Step3. In Policy → Incoming, add a new policy that includes the virtual server setting from Step 2.

Complete the virtual server setting in the policy

If an external user wants to reach the homepage provided by the web server, the user has to change the port to 8080.

Step4. Make the virtual server provide the single service to external users.

Use the virtual server instead of many internal servers to provide the single service

Содержание BM-2101

Страница 1: ...Bandwidth Management Gateway BM 2101 User s Manual...

Страница 2: ...Manual is subject to change without notice and does not represent a commitment on the part of PLANET PLANET assumes no responsibility for any inaccuracies that may be contained in this User s Manual...

Страница 3: ...service please take a moment to gather the following information Internet Monitor serial number and MAC address Any error messages that displayed when the problem occurred Any software running when th...

Страница 4: ...2 2 Permitted IPs 13 2 3 System Log Out 14 2 4 Software Update 15 Chapter 3 Configure 16 3 1 Setting 21 3 2 Date Time 27 3 3 Multiple Subnet 28 3 4 Route Table 32 3 5 DHCP 36 3 6 DDNS 38 3 7 Host Tab...

Страница 5: ...P 122 Chapter 10 Content Blocking 147 10 1 URL 150 10 2 Script 153 10 3 Download 155 10 4 Upload 157 Chapter 11 IM P2P Blocking 159 11 1 Example 162 Chapter 12 Virtual Server 167 12 2 Example 171 Poli...

Страница 6: ...Statistics 253 17 1 WAN 255 17 2 Policy 257 Chapter 18 Diagnostic 259 18 1 Ping 260 18 2 Traceroute 263 Chapter 19 Wake On Lan 265 19 1 Example 266 Chapter 20 Status 267 20 1 Interface 270 20 1 System...

Страница 7: ...bandwidth levels for inbound and outbound traffic in each class The administrator can also define three priority levels for each policy to ensure high priority packets receive the maximum available b...

Страница 8: ...Z 1 x 10 100Base TX Auto MDI MDI X 1 x 10 100Base TX Auto MDI MDI X Console 1 x RS 232 DB 9 H W Watch Dog Auto reboot when detecting system fail Software Maximum Controlled Bandwidth 100Mbps Maximum C...

Страница 9: ...SYN Attack Detect ICMP Flood Detect UDP Flood Detect Ping of Death Attack Detect Tear Drop Attack Detect IP Spoofing Attack Filter IP Route Option Detect Port Scan Attack Detect Land Attack Virus Infe...

Страница 10: ...me relevant settings In this Chapter the system administration will be defined as the management of the MIS engineer Permitted IPs System Log Out and Software Update Chief administrator configures and...

Страница 11: ...herwise the other chief admin can modify its privilege to be the sub admin but can not be deleted The BM 2101 appliance still force to reserve a chief admin Privilege Chief administrator has the Write...

Страница 12: ...add the settings Sub Admin name sub_admin Password 12345 Confirm Password 12345 If select Write Access and View Log Privilege the new sub admin becomes chief admin Step3 Click OK for the user to log...

Страница 13: ...nd to the Configure Modify Step2 In Modify Admin Password enter the following information Password admin New Password 52364 Confirm Password 52364 Step3 Click OK to change the password or click Cancel...

Страница 14: ...rvice Check Ping HTTP and HTTPS Click OK Compelte adding Permitted IPs Add new Permitted IPs Complete add new Permitted IPs To activate Permitted IPs click Interface LAN WAN and DMZ to uncheck Ping HT...

Страница 15: ...Logged icon at the upper right of the WebUI The MIS engineer can log out the system anytime to prevent the other person change the setting through other PC Confirm to log out Step2 Click OK It shows...

Страница 16: ...BM 2101 appliance Click Browse Choose File select the latest update file and open it Click OK to run automatic software update Firmware update It takes 3 minutes to run software update then the system...

Страница 17: ...gu ur re e The configuration here is about the basic operating settings of the BM 2101 appliance In this Chaper it will be defined as Setting Date Time Multiple Subnet Route Table DHCP Dynamic DNS Ho...

Страница 18: ...iance anywhere via Web UI In addition the MIS engineer can change the used port number in BM 2101 s remote management Set up the idle timeout as the MIS engineer log into the BM 2101 appliance The BM...

Страница 19: ...setting Administration Packet Logging After enabled this function the system will record the source or destination packet information of BM 2101 in Monitor Log Traffic for the MIS engineer to query Da...

Страница 20: ...ment Dep 192 168 4 1 24 Internal 168 85 88 250 External Accounting Dep 192 168 5 1 24 Internal 168 85 88 249 External R D Dep has already been set up in Interface configurations so set up the reservei...

Страница 21: ...Dynamic DNS Domain Name The domain name that the MIS engineer applied from the DDNS provider WAN IP The real IP which the domain name correspond to Host Table Host Name Customized by the MIS engineer...

Страница 22: ...ation click near Export System Setting to Client Step2 In File Download window click Save Then choose the destination location to save the exported file Finally click Save for BM 2101 to copy the conf...

Страница 23: ...Setting from Client Step2 In Choose File window select the previously saved settings and click Open Step3 Click Open and a confirmation dialogue box pop out Step4 Click the OK to import the configura...

Страница 24: ...Step1 In Setting Bandwidth Management Gateway Configuration select Restore Factory Setting Step2 Click OK to restore the default settings Restore to factory setting...

Страница 25: ...r s email address Required by some ISP Step4 SMTP Server Enter the IP address of the SMTP server Step5 E mail Address 1 Enter the first e mail address to receive the notification Step6 E mail Address...

Страница 26: ...ail Test to test if e mail address 1 and e mail address 2 can receive the notification or not If the MIS engineer want to send the mails via the authentication then he must Enable SMTP Server Authenti...

Страница 27: ...2101 appliance Click Reboot near Reboot Bandwidth Management Gateway Appliance Step2 It shows the confirm dialogue of Are you sure to reboot Step3 Click OK to restart or click Cancel to terminate the...

