GRE Tunnel Settings type 192 168 50 100 in the Local Endpoint Address field and 192 168 50 200 in the Remote Endpoint Address field Note The local IP and the remote IP must be configured in the same class C network Figure 11 153 Figure 11 153 GRE IPSec...

Page 338: ...elect Port3 WAN2 for the WAN Interface Figure 11 156 Figure 11 156 Name and WAN Interface Settings Step 12 Remote Settings Select Remote Gateway Static IP or Hostname and then type B Company s IP address in the field Figure 11 157 Figure 11 157 Remote Settings Step 13 Select Pre Shared Key for Authentication Method and enter the Pre Shared Key String Figure 11 158 Figure 11 158 Authentication Meth...

Page 339: ... MD5 for Authentication Algorithm Figure 11 160 Figure 11 160 IPSec Algorithm Settings Step 16 Select Group 1 for PFS Key Group Enter 3600 in the ISAKMP SA Lifetime field and 28800 in the IPSec SA Lifetime field and then select Main Mode for Mode Figure 11 161 Figure 11 161 Advanced Settings of IPSec Autokey Step 17 For GRE Tunnel Settings type 192 168 60 100 in the Local Endpoint Address field an...

Page 340: ...al Settings Select LAN Local IP Netmask Type 192 168 10 0 as A Company s subnet address and 255 255 255 0 as Mask Remote Settings Select Remote IP Netmask Remote IP Netmask Type 192 168 20 0 as B Company s subnet address and 255 255 255 0 as Mask Tunnel Select VPN_01 and VPN_02 and then add them to the right column Tick Enable NetBIOS Broadcast over VPN Click OK Figure 11 165 ...

Page 341: ...Figure 11 164 VPN Trunk Settings Figure 11 165 VPN Trunk Created ...

Page 342: ...Policy Outgoing click New Entry and then set as below Figure 11 166 Select the defined trunk for VPN Trunk Click OK Figure 11 167 Figure 11 166 Configuring an Outgoing Policy with VPN Trunk Figure 11 167 Policy Completed ...

Page 343: ...ng click New Entry and then set as below Figure 11 168 Select the defined trunk for VPN Trunk Click OK Figure 11 169 Figure 11 168 Configuring an Incoming Policy with VPN Trunk Figure 11 169 An Incoming Policy with VPN Trunk Completed ...

Page 344: ...ngs Step 3 For Remote Settings select Remote Gateway Static IP or Hostname and enter the management address of A Company WAN port 1 Figure 11 172 Figure 11 172 Remote Settings Step 4 Select Pre Shared Key for Authentication Method and enter the Pre Shared Key String Figure 11 173 Figure 11 173 IPSec Algorithm Settings Step 5 Below Encryption and Data Integrity Algorithms select 3DES for Encryption ...

Page 345: ...344 Figure 11 174 ISAKMP Algorithm Settings ...

Page 346: ...he ISAKMP SA Lifetime field and 28800 in the IPSec SA Lifetime field and then select Main Mode for Mode Figure 11 176 Figure 11 176 Advanced Settings of IPSec Autokey Step 8 For GRE Tunnel Settings type 192 168 50 200 in the Local Endpoint Address field and 192 168 50 100 in the Remote Endpoint Address field Note The local IP and the remote IP must be configured in the same class C network Figure 1...

Page 347: ...ettings Step 13 Select Pre Shared Key for Authentication Method and enter the Pre Shared Key String Figure 11 182 Figure 11 182 Authentication Method Settings Step 14 Below Encryption and Data Integrity Algorithms select 3DES for Encryption Algorithm select MD5 for Authentication Algorithm select DH 1 for Key Group Figure 11 183 Figure 11 183 ISAKMP Algorithm Settings Step 15 Select Use both algori...

Page 348: ...e Figure 11 185 Figure 11 185 Advanced Settings of IPSec Autokey Step 17 For GRE Tunnel Settings type 192 168 60 200 in the Local Endpoint Address field and 192 168 60 100 in the Remote Endpoint Address field Note The local IP and the remote IP must be configured in the same class C network Figure 11 186 Figure 11 186 GRE Tunnel Settings Step 18 Settings completed Figure 11 187 Figure 11 187 IPSec...

Page 349: ...net address and 255 255 255 0 as Mask Remote Settings Select Remote IP Netmask Remote IP Netmask Type 192 168 10 0 as A Company s subnet address and 255 255 255 0 as Mask Tunnel Select VPN_01 and VPN_02 and then add them to the right column Tick Enable NetBIOS Broadcast over VPN Click OK Figure 11 189 Figure 11 188 VPN Trunk Settings Figure 11 189 VPN Trunk Created ...

Page 350: ...y Outgoing click New Entry and then set as below Figure 11 190 Select the defined trunk for VPN Trunk Click OK Figure 11 191 Figure 11 190 Using VPN Trunk in an Outgoing Policy Figure 11 191 An Outgoing Policy with VPN Trunk ...

Page 351: ...cy Incoming click New Entry and then set as below Figure 11 192 Select the defined trunk for VPN Trunk Click OK Figure 11 193 Figure 11 192 Using VPN Trunk in an Incoming Policy Figure 11 193 An Incoming Policy with VPN Trunk ...

Page 352: ...351 Step 22 Settings completed Figure 11 194 Figure 11 194 Deployment of IPSec VPN Using GRE IPSec ...

Page 353: ...ccess the Internet B Company Configure Port1 as LAN1 192 168 20 1 IP range 192 168 20 x 24 Configure Port2 as WAN1 211 22 22 22 and connect it to the ADSL Termination Unit Remote ATUR to access the Internet C Company Configure Port1 as LAN1 192 168 30 1 IP range 192 168 30 x 24 Configure Port2 as WAN1 121 33 33 33 and connect it to the ADSL Termination Unit Remote to access the Internet This examp...

Page 354: ...nd the Interface Step 3 Under the Remote Settings section select the Remote Gateway Static IP or Hostname and then fill the blank Figure 11 197 Figure 11 197 Configuring the Static IP or Hostname Step 4 Select Pre Shared Key for Authentication Method and then enter the Pre Shared Key String Figure 11 198 Figure 11 198 Configuring the Authentication Method Step 5 Under the ISAKMP Algorithm section sele...

Page 355: ...ithm Figure 11 200 Figure 11 200 Configuring the IPSec Algorithm Step 7 Under the Advanced Settings optional section select GROUP 1 for PFS Key Group enter 3600 in the ISAKMP SA Lifetime field enter 28800 in the IPSec SA Lifetime field and then select Main mode for Mode Figure 11 201 Figure 11 201 Configuring the PFS Key Group ISAKMP SA Lifetime IPSec SA Lifetime and Mode ...

Page 356: ...e in the Name field Local Settings select LAN Enter the local subnet and the mask Under the Remote Settings section select Remote IP Netmask and then enter the local subnet and the mask Move the VPN_01 from the Available Tunnels column to the Selected Tunnels column Tick Enable NetBIOS Broadcast over VPN Click OK Figure 11 204 Figure 11 203 Configuring the First Trunk ...

Page 357: ... and the Interface Step 12 Under the Remote Settings section select Remote Gateway Static IP or Hostname and then fill the field Figure 11 207 Figure 11 207 Configuring the Remote Gateway Fixed IP or Domain Name Step 13 Select Pre Shared Key for Authentication Method and then enter the Pre Shared Key String Figure 11 208 Figure 11 208 Configuring the Authentication Method Step 14 Under the ISAKMP Algo...

Page 358: ...357 1 for Key Group Figure 11 209 Figure 11 209 Configuring ISAKMP Algorithm ...

Page 359: ...PSec Algorithm Step 16 Under the Advanced Settings Optional section select GROUP 1 for PFS Key Group enter 3600 in the ISAKMP SA Lifetime field enter 28800 in the IPSec SA Lifetime field and then select Main mode for Mode Figure 11 211 Figure 11 211 Configuring the PFS Key Group ISAKMP SA Lifetime IPSec SA Lifetime and Mode Step 17 Policy created Figure 11 212 Figure 11 212 Policy Created ...

Page 360: ...IP address and the Mask in the Local IP Netmask field Under the Remote Settings section select Remote IP Netmask and then enter the subnet and the mask Move the VPN_02 from the Available Tunnels to the Selected Tunnels Tick Enable NetBIOS Broadcast over VPN Click OK Figure 11 214 Figure 11 213 Configuring the Second Trunk Figure 11 214 The Second Trunk Created ...

Page 361: ...ld Move the IPSec_VPN_Trunk_01 LAN and IPSec_VPN_Trunk_02 LAN from the Available Trunks column to the Selected Trunks column Click OK Figure 11 216 Figure 11 215 Configuring the Trunk Group Figure 11 216 Trunk Group Created Important 1 Under Policy Object VPN Trunk B Company and C Company s subnet should be on A Company s subnet ...

Page 362: ...going click New Entry and then set as below Figure 11 217 Select the defined Trunk from the VPN Trunk drop down list Click OK Figure 11 218 Figure 11 217 Configuring the Outgoing Policy with VPN Trunk Figure 11 218 Policy Created ...

Page 363: ...oming click New Entry and then set as below Figure 11 219 Select the defined Trunk from the VPN Trunk drop down list Click OK Figure 11 220 Figure 11 219 Configuring an Incoming Policy with VPN Trunk Figure 11 220 Policy Created ...

Page 364: ...mote Settings section select Remote Gateway Static IP or Hostname and then enter A Company s IP Figure 11 223 Figure 11 223 Configuring the Remote Settings Step 4 Select Pre Shared Key for Authentication Method and then enter the Pre Shared Key String Figure 11 224 Figure 11 224 Configuring the Authentication Method Step 5 Under the ISAKMP Algorithm section select 3DES for Encryption Algorithm sel...

Page 365: ... IPSec Algorithm Step 7 Under the Advanced Settings optional section select GROUP 1 for PFS Key Group enter 3600 in the ISAKMP SA Lifetime field enter 28800 in the IPSec SA Lifetime field and then select Main mode for Mode Figure 11 227 Figure 11 227 Configuring the PFS Key Group ISAKMP SA Lifetime IPSec SA Lifetime and Mode Step 8 Setting completed Figure 11 228 Figure 11 228 IPSec Setting Comple...

Page 366: ...ect LAN Local IP Netmask Enter the subnet and the mask Under the Remote Settings section select Remote IP Netmask and then enter the subnet and mask Move VPN_01 from the Available Tunnels column to the Selected Tunnels column Tick Enable NetBIOS Broadcast over VPN Click OK Figure 11 230 Figure 11 229 Configuring the Trunk Figure 11 230 Setting Completed ...

Page 367: ...he New Entry button and then set as below Figure 11 231 Select the defined Trunk from the VPN Trunk drop down list Click OK Figure 11 232 Figure 11 231 Configuring an Outgoing Policy with VPN Trunk Figure 11 232 A Policy with VPN Trunk Created ...

Page 368: ...he New Entry button and then set as below Figure 11 233 Select the defined Trunk from the VPN Trunk drop down list Click OK Figure 11 234 Figure 11 233 Configuring an Incoming Policy with VPN Trunk Figure 11 234 A Policy with VPN Trunk Created ...

Page 369: ...Remote Settings section select Remote Gateway Static IP or Hostname and then enter A Company s IP in the field Figure 11 237 Figure 11 237 Configuring the Remote Settings Step 4 Select Pre Shared Key for Authentication Method and then enter the Pre Shared Key String Figure 11 238 Figure 11 238 Configuring the Authentication Method Step 5 Under the ISAKMP Algorithm section select 3DES for Encryption...

Page 370: ...ng the IPSec Algorithm Step 7 Under the Advanced Settings optional section select GROUP 1 from the PFS Key Group drop down list Enter 3600 in the ISAKMP SA Lifetime field and then enter 28800 in the IPSec SA Lifetime field Figure 11 241 Figure 11 241 Configuring the PFS Key Group ISAKMP SA Lifetime IPSec SA Lifetime and Mode Step 8 Setting completed Figure 11 242 Figure 11 242 Setting Completed ...

Page 371: ... Company s subnet mask 192 168 30 3 255 255 255 0 in the field Under the Remote Settings section type A Company s subnet mask 192 168 0 0 255 255 255 0 in the field Move VPN_02 from the Available Tunnels column to the Selected Tunnels column Tick Enable NetBIOS Broadcast over VPN Click OK Figure 11 244 Figure 11 243 Configuring the Trunk Figure 11 244 Setting Completed ...

Page 372: ...icy Outgoing click New Entry and then set as below Figure 11 245 Select the defined Trunk from the VPN Trunk drop down list Click OK Figure 11 246 Figure 11 245 Configuring an Outgoing Policy Figure 11 246 Policy Completed ...

Page 373: ...icy Incoming click New Entry and then set as below Figure 11 247 Select the defined Trunk from the VPN Trunk drop down list Click OK Figure 11 248 Figure 11 247 Configuring an Incoming Policy Figure 11 248 Setting Completed ...

Page 374: ...373 Step 12 Setting completed Figure 11 249 Figure 11 249 The Deployment of IPSec VPN ...

Page 375: ...the ADSL Termination Unit Remote ATUR to access the Internet B Company Configure Port1 as LAN1 192 168 20 1 IP range 192 168 20 x 24 Configure Port2 as WAN1 211 22 22 22 and connect it to the ADSL Termination Unit Remote ATUR to access the Internet Configure Port3 as WAN2 211 33 33 33 and connect it to the ADSL Termination Unit Remote ATUR to access the Internet A Company s WAN port 1 and B Compan...

Page 376: ...disconnect if idle for type 0 Enter the Client IP IP Range Click OK Figure 11 250 Enabling the PPTP Server Note 1 The IT administrator may enable or disable the external users to access the Internet via the CS 2001 device when they establish a VPN connection with the CS 2001 device 2 Auto disconnect if idle for if the VPN connection is idle for the defined times it will be disconnected automatical...

Page 377: ... Server and then set as below Click the New Entry button Figure 11 251 Type PPTP_01 in the Username field Type 123456789 in the Password field Select IP Range under Client IP s assigned from Click OK Figure 11 252 Click the New Entry again Figure 11 253 Type PPTP_02 in the Username field Type 987654321 in the Password field Tick IP Range under Client IP s assigned from Click OK Figure 11 254 Figur...

Page 378: ...377 Figure 11 253 Configuring the Second PPTP Server ...

Page 379: ...378 Figure 11 254 Second PPTP Server Completed ...

Page 380: ...bnet mask 192 168 10 0 255 255 255 0 in the field Under the Remote Settings section type B Company s subnet mask 192 168 20 0 255 255 255 0 in the field Move PPTP_Server_PPTP_01 from the Available Tunnels column to the Selected Tunnels column Tick Enable NetBIOS Broadcast over VPN Click OK Figure 11 256 Figure 11 255 Configuring the Trunk Figure 11 256 Setting Completed ...

Page 381: ...el to establish the PPTP VPN connection Step 4 Go to Policy Outgoing click New Entry and then set as below Figure 11 257 Select the defined Trunk from the VPN Trunk drop down list Click OK Figure 11 258 Figure 11 257 Configuring an Outgoing Policy with VPN Trunk Figure 11 258 Settings Completed ...

Page 382: ...ming click New Entry and then set as below Figure 11 259 Select the defined VPN from the VPN Trunk drop down list Click OK Figure 11 260 Figure 11 259 Configuring an Incoming Policy with VPN Trunk Figure 11 260 Settings Completed ...

Page 383: ...erver IP or Hostname field Click Encryption Select Port2 WAN1 for Interface Click OK Figure 11 262 Click OK again Figure 11 263 Enter PPTP_02 in the User Name field Enter 987654321 in the Password field Enter A Company s WAN2 IP address in the Server IP or Hostname field Click Encryption Select Port3 WAN2 for Interface Click OK Figure 11 264 Figure 11 261 Configuring the First PPTP Client Figure 1...

Page 384: ...ing Completed Figure 11 264 Second PPTP Client Setting Completed Note 1 When the CS 2001 PPTP Client establishes a VPN connection with a Windows PPTP Server NAT with PPTP Client must be selected for the PCs under the CS 2001 to access the Windows PPTP server ...

Page 385: ...55 255 255 0 in the Local IP Netmask field Under the Remote Settings section select Remote IP Netmask and then enter A Company s subnet mask 192 168 10 0 255 255 255 0 Move PPTP_Client_PPTP_01 61 11 11 11 and PPTP_Client_PPTP_02 61 22 22 22 from the Available Tunnels column to the Selected Tunnels column Tick Enable NetBIOS Broadcast over VPN Click OK Figure 11 266 Figure 11 265 Configuring the Tr...

Page 386: ...385 Figure 11 266 Settings Completed Note 1 When Remote IP Netmask is selected for Remote Settings the number of the PPTP_Client tunnel should be configured according to the number of WAN ...

Page 387: ... to Policy Outgoing and then set as below Figure 11 267 Select the defined Trunk from the VPN Trunk drop down list Click OK Figure 11 268 Figure 11 267 Configuring an Outgoing Policy Figure 11 268 Setting Completed ...

Page 388: ...cy Incoming click New Entry and then set as below Figure 11 269 Select the defined Trunk from the VPN Trunk drop down list Click OK Figure 11 270 Figure 11 269 Configuring an Incoming Policy Figure 11 270 Settings Completed ...

Page 389: ...388 Step 5 Settings completed Figure 11 271 Figure 11 271 The Deployment of PPTP VPN ...

Page 390: ... as WAN1 61 11 11 11 and connect it to the ADSL Termination Unit Remote ATUR to access the Internet B Company Configure Port1 as LAN1 192 168 20 1 IP range 192 168 20 x 24 Configure Port 2 as WAN1 211 22 22 22 and connect it to the ADSL Termination Unit Remote ATUR to access the Internet This example is to use two CS 2001 devices to establish VPN connection between A Company and B Company For A Co...

Page 391: ...nd then set as below Figure 11 272 Click Modify Click Enable PPTP Click Encryption Tick Allow Internet access via and then select the port Auto disconnect if idle for type 0 Enter the Client IP IP Range Click OK Figure 11 272 Enabling the PPTP Server ...

Page 392: ... then set as below Figure 11 273 Type PPTP_Connection in the Username field Type 123456789 in the Password field Under Client IP s assigned from click IP Range Click OK Figure 11 274 Figure 11 273 Configuring the PPTP Server Connection Figure 11 274 Setting Completed ...

Page 393: ...any s WAN1 IP address in the Server IP or Hostname field Click Encryption Select Port2 WAN1 for Interface Tick NAT with PPTP Client Click OK Figure 11 276 Figure 11 275 Configuring PPTP Connection Figure 11 276 Setting Completed Note 1 When the CS 2001 PPTP Client establishes a VPN connection with the CS 2001 PPTP Server NAT with PPTP Client must be selected for CS 2001 PPTP Client users to access the Inte...

Page 394: ...mpany s subnet mask 192 168 20 0 255 255 255 0 in the Local IP Netmask field Under Remote Settings select Remote IP Netmask and then enter A Company s subnet mask Move PPTP_Client_PPTP_Connection 61 11 11 11 from the Available Tunnels column to the Selected Tunnels column Click OK Figure 11 278 Figure 11 277 Configuring the Trunk Figure 11 278 Setting Completed ...

Page 395: ...low Figure 11 279 Select the defined Trunk from the VPN Trunk drop down list Click OK Figure 11 280 Figure 11 279 Configuring an Outgoing Policy Figure 11 280 Setting Completed Note 1 In this example B company s Trunk settings only need to be applied to Policy Outgoing ...

Page 396: ...395 Step 4 Setting Completed Figure 11 281 Figure 11 281 Deployment of PPTP VPN Connection ...

Page 397: ...CS 2001 Configure Port1 as LAN1 192 168 10 1 IP range 192 168 10 x 24 Configure Port2 as WAN1 61 11 11 11 and connect it to the ADSL Termination Unit Remote ATUR to access the Internet B Company uses a PC running Windows 2000 IP address 211 22 22 22 This example is to establish VPN connection by one CS 2001 device and one PC running Windows 2000 For A Company set as below ...

Page 398: ...ct if idle for enter 0 Enter the Client IP IP Range Click OK Figure 11 282 Enabling the PPTP Server Note 1 The IT administrator may enable or disable the external users to access the Internet via the CS 2001 device when they establish a VPN connection to the CS 2001 PPTP Server 2 Auto disconnect if idle for if the VPN connection is idle for the specified minutes it will be disconnected automatical...

Page 399: ...ternal user must establish the PPTP VPN connection to the CS 2001 via IPSec VPN Step 2 Go to Policy Object VPN PPTP Server click New Entry and then set as below Figure 11 283 Type PPTP_Connection in the Username field Type 123456789 in the Password field Select IP Range under Client IP s assigned from Click OK Figure 11 284 Figure 11 283 Configuring the PPTP Server Connection Figure 11 284 Setting...

Page 400: ...pe A Company s subnet mask 192 168 10 0 255 255 255 0 in the Local IP Netmask field Under Remote Settings select Remote Client Move PPTP_Server_PPTP_Connection from the Available Tunnels column to the Selected Tunnels column Tick Enable NetBIOS Broadcast over VPN Click OK Figure 11 286 Figure 11 285 Configuring the Trunk Figure 11 286 Setting Completed ...

Page 401: ...400 Note 1 If the external users want to connect to the IPSec VPN subnet the Local IP Netmask must be configured as the IPSec VPN subnet ...

Page 402: ...icy Outgoing click New Entry and then set as below Figure 11 287 Select the defined trunk from the VPN Trunk drop down list Click OK Figure 11 288 Figure 11 287 Configuring an Outgoing Policy Figure 11 288 Setting Completed ...

Page 403: ...ming click New Entry and then set as below Figure 11 289 Select the defined Trunk from the VPN Trunk drop down list Click OK Figure 11 290 Figure 11 289 Configuring an Incoming Policy with VPN Trunk Figure 11 290 Setting Completed ...

Page 404: ... click on My Network Places and then click Properties Figure 11 291 Figure 11 291 Selecting Properties on the Shortcut Menu of My Network Places Step 2 In the Network and Dial up Connections window double click Make New Connection Figure 11 292 ...

Page 405: ...404 Figure 11 292 Double Clicking on Make New Connection ...

Page 406: ...n Information window specify the country region area code and phone system accordingly and then click OK Figure 11 293 Figure 11 293 Local Information Settings Step 4 In the Phone And Modem Options window click OK Figure 11 294 ...

Page 407: ...406 Figure 11 294 Phone and Modem Options ...

Page 408: ...Figure 11 295 Figure 11 295 Network Connection Wizard Step 6 In the Network Connection Type window select Connect to a private network through the Network and then click Next Figure 11 296 Figure 11 296 Select the Connect to a private network through the Internet ...

Page 409: ...name or IP address in the blank field and then click Next Figure 11 297 Figure 11 297 Destination Address Settings Step 8 In the Connection Availability window select For all users and then click Next Figure 11 298 Figure 11 298 Connection Availability Settings ...

Page 410: ...409 Step 9 In the Completing the New Connection Wizard window type a Connection Name and then click Finish Figure 11 299 Figure 11 299 New Connection Created ...

Page 411: ...ser Name Type PPTP_Connection Password Enter 123456789 Tick Save Password Click Connect The Connecting Virtual Private Connection dialogue box appears Figure 11 301 Connection created Figure 11 302 Figure 11 300 Virtual Private Connection Window Figure 11 301 Creating a PPTP VPN Connection ...

Page 412: ...411 Figure 11 302 PPTP VPN Connection Successfully Connected ...

Page 413: ...412 Step 11 Settings completed Figure 11 303 Figure 11 303 Deployment of PPTP VPN ...

Page 414: ...413 Mail Security ...

Page 415: ...ail configuration refers to the processing basis of mail services This chapter covers the functionality and application of Settings Mail Domains Account Manager Mail Relay Mail Notice Queued Mail and Mail Signatures ...

Page 416: ...nscanned emails by adding a warning message It allows you to tag spam email s subject or virus infected emails with warning message The Subject and Content of the Mail Notice The IT administrator may configure the subject and content of the mail notice The system will send the mail notice by default if this part is left blank Go to Mail Security Configuration Settings and then set as below Storage...

Page 417: ...416 Tag virus infected emails with Virus Type the subject and the content of the mail notice Click OK Figure 12 1 ...

Page 418: ...417 Figure 12 1 Configuring the Settings of Mail Security ...

Page 419: ...zed subject and message Figure 12 2 Figure 12 2 A Notice Shows Customized Subject and Message An unscanned email is highlighted with a warning message Unscanned Figure 12 3 Figure 12 3 An Unscanned Email Shows a Warning Message ...

Page 420: ... subject tagged with warning message Figure 12 4 Figure 12 4 The Spam Mail s Subject Tagged with Spam The virus mail s subject tagged with warning message Figure 12 5 Figure 12 5 The Virus Mail s Subject Tagged with Virus ...

Page 421: ...arning Settings The email account will be added in the local mail server automatically once it is proved valid by the mail server The accounts can be imported from LDAP server Terms in Queued Mail Queued Mail Shows the status of queued mail ...

Page 422: ...Mail Domains to Filter Emails Step 1 Apply to a local ISP for several domain names planet com tw supportplanet com tw testplanet com tw and virtualplanet com tw for instance to provide mail service The mapped IP address is 172 19 100 164 ...

Page 423: ... the Domain Name field Figure 12 8 Click OK to complete the first entry Figure 12 9 12 10 Click the New Entry button again to create the second entry Type testplanet com tw in the Domain Name field Enter the mapped IP address Click OK and then modify the domain Figure 12 11 12 12 Click the New Entry button and then add a domain alias Type virtualplanet com tw in the Domain Name field Figure 12 13 ...

Page 424: ...423 Figure 12 8 Modifying the First Entry Figure 12 9 Typing the Domain Alias Figure 12 10 Settings Completed Figure 12 11 Creating the Second Entry ...

Page 425: ...424 Figure 12 12 The Second Entry Completed Figure 12 13 Modifying the Second Entry Figure 12 14 Typing the Domain Alias Figure 12 15 Settings Completed ...

Page 426: ...planet com tw will be stored in the same storage location the internal account joe will be able to retrieve them by logging in to either account The user logs in alex testplanet com tw or alex virtualplanet com tw is able to receive this mail It can be concluded that however many aliases a domain has whether emails are sent to the domain itself or any of the aliases the recipient will be able to r...

Page 427: ...01 filters any emails passing through by verifying with the mail server that the recipients account exists Select Import from LDAP server and configure the settings Click OK The CS 2001 device will firstly require the account lists from the LDAP server Step 2 Go to Mail Security Configuration Account Manager export the account list and save the file Click the Export button Click Save in the File Do...

Page 428: ...file window locate the file and then click the Open button Figure 12 16 Click the Import button In the Import Mail Account window select the file type and then click the OK button In the confirmation window click OK to complete the import Figure 12 17 Figure 12 16 Selecting the File to be Imported Figure 12 17 The Confirmation Window ...

Page 429: ...Click the Add button Enter the account information Figure 12 18 Click the OK button Figure 12 19 To remove the account select the account and then click the Remove button Click the OK button in the confirmation window Figure 12 20 Figure 12 18 Adding an Account Figure 12 19 Account Added ...

Page 430: ...ther to relay the email by verifying the account with the LDAP accounts list The MAF 1000 queries the LDAP server for the list every 30 minutes 3 The Quarantine Storage Time field under the Add New Account section is the storage time of the scanned incoming outgoing emails Under Mail Security Configuration Settings the Storage Time of Quarantined Logs under the Log Storage Time section is the stor...

Page 431: ... s and then click Enable Personal Email Viewer Click OK in the confirmation window Figure 12 21 If you do not permit the user to access the Personal Email Viewer select the account s and then click Disable Personal Email Viewer Click OK in the confirmation window Figure 12 22 Figure 12 21 Giving a User the Permission to Access Web Mail Figure 12 22 Disabling a User from Accessing Web Mail ...

Page 432: ... HTTP port 8080 or HTTPS port 1443 in the address field of a Web browser Figure 12 23 Type the account name and the password Select the mail domain from the drop down list Click the Login button The account will be authenticated with the designated mail server Figure 12 23 The Webmail Login Page ...

Page 433: ...gure user preferences during their first login Click Continue Figure 12 24 Configure the User Preferences accordingly Figure 12 25 Click Save Settings completed Figure 12 26 Click Continue Figure 12 24 The Greeting Message Shown upon First Login ...

Page 434: ...433 Figure 12 25 The User Preferences Settings Figure 12 26 User Preferences Settings Completed ...

Page 435: ...434 Step 3 Below shows the CS 2001 s user friendly web based mailbox Figure 12 27 Figure 12 27 The Web Mail User Interface ...

Page 436: ...s Click the Whitelist button under the User Preference section Click the New button Enter share2k01 yahoo com tw in the Email Address Domain Name field Select From from the Direction drop down list Click the OK button Figure 12 28 Click the New Entry button again Enter share2k01 yahoo com tw in the Email Address Domain Name field Select To from the Direction drop down list Click the OK button Figu...

Page 437: ...436 Figure 12 29 Creating the Second Entry of Whitelist Figure 12 30 Settings Completed ...

Page 438: ...ew button Type yahoo in the Email Address Domain Name field Select From from the Direction drop down list Click the OK button Figure 12 31 Click the New button again Enter yahoo in the Email Address Domain Name field Select To from the Direction drop down list Click the OK button Figure 12 32 Settings completed Figure 12 33 Figure 12 31 Creating the First Entry of Blacklist ...

Page 439: ...438 Figure 12 32 Creating the Second Entry of Blacklist Figure 12 33 Blacklist Created ...

Page 440: ...will be rated as a spam mail Step 4 When joe planet com tw sends emails to both share2k01 yahoo com tw and share2k003 yahoo com tw share2k01 yahoo com tw will receive the emails from joe planet com tw Emails sent to share2k003 yahoo com tw will be rated as spam mail Only share2k01 yahoo com tw will receive emails from joe planet com tw whereas share2k003 yahoo com tw receives none as a result of e...

Page 441: ...ermination Unit Remote ATUR to access the Internet Configure Port3 as DMZ1 Transparent Routing and connect it to the mail server IP address 61 11 11 12 Map the registered domain name supportplanet com tw used here only as an example to the mail server IP address by creating a MX record In order to relay emails to recipients in supportplanet com tw refer to the steps below to configure Step 1 Go to...

Page 442: ...Z1 If the recipient is an internal user supportplanet com tw the email will be recorded under Mail Security Mail Reports Logs Inbound SMTP after filtering If the recipient is an external user the email will be recorded under Mail Security Mail Reports Logs Outbound SMTP after filtering 2 Given that a valid internal account sends an email to the external recipient upon the activation of SMTP authent...

Page 443: ...arent Routing mode and connect it to the mail server LAN IP 172 16 1 13 mapping to the WAN IP 61 11 11 11 Map the registered domain name supportplanet com tw used here as an example only to the mail server IP address by creating a MX record In order to relay emails to third party recipients refer to the steps below to configure Step 1 Go to Mail Security Configuration Mail Domains and then set as ...

Page 444: ...ew Entry Figure 12 37 Select Sender s IP Address Type the IP Address and the Netmask Click OK Click New Entry again Figure 12 38 Select Sender s IP Address Enter the IP Address and the Netmask Click OK Figure 12 37 The First Entry of Mail Relay Figure 12 38 The Second Entry of Mail Relay ...

Page 445: ...MZ1 Transparent Routing mode and connect it to the mail server IP address 61 11 11 12 Branch s WAN Interface 211 22 22 22 Map the registered domain name supportplanet com tw used here as an example only to the mail server IP address by creating a MX record In order to relay emails from branch s employees to third party recipients via headquarters mail server refer to the steps below to configure S...

Page 446: ...445 Step 2 Go to Mail Security Configuration Mail Relay and then set as below Figure 12 40 Select Sender s IP Address Enter the IP Address and the Netmask Click OK Figure 12 40 Mail Relay Settings ...

Page 447: ...ls from the Mail Notice An Outlook Express Example Step 1 All the accounts are listed under Mail Security Configuration Mail Notice but only accounts in the Selected Accounts column will be notified Figure 12 41 Figure 12 41 Selecting Accounts to be Notified ...

Page 448: ...elect 12 00 for 4th Time Select 16 00 for 5th Time Select 20 00 for 6th Time Select HTML for Mail Type In the Send as field type an email address to appear as the notification sender To cancel the email notification for certain users choose the users from Selected Accounts and then click Remove To ensure new accounts are automatically added to the Selected Accounts column tick Add newly created ac...

Page 449: ...ignated accounts won t receive any notifications 4 IT administrators can use the Select All button or the Invert All button to select accounts from the list and then click Add or Remove to either allow or disallow them from receiving mail notices 5 If Send Mail Notice on weekends is disabled mail notices will not be issued on weekends but will be issued according to the first scheduled time on the...

Page 450: ...curity Configuration Settings and then set as below Max Lifetime of Queued Mail 4 hour When the delivery has failed the system will keep trying to resend the email to the recipient periodically within the storage time Figure 12 43 Figure 12 43 Specifying the Storage Time of an Email ...

Page 451: ...at caused failed deliveries are obtainable and the email can be resent by clicking Resend Emails in the queue will be periodically resent until the delivery is successful or the Max lifetime of Queued Mail has been exceeded To stop queued emails from delivery tick the corresponding checkboxes then click or click simply to remove them all Figure 12 44 Emails Being Processed Figure 12 45 A Failed De...

Page 452: ...ail Security Configuration Mail Signatures and then set as below Tick Add signatures to all outgoing messages Type the message to be shown in the text field Click OK to complete the settings Figure 12 46 Figure 12 46 Mail Signature Settings ...

Page 453: ...452 Step 2 Any email sent from the CS 2001 will now have the signature message appended to the body of the email for the recipient to view Figure 12 47 Figure 12 47 Email with the Mail Signatures ...

Page 454: ...ger be disturbed by large influxes of spam The Anti Spam mechanism prevents the users from wasting their time on searching for business emails amongst the spam It also lowers the risk of accidentally deleting business emails when deleting spam ...

Page 455: ... the first time Verify sender s IP with Real Time Block List Compares the sender s IP address to the blacklist on the server Enable Bayesian filtering Compares the email header to the Bayesian database Enable Sender Policy Framework SPF Checks whether the sender s IP address is identical with the one specified in the DNS SPF record Enable DomainKey Verifies the domain of an email sender and the me...

Page 456: ...und spam mail is delivered In addition you may also store the spam in the quarantine Go to Mail Security Anti Spam Settings and then set as below The threshold score to classify mail as spam is select 5 Tick Add score tag to the subject line Tick Deliver the email as normal under the Spam Actions Sending section Click OK Figure 13 2 Figure 13 2 Anti Spam Settings ...

Page 457: ...3 An Email s Subject Tagged with the Score Terms in Personal Rule Search Used for searching for individual emails Used for retrieving quarantined emails Whitelist Specifies permitted email addresses Blacklist Specifies prohibited email addresses Terms in Global Rule Rule Name The name for an inspection rule ...

Page 458: ... spam or ham Item Uses email attributes such as header body attachment name size mailcommand From and mailcommand To to examine whether an email is spam or not The email header can be subdivided into received envelope to from to Cc Bcc subject sender reply to errors to message ID date and header for spam inspection Condition When item is set to header body attachment name mailcommand From or mailc...

Page 459: ...458 joe typed as a pattern it means emails from whosever email account contained the word joe will be considered as spam or ham ...

Page 460: ...Using Importing Spam emails can be imported onto the device for training purposes to increase the inspection accuracy Ham Training Using Importing Ham emails can be imported onto the device for training purposes to increase the inspection accuracy Spam Training Using Forwarded Mail IT administrator may designate a separate email account for reporting spam emails Through the help of users spam emai...

Page 461: ... at sign indicates an account name while the other side denotes the host name or domain name For instance when sending an email from an email application a DNS query will be made to retrieve the MX record from the domain name This will return a list of host names of mail exchange servers The email will be sent to the host name with the highest preference number If no MX records could be retrieved ...

Page 462: ...s enables user to view and compose emails MTA Mail Transfer Agent Email delivery and retrieval are done by an MTA It allows users to Receive emails from other hosts As long as user has an account on the MTA then the user will be able to receive emails Send out emails If the user is authorized he or she will be able to send out emails Retrieve emails from the mail server MDA Mail Delivery Agent It d...

Page 463: ...mails dedicated to external accounts it will automatically forward them to the destination address This functionality is called Relay If a remote MTA receives emails sent from the local MTA its MDA will distribute them by the account names Receiving emails User uses MTA and MDA to check emails If there is a new email it will be moved to the inbox of the user s MUA application on the local computer...

Page 464: ... Open Relay To avoid this nowadays most mail servers preserve the Relay functionality to the local MTA Only the local MTA can utilize relay to receive emails that were specified for its internal accounts Nevertheless there is a drawback in using relay Since relay normally only allows email from certain trusted mail servers with specified IPs or segments emails from other unspecified mail servers w...

Page 465: ...Z under Transparent Mode 474 13 1 3 Deploying CS 2001 in between Gateway and Mail Server and Filtering Spam with Global Rule Mail Server Is Deployed in DMZ under Transparent Mode 486 13 1 4 Improving Bayesian Filtering Accuracy by Training Spam Filtering Ham Filtering An Outlook Express Example 500 13 1 5 Improving Bayesian Filtering Accuracy by Training Spam Filtering Ham Filtering 521 ...

Page 466: ...ng mode and connect to the mail server IP address 61 11 11 12 Step 1 To enable internal users to receive emails from an external mail server configure the setting of Preferred DNS Server in Internet Protocol TCP IP Properties on local computer Note the DNS server can be any external DNS server please decide which to use on your own Step 2 To enable external users to receive emails from internal ma...

Page 467: ...Z set as below Figure 13 4 Figure 13 4 Creating an Address Setting Corresponding to the Mail Server Step 4 Under Policy Object Service Group set as below Figure 13 5 Figure 13 5 Creating Service Groups to Include the POP3 SMTP or DNS Services ...

Page 468: ...467 Step 5 Go to Policy Outgoing and then set as below Figure 13 6 Select the defined group Mail_Service_02 from the Service drop down list Tick POP3 for Anti Spam Click OK Figure 13 7 ...

Page 469: ...468 Figure 13 6 Configuring an Outgoing Policy with Group Service and POP3 Anti Spam ...

Page 470: ...469 Figure 13 7 Policy Created ...

Page 471: ...lect the defined rule from the Destination Address drop down list Select the defined service group Mail_Service_01 from the Service drop down list Tick POP3 for Anti Spam Click OK Figure 13 9 Figure 13 8 Creating a WAN To DMZ Policy with Service and POP3 Anti Spam ...

Page 472: ...471 Figure 13 9 Policy Created ...

Page 473: ...o WAN and then set as below Figure 13 10 Select the defined group from the Source Address drop down list Select the defined service group Mail_Service_02 from the Service drop down list Tick POP3 for Anti Spam Click OK Figure 13 11 ...

Page 474: ...473 Figure 13 10 Creating a DMZ to WAN Policy with Group Service and POP3 Anti Spam ...

Page 475: ...474 Figure 13 11 Policy Created ...

Page 476: ...475 Step 8 Under Mail Security Anti Spam Settings set as below Figure 13 12 Figure 13 12 Anti Spam Filter Settings and Action Settings ...

Page 477: ...mail as normal under the Spam Actions Receiving section is selected by default and can not be disabled In addition you may tick Store the email in the quarantine to store the email in the quarantine Global Rule Whitelist or Blacklist can be used as criteria to filter spam The list of filtered spam cannot be obtained by means of Mail Notice Step 9 When receiving an email from an external mail accou...

Page 478: ...477 joe supportplanet com tw CS 2001 will filter the email for spam ...

Page 479: ... range 61 11 11 10 to 61 11 11 14 Configure Port3 as WAN2 211 22 22 22 and connect it to the ADSL Termination Unit Remote ATUR to access the Internet IP range 211 22 22 18 to 211 22 22 30 Configure Port4 as DMZ1 Transparent Routing mode and connect it to the mail server IP address 61 11 11 12 Step 1 Set up a mail server in DMZ name it as supportplanet com tw configure its IP address as 61 11 11 12...

Page 480: ...479 Step 3 Go to Policy Object Service Group and then set as below Figure 13 15 Figure 13 15 Creating Service Groups to Include POP3 SMTP and DNS Service ...

Page 481: ...s below Figure 13 16 Select the defined rule from the Destination Address drop down list Select the defined rule Mail_Service_01 from the Service drop down list Select SMTP for Anti Spam Click OK Figure 13 17 Figure 13 16 Creating a WAN to DMZ Policy ...

Page 482: ...481 Figure 13 17 Policy Created ...

Page 483: ...2 Step 5 Under Policy DMZ To WAN set as below Figure 13 18 Select the defined rule for Source Address Select the defined service Mail_Service_02 for Service Select SMTP for Anti Spam Click OK Figure 13 19 ...

Page 484: ...483 Figure 13 18 Creating a DMZ to WAN Policy ...

Page 485: ...484 Figure 13 19 Policy Created ...

Page 486: ...p 7 Go to Mail Security Anti Spam Settings and then set as below Figure 13 21 Figure 13 21 Anti Spam Settings Note 1 When Delete the email is selected Deliver the email as normal and Store the email in the quarantine will be disabled Any spam mail will be deleted directly The logs are shown under Mail Security Mail Reports Logs ...

Page 487: ...ccount field Select To for Direction Click OK Figure 13 23 Click New Entry Type joe supportplanet com tw in the Mail Account field Select From for Direction Click OK Figure 13 24 Click New Entry Type joe supportplanet com tw in the Mail Account field Select To for Direction Click OK Figure 13 25 13 26 Figure 13 22 Creating the First Entry on Whitelist Figure 13 23 Creating the Second Entry on Whit...

Page 488: ... 13 25 Creating the Fourth Entry on Whitelist Figure 13 26 Whitelist Setting Completed Note 1 Whitelist can be exported as a file for archive and editing purpose which can be used for restoring the list later on ...

Page 489: ...13 28 13 29 Figure 13 27 Creating the First Entry on Blacklist Figure 13 28 Creating the Second Entry on Blacklist Figure 13 29 Blacklist Setting Completed Note 1 Blacklist can be exported as a file for archive and editing purpose which can be used for restoring the list later on 2 The Mail Account field of both Whitelist or Blacklist can be a complete email address or a word string containing wil...

Page 490: ...re2k003 yahoo com tw only Joe will receive it Emails sent to Steve will be classified as spam and quarantined Step 11 When an internal account at supportplanet com tw sends an email to both share2k01 yahoo com tw and share2k003 yahoo com tw If the sender is joe supportplanet com tw then both of them will receive the email from Joe But if the sender is someone other than Joe steve support...

Page 491: ...Configure Port3 as WAN2 Configure Port4 as DMZ1 Transparent Routing mode and connect it to the mail server LAN IP 172 16 1 13 WAN IP 61 11 11 11 Step 1 Set up a mail server in DMZ name it as supportplanet com tw configure its IP address as 172 16 1 13 and then use an external DNS server to resolve domain names Step 2 Under Policy Object Address DMZ set as below Figure 13 30 Figure 13 30 Address Sett...

Page 492: ...491 Figure 13 31 Creating Service Groups ...

Page 493: ... below Figure 13 32 Select the defined DMZ for Destination Address Select the defined service Mail_Service_01 for Service Select SMTP for Anti Spam Click OK Figure 13 33 Figure 13 32 Creating a WAN to DMZ Policy with Service and SMTP Anti Spam ...

Page 494: ...493 Figure 13 33 Policy Completed ...

Page 495: ...4 Step 5 Under Policy DMZ To WAN set as below Figure 13 34 Select the defined DMZ for Source Address Select the defined service Mail_Service_02 for Service Select SMTP for Anti Spam Click OK Figure 13 35 ...

Page 496: ...Figure 13 34 Creating a DMZ to WAN Policy with Service and SMTP Anti Spam ...

Page 497: ...496 Figure 13 35 Policy Created ...

Page 498: ...Mail Domain Settings Step 7 Under Mail Security Configuration Mail Relay set as below Figure 13 37 Figure 13 37 Mail Relay Settings Note 1 Mail Relay relays emails that are sent to a specific domain to the destination mail server It also allows external users to send emails via internal email accounts ...

Page 499: ...der Mail Security Anti Spam Settings set as below Figure 13 38 Figure 13 38 Anti Spam Settings Note 1 An email that meets a Global Rule will be processed based on the corresponding Action setting of the Global Rule ...

Page 500: ...in the Pattern field Click Next In the second row select To for Item select Contains for Condition and then type share2k01 in the Pattern field Click Next In the Third row select From for Item select Contains for Condition and then type joe in the Pattern field Click Next In the fourth row select To for Item select Contains for Condition and then type joe in the Pattern field Figure 13 39 Click OK...

Page 501: ...00 Note 1 The Action setting of a Global Rule will be unavailable if Classification selected as Ham Non Spam It is because normal emails do not need any additional process before sending to the recipient ...

Page 502: ...ck OK Figure 13 42 Figure 13 41 Configuring the Second Global Rule Figure 13 42 Second Global Rule Completed Note 1 When Classification is set to Spam one of the following associated actions must be selected Quarantine Delete Deliver or Same as spam settings 2 The priority of spam filtering criteria from high to low is Greylist Whitelist in Personal Rule Blacklist in Personal Rule Global Rule Whit...

Page 503: ...igure 13 43 shows the header of an email To view header click to select any email in your Outlook Express then right click it and move to Properties on the shortcut menu After a window appeared click the Details tab for header information Figure 13 43 Figure 13 43 Detailed Information of an Email ...

Page 504: ...mails sent to Steve will be classified as spam and quarantined Step 12 When an internal account at supportplanet com tw sends an email to both share2k01 yahoo com tw and share2k003 yahoo com tw If the sender is joe supportplanet com tw then both of them will receive the email from Joe But if the sender is someone other than Joe steve supportplanet com tw for instance then only share2k01 will ...

Page 505: ... Express Example To train spam filtering Step 1 In Outlook Express create a new folder named Spam Mail Right click Local Folders and then select New Folder Figure 13 44 In the Create Folder window type Spam Mail in the Folder name field and then click OK Figure 13 45 Figure 13 44 Creating a New Folder ...

Page 506: ...505 Figure 13 45 Naming the Folder as Spam Mail ...

Page 507: ... move the spam to the Spam Mail folder In Inbox select all the spam right click them and then move to Move to Folder on shortcut menu Figure 13 46 Select Spam Mail folder in the Move window and then click OK Figure 13 47 Figure 13 46 Moving Spam Emails ...

Page 508: ...507 Figure 13 47 Selecting the Spam Mail Folder ...

Page 509: ...e it easier importing spam messages onto CS 2001 for spam filtering training Click the Spam Mail folder Figure 13 48 In the upper left corner click File point to Folder and then click Compact Figure 13 49 Figure 13 48 Selecting the Spam Mail Folder ...

Page 510: ...509 Figure 13 49 Compacting the Spam Mail Folder ...

Page 511: ...der to CS 2001 device for training use Right click Spam Mail folder and then click Properties on shortcut menu Figure 13 50 In the Spam Mail Properties window copy the pathname Figure 13 51 Figure 13 50 Selecting the Properties of the Spam Mail Folder ...

Page 512: ...511 Figure 13 51 Copying the Pathname of the Spam Mail Folder ...

Page 513: ...l from field Click the lower right OK to import the folder the spam filtering will be trained on schedules Figure 13 52 Figure 13 52 Importing Spam Emails for Spam Filtering Training Important 1 The file for spam filtering training can be any database file It has no limitation in file extension yet it has to be in ASCII format 2 When importing a pst file Outlook must be closed before proceeding ...

Page 514: ...been compressed and uploaded to CS 2001 they are of no use any longer In the Spam Mail folder select all emails right click them and then click Delete on shortcut menu Figure 13 53 All spam emails have been deleted Figure 13 54 Figure 13 53 Selecting All Spam Emails to Delete ...

Page 515: ...d To train ham filtering Step 7 In Outlook Express create a new folder called Ham Mail Right click Local Folders and then select New Folder Figure 13 55 In the Create Folder window type Ham Mail in the Folder name field and then click OK Figure 13 56 ...

Page 516: ...515 Figure 13 55 Creating a New Folder Figure 13 56 Naming the Folder as Ham Mail ...

Page 517: ...ve normal emails to the Ham Mail folder In Inbox select all the hams right click them and then move to Move to Folder on shortcut menu Figure 13 57 Select Ham Mail folder in the Move window and then click OK Figure 13 58 Figure 13 57 Moving Normal Emails ...

Page 518: ...517 Figure 13 58 Selecting the Ham Mail Folder ...

Page 519: ...easy of importing normal email messages onto CS 2001 for ham filtering training Click the Ham Mail folder Figure 13 59 In the upper left corner click File point to Folder and then click Compact Figure 13 60 Figure 13 59 Selecting the Ham Mail Folder ...

Page 520: ...519 Figure 13 60 Compacting the Ham Mail Folder ...

Page 521: ...er to CS 2001 device for training use Right click the Ham Mail folder and then click Properties on shortcut menu Figure 13 61 In the Ham Mail Properties window copy the pathname Figure 13 62 Figure 13 61 Selecting the Properties of the Ham Mail Folder ...

Page 522: ...521 Figure 13 62 Copying the Pathname of the Ham Mail Folder ...

Page 523: ...the Ham Training Using Importing section Paste the pathname of the Ham Mail folder to the Import ham mail from field Click lower right OK to import the folder the ham filtering will be trained on schedules Figure 13 63 Figure 13 63 Importing Normal Emails for Ham Filtering Training ...

Page 524: ...pressed and uploaded to CS 2001 they are of no use any longer In the Ham Mail folder select all normal emails right click them and then click Delete on shortcut menu Figure 13 64 All normal emails have been deleted Figure 13 65 Figure 13 64 Selecting All Normal Emails to Delete ...

Page 525: ...524 Figure 13 65 All Normal Emails Have Been Deleted ...

Page 526: ...thering spam emails Step 2 On your mail server create an email account such as ham supportplanet com tw for gathering normal emails Step 3 In Mail Security Anti Spam Training configure the Spam Training Using Forwarded Mail setting according to the relevant information of spam supportplanet com tw POP3 Server Type supportplanet com tw Enter the user name and the password Click OK ...

Page 527: ...e Ham Training Using Forwarded Mail setting according to the relevant information of ham supportplanet com tw POP3 Server Enter the user name and the password Click OK Figure 13 66 Figure 13 66 Email Accounts Used for Gathering Normal Spam Messages and Training ...

Page 528: ...ox select all spam emails right click any of the selected emails and then click Forward As Attachment on shortcut menu Figure 13 67 In the New Message window type spam supportplanet com tw in the To field type Spam in the Subject field leave out the message content and then click Send Figure 13 68 Figure 13 67 Selecting All the Spam Emails ...

Page 529: ...528 Figure 13 68 Forwarding the Selected Spam Emails as Attachment ...

Page 530: ...x select all normal emails right click any of the selected emails and then click Forward As Attachment on shortcut menu Figure 13 69 In the New Message window type ham supportplanet com tw in the To field type Ham in the Subject field leave out the message content and then click Send Figure 13 70 Figure 13 69 Selecting All the Normal Emails ...

Page 531: ...530 Figure 13 70 Forwarding the Selected Normal Emails as Attachment ...

Page 532: ...531 Step 7 CS 2001 will retrieve emails in spam supportplanet com tw and ham supportplanet com tw periodically and use them for training on schedules Figure 13 71 Figure 13 71 Training Schedule Settings ...


Page 534: ...533 Chapter 14 Anti Virus Due to its inbound and outbound email anti virus scanning capabilities CS 2001 guards against the extensive damage that virus infections can inflict on your business ...

Page 535: ...uration Settings must be configured for the CS 2001 to access the Internet SMTP Options For a virus infected email sent from a user Virus emails sent from an external user to the internal mail server or sent from internal user to external user can be deleted delivered to the recipient deliver an email notification instead or stored in the quarantine POP3 Options For a virus infected email sent to a...

Page 536: ...535 Figure 14 1 Anti Virus Settings Note 1 Three virus scanning modes available for users are ClamAV Sophos and ClamAV Sophos ...

Page 537: ... No Scenario Page 14 1 1 Filtering Out the Virus Emails on Mail Server the Virus Emails on Mail Server 536 14 1 2 Using CS 2001 as a Gateway to Filter Out Virus Emails Mail Server Is Deployed in LAN under NAT Mode 547 ...

Page 538: ...t it to the mail server IP address 61 11 11 12 Step 1 To enable internal users to receive emails from external mail server use an external DNS server to resolve domain names Please decide which external DNS server to use on your own Step 2 To enable external users to receive emails from internal mail server configure as below 1 Deploy the mail server in DMZ 2 Type 61 11 11 12 in the IP Address fiel...

Page 539: ...538 Step 4 Go to Policy Object Service Group set as below Figure 14 3 Figure 14 3 Creating Service Groups to Include the POP3 SMTP and DNS Services ...

Page 540: ...539 Step 5 Under Policy Outgoing set as below Figure 14 4 Select the defined service Mail_Service_02 for Service Select POP3 for Anti Virus Click OK Figure 14 5 ...

Page 541: ...540 Figure 14 4 Creating an Outgoing Policy with Service and POP3 Anti Virus Figure 14 5 Policy Created ...

Page 542: ... below Figure 14 6 Select the defined DMZ for Destination Address Select the defined service Mail_Service_01 for Service Select POP3 for Anti Virus Click OK Figure 14 7 Figure 14 6 Creating a WAN to DMZ Policy with Service and POP3 Anti Virus ...

Page 543: ...542 Figure 14 7 Policy Created ...

Page 544: ...43 Step 7 Under Policy DMZ To WAN set as below Figure 14 8 Select the defined DMZ for Source Address Select the defined service Mail_Service_02 for Service Select POP3 for Anti Virus Click OK Figure 14 9 ...

Page 545: ...544 Figure 14 8 Creating a DMZ to WAN Policy with Service and POP3 Anti Virus ...

Page 546: ...545 Figure 14 9 Policy Created ...

Page 547: ...546 Step 8 Go to Mail Security Anti Virus Settings and then set as below Figure 14 10 Figure 14 10 Anti Virus Settings ...

Page 548: ...nder the POP3 Options section the functionality Deliver the email to the recipient is enabled by default and can not be disabled Another alternative handling method is Store the email in the quarantine Step 9 When receiving emails from an external mail account such as js1720 ms21 pchome com tw CS 2001 will scan emails for viruses Step 10 When an external user receiving emails from an internal acco...

Page 549: ...Unit Remote ATUR to access the Internet IP range 61 11 11 10 to 61 11 11 14 Configure Port3 as WAN2 211 22 22 22 and connect it to the ADSL Termination Unit Remote ATUR to access the Internet IP range 211 22 22 18 to 211 22 22 30 Configure Port4 as DMZ1 Step 1 Setup a mail server in LAN name it as supportplanet com tw configure its IP address as 192 168 2 12 and then use an external DNS server to ...

Page 550: ...549 Figure 14 13 Creating Service Groups to Include POP3 SMTP and DNS Service Step 4 Under Policy Object Virtual Server Port Mapping set as below Figure 14 14 Figure 14 14 Port Mapping Settings ...

Page 551: ...Figure 14 15 Select the defined virtual server for Destination Address Select the defined service Mail_Service_01 for Service Select SMTP for Anti Virus Click OK Figure 14 16 Figure 14 15 Creating an Incoming Policy with Service and SMTP Anti Virus ...

Page 552: ...551 Figure 14 16 Policy Completed ...

Page 553: ...tep 6 Under Policy Outgoing set as below Figure 14 17 Select the defined LAN address for Source Address Select the defined service Mail_Service_02 for Service Select SMTP for Anti Virus Click OK Figure 14 18 ...

Page 554: ...Figure 14 17 Creating an Outgoing Policy with Service and SMTP Anti Virus ...

Page 555: ...554 Figure 14 18 Settings Completed ...

Page 556: ...rus Settings and then set as below Figure 14 20 Figure 14 20 Anti Virus Settings Note 1 When Delete the virus mail is selected virus infected emails will be deleted immediately upon detection Other options Deliver the email to the recipient and Store the email in the quarantine will be unavailable for selection Logs are shown under Mail Security Mail Reports Logs ...

Page 557: ...stored in the quarantine The regular mail from share2k003 yahoo com tw will be sent to joe supportplanet com tw Step 10 When Joe an internal user at supportplanet com tw sends emails to the recipients at yahoo com tw The virus mail sent to share2k01 yahoo com tw will be stored in the quarantine The regular mail sent to share2k003 yahoo com tw will be sent to the recipient ...

Page 558: ...557 Chapter 15 Mail Reports CS 2001 provides you with email reports in the form of statistics and logs presenting you with a thorough insight into the email activities of the business ...

Page 559: ...ing of Periodic Report and then select Yearly report Monthly report Weekly report and Daily report Click OK Figure 15 1 The designated recipient will receive the reports on schedules Figure 15 2 Under the History Report Scheduling Settings tick a desired period and specify a date for it Click Mail Report The designated recipients will receive reports on schedules Note 1 Periodic report schedule Ye...

Page 560: ...559 Figure 15 2 Periodical Report Sent as an Attachment ...

Page 561: ...h icon and then set as below Enable the searching duration and then specify a period of time Type the keyword in the Recipient field Select All for Attachment Select All for Attribute Select All processes for Process Click Search Figure 15 3 To store the searching results in the local computer click the Download Report button To export the searched emails click the Export Mail button ...

Page 562: ...cific Log Note 1 How to open an mbx file exported from quarantined or archived emails on your local computer Convert the mbx file into an eml file with an mbx2eml application e g IMAPSize and then run Outlook Express to open the eml file ...

Page 563: ...ick it Figure 15 26 In the mbox2eml window click the Select mbox files to convert button locate the mbx file click Open and then click Convert to start converting the file into an eml file Figure 15 27 15 28 15 29 Run Outlook Express to open the eml file Figure 15 30 ...

Page 564: ...563 Figure 15 26 Navigating to Tools Mbox2eml on the Menu Bar Figure 15 27 Locating the mbx File to be Converted ...

Page 565: ...564 Figure 15 28 Converting the mbx File into an eml File Figure 15 29 File Conversion Completed ...

Page 566: ...565 Figure 15 30 Clicking and Dragging the eml File into Outlook Express to Open It ...

Page 567: ...s Statistics shows a comprehensive statistical report Step 2 In the upper left corner click Day for a daily statistics report click Week for a weekly statistics report click Month for a monthly statistics report click Year for an annual statistics report ...

Page 568: ...567 15 2 Logs Step 1 Under Mail Security Mail Reports Logs it shows how emails are processed ...

Page 569: ...568 The symbols used in Logs Attribute Symbol Description Regular Spam Virus Unscanned Process Symbol Description Deleted Notified Delivered Stored Retrieved Attachment ...

Page 570: ...569 Web Filter ...

Page 571: ... IT administrator may enter the complete URL or a URL in combination with a wildcard Category The IT administrator may block websites based upon their classification This feature requires activation please contact your distributor for pricing details File Extensions To block the specific file extensions downloaded or uploaded via HTTP or FTP MIME Script To block the access to Window Popup Microsof...

Page 572: ...rowser can display a customizable notification message Storage Lifetime of Logs Provides a setting to specify the storage time required to keep the URL Blocking logs The logs may be stored in the designated remote storage device HTTP FTP Virus Scanning The HTTP FTP file size that is less than the defined value will be scanned Go to Web Filter Configuration Settings and then set as below Browse the...

Page 573: ...572 Figure 16 1 Web Filter Settings Note 1 Before enabling syslog please configure the syslog setting under System Configuration Settings ...

Page 574: ...er tries to access the blocked web page Figure 16 2 Figure 16 2 The Alert Message Terms in Whitelist Name The name of the Whitelist URL Specifies permitted URLs The asterisk character allows any website Terms in Blacklist Name The name of the Blacklist ...

Page 575: ...ng specific management Note 1 The checking procedure performed on each website is in the following order Whitelist Blacklist Category Group Terms in Extension Name The name of the Extension Predefined File Extensions Select All Blocking the file with the default extension of attachment transferred via HTTP or FTP protocol Custom File Extensions Select All Blocking the file with the defined extensi...

Page 576: ...ary content and text in character sets other than ASCII In addition it is also used for communication protocols like HTTP MIME defines the format of e mail Content Type the header indicates the type of the message content consisting of type and subtype Type Text Format the text message Multipart Combine different type messages into one Application Transfer application or binary content Message ...

Page 577: ...mpeg application octet stream application pdf application msword Important 1 To apply the Whitelist Blacklist Category File Extensions and MIME Script to the Policy those rules need to be added in the Group first ...

Page 578: ...ng User s Access to Specific Websites Using Blacklist and Whitelist 577 16 1 2 Category File Extensions MIME Script Group Regulating User s access to Specific Website Downloading or Uploading Specific File Extension via HTTP or FTP or the Access to Specific MIME Types Script Types 583 ...

Page 579: ...e name in the Name field In the URL field type the keyword of the URL such as yahoo Click OK Figure 16 3 Click New Entry again Type the name in the Name field In the URL field type the keyword of URL such as google Click OK Figure 16 4 16 5 Figure 16 3 Configuring the First Rule of Whitelist Figure 16 4 Configuring the Second Rule of Whitelist Figure 16 5 The Whitelist Completed ...

Page 580: ...o Web Filter Configuration Blacklist and then set as below Figure 16 6 Type the name in the Name field In the URL field enter Click OK Figure 16 7 Figure 16 6 Configuring Blacklist Figure 16 7 The Blacklist Completed Note 1 Blacklist can be exported as a file for storage which can be used for restoring the list later on ...

Page 581: ...and then set as below Figure 16 8 Type the name in the Name field Move the Whitelist from the Available Whitelists column to the Selected Whitelists column Move the Blacklist from the Available Blacklists column to the Selected Blacklists column Click OK Figure 16 9 ...

Page 582: ...581 Figure 16 8 Group Settings for URL Blocking ...

Page 583: ...582 Figure 16 9 The Completed Group Settings ...

Page 584: ...w Figure 16 10 Select the defined group from the Web Filter drop down list Click OK Figure 16 11 By applying this policy only websites containing yahoo or google in the domain name will be permitted Figure 16 10 Policy Setting for URL Blocking Figure 16 11 Policy Created ...
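The whitelist-then-blacklist outcome described in this walkthrough can be checked offline with a small model. This is an added example, not code from the manual or the CS-2001 firmware; it assumes keyword entries match as substrings of the host name, that an entry containing `*` is a wildcard pattern, and that the blacklist entry (whose value is not shown on this page) is a catch-all `*`. The rule names and sample URLs are constructed.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed rule sets mirroring the walkthrough: two whitelist keywords and
# one blacklist entry. The blacklist value "*" is an assumption; the page does
# not show what was typed in the blacklist URL field.
WHITELIST = [("allow_yahoo", "yahoo"), ("allow_google", "google")]
BLACKLIST = [("block_all", "*")]


def host_of(url):
    """Return the lower-cased host name of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def entry_matches(entry, host):
    """Assumed matching model: '*' entries are wildcard patterns, others are keywords."""
    entry = entry.lower()
    if "*" in entry:
        return fnmatchcase(host, entry)
    return entry in host


def evaluate(url, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Apply the documented checking order: Whitelist first, then Blacklist.

    Returns (decision, rule_name). Category and Group checks come later in the
    device's order and are not modelled; a URL matching neither list returns
    ("permit", None) here.
    """
    host = host_of(url)
    for name, entry in whitelist:
        if entry_matches(entry, host):
            return ("permit", name)
    for name, entry in blacklist:
        if entry_matches(entry, host):
            return ("block", name)
    return ("permit", None)


def audit(urls, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Evaluate a batch of URLs so a rule set can be reviewed before deployment."""
    return {url: evaluate(url, whitelist, blacklist) for url in urls}


# Constructed sample URLs for review.
SAMPLE_URLS = [
    "http://www.yahoo.com/",
    "https://mail.google.com/mail",
    "http://www.planet.com.tw/",
    # Keyword whitelists are broad: any host containing the keyword is
    # permitted, including hosts unrelated to the intended site.
    "http://yahoo.lookalike.example/",
    # The keyword appears only in the query string, not in the host name.
    "http://www.example.org/?q=yahoo",
]

if __name__ == "__main__":
    for url, (decision, rule) in audit(SAMPLE_URLS).items():
        print(f"{decision:7} {rule or '-':13} {url}")
```

Under this model a keyword whitelist entry permits every host that contains the keyword, so a complete URL in the whitelist narrows the policy where that matters.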

Page 585: ...ccess to Specific MIME Types Script Types Step 1 Go to Web Filter Configuration Category click New Entry and then set as below Figure 16 12 Type the name in the Name field Select the category such as Anti Social and Illegal Pornographic and Abusive Gaming and Gambling Click OK Figure 16 13 Figure 16 12 Category Blocking Settings ...

Page 586: ...585 Figure 16 13 The Completed Category Settings ...

Page 587: ...ect All types of file extensions Click OK Figure 16 15 Figure 16 14 Blocking the Specific File Extension Figure 16 15 Setting Completed Note 1 Under Web Filter Configuration File Extensions the user may add the extension to be blocked Click Modify and then click New Entry Figure 16 16 Type the extension in the field Click OK Figure 16 17 16 18 ...

Page 588: ...587 Figure 16 16 Adding a New Extension Figure 16 17 Typing a New Extension Figure 16 18 File Extension Added ...

Page 589: ...ions section tick Window Popup Microsoft ActiveX Java Applet and Web Cookie Move the MIME type from the Available MIME Types column to the Selected MIME Types column Click OK Figure 16 20 Figure 16 19 Configuring the MIME Script Figure 16 20 MIME Script Setting Completed Note 1 Under Web Filter Configuration MIME Script users may configure the MIME Type to be blocked ...

Page 590: ...ick Modify and then click Add Figure 16 21 Enter the MIME Types in the field Click OK Figure 16 22 16 23 Figure 16 21 Configuring the MIME Type Figure 16 22 Adding the MIME Types Figure 16 23 MIME Type Added ...

Page 591: ...gure 16 24 Type the name in the Name field Select the defined category from the Category drop down list Select the defined rule from the Upload Blocking drop down list and the Download Blocking drop down list Select the defined rule from the MIME Script drop down list Click OK Figure 16 25 ...

Page 592: ...591 Figure 16 24 Configuring the URL Group ...

Page 593: ...592 Figure 16 25 Setting Completed ...

Page 594: ...o Policy Outgoing click New Entry and then set as below Figure 16 26 Select the defined group from the Web Filter drop down list Click OK Figure 16 27 Figure 16 26 Configuring the Policy Figure 16 27 Policy Completed ...

Page 595: ...594 Chapter 17 Reports Reports provides the IT administrator with detailed statistics and logs regarding the websites accessed by users ...

Page 596: ...ngs under Web Filter Reports Settings Under the Periodic Report section tick Enable the mailing of Periodic Report and then select Yearly report Monthly report Weekly report and Daily report Click OK Figure 17 1 The recipient will receive the reports based upon the schedule Figure 17 2 Note 1 Schedule for periodic report Yearly report is produced at 00 00 hours on January 1st of every year Monthly...

Page 597: ...596 Figure 17 2 A Daily Report Sent through an Email Message ...

Page 598: ...ailable searching criteria are time source IP address website file rule and action MIME Script Available searching criteria are time source IP address website rule and action Go to Web Filter Reports Logs click the Search icon to start a search Enable the searching duration and specify a period of time to search within Select All for Category Select All for Status Click Search Figure 17 3 Click Do...

Page 599: ...orts can be sorted by the time source IP website class or action 2 Under Web Filter Reports Logs the download and the upload report can be sorted by the time source IP website class and action 3 Under Web Filter Reports Logs the MIME Script report can be sorted by time source IP website rule and action ...

Page 600: ...charts derived from daily statistics click on Week for bar charts derived from weekly statistics click on Month for bar charts derived from monthly statistics click on Year for bar charts derived from yearly statistics Step 3 You can see the reports of the specific date by selecting the date from the Date drop down list or you can see the reports organized by the specific type by selecting the type from...

Page 601: ...600 Step 4 The statistics report is shown below Figure 17 15 The Y axis indicates the number of scanned URLs The X axis indicates the time ...

Page 603: ...602 Figure 17 15 Statistics Report ...

Page 604: ...603 17 2 Logs Step 1 Under Web Filter Reports Logs the URL blocking logs are shown Figure 17 16 Figure 17 16 URL Blocking Logs ...

Page 605: ...604 IDP ...

Page 606: ...hapter 18 Configuration In order to protect your network from various security threats the device produces timely alerts and blocking mechanisms based upon anomaly flows and the inspection of packet contents ...

Page 607: ...ck on Test Connection to check the connection to the designated IDP definition server 2 Once the Proxy Server is deployed the proxy settings under System Configuration Settings must be configured for the CS 2001 to access the Internet IDP Logging Setting Configures the storage time of the IDP logs and deletes the logs when the time is expired Store the IDP logs in the remote server Go to System Co...

Page 608: ... 60 in the Storage Lifetime field Click OK Figure 18 1 Figure 18 1 IDP Settings Note 1 To enable Syslog the IT administrator must configure the Syslog Message Settings under System Configuration Settings first ...

Page 609: ...administrator will receive both an email notification and a NetBIOS Notification Also a corresponding log will be available under IDP IDP Reports Logs Figure 18 2 18 3 Figure 18 2 An Email Notification Figure 18 3 A NetBIOS Notification ...

Page 610: ...609 Note 1 The IDP log is generated upon the Log setting under IDP Signatures Anomaly Pre defined Custom ...

Page 611: ...he device ensures that legitimate network traffic remains secure and undisturbed To deal with different forms of attacks three types of signatures are provided Anomaly Detects suspicious packets and anomaly flows based upon definitions from the latest signature file version Pre defined Detects suspicious packets and anomaly flows based upon pre defined definitions from the latest signature file ve...

Page 612: ...es are syn flood udp flood icmp flood portscan and http inspect Figure 19 1 You may specify the action taken upon the detection of an anomaly flow Available actions are Pass Drop and Reject Available alerts are Log and Alert Figure 19 1 Anomaly Settings ...

Page 613: ...c MySQL NetBIOS NNTP Oracle Policy POP2 POP3 Porn RPC Rservices Scan Shellcode SMTP SNMP Spyware SQL Telnet TFTP Web CGI Web Client Web Coldfusion Web Frontpage Web IIS Web Misc Web PHP X11 and other Figure 19 2 You may specify the action taken upon the detection of an anomaly flow Available actions are Pass Drop Reject Log and Alert ...

Page 614: ...613 Figure 19 2 Pre Defined Settings ...

Page 615: ...are processed according to the Default Settings for Each Risk Level settings under IDP Configuration Settings However after the settings under IDP Configuration Settings the user may go to IDP Signatures Pre defined to modify the process of each signature individually ...

Page 616: ...estination IP Netmask The IP address of the victim Destination Port The port number of the victim Range 0 65535 Risk Level Define the risk level Process Determines the action to take against hostile packets Action Generates the logs and sends the alert to the IT administrator Option Determines the detection according to the packet s direction Determines the detection according to the packet s text...

Page 617: ...xample 19 1 1 Adopting Packets Inspection along with Custom and Pre Defined Signatures to Detect and Prevent the Intrusion Step 1 Under IDP Configuration Settings set as below Figure 19 3 Figure 19 3 IDP Settings ...

Page 618: ...617 Step 2 Go to IDP Signatures Anomaly and then set as below Figure 19 4 Enable the signatures and configure the settings Click OK Figure 19 4 Anomaly Settings ...

Page 619: ...618 Step 3 Under IDP Signatures Pre defined set as below Figure 19 5 Select the signatures Click OK Figure 19 5 Pre Defined Settings ...

Page 620: ...n Protocol Type the Source Port No Type the Destination Port No Select High for Risk Level Select Drop for Process Tick Log and Alert for Action Tick Ignore Packet direction and Ignore letter case for Advanced Options Type the content pattern in the field Click OK Figure 19 7 Figure 19 6 Custom Signature Settings Figure 19 7 Custom Signature Completed ...

Page 621: ...t Pattern field or convert it to hexadecimal ASCII code and then paste it into the field E g the word cracks can also be converted to 63 72 61 63 6b 73 Step 5 Go to Policy Outgoing and set as below Figure 19 8 Select Enabled for IDP Click OK Figure 19 9 ...

Page 622: ...621 Figure 19 8 Applying the IDP to the Policy ...

Page 623: ...622 Figure 19 9 Policy Created ...

Page 624: ...623 Chapter 20 IDP Report CS 2001 provides you with a comprehensive IDP report in both statistics and logs With these you can get a clear view of the network security status ...

Page 625: ...igure the settings under IDP IDP Report Settings as below Tick Enable the mailing of Periodic Report and then select Yearly report Monthly report Weekly report and Daily Report Click OK Figure 20 1 The recipient will receive the reports based on the schedule Figure 20 2 Note 1 Schedule for periodic report Yearly report is produced once a year at 00 00 hours on January 1 Monthly report is produced ...

Page 626: ...625 Figure 20 2 Periodic Report Received ...

Page 627: ...P IDP Reports Logs click the Search icon and then set as below Enable searching duration and specify a period of time Type a keyword from the attack event in the Event field Select All for Interface Select All for Risk Level Click Search Note 1 Logs IDP IDP Reports Logs can be sorted by Time Event Interface Attacker IP Victim IP or Action ...

Page 628: ... IDP Reports Statistics to view a full scale IDP report in statistics Step 2 In the upper left corner click Day to see the daily statistics report click Week to see the weekly statistics report click Month to see the monthly statistics report click Year to see the yearly statistics report ...

Page 629: ...628 20 2 Logs Under IDP IDP Reports Logs it shows the IDP status Note 1 The symbol used in Logs Process Symbol Description Allow Drop Reject Risk Level Symbol Description High Risk Medium Risk Low Risk ...

Page 630: ...629 Web VPN SSL VPN ...

Page 631: ... days the demand for secure remote connections is increasing To meet this demand SSL VPN provides the best solution By using SSL VPN from a standard browser clients can transfer data securely through its SSL security protocol without the need to install any software or hardware ...

Page 632: ... The DES encryption key is 56 bits long whereas AES keys can be 128 192 or 256 bits long Terms in Settings Web VPN SSL VPN Client Configuration Configures the Protocol Client IP address range Encryption algorithm Server port Assigns DNS server addresses to clients or WINS server addresses to client Set subnet of server that can be accessed by the client user Note 1 The SSL VPN IP address r...

Page 633: ...632 Hardware Auth The IT administrator may enable the PCs listed under Web VPN SSL VPN Hardware Auth by adding them to the Selected Hardware column under Web VPN SSL VPN Settings ...

Page 634: ...and password Once the IT administrator has moved the user to the Accepted User list located under Web VPN SSL VPN Hardware Auth any subsequent SSL VPN connection attempts will authenticate the user based on their hardware and not by a username and password Terms in Status Auth Name The authentication name of the client user Computer Name The computer name of the client user Real IP The real IP of ...

Page 635: ...nnection settings for External Clients Step 1 Go to Interface WAN activate the HTTPS function Figure 21 2 Figure 21 2 WAN Interface Step 2 Go to Policy Object Authentication Account Group and then set as below Figure 21 3 21 4 Figure 21 3 User Entries ...

Page 636: ...635 Figure 21 4 User Group Entries ...

Page 637: ... Client IP address netmask Select the Encryption Algorithm and the Communication Protocol Enter the Server Port No Configure the Available Subnets Click OK Figure 21 6 Click New Entry Figure 21 7 Type the name in the Name field Select the authentication account group from the drop down list Click OK Figure 21 8 Figure 21 5 Web VPN SSL VPN Settings ...

Page 638: ...637 Figure 21 6 Web VPN SSL VPN Setting Completed ...

Page 639: ...638 Figure 21 7 Web VPN SSL VPN Authentication Settings Figure 21 8 Web VPN SSL VPN Authentication Completed ...

Page 640: ...Incoming and then set as below Figure 21 9 Select the defined Web VPN SSL VPN from the VPN Trunk drop down list Click OK Figure 21 10 Figure 21 9 Configuring an Incoming Policy with Web VPN SSL VPN Figure 21 10 Policy Created ...

Page 641: ...11 11 sslvpn or https 61 11 11 11 webvpn Click Yes in the Security Alert window Figure 21 11 Click Yes in the Warning Security window Figure 21 12 Click Yes in the Warning Security window again Figure 21 13 Select the language and then enter the username and the password Figure 21 14 Click OK Figure 21 15 21 16 Figure 21 11 Security Alert Window ...

Page 642: ...641 Figure 21 12 Warning Security Window ...

Page 643: ...642 Figure 21 13 Warning Security Window Figure 21 14 The Authentication Window Figure 21 15 Web VPN SSL VPN Connection ...

Page 644: ...643 Figure 21 16 Web VPN SSL VPN Connection Established ...

Page 645: ...s the connection status Figure 21 17 Figure 21 17 Web VPN SSL VPN Connection Status Step 7 Under Web VPN SSL VPN Hardware Auth it displays the connection status between the CS 2001 and the users Figure 21 18 Figure 21 18 The Authentication User List ...

Page 646: ...N SSL VPN Settings and then set as below Figure 21 19 Click Modify Move the hardware from the Available Hardware column to the Selected Hardware column Click OK Figure 21 20 Figure 21 19 Configuring Authentication User Group ...

Page 647: ...646 Figure 21 20 Setting Completed Step 9 When a user establishes an SSL VPN connection through the CS 2001 their hardware can be directly authenticated without the need for a username and password ...

Page 648: ...the device will perform the following If the user s hardware information is added under Web VPN SSL VPN Settings the user will be able to establish an SSL VPN connection If the user s hardware information is not added under Web VPN SSL VPN Settings then the user will not be able to establish an SSL VPN connection 3 If hardware authentication is disabled then the user will need to authenticate using ...

Page 649: ...648 Figure 21 22 Installing Java Runtime Environment Plug in ...

Page 650: ...649 Policy ...

Page 651: ...cessed by configuring these items The IT administrator can customize the policy based on the source address source port destination address and destination port of a packet According to the attribute of a packet the policy setting is categorized into Outgoing The packet is from the LAN and heading to the WAN The IT administrator can customize the policy for outgoing packets Incoming The packet is ...

Page 652: ...ckets DMZ to DMZ The packet is from the DMZ and heading to the DMZ IT administrators can customize the policy for DMZ to DMZ packets Note 1 CS 2001 only processes packets accepted from the policy Therefore wherever the connection is made regardless of the network type LAN WAN or DMZ there must be policies respectively configured for these networks 2 CS 2001 adopts VPN trunk in policy to manage the...

Page 653: ...ee the table below Symbol Meaning Description Schedule Activated as per the configured scheduled time Authentication User Authentication user activated Traffic Log Traffic log activated Statistics Statistics activated IDP IDP activated Content Content Blocking activated Application Blocking Application blocking activated Anti Virus Anti Spam Mail Archiving Auditing Anti Virus Anti Spam Mail Archiv...

Page 654: ...653 VPN Trunk This is where you apply the policy to regulate the session packets of IPSec or PPTP VPN ...

Page 655: ...sions managed by the policy such as Protocol Port Source IP Destination IP etc To see the logs click the Log icon Statistics When enabled there will be a chart drawn from the statistics of traffic flow Web Filter It can restrict the use of HTTP or FTP protocol Application Blocking It can block the use of Instant Messenger Peer to Peer Sharing Video Audio Application Webmail Game Application Tunnel...

Page 656: ...ax Bandwidth per Source IP can ensure that every LAN user accesses bandwidth fairly Max Concurrent Sessions Per It determines the maximum number of concurrent sessions of each IP address If the amount of sessions exceeds the set value new sessions will not be created Max Concurrent Sessions It determines the maximum number of concurrent sessions of a policy If the amount of sessions exceeds the se...

Page 657: ...Network Interface the NAT selection for Connection Type is used for transferring all the WAN packets s IP address The NAT selection for Connection Type under Policy is used for transferring the IP on the specific subnet Pause When modifications are required on existing settings such as Address and QoS you may temporarily disable the policy so as to modify the policy Priority When accessing packets...

Page 658: ...licy to Limit the Bandwidth Daily Total Traffic Amount and Maximum Concurrent Sessions of an Incoming Session to a FTP Server A NAT Mode Example 676 22 1 6 WAN to DMZ DMZ to WAN LAN to DMZ Creating a Policy to Enable LAN WAN Users to Have Email Access A Transparent Mode Example 679 Prerequisite Setup Configure Port1 as LAN1 192 168 1 1 NAT Routing mode and connect it to the LAN which is using 192 ...

Page 659: ...ernet Access of LAN Users Step 1 Go to Policy Outgoing and then set as below Figure 22 1 Enable the Packet Logging Enable the Traffic Grapher Click OK Figure 22 2 Figure 22 1 Enabling Packet Logging and Traffic Grapher Figure 22 2 Setting Completed ...

Page 660: ...resh interval from the drop down list to obtain the up to date session information Click any Source IP or Destination IP for sessions accessed through the IP address that you click on For details of all sessions accessed through CS 2001 go to Monitoring Logs Traffic on the main menu Figure 22 4 Figure 22 3 Traffic Log Filtered Screen ...

Page 661: ...660 Figure 22 4 Traffic Shown in Log Screen ...

Page 662: ...661 Step 3 Under Monitoring Traffic Grapher Policy Based Traffic the traffic flow is displayed in graphics giving you an instant insight of traffic status Figure 22 5 ...

Page 664: ...663 Figure 22 5 Statistics Screen ...

Page 665: ...ific Web Sites Step 1 Go to Web Filter Configuration Whitelist Blacklist File Extensions MIME Script Group and then set as below Figure 22 6 22 7 22 8 22 9 22 10 Figure 22 6 Whitelist Settings Figure 22 7 Blacklist Settings Figure 22 8 File Extensions Settings ...

Page 666: ...665 Figure 22 9 MIME Script Settings Figure 22 10 Group Settings ...

Page 667: ...s below Figure 22 11 22 12 Figure 22 11 Application Blocking Settings Figure 22 12 Setting Completed Note 1 Script blocking is used for blocking certain functional features of a web site such as Java cookie and so on One of the examples using these is stock exchange web sites ...

Page 668: ... 2 Application Blocking is used for blocking Instant Messenger Peer to Peer Application Video Audio Application Webmail Game Application Tunnel Application Remote Control Application and other application ...

Page 669: ...668 Step 3 Go to Policy Object Address WAN WAN Group and then set as below Figure 22 13 22 14 Figure 22 13 WAN Interface Setting Figure 22 14 WAN Group Setting ...

Page 670: ...4 Go to Policy Outgoing and then set as below Figure 22 15 Select the defined group from the Destination Address field Select Deny All for Action Click OK Figure 22 15 Creating an Outgoing Policy to Deny Access ...

Page 671: ... Application Blocking drop down list Click OK Figure 22 17 Figure 22 16 Applying Application Blocking to the Policy Figure 22 17 Policy Created Note 1 The Deny ALL feature of a policy can block the packets that meet the criteria The IT administrator can adjust the order of this policy to the first rank so as to stop LAN users from accessing specific IP address ...

Page 672: ...22 18 Figure 22 18 Schedule Settings Step 2 Go to Policy Object Authentication Account Group and then set as below Figure 22 19 Figure 22 19 Authentication Setting Step 3 Go to Policy Outgoing and then set as below Figure 22 20 Select the defined group from the Authentication drop down list Select the defined rule from the Schedule drop down list Click OK Figure 22 21 ...

Page 673: ...672 Figure 22 20 Applying the Schedule and Authentication to the Policy Figure 22 21 Policy Completed ...

Page 674: ... Control a LAN PC with Remote Control Software pcAnywhere Step 1 Set up a computer to be remotely controlled its IP address is 192 168 1 2 Step 2 Under Policy Object Virtual Server Port Mapping set as below Figure 22 22 Figure 22 22 Virtual Server Settings ...

Page 675: ...Figure 22 23 Select the defined Virtual Server for Destination Address Select PC Anywhere 5629 5632 for Service Click OK Figure 22 24 Figure 22 23 Creating an Incoming Policy to Enable LAN PC to be Remotely Controlled Figure 22 24 Policy Completed ...

Page 676: ...3 2 The DMZ subnet addresses range from 192 168 3 1 24 Step 2 Under Policy Object Virtual Server Port Mapping set as below Figure 22 25 Figure 22 25 Virtual Server Settings Note 1 To avoid exposing your networks to hackers it is strongly recommended not to select ANY for Service when configuring an incoming policy or WAN to DMZ policy Step 3 Go to Policy Object QoS Settings and then set as below F...

Page 677: ...m the Destination Address drop down list Select FTP 18 21 from the Service drop down list Select the defined rule from the QoS drop down list Enter 100 in the Max Concurrent Sessions field Type 100000 in the Traffic Quota Per Day field Click OK Figure 22 28 Figure 22 27 Creating a WAN to DMZ Policy ...

Page 678: ...677 Figure 22 28 A WAN to DMZ Policy Created ...

Page 679: ... in DMZ Next point it to the external DNS server and then set its IP address to 61 11 11 12 Step 2 Under Policy Object Address DMZ set as below Figure 22 29 Figure 22 29 Mail Server Settings in Address Step 3 Under Policy Object Service Group set as below Figure 22 30 Figure 22 30 A Group Service with DNS POP3 and SMTP Services ...

Page 680: ...lect the defined DMZ rule for Destination Address Select the defined service for Service Click OK Figure 22 32 Figure 22 31 A WAN to DMZ Policy for Granting Email Access to WAN Users Figure 22 32 A WAN to DMZ Policy for Granting Email Access to WAN Users Completed ...

Page 681: ...elect the defined DMZ entry for Destination Address Select the defined service for Service Click OK Figure 22 34 Figure 22 33 A LAN to DMZ Policy for Granting Email Access to LAN User Figure 22 34 A LAN to DMZ Policy for Granting Email Access to LAN User Completed ...

Page 682: ...2 35 Select the defined rule for Source Address Select the defined rule for Service Click OK Figure 22 36 Figure 22 35 A DMZ to WAN Policy for Granting Email Access to WAN User Figure 22 36 A DMZ to WAN Policy for Granting Email Access to WAN User Completed ...

Page 683: ...682 Anomaly Flow IP ...

Page 684: ... an anomaly traffic flow is detected CS 2001 will take action to block the flow of packets This protection ensures that the network remains operational and consequently the business s revenue generating opportunities are left undisturbed ...

Page 685: ...oS Attacks Step 1 Go to System Configuration Settings and then configure the settings under the Email Notification Settings section Step 2 Go to System Configuration SNMP and then configure the settings under the SNMP Trap Settings section Figure 23 1 Figure 23 1 SNMP Trap Settings ...

Page 686: ...lt value is 60 Tick Enable E Mail Alert Notification Tick Enable SNMP trap alerts Tick Enable NetBIOS notification and then type the Administrator s IP Address Click OK Figure 23 2 Anomaly Flow IP Setting Note 1 Detection Excluded IP can be used for excluding specific IPs from detection 2 Users whose PCs emit anomaly traffic flows can receive a customizable message in their browser to alert them ab...

Page 687: ...tBIOS broadcast to both the victim user and IT administrator to warn about the attack Figure 23 3 Figure 23 3 Virus Infected IP Addresses Step 5 If running SNMP Trap Watcher you will be informed of an anomaly flow or attack if any as long as SNMP trap alerts is enabled in System Configuration SNMP Figure 23 7 Figure 23 7 Alerts Received by the SNMP Client Software ...

Page 688: ...rus CS 2001 limits virus infected users bandwidth to a minimum in order to oblige users to take action to remove the virus Note The alert message appears to virus infected users only the first time they open a web browser after the infection Figure 23 8 Figure 23 8 An Alert Message Shown to a Virus Infected User ...

Page 689: ...688 Advance ...

Page 690: ...s uninterrupted access for external users to the company s servers If one WAN link fails incoming traffic will be redirected to another WAN link In addition inbound flows can be distributed to each port according to the regulated weighting and priority of each port ensuring the quality of the connection ...

Page 691: ...ress 66 218 71 84 But with the help of a DNS server acting as an intermediary the website address is mapped to the IP address Enable DNS Zone Allows users to activate DNS for inbound balancing Figure 24 1 Figure 24 1 Inbound Balancing DNS Settings DNS Zone Configuration Register nu net tw used here as an example only as the domain name Supposing the following IP address range were applied for 61 1...

Page 692: ...ss host23 nu net tw A 61 11 11 14 host5 nu net tw CNAME host23 nu net tw Table 24 2 Domain Name CNAME Mapping Table The table above indicates that host5 nu net tw alias is mapping to host23 nu net tw domain name Thus ping host5 nu net tw and then you ll get the result of 61 11 11 14 Mail eXchanger MX MX also known as Mail eXchanger is a type of DNS record especially designed for mail services Tabl...

Page 693: ... is required to be replaced then simply by changing the DNS MX record will allow the mail service to remain in operation When an email is received from a different domain the mail server will check if the sender s mail server IP is on the SPF list or not AAAA IPv6 Like IPv4 A Address AAAA IPv6 is used for mapping up IP addresses and domain names IPv6 is designed to succeed IPv4 It has a larger add...

Page 694: ...693 pointer records of the reverse database this IP address is stored as the domain name 12 11 11 61 in addr arpa pointing back to its designated hostname ...

Page 695: ...r DNS lookup functions normally The process is as follows C nslookup host1 nu net tw forward DNS lookup Server dns hinet net Address 168 95 1 1 Name host1 nu net tw Address 61 11 11 12 C nslookup 61 11 11 12 reverse DNS lookup Server dns hinet net Address 168 95 1 1 Name host1 nu net tw Address 61 11 11 12 The result points out that 61 11 11 12 points to host1 nu net tw Load Balancing Mode Round R...

Page 696: ...s Requirements for setting up a name server are as follows Register nu net tw as a domain name Set the primary name server as 61 11 11 11 and domain name as dns1 nu net tw Set the secondary name server as 211 22 22 22 and domain name as dns2 nu net tw Apply to a local ISP for two fixed T1 or ADSL connections Servers required for address resolution Web Server www nu net tw Mail Server mail nu net t...

Page 697: ...696 Note 1 The DNS must point to the fixed IPs ...

Page 698: ...tute if the primary DNS server develops a fault by allowing the domain name to remain functioning According to table 24 6 use nslookup command to verify the result of forward DNS lookup and reverse DNS lookup C nslookup nu net tw Server dns hinet net Address 168 95 1 1 Name nu net tw Addresses 61 11 11 11 211 22 22 22 look up for Address Forward DNS lookup C nslookup 61 11 11 11 Server dns hinet n...

Page 699: ... server 61 11 11 11 switch to your DNS server Default Server web nu net tw Address 61 11 11 11 www nu net tw look up for real domain name forward DNS lookup Server web nu net tw Address 61 11 11 11 Name web nu net tw the real domain name that www nu net tw corresponds to Addresses 61 11 11 11 211 22 22 20 corresponding IP addresses of web nu net tw Aliases www nu net tw CNAME of web nu net tw From...

Page 700: ...t priority allocation the system will restart the weight priority distribution again This is how the load balancing mechanism can allocate the visitors to the web server www nu net tw in a round robin fashion according to the weighted and priority values As seen from table 24 8 the lower the priority value the higher priority it gets For example the user A wants to send an email to mary mail nu ne...

Page 701: ... has to correspond to the static IP Apply for two static IP ADSL lines Configure Port1 as LAN1 192 168 1 1 NAT Routing mode and connect it to the LAN which is using 192 168 1 x 24 Configure Port2 as WAN1 61 11 11 11 IP range 61 11 11 10 to 61 11 11 14 Configure Port3 as WAN2 211 22 22 22 IP range 211 22 22 18 to 211 22 22 30 Apply for a domain name e g supportplanet com tw select your own domain n...

Page 702: ...Address for DNS Record Type Type www in the Host Name field Real IP Address select WAN1 and then enter 61 11 11 11 in the field Select Round Robin for Load Balancing Mode Click OK Click New Entry again Figure 24 4 Select A Address for DNS Record Type Type www in the Host Name field For Real IP Address select WAN2 and then type 211 22 22 22 For Load Balancing Mode select Backup and then select WAN1 f...

Page 703: ...702 Figure 24 3 The First Inbound Balance Configuration ...

Page 704: ...om tw 2 indicates fully qualified domain name FQDN For example if www is entered in the Hostname field then it will be www supportplanet com tw If www supportplanet com tw is entered and plus a in the end then it will be www supportplanet com tw supportplanet com tw 3 Before enabling reverse lookup make sure the IP class is Class A Class B or Class C If not please apply to the ISP for the reverse ...

Page 705: ...704 Step 2 Go to Policy Object Virtual Server Port Mapping and then set as below Figure 24 6 24 7 Figure 24 6 Server 1 Settings Figure 24 7 Server 2 Settings ...

Page 706: ...ress select Virtual Server IP Web_Server 61 11 11 11 For Service select HTTP 80 Click OK Click New Entry Figure 24 9 For Destination Address select Virtual IP Web_Server 211 22 22 22 For Service select HTTP 80 Click OK Figure 24 10 Figure 24 8 Configuring the First Settings of an Incoming Policy Settings ...

Page 707: ...706 Figure 24 9 Configuring the First Settings of an Incoming Policy Settings Figure 24 10 The Completed Policy Settings ...

Page 708: ...707 Step 4 Settings complete If WAN 1 goes down WAN 2 ensures user s access to the web server remains uninterrupted Figure 24 11 Figure 24 11 Web Server Backup Deployment ...

Page 709: ...ess for DNS Record Type Type www in the Host Name field For Real IP Address type 61 11 11 11 and select WAN1 from the drop down list For Load Balancing Mode select Round Robin Click OK Select 1 for Weight and 1 for Priority Click New Entry Figure 24 14 Select A Address for DNS Record Type Type www in the Host Name field For Real IP Address type 211 22 22 22 and select WAN2 from the drop down list Se...

Page 710: ...709 Figure 24 13 The First Inbound Balance Settings Figure 24 14 The Second Inbound Balance Configuration Figure 24 15 Setting Completed ...

Page 711: ...710 Step 2 Go to Policy Object Virtual Server Port Mapping and then set as below Figure 24 16 24 17 Figure 24 16 Server 1 Settings Figure 24 17 Server 2 Settings ...

Page 712: ...fined rule Virtual IP Web_Server 61 11 11 11 for Destination Address Select HTTP 80 for Service Click OK Click New Entry Figure 24 19 Select the defined rule Virtual IP Web_Server 211 22 22 22 for Destination Address Select HTTP 80 for Service Click OK Figure 24 20 Figure 24 18 Configuring the First Policy Settings ...

Page 713: ...712 Figure 24 19 Configuring the Second Policy Settings Figure 24 20 Policy Completed ...

Page 714: ...m tw A 211 22 22 22 2 2 Table 24 9 Web Server Weight and Priority Settings The weight and priority values will distribute their access as below The 1st user accesses the server via 61 11 11 11 The 2nd user accesses the server via 211 22 22 22 The 3rd user accesses the server via 211 22 22 22 Round Robin priority distribution cycle finished The 4th user accesses the server via 61 11 11 11 Round Rob...

Page 715: ...714 cycle restarted The 5th user accesses the server via 211 22 22 22 The 6th user accesses the server via 211 22 22 22 ...

Page 716: ... then select WAN1 from the drop down list For Load Balancing Mode select Round Robin Click OK Select 1 for Weight and select 1 for Priority Click OK Figure 24 24 Select A Address for DNS Record Type Type web in the Host Name field For Real IP Address type 211 22 22 22 in the field and then select WAN2 from the drop down list Select Round Robin for Load Balancing Mode Click OK Select 2 for Weight an...

Page 717: ...716 Figure 24 23 The First Inbound Balance Settings Figure 24 24 The Second Inbound Balance Settings Figure 24 25 CNAME Alias Settings ...

Page 718: ...717 Figure 24 26 Completed CNAME Alias Settings ...

Page 719: ...718 Step 2 Go to Policy Object Virtual Server Port Mapping and then set as below Figure 24 27 24 28 Figure 24 27 Server 1 Settings Figure 24 28 Server 2 Settings ...

Page 720: ...ned rule Virtual IP Web_Server (61.11.11.11) for Destination Address. Select HTTP (80) for Service. Click OK. Click New Entry. (Figure 24-30) Select the defined rule Virtual IP Web_Server (211.22.22.22) for Destination Address. Select HTTP (80) for Service. Click OK. (Figure 24-31) Figure 24-29 Incoming Policy Settings ...

Page 721: ...720 Figure 24 30 Configuring the Second Policy Settings Figure 24 31 Adding the Second Policy ...

Page 722: ...portplanet.com.tw A 211.22.22.22 2 2; www.supportplanet.com.tw CNAME web.supportplanet.com.tw. Table 24-10 The Web Servers' Weight, Priority and CNAME Settings. Based on the weight and priority, the WAN distribution will be as follows: The 1st user accesses the server via 61.11.11.11. The 2nd user accesses the server via 211.22.22.22. The 3rd user accesses the server via 211.22.22.22. Round-Robin priority d...

Page 723: ...2 The 4th user accesses the server via 61.11.11.11. Round-Robin priority distribution cycle has restarted. The 5th user accesses the server via 211.22.22.22. The 6th user accesses the server via 211.22.22.22. ...

Page 724: ... Robin for Load Balancing Mode. Click OK. Select 1 for Weight and select 1 for Priority. Click New Entry. (Figure 24-35) Select A (Address) for DNS Record Type. Type main in the Host Name field. For Real IP Address, type 211.22.22.22 in the field and select WAN2 from the drop-down list. Select Round-Robin for Load Balancing Mode. Click OK. Select 2 for Weight and select 2 for Priority. Click New Entry again. Figur...

Page 725: ...724 Figure 24 34 The First Inbound Balance Settings Figure 24 35 The Second Inbound Balance Settings Figure 24 36 The MX Mail eXchanger Settings ...

Page 726: ...725 Figure 24 37 MX Mail eXchanger Settings Completed ...

Page 727: ...726 Step 2 Go to Policy Object Virtual Server Port Mapping and then set as below Figure 24 38 24 39 24 40 24 41 Figure 24 38 The First Setting of Server Figure 24 39 The Second Setting of Server ...

Page 728: ...727 Figure 24 40 The Third Setting of Server Figure 24 41 The Fourth Setting of Server ...

Page 729: ...irtual IP Mail_Server_SMTP (61.11.11.11) for Destination Address. Select SMTP (25) for Service. Click OK. Click New Entry. (Figure 24-44) Select the defined rule Virtual IP Mail_Server_POP3 (211.22.22.22) for Destination Address. Select POP3 (110) for Service. Click OK. Click New Entry. (Figure 24-45) Select the defined rule Virtual IP Mail_Server_SMTP (211.22.22.22) for Destination Address. Select SMTP (25) for Serv...

Page 730: ...729 Figure 24 43 The Second Policy Settings Figure 24 44 The Third Policy Settings ...

Page 731: ...730 Figure 24 45 The Fourth Policy Settings Figure 24 46 Policy Completed ...

Page 732: ...et.com.tw A 211.22.22.22 2 2; mail.supportplanet.com.tw MX main.supportplanet.com.tw. Table 24-11 The MX Server's Weight and Priority Settings. When a user connects to mail.supportplanet.com.tw, they will be directed to the real mail server named main.supportplanet.com.tw. As per the weight and priority values, they will be distributed to the following WAN links in the order below: The 1st user accesses ...

Page 733: ...he server via 211.22.22.22. Round-Robin priority distribution cycle finished. The 4th user accesses the server via 61.11.11.11. Round-Robin priority distribution cycle has restarted. The 5th user accesses the server via 211.22.22.22. The 6th user accesses the server via 211.22.22.22. ...

Page 734: ...n operate in active standby mode The master device active device maintains a synchronization with the backup device standby device Once the master device fails the backup device will seamlessly take over the operations The High Availability mechanism effectively prevents any loss of data to your business ...

Page 735: ...device will serve as the master or backup Data Transmission Port Management IPAddress Configures the IP address and port for executing the synchronization between the master device and the backup device Backup Status Displays the status of the master device and the backup device ...

Page 736: ... 168.1.x/24. Configure Port2 as WAN1 (61.11.11.11) and connect it to the ADSL Termination Unit Remote to access the Internet (IP range: 61.11.11.10 to 61.11.11.14). Configure Port3 as WAN2 (211.22.22.22) and connect it to the ADSL Termination Unit Remote to access the Internet (IP range: 211.22.22.18 to 211.22.22.30). Configure Port4 as DMZ1 (Transparent Routing mode). ...

Page 737: ...736 Step 1 Assign one CS 2001 device as the master and connect it to the same switch that the LAN is connected to Figure 25 1 Figure 25 1 The Deployment of the Master Device under High Availability Mode ...

Page 738: ...737 Step 2 Using the master device configure the following High Availability settings under Network Interface Figure 25 2 Figure 25 2 The IPAddress for the LAN Interface ...

Page 739: ... under Advance High Availability Settings Tick Enable High Availability HA For HA Mode select Active from the drop down list For HA Port select Port1 from the drop down list Type the IP address in the Management IPAddress field Click OK Figure 25 3 Figure 25 3 The Master Device Settings ...

Page 740: ...t and DMZ port must be different from the Master device's. After the configuration, turn on the device. (Figure 25-4) The Master device will synchronize itself with the Backup device daily. The Backup device's Management IP Address will be assigned according to the Master device's setting during synchronization. Figure 25-4 The High Availability Deployment ...

Page 741: ...1 device can be changed. The capacity of the new disk should be larger than or equal to the capacity of the original one to avoid synchronization errors. To synchronize the data of the Backup device and the Master device, it is recommended to change the disk of the Backup device first and then change the disk of the Master device after synchronization. 3. After deployment, the Master device will operate. Once th...

Page 742: ... process of being renewed, the session will disconnect. IPSec VPN Connections: the IT administrator needs to set the Keepalive IP Address under Policy Object > VPN > Trunk so that a VPN session can be re-established without delay during backup. PPTP VPN Connections: during backup, the connection will disconnect and the remote user will need to re-establish the connection. ...

Page 743: ...th the network's switch to provide instant monitoring of the internal network's status. When the device detects an anomalous traffic flow, it will block the flow and provide information to help the IT administrator resolve the problem before it slows down the entire network. ...

Page 744: ...number that the system can use to telnet into the switch. Username: The username that the system can use to telnet into the switch. Password: The password that the system can use to telnet into the switch. MAC Address Format: The MAC address pattern that can be recognized by a switch. Listed below are four commonly seen patterns: XX XX XX XX XX XX XX XX XX XX XX XX XXXXXXXXXXXX XXXXXX XXXXXX Blocking Comm...

Page 745: ...iew the IP/MAC addresses that the switch is blocking. Note: 1. When the system detects an internal anomaly flow, the switch will use the following variables to block IP/MAC addresses, unblock already blocked IP/MAC addresses, and view IP/MAC addresses: _ip_ indicates a blocked IP address; _mac_ indicates a blocked MAC address; _port_ indicates one of the switch ports. ...

Page 746: ...ample 26 1 1 Quickly Isolating Any Anomaly Flow in the Internal Network by Utilizing the Core and Edge Switch Step 1 Go to Anomaly Flow IP Settings and set as below Figure 26 2 Figure 26 2 Anomaly Flow IP Settings ...

Page 747: ...d. Enter the port number, username and password to establish a telnet connection with the switch. Click OK. (Figure 26-4) Click the View button to view the core switch's blocking commands. Click the Modify button to modify the core switch's connection settings. Click the Remove button to delete the core switch's connection settings. Click the Remove Blocked Address link to remove an IP or MAC address ...

Page 748: ...747 Figure 26 4 Core Switch Settings Completed ...

Page 749: ...below Figure 26 9 Type the name in the Name field Select IPv4 from the IP Version drop down list Fill the IPAddress field and the Community String field Click OK Figure 26 10 Figure 26 9 Connection Settings for the Core Switch Figure 26 10 Completed Connection Settings for the Core Switch ...

Page 750: ...ble Using SNMP the CS 2001 can obtain the MAC addresses of any packets that pass through the edge switch Note 1 Under Advance Co Defense System Edge Switch every port number from on the edge switch can be assigned with a description by clicking on Details ...

Page 751: ...750 Monitoring ...

Page 752: ...tes who, when, what and where a configuration is being modified. Connection Logs comprehensively record all connection-related data, such as VPN, PPPoE, SMTP, POP3, etc., providing the IT administrator with instant insight when any connection issues arise. Virus Logs show the detected viruses from your HTTP Webmail and FTP packets processed through the CS-2001. Application Blocking Logs provide detail...

Page 753: ...iod of time for storing or deleting when expired You may enable email log syslog message SNMP Trap alerts accordingly Terms in Traffic Search Available search criteria are date policy priority source IP destination IP and port number Under Monitoring Logs Traffic click Search and then set as below Enable the searching duration and then specify a period of time to search within Select All for Polic...

Page 754: ...753 Figure 27 1 Searching for a Specific Log ...

Page 755: ...754 Figure 27 2 Downloading the Search Results ...

Page 756: ...name IP address event type and event log with detailed content Under Monitoring Logs Events click Search and then set as below Enable the search duration and then specify a period of time to search within Click Search Figure 27 3 Figure 27 3 Searching for a Specific Log ...

Page 757: ...c Available search criteria are date and keyword Web VPN Available search criteria are date and keyword SMTP Inbound Available search criteria are date IP address sender recipient status and detail SMTP Outbound Available search criteria are date IP address sender recipient status and detail POP3 Available search criteria are date IP address user name status and detail Under Monitoring Logs Connec...

Page 758: ...757 Figure 27 4 Searching for a Specific Log ...

Page 759: ...Available search criteria are date source IP and keyword Under Monitoring Logs Application Blocking click Search and then set as below Terms in Concurrent Sessions Search Available search criteria are date and IP address Under Monitoring Logs Concurrent Sessions click Search and then set as below Terms in Quota Search Available search criteria are date and source IP Under Monitoring Logs Quota cli...

Page 760: ...ls and Port Numbers Used during an Access to CS 2001 Step 1 Go to Policy DMZ To WAN and set as below Figure 27 5 Enable the Packet Logging Click OK Figure 27 6 Figure 27 5 A Policy with Traffic Log Figure 27 6 A Policy with Traffic Log Completed ...

Page 761: ...nitoring > Logs > Traffic, the traffic status of a policy is shown. (Figure 27-7) Figure 27-7 Traffic Log. Step 3. Click any Source IP or Destination IP to see which protocols and ports it used, along with its traffic. (Figure 27-8) ...

Page 762: ...Figure 27-8 Monitoring the Traffic Flow of Each IP Address ...

Page 763: ...762 Step 4 To clear the logs click the Clear button and then click OK in the confirmation window Figure 27 9 Figure 27 9 Deleting all the Traffic Log ...

Page 764: ...ewing System History Access and the Status of WAN. Step 1. Under Monitoring > Logs > Events, the system history access and the status of WAN are shown. (Figure 27-10) Click the icon for details. (Figure 27-11) Figure 27-10 Event Logs ...

Page 765: ...764 Figure 27 11 Specific Details of a History Event ...

Page 766: ...Connection Logs of WAN Interface Step 1 Under Monitoring Logs Connections it shows the logs of PPPoE Dynamic IP Address DHCP PPTP Server PPTP Client IPSec Web VPN SMTP Inbound SMTP Outbound and POP3 Figure 27 12 Figure 27 12 Connection Logs ...

Page 767: ...766 Step 2 To delete the logs click the Clear button and then click OK in the confirmation window Figure 27 13 Figure 27 13 Deleting all the Connection Logs ...

Page 768: ...Viewing the Detected Viruses from Internal Users Using HTTP Web Mail FTP Protocol to Transfer Files Step 1 Go to Policy Outgoing and then set as below Figure 27 14 For Anti Virus tick HTTP Webmail and FTP Click OK Figure 27 15 ...

Page 769: ...768 Figure 27 14 A Policy with HTTP WebMail and FTP ...

Page 770: ...769 Figure 27 15 Policy Completed ...

Page 771: ... Under Monitoring Logs Viruses it shows the logs of detected virus from the Internal users using HTTP WebMail and FTP protocol to transfer files Step 3 To delete the logs click the Clear button and then click OK ...

Page 772: ...ocking 27 5 1 Viewing the Logs Step 1 Under Policy Outgoing set as below Figure 27 16 Select the defined application blocking Click OK Figure 27 17 Figure 27 16 A Policy with Application Blocking Figure 27 17 Policy Completed ...

Page 773: ...ws the logs of applications that have been blocked. (Figure 27-18) Figure 27-18 Application Blocking Logs. Step 3. To delete the logs, click the Clear button and then click OK in the confirmation window. (Figure 27-19) Figure 27-19 Deleting the Application Blocking Logs ...

Page 774: ... 6.1 Viewing the Logs of Concurrent Sessions that Have Exceeded the Configured Value. Step 1. Go to Policy > Outgoing and then set as below. (Figure 27-20) Enter a value in the Max Concurrent Sessions per IP field. Click OK. (Figure 27-21) ...

Page 775: ...774 Figure 27 20 A Policy with Limitation of Concurrent Sessions ...

Page 776: ...ted Step 2 Under Monitoring Logs Concurrent Sessions it shows the logs of the concurrent sessions that have exceeded the configured value Step 3 To delete the logs click the Clear button and then click OK in the confirmation window ...

Page 777: ...776 27 7 Quota 27 7 1 Viewing the Logs of Quota that Has Been Reached Step 1 Go to Policy Outgoing and then set as below Figure 27 22 Type a value in the Quota per Source IP field Click OK Figure 27 23 ...

Page 778: ...777 Figure 27 22 A Policy with Limitation of Quota per Source IP ...

Page 779: ...3 Policy Completed Step 2 Under Monitoring Logs Quota it shows the logs of the quota that have reached the configured value Step 3 To delete the logs click the Clear button and then click OK in the confirmation window ...

Page 780: ... Enable email notifications and then configure the related settings Figure 27 24 Tick Enable syslog messages and then configure the related settings Figure 27 25 Figure 27 24 Enabling Email Notifications Figure 27 25 Enabling Syslog Messages Step 2 Go to System Configuration SNMP and then set as below Figure 27 26 Figure 27 26 SNMP Trap Settings ...

Page 781: ...780 Step 3 Go to Monitor Log Settings and then set as below Figure 27 27 Figure 27 27 Monitoring Settings ...

Page 782: ...strator when the file size reaches 300KB. 2. When syslog messages are enabled, the logs will be delivered to the designated remote device. 3. When SNMP trap alerts are enabled, the logs can be delivered to a PC installed with SNMP Trap software. (Figure 27-29) Figure 27-29 Sending SNMP Trap Alert ...

Page 783: ...rough the device providing the IT administrator with detailed statistical reports and charts Flow Analysis displays the real time traffic from the source IP and the traffic of each service Today Top N displays the traffic from the source IP destination IP and service in the day History Top N displays the certain duration of historic traffic from the source IP destination IP and service ...

Page 784: ...e Storage period field Click OK Figure 28 1 Figure 28 1 Accounting Report Settings Terms in Flow Analysis Source IP Displays the real time traffic from the source IP Source IP indicates the source IP of the traffic Traffic indicates the traffic from the source IP Provides the total traffic of all source IP and the traffic of individual source IP Service Displays the real time traffic of services S...

Page 785: ...on IP Provides the total traffic of all destination IP and the traffic of the individual destination IP Service Indicates the certain period of traffic of the services in the day Service indicates the protocol and port number of the services Traffic Indicator indicates the upload and download traffic Provides the total traffic of all services and the traffic of individual service Historical Top Ch...

Page 786: ...785 Figure 28 2 Searching for the Specific Log ...

Page 787: ...786 Figure 28 3 Downloading the Accounting Reports ...

Page 788: ...Figure 28-4 Deleting the Accounting Reports ...

Page 789: ...788 28 1 Flow Analysis Step 1 Under Monitoring Accounting Reports Flow Analysis it shows the traffic of source IP and service through CS 2001 Figure 28 5 Figure 28 5 Flow Analysis ...

Page 790: ... 28 2 Today s Top Chart Step 1 Under Monitoring Accounting Reports Today s Top Chart it shows the traffic from the source IP destination IP and the traffic of service through CS 2001 in the day Figure 28 6 ...

Page 791: ...790 Figure 28 6 Today Top N ...

Page 792: ...l The left one is the start time slider the right one is the end time slider Once you adjust the time interval the Service IP accounting report the Destination IP accounting report and the Service accounting report will be refreshed according to the new time interval Figure 28 7 ...

Page 793: ...792 Figure 28 7 Today Top N Report according to the Time Interval ...

Page 794: ...ny source IP a pop up window will show its destination IP and service Figure 28 8 Figure 28 8 The Destination IP and Service Step 4 By clicking any Destination IP a pop up window will show its source IP and service Figure 28 9 ...

Page 795: ...794 Figure 28 9 The Source IP and Service ...

Page 796: ...795 Step 5 By clicking any service it will show its source IP and destination IP Figure 28 10 Figure 28 10 The Source IP and Destination IP ...

Page 797: ... Chart Step 1 Under Monitoring Accounting Reports Historical Top Chart you may see the traffic of the source IP destination IP and service of the certain duration by specifying the date Figure 28 11 Figure 28 11 History Top N ...

Page 798: ...w across the WAN interfaces and packets managed by policies WAN Traffic provides upstream and downstream traffic flow statistics of all packets passing through the WAN interfaces based on their corresponding policies Policy Based Traffic provides upstream and downstream traffic flow statistics of all packets passing through the WAN interfaces based on their corresponding policies ...

Page 799: ...rly Days Statistics charts are presented based on data collected daily Weeks Statistics charts are presented based on data collected weekly Months Statistics charts are presented based on data collected monthly Years Statistics charts are presented based on data collected every year Bits sec Bytes sec Utilization Total The IT administrator can modify the unit display from the chart s vertical axis...

Page 800: ...e unit of minute Click Hours for statistic charts in the time unit of hour Click Days for statistic charts in the time unit of day Click Weeks for statistic charts in the time unit of week Click Months for statistic charts in the time unit of month Click Years for statistic charts in the time unit of year Figure 29 1 Figure 29 1 Different Time Units for Statistics Note 1 The WAN statistics is a su...

Page 801: ...800 Step 2 Statistic charts Figure 29 2 Vertical axis indicates network stream Horizontal axis indicates time ...

Page 803: ...802 Figure 29 2 The Network Stream Chart Note 1 You may configure the time duration to search for the statistics in a certain period of time ...

Page 804: ...r statistic charts in the time unit of minute Click Hours for statistic charts in the time unit of hour Click Days for statistic charts in the time unit of day Click Weeks for statistic charts in the time unit of week Click Months for statistic charts in the time unit of month Click Years for statistic charts in the time unit of year Figure 29 3 Figure 29 3 The Policy Statistics List Note 1 If the...

Page 805: ...804 Step 2 Statistics charts Figure 29 4 Vertical axis indicates network traffic Horizontal axis indicates time ...

Page 807: ...806 Figure 29 4 Viewing the Policy Statistics Chart Note 1 You may see the statistics of a certain time by using the time searching ...

Page 808: ...807 Chapter 30 Diagnostic Tools The device provides ping and traceroute utilities to help diagnose network issues with particular external nodes ...

Page 809: ... or Domain name in the Destination IP Domain name field In Packet size configure the size of each packet 32 Bytes by default In Count configure the quantity of packets to send out 4 by default In Wait time specify the duration to wait between successive pings 1 second by default Select the interface from the Interface drop down list Click OK Figure 30 2 Figure 30 1 Ping Settings ...

Page 810: ... LAN IP address in the Interface field Enter the IP address that is under the same subnet range in the Destination IP Domain name field When the VPN connection is established between the local subnet and remote subnet the following method can be employed to test the packet transfer between the two subnets Figure 30 3 ...

Page 811: ...810 Figure 30 3 Ping Results for a VPN Connection ...

Page 812: ...4 In Destination IP Domain name enter the destination address for the packets In Packet size configure the size of each packet 40 Bytes by default In Max Time to Live enter the maximum number of hops 30 by default In Wait time specify the duration to wait between successive pings 2 seconds by default In Interface select the interface that the packets will originate from Click OK Figure 30 5 Figure...

Page 813: ...812 Figure 30 5 Traceroute Results ...

Page 814: ...pture the packet content for debugging. (Figure 30-6) In the Interface drop-down list, select the interface on which to capture packets. In the Capture Time list, choose how long the capture will run. Fill in the Host IP and Netmask you would like to filter. Configure the filtering rule. Click Start, then wait for the capture period; the result will be displayed in the field. Figure 30-6 Packet Capture Res...

Page 815: ...wake on LAN supported PC can be remotely turned on by a wake up packet sent from the CS 2001 By utilizing remote control software such as VNC Terminal Service or PC Anywhere a remote user may remotely wake up a computer and access it ...

Page 816: ...d is 00 0C 76 B7 96 3B Step 2 Under Monitoring Wake On LAN Settings click New Entry and then set as below Enter the name in the field Enter 00 0C 76 B7 96 3B in the MAC Address field Click OK Figure 31 1 Figure 31 1 Wake on LAN Setting Step 3 Click WakeUp to start up the PC Figure 31 2 Figure 31 2 Clicking WakeUp to Start up the PC ...

Page 817: ...rmation. Interface: shows the status of each interface. System Info: shows the utilization of CPU, hard disk and memory. Authentication: records any authentication usage for the CS-2001. ARP Table: records all the ARP tables of host PCs that have connected to the CS-2001. Sessions Info: records all the sessions sending or receiving packets over the CS-2001. DHCP Clients: records the status of IP addre...

Page 818: ...r of sessions connected to the device 3 Forwarding Mode displays the interface connection mode 4 WAN Connection shows the WAN interface connection status 5 DnS UpS kbps shows the maximum downstream upstream bandwidth set for the WAN interface can be configured under Network Interface WAN 6 Downstream Traffic the percentage of downstream traffic to each WAN interface 7 Upstream Traffic the percenta...

Page 819: ...he WAN gateway address 12 DNS 1 the DNS 1 server address from the ISP 13 DNS 2 the DNS 2 server address from the ISP 14 Rx Packets Errors shows the quantity of received packets and the amount of error packets for each interface 15 Tx Packets Errors shows the quantity of sent packets and the amount of error packets for each interface 16 Ping HTTP HTTPS shows whether the user can ping the device s i...

Page 820: ...819 32 2 System Info Step 1 Under Monitoring Status System Info it shows the current system information such as CPU utilization hard disk utilization and memory utilization Figure 32 3 ...

Page 821: ...820 Figure 32 3 System Information ...

Page 822: ...he authentication status of the device Figure 32 4 Figure 32 4 The Authentication Status Note 1 IPAddress displays the authenticated user s IP address 2 Authentication User Name the user s authenticated login name 3 Login Time the user s login time year month day hour minute second ...

Page 823: ... To prevent any network packet errors the Static ARP Table must coordinate with the Anti ARP virus software When these two function together they provide a fixed mapping between the IP address and the MAC address 6 The Anti ARP virus software can be downloaded by clicking on the Download button Once downloaded proceed with the following Figure 32 6 The program can be executed immediately to start ...

Page 824: ...Figure 32-6 Downloading the Anti-ARP Virus Software. Figure 32-7 The Result of Executing the Anti-ARP Virus Software ...

Page 825: ...Figure 32-8 The Anti-ARP Virus Software will Automatically Run when the System Starts Up ...

Page 826: ...825 32 5 Sessions Info Step 1 Under Monitoring Status Sessions Info it provides a list of all the sessions that have connected to the device Figure 32 9 Figure 32 9 System Sessions ...

Page 827: ...826 Step 2 By clicking on any source IP it shows the port number and the traffic Figure 32 10 Figure 32 10 The System Info ...

Page 828: ...device s DHCP server Figure 32 11 Figure 32 11 The DHCP Clients Note 1 NetBIOS Name the computer s network identification name 2 IPAddress the computer s IP address 3 MAC Address the MAC address that the dynamic IP maps to 4 Leased Time the start time and the end time of the dynamic IP year month day hour minute second ...
