manualshive.com logo in svg

Sangfor IAM 2.1, User Manual, Page: 95 / 319

Share
Download
Sangfor IAM 2.1 User Manual Download Page 95

SANGFOR IAM v2.1 User Manual 

 

94 

same segment with IAM gateway device) will be blocked by the IAM gateway device. This [LAN 

Router List] will prevent the MAC address of the LAN router (in the list) from being blocked by 

the IAM gateway device. 

You can enter interface IP address or MAC address of the router (or layer 3 switch) that directly 

connects  to  the  LAN  interface  of  the  IAM  gateway  device.  The  IAM  gateway  device  will 

automatically distinguish the MAC address of the corresponding IP address. 

[Excluded  IP  List]:  Configures  the  IP  address(es)  that  will  not  be  defended  against  in  any  case, 

regardless  of  the  number  of  connections  and  high  frequency  of  sending  packets.  Generally,  the 

connections and frequency of sending packet of an IP address is limited; if any of the standards is 

reached, it will be regarded as DoS attack. 

[Max  New  TCP  Connections  Per  IP]:  Configures  the  maximum  TCP  connections  of  each  IP 

allowed by the IAM gateway device in one minute. If number of new TCP connections of an IP 

address  exceeds  the  limit  configured  herein,  the  IP  will  be  blocked  for  a  certain  time  ([Host 

Blocking Time After Attack is Detected]). 

[Max  Attack  Packets  Per  IP]:  Configures  the  maximum  packets  (including  SYN  packets,  ICMP 

packets  and  TCP/UDP  small  attack  packets)  of  each  IP  or  MAC  address  allowed  by  the  IAM 

gateway  device in  one second. If number of  them  exceeds the limit configured herein, the  IP or 

MAC address will be blocked for a certain time ([Host Blocking Time After Attack is Detected]). 

[Host Blocking Time After Attack is Detected]: Configures the time duration of blocking the host 

if the IAM gateway device detects that this host is initiating attacks; in unit of minutes. 

 

 

It  is  strongly  recommended  to  enable  the  anti-DoS  function,  which  will  enable  the  IAM 

gateway  device  to  efficiently  defend  attacks  initiated  by  external  networks  and  to  prevent 

traffic  congestion  caused  by  enormous  and  continuous  packets  that  are  sent  by  the 

virus-infected LAN PC. 

 

[LAN  Address  List]  is  also  recommended  to  be  configured.  This  configuration  will  help  to 

defend  against  attacks  initiated  by  masqueraded  IP  address.  Better  to  add  all  the  LAN 

segments to the list, for the data packets sent by the IP addresses outside the list will be then 

forwarded to the IAM gateway device and then be dropped. 

 

If  there  is  a  LAN  router  or  layer  3  switch,  please  DO  add  the  routing  device's  interface  IP 

Summary of Contents for IAM 2.1

Page 1: ...SANGFOR IAM v2 1 User Manual IAM 2 1 User Manual September 2010...

Page 2: ...ation and Management 13 1 5 Wiring Method of Standalone 13 1 6 Wiring Method of Redundant System 15 Chapter 2 Console 17 2 1 Web UI Login 17 2 2 IAM Gateway Configuration 18 Chapter 3 System Status 19...

Page 3: ...Ident Rule 59 4 3 Service 61 4 4 IP Group 62 4 5 Schedule 64 4 6 URL Group 65 4 7 White List Group 68 4 8 Keyword Group 69 4 9 File Type Group 70 4 10 Ingress Rule 71 4 11 SSL Certificate 80 Chapter...

Page 4: ...2 2 Web Filter 117 7 1 2 2 1 HTTP URL Filter 117 7 1 2 2 2 HTTPS URL Filter 120 7 1 2 2 3 Keyword Filter 122 7 1 2 2 4 File Type Filter 123 7 1 2 2 5 ActiveX Filter 126 7 1 2 2 6 Script Filter 130 7...

Page 5: ...1 POP3 Authentication 166 7 2 2 2 2 Network Environment 167 7 2 2 2 3 Configuration 167 7 2 2 3 WEB SSO 168 7 2 2 4 Proxy SSO 170 7 2 2 4 1 Proxy Authentication 170 7 2 2 4 2 Network Environment 170...

Page 6: ...ort 210 7 7 Online User 211 Chapter 8 Bandwidth Management 214 8 1 Bandwidth Status 214 8 1 1 Bandwidth Channel 215 8 1 2 Exclusion Policy 216 8 2 Bandwidth Settings 217 8 2 1 Bandwidth Channel 217 8...

Page 7: ...pter 13 Security 260 13 1 Gateway Antivirus 260 13 2 IPS 262 13 2 1 IPS Options 262 13 2 2 IPS Rules 264 13 3 VPN Settings 265 13 3 1 VPN Status 265 13 3 2 Basic Settings 266 13 3 3 User Management 26...

Page 8: ...3 3 12 2 VPN Interface 302 13 3 12 3 LDAP Server 303 13 3 12 4 Radius Server 304 13 3 13 Generate Certificate 305 Chapter 14 DHCP 306 14 1 DHCP Status 306 14 2 DHCP Settings 306 Chapter 15 Wizard 309...

Page 9: ...GFOR logo are the trademarks or registered trademarks of SANGFOR Technology Co Ltd All other trademarks used or mentioned herein belong to their respective owners This manual shall only be used as usa...

Page 10: ...URL group IP group service time schedule white list group keyword group file type group ingress rule and SSL certificate Chapter 5 Firewall How to configure the firewall rules of the IAM gateway as w...

Page 11: ...configuration starts from and how to configure the IAM gateway step by step Document Conventions Graphic Interface Conventions This manual uses the following typographical conventions for special ter...

Page 12: ...Note Indicates helpful suggestion or supplementary information Technical Support For technical support use the following methods Go to our official website http www sangfor com Go to our technical sup...

Page 13: ...the requirements on environment protection and the placement usage and discard of the product should comply with relevant national law and regulation 1 2 Power The SANGFOR IAM series device uses 110 2...

Page 14: ...interface is only for debugging by technicians The end users connect to the device via the network interfaces 1 4 Configuration and Management Before configuring the device please prepare a computer...

Page 15: ...icator will be lighted only for about one minute due to system loading when the device is starting and then go out indicating successful startup of the device If the ALARM indicator stays lighted duri...

Page 16: ...ailability mode HA the wiring to the external network and internal network should be as shown in the following figure Use standard RJ 45 Ethernet cable to connect the WAN1 interfaces of the two IAM ga...

Page 17: ...to connect the LAN interfaces of the two IAM gateway devices to a same switch and then connect the switch to the local area network switch with standard RJ 45 wire connecting it to the local area net...

Page 18: ...on can be avoided Having connected all the wires you can go on to configure the SANGFOR IAM gateway device through the WEB UI Detailed procedures are as described in the following chapters Configure a...

Page 19: ...o view the version information click the link View Version 2 2 IAM Gateway Configuration Logging in successfully you will face the following function modules left tree System Object Firewall IAM Bandw...

Page 20: ...tc 3 1 Running Status Running Status provides the real time status of the IAM gateway device including CPU usage Disk Usage Sessions WAN IP Flow Status as well as View Connection Ranking View Flow Ran...

Page 21: ...ink to view the connection information Enter an IP address and click the Search button and you can get the current connection information of this IP address For detailed configuration please refer to...

