Planet MH-2300 User Manual

Gigabit multi-homing vpn security gateway

Summary of Contents for Planet MH-2300

  • Page 1 Gigabit Multi-Homing VPN Security Gateway MH-2300...
  • Page 2 Further, PLANET reserves the right to revise this publication and to make changes from time to time in the contents hereof without obligation to notify any person of such revision or changes.
  • Page 3 Do not dispose of WEEE as unsorted municipal waste and have to collect such WEEE separately. Revision User’s Manual of PLANET Gigabit Multi-Homing VPN Security Gateway Model: MH-2300 Rev: 1.0 (December, 2014) Part No. EM-MH-2300_v1.0...
  • Page 4: Table Of Contents

    Table of Contents
    Chapter 1. Installation (p. 7)
    1.1 Hardware Installation (p. 7)
    1.2 Basic System Configuration (p. 7)
    Chapter 2. System (p. 14)
    2.1 Administration (p. 14)
    2.1.1 Admin (p. 15)
    2.1.2 Permitted IPs (p. 17)
    2.1.3 Logout (p. 17)
    2.1.4 Software Update (p. 18)
    2.2 Configuration (p. 18)
    ...
  • Page 5
    4.6 Application Blocking (p. 147)
    4.6.1 Examples of Blocking (p. 149)
    4.7 Virtual Server (p. 152)
    4.7.1 Examples of Virtual Server (p. 153)
    4.8 VPN (p. 169)
    4.8.1 Examples of VPN (p. 178)
    Chapter 5. Web Filter (p. 305)
    5.1 Configuration (p. 305)
    5.1.1 Examples of Web Filter (p. 309)
    5.2 Reports (p. 319)
    ...
  • Page 6
    8.5.2 System Info (p. 381)
    8.5.3 Authentication (p. 381)
    8.5.4 ARP Table (p. 382)
    8.5.5 Sessions Info (p. 383)
    8.5.6 DHCP Clients (p. 383)
    ...
  • Page 7: Chapter 1. Installation

    Otherwise, damage to reset function may happen. 1.2 Basic System Configuration Step 1. Connect the IT administrator’s network adaptor and MH-2300’s LAN port to the same hub / switch, and then launch a browser (IE or Firefox) to link the management interface at http://192.168.1.1.
  • Page 8 Menu Panel: Presents all the available system configurations in a tree directory structure. (See Overview of Functions for further details) Configuration Panel: Displays the data or configurable settings of the corresponding item selected on the Menu Panel. The MH-2300’s Management Interface...
  • Page 9 192.168.0.0 ~ 192.168.255.255 Step 4. At the first login, you will be guided through the basic settings that are required to install MH-2300 by the wizard. The Install Wizard Step 5. Select the language and character encoding for your management interface.
  • Page 10: Port Configuration

    The default encoding will be applied to the data of unspecified encoding. Port Configuration Step 1. Configure the LAN settings: (according to your network infrastructure). Physical Connection: Select “Port1 (LAN1)”. Interface Type: Select “LAN”.
  • Page 11 Complete the remaining fields according to your network. Configuring the WAN Interface Settings...
  • Page 12 Step 3. Tick the box of “Synchronize to an NTP server” to ensure the accuracy of system clock. Configuring the System Clock Settings Step 4. Tick the box of “Outgoing” to create a policy for outgoing traffic.
  • Page 13 The Policy Allowing LAN Users to Access External Network Resources 2. To allow Internet access to LAN users, assign their PCs with static IP addresses within the same subnet as MH-2300 as well as designate MH-2300 as the default gateway. Otherwise, enable DHCP service to automatically distribute IP addresses to them.
  • Page 14: Chapter 2. System

    Chapter 2. System 2.1 Administration This chapter will cover the configuration of Admin, Permitted IPs, Software Update and Logout. The default administrator serves as a system administrator, who is allowed to modify configuration, monitor operational status, and access system reports, whereas sub-administrators are subject to the access privileges permitted.
  • Page 15: Admin

    2.1.1 Admin 2.1.1.1 Adding a Sub-Administrator Step 1. Under System > Administration > Admin, set as shown below: Click the New Sub-Admin button to create a new sub-administrator. Specify the login credentials, respectively. Repeat the Password in the Confirm Password field.
  • Page 16 2.1.1.2 Modifying the Password Step 1. Under System > Administration > Admin, set as shown below: Click Modify corresponding to the administrative account to be modified. Enter the current and the new passwords, respectively.
  • Page 17: Permitted Ips

    2.1.2 Permitted IPs 2.1.2.1 Adding a Permitted IP Step 1. Under System > Administration > Permitted IPs, click New Entry and then set as shown below: Specify a name for the permitted IP. Select “IPv4” for IP Version.
  • Page 18: Software Update

    Confirming to Log Out Step 3. A message is shown after confirming the logout. The Logout Message 2.1.4 Software Update Step 1. To run a software update, go to System > Administration > Software Update and follow the steps below: Click Browse to locate the software.
  • Page 19 Configuration File Backup and Restore Utility Allowed for performing backups of system configuration and restore from a specific date (depending on the availability of backup). This feature efficaciously helps avert the corruption or damage of system configuration file.
  • Page 20 Device Reboot The MH-2300 unit can be manually rebooted or scheduled to reboot at a specified time. Terms in Date / Time Synchronization Settings The system clock can be synchronized to an NTP server or a local computer.
  • Page 21: Settings

    Domain Name The domain name registered at a dynamic DNS provider. Real IP Address The real IP address that the domain name corresponds to. Terms in Host Table Hostname A user-definable name for a host that is accessible to internal users.
  • Page 22 2.2.1.2 Importing System Settings Step 1. Under System > Configuration > Settings, set as shown below: Click under the System Settings section. In the Choose file dialogue box, select the configuration file and then click Open.
  • Page 23 2.2.1.3 Resetting the System to Factory Settings Step 1. Under System > Configuration > Settings, set as shown below: Tick Reset to factory default settings under the System Settings section. Click OK at the lower right corner to proceed.
  • Page 24 Click OK at the lower right corner to complete configuration. Enabling the Email Notifications 1. Click the Send Test Mail button to test the validity of email address 1 and 2. 2. To enable SMTP authentication, tick the box of Enable SMTP authentication...
  • Page 25: Date / Time

    2.2.1.5 Rebooting the MH-2300 Step 1. To reboot the MH-2300, go to System > Configuration > Settings and set as shown below: Under the Device Reboot section, click at the middle bottom of the screen.
  • Page 26: Multiple Subnets

    2.2.3 Multiple Subnets 2.2.3.1 Allows Internal Users to Access the Internet via NAT or Routing Prerequisite Configuration (Note: The IP addresses are used as examples only.) Configure Port 1 as LAN 1 (192.168.1.1 in NAT Routing mode) to connect it to the LAN subnet 192.168.1.x/24.
  • Page 27 For adding a subnet in a different network, please create corresponding policies for network interconnection, such as LAN-to-LAN or DMZ-to-DMZ. To do so, select “Inside Any” (or DMZ any) for both Source Address and Destination Address, and then select “Any”...
  • Page 28 Step 3. Under Policy Object > Address > LAN, set as shown below: The Address Settings for LAN Subnets...
  • Page 29 Step 4. Go to Policy > Outgoing and configure the following settings: Click New Entry. Source Address: Specify a name for the outgoing policy, e.g., “LAN 1_Subnet1”. Action: Tick the box of “Permit all outgoing connections”.
  • Page 30 Creating a Policy to Apply the Second LAN Address Settings...
  • Page 31: Routing Table

    WAN 1 interface via routing or through WAN 2 interface via NAT. 2.2.4 Routing Table 2.2.4.1 Enabling Two Networks Connected by a Router to Access the Internet via MH-2300 Prerequisite Configuration (Note: The IP addresses are used as examples only) Company A: Port 1 is defined as LAN 1 (192.168.1.1 in NAT Routing mode) and...
  • Page 32 Router 2 (10.10.10.2). Step 1. Go to System > Configuration > Routing Table and then set as shown below: Click New Entry. IP Version : Select “IPv4”. IP Address: Type “192.168.10.0”. Netmask: “255.255.255.0”. Gateway : “192.168.1.252”.
  • Page 33 Adding the Third Static Routing Address Static Routing Addresses Successfully Added For adding a subnet in a different network, please create corresponding policies for network interconnection, such as LAN-to-LAN or DMZ-to-DMZ. To do so, select “Inside Any”...
  • Page 34: Dhcp

    Step 2. The LAN subnets of 192.168.10.x/24, 192.168.20.x/24 and 192.168.1.x/24 are interconnected and are connected to the Internet through MH-2300 via NAT. The Deployment of Multiple LAN Subnets to Access the Internet via Routing 2.2.5 DHCP 2.2.5.1 Automatically Allocating IP Addresses to LAN PCs Step 1.
  • Page 35 Configuring the DHCP Server to Automatically Distribute IP Addresses When the box of “Obtain DNS server address automatically” is ticked, the primary DNS server on LAN PCs will be defaulted to MH-2300’s LAN interface address. This feature is recommended for the Internet access through a local authentication.
  • Page 36: Dynamic Dns

    From the drop-down list, select the Interface and IP Version based on the LAN user, respectively. Specify the IP address and MAC address in the corresponding fields. Click OK to complete the settings. Configuring the DHCP Server to Distribute an IP Address For the convenience of configuration, the MAC address is also obtainable by clicking the Clone MAC Address button.
  • Page 37: Host Table

    Dynamic DNS Settings Successfully Added 1. The description of the symbols used in Dynamic DNS are as follows: Symbol Description Connection Connection Connected Successful Failed If you do not have a Dynamic DNS account, you may select a service provider from the drop-down list and then click Sign up next to it to register an account.
  • Page 38: Language

    2.2.8 Language 2.2.8.1 Switching the System Language Step 1. Under System > Configuration > Language, you may switch the language of the user interface. The Language Settings...
  • Page 39: Chapter 3. Interface

    By default, it is 1500 bytes. Incoming Packet Header Logging When enabled, packets destined to or originated from MH-2300 are logged in details, which are available under Monitoring > Logs > Traffic. Terms in Interface...
  • Page 40 Interface Type The network interface is categorized into four types: Local Area Network (LAN) Wide Area Network (WAN) Demilitarized Zone (DMZ) LAN Connection Type (only configurable for WANs) It has three connection types, namely: NAT Routing: Allows private IP addresses (available and valid ones) to be translated into public addresses based on network policy.
  • Page 41 representation of a public IPv4 address), is used by IPv6/IPv4 nodes that are communicating with IPv6 over an IPv4 infrastructure. When the IPv4-compatible address is used as an IPv6 destination, the IPv6 traffic is automatically encapsulated with an IPv4 header and sent to the destination using the IPv4 infrastructure.
  • Page 42 to all the interfaces identified by the address. The multicast address types supersede the IPv4 broadcast addresses. They are prefixed with FF (that is, the first bits are 11111111) such as FF02::1 for all nodes address, FF02::2 for all routers address, etc.
  • Page 43 HTTPS When ticked, the management interface is available for access via HTTPS protocol. Telnet When ticked, the management interface is available for access via Telnet protocol. SSH When ticked, the management interface is available for access via SSH protocol.
  • Page 44: Examples Of Interface

    Priority The priority of a WAN interface in the connectivity. Terms in Interface Group Interface Group Allows for physically isolating network interfaces by NIC teaming. The feature is intended for a scenario that runs in Transparent Bridging mode and accesses the Internet via a static IP.
  • Page 45: Configuring The Wan Interface

