background image

14.1.2.11.1 Connection with Server 

 

 282

PFS is not recommended, but may be necessary for interoperability with other IPSEC
implementations.

With inbound connections, SX-GATE will accept connections without PFS only when
this option is set to "optional". An arbitrary Diffie-Hellman group is accepted when set to
any other value. If however SX-GATE initiates the connection, it will use the same DH
group which has been negotiated for phase 1 when set to "required". You can configure
a specific DH group if the "ESP proposals" list is not empty.

SHA2-256 96bit draft version

The default ESP hash truncation for sha2_256 is 128 bits. Some IPsec implementations
(Linux before 2.6.33, some Cisco routers) implement the draft version which stated 96
bits.

This  option  enables  using  the  draft  96  bits  version  to  interop  with  those
implementations.

Another workaround is to switch from sha2_256 to sha2_384 or sha2_512.

ESP proposals

The  phase  2  proposals  determine  acceptable  ciphers  and  hash-algorithms  for  the
actual data transmission.

If  no  proposals  have  been  entered  here,  all  proposals  SX-
GATE  supports  are  accepted.  As  initiator,  it  will  propose  all
combinations of AES128 and 3DES with SHA1 and MD5.

14.1.2.11.1-E

 Connection

Connection

Here you have to determine how the VPN connection will be established.

automatically

The VPN server of SX-GATE tries to contact the peer in order to establish a VPN
connection.  Of  course  it  will  also  respond  if  the  peer  contacts  SX-GATE.  This
option is not available if the peer has a dynamic IP address.

wait for incoming connection

Here, SX-GATE waits for the peer to establish the connection.

disabled

This setting will deactivate the corresponding VPN connection.

Summary of Contents for SX-GATE

Page 1: ...State 2016 12 13 V7 0 2 0 User Guide ...

Page 2: ...8 4 Start up 19 4 1 Prerequisites 19 4 2 Switching on and booting 20 4 3 Setting up SX GATE s IP address 21 4 3 1 Changing the IP address with the display 21 4 3 2 Changing the IP address with the web browser 22 4 4 Check the connection to SX GATE 23 5 First settings 24 5 1 Accessing the web administration interface 24 5 2 Basic configuration 25 6 Configuring computers in the LAN 26 6 1 Network pa...

Page 3: ...g 50 10 1 Log files 50 10 1 1 Settings 50 10 1 2 Search 52 10 2 Network 57 10 2 1 Status 57 10 2 2 Dial up 60 10 2 3 Tools 62 10 2 4 SNMP 66 10 3 Mail server 68 10 4 Web proxy 72 11 Definitions 74 11 1 IP objects 74 11 2 Protocols 78 11 3 Periods 80 11 4 URL filter lists 81 12 System 85 12 1 Setup 85 12 2 Services 93 12 3 User administration 101 12 3 1 Settings 102 12 3 2 Users 107 12 3 3 Groups 1...

Page 4: ...4 1 2 9 OpenVPN Server ovpns Per client setup 271 14 1 2 10 IPSec VPN ipsec 272 14 1 2 11 IPSec VPN ipsec Connections 275 14 1 2 11 1 Connection with Server 276 14 1 2 11 2 Connection with Client 284 14 1 2 11 3 Connection with XAuth Client 289 14 1 2 11 4 Connection with L2TP Client 294 14 2 Firewall 300 14 2 1 Settings 300 14 2 2 Policies 302 14 3 DHCP 318 14 4 DNS 324 14 4 1 Settings 324 14 4 2...

Page 5: ...P proxy 437 14 9 4 SOCKS proxy 439 14 10 HTTP server 441 14 11 FTP server 445 14 12 Virusscanner 446 14 13 Time server 451 15 Configuration of an L2TP IPSec VPN client 453 15 1 Microsoft Windows 453 15 1 1 Automatic configuration 454 15 1 2 Manual configuration 457 15 2 Mac OS X 473 15 3 Apple iPhone 474 16 Contact 477 17 SX GATE Support 478 18 Technical Specifications 479 19 CE Statement of Confo...

Page 6: ... All information and contacts are provided in chapter Contact p 477 1 1 Guidelines This manual s composed with great care and accuracy However XnetSolutions KG accepts absolutely no guarantee or liability regarding completeness and flawless content Since this device provides the same functionality as a router it is important that all settings are monitored and checked when first set up For instanc...

Page 7: ...ncludes software developed by Pedro Roque Marques This product includes software developed by Reuben Hawkins This product includes cryptographic software written by Eric Young eay cryptsoft com This product includes data from The Université Toulouse 1 Capitole Blacklist UT1 maintained by Fabrice Prigent http dsi ut capitole fr blacklists available under the Creative Commons Attribution ShareAlike ...

Page 8: ...ducts that are named in this document are registered trademarks of their respective owners SX GATE is a registered trademark of XnetSolutions KG The naming of unlisted trademarks does not necessarily mean their free availability Copyright XnetSolutions KG ...

Page 9: ...es 9 2 Precautions and Guidelines Before you start to operate SX GATE please read through the following sections very carefully 2 1 Warning To prevent fire and electric shocks please keep this device away from rain and wet areas ...

Page 10: ...t while open under any circumstances since this may cause an electrical shock Furthermore serious damage may be caused to the device itself There are no parts inside the device which should be tampered with by non specialists Please refer to customer service with regard to upgrades or repairs ...

Page 11: ...y and use the power plug with moist or wet hands Keep the network cable away from heat and do not place any heavy objects on it If the device starts to emit smoke unusual noises or smells remove the power plug immediately and contact customer services ...

Page 12: ...eas with a high temperature more than 35 C or areas that are moist more than 90 and dusty Do not try and set up the device where vibrations may be present Use a flat surface otherwise the inside of the device will be prone to damage Keep SX GATE away from magnetic areas or areas that contain magnet e g Speakers ...

Page 13: ...ing Keep the carton with all the packaging material for later transportation If the device is exposed to extreme temperature fluctuations e g from a cold vehicle to a heated room wait approx 1 hour so it can become acclimatised This is advisable since condensation may have built up in the device which can cause serious damage ...

Page 14: ...Provided 14 3 2 Accessories Provided Check the packaging contents with the following list If any parts are missing please contact your dealer see chapter Contact p 477 SX GATE Internet Firewall Gateway Power cable 220V ...

Page 15: ...also via VLAN ADSL with PPP over ATM PPPoA via modem with PPtP to PPPoA Relay The connection to an ADSL dial up has to be set up via an external DSL modem A suitable modem will be provided by your ISP If a router with integrated DSL modem has been provided it is recommended to put the router into modem mode PPPoE passthrough We recommend to connect the DSL modem directly through an otherwise unuse...

Page 16: ... network interface is provided for an Internet connection The interface is called eth1 and may also be labeled with the acronyms DSL or WAN Connect this interface directly with the external router This might require a crossover network cable which is not included Alternatively you can connect via an additional switch Please use a dedicated switch and not the LAN switch in this case ...

Page 17: ...nected to your LAN via the first network interface of the system The interface is called eth0 and may also be labeled with the acronym LAN Connect this interface with an unused port of your LAN switch Make sure that you do not reverse the interfaces Confusing can result in SX GATE not being addressable ...

Page 18: ...e device to the power supply Please note that operation of the device is only possible at 230 volts alternating current AC We recommend to connect the device with an uninterruptible power supply UPS unit Otherwise in case of a sudden power failure the SX GATE configuration and respective hardware components could be affected ...

Page 19: ...e via web interface a computer device with a web browser like for example Microsoft Internet Explorer or Mozilla Firefox is required This device must be able to access SX GATEs LAN interface via network It might be necessary to temporarily change the device s IP configuration ...

Page 20: ... button on the front of the device The boot process takes about two minutes Please wait for this period before you continue Some SX GATE models include an LCD display in the front panel It indicates that the device is ready when the boot message is replaced by a status display ...

Page 21: ...you can assign 254 IP addresses in the range 192 168 0 1 to 192 168 0 254 to your LAN devices To change SX GATE s LAN IP the following options are available 4 3 1 Changing the IP address with the display Some SX GATE models have built in displays for status information Via the display you can also configure SX GATE s LAN IP address and network mask Press the Enter button to enter the IP Configurat...

Page 22: ...the computer for details If the computer optains its IP configuration automatically from a DHCP server you can connect the computer directly with the LAN port of SX GATE By default SX GATE acts as a DHCP server You might need a crossover network cable which is not included As an alternative you can place a network switch between SX GATE and the computer but please make sure that no other device is...

Page 23: ...uters operating system and enter the following command ping 192 168 0 254 If you have already changed SX GATE s IP address please replace 192 168 0 254 with its current IP If you receive an error message please check all settings and correct faulty entries Check the cabling and network ports Are the link LED on the switch and the network cards illuminated If a firewall is installed on your system ...

Page 24: ...receive a certificate warning please check the IP address you ve entered in the browser Also the address must start with https not with http Make sure the browser is not configured to use a proxy which might interfere with the connection In some cases a screen may appear asking for the SX GATE license key You should have received the key from your SX GATE dealer The key consists of 5 groups of cha...

Page 25: ...uestionmark icon or the titel of the option you re interested in to display the corresponding online help section If you still have to change SX GATE s LAN IP the wizard LAN integration will let you configure a new address Please note that right after you finish this wizard SX GATE will no longer be reachable using its old IP It s now time to reset your computer s IP address if you had to change i...

Page 26: ... full Internet access SX GATE s LAN IP has to be configured as the computer s default gateway router and DNS server If the system obtains its IP configuration automatically from a DHCP server these settings have to be configured in the DHCP server In a typical windows network the IP address of the Windows server instead of SX GATE s IP is configured as DNS Enter SX GATE s LAN IP as forwarder in th...

Page 27: ...rnet access without proxy configuration Open the proxy settings of the browser They can be found in different menus depending on the web browser used Look for network connection or LAN settings or refer to the browser s manual Enter the LAN IP of SX GATE and port 8080 as proxy In browsers used to configure SX GATE you should exclude SX GATE s LAN IP from proxy access It is also possible to use a p...

Page 28: ...ocklet s position within a dock or move it between the dock of the homepage and the permanently visible dock on the right On the top of each dock there s a multi column area Docklets dropped here will occupy the full width of the dock Drop the docklet below to place it in one of the columns with normal width The docklet positions and also the dock width are stored in a browser cookie Click the ico...

Page 29: ...o help text is available for this item 7 1 Getting started This docklet provides a checklist for SX GATE s initial basic setup Click on the texts to configure the corresponding subsystem or task When done close the docklet by clicking on the X icon in the top right hand corner so there s more space for the other docklets 7 2 Ressources This docklet shows a bar graph of the CPU load the system load...

Page 30: ... duplex mode full half whether the auto negotiation is enabled or not the current link status A or a white signal indicates that the system can t determine this value 7 9 Live log In the title bar of the live log you will find some additional icons which have not already been explained in the docklets section Click the additional icons to clear the view filter which lines you want to see and selec...

Page 31: ...his are all multipliers refering to the directly preceding character set or group The question mark makes it optional zero or once with an asterisk it may occur zero or more times with the plus sign at least once one or more times pipe symbol Means or The expression 19 20 would be suitable to filter the time to 7pm or 8pm circumflex dollar These characters represent the start and the end of a text...

Page 32: ...ing the password In cases of getting into trouble contact information can be deposed in the submenu Contact 8 1 Change password New password Here you can change your password which is required to access various services of SX GATE When typing the new password an asterisk will be displayed for every character To verify the new password you have to enter it twice ...

Page 33: ...rol if a copy of each mail will be delivered to your mailbox even when forwarding your mail to other addresses If the option is not checked your mailbox will not receive emails any longer If forwarding is not active this option is without effect 8 2 B SPAM filter If you enable at least one of the thresholds every incoming mail has to pass a SPAM mail filter before it is delivered to your mailbox A...

Page 34: ...f the mail is prefixed by the text SPAM and the SPAM score Deliver tagged emails to As an option SX GATE can deliver tagged SPAM mails into a separate SPAM folder This folder is accessible with SX GATE s web mailer or via IMAP folder Mail SPAM A POP3 client will not be able to open the SPAM folder Delete SPAM HAM after Mails from the SPAM and HAM folders are automatically deleted after the given n...

Page 35: ...il s subject Sender This will check the sender of the mail From header Recipient Use this option to match the recipient To header Message header Allows you to examine an arbitrary mail header Message body The actual contents of the email are analyzed when selecting this value Rule This setting differs from the previous ones It allows you to modify the score of SX GATE s builtin rules Accordingly y...

Page 36: ...core of every English email This will result in a significant increase of the probability that the score of English mails will exceed the configured SPAM filter thresholds 8 2 D SPAM lists Of course the SPAM mail filter will not achieve a hit ratio of 100 when classifying emails automatically Some SPAM mails will pass undetected It might even occur that a normal email is classified as SPAM by mist...

Page 37: ... rule for your mails The selected actions will apply to every email delivered to your mailbox In particular this affects also emails not addressed to you personally but to a distribution list group you re a member of When emails are forwarded to other addresses see tab Forwarding the settings will apply only if the option Keep copy of forwarded emails has been selected Vacation settings Choose fro...

Page 38: ...eature to automatically confirm email delivery No reply will be generated for emails which have been tagged as SPAM Please fill in the text message to be sent If there s no text no reply will be sent 8 2 F Folders It is possible to automatically distribute mails into different subfolders of your mailbox Access to these folders requires IMAP or Webmail POP3 does not support folders ...

Page 39: ...able to access web mail through the menu of SX GATE s administration interface They have to type in the direct URL https NAME_or_IP webmail Web mail requires that the browser is JavaScript enabled Cookies have to be accepted too Besides reading and writing emails the web mail client is able to automatically sort incoming emails Furthermore a simple personal address book and calendar are available ...

Page 40: ...e detailed information about your SX GATE Mail detailed ID card to Privacy statement Clicking on this button will send the contents of the detailed ID card to the displayed email address The included information will be stored and used solely for marketing and support of SX GATE The data will be made available to authorised SX GATE partners only You can have your details removed anytime by sending...

Page 41: ...eged to access the administration GUI has read only access to the details specified here 8 4 F Company Here you can find information about your company 8 4 G Administrator Here you can find the details of your SX GATE administrator 8 4 H Provider Here you can find the details of your SX GATE Internet Service Provider Get in touch with the provider if you should encounter problems with the Internet...

Page 42: ...rly and daily statistics are updated every 10 minutes All other graphs are generated daily at midnight Some details to the different topics Load avgerage The most important graph is the load statistics It shows the average count of processes ready for execution When 100 have been reached every moment in time a process is active Whenever values above 100 occur processes have to wait for resources t...

Page 43: ...nt default route determines the interface which is connected to the Internet Positive values indicate the data rate used by data packets received from the Internet The outgoing data rate is stated with negative values The scale refers to kilobyte per time An additional tab shows the transmitted amount of data per month A table gives you an overview of all available objects If there are more than 1...

Page 44: ...9 2 3 Bandwidth 44 can page through the entries or open the table in fullscreen mode Pick an entry by clicking either its title or the pencil icon to enter the detail view ...

Page 45: ...ll configuration will be counted Faked A ping or traceroute wasn t forwarded to the actual target system but answered by the SX GATE firewall Rejected The connection was denied The initiator was informed about that by a network control message Dropped The connection was denied The IP packet was discarded without notification of the sender 9 3 2 IDS IPS This menu offers statistics of the events det...

Page 46: ...ely The SPAM filter statistics is available for the user independent relay SPAM filter only The following terms are used in the statistics Sent Each mail successfully sent by the mailserver is counted in this column Discarded All mails blocked by the virus scanner are declared as discarded and are shown in this column In individual cases the figure can also include individual mails which had to be...

Page 47: ...request to the proxy If proxy authentication is activated a summary per user will also be shown For privacy reasons and also due to the large amount of data there s no list of requested addresses per source IP or user available However at Monitoring Log files the proxy s access log can be archived externally for further processing Please inform yourself about privacy regulations and laws which hav...

Page 48: ...ses are also listed If user authentication is enabled a user table will be included too Finally a ranking of source addresses per country is depicted The following terms are used in the statistics Hits Every single request sent to the web server counts as a hit A typical web page consists of several objects For instance to download an image which belongs to a page an additional request has to be s...

Page 49: ... following terms are used in the statistics Hits Every single request sent to the web server counts as a hit A typical web page consists of several objects For instance to download an image which belongs to a page an additional request has to be sent Files Not for every request a file is returned Sometimes the reply is a simple status or error code These requests are not counted here Pages Only th...

Page 50: ...S PATH FILENAME If you enter e g ftp admin secret 127 0 0 1 logs messages log SX GATE will connect to the FTP server 127 0 0 1 and login as user admin with password secret It will store the log as file messages log in the directory logs Specifying a path is optional However any subdirectory given in the URL must already exist on the server If you have to use an upstream FTP proxy to upload the fil...

Page 51: ...wing variables are available Y 4 figure year e g 2001 y 2 figure year e g 01 m Month from 01 to 12 d Day from 01 to 31 H Hour from 00 to 23 M Minute from 00 to 59 S Second from 00 to 59 U Week of the year Value from 00 to 53 w Day of the week 0 for Sunday to 6 for Saturday j Day of the year from 001 to 366 If for instance you specify the destination scp admin 127 0 0 1 logs messages U rbu the file...

Page 52: ...t in the system After that they will be automatically deleted Log file Please select a log file from the list first The following log files are available important messages Errors and other important messages from all modules of SX GATE The log will also contains some system messages generated during the booting procedure messages This log file contains further messages from different SX GATE modu...

Page 53: ...e TCP flags are shown The last column contains the MAC address of the sender IDS IPS Shows alerts logged by the Intrusion Detection and Prevention System IDS IPS The IDS IPS examines the contents of IP packets and compares them with a signature database Besides date and time the log will show you what happened to the packet The text Drop indicates that the corresponding IP packet has been discarde...

Page 54: ...nternet web server of SX GATE is running all requests will be recorded in this file WWW server messages Errors while accessing the Internet web server are logged in this file A typical problem is a request for a non existing document Intranet server messages If errors occur when trying to access the web server for the local intranet these will be logged here Debugging Debug messages generated by v...

Page 55: ...acter Enter to search for a dot to search for a dollar sign You can search for the month abbreviations Jun and Jul in the following ways Jun Jul Ju nl Ju n l Skip lines containing This option is complementary to the previous one Only those lines which do not include the given text will be displayed Search Press this button to actually start searching in the logs using the previously entered parame...

Page 56: ...10 1 2 Search 56 the left you can define filter expressions A detailed explanation can be found in the live log documentation ...

Page 57: ...E 10 2 1 B Interfaces Interface table On this screen you can find an overview of all physical interfaces of SX GATE Per interface there is also a packet counter for incoming RX and outgoing TX packets These can be useful to track down problems For instance a high carrier counter indicates a faulty physical network connection The network cable might be damaged or disconnected In the interface confi...