Page 22: ...crossing ISPs Gateway Antivirus License You can activate it to update the virus library of the antivirus module Application Ident URL Library License You can activate it to update the expiry time of...

Page 23: ...seen below which is a Configure button Click the Configure button to get into the next page and select the gateway mode to be switched to Click the Next button and finish the rest required configurat...

Page 24: ...ively that is of different network segments If WAN2 interface on the front panel of the IAM gateway device is not used you can define WAN2 interface as a LAN2 or DMZ2 If the LAN interface of the IAM g...

Page 25: ...riginal gateway and the LAN users no change to be made on the original gateway and the LAN users It seems the original gateway and the LAN server cannot feel the existence of the IAM device It is what...

Page 26: ...age is as shown below 3 4 2 1 Bridge Mode Multiple Interface Through bridging the interfaces of the IAM gateway device we can establish multiple interfaces for a bridge so as to create an environment...

Page 27: ...hen deployed to bridge R1 and R2 with S1 Environment 2 In order to enhance the stability of the network and reduce single node failure both the kernel switch and the router of local area network are i...

Page 28: ...orwarded from and being forwarded to In association with the settings of the firewall rules this item can allow or deny data transmission of certain direction Differences between Multi Interface and M...

Page 29: ...nd the router of local area network are in redundancy Both R1 and R2 use VRRP protocol When the host is down the alternate device enables the virtual IP and takes over the network Then we deploy the I...

Page 30: ...ection the data are forwarded to Click the Next button to get into the next page to configure the bridge as shown below Bridge Direction Indicates the direction of data transmission Bridge IP List Bas...

Page 31: ...faces of the device are being bridged the data of layer 2 and the layers above can be traversed This feature of the IAM gateway device enables the DHCP service and the IP MAC binding of the original g...

Page 32: ...mask and then click Add If you have enabled the functions that need to be redirected to the IAM gateway device such as anti virus function email filter ingress rule WEB authentication etc you have to...

Page 33: ...click Configure to enter the Select Gateway Mode page Select Bypass Mode and click the Next button then the following page appears IP Address Configures the IP address of the MANAGE interface DMZ inte...

Page 34: ...s are WAN addresses but regards the addresses in the Monitored Network Segment List as LAN addresses Access data sent to the Internet through these monitored addresses will be recorded or controlled H...

Page 35: ...d to be received by the PC and the server of the public network Many functions are not available in bypass mode such as VPN DHCP and Ingress rule etc Bypass mode IAM gateway mode mainly plays a monito...

Page 36: ...ce is down you need only disable the proxy service on the user s PC and to have it back into normal Typical topology of the single arm mode is as shown below failure will not disconnect the network Un...

Page 37: ...de the gateway configured in the local area network need no change keeping directing to its original gateway To have the IAM gateway device work in single arm mode you have to configure the WAN Optimi...

Page 38: ...he corresponding configuration page If you are to configure multiple IP addresses you can add the IP addresses that are to be bound click the Next button to get into the next page VLAN Enable or Disab...

Page 39: ...ce Displays the information of WAN interface It can be defined as the third external line as well as a LAN interface or DMZ interface Multiline Settings Displays the line selection policy selected Cli...

Page 40: ...or the synchronization between the IAM gateway devices The communication interface can be any network interface that can cross multicast packets to communication with each other It is recommended to u...

Page 41: ...e In addition to modifying the system time directly you can configure a Time Server to synchronize the time and select a local Time Zone The configuration page is as shown below Use System Time Click...

Page 42: ...w Administrator Name Type in a unique name for this administrator to distinguish it from others Description Type in a brief description for this administrator Password Configures the login password fo...

Page 43: ...common admin are divided according to functions module there are privileges on Device Management System Object Firewall IAM Bandwidth Management Delayed Email Audit Internet Access Audit Logs Trouble...

Page 44: ...he internal Data Center to view the logs of the selected group s The options of Data Center Privileges can be configured individually which are System Management Customized Report and Intelligent Repo...

Page 45: ...cally log out the console Operation Timeout If a page fails to open during this time interval the system will think it times out and will not try to open this page again Issue Console SSL Certificated...

Page 46: ...the configuration file will be backed up for 7 days Restore from the configuration file Click the Browse button select and upload a backed up configuration file and then click the Restore button to ha...

Page 47: ...ing the IAM gateway device will be automatically uploaded Auto Report System Error Select Enable and the anomaly information found during using the IAM gateway device will be automatically uploaded Au...

Page 48: ...et you then need to configure HTTP Proxy options in Server Settings provided there is HTTP proxy so as to ensure the IAM gateway device can access the Internet smoothly and update the corresponding ru...

Page 49: ...manually created policy The Policy Routing configuration page is as shown below Policy Routing List Displays the existing policy based routings If there are multiple applicable policy routings the up...

Page 50: ...umber Source Port Destination Port Configures the source port and destination port of the data packet on which this policy based routing is applied Target Line This target line is the outgoing line of...

Page 51: ...ne If you need the routing table of each ISP please contact the Customer Service of SANGFOR Having gained the routing table click the Browse button to upload the policy routing and then click the Impo...

Page 52: ...multiple segments to add return route Add return route for SNAT function for multiple segments If there are several LAN segments access Internet through the SANGFOR gateway device then you need to add...

Page 53: ...get access to the Internet through IAM gateway device IAM gateway device acting as the egress Since 192 168 2 X and the LAN interface 10 251 251 251 of IAM gateway device are of different segments IA...

Page 54: ...ificate can function as its ID when it registers on the SC Secure Center Management The Generate Certificate page is as shown below 3 16 High Availability High Availability configured the mode of the...

Page 55: ...and lock the Active Standby status Click Enable and the Active Standby status cannot be altered even though the primary node is down Please think it over to enable this function It is recommended to e...

Page 56: ...standby node will think the primary node got down and switch from Standby status to Active status automatically Click the Interface Detection button to enter the Network Interface Detection dialog and...

Page 57: ...kets etc which helps to identify P2P traffic quite well Application identification rule falls into internal rule and user defined rule The internal rules cannot be modified while the user defined rule...

Page 58: ...e values definition of the software such as P2P IM etc You can contact SANGFOR and apply for application identification rule packets to manually import the rules and you can analyze data packets by yo...

Page 59: ...he Export button and name the file and then finally confirm to export the internal rule cannot be exported Import Rule To import a rule click the Browse button and upload the rule extension of the rul...

Page 60: ...ateway device can access the Internet For the internal rules you can only alter the classification but not edit the policy or export the rule 4 2 Intelligent Ident Rule Intelligent Ident Rule mainly i...

Page 61: ...re encrypted To control and record the Skype data you have to configure it on the Edit Intelligent Ident Rule page of P2P Action put in another way you have to first enable P2P Action in the Intellige...

Page 62: ...Control First you need to define various services of the firewall in Object Service including the port and protocol applied next configure the filtering rules in Firewall Firewall Rules referring to t...

Page 63: ...it from others Click TCP UDP ICMP or Others to define the protocol to be applied check Add Port and type in a single port or a port range as shown below If it is Other protocol Protocol number 0 indic...

Page 64: ...estination IP group in IAM Access Control Policy page Access Control Service Control Click the Add button and the following Edit IP Group page pops up as shown below Name Names the newly created IP gr...