    The LAN subnet is defaulted and subject to “192.168.1.x/24”. Therefore, the access to the management interface requires an IP address from the same subnet. The management interface may not be accessible once the boxes of HTTP and HTTPS are unticked prior to the configuration of permitted IP under System >...
  • Page 46 Click the Clone MAC Address button to obtain the MAC Address. Enter the Username provided by the ISP. Enter the Domain Name provided by the ISP. Enter the Max. Downstream Bandwidth and the Max.
  • Page 47 Static IP Connection Settings Successfully Completed Configuring the Dynamic IP Connection Settings Dynamic IP Connection Settings Successfully Completed...
  • Page 48 Configuring the PPPoE Connection Settings PPPoE Connection Settings Successfully Completed The DNS server is configurable under Network > Settings. The management interface is accessible externally (by diagnostic commands or web browsers) only if the Ping / Tracert, HTTP, HTTPS, Telnet and SSH settings from a WAN interface are enabled.
  • Page 49 IP address under System > Administration > Permitted IPs. 3.1.1.3 Using MH-2300 as a Gateway to Manage the Internet Access to Two LAN Subnets via NAT Routing Mode Prerequisite Configuration (Note: The IP addresses are used as examples only) Configure Port1 as WAN1 (61.11.11.11) and connect it to the ADSL modem...
  • Page 50 Step 1. Go to Network > Interface and then set as shown below: Click Modify corresponding to Port 2. Select “LAN” for Interface Type. Select “NAT Routing” for Connection Type. Specify the IPv4 Address and Netmask.
  • Page 51 Step 2. Go to Network > Interface and then set as shown below: Click Modify corresponding to Port3. Select “LAN” for Interface Type. Select “NAT Routing” for Connection Type. Enter the IPv4 Address and the Netmask.
  • Page 52 (61.11.11.11) via NAT Routing and interconnected through network policies. The Deployment of Two NAT-routed LAN Subnets 3.1.1.4 Deploying MH-2300 between a Gateway and Two LAN Subnets (Separately Running in Transparent Routing and NAT Routing Modes) to Manage the Internet Access of Internal Users...
  • Page 53 (192.168.1.1). Specify a static route from 192.168.2.x/24 to 192.168.1.2 (WAN 1). Configure Port2 as LAN1 (Transparent Routing mode) and connect it to the LAN subnet 192.168.1.x/24 (with the gateway set to 192.168.1.1) for providing LAN users with Internet access.
  • Page 54 Step 2. Go to Network > Interface and then set as shown below: Click Modify corresponding to Port3. Select “LAN” for Interface Type. Select “NAT Routing” for Connection Type. Enter the IPv4 Address and the Netmask.
  • Page 55 Step 3. The LAN subnets of 192.168.1.x/24 and 192.168.2.x/24 are now interconnected and are connected to the Internet through MH-2300. The Deployment of LAN Subnets Routed through Transparent and NAT Mode 3.1.1.5 Deploying MH-2300 between a Gateway and Two...
  • Page 56 Configure Port1 as LAN1 (192.168.1.1 in NAT Routing mode) to connect it to the LAN subnet 192.168.1.x/24, which is translated to 172.16.1.12 (WAN 1) for providing LAN users with Internet access. Configure Port2 as WAN1 (172.16.1.12) to connect it to the gateway (172.16.1.1).
  • Page 57 Step 2. Under Network > Interface, set as shown below: Click Modify corresponding to Port 3. Select “DMZ” for Interface Type. Select “Transparent Bridging” for Connection Type. Tick the boxes of “Ping/ Tracert”, “HTTP” and “HTTPS”.
  • Page 58 Step 4. The DMZ subnet 172.16.x.x/16 is now connected to the Internet through MH-2300 via Transparent Bridging mode; also, the NAT-routed LAN subnet 172.16.1.12 is connected to the Internet using the public IP address.
  • Page 59 balancing Specify LAN subnet as 192.168.1.x/24: The PCs in the LAN subnet with the gateway set to 192.168.1.1 are connected to the Internet using the public IP addresses of WAN 1 (172.16.1.12 is NAT-routed) and WAN 2 (211.22.22.22) via load balancing.
  • Page 60 4. If a router is feasible, you may connect two LAN subnets to it to provide the Internet access using a public IP address via routing. The 3rd Deployment of a DMZ Subnet Routed through Transparent Bridging Mode...
  • Page 61 The 4th Deployment of a DMZ Subnet Routed through Transparent Bridging Mode 3.1.1.6 Deploying MH-2300 between a Gateway and Two Subnets (of which LAN and DMZ Run in Transparent Bridge Mode) to Manage the Internet Access of Internal...
  • Page 62 set to 192.168.1.1). Next, connect WAN port (61.11.11.11) to the ADSL modem (ATUR) to access the Internet and then run DMZ in Transparent mode. Configure Port1 as WAN1 (192.168.1.2) and connect it to the gateway 192.168.1.1.
  • Page 63 Step 1. Go to Network > Interface and then set as shown below: Click Modify corresponding to Port 1. Select “WAN” for Interface Type. Select your Connection Type. Configure the connection settings. Tick the boxes of “Ping/ Tracert”, “HTTP” and “HTTPS”.
  • Page 64 Step 2. Under Network > Interface, set as shown below: Click Modify corresponding to Port 2. Select “LAN” for Interface Type. Select “Transparent Bridging” for Connection Type. Tick the boxes of “Ping/ Tracert”, “HTTP” and “HTTPS”.
  • Page 65 Step 3. Under Network > Interface, set as shown below: Click Modify corresponding to Port 3. Select “WAN” for Interface Type. Select your Connection Type. Configure the connection settings. Tick the boxes of “Ping/ Tracert”, “HTTP” and “HTTPS”.
  • Page 66 Click OK. Configuring the Interface Group Settings After the completion of the above steps, the MH-2300 operates as two independent switches due to non-interconnected NIC groups, of which Group 1 (Port 1 and 2) provides Internet access to the LAN and Group 2 (Port 3 and 4)
  • Page 67 Step 6. The LAN subnet 192.168.1.x/24 is now connected to the Internet through MH-2300; also, the server in the DMZ subnet is accessible by the public IP address 61.11.11.12 in Transparent Bridging mode. The Application of NIC Teaming 3.1.1.7 Using MH-2300 as a Gateway to Manage the Internet...
  • Page 68 Configure Port 2 as LAN1 (192.168.1.1 in NAT Routing mode) to connect it to the LAN subnet 192.168.1.x/24 (assumed it is connected to your sales department) to provide the Internet access using the public IP address 61.11.11.11.
  • Page 69 Step 1. Go to Network > Interface and then set as shown below: Click Modify corresponding to Port 1. Select “WAN” for Interface Type. Select your Connection Type. Configure the connection settings. Tick the boxes of “Ping/ Tracert”, “HTTP” and “HTTPS”.
  • Page 70 Step 2. Go to Network > Interface and then set as shown below: Click Modify corresponding to Port 2. Select “LAN” for Interface Type. Select “NAT Routing” for Connection Type. Specify the IPv4 Address and the Netmask.
  • Page 71 Step 4. Go to Network > Interface Group and then set as shown below: Select “Group 1” for Port1 (WAN1), Port2 (LAN1) and Port3 (LAN2). Click OK. Configuring the Interface Group Settings The LAN users from within the same subnet may be categorized by their department using the NIC ports.
  • Page 72 Step 5. The sales department from within LAN 1 and the customer support department from within LAN 2 are now interconnected through network policies and are connected to the Internet using the public IP address 61.11.11.11.
  • Page 73: Chapter 4. Policy Object

    Chapter 4. Policy Object 4.1 Address This chapter will cover the configuration of Address, which allows for adding LAN, WAN and DMZ addresses and grouping addresses by purpose. Each IP address can be assigned a friendly name and could represent a single host or a network subnet.
  • Page 74 Prefix Length Enter 128 to match a single IPv6 address. Enter 64 to match an IPv6 subnet, such as 21DA:D3:0:2F3B. MAC Address Bind the IP address to its MAC address to help manage the network access.
  • Page 75: Examples Of Policy Creating

    4.1.1 Examples of Policy Creating 4.1.1.1 Creating a Policy to Allow Specific LAN Users the Access to FTP Service Step 1. Under Policy Object > Address > LAN, set as shown below: Click New Entry.
  • Page 76 address entry) for covering the entire subnet, whether it is LAN, WAN, or DMZ. The configuration of each type of network address is the same; yet, the configuration of MAC address and Interface is not available to WAN address settings.
  • Page 77 4.1.1.2 Creating a Policy to Allow a Users Group the HTTP Access Step 1. Create the LAN addresses to be managed under Policy Object > Address > LAN. Creating LAN Addresses Step 2. Under Policy Object > Address > LAN Group, set as shown below: Click New Entry.
  • Page 78 Address Group Successfully Added The configuration of each type of network address group is the same. Step 3. Go to Policy Object > Address > WAN and then configure as shown below: Click New Entry.
  • Page 79 the expression “^mail.google” matches the domain beginning with “mail.google”. Matching a domain postfix: Type the character “$” in the FQDN field to match the ending position within the domain. For example, the expression “google.com$”...
  • Page 80: Service

    Network services are provided through TCP and UDP protocols using different port numbers, such as Telnet port 23, FTP port 21, SMTP port 25, POP3 port 110, etc. MH-2300 provides TCP and UDP services by the two following categories: Pre-defined: The default TCP and UDP services, which are not removable.
  • Page 81: Example Of Custom Service

    Protocol Type The protocol used for device communication. TCP and UDP are the most commonly used protocols among others. Client Port The client-end port for protocol communication. It is recommended to use the default value.
  • Page 82 Step 2. Under Policy Object > Service > Custom, configure as follows: Name: Specify a name for the service. In row No. 1, select TCP, leave the Client Port unchanged, and enter 1720 – 1720 for Server Port.
  • Page 83 Step 3. Create a custom service under Policy Object > Service > Custom and then create a corresponding policy under Policy Object > Virtual Server > Port Mapping. Service Successfully Applied to the Virtual Server Settings for Providing VoIP Service Step 4.
  • Page 84 Step 5. Go to Policy > Outgoing and then configure as follows: Source Address: Select the LAN group. Service: Select the custom service. Action: Select “Port2 (WAN1)”. Click OK. Creating a Policy for Allowing Outgoing VoIP Traffic...
  • Page 85: Example Of Service Group

    4.2.2 Example of Service Group 4.2.2.1 Grouping the Services and Creating a Policy to Permit Users to Access Network Services (HTTP, POP3, SMTP and DNS) Step 1. Go to Policy Object > Service > Group, and then set as shown below: Group Name: Specify a name for the service group.
  • Page 86: Schedule

    Step 3. Under Policy > Outgoing, set as shown below: Source Address: Select the LAN address group from the previous step. Service: Select the service group. Click OK. Creating a Policy to Apply the Service Group Settings Policy Successfully Created 4.3 Schedule...
  • Page 87: Examples Of Schedule

    Type Two scheduling methods are available as follows: Recurring: Policies are executed on the times specified on a weekly basis. One-Time: Provides a start and stop time for a single specific duration based upon the year, month, day, hour and minute.
  • Page 88 Step 2. Under Policy > Outgoing, set as shown below: Select the pre-defined schedule for Schedule. Click OK. Applying the Schedule to the Policy The Completed Policy Settings...
  • Page 89: Qos

