Sangfor IAM 2.1 страница 96 Скачать руководство пользователя

Страница: 96 / 319

SANGFOR IAM v2.1 User Manual

(that directly connects to the IAM gateway device) to the [LAN Router List], so that the

MAC address of this interface is excluded from the anti-DoS rule and from being blocked.

Generally, if the WAN interface of the IAM gateway device connects to any firewall or router,

the interface IP address of this routing device should be added into the [LAN Router List].



By default, the [Max New TCP Connections Per IP] in one minute of an IAM gateway device

anti-DoS module is 1024, and the [Max Attack Packets Per IP] is 300. If the local area

network is virus-infected and sending enormous packets, resulting in disconnection of the

network, it is recommended to modify [Max New TCP Connections Per IP] to 512 and [Max

Attack Packets Per IP] to a smaller value, and then the defense against the LAN

virus-infected computers can be more efficient.



As the download software Thunder allows massive connections, and thus features like DoS

attack. Because of this feature, the IAM gateway device may block the LAN PC that is

running Thunder software. To solve this problem, you can set an appropriate value to lower

the possibility the computer being blocked by the IAM gateway device. Configure the [Max

New TCP Connections Per IP] as 1024 connections/minute and [Max Attack Packets Per IP]

as 512 packets/second.

5.4.

ARP Protection

ARP spoofing is a common LAN virus. The infected computer keeps sending fake (or spoofed)

message (broadcast packets) to the local area network (LAN), and thus interrupts and stops the

normal communication among the LAN devices, or even stops the overall traffic of the local area

network.

Defense against ARP spoofing is fulfilled through the ARP protection function of IAM gateway

device in association with the Ingress Client installed in the LAN PC. After installing the Ingress

Client, the Ingress Client will communicate with the IAM gateway device to get the correct

IP/MAC information of the gateway device and bind with it. The IAM gateway device will refuse

to receive the ARP request or response that features attack, so as to protect the ARP cache of the

local IAM gateway device and get immune from ARP spoofing.

However, if the user related to access control policy is bound with an IP/MAC address(es), the

IAM gateway device will take the bound ones (in [Organization Structure] > [Edit User] page >

[Advanced Settings] > [User Attribute]) as the final IP/MAC address(es).

Содержание IAM 2.1

Страница 1: ...SANGFOR IAM v2 1 User Manual IAM 2 1 User Manual September 2010...

Страница 2: ...ation and Management 13 1 5 Wiring Method of Standalone 13 1 6 Wiring Method of Redundant System 15 Chapter 2 Console 17 2 1 Web UI Login 17 2 2 IAM Gateway Configuration 18 Chapter 3 System Status 19...

Страница 3: ...Ident Rule 59 4 3 Service 61 4 4 IP Group 62 4 5 Schedule 64 4 6 URL Group 65 4 7 White List Group 68 4 8 Keyword Group 69 4 9 File Type Group 70 4 10 Ingress Rule 71 4 11 SSL Certificate 80 Chapter...

Страница 4: ...2 2 Web Filter 117 7 1 2 2 1 HTTP URL Filter 117 7 1 2 2 2 HTTPS URL Filter 120 7 1 2 2 3 Keyword Filter 122 7 1 2 2 4 File Type Filter 123 7 1 2 2 5 ActiveX Filter 126 7 1 2 2 6 Script Filter 130 7...

Страница 5: ...1 POP3 Authentication 166 7 2 2 2 2 Network Environment 167 7 2 2 2 3 Configuration 167 7 2 2 3 WEB SSO 168 7 2 2 4 Proxy SSO 170 7 2 2 4 1 Proxy Authentication 170 7 2 2 4 2 Network Environment 170...

Страница 6: ...ort 210 7 7 Online User 211 Chapter 8 Bandwidth Management 214 8 1 Bandwidth Status 214 8 1 1 Bandwidth Channel 215 8 1 2 Exclusion Policy 216 8 2 Bandwidth Settings 217 8 2 1 Bandwidth Channel 217 8...

Страница 7: ...pter 13 Security 260 13 1 Gateway Antivirus 260 13 2 IPS 262 13 2 1 IPS Options 262 13 2 2 IPS Rules 264 13 3 VPN Settings 265 13 3 1 VPN Status 265 13 3 2 Basic Settings 266 13 3 3 User Management 26...

Страница 8: ...3 3 12 2 VPN Interface 302 13 3 12 3 LDAP Server 303 13 3 12 4 Radius Server 304 13 3 13 Generate Certificate 305 Chapter 14 DHCP 306 14 1 DHCP Status 306 14 2 DHCP Settings 306 Chapter 15 Wizard 309...

Страница 9: ...GFOR logo are the trademarks or registered trademarks of SANGFOR Technology Co Ltd All other trademarks used or mentioned herein belong to their respective owners This manual shall only be used as usa...

Страница 10: ...URL group IP group service time schedule white list group keyword group file type group ingress rule and SSL certificate Chapter 5 Firewall How to configure the firewall rules of the IAM gateway as w...

Страница 11: ...configuration starts from and how to configure the IAM gateway step by step Document Conventions Graphic Interface Conventions This manual uses the following typographical conventions for special ter...

Страница 12: ...Note Indicates helpful suggestion or supplementary information Technical Support For technical support use the following methods Go to our official website http www sangfor com Go to our technical sup...

Страница 13: ...the requirements on environment protection and the placement usage and discard of the product should comply with relevant national law and regulation 1 2 Power The SANGFOR IAM series device uses 110 2...

Страница 14: ...interface is only for debugging by technicians The end users connect to the device via the network interfaces 1 4 Configuration and Management Before configuring the device please prepare a computer...

Страница 15: ...icator will be lighted only for about one minute due to system loading when the device is starting and then go out indicating successful startup of the device If the ALARM indicator stays lighted duri...

Страница 16: ...ailability mode HA the wiring to the external network and internal network should be as shown in the following figure Use standard RJ 45 Ethernet cable to connect the WAN1 interfaces of the two IAM ga...

Страница 17: ...to connect the LAN interfaces of the two IAM gateway devices to a same switch and then connect the switch to the local area network switch with standard RJ 45 wire connecting it to the local area net...

Страница 18: ...on can be avoided Having connected all the wires you can go on to configure the SANGFOR IAM gateway device through the WEB UI Detailed procedures are as described in the following chapters Configure a...

Страница 19: ...o view the version information click the link View Version 2 2 IAM Gateway Configuration Logging in successfully you will face the following function modules left tree System Object Firewall IAM Bandw...

Страница 20: ...tc 3 1 Running Status Running Status provides the real time status of the IAM gateway device including CPU usage Disk Usage Sessions WAN IP Flow Status as well as View Connection Ranking View Flow Ran...

Страница 21: ...ink to view the connection information Enter an IP address and click the Search button and you can get the current connection information of this IP address For detailed configuration please refer to...

Страница 22: ...crossing ISPs Gateway Antivirus License You can activate it to update the virus library of the antivirus module Application Ident URL Library License You can activate it to update the expiry time of...

Страница 23: ...seen below which is a Configure button Click the Configure button to get into the next page and select the gateway mode to be switched to Click the Next button and finish the rest required configurat...

Страница 24: ...ively that is of different network segments If WAN2 interface on the front panel of the IAM gateway device is not used you can define WAN2 interface as a LAN2 or DMZ2 If the LAN interface of the IAM g...