Page 65: ...et is accessible to it 4 5 Schedule Schedule defines the commonly used time periods mainly used as valid time or expiry time The defined schedule can be referenced by Firewall Firewall Rules and IAM A...

Page 66: ...le the selected time periods and then click the OK button to save the settings on this page 4 6 URL Group URL Group is created according to the URL library and can be referenced by URL Filter configur...

Page 67: ...t version of URL library was released at Update URL Library If the URL library cannot automatically update for it is disconnected to the Internet you can manually update the URL library Just click the...

Page 68: ...is built in with a large number of URL groups when it is delivered from the factory You can add a new URL into the URL library if necessary in addition to using the existing and built in URLs Name Nam...

Page 69: ...ck the OK button to save the settings 4 7 White List Group White List Group defines the domain name white list which can be referenced by Access Control Policy Edit Access Control Policy Web Filter Fi...

Page 70: ...on to save the settings 4 8 Keyword Group Keyword Group is used for configuring and classifying the keywords The Keyword Groups can be referenced by IAM Access Control Policy Edit Access Control Polic...

Page 71: ...s the needed file types File Type Group can be referenced by IAM Access Control Policy Edit Access Control Policy page Web Filter File Type Filter to control HTTP and FTP upload and download and can b...

Page 72: ...ules to be applied when users get access to the Internet The ingress rules are to ban the use of proxy software bind IP MAC address of three layers and monitor encrypted IM message and can be referenc...

Page 73: ...ANGFOR Customer Service Import Rule is corresponding to the Export button below the Ingress Rule List which can export the selected ingress rule file s of conf format while the Import button is used f...

Page 74: ...rules must be satisfied and All of the rules must be satisfied Action Select the action if the Matching Condition is satisfied Options are Deny Internet access and Submit report only Rule Type Define...

Page 75: ...LAN computer which is going to get access to the Internet through the IAM gateway device For instance if the LAN computers of an enterprise use the Microsoft Windows XP in order to prevent the LAN us...

Page 76: ...lect Operating System Version If no operating system version is selected this ingress rule will ban the user from accessing Internet First select operation version s and then click Enable to enable th...

Page 77: ...s page click the OK button to save the settings and add this ingress rule to the Ingress Rule List File ingress rule controls the files of the LAN computers who get access to the Internet through the...

Page 78: ...s the antivirus software on the LAN computer has lagged behind to be updated If the time is longer than the days configured here the IAM gateway device will take the corresponding operation Having com...

Page 79: ...s and Settings SINFOR Local Settings Temp Program C Program Files Registry ingress rule checks the Registry of the operating system of the LAN computer that gets access to the Internet through the IAM...

Page 80: ...shown in the figure above Check return result Not check return result Configures whether to check the execution results of the task script Return Result Timeout Configures the timeout for obtaining t...

Page 81: ...N PC as administrator to get access to the Internet Having completed configuring this page you have to click the OK button to save the settings and add the ingress rule to the Ingress Rule List The co...

Page 82: ...rtificate Differentiation of different certificates is inspected by MD5 value of the certificate If the MD5 value of a certification is different from others then it is regarded as another certificate...

Page 83: ...N LAN 5 1 1 LAN DMZ LAN DMZ configures the rule for data transmission fulfilled between LAN interface and DMZ interface The service can be all the services of certain protocol or a user defined servic...

Page 84: ...page pops up as shown in the following figure Firewall rules are to be matched from top to bottom If a rule is matched the rules below it will not to be matched therefore please arrange the rules in n...

Page 85: ...elow 5 1 3 WAN LAN WAN LAN page configures the rule communication between the LAN interface and the WAN interface By default Internet access through the LAN interface has no limitation while LAN acces...

Page 86: ...ce has some built in and frequently used firewall rules which default to let pass all the data packets from the external networks 5 1 4 VPN WAN VPN WAN configures the firewall filtering rule for data...

Page 87: ...rections between the interfaces are allowed The configuration page is as shown below For instance to allow the IP addresses 172 16 1 100 172 16 1 200 of a Branch VPN 172 16 0 0 24 to get access to the...

Page 88: ...n between the LAN1 interface LAN interface on the IAM gateway device and the LAN2 interface the idle WAN2 interface on the IAM gateway device or configures the communication among the IP addresses of...

Page 89: ...or configures the communication among the IP addresses of different segment that are bound with the DMZ interface The service can be all the services of certain protocol or a user defined service For...

Page 90: ...etwork interface or select All WAN interfaces to which the data packets are forwarded to Select Source Address All the IP addresses or a Specified subnet which can get access to the Internet through t...

Page 91: ...rotocol Options are All and Specified All indicates all the protocol on which the SNAT rule is applied Specified is selected and entered when the protocol and line applied are specified Having complet...

Page 92: ...eans all the source IP addresses while Specified indicates that the source addresses are the specified ones Destination Address Generally Specified interface address is selected If the WAN interface h...

Page 93: ...5 1 3 WAN LAN The configuration page is as shown below 5 3 Anti DoS DoS attack Denial of Service attack generally is implemented by forcing the server to reset or saturating the server with external c...

Page 94: ...ist may result in login failure to the console through the LAN interface in that case log in through the WAN interface The LAN Address List can be left blank but configuring it will enable the SANGFOR...

Page 95: ...st Blocking Time After Attack is Detected Max Attack Packets Per IP Configures the maximum packets including SYN packets ICMP packets and TCP UDP small attack packets of each IP or MAC address allowed...

Page 96: ...priate value to lower the possibility the computer being blocked by the IAM gateway device Configure the Max New TCP Connections Per IP as 1024 connections minute and Max Attack Packets Per IP as 512...

Page 97: ...of the front end router to the Static ARP List If the LAN PC has installed the Ingress Client then it can get the correct IP MAC address of the gateway and bind with it therefore we can make sure tha...

Page 98: ...this website for the first time will be cached by the IAM gateway device if a second LAN user wants to visit the same website the requested data basically the same with the data requested by the firs...

Page 99: ...le disk space for optimization Sessions Refreshes and displays the total current sessions every five minutes Memory Usage Displays the utilized memory by and the maximum available memory space for opt...

Page 100: ...ffic volume shows the external bandwidth saved by the IAM gateway device Flow speed Displays the flow speed of the data that are passing through the IAM WAN optimization module The information is disp...

Page 101: ...ercentage and times the cached data being matched hit by the requested data The information is displayed in Bar graph and Pie graph Hits may be counted by object or by byte Byte hit indicates the cach...

Page 102: ...d Instant Request Indicates the data requested by the LAN user for the first time or the request data that are not hit by the cached data No Cache Indicates the requested data that the extranet server...

Page 103: ...ings System Settings globally enables or disables the WAN optimization function as well as displays the Cache Usage information You can also clear the cache on this page WAN Optimization Globally enab...

Page 104: ...ectively Cache Usage Displays the utilized maximum memory space and disk space Click the Clear Cache button and it prompts whether to continue the operation as shown below If you confirm to clear the...

Page 105: ...AM gateway device will not update the cached objects within this time interval even though they have been updated by the server only after this time interval will the IAM gateway device update the cac...

Page 106: ...change in real time data of these websites need not be cached Restore Default Click this button to restore the factory default settings Having completed configuring this page you have to click the OK...