    4.4 QoS This chapter will cover the configuration of QoS, which allows for applying QoS setting to a network policy to efficaciously allocate and manage the network bandwidth. Before Applying QoS to the Network...
  • Page 90: Example Of Bandwidth Limitation

    Upstream Bandwidth Determine the guaranteed bandwidth and maximum bandwidth of the total upstream bandwidth. Priority Prioritize the QoS settings to allocate the bandwidth. G.Bandwidth Allocate the minimum (guaranteed) amount of bandwidth. M.Bandwidth Allocate the maximum amount of bandwidth.
  • Page 91 QoS Rule Successfully Added...
  • Page 92 Step 2. Under Policy > Outgoing, set as shown below: QoS: Select the QoS setting. Click OK.
  • Page 93: Authentication

    Creating a Policy to Apply the QoS Settings Policy Successfully Created Please refer to the Max. Upstream Bandwidth and Max. Downstream Bandwidth in a WAN interface to create the corresponding QoS settings. 4.5 Authentication...
  • Page 94 Once expired, users will be logged off. Disable URL redirection for authentication: To gain an access to the external network, the internal users should type http://MH-2300 IP address:authentication port number in the browser and then get authenticated on their own.
  • Page 95 The Authentication Settings The authentication screen shown to a user who attempts to access the Internet. The Authentication Prompt Screen 1. The Allow password modification is only applicable to local authentication accounts under Policy Object > Authentication > Account.
  • Page 96 http://210.59.123.456/authentication.html. Compose the messages (HTML supported) separately for authentication users, successful authentications and failed authentications. (Note: Please copy the system default messages to a text file for backup before editing.) Users will be redirected to the pre-authentication website or webpage...
  • Page 97 Composing the Authentication Messages The Successful Authentication Message Supplying an Invalid Set of Credentials Terms in Account Account Name Specify a name for the local authentication.
  • Page 98 Password Specify a password for the local authentication. Confirm Password Repeat the password in this field. Force password change at initial login Once enabled, users will be forced to change their password at the first login.
  • Page 99: Local / Group Authentication

    4.5.1 Local / Group Authentication 4.5.1.1 Managing Internet Access with A Local Authentication Group Step 1. Under Policy Object > Authentication > Account, add the users to be authenticated. The User Accounts for Authentication The local authentication users are available for export and import.
  • Page 100 Step 2. Under Policy Object > Authentication > Group, set as shown below: Click New Entry. Group Name: Specify a name for the authentication group. Select group members from the Available Accounts column on the left, and then click Add.
  • Page 101 Step 3. Go to Policy > Outgoing and then configure as follows: Authentication: Select the authentication group. Click OK to complete the settings. Creating a Policy to Apply the Authentication Group Settings Policy Successfully Created...
  • Page 102: Radius Authentication

    Step 4. The group members will be prompted for their authentication credentials to access the Internet. Click Login to complete the authentication procedure. The Authentication Prompt Screen Step 5. To log out of authentication session, click Logout Authentication-User in the pop-up window (appeared when being authenticated;...
  • Page 103 Step 1. Go to Start > Programs > Administrative Tools > Server Manager. Next, in the Server Manager tree panel, expand Roles to check the availability of Network Policy Server (appeared as an installed role...
  • Page 104 Checking the Availability of Network Policy Server Step 2. Go to Start > Programs > Administrative Tools > Network Policy Server and then set as shown below: In the NPS (Local) tree panel, expand RADIUS Clients and Servers, right-click RADIUS Client, and then select New RADIUS Client.
  • Page 105 Click Tick the box of “Microsoft Encrypted Authentication version 2 (MS-CHAP-v2)”, “Microsoft Encrypted Authentication (MS-CHAP)”, “Encrypted authentication (CHAP)”, and “Unencrypted authentication (PAP, SPAP)”. Click Next. Click Next. Click Edit to change the attribute values of Framed-Protocol and Service-Type.
  • Page 106 Selecting the Network Policy Server on the Start Menu...
  • Page 107 Selecting the New RADIUS Client from the Shortcut Menu...
  • Page 108 Adding a RADIUS Client...
  • Page 109 RADIUS Client Successfully Added Adding a Network Policy...
  • Page 110 Specifying the Policy Name and Connection Type...
  • Page 111 Adding a Condition Scrolling Down to Select Service Type...
  • Page 112 Selecting the Service Types Policy Conditions Successfully Specified...
  • Page 113 Granting the Access Permission...
  • Page 114 Selecting Authentication Methods...
  • Page 115 Configuring Constraints If Needed Changing the RADIUS Attribute Values...
  • Page 116 RADIUS Attribute Values Successfully Changed...
  • Page 117 Confirming the Policy Settings...
  • Page 118 Network Policy Successfully Added Step 3. Go to Start > Programs > Administrative Tools > Computer Management and then set as shown below: In the Computer Management (Local) tree panel, expand System Tools, expand Local Users and Groups, right-click...
  • Page 119 Gigabit Multi-Homing VPN Security Gateway MH-2300 In the New User dialog box, set as shown below: Specify a user name and a password. Tick the box of “Password never expires”. Click Create and then click Close to complete the settings.
  • Page 120 Gigabit Multi-Homing VPN Security Gateway MH-2300 Selecting the New User from the Shortcut Menu Adding a User...
  • Page 121 Gigabit Multi-Homing VPN Security Gateway MH-2300 User Successfully Added Step 4. Under Policy Object > Authentication > RADIUS, configure the RADIUS Server Settings according to your Windows 2008 RADIUS server: Configuring the RADIUS Server Settings You may click Test Connection to test the connection to your RADIUS server.
  • Page 122 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 5. Under Policy Object > Authentication > Group, select as shown below: The Group Setting for User Authentication Step 6. Under Policy > Outgoing, set as shown below: Select the authentication group for Authentication.
  • Page 123: Pop3 Authentication

    Gigabit Multi-Homing VPN Security Gateway MH-2300 Policy Successfully Created Step 7. The group members will be prompted for their authentication credentials to access the Internet. Click Login to complete the authentication procedure. The Authentication Prompt Screen 4.5.3 POP3 Authentication 4.5.3.1 Managing Internet Access with a POP3 Server Step 1.
  • Page 124 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 2. Go to Policy Object > Authentication > Group and then set as shown below: The Group Setting for User Authentication Step 3. Under Policy > Outgoing, set as shown below: Authentication: Select the authentication group.
  • Page 125: Ldap Authentication

    Gigabit Multi-Homing VPN Security Gateway MH-2300 Policy Successfully Created Step 4. The group members will be prompted for their authentication credentials to access the Internet. Click Login to complete the authentication procedure. The Authentication Prompt Screen 4.5.4 LDAP Authentication 4.5.4.1 Managing Internet Access with a Windows 2008 LDAP Server ※...
  • Page 126 Gigabit Multi-Homing VPN Security Gateway MH-2300 Click Next Click Next Specify a password and repeat it to confirm. Click Next. Click Next. Click Finish to complete the settings. Selecting the Server Manager on the Start Menu...
  • Page 127 Gigabit Multi-Homing VPN Security Gateway MH-2300 Adding a Role Service...
  • Page 128 Gigabit Multi-Homing VPN Security Gateway MH-2300 Selecting the Active Directory Domain Services...
  • Page 129 Gigabit Multi-Homing VPN Security Gateway MH-2300 The Introduction to Active Directory Domain Services...
  • Page 130 Gigabit Multi-Homing VPN Security Gateway MH-2300 Confirming the Installation of Active Directory Domain Services...
  • Page 131 Gigabit Multi-Homing VPN Security Gateway MH-2300 Launching the Active Directory Domain Services Installation Wizard...
  • Page 132 Gigabit Multi-Homing VPN Security Gateway MH-2300 Active Directory Domain Services Installation Wizard...
  • Page 133 Gigabit Multi-Homing VPN Security Gateway MH-2300 Operating System Compatibility...
  • Page 134 Gigabit Multi-Homing VPN Security Gateway MH-2300 Choosing a Deployment Configuration...
  • Page 135 Gigabit Multi-Homing VPN Security Gateway MH-2300 Naming the Forest Root Domain...
  • Page 136 Gigabit Multi-Homing VPN Security Gateway MH-2300 Selecting the Forest Functional Level...
  • Page 137 Gigabit Multi-Homing VPN Security Gateway MH-2300 Selecting the DNS Server...
  • Page 138 Gigabit Multi-Homing VPN Security Gateway MH-2300 Choosing the Location for Database, Log Files and SYSVOL...
  • Page 139 Gigabit Multi-Homing VPN Security Gateway MH-2300 Specifying a Password for the Directory Services Restore Mode...
  • Page 140 Gigabit Multi-Homing VPN Security Gateway MH-2300 A Summary for Reviewing Your Selections...
  • Page 141 Gigabit Multi-Homing VPN Security Gateway MH-2300 Completing the Active Directory Domain Services Installation...
  • Page 142 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 2. Go to Start > Programs > Administrative Tools > Active Directory Users and Computers and then set as shown below: In the Active Directory Users and Computers tree panel, expand my.com (or the name of your forest root domain), right-click Users, select New, and then select User.
  • Page 143 Gigabit Multi-Homing VPN Security Gateway MH-2300 Adding a New User Typing in the User Information...
  • Page 144 Step 3. Go to Policy Object > Authentication > LDAP and then set as shown below: Configuring LDAP Server Settings You may click Test Connection to test the connection to your LDAP server. Once the LDAP server is successfully connected to MH-2300, users will be listed on the LDAP User Name table.
  • Page 145 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 4. Go to Policy Object > Authentication > Group and then set as shown below: The Group Setting for User Authentication...
  • Page 146 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 5. Go to Policy > Outgoing and then set as shown below: Select the authentication group for Authentication. Click OK to complete the settings. Creating a Policy to Apply the Authentication Group Settings Policy Successfully Created Step 6.
  • Page 147: Application Blocking

    Gigabit Multi-Homing VPN Security Gateway MH-2300 4.6 Application Blocking This chapter will cover the configuration of Application Blocking, which allows for blocking the use of instant messaging, peer-to-peer file sharing, multimedia streaming, web-based email messaging, online gaming, VPN tunneling and remote controlling applications, as well as customizing their signatures.
  • Page 148 Gigabit Multi-Homing VPN Security Gateway MH-2300 VPN Tunneling Tick the boxes of VPN tunneling applications to be blocked. The options currently available are VNN Client, UltraSurf, Tor, Hamachi, Hotspot Shield, and FreeGate. Remote Controlling Tick the boxes of remote controlling applications to be blocked. The options currently available are TeamViewer, VNC, Remote Desktop Connection, and ShowMyPC.
  • Page 149: Examples Of Blocking

    Gigabit Multi-Homing VPN Security Gateway MH-2300 4.6.1 Examples of Blocking 4.6.1.1 Blocking the Use of IM Applications (including Messaging and File Transfer) Step 1. Go to Policy Object > Application Blocking > Settings and then set as shown below: Specify a name in the Rule Name field.
  • Page 150 Gigabit Multi-Homing VPN Security Gateway MH-2300 IM Blocking Rule Successfully Added Step 1. Under Policy > Outgoing, set as shown below: Application Blocking: Select the IM blocking rule. Click OK. Creating a Policy to Apply the IM Blocking Settings Policy Successfully Created...
  • Page 151 Gigabit Multi-Homing VPN Security Gateway MH-2300 4.6.1.2 Blocking the Use of P2P Applications (including File Download and Upload) Step 1. Under Policy Object > Application Blocking > Settings, set as shown below: Specify a name for the rule. Tick the Select All box next to Peer-to-Peer Sharing.
  • Page 152: Virtual Server

    Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 2. Under Policy > Outgoing, set as shown below: Application Blocking: Select the rule. Click OK. Creating a Policy to Apply the P2P Blocking Settings Policy Successfully Created P2P applications are the major cause of bandwidth exhaustion and are also hard to block because of port alternation.
  • Page 153: Examples Of Virtual Server

    Gigabit Multi-Homing VPN Security Gateway MH-2300 single service via load balancing algorithm. Port-Mapping Group: Group feature is available for Mapped IPs and Port Mapping settings to simplify the process of applying addresses to network policies. Terms in Mapped IPs Mapped IP Address Specify the IP address of a WAN port to be mapped.
  • Page 154 Gigabit Multi-Homing VPN Security Gateway MH-2300 Configure Port2 as WAN1 with the ISP-allocated IP addresses 61.11.11.10 to 61.11.11.14. Configure Port3 as WAN2 with the ISP-allocated IP addresses 211.22.22.18 to 211.22.22.30. 4.7.1.1 Using a Policy-managed Server to Provide Multiple Services (FTP, Web, Mail, etc.) Step 1.
  • Page 155 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 4. Under Policy Object > Service > Group, add a group named “Main_Service” which consists of DNS, FTP, HTTP, POP3, and SMTP services. Next, add another one named “Mail_Service” to group DNS, POP3, and SMTP services.
  • Page 156 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 6. Under Policy > Outgoing, set as shown below: Source Address: Select the LAN address group of the servers. Service: Select “Mail_Service”. Click OK. Creating a Policy to Apply the Service Group Settings Policy Successfully Created...
  • Page 157 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 7. Services are open to the public through the mapped IP address. The Deployment of a Server Providing Multiple Services through Address Mapping For the sake of security, selecting “Any” for Service is not recommended when applying a mapped IP to a policy.
  • Page 158 Gigabit Multi-Homing VPN Security Gateway MH-2300 Load Balancing: Select “Round-Robin”. Interface: Select “LAN”. Private IP Address # 1: Specify “192.168.1.101” in the field or click Assist Me to select an address. Click Next Row when done. Private IP Address # 2: Specify “192.168.1.102” in the field or...
  • Page 159 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 3. Under Policy > Incoming, set as shown below: Destination IP: Select the mapped IP (211.22.22.23). Service: Select “HTTP(8080)”. Click OK. Creating a Policy for the HTTP Service Policy Successfully Created External Web server requests will require appending the new port to the website address, such as http://www.yahoo.com:8080.
  • Page 160 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 4. Web servers are available for public access through the port mapping setting. The Deployment of Multiple Servers Hosting a Website through Port Mapping 4.7.1.3 Permitting VoIP Telephony between External and Internal Users via TCP 1720, TCP 15323-15333 and UDP 15323-15333 Step 1.
  • Page 161 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 3. Add a service setting under Policy Object > Service > Custom as follows: The Service Setting for VoIP Communication Step 4. Under Policy Object > Virtual Server > Port Mapping, set as shown below: Name : Specify a name for the port mapping setting.
  • Page 162 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 5. Under Policy > Incoming, set as shown below: Destination IP: Select the mapped IP (61.11.11.12). Service: Select the custom service. Click OK. Creating a Policy for Allowing Incoming VoIP Traffic Policy Successfully Created...
  • Page 163 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 6. Under Policy > Outgoing, set as shown below: Source Address: Select the IP address assigned for VoIP service. Service: Select the VoIP service. Action: Select “Port2 (WAN1)”. Click OK. Creating a Policy for Allowing Outgoing VoIP Traffic...
  • Page 164 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 7. VoIP communication is available between external and internal users through the port mapping setting. The Deployment of VoIP Communication through Port Mapping 4.7.1.4 Using Multiple Policy-managed Servers to Provide HTTP, POP3, SMTP, and DNS Services Step 1.
  • Page 165 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 2. Under Policy Object > Address > LAN / LAN Group, set as shown below: The Address Settings for the Servers The Group Setting for Server IP Addresses Step 3. Under Policy Object > Service > Group, add a group named “Main_Service”...
  • Page 166 Gigabit Multi-Homing VPN Security Gateway MH-2300 Private IP Address # 2: Specify “192.168.1.102” in the field or click Assist Me to select an address. Click Next Row when done. Private IP Address # 3: Specify “192.168.1.103” in the field or click Assist Me to select an address.
  • Page 167 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 5. Go to Policy > Incoming and then set as shown below: Select the mapped IP (211.22.22.23) for Destination Address. Select “Main_Service” for Service. Click OK. Creating a Policy to Apply the Service Group Settings...
  • Page 168 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 6. Go to Policy > Outgoing and set as shown below: Select the LAN address group of the servers for Source Address. Select “Mail_Service” for Service. Click OK. Creating a Policy to Apply the Service Group Settings...
  • Page 169: Vpn

    Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 7. Services are open to the public through the port mapping setting. The Deployment of Multiple Servers Providing Services through Port Mapping 4.8 VPN This chapter will cover the configuration of VPN, which allows for establishing private and secure site-to-site connections, enabling a network to be built among distributed locations in a convenient way.
  • Page 170 Gigabit Multi-Homing VPN Security Gateway MH-2300 An asymmetric cryptography scheme that involves a public and a private key. The public key can be known to everyone and is used for encrypting messages. Messages encrypted with the public key can only be decrypted using the private key.
  • Page 171 Gigabit Multi-Homing VPN Security Gateway MH-2300 AES (Advanced Encryption Standard) The Advanced Encryption Standard (AES) is a symmetric key encryption technique, usually using a 128-bit, 192-bit or 256-bit key. AES is commonly seen and widely adopted nowadays. NULL Algorithm The NULL Algorithm is an instant and convenient alternative for connection.
  • Page 172 Gigabit Multi-Homing VPN Security Gateway MH-2300 The corresponding autokey, trunk and policy settings will be automatically added. Adding a One-Step IPSec Rule One-Step IPSec Rule Successfully Added A VPN Trunk Created Correspondingly An Outgoing Policy Created Correspondingly An Incoming Policy Created Correspondingly...
  • Page 173 Gigabit Multi-Homing VPN Security Gateway MH-2300 For the convenience of quick VPN connection, One-Step IPSec uses default settings for some of the configurations as listed below: IKE Negotiation: Main mode Authentication Method: Pre-Shared Key ISAKMP Settings: DES + MD5 + Diffie-Hellman 1...
  • Page 174 Gigabit Multi-Homing VPN Security Gateway MH-2300 Applying the VPN Trunk to Network Policies VPN Wizard Successfully Completed An Outgoing Policy Created Correspondingly An Incoming Policy Created Correspondingly Terms in IPSec Autokey The description of the symbols used for connection status is as follows:...
  • Page 175 Gigabit Multi-Homing VPN Security Gateway MH-2300 Name The name of an IPSec rule. Note that the name cannot be repeated under Policy Object > VPN > IPSec Autokey. Interface The external interface of your local gateway. Gateway The external interface of the remote gateway.
  • Page 176 Gigabit Multi-Homing VPN Security Gateway MH-2300 Uptime The elapsed time of an established VPN connection. Configuration Click Modify or Remove to edit or delete the corresponding rule. The PPTP Server Rule Table A PPTP VPN connection is maintained using the Echo-Request mechanism and can be manually disconnected by ticking the box of “Manual disconnection”...
  • Page 177 Gigabit Multi-Homing VPN Security Gateway MH-2300 A PPTP VPN connection is maintained using the Echo-Request mechanism and can be manually connected by ticking the box of “Manual connection” within the PPTP client rule. Terms in Trunk Status The description of the symbols used for connection status is as follows.
  • Page 178: Examples Of Vpn