Страница 25: ...riginal gateway and the LAN users no change to be made on the original gateway and the LAN users It seems the original gateway and the LAN server cannot feel the existence of the IAM device It is what...

Страница 26: ...age is as shown below 3 4 2 1 Bridge Mode Multiple Interface Through bridging the interfaces of the IAM gateway device we can establish multiple interfaces for a bridge so as to create an environment...

Страница 27: ...hen deployed to bridge R1 and R2 with S1 Environment 2 In order to enhance the stability of the network and reduce single node failure both the kernel switch and the router of local area network are i...

Страница 28: ...orwarded from and being forwarded to In association with the settings of the firewall rules this item can allow or deny data transmission of certain direction Differences between Multi Interface and M...

Страница 29: ...nd the router of local area network are in redundancy Both R1 and R2 use VRRP protocol When the host is down the alternate device enables the virtual IP and takes over the network Then we deploy the I...

Страница 30: ...ection the data are forwarded to Click the Next button to get into the next page to configure the bridge as shown below Bridge Direction Indicates the direction of data transmission Bridge IP List Bas...

Страница 31: ...faces of the device are being bridged the data of layer 2 and the layers above can be traversed This feature of the IAM gateway device enables the DHCP service and the IP MAC binding of the original g...

Страница 32: ...mask and then click Add If you have enabled the functions that need to be redirected to the IAM gateway device such as anti virus function email filter ingress rule WEB authentication etc you have to...

Страница 33: ...click Configure to enter the Select Gateway Mode page Select Bypass Mode and click the Next button then the following page appears IP Address Configures the IP address of the MANAGE interface DMZ inte...

Страница 34: ...s are WAN addresses but regards the addresses in the Monitored Network Segment List as LAN addresses Access data sent to the Internet through these monitored addresses will be recorded or controlled H...

Страница 35: ...d to be received by the PC and the server of the public network Many functions are not available in bypass mode such as VPN DHCP and Ingress rule etc Bypass mode IAM gateway mode mainly plays a monito...

Страница 36: ...ce is down you need only disable the proxy service on the user s PC and to have it back into normal Typical topology of the single arm mode is as shown below failure will not disconnect the network Un...

Страница 37: ...de the gateway configured in the local area network need no change keeping directing to its original gateway To have the IAM gateway device work in single arm mode you have to configure the WAN Optimi...

Страница 38: ...he corresponding configuration page If you are to configure multiple IP addresses you can add the IP addresses that are to be bound click the Next button to get into the next page VLAN Enable or Disab...

Страница 39: ...ce Displays the information of WAN interface It can be defined as the third external line as well as a LAN interface or DMZ interface Multiline Settings Displays the line selection policy selected Cli...

Страница 40: ...or the synchronization between the IAM gateway devices The communication interface can be any network interface that can cross multicast packets to communication with each other It is recommended to u...

Страница 41: ...e In addition to modifying the system time directly you can configure a Time Server to synchronize the time and select a local Time Zone The configuration page is as shown below Use System Time Click...

Страница 42: ...w Administrator Name Type in a unique name for this administrator to distinguish it from others Description Type in a brief description for this administrator Password Configures the login password fo...

Страница 43: ...common admin are divided according to functions module there are privileges on Device Management System Object Firewall IAM Bandwidth Management Delayed Email Audit Internet Access Audit Logs Trouble...

Страница 44: ...he internal Data Center to view the logs of the selected group s The options of Data Center Privileges can be configured individually which are System Management Customized Report and Intelligent Repo...

Страница 45: ...cally log out the console Operation Timeout If a page fails to open during this time interval the system will think it times out and will not try to open this page again Issue Console SSL Certificated...

Страница 46: ...the configuration file will be backed up for 7 days Restore from the configuration file Click the Browse button select and upload a backed up configuration file and then click the Restore button to ha...

Страница 47: ...ing the IAM gateway device will be automatically uploaded Auto Report System Error Select Enable and the anomaly information found during using the IAM gateway device will be automatically uploaded Au...

Страница 48: ...et you then need to configure HTTP Proxy options in Server Settings provided there is HTTP proxy so as to ensure the IAM gateway device can access the Internet smoothly and update the corresponding ru...

Страница 49: ...manually created policy The Policy Routing configuration page is as shown below Policy Routing List Displays the existing policy based routings If there are multiple applicable policy routings the up...

Страница 50: ...umber Source Port Destination Port Configures the source port and destination port of the data packet on which this policy based routing is applied Target Line This target line is the outgoing line of...

Страница 51: ...ne If you need the routing table of each ISP please contact the Customer Service of SANGFOR Having gained the routing table click the Browse button to upload the policy routing and then click the Impo...

Страница 52: ...multiple segments to add return route Add return route for SNAT function for multiple segments If there are several LAN segments access Internet through the SANGFOR gateway device then you need to add...

Страница 53: ...get access to the Internet through IAM gateway device IAM gateway device acting as the egress Since 192 168 2 X and the LAN interface 10 251 251 251 of IAM gateway device are of different segments IA...

Страница 54: ...ificate can function as its ID when it registers on the SC Secure Center Management The Generate Certificate page is as shown below 3 16 High Availability High Availability configured the mode of the...

Страница 55: ...and lock the Active Standby status Click Enable and the Active Standby status cannot be altered even though the primary node is down Please think it over to enable this function It is recommended to e...

Страница 56: ...standby node will think the primary node got down and switch from Standby status to Active status automatically Click the Interface Detection button to enter the Network Interface Detection dialog and...

Страница 57: ...kets etc which helps to identify P2P traffic quite well Application identification rule falls into internal rule and user defined rule The internal rules cannot be modified while the user defined rule...

Страница 58: ...e values definition of the software such as P2P IM etc You can contact SANGFOR and apply for application identification rule packets to manually import the rules and you can analyze data packets by yo...

Страница 59: ...he Export button and name the file and then finally confirm to export the internal rule cannot be exported Import Rule To import a rule click the Browse button and upload the rule extension of the rul...

Страница 60: ...ateway device can access the Internet For the internal rules you can only alter the classification but not edit the policy or export the rule 4 2 Intelligent Ident Rule Intelligent Ident Rule mainly i...

Страница 61: ...re encrypted To control and record the Skype data you have to configure it on the Edit Intelligent Ident Rule page of P2P Action put in another way you have to first enable P2P Action in the Intellige...

Страница 62: ...Control First you need to define various services of the firewall in Object Service including the port and protocol applied next configure the filtering rules in Firewall Firewall Rules referring to t...

Страница 63: ...it from others Click TCP UDP ICMP or Others to define the protocol to be applied check Add Port and type in a single port or a port range as shown below If it is Other protocol Protocol number 0 indic...

Страница 64: ...estination IP group in IAM Access Control Policy page Access Control Service Control Click the Add button and the following Edit IP Group page pops up as shown below Name Names the newly created IP gr...

Страница 65: ...et is accessible to it 4 5 Schedule Schedule defines the commonly used time periods mainly used as valid time or expiry time The defined schedule can be referenced by Firewall Firewall Rules and IAM A...

Страница 66: ...le the selected time periods and then click the OK button to save the settings on this page 4 6 URL Group URL Group is created according to the URL library and can be referenced by URL Filter configur...

Страница 67: ...t version of URL library was released at Update URL Library If the URL library cannot automatically update for it is disconnected to the Internet you can manually update the URL library Just click the...