Page 107: ...o be cached When the websites specified in the list are visited related data will be cached regardless of visit frequency Enter the domain name or IP address or IP range into the list Restored Default...

Page 108: ...rol Policy mainly configures the policy controlling the LAN users to get access to the Internet It involves the configuration of Access Control Web Filter Email Filter SSL Management Application Audit...

Page 109: ...ted access control policy or policies Disable Click this button to disable the selected access control policy or policies Export Click this button to export the selected access control policy or polic...

Page 110: ...st to rename the policy as shown below Type the new name in the text box and then click the OK button to save the settings 7 1 1 Add Access Control Policy Under the default configuration page of Acces...

Page 111: ...escription for this access control policy Expiry Date Select Never expire or select Expired on and configure the date Status Configures the status of this policy itself Select Enable to enable this ac...

Page 112: ...ick the OK button to add one policy or multiple policies as shown below 7 1 2 Edit Access Control Policy Under the default configuration page of Access Control Policy click the name of a policy to ent...

Page 113: ...nd Reminder The followings are detailed introductions to each module 7 1 2 1 Access Control To facilitate network administrator to control the Internet activity of the LAN users SANGFOR IAM gateway de...

Page 114: ...inspected and then achieves control over certain application Application Control You have to check it to activate the rules configured under it as shown below Click the Add button to configure the app...

Page 115: ...with the application s configured above If several policies are associated adopt the default action of the next policy and continue matching downwards If multiple access control policies are associat...

Page 116: ...ot want to have the LAN users to browse WebPages during office hours you need to configure a service rule to deny HTTP service As to the detailed introductions to configuring the Destination IP Group...

Page 117: ...complete matching its rules or check this item and the data packets will continue to match the service rules of the access control policies followed Having completed configuring this page you have to...

Page 118: ...d then it needs to cooperate with ingress rule As to the detailed introduction to ingress rule please refer to Section 4 10 Ingress Rule 7 1 2 2 Web Filter Web Filter covers the configurations of HTTP...

Page 119: ...DISABLE Click this button to list all the valid URLs and hide all the invalid URLs Default Action Select Allow or Deny to configure the default action of the current access control policy to the HTTP...

Page 120: ...iguring this page you have to click the OK button to save the settings Advanced Filter Advanced Filter functions specifically for URL filtering of HTTP POST controlling the process of logging in or po...

Page 121: ...filter rules that are not in the above rule list This item functions in association with the valid URL s configured above Only allow login POST Select this item and it only allows login to WEBMAIL an...

Page 122: ...Ls Copy HTTP URL Filter Click this button and the HTTPS URL Filter page will copy the configurations in HTTP URL Filter Basic Filter page so as to create the same rules without configuring them one by...

Page 123: ...e filtering function for Search Engine and HTTP Upload Keyword Filter Check this item to activate the keyword filtering rules configured under it The configuration page is as shown below Search Engine...

Page 124: ...elected keyword s as Deny Disable Click this button to undo the Deny selection Having completed configuring this page you have to click the OK button to save the settings HTTP Upload HTTP Upload Confi...

Page 125: ...h BBS the access control policy will filter the limited file type s Upload Check this item to enable the function of filtering the to be uploaded file types Except checking the Upload item to achieve...

Page 126: ...ding MP3 or movie file the access control policy will filter these files Operating procedures are similar to those of Upload for details please refer to the related sections above The rules configured...

Page 127: ...h the help of ActiveX Filter rule Any ActiveX control will be required with signature and the untrusted plug in will be unable to be installed into the LAN computers In this way security of the local...

Page 128: ...eX control If the ActiveX control has no signature it will be filtered Block altered ActiveX Check this item and the access control policy will inspect whether the signature of the ActiveX control is...

Page 129: ...in it will be filtered It should be noted that the keyword configured here does not support wildcard characters length of each keyword within 64 bytes and total keywords within 32 Only Allow the Follo...

Page 130: ...ites Not filter ActiveX controls downloaded from the following websites You can add the websites among those in the white list group which will not be filtered The access control policy will not filte...

Page 131: ...e script filtering function and the built in internal rules will take effect functioning for controlling the illegal scripts SANGFOR IAM gateway device can filter JavaScript and VBScript Script Filter...

Page 132: ...mpleted configuring this page you have to click the OK button to save the settings 7 1 2 3 Email Filter 7 1 2 3 1 Send Receive Mail Email Filter mainly is used for limiting monitoring filtering the se...

Page 133: ...n will allow the LAN users to send or receive emails only through the email addresses with the vpn com cn suffix Deny emails containing the following keywords in title or content and Deny emails conta...

Page 134: ...m delay and audit whose suffix is vpn com cn Except the above settings you can also define the Mail size and Attachment number of the emails that should be audited Email contains the following keyword...

Page 135: ...er Address authentication must not be shorter than 3 characters otherwise the audited emails will fail to be audited 7 1 2 4 SSL Management SSL Management controls the LAN users to visit certain websi...

Page 136: ...allowed to be accessed This is what is called as the White list Deny expired certificate Check this item and it will verify whether the certificate has expired If it has expired the LAN user then cann...

Page 137: ...encrypted contents are to be audited or controlled one entry domain name per row If it is left blank no SSL application will be identified Control SSL transferred content Check this option and the SSL...

Page 138: ...payment etc 7 1 2 5 Application Audit Application Audit helps monitoring the Internet access information and records of the LAN users including configuration of Audit Option and Outgoing File Alarm 7...

Page 139: ...SANGFOR IAM v2 1 User Manual 138 Audit Option falls into the following aspects Application Behavior Audit Records all the behaviors of the LAN users on the Internet...

Page 140: ...page It is only applicable to the webpage containing the configured keyword s Enable Disable Select it to enable or disable the audit function over web content The audited items fall into Audit titles...

Page 141: ...Application Audit Audit all identifiable application behaviors All the options under Application Content Audit below are not included here If you want to record the chat content details through the e...

Page 142: ...rm All Alarm Encrypted Click it above below the file type list to configure the Alarm Option of the selected file type s Enable Disable Click it above below the file type list to configure whether to...

Page 143: ...al library and then click OK The access control policy will identify the application according to the features of this specific file type Customize file types extension ident Type the file type name i...

Page 144: ...x which are separated from each other with an English comma Set administrator email address for this policy Check this option and type the receiver of the alarm emails To successfully send the alarm e...

Page 145: ...m One log only records the detailed information of at most one file and the general alarm information of other file s If the outgoing file is delivered through email its eml format attachment will be...

Page 146: ...t access to the Internet through the IAM gateway device As to the configuration of a schedule please refer to Section 4 5 Schedule Max Online Duration Per Day Configures the online duration in unit of...

Page 147: ...ions of a single IP address reaches the threshold configured here the session connection request will be denied Having completed configuring this page you have to click the OK button to save the setti...

Page 148: ...the needed ingress rule s Delete Click it to delete the selected ingress rule s Having completed configuring this page you have to click the OK button to save the settings 7 1 2 8 Risk Ident Risk Ide...

Page 149: ...fied options are High Medium Low and Disable Outgoing Email Identification Configures the options to identify and block outgoing email anomaly Identification can be based on the number of same sized e...

Page 150: ...ion Sensitivity To have Outgoing Email Identification function work you have to enable Email Audit and configure the corresponding options For details please refer to Section 7 1 2 5 Application Audit...