Page 58: ...s with a bad score may be blocked automatically In this case the remaining blocking time will be listed as well The score automatically decreases over time In particular when an IP address is blocked for a longer period of time it may occur that the score is 0 even though the IP is still blocked You can delete an IP along with its current score if it has been blocked by mistake If the same IP is b...

Page 59: ...connections which are currently active or at least routed Each line shows the following information ipsec Name of the corresponding ipsec interface Type Connection type Server Client or L2tp Name Connection name given in SX GATE s configuration section Peer The peer s current IP address if the tunnel is active ID Peer s ID local remote Net Local and remote end of the tunnel this connection refers ...

Page 60: ...ens by clicking on the tabs at the top 10 2 2 A Monitor 60 10 2 2 B ISDN 61 10 2 2 C ADSL 61 10 2 2 A Monitor Dial up connection monitor On this screen you can watch the status of ISDN and ADSL dial up connections The displayed information is updated every 3 seconds The following information is provided here Card Channel The ISDN adapters of SX GATE are numbered consecutively Counting starts with ...

Page 61: ...creen Interface Please select the respective interface here Dial now Click this button to trigger dialing of the selected interface Of course a number to call has to be configured in the settings of this interface Hang up now Click this button to hang up the ISDN connection of the selected interface if any 10 2 2 C ADSL If an ADSL interface exists you can manually hangup a connection or test the D...

Page 62: ...mand is very helpful It sends a small IP packet ICMP echo request to a specific address If a packet of type ICMP echo reply is returned the IP connections to this address is obviously ok Send ping to Here you can specify where to send the ping You can specify either an IP address or a DNS name If you enter a DNS name the name server of SX GATE must be running and name resolution must be working So...

Page 63: ...sly ok Send ping to Here you can specify where to send the ping You can specify either an IP address or a DNS name If you enter a DNS name the name server of SX GATE must be running and name resolution must be working Interface source IP To ping a link local address you have to select an interface When trying to ping through a VPN tunnel it can be necessary to use a specific source IP Packet size ...

Page 64: ...g to trace packets through a VPN tunnel it can be necessary to use a specific source IP DNS reverse lookup When enabled an attempt is made to resolve each hop s IP into a hostname Start traceroute Press this button to start the traceroute 10 2 3 D IPv6 Traceroute Traceroute is an other tool to test network connections In contrast to ping it also shows the path IP packets take towards their destina...

Page 65: ...or Type Select the type of information you are looking for A AAAA PTR IP address of a hostname or hostname of an IP address MX Mail server for the specified domain NS Name server for the specified domain SOA Meta information for the specified domain TXT Text information for the specified domain Using name server Here you can make a choice to which name server the request will be sent Usually name ...

Page 66: ...host to wake up Please enter the hardware address of the computer here The expected format is XX XX XX XX XX XX Each X must be a digit or a letter from A to F The delimiters may be colons dots hyphens or underscores Click Apply to save the mac address as default Interface Select the interface the target system is connected to 10 2 4 SNMP SNMP can be used to poll status information from SX GATE Ple...

Page 67: ...se use a rather long string consisting of upper and lower case characters digits and special characters At least 8 characters are required Privacy protocol Please select the cipher Contact This value serves for informational purposes only Location This value serves for informational purposes only ...

Page 68: ...In case of any problems the respective error message is displayed too Delete selected emails To delete specific mails from the queue please mark them in the list first Press this button to deleted all selected emails Neither the sender nor the recipient of the mail will be notified Delete all emails To delete all mails from the queue please click this button Senders and recipients won t be notifie...

Page 69: ... 3 C MIME filter quarantine Quarantined attachments You can download email attachments which have been quarantined by SX GATE s MIME filter here They will be deleted automatically when they are 30 days old Often attachments are quarantined which in fact contain a virus which was still unknown to the virus scanner at the time the mail arrived So quarantined attachments will be re scanned by the ins...

Page 70: ... mode emails may be retained A green arrow is shown for these mails Click the arrow to authorize delivery Click the dustbin icon to delete an email from the quarantine directory 10 3 D Mailboxes Local mailboxes Here you see a list of all inboxes of SX GATE s POP3 IMAP4 sever Apart from the account name the total size of the inbox is listed The next column gives the date and the time of the last mo...

Page 71: ...contents Please select the emails to be deleted In this list you can select those emails you want to delete by clicking in Finish For each email sender subject size and timestamp are displayed for your reference Delete selected mailbox Press this button to delete the mailbox which is selected in the list The contents of the mailbox at the time of execution will be deleted entirely The mailbox will...

Page 72: ... You ll see if access is allowed or not and the cause of the block 10 4 B Content filter Content filter quarantine A list is shown of cached downloads in descending order of their size This list contains username if web proxy user authentication is enabled client IP state of virus scanning filename and size of download and the server where the download came from The state of virus scanning can be ...

Page 73: ...tine 73 unknown yellow The virus scanner reported errors while scanning the file Virus red A virus has been found We suggest that files having a yellow or red state are scanned for viruses before accessing them on a workstation ...

Page 74: ...e type of object here Group Objects of this type represent an arbitrary amount of addresses It is also possible to nest objects by including other definitions DNS entry The name of this group is a DNS host name The list of IP addresses is updated automatically using DNS lookups The DNS information is updated after system restarts after changes in IP objects and at regular intervals as configured i...

Page 75: ...firewall rules Nesting is not possible Label DNS name Specify a name for the new network object here You can select it later in various configuration options The configuration options in this menu are structured by topic You can change between the different screens by clicking on the tabs at the top 11 1 A Addresses 76 11 1 B IPv6 address 76 11 1 C IPv4 address 77 11 1 D Geolocation 77 11 1 E Usag...

Page 76: ...esolution are shown here If the information is already pretty old most likely the DNS record is no longer available 11 1 B IPv6 address Description This field serves for documentation only Routing prefix You can bind this object to a routing prefix Changes of the routing prefix are automatically reflected by this object If the selected routing prefix currently contains no address this object will ...

Page 77: ...in firewall rules only SX GATE includes a builtin database of all IP addresses associated with the respective country So this is not a DNS based solution Database updates are shipped as part of the SX GATE updates So the database is only as current as the release date of your SX GATE version Even though the database quality is very good it may well include wrong entries Description This field serv...

Page 78: ...ature 78 11 2 B Usage 79 11 2 A Protocol signature In multiple SX GATE configuration screens you will find protocol selection lists The firewall and the SOCKS proxy configuration are good examples The available choices for these selection lists are configured here There are already a couple of predefined protocols but it s also possible to add your own entries here There s no need to take the titl...

Page 79: ...u might want to select any For ICMP you can enter the ICMP message type here Only UDP and TCP use port numbers only ICMP knows about ICMP types For all other protocols you have to select any Dest port Here you have to enter the destination port which is used to access the requested application For ICMP you can enter the ICMP message code here Only UDP and TCP use port numbers only ICMP knows about...

Page 80: ...s by clicking New Entry below the table on the left Use the dustbin icon to delete entries Period nickname Specify a name for the new period here You can select it later on in the firewall configuration masks The configuration options in this menu are structured by topic You can change between the different screens by clicking on the tabs at the top 11 3 A Specification 80 11 3 B Usage 80 11 3 A S...

Page 81: ...ames like e g _accept and _deny to indicate the intended use If access is denied a special page will be displayed to the user URLs listed in the Advertising database category are an exception If the URL includes a filename extension commonly used for images access will be diverted to a transparent image in order to hide advertising banners if detailed Access denied messages have been enabled A tab...

Page 82: ...cted as well The comparison is case insensitive The entries listed here will be compared with the destination of a request without performing any DNS lookups Therefore a blocked domain might still be accessible when using the corresponding IP address and vice versa 11 4 B Files Blocked file extensions The URL filter can grant or deny access to certain types of files based on the filename extension...

Page 83: ...here one can exchange files You will often find movies music and adult content that also violates copyright Blogs private sites web disks Blogs private homepages and private online storage Entertainment Hobby museums food fashion magazines events fan sites and many more External web based applications Web based text editors spreadsheet applications desktops and groupware German school project Deut...

Page 84: ...aphic content Also here only the address itself will be checked not the actual contents of the addressed Internet server Remove adult sites from search results Many search engines offer a filter mode removing adult sites from search results If access to this URL filter list is denied and the option is enabled filter mode will be enforced for most of the common search engines 11 4 F Usage This tabl...

Page 85: ...ou can modify the most important parameters of SX GATE s LAN interface Many other settings of SX GATE use these values as default setting Hostname Enter the hostname of SX GATE here Domain Insert the domainname for SX GATE here If your company already reserved or connected an Internet domain you should use this one Otherwise enter a name which is guaranteed not used in the Internet e g company int...

Page 86: ...sing this feature in order to clarify technical constraints Each cluster node has its own interface definitions The rest of the settings are configured on the backup node Use the Update configuration on master button to update the master s configuration Before the configuration can be transferred you have to upload the public ssh rsa key of the backup node to the master The cluster is monitored by...

Page 87: ... the backup node is performed Upload public ssh rsa key Here you import the public ssh rsa key of the backup node Synchronize automatically Configuration changes on the backup system must be propagated to the master A manual synchronization is started by clicking on Update configuration on master Enable the automatic update to ensure that no one forgets this step We recommend to enable automatic s...

Page 88: ...e or the use on the master node does not make sense private key of the SX GATE CA SSL proxy CA for inspecting SSL connections SX GATE administration 12 1 D Administration server certificate This certificate is needed for encrypted access to the administration GUI and the webmail client of SX GATE Use the reverse proxy to access the administration from the Internet The reverse proxy can limit acces...

Page 89: ... a certificate issued by an unknown CA No official certificate is required if Internet access to the administration server is as recommended handled by SX GATE s reverse proxy Import the certificate returned from external CA Select this option to install the certificate returned in response to a certificate request Make sure that the certificate is in PEM format Import a keypair You can import a k...

Page 90: ...like e g Windows XP before SP3 might only support keys with max 2048 bit and an SHA1 hash Create a certificate request On this screen you have to enter the certificate subject CN Issue the certificate to the address which is normally used to connect with the service from the Internet Usually this is the Internet DNS name of SX GATE You can also issue a wildcard certificate e g example com however ...

Page 91: ... certificate you just uploaded It will be installed in the next step Please read on at Select CA certificate file Please read on at Install certificate Select CA certificate file Now the certificate chain must be added to the certificate This may include one or more intermediate CAs The chain ends with the root CA All certificates must be in PEM format Please ask your CA for the required certifica...

Page 92: ...12 1 Setup 92 There s no way to restore a purchased certificate without backup ...

Page 93: ...u can see the current status of SX GATE network services Ethernet This service represents the network interfaces of SX GATE Since these are vital this service can only be restarted It is not possible to stop this service as otherwise even access to the web interface of SX GATE would be impossible IPv6 router advertisement This service is required to run SX GATE as IPv6 router ISDN This service con...

Page 94: ... IPSec L2TP connections When restarting this service all currently active L2TP sessions will be disconnected OpenVPN If you want to use OpenVPN based VPNs Virtual Private Networks this service must be started Restarting this service will terminate all currently active connections It is not possible to start this service if no ovpnc or ovpns interface has been configured yet Firewall The SX GATE fi...

Page 95: ... this server application Therefore it is crucial that this service is running in normal operation Mail server This service provides an SMTP mail server Internal clients as well as internal mail servers should relay outgoing emails via the SMTP server of SX GATE Use this service also for the delivery of incoming emails SX GATE can accept SMTP connections for incoming emails In combination with SX G...

Page 96: ...nticated and encrypted channels with the TCP forwarder Then TCP connections to usually internal servers can be opened using these channels The SSH TCP forwarder is available on port 2222 LDAP server This server is required to access SX GATE s LDAP address books The following settings are required in a mailclient for querying the LDAP addressbook Set the User Name Bind DN to cn LOGIN ou Users dc YO...

Page 97: ...e Simple Network Management Protocol The service is configured in menu Monitoring Network SNMP 12 2 C More servers The services listed below are often used quite infrequently To save system resources the corresponding server is not active permanently A meta server is monitoring the port corresponding to the respective application and will launch the server on demand Determine on this tab which ser...

Page 98: ...rotocol according to RFC 868 Daytime The system time is available on TCP port 13 too In contrast to the previous service the time is presented in human readable form 12 2 D System On this screen you can see the current status of some system services Logging The majority of SX GATE s components use this service to log various informational messages status reports or errors It is not advisable to di...

Page 99: ...ce keeps failing it will remain stopped and has to be restarted manually On a cluster master this will cause a failover until the service is either disabled or running again Cluster node This service is used for the clustering Menu System Setup tab Clustering Windows domain membership With this service SX GATE can join a Windows domain Currently this is only necessary for the web proxy NTLM authen...

Page 100: ...situations the service can be helpful for the local administrator too On the master node of a SX GATE cluster the SSH server is required for synchronizing the configuration SX GATE configuration The web administration interface of SX GATE is operated by this service Therefore it is not possible to stop it When restarting this service the browser will most likely report an error just after submitti...

Page 101: ... a later point in time However if the user is deleted completely the mail box will be deleted too Every group acts as a mail distributor As every local user must be member of system mail to get an email account emails addressed to this group will be delivered to every local user automatically To make this mail distributor available under a more common name e g staff add a new group with the reques...

Page 102: ...r the IP address of the Active Directory server which keeps the user information Usually this is the IP of the domain controller LDAP searchbase Specify the LDAP path used by SX GATE when binding to the Active Directory All relevant users and groups must be situated below this path in the LDAP hierarchy The simplest searchbase is the name of the Active Directory server e g ad example com But you c...

Page 103: ... by the Active Directory the password goes in here Use SSL encryption Enabling this option will encrypt all communication between SX GATE and Active Directory Check LDAP connection If at least the server address has been configured you can test the LDAP connection with this button Please press Apply to commit any changes you have made on this screen before starting the test ...

Page 104: ...SX GATE system groups in the Active Directory All direct and indirect user members of each selected group will become a member of the imported group on SX GATE The results of an hierarchical search in the group structure below the currently processed group will determine the indirect members The set of users which has been collected that way decides which users have to be available in the user adm...

Page 105: ... case automatically Users and groups which do not comply with the naming conventions of SX GATE won t be imported The name must begin with a letter and must consist of the letters a through z digits dots dashes and underscores In addition to the user and group structure the user s passwords can be imported too However this requires the installation of a library DLL on the windows domain controller...

Page 106: ...ic import With this parameter you can either disable the automatic synchronization or specify the interval between two imports Send import protocol An import log can be mailed to the administrator Please choose under which circumstances the log will be sent Test import With this button you can test if the expected user and group structure can be found in Active Directory Please press Apply to comm...

Page 107: ...omainc ontroller to activate the library 12 3 2 Users A table gives you an overview of all available objects If there are more than 10 entries a navigation bar will appear below the right bottom hand corner of the table where you can page through the entries or open the table in fullscreen mode Pick an entry by clicking either its title or the pencil icon to enter the detail view Add new objects b...

Page 108: ...16 12 3 2 J Web proxy 116 12 3 2 K SOCKS proxy 117 12 3 2 L SSH TCP Forwarding 118 12 3 2 M RAS settings 120 12 3 2 N Docklets 122 12 3 2 O Menu Statistics 122 12 3 2 P Menu Monitoring 122 12 3 2 Q Menu Definitions 122 12 3 2 R Menu System 123 12 3 2 S Menu Wizards 123 12 3 2 T Menu Modules 123 12 3 2 U User details 123 12 3 2 A Groups This mask will show you the group membership of the selected u...

Page 109: ...up are able to authenticate RAS connections to SX GATE This applies to direct ISDN dial in connections as well as to connections to SX GATE s IPSec and L2TP servers The user admin is always member of the system groups system mail and system admin Therefore these groups are not listed when admin has been selected 12 3 2 B Password On SX GATE there are two types of passwords The user password alread...

Page 110: ...e login name To map an additional email address to a user you can insert the respective local part of the address here The local part of an email address is the part before the character If for instance the login of a user is brown the email address brown example com corresponds to the user automatically To map the address charly brown example com to the same user you have to add the alias charly ...

Page 111: ...n can also be modified by the user himself at My Account Email options The user has to be member of group system admin to be able to access this menu If you enable at least one of the thresholds every incoming mail has to pass a SPAM mail filter before it is delivered to the mailbox of the selected user A SPAM mail is an unsolicited email usually with dubious origin The SPAM mail filter of SX GATE...

Page 112: ...ils to As an option SX GATE can deliver tagged SPAM mails into a separate SPAM folder This folder is accessible with SX GATE s web mailer or via IMAP folder Mail SPAM A POP3 client will not be able to open the SPAM folder Delete SPAM HAM after Mails from the SPAM and HAM folders are automatically deleted after the given number of days This feature does not depend on the previous option Mails will ...

Page 113: ...he selected score is accounted The following types of SPAM filter rules are available Subject The pattern is looked up in the email s subject Sender This will check the sender of the mail From header Recipient Use this option to match the recipient To header Message header Allows you to examine an arbitrary mail header Message body The actual contents of the email are analyzed when selecting this ...

Page 114: ...otential SPAM The majority of SPAM mails is written in English language Activate this switch to add some points to the SPAM score of every English email This will result in a significant increase of the probability that the score of English mails will exceed the configured SPAM filter thresholds 12 3 2 G SPAM lists SPAM filter whitelist If an email was identified as SPAM by mistake you can add the...

Page 115: ...ils The selected actions will apply to every email delivered to the user s mailbox In particular this affects also emails not addressed to the user personally but to a distribution list group the user is member of When emails are forwarded to other addresses see tab Mail forwarding the settings will apply only if the option User keeps copy of forwarded emails has been selected The settings on this...

Page 116: ...termine the autoreply s sender address No reply will be generated for emails which have been tagged as SPAM Please fill in the text message to be sent If there s no text no reply will be sent 12 3 2 I Mail folders It is possible to automatically distribute mails into different subfolders of the user s mailbox Access to these folders requires IMAP or Webmail POP3 does not support folders 12 3 2 J W...

Page 117: ...P HTTPS and FTP SX GATE offers dedicated proxy services SOCKS should not be used for these protocols Specialized proxies provide more features and better protocol support than a generic proxy Data transmitted via the SOCKS proxy is not checked by any virus scanner Also the integrity of the transported protocol is not verified By default the SOCKS proxy denys any connection request Rules have to be...

Page 118: ...experienced users might be fooled easier by man in the middle attacks In return an SSH forwarding is easier to configure and maintain The corresponding SX GATE SSH server is available on port 2222 A separate firewall rule might be necessary for the remote access over the internet Use the predefined protocol SSH FWD Using firewall DNAT rules it is possible to make the server appear on a different p...

