SonicWALL TELE3 SP Скачать руководство пользователя страница 110 | Manualshive

Страница: 110 / 210

background image

SonicWALL VPN Page 109

NAT Traversal Support

VPN

NAT Traversal

is an Internet Draft proposed to IETF (Internet Engineering Task Force)

to overcome problems faced when IPSec traffic is intended to pass through a NAT device.

NAT

Traversal

addresses the issue of UDP (User Datagram Protocol) encapsulation and addresses

the traffic problem by wrapping an IPSec packet inside a UDP packet when a NAT or NAPT
(Network Address Port Translator) device is detected between peers.
Encapsulation of the IPSec packet requires decapsulation of the IPSec packet. Since ESP-
protected packets are exchanged between IKE peers using one of three methods, gateway to
gateway, client to gateway, and client to client, the IKE peers must support the same method
of UDP encapsulation. IKE peers exchange a known value to determine if they both support

NAT

Traversal

. If the IKE peers agree, IKE probes or discovery payloads are used to

determine if a NAT or NAPT device is present. Only if a NAT or NAPT device is detected is UDP
encapsulation is used for IPSec packets.

NAT/NAT Traversal

devices use dynamic mappings where a private IP address and source

port (192.168.168.168:X) are temporarily bound to a shared public IP address and an unused
port (207.126.101.100:Y). This binding is dissolved after a period of inactivity (minutes or
seconds), enabling pool reuse.
IPSec VPNs protect traffic exchanged between authenticated endpoints, but authenticated
endpoints cannot be dynamically re-mapped mid-session for NAT traversal to work. Therefore,
to preserve a dynamic NAT binding for the life of an IPSec session, a 1-byte UDP is designated
as a “NAT Traversal keepalive” and acts as a “heartbeat” sent by the VPN device behind the
NAT or NAPT device. The “keepalive” is silently discarded by the IPSec peer.

NAT Traversal

support is transparent, but log messages are generated by the SonicWALL

when a IPSec Security Gateway is detected behind a NAT/NAPT device. The following log
messages are found on the

View Log

tab:

•

Peer IPSec Gateway behind a NAT/NAPT device

•

Local IPSec Security Gateway behind a NAT/NAPT device

•

No NAT/NAPT device detected between IPSec Security

•

Peer IPSec Security Gateway doesn’t support VPN NAT Traversal

«
...
108
109
110
111
112
...
»

Содержание TELE3 SP

Страница 1: ...SONICWALL The TELE3 SP Administrator s Guide...

Страница 2: ...or Password 24 3 Managing Your SonicWALL TELE3 SP 25 Status 27 CLI Support and Remote Management 28 4 Logging and Alerts 30 SonicWALL Log Messages 31 Log Settings 32 Log Categories 34 Alert Categories...

Страница 3: ...9 Viewing Network Access Rules 70 Services 70 Windows Networking NetBIOS Broadcast Pass Through 71 Detection Prevention 71 Network Connection Inactivity Timeout 71 Add Service 72 Rules 73 Understandin...

Страница 4: ...wo SonicWALLs 135 Example of Manual Key Configuration for Two SonicWALLs 138 IKE Configuration for Two SonicWALLs 141 Example Linking Two SonicWALLs using IKE 144 VPN Third Party Digital Certificate S...

Страница 5: ...Description 175 SonicWALL TELE3 SP Back Panel 176 The SonicWALL TELE3 SP Back Panel Description 176 14 Troubleshooting Guide 178 The Link LED is off 178 A computer on the LAN cannot access the Interne...

Страница 6: ...turned to SonicWALL with transportation charges prepaid A Return Materials Authorization RMA number must be displayed on the outside of the package for the product being returned for replacement or th...

Страница 7: ...LL IP settings time and password Chapter 4 Logging and Alerting illustrates the SonicWALL logging alerting and reporting features Chapter 5 Content Filtering and Blocking describes SonicWALL Web conte...

Страница 8: ...Port Numbers offers information about IP port numbering Appendix E Configuring TCP IP Settings provides instructions for configuring your Management Station s IP address Appendix F Erasing the Firmwar...

Страница 9: ...partners and branch offices The SonicWALL TELE3 SP uses stateful packet inspection to ensure secure firewall filtering Stateful packet inspection is widely considered to be the most effective method...

Страница 10: ...omputers to access the Internet even if only one IP address has been provided by your ISP Network Access Rules The default Network Access Rules allow traffic from the LAN to the Internet and block tra...

Страница 11: ...gories You can select the information you wish to display in the SonicWALL event log You can view the event log from the SonicWALL Web Management Interface or receive the log as an e mail file Syslog...

Страница 12: ...ion Installation Wizard The SonicWALL Installation Wizard helps quickly install and configure the SonicWALL Online help SonicWALL help documentation is built into the SonicWALL Web Management Interfac...

Страница 13: ...There are three tabs other than Status in the General section Network Time Password Network Note The Network Settings change to the dial up ISP network settings when a WAN Failover occurs on the SP T...

Страница 14: ...hree numbers as the SonicWALL LAN IP Address for example 192 168 168 Multiple LAN Subnet Mask Support Note This feature does not replace or substitute configuring routes with the Routes tab in the Adv...

Страница 15: ...If you select NAT with DHCP Client NAT with PPPoE or NAT with L2TP Client mode the SonicWALL WAN IP address is assigned automatically If you select Standard mode the SonicWALL WAN IP Address is the sa...