Страница 28: ...correct option Step3 Enter the time server s IP address in Server IP Name Step4 Enter the update time Set system clock Click Sync near Synchronize system clock with this client to synchronize the BM 2...

Страница 29: ...ternet via the multiple subnet NAT or Routing mode Preparations Connect the BM 2101 appliance WAN 1 10 10 10 1 to the ISP s Router 10 10 10 2 The segment is 162 172 50 0 24 Distributed by the ISP Conn...

Страница 30: ...terface select LAN Alias IP of Interface enter 162 172 50 1 Netmask enter 255 255 255 0 WAN 1 10 10 10 1 Forwarding Mode select routing WAN 2 211 22 22 22 Forwarding Mode select NAT Click OK Complete...

Страница 31: ...if the LAN IP is 192 168 1 xx Use the NAT Mode to connect to the network As regulated in Policy one can only connect to network via WAN2 If use Routing mode via WAN 1 an virtual IP can t be usd to con...

Страница 32: ...Multiple Subnet deployment BM 2101 Interface WAN1 IP 10 10 10 1 WAN2 IP 211 22 22 22 LAN Port IP 192 168 1 1 LAN Port Multiple Subnet 162 172 50 1...

Страница 33: ...11 11 to ATUR and link to network Connect WAN 2 211 22 22 22 to ATUR and link to network LAN segment is192 168 1 1 24 LAN Router1 10 10 10 1 supporting RIPv2 the LAN segment is 192 168 10 1 24 Company...

Страница 34: ...nter 255 255 255 0 Gateway Enter 192 168 1 252 Interface Select LAN Click OK Add new static route 1 Step2 In Configure Route Table Destination IP Enter 192 168 20 1 Netmask Enter 255 255 255 0 Gateway...

Страница 35: ...Step3 In Configure Route Table Destination IP Enter 10 10 10 0 Netmask Enter 255 255 255 0 Gateway Enter 192 168 1 252 Interface Select LAN Click OK Add new static route 3...

Страница 36: ...l The BM 2101 appliance can translate the virtual IP to real IP Therefore the LAN subnet PC 192 168 10 1 24 192 168 20 1 24 and 192 168 1 1 24 can communicate to each other via the BM 2101 appliance R...

Страница 37: ...r the IP Address distributed to WIN server 2 LAN Interface Client IP range 1 Enter the first starting and ending IP addresss the default value is 192 168 1 2 to 192 168 1 254 it must be at the same do...

Страница 38: ...ng When the LAN network adaptor set to Automatically Get DNS The DNS Server will auto lock the LAN interface IP Note When enabled the Authentication the first DNS server must correspond to the LAN int...

Страница 39: ...from the drop down menu Select Automatically and select a WAN interface to correspond from the menu User Name and Password Enter the applied name and password Domain Name Enter the applied domain nam...

Страница 40: ...the DDNS account then he can choose the proper DDNS supplier click Sign up and then it will display the registeration web page If the MIS engineer do not select Automatically correspond to the WAN int...

Страница 41: ...al IP Address enter the host name that correspond to the virtual IP address Click OK Complete Host Table setting Host table setting Use the Host Table of the BM 2101 appliance the first DNS Server in...

Страница 42: ...etting is Taipei Taiwan Community Can customize the settings Default setting is public Contact Person Can customize the settings Default setting is root public Description Can customize the settings D...

Страница 43: ...the port number Default value 162 Click OK Complete the SNMP Trap setting The MIS engineer can use the SNMP Trap software and receive the alarm notification from the BM 2101 appliance it will send th...

Страница 44: ...3 9 Language Step1 In Configure Language to select the language Click OK Select language...

Страница 45: ...ce e The so called interface included the LAN and WAN of the BM 2101 appliance In Interface the MIS engineer can set the IP address netmask gateway address and define the WAN and LAN IP address all de...

Страница 46: ...ust the usage of WAN depends on the downstream and upstream status Suitable for the user who use different downstream bandwidth Round Robin Forced to use the 1 1 cycling distribution of network downlo...

Страница 47: ...he WAN interface priority by balance mode choice Service To test if the WAN can work or not The testing includes two parts ICMP Ping the IP to see if the connection can work DNS Use the domain name to...

Страница 48: ...the DMZ in the BM 2101 appliance The DMZ includes two modes NAT The DMZ is an isolated virtual domain but it can not be at the same segment as LAN TRANSPARENT The DMZ and WAN interface are both in the...

Страница 49: ...e Application Environment Example 1 LAN Modify the LAN interface address Example 2 WAN Set the WAN interface address Example 3 DMZ Set the DMZ interface address NAT mode Example 4 DMZ Set the DMZ inte...

Страница 50: ...setting The default LAN interface address is 192 168 1 1 After the MIS engineer has modified the LAN IP address he has to set the PC to obtain the latest IP then use the modified LAN interface IP addr...

Страница 51: ...ace WAN click Modify of WAN 1 WAN 2 Interface s settings are almost the same as WAN 1 setting The difference is that WAN 2 has the additional Disable function The MIS engineer can use this function to...

Страница 52: ...me Or click Assist Sets the interval seconds during the packets transferring per seconds ICMP test DNStest Both of the two connection test is the standard to see if the WAN can work properly The testi...

Страница 53: ...assword 4 Select Dynamic or Fixed in IP Address provided by ISP It depends on the user s network status click Fixed option please enter the IP address Netmask and Default Gateway 5 Enter Max Downstrea...

Страница 54: ...Complete PPPoE setting If use the PPPoE the MIS engineer can set the WAN interface auto connect when it disconnect it is recommended enable this function or set the WAN interface disconect as idle Not...

Страница 55: ...ess 4 User Name Require by the ISP to enter the provided user name 5 Domain Name Require by the ISP to enter the provided domain name 6 Username and Password The IP machenism of DHCP authentication Ac...

Страница 56: ...Complete to set the Dynamic IP address...