Page 119: ...k and copy the line Now proceed through the wizard on the SX GATE under Customize SX GATE RDP USB stick At the end you need to download the configurationfile config usr and the SSH Key key pem Those two files need to be copied to the cfg directory on the SX GATE RDP USB stick You should overwrite existing files The SX GATE RDP USB stick needs current Java RE version and the RDP client has to fit t...

Page 120: ... IPSec VPNs or ISDN dial in Send WoL upon dial in to Mac address If you enter the hardware address of some computers network card here SX GATE will send a Wake on LAN packet to it when the user logs in The expected format is XX XX XX XX XX XX Each X must be a digit or a letter from A to F The delimiters may be colons dots hyphens or underscores The WoL packet is sent on interface eth0 Assigned IP ...

Page 121: ...per RAS service if the user is allowed to use it and which IP is assigned Usually the same IP is used for all of the allowed services however it is also possible to assign different IPs The IP address which has been configured in the corresponding RAS interfaces will be ignored for this user L2TP IPSec VPN Use this control to determine if the currently selected user is accepted by SX GATE s L2TP s...

Page 122: ...s to the corresponding item from the Statistics menu These settings are only available for members of group system mail 12 3 2 P Menu Monitoring Activate the switches below to grant access to the corresponding item from the Monitoring menu These settings are only available for members of group system mail 12 3 2 Q Menu Definitions Activate the switches below to grant access to the corresponding it...

Page 123: ...stem mail 12 3 2 T Menu Modules Activate the switches below to grant access to the corresponding item from the Modules menu These settings are only available for members of group system mail 12 3 2 U User details The values on this tab are mostly exploratory For users with a local mailbox members of group system mail the details will be available as address book in SX GATE s web mailer and via LDA...

Page 124: ...he table in fullscreen mode Pick an entry by clicking either its title or the pencil icon to enter the detail view Add new objects by clicking New Entry below the table on the left Use the dustbin icon to delete entries Name of group Determine the name of the new group here Besides small letters and digits only dashes dots and underscores _ are allowed in group names The name must begin with a let...

Page 125: ...ocal user or group will not be removed automatically when the corresponding user or group is deleted SMTP Auth accepted SX GATE s mail server can be configured to relay mails to external recipients only for specific users SX GATE will accept logins only of those users who are member of a group with this option enabled Only members of group system mail actually have the necessary account to log in ...

Page 126: ...12 3 3 Groups 126 12 3 3 C Usage This table show in which settings the definition is used ...

Page 127: ...the root certificate which is sometimes also referred to as CA certificate There s no pre installed default CA certificate On a new SX GATE you have to create one first The CA certificate is used to sign all certificates issued by SX GATE As it is the root of the certificate trust chain any certificate based authentication relies on it Therefore the CA certificate is protected by a password which ...

Page 128: ...X GATE A CA certificate which was created by SX GATE will be valid for 20 years Generally it does not make sense to issue a new certificate long before the old one expires Except of course the privacy of the certificate can no longer be guaranteed Backup CA key pair The key pair of the SX GATE CA can be exported in PKCS 12 format to save a backup Please note that this export also contains the priv...

Page 129: ...d certificate CRL distribution point When issuing a new certificate a URL can be included which will always serve an up to date copy of the current CRL So a system which is trying to verify the certificate can access the current CRL itself When a new CRL has been issued you must not forget to copy it to the server Export certificate revocation list You can download the CRL in PEM format here Creat...

Page 130: ... authority CA which can be created here For security reasons the CA certificate is not saved along with the SX GATE backup Use the export function on this screen to download and save a password protected copy Export public key Here you can download the CA certificate s public key It should be installed in all browser clients Backup proxy key pair The key pair of SX GATE s proxy CA can be exported ...

Page 131: ...view Add new objects by clicking New Entry below the table on the left Use the dustbin icon to delete entries Name of certificate Here you have to specify a name for the certificate It is only used to identify the certificate so you can choose any appropriate name Export public key You can download the public key of the certificate here The file format is PEM The private key is not stored on SX GA...

Page 132: ...ificate subject CN If this certificate is to be used by a server program you should enter the DNS name or the Internet IP address of the system You can also issue a wildcard certificate e g example com For a user certificate you might want to enter the name or email address Subject alternativ names The certificate subject is a composition of all the data you entered before You can add an optional ...

Page 133: ...e Entering this screen the certificate will be signed and can be downloaded Create setup package Windows IPSec L2TP parameters Internet IP or servername of SX GATE Please enter the DNS name or IP address the client will use to connect with SX GATE Allow direct Internet access If this option is disabled there will be no direct Internet access for the client as soon as the VPN connection is establis...

Page 134: ...ith SX GATE OpenVPN server interface Please select the OpenVPN server interface the client is going to connect with Settings like protocol port number and encryption parameters in the client configuration will be set accordingly OpenVPN version on client The generated configuration file must fit the client version Windows OpenVPN setup Setup package for Windows OpenVPN This self extracting ZIP arc...

Page 135: ...e SX GATE with the required settings Setup for remote SX GATE Setup package for remote SX GATE This tar archive is intended to simplify the configuration of a VPN to an other SX GATE The archive consists of a PKCS 12 file with the private key its corresponding certificate and the CA certificate Also a config file with appropriate settings is included Import this file on the remote SX GATE iOS Exch...

Page 136: ... IP address or a certain DNS name you should supply it here Otherwise choose a name which is rather unambiguous Subject alternativ names The certificate subject is a composition of all the data you entered before You can add an optional alternative name to the subject Enter either the DNS name or the Internet IP of SX GATE It is not necessary to fill something in unless MacOS VPN clients are used ...

Page 137: ...d its configuration a client may refuse to connect if the server certificate does not include this attribute Signing certificate Entering this screen the certificate will be signed By pressing the Finish button the new VPN server key will be installed ...

Page 138: ...olders and also the webmail address book calendar and filtersettings A mail backup can become very large Uploading the backup may take a long time and even problems might occur Particularly if only a single user s mailbox is to be restored you should consider opening the mail backup file with an archiver which is able to handle ZIP files You can safely ignore warnings reported by the archiver You ...

Page 139: ...stored in any case provided the user itself is valid The first two conditions will make sure that disk storage is not wasted by the data of no longer existing users or of users which are no longer allowed to send mails The missing inbox will ensure that no new emails get lost which arrive by accident just after the restore process has been started When restoring a mail backup file containing multi...

Page 140: ... is not a backup of your system It is just for documentation 12 5 B System backup On this screen you can configure the backup of the system configuration system backup The settings of the user administration will not be included in this backup For security reasons the backup will not contain private keys Please refer to the tabs CA keys and Server keys to backup private keys Always keep these back...

Page 141: ...not be overwritten The following variables are available Y 4 figure year e g 2001 y 2 figure year e g 01 m Month from 01 to 12 d Day from 01 to 31 H Hour from 00 to 23 M Minute from 00 to 59 S Second from 00 to 59 U Week of the year Value from 00 to 53 w Day of the week 0 for Sunday to 6 for Saturday j Day of the year from 001 to 366 If for instance you specify the destination backup m d rbu the f...

Page 142: ...r secure copy the backup is transmitted unencrypted The backup file is always stored unencrypted on the target system So please make sure the file is protected Secure copy connections are authenticated using SX GATE s SSH RSA key Please configure the SSH server accordingly Login Enter the user name SX GATE has use to authenticate itself When storing the backup on a Windows network share you will u...

Page 143: ... day Thus the backup file will not be overwritten until next year Scheduled Use the automatic backup to make sure that it will not be forgotten Select when and how often the backup should be created Monthly backups will be created on the first day of each month Weekly updates will be made on Mondays You should check the backups regularly Test automatic userbackup Tries to transfer the current user...

Page 144: ...A key Please configure the SSH server accordingly It is not advisable to deliver the mailbackup by email especially if it will be sent to a local user If the mail stays in the local inbox for a while the size of the mailbackup might increase dramatically Login Enter the user name SX GATE has use to authenticate itself When storing the backup on a Windows network share you will usually have to spec...

Page 145: ...he backup file will not be overwritten until next year Scheduled Use the automatic backup to make sure that it will not be forgotten Select when and how often the backup should be created Monthly backups will be created on the first day of each month Weekly updates will be made on Mondays You should check the backups regularly Test automatic mailbackup Tries to transfer the current email storage t...

Page 146: ... in PKCS 12 format to save a backup Please note that this export also contains the private key which must remain completely secret 12 5 F Server keys Private keys are not part of the regular backups for security reasons Here you can export keys and certificates used by SX GATE services The backup files are password protected Deposit the backups at a safe place and make sure that the password requi...

Page 147: ...format to save a backup Please note that this export also contains the private key which must be kept secret There s no way to restore a purchased certificate without backup Backup der reverse proxy key pairs A table gives you an overview of all available objects If there are more than 10 entries a navigation bar will appear below the right bottom hand corner of the table where you can page throug...

Page 148: ...ntly installed release of SX GATE is shown here Update server To make the update procedure straightforward SX GATE can suggest which updates need to be installed next Enter the URL where SX GATE can download updates How do you want to update your SX GATE Please select the update method interactive recommended Choose this option to get an overview of all available updates first After confirmation t...

Page 149: ...lows you to see any message that was produced while installing the previous update If there were any problems the log might provide further information 10 days after the last access the log will be deleted automatically Schedule update Enter in the day and time when the update should be started At the specified point in time SX GATE will download and install all available updates one by one If the...

Page 150: ...12 6 Installed release 150 Confirm update Press Finish to complete the update procedure Select file Please select a valid update file for your SX GATE ...

Page 151: ...the respective option reboot SX GATE This option will re start the system Confirm by clicking on Finish It may take up to 5 minutes before SX GATE is in operation again power off SX GATE If this option is selected the system will be shut down and switched off After confirmation with Finish this can take up to 2 minutes ...

Page 152: ...characters When entering the new key please take care of ambiguous characters e g O or 0 If you received the new key via email use Copy and Paste to enter it License number Support IP This is the software license number of your device Hardware ID A SX GATE licence key always corresponds to one specific machine This ID identifies your SX GATE hardware Maximum number of users When the maximum number...

Page 153: ...ange the IP configuration of all those servers and workstations in your LAN which require direct access to the Internet The IP address of SX GATE has to be configured as gateway and as name server DNS on these computers Please make sure that the IP address of SX GATE is the only entry configured there and remove any additional entries Internet access with a web browser and the email communication ...

Page 154: ...in only the letters a through z digits and dashes Domain Insert the domainname for SX GATE here If your company already reserved or connected an Internet domain you should use this one Otherwise enter a name which is guaranteed not used in the Internet e g company internal to avoid domain conflicts The domain mentioned here has nothing to do with a Windows NT domain Intranet IP addresses Internal ...

Page 155: ...tivate this option if you want to use SX GATE as secondary DHCP server If you unnecessarily configure the DHCP server as a secondary the start up time or workstations will be longer If more than one primary DHCP servers is active the server that replies faster will assign the IP configuration Depending on the behaviour of the servers disruptions or interferences may occur In contrast to a primary ...

Page 156: ... Using the DHCP service is mainly recommended for the configuration of workstations or mobile computers These are added exchanged or removed more frequently Make sure that you specify enough dynamically assignable IP addresses If all addresses are assigned any additional network device won t be able to connect to your local IP network Save the changes Yet no changes have been made to the system co...

Page 157: ...have the following information at hand Otherwise ask your ISP Dial in number ISDN dial up only Login and password ISDN and ADSL dial up only IP address and netmask of router and for SX GATE Ethernet connection only IP of provider name server DNS Mail relay server of provider optional Proxy server of provider optional What type of Internet connection do you have router or cable modem Ethernet Pleas...

Page 158: ...ot necessary to configure the correct MSN for outgoing calls However if you do not know the MSN you should use 0 A PBX might reject outgoing calls using a misconfigured MSN however some accept the call if MSN 0 is used With Euro ISDN and a direct connection to the network of your telecommunications company you usually have to provide the phone number omitting the local area code as MSN On a PBX ho...

Page 159: ... determine when the DSL dial up connection has to be established and disconnected The dial up connection can be established automatically whenever data has to be transmitted to the Internet It will be disconnected when no data has been transmitted for a configurable period of time Alternatively you can decide to keep the connection permanently online Anytime the link is disconnected it will be ree...

Page 160: ...IP address p 160 Obtain IP from DHCP Internet via cable modem Please read on at Use proxy server of ISP p 162 IP address Use the second network card of SX GATE eth1 to establish the Internet connection via router This network card may not be used for any other purpose Link the Ethernet port of the external router directly with SX GATE by using a crossover cable Alternatively you can connect SX GAT...

Page 161: ...y use the LAN IP of SX GATE also as its external IP IP address of the router Enter the internal IP address of the router here Check the information you received from the provider It might have been named gateway Netmask of the transfer network Please enter here the corresponding network mask If the netmask that you have received from your provider is 255 255 255 252 there is no way that you can co...

Page 162: ...GATE can forward requests to a proxy server that is available from your provider If your provider does not have a proxy server or you do not want to use this one the web proxy of SX GATE will always connect directly to the requested destination address If your provider offers a caching proxy server its use can speed up Internet access In some cases it may be mandatory to use the proxy due to the s...

Page 163: ... servers and forward them to the mail server of the recipient or maybe an other relay server Direct connections are often preferred with leased lines as the delivery state of an email can be directly controlled at Monitoring Mail server However with dial up connections you can derive benefits from the relay server offered by your provider Some examples Due to the SPAM mail plague some mail server ...

Page 164: ...he mail server of the recipient If the relay server encounters problems when forwarding the mail it will either retry the delivery or notify the sender that the mail was undeliverable SMTP Auth login If the provider operating the relay server and the provider operating your Internet connection are different providers you usually have to authenticate when using the relay server With authentication ...

Page 165: ...ccess 165 SMTP Auth password Enter the SMTP Auth password here Save the changes Yet no changes have been made to the system configuration of SX GATE Press Finish to apply the changes you made or Cancel to dismiss them ...

Page 166: ...ovided this is enabled in the browser settings Note that it is still possible to configure browsers manually see previous option even if WPAD is on Browser setup method manually or centralized Please read on at Manual or centralized browser configuration p 166 automatically WPAD Please read on at Web Proxy Auto Discovery WPAD p 167 Manual or centralized browser configuration Manual browser configu...

Page 167: ...lso required that the workstation itself uses SX GATE as its DHCP server If a third party DHCP server is used the WPAD URL has to be deployed on that server Enter the URL http SX GATEs LAN IP 8000 proxy pac if you want to use SX GATE s predefined Proxy Autoconf file Enable WPAD via DNS Here you can enable a DNS based method The browser tries to download the file wpad dat from a server named wpad L...

Page 168: ...m proxy to be accepted by the proxy with automatic user authentication NTLM Here the user s current Windows domain authentication is used to automatically authorize proxy access The users will not be prompted for a login and password unless the browser doesn t support this authentication method In this case the credentials of an authorized Windows user have to be supplied With NTLM authentication ...

Page 169: ...ermanently the firewall policy must be modified for this Select operation mode of SX GATE web proxy with manual user authentication Please read on at Web proxy filters p 170 without user authentication Please read on at Web proxy filters p 170 transparent Please read on at Web proxy filters p 170 Windows settings ActiveDirectory server IP Please enter the IP address of the ActiveDirectory server I...

Page 170: ... filters URL filter For access restrictions a categorized database of internet addresses comes along with SX GATE Custom address lists can be defined too Furthermore it is possible to deny access to certain types of files based on its names Enable the filter with this switch Turn to menu Definitions URL filter lists to compile lists Then assign the lists to individual IP addresses or user groups i...

Page 171: ...f SX GATE has to be established e g ftp 192 168 0 254 2121 As login you have to enter the login on the remote server followed by an character and the address of the destination e g login ftp example com To use the proxy it must be configured in the FTP client or the connection must be established via port 2121 of SX GATE yes as transparent proxy The firewall policy of ethernet interface eth0 will ...

Page 172: ...ranted This includes anonymous as well as authenticated access FTP proxy will accept connections to any FTP servers and accounts Please read on at Save the changes p 173 FTP proxy destinations Destinations accepted by the FTP proxy Use this control to specify the accepted target FTP servers and its corresponding accounts If the list is empty the proxy will deny access to any server Account Enter t...

Page 173: ... on a specific FTP server Enter the server name e g ftp example com as Destination server select the topmost option Account but leave the input field empty Clicking on Add the new entry ftp example com will appear Access to a single account on a specific FTP server Specify the account and the server in the respective input fields and click Add The created rule will look like e g webmaster www exam...

Page 174: ...ains to configure the local email domains Emails for these domains can either be forwarded to an other mail server in your LAN or they can be delivered to mailboxes on SX GATE You can also activate some security mechanisms like the mail virusscanner Security and filter mechanisms like the mail virusscanner will be activated in mail filters Receiving emails from the Internet is configured with mail...

Page 175: ...en mode Pick an entry by clicking either its title or the pencil icon to enter the detail view Add new objects by clicking New Entry below the table on the left Use the dustbin icon to delete entries Email domain Please enter an email domain Mails to this domain are either going to be delivered to a local mailbox on SX GATE or forwarded to an internal mail server Domain type Deliver mail to Select...

Page 176: ...th the SX GATE webmail client To create additional users you have to change into the user administration after completing this wizard Create the required users there and assign them to group system mail Verify recipient Verify recipient addresses in advance When this option is enabled SX GATE will contact the internal mail server for every email it receives to verify if it is willing to accept a m...

Page 177: ...hange you might have to enable recipient filtering Since Exchange 2013 this requires an additional HubTransport connector in Exchange scoped for SX GATE s IP and granting anonymous access using LDAP Active Directory The requested recipient addresses will be looked up in an Active Directory attribute proxyAddresses The necessary parameters for LDAP access have to be configured in menu System User a...

Page 178: ...ser which has the required permissions Bind DN If the user is a member of Active Directory container users entering the user name e g searchuser is sufficient Otherwise you have to specify the complete DN here e g CN searchuser OU it DC ad DC example DC com In Microsoft s SBS you have to use a DN like e g cn searchuser OU SBSUsers OU Users OU MyBusiness DC example DC com Password If authentication...

Page 179: ... shown next SPAM filtering configuration configure common SPAM filter Please read on at Common SPAM filter p 179 individual SPAM filtering per SX GATE user mailbox Please read on at Individual SPAM filter p 179 skip SPAM filter configuration Please read on at Activate virus scanner p 182 Individual SPAM filter Individual SPAM filtering per SX GATE user mailbox must be configured in the user admini...

Page 180: ...available after selecting a specific menu option Tag an email as SPAM when it is scored more than If the score exceeds the threshold for tagging an email as SPAM the subject of the mail is prefixed by the text SPAM Furthermore the email will contain a brief summary of the tests leading to this score The original email is added as an attachment Delivering the original email as attachment is suppose...