Страница 68: ...is built in with a large number of URL groups when it is delivered from the factory You can add a new URL into the URL library if necessary in addition to using the existing and built in URLs Name Nam...

Страница 69: ...ck the OK button to save the settings 4 7 White List Group White List Group defines the domain name white list which can be referenced by Access Control Policy Edit Access Control Policy Web Filter Fi...

Страница 70: ...on to save the settings 4 8 Keyword Group Keyword Group is used for configuring and classifying the keywords The Keyword Groups can be referenced by IAM Access Control Policy Edit Access Control Polic...

Страница 71: ...s the needed file types File Type Group can be referenced by IAM Access Control Policy Edit Access Control Policy page Web Filter File Type Filter to control HTTP and FTP upload and download and can b...

Страница 72: ...ules to be applied when users get access to the Internet The ingress rules are to ban the use of proxy software bind IP MAC address of three layers and monitor encrypted IM message and can be referenc...

Страница 73: ...ANGFOR Customer Service Import Rule is corresponding to the Export button below the Ingress Rule List which can export the selected ingress rule file s of conf format while the Import button is used f...

Страница 74: ...rules must be satisfied and All of the rules must be satisfied Action Select the action if the Matching Condition is satisfied Options are Deny Internet access and Submit report only Rule Type Define...

Страница 75: ...LAN computer which is going to get access to the Internet through the IAM gateway device For instance if the LAN computers of an enterprise use the Microsoft Windows XP in order to prevent the LAN us...

Страница 76: ...lect Operating System Version If no operating system version is selected this ingress rule will ban the user from accessing Internet First select operation version s and then click Enable to enable th...

Страница 77: ...s page click the OK button to save the settings and add this ingress rule to the Ingress Rule List File ingress rule controls the files of the LAN computers who get access to the Internet through the...

Страница 78: ...s the antivirus software on the LAN computer has lagged behind to be updated If the time is longer than the days configured here the IAM gateway device will take the corresponding operation Having com...

Страница 79: ...s and Settings SINFOR Local Settings Temp Program C Program Files Registry ingress rule checks the Registry of the operating system of the LAN computer that gets access to the Internet through the IAM...

Страница 80: ...shown in the figure above Check return result Not check return result Configures whether to check the execution results of the task script Return Result Timeout Configures the timeout for obtaining t...

Страница 81: ...N PC as administrator to get access to the Internet Having completed configuring this page you have to click the OK button to save the settings and add the ingress rule to the Ingress Rule List The co...

Страница 82: ...rtificate Differentiation of different certificates is inspected by MD5 value of the certificate If the MD5 value of a certification is different from others then it is regarded as another certificate...

Страница 83: ...N LAN 5 1 1 LAN DMZ LAN DMZ configures the rule for data transmission fulfilled between LAN interface and DMZ interface The service can be all the services of certain protocol or a user defined servic...

Страница 84: ...page pops up as shown in the following figure Firewall rules are to be matched from top to bottom If a rule is matched the rules below it will not to be matched therefore please arrange the rules in n...

Страница 85: ...elow 5 1 3 WAN LAN WAN LAN page configures the rule communication between the LAN interface and the WAN interface By default Internet access through the LAN interface has no limitation while LAN acces...

Страница 86: ...ce has some built in and frequently used firewall rules which default to let pass all the data packets from the external networks 5 1 4 VPN WAN VPN WAN configures the firewall filtering rule for data...

Страница 87: ...rections between the interfaces are allowed The configuration page is as shown below For instance to allow the IP addresses 172 16 1 100 172 16 1 200 of a Branch VPN 172 16 0 0 24 to get access to the...

Страница 88: ...n between the LAN1 interface LAN interface on the IAM gateway device and the LAN2 interface the idle WAN2 interface on the IAM gateway device or configures the communication among the IP addresses of...

Страница 89: ...or configures the communication among the IP addresses of different segment that are bound with the DMZ interface The service can be all the services of certain protocol or a user defined service For...

Страница 90: ...etwork interface or select All WAN interfaces to which the data packets are forwarded to Select Source Address All the IP addresses or a Specified subnet which can get access to the Internet through t...

Страница 91: ...rotocol Options are All and Specified All indicates all the protocol on which the SNAT rule is applied Specified is selected and entered when the protocol and line applied are specified Having complet...

Страница 92: ...eans all the source IP addresses while Specified indicates that the source addresses are the specified ones Destination Address Generally Specified interface address is selected If the WAN interface h...

Страница 93: ...5 1 3 WAN LAN The configuration page is as shown below 5 3 Anti DoS DoS attack Denial of Service attack generally is implemented by forcing the server to reset or saturating the server with external c...

Страница 94: ...ist may result in login failure to the console through the LAN interface in that case log in through the WAN interface The LAN Address List can be left blank but configuring it will enable the SANGFOR...

Страница 95: ...st Blocking Time After Attack is Detected Max Attack Packets Per IP Configures the maximum packets including SYN packets ICMP packets and TCP UDP small attack packets of each IP or MAC address allowed...

Страница 96: ...priate value to lower the possibility the computer being blocked by the IAM gateway device Configure the Max New TCP Connections Per IP as 1024 connections minute and Max Attack Packets Per IP as 512...

Страница 97: ...of the front end router to the Static ARP List If the LAN PC has installed the Ingress Client then it can get the correct IP MAC address of the gateway and bind with it therefore we can make sure tha...

Страница 98: ...this website for the first time will be cached by the IAM gateway device if a second LAN user wants to visit the same website the requested data basically the same with the data requested by the firs...

Страница 99: ...le disk space for optimization Sessions Refreshes and displays the total current sessions every five minutes Memory Usage Displays the utilized memory by and the maximum available memory space for opt...

Страница 100: ...ffic volume shows the external bandwidth saved by the IAM gateway device Flow speed Displays the flow speed of the data that are passing through the IAM WAN optimization module The information is disp...

Страница 101: ...ercentage and times the cached data being matched hit by the requested data The information is displayed in Bar graph and Pie graph Hits may be counted by object or by byte Byte hit indicates the cach...

Страница 102: ...d Instant Request Indicates the data requested by the LAN user for the first time or the request data that are not hit by the cached data No Cache Indicates the requested data that the extranet server...

Страница 103: ...ings System Settings globally enables or disables the WAN optimization function as well as displays the Cache Usage information You can also clear the cache on this page WAN Optimization Globally enab...

Страница 104: ...ectively Cache Usage Displays the utilized maximum memory space and disk space Click the Clear Cache button and it prompts whether to continue the operation as shown below If you confirm to clear the...

Страница 105: ...AM gateway device will not update the cached objects within this time interval even though they have been updated by the server only after this time interval will the IAM gateway device update the cac...

Страница 106: ...change in real time data of these websites need not be cached Restore Default Click this button to restore the factory default settings Having completed configuring this page you have to click the OK...

Страница 107: ...o be cached When the websites specified in the list are visited related data will be cached regardless of visit frequency Enter the domain name or IP address or IP range into the list Restored Default...

Страница 108: ...rol Policy mainly configures the policy controlling the LAN users to get access to the Internet It involves the configuration of Access Control Web Filter Email Filter SSL Management Application Audit...

Страница 109: ...ted access control policy or policies Disable Click this button to disable the selected access control policy or policies Export Click this button to export the selected access control policy or polic...