Страница 57: ...IP Address 2 Enter IP Address Netmask and Default Gateway 3 Enter DNS Server 1 or DNS Server 2 4 Enter Max Downstream Bandwidth and Max Upstream According to the bandwidth applied by the user 5 Selec...

Страница 58: ...ing Ping HTTP and HTTPS in WAN interface the user can ping the BM 2101 appliance and its WebUI This action may cause the network security problem It s recommended do not selet the Ping HTTP and HTTPS...

Страница 59: ...T Mode Step1 In Interface DMZ Step2 In DMZ Interface select NAT mode In DMZ Interface select NAT from the drop down menu Enter the value in IP Address and Netmask Step3 Select Ping HTTP and HTTPS Step...

Страница 60: ...ect Transparent Mode In DMZ Interface select DMZ_ Transparent Mode from the drop down menu Step3 Select Ping HTTP and HTTPS Step4 Click OK Select DMZ transparent mode The MIS engineer has to set the s...

Страница 61: ...ss Basically the IP address can divided into three types internal IP address WAN IP address and DMZ IP address The MIS can apply the different IP address packets filtering rules to the same policy he...

Страница 62: ...255 255 Correspond to many IP address in a specific domain For example IP Address 192 168 100 1 in C Class segment the setting must be 255 255 255 0 MAC Address Mapped the MAC address to its IP addres...

Страница 63: ...ample 1 LAN When use the DHCP to distribute the static IPaddress to the specific user and limit the user can only access the FTP resources through policy Example 2 LAN Group and WAN To set the policy...

Страница 64: ...olicy Step1 In Address LAN make the setting as following Click New Entry Name enter the user s identified name Rayearth IP Address enter the user s IP 192 168 3 2 Netmask enter 255 255 255 255 MAC Add...

Страница 65: ...sources through specific service Step3 In Policy Outgoing to complete the settings to appointed the static IP to the specific user and limit the user can only accessing FTP resources through Policy Co...

Страница 66: ...address In Address LAN the BM 2101 appliance will automatically set an Inside_Any Address it represents the whole LAN The WAN or DMZ also has its Outside_Any and DMZ_Any default address setting to rep...

Страница 67: ...To set the policy which allow part of users connect to the remote static IPaddress Step1 Set many LAN address Set many LAN address...

Страница 68: ...following Click New Entry To set the group Name In available address select the user in the group and click Add Click OK Group the LAN address Complete to group the LAN address In Address WAN Group a...

Страница 69: ...Step3 In Address WAN add the setting as following Click New Entry Enter the remote static IP information Name IP Netmask Click OK Set the WAN address Complete to set the WAN address...

Страница 70: ...Step4 To apply Step 1 3 to Policy Apply the address setting in policy Complete the policy setting The Address function works by apply it to policy...

Страница 71: ...port is 0 to 65535 In this chapter we will introduce the three common use services for example Pre defined Custom and Group The MIS engineer can define the Protocol and port number in every network ap...

Страница 72: ...NS NTP IRC RIP SNMP SYSLOG TALK TFTP UDP ANY UUCP ICMP service for example PING TRACEROUTE Service name The MIS engineer can define the service name Protocol The Protocol that is made of the communica...

Страница 73: ...user communicate to LAN user via the network phone through policy VoIP port number TCP 1720 TCP 15328 15333 UDP 15328 15333 Example 2 Group To group the services and limit the specific user accessing...

Страница 74: ...user communicate to LAN user via the network phone through policy VoIP port number TCP 1720 TCP 15328 15333 UDP 15328 15333 Step1 In Address LAN and LAN Group add the following setting LAN address se...

Страница 75: ...g reserve the default value Server Port enter the value of 1720 1720 Protocol 2 select TCP Client Port s setting reserve the default value Server Port enter the value of 15328 15333 Protocol 3 select...

Страница 76: ...Service function To enter the the port number in the client port if the MIS engineer have to enter two different port number in server port then enter the range of 15328 15333 To enter the same port...

Страница 77: ...l server Step4 Apply Virtual Service to Policy Incoming Complete to set the incoming VoIP policy Step5 In Policy Outgoing to complete the Outgoing VoIP setting Complete to set the outgoing VoIP policy...

Страница 78: ...ces provided by the Group through Policy Object Group HTTP POP3 SMTP DNS Step1 In Service Group add the new setting as following Click New Entry Set the Name to be the default name of Main_Service In...

Страница 79: ...Complete the service group setting If the MIS engineer want to remove the group service then he can choose the Selected service and click Remove...

Страница 80: ...Step2 In Address LAN Group to set the LAN group which can only access the specific service LAN group setting Step3 Apply Service Group to Policy Outgoing Policy setting...

Страница 81: ...and the process time period in Schedule In other words the MIS engineer can select the specific time period to transfer the data packets by policy management How to use Sehedule The MIS engineer can...

Страница 82: ...work data everyday through the policy management Step1 In Schedule add the new setting as following Click New Entry Set the Schedule Name Use the drop down menu to select the time period everyday Clic...

Страница 83: ...Step2 Apply schedule setting to Policy Outgoing Complete to apply the schedule setting to policy The Schedule setting must apply into Policy...

Страница 84: ...h Downstream Bandwidth Can set the G Bandwidth and M Bandwidth Upstream Bandwidth Can set the G Bandwidth and M Bandwidth QoS Priority Can set the QoS priority of upstream and downstream bandwidth The...

Страница 85: ...The used QoS Flow M Bandwidth 400 Kbps G Bandwidth 200Kbps...

Страница 86: ...th and guarantee bandwidth of upstream bandwidth QoS Priority To set the unuse upstream and downstream bandwidth in QoS priority G Bandwidth The basic bandwidth in QoS The policy which applied to the...

Страница 87: ...ndwidth and Downstream Bandwidth Step1 In QoS add the new setting as following Click New Entry In Name to set the QoS name In WAN 1 2 enter the parameter of limited bandwidth To select the QoS Priorit...

Страница 88: ...Outgoing to apply the QoS Setting in Step 1 Set the QoS policy Complete to set the QoS policy When the MIS engineer setting the QoS he must use the correct upstream and downstream bandwidth range set...

