Check Point Safe@Office Internet Security Appliance User Guide Version 8.
COPYRIGHT & TRADEMARKS Copyright © 2008 SofaWare, All Rights Reserved. No part of this document may be reproduced in any form or by any means without written permission from SofaWare. Information in this document is subject to change without notice and does not represent a commitment on part of SofaWare Technologies Ltd. SofaWare, Safe@Home and Safe@Office are trademarks, service marks, or registered trademarks of SofaWare Technologies Ltd.
modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program).
6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7.
Do not expose the appliance to extreme high or low temperatures. Do not disassemble or open the appliance. Failure to comply will void the warranty. Do not use any accessories other than those approved by Check Point. Failure to do so may result in loss of performance, damage to the product, fire, electric shock or injury, and will void the warranty. Route power supply cords where they are not likely to be walked on or pinched by items placed on or against them.
Contents

About This Guide, page ix
Introduction, page 1
  About Your Check Point Safe@Office Appliance, page 1
  Safe@Office 500 Product Family
Using the Safe@Office Portal, page 79
  Logging Out, page 84
Configuring the Internet Connection, page 85
  Overview
Configuring High Availability, page 239
  Overview, page 239
  Configuring High Availability on a Gateway, page 242
  Sample Implementation on Two Gateways
Setting Your Security Policy, page 351
  The Safe@Office Firewall Security Policy, page 351
  Default Security Policy, page 353
  Setting the Firewall Security Level
Using Software Updates, page 546
  Updating the Firmware Manually, page 549
Using Subscription Services, page 551
  Connecting to a Service Center
Configuring RADIUS Attributes, page 657
Using Remote Desktop, page 661
  Overview, page 661
  Workflow
Using Network Printers, page 733
  Overview, page 733
  Setting Up Network Printers, page 734
  Configuring Computers to Use Network Printers
About This Guide
To make finding information in this guide easier, some types of information are marked with special symbols or formatting. Boldface type is used for command and button names.
Note: Notes are denoted by indented text and preceded by the Note icon.
Warning: Warnings are denoted by indented text and preceded by the Warning icon.

Chapter 1 Introduction
This chapter introduces the Check Point Safe@Office appliance and this guide. This chapter includes the following topics:
About Your Check Point Safe@Office Appliance, page 1
Safe@Office 500 Product Family, page 2
Product Features, page 2
Wireless Features
Safe@Office 500 Product Family integrated VPN capabilities, the Safe@Office appliance allows teleworkers and road warriors to securely connect to the office network, and enables secure interconnection of branch offices.
Product Features

Firewall
  Concurrent firewall connections: 8,000

Hardware Features
  4-port LAN switch
  WAN port: 10/100 Mbps Ethernet (non-ADSL models) or 10/100 Mbps ADSL2+ (ADSL models)
  ADSL standards (ADSL models): ADSL2, ADSL2+, T.1413, G.DMT (G.992.1), G.Lite (G.992.2); either Annex A (ADSL over POTS) or Annex B (ADSL over ISDN)
  DMZ/WAN2 port: 10/100 Mbps
  Dialup backup: with external serial / USB modem
  Console port (serial)
  Print server: USB 2.

Security
  SmartDefense (IPS)
  Network Address Translation (NAT)
  Four preset security policies
  Anti-spoofing
  Voice over IP support: SIP, H.323
  Instant messenger blocking / monitoring
  P2P file sharing blocking / monitoring
  Port-based and tag-based VLAN *
  Port-based security * (802.

VPN
  VPN server with SecuRemote, L2TP, OfficeMode and RADIUS support
  Site-to-site VPN gateway
  Route-based VPN
  Backup VPN gateways
  Remote access VPN client: SecuRemote (included)
  IPSEC features: hardware-accelerated DES, 3DES, AES, MD5, SHA-1; hardware random number generator (RNG); Internet Key Exchange (IKE); Perfect Forward Secrecy (PFS); IPSEC compression; IPSEC NAT Traversal (NAT-T); IPSEC VPN pass-through

Networking
  Supported Internet connection methods: Static IP, DHCP, PPPoE, PPTP, S
  Dead Internet Connection Detection (DCD)
  WAN load balancing
  Backup Internet connection
  DHCP server, client, and relay
  DNS server
  MAC cloning
  Network Address Translation (NAT) rules
  Static routes, source routes, and service-based routes
  Ethernet cable type recognition
  DiffServ tagging *
  Automatic gateway failover (HA) *
  Dynamic routing *

Management
  Central management: SMP
  Local management: HTTP / HTTPS / SSH / SNMP / serial CLI
  Remote Desktop: integrated Microsoft Terminal Services client
  Local diagnostics (Tools): Ping, WHOIS, Packet Sniffer, Status Monitor, Traffic Monitor, My Computers display, Connection Table display, Network Interface Monitor, VPN Tunnel Monitor, Routing Table display, Event Log, Security Log
  NTP automatic time setting
  Rapid Deployment

Hardware Specifications
  Power: 100/110/120/210/220/230 VAC (Line
Wireless Features

Table 2: Safe@Office Wireless Features (Safe@Office 500W / Safe@Office 500W ADSL)
  Wireless protocols: 802.11b (11 Mbps), 802.11g (54 Mbps), Super G (108 Mbps)**
  Wireless security: VPN over wireless, WEP, WPA2 (802.11i), WPA-Personal, WPA-Enterprise, 802.
Optional Security Services
The following subscription security services are available to Safe@Office owners by connecting to a Service Center:
• Firewall Security and Software Updates
• Web Filtering
• Email Antivirus and Antispam Protection
• VStream Embedded Antivirus Updates
• Dynamic DNS Service
• VPN Management
• Security Reporting
• Vulnerability Scanning Service
These services require the purchase of an additional subscription.
Getting to Know Your Safe@Office 500 Appliance

Package Contents
The Safe@Office 500 package includes the following:
• Safe@Office 500 Internet Security Appliance
• Power supply
• CAT5 straight-through Ethernet cable
• Getting Started Guide
• Documentation CD-ROM
• Wall mounting kit
• RS232 serial adaptor (RJ45 to DB9); model SBX-166LHGE-5 only

Network Requirements
• 10BaseT or 100BaseT Network Interface Card installed on each computer
• CAT 5 STP (Category 5 Shielded Twisted Pair) straight-through Ethernet cable for each attached device

Rear Panel
All physical connections (network and power) are made via the rear panel of your Safe@Office appliance.
Figure 1: Safe@Office 500 SBX-166LHGE-5 Appliance Rear Panel
Figure 2: Safe@Office 500 SBX-166LHGE-6 Appliance Rear Panel
The following table lists the Safe@Office 500 appliance's rear panel elements.

Table 3: Safe@Office 500 Appliance Rear Panel Elements
Label   Description
PWR     A power jack used for supplying power to the unit.
RESET   A button used for rebooting the Safe@Office appliance or resetting it to its factory defaults. You need to use a pointed object to press this button.
        • Short press: reboots the Safe@Office appliance.
        • Long press (7 seconds): resets the Safe@Office appliance to its factory defaults, and resets the firmware to the version that shipped with the appliance. Because this also discards any firmware updates installed since, reinstall the current firmware (see Using Software Updates) and re-apply your security policy after a factory reset.

Front Panel
The Safe@Office 500 appliance includes several status LEDs that enable you to monitor the appliance's operation.
Figure 3: Safe@Office 500 Appliance Front Panel
For an explanation of the Safe@Office 500 appliance's status LEDs, see the following table.

LED        State                   Explanation
LINK/ACT   LINK/ACT On, 100 Off    10 Mbps link established for the corresponding port
           LINK/ACT On, 100 On     100 Mbps link established for the corresponding port
           LNK/ACT Flashing        Data is being transmitted/received
VPN        Off                     No VPN activity
           Flashing (Green)        VPN activity
           On (Green)              VPN tunnels established, no activity
Serial     Off                     No Serial port activity
           Flashing (Green)        Serial port activity
Getting to Know Your Safe@Office 500W Appliance

Package Contents
The Safe@Office 500W package includes the following:
• Safe@Office 500W Internet Security Appliance
• Power supply
• CAT5 straight-through Ethernet cable
• Getting Started Guide
• Documentation CD-ROM
• Wall mounting kit
• RS232 serial adaptor (RJ45 to DB9); model SBXW-166LHGE-5 only
• Two antennas
• USB extension cable

Network Requirements
• 10BaseT or 100BaseT Network Interface Card installed on each computer

Rear Panel
All physical connections (network and power) are made via the rear panel of your Safe@Office appliance.
Figure 4: Safe@Office 500W SBXW-166LHGE-5 Appliance Rear Panel
Figure 5: Safe@Office 500W SBXW-166LHGE-6 Appliance Rear Panel
The following table lists the Safe@Office 500W appliance's rear panel elements.

Table 5: Safe@Office 500W Appliance Rear Panel Elements
Label          Description
PWR            A power jack used for supplying power to the unit.
RESET          A button used for rebooting the Safe@Office appliance or resetting it to its factory defaults. You need to use a pointed object to press this button.
               • Short press: reboots the Safe@Office appliance.
               • Long press (7 seconds): resets the Safe@Office appliance to its factory defaults, and resets the firmware to the version that shipped with the appliance.
ANT 1 / ANT 2  Antenna connectors, used to connect the supplied wireless antennas.

Front Panel
The Safe@Office 500W appliance includes several status LEDs that enable you to monitor the appliance's operation.
Figure 6: Safe@Office 500W Appliance Front Panel
For an explanation of the Safe@Office 500W appliance's status LEDs, see the following table.

Table 6: Safe@Office 500W Appliance Status LEDs
LED                 State                      Explanation
PWR/SEC             Off                        Power off
                    Flashing quickly (Green)   System boot-up, or rapid deployment in progress
                    Flashing slowly (Green)    Establishing Internet connection
                    Flashing (Red)             Hacker attack blocked, or error occurred during rapid deployment process
                    On (Green)                 Normal operation
                    On (Red)                   Error
                    Flashing (Orange)          Software update in progress
LAN 1-4 / DMZ/WAN2  LINK/ACT Off, 100 Off      Link is down
Serial              Off                        No Serial port activity
                    Flashing (Green)           Serial port activity
USB                 Off                        No USB port activity
                    Flashing (Green)           USB port activity
WLAN                Off                        No WLAN activity
                    Flashing (Green)           WLAN activity

Getting to Know Your Safe@Office 500 ADSL Appliance

Package Contents
The Safe@Office 500 ADSL package includes the following:
• Safe@Office 500 ADSL Internet Security Appliance
• Power supply
• CAT5 straight-through Ethernet cable
Network Requirements
• 10BaseT or 100BaseT Network Interface Card installed on each computer
• CAT 5 STP (Category 5 Shielded Twisted Pair) straight-through Ethernet cable for each attached device
• An ADSL line suitable for your appliance model:
  • For Annex A ADSL models, an ADSL over POTS line (regular telephone line)
  • For Annex B ADSL models, an ADSL over ISDN line (digital line)
• A splitter with a micro-filter, installed on all the jacks c

Rear Panel Elements
Label      Description
RESET      A button used for rebooting the Safe@Office appliance or resetting it to its factory defaults. You need to use a pointed object to press this button.
           • Short press: reboots the Safe@Office appliance.
           • Long press (7 seconds): resets the Safe@Office appliance to its factory defaults, and resets the firmware to the version that shipped with the appliance.
DMZ/WAN2   A dedicated Ethernet port (RJ-45) used to connect a DMZ (Demilitarized Zone) computer or network. Alternatively, can serve as a secondary WAN port or as a VLAN trunk.
LAN 1-4    Local Area Network switch: four Ethernet ports (RJ-45) used for connecting computers or other network devices.

Front Panel
The Safe@Office 500 ADSL appliance includes several status LEDs that enable you to monitor the appliance's operation.

LED                 State                   Explanation
PWR/SEC             On (Green)              Normal operation
                    On (Red)                Error
LAN 1-4 / DMZ/WAN2  LINK/ACT Off, 100 Off   Link is down
                    LINK/ACT On, 100 Off    10 Mbps link established for the corresponding port
                    LINK/ACT On, 100 On     100 Mbps link established for the corresponding port
                    LNK/ACT Flashing        Data is being transmitted/received
DSL                 Link Off                Link is down
                    Link Flashing           Establishing ADSL connection
                    Link On                 ADSL connection estab
VPN, Serial, USB    (rows not recoverable from the extracted page)
USB                 Flashing (Green)        USB port activity

Getting to Know Your Safe@Office 500W ADSL Appliance

Package Contents
The Safe@Office 500W ADSL package includes the following:
• Safe@Office 500W ADSL Internet Security Appliance
• Power supply
• CAT5 straight-through Ethernet cable
• Getting Started Guide
• Documentation CD-ROM
• Wall mounting kit
• RS232 serial adaptor (RJ45 to DB9)
• Two antennas
• USB extension cable

Network Requirements
• 10BaseT or 100BaseT Network Interface Card installed on each computer
• CAT 5 STP (Category 5 Shielded Twisted Pair) straight-through Ethernet cable for each attached device
• An ADSL line suitable for your appliance model:
  • For Annex A ADSL models, an ADSL over POTS line (regular telephone line)
  • For Annex B ADSL models, an ADSL over ISDN line (digital line)
• A splitter with a micro-filter, installed on all the jacks co

Table 9: Safe@Office 500W ADSL Appliance Rear Panel Elements
Label   Description
PWR     A power jack used for supplying power to the unit. Connect the supplied power supply to this jack.
RESET   A button used for rebooting the Safe@Office appliance or resetting it to its factory defaults. You need to use a pointed object to press this button.
        • Short press: reboots the Safe@Office appliance.
        • Long press (7 seconds).
DSL     An RJ-11 ADSL port used for connecting the integrated ADSL modem to an ADSL line. A splitter with a micro-filter is usually required when connecting this port to the phone jack. If unsure, check with your ADSL service provider. Before connecting this port to the line, make sure that you are using the correct Safe@Office model for your phone line: Annex A for POTS (regular) phone lines, and Annex B for ISDN (digital) phone lines.

Table 10: Safe@Office 500W ADSL Appliance Status LEDs
LED                 State                      Explanation
PWR/SEC             Off                        Power off
                    Flashing quickly (Green)   System boot-up, or rapid deployment in progress
                    Flashing slowly (Green)    Establishing Internet connection
                    Flashing (Red)             Hacker attack blocked, or error occurred during rapid deployment process
                    On (Green)                 Normal operation
                    On (Red)                   Error
LAN 1-4 / DMZ/WAN2  LINK/ACT Off, 100 Off      Link is down
                    LINK/ACT On, 100 Off       10 Mbps link esta
VPN                 Off                        No VPN activity
                    Flashing (Green)           VPN activity
                    On (Green)                 VPN tunnels established, no activity
Serial              Off                        No Serial port activity
                    Flashing (Green)           Serial port activity
USB                 Off                        No USB port activity
                    Flashing (Green)           USB port activity
WLAN                Off                        No WLAN activity
                    Flashing (Green)           WLAN activity

Contacting Technical Support
In case of a problem with your Safe@Office appliance, see http://www.sofaware.com/support.
Introduction to Information Security Chapter 2 Safe@Office Security This chapter explains the basic security concepts on which Safe@Office security is based. This chapter includes the following topics: Introduction to Information Security ..........................................................31 The Safe@Office Firewall..........................................................................
Introduction to Information Security • Commercial companies store information about their revenues, business and marketing plans, current and future product lines, information about competitors, and so on. Just as the type of information may differ from organization to organization, the form in which it is stored may vary.
Introduction to Information Security Information Security Challenges The challenges of information security can be divided into the following areas: • Confidentiality and Privacy - Ensuring that only the intended recipients can read certain information • Authentication - Ensuring that information is actually sent by the stated sender • Integrity - Ensuring that the original information was not altered and that no one tampered with it • Availability - Ensuring that important information can be access
Introduction to Information Security In order for a security policy be effective, it must be accompanied by the following measures: • Awareness - A security policy must be accompanied by steps taken to increase the employees' awareness of security issues. If employees are unaware of a security policy rule and the reason for it, they are likely to break it. • Enforcement - To enforce a security policy, an organization can take various measures, both human and electronic.
Introduction to Information Security Computer and Network Security A great deal of an organization's existing information is processed and stored electronically by single (standalone) computers or computer networks. Therefore, an attack on an organization's computers or computer networks can result in extensive information theft or abuse.
Introduction to Information Security Since computer and network security has become a central part of information and general security, security managers must either have an understanding of computers and networking, or work closely with network administrators and network security specialists. Network Security and the Small Business Network security has been and continues to be a major concern for large, enterprise-sized organizations.
The Safe@Office Firewall The Safe@Office Firewall What Is a Firewall? The most effective way to secure an Internet link is to put a firewall between the local network and the Internet. A firewall is a system designed to prevent unauthorized access to or from a secured network. Firewalls act as locked doors between internal and external networks: data that meets certain requirements is allowed through, while unauthorized data is not.
The Safe@Office Firewall Old Firewall Technologies Older firewall technologies, such as packet filtering and application-layer gateways, are still in use in some environments. It is important to familiarize yourself with these technologies, so as to better understand the benefits and advantages of the Check Point Stateful Inspection firewall technology. Packet Filters Historically implemented on routers, packet filters filter user-defined content, such as IP addresses.
Application-layer gateways have the following advantages and disadvantages:

Table 12: Application-Layer Gateway Advantages and Disadvantages
Advantages                          Disadvantages
Good security                       Poor performance
Full application-layer awareness    Limited application support
                                    Poor scalability (breaks the client/server model)

Check Point Stateful Inspection Technology
Invented by Check Point, Stateful Inspection is the industry standard for network security solutions.
The Safe@Office Firewall Packet State and Context Information To track and act on both state and context information for an application is to treat that traffic statefully.
Table 13: Establishment of Passive FTP Connection
Step  Channel  Type  Source      Destination  Source Port  Destination Port  Description
1     CMD      TCP   FTP client  FTP server   C (> 1023)   21                Client initiates a PASV command to the FTP server on port 21
2     CMD      TCP   FTP server  FTP client   21           C                 Server responds with data port information (P > 1023)
3     Data     TCP   FTP client  FTP server   D (> 1023)   P                 Client initiates a data connection to port P
4     Data     TCP   FTP server  FTP client   P            D                 Server acknowledges

The following diagram demonstrates the establishment of a Passive FTP connection through a firewall protecting the FTP server.
Table 14: Firewall Technologies and Passive FTP Connections

Packet Filter
Packet filters can handle outbound FTP connections in either of the following ways:
• By leaving the entire upper range of ports (greater than 1023) open. While this allows the file transfer session to take place over the dynamically allocated port, it also exposes the internal network.
• By shutting down the entire upper range of ports.

Stateful Inspection Firewall
A Stateful Inspection firewall examines the FTP application-layer data in an FTP session. When the client initiates a command session, the firewall extracts the port number from the request. The firewall then records both the client and server's IP addresses and port numbers in an FTP-data pending request list.
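The Stateful Inspection handling of passive FTP described in Table 14, as an added example that is not code from the Safe@Office product or from this guide: a small Python model of a firewall protecting one FTP server. It watches the command channel for the server's 227 reply, records the announced data port in an FTP-data pending request list, and admits an inbound data connection only when the source address and destination port match that entry, so the high-port range stays closed to everyone else. The IP addresses and the 227 reply line are constructed sample input; the checks that the announced address must be the server's own and that the port must lie above 1023 are assumptions about a sensible policy, not settings documented for the appliance.

```python
import re

# Server reply that announces the passive data port, for example
# "227 Entering Passive Mode (203,0,113,10,195,80)"  -> port 195*256+80 = 50000
PASV_REPLY = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

FTP_CONTROL_PORT = 21


class StatefulFtpInspector:
    """Models the FTP-data pending request list of a Stateful Inspection
    firewall that protects a single FTP server (Table 14, last row)."""

    def __init__(self, server_ip):
        self.server_ip = server_ip
        self.pending = set()       # (client_ip, server_ip, data_port) awaiting a SYN
        self.connections = set()   # data connections already admitted

    def on_server_reply(self, client_ip, server_ip, line):
        """Inspect one server->client line of the command channel (Table 13, step 2).
        Returns the announced data port when a valid 227 reply is seen, else None."""
        match = PASV_REPLY.match(line)
        if match is None:
            return None
        h1, h2, h3, h4, p1, p2 = (int(x) for x in match.groups())
        announced_ip = f"{h1}.{h2}.{h3}.{h4}"
        port = p1 * 256 + p2
        # Assumed policy: the announced address must be the server itself and the
        # port must be in the dynamic range; otherwise a hostile server could make
        # the firewall open a hole toward a third host (the classic FTP bounce).
        if announced_ip != server_ip or not 1024 <= port <= 65535:
            return None
        self.pending.add((client_ip, server_ip, port))
        return port

    def allow_syn(self, src_ip, dst_ip, dst_port):
        """Decide whether a new inbound TCP SYN may reach the FTP server."""
        if dst_ip == self.server_ip and dst_port == FTP_CONTROL_PORT:
            return True  # the command channel is permitted by the rule base
        key = (src_ip, dst_ip, dst_port)
        if key in self.pending:
            self.pending.discard(key)   # one data connection per 227 reply
            self.connections.add(key)
            return True
        # A retransmitted SYN for an admitted connection is still accepted; any
        # other high-port SYN is dropped, unlike the packet filter in Table 14
        # that would have to leave the whole range above 1023 open.
        return key in self.connections


def demo():
    """Walks through Table 13 with constructed addresses and returns the decisions."""
    fw = StatefulFtpInspector("203.0.113.10")
    client = "198.51.100.5"
    # Steps 1-2: command channel; the server announces data port P = 50000.
    port = fw.on_server_reply(client, "203.0.113.10",
                              "227 Entering Passive Mode (203,0,113,10,195,80)")
    # Step 3: the client's data connection to P is admitted...
    client_ok = fw.allow_syn(client, "203.0.113.10", port)
    # ...but an unrelated host probing the same port, or the client probing a
    # neighbouring port, is not.
    stranger = fw.allow_syn("192.0.2.99", "203.0.113.10", port)
    wrong_port = fw.allow_syn(client, "203.0.113.10", port + 1)
    return port, client_ok, stranger, wrong_port


if __name__ == "__main__":
    print(demo())
```

The pending entry is keyed on the client address as well as the port, which is what distinguishes this from the packet filter's "open everything above 1023" approach: the data port is reachable only from the host that negotiated it, and only until that connection is established.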
Before You Install the Safe@Office Appliance Chapter 3 Installing and Setting Up Safe@Office This chapter describes how to properly set up and install your Safe@Office appliance in your networking environment. This chapter includes the following topics: Before You Install the Safe@Office Appliance .........................................45 Appliance Installation.................................................................................59 Wall Mounting the Safe@Office Appliance......................
Windows Vista

Checking the TCP/IP Installation
1. Click Start > Control Panel. The Control Panel window appears.
2. Under Network and Internet, click View network status and tasks. The Network Sharing Center screen appears.
3. In the Tasks pane, click Manage network connections. The Network Connections screen appears.
4. Double-click the Local Area Connection icon. The Local Area Connection Status window opens.
5. Click Properties. The Local Area Connection Properties window opens.
6. Check if Internet Protocol Version 4 (TCP/IPv4) appears in the list box and if it is properly configured with the Ethernet card installed on your computer.

TCP/IP Settings
1. In the Local Area Connection Properties window, double-click the Internet Protocol Version 4 (TCP/IPv4) component, or select it and click Properties. The Internet Protocol Version 4 (TCP/IPv4) Properties window appears.
2. Click the Obtain an IP address automatically radio button.
Note: Normally, it is not recommended to assign a static IP address to your PC but rather to obtain an IP address automatically. If for some reason you need to assign a static IP address, select Specify an IP address, type in an IP address in the range of 192.168.10.129-254, enter 255.255.255.0 in the Subnet Mask field, and click OK to save the new settings. (Note that 192.168.

2. Double-click the Network and Dial-up Connections icon. The Network and Dial-up Connections window appears.
3. Right-click the Local Area Connection icon and select Properties. The Local Area Connection Properties window appears.
4. In the above window, check if TCP/IP appears in the components list and if it is properly configured with the Ethernet card installed on your computer. If TCP/IP does not appear in the Components list, you must install it as described in the next section.

Installing TCP/IP Protocol
1. In the Local Area Connection Properties window click Install. The Select Network Component Type window appears.
2. Select Protocol and click Add. The Select Network Protocol window appears.
3. Choose Internet Protocol (TCP/IP) and click OK. TCP/IP protocol is installed on your computer.

TCP/IP Settings
1. In the Local Area Connection Properties window, double-click the Internet Protocol (TCP/IP) component, or select it and click Properties. The Internet Protocol (TCP/IP) Properties window opens.
2. Click the Obtain an IP address automatically radio button.
Note: Normally, it is not recommended to assign a static IP address to your PC but rather to obtain an IP address automatically.

Mac OS
Use the following procedure for setting up the TCP/IP Protocol.
1. Choose Apple Menus -> Control Panels -> TCP/IP. The TCP/IP window appears.
2. Click the Connect via drop-down list, and select Ethernet.
3. Click the Configure drop-down list, and select Using DHCP Server.
4. Close the window and save the setup.

Mac OS X
Use the following procedure for setting up the TCP/IP Protocol.
1. Choose Apple -> System Preferences. The System Preferences window appears.
2. Click Network. The Network window appears.
3. Click Configure. TCP/IP configuration fields appear.
4. Click the Configure IPv4 drop-down list, and select Using DHCP.
5. Click Apply Now.
Appliance Installation

Installing Non-ADSL Models
To install the Safe@Office appliance
1. Verify that you have the correct cable type. For information, see Network Requirements on page 15.
2. Connect the LAN cable:
   a. Connect one end of the Ethernet cable to one of the appliance's LAN ports.
   b. Connect the other end to PCs, hubs, or other network devices.
3. Connect the WAN cable:
   a. Connect one end of the Ethernet cable to the appliance's WAN port.
   b. Connect the other end to an external cable modem, DSL modem, or office network.
4. Connect the power supply to the appliance's power socket, labeled PWR.

Figure 12: Typical Connection Diagram

Installing ADSL Models
To install the Safe@Office appliance
1. Verify that you have the correct cable type. For information, see Network Requirements on page 15.
2. Connect the LAN cable:
   a. Connect one end of the Ethernet cable to one of the appliance's LAN ports.
   b. Connect the other end to PCs, hubs, or other network devices.
3. Connect the ADSL cable:
   a. Connect one end of the telephone cable to the appliance's DSL port.
   b. Connect the other end to the telephone jack of your ADSL service, through a splitter with a micro-filter where one is required. Check with your service provider whether a micro-filter is required at your location.
4. To use the appliance with a non-ADSL connection, or with an existing ADSL modem, connect an Ethernet cable:
   a. Connect one end of the Ethernet cable to the appliance's DMZ/WAN2 port.
   b. Connect the other end of the cable to an external cable modem, DSL modem, or office network.
5. Connect the power supply to the appliance's power socket, labeled PWR.
6.
Appliance Installation Cascading Your Appliance The Safe@Office appliance protects all computers and network devices that are connected to its LAN and DMZ ports. If desired, you can increase the appliance's port capacity by cascading hubs or switches. To cascade the Safe@Office appliance to a hub or switch 1. Connect a standard Ethernet cable to one of the appliance's LAN ports or to its DMZ/WAN2 port.
Wall Mounting the Safe@Office Appliance Connecting the Appliance to Network Printers In models with a print server, you can connect network printers. To connect network printers 1. Connect one end of a USB cable to one of the appliance's USB ports. If needed, you can use the provided USB extension cord. 2. Connect the other end to a printer or a USB 2.0 hub. Warning: Verify that the USB devices' power requirement does not exceed the appliance's USB power supply capabilities.
Wall Mounting the Safe@Office Appliance 3. Mark two drill holes on the wall, in accordance with the following sketch: 4. Drill two 3.5 mm diameter holes, approximately 25 mm deep. 5. Insert two plastic conical anchors into the holes. Note: The conical anchors you received with your Safe@Office appliance are suitable for concrete walls. If you want to mount the appliance on a plaster wall, you must use anchors that are suitable for plaster walls. 6.
Securing the Safe@Office Appliance against Theft Your Safe@Office appliance is wall mounted. You can now connect it to your computer. Securing the Safe@Office Appliance against Theft The Safe@Office appliance features a security slot to the rear of the right panel, which enables you to secure your appliance against theft, using an anti-theft security device. Note: Anti-theft security devices are available at most computer hardware stores.
While these parts may differ between devices, all looped security cables include a bolt with knobs, as shown in the diagram below:
Figure 15: Looped Security Cable Bolt
The bolt has two states, Open and Closed, and is used to connect the looped security cable to the appliance's security slot.
To install an anti-theft device on the Safe@Office appliance
1.
5. Thread the anti-theft device's pin through the bolt's holes, and insert the pin into the main body of the anti-theft device, as described in the documentation that came with your device.
Setting Up the Safe@Office Appliance
After you have installed the Safe@Office appliance, you must set it up using the steps shown below. When setting up your Safe@Office appliance for the first time after installation, these steps follow each other automatically.
• Logging in to the Safe@Office Portal and setting up your password: see Initial Login to the Safe@Office Portal on page 71.
• Configuring an Internet connection: see Using the Internet Wizard on page 86.
• Setting the time on your Safe@Office appliance: see Setting the Time on the Appliance on page 699.
• Setting up a wireless network (wireless appliances only): see Configuring a Wireless Network on page 263.
• Installing the Product Key: see Upgrading Your Software Product on page 685.
• Setting up subsc
To access the Setup Wizard
1. Click Setup in the main menu, and click the Firmware tab. The Firmware page appears.
2. Click Safe@Office Setup Wizard.
The Safe@Office Setup Wizard opens with the Welcome page displayed.
Chapter 4 Getting Started
This chapter contains all the information you need in order to get started using your Safe@Office appliance.
This chapter includes the following topics:
Initial Login to the Safe@Office Portal ..... 71
Logging in to the Safe@Office Portal ..... 74
Accessing the Safe@Office Portal Remotely Using HTTPS .....
Initial Login to the Safe@Office Portal
The initial login page appears.
2. Type a password both in the Password and the Confirm password fields.
Note: The password must be five to 25 characters (letters or numbers).
Note: You can change your username and password at any time. For further information, see Changing Your Password on page 639.
3. Click OK.
The Safe@Office Setup Wizard opens, with the Welcome page displayed.
4. Configure your Internet connection using one of the following ways:
• Internet Wizard. The Internet Wizard is the first part of the Setup Wizard, and it takes you through basic Internet connection setup, step by step. For information on using the Internet Wizard, see Using the Internet Wizard on page 86.
Logging in to the Safe@Office Portal
Note: By default, HTTP and HTTPS access to the Safe@Office Portal is not allowed from the WLAN, unless you do one of the following:
• Configure a specific firewall rule to allow access from the WLAN. See Using Rules on page 360.
Or
• Enable HTTPS access from the Internet. See Configuring HTTPS on page 691.
To log in to the Safe@Office Portal
1. Do one of the following:
• Browse to http://my.firewall.
The login page appears.
2. Type your username and password.
3. Click OK.
The Welcome page appears.
Accessing the Safe@Office Portal Remotely Using HTTPS
You can access the Safe@Office Portal remotely (from the Internet) through HTTPS. HTTPS is a protocol for accessing a secure Web server. It is used to transfer confidential user information. If desired, you can also use HTTPS to access the Safe@Office Portal from your internal network.
To avoid seeing this dialog box again, install the certificate of the destination Safe@Office appliance. If you are using Internet Explorer 6, do the following:
a. Click View Certificate. The Certificate dialog box appears, with the General tab displayed.
b. Click Install Certificate. The Certificate Import Wizard opens.
c. Click Next.
d. Click Next.
e. Click Finish.
f. Click Yes.
g. Click OK. The Security Alert dialog box reappears.
h.
Using the Safe@Office Portal
The Safe@Office Portal is a Web-based management interface, which enables you to manage and configure the Safe@Office appliance operation and options. The Safe@Office Portal consists of three major elements.
Table 15: Safe@Office Portal Elements
Element: Description
Main menu: Used for navigating between the various topics (such as Reports, Security, and Setup).
Main frame: Displays information and controls related to the selected topic.
Main Menu
The main menu includes the following submenus.
Table 16: Main Menu Submenus
This submenu…: Does this…
Welcome: Displays general welcome information.
Reports: Provides reporting capabilities in terms of appliance status, traffic monitoring, active computers, established connections, and more.
Logs: Provides a general event log displaying appliance events, and a security event log displaying firewall events.
Help: Provides context-sensitive online help.
Logout: Allows you to log out of the Safe@Office Portal.
Main Frame
The main frame displays the relevant data and controls pertaining to the menu and tab you select. These elements sometimes differ depending on what model you are using. The differences are described throughout this guide.
Status Bar
The status bar is located at the bottom of each page. It displays the fields below, as well as the date and time.
Table 17: Status Bar Fields
This field…: Displays this…
Internet: Your Internet connection status. The connection status may be one of the following:
• Connected. The Safe@Office appliance is connected to the Internet.
• Connected – Probing OK. Connection probing is enabled and has detected that the Internet connectivity is OK.
Service Center: Displays your subscription services status. Your Service Center may offer various subscription services. These include the firewall service and optional services such as Web Filtering and Email Antivirus. Your subscription services status may be one of the following:
• Not Subscribed. You are not subscribed to security services.
• Connection Failed. The Safe@Office appliance failed to connect to the Service Center.
Logging Out
Logging out terminates your administration session. Any subsequent attempt to connect to the Safe@Office Portal will require re-entering the administration password.
To log out of the Safe@Office Portal
• Click Logout in the main menu.
The Login page appears.
Chapter 5 Configuring the Internet Connection
This chapter describes how to configure and work with a Safe@Office Internet connection.
This chapter includes the following topics:
Overview ..... 85
Using the Internet Wizard ..... 86
Using Internet Setup .....
Overview
You can configure your Internet connection using any of the following setup tools:
• Setup Wizard. Guides you through the Safe@Office appliance setup step by step. The first part of the Setup Wizard is the Internet Wizard. For further information on the Setup Wizard, see Setting Up the Safe@Office Appliance on page 67.
• Internet Wizard. Guides you through the Internet connection configuration process step by step.
Using the Internet Wizard
Configuring an Ethernet-Based Connection on Non-ADSL Models
To configure an Ethernet-based connection
1. Click Network in the main menu, and click the Internet tab. The Internet page appears.
2. Click Internet Wizard. The Internet Wizard opens with the Welcome page displayed.
3. Click Next.
The Internet Connection Method dialog box appears.
4. Select the Internet connection method you want to use for connecting to the Internet. If you are uncertain regarding which connection method to use, contact your xDSL provider.
Note: If you selected PPTP or PPPoE, do not use your dial-up software to connect to the Internet.
5. Click Next.
If you chose PPPoE, continue at Using a PPPoE Connection on page 89.
If you chose PPTP, continue at Using a PPTP Connection on page 91.
Using a PPPoE Connection
If you selected the PPPoE (PPP over Ethernet) connection method, the PPP Configuration dialog box appears.
1. Complete the fields using the information in the following table.
2. Click Next. The Confirmation screen appears.
3. Click Next. The system attempts to connect to the Internet via the specified connection. The Connecting… screen appears. At the end of the connection process the Connected screen appears.
4. Click Finish.
Table 18: PPPoE Connection Fields
In this field…: Do this…
Username: Type your user name.
Password: Type your password.
Confirm password: Type your password again.
Service: Type your service name. This field can be left blank.
Using a PPTP Connection
If you selected the PPTP connection method, the PPP Configuration dialog box appears.
1. Complete the fields using the information in the following table.
2. Click Next. The Confirmation screen appears.
3. Click Next. The system attempts to connect to the Internet via the specified connection. The Connecting… screen appears. At the end of the connection process the Connected screen appears.
4. Click Finish.
Table 19: PPTP Connection Fields
In this field…: Do this…
Username: Type your user name.
Password: Type your password.
Confirm password: Type your password again.
Service: Type your service name.
Server IP: Type the IP address of the PPTP modem.
Internal IP: Type the local IP address required for accessing the PPTP modem.
Subnet Mask: Select the subnet mask of the PPTP modem.
Using a Cable Modem Connection
No further settings are required for a cable modem connection.
Using a Static IP Connection
If you selected the Static IP connection method, the Static IP Configuration dialog box appears.
1. Complete the fields using the information in the following table.
2. Click Next. The Confirmation screen appears.
3. Click Next. The system attempts to connect to the Internet via the specified connection. The Connecting… screen appears. At the end of the connection process the Connected screen appears.
4. Click Finish.
Table 20: PPPoE Connection Fields
In this field…: Do this…
IP Address: Type the static IP address of your Safe@Office appliance.
Subnet Mask: Select the subnet mask that applies to the static IP address of your Safe@Office appliance.
Default Gateway: Type the IP address of your ISP's default gateway.
Primary DNS Server: Type the IP address of your ISP's primary DNS server.
Secondary DNS Server: Type the IP address of your ISP's secondary DNS server. This field is optional.
Configuring an Ethernet-Based Connection on ADSL Models
Note: In ADSL models, an Ethernet-based connection is made on the DMZ/WAN2 port.
To configure an Ethernet-based connection
1. Click Network in the main menu, and click the Internet tab. The Internet page appears.
2. Click Internet Wizard. The Internet Wizard opens with the Welcome page displayed.
3. Click Next. The Internet Connection Port dialog box appears.
4.
The Internet Connection Method dialog box appears.
6. Select the Internet connection method you want to use for connecting to the Internet.
7. Click Next.
If you chose PPPoE, continue at Using a PPPoE Connection on page 89.
If you chose PPTP, continue at Using a PPTP Connection on page 91.
If you chose Cable Modem, continue at Using a Cable Modem Connection on page 92.
If you chose Static IP, continue at Using a Static IP Connection on page 93.
Configuring a Direct ADSL Connection
To configure a direct ADSL connection
1. Click Network in the main menu, and click the Internet tab. The Internet page appears.
2. Click Internet Wizard. The Internet Wizard opens with the Welcome page displayed.
3. Click Next. The Internet Connection Port dialog box appears.
4. Click Use the ADSL port. The ADSL Connection Settings dialog box appears.
5. Do one of the following:
• To automatically fill in the supported ADSL settings for your ISP, do the following:
1) Click Search by country and ISP. The ADSL Configuration Assistant opens.
2) In the Country drop-down list, select your country.
3) In the ISP / Telco drop-down list, select your ISP or telephone company. The ADSL Configuration Assistant closes, and the fields are filled in with the correct values for your ISP.
•
6.
The Internet Connection Method dialog box appears.
7. Select the Internet connection method you want to use for connecting to the Internet.
8. Click Next.
If you chose PPPoE or PPPoA, continue at Using a PPPoE or PPPoA Connection on page 101.
If you chose Static IP, continue at Using a Static IP Connection on page 93.
If you chose DHCP, continue at Using a DHCP Connection on page 94.
Table 21: ADSL Connection Fields
In this field…: Do this…
DSL Standard: Select the standard to support for the DSL line, as specified by your ISP. This can be one of the following:
• ADSL2
• ADSL2+
• Multimode
• T.1413
• G.lite
• G.DMT
VPI Number: Type the VPI number to use for the ATM virtual path, as specified by your ISP.
VCI Number: Type the VCI number to use for the ATM virtual circuit, as specified by your ISP.
Using a PPPoE or PPPoA Connection
If you selected the PPPoE (PPP over Ethernet) or PPPoA (PPP over ATM) connection method, the PPP Configuration dialog box appears.
1. Complete the fields using the information in the following table.
2. Click Next. The Confirmation screen appears.
3. Click Next. The system attempts to connect to the Internet via the specified connection. The Connecting… screen appears. At the end of the connection process the Connected screen appears.
4.
Table 22: PPPoE Connection Fields
In this field…: Do this…
Username: Type your user name.
Password: Type your password.
Confirm password: Type your password again.
Using Internet Setup
Internet Setup allows you to manually configure your Internet connection. For information on configuring bridged Internet connections, see Adding Internet Connections to Bridges on page 233.
To configure the Internet connection using Internet Setup
1.
The Internet page appears.
2. Next to the desired Internet connection, click Edit.
The Internet Setup page appears.
3. Do one of the following:
• To configure an ADSL connection using the internal ADSL modem, continue at Configuring a Direct ADSL Connection on page 105. This option is available in ADSL models only.
• To configure an Ethernet-based connection, continue at Configuring an Ethernet-Based Connection on page 114.
• To configure a Dialup connection, continue at Configuring a Dialup Connection on page 125.
Configuring a Direct ADSL Connection
1. In the Port drop-down list, select ADSL.
2. Do one of the following:
• To automatically fill in the supported ADSL settings for your ISP, do the following:
1) Click Search by country and ISP. The ADSL Configuration Assistant opens.
2) In the Country drop-down list, select your country.
3) In the ISP / Telco drop-down list, select your ISP or telephone company. The ADSL Configuration Assistant closes.
Using a PPPoA (PPP over ATM) Connection
1. Complete the fields using the relevant information in Internet Setup Fields on page 127.
New fields appear, depending on the check boxes you selected.
2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
Using an EoA (Ethernet over ATM) Connection
1. Complete the fields using the relevant information in Internet Setup Fields on page 127.
New fields appear, depending on the check boxes you selected.
2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
Using a PPPoE (PPP over Ethernet) Connection
1. Complete the fields using the relevant information in Internet Setup Fields on page 127.
New fields appear, depending on the check boxes you selected.
2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
Using an IPoA (IP over ATM) Connection
1. Complete the fields using the relevant information in Internet Setup Fields on page 127.
New fields appear, depending on the check boxes you selected.
2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
Configuring an Ethernet-Based Connection
1. In the Port drop-down list, do one of the following:
• To configure an Ethernet-based connection through the WAN port, select WAN.
• To configure an Ethernet-based connection through the DMZ/WAN2 port, select WAN2. This option is available in non-ADSL models only.
• To configure an Ethernet-based connection through a LAN port, select the desired LAN port. This option is available with the Power Pack license only.
Using a LAN Connection
1. Complete the fields using the relevant information in Internet Setup Fields on page 127.
New fields appear, depending on the check boxes you selected.
2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
Using a Cable Modem Connection
1. Complete the fields using the relevant information in Internet Setup Fields on page 127.
New fields appear, depending on the check boxes you selected.
2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
Using a PPPoE Connection
1. Complete the fields using the relevant information in Internet Setup Fields on page 127.
New fields appear, depending on the check boxes you selected.
2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
Using a PPTP Connection
1. Complete the fields using the relevant information in Internet Setup Fields on page 127.
New fields appear, depending on the check boxes you selected.
2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
Using a Telstra (BPA) Connection
Use this Internet connection type only if you are subscribed to Telstra® BigPond™ Internet. Telstra BigPond is a trademark of Telstra Corporation Limited.
1. Complete the fields using the relevant information in Internet Setup Fields on page 127.
New fields appear, depending on the check boxes you selected.
2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
Configuring a Dialup Connection
Note: To use this connection type, you must first set up the dialup modem. For information, see Setting Up Modems on page 136.
1. In the Port drop-down list, do one of the following:
• To configure a Dialup connection on the Serial port (using a connected RS232 modem), select Serial.
• To configure a Dialup connection on a USB port (using a connected USB modem), select USBModem1.
The Connection Type field displays Dialup.
2.
New fields appear, depending on the check boxes you selected.
3. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
Configuring No Connection
1. In the Port drop-down list, select None. The fields disappear.
2. Click Apply.
Table 23: Internet Setup Fields
In this field…: Do this…
ADSL Link Settings
DSL Standard: Select the standard to support for the DSL line, as specified by your ISP.
VPI Number: Type the VPI number to use for the ATM virtual path, as specified by your ISP.
VCI Number: Type the VCI number to use for the ATM virtual circuit, as specified by your ISP.
Service: Type your service name. If your ISP has not provided you with a service name, leave this field empty.
Authentication Method: Specify the authentication method to use for PPP connections, by selecting one of the following:
• Auto. If possible, use CHAP; otherwise, use PAP. This is the default.
• PAP
• CHAP
Server IP: If you selected PPTP, type the IP address of the PPTP server as given by your ISP.
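The Authentication Method field prefers CHAP over PAP by default. The following added example (illustration only, not code from the guide or the appliance) builds the peer's authentication message for both PPP methods on constructed sample credentials, so the difference in what crosses the link is visible: PAP sends the password itself, CHAP sends an MD5 response to a fresh random challenge.

```python
"""PAP vs CHAP on the PPP link, as a worked comparison.

PAP  (RFC 1334): the peer sends Peer-ID and Password in clear text.
CHAP (RFC 1994): the authenticator sends a random Challenge Value; the
peer answers MD5(Identifier || secret || Challenge); the secret itself
never leaves the peer and a captured response cannot be reused.
The credentials below are constructed for the example.
"""
import hashlib
import hmac
import os

# Constructed sample credentials; a real ISP account would differ.
PEER_ID = b"user@isp.example"
SECRET = b"correct horse battery"


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request payload after the Code/Identifier/Length
    header: Peer-ID-Length, Peer-ID, Passwd-Length, Password."""
    return (bytes([len(peer_id)]) + peer_id
            + bytes([len(password)]) + password)


def chap_challenge(size: int = 16) -> bytes:
    """Authenticator side: a fresh random Challenge Value per attempt."""
    return os.urandom(size)


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response Value for the MD5 algorithm (RFC 1994 section 2):
    MD5 over the one-octet Identifier, the shared secret and the challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the expected value and compare it in
    constant time, so timing does not leak how many bytes matched."""
    expected = chap_response_value(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def secret_on_the_wire(method: str, challenge: bytes = b"\x00" * 16) -> bool:
    """Does the frame the peer transmits contain the secret verbatim?"""
    if method == "PAP":
        frame = pap_authenticate_request(PEER_ID, SECRET)
    elif method == "CHAP":
        # Response packet body: Value-Size, Value, Name.
        value = chap_response_value(1, SECRET, challenge)
        frame = bytes([len(value)]) + value + PEER_ID
    else:
        raise ValueError(f"unknown method {method!r}")
    return SECRET in frame


def replayed_response_accepted(secret: bytes) -> bool:
    """A response recorded against one challenge is checked against the
    next, independently chosen challenge: CHAP rejects it."""
    first_challenge = chap_challenge()
    recorded = chap_response_value(1, secret, first_challenge)
    next_challenge = chap_challenge()
    return chap_verify(2, secret, next_challenge, recorded)
```

The Auto setting in the guide falls back to PAP only when the peer does not offer CHAP, so a link that negotiates PAP is worth checking with the ISP.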
When no higher priority connection is available: Select this option to specify that the appliance should only establish a connection in the following cases:
• When no other connection exists, and the Safe@Office appliance is not acting as a Backup appliance. If another connection opens, the appliance will disconnect. For information on configuring the appliance as a Backup or Master, see Configuring High Availability on page 239.
IP Address: Type the static IP address of your Safe@Office appliance.
Subnet Mask: Select the subnet mask that applies to the static IP address of your Safe@Office appliance.
Default Gateway: Type the IP address of your ISP's default gateway.
Name Servers
Obtain Domain Name Servers automatically: Clear this option if you want the Safe@Office appliance to obtain an IP address automatically using DHCP, but not to automatically configure DNS servers.
Traffic Shaper
Shape Upstream: Link Rate: Select this option to enable Traffic Shaper for outgoing traffic. Then type a rate (in kilobits/second) slightly lower than your Internet connection's maximum measured upstream speed in the field provided. It is recommended to try different rates in order to determine which one provides the best results. For information on using Traffic Shaper, see Using Traffic Shaper on page 251.
Advanced
External IP: If you selected PPTP, type the IP address of the PPTP client as given by your ISP. If you selected PPPoE, this field is optional, and you do not have to fill it in unless your ISP has instructed you to do so.
MTU: This field allows you to control the maximum transmission unit size. As a general recommendation you should leave this field empty.
Load Balancing
Load Balancing Weight: If you are using WAN load balancing, type a value indicating the amount of traffic that should be routed through this connection relative to the other connection. For example, if you assign the primary connection a weight of 100, and you assign the secondary connection a weight of 50, twice as much traffic will be routed through the primary connection as through the secondary connection.
Dead Connection Detection
Probe Next Hop: Select this option to automatically detect loss of connectivity to the default gateway. If you selected LAN, this is done by sending ARP requests to the default gateway. If you selected PPTP, PPPoE, or Dialup, this is done by sending PPP echo reply (LCP) messages to the PPP peer. By default, if the default gateway does not respond, the Internet connection is considered to be down.
Connection Probing Method: While the Probe Next Hop option checks the availability of the next hop router, which is usually at your ISP, connectivity to the next hop router does not always indicate that the Internet is accessible. For example, if there is a problem with a different router at the ISP, the next hop will be reachable, but the Internet might be inaccessible. Connection probing is a way to detect Internet failures that are more than one hop away.
1, 2, 3: If you chose the Ping Addresses connection probing method, type the IP addresses or DNS names of the desired servers. If you chose the Probe VPN Gateway (RDP) connection probing method, type the IP addresses or DNS names of the desired VPN gateways. You can clear a field by clicking Clear.
Setting Up Dialup Modems
You can use a connected modem as a primary or secondary Internet connection method.
Setting Up an RS232 Modem
Note: Your RS232 dialup modem and your Safe@Office appliance's Serial port must be configured for the same speed. By default, the appliance's Serial port's speed is 57600 bps. For information on changing the Serial port's speed, refer to the Embedded NGX CLI Reference Guide.
To set up an RS232 dialup modem
1. Connect an RS232 dialup modem to your Safe@Office appliance's serial port.
3. Next to Serial, click Edit. The Port Setup page appears.
4. In the Assign to Network drop-down list, select Dialup.
New fields appear.
5. Complete the fields using the information in Dialup Fields on page 140.
6. Click Apply.
7. To check that the values you entered are correct, click Test. The page displays a message indicating whether the test succeeded.
8. Configure a Dialup Internet connection on the Serial port. See Using Internet Setup on page 102.
Table 24: RS232 Dialup Fields
In this field…: Do this…
Modem Type: Select the modem type. You can select one of the predefined modem types or Custom. If you selected Custom, the Installation String field is enabled. Otherwise, it is filled in with the correct installation string for the modem type.
Initialization String: Type the installation string for the custom modem type. If you selected a standard modem type, this field is read-only.
Setting Up a USB Modem
Warning: Before attaching a USB modem, ensure that the total power drawn by all connected USB devices does not exceed 2.5W per port (0.5A at 5V). If the total current consumed by a port exceeds 0.5A, a powered USB hub must be used, to avoid damage to the gateway.
To set up a USB modem
1. Connect a USB-based modem to one of your Safe@Office appliance's USB ports. For information on locating the USB ports, see Introduction on page 1.
2.
3. Next to USB, click Edit. The USB Devices page appears. If the Safe@Office appliance detected the modem, the modem is listed on the page. If the modem is not listed, check that you connected the modem correctly, then click Refresh to refresh the page.
4. Next to the modem, click Edit.
The USB Modem Setup page appears.
5. Complete the fields using the information in USB Dialup Fields on page 144.
6. Click Apply.
7. To check that the values you entered are correct, click Test. The page displays a message indicating whether the test succeeded.
8. Configure a Dialup Internet connection on the USB port. See Using Internet Setup on page 102.
Table 25: USB Dialup Fields
In this field…: Do this…
Modem Type: Select the modem type. You can select one of the predefined modem types or Custom. If you selected Custom, the Installation String field is enabled. Otherwise, it is filled in with the correct installation string for the modem type.
Initialization String: Type the installation string for the custom modem type. If you selected a standard modem type, this field is read-only.
PIN: Type the Personal Identification Number (PIN) code that you received with your cellular SIM card, if required by your modem. The PIN code is usually 4 digits long.
Warning: Entering an incorrect PIN code may cause your SIM card to be blocked.
Viewing Internet Connection Information
You can view information on your Internet connection(s) in terms of status, duration, and activity.
To view Internet connection information
1.
The Internet page appears. For an explanation of the fields on this page, see the following table.
2. To view activity information for a connection, mouse-over the information icon next to the desired connection. A tooltip displays the number of bytes sent and received through the connection.
3. To refresh the information on this page, click Refresh.
Table 26: Internet Page Fields
Field: Description
Status: Indicates the connection's status.
Duration: Indicates the connection duration, if active. The duration is given in the format hh:mm:ss, where hh = hours, mm = minutes, ss = seconds.
IP Address: Your IP address.
Enabled: Indicates whether or not the connection is enabled.
Enabling/Disabling the Internet Connection
You can temporarily disable an Internet connection. This is useful if, for example, you are going on vacation and do not want to leave your computer connected to the Internet. If you have two Internet connections, you can force the Safe@Office appliance to use a particular connection, by disabling the other connection. The Internet connection's Enabled/Disabled status is persistent through Safe@Office appliance reboots.
Using Quick Internet Connection/Disconnection
By clicking the Connect or Disconnect button (depending on the connection status) on the Internet page, you can establish a quick Internet connection using the currently-selected connection type. In the same manner, you can terminate the active connection. The Internet connection retains its Connected/Not Connected status until the Safe@Office appliance is rebooted.
Configuring WAN Load Balancing

If your network is prone to congestion, for example in large offices which include multiple active clients and/or servers, you can increase the amount of available bandwidth by configuring WAN load balancing.

To ensure full utilization of both Internet connections, the ratio between the connections' load balancing weights should reflect the ratio between the connections' bandwidths.
Note: To ensure continuous Internet connectivity, if one of the Internet connections fails, all traffic will be routed to the other connection.

To configure WAN load balancing
1. Configure the desired load balancing weight for both the primary and secondary Internet connections.
Chapter 6: Managing Your Network

This chapter describes how to manage and configure your network connection and settings.
This chapter includes the following topics:
Configuring Network Settings (page 153)
Using the Internal DNS Server (page 182)
Using Network Objects
Configuring Network Settings

Configuring the LAN Network

To configure the LAN network
1. Click Network in the main menu, and click the My Network tab.
The My Network page appears.
2. Click Edit in the LAN network's row.
The Edit Network Settings page for the LAN network appears.
3. In the Mode drop-down list, select Enabled.
The fields are enabled.
4. If desired, change your Safe@Office appliance's internal IP address. See Changing IP Addresses on page 156.
5. If desired, enable or disable Hide NAT. See Enabling/Disabling Hide NAT on page 157.
6. If desired, configure a DHCP server. See Configuring a DHCP Server on page 158.
7. Click Apply.
A warning message appears.
8. Click OK.
Changing IP Addresses

If desired, you can change your Safe@Office appliance's internal IP address, or the entire range of IP addresses in your internal network.

To change IP addresses
1. Click Network in the main menu, and click the My Network tab.
The My Network page appears.
2. In the desired network's row, click Edit.
The Edit Network Settings page appears.
3. To change the Safe@Office appliance's internal IP address, enter the new IP address in the IP Address field.
• If your computer is configured to obtain its IP address automatically (using DHCP), and the Safe@Office DHCP server is enabled, restart your computer. Your computer obtains an IP address in the new range.
• Otherwise, manually reconfigure your computer to use the new address range using the TCP/IP settings. For information on configuring TCP/IP, see TCP/IP Settings on page 54.
• If you chose to enable Hide NAT, it is enabled.

Configuring a DHCP Server

By default, the Safe@Office appliance operates as a DHCP (Dynamic Host Configuration Protocol) server. This allows the Safe@Office appliance to automatically configure all the devices on your network with their network configuration details.
Note: The DHCP server only serves computers that are configured to obtain an IP address automatically.

Enabling/Disabling the Safe@Office DHCP Server

You can enable and disable the Safe@Office DHCP Server for internal networks.

To enable/disable the Safe@Office DHCP server
1. Click Network in the main menu, and click the My Network tab.
The My Network page appears.
2. In the desired network's row, click Edit.
The Edit Network Settings page appears.
3. From the DHCP Server list, select Enabled or Disabled.
4. Click Apply.
A warning message appears.
5. Click OK.
Configuring the DHCP Address Range

By default, the Safe@Office DHCP server automatically sets the DHCP address range. The DHCP address range is the range of IP addresses that the DHCP server can assign to network devices. IP addresses outside of the DHCP address range are reserved for statically addressed computers. If desired, you can set the Safe@Office DHCP range manually.

To configure the DHCP address range
1. Click Network in the main menu, and click the My Network tab.
The DHCP IP range fields appear.
4. In the DHCP IP range fields, type the desired DHCP range.
Click Apply.
A warning message appears.
5. Click OK.
A success message appears.
6. If your computer is configured to obtain its IP address automatically (using DHCP), and either the Safe@Office DHCP server or another DHCP server is enabled, restart your computer. Your computer obtains an IP address in the new DHCP address range.
Configuring DHCP Relay

You can configure DHCP relay for internal networks.
Note: DHCP relay will not work if the appliance is located behind a NAT device.

To configure DHCP relay
1. Click Network in the main menu, and click the My Network tab.
The My Network page appears.
2. In the desired network's row, click Edit.
The Edit Network Settings page appears.
3. In the DHCP Server list, select Relay.
The Automatic DHCP range check box is disabled, and new fields appear.
4. In the Primary DHCP Server IP field, type the IP address of the primary DHCP server.
5. In the Secondary DHCP Server IP field, type the IP address of the DHCP server to use if the primary DHCP server fails.
6. Click Apply.
A warning message appears.
7. Click OK.
A success message appears.
Configuring DHCP Server Options

If desired, you can configure the following custom DHCP options for an internal network:
• Domain suffix
• DNS servers
• WINS servers
• Default gateway
• NTP servers
• VoIP call managers
• TFTP server and boot filename
• Avaya, Nortel, and Thomson IP phone configuration strings

To configure DHCP options
1. Click Network in the main menu, and click the My Network tab.
The My Network page appears.
The DHCP Server Options page appears.
4. Complete the fields using the relevant information in the following table.
New fields appear, depending on the check boxes you selected.
5. Click Apply.
6. If your computer is configured to obtain its IP address automatically (using DHCP), restart your computer. Your computer obtains an IP address in the DHCP address range.

Table 27: DHCP Server Options Fields
Domain Name: Type a default domain suffix that should be passed to DHCP clients. The DHCP client will automatically append the domain suffix when resolving non-fully qualified names. For example, if the domain suffix is set to "mydomain.com" and the client tries to resolve the name "mail", the suffix is automatically appended to the name, resulting in "mail.mydomain.com".
Automatically assign default gateway: Clear this option if you do not want the DHCP server to pass the current gateway IP address to DHCP clients as the default gateway's IP address. Normally, it is recommended to leave this option selected. When the option is cleared, the Default Gateway field is enabled.
Default Gateway: Type the IP address to pass to DHCP clients as the default gateway, instead of the current gateway IP address.
Nortel IP Phone: To enable Nortel IP phones to receive their configuration, type the phone's configuration string.
Thomson IP Phone: To enable Thomson IP phones to receive their configuration, type the phone's configuration string.

Configuring a DMZ Network

In addition to the LAN network, you can define a second internal network called a DMZ (demilitarized zone) network.
The Ports page appears.
3. Next to the DMZ/WAN2 port, click Edit.
The Port Setup page appears.
4. In the Assign to network drop-down list, select DMZ.
5. Click Apply.
A warning message appears.
6. Click OK.
7. Click Network in the main menu, and click the My Network tab.
The My Network page appears.
8. In the DMZ network's row, click Edit.
The Edit Network Settings page appears.
9. In the Mode drop-down list, select Enabled.
The fields are enabled.
10. In the IP Address field, type the IP address of the DMZ network's default gateway.
Note: The DMZ network must not overlap other networks.
11. In the Subnet Mask drop-down list, select the DMZ's internal network range.
12. If desired, enable or disable Hide NAT. See Enabling/Disabling Hide NAT on page 157.
13. If desired, configure a DHCP server. See Configuring a DHCP Server on page 158.
14. Click Apply.
A warning message appears.
15. Click OK.
A success message appears.
Note: OfficeMode requires either Check Point SecureClient or an L2TP client to be installed on the VPN clients. It is not supported by Check Point SecuRemote. When OfficeMode is not supported by the VPN client, traditional mode will be used instead.

To configure the OfficeMode network
1. Click Network in the main menu, and click the My Network tab.
The My Network page appears.
2. In the OfficeMode network's row, click Edit.
The Edit Network Settings page appears.
Configuring VLANs

Your Safe@Office appliance allows you to partition your network into several virtual LAN networks (VLANs). A VLAN is a logical network behind the Safe@Office appliance. Computers in the same VLAN behave as if they were on the same physical network: traffic flows freely between them, without passing through a firewall. In contrast, traffic between a VLAN and other networks passes through the firewall and is subject to the security policy.

The Safe@Office appliance supports the following VLAN types:
• Tag-based
In a tag-based VLAN, you use one of the gateway's ports as an 802.1Q VLAN trunk, connecting the appliance to a VLAN-aware switch. Each VLAN behind the trunk is assigned an identifying number called a "VLAN ID", also referred to as a "VLAN tag". All outgoing traffic from a tag-based VLAN contains the VLAN's tag in the packet headers.
• Port-based
Port-based VLAN allows assigning the appliance's LAN ports to VLANs, effectively transforming the appliance's four-port switch into up to four firewall-isolated security zones. You can assign multiple ports to the same VLAN, or each port to a separate VLAN. Port-based VLAN does not require an external VLAN-capable switch, and is therefore simpler to use than tag-based VLAN. However, port-based VLAN is limited by the number of appliance LAN ports.
• Wireless Distribution System (WDS) links
In wireless Safe@Office models, you can extend the primary WLAN's coverage area by creating a Wireless Distribution System (WDS). A WDS is a system of access points that communicate with each other wirelessly, without any need for a wired backbone. WDS is usually used together with bridge mode to connect the networks behind the access points. To create a WDS, you must add WDS links between the desired access points.
Adding and Editing Port-Based VLANs

To add or edit a port-based VLAN
1. Click Network in the main menu, and click the My Network tab.
The My Network page appears.
2. Do one of the following:
• To add a VLAN, click Add Network.
• To edit a VLAN, click Edit in the desired VLAN's row.
The Edit Network Settings page for VLAN networks appears.
3. In the Network Name field, type a name for the VLAN.
4. In the Type drop-down list, select Port Based VLAN.
5. In the Mode drop-down list, select Enabled.
The fields are enabled.
6. In the IP Address field, type the IP address of the VLAN network's default gateway.
Note: The VLAN network must not overlap other networks.
7. In the Subnet Mask field, type the VLAN's internal network range.
8. If desired, enable or disable Hide NAT. See Enabling/Disabling Hide NAT on page 157.
9. If desired, configure a DHCP server. See Configuring a DHCP Server on page 158.
10. Click Apply.
Adding and Editing Tag-Based VLANs

To add or edit a tag-based VLAN
1. Click Network in the main menu, and click the My Network tab.
The My Network page appears.
2. Do one of the following:
• To add a VLAN, click Add Network.
• To edit a VLAN, click Edit in the desired VLAN's row.
The Edit Network Settings page for VLAN networks appears.
3. In the Network Name field, type a name for the VLAN.
4. In the Type drop-down list, select Tag Based VLAN.
11. Click Apply.
A warning message appears.
12. Click OK.
A success message appears.
13. Click Network in the main menu, and click the Ports tab.
The Ports page appears.
14. In the DMZ/WAN2 drop-down list, select VLAN Trunk.
15. Click Apply.
The DMZ/WAN2 port now operates as a VLAN Trunk port. In this mode, it will not accept untagged packets.
16. Configure a VLAN trunk (802.1Q) port on the VLAN-aware switch, according to the vendor instructions.
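The tag-based VLAN behaviour described above (each VLAN's tag carried in the frame header, and a trunk port that does not accept untagged packets), shown as an added Python example that is not part of the guide or of the appliance's own code; the VLAN IDs, MAC addresses and frames are constructed sample data.

```python
# Added example, not from the Safe@Office guide: decode the 802.1Q tag of an
# Ethernet frame and apply the trunk-port rule above, where a port operating as a
# VLAN trunk forwards only frames tagged with a VLAN ID defined behind the trunk
# and does not accept untagged frames. The frames and VLAN IDs below are constructed.
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ETHERTYPE_8021Q = 0x8100   # TPID that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class Frame:
    dst_mac: str
    src_mac: str
    vlan_id: Optional[int]   # None when the frame carries no 802.1Q tag
    pcp: int                 # 802.1p priority bits from the tag (0 if untagged)
    ethertype: int           # EtherType of the encapsulated payload
    payload: bytes


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, decoding a single 802.1Q tag if one is present."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    offset, vlan_id, pcp = 14, None, 0
    if ethertype == ETHERTYPE_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        pcp = tci >> 13             # top 3 bits: priority code point
        vlan_id = tci & 0x0FFF      # low 12 bits: VLAN ID
        offset = 18
    return Frame(_mac_str(dst), _mac_str(src), vlan_id, pcp, ethertype, raw[offset:])


def trunk_decision(frame: Frame, configured_vlans: Set[int]) -> str:
    """Return "forward" or a drop reason for a frame received on the VLAN trunk port."""
    if frame.vlan_id is None:
        return "drop: untagged frame on trunk port"
    if frame.vlan_id in (0, 4095):
        # VID 0 marks a priority-only tag and 4095 is reserved by 802.1Q
        return "drop: reserved VLAN ID"
    if frame.vlan_id not in configured_vlans:
        return f"drop: VLAN {frame.vlan_id} not defined behind this trunk"
    return "forward"


def build_frame(dst: str, src: str, vlan_id: Optional[int], payload: bytes) -> bytes:
    """Build a constructed sample frame, tagged when vlan_id is given."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is None:
        return header + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = vlan_id & 0x0FFF          # PCP 0, DEI 0
    return header + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4) + payload


def filter_trunk(frames: List[bytes], configured_vlans: Set[int]) -> List[Tuple[Optional[int], str]]:
    """Decode each frame and return (VLAN ID, decision) pairs."""
    return [(f.vlan_id, trunk_decision(f, configured_vlans)) for f in map(parse_frame, frames)]


if __name__ == "__main__":
    vlans = {10, 20}   # VLAN IDs configured as tag-based VLANs behind the trunk
    samples = [
        build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 10, b"\x45" + b"\x00" * 19),
        build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:66", None, b"\x45" + b"\x00" * 19),
        build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:77", 30, b"\x45" + b"\x00" * 19),
    ]
    for vid, verdict in filter_trunk(samples, vlans):
        print(vid, verdict)
```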
4. In the desired VLAN's row, click Erase.
A confirmation message appears.
5. Click OK.
The VLAN is deleted.

Using the Internal DNS Server

The Safe@Office appliance includes an internal DNS server, which can resolve DNS names for hosts defined as network objects. Each host is assigned a DNS name in the format .

Enabling the Internal DNS Server

To enable the internal DNS server
1. Click Setup in the main menu, and click the DNS Server tab.
The DNS Server page appears.
2. Select the Enable the Internal DNS Server check box.
The Domain Name Suffix field appears.
3. In the Domain Name Suffix field, type the desired domain name suffix.
Using Network Objects

You can add individual computers or networks as network objects. This enables you to configure various settings for the computer or network represented by the network object. You can configure the following settings for a network object:
• Static NAT (or One-to-One NAT)
Static NAT allows the mapping of Internet IP addresses or address ranges to hosts inside the internal network.
• Assign the network object's IP address to a MAC address
Normally, the Safe@Office DHCP server consistently assigns the same IP address to a specific computer. However, if the Safe@Office DHCP server runs out of IP addresses and the computer is down, then the DHCP server may reassign the IP address to a different computer. If you want to guarantee that a particular computer's IP address remains constant, you can reserve the IP address for use by the computer's MAC address only.

Adding and Editing Network Objects

You can add or edit network objects via:
• The Network Objects page
This page enables you to add both individual computers and networks.
• The My Computers page
This page enables you to add only individual computers as network objects. The computer's details are filled in automatically in the wizard.

To add or edit a network object via the Network Objects page
1. Click Network in the main menu, and click the Network Objects tab.
2. Do one of the following:
• To add a network object, click New.
• To edit an existing network object, click the Edit icon next to the desired computer in the list.
The Safe@Office Network Object Wizard opens, with the Step 1: Network Object Type dialog box displayed.
3. Do one of the following:
• To specify that the network object should represent a single computer or device, click Single Computer.
4. Click Next.
The Step 2: Computer Details dialog box appears. If you chose Single Computer, the dialog box includes the Reserve a fixed IP address for this computer option. If you chose Network, the dialog box does not include this option.
5. Complete the fields using the information in the tables below.
6. Click Next.
The Step 3: Save dialog box appears.
7. Type a name for the network object in the field.
8. Click Finish.

To add or edit a network object via the My Computers page
1. Click Reports in the main menu, and click the My Computers tab.
The My Computers page appears. If a computer has not yet been added as a network object, the Add button appears next to it. If a computer has already been added as a network object, the Edit button appears next to it.
2. Do one of the following:
• To add a network object, click Add next to the desired computer.
• To edit a network object, click Edit next to the desired computer.
The Safe@Office Network Object Wizard opens, with the Step 1: Network Object Type dialog box displayed.
The computer's IP address and MAC address are automatically filled in.
5. Complete the fields using the information in the tables below.
6. Click Next.
The Step 3: Save dialog box appears with the network object's name. If you are adding a new network object, this name is the computer's name.
7. To change the network object name, type the desired name in the field.
8. Click Finish.
The new object appears in the Network Objects page.

Exclude this computer from 802.1x Port Security: Select this option to exclude this computer from 802.1x port-based security enforcement. The computer will be able to connect to the Safe@Office appliance's ports and access the network without authenticating.
Perform Static NAT (Network Address Translation): Select this option to map the local computer's IP address to an Internet IP address. You must then fill in the External IP field.
External IP

Table 29: Network Object Fields for a Network
IP Range: Type the range of local computer IP addresses in the network.
Perform Static NAT (Network Address Translation): Select this option to map the network's IP address range to a range of Internet IP addresses of the same size. You must then fill in the External IP Range field.
External IP Range: Type the Internet IP address range to which you want to map the network's IP address range.
Viewing and Deleting Network Objects

To view or delete a network object
1. Click Network in the main menu, and click the Network Objects tab.
The Network Objects page appears with a list of network objects.
2. To delete a network object, do the following:
a. In the desired network object's row, click Erase.
A confirmation message appears.
b. Click OK.
The network object is deleted.

Configuring Network Service Objects

Adding and Editing Network Service Objects

To add or edit a network service object
1. Click Network in the main menu, and click the Network Services tab.
The Network Services page appears with a list of network service objects.
2. Do one of the following:
• To add a network service object, click New.
• To edit an existing network service object, click Edit next to the desired object in the list.
The Safe@Office Network Service Wizard opens, with the Step 1: Network Service Details dialog box displayed.
3. Complete the fields using the information in the table below.
4. Click Next.
The Step 2: Network Service Name dialog box appears.
5. Type a name for the network service object in the field.
6. Click Finish.

Table 30: Network Service Fields
Protocol: Select the network service's IP protocol. If you select Other, the Protocol Number field appears. If you select TCP or UDP, the Port Ranges field appears.
Protocol Number: Type the number of the network service's IP protocol.
Port Ranges: Type the network service's port or port ranges. Multiple ports or port ranges must be separated by commas.
Using Static Routes

A static route is a setting that explicitly specifies the route to use for packets, according to one of the following criteria:
• The packet's source IP address and/or destination IP address
• The network service used to send the packet
Packets that match the criteria for a specific static route are sent to the route's defined destination, or next hop, which can be a specific gateway's IP address or an Internet connection.

The Static Routes page lists all existing routes, including the default, and indicates whether each route is currently "Up" (reachable) or not.

Adding and Editing Static Routes

To add a static route
1. Click Network in the main menu, and click the Routes tab.
The Static Routes page appears, with a list of existing static routes.
2. Do one of the following:
• To add a static route, click New Route.
The Static Route Wizard opens, displaying the Step 1: Source and Destination dialog box.
3. Complete the fields using the relevant information in the following table.
4. Click Next.
The Step 2: Next Hop and Metric dialog box appears.
5. Complete the fields using the relevant information in the following table.
6. Click Next.
The new static route is saved.

Table 31: Static Route Fields
Source: Specify the source network (source routing). This can be either of the following:
• ANY. This route applies to packets originating in any network.
• Specified Network. This route applies to packets originating in a specific network. The Network and Netmask fields appear. Type the source network's IP address.
Service: Specify the service used to send packets (service routing). This can be either of the following:
• ANY. This route applies to packets sent using any service.
• A specific service or network service object.
Note: When defining a static route for a specific service, the Source and Destination fields must be set to ANY.
Next Hop IP: Specify the next hop to which packets should be sent. This can be any of the following:
• Specified IP.
Metric
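The route selection that Table 31 describes (source, destination and service routing, the rule that a service route must leave Source and Destination as ANY, and the "Up" status from the Static Routes page), as an added Python example that is not from the guide or the appliance; it also models the comma-separated Port Ranges field of Table 30. It assumes that a lower metric is preferred when several routes match, which the page does not state, and the route names, addresses and services are constructed.

```python
# Added example, not from the Safe@Office guide: a small model of the static route
# selection described in Table 31 and the Port Ranges field of Table 30.
# Assumptions not stated on the page: a lower metric wins when several routes match,
# and only routes that are "Up" are considered. All data below is constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRanges = Tuple[Tuple[int, int], ...]


def parse_port_ranges(text: str) -> PortRanges:
    """Parse the Port Ranges field, e.g. "80,443,8000-8080", with validation."""
    ranges = []
    for item in text.split(","):
        item = item.strip()
        lo, _, hi = item.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 0 < lo_i <= hi_i <= 65535:
            raise ValueError(f"invalid port range: {item!r}")
        ranges.append((lo_i, hi_i))
    return tuple(ranges)


@dataclass(frozen=True)
class Service:
    """Network service object: an IP protocol plus optional TCP/UDP port ranges."""
    protocol: str                 # "TCP", "UDP", or another protocol name
    ports: PortRanges = ()        # empty means any port (e.g. non-TCP/UDP protocols)

    def matches(self, protocol: str, port: Optional[int]) -> bool:
        if protocol != self.protocol:
            return False
        if not self.ports:
            return True
        return port is not None and any(lo <= port <= hi for lo, hi in self.ports)


@dataclass
class Route:
    name: str
    source: Optional[ipaddress.IPv4Network]       # None means ANY
    destination: Optional[ipaddress.IPv4Network]  # None means ANY
    service: Optional[Service]                    # None means ANY
    next_hop: str        # gateway IP address or the name of an Internet connection
    metric: int
    up: bool = True      # the "Up" (reachable) status shown on the Static Routes page

    def __post_init__(self) -> None:
        # Table 31: a route for a specific service must leave Source and Destination as ANY
        if self.service is not None and (self.source is not None or self.destination is not None):
            raise ValueError(f"{self.name}: service routes require Source and Destination = ANY")

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address,
                protocol: str, port: Optional[int]) -> bool:
        if self.source is not None and src not in self.source:
            return False
        if self.destination is not None and dst not in self.destination:
            return False
        return self.service is None or self.service.matches(protocol, port)


def select_next_hop(routes: List[Route], src: str, dst: str, protocol: str,
                    port: Optional[int], default_hop: str = "Primary Internet Connection") -> str:
    """Next hop for a packet: the lowest-metric matching route that is Up, else the default route."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if r.up and r.matches(src_ip, dst_ip, protocol, port)]
    if not candidates:
        return default_hop
    return min(candidates, key=lambda r: r.metric).next_hop


def sample_routes() -> List[Route]:
    """Constructed sample route table (names, networks and hops are made up)."""
    net = ipaddress.IPv4Network
    sip = Service("UDP", parse_port_ranges("5060,10000-20000"))
    return [
        Route("branch-office", None, net("192.168.50.0/24"), None, "192.168.1.254", metric=5),
        Route("branch-backup", None, net("192.168.50.0/24"), None, "192.168.1.253", metric=20),
        Route("voip-via-sip-gw", None, None, sip, "10.0.0.254", metric=10),
        Route("old-mpls", None, net("10.20.0.0/16"), None, "192.168.1.250", metric=1, up=False),
    ]


if __name__ == "__main__":
    routes = sample_routes()
    for pkt in [("192.168.1.10", "192.168.50.7", "TCP", 22),
                ("192.168.1.10", "203.0.113.5", "UDP", 5060),
                ("192.168.1.10", "10.20.3.4", "TCP", 443)]:
        print(pkt, "->", select_next_hop(routes, *pkt))
```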
Viewing and Deleting Static Routes

To view or delete a static route
1. Click Network in the main menu, and click the Routes tab.
The Static Routes page appears, with a list of existing static routes.
2. To refresh the view, click Refresh.
3. To delete a route, do the following:
a. In the desired route's row, click Erase.
A confirmation message appears.
b. Click OK.
The route is deleted.
Managing Ports

The Safe@Office appliance enables you to quickly and easily assign its ports to different uses, as shown in the following table. If desired, you can also disable ports.

Table 32: Ports and Assignments
LAN 1-4: LAN network; a WAN Internet connection; a port-based VLAN; a VLAN that is dynamically assigned by a RADIUS server, as part of an 802.
USB: Printers; USB-based modems.

The Safe@Office appliance also allows you to restrict each port to a specific link speed and duplex setting and to configure its security scheme. For information on port-based security, see Using Port-Based Security on page 374.

Viewing Port Statuses

You can view the status of the Safe@Office appliance's ports on the Ports page, including each Ethernet connection's duplex state.
The Ports page appears.
In ADSL models, this page appears as follows:
The page displays the information for each port, as described in the following table.
2. To refresh the display, click Refresh.

Table 33: Ports Fields
Assign To: The port's current assignment. For example, if the DMZ/WAN2 port is currently used for the DMZ, the field displays "DMZ".
Status: The port's current status. Ethernet ports can have the following statuses:
• The detected link speed and duplex (Full Duplex or Half Duplex): The port is in use.
• No Link: The appliance does not detect anything connected to the port.
• Disabled: The port is disabled. For example, the DMZ/WAN2 port's status will be "Disabled" if the port is assigned to "None", or if it is assigned to "DMZ" and the DMZ is disabled.
The ADSL port can have the following statuses:
• Sync OK: The ADSL modem synchronized with the ADSL service provider.
• No Sync: The ADSL modem failed to synchronize with the ADSL service provider. Check that a micro-filter is properly connected, and check that your DSL Standard setting is compatible with your service provider. You can view this setting in the Network > Internet Setup page.
802.1x: The port's security scheme. This can be any of the following:
• N/A: No security scheme is defined for the port.
• Unauthorized: An 802.1x security scheme is defined for the port. Users have not yet connected to the port and attempted to authenticate, or a user failed to authenticate and no Quarantine network is configured.
• Authorized (network): An 802.1x security scheme is defined for the port.
Modifying Port Assignments

You can assign ports to different networks or purposes. Since modifying port assignments often requires additional configurations, use the following table to determine which procedure you should use.

Table 34: Modifying Port Assignments
No network: The procedure below. This disables the port.
LAN: The procedure below.
VLAN or VLAN Trunk: Configuring VLANs on page 174.
A WAN Internet connection: The procedure below.
A USB-based modem: Setting Up a USB Modem on page 141.

To modify a port assignment
1. Click Network in the main menu, and click the Ports tab.
The Ports page appears.
2. Next to the desired port, click Edit.
The Port Setup page appears.
3. In the Assign to Network drop-down list, do one of the following:
• To assign a network port to the LAN, select LAN.
• To configure a network port for use with a WAN Internet connection, select Internet.
• To disable a network port, select None.
• To disable the Serial port, select Disabled.
4. Click Apply.
A warning message appears.
5. Click OK.
The port is reassigned to the specified network or purpose.

Modifying Link Configurations

By default, the Safe@Office appliance automatically detects the link speed and duplex. If desired, you can manually restrict the appliance's ports to a specific link speed and duplex setting.

To modify a port's link configuration
Resetting Ports to Defaults

You can reset the Safe@Office appliance's ports to their default link configurations ("Automatic Detection") and default assignments (shown in the following table).

Table 35: Default Port Assignments
LAN 1-4: LAN
DMZ / WAN2: DMZ
WAN: This port is always assigned to the WAN.
ADSL: This port is always assigned to the WAN.
Serial: Console

Note: Resetting ports to their defaults may result in the loss of your Internet connection.

Resetting All Ports to Defaults

To reset all ports to defaults
1. Click Network in the main menu, and click the Ports tab.
The Ports page appears.
2. Click Default.
A confirmation message appears.
3. Click OK.
All ports are reset to their default assignments and to "Automatic Detection" link configuration.

Resetting Individual Ports to Defaults

To reset a port to defaults
1. Click Network in the main menu, and click the Ports tab.
The Ports page appears.
Chapter 7: Using Bridges

This chapter describes how to connect multiple network segments at the data-link layer, using a bridge.
This chapter includes the following topics:
Overview (page 217)
Workflow (page 223)
Adding and Editing Bridges

Overview

directly, with no firewall filtering the traffic between them. The network interfaces operate as if they were connected by a hub or switch.

For example, if you assign the LAN and primary WLAN networks to a bridge and disable the bridge's internal firewall, the two networks will act as a single, seamless network, and only traffic from the LAN and primary WLAN networks to other networks (for example, the Internet) will be inspected by the firewall. If you enable the internal firewall, it will enforce security rules and inspect traffic between the LAN and primary WLAN networks.

• Transparent roaming
In a routed network, if a host is physically moved from one network area to another, then the host must be configured with a new IP address. However, in a bridged network, there is no need to reconfigure the host, and work can continue with minimal interruption.

The Safe@Office appliance allows you to configure anti-spoofing for bridged network segments.

How Does Bridge Mode Work?

Bridges operate at layer 2 of the OSI model; therefore, adding a bridge to an existing network is completely transparent and does not require any changes to the network's structure. Each bridge maintains a forwarding table, which consists of associations.

Multiple Bridges and Spanning Tree Protocol

When using multiple bridges, you can enable fault tolerance and optimal packet routing by configuring Spanning Tree Protocol (STP, IEEE 802.1d). When STP is enabled, each bridge communicates with its neighboring bridges or switches to discover how they are interconnected. This information is then used to eliminate loops, while providing optimal routing of packets.

Figure 22: Link Redundancy with STP

Workflow

To use a bridge
1. Add a bridge. See Adding and Editing Bridges on page 224.
2. Add the desired internal networks to the bridge. See Adding Internal Networks to Bridges on page 228.
3. Add the desired Internet connections to the bridge. See Adding Internet Connections to Bridges on page 233.
4. If you enabled the firewall between networks on this bridge, add security rules and VStream Antivirus rules as needed.
For information on adding security rules, see Adding and Editing Rules on page 364. For information on adding VStream Antivirus rules, see Adding and Editing VStream Antivirus Rules on page 473.

Adding and Editing Bridges

To add or edit a bridge
1. Click Network in the main menu, and click the My Network tab.
The My Network page appears.
2. Do one of the following:
• To add a bridge, click Add Bridge.
• To edit a bridge, click Edit in the desired bridge's row.
The Bridge Configuration page appears.
3. Complete the fields using the following table.
4. Click Apply.
A success message appears.

Table 36: Bridge Configuration Fields
Network Name: Type a name for the bridge.
Firewall Between Members: Specify whether the firewall should be enabled between networks on this bridge, by selecting one of the following:
• Enabled. The firewall is enabled, and it will inspect traffic between networks on the bridge, enforcing firewall rules and SmartDefense protections. This is the default value.
• Disabled.
Non IP Traffic
Bridge Priority: Select this bridge's priority. The bridge's priority is combined with a bridged network's MAC address to create the bridge's ID. The bridge with the lowest ID is elected as the root bridge. The other bridges in the tree calculate the shortest distance to the root bridge, in order to eliminate loops in the topology and provide fault tolerance. To increase the chance of this bridge being elected as the root bridge, select a lower priority.
Adding Internal Networks to Bridges

Note: In order to add a VLAN of any type (port-based, tag-based, VAP, or WDS link) to the bridge, you must first create the desired VLAN. For information on adding port-based VLANs, see Adding and Editing Port-Based VLANs on page 178. For information on adding tag-based VLANs, see Adding and Editing Tag-Based VLANs on page 180. For information on adding VAPs, see Configuring Virtual Access Points on page 294.

New fields appear.
4. Complete these fields as described below. If the assigned bridge uses STP, additional fields appear.
5. Click Apply. A warning message appears.
6. Click OK. A success message appears. In the My Network page, the internal network appears indented under the bridge.

Table 37: Bridged Network Fields

Assign to Bridge
  Select the bridge to which the connection should be assigned.
Bridge Anti-Spoofing
  Select this option to enable anti-spoofing. If anti-spoofing is enabled, only IP addresses within the Allowed IP Range can be source IP addresses for packets on this network.
Allowed IP Range
  Type the range of IP addresses that should be allowed on this network.
Spanning Tree Protocol - Port Priority
  Select the port's priority. The port's priority is combined with the port's logical number to create the port's ID. The port with the lowest ID is elected as the root port, which forwards frames out of the bridge. The other ports in the bridge calculate the least-cost path to the root port, in order to eliminate loops in the topology and provide fault tolerance.
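The elections that the Bridge Priority field (Table 36) and the Port Priority field (Table 37) feed into, as an added example that is not part of the guide. It assumes the 802.1D layout for the combined IDs (priority in the high-order bits, MAC address or logical port number in the low-order bits); the guide only says the values are "combined" and that the lowest ID wins. Bridge names and MAC addresses are constructed.

```python
"""
Added example (not from the Safe@Office guide): how Bridge Priority and
Spanning Tree Protocol - Port Priority decide STP elections.

Assumption: IDs are formed the 802.1D way, priority in the high-order bits,
MAC address (bridge ID) or logical port number (port ID) in the low-order
bits. The guide states only that the two values are combined and that the
lowest ID wins.
"""
from typing import Optional

MAC_BITS = 48
PORT_NUMBER_BITS = 8


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' (colon or dash separated) into an integer."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def bridge_id(priority: int, mac: str) -> int:
    """Bridge ID = priority above the 48-bit MAC.

    A lower priority therefore always beats a higher one; MAC addresses only
    decide between bridges configured with the same priority.
    """
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("bridge priority must be a 16-bit value")
    return (priority << MAC_BITS) | mac_to_int(mac)


def port_id(priority: int, logical_number: int) -> int:
    """Port ID = port priority above the logical port number (8 bits each assumed)."""
    if not 0 <= priority <= 0xFF or not 0 <= logical_number <= 0xFF:
        raise ValueError("port priority and logical number must be 8-bit values")
    return (priority << PORT_NUMBER_BITS) | logical_number


def elect_root_bridge(bridges: dict) -> str:
    """bridges maps a bridge name to (priority, MAC). The lowest ID is root."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def elect_root_port(ports: dict) -> str:
    """ports maps a port name to (port priority, logical number).

    The lowest port ID wins, as the guide's Port Priority field describes.
    """
    return min(ports, key=lambda name: port_id(*ports[name]))


def priority_to_guarantee_root(mac: str, others: list) -> Optional[int]:
    """Highest priority value that still makes the bridge with `mac` the root
    against `others` (a list of (priority, MAC) pairs).

    Without this, the root is whichever unit happens to carry the lowest MAC,
    which is not a choice an administrator made. Returns None when no value
    can win (a competitor already has priority 0 and a lower MAC).
    """
    best = min(bridge_id(p, m) for p, m in others)
    other_priority = best >> MAC_BITS
    other_mac = best & ((1 << MAC_BITS) - 1)
    if mac_to_int(mac) < other_mac:
        return other_priority          # equal priority, our lower MAC wins
    if other_priority == 0:
        return None
    return other_priority - 1


if __name__ == "__main__":
    # Constructed topology: three bridges left at the same priority.
    lan = {
        "office-bridge": (32768, "00:11:22:33:44:0a"),
        "lab-bridge": (32768, "00:11:22:33:44:05"),
        "guest-bridge": (32768, "00:11:22:33:44:ff"),
    }
    print("root with equal priorities:", elect_root_bridge(lan))   # decided by MAC alone
    lan["office-bridge"] = (4096, "00:11:22:33:44:0a")
    print("root after lowering office-bridge priority:", elect_root_bridge(lan))
    print("priority that makes guest-bridge root:",
          priority_to_guarantee_root("00:11:22:33:44:ff", [lan["office-bridge"], lan["lab-bridge"]]))
```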
Adding Internet Connections to Bridges

To add an Internet connection to a bridge
1. Click Network in the main menu, and click the Internet tab. The Internet page appears.
2. Next to the desired Internet connection, click Edit. The Internet Setup page appears.
3. In the Port drop-down list, specify the port that the Internet connection should use, by doing one of the following:
   • To use the ADSL port, select ADSL. This option is available in ADSL models only.
New fields appear.
5. Complete the fields specified in the table below.
6. Complete the rest of the fields using the relevant information in Internet Setup Fields on page 127. New fields appear, depending on the selected options, and whether the selected bridge uses STP.
7. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.

Table 38: Bridged Connection Fields

Bridge Mode
  Select this option to configure a Bridged PPPoA connection. The Bridge To field appears. This field is relevant for Bridged PPPoA connections only.
Bridge To
  Select the bridge to which you want to add the PPPoA connection. This field is relevant for Bridged PPPoA connections only.
Assign to Bridge
  Select the bridge to which the connection should be assigned.
Spanning Tree Protocol - Port Priority
  Select the port's priority. The port's priority is combined with the port's logical number to create the port's ID. The port with the lowest ID is elected as the root port, which forwards frames out of the bridge. The other ports in the bridge calculate the least-cost path to the root port, in order to eliminate loops in the topology and provide fault tolerance.
Deleting Bridges

To delete a bridge
1. Remove all internal networks from the bridge, by doing the following for each network:
   a. Click Network in the main menu, and click the My Network tab. The My Network page appears.
   b. Click Edit in the desired network's row.
   c. In the Mode drop-down list, select Enabled.
   d. Click Apply.
2. Remove all Internet connections from the bridge, by doing the following for each connection:
   a.
Chapter 8
Configuring High Availability

This chapter describes how to configure High Availability (HA) for two or more Safe@Office appliances.

This chapter includes the following topics:
Overview, page 239
Configuring High Availability on a Gateway, page 242
Sample Implementation on Two Gateways
Overview

4. When a gateway that was offline comes back online, or a gateway's priority changes, the gateway sends a heartbeat notifying the other gateways in the cluster. If the gateway's priority is now the highest, it becomes the Active Gateway.

The Safe@Office appliance supports Internet connection tracking, which means that each appliance tracks its Internet connection's status and reduces its own priority by a user-specified amount, if its Internet connection goes down.

Note: To use a WAN virtual IP address, the Internet connection method must be "Static IP". PPP-based connections and dynamic IP connections are not supported.

Before configuring HA, the following requirements must be met:
• You must have at least two identical Safe@Office appliances.
• The appliances must have identical firmware versions and firewall rules.
• The appliances' internal networks and bridges must be the same.
Configuring High Availability on a Gateway

The following procedure explains how to configure HA on a single gateway. You must perform this procedure on each Safe@Office appliance that you want to include in the HA cluster.

To configure HA on a Safe@Office appliance
1. Set the appliance's internal IP addresses and network range. Each appliance must have a different internal IP address. See Changing IP Addresses on page 156.
2.
The fields are enabled.
4. Next to each network for which you want to enable HA, select the HA check box. The Internet-Primary field represents the WAN interface, and the Internet-Secondary field represents the WAN2 interface.
5. In the Virtual IP field, type the default gateway IP address. This can be any unused IP address in the network, and must be the same for all gateways. You can assign a virtual IP address to any internal interface, as well as to "LAN Static IP" Internet connections (that is, LAN connections for which the Obtain IP address automatically (using DHCP) check box is cleared).
6. Click the Synchronization radio button next to the network you want to use as the synchronization interface.

Table 39: High Availability Page Fields

Priority
My Priority
  Type the gateway's priority. This must be an integer between 1 and 255.
Internet Connection Tracking
Internet - Primary
  Type the amount to reduce the gateway's priority if the primary Internet connection goes down. This must be an integer between 0 and 255.
Internet - Secondary
  Type the amount to reduce the gateway's priority if the secondary Internet connection goes down.
DMZ
  Type the amount to reduce the gateway's priority if the DMZ / WAN2 port's Ethernet link is lost. This must be an integer between 0 and 255.
When in passive state
Disable VPN
  Select this option to specify that VPN connectivity should be disabled when the gateway is a Passive Gateway.
Sample Implementation on Two Gateways

The following procedure illustrates how to configure HA for the following two Safe@Office gateways, Gateway A and Gateway B:

Table 40: Gateway Details

                          Gateway A               Gateway B
Internal Networks         LAN, DMZ                LAN, DMZ
Internet Connections      Primary and secondary   Primary only
LAN Network IP Address    192.169.100.1           192.169.100.2
LAN Network               255.255.255.0           255.255.255.0
DMZ Network IP Address    192.169.101.1           192.169.101.

3. Connect the LAN network computers of Gateways A and B to hub 1.
4. Connect the DMZ network computers of Gateways A and B to hub 2.
5. Do the following on Gateway A:
   a. Set the gateway's internal IP addresses and network range to the values specified in the table above. See Changing IP Addresses on page 156.
   b. Click Setup in the main menu, and click the High Availability tab. The High Availability page appears.
   c.
6. Do the following on Gateway B:
   a. Set the gateway's internal IP addresses and network range to the values specified in the table above. See Changing IP Addresses on page 156.
   b. Click Setup in the main menu, and click the High Availability tab. The High Availability page appears.
   c. Select the Gateway High Availability check box. The Gateway High Availability area is enabled. The LAN and DMZ networks are listed.
   d. Next to LAN, select the HA check box.
   e.
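The priority arithmetic from the Overview and the High Availability page fields, applied to a two-gateway cluster laid out like the sample above (A with primary and secondary Internet connections, B with a primary only), as an added example that is not part of the guide. The priority and reduction values are constructed, and two rules the guide does not state are assumptions: a reduced priority is floored at 0, and a tie keeps the current Active Gateway.

```python
"""
Added example (not from the Safe@Office guide): which HA cluster member is
Active once Internet connection tracking has reduced priorities.

Assumptions the guide does not state: a gateway's priority never drops
below 0, and a tie is resolved in favour of the current Active Gateway so
that equal priorities do not cause the role to flap. All values constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Gateway:
    name: str
    my_priority: int            # "My Priority" field, 1..255
    primary_penalty: int = 0    # "Internet - Primary" reduction, 0..255
    secondary_penalty: int = 0  # "Internet - Secondary" reduction, 0..255
    dmz_penalty: int = 0        # "DMZ" reduction (DMZ / WAN2 link lost), 0..255
    primary_up: bool = True
    secondary_up: bool = True
    dmz_link_up: bool = True
    online: bool = True

    def __post_init__(self) -> None:
        if not 1 <= self.my_priority <= 255:
            raise ValueError(f"{self.name}: My Priority must be 1..255")
        for label, value in (("primary", self.primary_penalty),
                             ("secondary", self.secondary_penalty),
                             ("dmz", self.dmz_penalty)):
            if not 0 <= value <= 255:
                raise ValueError(f"{self.name}: {label} reduction must be 0..255")

    def effective_priority(self) -> int:
        """Priority after connection tracking has applied its reductions."""
        priority = self.my_priority
        if not self.primary_up:
            priority -= self.primary_penalty
        if not self.secondary_up:
            priority -= self.secondary_penalty
        if not self.dmz_link_up:
            priority -= self.dmz_penalty
        return max(priority, 0)  # assumption: floored at 0


def elect_active(cluster: list, current: Optional[str] = None) -> Optional[str]:
    """Name of the gateway that should be Active: the highest effective
    priority among online members, current Active Gateway kept on a tie."""
    online = [g for g in cluster if g.online]
    if not online:
        return None
    best = max(g.effective_priority() for g in online)
    candidates = sorted(g.name for g in online if g.effective_priority() == best)
    return current if current in candidates else candidates[0]


def failover_covers_primary_loss(preferred: Gateway, standby: Gateway) -> bool:
    """True if losing only `preferred`'s primary Internet connection is enough
    to hand the Active role to `standby` while both are online.

    If this is False, the tracking amount is smaller than the gap between the
    two My Priority values, and an Internet outage on the Active Gateway will
    not trigger a failover at all.
    """
    return (preferred.my_priority - preferred.primary_penalty
            < standby.effective_priority())


def walkthrough() -> list:
    """Constructed values for a cluster shaped like the guide's sample."""
    a = Gateway("Gateway A", my_priority=200, primary_penalty=120, secondary_penalty=40)
    b = Gateway("Gateway B", my_priority=150, primary_penalty=100)
    cluster, history = [a, b], []
    active = elect_active(cluster)
    history.append(("both links up", active))
    a.secondary_up = False                  # A: 200 - 40 = 160, still above B's 150
    active = elect_active(cluster, active)
    history.append(("A loses secondary", active))
    a.primary_up = False                    # A: 160 - 120 = 40, B takes over
    active = elect_active(cluster, active)
    history.append(("A loses primary too", active))
    a.primary_up = a.secondary_up = True    # A announces 200 again, preempts B
    active = elect_active(cluster, active)
    history.append(("A links restored", active))
    return history


if __name__ == "__main__":
    for event, active in walkthrough():
        print(f"{event:22} -> {active}")
```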
Chapter 9
Using Traffic Shaper

This chapter describes how to use Traffic Shaper to control the flow of communication to and from your network.

This chapter includes the following topics:
Overview, page 251
Setting Up Traffic Shaper, page 253
Predefined QoS Classes

Overview

Each class has a bandwidth limit, which is the maximum amount of bandwidth that connections belonging to that class may use together. Once a class has reached its bandwidth limit, connections belonging to that class will not be allocated further bandwidth, even if there is unused bandwidth available. For example, traffic used by Peer-to-Peer file-sharing applications may be limited to a specific rate, such as 512 kilobits per second.
Setting Up Traffic Shaper

To set up Traffic Shaper
1. Enable Traffic Shaper for the Internet connection, using the procedure Using Internet Setup on page 102. You can enable Traffic Shaper for incoming or outgoing connections.
   • When enabling Traffic Shaper for outgoing traffic: Specify a rate (in kilobits/second) slightly lower than your Internet connection's maximum measured upstream speed.
Predefined QoS Classes

For example, if Traffic Shaper is enabled for outgoing traffic, and you create an Allow rule associating all outgoing VPN traffic with the Urgent QoS class, then Traffic Shaper will handle outgoing VPN traffic as specified in the bandwidth policy for the Urgent class. See Adding and Editing Rules on page 364.

Note: Traffic Shaper must be enabled for the direction of traffic specified in the rule.

Table 41: Predefined QoS Classes

Class                          Weight   Delay Sensitivity   Useful for
Default (Normal Traffic)       10       Medium              Normal traffic. All traffic is assigned to this class by default.
Urgent (Interactive Traffic)   15       High                Traffic that is highly sensitive to delay. For example, IP telephony, videoconferencing, and interactive protocols that require quick user response, such as telnet.
Adding and Editing Classes

To add or edit a QoS class
1. Click Network in the main menu, and click the Traffic Shaper tab. The Quality of Service Classes page appears.
2. Click Add. The Safe@Office QoS Class Editor wizard opens, with the Step 1 of 3: Quality of Service Parameters dialog box displayed.
3. Complete the fields using the relevant information in the following table.
4. Click Next. The Step 2 of 3: Advanced Options dialog box appears.
5. Complete the fields using the relevant information in the following table.

Note: Traffic Shaper may not enforce guaranteed rates and relative weights for incoming traffic as accurately as for outgoing traffic. This is because Traffic Shaper cannot control the number or type of packets it receives from the Internet; it can only affect the rate of incoming traffic by dropping received packets. It is therefore recommended to enable traffic shaping for incoming traffic only if necessary.

Table 42: QoS Class Fields

Relative Weight
  Type a value indicating the class's importance relative to the other defined classes. For example, if you assign one class a weight of 100, and you assign another class a weight of 50, the first class will be allocated twice the amount of bandwidth as the second when the lines are congested.
Incoming Traffic: Limit rate to
  Select this option to limit the rate of incoming traffic belonging to this class. Then type the maximum rate (in kilobits/second) in the field provided.
DiffServ Code Point
  Select this option to mark packets belonging to this class with a DiffServ Code Point (DSCP), which is an integer between 0 and 63. Then type the DSCP in the field provided.
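How Relative Weight and a per-class rate limit interact on a congested link, covering the Overview's limit behaviour, the predefined weights in Table 41 and the 100-versus-50 example in Table 42, as an added example that is not part of the guide. The progressive-filling scheduler is an assumption about how the appliance shares capacity; the class demands and link rates are constructed, while the weights 10 and 15 and the 512 kilobit/second limit come from the chapter.

```python
"""
Added example (not from the Safe@Office guide): sharing a congested link
between QoS classes by Relative Weight, with per-class rate limits.

Assumption: capacity is split in proportion to weight among the classes that
still have traffic to send and are below their limit; a class that reaches
its limit gets nothing more even if capacity is spare (as the Overview says),
and that spare capacity goes to the remaining classes. Rates in kilobits/second.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class QosClass:
    name: str
    weight: int                         # "Relative Weight" field
    demand_kbps: float                  # offered load in this direction (constructed)
    limit_kbps: Optional[float] = None  # "Limit rate to" field; None means no limit

    def ceiling(self) -> float:
        """Most this class can ever be given: its demand, capped by its limit."""
        if self.limit_kbps is None:
            return self.demand_kbps
        return min(self.demand_kbps, self.limit_kbps)


def allocate(link_kbps: float, classes: list) -> dict:
    """Weighted fair share with per-class ceilings (progressive filling).

    Each round, the capacity still unassigned is split by weight among the
    classes that can still take more. A class that reaches its ceiling drops
    out, and its unused share is redistributed in the next round, so the
    weight ratio between the uncapped classes is preserved.
    """
    alloc = {c.name: 0.0 for c in classes}
    remaining = float(link_kbps)
    active = [c for c in classes if c.ceiling() > 0]
    while remaining > 1e-9 and active:
        total_weight = sum(c.weight for c in active)
        round_capacity = remaining
        still_active = []
        for c in active:
            share = round_capacity * c.weight / total_weight
            headroom = c.ceiling() - alloc[c.name]
            grant = min(share, headroom)
            alloc[c.name] += grant
            remaining -= grant
            if grant < headroom - 1e-9:
                still_active.append(c)  # wanted more than it got, stays in
        active = still_active
    return {name: round(value, 3) for name, value in alloc.items()}


if __name__ == "__main__":
    # Table 42's example: weight 100 gets twice what weight 50 gets under congestion.
    print(allocate(600, [QosClass("A", 100, 1000), QosClass("B", 50, 1000)]))
    # Predefined weights (Default 10, Urgent 15) plus a constructed P2P class
    # limited to 512 kbps, on a constructed 4096 kbps link: P2P stops at its
    # limit and the 10:15 ratio between Default and Urgent is kept.
    print(allocate(4096, [QosClass("Default", 10, 3000),
                          QosClass("Urgent", 15, 3000),
                          QosClass("P2P", 5, 3000, limit_kbps=512)]))
```

When the offered load is below the link rate, every class simply receives its demand and the weights play no role; weights and limits only matter when the line is congested.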
Restoring Traffic Shaper Defaults

If desired, you can reset the Traffic Shaper bandwidth policy to use the four predefined classes, and restore these classes to their default settings. For information on these classes and their defaults, see Predefined QoS Classes on page 254.

Note: This will delete any additional classes you defined in Traffic Shaper and reset all rules to use the Default class.
Chapter 10
Working with Wireless Networks

This chapter describes how to configure wireless internal networks.

This chapter includes the following topics:
Overview, page 263
Configuring Wireless Networks, page 273
Troubleshooting Wireless Connectivity

Overview

The Primary WLAN

In addition to the LAN and DMZ networks, you can define a wireless internal network called the primary WLAN (wireless LAN) network. The primary WLAN is the main wireless network, and it controls the status of all other wireless networks: wireless networks can be enabled only if the primary WLAN is enabled, and disabling the primary WLAN automatically disables all other wireless networks. In addition, all wireless networks inherit certain settings from the primary WLAN.

company resources. You could configure Traffic Shaper bandwidth management to give stations in the Guest network a low priority, and by enabling Secure HotSpot on this network, you could define terms of use that the guest users must accept before accessing the Internet. In contrast, the Employee VAP would use the more secure WPA2-Enterprise (802.11i) encryption standard and allow employees to access company resources such as the intranet.

You can use WDS links to create loop-free topologies, such as a star or tree of access points.

When used together with bridge mode and Spanning Tree Protocol (STP), you can use WDS links to create redundant topologies, such as a loop or mesh of linked access points.

Figure 25: Redundant Loop of Access Points Linked by WDS and STP

You can configure up to seven WDS links, in addition to the primary WLAN. For information on configuring WDS links, see Configuring WDS Links on page 298.

Note: All access points in a WDS must use the same radio channel for the WDS link and for communicating with wireless stations. Therefore, using WDS may have a negative impact on wireless throughput.

Network Count Limitations

You can configure a total of eight wireless objects, including any combination of the following:
• The primary WLAN
• Up to three virtual access points (VAPs)
• Up to seven WDS links
For example, if you configure the primary WLAN and two VAPs, then you can configure five WDS links, or one more VAP and four WDS links. When Extended Range (XR) mode is enabled for a wireless object, then it is counted as two objects.

WEP encryption
  In the WEP (Wired Equivalent Privacy) encryption security method, wireless stations must use a pre-shared key to connect to your network. This method is not recommended, due to known security flaws in the WEP protocol. It is provided for compatibility with existing wireless deployments.
  Note: The appliance and the wireless stations must be configured with the same WEP key.
802.1x: RADIUS
  In the 802.
WPA-Enterprise: RADIUS authentication, encryption
  The WPA-Enterprise (Wi-Fi Protected Access) security method uses MIC (message integrity check) to ensure the integrity of messages, and TKIP (Temporal Key Integrity Protocol) to enhance data encryption. Furthermore, WPA-Enterprise includes 802.1x and EAP authentication, based either on a central RADIUS authentication server, or on the Safe@Office appliance's built-in EAP authenticator.
WPA2 (802.11i)
  The WPA2 security method uses the more secure Advanced Encryption Standard (AES) cipher, instead of the RC4 cipher used by WPA and WEP. When using WPA-Enterprise or WPA-Personal security methods, the Safe@Office appliance enables you to restrict access to the wireless network to wireless stations that support the WPA2 security method. If this setting is not selected, the Safe@Office appliance allows clients to connect using both WPA and WPA2.
Configuring Wireless Networks

Note: It is recommended to configure wireless networks via Ethernet and not via a wireless connection, because the wireless connection could be broken after making a change to the configuration.

Using the Wireless Configuration Wizard

The Wireless Configuration Wizard provides a quick and simple way of setting up your basic primary WLAN parameters for the first time.

Note: You cannot configure WPA-Enterprise and 802.1x using this wizard.

The Wireless Configuration Wizard opens, with the Wireless Configuration dialog box displayed.
5. Select the Enable wireless networking check box to enable the primary WLAN. The fields are enabled.
6. Complete the fields using the information in Basic WLAN Settings Fields on page 284.
7. Click Next.
8. The Wireless Security dialog box appears.
9. Do one of the following:
   • Click WPA-Personal to use the WPA-Personal security mode. WPA-Personal (also called WPA-PSK) uses a passphrase for authentication. This method is recommended for small, private wireless networks, which want to authenticate and encrypt wireless data, but do not want to install a RADIUS server or use the Safe@Office EAP authenticator. Both WPA and the newer, more secure WPA2 (802.

   • To bridge the LAN and WLAN networks so that they appear as a single unified network, click Bridge Mode. Traffic from the WLAN to the LAN will be allowed to pass freely, and the LAN and WLAN will share a single IP address range.
   Note: This option creates a bridge called "default-bridge", which includes the WLAN and the LAN. If desired, you can later remove this bridge by running the Wireless Configuration Wizard again, and choosing Firewall Mode.

Do the following:
1. In the text box, type the passphrase for accessing the network, or click Random to randomly generate a passphrase. This must be between 8 and 63 characters. It can contain spaces and special characters, and is case-sensitive.
2. Click Next. The Wireless Security Confirmation dialog box appears.
3. Click Next.
4. The Wireless Security Complete dialog box appears.
5. Click Finish. The wizard closes.
6. Prepare the wireless stations.

WEP

If you chose WEP, the Wireless Configuration-WEP dialog box appears. Do the following:
1. Choose a WEP key length. The possible key lengths are:
   • 64 Bits - The key length is 10 hexadecimal characters.
   • 128 Bits - The key length is 26 hexadecimal characters.
   • 152 Bits - The key length is 32 hexadecimal characters.
   Some wireless card vendors call these lengths 40/104/128, respectively.
4. Click Next. The Wireless Security Complete dialog box appears.
5. Click Finish. The wizard closes.
6. Prepare the wireless stations.

No Security

The Wireless Security Complete dialog box appears.
• Click Finish. The wizard closes.

Manually Configuring a Wireless Network

To manually configure a wireless network
1. If you intend to use the 802.
4. In the desired wireless network's row, click Edit. The Edit Network Settings page appears.
5. In the Mode drop-down list, select Enabled. The fields are enabled.
6. In the IP Address field, type the IP address of the wireless network's default gateway. The wireless network must not overlap other networks.
7. In the Subnet Mask field, type the wireless network's internal network range.
8. If desired, enable or disable Hide NAT. See Enabling/Disabling Hide NAT on page 157.
9. If desired, configure a DHCP server. See Configuring a DHCP Server on page 158.
10. Complete the fields using the information in Basic Wireless Settings Fields on page 284.
11.
New fields appear.
12. Click Apply. A warning message appears, telling you that you are about to change your network settings.
13. Click OK. A success message appears.

Note: Some wireless cards have "Infrastructure" and "Ad-hoc" modes. These modes are also called "Access Point" and "Peer to Peer". On the wireless client, choose the "Infrastructure" or "Access Point" mode. You can set the wireless cards to either "Long Preamble" or "Short Preamble".

Table 44: Basic Wireless Settings Fields

Wireless Settings
Network Name
  Type the network name (SSID) that identifies your wireless network.
Operation Mode
  Select an operation mode:
  • 802.11b (11 Mbps). Operates in the 2.4 GHz range and offers a maximum theoretical rate of 11 Mbps. When using this mode, only 802.11b stations will be able to connect.
  • 802.11g (54 Mbps). Operates in the 2.4 GHz range, and offers a maximum theoretical rate of 54 Mbps. When using this mode, only 802.11g stations will be able to connect.
  • 802.11b/g (11/54 Mbps). Operates in the 2.
  Each operation mode indicates a wireless protocol (such as 802.11g Super), followed by the maximum bandwidth (such as 108 Mbps). The list of modes is dependent on the selected country. You can prevent older wireless stations from slowing down your network, by choosing an operation mode that restricts access to newer wireless stations.
Security
  Select the security protocol to use. For information on the supported security protocols, see Wireless Security Protocols on page 269. If you select WEP encryption, the WEP Keys area opens. If you select 802.1x, the Authentication Server field appears. If you select WPA-Enterprise, the Authentication Server, Require WPA2 (802.11i), and WPA Encryption fields appear. If you select WPA-Personal, the Passphrase, Require WPA2 (802.
Require WPA2 (802.11i)
  Specify whether you want to require wireless stations to connect using WPA2, by selecting one of the following:
  • Enabled. Only wireless stations using WPA2 can access the wireless network.
  • Disabled. Wireless stations using either WPA or WPA2 can access the wireless network. This is the default.
WPA Encryption
  Select the encryption method to use for authenticating and encrypting wireless data:
  • Auto.
Key 1, 2, 3, 4 length
  Select the WEP key length from the drop-down list. The possible key lengths are:
  • 64 Bits. The key length is 10 characters.
  • 128 Bits. The key length is 26 characters.
  • 152 Bits. The key length is 32 characters.
  Note: Some wireless card vendors call these lengths 40/104/128, respectively.
  Note: WEP is generally considered to be insecure, regardless of the selected key length.
Table 45: Advanced Wireless Settings Fields

Advanced Security
Hide the Network Name (SSID)
  Specify whether you want to hide your network's SSID, by selecting one of the following:
  • Yes. Hide the SSID. Only devices to which your SSID is known can connect to your network.
  • No. Do not hide the SSID. Any device within range can detect your network name and attempt to connect to your network. This is the default.
Wireless Transmitter
Transmission Rate
  Select the transmission rate:
  • Automatic. The Safe@Office appliance automatically selects a rate. This is the default.
  • A specific rate
  This field only appears when configuring the primary WLAN, and it is inherited by all VAPs and WDS links.
Transmitter Power
  Select the transmitter power. Setting a higher transmitter power increases the access point's range.
Antenna Selection
  Multipath distortion is caused by the reflection of Radio Frequency (RF) signals traveling from the transmitter to the receiver along more than one path. Signals that were reflected by some surface reach the receiver after non-reflected signals and distort them. Safe@Office appliances avoid the problems of multipath distortion by using an antenna diversity system.
RTS Threshold
  Type the smallest IP packet size for which a station must send an RTS (Request To Send) before sending the IP packet. If multiple wireless stations are in range of the access point, but not in range of each other, they might send data to the access point simultaneously, thereby causing data collisions and failures. RTS ensures that the channel is clear before each packet is sent.
Configuring Virtual Access Points

You can partition the wireless network into wireless VLANs called virtual access points (VAPs). You can use VAPs to grant different permissions to groups of wireless users, by configuring each VAP with the desired security policy and network settings, and then assigning each group of wireless users to the relevant VAP. For more information on VAPs, see Overview on page 263.

2. If you intend to use the 802.1x or WPA-Enterprise security mode for the VAP, do one of the following:
   • To use the Safe@Office EAP authenticator for authenticating wireless clients, follow the workflow Using the Safe@Office EAP Authenticator for Authentication of Wireless Clients on page 395. You will be referred back to this procedure at the appropriate stage in the workflow, at which point you can continue from the next step.
   •
3.
6. In the Type drop-down list, select Virtual Access Point. New fields appear.
7. In the Mode drop-down list, select Enabled. The fields are enabled.
8. In the IP Address field, type the IP address of the VAP network's default gateway. The VAP network must not overlap other networks.
9. In the Subnet Mask field, type the VAP's internal network range.
10. If desired, enable or disable Hide NAT. See Enabling/Disabling Hide NAT on page 157.
11.
See Configuring a DHCP Server on page 158.
12. Complete the fields using the information in Basic Wireless Settings Fields on page 284.
13. To configure advanced settings, click Show Advanced Settings and complete the fields using the information in Advanced Wireless Settings Fields on page 290. New fields appear.
14. Click Apply.

Note: Some wireless cards have "Infrastructure" and "Ad-hoc" modes. These modes are also called "Access Point" and "Peer to Peer". On the wireless client, choose the "Infrastructure" or "Access Point" mode. You can set the wireless cards to either "Long Preamble" or "Short Preamble".
For information on using a wizard to configure the primary WLAN, see Using the Wireless Wizard on page 273.
2. Click Network in the main menu, and click the My Network tab. The My Network page appears.
3. Click Add Network. The Edit Network Settings page appears.
4. In the Network Name field, type a name for the WDS link.
5. In the Type drop-down list, select Wireless Distribution System. New fields appear.
6.
7. Do one of the following:
   • To create a bridged WDS link:
     1) In the Mode drop-down list, select Bridged. The fields are enabled and additional fields appear.
     2) Complete these fields as described in Bridged Network Fields on page 231.
   • To create a routed WDS link, do the following:
     1) In the Mode drop-down list, select Enabled. The fields are enabled.
     2) In the IP Address field, type the IP address of the WDS link's default gateway.
New fields appear.
12. Click Apply.

Note: Both sides of the WDS link must use the same radio channel and security settings.

Note: WDS links support using the WEP security mode or no security. However, the access point can use any supported security protocol to communicate with wireless stations, including the WPA/WPA2 protocols.
Troubleshooting Wireless Connectivity

I cannot connect to a wireless network from a wireless station. What should I do?
• Check that the SSID configured on the station matches the Safe@Office appliance's SSID. The SSID is case-sensitive.
• Check that the encryption settings configured on the station (encryption mode and keys) match the Safe@Office appliance's encryption settings.
• If both antennas are connected to the Safe@Office appliance, check that the Antenna Selection parameter in the primary WLAN's advanced settings is set to Automatic (see Manually Configuring a Wireless Network on page 280).
• Relocate the Safe@Office appliance to a place with better reception, and avoid obstructions, such as walls and electrical equipment. For example, try mounting the appliance in a high place with a direct line of sight to the wireless stations.

currently receiving packets from another source, it sends back a CTS (Clear To Send) packet, indicating that the station can send the IP packet. Try setting the RTS Threshold parameter in the wireless network's advanced settings to a lower value. This will cause stations to use RTS for smaller IP packets, thus decreasing the likelihood of collisions.
Chapter 11
Viewing Reports

This chapter describes the Safe@Office Portal reports.

This chapter includes the following topics:
Viewing the Safe@Office Appliance Status, page 305
Using the Traffic Monitor, page 311
Viewing Computers, page 316
Viewing Connections

Viewing the Safe@Office Appliance Status

To view the Safe@Office appliance's current status
1. Click Reports in the main menu, and click the Status tab. The Status Monitor page appears. The page displays the information in the following table.
2. To refresh the display, click Refresh.

Table 46: Status Monitor Fields

Device Information
  Information about the Safe@Office appliance.
Product
  The licensed software and the number of allowed nodes.
Firmware
  The currently installed firmware:
  • Main. The version of the primary firmware
  • Backup. The version of the backup firmware
Uptime
  The time that elapsed from the moment the unit was turned on
System
  A diagram of the Safe@Office appliance's ports, indicating the ports' statuses. Ports that are currently in use appear in green.
Status
  Information about the Safe@Office appliance's status.
VPN
  The Safe@Office appliance's VPN tunnel status. This can be any of the following (each shown with its own icon):
  • No tunnels connected. There are no open VPN tunnels.
  • Tunnels are established. There are open VPN tunnels.
  • Some permanent tunnels are down. Some permanent VPN tunnels are currently down.
  To view VPN tunnels, click on the link.
Antivirus
  The Safe@Office appliance's VStream Antivirus status.
Services
  The Safe@Office appliance's Service Center connection status. This can be any of the following (each shown with its own icon):
  • Connected. The Safe@Office appliance is connected to the Service Center, and security services are active.
  • Firmware download: x% completed. The Safe@Office appliance is currently downloading a firmware file from the Service Center. The download is x% complete.
  • Disabled. You are not subscribed to a Service Center.
Resource Utilization
  Safe@Office appliance resource utilization information. A bar graph next to each resource indicates the amount currently consumed.
Kernel Mem
  The percentage of used memory in the kernel module, followed by the amount in kilobytes.
User Mem
  The percentage of used memory in the user module, followed by the amount in kilobytes.
Using the Traffic Monitor
You can view incoming and outgoing traffic for selected network interfaces and QoS classes using the Traffic Monitor. This enables you to identify network traffic trends and anomalies, and to fine-tune Traffic Shaper QoS class assignments. The Traffic Monitor displays separate bar charts for incoming traffic and outgoing traffic, and displays traffic rates in kilobits/second.
Viewing Traffic Reports
To view a traffic report
1. Click Reports in the main menu, and click the Traffic tab. The Traffic Monitor page appears.
2. In the Traffic Monitor Report drop-down list, select the network interface for which you want to view a report. The list includes all currently enabled networks. For example, if the DMZ network is enabled, it will appear in the list. If Traffic Shaper is enabled, the list also includes the defined QoS classes.
3. To refresh all traffic reports, click Refresh.
4. To clear all traffic reports, click Clear.
Note: The firewall blocks broadcast packets used during the normal operation of your network. This may lead to a certain amount of traffic of the type "Traffic blocked by firewall" that appears under normal circumstances and usually does not indicate an attack.
The Traffic Monitor Settings page appears.
3. In the Sample monitoring data every field, type the interval (in seconds) at which the Safe@Office appliance should collect traffic data. The default value is one sample every 1800 seconds (30 minutes).
4. Click Apply.
Exporting General Traffic Reports
You can export a general traffic report that includes information for all enabled networks and all defined QoS classes to a *.csv (Comma Separated Values) file. You can open and view the file in Microsoft Excel.
To export a general traffic report
1. Click Reports in the main menu, and click the Traffic tab. The Traffic Monitor page appears.
2. Click Export. A standard File Download dialog box appears.
3. Click Save.
Viewing Computers
This option allows you to view the currently active computers on your network. The computers are graphically displayed, each with its name, IP address, and settings (DHCP, Static, etc.). You can also view node limit information.
To view the computers
1. Click Reports in the main menu, and click the My Computers tab. The Active Computers page appears. If you configured High Availability, both the master and backup appliances are shown.
blocked from accessing the Internet through the Safe@Office appliance, the reason why it was blocked is shown in red. If a network is bridged, the bridge's name appears in parentheses next to the network's name. If you are exceeding the maximum number of computers allowed by your license, a warning message appears, and the computers over the node limit are marked in red.
The Node Limit window appears with the installed software product and the number of nodes used.
b. Click Close to close the window.
Viewing Connections
This option allows you to view currently active connections between your networks, as well as those from your networks to the Internet.
Note: The report does not display connections between bridged networks, where Firewall Between Members is disabled.
To view the active connections
1.
The Connections page appears. The page displays the information in the following table.
2. To view information about a destination machine, click its IP address. The Safe@Office appliance queries the Internet WHOIS server, and a window displays the name of the entity to which the IP address is registered and their contact information.
3. To view information about a destination port, click the port. A window opens displaying information about the port.
4.
Table 48: Connections Fields
This field… Displays…
Protocol: The protocol used (TCP, UDP, and so on).
Source IP: The source IP address.
Port: The source port.
Destination IP: The destination IP address.
Port: The destination port.
QoS Class: The QoS class to which the connection belongs (if Traffic Shaper is enabled).
Options: An icon indicating further details:
• The connection is encrypted.
• The connection is being scanned by VStream Antivirus.
Viewing Network Statistics
You can view statistics for each of the Safe@Office appliance's Internet connections, internal networks and bridges, using the Network Interface Monitor.
Viewing General Network Statistics
You can view general statistics for the Safe@Office appliance's network interfaces.
To view general network statistics
1. Click Reports in the main menu, and click the Networks tab. The Networks page appears, displaying general network statistics.
2. To refresh the display, click Refresh.
Table 49: General Network Statistics
This field… Displays…
Total Networks: The total number of internal networks.
Total Sent: The total number of sent packets on all network interfaces.
Total Received: The total number of received packets on all network interfaces.
Viewing Internet Connection Statistics
You can view statistics for the primary and secondary Internet connections.
To view statistics for an Internet connection
1.
The page displays statistics for the Internet connection. The following example shows statistics for the primary Internet connection. For information on the fields, see the following table.
3. To refresh the display, click Refresh.
This field… Displays…
Mode: The Internet connection method used.
Connected: The connection duration, in the format hh:mm:ss, where hh=hours, mm=minutes, ss=seconds.
Remote IP Address: The IP address of the PPP peer. This field is only relevant for PPP-based Internet connections.
Connection Probing
Probing Method: The connection probing method configured for the Internet connection.
ADSL: These fields only appear for ADSL connections.
RF status: These fields only appear for ADSL connections.
Tx Power: The local and remote transmission power in dB.
SNR Margin: The local and remote Signal to Noise Ratio (SNR) margin in dB. The SNR margin is the difference between the amount of noise received by the local/remote line end and the amount of noise it can tolerate.
Line Attenuation: The local and remote line attenuation in dB.
Frame/Carrier: The total number of frame alignment and carrier errors. Frame alignment errors occur when a frame that has extra bits is received. The number of such errors appears in the Received column. Carrier errors occur when the carrier is not present at the start of data transmission, or when the carrier is lost during transmission. Such errors usually indicate a problem with the cable. The number of such errors appears in the Transmitted column.
The page displays statistics for the network. The following example shows statistics for the LAN. For information on the fields, see the following table.
3. To refresh the display, click Refresh.
Table 51: Wired Network Statistics
This field… Displays…
Type: The network's type.
Status: The network's current status (Enabled/Disabled).
IP Address: The appliance's current IP address on the network interface.
MAC Address: The appliance's MAC address on the network interface.
Statistics: Statistics only appear if the network is enabled.
Packets: The total number of transmitted and received packets.
Errors: The total number of transmitted and received packets for which an error occurred.
Dropped: The total number of transmitted and received packets that the firewall dropped.
Overruns: The total number of transmitted and received packets that were lost, because they were sent or arrived more quickly than the appliance could handle.
Viewing Wireless Network Statistics
If the primary WLAN is enabled, you can view wireless statistics for the primary WLAN and VAPs.
To view statistics for the primary WLAN and VAPs
1. Click Reports in the main menu, and click the Networks tab. The Networks page appears.
2. In the tree, click on the wireless network's name. The page displays statistics for the network. For information on the fields, see the following table.
3. To refresh the display, click Refresh.
Table 52: Wireless Statistics
This field… Displays…
Type: The network's type, in this case "Wireless".
Status: The network's current status (Enabled/Disabled).
IP Address: The IP address of the wireless network's default gateway.
MAC Address: The MAC address of the wireless network interface.
Wireless
Wireless Mode: The operation mode used by the WLAN, followed by the transmission rate in Mbps.
Domain: The Safe@Office access point's region.
Country: The country configured for t
Missing Fragments: The total number of packets missed during transmission and reception that were dropped, because fragments of the packet were lost.
Discarded Retries: The total number of discarded retry packets that were transmitted and received.
Discarded Misc: The total number of transmitted and received packets that were discarded for other reasons.
Viewing Bridge Statistics
You can view statistics for bridges.
To view statistics for a bridge
1.
The page displays statistics for the bridge. For information on the fields, see the following table.
3. To view statistics for bridged networks, in the tree, expand the bridge's node. The page displays statistics for the bridged network.
4. To refresh the display, click Refresh.
This field… Displays…
Errors: The total number of transmitted and received packets for which an error occurred.
Dropped: The total number of transmitted and received packets that the firewall dropped.
Overruns: The total number of transmitted and received packets that were lost, because they were sent or arrived more quickly than the appliance could handle.
Frame/Carrier: The total number of frame alignment and carrier errors.
Viewing the Routing Table
This option allows you to view the routing table currently in effect on the Safe@Office appliance.
To view the current routing table
1. Click Reports in the main menu, and click the Routing tab. The Routing Table page appears. The page displays the information in the following table.
2. To resize a column, drag the relevant column divider right or left.
3. To refresh the display, click Refresh.
Table 54: Routing Table Fields
This field… Displays…
Source: The route's source.
Destination: The route's destination.
Service: The network service for which the route is configured.
Gateway: The gateway's IP address.
Metric: The route's metric.
Interface: The interface for which the route is configured.
Origin: The route's type:
• Connected Route. A route to a network that is directly connected to the Safe@Office appliance.
• Static Route.
Viewing Wireless Station Statistics
If the primary WLAN is enabled, you can view wireless statistics for individual wireless stations.
To view statistics for a wireless station
1. Click Reports in the main menu, and click the My Computers tab. The Active Computers page appears. The following information appears next to each wireless station:
2.
This field… Displays…
Cipher: The security protocol used for the wireless connection.
QoS: Indicates whether the client is using Multimedia QoS (WMM). Possible values are:
• yes. The client is using WMM.
• no. The client is not using WMM.
XR: Indicates whether the wireless client supports Extended Range (XR) mode. Possible values are:
• yes. The wireless client supports XR mode.
• no. The wireless client does not support XR mode.
Chapter 12 Viewing Logs
This chapter describes the Safe@Office appliance logs. This chapter includes the following topics: Viewing the Event Log (page 339), Viewing the Security Log .........................................
Viewing the Event Log
To view the event log
1. Click Logs in the main menu, and click the Event Log tab. The Event Log page appears. The log table contains the columns described in Event Log Columns on page 342. The log messages are color-coded as described in Event Log Color Coding on page 343.
2. To navigate the log table, do any of the following:
3.
4. To resize a column, drag the relevant column divider right or left.
5. To refresh the display, click Refresh.
6. To save the displayed events to an *.xls file:
a. Click Save. A standard File Download dialog box appears.
b. Click Save. The Save As dialog box appears.
c. Browse to a destination directory of your choice.
d. Type a name for the file and click Save. The *.xls file is created and saved to the specified directory.
7.
b. Press CTRL+C. If you are using Internet Explorer, and this is the first time that you copy logs, a dialog box asks you whether you want to allow the Safe@Office Portal to access your clipboard. In this case, click Allow access. The selected logs are copied to your clipboard.
8. To clear all displayed events:
a. Click Clear. A confirmation message appears.
b. Click OK. All events are cleared.
Table 56: Event Log Columns
This column... Displays...
Table 57: Event Log Color Coding
An event marked in this color… Indicates…
Red: An error message.
Orange: A warning message.
Blue: An informational message.
Viewing the Security Log
The Security Log displays security-related events, including the following:
• Connections logged by firewall rules
• Connections logged by VStream Antivirus
• Connections logged by VStream Antispam
• Security events logged by SmartDefense
• Web sites blocked by Web rules or the centralized Web
To view the security log
1. Click Logs in the main menu, and click the Security Log tab. The Security Log page appears. The log table contains the columns described in Security Log Columns on page 347. The log messages are color-coded as described in Security Log Color Coding on page 349.
2. To display information about a connection source or destination, click the relevant IP address.
• Use the scroll bars, or
• Click on a log message and then press the UP and DOWN arrows on your keyboard.
To view the next log page, click Next. To view the previous log page, click Back.
5. To specify the number of logs to display per page, in the drop-down list at the bottom of the log table, select the desired number.
6. To resize a column, drag the relevant column divider right or left.
7. To refresh the display, click Refresh.
8.
The selected logs are highlighted in yellow.
b. Press CTRL+C. If you are using Internet Explorer, and this is the first time that you copy logs, a dialog box asks you whether you want to allow the Safe@Office Portal to access your clipboard. In this case, click Allow access. The selected logs are copied to your clipboard.
10. To clear all displayed events:
a. Click Clear. A confirmation message appears.
b. Click OK. All events are cleared.
Table 58: Security Log Columns
This column... Displays...
No: The log message number.
Date: The date on which the action occurred, in the format DD:MM:YYYY, where DD=date, MM=month (in abbreviated form), YYYY=year.
Time: The time at which the action occurred, in the format hh:mm:ss, where hh=hour, mm=minutes, ss=seconds.
Dir: An icon indicating the direction of the connection on which the firewall acted.
Service: The protocol and destination port used for the connection.
Reason: The reason the action was logged.
Rule: The number of the firewall rule that was executed.
Net: The internal network where the action occurred.
Information: Additional information about the logged action.
Table 59: Security Log Actions
Action: Description
Connection accepted: The firewall accepted a connection.
Blocked by VStream Antivirus: VStream Antivirus blocked a connection.
Table 60: Security Log Color Coding
An event marked in this color… Indicates…
Red: Connection attempts that were blocked by your firewall, by a security policy downloaded from your Service Center, or by user-defined rules.
Orange: Traffic detected as suspicious, but accepted by the firewall.
Chapter 13 Setting Your Security Policy
This chapter describes how to set up your Safe@Office appliance security policy. You can enhance your security policy by subscribing to services such as Web Filtering and Email Filtering. For information on subscribing to services, see Using Subscription Services on page 551. This chapter includes the following topics: The Safe@Office Firewall Security Policy ..............................................
The Safe@Office Firewall Security Policy
Security Policy Implementation
The key to implementing a network security policy is to understand that a firewall is simply a technical tool that reflects and enforces a network security policy for accessing network resources. A rule base is an ordered set of individual network security rules, against which each attempted connection is checked. Each rule specifies the source, destination, service, and action to be taken for each connection.
Default Security Policy
The Safe@Office default security policy includes the following rules:
• Access is blocked from the WAN (Internet) to all internal networks (LAN, DMZ, primary WLAN, VLANs, VAPs, and OfficeMode).
• Access is allowed from the internal networks to the WAN, according to the firewall security level (Low/Medium/High).
• Access is allowed from the LAN network to the other internal networks (DMZ, primary WLAN, VLANs, VAPs, and OfficeMode).
Setting the Firewall Security Level
The firewall security level can be controlled using a simple lever available on the Firewall page. You can set the lever to the following states.
Table 61: Firewall Security Levels
This level… Does this… Further Details
Low: Enforces basic control on incoming connections, while permitting all outgoing connections. All inbound traffic to the external Safe@Office appliance IP address is blocked, except for ICMP echoes ("pings").
High: Enforces strict control on all incoming and outgoing connections. All inbound traffic is blocked. All outbound traffic is restricted except for the following: Web traffic (HTTP, HTTPS), email (IMAP, POP3, SMTP), FTP, newsgroups, Telnet, DNS, IPsec IKE and VPN traffic.
Block All: Blocks all access between networks. All inbound and outbound traffic is blocked between the internal networks.
To change the firewall security level
1. Click Security in the main menu, and click the Firewall tab. The Firewall page appears.
2. Drag the security lever to the desired level. The Safe@Office appliance security level changes accordingly.
Configuring Servers
Note: If you do not intend to host any public Internet servers in your network (such as a Web Server, Mail Server, or an exposed host), you can skip this section.
The Safe@Office appliance enables you to configure the following types of public Internet servers:
• Servers for specific services. You can allow all incoming connections of a specific service and forward them to a particular host in your network.
The Servers page appears, displaying a list of services and a host IP address for each allowed service.
2. Complete the fields using the information in the following table.
3. Click Apply. A success message appears.
Table 62: Servers Page Fields
In this column… Do this…
Allow: Select the check box next to the public server you want to configure.
Host IP: Type the IP address of the computer that will run the service (one of your network computers), or click the corresponding This Computer button to allow your computer to host the service.
VPN Only: Select this option to allow only connections made through a VPN.
To stop the forwarding of services to a specific host
1. Click Security in the main menu, and click the Servers tab. The Servers page appears.
2.
Using Rules
The Safe@Office appliance checks the protocol used, the port range, and the destination IP address when deciding whether to allow or block traffic. User-defined rules have priority over the default security policy rules and provide you with greater flexibility in defining and customizing your security policy. Rules are checked in order from the top of the Rules table, and the first rule that matches a connection decides what happens to it, so a specific rule placed below a broader rule that already matches the same traffic never takes effect.
For example, if you want to block all outgoing FTP traffic, except traffic from a specific IP address, you can create a rule blocking all outgoing FTP traffic and move the rule down in the Rules table. Then create a rule allowing FTP traffic from the desired IP address and move this rule to a higher location in the Rules table than the first rule. In the figure below, the general rule is rule number 2, and the exception is rule number 1.
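The ordering rule described above, as an added example that is not code from the Safe@Office guide or from Check Point: a minimal first-match rule base in Python that evaluates connections top to bottom and also flags rules that can never fire because an earlier rule already covers them. The rule fields, the host 192.168.10.25, the destination 203.0.113.9 and the "allow by default when nothing matches" behaviour are constructed for illustration and are not the appliance's own engine.

```python
"""Added example (not from the Safe@Office guide or Check Point): an ordered,
first-match rule base showing why the exception rule must sit above the
general rule. Addresses and the FTP scenario are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


def _scope(spec: str):
    """A rule scope is either the literal "ANY" or a host/CIDR string."""
    return None if spec == "ANY" else ip_network(spec, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "block"
    service: str       # service name such as "FTP", or "ANY"
    source: str        # host, CIDR or "ANY"
    destination: str   # host, CIDR or "ANY"
    description: str = ""

    def matches(self, service: str, src: str, dst: str) -> bool:
        """True if this rule applies to a connection with the given service, source and destination."""
        if self.service not in ("ANY", service):
            return False
        for spec, addr in ((self.source, src), (self.destination, dst)):
            net = _scope(spec)
            if net is not None and ip_address(addr) not in net:
                return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every connection `other` could match is already matched by this rule."""
        if self.service not in ("ANY", other.service):
            return False
        for mine, theirs in ((self.source, other.source), (self.destination, other.destination)):
            a, b = _scope(mine), _scope(theirs)
            if a is None:
                continue                      # ANY covers every address
            if b is None or not b.subnet_of(a):
                return False
        return True


def evaluate(rules: List[Rule], service: str, src: str, dst: str,
             default: str = "allow") -> Tuple[str, Optional[int]]:
    """Walk the rule base top to bottom and return (action, rule number) of the
    first matching rule; numbers are 1-based like the Rules page. `default`
    stands in for the default security policy applied when no user-defined
    rule matches (assumed here to allow outbound traffic)."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(service, src, dst):
            return rule.action, number
    return default, None


def find_shadowed(rules: List[Rule]) -> List[int]:
    """Numbers of rules that can never fire because an earlier rule already
    covers everything they would match: the misordering pitfall in the text."""
    return [i + 1 for i, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:i])]


# Constructed scenario from the text: block all outgoing FTP, except from one host.
EXCEPTION = Rule("allow", "FTP", "192.168.10.25", "ANY", "FTP allowed from the backup host")
GENERAL = Rule("block", "FTP", "ANY", "ANY", "Block all outgoing FTP")

CORRECT_ORDER = [EXCEPTION, GENERAL]   # exception is rule 1, general rule is rule 2
WRONG_ORDER = [GENERAL, EXCEPTION]     # the exception is now unreachable

if __name__ == "__main__":
    for label, rules in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(f"{label}: shadowed rules = {find_shadowed(rules)}")
        for src in ("192.168.10.25", "192.168.10.40"):
            action, number = evaluate(rules, "FTP", src, "203.0.113.9")
            print(f"  FTP from {src} -> {action} (rule {number})")
```

Running the script shows the exception host allowed by rule 1 in the correct order and blocked by rule 1 in the wrong order, where `find_shadowed` reports rule 2 as dead. Checking a rule base for shadowed rules after every reorder is the practical way to catch this mistake before it silently widens or narrows the policy.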
Table 63: Firewall Rule Types
Rule: Description
Allow and Forward: This rule type enables you to do the following:
• Permit incoming traffic from the Internet to a specific service and destination IP address in your internal network and then forward all such connections to a specific computer in your network. Such rules are called NAT forwarding rules. For example, if the gateway has two public IP addresses, 62.98.112.1 and 62.98.112.
Allow: This rule type enables you to do the following:
• Permit outgoing access from your internal network to a specific service on the Internet.
• Permit incoming access from the Internet to a specific service in your internal network.
• Assign traffic to a QoS class.
Adding and Editing Firewall Rules
To add or edit a firewall rule
1. Click Security in the main menu, and click the Rules tab. The Rules page appears.
2. Do one of the following:
• To add a new rule, click Add Rule.
• To edit an existing rule, click the icon next to the desired rule.
The Safe@Office Firewall Rule wizard opens, with the Step 1: Rule Type dialog box displayed.
3. Select the type of rule you want to create.
4. Click Next. The Step 2: Service dialog box appears. The example below shows an Allow and Forward rule.
5. Complete the fields using the relevant information in the following table.
6. Click Next. The Step 3: Destination & Source dialog box appears.
7. To configure advanced settings, click Show Advanced Settings. New fields appear.
8. Complete the fields using the relevant information in the following table.
9. Click Next. The Step 4: Rule Options dialog box appears.
10. Complete the fields using the relevant information in the following table.
11. Click Next. The Step 5: Done dialog box appears.
12. If desired, type a description of the rule in the field provided.
13. Click Finish. The new rule appears in the Rules page.
Table 64: Firewall Rule Fields
In this field… Do this…
Any Service: Click this option to specify that the rule should apply to any service.
Standard Service: Click this option to specify that the rule should apply to a specific standard service or a network service object.
Protocol: Select the protocol for which the rule should apply (ESP, GRE, TCP, UDP, ICMP, IGMP, or OSPF). To specify that the rule should apply for any protocol, select ANY. To specify a protocol by number, select Other. The Protocol Number field appears.
Port Range: To specify the port range to which the rule applies, type the start port number in the left text box, and the end port number in the right text box.
Destination: Select the destination of the connections you want to allow/block. This list includes network objects. To specify an IP address, select Specified IP and type the desired IP address in the text box. To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided. To specify the Safe@Office IP addresses, select This Gateway. To specify any destination except the Safe@Office Portal IP addresses, select ANY.
Quality of Service class: Select the QoS class to which you want to assign the specified connections. If Traffic Shaper is enabled, Traffic Shaper will handle these connections as specified in the bandwidth policy for the selected QoS class. If Traffic Shaper is not enabled, this setting is ignored. For information on Traffic Shaper and QoS classes, see Using Traffic Shaper on page 251.
Enabling/Disabling Firewall Rules
You can temporarily disable a user-defined rule.
To enable/disable a firewall rule
1. Click Security in the main menu, and click the Rules tab. The Rules page appears.
2. Next to the desired rule, in the Enabled column, do one of the following:
• To enable the rule, click the button. The button changes, and the rule is enabled.
• To disable the rule, click the button. The button changes, and the rule is disabled.
Enabling/Disabling Firewall Rule Logging
You can enable or disable logging for a firewall rule, by using the information in Adding and Editing Firewall Rules on page 364, or by using the following shortcut.
To enable/disable logging for a firewall rule
1. Click Security in the main menu, and click the Rules tab. The Rules page appears.
2.
The rule is deleted.
Using Port-Based Security
The Safe@Office appliance supports the IEEE 802.1x standard for secure authentication of users and devices that are directly attached to the Safe@Office appliance's LAN and DMZ ports, as well as the wireless LAN. Authentication can be performed either by an external RADIUS server, or by the Safe@Office appliance's built-in EAP authenticator.
accessing sensitive company resources. You can also configure Traffic Shaper to grant members of the Quarantine network a lower amount of bandwidth than authorized users. You can choose to exclude specific network objects from 802.1x port-based security enforcement. Excluded network objects will be able to connect to the Safe@Office appliance's ports and access the network without authenticating. For information on excluding network objects from 802.
This step is only relevant when using a RADIUS server.
3. To configure a Quarantine network other than the LAN or DMZ, add a port-based VLAN network. See Adding and Editing Port-Based VLANs on page 178.
4. Click Network in the main menu, and click the Ports tab. The Ports page appears.
5. Next to the desired port, click Edit. The Port Setup page appears.
6. In the Port Security drop-down list, select 802.1x. The Quarantine Network, Authentication Server, and Allow multiple hosts fields are enabled.
7. Complete the fields using the information in the following table.
8. Click Apply. A warning message appears.
9. Click OK.
Table 65: Port-Based Security Fields
In this field… Do this…
Assign to network: Specify how the Safe@Office appliance should handle users who authenticate successfully, by selecting one of the following:
• A network name. All users who authenticate to this port successfully are assigned to the specified network.
• From RADIUS. Use dynamic VLAN assignment to assign users to specific networks. This option is only relevant when using a RADIUS server.
Allow multiple hosts: To allow multiple hosts to connect to this port, select this option. Normally, 802.1x port-based security allows only a single host to connect to each port. However, when this option is selected, multiple clients can connect to the same port via a hub or switch. Each client on the port must authenticate separately. If authentication fails for one client, then all clients on the port will be blocked.
Using Secure HotSpot
You can enable your Safe@Office appliance as a public Internet access hotspot for specific networks. When users on those networks attempt to access the Internet, they are automatically redirected to the My HotSpot page http://my.hotspot.
Note: You can configure Secure HotSpot to use HTTPS. In this case, the My HotSpot page will be https://my.hotspot.
network. For example, Secure HotSpot can be used in public computer labs, educational institutions, libraries, Internet cafés, and so on. The Safe@Office appliance allows you to add guest users quickly and easily. By default, guest users are given a username and password that expire in 24 hours and are granted HotSpot Access permissions only. For information on adding quick guest users, see Adding Quick Guest Users on page 647.
4. To exclude specific computers from Secure HotSpot enforcement, add or edit their network objects. See Adding and Editing Network Objects on page 187. You must select the Exclude this computer/network from HotSpot enforcement option.
5. Add quick guest users as needed. See Adding Quick Guest Users on page 647.
Enabling/Disabling Secure HotSpot
To enable/disable Secure HotSpot
1. Click Security in the main menu, and click the HotSpot tab. The My HotSpot page appears.
2. In the HotSpot Networks area, do one of the following:
• To enable Secure HotSpot for a specific network, select the check box next to the network.
• To disable Secure HotSpot for a specific network, clear the check box next to the network.
3. Click Apply.
Customizing Secure HotSpot
To customize Secure HotSpot
1. Click Security in the main menu, and click the HotSpot tab. The My HotSpot page appears.
2. Complete the fields using the information in the following table.
3. To preview the My HotSpot page, click Preview. A browser window opens displaying the My HotSpot page.
4. Click Apply. Your changes are saved.
In this field… Do this…
My HotSpot Terms: Type the terms to which the user must agree before accessing the Internet. You can use HTML tags as needed.
My HotSpot is password-protected: Select this option to require users to enter their username and password before accessing the Internet. If this option is not selected, users will be required only to accept the terms of use before accessing the network.
Using NAT Rules
Overview
In an IP network, each computer is assigned a unique IP address that defines both the host and the network. A computer's IP address can be public and Internet-routable, or private and non-routable. Since IPv4, the current version of IP, provides only 32 bits of address space, available public IP addresses are becoming scarce, most having already been assigned.
Supported NAT Rule Types
The Safe@Office appliance enables you to define the following types of custom NAT rules:
• Static NAT (or One-to-One NAT). Translation of an IP address range to another IP address range of the same size. This type of NAT rule allows the mapping of Internet IP addresses or address ranges to hosts inside the internal network. This is useful if you want each computer in your private network to have its own Internet IP addresses.
• Hide NAT (or Many-to-One NAT).
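The two NAT rule types listed above, as an added example that is not code from the Safe@Office guide or from Check Point: Static NAT is modelled as a fixed one-to-one mapping between two ranges of equal size that works in both directions, and Hide NAT in its usual many-to-one form, where every internal host is rewritten to a single address and sessions are told apart by a translated source port. The port-based session table is an assumption about Hide NAT that goes beyond the truncated text above, and all addresses (RFC 1918 and RFC 5737 ranges) are constructed.

```python
"""Added example (not from the Safe@Office guide or Check Point): Static NAT
(one-to-one, equal-size ranges) and Hide NAT (many-to-one behind one address,
sessions distinguished by translated source port; an assumption beyond the
text). Addresses are constructed."""
from ipaddress import ip_address
from itertools import count
from typing import Dict, Optional, Tuple


class StaticNat:
    """One-to-one NAT between two address ranges of equal size."""

    def __init__(self, internal_first: str, internal_last: str,
                 public_first: str, public_last: str) -> None:
        self.i_first, self.i_last = ip_address(internal_first), ip_address(internal_last)
        self.p_first, self.p_last = ip_address(public_first), ip_address(public_last)
        # The page's definition: both ranges must be the same size.
        if int(self.i_last) - int(self.i_first) != int(self.p_last) - int(self.p_first):
            raise ValueError("static NAT ranges must be the same size")

    def to_public(self, internal: str) -> Optional[str]:
        """Outbound: internal address -> its fixed public address, or None if out of range."""
        addr = ip_address(internal)
        if not self.i_first <= addr <= self.i_last:
            return None
        return str(self.p_first + (int(addr) - int(self.i_first)))

    def to_internal(self, public: str) -> Optional[str]:
        """Inbound: public address -> the internal host it belongs to, or None if out of range.
        Because the mapping is fixed, an internal host is reachable from the Internet
        at its public address without any per-session state."""
        addr = ip_address(public)
        if not self.p_first <= addr <= self.p_last:
            return None
        return str(self.i_first + (int(addr) - int(self.p_first)))


class HideNat:
    """Many-to-one NAT: every internal source is rewritten to one hide address,
    and a per-session translated source port lets replies be mapped back."""

    def __init__(self, hide_address: str, first_port: int = 10000) -> None:
        self.hide = str(ip_address(hide_address))
        self._next_port = count(first_port)          # constructed port allocator
        self._by_hide_port: Dict[int, Tuple[str, int]] = {}
        self._by_internal: Dict[Tuple[str, int], int] = {}

    def outbound(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Rewrite (internal ip, port) to (hide ip, translated port), reusing an existing session."""
        key = (str(ip_address(src_ip)), src_port)
        port = self._by_internal.get(key)
        if port is None:
            port = next(self._next_port)
            self._by_internal[key] = port
            self._by_hide_port[port] = key
        return self.hide, port

    def inbound(self, dst_port: int) -> Optional[Tuple[str, int]]:
        """Map a reply addressed to (hide ip, port) back to the internal host, or None
        if no session exists. An unsolicited packet to the hide address therefore has
        nowhere to go, which is why a hidden host is not reachable from the Internet."""
        return self._by_hide_port.get(dst_port)


if __name__ == "__main__":
    static = StaticNat("192.168.1.10", "192.168.1.13", "198.51.100.10", "198.51.100.13")
    print("static 192.168.1.12 ->", static.to_public("192.168.1.12"))
    print("static 198.51.100.11 <-", static.to_internal("198.51.100.11"))
    hide = HideNat("198.51.100.1")
    for host in ("192.168.1.20", "192.168.1.21"):
        print("hide", host, "->", hide.outbound(host, 40000))
    print("reply to port 10001 ->", hide.inbound(10001))
```

The contrast to notice is in the inbound direction: the static mapping answers for any address in its public range, so every statically translated host is exposed and needs its own firewall rules, while the hide table only answers for ports it handed out, so hidden hosts are unreachable unless a forwarding rule is added for them.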