Страница 110: ...st to rename the policy as shown below Type the new name in the text box and then click the OK button to save the settings 7 1 1 Add Access Control Policy Under the default configuration page of Acces...

Страница 111: ...escription for this access control policy Expiry Date Select Never expire or select Expired on and configure the date Status Configures the status of this policy itself Select Enable to enable this ac...

Страница 112: ...ick the OK button to add one policy or multiple policies as shown below 7 1 2 Edit Access Control Policy Under the default configuration page of Access Control Policy click the name of a policy to ent...

Страница 113: ...nd Reminder The followings are detailed introductions to each module 7 1 2 1 Access Control To facilitate network administrator to control the Internet activity of the LAN users SANGFOR IAM gateway de...

Страница 114: ...inspected and then achieves control over certain application Application Control You have to check it to activate the rules configured under it as shown below Click the Add button to configure the app...

Страница 115: ...with the application s configured above If several policies are associated adopt the default action of the next policy and continue matching downwards If multiple access control policies are associat...

Страница 116: ...ot want to have the LAN users to browse WebPages during office hours you need to configure a service rule to deny HTTP service As to the detailed introductions to configuring the Destination IP Group...

Страница 117: ...complete matching its rules or check this item and the data packets will continue to match the service rules of the access control policies followed Having completed configuring this page you have to...

Страница 118: ...d then it needs to cooperate with ingress rule As to the detailed introduction to ingress rule please refer to Section 4 10 Ingress Rule 7 1 2 2 Web Filter Web Filter covers the configurations of HTTP...

Страница 119: ...DISABLE Click this button to list all the valid URLs and hide all the invalid URLs Default Action Select Allow or Deny to configure the default action of the current access control policy to the HTTP...

Страница 120: ...iguring this page you have to click the OK button to save the settings Advanced Filter Advanced Filter functions specifically for URL filtering of HTTP POST controlling the process of logging in or po...

Страница 121: ...filter rules that are not in the above rule list This item functions in association with the valid URL s configured above Only allow login POST Select this item and it only allows login to WEBMAIL an...

Страница 122: ...Ls Copy HTTP URL Filter Click this button and the HTTPS URL Filter page will copy the configurations in HTTP URL Filter Basic Filter page so as to create the same rules without configuring them one by...

Страница 123: ...e filtering function for Search Engine and HTTP Upload Keyword Filter Check this item to activate the keyword filtering rules configured under it The configuration page is as shown below Search Engine...

Страница 124: ...elected keyword s as Deny Disable Click this button to undo the Deny selection Having completed configuring this page you have to click the OK button to save the settings HTTP Upload HTTP Upload Confi...

Страница 125: ...h BBS the access control policy will filter the limited file type s Upload Check this item to enable the function of filtering the to be uploaded file types Except checking the Upload item to achieve...

Страница 126: ...ding MP3 or movie file the access control policy will filter these files Operating procedures are similar to those of Upload for details please refer to the related sections above The rules configured...

Страница 127: ...h the help of ActiveX Filter rule Any ActiveX control will be required with signature and the untrusted plug in will be unable to be installed into the LAN computers In this way security of the local...

Страница 128: ...eX control If the ActiveX control has no signature it will be filtered Block altered ActiveX Check this item and the access control policy will inspect whether the signature of the ActiveX control is...

Страница 129: ...in it will be filtered It should be noted that the keyword configured here does not support wildcard characters length of each keyword within 64 bytes and total keywords within 32 Only Allow the Follo...

Страница 130: ...ites Not filter ActiveX controls downloaded from the following websites You can add the websites among those in the white list group which will not be filtered The access control policy will not filte...

Страница 131: ...e script filtering function and the built in internal rules will take effect functioning for controlling the illegal scripts SANGFOR IAM gateway device can filter JavaScript and VBScript Script Filter...

Страница 132: ...mpleted configuring this page you have to click the OK button to save the settings 7 1 2 3 Email Filter 7 1 2 3 1 Send Receive Mail Email Filter mainly is used for limiting monitoring filtering the se...

Страница 133: ...n will allow the LAN users to send or receive emails only through the email addresses with the vpn com cn suffix Deny emails containing the following keywords in title or content and Deny emails conta...

Страница 134: ...m delay and audit whose suffix is vpn com cn Except the above settings you can also define the Mail size and Attachment number of the emails that should be audited Email contains the following keyword...

Страница 135: ...er Address authentication must not be shorter than 3 characters otherwise the audited emails will fail to be audited 7 1 2 4 SSL Management SSL Management controls the LAN users to visit certain websi...

Страница 136: ...allowed to be accessed This is what is called as the White list Deny expired certificate Check this item and it will verify whether the certificate has expired If it has expired the LAN user then cann...

Страница 137: ...encrypted contents are to be audited or controlled one entry domain name per row If it is left blank no SSL application will be identified Control SSL transferred content Check this option and the SSL...

Страница 138: ...payment etc 7 1 2 5 Application Audit Application Audit helps monitoring the Internet access information and records of the LAN users including configuration of Audit Option and Outgoing File Alarm 7...

Страница 139: ...SANGFOR IAM v2 1 User Manual 138 Audit Option falls into the following aspects Application Behavior Audit Records all the behaviors of the LAN users on the Internet...

Страница 140: ...page It is only applicable to the webpage containing the configured keyword s Enable Disable Select it to enable or disable the audit function over web content The audited items fall into Audit titles...

Страница 141: ...Application Audit Audit all identifiable application behaviors All the options under Application Content Audit below are not included here If you want to record the chat content details through the e...

Страница 142: ...rm All Alarm Encrypted Click it above below the file type list to configure the Alarm Option of the selected file type s Enable Disable Click it above below the file type list to configure whether to...

Страница 143: ...al library and then click OK The access control policy will identify the application according to the features of this specific file type Customize file types extension ident Type the file type name i...

Страница 144: ...x which are separated from each other with an English comma Set administrator email address for this policy Check this option and type the receiver of the alarm emails To successfully send the alarm e...

Страница 145: ...m One log only records the detailed information of at most one file and the general alarm information of other file s If the outgoing file is delivered through email its eml format attachment will be...

Страница 146: ...t access to the Internet through the IAM gateway device As to the configuration of a schedule please refer to Section 4 5 Schedule Max Online Duration Per Day Configures the online duration in unit of...

Страница 147: ...ions of a single IP address reaches the threshold configured here the session connection request will be denied Having completed configuring this page you have to click the OK button to save the setti...

Страница 148: ...the needed ingress rule s Delete Click it to delete the selected ingress rule s Having completed configuring this page you have to click the OK button to save the settings 7 1 2 8 Risk Ident Risk Ide...

Страница 149: ...fied options are High Medium Low and Disable Outgoing Email Identification Configures the options to identify and block outgoing email anomaly Identification can be based on the number of same sized e...

Страница 150: ...ion Sensitivity To have Outgoing Email Identification function work you have to enable Email Audit and configure the corresponding options For details please refer to Section 7 1 2 5 Application Audit...

Страница 151: ...the list to remove a selected application from the list just click the application and then click the Delete button Reminder Time Configures the online time duration If a user uses up the allowed onli...

Страница 152: ...ow speed exceeds certain Kbps the IAM gateway device will remind the user of it Type a value ranging 0 60 in the Statistics Period text box 0 but the averaged flow is not 0 indicates that the user wil...