    Port 1 is added with a multiple subnet (192.168.85.1) and is connected to the LAN subnet 192.168.85.x / 24 This example will be using two units of MH-2300 to establish a VPN tunnel for private network access as follows: For Company A, set as shown below: Step 1.
  • Page 179 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 3. Select “Remote Gateway (Static IP or Hostname)” for Remote Settings, and enter the gateway address of Company B. The Remote Settings Step 4. Select “Pre-Shared Key” for Authentication Method, and enter a Pre-Shared Key String.
  • Page 180 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 8. The IPSec autokey rule is successfully added. IPSec Autokey Rule Successfully Added Step 9. Under Policy Object > VPN > Trunk, set as shown below: Specify a name for the VPN trunk.
  • Page 181 Gigabit Multi-Homing VPN Security Gateway MH-2300 VPN Trunk Successfully Added Step 10. Under Policy > Outgoing, set as shown below: Select the VPN trunk for VPN Trunk. Click OK to complete the settings. Creating a Policy to Apply the VPN Trunk Settings...
  • Page 182 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 11. Under Policy > Incoming, set as shown below: Select the VPN trunk for VPN Trunk. Click OK. Creating a Policy to Apply the VPN Trunk Settings Policy Successfully Created If “Remote Gateway or Client (Dynamic IP)” is selected for Remote Settings under Policy Object >...
  • Page 183 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 2. Go to Policy Object > VPN > IPSec Autokey and then click New Entry. The IPSec Autokey Rule Table Step 3. Enter “VPN_B” in the Name field and then select “Port2 (WAN1)” for Interface.
  • Page 184 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 7. Select the radio box of “Use both algorithms” under the IPSec Settings section, select “3DES” for Encryption Algorithm and select “MD5” for Authentication Algorithm. The IPSec Algorithm Settings Step 8. In the Advanced Settings (optional) section, select “DH 1” for PFS Key Group, enter “3600”...
  • Page 185 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 10. Under Policy Object > VPN > Trunk, set as shown below: Name: Specify a name for the VPN trunk. Local Settings: Select “LAN” for Interface and specify the subnet and netmask of Company B.
  • Page 186 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 11. Under Policy > Outgoing, click New Entry and then set as shown below: Select the VPN trunk for VPN Trunk. Click OK to complete the settings. Creating a Policy to Apply the VPN Trunk Settings...
  • Page 187 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 12. Under Policy > Incoming, click New Entry and then set as shown below: Select the VPN trunk for VPN Trunk. Click OK to complete the settings. Creating a Policy to Apply the VPN Trunk Settings...
  • Page 188 ADSL modem (ATUR). Company B is running a Windows 7 PC with an IP address of 211.22.22.22. This example will be using a unit of MH-2300 and a Windows 7 PC to establish a VPN tunnel for private network access as follows.
  • Page 189 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 1. Go to Policy Object > VPN > IPSec Autokey and then click New Entry. The IPSec Autokey Rule Table Step 2. Enter “VPN_A” in the Name field and then select “Port2 (WAN1)” for Interface.
  • Page 190 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 6. Select the radio box of “Use both algorithms” under the IPSec Settings section, select “3DES” for Encryption Algorithm, and then select “MD5” for Authentication Algorithm. IPSec Algorithm Settings Step 7. In the Advanced Settings (Optional) section, select “DH 1” for PFS Key Group, enter “3600”...
  • Page 191 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 9. Under Policy Object > VPN > Trunk, set as shown below: Name: Specify a name for the VPN trunk. Local Settings: Select “LAN” for Interface and specify the subnet and netmask of Company A.
  • Page 192 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 10. Under Policy > Outgoing, set as shown below: Select the VPN trunk for VPN Trunk. Click OK. Creating a Policy to Apply the VPN Trunk Settings Policy Successfully Created...
  • Page 193 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 11. Under Policy > Incoming, set as shown below: Select the VPN trunk for VPN Trunk. Click OK to complete the settings. Creating a Policy to Apply the VPN Trunk Settings Policy Successfully Created For Company B, set as shown below: Step 1.
  • Page 194 Gigabit Multi-Homing VPN Security Gateway MH-2300 Typing in “run” in the Search Field on the Start Menu Typing in “mmc” in the Run Command Box...
  • Page 195 Gigabit Multi-Homing VPN Security Gateway MH-2300 Selecting “Add / Remove Snap-in” from the File Menu Adding the “IP Security Policy Management”...
  • Page 196 Gigabit Multi-Homing VPN Security Gateway MH-2300 Selecting “Local Computer” Snap-in Successfully Added to the Console Root...
  • Page 197 Gigabit Multi-Homing VPN Security Gateway MH-2300 Creating an IP Security Policy The IP Security Policy Wizard...
  • Page 198 Gigabit Multi-Homing VPN Security Gateway MH-2300 Policy Name and Description Settings Default Response Rule Settings...
  • Page 199 Gigabit Multi-Homing VPN Security Gateway MH-2300 IP Security Policy Wizard Successfully Completed Step 2. In the VPN_B Properties dialog box, click the Rules tab and then set as shown below: Untick the box of “Use Add Wizard” and click Add.
  • Page 200 Gigabit Multi-Homing VPN Security Gateway MH-2300 Tick the boxes of “Accept unsecured communication, but always respond using IPsec” and “Use session key perfect forward secrecy (PFS)”. Click Add. In the New Security Method dialog box, select Custom and then click Settings.
  • Page 201 Gigabit Multi-Homing VPN Security Gateway MH-2300 Adding an IP Security Rule...
  • Page 202 Gigabit Multi-Homing VPN Security Gateway MH-2300 Adding an IP Filter List Specifying a Name of the IP Filter List...
  • Page 203 Gigabit Multi-Homing VPN Security Gateway MH-2300 Specifying the Source and Destination Addresses An IP Filter Successfully Added to the List...
  • Page 204 Gigabit Multi-Homing VPN Security Gateway MH-2300 An IP Filter List Successfully Added to the Rule...
  • Page 205 Gigabit Multi-Homing VPN Security Gateway MH-2300 Adding a Filter Action...
  • Page 206 Gigabit Multi-Homing VPN Security Gateway MH-2300 Configuring the Security Method...
  • Page 207 Gigabit Multi-Homing VPN Security Gateway MH-2300 Customizing the Security Method Specifying the Custom Security Method Settings...
  • Page 208 Gigabit Multi-Homing VPN Security Gateway MH-2300 Security Method Settings Successfully Completed...
  • Page 209 Gigabit Multi-Homing VPN Security Gateway MH-2300 Filter Action Successfully Added to the Rule...
  • Page 210 Gigabit Multi-Homing VPN Security Gateway MH-2300 Editing the Authentication Method...
  • Page 211 Gigabit Multi-Homing VPN Security Gateway MH-2300 Specifying a Preshared Key...
  • Page 212 Gigabit Multi-Homing VPN Security Gateway MH-2300 Authentication Method Successfully Added to the Rule...
  • Page 213 Gigabit Multi-Homing VPN Security Gateway MH-2300 Specifying the IPv4 Tunnel Endpoint...
  • Page 214 Gigabit Multi-Homing VPN Security Gateway MH-2300 Applying the Rule to All Network Connections...
  • Page 215 Gigabit Multi-Homing VPN Security Gateway MH-2300 IP Security Rule Successfully Added Step 3. In the VPN_B Properties dialog box, click the Rules tab and then set as shown below: Click Add. In the New Rule Properties dialog box, select the IP Filter List tab and then click Add: In the IP Filter List dialog box, type in “VPN_B Remote To...
  • Page 216 Gigabit Multi-Homing VPN Security Gateway MH-2300 In the New Rule Properties dialog box, click the Authentication Methods tab. Next, select “Kerberos” from the Authentication method preference order and then click Edit. In the Edit Authentication Method Properties dialog box, follow the steps below: Tick the box of “Use this string (preshared key)”...
  • Page 217 Gigabit Multi-Homing VPN Security Gateway MH-2300 Adding an IP Filter List Specifying a Name of the IP Filter List...
  • Page 218 Gigabit Multi-Homing VPN Security Gateway MH-2300 Specifying the Source and Destination Addresses An IP Filter Successfully Added to the List...
  • Page 219 Gigabit Multi-Homing VPN Security Gateway MH-2300 An IP Filter List Successfully Added to the Rule...
  • Page 220 Gigabit Multi-Homing VPN Security Gateway MH-2300 Adding a Filter Action...
  • Page 221 Gigabit Multi-Homing VPN Security Gateway MH-2300 Editing the Authentication Method...
  • Page 222 Gigabit Multi-Homing VPN Security Gateway MH-2300 Specifying a Preshared Key...
  • Page 223 Gigabit Multi-Homing VPN Security Gateway MH-2300 Authentication Method Successfully Added to the Rule...
  • Page 224 Gigabit Multi-Homing VPN Security Gateway MH-2300 Specifying the IPv4 Tunnel Endpoint...
  • Page 225 Gigabit Multi-Homing VPN Security Gateway MH-2300 Applying the Rule to All Network Connections...
  • Page 226 Gigabit Multi-Homing VPN Security Gateway MH-2300 IP Security Rule Successfully Added Step 4. In the VPN_B Properties dialog box, click the General tab and then set as shown below: Type in “VPN_B” in the Name field. Enter “180” in the minute(s) field.
  • Page 227 Gigabit Multi-Homing VPN Security Gateway MH-2300 Configuring the IP Security Policy General Properties Configuring the Key Exchange Settings...
  • Page 228 Gigabit Multi-Homing VPN Security Gateway MH-2300 Configuring the Security Methods Customizing the IKE Security Algorithms Step 5. In the Microsoft Management Console window, set as shown below: In the Console Root tree, click IP Security Policies on Local Computer, right-click the policy “VPN_B” and then select Assign.
  • Page 229 Gigabit Multi-Homing VPN Security Gateway MH-2300 Assigning an IP Security Policy IP Security Policy Successfully Assigned...
  • Page 230 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 6. Select Services on the Start menu or type in “services.msc” in the Search field, and then set as shown below: Scroll down to select IPSec Policy Agent, right-click it, and then select Restart.
  • Page 231 Gigabit Multi-Homing VPN Security Gateway MH-2300 Restarting the IPSec Policy Agent Once the configuration is completed, continuously ping Company A’s LAN subnet, such as 192.168.10.1. The IPSec VPN tunnel is successfully established only if response packets are received from Company A.
  • Page 232 LAN subnet 192.168.20.x / 24. Port 2 is defined as WAN 1 (211.22.22.22) and is connected to the Internet via the ADSL modem (ATUR). This example will be using two units of MH-2300 to establish a VPN tunnel in Aggressive mode as follows:...
  • Page 233 Gigabit Multi-Homing VPN Security Gateway MH-2300 For Company A, set as shown below: Step 1. Go to Policy Object > VPN > IPSec Autokey, and then click New Entry. The IPSec Autokey Rule Table Step 2. Enter “VPN_A” in the Name field and select “Port2 (WAN1)” for Interface.
  • Page 234 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 6. Tick the radio box of “Use both algorithms” in the IPSec Settings section, select “3DES” for Encryption Algorithm and “MD5” for Authentication Algorithm. IPSec Algorithm Settings Step 7. In the Advanced Settings (Optional) section, select “DH 1” for PFS Key Group, enter “3600”...
  • Page 235 Gigabit Multi-Homing VPN Security Gateway MH-2300 Click OK. Adding a VPN Trunk VPN Trunk Successfully Added...
  • Page 236 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 11. Under Policy > Outgoing, click New Entry and then set as shown below: Select the VPN trunk from the VPN Trunk. Click OK. Creating a Policy to Apply the VPN Trunk Settings...
  • Page 237 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 12. Under Policy > Incoming, click New Entry and then set as shown below: Select the defined trunk from the VPN Trunk drop-down list. Click OK. Creating a Policy to Apply the VPN Trunk Settings...
  • Page 238 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 3. Remote Settings: Select “Remote Gateway (Static IP or Hostname)”, and enter the gateway address of Company A. Remote Settings Step 4. Select “Pre-Shared Key” for Authentication Method, and enter a Pre-Shared Key String. (The maximum length of the string is 62...
  • Page 239 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 9. The IPSec autokey rule is successfully added. IPSec Autokey Rule Successfully Added Step 10. Under Policy Object > VPN > Trunk, click New Entry and then set as shown below: Name: Specify a name for the VPN Trunk.
  • Page 240 Gigabit Multi-Homing VPN Security Gateway MH-2300 VPN Trunk Successfully Added Step 11. Under Policy > Outgoing, click New Entry and then set as shown below: Select the VPN trunk for VPN Trunk. Click OK. Creating a Policy to Apply the VPN Trunk Settings...
  • Page 241 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 12. Under Policy > Incoming, click New Entry and then set as shown below: Select the VPN trunk for VPN Trunk. Click OK to complete the settings. Creating a Policy to Apply the VPN Trunk Settings...
  • Page 242 Figure 11-145 The Deployment of an IPSec VPN Network Running in Aggressive Mode between Two Units of MH-2300 4.8.1.4 Using Two Units of MH-2300 to Load Balance Outbound IPSec VPN Traffic with GRE Encapsulation Prerequisite Configuration (Note: The IP Addresses are used as examples...
  • Page 243 Two IPSec VPN tunnels are established between Company A and B over their corresponding WAN 1 and WAN 2. This example will be using two units of MH-2300 to establish two VPN tunnels with GRE encapsulation as follows: For Company A, set as shown below: Step 1.
  • Page 244 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 5. Under the Encryption and Data Integrity Algorithms section, select “3DES” for Encryption Algorithm, “MD5” for Authentication Algorithm and “Diffie-Hellman1” for Key Group. Encryption and Data Integrity Algorithms Step 6. Under the IPSec Settings section, select the radio box of “Use both algorithms”, select “3DES”...
  • Page 245 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 9. The IPSec autokey rule “VPN_01” is successfully added. IPSec Autokey Rule “VPN_01” Successfully Added Step 10. Under Policy Object > VPN > IPSec Autokey, click New Entry. The IPSec Autokey Rule Table Step 11.
  • Page 246 Gigabit Multi-Homing VPN Security Gateway MH-2300 “MD5” for Authentication Algorithm. IPSec Algorithm Settings Step 16. Under the Advanced Settings (optional) section, select “DH1” for PFS Key Group, enter “3600” in the ISAKMP SA Lifetime field, “28800” in the IPSec SA Lifetime field, and then select “Main Mode”...
  • Page 247 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 19. Under Policy Object > VPN > Trunk, set as shown below: Name: Specify a name for VPN Trunk. Local Settings: Select “LAN” for Interface and specify the subnet and netmask of Company A.
  • Page 248 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 20. Under Policy > Outgoing, click New Entry and then set as shown below: Select the VPN trunk for VPN Trunk. Click OK to complete the settings. Creating a Policy to Apply the VPN Trunk Settings...
  • Page 249 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 21. Under Policy > Incoming, click New Entry and then set as shown below: Select the VPN trunk for VPN Trunk. Click OK to complete the settings. Creating a Policy to Apply the VPN Trunk Settings...
