SANGFOR IAM v2.1 User Manual
IAM 2.1 User Manual
September, 2010


Summary of Contents for Sangfor IAM 2.1

  • Page 1 Cover: SANGFOR IAM v2.1 User Manual, September 2010
  • Page 2: Table Of Contents

    Table of Contents (p. 1); Announcement (p. 8); Preface (p. 9); About This Manual (p. 9); Document Conventions (p. 10); Graphic Interface Conventions (p. 10); Symbol Conventions (p. 11); Technical Support (p. 11); Acknowledgements (...)
  • Page 3 3.10 Backup/Restore (p. 44); 3.11 Reboot (p. 45); 3.12 Maintenance (p. 45); 3.13 Auto Update (p. 46); 3.14 Route (p. 47); 3.14.1 Policy Routing (p. 47); 3.14.2 Static Routing (p. 50); 3.15 Generate Certificate (p. 53); 3.16 ...
  • Page 4 6.1.1 System Status (p. 98); 6.1.2 Optimization Status (p. 98); 6.1.3 Cache Hit (p. 100); 6.2 Proxy Options (p. 101); 6.2.1 System Settings (p. 102); 6.2.1.1 Basic Settings (p. 104); 6.2.1.2 Advanced Settings (p. 105); Chapter 7 IAM ...
  • Page 5 7.1.2.9 Reminder (p. 149); 7.1.2.9.1 Time Reminder (p. 149); 7.1.2.9.2 Flow Reminder (p. 150); 7.1.2.9.3 Bulletin Page (p. 151); 7.2 Authentication Options (p. 153); 7.2.1 New User Authentication (p. 153); 7.2.2 SSO Settings (p. 156); 7.2.2.1 Active Directory SSO (p. 157); 7.2.2.1.1 ...
  • Page 6 7.4.5.1 Binding IP/MAC (p. 193); 7.4.5.1.1 Bind IP (p. 193); 7.4.5.1.2 Bind MAC (p. 194); 7.4.5.1.3 Bind Both IP and MAC (p. 196); 7.4.5.1.4 No Binding (p. 197); 7.4.5.2 Group (p. 197); 7.4.5.3 Authentication Method (p. 198); 7.4.5.4 ...
  • Page 7 10.1.4 Behavior Monitoring (p. 238); 10.2 Audit Log Maintenance (p. 239); 10.3 Data Center Settings (p. 239); 10.4 Enter Data Center (p. 242); Chapter 11 Logs/Troubleshooting (p. 244); 11.1 System Logs (p. 244); 11.2 Policy Troubleshooting (p. 246); 11.3 ...
  • Page 8 13.3.12 Advanced (p. 298); 13.3.12.1 LAN Service (p. 298); 13.3.12.2 VPN Interface (p. 302); 13.3.12.3 LDAP Server (p. 303); 13.3.12.4 Radius Server (p. 304); 13.3.13 Generate Certificate (p. 305); Chapter 14 DHCP (p. 306); 14.1 DHCP Status (p. 306); 14.2 ...
  • Page 9: Announcement

    SANGFOR, SANGFOR Technology and the SANGFOR logo are the trademarks or registered trademarks of SANGFOR Technology Co., Ltd. All other trademarks used or mentioned herein belong to their respective owners. This manual shall only be used as usage guide, and no statement, information, or suggestion in it shall be considered as implied or express warranty of any kind, unless otherwise stated.
  • Page 10: Preface

    Preface. About This Manual: the IAM 2.1 User Manual includes the following chapters. Chapter 1, IAM Installation: describes the product appearance, function features and performance parameters of the IAM gateway device, and the wiring and cautions before installation.
  • Page 11: Document Conventions

    Chapter 13 Security How to configure some extension functions and security-related modules provided by the SANGFOR IAM gateway, such as gateway antivirus, intrusion prevention system (IPS), VPN settings, IPSec connection, and some other common and advanced settings.
  • Page 12: Symbol Conventions

    Symbol Conventions. This manual also uses the following symbols to mark parts that need special attention during operation. Caution: indicates actions that could cause setting errors, loss of data or damage to the device.
  • Page 13: Chapter 1 Iam Installation

    1.2. Power The SANGFOR IAM series device uses 110 ~ 230V alternating current (AC) as its power supply. Make sure it is well-grounded before being provided with power supply.
  • Page 14: Configuration And Management

    WAN1 Interface: network interface, to be defined as WAN1, LAN or DMZ interface. WAN2 Interface: network interface, to be defined as WAN2, LAN or DMZ interface. POWER: power indicator of the IAM gateway device. ALARM: alarm indicator of the IAM gateway device (it keeps on for one minute...
  • Page 15 such as a router, optical fiber transceiver, ADSL modem, etc. Use a standard RJ-45 Ethernet cable to connect the DMZ interface to the DMZ zone network. Generally, the Web server and Mail server providing services to the wide area network (WAN) are placed in the DMZ zone.
  • Page 16: Wiring Method Of Redundant System

    Wire Sequences of Straight-through Cable and Crossover Cable 1.6. Wiring Method of Redundant System If two SANGFOR IAM gateway devices are deployed to work in high availability mode (HA), the wiring to the external network and internal network should be as shown in the following figure:...
  • Page 17 then use a standard RJ-45 Ethernet cable to connect the IAM gateway device to another networking device such as a router, optical fiber transceiver or ADSL modem. Use the console cable (among the accessories) to connect the serial ports of the two IAM gateway devices (through the CONSOLE interface).
  • Page 18: Chapter 2 Console

    Having connected all the wires, you can go on to configure the SANGFOR IAM gateway device through the WEB UI. Detailed procedures are as described in the following chapters.
  • Page 19: Iam Gateway Configuration

    Before login, you may be required to install the pop-up ActiveX control. Click "This site might require the following ActiveX control: 'sangfor dcweb' from Sangfor Technology Co., Ltd. Click here to install..." > "Install ActiveX Control..." and then follow the instructions to finish the installation.
  • Page 20: Chapter 3 System Status

    Chapter 3 System Status. [System] covers the running status of the IAM gateway device. Detailed sections are [Running Status], [Security Status], [License], [Gateway Mode], [Network Interface], [Date/Time], [Administrators], [WEB UI], [Backup/Restore], [Reboot], [Auto Update], [Route], [Generate Certificate], etc.
  • Page 21: Security Status

    connections of the IAM gateway device and the detailed connection information of an IP address. For a detailed introduction, please refer to Section 10.1.2 Connection Ranking. [View Flow Ranking]: click this link to view the uplink and downlink flow information of the top 10 rankings, the IP group to which each IP address belongs, the uplink and downlink traffic amount, and the traffic of specific applications.
  • Page 22: License

    3.3. License. [License] includes the [Gateway Antivirus license], the [Application Ident/URL Library License], [Multi-Function] authentication, etc. The license limits the number of connections from external networks and the number of Branch VPN and Mobile VPN connections; each license supports a certain number of lines and VPN licenses.
  • Page 23: Gateway Mode

    3.4. Gateway Mode. [Gateway Mode]: configures the working mode of the IAM gateway device. Four working modes are selectable, namely [Route Mode], [Bridge Mode], [Bypass Mode] and [Single-arm Mode]. The default configuration page of [Gateway Mode] is as shown below: the current gateway mode and interface information are shown, below which is a <Configure>...
  • Page 24 The deployment is as shown in the following figure: under Route mode, the default gateway of all LAN hosts points to the LAN interface IP of the IAM gateway device, or to a layer 3 switch which in turn points to the IAM gateway device.
  • Page 25: Bridge Mode

    3.4.2. Bridge Mode. Bridge-mode deployment uses the IAM gateway device as a network cable with a filtering function. This mode is usually applied where the original network topology is inconvenient to alter. The IAM gateway device sits between the original gateway and the LAN users; no change needs to be made on the original gateway or the LAN users.
  • Page 26: Bridge Mode: Multiple-Interface

    The configuration page is as shown below: 3.4.2.1. Bridge Mode: Multiple-Interface. By bridging the interfaces of the IAM gateway device, we can establish multiple interfaces for a bridge so as to support dual routes or dual lines in the network.
  • Page 27 Environment examples for Bridge-mode deployment: Environment 1: S1 connects to two external lines R1 and R2; an IAM gateway device (in bridge mode) is then deployed to bridge R1 and R2 with S1. Environment 2: in order to enhance the stability of the network and reduce single-node failure, both the core switch and the router of the local area network are redundant.
  • Page 28 [Gateway Mode]: options are [Multi-Interface] and [Multi-Bridge]. [Select Interface]: only available for [Multi-Interface]. [LAN Zone Interface List]: the selected interface will connect to the local area network. [WAN Zone Interface List]: the selected interface will connect to the outgoing device(s).
  • Page 29: Bridge Mode: Multi-Bridge

    3.4.2.2. Bridge Mode: Multi-Bridge. Environment for Bridge mode Multi-bridge: in order to enhance the stability of the network and reduce single-node failure, both the core switch and the router of the local area network are redundant. Both R1 and R2 use the VRRP protocol.
  • Page 30 [Select LAN Zone Interface]: select a LAN interface. [Select WAN Zone Interface]: select a WAN interface. [Bridge List]: defines the direction the data are forwarded to. Click the <Next> button to go to the next page and configure the bridge, as shown below: [Bridge Direction]: indicates the direction of data transmission.
  • Page 31 [Default Gateway]: points to the next-hop interface IP of the bridge. Under Multi-Bridge mode, you have to configure [Default Gateway] for each bridging direction. [Default gateway] configures the default route of each bridge that points to the gateway.
  • Page 32: Bypass Mode

    network segments should also be configured in [Bridge Mode] > [Bridge Settings] page > [Bridge IP List]. Under Bridge mode, the IAM gateway device supports VLAN TRUNK traversal; [Bridge IP] can be an IP address of an 802.1Q VLAN (which means the IAM gateway device can be transparently connected to the trunk link of a VLAN TRUNK).
  • Page 33 Under the [Gateway Mode] default configuration page, click <Configure> to enter the [Select Gateway Mode] page. Select [Bypass Mode] and click the <Next> button, then the following page appears: [IP Address]: configures the IP address of the MANAGE interface (DMZ interface).
  • Page 34 [Monitored Network Segment List]: configure the network segments to be monitored. In order to have the IAM gateway device reach the console or the client-updater, the [IP Address] and [Default Gateway] must be configured and the network cable should connect to the DMZ interface.
  • Page 35: Single-Arm Mode

    Click the <Next> button to continue to the next step, configuring the [Excluded IP List], as shown below: [Excluded IP List]: access data requested by these excluded IP addresses will not be recorded. Bypass mode deployment assumes that there is a hub or a switch with a mirror port. If the ...
  • Page 36 no influence on the network environment. If the device is down, you need only disable the proxy service on the user's PC to have it back to normal. Typical topology of the single-arm mode is as shown below: failure will not disconnect the network.
  • Page 37 Gateway Mode] page. Select [Single Arm Mode] and click the <Next> button, then the following page appears: [IP Address]: configures the IP address of the LAN interface. [Default Gateway]: configures the gateway of the local area network, the same as the gateway of the LAN computers.
  • Page 38: Network Interface

    3.5. Network Interface. Under Route mode, you can configure the network interfaces on this [Network Interface] page. If it is in Bridge mode, [Multi-bridge], you can also configure the bridge here. As to other gateway modes, the network interfaces are configured in [System] >...
  • Page 39: Multi-Node Sync

    forwarded to each other (one-armed routing); besides, you can configure [LAN<->LAN] firewall rules to control access among different VLAN IDs (VID). [DMZ Interface]: displays the information of the DMZ interface. Click the <Configure> button to enter the corresponding configuration page and configure the [IP address] and [Subnet mask].
  • Page 40 The [Multi-Node Synchronization] configuration page is as shown below: [Multi-Node Synchronization]: [Enable] it and the user authentication information, user list, and data of the internal identification libraries will be synchronized in real time. [Communication Interface]: configures the network interface used for the synchronization between the IAM gateway devices.
  • Page 41: Date/Time

    <View Synchronization Report> button to view the synchronization information. 3.7. Date/Time [Date/Time]: Configures the system date and time of the SANGFOR IAM hardware gateway device. In addition to modifying the system time directly, you can configure a [Time Server] to synchronize the time, and select a local [Time Zone].
  • Page 42 <Select All>, <Inverse>: click the corresponding button to select the needed administrator(s). <Delete>, <Enable>, <Disable>: click the corresponding button to delete, enable or disable the selected administrator. <Add>: click this button to enter the [Edit Administrator] page, as shown below: [Administrator Name]: type in a unique name for this administrator to distinguish it from others.
  • Page 43 introductions follow in this section. [Login IP List]: configures the IP address(es) from which the administrator(s) can log in to the console. You can type in a single IP address or an IP range, one entry per line; a maximum of 32 entries is allowed.
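The [Login IP List] is the only control on this page that limits where the console can be reached from, so it is worth validating the list the same way the appliance must. The following is an added example, not code from the manual or from SANGFOR: it parses the "single IP or range, one per line, at most 32 entries" format and answers whether a given login source is allowed. The sample list is constructed, and treating an empty list as deny-all is this example's choice (the manual does not say how the device handles that case).

```python
import ipaddress

# Limit stated on the manual's [Login IP List] page: at most 32 entries.
MAX_LOGIN_IP_ENTRIES = 32

# Constructed sample of what an administrator would type into the box:
# one single address and one inclusive range, one entry per line.
SAMPLE_LOGIN_IP_LIST = """
10.251.251.5
192.168.1.10-192.168.1.20
"""


def parse_login_ip_list(text):
    """Parse the [Login IP List] text into a list of (start, end) integer
    pairs. Malformed lines, reversed ranges and more than 32 entries raise
    ValueError rather than being skipped, so a typo cannot quietly widen
    (or silently shrink) the set of addresses allowed to reach the console."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if "-" in line:
            start_s, end_s = (part.strip() for part in line.split("-", 1))
        else:
            start_s = end_s = line
        try:
            start = int(ipaddress.IPv4Address(start_s))
            end = int(ipaddress.IPv4Address(end_s))
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if end < start:
            raise ValueError(f"line {lineno}: range end precedes start: {line}")
        entries.append((start, end))
    if len(entries) > MAX_LOGIN_IP_ENTRIES:
        raise ValueError(
            f"{len(entries)} entries exceed the limit of {MAX_LOGIN_IP_ENTRIES}")
    return entries


def login_allowed(entries, source_ip):
    """True if the console login source falls inside any entry. An empty
    list is treated as 'deny everyone' here; that is this example's choice,
    the manual does not say how the appliance handles an empty list."""
    addr = int(ipaddress.IPv4Address(source_ip))
    return any(start <= addr <= end for start, end in entries)


if __name__ == "__main__":
    allow = parse_login_ip_list(SAMPLE_LOGIN_IP_LIST)
    for ip in ("192.168.1.15", "192.168.1.21", "10.251.251.5"):
        print(ip, "allowed" if login_allowed(allow, ip) else "denied")
```

Ranges are inclusive at both ends, so an entry such as 192.168.1.0-192.168.1.255 admits a whole /24; keep the list to the management hosts that actually need console access.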
  • Page 44: Webui

    [Delayed Email Audit] and [Data Center Audit]. [View]: indicates this admin can only view the selected user or sub-group user information, the policy applied to its group and the online user list. [Member Management]: indicates this admin can manage and edit the selected group and sub-group users.
  • Page 45: Backup/Restore

    [Default Encoding]: select an option and unrecognizable encodings in the monitored data will be handled as this encoding. [HTTPS Login Port]: configures the HTTPS port for logging in to the WEB UI. It is 443 by default.
  • Page 46: Reboot

    [Backup Configuration]: click the link <Click to backup configuration> to download the configuration to the local computer and back it up. [Restore from configuration automatically backed up at some time]: select the time at which the configuration file was backed up.
  • Page 47: Auto Update

    Under the default configuration page, click the <Advanced> button to enter the [System Maintenance] > [Advanced] page and configure [Auto Upload Unknown URL], [Auto Report System Error] and [Auto Report Unknown Application], as shown below: [Auto Upload Unknown URL]: select [Enable] and unknown URLs found while using the IAM gateway device will be uploaded automatically. Note that this sends URLs browsed on your network to the vendor; weigh that against your confidentiality requirements before enabling it.
  • Page 48: Route

    ISP server of the update server is the same with that used by the IAM gateway device. 3.14. Route [Route] covers [Policy Routing] and [Static Routing], and mainly configures the route related to the IAM gateway device. 3.14.1. Policy Routing SANGFOR IAM gateway device allows you to configure [Policy Routing]. Policy routing is...
  • Page 49 mainly used when the IAM gateway connects to multiple external lines. By configuring the source IP, destination IP, source port, destination port, protocol, etc., a policy-based route is created, and the external line used to reach the external network is selected according to the manually created policy.
  • Page 50 [Policy Name]: type in a unique name for this policy-based route to distinguish it from others. [Source IP], [Destination IP]: configure the source IP and destination IP of the data packets to which this policy route applies. Four options are available, namely [All], [Single IP], [IP range] and [Subnet].
  • Page 51: Static Routing

    If the selected [Target Line] is unavailable, the IAM gateway device will send the data packets over an available target line. If you need the routing table of each ISP, please contact the Customer Service of SANGFOR. Having obtained the routing table, click the <Browse> button to upload the policy routing and then click the <Import>...
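The policy routing pages above describe a matcher over source/destination address (with the [All], [Single IP], [IP range] and [Subnet] options), ports and protocol, plus the rule that a packet whose [Target Line] is down is moved to a line that is up. The block below is an added example of that logic, not code from the manual or from SANGFOR. Two things in it are assumptions: that policies are evaluated in list order with the first match winning, and that port 0 means "any port" (the manual states that convention on the NAT pages, not here). The two policies and the line names WAN1/WAN2 are constructed.

```python
import ipaddress
from dataclasses import dataclass


def match_address(spec, ip):
    """Evaluate one [Source IP]/[Destination IP] option against an address.
    spec is ('all',), ('single', ip), ('range', first, last) or ('subnet', cidr)."""
    addr = ipaddress.IPv4Address(ip)
    kind = spec[0]
    if kind == "all":
        return True
    if kind == "single":
        return addr == ipaddress.IPv4Address(spec[1])
    if kind == "range":
        return ipaddress.IPv4Address(spec[1]) <= addr <= ipaddress.IPv4Address(spec[2])
    if kind == "subnet":
        return addr in ipaddress.IPv4Network(spec[1], strict=False)
    raise ValueError(f"unknown address option {spec!r}")


@dataclass
class PolicyRoute:
    name: str
    src: tuple
    dst: tuple
    protocol: str      # 'tcp', 'udp', 'icmp' or 'any'
    src_port: int      # 0 = any port (assumed here, mirroring the NAT pages' convention)
    dst_port: int
    target_line: str   # external line, e.g. 'WAN1' or 'WAN2'


def policy_matches(policy, pkt):
    return (match_address(policy.src, pkt["src"])
            and match_address(policy.dst, pkt["dst"])
            and policy.protocol in ("any", pkt["proto"])
            and policy.src_port in (0, pkt["sport"])
            and policy.dst_port in (0, pkt["dport"]))


def select_line(policies, pkt, line_up, default_line):
    """Return (policy name, line). Policies are tried in list order and the
    first match wins (an assumption; the page does not state the order).
    If the matched policy's [Target Line] is down, the packet is moved to
    any line that is up, as the manual describes; if no line is up the
    result is None. Packets matching no policy use the default route."""
    for policy in policies:
        if not policy_matches(policy, pkt):
            continue
        if line_up.get(policy.target_line):
            return policy.name, policy.target_line
        for line, up in line_up.items():
            if up:
                return policy.name, line
        return policy.name, None
    return None, default_line


# Constructed policies: web traffic from the 192.168.2.0/24 segment prefers
# WAN2; a small block of hosts talking to one branch address must use WAN1.
POLICIES = [
    PolicyRoute("web-via-wan2", ("subnet", "192.168.2.0/24"), ("all",), "tcp", 0, 80, "WAN2"),
    PolicyRoute("branch-via-wan1", ("range", "10.251.251.100", "10.251.251.120"),
                ("single", "198.51.100.9"), "any", 0, 0, "WAN1"),
]
```

The fallback is worth noticing from a security standpoint: a policy written to keep certain traffic on a particular ISP (for example to satisfy a source-address expectation at the far end) silently stops being enforced when that line goes down.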
  • Page 52 Add return route for SNAT function (for multiple segments). If several LAN segments access the Internet through the SANGFOR gateway device, then you need to add a [Static Routing] entry so that the IAM gateway device can return the data...
  • Page 53 Configuration Example of Static Routing. Provided that there are two LAN segments, 10.251.251.X and 192.168.2.X, which are connected to each other through a layer 3 switch. The LAN PCs of both segments point to the corresponding gateway configured on the layer 3 switch.
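To show why the static return route matters, here is an added example (not code from the manual or from SANGFOR) that runs a longest-prefix-match lookup over the device's routing table with and without the entry for the second segment. The addresses of the IAM LAN interface, the layer 3 switch and the default gateway are assumptions; the manual's example names only the two segment prefixes.

```python
import ipaddress

# Constructed topology (assumed; the manual's example names only the two
# segments 10.251.251.X and 192.168.2.X behind a layer 3 switch):
#   IAM LAN interface   10.251.251.1/24
#   layer 3 switch      10.251.251.254 on the IAM side, owner of 192.168.2.0/24
#   default gateway     203.0.113.1 via WAN1
BASE_ROUTES = [
    ("10.251.251.0/24", None, "LAN"),         # directly connected, no next hop
    ("0.0.0.0/0", "203.0.113.1", "WAN1"),     # default route to the ISP
]
# The [Static Routing] entry the manual tells you to add for the second segment.
RETURN_ROUTE = ("192.168.2.0/24", "10.251.251.254", "LAN")


def build_table(routes):
    """Parse (prefix, next_hop, interface) triples and order them so the
    longest prefix is consulted first, which is how a routing lookup works."""
    parsed = [(ipaddress.IPv4Network(prefix), next_hop, iface)
              for prefix, next_hop, iface in routes]
    return sorted(parsed, key=lambda route: route[0].prefixlen, reverse=True)


def lookup(table, destination):
    """Return (next_hop, interface) for the first (longest) matching prefix."""
    addr = ipaddress.IPv4Address(destination)
    for network, next_hop, iface in table:
        if addr in network:
            return next_hop, iface
    return None


def reply_path(destination, with_return_route):
    """Where the IAM device sends a reply (for instance the return half of a
    SNAT'd session) addressed to `destination`, with or without the static
    return route configured."""
    routes = BASE_ROUTES + ([RETURN_ROUTE] if with_return_route else [])
    return lookup(build_table(routes), destination)


if __name__ == "__main__":
    for flag in (False, True):
        print("return route configured:", flag, "->", reply_path("192.168.2.20", flag))
```

Without the entry, the only prefix covering 192.168.2.20 is the default route, so replies to the second segment leave on WAN1 and the session never completes; with it, they go to the layer 3 switch on the LAN side.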
  • Page 54: Generate Certificate

    3.15. Generate Certificate. [Generate Certificate]: generates the hardware certificate, which is the unique label distinguishing this device. This certificate serves as its ID when it registers with the SC (Secure Center) Management. The [Generate Certificate] page is as shown below: 3.16.
  • Page 55 [High Availability]: displays the status of this function, enabled or disabled. [Device Name]: displays the name of the local device. Click <Modify> to edit the device name. [Active/Standby Status]: displays the active or standby status of the local device. Click the <Switch to Active>...
  • Page 56 Configuration Example of High Availability. With the timeout of the primary node set to 10 seconds, the primary node sends a message to the standby node every 10 seconds. If the standby node does not receive the message from the primary node within 10 seconds, the standby node will consider the primary node down and switch from Standby status to Active status automatically.
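The example above pairs a 10-second heartbeat interval with a 10-second timeout, which leaves no slack for a late or lost heartbeat. The block below is an added example, not code from the manual or from SANGFOR: it computes when a standby would take over given the actual heartbeat arrival times, and how many consecutive heartbeats a given interval/timeout pair tolerates. Treating a gap exactly equal to the timeout as acceptable is an assumption; the manual does not state the boundary.

```python
# Values from the manual's example: the primary sends a heartbeat every
# 10 s and the standby declares it down after 10 s without one.
HEARTBEAT_INTERVAL = 10.0
TIMEOUT = 10.0


def failover_time(arrivals, now, timeout=TIMEOUT):
    """Earliest instant at which the standby switches to Active, or None.
    `arrivals` are the times heartbeats actually reached the standby. A gap
    exactly equal to the timeout is tolerated here ('>' rather than '>=');
    that boundary choice is an assumption, the manual does not specify it."""
    last = None
    for t in sorted(arrivals):
        if last is not None and t - last > timeout:
            return last + timeout
        last = t
    if last is not None and now - last > timeout:
        return last + timeout
    return None


def tolerated_consecutive_losses(interval, timeout):
    """How many consecutive heartbeats may be lost before a failover is
    triggered, assuming the rest arrive exactly on schedule. After k losses
    the gap between received heartbeats is (k + 1) * interval."""
    k = 0
    while (k + 1) * interval <= timeout:
        k += 1
    return k - 1


if __name__ == "__main__":
    print("losses tolerated at 10 s / 10 s:", tolerated_consecutive_losses(10, 10))
    print("one late heartbeat:", failover_time([0, 10, 20.5], now=25))
```

With interval equal to timeout, zero losses are tolerated: a heartbeat delayed by half a second triggers a takeover while the primary is still healthy. A heartbeat-only design also cannot tell a dead primary from a cut heartbeat link, so keep that in mind when choosing the [Communication Interface] and timeout values.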
  • Page 57: Chapter 4 Object

    Control Policy] page > [Access Control], and the [Bandwidth Settings] configuration in [Bandwidth Management], to create a policy. The SANGFOR IAM gateway device adopts patented technology to efficiently block the above-mentioned chat and IM software tools. Because the data packets of each kind of software have a...
  • Page 58 The key to identifying an application is to analyze the features of these data packets. SANGFOR periodically provides the feature value definitions for software such as P2P, IM, etc. You can contact SANGFOR and apply for application identification rule packages to import the rules manually, or you can analyze the data packets yourself and define your own application identification rule by clicking the <Add>...
  • Page 59 Configure in the [Packet Content Matching] section the feature value according to the analysis of the data packets. [Internal Rule Library Released At]: indicates the latest time at which the current version of the internal rule library was released.
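The pages above describe user-defined application identification by matching feature values in packet content. The following is an added example of that idea, not code from the manual or from SANGFOR, and its rule format is this example's own rather than the appliance's: each rule names a transport, an optional port, and byte patterns that must appear at a given offset (or anywhere) in the first payload of a flow. The sample payloads are constructed.

```python
# Constructed identification rules in the spirit of [Packet Content
# Matching]: the first payload of a flow is matched against byte patterns
# at fixed offsets (offset -1 means 'anywhere in the payload'). Rules are
# tried in order, so put the most specific ones first. The rule format is
# this example's own, not the appliance's.
RULES = [
    {"name": "BitTorrent-handshake", "proto": "tcp", "port": None,
     "patterns": [(0, b"\x13BitTorrent protocol")]},
    {"name": "SIP-INVITE", "proto": "udp", "port": 5060,
     "patterns": [(0, b"INVITE "), (-1, b" SIP/2.0\r\n")]},
    {"name": "HTTP-request", "proto": "tcp", "port": None,
     "patterns": [(0, b"GET "), (-1, b" HTTP/1.")]},
]


def _pattern_hits(payload, offset, pattern):
    if offset < 0:
        return pattern in payload
    return payload[offset:offset + len(pattern)] == pattern


def identify(proto, dport, payload):
    """Return the name of the first rule whose transport, port (if any) and
    every byte pattern match, or 'unknown'."""
    for rule in RULES:
        if rule["proto"] != proto:
            continue
        if rule["port"] is not None and rule["port"] != dport:
            continue
        if all(_pattern_hits(payload, off, pat) for off, pat in rule["patterns"]):
            return rule["name"]
    return "unknown"


# Constructed sample payloads.
BT_HANDSHAKE = b"\x13BitTorrent protocol" + bytes(8) + b"A" * 20 + b"-EX0001-" + b"B" * 12
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SIP_INVITE = b"INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.1\r\n"
TLS_CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"
```

The BitTorrent rule carries no port, so a handshake sent to port 80 is still classified as BitTorrent; that is the point of content matching over port-based classification. Encrypted or obfuscated variants carry no such fixed bytes, which is why the manual defers those to the [Intelligent Ident Rule] behaviour-based detection.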
  • Page 60: Intelligent Ident Rule

    [Intelligent Ident Rule] mainly identifies P2P applications in plaintext or ciphertext form, identifies encrypted Skype data according to Skype actions, and identifies SSL certificates, SANGFOR VPN data, data from proxy tools, and VOIP and IM video and voice data.
  • Page 61 [Application Ident Rule] detects P2P applications as well, but only plaintext P2P data. If you disable the [P2P Action] (in the Intelligent Ident Rule List on the [Intelligent Ident Rule] page), it can still successfully identify plaintext P2P data but fails to identify ciphertext P2P data.
  • Page 62: Service

    Rule] and [Intelligent Ident Rule] > VOIP [Edit Intelligent Ident Rule]. 4.3. Service. [Service] is generally associated with the rules configured in [Firewall] > [Firewall Rules] and the rules configured in [IAM] > [Access Control Policy] page > [Access Control] > [Service Control].
  • Page 63: Ip Group

    [Service Name]: type in a unique name for this new service (choose one that is easy to remember) to distinguish it from others. Click [TCP], [UDP], [ICMP] or [Others] to define the protocol to be applied; check [Add Port] and type in a single port or a port range, as shown below: if it is the [Other] protocol, [Protocol number] 0 indicates all protocols.
  • Page 64 [IP Group] is generally associated with the rules configured in [Firewall] > [Firewall Rules]. It configures the source IP addresses and destination IP addresses, or defines the LAN users in association with [IAM] > [Organization Structure] page > [Edit User] > [User Attribute] > [Binding] > [Bind IP] >...
  • Page 65: Schedule

    Finally, you have to click the <OK> button to save all the settings. The local PC can [Auto Resolve] the domain name, provided that the Internet is accessible to it. 4.5. Schedule. [Schedule] defines commonly used time periods, mainly used as valid time or expiry time. The defined schedule can be referenced by [Firewall] >...
  • Page 66: Url Group

    [Name]: names the newly created schedule. [Description]: type in a brief description for this schedule. Click (or click and drag) the needed time periods in the table and click the <Enable> button to enable the selected time periods; then click the <OK> button to save the settings on this page.
  • Page 67 [URL Library Released At]: indicates the latest time at which the current version of the URL library was released. [Update URL Library]: if the URL library cannot update automatically because the device is disconnected from the Internet, you can update the URL library manually. Just click the <Browse> button and upload the...
  • Page 68 [URL Search]: enter the domain name into [URL Search] and click the <Search> button to check whether this domain name exists in the URL library and which URL group contains it. For instance, type in www.sina.com and click the <Search> button; the search result is...
  • Page 69: White List Group

    [Domain Name Keyword]: the URL group is matched automatically if the URL contains the configured domain name keyword. Having completed configuring this page, you have to click the <OK> button to save the settings. 4.7. White List Group. [White List Group] defines the domain name white list, which can be referenced by [Access Control Policy] >...
  • Page 70: Keyword Group

    [Description]: type in a brief description for this white list group. [URL List]: configures the members of the white list group, one domain name (or IP address) per row. Having completed configuring, you have to click the <OK> button to save the settings.
  • Page 71: File Type Group

    [Name]: names the new keyword group. [Description]: type in a brief description for this keyword group. [Keyword]: configures the keywords, one entry (keyword) per row. Having completed configuring, you have to click the <OK> button to save the settings.
  • Page 72: Ingress Rule

    [Name]: names the new file type group. [Description]: type in a brief description for this file type group. [File Type]: configures the file extensions, one entry per row. Having completed configuring, you have to click the <OK> button to save the settings.
  • Page 73 [Update Internal Rule]: click the <Browse> button to upload the internal ingress rule file and update the current internal rules. You can obtain this file from SANGFOR Customer Service. [Import Rule] corresponds to the <Export> button below the [Ingress Rule List], which can export the selected ingress rule file(s) in .conf format;...
  • Page 74 [Rule Name]: names the combined ingress rule. [Matching Condition]: defines the relation between the combined rules; options are [One of the rules must be satisfied] and [All of the rules must be satisfied].
  • Page 75 [Classification]: defines the classification of this ingress rule; options are [Operation System], [Process], [File], [Registry], [Task Plan] and [Others]. [Rule Type]: select the type for this ingress rule (or directly enter a new user-defined rule type name into the text box that follows).
  • Page 76 Step 1: <Add> a new ingress rule. Select a [Classification] (or any other existing rule type). Step 2: enter the [Rule type]. Click the pull-down menu and select a rule type, or enter a new one. The length of the rule type must be within 95 bytes.
  • Page 77 Configure [Rule Type], [Rule Name], [Description], [Process Settings] (including [Process Name], [Window Name], [Application Path], [Application MD5], [File Size], etc.), and [Operation] as [Deny Internet access], [Stop Process] or [Submit report only]. Having completed configuring this page, click the <OK> button to save the settings and add this ingress rule to the [Ingress Rule List].
  • Page 78 Configure [Rule Type], [Rule Name], [Description]. [File Attributes]: options are [User's computer must contain the following file] and [User's computer must not contain the following file]; enter the file path or click <Browse> to upload the file;...
  • Page 79 type the [File Path] that is provided by the IAM gateway device. Definitions of some of the macro directories are as shown in the following table (case insensitive): Format; Definition (provided the C disk is the system disk)
  • Page 80 with the return value. The [Task Plan] ingress rule configuration page is as shown below: [Rule Type]: configures the type of the ingress rule. [Rule Name], [Description]: configure the name and a brief description for the ingress rule.
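The pages on combined rules, process rules and file rules describe a small rule language: a process rule matches on name and/or [Application MD5], a file rule requires a file to be present or absent, a combined rule joins sub-rules with "one of" or "all of", and a matched rule triggers an [Operation]. The block below is an added example that evaluates such rules against a snapshot of a PC; it is not code from the manual or from the SANGFOR client, its rule and snapshot formats are this example's own, and the executable bytes, paths and MD5 are constructed.

```python
import hashlib

# Constructed stand-in for the bytes of a P2P client's executable; its MD5
# plays the role of [Application MD5] in a process rule.
BT_IMAGE = b"constructed stand-in for the bittorrent.exe image"
BT_MD5 = hashlib.md5(BT_IMAGE).hexdigest()

# Constructed snapshot of what the client would report about a user's PC:
# running processes (name, path, image MD5) and the files present.
HOST = {
    "processes": [
        {"name": "bittorrent.exe",
         "path": r"C:\Users\alice\AppData\Local\bt\bittorrent.exe", "md5": BT_MD5},
        {"name": "explorer.exe", "path": r"C:\Windows\explorer.exe", "md5": "0" * 32},
    ],
    "files": {r"C:\Program Files\AV\av.exe"},
}

# Ingress rules in this example's own format. A rule is 'violated' when the
# condition it describes is present on the PC, and [Operation] then applies.
RULES = [
    {"name": "block-bt-by-hash", "type": "process", "md5": BT_MD5,
     "operation": "Stop Process"},
    {"name": "require-av", "type": "file", "path": r"C:\Program Files\AV\av.exe",
     "must_exist": True, "operation": "Deny Internet access"},
    {"name": "bt-and-no-av", "type": "combined", "condition": "all",
     "rules": [
         {"type": "process", "process_name": "bittorrent.exe"},
         {"type": "file", "path": r"C:\Program Files\AV\av.exe", "must_exist": True},
     ],
     "operation": "Deny Internet access"},
]


def _norm(path):
    """Paths are compared case-insensitively, as the manual says of macro directories."""
    return path.replace("/", "\\").lower()


def violated(rule, host):
    kind = rule["type"]
    if kind == "process":
        # Every criterion given ([Process Name], [Application MD5]) must match the same process.
        for proc in host["processes"]:
            if rule.get("process_name") and proc["name"].lower() != rule["process_name"].lower():
                continue
            if rule.get("md5") and proc["md5"].lower() != rule["md5"].lower():
                continue
            return True
        return False
    if kind == "file":
        present = _norm(rule["path"]) in {_norm(f) for f in host["files"]}
        return present != rule["must_exist"]   # 'must contain' is violated when absent, and vice versa
    if kind == "combined":
        results = [violated(sub, host) for sub in rule["rules"]]
        return any(results) if rule["condition"] == "one" else all(results)
    raise ValueError(f"unknown rule type {kind!r}")


def actions(rules, host):
    """[Operation]s to carry out for this PC, in rule order."""
    return [(rule["name"], rule["operation"]) for rule in rules if violated(rule, host)]
```

Matching on [Application MD5] rather than [Process Name] is what catches a client that has simply been renamed; the test below includes that case. The converse limitation also holds: a recompiled or updated binary has a new hash, so hash-only rules need refreshing.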
  • Page 81: Ssl Certificate

    [Others] ingress rules can enforce IP/MAC binding across a layer 3 switch, and prevent the client from logging into a LAN PC as administrator to access the Internet, which helps avoid virus infection. The [Others] ingress rule configuration page is as shown below: configure [Rule Type], [Rule Name], [Description], etc.
  • Page 82 root certificates in the library are trusted. You can import a trusted root certificate into the [Trusted Root Certificate List] or delete a trusted root certificate. The related page is as shown below: [Import Trusted Root Certificate]: import a certificate from the local PC; only crt or cer format certificates are supported.
  • Page 83: Chapter 5 Firewall

    Chapter 5 Firewall. [Firewall] covers the configuration of [Firewall Rules], [NAT Rules], [Anti-DoS] and [ARP Protection], as shown below: 5.1. Firewall Rule. [Firewall Rule] configures the specific settings of data packet access. The IAM gateway device allows you to configure filtering rules for data transmission between [LAN<->DMZ],...
  • Page 84 Under the above configuration page, click the <Edit> button and the [Edit Firewall Rule LAN<->DMZ] configuration page appears. Click the <Enable> button to enable this rule; or click the <Add> button and the [Edit Firewall Rule LAN<->DMZ] configuration page pops up, as shown in the following figure: firewall rules are matched from top to bottom, so place specific deny rules above broader allow rules.
  • Page 85: Dmz <-> Wan

    to say, the data packets will be dropped. 5.1.2. DMZ <-> WAN. [DMZ <-> WAN] configures the rules for access between the WAN interface and the DMZ interface. The service can be all the services of a certain protocol or user-defined service(s). For detailed configuration, please refer to Section 5.1.1 LAN <->...
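The firewall pages combine three objects defined in Chapter 4 ([Service] with protocol and port ranges, where [Others] with protocol number 0 means every protocol; [IP Group]; and the rule list matched top to bottom) into a decision. The block below is an added example of that evaluation, not code from the manual or from SANGFOR. The services, groups and rules are constructed, and dropping a packet that matches no enabled rule is this example's assumption about the end of the list.

```python
import ipaddress

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}

# [Service] objects: protocol number (0 under [Others] = every protocol) and
# port ranges (empty = any port). Constructed for this example.
SERVICES = {
    "http": {"proto": 6, "ports": [(80, 80)]},
    "ssh":  {"proto": 6, "ports": [(22, 22)]},
    "ping": {"proto": 1, "ports": []},
    "all":  {"proto": 0, "ports": []},
}

# [IP Group] objects, as CIDR prefixes.
IP_GROUPS = {
    "lan-users": ["192.168.1.0/24"],
    "dmz-web":   ["10.0.0.5/32"],
    "any":       ["0.0.0.0/0"],
}

# Firewall rules in list order: (name, direction, service, source group,
# destination group, action, enabled). Evaluated top to bottom, first match wins.
RULES = [
    ("lan-to-dmz-web",  "LAN->DMZ", "http", "lan-users", "dmz-web",   "allow", True),
    ("lan-to-dmz-ping", "LAN->DMZ", "ping", "lan-users", "dmz-web",   "allow", True),
    ("lan-to-dmz-ssh",  "LAN->DMZ", "ssh",  "lan-users", "dmz-web",   "allow", False),  # disabled
    ("dmz-to-lan-all",  "DMZ->LAN", "all",  "dmz-web",   "lan-users", "deny",  True),
]


def in_group(group, ip):
    addr = ipaddress.IPv4Address(ip)
    return any(addr in ipaddress.IPv4Network(c) for c in IP_GROUPS[group])


def service_matches(service, pkt):
    proto = PROTO_NUMBERS[pkt["proto"]]
    if service["proto"] not in (0, proto):
        return False
    if not service["ports"]:
        return True
    return any(lo <= pkt["dport"] <= hi for lo, hi in service["ports"])


def decide(rules, pkt):
    """Return (action, rule name). Disabled rules are skipped. A packet that
    matches no rule is dropped; that default is this example's assumption."""
    for name, direction, service, src_group, dst_group, action, enabled in rules:
        if not enabled or direction != pkt["direction"]:
            continue
        if (in_group(src_group, pkt["src"]) and in_group(dst_group, pkt["dst"])
                and service_matches(SERVICES[service], pkt)):
            return action, name
    return "drop", None


def packet(direction, src, dst, proto, dport=0):
    return {"direction": direction, "src": src, "dst": dst, "proto": proto, "dport": dport}
```

A disabled rule contributes nothing, so the SSH packet in the test falls through to the drop at the end; and because the DMZ-to-LAN deny uses the "all" service (protocol number 0), it catches UDP and ICMP as well as TCP.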
  • Page 86: Vpn <-> Wan

    In the [Firewall Rule List], the [Service], [Source IP Group] and [Destination IP Group] can be configured in the corresponding page of [Object], or you can click the <Add> button that follows to create a new one. For detailed configuration of each object, please refer to the corresponding section in Chapter 4 Object.
  • Page 87: Vpn<->Lan

    5.1.5. VPN<->LAN. [VPN<->LAN] configures the rules for data transmission between the VPN interface and the LAN interface. By default, TCP, UDP and ICMP data transmission in both directions between these interfaces is allowed. The configuration page is as shown below: for instance, to allow the IP addresses (172.16.1.100-172.16.1.200) of a Branch VPN...
  • Page 88: Lan<->Lan

    As to other kinds of data packets from the VPN headquarters or the Branch VPN, you can also configure filtering rule(s) for the data transmission between other interfaces. 5.1.6. LAN<->LAN. [LAN <-> LAN] configures the data transmission between the LAN1 interface (LAN interface on...
  • Page 89: Dmz <-> Dmz

    5.1.7. DMZ <-> DMZ. [DMZ <-> DMZ] configures the data transmission between the DMZ1 interface (the DMZ interface on the IAM gateway device) and the DMZ2 interface (the WAN2 interface on the IAM gateway device), or configures the communication among the IP addresses (of different segments) that are bound to the DMZ interface.
  • Page 90: Snat

    5.2.1. SNAT. Provided that the LAN network is 192.168.1.0/255.255.255.0, to create a SNAT (source network address translation) rule to proxy all the LAN users' access to the Internet, you need to configure the following.
  • Page 91: Dnat

    SANGFOR IAM v2.1 User Manual If [Advanced Settings] is checked, more settings are seen. Detailed introductions are as follows: [Destination Address]: Options are [All] and [Specified]. [All] means all the destination IP addresses, while [Specified] indicates that the destination addresses are the specified ones.
  • Page 92 SANGFOR IAM v2.1 User Manual page, as shown below: Type a [Rule Name] to name this DNAT rule; Select an [Ingress Interface]; Select a [Protocol], [All] the protocols or the [Specified] protocol TCP; enter [Source port] 0 (indicates all the ports), [Destination port] 80~80;...
  • Page 93: Anti-Dos

    SANGFOR IAM v2.1 User Manual satisfied. Having completed configuring this page, you have to click the <OK> button to save the settings. If the [Source port] of TCP [Protocol] is configured as 0, it indicates all the ports.  Settings of allowing any Internet IP address to access the LAN IP 10.251.251.61 at port 80 ...
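    The SNAT and DNAT pages above describe rules by their fields but not how a packet is matched against them. The following is an added example, not Sangfor code: a small model of those two rule types showing first-match evaluation, the "0 indicates all the ports" convention, the 80~80 destination port range, and the reply mapping a gateway needs to send SNAT return traffic back to the right LAN host. All addresses, interface names and rule values are constructed for illustration; a real gateway also rewrites the source port to avoid collisions, which is omitted here.

```python
# Added example, not Sangfor code: a model of SNAT/DNAT rule matching.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    name: str
    ingress: str          # [Ingress Interface], e.g. "WAN1" (constructed name)
    proto: str            # "all" or one protocol ([Protocol])
    dst: str              # "all" or one public IP ([Destination Address])
    sport: tuple          # (lo, hi); (0, 0) means all source ports
    dport: tuple          # (lo, hi); "80~80" is (80, 80)
    target: str           # LAN address the traffic is translated to
    target_port: int


def port_matches(port, rng):
    """A range of (0, 0) is the manual's "0 indicates all the ports"."""
    lo, hi = rng
    return (lo == 0 and hi == 0) or lo <= port <= hi


def apply_dnat(pkt, ingress, rules):
    """First matching rule wins, so rule order matters. Returns (packet, rule name)."""
    for r in rules:
        if r.ingress != ingress:
            continue
        if r.proto != "all" and r.proto != pkt.proto:
            continue
        if r.dst != "all" and r.dst != pkt.dst:
            continue
        if not (port_matches(pkt.sport, r.sport) and port_matches(pkt.dport, r.dport)):
            continue
        return replace(pkt, dst=r.target, dport=r.target_port), r.name
    return pkt, None   # no DNAT rule matched: destination is left untouched


class Snat:
    """SNAT for one LAN segment behind one WAN address, with a reply table so
    that return traffic can be un-translated (the role of a connection table).
    Source ports are not rewritten here, so two LAN hosts reusing the same
    source port towards the same destination would collide in this model."""

    def __init__(self, lan_cidr, wan_ip):
        self.lan = ip_network(lan_cidr)
        self.wan_ip = wan_ip
        self.table = {}   # (proto, sport, dst, dport) -> original LAN source

    def outbound(self, pkt):
        if ip_address(pkt.src) not in self.lan:
            return pkt    # only the configured LAN range is proxied
        self.table[(pkt.proto, pkt.sport, pkt.dst, pkt.dport)] = pkt.src
        return replace(pkt, src=self.wan_ip)

    def inbound_reply(self, pkt):
        """Map a reply addressed to the WAN IP back to the LAN host that sent
        the request; None means no known connection, i.e. drop."""
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        if pkt.dst != self.wan_ip or key not in self.table:
            return None
        return replace(pkt, dst=self.table[key])


# Constructed rule set mirroring the page's example: any Internet source,
# TCP, any source port, destination port 80 -> LAN host 10.251.251.61:80.
RULES = [DnatRule("web", "WAN1", "tcp", "all", (0, 0), (80, 80), "10.251.251.61", 80)]
```

    Run a TCP packet for port 80 through `apply_dnat` and it is rewritten to the LAN host; the same packet for port 443, or the same packet arriving on a different ingress interface, falls through with no rule name, which is where the default drop of the firewall rules applies.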
  • Page 94 [LAN Address List]: Configures the LAN IP range that gets access to the Internet through the SANGFOR IAM gateway device. Data packets from IP addresses outside the [LAN Address List] will be dropped by the IAM gateway device, which means these blocked IP...
  • Page 95 same segment as the IAM gateway device) will be blocked by the IAM gateway device. The [LAN Router List] prevents the MAC address of a LAN router (in the list) from being blocked by the IAM gateway device.
  • Page 96: ARP Protection

    (that directly connects to the IAM gateway device) to the [LAN Router List], so that the MAC address of this interface is excluded from the anti-DoS rule and from being blocked. Generally, if the WAN interface of the IAM gateway device connects to any firewall or router, the interface IP address of that routing device should be added to the [LAN Router List].
  • Page 97 The configuration page is as shown below. [Enable ARP Protection]: Select [Enable] to enable the ARP spoofing protection function. [Static ARP List]: If the gateway of the LAN PCs is not an interface IP address of the IAM gateway device, the [Static ARP List] should be configured.
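    The three lists above ([LAN Address List], [LAN Router List] and [Static ARP List]) interact: a sender outside the LAN range is dropped unless its MAC is a listed router, and a reply that claims a static-ARP IP with a different MAC is a spoof. The following is an added example, not Sangfor code: it parses constructed ARP frames (RFC 826 Ethernet/IPv4 layout) and applies those checks in that order. The addresses, MACs and the order of the checks are this example's own.

```python
# Added example, not Sangfor code: ARP frame parsing plus the LAN address,
# router MAC and static ARP checks described on the anti-DoS/ARP pages.
import struct
from ipaddress import ip_address, ip_network

ARP_FMT = ">HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_REPLY = 2


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(frame):
    """Return the operation, sender MAC/IP and target MAC/IP of one ARP frame."""
    if len(frame) < struct.calcsize(ARP_FMT):
        raise ValueError("short ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"oper": oper, "sha": mac_str(sha), "spa": str(ip_address(spa)),
            "tha": mac_str(tha), "tpa": str(ip_address(tpa))}


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed test frames; a capture would give you the same 28 bytes."""
    def to_mac(s):
        return bytes.fromhex(s.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                       to_mac(sender_mac), ip_address(sender_ip).packed,
                       to_mac(target_mac), ip_address(target_ip).packed)


class LanPolicy:
    def __init__(self, lan_address_list, lan_router_macs, static_arp):
        self.lan = [ip_network(n) for n in lan_address_list]
        self.router_macs = {m.lower() for m in lan_router_macs}
        self.static_arp = {ip: mac.lower() for ip, mac in static_arp.items()}

    def in_lan_list(self, ip):
        return any(ip_address(ip) in n for n in self.lan)

    def verdict(self, frame):
        """'allow' or 'drop:<reason>' for one ARP frame."""
        arp = parse_arp(frame)
        # Anti-DoS: a sender outside the LAN address list is dropped, unless its
        # MAC is a known router interface (the LAN Router List exemption).
        if not self.in_lan_list(arp["spa"]) and arp["sha"] not in self.router_macs:
            return "drop:outside-lan-address-list"
        # ARP protection: the static entry for the claimed IP must match the sender MAC.
        expected = self.static_arp.get(arp["spa"])
        if expected is not None and expected != arp["sha"]:
            return "drop:arp-spoof"
        return "allow"


# Constructed policy: one LAN segment, the upstream router's MAC exempted, and a
# static entry pinning the LAN gateway 192.168.1.1 to that same MAC.
POLICY = LanPolicy(["192.168.1.0/24"], ["00:11:22:33:44:55"],
                   {"192.168.1.1": "00:11:22:33:44:55"})
```

    The spoof case is the one ARP protection exists for: a host answering for 192.168.1.1 with its own MAC would otherwise redirect the segment's default route through itself.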
  • Page 98: Chapter 6 WAN Optimization

    The SANGFOR IAM gateway device helps to solve this problem. The preliminary data requested by a LAN user who visits this website for the first time will be cached by the IAM...
  • Page 99: System Status

    6.1.1. System Status [System Status] displays the disk usage, sessions, memory usage and cached object information, as shown below: [Disk Usage]: Displays the disk space used by and available for optimization. [Sessions]: Refreshes and displays the total current sessions every five minutes.
  • Page 100 [Optimization] displays two kinds of statistics objects, one is [Flow] and the other is [Flow Speed], in time units of [Last 24 hours], [Last 7 days] or [Last 30 days]. [Flow]: Gives statistics on the traffic volume passing through and the traffic volume saved by the WAN optimization module.
  • Page 101: Cache Hit

    6.1.3. Cache Hit [Cache Hit] gives statistics on the percentage and the number of times the cached data is matched (hit) by requested data. The information is displayed in a [Bar graph] and a [Pie graph]. Hits may be counted by object or by byte;...
  • Page 102: Proxy Options

    The [Pie graph] of [Object hit] is as shown below: [Memory Hit]: Indicates cached data (in the memory of the IAM gateway device) being hit by LAN-user-requested data and being accelerated. [Disk Hit]: Indicates cached data (on the disk of the IAM gateway device) being hit by LAN-user-requested data and being accelerated.
  • Page 103: System Settings

    6.2.1. System Settings [System Settings] globally enables or disables the WAN optimization function, and displays the [Cache Usage] information. You can also clear the cache on this page. [WAN Optimization]: Globally enables the WAN optimization function. Select [Enable] or...
  • Page 104 [Disable] and then click the <OK> button to enable or disable this module respectively. [Cache Usage]: Displays the utilized/maximum memory space and disk space. Click the <Clear Cache> button and it prompts whether to continue the operation, as shown below: If you confirm clearing the cache, just click the <OK>...
  • Page 105: Basic Settings

    6.2.1.1. Basic Settings [Basic Settings] includes [Cache Time Settings] and [Other Settings], as shown below: [Shortest Update Interval]: Check this option and configure the minimum interval at which the cache is updated by the IAM gateway device. The IAM gateway device will not update the cached objects within this interval even though they have been updated on the server;...
  • Page 106: Advanced Settings

    [Limit memory cache size to smaller than]: Check this item and configure the maximum amount of memory used for the cache. The system adjusts this value automatically; altering it manually is not recommended. [Not cache object greater than _ KB]: Check this item and configure the size limit of a single file to be cached.
  • Page 107 this item is checked, the program will automatically define an expiry date for these web pages. [Check for Updates Upon Every Request]: Check this item and every request will be checked against the server regardless of whether the corresponding cached copy is the latest. Naturally, the cache hit percentage will drop if it is checked.
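    The settings in 6.2.1.1 and 6.2.1.2 trade freshness for hit rate: inside the [Shortest Update Interval] a changed object is still served from cache, while [Check for Updates Upon Every Request] asks the origin every time. The following is an added example, not Sangfor code: a simulation of those settings, the memory/disk split behind [Memory Hit] and [Disk Hit], and the by-object and by-byte hit ratios reported in 6.1.3. Object names, sizes, version strings and the order in which the checks are applied are this example's own; the page does not state how the appliance orders them.

```python
# Added example, not Sangfor code: simulation of the WAN optimization cache
# settings and hit statistics described in sections 6.1.3 and 6.2.1.
class WanCache:
    def __init__(self, shortest_update_interval, max_object_kb, check_every_request, memory_limit_kb):
        self.interval = shortest_update_interval   # seconds ([Shortest Update Interval])
        self.max_object_kb = max_object_kb         # [Not cache object greater than _ KB]
        self.check_every_request = check_every_request
        self.memory_limit_kb = memory_limit_kb     # [Limit memory cache size to smaller than]
        self.memory_used_kb = 0
        self.entries = {}   # url -> {"version", "size_kb", "fetched_at", "tier"}
        self.stats = {"requests": 0, "hits": 0, "memory_hits": 0, "disk_hits": 0,
                      "bytes_requested_kb": 0, "bytes_saved_kb": 0}

    def _store(self, url, version, size_kb, now):
        # Memory while it fits, otherwise disk (the two tiers behind the hit graphs).
        tier = "memory" if self.memory_used_kb + size_kb <= self.memory_limit_kb else "disk"
        if tier == "memory":
            self.memory_used_kb += size_kb
        self.entries[url] = {"version": version, "size_kb": size_kb, "fetched_at": now, "tier": tier}

    def request(self, url, now, origin_version, size_kb):
        """Serve one request. Returns (status, version_served); status is
        'hit-memory', 'hit-disk', 'miss' or 'bypass'."""
        self.stats["requests"] += 1
        self.stats["bytes_requested_kb"] += size_kb
        if size_kb > self.max_object_kb:
            return "bypass", origin_version          # too large to cache at all
        entry = self.entries.get(url)
        if entry is None:
            self._store(url, origin_version, size_kb, now)
            return "miss", origin_version
        if self.check_every_request:
            # Always revalidate: the origin decides whether our copy is current.
            current = entry["version"] == origin_version
        elif now - entry["fetched_at"] < self.interval:
            # Inside the shortest update interval the copy is served without
            # asking the origin, even if the origin has already changed.
            current = True
        else:
            current = entry["version"] == origin_version
            if current:
                entry["fetched_at"] = now             # revalidated, interval restarts
        if not current:
            if entry["tier"] == "memory":
                self.memory_used_kb -= entry["size_kb"]
            self._store(url, origin_version, size_kb, now)
            return "miss", origin_version
        self.stats["hits"] += 1
        self.stats["bytes_saved_kb"] += entry["size_kb"]
        self.stats[f"{entry['tier']}_hits"] += 1
        return f"hit-{entry['tier']}", entry["version"]

    def hit_ratios(self):
        """(by object, by byte), the two ways 6.1.3 counts hits."""
        s = self.stats
        by_object = s["hits"] / s["requests"] if s["requests"] else 0.0
        by_byte = s["bytes_saved_kb"] / s["bytes_requested_kb"] if s["bytes_requested_kb"] else 0.0
        return by_object, by_byte
```

    The second request for "/a" in the test below is the freshness caveat from the page made concrete: the origin is already at version v2, but the cache is still inside its 300 s interval and hands back v1.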
  • Page 108: Chapter 7 IAM

    Chapter 7 IAM [IAM] covers configuration of [Access Control Policy], [Authentication Option], [Authentication Server], [Organization Structure], [User Import], [LDAP Sync] and [Online Users]. The default page is as shown below: 7.1. Access Control Policy [Access Control Policy] mainly configures the policies controlling the LAN users' access to the Internet.
  • Page 109 [Access Control Policy List]: Displays the already-configured policies, including the [Policy Name], [Description], [Expiry Date], [Status] and [Operation]. <Select All>, <Inverse>: Click this button to quickly select the needed policies. <Add>: Click this button to create a new access control policy.
  • Page 110: Add Access Control Policy

    <Rename>: Click this operation link in the access control policy list to rename the policy, as shown below: Type the new name in the text box, and then click the <OK> button to save the settings.
  • Page 111 [Single policy], [Multiple policy]: Select either option and then type the name in the text box (preferably one that is easy to remember) to distinguish it from others. [Description]: Enter a brief description for this access control policy.
  • Page 112: Edit Access Control Policy

    Having completed configuring the page, you have to click the <OK> button to add one policy or multiple policies, as shown below: 7.1.2. Edit Access Control Policy On the default configuration page of [Access Control Policy], click the name of a policy to enter the [Edit Access Control Policy] page, as shown below: [Policy]: Select a policy to edit.
  • Page 113: Access Control

    The following are detailed introductions to each module. 7.1.2.1. Access Control To help the network administrator control the Internet activity of the LAN users, the SANGFOR IAM gateway device provides control based on inspecting the content of the data packets of a specific application, as well as control of Internet services according to destination IP address, protocol port and schedule.
  • Page 114: Application Control

    7.1.2.1.1. Application Control [Application Control] configures the items based on which the content of data packets will be inspected, and thereby achieves control over certain applications. [Application Control]: You have to check it to activate the rules configured under it, as shown below: Click the <Add>...
  • Page 115: Service Control

    For instance, if you want the LAN users to run only HTTP-based applications, you need to Allow ([Action]) all the HTTP applications ([Type]) and the DNS application ([Type]). <Select All>, <Inverse>: Click the button to quickly select the needed applications.
  • Page 116 Click the <Add> button to configure the service(s) to be controlled. Just select [Destination IP], [Service], [Action] and [Schedule], and you have finished configuring the [Service Control] rule. For instance, if you do not want the LAN users to browse web pages during office hours, you need to configure a service rule that denies the HTTP service.
  • Page 117: Proxy Control

    <Move Up>, <Move Down>: Click the button to move the selected service(s) up or down respectively. [Default Action]: Select [Allow] or [Deny] to configure the default action (of the current access control policy) for services not matched by the rule list above. This item works together with the service(s) configured above.
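    [Service Control] rules are a first-match list with a fallback [Default Action], so the same rules in a different order give different answers, and a rule whose [Schedule] is not active simply does not match. The following is an added example, not Sangfor code: an evaluator for such a rule list, with the page's "deny HTTP during office hours" rule, a constructed "On duty" schedule (Monday to Friday, 09:00 to 18:00), a DNS allow and a <Move Up> operation. Schedules, services, addresses and the rule set are constructed for the example.

```python
# Added example, not Sangfor code: first-match evaluation of a [Service Control]
# rule list with schedules and a [Default Action].
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Schedule:
    name: str
    weekdays: frozenset   # 0 = Monday ... 6 = Sunday; empty = every day
    start_min: int        # minutes after midnight, inclusive
    end_min: int          # exclusive

    def active(self, when):
        if self.weekdays and when.weekday() not in self.weekdays:
            return False
        minute = when.hour * 60 + when.minute
        return self.start_min <= minute < self.end_min


ALL_DAY = Schedule("All day", frozenset(), 0, 24 * 60)
ON_DUTY = Schedule("On duty", frozenset(range(5)), 9 * 60, 18 * 60)   # constructed office hours


@dataclass(frozen=True)
class Service:
    name: str
    proto: str        # "tcp", "udp" or "any"
    ports: tuple      # (lo, hi); (0, 0) = any port

    def matches(self, proto, dport):
        if self.proto != "any" and self.proto != proto:
            return False
        lo, hi = self.ports
        return (lo, hi) == (0, 0) or lo <= dport <= hi


HTTP = Service("HTTP", "tcp", (80, 80))
DNS = Service("DNS", "udp", (53, 53))
ANY = Service("Any", "any", (0, 0))


@dataclass(frozen=True)
class Rule:
    dst: str           # "any" or a CIDR ([Destination IP])
    service: Service
    action: str        # "allow" or "deny"
    schedule: Schedule

    def matches(self, proto, dst_ip, dport, when):
        if self.dst != "any" and ip_address(dst_ip) not in ip_network(self.dst):
            return False
        return self.service.matches(proto, dport) and self.schedule.active(when)


def evaluate(rules, default_action, proto, dst_ip, dport, when):
    """First match from the top wins; a rule whose schedule is not active is
    skipped. Returns (action, index of the matching rule, or None for default)."""
    for i, rule in enumerate(rules):
        if rule.matches(proto, dst_ip, dport, when):
            return rule.action, i
    return default_action, None


def move_up(rules, index):
    """The <Move Up> operation: swap a rule with the one above it."""
    rules = list(rules)
    if index > 0:
        rules[index - 1], rules[index] = rules[index], rules[index - 1]
    return rules


# Constructed policy: deny web browsing on duty, always allow everything to the
# intranet range, always allow DNS. Note the deny sits above the intranet allow.
RULES = [
    Rule("any", HTTP, "deny", ON_DUTY),
    Rule("10.0.0.0/8", ANY, "allow", ALL_DAY),
    Rule("any", DNS, "allow", ALL_DAY),
]
```

    With the deny rule on top, intranet HTTP is blocked during office hours as well; moving the intranet rule above it restores intranet access while the Internet deny still applies, which is the reason the <Move Up>/<Move Down> buttons exist.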
  • Page 118: Web Filter

    Socks4 and Socks5 proxies] is that the proxy is at the WAN interface end of the SANGFOR IAM gateway device. If the proxy is at the LAN interface end, it needs to work together with an ingress rule. For a detailed introduction to ingress rules, please refer to Section 4.
  • Page 119 [Action]: Select [Disable], [Deny] or [Allow] to define the status of the selected URL(s). [Schedule]: Select [All day], [On duty], [Off duty] or [Internet access total time] to define the valid time of the selected URL(s). As to the detailed configuration of [Schedule], please refer to Section 4.5 Schedule.
  • Page 120 [Action]: Select [Deny] or [Allow] to define the status of the corresponding URL. Having completed configuring this page, you have to click the <OK> button to save the settings. Advanced Filter [Advanced Filter] functions specifically for URL filtering of HTTP POST, controlling logging in to or posting to BBS, webmail, etc.
  • Page 121: HTTPS URL Filter

    [Action]: Select [Disable], [Deny], [Allow] or [Only allow login POST] to define the status of the selected URL(s). [Schedule]: Select [All day], [On duty], [Off duty] or [Internet access total time] to define the valid time of the selected URL(s). As to the detailed configuration of [Schedule], please refer to Section 4.5 Schedule.
  • Page 122 [Action]: Select [Disable], [Deny] or [Allow] to define the status of the selected URL(s). [Schedule]: Select [All day], [On duty], [Off duty] or [Internet access total time] to define the valid time of the selected URL(s). As to the configuration of [Schedule], please refer to Section 4.5 Schedule.
  • Page 123: Keyword Filter

    Having completed configuring this page, you have to click the <OK> button to save the settings. 7.1.2.2.3. Keyword Filter [Keyword Filter] configures the filtering function for [Search Engine] and [HTTP Upload]. [Keyword Filter]: Check this item to activate the keyword filtering rules configured under it.
  • Page 124: File Type Filter

    keywords, please refer to Section 4.8 Keyword Group. [Search Engine]: Check this item to enable the rules configured under it. <Add Keyword Group>: Click this button to list the forbidden keywords. To activate the keyword(s), you have to [Select] the corresponding keyword and configure the [Action] as [Deny].
  • Page 125 [File Type Filter] configures the filtering function for [Upload] and [Download]. [The following restrictions will also be applied to FTP upload/download]: Check this item and the filtering rules configured below will also apply to FTP upload/download.
  • Page 126 To activate the file type(s), select the corresponding file type(s) and configure the [Action] as [Deny]. <Select All>, <Inverse>: Click the corresponding button to select the needed file type(s). <Move Up>, <Move Down>: Click the corresponding button to move the selected file type(s) up or down.
  • Page 127: ActiveX Filter

    Internet and disclose your personal information. Some of these ActiveX controls are installed automatically by the browser, leading to the spread of malicious plug-ins. The SANGFOR gateway device can effectively address this problem with the help of the [ActiveX Filter] rule.
  • Page 128 to the former two, only one of them can be selected. Verify Legality of the Signature [Verify digital signature of ActiveX]: Select this item, and you can configure the conditions for verifying the legality of the certificate (signature).
  • Page 129 this item, and the access control policy will check whether the certificate (signature) of the ActiveX control exists in the [Trusted Root Certificate List]. If the certificate does not exist in the list, the ActiveX control will be filtered. As to the management of certificates, please refer to Section 4.11 SSL Certificate.
  • Page 130 [Online Anti-virus Plug-in]: Check this item, and the plug-in will be allowed to install if it is an online anti-virus plug-in. [Player Plug-in]: Check this item, and the plug-in will be allowed to install if it is a player plug-in.
  • Page 131: Script Filter

    Trojans or other kinds of viruses caused by running risky scripts. The SANGFOR IAM gateway device can identify the features of the scripts on a browsed web page and block these scripts before they are downloaded to the browser; therefore, the LAN users are kept away from script viruses.
  • Page 132: Email Filter

    [Filter risk object and invoking]: Check this item, and the script will be filtered directly if it contains a risky object or invocation. [Not filter the script of the following websites]: You can add the websites (among those in the white list group) whose scripts will not be filtered.
  • Page 133: Delayed Email Audit

    [Email Filter], [Enable Email Filter]: Check the two items to activate the email filtering function. For instance, if you want the LAN users to use only the email addresses provided by the enterprise itself, select [Only allow emails sent from the addresses with the following suffixes], and then type vpn.com.cn in the text box.
  • Page 134 The configuration page is as shown below: [Audit Address], [Audit-free Address List]: Define respectively the email address(es) to be audited or not to be audited. For instance, if you do not want to audit the emails received by the email addresses of the enterprise itself, you can type the domain name of the enterprise's...
  • Page 135: SSL Management

    any email needs audit. The audit information will be automatically delivered to this email address if there is an email that needs audit. Check and configure this item to avoid delaying the delivery of some important emails. This function must work in association with the configurations in [Advance] >...
  • Page 136: SSL Content Ident

    [Enable SSL Control]: Check this item to enable the [SSL black/white list control] function. Type the black list and white list respectively in the corresponding text boxes, and configure whether to allow expired certificates.
  • Page 137 [SSL Content Ident]: Check this item to activate the SSL content identification function. The configuration page is as shown below: [Enable SSL content identification]: Check this item to enable the identification function, and the SSL-encrypted webmail, web BBS, POP3 and SMTP contents will be identified, excluding financial services such as online banking, online payment, etc.
  • Page 138: Application Audit

    The SSL content identification function is invalid for financial services, such as online banking, online payment, etc. 7.1.2.5. Application Audit [Application Audit] helps monitor the Internet access information and records of the LAN users, including configuration of [Audit Option] and [Outgoing File Alarm].
  • Page 139 [Audit Option] falls into the following aspects: [Application Behavior Audit]: Records all the behaviors of the LAN users on the Internet.
  • Page 140 [Application Content Audit]: Audits the contents of the specific applications used by the LAN users. [Web Upload Audit]: Audits the text contents, BBS posting contents, webmail contents and the contents of the attachments that the LAN users upload.
  • Page 141: Outgoing File Alarm

    The emails delivered through webmail and the BBS posts can only be displayed under certain decoding. Checking [Web Content Audit] will lead to massive logs. If you do not want some websites or file types to be audited, please configure the options in [Advanced] > [Web Tracking].
  • Page 142 [Enable Outgoing File Alarm]: Check this option to activate the outgoing file alarm function. <Select All>, <Inverse>: Click it (above/below the file type list) to select the needed file type(s). <Alarm All>, <Alarm Encrypted>: Click it (above/below the file type list) to configure the [Alarm Option] of the selected file type(s).
  • Page 143 [In Adding Status]: Configures the options under it. You can configure a new file type here. [Use internal classifications (feature ident)]: Select a file type from the existing internal library and then click <OK>. The access control policy will identify files according to the features of this specific file type.
  • Page 144 [Enable alarm on multi-layer nested compression (more than 2 layers)]: Check this option and an alarm will be given when a nested compressed file is detected. [Enable alarm-free extension]: Check this option and enter the file type(s) free from alarm. You can type several suffixes in the text box, separated by English commas (,).
  • Page 145: Flow/Time Statistics

    have to activate the corresponding license. As to the detailed operation, please refer to Section 3.3 License. To have the [Outgoing File Alarm] function work, you have to enable [Audit files uploaded by FTP], [Web Upload Audit] and [Audit outgoing emails]; please refer to Section 7.1.2.5 Application Audit.
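    The [Outgoing File Alarm] pages above describe four checks: identifying a file type by its features rather than its suffix, alarming on encrypted files (<Alarm Encrypted>), alarming on nested compression deeper than two layers, and exempting alarm-free suffixes. The following is an added example, not Sangfor code: those checks run over archives constructed in memory with the standard library. The exemption here is granted only when the sniffed content type agrees with the alarm-free suffix; that is this example's design choice, since the page does not say how the appliance treats a renamed file. The file names, magic-byte table, size limits and recursion bound are the example's own.

```python
# Added example, not Sangfor code: content sniffing, encrypted-archive and
# nested-compression detection for an outgoing file alarm.
import io
import zipfile

MAGIC = [(b"PK\x03\x04", "zip"), (b"%PDF", "pdf"), (b"\xd0\xcf\x11\xe0", "ole"), (b"MZ", "pe")]
EXT_TYPES = {"zip": "zip", "pdf": "pdf", "doc": "ole", "xls": "ole", "exe": "pe", "dll": "pe"}


def sniff_type(data):
    """Feature identification: decide the type from the leading bytes, not the name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_archive(data, max_depth=8):
    """Return (nesting_depth, encrypted_seen): 0 = not a zip, 1 = plain zip,
    2 = zip inside a zip, and so on. Encrypted members are noted but not opened,
    and max_depth bounds the recursion so a crafted archive cannot keep us busy."""
    if sniff_type(data) != "zip":
        return 0, False
    depth, encrypted = 1, False
    if max_depth <= 1:
        return depth, encrypted            # recursion budget exhausted
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.flag_bits & 0x1:
                encrypted = True           # cannot descend without the password
                continue
            if info.file_size > 8 * 1024 * 1024:
                continue                   # skip huge members (zip-bomb guard)
            inner_depth, inner_enc = inspect_archive(z.read(info), max_depth - 1)
            depth = max(depth, 1 + inner_depth)
            encrypted = encrypted or inner_enc
    return depth, encrypted


def outgoing_file_alarm(filename, data, alarm_types, alarm_encrypted_types,
                        alarm_free_exts, nested_limit=2):
    """Return the list of alarm reasons for one outgoing file (empty = no alarm)."""
    kind = sniff_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # Alarm-free suffix: honoured only when the content really is that type.
    if ext in alarm_free_exts and EXT_TYPES.get(ext) == kind:
        return []
    reasons = []
    if kind in alarm_types:
        reasons.append(f"{kind} file")
    depth, encrypted = inspect_archive(data)
    if encrypted and kind in alarm_encrypted_types:
        reasons.append("encrypted archive")
    if depth > nested_limit:
        reasons.append(f"nested compression ({depth} layers)")
    if kind != "unknown" and EXT_TYPES.get(ext) != kind:
        reasons.append(f"suffix .{ext} does not match content type {kind}")
    return reasons


def make_zip(members):
    """Constructed test input: a zip holding the given {name: bytes} members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(single_member_zip):
    """Constructed test input: set the 'encrypted' general-purpose flag (bit 0) in
    the local header and the central directory of a one-member zip. The data is
    not really encrypted; the flag is what the detector looks at."""
    b = bytearray(single_member_zip)
    b[6] |= 0x01                           # local file header flags
    cd = b.find(b"PK\x01\x02")
    b[cd + 8] |= 0x01                      # central directory entry flags
    return bytes(b)
```

    The renamed-executable case is why feature identification matters: a PE file uploaded as "invoice.txt" is still reported, and an alarm-free ".pdf" suffix does not exempt a file whose bytes are not a PDF.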
  • Page 146: Online Duration Control

    7.1.2.6.2. Online Duration Control [Online Duration Control] controls the online duration of the users. The configuration page is as shown below: [Enable Online Duration Control]: Select [Enable] or [Disable] to enable or disable this control function respectively.
  • Page 147: Ingress System

    [Enable Session Control]: Enable it to limit the maximum concurrent sessions (connections) for a single IP address (user). This function prevents users from creating a large number of sessions with scanning tools or by using several download tools (at the same time) such as P2P. It helps lower the chance that viruses spread widely by scanning and connecting to other devices.
  • Page 148: Risk Ident

    <Add>: Click this button and the options pop up, as shown below: Select a [Type] and [Schedule], and then click <Add> to add this new ingress rule to the list. As to the configuration of a new schedule (here it indicates the valid time), please refer to Section 4.5 Schedule.
  • Page 149 [Risk Ident]: Check this item and the options pop up, as shown below: [Enable], [Disable]: Select to enable or disable the risky behavior identification function. [Identification Sensitivity]: Configures the sensitivity level of the rule detecting risky behaviors.
  • Page 150: Reminder

    The [Risk Ident] function is disabled by default. If you want to activate this function, you have to activate the corresponding license. As to the detailed operation, please refer to Section 3.3 License. [Alarm Level] and [Intercept Level] must not be higher than [Identification Sensitivity].
  • Page 151: Flow Reminder

    of the users and activate the prompt settings. [Schedule]: Select the time period to define the valid time of the [Time Reminder] function. As to the configuration of a schedule, please refer to Section 4.5 Schedule.
  • Page 152: Bulletin

    [Flow Reminder]: Enable it to have the IAM gateway device record the online traffic generated by the users and activate the prompt settings. [Schedule]: Select the time period to define the valid time of the [Flow Reminder] function. As to the configuration of a schedule, please refer to Section 4.5 Schedule.
  • Page 153 Having completed configuring this page, you have to click the <OK> button to save the settings. The related reminder pages can be defined and modified on the [Advanced] > [Page Customization] page. In some rule modules (such as [Access Control], [Web Filter], etc.), there is a [Default Action] ...
  • Page 154: Authentication Options

    7.2. Authentication Options [Authentication Options] mainly configures the IAM gateway device's user authentication related options. The configuration page is as shown below: 7.2.1. New User Authentication [New User Authentication] configures the default policy applicable to users not included in the member list.
  • Page 155 <Select All>, <Inverse>: Click it to select the needed new user policy. <Move Up>, <Move Down>: Click it to move the selected new user policy up or down. <Add>: Click this button to add a new user policy.
  • Page 156 [Automatically add authenticated new users to the above group] option is not checked. The SANGFOR IAM gateway device supports the following third-party servers: LDAP server, RADIUS server and POP3 server.
  • Page 157: SSO Settings

    You can choose the needed one according to your case. As to the configuration of a third-party authentication server, please refer to Section 7.3 Authentication Server. [Add to Organization Structure]: Check the option [Automatically add authenticated new users to the above group], and the applicable new users will be added to the assigned structure group and granted all the privileges of this structure group.
  • Page 158: Active Directory SSO

    SSO, as well as the configuration of a listening port to listen to the login data on the network. The configuration page is as shown below: 7.2.2.1. Active Directory SSO When the user's host logs in to the Active Directory server (not for the first time), it will automatically pass the web authentication without typing the username and password again.
  • Page 159: Install Component Mode

    The domain controller is located in the local area network, that is to say, PC1 and PC2 can log in to the domain controller before authentication; the domain controller and the IAM gateway device can communicate with...
  • Page 160: Configure Logon Script Program

    gateway device when the user logs in to the Active Directory, and will have the user log off from the IAM gateway device when logging off. 7.2.2.1.3. Configure Logon Script Program Log in to the domain controller, click [Start] > [Program] > [Administrator Tool] > [Manage...
  • Page 161 Right-click the to-be-monitored directory in the pop-up window, and click [Properties], as shown below: Select [Group Policy] and then [Default Domain Policy], as shown below:...
  • Page 162 Then click [User Configuration] > [Windows Settings] > [Scripts (Logon/Logoff)] in the pop-up [Group Policy Object Editor], as shown below: Double-click the [Logon] item, and the [Logon Properties] dialog appears, as shown below:...
  • Page 163 Click the <Show Files> button, and a directory is opened. Save the logon.exe script file into this directory and close the window.
  • Page 164: Configure Logoff Script Program

    In the [Logon Properties] dialog, click the <Add> button to enter the [Add a Script] dialog. Click <Browse> to upload the logon.exe script file and enter as [Script Parameters] the IP address (of the IAM gateway device), the port number (1773) and the shared key (which must be the same as the one configured on the IAM gateway device).
  • Page 165 In the pop-up [Logoff Properties] dialog, click the <Show Files> button to open a directory and save the logoff script (that is, the logoff.exe file). Then close the directory.
  • Page 166 Click the <Add> button in the pop-up [Logoff Properties] dialog, and the [Add a Script] dialog appears (as shown below). Click the <Browse> button to upload the logoff script file (that is, the logoff.exe file) and enter the [Script Parameters] (the IP address 10.251.251.251). Then close the related configuration dialogs/pages one by one.
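    The logon script parameters above include a shared key that must match the one on the gateway. The reason is that a logon notice maps an IP address to a user identity, and without a key anyone on the LAN could send a "logon" that maps their own IP to a privileged account. The following is an added example, not Sangfor code: the wire format of logon.exe and logoff.exe is not described on the page, so this is a hypothetical logon/logoff notice protected by an HMAC over user, IP, event, timestamp and nonce, with the verification a gateway would apply (MAC check first, then freshness, then replay). Port 1773 is the value the page gives; the message layout, key and addresses are this example's own.

```python
# Added example, not Sangfor code: a hypothetical shared-key-authenticated
# logon/logoff notice and its verifier, illustrating the role of the shared key.
import hashlib
import hmac
import json

LISTEN_PORT = 1773        # port given in the manual's script parameters
MAX_SKEW_SECONDS = 60     # this example's freshness window
REQUIRED = {"user", "ip", "event", "ts", "nonce"}


def build_notice(user, ip, event, shared_key, now, nonce):
    """Client side (what a logon/logoff script would send). Returns wire bytes:
    a canonical JSON body, a newline, and the hex HMAC-SHA256 of the body."""
    body = json.dumps({"user": user, "ip": ip, "event": event, "ts": int(now), "nonce": nonce},
                      sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(shared_key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + mac


class NoticeVerifier:
    """Gateway side: accept a notice only if the MAC is valid under the shared
    key, the timestamp is fresh and the nonce has not been seen before."""

    def __init__(self, shared_key):
        self.key = shared_key
        self.seen_nonces = set()

    def verify(self, wire, now):
        """Return (payload, 'ok') or (None, reason)."""
        try:
            body, mac = wire.rsplit(b"\n", 1)
            payload = json.loads(body)
        except ValueError:
            return None, "malformed"
        if not isinstance(payload, dict) or not REQUIRED <= payload.keys():
            return None, "malformed"
        # MAC first: nothing in an unauthenticated body is trusted, not even ts.
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, mac):
            return None, "bad-mac"
        if abs(int(now) - int(payload["ts"])) > MAX_SKEW_SECONDS:
            return None, "stale"
        if payload["nonce"] in self.seen_nonces:
            return None, "replay"
        if payload["event"] not in ("logon", "logoff"):
            return None, "bad-event"
        self.seen_nonces.add(payload["nonce"])
        return payload, "ok"
```

    In the checks below the tampered notice keeps a valid-looking body but changes the IP field, so it fails the MAC; a notice built with a different key fails the same way, which is the property the matching shared key on both sides buys.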
  • Page 167: Pop3 Sso

    SANGFOR IAM v2.1 User Manual the domain controller will not be found when the user is added to the domain. If a user has logged in to the Active Directory successfully but the primary DNS or IP address  is modified later, single sign-on (SSO) will get invalid; though, it seems that the user can still use the correct password to successfully log in.
  • Page 168: Network Environment

    SANGFOR IAM v2.1 User Manual user enters username, password and the authentication system can successfully log in to the assigned POP3 server, the password entered by the user is then proved correct, and the user will get authenticated; if it fails to log in, then the user cannot get authenticated.
  • Page 169: Web Sso

    SANGFOR IAM v2.1 User Manual If the POP3 server is in the external network, to achieve SSO, you have to check the option  [Allow users to access DNS service before authentication] (in [IAM] > [Authentication Options] page> [Other Authentication Options]), and entitle the user‟s root group the privilege to access the POP3 server.
  • Page 170 SANGFOR IAM v2.1 User Manual [Redirect to this page before authentication]: Check this option, and the webpage being browsed will be redirected to the configured page for Web SSO if the user has not been authenticated yet. [User Table Name]: Configures the name of the user table to be handed in to the server when user is getting Web authentication.
  • Page 171: Proxy Sso

    SANGFOR IAM v2.1 User Manual 7.2.2.4. Proxy SSO 7.2.2.4.1. Proxy Authentication Proxy authentication is generally applicable to the environment that the users get access to the Internet through Proxy, and that each user has been allocated with a proxy account.
  • Page 172: Listening Mirror Port

    SANGFOR IAM v2.1 User Manual If the authentication does not have the IAM gateway device get involved, SSO is available only when a listening port is configured first. As to the configuration of a listening port, please refer to Section 7.2.2.5 SNMP Option.
  • Page 173: Page Display After Authentication

    SANGFOR IAM v2.1 User Manual Type single IP address(es) or IP range(s) in the text box. The IP address(es) contained in this list has to get SSO authentication through the IAM gateway device, otherwise, it cannot access the Internet. It is an exception if some users have bound any of the IP address in this list but have checked [None] for [Authentication Method] (please refer to [IAM] >...
  • Page 174: Authentication Conflict Settings

    SANGFOR IAM v2.1 User Manual [Go to the recently requested Webpage]: If the user gets authenticated successfully, the WEB page will be redirected to the page that is requested by the user before successful authentication. [Go to the Logout page]: If the user gets authenticated successfully, the Web page will be redirected to the logout page.
  • Page 175: Snmp Option

    SANGFOR IAM v2.1 User Manual 7.2.5. SNMP Option [SNMP Option] helps to achieve Internet access through binding MAC, or binding IP and MAC address when a layer 3 switch exists in the networking environment. The configuration page is as shown below:...
  • Page 176: Other Authentication Options

    SANGFOR IAM v2.1 User Manual [Enable], [Disable]: Select it to enable or disable the [SNMP Option] function. [SNMP Server Access Timeout], [SNMP Server Access Interval]: Configures the timeout and the time interval that the layer 3 switch is accessed. The default value is recommended.
  • Page 177 SANGFOR IAM v2.1 User Manual this user in certain time (it is 120 minutes by default), this user will automatically log out. [Submit user name and password by POST]: Check this option, and the user will get authenticated through Web, with the correct username and password.
  • Page 178: Authentication Server

     <Ingress Client> to download and manually install the Ingress Client. 7.3. Authentication Server [Authentication Server]: Configures the third-party authentication server. SANGFOR IAM gateway device supports three authentication servers in the external networks, namely, LDAP, RADIUS and POP3. The default configuration page of [Authentication Server] is as shown below:...
  • Page 179: Ldap

    SANGFOR IAM v2.1 User Manual Click the <Add> button, and the [Edit Authentication Server] page appears, as shown below: [Server Type]: Select the needed server to open the corresponding settings. 7.3.1. LDAP [LDAP] server supports Microsoft SGtive Directory, SUN LDAP and OPEN LDAP server. You can select a needed one according to your case.
  • Page 180: Radius

    SANGFOR IAM v2.1 User Manual Generally, you need only configure [IP address], [Authentication port], [Server User], [Password] and [Types]; other settings are recommended to be the defaults. If necessary, please turn to the system administrator of LDAP server for detailed configuration guide to this page.
  • Page 181: Pop3

    SANGFOR IAM v2.1 User Manual Generally, you need only configure [IP address], [Authentication port], [Shared key], [Timeout] and [Protocol]. If necessary, please turn to the system administrator of RADIUS server for detailed configuration guide to this page. 7.3.3. POP3 [POP3] server configuration page is as shown below: You can configure the [IP address], [Authentication port] and [Timeout] for the POP3 server.
  • Page 182 SANGFOR IAM v2.1 User Manual As shown above, there is a built-in group, root group of the [Member List]. The root group cannot be deleted, and its name cannot be modified. The user-defined groups are subgroups of the root group.
  • Page 183: Search

    SANGFOR IAM v2.1 User Manual [Summary]: Displays the brief information of each member. [Description]: Displays the description of each member. <Select All>, <Inverse>: Click it to select the needed member(s) quickly. A group is of hierarchic structure, supporting maximum 16 hierarchies.
  • Page 184: Add Subgroup

    SANGFOR IAM v2.1 User Manual [Advanced Search]: Check this option, and the advanced search conditions appears which will help you to set more specific conditions to find a needed group or user. The advanced search conditions are [Authentication Method], [Other Option] and [Sort By].
  • Page 185 [Add Object]: Select [Single subgroup] or [Multiple subgroups] to add one subgroup or several subgroups at a time respectively. If [Multiple subgroups] is selected, you can add several subgroups that share the same properties at once.
  • Page 186: Edit Subgroup

    For instance, to add a subgroup under the group “2222”, click [2222] (in the left tree) and then click the <Add Subgroup> button. The hierarchic structure of the SANGFOR gateway supports a maximum of 16 levels (root group ...
  • Page 187 [Search]: The function and configuration are the same as those in the above Section [Add Subgroup]. Note that here you can only search the members of the group “2222”. The same applies to other subgroups (searching only among the members of the current subgroup).
  • Page 188 Check the subgroup(s) or user(s) to be moved, and then click the <Select> button; choose a target group in the organization structure and click <OK>. The selected member(s) are then moved to the target group.
  • Page 189 The export and import functions are only available for subgroup members. User members cannot be exported or imported in this way, because different users on the SANGFOR gateway cannot have the same name, whereas groups can share a name as long as they are on different paths.
  • Page 190 [Use Parent Group Policy]: Check this option and the policy (or policies) are inherited from and identical to those of the parent group; you cannot perform any operation on them, such as adding, moving up/down or deleting a policy. Uncheck this option, and the group can be associated with access control policies of its own.
  • Page 191: Edit User

    One user or group can be associated with a maximum of 10 access control policies. If there are multiple policies in the list, arrange them in the proper order. For detailed introductions and notes, refer to Section 7.1 Access Control Policy.
  • Page 192 by a back slash (/). [Description]: Type a brief introduction for this newly-created user. If [Multiple users] is selected, you cannot configure the [Display Time], bind an IP or MAC address, or create a DKEY authentication user. The configuration page is as shown below: Having completed configuring this page, you have to click the <OK>...
  • Page 193: Edit User

    The user is then added successfully and listed in the [Member List]. 7.4.5. Edit User On the default configuration page of [Member List], click the name of a user to open the configuration page of this user.
  • Page 194: Binding Ip/Mac

    7.4.5.1. Binding IP/MAC [Binding] configures the IP/MAC address(es) bound to the user; only from those addresses can the user be authenticated through the IAM gateway device. Options are [Bind IP], [Bind MAC], [Bind both IP and MAC] and [No binding]. If [No binding] is selected, you have to configure an authentication method ([Password], [Dkey] or [Only allow SSO]).
  • Page 195: Bind Mac

    Click <Add IP>, choose [Add Object]: [Single IP], [IP range] or [Subnet], and enter an IP address, IP range or subnet respectively. <Get from IP group>: Click it to select an already defined IP group (for the configuration of IP groups, refer to the relevant part of Section 4.5 Schedule).
  • Page 196 To add MAC addresses, you can enter the MAC address(es) directly in the [Binding] text box, or click <Scan MAC address>. <Scan MAC address>: Click it and enter the IP range to be scanned; the device will scan and obtain the MAC addresses of these IP addresses.
  • Page 197: Bind Both Ip And Mac

    7.4.5.1.3. Bind Both IP and MAC [Bind both IP and MAC] configures the IP/MAC pairs to be bound, as shown below: To add an IP/MAC address, enter it directly in the [Binding] text box or click <Scan MAC address>.
  • Page 198: No Binding

    <Clear List>: Click it to clear all the IP and MAC addresses in the list. 7.4.5.1.4. No Binding [No binding] means the user is bound to neither an IP address nor a MAC address. If this item is selected, you then have to configure at least one [Authentication Method].
  • Page 199: Authentication Method

    Click the <Select> button to view the organization structure list (the user groups). Click <OK> to add the selected user group. Click <Cancel> to cancel the selection. 7.4.5.3. Authentication Method [Authentication Method] includes four options, namely [Password], [DKEY], [None] and [Only allow SSO].
  • Page 200 [Password]: Verifies the user by the web username and password. [Custom password]: Configures the initial password for the IAM gateway authenticated user (username). [LDAP], [RADIUS] and [POP3]: Check the type of third-party server used for authenticating this user.
  • Page 201: Expiry Date

    [Enable monitor-free Dkey]: Check this item and this user's behavior on the Internet will not be recorded (monitored). [Dkey initial password]: Enter the initial password of the DKEY. [Confirm password]: Enter the above initial password once again to check its correctness.
  • Page 202: Enable This User

    on] some day. If [Expired on] is selected, the username will expire after the configured date. The date format is yyyy-mm-dd (for instance, 2009-06-12). The configuration page is as shown below: 7.4.5.5. Enable This User [Enable This User] configures whether this user is enabled or disabled.
  • Page 203 Before generating a DKEY, be sure to download and install the DKEY driver. After inserting the DKEY, you can click the <Generate DKEY> button. DKEYs fall into two types: one is for authentication and the other is for preventing monitoring.
  • Page 204: Access Control Policy

    IP addresses. 7.4.5.6. Access Control Policy SANGFOR IAM gateway device can configure access control policy for an individual user. Under the [Edit User] default configuration page, click [Access Control Policy], and the corresponding...
  • Page 205: User Import

    introduced in Section 7.1 Access Control Policy. 7.5. User Import [User Import] configuration can import batches of users. The configuration page is as shown below: [Column Headings] defines the columns of the user table. It supports importing the information of [User Name], [Group], [IP Address], [MAC Address], [Auth Method] (authentication method), [Description] and [Password].
  • Page 206 As shown in the above figure, you can import users according to [Single IP], [IP range] or [Subnet]. After filling in the corresponding information, click the <Scan> button, and the host name, IP address and MAC address will be displayed in the [Content] table.
  • Page 207: Ldap Sync

    The LDAP server configured in [Authentication Server] will be displayed here. Click the <Import> button and the list of all the users appears. 7.6. LDAP Sync [LDAP Sync] synchronizes the users and organization structure of the domain server to the IAM gateway device, and can keep them synchronized automatically.
  • Page 208: Sync By Ldap Organization Structure

    Having selected one of the modes, click the <Save> button to save the settings. <Select All>, <Inverse>: Click these to select the needed policy or policies. <Add>: Click it to enter the [LDAP Synchronization Policy] configuration page.
  • Page 209 [Description]: Type a brief introduction for this synchronization policy. [Auto Synchronize]: Configures whether to synchronize the information automatically. Select [Enable] and the device will synchronize the domain users/user groups at some time between 0:00 and 5:00 o'clock; select [Disable] and the device will not synchronize the users/user groups.
  • Page 210: Sync By Ldap Security Group

    Click <Sync Now> to have the users/user groups synchronized immediately according to the configured synchronization policy. Click the <Refresh> button to refresh and view the synchronization status, and the [Last Sync Status] is displayed in the list, as shown below: [Last Sync Time]: Displays the time of the latest synchronization and whether it synchronized successfully.
  • Page 211: View Sync Report

    The above configurations are nearly the same as those of [Sync by LDAP organization structure], the only difference being that the selected and imported [Import Remote Target] are the security groups of the domain server.
  • Page 212: Online User

    [Sync Report Name]: Displays the name of the report. Click the report name to see the detailed contents of this report. [Sync Mode]: Displays how the synchronization was triggered, [Sync Now] or [Auto Sync].
  • Page 213 device. The configuration page is as shown below: [Online User List]: Displays the information of the online users accessing the Internet through the IAM gateway device, including [No.], [Login/Display Name], [Authentication Method], [Group], [IP Address], [Online Duration] and [Login Time].
  • Page 214 [Blocked User List]: Displays the information of the blocked user(s), including [No.], [Login/Display Name], [Authentication Method], [Group], [IP Address], [Blocking form] and [Left Blocking Time]. <Unblock>: Click this button to unblock the selected blocked user(s). Having been unblocked, the...
  • Page 215: Chapter 8 Bandwidth Management

    Chapter 8 Bandwidth Management The SANGFOR IAM bandwidth management (BM) module enables you to configure assured bandwidth and bandwidth limitation for the external lines and bandwidth channels. It can guarantee the bandwidth for accessing important applications, and limit the uplink/downlink bandwidth as well.
  • Page 216: Bandwidth Channel

    [Basic Information]: Displays the running status and flow information of the external lines. <Unfold All>, <Fold All>: Click it to unfold or fold all the flow information of the channels. <Stop Refresh>: Click it to stop refreshing the flow information in real time.
  • Page 217: Exclusion Policy

    [Name]: Displays the name of the channel(s). [Realtime Speed]: Displays the uplink/downlink bandwidth of the channel in real time. [Bandwidth Usage]: Displays the percentage of the total bandwidth that is occupied. [History Speed]: Displays the speed calculated from the history statistics and time.
  • Page 218: Bandwidth Settings

    [Filter Line]: Select an option to have the corresponding bandwidth channel(s) displayed in the bandwidth channel list. 8.2.1. Bandwidth Channel The SANGFOR IAM bandwidth management (BM) module offers a bandwidth allocation function to configure assured bandwidth and bandwidth limitation. You can define a bandwidth channel according to service and application, object, schedule, external line and destination IP group, to both assure and limit bandwidth, and you can create sub-channels under a bandwidth channel to subdivide the parent channel in more detail.
  • Page 219: Add Bandwidth Channel

    The page is as shown below: The bandwidth channel policies are matched from top to bottom. 8.2.1.1. Add Bandwidth Channel Click the <Add Parent Channel> button, and the [Edit Bandwidth Channel] configuration page appears, as shown below: [Channel Name]: Type one or more names for the bandwidth channel(s).
  • Page 220 [Service/Application]: Configures the specific service(s) to which this bandwidth channel applies. If [Custom] is selected, you can define and add services. Click <Add> and the corresponding options appear, as shown below: [Service Type]: Options are [Application], [Website] and [File].
  • Page 221 [Channel Type]: Defines the type of the bandwidth channel, [Guaranteed channel] or [Limited channel]. If [Guaranteed channel] is selected, this policy guarantees the user a minimum bandwidth; if [Limited channel] is selected, this policy limits the bandwidth available to the services.
  • Page 222 [Priority]: Options are [High], [Medium] and [Low]. A bandwidth channel with higher priority is given preference when idle bandwidth (from other bandwidth channels) is assigned. [Guaranteed Uplink Bandwidth], [Guaranteed Downlink Bandwidth]: Configures the guaranteed uplink/downlink bandwidth as an absolute value or as a percentage of the total allocated bandwidth.
  • Page 223 [Max Bandwidth Per IP] is configured with a bandwidth value instead of a rate, and is not affected by the other bandwidth settings, whereas [Guaranteed Uplink/Downlink Bandwidth] and [Max Uplink/Downlink Bandwidth] are configured with a rate, which means the actual bandwidth depends on the total bandwidth configured for this channel.
  • Page 224: Add Child Bandwidth Channel

    8.2.1.2. Add Child Bandwidth Channel The SANGFOR IAM gateway allows you to further define an existing bandwidth channel and divide its bandwidth more finely. On the [Bandwidth Settings] configuration page, select an existing bandwidth channel, and then click the <Add Child Channel>...
  • Page 225: Select And Edit Bandwidth Channel

    Channel. 8.2.1.3. Select and Edit Bandwidth Channel On the [Bandwidth Settings] configuration page, click <Select All> to select all the existing bandwidth channels, or click <Inverse> to select only the currently unselected bandwidth channels. The configuration page is as shown below: [Name]: Click the name of a bandwidth channel to enter the [Edit Bandwidth Channel] page and edit this bandwidth channel (policy).
  • Page 226 The [Default Channel] in the [Bandwidth Channel] list is the system default channel, and cannot be deleted. The bandwidth channels are matched according to the features of the flow, from top to bottom.
  • Page 227: Exclusion Policy

    [Exclusion Policy] applies when the local area network uses a proxy deployed on the WAN interface side of the SANGFOR IAM gateway device. The exclusion policy frees the LAN users from limitations such as guaranteed bandwidth and maximum bandwidth.
  • Page 228: Line Bandwidth

    bandwidth management module, that is to say, the physical bandwidth may be used up, which may result in congestion of the lines. 8.3. Line Bandwidth [Line Bandwidth] configures the actual uplink and downlink bandwidth of the external line(s). It is the basis for the [Guaranteed Bandwidth] and [Limited Bandwidth] configuration.
  • Page 229 Bridge-mode deployment. [System Settings]: Configures the uplink/downlink bandwidth of the virtual lines. Idle bandwidth of a virtual line cannot be borrowed by another virtual line, and the total bandwidth of all the virtual lines must NOT exceed the total bandwidth of the physical line. One IAM gateway device supports a maximum of 4 virtual lines.
  • Page 230 The SANGFOR IAM gateway device enables you to create a [Virtual Line Rule List]. It applies when multiple external lines connect to the front-end Internet device (in front of the IAM gateway device), or when several Internet devices connect to the front end of the IAM gateway device, and the gateway mode of the IAM gateway device is Bridge mode [Multi-Bridge].
  • Page 231 <Up>, <Down>: Click the button to adjust the priority of each virtual line rule. You can also select a rule and then select [First row] or [Last row] to move the selected rule to the top or bottom, or select [No.] to move the selected virtual line to a specified row.
  • Page 232 A maximum of 4 virtual lines are supported by one IAM gateway device. [Virtual Line] configuration is only available for Bridge mode. ...
  • Page 233: Chapter 9 Delayed Email Audit

    Chapter 9 Delayed Email Audit [Delayed Email Audit] configures the options for auditing some specific emails, including [Email Audit Policy], [Audited Email] and [Unaudited Email]. 9.1. Email Audit Policy [Email Audit Policy] defines the email audit policy to handle the applicable emails. Configurations are [Audit Timeout Settings] and [Sending Attempts].
  • Page 234: Audited Email

    9.2. Audited Email All the already audited emails or the to-be-sent emails will be listed here, as shown in the above figure. The audited emails can be searched for in the Data Center of the IAM gateway device (click [Internet Access Audit] >...
  • Page 235: Chapter 10 Internet Access Audit

    Chapter 10 Internet Access Audit [Internet Access Audit] covers [Realtime Logs], [Audit Log Maintenance], [Data Center Settings] and [Enter Data Center]. The default configuration page of [Internet Access Audit] is as shown below: 10.1. Realtime Logs [Realtime Logs] includes the information of [Flow Ranking], [Connection Ranking], [Connection Monitoring] and [Behavior Monitoring].
  • Page 236: Flow Ranking

    10.1.1. Flow Ranking [Flow Ranking] displays the real-time flow information generated by LAN users accessing the Internet. You can obtain the host name of an IP address, and block the selected user(s) from accessing the Internet.
  • Page 237 [Search by Group]: Specifies a group to view the flow ranking information. Click the <Select> button and select a user group, and then click <OK>. [Display Option]: Specifies the number of items to be displayed (the top flow rankings), and the time interval to automatically refresh the data.
  • Page 238: Connection Ranking

    The system will prompt that the command for blocking the user was sent successfully. Click the <Auto Update> button and you will see that there is no flow from the blocked user (because the user/IP address is blocked from accessing the Internet).
  • Page 239: Connection Monitoring

    LAN users, as shown below: A maximum of the top 20 connection rankings are displayed. 10.1.3. Connection Monitoring [Connection Monitoring] displays all the connections that a LAN IP address has established with the external networks. It only displays the top 200 connection rankings (IP addresses).
  • Page 240: Audit Log Maintenance

    information of application type, application, and detailed information. Specify the search condition and click the <Search> button to view the latest Internet behavior of this user (IP address). The page is as shown below: 10.2. Audit Log Maintenance [Audit Log Maintenance] configures whether the system automatically deletes the audit logs.
  • Page 241 [Data Center Primary Address], [Data Center Secondary Address]: Configures the server IP address of the Data Center of the SANGFOR IAM gateway device. The address can be an IP address or the corresponding domain name; ensure that the IAM gateway device can resolve the domain name (the IAM gateway should be able to access the Internet).
  • Page 242 [Data Center Web Port]: Configures the port through which the external Data Center provides WEB services. Click the [Enter External Data Center http://IP:PORT] (varies with IP address and port) to enter the login interface of the internal Data Center, as shown below:...
  • Page 243: Enter Data Center

    Having completed configuring the page, you have to click the <OK> button to save all the settings. 10.4. Enter Data Center [Enter Data Center] enables you to log in to the internal Data Center of the IAM gateway device as the present user, to search for the logs and make statistics in real time.
  • Page 244 As the storage capacity of the IAM gateway device is limited, and data retrieval and search among massive data records in the Data Center consume a large amount of resources, it is recommended NOT to have the internal Data Center store a large amount of data. If your network produces massive logs, you can install an independent (external) Data Center server to store logs and search for specific data.
  • Page 245: Chapter 11 Logs/Troubleshooting

    Chapter 11 Logs/Troubleshooting [Logs/Troubleshooting] covers [System Logs], [Policy Troubleshooting] and [Packet Capture]. The configuration page is as shown below: 11.1. System Logs [System Logs] displays the running information of each function module of the IAM gateway device.
  • Page 246 SANGFOR IAM v2.1 User Manual define the display of the system logs, as shown below: Having completed defining the [Display Options] and [Filter Options], you have to click the <OK> button and then click the <Refresh> button to apply the new configuration, as shown...
  • Page 247: Policy Troubleshooting

    11.2. Policy Troubleshooting [Policy Troubleshooting] enables you to view which module denied a data packet and for what reason, so as to locate configuration mistakes made on a certain module or to test whether a rule is taking effect.
  • Page 248 [IP Address List]: Configures the IP addresses to which this rule is applied. By default it includes all the segments. [Excluded IP List]: Configures the IP addresses whose data packets will be bypassed while the denial information is still recorded.
  • Page 249 and the data packets matching the policy (to be denied) will be let through and the related information will be output to a WEB page. Click the <Click here to view packet drop list>...
  • Page 250: Packet Capture

    11.3. Packet Capture [Packet Capture] is used for capturing the data packets that go through the IAM gateway device. This function helps to quickly locate configuration mistakes, and is a supplementary troubleshooting tool to policy troubleshooting.
  • Page 251 Click the <Stop capturing> button to stop capturing data packets. You will then see a capture file (with the file extension pcap) in the [Capture File List], as shown below: Click <View> to open the [Capture File Details] page, as shown below:...
  • Page 252 Click <Details> to view the payload carried by the data packets, as shown below: [Advanced (TCPDUMP)]: Select this item and configure conditions such as the network interface and a TCPDUMP filter expression to narrow down which data packets are captured, as shown below:...
  • Page 253 Click the <Delete> button to delete a selected capture file, or click <Download> to save the file to a specified path on the local computer. This capture file can be opened by the software...
  • Page 254: Chapter 12 Advanced

    Chapter 12 Advanced [Advanced] covers the configurations of [Alarm], [Proxy Server], [Web Tracking], [Excluded IP/Domain] and [Page Customization]. 12.1. Alarm [Alarm] is used for sending alarm emails to the administrator if the IAM gateway device detects an attack, a virus, a file disclosure, an email to be audited or risky behavior.
  • Page 255: Proxy Server

    [SMTP Server Address]: Configures the IP address or domain name of the SMTP server used for delivering alarm emails. [Username], [Password]: Type the username and password if the SMTP server requires authentication. Having completed configuring this page, you can click the <Send Testing Email> button to check whether the email can be delivered successfully.
  • Page 256: Web Tracking

    [Proxy Server List]: Enter the IP address or IP ranges of the proxy in this text box. Data forwarded to these proxies (IP addresses) will then be detected, so the administrator can control the Internet access of the LAN users.
  • Page 257 You can define whether to record the URL in detail, or record only the visits to text webpages, or record the download of all HTTP file types, or record the URLs that contain a certain prefix or suffix.
  • Page 258: Excluded Ip/Domain

    [Not record URLs with the following suffixes (one suffix per row)]: Check this option and URLs that contain any of the configured suffixes will not be recorded. The suffix may be matched partially. Wildcards are not supported.
  • Page 259: Page Customization

    (of a server) is any of the IP addresses/domain names configured here, the Internet access of the LAN user or the visits to the destination server will not be monitored. The data packets will be passed through directly.
  • Page 260 [Custom Object]: Select a needed object (page). Options are [Authentication Results], [Access Denied], [Virus Detected], [Internet Access Timeout], [Network Ingress Client], [Modify User Password], [Bulletin File], [Web Authentication], [Online Duration Reminder], [Internet Flow Reminder], [PC Proxy Prompt] and [Anti-proxy Reminder].
  • Page 261: Chapter 13 Security

    Chapter 13 Security 13.1. Gateway Antivirus Gateway Antivirus is used for detecting and removing viruses contained in the data packets that go through the IAM gateway device, thus protecting the LAN computers.
  • Page 262 [Update Service Expired On]: Displays the expiry date of the antivirus update service of the IAM gateway device. Before the expiry date, the IAM gateway device will automatically connect to the website http://www.sangfor.com to update the virus library.
  • Page 263: Ips Options

    13.2. IPS 13.2.1. IPS Options IPS (Intrusion Prevention System) discovers the potential risks to the local area network (LAN) by inspecting the data packets and analyzing their actual purpose, and then decides whether to allow the data packets to enter the local area network.
  • Page 264 [Defense Level]: There are three levels of defense rules provided by the SANGFOR IAM gateway device, [High], [Medium] and [Low]. Select a level according to the actual security needs of your network.
  • Page 265: Ips Rules

    All the matching and suspicious attacks will be recorded by the IAM gateway device and handled according to the action configured for the different defense levels. You can view the detailed logs in the Data Center of the IAM gateway.
  • Page 266: Vpn Settings

    [Auto Update]: Select [Enable] to allow the rules to be updated automatically. [Rule Search]: To search for the existing rule(s), you can use [Classified search] or [Exact search]. <Detail>: Click it to view the detailed description of the corresponding IPS rule.
  • Page 267: Basic Settings

    <Search>: Click this button to open the [Search User] dialog; type the user name and click the <OK> button to quickly search for the connection information of this user. The [Search User] dialog is as shown below: <Stop Service>: Click this button to stop the VPN service temporarily.
  • Page 268 If the Webagent password gets lost, there is no way to recover it. The only solution is to contact the Customer Service of SANGFOR to generate a new file (without Webagent password) and replace the original one.
  • Page 269 [Change MSS]: Configures the maximum fragment size under UDP transmission. [MTU], [Min Compression Value] and [Change MSS] are configured with the default values. If you need to change the values, follow the instructions given by the SANGFOR technicians.
  • Page 270: User Management

    channels or not. You can specify a port to transmit broadcast packets, so as to prevent broadcast storms at both ends of a VPN. 13.3.3. User Management [User Management] is used for managing the VPN accounts that connect in. The configurations...
  • Page 271 driver will fail to be installed. <Delete>: Click this button to delete the selected user(s). <Import Text User>, <Import Domain User>: Click this button to import the TXT or CSV file that contains the user information.
  • Page 272 algorithm, etc. The configuration dialog is as shown below: [Authentication Method]: Configures the authentication method, [Local] (hardware authentication), [LDAP] or [RADIUS]. [Use Group Attribute]: Classifies the user into a certain group and configures whether the user applies the group attributes.
  • Page 273 IAM gateway device and the user, according to the selected algorithm. This is a unique technology of SANGFOR VPN. It makes the best use of the bandwidth, particularly in a network environment with limited bandwidth resources, and accelerates data transmission.
  • Page 274: Connection Management

    Before configuring [LAN Privilege], add the needed services on the [VPN Settings] > [Advanced] > [LAN Service] page. 13.3.4. Connection Management To allow multiple nodes to interconnect and form a “Web-like” network, the IAM gateway device offers the connection management function and configuration options to manage these nodes.
  • Page 275 [Connection Name], [Description]: Type the name and the description for this new connection respectively. [Primary Webagent], [Secondary Webagent]: Type the primary and secondary Webagent of the VPN headquarters to be connected. Then click the <Test> button to check the availability of the Webagent.
  • Page 276 If the Webagent is a domain name, a successful test result means the webpage exists; otherwise, it indicates that the webpage does not exist. If the Webagent is a static IP address, a successful test result means its format (IP:PORT) is correct. In short, a successful test result does not mean the VPN connection itself will succeed.
  • Page 277: Virtual Ip Pool

    <OK> button to save all the settings. 13.3.5. Virtual IP Pool [Virtual IP Pool] contains the idle LAN IP addresses (or ranges) specified by the local SANGFOR IAM gateway device. These IP addresses are used as the virtual IP addresses for the mobile VPN users when they connect to the gateway device (VPN).
  • Page 278 Click the <New> button to open the [Virtual IP Settings] configuration dialog; type the start IP and end IP. The dialog is as shown below: Click the <Advanced> button to open the [Advanced Setting] configuration dialog; enter the DNS and WINS server addresses, and the mask of the virtual IP that is to be allocated to the virtual network adapter of the mobile VPN user.
  • Page 279: Multiline Settings

    After configuring the [Advanced] options of the [Virtual IP Pool], the virtual network adapter of the mobile VPN user's computer must be configured as [Obtain an IP address automatically] and [Use the following DNS server addresses]; otherwise, the addresses configured in [Advanced] will not be allocated to the virtual network adapter of the mobile VPN user's...
  • Page 280 If your network has multiple lines connecting to the external network, check [Enable Multiline] and then add the lines. Click the <New> button to enter the [Edit Multiline] page and add a new line; the configuration...
  • Page 281: Multiline Routing Policy

    [DNS Detection Time]: Configures the interval at which DNS detection is performed. The setting takes effect only when the [Enable DNS Detection] option is checked. 13.3.7. Multiline Routing Policy SANGFOR IAM gateway device offers a powerful multiline routing policy for VPN. You can...
  • Page 282 configure the multiline policy to achieve intercommunication among different VPNs, according to the protocol applied, source IP, destination IP, source port, destination port, etc. For example, Branch1 (172.16.1.0/24) needs to access the FTP server (IP: 192.168.1.20) of its headquarters.
  • Page 283 Click the <Add> button to enter the [IP Range Settings] configuration dialog; configure the IP addresses and ports, and select a protocol, as shown below: [Protocol]: Select a protocol for data transmission. In this example, it is TCP.
  • Page 284 [Source Port]: Type a service port (of the local-terminal segment). In this example it is 20-21. [Destination IP]: Type an IP address (or the peer-VPN segment). In this example, it is the LAN IP range of Branch1, 172.16.1.1-172.16.1.254.
  • Page 285: Local Subnet List

    [Average distribution] routing policy options. If the [Dynamic detection] routing policy is selected, the system will choose the optimal line (the one giving the fastest connection). If the policy-selected line fails, the system will automatically switch to an available line to ensure smooth transmission of the data.
  • Page 286: Tunnel Route

    [Local Subnet List], so as to enable intercommunication among these subnets. 13.3.9. Tunnel Route SANGFOR IAM gateway device offers a powerful VPN tunnel route configuration function. You can configure routes for the VPN tunnels to achieve interconnection among different VPNs (software/hardware) and establish a true web-like VPN network.
  • Page 287 shown below: [Source Subnet]: Configures the network ID of the source subnet. In this example, it is 172.16.1.0. [Source Mask]: Configures the mask of the source subnet. In this example, it is 255.255.255.0. [Destination Subnet]: Configures the network ID of the destination subnet. In this example, it is 10.1.1.0.
  • Page 288 by this tunnel route (indicating the corresponding username selected in the [VPN Settings] > [Connection Management] > [Edit Connection] configuration dialog). In this example, the branch Shanghai has established a VPN connection with its headquarters (using the name “Guest”...
  • Page 289 The tunnel route is also used for forwarding all the Internet access requests of a branch user to its VPN headquarters, enabling the branch VPN user to access the Internet through the VPN headquarters'...
  • Page 290: Ipsec Connection

    SANGFOR IAM gateway can connect with a third-party VPN device to establish a standard IPSec VPN connection. 13.3.10.1. Device List [Device List] enables the SANGFOR IAM gateway device to connect with a peer VPN device to establish a standard IPSec connection. It corresponds to the first negotiation phase of the standard IPSec protocol.
  • Page 291 Click the <Advanced> button to view the advanced settings. The configuration dialog is as shown below:...
  • Page 292: Security Option

    13.3.10.2. Security Option [Security Option] configures the parameters used for establishing a standard IPSec connection. This is the second phase of IPSec negotiation. The configuration page is as shown below:...
  • Page 293 Algorithm] (MD5 or SHA-1) and [Encryption Algorithm] (DES, 3DES or AES). Click the <New> button and the [Security Option] dialog appears, as shown below: SANGFOR IAM gateway device will negotiate and establish an IPSec connection with the peer device according to the configured policy.
  • Page 294: Outbound Policy

    The [Encryption Algorithm] applies during the second phase of the IPSec connection. If multiple devices are interconnected and each applies a different policy, you have to add the policy of each device to the security option list (i.e., create the corresponding policy for each device).
  • Page 295: Inbound Policy

    13.3.10.4. Inbound Policy [Inbound Policy] configures the rule used for data transmission from the peer device to the local device. Click the <New> button and the corresponding [Policy Settings] dialog appears, as shown below:...
  • Page 297: Common Settings

    Both the [Service] and [Schedule] of [Outbound Policy]/[Inbound Policy] are extra rules provided by the SANGFOR IAM gateway device and only take effect on the local device; that is, these rules are not negotiated with the third-party device when establishing the VPN connection.
  • Page 298 Click the <New> button and the [Schedule] configuration dialog appears, as shown below: In this example, “Office hours” is the enabled time period, which means the rule will take effect during this period if it references this schedule.
  • Page 299: Algorithm List

    [Radius Server]. 13.3.12.1. LAN Service SANGFOR IAM gateway device enables you to specify the access privileges of the VPN users, or even to allow a branch VPN user or mobile VPN user (IP address) to access only certain service(s) provided by a LAN computer; it also configures the service parameters of the inbound policy...
  • Page 300 used for connecting to a third-party device. For example, to achieve the two requirements: a). only allow a user to access the WEB service provided by the headquarters WEB server (other services are unavailable for this user); b). allow an IP address of a branch VPN “branch1”...
  • Page 301 Step 1: Type a name in the [Service Name] text box and check the protocol (in this example, it is FTP service, using TCP protocol). Step 2: Click the <New> button to configure the IP ranges. The configuration dialog is as shown below: [Source IP]: Fill in the source IP.
  • Page 302 [Source port]: 1-65535. [Destination IP]: Fill in the destination IP addresses. In this example, it is the FTP server IP of the headquarters, 192.168.1.20. [Destination Port]: Port of the FTP service, 20-21. The default configuration places no limitation on the access privilege of the VPN user.
  • Page 303: Vpn Interface

    Step 4: Click the <LAN Privilege> button and the [Privilege Settings] configuration dialog pops up, as shown below: Step 5: Move the needed services to the service list (move from left to right) and check [Allow].
  • Page 304: Ldap Server

    13.3.12.3. LDAP Server The VPN service of SANGFOR IAM gateway supports LDAP authentication through a third party. If you need a third party to perform LDAP authentication, configure the [LDAP Server] (including [LDAP Server IP], [LDAP Server Port] and [Administrator Name]) by following the introduction and instructions below.
  • Page 305: Radius Server

    Having completed configuring the LDAP server (domain server), you can click the <Advanced> button to open the [Advanced Settings] dialog. The configuration dialog is as shown below: Configure these settings according to your case. 13.3.12.4. Radius Server The VPN service of SANGFOR IAM gateway device supports RADIUS authentication through a...
  • Page 306: Generate Certificate

    The configuration page is as shown below: 13.3.13. Generate Certificate The HARDCA is one of the patents of SANGFOR. The device that applies this technology can use its certificate to get its identity authenticated among different VPN nodes. The certificate of a device is generated with some of the features of this device and is then encrypted.
  • Page 307: Chapter 14 Dhcp

    Chapter 14 DHCP 14.1. DHCP Status [DHCP Status] displays the running status of the DHCP service and the IP addresses allocated to the LAN computers; the details displayed are [Current status] of the DHCP service, [Allocated IP Addresses], [Host Name] and [MAC Address].
  • Page 308 [DHCP Service Interface]: Select an interface for the DHCP service. You can use multiple network interfaces to provide DHCP services. [Enable DHCP Service]: Select [Enable] to enable the DHCP (service) module. [Lease Term]: Configures the expiry time of the IP address allocated by the DHCP.
  • Page 309 or [Hostname]. [Select] a user; type the [MAC Address] and [Hostname] and click <Obtain by IP> to get the corresponding parameter. Finally, click the <OK> button to save the above settings. Note that the DHCP IP ranges configured here must not conflict with the static IP ...
  • Page 310: Chapter 15 Wizard

    Chapter 15 Wizard [Configuration Wizard] introduces the flow and steps of the basic configurations, with links to the configuration page of each module. Just click an item (in blue) to go directly to the corresponding configuration page.
  • Page 311: Appendix A: Gateway Client-Updater

    The gateway update and restoration system can be used to update the kernel version of the SANGFOR IAM gateway device and to back up its configuration. When vital errors occur in the system, the IAM gateway device can be restored to the factory default configuration via the gateway restoration system.
  • Page 312 After logging in successfully, it prompts that login succeeded, as shown in the figure below: [Search]: Automatically searches for SANGFOR gateway devices in the local area network (as long as there are no routing devices between the local computer and the IAM gateway...
  • Page 313 [Change password]: Modifies the login password of the gateway client-updater. [Disconnect]: Cuts the connection to the SANGFOR hardware gateway. If there is no operation for a certain time, the client terminal will be disconnected automatically.
  • Page 314 [Backup Config]: Backs up all the configuration information of the IAM hardware gateway device. [Restore Backup]: Restores all the backed-up configuration information to the IAM hardware gateway. Both operations apply only to SANGFOR devices of the same model and version; devices of different models or versions are not supported.
  • Page 315 [Check Current]: View the information of the currently-loaded update package. [Load Package]: Load (upload) the downloaded update package. Only after this step can [Update] > [Update Firmware] be clicked. [Download]: Please visit the SANGFOR official website www.sangfor.com to download the corresponding update package.
  • Page 316 [Network Config]: View the network configuration of the IAM gateway device, including interface IP information, etc. [View Mode]: View the mode the current network interface card (NIC) is working in. [Set Net Mode]: Manually configure the working mode of the NIC of the IAM gateway device, if the setting does not match the actual network interface card mode.
  • Page 317 If the default configurations need to be restored, log in to the device and click [Update] > [Restore Default Config]. To update the Firmware kernel of the SANGFOR gateway device, please DO follow the instructions given by the technicians of SANGFOR.
  • Page 318: Appendix B: Acronyms And Abbreviations

    Appendix B: Acronyms And Abbreviations Alternating Current Active Directory Address Resolution Protocol Bandwidth Management Certificate Authority Central Processing Unit DNAT Destination Network Address Translation Domain Name Server Denial of Service Attack High Availability HTTP Hypertext Transfer Protocol...
  • Page 319 User Interface Uniform Resource Locator VLAN ID VLAN Virtual Local Area Network...