Страница 153: ...s continue to match the rules of the access control policies followed In other rule modules it takes the first rule as the final when matching the access control policy These rule modules include Acce...

Страница 154: ...ptions The configuration page is as shown below 7 2 1 New User Authentication New User Authentication configures the default policy that is applicable to the users not included in the member list It c...

Страница 155: ...v2 1 User Manual 154 Select All Inverse Click it to select the needed new user policy Move Up Move Down Click it to move up or move down the selected new user policy Add Click this button to add a new...

Страница 156: ...st name as new user Automatically add the new user to the user list taking the host name of this user as its user name Get authenticated on server password required Authentication is made through the...

Страница 157: ...ess control policy Taking the IP address as user name or taking host name as the user name requires the IAM gateway device binding at least with one IP address or MAC address of the user If the IAM ga...

Страница 158: ...ork The configuration page is as shown below 7 2 2 1 Active Directory SSO When the host of the user logs in to the active directory server not for the first time it will automatically passing the WEB...

Страница 159: ...e third one is to allocate SSO script by the domain controller and to send logon logoff information to the IAM gateway device The last SSO should have the help of a listening port to intercept the act...

Страница 160: ...ill enable the user to logoff from the IAM gateway device when it is logging off 7 2 2 1 3 Configure Logon Script Program Logging in to the domain controller click Start Program Administrator Tool Man...

Страница 161: ...SANGFOR IAM v2 1 User Manual 160 Right click the to be monitored directory in the pop up window and click Properties as shown below Select Group Policy and then Default Domain Policy as shown below...

Страница 162: ...ser Manual 161 Then click User Configuration Windows Settings Scripts Logon Logoff in the pop up Group Policy Object Editor as shown below Double click Logon item and the Logon Properties dialog appea...

Страница 163: ...SANGFOR IAM v2 1 User Manual 162 Click the Show Files button and a directory is opened Save the logon exe script file into this director and close the window...

Страница 164: ...s close all the Group Policy Object Editor etc Having completed configuring the logon script you have to click Start Run and type the gpupdate and click the OK button to have the group policy configur...

Страница 165: ...GFOR IAM v2 1 User Manual 164 Under the pop up Logoff Properties dialog click the Show Files button to open a directory and save the logoff script that is the logoff exe file And then close the direct...

Страница 166: ...address 10 251 251 251 Then close the related configuration dialog page one by one Having completed configuring the logoff script you have to click Start Run and type the gpupdate and then click the O...

Страница 167: ...ion is enabled and that the user logs in to the domain controller through its computer To use monitoring mode check Use monitoring mode and type the IP address and port of the domain controller in the...

Страница 168: ...ironment of the POP3 authentication is as shown in the following figure If both the POP3 server and PC are in the local area network the authentication data will not be forwarded to the IAM gateway de...

Страница 169: ...tication in IAM Authentication Options page Other Authentication Options and entitle the user s root group the privilege to access the POP3 server 7 2 2 3 WEB SSO Enable Web SSO Check this option to e...

Страница 170: ...the user is identified as a success or a failure If you have checked Keyword indicating success and the keyword is contained in the return results of POST the authentication would be regarded as a su...

Страница 171: ...then associate the IP address and the user according to the intercepted information of Proxy authentication 7 2 2 4 2 Network Environment Typical topology environment of Proxy authentication is as sh...

Страница 172: ...ted over the network which helps to achieve single sign on Check If login data does not go through the device please set listening mirror port which should be idle and select an idle network interface...

Страница 173: ...this list but have checked None for Authentication Method please refer to IAM Organization Structure Edit User page Advanced Settings User Attribute or Section 7 4 5 Edit User or some users have enab...

Страница 174: ...e will be redirected to the user defined page Go to user ranking page If the LAN user gets authenticated successfully the Web page will be redirected to a ranking statistics page of the internal Data...

Страница 175: ...anual 174 7 2 5 SNMP Option SNMP Option helps to achieve Internet access through binding MAC or binding IP and MAC address when a layer 3 switch exists in the networking environment The configuration...

Страница 176: ...8 30 245 00 0f e2 59 0c 1f 1 3 6 1 2 1 3 1 1 2 public Having completed configuring the page you have to click the OK button to save the settings If you enable and configure SNMP Option the layer 3 swi...

Страница 177: ...is excepted Check this option and the privileges of root group on various service and applications HTTP service excluded are also available for the users who have not yet gotten authenticated With Pa...

Страница 178: ...installed automatically the user can also click the link Ingress Client to download and manually install the Ingress Client 7 3 Authentication Server Authentication Server Configures the third party...

Страница 179: ...page appears as shown below Server Type Select the needed server to open the corresponding settings 7 3 1 LDAP LDAP server supports Microsoft SGtive Directory SUN LDAP and OPEN LDAP server You can sel...

Страница 180: ...essary please turn to the system administrator of LDAP server for detailed configuration guide to this page Server Name can only contain English characters Otherwise you may fail to import the AD user...

Страница 181: ...figuration guide to this page 7 3 3 POP3 POP3 server configuration page is as shown below You can configure the IP address Authentication port and Timeout for the POP3 server 7 4 Organization Structur...

Страница 182: ...or subgroup Access Control Policy Displays the associated access control policy policies of the current root group subgroup or user No Sequence number of this member in the current group Type Type of...

Страница 183: ...h Search Click this button and set the specific conditions to search for user s or user group s among the existing subgroup and users as shown below in this example it searches for all the subgroups a...

Страница 184: ...nditions to find a needed group or user The advanced search conditions are Authentication Method Other Option and Sort By Search Click this button to have the matching subgroup s or user s displayed i...

Страница 185: ...iguration page is as shown below Group Name Group Name List Configures the name or name list of the subgroup or subgroups Group Path Configures the path of parent group of the to be created subgroup I...

Страница 186: ...oup button and follow the instructions to add subgroup For instance to add a subgroup for the 2222 you have to click 2222 on the left tree and then click the Add Subgroup button The hierarchic structu...

Страница 187: ...ection Add User Click this button to add user s for the current group For detailed configuration please refer to the next section Multi Edit Click this button to edit the items that all of the selecte...

Страница 188: ...configuration page of its upper level group Export Click it to export the structure or the members of the current group for the purpose of saving them The exported information includes the properties...

Страница 189: ...nd import functions are only available for the subgroup members User members cannot be exported or imported like that for different users on the SANGFOR gateway cannot have a same name while group can...

Страница 190: ...o the policy list As to the configuration of the access control policy please refer to Section 7 1 Access Control Policy Move Up Move Down Click it to move up or move down the selected access control...

Страница 191: ...led introductions and notes please refer to Section 7 1 Access Control Policy 7 4 4 Edit User Under the Member List page click the Add User button to add user s The configuration page is as shown belo...

Страница 192: ...ated user If Multiple users is selected you cannot configure the Display Time bind IP or MAC address or create DKEY authentication user The configuration page is as shown below Having completed config...

Страница 193: ...is added successfully and the new user is listed in the Member List 7 4 5 Edit User Under the default configuration page of Member List click the name of a user to get into the configuration page of...

Страница 194: ...device Options are Bind IP Bind MAC Bind both IP and MAC and No binding If No binding is selected you have to configure an authentication method Password Dkey or Only allow SSO You can click Format I...

Страница 195: ...ange respectively Get from IP group Click it to select an already defined IP group as to the configuration of IP group please refer to the relevant part in Section 4 5 Schedule Clear List Click it to...