  • Page 250 Gigabit Multi-Homing VPN Security Gateway MH-2300 pot 1). Remote Settings Step 4. Select “Pre-Shared Key” for Authentication Method and enter the Pre-Shared Key String. IPSec Algorithm Settings Step 5. Below Encryption and Data Integrity Algorithms, select “3DES” for Encryption Algorithm; select “MD5” for Authentication Algorithm;...
  • Page 251 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 8. For GRE Tunnel Settings, type “192.168.50.200” in the Local Endpoint Address field and “192.168.50.100” in the Remote Endpoint Address field. (Note: The local IP and the remote IP must be configured in the same class C network.) GRE Tunnel Settings Step 9.
  • Page 252 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 14. Below Encryption and Data Integrity Algorithms, select “3DES” for Encryption Algorithm; select “MD5” for Authentication Algorithm; select “DH 1” for Key Group. ISAKMP Algorithm Settings Step 15. Select Use both algorithms below the IPSec Algorithm, or tick Use authentication algorithm only.
  • Page 253 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 19. Under Policy Object > VPN > Trunk, set as shown below: Name: Type a name. Local Settings: Select “LAN”. Local IP / Netmask: Type “192.168.20.0” as B Company’s subnet address and “255.255.255.0” as Mask.
  • Page 254 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 20. Under Policy > Outgoing, click New Entry and then set as shown below: Select the defined trunk for VPN Trunk. Click OK. Using VPN Trunk in an Outgoing Policy An Outgoing Policy with VPN Trunk...
  • Page 255 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 21. Select Policy > Incoming, click New Entry and then set as shown below: Select the defined trunk for VPN Trunk. Click OK. Using VPN Trunk in an Incoming Policy An Incoming Policy with VPN Trunk...
  • Page 256 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 22. Settings completed. Deployment of IPSec VPN Using GRE/IPSec 4.8.1.5 Using Three Units of MH-2300 to Create a Hub-and-Spoke IPSec VPN Network Prerequisite Configuration (Note: The IP addresses are used as examples only) [Company A] Port 1 is defined as LAN 1 (192.168.10.1) and is connected to the LAN subnet...
  • Page 257 Port 2 is defined as WAN 1 (121.33.33.33) and is connected to the Internet via the ADSL modem (ATUR). This example will be using three units of MH-2300 to create a hub-and-spoke IPSec VPN network as follows: For Company A, set as shown below: Step 1.
  • Page 258 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 5. Under the ISAKMP Algorithm section, select 3DES for Encryption Algorithm, select MD5 for Authentication Algorithm and then select DH 1 for Key Group. Configuring the IPSec Algorithm Step 6. Under the IPSec Algorithm section, select 3DES for Encryption Algorithm and then select MD5 for Authentication Algorithm.
  • Page 259 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 9. Go to Policy Object > VPN > Trunk, click New Entry and then set as shown below: Type the name in the Name field. Local Settings: select LAN. Enter the local subnet and the mask.
  • Page 260 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 10. Go to Policy Object > VPN > IPSec Autokey and then click the New Entry button again. The IPSec Autokey Page Step 11. Type VPN_02 in the Name field and then select Port2(WAN1) for the Interface.
  • Page 261 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 15. Under the IPSec Algorithm section, select Use both algorithms. Select 3DES for Encryption Algorithm and MD5 for Authentication Algorithm. Configuring IPSec Algorithm Step 16. Under the Advanced Settings (optional) section, select GROUP 1 for PFS Key Group, enter 3600 in the ISAKMP SA Lifetime field, enter 28800 in the IPSec SA Lifetime field and then select Main mode for Mode.
  • Page 262 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 18. Go to Policy Object > VPN > Trunk, click New Entry and then set as shown below: Type the name in the Name field. Local Settings: select LAN. Enter the IP address and the Mask in the Local IP / Netmask field.
  • Page 263 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 19. Go to Policy Object > VPN > Trunk Group, click New Entry and then set as shown below: Type the name in the Name field. Move the IPSec_VPN_Trunk_01(LAN) and IPSec_VPN_Trunk_02(LAN) from the Available Trunks column to the Selected Trunks column.
  • Page 264 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 20. Under Policy > Outgoing, click New Entry and then set as shown below: Select the defined Trunk from the VPN Trunk drop-down list. Click OK. Configuring the Outgoing Policy with VPN Trunk Policy Created...
  • Page 265 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 21. Go to Policy > Incoming, click New Entry and then set as shown below: Select the defined Trunk from the VPN Trunk drop-down list. Click OK. Configuring an Incoming Policy with VPN Trunk...
  • Page 266 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 3. Under the Remote Settings section, select Remote Gateway (Static IP or Hostname) and then enter A Company’s IP. Configuring the Remote Settings Step 4. Select Pre-Shared Key for Authentication Method and then enter the Pre-Shared Key String.
  • Page 267 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 8. Setting completed. IPSec Setting Completed Step 9. Under Policy Object > VPN > Trunk, click the New Entry button and then set as shown below: Type the name in the Name field.
  • Page 268 Gigabit Multi-Homing VPN Security Gateway MH-2300 Setting Completed Step 10. Go to Policy > Outgoing, click the New Entry button and then set as shown below: Select the defined Trunk from the VPN Trunk drop-down list. Click OK. Configuring an Outgoing Policy with VPN Trunk...
  • Page 269 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 11. Go to Policy > Incoming, click the New Entry button and then set as shown below: Select the defined Trunk from the VPN Trunk drop-down list. Click OK. Configuring an Incoming Policy with VPN Trunk...
  • Page 270 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 3. Under the Remote Settings section, select Remote Gateway (Static IP or Hostname) and then enter A Company’s IP in the field. Configuring the Remote Settings Step 4. Select Pre-Shared Key for Authentication Method and then enter the Pre-Shared Key String.
  • Page 271 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 8. Setting completed. Setting Completed Step 9. Go to Policy Object > VPN > Trunk, click the New Entry button and then set as shown below: Type the name in the Name field.
  • Page 272 Gigabit Multi-Homing VPN Security Gateway MH-2300 Setting Completed Step 10. Go to Policy > Outgoing, click New Entry and then set as shown below: Select the defined Trunk from the VPN Trunk drop-down list. Click OK. Configuring an Outgoing Policy...
  • Page 273 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 11. Go to Policy > Incoming, click New Entry and then set as shown below: Select the defined Trunk from the VPN Trunk drop-down list. Click OK. Configuring an Incoming Policy Setting Completed...
  • Page 274 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 12. Setting completed. The Deployment of IPSec VPN 4.8.1.6 Using Two Units of MH-2300 to Load Balance Outbound PPTP VPN Traffic Prerequisite Configuration (Note: The IP addresses are used as examples only) [Company A] Port 1 is defined as LAN 1 (192.168.10.1) and is connected to the LAN subnet...
  • Page 275 ADSL modem (ATUR). Two PPTP VPN tunnels are established between Company A and B over their corresponding WAN 1 and WAN 2. This example will be using two units of MH-2300 to establish VPN tunnels for private network access as follows:...
  • Page 276 Enabling the PPTP Server Internet access via the PPTP VPN tunnel can be allowed or blocked when connecting to the MH-2300 from an external network. Auto-disconnect if idle for: Each PPTP VPN tunnel can be given an idle timeout value (unit: minute) after which it is automatically disconnected.
  • Page 277 Gigabit Multi-Homing VPN Security Gateway MH-2300 below: Click New Entry. Select “Internal” for Authentication Type. Type “PPTP_01” in the Username field. Type “123456789” in the Password field. Select the radio box of “IP Range” under the Client IP Assignment section.
  • Page 278 Gigabit Multi-Homing VPN Security Gateway MH-2300 The Second PPTP Server Successfully Added The PPTP server settings can be exported as a file for archiving and editing purpose, which can be used for restoring the list later on.
  • Page 279 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 3. Under Policy Object > VPN > Trunk, click New Entry and then set as shown below: Specify a name for the VPN trunk. Local Settings: Select “LAN” for Interface and specify the subnet and netmask of Company A.
  • Page 280 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 4. Go to Policy > Outgoing, click New Entry and then set as shown below: Select the VPN trunk for VPN Trunk. Click OK to complete the settings. Creating a Policy to Apply the VPN Trunk Settings...
  • Page 281 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 5. Go to Policy > Incoming, click New Entry and then set as shown below: Select the VPN trunk for VPN Trunk. Click OK to complete the settings. Creating a Policy to Apply the VPN Trunk Settings...
  • Page 282 Gigabit Multi-Homing VPN Security Gateway MH-2300 Click OK to complete the settings. Adding the First PPTP Client First PPTP Client Successfully Added Adding the Second PPTP Client Second PPTP Client Successfully Added The Internet access via PPTP VPN tunnel or the access to an IPSec VPN network requested by a PPTP VPN client needs to be achieved by ticking the box of “NAT with PPTP client”.
  • Page 283 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 2. Under Policy Object > VPN > Trunk, click New Entry and then set as shown below: Specify a name for the VPN trunk. Local Settings: Select “LAN” for Interface and specify the subnet and netmask for Company B.
  • Page 284 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 3. Go to Policy > Outgoing and then set as shown below: Select the VPN trunk for VPN Trunk. Click OK to complete the settings. Creating a Policy to Apply the VPN Trunk Settings...
  • Page 285 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 4. Go to Policy > Incoming, click New Entry and then set as shown below: Select the VPN trunk for VPN Trunk. Click OK to complete the settings. Creating a Policy to Apply the VPN Trunk Settings...
  • Page 286 MH-2300 Step 5. PPTP VPN tunnels have been successfully established and load-balanced between the two sites. The Deployment of a Load-balanced PPTP VPN Network between Two Units of MH-2300 4.8.1.7 Using Two Units of MH-2300 to Provide PPTP VPN Client with Internet Access via PPTP VPN Server...
  • Page 287 Gigabit Multi-Homing VPN Security Gateway MH-2300 This example will be using two units of MH-2300 to establish a VPN tunnel for providing the client-side users with Internet access as follows: For Company A, set as shown below: Step 1. Go to Policy Object > VPN > PPTP Server and then set as shown below: Click Modify.
  • Page 288 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 2. Go to Policy Object > VPN > PPTP Server, click New Entry and then set as shown below: Select “Internal” for Authentication Type. Type in “PPTP_Connection” in the Username field. Type in “123456789” in the Password field.
  • Page 289 Gigabit Multi-Homing VPN Security Gateway MH-2300 For Company B, set as shown below: Step 1. Go to Policy Object > VPN > PPTP Client, click New Entry and then set as shown below: Type in “PPTP_Connection” in the Username field.
  • Page 290 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 2. Go to Policy Object > VPN > Trunk, click New Entry and then set as shown below: Specify a name for the VPN trunk. Local Settings: Select “LAN” for Interface and specify the subnet and netmask for Company B.
  • Page 291 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 3. Go to Policy > Outgoing, click New Entry and then set as shown below: Select the VPN trunk for VPN Trunk. Click OK to complete the settings. Creating a Policy to Apply the VPN Trunk Settings...
  • Page 292 ADSL modem (ATUR). Company B is running a Windows 7 PC with an IP address of 211.22.22.22. This example will be using a unit of MH-2300 and a Windows 7 PC to establish a VPN tunnel for private network access as follows.
  • Page 293 Enabling the PPTP Server Internet access via the PPTP VPN tunnel can be allowed or blocked when connecting to the MH-2300 from an external network. Each PPTP VPN tunnel can be given an idle timeout value (unit: minute) after which it is automatically disconnected.
  • Page 294 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 2. Under Policy Object > VPN > PPTP Server, click New Entry and then set as shown below: Select “Internal” for Authentication Type. Type in “PPTP_Connection” in the Username field. Type in “123456789” in the Password field.
  • Page 295 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 3. Go to Policy Object > VPN > Trunk, click New Entry and then set as shown below: Specify a name for the VPN Trunk. Local Settings: Select “LAN” for Interface and specify the subnet and netmask for Company A.
  • Page 296 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 4. Go to Policy > Outgoing, click New Entry and then set as shown below: Select the VPN trunk for VPN Trunk. Click OK to complete the settings. Creating a Policy for Allowing Outgoing VPN Traffic...
  • Page 297 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 5. Under Policy > Incoming, click New Entry and then set as shown below: Select the VPN trunk for VPN Trunk. Click OK to complete the settings. Creating a Policy for Allowing Incoming VPN Traffic...
  • Page 298 Gigabit Multi-Homing VPN Security Gateway MH-2300 Type in “123456789” in the Password field. Tick the box of “Remember this password”. Click Create. Click Close. Click Change adapter settings on the left panel: In the Network Connections window: Right-click VPN Connection and select “Connect” from the shortcut menu.
  • Page 299 Gigabit Multi-Homing VPN Security Gateway MH-2300 Selecting “Set up a new connection or network” Selecting “Connect to a Workplace”...
  • Page 300 Gigabit Multi-Homing VPN Security Gateway MH-2300 Choosing a Connection Method Specifying an Internet Address to be Connected To...
  • Page 301 Gigabit Multi-Homing VPN Security Gateway MH-2300 Entering Your VPN Credentials in the Corresponding Fields VPN Connectivity Configuration Successfully Completed...
  • Page 302 Gigabit Multi-Homing VPN Security Gateway MH-2300 Selecting “Change Adapter Settings” on the Left Panel Right-clicking the VPN Connection Icon to Select “Connect” from the Shortcut Menu...
  • Page 303 Gigabit Multi-Homing VPN Security Gateway MH-2300 Clicking “Connect” to Establish a VPN Connection Verifying the VPN Credentials VPN Connection Successfully Established...
  • Page 304 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 2. PPTP VPN tunnel has been successfully established between the MH-2300 and the Windows 7 PC. The Deployment of a PPTP VPN Network between MH-2300 and Windows 7 PC...
  • Page 305: Chapter 5. Web Filter