Page 151: ...the list to remove a selected application from the list just click the application and then click the Delete button Reminder Time Configures the online time duration If a user uses up the allowed onli...

Page 152: ...ow speed exceeds certain Kbps the IAM gateway device will remind the user of it Type a value ranging 0 60 in the Statistics Period text box 0 but the averaged flow is not 0 indicates that the user wil...

Page 153: ...s continue to match the rules of the access control policies followed In other rule modules it takes the first rule as the final when matching the access control policy These rule modules include Acce...

Page 154: ...ptions The configuration page is as shown below 7 2 1 New User Authentication New User Authentication configures the default policy that is applicable to the users not included in the member list It c...

Page 155: ...v2 1 User Manual 154 Select All Inverse Click it to select the needed new user policy Move Up Move Down Click it to move up or move down the selected new user policy Add Click this button to add a new...

Page 156: ...st name as new user Automatically add the new user to the user list taking the host name of this user as its user name Get authenticated on server password required Authentication is made through the...

Page 157: ...ess control policy Taking the IP address as user name or taking host name as the user name requires the IAM gateway device binding at least with one IP address or MAC address of the user If the IAM ga...

Page 158: ...ork The configuration page is as shown below 7 2 2 1 Active Directory SSO When the host of the user logs in to the active directory server not for the first time it will automatically passing the WEB...

Page 159: ...e third one is to allocate SSO script by the domain controller and to send logon logoff information to the IAM gateway device The last SSO should have the help of a listening port to intercept the act...

Page 160: ...ill enable the user to logoff from the IAM gateway device when it is logging off 7 2 2 1 3 Configure Logon Script Program Logging in to the domain controller click Start Program Administrator Tool Man...

Page 161: ...SANGFOR IAM v2 1 User Manual 160 Right click the to be monitored directory in the pop up window and click Properties as shown below Select Group Policy and then Default Domain Policy as shown below...

Page 162: ...ser Manual 161 Then click User Configuration Windows Settings Scripts Logon Logoff in the pop up Group Policy Object Editor as shown below Double click Logon item and the Logon Properties dialog appea...

Page 163: ...SANGFOR IAM v2 1 User Manual 162 Click the Show Files button and a directory is opened Save the logon exe script file into this director and close the window...

Page 164: ...s close all the Group Policy Object Editor etc Having completed configuring the logon script you have to click Start Run and type the gpupdate and click the OK button to have the group policy configur...

Page 165: ...GFOR IAM v2 1 User Manual 164 Under the pop up Logoff Properties dialog click the Show Files button to open a directory and save the logoff script that is the logoff exe file And then close the direct...

Page 166: ...address 10 251 251 251 Then close the related configuration dialog page one by one Having completed configuring the logoff script you have to click Start Run and type the gpupdate and then click the O...

Page 167: ...ion is enabled and that the user logs in to the domain controller through its computer To use monitoring mode check Use monitoring mode and type the IP address and port of the domain controller in the...

Page 168: ...ironment of the POP3 authentication is as shown in the following figure If both the POP3 server and PC are in the local area network the authentication data will not be forwarded to the IAM gateway de...

Page 169: ...tication in IAM Authentication Options page Other Authentication Options and entitle the user s root group the privilege to access the POP3 server 7 2 2 3 WEB SSO Enable Web SSO Check this option to e...

Page 170: ...the user is identified as a success or a failure If you have checked Keyword indicating success and the keyword is contained in the return results of POST the authentication would be regarded as a su...

Page 171: ...then associate the IP address and the user according to the intercepted information of Proxy authentication 7 2 2 4 2 Network Environment Typical topology environment of Proxy authentication is as sh...

Page 172: ...ted over the network which helps to achieve single sign on Check If login data does not go through the device please set listening mirror port which should be idle and select an idle network interface...

Page 173: ...this list but have checked None for Authentication Method please refer to IAM Organization Structure Edit User page Advanced Settings User Attribute or Section 7 4 5 Edit User or some users have enab...

Page 174: ...e will be redirected to the user defined page Go to user ranking page If the LAN user gets authenticated successfully the Web page will be redirected to a ranking statistics page of the internal Data...

Page 175: ...anual 174 7 2 5 SNMP Option SNMP Option helps to achieve Internet access through binding MAC or binding IP and MAC address when a layer 3 switch exists in the networking environment The configuration...

Page 176: ...8 30 245 00 0f e2 59 0c 1f 1 3 6 1 2 1 3 1 1 2 public Having completed configuring the page you have to click the OK button to save the settings If you enable and configure SNMP Option the layer 3 swi...

Page 177: ...is excepted Check this option and the privileges of root group on various service and applications HTTP service excluded are also available for the users who have not yet gotten authenticated With Pa...

Page 178: ...installed automatically the user can also click the link Ingress Client to download and manually install the Ingress Client 7 3 Authentication Server Authentication Server Configures the third party...

Page 179: ...page appears as shown below Server Type Select the needed server to open the corresponding settings 7 3 1 LDAP LDAP server supports Microsoft SGtive Directory SUN LDAP and OPEN LDAP server You can sel...

Page 180: ...essary please turn to the system administrator of LDAP server for detailed configuration guide to this page Server Name can only contain English characters Otherwise you may fail to import the AD user...

Page 181: ...figuration guide to this page 7 3 3 POP3 POP3 server configuration page is as shown below You can configure the IP address Authentication port and Timeout for the POP3 server 7 4 Organization Structur...

Page 182: ...or subgroup Access Control Policy Displays the associated access control policy policies of the current root group subgroup or user No Sequence number of this member in the current group Type Type of...

Page 183: ...h Search Click this button and set the specific conditions to search for user s or user group s among the existing subgroup and users as shown below in this example it searches for all the subgroups a...

Page 184: ...nditions to find a needed group or user The advanced search conditions are Authentication Method Other Option and Sort By Search Click this button to have the matching subgroup s or user s displayed i...

Page 185: ...iguration page is as shown below Group Name Group Name List Configures the name or name list of the subgroup or subgroups Group Path Configures the path of parent group of the to be created subgroup I...

Page 186: ...oup button and follow the instructions to add subgroup For instance to add a subgroup for the 2222 you have to click 2222 on the left tree and then click the Add Subgroup button The hierarchic structu...

Page 187: ...ection Add User Click this button to add user s for the current group For detailed configuration please refer to the next section Multi Edit Click this button to edit the items that all of the selecte...

Page 188: ...configuration page of its upper level group Export Click it to export the structure or the members of the current group for the purpose of saving them The exported information includes the properties...

Page 189: ...nd import functions are only available for the subgroup members User members cannot be exported or imported like that for different users on the SANGFOR gateway cannot have a same name while group can...

Page 190: ...o the policy list As to the configuration of the access control policy please refer to Section 7 1 Access Control Policy Move Up Move Down Click it to move up or move down the selected access control...

Page 191: ...led introductions and notes please refer to Section 7 1 Access Control Policy 7 4 4 Edit User Under the Member List page click the Add User button to add user s The configuration page is as shown belo...

Page 192: ...ated user If Multiple users is selected you cannot configure the Display Time bind IP or MAC address or create DKEY authentication user The configuration page is as shown below Having completed config...

