CS-2001 UTM Content Security Gateway User's Manual
Summary of Contents for Planet CS-2001

  • Page 1: CS-2001 UTM Content Security Gateway User’s Manual...
  • Page 2: Federal Communication Commission Interference Statement

    Information in this User’s Manual is subject to change without notice and does not represent a commitment on the part of PLANET. PLANET assumes no responsibility for any inaccuracies that may be contained in this User’s Manual. PLANET makes no commitment to update or keep current the information in this User’s...
  • Page 3: Customer Service

    interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation.
  • Page 4 Any error messages displayed when the problem occurred ♦ Any software running when the problem occurred ♦ Steps you took to resolve the problem on your own Revision: User’s Manual for PLANET UTM Content Security Gateway Model: CS-2001v2 Rev: 1.0 (April, 2012) Part No: EM-CS2001v2_v1.0...
  • Page 5: Table of Contents

    Table of Contents Quick Installation Guide ................8 Hardware Installation ..................9 Basic System Configuration ................1 S.1 Overview of Functions ..............9 System ...................... 16 Chapter 1 Administration ................17 1.1 Admin ..................... 19 1.2 Permitted IPs .................. 21 1.3 Logout ....................
  • Page 6 8.2 RADIUS Authentication .............. 166 8.3 POP3 Authentication ..............187 8.4 LDAP Authentication ..............190 Chapter 9 Application Blocking ..............204 9.1 Example ..................207 Chapter 10 Virtual Server ................214 10.1 Example ..................216 Chapter 11 VPN ....................236 11.1 Example ..................
  • Page 7 Chapter 21 Web VPN / SSL VPN ..............622 21.1 Example ..................626 IM Recording ..................641 Chapter 22 Configuration ................642 22.1 Example ..................644 Chapter 23 Reports ..................650 23.1 Statistics ..................657 23.2 Message History................. 659 Policy ...................... 659 Chapter 24 Policy ....................
  • Page 8 Chapter 32 Diagnostic Tools ................816 32.1 Ping .................... 817 32.2 Traceroute .................. 820 32.3 Packet Capture ................822 Chapter 33 Wake-On-LAN ................823 33.1 Example ..................824 Chapter 34 Status .................... 825 34.1 Interface ..................826 34.2 System Info ................828 34.3 Authentication ................
  • Page 9: Quick Installation Guide

    Quick Installation Guide...
  • Page 10: Hardware Installation

    Front panel: Ethernet Port1/2/3/4, Power Indicator, Console Port, HDD Indicator, USB Port. Figure 1a. Front Panel of the CS-2001 Rear panel: Power Switch, Power Socket. Figure 1b. Rear Panel of the CS-2001 • Power Indicator: Lights up when the power is on.
  • Page 11 LED / Port Description LED1 (Left) Orange: Steady on indicates the port is connected to another network device. Blinking indicates there is traffic on the port. LED2 (Right) Orange: Steady on indicates the port is connected at...
  • Page 12: Basic System Configuration

    Basic System Configuration Step 1. Connect both the IT administrator’s PC and the device’s LAN port to the same hub / switch, and launch a browser (e.g., IE or Firefox) to access the management interface address which is set to http://192.168.1.1 by default.
  • Page 13 • Configuration Panel: Displays the data or configurable settings of the corresponding item selected on the Menu Panel. Figure 4. The CS-2001 User Interface Note: 1. For your reference, you may configure your management address based on the available subnet ranges below.
  • Page 14 Step 4. If it’s the first time you’ve logged into the management interface, an install wizard will appear to guide you through setting some of the basic settings required. System > Configuration > Installation Wizard Figure 5. The Install Wizard Step 5. Select the language for the user interface and the default character encoding.
  • Page 15 Fill in the IP Address and Netmask fields. Figure 7. Interface Settings Important: 1. Once the LAN interface is changed, enter the new LAN IP address in the browser the next time you log in to the CS-2001 Web UI.
  • Page 16 Step 7. Configure the WAN Interface (please refer to your ISP for the settings). • Setting: Select Port2 (WAN1) • Interface: Select WAN • Connection Mode: Select the required mode • Configure the remaining settings. Figure 8. The WAN Settings...
  • Page 17 Step 8. Tick the Synchronize to an NTP Server box to ensure the system is provided with the accurate time. Figure 9. Time Settings Step 9. Enable Outgoing. Figure 10. Enabling an Outgoing Policy...
  • Page 18 DHCP to enable LAN PCs to obtain IP addresses, users may have Internet access right after configuring DHCP. To configure any network policies, please go to Policy Object and Policy. Step 10. Provide the following CS-2001 interface information to LAN users. Figure 12. Settings Confirmation...
  • Page 19 Step 11. Settings complete. Figure 13. Installation Wizard Completed...
  • Page 20: Overview of Functions

    S.1 Overview of Functions (columns: Category / Configurable Settings / Description / Index) System: Administration (Chapter 1). Admin: Creates, modifies or removes administrator accounts. Permitted IPs: Permits specific IP addresses to access the system. Software Update: Updates the system’s software version. Configuration (Chapter 2). Settings: For importing or exporting the system settings, resetting the system to factory default settings,...
  • Page 21 LAN and DMZ users. Installation Wizard: For quick installation and configuration. Language: Available languages include Traditional Chinese, Simplified Chinese and English. Network: Settings (Chapter 3): For DNS settings, link speed / duplex settings, etc. Interface: For configuring the interface type: LAN (IP address, netmask, MAC address, etc.), WAN (connection type, downstream / upstream bandwidth, etc.), DMZ...
  • Page 22 Web-based mail, online gaming, VPN Tunneling, and remote controlling. Virtual Server (Chapter 10): Mapped IPs, Port Mapping, Port-Mapping Group: Maps an internal host to an external IP address to provide a specific connection or service, such as PC-Anywhere, FTP, HTTP, etc. One-Step (Chapter 11): For establishing secure and...
  • Page 23 Personal Rule, Global Rule, Whitelist, Blacklist, Training: spam filtering is applied in the following order: Greylist Filtering > Personal Rule, Global Rule > Whitelist > Blacklist > Fingerprint > Bayesian Filtering > Spam Signature... Anti-Virus (Chapter 14): Settings: Scans for virus-infected mail using ClamAV and Sophos.
  • Page 24 IDP Reports (Chapter 20): Settings, Statistics, Logs: Provides statistics in the form of graphs and logs. Statistics can be sent to the specified recipient periodically and logs can be searched based on the specified criteria. SSL Web (Chapter 21): Settings: For configuring the VPN IP range, the protocol and the encryption algorithm.
  • Page 25 DNS controlling mechanism. The backup mode provides continuous access if one of the WAN links ceases to function. High Availability (Chapter 27): Settings: For installing two CS-2001 devices to ensure an uninterrupted network connection. Co-Defense: Core Switch...
  • Page 26 Historical Top Chart. Traffic Grapher (Chapter 31): WAN Traffic: Displays the usage statistics from the WAN interfaces. Policy-Based Traffic: Displays the usage statistics of a configured policy. Diagnostic Tools (Chapter 32): Ping, Traceroute, Packet Capture: Provides Ping, Traceroute and Packet Capture to diagnose the connection.
  • Page 27: System

    System...
  • Page 28: Chapter 1 Administration

    Chapter 1 Administration This chapter explains the authorization settings for accessing the CS-2001. It covers Admin, Permitted IPs, Software Update and Logout. Complete administrative authority lies with the IT administrator. Other than the IT administrator, any other administrator, also known as...
  • Page 29 Terms in Admin Admin Name • The authentication name used to log in to the system. • The IT administrator’s name and password are assigned as admin, which cannot be deleted. Access Privilege • The main IT administrator has the privilege of reading, writing and viewing, meaning the main IT administrator is able to view and change the system configuration, logs and accounts.
  • Page 30: Admin

    1.1 Admin 1.1.1 Adding a Sub-Administrator Step 1. Go to System > Administration > Admin, set as below: (Figure 1-1) • Click the New Sub-Admin button to create a new sub-administrator. • Enter the Sub-Admin Name and Password. • Enter the password again in the Confirm Password field. ...
  • Page 31: Modifying the Password

    1.1.2 Modifying the Password Step 1. Go to System > Administration > Admin and then set as below: (Figure 1-2) • Click the Modify button of the admin you want to modify. • Enter the original password in the Password field and then enter the new password in the New Password field.
  • Page 32: Permitted IPs

    1.2 Permitted IPs 1.2.1 Adding a Permitted IP Step 1. Under System > Administrator > Permitted IPs, click the New Entry button and then set as below: (Figure 1-3) • Enter the name in the Name field. • Select IPv4 for Protocol. ...
  • Page 33: Logout

    1.3 Logout 1.3.1 Logging out of the System Step 1. Click Logout to protect the system from unauthorized modification while you are away. (Figure 1-4, 1-5) Figure 1-4 The Logout Screen Figure 1-5 Confirming to Log Out...
  • Page 34 Step 2. Click OK and then the logout message appears. (Figure 1-6) Figure 1-6 The Logout Message...
  • Page 35: Updating Software

    1.4 Updating Software Step 1. To run a software update, go to System > Administration > Software Update and follow the steps below: • Click Browse to locate the software and then open it. • Click OK to proceed to update the software. (Figure 1-7)...
  • Page 36: Chapter 2 Configuration

    Chapter 2 Configuration Configuration includes the following system settings: System Settings, Date / Time, Multiple Subnets, Route Table, DHCP, Dynamic DNS, Host Table, SNMP and Language.
  • Page 37 Terms in Setting System Settings • Allows the IT administrator to import / export system settings, perform a factory reset and format the built-in hard disk. Configuration File Backup and Restore Utility (Used: 40KB, Free: 9MB, Capacity: 10MB) • Saves a copy of the system settings file to the device’s internal storage. The IT administrator can restore the system’s settings based upon the file’s date.
  • Page 38 device can block their IP address for the specified amount of time. This helps prevent unauthorized tampering with the device.
  • Page 39 Proxy Settings (for signature updates) • Once a proxy server is deployed, the proxy settings must be configured for the CS-2001 to access the Internet. SIP / H.323 NAT Traversal Settings • Enables SIP NAT Traversal or H.323 NAT traversal.
  • Page 40 Interface • Denotes in which network, i.e. LAN or DMZ, the subnet resides. VLAN ID • Permits the interface on the CS-2001 to support VLAN tags belonging to the LAN or DMZ. Terms in Routing Table Dynamic Routing • Routers exchange routing information to reflect any changes in the topology of the network.
  • Page 41 Note: Dynamic Routing Protocols can be categorized into the following two categories: • Distance-Vector Routing Protocol: Uses the Bellman-Ford algorithm to calculate paths. Examples of distance-vector routing protocols include RIPv1/2 and IGRP (Cisco's proprietary protocol). Using RIP, the maximum hop count from the first router to the destination is 15. Any destination more than 15 hops away is considered unreachable.
  • Page 42 private purposes. • In 2007 30-bit AS numbers were introduced. These numbers are written either as simple integers, or in the form x.y, where x and y are 16-bit numbers. Numbers of the form 0.y are exactly the old 16-bit AS numbers, 1.y numbers and 65535.65535 are reserved, and the remainder of the space is available for allocation.
  • Page 43 Terms in DHCP Static IP Assignment • DHCP can allocate IP addresses based upon the MAC address of PCs in the LAN or DMZ. Terms in Dynamic DNS Domain Name • The domain name registered at the DDNS service provider. Real IP Address • ...
  • Page 44 • Level 3 provides not only authentication for SNMP data but also encryption and is referred to as AuthPriv. User Name • The NMS uses this user name to access information from the CS-2001. Auth Protocol • Supports the authentication protocols HMAC_MD5_96 and HMAC_SHA_96.
  • Page 45 Auth Password • The NMS uses this password to access information from the CS-2001. Privacy Protocol • Supports the Data Encryption Standard (DES) cipher, a 56-bit symmetric-key algorithm. Privacy Password • The NMS uses this password to access information from the CS-2001.
  • Page 46: Settings

    2.1 Settings 2.1.1 Exporting System Settings Step 1. Under System > Configuration > Settings, click next to Export System Settings under the System Settings section. Step 2. Click Save in the File Download window, and then assign a storage folder. After that, click Save in the Save As window to complete exporting the system settings.
  • Page 47 2.1.2 Importing System Settings Step 1. Under System > Configuration > Settings, click Browse… next to Import System Settings under the System Settings section. Next, in the Choose File window, select the configuration file and then click Open. (Figure 2-2) Step 2.
  • Page 48 2.1.3 Resetting the System to Factory Default Settings and Formatting the Hard Drive Step 1. Under System > Configuration > Settings, tick Reset to factory default settings and Format the inbuilt hard disk under the Hard Disk Formatting section. (Figure 2-4) Figure 2-4 Resetting the Device to Factory Default Step 2.
  • Page 49 2.1.4 Enabling Email Alert Notification Step 1. Go to System > Configuration > Settings. Under the Name Settings section, configure the following settings: • Type your company name in the Company Name field. • Type a name in the Device Name field. Step 2.
  • Page 50 2.1.5 Rebooting the CS-2001 Step 1. To reboot the CS-2001, go to System > Configuration > Settings. Under the Device Reboot section click Reboot next to To reboot the system, click. Step 2. A confirmation dialogue box will appear asking “Are you sure you want to reboot the system?” Step 3.
  • Page 51: Date / Time

    2.2 Date / Time 2.2.1 CS-2001 Time Settings Step 1. Go to System > Configuration > Date/Time and configure the following settings: (Figure 2-7) • Configure the GMT offset hours. • Tick Synchronize to an NTP server. • Type the IP address of the Internet time server in the NTP Server IP / Hostname field.
  • Page 52: Multiple Subnet

    2.3 Multiple Subnet 2.3.1 Using NAT / Routing Mode For LAN Users to Access the Internet Prerequisite Setup (Note: IP addresses used as examples only) Configure port 1 as LAN1 (192.168.1.1, NAT routing mode) and connect it to the LAN which is using the IP address range 192.168.1.x/24. Configure port 2 as WAN1 (10.10.10.1) and connect it to the ISP router (10.10.10.2);...
  • Page 53 Figure 2-8 Configuring Multiple Subnet Figure 2-9 Settings Completed Important: 1. When the PCs’ subnets or IP addresses are not on the same interface, you may go to Policy > LAN to LAN and create a policy (select Inside Any for both Source Address and Destination Address) to enable the LAN to LAN connection.
  • Page 54 Step 2. Under Network > Interface, set as below: (Figure 2-10) • Click on Port 2’s Modify button. • For Interface Type select WAN, and enter all the relevant settings (provided by your ISP). • For WAN NAT Redirection, select A designated IP and then enter 162.172.50.1.
  • Page 55 Step 3. Under Policy Object > Address > LAN, set as below: (Figure 2-11) Figure 2-11 Address Settings for the LAN...
  • Page 56 Step 4. Go to Policy > Outgoing and configure the following settings: • Click on New Entry. • Source Address: Select the name of the LAN addresses. (LAN1_Subnet1) • Action: Tick Port 3 (WAN2). • Click on Advanced Settings. For Port3 (WAN2) select Automatic. ...
  • Page 57 Figure 2-13 The Second Outgoing Policy Settings...
  • Page 58 Figure 2-14 Policy Settings Completed...
  • Page 59 Step 5. The configuration of LAN1 to the Internet is now complete. (Figure 2-15) Figure 2-15 The LAN Configured Using Multiple Subnet Note: 1. The LAN subnet 192.168.1.x/24 is only able to gain access to the Internet via WAN2 (using NAT).
  • Page 60 2.3.2 Using Multiple Subnets to Establish a VLAN Gateway to Regulate VLAN Users’ Access to the Internet Prerequisite Setup (Note: IP addresses used as examples only) Configure Port1 as LAN1 (192.168.1.1, NAT/Routing mode) and connect it to the LAN which is using 192.168.1.x/24. VLAN ID 10 using 192.168.100.x/24.
  • Page 61 Figure 2-16 First Multiple Subnet Setting...
  • Page 62 Figure 2-17 Second Multiple Subnet Setting Figure 2-18 Multiple Subnet Settings Completed Note: 1. The device’s interface settings permit multiple VLAN gateways to control each VLAN’s access to the Internet or communication amongst the VLANs. 2. When the PCs’ subnets or IP addresses are not on the same interface, you may go to Policy > LAN to LAN and create a policy (select Inside Any for both Source Address and Destination Address) to enable the LAN to LAN connection.
  • Page 63 Step 2. Go to Policy Object > Address > LAN, and set as below: (Figure 2-19) Figure 2-19 Address Settings for the LAN...
  • Page 64 Step 3. Go to Policy Object > Address > LAN Group and then set as below: (Figure 2-20) Figure 2-20 LAN Group Settings Step 4. Go to Policy > Outgoing, set as below: • Click on New Entry. • Source Address: Select the name of the LAN addresses (VLAN_Group) ...
  • Page 65 Step 5. The internal network’s VLAN. (Figure 2-23) Figure 2-23 The Completed Multiple Subnet VLAN Settings...
  • Page 66: Route Table

    2.4 Route Table 2.4.1 Enabling Two Networks Connected by a Router to Access the Internet via the CS-2001 Prerequisite Setup (Note: IP addresses used as examples only) Company A: Port 1 is set as LAN 1 (192.168.1.1, NAT routing mode) which is connected to the LAN subnet 192.168.1.x/24.
  • Page 67 Step 1. Go to System > Configuration > Route Table and set as below: • Click on New Entry. • IP Version: Select IPv4. • IP Address: Type 192.168.10.0. • Netmask: 255.255.255.0. • Gateway: 192.168.1.252. • Interface: LAN1. ...
  • Page 68 Figure 2-26 Static Route Settings Figure 2-27 The Completed Static Route Settings Important: 1. To enable the LAN to LAN connection, go to Policy > LAN to LAN and create a policy (select Inside Any for both Source Address and Destination Address). To enable the DMZ to DMZ connection, go to Policy >...
  • Page 69 Step 2. The subnets 192.168.10.x/24, 192.168.20.x/24 and 192.168.1.x/24 can now communicate with each other. In addition, these subnets may also access the Internet using real IP addresses assigned from the CS-2001 device’s NAT mechanism. (Figure 2-28) Figure 2-28 The Routing Table...
  • Page 70: DHCP

    2.5 DHCP 2.5.1 Using an External DHCP Server to Allocate IP Addresses to Internal PCs Step 1. Go to System > Configuration > DHCP, and set as below: (Figure 2-29) • Tick Enable DHCP Relay. • From DHCP Relay Interface select the interface. ...
  • Page 71 Note: 1. When Enable DHCP Relay Support is enabled, internal PCs can obtain an IP address from the server through the specified interface (WAN1/2/3/4/5/6 or VPN-WAN1/2/3/4/5/6) of the CS-2001.
  • Page 72 2.5.2 Using the CS-2001 to Allocate IP Addresses to LAN PCs Step 1. Go to System > Configuration > DHCP and set as below: (Figure 2-30) • Select Enable DHCP. • Deselect Obtain DNS server address automatically. • DNS Server 1: Type an IP address as DNS Server 1.
  • Page 73 Figure 2-30 DHCP Settings...
  • Page 74 1. Enabling Obtain DNS server address automatically is intended for LAN users who access the Internet via the device’s authentication mechanism. LAN users need to configure their Preferred DNS server address to be the same as the LAN interface address of the CS-2001 in Internet Protocol (TCP/IP) Properties.
  • Page 75: DDNS

    2.6 DDNS Step 1. Go to System > Configuration > Dynamic DNS, and set as below: (Figure 2-31) • Click New Entry. Select a Service Provider from the drop-down list. • Tick Use the IP of on the right of WAN IP and then select a WAN port.
  • Page 76: Host Table

    2.7 Host Table Step 1. Go to System > Configuration > Host Table and set as below: (Figure 2-33) • Configure the Host Name accordingly. • Select IPv4 for IP Version. • Type the virtual IP address that the host name corresponds to in the Virtual IP Address field.
  • Page 77: SNMP

    2.8 SNMP 2.8.1 SNMP Agent Settings Step 1. Go to System > Configuration > SNMP. Under the SNMP Agent Settings section configure the following: (Figure 2-34) • Tick the interfaces that are permitted to send SNMP agent messages. • Device Name: Name the device. By default, it is UTM. ...
  • Page 78 Port: Type the port number of SNMP Trap. (Default value: 162) • Click OK. • The IT administrator may now install an SNMP Trap client to receive alerts from the CS-2001. Figure 2-35 SNMP Trap Settings Note: 1. The IT administrator may test the SNMP trap by clicking on...
  • Page 79: Bulletin Board

    2.9 Bulletin Board 2.9.1 Using the CS-2001 to Announce Information to LAN Users and DMZ Users Step 1. Go to System > Configuration > Bulletin Board and then configure the settings in the Bulletin Board Login Settings section.
  • Page 80 Step 2. Under System > Configuration > Bulletin Board, configure the settings in the Bulletin Board Announcements section. • Click New Entry. (Figure 2-37) • Enter the Subject. • Specify the Announcement Duration. • Target Viewer: tick LAN Users and select Inside Any; tick DMZ Users and select DMZ Any.
  • Page 81 Step 3. The LAN users and DMZ users will see the announcement when they access the Internet. (Figure 2-39, 2-40) Figure 2-39 Clicking the Button to See the Announcement Figure 2-40 LAN / DMZ Users Seeing the Announcement Note: 1. To know how many users have seen the announcement, you may go to System > Configuration >...
  • Page 82 172.19.1.254. You may enter http://172.19.1.254:84 in the web browser. (Figure 2-41, 2-42) Figure 2-41 Logging in the Bulletin Board Setting Page Figure 2-42 The Bulletin Board Setting Page...
  • Page 83: Language

    2.10 Language 2.10.1 Changing the Language Step 1. Under System > Configuration > Language, you may change the language of the user interface. (Figure 2-36) Figure 2-36 The Language Settings...
  • Page 84: Interface

    Interface...
  • Page 85: Chapter 3 Interface

    Chapter 3 Interface The Interface configuration allows you to configure the connection parameters separately for LAN, WAN and DMZ interfaces, as well as to assign multiple network interfaces to a group based on your topology plan. This chapter covers the functionality and application of Settings, Interface and Interface Group.
  • Page 86 By Source IP: For services that require using the same IP address throughout the session, such as online gaming and banking, the CS-2001 helps users retain the same WAN port (i.e. IP address) over which the session was created, to avoid disconnection caused by a change of the user’s IP address.
  • Page 87 Interface Designation • The system-assigned name based on the network interface type selected. Interface Type • The network interface is categorized into three types: • Local Area Network (LAN) • Wide Area Network (WAN) • Demilitarized Zone (DMZ) Connection Type (As Interface Type set to LAN) • ...
  • Page 88 • An IPv6 address is represented as a text string in one of the following three conventional forms: • Colon-hexadecimal form: This is the preferred form, n:n:n:n:n:n:n:n. Each n represents the hexadecimal value of one of the eight 16-bit elements of the address. For example: 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A ...
  • Page 89 • The IPv6 prefix is the part of the address that indicates the bits that have fixed values. If it happens not to be a multiple of four, such as 21DA:D3:0:2F3B:2AA:FF:FE28:9C5A/59, then the third 16 bits (i.e., 2F3B) have to be modified (to 2F20) to become a multiple of four. ...
  • Page 90 • The result, 02-AA-00-FF-FE-3F-2A-1C, is converted to colon-hexadecimal notation, yielding the interface identifier 2AA:FF:FE3F:2A1C. Thus, in this example, the link-local address that corresponds to the network adapter with the MAC address of 00-AA-00-3F-2A-1C is FE80::2AA:FF:FE3F:2A1C. Any IP Routing • For hoteliers (hotel, guest house, inn, hostel, motel, etc.) to provide customers with Internet service.
  • Page 91 • When ticked, the management interface is available for access via the SSH protocol. Connection Type (As Interface Type set to WAN) • It has three connection types, namely: • Static IP Address (Leased Line User) • Dynamic IP Address (Cable Modem User) • ...
  • Page 92 NAT Redirection • Translates private IP addresses into public addresses. • Auto-configuration: The public address is automatically designated by the system. • A designated IP: The public address is manually designated by the IT administrator. Max. Downstream & Upstream Bandwidth • ...
  • Page 93 Detection Mode • When Round-Robin or Active-Backup is selected for Bonding Mode, ARP detect can be selected to detect the connection. Saturated Connections • Determines the number of sessions each WAN port can process at a time under By Traffic, By Session or By Packet mode. New sessions will be distributed to other WAN ports when the number of sessions has reached the specified maximum.
  • Page 94 Terms in Interface Group Interface Group • Allows you to group network interfaces, with each group isolated from the others. Note: This requires at least a WAN port with a static IP and a LAN or DMZ running Transparent Bridging mode. • ...
  • Page 95: Example

    3.1.1 Modifying the LAN Interface (NAT / Routing) 3.1.2 Configuring the WAN Interface 3.1.3 Using CS-2001 as a Gateway for Users on Two Subnets to Access the Internet (NAT/Routing) 3.1.4 Using CS-2001 as a Gateway for the Internal Users to Access the Internet...
  • Page 96: Modifying the LAN Interface (NAT / Routing)

    3.1.1 Modifying the LAN Interface (NAT / Routing) Prerequisite Setup (Note: IP addresses used as examples only) Port1 is configured as LAN1 by default. (IP address: 192.168.1.1, NAT/ Routing) Step 1. Go to Network > Interface and then set as below: (Figure 3-1)...
  • Page 97 2. Do not disable HTTP and HTTPS before configuring the settings under System > Administration > Permitted IPs, or the IT administrator may be unable to access the Web UI from LAN.
  • Page 98: Configuring the WAN Interface

    3.1.2 Configuring the WAN Interface Step 1. Go to Network > Interface and then click Port2’s Modify button. Select WAN for Interface Type. Step 2. Configure the Service Detection (ICMP & DNS): • If ICMP is selected, enter the Alive Indicator Site IP. (Figure 3-2)...
  • Page 99 Step 3. Select WAN for Interface Type: • Static IP Address: (Figure 3-4) • Enter the IP Address, Netmask and Default Gateway. • Enter the Max. Downstream Bandwidth and the Max. Upstream Bandwidth. • Tick Ping, HTTP and HTTPS. • Click OK. (Figure 3-5)...
  • Page 100 Figure 3-4 Configuring the Static IP Address Figure 3-5 Setting Completed...
  • Page 101 Figure 3-6 Configuring the Dynamic IP Address Figure 3-7 Setting Completed...
  • Page 102 Figure 3-8 Configuring the PPPoE Figure 3-9 Setting Completed...
  • Page 103 1. The DNS Settings may be configured under Network > Settings. 2. When Ping, HTTP and HTTPS are enabled, users may access the CS-2001 Web UI from the external network. Management access from the external network weakens network security, so it is suggested that Ping, HTTP and HTTPS be disabled once configuration is complete.
  • Page 104 3.1.3 Using CS-2001 as a Gateway for Users on Two Subnets to Access the Internet (NAT/Routing) Prerequisite Setup (Note: IP Addresses used as examples only) Configure Port1 as WAN1 (61.11.11.11) and connect it to the ADSL Termination Unit Remote (ATUR) to access the Internet.
  • Page 105 Figure 3-10 Configuring the LAN Interface...
  • Page 106 Step 2. Go to Network > Interface and then set as below: (Figure 3-11) • Click Port3’s Modify button. • Select LAN for Interface Type. • Select NAT Routing for Connection Type. • Enter the IPv4 Address and the Netmask. ...
  • Page 107 Step 3. LAN1 and LAN2 users will connect to WAN1(61.11.11.11) and use WAN1’s IP address to access the Internet. You may create the policy to establish the connection between LAN1 and LAN2. (Figure 3-12) Figure 3-12 The Deployment of LAN using NAT / Routing Mode...
  • Page 108 3.1.4 Using CS-2001 as a Gateway for the Internal Users to Access the Internet and Configure the DMZ for the External Users to Access the Network Resource Prerequisite Setup (Note: IP addresses used as examples only) Configure Port1 as LAN1 (192.168.1.1, NAT/Routing) and connect to the LAN. IP address range: 192.168.1.x/24.
  • Page 109 Figure 3-13 Configuring the LAN Interface...
  • Page 110 Step 2. Go to Network > Interface and then set as below: (Figure 3-14) • Click Port3’s Modify button. • Select DMZ for Interface Type. • Select Transparent Routing for Connection Type. • Tick Ping, HTTP and HTTPS. • Click OK. Figure 3-14 DMZ Interface Settings Note:...
  • Page 111 Step 3. The external users may connect to the web server (61.11.11.12) to access the network resource. The LAN users may connect to WAN1 (61.11.11.11) and use WAN1’s IP address to access the Internet. (Figure 3-15) Figure 3-15 The Deployment of DMZ Using Transparent Routing Mode...
  • Page 112: Internet (NAT/Routing)

    3.1.5 Deploying the CS-2001 between the Gateway and LAN (configuring two subnets, one using Transparent Routing, the other one using NAT/Routing) for the LAN users to access the Internet Prerequisite Setup (Note: IP addresses used as examples only) Gateway’s LAN IP addresses are 192.168.1.1 (192.168.1.x/24) and 192.168.2.1 (192.168.2.x/24).
  • Page 113 Step 1. Go to Network > Interface and then set as below: (Figure 3-16) • Click Port2’s Modify button. • Select LAN for Interface Type. • Select Transparent Routing for Connection Type. • Tick Ping, HTTP and HTTPS. • Click OK. Figure 3-16 Configuring the LAN Interface Step 2.
  • Page 114 Settings Step 3. LAN1 users (192.168.1.x/24) and LAN2 users (192.168.2.x/24) may use their original IP addresses to access the Internet via the CS-2001. You may create the policy to establish the connection between LAN1 and LAN2. (Figure 3-18)...
  • Page 115 Figure 3-18 The deployment of LAN Using Transparent Routing and NAT/ Routing...
  • Page 116: Deploying the CS-2001 between the Gateway and the LAN

    3.1.6 Deploying the CS-2001 between the Gateway and the LAN (LAN1 and DMZ1), connecting LAN1 to the user’s PC (using NAT/Routing mode) and then connecting DMZ1 to user’s PC (using Transparent Bridging mode) Prerequisite Setup (Note: IP addresses used as examples only) Gateway’s LAN (172.16.1.1).
  • Page 117 Step 1. Go to Network > Interface and then set as below: (Figure 3-19) • Click Port1’s Modify button. • Select LAN for Interface Type. • Select NAT Routing for Connection Type. • Enter the IPv4 Address and the Netmask. ...
  • Page 118 Figure 3-20 DMZ Interface Settings Step 3. Go to Network > Interface Group and then set as below: (Figure 3-21)  Configure Port2(WAN1) and Port3(WAN2) as Group1.  Click OK. Figure 3-21 Configuring the Interface Group...
  • Page 119 Step 4. PCs (IP range: 172.16.x.x/16) on DMZ may use the original address to access the Internet through CS-2001. PCs on LAN will connect to WAN1 (172.16.1.12) and use WAN1’s IP address to access the Internet. (Figure 3-22) Figure 3-22 The Deployment of DMZ Using Transparent Bridging Mode...
  • Page 120
    - PCs in DMZ (172.16.x.x/16):
    - The LAN PCs (default gateway: 172.16.1.1) will access the Internet through CS-2001’s WAN1.
    - Configure the default gateway as CS-2001’s WAN1 (172.16.1.12). Packets passing through the CS-2001 will use WAN1 (172.16.1.12) or WAN2 (211.22.22.22) to access the Internet. (Load Balancing)
    - ...
  • Page 121 3. Configure a router to connect the different subnets in the LAN so that the PCs access the Internet through the original firewall. PCs in the DMZ may use their original IP addresses to access the Internet through CS-2001’s WAN1. (Figure 3-24) Figure 3-24 The Deployment of DMZ Using Transparent Bridging 03...
  • Page 122 4. Configure two firewalls to connect the Internet and the CS-2001, and then configure a router to connect the CS-2001 and the DMZ (192.168.2.1/24 and 192.168.3.1/24). Connect the two subnets to WAN1’s firewall and WAN2’s firewall respectively. Then, the packets from the two subnets (Figure 3-25)...
  • Page 123: Deploying Cs-2001 Between The Gateway And Lan (Lan1 And Dmz1)

    3.1.7 Deploying CS-2001 between the Gateway and LAN (LAN1 and DMZ1) for LAN Users and DMZ Users to Access the Internet Prerequisite Setup (Note: IP addresses used as examples only) Gateway: LAN(192.168.1.1), IP range:192.168.1.x/24 WAN(61.11.11.11) connects to the ADSL Termination Unit Remote to access the Internet.
  • Page 124 Step 1. Go to Network > Interface and then set as below: (Figure 3-26)
    - Click Port1’s Modify button.
    - Select WAN for Interface Type.
    - Select the Connection Type.
    - Configure the connection settings.
    - Tick Ping, HTTP and HTTPS.
    - ...
  • Page 125 Step 2. Under Network > Interface, set as below: (Figure 3-27)
    - Click Port2’s Modify button.
    - Select LAN for Interface Type.
    - Select Transparent Bridging for Connection Type.
    - Tick Ping, HTTP and HTTPS.
    - Click OK.
    Figure 3-27 LAN Settings Using Transparent Bridging Mode...
  • Page 126 Step 3. Under Network > Interface, set as below: (Figure 3-28)
    - Click Port3’s Modify button.
    - Select WAN for Interface Type.
    - Select the Connection Type.
    - Configure the connection settings.
    - Tick Ping, HTTP and HTTPS.
    - ...
  • Page 127 Figure 3-30 Interface Group Settings Important: 1. The CS-2001 then operates as two individual switches: Port1(WAN1) and Port2(LAN1) connect to the LAN, Port3(WAN2) and Port4(DMZ1) connect to the DMZ. PCs under the two different switches cannot connect to each other.
  • Page 128 Step 6. Users connecting to Port2(LAN1) will use 192.168.1.x/24 to access the Internet. Users on Port4(DMZ1) will use the IP addresses distributed by the ISP to access the Internet. (Figure 3-31) Figure 3-31 Interface Group Deployment...
  • Page 129 3.1.8 Using the CS-2001 Device as the Gateway and Connecting it to the LAN (There are Two LAN Interfaces, One Using NAT/Routing, the Other Using Transparent Bridging Mode) for the LAN Users to Access the Internet Prerequisite Setup (Note: IP Addresses used as examples only) Configure Port1 as WAN1(61.11.11.11) and connect it to the ADSL Termination Unit...
  • Page 130 Step 1. Go to Network > Interface and set as below: (Figure 3-32)
    - Click Port1’s Modify button.
    - Select WAN for Interface Type.
    - Select the Connection Type.
    - Configure the connection settings.
    - Tick Ping, HTTP and HTTPS.
    - ...
  • Page 131 Step 2. Go to Network > Interface and then set as below: (Figure 3-33)
    - Click Port2’s Modify button.
    - Select LAN for Interface Type.
    - Select NAT/Routing for Connection Type.
    - Enter the IPv4 Address and the Netmask.
    - Tick Ping, HTTP and HTTPS.
  • Page 132 Step 4. Go to Network > Interface Group and then set as below: (Figure 3-35)
    - Configure Port1(WAN1), Port2(LAN1) and Port3(LAN2) as a Group.
    - Click OK.
    Figure 3-35 Interface Group Settings Note: 1. Users on the same subnet may then be divided among different interfaces according to their departments.
  • Page 133 Step 5. PCs under sales department (LAN1) and PCs under support department (LAN2) are on 192.168.1.x/24. They will connect to WAN1 and use WAN1’s IP address (61.11.11.11) to access the Internet. You may create the policy to establish the connection between LAN1 and LAN2. (Figure 3-36)...
  • Page 135: Policy Object

    Policy Object...
  • Page 136: Chapter 4 Address

    Chapter 4 Address In Address, the IT administrator may configure network settings of LAN, WAN and DMZ, as well as designate specific addresses in a network as a group. An IP address might represent a host or a subnet, in either case, the IT administrator may give it an easily identifiable name for better management.
  • Page 137 Terms in Address
    - Name: An easily identifiable name to represent the IP address or addresses.
    - Address Type: How the address is expressed: an IP range, an IP / netmask, or an IPv6 address / prefix length.
    - IP Version: IPv4 or IPv6 can be selected.
    - IP Address: ...
  • Page 138 FQDN (Fully Qualified Domain Name)
    - The FQDN consists of two parts: the hostname and the domain name. For example, an FQDN may be www.planet.com.tw. The hostname is www, and the domain name is planet.com.tw.
    - To regulate the access to the specified web site, the IT administrator only needs to configure an FQDN setting.
  • Page 139: Example

    4.1 Example
    - 4.1.1 (Settings: LAN) Using DHCP to Grant Only FTP Access to a LAN User with a Specific IP Address
    - 4.1.2 (Settings: LAN / WAN) Creating a Policy for Certain Users to Connect to a Specific IP Address Group...
  • Page 140 4.1.1 Using DHCP to Assign an IP to a Specific User and only Permitting FTP Access Step 1. Under Policy Object > Address > LAN, set as below: (Figure 4-1)
    - Click New Entry. Type the name of the user in the Name field (e.g., Alex).
  • Page 141 Note: 1. To save the configured data from Policy Object > Address > WAN / LAN / DMZ as a file for storage or modification, use Export data entries. If the list needs to be restored due to accidental modifications etc., use Import data entries. 2.
  • Page 142 Step 2. Go to Policy > Outgoing and configure as below: (Figure 4-3)
    - Source Address: Select the source address.
    - Service: Select FTP.
    - Click OK. (Figure 4-4)
    Figure 4-3 The Outgoing Policy Settings Figure 4-4 Policy Completed...
  • Page 143 4.1.2 Creating a Policy for Certain Users to Connect to a Specific IP Address Step 1. Create several addresses under Policy Object > Address > LAN. (Figure 4-5) Figure 4-5 The Creation of Several LAN Addresses...
  • Page 144 Step 2. Under Policy Object > Address > LAN Group, set as below: (Figure 4-6)
    - Click New Entry.
    - Name: Designate a name for the group.
    - Select group members from the Available address column on the left, and then click Add.
    - ...
  • Page 145 Step 3. Go to Policy Object > Address > WAN and configure as below: (Figure 4-8)
    - Click New Entry.
    - Name: Designate a name for the group.
    - Address Type: Select IP / Netmask.
    - IP Version: Select IPv4.
    - ...
  • Page 146 Step 4. Go to Policy > Outgoing and configure as below: (Figure 4-10)
    - Source Address: Select the LAN address group.
    - Destination Address: Select the WAN destination address.
    - Click OK. (Figure 4-11)
    Figure 4-10 The Policy Settings Figure 4-11 The Completed Policy Settings Note: 1.
  • Page 147: Chapter 5 Service

    TCP and UDP protocols provide different services. These services have an associated port number, for example Telnet = 23, FTP = 21, SMTP = 25, POP3 = 110, etc. The CS-2001 provides control over access to these services using Pre-defined and Custom settings.
  • Page 148
    - Client Port: The port number on the client user’s PC used for connecting to the CS-2001. It is recommended to keep the default range (0 to 65535).
    - Server Port: The port number of the customized service.
  • Page 149: Example Of Pre-Defined

    5.1 Example of Pre-defined 5.1.1 Creating a Policy to Permit WAN Users Using VoIP Technology to Communicate with LAN Users (Using VoIP Port Numbers of TCP 1720, TCP 15328-15333 and UDP 15328-15333) Step 1. Go to Policy Object > Address > LAN Group and configure the following settings.
  • Page 150 Step 2. Go to Policy Object > Service > Custom and then configure as below: (Figure 5-3)
    - Name: Type in a name for the service.
    - In row number 1 select TCP for the protocol. Leave the Client Port on the default setting.
  • Page 151 Step 3. Go to Policy Object > Virtual Server > Port Mapping and use settings you created in Policy Object > Service > Custom. (Figure 5-5) Figure 5-5 Using the Pre-defined Service Settings Step 4. Go to Policy > Incoming and configure as below: (Figure 5-6)...
  • Page 152 Step 5. Go to Policy > Outgoing and configure as below: (Figure 5-8)
    - Source Address: Select the LAN group.
    - Service: Select the custom service.
    - Action: Select Port1 (WAN1).
    - Click OK. (Figure 5-9)
    Figure 5-8 The Outgoing Policy for VoIP Figure 5-9 The Completed Settings Note: 1.
  • Page 153: Example Of Service Group

    5.2 Example of Service Group 5.2.1 Creating a Policy with a Service Group to Limit Specific LAN Users to Access Only Certain Internet Services (HTTP, POP3, SMTP and DNS) Step 1. Go to Policy Object > Service > Group, and set as below: (Figure 5-10)...
  • Page 154 Figure 5-11 The Added Service Group...
  • Page 155 Step 2. Go to Policy Object > Address > LAN Group and create a LAN Group of specific LAN users that are only permitted to access certain services. ( Figure 5-12) Figure 5-12 The Added LAN Group Step 3. Under Policy > Outgoing, set as below: (Figure 5-13)...
  • Page 156 Figure 5-14 The Completed Policy Settings...
  • Page 157: Chapter 6 Schedule

    Chapter 6 Schedule Schedule is used for regulating the activation time of policies. With its help, the IT administrator may determine a specific period of time for each policy to take effect, saving time on system administration.
  • Page 158 Terms in Schedule
    - Name: Designates the name of the schedule.
    - Type: Two modes are provided:
      - Recurring: Based upon a weekly schedule, with configurable start and end periods for each of the seven days in a week.
      - One-Time: Provides a start and stop time for a single specific date based upon the year, month, day, hour and minute.
  • Page 159: Example

    6.1 Example 6.1.1 Assigning Daily Internet Access Time Slots for LAN Users Step 1. Under Policy Object > Schedule > Settings, set as below: (Figure 6-1)
    - Type the name.
    - Mode: Select either Recurring or One-Time.
    - Use the drop-down menus to select the required start and end time for each day of the week.
  • Page 160 Step 2. Under Policy > Outgoing, set as below: (Figure 6-3)
    - Select the pre-defined schedule for Schedule.
    - Click OK. (Figure 6-4)
    Figure 6-3 Applying the Schedule to the Policy Figure 6-4 The Completed Policy Settings...
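The three Policy Object types of Chapters 4, 5 and 6 (Address, Service, Schedule) only do anything once an Outgoing policy combines them, and the manual's scenarios (4.1.1 Alex with FTP only, 5.2.1 a group limited to HTTP/POP3/SMTP/DNS, 6.1.1 a daily time slot) depend on how that combination is evaluated. The following is an added example, not the CS-2001's own code: a small Python model of those objects and of first-match policy evaluation. The default-deny behaviour for unmatched traffic, the user and group names, the 192.168.1.x addresses beyond those the manual shows, and the office-hours window are assumptions made for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


# Chapter 4: an Address object is either IP / Netmask or an IP Range.
@dataclass
class Address:
    name: str
    network: Optional[str] = None                 # "192.168.1.0/24" (IP / Netmask)
    ip_range: Optional[Tuple[str, str]] = None    # ("192.168.1.10", "192.168.1.20")

    def contains(self, ip: str) -> bool:
        addr = ip_address(ip)
        if self.network is not None:
            return addr in ip_network(self.network, strict=False)
        lo, hi = ip_address(self.ip_range[0]), ip_address(self.ip_range[1])
        return lo <= addr <= hi


# Chapter 5: a Service is protocol + client port range + server port range.
@dataclass
class Service:
    name: str
    proto: str                                    # "tcp" or "udp"
    server_ports: Tuple[int, int]                 # inclusive range
    client_ports: Tuple[int, int] = (0, 65535)    # the manual's recommended default

    def matches(self, proto: str, sport: int, dport: int) -> bool:
        return (proto == self.proto
                and self.client_ports[0] <= sport <= self.client_ports[1]
                and self.server_ports[0] <= dport <= self.server_ports[1])


# Chapter 6: Recurring (per-weekday windows) or One-Time (one absolute window).
@dataclass
class Schedule:
    name: str
    recurring: Dict[int, Tuple[str, str]] = field(default_factory=dict)  # weekday -> ("HH:MM", "HH:MM")
    one_time: Optional[Tuple[datetime, datetime]] = None

    def active(self, now: datetime) -> bool:
        if self.one_time is not None:
            return self.one_time[0] <= now <= self.one_time[1]
        window = self.recurring.get(now.weekday())       # 0 = Monday
        if window is None:
            return False
        return window[0] <= now.strftime("%H:%M") <= window[1]   # zero-padded, so string order is time order


@dataclass
class OutgoingPolicy:
    source: List[Address]                 # an Address Group (one entry for a single address)
    services: List[Service]               # a Service Group; an empty list stands for ANY
    schedule: Optional[Schedule] = None
    action: str = "permit"


def evaluate(policies: List[OutgoingPolicy], src_ip: str, proto: str,
             sport: int, dport: int, now: datetime) -> str:
    """First matching policy wins. Assumption of this model: traffic that matches no
    policy is dropped (default deny); that is what makes a policy scoped to one user
    and one service actually limit that user to that service."""
    for p in policies:
        if not any(a.contains(src_ip) for a in p.source):
            continue
        if p.services and not any(s.matches(proto, sport, dport) for s in p.services):
            continue
        if p.schedule is not None and not p.schedule.active(now):
            continue
        return p.action
    return "drop"


def build_example_policies() -> List[OutgoingPolicy]:
    svc = {
        "FTP": Service("FTP", "tcp", (21, 21)),
        "HTTP": Service("HTTP", "tcp", (80, 80)),
        "SMTP": Service("SMTP", "tcp", (25, 25)),
        "POP3": Service("POP3", "tcp", (110, 110)),
        "DNS": Service("DNS", "udp", (53, 53)),   # UDP only, for brevity
    }
    # 4.1.1: Alex's DHCP-fixed address as a one-entry IP Range (assumed value).
    alex = Address("Alex", ip_range=("192.168.1.50", "192.168.1.50"))
    # 5.2.1: keep the broader group from covering Alex, or the wider rule below
    # would permit him the services his own rule leaves out.
    support = Address("Support_Dept", network="192.168.1.128/25")
    office = Schedule("Office_Hours", recurring={d: ("08:00", "18:00") for d in range(5)})
    return [
        OutgoingPolicy([alex], [svc["FTP"]]),                                   # 4.1.1
        OutgoingPolicy([support], [svc["HTTP"], svc["POP3"], svc["SMTP"], svc["DNS"]],
                       schedule=office),                                        # 5.2.1 + 6.1.1
    ]


def check(src_ip: str, proto: str, dport: int, iso_when: str) -> str:
    """Decide one outgoing connection (client port fixed at 40000) at a given time."""
    return evaluate(build_example_policies(), src_ip, proto, 40000, dport,
                    datetime.fromisoformat(iso_when))
```

The point to take from `check`: rule order and address scope decide the outcome, not the rule's intent. If the support group had been 192.168.1.0/24, Alex's HTTP traffic would fall through his FTP-only rule and be permitted by the group rule, so "only FTP" has to be enforced by keeping him out of later, wider rules.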
  • Page 161: Chapter 7 Qos

    Chapter 7 QoS QoS provides bandwidth management for LAN users accessing the Internet via the CS-2001. When applied with a Policy, it ensures users are allocated suitable amounts of bandwidth. (Figure 7-1, 7-2) Figure 7-1 The Network with no QoS Figure 7-2 Applying QoS to the Network (Max.
  • Page 162 Terms in Settings
    - Name: The name of the QoS setting.
    - Port: The WAN port to apply QoS.
    - Downstream Bandwidth: Determines the guaranteed bandwidth and maximum bandwidth of the total downstream bandwidth.
    - Upstream Bandwidth: Determines the guaranteed bandwidth and maximum bandwidth of the total upstream bandwidth.
  • Page 163: Example

    7.1 Example 7.1.1 Creating a Policy to Limit Upload and Download Bandwidth Step 1. Under Policy Object > QoS > Settings, set as below: (Figure 7-3)
    - Click New Entry. Type the Name accordingly.
    - Configure the bandwidth of Port 2 (WAN1) and Port 3 (WAN2).
    - ...
  • Page 164 Figure 7-4 The Completed QoS Settings...
  • Page 165 Step 2. Under Policy > Outgoing, set as below: (Figure 7-5)
    - Select the pre-configured QoS setting.
    - Click OK. (Figure 7-6)
    Figure 7-5 Applying QoS to a Policy...
  • Page 166 Figure 7-6 The Completed Policy Setting Note: 1. Under Policy Object > QoS > Settings, the available bandwidth range, such as G. Bandwidth and M. Bandwidth, is predefined under Interface > WAN. Thus, an appropriate value of Max. Downstream Bandwidth and Max. Upstream Bandwidth should be configured under Interface >...
  • Page 167: Chapter 8 Authentication

    Chapter 8 Authentication Authentication regulates users’ access to the Internet. CS-2001 offers five authentication modes, namely User, Group, RADIUS, POP3 and LDAP, adding flexibility to your choice of authentication method.
  • Page 168 Terms in Authentication
    - Authentication Management: Provides basic settings for managing authentication:
      - Authentication Port Number: The port number designated for authentication. By default, it is 82.
      - Authentication Idle Timeout: If an authenticated connection has been idle for a period of time, it will expire. The default is 30 minutes.
      - ...
  • Page 169 Figure 8-1 Authentication Management Settings...
  • Page 170
    - The authentication login screen appears after a user attempts to access a web site: (Figure 8-2) Figure 8-2 The Authentication Login Screen
    - An authenticated user will be redirected to the designated web site: (Figure 8-3) Figure 8-3 The User Being Redirected to a Website...
  • Page 171 Note: 1. The Allow password modification mechanism is only applicable to authenticated users. 2. The authentication login screen appears after either trying to access a web site or by typing the management address together with its authentication port number in the address field of a web browser.
  • Page 172 LDAP User Name: Lists the LDAP user names retrieved from the LDAP server. The user names may be grouped for authentication.
  • Page 173: User / Group Authentication

    1. The IT administrator may export the Authentication user list for safe keeping, and restore the list if needed. 2. To use authentication, LAN users must configure their Preferred DNS server in Internet Protocol (TCP/IP) Properties to be the same as the LAN interface address of CS-2001.
  • Page 174 Step 2. Under Policy Object > Authentication > Group, set as below: (Figure 8-5)
    - Click New Entry.
    - Group Name: Type a name for the group.
    - Select group members from the Available Authentication User column on the left, and then click Add.
    - ...
  • Page 175 Step 3. Go to Policy > Outgoing and configure as below: (Figure 8-6)
    - Authentication: Select the group name that was configured in the previous step.
    - Click OK. (Figure 8-7)
    Figure 8-6 Apply the Authentication to a Policy Figure 8-7 The Completed Policy Settings...
  • Page 176 Step 4. The authentication login screen is displayed in the web browser when a LAN user tries to access the Internet. Internet access will be available after applying the valid user name and password to the corresponding fields in the login screen. (Figure 8-8)...
  • Page 177: Radius Authentication

    8.2 RADIUS Authentication 8.2.1 Regulating Internet Access with a Policy – An Example using the RADIUS Server from Windows Server 2003 ※ The Configuration of Windows Server 2003 Built-in RADIUS Server Step 1. Go to Start > Settings > Control Panel > Add/Remove Programs, and then click Add/Remove Windows Components on the left.
  • Page 178 Step 3. Select Internet Authentication Service. (Figure 8-11) Figure 8-11 Selecting the Internet Authentication Service Step 4. Go to Start > Settings > Control Panel > Administrative Tools > Internet Authentication Service, and then click it. (Figure 8-12) Figure 8-12 The Path of Internet Authentication Service on the Start Menu...
  • Page 179 Step 5. Right-click RADIUS Clients and then click New RADIUS Client. (Figure 8-13) Figure 8-13 Adding a RADIUS Client Step 6. Type a name and the client address, namely the management address of CS-2001. (Figure 8-14)...
  • Page 180 Figure 8-14 Typing a Friendly Name and the Management Address...
  • Page 181 Step 7. Select RADIUS Standard from the Client-Vendor drop-down list, and then enter the same value in Shared secret and Confirm shared secret as is configured on the CS-2001 under Policy Object > Authentication > RADIUS. (Figure 8-15) Figure 8-15 Selecting the Client Vendor and Entering the Password Step 8.
  • Page 182 Figure 8-16 Adding a Remote Access Policy...
  • Page 183 Step 9. Select Use the wizard to set up a typical policy for a common scenario and then type a name in the Policy name field. (Figure 8-17) Figure 8-17 Configuring and Naming the Policy...
  • Page 184 Step 10. Select Ethernet. (Figure 8-18) Figure 8-18 Selecting the Access Method...
  • Page 185 Step 11. Select User. (Figure 8-19) Figure 8-19 Selecting User or Group Access Step 12. Select MD5-Challenge from the drop-down list. (Figure 8-20) Figure 8-20 Selecting an Authentication Method...
  • Page 186 Step 13. Right-click the newly added policy name and then click Properties. (Figure 8-21) Figure 8-21 Configuring the Properties of a Policy...
  • Page 187 Step 14. Select Grant remote access permission and then remove the existing settings. Next, click Add…. (Figure 8-22) Figure 8-22 Configuring the RADIUS Properties...
  • Page 188 Step 15. Select Service-Type to add. (Figure 8-23) Figure 8-23 Select the Attribute Type Step 16. Select Authenticate Only and Framed from the Available types and then click Add. (Figure 8-24) Figure 8-24 Adding the Service Type...
  • Page 189 Step 17. Click on the Edit Profile…, then click the IP tab and then tick Server settings determine IP address assignment. (Figure 8-25) Figure 8-25 Configuring the IP Setting...
  • Page 190 Step 18. Click on the Edit Profile… button then click on the Authentication tab. Tick Microsoft Encrypted Authentication version 2 (MS-CHAP v2), Microsoft Encrypted Authentication (MS-CHAP), Encrypted authentication (CHAP) and Unencrypted authentication [PAP, SPAP]. (Figure 8-26) Figure 8-26 Configuring the Authentication Settings...
  • Page 191 Step 19. Click on the Edit Profile…, click the Advanced tab and then click Add…. (Figure 8-27) Figure 8-27 Configuring the Advanced Settings...
  • Page 192 Step 20. Select Framed-Protocol and click Add. (Figure 8-28) Figure 8-28 Adding the Attribute...
  • Page 193 Step 21. For Framed-Protocol, select PPP from the Attribute value drop-down list. (Figure 8-29) Figure 8-29 Attribute Setting 1 Step 22. For Service-Type, select Framed from the Attribute value drop-down list. (Figure 8-30) Figure 8-30 Attribute Setting 2...
  • Page 194 Step 23. Go to Start > Settings > Control Panel > Administrative Tools, then select Computer Management. (Figure 8-31) Figure 8-31 Selecting “Computer Management” on the Start Menu Step 24. In the left column, go to Computer Management (Local) > System Tools >...
  • Page 195 Figure 8-32 Adding a User...
  • Page 196 RADIUS server: (Figure 8-33) Figure 8-33 The RADIUS Server Settings Note: 1. You may click Test Connection to detect the connection between CS-2001 and RADIUS server. Step 27. Under Policy Object > Authentication > Group, select RADIUS Server from the Available Authentication User column and then click Add.
  • Page 197 Step 28. Under Policy > Outgoing, set as below: (Figure 8-35)  Select the defined user group for Authentication User.  Click OK. (Figure 8-36) Figure 8-35 Applying the Authentication to a Policy Figure 8-36 The Completed Policy Settings Step 29. The authentication login screen will appear in the web browser with which a LAN user tries to surf the Internet.
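Steps 6, 7 and 18 only make sense with the RADIUS packet format in view: the CS-2001 is the RADIUS client (NAS), the shared secret entered in Step 7 is what hides the User-Password attribute and what signs the server's reply, and the Service-Type and Framed-Protocol values of Steps 16, 21 and 22 travel as attributes in the request. The following is an added example, not Planet's or Microsoft's code: a Python model of one PAP Access-Request/Access-Accept exchange built by hand from RFC 2865, with both sides in one process. The user name, password, secret and the 192.168.1.1 management address are constructed sample values.

```python
import hashlib
import os
import struct
from typing import Dict, Optional

# RFC 2865 codes and the attribute types that appear in the 8.2 walkthrough
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_PROTOCOL = 1, 2, 4, 6, 7
SERVICE_TYPE_FRAMED, FRAMED_PROTOCOL_PPP = 2, 1      # the values chosen in Steps 16, 21 and 22


def attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type (1 byte), Length (1 byte, header included), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    This is obfuscation keyed by the shared secret, not strong encryption."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def pap_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(user: str, password: str, secret: bytes, nas_ip: str,
                         ident: int = 1, authenticator: Optional[bytes] = None) -> bytes:
    """What the CS-2001 sends. nas_ip is its management address, the address
    registered as the RADIUS client in Step 6 (sample value here)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED))
             + attr(FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def server_respond(request: bytes, secret: bytes, users: Dict[str, str]) -> bytes:
    """The IAS side: recover the password, check it, and sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs[USER_NAME].decode(errors="replace")
    password = pap_decrypt(attrs[USER_PASSWORD], secret, req_auth).decode(errors="replace")
    code = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)          # no reply attributes in this example
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_verify(request: bytes, reply: bytes, secret: bytes) -> bool:
    """The client must check the Response Authenticator and the Identifier; otherwise
    anyone able to spoof a UDP packet from the server's address can forge an Access-Accept."""
    _, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    return ident == request[1] and reply[4:20] == expected


def authenticate(user: str, password: str, client_secret: bytes,
                 server_secret: bytes, users: Dict[str, str]) -> str:
    """Run one exchange in-process. A secret mismatch (Step 7 done wrong) shows up
    as a reply that does not verify, which the client must treat as failure."""
    request = build_access_request(user, password, client_secret, "192.168.1.1")
    reply = server_respond(request, server_secret, users)
    if not client_verify(request, reply, client_secret):
        return "invalid-reply"
    return "accept" if reply[0] == ACCESS_ACCEPT else "reject"
```

Two practical consequences follow from the code. A secret that differs by one character does not produce a clear error: the server recovers a garbage password, rejects it, and signs the rejection with a key the client cannot verify, so Test Connection (Step 26's note) is the quickest way to tell a bad secret from a bad account. And because User-Password is only MD5-keystream obfuscation, the shared secret and the path between the CS-2001 and the IAS server deserve the same protection as the passwords themselves.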
  • Page 198: Pop3 Authentication

    Step 1. Under Policy Object > Authentication > POP3, set as below: (Figure 8-38) Figure 8-38 The POP3 Server Settings Note: 1. You may click Test Connection to test the connection between CS-2001 and the POP3 server. Step 2. From Policy Object > Authentication > Group, select POP3 User from the Available Addresses column and then click Add.
  • Page 199 Figure 8-39 Adding POP3 User to an Authenticated Group...
  • Page 200 Step 3. Under Policy > Outgoing, set as below: (Figure 8-40)
    - Authentication: Select the user group.
    - Click OK. (Figure 8-41)
    Figure 8-40 Using POP3 Authentication in a Policy Figure 8-41 A Policy with POP3 Authentication Step 4. The authentication login screen appears in the web browser when a LAN user tries to access the Internet.
  • Page 201: Ldap Authentication

    8.4 LDAP Authentication 8.4.1 Regulating Internet Access with a Policy - An Example of Windows Server 2003 Built-in LDAP Server ※ The Configuration of the LDAP Server from Windows Server 2003 Step 1. Go to Start > Settings > Control Panel > Administrative Tools > Manage Your Server.
  • Page 202 Step 3. In the Preliminary Steps window, click Next. (Figure 8-44) Figure 8-44 Preliminary Steps Step 4. In the Server Role window, select Domain Controller (Active Directory) and click Next. (Figure 8-45) Figure 8-45 Server Role...
  • Page 203 Step 5. In the Summary of Selections window, click Next. (Figure 8-46) Figure 8-46 Summary of Selections Step 6. In the Active Directory Installation Wizard window, click Next. (Figure 8-47) Figure 8-47 Active Directory Installation Wizard...
  • Page 204 Step 7. In the Operating System Compatibility window, click Next. (Figure 8-48) Figure 8-48 Operating System Compatibility Step 8. In the Domain Controller Type window, select Domain controller for a new domain, then click Next. (Figure 8-49) Figure 8-49 Domain Controller Type...
  • Page 205 Step 9. In the Create New Domain window, select Domain in a new forest and click Next. (Figure 8-50) Figure 8-50 Creating a New Domain Step 10. In the New Domain Name window, enter the Full DNS name for new domain and then click Next.
  • Page 206 Step 11. In the NetBIOS Domain Name window, type a Domain NetBIOS name and then click Next. (Figure 8-52) Figure 8-52 The NetBIOS Domain Name Step 12. In the Database and Log Folders window, specify the pathname of the Database folder and the Log folder and then click Next. (Figure 8-53)...
  • Page 207 Step 13. In the Shared System Volume window, specify the Folder location and then click Next. (Figure 8-54) Figure 8-54 The Shared System Volume Step 14. In the DNS Registration Diagnostics window, select I will correct the problem later by configuring DNS manually (Advanced) and then click Next.
  • Page 208 Step 15. In the Permissions window, select Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems and then click Next. (Figure 8-56) Figure 8-56 Permissions Step 16. In the Directory Services Restore Mode Administrator Password window, enter the Restore Mode Password and Confirm password, and then click Next.
  • Page 209 Step 17. In the Summary window, click Next. (Figure 8-58) Figure 8-58 The Summary Step 18. Settings completed. (Figure 8-59) Figure 8-59 Settings Completed...
  • Page 210 Step 19. Go to Start > Programs > Administrative Tools > Active Directory Users and Computers. (Figure 8-60) Figure 8-60 Navigating to “Active Directory Users and Computers” on the Menu Step 20. In the Active Directory Users and Computers window, right-click Users, and then go to New >...
  • Page 211 Step 21. In the New Object–User window, apply your information to the fields, and then click Next. (Figure 8-62) Figure 8-62 New Object – User Settings Step 22. In the New Object – User window, enter the password, and then click Next.
  • Page 212 (Figure 8-65) Figure 8-65 LDAP Server Settings Note: 1. You may click Test Connection to detect the connection between CS-2001 and the LDAP server. 2. The LDAP User Name list shows the user names retrieved from the LDAP server; they may be grouped for authentication.
  • Page 213 Step 25. Go to Policy Object > Authentication > Group, then add LDAP User. (Figure 8-66) Figure 8-66 Adding the LDAP User...
  • Page 214 Step 26. Under Policy > Outgoing, set as below: (Figure 8-67)
    - Select the defined user group for Authentication User.
    - Click OK. (Figure 8-68)
    Figure 8-67 Using LDAP Authentication in a Policy Figure 8-68 A Policy with LDAP Authentication Step 27.
  • Page 215: Chapter 9 Application Blocking

    Chapter 9 Application Blocking Application Blocking regulates the control of Instant Messenger Login, File Transfer over IM, Peer-to-Peer Sharing, Multimedia Streaming, Web-Based Mail, Online Gaming, VPN Tunneling, Remote Controlling and Other Applications.
  • Page 216 Note: 1. Once the Proxy Server is deployed, the proxy settings under System > Configuration > Settings must be configured for the CS-2001 to access the Internet.
    - Instant Messenger Login: Regulates the use of MSN, Yahoo, ICQ/AIM, QQ, Skype, Google Talk, Gadu-Gadu, Rediff, WebIM, Alisoft, BaiduHi, SinaUC, Fetion, Facebook Chat, Comfrog.
  • Page 217
    - VPN Tunneling: Regulates the online usage of VNN Client, Ultra-Surf, Tor, Hamachi, HotSpot Shield and FreeGate.
    - Remote Controlling: Regulates the online usage of TeamViewer, VNC and Remote Desktop.
  • Page 218: Example

    9.1 Example
    - 9.1.1 (IM) Regulating the Use of IM Software ─ Messaging and File Transferring
    - 9.1.2 (P2P) Regulating the Use of P2P Software - Downloading and Uploading...
  • Page 219 9.1.1 Regulating the Use of IM Software ─ Messaging and File Transferring Step 1. Go to Policy Object > Application Blocking > Settings and set as below: (Figure 9-1)
    - Click New Entry.
    - Type a name in the Name field.
    - ...
  • Page 220 Figure 9-2 Settings Completed...
  • Page 221 Step 2. Under Policy > Outgoing, set as below: (Figure 9-3)
    - Application Blocking: Select the name of the Application Blocking setting.
    - Click OK. (Figure 9-4)
    Figure 9-3 Applying IM Blocking to a Policy Figure 9-4 A Policy with IM Blocking...
  • Page 222 9.1.2 Regulating the Use of P2P Software - Downloading and Uploading Step 1. Under Policy Object > Application Blocking > Settings, set as below: (Figure 9-5)
    - Click New Entry.
    - Type a name in the Name field.
    - Select Peer-to-Peer Sharing and tick Select All.
    - ...
  • Page 223 Figure 9-6 Settings Completed...
  • Page 224 Step 2. Under Policy > Outgoing, set as below: (Figure 9-7)
    - Application Blocking: Select the name of the Application Blocking Setting.
    - Click OK. (Figure 9-8)
    Figure 9-7 Enabling the P2P Blocking in a Policy Figure 9-8 A Policy with P2P Blocking Note: 1.
  • Page 225: Chapter 10 Virtual Server

    Chapter 10 Virtual Server Virtual server provides services to external users by mapping a real IP address from a WAN port on the CS-2001 to a private IP address within the LAN.
    - Mapped IPs: Uses Network Address Translation (NAT) to map a real IP address to a private IP address (one-to-one mapping) to provide any service (ports 0-65535).
  • Page 226 Terms in Virtual Server
    - WAN IP: The real IP address of the WAN.
    - Map to Virtual IP: The private network address of a server in the LAN.
    - Server Real IP: The real IP address used by the virtual server.
    - Service: ...
  • Page 227: Example

    10.1 Example
    - 10.1.1 (Mapped IPs) Using a Server to Provide FTP, Web and Mail Services through the Regulation of a Policy
    - 10.1.2 (Port Mapping) Using Multiple Virtual Servers to Host a Web Site through the Regulation of a Policy
    - 10.1.3 (Port Mapping) A VoIP Session Between an External and Internal User...
  • Page 228 10.1.1 Using a Server to Provide FTP, Web and Mail Services through the Regulation of a Policy Step 1. Setup a server in the LAN which provides FTP, web and mail services; configure its IP address as 192.168.1.100 and its Preferred DNS server address as that of the external DNS server.
  • Page 229 Step 4. Go to Policy Object > Service > Group, and create a group called Main_Service containing all of the server’s services e.g. DNS, FTP, HTTP, POP3, SMTP, etc. Create another group called Mail_Service comprising the services for enabling the server to send emails. (Figure 10-3)...
  • Page 230 Step 6. Under Policy > Outgoing, set as below: (Figure 10-6)
    - Source Address: Select the LAN address.
    - Service: Select Mail_Service.
    - Click OK. (Figure 10-7)
    Figure 10-6 Configuring an Outgoing Policy Figure 10-7 The Completed Policy Settings Important: 1.
  • Page 231 Step 7. The completed settings. (Figure 10-8) Figure 10-8 The Server Providing Multiple Services Note: 1. It is strongly recommended not to select ANY for Service when configuring a policy, especially when using a Mapped IP: a Mapped IP forwards every port (0-65535) to the server, so with ANY every service running on it becomes reachable, and an attacker could use any of them as a way into the server.
  • Page 232 10.1.2 Using Multiple Virtual Servers to Host a Web Site through the Regulation of a Policy Step 1. Set up multiple web servers in the LAN using the IP addresses: 192.168.1.101, 192.168.1.102, 192.168.1.103 and 192.168.1.104. Step 2. Under Policy Object > Virtual Server > Port Mapping, set as below: (Figure 10-9)...
  • Page 233 Figure 10-9 Setting Virtual IP Figure 10-10 The Completed Virtual IP Settings...
  • Page 234 Step 3. Under Policy > Incoming, set as below: (Figure 10-11)
    - Destination IP: Select the Virtual IP setting.
    - Service: Select HTTP(8080).
    - Click OK. (Figure 10-12)
    Figure 10-11 Applying the Service to Policy Figure 10-12 The Completed Policy Setting Note:...
  • Page 235 Step 4. Settings completed. (Figure 10-13) Figure 10-13 Multiple Servers Hosting a Single Website...
  • Page 236 10.1.3 A VoIP Session Between an External and Internal User (VoIP Ports: TCP 1720, TCP 15321-15333 and UDP 15321-15333) Step 1. Configure internal VoIP user with the IP address: 192.168.1.100. Step 2. Under Policy Object > Address > LAN, set as below: (Figure 10-14)...
  • Page 237 Step 4. Under Policy Object > Virtual Server > Port Mapping, set as below: (Figure 10-16)
    - Name: Enter the name for the Virtual IP setting.
    - Server Real IP: Select Port 2 (WAN1) and type 61.11.11.12 in the field, or click Assist Me to select an IP address.
  • Page 238 Step 5. Under Policy > Incoming, set as below: (Figure 10-18)
    - Destination IP: Select the virtual server setting.
    - Service: Select the custom service setting.
    - Click OK. (Figure 10-19)
    Figure 10-18 Applying the Service to the Policy Figure 10-19 The Completed Policy Setting...
  • Page 239 Step 6. Under Policy > Outgoing, set as below: (Figure 10-20)
    - Source IP: Select the address setting.
    - Service: Select the service setting.
    - Action: Select Port2 (WAN1).
    - Click OK. (Figure 10-21)
    Figure 10-20 Setting an Outgoing Policy Figure 10-21 The Completed Settings Important:...
  • Page 240 Step 7. A VoIP session created between an internal and external user. (Figure 10-22) Figure 10-22 The Completed VoIP Setup...
  • Page 241 10.1.4 Using Multiple Virtual Servers to Provide HTTP, POP3, SMTP and DNS Services through the Regulation of a Policy Step 1. Set up multiple servers in the LAN with the IP addresses 192.168.1.101, 192.168.1.102, 192.168.1.103 and 192.168.1.104, and configure their preferred DNS server address as that of the external DNS server.
  • Page 242 Figure 10-25 A Created Group Service...
  • Page 243 Step 4. Under Policy Object > Virtual Server > Port Mapping, set as below: (Figure 10-26)
    - Name: Enter the name for the setting.
    - Server Real IP: Select Port3 (WAN2) and type “211.22.22.23” in the field, or click Assist Me to select an IP address.
    - ...
  • Page 244 Step 5. Go to Policy > Incoming and then set as below: (Figure 10-28)
    - Select the virtual server setting for Destination IP.
    - Select Main_Service for Service.
    - Click OK. (Figure 10-29)
    Figure 10-28 Configuring an Incoming Policy Figure 10-29 Policy Completed...
  • Page 245 Step 6. Go to Policy > Outgoing and set as below: (Figure 10-30)
    - Select the defined rule from the Source Address drop-down list.
    - Select Mail_Service from the Service drop-down list.
    - Click OK. (Figure 10-31)
    Figure 10-30 Configuring an Outgoing Policy Figure 10-31 Policy Completed Important:...
  • Page 246 Step 7. Settings completed. (Figure 10-32) Figure 10-32 Settings Completed...
  • Page 247: Chapter 11 VPN

    Chapter 11 VPN To obtain a private and secure network link, the CS-2001 is capable of establishing VPN connections. When used in combination with remote client authentication, it links the business’ remote sites and users, conveniently providing the enterprise with an encrypted network communication method. By allowing the...
  • Page 248 Terms in VPN Diffie-Hellman • A cryptographic protocol that allows two parties that have no prior knowledge of each other to establish a shared secret key over an insecure communications channel. • RSA is a kind of asymmetric cryptography. It involves a public and a private key.
  • Page 249 AH (Authentication Header) • The Authentication Header guarantees connectionless integrity and data origin authentication of IP datagrams. ESP (Encapsulating Security Payload) • The Encapsulating Security Payload provides confidentiality and integrity protection to IP datagrams. DES (Data Encryption Standard) •...
  • Page 250 Extended Authentication (XAuth) • XAuth provides an additional level of authentication. It uses a Request/Reply mechanism to provide the extended authentication. XAuth is also referred to as two-factor authentication. Note: 1. The Account Name under Extended Authentication (XAuth) are the accounts listed under Policy >...
  • Page 251 Terms in One-Step IPSec One-Step IPSec • One-Step IPSec takes only one step to complete the settings. • Go to Policy Object > VPN > One-Step IPSec, and then refer to the following to configure: • Type a name for the connection in the Name field. (Figure 11-1)...
  • Page 252 Figure 11-3 The Automatically Created IPSec Policy Figure 11-4 The Corresponding Outgoing Policy Figure 11-5 The Corresponding Incoming Policy Note: 1. One-Step IPSec uses default settings (listed below) for most configurations to simplify the procedure of creating a VPN connection with IPSec encryption: •...
  • Page 253 Terms in VPN Wizard: VPN Wizard • It simplifies the settings of a VPN connection. • Under Policy Object > VPN > VPN Wizard, set as below: • Select a connection method and then click Next. (Figure 11-6) • Create a policy for the VPN connection. Click Next when finished. (Figure 11-7)...
  • Page 254 Figure 11-9 Applying Available VPN Trunk to the Policy Figure 11-10 Setting Completed Figure 11-11 An Outgoing Policy Completed Figure 11-12 An Incoming policy Completed...
  • Page 255 Figure 11-13 IPSec Autokey Screen Note: 1. By default, CS-2001 will create an IPSec VPN connection using Dead Peer Detection. If Remote Gateway – Fixed IP or Domain Name has been specified, then the IT administrator may manually create an IPSec VPN connection.
  • Page 256 Click Modify to modify the settings, or click Remove to remove the settings. (Figure 11-14) Figure 11-14 PPTP Server Screen Note: 1. By default, CS-2001 will create a PPTP VPN connection using Echo-Request. If Manual Disconnect is ticked, then the IT administrator shall be able to disconnect the connection manually.
  • Page 257 Click Modify to modify the setting, or click Remove to remove the setting. (Figure 11-15) Figure 11-15 PPTP Client Screen Note: 1. By default, CS-2001 will create a PPTP VPN connection using Echo-Request. If Manual Connection is ticked, then the IT administrator shall be able to create a connection manually.
  • Page 258 1. Enabling the trunk load balancing feature allows the packets of a session to be load-balanced across a VPN trunk to increase the link speed. The load balancing algorithm specified under Network > Interface > Load Balancing Mode is applied to load balance between two CS-2001 units.
  • Page 259 Terms in Trunk Name • The description of the VPN trunk. Note: the name must be unique. Group Member • The groups that are subject to the VPN Trunk rule. Configuration • Click Modify to change the configuration of the VPN trunk; click Remove to remove the setting.
  • Page 260: Example

    11.1 Example Settings Scenario Page 11.1.1 IPSec Autokey Using Two CS-2001 Devices to Mutually Access the Resources of Two Subnets via an IPSec VPN Connection 11.1.2 IPSec Autokey Creating an IPSec VPN Connection under Windows 2000 by a CS-2001 Device 11.1.3 IPSec Autokey Creating an IPSec VPN Connection between Two...
  • Page 261 Configure Port2 as WAN1 (211.22.22.22) and connect it to the ADSL Termination Unit Remote (ATUR) to access the Internet. Multiple subnet: 192.168.85.1. IP address range: 192.168.85.x/24 This example uses two CS-2001 devices to establish a VPN connection between A Company and B Company. For A Company, set as below: Step 1.
  • Page 262 Step 3. Select Remote Gateway (Static IP or Hostname) for Remote Settings, and enter the management address of B Company. (Figure 11-20) Figure 11-20 Remote Settings...
  • Page 263 Step 4. Select “Pre-Shared Key” for Authentication Method, and enter a Pre-Shared Key String. (The maximum length of Pre-Shared Key String is 103 characters.) (Figure 11-21) Figure 11-21 Authentication Method Settings Step 5. Below Encryption and Data Integrity Algorithms, select “3DES” for Encryption Algorithm;...
  • Page 264 Step 8. Settings completed. (Figure 11-25) Figure 11-25 IPSec Autokey Settings Completed Step 9. Under Policy Object > VPN > Trunk, set as below: (Figure 11-26) • Name: Type a name. • Local Settings: Select “LAN”. Local IP / Netmask: Type “192.168.10.0”...
  • Page 265 Figure 11-26 VPN Trunk Settings Figure 11-27 VPN Trunk Created Step 10. Under Policy > Outgoing, set as below: (Figure 11-28) • Select the defined trunk for VPN Trunk. • Click OK. (Figure 11-29) Figure 11-28 Configuring a Policy with VPN Trunk Figure 11-29 Policy Created...
  • Page 266 Step 11. Under Policy > Incoming, set as below: (Figure 11-30) • Select the defined trunk for VPN Trunk. • Click OK. (Figure 11-31) Figure 11-30 Creating an Incoming Policy with VPN Trunk Figure 11-31 An Incoming Policy with VPN Trunk Note:...
  • Page 267 For B Company, set as below: Step 1. Under System > Configuration > Multiple Subnets, set as below: (Figure 11-32) Figure 11-32 Multiple Subnet Settings Step 2. Go to Policy Object > VPN > IPSec Autokey, and then click New Entry. (Figure 11-33)...
  • Page 268 Step 5. Select “Pre-Shared Key” for Authentication Method, and enter a Pre-Shared Key String. ( The maximum length of Pre-Shared Key String is 103 characters.) (Figure 11-36) Figure 11-36 Authentication Method Settings Step 6. Below Encryption and Data Integrity Algorithms, select “3DES” for Encryption Algorithm;...
  • Page 269 Step 9. Settings completed. (Figure 11-40) Figure 11-40 IPSec Autokey Settings Completed Step 10. Under Policy Object > VPN > Trunk, click New Entry and then set as below: (Figure 11-41) • Name: Type a name. • Local Settings: Check “LAN”. Local IP / Netmask: Type “192.168.85.0”...
  • Page 270 Figure 11-41 VPN Trunk Settings Figure 11-42 VPN Trunk Created...
  • Page 271 Step 11. Under Policy > Outgoing, click New Entry and then set as below: (Figure 11-43) • Select the defined Trunk for VPN Trunk. • Click OK. (Figure 11-44) Figure 11-43 Using VPN Trunk in an Outgoing Policy Figure 11-44 An Outgoing Policy with VPN Trunk...
  • Page 272 Step 12. Under Policy > Incoming, click New Entry and then set as below: (Figure 11-45) • Select the defined trunk for VPN Trunk. • Click OK. (Figure 11-46) Figure 11-45 Creating an Incoming Policy with VPN Trunk Figure 11-46 An Incoming Policy with VPN Trunk...
  • Page 273 Step 13. Settings completed. (Figure 11-47) Figure 11-47 Deployment of IPSec VPN...
  • Page 274 11.1.2 Creating an IPSec VPN Connection under Windows 2000 by a CS-2001 Device Prerequisite Setup (Note: IP addresses used as examples only) A Company uses a CS-2001 device: Configure Port1 as LAN1 (192.168.10.1). IP address range: 192.168.10.x/24 Configure Port2 as WAN1 (61.11.11.11) and connect it to the ADSL Termination Unit Remote to access the Internet.
  • Page 275 11-50) Figure 11-50 Remote Settings Step 4. Select “Pre-Shared Key” for Authentication Method, and enter a Pre-Shared Key String. (The maximum length of Pre-Shared Key String is 103 characters.) (Figure 11-51) Figure 11-51 Authentication Method Settings Step 5. Below Encryption and Data Integrity Algorithms, select “3DES” for Encryption Algorithm;...
  • Page 276 Figure 11-54 Advanced Settings of IPSec Autokey Step 8. Settings completed. (Figure 11-55) Figure 11-55 IPSec Autokey Settings Completed Step 9. Under Policy Object > VPN > Trunk, set as below: (Figure 11-56) • Name: Type a name. • Local Settings: Select “LAN”. Local IP / Netmask: Type “192.168.10.0”...
  • Page 277 Figure 11-56 VPN Trunk Settings Figure 11-57 VPN Trunk Created...
  • Page 278 Step 10. Under Policy > Outgoing, set as below: (Figure 11-58) • Select the defined trunk for VPN Trunk. • Click OK. (Figure 11-59) Figure 11-58 Creating an Outgoing Policy with VPN Trunk Figure 11-59 Policy Completed...
  • Page 279 Step 11. Under Policy > Incoming, set as below: (Figure 11-60) • Select the defined trunk for VPN Trunk. • Click OK. (Figure 11-61) Figure 11-60 Creating an Incoming Policy with VPN Trunk Figure 11-61 Policy Completed...
  • Page 280 For B Company, set as below: Step 1. Select Start > Run on the Start menu in Windows 2000. (Figure 11-62) Figure 11-62 Selecting “Run…” on the Start Menu Step 2. In the Open field of the Run window, type “mmc”. (Figure 11-63)...
  • Page 281 Step 3. In the Console 1 window, click Console on the menu bar, and then click Add/Remove Snap-in. (Figure 11-64) Figure 11-64 Selecting “Add / Remove Snap-in” on the Console Menu Step 4. In the Add / Remove Snap-in window, click Add. Then, in the Add Standalone Snap-ins window, select IP Security Policy Management and add it.
  • Page 282 Step 5. Select Local Computer, and then click Finish. (Figure 11-66) Figure 11-66 Selecting Local Computer Step 6. Settings completed. (Figure 11-67) Figure 11-67 Settings Completed...
  • Page 283 Step 7. Right-click the IP Security Policies on Local Machine, and then click Create IP Security Policy. (Figure 11-68) Figure 11-68 Creating an IP Security Policy Step 8. Click Next. (Figure 11-69) Figure 11-69 Security Policy Wizard...
  • Page 284 Step 9. Type the Name and Description and then click Next. (Figure 11-70) Figure 11-70 Name and Description Settings Step 10. Disable Activate the default response rule and then click Next. (Figure 11-71) Figure 11-71 Disable the “Activate the Default Response Rule”...
  • Page 285 Step 11. In the IP Security Policy Wizard window, tick Edit properties and click Finish. (Figure 11-72) Figure 11-72 Settings Completed Step 12. In the VPN_B Properties window, disable Use Add Wizard and then click Add. (Figure 11-73)...
  • Page 286 Figure 11-73 VPN_B Properties...
  • Page 287 Step 13. In the New Rule Properties window, click Add. (Figure 11-74) Figure 11-74 New Rule Properties Step 14. In the IP Filter List window, disable Use Add Wizard. Change the Name into “VPN_B WAN TO LAN” and then click Add. (Figure 11-75)...
  • Page 288 Figure 11-75 Adding an IP Filter...
  • Page 289 Step 15. In the Filter Properties window, select “A specific IP Address” for Source address, and then apply B Company’s WAN IP address “211.22.22.22” and subnet mask “255.255.255.255” to the fields. After that, select “A specific IP Subnet” for Destination address, and then type “192.168.10.0”...
  • Page 290 Figure 11-77 IP Filter Added...
  • Page 291 Step 17. In the New Rule Properties window, click Filter Action tab and then tick Require Security. Next, click Edit. (Figure 11-78) Figure 11-78 Selecting Filter Action Step 18. In the Require Security Properties window, tick “Session Key Perfect Forward Secrecy” on the bottom. (Figure 11-79)...
  • Page 292 Figure 11-79 Ticking the “Session Key Perfect Forward Secrecy”...
  • Page 293 Step 19. Select the security method (Custom / None / 3DES / MD5), and then click Edit. (Figure 11-80) Figure 11-80 Selecting a Security Method to Edit Step 20. Select Custom (for expert users), and then click Settings. (Figure 11-81)...
  • Page 294 Figure 11-81 Modifying Security Method...
  • Page 295 Step 21. Tick Data integrity and encryption, and select “MD5” for Integrity algorithm and “3DES” for Encryption algorithm. Tick Generate a new key every, and enter “28800” in the seconds field, and then click OK to return to the New Rule Properties window. (Figure 11-82)...
  • Page 296 Figure 11-83 Selecting the Connection Type...
  • Page 297 Step 23. In the New Rule Properties window, click Tunnel Setting tab. After that, tick The tunnel endpoint is specified by this IP Address, and then enter “61.11.11.11” as the WAN IP address of A Company. (Figure 11-84) Figure 11-84 Tunnel Setting Step 24.
  • Page 298 Figure 11-85 Authentication Methods Settings...
  • Page 299 Step 25. Select Use this string to protect the key exchange (preshared key), and then enter the preshared key “123456789” in the field. (Figure 11-86) Figure 11-86 Preshared Key Settings...
  • Page 300 Step 26. Click Apply, and then click Close to close the window. (Figure 11-87) Figure 11-87 Authentication Methods Settings...
  • Page 301 Step 27. Settings completed. (Figure 11-88) Figure 11-88 Settings Completed...
  • Page 302 Step 28. In the VPN_B Properties window, disable Use Add Wizard; click Add to create the second IP security rule. (Figure 11-89) Figure 11-89 VPN_B Properties Settings...
  • Page 303 Step 29. In the New Rule Properties window, click Add. (Figure 11-90) Figure 11-90 Clicking “Add…” to Add an IP Filter...
  • Page 304 Step 30. In the IP Filter List window, disable Use Add Wizard. Change the Name into “VPN_B LAN TO WAN”, and then click Add. (Figure 11-91) Figure 11-91 Adding an IP Filter...
  • Page 305 Step 31. In the Filter Properties window, select “A specific IP Subnet” for Source address, and then type “192.168.10.0” as A Company’s subnet address and “255.255.255.0” as subnet mask. After that, select “A specific IP Address” for Destination address, and then type “211.22.22.22” as B Company’s WAN IP address and “255.255.255.255”...
  • Page 306 Step 32. Settings completed. (Figure 11-93) Figure 11-93 IP Filter Added...
  • Page 307 Step 33. In the New Rule Properties window, click the Filter Action tab; tick Require Security and then click Edit. (Figure 11-94) Figure 11-94 Filter Action Settings Step 34. In the Require Security Properties window, tick Session key Perfect Forward Secrecy at the bottom. (Figure 11-95)...
  • Page 308 Figure 11-95 Ticking the “Session Key Perfect Forward Secrecy”...
  • Page 309 Step 35. Select the security method (Custom / None / 3DES / MD5), and then click Edit. (Figure 11-96) Figure 11-96 Security Methods Settings Step 36. Select “Custom (for expert users)”, and then click Settings. (Figure 11-97)...
  • Page 310 Figure 11-97 Modifying Security Method...
  • Page 311 Step 37. Check Data integrity and encryption, and select “MD5” for Integrity algorithm and “3DES” for Encryption algorithm. Tick Generate a new key every, and type “28800” in the seconds field, and then click OK to return to the New Rule Properties window (Figure 11-98)...
  • Page 312 Step 38. In the New Rule Properties window, click Connection Type tab and tick All network connections. (Figure 11-99) Figure 11-99 Selecting the Connection Type...
  • Page 313 Step 39. In the New Rule Properties window, click Tunnel Setting tab. After that, tick The tunnel endpoint is specified by this IP Address, and then type “211.22.22.22” as the WAN IP address of B Company. (Figure 11-100) Figure 11-100 Tunnel Settings...
  • Page 314 Step 40. In the New Rule Properties window, click Authentication Methods tab. Next, select the method “Kerberos” and then click Edit on the right. (Figure 11-101) Figure 11-101 Authentication Methods Settings...
  • Page 315 Step 41. Select Use this string to protect the key exchange (preshared key), and then enter the preshared key “123456789” in the field. (Figure 11-102) Figure 11-102 Preshared Key Settings...
  • Page 316 Step 42. Click Apply, and then click Close to close the window. (Figure 11-103) Figure 11-103 New Authentication Method Created...
  • Page 317 Step 43. Settings completed. (Figure 11-104) Figure 11-104 Settings Completed...
  • Page 318 Step 44. In the VPN_B Properties window, click General tab and then click Advanced. (Figure 11-105) Figure 11-105 General Settings of VPN_B Properties...
  • Page 319 Step 45. Tick Master Key Perfect Forward Secrecy and then click Methods. (Figure 11-106) Figure 11-106 Key Exchange Settings Step 46. Click Move up or Move down to arrange the order of selected item. Move the item “IKE / 3DES / MD5” to the top, and then click OK. (Figure 11-107)...
  • Page 320 Step 47. Settings completed. (Figure 11-108) Figure 11-108 IPSec VPN Settings Completed Step 48. Right-click VPN_B and move to Assign, and then click it. (Figure 11-109) Figure 11-109 Assigning a Security Rule to VPN_B...
  • Page 321 Step 49. Select Start > Settings > Control Panel on the Start menu, and then click it. (Figure 11-110) Figure 11-110 Selecting “Control Panel” on the Start Menu Step 50. In the Control Panel window, double-click Administrative Tools. (Figure 11-111) Figure 11-111 Double-Clicking “Administrative Tools”...
  • Page 322 Step 51. In the Administrative Tools window, double-click Services. (Figure 11-112) Figure 11-112 The Services Window Step 52. In the Services window, right-click IPSec Policy Agent and move to Restart, and then click it. (Figure 11-113) Figure 11-113 Restarting IPSec Policy Agent...
  • Page 323 Step 53. Settings completed. (Figure 11-114) Figure 11-114 Deployment of IPSec VPN Using CS-2001 and Windows 2000...
  • Page 324 Configure Port2 as WAN1 (211.22.22.22) and connect it to the ADSL Termination Unit Remote (ATUR) to access the Internet. This example uses two CS-2001 devices to establish a VPN connection between A Company and B Company (using aggressive mode). For A Company, set as below: Step 1.
  • Page 325 and enter the management address of B Company. (Figure 11-117) Figure 11-117 Remote Settings...
  • Page 326 Step 4. Select “Pre-Shared Key” for Authentication Method, and enter a Pre-Shared Key String. (The maximum length of the Pre-Shared Key String is 103 characters.) (Figure 11-118) Figure 11-118 Authentication Method Settings Step 5. Below Encryption and Data Integrity Algorithms, select “3DES” for Encryption Algorithm;...
  • Page 327 Step 8. Select “Aggressive mode” for Mode. Enter 11.11.11.11 in the My ID field and then enter @abc123 in the Peer ID field. (Figure 11-122) Figure 11-122 Mode Settings Note: 1. My ID / Peer ID Settings: • The ID will be the same as the WAN IP if you leave the field blank. •...
  • Page 328 Step 10. Under Policy Object > VPN > Trunk, set as below: (Figure 11-124) • Name: Type a name. • Local Settings: Select “LAN”. Local IP / Netmask: Type “192.168.10.0” as A Company’s subnet address and “255.255.255.0” as Mask. • Remote Settings: Select Remote IP / Netmask.
  • Page 329 Step 11. Under Policy > Outgoing, click New Entry and then set as below: (Figure 11-126) • Select the defined trunk from the VPN Trunk drop-down list. • Click OK. (Figure 11-127) Figure 11-126 Configuring an Outgoing Policy with VPN Trunk Figure 11-127 An Outgoing Policy with VPN Trunk...
  • Page 330 Step 12. Under Policy > Incoming, click New Entry and then set as below: (Figure 11-128) • Select the defined trunk from the VPN Trunk drop-down list. • Click OK. (Figure 11-129) Figure 11-128 Configuring an Incoming Policy with VPN Trunk Figure 11-129 An Incoming Policy with VPN Trunk...
  • Page 331 For B Company, set as below: Step 1. Under Policy Object > VPN > IPSec Autokey, click New Entry and then set as below: (Figure 11-130) Figure 11-130 IPSec Autokey Screen Step 2. Enter ipsec2 in the Name field and then select Port2 (WAN1) for WAN Interface.
  • Page 332 Step 5. Below Encryption and Data Integrity Algorithms, select “3DES” for Encryption Algorithm; select “SHA1” for Authentication Algorithm; select “DH 2” for Key Group. (Figure 11-134) Figure 11-134 ISAKMP Algorithm Settings...
  • Page 333 Step 6. Configure the settings under IPSec Algorithm. Select “3DES” for Encryption Algorithm and “MD5” for Authentication Algorithm. (Figure 11-135) Figure 11-135 IPSec Algorithm Settings Step 7. Select “Group 1” for PFS Key Group. Enter “3600” in the ISAKMP SA Lifetime field and “28800”...
  • Page 334 Step 10. Select Policy Object > VPN > Trunk, click New Entry and then set as below: (Figure 11-139) • Name: Type a name. • Local Settings: Select “LAN”. Local IP / Netmask: Type “192.168.20.0” as B Company’s subnet address and “255.255.255.0” as Mask.
  • Page 335 Figure 11-140 VPN Trunk Created...
  • Page 336 Step 11. Under Policy > Outgoing, click New Entry and then set as below: (Figure 11-141) • Select the defined trunk for VPN Trunk. • Click OK. (Figure 11-142) Figure 11-141 Configuring an Outgoing Policy with VPN Trunk Figure 11-142 Policy Completed...
  • Page 337 Step 12. Under Policy > Incoming, click New Entry and then set as below: (Figure 11-143) • Select the defined trunk for VPN Trunk. • Click OK. (Figure 11-144) Figure 11-143 Configuring an Incoming Policy with VPN Trunk Figure 11-144 Policy Completed...
  • Page 338 Step 13. Settings completed. (Figure 11-145) Figure 11-145 Deployment of IPSec VPN Using Aggressive Mode...
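The IPSec Autokey examples in 11.1.1 to 11.1.3 all configure the same kind of proposal: 3DES with MD5 or SHA1 for the ISAKMP phase, DH group 1 or 2, 3DES/MD5 for the IPSec phase, PFS group 1, SA lifetimes of 3600 and 28800 seconds, main or aggressive mode, and a pre-shared key such as “123456789”. The checker below is an added example and is not part of the CS-2001 manual or of PLANET's software. It models those settings in a constructed data structure (the field names are the example's own, not the gateway's configuration format) and reports which choices fall below current guidance: AES and SHA-2 instead of 3DES and MD5, DH groups of at least 2048 bits (group 14), main mode, and a long pre-shared key. The thresholds it applies are stated as assumptions in the code.

```python
"""Added example (not from the CS-2001 manual): review an IPSec Autokey proposal
against current algorithm guidance. Field names and thresholds are this example's
own assumptions, not the gateway's configuration format."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed thresholds: DES/3DES and MD5 are deprecated, SHA-1 is legacy,
# MODP groups below 2048 bits (DH group 14) are too small, a pre-shared key
# shorter than 20 characters is easy to guess. 103 is the manual's stated maximum.
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_HASH = {"MD5"}
LEGACY_HASH = {"SHA1"}
MIN_DH_GROUP = 14
MIN_PSK_LENGTH = 20
MAX_PSK_LENGTH = 103
MAX_IPSEC_SA_LIFETIME = 86400  # seconds

Finding = Tuple[str, str]  # (severity, message)


@dataclass
class IPsecProposal:
    """One IPSec Autokey entry, mirroring the fields the manual's steps fill in."""
    name: str
    isakmp_encryption: str           # ISAKMP Algorithm > Encryption Algorithm
    isakmp_hash: str                 # ISAKMP Algorithm > Authentication Algorithm
    isakmp_dh_group: int             # ISAKMP Algorithm > Key Group ("DH n")
    ipsec_encryption: Optional[str]  # None when "Use authentication algorithm only"
    ipsec_hash: str                  # IPSec Algorithm > Authentication Algorithm
    pfs_group: Optional[int]         # Advanced Settings > PFS Key Group, None = no PFS
    isakmp_sa_lifetime: int          # seconds
    ipsec_sa_lifetime: int           # seconds
    mode: str                        # "main" or "aggressive"
    psk: str                         # Pre-Shared Key String


def review(p: IPsecProposal) -> List[Finding]:
    """Return the findings a defender would raise against one proposal."""
    f: List[Finding] = []
    for phase, enc in (("ISAKMP", p.isakmp_encryption), ("IPSec", p.ipsec_encryption)):
        if enc is None:
            f.append(("high", f"{phase}: authentication only, traffic is sent without confidentiality"))
        elif enc.upper() in WEAK_ENCRYPTION:
            f.append(("high", f"{phase}: {enc} is deprecated, use AES-128 or stronger"))
    for phase, h in (("ISAKMP", p.isakmp_hash), ("IPSec", p.ipsec_hash)):
        hu = h.upper().replace("-", "")
        if hu in WEAK_HASH:
            f.append(("high", f"{phase}: {h} is deprecated, use SHA-256 or stronger"))
        elif hu in LEGACY_HASH:
            f.append(("medium", f"{phase}: {h} is legacy, prefer SHA-256"))
    if p.isakmp_dh_group < MIN_DH_GROUP:
        f.append(("high", f"ISAKMP: DH group {p.isakmp_dh_group} is below 2048-bit MODP (group {MIN_DH_GROUP})"))
    if p.pfs_group is None:
        f.append(("medium", "IPSec: PFS disabled, a recovered ISAKMP key exposes every child SA"))
    elif p.pfs_group < MIN_DH_GROUP:
        f.append(("high", f"IPSec: PFS group {p.pfs_group} is below 2048-bit MODP (group {MIN_DH_GROUP})"))
    if p.mode.lower() == "aggressive":
        f.append(("medium", "Mode: aggressive mode sends identities unprotected, use main mode"))
    if not (MIN_PSK_LENGTH <= len(p.psk) <= MAX_PSK_LENGTH):
        f.append(("high", f"PSK: length {len(p.psk)} is outside {MIN_PSK_LENGTH}-{MAX_PSK_LENGTH} characters"))
    if p.ipsec_sa_lifetime > MAX_IPSEC_SA_LIFETIME:
        f.append(("low", "IPSec SA lifetime exceeds 24 hours"))
    return f


def count_by_severity(findings: List[Finding]) -> dict:
    counts: dict = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed inputs. MANUAL_EXAMPLE uses the values from 11.1.1/11.1.2 (3DES, MD5,
# DH 1, PFS group 1, PSK "123456789"); AGGRESSIVE_EXAMPLE uses the 11.1.3 B Company
# values (3DES/SHA1/DH 2, aggressive mode) with a constructed 24-character PSK;
# HARDENED_EXAMPLE is the corrected counterpart.
MANUAL_EXAMPLE = IPsecProposal("VPN_01", "3DES", "MD5", 1, "3DES", "MD5", 1,
                               3600, 28800, "main", "123456789")
AGGRESSIVE_EXAMPLE = IPsecProposal("ipsec2", "3DES", "SHA1", 2, "3DES", "MD5", 1,
                                   3600, 28800, "aggressive", "constructed-psk-24chars!")
HARDENED_EXAMPLE = IPsecProposal("VPN_01", "AES-256", "SHA-256", 14, "AES-256", "SHA-256", 14,
                                 3600, 28800, "main", "Xq7!vR2$mL9#pW4&zT6^bN8*cK1%")

if __name__ == "__main__":
    for proposal in (MANUAL_EXAMPLE, AGGRESSIVE_EXAMPLE, HARDENED_EXAMPLE):
        findings = review(proposal)
        print(f"{proposal.name} ({proposal.mode}): {count_by_severity(findings) or 'no findings'}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Run stand-alone, the script lists seven high findings for the manual's values, five high and two medium for the aggressive-mode variant, and none for the hardened one; the same structure is easy to feed from an exported configuration once the field mapping is known.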
  • Page 339 A Company’s WAN port 1 and B Company’s WAN port 1; A Company’s WAN port 2 and B Company’s WAN port 2. This example uses two CS-2001 devices. Assume that A Company wants to create a VPN connection with B Company in order to access files. (GRE / IPSec package...
  • Page 340 For A Company, set as below: Step 1. Go to Policy Object > VPN > IPSec Autokey, and then click New Entry. (Figure 11-146) Figure 11-146 IPSec Autokey Screen Step 2. Enter VPN_01 in the Name field and then select Port2 (WAN1) for the WAN Interface.
  • Page 341 Step 6. Select Use both algorithms below the IPSec Algorithm, or tick Use authentication algorithm only. If Use both algorithms is ticked, select “3DES” for Encryption Algorithm and “MD5” for Authentication Algorithm. (Figure 11-151) Figure 11-151 IPSec Algorithm Settings Step 7. Select “Group 1” for PFS Key Group. Enter “3600” in the ISAKMP SA Lifetime field and “28800”...
  • Page 342 Step 9. Setting completed. (Figure 11-154) Figure 11-154 IPSec Autokey Settings Completed Step 10. Select Policy Object > VPN > IPSec Autokey, and then click New Entry. Step 11. Type VPN_02 in the Name field and then select Port3(WAN2) for the WAN Interface.
  • Page 343 Step 14. Under the ISAKMP Algorithm section, select “3DES” for Encryption Algorithm; select “MD5” for Authentication Algorithm; select “DH 1” for Key Group. (Figure 11-159) Figure 11-159 ISAKMP Algorithm Settings Step 15. Select Use both algorithms below the IPSec Algorithm, or tick Use authentication algorithm only.
  • Page 344 Step 18. Settings completed. (Figure 11-163) Figure 11-163 IPSec Autokey Settings Completed Step 19. Under Policy Object > VPN > Trunk, set as below: (Figure 11-164) • Name: Type a name. • Local Settings: Select “LAN”. Local IP / Netmask: Type “192.168.10.0”...
  • Page 345 Figure 11-164 VPN Trunk Settings Figure 11-165 VPN Trunk Created...
  • Page 346 Step 20. Under Policy > Outgoing, click New Entry and then set as below: (Figure 11-166) • Select the defined trunk for VPN Trunk. • Click OK. (Figure 11-167) Figure 11-166 Configuring an Outgoing Policy with VPN Trunk Figure 11-167 Policy Completed...
  • Page 347 Step 21. Under Policy > Incoming, click New Entry and then set as below: (Figure 11-168) • Select the defined trunk for VPN Trunk. • Click OK. (Figure 11-169) Figure 11-168 Configuring an Incoming Policy with VPN Trunk Figure 11-169 An Incoming Policy with VPN Trunk Completed...
  • Page 348 For B Company, set as below: Step 1. Go to Policy Object > VPN > IPSec Autokey, and then click New Entry. (Figure 11-170) Figure 11-170 IPSec Autokey Screen Step 2. Type VPN_01 in the Name field and then select Port2(WAN1) for WAN Interface.
  • Page 349 Figure 11-174 ISAKMP Algorithm Settings...
  • Page 350 Step 6. Select Use both algorithms below the IPSec Algorithm, or tick Use authentication algorithm only. If Use both algorithms is ticked, select “3DES” for Encryption Algorithm and “MD5” for Authentication Algorithm. (Figure 11-175) Figure 11-175 IPSec Algorithm Settings Step 7. Select “Group 1” for PFS Key Group. Enter “3600” in the ISAKMP SA Lifetime field and “28800”...
  • Page 351 Step 10. Under Policy Object > VPN > IPSec Autokey, click New Entry again. Step 11. Type VPN_02 in the Name field and then select Port3 (WAN2) for Interface. (Figure 11-180) Figure 11-180 Name and Interface Settings Step 12. Select Remote Gateway (Static IP or Hostname) for Remote Settings, and enter the management address of A Company (WAN port 2).
  • Page 352 Algorithm. (Figure 11-184) Figure 11-184 IPSec Algorithm Settings Step 16. Select “Group 1” for PFS Key Group. Enter “3600” in the ISAKMP SA Lifetime field and “28800” in the IPSec SA Lifetime field and then select “Main Mode” for Mode. (Figure 11-185)...
  • Page 353 Step 19. Under Policy Object > VPN > Trunk, set as below: (Figure 11-188) • Name: Type a name. • Local Settings: Select “LAN”. Local IP / Netmask: Type “192.168.20.0” as B Company’s subnet address and “255.255.255.0” as Mask. • Remote Settings: Select Remote IP / Netmask.
  • Page 354 Step 20. Under Policy > Outgoing, click New Entry and then set as below: (Figure 11-190) • Select the defined trunk for VPN Trunk. • Click OK. (Figure 11-191) Figure 11-190 Using VPN Trunk in an Outgoing Policy Figure 11-191 An Outgoing Policy with VPN Trunk...
  • Page 355 Step 21. Select Policy > Incoming, click New Entry and then set as below: (Figure 11-192) • Select the defined trunk for VPN Trunk. • Click OK. (Figure 11-193) Figure 11-192 Using VPN Trunk in an Incoming Policy Figure 11-193 An Incoming Policy with VPN Trunk...
  • Page 356 Step 22. Settings completed. (Figure 11-194) Figure 11-194 Deployment of IPSec VPN Using GRE/IPSec...
  • Page 357 C Company: Configure Port1 as LAN1 (192.168.30.1). IP range: 192.168.30.x/24. Configure Port2 as WAN1 (121.33.33.33) and connect it to the ADSL Termination Unit Remote to access the Internet. This example uses three CS-2001 devices to establish VPN connections among A Company, B Company and C Company.
  • Page 358 For A Company, set as below: Step 1. Go to Policy Object > VPN > IPSec Autokey and then click New Entry. (Figure 11-195) Figure 11-195 IPSec Autokey Step 2. Type VPN_01 in the Name field and then select Port2 (WAN1) for Interface.
  • Page 359 Figure 11-199 Configuring the IPSec Algorithm Step 6. Under the IPSec Algorithm section, select 3DES for Encryption Algorithm and then select MD5 for Authentication Algorithm. (Figure 11-200) Figure 11-200 Configuring the IPSec Algorithm Step 7. Under the Advanced Settings (optional) section, select GROUP 1 for PFS Key Group, enter 3600 in the ISAKMP SA Lifetime field, enter 28800 in the IPSec SA Lifetime field and then select Main mode for Mode.
  • Page 360 Step 8. Policy Created. (Figure 11-202) Figure 11-202 Policy Created Step 9. Go to Policy Object > VPN > Trunk, click New Entry and then set as below: (Figure 11-203) • Type the name in the Name field. • Local Settings: select LAN. Enter the local subnet and the mask. •...
  • Page 361 Figure 11-204 First Trunk Completed Step 10. Go to Policy Object > VPN > IPSec Autokey and then click the New Entry button again. (Figure 11-205) Figure 11-205 The IPSec Autokey Page Step 11. Type VPN_02 in the Name field and then select Port2 (WAN1) for the Interface.
  • Page 362 1 for Key Group. (Figure 11-209) Figure 11-209 Configuring ISAKMP Algorithm...
  • Page 363 Step 15. Under the IPSec Algorithm section, select Use both algorithms. Select 3DES for Encryption Algorithm and MD5 for Authentication Algorithm. (Figure 11-210) Figure 11-210 Configuring IPSec Algorithm Step 16. Under the Advanced Settings (Optional) section, select GROUP 1 for PFS Key Group, enter 3600 in the ISAKMP SA Lifetime field, enter 28800 in the IPSec SA Lifetime field and then select Main mode for Mode.
  • Page 364 Step 18. Go to Policy Object > VPN > Trunk, click New Entry and then set as below: (Figure 11-213) • Type the name in the Name field. • Local Settings: select LAN. Enter the IP address and the Mask in the Local IP / Netmask field.
  • Page 365 Step 19. Go to Policy Object > VPN > Trunk Group, click New Entry and then set as below: (Figure 11-215) • Type the name in the Name field. • Move the IPSec_VPN_Trunk_01(LAN) and IPSec_VPN_Trunk_02(LAN) from the Available Trunks column to the Selected Trunks column.
  • Page 366 Step 20. Under Policy > Outgoing, click New Entry and then set as below: (Figure 11-217) • Select the defined Trunk from the VPN Trunk drop-down list. • Click OK. (Figure 11-218) Figure 11-217 Configuring the Outgoing Policy with VPN Trunk Figure 11-218 Policy Created...
  • Page 367 Step 21. Go to Policy > Incoming, click New Entry and then set as below: (Figure 11-219) • Select the defined Trunk from the VPN Trunk drop-down list. • Click OK. (Figure 11-220) Figure 11-219 Configuring an Incoming Policy with VPN Trunk Figure 11-220 Policy Created...
  • Page 368 For B Company, set as below: Step 1. Go to Policy Object > VPN > IPSec Autokey and then click the New Entry button. (Figure 11-221) Figure 11-221 The IPSec Autokey Page Step 2. Type VPN_01 in the Name field and then select Port2(WAN1) for Interface.
  • Page 369 Step 6. Under the IPSec Algorithm section, select Use both algorithms. Select 3DES for Encryption Algorithm and then select MD5 for Authentication Algorithm. (Figure 11-226) Figure 11-226 Configuring the IPSec Algorithm Step 7. Under the Advanced Settings (optional) section, select GROUP 1 for PFS Key Group, enter 3600 in the ISAKMP SA Lifetime field, enter 28800 in the IPSec SA Lifetime field and then select Main mode for Mode.
  • Page 370 Step 9. Under Policy Object > VPN > Trunk, click the New Entry button and then set as below: (Figure 11-229) • Type the name in the Name field. • Local Settings: Select LAN. Local IP / Netmask: Enter the subnet and the mask.
  • Page 371 Step 10. Go to Policy > Outgoing, click the New Entry button and then set as below: (Figure 11-231) • Select the defined Trunk from the VPN Trunk drop-down list. • Click OK. (Figure 11-232) Figure 11-231 Configuring an Outgoing Policy with VPN Trunk Figure 11-232 A Policy with VPN Trunk Created...
  • Page 372 Step 11. Go to Policy > Incoming, click the New Entry button and then set as below: (Figure 11-233) • Select the defined Trunk from the VPN Trunk drop-down list. • Click OK. (Figure 11-234) Figure 11-233 Configuring an Incoming Policy with VPN Trunk Figure 11-234 A Policy with VPN Trunk Created...
  • Page 373 For C Company, set as below: Step 1. Under Policy Object > VPN > IPSec Autokey, click the New Entry button and then set as below: (Figure 11-235) Figure 11-235 The IPSec Autokey Page Step 2. Enter the name in the Name field and then select Port2(WAN1) for Interface.
  • Page 374 Step 6. Under the IPSec Algorithm section, select Use both algorithms. Select 3DES for Encryption Algorithm and then select MD5 for Authentication Algorithm. (Figure 11-240) Figure 11-240 Configuring the IPSec Algorithm Step 7. Under the Advanced Settings (optional) section, select GROUP 1 from the PFS Key Group drop-down list.
  • Page 375 Step 9. Go to Policy Object > VPN > Trunk, click the New Entry button and then set as below: (Figure 11-243) • Type the name in the Name field. • Local Settings: Select LAN. Enter C Company’s subnet / mask 192.168.30.3 / 255.255.255.0 in the field.
  • Page 376 Step 10. Go to Policy > Outgoing, click New Entry and then set as below: (Figure 11-245) • Select the defined Trunk from the VPN Trunk drop-down list. • Click OK. (Figure 11-246) Figure 11-245 Configuring an Outgoing Policy Figure 11-246 Policy Completed...
  • Page 377 Step 11. Go to Policy > Incoming, click New Entry and then set as below: (Figure 11-247) • Select the defined Trunk from the VPN Trunk drop-down list. • Click OK. (Figure 11-248) Figure 11-247 Configuring an Incoming Policy Figure 11-248 Setting Completed...
  • Page 378 Step 12. Setting completed. (Figure 11-249) Figure 11-249 The Deployment of IPSec VPN...
  • Page 379 A Company’s WAN port 1 and B Company’s WAN port 1; A Company’s WAN port 2 and B Company’s WAN port 2. This example is to use two CS-2001 devices to establish VPN connection between A Company and B Company.
  • Page 380 1. The IT administrator may enable or disable the external users to access the Internet via the CS-2001 device when they establish a VPN connection with the CS-2001 device. 2. Auto-disconnect if idle for: if the VPN connection is idle for the defined time, it will be...
  • Page 381 3. Using a RADIUS Server (refer to Chapter 8 for RADIUS authentication) to establish a PPTP VPN connection, go to Policy Object > VPN > PPTP Server and create a PPTP Server setting of which the User Name is “*” and the Password is “@radius” for RADIUS authentication. Step 2.
  • Page 382 Figure 11-253 Configuring the Second PPTP Server...
  • Page 383 Figure 11-254 Second PPTP Server Completed...
  • Page 384 Step 3. Go to Policy Object > VPN > Trunk, click New Entry and then set as below: (Figure 11-255) - Type the name in the Name field. - Local Settings: Select LAN. Type A Company’s subnet / mask 192.168.10.0 / 255.255.255.0 in the field. ...
  • Page 385 Note: 1. When Remote IP / Netmask is selected for Remote Settings, you may select only one tunnel to establish the PPTP VPN connection. Step 4. Go to Policy > Outgoing, click New Entry and then set as below: (Figure 11-257)...
  • Page 386 Step 5. Go to Policy > Incoming, click New Entry and then set as below: (Figure 11-259) - Select the defined VPN from the VPN Trunk drop-down list. - Click OK. (Figure 11-260) Figure 11-259 Configuring an Incoming Policy with VPN Trunk Figure 11-260 Settings Completed...
  • Page 387 For B Company, set as below: Step 1. Go to Policy Object > VPN > PPTP Client and then set as below: - Click New Entry. (Figure 11-261) - Type PPTP_01 in the Username field. - Enter 123456789 in the Password field. ...
  • Page 388 Figure 11-263 Second PPTP Client Setting Completed Figure 11-264 Second PPTP Client Setting Completed Note: 1. When the CS-2001 PPTP Client establishes a VPN connection with a Windows PPTP Server, NAT with PPTP Client must be selected for the PCs under the CS-2001 to access the Windows PPTP server.
  • Page 389 Step 2. Go to Policy Object > VPN > Trunk, click New Entry and then set as below: (Figure 11-265) - Enter the name in the Name field. - Local Settings: select LAN. Enter B Company’s local subnet / mask 192.168.20.0 / 255.255.255.0 in the Local IP / Netmask field.
  • Page 390 Figure 11-266 Settings Completed Note: 1. When Remote IP / Netmask is selected for Remote Settings, the number of the PPTP_Client tunnel should be configured according to the number of WAN.
  • Page 391 Step 3. Go to Policy > Outgoing and then set as below: (Figure 11-267) - Select the defined Trunk from the VPN Trunk drop-down list. - Click OK. (Figure 11-268) Figure 11-267 Configuring an Outgoing Policy Figure 11-268 Setting Completed...
  • Page 392 Step 4. Go to Policy > Incoming, click New Entry and then set as below: (Figure 11-269) - Select the defined Trunk from the VPN Trunk drop-down list. - Click OK. (Figure 11-270) Figure 11-269 Configuring an Incoming Policy Figure 11-270 Settings Completed...
  • Page 393 Step 5. Settings completed. (Figure 11-271) Figure 11-271 The Deployment of PPTP VPN...
  • Page 394 Configure Port 2 as WAN1 (211.22.22.22) and connect it to the ADSL Termination Unit Remote (ATUR) to access the Internet. This example is to use two CS-2001 devices to establish a VPN connection between A Company and B Company. For A Company, set as below:...
  • Page 395 Step 1. Go to Policy Object > VPN > PPTP Server and then set as below: (Figure 11-272) - Click Modify. - Click Enable PPTP. - Click Encryption. - Tick Allow Internet access via and then select the port. - Auto-disconnect if idle for: type 0. ...
  • Page 396 Step 2. Go to Policy Object > VPN > PPTP Server, click New Entry and then set as below: (Figure 11-273) - Type PPTP_Connection in the Username field. - Type 123456789 in the Password field. - Under Client IP(s) assigned from, click IP Range. ...
  • Page 397 Figure 11-275 Configuring PPTP Connection Figure 11-276 Setting Completed Note: 1. When the CS-2001 PPTP Client establishes a VPN connection with the CS-2001 PPTP Server, NAT with PPTP Client must be selected for CS-2001 PPTP Client users to access the Internet via the PPTP Server.
  • Page 398 Step 2. Go to Policy Object > VPN > Trunk, click New Entry and then set as below: (Figure 11-277) - Enter the name in the Name field. - Local Settings: select LAN. Type B Company’s subnet / mask 192.168.20.0 / 255.255.255.0 in the Local IP / Netmask field. ...
  • Page 399 Step 3. Go to Policy > Outgoing, click New Entry and then set as below: (Figure 11-279) - Select the defined Trunk from the VPN Trunk drop-down list. - Click OK. (Figure 11-280) Figure 11-279 Configuring an Outgoing Policy Figure 11-280 Setting Completed Note:...
  • Page 400 Step 4. Setting Completed. (Figure 11-281) Figure 11-281 Deployment of PPTP VPN Connection...
  • Page 401 Remote (ATUR) to access the Internet. B Company uses a PC running Windows 2000. IP address: 211.22.22.22 This example is to establish VPN connection by one CS-2001 device and one PC running Windows 2000. For A Company, set as below:...
  • Page 402 1. The IT administrator may enable or disable the external users to access the Internet via the CS-2001 device when they establish a VPN connection to the CS-2001 PPTP Server. 2. Auto-disconnect if idle for: if the VPN connection is idle for the specified minutes, it will be...
  • Page 403 Client IP Allocation/ IP Range must be on the LAN1 (192.168.10.x/24) which must not already be in use. In addition, the external user must establish the PPTP VPN connection to the CS-2001 via IPSec VPN. Step 2. Go to Policy Object > VPN > PPTP Server, click New Entry and then set as below: (Figure 11-283)...
  • Page 404 Step 3. Go to Policy Object > VPN > Trunk, click New Entry and then set as below: (Figure 11-285) - Type the name in the Name field. - Local Settings: select LAN. Type A Company’s subnet / mask 192.168.10.0 / 255.255.255.0 in the Local IP / Netmask field. ...
  • Page 405 Note: 1. If the external users want to connect to the IPSec VPN subnet, the Local IP/ Netmask must be configured as the IPSec VPN subnet.
  • Page 406 Step 4. Go to Policy > Outgoing, click New Entry and then set as below: (Figure 11-287) - Select the defined trunk from the VPN Trunk drop-down list. - Click OK. (Figure 11-288) Figure 11-287 Configuring an Outgoing Policy Figure 11-288 Setting Completed...
  • Page 407 Step 5. Go to Policy > Incoming, click New Entry and then set as below: (Figure 11-289) - Select the defined Trunk from the VPN Trunk drop-down list. - Click OK. (Figure 11-290) Figure 11-289 Configuring an Incoming Policy with VPN Trunk Figure 11-290 Setting Completed...
  • Page 408 For B Company, set as below: Step 1. Right-click on My Network Places and then click Properties. (Figure 11-291) Figure 11-291 Selecting “Properties” on the Shortcut Menu of “My Network Places” Step 2. In the Network and Dial-up Connections window, double-click “Make New Connection”.
  • Page 409 Figure 11-292 Double-Clicking on “Make New Connection”...
  • Page 410 Step 3. In the Location Information window, specify the country / region, area code and phone system accordingly, and then click OK. (Figure 11-293) Figure 11-293 Local Information Settings Step 4. In the Phone And Modem Options window, click OK. (Figure 11-294)...
  • Page 411 Figure 11-294 Phone and Modem Options...
  • Page 412 Step 5. In the Network Connection Wizard window, click Next. (Figure 11-295) Figure 11-295 Network Connection Wizard Step 6. In the Network Connection Type window, select Connect to a private network through the Internet and then click Next. (Figure 11-296) Figure 11-296 Select the “Connect to a private network through the Internet”...
  • Page 413 Step 7. In the Destination Address window, type the host name or IP address in the blank field and then click Next. (Figure 11-297) Figure 11-297 Destination Address Settings Step 8. In the Connection Availability window, select For all users and then click Next.
  • Page 414 Step 9. In the Completing the New Connection Wizard window, type a Connection Name and then click Finish. (Figure 11-299) Figure 11-299 New Connection Created...
  • Page 415 Step 10. In the Connect Virtual Private Connection window, set as below: (Figure 11-300) - User Name: Type “PPTP_Connection”. - Password: Enter 123456789. - Tick Save Password. - Click Connect. - The “Connecting Virtual Private Connection…” dialogue box appears. (Figure 11-301) ...
  • Page 416 Figure 11-302 PPTP VPN Connection Successfully Connected...
  • Page 417 Step 11. Settings completed. (Figure 11-303) Figure 11-303 Deployment of PPTP VPN...
  • Page 418: Mail Security

    Mail Security...
  • Page 419: Chapter 12 Configuration

    Chapter 12 Configuration Mail configuration refers to the processing basis of mail services. This chapter covers the functionality and application of Settings, Mail Domains, Account Manager, Mail Relay, Mail Notice, Queued Mail and Mail Signatures.
  • Page 420 Terms in Settings Log Storage Time - Quarantined spam / virus emails can be assigned a storage time and are deleted when it expires. - You may also decide whether a quarantined email can be repeatedly retrieved or not. Personal Email Viewer / Email Notification Settings ...
  • Page 421 - Tag spam email’s subject with: --Spam--. - Tag virus-infected emails with: --Virus--. - Type the subject and the content of the mail notice. - Click OK. (Figure 12-1)...
  • Page 422 Figure 12-1 Configuring the Settings of Mail Security...
  • Page 423 - A notice with customized subject and message. (Figure 12-2) Figure 12-2 A Notice Shows Customized Subject and Message - An unscanned email is highlighted with a warning message “---Unscanned---”. (Figure 12-3) Figure 12-3 An Unscanned Email Shows a Warning Message...
  • Page 424 - The spam mail’s subject tagged with warning message. (Figure 12-4) Figure 12-4 The Spam Mail’s Subject Tagged with “Spam” - The virus mail’s subject tagged with warning message. (Figure 12-5) Figure 12-5 The Virus Mail’s Subject Tagged with “Virus”...
  • Page 425 Terms in Account Manager Account Learning Settings - Disabled: Accounts added manually. - Accounts added automatically: the email account will be added in the local mail server automatically once it is proved valid by the mail server. - Synchronized with LDAP server: The accounts can be imported from the LDAP server.
  • Page 426: Mail Domains

    12.1 Mail Domains 12.1.1 Using Mail Domains to Filter Emails Step 1. Apply to a local ISP for several domain names, “planet.com.tw”, “supportplanet.com.tw”, “testplanet.com.tw” and “virtualplanet.com.tw” for instance, to provide mail service. The mapped IP address is 172.19.100.164.
  • Page 427 Step 2. Under Mail Management > Configuration > Mail Domains, set as below: - Click the New Entry button to create the first entry. - Type planet.com.tw in the Domain Name field. - Enter the mapped IP address. - Click OK and then modify the domain.
  • Page 428 Figure 12-8 Modifying the First Entry Figure 12-9 Typing the Domain Alias Figure 12-10 Settings Completed Figure 12-11 Creating the Second Entry...
  • Page 429 Figure 12-12 The Second Entry Completed Figure 12-13 Modifying the Second Entry Figure 12-14 Typing the Domain Alias Figure 12-15 Settings Completed...
  • Page 430 Note: 1. The CS-2001 device will filter the emails according to the settings under Mail Security > Configuration > Mail Domains. If there are no Mail Domains settings, the filtered emails will be recorded under Mail Security > Mail Reports > Logs > Outbound SMTP.
  • Page 431: Account Manager

     - Select Accounts added automatically. - Click OK. - The CS-2001 filters any emails passing through by verifying with the mail server that the recipient’s account exists. - Select Import from LDAP server and configure the settings. - Click OK.
  • Page 432 Step 3. Go to Mail Security > Configuration > Account Manager, import the accounts into the system: - Click the Browse... button. In the Choose file window, locate the file and then click the Open button. (Figure 12-16) - Click the Import button. In the Import Mail Account window, select the file type and then click the OK button.
  • Page 433 Step 4. Go to Mail Security > Configuration > Account Manager, add or remove the accounts. - Click the Add button. - Enter the account information. (Figure 12-18) - Click the OK button. (Figure 12-19) - To remove the account, select the account and then click the Remove button.
  • Page 434 Figure 12-20 Removing the Account Note: 1. Once Accounts added automatically is selected, the CS-2001 will verify the existence of the account with the mail server before relaying the mail. 2. When Imported from LDAP server is selected, the CS-2001 will determine whether to relay the email by verifying the account against the LDAP accounts list.
  • Page 435 Step 5. Users may be given permission to access Personal Email Viewer under Mail Security > Configuration > Account Manager. - To permit a user to access Personal Email Viewer, select the account(s) and then click Enable Personal Email Viewer. - Click OK in the confirmation window.
  • Page 436 12.2.2 Accessing Personal Email Viewer Step 1. Type the management address together with the HTTP port (8080) or HTTPS port (1443) in the address field of a Web browser. (Figure 12-23) - Type the account name and the password. - Select the mail domain from the drop-down list.
  • Page 437 Step 2. Users will be requested to configure user preferences during their first login. - Click Continue. (Figure 12-24) - Configure the User Preferences accordingly. (Figure 12-25) - Click Save. - Settings completed. (Figure 12-26) - Click Continue. Figure 12-24 The Greeting Message Shown upon First Login...
  • Page 438 Figure 12-25 The User Preferences Settings Figure 12-26 User Preferences Settings Completed...
  • Page 439 Step 3. Below shows the CS-2001’s user-friendly, web-based mailbox. (Figure 12-27) Figure 12-27 The Web Mail User Interface...
  • Page 440 12.2.3 Using Whitelist and Blacklist to Filter Emails Suppose the domain name “planet.com.tw” is registered to your organization, and you are using the account “joe” to log in to Personal Email Viewer, then: Step 1. Click Preference in the Web Mail main screen and then a pop-up window appears.
  • Page 441 Figure 12-29 Creating the Second Entry of Whitelist Figure 12-30 Settings Completed...
  • Page 442 Step 2. Click Preference in the Personal Email Viewer main screen and then a pop-up window appears. Click the Blacklist button under the User Preference section. - Click the New button. - Type *yahoo* in the Email Address/ Domain Name field. ...
  • Page 443 Figure 12-32 Creating the Second Entry of Blacklist Figure 12-33 Blacklist Created...
  • Page 444 - Emails sent to share2k003@yahoo.com.tw will be rated as spam mail. - Only share2k01@yahoo.com.tw will receive emails from joe@planet.com.tw, whereas share2k003@yahoo.com.tw receives none because emails sent to it are classified as spam.
  • Page 445: Mail Relay

    12.3 Mail Relay 12.3.1 Using CS-2001 as a Gateway (Set the Mail Server in DMZ under Transparent Mode) Prerequisite Setup Configure Port1 as LAN1 (192.168.1.1, NAT/Routing Mode) and connect it to the LAN which is using the IP range 192.168.1.X/24.
  • Page 446 Step 2. Go to Mail Security > Configuration > Mail Relay and then set as below: (Figure 12-35) - Select Sender’s IP Address. - Type the IP Address and the Netmask. - Click OK. Figure 12-35 Mail Relay Settings Note: 1.
  • Page 447 12.3.2 Deploying the CS-2001 Device between the Gateway and Mail Server (Mail Server is in DMZ under Transparent Mode) Prerequisite Setup LAN Segment: 172.16.x.x/16 Configure Port1 as WAN1(172.16.1.12) and connect it to the LAN. Configure Port2 as DMZ1 (Transparent Routing mode) and connect it to the mail server.
  • Page 448 Step 2. Go to Mail Security > Configuration > Mail Relay and then set as below: - Click New Entry. (Figure 12-37) - Select Sender’s IP Address. - Type the IP Address and the Netmask. - Click OK. - Click New Entry again. (Figure 12-38)...
  • Page 449 12.3.3 Using CS-2001 as Gateway to Enable Branch’s Employees to Send Emails via Headquarters’ Mail Server (Set the Mail Server under DMZ Transparent Routing Mode) Prerequisite Setup Configure Port1 as WAN1(61.11.11.11) and connect it to the ADSL Termination Unit Remote (ATUR) to access the Internet.
  • Page 450 Step 2. Go to Mail Security > Configuration > Mail Relay and then set as below: (Figure 12-40) - Select Sender’s IP Address. - Enter the IP Address and the Netmask. - Click OK. Figure 12-40 Mail Relay Settings...
  • Page 451: Mail Notice

    12.4 Mail Notice 12.4.1 Retrieving Spam or Virus Emails from the Mail Notice (An Outlook Express Example) Step 1. All the accounts are listed under Mail Security > Configuration > Mail Notice but only accounts in the Selected Accounts column will be notified: (Figure 12-41)...
  • Page 452 Step 2. Go to Mail Security > Configuration > Mail Notice and then set as below: - Tick Notice for, then select “Both Spam and Viruses” from the drop-down list. - Tick Send Mail Notice on weekends. - Select “00 : 00” for 1st Time. ...
  • Page 453 Note: 1. Accounts in the Selected Accounts column will receive a mail notice based upon schedules when emails sent from or to them are classified as spam or virus emails. 2. Up to six email notifications can be sent based upon the time order, starting from the earliest time set.
  • Page 454: Queued Mail

    12.5 Queued Mail 12.5.1 Monitoring Email Delivery Status Step 1. Go to Mail Security > Configuration > Settings and then set as below: - Max. Lifetime of Queued Mail: 4 hours. - When the delivery has failed, the system will keep trying to resend the email to the recipient periodically within the storage time.
  • Page 455 Step 2. Go to Mail Security > Configuration > Queued Mail to obtain the delivery status. - A symbol under the Reason column indicates an email is being processed (delivered). (Figure 12-44, Figure 12-45) - The factors that caused failed deliveries are obtainable, and the email can be resent by clicking Resend.
  • Page 456: Mail Signatures

    12.6 Mail Signatures Step 1. Go to Mail Security > Configuration > Mail Signatures and then set as below: - Tick Add signatures to all outgoing messages. - Type the message to be shown in the text field. - Click OK to complete the settings. (Figure 12-46)...
  • Page 457 Step 2. Any email sent from the CS-2001 will now have the signature message appended to the body of the email for the recipient to view. (Figure 12-47) Figure 12-47 Email with the Mail Signatures...
  • Page 458: Chapter 13 Anti-Spam

    Chapter 13 Anti-Spam Users will no longer be disturbed by large influxes of spam. The Anti-Spam mechanism prevents the users from wasting their time on searching for business emails amongst the spam. It also lowers the risk of accidentally deleting business emails when deleting spam.
  • Page 459 Settings must be configured for the CS-2001 to access the Internet. 2. The CS-2001 will apply its default spam filtering settings if no method has been selected. 3. Bayesian filtering is not effective unless at least 200 messages have been classified for spam (Figure 13-1)...
  • Page 460 Spam Actions (Sending) - The action for outbound spam mail can be set to delete, deliver as normal or store in the quarantine. Spam Actions (Receiving) - The action for inbound spam mail is deliver. In addition, you may also store the spam in the quarantine.
  • Page 461 - The figure below shows that an email’s subject is tagged with the score (optional). (Figure 13-3) Figure 13-3 An Email’s Subject Tagged with the Score Terms in Personal Rule Search - Used for searching for individual emails. - Used for retrieving quarantined emails. Whitelist ...
  • Page 462 Comment - The description of the rule’s name. Classification - When Spam is selected, emails that meet the inspection criteria will be classified as spam. - When Ham (Non-Spam) is selected, emails that meet the inspection criteria will be classified as ham. Action ...
  • Page 463 With “joe” typed as a pattern, emails from any email account containing the word “joe” will be considered spam or ham.
  • Page 464 Spam Training Using Forwarded Mail - The IT administrator may designate a separate email account for reporting spam emails. With the help of users, spam emails can be reported to the CS-2001 to raise filtering accuracy. Ham Training Using Forwarded Mail ...
  • Page 465 Training Schedule - The CS-2001 can be scheduled for a daily time for spam or ham training. - The CS-2001 can be set to train immediately. An Overview on Email Transmission A mail server acts as an intermediary among users during mail delivery or retrieval.
  • Page 466 The Three Key Elements of Email Transmission An email transmission is achieved by using an MUA, MTA and MDA. - MUA (Mail User Agent): Whether sending or receiving email, the end user must rely on an MUA client, which comes along with the OS, as without it they are unable to obtain email access.
  • Page 467 How an Email is Processed Composing and sending an email: - Email delivery from an MUA to an MTA: Run an MUA client (email program) and follow the instructions below: - Apply the sender address and the domain name of the outgoing mail server (sender MTA) to the corresponding fields.
  • Page 468 - Email retrieval: signifies the MUA is using POP (Post Office Protocol) to communicate with the MTA, by which users may have access to emails. Currently, POP3 (Post Office Protocol version 3) is the most popular protocol for incoming emails. By default, port 110 is assigned to the POP3 protocol.
  • Page 469: Example

    Scenario Page 13.1.1 Detecting Whether Emails are Spam 13.1.2 Using CS-2001 in Accordance with Whitelist and Blacklist to Filter Spam (Mail Server Is Deployed in DMZ under Transparent Mode) 13.1.3 Deploying CS-2001 in between Gateway and Mail Server and Filtering...
  • Page 470 13.1.1 Detecting Whether Emails are Spam Prerequisite Setup Configure Port1 as LAN1(192.168.1.1, NAT/ Routing mode) and connect it to the LAN which is using 192.168.1.x/24. Configure Port2 as WAN1(61.11.11.11) and connect it to the ADSL Termination Unit Remote to access the Internet. IP range: 61.11.11.10 to 61.11.11.14. Configure Port3 as WAN2(211.22.22.22) and connect it to the ADSL Termination Unit Remote to access the Internet.
  • Page 471 Step 3. Under Policy Object > Address > DMZ, set as below: (Figure 13-4) Figure 13-4 Creating an Address Setting Corresponding to the Mail Server Step 4. Under Policy Object > Service > Group, set as below: (Figure 13-5) Figure 13-5 Creating Service Groups to Include the POP3, SMTP or DNS Services...
  • Page 472 Step 5. Go to Policy > Outgoing and then set as below: (Figure 13-6) - Select the defined group (Mail_Service_02) from the Service drop-down list. - Tick POP3 for Anti-Spam. - Click OK. (Figure 13-7)...
  • Page 473 Figure 13-6 Configuring an Outgoing Policy with Group Service and POP3 Anti-Spam...
  • Page 474 Figure 13-7 Policy Created...
  • Page 475 Step 6. Under Policy > WAN to DMZ, set as below: (Figure 13-8) - Select the defined rule from the Destination Address drop-down list. - Select the defined service group (Mail_Service_01) from the Service drop-down list. - Tick POP3 for Anti-Spam. ...
  • Page 476 Figure 13-9 Policy Created...
  • Page 477 Step 7. Go to Policy > DMZ to WAN and then set as below: (Figure 13-10) - Select the defined group from the Source Address drop-down list. - Select the defined service group (Mail_Service_02) from the Service drop-down list. - Tick POP3 for Anti-Spam.
  • Page 478 Figure 13-10 Creating a DMZ to WAN Policy with Group Service and POP3 Anti-Spam...
  • Page 479 Figure 13-11 Policy Created...
  • Page 480 Step 8. Under Mail Security > Anti-Spam > Settings, set as below: (Figure 13-12) Figure 13-12 Anti-Spam Filter Settings and Action Settings...
  • Page 481 - The list of filtered spam cannot be obtained by means of Mail Notice. Step 9. When receiving an email from an external mail account js1720@ms21.pchome.com.tw, the CS-2001 will filter the email for spam. Step 10. When receiving an email from an internal mail account...
  • Page 482: Transparent Mode

    13.1.2 Using CS-2001 in Accordance with Whitelist and Blacklist to Filter Spam (Mail Server Is Deployed in DMZ under Transparent Mode) Prerequisite Setup Configure Port1 as LAN1 (192.168.1.1, NAT/ Routing mode) and connect it to the LAN which is using 192.168.1.x/24.
  • Page 483 Step 3. Go to Policy Object > Service > Group and then set as below: (Figure 13-15) Figure 13-15 Creating Service Groups to Include POP3, SMTP and DNS Service...
  • Page 484 Step 4. Go to Policy > WAN to DMZ and then set as below: (Figure 13-16) - Select the defined rule from the Destination Address drop-down list. - Select the defined rule (Mail_Service_01) from the Service drop-down list. - Select SMTP for Anti-Spam. ...
  • Page 485 Figure 13-17 Policy Created...
  • Page 486 Step 5. Under Policy > DMZ To WAN, set as below: (Figure 13-18) - Select the defined rule for Source Address. - Select the defined service (Mail_Service_02) for Service. - Select SMTP for Anti-Spam. - Click OK. (Figure 13-19)...
  • Page 487 Figure 13-18 Creating a DMZ to WAN Policy...
  • Page 488 Figure 13-19 Policy Created...
  • Page 489 Step 6. Go to Mail Security > Configuration > Mail Domains and then set as below: (Figure 13-20) Figure 13-20 Mail Domain Settings Step 7. Go to Mail Security > Anti-Spam > Settings and then set as below: (Figure 13-21) Figure 13-21 Anti-Spam Settings Note: 1.
  • Page 490 Step 8. Go to Mail Security > Anti-Spam > Whitelist and then set as below: - Click New Entry. - Type share2k01@yahoo.com.tw in the Mail Account field. - Select From for Direction. - Click OK. (Figure 13-22) - Click New Entry again. ...
  • Page 491 Figure 13-25 Creating the Fourth Entry on Whitelist Figure 13-26 Whitelist Setting Completed Note: 1. The Whitelist can be exported as a file for archiving and editing purposes, and the file can be used to restore the list later on.
  • Page 492 Step 9. Go to Mail Security > Anti-Spam > Blacklist and then set as below: - Click New Entry. - Type *yahoo* in the Mail Account field. - Select From for Direction. - Click OK. (Figure 13-27) - Click New Entry again. ...
  • Page 493 3. Whitelist overrides Blacklist; thus, email inspection will first check the Whitelist and then the Blacklist. Step 10. Provided that joe@supportplanet.com.tw and steve@supportplanet.com.tw both receive an email from a Yahoo account: - If the sender’s account is share2k01@yahoo.com.tw, then both Joe and Steve will receive it.
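The whitelist-over-blacklist precedence from Steps 8 to 10, as an added example that is not the CS-2001's own code: it uses the page's entries share2k01@yahoo.com.tw (Whitelist, From) and *yahoo* (Blacklist, From). That a "*" pattern matches like a shell glob, and that a From entry is compared against the sender while a To entry is compared against the recipient, are assumptions made here.

```python
"""Whitelist/Blacklist precedence model (added example, not device code).

Assumptions (not documented on the page):
  * '*' in a Mail Account pattern behaves like a shell glob (fnmatch).
  * Direction "From" is matched against the sender address,
    Direction "To" against the recipient address.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class ListEntry:
    pattern: str    # Mail Account pattern, '*' wildcard allowed (assumed glob)
    direction: str  # "From" -> match sender, "To" -> match recipient


def entry_matches(entry: ListEntry, sender: str, recipient: str) -> bool:
    """Case-insensitive glob match of the entry against the relevant address."""
    target = sender if entry.direction == "From" else recipient
    return fnmatchcase(target.lower(), entry.pattern.lower())


def classify(sender: str, recipient: str,
             whitelist: list, blacklist: list,
             whitelist_first: bool = True) -> tuple:
    """Return (verdict, reason) for one message.

    verdict is "ham" (whitelisted), "spam" (blacklisted) or "unlisted"
    (neither list matched; normal spam inspection would then apply).
    whitelist_first=True is the documented behaviour: Whitelist overrides
    Blacklist.  The False setting exists only to show what goes wrong
    if the lists were consulted in the other order.
    """
    lists = [("ham", "Whitelist", whitelist), ("spam", "Blacklist", blacklist)]
    if not whitelist_first:
        lists.reverse()
    for verdict, name, entries in lists:
        for entry in entries:
            if entry_matches(entry, sender, recipient):
                return verdict, f"{name} {entry.direction} {entry.pattern}"
    return "unlisted", "no Whitelist or Blacklist entry matched"


# Entries exactly as configured in Steps 8 and 9.
WHITELIST = [ListEntry("share2k01@yahoo.com.tw", "From")]
BLACKLIST = [ListEntry("*yahoo*", "From")]


def deliveries(sender: str, recipients: list,
               whitelist: list = WHITELIST, blacklist: list = BLACKLIST) -> dict:
    """Verdict per recipient for one sender, i.e. the Step 10 outcome."""
    return {r: classify(sender, r, whitelist, blacklist)[0] for r in recipients}


if __name__ == "__main__":
    staff = ["joe@supportplanet.com.tw", "steve@supportplanet.com.tw"]
    # Whitelisted Yahoo account: both Joe and Steve receive it.
    print(deliveries("share2k01@yahoo.com.tw", staff))
    # Any other Yahoo account hits the *yahoo* Blacklist entry.
    print(deliveries("share2k003@yahoo.com.tw", staff))
    # Same whitelisted sender, but with the lists in the wrong order: the
    # *yahoo* entry swallows it, which is why Whitelist must be checked first.
    print(classify("share2k01@yahoo.com.tw", staff[0],
                   WHITELIST, BLACKLIST, whitelist_first=False))
```

The third call shows the misclassification a blacklist-first order would cause; the device's documented order avoids it.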
  • Page 494 13.1.3 Deploying CS-2001 in between Gateway and Mail Server and Filtering Spam with Global Rule (Mail Server Is Deployed in DMZ under Transparent Mode) Prerequisite Setup Gateway: 172.16.x.x/16 Configure Port1 as LAN1. Configure Port2 as WAN1 (172.16.1.12) and connect it to the gateway.
  • Page 495 Figure 13-31 Creating Service Groups...
  • Page 496 Step 4. Under Policy > WAN To DMZ, set as below: (Figure 13-32) - Select the defined DMZ for Destination Address. - Select the defined service (Mail_Service_01) for Service. - Select SMTP for Anti-Spam. - Click OK. (Figure 13-33) Figure 13-32 Creating a WAN to DMZ Policy with Service and SMTP Anti-Spam...
  • Page 497 Figure 13-33 Policy Completed...
  • Page 498 Step 5. Under Policy > DMZ To WAN, set as below: (Figure 13-34) - Select the defined DMZ for Source Address. - Select the defined service (Mail_Service_02) for Service. - Select SMTP for Anti-Spam. - Click OK. (Figure 13-35)...
  • Page 499 Figure 13-34 Creating a DMZ to WAN Policy with Service and SMTP Anti-Spam...
  • Page 500 Figure 13-35 Policy Created...
  • Page 501 Step 6. Under Mail Security > Configuration > Mail Domains, set as below: (Figure 13-36) Figure 13-36 Mail Domain Settings Step 7. Under Mail Security > Configuration > Mail Relay, set as below: (Figure 13-37) Figure 13-37 Mail Relay Settings Note: 1.
  • Page 502 Step 8. Under Mail Security > Anti-Spam > Settings, set as below: (Figure 13-38) Figure 13-38 Anti-Spam Settings Note: 1. An email that meets a Global Rule will be processed based on the corresponding Action setting of the Global Rule.
  • Page 503 Step 9. Go to Mail Security > Anti-Spam > Global Rule and then set as below: - Click New Entry. - Type HamMail in the Rule Name field. - Type Ham Mail in the Comment field. - Select Ham (Non-Spam) for Classification. ...
  • Page 504 Note: 1. The Action setting of a Global Rule will be unavailable if Classification is set to Ham (Non-Spam), because normal emails do not need any additional processing before being sent to the recipient.
  • Page 505 Step 10. Go to Mail Security > Anti-Spam > Global Rule and then set as below: - Click New Entry. - Type SpamMail in the Rule Name field. - Type Spam Mail in the Comment field. - Select Spam for Classification. ...
  • Page 506 The email header can be used as a reference when configuring the Condition and Item of a Global Rule. Figure 13-43 shows the header of an email. To view the header, select any email in your Outlook Express, right-click it and move to Properties on the shortcut menu. After the window appears, click the Details tab for the header information. (Figure 13-43)...
  • Page 507 Step 11. Provided that joe@supportplanet.com.tw and steve@supportplanet.com.tw both receive an email from a Yahoo account: - If the sender’s account is share2k01@yahoo.com.tw, then both Joe and Steve will receive it. - But if the sender’s account is share2k003@yahoo.com.tw, only Joe will receive it. Emails sent to Steve will be classified as spam and quarantined.
  • Page 508 13.1.4 Improving Bayesian Filtering Accuracy by Training Spam Filtering / Ham Filtering (An Outlook Express Example) To train spam filtering: Step 1. In Outlook Express, create a new folder named “Spam Mail”: - Right-click Local Folders, and then select New Folder. (Figure 13-44)...
  • Page 509 Figure 13-45 Naming the Folder as Spam Mail...
  • Page 510 Step 2. Click Inbox in Outlook Express, and then move the spam to the Spam Mail folder: - In Inbox, select all the spam, right-click them, and then move to Move to Folder on the shortcut menu. (Figure 13-46) - Select the Spam Mail folder in the Move window, and then click OK. (Figure 13-47)...
  • Page 511 Figure 13-47 Selecting the “Spam Mail” Folder...
  • Page 512 Step 3. Compact the Spam Mail folder to make it easier to import spam messages onto the CS-2001 for spam filtering training: - Click the Spam Mail folder. (Figure 13-48) - In the upper left corner, click File, point to Folder, and then click Compact.
  • Page 513 Figure 13-49 Compacting the Spam Mail Folder...
  • Page 514 Step 4. Copy the pathname of the Spam Mail folder to the CS-2001 device for training use: - Right-click the Spam Mail folder, and then click Properties on the shortcut menu. (Figure 13-50) - In the Spam Mail Properties window, copy the pathname.
  • Page 515 Figure 13-51 Copying the Pathname of the Spam Mail Folder...
  • Page 516 Step 5. Go to Mail Security > Anti-Spam > Training and then configure the settings under the Spam Training Using Importing section: - Paste the pathname of the Spam Mail folder in the Import Spam Mail from field. - Click the lower right OK to import the folder; the spam filtering will be trained on schedule.
  • Page 517 Step 6. Delete all spam emails in the Spam Mail folder; since they have been compressed and uploaded to the CS-2001, they are of no use any longer: - In the Spam Mail folder, select all emails, right-click them, and then click Delete on the shortcut menu.
  • Page 518 Figure 13-54 All Spam Emails Have Been Deleted To train ham filtering: Step 7. In Outlook Express, create a new folder called “Ham Mail”: - Right-click Local Folders, and then select New Folder. (Figure 13-55) - In the Create Folder window, type “Ham Mail” in the Folder name field, and then click OK.
  • Page 519 Figure 13-55 Creating a New Folder Figure 13-56 Naming the Folder as Ham Mail...
  • Page 520 Step 8. Click Inbox in Outlook Express, and then move normal emails to the Ham Mail folder: - In Inbox, select all the ham emails, right-click them, and then click Move to Folder on the shortcut menu. (Figure 13-57) - Select the Ham Mail folder in the Move window, and then click OK. (Figure 13-58)...
  • Page 521 Figure 13-58 Selecting the Ham Mail Folder...
  • Page 522 Step 9. Compact the Ham Mail folder to make it easier to import normal email messages onto CS-2001 for ham filtering training: - Click the Ham Mail folder. (Figure 13-59) - In the upper left corner, click File, point to Folder, and then click Compact.
  • Page 523 Figure 13-60 Compacting the Ham Mail Folder...
  • Page 524 Step 10. Copy the pathname of the Ham Mail folder to the CS-2001 device for training use: - Right-click the Ham Mail folder, and then click Properties on the shortcut menu. (Figure 13-61) - In the Ham Mail Properties window, copy the pathname.
  • Page 525 Figure 13-62 Copying the Pathname of the Ham Mail Folder...
  • Page 526 Step 11. Go to Mail Security > Anti-Spam > Training and then configure the settings under the Ham Training Using Importing section: - Paste the pathname of the Ham Mail folder in the Import ham mail from field. - Click the lower right OK to import the folder; the ham filtering will be trained on schedule.
  • Page 527 Step 12. Delete all emails in the Ham Mail folder; since they have been compressed and uploaded to CS-2001, they are of no further use: - In the Ham Mail folder, select all normal emails, right-click them, and then click Delete on the shortcut menu.
  • Page 528 Figure 13-65 All Normal Emails Have Been Deleted...
  • Page 529 13.1.5 Improving Bayesian Filtering Accuracy by Training Spam Filtering / Ham-Filtering Step 1. On your mail server, create an email account, such as spam@supportplanet.com.tw, for gathering spam emails. Step 2. On your mail server, create an email account, such as ham@supportplanet.com.tw, for gathering normal emails.
  • Page 530 Step 4. In Mail Security > Anti-Spam > Training, configure the Ham Training Using Forwarded Mail setting according to the relevant information of ham@supportplanet.com.tw: - POP3 Server - Enter the user name and the password. - Click OK. (Figure 13-66) Figure 13-66 Email Accounts Used for Gathering Normal / Spam Messages and Training...
  • Page 531 To train spam filtering: Step 5. In Outlook Express, forward all spam emails in the Inbox as attachments to spam@supportplanet.com.tw: - In Inbox, select all spam emails, right-click any of the selected emails, and then click Forward As Attachment on the shortcut menu. (Figure 13-67)...
  • Page 532 Figure 13-68 Forwarding the Selected Spam Emails as Attachment...
  • Page 533 To train ham filtering: Step 6. In Outlook Express, forward all normal emails in the Inbox as attachments to ham@supportplanet.com.tw: - In Inbox, select all normal emails, right-click any of the selected emails, and then click Forward As Attachment on the shortcut menu. (Figure 13-69)...
  • Page 534 Figure 13-70 Forwarding the Selected Normal Emails as Attachment...
  • Page 535 Step 7. CS-2001 will retrieve emails from spam@supportplanet.com.tw and ham@supportplanet.com.tw periodically and use them for training on schedule. (Figure 13-71) Figure 13-71 Training Schedule Settings...
  • Page 537: Chapter 14 Anti-Virus

    Chapter 14 Anti-Virus Due to its inbound and outbound email anti-virus scanning capabilities, CS-2001 guards against the extensive damage that virus infections can inflict on your business.
  • Page 538 - Sophos: The purchase of an end-user license is required for legal use. Note: 1. To ensure that the CS-2001 is updated successfully, click Test Connection to check whether the connection to the virus definition server works before running the update. 2. Once the Proxy Server is deployed, the proxy settings under System > Configuration >...
  • Page 539 Figure 14-1 Anti-Virus Settings Note: 1. Three virus-scanning modes available for users are ClamAV, Sophos and ClamAV+Sophos.
  • Page 540: Example

    14.1 Example Scenarios: 14.1.1 Filtering Out the Virus Emails on Mail Server; 14.1.2 Using CS-2001 as a Gateway to Filter Out Virus Emails (Mail Server Is Deployed in LAN under NAT Mode)
  • Page 541 14.1.1 Filtering Out the Virus Emails on Mail Server Prerequisite Setup Configure Port1 as LAN1 (192.168.1.1, NAT/ Transparent Routing mode) and connect it to the LAN which is using 192.168.1.x/24. Configure Port2 as WAN1(61.11.11.11) and connect it to the ADSL Termination Unit Remote to access the Internet.
  • Page 542 Step 4. Go to Policy Object > Service > Group, set as below: (Figure 14-3) Figure 14-3 Creating Service Groups to Include the POP3, SMTP and DNS Services...
  • Page 543 Step 5. Under Policy > Outgoing, set as below: (Figure 14-4) - Select the defined service (Mail_Service_02) for Service. - Select POP3 for Anti-Virus. - Click OK. (Figure 14-5)...
  • Page 544 Figure 14-4 Creating an Outgoing Policy with Service and POP3 Anti-Virus Figure 14-5 Policy Created...
  • Page 545 Step 6. Under Policy > WAN To DMZ, set as below: (Figure 14-6) - Select the defined DMZ for Destination Address. - Select the defined service (Mail_Service_01) for Service. - Select POP3 for Anti-Virus. - Click OK. (Figure 14-7) Figure 14-6 Creating a WAN to DMZ Policy with Service and POP3 Anti-Virus...
  • Page 546 Figure 14-7 Policy Created...
  • Page 547 Step 7. Under Policy > DMZ To WAN, set as below: (Figure 14-8) - Select the defined DMZ for Source Address. - Select the defined service (Mail_Service_02) for Service. - Select POP3 for Anti-Virus. - Click OK. (Figure 14-9)...
  • Page 548 Figure 14-8 Creating a DMZ to WAN Policy with Service and POP3 Anti-Virus...
  • Page 549 Figure 14-9 Policy Created...
  • Page 550 Step 8. Go to Mail Security > Anti-Virus > Settings and then set as below: (Figure 14-10) Figure 14-10 Anti-Virus Settings...
  • Page 551 Step 9. When emails are received from an external mail account, such as js1720@ms21.pchome.com.tw, CS-2001 will scan them for viruses. Step 10. When an external user receives emails from an internal account, such as joe@supportplanet.com.tw, CS-2001 will scan them for viruses.
  • Page 552 14.1.2 Using CS-2001 as a Gateway to Filter Out Virus Emails (Mail Server Is Deployed in LAN under NAT Mode) Prerequisite Setup Configure Port1 as LAN1 (192.168.2.1, NAT/Routing mode) and connect it to the LAN which is using 192.168.2.x/24. Mail Server: using the LAN1 IP address (192.168.2.12) mapped to the WAN1 IP address (61.11.11.12).
  • Page 553 Figure 14-13 Creating Service Groups to Include POP3, SMTP and DNS Service Step 4. Under Policy Object > Virtual Server > Port Mapping, set as below: (Figure 14-14) Figure 14-14 Port Mapping Settings...
  • Page 554 Step 5. Under Policy > Incoming, set as below: (Figure 14-15) - Select the defined virtual server for Destination Address. - Select the defined service (Mail_Service_01) for Service. - Select SMTP for Anti-Virus. - Click OK. (Figure 14-16) Figure 14-15 Creating an Incoming Policy with Service and SMTP Anti-Virus...
  • Page 555 Figure 14-16 Policy Completed...
  • Page 556 Step 6. Under Policy > Outgoing, set as below: (Figure 14-17) - Select the defined LAN address for Source Address. - Select the defined service (Mail_Service_02) for Service. - Select SMTP for Anti-Virus. - Click OK. (Figure 14-18)...
  • Page 557 Figure 14-17 Creating an Outgoing Policy with Service and SMTP Anti-Virus...
  • Page 558 Figure 14-18 Settings Completed...
  • Page 559 Step 7. Go to Mail Security > Configuration > Mail Domains and then set as below: (Figure 14-19) Figure 14-19 Mail Domain Settings Step 8. Go to Mail Security > Anti-Virus > Settings and then set as below: (Figure 14-20) Figure 14-20 Anti-Virus Settings Note:...
  • Page 560 Step 9. When “Joe”, an internal user at supportplanet.com.tw, receives emails from external mail accounts at yahoo.com.tw: - The virus mail from share2k01@yahoo.com.tw will be stored in the quarantine. - The regular mail from share2k003@yahoo.com.tw will be sent to joe@supportplanet.com.tw. Step 10.
  • Page 561: Chapter 15 Mail Reports

    Chapter 15 Mail Reports CS-2001 provides you with email reports in the form of statistics and logs, presenting you with a thorough insight into the email activities of the business.
  • Page 562 Terms in Setting Periodic Report Scheduling Settings - Generates and sends the periodic report to the designated recipient(s) on schedule. History Report Scheduling Settings - Generates and sends the history report to the designated recipient(s) on schedule.
  • Page 563 Figure 15-2 Periodical Report Sent as an Attachment...
  • Page 564 Terms in Logs Search - Available search criteria are: date, sender, sender IP, recipient, attachment, subject, attribute and process. - Go to Mail Security > Mail Reports > Logs, click the Search icon and then set as below: - Enable the search duration and then specify a period of time. ...
  • Page 565 Figure 15-3 Searching for a Specific Log Note: 1. How to open an “.mbx” file (exported from quarantined or archived emails) on your local computer: - Convert the “.mbx” file into an “.eml” file with an mbx2eml application (e.g., IMAPSize) and then run Outlook Express to open the “.eml”...
  • Page 566 - Run IMAPSize, go to Tools > mbox2eml on the menu bar, and then click it. (Figure 15-26) - In the mbox2eml window, click the Select mbox files to convert button, locate the “.mbx” file, click Open, and then click Convert to start converting the file into an “.eml”...
  • Page 567 Figure 15-26 Navigating to Tools > Mbox2eml on the Menu Bar Figure 15-27 Locating the “.mbx” File to be Converted...
  • Page 568 Figure 15-28 Converting the “.mbx” File into an “.eml” File Figure 15-29 File Conversion Completed...
  • Page 569 Figure 15-30 Clicking and Dragging the “.eml” File into Outlook Express to Open It...
  • Page 570: Statistics

    15.1 Statistics Step 1. Mail Security > Mail Reports > Statistics shows a comprehensive statistical report. Step 2. In the upper left corner, click Day for a daily statistics report; click Week for a weekly statistics report; click Month for a monthly statistics report; click Year for an annual statistics report.
  • Page 571: Logs

    15.2 Logs Step 1. Under Mail Security > Mail Reports > Logs, it shows how emails are processed.
  • Page 572 The symbols used in Logs: - Attribute (symbol / description): Regular, Spam, Virus, Unscanned. - Process (symbol / description): Deleted, Notified, Delivered, Stored, Retrieved. - Attachment:...
  • Page 573: Web Filter

    Web Filter...
  • Page 574: Chapter 16 Configuration

    Chapter 16 Configuration Regulating the websites that employees may access improves productivity, and protects the network from the damage caused by malicious software or code. - Whitelist: To permit access to specific websites, the IT administrator may enter the complete URL, or a URL in combination with a wildcard (*). ...
  • Page 575 Terms in Setting URL Blocking License - To activate the Category feature for URL Blocking, the license key must be imported into the device here. - Each license key is unique to the device it was purchased for, thus the key is invalid if used on other devices.
  • Page 576 Figure 16-1 Web Filter Settings Note: 1. Before enabling syslog, please configure the syslog setting under System > Configuration > Settings.
  • Page 577 - The alert message is displayed when an internal user tries to access a blocked web page. (Figure 16-2) Figure 16-2 The Alert Message Terms in Whitelist Name - The name of the Whitelist. - Specifies permitted URLs. - The asterisk character (“*”) allows any website. Terms in Blacklist Name ...
  • Page 578 - Specifies any URLs required to be blocked. - The asterisk character (“*”) blocks any website. Terms in Category Name - The name for the Category. Member - Provides the following categories: Anti-Social and Illegal, Pornographic and Abusive, Gaming and Gambling, Society and Commerce, Communication and Technology, Leisure, Information and Education, and Other.
  • Page 579 Terms in MIME/Script Name - The name of the MIME/Script rule. Script - Window Popup: Blocks the popup window. - Microsoft ActiveX: Disallows the execution of ActiveX. - Java Applet: Disallows the execution of Java. - Web Cookie: Blocks Web Cookies. MIME Type - MIME (Multipurpose Internet Mail Extensions) is an Internet standard that extends the format of e-mail.
  • Page 580 - video/mpeg - application/octet-stream - application/pdf - application/msword Important: 1. To apply the Whitelist, Blacklist, Category, File Extensions and MIME/Script to the Policy, those rules need to be added to a Group first.
  • Page 581: Example

    16.1 Example (Settings / Scenario / Page): 16.1.1 Settings: Whitelist, Blacklist, Group; Scenario: Regulating User’s Access to Specific Websites Using Blacklist and Whitelist. 16.1.2 Settings: Category, File Extensions, MIME/Script, Group; Scenario: Regulating User’s Access to Specific Websites, Downloading or Uploading Specific File Extensions via HTTP or FTP, or the Access to Specific MIME Types / Script Types...
  • Page 582: Blacklist And Whitelist

    16.1.1 Regulating User’s Access to Specific Websites Using Blacklist and Whitelist Step 1. Go to Web Filter > Configuration > Whitelist and then set as below: - Click New Entry. - Type the name in the Name field. - In the URL field, type the keyword of the URL, such as yahoo. ...
  • Page 583 Note: 1. The Whitelist can be exported as a file for storage, which can be used for restoring the list later. Step 2. Go to Web Filter > Configuration > Blacklist and then set as below: (Figure 16-6) - Type the name in the Name field. ...
  • Page 584 Step 3. Go to Web Filter > Configuration > Group, click New Entry and then set as below: (Figure 16-8) - Type the name in the Name field. - Move the Whitelist from the Available Whitelists column to the Selected Whitelists column. ...
  • Page 585 Figure 16-8 Group Settings for URL Blocking...
  • Page 586 Figure 16-9 The Completed Group Settings...
  • Page 587 Step 4. Go to Policy > Outgoing, click New Entry and then set as below: (Figure 16-10) - Select the defined group from the Web Filter drop-down list. - Click OK. (Figure 16-11) - By applying this policy, only websites containing “yahoo” or “google” in the domain name will be permitted.
  • Page 588 16.1.2 Regulating User’s access to Specific Website, Downloading or Uploading Specific File Extension via HTTP or FTP or the Access to Specific MIME Types/ Script Types Step 1. Go to Web Filter > Configuration > Category, click New Entry and then set as below: (Figure 16-12)...
  • Page 589 Step 2. Go to Web Filter > Configuration > File Extensions, click New Entry and then set as below: (Figure 16-14) - Type the name in the Name field. - Select All types of file extensions. - Click OK. (Figure 16-15) Figure 16-14 Blocking the Specific File Extension Figure 16-15 Setting Completed Note:...
  • Page 590 Figure 16-16 Adding a New Extension Figure 16-17 Typing a New Extension Figure 16-18 File Extension Added...
  • Page 591 Step 3. Go to Web Filter > Configuration > MIME/Script, click New Entry and then set as below: (Figure 16-19) - Type the name in the Name field. - Under the Forbidden File Extensions section, tick Window Popup, Microsoft ActiveX, Java Applet and Web Cookie. ...
  • Page 592 - Click Modify and then click Add. (Figure 16-21) - Enter the MIME Types in the field. - Click OK. (Figure 16-22, 16-23) Figure 16-21 Configuring the MIME Type Figure 16-22 Adding the MIME Types Figure 16-23 MIME Type Added...
  • Page 593 Step 4. Go to Web Filter > Configuration > Group, click New Entry and then set as below: (Figure 16-24) - Type the name in the Name field. - Select the defined category from the Category drop-down list. - Select the defined rule from the Upload Blocking drop-down list and the Download Blocking drop-down list.
  • Page 594 Figure 16-24 Configuring the URL Group...
  • Page 595 Figure 16-25 Setting Completed...
  • Page 596 Step 5. Go to Policy > Outgoing, click New Entry and then set as below: (Figure 16-26) - Select the defined group from the Web Filter drop-down list. - Click OK. (Figure 16-27) Figure 16-26 Configuring the Policy Figure 16-27 Policy Completed...
  • Page 597: Chapter 17 Reports

    Chapter 17 Reports Reports provides the IT administrator with detailed statistics and logs regarding the websites accessed by users.
  • Page 598 Terms in Setting Periodic Report Scheduling Settings - Generates and sends out a periodic report to the designated recipient(s) based on a schedule. History Report Retrieving Settings - Generates the report of a specific date and instantly sends it to the designated recipient(s).
  • Page 599 Figure 17-2 A Daily Report Sent through an Email Message...
  • Page 600 Terms in Logs Search - Category: Available search criteria are time, source IP address, website, classification and action. - Upload: Available search criteria are time, source IP address, website, file, rule and action. - Download: Available search criteria are time, source IP address, website, file, rule and action.
  • Page 601 Figure 17-13 Searching for the Specific Logs Note: 1. Under Web Filter > Reports > Logs, the Category reports can be sorted by the time, source IP, website, class or action. 2. Under Web Filter > Reports > Logs, the download and the upload report can be sorted by the time, source IP, website, class and action.
  • Page 602: Statistics

    17.1 Statistics Step 1. Under Web Filter > Reports > Statistics, bar charts show the report of URL blocking. Step 2. In the upper left corner, click on a time reference from which to display the bar charts. Click on Day for bar charts derived from daily statistics; click on Week for bar charts derived from weekly statistics;...
  • Page 603 Step 4. Below it shows the statistics report. (Figure 17-15) - The Y-axis indicates the number of scanned URLs. - The X-axis indicates the time.
  • Page 605 Figure 17-15 Statistics Report...
  • Page 606: Logs

    17.2 Logs Step 1. Under Web Filter > Reports > Logs, it shows the URL blocking logs. (Figure 17-16) Figure 17-16 URL Blocking Logs...
  • Page 608: Chapter 18 Configuration

    Chapter 18 Configuration In order to protect your network from various security threats, the device produces timely alerts and blocking mechanisms based upon anomaly flows and the inspection of packet contents.
  • Page 609 1. To ensure signature definitions can be updated successfully, click on Test Connection to check the connection to the designated IDP definition server. 2. Once the Proxy Server is deployed, the proxy settings under System > Configuration > Settings must be configured for the CS-2001 to access the Internet. IDP Logging Setting ...
  • Page 610 - Type 60 in the Storage Lifetime field. - Click OK. (Figure 18-1) Figure 18-1 IDP Settings Note: 1. To enable Syslog, the IT administrator must configure the Syslog Message Settings under System > Configuration > Settings first.
  • Page 611 - When attacks are detected, the IT administrator will receive both an email notification and a NetBIOS notification. Also, a corresponding log will be available under IDP > IDP Reports > Logs. (Figure 18-2, 18-3) Figure 18-2 An Email Notification Figure 18-3 A NetBIOS Notification...
  • Page 612 Note: 1. The IDP log is generated according to the “Log” setting under IDP > Signatures > Anomaly / Pre-defined / Custom.
  • Page 613: Chapter 19 Signatures

    Chapter 19 Signatures To protect your company's network from malicious intrusions and attacks, the CS-2001 provides alerts and blocking mechanisms based upon the inspection of packets and the detection of anomaly traffic flows. Regardless of whether the attack originated internally or externally, the device ensures that legitimate network traffic remains secure and undisturbed.
  • Page 614 Terms in Signatures Anomaly - Available signatures are syn flood, udp flood, icmp flood, portscan and http inspect. (Figure 19-1) - You may specify the action taken upon the detection of an anomaly flow. Available actions are Pass, Drop and Reject. Available alert options are Log and Alert. Figure 19-1 Anomaly Settings...
  • Page 615 Pre-defined - Available signatures are Attack Responses, Backdoor, Bad Traffic, Chat, DDoS, DNS, DoS, Exploit, Finger, FTP, ICMP, IMAP, Info, Misc, MySQL, NetBIOS, NNTP, Oracle, Policy, POP2, POP3, Porn, RPC, Rservices, Scan, Shellcode, SMTP, SNMP, Spyware, SQL, Telnet, TFTP, Web CGI, Web Client, Web Coldfusion, Web Frontpage, Web IIS, Web Misc, Web PHP, X11 and other.
  • Page 616 Figure 19-2 Pre-Defined Settings...
  • Page 617 Note: 1. All the signatures under the IDP > Signatures > Pre-defined are processed according to the Default Settings for Each Risk Level settings under IDP > Configuration > Settings. However, after the settings under IDP > Configuration > Settings, the user may go to IDP > Signatures >...
  • Page 618 Name - The name of the signature. Protocol - Determines which IP version (IPv4, IPv6) and communication protocol to detect and protect. Source IP / Netmask - The IP address / netmask the attack comes from. Source Port - The port number the attack comes from.
  • Page 619: Example

    19.1 Example 19.1.1 Adopting Packets Inspection along with Custom and Pre-Defined Signatures to Detect and Prevent the Intrusion Step 1. Under IDP > Configuration > Settings, set as below: (Figure 19-3) Figure 19-3 IDP Settings...
  • Page 620 Step 2. Go to IDP > Signatures > Anomaly and then set as below: (Figure 19-4) - Enable the signatures and configure the settings. - Click OK. Figure 19-4 Anomaly Settings...
  • Page 621 Step 3. Under IDP > Signatures > Pre-defined, set as below: (Figure 19-5) - Select the signatures. - Click OK. Figure 19-5 Pre-Defined Settings...
  • Page 622 Step 4. Go to IDP > Signatures > Custom and set as below: (Figure 19-6) - Type the name in the Name field. - Select IPv4 for IP Version and TCP for Communication Protocol. - Type the Source Port No. ...
  • Page 623 Note: 1. You may type a word string in the Content Pattern field; or convert it to hexadecimal ASCII code and then paste it into the field. (E.g., the word “cracks” can also be converted to |63 72 61 63 6b 73|) Step 5.
  • Page 624 Figure 19-8 Applying the IDP to the Policy...
  • Page 625 Figure 19-9 Policy Created...
  • Page 626: Chapter 20 Idp Report

    Chapter 20 IDP Report CS-2001 provides you with a comprehensive IDP report in both statistics and logs. With the help of them, you could have a clear view of network security status.
  • Page 627 Terms in Settings Periodic Report Scheduling Settings - Generates and sends out the periodic report to the designated recipient(s) on schedule. History Report Scheduling Settings - Generates the report of a specific date and instantly sends it to the designated recipient(s).
  • Page 628 Figure 20-2 Periodic Report Received...
  • Page 629 Terms in Logs Search - Available search criteria are date, event, signature category, attacker IP, victim IP, interface and risk level. - Go to IDP > IDP Reports > Logs, click the Search icon and then set as below: - Enable the search duration and specify a period of time.
  • Page 630: Statistics

    20.1 Statistics Step 1. Go to IDP > IDP Reports > Statistics to view a full-scale IDP report in statistics. Step 2. In the upper left corner, click Day to see the daily statistics report, click Week to see the weekly statistics report, click Month to see the monthly statistics report, click Year to see the yearly statistics report.
  • Page 631: Logs

    20.2 Logs Under IDP > IDP Reports > Logs, it shows the IDP status. Note: 1. The symbols used in Logs: - Process (symbol / description): Allow; Drop, Reject. - Risk Level (symbol / description): High Risk, Medium Risk, Low Risk...
  • Page 632: Web Vpn / Ssl Vpn

    Web VPN / SSL VPN...
  • Page 633: Chapter 21 Web Vpn / Ssl Vpn

    Chapter 21 Web VPN / SSL VPN Since the Internet is in widespread use these days, the demand for secure remote connections is increasing. To meet this demand, SSL VPN provides the best solution. By using SSL VPN from a standard browser, clients can transfer data securely through its SSL security protocol without the need to install any software or hardware.
  • Page 634 Terms in VPN DES - DES, an acronym for Data Encryption Standard, is a cipher that was selected by NIST (National Institute of Standards and Technology), using a 56-bit key for encryption. 3DES - 3DES, an acronym for Triple Data Encryption Standard, executes the core DES algorithm three times in a row with a 168-bit key size, providing significantly enhanced security and making it more difficult to break than DES.
  • Page 635 Hardware Auth. - The IT administrator may enable the PCs listed under Web VPN / SSL VPN > Hardware Auth by adding them to the Selected Hardware column under Web VPN / SSL VPN > Settings.
  • Page 636 1. Hardware authentication removes the need for users to enter a username and password every time they wish to establish an SSL VPN connection with the CS-2001. However, the first time a user tries to establish an SSL VPN connection, they will be requested to enter a username and password.
  • Page 637: Example

    21.1 Example 21.1.1 Configuring Web / SSL VPN Connection settings for External Clients Step 1. Go to Interface > WAN, activate the HTTPS function. (Figure 21-2) Figure 21-2 WAN Interface Step 2. Go to Policy Object > Authentication > Account / Group and then set as below: (Figure 21-3, 21-4)...
  • Page 638 Figure 21-4 User Group Entries...
  • Page 639 Step 3. Go to Web VPN / SSL VPN > Settings and then set as below: - Click Modify. (Figure 21-5) - Tick Enable Web VPN / SSL VPN. - Select the IP Version. - Enter the Client IP address / netmask. ...
  • Page 640 Figure 21-6 Web VPN / SSL VPN Setting Completed...
  • Page 641 Figure 21-7 Web VPN / SSL VPN Authentication Settings Figure 21-8 Web VPN / SSL VPN Authentication Completed...
  • Page 642 Step 4. Go to Policy > Incoming and then set as below: (Figure 21-9) - Select the defined Web VPN / SSL VPN from the VPN Trunk drop-down list. - Click OK. (Figure 21-10) Figure 21-9 Configuring an Incoming Policy with Web VPN / SSL VPN Figure 21-10 Policy Created...
  • Page 643 Step 5. Configure the setting from a browser: - In the URL field, type the CS-2001 interface address followed by sslvpn or webvpn. For example, https://61.11.11.11/sslvpn or https://61.11.11.11/webvpn. - Click Yes in the Security Alert window. (Figure 21-11) - Click Yes in the Warning – Security window.
  • Page 644 Figure 21-12 Warning-Security Window...
  • Page 645 Figure 21-13 Warning-Security Window Figure 21-14 The Authentication Window Figure 21-15 Web VPN / SSL VPN Connection...
  • Page 646 Figure 21-16 Web VPN / SSL VPN Connection Established...
  • Page 647 (Figure 21-17) Figure 21-17 Web VPN / SSL VPN Connection Status Step 7. Under Web VPN / SSL VPN > Hardware Auth, it displays the connection status between the CS-2001 and the users. (Figure 21-18) Figure 21-18 The Authentication User List...
  • Page 648 Step 8. Go to Web VPN / SSL VPN > Settings and then set as below: (Figure 21-19) - Click Modify. - Move the hardware from the Available Hardware column to the Selected Hardware column. - Click OK. (Figure 21-20) Figure 21-19 Configuring Authentication User / Group...
  • Page 649 Figure 21-20 Setting Completed Step 9. When a user establishes an SSL VPN connection through the CS-2001, their hardware can be directly authenticated without the need for a username and password.
  • Page 650 Note: 1. When hardware authentication and user/group authentication are both enabled, the device will first try to authenticate by hardware authentication and will perform the following: - If the user’s PC hardware information is under Web VPN / SSL VPN > Settings, then the user is permitted to establish a Web VPN connection.
  • Page 651 Figure 21-22 Installing Java Runtime Environment Plug-in...
  • Page 652: Im Recording

    IM Recording...
  • Page 653: Chapter 22 Configuration

    Chapter 22 Configuration IM Recording can help you record and monitor the use of MSN and QQ messenger. This can prevent productivity losses from personal use and confidentiality breaches from information leaks.
  • Page 654 Invalid Password: The user’s password is invalid. The CS-2001 device may not be able to record the user’s use of QQ messenger. 2. The CS-2001 will authenticate the user’s account and password when the user attempts to log into the QQ messenger.
  • Page 655: Example

    22.1 Example 22.1.1 Recording the Use of MSN / QQ Messenger Step 1. Users may log into the Web User Interface to add their own account. (Enter the management IP address appended with qq, e.g., http://192.168.1.1/qq) (Figure 22-1, 22-2) Figure 22-1 Entering the QQ Account and Password...
  • Page 656 Figure 22-2 Account Added Note: 1. IT administrator may add new users under IM Recording > Configuration > QQ Account Manager.
  • Page 657 Step 2. The added user is listed under IM Recording > Configuration > QQ Account Manager: - Tick Block QQ access with an invalid password. - Click OK. - The newly added user has not yet been authenticated. (Figure 22-3) ...
  • Page 658 Note: 1. Users may go to the Web user interface to change their password on their own. (Enter the management IP address appended with qq, e.g., http://192.168.1.1/qq) (Figure 22-5) Figure 22-5 Modifying the Password...
  • Page 659 Step 3. Go to Policy > Outgoing and set as below: (Figure 22-6) - Enable IM Recording. - Click OK. (Figure 22-7) Figure 22-6 Creating an Outgoing Policy with IM Recording...
  • Page 660 Figure 22-7 Policy Created...
  • Page 661: Chapter 23 Reports

    Chapter 23 Reports The records of MSN and QQ messengers are shown in the form of easy-to-read logs and statistics. Terms in Settings Periodic Report Scheduling Settings - Generates and sends out the periodic report to the designated recipient(s) on schedule.
  • Page 662 Figure 23-1 Periodic Report Settings Figure 23-2 Daily IM Statistics Report...
  • Page 663 Figure 23-3 Daily IM Statistics Report Figure 23-4 Historical Report Scheduling Settings...
  • Page 664 Figure 23-5 Historical Report Received...
  • Page 665 Figure 23-6 Weekly IM Statistics Report Terms in Message History Search - Available search criteria are date, time range, IM type, username, account, participants, message content and transferred file name. - Configure the Email Notification Settings under System > Configuration >...
  • Page 666 - Click Search. (Figure 23-7) - Click Send Report. - The report is sent to the designated recipient(s). (Figure 23-8, 23-9) - To store the search results on the local computer, click the Download Report button. (Figure 23-10) Figure 23-7 Searching the Specific Logs Note: The logs under IM Recording >...
  • Page 667 Figure 23-8 Receiving the Search Results Figure 23-9 The Search Results Note: You may click the number under the icon to see the messages sent by the participants.
  • Page 668: Statistics

    Figure 23-10 Downloading the Search Results 23.1 Statistics Step 1. IM Recording > Reports > Statistics shows a comprehensive statistical report. Step 2. In the upper left corner, click Day to see the daily report; click Week to see the weekly report; click Month to see the monthly report; click Year to see the yearly report.
  • Page 669 Figure 23-11 IM Recording Statistical Report...
  • Page 670: Message History

    23.2 Message History Step 1. IM Recording > Reports > Message History shows the logs of users’ conversation. (Figure 23-12) Figure 23-12 IM Conversation Logs Policy...
  • Page 671: Chapter 24 Policy

    Chapter 24 Policy CS-2001 inspects each packet passing through the device to see whether it meets the criteria of any policy. Every packet is processed according to the policy it matches; a packet that matches no policy is not permitted to pass (implicit deny).
  • Page 672 1. CS-2001 only forwards packets that a policy accepts. Therefore, wherever the connection originates ─ regardless of the network type (LAN, WAN or DMZ) ─ a policy must be configured for each of these networks. 2. CS-2001 uses the VPN trunk setting of a policy to manage the packets sent and received over VPN connections.
  • Page 673 Terms in Policy Source Address & Destination Address  Source address and destination address are defined with the device as the point of reference. The address that initiates a session is the source address. Service  The service to be regulated.
  • Page 674 Authentication  This requires users to be authenticated to create a connection. VPN Trunk  This is where you apply the policy to regulate the session packets of IPSec or PPTP VPN. Action  It determines over which WAN interface/s packets are permitted to pass through (see the table below).
  • Page 675 Web App Firewall  It regulates and filters web applications. Anti-Virus  It filters viruses contained in files transferred over the HTTP / Web-Based Mail / FTP / SMTP / POP3 protocols.
  • Page 676 Priority  When a packet arrives, CS-2001 compares it with the criteria of the existing policies. The comparison is performed in policy priority order and the first matching policy is applied, so a packet covered by two policies is handled by whichever sits higher in the table. Therefore, to get the intended result (for example, a deny rule for a specific destination must sit above a broader permit rule that also covers it) and to keep processing efficient, rearrange the priority of policies by changing the figure in the pull-down menu of each policy.
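The first-match, priority-ordered evaluation described above, as an added example that is not the device's own code. The address objects, the service definitions and the sample policies and packets are constructed for illustration; the point it shows is that the same packet gets a different verdict depending on which of two overlapping policies sits higher in the table, and that a packet matching nothing is dropped.

```python
"""First-match policy evaluation, modelled on the CS-2001 policy table.

Added example (not the device's code): a packet is compared with the
policies in priority order, the first matching policy decides, and a packet
that matches no policy is dropped.  Address objects, services and the
sample policies/packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY_NET = "0.0.0.0/0"
ANY_SERVICE = ("any", 0, 65535)          # protocol, low port, high port


@dataclass(frozen=True)
class Policy:
    name: str
    source: str                          # CIDR of the source address object
    destination: str                     # CIDR of the destination address object
    service: Tuple[str, int, int]        # (protocol, low port, high port)
    action: str                          # "permit" or "deny"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    dport: int


def matches(policy: Policy, pkt: Packet) -> bool:
    """True when every field of the policy covers the packet."""
    if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(policy.source):
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(policy.destination):
        return False
    proto, low, high = policy.service
    if proto != "any" and proto != pkt.protocol:
        return False
    return low <= pkt.dport <= high


def evaluate(policies: List[Policy], pkt: Packet) -> Tuple[str, str]:
    """Walk the table in priority order; return (action, policy name).

    The list order is the priority: index 0 is checked first.  A packet that
    reaches the end without a match is dropped (implicit deny)."""
    for policy in policies:
        if matches(policy, pkt):
            return policy.action, policy.name
    return "deny", "<no matching policy>"


# Constructed sample: a LAN permit rule for HTTP and a deny rule for one
# destination group.  The addresses are illustrative (documentation ranges).
LAN_WEB = Policy("LAN->WAN HTTP", "192.168.1.0/24", ANY_NET, ("tcp", 80, 80), "permit")
BLOCK_GROUP = Policy("Deny blocked sites", "192.168.1.0/24", "203.0.113.0/24",
                     ANY_SERVICE, "deny")

PKT_TO_BLOCKED = Packet("192.168.1.10", "203.0.113.5", "tcp", 80)
PKT_TO_OTHER = Packet("192.168.1.10", "198.51.100.7", "tcp", 80)
PKT_SSH = Packet("192.168.1.10", "198.51.100.7", "tcp", 22)


def priority_demo() -> dict:
    """Same packet, two table orders: the higher policy wins."""
    deny_first = [BLOCK_GROUP, LAN_WEB]
    permit_first = [LAN_WEB, BLOCK_GROUP]
    return {
        "deny_first": evaluate(deny_first, PKT_TO_BLOCKED)[0],      # deny
        "permit_first": evaluate(permit_first, PKT_TO_BLOCKED)[0],  # permit
        "other_site": evaluate(deny_first, PKT_TO_OTHER)[0],        # permit
        "unmatched_ssh": evaluate(deny_first, PKT_SSH),             # implicit deny
    }


if __name__ == "__main__":
    for key, value in priority_demo().items():
        print(f"{key}: {value}")
```

The `unmatched_ssh` case is the one that bites in practice: nothing in the table mentions port 22, so the packet is dropped even though the administrator never wrote a rule against it, which is exactly why the chapter insists on a policy for every network pair that must communicate.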
  • Page 677: Example

    24.1 Example No. Settings Scenario Page 24.1.1 Outgoing Creating a Policy to Monitor the Internet Access of LAN User 24.1.2 Outgoing Creating a Policy to Restrict the Access to Specific Web Sites 24.1.3 Outgoing Creating a Policy to Grant Internet Access to Only Authenticated Users on Schedule 24.1.4 Incoming...
  • Page 678 24.1.1 Creating a Policy to Monitor the Internet Access of LAN Users Step 1. Go to Policy > Outgoing and then set as below: (Figure 22-1)  Enable the Packet Logging.  Enable the Traffic Grapher.  Click OK. (Figure 22-2) Figure 22-1 Enabling Packet Logging and Traffic Grapher Figure 22-2 Setting Completed...
  • Page 679 Click any Source IP or Destination IP for sessions accessed through the IP address that you click on.  For details of all sessions accessed through CS-2001, go to Monitoring > Logs > Traffic on the main menu. (Figure 22-4)...
  • Page 680 Figure 22-4 Traffic Shown in Log Screen...
  • Page 681 Step 3. Under Monitoring > Traffic Grapher > Policy-Based Traffic, the traffic flow is displayed in graphics, giving you an instant insight of traffic status. (Figure 22-5)...
  • Page 683 Figure 22-5 Statistics Screen...
  • Page 684 24.1.2 Creating a Policy to Restrict the Access to Specific Web Sites Step 1. Go to Web Filter > Configuration > Whitelist/ Blacklist/ File Extensions/ MIME/ Script/ Group and then set as below: (Figure 22-6, 22-7, 22-8, 22-9, 22-10) Figure 22-6 Whitelist Settings Figure 22-7 Blacklist Settings Figure 22-8 File Extensions Settings...
  • Page 685 Figure 22-9 MIME / Script Settings Figure 22-10 Group Settings...
  • Page 686 Step 2. Go to Policy Object > Application Blocking > Settings and then set as below: (Figure 22-11, 22-12) Figure 22-11 Application Blocking Settings Figure 22-12 Setting Completed Note: 1. Script blocking is used for blocking certain functional features of a web site, such as Java, cookie, and so on.
  • Page 687 2. Application Blocking is used for blocking Instant Messenger, Peer-to-Peer Application, Video/ Audio Application, Webmail, Game Application, Tunnel Application, Remote Control Application and other application.
  • Page 688 Step 3. Go to Policy Object > Address > WAN / WAN Group and then set as below: (Figure 22-13, 22-14) Figure 22-13 WAN Interface Setting Figure 22-14 WAN Group Setting...
  • Page 689 Step 4. Go to Policy > Outgoing and then set as below: (Figure 22-15)  Select the defined group from the Destination Address field.  Select Deny All for Action.  Click OK. Figure 22-15 Creating an Outgoing Policy to Deny Access...
  • Page 690 Step 5. Go to Policy > Outgoing and then set as below: (Figure 22-16)  Select the defined group from the Web Filter drop-down list.  Select the defined rule from the Application Blocking drop-down list.  Click OK. (Figure 22-17) Figure 22-16 Applying Application Blocking to the Policy Figure 22-17 Policy Created Note:...
  • Page 691 24.1.3 Creating a Policy to Grant Internet Access to Only Authenticated Users on Schedule Step 1. Go to Policy Object > Schedule > Settings and then set as below: (Figure 22-18) Figure 22-18 Schedule Settings Step 2. Go to Policy Object > Authentication > Account / Group and then set as below: (Figure 22-19)...
  • Page 692 Figure 22-20 Applying the Schedule and Authentication to the Policy Figure 22-21 Policy Completed...
  • Page 693 24.1.4 Creating a Policy to Enable a Remote User to Control a LAN PC with Remote Control Software (pcAnywhere) Step 1. Set up a computer to be remotely controlled; its IP address is 192.168.1.2. Step 2. Under Policy Object > Virtual Server > Port Mapping, set as below: (Figure 22-22)...
  • Page 694 Step 3. Under Policy > Incoming, set as below: (Figure 22-23)  Select the defined Virtual Server for Destination Address.  Select PC-Anywhere(5629-5632) for Service.  Click OK. (Figure 22-24) Figure 22-23 Creating an Incoming Policy to Enable LAN PC to be Remotely Controlled Figure 22-24 Policy Completed...
  • Page 695 24.1.5 Creating a Policy to Limit the Bandwidth, Daily Total Traffic Amount and Maximum Concurrent Sessions of an Incoming Session to an FTP Server (A NAT Mode Example) Step 1. Set up an FTP server in the DMZ; the server IP address is 192.168.3.2. (The DMZ subnet is 192.168.3.0/24, with the DMZ interface at 192.168.3.1.) Step 2.
  • Page 696 Step 4. Go to Policy > WAN to DMZ and then set as below (Figure 22-27)  Select the defined rule from the Destination Address drop-down list.  Select FTP(18-21) from the Service drop-down list.  Select the defined rule from the QoS drop-down list. ...
  • Page 697 Figure 22-28 A WAN-to-DMZ Policy Created...
  • Page 698 24.1.6 Creating a Policy to Enable LAN / WAN Users to Have Email Access (A Transparent Mode Example) Step 1. Set up a mail server in DMZ. Next, point it to the external DNS server and then set its IP address to 61.11.11.12. Step 2.
  • Page 699 Step 4. Under Policy > WAN To DMZ, set as below: (Figure 22-31)  Select the defined DMZ rule for Destination Address.  Select the defined service for Service.  Click OK. (Figure 22-32) Figure 22-31 A WAN-to-DMZ Policy for Granting Email Access to WAN Users Figure 22-32 A WAN-to-DMZ Policy for Granting Email Access to WAN Users Completed...
  • Page 700 Step 5. Under Policy > LAN To DMZ, set as below: (Figure 22-33)  Select the defined DMZ entry for Destination Address.  Select the defined service for Service.  Click OK. (Figure 22-34) Figure 22-33 A LAN-to-DMZ Policy for Granting Email Access to LAN Users Figure 22-34 A LAN-to-DMZ Policy for Granting Email Access to LAN Users Completed...
  • Page 701 Step 6. Under Policy > DMZ To WAN, set as below: (Figure 22-35)  Select the defined rule for Source Address.  Select the defined rule for Service.  Click OK. (Figure 22-36) Figure 22-35 A DMZ-to-WAN Policy for Granting Email Access to WAN Users Figure 22-36 A DMZ-to-WAN Policy for Granting Email Access to WAN Users Completed...
  • Page 702: Anomaly Flow IP

    Anomaly Flow IP...
  • Page 703: Chapter 25 Anomaly Flow IP

    Chapter 25 Anomaly Flow IP Once an anomalous traffic flow is detected, CS-2001 blocks the flow of packets from the offending IP address. This protection keeps the network operational, so the business's revenue-generating activities are left undisturbed.
  • Page 704: Example

    25.1 Example 25.1.1 Configuration for Alerts and the Blocking of Internal DDoS Attacks Step 1. Go to System > Configuration > Settings and then configure the settings under the Email Notification Settings section. Step 2. Go to System > Configuration > SNMP and then configure the settings under the SNMP Trap Settings section.
  • Page 705 Step 3. Go to Anomaly Flow IP > Settings and then set as below: (Figure 23-2)  Enter the Traffic Threshold per IP. (The default value is 100)  Tick Enable Anomaly Flow IP Blocking and then type the Blocking Time.
  • Page 706 Step 4. When a DDoS attack occurs, CS-2001 generates a corresponding log under Anomaly Flow IP > Virus-infected IP, and if NetBIOS Notification is enabled, sends a NetBIOS broadcast to both the victim user and IT administrator to warn about the attack.
  • Page 707 Step 6. Internal users see an alert message when they open a web browser after their host has been flagged as virus-infected. CS-2001 limits the bandwidth of virus-infected users to a minimum in order to oblige them to remove the virus. Note: The alert message appears only the first time a virus-infected user opens a web browser after the infection. (The flag is set by the per-IP traffic threshold, so a legitimately busy host, such as a backup or scanning server, can also trip it; set the threshold so that normal peaks stay below it.)
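The threshold-and-block behaviour of this chapter, run over constructed traffic, as an added example that is not the device's code. The manual gives a "Traffic Threshold per IP" (default 100) and a "Blocking Time" but not the threshold's unit, so the example assumes packets per one-second sliding window; the log line format, the address values and the sample traffic are constructed.

```python
"""Per-source-IP traffic threshold with timed blocking, modelled on Chapter 25.

Added example, not the device's code.  Assumptions: the threshold counts
packets per one-second sliding window (the manual does not state the unit),
and the log format below is invented for the replay.  A source that exceeds
the threshold is blocked for block_time; its packets are dropped meanwhile
and counting restarts when the block expires.
"""
import re
from collections import deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log line format, e.g.
# "2012-04-10 09:00:00.000000 src=192.168.1.23 dst=10.0.0.5 proto=tcp dport=445"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=\S+ proto=\S+ dport=\d+$")
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"


class AnomalyFlowDetector:
    def __init__(self, threshold: int = 100,
                 window: timedelta = timedelta(seconds=1),
                 block_time: timedelta = timedelta(minutes=10)):
        self.threshold = threshold
        self.window = window
        self.block_time = block_time
        self._recent: Dict[str, deque] = {}                  # src -> timestamps in window
        self.blocked_until: Dict[str, datetime] = {}
        self.events: List[Tuple[str, str, datetime]] = []    # ("block"|"unblock", src, ts)

    def observe(self, ts: datetime, src: str) -> str:
        """Account one packet from src and return the verdict."""
        until = self.blocked_until.get(src)
        if until is not None:
            if ts < until:
                return "dropped"                              # still inside blocking time
            del self.blocked_until[src]
            self.events.append(("unblock", src, ts))
        recent = self._recent.setdefault(src, deque())
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                                  # slide the window forward
        if len(recent) > self.threshold:
            self.blocked_until[src] = ts + self.block_time
            recent.clear()
            self.events.append(("block", src, ts))
            return "blocked"
        return "forwarded"


def replay(lines: List[str], **kwargs) -> Tuple[AnomalyFlowDetector, List[str]]:
    """Feed log lines (in time order) through a detector; return it and the verdicts."""
    det = AnomalyFlowDetector(**kwargs)
    verdicts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                          # skip malformed lines
        verdicts.append(det.observe(datetime.strptime(m["ts"], TS_FMT), m["src"]))
    return det, verdicts


def build_sample() -> List[str]:
    """Constructed traffic: .23 bursts 120 packets in 0.48 s (worm-like scan),
    .50 sends 5 packets, and .23 sends one more packet after the block expires."""
    base = datetime(2012, 4, 10, 9, 0, 0)
    rows = [(base + timedelta(milliseconds=4 * i), "192.168.1.23") for i in range(120)]
    rows += [(base + timedelta(milliseconds=100 * i), "192.168.1.50") for i in range(5)]
    rows.append((base + timedelta(minutes=10, seconds=1), "192.168.1.23"))
    rows.sort()
    return [f"{ts.strftime(TS_FMT)} src={src} dst=10.0.0.5 proto=tcp dport=445"
            for ts, src in rows]


SAMPLE_LINES = build_sample()

if __name__ == "__main__":
    detector, _ = replay(SAMPLE_LINES, threshold=100)
    for kind, src, ts in detector.events:
        print(f"{ts} {kind} {src}")
```

With the default threshold the scanning host is blocked on its 101st packet and its remaining burst is dropped; the quiet host is never touched, and raising the threshold to 200 produces no block at all, which is the tuning trade-off the note above refers to.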
  • Page 708: Advance

    Advance...
  • Page 709: Chapter 26 Inbound Balancing

    Chapter 26 Inbound Balancing The CS-2001 provides enterprises with Inbound Load Balancing. It ensures uninterrupted access for external users to the company's servers. If one WAN link fails, incoming traffic will be redirected to another WAN link. In addition, inbound flows can be distributed to each port according to the regulated weighting and priority of each port, ensuring the quality of the connection.
  • Page 710 IP addresses with meaningful and more easily readable English hostnames, such as ccu.edu.tw, planet.com.tw.  We are all familiar with website addresses. For example if we want to browse yahoo's website we just type in www.yahoo.com into a browser to see the...
  • Page 711 Domain Name / Type / IP Address: host1.nu.net.tw 61.11.11.12; host2.nu.net.tw 61.11.11.13; host2.nu.net.tw 211.22.22.23 (Table 24-1 Domain Name and IP Address Mapping Table)  Domain names can be mapped to more than one IP address. The table above shows that host2 is mapped to two IP addresses, so it has two entries.
  • Page 712  Supposing a user wants to send an email to mary@mail.nu.net.tw. The user is using test.com.tw as its SMTP server. The DNS records will be queried on this server to determine where to send the email destined for mail.nu.net.tw. The following table shows the MX record resulted from the query: (Table 24-4)...
  • Page 713 pointer records of the reverse database, this IP address is stored as the domain name 12.11.11.61.in-addr.arpa pointing back to its designated hostname.
  • Page 714  IPv6 uses PTR records as well. For example, host33.nu.net.tw points to FEC0::2AA:FF:FE3F:2A1C (FEC0:0000:0000:0000:02AA:00FF:FE3F:2A1C); in the pointer records of the reverse database, this address is stored as the domain name C.1.A.2.F.3.E.F.F.F.0.0.A.A.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.C.E.F.IP6.INT. pointing back to its hostname. (The ip6.int tree shown here was deprecated by RFC 4159; current reverse zones use the same nibble-reversed name under ip6.arpa. FEC0::/10 site-local addresses were likewise deprecated by RFC 3879, so the address is illustrative only.)  For example, use the nslookup command to verify that DNS lookup works normally.
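How the reverse-lookup names above are derived, plus the consistency check a receiving mail server effectively performs between forward and reverse records, as an added example that is not the device's code. The zone data is constructed from the manual's sample names and addresses; the orphan PTR for 61.11.11.99 and the missing PTR for 211.22.22.23 are deliberate defects.

```python
"""Reverse-lookup owner names and a forward-confirmed reverse DNS check.

Added example, not the device's code.  reverse_name() builds the PTR owner
name for an IPv4 or IPv6 address (optionally in the obsolete ip6.int form the
manual prints); forward_confirmed() checks a small constructed zone for
A/AAAA <-> PTR consistency.  All records below are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple


def reverse_name(addr: str, legacy_ip6_int: bool = False) -> str:
    """Owner name of the PTR record for addr, with trailing dot."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")          # 32 hex digits, zero padded
    suffix = "ip6.int." if legacy_ip6_int else "ip6.arpa."   # ip6.int is obsolete (RFC 4159)
    return ".".join(reversed(nibbles)) + "." + suffix


def agrees_with_stdlib(addr: str) -> bool:
    """Cross-check against ipaddress' own reverse_pointer (ip6.arpa form)."""
    return reverse_name(addr) == ipaddress.ip_address(addr).reverse_pointer + "."


def forward_confirmed(forward: Dict[str, List[str]],
                      reverse: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Report mismatches between forward (host -> addresses) and reverse
    (PTR owner name -> host) data as (host, address_or_owner, problem)."""
    problems = []
    for host, addrs in forward.items():             # every address needs a PTR back to host
        for addr in addrs:
            ptr = reverse.get(reverse_name(addr))
            if ptr is None:
                problems.append((host, addr, "no PTR record"))
            elif ptr.lower() != host.lower():
                problems.append((host, addr, f"PTR points to {ptr}"))
    for owner, host in reverse.items():             # every PTR target must resolve back
        if not any(reverse_name(a) == owner for a in forward.get(host, [])):
            problems.append((host, owner, "PTR target does not resolve back"))
    return problems


# Constructed zone data built from the manual's sample names.
FORWARD = {
    "host1.nu.net.tw.": ["61.11.11.12"],
    "host2.nu.net.tw.": ["61.11.11.13", "211.22.22.23"],      # 211.22.22.23 has no PTR
    "host33.nu.net.tw.": ["fec0::2aa:ff:fe3f:2a1c"],
}
REVERSE = {
    "12.11.11.61.in-addr.arpa.": "host1.nu.net.tw.",
    "13.11.11.61.in-addr.arpa.": "host2.nu.net.tw.",
    reverse_name("fec0::2aa:ff:fe3f:2a1c"): "host33.nu.net.tw.",
    "99.11.11.61.in-addr.arpa.": "host2.nu.net.tw.",            # orphan: host2 has no .99 address
}

if __name__ == "__main__":
    print(reverse_name("61.11.11.12"))
    print(reverse_name("FEC0::2AA:FF:FE3F:2A1C", legacy_ip6_int=True))
    for problem in forward_confirmed(FORWARD, REVERSE):
        print(problem)
```

The check is worth running before putting the MX records of section 26.1.4 into service: a mail server whose public address has no PTR, or whose PTR names a host that does not resolve back to that address, is routinely rejected or scored as spam by receivers.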
  • Page 715 Further Description Delegation (NS) records indicate which DNS server is authoritative for a domain and therefore holds all of its associated DNS records. Any specific information can then be obtained from that server, such as the address of a website or mail server. Thus, the DNS server must be reliably connected to the Internet and accurate DNS records must be maintained.
  • Page 716 Note: 1. The DNS records must point to fixed (static) WAN IP addresses.
  • Page 717 Under Advance > Inbound Balancing > Settings, configure DNS settings as listed below: (Table 24-6) Domain Name / Type / IP Address / Reverse / Weight / Priority: nu.net.tw 61.11.11.11; nu.net.tw 211.22.22.22 (Table 24-6 Domain Name and IP Address Mapping Table) The secondary DNS server acts as a substitute if the primary DNS server fails, so that the domain name keeps resolving.
  • Page 718 Configure DNS settings as listed below: (Table 24-7) Domain Name Type IP Address Weighting Priority web.nu.net.tw 61.11.11.11 web.nu.net.tw 211.22.22.22 www.nu.net.tw CNAME web.nu.net.tw Table 24-7 CNAME Record of www.nu.net.tw According to table 24-7, use nslookup command to verify the result of forward DNS lookup and reverse DNS lookup: C:\>nslookup Default Server:dns.hinet.net...
  • Page 719 As seen from table 24-7, when browsing www.nu.net.tw, visitors are directed to different servers according to the order in which their queries arrive. The 1st user accesses the server via 61.11.11.11. The 2nd user accesses the server via 211.22.22.22. The 3rd user accesses the server via 211.22.22.22. (A "user" here is one DNS query reaching the CS-2001: clients behind the same caching resolver all receive the address that resolver cached until the record's TTL expires, so the split seen by real visitors is coarser than the per-query cycle.)
  • Page 720: Example

    26.1 Example Application Environment Page 26.1.1 Creating an A Record to Load Balance a Web Server Using the Backup Mode 26.1.2 Creating an A Record to Load Balance a Web Server Using the Round-Robin Mode 26.1.3 Creating a CNAME Record to Load Balance a Web Server Using the Round-Robin Mode 26.1.4 Creating a MX Record to Load Balance a Mail Server Using the Round-Robin Mode...
  • Page 721 26.1.1 Creating an A Record to Load Balance a Web Server Using the Backup Mode Step 1. Go to Advance > Inbound Balancing > Settings and proceed with the following settings:  Click New Entry. (Figure 24-2)  Type the domain name. ...
  • Page 722 Figure 24-3 The First Inbound Balance Configuration...
  • Page 723 Figure 24-4 The Second Inbound Balance Configuration Figure 24-5 The Completed Settings Note: 1. If @ is entered in the Hostname field, then it stands for the defined domain name. In this example, it is supportplanet.com.tw. 2. A trailing "." marks a fully qualified domain name (FQDN); a hostname without it is relative to the domain. For example, if www is entered in the Hostname field, it becomes www.supportplanet.com.tw.
  • Page 724 Step 2. Go to Policy Object > Virtual Server > Port Mapping and then set as below: (Figure 24-6, 24-7) Figure 24-6 Server 1 Settings Figure 24-7 Server 2 Settings...
  • Page 725 Step 3. Go to Policy > Incoming and then set as below:  Click New Entry. (Figure 24-8)  For Destination Address select [Virtual Server IP] Web_Server(61.11.11.11).  For Service select HTTP(80).  Click OK.  Click New Entry. (Figure 24-9) ...
  • Page 726 Figure 24-9 Configuring the First Settings of an Incoming Policy Settings Figure 24-10 The Completed Policy Settings...
  • Page 727 Step 4. Settings complete. If WAN 1 goes down, WAN 2 ensures user’s access to the web server remains uninterrupted. (Figure 24-11) Figure 24-11 Web Server Backup Deployment...
  • Page 728 26.1.2 Creating an A Record to Load Balance a Web Server Using the Round-Robin Mode Step 1. Go to Advance > Inbound Balancing > Settings and proceed with the following settings:  Click New Entry. (Figure 24-12)  In the Domain Name field, enter the domain that you obtained from your ISP.
  • Page 729 Figure 24-13 The First Inbound Balance Settings Figure 24-14 The Second Inbound Balance Configuration Figure 24-15 Setting Completed...
  • Page 730 Step 2. Go to Policy Object > Virtual Server > Port Mapping and then set as below: (Figure 24-16, 24-17) Figure 24-16 Server 1 Settings Figure 24-17 Server 2 Settings...
  • Page 731 Step 3. Go to Policy > Incoming and proceed with the following settings:  Click New Entry. (Figure 24-18)  Select the defined rule ([Virtual IP]Web_Server(61.11.11.11)) for Destination Address.  Select HTTP(80) for Service.  Click OK.  Click New Entry. (Figure 24-19)...
  • Page 732 Figure 24-19 Configuring the Second Policy Settings Figure 24-20 Policy Completed...
  • Page 733 Step 4. Setting completed. (Figure 24-21) Figure 24-21 The Round-Robin Deployment Note: 1. Inbound Balance Settings:(Table 24-9) Name Type Address Weight Priority www.supportplanet.com.tw 61.11.11.11 www.supportplanet.com.tw 211.22.22.22 Table 24-9 Web Server Weight and Priority Settings  The weight and priority values will distribute their access as below: ...
  • Page 734 cycle restarted)  The 5th user accesses the server via 211.22.22.22.  The 6th user accesses the server via 211.22.22.22.
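The weight/priority selection behind the sequences listed here and on page 719, as an added example that is not the device's code. It serves both the round-robin case (this section) and the backup case of section 26.1.1. The manual's tables do not print their weight values, so the weights 1 and 2 below are an assumption chosen to reproduce the listed one-then-two pattern; the link-state flag is likewise an assumption about how the device decides a WAN link is down.

```python
"""Inbound balancing answer selection: weight, priority and backup mode.

Added example, not the device's code.  Entries with the best (lowest)
priority number answer in weighted round-robin order; an entry with a worse
priority answers only when every better one is down (backup mode).  The
weights below are assumptions that reproduce the 1 : 2 pattern the manual
lists; how the device detects a dead link is also an assumption (the `up`
flag stands in for it).
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Entry:
    address: str
    weight: int = 1
    priority: int = 1        # 1 = preferred; larger numbers are used only as backup
    up: bool = True          # assumption: link health as seen by the device


class InboundBalancer:
    def __init__(self, entries: List[Entry]):
        self.entries = entries
        self._cursor: Dict[int, int] = {}       # per-priority position in the cycle

    def _cycle(self, priority: int) -> List[str]:
        """Live entries of one priority level, each repeated by its weight."""
        cycle: List[str] = []
        for e in self.entries:
            if e.priority == priority and e.up:
                cycle.extend([e.address] * e.weight)
        return cycle

    def answer(self) -> str:
        """Address returned for the next DNS query (one answer per query)."""
        for priority in sorted({e.priority for e in self.entries}):
            cycle = self._cycle(priority)
            if not cycle:
                continue                         # whole level down: fall back to the next
            pos = self._cursor.get(priority, 0) % len(cycle)
            self._cursor[priority] = pos + 1
            return cycle[pos]
        raise RuntimeError("no live address for this name")

    def set_link(self, address: str, up: bool) -> None:
        for e in self.entries:
            if e.address == address:
                e.up = up


def answers(balancer: InboundBalancer, n: int) -> List[str]:
    return [balancer.answer() for _ in range(n)]


def round_robin_demo() -> List[str]:
    """Section 26.1.2: equal priority, weights 1 and 2 (assumed)."""
    rr = InboundBalancer([Entry("61.11.11.11", weight=1),
                          Entry("211.22.22.22", weight=2)])
    return answers(rr, 6)


def backup_demo() -> List[str]:
    """Section 26.1.1: 211.22.22.22 is used only once 61.11.11.11 is down."""
    bk = InboundBalancer([Entry("61.11.11.11", priority=1),
                          Entry("211.22.22.22", priority=2)])
    first = answers(bk, 3)
    bk.set_link("61.11.11.11", up=False)         # WAN 1 goes down
    return first + answers(bk, 2)


if __name__ == "__main__":
    print("round-robin:", round_robin_demo())
    print("backup:     ", backup_demo())
```

Note what the backup case does not do: once WAN 1 is down, queries already answered with 61.11.11.11 stay cached in resolvers until the TTL expires, so a short TTL on these records is what makes the failover visible to clients quickly.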
  • Page 735 26.1.3 Creating a CNAME Record to Load Balance a Web Server Using the Round-Robin Mode Step 1. Go to Advance > Inbound Balancing > Settings and then set as below:  Click New Entry. (Figure 24-22)  In the Domain Name field, enter the domain name you applied for from your ISP.
  • Page 736 Figure 24-23 The First Inbound Balance Settings Figure 24-24 The Second Inbound Balance Settings Figure 24-25 CNAME(Alias) Settings...
  • Page 737 Figure 24-26 Completed CNAME(Alias) Settings...
  • Page 738 Step 2. Go to Policy Object > Virtual Server > Port Mapping and then set as below: (Figure 24-27, 24-28) Figure 24-27 Server 1 Settings Figure 24-28 Server 2 Settings...
  • Page 739 Step 3. Go to Policy > Incoming and then set as below:  Click New Entry. (Figure 24-29)  Select the defined rule ([Virtual IP]Web_Server(61.11.11.11)) for Destination Address.  Select HTTP(80) for Service.  Click OK.  Click New Entry. (Figure 24-30)...
  • Page 740 Figure 24-30 Configuring the Second Policy Settings Figure 24-31 Adding the Second Policy...
  • Page 741 Step 4. Setup completed. (Figure 24-32) Figure 24-32 Web Server Deployment Using CNAME Note: 1. The settings for Inbound Balancing:(Table 24-10) Name Type Address Weight Priority web.supportplanet.com.tw 61.11.11.11 web.supportplanet.com.tw 211.22.22.22 www.supportplanet.com.tw CNAME web.supportplanet.com.tw Table 24-10 The Web Servers Weight, Priority and CNAME Settings ...
  • Page 742  The 4th user accesses the server via 61.11.11.11 (Round-Robin priority distribution cycle has restarted)  The 5th user accesses the server via 211.22.22.22.  The 6th user accesses the server via 211.22.22.22.
  • Page 743 26.1.4 Creating a MX Record to Load Balance a Mail Server Using the Round-Robin Mode Step 1. Go to Advance > Inbound Balancing > Settings and then set as below:  Click New Entry. (Figure 24-33)  Enter the Domain Name. ...
  • Page 744 Figure 24-34 The First Inbound Balance Settings Figure 24-35 The Second Inbound Balance Settings Figure 24-36 The MX(Mail eXchanger) Settings...
  • Page 745 Figure 24-37 MX(Mail eXchanger) Settings Completed...
  • Page 746 Step 2. Go to Policy Object > Virtual Server > Port Mapping and then set as below: (Figure 24-38, 24-39, 24-40, 24-41) Figure 24-38 The First Setting of Server Figure 24-39 The Second Setting of Server...
  • Page 747 Figure 24-40 The Third Setting of Server Figure 24-41 The Fourth Setting of Server...
  • Page 748 Step 3. Go to Policy > Incoming and then set as below:  Click New Entry. (Figure 24-42)  Select the defined rule ([Virtual IP]Mail_Server_POP3(61.11.11.11)) for Destination Address.  Select POP3(110) for Service.  Click OK.  Click New Entry. (Figure 24-43)...
  • Page 749 Figure 24-43 The Second Policy Settings Figure 24-44 The Third Policy Settings...
  • Page 750 Figure 24-45 The Fourth Policy Settings Figure 24-46 Policy Completed...
  • Page 751 Step 4. Setup Completed. (Figure 24-47) Figure 24-47 The Mail Server Deployment Note: (Table 24-11) 1. Settings for Inbound Balancing: Name Type Address Weight Priority main.supportplanet.com.tw 61.11.11.11 main.supportplanet.com.tw 211.22.22.22 mail.supportplanet.com.tw. main.supportplanet.com.tw Table 24-11 The MX Server’s Weight and Priority Settings ...
  • Page 752  The 2nd user accesses the server via 211.22.22.22.  The 3rd user accesses the server via 211.22.22.22 (Round-Robin priority distribution cycle finished).  The 4th user accesses the server via 61.11.11.11 (Round-Robin priority distribution cycle has restarted).  The 5th user accesses the server via 211.22.22.22. ...
  • Page 753: Chapter 27 High Availability

    Chapter 27 High Availability When two CS-2001 devices are deployed in the network, the two devices can operate in active / standby mode. The master device (active device) maintains a synchronization with the backup device (standby device). Once the master device fails, the backup device will seamlessly take over the operations.
  • Page 754 Terms in High Availability HA Mode  This mode is used to determine if the device will serve as the master or backup. Data Transmission Port / Management IP Address  Configures the IP address and port for executing the synchronization between the master device and the backup device.
  • Page 755: Example

    27.1 Example 27.1.1 High Availability Deployment Preparation Configure Port1 as LAN1 (192.168.1.1, NAT/ Routing mode) and connect it to the LAN using 192.168.1.x/24. Configure Port2 as WAN1(61.11.11.11) and connect it to the ADSL Termination Unit Remote to access the Internet. IP range:61.11.11.10 to 61.11.11.14. Configure Port3 as WAN2 (211.22.22.22) and connect it to the ADSL Termination Unit Remote to access the Internet.
  • Page 756 Step 1. Assign one CS-2001 device as the master and connect it to the same switch that the LAN is connected to. (Figure 25-1) Figure 25-1 The Deployment of the Master Device under High Availability Mode...
  • Page 757 Step 2. Using the master device, configure the following High Availability settings under Network > Interface. (Figure 25-2) Figure 25-2 The IP Address for the LAN Interface...
  • Page 758 Step 3. Using the master device, configure the following High Availability settings under Advance > High Availability > Settings:  Tick Enable High Availability(HA).  For HA Mode, select Active from the drop-down list.  For HA Port, select Port1 from the drop-down list. ...
  • Page 759 Step 4. To set up the backup device, make sure it is turned off and then configure its interfaces. The backup device's LAN, WAN and DMZ interface addresses must differ from the master device's. After the configuration, turn on the device. (Figure 25-4)...
  • Page 760 1. When deploying a high availability between two devices, the Master device must be turned on to avoid synchronization errors. 2. The built-in disk of the CS-2001 device can be changed. The capacity of the new disk should be larger than or equal to the capacity of the original one to avoid synchronization errors. (To synchronize the data of Backup device and Master device.
  • Page 761 Figure 25-6 Backup Device Taking Over Operations When Master Device Fails 6. Note:  During failover to the backup device, if the WAN port is using a dynamic IP address and the address is in the process of being renewed, the session will disconnect.  IPSec VPN Connections: the IT administrator needs to set the Keepalive IP Address under Policy Object >...
  • Page 762: Chapter 28 Co-Defense System

    Chapter 28 Co-Defense System The CS-2001 can work in cooperation with the network’s switch, to provide instant monitoring of the internal network’s status. When the device detects an anomaly traffic flow, it will block the flow and provide information to help the IT...
  • Page 763 Terms in Core Switch Name  The name used to identify the switch. Switch Model  The switch model can be selected or customized. IP Version  The Internet protocol version the system uses to telnet into the switch: IPv4 or IPv6. (Telnet sends the switch login credentials in cleartext, so keep the path between the CS-2001 and the switch on an isolated management network.)
  • Page 764 Remove Blocking Command  This command instructs the core switch to discontinue blocking an IP/MAC address. Show Blocking Commands  This command is used to view the IP/MAC addresses that the switch is blocking. Note: 1. When the system detects the internal anomaly flow, the switch will use the following variables to block IP/MAC address, unblock already blocked IP/MAC addresses and view IP/MAC addresses.
  • Page 765: Example

    28.1 Example 28.1.1 Quickly Isolating Any Anomaly Flow in the Internal Network by Utilizing the Core and Edge Switch Step 1. Go to Anomaly Flow IP > Settings and set as below: (Figure 26-2) Figure 26-2 Anomaly Flow IP Settings...
  • Page 766 Step 2. Under Advance > Co-Defense System > Core Switch, set as below: (Figure 26-3)  Enter the name to identify the switch.  Select the model of the switch from the Switch Model drop-down list.  Select IPv4 from the IP Version drop-down list. ...
  • Page 767 Figure 26-4 Core Switch Settings Completed...
  • Page 768 Step 3. Under Advance > Co-Defense System > Edge Switch, click New Entry and then set as below: (Figure 26-9)  Type the name in the Name field.  Select IPv4 from the IP Version drop-down list.  Fill in the IP Address field and the Community String field. (The community string is the SNMP v1/v2c password and travels in cleartext; do not keep the default public/private strings, and restrict SNMP access on the switch to the CS-2001's address.) ...
  • Page 769 Step 4. Go to Advance > Co-Defense System > MAC ADDR Table. Using SNMP, the CS-2001 can obtain the MAC addresses of any packets that pass through the edge switch. Note: 1. Under Advance > Co-Defense System > Edge Switch, every port number on the edge...
  • Page 770: Monitoring

    Monitoring...
  • Page 771: Chapter 29 Logs

     Virus Logs show the detected viruses from your HTTP, Webmail and FTP packets processed through the CS-2001.  Application Blocking Logs provide details of all the applications that have been blocked by the CS-2001.
  • Page 772 Terms in Settings Logging Settings  Logs are sent to the designated recipient once the file size reaches 300 KB.  Logs can be backed up to a remote syslog device and sent as SNMP traps.  The log settings for traffic, events, connections, viruses, application blocking, concurrent sessions and quota: ...
  • Page 773 Figure 27-1 Searching for a Specific Log...
  • Page 774 Figure 27-2 Downloading the Search Results...
  • Page 775 Terms in Events Search  Available search criteria are date, admin name, IP address, event type and event log with detailed content.  Under Monitoring > Logs > Events, click Search and then set as below:  Enable the search duration and then specify a period of time to search within.
  • Page 776 Terms in Connection Search  PPPoE : Available search criteria are date and keyword.  Dynamic IP Address: Available search criteria are date and keyword.  DHCP: Available search criteria are date and keyword.  PPTP Server : Available search criteria are date and keyword. ...
  • Page 777 Figure 27-4 Searching for a Specific Log...
  • Page 778 Terms in Virus Search  Available search criteria are date, source IP, destination IP, application, infected file and virus name.  Under Monitoring > Logs > Viruses, click Search and then set as below: Terms in Application Blocking Search  Available search criteria are date, source IP and keyword.
  • Page 779: Traffic

    29.1 Traffic 29.1.1 Viewing the Protocols and Port Numbers Used during an Access to CS-2001 Step 1. Go to Policy> DMZ To WAN and set as below: (Figure 27-5)  Enable the Packet Logging.  Click OK. (Figure 27-6) Figure 27-5 A Policy with Traffic Log...
  • Page 780 Step 2. Under Monitoring > Logs > Traffic, the traffic status of each policy is shown. (Figure 27-7) Figure 27-7 Traffic Log Step 3. Click any Source IP or Destination IP to see which protocols and ports it used and how much traffic it generated. (Figure 27-8)...
  • Page 781 Figure 27-8 Monitoring the Traffic Flow of Each IP Address...
  • Page 782 Step 4. To clear the logs, click the Clear button and then click OK in the confirmation window. (Figure 27-9) Figure 27-9 Deleting all the Traffic Log...
  • Page 783: Event

    29.2 Event 29.2.1 Viewing System History Access and the Status of WAN Step 1. Under Monitoring > Logs > Events, the system access history and the status of the WAN interfaces are shown. (Figure 27-10)  Click the icon for details. (Figure 27-11)...
  • Page 784 Figure 27-11 Specific Details of a History Event...
  • Page 785: Connection

    29.3 Connection 29.3.1 Viewing the Connection Logs of WAN Interface Step 1. Under Monitoring > Logs > Connections, it shows the logs of PPPoE, Dynamic IP Address, DHCP, PPTP Server, PPTP Client, IPSec, Web VPN, SMTP Inbound, SMTP Outbound and POP3. (Figure 27-12)...
  • Page 786 Step 2. To delete the logs, click the Clear button and then click OK in the confirmation window. (Figure 27-13) Figure 27-13 Deleting all the Connection Logs...
  • Page 787: Viruses

    29.4 Viruses 29.4.1 Viewing the Detected Viruses from Internal Users Using HTTP / Web Mail / FTP Protocol to Transfer Files Step 1. Go to Policy > Outgoing and then set as below: (Figure 27-14)  For Anti-Virus, tick HTTP/Webmail and FTP. ...
  • Page 788 Figure 27-14 A Policy with HTTP/ WebMail and FTP...
  • Page 789 Figure 27-15 Policy Completed...
  • Page 790 Step 2. Under Monitoring > Logs > Viruses, it shows the logs of detected virus from the Internal users using HTTP/ WebMail and FTP protocol to transfer files. Step 3. To delete the logs, click the Clear button and then click OK.
  • Page 791: Application Blocking

    29.5 Application Blocking 29.5.1 Viewing the Logs Step 1. Under Policy > Outgoing, set as below: (Figure 27-16)  Select the defined application blocking.  Click OK. (Figure 27-17) Figure 27-16 A Policy with Application Blocking Figure 27-17 Policy Completed...
  • Page 792 Step 2. Under Monitoring > Logs > Application Blocking, it shows the logs of applications that have been blocked. (Figure 27-18) Figure 27-18 Application Blocking Logs Step 3. To delete the logs, click the Clear button and then click OK in the confirmation window.
  • Page 793: Concurrent Sessions

    29.6 Concurrent Sessions 29.6.1 Viewing the Logs of Concurrent Sessions that Have Exceeded the Configured Value Step 1. Go to Policy > Outgoing and then set as below: (Figure 27-20)  Enter a value in the Max. Concurrent Sessions per IP field ...
  • Page 794 Figure 27-20 A Policy with Limitation of Concurrent Sessions...
  • Page 795 Figure 27-21 Policy Completed Step 2. Under Monitoring > Logs > Concurrent Sessions, it shows the logs of the concurrent sessions that have exceeded the configured value. Step 3. To delete the logs, click the Clear button and then click OK in the confirmation window.
  • Page 796: Quota

    29.7 Quota 29.7.1 Viewing the Logs of Quota that Has Been Reached Step 1. Go to Policy > Outgoing and then set as below: (Figure 27-22)  Type a value in the Quota per Source IP field.  Click OK. (Figure 27-23)...
  • Page 797 Figure 27-22 A Policy with Limitation of Quota per Source IP...
  • Page 798 Figure 27-23 Policy Completed Step 2. Under Monitoring > Logs > Quota, it shows the logs of the quota that have reached the configured value. Step 3. To delete the logs, click the Clear button and then click OK in the confirmation window.
  • Page 799: Log Backup

    29.8 Log Backup 29.8.1 Archiving or Retrieving Logs Generated by CS-2001 Step 1. Go to System > Configuration > Settings and then set as below:  Tick Enable email notifications and then configure the related settings. (Figure 27-24)  Tick Enable syslog messages and then configure the related settings.
  • Page 800 Step 3. Go to Monitor > Log > Settings and then set as below: (Figure 27-27) Figure 27-27 Monitoring Settings...
  • Page 801 Note: 1. Once Email Notification is enabled, the logs are sent to the IT administrator when the file size reaches 300 KB. 2. When syslog messages are enabled, the logs are delivered to the designated remote device. (Plain syslog is neither authenticated nor encrypted; send it only across a trusted network.) 3. When SNMP trap alerts are enabled, the logs can be delivered to a PC running SNMP trap software. (Figure 27-29)...
  • Page 802: Chapter 30 Accounting Reports

    Chapter 30 Accounting Reports Accounting reports give the IT administrator insight into the various sessions of users that pass through the device, providing detailed statistical reports and charts.
  • Page 803 Terms in Setting Accounting Report Settings • The configuration to enable or disable the recording of inbound and outbound data access and to configure the storage period of the records. • Under Monitoring > Accounting Reports > Settings, set as below: ...
  • Page 804: Historical Top Chart

    Terms in Today Top-N Time Slider • Drag the two sliders to adjust the statistics’ time interval (represented by the red portion). Source IP • Indicates the traffic of the source IP during a certain period of the day. • Source IP: indicates the source IP of the packets. ...
  • Page 805 Figure 28-2 Searching for the Specific Log...
  • Page 806 Figure 28-3 Downloading the Accounting Reports...
  • Page 807 Figure 28-4 Deleting the Accounting Reports...
  • Page 808: Flow Analysis

    30.1 Flow Analysis Step 1. Under Monitoring > Accounting Reports > Flow Analysis, it shows the traffic of source IP and service through CS-2001. (Figure 28-5) Figure 28-5 Flow Analysis...
  • Page 809: Today's Top Chart

    30.2 Today’s Top Chart Step 1. Under Monitoring > Accounting Reports > Today’s Top Chart, it shows the traffic from the source IP, destination IP and the traffic of service through CS-2001 in the day. (Figure 28-6)...
  • Page 810 Figure 28-6 Today Top-N...
  • Page 811 Step 2. You may drag the two sliders to adjust the statistics’ time interval. The left one is the start time slider, the right one is the end time slider. Once you adjust the time interval, the Source IP accounting report, the Destination IP accounting report and the Service accounting report will be refreshed according to the new time interval.
  • Page 812 Figure 28-7 Today Top-N Report according to the Time Interval...
  • Page 813 Step 3. By clicking any source IP, a pop-up window will show its destination IP and service. (Figure 28-8) Figure 28-8 The Destination IP and Service Step 4. By clicking any Destination IP, a pop-up window will show its source IP and service.
  • Page 814 Figure 28-9 The Source IP and Service...
  • Page 815 Step 5. By clicking any service, it will show its source IP and destination IP. (Figure 28-10) Figure 28-10 The Source IP and Destination IP...
  • Page 816: Historical Top Chart

    30.3 Historical Top Chart Step 1. Under Monitoring > Accounting Reports > Historical Top Chart, you may see the traffic of the source IP, destination IP and service for a certain duration by specifying the date. (Figure 28-11) Figure 28-11 History Top-N...
  • Page 817: Chapter 31 Traffic Grapher

    Chapter 31 Traffic Grapher Statistics delivers comprehensive information regarding network traffic, enabling the IT administrator to gain a thorough understanding of traffic flow across the WAN interfaces and packets managed by policies. • WAN Traffic provides upstream and downstream traffic flow statistics of all packets passing through the WAN interfaces based on their corresponding policies.
  • Page 818 Traffic Grapher Charts • Vertical axis indicates the network traffic. • Horizontal axis indicates time. Type/ Source/ Destination/ Service/ Action • These items indicate which policy is used. Time • The statistics are available in time units of minute, hour, day, week, month and year.
  • Page 819: Wan Traffic

    31.1 WAN Traffic Step 1. In Monitoring > Traffic Grapher > WAN Traffic, it shows the statistics of upstream / downstream packets over the WAN interface. The statistic charts are available in the time unit of minute, hour, day, week, month and year. Click Minutes for statistic charts in the time unit of minute; click Hours for statistic charts in the time unit of hour; click Days for statistic charts in the time unit of day; click Weeks for statistic charts in the time unit of...
  • Page 820 Step 2. Statistic charts (Figure 29-2) • Vertical axis indicates network stream. • Horizontal axis indicates time.
  • Page 822 Figure 29-2 The Network Stream Chart Note: 1. You may configure the time duration to search for the statistics in a certain period of time.
  • Page 823: Policy-Based Traffic

    31.2 Policy-Based Traffic Step 1. When creating a new policy, if Statistics is enabled, the policy statistics charts under Monitoring > Traffic Grapher > Policy-Based Traffic corresponding to that policy will start recording. Under Monitoring > Traffic Grapher > Policy-Based Traffic, the statistics charts corresponding to a policy are available in the time unit of minute, hour, day, week, month, and year.
  • Page 824 Step 2. Statistics charts. (Figure 29-4) • Vertical axis indicates network traffic. • Horizontal axis indicates time.
  • Page 826 Figure 29-4 Viewing the Policy Statistics Chart Note: 1. You may see the statistics for a certain time by using the time search.
  • Page 827: Chapter 32 Diagnostic Tools

    Chapter 32 Diagnostic Tools The device provides ping and traceroute utilities to help diagnose network issues with particular external nodes.
  • Page 828: Ping

    32.1 Ping Step 1. To test whether a host is reachable across an IP network, go to Monitoring > Diagnostic Tools > Ping and then configure as below: (Figure 30-1) • Type the destination IP or domain name in the Destination IP / Domain name field.
  • Page 829 Figure 30-2 Ping Result Note: 1. If VPN is selected from the Interface drop-down list, the user must enter the local LAN IP address in the Interface field. Enter the IP address that is under the same subnet range in the Destination IP / Domain name field.
  • Page 830 Figure 30-3 Ping Results for a VPN Connection...
  • Page 831: Traceroute

    32.2 Traceroute Step 1. Under Monitoring > Diagnostic Tools > Traceroute, the Traceroute command can be used by the CS-2001 to send out packets to a specific address to diagnose the quality of the traversed network. (Figure 30-4) • In Destination IP / Domain name enter the destination address for the packets.
  • Page 832 Figure 30-5 Traceroute Results...
  • Page 833: Packet Capture

    32.3 Packet Capture Capture packets for debugging Step 1. Under Monitoring > Diagnostic Tools > Packet Capture, the packet capture can help to debug by capturing the packet content. (Figure 30-6) ...
  • Page 834: Chapter 33 Wake-On-Lan

    Chapter 33 Wake-On-LAN Any wake-on-LAN supported PC can be remotely turned on by a “wake-up” packet sent from the CS-2001. By utilizing remote control software such as VNC, Terminal Service or PC Anywhere, a remote user may remotely wake up a computer...
  • Page 835: Example

    33.1 Example 33.1.1 Remote Controlling a PC Step 1. Suppose the MAC address of the PC to be remotely controlled is 00:0C:76:B7:96:3B. Step 2. Under Monitoring > Wake-On-LAN > Settings, click New Entry and then set as below: ...
  • Page 836: Chapter 34 Status

    ARP Table: records all the ARP tables of host PCs that have connected to CS-2001. • Sessions Info: records all the sessions sending or receiving packets over CS-2001. • DHCP Clients: records the status of IP addresses distributed by the CS-2001’s built-in DHCP server.
  • Page 837: Interface

    (Figure 32-2) Figure 32-2 Status Interface Note: 1. System Uptime: the operating uptime of the CS-2001. 2. Active Sessions Number: shows the current number of sessions connected to the device. 3. Forwarding Mode: displays the interface connection mode. 4. WAN Connection: shows the WAN interface connection status.
  • Page 838 8. PPPoE / Dynamic IP Uptime: when the interface is connected using PPPoE, it displays the connection uptime. 9. MAC Address: displays the MAC address of the interface. 10. IP Address / Netmask: the interface’s IP address and netmask. 11. Default Gateway: shows the WAN gateway address. 12.
  • Page 839: System Info

    34.2 System Info Step 1. Under Monitoring > Status > System Info, it shows the current system information, such as CPU utilization, hard disk utilization and memory utilization. (Figure 32-3)...
  • Page 840 Figure 32-3 System Information...
  • Page 841: Authentication

    34.3 Authentication Step 1. Under Monitoring > Status > Authentication, it shows the authentication status of the device. (Figure 32-4) Figure 32-4 The Authentication Status Note: IP Address: displays the authenticated user’s IP address. Authentication – User Name: the user’s authenticated login name. Login Time: the user’s login time (year/ month/ day/ hour/ minute/ second)
  • Page 842: Arp Table

    34.4 ARP Table Step 1. Under Monitoring > Status > ARP Table, it shows NetBIOS Name, IP Address, MAC Address and Interface of any computer that has connected to the device. (Figure 32-5) Figure 32-5 ARP Table Note: 1. NetBIOS Name: the computer’s network identification name. 2.
  • Page 843 Figure 32-6 Downloading the Anti-ARP Virus Software Figure 32-7 The Result of Executing the Anti-ARP Virus Software...
  • Page 844 Figure 32-8 The Anti-ARP Virus Software will Automatically Run when the System Starts Up...
  • Page 845: Sessions Info

    34.5 Sessions Info Step 1. Under Monitoring > Status > Sessions Info, it provides a list of all the sessions that have connected to the device. (Figure 32-9) Figure 32-9 System Sessions...
  • Page 846 Step 2. By clicking on any source IP, it shows the port number and the traffic. (Figure 32-10) Figure 32-10 The System Info...
  • Page 847: Dhcp Clients

    34.6 DHCP Clients Step 1. Under Monitoring > Status > DHCP Clients, it shows the status of the IP addresses distributed by the device’s DHCP server. (Figure 32-11) Figure 32-11 The DHCP Clients Note: 1. NetBIOS Name: the computer’s network identification name. 2.
  • Page 848: Host Info

    34.7 Host Info Step 1. Under Monitoring > Status > Host Info, the IT administrator may view the NetBIOS list and the DNS list. (Figure 34-12, 34-13) Figure 34-12 The List of NetBIOS Figure 34-13 The List of DNS...