Страница 196: ...e the device will scan and get the MAC addresses of these IP addresses Clear List Click it to clear all the MAC addresses in the list The local device scans the MAC addresses of the configured IP addr...

Страница 197: ...owed as shown below To add IP MAC address you can directly enter the IP MAC address in the Binding text box or click Scan MAC address Scan MAC address Click it and select scan object Single IP IP rang...

Страница 198: ...Binding No binding indicates not binding with any IP address or MAC address If this item is selected you then have to configure at least one Authentication Method The Authentication Method configurati...

Страница 199: ...cture list the user groups Click OK to add the needed and selected user group Click Cancel to give up selecting the user group 7 4 5 3 Authentication Method Authentication Method includes four options...

Страница 200: ...multiple Password authentication methods to verify a user Matching one of the authentication methods will have the user username get authenticated DKEY Indicates that the user s identity is verified...

Страница 201: ...t to Write Dkey Click this button to generate the DKEY None Indicates that user need not enter the WEB username and password to get authenticated If this option is selected at least one of the binding...

Страница 202: ...is user will get invalid If more than one Password authentication methods Custom password LDAP authentication RADIUS authentication and POP3 authentication are checked identity will be authenticated f...

Страница 203: ...key if the DKEY is to prevent monitoring to generate the DKEY you must check Enable monitor free Dkey Enter the IP address of the IAM gateway device in the IE browser and press the Enter key and the I...

Страница 204: ...ol policy for an individual user Under the Edit User default configuration page click Access Control Policy and the corresponding options appear as shown below The configuration of access control poli...

Страница 205: ...other by a vertical bar including the case that the field is blank If one field has several values such as several IP addresses they are separated from each other by a comma Option Check When a user...

Страница 206: ...rs according to Single IP IP range or Subnet Filling in the corresponding information you can click the Scan button and the host name IP and MAC addresses will be displayed in the Content table Or cli...

Страница 207: ...domain server to the IAM gateway device and for realizing the automatic synchronization of the user and organization structure of the domain server Presently this function only supports MS SGtive Dir...

Страница 208: ...iew Sync Report Click it to view the LDAP synchronization report Refresh Click it to refresh manually and view the synchronization status 7 6 1 Sync by LDAP Organization Structure Sync by LDAP organiz...

Страница 209: ...e Select button to view the organization structure in unit of OU of the domain server and select a needed OU Filter Configures the filtering condition for synchronization according to the domain param...

Страница 210: ...me Displays the time of the latest synchronization and whether it synchronized successfully Having imported successfully the organization structure and the users into the IAM gateway device the group...

Страница 211: ...ifference that the selected and imported Import Remote Target are the security groups of the domain server 7 6 3 View Sync Report Each synchronization option of Active Directory will produce its own s...

Страница 212: ...enerated Sync Status Displays whether it is a successful synchronization Clear Click this button to clear all the reports recorded Each synchronization mode supports maximum 10 synchronization policie...

Страница 213: ...log out Block For Click it and configure the time You can block the selected online user to get online for some time Search Conditions Configures the filtering conditions on searching for user s Sear...

Страница 214: ...locked user s including No Login Display Name Authentication Method Group IP Address Blocking form and Left Blocking Time Unblock Click this button to unblock the selected blocked user s Having been u...

Страница 215: ...applications and limit the uplink downlink bandwidth as well Besides you can create specific policy according to the service user guaranteed bandwidth and maximum bandwidth Sub channel can also be bui...

Страница 216: ...es what bandwidth channels are to be displayed Options are All and Running channels History Info Configures the time period during which the flow and speed statistics are made and displayed in the lis...

Страница 217: ...idth Displays the guaranteed bandwidth that the IAM gateway allocates for the channel Max Bandwidth Displays the maximum bandwidth configured on the IAM gateway device Priority Displays the priority o...

Страница 218: ...orresponding bandwidth channel s displayed in the bandwidth channel list 8 2 1 Bandwidth Channel SANGFOR IAM bandwidth management BM module offers bandwidth allocation function to configure assured ba...

Страница 219: ...are matched from top to bottom 8 2 1 1 Add Bandwidth Channel Click the Add Parent Channel button and the Edit Bandwidth Channel configuration page appear as shown below Channel Name Type one more name...

Страница 220: ...on is selected you need then select an Application Type and a specific Application If Website is selected you need then select a Website Type from the internal library If File is selected you need the...

Страница 221: ...or Limited channel If the selected one is Guaranteed channel this policy will guarantee the user with the minimum bandwidth if the selected one is Limited channel this policy will limit the bandwidth...

Страница 222: ...imit of uplink downlink bandwidth width or rate of this bandwidth channel Or select Limited channel and the following items appear as shown below Bandwidth Allocation Policy Configures the bandwidth f...

Страница 223: ...heck the advanced option the external IP address node will be taken as one member of the LAN users nodes that is to say the Allocation Policy and Max Bandwidth Per IP will also be applied to the exter...

Страница 224: ...th Channel to add a sub channel The rate configured and bandwidth calculated and allocated for the sub channel child channel are based on its parent channel the total bandwidth will never exceed that...

Страница 225: ...he Edit Bandwidth Channel page and edit this bandwidth channel policy Enable Disable Delete Select one or more bandwidth channels and then click Enable Disable or Delete button to enable disable or de...

Страница 226: ...flow from top to bottom To edit multiple bandwidth channels at the same time you have to first select the needed bandwidth channels and then select a template Click the Edit button and the configurati...

Страница 227: ...figuration page is as shown below Click the Add button to enter the Exclusion Policy configuration page and add a new exclusion policy as shown below Name Type a name for this exclusion policy Applica...

Страница 228: ...ndwidth configuration The configuration page is as shown below Bandwidth configuration can be in unit of Kbps and Mbps Under the Bridge mode the virtual line will be automatically enabled Maximum 4 vi...

Страница 229: ...rtual line and the total bandwidth of the all the virtual lines must NOT be more than the total bandwidth of the physical line One IAM gateway device supports maximum 4 virtual lines The configuration...

Страница 230: ...rnet devices connecting to the front end of the IAM gateway device and the gateway mode of the IAM gateway device is Bridge mode Multi Bridge Configure the virtual line rule s according to certain pol...

Страница 231: ...ransmission options are All TCP UDP ICMP and Others Select TCP or UDP and then you have to configure LAN Port and WAN Port select Others and you have to configure Protocol Number LAN Port WAN Port Con...

Страница 232: ...SANGFOR IAM v2 1 User Manual 231 Maximum 4 virtual lines are supported by one IAM gateway device Virtual Line configuration is only available for Bridge mode...

Страница 233: ...gs and Sending Attempts Click Delayed Email Audit or Email Audit Policy the Edit Audit Policy configuration page appears as shown below Timeout Configures the timeout for audit It is 1 hour by default...

Страница 234: ...nal Data Center 9 3 Unaudited Email Search By Select an object Group User or IP address Then click the Search button to have the matching unaudited emails listed Click Download to view the contents of...

Страница 235: ...ion Ranking Connection Monitoring and Behavior Monitoring Flow Ranking Displays the real time flow information caused by the LAN users getting access to the Internet Connection Ranking Displays the nu...

Страница 236: ...time flow information caused by the LAN users getting access to the Internet You can obtain the host name of an IP address and block the selected user s to get access to the Internet The page is as sh...