Page 193: ...is added successfully and the new user is listed in the Member List 7 4 5 Edit User Under the default configuration page of Member List click the name of a user to get into the configuration page of...

Page 194: ...device Options are Bind IP Bind MAC Bind both IP and MAC and No binding If No binding is selected you have to configure an authentication method Password Dkey or Only allow SSO You can click Format I...

Page 195: ...ange respectively Get from IP group Click it to select an already defined IP group as to the configuration of IP group please refer to the relevant part in Section 4 5 Schedule Clear List Click it to...

Page 196: ...e the device will scan and get the MAC addresses of these IP addresses Clear List Click it to clear all the MAC addresses in the list The local device scans the MAC addresses of the configured IP addr...

Page 197: ...owed as shown below To add IP MAC address you can directly enter the IP MAC address in the Binding text box or click Scan MAC address Scan MAC address Click it and select scan object Single IP IP rang...

Page 198: ...Binding No binding indicates not binding with any IP address or MAC address If this item is selected you then have to configure at least one Authentication Method The Authentication Method configurati...

Page 199: ...cture list the user groups Click OK to add the needed and selected user group Click Cancel to give up selecting the user group 7 4 5 3 Authentication Method Authentication Method includes four options...

Page 200: ...multiple Password authentication methods to verify a user Matching one of the authentication methods will have the user username get authenticated DKEY Indicates that the user s identity is verified...

Page 201: ...t to Write Dkey Click this button to generate the DKEY None Indicates that user need not enter the WEB username and password to get authenticated If this option is selected at least one of the binding...

Page 202: ...is user will get invalid If more than one Password authentication methods Custom password LDAP authentication RADIUS authentication and POP3 authentication are checked identity will be authenticated f...

Page 203: ...key if the DKEY is to prevent monitoring to generate the DKEY you must check Enable monitor free Dkey Enter the IP address of the IAM gateway device in the IE browser and press the Enter key and the I...

Page 204: ...ol policy for an individual user Under the Edit User default configuration page click Access Control Policy and the corresponding options appear as shown below The configuration of access control poli...

Page 205: ...other by a vertical bar including the case that the field is blank If one field has several values such as several IP addresses they are separated from each other by a comma Option Check When a user...

Page 206: ...rs according to Single IP IP range or Subnet Filling in the corresponding information you can click the Scan button and the host name IP and MAC addresses will be displayed in the Content table Or cli...

Page 207: ...domain server to the IAM gateway device and for realizing the automatic synchronization of the user and organization structure of the domain server Presently this function only supports MS SGtive Dir...

Page 208: ...iew Sync Report Click it to view the LDAP synchronization report Refresh Click it to refresh manually and view the synchronization status 7 6 1 Sync by LDAP Organization Structure Sync by LDAP organiz...

Page 209: ...e Select button to view the organization structure in unit of OU of the domain server and select a needed OU Filter Configures the filtering condition for synchronization according to the domain param...

Page 210: ...me Displays the time of the latest synchronization and whether it synchronized successfully Having imported successfully the organization structure and the users into the IAM gateway device the group...

Page 211: ...ifference that the selected and imported Import Remote Target are the security groups of the domain server 7 6 3 View Sync Report Each synchronization option of Active Directory will produce its own s...

Page 212: ...enerated Sync Status Displays whether it is a successful synchronization Clear Click this button to clear all the reports recorded Each synchronization mode supports maximum 10 synchronization policie...

Page 213: ...log out Block For Click it and configure the time You can block the selected online user to get online for some time Search Conditions Configures the filtering conditions on searching for user s Sear...

Page 214: ...locked user s including No Login Display Name Authentication Method Group IP Address Blocking form and Left Blocking Time Unblock Click this button to unblock the selected blocked user s Having been u...

Page 215: ...applications and limit the uplink downlink bandwidth as well Besides you can create specific policy according to the service user guaranteed bandwidth and maximum bandwidth Sub channel can also be bui...

Page 216: ...es what bandwidth channels are to be displayed Options are All and Running channels History Info Configures the time period during which the flow and speed statistics are made and displayed in the lis...

Page 217: ...idth Displays the guaranteed bandwidth that the IAM gateway allocates for the channel Max Bandwidth Displays the maximum bandwidth configured on the IAM gateway device Priority Displays the priority o...

Page 218: ...orresponding bandwidth channel s displayed in the bandwidth channel list 8 2 1 Bandwidth Channel SANGFOR IAM bandwidth management BM module offers bandwidth allocation function to configure assured ba...

Page 219: ...are matched from top to bottom 8 2 1 1 Add Bandwidth Channel Click the Add Parent Channel button and the Edit Bandwidth Channel configuration page appear as shown below Channel Name Type one more name...

Page 220: ...on is selected you need then select an Application Type and a specific Application If Website is selected you need then select a Website Type from the internal library If File is selected you need the...

Page 221: ...or Limited channel If the selected one is Guaranteed channel this policy will guarantee the user with the minimum bandwidth if the selected one is Limited channel this policy will limit the bandwidth...

Page 222: ...imit of uplink downlink bandwidth width or rate of this bandwidth channel Or select Limited channel and the following items appear as shown below Bandwidth Allocation Policy Configures the bandwidth f...

Page 223: ...heck the advanced option the external IP address node will be taken as one member of the LAN users nodes that is to say the Allocation Policy and Max Bandwidth Per IP will also be applied to the exter...

Page 224: ...th Channel to add a sub channel The rate configured and bandwidth calculated and allocated for the sub channel child channel are based on its parent channel the total bandwidth will never exceed that...

Page 225: ...he Edit Bandwidth Channel page and edit this bandwidth channel policy Enable Disable Delete Select one or more bandwidth channels and then click Enable Disable or Delete button to enable disable or de...

Page 226: ...flow from top to bottom To edit multiple bandwidth channels at the same time you have to first select the needed bandwidth channels and then select a template Click the Edit button and the configurati...

Page 227: ...figuration page is as shown below Click the Add button to enter the Exclusion Policy configuration page and add a new exclusion policy as shown below Name Type a name for this exclusion policy Applica...

Page 228: ...ndwidth configuration The configuration page is as shown below Bandwidth configuration can be in unit of Kbps and Mbps Under the Bridge mode the virtual line will be automatically enabled Maximum 4 vi...

Page 229: ...rtual line and the total bandwidth of the all the virtual lines must NOT be more than the total bandwidth of the physical line One IAM gateway device supports maximum 4 virtual lines The configuration...

Page 230: ...rnet devices connecting to the front end of the IAM gateway device and the gateway mode of the IAM gateway device is Bridge mode Multi Bridge Configure the virtual line rule s according to certain pol...

Page 231: ...ransmission options are All TCP UDP ICMP and Others Select TCP or UDP and then you have to configure LAN Port and WAN Port select Others and you have to configure Protocol Number LAN Port WAN Port Con...

Page 232: ...SANGFOR IAM v2 1 User Manual 231 Maximum 4 virtual lines are supported by one IAM gateway device Virtual Line configuration is only available for Bridge mode...

Page 233: ...gs and Sending Attempts Click Delayed Email Audit or Email Audit Policy the Edit Audit Policy configuration page appears as shown below Timeout Configures the timeout for audit It is 1 hour by default...

Page 234: ...nal Data Center 9 3 Unaudited Email Search By Select an object Group User or IP address Then click the Search button to have the matching unaudited emails listed Click Download to view the contents of...