Page 181: ...ilter as well as to the users personal SPAM filter The latter must be enabled individually in the user administration of SX GATE Do not activate these features when your internet connection is a rather expensive dial up link Depending on the actual configuration even an internal email might trigger an Internet connection Thus the dial up link will be online frequently which results in high expense...

Page 182: ...servers will be scored too Enable Razor2 distributed spam filter network This feature will calculate a fuzzy checksum of some parts of an email and send it to Razor2 servers in the Internet TCP port 2703 Razor2 provides a database with the checksums of known SPAM In case of a match the SPAM score of the mail is increased The amount depends on the reputation of those who reported the SPAM mail to t...

Page 183: ...tion even if you are already using virusscanners Usually a virusscanner can detect a virus only if its signature is already known Filtering attachments with filename extensions often used by viruses can defang a virus which is yet unknown to the virusscanner You could also activate this component to enforce local policies which deny sending or receiving emails in certain file formats incoming and ...

Page 184: ...ial up line with fixed IP and callback SX GATE can be addressed anytime by any mail server in the Internet In these cases you might receive incoming emails directly with the SMTP protocol If in doubt please ask your provider how you receive incoming emails How does SX GATE receive emails from the Internet by polling a POP or ETRN server Please read on at Servers p 185 direct SMTP delivery Please r...

Page 185: ...server In these cases you should specify the appropriate IP address and select the corresponding option when adding a firewall rule This will ensure that only those servers can establish a SMTP connection to SX GATE who really have to Save the changes Yet no changes have been made to the system configuration of SX GATE Press Finish to apply the changes you made or Cancel to dismiss them Servers SX...

Page 186: ...ble as e g the dial up line is offline the mail server of the provider keeps the mail in a queue Just after the dial up line connects again SX GATE used the ETRN command to trigger a new delivery attempt of all waiting mails Protocol used to access this server POP3 Please read on at Single drop accounts p 186 APOP Please read on at Single drop accounts p 186 IMAP Please read on at Single drop acco...

Page 187: ...up Typically for this scenario a single drop account exists for every employee on the mail server of the provider and a multi drop account exists for all unknown addresses The contents of the multi drop account is then delivered to a certain local user or distributor e g info If SX GATE retrieves emails in multi drop mode an attempt will be made to re construct the original recipient from the cont...

Page 188: ...ocal domain When retrieving emails from the mailboxes listed here an attempt will be made to reconstruct the original recipient from the contents of the email The email will then be delivered to the recognised recipient If SX GATE was not able to deduce the original recipient the email will be delivered to the administrator instead Although it is possible to specify multiple multi drop mailboxes p...

Page 189: ...ify the period of time after which SX GATE will re attempt to deliver queued mails If the available datarate of your Internet connection is rather low you should choose a rather long period Otherwise repeatedly failing emails could use up datarate considerably Moreover a long interval is advisable if your Internet connection is charged by data volume Scheduled mail retrieval Schedule for polling P...

Page 190: ...ed between SX GATE and the L2TP IPSec client Besides the possibility of using the stronger certificate based authentication VPN will encrypt every L2TP packet and ensure the authenticity of all data packets Recapitulating when an L2TP client communicates with a device inside the LAN between the client and SX GATE the payload is embedded in L2TP which in turn is embedded in IPSec packets Any router...

Page 191: ...e You can add an optional alternative name to the subject Enter either the DNS name or the Internet IP of SX GATE It is not necessary to fill something in unless MacOS VPN clients are used MacOS clients expect the server certificate to contain a subject alternative name It must contain the server address as configured in the MacOS client Key strength Old systems like e g Windows XP before SP3 migh...

Page 192: ...ight no longer work Although it is basically possible to have more than one trusted CA on SX GATE you can specify only one to keep it more simple If anyhow the certificates of the peers have been issued by different CAs you have to make a decision which of them is to be the trusted CA For all other connections you have to stick to the other authentication mode which requires the import of the peer...

Page 193: ...ch The switch will set the port of the tunnel s local end to 0 L2TP IP addresses IP addresses assigned to L2TP clients Insert the IP addresses which SX GATE will assign to the peers The IPs must no be in use elsewhere If possible you should enter IPs from the network the L2TP client wants to connect with This network has to be directly connected to SX GATE The number of IP addresses specified here...

Page 194: ...ver the clients have to authenticate themselves with login and password Only members of the SX GATE group system ras are able to do so This control shows you to which users this right has been granted and which users are not able to connect To add or remove several users at a time you can select multiple entries from the respective list Hold down the CTRL key while selecting a user to accomplish t...

Page 195: ...all the reverse tunnel might be the only option to grant access for technical support Via Internet incoming With this option the wizard will help you to modify the firewall policy of SX GATE so that technical support can connect via Internet using Secure Shell Furthermore the wizard allows you to disable or delete the relevant firewall rules Via ISDN dial in Technical support can use a direct ISDN...

Page 196: ...ocumentation or ask the person who s in charge of the PBX The SX GATE ISDN card must be connected to a plug providing an ISDN S0 bus Point to multipoint is assumed however technical support can enable point to point mode ISDN protocol First of all select the appropriate D channel protocol If the SX GATE ISDN card is connected directly to a socket of your telephone company then all over Europe you ...

Page 197: ...ort numbers may already be entered by default In this case you might see almost identical entries some of them with the prefix 0 This call prefix might be necessary when SX GATE is connected to a PBX If you know for sure whether you need to dial the prefix 0 or not you should delete the improper entry Verify incoming calls Accept incoming calls for calling numbers You can store particular numbers ...

Page 198: ... insert or delete the required rules here If there are no rules in the list no inbound SSH connections will be accepted If SX GATE is protected by one or more upstream firewalls the policy of these firewalls will have to allow incoming Secure Shell connections too Please ask technical support for their IP address and the correct port range to insert Save the changes Yet no changes have been made t...

Page 199: ...at the top 14 1 1 A General 199 14 1 1 B ISDN 201 14 1 1 C IPSec Parameters 202 14 1 1 D VPN Certificate 202 14 1 1 E Trusted VPN CA 205 14 1 1 A General IPv6 This setting enables or disables SX GATE s IPv6 support Router mode Select this option if SX GATE should advertise itself as an IPv6 router in your network Host mode If SX GATE is used as e g proxy or mail relay server in a DMZ this option s...

Page 200: ...luster configuration as source IP Finally sync the new rule to the master fallback on failure When this option is activated the system will switch automatically to the configured interface whenever the Internet connection is interrupted An ADSL connection is considered broken if the PPP connection is down For other interface types ping is used to check if the servers from a customizable list of ad...

Page 201: ...DN hangup several minutes after ADSL has been tested successfully Fallback mail notification Notifications about a fallback will be sent to this email address Alive check using ping to SX GATE checks the connection by regularly pinging the addresses from this list You can select IP objects too however only IP addresses will be used and networks will be ignored 14 1 1 B ISDN ISDN protocol Here you ...

Page 202: ...hey are passed on to the encryption stage Choose a value which is low enough so that no in transit fragmentation of the encrypted packets is necessary Note however that a lower MTU reduces the throughput Non unique IDs When disabled a new connection will terminate an existing connection with the same ID This is important for dial up clients with dynamic IP addresses as it will clean up broken conn...

Page 203: ...ther SX GATE Import VPN server key pair Select file Please select the PKCS 12 file or the setup archive containing the PKCS 12 file The import password is required to open the PKCS 12 file Check VPN server certificate Please check the contents of the PKCS 12 file and the contents of the currently installed certificate Depending on the authentication mode the installation of the new certificate mig...

Page 204: ...rface will be created the IPSec service will be started and other configuration option will be changed as required If an IPSec connection with the same name exists it will be replaced Issue local VPN server certificate With this function you can issue or renew the certificate of SX GATE s own VPN server The new certificate will be signed by the SX GATE CA and is valid for up to 6 years Issue new V...

Page 205: ...gned By pressing the Finish button the new VPN server key will be installed Backup key pair The key pair can be exported in PKCS 12 format to save a backup Please note that this export also contains the private key which must be kept secret There s no way to restore a purchased certificate without backup 14 1 1 E Trusted VPN CA Certificate based authentication usually implies checking if the prese...

Page 206: ... been deleted VPN connections will no longer be accepted if the presented X 509 certificate was issued by the formerly trusted CA As an exception a connection will still be accepted if the public key of the peer was imported into SX GATE for authentication purposes Import certificate revocation list Here you can install the recent certificate revocation list CRL of the trusted CA A CRL offer the p...

Page 207: ... GATE are numbered consecutively starting with 0 Thus the interface eth2 refers to the third Ethernet adapter VLAN 802 1Q vlan VLAN interfaces are logical network interfaces which tag frames according to the IEEE 802 1Q standard A VLAN interface must be assigned to an ethernet adapter The interface number of the created VLAN corresponds to its VLAN tag Acceptable values are 1 through 4094 Packets ...

Page 208: ...e an OpenVPN server instance with an individual setup Usually a single server instance is sufficient as it can handle multiple clients IPSec VPN ipsec Interfaces of this type are logical interfaces An ipsec interface has to be associated with an other interface This will add VPN functionality to this host interface You can create up to four ipsec interfaces numbered 0 to 3 Only ipsec0 supports hos...

Page 209: ...ary network interface eth0 a static IP is mandatory So this setting is not available for eth0 automatic IP DHCP For example if a cable modem is used to connect SX GATE with the Internet the IP address might be assigned dynamically by DHCP Select the corresponding option in this case Dual Stack Lite DS Lite This option is only available if IPv6 is enabled With DS Lite your Internet connection is IP...

Page 210: ...dress of the interface eth0 must be changed at System Setup The IP address assigned here may not be part of an IP subnet which has already been assigned to an other Ethernet or VLAN interface IPv4 netmask Here you have to specify the netmask corresponding to the IP address IPv4 default gateway Simplifying things a default gateway is a router linking to the Internet If such a router is connected to...

Page 211: ...x length ist 64 With prefix lengths greater than 64 some IPv6 features like e g SLAAC no longer work Use large prefixes only when you understand the implications IPv6 default gateway If a router is attached to the current interface which provides Internet connectivity you can enter its IP address here You can either enter a global address or a link local address fe80 IPv6 privacy extension RFC3041...

Page 212: ...he SX GATE firewall to accept the network on this interface Enter the IP address of the router as gateway The router s IP address must always be part of the same IP network as the IP of SX GATE The remote network in contrast must address a different network Use the special value 0 0 0 0 if the gateway IP is assigned with DHCP Rules for specific protocols or sources come into play if multiple inter...

Page 213: ...nt to all network devices by multicast Router preference The preference value can influence which router a client selects if it has multiple routers to choose from Some devices ignore this option or must be configured to consider it Send router advertisements to If you decided that router advertisements should be sent by unicast to individual clients only you have to configure the clients link loc...

Page 214: ...thout domain can be configured with RA But this extension is also not widely supported yet Published routes You can use router advertisements to announce routes to individual IPv6 prefixes Some devices ignore this option or must be configured to consider it 14 1 2 1 D Bandwidth management QoS For bandwidth management you have to fill in the available bandwidth Uplink and downlink may be different ...

Page 215: ...ovider guaranteed Quality of Service bandwidth management is often very expensive so inbound bandwidth managment is an option despite of its limitations Inbound bandwidth management reduces the available bandwidth by up to 20 It requires that an adequate amount of the inbound data volume is covered by TCP connections Quality of Service QoS for Voice over IP VoIP For VoIP the latency time i e the t...

Page 216: ...Enter the net bandwidth of the codec to be used Take the codec with the largest bandwidth if different codecs are in use When calculating the total required bandwidth the system will automatically take the IP overhead into account Lower bandwidth consumption causes more overhead Max number of calls via IPSec Enter the expected maxium number of simultaneous calls over VPN on this interface It is us...

Page 217: ...sses with lower priority The minimum bandwidth is assigned as follows The bandwidth required for VoIP according to the configuration is reserved and subtracted from the total available bandwidth Of the remaining bandwidth 10 goes to empty TCP ACK packets 50 to packets with high priority and 20 to packets with normal and low priority respectively Inbound traffic shaping treats all non TCP packets a...

Page 218: ...ocessed by inbound packets from port 80 by outbound bandwidth management The double arrow combines both directions External IP network Viewed from the perspective of the selected interface you can enter a remote address here This corresponds to the destination IP of outbound packets and the source IP of inbound packets Priority Select the priority for matching packets 14 1 2 1 F Dynamic DNS With d...

Page 219: ... have to specify the server which accepts and processes the IP address update messages This server may be different to the webserver of the dynamic DNS provider Update URL Here you have to specify the update URL aka direct URL for updating the dynamic IP address The URL may have the placeholders host ipaddr username and password that will be substituted by the dynamic DNS name the IP address the u...

Page 220: ...tant rulesets are always enabled The rulesets on this tab may be added as appropriate Web server attacks Enables specific rules to detect attacks against web and FTP servers Mail server attacks Enables specific rules to detect attacks against SMTP IMAP4 and POP3 servers Internet server attacks Enables specific rules to detect attacks against other typical internet services like DNS or SIP VoIP LAN...

Page 221: ... enables a list of IP addresses which belong to dubious organizations or the Tor anonymization network 14 1 2 1 J Ethernet If autonegotiation of network link parameters fails you can switch to manual configuration Not all network card drivers support a manual configuration Speed Please select the required network device speed Duplex Please select the required duplex mode 14 1 2 1 K Info Descriptio...

Page 222: ...anual IP If this option is selected all IPv6 parameters have to be configured manually Router advertisements will be ignored automatic IP SLAAC DHCPv6 Choose this option and SX GATE will automatically determine its IPv6 configuration based on the router advertisements it receives 14 1 2 2 A IP addresses IPv4 address Specify the IPv4 address that the corresponding SX GATE interface should use as it...

Page 223: ...resses of different networks if multiple IP subnets share the same physical Ethernet IPv6 address Enter an IPv6 address for this interface If the address is based on a delegated prefix please add an entry of type IPv6 address in menu Definitions IP objects which refers to the prefix IPv6 prefix length The IPv6 prefix length is the equivalent to IPv4 netmasks The typical prefix length ist 64 With p...

Page 224: ... considering only the packet s destination but also extended rules which include source addresses protocol and port numbers policy based routing Static routes must be added if there are other networks which are not directly connected to the network card but can be addressed via a router Specify the network address and the netmask of this remote network this will automatically instruct the SX GATE ...

Page 225: ...ectivity for the whole network Router advertisements will be sent to a list of manually configured clients enabled Select this option and router advertisements will be sent to all network devices by multicast Router preference The preference value can influence which router a client selects if it has multiple routers to choose from Some devices ignore this option or must be configured to consider ...

Page 226: ...is purpose too DNS suffix DNSSL The DNS suffix for resolving host names without domain can be configured with RA But this extension is also not widely supported yet Published routes You can use router advertisements to announce routes to individual IPv6 prefixes Some devices ignore this option or must be configured to consider it 14 1 2 2 D Bandwidth management QoS For bandwidth management you hav...

Page 227: ...provider guaranteed Quality of Service bandwidth management is often very expensive so inbound bandwidth managment is an option despite of its limitations Inbound bandwidth management reduces the available bandwidth by up to 20 It requires that an adequate amount of the inbound data volume is covered by TCP connections Quality of Service QoS for Voice over IP VoIP For VoIP the latency time i e the...

Page 228: ...d Enter the net bandwidth of the codec to be used Take the codec with the largest bandwidth if different codecs are in use When calculating the total required bandwidth the system will automatically take the IP overhead into account Lower bandwidth consumption causes more overhead Max number of calls via IPSec Enter the expected maxium number of simultaneous calls over VPN on this interface It is ...

Page 229: ...lasses with lower priority The minimum bandwidth is assigned as follows The bandwidth required for VoIP according to the configuration is reserved and subtracted from the total available bandwidth Of the remaining bandwidth 10 goes to empty TCP ACK packets 50 to packets with high priority and 20 to packets with normal and low priority respectively Inbound traffic shaping treats all non TCP packets...

Page 230: ...n the port signature of the selected protocol has to be applied Let s take the HTTP protocol as an example The arrow means the HTTP port 80 is on the external side So outbound bandwidth management will process packets to port 80 inbound bandwidth management packets from port 80 With you will get the opposite Packets to port 80 are processed by inbound packets from port 80 by outbound bandwidth man...

Page 231: ...0 14 1 2 3 J Dynamic DNS 242 14 1 2 3 K Info 243 Type of line With this control you enable leased line capabilities for the selected interface To connect an ISDN leased line to SX GATE a dedicated ISDN card is required First of all the D channel protocol must have been assigned correctly to determine which ISDN card is used for the leased line Please refer to Modules Network Settings if this has n...

Page 232: ... intended for dial in of single device e g PC An attempt will be made to integrate the user transparently into the local network using proxy ARP Here the user s allocated IP address must be a free IP address from one of the networks which are directly connected to SX GATE no authentication Here SX GATE will refuses to authenticate itself and it will not require the peer to authenticate A typical e...

Page 233: ...the list contains more than one number and the dialed number does not respond the next number will be called After the last number from the list dialing will continue with the first number again If no connection was established after 5 attempts per number dialing will be aborted until triggered again If SX GATE is connected to a PBX the phone number might have to be prefixed e g by a 0 Own MSN EAZ...

Page 234: ...lling the numbers specified as Numbers to dial B channel callback with SX GATE accepting an incoming call authenticating the user and then triggering the call back is not supported SX GATE calls back If this option is selected an acceptable incoming call will be rejected Then a call is triggered to the numbers listed at Numbers to dial peer calls back Selecting this option SX GATE will expect a ca...

Page 235: ...oming calls on this interface Callers that have disabled the transmission of the caller ID will be assigned 0 as caller ID 14 1 2 3 D Idle hangup Length of a charge unit To optimise the idle hangup of the ISDN connection please insert the duration of a charge unit Hangup right before next charge unit if idle for If no more data is transferred during the time stated here the line will be automatica...

Page 236: ...n t want to define The current statistics of the connection are displayed too The counters will start to increase as soon as the IP connection has been established completely If for instance the ISDN connection succeeds but the login at the provider fails the ISDN connection will not be detected Email warning after connection time These limits will apply to the total time of the current connection...

Page 237: ...h lines In general the provider charges extra fees for the second line as well Trigger 2nd channel when Whenever the specified bandwidth is used for the given period of time the second ISDN channel is added to the Internet link 14 1 2 3 G Routing Policy Routing On this tab you can configure static routing entries You can add conventional routes considering only the packet s destination but also ex...

Page 238: ... uncertain Outbound bandwidth uplink Enter the uplink bandwidth For asymmetric connections this is usually the lower value Bandwidth management will then process all outbound packets on this interface The direction of the corresponding connection inbound or outbound doesn t matter Inbound bandwidth downlink Enter the downlink bandwidth For asymmetric connections this is usually the higher value Ba...