Страница 237: ...ally refresh the data You can click Save Preference to save the settings and facilitate you to view your preferred statistics displayed by default next time Stop Refresh Click this button to have the...

Страница 238: ...Blocked and then click the Search button To unblock a user just select the user and then click the Unblock button Click the Auto Update button and you will see that there is flow caused by the unblock...

Страница 239: ...address has established with the external networks It only displays the top 200 connection rankings IP addresses Under the Connection Monitoring page enter an IP address and click the Search button t...

Страница 240: ...system automatically delete the audit logs Options are Delete the audit logs that were generated _ days ago automatically When the size of logs exceeds _ of the partition delete the logs of the first...

Страница 241: ...ing domain name ensure that the IAM gateway device can parse the domain name the IAM gateway should be able to access the Internet Data Sync Account Data Sync Password Enter the account name and passw...

Страница 242: ...Web Port Configures the port through which the external Data Center provides WEB services Click the Enter External Data Center http IP PORT varies with IP address and port to enter the login interfac...

Страница 243: ...you to log in to the internal Data Center of the IAM gateway device as the present user to search for the logs and make statistics in real time Click the Internal Data Center button to log in to the D...

Страница 244: ...and search among massive data records in the Data Center will consume large resources it is recommended NOT to have the internal Data Center store large amount of data If your networking produces mas...

Страница 245: ...configuration page is as shown below 11 1 System Logs System Logs displays the running information of each function module of the IAM gateway device With the help of these logs you can tell whether ea...

Страница 246: ...5 define the display of the system logs as shown below Having completed defining the Display Options and Filter Options you have to click the OK button and then click the Refresh button to apply the n...

Страница 247: ...packet for what reason so as to locate the configuration mistakes made on certain module or test whether some rules is taking effect or not The page is as shown below Check the Set Conditions to view...

Страница 248: ...will the denied information be recorded Click Enable Drop List to enable the Drop list all the access control policies configured on the IAM gateway device are taking effect and the packets applicabl...

Страница 249: ...ich caused faults such as network disconnection etc and therefore helps the network administrator to quickly correct the configurations Close Drop List Click this button to close the Drop list and dis...

Страница 250: ...icy troubleshooting The configuration page is as shown below Capture Packets Configures the total number the packets to be captured Simple capture unknown flow Select this item and configure the condi...

Страница 251: ...the Stop capturing button to have it stop capturing the data packets And then you will see a captured file with the file extension pcap in the Capture File List as shown below Click View to open the C...

Страница 252: ...ails to view the detailed data loaded by the data packets as shown below Advanced TCPDUMP Select this item and configure the conditions such as network interface and TCPDUMP filter expression which he...

Страница 253: ...l 252 Click the Delete button to delete a selected captured file or click Download to save the file into a specified file path of the local computer This captured file can be opened by the software su...

Страница 254: ...arm function This is an overall switch for the alarm function only with which will the email alarm function take effect Alarm Events Includes Disk Space Alarm Bandwidth Alarm Attack Alarm Antivirus Al...

Страница 255: ...ing the rules configured on the firewall module as the firewall module decides whether to allow or deny the data packet only according to the destination address and port To have the firewall module f...

Страница 256: ...be detected however that will surely slower down the processing speed of the IAM gateway device It is recommended to fill in the IP addresses of some relevant proxies To ensure the data go through th...

Страница 257: ...ebpages Select this option and it will not record URL in detail but only the root of the URL If you want to have it record the full URL DO NOT select this option Record all visited webpages Select thi...

Страница 258: ...options are checked these two URL filter rules are of OR relationship That is to say if either of them is satisfied the URL will not be audited recorded A prefix matches a URL from the first characte...

Страница 259: ...resses that are involved in the exclusion rule the firewall rule has higher priority As the IP address of IM instant message server may vary from time to time it is impossible to absolutely free the I...

Страница 260: ...ponding prompt page will not pop up Edit Page There are codes of some pages provided by the IAM gateway device You can modify the codes to define the prompt page You are recommended to only modify the...

Страница 261: ...the Iceland provider F PROT that has high detection rate and effectiveness The internal virus library of the IAM gateway device updates together with the virus library of F PROT generally in 1 2 days...

Страница 262: ...ction gets expired the virus library can neither be updated automatically nor be updated manually though the antivirus function still works POP3 antivirus and SMTP antivirus is realized by the proxy f...

Страница 263: ...nalyzing its true use and therefore decide whether to allow the data packets get into the local area network This section mainly introduces the parameters and the configuration of the intrusion protec...

Страница 264: ...v2 1 User Manual 263 Defense Level There are three levels of defense rules provided by the SANGFOR IAM gateway device High Medium and Low Select a level according to the actual security need of your...

Страница 265: ...ta transmission among WAN LAN and DMZ zones against attacks according to your case They are all enabled by default Defense ability of High Medium and Low is in descending order In general it is recomm...

Страница 266: ...orresponding IPS rule If it happens that some legal and common applications are misjudged by the intrusion protection system select a lower defense level Procedures are select a rule and click the Edi...

Страница 267: ...ow Stop Service Click this button to stop the VPN service temporarily 13 3 2 Basic Settings Basic Settings covers the VPN connection related configurations such as Webagent information MTU Minimum com...

Страница 268: ...e the shared key and prevent illegal device from connecting in If it has multiple lines and the IP address es is static IP the format of Webagent can be IP1 IP2 port If the Webagent password gets lost...

Страница 269: ...Indirectly connect If the Internet IP address can be obtained directly or the Internet users can access the VPN port of the IAM gateway device with DNAT destination translation function select Directl...

Страница 270: ...er to enable hardware authentication DKey and virtual IP The default configuration page is as shown below Click the Check Dkey button to inspect whether the DKey has inserted into the USB port of the...

Страница 271: ...t and save the users information of this IAM gateway device to the local computer You can decide whether to export it as Plaintext or as Cipher text The dialog is as shown below Click the New Group bu...

Страница 272: ...group attributes User Group is only available when there is a user group existing please create user group first If Use Group Attribute is checked the Algorithm Enable My Network Places and LAN Privil...

Страница 273: ...the data to be transmitted between the IAM gateway device and the user according to the selected algorithm This is a unique technology of SANGFOR VPN It will take the best advantage of the bandwidth i...

Страница 274: ...nd configuration options to manage these nodes These configurations are available in Connection Management page Connection Management function is only necessary when the local device need connect to o...

Страница 275: ...nnection Primary Webagent Secondary Webagent Type the primary and secondary Webagent of the to be connected VPN headquarters Click the Test button followed to check the availability of the Webagent Th...

Страница 276: ...rters and the branch VPN apply different Internet service providers ISP and these different links cause frequent packet loss this option is recommended to be checked You can also configure the network...

Страница 277: ...e IP completely the same with those fulfilled as a VPN headquarters LAN user For instance a mobile VPN user can visit any LAN computer of the VPN headquarters though its computer does not direct its g...

Страница 278: ...pe the start IP and end IP The dialog is as shown below Click the Advanced button to open the Advanced Setting configuration dialog enter DNS WINS server address and the mask of virtual IP that is to...

Страница 279: ...Use the following DNS server addresses otherwise the addresses configured in Advanced will not be allocated to the virtual network adapter of the mobile VPN user s computer 13 3 6 Multiline Settings...