    Gigabit Multi-Homing VPN Security Gateway MH-2300 Chapter 5. Web Filter 5.1 Configuration Websites, files, MIME types or scripting languages can be blocked to avoid cyberslacking or being affected by malicious code (e.g., viruses) through the following means: Whitelist: Allows you to permit the access to a specific website using an exact URL address or a keyword along with a wildcard character “*”.
  • Page 306 Gigabit Multi-Homing VPN Security Gateway MH-2300 The Web Filtering Settings Prior to enabling the syslog feature, please configure the System Message Settings under System > Configuration > Settings.
  • Page 307 Gigabit Multi-Homing VPN Security Gateway MH-2300 Below is an alert message shown to an internal user who attempts to visit a forbidden website. The Denial Message for a Blacklisted Website Terms in Whitelist Name The name of a Whitelist rule.
  • Page 308 Gigabit Multi-Homing VPN Security Gateway MH-2300 The filtering mechanisms are performed in the following order: Whitelist     Blacklist Group. Terms in File Extensions Name The name of a file extension rule. Predefined File Extensions (Select All) Allows you to block the HTTP or FTP file transfer based on the selected predefined file extensions.
  • Page 309: Examples Of Web Filter

    Gigabit Multi-Homing VPN Security Gateway MH-2300 Multipart: For filtering a message that is composed of multiple subtypes. Application: For filtering any application or binary datagrams. Message: For constructing a MIME message. Image: For filtering any non-animated images. Audio: For filtering any audio packets. Video: For filtering any video packets.
  • Page 310 Gigabit Multi-Homing VPN Security Gateway MH-2300 Creating the Second Whitelist Rule Whitelist Rules Successfully Created Whitelist rules can be exported as a file for storage, which can be used for restoring the list later on. Step 2. Go to Web Filter > Configuration > Blacklist and then set as shown below: Specify a name in the Name field.
  • Page 311 Gigabit Multi-Homing VPN Security Gateway MH-2300 Blacklist rules can be exported as a file for storage, which can be used for restoring the list later on.
  • Page 312 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 3. Go to Web Filter > Configuration > Group, click New Entry and then set as shown below: Specify a name in the Name field. Move the Whitelist from the Available Whitelists column to the Applied Whitelists column.
  • Page 313 Gigabit Multi-Homing VPN Security Gateway MH-2300 Grouping Whitelist and Blacklist Rules The Group Setting for Web Filtering Rules Step 4. Go to Policy > Outgoing, click New Entry and then set as shown below: Select the defined group from the Web Filter drop-down list.
  • Page 314 Gigabit Multi-Homing VPN Security Gateway MH-2300 5.1.1.2 Blocking the Website Access, HTTP / FTP File Transfers, and MIME / Script Types Step 1. Go to Web Filter > Configuration > File Extensions, click New Entry and then set as shown below: Specify a name in the Name field.
  • Page 315 Gigabit Multi-Homing VPN Security Gateway MH-2300 Specifying the Name of the File Extension File Extension Successfully Created Step 2. Go to Web Filter > Configuration > MIME/Script, click New Entry and then set as shown below: Specify a name in the Name field.
  • Page 316 Gigabit Multi-Homing VPN Security Gateway MH-2300 The MIME / Script Rule for Blocking Scripting Languages Under Web Filter > Configuration > MIME/ Script, MIME type can be added as in the following steps: Click Modify next to Available MIME Types and then click Add.
  • Page 317 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 3. Go to Web Filter > Configuration > Group, click New Entry and then set as shown below: Specify a name in the Name field. Select the defined rule from the Upload Blocking drop-down list and the Download Blocking drop-down list.
  • Page 318 Gigabit Multi-Homing VPN Security Gateway MH-2300 Grouping the Filtering Rules The Group Setting for Web Filtering Rules...
  • Page 319: Reports

    Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 4. Go to Policy > Outgoing, click New Entry and then set as shown below: Select the defined group from the Web Filter drop-down list. Click OK. Creating a Policy to Apply the Web Filtering Settings Policy Successfully Created 5.2 Reports...
  • Page 320 Gigabit Multi-Homing VPN Security Gateway MH-2300 Under System > Configuration > Settings, configure the Email Notifications Settings, and then refer to the following to adjust settings under Web Filter > Reports > Settings: Under the Periodic Report Scheduling Settings section, tick Enable the mailing of Periodic Report and then select Weekly report and Daily report.
  • Page 321 Gigabit Multi-Homing VPN Security Gateway MH-2300 A Weekly History Report Sent through an Email Message The First Page of History Report...
  • Page 322 Gigabit Multi-Homing VPN Security Gateway MH-2300 Terms in Logs Search Category: Available searching criteria are time, source IP address, website, category and action. Upload: Available searching criteria are time, source IP address, website, filename, filtering rule and action. Download: Available searching criteria are time, source IP address, website, filename, filtering rule and action.
  • Page 323: Statistics

    Gigabit Multi-Homing VPN Security Gateway MH-2300 Searching for the Specific Logs Under Web Filter > Reports > Logs, the Category reports can be sorted by the time, source IP, website address, category or action. Under Web Filter > Reports > Logs, the Downloaded and Uploaded reports can be sorted by the time, source IP, website address, filename, filtering rule or action.
  • Page 324 Gigabit Multi-Homing VPN Security Gateway MH-2300 Click Week for weekly statistical report. Click Month for monthly statistical report. Click Year for yearly statistical report. Web Filtering Statistical Report...
  • Page 325: Logs

    Gigabit Multi-Homing VPN Security Gateway MH-2300 5.2.2 Logs Step 1. Under Web Filter > Reports > Logs, the URL blocking logs are shown. The Web Filtering Logs...
  • Page 326: Chapter 6. Policy

    Chapter 6. Policy 6.1 Policy MH-2300 inspects each packet passing through the device to see if it meets the criteria of any policy. Every packet is processed according to the designated policy; consequently any packets that do not meet the criteria will not be permitted to pass.
  • Page 327 Gigabit Multi-Homing VPN Security Gateway MH-2300 Terms in Policy Source Address & Destination Address The source address and destination address are defined using the device as a point of reference. The initiating point of a session is referred to as the source address.
  • Page 328 Gigabit Multi-Homing VPN Security Gateway MH-2300 VPN Trunk This is where you apply the policy to regulate the session packets of IPSec or PPTP VPN. Action It determines over which WAN interfaces/ packets are permitted to pass through (see the table below).
  • Page 329 Gigabit Multi-Homing VPN Security Gateway MH-2300 Application Blocking Blocks the use of instant messaging, peer-to-peer sharing, video / audio streaming, Web-based email messaging, online gaming, VPN tunneling, remote controlling and other applications. To modify the application blocking settings, click the icon in the Options column.
  • Page 330: Example