Страница 16: ...e SonicWALL uses the DNS servers for diagnostic tests and for upgrade and registration functionality 6 Click Update Once the SonicWALL has been updated a message confirming the update is displayed at...

Страница 17: ...icWALL 3 Enter your network subnet mask in the LAN Subnet Mask field The LAN Subnet Mask tells the SonicWALL which IP addresses are on your LAN Use the default value 255 255 255 0 if there are less th...

Страница 18: ...e changes to take effect If you enable Network Address Translation designate the SonicWALL LAN IP Address as the gateway address for computers on your LAN Consider the following example The SonicWALL...

Страница 19: ...sing Mode menu 2 Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN and is used for m...

Страница 20: ...ttings on your computers to obtain DNS name resolution In the WAN LAN Settings section of Network you can Renew and Release the SonicWALL WAN IP NAT Public Address lease When you click on Renew the So...

Страница 21: ...P assigns a specific IP address to you 8 Click Update Once the SonicWALL has been updated a message confirming the update is displayed at the bottom of the browser window Restart the SonicWALL for the...

Страница 22: ...the date NTP Settings Network Time Protocol NTP is a protocol used to synchronize computer clock times in a network of computers NTP uses Coordinated Universal Time UTC to synchronize computer clock...

Страница 23: ...t locked out of the SonicWALL Warning The password cannot be recovered if it is lost or forgotten If the password is lost you must to reset the SonicWALL to its factory default state Go to Appendix F...

Страница 24: ...sensitive Enter the password exactly as defined and click Login Note All SonicWALLs are configured with the User Name admin and the default Password password The User Name is not configurable If you...

Страница 25: ...agement interface using HTTPS you may see the following information message Click Yes to continue the login process SSL is supported by Netscape 4 7 and higher as well as Internet Explorer 5 5 and hig...

Страница 26: ...nit Number of LAN IP addresses allowed with this license number of IP addresses that can be managed by the SonicWALL Registration code the registration code generated when the SonicWALL is registered...

Страница 27: ...of your SonicWALL It contains an overview of the SonicWALL configuration as well as any important messages Check the Status window after making changes to ensure that the SonicWALL is configured prope...

Страница 28: ...WALL Restore restores the factory default settings for all saved parameters with the exception of the password the LAN IP address and the subnet mask Status displays the information typically seen on...

Страница 29: ...log which displays potential security threats This log can be viewed with a browser using the SonicWALL Web Management Interface or it can be automatically sent to an e mail address for convenience a...

Страница 30: ...er List categories are shown below Descriptions of the categories are available at http www sonicwall com Content Filter categories html ActiveX Java Cookie or Code Archive blocked When ActiveX Java o...

Страница 31: ...PP Authentication successful successfully authenticated with the dial up server PPP PPP link established connection established over the modem to the dial up server PPP Dial Up Received new IP address...

Страница 32: ...ptures all log activity and includes every connection source and destination IP address IP service and number of bytes transferred The SonicWALL Syslog support requires an external server running a Sy...

Страница 33: ...elect WebTrends however you must have WebTrends software installed on your system Log Categories You can define which log messages appear in the SonicWALL Event Log All Log Categories are enabled by d...

Страница 34: ...are enabled by default Blocked Web Sites is disabled Attacks Log entries categorized as Attacks generate alert messages System Errors Log entries categorized as System Errors generate alert messages...

Страница 35: ...frequently accessed Web sites and the number of hits to a site during the current sample period The Web Site Hits report ensures that the majority of Web access is to appropriate Web sites If leisure...

Страница 36: ...ell as content filtering using keywords N2H2 N2H2 is a third party content filter software package supported by SonicWALL You can obtain more information on N2H2 at http www n2h2 com If you select N2H...

Страница 37: ...tracking Web activities Select the Cookies check box to disable Cookies Known Fraudulent Certificates Digital certificates help verify that Web content and files originated from an authorized party E...

Страница 38: ...s to a blocked site is attempted The default message is Web Site blocked by SonicWALL Filter Any message including embedded HTML up to 255 characters long can be entered in this field URL List The URL...

Страница 39: ...download the URL List at a time when access to the Internet is at a minimum as downloading the URL List disrupts connectivity to the Internet Settings If you have enabled blocking by Filter Categorie...

Страница 40: ...s or keywords to be blocked or allowed Custom Filter You can customize your URL list to include Allowed Domains Forbidden Domains and Keywords By customizing your URL list you can include specific dom...

Страница 41: ...e the keyword has been removed a message confirming the update is displayed at the bottom of the browser window Note Customized domains do not have to be re entered when the Content Filter List is upd...

Страница 42: ...ustom and keyword lists The Log Only check box allows you to monitor inappropriate usage without restricting access Log and Block Access Select the check box and the SonicWALL blocks access to sites o...

Страница 43: ...access must be 192 168 168 168 iAccept html and the link for filtered access must be 192 168 168 168 iAcceptFilter html where the SonicWALL LAN IP Address is used instead of 192 168 168 168 Consent Ac...

Страница 44: ...ndow Add New Address The SonicWALL can be configured to enforce content filtering for certain computers on the LAN Enter the IP addresses of these computers in the Add New Address field and click Subm...

Страница 45: ...s are proven fraudulent then the SonicWALL blocks the Web content and the files that use these fraudulent certificates Known fraudulent certificates blocked by SonicWALL include two certificates issue...