Страница 280: ...If your networking has multiple lines connecting to the external network check Enable Multiline and then add the line Click the New button to enter the Edit Multiline page and add a new line the confi...

Страница 281: ...t is an ADSL or Dial up line the Testing DNS can be left blank As to the Preset Bandwidth the uplink and downlink bandwidth must be coherent to the actual bandwidth Under the default configuration pag...

Страница 282: ...ion port etc For example the Branch1 172 16 1 0 24 need visit the FTP server IP 192 168 1 20 of its headquarters We are to configure a multiline routing policy so as to have the data packets from Bran...

Страница 283: ...Settings configuration dialog configure the IP addressed and ports and select a protocol as shown below Protocol Select a protocol for data transmission In this example it is TCP Source IP Type a LAN...

Страница 284: ...ts Under the Edit Multiline Routing Policy page select Bandwidth stacking and check the Advanced button to enter the Advanced Settings page as shown below Select the needed line for data transmission...

Страница 285: ...ay device and the branch VPN users also need to visit other subnets of this network the VPN headquarters For example there are two subnets 192 200 100 x and 192 200 200 x We are to configure the Local...

Страница 286: ...onfiguration function You can configure route for the VPN tunnels to achieve interconnection among different VPNs software hardware and establish a true web like VPN network The Tunnel Route default c...

Страница 287: ...to the user that is used to establish the VPN connection with the headquarters that is the user selected in the VPN Settings Connection Management Edit Connection configuration dialog It determines t...

Страница 288: ...Enable Tunnel Route and click the New button to add a route directing to the Shanghai branch as shown below Source Subnet Configures the network ID of the source subnet In this example it is 10 1 1 0...

Страница 289: ...s the mask of the source subnet In this example it is 255 255 255 0 Destination Route User Configures the VPN device to which this tunnel route directs indicating the corresponding username selected i...

Страница 290: ...Device List Device List can enable the SANGFOR IAM gateway device to connect with a peer VPN to establish a standard IPSec connection It is the first phase of negotiation of the standard VPN protocol...

Страница 291: ...SANGFOR IAM v2 1 User Manual 290 Click the Advanced button to view the advanced settings The configuration dialog is as shown below...

Страница 292: ...ser Manual 291 13 3 10 2 Security Option Security Option configures the parameters used for establishing standard IPSec connection This is the second phase of IPSec negotiation The configuration page...

Страница 293: ...er device The policy includes the rules of Protocol AH or ESP Authentication Algorithm MD5 or SHA 1 and Encryption Algorithm DES 3DES or AES Click the New button and the Security Option appears as sho...

Страница 294: ...h applies a different policy you then have to add the policy of each device to the security potion list i e create the corresponding policy for each device 13 3 10 3 Outbound Policy Outbound Policy co...

Страница 295: ...Manual 294 13 3 10 4 Inbound Policy Inbound Policy configures the rule used for data transmission from the peer device to the local device Click the New button and the corresponding Policy Settings a...

Страница 296: ...SANGFOR IAM v2 1 User Manual 295...

Страница 297: ...source IP addresses allowed to connect in out by the local VPN device are those that are included in both the Source IP configured in the inbound outbound policy and the Source IP Range referenced by...

Страница 298: ...ion dialog appears as shown below In this example the Office hours is the enabled time period which means the rule will take effect during this period if it has referenced this schedule Having complet...

Страница 299: ...d with some encryption algorithms and authentication algorithms such as MD5 SHA 1 DES 3DES AES SANGFOR_DES You can also add some other authentication or encryption algorithms If necessary please conta...

Страница 300: ...rvice so as to ensure the security of the VPN channels and achieve secure management Generally speaking there are two steps to configure the privilege of the user to access LAN service a create LAN se...

Страница 301: ...ox and check the protocol in this example it is FTP service using TCP protocol Step 2 Click the New button to configure the IP ranges The configuration dialog is as shown below Source IP Fill in the s...

Страница 302: ...ser Here you are just defining the LAN services After these configurations you have to go to Security VPN Settings User Management to create an account new user and then configure the LAN Privilege to...

Страница 303: ...er 172 16 1 200 can only access the FTP server 192 168 1 20 and the requests initiated by other IP address of that local area network will be denied These configurations also disable the access reques...

Страница 304: ...ity no such a physical interface is seen 13 3 12 3 LDAP Server The VPN service of SANGFOR IAM gateway supports LDAP authentication through a third party If you need to have a third party to fulfill LD...

Страница 305: ...in server you can click the Advanced button to open the Advanced Settings dialog The configuration dialog is as shown blow Configure these settings according to your case 13 3 12 4 Radius Server The V...

Страница 306: ...features of this device and is then encrypted Due to the uniqueness of the device hardware the corresponding certificate is also unique and cannot be counterfeited Through this way requiring authenti...

Страница 307: ...d are Current status of DHCP service Allocated IP Addresses Host Name and MAC Address Click the Refresh button to refresh the status 14 2 DHCP Settings DHCP settings are detailed parameters of the DHC...

Страница 308: ...neither of the DNS is configured no DNS will be allocated to the client end s computer WINS is up to your specific application being filled in or left blank DHCP IP Ranges Type the start IP and end I...

Страница 309: ...that the DHCP IP ranges configured here must not conflict with the static IP addresses of other working LAN computers Generally the IP address in the DHCP IP range list must not be the IP address who...

Страница 310: ...izard Configuration Wizard introduces the flow and steps of the basic configurations with link to configuring a specific module Just click the item in blue to directly get into the corresponding confi...

Страница 311: ...teway restoration system In addition the gateway restoration system can be used to inspect the running state of the network interface and configuration of the routing as well as to modify the working...

Страница 312: ...in the figure below Search It will automatically search for the SANGFOR gateway devices in the local area network as long as there is no routing devices between the local computer and the IAM gateway...

Страница 313: ...ed for updating the kernel Firmware of IAM and the latter Restore Default Configuration for restoration of the default configuration These operations will update the key document of the device or will...

Страница 314: ...please contact the technicians of SANGFOR for instructions Brief update procedures are Step1 Upload the corresponding update package to the Gateway Client Updater Step2 Log in to the Gateway Client Up...

Страница 315: ...Update Update Firmware be clicked Download Please visit the SANGFOR official website www sangfor com to download the corresponding update package Tools Submenus are Ping Route Table ARP Table Network...

Страница 316: ...lete Local Records as shown in the following figure View Gateway History View the update log of the IAM gateway device View Local Records View the update log of the local Gateway Client Updater Delete...

Страница 317: ...the default configurations need to be restored log in to the device and click Update Restore Default Config To update the Firmware kernel of the SANGFOR gateway device please DO follow the instruction...

Страница 318: ...t Transfer Protocol ICMP Internet Control Message Protocol IM Instant Message IP Internet Protocol IPS Intrusion Prevention System ISP Internet Service Provider LAN Local Area Network LDAP Lightweight...

Страница 319: ...SANGFOR IAM v2 1 User Manual 318 UI User Interface URL Uniform Resource Locator VID VLAN ID VLAN Virtual Local Area Network...

Результаты поиска

Содержание IAM 2.1

Отзывы:

Похожие инструкции для IAM 2.1

Бренды по названию

Популярные бренды

Sangfor IAM 2.1, Руководство пользователя

Результаты поиска

Содержание IAM 2.1

Отзывы:

Похожие инструкции для IAM 2.1

Бренды по названию

Популярные бренды