Page 239: ...he codec defines the compression of a VoIP call The more compression is applied the less bandwidth is consumed however also the quality decreases The following table shows the net bandwidth required by commonly used codecs Some codecs are used at different bandwidths In this case the maximum bandwidth is given Codec max bandwidth bit s G 711 64000 G 722 64000 G 722 1 32000 G 723 1 6400 G 726 40000...

Page 240: ...width of the link must not be exceeded Bitrate of the codec used in IPSec Enter the net bandwidth of the codec to be used Take the codec with the largest bandwidth if different codecs are in use When calculating the total required bandwidth the system will automatically take the IP and the IPSec overhead into account Lower bandwidth consumption causes more overhead 14 1 2 3 I Priorities Use this f...

Page 241: ...rity rule to specific local IPs usually requires two rules to catch both in and outbound packets For inbound packets you would enter a SX GATE IP for outbound packets the internal IP of the LAN client or the server addressed with DNAT Direction Decide in which direction the port signature of the selected protocol has to be applied Let s take the HTTP protocol as an example The arrow means the HTTP...

Page 242: ... the new dynamic IP address This is because the DNS servers used to resolve the hostname might have cached the old entry The maximum period of time Time To Live TTL the DNS record can be cached is configured by the dynamic DNS provider Please refer to the provider for further information Dynamic DNS is offered by many different providers Some offer this service for free others charge for it Protoc...

Page 243: ... to specify the password for the dynamic DNS account Check update Check live if DynDNS update is working 14 1 2 3 K Info Description This field serves for documentation only 14 1 2 4 ISDN HDLC RawIP isdn The configuration options in this menu are structured by topic You can change between the different screens by clicking on the tabs at the top 14 1 2 4 A Connection 244 14 1 2 4 B ISDN parameters ...

Page 244: ...interface isdn0 is always 172 18 0 1 14 1 2 4 B ISDN parameters Numbers to dial Enter here the number that is to be dialed If no number is specified then outgoing calls via this interface are not possible If the list contains more than one number and the dialed number does not respond the next number will be called After the last number from the list dialing will continue with the first number aga...

Page 245: ...back If you want to use D channel callback on this interface select the requested direction With D channel callback an incoming call is detected but not accepted so it won t be charged Then the callback is initiated calling the numbers specified as Numbers to dial B channel callback with SX GATE accepting an incoming call authenticating the user and then triggering the call back is not supported S...

Page 246: ...ended access control Here you can determine if this interface will accept calls from any caller or only if a specific caller ID is sent Accept calls from Enter the list of numbers of acceptable caller IDs for incoming calls on this interface Callers that have disabled the transmission of the caller ID will be assigned 0 as caller ID 14 1 2 4 D Idle hangup Length of a charge unit To optimise the id...

Page 247: ...r Specify the network address and the netmask of this remote network this will automatically instruct the SX GATE firewall to accept the network on this interface Rules for specific protocols or sources come into play if multiple internet links are available One could for instance direct web traffic via an ADSL link while all the other traffic like emails and VPN uses an SDSL line The evaluation o...

Page 248: ...ing of data packets waiting to be transmitted ususally has to be done on the sending side of the Internet link Only there it can be done in a reliable way After all the packet has already been transmitted on the receiver side However Internet connectivity with provider guaranteed Quality of Service bandwidth management is often very expensive so inbound bandwidth managment is an option despite of ...

Page 249: ...the expected maxium number of simultaneous calls on this interface It is used to calculate the overall bandwidth that needs to be reserved for VoIP traffic The value 0 will disable this feature The total bandwidth of the link must not be exceeded Bitrate of the codec used Enter the net bandwidth of the codec to be used Take the codec with the largest bandwidth if different codecs are in use When c...

Page 250: ...the IP and the IPSec overhead into account Lower bandwidth consumption causes more overhead 14 1 2 4 H Priorities Use this feature to determine the priority of outgoing data packets A proportional minimum bandwidth is assigned to each priority class Unused bandwidth of a class will be used by classes with lower priority The minimum bandwidth is assigned as follows The bandwidth required for VoIP a...

Page 251: ...d packets the internal IP of the LAN client or the server addressed with DNAT Direction Decide in which direction the port signature of the selected protocol has to be applied Let s take the HTTP protocol as an example The arrow means the HTTP port 80 is on the external side So outbound bandwidth management will process packets to port 80 inbound bandwidth management packets from port 80 With you ...

Page 252: ...e provider assigns both an IPv4 and an IPv6 address The IPv4 address may be an internal IP address according to RFC 1918 which is then translated by the provider Carrier Grade NAT Dual Stack Lite DS Lite With DS Lite your Internet connection is IPv6 only IPv4 packets are tunneled via the IPv6 connection to a specific gateway of your provider This is where the IPv4 packet will get its final sender ...

Page 253: ...X GATE you can establish an Internet connection with UMTS GPRS Login Insert the login here that SX GATE uses to sign on to the peer For UMTS connections it is not always necessary to enter credentials It depends on the provider Password Enter the password here that is used when the peer asks SX GATE to authenticate with PAP or CHAP APN Please ask your UMTS provider for the Access Point Name PIN If...

Page 254: ...s are used to connect with the DSL modem Please ask your provider for the correct VLAN ID Idle hangup Here you can determine when the DSL dial up connection has to be established and disconnected The dial up connection can be established automatically whenever data has to be transmitted to the Internet It will be disconnected when no data has been transmitted for a configurable period of time Alte...

Page 255: ... The IPv6 prefix length is the equivalent to IPv4 netmasks The typical prefix length ist 64 but your provider might have told you a higher value IPv6 privacy extension RFC3041 A dynamic IPv6 address derived with SLAAC is based on the hardware address of the network card So it can be tracked worldwide easily Enable this option and SX GATE will add a temporary random address which is preferred IPv6 ...

Page 256: ...e precedence over rules with protocol These in turn have a higher priority than rules with a source Within source and destination rules are sorted by descending netmasks The evaluation order of overlapping protocol specifications is not defined 14 1 2 5 D Bandwidth management QoS For bandwidth management you have to fill in the available bandwidth Uplink and downlink may be different ADSL Leave em...

Page 257: ...of the inbound data volume is covered by TCP connections Quality of Service QoS for Voice over IP VoIP For VoIP the latency time i e the time it takes for a voice packet to travel from sender to recipient is very important Hence SX GATE s traffic shaper optimizes delivery of VoIP data packets with a special quality of service module In order to be recognized as VoIP packet a data packet needs to b...

Page 258: ...ing the total required bandwidth the system will automatically take the IP overhead into account Lower bandwidth consumption causes more overhead Max number of calls via IPSec Enter the expected maxium number of simultaneous calls over VPN on this interface It is used to calculate the overall bandwidth that needs to be reserved for VoIP traffic The value 0 will disable this feature Wenn enabled Vo...

Page 259: ...width 10 goes to empty TCP ACK packets 50 to packets with high priority and 20 to packets with normal and low priority respectively Inbound traffic shaping treats all non TCP packets as high priority Priorization of connections Use this list to assign a higher or lower priority to specific data packets If more than one rule matches the priority of the topmost rule will be used The following inputs...

Page 260: ...ns External IP network Viewed from the perspective of the selected interface you can enter a remote address here This corresponds to the destination IP of outbound packets and the source IP of inbound packets Priority Select the priority for matching packets 14 1 2 5 F Dynamic DNS With dynamic DNS it is possible to address a device which it is connected to the Internet with a dynamic IP address Us...

Page 261: ...ere you have to specify the server which accepts and processes the IP address update messages This server may be different to the webserver of the dynamic DNS provider Update URL Here you have to specify the update URL aka direct URL for updating the dynamic IP address The URL may have the placeholders host ipaddr username and password that will be substituted by the dynamic DNS name the IP addres...

Page 262: ... will be generated In addition the interface will be disabled To enable a stopped interface you have to restart the corresponding service Leave the input fields blank for all those limits you don t want to define The current statistics of the connection are displayed too The counters will start to increase as soon as the IP connection has been established completely If the ADSL connection succeeds...

Page 263: ...o this command will not restart a disabled interface You have to restart the corresponding service at System Services 14 1 2 5 H Ethernet If autonegotiation of network link parameters fails you can switch to manual configuration Not all network card drivers support a manual configuration Speed Please select the required network device speed Duplex Please select the required duplex mode 14 1 2 5 I ...

Page 264: ...s which SX GATE will assign to the peers If these IP addresses belong to the IP range of one of the networks which are directly connected to SX GATE a proxy ARP entry will be added as well With this the remote device will become a member of the network The number of IP addresses specified here will determine the maximum number of concurrent L2TP connections You can add a block of addresses by ente...

Page 265: ... multi subnetted networks WINS 2 Here you can enter a secondary WINS server 14 1 2 6 C Info Description This field serves for documentation only 14 1 2 7 OpenVPN Client ovpnc The configuration options in this menu are structured by topic You can change between the different screens by clicking on the tabs at the top 14 1 2 7 A OpenVPN Server 265 14 1 2 7 B Authentication 267 14 1 2 7 C Encryption ...

Page 266: ...bute so don t choose this option if the server uses such a certificate certificate usage server If this option is selected the connection will be established only if the server presents a certificate which contains a keyUsage attribute with a value of digitalSignature plus either keyEncipherment or keyAgreement In addition an extendedKeyUsage attribute with the value TLS Web Server Authentication ...

Page 267: ... configuration file this connection s configuration parameters are adjusted as necessary The imported key and the certificates are not included in SX GATE s backups Please keep the file you use for import as a backup Make sure it is protected as it includes a private key 14 1 2 7 C Encryption Hash algorithm Please select the hash algorithm configured on the server for authentication of the individ...

Page 268: ...nel 268 14 1 2 8 B Encryption 270 14 1 2 8 C DHCP options 270 14 1 2 8 D Info 270 14 1 2 8 A VPN Tunnel Wrapper protocol OpenVPN can either wrap the actual data in UDP or in TCP packets UDP is the recommended protocol Switch to TCP if the individual situation requires it You might want to add a second OpenVPN server interface and select the other protocol in there The client can then choose the pr...

Page 269: ...ses 4 2 number of connections With a netmask of 255 255 255 0 this yields 256 4 2 62 connections IPv6 transfer network This parameter determines the IPv6 pool assigned to clients The network you configure here must not be used otherwise We recommend spending a full 64 address block however smaller address blocks may be used here If you are running multiple OpenVPN server interfaces they all must a...

Page 270: ...ct the transmissions This setting corresponds to the OpenVPN configuration parameters cipher and if applicable keysize All ciphers use CBC mode 14 1 2 8 C DHCP options Assign DNS server With this setting you will determine which name server the client will use Secondary DNS If required you can enter an additional name server here WINS 1 Here you can specify the primary WINS server WINS is required...

Page 271: ...it here Assigned IPv4 transfer network In the OpenVPN server interface configuration an IP range has been reserved for the dynamic allocation of transfer networks to clients If you need to assign a specific IPv4 transfer network i e a static IPv4 address you can define it here With the IP address you enter here you actually select a four IP address transfer network The client will get the third IP...

Page 272: ...red by topic You can change between the different screens by clicking on the tabs at the top 14 1 2 10 A Common settings 272 14 1 2 10 B Dynamic peer setup 273 14 1 2 10 C Priorities 273 14 1 2 10 D Info 275 14 1 2 10 A Common settings Host interface Here you can select the interface which is linked to the ipsec interface This adds VPN functionality to the host interface You can operate an arbitra...

Page 273: ...m length of the preshared key depending on the cipher and hash algorithm are Encryption Hash Characters 3DES MD5 SHA1 14 AES 128 SHA2 256 22 AES 256 SHA2 512 43 IKE proposals phase 1 A phase 1 proposal combines a cipher with a hash algorithm and a Diffie Hellman group It is used to secure the communication between two IKE servers If no proposals have been entered here all proposals the SX GATE can...

Page 274: ...ions Protocols Local IP network Viewed from the perspective of the selected interface you can enter a local address here This corresponds to the source IP of outbound packets before SNAT and the destination IP of inbound packets before DNAT When SNAT or DNAT is involved restricting a priority rule to specific local IPs usually requires two rules to catch both in and outbound packets For inbound pa...

Page 275: ...bin icon to delete entries Connection with First of all you have to decide which type VPN connection you want to add Server A server can have either a static or a dynamic IP address Typically you want to establish a VPN connection with a network which is situated behind the server In this case the server is in fact a VPN gateway For each server you have to add a connection of its own Client A clie...

Page 276: ...ate name 14 1 2 11 1 Connection with Server The configuration options in this menu are structured by topic You can change between the different screens by clicking on the tabs at the top 14 1 2 11 1 A VPN Tunnel 276 14 1 2 11 1 B Authentication 278 14 1 2 11 1 C Phase 1 280 14 1 2 11 1 D Phase 2 281 14 1 2 11 1 E Connection 282 14 1 2 11 1 F Commands 283 Peer has Use this control to determine if t...

Page 277: ...rks The VPN connection will be established with the networks you specify here To add a connection to a single host you have to supply its IP If no local networks have been specified the target of the VPN connections will be the SX GATE itself Tunnel SX GATE remote server If you have specified local or remote networks there will be no VPN connection between SX GATE itself with its external IP and t...

Page 278: ...s method Whenever the peer changes its certificate e g after expiration the new public key has to be imported before the VPN connection can be reestablished The administration effort will increase with the number of peers A certificate is only valid for a certain period of time e g 1 year Certificate by CA This is the commonly used and recommended way for certificate based authentication The peer ...

Page 279: ...ith PSK If a peer with static IP has been configured its external IP is expected as ID In case the peer uses a different IP e g because it is situated behind a NAT router a hostname FQDN or an email address USER FQDN as its ID you must supply it here For a peer with dynamic IP it makes sense to configure a static ID on the peer and configure this ID here This reduces the risk that the wrong party ...

Page 280: ...data i e a Distinguished name DN is expected as the peer s ID It is not possible to enter an IP address or DNS name as ID here This setting must be adjusted whenever the peer changes its ID e g because it received a new certificate and the new certificate s DN differs from the old one Import public key Here you can specify the public key of the peer If the peer s certificate was issued by the loca...

Page 281: ...ly for 120 seconds the connection is terminated In case of a peer with static IP address SX GATE tries to negotiate a new connection The peer needs to support DPD according to RFC3706 if you want to use this feature In case of an expensive dialup connection e g ISDN using DPD can become pretty expensive Data is sent every 30 seconds so the connection will stay online all the time IPComp compressio...

Page 282: ...s option enables using the draft 96 bits version to interop with those implementations Another workaround is to switch from sha2_256 to sha2_384 or sha2_512 ESP proposals The phase 2 proposals determine acceptable ciphers and hash algorithms for the actual data transmission If no proposals have been entered here all proposals SX GATE supports are accepted As initiator it will propose all combinati...

Page 283: ...e the gateway If SX GATE and the peer are members of the same network segment please select the corresponding option 14 1 2 11 1 F Commands Action This control allows you to manually change the connection state Whenever the IPSec service is restarted e g when altering the setup the default connection state as configured on tab Connection is restored Re establish connection If applicable the connec...

Page 284: ...works have been specified the target of the VPN connections will be SX GATE itself Tunnel SX GATE Client If you have specified local networks there will be no VPN connection between SX GATE itself with its external IP and the client Activate this option to add this connection Virtual IP Mode Config The IPSec extension mode config lets you assign an IP address to the client to be used for connectio...

Page 285: ...ient must be imported on SX GATE Drawback of this method Whenever the peer changes its certificate e g after expiration the new public key has to be imported before the VPN connection can be reestablished The administration effort will increase with the number of peers A certificate is only valid for a certain period of time e g 1 year If you still want to use this option please create a similar c...

Page 286: ...ttempt of the peer to establish a VPN connection with SX GATE A client with dynamic IP which identifies itself by its IP must provide an option to set a static ID Otherwise it is not identifiable by ID Remote ID with CA based authentication Limit access to this connection to a single peer by entering the peer s ID If you don t know the peer s ID you can find it in the logs after an attempt of the ...

Page 287: ...is still alive The check is only performed when the link is idle If there s no reply for 120 seconds the connection is terminated In case of a peer with static IP address SX GATE tries to negotiate a new connection The peer needs to support DPD according to RFC3706 if you want to use this feature In case of an expensive dialup connection e g ISDN using DPD can become pretty expensive Data is sent ...

Page 288: ...ed This setting will deactivate the corresponding VPN connection Routing gateway For proper setup of the routing table you have to provide the gateway If SX GATE and the peer are members of the same network segment please select the corresponding option 14 1 2 11 2 F Commands Action This control allows you to manually change the connection state Whenever the IPSec service is restarted e g when alt...

Page 289: ...ec To enable mode config please supply an IP address range to be assigned to the clients The number of IP addresses determines the maximum number of simultaneously connected clients In addition it is possible to assign user specific XAuth addresses in the user administration A user with an individual IP does not claim an address from the pool configured here thus increasing the number of possible ...

Page 290: ...alid for a certain period of time e g 1 year If you still want to use this option please create a similar connection for each client and import the corresponding certificate any certificate signed by trusted CA This is the commonly used and recommended way for certificate based authentication The client is accepted if it presents a certificate which has been issued by a Certificate Authority CA wh...

Page 291: ...t is not identifiable by ID Remote ID with CA based authentication Limit access to this connection to a single peer by entering the peer s ID If you don t know the peer s ID you can find it in the logs after an attempt of the peer to establish a VPN connection with SX GATE Certificate data i e a Distinguished name DN is expected as the peer s ID It is not possible to enter an IP address or DNS nam...

Page 292: ...connection will stay online all the time Perfect forward secrecy Perfect forward secrecy PFS for phase 2 enhances the security of a VPN connection An intruder who manages to access the preshared key or the private key of a VPN will not be able to decrypt a recorded VPN session when PFS is active Setting PFS to optional is not recommended but may be necessary for interoperability with other IPSEC i...

Page 293: ...routing table you have to provide the gateway If SX GATE and the peer are members of the same network segment please select the corresponding option 14 1 2 11 3 F Commands Action This control allows you to manually change the connection state Whenever the IPSec service is restarted e g when altering the setup the default connection state as configured on tab Connection is restored Wait for inbound...

Page 294: ...s to be kept secret and a corresponding public key which does not have to be protected In contrast authentication by preshared key can be compared to a simple password authentication Both peers have to know this key which of course has to remain secret This method is however a bad choice for client connections as every connection which involves dynamic IPs has to use the same preshared key specifi...

Page 295: ... certificates will become invalid However a CA certificate is usually valid for a longer period of time e g 10 years Preshared key Using this setting the peer will be authenticated by a preshared key All connections with dynamic IPs involved must use the same key Therefore it is configured along with the settings of the ipsec interface and not with the connection specific settings Remote ID with P...