Страница 46: ...entation for details on configuring N2H2 Internet Filtering for your network N2H2 Server Status This section displays the status of the N2H2 Internet Filtering Protocol IFP server you are using for In...

Страница 47: ...lue for timeout of the server is 5 seconds but you can enter a value between 1 and 10 seconds If the N2H2 server becomes unavailable select from the following two options Block traffic to all Web site...

Страница 48: ...as your source for content filtering Restrict Web Features Select any of the following applications to block Block ActiveX ActiveX is a programming language that embeds scripts in Web pages Malicious...

Страница 49: ...g by pointing their computer to the proxy server Check this box to prevent LAN users from accessing proxy servers on the WAN Don t Block Java ActiveX Cookies to Trusted Domains Select this option if y...

Страница 50: ...lter List Server Port Enter the UDP port number for the SonicWALL to listen for the Websense Enterprise traffic The default port number is 15686 User Name To enable reporting of users and groups defin...

Страница 51: ...d consult your Websense documentation for more information If Server is unavailable for 5 secs If the Websense Enterprise server becomes unavailable select from the following two options Block traffic...

Страница 52: ...perform several diagnostic tests There are four tabs in the Tools section Restart Preferences Firmware Diagnostic Restarting the SonicWALL Click Tools on the left side of the browser window and then c...

Страница 53: ...ve the SonicWALL settings and then retrieve them later for backup purposes SonicWALL recommends saving the SonicWALL settings when upgrading the firmware The Preferences window also provides options t...

Страница 54: ...file on your computer and retrieve it for later use 1 Click Export in the Preferences tab 2 Click Export again to download the settings file Then choose the location to save the settings file The fil...

Страница 55: ...t the SonicWALL for the settings to take effect Note The Web browser used to Import Settings must support HTTP uploads Microsoft Internet Explorer 5 0 and higher as well as Netscape Navigator 4 0 and...

Страница 56: ...Updating Firmware The SonicWALL has flash memory and can be easily upgraded with new firmware Current firmware can be downloaded from SonicWALL Inc Web site directly into the SonicWALL Note Firmware u...

Страница 57: ...lable memory ROM version Options and Upgrades SonicWALL VPN Network Anti Virus Note The SonicWALL Privacy Policy is available at http www sonicwall com corporate_info privacy html for additional infor...

Страница 58: ...0 and higher as well as Netscape Navigator 4 0 and higher is recommended When firmware is uploaded the SonicWALL settings can be erased Before uploading new firmware export and save the SonicWALL set...

Страница 59: ...vides a summary of the SonicWALL firmware upgrades subscription services and support offerings You can contact SonicWALL or your local reseller for more information about SonicWALL options and upgrade...

Страница 60: ...onicWALL then queries the DNS server and displays the result at the bottom of the screen Note You must define a DNS server IP address in the Network tab of the General section to perform a DNS Name Lo...

Страница 61: ...nd Network Path requires an IP address The SonicWALL DNS Name Lookup tool can be used to find the IP address of a host Ping The Ping test bounces a packet off a machine on the Internet back to the sen...

Страница 62: ...termine if a communications stream is being stopped at the SonicWALL or is lost on the Internet To interpret this tool it is necessary to understand the three way handshake that occurs for every TCP c...

Страница 63: ...282 00 a0 4b 05 96 4a To 204 71 200 74 80 02 00 cf 58 d3 6a Client sends a final ACK and waits for start of data transfer 6 TCP sent on WAN ACK From 207 88 211 116 1937 00 40 10 0c 01 4e To 204 71 200...

Страница 64: ...2 Enter the IP address of the remote host in the Trace on IP address field and click Start You must enter an IP address in the Trace on IP address field do not enter a host name such as www yahoo com...

Страница 65: ...his case number in all correspondence as it allows SonicWALL tech support to provide you with better service In the Tools section click the Diagnostic tab and then select Tech Support Report from the...

Страница 66: ...tic utility to assist in diagnosing and troubleshooting router connections on the Internet By using Internet Connect Message Protocol ICMP echo packets similar to Ping packets Trace Route can test int...

Страница 67: ...cWALL TELE3 SP Administrator s Guide A second window is displayed with each hop to the destination host By following the route you can diagnose where the connection fails between the SonicWALL and the...

Страница 68: ...he LAN The custom rules evaluate network traffic source IP address destination IP address IP protocol type and compare the information to rules created on the SonicWALL Network Access Rules take prece...

Страница 69: ...net Otherwise you are blocked from accessing that service By default the LAN Out check boxes are selected Note If an Alert Icon appears next to a LAN Out or LAN In check box a rule in the Rules window...

Страница 70: ...ers Randomize IP ID A Randomize IP ID check box is available to prevent hackers using various detection tools from detecting the presence of a SonicWALL appliance IP packets are given random IP IDs wh...

Страница 71: ...the IP protocol type 6 for TCP 17 for UDP or 1 for ICMP Note There can be multiple entries with the same name For example the default configuration has two entries labeled Name Service DNS for UDP por...

Страница 72: ...ervice in the list 2 Clear the Enable Logging check box 3 Click Modify Delete a Service To delete a service highlight the name in the list and click Delete Service If multiple entries with the same na...

Страница 73: ...custom Network Access Rules click Access on the left side of the browser window and then click the Rules tab Note Use extreme caution when creating or deleting Network Access Rules because you can di...

Страница 74: ...Chapter 10 Advanced of this manual Add A New Rule 1 Click Add New Rule to open the Add Rule window 2 Select Allow or Deny in the Action list depending upon whether the rule is intended to permit or bl...