Page 235: ...ion Ranking Connection Monitoring and Behavior Monitoring Flow Ranking Displays the real time flow information caused by the LAN users getting access to the Internet Connection Ranking Displays the nu...

Page 236: ...time flow information caused by the LAN users getting access to the Internet You can obtain the host name of an IP address and block the selected user s to get access to the Internet The page is as sh...

Page 237: ...ally refresh the data You can click Save Preference to save the settings and facilitate you to view your preferred statistics displayed by default next time Stop Refresh Click this button to have the...

Page 238: ...Blocked and then click the Search button To unblock a user just select the user and then click the Unblock button Click the Auto Update button and you will see that there is flow caused by the unblock...

Page 239: ...address has established with the external networks It only displays the top 200 connection rankings IP addresses Under the Connection Monitoring page enter an IP address and click the Search button t...

Page 240: ...system automatically delete the audit logs Options are Delete the audit logs that were generated _ days ago automatically When the size of logs exceeds _ of the partition delete the logs of the first...

Page 241: ...ing domain name ensure that the IAM gateway device can parse the domain name the IAM gateway should be able to access the Internet Data Sync Account Data Sync Password Enter the account name and passw...

Page 242: ...Web Port Configures the port through which the external Data Center provides WEB services Click the Enter External Data Center http IP PORT varies with IP address and port to enter the login interfac...

Page 243: ...you to log in to the internal Data Center of the IAM gateway device as the present user to search for the logs and make statistics in real time Click the Internal Data Center button to log in to the D...

Page 244: ...and search among massive data records in the Data Center will consume large resources it is recommended NOT to have the internal Data Center store large amount of data If your networking produces mas...

Page 245: ...configuration page is as shown below 11 1 System Logs System Logs displays the running information of each function module of the IAM gateway device With the help of these logs you can tell whether ea...

Page 246: ...5 define the display of the system logs as shown below Having completed defining the Display Options and Filter Options you have to click the OK button and then click the Refresh button to apply the n...

Page 247: ...packet for what reason so as to locate the configuration mistakes made on certain module or test whether some rules is taking effect or not The page is as shown below Check the Set Conditions to view...

Page 248: ...will the denied information be recorded Click Enable Drop List to enable the Drop list all the access control policies configured on the IAM gateway device are taking effect and the packets applicabl...

Page 249: ...ich caused faults such as network disconnection etc and therefore helps the network administrator to quickly correct the configurations Close Drop List Click this button to close the Drop list and dis...

Page 250: ...icy troubleshooting The configuration page is as shown below Capture Packets Configures the total number the packets to be captured Simple capture unknown flow Select this item and configure the condi...

Page 251: ...the Stop capturing button to have it stop capturing the data packets And then you will see a captured file with the file extension pcap in the Capture File List as shown below Click View to open the C...

Page 252: ...ails to view the detailed data loaded by the data packets as shown below Advanced TCPDUMP Select this item and configure the conditions such as network interface and TCPDUMP filter expression which he...

Page 253: ...l 252 Click the Delete button to delete a selected captured file or click Download to save the file into a specified file path of the local computer This captured file can be opened by the software su...

Page 254: ...arm function This is an overall switch for the alarm function only with which will the email alarm function take effect Alarm Events Includes Disk Space Alarm Bandwidth Alarm Attack Alarm Antivirus Al...

Page 255: ...ing the rules configured on the firewall module as the firewall module decides whether to allow or deny the data packet only according to the destination address and port To have the firewall module f...

Page 256: ...be detected however that will surely slower down the processing speed of the IAM gateway device It is recommended to fill in the IP addresses of some relevant proxies To ensure the data go through th...

Page 257: ...ebpages Select this option and it will not record URL in detail but only the root of the URL If you want to have it record the full URL DO NOT select this option Record all visited webpages Select thi...

Page 258: ...options are checked these two URL filter rules are of OR relationship That is to say if either of them is satisfied the URL will not be audited recorded A prefix matches a URL from the first characte...

Page 259: ...resses that are involved in the exclusion rule the firewall rule has higher priority As the IP address of IM instant message server may vary from time to time it is impossible to absolutely free the I...

Page 260: ...ponding prompt page will not pop up Edit Page There are codes of some pages provided by the IAM gateway device You can modify the codes to define the prompt page You are recommended to only modify the...

Page 261: ...the Iceland provider F PROT that has high detection rate and effectiveness The internal virus library of the IAM gateway device updates together with the virus library of F PROT generally in 1 2 days...

Page 262: ...ction gets expired the virus library can neither be updated automatically nor be updated manually though the antivirus function still works POP3 antivirus and SMTP antivirus is realized by the proxy f...

Page 263: ...nalyzing its true use and therefore decide whether to allow the data packets get into the local area network This section mainly introduces the parameters and the configuration of the intrusion protec...

Page 264: ...v2 1 User Manual 263 Defense Level There are three levels of defense rules provided by the SANGFOR IAM gateway device High Medium and Low Select a level according to the actual security need of your...

Page 265: ...ta transmission among WAN LAN and DMZ zones against attacks according to your case They are all enabled by default Defense ability of High Medium and Low is in descending order In general it is recomm...

Page 266: ...orresponding IPS rule If it happens that some legal and common applications are misjudged by the intrusion protection system select a lower defense level Procedures are select a rule and click the Edi...

Page 267: ...ow Stop Service Click this button to stop the VPN service temporarily 13 3 2 Basic Settings Basic Settings covers the VPN connection related configurations such as Webagent information MTU Minimum com...

Page 268: ...e the shared key and prevent illegal device from connecting in If it has multiple lines and the IP address es is static IP the format of Webagent can be IP1 IP2 port If the Webagent password gets lost...

Page 269: ...Indirectly connect If the Internet IP address can be obtained directly or the Internet users can access the VPN port of the IAM gateway device with DNAT destination translation function select Directl...

Page 270: ...er to enable hardware authentication DKey and virtual IP The default configuration page is as shown below Click the Check Dkey button to inspect whether the DKey has inserted into the USB port of the...

Page 271: ...t and save the users information of this IAM gateway device to the local computer You can decide whether to export it as Plaintext or as Cipher text The dialog is as shown below Click the New Group bu...

Page 272: ...group attributes User Group is only available when there is a user group existing please create user group first If Use Group Attribute is checked the Algorithm Enable My Network Places and LAN Privil...

Page 273: ...the data to be transmitted between the IAM gateway device and the user according to the selected algorithm This is a unique technology of SANGFOR VPN It will take the best advantage of the bandwidth i...

Page 274: ...nd configuration options to manage these nodes These configurations are available in Connection Management page Connection Management function is only necessary when the local device need connect to o...

Page 275: ...nnection Primary Webagent Secondary Webagent Type the primary and secondary Webagent of the to be connected VPN headquarters Click the Test button followed to check the availability of the Webagent Th...

Page 276: ...rters and the branch VPN apply different Internet service providers ISP and these different links cause frequent packet loss this option is recommended to be checked You can also configure the network...

Page 277: ...e IP completely the same with those fulfilled as a VPN headquarters LAN user For instance a mobile VPN user can visit any LAN computer of the VPN headquarters though its computer does not direct its g...