Page 296: ...ecify the public key of the client If the client s certificate was issued by the local SX GATE CA you can copy it from there Otherwise you have to import it from a file in PEM format You have to import the public key of the client itself and not the public key of the issuing Certification Authority CA 14 1 2 11 4 B Phase 1 The IKE proposals configured for peers with dynamic IP will always apply 14...

Page 297: ...als determine acceptable ciphers and hash algorithms for the actual data transmission If no proposals have been entered here all proposals SX GATE supports are accepted 14 1 2 11 4 D Connection Connect Here you can enable or disable the VPN connection wait for incoming connection Here SX GATE waits for the peer to establish the connection disabled This setting will deactivate the corresponding VPN...

Page 298: ...nd for this bug You can disable the workaround with this switch SX GATE then treats the XP client as if it were directly connected to the Internet without NAT router using a valid IP address This was the behaviour of SX GATE up to and including version 5 1 Disable the workaround if the same internal IP address was assigned to multiple XP clients by their respective NAT router All of them will then...

Page 299: ...setup the default connection state as configured on tab Connection is restored Wait for inbound connections All established connections will be closed SX GATE waits for the peers to re establish the connection Disable connections Abort all connections For the time being it will not be possible to re connect ...

Page 300: ...within the same interface Only Ethernet and VLAN interfaces with Classification Trustlevel LAN high in the firewall configuration will be considered 14 2 1 B Intrusion Detection The Intrusion Detection System IDS of SX GATE analyses IP packets to detect potential security violations The IP header information as well as the actual payload is examined The analysis is based on a signature database Th...

Page 301: ... Local networks Some IDS rules distinguish between internal and external IP addresses Here you configure which addresses are considered to be internal Static IPs of Internet interfaces are automatically appended to the list Additional IPS rules against Web server attacks Enables specific rules to detect attacks against web and FTP servers Additional IPS rules against mail server attacks Enables sp...

Page 302: ...o be defined in the right place In the following explanation the term incoming interface refers to the interface through which the initial packet of a connection is received by SX GATE The outgoing interface is the interface through which a connection s initial packet leaves SX GATE towards its destination There are four kinds of connections DNAT in DNAT also known as portforwarding changes the de...

Page 303: ...cil icon to enter the detail view The configuration options in this menu are structured by topic You can change between the different screens by clicking on the tabs at the top 14 2 2 A General 305 14 2 2 B DNAT 305 14 2 2 C Transp proxy 308 14 2 2 D SX GATE 310 14 2 2 E SX GATE 311 14 2 2 F SX GATE 313 14 2 2 G SNAT 314 14 2 2 H Options 316 Classification Trustlevel Use this control to define the...

Page 304: ... access the administration frontend with your browser The console will then be the only way to modify SX GATE s configuration Internet none Typically this option is used for interfaces connected to the Internet By default access from the Internet to SX GATE is denied The same applies to direct connections from systems in the LAN to the Internet To allow specific connections from the Internet to SX...

Page 305: ...stricted LAN high Choose this option to activate the least restrictive policy By default only direct internet access is limited for the respective networks Access to all other types of interfaces is granted To impose limitations here change to the option RAS medium 14 2 2 A General Description This field serves for documentation only Default policies The following table shows and partly even lets ...

Page 306: ... to group related entries Rules are evaluated in the given order The first match applies Hence more specific rules have to be moved above more general rules So e g a rule for a certain individual IP address must be moved above a rule which refers to the same protocol but an arbitrary IP address The following inputs are available Active Use this control to enable or disable a rule at any time Selec...

Page 307: ...re a rule for multiple individual clients or networks define a new group in menu Definitions IP objects or select an entry from the list of available groups You must not enter an address here if a dynamic IP is assigned to SX GATE to IP Please enter the new destination address here This may be an IP of SX GATE except 127 0 0 1 or likewise the IP of any other system Even for discard rules an addres...

Page 308: ...ctions of all clients connected to the selected interface regardless of source or destination IP To redirect connections only if specific addresses are involved you have to configure rules on tab DNAT instead As an example the redirection to SX GATE s web proxy will give you an idea which firewall rules are associated with the respective switches Let s assume SX GATE s IP address is 192 168 0 254 ...

Page 309: ...onnections to an Internet IP on TCP port 110 via SX GATE s POP3 proxy port 8110 port 25 SMTP to Enable this option to intercept direct SMTP connections to the Internet and redirect them to a service on SX GATE From the technical point of view the destination IP of connections to port 25 will be replaced by SX GATE s IP mail relay server Select this option to redirect the connection to SX GATE s ma...

Page 310: ... or disable a rule at any time Select date and time to configure a temporary firewall rule which is active until that point of time has been reached Log You can enable logging with this switch For TCP connections only the initial packet will be written to the log For all other IP protocols every packet is logged You should enable logging only for diagnostic purposes or for rules which are not used...

Page 311: ...ld will be included in the log if logging is enabled for this rule 14 2 2 E SX GATE Forwarding rules Any source destination A new entry is created by filling out the input fields and clicking on Add Select an existing entry and click Copy to use it as a template You can edit entries by clicking on the underlined items With Remove you can discard the currently selected line The Up and Down buttons ...

Page 312: ...denying a connection SX GATE can either silently discard the IP packet or reject it with an administratively prohibited ICMP reply message The latter indicates the reason for the connection failure to the sender Dest If you leave these fields blank the rule will apply to any destination IP To grant access to a single server only please enter its IP address To give access to a whole network specify...

Page 313: ...ntry and click Copy to use it as a template You can edit entries by clicking on the underlined items With Remove you can discard the currently selected line The Up and Down buttons help you to group related entries Rules are evaluated in the given order The first match applies Hence more specific rules have to be moved above more general rules So e g a rule for a certain individual IP address must...

Page 314: ...efinitions IP objects or select an entry from the list of available groups DoS If you like you can also activate the Denial of Service protection by the dynamic firewall For TCP the value refers to the maximum number of connections per source IP For all other protocols you specify the number of packets per source IP Comment Use this field for documentation Up to 14 characters from this field will ...

Page 315: ...ld enable logging only for diagnostic purposes or for rules which are not used frequently Otherwise your log files may grow rapidly Protocol Select one of the protocols from the list Each protocol represents a set of IP protocol and port definitions You will find the details in menu Definitions Protocols This is also where you can extend the list with your own protocol definitions Source zone Use ...

Page 316: ...dividual clients or networks define a new group in menu Definitions IP objects or select an entry from the list of available groups Comment Use this field for documentation Up to 14 characters from this field will be included in the log if logging is enabled for this rule 14 2 2 H Options Automatic blocking of suspicious IPs dynamic firewall The firewall continuously registers connection attempts ...

Page 317: ... that SX GATE itself is the destination of the traceroute If SX GATE is used as a firewall protecting a network with Internet IP addresses e g a DMZ this feature can be used to hide the internal network structure and the actually active servers to a certain extend ...

Page 318: ...indows parameters 320 14 3 E Custom options 321 14 3 F Dynamic IPv6 ranges 321 14 3 G Static IPv6 addresses 322 14 3 H DHCPv6 network parameters 322 14 3 A Dynamic IPv4 ranges Dynamically assigned IP ranges Here you can specify the IP addresses which SX GATE will assign to devices requesting an IP by DHCP Please make sure that none of the addresses entered here is already statically assigned to a ...

Page 319: ...s that the primary DHCP server is not available and will thus assign an IP address Please make sure that the IP address ranges assigned by the primary and the secondary DHCP servers do not overlap As the primary server is not aware of the existence of a secondary overlapping may result in a conflict 14 3 B Static IPv4 addresses Statically assigned IPv4 addresses In this screen you can direct the D...

Page 320: ...e SX GATE DHCP Server will assign this IP address as primary name server DNS 2 Optionally you can enter a secondary name server It will be considered by the clients whenever the primary DNS is not available or answers with a delay You can specify your provider s DNS server for example or a DNS server within your LAN 14 3 D Windows parameters The settings on this screen are useful for Microsoft Win...

Page 321: ...cast packets by Windows clients 14 3 E Custom options Custom DHCP options To meet specific demands you can define your own options here 14 3 F Dynamic IPv6 ranges Dynamically assigned IP range Here you can specify the IP addresses which SX GATE will assign to devices requesting an IP by DHCP Please make sure that none of the addresses entered here is already statically assigned to a device in the ...

Page 322: ...pter of one of the devices listed here is replaced the MAC address of the device will change Adjust the corresponding entry accordingly If the device is actually a router you can even assign an IPv6 prefix for distribution further downstream SX GATE will automatically configure the required route for the prefix The prefix must not overlap with other local networks In particular the IPv6 address as...

Page 323: ...ss as primary name server DNS 2 Optionally you can enter a secondary name server It will be considered by the clients whenever the primary DNS is not available or answers with a delay You can specify your provider s DNS server for example or a DNS server within your LAN ...

Page 324: ... order of their speed of response If you do not specify any name server here SX GATE will always forward queries to the so called root name servers In this case name resolution will usually take considerably longer Use specified forwarding name servers only This option allows you to control whether SX GATE is allowed to send queries to the Internet root name servers when the provider DNS is not av...

Page 325: ...DNSSec This will increase memory CPU and network bandwidth consumption Deny answers with private IPs Enable this switch to prevent DNS rebinding attacks Forwarding of DNS answers with private IPs from the networks 10 0 0 0 8 172 16 0 0 12 192 168 0 0 16 fe80 10 and fc00 7 will be denied Log all DNS queries With this switch you can log every request processed by the SX GATE DNS This can be especial...

Page 326: ... with the same priority for the same domain the client will choose a random entry On failure it will try the next address NS Defines a name server for a domain Specify the domain in the first and the name of the DNS in the second field If multiple entries are defined for the same domain the client will make a random selection If the corresponding DNS is not available it will try the next address S...

Page 327: ... address Some examples Class A 10 0 0 0 255 0 0 0 10 in addr arpa Input 10 Class B 10 5 0 0 255 255 0 0 5 10 in addr arpa Input 10 5 Class C 10 5 0 0 255 255 255 0 0 5 10 in addr arpa Input 10 5 0 If your provider made a so called classless in addr arpa delegation according to RFC 2317 you might have to enter something different here Keep in mind that the actual zone name differs from the name you...

Page 328: ...SX GATE s role for the DNS zone Master The entries in the zone file have to be configured on SX GATE in this case SX GATE is the start of authority SOA for this zone Slave In this mode SX GATE mirrors the contents of a DNS zone The contents cannot be modified on SX GATE To be able to perform zone transfers the address of the master name server has to be supplied on tab Access control Forward In co...

Page 329: ...the mail server for a domain Enter the mail domain the part behind the of an email address in the first field In the second field you have to specify the hostname of a mail server You can use absolute or relative names in both input fields The number specifies the priority The MX entry with the lowest priority will be tried first If the corresponding mail server is not available the mail servers w...

Page 330: ...e have been updated and therefore a zone transfer is required The serial number will be incremented automatically by SX GATE after each modification Nevertheless you can influence the serial number by specifying a value yourself If the local serial number is lower than on the mirrors it can cause inconsistencies Check the serials especially after restoring a backup 14 4 2 1 C NS Specify all author...

Page 331: ... you have to declare the zone to be public by activating this switch To enable DNS requests from the Internet to the SX GATE name server you most likely have to modify the firewall policy to accept incoming packets on port 53 for the protocols UDP and TCP Allow zone transfer for IP If this zone has to be mirrored by secondary name servers you have to add their IP addresses here SX GATE will accept...

Page 332: ...one transfers the address of the master name server has to be supplied on tab Access control Forward In contrast to the previous options SX GATE is not authoritative for the zone but rather forwards queries to an other name server 14 4 2 2 A Entries Userdefined entries Here you can define entries for the selected zone To specify NS records for the zone itself please use the tab specifically provid...

Page 333: ... the client will make a random selection If the corresponding DNS is not available it will try the next address Automatically add missing PTR entries All addresses which have not been mapped to hostnames by manually specifying a PTR record can be supplemented automatically This feature is not available for class A zones using hostname This option will determine the hostname of the automatically ad...

Page 334: ...the serials especially after restoring a backup 14 4 2 2 C NS Specify all authoritative primary and secondary name server for the selected zone This will add the respective NS records to the zone file Use the absolute addressing scheme with a trailing dot e g ns example com 14 4 2 2 D Access control Master This option is only available when SX GATE acts as a secondary server slave for this zone Pl...

Page 335: ...queries will be permitted Please refer to Modules DNS Settings tab Client access 14 4 2 3 IPv6 reverse lookup zone The configuration options in this menu are structured by topic You can change between the different screens by clicking on the tabs at the top 14 4 2 3 A Entries 336 14 4 2 3 B SOA 336 14 4 2 3 C NS 337 14 4 2 3 D Access control 337 14 4 2 3 E Forwarders 338 Type Please select SX GATE...

Page 336: ...ame server for a reverse lookup zone In the first field you have to fill in the zone for which you want to add a NS record Enter the name relative to the currently selected zone If you have to specify more than one number keep in mind that you have to enter them in reversed order separated by dots If for example you want to delegate a nameserver for 2001 db8 0 1 64 in zone 2001 db8 0 you have to t...

Page 337: ...the serials especially after restoring a backup 14 4 2 3 C NS Specify all authoritative primary and secondary name server for the selected zone This will add the respective NS records to the zone file Use the absolute addressing scheme with a trailing dot e g ns example com 14 4 2 3 D Access control Master This option is only available when SX GATE acts as a secondary server slave for this zone Pl...

Page 338: ...e of the IPs listed here 14 4 2 3 E Forwarders Forward queries to name server Queries to the currently selected zone will be forwarded to the name servers you enter here This allows you to resolve individual address ranges via a custom DNS instead of using the ISP s DNS or the Internet root servers Only clients which are allowed to send recursive queries will be permitted Please refer to Modules D...

Page 339: ...lboxes POP3 port 110 Access to the inbox is not encrypted from the beginning However if the mail client supports the appropriate protocol extensions an encrypted connection can be negotiated POP3 encrypted port 995 Inbox access is encrypted from the beginning IMAP4 Port 143 Connections to this service are not encrypted from the beginning However if the mail client supports the appropriate protocol...

Page 340: ...specify the name of IP of a mail relay server smarthost here outgoing emails will always be forwarded to this server The relay server is responsible for further delivery This setting will not affect emails addressed to domains which SX GATE delivers to local mailboxes or forwards to specific internal mail servers Using a relay server is recommended if you are connected to the Internet via a dial u...

Page 341: ...not possible to use different credentials depending on the sender of the mail As a rule a mail relay server will insist on authentication if it is not operated by your Internet access provider In this case we recommend that you insert the relay server of the ISP over which you are connected to the Internet It is recommended to use the mail relay server offered by your Internet access provider Usua...

Page 342: ...mum period of time a mail will wait in the queue until the next attempt to deliver it is made Process send queue on Internet dial in Activate this option if SX GATE is directly connected to the Internet using an ISDN PPP or ADSL dial up link Each time a new dial up connection is established an attempt is made to deliver the emails waiting in the queue If SX GATE has no direct PPP dial up Internet ...

Page 343: ...p on the outbound connection s source IP In case of dynamic lookup SX GATE will always use its hostname as configured in System Setup for connections via device eth0 SX GATE sends mails with domain SX GATE generates emails like e g status reports or notifications With this control you can determine the sender domain which will be used by SX GATE in these mails 14 5 2 C PGP SMIME The PGP SMIME filt...

Page 344: ...hese cases Local IP addresses With this control you can define which IP addresses are considered to be local Unless restricted by other options only the addresses included here will be able to relay mails to the Internet offhand You should never grant this right to any IP You can also use this feature to allow Internet mails only for some systems while all others may only send internal mails Here ...

Page 345: ...firmation to send it If the user agrees the mail program will return an email indicating that the mail has been opened to the sender Most mail programs can be configured to always ignore or always send disposition notifications Enable this options and SX GATE will remove those headers from inbound mail requesting for an MDN So an administrator can suppress MDNs regardless of the actual settings in...

Page 346: ...IMAP server If the internal mail server refuses delivery the mail is usually silently discarded using SMTP This is the most simple approach which works with almost all mail servers For each inbound mail SX GATE opens an SMTP connection to the internal mail server and The received sender and recipient addresses are forwarded to it Depending on the replies of the internal mail server the sender is t...

Page 347: ... it e g due to an invalid recipient address or the queue time limit has expired setting Return mail as undeliverable if mail cannot be sent within on tab Delivery parameters SMTP port for verification Address verification can use a different port than the actual mail delivery Test LDAP connection With this button you can test if email addresses can be found in Active Directory Emails to unknown lo...

Page 348: ... GATE the envelop from and the source IP of every email is logged Search in the log for the line which contains the source information of an email from from provides the envelope from and the source IP of the SMTP connection is listed as relay For emails which have been retrieved from a POP server by the SX GATE mail client the source IP of the connection is always SX GATE itself 127 0 0 1 localho...

Page 349: ...ery attempt has to be started for the remaining recipients Maximum permitted size of an email The SMTP protocol was not designed for the transmission of lots of megabytes of data Therefore many mail servers will only accept mails up to a certain size or will terminate the transfer after a certain period of time Thus it is highly recommend that also the SX GATE SMTP mail server imposes a reasonable...

Page 350: ...ls Fill in the email address which will receive a copy of every inbound email You may use the same address as for outbound email The recipient will be added after the mail passed the virusscan module Hence infected emails won t be included in the archive Both the attachment and the relay SPAM filter might modify the original mail before it is forwarded to the archive recipient If the relay SPAM fi...

Page 351: ... email which violates one of these checks will already be rejected before the actual payload is being transmitted Protection against automated mailers Many SPAM and virus mails are distributed by rather simple routines trying to deliver as many emails as possible in a very short time This protective function makes use of this fact Normally a mail server sends a greeting message as soon as a new co...

Page 352: ...e IPs of incoming connections Often home PCs are abused for SPAM delivery Many of these fail to pass the reverse DNS check Neither authenticated nor local connections will be affected by this check Mails retrieved from a POP3 server won t be tested either for existance Select this mode to reject emails if no reverse DNS entry exists forward confirmed A reverse DNS entry must exist here too but in ...

Page 353: ...tradicts the purpose of defeating SPAM However DNS might also report a temporary problem resolving the sender domain e g name server unreachable There are two different behaviours depending on whether the SX GATE mail client has been enabled in the configuration or not If it is not used the SX GATE mail server will refuse delivery with a temporary error Depending on its configuration the sending m...

Page 354: ...ill collect the sender and the recipient address of an incoming email It will then terminate the connection with a temporary error The actual contents of the email have not been transmitted at that stage Usually the instance trying to deliver an incoming email is a mail relay server and not the senders s mail client program Hence the sender of an email will not become aware of the delay As SX GATE...