Страница 89: ...tion by authentication The user has to pass the authentication to connect the network The BM 2101 appliance provided 4 authentication modes The User and User Group built in others are RADIUS POP3 and...

Страница 90: ...Re Login after user login successfully When the LAN user connect to the WAN through the authentication The available authentication time depends on the time limit if over the default time setting the...

Страница 91: ...z To add the settings in the authenticaion management Authentication management...

Страница 92: ...l redirect to the assigned web site If the user want to require the authentication then he can enter the BM 2101 s LAN interface IP and the authenticaion port number in the URL address then shows the...

Страница 93: ...ADIUS server 802 1x RADIUS The authentication between the BM 2101 appliance and RADIUS server which included the wireless network Search Distinguished Name The identify name of LDAP server LDAP Filter...

Страница 94: ...S To plan the user connect to the WAN through the authenticaton in policy To use the WAN RADIUS server Windows 2003 Server built in authentication Example 3 POP3 To plan the user connect to the WAN th...

Страница 95: ...by policy To use the built in user and user group authentication Step1 In Authentication User to add the Authentication User Name Set the authentication user The user s DNS server must correspond to...

Страница 96: ...tting as following Click New Entry Name enter laboratory Click Add to add the available authentication user to the selected authentication user in the same user group Click OK Complete the user group...

Страница 97: ...Step3 In Policy Outgoing add a new policy and apply the Step 1 2 into the new policy setting Authentication user policy setting Complete the policy setting...

Страница 98: ...rk via the BM 2101 appliance To create the IPSec VPN connection via the authentication Step5 If the remote user want to logout click Logout Auth User in Auth User Logout window The logout window will...

Страница 99: ...US server Windows 2003 Server built in authentication Windows 2003 RADIUS Server Deployment Step1 Click Start Control Panel Add Remove Programs select Add Remove Windows Components then it shows the W...

Страница 100: ...Step3 Select Internet Authentication Service Add new network authentication service components...

Страница 101: ...Step4 Click Start Control Panel Administrative Tools select Network Authentication Service Select network authentication service...

Страница 102: ...Step5 Right click RADIUS Clients New RADIUS Client Add new RADIUS client...

Страница 103: ...Step6 Enter the Name and Client Address It is the same as BM 2101 IP address Add New RADIUS client name and IP address setting...

Страница 104: ...Step7 Select RADISU Standard enter the Shared secret and Confirm Shared secret It must be the same setting as RADIUS in BM 2101 Add new RADIUS client vendor and shared secret...

Страница 105: ...Step8 Right click on Remote Access Policies New Remote Access Policy Add new romote access policies...

Страница 106: ...Step9 Select Use the wizard to set up a typical policy for a common scenario and enter the Policy name Add new romote access policies and policy name...

Страница 107: ...Step10 Select Ethernet The way to add new romote access policy...

Страница 108: ...Step11 Select User Add new romote access policy user and group...

Страница 109: ...Example 2 Authentication Step12 Select MD5 Challenge The authentication of add new romote access policy...

Страница 110: ...Step13 Right click on the Radius Properties The network authentication service setting...

Страница 111: ...Step14 Select Grant remote access permission and Remove the original setting then click Add The RADIUS properties settings...

Страница 112: ...Step15 Add Service Type Add new RADIUS properties attribute...

Страница 113: ...Step16 Add Authenticate Only from the left side Add RADIUS properties service type...

Страница 114: ...Step17 Click Edit Profile select Authentication and check Unencrypted authentication PAP SPAP Edit RADIUS service type dial in property...

Страница 115: ...Step18 Add Auth User click Start Setting Control Panel Administrative Tools select Computer Management Enter computer management...

Страница 116: ...Step19 Right click on Users select New User Add new user Step20 Complete the Windows 2003 RADIUS Server Settings...

Страница 117: ...P Port and Shared Secret The setting must be the same as RADIUS server The RADIUS server setting Click Test it can detect if the BM 2101 and RADIUS server can real working Step22 In Authentication Use...

Страница 118: ...Step23 In Policy Outgoing apply the Authentication Group RADIUS included in Step22 to add the new policy To add the RADIUS authentication policy Complete the RADIUS authentication policy setting...

Страница 119: ...connect to the network via the browser it will show the authentication window Enter the user name and password click OK then link to the network through the BM 2101 Link to the network through the au...

Страница 120: ...policy To use the WAN POP3 server authentication Step1 In Authentication POP3 add the new settin as following POP3 server setting Click Test it can detect if the BM 2101 and POP3 server can real worki...

Страница 121: ...Step3 In Policy Outgoing apply Step2 The authentication group in to the policy The POP3 server authentication in policy setting Complete the POP3 server authentication in policy setting...

Страница 122: ...o connect to the network via browser it will show the authentication window Enter the user name and password click OK then link to the network through the BM 2101 appliance Link to the network through...

Страница 123: ...P server Windows 2003 Server built in authentication Windows 2003 LDAP Server Deployment Step1 Click Start Program Administrative Tools Manage MIS engineer Server Step2 In Manage MIS engineerr Server...

Страница 124: ...Step3 In Preliminary Steps window click Next The Preliminary steps Web UI...

Страница 125: ...Step4 In Server Role window select Active Directory and click Next The server role window...

Страница 126: ...Step5 In Summary of Selections window click Next The summary of selections window...

Страница 127: ...Step6 In Active Directory Installation Wizard window click Next Active directory installation wizard...

Страница 128: ...Step7 In Operating System Compatibility window click Next The operating system compatibility window...

Страница 129: ...Step8 In Domain Controller Type window select Domain controller for a new domain click Next The domain controller type window...

Страница 130: ...Step9 In Create New Domain window select Domain in a new forest click Next Create new domain window...

Страница 131: ...Step10 In New Domain Name window enter the Full DNS name for new domain click Next The new domain name window...

Страница 132: ...Step11 In NetBIOS Domain Name window enter the Domain NetBIOS name click Next The NetBIOS domain name window...