Page 278: ...pe the start IP and end IP The dialog is as shown below Click the Advanced button to open the Advanced Setting configuration dialog enter DNS WINS server address and the mask of virtual IP that is to...

Page 279: ...Use the following DNS server addresses otherwise the addresses configured in Advanced will not be allocated to the virtual network adapter of the mobile VPN user s computer 13 3 6 Multiline Settings...

Page 280: ...If your networking has multiple lines connecting to the external network check Enable Multiline and then add the line Click the New button to enter the Edit Multiline page and add a new line the confi...

Page 281: ...t is an ADSL or Dial up line the Testing DNS can be left blank As to the Preset Bandwidth the uplink and downlink bandwidth must be coherent to the actual bandwidth Under the default configuration pag...

Page 282: ...ion port etc For example the Branch1 172 16 1 0 24 need visit the FTP server IP 192 168 1 20 of its headquarters We are to configure a multiline routing policy so as to have the data packets from Bran...

Page 283: ...Settings configuration dialog configure the IP addressed and ports and select a protocol as shown below Protocol Select a protocol for data transmission In this example it is TCP Source IP Type a LAN...

Page 284: ...ts Under the Edit Multiline Routing Policy page select Bandwidth stacking and check the Advanced button to enter the Advanced Settings page as shown below Select the needed line for data transmission...

Page 285: ...ay device and the branch VPN users also need to visit other subnets of this network the VPN headquarters For example there are two subnets 192 200 100 x and 192 200 200 x We are to configure the Local...

Page 286: ...onfiguration function You can configure route for the VPN tunnels to achieve interconnection among different VPNs software hardware and establish a true web like VPN network The Tunnel Route default c...

Page 287: ...to the user that is used to establish the VPN connection with the headquarters that is the user selected in the VPN Settings Connection Management Edit Connection configuration dialog It determines t...

Page 288: ...Enable Tunnel Route and click the New button to add a route directing to the Shanghai branch as shown below Source Subnet Configures the network ID of the source subnet In this example it is 10 1 1 0...

Page 289: ...s the mask of the source subnet In this example it is 255 255 255 0 Destination Route User Configures the VPN device to which this tunnel route directs indicating the corresponding username selected i...

Page 290: ...Device List Device List can enable the SANGFOR IAM gateway device to connect with a peer VPN to establish a standard IPSec connection It is the first phase of negotiation of the standard VPN protocol...

Page 291: ...SANGFOR IAM v2 1 User Manual 290 Click the Advanced button to view the advanced settings The configuration dialog is as shown below...

Page 292: ...ser Manual 291 13 3 10 2 Security Option Security Option configures the parameters used for establishing standard IPSec connection This is the second phase of IPSec negotiation The configuration page...

Page 293: ...er device The policy includes the rules of Protocol AH or ESP Authentication Algorithm MD5 or SHA 1 and Encryption Algorithm DES 3DES or AES Click the New button and the Security Option appears as sho...

Page 294: ...h applies a different policy you then have to add the policy of each device to the security potion list i e create the corresponding policy for each device 13 3 10 3 Outbound Policy Outbound Policy co...

Page 295: ...Manual 294 13 3 10 4 Inbound Policy Inbound Policy configures the rule used for data transmission from the peer device to the local device Click the New button and the corresponding Policy Settings a...

Page 296: ...SANGFOR IAM v2 1 User Manual 295...

Page 297: ...source IP addresses allowed to connect in out by the local VPN device are those that are included in both the Source IP configured in the inbound outbound policy and the Source IP Range referenced by...

Page 298: ...ion dialog appears as shown below In this example the Office hours is the enabled time period which means the rule will take effect during this period if it has referenced this schedule Having complet...

Page 299: ...d with some encryption algorithms and authentication algorithms such as MD5 SHA 1 DES 3DES AES SANGFOR_DES You can also add some other authentication or encryption algorithms If necessary please conta...

Page 300: ...rvice so as to ensure the security of the VPN channels and achieve secure management Generally speaking there are two steps to configure the privilege of the user to access LAN service a create LAN se...

Page 301: ...ox and check the protocol in this example it is FTP service using TCP protocol Step 2 Click the New button to configure the IP ranges The configuration dialog is as shown below Source IP Fill in the s...

Page 302: ...ser Here you are just defining the LAN services After these configurations you have to go to Security VPN Settings User Management to create an account new user and then configure the LAN Privilege to...

Page 303: ...er 172 16 1 200 can only access the FTP server 192 168 1 20 and the requests initiated by other IP address of that local area network will be denied These configurations also disable the access reques...

Page 304: ...ity no such a physical interface is seen 13 3 12 3 LDAP Server The VPN service of SANGFOR IAM gateway supports LDAP authentication through a third party If you need to have a third party to fulfill LD...

Page 305: ...in server you can click the Advanced button to open the Advanced Settings dialog The configuration dialog is as shown blow Configure these settings according to your case 13 3 12 4 Radius Server The V...

Page 306: ...features of this device and is then encrypted Due to the uniqueness of the device hardware the corresponding certificate is also unique and cannot be counterfeited Through this way requiring authenti...

Page 307: ...d are Current status of DHCP service Allocated IP Addresses Host Name and MAC Address Click the Refresh button to refresh the status 14 2 DHCP Settings DHCP settings are detailed parameters of the DHC...

Page 308: ...neither of the DNS is configured no DNS will be allocated to the client end s computer WINS is up to your specific application being filled in or left blank DHCP IP Ranges Type the start IP and end I...

Page 309: ...that the DHCP IP ranges configured here must not conflict with the static IP addresses of other working LAN computers Generally the IP address in the DHCP IP range list must not be the IP address who...

Page 310: ...izard Configuration Wizard introduces the flow and steps of the basic configurations with link to configuring a specific module Just click the item in blue to directly get into the corresponding confi...

Page 311: ...teway restoration system In addition the gateway restoration system can be used to inspect the running state of the network interface and configuration of the routing as well as to modify the working...

Page 312: ...in the figure below Search It will automatically search for the SANGFOR gateway devices in the local area network as long as there is no routing devices between the local computer and the IAM gateway...

Page 313: ...ed for updating the kernel Firmware of IAM and the latter Restore Default Configuration for restoration of the default configuration These operations will update the key document of the device or will...

Page 314: ...please contact the technicians of SANGFOR for instructions Brief update procedures are Step1 Upload the corresponding update package to the Gateway Client Updater Step2 Log in to the Gateway Client Up...

Page 315: ...Update Update Firmware be clicked Download Please visit the SANGFOR official website www sangfor com to download the corresponding update package Tools Submenus are Ping Route Table ARP Table Network...

Page 316: ...lete Local Records as shown in the following figure View Gateway History View the update log of the IAM gateway device View Local Records View the update log of the local Gateway Client Updater Delete...

Page 317: ...the default configurations need to be restored log in to the device and click Update Restore Default Config To update the Firmware kernel of the SANGFOR gateway device please DO follow the instruction...

Page 318: ...t Transfer Protocol ICMP Internet Control Message Protocol IM Instant Message IP Internet Protocol IPS Intrusion Prevention System ISP Internet Service Provider LAN Local Area Network LDAP Lightweight...

Page 319: ...SANGFOR IAM v2 1 User Manual 318 UI User Interface URL Uniform Resource Locator VID VLAN ID VLAN Virtual Local Area Network...

Reviews:

No comments