Page 355: ...uiltin whitelist of servers known to perform no retransmissions emails retrieved from POP servers authenticated connections SMTP auth Working method This switch will enable greylisting As described above greylisting is useful if incoming mails are directly delivered with SMTP Hence for at least one local domain the Internet DNS mail exchanger MX must point to SX GATE s external IP address Any back...

Page 356: ...to the sender So the number of mails to process will almost double which may have a significant impact on the whole infrastructure Even worse in case of a SPAM mail the non delivery report is often sent to a faked or non existent address which leads to even more annoyance SX GATE s particular greylisting mode can help to reduce the amount of non delivery reports as every mail which has been addres...

Page 357: ...nitiated by a local user initial submissions of a remote user will be deferred Therefore it is crucial to manually add important sender and recipient addresses to Recipient whitelist and Recipient whitelist respectively Explain the prospective delays to the local users as the delays will particularly hit in the early stages always active This setting enables pure greylisting Each inbound mail will...

Page 358: ...ist module will always accept emails if the connection s source IP is whitelisted It is also possible to insert email addresses of individual senders or a complete email domain To whitelist all the emails from the example com domain please enter example com Keep in mind that the sender address of an email can be faked easily Greylisting will check the envelope address only Recipient whitelist To m...

Page 359: ...tion Accepted hosts The SPF filter checks inbound emails only So it won t check emails received from IPs from the list Local IP addresses in menu Modules Mail Server SMTP settings on tab Relay control Also authenticated emails and emails composed with SX GATE s webmail client will not be checked SPF can only be effective if inbound emails are delivered directly to SX GATE with SMTP Particularely i...

Page 360: ... scanned A functional virusscanner must be installed on SX GATE if you want to use this feature The virus scanner licenses are not included with SX GATE and must be purchased separately Further information about supported or already installed scanners can be found in the menu Modules Virusscanner The installation of a virusscanner also has to be made there If a virus is found the infected email wi...

Page 361: ...ailable via menu Monitoring Mail server Quarantined attachments will be re scanned by the installed virus scanners after each signature update Note that quarantined items will be deleted without further notice after 30 days Activating this filter in addition to the virusscanner absolutely makes sense A virusscanner can only detect known viruses or viruses which can be identified due to certain wel...

Page 362: ...ecome the more time consuming one if he often has to unquarantine attachments and forward them to the recipients because each attachment has to be downloaded and forwarded manually retain email Here the whole email is quarantined A notification email will be sent to all recipients If Quarantine mode for inbound emails is enabled following the link of an email which has been sent to multiple recipi...

Page 363: ...ant when SX GATE will check for new signatures but that updated signatures are actually available earliest after In addition to a re scan with updates virus scanner patterns an email must have been quarantined for the configured amount of time before access is granted to receipients If several hours have been configured it is likely that multiple re scans with updates virus patterns take place Mai...

Page 364: ...been configured Only those attachments ending with one of the filename extensions listed here will be accepted All other attachments will be quarantined It makes no difference if you specify an extension as e g pdf pdf or pdf All three formats refer to the extension pdf SX GATE tests each attachment if its filename ends with a dot followed by one of stated extensions These are compared case insens...

Page 365: ...e mode for inbound emails is set to remove attachment The options Defang HTML messages and Remove redundant HTML parts below Tag faked mails from own domain in menu Modules Mail Server SMTP settings on tab Receiving filters Outbound emails Disclaimer in the domain configuration below menu Modules Mail Server Domains Please keep in mind that this option provides a simple way for an attacker to bypa...

Page 366: ...eferences and any link target will become unusable Remove redundant HTML parts Some mail programs can be configured to send the contents of every email twice as plain text and in HTML Both parts are denoted as alternative contents multipart alternative The recipient s mail client will choose according to its capabilities and configuration which part it is going to display To automatically remove t...

Page 367: ...ntifying typical phrases and other attributes indicating an unsolicited email SX GATE contains a database of checks to perform and all matches result in a score which in turn allows filtering emails Characteristics indicating a SPAM mail will add a value to the score while other characteristics indicating that it s not a SPAM mail will subtract a certain value The higher the final score the more l...

Page 368: ... relay mode you have to enable at least one of the thresholds In this mode it examines every incoming email while passing the SX GATE mail server It is not possible to assign different thresholds to different users To differentiate incoming from outgoing emails SX GATE will consider the source IP address of the respective SMTP connection In menu Modules Mail Server SMTP settings on tab Relay contr...

Page 369: ...PAM filter There will be no notification and it is not possible to undelete the email The email is lost irrecoverable To avoid loss of important emails you should be very carefully when activating this option You should select a value which is rather to high than to low Please note that automatically deleting email may be subject to legal constraints or might even be prohibited by law 14 5 3 I SPA...

Page 370: ...s searching for such a sequence of any length is rather time consuming an asterisk matches no more than 30 characters The pattern a d will match e g ad a_d and abcd Question mark Any single character is matched by a question mark If for instance a d is looked up a_d is a hit In contrast ad and abcd do not apply _ Underscore An underscore matches any amount of whitespace characters i e spaces tabs ...

Page 371: ...can be queried Each single hit will be rated with a rather moderate value However when multiple lists indicate potential SPAM it will have considerable impact on the SPAM score The reliability of the lists depends on how the entries have been collected Choose which level of quality will be considered few Select this option if you want to include only verified SPAM sources Particularly automaticall...

Page 372: ...E webmailer must be used to access the mail account In the user administration there s an option which makes SX GATE deliver SPAM into the SPAM folder The folder will be created automatically if necessary We recommend that you enable this option The webmailer offers a button for learning unrecognized SPAM After learning the SPAM will be moved to the SPAM folder When inside the SPAM folder there s ...

Page 373: ...e probability that the score of English mails will exceed the configured SPAM filter thresholds Use Userdefined SPAM checks to change the score of this setting In the user administration you can even change it individually for every local account The rule ID is UNWANTED_LANGUAGE_BODY As this rather drastic measure affects all users they all should agree upon its activation Charsets from the Far Ea...

Page 374: ...ase the value of this email address for SPAM mail senders and in turn more and more SPAM will be sent to this address without modification With this option the original contents will be forwarded A break down of the score will be added to the headers of the mail Always add detailed report Email which haven t been classified as SPAM will also include a detailed break down of the SPAM score when thi...

Page 375: ...ient In contrast to the previous option encrypted communication is also enforced on incoming mails SX GATE will not accept an unencrypted incoming mail from the corresponding address If an outgoing mail cannot be delivered encrypted it will bounce back to the sender as undeliverable denied on communication with server client Also with this option you have to enter the IP address or the DNS name no...

Page 376: ...s the required functions to obtain a certificate from a public certification authority CA Finally you can reinstall a certificate backup here Choose action Please select what you want to do There are different ways to get a new certificate Create a new selfsigned certificate A self signed certificate is especially useful while testing In most cases it s also sufficient as long as the service is no...

Page 377: ...you have to enter the certificate subject Later this information will be presented to any user connecting with this service for inspection CN Issue the certificate to the address which is normally used to connect with the service from the Internet Usually this is the Internet DNS name of SX GATE You can also issue a wildcard certificate e g example com Subject alternativ names Most clients also co...

Page 378: ...sh Certificate request Entering this screen a certificate request will be generated on SX GATE Select certificate file Here you can import the certificate you received back from the certificate authority Make sure it is in PEM format Check certificate Check the certificate you just uploaded It will be installed in the next step Please read on at Select CA certificate file Select PKCS 12 file Selec...

Page 379: ...deleted it will no longer be possible to verify the identity of other mail servers Please delete all entries with enabled verification on tab General 14 5 5 Domains A table gives you an overview of all available objects If there are more than 10 entries a navigation bar will appear below the right bottom hand corner of the table where you can page through the entries or open the table in fullscree...

Page 380: ...ic You can change between the different screens by clicking on the tabs at the top 14 5 5 A Local domain 381 14 5 5 B Mail server 381 14 5 5 C Virtual recipients 382 14 5 5 D Mailrouting 383 14 5 5 E Sender addresses 384 14 5 5 F Provider relay 384 14 5 5 G Disclaimer 385 Deliver to SX GATE mailbox Mails addressed to a domain of this type will be delivered to a user mailbox or group of SX GATE to ...

Page 381: ...mple net like mails to example com you would first add example com as extended domain with distribution rules then add example net and make it an alias of example com Process domain just like Enter the new domain which is to replace the original recipient domain 14 5 5 B Mail server Forward emails to SX GATE will forward all mails with a recipient address in the currently selected domain to the ma...

Page 382: ...s along with the new destination in this list It is also possible to refuse delivery As destination you can specify an arbitrary internal or external email address If you enter a complete email address of a local recipient including the domain part further mappings may be applied to it Check this screen in the corresponding domain If you redirect to an internal address without domain e g the name ...

Page 383: ...sually forwarded to your provider s mail relay server or directly to the mail server of the recipient Mailrouting allows you to determine per recipient address to which mail server SX GATE has to forward an email Routing of specific recipient addresses With entries in this area you can route emails for a specific recipient to a non default mail server If necessary you can also change the recipient...

Page 384: ...he actual sender enter DOMAIN e g example com The local part before the character is not modified in this case Any sender address mapping configured for the rewritten address or in the rewritten domain is ignored 14 5 5 F Provider relay Relay server for sender domain In exceptional cases it might be necessary to send outbound emails via different relay servers depending on the sender domain Some e...

Page 385: ...mail 14 5 5 G Disclaimer The boilerplate entered here will be appended to every outbound email passing SX GATE s mail server The distinction between inbound and outbound email is based on the values in Local IP addresses from menu Modules Mail Server SMTP settings on tab Relay control Authenticated emails and emails composed with SX GATE s webmail client are also outbound Manual line feeds can be ...

Page 386: ...ion can help to save fees On the other hand it is not recommended to use this option if the dial up connection is almost permanently online The same applies if the Internet connection is rarely used Deliver unknown recipients from multi drop mailboxes to Emails with an unknown recipient which have been collected from a multi drop mailbox will be delivered to this address 14 6 2 Servers A table giv...

Page 387: ...m a mailbox and have SX GATE deliver it to the recipient deduced from the headers of the mail multi drop APOP APOP is similar to POP3 except for a different way to authenticate IMAP Some POP servers use a very short connection idle timeout Switching to IMAP might be a solution in this case ETRN ESMTP ETRN is a command of the ESMTP protocol It might be used if SX GATE is connected to the Internet w...

Page 388: ... To deduce the original recipient of an email retrieved from a multi drop mailbox the email headers are scanned for email addresses with the correct domain Here you can select which header will be scanned The default Received is not very reliable however it is almost always available Please check your emails if on of the other headers give you better results With Received also the following header...

Page 389: ...rate this with an example Imagine the domain example org is listed here In an email the address test www example org has been found As a listed domain always matches any subdomain as well this is indeed a hit So test is deduced as the original recipient s name Now let s assume the specification of the multi drop account contains example com as recipient address Therefore the email will now be forw...

Page 390: ...he mailboxes will be cleaned up regularly Retrieve new messages only If this option is enabled retrieved mails won t be deleted from the POP server Messages which have been marked as seen will be ignored and kept on the POP server Max number of messages per connection With this parameter you can limit the amount of mails retrieved in a single poll If the mailbox on the POP server contains more mes...

Page 391: ...14 6 2 Servers 391 14 6 2 E ETRN Call ETRN for domain An ETRN command will be send to the respective ETRN server for each of the domains listed here ...

Page 392: ...E LDAP authentication 396 14 7 1 F Authentication options 398 14 7 1 G PAC file 399 14 7 1 H Destination ports 400 14 7 1 I ICAP 400 14 7 1 J Size limits 401 14 7 1 K Provider proxy 401 14 7 1 L Proxy selection 402 14 7 1 M Cache parameters 403 14 7 1 N Advanced 405 Proxy authentication Activate this feature if you want to give Internet access only to authenticated users There are multiple options...

Page 393: ...n method 14 7 1 A Client access Proxy access for source IP addresses Use this option to grant proxy access to specific client IP addresses only Accept transparent proxy access It is possible to access the SX GATE web proxy in transparent mode This allows the redirection of HTTP requests to port 80 of an internet web server to the web proxy So clients can use the proxy without modification of the b...

Page 394: ...nificant with downloads of some extent The download time of standard web site content is often in the range of a few milliseconds The value which can be specified here determines the maximum period of time between two subsequent requests of a user to account them as one contiguous session This value will always be added to the download time The total of these values is the time spent Overlapping t...

Page 395: ...inistration is not required for logging in However if you wish to use the URL filter you may need to add some or all users on SX GATE Otherwise it would not be possible to grant individual rights to certain user groups Authorized users Select which users are authorized to use the proxy Join Windows domain SX GATE needs a machine trust account in the Windows domain to be able to perform NTLM authen...

Page 396: ... not required for logging in However if you wish to use the URL filter you may need to add some or all users on SX GATE Otherwise it would not be possible to grant individual rights to certain user groups Windows domain Please enter your windows domain here Furthermore you have to create a file with the name proxyauth on the NETLOGON share of your primary domain controller PDC This file must exclu...

Page 397: ...4 0 Please be aware that the ActiveDirectory search requires read permissions If there s no read access to a user object it will not be possible to log on as this user MS ActiveDirectory CN If the user object is to be identified with the CN attribute select this option In the Microsoft Active Directory the CN attribute corresponds to the user object name which immutable Using this attribute as the...

Page 398: ...he login for the LDAP account here You must state the complete distinguished name DN of the LDAP account e g CN proxyuser CN users DC ad DC example DC com 14 7 1 F Authentication options This tab is not available if proxy authentication is off No authentication required for access to Specify domain names or IP addresses if you want to grant unauthenticated access to these destinations The specific...

Page 399: ...in hostnames without a domain Use the following settings to add further exceptions Connection to destination domain Use this list to configure by domain whether the browser should use the proxy or connect directly The order of the entries is important Note that you can as well enter individual IP addresses However there s no DNS resolution so this will only affect connections where an explicit IP ...

Page 400: ...d The contents of connections which have been established with the CONNECT method will not be scanned by the virusscanning proxy Neither the virusscanner nor the tag filter will be applied Deny CONNECT to IP addresses There is software e g many peer to peer clients which abuses the CONNECT method to bypass firewall restrictions However often these clients won t request a connection to a hostname b...

Page 401: ... uploads This setting limits the size of POST and PUT requests These request types are used to transmit files or form parameters Maximum size of downloads This setting limits the size of objects that can be downloaded via the proxy In general the addressed server informs the client in advance of the size of the download Therefore an error message can be returned immediately However if the size of ...

Page 402: ...d them Also encrypted https connections may not be cached ISP proxy login If necessary the SX GATE web proxy can log on to the provider proxy Provide the required credentials in the corresponding fields If authentication is not required these fields should remain blank 14 7 1 L Proxy selection Target specific upstream proxies If requests to particular domains or IP addresses need to be forwarded t...

Page 403: ...rver if the object was modified since it has been cached If yes it will be refreshed When SX GATE begins to send this type of requests depends linearly on the last time the file was modified on the web server However as an upper limit SX GATE will check for modifications after 7 days on FTP servers and 3 days on HTTP servers If the cache runs out of disk space expired objects and the least recentl...

Page 404: ...ou might encounter temporary severe performance loss No caching for objects from To keep SX GATE from caching objects from certain sites you can enter the respective addresses here The specification of a domain includes all subdomains So if e g the domain example com is found in the list caching of objects from www example com and ftp example com is also disabled By adding a new address objects fr...

Page 405: ...nonymous FTP servers the server requests an arbitrary email address as password The address sent by the SX GATE web proxy when accessing such a server can be determined here 14 7 2 URL filter The configuration options in this menu are structured by topic You can change between the different screens by clicking on the tabs at the top 14 7 2 A Policy 406 14 7 2 B Options 407 14 7 2 C Database 408 14...

Page 406: ...eriods in menu Definitions Periods A rule can be valid either within or outside the selected period Source IP network Select an IP object or enter an IP or network with corresponding netmask to limit the rule to specific source addresses Leave empty if the rule should apply regardless of the client IP A is displayed in the table in this case Group A rule can be limited to certain users by selectin...

Page 407: ...rowser s address bar Message Access denied Except for requests denied by database category Advertising an error message is delivered to the browser if the URL filter denies access There are several different options for this message Simple If this option is selected only a brief message indicating that access is denied will be shown Detailed To get more detailed information you can select this opt...

Page 408: ...e probably fails to meet higher demands as e g required by educational organizations commercial You need to purchase a license to use this commercial database Please contact your SX GATE dealer Update daily at This database can be updated daily Please enter the time when you want to update Leave this field empty to disable automatic updates To use the commercial database you need a valid login and...

Page 409: ...d in web search engine results This feature can only be used if you don t use a parent proxy Update database now Press this button to immediately update the database 14 7 3 Content filter The configuration options in this menu are structured by topic You can change between the different screens by clicking on the tabs at the top 14 7 3 A General 410 14 7 3 B Virusscan 411 14 7 3 C Tag filter 413 1...

Page 410: ...n port 8081 With virusscan enabled actually two chained proxies run on SX GATE The virusscanning proxy accepts connections on TCP port 8080 and forwards them to the proxy cache on port 8081 By default direct connections to port 8081 will not be accepted Enable this option and configure a client to use proxy port 8081 to always bypass virusscanning and tagfiltering This option should only be enable...

Page 411: ...ges or the virusscan as a whole Tag filter If the tag filter is active some web sites can become unusable Disable tag filtering for problematic sites by adding them to the list without checking the tag filter checkbox Content Type If this switch is not checked both Verify content type and Content type filter are disabled for the given server Break SSL For privacy reasons you might want to exclude ...

Page 412: ...older when clicking the right mouse button while pointing to an FTP link This will initiate a direct FTP download bypassing the web proxy If direct FTP access has been allowed in the firewall the corresponding downloads will not be scanned for viruses However if direct FTP access is not permitted in the firewall downloads using this feature will fail Forward password protected files unscanned This...

Page 413: ...n be stated as the maintype or the subtype to match any value e g html If a document corresponds to one of the content types listed here it will be edited by the tag filter This component will scan only those files which have been downloaded via the virusscanning proxy of SX GATE The virusscanning proxy has to be enabled It is not possible to scan the contents of encrypted connections unless the o...

Page 414: ...mation mark To find filtered object embed or applet tags you will have to look for bject mbed or pplet respectively You can append the following values to the list Class IDs Class IDs can be found in object tags classid attributes It consists of the string clsid followed by a structured combination of digits and letters The following example is used to include Adobe Flash object classid clsid d27c...

Page 415: ...ou can specify a list of content types Corresponding documents will be filtered by the proxy To add an entry use the format maintype subtype where an asterisk can be stated as the maintype or the subtype to match any value e g video for any video format This component will scan only those files which have been downloaded via the virusscanning proxy of SX GATE The virusscanning proxy has to be enab...