Страница 133: ...Step12 In Database and Log Folders window enter the routes of Database folder and Log folder click Next The database and log folder window...

Страница 134: ...Step13 In Shared System Volume window enter the Folder location click Next The shared system volume window...

Страница 135: ...Step14 In DNS Registration Diagnostics window select I will correct the problem later by configuring DNS manually Advanced click Next The DNS registration diagnostics window...

Страница 136: ...Step15 In Permissions window select Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems click Next The permissions window...

Страница 137: ...tep16 In Directory Services Restore Mode Administrator Password window enter the Restore Mode Password and Confirm password click Next The directory services restore mode administrator password window...

Страница 138: ...Step17 In Summary window click Next The summary window...

Страница 139: ...Step18 Complete the Active Directory installation wizard Complete the active directory installation wizard...

Страница 140: ...Step19 Click Start Programs Administrative Tools Active Directory Users and Computers Enable active directory users and computers...

Страница 141: ...Step20 In Active Directory Users and Computers window right click on the Users select New User Add new active directory user...

Страница 142: ...Step21 In New Object User window enter the settings click Next Add new object user setting 1...

Страница 143: ...Step22 In New Object User window enter the password click Next The new object user setting 2...

Страница 144: ...mplete to add the user Complete to add the object user Step24 In Authentication LDAP enter the following setting The LDAP server setting Click Test it can detect if the BM 2101 and LDAP server can rea...

Страница 145: ...Step25 In Authentication User Group add LDAP User Add new LDAP user...

Страница 146: ...Step26 In Policy Outgoing apply Step25 the authentication group in to the policy setting The LDAP server authentication in policy setting Complete the LDAP server authentication in policy setting...

Страница 147: ...ser want to connect to the network it will show the authentication window Enter the user name and password click OK then link to the network through the BM 2101 appliance Link to the network through t...

Страница 148: ...web site through the complete domain name keywords and wildcards and 2 Script The access competency of popup ActiveX Java cookie in the blocking URL 3 Download To limit the competency of downloading t...

Страница 149: ...ck the ActiveX packets from the web site Java Can block the Java packets from the web site Cookie Can block the cookie packets from the web site Audio and Video Types Can limit the user to transfer th...

Страница 150: ...e Example 2 Script To limit the LAN user to access the script data in the web site Example 3 Download To limit the LAN user to download the extension files video and audio files in the intenet through...

Страница 151: ...ll enter the complete Domain Name or Keywords in to the URL blocking setting and add the symbol which reresents permitted to enter For example www kcg gov tw or gov 2 Complete all the setting of opene...

Страница 152: ...locking URL add the following setting Click New Entry URL String enter yahoo Click OK Click New Entry URL String enter google Click OK Click New Entry URL String enter Click OK Complete the URL settin...

Страница 153: ...ng setting in policy Step3 In Policy Outgoing complete the setting to permit the user can only access the data in specific web site through the policy Completer the URL content blocking setting in pol...

Страница 154: ...LAN user to access the script data in the web site Step1 In Content Blocking Script select the following setting Select Popup Select ActiveX Select Java Select Cookie Click OK Complete the script set...

Страница 155: ...the LAN user accessing the script data in the web site through the policy Complete the script content blocking settings The user can not use the specific function in the web site For example JAVA cook...

Страница 156: ...ser to download the extension files video and audio files in the intenet through http or ftp Step1 In Content Blocking Download set the following settings Select ALL Types Click OK Complete the downlo...

Страница 157: ...in to the policy The download content block setting in policy Step3 In Policy Outgoing complete the settings to limit the LAN user to transfer the video and audio files and specific extention files i...

Страница 158: ...upload the extension files video and audio files in the intenet through http or ftp Step1 In Content Blocking Upload Blocking set the following settings Select ALL Types Blocking Click OK Complete th...

Страница 159: ...gs in to the policy The upload content block setting in policy Step3 In Policy Outgoing complete the settings to limit the LAN user to upload the video and audio files and specific extention files in...

Страница 160: ...M and P2P software by using IM P2P Blocking function 1 IM Set the login privilege of MSN Messenger Yahoo Messenger ICQ Messenger QQ Messenger and Skype Messenger 2 P2P Set the use privilege of eDonkey...

Страница 161: ...tantly System will show the update time and version of IM P2P signature definitions IM Blocking Set the login privilege of MSN Messenger Yahoo Messenger ICQ Messenger QQ Messenger and Skype Messenger...

Страница 162: ...We set two examples No Range Environment Ex 1 IM Limit internal user transfer messages files and media files by IM software Ex 2 P2P Limit internal user access internet resources by P2P software...

Страница 163: ...ware Step1 In IM P2P Blocking Setting add the following settings Click New Entry Enter the Name called IM_Blocking Select MSN Messenger Yahoo Messenger ICQ Messenger QQ Messenger and Skype Messenger C...

Страница 164: ...applied to IM blocking setting Set the policy applied to IM blocking setting Step3 In Policy Outgoing complete the policy setting of limit internal user to transfer messages files and media files Com...

Page 165: ...ocking Setting add the following settings Click New Entry Enter the Name of P2P_Blocking Select eDonkey Bit Torrent WinMX Foxy KuGoo AppleJuice AudioGalaxy DirectConnect iMesh MUTE and Thunder 5 Click...

Page 166: ...cy applied to P2P blocking setting Set the policy applied to P2P blocking Step3 In Policy Outgoing complete the policy setting of limit internal user to access internet resources by P2P software Compl...

Page 167: ...Use P2P will seriously occupy network bandwidth and it can change its service port So the MIS engineer not only set the service port in Service but also need to set IM P2P Blocking P2P Blocking...

Page 168: ...l server also includes the features called One to Many map function It means one real IP address can map to the private IP address in four LAN servers which provide the same service It is because the...

Page 169: ...the IP mapped function The difference is that the virtual server use the one to many IP mapped That means one real IP address mapped to 1 4 LAN private IP address The virtual server also provide the...