    QoS, you may temporarily disable the policy so as to modify the policy. Priority When accessing packets, MH-2300 inspects the packet to see if it is identical with the criteria of existing policies. The packet-to-policy inspection is performed by the priority of policies. Therefore, in order to optimize the process, you may rearrange the priority of policies accordingly by changing the figure in the drop-down list of each policy.
  • Page 331 Gigabit Multi-Homing VPN Security Gateway MH-2300 6.1.1.1 Creating a Policy to Monitor the Internet Access of LAN Users (Using Packet Logging and Traffic Grapher) Step 1. Go to Policy > Outgoing and then set as shown below: Enable the Packet Logging.
  • Page 332 Click any Source IP or Destination IP for sessions accessed through the IP address that you click on. For details of all sessions accessed through MH-2300, go to Monitoring > Logs > Traffic on the main menu. The Packets Logged by a Policy...
  • Page 333 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 3. Under Monitoring > Traffic Grapher > Policy-Based Traffic, the traffic flow is displayed in graphics, giving you an instant insight into the traffic status. The Traffic Statistics Screen...
  • Page 334 Gigabit Multi-Homing VPN Security Gateway MH-2300 6.1.1.2 Creating Policies to Restrict the Access to Specific Web Sites Step 1. Go to Web Filter > Configuration > Whitelist / Blacklist / File Extensions / MIME / Script / Group and then set as shown below:...
  • Page 335 Gigabit Multi-Homing VPN Security Gateway MH-2300 The Group Setting for Web Filtering Rules Step 2. Go to Policy Object > Application Blocking > Settings and then set as shown below: Creating an Application Blocking Rule...
  • Page 336 Gigabit Multi-Homing VPN Security Gateway MH-2300 Application Blocking Rule Successfully Created Web Filter is intended for blocking the access to specific websites, scripting languages (e.g., the Java and cookies used on a stock exchange website), or HTTP / FTP file transfers.
  • Page 337 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 3. Go to Policy > Outgoing and then set as shown below: Click New Entry. Select the defined group from the Destination Address field. Select Deny all outgoing connections for Action. Click OK.
  • Page 338 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 4. Go to Policy > Outgoing and then set as shown below: Click New Entry. Select the defined group from the Web Filter drop-down list. Select the defined rule from the Application Blocking drop-down list.
  • Page 339 Gigabit Multi-Homing VPN Security Gateway MH-2300 6.1.1.3 Creating a Policy to Grant Internet Access to Only Authenticated Users on Schedule Step 1. Go to Policy Object > Schedule > Settings and then set as shown below: Figure 16-18 The Schedule Setting for Internet Access Step 2.
  • Page 340 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 3. Go to Policy > Outgoing and then set as shown below: Select the defined group from the Authentication drop-down list. Select the defined rule from the Schedule drop-down list. Click OK. Creating a Policy to Apply the Schedule and Authentication Settings Policy Successfully Created 6.1.1.4 Creating a Policy to Enable a Remote User to Control a...
  • Page 341 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 3. Under Policy > Incoming, set as shown below: Select the defined Virtual Server for Destination Address. Select “PC-Anywhere(5617-5632)” for Service. Click OK. Creating a Policy for External Users Controlling an Internal PC Remotely Policy Successfully Created 6.1.1.5 Creating a Policy to Limit the Downloaded Bandwidth,...
  • Page 342 Gigabit Multi-Homing VPN Security Gateway MH-2300 To avoid exposing your networks to hackers, it is strongly recommended not to select “ANY” for Service when configuring an incoming policy or WAN-to-DMZ policy. Step 3. Go to Policy Object > QoS > Settings and then set as shown below:...
  • Page 343 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 4. Go to Policy > WAN to DMZ and then set as shown below: Select the defined rule from the Destination Address drop-down list. Select “FTP(24-21)” from the Service drop-down list. Select the defined rule from the QoS drop-down list.
  • Page 344 Gigabit Multi-Homing VPN Security Gateway MH-2300 Policy Successfully Created 6.1.1.6 Creating Policies to Enable LAN / WAN Users to Have Email Access (Running Mail Server in DMZ in Transparent Mode) Step 1. Set up a mail server in DMZ with an IP address of 61.11.11.12 and resolve the domain name with an external DNS server.
  • Page 345 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 4. Under Policy > WAN To DMZ, set as shown below: Select the predefined address rule for Destination Address. Select the predefined service rule for Service. Click OK. Creating a Policy for External Users Accessing DMZ Mail Server...
  • Page 346 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 5. Under Policy > LAN To DMZ, set as shown below: Select the predefined address rule for Destination Address. Select the predefined service rule for Service. Click OK. Creating a Policy for Internal Users Accessing DMZ Mail Server...
  • Page 347 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 6. Under Policy > DMZ To WAN, set as shown below: Select the predefined address rule for Source Address. Select the predefined service rule for Service. Click OK. Creating a Policy for External Users Accessing the DMZ Mail Server...
  • Page 348: Chapter 7. Abnormal Ip Flow

    Chapter 7. Abnormal IP Flow 7.1 Abnormal IP Flow Once an abnormal traffic flow is detected, MH-2300 will take action to block the flow of packets. This protection ensures that the network remains operational, and consequently the business revenue generating opportunities are left undisturbed.
  • Page 349 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 2. Go to Anomaly Flow IP > Settings and then set as shown below: Enter the Traffic Threshold per IP. (The default value is 100) Tick Enable Anomaly Flow IP Blocking and then type the Blocking Time.
  • Page 350 Users whose PCs emit abnormal traffic flows can receive a customizable message in their browser to alert them about the incident. Step 3. When a DDoS attack occurs, MH-2300 generates a corresponding log under Anomaly Flow IP > Virus-infected IP.
  • Page 351: Chapter 8. Monitoring

    VPN, PPPoE, SMTP, POP3, etc., providing the IT administrator with an instant insight when any connection issues arise. Application Blocking Logs provide details of all the applications that have been blocked by the MH-2300. Concurrent Sessions Logs provide details of the Max. Concurrent Sessions of each policy.
  • Page 352: Traffic

    Gigabit Multi-Homing VPN Security Gateway MH-2300 8.1.1 Traffic 8.1.1.1 Viewing the Logs of Used Protocols and Port Numbers Step 1. Go to Policy > DMZ To WAN and set as shown below: Enable the Packet Logging. Click OK. Creating a Policy to Enable Packet Logging for DMZ Traffic...
  • Page 353 Gigabit Multi-Homing VPN Security Gateway MH-2300 Step 2. Under Monitoring > Logs > Traffic, it shows the traffic status of a policy. Click any Source IP or Destination IP to see which protocols and ports it used and its traffic.
  • Page 354 Gigabit Multi-Homing VPN Security Gateway MH-2300 The Traffic Logs of a Specific IP Address Deleting All the Traffic Logs...
  • Page 355: Events

    Gigabit Multi-Homing VPN Security Gateway MH-2300 8.1.2 Events 8.1.2.1 Viewing the System Events and WAN Status Step 1. Under Monitoring > Logs > Events, the system access history and the status of WAN are shown. The Event Logs...
  • Page 356: Connections

    Gigabit Multi-Homing VPN Security Gateway MH-2300 8.1.3 Connections 8.1.3.1 Viewing the Logs of WAN Connectivity Step 1. Under Monitoring > Logs > Connections, it shows the logs of PPPoE, Dynamic IP Address, DHCP, PPTP Server, PPTP Client, IPSec and Web VPN.
  • Page 357 Gigabit Multi-Homing VPN Security Gateway MH-2300 Deleting All the Connection Logs...
  • Page 358: Application Blocking

    8.1.4 Application Blocking 8.1.4.1 Viewing the Logs of IPs That Attempted to Access Restricted Applications Step 1. Under Policy > Outgoing, set as shown below: Select the defined application blocking. Click OK. Creating a Policy to Apply the Application Blocking Settings Policy Successfully Created Step 2.
  • Page 359 Deleting the Application Blocking Logs...
  • Page 360: Concurrent Sessions

    8.1.5 Concurrent Sessions 8.1.5.1 Viewing the Logs of IPs That Exceeded Concurrent Sessions Threshold Step 1. Go to Policy > Outgoing and then set as shown below: Enter a value in the Max. Concurrent Sessions per IP field...
  • Page 361 Creating a Policy to Limit the Maximum Concurrent Sessions Policy Successfully Created Step 2. Monitoring > Logs > Concurrent Sessions shows the logs of the concurrent sessions that have exceeded the specified value.
  • Page 362: Quota

    8.1.6 Quota 8.1.6.1 Viewing the Logs of IPs That Exceeded Traffic Quota Step 1. Go to Policy > Outgoing and then set as shown below: Type a value in the Quota per Source IP field.
  • Page 363 Creating a Policy to Limit the Network Traffic on a Per-IP Basis Policy Successfully Created Step 2. Monitoring > Logs > Quota shows the logs of the quotas that have reached the configured value.
  • Page 364: Logging Settings

    8.1.7 Logging Settings 8.1.7.1 Archiving or Retrieving Logs Generated by MH-2300 Step 1. Go to System > Configuration > Settings and then set as shown below: Tick Enable email notifications and then configure the related settings.
  • Page 365 Step 2. Go to Monitoring > Logs > Settings and then set as shown below: The Logging Settings...
  • Page 366: Traffic Grapher

    8.2 Traffic Grapher This chapter will cover the operation of Traffic Grapher, which allows for viewing the statistical graphs of a WAN interface or a network policy. WAN Traffic provides the statistical graphs of traffic or packets that are processed through a network interface.
  • Page 367: WAN Traffic

    8.2.1 WAN Traffic Step 1. Under Monitoring > Traffic Grapher > WAN Traffic, the statistical graphs of a WAN interface are available in different time units. Click Minutes for statistics that are graphed per minute.
  • Page 368 The WAN Statistical Graphs...
  • Page 369: Policy-Based Traffic

    The Traffic Grapher is automatically activated after a WAN interface is added under Network > Interface. The statistical graphs from a specific time can be obtained by using the date and time pickers (drop-down lists) and the Refresh button.
  • Page 370 The Policy-based Statistical Graphs...
  • Page 371: Diagnostic Tools

    The Traffic Grapher requires manual activation for each network policy, respectively. By traffic direction, statistical graphs are categorized into six types, namely outgoing, incoming, WAN-to-DMZ, LAN-to-DMZ, DMZ-to-WAN, DMZ-to-LAN, LAN-to-LAN, and DMZ-to-DMZ. The statistical graphs from a specific time can be obtained by using the date and time pickers (drop-down lists) and the Refresh button.
  • Page 372 The Ping Results of a Host If VPN is selected from the Interface drop-down list, the user must enter the local LAN IP address in the Interface field. Enter the IP address that is under the same subnet range in the Destination IP / Domain name field.
  • Page 373 The Ping Results of a VPN Connection...
  • Page 374: Traceroute

    8.3.2 Traceroute Step 1. Under Monitoring > Diagnostic Tools > Traceroute, the MH-2300 can use the Traceroute command to send packets to a specific address and diagnose the quality of the traversed network. Destination IP / Domain name: Enter the destination address or domain name for the packets.
  • Page 375: Wake-on-LAN

    8.4 Wake-on-LAN Any wake-on-LAN supported PC can be remotely turned on by a “wake-up” packet sent from the MH-2300. By utilizing remote control software such as VNC, Terminal Service or PC Anywhere, a remote user may remotely wake up a computer and access it.
  • Page 376: Status

    Sessions Info: It records all the sessions sending or receiving packets over MH-2300. DHCP Clients: It records the status of IP addresses distributed by MH-2300 built-in DHCP server. Terms in ARP Table Search Available searching criteria are IP Version, Destination IP, MAC Address...
  • Page 377 Go to Monitoring > Status > ARP Table, click the search icon and then set as below: Select the IP Version and the Interface. Click the Search button. Searching for an ARP Entry Terms in Sessions Info...
  • Page 378 Searching for the Info of a Session Terms in DHCP Clients Search Available searching criteria are IP Version, IP Addresses and MAC Address. Under Monitoring > Status > DHCP Clients, click the search icon and then set as shown below: Select the IP Version.
  • Page 379: Interface

    Step 1. Under Monitoring > Status > Interface, it shows the status of all interfaces. The Status of All Network Interfaces 1. System Uptime: The operating uptime of the MH-2300. 2. No. of Active Sessions: Shows the current number of sessions connected to the device.
  • Page 380 10. IP Address / Netmask: The interface’s IP address and netmask. 11. Default Gateway: Shows the WAN gateway address. 12. IPv6 Address / Prefix Length: The interface’s IPv6 address and prefix length. 13. IPv6 Default Gateway: The interface’s IPv6 default gateway.
  • Page 381: System Info

    8.5.2 System Info Step 1. Under Monitoring > Status > System Info, it shows the current system information, such as CPU utilization and memory utilization. The Utilization of System Resources 8.5.3 Authentication Step 1. Under Monitoring > Status > Authentication, it shows the authentication status of the device.
  • Page 382: ARP Table

    IP Address: Displays the authenticated user’s IP address. Authentication – User Name: The user’s authenticated login name. Login Time: The user’s login time (year/ month/ day/ hour/ minute/ second) 8.5.4 ARP Table Step 1. Under Monitoring > Status > ARP Table, it shows NetBIOS Name, Destination IP, MAC Address and Interface of any computer that has connected to the device.
  • Page 383: Sessions Info

    8.5.5 Sessions Info Step 1. Under Monitoring > Status > Sessions Info, it provides a list of all the sessions that have connected to the device. By clicking on any source IP, it shows the port number and the traffic.
