User guide
Security interfaces Security
4-61
iMG/RG Software Reference Manual (IPNetwork Functions)
Note: TCP session chaining must always be enabled if UDP session chaining is to be used. It is not possible to
define UDP session chaining without first enabling TCP session chaining.
Disabling TCP session chaining also automatically disables UDP session chaining.
Note: For the majority of applications, you do not need to enable session chaining; do so only if you are
certain that it is required. Because NetMeeting is so commonly used, a dedicated command macro is provided
to create a NetMeeting trigger with minimal configuration:
security add trigger <name> netmeeting
You do not have to set a port range or maximum activity interval for this trigger; the security module sets these
for you automatically.
4.2.3.1.3 CONFIGURING ADDRESS REPLACEMENT
If your device is configured as a NAT router, you may need to configure triggers for certain protocols to replace
the embedded binary IP addresses of incoming packets with the correct inside host IP addresses. This ensures
that addresses are translated correctly. To enable/disable binary address replacement, enter:
security set trigger <name> binaryaddressreplacement {enable|disable}
Once enabled, you can enable address replacement on TCP, UDP or both types of packet:
security set trigger <name> addressreplacement {none|tcp|udp|both}
4.2.3.1.4 CONFIGURING ADDRESS REPLACEMENT
By default, a trigger can only initiate a secondary session requested by the same host that initiated the primary
session. Certain applications, such as SSL, may initiate secondary sessions from different remote hosts. This is
called multihosting. To enable/disable multihosting, enter:
security set trigger <name> multihost {enable|disable}
The commands below allow you to determine the range of ports that a secondary session can use. In the
majority of cases, you do not need to configure the secondary port ranges, because triggers will only open
specific port numbers for secondary sessions within the range 1024 - 65535.
To configure a secondary port range, enter:
security set trigger <name> secondarystartport <portnumber>
security set trigger <name> secondaryendport <portnumber>
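The trigger commands from this subsection and the preceding one, combined into a single complete trigger configuration. This is an added example and is not taken from the manual: the trigger name nm1 and the port numbers are assumed values, and the lines beginning with # are annotations for the reader, not CLI input.

```text
# Added example (not from the manual). Trigger name "nm1" is assumed.
# Create the trigger with the NetMeeting macro; the port range and
# maximum activity interval are set by the security module automatically.
security add trigger nm1 netmeeting

# The device is a NAT router, so rewrite the embedded binary IP addresses
# in both TCP and UDP payloads to the correct inside host addresses.
security set trigger nm1 binaryaddressreplacement enable
security set trigger nm1 addressreplacement both

# Keep the default: only the host that opened the primary session may open
# a secondary session. Enable multihost only for applications (such as SSL)
# that genuinely initiate secondary sessions from different remote hosts.
security set trigger nm1 multihost disable

# Optional: restrict the secondary port range (constructed values) instead of
# relying on the default 1024 - 65535 window.
security set trigger nm1 secondarystartport 49152
security set trigger nm1 secondaryendport 49407
```

Leaving multihost disabled keeps the secondary session tied to the host that opened the primary one, which is the narrower setting; enable it only where the application requires it. The secondary port range is shown for completeness: for a trigger created with the netmeeting macro the module already sets the range, so narrow it only when you know the application's dynamic port range, otherwise the secondary sessions will fail to open.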
4.2.3.1.5 APPLICATION LEVEL GATEWAYS (ALGS)
Essentially, triggers and ALGs perform the same function; they deal with difficult applications that your NAT or
Firewall configuration cannot manage. However, certain applications prove too difficult for triggers and must be
handled by ALGs. The Security module is configured with ALGs for certain well-known applications (see table
below).
Security triggers can be configured to deal with some applications, but only when ALGs are not available