Page 170: ...ervice The service provided by the virtual server WAN Port The external port provided by the virtual server If the selected service using only single port then the MIS engineer can change its external...

Page 171: ...For example use the web service Example 3 Virtual Server The external user use the VoIP to communicate to the internal user VoIP service port TCP 1720 TCP 15328 15333 UDP 15328 15333 Example 4 Virtual...

Page 172: ...adapter IP setting is 192 168 1 100 and the DNS setting correspond to the WAN DNS server Step2 In Address LAN add the following settings The server setting in address Step3 In Virtual Server Mapped I...

Page 173: ...to external Fig 11 3 The service group setting Step5 In Policy Incoming add the new policy included Step 3 Step 4 Complete the incoming setting in policy Step6 In Policy Outgoing add the new policy i...

Page 174: ...es to external Set up the single server environment which provided the multiple services via IP mapped When the MIS engineer set the IP mapped by policy it is strongly recommended not to select ANY in...

Page 175: ...the internal server which only provide single service by policy management For example use the web service Step1 To set up many LAN server which provide the web service The IP address are 192 168 1 10...

Page 176: ...ist to select Click OK Click New Entry Service select HTTP 80 External service port enter 8080 Load Balance Server 1 enter 192 168 1 101 Load Balance Server 2 enter 192 168 1 102 Load Balance Server 3...

Page 177: ...erver setting in the policy If the external user want to link to the homepage provided by the web server then the user has to modify the port into 8080 Step4 Make the virtual server can provide the si...

Page 178: ...VoIP service port TCP 1720 TCP 15328 15333 UDP 15328 15333 Step1 To set the LAN VoIP its IP address is 192 168 1 100 Step2 In Address LAN add the new following setting The LAN address setting Step3 I...

Page 179: ...ce External Service Port auto set From Service Custom Load Balance Server 1 enter 192 168 1 100 Click OK Complete the virtual server setting The virtual server real IP setting The virtual server setti...

Page 180: ...new policy included Step4 The virtual server setting Complete the virtual server setting in policy Step6 In Policy Outgoing complete the setting of LAN user use VoIP to communicate to external user Co...

Page 181: ...ake the virtual server provide the communication service between the internal and external user The deployment of using the communication service between the internal and external user via the virtual...

Page 182: ...ts network adapter IP address are 192 168 1 101 192 168 1 102 192 168 1 103 192 168 1 104 and the DNS is correspond to the external DNS server Step2 In Address LAN and LAN Group add the new following...

Page 183: ...Real IP enter 211 22 22 23 Or click Assist to select Click OK Click New Entry Service select Group Service Main_ Service External Service Port auto set From Service Group Load Balance Server enter the...

Page 184: ...4 The virtual server setting Complete the incoming setting in policy Step6 In Policy Outgoing add the new policy included Step2 Step3 to make the server can send the e mail to external mail server via...

Page 185: ...Step7 Make the virtual server provide multiple service to external Deployment of using the virtual server instead of many internal server which provide multiple service to external...

Page 186: ...in data transmission by policy management How to use the Policy The BM 2101 can divide the Policy into 6 function depends on the data packets in different source address The MIS engineer can easy to...

Page 187: ...twork packets and services 6 DMZ To WAN The source IP is in DMZ and the destination IP is in WAN The MIS engineer can set the DMZ To WAN policy included the network packets and services All the packet...

Page 188: ...tem default setting or choose the Policy Object Service Custom to use the custom setting Option Use the icon to display as the option enabled Icon Name Definition Schedule Enable the schedule autorun...

Page 189: ...qualified packets can go through WAN1 WAN2 PERMIT WAN1 To permit the qualified Packets can pass by WAN1 PERMIT WAN2 To permit the qualified Packets can pass by WAN2 PERMIT VPN Trunk To permit the VPN...

Page 190: ...y policy management Quota Per Day To allocate the max flow MBytes Sec in everyday NAT When the packets pass through the LAN DMZ from external the packets source IP will change into the BM 2101 s LAN D...

Page 191: ...itted the authenticated user can access the network resources on specific time Example 4 Incoming The external user use the remote control software to control the internal PCs For example pcAnywhere E...

Page 192: ...al user link to the network use traffic log statistics and quota per session Step1 In Policy Outgoing add the following settings Click New Entry Select Traffic Log Select Statistics In Quota Per Sessi...

Page 193: ...nitor packets through the policy In Traffic Log Filtered window click the drop down menu at the upper left to select the Refresh frequency In Traffic Log Filtered click the IP address displayed in the...

Page 194: ...Traffic Log Web UI...

Page 195: ...Step4 In Monitor Statistics Policy it shows the traffic statistics through the policy Traffic statistics...

Page 196: ...cify network resources For example the static IP and content blocking Step1 In Content Blocking URL Script P2P IM Download Upload add the following settings Content blocking setting 12 7 Script settin...

Page 197: ...IM setting Download setting...

Page 198: ...cookie market exchange web site 3 The Peer to Peer application policy can limit the user to use the Peer to Peer application for example eDonkey BT WinMX 4 The IM policy can limit the user to use the...

Page 199: ...Step2 In Address WAN and WAN Group add the following settings Set the WAN IP to block Group the WAN The MIS engineer can customize to group the address and apply it to policy...

Page 200: ...licy Outgoing add the following settings Click New Entry Destination Address select WAN _Group set in Step2 Use the IP to block Action WAN Port select DENY ALL Click OK Set the policy included blockin...

Page 201: ...Step4 In Policy Outgoing add the following settings Click New Entry Select Content Blocking Click OK To set the content blocking policy...

Page 202: ...e network resources Complete to set the policy to deny users access the network resources The DENY action can block the packets correspond to the policy The MIS engineer can move the policy to first p...

Page 203: ...ic time Step1 In Schedule add the following settings Add new schedule Step2 In Authentication User and User Group add the following settings The authentication user group setting The MIS engineer can...