Страница 75: ...eld The default value is 5 minutes 8 Do not select the Allow Fragmented Packets check box Large IP packets are often divided into fragments before they are routed over the Internet and then reassemble...

Страница 76: ...ule menu 7 Enter a value in minutes in the Activity Timeout in Minutes field 8 Do not select the Allow Fragmented Packets check box 9 If you want the Rule to have guaranteed bandwidth select Enable Ou...

Страница 77: ...ht of the rule To enable a disabled rule select the Enable check box The configuration is updated automatically and a message confirming the update is displayed at the bottom of the browser window Res...

Страница 78: ...on the Internet during business hours 1 Click Add New Rule in the Rules window to launch the Add Network Access Rule Web browser window 2 Select Deny from the Action menu 3 Select NNTP from the Servi...

Страница 79: ...tent is to allow a ping only to the SonicWALL enter the SonicWALL LAN IP Address in the Destination Addr Range Begin field 8 Select Always from the Apply this rule menu to ensure continuous enforcemen...

Страница 80: ...e 70 for instructions on adding Services to the SonicWALL Users Extensive modifications and additional features are available on the Users tab in the Access section of the Management interface User le...

Страница 81: ...nabling this check box allows unauthenticated DNS traffic to access the DNS server over a VPN tunnel with authentication enforcement Use this checkbox if you allow unauthenticated users to access the...

Страница 82: ...Capabilities By enabling this check box the user has limited local management access to the SonicWALL Management interface The access is limited to the following pages General Status Network Time Log...

Страница 83: ...an the session time set by the administrator The connection closes when the user exceeds the inactivity time out period or the maximum session time is exceeded If the connection is closed the user mus...

Страница 84: ...t Number for the RADIUS server 6 If there is a secondary RADIUS server enter the appropriate information in the Secondary Server section 7 Enter the RADIUS server administrative password or shared sec...

Страница 85: ...ver User Datagram Protocol UDP that allows network administrators to monitor the status of the SonicWALL Internet Security appliances and receive notification of any critical events as they occur on t...

Страница 86: ...P management system receiving the SNMP traps in the Host 1 through 4 fields Up to 4 addresses or hostnames can be specified Configuration of the Log Log Settings for SNMP Trap messages are generated o...

Страница 87: ...ly configured in this section 1 Enter a 16 character hexadecimal encryption key in the Encryption Key field Valid hexadecimal characters include 0 1 2 3 4 5 6 7 8 9 A B C D E and F An example of a val...

Страница 88: ...check box but the log in process into the SonicWALL Management interface slows down HTTPS Port Management A new feature allows you to configure the port used HTTPS authentication By configuring an al...

Страница 89: ...opies of the requested Web pages If it does not the proxy completes the request to the server on the Internet returning the requested information to the user and also saving it locally for future requ...

Страница 90: ...Click the Intranet tab at the top of the window 5 To bypass the Proxy Servers if a failure occurs select the Bypass Proxy Servers Upon Proxy Server Failure check box Note The Intranet settings tab is...

Страница 91: ...he LAN Ethernet port on the back of the SonicWALL to the network segment to be protected against unauthorized access 2 Connect the WAN Ethernet port on the back of the SonicWALL to the rest of the net...

Страница 92: ...computers on your LAN the computers not included are unable to send or receive data through the SonicWALL Specified address ranges are attached to the WAN link Select this option if it is easier to sp...

Страница 93: ...over to the modem occurs on the SP To add Static Route entries follow these instructions 1 Enter the destination network of the static route in the Dest Network field The destina tion network is the I...

Страница 94: ...y defining internal and external address ranges of equal length Once the relationship is defined the computer with the first IP address of the private address range is accessible at the first IP addre...

Страница 95: ...54 and a WAN IP address of 208 1 2 2 Also you own the IP addresses in the range 208 1 2 1 208 1 2 6 Note If you have only one IP address from your ISP you cannot use One to One NAT You have three web...

Страница 96: ...from the LAN you must use URLs like http 1921 168 1 10 to reach the web servers An IP address such as 192 168 1 10 on the LAN cannot be used in both public LAN server configurations and in public LAN...

Страница 97: ...e it is impossible to differentiate between types of network traffic it is also impossible to control which users or applications have priority on the network Applications can also require a specific...

Страница 98: ...s to run smoothly How does SonicWALL Bandwidth Management Work Bandwidth management works by allocating traffic to a class based upon application type source or destination addresses or a combination...

Страница 99: ...class a class can temporarily borrow bandwidth and send traffic until the maximum bandwidth allocated to the class is reached Spare bandwidth is allocated among the highest priority classes until no m...

Страница 100: ...traffic reply packets for traffic associated with an inbound Rule is managed based on the configuration for that Rule MTU Settings A network administrator may set the MTU Maximum Transmission Unit al...

Страница 101: ...your LAN To access the SonicWALL DHCP Setup window click DHCP on the left side of the browser window There are three tabs in the DHCP section Setup DHCP over VPN Status Setup Disable DHCP Server is t...

Страница 102: ...he ones specified in the SonicWALL Network section then select Specify Manually Enter your DNS Server addresses in the DNS Server 1 DNS Server 2 and DNS Server 3 fields The DNS servers are used by com...

Страница 103: ...ernet MAC address of your computer or server in the Ethernet Address field Then click Update When the SonicWALL has been updated a message confirming the update is displayed at the bottom of your Web...

Страница 104: ...te are configured for VPN tunnels for initial DHCP traffic as well as subsequent IP traffic between the sites The SonicWALL at the remote site Remote Gateway passes DHCP broadcast packets through its...

Страница 105: ...ecified servers 4 To delete DHCP servers click on the IP address of the DHCP server and click Delete DHCP Server The server is removed from the list of DHCP servers 5 To complete the configuration go...

Страница 106: ...tunnel when IP spoof detected the SonicWALL blocks any traffic across the VPN tunnel that is spoofing an authenticated user s IP address If you have any static devices however you must ensure that th...

Страница 107: ...the Static IP addresses from the pool of available IP addresses on the DHCP server so that the DHCP server does not assign these addresses to DHCP clients 10 Select LAN Devices not allowed to obtain...

Страница 108: ...shows the details on the current bindings IP and MAC address of the bindings along with the type of binding Dynamic Dynamic BootP or Static BootP To delete a binding which frees the IP address in the...

Страница 109: ...e SonicWALL demonstrates the configuration of SonicWALL Group VPN settings using the Group VPN Security Association Configuring VPN using Manual Key describes the configuration of a SonicWALL applianc...

Страница 110: ...UDP encapsulation is used for IPSec packets NAT NAT Traversal devices use dynamic mappings where a private IP address and source port 192 168 168 168 X are temporarily bound to a shared public IP add...

Страница 111: ...ion displays the Unique Firewall Identifier which defaults to the serial number of the SonicWALL appliance You can change the Identifier and use it for configuring VPN tunnels Enable VPN must be selec...

Страница 112: ...ration or Advanced Configuration Group Configuration Manual Key Configuration and IKE Configuration SonicWALL to SonicWALL are described in this chapter Advanced Configuration is available at the Soni...

Страница 113: ...e either Group VPN default or Add New SA If you select Add New SA a Name field is displayed that allows you to create a name for the SA such as Boston Office Corporate Site etc Select the type of secu...

Страница 114: ...ryption Authentication You can also select an encryption method from the Encryption Authentication for the VPN tunnel If you select IKE using Pre Shared Secret for your SA you can select from one of f...

Страница 115: ...d hexadecimal characters are 0 to 9 and a to f inclusive 0 1 2 3 4 5 6 7 8 9 a b c d e f The hexadecimal characters 0 to ff inclusive are reserved by the Internet Engineering Task Force IETF and are n...

Страница 116: ...k box if you are managing your IP address allocation from a central location Specify destination networks below Configure the destination networks for your VPN Security Association Click Destination N...

Страница 117: ...for traffic on the network segment between the two connections Interruption of the signal forces the tunnel to renegotiate the connection Require authentication of local users Selecting this check box...

Страница 118: ...LL routing table Inbound traffic is decrypted and can now be forwarded to a remote site via another VPN tunnel Normally inbound traffic is decrypted and only forwarded to the SonicWALL LAN or a specif...

Страница 119: ...dular Exponentiation with different prime lengths as listed below If network connection speed is an issue select Group 1 If network security is an issue select Group 5 To compromise between speed and...

Страница 120: ...Certificates and Third Party Certificates Group VPN using IKE Pre shared Secret Group VPN using IKE Certificate s Manual Key IKE using Pre shared Secret IKE using Certificates1 Use Aggressive Mode 3 3...

Страница 121: ...configure remote VPN clients Group VPN is only available for VPN clients and it is recommended to use Authentication Service or XAUTH RADIUS in conjunction with the Group VPN for added security To ena...

Страница 122: ...IPSec packets for this SA Note It is not necessary to configure the Advanced Settings to get the VPN connection working between the SonicWALL and the VPN client You can configure the Advanced Settings...

Страница 123: ...at http www sonicwall com documentation html Group VPN Client Configuration To import the Group VPN security policy into the VPN Client use the following steps 1 Open the VPN Client Click File and the...

Страница 124: ...Click the sign next to Group VPN to reveal two sections My Identity and Security Policy Select My Identity to view the settings 5 Click Pre Shared Key to enter the Pre Shared Secret created in the Gro...

Страница 125: ...vpn center vpn setup html Verifying the VPN Tunnel as Active After the Group VPN Policy is active on the VPN Client you can verify that a secure tunnel is active and sending data securely across the...

Страница 126: ...Security Association menu Then select Manual Key from the IPSec Keying Mode menu 3 Enter a descriptive name that identifies the VPN client in the Name field such as the client s location or name 4 Ent...

Страница 127: ...k automatically updates the VPN configuration and opens the VPN Destination Network window 10 Enter 0 0 0 0 in the Range Start Range End and Destination Subnet Mask for NetBIOS broadcast fields 11 Cli...

Страница 128: ...y policy name Configuring VPN Security and Remote Identity 1 Select Secure in the Network Security Policy box on the right side of the Security Policy Editor window 2 Select IP Subnet in the ID Type m...

Страница 129: ...ent Identity To configure the VPN Client Identity click My Identity in the Network Security Policy window 1 Select None from the Select Certificate menu 2 Select the method used to access the Internet...

Страница 130: ...1 Select Security Policy in the Network Security Policy window 2 Select Use Manual Keys in the Select Phase 1 Negotiation Mode menu 3 Click the next to Security Policy and select Key Exchange Phase 2...

Страница 131: ...Encapsulation Protocol ESP check box 5 Select DES from the Encryption Alg menu 6 Select MD5 from the Hash Alg menu 7 Select Tunnel from the Encapsulation menu 8 Leave the Authentication Protocol AH ch...

Страница 132: ...ect Binary in the Choose key format menu 5 Enter the SonicWALL appliance 16 character Encryption Key in the ESP Encryption Key field 6 Enter the SonicWALL appliance 32 character Authentication Key in...

Страница 133: ...e Verifying the VPN Client Icon in the System Tray The SonicWALL VPN Client icon is displayed in the System Tray if you are running a Windows operating system The icon changes to reflect the current s...

Страница 134: ...al Key for Two SonicWALLs Click VPN on the left side of the SonicWALL browser window and then click the Configure tab 1 Select Manual Key from the IPSec Keying Mode menu 2 Select Add New SA from the S...

Страница 135: ...ed to encrypt data Fast Encrypt ESP ARCFour uses 56 bit ARCFour to encrypt data ARCFour is a secure encryption method and has little impact on the throughput of the SonicWALL Strong Encrypt ESP 3DES u...

Страница 136: ...6 7 8 9 a b c d e and f 1234567890abcdef1234567890abcdef is an example of a valid authentication key If you enter an incorrect authentication key an error message is displayed at the bottom of the bro...

Страница 137: ...ed at LAN select one of the three terminating points for the VPN tunnel 16 Click OK to close the Advanced Settings window Then click Update to update the SonicWALL Configuring the Second SonicWALL App...

Страница 138: ...n if NetBIOS broadcast support is enabled Leave the subnet mask field blank Click Update 11 Click Advanced Settings and select the features that apply to the SA Enable Windows Networking NetBIOS broad...

Страница 139: ...bnet mask field blank Click Update 11 Click Advanced Settings and select the features that apply to the SA Enable Windows Networking NetBIOS broadcast if the remote clients use Windows Network Neighbo...

Страница 140: ...Enter a descriptive name for the Security Association such as Palo Alto Office or NY Headquarters in the Name field 4 Enter the IP address of the remote SonicWALL in the IPSec Gateway Address field T...

Страница 141: ...S This encryption method is recommended for all but the most sensitive data Strong Encrypt ESP 3DES uses 168 bit 3DES Triple DES to encrypt data 3DES is considered an almost unbreakable encryption met...

Страница 142: ...d close the VPN Destination Network window Once the SonicWALL has been updated a message confirming the update is displayed at the bottom of the browser window 14 Click Advanced Settings and select th...

Страница 143: ...N Configure window 3 Select IKE using pre shared secret from the IPSec Keying Mode menu 4 Because the SonicWALL TELE3 SP does not have a permanent WAN IP address the SonicWALL PRO 200 must authenticat...

Страница 144: ...lowing boxes that apply to your SA Use Aggressive Mode requires half of the main mode messages to be exchanged in Phase 1 of the SA exchange Enable Keep Alive if you want to maintain the current conne...

Страница 145: ...the same Shared Secret used in the Chicago Office SonicWALL PRO 200 into the SonicWALL TELE3 Shared Secret field 11 Click Add New Network to open the VPN Destination Network window and define the des...

Страница 146: ...ity by a trusted third party known as a Certificate Authority CA SonicWALL now supports third party certificates in addition to the existing Authentication Service The difference between third party c...

Страница 147: ...VPN SAs you must locate a source for a valid CA certificate from a third party CA service Once you have a valid CA certificate you can import it into the SonicWALL to validate your Local Certificates...

Страница 148: ...the same information as the CA Certificate Details section but a Status entry now appears in the details If a certificate is valid and ready to be used with a VPN Security Association the Status is Ve...

Страница 149: ...ress 3 The Subject Key type is preset as an RSA algorithm RSA is a public key cryptographic algorithm used for encrypting data 4 Select a Subject Key size from the from the Subject Key Size menu 5 Not...

Страница 150: ...You can select Distinguished Name E mail ID or Domain Name from the menu Then cut and paste the information from the Local Certificate into the text field 10 In the Destination Networks section selec...

Страница 151: ...g VPN clients to access LAN resources XAUTH authentication provides an additional layer of VPN security while simplifying and centralizing management XAUTH authentication allows many VPN clients to sh...

Страница 152: ...forwarded to a remote site via another VPN tunnel Normally inbound traffic is decrypted and only forwarded to the SonicWALL LAN or a specific route on the LAN specified on the Routes tab located unde...

Страница 153: ...LAN network If no route is found the SonicWALL checks for a Default LAN Gateway If a Default LAN Gateway is detected the packet is routed through the gateway Otherwise the packet is dropped Testing a...

Страница 154: ...your computer for Windows Networking By configuring your computer for Windows Networking you are able to browse the remote network using Network Neighborhood Before logging into the remote network you...

Страница 155: ...Domain check box and enter the domain name provided by your administrator into the Windows NT domain text box Select Quick Logon under Network logon options section 4 Click on the Identification tab...

Страница 156: ...puter and use the Find tool in the Start menu Type in the IP address into the Computer Named text box and click Find Now To access the computer remotely double click on the computer icon in the box Ad...

Страница 157: ...cting to a computer across a SonicWALL VPN Use the Find Computer tool Create a LMHOSTS file in a local computer registry Configure a WINS Server to resolve a name to a remote IP address For more infor...

Страница 158: ...le certain security associations and still allow access by remote VPN clients The feature is useful if it is suspected that a remote VPN user connection has become unstable or insecure It can also tem...

Страница 159: ...ally consist of 16 or 32 characters The longer the key the more difficult it is to break the encryption Asymmetric vs Symmetric Cryptography Asymmetric and symmetric cryptography refer to the keys use...

Страница 160: ...Encapsulating Security Payload ESP ESP provides confidentiality and integrity of data by encrypting the data and encapsulating it into IP packets Encryption can be in the form of ARCFour similar to th...

Страница 161: ...characters long and is comprised of hexadecimal characters Valid hexadecimal characters are 0 to 9 and a to f inclusive 0 1 2 3 4 5 6 7 8 9 a b c d e f For example a valid key would be 1234567890abcde...

Страница 162: ...tly disrupt business activities Internet connections that provide access to critical resources for remote offices telecommuters and mobile workers Connection downtime can result in lower productivity...

Страница 163: ...lity pair must have the same firmware version installed Each SonicWALL in the High Availability pair must have the same upgrades and subscriptions enabled If the backup unit does not have the same upg...

Страница 164: ...WALL unit and wait for the diagnostics cycle to complete Configure all of the settings in the primary SonicWALL before configuring High Availability 3 Click High Availability on the left and begin con...

Страница 165: ...Trigger Level 6 Enter the Heartbeat Interval time in seconds Use a value between 3 seconds and 255 seconds This interval is the amount of time in seconds that elapses between heartbeats passed betwee...

Страница 166: ...nchronize with the backup an error message is displayed at the bottom of the screen An error message also appears on the Status tab To view the error message on the Status tab click General on the lef...

Страница 167: ...urs the backup SonicWALL assumes the primary SonicWALL LAN and WAN IP Addresses There are three primary methods to check the status of the High Availability pair the High Availability Status window E...

Страница 168: ...ackup SonicWALL is currently Active It is also possible to check the status of the backup SonicWALL by logging into the LAN IP Address of the backup SonicWALL If the primary SonicWALL is operating nor...

Страница 169: ...igh Availability pair For example when the backup SonicWALL takes over for the primary after a failure an E mail alert is sent indicating that the backup has transitioned from Idle to Active If the pr...

Страница 170: ...side of the browser window and then click Restart at the top of the window Click Restart SonicWALL then Yes to confirm the restart Once the active SonicWALL restarts the other SonicWALL in the High A...

Страница 171: ...icWALL Network Anti Virus offers a new approach to virus protection by delivering managed anti virus protection over the Internet By combining leading edge anti virus technology from macafee com with...

Страница 172: ...bilities detected and provides administrators with in depth expert guidance to quickly close up any security holes in a network This subscription based service offers vulnerability assessment scans th...

Страница 173: ...uarters branch offices and telecommuters from a central location SonicWALL GMS reduces staffing requirements speeds up deployment and lowers delivery costs by centralizing the management and monitorin...

Страница 174: ...to the SonicWALL TELE3 SP Modem Lights up when the modem has established a dial up connection There is are two Ethernet ports for the LAN and WAN connections Link Lights up when the Twisted Pair port...

Страница 175: ...damage or loss of data due to electrical storms power failures or power surges Reset Switch Erases the firmware and resets SonicWALL TELE3 SP to its factory clean state This can be necessary if the a...

Страница 176: ...nd connection fails or it can act as the primary connection to the Internet for the TELE3 SP Cooling Vents The SonicWALLTELE3 SP is convection cooled an internal fan is not necessary Do not block the...

Страница 177: ...authentication screen does not appear check for Ethernet connectivity problems Confirm that the computer without Internet access is assigned an IP address in the correct subnet Make sure that the Son...

Страница 178: ...t Click Refresh or Reload in the Web browser The changes can have occurred but the Web browser can be caching the old configuration Duplicate IP address errors Duplicate IP address errors occur when t...

Страница 179: ...nterfaces 2 10 100Base T ports 1 V 90 Modem port Dimensions 4 66 x 6 5 x 1 33 Weight 8 oz Concurrent Connections 6 000 Power 100V to 240V AC Console 1 Serial Port Mounting Wall Mountable Includes brac...

Страница 180: ...r of Nodes 10 3DES 168 bit Speed 20 Mbps Security Services Perfect Forward Secrecy Yes Vulnerability Scanning Optional Prevent Replay Attacks Yes Web Content Filtering Optional Group VPN Tunnel Yes Cu...

Страница 181: ...tors with years of experience in networking and Internet security They are also supported by the best in class tools and processes that ensure a quick and accurate solution to your problem Support Off...

Страница 182: ...help solve your problems or answer your questions quickly reducing your risk of Internet attack Knowledge Base Instant access to solutions and documentation provides answers to questions and solves p...

Страница 183: ...nicWALL Support 24X7 includes the repair or replacement of failing hardware returned to the SonicWALL factory Upon diagnosis of a hardware failure a SonicWALL technical specialist issues an RMA number...

Страница 184: ...d hardware not performing to documented specifications Web based support includes interactive communication with a SonicWALL technical specialist SonicWALL also provides general assistance regarding u...

Страница 185: ...ncluding locally recognized SonicWALL holidays Telephone and Web based Support SonicWALL provides technical assistance during standard coverage hours by telephone or through Web based support tools fo...

Страница 186: ...also includes technical support and software firmware updates for 90 days Coverage is provided during normal business hours Deliverables Coverage Hours Support is provided during standard business hou...

Страница 187: ...ort Tools Warranty Support provides access to SonicWALL s Web based support tools including FAQs documentation and Knowledge Base systems Availability This warranty applied to products sold in Europe...