Page 416: ...they want to access Connections to server listed on tab General in Trusted servers incl subdomains will not be broken open Block unknown CA What should the proxy do when it encounters a server certificate which is either self signed or has been issued by a CA which is unknown to SX GATE When disabled the proxy will issue a self signed certificate for the server so the browser will show a warning a...

Page 417: ... be checked using OCSP Only revoked certificates will block connections yes block on errors Revocation status of certificates will be checked using OCSP In addition to revoked certificates connections will also be blocked if query errors like connecting failure to the OCSP responder occur ...

Page 418: ...o be granted in SX GATE s firewall configuration The well known HTTPS port 443 is already used by SX GATE s administration web server Hence a different port must be used here e g 44300 Possibly also the well known port 80 for HTTP is already in use Please check in menu System Services on tab Server if the service HTTP server is enabled If this is the case port 80 can not be used by the reverse pro...

Page 419: ...his port authenticated https With this setting the clients are required to authenticate themselves with a certificate issued by SX GATE s CA 14 8 1 A General The reverse proxy can be used in two different ways As a mediator which forwards requests to internal web servers and as a load balancer distributing requests in front of a server farm The settings on this screen control how the reverse proxy...

Page 420: ... characters or the order of its components is not correct permissive A lot of non standard compliant characters will be accepted as part of an URL when selecting this option Choose it as a last resort if the more restrictive options do not work for you If access to the backend is still denied you will have to disable the syntax check Microsoft optimized Some violations of the standard have to be a...

Page 421: ...o access a web services running on the same hostname which is not using encryption The browser will enforce the secure connection for the number of days configured The special value 0 can be used to clear this setting ahead of time but this of course requires the browser to visit the site again without facing any certificate related problems Leave empty if the reverse proxy shall not insert a Stri...

Page 422: ...the certificate returned in response to a certificate request Make sure that the certificate is in PEM format Import a keypair You can import a key pair private and public key from a PKCS 12 file here Use this option e g to reinstall the keys from a backup Please select what you want to do Create a new selfsigned certificate Please read on at Issue self signed certificate p 422 Create a certificat...

Page 423: ...service from the Internet Usually this is the Internet DNS name of SX GATE You can also issue a wildcard certificate e g example com however wildcard certificates are usually much more expensive If both the pure reverse proxy feature and the loadbalancer option of the reverse proxy are to be used you might want to consider issuing a wildcard certificate If e g the hostname internal example com is ...

Page 424: ...t CA certificate file Please read on at Install certificate Select CA certificate file Now the certificate chain must be added to the certificate This may include one or more intermediate CAs The chain ends with the root CA All certificates must be in PEM format Please ask your CA for the required certificates Appended CA certificate The uploaded certificate is appended to the certificate chain Pl...

Page 425: ...e is now ready to be installed Import certificate revocation list Here you can install the recent certificate revocation list CRL of the trusted CA A CRL offer the possibility to invalidate a certificate already before it expires This is useful if for example an employee leaves the company and access has to be denied Please import the CRL file in PEM format The CRL must have been issued by the tru...

Page 426: ...no proper host header will be rejected This makes unauthorized access more difficult The configuration options in this menu are structured by topic You can change between the different screens by clicking on the tabs at the top 14 8 2 A Microsoft IIS services 426 14 8 2 B SX GATE services 429 14 8 2 C Backend servers 429 14 8 2 D Load balancing 431 14 8 2 A Microsoft IIS services The reverse proxy...

Page 427: ...ation Please take account of Microsoft s technical specifications As a backend server IIS must internally be running on port 443 encrypted or 80 no encryption External clients must contact SX GATE s reverse proxy on port 443 encrypted IIS running Exchange services Enter the IP address of the Microsoft Internet Information Server ISS offering Exchange services Access to OWA Enable this option to gr...

Page 428: ...the Reverse Proxy The certificate must not be expired it has to present the correct server name and it must have been issued by a certificate authority the Outlook PC trusts To our knowledge reverse proxy authentication using client certificates is not supported by Outlook Access with MAPI over HTTP Outlook clients starting with 2010 SP2 2013 SP1 and 2016 can connect with Exchange servers running ...

Page 429: ... to SX GATE s webmail client To access webmail with a browser you have to append webmail to the URL e g https www example com webmail Access to SX GATE admin GUI This switch enables access to the SX GATE administration GUI via reverse proxy To direct a web browser to the administration GUI riabconf en has to be appended to the URL e g https www example com riabconf en URLs which start with riabcon...

Page 430: ...ns a popup window to prompt for the required credentials With Basic Authentication the browser will send login and password more or less in plaintext Therefore only encrypted connections HTTPS to the reverse proxy should be used if you enable this feature Check if authentication is required by the backend servers If the backend credentials are prompted on a form which is embedded in the web pages ...

Page 431: ... have any effect if a userdefined backend server for path is configured 14 8 2 D Load balancing Configure multiple backend server for the same URL path on tab Backend servers and SX GATE will act as a load balancer for the corresponding requests Basically a load balancer distributes requests to several backends serving the same contents and applications SX GATE s reverse proxy chooses a random bac...

Page 432: ...e sent to the same backend server It does not matter whether the backend or SX GATE s reverse proxy requested the authentication URL parameter Select this option if a session id is passed along with every request as value of a specific URL parameter Enter the name of the respective parameter The parameter part of an URL starts with a question mark Parameters are separated by characters and have th...

Page 433: ...ison to a firewall policy which allows straight through FTP connections proxied connections have several advantages There s no direct IP connection between the FTP client and the FTP server Restricting the accepted FTP sites prevents abuse Security is enhanced by validity checks of the transmitted commands and the optional virusscan of downloads By default the FTP proxy will deny access to any ser...

Page 434: ...e used instead Allowed FTP servers Use this control to specify the accepted target FTP servers and its corresponding accounts If the list is empty the proxy will deny access to any server Account Enter the login for the target FTP server here Use ftp to grant access for anonymous FTP If you leave the input field empty the FTP proxy will accept logins to any account on the FTP server Destination se...

Page 435: ...nned for viruses Uploads will not be scanned A functional virusscanner must be installed on SX GATE if you want to use this feature The virus scanner licenses are not included with SX GATE and must be purchased separately Further information about supported or already installed scanners can be found in the menu Modules Virusscanner The installation of a virusscanner also has to be made there Accep...

Page 436: ...m period of time a local IP phone will be unreachable after an IP change To configure this scenario you have to configure the internal IP address of SX GATE as the outbound proxy in the SIP phones Ask your VoIP provider about the username password and the name of the registrar server Local registrar SX GATE s SIP proxy can also act as a simple registrar An appropriate DNS entry must point to the e...

Page 437: ...fied here must be connected to the SX GATE interface eth0 14 9 3 POP3 SMTP proxy The POP3 SMTP proxy allows users to retrieve mails from any POP3 server and to send mails via any SMTP server on the Internet and still benefit from SX GATE s anti virus and anti SPAM capabilities Purpose of the proxy is to provide access to individual private mail accounts The regular business mail should be processe...

Page 438: ...nfigured in the client as the proxy doesn t know the value configured on the client Virusscan When enabled SX GATE will perform a virus check on emails downloaded with POP3 or sent by SMTP via the proxy A functional virusscanner must be installed on SX GATE if you want to use this feature The virus scanner licenses are not included with SX GATE and must be purchased separately Further information ...

Page 439: ...t are not able to use other proxies or firewall NAT rules you can use the generic SOCKS proxy Supported protocols are SOCKS4 and SOCKS5 With the help of a SOCKS wrapper application nearly every networking application should be able to use the SOCKS proxy Some programs even provide builtin SOCKS support For protocols like e g HTTP HTTPS and FTP SX GATE offers dedicated proxy services SOCKS should n...

Page 440: ...ions the SOCKS proxy will accept First select the desired protocol Specify a single IP address or a network address with its corresponding netmask if you want to restrict the acceptable source or destination IPs Protocols are defined in menu Definitions Protocols Non UDP and TCP protocol signatures will be ignored 14 9 4 B Client access Proxy access for source IP addresses SX GATE s SOCKS proxy wi...

Page 441: ...ne the server name of the intranet web server You might have to add this name to the DNS The intranet server is addressed by the name you configure here or by the LAN IP address Web Proxy Auto Discovery domain Most browsers are able to automatically detect the web proxy configuration using Web Proxy Auto Discovery WPAD The browser needs to download a config file from a web server One of the method...

Page 442: ... Use the predefined user www as login Enable WWW server With this switch you can activate the Internet web server If it is not checked only the intranet service for the local networks is available Most likely the firewall policy has to be modified to grant access to the web server for clients in the Internet Open the HTTP port 80 In addition the web server is not enabled by default Start it at Sys...

Page 443: ... at Definitions IP objects Windows workgroup or domain Please enter the name of your Windows workgroup or domain here Do not confuse the windows domain with your Internet domain Intranet share enabled Use this switch to enable the network share intranet This share can be used to update the contents of SX GATE s intranet server You have to connect to this share as user intranet The corresponding pa...

Page 444: ...er www The corresponding password is specified in the menu Modules HTTP server WWW CGI share enabled Use this switch to enable the network share wwwcgi This share can be used to update the CGI scripts of SX GATE s web server You have to connect to this share as user www The corresponding password is specified in the menu Modules HTTP server 14 10 D Advanced Email address of administrator Anytime t...

Page 445: ... to leave the respective base directory Anonymous access SX GATE allows you to share files using the integrated anonymous FTP server You can maintain the corresponding directory via FTP using the login name ftpadmin FTP clients which are connected to the FTP server as anonymous user will not be able to leave the base directory of this service Anonymous file upload to directory incoming If you want...

Page 446: ... option if only error conditions should be reported It is highly recommended to activate notification even on apparently successful updates The system cannot detect every error condition automatically 14 12 B Avira The Avira virus scanner for SX GATE can be purchased exclusively from SX GATE dealers The available license depends on the number of users and will only cover the installation of the sc...

Page 447: ...ime notify the administrator by mail before the license expires Software updates of the F Secure virus scanners will be installed along with the regular SX GATE updates Currently installed version You can find detailed information about the currently installed F Secure scanner here Furthermore a selftest of the scanner will be performed every time you enter this screen The status OK indicates that...

Page 448: ... between the manufacturer of SX GATE and McAfee The scanner is supported according to our state of knowledge Thus especially with new versions of the scanner problems might occur As far as we know the McAfee scanners have to be licensed per user It does not matter on how many systems the scanner is installed The number of users who draw benefits from the scanner is decisive Please refer to the ter...

Page 449: ...s might become available by mirroring a different directory from the signature server Use active FTP Please use this option if you experience problems while updating signatures Update signatures now Press this button to immediately update the McAfee signatures Currently installed version You can find detailed information about the currently installed McAfee scanner here Furthermore a selftest of t...

Page 450: ...nly have to upload the new key file here Although the scan engine will be updated along with the regular SX GATE updates you can also update the engine by simply uploading the archive with the new release here Kaspersky Also the installation of the Kaspersky scanner requires a special archive rin In addition you also have to install the Kaspersky license key file here This file has the filename ex...

Page 451: ...ol To synchronise the system time of older Windows systems before Windows 2000 you have to activate the SX GATE service Windows shares Then issue the command NET TIME SET SX GATE IP YES on the DOS prompt of a windows machine to synchronise its time You can add this command to the login script of your domain controller or to the autoexec batch file of the workstations to synchronise automatically I...

Page 452: ...is domain represents a number of public NTP servers When resolving the DNS hostname a random server is selected If at least one hostname from the pool ntp org domain has been specified SX GATE will contact at least three pool servers Verify time servers Use this function to verify that all configured time servers are available The current system time of SX GATE will not be modified Change to tab S...

Page 453: ...ndows 2000 the Mircosoft patch Q818043 has to be applied Preshared Key authentication is not supported with Windows 2000 The SX GATE VPN server should be already configured It is highly recommended to use SX GATE s wizard L2TP IPSec VPN from the Wizards menu If you are using X 509 certificates for authentication please make sure to have the required key and certificate files at hands On the last s...

Page 454: ...g a new certificate This package contains all the files which are necessary for doing an automatic import of the certificates and also configures the connection for you Manual configuration You have to configure all the necessary parameters yourself If you are using certificates for authentication you will have to import them 15 1 1 Automatic configuration As described in chapter System Certificat...

Page 455: ...e g the Windows version is too old all the necessary files for a manual configuration will be copied into the user s home directory Then the Connection Manager Administration Kit is used to configure the VPN connection All there is to do is selecting if the connection should be available to all users or only for the current user ...

Page 456: ...15 1 1 Automatic configuration 456 Now the Connection Manager is opened Simply enter username and password and connect to SX GATE ...

Page 457: ...enticated by certificates you can skip the description of the certificate import X 509 certificate Please read on at Setup management console p 457 passphrase preshared key Please read on at Connection setup p 464 Setup management console Select Run from the Windows Start menu Open the Management Console by typing mmc and pressing OK ...

Page 458: ...15 1 2 Manual configuration 458 Select Add Remove Snap in from the File menu Click Add for a list of available snap ins Select the snap in Certificates and insert it with Add ...

Page 459: ...2 Manual configuration 459 It is crucial to select Computer account as managed account type Proceed with Next The snap in has to manage certificates on the local Computer Press Finish to add the new snap in ...

Page 460: ...vailable snap ins With OK the computer is prepared to import the VPN key Import certificate Open the folders Console Root and Certificates Local Computer from the tree view Right click the Personal item and select All Tasks Import from the context menu ...

Page 461: ...ion 461 Leave the welcome screen by clicking Next Select the PKCS 12 file p12 which contains the required certificates and the private key Proceed with Next You will now be prompted for the password protecting the PKCS 12 file ...

Page 462: ...to protect the PKCS 12 file s private key Do not confuse this password with the CA password which has to be provided everytime a new certificate is signed Press Next On the next screen it is very important to pick Automatically select the certificates store based on the type of certificate ...

Page 463: ...t imported should appear in folder Certificates below Personal Double click the certificate and inspect it The certificate icon on top of the dialog box must not be crossed out If it is crossed out it is invalid and you will not be able to establish the VPN connection You will find some reasons on the next page The certificate import is complete ...

Page 464: ...f the CA which issued the client s certificate If not it has to be imported Ask your CA for their certificate If you are using SX GATE s builtin CA to issue certificates the CA certificate will be imported automatically as it is part of the PKCS 12 file CA certificate is expired or not valid yet Open the CA certificate with a double click and verify its period of validity Connection setup From the...

Page 465: ...l configuration 465 Next will let you choose the type of connection Pick Virtual Private Network connection and continue with Next Supply a descriptive name for the connection e g your company s name and click Next ...

Page 466: ...SX GATE s external internet IP address as VPN server Next will finish the basic connection setup It s recommended to let the wizard create a shortcut to this connection on your desktop Connection settings Now start the lately added connection ...

Page 467: ...onnecting you still have to adjust some settings by clicking Properties Change to tab Networking The type of VPN must be set to L2TP IPSec VPN On tab Security select the option Advanced custom settings and click the Settings button next to it ...

Page 468: ...allow the use of Unencrypted Password PAP Although a security warning will pop up when pressing OK these settings are safe PAP authentication is performed after the IPSec tunnel has been established Its encryption will protected the transmission of the PAP password ...

Page 469: ... have to set it up on your Windows system How do you authenticate X 509 certificate Please read on at Connect p 470 preshared key Please read on at Preshared Key p 469 Preshared Key If the IPSec connection is authenticated using a preshared key you have to click IPSec Settings now Check Use pre shared key for authentication and specify the same key you configured on SX GATE ...

Page 470: ...OK Specify the login and password of a member of the SX GATE group system ras Press Connect to establish the L2TP connection with SX GATE Use e g ping to test if the remote network is reachable If a dial up connection is used for internet access make sure it has been started beforehand ...

Page 471: ... However getting an IPSec log in Windows XP is quite easy It has to be enabled in the registry first Select Run from the Windows Start Menü Open the program regedit Select folder HKEY_LOCAL_MACHINE SYSTEM CurrentControlSet Services PolicyAgent Create a new subfolder named Oakley by selecting the menu item Edit New Key Change into the Oakley folder you just created Insert a new entry by clicking Ed...

Page 472: ... debug oakley log SystemRoot is the Windows base directory In case you encounter problems in the L2TP stage you will find further information in SX GATE s log PPP If you are not able to find the cause of the problem by inspecting the three logs stated above please send a cut out of one connection attempt to technical support ...

Page 473: ...15 2 Mac OS X 473 15 2 Mac OS X Please read on at p 473 Please read on at p 473 Please read on at p 473 Please read on at p 473 ...

Page 474: ... SX GATE to authentication using Preshared key Otherwise configure a second connection which is basically a copy of the connection for certificate based authentication just using Preshared key for authentication You will find the connections in menu Modules Network below the ipsec interface usually ipsec0 As the iPhone acts just like Mac OS X it is necessary to enable MacOS and iPhone compatibilit...

Page 475: ... to SX GATE Please make sure that the user already exists on SX GATE and is a member of SX GATE s system ras group If you like you can enter the user s password otherwise you will be asked for it everytime you start the connection Enter your Pre Shared Key in the Secret field and activate de activate the Send all Traffic Switch depending on your needs Save your settings and click on the connection...

Page 476: ...15 3 Apple iPhone 476 ...

Page 477: ...r of ways Support hotline 49 0 7032 95596 21 Mon Thu 9 12 o clock 13 17 o clock Fri 9 12 o clock 13 16 o clock Support email support xnetsolutions de Postal address XnetSolutions KG Benzstraße 32 D 71083 Herrenberg Germany Internet http www xnetsolutions de ...

Page 478: ...om 9 to 12 o clock and from 13 to 17 o clock an Fridays from 9 to 12 o clock and from 13 to 16 o clock Support hotline SX GATE 49 0 7032 95596 21 E Mail Support SX GATE support xnetsolutions de Further support such as an extensive knowledge base and FAQs can be found at http www xnetsolutions de Updates can be achieved at http update sx gate de Please have the following information at hand with an...

Page 479: ... NIC 2x 1000 100 10 Mbit LAN 2x 10 100 Mbit LAN RJ45 ISDN adapter optional one port Interfaces 1x 9 pin RS 232 1x VGA rear 2x USB front 2x USB rear Processor P4 2 8 GHz Memory 512 MB RAM max 2 GB Hard drive 80 GB optional 2x 60 GB RAID Power 250 watts ATX Power consumption 50 Watt Size 426 x 379 x 43 5 mm Package size 565 x 505 x 160 mm General Policies EN 60950 UL 1950 VDE 0805 1950 VDE 0805 ...

Page 480: ...19 CE Statement of Conformity 480 19 CE Statement of Conformity This device fulfils all needs of the European General Policies Electro magnetic acceptability 89 336 EWG and Low voltage policy 73 23 EWG ...

Reviews: