IAM 11.2 User Manual
SANGFOR IAM11.2

User Manual

2016 January
www.sangfor.com

Summary of Contents for Sangfor IAM11.2

  • Page 1: User Manual

    IAM 11.2 User Manual SANGFOR IAM11.2 User Manual 2016 January www.sangfor.com...
  • Page 3: Table Of Contents

    3.1.2.2 IPv4 SNAT......................53 3.1.2.3 IPv4 DNAT......................59 3.1.2.4 IPv6 NAT....................... 63 3.1.3 Network.......................... 65 3.1.3.1 Deployment......................65 3.1.3.2 Network Interface Configuration................ 92 3.1.3.3 Static Routes......................99 3.1.3.4 Policy-Based Routing..................101 3.1.3.5 High Availability....................106 3.1.3.6 HOSTS.........................115 3.1.3.7 DHCP........................116 ...
  • Page 4 3.3.3.3 Importing and Exporting Custom Application Rules.........190 3.3.4 URL Database........................ 190 3.3.4.1 URL Database List....................191 3.3.5 Ingress Rule Database....................195 3.3.5.1 Ingress Rules...................... 195 3.3.5.2 Combined Ingress Rule..................206 3.3.6 Service...........................210 3.3.7 IP Group........................212 3.3.8 ISP..........................213 3.3.9 Schedule........................215 ...
  • Page 5 3.5.2.4 Excluded Application..................400 3.6 Traffic Management.........................402 3.6.1 Overview........................402 3.6.2 Bandwidth Management....................403 3.6.3 Bandwidth Channel Configuration................403 3.6.3.1 Line Bandwidth....................404 3.6.3.2 Limited Channel....................412 3.6.3.3 Traffic Sub-Channel....................421 3.6.3.4 Penalty Channel....................428 3.6.3.5 Adding a Channel Using a Template..............438 3.6.3.6 Exclusion Policy....................438 ...
  • Page 6: Www.sangfor.com

    4.1.5 Configuration of SSO Implemented with Third-Party Devices........555 4.1.5.1 SSO Implemented with Ruijie SAM..............555 4.1.5.2 SSO Implemented with Devices Supporting the HTTP SSO Interface....563 4.1.5.3 SSO Implemented with H3C CAMS..............565 4.1.5.4 SSO Implemented with Dr. COM............... 566 ...
  • Page 7 4.1.5.5 SSO Implemented with H3C IMC...............568 4.1.6 SSO Implemented with Another SANGFOR Device............569 4.1.7 SSO Implemented with a Database System..............571 4.2 Configuration That Requires No User Authentication............574 4.3 Configuration That Requires Password Authentication............580 4.3.1 SMS Authentication......................
  • Page 8: Declaration

    SANGFOR, SANGFOR Technologies and the SANGFOR logo are the trademarks or registered trademarks of SANGFOR Technologies Co. Ltd. All other trademarks used or mentioned herein belong to their respective owners. This manual shall only be used as usage guide, and no statement, information, or suggestion in it shall be considered as implied or express warranties of any kind, unless otherwise stated.
  • Page 9: About This Document

    Describes the interface and each function, such as report generation, online behavior checking and system management, and explains the overall configuration, settings and precautions. This document takes SANGFOR IAM M5100 as an example. Equipment of different models differs in both hardware and software specifications. Therefore, confirm with SANGFOR about problems involving product specifications.
  • Page 10: Symbol Conventions

    Warning: alerts you to pay attention to the provided information. Improper operation may cause bodily injuries. Note or tip: provides additional information or a tip to operations. Technical Support Email: tech.support@sangfor.com.hk International Service Centre: +60 12711 7129 (7511) Malaysia: 1700817071 Website: www.sangfor.com Acknowledgment Thanks for choosing our product and user manual.
  • Page 11: Chapter 1 Iam Installation

    1.2 Power The SANGFOR IAM device uses 110 ~ 230V alternating current (AC) as its power supply. Make sure it is well grounded before power is supplied. 1.3 Product Appearance SANGFOR IAM Hardware Device Above is the front panel of the SANGFOR IAM hardware gateway device.
  • Page 12 the front panel are described respectively in the following table. ...
  • Page 13: Configuration And Management

    The default IP address settings for the network interfaces are described below: Interface / IP Address: eth0 (LAN) 10.251.251.251/24; eth1 (DMZ) 10.252.252.252/24; eth2 (WAN1) 200.200.20.61/24. 1.5 Wiring Method of Standalone Connect the power cable to the Power interface on the rear panel of the IAM device and switch on ...
  • Page 14 If connections cannot be established while the corresponding indicator functions normally, please check whether the correct cables are used for the connections. The difference between a straight-through cable and a crossover cable is the wire sequence at both ends, as shown below: ...
  • Page 15 After startup, the ALARM indicator may flash, which means the device is writing logs. However, if the ALARM indicator stays lit for a long time and does not go out, please ...
  • Page 16: Wiring Method Of Redundant System

    After the two devices are correctly wired, switch on the power for both devices and then configure them. The procedures for configuring the redundant system are the same as those for a standalone device. You need only configure the active IAM device, which will automatically synchronize its configuration to the standby IAM device. ...
  • Page 17: Chapter 2 Iam Console

    After finishing all the wiring, you can then log into the Web User Interface (UI) to configure the SANGFOR IAM device. Follow the procedures below to log into the console of the IAM device: Step 1. Configure an IP address (for example, 10.251.251.100) on the 10.251.251.X subnet for the computer, and then type the default login IP address and port in the IE address bar: https://10.251.251.251.
  • Page 18: Remove The Certificate Alert Dialog

    Here, the IP address refers to that of the network interface used for login, which is the IP address of the LAN interface by default. In this example, we suppose that you have logged into the console through the default address of the LAN interface. ...
  • Page 19 Only when you log in through the IP address specified in [Issue Console SSL Cert. To] and the local computer has installed the certificate will this alert dialog be removed. If you log in through another address or the computer has not installed the certificate, the alert dialog will still ...
  • Page 20: Configuration

    When you modify the settings on the [System] > [Network] > [Deployment] page or the [System] > [System Time] page, or the default encoding on the [System] > [General] > [Advanced] > [Web UI Options] page, the IAM device will restart and you need to log in again. ...
  • Page 21 1. On the [Members] page, you can select the columns that you want to display and the page will only display the information of the selected columns, as shown below: 2. On the [Online Users] page, you can select [Sort Ascending] or [Sort Descending] to sort the information in ascending or descending order by the corresponding column. ...
  • Page 22: Chapter 3 Functions

    On the Dashboard page, System Resources are displayed, including the graph of Throughput on All WAN Interfaces, Web-Access Connection Quality, Top Application by Traffic, Top Users by Traffic, Application Bandwidth Distribution, Network Interface, Security Events and Internet Activities. 3.1.1.1.1 Displayed Panels On the Dashboard page, click Displayed Panels. The following page is displayed: ...
  • Page 23 The System Resources panel displays the overall conditions of device resources, including the CPU usage, memory usage, disk usage, number of sessions, number of online users, daily connection quality, number of ICS users over the last 7 days, system time, and daily log summary. See the following figure. ...
  • Page 24 3.1.1.1.3.2 Throughput on ALL WAN Interfaces The Throughput on ALL WAN Interfaces panel displays the real-time conditions of data received and transmitted on interfaces in a curve. See the following figure. Click . The following figure is displayed. ...
  • Page 25 Interface specifies the interface whose data forwarding conditions are to be displayed. 3.1.1.1.3.3 Web-Access Connection Quality The Web-Access Connection Quality panel displays the network quality information monitored by the device, as shown in the following figure. ...
  • Page 26 Set the username and application type to view details about the user that uses the application. 3.1.1.1.3.5 Top Users by Traffic The Top Users by Traffic panel displays the top 10 users by traffic. You can rank the users by ...
  • Page 27 Set the username to view details about the applications used by the user. 3.1.1.1.3.6 Application Bandwidth Distribution The Application Bandwidth Distribution panel displays the application bandwidth distribution dynamically in different colors. See the following figure. Click . The following figure is displayed. ...
  • Page 28 Click to set the automatic refresh interval. 3.1.1.1.3.8 Security Events The Security Events panel displays the number of times that insecure behaviors are detected. See the ...
  • Page 29: Online Users

    The Internet Activities panel displays real-time information about the online behaviors of users. See the following figure. Click to set the automatic refresh interval. 3.1.1.2 Online Users 3.1.1.2.1 Viewing Online Users The Online Users panel displays authenticated users that are online. See the following figure. ...
  • Page 30 On the User Group panel, enter a keyword in the Search box to query online users of the corresponding user group. On the Online Users panel, you can search users by name or IP address. See the following figure. 3.1.1.2.2 Filtering Online Users Click Filter to specify the conditions for filtering users. See the following figure. ...
  • Page 31 Operation column. 3.1.1.2.5 Forcibly Logging Out Online Users The administrator can forcibly log out online users, excluding temporary users, USB Key users, and those that do not require authentication. If the administrator attempts to forcibly log out a ...
  • Page 32: Connection Quality

    The device also provides the detection function for a single user. If a problem cannot be solved based on the overall network quality evaluation result, the device can perform detection for a single user, thereby providing more accurate data statistics. See the following figure. ...
  • Page 33 You can view the current network quality monitoring status, recent network quality, current network quality, and network diagnosis result. Select Enable Web-Access Connection Quality Monitor, and click Yes in the displayed dialog box. Click and set the quality criteria. ...
  • Page 34 You can set a website to be monitored in Website. By default, Website is set to All Websites. A maximum of three monitoring object lists can be defined. Each list contains a maximum of 100 domain names. Click Custom Website List to change the monitored websites. Click Settings to edit a website list. ...
  • Page 35 Hover over the waveform and a popup menu is displayed, in which you can view network quality details. When the network quality level is poor, you can click View to view the list of users with a low Internet access speed. ...
  • Page 36 The Assessment panel displays network quality details, including multiple possible causes of poor network quality. The possible causes and handling suggestions are listed as follows: Traffic control is disabled. Bandwidth resources are insufficient (if Hypertext Transfer Protocol (HTTP) traffic occupies 90% ...
  • Page 37 For example, if user A is found in the list of users with a low Internet access speed, you can click User-Based Detection and enter the username or IP address in User, or click Select User and select the user in the organization structure shown in the following figure. ...
  • Page 38 Click OK. Then click Settings in Address to set a monitoring address. ...
  • Page 39 Web access request. In Address, select Use address in built-in database or Specified. Click OK. Then click Start. The following takes www.google.com as an example. When you access www.google.com, the access request is redirected to the test page. ...
  • Page 40: Traffic Statistics

    A message indicating detection in progress is displayed on the administrator page. After the detection is complete, the following page is displayed: The detection results are displayed on the administrator page. 3.1.1.4 Traffic Statistics The Traffic Statistics panel displays traffic information about online users and applications, status ...
  • Page 41 Set the line and application in the Type pane. See the following figure. Line specifies the line to be viewed and App Category specifies the application to be viewed. After setting the line and application, click Commit. The page shown in the following figure is displayed. ...
  • Page 42 You can choose to display all applications, selected applications or unselected applications. The selected applications are displayed in the right pane. Click OK to save the settings. You can set the specific user or IP address in the Objects pane. See the following figure. ...
  • Page 43 In the Objects pane, the User Group Filter, Username and IP address option buttons are mutually exclusive. Below Group Filter, the slash (/) indicates all groups. After you click Select, the page shown in the following figure is displayed. ...
  • Page 44 3.1.1.4.2 Top Apps by Traffic 3.1.1.4.2.1 Viewing Application Rankings The Top Applications by Traffic panel displays rankings of applications by traffic in real time. See the following figure. As shown in the preceding figure, you can filter applications by bandwidth. The displayed information ...
  • Page 45 3.1.1.4.2.2 Top Applications by Traffic Click Filter to specify the conditions for filtering applications. See the following figure. In the Objects pane, set the line and user group. In Show, set the number of displayed applications ranked by traffic. Then click Commit. ...
  • Page 46 The displayed information includes the channel name, line, real-time speed, percentage, user quantity, minimum bandwidth, maximum bandwidth, priority, and status. You can choose to display the traffic history within a certain period of time. Select All channels or Operating channels from the View drop-down list. ...
  • Page 47: Internet Activities

    3.1.1.4.4.2 Search by Username Click Search by Username to query connection information by username. See the following figure. 3.1.1.5 Internet Activities 3.1.1.5.1 Viewing Internet Activities The Internet Activities panel displays information about recent online behaviors of users. See the ...
  • Page 48 In the Objects pane, set the network behaviors to be viewed. The available options include Search Term, Forum and Microblog, Emails, Outgoing File, IM Chats, Websites Browsing, and Others. In Action, set the actions to be viewed. The available options include Reject and Log. ...
  • Page 49: Locked Users

    The displayed information includes the locked details, operation, locked time, IP address, violation type, and remaining time. Select a locked user and click Unlock to release the user. Click Unlock All to release all users. 3.1.1.6.2 Filtering Locked Users Click Filter to specify the punishment conditions. See the following figure. ...
  • Page 50: Dhcp Status

    In the Objects pane, set the users to be filtered. You can select any of User Group, Username, and IP address. 3.1.1.7 DHCP Status The DHCP Status panel displays the DHCP assignment conditions after DHCP is enabled. See the following figure. ...
  • Page 51: Security Events

    The Firewall Rules panel is shown in the following figure. In Direction, set the direction to which a filtering rule applies, which can be LAN<->DMZ, DMZ<->WAN, WAN<->LAN, LAN<->LAN, DMZ<->DMZ, VPN<->WAN, or VPN<->LAN. After selecting a filtering direction, you can manage Firewall Rules in the right pane, including deleting or adding Firewall Rules. ...
  • Page 52 3. Set a rule to allow HTTP packets from the LAN zone to the DMZ. Specifically, select Allow from Action, HTTP from Service, and All from Source and Destination or enter an IP group. Select All Day from Schedule and specify a time period. Select LAN->DMZ from Data Flow. See the following figure. ...
  • Page 53: Ipv4 Snat

    The device is required to implement Internet access for intranet users. 1. On IPv4 SNAT, click Add. In the dialog box shown in the following figure, select Enabled and enter a rule name in Name. ...
  • Page 54 IP address of the WAN interface specified in step 2. If Specified IP is selected, source IP addresses will be translated into the specified IP addresses. Click Advanced to set more specific matching conditions, including the destination IP address translation condition and the protocol conversion condition. These two conditions are not set in this example. ...
  • Page 55 202.3.3.0/255.255.255.0 of the education network, the source IP address of the computer will be translated to the IP address of the WAN1 interface, which is 202.96.1.1. 1. Add two IP groups: education network segment and internal network segment. The following figure shows an example of defining the IP group "Education Network Segment". ...
  • Page 56 WAN1 (Education Network Line) based on the specified Policy-Based Routing. For details, see section 3.2.3.4. 2. On IPv4 SNAT, click Add. In the dialog box shown in the following figure, select Enabled and enter a rule name in Name. ...
  • Page 57 5. In Mapped Src IP, set the range of IP addresses to which source IP addresses of data meeting the conditions are translated. In this example, source IP addresses will be translated to the IP address of WAN1, which is 202.96.1.1. Therefore, select Specified IP and set the IP address. ...
  • Page 58 To edit a rule, click the name of the rule and then edit the rule in the displayed dialog box. 8. Add a filtering rule to allow data from the LAN to the wide area network (WAN). For details, see section 3.2.2.1. ...
  • Page 59: Ipv4 Dnat

    Basic Rule. In the displayed dialog box, select Enabled and set the rule name. 2. In Protocol, set the data conditions of this DNAT rule and the destination IP address and port. In Protocol, select the type of protocol data for which IPv4 DNAT needs to be performed. In Dst Port, ...
  • Page 60 WAN1 connects to the intranet through a fiber. A public network IP address 202.96.137.89 exists and the domain name is www.sangfor.com. An IPv4 DNAT rule needs to be configured to publish the intranet server to the public network so that users on the LAN (192.168.1.0/255.255.255.0, connected to the LAN interface) can access 192.168.1.80 by visiting the...
  • Page 61 WAN interface to the device. In this example, the public network IP address corresponding to the domain name www.sangfor.com is the IP address of WAN1. Therefore, select WAN1. 3. In Source Address, set the source IP address in the DNAT rule. In this example, the intranet server is mapped to the public network and the public network IP address is not fixed.
  • Page 62 6. In Mapped IP, set the IP address to which the IP addresses of data meeting the conditions are translated. In this example, the IP address of the destination server is 192.168.1.80. Therefore, select Specified IP and enter 192.168.1.80. 7. In Mapped Port, set the port to which the ports of access requests meeting the conditions are ...
  • Page 63: Ipv6 Nat

    IP addresses of data that meets the conditions and is forwarded by the device. Destination NAT involves translating the destination IP addresses of data meeting the conditions. You can manage source IPv6 NAT rules, including adding and deleting rules. See the following figure. ...
  • Page 64 Source NAT: Set the range of IPv6 addresses to which source IP addresses of data meeting the conditions are translated. In this example, source IP addresses will be translated to 3000::/64. 2. Click Add and select Destination NAT. See the following figure. ...
  • Page 65: Network

    In this example, destination IP addresses will be translated to 2000::/64. See the following figure. 3.1.3 Network 3.1.3.1 Deployment On the Deployment Mode panel, you can set the operating mode of the device to route, single arm, ...
  • Page 66 Click Settings and three deployment modes are displayed: route, bridge, and bypass. Select a deployment mode for the device. Before deploying the device on the network, you are advised to configure information including the deployment mode, interfaces, routes, and users of the device. The default IP addresses of interfaces ...
  • Page 67 Internet access for the LAN. The following figure shows a typical deployment scenario. Example: The customer's network covers L3. The device functions as a gateway to implement Internet access for intranet users. A public network line (fiber) is available and assigned a fixed IP address. ...
  • Page 68 2. In the navigation area, choose System > Network > Deployment. On the Deployment pane on the right, click Settings. On the page shown in the following figure, select the route mode and click Next. 3. Define a LAN interface and a WAN interface. Specifically, select an idle network interface and click ...
  • Page 69 Other idle network interfaces can be added to any interface list. 4. Click Next and configure the IP address of the LAN interface. In this example, set the IP address of LAN interface eth0 to 192.168.20.1/255.255.255.0. ...
  • Page 70 IP address. Therefore, select Specified. If the public network IP address is automatically obtained over DHCP, select Auto assign. In this example, the public network IP address has been assigned. Therefore, enter the assigned public ...
  • Page 71 If PPPoE is employed, connect the WAN interface to a modem. If Enable is selected in Auto Dial-up, automatic dialup is performed after the connection line is disconnected abnormally or the device is restarted. Enter the dialup account and password. 6. Configure DMZ interface eth1. Set the IP address and subnet mask. ...
  • Page 72 The rule name and the IP address to which a source address is translated cannot be modified here. They can be modified on the IPv4 SNAT page. If Internet access needs to be achieved for users on another network segment through a proxy, add another IPv4 SNAT rule on IPv4 SNAT. For details, see section 3.2.2.2. ...
  • Page 73 8. Confirm the configuration information and click Commit. ...
  • Page 74 3. After an 802.1q VLAN address is configured for the LAN interface, the LAN interface can connect to the trunk interface of an L2 switch that supports VLAN. The device (one-armed router) can then forward data among VLANs and implement firewall rules between LANs. The device can implement ...
  • Page 75 This unit functions as a proxy server, and controls and audits Internet access, since data goes through it. Take the following scenario for example. The unit is deployed in Single Arm mode and used to proxy, accelerate and control Internet access. The network topology is as shown below: ...
  • Page 76 IP address of IAM (https://10.251.251.251) into the address bar to visit the Web admin console of IAM. On the login page, log in to the IAM console with the default account admin/admin. Navigate to the System > Network > Deployment page. Click Settings, select Single Arm Mode and click Next. ...
  • Page 78 Select an available interface as the Manage Interface and configure an IPv4 address for the interface (an IPv6 address is also supported). The default Manage interface is eth1, through which users can connect to this unit. After configuring the Manage interface, click Next. ...
  • Page 79 Make sure the network settings are correct, then click Commit. When you click Commit, the following dialog pops up to notify you that applying the settings requires ...
  • Page 80: Bridge Mode

    Operating environment 2: If Virtual Router Redundancy Protocol (VRRP) or Hot Standby Router Protocol (HSRP) is enabled on the intranet, the device can be deployed in multi-bridge mode to implement basic audit control functions without affecting Active-Standby handovers of the original firewalls. The following figure shows the two operating environments. ...
  • Page 81 LAN interface, whose default IP address is 10.251.251.251/24, configure an IP address on this network segment on the PC and log in to the device by accessing https://10.251.251.251. The default login username and password are both admin. ...
  • Page 82 3. Add a LAN interface and a WAN interface to form a bridge and configure two bridges. See the following figure. LAN Interface: Select an internal network interface from LAN Interface. WAN Interfaces: Select a WAN interface from WAN Interface. Bridge: Bridges are defined in Bridge. Data can be forwarded between interfaces on a bridge and ...
  • Page 83 The following describes the configuration in detail. When the device operates in bridge mode, the bridge IP address can be empty. The bridge IP addresses must be on different network segments and the VLAN IDs must be unique. ...
  • Page 84 6. Configure the gateway address and DNS address. Configure the default gateway and DNS address. In this example, two idle IP addresses are assigned as the bridge IP addresses. The default gateway points to the virtual IP address of the front-end ...
  • Page 85 1. When the device operates in bridge mode, the gateway addresses of all PCs on the LAN do not need to be modified. Retain the internal interface IP address that points to the front-end device. 2. During data penetration, ensure that the WAN connects to the front-end router and the LAN ...
  • Page 86 Internet access data. In bypass mode, the network will not be interrupted even if the device breaks down. Typical application scenarios are shown in the figures below. ...
  • Page 87 To solve this problem, connect the management interface (DMZ interface) of the device to the intranet switch and assign an idle IP address for the device to communicate with the public network and intranet. Connect the DMZ to the intranet switch. ...
  • Page 88 2. In the navigation area, choose System > Network > Deployment. On the Deployment pane on the right, click Settings. On the page shown in the following figure, select the bypass mode and click Next. ...
  • Page 89 192.168.1.1-192.168.1.10 access other network segments (external network), the data will not be monitored. In Advanced, set the monitoring server list. If an IP address on a monitored network segment is accessed, the data will be monitored. For example, a web server exists on the intranet and the ...
  • Page 90 Therefore, add the IP address of this web server to the monitoring server list. Some TCP control functions can be implemented in bypass mode based on monitoring. In other words, only data that can be monitored can be controlled. 5. Confirm the configuration information and click Commit. ...
  • Page 91 5. In bypass mode, the device mainly implements the monitoring function and the control function is not as comprehensive as in route mode and bridge mode. Only TCP connections can be restricted, such as by URL filtering, keyword filtering, and mail filtering. User Datagram Protocol (UDP) connections, such as P2P connections, are not restricted. ...
  • Page 92: Network Interface Configuration

    MAC Address: indicates the address of the physical network adapter of a network interface. MTU: indicates the MTU of a network interface, which ranges from 700 to 1800. The MTU must be set to at least 1280 if IPv6 is enabled; otherwise, IPv6 addresses will be cleared. ...
  • Page 93 The procedure for configuring a network interface is as follows: On the Interfaces page, click the name of the physical interface. For example, to configure eth0 on the LAN, click eth0. The LAN Interface page is displayed, as shown in the following figure. ...
  • Page 94 10.10.0.0/255.255.0.0, and IP address 10.10.0.1 is not used on the intranet, 2/10.10.0.1/255.255.0.0 can be entered in the IP address list. Add information about other VLANs (802.1q) one by one on different rows. To configure eth2 on the WAN, click eth2 and the WAN Interface Configuration page is displayed. ...
  • Page 95 If Specified is selected in Address, a fixed IP address assigned by the carrier can be configured for this network interface, or auto assign can be enabled, depending on the actual situation. In PPPoE, Internet access is implemented through ADSL dialup. The dialup username and password ...
  • Page 96 MAC Address: indicates the address of the physical network adapter of a network interface. MTU: indicates the MTU of a network interface, which ranges from 700 to 1800. The MTU must be set to at least 1280 if IPv6 is enabled; otherwise, IPv6 addresses will be cleared. ...
  • Page 97 To configure a bridge, click its name. The Bridge Configuration page shown in the following figure is displayed. To change the IP address of the default gateway, change it to another IP address on the same segment. Otherwise, you need to change it on the Deployment page. ...
  • Page 98 2/10.10.0.1/255.255.0.0 can be entered in the IP address list. Add information about other VLANs (802.1q) one by one on different rows. In bridge mode, you can define the management interface. Click Interfaces. On the MANAGE Interface page, set the IP address, which can be an IPv4 or IPv6 address. ...
  • Page 99: Static Routes

    When a PC on the intranet accesses the Internet, the data is forwarded to the device by the L3 switch. However, when the device forwards data to the PC, the destination is unclear because the IP address of the PC is on another network segment. As a result, Internet access failure occurs. To solve this ...
  • Page 100 Destination: destination network ID. Subnet Mask: subnet mask of the target network. Next-Hop IP: next-hop IP address to the target network. Interface: interface through which data is forwarded. Click Routing Table to display all system routes, including IPv4 and IPv6 routes. ...
  • Page 101: Policy-Based Routing

    There are multiple external network lines on the device, for example, a China Telecom line and a China Unicom line. The customer requires that data is forwarded over the China Telecom line when intranet users access China Telecom servers and over the China Unicom line when intranet www.sangfor.com...
  • Page 102 Therefore, a policy-based route needs to be set to ensure that data to the specified address is forwarded over line 1. 1. Add an IP group named Online Banking. Set the IP address to 127.8.66.42. 2. Click Add. The Policy-Based Routing dialog box is displayed. www.sangfor.com...
  • Page 103 China Unicom servers. Assume that line 1 is a China Telecom line and line 2 is a China Unicom line. 1. Set a Link State Detection policy. Click Link State Detection. The Link State Detection page is displayed. www.sangfor.com...
  • Page 104 2s and a failure is detected for over three times. 2. Set a policy-based route to forward data whose destination address is a China Telecom server over line 1, the China Telecom line, and data whose destination address is a China Unicom server over line www.sangfor.com...
  • Page 105 3.3.8) can be imported. To obtain the policy-based routing file of a carrier, contact the 400 hotline or access the technical forum of SANGFOR. On the Policy-Based Routing page, click Import, select the policy-based routing table of line 2, and...
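    The two-line setup above can be modelled in code. The following is an added example (JavaScript, not Sangfor's implementation): it does a longest-prefix policy lookup for a destination address, feeds in link state detection results with the manual's threshold (a line is down after more than three consecutive failures), and falls back to the other line when the preferred one is down. The line names, the RFC 5737 documentation prefixes standing in for the carriers' address lists, and the fallback behaviour are assumptions; the 127.8.66.42 host is the manual's Online Banking example.

```javascript
// Added example (not Sangfor code): policy-based routing lookup with
// link-state-detection fallback, modelled on the manual's two-line setup.
// Prefixes are constructed (RFC 5737 documentation ranges stand in for the
// carriers' real address lists, which the device takes from the imported ISP file).
function ipToInt(ip) {
  const octets = ip.split('.').map(Number);
  if (octets.length !== 4 || octets.some(o => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error('bad IPv4 address: ' + ip);
  }
  return octets.reduce((acc, o) => (acc << 8) + o, 0) >>> 0;
}

function parseCidr(cidr) {
  const [ip, lenText] = cidr.split('/');
  const len = lenText === undefined ? 32 : Number(lenText);
  if (!Number.isInteger(len) || len < 0 || len > 32) throw new Error('bad prefix length: ' + cidr);
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  return { net: (ipToInt(ip) & mask) >>> 0, mask, len };
}

class PolicyRouter {
  // lines: names of the external lines; defaultLine: where unmatched traffic goes.
  constructor(lines, defaultLine, maxFailures = 3) {
    this.lines = lines;
    this.defaultLine = defaultLine;
    this.maxFailures = maxFailures;   // line is down once failures exceed this ("over three times")
    this.entries = [];
    this.failures = new Map();        // line -> consecutive probe failures
  }
  // One policy: every prefix in the list is sent over `line` (an imported ISP table,
  // or a single host such as the Online Banking IP group).
  addPolicy(name, line, cidrs) {
    for (const c of cidrs) this.entries.push({ name, line, prefix: parseCidr(c) });
  }
  // Feed the result of each link state probe (sent every 2 s in the manual's example).
  probe(line, ok) {
    this.failures.set(line, ok ? 0 : (this.failures.get(line) || 0) + 1);
  }
  isUp(line) { return (this.failures.get(line) || 0) <= this.maxFailures; }

  route(dstIp) {
    const dst = ipToInt(dstIp);
    let best = null;                  // longest matching prefix wins
    for (const e of this.entries) {
      if (((dst & e.prefix.mask) >>> 0) === e.prefix.net &&
          (best === null || e.prefix.len > best.prefix.len)) best = e;
    }
    const preferred = best ? best.line : this.defaultLine;
    if (this.isUp(preferred)) {
      return { line: preferred, reason: best ? `policy "${best.name}"` : 'no policy match, default line' };
    }
    // Preferred line failed detection: fall back to another line that is still up.
    const fallback = this.lines.find(l => l !== preferred && this.isUp(l));
    return fallback === undefined
      ? { line: preferred, reason: 'all lines down' }
      : { line: fallback, reason: `${preferred} down, fallback` };
  }
}

// The manual's scenario with constructed prefixes (assumed, not real carrier ranges).
function buildExampleRouter() {
  const r = new PolicyRouter(['line1', 'line2'], 'line1');
  r.addPolicy('Online Banking', 'line1', ['127.8.66.42/32']);                 // the manual's IP group example
  r.addPolicy('China Telecom', 'line1', ['192.0.2.0/24']);                    // stand-in for the Telecom list
  r.addPolicy('China Unicom', 'line2', ['198.51.100.0/24', '198.51.100.128/25']); // stand-in for the Unicom list
  return r;
}
```

    In the real device the carrier prefix lists come from the imported ISP file (Objects > ISP, section 3.3.8) rather than hand-entered CIDRs, and what happens when a line fails is whatever the Link State Detection policy specifies; the example only makes the decision logic visible.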
  • Page 106: High Availability

    The devices work at the same time. In this way, when a line fails, the device can seamlessly switch to another line, ensuring consistency in the policy and user status. This is similar to the working principle in a VRRP environment. Both modes aim to ensure...
  • Page 107 The configurations on the standby device are the same as those on the active device. The following figure shows the topology. The procedure is as follows: 1. Select the Active-Standby mode and set related parameters. In the navigation area, choose System > Network > HA. See the following figure.
  • Page 108 Device Name: Enter a name that distinguishes the current device from the other. Role of This Device: Set the role of the current device to Active unit or Standby unit. In this example, select Active unit. 3. Configure the active device.
  • Page 109 Email Alarm: This field specifies whether to send an alarm mail when a switchover occurs. Click the hyperlink on the right to access the alarm configuration page. An alarm will also be triggered if a manual switchover is performed. 3. Configure the standby device as follows:
  • Page 110 The deployment of the devices will not affect the operation and switchover of the original network. As shown in the following figure, configure multiple SANGFOR IAMs in Master-Master mode. Ensure that the devices can still work properly after a VRRP switchover caused by a link fault.
  • Page 111 The configuration procedure is as follows: 1. In the navigation area, choose System > Network > HA. The HA page is displayed. 2. Select Master-Master and click Settings. The HA mode configuration page is displayed, as shown in the following figure.
  • Page 112 Email Alarm: This field specifies whether to send an alarm mail when a device goes offline. If this option is selected, you need to configure an alarm mail. 4. Set another device as a node device. The configuration page is shown in the following figure.
  • Page 113 The control device can synchronize configurations. Click Synchronize. The device then sends a synchronization signal, and configurations and information are synchronized. The status of all online node devices is displayed in Online Devices. After configuration, the page showing the information about the online devices is displayed.
  • Page 114 8. A device supports only Master-Master in bridge mode, and both Master-Master and Active-Standby in route mode. If Active-Standby is used in bridge mode, an upgrade cannot be performed and a message will be displayed, prompting the customer to change the HA mode to Master-Master.
  • Page 115: Hosts

    If the active or control device is disconnected, the HA indicator is steady on, indicating an exception. 3.1.3.6 HOSTS The HOSTS file is a built-in hosts file on the unit, which contains the mappings between IP addresses and domain names/hostnames. Navigate to the System > Network > Hosts page, as shown below:
  • Page 116: DHCP

    192.168.1.100–192.168.1.199. The PC of the manager needs to be assigned the fixed IP address 192.168.1.100. 1. Enable the DHCP service. 2. In Interface, select an interface for which DHCP is to be enabled. Here select the LAN interface. Set the lease duration and DHCP network parameters.
  • Page 117 4. Click Reserved IP Addresses and set a reserved IP address. Based on the MAC address, assign a fixed IP address to the PC. Click Add and enter the name, fixed IP address, MAC address, and hostname in the displayed dialog box.
  • Page 118: Protocol Extension

    Example: A PC needs to connect to the PPPoE server through dialup and can access the Internet after authentication. The SANGFOR IAM is deployed in bridge mode between the PC and the PPPoE server and needs to audit and control the online behaviors of the PC.
  • Page 119 If L2TP does not use the default port 1701 for communication, double-click the protocol rule and edit the port information. Multiple ports can be separated by commas (,). If multiple special protocols exist in the protocol de-encapsulation list, select the corresponding protocol rules.
  • Page 120: Optical Bypass Module

    When a power failure occurs, the device restarts due to a breakdown, or a network interface becomes abnormal, the device stops processing data and switches to the optical bypass module. This is a fail-open design: while the bypass is active, traffic passes through without inspection or policy enforcement. The optical bypass module configuration page is displayed only in bridge mode, as shown in the following figure.
  • Page 121 Click Add Optical Bypass Module to add an optical bypass module. In the Add Optical Bypass Module dialog box, set Optical Module ID and Bridge. Enter the module ID of the bypass switch in Optical Module ID. See the following figure.
  • Page 122: General

    On the Licensing page, you can set the Device License, Multi-Function License, Antivirus License, Application Signature Database, Software Update License, WiFi Access License, Third Party URL Database License and Sangfor URL Database. Device License: The device license is used to activate the device and authorize the number of lines, number of branches, and number of mobile users.
  • Page 123: Administrator

    Third Party URL Database License: This license is used to activate the update validity period of the URL Database from third parties. Sangfor URL Database: This license is used to activate the update validity period of the URL Database from Sangfor. Click Edit and enter the license to activate the authorization of the corresponding function.
  • Page 124 Role dialog box is displayed. Click Add, enter the role name and description of the role to be added, and click Commit. 2. Create an administrator account. Click Add. The dialog box for creating an administrator account is displayed. Set related parameters on the Login Security tab.
  • Page 125 You can set a single IP address or an IP address segment. Set one IP address in each row; a maximum of 32 rows can be set. This login source restriction limits where the console can be reached from and is worth setting for every administrator account. 3. On the Realm page, set the permission for the added administrator account to manage a user group. Click Select and select a group in the displayed organization structure.
  • Page 126 4. In Permission, set whether the administrator account has the permission to view or edit other modules on the console.
  • Page 127 Users and Object pages. Assign the role "Manager" to the administrator account. 1. Add a role. On the Administrator page, click Administrative Roles. In the Administrative Roles dialog box, click Add, enter the role name Manager and a description of the role, and click OK.
  • Page 128 Manager. On the Login Security page, enter the password @1234abcd (the manual's example; use a strong, unique password in production) and confirm the password. 3. On the Realm page, click Select, select Director Group in the displayed organization structure, and click Commit.
  • Page 129 6. Log in to the console with the account emily. You can view online users in the Network department group and mail approval information, manage the Director Group group with its Internet access policies and Objects, and set user authentication.
  • Page 130 1. Add two administrator roles: "Campus administrator" and "School administrator". In the Administrative Roles list, roles are displayed in descending order of permission level. As shown in the following figure, the permission level of the "Campus administrator" role is higher than that of the "School administrator" role.
  • Page 131 2. Create two administrator accounts test1 and test2. Associate test1 with the "Campus administrator" role, which can manage all students. Associate test2 with the "School administrator" role, which can manage the students of the computer school.
  • Page 132 3. Log in to the console with the administrator account test1 and define a policy named No Game...
  • Page 133 2. A higher-level administrator can set whether to allow a lower-level administrator to view the defined policy, or whether to allow an administrator of the same level to view and edit the defined policy. 3. By default, a lower-level administrator cannot modify the Internet Access Policy defined by a...
  • Page 134: Date/Time

    3.1.4.3 Date/Time On the Date/Time page, you can set the system time of the SANGFOR IAM. You can directly change the system time or by synchronizing the system time with the time server.
  • Page 135: Update

    On the Update page, you can configure and manage system update, proxy server, and database update. 3.1.4.4.1 System Update On the System Update page, you can upload an upgrade package to upgrade the software of the device, as shown in the following figure.
  • Page 136: Proxy Server

    Authentication required, and enter the username and password. See the following figure. 3.1.4.4.3 Database Update On the Database Update page, you can manage the update of the virus database, URL database, system patches, application signature database, and audit rule database.
  • Page 137: Alarm Options

    The alarm conditions that can be enabled include: Sensitive keyword is detected; Disk usage exceeds threshold; Throughput exceeds threshold; Report Center related error; CPU usage exceeds threshold; Memory usage exceeds threshold; Give alert when MAC address is excluded automatically.
  • Page 138 Period (minute) to 5 and Maximum (Kbps) to 100, an alarm will be reported if the traffic exceeds 100 kbps for 5 minutes. When both parameters are set to 0, no alarm will be reported. Click OK for the settings to take effect. See the following figure.
  • Page 141: Global Exclusion

    Click Send Testing Email to send a test mail. Click Commit for the settings to take effect. 3.1.4.6 Global Exclusion On the Global Exclusion page, you can add the IP address of an intranet user or a destination server...
  • Page 142 In Custom Excluded Addresses, you can add exclusion addresses. Specifically, click Add, enter the description and address in the displayed Add Excluded Address dialog box, and click OK for the settings to take effect. Traffic to or from an excluded address is left out of the device's identification and control, so keep this list short and review it periodically.
  • Page 143: Backup/Restore

    3.1.4.7 Backup/Restore On the Backup/Restore page, you can download and save the device configuration, or import a backed-up device configuration file. A configuration backup is as sensitive as the device's own administrative settings; store it with restricted access.
  • Page 144: Custom Webpage

    On the Custom Webpage page, you can define the custom pages to which the device redirects. Two types of pages can be defined: bulletin board and other pages, which include the following: Access Denied; Virus Detected; Daily online duration quota has been used up; ...
  • Page 145 On the Bulletin Board pane, click the name of a Bulletin Board. The Edit Predefined Bulletin Board dialog box is displayed, as shown in the following figure. In the Edit Predefined Bulletin Board dialog box, you can change the source code to change the page...
  • Page 146: Report Center

    Click External Report Center to access the web UI of the external report center. The default username and password for logging in to the external report center are both admin. Change this default password immediately after installation. See the following figure.
  • Page 147 Enter the synchronization account information for the external report center in Policy Name and Pre-Shared Key. In Web-Access Port, set the port used by the external report center to provide web services. Then click Commit. On the Internal Report Center page, set the disk alarm parameters and automatic log deletion parameters.
  • Page 148: Advanced Settings

    In this case, it is recommended that an external report center be installed. Click OK to finish the settings. 3.1.4.10 Advanced Settings On the Advanced page, you can complete other system settings of the device, including Web UI, Proxy, Remote Tech Support, Syslog Server, Central Management, Device Name, Server Certificate, ...
  • Page 149 Click Certificate to download the SSL certificate of the console. After this certificate is installed in the browser's trust store, the certificate warning will no longer be displayed on the login page of the console. Click Commit to save the settings.
  • Page 150 Therefore, it is recommended that the IP address of a proxy server is listed. Click Commit to save the settings. 3.1.4.10.3 Remote Tech Support On the Remote Tech Support page, you can set whether to allow remote login to the device from a...
  • Page 151 After technical support assistance is enabled, technical support engineers can remotely connect to the device and the intranet. Click to enable access to the system back end, which is disabled again after one day by default. Because this grants an outside party access to the device and the intranet, enable it only for the duration of a support session and disable it as soon as the session ends. To download the black box for the last 1 to 30 days, click the Download Black Box button.
  • Page 152: Syslog Server

    Select Error Logs to synchronize the error logs on the device to the Syslog server. Select Email Alarm Logs to synchronize the email alarm logs on the device to the Syslog server. Select Admin Logs to synchronize the administrator operation logs to the Syslog server.
  • Page 153 Shared Secret: If a shared key is set on the web agent at the headquarters, the same shared key must be set here. The manual states that generally no shared key needs to be set; setting one nevertheless adds an authentication check on the connection to the central end. After the IAM is connected to the central end for centralized management, the...
  • Page 154: Server Certificate

    A certificate needs to be generated when the device is connected to the central end for centralized management. A hardware certificate uniquely identifies an IAM. To prevent other IAMs from connecting to the central end using the same account, a hardware certificate can be generated and imported into the central end. See the following figure.
  • Page 155 In Virtual IP, set virtual IPv4 and IPv6 addresses. The client will be redirected to a virtual IP address. 3.1.4.10.9 SNMP On the SNMP page, you can set and enable the SNMP function for the IAM. See the following figure.
  • Page 156 MD5 or SHA. Encryption: to enable DES encryption and set an encryption password. Download MIB: Click this button to download the MIB of the device and import it into the SNMP management software to monitor the parameters of the device. When SNMPv3 is used, prefer SHA over MD5 for authentication, and bear in mind that DES is a weak cipher by current standards; in any case, allow SNMP access only from the management network.
  • Page 157: Diagnostics

    On the System Logs page, you can view the run logs of each module of the device and therefore determine whether the modules run properly. Click Filter. On the Filter page that is displayed, select a log type, as shown in the following figure.
  • Page 158: Capture Packets

    3.1.5.2 Capture Packets The capture packets tool captures packets passing through the device to quickly locate problems and detect errors. Click Options to display the Options dialog box, as shown in the following figure.
  • Page 159 Click Stop to stop capturing packets. A .pcap file is generated, as shown in the following figure. Click Delete to delete the specified file, Download to download the file to the specified path, or Refresh to view real-time information about the packet capturing results. The file can be opened using Sniffer or Ethereal (now Wireshark). A capture may contain user credentials and other sensitive payload in clear text, so handle downloaded capture files accordingly and delete them from the device when they are no longer needed.
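    To show what such a capture file actually contains, here is an added example (JavaScript, not part of the manual or the device) that assembles a classic libpcap file in memory from constructed Ethernet/IPv4/UDP frames, truncates them to a snaplen as a real capture would, and parses the file back into per-packet summaries, verifying the IPv4 header checksum along the way. The MAC addresses, IP addresses, ports, timestamps and payload are constructed.

```javascript
// Added example (not Sangfor code): build a classic libpcap file in memory from
// constructed packets and parse it back, i.e. what Wireshark does with the .pcap
// that the device's capture tool produces.
const LINKTYPE_ETHERNET = 1;

function ipv4Bytes(ip) { return Buffer.from(ip.split('.').map(Number)); }
function ipv4String(buf, off) { return Array.from(buf.subarray(off, off + 4)).join('.'); }

// RFC 1071 one's-complement sum; over a header that includes its own checksum it yields 0.
function checksum16(buf) {
  let sum = 0;
  for (let i = 0; i < buf.length; i += 2) sum += (buf[i] << 8) + (i + 1 < buf.length ? buf[i + 1] : 0);
  while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
  return (~sum) & 0xffff;
}

// Constructed Ethernet/IPv4/UDP frame carrying an arbitrary payload.
function buildUdpFrame(srcIp, dstIp, srcPort, dstPort, payload) {
  const eth = Buffer.alloc(14);
  Buffer.from([0x00, 0x11, 0x22, 0x33, 0x44, 0x55]).copy(eth, 0); // destination MAC (constructed)
  Buffer.from([0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb]).copy(eth, 6); // source MAC (constructed)
  eth.writeUInt16BE(0x0800, 12);                                    // EtherType IPv4
  const udp = Buffer.alloc(8 + payload.length);
  udp.writeUInt16BE(srcPort, 0); udp.writeUInt16BE(dstPort, 2);
  udp.writeUInt16BE(udp.length, 4); udp.writeUInt16BE(0, 6);        // UDP checksum is optional over IPv4
  payload.copy(udp, 8);
  const ip = Buffer.alloc(20);
  ip[0] = 0x45;                                 // version 4, IHL 5 (20 bytes)
  ip.writeUInt16BE(20 + udp.length, 2);         // total length
  ip[8] = 64; ip[9] = 17;                       // TTL, protocol UDP
  ipv4Bytes(srcIp).copy(ip, 12); ipv4Bytes(dstIp).copy(ip, 16);
  ip.writeUInt16BE(checksum16(ip), 10);         // header checksum over the zero-checksum header
  return Buffer.concat([eth, ip, udp]);
}

// Classic pcap: 24-byte global header, then per-packet 16-byte record headers.
function buildPcap(frames, snaplen = 65535) {
  const gh = Buffer.alloc(24);
  gh.writeUInt32LE(0xa1b2c3d4, 0);                      // magic (little-endian, microsecond timestamps)
  gh.writeUInt16LE(2, 4); gh.writeUInt16LE(4, 6);       // version 2.4
  gh.writeInt32LE(0, 8); gh.writeUInt32LE(0, 12);       // thiszone, sigfigs
  gh.writeUInt32LE(snaplen, 16); gh.writeUInt32LE(LINKTYPE_ETHERNET, 20);
  const records = frames.map(({ tsSec, tsUsec, data }) => {
    const kept = data.subarray(0, snaplen);             // truncated to snaplen, like a real capture
    const rh = Buffer.alloc(16);
    rh.writeUInt32LE(tsSec, 0); rh.writeUInt32LE(tsUsec, 4);
    rh.writeUInt32LE(kept.length, 8); rh.writeUInt32LE(data.length, 12); // incl_len, orig_len
    return Buffer.concat([rh, kept]);
  });
  return Buffer.concat([gh, ...records]);
}

// Parse a pcap buffer into per-packet summaries (Ethernet/IPv4/UDP decoded where present).
function parsePcap(buf) {
  const magic = buf.readUInt32LE(0);
  let le;
  if (magic === 0xa1b2c3d4) le = true;
  else if (magic === 0xd4c3b2a1) le = false;            // written on a big-endian host
  else throw new Error('not a classic pcap file');
  const u32 = off => (le ? buf.readUInt32LE(off) : buf.readUInt32BE(off));
  const linktype = u32(20);
  const packets = [];
  let off = 24;
  while (off + 16 <= buf.length) {
    const p = { tsSec: u32(off), tsUsec: u32(off + 4), inclLen: u32(off + 8), origLen: u32(off + 12) };
    off += 16;
    if (off + p.inclLen > buf.length) throw new Error('truncated record at offset ' + off);
    const data = buf.subarray(off, off + p.inclLen);
    off += p.inclLen;
    if (linktype === LINKTYPE_ETHERNET && p.inclLen >= 34 && data.readUInt16BE(12) === 0x0800) {
      const ihl = (data[14] & 0x0f) * 4;
      if (p.inclLen >= 14 + ihl) {
        p.src = ipv4String(data, 26); p.dst = ipv4String(data, 30); p.proto = data[23];
        p.ipChecksumOk = checksum16(data.subarray(14, 14 + ihl)) === 0;
        if (p.proto === 17 && p.inclLen >= 14 + ihl + 4) {
          p.srcPort = data.readUInt16BE(14 + ihl); p.dstPort = data.readUInt16BE(14 + ihl + 2);
        }
      }
    }
    packets.push(p);
  }
  return packets;
}
```

    The origLen/inclLen pair is what tells an analyst that a capture was truncated: when the two differ, the tool's snaplen option cut the packet short and payload-level evidence may be missing.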
  • Page 160: Web Console

    Input any command on the command console and press Enter, as shown in the following figure. Commands entered here execute on the device itself, so access to this page should be limited to the administrators who need it (see the login source restrictions under Administrator).
  • Page 161: Troubleshooting

    On the Troubleshooting page, you can query which module of the device rejects a packet and the rejection reason, to quickly locate a configuration error or test whether some rules take effect. Click Settings. On the Filter page, set the filtering conditions, as shown in the following figure.
  • Page 162 This protects the network environment against the excessively heavy traffic that would occur because all data is transmitted straight through. If this option is not selected, the traffic management policies are not effective. By default, straight-through transmission is not enabled for the traffic management module.
  • Page 163: Shutdown

    After the interception logging and straight-through transmission functions are enabled, they remain enabled even after the device is restarted, unless the administrator manually clicks Close. Because straight-through transmission passes traffic without enforcing policy, close it as soon as troubleshooting is finished. 3.1.5.5 Shutdown On the Shutdown page, the Restart Device and Restart Service buttons are available, as shown in the following figure.
  • Page 164: Proxy

    The IAM unit can function as a proxy server. By enabling this function and configuring the unit as the proxy server in a web browser, internal users access the Internet through the unit, which can therefore manage and control their Internet activities. 3.2.1 Proxy Services Available proxy services include HTTP proxy, SOCKS4/SOCKS5 proxy and proxy auto-config (PAC) script.
  • Page 165 To edit a PAC script, click Edit Script, as shown below: The page provides the following operations: Import, Restore Defaults, Download Example. Import allows administrators to import an existing PAC file to the unit;
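    Here is an added example of a PAC script of the kind that could be imported on this page; it is not the unit's default script. A PAC file only needs FindProxyForURL; the helper functions isPlainHostName, dnsDomainIs, shExpMatch and isInNet are supplied by the browser and are re-implemented here only so the script can be exercised offline under Node. The proxy address 10.1.1.1, the ports 8080 and 1080 and the internal domain names are assumptions.

```javascript
// Added example (not the unit's default script): a PAC script that sends internal
// traffic direct and everything else through the IAM's HTTP/SOCKS5 proxy.
// Only FindProxyForURL belongs in the real PAC file; the browser provides the
// helpers below, which are re-implemented here so the script runs under Node.
function isPlainHostName(host) { return host.indexOf('.') === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}
function shExpMatch(str, pattern) {                 // shell-style glob with * and ? only
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp('^' + re + '$').test(str);
}
function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}
function isInNet(host, net, mask) {
  // A browser resolves a hostname here; offline we only accept a literal IPv4 address.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return ((ipToInt(host) & ipToInt(mask)) >>> 0) === ((ipToInt(net) & ipToInt(mask)) >>> 0);
}

const IAM_PROXY = '10.1.1.1';   // assumed address of the IAM interface the proxy listens on

function FindProxyForURL(url, host) {
  // 1. Plain hostnames and RFC 1918 space are reached directly; the IAM is not in that path.
  if (isPlainHostName(host) ||
      isInNet(host, '10.0.0.0', '255.0.0.0') ||
      isInNet(host, '172.16.0.0', '255.240.0.0') ||
      isInNet(host, '192.168.0.0', '255.255.0.0')) {
    return 'DIRECT';
  }
  // 2. The internal domain (assumed names) is also direct.
  if (dnsDomainIs(host, '.corp.example') || shExpMatch(host, 'intranet-*.example')) return 'DIRECT';
  // 3. FTP cannot go through the HTTP proxy; hand it to the SOCKS5 proxy.
  if (shExpMatch(url, 'ftp:*')) return 'SOCKS5 ' + IAM_PROXY + ':1080';
  // 4. Everything else: HTTP proxy, SOCKS5 as fallback. Deliberately no trailing
  //    "DIRECT": if the proxy is down, clients must not silently bypass the IAM.
  return 'PROXY ' + IAM_PROXY + ':8080; SOCKS5 ' + IAM_PROXY + ':1080';
}
```

    The omission of a final DIRECT in the last return value is the security-relevant choice: with "PROXY ...; DIRECT", a browser that cannot reach the proxy connects directly and bypasses the IAM's audit and control.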
  • Page 166: Proxies

    On the Proxies page, you can perform the following operations: Add, Delete, Enable, Disable, Move Up and Move Down. 3.2.2.1 HTTP Proxy To add an HTTP proxy, click Add, select HTTP Proxy and configure the fields on the following page:
  • Page 167 Enable: Select this option to enable this HTTP proxy. Name: Specifies a distinguishable name for this HTTP proxy. Description: Description of this HTTP proxy. Object: Allows you to specify the source IP group and destination domain for this HTTP proxy.
  • Page 168 Auto, the proxy IP address will be chosen automatically. You can also select a specific IP address from the pull-down list. The list contains the IP addresses of VLAN interfaces, WAN interfaces, bridge interfaces, DMZ interfaces, and interfaces for Single Arm mode (excluding the IP addresses of LAN interfaces).
  • Page 169: SOCKS4 Proxy

    Source: Specifies the IP group. Default is the All group. You can also select one or more IP groups specified in Objects > IP Group. Leave Source at All only if every host that can reach the proxy address should be allowed to use it; otherwise restrict it to the intended IP groups so the unit does not become an open proxy. Options: Allows you to specify the action and proxy IP address for this SOCKS4 proxy.
  • Page 170: SOCKS5 Proxy

    3.2.2.3 SOCKS5 Proxy To add a new SOCKS5 proxy, click Add, select SOCKS5 Proxy and configure the fields on the following page: Enable: Select this option to enable this SOCKS5 proxy. Name: Specifies a distinguishable name for this SOCKS5 proxy.
  • Page 171: ICAP Server Groups

    Proxy data can be sent from this unit to an ICAP server, which can perform virus scanning and data loss prevention (DLP) on the proxy data. You can configure at most 64 ICAP server groups, and each server group can contain one or more ICAP...
  • Page 172 ICAP server in the server group by turns. An ICAP server is given a unique IP address and port, and must not exist in two different ICAP server groups. To add a new ICAP server group, click Add and configure the following fields:
  • Page 173 To add an ICAP server, click Add Server and configure the following fields. Name: Specifies a distinguishable name for this ICAP server. Description: Descriptive information about this ICAP server. Server IP: Specifies the address of this ICAP server. It cannot exceed 96 characters. IPv6 addresses are supported as well.
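    The following added example (JavaScript, not Sangfor's code) shows the mechanics behind these settings: round-robin selection within a server group with the one-group-per-server check, the REQMOD request (RFC 3507) a proxy sends with the client's HTTP headers encapsulated, and how a scanner's 204 and 200 replies are classified. The server names, addresses, the service name "reqmod" and the two sample replies are constructed.

```javascript
// Added example (not Sangfor code): ICAP server-group selection, REQMOD framing
// (RFC 3507) and reply classification. Addresses, names and replies are constructed.
const CRLF = '\r\n';
const assignedServers = new Set();   // "ip:port" pairs already placed in some group

class IcapServerGroup {
  constructor(name) { this.name = name; this.servers = []; this.next = 0; }
  addServer(name, ip, port) {
    const key = `${ip}:${port}`;
    if (assignedServers.has(key)) throw new Error(`${key} already belongs to another ICAP server group`);
    assignedServers.add(key);
    this.servers.push({ name, ip, port });
  }
  pick() {                            // servers are used "by turns", i.e. round robin
    if (this.servers.length === 0) throw new Error(`ICAP server group ${this.name} is empty`);
    const s = this.servers[this.next];
    this.next = (this.next + 1) % this.servers.length;
    return s;
  }
}

// Wrap the client's HTTP request headers in a REQMOD request. The Encapsulated
// header gives the byte offset of each embedded section; null-body marks the end
// of the embedded headers when there is no body.
function buildReqmod(server, service, httpRequestLines) {
  const encapsulated = httpRequestLines.join(CRLF) + CRLF + CRLF;
  const head = [
    `REQMOD icap://${server.ip}:${server.port}/${service} ICAP/1.0`,
    `Host: ${server.ip}`,
    'Allow: 204',                      // we accept "204 No Content" meaning "unchanged"
    `Encapsulated: req-hdr=0, null-body=${Buffer.byteLength(encapsulated)}`,
  ];
  return head.join(CRLF) + CRLF + CRLF + encapsulated;
}

function parseEncapsulated(value) {   // "res-hdr=0, res-body=52" -> { 'res-hdr': 0, 'res-body': 52 }
  const out = {};
  for (const part of value.split(',')) {
    const [k, v] = part.trim().split('=');
    out[k] = Number(v);
  }
  return out;
}

// Classify the scanner's reply: 204 = unchanged, forward as is; 200 = the scanner
// replaced the request/response (for example with a block page); anything else is
// an error, and the proxy must decide whether to fail open or closed.
function parseIcapResponse(raw) {
  const end = raw.indexOf(CRLF + CRLF);
  if (end === -1) throw new Error('incomplete ICAP response');
  const lines = raw.slice(0, end).split(CRLF);
  const m = /^ICAP\/1\.0 (\d{3}) (.*)$/.exec(lines[0]);
  if (!m) throw new Error('bad ICAP status line: ' + lines[0]);
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  const status = Number(m[1]);
  const result = { status, reason: m[2], headers, verdict: 'error' };
  if (status === 204) result.verdict = 'unmodified';
  if (status === 200 && headers.encapsulated) {
    const enc = parseEncapsulated(headers.encapsulated);
    const body = raw.slice(end + 4);   // byte offsets equal char offsets here: the samples are ASCII
    const hdrStart = enc['res-hdr'] !== undefined ? enc['res-hdr'] : enc['req-hdr'];
    if (hdrStart !== undefined) {
      result.verdict = 'modified';
      result.embeddedStatusLine = body.slice(hdrStart).split(CRLF)[0];   // e.g. "HTTP/1.1 403 Forbidden"
    }
  }
  return result;
}

// Constructed replies a scanner might send: clean, and a block page (chunked body).
const SAMPLE_REPLY_CLEAN = 'ICAP/1.0 204 No Content' + CRLF + 'ISTag: "constructed-1"' + CRLF + CRLF;
const SAMPLE_REPLY_BLOCK =
  'ICAP/1.0 200 OK' + CRLF + 'ISTag: "constructed-1"' + CRLF +
  'Encapsulated: res-hdr=0, res-body=52' + CRLF + CRLF +
  'HTTP/1.1 403 Forbidden' + CRLF + 'Content-Type: text/plain' + CRLF + CRLF +
  '5' + CRLF + 'block' + CRLF + '0' + CRLF + CRLF;
```

    What the block leaves open is the fail-open/fail-closed question: when the ICAP server is unreachable or returns an error (verdict 'error' here), the proxy either passes the request unscanned or blocks it, and that choice should be made explicitly rather than left to a default.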
  • Page 174: Cascading Proxy Servers

    A cascading proxy server is required when this unit needs another proxy server to relay its requests before it can reach the resources. To add a new cascading proxy server, click Add on the Cascading Proxy Servers page in Proxy > Cascading Proxy Servers, and configure the fields on the following page:
  • Page 175: Forward

    Therefore, when internal users access internal resources through the proxy server, requests can be forwarded to the corresponding LAN server directly. Note that the destination address can be an IP address or a domain name, but the forward IP address can only be an IP address.
  • Page 176 For example, configure a forward entry to forward access to www.sangfor.com (through port 443) to the LAN server at 10.1.1.3 (through port 443). The corresponding configuration is as shown in the following page: Health Check Options: You can specify the health check method, L4 health check or L7 health check, and the action to take when the forward target fails the check, Stop forwarding data or Continue forwarding data.
  • Page 177: Object

    Internet access duration of some applications based on the application identification results. The Application Signature can be periodically updated by accessing the SANGFOR server. SANGFOR will periodically update the Application Signature on the server for recognizing the latest applications and versions on the Internet.
  • Page 178: Application Signature

    For details about custom rules, see section 3.3.3. SSL management, Internet access audit, terminal reminders, and traffic management are controlled and audited based on application identification results. Therefore, the application library is very important. An embedded application...
  • Page 179: Viewing the Application Signature

    3.3.1.1 Viewing the Application Signature In the navigation area, choose Objects > Application Signature. The Application Signature pane is displayed on the right. The value after Total Applications indicates the total number of embedded application rules and URL groups on the device.
  • Page 180 In Search, input a search keyword, for example, Facebook, and press Enter, as shown in the following figure. Click Database Manual Update to manually import application identification rule files to the device. The procedure for adding a label and associating it with applications is as follows:
  • Page 181 Click Tags, click Add, and enter the label name. In the position for associating applications, click Select and select applications as required. Click OK. The label is added and associated with the applications.
  • Page 182: Enabling/Disabling Application Identification Rules

    Therefore, it is not allowed to disable such rules on the device. 2. In the Application Signature, Mobile Applications maps application software running on mobile endpoints such as smartphones and tablets.
  • Page 183: Advanced App Signature

    The Advanced App Signature is used to recognize the application types of all kinds of Internet access data. It differs from the Application Signature in the identification mode. The Advanced App Signature can recognize encrypted data, such as ciphertext or plaintext P2P applications, Skype, SSL, SANGFOR VPN...
  • Page 184: Enabling/Disabling Advanced App Signature

    P2P behavior identification rules are another type of application identification and are used for intelligent identification of P2P data that cannot be recognized by the Application Signature. P2P behavior rules can be edited. Click P2P Behavior and the rule editing dialog box is displayed.
  • Page 185 In Excluded Port, set one or more ports that are to be excluded from scanning. If the destination port of data is an excluded port, the device will not perform P2P identification for the data. Since an excluded port is a blind spot for P2P identification, add ports here only when a specific application is being misidentified.
  • Page 186: Editing Ultrasurf/Freegate Identification Rules

    You can adjust the sensitivity level based on the data identification conditions. In the second notes point in the above figure, Settings links to the page displayed after you choose System > General > Update > Database Update. There you can check whether the...
  • Page 187: Editing Web Online Proxy Identification Rules

    In the third notes point in the above figure, Settings links to the page displayed after you choose System > General > Global Exclusion. You can add the destination addresses of misidentified network applications to the global exclusion address list to reduce the misidentification rate.
  • Page 188: Custom Application

    On the Custom Application page, click Add. In the Add Custom Application window, you can add custom application rules. Example: Traffic needs to be guaranteed for the company's (SANGFOR) mail, but no such application type exists. In this case, you can define a company mail application rule as follows: 1.
  • Page 189 Target Domain: specifies the destination domain name of packets. In this example, set this field to the domain name of SANGFOR's mail service, for example, mail.sangfor.com.cn. 3. Click Commit. The setting of the rule is complete. 4. Set the priority of the defined rule. The embedded Application Signature also contains mail...
  • Page 190: Enabling, Disabling, and Deleting Custom Application Rules

    The URL Database is a collection of different types of URLs defined based on webpage contents. The URL Database helps the device identify websites so as to implement access control and traffic control for different types of websites. The URL Database contains a URL Database list and an...
  • Page 191: URL Database List

    URL identification system. The URL Database list consists of embedded URL groups and custom URL groups. Embedded URL groups are periodically updated by SANGFOR on the server. The device visits the server over the Internet to update the embedded URL groups. This type of update requires authorization.
  • Page 192 Fuzzy search is not supported in URL Lookup. 3.3.4.1.2 Adding URL Groups You can add a URL group to define URLs. On the URL Database page, click Add. The Add URL Category window is displayed, as shown in the following figure.
  • Page 193 2. After a custom URL group is added, an intelligent identification URL group with the same name is added in the intelligent URL identification system. 3.3.4.1.3 Deleting URL Groups You can delete a custom URL group. An embedded URL group cannot be deleted. To delete a URL...
  • Page 194 Open. 3.3.4.1.6 Importing and Exporting URL Database On the URL Database page, click Import & Export, choose Export, select the save path, and click OK to export all custom URL Database contents.
  • Page 195: Ingress Rule Database

    In the navigation area, choose Objects > Ingress Rule Database > Ingress Rules. On the Ingress Rules page, you can add or delete Ingress rules. 3.3.5.1.1 Adding Ingress Rules On the Ingress Rules page, click Add and choose a rule type, which may be Operating System Based...
  • Page 196 95 characters. Category: specifies the type of the rule. You can select a rule type from the drop-down list or enter a rule type. The entered rule type must be no longer than 95 characters.
  • Page 197 Required Operating System: lists the OS versions allowed on intranet PCs that need to access the Internet through the device. For example, SANGFOR requires that all PCs on the intranet run Windows XP and that SP4 be installed on the PCs for protection against viruses. PCs that do not meet the requirements cannot access the Internet through the device. Note that Windows XP has been out of support since April 2014; in practice an OS-based rule should require a currently supported OS version.
  • Page 198 Process Name: specifies the full name of a process. No wildcard is supported. Window Name: specifies the full name of a window. No wildcard is supported. Program Path: specifies the installation path of the program. System environment variables are supported. See the following figure. A process-name check on its own can be satisfied by renaming any executable, so where the check matters combine it with the MD5 and program size fields described on the next page.
  • Page 199 MD5 value and program size of the process. See the following figure. Adding File Based Rules You can set rules for detecting files on clients. Access the Ingress Rules page, click Add and select File Based Rule. The File Based Rule page is displayed.
  • Page 200 Reject, Delete file or Report only from Action. If File does not exist is selected, you can select Reject, Delete file or Report only from Action. File Path: specifies the storage path of files. System environment variables are supported. See the following figure.
  • Page 201 You can set the MD5 value, file size, and number of days after which files are updated. Click OK. Adding Registry Rules You can set rules for detecting registry entries on clients. Access the Ingress Rules page, click Add and select Registry Based Rule. The Registry Based Rule page is displayed.
  • Page 202 VBScript. You can set return values in these executable files. The Ingress client takes actions based on the return values. Access the Ingress Rules page, click Add and select Task Based Rule. The Task Based Rule page is displayed. Because task scripts are executed on every endpoint by the Ingress client, control who can create or edit task-based rules and keep the script files under change control.
  • Page 203 Task: The task execution plan can be set to Start running periodically or Start running only once upon ingress program startup. Responding: specifies whether to check the execution results of a task script. It can be set to Check returned results or Disabled. Responding Timeout: specifies the timeout duration for obtaining task execution results.
  • Page 204 Yes. 3.3.5.1.3 Modifying Ingress Rules On the Ingress Rules page, select a custom Ingress rule and click its name. In the dialog box for editing the Ingress rule, modify the settings as required; the rule name cannot be changed.
  • Page 205 3.3.5.1.4 Editing Ingress Rules in Batches On the Ingress Rules page, select multiple custom Ingress rules and click Edit. Only the rule type can be edited in batches.
  • Page 206: Combined Ingress Rule

    Logic: specifies the condition under which the Combined Ingress Rule takes effect. A Combined Ingress Rule can be set to take effect when any member rule is met or when all member rules are met. When the specified condition is met, the specified action is performed.
  • Page 207 Example: The administrator requires intranet users to install Kaspersky or Rising. If an intranet user has installed neither antivirus product, the user cannot access the Internet. 1. Set two Ingress rules for detecting Kaspersky and Rising. The device detects the processes of the antivirus software.
  • Page 208 2. Set a Combined Ingress Rule to combine the preceding two rules. According to the customer requirements, Internet access is allowed if either antivirus product is installed, so the combined rule must fire only when both member rules report their process as missing. Therefore, set Logic to Rules are with AND logic: the Combined Ingress Rule takes effect when neither antivirus process is running. Set the action to Reject.
  • Page 209 3.3.5.2.2 Deleting and Modifying Combined Ingress Rules On the Combined Ingress Rule List page, select a Combined Ingress Rule and click Delete. Alternatively, click the name of a Combined Ingress Rule and modify the settings as required except the rule name. See the following figure. www.sangfor.com...
  • Page 210: Service

    Access Mgt > Policies > Add > Access Control > Service and determine the Internet access permission based on the defined services. In the navigation area, choose Objects > Service. The Service pane is displayed on the right. www.sangfor.com...
  • Page 211 Click Commit. The setting of a network service is complete. After clicking Others, you can enter a protocol ID. The protocol ID 0 indicates all protocols. www.sangfor.com...
  • Page 212: IP Group

    In the navigation area, choose Objects > IP Group. The IP Group pane is displayed on the right. Click Add. The Edit IP Group window is displayed. Name: specifies the name of the IP group to be added. Description: specifies the description of the IP group. www.sangfor.com...
  • Page 213: ISP

    On the ISP page, you can set the IP address segment of the network carrier. This IP address segment is invoked during multiline routing in policy-based routing. Click Delete to delete the selected Internet service provider (ISP) address library. Click Add to add an ISP address library. The configuration page is shown in the following figure. www.sangfor.com...
  • Page 214 WHOIS: specifies the WHOIS flag of the ISP address segment. A WHOIS flag uniquely identifies the address of a carrier. Auto Update: specifies whether to automatically update the ISP address library. Automatic update is enabled by default. WHOIS Server: specifies the server for updating the ISP address library. www.sangfor.com...
  • Page 215: Schedule

    Firewall > Firewall Rules, Access Mgt > Policies, or Bandwidth Mgt > Bandwidth Channel. In the navigation area, choose Objects > Schedule. The Schedule pane is displayed on the right, as shown in the following figure. Click Add. The Schedule page is displayed. www.sangfor.com...
  • Page 216 Included: a date within the specified included date segment can match the schedule group. Excluded: a date that is not within the specified excluded date segment can match the schedule group. This field can be used to exclude holidays and festivals. Click Add to set a time segment. See the following figure. www.sangfor.com...
  • Page 217: Keyword Group

    Access Mgt > Policies > Add > Access Control > Search Keyword. In the navigation area, choose Objects > Keyword Group. The Keyword Group pane is displayed on the right. Click Add. The Edit Keyword Group page is displayed. www.sangfor.com...
  • Page 218: File Type Group

    Policies > Add > Access Control > File Type, or used to set traffic control based on file types on the page displayed after you choose Bandwidth Mgt > Bandwidth Channel. In the navigation area, choose Objects > File Type Group. The File Type Group pane is displayed on the right. www.sangfor.com...
  • Page 219: Location

    File Extendsions: specifies the file types. Enter the file name extensions, such as *.mp3 or mp3. 3.3.12 Location On the Location page, you can classify locations by wireless network, IP segment, or VLAN. In the navigation area, choose Objects > Location. The Location pane is displayed on the right. www.sangfor.com...
  • Page 220 Type: specifies the type of the location group, which can be set to IP Segment or VLAN. IP Segment: You can select an IP group or enter an IP address range. Only one IPv6 address or IP address segment can be entered in each row. www.sangfor.com...
  • Page 221 When you search location objects by IP address, the IP address segment needs to be displayed. For example, location object A is 2.2.2.2–5.5.5.5. If you search for 3.3.3.3, location object A needs to be displayed. Location objects can be referenced by Internet access policies and traffic control policies, but www.sangfor.com...
  • Page 222: Users

    Manually created by the console administrator. Set on the Authentication Policy page and automatically added after authentication (including users that do not require authentication, users authenticated on a third-party server, and SSO users). Users imported by using the import function. www.sangfor.com...
  • Page 223 Network access permission is specified on the Authentication Policy page. As shown in the following figure, select a group in Add Non-Local/Domain Users to Group. Then the Internet Access Policy of the specified group will be applied to temporary users. www.sangfor.com...
  • Page 224: User Authentication

    SSO integrated with other third-party devices such as Ruijie SAM system, H3C CAMS system, and the Web authentication system of CITY HOT. For details, see section 3.4.2.3.6. SSO integrated with other SANGFOR devices. For details, see section 3.4.2.3.7. SSO integrated with the database server. For details, see section 3.4.2.3.8.
  • Page 225: Authentication

    You can configure different Auth Methods for different network segments. The Auth Methods supported by the device are listed as follows: Open Auth Password based: including Local Password Based, authentication by an external authentication www.sangfor.com...
  • Page 226 2. On the authentication page, select an Auth Method. Four Auth Methods are displayed because local authentication server, WeChat Based Authentication server, QR Code Based Authentication server, and SMS Based Authentication server are selected in authentication policies. Each authentication server maps an Auth Method. www.sangfor.com...
  • Page 227 For example, enter the username test and password password. The system searches for user test among local users. If the user exists and has a local password (Local user database is selected in user properties), the system checks whether www.sangfor.com...
  • Page 228 On the authentication page, select SMS Based Authentication, enter the mobile phone number, and click Send. Enter the verification code carried in the SMS message and click Log In. The username displayed on the IAM is the mobile phone number. www.sangfor.com...
  • Page 229 The supported SSO types include AD domain SSO, Radius SSO, proxy SSO, POP3 SSO, Web SSO, database SSO, and SSO on SANGFOR devices and other third-party devices, such as Ruijie SAM system, H3C CAMS system, and HTTP/HTTPS authentication system of CITY HOT.
  • Page 230 IAM for Internet access. Otherwise, these users are restricted from Internet access. SSO users and USB Key users cannot be authenticated for Internet access. 3.4.2.1.2 Adding Authentication Policies Choose Users > Authentication Policy. Click Add and add an authentication policy, as shown in the following figure. www.sangfor.com...
  • Page 231 Based. To select another authentication server, choose Users > External Auth Server and select an authentication server. For details, see section 3.4.2.2. To use Local Password Based, choose Users > Local Users and add a user. For details, see section 3.4.3.1. www.sangfor.com...
  • Page 232 If Specified URL is selected, the user will jump to the custom webpage after authentication. If Login successful webpage is selected, the user will jump to the authentication successful page after www.sangfor.com...
  • Page 233 SSO. In addition, the users can obtain relevant Internet access permission. The SSO process is transparent to intranet users. www.sangfor.com...
  • Page 234 SSO and provides an authentication tool. Users can manually run this tool and perform authentication using SSO integrated with Active Directory. If Predefined webpage is selected, the predefined webpage will be displayed when users attempt to open a webpage after SSO fails. www.sangfor.com...
  • Page 235 You can also specify whether authenticated users are added to the local organization structure as public users or private users. Automatic binding specifies whether to automatically synchronize the binding relationships between usernames and IP/MAC addresses of authenticated users, including local users, domain users, and new users. www.sangfor.com...
  • Page 236 Terms of Use with Slideshow: This item is available in advanced options when the Auth Method is SSO or Open Auth. If Terms of Use with Slideshow is selected, SSO users and authentication-free users will be redirected to the disclaimer page when they access a webpage. www.sangfor.com...
  • Page 237 3.4.2.1.4 Editing Authentication Policies in Batches You can edit all attributes of authentication policies except the name and authentication scope in batches. Example: Change the Auth Method of test1 and test2 to Open Auth, take hostname as the username, www.sangfor.com...
  • Page 238 In Username, select Take hostname as username. In Action, select Engineer Group from Add Non-Local/Domain Users to Group. Select Add user account to local user database. Then new users are automatically added to the engineer group, with the computer name as the username. www.sangfor.com...
  • Page 239 Authentication policies are matched from top down. If the IP address, MAC address, VLAN ID, and terminal scope meet a policy, the Auth Method of this policy takes effect. Select an authentication policy for which the priority is to be adjusted. Click Move Up or Move Down. www.sangfor.com...
  • Page 240: External Auth Server

    The IAM is compatible with nine external authentication servers: SMS, WeChat, QR code, LDAP, RADIUS, POP3, Database, H3C CAMS, and third-party auth system. As shown in the following figure, add the corresponding authentication server for an Auth Method that needs to be used on the IAM. www.sangfor.com...
  • Page 241 Internet by entering the verification code carried in the SMS message. Before performing SMS Based Authentication, add an SMS server on the External Auth Server page and set related parameters correctly. Click Add and choose SMS Based Authentication. www.sangfor.com...
  • Page 242 Name: specifies the name of the SMS server. Message Content: specifies the content of an SMS message that is sent to notify a verification code. The validity period of a verification code is 10 minutes. Click Restore Defaults to restore the default content. www.sangfor.com...
  • Page 243 The SMS gateway types of different carriers are listed in the Type drop-down list, including China Mobile v2, China Mobile v3, China Unicom, and China Telecom v3. HTTP is selected when the Webservice gateway is used. If a GSM modem is selected in Type, set the parameters shown in the following figure. www.sangfor.com...
  • Page 244 Set Corporate Code, Service Code, SP No., No., Username, and Password based on the information provided by the service provider. In Type, select HTTP. Generally the customer will provide a Webservice gateway. The IAM transmits some parameters to a URL of the server, and the SMS gateway sends SMS messages based on the www.sangfor.com...
  • Page 245 To test whether the SMS modem or gateway can send SMS messages normally, enter a mobile phone number for receiving the SMS message and click Commit to send a test message. SANGFOR has two types of SMS modems: GSM modem and CDMA modem, as shown in the following figure.
  • Page 246 3.4.2.2.2 WeChat Based Authentication Before performing WeChat Based Authentication, add a WeChat server on the External Auth Server page and set related parameters correctly. Click Add and choose WeChat Based Authentication. www.sangfor.com...
  • Page 247 Scenario 2: No code needs to be deployed (service account and subscription account supported). In case of interworking with a third-party WeChat platform, such as Weimob and Weigou, you need to set related parameters, as shown in the following figure. www.sangfor.com...
  • Page 248 If a third-party platform is used, no SANGFOR code needs to be deployed. The user ID is extracted from the URL or cookie and no check is performed. WeChat service providers, such as Weimob and Weigou, cannot modify the service code but can extract user IDs from the URL or cookie. For details about the configuration method, see the developer document; a link for downloading the document is provided.
  • Page 249 QR Code Based Authentication, a QR code is displayed. The visitor needs to scan the QR code using an authenticated mobile phone. Before performing QR Code Based Authentication, add a QR Code Based Authentication server on the External Auth Server page and specify a user that can approve the QR code. www.sangfor.com...
  • Page 250: LDAP Server

    Before performing LDAP SSO or using the LDAP server for authentication, add an LDAP server on the External Auth Server page and set related parameters. After adding the LDAP server, configure it on the following three tab pages: Basics: www.sangfor.com...
  • Page 251 Therefore, you can define the jurisdiction areas of different administrators by using the BaseDN field. The supported LDAP types are: MS Active Directory, OPEN LDAP, SUN LDAP, IBM LDAP, Lotus LDAP, Novell LDAP, and OTHER LDAP. www.sangfor.com...
  • Page 252 User Filter: user filtering condition on the LDAP server for determining whether a node is a user. For example, you can enter "(|(objectClass=user)(objectClass=person))" in the AD domain to determine whether a node is a user. OU Filter: organization unit filtering condition on the LDAP server for determining whether a node is an organization unit. For example, enter "(|(objectClass=organizationalUnit)(objectClass=organization)(objectClass=domain)(objectClass=dom www.sangfor.com...
  • Page 253 If Type is set to MS Active Directory, the preceding parameters are already set and the default settings are recommended. If another LDAP type is selected, adjust the parameters based on the actual situation so that the IAM can read correct information from the LDAP server. Advanced: www.sangfor.com...
  • Page 254 AD domain identifies the child groups of a group. Therefore, the member attribute is used to search the child groups of a group. Paged Search: An extended API is used for search on the LDAP server. The default setting is www.sangfor.com...
  • Page 255: Radius Server

    LDAP server, the settings are the same as above. Set Authentication Port to 3268 and IP Address to the IP address of the parent domain. See the following figure. 3.4.2.2.5 Radius Server Before using the Radius server for authentication, add a Radius server on the External Auth Server page and set related parameters. www.sangfor.com...
  • Page 256: POP3 Server

    Port: authentication port of the Radius server, which is 1812 by default. Timeout (sec): timeout duration of authentication requests. Shared Secret: key for Radius negotiation. Protocol: Radius negotiation protocol. 3.4.2.2.6 POP3 Server Before performing POP3 SSO, add a POP3 server on the External Auth Server page and set related parameters. www.sangfor.com...
  • Page 257 Server Name: name of the POP3 server to be added. POP3 Server: Set the server IP address, authentication port, and timeout duration. 3.4.2.2.7 Database Server Before performing database SSO, add a database server on the External Auth Server page and set related parameters. www.sangfor.com...
  • Page 258 Click Test Validity to test the connectivity between the IAM and the database server, and the effectiveness of the preceding configuration. 3.4.2.2.8 H3C CAMS Server Before performing H3C CAMS SSO, add an H3C CAMS server on the External Auth Server page and www.sangfor.com...
  • Page 259 Click Test Validity to test the connectivity between the IAM and the server. 3.4.2.2.9 Third-Party Auth System Before specifying a third-party auth system (CAS authentication) as Auth Server in authentication policy, add a third-party auth system in Users > Authentication > External Auth Server and configure related parameters, as shown below: www.sangfor.com...
  • Page 260: Single Sign-On

    The supported SSO types include MS AD domain SSO, Radius SSO, proxy SSO, POP3 SSO, Web SSO, database SSO, and SSO on SANGFOR devices and other third-party devices, such as Ruijie SAM system, H3C CAMS system, and HTTP/HTTPS authentication system of CITY HOT.
  • Page 261 Intercepting login information on the listening port The preceding methods can be used independently or combined. They do not conflict with each other. The SSO success rate can be increased by combining several modes. Mode 1: By delivering the login script in the domain www.sangfor.com...
  • Page 262 Embed an SSO client program ADSSO on the IAM. The program will periodically obtain login information from the AD server and report the obtained information to the IAM for implementing SSO. Configure SSO on the IAM as follows: Select Enable Domain SSO. Select Domain SSO. Click Add to add a domain server. www.sangfor.com...
  • Page 263 When an intranet user opens a webpage, the computer automatically accesses the IAM and submits an identity credential for implementing SSO. Configure SSO on the IAM as follows: Select Enable Domain SSO. Select Enable Integrated Windows Authentication. www.sangfor.com...
  • Page 264 Mode 4: Obtain login profile by listening to computer login to domain In this mode, the IAM intercepts data of the PC that logs in to the domain server and obtains login information from the data, thereby implementing SSO. No component needs to be installed on the www.sangfor.com...
  • Page 265 IAM. In RADIUS Attribute, set the Radius attribute to be read. In Custom User Attribute, set a custom user attribute to which the read Radius attribute value is assigned. www.sangfor.com...
  • Page 266 Enable Proxy SSO: to enable or disable proxy SSO. Obtain login profile by monitoring the data of computer logging into proxy server: If this option is selected, the IAM obtains login information about users through interception. If the data of users www.sangfor.com...
  • Page 267 If a web server is deployed and intranet users log in to the web server with accounts and passwords, web SSO can be used. A user can access the Internet after being authenticated by the web server. See the following figure. www.sangfor.com...
  • Page 268 Authentication Success Keyword: keyword for identifying whether web SSO is successful. If the specified keyword is included in the returned result, the web SSO is successful. Authentication Failure Keyword: keyword for identifying whether web SSO fails. If the specified keyword is included in the returned result, the web SSO fails. www.sangfor.com...
  • Page 269 URL Parameter: name of the parameter corresponding to the authentication field in the URL request. Form encoding: If garbled characters are displayed, the specified coding type can be used. If no coding type is specified, the IAM will automatically select a coding type. For details about the configuration procedure, see section 4.1.4. www.sangfor.com...
  • Page 270 For details about the configuration procedure, see section 4.1.5. 3.4.2.3.7 SANGFOR Appliance The IAM can work with another IAM or an SG to implement authentication. Two SANGFOR devices are deployed, one for authentication and the other for audit and control. After a user is authenticated on the authentication IAM, the audit and control IAM can synchronize the user information from the authentication IAM for audit and control.
  • Page 271 If a database system is deployed for storing and managing user authentication information and the organization structure, SQL statements can be configured on the SANGFOR IAM for querying the user list and authenticated users from the database system, and synchronizing the information to the local organization structure and online user list, thereby implementing SSO by working with the database system.
  • Page 272 Select any idle interface. The listening port can be set in domain SSO (listening mode), Radius SSO, POP3 SSO, and web SSO. This listening port can also be used to intercept mirrored Internet access data when the IAM is deployed in bypass mode. www.sangfor.com...
  • Page 273: Custom Webpage

    Captive Portal with Terms of Use but no Slideshow  Captive Portal with Slideshow and Terms of Use  Captive Portal with Full-screen Slideshow  Click Upload to upload an authentication page template. You can download an example page and edit it. www.sangfor.com...
  • Page 274 Click Update to modify the name and description of the template. You can also import other pages. Embedded page templates can be edited. The procedure is as follows: Click the name of any page template. The page shown in the following figure is displayed. www.sangfor.com...
  • Page 275 The values of Page Caption, LOGO, Background Color, Page Contents, Pictures for Slideshow, and Terms of Use are displayed on the authentication page, as shown in the following figure. Click Background Color, select a color in the upper left corner, and click OK to save the setting. www.sangfor.com...
  • Page 276 Click Edit next to Page Content and edit the contents, as shown in the following figure. www.sangfor.com...
  • Page 277 Picture URLs are automatically added to the global exclusion list to ensure that unauthenticated users can access these pictures. Click Edit next to Terms of Use. Edit the disclaimer and set whether the “I have read and agreed Terms of Use” option is selected by default. Click OK. www.sangfor.com...
  • Page 278: Users

    On the Member tab page, you can view details about each child group and member user, including the group, Internet Access Policy, login scope, expiration time (user), description, creator, and status (Enabled or Disabled). You can select a column to show information as required. www.sangfor.com...
  • Page 279 There are two types of advanced search conditions: basic search conditions and other options. When multiple search conditions are set, only users meeting all the search conditions will be filtered out. In Basics, there are three options: Username, IP Address, and MAC, which are mutually exclusive. See the following figure. www.sangfor.com...
  • Page 280 On the Policies tab page, you can view only the names of Internet access policies; click a policy to view its details. The policy result set provides an easier way for the administrator to view details about Internet access policies referenced by users and user groups. On the Policies tab page, click www.sangfor.com...
  • Page 281 The default user group on the device, that is, Root, cannot be deleted and its name cannot be modified. All created groups are child groups of Root. On the IAM, user groups are graded. The user group Root is a level-1 group and its child groups are level-2 groups. This organization structure facilitates management. www.sangfor.com...
  • Page 282 Add on the Members tab page, and choose Group. 2. Access the Add Group window. Set the user group name in Group Name and the description of the user group in Description. Click Add to add a policy for this user group. 3. Click Commit. www.sangfor.com...
  • Page 283 PCs for login. Restrict the IP address range of Public User to 192.168.1.2-192.168.1.100. 1. Set the Auth Method of users on the network segment 192.168.1.0/255.255.255.0. Choose Users > Authentication Policy and set an authentication policy. Set the authentication scope to 192.168.1.0/255.255.255.0. www.sangfor.com...
  • Page 284 Set Auth Method to Password based and Auth Server to Local user database. www.sangfor.com...
  • Page 285 3. Access the Add User window. Select Enabled and set the login username, description, displayed name, and group. 4. Set user attributes including the local password, expiration time, and custom attribute. Select Local Password. Then enter and confirm the login password. www.sangfor.com...
  • Page 286 Users > Advanced > Custom Attributes. 5. Set the Internet Access Policy of the user. In the Add User window, set a policy on the Policies tab page. Select an Internet Access Policy to be associated, or click Add Policy. www.sangfor.com...
  • Page 287 6. Set advanced attributes of the user. In the Add User window, set advanced attributes on the Advanced tab page. www.sangfor.com...
  • Page 288 Login IP Addresses: This option restricts the login IP address or MAC address range. In this example, the login IP address range is restricted to 192.168.1.2-192.168.1.100. After editing the user attributes and Internet Access Policy, click Commit. 7. Access the Internet and open a webpage as a user on the specified network segment. The www.sangfor.com...
  • Page 289 1. Set the Auth Method of users on the network segment 192.168.1.0/255.255.255.0. Choose Users > Authentication Policy and set an authentication policy. Set the authentication scope to 192.168.1.0/255.255.255.0. Set Auth Method to Password based and Auth Server to Local user database. www.sangfor.com...
  • Page 290 3. Access the Add User window. Select Enabled and set the login username, description, displayed name, and group. 4. Set user attributes including the local password, expiration time, and custom attribute. Select Local Password. Then enter and confirm the login password. www.sangfor.com...
  • Page 291 Set the Internet Access Policy of the user. In the Add User window, set a policy on the Policies tab page. Select an Internet Access Policy to be associated, or click Add. Set advanced attributes of the user. In the Add User window, set advanced attributes on the Advanced tab page. www.sangfor.com...
  • Page 292 In this example, the user needs to be bound with the IP address 192.168.1.117. Click Add and the page shown in the following figure is displayed. Filter By: You can choose to bind an IP address or MAC address. Address: address to be bound with the user. In this example, the IP address 192.168.1.177 needs to www.sangfor.com...
  • Page 293 After the password is changed, the authentication page is displayed. Enter the new password for login. If the username and password are correct but the login IP address is not the bound one, the authentication fails, as shown in the following figure. www.sangfor.com...
  • Page 294 In Usernames, enter multiple usernames separated with a comma (,). The Password must be changed upon first login option can be selected as the added users share the same original password. Other configurations are the same as adding a single user. For details, see the preceding section. www.sangfor.com...
  • Page 295 To delete this user group, delete the associated policy and then delete the user group. For details about associating a policy on the Authentication Policy page, see section 3.4.2.1. www.sangfor.com...
  • Page 296 Restrict the login IP address range to 192.168.1.1-192.168.1.255. Set the validity period of the users to January 1, 2016. 1. Select Engineer Lee and Engineer Zhang, and click Edit. 2. Set user attributes. www.sangfor.com...
  • Page 297 Select Description and enter Engineer. Select Password and Local Password, and enter and confirm the password. Select Password must be changed upon first login. Select User account expiration and set the expiration time to January 1, 2016. 3. Set advanced attributes. www.sangfor.com...
  • Page 298 Import users from a CSV file. You can import attributes including the displayed name, group, password, login IP address range, public account setting, and custom attributes. When users are imported, if the specified group does not exist, it will be created. www.sangfor.com...
  • Page 299 Internet. Export Users Example 1: Export user group Engineer Group and its member users. 1. On the Members tab page, select user group Engineer Group, click Import/Export, and choose Export. 2. Save the exported file. The export is complete. www.sangfor.com...
  • Page 300 Then the Internet Access Policy of the target group is applied to the user. Example 1: Move user test to user group Engineer Group and apply the Internet Access Policy of Engineer Group to this user. 1. Select user test and click Move. 2. Select the target user group Engineer Group. www.sangfor.com...
  • Page 301 On the Member and Policy pane, user group information is displayed, including the type and path. On the Members tab page, you can view details about each user group and user. Domain users differ from local users in that domain users cannot be edited, moved, or deleted on the IAM. www.sangfor.com...
  • Page 302: User Import

    1. Set information about the database from which information is to be synchronized to the IAM including the IP address, port, login username, and login password. For details, see section 3.4.2.2. 2. Choose Users > Users Import > User Sync, click Add, and set synchronization parameters in the www.sangfor.com...
  • Page 303 Click Test Validity to list the information about obtained users and user groups, and the SQL statement execution time. www.sangfor.com...
  • Page 304 IAM including the IP address, port, login username, and login password. For details, see section 3.4.2.2. 2. Choose Users > User Import > User Sync, click Add, and set synchronization parameters in the displayed Sync User Accounts from H3C CAMS Server window. www.sangfor.com...
  • Page 305 IAM by using this policy remain unaffected. 3.4.3.2.2.3 Viewing Synchronization Reports The IAM generates a synchronization report each time synchronization is performed. Click Import History. On the Import History page, select a synchronization report and download it. www.sangfor.com...
  • Page 306: User Binding

    MAC address of a user and this IP address or MAC address is dedicated to this user. That is, this IP address or MAC address cannot be used by other users. The binding relationship is bidirectional. Choose Users > User Binding. Click Add and add a binding relationship, as shown in the following figure. www.sangfor.com...
  • Page 307 Internet with the bound MAC address next time. In batch editing, you can edit the description and enable/disable Open Auth for multiple users. Select users and click Edit, as shown in the following figure. www.sangfor.com...
  • Page 308: Advanced

    IAM 11.2 User Manual Click Delete to delete the selected binding relationship. Click Advanced and set the number of endpoints from which the user can log in. Click Advanced Search and set advanced search conditions, as shown in the following figure. www.sangfor.com...
  • Page 309 MAC address. You can import user binding relationships in batches. The procedure is as follows: 1. Click Example File to download the example file. Set the user binding information to be imported based on the format in the example file. www.sangfor.com...
  • Page 310: MAC Filtering Across L3 Switch

    2. Select Advanced. In MAC Filtering Across L3 Switch, select Enable MAC filtering across L3 switch. 3. In SNMP Servers, enter the information about the L3 switch from which the IAM obtains MAC addresses. Enable SNMP for the L3 switch in advance. www.sangfor.com...
  • Page 311 MAC address of the L3 switch. The IAM counts the number of IP addresses corresponding to each MAC address every 10 minutes. If a MAC address corresponds to multiple IP addresses, this MAC address is the one of the L3 switch. www.sangfor.com...
  • Page 312: Access Mgt

    On the Policies page, administrators can set different Internet access policies based on the permission assignment conditions of intranet users. There are five types of Internet access policies: Internet access permission policy, Internet access audit policy, quota control, terminal reminder policy, and Ingress policy. www.sangfor.com...
  • Page 313: Introduction To Policies

    The URLs are referenced from the URL groups defined on the page displayed after you choose Objects > URL Database. The IAM has embedded URL groups. Dedicated personnel collect and classify a large number of URLs. Embedded URL groups can be referenced. In www.sangfor.com...
  • Page 314 Objects > File Type Group (for details, see section 3.3.11). SSL Contents includes only SSL content identification. SSL content identification involves auditing and controlling the contents of applications that are connected through SSL protocols, including HTTPS, encrypted SMTP, and encrypted POP3. For www.sangfor.com...
  • Page 315 Flow/Online Duration involves auditing the traffic and Internet access duration of users, user groups, and domain names. If you choose to measure the traffic and Internet access duration of network applications, you can query the data center for the application access traffic and time of intranet www.sangfor.com...
  • Page 316 The administrator can set reminders and punishments. On the Bandwidth pane, you can limit the traffic rate of a single user. If the traffic rate threshold is exceeded, the IAM sends an alarm mail to notify the administrator. The administrator can set www.sangfor.com...
  • Page 317 On the Reminder Policy pane, you can set a Bulletin Board. The specified Bulletin Board will be periodically displayed for intranet users. 3.5.1.1.5 Ingress Policy Ingress Policy consists of two modules: Ingress and External Link, as shown in the following figure. www.sangfor.com...
  • Page 318: Adding Object For Access Control

    An Internet Access Policy is valid only after being associated with specific Internet access objects. There are a number of Internet access objects on the IAM. The Internet access objects with which Internet access policies can be associated are listed on the Object tab page, as shown in the following figure.
  • Page 319 Department in Users, All in Location, PC in Endpoint Device, and All in Destination. This policy is applicable to user test with the endpoint device PC on the IP address segment at the R&D headquarters. The object set is displayed on the Selected pane.
  • Page 320 In Domain Attributes, you can select users meeting specified attributes on the LDAP server. On the Domain Attributes page, click Add. In the Add Domain Attribute dialog box, set attribute conditions. A maximum of five conditions can be set. The conditions have the AND relationship.
  • Page 321 The procedure for adding an Internet Access Policy for a specific object is as follows: When creating this Internet Access Policy, you can directly add objects for this policy. 1. On the Policies page, click Add. 2. Click Object, select an object type and then select a user group or user.
  • Page 322 Recursive pass down to its subgroups to apply the Internet Access Policy to child groups. If this option is not selected, this policy does not apply to child groups. However, it will still apply to member users of this user group and child groups added later. Click OK.
  • Page 323 You can change the Internet Access Policy of a single user on the Online Users page. The procedure is as follows: 1. Choose System > Online Users. On the Members pane, select user justin for which an Internet Access Policy is to be added or edited.
  • Page 324: Viewing Network Access Policies Of Users

    Internet Access Policy of the user. 3.5.1.3 Viewing Network Access Policies of Users Choose Users > Local Users to view the Internet access policies associated with local users and domain users. See the following figure.
  • Page 325 Click Policies next to a user group. The names of all Internet access policies associated with the user group are displayed. Click View Resultant Set to display the policy combination results, as shown in the following figure. Choose System > Online Users to view the Internet access policies of online users.
  • Page 326 Click the username of a user whose Internet Access Policy is to be viewed. The page shown in the following figure is displayed. If the online user is a temporary user, you can only view the Internet Access Policy of this user and cannot edit the policy.
  • Page 327: Matching Network Access Policies

    3.5.1.4 Matching Network Access Policies If a user or user group is associated with multiple policies, the policies are matched in a certain order. Overlay policies are matched from top down. For non-overlay policies, only the first valid policy is matched.
  • Page 328: Adding Policies

    Users > Policies is changed accordingly. 3.5.1.5 Adding Policies 3.5.1.5.1 Adding Network Access Permission Policies The procedure for setting an Internet access permission policy is as follows: 1. On the Policies page, click Add and choose Access Control.
  • Page 329 If Never Expire is selected, the policy will be valid permanently. If Valid till is selected and a date is set, for example, 2016-06-01, the policy will expire after January 1, 2016.
  • Page 330 The IAM has an application rule library that is set for all types of common network applications and a URL Database that is set for websites (for details, see sections 3.3.1–3.3.4). The Application module references these rules to implement permission control on network applications and websites.
  • Page 331 1. Select Application. Click Add and choose Application. Click below Application. The Application Signature, Advanced App Signature, custom applications, and schedule groups are referenced. For details, see sections 3.3.1–3.3.3 and section 3.3.9. 2. On the Select Applications page, select P2P.
  • Page 332 Example: Set a policy to prevent users from accessing e-banks and bank websites in working hours. 1. Select Application. Click Add and choose Application. Click below Application. 2. In the Select Application window, find the Visit Web Site type, and select Internet Banking and Bank Website under Finance.
  • Page 333 1. In the URL Database, no URL group is specific to Gmail. Therefore, set a URL group and add the URL of Gmail before setting the policy. Choose Objects > URL Database and click Add. On the Add URL Category page, enter the URL group...
  • Page 334 URL. In URL, enter the value of Issued To in the SSL certificate issued by the website. HTTPS URLs support wildcards. Therefore, enter *.google.com. 2. Select Access Control. Click Add and choose Application. Click below Application.
  • Page 335 URL of the visited security website. To define the URL of an HTTPS website, set the URL based on the value of Issued To in the certificate issued by the website. B. Service Port control is performed based on the destination IP address and port of packets, and the time...
  • Page 336 IP Group at the bottom of the drop-down list to create it. Click OK. Add IP Group: This item is linked to the page displayed after you choose Objects > IP Group. In the Edit IP Group dialog box, enter the IP group name, description, and IP address, and click Commit.
  • Page 337 Click Commit. Add Service: This item is linked to the page displayed after you choose Objects > Service. In the Add Service dialog box, enter the service name and port or protocol ID, and click Commit.
  • Page 338 By default, the IAM allows access to network services for which no control policy is set. C. Proxy Proxy control involves controlling behaviors of using HTTP and SOCK proxies, and behaviors of using other protocols on a standard HTTP or SSL port. See the following figure.
  • Page 339 Example: Set a policy to reject search requests with the keyword "Job Hunting" and allow search requests with the keyword "Game" all day. When detecting search requests with the keyword "Game", the IAM sends an alarm mail to sangfor@sangform.com.cn. The IAM prevents uploading data containing politically sensitive keywords through HTTP.
  • Page 340 4. Set Action to Reject and Schedule to All Day, and click OK. The policy of rejecting search requests for the keyword "Job Hunting" all day is set successfully. Repeat steps 1–4 to set a policy to generate alarms for search requests for the keyword "Game".
  • Page 341 6. In the Keyword drop-down list, select Political Sensitive Keyword. If the required keyword is not included, select Add Keyword Group to create it. 7. Return to the configuration page, select all URL types, and click OK.
  • Page 342 7. If only keyword filtering is required, click OK. To enable Web keyword filtering alarms, choose System > General > Alarm Options > Events > Sensitive Keyword is detected, as shown in the following figure.
  • Page 343 To set the address of the mail server for sending alarm mails and the recipient mailbox, choose System > General > Alarm Options > SMTP Server.
  • Page 344 For details about defining objects, see sections 3.2.9 and 3.2.11. Click the drop-down button below File Type and choose a keyword group. Select Apply to FTP upload/download as well. 2. On the Upload tab page, click Add.
  • Page 345 The policy of rejecting requests to upload film files to websites or over FTP all day is set successfully. 2. On the Download tab page, click Add. 6. In the File Type drop-down list, select Movie. If the required file type is not included, select Add File Type Group to create it.
  • Page 346 FTP all day is set successfully. 8. To allow file uploading and downloading for some websites, add an exclusion URL. Select Excluded Website and select exclusion URL types.
  • Page 347 If the identified contents are to be audited, auditing policies must be set on the Audit Policy page. For details, see section 3.5.1.4.2. In this example, select Filter and audit. 3. After the function of identifying encrypted web application contents is enabled, the IAM does not...
  • Page 348 Example 2: The customer has a mail server support.com.cn on the public network. The mail server receives and sends mails through SSL. The customer requires auditing and filtering of the contents of mails sent and received through the mail client. 1. Select Contents.
  • Page 349 Excluded. 1. The SSL content identification function is invalid for financial websites such as e-banks and online payment websites. This is because the IAM shields such information to avoid auditing sensitive financial information.
  • Page 350 If the recipient of any mail matches any of the listed mail addresses, the IAM allows the mail. In this example, mails sent to gmail mailboxes are to be filtered. Therefore, enter @gmail.com in Block email sent to the...
  • Page 351 IAM will block mails whose size exceeds the specified value. If Block email if attachments exceed is selected and the function of detecting the number of attachments in mails is enabled, the IAM will block mails whose number of attachments exceeds the specified value.
  • Page 352 5. Before enabling mail filtering, ensure that the IAM can connect to the mail server properly. Otherwise, mails cannot be sent. QQ Whitelist You can configure a QQ number whitelist to allow specified QQ numbers and block other QQ numbers. The whitelist function is compatible with both the PC QQ client and the mobile QQ client.
  • Page 353 If only the function SN of behavior audit is enabled, Audit Policy includes Application, Flow/Online Duration, and Webpage Content. To set an Audit Policy, perform the following steps: Step 1 Click Add, and choose Audit Policy. The page for editing the Audit Policy is displayed.
  • Page 354 To audit Internet access behavior of users, enable the function SN of Internet access behavior audit. The outgoing HTTP packets, website visits or downloads, mails, IM content, FTP content, TELNET content, and Internet access behaviors are audited. HTTP Data Outgoing: You can select Web-based BBS posting to record intranet users' behavior of...
  • Page 355 HTTP protocol are audited and file content is not recorded. You can also set the level of URL record details at Access Mgt > Advanced > Logging. For details, see Section 3.5.2.1.
  • Page 356 IM: It is used to audit instant messaging between intranet users with IM tools. The tool options include MSN, Yahoo, Google-Talk, Fetion, WebQQ, and Web-MSN. Other IM chats: It is used to specify whether to audit IM content when an IM type is added to the audit rule library.
  • Page 357 Internet access behaviors that cannot be identified by the IAM. If this option is selected, the IAM records destination IP addresses and port numbers, generating a large number of logs. By default, this option is not selected and you are recommended to use the default setting.
  • Page 358 Microblog desktop client and web browser. To audit the images and videos posted on microblogs, select Include microblog attachment (such as image, video and Music). Configure the policy for auditing web BBS post content, text and images posted using microblogs, and web mails and attachments. See the following figure.
  • Page 359 Email: It is used to audit intranet users' attempts to send and receive mails using the mail client. You can select Outgoing email (SMTP) to audit the information about mails, including mail attachments, sent by intranet users. You can select Incoming email (POP3/IMAP) to audit the information about mails, including mail attachments, received by intranet users.
  • Page 360 FTP: It is used to audit the names and content of files uploaded by intranet users using FTP and the names of files downloaded by intranet users using FTP. Telnet: It is used to audit the commands run by intranet users using Telnet. The port number must be...
  • Page 361 IAM records destination IP addresses and port numbers, generating a large number of logs. By default, this option is not selected and you are recommended to use the default setting. Configure the policy for auditing various types of identified Internet access behaviors. See the following figure.
  • Page 362 Internet through the IAM are collected and sorted by group. If you select Log application traffic for each user as well, the statistics can be collected by user. This option provides the basis for Internet access traffic statistics collection and sorting in the data center. The options must be...
  • Page 363 You can enable or disable the list. In Specified, you can select the applications to be excluded. In the Excluded Port list, you can enter the port numbers to be excluded from Internet access duration statistics collection.
  • Page 364 Auditing Webpage Content Webpage Content is used to specify whether to audit the content of webpages accessed by intranet users. You can choose to audit webpage titles, webpage bodies, or content of only the webpages that contain specified keywords.
  • Page 365 If you select Specified URL categories, the IAM audits both the titles and content of only the specified webpages accessed by intranet users. You can click Select and then specify the webpages. When you click Select, the page shown in the following figure is displayed.
  • Page 366 Section 3.3.9. Click the Action drop-down list box and select the handling method to be used by the IAM when it detects a specified keyword. The list includes the Log contents, Reject, and Log contents & reject requests options.
  • Page 367 Step 1 Click Add, and choose Quota Control. The page for editing the quota control is displayed. Step 2 Select Enabled to enable the policy. Note: If you do not select this checkbox, the configured policy does not take effect.
  • Page 368 IAM. When the traffic reaches the quota, the user cannot access the Internet or is connected through the low-speed traffic channel. The Flow Quota Per User and Action If Threshold is Reached modules are provided for setting the flow quota. You can also set Start Date of Month to...
  • Page 369 Action If Threshold is Reached: It is configured to send an alarm mail to an administrator when a user's flow quota is reached, notify a user when the user reaches a specified proportion of the quota, and specify the method for handling quota exceeding.
  • Page 370 The Daily Duration Quota Per User and Action If Threshold is Reached modules are provided for setting the online duration quota. Type: You can choose between application duration and online duration. Period: indicates the time in which Internet access duration is calculated.
  • Page 371 The traffic control channel must be configured in advance on the traffic management page. Bandwidth Bandwidth is used to control the traffic rate of a user. If the traffic rate limit is exceeded, the user is warned or punished.
  • Page 372 Remind user: indicates the notification interval. After the threshold for a user is reached, an alarm is displayed when the user opens a webpage. Every (Minute): indicates the interval for notifying a user; the value ranges from 0 to 1440.
  • Page 373 Set Max Endpoints Per User to the upper limit. 3.5.1.5.4 Adding a Reminder Policy Reminder Policy is used to notify users of Internet access behaviors. Administrators can configure...
  • Page 374 Step 3 Specify Name and Description. The policy name is the unique identifier of the policy. It cannot be the same as an existing one and is mandatory. The description information is a policy overview and is optional. Step 4 On the Options page, set the reminder policy as required.
  • Page 375 URL to display the Bulletin Board that you define. 3.5.1.5.5 Adding an Ingress Policy To set an Ingress policy, perform the following steps: Step 1 Click Add, and choose Ingress Policy. The page for editing the Ingress policy is displayed.
  • Page 376 IM messages and audit the files exchanged using IM tools. After the Ingress system is enabled, a terminal can connect to the Internet only when it complies with the Ingress policy. If the Ingress program cannot be installed on a terminal, you can specify whether to allow the terminal to access the Internet.
  • Page 377 External Link is used to check whether the Internet access line that a terminal uses is allowed. When the Ingress program detects that a terminal accesses the Internet using an external line, it can record the non-compliance information. See the following figure.
  • Page 378: Adding A Policy Using A Template

    This facilitates addition of multiple Internet access policies that are identical with or similar to each other. The configuration page is shown in the figure below:
  • Page 379 Policy Name, Description, Policy Setup, Applicable Group and User, and Advanced Settings. Give view privilege to administrator in lower-level role: If this option is not selected on the Advanced Settings tab page, lower-level administrators cannot use this template to add a new policy after logging in to the console.
  • Page 380: Deleting An Ingress Policy

    Group and User options of the policies. You can use this function to associate multiple users or user groups with one or more policies. Step 1 Select the policies to be edited in batches. Step 2 Click Edit. The Applicable Object window is displayed.
  • Page 381: Enabling Or Disabling A Policy

    3.5.1.9 Enabling or Disabling a Policy Each policy can be in either the Enabled or Disabled state. The Enabled state indicates that a policy is available and all the rules included in the policy are effective when the policy is invoked.
  • Page 382: Changing The Policy Order

    2. The order of policies created by administrators at different levels cannot be changed, and the priorities of the policies depend on the priorities of the administrators. The order of policies created by administrators at the same level can be changed.
  • Page 383: Importing/Exporting A Policy

    The procedure for exporting policies is as follows: Step 1 Select one or more policies to be exported and click Export. Step 2 Save the exported policies.
  • Page 384 The procedure for importing a policy is as follows: Step 1 Click Import. Select the policy to be imported. Step 2 Click Open.
  • Page 385: Advanced Policy Options

    Filter Rules for Audit, and IM file Upload. Website Access Logging Options: Optimized Logging: indicates that only the attempts to access text webpages are logged and different attempts to access the same domain name in a short time are recorded only once.
  • Page 386 Fuzzy match is allowed but no wildcard is allowed. Not log access to URL with the following suffixes: indicates that the URLs containing the suffixes included in the list are not logged. Fuzzy match is allowed but no wildcard is allowed.
  • Page 387: Web Access Options

    3.5.2.2 Web Access Options Web Access Options is used to specify whether to, during matching of URL filter permission control policies, disallow accessing websites using IP addresses, allow resources with external domain names on webpages, and disable forbidden webpages.
  • Page 388: Policy Troubleshooting

    Policy troubleshooting is used to specify whether the computers and mobile terminals on which the admission plug-in or safe desktop plug-in cannot be installed are allowed to access the Internet. 3.5.2.4 Excluded Application Excluded Application is used to specify the applications excluded from Internet access during...
  • Page 389 Define Object > User-Defined Application, define the application, and select the application in this list. Excluded Ports: You can enter the destination ports of Internet applications so that the ports are excluded from Internet access duration audit and control.
  • Page 390: Traffic Management

    The penalty is configured for the penalty channel. Generally, a small amount of bandwidth is allocated to the penalty channel. Line Bandwidth Allocation: It is used to specify allocation of upstream and downstream bandwidth to Internet lines. If the IAM is deployed in bridge mode, you must set the actual Internet line bandwidth...
  • Page 391: Bandwidth Management

    Edit Line Bandwidth: It is used to set the Internet line bandwidth. Bandwidth Channel: It is used to set and manage assurance channels, limitation channels, and penalty channels. New Channel: It is used to add channels, including level-1 channels, sub-channels, and penalty...
  • Page 392: Line Bandwidth

    Click Line 1. The Edit Line Bandwidth: Line 1 window is displayed. In this example, the company leases a 10 Mbps line, and therefore the values of Outbound and Inbound are set to 800 MB/s. Step 2 Choose Bandwidth Management > Bandwidth Channel...
  • Page 393 When the load is higher than the threshold, the bandwidth is decreased to the upper limit. High Bandwidth Usage Threshold: It is used to ensure line availability during peak traffic hours and improve the dynamic bandwidth assurance performance. By default, busy line protection is disabled.
  • Page 394 Note: If you are not sure about the advanced settings, you can click Recommended Settings to use the recommended settings. Step 3 Configure the assurance channel. In this example, bandwidth assurance is implemented to ensure that finance department personnel can access online banking websites and send and receive mails properly.
  • Page 395 Channel: It is used to set the effective line, channel type, limited or assured bandwidth, and per-user bandwidth. Target Line: It is used to select the line applicable to the channel. That is, the channel is used only when data is transferred through the selected line. In this example, there is only one line. Therefore,...
  • Page 396 Maximum Bandwidth Per User: It is used to limit the bandwidth available to each IP address using the channel. This example does not involve this limitation. Therefore, do not select this option.
  • Page 397 Select and select application types and website types in the User-Defined Applicable Service and Application dialog box that appears. In this example, select Mail/All, Website Access/Online Payment, and Website Access/Personal Banking for ensuring access to online banking websites and sending and receiving mails.
  • Page 398 User-Defined Applicable Object dialog box that appears. In this example, bandwidth assurance must be implemented for all users in the finance department. Therefore, select the Finance Department user group and click Commit.
  • Page 399 After the parameters are set, the settings are displayed. See the following figure. Click OK to save the settings. Step 4 When the settings are saved, a message is displayed. Click Close. The Bandwidth Channel tab page displays the configured channel. Ensure that the channel is...
  • Page 400: Limited Channel

    Step 1 Choose Bandwidth Management > Edit Line Bandwidth and configure Internet line bandwidth. Click Line 1. The Edit Line Bandwidth window is displayed. In this example, the company leases an 800 Mbps line, and therefore the values of Outbound and Inbound are set to 800 Mbps.
  • Page 401 The Line Bandwidth section displays the total bandwidth of all Internet lines. Click Edit Line Bandwidth Attributes. The Edit Line Bandwidth page is displayed. Click Advanced Settings and set the line idleness threshold and specify whether to enable busy line protection. See the following figure.
  • Page 402 Based on username (When multiple IP addresses are connected to the Internet with the same username, traffic control is implemented for all the IP addresses as a whole.) To save the configuration, click Commit. To cancel the configuration, click Cancel.
  • Page 403 Enter the name of the channel in the Channel Name text box. The Home Channel field displays the level of the channel, and / indicates a level-1 channel. In the Channel Editing Menu, choose Bandwidth Channel Settings. The related attributes for setting the channel are displayed on the right.
  • Page 404 Target Line: It is used to select the line applicable to the channel. That is, the channel is used only when data is transferred through the selected line. In this example, there is only one line. Therefore, select Line 1.
  • Page 405 When the load is higher than the threshold, the bandwidth is decreased to the upper limit.
  • Page 406 Specified allows you to select application types. You can click Select and select application types in the User-Defined Applicable Service and Application dialog box that appears. In this example, select Download Tool, P2P, and P2P Stream Media/All to implement traffic...
  • Page 407 You can click Objects and select objects in the User-Defined Applicable Object dialog box that appears. In this example, bandwidth limitation must be implemented for all users in the marketing department. Therefore, select the Marketing Department user group and click OK.
  • Page 408 Scheduled: It is used to set the effective time of the channel. Destination: It is used to select the destination IP address group. After the parameters are set, the settings are displayed. See the following figure. Click OK. Step 4 The Bandwidth Channel tab page displays the configured channel.
  • Page 409: Traffic Sub-Channel

    Click Line 1. The Edit Line Bandwidth window is displayed. In this example, the company leases an 800 Mbps line, and therefore the values of Outbound and Inbound are set to 800 Mbps. Step 2 Choose Bandwidth Management > Line Bandwidth.
  • Page 410 Enter the name of the channel in the Channel Name text box. The Home Channel field displays the level of the channel, and / indicates a level-1 channel. In the Channel Editing Menu, choose Bandwidth Channel Settings. The related attributes for setting the channel are displayed on the right.
  • Page 411 Therefore, select Guaranteed Channel and set the Minimum and Maximum values of Outbound Bandwidth and Inbound Bandwidth to 30% and 50% of the total bandwidth respectively. The total bandwidth is 800 Mbps and therefore the assured bandwidth is 240 Mbps...
  • Page 412 Set Applicable Object to All Users, Scheduled to All day, and Destination to All. After the parameters are set, the settings are displayed. See the following figure. Click OK to save the settings. Step 4 Close the notification dialog box. The Bandwidth Allocation tab page displays the configured channel.
  • Page 413 Enter the name of the channel in the Channel Name text box. The Home Channel field displays the level of the channel, and /HTTP /HTTP Application Assurance indicates a sub-channel. In the Channel Editing Menu, choose Bandwidth Channel Settings. The related attributes for setting the channel are displayed on the right.
  • Page 414 Priority includes three options, namely, High, Medium, and Low, which indicate the priority of allocating bandwidth of other channels to this channel when the other channels are idle. Max bandwidth Per User is used to limit the inbound and outbound speed per user IP address...
  • Page 415 Step 6 The Bandwidth Channel tab page displays the configured parent channel and child channel. 1. The percentages defined by the sub-channel depend on the bandwidth calculated for the parent channel. The actual traffic for the sub-channel does not exceed the traffic limit of the parent channel.
  • Page 416: Penalty Channel

    Click Line 1. The Edit Line Bandwidth window is displayed. In this example, the company leases an 800 Mbps line, and therefore the values of Outbound and Inbound are set to 800 Mbps. Step 2 Choose Bandwidth Management > Channel Configuration.
  • Page 417 High Bandwidth Usage Threshold: It is used to ensure line availability during peak traffic hours and improve the dynamic bandwidth assurance performance. By default, busy line protection is disabled. You can select High Bandwidth Usage Threshold to enable the function and set the upper limits on...
  • Page 418 Note: If you are not sure about the advanced settings, you can click Recommended Settings to use the recommended settings. Step 3 Configure the penalty channel. In this example, traffic control is applied to transferred data of marketing personnel and the total bandwidth is limited to 256 Kbps.
  • Page 419 / indicates a level-1 channel. In the Channel Editing Menu, choose Bandwidth Channel Settings. The related attributes for setting the channel are displayed on the right. Bandwidth Channel Settings: It is used to set the channel type, limited bandwidth, and per-user bandwidth.
  • Page 420 Maximum Bandwidth Per User: It is used to limit the bandwidth available to each IP address using the channel. In this example, the data transfer bandwidth for each user in the marketing department is limited to 128 Kbps. Set Outbound and Inbound to 128 Kbps.
  • Page 421 Specified allows you to select application types. You can click Select and select application types in the User-Defined Applicable Service and Application dialog box that appears. In this example, select All to implement traffic control over all data. Make sure that the Selected list is correct and click OK.
  • Page 422 Scheduled: It is used to set the effective time of the channel. Destination: It is used to select the destination IP address group. After the parameters are set, the settings are displayed. See the following figure. Click OK. A window such as the one shown below is displayed:
  • Page 423 If Enable This Policy is selected, the policy is enabled. Otherwise, it is disabled. Enter the name of the policy in the Policy Name text box and the description of the policy in the Description text box to facilitate management.
  • Page 424 Select Daily Quota and set the daily traffic quota for each user. In this example, it is set to 1 GB. Select Monthly Quota and set the monthly traffic quota for each user. In this example, it is set to 30...
  • Page 425 Select Penalty, Add to Traffic Control Channel, and then the Download Traffic Penalty Channel for Marketing Department policy. Object is used to select the users, locations, terminal types, and destination areas to which the policy is applicable. In this example, the marketing department is selected. Click Commit.
  • Page 426: Adding A Channel Using A Template

    An exclusion policy is used to carry specified types of data through none of the traffic management channels, so that the data is not subject to traffic control. For example, if an IAM is deployed in bridge mode and the DMZ of the front-end firewall is connected to some servers, traffic management is not ...
  • Page 427 Step 2 Choose Bandwidth Management > Bandwidth Configuration > Exclusion Rules, click New, and add an exclusion policy. Step 3 Set the exclusion policy. Set Policy Name and Application Category. If the application type is uncertain, you can select All. Set Destination to the group specified in Step 1. ...
  • Page 428: Line Bandwidth Configuration

    Choose Bandwidth Management > Bandwidth Channel and configure the Internet line bandwidth. See the following figure. Line 1 corresponds to WAN1, line 2 corresponds to WAN2, and so on. In routing mode, multiple lines are available if multi-line authorization is enabled. Click the required line to edit it. ...
  • Page 429: Virtual Line Configuration

    1. Choose Bandwidth Management > Line Bandwidth, click Add, and set the bandwidth value of line 2. Assume that line 2 in this example corresponds to the line from China Unicom. The following figure ...
  • Page 430 202.96.0.0/24 through the line from China Telecom. LAN IP: It is used to set the source IP addresses of packets. WAN IP Address: It is used to set the destination IP addresses of packets. Service: It is used to set the protocol of packets. ...
  • Page 431 Channel Availability: It is used to specify the application types to which the channel is available. Click Select and select application types in the User-Defined Applicable Service and Application dialog box that appears. In this example, select P2P/All and P2P Streaming Media/All to implement P2P traffic control. Click OK. ...
  • Page 432 Step 5 Control the P2P traffic of the two virtual lines separately. Use the method for setting the limitation channel policy of line 1 to set the limitation channel policy of line 2. Step 6 The Bandwidth Channel tab page displays the configured channels. The limitation channel configuration is complete. ...
  • Page 433: Endpoint Device Connection Management

    It is used to set the maximum number of endpoint devices allowed for a single IP address or user, which prevents intranet users from acting as Internet proxies for others. When a shared connection is detected and the limit is exceeded, the IP address or user is locked. See the following figure. ...
  • Page 434 All: indicates that connection sharing between PCs, between mobile endpoint devices, and between PCs and mobile endpoint devices is detected. PCs: indicates that connection sharing between PCs is detected. Lockout Options: It is used to disable Internet access when the maximum number of endpoint ...
  • Page 435 Filter: It is used to filter user types in the list. You can select all users, locked users, or unlocked users, or select users based on IP addresses. Excluded Users: It is used to add users, user groups, and IP addresses to a list so that they are ...
  • Page 436 excluded from detection of connection sharing. Click Excluded Users (Groups) and select trusted users and user groups. See the following figure. Click Add and enter the trusted IP addresses or IP address ranges. See the following figure. ...
  • Page 437: Mobile Endpoint Management

    7 or 30 days. The statistics can be collected by source IP address or username. See the following figure. To view more information about users who use shared Internet connections, click Report Center. 3.7.2 Mobile Endpoint Management It is used to detect and block Internet access attempts by untrusted mobile endpoint devices. See the following figure. ...
  • Page 438 The mobile endpoints list page displays up to 1000 entries generated within the previous week. You can click Report Center and query more information on the mobile endpoint management page. Excluded Users: It is used by administrators to prevent the IAM from blocking the Internet access ...
  • Page 439 attempts of listed mobile endpoints. Click Excluded Users and select trusted users and user groups. Click Add and enter the IP addresses of APs or the network segments where the APs provide the ...
  • Page 440: Security Protection

    Trends: It is used to calculate the number of mobile endpoints detected in the previous 7 or 30 days. You can click Report Center and query more information on the mobile endpoint management page. See the following figure. 3.8 Security Protection It consists of the Anti-DoS Attack, Anti-ARP Spoofing, and Virus Removal at Gateway modules. ...
  • Page 441: Anti-DoS Attack

    As a result, normal user requests are not responded to. The anti-DoS attack function of the SANGFOR IAM protects against both DoS attacks from the Internet on the intranet and DoS attacks from virus-infected computers or attack tools residing on the intranet.
  • Page 442: ARP Protection

    In serious cases, the entire intranet is interrupted. ARP protection is implemented based on cooperation between the IAM and the admission clients of intranet PCs. ...
  • Page 443 PC and the gateway. MAC Address Broadcast Interval (sec): It is used to set the interval for broadcasting the MAC address of the gateway (intranet interface of the IAM). It is recommended that you set the interval to 10 seconds. ...
  • Page 444: Antivirus

    HTTP and FTP file types that require virus removal. The following figure shows the Antivirus page. ...
  • Page 445 Click Commit. The following figure shows the Virus Database Update page. Update Service Expires On: indicates the expiration date of the automatic update service for the virus definition library. Within the validity period, the IAM automatically connects to the SANGFOR ...
  • Page 446: VPN Configuration

    You can click Tunnel NAT State and query the tunnel NAT status. You can click Refresh to refresh the current page after the VPN status changes. You can click Display Options and select options from the list. By default, all the options are selected. ...
  • Page 447: Basic Settings

    Webagent address and standby Webagent address. See the following figure. For dynamic addressing (HQ does not use a fixed IP address), enter the Webagent webpage address (which generally ends with .php). Click Test to check connectivity. If it uses a fixed IP ...
  • Page 448 Webagent IP address. You can also click Shared Key to set a shared key to prevent connection to unauthorized devices. If you forget the Webagent password, you must contact SANGFOR's customer service center. It will generate a file that does not contain a Webagent password for you to replace the original file. If you set a shared key, all the VPN nodes must use the key to communicate with each other.
  • Page 449: User Management

    Threads: It is used to set the maximum number of VPNs connected to a VPN device. The default value is 20 and a maximum of 1280 VPNs are allowed. If you need to change the value, contact SANGFOR's technical engineers for help.
  • Page 450 The search result includes the following information: user group, group attribute (unlimited, enabled, or disabled), status (unlimited, enabled, or disabled), type (unlimited, mobile, or branch), DKEY status (unlimited, enabled, or disabled), and user idleness duration (unlimited, one year, one month, one week, or user-defined). See the following figure. ...
  • Page 451 You can click Search to search for information. You can click Cancel to cancel information editing. You can click Delete to delete selected users. You can click New User to set account information including the username, password, description, algorithm, and type. See the following figure. ...
  • Page 452 (hardware device authentication), LDAP authentication, or Radius authentication. Before using Radius authentication or LDAP authentication, set the authentication server in LDAP Authentication or Radius Authentication. Algorithm: You can select from the DES, 3DES, AES, SANGFOR_DES, SCB2, and SM4 algorithms. Two peers must use the same algorithm. ...
  • Page 453 Enable Compression: It is used to use an encryption algorithm to encrypt data transferred between the gateway and a user. This parameter is used to set SANGFOR's proprietary VPN technology. It ensures high bandwidth use efficiency when the bandwidth is low and speeds up data transmission. However, it is not applicable to all network environments.
  • Page 454 Channel parameter settings are configured to control the traffic of branch VPNs. Intra-channel NAT settings are configured to handle address conflicts between two ...
  • Page 455 The following figure shows the configuration page. For details of route selection policy settings, see Section 3.2.3.4 "Multi-Line Route Selection Policy." For details of multicast service settings, see Section 3.10.12.3. ...
  • Page 456 Timeout: When the network has a significant delay and a high packet loss rate, you can set a timeout interval on a SANGFOR VPN for the network. The timeout interval of each channel depends on the server configuration. The default timeout interval is 20s. For a poor network environment, you can...
  • Page 457: Connection Management

    Enable tunnel dynamic probe: When the local or peer end has many lines, this option is applicable. After it is selected, the SANGFOR VPN regularly detects the delay and packet loss rate of each line and selects an optimal line based on the detection result for data transmission.
  • Page 458 Otherwise, the page does not exist. If the Webagents are set to fixed IP addresses, a test success indicates that the information entered in the format IP address:Port number is correct. However, the test success ...
  • Page 459: Virtual IP Address Pool

    VPN. This enables you to specify the local services available to the peer end. After setting the preceding parameters, select Allow to activate the connection. Then, click Save. 3.9.5 Virtual IP Address Pool You can create a virtual IP address pool for mobile users and another for branch users. See the following figure. ...
  • Page 460 If the virtual IP address is 0.0.0.0, it indicates that virtual IP addresses are assigned automatically. When a mobile user connects to the HQ, SANGFOR's VPN device assigns an idle IP address from the pool to the user. You can also specify a fixed IP address for the mobile user. See the following figure.
  • Page 461 You can click Add, set the user type to Branch, set the start IP address and end IP address (you can click Calculate to obtain the suitable end IP address) of the virtual IP address segment, and specify the subnet mask and number of network segments. See the following figure. ...
  • Page 462 You can click Advanced in the Virtual IP Address Pool window, and set the subnet mask, DNS, and WINS server information for the virtual IP addresses to be assigned to the virtual network adapters of mobile clients. See the following figure. ...
  • Page 463 Advanced window is not transferred to the virtual network adapter. The following provides a simple example to describe the configuration method. The HQ SANGFOR device is deployed in routing mode, and mobile users must connect remotely through VPNs to the HQ. The process is as follows: Click Add to add a rule in the Virtual IP Address Pool window, and select the IP address segment that is the same as that of the device LAN port and is not used by intranet users.
  • Page 464 Click Add in the Virtual IP pool window and select the Mobile user type. The default virtual IP address 0.0.0.0 indicates automatic assignment of virtual IP addresses. If you need to specify a virtual IP address, enter the IP address manually. See the following figure. ...
  • Page 465: Multi-Line Settings

    You can add, modify, and delete line information and change the line selection policy. If the device has multiple WAN ports and multiple lines, select Enable Multi-Line and add the lines. Click Add. The dialog box shown in the following figure is displayed. ...
  • Page 466 DNS Address. If it is an ADSL line, you do not need to set the parameter. 2. Set Preset Bandwidth according to the actual situation of the line. Click Advanced on the Multi-line Settings page. The Multi-Line Advanced Settings dialog box is displayed. See the following figure. ...
  • Page 467: Multi-Line Route Selection Policy

    3.9.7 Multi-Line Route Selection Policy The SANGFOR VPN gateway provides powerful multi-line route selection policies for VPNs. It can select the optimal transmission lines among multiple lines based on the conditions of the lines. It also allows transmission over multiple lines at the same time.
  • Page 468 Secondary Lines: It consists of all the lines that do not belong to the active line group. The lines in the group transmit VPN data only when all the lines in the active line group fail. Request Assignment: indicates how VPN traffic is distributed among the lines in the active line group. ...
  • Page 469: Local Subnet List

    Configure the subnets that require interconnection on the Local Subnet List page. See the following figure. Click Add and add a subnet segment and subnet mask. Subnet Segment and Subnet Mask must be set to the network ID and subnet mask of a network ...
  • Page 470: Inter-Channel Routing Settings

    The local subnet list functions as a statement. The network segments defined in the list are regarded by SANGFOR's VPN device and software client as VPN network segments. All the packets intended for the network segments are encapsulated in the VPN channels for transmission when the packets reach the VPN device or software client.
  • Page 471 Shanghai branch to connect to the HQ through a VPN. Therefore, data with the username shanghai is sent to the HQ. 2. Select Enable Routing in the Inter-channel Routing Settings window for the Guangzhou branch, click New, and add the route to the Shanghai branch. See the following figure. ...
  • Page 472 Shanghai branch to access the Internet through the HQ. If a branch accesses the Internet through the HQ, you must choose System Management > Firewall > NAT Proxy and add proxy rules for VPN network segments. For details, see the firewall setup description. ...
  • Page 473: Third Party Connection

    IAM. See the following figure. Outgoing Line: indicates the line used to set up standard IPSec VPN connections with the peer end. Select a line egress and click Add. The Edit Peer Device dialog box is displayed. See the following figure. ...
  • Page 474 Address Type: The types include fixed IP address, dynamic IP address, and dynamic domain name. If you select Static IP Address at Peer End, you must enter the fixed IP address and the pre-shared key. See the following figure. ...
  • Page 475 If you select Dynamic Domain Name at Peer End, you must set the dynamic domain name and the pre-shared key. See the following figure. ...
  • Page 476 If you select Dynamic IP Address at Peer End, you must set the pre-shared key. In this case, connections can be set up only in aggressive mode. See the following figure. ...
  • Page 477 When you click Advanced, the Advanced Settings dialog box is displayed. See the following figure. ...
  • Page 478 D-H Group: It is used to set the Diffie-Hellman group for the two parties performing negotiation. The options include MODP768 Group (1), MODP1024 Group (2), and MODP1536 Group (5). Select Enable DPD to enable the DPD function, which helps a VPN device detect device faults that occur at the peer end of a channel. ...
  • Page 479: Phase II

    Standard IPSec does not allow both ends to set their peers to the dynamic IP address mode at the same time. 2. If you set ISAKMP Encryption Algorithm to SANGFOR_DES, both ends must be SANGFOR devices. 3.9.10.2 Phase II It is used to configure the inbound policy and outbound policy of VPNs.
  • Page 480 Inbound Policy Settings is used to set rules for the packets sent from the peer end to the local end. Click Add. The Policy Setup dialog box is displayed. See the following figure. Policy Name: It is used to define the name of the inbound policy. ...
  • Page 481 Select Enable This Policy and click Save. Outbound Policy is used to set rules for the packets sent from the local end to the peer end. Click Add. The Policy Setup dialog box is displayed. See the following figure. ...
  • Page 482 Security Options: It is used to select the security policy for negotiation. Configure the policy on the Security Options tab page. Expiry Time: It is used to set the effective time of a policy. The time must be predefined at VPN ...
  • Page 483: Security Options

    2. The outbound service, inbound service, and time settings for outbound and inbound policies are extended rules of SANGFOR. The rules are effective only on the local device and are not negotiated when VPN connections are set up with third-party devices. The source IP addresses in the outbound policies and inbound policies correspond to Source and Peer Service.
  • Page 484 The outbound service, inbound service, and time settings for outbound and inbound policies are extended rules of SANGFOR. The rules are effective only on the local device and are not negotiated when VPN connections are set up with third-party devices.
  • Page 485: Object

    When you click Add, the Schedule dialog box is displayed. See the following figure. In this example, a period called Business Hours is defined. Select period combinations and click Invalidate Rule. (By default, all periods are valid.) In this case, rules are ineffective in the selected periods. Click Save. ...
  • Page 486: Algorithm List Settings

    The IAM provides the DES, 3DES, MD5, AES, SHA-1, SINFOR_DES, SCB2, SM2, SM3, and SM4 encryption and authentication algorithms. You can add other algorithms as required. Before adding them, contact SANGFOR. 3.9.12 Advanced Settings It consists of LAN Services, VPN Interface, LDAP Server, and Radius Server Settings.
  • Page 487 Service Name to a value that can be easily identified. Select a protocol type. (In this example, the FTP service uses the TCP protocol.) See the following figure. 1. Click Add. The IP Address Range Settings dialog box is displayed. Set the parameters. See the following figure. ...
  • Page 488 3. In the Permission Settings dialog box, move the service configured for Branch1 to the list on the right and select Allow. In this example, only this service is allowed. Therefore, set Default Action to Reject. After the preceding steps, the branch user branch1 with the intranet IP address 172.16.1.200 can ...
  • Page 489: VPN Interface Settings

    DMZ port and set a subnet mask. Click Add, add an idle intranet interface, and set the intranet mask of the local VPN device. The value 0.0.0.0 indicates that the mask of the network port is used. ...
  • Page 490 If the configuration is incorrect, an error is reported. See the following figure. The Saving settings fails message is displayed in the upper-left corner. You can click View Error Information to view the details. After you click View Error Information, a page is displayed, detailing the cause of the error. ...
  • Page 491: Multicast Service

    To meet the requirements of applications such as VoIP and video conferencing, SANGFOR's VPN gateway supports the inter-channel multicast service. You can define the multicast service. The IP address range is 224.0.0.1 to 239.255.255.255 and the port number range is 1 to 65535.
  • Page 492 Click Save. See the following figure. ...
  • Page 493: LDAP Server Settings

    IP address, port number, and administrator password of the LDAP server). See the following figure. Set the LDAP server information and click Advanced. The LDAP Advanced Settings dialog box is displayed. Set the parameters as required. See the following figure. ...
  • Page 494: Radius Server Settings

    The VPN service of the IAM supports third-party Radius authentication. If you need to enable third-party Radius authentication, set the Radius information on the Radius Server Settings tab page (including the IP address, port number, shared key, and Radius protocol of the Radius server). See the following figure. ...
  • Page 495: Dynamic Routing Settings

    3.9.12.6 Dynamic Routing Settings It is used to set SANGFOR's VPN device to use the RIPv2 protocol to advertise routing information to other routing devices, so as to dynamically update the RIP routing information of the intranet routing device.
  • Page 496: Chapter 4 Use Cases

    The process is as follows: 1. The PC requests domain login. 2. The domain server returns login success information to the PC. 3. The PC executes the logon.exe script and reports the domain login success information to the device. ...
  • Page 497 Step 2 Set the authentication policy. Choose User Authentication > Authentication Policy > New Authentication Policy. Set the authentication policy according to the IP or MAC addresses of the users who require SSO. Setting the authentication scope: Setting the authentication mode: ...
  • Page 498 Setting the handling method to be used after authentication: ...
  • Page 499 The shared key is used to encrypt the communication between the device and the AD domain server, and must be specified exactly the same in the login script. Click Download Domain SSO Program to download the login and logout scripts. ...
  • Page 500 Step 4 Configure the login script on the AD domain server. 1. Log in to the domain server and choose Server Manager on the menu as shown in the following figure. 2. Choose Manage Users and Computers in Active Directory. ...
  • Page 501 3. In the displayed window, right-click the domain to be monitored and choose Properties. 4. In the displayed window, click Group Policy. Double-click the group policy Default Domain Policy. 5. In the displayed Group Policy Object Editor window, choose User Configuration > Windows Settings > Scripts (Logon/Logoff). ...
  • Page 502 6. Double-click Logon on the right. In the displayed Logon Properties window, click Show Files in the lower left corner. A directory is opened. Save the login script file in the directory and close it. ...
  • Page 504 1775 for IPv4, or to 1775 for IPv6), and shared key (exactly the same as that configured on the device). The parameter values must be separated by spaces. Click Apply and then OK. Then close the windows one by one. ...
  • Page 505 Step 5 Configure the logout script on the LDAP. The logout script helps users who are logged out of the domain server log out of the device as well. 1. Perform the steps for configuring the login script. In step 6, double-click Log off instead. ...
  • Page 506 2. In the displayed Logoff Properties window, click Show Files in the lower left corner. A directory is opened. Save the logout script file logoff.exe in the directory and close it. ...
  • Page 508 3. In the Logoff Properties window, click Add. In the Add a Script window, click Browse, choose the AD logout script file logoff.exe, and enter the SG IP address specified during logout script parameter configuration. Close the pages one by one. ...
  • Page 509: Obtaining Login Information Using A Program (SSO Without A Plug-In)

    3. The domain server, device, and PC must be able to communicate with each other properly. 4.1.1.2 Obtaining Login Information Using a Program (SSO Without a Plug-in) The IAM has an ADSSO program, which can regularly connect to the AD domain and detect the ...
  • Page 510 Step 1 Choose Users > External Authentication Server and set the authentication AD domain server. (For details, see Section 3.4.2.2.) Step 2 Set the authentication policy. Choose Users > Authentication Policy > Add Authentication Policy. Set the authentication policy according to the IP or MAC addresses of the users who require ...
  • Page 511 SSO. Setting the authentication scope: Setting the authentication mode: ...
  • Page 512 Setting the handling method to be used after authentication: ...
  • Page 513 Section 3.4.4.4. Step 4 Enable SSO on the device and set the IP address of the domain server. Choose Users > Single Sign On SSO > MS AD Domain and perform configuration. Select Enable Domain SSO. Select Domain SSO. ...
  • Page 514 Click Add to add an AD domain server. Step 5 Verify that the AD domain server configuration takes effect. 1. Make sure that the RPC service works properly on the AD domain server. ...
  • Page 515 Security Settings > Local Policy > Security Options > Network Security. Configure Kerberos and select the encryption types DES_CBC_CRC and DES_CBC_MD5. 3. Obtain user configuration from event logs. 1) Enable event log audit of the AD domain. Access the Control Panel and click Administrative Tools. ...
  • Page 516 Edit Group Policy Management. ...
  • Page 517 Edit Default Domain Controllers Policy. Enable Audit logon events and Audit account logon events. ...
  • Page 518 Modify the group policy of the AD domain. If SSO is enabled for only specified groups, modify the related group policies. Modify the user login and logout script settings. Choose User Configuration > Windows Settings > Scripts (Login/Logout) > Login. ...
  • Page 519 Click Show File. The directory shown in the following figure is displayed. ...
  • Page 520 Create the logon.bat script file in the directory. The following content is recommended. ...
  • Page 521 Save the file and close the group policy settings windows. ...
  • Page 522 Update the group policy. ...
  • Page 523: SSO Implemented Using IWA

    Step 4 Log in to the domain and access a webpage. View the online user list of the IAM, which displays the users who have been authenticated. 4.1.1.4 SSO Implemented in Monitoring Mode In this mode, the IAM intercepts data of the PC that logs in to the domain server and obtains login ...
  • Page 524 Step 3 Enable SSO on the device and set the IP address of the domain server. Choose Users > Single Sign On SSO > MS AD Domain and perform configuration. Select Enable Domain SSO. Select Obtain login profile by monitoring the data of computer logging into domain. Enter the IP ...
  • Page 525 The mirroring port must be an available one not in use. Step 5 Log in to the domain on a computer. If the login is successful, you can access the Internet. Scenario 2: Domain server deployed out of the intranet ...
  • Page 526 Select Obtain login profile by monitoring the data of computer logging into domain. Enter the IP address and the listening port of the domain server in Domain Controllers. If there are multiple domain servers, enter the IP address and the listening port of each domain server on one line. ...
  • Page 527: Proxy SSO Configuration

    4.1.2.1 SSO in Monitoring Mode In monitoring mode, proxy SSO is implemented by monitoring login data. It is applicable in two scenarios. Scenario 1: Proxy server deployed out of the intranet. See the following figure. ...
  • Page 528 In Proxy Server List, enter the IP address and listening port of the proxy server. If there are multiple proxy servers, enter one IP address and port number in each row. Set the port numbers to those for proxy authentication. See the following figure. ...
  • Page 529 2. In this scenario, if Show Disclaimer is selected at Authentication Policy > Action > Advanced, redirection must be implemented at the DMZ port. Otherwise, users cannot be authenticated or access the Internet. Scenario 2: Proxy server deployed in the intranet. See the following figure. ...
  • Page 530 In Proxy > Proxy Server Address List, enter the IP address and listening port of the proxy server. If there are multiple proxy servers, enter one IP address and port number in each row. Set the port numbers to those for proxy authentication. See the following figure. ...
  • Page 531: SSO in ISA Mode

    Step 4 Log in to the proxy server on a computer. If the login is successful, you can access the Internet. This mode does not support Compatible with Kerberos. 4.1.2.2 SSO in ISA Mode It is applicable when the ISA server is located in the intranet and ISA login data does not pass through ...
  • Page 532 Step 2 Choose Users > Single Sign On SSO > Proxy and perform configuration. Select Proxy > Enable Proxy SSO. Select Proxy, Obtain login profile by executing logon control through proxy. Enter the shared key in Shared Key. See the following figure. ...
  • Page 533 Debug log path. If it is blank, the debug log function is disabled. If it is set, the debug log function is enabled. Enable it only when necessary. In addition, make sure that the NETWORK SERVICE user can read and write the directory. ...
  • Page 534 The supported encoding types include UTF-8, UTF-16, GB2312, GB18030, and BIG5. 4. Check the ISA plug-in panel to make sure that the Sangfor ISA Auth Filter plug-in is enabled. Step 4 Log in to the proxy server on a computer. If the login is successful, you can access the Internet.
  • Page 535: POP3 SSO Configuration

    It is applicable to scenarios where the POP3 server is deployed within or out of the intranet. The POP3 SSO configurations for these two deployment modes of the POP3 server are described as follows: Scenario 1: POP3 server deployed in the intranet ...
  • Page 536 In POP3 Server Address List, enter the IP address and listening port of the POP3 server. If there are multiple POP3 servers, enter one IP address and port number in each row. Set the port numbers to those for POP3 authentication (default: TCP 110). See the following figure. ...
  • Page 537 The mirroring port must be an available one not in use. Step 4 The PC receives a mail using the mail client. After successful POP3 server login, it can access the Internet. Scenario 2: POP3 server deployed out of the intranet ...
  • Page 538 POP3 servers, enter one IP address and port number in each row. Set the port numbers to those for POP3 authentication (default: TCP 110). See the following figure. Step 3 The PC sends and receives a mail using the mail client. After successful POP3 server login, it ...
  • Page 539: Web SSO Configuration

    A customer wants its web server and the device to authenticate users at the same time before the users access the Internet. It is applicable to scenarios where the web server is deployed within or out of the intranet.
  • Page 540 Step 1 Set the authentication policy. Choose Users > Authentication Policy > Add. Set the authentication policy according to the IP or MAC addresses of the users who require SSO. Step 2 Choose Users > Single Sign On SSO > Web and perform configuration. Select Enable Web SSO.
  • Page 541 Step 3 In this example, the login data does not pass through the device, so set a mirroring port connected to the mirroring port on the switch that forwards the login data packets. Click Others and set the mirroring port. The mirroring port must be an available one not in use.
  • Page 542 Step 1 Set the authentication policy. Choose Users > Authentication Policy > Add. Set the authentication policy according to the IP or MAC addresses of the users who require SSO. Step 2 Choose Users > Single Sign On SSO > Web and perform configuration. Select Enable Web SSO.
  • Page 543: Configuration of SSO Implemented with Third-Party Devices

    Before accessing the Internet, a user must be authenticated by Ruijie SAM. After a user logs in to or logs out of Ruijie SAM, the user is logged in to or logged out of the IAM automatically. See the following figure.
  • Page 544 IP or MAC addresses of the users who require SSO. Step 2 Choose Users > Single Sign On SSO > Third-Party Server and perform configuration. Select Ruijie SAM system and configure the shared key. See the following figure.
  • Page 545 2. Copy logon.exe, which must be called by the triggers, to the related directory of the server. 3. The directory 2005 stores the trigger SQL statements customized for SQL Server 2005. Take logon_trigger.sql as an example. Open the file, copy all its content to the query manager of the SQL ...
  • Page 546 6. Locate the ONLINE_USER table and click the trigger directory icon. No entry is displayed on the Object Resource Manager Details tab page on the right, which means no trigger has been created for the ONLINE_USER table. See the following figure.
  • Page 547 SQL Server 2005 Management Studio. Click Run on the toolbar. The trigger corresponding to the active tab page is installed. Go to the other two tab pages and perform the same operations to install the triggers. 8. Access the Object Resource Manager Details tab page and refresh the page. The installed triggers are displayed.
  • Page 548 9. To delete a trigger, right-click the trigger on the Object Resource Manager Details tab page and choose Delete. In the dialog box that is displayed, click OK.
  • Page 549 Internet users in the organization. Generally, the value must not exceed 2000 (high-end devices support a maximum value of 3000). If you retain the default value, when two users log in at the same time, the IAM authenticates only one of them and therefore the other user cannot access the Internet.
  • Page 550 7. This method is applicable to all database systems using MS SQL Server 2000/2005, in addition to Ruijie SAM. You need to modify the SQL scripts for the other database systems so that the related database names, table names, and field names are correct.
  • Page 551: SSO Implemented with Devices Supporting the HTTP SSO Interface

    IP or MAC addresses of the users who require SSO. Step 2 Choose User Authentication > Single Sign On SSO > Third-Party Server and perform configuration. Select Enable HTTP SSO Interface and set the IP addresses of the devices allowed to access the interface.
  • Page 552 Step 3 Click Download Sample, which includes Logon.js and Logon.html. Modify Logon.html and configure the web authentication server.
  • Page 553: SSO Implemented with H3C CAMS

    A PC is authenticated by H3C CAMS. The IAM synchronizes information about the organization structure and online users from H3C CAMS as scheduled. The PC accesses the Internet as an online user whose information has been obtained by the IAM.
  • Page 554: SSO Implemented with Dr. COM

    SSO failure. 4.1.5.4 SSO Implemented with Dr. COM Dr. COM is an authentication and charging management system, which is commonly used in the ...
  • Page 555 IP or MAC addresses of the users who require SSO. Step 2 Choose Users > Single Sign On SSO > Third-Party Server and perform configuration. Select Dr. COM and set its IP address. See the following figure.
  • Page 556: SSO Implemented with H3C IMC

    Before accessing the Internet, a user must be authenticated by H3C IMC. When the user logs in to or logs out of H3C IMC, the user is also logged in or out on the IAM. See the following figure.
  • Page 557: SSO Implemented with Another SANGFOR Device

    Step 3 Configure H3C IMC. For details, contact its vendor. 4.1.6 SSO Implemented with Another SANGFOR Device The IAM can work with another IAM or an SG to implement authentication. Two SANGFOR devices are deployed, one for authentication and the other for audit and control. After a user is authenticated on the authentication IAM, the audit and control IAM can synchronize the user information from the authentication IAM for audit and control.
  • Page 558 IP or MAC addresses of the users who require SSO. Step 2 Choose Users > Single Sign On SSO > SANGFOR Devices and perform configuration. Select Receive Authentication Information from Other SANGFOR Devices and set the shared key.
  • Page 559: SSO Implemented with a Database System

    Then, IAM B can receive authentication information from IAM A. This ensures authentication information consistency between the IAMs. Step 3 For IAM A deployed in bridge mode, select Send users credential to other Sangfor appliances and set the related device IP address and the shared key. See the following figure.
  • Page 560 organization structure, SQL statements can be configured on the SANGFOR IAM for querying the user list and authenticated users from the database system, and synchronizing the information to the local organization structure and online user list, thereby implementing SSO by working with the database system.
  • Page 561 3. In some cases, a user is authenticated by the IAM some time (depending on the setting of Sync Interval (sec)) after being authenticated by the authentication server. Therefore, it is recommended that the authentication policy be configured not to require user authentication after an SSO failure.
  • Page 562: Configuration That Requires No User Authentication

    Internet access permissions of the Intranet Group are assigned to the users. Step 1 Choose Users > Authentication Policy > Add and enable user authentication. Set IP/MAC address. In this example, set it to 10.10.10.0/24. In Authentication Method, select Open Authentication. In Username, select Take IP address as username.
  • Page 563 The customer requires that authenticated users are not added to the organization structure. Therefore, do not select Add Non-Local/Domain Users to Group. To enable the users to access the Internet with the permissions of Intranet Group, set Group Used by Non-local/Domain Users for Network Access to /Intranet Group/.
  • Page 564 Internet. L3 switches are deployed between the intranet and the IAM. Step 1 Choose Users > Authentication Policy > Add and enable user authentication. Set Authentication Scope. In this example, set it to 10.10.10.0/24.
  • Page 565 In Authentication Method, select Open Auth. In Username, select Take IP address as username.
  • Page 566 In Action: The customer requires that authenticated users are added to the organization structure and the Intranet Group. Set Add Non-Local/Domain Users to Group. Select Add user account to local user database. Select Automatic binding.
  • Page 567 Information about the user can be viewed in the online user list. The binding relationships between IP addresses and MAC addresses set up during user authentication are registered. You can query the relationships on the Bind IP/MAC Address tab page.
  • Page 568: Configuration That Requires Password Authentication

    4.3.1.1 Sending SMS Messages Through an SMS Modem SANGFOR's SMS modem is a tool that can be connected to the IAM to send SMS messages. To send SMS messages in this way, you must prepare a serial cable, a SANGFOR SMS modem, and a SIM card.
  • Page 569 Set Message Delivery Module to Use built-in SMS Module. Set Gateway Type to an SMS modem type, which can be GSM modem or CDMA modem. GSM Modem: It is installed with a GSM SIM card. CDMA Modem: It is installed with a CDMA SIM card.
  • Page 570 Step 4 Choose Users > Authentication Policy > Add and enable SMS authentication. Set IP address/MAC address. In this example, set it to 192.168.1.0/24. In Authentication Method, select Password based. Set Authentication Server to Local Users and SMS Authentication.
  • Page 571 They are not limited by the permissions assigned to the Visitor group. The visitors authenticated using SMS messages are not added to the organization structure on the IAM. Therefore, do not select Add Non-Local/Domain Users to Group.
  • Page 572 A visitor selects SMS Authentication, enters his/her mobile number, and clicks Obtain Verification Code. The SMS module sends a verification code to the mobile number. After receiving the code, the visitor enters the code and clicks Login for authentication. See the following figure.
  • Page 573 External Server SANGFOR's SMS modem can be connected to the IAM or a PC. If it is connected to a PC, SANGFOR's SMS service software must be installed on the PC. When an SMS message must be sent, the IAM sends an instruction to the PC and the SMS modem connected to the PC sends the message.
  • Page 574 SMS modem to the COM port of the SMS server (PC), and fasten the connectors to make sure that the SMS modem, serial cable, and SMS server are connected properly. Step 3 Choose User Authentication > External Authentication Server and set the SMS authentication server.
  • Page 575 Set SMS Center to the SMS service number of the local SMS service provider. For example, the SMS service number of Shenzhen Mobile is 8613800755500. Set Serial Port to the actual serial port. Generally, a PC has only one COM port. Therefore, select COM0. If you use the second serial port, select COM1.
  • Page 576 Choose Advanced > MAC Filtering Across L3 Switch and configure the IP addresses, MAC addresses, and SNMP information of the L3 switches. See Section 3.4.4.4. Step 6 Choose Users > Authentication Policy > Add and enable SMS authentication. Set IP address/MAC address. In this example, set it to 192.168.2.0/24.
  • Page 577 They are not limited by the permissions assigned to the Visitor group. The visitors authenticated using SMS messages are not added to the organization structure on the IAM. Therefore, do not select Add Non-Local/Domain Users to Group.
  • Page 578 Click Advanced and select For open authentication, redirect to captive portal before access.
  • Page 579 A visitor selects SMS Authentication, enters his/her mobile number, and clicks Obtain Verification Code. The SMS module sends a verification code to the mobile number. After receiving the code, the visitor enters the code and clicks Login for authentication. See the following figure.
  • Page 580: WeChat and QR Code Authentication

    Access Internet Now. 4.3.2 WeChat and QR Code Authentication Configuration Case: A customer has an intranet segment 192.168.3.0/24, which is dedicated to users authenticated using WeChat or QR codes. A mobile user can follow the WeChat public account by ...
  • Page 581 Then, you can adopt both the tapping and scanning means for a good user experience. Access https://mp.weixin.qq.com/, click the registration link in the upper-right corner, and follow the instructions to select an account type, enter the related information, and upload the required materials to complete registration.
  • Page 582 Log in to the WeChat public account and configure the advanced settings to disable the editing mode and enable the developer mode. Click the developer mode and configure the server based on the WeChat account type. Subscription accounts that have not been certified do not have developer IDs. The other accounts have developer IDs.
  • Page 583 Step 2 Choose Users > External Authentication Server and add the WeChat authentication server. Select Enable.
  • Page 584 Log in to the WeChat public platform and click the public account name in the upper-right corner. The Account Details page is displayed. Obtain the value of Original ID on the page. Users logging in by means of scanning access the Internet using IP addresses. To use OPENIDs as usernames for accessing the Internet, set OPENID.
  • Page 585 You must log in to the WeChat public platform, choose Developer Center > Settings, and obtain the values of AppId and AppSecret. You must log in to the WeChat public platform, choose Developer Center > Interface Permission Table > Auth2.0 Web Authentication, and obtain the value of Domain Name of Authorization Callback Page.
  • Page 586 Authenticator: In this example, select All Users, which means all the authenticated users. This means that the mobile phone of any authenticated user can be used to scan a QR code to implement authentication. To assign the approving permission only to specified groups and users, click and select them in the organization structure.
  • Page 587 In this case, the approver must be a public account. Step 4 Choose User Authentication > Authentication Policy and add an authentication policy. Setting the authentication scope: Set Authentication Method to Password based and WeChat Server to QR Code Server.
  • Page 588 /Visitor/ group. Then, authenticated visitors can access the Internet based on the permissions assigned to the group. The visitors authenticated using WeChat or QR codes are not added to the organization structure on the IAM. Therefore, do not select Add Non-Local/Domain Users To Group.
  • Page 589 User Authentication > Custom Authentication Page. Method 2: Send the specified letter w (not case-sensitive). WeChat returns the Internet access message. User authentication by means of scanning: 1. A customer enters a store and sees a poster introducing WeChat authentication for Internet access ...
  • Page 590 The customer selects QR Code Authentication. Use a mobile phone that has been authenticated to scan the QR code with WeChat. The PC displays the "Authentication success" message. Then, the customer can access the Internet.
  • Page 591: Password Authentication

    Step 1 The customer wants to authenticate all the PCs in the 192.168.1.0/255.255.255.0 segment using usernames and passwords. Therefore, set the authentication mode for the PCs first. Choose User Authentication > Authentication Policy and set an authentication policy. Set the authentication scope to 192.168.1.0/255.255.255.0.
  • Page 592 Set Action to Automatic Binding and select Bind user account to IP address and MAC address. The local users are added or imported manually by administrators and are not automatically added to the organization structure on the IAM. Therefore, do not select Add Non-Local/Domain Users to Group.
  • Page 593 Step 3 Choose Users > Users > Local User, and add a local user group and local users. For details, see Section 3.4.3.1.1. Step 4 When a user within the network segment accesses the Internet and opens a webpage, the authentication page of the IAM is displayed. Enter a username and password and click Login.
  • Page 594 Step 2 The customer wants to authenticate all the PCs in the 192.168.2.0/255.255.255.0 segment using local user passwords and domain server passwords. Therefore, set the authentication mode for the PCs first. Choose Users > Authentication Policy and set an authentication policy. Set the authentication scope to 192.168.2.0/24.
  • Page 595 Set Authentication Method to Password based and Authentication Server to Local User and Domain Server.
  • Page 596 Set Action to automatic binding and select Bind user account to IP address and MAC address. Select Enable open authentication and set the validity period to 10 days.
  • Page 597 Advanced: Enable user login restriction, select Add Non-Local/Domain Users to Group, and select domain users and the Internet Group. Function: Within this network segment, only domain users and users in the Internet Group can be authenticated.
  • Page 598 IAM is displayed. For a local user, enter the username and password of a local user account and click Login. For a domain user, enter the username and password of a domain account and click Login.
  • Page 599: Other Configuration Cases

    Step 1 The customer wants to authenticate all the PCs in the 192.168.1.0/255.255.255.0 segment using passwords. Therefore, set the authentication mode for the PCs first. Choose Users > Authentication Policy and set an authentication policy. Set the authentication scope to 192.168.1.0/24.
  • Page 600 Set Authentication Method to Password based and Authentication Server to Local User. Step 2 Choose Advanced > Custom Attributes and set user-defined attributes. Attribute name: Gender. Attribute value: a sequence including two values, Male and Female.
  • Page 601 Step 3 Choose Users > Users > Local User, and add a local user group and local users. For details, see Section 3.4.3.1.1. You can select an attribute value when adding a user.
  • Page 602 Step 4 For female users, configure the Internet access policy to disallow them from accessing shopping and entertainment websites.
  • Page 603 Apply this policy to the users whose attribute value is Female. Step 4 For male users, configure the Internet access policy to disallow them from using gaming applications.
  • Page 604 Apply this policy to the users whose attribute values are Male. Configuration Case 2: The intranet users are authenticated using passwords. The customer has a hosted web server on the Internet at http://www.sangfor.com.cn. The users must be allowed to access the server before being authenticated.
  • Page 605 Step 2 Set an Internet access policy to allow access to the URL. Choose Access Mgmt > Policies and click New to add an Internet access policy.
  • Page 606 Associate the policy with the Temporary Group. Step 3 Set the authentication policy. Choose Users > Authentication Policy > Add. Set the authentication policy according to the IP or MAC addresses of the users to be authenticated using passwords. In Authentication Method, select Password based.
  • Page 607 Choose Action > Advanced, select Add Non-Local/Domain Users to Group, and select the Temporary Group.
  • Page 608 Step 4 When a user accesses the Internet and opens a webpage, the authentication page of the IAM is displayed. When the user accesses www.sangfor.com.cn, no authentication page is displayed. Configuration Case 3: A customer has an AD domain server on its intranet and intranet users must be authenticated using AD domain SSO.
  • Page 609 The shared key is used to encrypt the communication between the IAM and the AD domain server, and must be specified exactly the same in the login script. Click Download Domain SSO Program to download the login and logout scripts.
  • Page 610 ISA server, which functions as a proxy. The IAM is deployed between the ISA server and a switch to implement control and audit. Intranet users must be able to access the Internet without being authenticated. On the IAM, IP addresses are used as usernames.
  • Page 611 Step 2 Set the authentication policy. Choose Users > Authentication Policy > Add. Set the authentication policy according to the IP or MAC addresses of the users who require SSO. In Authentication Method, select Open Auth and set Take IP address as username.
  • Page 612: CAS Server Authentication Case

    Choose Users > Advanced > Authentication Options and select Open auth for data flow from WAN to LAN interface. Step 4 Configure the proxy settings of the PCs to exclude the IAM IP address. 4.5 CAS Server Authentication Case Requirements:
  • Page 613 Step 1: Make sure that the CAS server is deployed properly in the network, and obtain a CAS server account and the URL used to connect to the CAS server (URL example: https://ip:8443/cas/login). Step 2: Deploy the IAM unit in Route mode in this case, and configure a corresponding deployment ...
  • Page 614 Step 4: Create an authentication policy in Users > Authentication > Authentication Policy, configure the applicable objects as per your needs, and select Password based as the authentication method. In the Auth Server field, choose the third-party auth system created in Step 3, as shown below.
  • Page 615 If the user passes the authentication against the CAS server, the user information can be viewed in System > Status > Online Users, which means he/she has logged in to the IAM unit successfully.
  • Page 616: Policy Configuration Cases

    Click Add and choose Access Control. The Access Control page is displayed. Enter the policy name and description. Step 2 Choose Access Mgt > Access Control > Application. The Application Control page is displayed on the right. Click Add.
  • Page 617 Step 3 Click . The Select Applications window is displayed.
  • Page 618 Step 4 Select P2P and P2P streaming media.
  • Page 619 Step 5 Click OK. The application control page is displayed. Set the effective time to the office hours and the action to Reject. Click OK.
  • Page 620: Configuring an IM Monitoring Policy for a User Group

    Click Add and choose Audit Policy. The Audit Policy page is displayed. Enter the policy name and description. Step 2 Choose Access Mgt > Audit Policy > Application. The Application page is displayed on the right. Click Add.
  • Page 621 Click and select all involved IM objects on the Select IM page. Click OK. See the following figure.
  • Page 622 Click Add and choose Ingress Policy. The Ingress Policy page is displayed. The policy is used to monitor encrypted QQ messages and the files transferred using QQ. Enter the policy name and description. Click below Type and select the option for monitoring IM messages. Set the effective time to Whole Day.
  • Page 623 Click Add, click below Type and select the option for monitoring outbound IM files. Set the effective time to Whole Day. Step 5 Set user groups on the Objects page.
  • Page 624: Enabling The Audit Function For A User Group

    Click Add and choose Internet Access Audit Policy. The Internet Access Audit Policy page is displayed. Enter the policy name and description. Step 2 Choose Options > Application. The Application Audit page is displayed on the right. Click Add. The page for adding audit objects is displayed.
  • Page 625 Step 4 Click Add. The page for adding audit objects is displayed. Select Access to other applications (exclusive of contents) and Access to unidentified applications (address and port only; this incurs massive logs). Set the Internet access behaviors that can be identified by all devices. Set Schedule to All Day.
  • Page 626 Step 5 Select applicable objects. Step 6 Click Commit.
  • Page 627: Endpoint Device Management Configuration Cases

    Step 1 In the navigation area, choose Endpoint Device > Connection Sharing. The Connection Sharing page is displayed on the right. Select Enable Shared Connection Detection. See the following figure. Step 2 On the Connection Sharing page, select options. See the following figure.
  • Page 628 Set Lockout Options to Lock IP Address, so that one IP address can be used by only one user to access the Internet. Step 3 Choose Endpoint Device > Connection Sharing and select Enable Connection Sharing Detection. See the following figure. You only need to enable the mobile endpoint device management function.
  • Page 629: Mobile Endpoint Management Configuration Cases

    The configuration procedure is as follows: Step 1 In the navigation area, choose Connection Sharing > Status. The Connection Sharing page is displayed on the right. See the following figure. Select Enable Connection Sharing Detection and set the action to reject detected mobile endpoint ...
  • Page 630: Comprehensive Configuration Cases

    A customer has the network structure shown in the following figure. The Internet line bandwidth is 10 Mbps and the customer has about 500 intranet users accessing the Internet. Because the Internet access bandwidth is limited and some users download or watch movies online during business hours, website access is slow, which affects work efficiency.
  • Page 631: Configuration Idea

    The customer purchases SANGFOR's IAM and wants to implement the following configuration: 1. Deploy the IAM without changing the original network environment if possible. 2. Bind IP addresses with MAC addresses so that employees cannot change their IP addresses.
  • Page 632: Configuration Process

    Choose System > Network > Deployment, click Configure, and select the bridge mode. Click Next and select the bridge port numbers. In this example, ETH0 and ETH2 are used as a pair of bridge ports. ETH0 is used for the LAN and ETH2 is used for the WAN.
  • Page 633 Click Next and set the bridge IP address of the IAM. Click Next and set the IP address of the DMZ management port. You can retain the default settings.
  • Page 634 Click Next and set the gateway and DNS for accessing the Internet. Click Next and click Commit.
  • Page 635 Step 3 Add a common employee group and a director group for local users at Users > Local User > Add Group/User.
  • Page 636 You can add multiple groups and separate the group names with commas. Then click Commit.
  • Page 637 IAM. Choose Users > Advanced > MAC Filtering Across L3 Switch. Tick Enable MAC Filtering across L3 switch. Select Add, add a server, and enter the MAC address of the L3 switch in the exclusion list.
  • Page 638 Step 5 Add an authentication policy for the common employee group and another for the director group at Users > Authentication > Authentication Policy. Click Add and set an authentication policy for the common user group. See the following figure.
  • Page 641 Step 6 Set the Internet access permissions for the common user group at Policies > Access Control. Click Add and select the Internet access policy. Choose Access Control, set access control over P2P applications and online streaming media applications for office hours, and block access to illegal and unhealthy websites.
  • Page 642 Click Object, choose Local Users, and select Common User Group.
  • Page 643 Click Commit. Set the Audit policy for the common user group. Add the policy, select Audit policy, and add audit objects.
  • Page 644 Click OK. Click Object, choose Local Users, and select Normal User Group.
  • Page 645 Click Commit. Set the admission policy for the common user group. Add the policy, select Ingress Policy, and enable IM message monitoring. Click Object, choose Local Users, and select Normal User Group.
  • Page 646 Click Commit. Step 7 Set the Internet access audit policy for the director group. Select Audit Policy and add audit objects.
  • Page 647 Click Object, choose Local Users, and select Director Group.
  • Page 648 Step 8 Set the traffic management policy. Set the line bandwidth at Bandwidth Management > Line bandwidth. Click Line 1 and set the upstream and downstream bandwidth. Click Commit. Set the traffic management channel at Bandwidth Management > Bandwidth Channel. Select Enable Bandwidth Management System.
  • Page 649 Click Add, select Add Parent Channel, and set the assurance channel for website access.
  • Page 650 Click OK. Click Add, select Add Parent Channel, and set the limitation channel for P2P applications, download applications, and streaming media applications.
  • Page 652 Click OK. Step 9 Install the IAM. Connect the ETH0 (LAN) port of the IAM to the L3 switch and the ETH2 (WAN) port to the intranet port of the firewall.
  • Page 653: Appendix: Usage of SANGFOR Device Upgrade System

    Appendix: Usage of SANGFOR Device Upgrade System SANGFOR device upgrade system 6.0 can be used to upgrade the kernel version of the IAM. See the following figure. When the SANGFOR device upgrade system connects to the IAM for an upgrade, the computer used must be able to synchronize with the Internet time.
  • Page 654 Device IP Address: Enter the IP address of the IAM to be upgraded. Device Search: Searches for the IP addresses of the LAN ports of all the SANGFOR devices within the same Layer 2 intranet. See the following figure.
  • Page 655 Click Connect to log in to the current IAM for an upgrade. See the following figure.
  • Page 656: Product Upgrade Procedure

    4. Choose Upgrade > Upgrade Firmware. The IAM displays an upgrade success message and restarts. 5. If you need to restore the default settings, log in to the IAM and choose Upgrade > Restore Default Settings. Warning: You can upgrade the hardware firmware only under the instruction of SANGFOR technical engineers.