Страница 188: ...rk and controls the flow of data from the network to the com puter The NIC has a port where the network cable is connected Network Types LAN stands for Local Area Network Local area refers to a networ...

Страница 189: ...nding IP addresses By using DNS a user can type in a computer name such as www sonicwall com instead of an IP address such as 192 168 168 168 to access a computer DHCP Dynamic Host Configuration Proto...

Страница 190: ...addresses A B and C Like a main business phone number that one can call and then be transferred through interchange numbers to an individual s extension number the different classes of IP addresses pr...

Страница 191: ...all network traffic more manageable it also introduces another level of complexity To communicate with a device on another network one must go through a gateway that connects the two networks Therefor...

Страница 192: ...on the LAN not the number of simultaneous connections to the Internet If you have fewer than the maximum number of computers or other devices on your LAN but it appears that the IP license limit is e...

Страница 193: ...esses or by programs executed by privileged users Many popular services such as Web FTP SMTP POP3 e mail DNS etc operate in this port range The assigned ports use a small portion of the possible port...

Страница 194: ...the SonicWALL From a Windows 95 or 98 computer do the following 1 From the Start list highlight Settings and then select Control Panel 2 Double click the Network icon in the Control Panel window 3 Dou...

Страница 195: ...Manually 3 Enter 192 168 168 200 in the IP address field 4 Enter the Subnet Mask address in the Subnet Mask field 5 Click OK Follow the SonicWALL Installation Wizard instructions to perform the initi...

Страница 196: ...TELE3 SP models use the small recessed button on the back of the unit for this procedure Erasing the Firmware for all Models 1 Turn off the SonicWALL and disconnect all cables to the network 2 Locate...

Страница 197: ...into the SonicWALL Steel Belted RADIUS from Funk Software Steel Belted RADIUS server version 3 0 from Funk Software supports pre configuration of vendor specific attributes in a vendor specific dictio...

Страница 198: ...tication takes place even if HTTPS is not available when logging into the SonicWALL management interface Select Allow PAP or CHAP when setting user passwords ACE Server from RSA The ACE Server version...

Страница 199: ...ogging into the SonicWALL management interface Internet Authentication Service on Microsoft Windows NT 2000 Server The RADIUS server used on Microsoft Windows NT and Windows 2000 servers is known as t...

Страница 200: ...indow Repeat Steps 5 through 11 for each privilege configured for a policy For further information refer to To configure vendor specific attributes for a remote access policy in the IAS help file With...

Страница 201: ...Page 200 SonicWALL TELE3 SP Administrator s Guide RADIUS Attributes Dictionary The following is the RADIUS dictionary in the format used with Funk Software s Steel Belted RADIUS server...

Страница 202: ...purposes not shown in this manual without the written consent of SonicWALL Inc could void the user s authority to operate this equipment FCC part 68 Telecom Information Repair Information According to...

Страница 203: ...alent type recommended by the manufacturer If for any reason the battery or SonicWALL Internet security appliance must be disposed of do so following the battery manufacturer s instructions Power Supp...

Страница 204: ...Appendices Page 203 Notes...

Страница 205: ...Page 204 SonicWALL TELE3 SP Administrator s Guide...

Страница 206: ...112 Certificate Authority Certificates 147 Certificate Revocation List 149 Certificates 112 Choose a diagnostic tool 61 Clear Log Now 33 Client Default Gateway 103 Cold Start Trap 87 Configuration 92...

Страница 207: ...ng 158 Ethernet 97 Event 30 Exporting the Settings File 55 F Factory Default 56 Failover Trigger 166 Failover Trigger Level 166 Fast Encrypt ESP ARCFour 136 142 Filter 38 Filter Block Action 43 Filter...

Страница 208: ...AT with PPPoE 19 26 Network 164 Network Access Rules 11 Network Address Translation NAT 11 Network Anti Virus 172 Network Configuration for High Availability Pair 164 Network Debug 35 158 Network Secu...

Страница 209: ...33 Syslog Server Support 12 System Errors 34 35 System Maintenance 34 T Tech Support Report 66 Tech Support Request Form 66 Temporary Lease Time 108 Third Party Digital Certificate 147 Time 28 Time of...

Страница 210: ...SonicWALL Inc 1160 Bordeaux Drive Sunnyvale CA 94089 1209 Tel 408 745 9600 Fax 408 745 9300 E mail info sonicwall com Web www sonicwall com Part 232 0000316 00 Rev A 06 02...

Отзывы:

Нет отзывов

Похожие инструкции для TELE3 SP

Бренд: CAME Страницы: 4

Бренд: Abocom Страницы: 1

Бренд: VAF instruments Страницы: 56

Бренд: Paradyne Страницы: 20

Compshere 3000 Series

Бренд: Paradyne Страницы: 2

Бренд: Pantech Страницы: 17

Бренд: Yamaha Страницы: 24

Бренд: Yamaha Страницы: 5

Бренд: mikroElektronika Страницы: 2

Бренд: Matrix Switch Corporation Страницы: 60

Бренд: B&B Electronics Страницы: 17

Бренд: Doremi Страницы: 15

Бренд: ZiLOG Страницы: 317

Бренд: ETAS Страницы: 84

Бренд: Dynamix Страницы: 102

Бренд: Intellinet Страницы: 2

MS-96 Vial Reader

Бренд: Microscan Страницы: 67

Бренд: H3C Страницы: 103

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды