ZyXEL Communications ZyWALL SSL 10 Скачать руководство пользователя страница 62

Страница: 62 / 102

ZyWALL SSL 10 Support Notes

UDP 500 (IKE) must be forwarded to ZyWALL to accept incoming VPN connection

from peer VPN gateway or client.

If Firewall is running on the same NAT router, make sure a firewall rule is configured to

allow IKE/IPSec (AH/ESP) traffic to pass-through.

VPN->VPN Rule (IKE) on ZyWALL

Configuration on Peer VPN gateway

Configuration on Local ZyWALL

VPN->VPN Rule (IKE) on ZyWALL

WAN->WAN1 or WAN2

On ZyWALL, enable “

NAT Traversal

” no matter if the front NAT router supports NAT

Traversal (IPSec pass-through) or not. With this option enabled, ZyWALL can detect if

it is placed behind NAT when peer VPN entity also support NAT Traversal function. If

yes, the IPSec traffic will be encapsulated in UDP packet to avoid traversal problem on

NAT routers.

Under

VPN->Gateway Policy-> Gateway Policy Information

configure the

private

IP address

as “

My Address

” on local ZyWALL gateway (behind NAT router).

Содержание ZyWALL SSL 10

Страница 1: ...ZyWALL SSL 10 Support Notes 1 All contents copyright c 2006 ZyXEL Communications Corporation ZyWALL SSL 10 Integrated SSL VPN Appliance Support Notes Revision 2 01 April 2007 ...

Страница 2: ...3 SSL VPN Solution 47 3 1 UTM Integration ZyWALL UTM ZyWALL SSL10 47 3 2 Seamless Integrate SSL VPN into your existing IPSec VPN 56 3 3 Integration SonicWALL ZyWALL SSL10 67 3 4 Integration Netscreen ZyWALL SSL10 71 3 5 Integration with NSA 2400 for file sharing 75 4 Best Practice Stronger Password Security 86 4 1 Using Two factor authentication solution to provide stronger FIPS 140 compliant secu...

Страница 3: ...om the ISP to connect to the Internet what can I do 97 A16 What is BOOTP DHCP 98 B Firmware Upgrade FAQ 99 B01 How to perform the firmware upgrade on ZyWALL SSL10 99 C Registration for Service Activation FAQ 99 C01 Why do I have to register 99 C02 In addition to registration what can I do with myZyXEL com 99 C03 How to activate the SSL VPN license 100 D SSL VPN FAQ 100 D01 Matrix table for the SSL...

Страница 4: ...ending on your current network topology we have two suggestions for the deployment of ZYWALL SSL 10 1 1 DMZ Zone 1 1 1 Deploy ZYWALL SSL 10 in DMZ zone To deploy the ZYWALL SSL 10 to a network environment people may ask where is the suggestion to put the device in the existing network If the environment matches the following two criteria put the SSL10 in DMZ zone is recommended y Customers who alr...

Страница 5: ...emote users could either access the main office s LAN resource or access the remote office s LAN resource via IPSec VPN tunnel after user pass the SSL authentication Since the SSL VPN traffic will be decrypted by ZyWALL SSL 10 the traffic could be further inspected by ZyWALL UTM or third party firewall which has security checking features like firewall Anti Virus IDP and etc In this way MIS admini...

Страница 6: ...owing tasks z Check ZyWALL UTM or 3rd party Firewall s setting 1 Configure the proper IP address for WAN LAN DMZ interfaces 2 Configure port 443 forwarding to ZyWALL SSL10 for SSL traffic 3 Change the system management port for HTTPS from 443 to others to avoid conflict with SSL VPN port forwarding z On ZyWALL SSL 10 using Wizard to setup the initial SSL VPN access network See the following step b...

Страница 7: ...nts copyright c 2006 ZyXEL Communications Corporation 2 Go to the GUI Network DMZ Port Roles define the port 4 belongs to DMZ zone 3 Go to the GUI Network WAN WAN1 configure the WAN IP address as a proper one ex 172 120 1 10 in this example ...

Страница 8: ...nts copyright c 2006 ZyXEL Communications Corporation 4 Go to the GUI Network LAN configure the LAN IP address as 192 168 1 1 Step2 Check if the Internet access is available on both LAN and DMZ network by ping from a LAN host and a DMZ host ...

Страница 9: ...add one rule to forward port 443 traffic to the ZyWALL SSL 10 192 168 3 2 Step5 Go to the GUI ADVANCED REMOTE MGMT WWW change the ZyWALL UTM s HTTPS management port number from port 443 to another port number ex 10443 This is to make sure all HTTPS traffic via port 443 will be forwarded to ZyWALL SSL 10 But if IT staff needs to access the ZyWALL UTM by HTTPS they can use https IP_address 10443 whi...

Страница 10: ...forwarding rule 443 to a web server We would suggest to utilize another WAN IP address of ZyWALL UTM device for ZyWALL SSL10 s access For example if you have configured WAN1 IP forward port 443 to another web server ex 192 168 3 10 We could use WAN2 interface ex IP address is 10 59 1 30 to forward 443 to ZyWALL SSL10 as following figure ...

Страница 11: ...HTTP cache after perform the tasks If you are using your PC to configure ZyWALL SSL 10 without any security concern leave it just as default I am connecting via my own computer Otherwise choose I am connecting via Public computer instead Note2 Please ensure you turn on JavaScript and ActiveX control setting on your browser 2 Then press Yes button to accept the system alert 3 If you are the first t...

Страница 12: ...munications Corporation But if it s not your first time to configure ZyWALL SSL 10 the system will login to Advanced Setup page Click the Wizard icon on the right top of page after successfully login 4 Choose the default Install on Gateway s DMZ Port and press Next button ...

Страница 13: ...ZyWALL SSL 10 Support Notes 13 All contents copyright c 2006 ZyXEL Communications Corporation ...

Страница 14: ...XEL Communications Corporation 5 Then choose Static for the device s WAN IP assignment for this example Configure the IP address setting as shown below Press Next button 6 We create one SSL VPN user for this example Enter the username and password Press Next button ...

Страница 15: ...ht mark in blue color the VPN network is as the destination you plan to allow SSL VPN users to access to as the LAN zone The Remote users IP address pool means the IP address will be assigned to the remote SSL VPN users from the device in full tunnel mode Note2 The remote users IP address pool should be different than VPN network Like in this example we use 192 168 1 0 24 for VPN network and remot...

Страница 16: ...ess Next button then 9 It will give you a summery for the ZyWALL SSL 10 s WAN IP setting Press Activate SSL VPN License button to register the device s information to myZyXEL com However if you want to activate SSL VPN license later press Finish button Note Please make sure the Internet access is available before pressing activate SSL VPN license since the system will send the registration informa...

Страница 17: ...r the necessary information to register your user account the device and get ten SSL VPN node licenses after registering successfully Press Finished button to submit the information Then you will complete the registration and initial setup Simulate a Internet host to access ZyWALL SSL 10 via the ZyWALL ...

Страница 18: ...S ex https 172 120 1 10 The ZyWALL SSL10 login page will be shown Enter the username password we just created ex sharno 1234 in this example It allows the PC_A to access internal resource But after it successfully login the remote user will see empty in the Application and File Sharing list as below Besides the user will find his PC got a PPP IP address ex 192 168 1 200 in the PC s network connect...

Страница 19: ...ol to access the internal application server if he knows how to access For example a FTP server IP is 192 168 1 240 He can open the FTP tool ex CuteFTP to access the server If IT stuff would like to pre configure some access links for remote user s quick view he needs further configuration Please refer to chapter 2 for the detail ...

Страница 20: ... 10 at the network gateway and also perform the NAT feature to translate the private IP address to public See following figure to show you the topology for example The network topology is used to illustrate this application We used one ZyWALL as main office s gateway which is connected to the branch office s ZyWALL The ZyWALL SSL 10 is put at behind the main office s gateway Remote users could eit...

Страница 21: ...mplete the following tasks z On ZyWALL SSL 10 using Wizard to setup the initial SSL VPN access network See the following step by step configuration Configuration on ZyWALL SSL 10 1 Login ZyWALL SSL 10 GUI default username is admin password is 1234 Press Login button Note1 Depending on if you want to clean the HTTP cache after perform the tasks If you are using your PC to configure ZyWALL SSL 10 wi...

Страница 22: ...s Corporation Note2 Please ensure you turn on JavaScript and ActiveX control setting on your browser 2 Then press Yes button to accept the system alert 3 If you are the first time to configure ZyWALL SSL 10 the following page will be shown Choose Setup Wizard button to enter wizard ...

Страница 23: ...ZyXEL Communications Corporation But if it s not your first time to configure ZyWALL SSL 10 the system will login to Advanced Setup page Click the Wizard icon on the right top of page after successfully login 4 Choose Install as New Gateway and press Next button ...

Страница 24: ...atic for the device s WAN IP assignment Configure the IP address setting as shown below Press Next button 6 Configure the LAN IP assignment and the DHCP setting Press Next button It will pop up a warning message to remind you the LAN IP address will be changed Your LAN PC needs to release and renew a new IP address from DHCP ...

Страница 25: ...ZyWALL SSL 10 Support Notes 25 All contents copyright c 2006 ZyXEL Communications Corporation 7 In this example we create one SSL VPN user as the figure below Press Next button ...

Страница 26: ...1 In this example we have the IP arrangement as shown in the picture below The right mark in blue color the VPN network is as the destination you plan to allow SSL VPN users to access to as the LAN zone The Remote users IP address pool means the IP address will be assigned to the remote SSL VPN users from the device in Full Tunneling mode Note2 The remote users IP pool should be different than the...

Страница 27: ... WAN IP setting Press Activate SSL VPN License button to register the device s information to myZyXEL com However if you want to activate SSL VPN license later press Finish button Note Please make sure the Internet access is available before pressing activate SSL VPN license since the system will send the registration information to http www myZyXEL com ...

Страница 28: ...o submit the information Then you will complete the registration and initial setup It allows a remote user to use test 1234 to connect to internal But when a remote user successful login he will see empty in the Application and File Sharing list since it needs further configuration To configure more users or groups and to specify a certain application for remote user s access please refer to the a...

Страница 29: ...ulfill the vary access application requirement Application Diagram Background A company has daily operation with travel employee sales and outside partner They will use SSL VPN to access the internal system to gather necessary information for business operation The company already deployed a Microsoft AD server for user management and authentication and the ZyWALL SSL10 also used this server for u...

Страница 30: ...d also checking or updating the file to the internal network for developing and sharing By ZyWALL SSL 10 object based configuration design the IT engineer can plan and deploy this application more effective 2 1 External Authentication ZyWALL SSL10 can smoothly deploy in a network environment which already had a central user database like Microsoft Activate Directory RADIUS or LDAP available User d...

Страница 31: ...ion block including the Server Type address and port The next block is the Advance Configuration this part is more complicated to setup The AD detail parameters are configured in this section and this information is confidential for data protect purpose and you may consult with AD administrator for these parameters Remember to click OK button to save the configuration 2 1 2 User Group configuratio...

Страница 32: ...lease switch to User Group configuration page and click add icon to add a new user group Add the RD group because the group member had pre configured in the AD server thus choose the option of Group in the AAA server Click OK to save the configuration Follow the same steps to add the Sales group ...

Страница 33: ...tions Corporation Finally adding the outsider group We can check the user group general page and found the three groups already settled 2 2 Objects Configuration 2 2 1 SSL Application Object Please switch to Object SSL Application and click the Add icon to add a new application ...

Страница 34: ...the Web Application from drop down menu and fill in the web application display name and address The Display Name is the name show up in the user personal portal right after user login The address field is for web server address and port For example our web server uses IP 192 168 1 10 and port 8080 and then we should type http 192 168 1 10 8080 The ZyWALL SSL10 will access server port 80 or port 4...

Страница 35: ...tom their own application via setting portal and port The Address field is the application server IP address File Sharing Select the File Sharing from drop down menu and fill in the display name and address The Display Name is the name show up in the user personal portal right after user login The Address field is the file sharing server IP address and the Shared Folder is used to specific the sha...

Страница 36: ...ZyWALL SSL 10 Support Notes 36 All contents copyright c 2006 ZyXEL Communications Corporation ...

Страница 37: ...rporation 2 2 2 VPN Network Object Please switch to Object VPN Network and click the Add icon to add a new VPN network Fill in the Name for this VPN network and the network address and the netmask For example we have one subnet called RD_subnet and address is 192 168 2 0 255 255 255 0 ...

Страница 38: ...ferent user group privileges We must apply the most strict security policy to the user group that has the full access right to internal network Below I list the endpoint security requirement matrix table for this scenario outsider sales RD Check Windows Version ν ν ν Check Windows Service Pack Version ν ν ν Check Windows Auto Update ν ν Check Personal Firewall Name ν Check Personal Firewall Versio...

Страница 39: ...olicy The outsider means people who are not our company s employee but they still need to access the company s internal network resource for business cooperation In order to secure our network we will limit their application type in Web application only and checks if their windows version and service pack follow our policy ...

Страница 40: ...eed to get the latest info from company like the price or partner list update It is not secure to get this kind of business confidential data via Email or normal web connection Thus we hope they can access our internal network via SSL tunnel We will define more end point security requirements because sales are not only allowed to access web application also some internal resources ...

Страница 41: ...ack to company internal network to gather the critical information like coding or debugging in case urgent The endpoint security requests more checking items to well protect the internal network We will check the windows version and service pack for OS level and check the client security like personal firewall antivirus software and signature update ...

Страница 42: ...network Thus the client can use this private IP address to talk with the host in the VPN network and vice versa Please switch to Object Private IP Pool and click the Add icon to add a new private IP pool Private IP Pool configuration Fill in the Name for this Private IP Pool network and the network address and the netmask For example we have one subnet called SSL_client and the address is subnet 1...

Страница 43: ... together to form up different SSL Policies according to different user group s access privilege and security requirement We must assign the SSL policy to a specific user group and then choose the endpoint security type and SSL applications which includes web application application file sharing and VPN network Outsider SSL Policy Switch to SSL configuration page and add a new SSL policy for outsi...

Страница 44: ...nications Corporation They are only allowed to use the web application Quick_Order and we won t assign them an internal VPN network Sales SSL Policy Add another new SSL policy for sales The sales use the endpoint security object sales that we configured in previous section ...

Страница 45: ...ernal VPN network RD SSL Policy Add another new SSL policy for RD The RD uses the endpoint security object RD that we configured in previous section RD can use the most internal application like security telnat connection SSH and VPN network They are allowed to use the internal Linux server with SSH and file sharing server NAS We also assign them an internal VPN network and they will use the prede...

Страница 46: ...licies in the Policy list table after we complete the three SSL policies The list also shows the policy name user group SSL application s and VPN network Later on user can add new policy or edit existing policy in this page Now we already finished the SSL environment setup and the remote user can start to enjoy the internal resource with highly security protect ...

Страница 47: ...s reach internal network even though they secure the network gateway with access control rules and apply all the latest service pack or signature update on server hosts The reason is usually because user s notebook may access Internet from home or from some unsecured place The virus may infect user s notebook because you think you just open a normal file The intrusion may be injected to your noteb...

Страница 48: ...nal resources via ZyWALL SSL10 Although ZyWALL SSL 10 can provide security checking for those trusted users some virus or intrusions may still be able to reach the internal network through those trusted PCs without the user aware of it IT staff would like to enable Anti Virus IDP inspection functions on ZyWALL UTM device for SSL VPN traffic Configuration information in this example ...

Страница 49: ...s remote management port for HTTPS to avoid conflict 4 Register the device and enable the AV IDP functions See the following step by step configuration Configuration on ZyWALL SSL10 Please refer to the chapter one to configure ZyWALL SSL10 in DMZ mode Configuration on ZyWALL UTM Step1 Create port forwarding rule 1 Go to the GUI menu ADVANCED NAT Port Forwarding add one rule to forward port 443 tra...

Страница 50: ...that you will get the result as following figure Step3 Change the remote management port on ZyWALL UTM 1 Switch to menu ADVANCED REMOTE MGMT WWW change the ZyWALL UTM s HTTPS management port number from port 443 to another port number ex 10443 This is to make sure all HTTPS traffic via port 443 will be forwarded to ZyWALL SSL 10 But when IT staff needs to access the ZyWALL UTM by HTTPS they can us...

Страница 51: ...you have configured a port forwarding rule 443 to a web server we suggest to utilize another WAN IP address of ZyWALL UTM device for ZyWALL SSL10 s access For example if you have to configure WAN1 IP forward port 443 to another web server ex 192 168 3 10 We could use WAN2 interface ex IP address is 10 59 1 30 to forward 443 to ZyWALL SSL10 as following figure ...

Страница 52: ...er its best performance IDP AV License Activation In Registration page register your account if you already have an account exist in myZyXEL com then all you have to do is first select Existing myZyXEL com account and enter your username password and select IDP AV 3 months trial version to activate The ZyWALL UTM has IDP Intrusion Detection Prevention service which will inspect all traffic going t...

Страница 53: ...ected accordingly so that the FTP file upload download traffic can be protected from the virus infection And the system can give a warning to IT staff if a virus is found 3 For HTTP service check all check boxes that traffic sending to LAN and DMZ interfaces to be protected accordingly so that the Web surfing traffic can be protected from virus infection And the Log can give a warning to IT staff ...

Страница 54: ...pyright c 2006 ZyXEL Communications Corporation Note Remember to make sure the AV signatures are most updated thereby the ZyWALL UTM AV engine can stay in the best status The update can be done manually or automatically The AV signature update page ...

Страница 55: ...ZyWALL SSL 10 Support Notes 55 All contents copyright c 2006 ZyXEL Communications Corporation ...

Страница 56: ...ith it That is all the traffic to the remote access also need to be authenticated and pass the end point security checking by ZyWALL SSL 10 Application Diagram Background Story ZyCompany implements two ZyWALL devices in main office and in remote branch office IT staff would like to establish the IPSec VPN between two offices Furthermore they would like to deploy the SSL VPN solution for remote use...

Страница 57: ... Pool 192 168 1 200 192 168 1 250 y WAN Address 172 120 1 10 y DMZ Address 192 168 3 1 24 y LAN Address 192 168 1 1 24 y WAN Address 172 120 2 10 y LAN Address 192 168 9 1 24 To achieve this we have to complete the following tasks z Configure the ZyWALL SSL 10 in DMZ mode by using Wizard z On two ZyWALL devices 1 Configure IPSec VPN settings 2 Configure NAT port forwarding policy 3 Configure Secur...

Страница 58: ...office and the LAN network of the remote office VPN Configuration on two ZyWALL devices Configure VPN rules if ZyWALLs with Static WAN IPAddress This section describes an example configuration ZyWALL with static WAN IP address If ZyWALL is used as Internet gateway and public IP address is assigned on ZyWALL s WAN interface ZyWALL uses this public WAN IP address for terminating the VPN tunnels from...

Страница 59: ...ntent of identify Configure ZyWALL with Dynamic WAN IPAddress This section describes an example configuration ZyWALL with dynamic WAN IP address If ZyWALL uses PPPoE or Ethernet DHCP for its Internet connection WAN IP address is dynamically assigned by ISP Since ZyWALL has no idea about its WAN IP address before it is assigned it is difficult impossible to use WAN IP Address for My Address in Gate...

Страница 60: ...ote Gateway Address on peer VPN gateway 7 Both DNS and E mail can be used as the Local ID Peer ID for authentication Note If Hi Available HA for incoming VPN HA is necessary enable the HA option while configure the DDNS entry under DNS DDNS ZyWALL will update its DDNS entry with another WAN interface when the specified WAN interface is not available Therefore the next coming VPN connection will go...

Страница 61: ...ure of VPN connection By far the easiest way to combine IPSec and NAT is to completely avoid these problems by locating IPSec endpoints in public address space This can be accomplished in two ways 1 Perform NAT on a device located behind IPSec gateway 2 Use an IPSec gateway for both IPSec VPN and NAT Internet Access However in some situation it is inevitable to locate IPSec gateway in public IP ad...

Страница 62: ...iguration on Peer VPN gateway Configuration on Local ZyWALL VPN VPN Rule IKE on ZyWALL WAN WAN1 or WAN2 3 4 5 6 3 On ZyWALL enable NAT Traversal no matter if the front NAT router supports NAT Traversal IPSec pass through or not With this option enabled ZyWALL can detect if it is placed behind NAT when peer VPN entity also support NAT Traversal function If yes the IPSec traffic will be encapsulated...

Страница 63: ...SSL VPN traffic on the ZyWALLA 1 Go to the GUI menu ADVANCED NAT Port Forwarding add one rule to forward port 443 traffic to the ZyWALL SSL 10 192 168 3 2 2 Go to the GUI ADVANCED REMOTE MGMT WWW change the ZyWALL UTM s HTTPS management port number from port 443 to another port number ex 10443 This is to make sure all HTTPS traffic via port 443 will be forwarded to ZyWALL SSL 10 But when IT staff ...

Страница 64: ...t forwarding rule 443 to a web server We would suggest to utilize another WAN IP address of ZyWALL UTM device for ZyWALL SSL10 s access For example if you have configured WAN1 IP forward port 443 to another web server ex 192 168 3 10 We could use WAN2 interface ex IP address is 10 59 1 30 to forward 443 to ZyWALL SSL10 as following figure ...

Страница 65: ...llow the SSL VPN traffic to be forwarded to ZyWALL SSL10 at DMZ network Thus we Drop all traffic except SSL traffic from WAN to DMZ network The exception is configured at the next step 2 2 Switch to Rule Summary page and select the packet direction from WAN to DMZ then insert a dedicate rule to allow any host to access the ZyWALL SSL10 via service type HTTPS port 443 3 ZyWALL also can inspect pack...

Страница 66: ... Notes 66 All contents copyright c 2006 ZyXEL Communications Corporation available in IDP AV and AS General configuration page Used the check box to decide if the traffic from WAN to DMZ needs to be inspected by scan engine ...

Страница 67: ...l SSL VPN access network z Configure on 3rd party s Firewall 1 Configure the proper IP address for WAN LAN DMZ interfaces 2 Configure port 443 forwarding to ZyWALL SSL10 for SSL traffic 3 Change the system management port for HTTPS from 443 to others to avoid conflict with SSL VPN port forwarding See the following step by step configuration Configuration on ZyWALL SSL10 Please refer to the chapter...

Страница 68: ... s port1 LAN 2 Login SonicWALL s web GUI form the LAN PC Go to menu Network Interface setup WAN LAN DMZ to the proper setting as in the example Step2 Add one firewall rule to allow SSL traffic from WAN to DMZ 1 Go to menu Firewall Access Rules and click Add button Configure it as following figure Create the service SSL for TCP port 443 traffic Then you will see the rule is created as follow ...

Страница 69: ...0 will be forwarded to the ZyWALL SSL10 Step4 Go to menu System Administration change the HTTPS Port for management from port 443 to another port number ex 10443 This is to make sure all HTTPS traffic via port 443 will be forwarded to ZyWALL SSL 10 But if IT staff needs to access the SonicWALL by HTTPS they can use https IP_address 10443 which the IP_address might be SonicWALL s LAN DMZ or WAN IP ...

Страница 70: ...10 Support Notes 70 All contents copyright c 2006 ZyXEL Communications Corporation Step5 Access https 172 120 1 10 from an Internet PC s IE browser The ZyWALL SSL10 s login page will be displayed for your to login ...

Страница 71: ...rd to setup the initial SSL VPN access network z Configure on 3rd party s Firewall 1 Configure the proper IP address for WAN LAN DMZ interfaces 2 Configure port 443 forwarding to ZyWALL SSL10 for SSL traffic 3 Change the system management port for HTTPS from 443 to others to avoid conflict with SSL VPN port forwarding See the following step by step configuration Configuration on ZyWALL SSL10 Pleas...

Страница 72: ...tscreen s trust port2 2 Login Netscreen s web GUI form the LAN PC Go to menu Network Interface setup untrust for WAN trust for LAN to the proper settings as in the example Step2 Create a virtual IP and setup the port forwarding for SSL traffic 1 In the menu Network Interface click Edit on the untrust interface 2 Choose the VIP on the top and choose Same as the untrusted interface IP address Click ...

Страница 73: ...10 will be forwarded to the ZyWALL SSL10 Click OK button after it s done Step3 Add one firewall rule to allow SSL traffic from WAN to ZyWALL SSL10 1 Go to menu Policies choose from Untrust to Trust zone and click the New button at the top corner 2 Configure it as shown in the figure in red shape below Other settings just leave it as default and click Advanced button then ...

Страница 74: ...another port number ex 10443 This is to make sure all HTTPS traffic via port 443 will be forwarded to ZyWALL SSL 10 But if IT staff needs to access the Netscreen by HTTPS they still can use https IP_address 10443 which the IP_address might be Netcreen s LAN or WAN IP address depending on your management setting Apply the setting then Step5 Access https 172 120 1 10 from an Internet PC s IE browser...

Страница 75: ...nfiguration information in this example To achieve this we have to complete the following tasks z Configure on NSA 2400 1 Create a user 2 Create a quota for the user 3 Define the file path for the file sharing z Configure on ZyWALL SSL 10 1 Using Wizard to setup the initial SSL VPN access network 2 Configure the application for file sharing z Configure on ZyWALL UTM 1 Enable port 443 service HTTPS...

Страница 76: ...eate a user 1 Go to GUI menu Sharing Users click Add a New Local User to add user Tom with the limited quota here we limit his quota as 200MB Enter the user s information as follow Leave other settings as default Apply the setting then 2 Go to menu Sharing Shares press Add a New Share button Enter the sharing information and give full access to the user Tom See following figure Press Apply button ...

Страница 77: ...t c 2006 ZyXEL Communications Corporation Note It s better to path by click the Browse button For example create Tom folder under the path volume1 Step2 Test if it does work by link to NSA 2400 s IP address from your PC via IE browser as following figure ...

Страница 78: ...figure SSL setting for file sharing 1 Login to ZyWALL SSL10 2 Create one username in menu User Group Ex Tom 1234 3 Go to menu Object SSL Application choose the type File Sharing and configure other information as below Click OK button 4 Go to menu SSL modify the existed setting which we created via Wizard just now Check the available user Tom and the SSL application Tom folder we just created Clic...

Страница 79: ...ents copyright c 2006 ZyXEL Communications Corporation Configuration on ZyWALL UTM Step1 Create port forwarding rule 4 Go to the GUI menu ADVANCED NAT Port Forwarding add one rule to forward port 443 traffic to the ZyWALL SSL 10 192 168 3 2 ...

Страница 80: ... WAN1 to DMZ is permitted by default as following figure However if you found it s Reject or Drop you need to create one exception rule in Rule Summary Choose packet direction WAN1 to DMZ and press Insert button to enter the information After that you will get the result as following figure Step3 Change the remote management port on ZyWALL UTM 1 Switch to menu ADVANCED REMOTE MGMT WWW change the Z...

Страница 81: ... they can use https IP_address 10443 which the IP_address could be the ZyWALL s LAN or DMZ or WAN IP address depending on server access setting Note However if you have configured a port forwarding rule 443 to a web server we suggest to utilize another WAN IP address of ZyWALL UTM device for ZyWALL SSL10 s access For example if you have to configure WAN1 IP forward port 443 to another web server e...

Страница 82: ... and DMZ Click Apply button 2 Switch to menu Network DMZ to enable Windows Networking NetBIOS over TCP IP Allow between DMZ and WAN1 and Allow between DMZ and LAN Click Apply button Step5 Create one static route for Full tunnel mode access Only for Full tunnel mode users and when they need to access internal application servers by themselves That is access those server NOT through ZyWALL SSL10 por...

Страница 83: ... The access will be Remote user client ZyWALL UTM s WAN ZyWALL UTM s DMZ ZyWALLSSL10 s WAN ZyWALL UTM s LAN However the packet will be returned from ZyWALL UTM s LAN ZyWALL UTM s WAN Remote user client So the routing information is added for the returned packets to force the traffic goes back via original path ZyWALL UTM s LAN ZyWALLSSL10 s WAN ZyWALL UTM s DMZ ZyWALL UTM s WAN Remote user client ...

Страница 84: ...Communications Corporation 3 You will enter the portal continue to click three times Yes button and one time continue button 4 Then switch to File Sharing by click the button at the top 5 Click the Tom folder icon it will bring you to the NSA 2400 s login page as below ...

Страница 85: ...ZyWALL SSL 10 Support Notes 85 All contents copyright c 2006 ZyXEL Communications Corporation 6 Enter the username and password you will get the ...

Страница 86: ... token kits User needs to enter not only the username and password but also the numbers generated from a trusted token Without entering a valid number from token user will always fail to log in 4 1 Using Two factor authentication solution to provide stronger FIPS 140 compliant security SSL10 Authenex To achieve the scenario we need to complete following tasks y Configure the ZyWALL SSL10 to use ex...

Страница 87: ...reate a group by clicking the add icon 2 In this example we create the group testzywall and choose the member from the AAA server as following figure Click OK Step2 Create a File Sharing 1 Go to GUI Object SSL Application create one application rule by clicking the add icon 2 Choose type with File_Sharing and fill out the FTP server s IP address as following Fill out the file server information as...

Страница 88: ...AAA server 1 Go to GUI System AAA Server choose RADIUS for the server type and fill out the other information as following Click OK then Step3 Create a SSL policy 1 Go to GUI SSL Policy create a SSL policy by clicking the add icon Check the user and the file sharing application that we just created Click Ok ...

Страница 89: ...erver via http IP address 8080 asas where the IP address is the server s IP address you can reach from your network If you access the server from the same host you could use localhost or 127 0 0 1 for the IP address After the IP address append with 8080 asas where the 8080 is the server s default port number Login the server by type the password you set ...

Страница 90: ...t the ZyWALL SSL10 s information as following figure Click Add button then Note It s mandatory to set 11 for the field of RADIUS Attribute to ensure the communication properly between ZyWALL SSL10 and the Authenex server 3 Go to Manage Users Add User create a user guest and binds it with the group testzywall and the resource zywallssl10 we just created Click Add button ...

Страница 91: ...1 All contents copyright c 2006 ZyXEL Communications Corporation Then edit the user and check the Assign only Users A Keys option Click Update User button 4 Go to Manage A Keys Assign A Keys Bind a certain token s A key to the user ...

Страница 92: ... Keys Search A Keys search the user to make sure the setting is done as following figure 6 Restart the service by choose your PC s Start Authenex ASAS_3 0 Restart Authenex Radius Server Access from a remote user 1 Login to ZyWALL SSL10 by typing the username password and the six number generated from your token ...

Страница 93: ...SSL 10 Support Notes 93 All contents copyright c 2006 ZyXEL Communications Corporation 2 After successful login you could see the file sharing link from the interface Double click it to access the file server ...

Страница 94: ...rnet port to use the ZyWALL The ZyWALL has two Ethernet ports LAN port and WAN port You should connect the computer to the LAN port and connect the external modem to the WAN port If the ISP uses PPPoE Authentication you need the user account to enter in the ZyWALL A03 What is PPPoE PPPoE stands for Point to Point Protocol over Ethernet that is an IETF draft standard specifying how a computer inter...

Страница 95: ... not You can also check your ISP or the information sheet given by the ISP Please choose PPPoE as the encapsulation type in the ZyWALL if you are using PPPoE service provided by your ISP A07 Why does my Internet Service Provider use PPPoE PPPoE emulates a familiar Dial Up connection It allows your ISP to provide services using their existing network configuration over the broadband connections Bes...

Страница 96: ...work They are not intended to be recognized on the Internet The real IP from ISP instead can be recognized or pinged by another real IP on the internet The ZyWALL Internet Access Sharing Router works like an intelligent router that route between the virtual IP and the real IP A12 How does e mail work through the ZyWALL It depends on what kind of IP you have Static or Dynamic If your company has a ...

Страница 97: ...ternet IP address from ISP automatically The ZyWALL s DHCP server allows it to automatically assign IP and DNS addresses to the clients on the local LAN A14 How do I used the reset button more over what field of parameter will be reset by reset button You can used a sharp pointed object insert it into the little reset hole beside the power connector Press down the reset button and hold down for ap...

Страница 98: ...WAN MAC To clone the MAC from the PC you need to enter that PC s IP in WAN menu of the ZyWALL web configurator 2 Your ISP checks the Host Name Some ISPs take advantage of the host name message in a DHCP packet such as home to do the authentication When first installing the ISP s tech people configure the host name as the Computer Name of the PC in the Networking settings When the ZyWALL is attache...

Страница 99: ...After activating it will allow up to 10 users to login via SSL connection 2 If you purchased iCard for a security service you must activate the security service from within myZyXEL com You could upgrade the license to allow up to 25 users to login via SSL connection C02 In addition to registration what can I do with myZyXEL com 1 Access firmware and security service updates 2 Get ZyWALL alerts on ...

Страница 100: ...se Proxy Mode Choose Web Application type or File Sharing type in GUI menu SSL application Port Forwarding Mode Choose Application type in GUI menu SSL application Full Tunnel Mode Network Extension Mode Configure in GUI menu VPN network and Private IP Pool Or configure SSL VPN via Wizard D02 Why cannot some web pages displayed correctly There are some notes when you are using Reverse Proxy mode 1...

Страница 101: ...Group first If no any user or group matched it will check the external database which is defined in AAA server E EPC End Point Check FAQ E1 What is EPC on ZyWALL SSL10 EPC stands for End Point Check a k a EPS End Point Security The EPC is a centrally managed method of monitoring and maintaining client system security It will verify that the client PC is compliant with security policy defined by ad...

Страница 102: ...ems include 1 General checks Windows platform only Operating system service pack versions Security patches Browser versions Application versions and patch versions Personal Firewalls versions active inactive Anti Virus software versions active inactive Rogue processes 2 Customizable checks Windows platform only Registry entries File system entries Process table entries 3 Session Information Protec...

Результаты поиска

Содержание ZyWALL SSL 10

Отзывы:

Бренды по названию

Популярные бренды

ZyXEL Communications ZyWALL SSL 10, Поддержка заметок

Результаты поиска

Содержание ZyWALL SSL 10

Отзывы:

Бренды по названию

Популярные бренды