Page 204: ...User select laboratory Schedule select WorkingTime Click OK To set the authentication and schedule policy Step4 Complete the setting to permit the user can access the network resources on specific t...

Page 205: ...trol software to control the internal PCs For example pcAnywhere Step1 To set up a LAN PC remoted by the external PC the server virtual IP is 192 168 1 2 Step2 In Virtual Server Server 1 add the follo...

Page 206: ...Address select Virtual Server 1 61 11 11 12 Service select PC Anywhere 5631 5632 Click OK To set the policy of LAN PC remoted by the external PC Step4 Complete to set the policy of LAN PC remoted by...

Page 207: ...the server virtual IP is 192 168 3 2 The DMZ interface address is 192 168 3 1 24 Step2 In Virtual Server Server 1 add the following settings Set the virtual server correspond to FTP server In Policy...

Page 208: ...ion Address select Virtual Server 1 61 11 11 12 Service select FTP 21 Qos select FTP_QoS MAX Concurrent Sessions enter 100 Quota Per Day enter 100000 Mbytes Click OK Add new policy Step5 Limit users a...

Page 209: ...Step1 In DMZ to set a mail server and the IP is 61 11 11 12 The DNS set to correspond to the external DNS server Step2 In Address DMZ add the following settings To set the mail server correspond to th...

Page 210: ...settings Click New Entry Destination Address select Mail_Server Service select E mail Click OK To set the WAN To DMZ mail service policy Step5 Complete to set the WAN To DMZ mail service policy Comple...

Page 211: ...settings Click New Entry Destination Address select Mail_Server Service select E mail Click OK To set the LAN To DMZ mail service policy Step7 Complete to set the LAN To DMZ mail service policy Comple...

Page 212: ...settings Click New Entry Destination Address select Mail_Server Service select E mail Click OK To set the DMZ To WAN Mail service policy Step9 Complete to set the DMZ To WAN mail service policy Comple...

Page 213: ...IP When the BM 2101 received the intrusion packets from hackers the internal PC will block this abnormal packets in it to prevent the Company s network be paralyzed In this chapter we will make th...

Page 214: ...all the IP and the total SYN packets Pkts Sec pass through the BM 2101 If over the setting value then BM 2101 will define it to be attacked SYN Flood Threshold Per Source IP Define every source IP an...

Page 215: ...the total ICMP flow from every source IP if over the setting value then BM 2101 will keep blocking Detect UDP Flood Can detect the UDP data packets sent from hacker and use the Broadcast to send to eve...

Page 216: ...k them Detect Tear Drop Attack Can detect the IP data packets which pretend the normal data packets but actually this kind of packets contain the amount of data packets which can let the system crash ho...

Page 217: ...the message in Virus infected IP and Attack Events If the MIS engineer enable the function in System E mail alert notification then the BM 2101 will automatically send the notification to the MIS eng...

Page 218: ...infected is default is 100 sessions sec Select Enable Virus infected IP Blocking Blocking Time 60 seconds Select Enable E Mail alert notification Select Enable Snmp Trap Alert Notification Select Enab...

Page 219: ...anomaly flow IP and Dos Anti Attack Enable Co Defense System then the BM 2101 can send the defense message to the assigned Switch Model Add Non detected IP these specific IP is not controlled this fun...

Page 220: ...ttack packets it will show the message in Anomaly Flow IP Virus infected IP Or send the Net BIOS Notification to the MIS and virus infected PC Anomaly flow IP and Virus infected IP Send the NetBIOS Ale...

Page 221: ...Send the NetBIOS Alert Notification to the MIS engineer...

Page 222: ...the BM 2101 will send the mail notice to the MIS engineer Step4 If enable the SNMP SNMP Trap then the Bandwidth Management Gateway will show the message on the SNMP Trap client software The SNMP Trap...

Page 223: ...101 will show the alert message at first time If the virus infected user can not solve the problem then the BM 2101 will restrict the virus infected user and it will make the link speed slow and will...

Page 224: ...Step6 Enable the Anomaly Flow Attack Event then the BM 2101 shows the attack information in detail Anomaly Flow IP attack event...

Page 225: ...onnection record all the BM 2101 connecting information MIS engineer can easily to know the status depends on the connecting information when the problems happened How to use Monitor Traffic MIS engin...

Page 226: ...ccess the internal and external resources via BM 2101 Example 2 Event View the status of MIS engineer log into BM 2101 process the management and external interface Example 3 Connection View the externa...

Page 227: ...to access the internal and external resources via BM 2101 Step1 Policy DMZ To WAN add the following settings Traffic setting in policy Step2 Policy DMZ To WAN complete the traffic setting in policy p...

Page 228: ...Step3 Monitor Traffic it shows the packets traffic through policy The traffic log Web UI...

Page 229: ...Step4 Click Source IP or Destination IP in Fig 14 3 it shows the Protocol Port and Traffic information The IP address traffic log Web UI...

Page 230: ...Step5 Click Clear it shows the confirm window then click OK All the records will be deleted in BM 2101 Delete all the traffic log...

Page 231: ...Step6 Click Clear it shows the confirm window then click OK All the records will be deleted in BM 2101 Delete all the traffic log...

Page 232: ...to the BM 2101 appliance Step1 Monitor Event it shows the status of MIS engineer log into BM 2101 to process the management and external interface Step2 Click Download File Download Save Step3 Click Cl...

Page 233: ...5 3 Connection View the external interface connection record as process the bandwidth management Step1 Monitor Connection it shows the external interface connection status in BM 2101 Connection record...

Page 234: ...Step2 Click Download File Download Save Save the connection log files...

Page 235: ...Step3 Click Clear it shows the confirm window then click OK All the records will be deleted in BM 2101 Delete all the connection log files...

Page 236: ...Step1 System Configure enable E mail Alert Notification and enter the e mail settings E mail setting Step2 Monitor Backup enable log mail support Click OK Log mail configuration Select Enable E mail L...

Page 237: ...p3 Monitor Backup Syslog setting Select Enable Syslog Messages Enter the IP in Syslog host IP address Enter the Syslog receive Port number in Syslog host Port Click OK Complete the setting Syslog setti...

Page 238: ...use Accounting Report to view all the internal and external user s network accessing activities Includes the policy and VPN Accounting Report can record user s upstream downstream first packet last pa...

Page 239: ...and outbound information in BM 2101 Accounting Report includes Outbound and Inbound Outbound Accounting Report Account report can record any downstream upstream service traffic used by LAN and DMZ use...

Page 240: ...ort can record the service traffic used by LAN or DMZ user via BM 2101 Inbound Accounting Report Account report can record any service downstream upstream traffic used from external user to LAN or DMZ...

Page 241: ...Site Display the LAN and DMZ server accounting report Service Accounting report can record the service traffic used from external user to LAN or DMZ server via BM 2101...

Page 242: ...to access LAN or DMZ user via BM 2101 Upstream The percentage of user s traffic and total upstream from LAN or DMZ user to access external server via BM 2101 First Packet Record the first packet from...

Page 243: ...Outbound accounting report...

Page 244: ...Outbound use information...

Page 245: ...xternal server Source IP It means the LAN or DMZ user s IP address to access the external server Downstream The percentage of traffic and total downstream traffic from external server to access LAN or...

Page 246: ...Outbound site accounting report...

Page 247: ...AN or DMZ user to access external server Downstream It means the percentage of traffic and total downstream traffic from external server to access LAN or DMZ user via BM 2101 Upstream It means the per...

Page 248: ...ccess external user via BM 2101 Downstream The percentage of user s traffic and total downstream from external user to access LAN or DMZ server via BM 2101 First Packet Record the first packet from ex...

Page 249: ...Inbound user accounting report...

Page 250: ...Inbound user information...

Page 251: ...AN or DMZ server Source IP It means the external user s IP address to access the LAN or DMZ server Downstream The percentage of traffic and total downstream traffic from external user to access LAN or...

Page 252: ...Inbound site accounting report...

Page 253: ...e external user to access LAN or DMZ server Downstream It means the percentage of traffic and total downstream traffic from external user to access LAN or DMZ server via BM 2101 Upstream It means the...

Page 254: ...s pass through the WAN interface and traffic log in upstream downstream Policy statistics it includes all the upstream downstream packets pass through the Policy and traffic log in upstream downstream...

Page 255: ...ect the time unit 1 Minute Refresh the statistics charts every minute 2 Hour Refresh the statistics charts every hour 3 Day Refresh the statistics charts every day 4 Week Refresh the statistics charts...

Page 256: ...AN statistics will enabled when enable the WAN interface Step2 Statistics WAN select the WAN to view MIS engineer can click Minute to view the statistic charts results in every minute Click Hour to vi...

Page 257: ...Step3 Statistic charts Ordinate Network flow Horizontal ordinate Time hour minute View the WAN flow...

Page 258: ...Policy Step2 Statistics Policy select the policy to view MIS engineer can click Minute to view the statistic charts results in every minute Click Hour to view the statistic charts results in every hou...

Page 259: ...Step3 Network flow statistic charts Ordinate Network flow Horizontal ordinate Time hour minute View the policy statistics charts...

Page 260: ...Chapter 18 Diagnostic The MIS engineer can set the BM 2101A proactively send the packets Ping and Traceroute to detects the status of WAN interface...

Page 261: ...s to specific address to detects the status of WAN interface Enter the Destination IP Domain name Enter the Packet size Default setting is 32 Bytes Enter Count value Default setting is 4 Enter Wait ti...

Page 262: ...Ping results...

Page 263: ...101A LAN interface IP and enter the remote LAN IP which can send or receive packets via VPN in to Destination IP Domain name column Use the following method to detect the VPN status of local 192 168...

Page 264: ...ss by traceroute command to detects the status of WAN interface Enter the Destination IP Domain name Enter the Packet size Default setting is 40 Bytes Enter the MAX Time to Live Default setting is 30...

Page 265: ...Traceroute results...

Page 266: ...2101 appliance to start up the internal PCs by sending packets which included the network bootable network adapter and can additionally use the remote monitor software such as VNC Terminal Service and...

Page 267: ...e monitored and its MAC is 00 30 4F B7 96 3B Step2 In Wake on Lan Setting add the following settings Click New Entry Name enter josh MAC Address enter 00 30 4F B7 96 3B Click OK Set the internal PC to...

Page 268: ...he all the interface status in BM 2101 2 System Info It shows the CPU utilization memory utilization and ramdisk utilization 3 Authentication It records the authentication information in BM 2101 4 ARP...

Page 269: ...Sessions Info Search To search the record depends on the Policy No Source IP Destination IP and Port in BM 2101 Add the following settings 1 Policy select All Policy 2 NO select ALL 3 Click Search...

Page 270: ...Search the specific record...

Page 271: ...TTP and HTTPS Forwarding Mode It shows the interface connection mode WAN Connection It shows the WAN interface connection status DnS UpS kbps It shows the maximum downstream upstream bandwidth in WAN...

Page 272: ...The interface information...

Page 273: ...hows the real system information CPU Utilization The CPU utilization in BM 2101 HardDisk Utilization The hard disk utilization in BM 2101 Memory Utilization The memory utilization in BM 2101 RamDisk U...

Page 274: ...The system information...

Page 275: ...represents the authenticated user IP address Authentication User Name It represents the authenticated login name used by authentication user Login Time It represents the user s login time year month d...

Page 276: ...ation of Net BIOS name IP address MAC address and interface Net BIOS Name The PC s network identification name IP Address The PC s IP address MAC Address The computer s network adapter identification...

Page 277: ...packets pass through BM 2101 Step2 Click Source IP or Destination IP It shows the traffic statistics by user s IP host name or domain name to access the network resources of pop up window Use the IP ad...

Page 278: ...PC s network identification name of IP address distributed by DHCP server IP Address The PC s dynamic IP address distributed by DHCP server MAC Address The computer s dynamic IP address mapped to MAC...
